How To

Palo Alto Change Master Key with HA (Active/Passive)

Palo Alto Change Master Key with HA (Active/Passive)

When a Palo Alto Networks firewall is configured with a unique master key, you need to change the master key before it expires, as when the master key expires, the firewall will reboot into maintenance mode, and you’ll need to factory reset it.

In this post, I will show you step by step how to change the Palo Alto Networks firewall master key before it expires.

Prerequisites

  • Palo Alto firewall configured with a unique master key.

If you haven’t configured a master key yet, my post, Palo Alto Configure Master Key with HA (Active/Passive), goes into detail on the process.

The Process

  • Backup your Palo Alto firewall config.

For more information on backing up your firewall config, my post, Palo Alto Config Backup, goes into detail.

Disable HA Config Sync

We need to disable the HA configuration synchronization on both firewalls in the HA setup before changing the master key.

Disable HA Config Sync GUI

  • On the Primary firewall, click on the Device tab.
  • Click on High Availability.
  • Click on the General tab.
  • In the HA Pair Settings, click on the gear icon in the Setup box.
  • Uncheck Enable Config Sync and click OK.
  • Commit the change.
  • Repeat the process on the Secondary firewall.

Disable HA Config Sync CLI

  • SSH into the Primary firewall.
  • Enter configuration mode with the command configure
  • Run the following command to check your current HA config sync settings show deviceconfig high-availability group configuration-synchronization

If enabled is set to yes, we need to disable it.

  • Disable HA config sync with the following command set deviceconfig high-availability group configuration-synchronization enabled no
  • Commit the change.
  • Repeat the process on the Secondary firewall.

Change Master Key

With HA config sync disabled, we can safely change the master key on both firewalls. The new master key must be exactly 16 characters.

Change Master Key GUI

  • On the Primary firewall, click on the Device tab.

Read More Read More

Deploy Sophos Firewall on VMware vCenter

Deploy Sophos Firewall on VMware vCenter

A virtual SFOS (Sophos Firewall Operating System) can run on many hypervisors, including VMware.

In this post, I will show you step by step how to deploy a virtual SFOS on VMware vCenter.

The Process

  • Download the ZIP file for the SFOS version you want to deploy from Sophos.

There are two locations where you can download the Sophos firewall files. The first is the Sophos Firewall Installers page, and the second is the Sophos Knowledge Base Article KBA-000007972.

  • Extract the ZIP file contents.

Inside the ZIP, there are a few files. The files we care about are sf_virtual_vm8_paravirtual.ovf, sf_virtual-disk1.vmdk, and sf_virtual-disk2.vmdk.

The sf_virtual_vm8_paravirtual.ovf is the most important because it supports VMXNET 3.

  • In VMware vCenter, right-click the cluster or host you want to deploy SFOS to, and click Deploy OVF Template.
  • Select Local file and click Upload Files.

The Sophos documentation instructs you to select the manifest file sf_virtual.mf, the OVF file you want to use, and the VMDKs. This process only work if you are using the sf_virtual.ovf OVF file.

If you use the manifest file sf_virtual.mf with any OVF other than sf_virtual.ovf, the vCenter checksum verification will fail, and you can not proceed.

If you open the manifest file sf_virtual.mf with notepad, you see that it only contains the checksums for sf_virtual.ovf, sf_virtual-disk1.vmdk, and sf_virtual-disk2.vmdk.

This explains why the vCenter checksum verification fails when you select any OVF other than sf_virtual.ovf.

We don’t want to use the OVF sf_virtual.ovf because it uses the Vlance network adapter, which is an emulated version of the AMD 79C970 PCnet32 LANCE NIC, a 10 Mbps NIC.

Read More Read More

Sophos Firewall Initial Setup

Sophos Firewall Initial Setup

Before you can start using a Sophos firewall, you must complete the initial setup.

In this post, I will show you step by step, how to complete the initial setup of a virtual SFOS (Sophos Firewall Operating System). The process will be similar on a physical Sophos firewall.

Prerequisites

  • Internet access.
  • Console access.

The Process

  • Connect to the SFOS VM console.
  • Enter the admin password.

The default admin password is admin.

  • Review the End User Terms of Use and accept them if you agree.
  • Enter 1 for Network Configuration Menu.
  • Enter 1 for Interface configuration.

Read More Read More

Sophos Firewall Interface Mapping on vSphere

Sophos Firewall Interface Mapping on vSphere

When you deploy a Sophos firewall on VMware vSphere, you start with 3 network interfaces PortA for LAN, PortB for WAN, and PortC is unassigned.

In VMware vCenter, PortA is Network adapter 1, PortB is Network adapter 2, and PortC is Network adapter 3.

However, when you add more network adapters in VMware vSphere, the mappings between SFOS (Sophos Firewall Operating System) and VMware vSphere no longer align.

In this post, I will show you, step by step, how to add more network interfaces to SFOS (Sophos Firewall Operating System) running on VMware vSphere and how to map the interfaces between SFOS and VMware vCenter.

The Process

Adding Interfaces

  • In vCenter, shut down the SFOS VM.
  • Once the SFOS VM has shut down, click on Edit Settings.
  • To add additional network adapters, click Add New Device, then click Network Adapter.

VMware vCenter VMs can have up to 10 network adapters.

In my example, I will add 7 more network adapters, bringing the total to 10.

When adding network adapters, it defaults to the E1000 adapter type, which you can use, but it’s recommended to use the VMXNET 3 adapter type.

  • On each new network adapter, change the Adapter Type from E1000 to VMXNET 3.
  • Power on the SFOS VM.

Mapping Interfaces

Once the SFOS VM has booted after adding the additional network adapters, the interface mapping between vCenter and SFOS won’t match, except that the SFOS network interface PortA always maps to network adapter 1 in vCenter.

Since PortA in SFOS is always vCenter network adapter 1, we will update its name in SFOS to reflect this mapping in vCenter.

  • Login to the SFOS.
  • Click on Configure > Network.

Read More Read More

Sophos Firewall Remove GuestAP Interface

Sophos Firewall Remove GuestAP Interface

By default, Sophos firewalls have a wireless network interface called GuestAP. Normally, this isn’t much of an issue, but if you don’t plan to use Sophos Wireless, it doesn’t make sense to keep the GuestAP network interface.

In this post, I will show you step by step how to remove the GuestAP network interface on SFOS (Sophos Firewall Operating System).

The Process

  • Login to the Sophos firewall.
  • Click on Protect > Wireless.

Read More Read More

Palo Alto Configure Master Key with HA (Active/Passive)

Palo Alto Configure Master Key with HA (Active/Passive)

When you enter a private key or a password on a Palo Alto Networks firewall, it is encrypted with a master key. Out of the box, all Palo Alto firewalls use the same default master key, which used to be p1a2l3o4a5l6t7o8.

If your Palo Alto firewall uses the default master key and someone gets a copy of your firewall configuration, they may be able to decrypt the private keys and passwords stored in it. Fortunately, you can prevent this easily by configuring the master key to something unique.

In this post, I will show you step by step how to set your own master key on a Palo Alto Networks firewall in an Active/Passive High Availability Pair using the GUI and the CLI.

The Process

  • Backup your Palo Alto firewall config.

For more information on how to back up your Palo Alto firewall config, my blog post, Palo Alto Config Backup, goes into detail.

Disable HA Config Sync

We need to disable HA configuration synchronization on both firewalls while we configure the master key on each firewall.

Disable HA Config Sync GUI

  • On the Primary firewall, click on the Device tab.
  • Click on High Availability.
  • Click on the General tab.
  • In the HA Pair Settings, click on the gear icon in the Setup box.
  • Uncheck Enable Config Sync and click OK.
  • Commit the change.
  • Repeat the process on the Secondary firewall.

Disable HA Config Sync CLI

  • SSH into the Primary firewall.
  • Enter configuration mode with the command configure
  • Run the following command to check your current HA config sync settings show deviceconfig high-availability group configuration-synchronization

If enabled is set to yes, we need to disable it.

Read More Read More

Palo Alto Config Backup

Palo Alto Config Backup

It’s important to back up your Palo Alto Networks firewall configuration, as it is useful in the event of a system failure, configuration error, or other unforeseen circumstances.

In this post, I will show you, step by step, how to backup your Palo Alto Networks firewall config using the GUI or CLI.

The Process

  • Login to the Palo Alto Networks firewall.

GUI

  • Click on Device.
  • Click on Setup.
  • Click on Operations.

Read More Read More

ESX Regenerate Self-Signed Certificate

ESX Regenerate Self-Signed Certificate

During the installation of VMware ESX, you’re never prompted to set a hostname or domain name. As a result, ESX defaults to the hostname localhost and the domain localdomain. Due to this when ESXi generates a self-signed certificate, it is for localhost.localdomain.

In this post, I will show you step by step how to regenerate the self-signed certificate for ESX.

Prerequisites

  • The ESXi hostname has been changed.

For more information about changing the ESXi hostname, my blog post, ESXi changing the host name goes into detail.

The Process

  • Connect to your ESXi host.
  • Right-click on the ESXi host and select Services > Enable Secure Shell (SSH).
  • SSH into the ESXi host.
  • To view the current certificate installed on your ESXi host, run the following command openssl x509 -noout -subject -in /etc/vmware/ssl/rui.crt

If you want to view all the details about your ESXi certificate, run the following command  openssl x509 -noout -in /etc/vmware/ssl/rui.crt -text

Read More Read More

Veeam Backup & Replication 13 Windows Install

Veeam Backup & Replication 13 Windows Install

Veeam Backup & Replication is a wonderful product that I’ve been using for years. I’ve used it many times to recovery from various situations, and it’s been a real lifesaver.

VBR (Veeam Backup & Replication) is backup software that can back up your systems, whether they are bare-metal, cloud, or VMs. VBR supports various hypervisors, including VMware, Hyper-V, Nutanix, Proxmox, and others, and has expanded its support to include backing up raw file shares or object storage. Veeam keeps adding more and more features to VBR. VBR is part of the Veeam Data Platform.

In this post, I will show you step by step how to install Veeam Backup & Replication 13 on Windows.

Prerequisites

You need a server with the following.

  • Windows Server 2016 or newer.
  • 8 CPU cores or more.
  • 16 GB RAM or more.
  • 130GB disk space.
    • 5 GB for the Veeam Backup & Replication installation.
    • 4.5 GB for Microsoft .NET Framework.
    • 10 GB per 100 backed up VMs.
    • 100 GB for instant recovery cache folder.
    • 10 GB for Logs.
  • Port 443 is available.

The required disk space doesn’t all have to be on the C drive. For this post, I’ll keep it on the C drive.

The Process

  • Mount the VBR ISO.
  • Run Setup.exe.
  • On the VBR 13 install splash screen, click on Install.
  • Click on Install Veeam Backup & Replication.
  • Wait while the setup wizard is initialized.

Read More Read More

Enable Windows 10 Extended Security Updates

Enable Windows 10 Extended Security Updates

On October 14, 2025, Windows 10 reached end of life and no longer receives updates. To keep getting updates, you must upgrade to Windows 11 or enroll in the Windows 10 ESU (Extended Security Updates) program.

In this post, I will show you step by step how to enable the commercial Windows 10 Extended Security Updates and how to mange ESU in non-persistent VDI setups.

Perquisites

  • Windows 10 ESU MAK.

Once you have purchased Windows 10 ESU, you will receive a MAK (Multiple Activation Key).

  • Windows 10 version 22H2.
    • Windows 10 LTSB or LTSC are not eligible for ESU.
  • The following updates must be installed.
    • 2025-10 Cumulative Update for Windows 10 Version 22H2 (KB5066791) or newer.
      • 2025-11 Security Update for Windows 10 Version 22H2 (KB5072653) installed after KB5066791.

The Process

  • Open Command Prompt or PowerShell as admin.

We will use slmgr.vbs which you can use directly or call it from csript. I will call it from csript to keep everything in the command line window. To use csript with slmgr.vbs we just need to prefix the slmgr.vbs command with cscript C:\Windows\System32\.

If you want to read more about slmgr.vbs, my blog post slmgr.vbs goes into detail.

  • First, we need to install the Windows 10 ESU MAK product key. We will do this with the following command slmgr.vbs /ipk YOUR_ESU_PRODUCT_KEY replace YOUR_ESU_PRODUCT_KEY with your Windows 10 ESU MAK product key.

Next, we need to activate the specific ESU component by using its Activation ID.

Read More Read More