
Sophos XG Firewall Review

Sophos has been climbing the security leaderboard of the Magic Quadrant for some time now, and we have utilized their amazing endpoint protection within our company and with our customers. I was excited to get my hands on their XG firewalls and take notes of my experience with the initial deployment, configuration, and ongoing feedback.
Note: this review is based on a week or so of usage, and does not incorporate feedback over time, which is where most issues with any product usually creep up.

Aesthetics – Initial impressions of the nuts/bolts

The XG135w is a desktop form-factor unit that can be rack-mounted (mounting kit not included). It has a nice clean shell and three large omni-directional antennas, with the ability to add two additional antennas with an add-on module. It has 8 x 1GbE ports plus an additional 1GbE SFP port, which, when in use, takes the place of Port 5. It has an HDMI port which I haven’t had time to try out, two USB ports, and one Micro USB port for console access. It feels like they have taken a really nice gaming motherboard and converted it to an awesome firewall. It’s rare that you see SFP, HDMI, and Micro USB ports on a firewall, but it’s what makes the XG so unique. The expansion bay allows you to add any one of the following: SFP DSL module, 3G/4G module, additional Wi-Fi radio, or additional SFP ports.
The DC power plug threw me off a little bit though, as it is a 12 V banana plug that goes into the firewall itself, while the other end requires an adapter to convert it to a US or European power socket. Not a bad thing, but not what you would expect. (There are two DC ports for dual power supplies.)

White Gloss Shell

Banana Plug DC Power


Deployment

Deployment was very easy, with a setup wizard that takes you through everything from power-on to management login. It ships with a default IP of 172.16.16.16, so you will need to give your laptop an IP on that subnet and then hit that IP through a web browser. You can probably take most of the defaults throughout the 5-page wizard; the only real decisions you will need to make during setup are a new admin password and whether you want to use the firewall in Route Mode or Bridge Mode. A 5-minute deployment couldn’t be easier.


GUI and Management

Sophos has always been very good at “simplicity of management”, and the Sophos Firewall OS keeps to that style. There are basically four areas of management with the XG:
Monitor and Analyze: Overview, Alerts, Reports
Protect: Policies, Rules, Security Features
Configure: Network Routing, VPN, etc.
System: Device-related management

Control Center – Overview


Do not mistake the simplistic design as a lack of features and security granularity. The XG has a LOT of pre-built policy and rule templates, as well as the ability to create your own.

Built-in Web Policies

Application Profiles


Little Gotchas and Things to Improve

There are a few things that were confusing and more complex than they should be, which I will briefly describe.

Using LAN Ports as Switch Access Ports:
I spent an hour or so at least trying to figure out how to use Ports 3-8 on the same subnet as my LAN traffic. After much trial and error, and even reaching out to Sophos Support, it was finally resolved by a local Sophos SE (thanks Joe!) who has run into this before. Not only do you have to bridge the interfaces together, you also need to create a LAN-to-LAN firewall rule allowing the traffic. I guess in hindsight you could say this is just an extra step to maintain security more than it is a software issue, but if so, they should at least document this or train their support staff on how to properly set this up.

Bridge the LAN interfaces then apply the following firewall rule

LAN to LAN Firewall Rule

Default Security Policies:
This could also be considered an extra layer of security, but many multimedia websites/services were semi-broken with the default policies of the XG. For example, Netflix and Amazon Video would allow you to browse content, but would error out when you attempted to play the content. This also caused some issues with company website hosting services. The solution here was to use the “Allow All” web policy for all outgoing traffic. I am sure there is a more granular policy to use here, but with the limited testing I have had with this, that was the quick and dirty fix.


Final Thoughts

I have been VERY happy with what I have seen so far and am excited to continue digging into more. I wish I had another XG to test HA failover, and I would love to test out some of their wireless access points. I didn’t do much Wireless testing with the XG itself, since it usually doesn’t make sense to have the wireless enabled in the data center or server room, but I am very interested to see if their Access Points can replace some of the broader brands. In general, the XG is worthy of replacing most legacy vendors in the data center. The hardware is great, the security features are even better!

“Your computer can’t connect to the Remote Desktop Gateway server” error

A customer gave me access to their Remote Desktop Gateway server to do some after-hour consulting. Every time I attempted to connect from my Microsoft Surface Book, I got the following error:

Your computer can’t connect to the Remote Desktop Gateway server. Contact your network administrator for assistance.

I assumed my account was not set up correctly, but the customer was able to connect successfully with the account they assigned me. When I attempted to connect from my desktop PC (same Windows 10 build as my Surface Book), I was able to connect successfully. The following registry edit fixed the issue for me, although I am still baffled as to why it is needed, since it doesn’t exist in my desktop PC’s registry, which worked from the start.

  • Open Regedit
  • Go to HKCU\Software\Microsoft\Terminal Server Client\
  • Create a new DWORD (32-bit) called: RDGClientTransport
  • Give it a Value of: 1

As soon as I added that entry, I was able to connect. No reboot required.
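The same edit as a PowerShell script, in case you want to roll it out to more than one machine or check what was there first. This is an added example, not part of the original post; the key path and value name are the ones the steps above use, and the Get/Set functions are mine.

```powershell
# Added example (not from the original post): apply the RDGClientTransport
# registry fix from PowerShell instead of Regedit. The key lives under HKCU,
# so no elevation is needed and the change only affects the current user.
$path = 'HKCU:\Software\Microsoft\Terminal Server Client'
$name = 'RDGClientTransport'

function Get-RdgClientTransport {
    # Returns the current DWORD value, or $null when the key or value is absent
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

function Set-RdgClientTransport {
    param([int] $Value = 1)
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # DWord matches the post's "DWORD (32-bit)"; -Force overwrites an existing value
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
}

$before = Get-RdgClientTransport
Write-Host ("Before: " + $(if ($null -eq $before) { '(not set)' } else { $before }))
Set-RdgClientTransport -Value 1
Write-Host ("After:  " + (Get-RdgClientTransport))
```

To undo it, `Remove-ItemProperty -Path $path -Name $name` takes the value back out; as the post notes, no reboot is needed either way.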

SmartThings Home Automation – Laundry Alerting

I have tried to create a fully automated “Smart Home” using many technologies with integrated workflows and automation. Alerting when the washer and dryer have finished their cycles has been one of the most convenient automation features for my wife and me. I can’t tell you how many times we have started the laundry, forgotten about it, and had to rewash the sour wet clothes. Here is how we do it.

First, an explanation of how this works.

I have my washing machine and dryer each plugged into their own Z-Wave power-metering switch/plug. This gives me insight into how much energy each is using and when they are powered on vs. off. I use these plugs specifically: Zooz Zen15.

When we start a load of laundry (washer or dryer), these Zooz power switches sense the energy being used, and the SmartThings Hub assumes (correctly) that the laundry is running. Since there will always be a tiny bit of power being used, even when the laundry isn’t running, it only assumes the laundry is on when power usage exceeds 10 Watts. This power usage fluctuates during the cycle, especially for the washing machine, so the rule I have set in place is to monitor the usage and alert my phone when the laundry is done. It knows the laundry is finished when the power usage drops below 8 Watts for 4 minutes. BOOM! Perfect solution, and it works every time.
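The logic above is really a two-threshold state machine with a hold-off timer, and it is worth seeing why the “below 8 W for 4 minutes” part matters: a washer pauses between fill and spin, and without the timer you would get a “done” alert mid-cycle. Here it is as an added PowerShell example (my own code, not the Better Laundry Monitor SmartApp) run over constructed meter readings; the 10 W / 8 W / 4-minute numbers are the post’s, the sample data is made up.

```powershell
# Added example, not SmartThings code: the laundry-done rule from the post as a
# state machine over power-meter samples. A cycle is "running" once draw exceeds
# OnWatts, and "finished" once it has stayed below OffWatts for OffSeconds.
function Get-LaundryEvents {
    param(
        # Samples as objects with Seconds (elapsed) and Watts, in time order
        [Parameter(Mandatory)] [object[]] $Samples,
        [double] $OnWatts    = 10,
        [double] $OffWatts   = 8,
        [int]    $OffSeconds = 240
    )
    $events   = @()
    $running  = $false
    $lowSince = $null    # time at which draw first dropped below OffWatts

    foreach ($s in $Samples) {
        if (-not $running) {
            if ($s.Watts -gt $OnWatts) {
                $running  = $true
                $lowSince = $null
                $events  += [pscustomobject]@{ Event = 'Started'; Seconds = $s.Seconds }
            }
            continue
        }
        if ($s.Watts -lt $OffWatts) {
            if ($null -eq $lowSince) {
                $lowSince = $s.Seconds
            } elseif (($s.Seconds - $lowSince) -ge $OffSeconds) {
                $events  += [pscustomobject]@{ Event = 'Finished'; Seconds = $s.Seconds }
                $running  = $false
                $lowSince = $null
            }
        } else {
            # Draw came back up (washer agitating or spinning after a pause): reset the timer
            $lowSince = $null
        }
    }
    return $events
}

# Constructed readings: idle at 2 W, a cycle starts, a 90 s pause mid-cycle that
# must NOT trigger an alert, then idle long enough to count as finished.
$samples = @(
    @{ Seconds = 0;    Watts = 2 },
    @{ Seconds = 30;   Watts = 450 },   # cycle starts
    @{ Seconds = 300;  Watts = 120 },
    @{ Seconds = 330;  Watts = 3 },     # pause between fill and spin
    @{ Seconds = 420;  Watts = 3 },     # still paused (90 s, under the 240 s hold-off)
    @{ Seconds = 450;  Watts = 380 },   # spin resumes: timer resets
    @{ Seconds = 1800; Watts = 2 },     # cycle ends
    @{ Seconds = 1980; Watts = 2 },
    @{ Seconds = 2040; Watts = 2 }      # 240 s below 8 W: finished
) | ForEach-Object { [pscustomobject]$_ }

Get-LaundryEvents -Samples $samples | Format-Table
```

Running it yields a single Started event at 30 s and a single Finished event at 2040 s; the pause at 330-420 s produces nothing because the draw rose again before the 240 s hold-off elapsed. The gap between the 10 W on threshold and the 8 W off threshold is what keeps a load hovering right around one number from flapping between states.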

Here is what you will need to pull it off, and I assume if you are reading this, you are already a SmartThings user and have some idea of how the IDE works.

After you have added the “Better Laundry Monitor” device type in your SmartThings IDE, go into your SmartThings app, Marketplace, Smart Apps, and scroll down to My Apps.
See Video Below


Update Plex Plugin on FreeNAS 11

If you are rocking your own FreeNAS storage at home or in the office, you’ll know that FreeNAS’ built-in plugins are hardly up to date. Updating the Plex plugin is fairly straightforward.

1. SSH to your FreeNAS
2. Type: jls
3. Take note of the jail number of your Plex plugin
4. Type: jexec # csh (where # is the number of the jail noted in the last step)
5. Type: fetch -o PMS_Updater.sh https://raw.githubusercontent.com/mstinaff/PMS_Updater/master/PMS_Updater.sh
6. Type: chmod 755 PMS_Updater.sh
7. Type: ./PMS_Updater.sh -u PlexPass_User -p PlexPass_password -a

Keep in mind that step 7 puts your PlexPass credentials on the command line, so they end up in the jail’s shell history and are visible to other users via ps while the script runs; clear the history afterwards if the jail is shared.


vSphere Web Client Integration Plugin Not Working

When managing your vSphere environment using the web client (or being forced to in 6.5+), the Web Client Integration plugin is required to make use of many features the web client has to offer, like remote console, enhanced authentication, and deploying OVF appliances.

If you have downloaded and installed the plugin, but IE, Chrome, or Firefox does not activate it, the problem can most likely be resolved by doing one of the following:

  1. Add the vCenter FQDN to the trusted site list:
    For vSphere 6.0-6.5: https://vCenter_FQDN
    For vSphere 5.5: https://vCenter_FQDN:9443
  2. Add the vCenter FQDN to the Local Intranet list (IE & Chrome)
  3. Uninstall Plugin, Clear Cache/Cookies, Reinstall Plugin, and Repeat option 1


HPE Proliant G7 Servers and vSphere 6.5 Purple Screen of Death

Upgrading VMware to ESXi 6.5 on HP G7 servers will crash, cause you to scream, and require you to waste your time building a custom ISO that HPE could easily have done.
Best practice is to use the vendor’s custom ISOs that have the hardware drivers integrated, so I used HPE’s latest custom ISO.

HPE G7 Server support is being dropped by both HPE and VMware. In fact, vSphere 6.5 is supposedly the last version that will support the G7s. Knowing this info, I assumed upgrading from ESXi 6.0 to 6.5 on G7 would work, but I found out quickly that after the upgrade the hosts would “Purple Screen of Death” (PSOD) right after boot.

The Error: “PF Exception 14 in world 67667:sfcb-smx IP 0x0 addr 0x0”

The Issue: There are incompatible drivers in the customized ISO from HPE. Yes, more than one driver has issues.

The Workarounds: There are various workarounds that I have personally found to work, while others are resolutions I read about after I dealt with this, so I was not able to verify that they do indeed work, but I will list them nevertheless. Upgrading the firmware, BIOS, etc. did not resolve the issue.
Note: All these workarounds require a fresh install of ESXi. Running an upgrade does not remove the incompatible drivers, and the host doesn’t stay alive long enough before crashing to manually remove them via SSH.

Solution 1: Use VMware’s Standard ISO Media
While this goes against many best practices, VMware doesn’t offer too many vendor drivers in their ISO builds, so the offending drivers do not get installed and crash the system. While you can certainly use this method, you will want to follow up and manually install the appropriate driver VIBs from HPE.

Solution 2: Build your own Custom ISO
This takes a bit more work, but is probably the most comprehensive path to resolution. You will basically need to remove drivers from the HPE Customized 6.5 ISO and inject those from the 6.0 ISO. The following are instructions on doing this.

Create Custom VMware ESXi Media

Prerequisites:

Instructions:

  • Launch vSphere PowerCLI

  • Add the HPE ESXi 6.5 image bundle
    Add-EsxSoftwareDepot -DepotUrl C:\ESXi\HPE-6_5.zip

  • Check the profile
    Get-EsxImageProfile

  • Copy the profile
    New-EsxImageProfile -CloneProfile HPE-ESXi-6.5.0-OS-Release-6* -Name "G7-ESXi"
    Use "HPE Custom" for Vendor when prompted

  • Check the profile
    Get-EsxImageProfile

  • Remove the driver from the image
    Remove-EsxSoftwarePackage G7-ESXi hpe-smx-provider

  • Add the HPE ESXi 6.0 image bundle
    Add-EsxSoftwareDepot -DepotUrl C:\ESXi\HPE-6_0.zip

  • Check the profile
    Get-EsxImageProfile

  • View both drivers in the two bundles
    Get-EsxSoftwarePackage | findstr smx

  • Add the necessary driver into the custom build
    Add-EsxSoftwarePackage -ImageProfile G7-ESXi -SoftwarePackage "hpe-smx-provider 600.03.11.00.9-2768847"

  • Convert your custom bundle to ISO
    Export-EsxImageProfile -ImageProfile G7-ESXi -ExportToIso -FilePath "C:\ESXi\G7-ESXi.iso"

  • Now take that ISO file that was created and use it to do a FRESH INSTALL. (Remember, upgrade will not work.)
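If you would rather run the whole thing in one go, here are the same steps as a single PowerCLI script with a sanity check before the ISO is written. This is an added example, not HPE’s or VMware’s code and not something from the original post; it assumes the two HPE depot zips are at the paths used above, keeps the post’s profile name and the 6.0 provider version 600.03.11.00.9-2768847, and bails out if the profile does not end up with exactly that one smx provider.

```powershell
# Added example (not HPE/VMware code): build the G7 ESXi 6.5 ISO end to end.
# Run inside a PowerCLI session. Depot paths are assumed to match the post.
$depot65 = 'C:\ESXi\HPE-6_5.zip'
$depot60 = 'C:\ESXi\HPE-6_0.zip'
$isoOut  = 'C:\ESXi\G7-ESXi.iso'
$package = 'hpe-smx-provider'
$oldVer  = '600.03.11.00.9-2768847'   # the 6.0 provider that does not PSOD on G7

# 1. Load the HPE 6.5 depot and locate its release profile
Add-EsxSoftwareDepot -DepotUrl $depot65 | Out-Null
$base = Get-EsxImageProfile -Name 'HPE-ESXi-6.5.0-OS-Release-6*'
if ($base.Count -ne 1) { throw "Expected exactly one HPE 6.5 release profile, found $($base.Count)" }

# 2. Clone it under a new name/vendor and drop the offending 6.5 provider
$custom = New-EsxImageProfile -CloneProfile $base -Name 'G7-ESXi' -Vendor 'HPE Custom'
$custom = Remove-EsxSoftwarePackage -ImageProfile $custom -SoftwarePackage $package

# 3. Load the HPE 6.0 depot and pull in the older provider by exact version
Add-EsxSoftwareDepot -DepotUrl $depot60 | Out-Null
$old = Get-EsxSoftwarePackage -Name $package -Version $oldVer
if (-not $old) { throw "Package $package $oldVer not found in the 6.0 depot" }
$custom = Add-EsxSoftwarePackage -ImageProfile $custom -SoftwarePackage $old

# 4. Verify before exporting: exactly one *smx* package, and it is the 6.0 one
$smx = $custom.VibList | Where-Object { $_.Name -like '*smx*' }
$smx | Format-Table Name, Version
if (($smx | Measure-Object).Count -ne 1 -or $smx.Version -ne $oldVer) {
    throw 'Custom profile does not contain the expected smx provider; not exporting'
}

# 5. Write the bootable ISO for a fresh install
Export-EsxImageProfile -ImageProfile $custom -ExportToIso -FilePath $isoOut
Write-Host "Wrote $isoOut"
```

The check in step 4 is the part I would not skip: if the package name in a future HPE bundle changes, Remove-EsxSoftwarePackage will fail loudly, but if the 6.0 depot ships a different version than expected you would otherwise burn an ISO with the wrong provider and only find out at the next purple screen.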

Find Unknown Wireless Password for Aruba Wireless SSID

If you don’t remember what password you or another administrator set for a particular SSID on an Aruba wireless controller (or Instant Access Point), you can find it by connecting to any access point via SSH, Telnet, or console and running the following command:

show run no-encrypt

Scroll up until you get to the wlan ssid-profile section; the password will be listed next to wpa-passphrase. This also means anyone with CLI access to the controller or IAP can read the PSK in clear, so management access should be restricted accordingly.

If you had just run a show run without the “no-encrypt”, you would have seen a random hash like this:


vSphere 6.5 – Transport (VMDB) error -45: Failed to connect to peer process

While upgrading some Cisco UCS B200 M3 Servers from vSphere 6.0 to 6.5, I ran into an error that I could not figure out. After upgrading the first Cisco Blade to 6.5, I could not vMotion any VMs from the older 6.0 host to the newly upgraded 6.5 host. I would get the following error:

Transport (VMDB) error -45: Failed to connect to peer process

I was able to vMotion a powered off VM to the new host, but when I attempted to power on the VM, I got the same error: Transport (VMDB) error -45: Failed to connect to peer process

After poking around for a while, I decided to turn to the VMware community, where I was mostly seeing this error with people using Workstation and Fusion products, but there wasn’t much going on with ESXi environments. I made sure to use the ESXi 6.5 Cisco media for the original installs and this upgrade, and I assumed there had to be a driver/component issue with all of this. I tried updating by booting into the ISO and running the upgrade from there. After attempting to manually upgrade drivers and firmware, the solution that worked for me was the following:

Reinstall the freaking host from scratch!

There you have it. Such a simple solution 🙂
Honestly, I have no idea why the reinstall was necessary. I ran into the same issue again when trying to upgrade that second host, and I even tried upgrading it using an alternative method (using ESXCLI and Update Manager), but no luck.

I did not call VMware Support on this, but I did submit the bug report. I would love to hear from someone who figured out the root cause and workaround.

Enterprise Wireless Access Points Benchmarks: Cisco, Aruba, Meraki, Aerohive

As more and more aspects of a business now require some type of mobility, the companies that sell you a way to connect them all together are a dime a dozen. I have spent a considerable amount in my pursuit of wireless knowledge. I have also spent a LOT of time (just ask my wife) with some of the access points I have benchmarked, and can say I know them fairly well. I’ve decided to take them head-to-head in various tests and provide my readers with a quick and simplified version of the detailed data I collected during this process, a process that will be a “work in progress” as I find new testing criteria and new hardware to play with. Two of the tested access points are 802.11ac Wave 2 devices, which can provide over 1 Gb of throughput using bonded links or mGig, but all APs were tested with a single 1 Gb Ethernet link (no LAGs).

The Access Points I will be benchmarking are:
Cisco Aironet 1830i (802.11ac Wave 2)
Meraki MR42 (802.11ac Wave 2)
Meraki MR18 (802.11n)
Aruba 225 (802.11ac)
Aruba 205 (802.11ac)

Let me preface this with a disclaimer that I have no official training or degree in the methodologies of benchmarks. I have tried to take what I believe are some real world tasks a user will encounter daily, and tested them in the best way I know how. I will explain my testing environment, and how I chose that environment, and then move onto the actual benchmarks.

Client OS and Wireless Chipset
2015 Macbook Pro – OS X 10.11 (El Capitan): Broadcom BCM43602
Lenovo T450S – Win 10 Pro: Intel Dual Band AC-7265 (Integrated)
Lenovo T450S – Win 10 Pro: Netgear A6200 (USB 3 Adapter)

Results: I ran a 1 GB file upload and download to a local server using each of the above clients. I ran these tests three (3) times on each, took the averages, and compared them with each other. I found they were each within ~1/20th of the upload/download seconds, and the throughput difference was also negligible. I used the Lenovo with the integrated Intel chipset for the official benchmarks.

Environment
I placed each access point 9’ high and tested each client ~12’ away. I used the exact same placement for each test. I only had one AP powered on during each test, and these tests were done in a very secluded area, with absolutely zero interference from neighboring Wi-Fi or microwave signals. Acrylic Wi-Fi Professional was used to verify this. Each access point was connected via PoE. No other devices were connected to the access points besides my client machine.

Network Backbone
The bulk of these benchmarks tested local upload/download speeds of files on the local LAN. I tested the access points using two switches, the first a Netgear GS728TP and the second a Cisco Meraki MS350. Surprisingly, I was getting lower latency on the Netgear switch (between 1-3 ms), and used the Netgear for the official benchmarks.

Internet Speed Tests
The Internet speed tests were semi-irrelevant, since some of these APs can download/upload much faster than my Internet plan and modem allow. I am using Comcast Xfinity Blast (105 down/10 up), but it looks like Comcast is allowing me to burst above those speeds. I am using a Motorola SURFboard SB6121 DOCSIS 3.0 modem, which has a ~172 Mbps max throughput, which would be the weakest link even if I had faster Internet. What is interesting, though, is that all these access points support multiple streams, which should allow Internet speeds on the 2.4 GHz band to exceed the results I am getting in benchmarks. Am I missing something on this opinion?

2.4 GHz vs 5 GHz Tests and Features
Each access point offers its own array of extended features and configurations, some of which are unique to the access point. Most of these features really only shine under a multi-device scenario, so I think the single-device head-to-head benchmarks are fairly accurate, as these unique features aren’t needed. 5 GHz tests were done by shutting off the 2.4 GHz radios and vice versa. Attempts to “tweak” some of the default settings to more “optimized” ones had little effect, and in some cases made things worse. Again, these access points are made for the enterprise and are built to handle multiple users with multiple devices. I welcome any feedback on any of these testing mechanisms.

OK, now the good stuff. Here are the results! I ran each aspect of the benchmarks three (3) times and took the average of those results. Some results were surprising and seemed odd; they were re-tested, but the results were similar. Here we go!

Test 1: 20 MB File Transfers over 5 GHz Radios

Test 2: 20 MB File Transfers over 2.4 GHz Radios

Test 3: 1 GB File Transfers over 5 GHz Radios

Test 4: 1 GB File Transfers over 2.4 GHz Radios

More benchmarking to come. This is definitely a work in progress!

Exporting VMware Logs for Analysis

Sometimes there are issues that arise with your VMware environment that require advanced troubleshooting from VMware Technical Support. Sending them your VMware logs preemptively or upon request is a great way to get to the bottom of an issue.
To get those logs, just do the following.

– Open vSphere (vCenter)
– Click File – Export – Export System Logs

– Select all System Logs

– Choose a location to Download Them
– And Watch the Progress of the Download

It may take a while to gather and export all the logs, but once finished, you can FTP the logs to VMware Support for further analysis! Keep in mind that the bundle contains hostnames, IP addresses, and configuration details, and plain FTP sends it unencrypted, so use the secure upload option Support gives you where one is available.
