We use cookies on this page to better serve you. You can find more information about cookies here.

Latest posts

Upgrade Palo Alto HA Pair (Active/Passive) with CLI
by

I’m a big fan of CLI, I love to use it when I can, it always feels more complete and absolute. A while back I posted how to Upgrade Palo Alto Firewall HA Pair (Active/Passive) in that post I only covered the GUI method this post will detail how to complete everything with CLI only.

Here is step-by-step how to upgrade a Palo Alto Networks firewall in an Active/Passive High Availability Pair with CLI only.

In my example, I am running a Palo Alto Active/Passive HA pair. The firewall named DXT-FW-PA01 is the primary firewall and is the currently Active firewall. The firewall named DXT-FW-PA02 is the secondary and Passive firewall. Both are running PAN-OS 10.2 version 10.2.3. I will be upgrading them to PAN-OS 11.0 version 11.0.2-h2 which is the current preferred release for that version.

The Process

Confirm Upgrade Path

  • You always need to do every PAN-OS update as in you can’t jump from 9.1 to 11.0 you need to do 10.0 then 10.1 then 10.2 then 11.0
  • Check your upgrade path with Palo Alto’s documentation. Here is the upgrade path to PAN-OS 11.0.
  • Check what the preferred releases are for your upgrade path. You can do that here. (You will need a Palo Alto support account to access the link)

Review Release Notes

Review Upgrade/Downgrade Considerations

Upgrade Checklist

Check Content Updates

  • Connect to the currently Active firewall with SSH.
  • Run the following command to list out the PAN-OS version you are running along with the hostname and application and threat content versions.  show system info | match sw\|hostname\|app\|threat
Read more
IT
FirewallHigh AvailabilityHow ToNetworkingPalo Alto NetworksPAN-OSUpgrade

TrueNAS Install Tweaks
by

I’m a long-time user of TrueNAS going back to the days when it was still called FreeNAS. I’ll always love the FreeNAS logo. In this post, I’ll go over step-by-step some of the tweaks that I like to make on a fresh install for TrueNAS specifically TrueNAS Core or TrueNAS Enterprise.

The Tweaks

HTTPS Redirection

HTTPS is always a good idea. Here is how to enable HTTP to HTTPS redirection.

  • Click on System > General
  • Select Web Interface HTTP -> HTTPS Redirect and click Save.
  • Confirm that you are restarting the web service by selecting Confirm and click on Continue.

Now if you try to access your TrueNAS on HTTP it will automatically send you over to HTTPS.

Autotune

Autotune is a Python script that is created by iXsystems that will automatically optimize your TrueNAS. If you want to see what the script is doing here is the location of it /usr/local/bin/autotune this is on by default on systems purchased from iXsystems.

  • Click on System > Advanced
Read more
IT
FreeNASHow ToStorageTrueNASTrueNAS CoreTrueNAS EnterpriseTweaks

Palo Alto Config Set Commands
by

By default Palo Alto Networks firewalls export their configuration as an XML file which is great however, I’m more used to set commands such as the ones commonly used in switches. Fortunately, there’s a way to have the best of both worlds.

In this post, I’ll show you step-by-step how to output the Palo Alto running config to set commands and show a way to export it.

The Process

  • Connect to the firewall with SSH (I’ll be using PuTTY)
  • Run the following command to change the command output from XML to set commands set cli config-output-format set
  • Enter the configuration mode by running the following command configure
  • Now when you run the show command it will show you the set command versions of the configuration.

Exporting

I wasn’t able to find a way to easily export the running config of PAN-OS in the set format without using paid tools like Kiwi CatTools however, I did find a workaround by using PuTYY logging.

Read more
IT
FirewallHow ToNetworkingPalo Alto NetworksPAN-OSPuTTY

Microsoft 365 Report Message Button
by

Providing your users with a centralized and user-friendly way to report phishing, junk, and non-junk emails is a great quality-of-life improvement for everyone.

In this post, I’ll cover step-by-step how to deploy the Microsoft Report Message add-in for Microsoft Outlook with Microsoft 365.

  • Login to the Microsoft 365 admin center.
  • Click on Settings > Integrated apps
  • Click on Get apps
  • Search for Report Message
Read more
IT
EUCHow ToMicrosoftMicrosoft 365Microsoft OutlookOffice 365

ESXi Autostart VMs with CLI
by

Maintenance mode is great however, when you have a single ESXi host and you have perfected the perfect VM startup order and you have to place your host into maintenance mode how do you start your VMs in the same order without having to manually do it?

ESXi VMs not starting due to maintenance mode

In this post, I will detail step-by-step how to start the VM auto-start sequence after you’ve exited maintenance mode.

  • Enable SSH by right-clicking on the host and selecting Services > Enable Secure Shell (SSH)
  • SSH into the ESXi host (I’m going to use PuTTY)
  • Run the following command to autostart your VMs vim-cmd hostsvc/autostartmanager/autostart

Now your VMs will start booting up in the autostart order you created.

You can even tell your VMs to shutdown in the reverse order by just running the auto shutdown command vim-cmd hostsvc/autostartmanager/autostop

I tried to find official documentation from VMware about this process but I wasn’t able to find any.

Read more
IT
ESXiHow ToVirtual MachinesVMware

UniFi Network Server with Docker
by

LinuxServer.io makes some great Docker images. I’ve been using their UniFi Controller image for a very long time. Sadly it is being deprecated in January 2024. Fortunately, they have a new replacement image named UniFi Network Application. There’s a bit more to the setup as the database portion has been decoupled from the image.

In this post, I’ll show you step-by-step how to set up the UniFi Network Application with Docker.

The UniFi Network Application uses MongoDB for its database we will need to set that up. MongoDB is composed of two elements, the main database and a stats database.

When you first make a MongoDB container it needs to be initialized there are a few methods to do this. I’ll be using the shell script method as I was able to make that word with all the environment variables I wanted to use.

Setup

  • Make a folder to store everything in. I’ll call mine unifi-net-app.
  • Download the docker-compose.yml, the init-mongo.sh, and the sample.env files from my GitHub https://github.com/thedxt/UniFi-Docker and place them in the folder.
  • The sample.env file shows you the variables you will need to define.
  • The variables are:
    • CONTAINER_NAME is the name of your UniFi stack. There will be two containers spawned.
      • The one with _CORE appended to it is the LinuxServer.io UniFi Network Application image.
      • The one with _DB appended to it is the official MongoDB image. It is currently pinned to version 4.4 as that’s the highest version UniFi supports.
    • MONGO_DBNAME is the name of the MongoDB database that stores all the data. The second database for stats will have _stat appended to it.
    • MONGO_USER is the database user for the UniFi database and the stats database.
    • MONGO_PASS is the password for the database user for the UniFi database and the stats database.
    • TIME_ZONE this sets the time zone for the UniFi Network Application. Here’s a list of the valid TZ identifier entries.
Read more
IT
DockerHow ToNetworkingSelf-hostedUniFi

geoSCOUT 9.0 Launcher Upgrade
by

With the release of geoSCOUT version 9.0 geoLOGIC has upgraded the geoSCOUT launcher. As part of the upgrade process to version 9.0, you should be upgrading the geoSCOUT launcher as geoSCOUT users will get a warning message stating that they need the new launcher. They can still use geoSCOUT even if the launcher isn’t upgraded but they will keep seeing the warning message every time they open geoSCOUT.

Warning message about the old geoSCOUT launcher

The geoSCOUT launcher upgrade can be a challenging task in a large environment when users don’t have local admin. In this post, I’ll detail what I’ve discovered about how the geoSCOUT launcher works and include a PowerShell script to upgrade the launcher.

Discovery

The geoSCOUT launcher seems to work by looking for a user’s GMAP.ini file saved in the user’s %AppData%, if that file isn’t present then the launcher will throw an error.

When you install geoSCOUT using the Desktop_Build_NonAdmin installer or the Desktop_Build installer both of them use the context of the path that executed the install to populate the user’s GMAP.ini file saved in %AppData%.

My theory on how part of the geoSCOUT launcher works is that it uses the user’s GMAP.ini file to find the geoSCOUT server and for version 8 it loads gsmainV8.exe from the Programs directory in the geoSCOUT network location.

The geoSCOUT version 9.0 launcher seems to work the same way as the version 8 launcher did except that instead of launching gsmainV8.exe it launches gsmap.exe. Technically speaking you could run geoSCOUT by just launching gsmap.exe but that isn’t the recommended way.

After the geoSCOUT upgrade to version 9.0 if a user is using a shortcut to gsmainV8.exe they will get the warning that their launcher is out of date and needs to be upgraded even if their geoSCOUT launcher has been upgraded on their system.

The way the geoSCOUT launcher works is important because it shows us that unlike the normal geoSCOUT user install the path you use to install the launcher doesn’t matter.

Read more
ITScripts
EUCgeoLOGICgeoSCOUTPowerShellRabbit HoleScriptUpgradeWindows

Microsoft Configuration Manager Backup
by

Backups are a good thing to have. Within Microsoft Configuration Manager you can set up a backup maintenance task, but what if you need to run a backup on demand how do you do that?

Microsoft Configuration Manager (ConfigMgr) has had a few names the longest-standing name was SCCM (System Center Configuration Manager) it also used to go by the name SMS (Systems Management Server) you will still find references to SMS even on the current version of ConfigMgr. For simplicity, I’m going to refer to it as ConfigMgr.

In this post, I will detail step-by-step how to configure backups for ConfigMgr and how to run an on-demand backup of ConfigMgr.

Configuring Backup Task

  • Open Configuration Manager Console
  • Click on Administration
  • Click on Site Configuration > Sites
Read more
IT
BackupsConfigMgrHow ToMicrosoftSCCM

Swap Microsoft 365 Licenses with Microsoft Graph
by

A few years ago I wrote a post about how to Swap Office 365 Licenses. Microsoft has deprecated the cmdlets that were used in that post specifically Set-MsolUserLicense and has replaced them with Microsoft Graph cmdlets specifically Set-MgUserLicense.

In this post, I will show step-by-step how to swap Microsoft 365 licenses using Microsoft Graph and PowerShell.

Prerequisites

The Process

We need a few more permissions than the default permissions for Microsoft Graph.

  • Run the following command to connect Microsoft Graph to your Microsoft 365 tenant with the necessary permissions Connect-MgGraph -Scopes User.ReadWrite.All, Organization.Read.All

Now let’s find out what SKUs we have to work with.

  • Run the following command to get the list of SKUs in your Microsoft 365 tenant Get-MgSubscribedSku -All | select SkuPartNumber

If you aren’t sure what product the SKU correlates to Microsoft has made a decoder ring, you can find that here.

Now for the license swap part, I’ve created a PowerShell script to do it.

Read more
ITScripts
How ToMicrosoftMicrosoft 365Microsoft GraphOffice 365PowerShellScript

Windows Verbose Status
by

By default, Windows servers display lots of details when you logon to them and rarely leave you wondering what it’s doing. A while back I ran into an issue that was causing 15 minute login times when a user would log in to the computer for the first time. This was particularly a problem with shared systems like meeting room computers as many users may have never logged into that computer before. The problem scales with the more meeting rooms you have and the more users you have, and typically people are rushing for meetings and don’t have time to wait for a long Windows login process.

From the user’s perspective, it looks like the computer would just sit at Welcome for 15 minutes. Yes, you can go dig into the event logs and see what’s causing that or you could make it so the computer can output what it’s doing, making it so the users can provide you with more useful information.

To do this you need to enable verbose statuses. This is enabled by default on Windows servers but not regular Windows devices. When a regular Windows device logins in and sits at the Welcome message it is doing stuff but not telling you what it’s doing.

In this post, I will detail step-by-step how to enable the Windows verbose login status with a GPO or Intune.

The Process

GPO

  • Make a new GPO
  • Go to Computer Configuration > Policies > Administrative Templates > System
  • Set Display highly detailed status messages to Enabled.
  • Link the GPO to the OU of the devices you want to enable Verbose Status on.

Intune

  • Login to Microsoft Intune admin center.
  • Click on Devices
  • Click on Configuration profiles
Read more
IT
EUCGPOHow ToIntuneMicrosoftWindows
theDXT on GitHub
theDXT on X (Twitter)
theDXT on YouTube