We here, at White Rhino Security, want to tell you that we hope you had a wonderful and prosperous 2018. And we hope that 2019 is even better for you, your family, and your business or career. Thank you for being a part of our lives, as we are thankful to be a part of yours. Happy New Year, to you and yours.
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Monday, December 31, 2018
Tuesday, December 25, 2018
Friday, December 21, 2018
Palo Alto Firewall: Verifying A Route In CLI
Real quick, how do you verify what interface a destination route goes out of the Palo Alto in CLI? Here is what you do:
PA850-1(active)> test routing fib-lookup virtual-router vsys_router ip 192.168.1.5
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: vsys_router
destination: 192.168.1.5
result:
via 5.5.5.5 interface ethernet1/3, source 5.5.5.6, metric 10
--------------------------------------------------------------------------------
Right there it is. It's ethernet1/3 in this case. I wanted to know what interface 192.168.1.5 would be going out, and with the above command, it tells me. Note that "vsys_router" is your virtual router that you have defined for routing. It may be default in your case, or whatever you named it.
Thursday, December 20, 2018
Monday, December 17, 2018
From Hurricane Michael: Panama City, FL
On my way over to Panama City, FL, I saw this from the hurricane. This was a little over two months after. It's literally like this in most of the area. I had said that it looked like someone took a giant lawn mower and just went over the city. Be sure to pray for these folks.
By the way, these trees are broken over towards the Gulf. Which means this was the weaker side of the hurricane.
Sunday, December 16, 2018
Friday, December 14, 2018
Home Project: Back Door
Ok, what doesn't look right here?
Yeah, you are right. It's not centered. The guy who did this put a 2x4 on the left side, but didn't think that the trim would be off. I had him redo it.
Thursday, December 13, 2018
Quote For The Day: 58
"The tragedy of life is not that it ends so soon, but that we wait so long to begin it." – W. M. Lewis
Wednesday, December 12, 2018
Home Projects: Opening Up The Room
One of the walls that we took out was going into the Florida room (sun room). We opened up a 22 foot span, from living room to kitchen and on into the sun room. This really opened up the space.
Before we bought the house:
The wall has now been taken down and we have the beam in place to open up the rooms.
The above picture is before we started on the kitchen cabinets, but it gives you an idea on how much it opens up the rooms. The middle and upper left side will be completely open. The bottom left is where the kitchen cabinets are going (already in progress). The 6x6 post in the middle is a good support for the beam and will be wrapped in cypress wood, along with each side and the beam itself.
Monday, December 10, 2018
Another Day Of Information Getting Stolen
It's almost a daily read in today's time. Your information getting stolen from someone's database. Like the link below, it could be somewhere you stayed at a hotel. It could be the company you work for, where your data is stored by HR. It could even be your payroll company that was hired by the company you work for. It might even be a bank you do business with that sold your information to someone else. I could go on and on, but the bottom line is that you need to be proactive about security.
https://thehackernews.com/2018/11/marriott-starwood-data-breach.html?m=1
White Rhino Security is here for you. Contact me here.
Sunday, December 9, 2018
Proverbs 18:13
To answer before listening—
that is folly and shame.
This verse reminds me of the saying: Seek to understand, then to be understood. Either way, both wise.
Saturday, December 8, 2018
Friday, December 7, 2018
Home Projects: Kitchen Reno #3
As some of you know, we are in the process of redoing another fixer upper. I think I'll start posting more things about it here, but wanted to show some progress on the kitchen area.
This was how it started out:
This is after the rip out:
And this is how it is to date. Still have a little ways to go, but getting there.
I'll post a finished product when we complete it.
Wednesday, November 28, 2018
Fortinet Packet Capture
Fortinet has a good packet capture, like most firewalls do, in CLI that is easy to read. If you do the following command, you can get a good read on what you are looking for:
diagnose sniffer packet any 'host 192.168.20.22' 4 0 a
2018-11-28 06:22:21.015672 VLAN70 in 10.20.3.7 -> 192.168.20.22: icmp: echo reply
2018-11-28 06:22:21.015675 Test VPN out 10.20.3.7 -> 192.168.20.22: icmp: echo reply
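In the command above, `4` is the verbosity level that adds the interface name to each line, `0` means no packet limit, and `a` selects absolute timestamps. The following is an added example, not part of the original post: it parses that output and pairs each "in" line with its matching "out" line, so you can see which interface a packet entered and left by, and which packets arrived but were never seen leaving. The function names, the 50 ms pairing window and the third sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Verbosity-4 line: "<timestamp> <interface> <in|out> <src> -> <dst>: <summary>"
# Interface names can contain spaces ("Test VPN"), so the name is matched
# lazily up to the first standalone in/out token.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<iface>.+?) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): (?P<info>.*)$"
)

# First two lines are from the post. The third line is constructed for this
# example: a packet that is received but never forwarded.
SAMPLE = """\
2018-11-28 06:22:21.015672 VLAN70 in 10.20.3.7 -> 192.168.20.22: icmp: echo reply
2018-11-28 06:22:21.015675 Test VPN out 10.20.3.7 -> 192.168.20.22: icmp: echo reply
2018-11-28 06:22:22.101010 VLAN70 in 10.20.3.9 -> 192.168.20.22: icmp: echo request
"""


def parse_line(line):
    """Return a dict for one sniffer line, or None if it is not a packet line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["ts"] = datetime.strptime(pkt["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return pkt


def trace_paths(text, window=timedelta(milliseconds=50)):
    """Pair ingress and egress sightings of the same packet.

    Packets are matched on (src, dst, summary). If the firewall NATs the
    flow, the addresses differ between "in" and "out" and will not pair.
    """
    pending = defaultdict(list)          # key -> ingress packets awaiting egress
    forwarded, out_only, stale = [], [], []

    for raw in text.splitlines():
        pkt = parse_line(raw)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["dst"], pkt["info"])
        if pkt["dir"] == "in":
            pending[key].append(pkt)
            continue

        queue = pending[key]
        # Ingress sightings older than the window cannot belong to this egress.
        while queue and pkt["ts"] - queue[0]["ts"] > window:
            stale.append(queue.pop(0))
        if queue:
            first = queue.pop(0)
            forwarded.append({
                "src": pkt["src"],
                "dst": pkt["dst"],
                "info": pkt["info"],
                "in_iface": first["iface"],
                "out_iface": pkt["iface"],
                "latency_us": (pkt["ts"] - first["ts"]) // timedelta(microseconds=1),
            })
        else:
            # Egress with no ingress: traffic originated by the firewall itself.
            out_only.append(pkt)

    leftovers = stale + [p for queue in pending.values() for p in queue]
    not_forwarded = sorted(leftovers, key=lambda p: p["ts"])
    return {"forwarded": forwarded, "not_forwarded": not_forwarded, "out_only": out_only}


if __name__ == "__main__":
    result = trace_paths(SAMPLE)
    for f in result["forwarded"]:
        print(f'{f["src"]} -> {f["dst"]}: {f["in_iface"]} => {f["out_iface"]} '
              f'({f["latency_us"]} us) {f["info"]}')
    for p in result["not_forwarded"]:
        print(f'{p["src"]} -> {p["dst"]}: seen in on {p["iface"]}, never seen out')
```

A packet listed as never seen out was not forwarded during the capture, which is where to start looking at policy and routing for that flow.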
Wednesday, November 21, 2018
Saturday, November 10, 2018
SMB Market
Hi all. I hope all is well with you. I want to reach out to the SMB (small and medium sized businesses) market. If your company falls into this business class, you still need true security just like the enterprise companies do. Get in touch with me. I'm doing really good things around security and offering really good services. Just go to the "Contact Shane Killen" on the right side of this page, and let's start talking.
Sunday, October 21, 2018
Thursday, September 20, 2018
Interesting Pinging
Try this below. It's interesting. If you have some "0"s in your IP address, you can leave them out of a ping and it will still ping just fine (provided it will respond anyway). Below, I'm pinging 10.0.0.91, but as you can see, I only type in 10.91 instead.
C:\Users\switch>ping 10.91
Pinging 10.0.0.91 with 32 bytes of data:
Reply from 10.0.0.91: bytes=32 time=21ms TTL=64
Reply from 10.0.0.91: bytes=32 time=1ms TTL=64
Reply from 10.0.0.91: bytes=32 time=1ms TTL=64
Reply from 10.0.0.91: bytes=32 time=1ms TTL=64
Ping statistics for 10.0.0.91:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 21ms, Average = 6ms
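The expansion shown above matters for security tooling: an allow list, block list or log search that compares address strings will not match "10.91" against "10.0.0.91". The following added example (not part of the original post) normalizes shorthand addresses before any comparison. It assumes the classic inet_aton-style rule, which goes beyond the one case in the post: the last field fills all remaining bytes, and fields may be decimal, octal (leading 0) or hex (leading 0x). Function names are made up for the example.

```python
import ipaddress

_HEX_DIGITS = set("0123456789abcdefABCDEF")


def _parse_field(text):
    """Parse one dotted field as decimal, octal (leading 0) or hex (0x)."""
    if text[:2].lower() == "0x":
        base, digits = 16, text[2:]
    elif len(text) > 1 and text[0] == "0":
        base, digits = 8, text[1:]
    else:
        base, digits = 10, text
    # Reject empty fields, signs, underscores and whitespace that int() allows.
    if not digits or not set(digits) <= _HEX_DIGITS:
        raise ValueError(f"bad address field: {text!r}")
    return int(digits, base)   # raises ValueError for digits outside the base


def expand_legacy_ipv4(text):
    """Expand a 1- to 4-field IPv4 literal to a canonical IPv4Address.

    All fields except the last are single bytes. The last field fills the
    remaining bytes, which is why "10.91" becomes 10.0.0.91.
    """
    fields = text.split(".")
    if not 1 <= len(fields) <= 4:
        raise ValueError(f"wrong number of fields: {text!r}")
    *head, last = [_parse_field(f) for f in fields]
    if any(n > 0xFF for n in head):
        raise ValueError(f"field out of range: {text!r}")
    tail_bytes = 4 - len(head)
    if last >= 1 << (8 * tail_bytes):
        raise ValueError(f"last field out of range: {text!r}")
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def strict_parser_rejects(text):
    """True if Python's strict dotted-quad parser refuses the literal."""
    try:
        ipaddress.IPv4Address(text)
        return False
    except ValueError:
        return True


def in_network(text, cidr):
    """Membership test done on the canonical address, not the typed string."""
    return expand_legacy_ipv4(text) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    for literal in ("10.91", "10.1.91", "0x0a.91", "10.0.0.91"):
        print(f"{literal:>10} -> {expand_legacy_ipv4(literal)} "
              f"(strict parser rejects: {strict_parser_rejects(literal)})")
    print("10.91 in 10.0.0.0/24:", in_network("10.91", "10.0.0.0/24"))
```

Input validation that uses a strict parser and rejects anything else is the simpler control; the expansion is useful when you have to interpret addresses that were already typed or logged in short form.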
Wednesday, September 19, 2018
Home Projects: Replacing Toilets
Old toilets in this house have to go. New toilets going in. I had to lower the flange down to the concrete floor, so these had to be cut out. After that, I put in new flanges and put the toilets in.
Tuesday, September 11, 2018
Home Project: Out With Tile, In With Concrete
I've been doing a lot of work on this house. The highest priority right now is getting the floors done. It's a lot of hard work. It will be stained concrete when we are done.
Wednesday, August 29, 2018
Security: Wiring Money
Wiring money is something that a lot of people don't give much thought to. However, I do.
I don't know about you, but my money is hard earned. And personally, I don't want to lose it, throw it away, or have it stolen from me.
When someone wants you to wire money, a lot of times, companies will email the wiring instructions. This email is the dangerous part. Why?
1. Because someone (we will say hackers) could have access to the company email that sent you the email, without you or that company knowing it. If wiring instructions are sent to you, and it was modified to an incorrect bank account (routing number, etc), and you wire that money, you can consider it lost.
2. Your email could be compromised.
3. Anyone else involved in the email chain could be compromised.
You think this is not possible? Well, it certainly happens.
I just bought a "new to me" house, and to close on it, they wanted me to wire the closing agent the money. I simply told them that I wouldn't be doing that. That is, via email. I did go down to the closing agent's location and asked them to hand a copy of the instructions over to me, printed on paper, so that no email exchange would take place. This was the safest option. Now it's just up to me to transfer that information, by hand, over to the bank wiring the money.
Look folks, be safe and use your senses. This is not 1950 anymore. We live in a computer age, and security is important. Especially when it comes to your money.
Tuesday, August 28, 2018
Truck Tailgate Problem
Well, just as I was needing my truck the most, my tailgate wouldn't open. You lift the lever and nothing happens.
Below is my tailgate:
Below is the inside of the tailgate, where all of the mechanisms are. That silver rod comes out of that clip, and that's when it won't open. Clip it back in and close up the tailgate cover. Works again.
Monday, August 27, 2018
Another House Renovation
Well, I have to say that one thing my wife and I like to do is house renovations. We have just started the next house reno and this one will be much different than the previous ones.
We started this weekend with taking off the popcorn ceilings. I'm not sure why anyone would want these, but scraping them off makes the room appear that they have taller ceilings. The times I have done this in the past, it's been a real mess. But this time, it appears to not be as dusty. I'm very glad for this.
This is what it looks like before.
This is what it will look like after we scrape it all off. It will need painting to make it look good, of course. And that dust below is about after a fourth of the ceiling being done.
Sunday, August 26, 2018
Saturday, August 25, 2018
Sunday, August 19, 2018
Natural Spring
Ponce de Leon, FL has some beautiful sights. At this state park, a 68° all year round swimming hole from a natural spring.
Saturday, August 11, 2018
Brocade (Ruckus) Telnet Timeout Disable
Quick note about setting the telnet timeout timer. I don't recommend doing this, but if you need to for some reason, here is how to configure it where it won't kick you off after the timeout value expires.
telnet@BHMCore1(config)#telnet timeout ?
DECIMAL <0..240> In minutes, 0 never timeout
telnet@BHMCore1(config)#telnet timeout 0
telnet@BHMCore1(config)#exit
Thursday, August 2, 2018
Wednesday, July 25, 2018
Sunday, July 8, 2018
Thursday, June 28, 2018
Cool T For My Company
My daughter gave me a cool T for me to wear. I'll be wearing this on the hot days for sure, when appropriate.
Tuesday, June 26, 2018
Are You Tired Of Not Getting What You Pay For Yet?
Look folks, I'm going to put it out there straight to you. If your security provider is not coming to you and discussing your security needs (without trying to sell you stuff), then your security provider isn't worth the money you are paying him. You need a proactive security professional instead. Contact me at this page (https://whiterhinosecurity.com/contact/), and let's get started on real security.
Monday, June 25, 2018
Sunday, June 24, 2018
Wednesday, June 13, 2018
Network Assessment Tool
There are many things that I cover in a network assessment. Starting today, I have added a new tool for my customers. I'll be able to see what's going on, on the network, from a protocol/application standpoint, and deliver a report on it. I'm very pleased to offer this service to my customers. Contact me if you are interested.
Sunday, June 3, 2018
Preparing Against Ransomware
I have partnered with a company that specializes in Disaster Recovery. I know this guy well, and he offers a very affordable and very technically sound solution to prevent against ransomware, and any other type of data loss. It's important to keep your data intact. Email me at Skillen@whiterhinosecurity.com and I'll get you the details you need to make a good DR decision. I don't sell this solution, nor do I make any money off of it. But I do believe in what this solution does. And as a security professional, "availability" of data is important to me. Don't be a victim against ransomware. Be prepared before it hits.
Wednesday, May 30, 2018
Sonicwall Firewall: TZ600 HA Pair
I had to do some troubleshooting on this pair of HA TZ600s. The HA had issues, but all problems can be overcome.
Tuesday, May 29, 2018
More Content On The White Rhino Security Site
I've added more content to the White Rhino Security site. It's a 'work in progress' still, but working to make it as clear and informative as possible. My latest changes are below.
I took out the "About" page, and put the content on the "Welcome" page: https://whiterhinosecurity.com/
Also, I added my mentoring page:
https://whiterhinosecurity.com/mentoring
Monday, May 28, 2018
Memorial Day
A day to reflect, for sure. Thank you to those who have given all for this country.
Also, on this day, another reflection. Anyone know what this in the sky means?
Friday, May 25, 2018
Home Project: Washer Pump
No one said working on a clothes washer was fun, but sometimes you have to fix things. After finding water on the floor of the utility area, I found this water pump cracked and needing replaced. A $30 fix. Not bad considering the alternatives.
Thursday, May 24, 2018
SSL Decryption
Most NGFWs have the ability to do SSL decryption, and it's a really good idea to do so. Many attacks now come through encrypted packets, and they need to be inspected. If you have the capability to do SSL decryption, you should be doing this.
Wednesday, May 23, 2018
The Website: White Rhino Security
I've changed the website a little for White Rhino Security. Any input would be welcomed. www.whiterhinosecurity.com
Thursday, May 17, 2018
Palo Alto Firewall: PA-200 Replacement
I went on-site to a consumer to replace a PA-200 that was having some issues. I got the software, global protect, and app and threats to the same version and then did a restore from a backup I had taken. It's not a bad price process to go through.
Sunday, May 13, 2018
Tuesday, May 8, 2018
Quote For The Day: 57
"Ultimately, life is about choices. We can work hard to enhance the choices before us. But there will inevitably come a time – a few times – when something happens that we did not choose. Something happens that we did not want. Some situation lands on us for which we did not apply. And that is where our choices really matter." ~~Dr. David Levy
Saturday, May 5, 2018
What To Do When You Need Time Back Or You Don't Have The Expertise
I've been a consultant for a long time in my career. What I have found to be true is that there are two reasons companies need people like me: time and expertise. Let me explain.
1. Time - IT guys simply don't have time to do everything they have to do and cover. They have to deal with the servers, the computers, the printers, the network gear, the firewall, the applications, maybe even the cell phones, etc. You know what I'm talking about. With multiple sites even, there just isn't enough time in the day. Time is a problem.
2. Expertise - IT guys simply can't be experts in everything. They are generally really good at the areas of IT that they really like, and "can do" the rest. The problem is that for the things that they "can do", those things don't get the appropriate attention. You wouldn't want to hire a golfer for your baseball team. It's just two different kinds of experiences. For the IT guy, expertise can also be a problem. But honestly, lack of expertise is no one's fault. It's just not where the tech guy's experience has been in life. He is just not an expert at everything. No one is.
So what do you do with the two problems?
1. You can struggle to keep up, with the vanishing hope that one day you will be "caught up".
2. You can hire another employee.
3. You can just not get everything done.
Let's explore these options. The first option just doesn't help you. You will get tired and burnt out, and eventually seek another job. Jobs shouldn't have to feel that way.
The second option can be costly. There is a salary to be paid, vacation time, sick time, health insurance, etc. Honestly, it just costs the company more money, and the goal of the company is to make money.
The third option, well, just doesn't work. Either for the company, or for you. As an IT guy, it makes you feel like you aren't doing a good job for the company. Not your fault, it's just how it is.
So how do you fix these problems?
It's not an uncommon thing to hire a consultant. So how does a consultant help? A consultant, if you find the right one, can do a couple of things for you:
1. Give your time back (fixes problem #1).
2. Be that expert in the area you need help in (fixes problem #2).
A consultant can help by doing what?
1. Help you by getting things done, that you can't get done because of either the lack of time or you don't know how to do something, which gets you "caught up".
2. Save the company money by not being a full time employee. Not having to pay the extras.
3. Helps you get things accomplished. You don't feel like you are drowning, and it takes the load off of you. And, the company gets things done also.
This is where I step into the conversation.
Let me introduce myself. My name is Shane Killen, and I'm both a security expert and a network expert. I own a company called White Rhino Security. Let me explain where I can help you, and where I can not help you.
What areas can I help you?
Security and network is my forte. I've been doing these two specialities for a very long time (over 20 years). I've been in all kinds of environments, in many complex networks, in many different sectors. I've been a consultant for most of my career. Security and network is what I love to do. It's fun to me.
1. What do I mean by security? Firewalls are my specialty. Perimeter firewalls, data center firewalls, cloud firewalls. I know most all vendor firewalls well. Again, I've done this for a long time. Security also means internal network security.
2. What do I mean by network? Literally, anything you can do with a router or a switch. Again, I've done this for a long time now. And I've done almost everything you can do with one, both in campus networks and data center environments.
3. I don't advertise this through my company, but I also know VoIP. I know load balancers. I know other things pertaining to "network", I just don't advertise them.
What areas can I not help you?
1. I'm not a server guy.
2. I'm not a PC guy.
3. I'm not a printer guy.
What do I offer through my company, White Rhino Security, to help you gain your time back and get the expertise for your company?
1. Firewall managed services. I'm an expert at firewalls. I am proactive, not reactive. I don't wait on you to tell me what to do. I already know what to do, and in conversation with you, I'm your proactive security guy that will take care of all your firewall needs to protect your internal data. Things you know about, and things you don't know about (but will, because I communicate). I do it all (IPS, URL filtering, malware, etc). You no longer have to worry about firewall security work with my services. I'll even provide the firewall if you want.
2. Network managed services. I'm an expert at networks. I've done routing and switching for a very long time. There isn't really anything I haven't seen.
3. Security and network projects. Need help with a project? A one time install? I do that also.
4. I also do penetration tests and vulnerability assessments. Both are valuable to a company, and I offer these services.
5. Basically, anything security and network. That's what I do. And with my managed services, there are also other things that I throw in for free, things like change log management, etc.
6. I can create a managed service package that makes sense, based on you and your company needs. Not all companies have the same needs.
7. Most importantly to me, I don't sell a product. I sell "me". I want to be your "trusted advisor", so it's important to me that I don't sell security products. Which means you get my knowledge, skills, and my personal attention for the best proactive security for your company, without the concern of me being "biased".
8. I also know disaster recovery well. That's why I have partnered with a company that I believe in, that sells a solid product. I have evaluated it myself, and I both recommend the product and the partner. I know this guy personally, and I recommend him, because I trust him. I've seen what he can do and what he does. Keep in mind, I'm a security guy, and trust is not easy for me.
9. I mentor those looking to learn. I come to you. To your company. And I mentor on topics you are interested in and that apply to your network. It doesn't matter how many people you have, the price is the same. I focus on network and security.
Are my prices expensive?
Plain and simple, No. I'm looking to make an honest living, not a killing. I think you will be surprised.
What is the "value add" for your company?
I'll tell you what the value add is. You get a dedicated, proactive security/network professional for a really good deal. You get someone who is genuinely concerned for your company security and proactive in getting security right.
So what now?
Let's just have a conversation. A conversation costs you nothing. We can discuss over phone or text (205.862.0265) or email (skillen@whiterhinosecurity.com). Whichever you prefer. It's just a conversation, with no obligation or me being a "pushy sales guy". I'm a technical guy, not a sales guy. I'd like to hear from you and extend an invitation for a conversation.
Friday, May 4, 2018
Palo Alto Firewall: Upgrade From 7.1.x To 8.0.9 On HA Pair
Well, what should have been an easy upgrade turned ugly on me today. I've upgraded many Palo Altos in my career. What a great product. But today, I spent three hours working through a Palo that wouldn't boot up after the upgrade to 7.1.17. Thankfully, it was an HA pair and the customer didn't experience any real downtime.
After a factory reset, getting to the same software version and importing the config back in, we were back to its original state again. So with a download of the base 8.0 software and a download and install of 8.0.9 on both units, all is good.
Tuesday, May 1, 2018
Sonicwall Firewall: Packet Captures
Have you ever worked with the packet capture feature on the Sonicwall? It's not as nice as the CLI of Check Point (TCPDump). And I think it's easier on the ASA in CLI also. But, there are some decent features about it on the Sonicwall that aren't too bad. If you have one laying around, work with it. It's actually OK.
I've always said, packet captures are your best friend.
Sunday, April 29, 2018
Sunday Thought: Proverbs 18:24
One who has unreliable friends soon comes to ruin, but there is a friend who sticks closer than a brother.
Tuesday, April 24, 2018
25 Year Anniversary
My wife and I are celebrating 25 years of marriage together today. Happy anniversary to my wife!
Monday, April 23, 2018
Network Mentoring With White Rhino Security
Hi all. I hope all is well with you. One of the things I am offering through White Rhino is network mentoring. I realize and have seen that when your team members need training, you have to send them off to a class. And then, it's usually generic in detail. Not to mention, you have to pay for travel for each member that goes. That's a flight for each one, plus hotel, food, and rental car plus gas.
What I'm offering is to come to your environment. To come mentor you (or your team), in your network. So that you can support your network environment. So that you can learn how to support what your company has.
What you also get with this is a network assessment (without the report). Because we will be looking at every aspect of your network environment, we will also be looking at the same things I would do on an assessment. And you will learn what to do to correctly fix problems, because I will show you. You will get "hands on" on your network.
Even better, it doesn't matter how many people you have there in the mentoring session. It can be one on one, or you can have as many people there as you like. It all costs the same.
So think about this offering over sending your team to a training class. The benefits to this:
1. I come to you.
2. I mentor your team, on your network.
3. They learn how to be a good network guy/girl in your company environment.
4. We comb through your network and fix problems as we see them, in your company environment. So they both "learn" and "do".
5. Even though you pay for me, you save money still by having your team stay on-site.
6. It costs less than sending your team to a training class, because I don't charge more for you having more people wanting to learn. It costs the same no matter how many people you have.
7. Your team stays on-site, in case you have problems that require their attention. They still get to attend to those problems and come right back to the mentoring sessions. They don't miss much, and I'll circle back around and discuss what they missed when appropriate.
8. The price of this mentoring offering is cheap compared to sending your team to a training class.
9. It's hands on, on your network. That's better than a lab environment.
So give some thought to this. I like to mentor people. And if you or your team wants to learn, I'd be glad to come and help. Contact me at this email address, and we can get started.
Sunday, April 22, 2018
Friday, April 20, 2018
The Datto Solution
All, I hope all is well. I wanted to share something that I think is exciting. I've partnered up with a company called TKS for a backup solution called datto, which I recommend.
Take two and a half minutes and watch what this solution can do for your company. Quick Overview
TKS has the best prices I have seen on this solution. Contact me on the right side of this page to learn more about the datto solution and how you can get a conversation going and a quote.
Thursday, April 19, 2018
White Rhino Security Network/Security Assessment
Hi all. I hope all is well with you. I wanted to take a moment and let you know that White Rhino Security is offering a network and security assessment session. I'll come to your site, do the assessment, fix any issues that can be fixed during that session, collaborate with your team, and do an external vulnerability assessment as well. I'm offering very attractive prices on this. Contact me on the right side of this page if you have an interest and would like a quote for this service.
Tuesday, April 17, 2018
Friday, April 6, 2018
Tuesday, April 3, 2018
Radius For Authentication
Keep in mind, if you use RADIUS for your authentication, your userID is not encrypted. Only the password is encrypted. Do a packet capture, and you will see it.
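The point above, as an added example that is not part of the original post: it builds an RFC 2865 Access-Request and reads it back the way a packet capture would, showing the User-Name attribute in the clear while User-Password is hidden with an MD5 pad derived from the shared secret. The username, password, shared secret and authenticator are constructed values.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD = 1, 2   # RFC 2865 attribute types
ACCESS_REQUEST = 1                # RFC 2865 packet code

def hide_password(password, secret, authenticator):
    """RFC 2865 sec. 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out

def recover_password(hidden, secret, authenticator):
    """What the RADIUS server does: the same pad, which requires the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, authenticator, ident=1):
    """Assemble code, identifier, length, authenticator and two attributes."""
    def attr(kind, value):
        return bytes([kind, len(value) + 2]) + value
    attrs = attr(USER_NAME, user)
    attrs += attr(USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs

def read_capture(packet):
    """Parse the packet as a passive observer would, without the shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        kind, alen = packet[pos], packet[pos + 1]
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return {"code": code, "authenticator": packet[4:20], "attributes": attrs}

# Constructed sample values (a real client uses a random 16-byte authenticator).
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PACKET = build_access_request(b"jsmith", b"Winter2018!", SECRET, AUTHENTICATOR)

if __name__ == "__main__":
    seen = read_capture(PACKET)["attributes"]
    print("User-Name on the wire:    ", seen[USER_NAME].decode())
    print("User-Password on the wire:", seen[USER_PASSWORD].hex())
```
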
Sunday, April 1, 2018
Happy Easter
I'm thankful we have a God that came down and solved our sin problem. By taking the punishment upon Himself, and dying in our place, so that we would not have to be without Him when we die. I'm also thankful that He overcame death by raising Himself three days later and coming back to life. He said he was going to do so, and He did. There is both Biblical and non-Biblical accounts of this.
Thank you Yeshua (the Hebrew name of Jesus).
Wednesday, March 28, 2018
Palo Alto Firewall: Amber STS LED When Booting
What does that STS amber LED mean? Well, it's still booting firewall services. You can log in to the console, but you still may have to wait for a few minutes for all the services to come up. You should see a "System initializing; please wait... (CTRL-C to bypass)" in the CLI during this time. When the STS amber LED goes green, then you should be good to go for CLI config.
I had a unit that kept the amber LED on STS. I had to do a factory reset to overcome this problem.
Friday, March 23, 2018
Brocade ICX Switch: Password Recovery
Quick post on how to do a password recovery on the ICX Brocade products. Just stop the boot process in the beginning by pressing "b", and type in "no password" at the prompt. See below:
Enter 'b' to stop at boot monitor: 0
ICX64XX-boot>> no password
OK! Skip password check when the system is up.
ICX64XX-boot>> boot
Booting image from Primary
ICX6450-48 Switch>
Stack unit 1 PS 1, Internal Power supply detected and up.
ICX6450-48 Switch>en
No password has been assigned yet...
ICX6450-48 Switch#
Thursday, March 22, 2018
I Can Only Imagine Movie
Have you ever heard of a guy named Bart Millard? If you like good stories, I would encourage you to go see the movie I Can Only Imagine.
Wednesday, March 21, 2018
100 Gig Uplinks
Do you really need 100gig uplinks? I do work with a lot of big networks. And honestly, a lot of those networks don't even come close to fully utilizing 40gig uplinks, even in the data center.
I'm sure Google probably does. But for most? My guess is probably not. But, when buying, you still have to consider the five year plan. What does your five year plan look like?
Monday, March 19, 2018
Cisco 9500 Series Switches
I have a few network refreshes coming up and I've been looking at different options for the core switches. As you know from my recent posts here, I look for three things: price, performance, and features.
In the scenarios I'm working with, they are Cisco shops. I've been looking at the newer 9500 series switches, and they don't look half bad. They do all the things I need them to do: PBR, multi VRF, etc. And if you are used to Catalyst IOS, it should be comfortable from a management standpoint. We will see what the price turns out to be. I'm still considering the Nexus 93180 also though. It also does what I need it to do, with the 100gig uplink capability, which is a nice thing.
Saturday, March 17, 2018
Friday, March 16, 2018
Check Point: R80.10 Install
I did another install of a Check Point firewall on a 4600 today. Check Point is a good product, right up there with Palo Alto. When considering your firewall replacement, these two are the front runners.
Inside the 4600:
Friday, March 9, 2018
Capsa, Again
As most of you know, I use capsa, by Colasoft, a lot. It's my troubleshooting "go to" when I need to know what's going on, on the network. I just used it again the other day to figure out why a switch was performing slowly.
Get capsa for your toolkit.
Wednesday, March 7, 2018
Cisco Data Center: 9372 vs 93180
I was getting together a list of equipment for a co-location site yesterday, when I realized that the Cisco Nexus 9372 was end of sale last month. So I found the replacement 93180. It appears that the only real difference between the two is the hardware ASICs, from what I read. And that would be to support certain features.
It also appears that the performance specs are better, but only because the 6 40gig ports also support 100gig. I'll have to go do the math to see if this is a line rate switch or not. The 9372 is, so I suspect the 93180 is also. I'll check on that to make sure.
Monday, March 5, 2018
Check Point Firewall: ZDEBUG
In doing some troubleshooting Sunday night, I think the best way to look for dropped packets, when you know the IPs involved, is to just go directly to zdebug in CLI.
I was helping a SAN guy troubleshoot an issue with SAN to SAN replication, which was failing on him. In getting into the Check Points, I didn't even bother going to the Smartview Tracker. I just SSH'ed into the active Check Point (in a HA pair) and did the zdebug, and found what I needed. It is just easier for me, I guess.
I was getting this message below:
;[cpu_15];[fw4_0];fw_log_drop_ex: Packet proto=6 10.X.X.X:11105 -> 10.X.X.X:18347 dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT;
Turns out the reason for this was stated here, based on initial research. I'll have to do more later on this.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk81320
I'll stick with the CLI. The tools are powerful and reliable. With zdebug, you see not only what could be dropped by the Check Point application itself, but also the OS. It's just a better tool than Smartview Tracker, in my opinion.
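When you already know the two IPs involved, saved zdebug output can be reduced to the drops between them and the reasons given. The following is an added example, not part of the original post: the regular expression is modeled on the single drop line quoted above, and the sample lines (addresses, ports, and the `example_module` entry) are constructed.

```python
import re
from collections import Counter

# Pattern modeled on the drop line quoted in the post (an assumption:
# other drop messages may be laid out differently and are skipped).
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<module>\S+) Reason: (?P<reason>.*?);\s*$"
)

def parse_drop(line):
    """Return the fields of one drop line as a dict, or None if it does not match."""
    match = DROP_RE.search(line.strip())
    return match.groupdict() if match else None

def drops_between(lines, ip_a, ip_b):
    """Count (module, reason) pairs for drops between two hosts, in either direction."""
    wanted = {ip_a, ip_b}
    counts = Counter()
    for line in lines:
        drop = parse_drop(line)
        if drop and {drop["src"], drop["dst"]} == wanted:
            counts[(drop["module"], drop["reason"])] += 1
    return counts

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    ";[cpu_15];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.10:11105 -> "
    "198.51.100.20:18347 dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT;",
    ";[cpu_3];[fw4_1];fw_log_drop_ex: Packet proto=6 198.51.100.20:18347 -> "
    "192.0.2.10:11106 dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT;",
    ";[cpu_2];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.77:53211 -> "
    "198.51.100.53:53 dropped by example_module Reason: example reason;",
    "unrelated debug output that is not a drop line",
]

if __name__ == "__main__":
    for (module, reason), count in drops_between(SAMPLE, "192.0.2.10", "198.51.100.20").items():
        print(f"{count:3d}  {module}  {reason}")
```
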
Saturday, March 3, 2018
Thursday, March 1, 2018
Sunday Thought: What Were The Three Miracles That Would Tell The Jews Who The Messiah Was?
In studying how the Jews would recognize the coming Messiah, I recalled how I had learned from a local messianic Christian church that the Messiah would perform a few certain miracles. I couldn't remember what they were, so I set out to remind myself exactly what they were.
In that pursuit, I came across a very interesting post. Click on the link below for that read.
Click here for the interesting read...
It's a long description, but it's well worth the time. I'd like to encourage you, take the time to understand it. It's pretty important to our faith.
Wednesday, February 28, 2018
Truck Is Fixed
Below, in the post where I'm replacing that MAP sensor, that actually did fix the problem. The second problem was when I put everything back together again, I left the intake air temperature sensor unplugged, which threw similar symptoms.
Tuesday, February 27, 2018
Having To Work On The Truck
It's not fun when your potential fix didn't actually fix the problem. MAP sensor didn't fix this issue. Back to the drawing board.
Monday, February 26, 2018
Cisco R&S: Multiple VRFs In Your Cisco Gear
Most companies don't do multiple VRFs in their environment. When I have the conversations with the technical people, most just don't know what advantages VRFs can bring.
My latest implementation was for a DR site. I architected multiple VRFs in a Nexus 9k to save money for that site, and still accomplish the goals we needed. In this case, it was all about separation between a test environment and a DR environment. Multiple VRFs can be a very good thing. Give that some thought.
Sunday, February 25, 2018
Sunday Thought: Matthew 22:37-39
Jesus replied: “‘Love the Lord your God with all your heart and with all your soul and with all your mind.’ This is the first and greatest commandment. And the second is like it: ‘Love your neighbor as yourself.’
Matthew 22:37-39 NIV
Friday, February 16, 2018
Wednesday, February 14, 2018
Valentine's Day
My wife and I found a fun thing for us to do on Valentine's Day. If you like Elvis Presley and Johnny Cash, then you would like the show these guys put on down in Montgomery, AL. This is our second year, and it's just a fun concert full of old Elvis and Cash music. Fun times.
Friday, February 9, 2018
Check Point Firewall : A Good Firewall With A Slight Disadvantage
Why is it that Check Point has two separate interfaces for managing application related configuration and OS configuration? Well, the answer is just that: Check Point is a software company.
As I was thinking about some Palo Alto config this week, I realized that Check Point has one major administrative disadvantage compared to most other firewalls. It's that Gaia and the actual firewall application are not tied together into one "single pane of glass". There are a lot of people who don't like that. Is it enough to deter me? No.
I do, however, think that Check Point should give this some consideration in the future. Combining them into one management window would be a good idea.
Thursday, February 1, 2018
Thursday 2-1-2018
Been a busy evening today. I fixed some Cisco voice gateway redundancy issues. SIP to the gateway and then to a PRI on both 4331s for failover. When the PRI goes down, you just have to account for the fact that SIP won't fail over automatically, unless you configure your CUCM correctly.
Then, I had to go let a raccoon loose that got caught in my feral cat traps.
Then VPN'ed in to upgrade a Cisco 5508 Wireless LAN Controller tonight. It's been a fun evening.
Monday, January 22, 2018
SonicWall Firewall: "Packet dropped; connection limit for this source IP address has been reached"
You know, I get some settings in some of these firewalls. But sometimes, they can be annoying. I ran into an issue on a SonicWall firewall that was causing a few internal users to reload a webpage four to five times to actually see the page. You can imagine this being frustrating to the customer.
As I looked in the log entries to try to figure out what was going on, I came across this error message: "Packet dropped; connection limit for this source IP address has been reached"
Well, that doesn't look good. There happens to be a rule under Firewall --> Access Rules (LAN --> WAN rule), where by default, there is an enabled setting that will probably cause you this issue.
So, I unchecked this setting, which again, is enabled by default.
That should work for you if you are seeing this issue.
Monday, January 8, 2018
Cisco Firewall: How A Cisco ASA L2 Firewall Works (Transparent Mode)
I'd like to explain how the Cisco ASA L2 firewall works. I find that most people really don't understand how this works, so I'm going to attempt to explain as best I can.
How A L2 Firewall Works (Transparent Mode)
As a packet comes into the Aggregation (Agg) switch destined for the server IP address 10.10.1.30, that packet is destined for Vlan 1273 on the Agg switch. The Agg switch sends out an ARP request to get the MAC address of the server 10.10.1.30, and the ARP is sent out all ports with Vlan 1273 configured. When the ARP comes into the ASA, the ASA forwards the broadcast across its bridge-group 30, and the destination is then within the Layer 2 Vlan 273. It traverses back to the Agg switch in Vlan 273, and out all ports with Vlan 273. The Leaf switch sees the ARP request and forwards it out all ports with Vlan 273 (L2) on the Leaf switch. The server gets the ARP request and responds with its MAC address, which traverses back across the Leaf switch, through the Agg switch on Vlan 273, and to the ASA on Vlan 273. When the ASA receives the ARP reply, it forwards it back across bridge-group 30 to Vlan 1273, and on to the Agg switch in Vlan 1273. There is now two-way communication from Vlan 1273 across to Vlan 273, and vice versa.
Notice that in the ASA configuration, the ACL allows all traffic GLOBALLY, for simplicity in our example.
Saturday, January 6, 2018
Pic Of The Week: Broken Bone
It's interesting how the body can heal itself. I did some research on how broken bones heal. God is pretty amazing in how He created us to heal. There is a process that the body goes through. Below is, theoretically, when the second phase of healing should begin. The bone in my hand is still broken, but should start rejoining on the day this was taken. It's interesting.