Setting up a Palo Alto Networks VM 50


Heyo! It would seem the awesomeness of spring has sprung on to us, and that delightful sun’s warm and longer days just feel so awesome in the wake of a cold long winter.

Anyway…. PAN TIME. so I finally got my auth codes I’ve been waiting on. To start you need to get a deploy-able image from a Value added reseller (VAR). Since Palo Alto has no public download for their VM series firewalls. Not a huge fan of their tatics on this one, honestly I believe education should be free and easily accessible. SO this is one area where I do tend to have to give PAN a thumbs down. However when it comes to security, and granular control of said security it is really nice.

Installing PAN VM 50

Deploy the OVA

For my Lab I’ll be using ESXi and an OVA deployment file. So on the vSphere Management, File -> Deploy OVF template. (If you are using the web management, follow this)

In this case my A drive is a mapped drive of all my applications and images, although I did request a newer image than 7.1 as that is rather old and I was hoping for 8.x for 9 even, but I’m hoping I can just update the VM software with my auth codes once I get the VM up and running.

Next you’ll get some details about how the VM will be deployed, simply ensure you have enough resources available to meet the deployment needs.

Click next to assign and name and location for the VM info and VHDD.

I gave it a generic name then the PAN OS number as again, I’m hoping to upgrade it with my auth codes. After that select the datastore to use, I used the local datastore for this VM, and stuck with thin provisioning after that, click next to begin the deployment. depending on your network connections and datastore selection, this time may vary.

Not sure if the copy of the file to my network share got messed, but every-time I deployed it from the share it failed, so I grabbed my IODD device where I had the initial copy, deployed it from there, and it worked.

Yay! Alright time to check its settings.

Alright a couple NICs I was expecting more than that… Anyway normally PAN devices are headless and you can’t see the boot process unless you connect to a serial port, but VMs have direct console, soo I’ll set the NICs not to be connected at the moment as I don’t want them to be in my home NATed network.

Powering on the VM

So disconnected the virtual NICs and booted the VM:

Then I got a login prompt, rather quickly, but don’t be fooled, you have to wait…

After a couple minutes, you’ll get the real login prompt.

Set Admin Password

Now that we got the VM up and running we should change the password:

As you can see it’s not cisco, so short wording doesn’t work. Also just to show that you don’t enter a password at the cli, you enter the word password and it will ask you for them without printing them back to the screen (thumbs up).

Don’t forget to commit. Now we need to figure out how to configure the mgmt IP address… mhmm

Set Management IP Address

So since I wanted to be able to manage this VM easily in my current home network “VM Network” vSwitch on my ESXi host, first I pinged an IP and ensured it was available. Then on the PA VM I ran:

Configure (get into configuration mode)

set deviceconfig system ip-address netmask default-gateway


Then I opened the VM settings and enabled the connect:

Then tested my pings again, and success πŸ˜€

K, so now that we can ping the management IP let’s see if we can access the web interface, and if so hopefully that should be all we need to do at the CLI. I love CLI commands and stuff, but for most management I like GUI’s unless it becomes doing something x number of times, then scripting via the CLI is a necessity.

Access the Web Interface

Once you access the VM’s IP in a local browser you shouldn’t be surprised to be presented with this:

Usual certificate security and warning of un-trusted due to self signed.. yada yada, advanced, proceed….

Mhmmmm I really miss that 7.x Web look, just the right amount of color…

If my upgrades go successfully I’ll be able to show you the new login, a tad more bland….

Awww man, just look at that delightful dashboard, the system info, haha unknown serial in VM mode with no license (yet) πŸ˜› I like how it even shows my two login sessions (CLI and Web).

As well as of course the usual, PAN Tabs (ACC, Monitor, Policies, Objects, Network and Device) mhmmmm so delightful.

Now my main goal of today and this post is simply to get the VM booted up, but also updated. Now I can’t do that without a license, which I got just a couple days ago. Now sadly I can’t share these with you, but I can tell you how to accomplish the task.

Managing Licenses

Click on the Device Tab -> Licenses

In my case I can’t remember if I had uploaded it to my usual PA login account online, so for now I will be using #2 Activate via Auth Codes.

First things first though, set the DNS servers.. :S whoops lol

Device -> Setup -> Services -> edit -> Primary and secondary DNS servers

So even after that I kept getting communication error message, so I googled.

After that I figured they are doing their usual ways, and locking this down in some other form that doesn’t provide any nice error message to try and stop use of these images if they leak, and it’s extremely frustrating for legit users… not gonna lie.

So I decided after I got my DNS up n running to apply the Auth code again and this time I got a different error, that my auth codes have to be registered to my support account before i can create and register the VM… ughhhhhhh

This as you can see is the real annoying side to any DRM. Let me jump through these hoops and come back to this post in a little bit… :S

Alright, so I logged into the online suport portal, found the section to register my auth codes, did that, then jumped back into the VM web and entered the auth codes again, this time it didn’t complain, the VM showed it was rebooting while the web interface stayed at the licenses section… odd haha I was going to take a snippet of that happening but the reboot was rather quick.

Since I knew the VM had rebooted as I saw it via the vSphere console window, I gave it a couple minutes before navigating to the web interface.

Sure enough after logging in again, I know have a serial number defined on my PA VM. πŸ˜€ I hope now I can actually check for updates without getting a generic, false error message…

Yes! So many PAN OS’s to choose from…. but sadly no PAN OS 9… or 8.1.x for that matter… Well that sucks I was hoping to be able to play around with TLS 1.3… oh boy… maybe I have to upgrade first?

Upgrading PAN OS on PA VM 50

Sooo I selected 8.0, downloaded and configured into software manager successfully awesome! Install failed, not enough memory…. nice.

Well considering it’s a VM which are amazingly salable in this regard I won’t blame them here, the message is to the point. I’ll just shutdown the VM and up it’s memory…

Device -> Setup -> Operations -> Shutdown Device

Yeap… System is shutdown. lol

Bammmm more memory like that!

You got me again, you can code for the validation, but you can’t code the process to do that for me eh…. they could, they just didn’t want to.. so let me jump through some more hoops…

Dynamic Updates -> Check Now -> Apps n Threats -> Download (8136-5163 at the time of this writing) -> Install

Yay, at least that worked without some issue to overcome. Let’s try that software upgrade for a third time. Third times the charm right?

SO far so good, device needs a reboot, OK. πŸ™‚

And here it is.. the bland 8.0 login .. πŸ™

Just no color, no life… just go look and compere the login before and this one, I even liked that they had a soft indent of their logo in the background, made it feel so elegant to this… so minimalist…

As for the software, upgrading to 8.0 did make 8.1 available… but still no 9.0 errr lets upgrade again and see… ooo yeah…. there it is… 9.0!

So I can… Yeeee, I dunno if I’ll do it just yet, but good to know I can when I want to.


Overall the deployment and use of the PA VM is very good. I’m rather excited to get my SSL inspection rules setup for some stuff… πŸ˜€ as well as cover other blog posts covering some more in-depth setups and configurations.

In my next post I’ll cover actually setting up some zones and network configurations. or I might even just show how to migrate a physical configuration. In this case since I won’t have a 1 for 1 NIC assignment there would probably be some tweaking required, maybe even before the firewall would accept the config file. but we’ll cover that when we get there. πŸ˜€


OpenShot VS ShotCut

The Story

Hey all! Zewwy here!

An LGR Thing

This is going to be a pretty short boring post. It’s my birth month so I’m going to be enjoying it as much as possible. This happens to include plenty of LGR watching… if you are unfamiliar with LGR it’s Lazy Game Reviews by Clint, on YouTube. Check out his Channel here….

I don’t know why I’m so addicted to his video… but I am.. good job buddy.

Anyway… LGR has sort of… inspired me, in a sense… that I dusted off the old computer that I built years ago, and not only attempted to get it working…. but attempted to get it working, running all version of windows known to man!

Sadly to say, although I did get MS DOS 6.2, Win 3.11 and Win95 all up and running, I was not able to get the main board drivers or video or sound drivers working on these really old legacy OS’s… So running yes, basic apps, yes… Sound.. no, 256 color…. no… USB…. nope… mouse… nope, just the basic apps on a low res window manager with a keyboard….

However, I did manage to get Windows 98SE and Windows ME almost working 100%! πŸ˜€ also lucky for me since these particular old OS were still built ontop of MS DOS, instead of having a dedicated standalone kernel and simply providing a CMD prompt (XP and onward era OS’s). I was just unable to get the network driver going (although I did read on the (like this form section) that someone did manage it with custom drivers… but that I have no accomplished myself… yet. I also got XP, Vista, and Windows 7 all running as well (I could only run with generic MS drivers for the video card on Windows 7, and the driver signing enforcement prevented me from being to utilize custom drivers… arg, there is a driver signing tool (self sign) that you can use to self sign the drivers, but I had no success in this as there was no direct guide in what files you had to sign and how as the app was not very intuitive, and no guides telling you exactly what to do was found.)

Anyway, I’m going off on a tangent here and I will cover this awesome bare metal machine in more details in another post… or video (ooo is that foreshadowing???)

So I ended up ordering a huge box of old DOS/PC games after completing this build… I mean I got an old machine running 98/ME/XP/Vista/Win7 The range is unbelievable, I can review so many games from 1 machine! Bare metal! none of this VM stuff, or DosBox… Although emulators such as DOSBox do have some amazing features and enhancements… I just love hearing the spin of those old drives, and just simply installing it directly from a CD-ROM and all that jazz.

When I got my box, I just had to grab my camera in LGR fashion, and record my excitement and joy of getting this huge box of games. Out of this mystery box the first magical game I pulled out was….. Micorsoft Soccer 95!

So yeah! I made my first game review video, just like LGR… obviously nowhere near as awesome as LGR… but it’s a start.

First Software Tests

Now clearly there were a couple things I wanted to take care of and the first thing and that was covering the product ID of the game… I wanted to blur it… but.. I googled for open source video editors and the first I came across was OpenShot, now OpenShot does not have that feature built in (Bluring an area of the screen) which I felt lacking, then I noticed whenever I would load my video footage of even a couple minutes my CPU would go %100 and get stuck there for a long time, attempting to remove the track simple caused the app to become unresponsive. So I gave up on this editor at this point, and tried out ShotCut.

ShotCut Wins

ShotCut has this ability to blur a section of the screen, but since I was just starting out with video editing, I decided to take the lazy approach and use the scale and rotate filter, to raise the video of the certificate above the area of the product key. I did this using the cut option when i started to show the disc up close, and cut it again when I checked out the back of the jewel case.

ShotCut was really nice and informed me that my video was of a variable bit-rate which would be difficult to work with and ask to convert it to fixed (so must have built in transcoder, maybe Handbrake? built it to handle that) which I found was really nice and it would tell you how far along the process was, the CPU did go to 100% at this point however I had a progress bar, and it didn’t take all that long. Next thing you know I was editing and making clips together.

Then I used the same cut options to create a start cut area, and a stop cut area to cut out areas where I would end up yammering on about nothing, and speed them up.. saved everyone a bunch of time… this doesn’t provide privacy of what I actually said, if someone managed to playback the sound really slow, they would be able to figure out what I said. It was more for seeing how the track gets shortened, and have to butt up the other ends of the spliced tracks. I didn’t provide a video link here, as all it took was cutting areas of the track and then checking that sliced areas properties (highlight the sliced area, make sure you have the properties window available (enable it under the view tab option) you should see the sections “speed”)

Then I learned how to do a voice over. πŸ˜€ This along with a volume filter, finished of the video nicely. Again this was a very basic touch of ShotCut and I hope to use it more. It seemed realllllly good and less buggy then OpenShot.

I like them both as they are both open source, but the fact one of them caused CPU run away and couldn’t even play the project video at this time, and crashed when you would remove the item form the track, without any indoctrination what it was doing, was just a sure “I can’t use this app” sign for me. I hope it does well or at least maybe some other open source devs maybe pitch in their time to help it out, but I’d personally stick with ShotCut (Also they just recently supported keyframes, sooo yeeee!) Use it! πŸ˜€

I’ll quickly mention here that others have also mentioned Davinci Resolve 15, which runs under a free License, but is closed source. I have heard great things about this app, but closed source is just not for me unless it’s business derived software for a business purposes and is backed and funded by the big business boy’s. (I personally love GitHubs new model under Microsoft) So this app just leaves me wondering, how are they making their money?

If you are OK with possible personal data being sold (with Facebook and Google, not sure it really makes any difference really) then I’d probably give that software a shot too. I’ll stick with FOSS for now. πŸ˜€

Sorry this post got longer than I had expected. But I hope someone finds it educational. πŸ™‚


Ubuntu – No Boot Device Found

The Pain

This shouldn’t be this hard. πŸ˜€ The opening lines of another persons blog who experienced the exact same pains I experienced today, the difference?!

I learnt the actual root cause (which I will be sharing with you all) and I learnt something. Which is always nice, and probably be remembered… cause the more painful… the more memorable. So lets get started!

The Story

I have recently setup a camera recording server at my work using Shinobi (another blog is in bound, just you wait!) S omy goal was to give it dedicated hardware over it being a VM to reduce the CPU impact on other servers and services.

Grab Ubuntu live 18.04.2 LTS server edition. How you decide to boot this image is on you, Create a USB image with etcher or rufus, go nuts, burn an actual DVD sure why not, use an amazing device called the IODD (seriously get one… it’ll save you hours of burning/imaging time, and discs).

Boot, run through the installer, and….

No Boot device found…

Uhhhhhh what? OK…. I’m sure I picked the right drive, and there’s only one drive installed in the laptop… and it’s the only one in the boot options… and the only one that was available in the installer… what gives?


The first logical area to guess was what the BIOS/UEFI was setup to do for it’s boot options. As the source blog mentions the HP BIOS is not all that great or intuitive so it was casuing me some grief. However, at first I just wanted Ubuntu to boot. I don’t care how!

BIOS (Legacy)

So I set the HP boot option to Legacy (No UEFI features what so ever, boot you bugger!)

Booted GParted Live x86, fried all partitions leaving a clean allocated disc.

Booted Ubuntu-Live-Server-18.04.2, install….

No Boot Device… WTF!!!

OK, I have legacy, it creates a 1MB bootloader partition, but it won’t boot…

I spent a while talking to people on #Ubuntu on Freenode IRC but wasn’t getting much further in a solution although many great people there were trying everything they could think of to help. However, as usual I just kept narrowing my google searches…

After multiple dead ends, I found this one, and it was exactly the next thing I was going to try anyway as I saw the option on Ubuntus website..

The Alternate Installer

So I downloaded the alternate installer which turns out also to be an offline installer and doesn’t require an internet connection either to install. To my amazement just like the source link. The alternate installer worked and the bootloader seems to have created the required GRUB somewhere on the main partition instead of a separate 1MB bootloader partition? (from my memory of the wizard, I’ll have to double check as I no longer using this build).

Nice! But then how do i get UEFI to work… there must be something I’m missing here…


So going back to the source Blog at the top that stated this shouldn’t be this hard, and he’s right by the way. The only reason this is hard, is for one reason… My own stupid ignorance. So let’s learn something.

Unfortunately he isn’t exactly sure what the issue is or what the solution is, cause really even after clearing my drive I was still getting No Boot Device even on brand new clean drives, so believe it or not, that is not 100% the problem, although I do agree when jumping between UEFI and BIOS OS’s installations on the same disc, or using any disc… clean it! (Either Diskpart CLEAN, or dd some zeros). Seriously it’s not about the parittions in this case, although having none is nice when going new. It’s about clearing the MBR.

With a new or uninitialized disc there won’t be a MBR or GPT and it will be usually created by the installers using (I’m assuming parted (for linux) and diskpart (for windows)). Now normally I would notice a difference in the bootloader right away in most distros when I would switch between UEFI and BIOS (Legacy mode), however in this case I noticed the same boot all the time. Until I set the settings to factory defaults, then it showed a different boot type (like it was finally booting the UEFI boot image that it was suppose to the whole time).

So what actually changed?!?!?!

To CSM or not to CSM

I had to double check what this exactly was, once this reminder was brought to me it’s like the light bulb went off. I checked the boot options, and was now using UEFI without CSM (native). While the setting I was usually switching between was UEFI with CSM, so it was booting the legacy Ubuntu installer, but creating a UEFI bootloader partition. You’d figured cause it’s still a UEFI boot partition and the BIOS boot settings where UEFI w/ CSM that it boot UEFI still without issue, but that was not the case. Once it was set to UEFI w/o CSM it sort of booted….

System BootOrder not found

UEFI you sure can be a PITA you know that! alright so I manged to get this message in the really fast boot loop it got stuck in after I finally got Ubuntu installed via UEFI.

However, it turned out if I smashed F9 to change boot order, I could see ubuntu actually listed in the boot menu, and no matter how I edited the UEFI boot order in the BIOS itself it wouldn’t boot automatically. If I selected it from the menu directly it booted… but not on it’s own. What gives now?

Secure Boot Keys

In this case Secure boot was still enabled, and it had been set with a set list.

I basically Disabled secure boot, cleared the secure boot keys and rebooted.

I’ll double check if I had re-enabled it (I should). however this was enough to get Ubuntu to boot without intervention.


I like learning, and it took me only a couple hours vs days unlike the source blog I shared. but still….. PAINFUL

  1. Check your BIOS settings (ensure UEFI no CSM)
  2. Your Drive is CLEAN! (No old Windows MBR or partitions)
  3. Disable Secure boot, and wipe old keys, then re-enable.

OPNSense for Exchange Reverse Proxy

OPNsense and Exchange

Unlike the German blog I reference below, I use a Palo Alto as my main device to handle normal NAT for the OPNsense box’s internet, as well as the NAT rule to allow HTTP Validation (which I covered in my last blog as it was causing me some issues). Another notable difference is I have a dedicated Datacenter zone which has it’s own dedicated NAT rules for internet access, but not direct NAT rules from the outside world (as it should be), which means no dirty double NAT (like it should be). Then once certs are setup, the OPNsense will reverse proxy the HTTPS requests for OWA, and hopefully Active Sync.

First however, I’m going to add a new VMPG network in this I called it (DMZ) and assigned it a VLAN (70). Since this is ESXi running on an old desktop with only 1 NIC (initially) I have to utilize VLAN to make the most out of the lack of physical adapters. Then I’ll need to create a sub interface on my Palo Alto, with the same VLAN tag of 70, and give it an IP address of This will be the subnet of the DMZ. Now you maybe wondering why I’m putting the subinterface and IP on my Palo Alto and not on the OPNsense VM, the reason for this is I use Palo Alto firewall to manage all the other networks in my environment. so all known routes will take place there.

The whole idea here is to get Active Sync to work, and the PANs do not support reverse proxying. So the idea is to have a NAT rule allow port 443 (HTTPS) from the internet to the OPNsense vm. so after the redesign I have 1 OPNsense VM ( – VLAN 70) and a new DMZ VR, with a new subinterface on the PAN ( – VLAN 70)


and the PAN…

So I added static routes between my Zewwy network and my new DMZ, as you can also tell based on the mgmt-interface profiles, I only allowed pinging the gateway, so the OPNsense ICMP request shown above to succeed.

I had to set the default gateway on the OPNsense VM via the CLI first in order to gain access to the OPNsense web UI

route add default

change IP based on your gateway. Then once in the UI go to:

System : Gateways : Single : Add

This was required to keep the default route persistent after reboots.


Well I was getting a bit stuck so decided to google a bit and sure enough a blog to the rescue, odd enough, it’s a German blog. Ich can ein klein beste duetch aber nicht sehr gut. So I picked translate…

I thought… oooo he’s on a VM on ESXi too, and installing VMtools nice… goto plugins… don’t see a list like him, and thought… Shiiiit, my OPNsense have no internet…

Sooo, I decided to give my OPN VM internet access to get updates and plugins (best move). I won’t cover this but basically required me to add a default route to the DMZ VR, create NAT rule and Sec rule, test pinging internet IP from OPN, and success.

OK so.. Now that the PAN is all setup, and we have tested our NAT rule for internet for the OPNsense VM… let’s just go over the OPNsense install…

OPNsense Install

On your Hypervisor or Hardware of choice, in my case ESXi New VM. πŸ™‚

In this case I know I/O is not a big deal so the local ESXi datastore will suffice for this VM:

Pick VM V8 (cause I’m still on ESXi 5.5)

FreeBSD 64Bit (for some reason we won’t be able to pick EUFI)

CPU: 2, Mem: 2GB, 1 E1000 Nic in the DMZ

LSI Logic Parallel SCSI, New 20 Gig Thin Prov Disk, Create VM.

Edit VM settings, remove floppy, Boot Options Force BIOS.

Open Console, and Boot VM. Disable Disekette A:

Advanced, IO Device Config, Disable All (its a VM we don’t need these)

Now, Select the disc part and mount the OPNsense ISO for booting:

Boot it! by Pressing F10 in the VM and save BIOS settings:

Mhmmmmm so delightful…. and now we let it load the live instance, while this live instance is good enough to start using, I don’t exactly feel like loosing my settings every-time it boots and having to remount my ISO from my local machine… so we’ll install OPNsense by logging in with the installer account:

As you can see it’s assigned our one and only NIC the LAN settings, to ease our deployment and the above section I striked out, we’ll be assigning the interface the WAN value. πŸ˜› anyway logging in the with opnsense password.

Mhmmm just look at the old style look, make me juicy…

*NOTE* if installing EFI based the input here may freeze… googling it quickly I only found one reference to the issue by a comment by eugine-chow

  1. Press CTRL + C (This exists the installer)
  2. re-logon on as installer account (This resumes the install with keyboard control

OK, Let’s go! Accept, Guided instillation! Pick Disk, for simplicity and low disk, we’ll just pick MBR… and look at that installation go… mhmmm humbling…

Set a root password:

Now reboot and unmount the ISO, now the boots quicker and our settings will be saved! First things first, assigning NICs… or should I say our one NIC, login in as root via the console. Press 1 to assign interfaces. Even though I showed VLAN assigning above that is used by the ESXi hypervisor and thus I select no to VLAN tagging here, and then specify em0 as my WAN NIC:

Now in my case it wait a long while at Configuring WAN interface, cauuse it’s defaulting to DHCP, and there’s no DHCP in the subnet… ugh, I don’t know why they don’t ask for IP assignment type in this part of the wizard…

now Select option 2 to set IP which should have been part of the wizard in part 1…

Now that is out of the way, we can access the OPNsense web UI from our Datacenter Laptop/VM… you won’t be able to ping it, but the anti-lockout rule will be created on the WAN rules so…

Follow the config guide… only important part being the upstream gateway:

And of course in my case since it’s being NATed the RFC1918 Networks will be unblocked as it’s using one πŸ˜› and NO LAN IP.

First order of business is going to be moving th eport off of port 80 as that will be needed for Lets Encrypt Validation (only cause my DNS provider doesn’t have the API for DNS validation yet).

Finally time for OPNpackages

OPN packages

Bammmmm that was easy!

OK, Firewall, since my OPNsense only has WAN, and it’s open, all security will be handled by the Pal alto, so I don’t want to open HTTPS from the internet to my the OPN sense just yet, till we create the other requirements.


Create a Real Server, in this case this will be our Exchange server as in the topology.

Now for a Backend Pool

He doesn’t mention any other settings so I just clicked save… I probably should have named the Backend pool better but meh.

Following the German guide I was a lil upset cause I was running OPNsense 19.1, it seems they changed the HAProxy options, however I did manage to figure it out after a while…

ACLs now Conditions

Go to Services -> HAProxy -> Rules & Checks -> Conditions

Add a condition, for testing I kept it simple as the blog I was following:

and then…

Actions are now Rules

Go to Services -> HAProxy -> Rules & Checks -> Rules

add a rule:

Frontends are now Public Services

Go to Services -> HAProxy -> Virtual Services -> Public Services

Add a public service:

Enable The HAProxy Service:

OPNsense Firewall Settings

Even though this VM wasn’t routing any traffic, I still had to create an allow rule under the firewall area before my PA firewall would see completed packets:

first attempts, gave site unavailable and my PA logs showed…

On OPNsense:

Firewall -> Rules -> WAN -> Add -> TCP (HTTPS) Allow + TCP (HTTP) Allow


basically allowing all TCP packets, after applying I was able to get the OWA page from my Windows 10 VM in the datacenter:

so now it’s going to basically be creating a NAT rule on the PA to see it from the internet… but before I get to that…


Now that I covered getting Let’s Encrypt to work behind a Palo Alto firewall I should be able to complete this part!

Lets Encrypt

Enable the service, and the extension to HAproxy, hit apply
Create an Account

I did select my exchange front end, even though I didn’t show it here, then I created a Lets Encrypt Frontend as exchange won’t deal with HTTP:

LetEncrypt FrontEnd

Well lets test this out… Create a Certificate..

Click save changes, but just before we click Issue Certificates, lets tail the log (/var/log/ to see the process… If you try to open it before you click issue it will fail cause the file only gets created on first run… so click issue and then quickly open the log file with tail command… if it gets stuck at ACCOUNT_THUMBPRINT something went wrong… and of course… something went wrong… ugh……

Mhmmm sure enough… Domain Key error on second try…

But if I alter my HTTP validation to…

and attempt to issue the certificate then I see in my its success…

but the UI will still show validation error even though it was issued successfully…

Let me see if I can at least assign this cert even though it may not be automatic…

seems like it… lets test…

Well at least that’s something… I’m not sure if the auto renewall will still work… if so I’m not sure exactly what the point of the HA plugin really is… I mean if you can specify the normal WAN and port 80 to validate the certs and seclt the cert to use on the public service… figured it work none-the-less right?

Well I guess well find out… now there one last thing I want to cover… but I’ll do that when I get it figured out again…

For now I’ll post this blog post as is casue it is getting rather long.

Cheers! OK NM I did it quickly…

Blocking the ECP

Under OPNsense HAProxy go to Conditions:

Then Rules:

Then Edit your Public Service settings and add the rules:

Finally test access to ECP via the Proxy…

Ahhhh much better… πŸ˜€ something not mentioned by the German blogger makes me wonder if I can access his ECP.. mhmmm

Alright that’s all for tonight. πŸ˜€

ZoneMinder on Debian 9

The Story

Alright… here we go again. So I wanted to install the latest ZoneMinder choosing Debian as my OS for stability reasons… I don’t like having to fix stuff, I do it enough for a living and can be rather stressful hahah. Read more on each visiting their respective websites.

However, like usual, and unlike Windows, Installing isn’t usually as easy as just double clicking an executable file… mhmm geez who woulda thought. And sure enough I was getting a bit aww struck by the pain of SecureAptthis is one of those cases where security hinders productivity, but alais its there for a reason.. even though the initial guide I was following did cover this part a lil bit… I wasn’t happy using a third party repo, and creating a hodge podge Debian setup, others in the #Debian IRC channel agreed.

Luckily the very helpful people there educated me on the backport repo πŸ˜€

With this info, I was able to setup ZoneMinder, like a boss… but that’s not good enough… I wanted others to have clean setups without me having to hold a dedicated image (too much size). So what better than a Open Source Script?

Yessss…. I spent my weekend polishing my BASH scripting so others can enjoy a clean ZoneMinder setup on Debian 9 too, using my simple script and following this guide!

Installing Debain9

Grab Debian 9 Net install from here (Note this is CD netinst direct ISO D/L) so ensure you are installing this on a compatible system with a network connection (internet). In my case I’ll be use VMs on ESXi.

Standard Install (no graphics), English, Canada, American English,

Hostname, domain (if you have one), set root password, create first user,

set user password, pick clock region, guided – use entire disk (unless you want to do more advanced disc partitions and configurations, not covered by this guide), All Files in one partition, yes disks partitions be created, and install base

All your bass belong to us, scan other cds (no), pick package manager mirror, Canada, first mirrtors fine for me, no HTTP proxy, survey no thx, unselect desktop enviro, and print server, and then select web server and ssh server.

Install Baby!!

*Double Tap Chest* Reboot!

Mhmmm a nice clean install of Debain 9…

My Script

Let me test this first…

What’s this? it’s checking to ensure permissions… wow πŸ˜€ ok let’s su to root..

OK, so far so good, this part takes a lil while on fresh install… Coffee Break!

Ahh DB security and setup time, enter a SQL root password (like enter one to be created, this can be anything), and follow the prompts…

change root (n) we just set it…

Remove Anon users: yes

disallow root remote login: yes

remove test DB: yes

reload priv tables: yes

Now enter the password you just created, three times as stated by each step.

Wooooo, checking the service statuses and loading the page! Bam!

There you have it, the easiest install of ZoneMiner 1.30.4 on Debian 9!

Alright, let me just create the repo for this puppy

K that’s done…. now Let me try one last run but by grabbing the actual script from the internet… directly from a brand new Debian 9 Install (again).

I’m going to publish this for now… and I’ll try something like this in a new VM.

Grab the source of the script, and save it to the server via SSH

I tried to grab the script with wget, or curl and push it into the shell but it would always fail on me.. :@ :(.

But if you save it locally and adjust the permission, it works fine….

Sigh, I really wanted to figure out a way to call it right from the source via my github repo. But since I can’t this works too for now…

I hope this helps others. πŸ˜€

Lets Encrypt HTTP Validation
And the Palo Alto Firewall

The Story

This…… this one…. this one drove me NUTS! for almost a week…. it was a lil mix of a perfect storm I guess… but lets start from the beginning shall we..

So a couple weeks ago i wanted to get active sync setup for my exchange server (Checking OWA sucks)… so I was sought after OPNsense for my open source firewall of choice.

I started following this German blog post, and I hope to have that blog post up very soon as well (sorry I don’t usually get hung up like this).

My setup was pretty much exactly the same however I was getting hung up on the plugin not validating my scripts over HTTP. See the full pain details here on github, anyway, I did finally manage to get my OPNsense server behind the NAT rule to finally succeeded behind my Palo Alto Firewall (by basically opening up the rule way more then I ever wanted to) so I knew! I knew it was the Palo Alto blocking still somehow… but how I couldn’t make sense so I wasn’t sure how to create my Security rule.

First try

My first try was exactly like the github issue describes, was failing on domain key creation, this failed even on my OPNsense with a Public IP and all rules exactly as the OPNsense basic guide states to set it up.

When Neilpang (the main script writer/contributor) said ti was fixed and no commit was applied, I tried again and it worked, I can only assume this was due to the fact DNS may not have replicated to the external DNS servers lets encrypt servers are configured to use when I first made my attempts at a cert validation.

That didnt’ explain why every attempt behind my Palo Alto with a NAT and security rule would fail…

The Palo Alto

I love these things, but they can also be very finicky. to verify my rule I had used my IIS Core VM (That I’ve used in previous posts on how to manage Windows Server Core) along with the HAProxy plugin on OPNsense to basically move the requests from the NAT rule of the Palo Alto but really serve up the IIS website of my IIS server. Not to my amazement, but sure enough I was able to access the IIS website from the internet, so my security rules and nat rules on the Palo ALto are working fine, as well as the security rules on the OPNsense server…. so what gives? Why are these HTTP Validation requests failing??

Again, as stated above I knew it was the Palo Alto from opening up the rule completely and it working, but I figured it was the issue even before I did that… but opening up the security rule completely is not the answer here… like it works but its far to insecure…

So I managed to talk to a friend of mine who happens to be realllllly good at deploying Palo Alto as he does it for a living. I basically describe my issue to him, and ask him if there’s anything he can think of that might be a problem. (I’ll hopefully be having a couple more Palo Alto blog posts as soon as I can get my proper licensed VM) To my actual amazement he goes on about this one setting you can use inside security rules and about a story about when it caused him grief…. go figure, he’s experienced it all!

What was it?!?!?!

Alright so here’s my rule I intially had, which was causing failures of the let’s encrypt OPNsense plugin…

AS you can see nothing really special, until he told me about… PAN DSRI or Palo Alto’s Disable Server Response Inspection you can check the link for more details. Now the funny part is that post covers better performance…. in my case, it was simply needed to work! And all it was, was a checkbox….

once that checkbox was selected, the rule adds a icon to it.

I was able to click Issue certificates on the OPNsense Lets Encrypt plugin, and I got some certs! I’m ready to now add the Let’s Encrypt HAProxy plugin integration and set these certificates for backend services… like my ActiveSync… or OWA… Ohhh exciting stuff!

Man that feels good to finally have that sorted! Wooooo!



I’ll try and keep this post short, as I have many things to catch up on, and this just happened to be one of those things I haven’t done in a while and had to do today for some newer servers that have been configured.

Now since I hadn’t blogged about this myself I went out to the interests to give me a good reminder on how to accomplish this. My first hit was, Sysops… and I usually really like this site…. well till i read this…

“Access denied should be self-explanatory. The credentials you use must have administrator rights.”

Ughhhhh I’m sorry what did you just say? No I don’t think so, WMI maybe, by default, restricted, but it doesn’t require such drastic permissions to utilize.

My second find was a lot nicer, in particular telling you how to manage those permissions, without ahem need administrator access lol.

So lets follow along shall we! so much for short..

First order of busy-nas is creating a user:

Of course WMI being Windows Management Interface, means I’m making obviously a windows domain user. Nothing special, especially no admin.. πŸ˜›

Again, nothing special here. Alright now I need two servers, well I guess in this case the server being monitored is sort of like a client… ugh anyway…

I guess fo r now I’ll just login to my exchange server and wmi query another server to test out first off… mhmm all I have besides that are core servers, oh boy ok… I think I’m going to need to spin up a new testing server one second…

OK all basic settings…

remove floppy boot into EUFI:

Boot system… attach disc from local host…

lets find us some windows erver 2016…. bug CD-ROM stuck “connecting”…
Close vSphere, reopen console, try again…

always loved this trick over uploading a ISO to a datastore….

Ahh modern Windows still giving off that great nostalgic feel.. πŸ˜€

yada yada, setup, vmware tools, and join domain, you get the jist of it.

Ping and the Firewall

First order of Business Ping and the Firewall!

Ahh yes connectivity verified (I knew it was good cause I joined the system to the domain, but I like ping… just nothing like a good ICMP) good thing that m is not a u….

Anyway time to run WBEMTEST, bet the first attempt fails cause the firewall again…. hour glass… and (not responding) yeah…. sounds like a stupid firewall…

What?! no way RPC error… lol I totally saw this coming cause again a default server installation doesn’t allow these connections through the firewall by default.

This is a bit old, but lets see if it still works…

Amazing it worked… but yes this was just to verify connectivity through the firewall… so…

WBEMTEST Testing WMI with Least Privileges

OK now that we verified connectivity to the wmi stack with wbemtest using our admin account, lets do it again as a normal domain user. Just to validate these credentials were OK as a standard user i logged into a normal workstation with it, if you want to protect this even further you’d use GPOs to disallow this account local logon. Anyway…

What?! Access denied… lol again expected.. now instead of granting this account admin access, which is overkill, lets grant it the basic enable and remote access on the WMI object… so back on the server we want to be monitored via WMI…

Hope that was easy enough to follow without even saying anything.. anyway lets try that connection again…

Try 2, Scale-able

Mhmmm access still denied… lets see here

This is how I normally do it for a monitoring account anyway cause it usually needs more permissions when mointoring a server so lets try it that way… revert the direct permissions… and grant performance group access…

Now lets add wmi reader account to the dcom groujps and the performance monitor group and reboot the server…

Server rebooting, back up, and lets test that connection again on wbemtest!


Bazzaaaaaa! An account thats not a admin anywhere with permissions needed to monitor your server with WMI! Use these accounts on software such as PRTG, Splunk, Zenoss, etc etc.

Hope everyone enjoyed this tutorial on WMI configuration and testing. πŸ˜€

WinXP a Timeless Classic

Something about it that I loved, I rocked the vista themed copy for so long, you know when the Vista Fiasco was the Windows 8 fisaco, that was the uhhh yeah anyway…

Just look at that dark epic theme, a couple pieces of junk, but nothing modern live tiles brings… a Japanese checkers board to appease someone with the shortest attention span one could ever imagine. But not this classic beauty, just look at that recycle bin, made from fine glass.

Holy ball sacks, I was able to download Chrome via IE7 and it worked… in 2019!!

That’s just amazing, chrome supported XP till 2015, if there’s a die hard OS, XP was it. Holy crap… there’s people still commenting about this… like now…

Well, if you’re lucky like me and my old netbook, they manufacture made and it’s third party hardware peeps made drivers up till Windows 7, so I managed to install Windows 7 with an SSD and my old laptop is great, regardless of how many people complain on these comments, haha. πŸ˜€ Which is crazy considering…

Yes, Windows 7 Extended support is coming up… Another Solid beast I hope gets the extended life support it deserves. :D.

This was pretty much just a blah post but whatever… xP

I just needed a VM to test my OPNsense VM lol, figured I had the old ISO why not…

VMware ESXi 5.5
D-Link DGE-530T RevC

The Story

Are you guys ready for a story? This one is actually not so bad. A couple days ago I post on Facebook if anyone happened to have a spare PCI/PCIe Network Interface Card (NIC), since it was going to be used for interest access I was ok with it being 100, but was aiming for 1000 (now that Shaw provide over 300mbps internet, clearly 100 doesn’t cut it).

After a day of no luck, and a bunch of funny remarks (as almost none of my friends had any idea of what I was talking about), I decided to take another look through my old computer hardware to see what I could scrounge up…

PCI NIC Found!

well, well, not even dusty, a PCI NIC, exactly what I needed in my hypervisor to play with OPNsense. I originally was going to try layer 2 trunking via VLANs, however the main vSwitch already had VMkernel Nics bound to the physical adapter @ layer 3, and the same interface on my firewall (Palo Alto) wouldn’t allow me to create a layer 2 sub-interface is the main interface was already bound to layer 3. Since I wanted my OPNsense VM to get an actual public IP address, this required my device to get a connection from my VM, directly to my modem at layer 2… yeah another NIC. So here we are, and it didn’t take long for me to shut down my VMs and install the card, and boot my hypervisor back up (I hope to one day have multiple hypervisor to not have to shut down my VMs, but even then, if you don’t pay chances are you won’t get access to the APIs that migrate the memory states of the VMs for you, so it’s a hassle either way…. anyway back to the story.


Oh Borat, who brought you in?!?! So as you may have guessed I went to add a new vSwitch for my new VM to get it’s direct Public IP, and to my dismay there was no physical NIC to pick… what the….

So to Google! and hopefully either VMware support, or usually always better personal blogs! We all loves these right… ahem… anyway…

You can probably guess where the official answer went, but I’ll enlighten you as I did follow along for … pain? OK I don’t know why I did, I was really hopeful it wasn’t going to be the answer I knew it was going to be….

Hey! some of the command they provided helped, or did they? All this was, was some BS data chasing to tell you, IT’s Not supported, SOWWY!

Clearly, there must be some answers by the community forums right??

Community’s great! VMwares…. :S

So what do we get… One… unanswered and crying about a badly referenced link to source two... also unanswered crying about the same stuff we already know…. it’s officially not supported. Well I’m running ESXi 5.5 Free and using GhettoVCB’s scripts, also unsupported, so not really an issue… the issue is teh lack of help right now.

But bring me down, I don’t thikn so, the internet has many sites, and many people sharing their knowledge, how?!?! BLOGS! Ahem…

Blogs to the Rescue!

Yes believe it or not it is the power of the real untethered, unfiltered beauty that is blogging that we actually get some meat and potatoes. My first source showed signs of light! One problem, it’s literally 9 years old and using ESXi 4. OK well it also wanted a fair amount of direct file placing and special manipulation. Most of this works fairly differently in ESXi 5.x, and vibs or precompiled binaries that work with esxcli are the more preferred method. I avoid saying supported here, cause I use these methods to install unsupported packages :D.

Alright, so now what, well the Holy Grail! This King managed to not only blog about getting this working but shared the drivers/vibs packages required to get it to work too! Epic! Let’s get this dang NIC working…

1) Grab the VIB files

2) Change your support level on ESXi5+:

~ # esxcli software acceptance set –level=CommunitySupported
Host acceptance level changed to β€˜CommunitySupported’.

3) Install the driver with: β€œesxcli software vib install -v /DLink-528T-1.x86_64.vibβ€œ

4) Reboot

Sounds simple enough lets give it a shot… and I hit some errors, classic…

I won’t show the erros just yet as I have it one long snippet, but basically I had a bit of problems cause of the GhettoVCB scripts I had pushed on to my host, but the error results weren’t exactly clear… I attempted a couple things first, like copying the VIB to the path it kept complaining about and specifying the fully qualified path to the VIB.. nothing till I stumbled across this...

esxcli software vib install -v /full/path/to/.vib -f

which finally gave me a driver install successful!

Alright, and after reboot…..

OMG! No way, there it is with the proper name and everything. Considering the blog post I followed was for a different NIC model I wasn’t sure if it would work, but there it is… so lets not get to ahead of ourselfs and see if it comes up and is able to transmit packets…

I was having some issues initially so I decided to give my lil netbook a simple /24 IP and give my OPNsense a simple /24 IP just to validate the card wasn’t the issue, or the drivers I just installed.

Plug them together, lights come up, that’s good… checking ESXI vSphere…

That’s good, and finally can we transmit?!?!

Hey!!!! we have communication! Now it’ll be figuring out getting the Public IP configured properly. But we’ll save that for another post. πŸ˜€ Cheers!

Another BitLocker Problem

The Story

I’ll keep this one short as I have a lot of things to do and this was an interesting find.

So I had to deploy some new laptops, did my usual trick with multiple systems, grab the latest version of Windows,run spiceworks decrapifier, install all updates, install Office, install all updates, install a couple third party software, clean.

Then cleanup the default profile. there have been issues with the “CopyProfile” option that MS supports with an XML file during sysprep, not only have there been known issues but this is total rubbish when it used to be a button. I reallllllllly hate this move by MS, there are times you want to configure the default profile and not sysprep (family computer anyone?)

Well ok enough of that MS rant (there are many) if you need help configuring the default profile check out this guys blog “scribbleghost” who sources the same one I originally followed by “Jose Espitia” which I think has a cleaner look and feel. IMHO

This was so far the cleanest, smoothest deployment I’ve done so far, and I haven’t hit a single snag, I also haven’t had to deal with Forenstics “DefProf” leaving lingering services with the above blog posts. Or other anomies by their profile migration tool.

Instead I suggest admins look into Ehlers “User State Migration Tool GUI” he basically took MS’s new user migration “tool” *cough* cmd line based app *cough* which normally would have someone digging through endless cmd parameters and syntax requirements (I only like doing this if I have to script, outside of that give me a damn GUI MS) Well no worries this guy did it. (it’s worth the cost, buy it).

OK now that allllll that is out of the way, what the heck was the issue man?!?!

So I go to BitLocker one of the deployed systems and BAM! Error in my face in particular Error code: 0x8004259A

so go to google, and my first attempts were not successful as it seems no bit locker reference to this error code has been shown. After some more searching I it this MS support page with some more English understandable definition of the code:



The volume selected for shrink might be corrupted. Use a file system repair utility to fix the corruption problem and then try to shrink the volume again.

Alright well this is something…

The Solution

On my particular laptop that I first tested on (and I only was on my first other test deployment after mine) in which I forgot to enable BitLocker, as other systems leave the office more than Mine ever does. I was able to reproduce the error.

Yet on my laptop CHKDSK always returned clean, what gives, yet shrinking the volume and re-extending it resolved the issue for me…

Until I went to do the same on the first deployed laptop only to find it was telling me I was unable to shrink due to corruption (sure this one picks up on something; remember I shrink the data partitions before making my base image to make DDing it onto other system much faster).

So this time a CHKDSK /f, and a rebooted made chkdsk clean the disk, and without shrinking or expanding was able to run BitLocker!

Another win for today!