Monday, December 30, 2024

Palo Alto Self-Signed Certificate ERR_SSL_KEY_USAGE_INCOMPATIBLE

If you found this page, the Palo Alto KB probably did not help. Don't keep regenerating the self-signed certificate; it doesn't help. Chrome reports ERR_SSL_KEY_USAGE_INCOMPATIBLE when the certificate carries a keyUsage extension that does not allow what the TLS handshake needs (digitalSignature for an ECDHE handshake, keyEncipherment for RSA key exchange), so the fix is to issue the firewall a certificate whose keyUsage includes those bits. Here are the steps.

For Windows users

Set up OpenSSL

1. Download and install OpenSSL from Shining Light Productions (please donate if it helps you).


Then generate the CSR (Palo Alto KB)

1. Complete the "Generate the CSR" steps from the KB article on the firewall.

Back on your laptop/PC, start signing the certificate.

1. Open CMD as administrator and go to the OpenSSL bin folder, for example C:\Program Files\OpenSSL-Win64\bin

2. Type in the command (this creates the throwaway root CA key):

openssl.exe genrsa -out rootCA.key 2048

3. Type in the command (this creates the self-signed root CA certificate, valid for 10 years; adjust the -subj fields to suit):
openssl.exe req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -subj "/C=MY/ST=State/L=City/O=Org/OU=Dept/CN=RootCA"

4. Create an extensions file. For example, in C:\Program Files\OpenSSL-Win64\bin, create a text file named v3_req.txt with the content below (two separate lines; it is the keyUsage line that fixes the browser error):

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

Save it.

5. Download the CSR from the Palo Alto firewall and save it to the OpenSSL bin directory, for example C:\Program Files\OpenSSL-Win64\bin

6. Type in the command, replacing server.csr with the name of the downloaded CSR. Because the extensions sit in a named section ([ v3_req ]), the command must also pass -extensions v3_req; without it, openssl x509 reads the empty default section and silently issues a certificate with no keyUsage at all:
openssl.exe x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3_req.txt -extensions v3_req

7. Upload the signed certificate to the Palo Alto firewall. The certificate name must be exactly the same as the name used when the CSR was generated, otherwise the firewall cannot match it to the pending private key.

This solved the issue.
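As an added example (not the author's script and not anything from Palo Alto Networks), here is the whole procedure from steps 2 to 6 as one POSIX shell script, plus the check a practitioner should run before uploading. It assumes openssl is on PATH (under Git Bash on Windows the Shining Light openssl.exe resolves as openssl); the hostname fw.example.com, the working directory and the file names are placeholders. It goes beyond the post in two ways: it passes -extensions v3_req so the named section is actually read, and it adds a subjectAltName, which Chrome also requires because it ignores the CN for hostname matching.

```shell
#!/bin/sh
# Added example (not the author's script): sign a PAN-OS CSR with a throwaway
# root CA so the result carries the keyUsage Chrome checks, then verify it
# before uploading. Assumes `openssl` is on PATH; fw.example.com and the file
# names are placeholders.
set -eu

# Steps 2-3 of the post: throwaway root CA key and self-signed CA cert (10 years).
make_root_ca() {
    dir=$1
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 3650 \
        -subj "/C=MY/ST=State/L=City/O=Org/OU=Dept/CN=RootCA" \
        -out "$dir/rootCA.crt" 2>/dev/null
}

# Step 4: extensions file. keyUsage is what ERR_SSL_KEY_USAGE_INCOMPATIBLE is
# about; subjectAltName is added because Chrome matches the hostname only
# against the SAN, so a certificate without one fails with a different error.
write_ext_file() {
    dir=$1; host=$2
    cat > "$dir/v3_req.txt" <<EOF
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
}

# Step 6: sign the CSR downloaded from the firewall. The named section in the
# file is only read when -extensions names it; leave that flag out and
# `openssl x509 -req` issues a certificate with no extensions at all.
sign_csr() {
    dir=$1; csr=$2; out=$3
    openssl x509 -req -in "$csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/v3_req.txt" -extensions v3_req -out "$out" 2>/dev/null
}

# Pre-upload check: pull the Key Usage line out of the certificate and require
# "Digital Signature", the bit Chrome needs for an ECDHE handshake. Returns 1
# when the bit, or the whole extension, is missing.
check_key_usage() {
    ku=$(openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; sub(/^ +/, ""); print; exit }')
    echo "Key Usage: ${ku:-<absent>}"
    case "$ku" in
        *"Digital Signature"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh sign_pan_csr.sh <downloaded.csr> <firewall-hostname>
# Runs in the current directory and leaves server.crt ready to upload.
if [ $# -eq 2 ]; then
    make_root_ca .
    write_ext_file . "$2"
    sign_csr . "$1" server.crt
    check_key_usage server.crt
    openssl verify -CAfile rootCA.crt server.crt
fi
```

If check_key_usage prints "<absent>", the extensions file was not applied (almost always the missing -extensions flag). Chrome will still load such a certificate, but only because there is no keyUsage for it to object to, and the missing SAN will then bite instead; fix the signing command rather than shipping that.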

Saturday, December 7, 2024

Ping Test Tool

Although there are lots of free ping test tools, I developed my own version that suits my troubleshooting purposes. Feel free to download it and send me feedback.

My version logs the time on each ping result; this time logging can be disabled too.


Here is the tool:

ping test tool





Friday, June 21, 2024

Let's start NSE8!

Let's start the NSE 8 journey; wondering whether I'll be able to achieve it within a year, or maybe not, or drag it on for another decade XD.

After going through the CCIE Security exam, I roughly understand how this exam is going to look.

Hope my company sponsors me for this exam, as I have moved away from network security into cloud security. Ahem, FortiSASE is cloud security too, what.



I'm still struggling with whether I should release an alpha version of my Cisco Lina/ASA firewall policy conversion tool to the public, since it was developed using company resources (laptop).

Thursday, August 3, 2023

Cisco FTD route-map metric

If you try searching for this information, even with ChatGPT, you still can't locate it. Yup, Cisco FTD replaces the metric value with bandwidth:




CLI output:






Monday, June 12, 2023

Palo Alto power cycle or power outage causes HA down

After a power cycle or power outage of a PA-5220 (Active/Active or Active/Passive), the box boots up but the data plane fails

with the error "dataplane down: path monitor failure" or "Policy push to dataplane failed".


Just physically power cycle it 2 to 3 times.

Here is the KB:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCcXCAW 







Tuesday, April 4, 2023

Palo Alto Failed to find begining of certificate. Make sure certificate starts with BEGIN CERTIFICATE tag.

Don't hesitate, just use another browser; problem resolved.

Environment
1. PAN-OS 10.2
2. Panorama
3. Firefox
4. Trying to upload a certificate
5. Panicking during migration
6. Engineer ego suspecting a bug

It is a sad TAC case; it wasted my company's case token due to a silly browser issue.

Yes, you can't find any solution in the public KB for this error; according to TAC it is in their internal KB.

And I tried to reproduce it the next day, but a miracle happened: the upload succeeded.





So, to conclude: just switch to another browser, or use the ultimate weapon: RESTART YOUR PC.

Update, 05 April 2023

TAC feedback:






Wednesday, June 6, 2018

Palo Alto PPPoE with VLAN tag: it's a stupid setup, but it's working!!

Palo Alto does not allow a Layer 3 sub-interface with PPPoE, but certain ISPs require PPPoE with VLAN tagging.


2018 update from reaper:


So I came up with this setup. Yes, it is stupid, but it works!



Basically, ethernet1/3 is set up as Layer 3 with PPPoE:

Select the interface type as Layer 3 and assign the virtual router and security zone.

Go to the IPv4 tab, check PPPoE, then configure it as required by the ISP.


ethernet1/4
Create a VLAN profile, leave the security zone blank, and set the interface type to Layer 2.


ethernet1/5: edit it, select ethernet1/5 at the bottom and create a sub-interface.


Configure the sub-interface tag (VLAN ID); the Malaysian ISP unifi uses VLAN ID 500. In the VLAN field you must select the VLAN profile created earlier on ethernet1/4.



P.S. Without the VLAN profile on both ethernet1/4 and ethernet1/5.500, the packets were unable to reach the modem (a laptop in my test environment).


Tadahhh..................................................

My laptop receives the PPPoE discovery broadcast packet tagged with VLAN ID 500.

Although it is a stupid setup, it works, LOL.


Alternative setup, if you have an extra switch with VLAN support:


Summary: well, on Palo Alto the common implementation is PPPoE via an L3 sub-interface, okay!