Network #PKI-4-TRUSTPOOL_EXPIRATION_WARNING

We faced, on several Cisco switches, this warning:

Mar  8 11:11:52.680: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 20 days

Mar  8 11:11:52.680: %PKI-4-TRUSTPOOL_AUTO_UPDATE_DISABLED: Auto-trustpool update is disabled.

In Cisco IOS XE version 17.12.04, the auto-update feature for the PKI trustpool is enabled by default. This means the device will automatically download and update the trustpool bundle from Cisco's servers when necessary.

How Auto-Update Works

When the PKI trustpool is due for an update (because of certificate expiration, reissuance, or the addition of new trusted certificates), the system will:

  1. Attempt to download the updated trustpool bundle from the configured URL.
  2. If the download is successful, the trustpool is updated.
  3. If the download fails, the system will retry with increasing frequency, at 20 days, 15 days, 10 days, 5 days, 4 days, 3 days, 2 days, 1 day, and then hourly until successful.

This process ensures that the device maintains an up-to-date set of trusted root certificates, which is crucial for secure operations like HTTPS, VPNs, and Smart Licensing.

Unfortunately, in our case, this configuration was missing:

crypto pki trustpool policy
 cabundle url http://www.cisco.com/security/pki/trs/ios.p7b
 revocation-check none

To import the certificate bundle manually, you must run this command from configuration mode (config t):

crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b

To avoid problems, we launched this.

To view the trustpool status, the command is:

show crypto pki trustpool policy
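As an added example (not from the original post and not Cisco's code), the following Python script parses syslog lines in the format quoted above, extracts the remaining days from each TRUSTPOOL_EXPIRATION_WARNING, flags devices that also logged TRUSTPOOL_AUTO_UPDATE_DISABLED (those will never recover on their own and need the manual import), and reports where each device sits on the retry schedule listed above. The hostnames, the third device and the non-PKI log line are constructed sample data; the severity thresholds are choices made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample syslog export: hostnames and the third device are invented;
# the first two PKI lines are the ones quoted above.
SAMPLE_LOG = """\
sw-core-01: Mar  8 11:11:52.680: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 20 days
sw-core-01: Mar  8 11:11:52.680: %PKI-4-TRUSTPOOL_AUTO_UPDATE_DISABLED: Auto-trustpool update is disabled.
sw-access-07: Mar  9 02:00:01.113: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 3 days
sw-access-07: Mar  9 02:00:01.200: %SYS-5-CONFIG_I: Configured from console by admin on vty0
sw-dist-02: Mar  9 04:30:10.001: %PKI-4-TRUSTPOOL_EXPIRATION_WARNING: The Trustpool will expire in 4 days
sw-dist-02: Mar  9 04:30:10.001: %PKI-4-TRUSTPOOL_AUTO_UPDATE_DISABLED: Auto-trustpool update is disabled.
"""

# Retry checkpoints (days before expiry) from the schedule above; after the
# last one the device retries hourly, represented here as 0.
RETRY_SCHEDULE_DAYS = [20, 15, 10, 5, 4, 3, 2, 1]

# "<host>: <timestamp>: %PKI-4-<MNEMONIC>: <text>". The host prefix is what a
# syslog collector usually prepends; the lines quoted above have none, so it
# is optional here.
PKI_RE = re.compile(
    r"^(?:(?P<host>[\w.-]+):\s+)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"%PKI-4-(?P<mnemonic>TRUSTPOOL_\w+):\s+(?P<text>.*)$"
)
DAYS_RE = re.compile(r"expire in (?P<days>\d+) days?")


@dataclass
class TrustpoolFinding:
    host: str
    days_left: Optional[int] = None
    auto_update_disabled: bool = False
    last_seen: str = ""

    @property
    def next_retry_days(self) -> Optional[int]:
        """Next checkpoint at which auto-update would try again (0 = hourly),
        or None if no expiry warning was seen for this host."""
        if self.days_left is None:
            return None
        for checkpoint in RETRY_SCHEDULE_DAYS:
            if checkpoint < self.days_left:
                return checkpoint
        return 0

    @property
    def severity(self) -> str:
        # Thresholds are choices made for this example, not Cisco's.
        if not self.auto_update_disabled:
            return "info"  # the device will retry on its own schedule
        if self.days_left is not None and self.days_left <= 5:
            return "critical"
        return "high"

    @property
    def action(self) -> str:
        if self.auto_update_disabled:
            return ("add 'cabundle url' under 'crypto pki trustpool policy' "
                    "or run 'crypto pki trustpool import url ...' manually")
        return "none: auto-update will retry on schedule"


def analyze_syslog(text: str) -> Dict[str, TrustpoolFinding]:
    """Collect one finding per host from the PKI-4 trustpool messages."""
    findings: Dict[str, TrustpoolFinding] = {}
    for line in text.splitlines():
        m = PKI_RE.match(line.strip())
        if not m:
            continue  # not a trustpool message
        host = m.group("host") or "unknown-host"
        finding = findings.setdefault(host, TrustpoolFinding(host=host))
        finding.last_seen = m.group("ts")
        if m.group("mnemonic") == "TRUSTPOOL_EXPIRATION_WARNING":
            days = DAYS_RE.search(m.group("text"))
            if days:
                finding.days_left = int(days.group("days"))
        elif m.group("mnemonic") == "TRUSTPOOL_AUTO_UPDATE_DISABLED":
            finding.auto_update_disabled = True
    return findings


if __name__ == "__main__":
    for host, f in analyze_syslog(SAMPLE_LOG).items():
        print(f"{host}: {f.severity:8} days_left={f.days_left} "
              f"next_retry={f.next_retry_days} -> {f.action}")
```

Fed a syslog export from a collector, this gives a per-switch list of which devices need the manual import (or the missing cabundle url policy) and which will recover on their own at the next retry checkpoint.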

Other articles:

https://community.cisco.com/t5/switching/trustpool-expiration-on-3750-x/m-p/2423362#M286822

PKI Trustpool Management

iPhone #How to transfer HEIC and HEVC photos to PC (in JPEG format)

With the release of iOS 11 and macOS High Sierra in 2017, Apple made the shift to HEIC and HEVC photo and video formats. These file formats can compress photos by up to 50% without losing any image quality.

The major problem is that the HEIC and HEVC formats are not widely supported (mainly on PCs and other devices).

To transfer photos to other devices in JPEG format, apply this procedure on your iPhone:

  1. Go to Settings > Photos.
  2. Scroll down to the Transfer to Mac or PC section.
  3. Tap Automatic.


More details are indicated here.

Security #PAN-OS Firewall DoS Vulnerability - Lets attacker reboot firewall repeatedly

A denial-of-service vulnerability (CVE-2025-0128) affects multiple versions of Palo Alto Networks' PAN-OS firewall software.

Affected systems:

PAN-OS 11.2 (< 11.2.3)

PAN-OS 11.1 (< 11.1.5)

PAN-OS 11.0 (< 11.0.6)

PAN-OS 10.2 (< 10.2.11)

PAN-OS 10.1 (< 10.1.14-h11)

Mitigation strategies

For PAN-OS 11.2: Upgrade to 11.2.3 or later

For PAN-OS 11.1: Upgrade to 11.1.5 or later

For PAN-OS 11.0: Upgrade to 11.0.6 or later

For PAN-OS 10.2: Upgrade to 10.2.11 or later

For PAN-OS 10.1: Upgrade to 10.1.14-h11 or later

For organizations unable to update immediately, a temporary CLI-based workaround exists. Administrators can run the following command:

> debug sslmgr set disable-scep-auth-cookie yes
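As an added example, not part of the original post and not Palo Alto Networks' tooling, this Python snippet parses PAN-OS version strings (including the -hN hotfix suffix, which matters for the 10.1.14-h11 fix) and checks a device inventory against the affected and fixed versions listed above. The inventory is constructed sample data; a device on a train not listed above is reported as "not listed" rather than assumed safe.

```python
import re
from typing import Dict, List, Tuple

# First fixed release per affected train, as listed above. Trains absent from
# this table are reported as "not listed", not as safe.
FIXED_IN: Dict[Tuple[int, int], str] = {
    (11, 2): "11.2.3",
    (11, 1): "11.1.5",
    (11, 0): "11.0.6",
    (10, 2): "10.2.11",
    (10, 1): "10.1.14-h11",
}

# major.minor.maintenance with an optional "-h<n>" hotfix suffix
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed sample inventory (names and versions invented for the example)
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-edge-01": "10.1.14",
    "fw-edge-02": "10.1.14-h11",
    "fw-dc-01": "11.2.2",
    "fw-dc-02": "11.2.3",
    "fw-branch-03": "11.0.5-h2",
    "fw-lab-01": "9.1.17",
}


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """'10.1.14-h11' -> (10, 1, 14, 11). A release without a hotfix gets
    hotfix 0, so 10.1.14 sorts before 10.1.14-h11."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version: str) -> str:
    """Classify one version against the table: 'vulnerable', 'fixed' or
    'not listed'."""
    parsed = parse_panos_version(version)
    fixed = FIXED_IN.get(parsed[:2])
    if fixed is None:
        return "not listed"
    return "fixed" if parsed >= parse_panos_version(fixed) else "vulnerable"


def check_fleet(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to its assessment."""
    return {name: assess(ver) for name, ver in inventory.items()}


def needs_action(inventory: Dict[str, str]) -> List[str]:
    """Devices to schedule for the upgrade (or the temporary workaround)."""
    return sorted(n for n, r in check_fleet(inventory).items() if r == "vulnerable")


if __name__ == "__main__":
    for name, result in check_fleet(SAMPLE_INVENTORY).items():
        print(f"{name:14} {SAMPLE_INVENTORY[name]:12} {result}")
```

Devices reported as "vulnerable" are the ones to schedule for the upgrade listed above, or for the temporary debug sslmgr workaround until the upgrade is possible.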

All details are indicated here:

https://cybersecuritynews.com/pan-os-firewall-dos-vulnerability/

Citrix #How to push Citrix Workspace app for Windows through GPO

Citrix Workspace app can be pushed through GPO, using the proper scripts and the ADMX/ADML templates for the Group Policy Editor.

All details can be found at the link below:

https://www.citrix.com/downloads/workspace-app/legacy-workspace-app-for-windows-ltsr/workspace-app-for-windows-2402-LTSR-cu2.html

Consider that the PDQ product is not able to push software after a reboot/shutdown, so this solution permits you to work around that limitation.

https://documentation.pdq.com/pdqdeploy/13.0.3.0/index.html?logoff-step.htm

https://www.alessandromazzanti.com/search?q=pdq

Be aware that later VDI Teams versions require this Citrix Workspace setting to be enabled.

So in the cmd script you need to add the value MTOPBootStrapperInstaller to ADDLOCAL (to properly deploy the Teams plugin):

rem Install options: MTOPBootStrapperInstaller is the component that deploys the Teams plugin
set CommandLineOptions=/Silent ALLOWADDSTORE=N /includeSSON /AutoUpdateCheck=Disabled EnableCEIP=false ADDLOCAL=ReceiverInside,ICA_Client,SSON,AM,SELFSERVICE,USB,DesktopViewer,Flash,Vd3d,Webhelper,BrowserEngine,WorkspaceHub,MTOPBootStrapperInstaller
rem %DeployDirectory% must point to the folder that holds the installer
start /wait %DeployDirectory%\CitrixWorkspaceFullInstaller.exe DONOTSTARTCC=1 %CommandLineOptions%

Security #GlobalProtect portals: ongoing hacker scanning activity

Researchers have detected scanning activity targeting Palo Alto Networks’ GlobalProtect VPN portals.

During the last 30 days, about 24,000 unique IP addresses have attempted to access these critical security gateways.

Here you can find the complete article:

https://cybersecuritynews.com/hackers-scanning-palo-alto-networks-portals/