Common Brocade ADX Commands

expert@punkinnovation

The following commands are based upon Brocade ADX 12.4.

SHOW COMMANDS

show ip int — show interface IPs

show default values — show defaults

show server global — show global configured parameters

show ip vrrp-extended brief — show cluster status

show server real — show real server stats

show server real http [real server] — show real server http details for given server

show server real [real server/port] detail — show details of real servers port or real server

show server virtual — show virtual server stats

show server bind — show virtual to real server bindings

show server global — show global parameters

show server sessions — show summary of real server connections

show cookie-info — show content switching cookie information

show statistics ethernet 1 — show interface stats

rconsole / sh sessions all 0 / rcon-exit — show flows across all BP’s (Barrel Processors)

RCON COMMANDS

The rconsole is used to view and run commands across the various processors, i.e. the BPs. To invoke the rconsole, use the command rconsole. To exit, use rcon-exit.

show ssl statistics counters — shows connection attempts and successful completions.

show ssl statistics alert — if errors are shown and the RX counters are increasing, the issue is on the ADX.

show ssl statistics — show statistics for ssl flows (12.4u includes SSL/TLS version stats).

show ssl debug — shows failures and causes such as certificate verify failures.

show ssl con — show ssl connections.

show cp debug — show client/server connection details.

show cp stats — show client/server connection stats.

SERVER COMMANDS

server no-fast-bringup — stops a port becoming ACTIVE until the Layer 4 and Layer 7 health checks have completed successfully

[no] server no-periodic-arp — enables/disables periodic L2 health checks

[no] server no-real-l3-check — enables/disables periodic ICMP healthchecks

server disable-ping-vip-down — stops vip responding to ping if all backend servers are down

server msl 2 — change maximum session life in delete queue to 2 secs

server l7-dont-reset-on-vip-port-fail — used to allow csw to still be used when all servers are down (12.4+)

server l7-tcp-window-size — limit size of packets in large HTTP requests that can cause BP buffering issues

server l7-dont-ack-last-packet — prevents drop of last packet in request after CSW decision has been completed

server l7-rewrite-pkt-in-sequence — prevents issues with out-of-order packets when using CSW content insertion/rewrite by ensuring they are sent in order

REAL SERVER COMMANDS

max-conn — configures the total maximum of connections per real server

PORT PROFILE COMMANDS

tcp keepalives 5 1 — modify layer 4 healthchecks

tcp keepalive use-master-state — tie the health status of the alias port to the master port

Ubuntu 14.04 Juno Openstack F5 LBaaS conf File examples

expert@punkinnovation


One drawback of examples is the lack of real-world relational information such as an example of an actual OpenStack install on the Internet without the use of RFC1918 space for all networks.

Additionally the conf files are presented without any real explanation of the consequences of changes, what is superfluous, what is required, etc.

Starting point:
DL180
OS – 1TB
Raid 10 – 6TB
3TB went to an LVM for cinder

  --- Physical volume ---
  PV Name               /dev/sdb1
  VG Name               cinder-volumes
  PV Size               2.73 TiB / not usable 2.00 MiB
  Allocatable           yes
  PE Size               4.00 MiB
  Total PE              715255
  Free PE               702455
  Allocated PE          12800
  PV UUID               QdLfoA-NAq3-BJQJ-W5r9-857T-f7fq-bl9rnI

3TB as a single swift ring

Filesystem                    Size  Used Avail Use% Mounted on
/dev/sdb2                     2.8T   33M  2.8T   1% /srv/node/sdb2

Ubuntu

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"
NAME="Ubuntu"
VERSION="14.04.2 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.2 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

Single Node OpenStack Install for Juno with F5 LBaaS plugin

expert@punkinnovation

Use this install guide for the basic install of components.

Swift is installed after using the basic openstack swift install guide.

Conf file examples and more

F5 CLI Context Change

expert@punkinnovation
tmsh -m -c 'cd /f1 ; delete net arp /f1/test'

Example:

tmsh -m -c 'cd /uuid_844a8ccf756947cf860510b2d2f26448 ; delete net arp /uuid_844a8ccf756947cf860510b2d2f26448/192.168.101.4%7'

OpenVAS v7, WPScan, Metasploit, ZAP on Ubuntu 14.04

expert@punkinnovation

Install OpenVAS7, WPScan, Metasploit, ZAP

Fix Linux VM NIC assignment after migrating to new hypervisor

expert@punkinnovation

/etc/udev/rules.d/70-persistent-net.rules accordingly to reflect the changes. After completing that, you also need to edit /etc/sysconfig/network-scripts/ifcfg-eth0 to change the MAC and name of eth0.

vi /etc/udev/rules.d/70-persistent-net.rules
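The two edits described above, as an added example script that is not part of the original post: it rebinds the udev persistent-net rule for an interface name to the MAC the kernel now reports, and rewrites HWADDR= in the matching RHEL-style ifcfg file. The function names, the sample file contents written by write_sample and the MAC addresses used are constructed for the demo; on a real host the inputs would be the two files named in the post and the address read from sysfs by live_mac.

```shell
#!/bin/sh
# Added example (not part of the original post): after a VM lands on a new
# hypervisor its NIC usually has a new MAC, so the udev persistent-net rule
# and the ifcfg file both still point at the old address. These helpers
# rewrite both to a given MAC. Sample files from write_sample are constructed.
set -eu

# live_mac IFACE : the hardware address the kernel currently sees (sysfs)
live_mac() {
  cat "/sys/class/net/$1/address"
}

# set_ifcfg_hwaddr FILE MAC : replace (or append) HWADDR= in an ifcfg file
set_ifcfg_hwaddr() {
  file="$1"; mac="$2"
  if grep -q '^HWADDR=' "$file"; then
    sed "s/^HWADDR=.*/HWADDR=$mac/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf 'HWADDR=%s\n' "$mac" >> "$file"
  fi
}

# set_udev_mac FILE NAME MAC : rebind the persistent-net rule for NAME to MAC
set_udev_mac() {
  file="$1"; name="$2"; mac="$3"
  sed "/NAME=\"$name\"/s/ATTR{address}==\"[^\"]*\"/ATTR{address}==\"$mac\"/" "$file" \
    > "$file.tmp" && mv "$file.tmp" "$file"
}

# udev_mac_for FILE NAME : print the MAC the rules file binds to NAME
udev_mac_for() {
  sed -n "/NAME=\"$2\"/s/.*ATTR{address}==\"\([^\"]*\)\".*/\1/p" "$1"
}

# ifcfg_hwaddr FILE : print the HWADDR= value from an ifcfg file
ifcfg_hwaddr() {
  sed -n 's/^HWADDR=//p' "$1"
}

# write_sample DIR : constructed pre-migration files, still holding the old MAC
write_sample() {
  dir="$1"
  mkdir -p "$dir"
  printf 'DEVICE=eth0\nBOOTPROTO=static\nHWADDR=00:50:56:aa:bb:cc\nONBOOT=yes\n' \
    > "$dir/ifcfg-eth0"
  printf '%s\n' 'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:aa:bb:cc", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"' \
    > "$dir/70-persistent-net.rules"
}

# fix_nic RULES_FILE IFCFG_FILE NAME MAC : apply both edits in one go
fix_nic() {
  rules="$1"; ifcfg="$2"; name="$3"; mac="$4"
  set_udev_mac "$rules" "$name" "$mac"
  set_ifcfg_hwaddr "$ifcfg" "$mac"
}
```

On the migrated VM the call would be fix_nic /etc/udev/rules.d/70-persistent-net.rules /etc/sysconfig/network-scripts/ifcfg-eth0 eth0 "$(live_mac eth0)", followed by a reboot or udev reload; reading the address from sysfs rather than typing it avoids the transposed-digit mistake that leaves the interface unnamed on the next boot.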

F5 HA score view

expert@punkinnovation
To view the HA score and other details, at the system prompt on unit 1, type:
tmsh
/sys
show ha-group details
Repeat the commands on unit 2.

To compare the HA scores of both units, compare the HA score on the current unit with the HA score of the peer unit. At the system prompt on either unit, type:
tmsh
/sys
show ha-status all-properties

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos_management_guide_10_1/tmos_high_avail.html#1026652

Self-Signed SSL CA Certs & Keys

expert@punkinnovation

Create the CA cert to sign your new cert.

The server certificate is used to terminate SSL on your endpoint (LB, server, HAproxy).

The client cert can be issued to authenticated clients for 2-way authentication.

CA Certificate

echo "0001" > <serial_number_file>.sr1

openssl req -new -x509 -days 3650 -keyout <ca_cert_key>.key -out <ca_cert_file_name>.crt

Server Certificate

openssl req -new -newkey rsa:2048 -nodes -out <cert_request>.req -keyout <cert_key>.key

openssl x509 -CA <ca_cert_file_name>.crt -CAkey <ca_cert_key>.key -CAserial <serial_number_file>.sr1 -req -in <cert_request>.req -out <domain_name>.crt -days 3650

Client Certificate

openssl req -new -newkey rsa:2048 -nodes -out <client_cert_file_name>.req -keyout <client_cert_file_name>.key 

openssl x509 -CA <ca_cert_file_name>.crt -CAkey <ca_cert_key>.key -CAserial <serial_number_file>.sr1 -req -in <client_cert_file_name>.req -out <client_cert_file_name>.crt -days 3650

openssl pkcs12 -export -out <client_cert_file_name>.p12 -inkey <client_cert_file_name>.key -in <client_cert_file_name>.crt -certfile <ca_cert_file_name>.crt
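The three steps above (CA, server certificate, client certificate), as an added example script that is not part of the original post. It runs the same openssl commands non-interactively and then checks what the post leaves unchecked: that both leaf certificates verify against the CA and that each private key matches its certificate. It assumes openssl is in PATH; the serial file is named ca.srl here (the post's <serial_number_file>.sr1 placeholder), and the names example-ca, lb.example.test, client1 and the PKCS#12 export password changeit are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): builds a self-signed CA, then a
# server and a client certificate signed by it, and verifies the results.
# All subject names and the PKCS#12 password below are constructed values.
set -eu

# make_pki DIR : populate DIR with ca.key/ca.crt, server.key/server.crt,
#                client.key/client.crt/client.p12
make_pki() {
  dir="$1"
  mkdir -p "$dir"
  echo "0001" > "$dir/ca.srl"   # starting serial, as in the post

  # CA: self-signed, 10 years; -nodes keeps the key unencrypted for an
  # unattended run (protect a real CA key with a passphrase or an HSM)
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -subj "/CN=example-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # Server cert: terminates TLS on the LB / server / HAProxy endpoint
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=lb.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.req" 2>/dev/null
  openssl x509 -req -in "$dir/server.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAserial "$dir/ca.srl" -days 3650 -out "$dir/server.crt" 2>/dev/null

  # Client cert for 2-way (mutual) TLS, bundled as PKCS#12 with the CA cert
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=client1" \
    -keyout "$dir/client.key" -out "$dir/client.req" 2>/dev/null
  openssl x509 -req -in "$dir/client.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAserial "$dir/ca.srl" -days 3650 -out "$dir/client.crt" 2>/dev/null
  openssl pkcs12 -export -passout pass:changeit \
    -inkey "$dir/client.key" -in "$dir/client.crt" -certfile "$dir/ca.crt" \
    -out "$dir/client.p12" 2>/dev/null
}

# spki_digest_of_key FILE  : SHA-256 over the DER public key derived from a private key
# spki_digest_of_cert FILE : SHA-256 over the DER public key carried in a certificate
spki_digest_of_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256
}
spki_digest_of_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256
}

# verify_chain DIR : return 0 only if both leaf certs chain to the CA and
#                    each leaf private key matches its certificate
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" \
    >/dev/null 2>&1 || return 1
  for n in server client; do
    [ "$(spki_digest_of_key "$dir/$n.key")" = "$(spki_digest_of_cert "$dir/$n.crt")" ] \
      || return 1
  done
  return 0
}
```

A typical run is make_pki ./pki && verify_chain ./pki; the serial file advances with every signature, so reusing it across both leaf certificates (as the post does) is what keeps their serial numbers distinct under the same issuer.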


F5 Aggressive Connection Reaping

expert@punkinnovation

https://support.f5.com/kb/en-us/solutions/public/5000/600/sol5670.html

More OpenVAS and Greenbone

expert@punkinnovation

Step 1: Configure OBS Repository

sudo apt-get -y install python-software-properties
sudo add-apt-repository "deb http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/ ./"
sudo apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys BED1E87979EAFD54
sudo apt-get update

Step 2: Quick-Install OpenVAS

sudo apt-get -y install greenbone-security-assistant gsd openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc

Step 3: Quick-Start OpenVAS
(copy and paste whole block, during first time you will be asked to set a password for user “admin”)

test -e /var/lib/openvas/CA/cacert.pem || sudo openvas-mkcert -q
sudo openvas-nvt-sync
test -e /var/lib/openvas/users/om || sudo openvas-mkcert-client -n om -i
sudo /etc/init.d/openvas-manager stop
sudo /etc/init.d/openvas-scanner stop
sudo openvassd
sudo openvasmd --migrate
sudo openvasmd --rebuild
sudo killall openvassd
sleep 15
sudo /etc/init.d/openvas-scanner start
sudo /etc/init.d/openvas-manager start
sudo /etc/init.d/openvas-administrator restart
sudo /etc/init.d/greenbone-security-assistant restart
test -e /var/lib/openvas/users/admin || sudo openvasad -c add_user -n admin -r Admin

Step 4: Log into OpenVAS as “admin”

Open https://localhost:9392/ or start “gsd” on a command line as a regular user (not as root!).


Sourcefire vs Palo Alto UTM Appliances

Unified threat from Sourcefire and Palo Alto Solutions


Version 4.10 from Sourcefire was a stable, robust, competent piece of software. The detection engines performed their duties as expected and IPS/IDS functionality worked as expected.

