26 Jun

AWS Lambda guide part II – Access to S3 service from Lambda function

AWS Lambda Tutorial, I will show you how to create or import your Python application to Lambda, use S3 bucket, add S3 trigger for Lambda and more!

In previous chapter I talked a little what is AWS Lambda and idea behind serverless computing. Furthermore I presented small Python application I wrote to sign certificate requests using my CA authority certificate (how to create such you can find in my post How to act as your own local CA and sign certificate request from ASA). Then after importing the sandboxed Python environment (required because of non-standard library used for SSL, whole procedure is described in my post How to create Python sandbox archive for AWS Lambda) and small change in the code we managed to execute it in Lambda. Also I mentioned that we can use other AWS services in our code, in example Access to S3 service from Lambda.

As you remember the initial version of my application have static paths to all files and assume that it can open it from folders on local hard drive. If you run function in Lambda you need a place where you can store files. This place is AWS S3. In this chapter I show you how to use S3 service in function on Lambda. We will use boto3 library that you can locally install on your computer using pip.

Read More

15 Jun

AWS Lambda guide part I – Import your Python application to Lambda

AWS Lambda Tutorial, I will show you how to create or import your Python application to Lambda, use S3 bucket, add S3 trigger for Lambda and more!

I lately started playing with AWS Lambda for few reasons. I become interested in serverless architecture, ways to save money while running apps and I wanted finally to learn Python. I’m a network engineer, not a software developer. I like cloud computing and see it as important part of market now. So that was an opportunity for me to learn something new. Now I want to share my knowledge with you and show you how to import your Python application to Lambda.

In my tutorial I want to show you that Lambda and programming is something interesting that you can use for everyday work whatever you do. Of course Lambda tutorials are already available on Internet but they show you how to make new application from scratch. I want to show you how to import your own small Python application to Lambda, required changes to the code, python environment, testing approach and finally how to expand it using other AWS services. This post is just first chapter!

Read More

09 Jun

How to create Python sandbox archive for AWS Lambda

AWS Lambda and Python

AWS Lambda contain now 1067 Python libraries that we can use in our programs. The number is big and small at the same time. It should give us flexibility in writing apps but same time is limitation – there are many non-standard libraries that are better replacement for default ones. I will show you how to create Python application sandbox and then ZIP archive for AWS Lambda that will contain libraries not available by default so you can use them in your serverless application.

Using this application I’ve generated list of available libraries for Python 2.7 and you can check the list here.

Serverless applications idea is that we don’t have access to operating system. We just run our code in own sandbox. Therefor we can’t just install new package if we miss it. Solution is providing ZIP archive with code of our application and python environment that have all non-standard libraries inside. Let me show you how to do this.

Read More

01 Jun

How to manage simulation in VIRL from local network

Cisco and VIRL logos

I’ve been using Cisco VIRL for over two years for both learning technologies and testing new solutions as PoC. Accessing devices in simulation via embedded console link is easy but not efficient. I always wanted to manage simulation in VIRL from my laptop not desktop PC. Also in many scenarios you  may want to connect external servers like netflow collector or IPAM software you wanna test. Also it’s quite handy to have access to running simulation form Internet, isn’t it?

Let me show you how I connect Cisco VIRL running simulation to other devices in my network and to Internet. In this tutorial I assume that you didn’t change default VIRL networking configuration.

Read More

26 May

Why having cloud load-balancer for on-premises services is not a good idea?

Cloud load-balancer for on-premise services is not a good idea

We were thinking about redundancy options for CCIE.PL today. There are few restrictions we have there, both came either from policy or our personal thoughts about several aspects of paid services and sharing admin access. But simply we are thinking how to automate failover in case our primary server or database have problems. Easiest solution would be to use Cloudflare free tier service but let’s say we don’t want to do this now. So we were looking on the other options and there was an idea that maybe we can use cloud load-balancer for on-premise services. First thought – it’s brilliant. On second thought – definitely that idea was wrong. Let me show you why.

Read More

18 May

Upgrading SourceFire module from 5.x to 6.x and recovery procedure

SFR Firmware packages download

Hardware failures happens. If you have active service contract you’ll get new device from Cisco with same hardware parameters. One thing you don’t know is which version of software will be installed. In almost all cases it’s not the one you are using. Installing new firewall firmware on ASA is not a problem but what if you’re running SourceFire Management Center version 6.2 but your device came with 5.x or 6.0 firmware on SFR module? Well, prepare for process that will take few hours – you need to perform recovery procedure which is one of the ways of upgrading SourceFire.

Most common cases when we have to use recovery procedure for SFR are:

  • Problems with booting the SFP module after upgrade performed from Firesight Management Center
  • First software installation on SFR (in example when we just put SSD drives in our ASA to get benefits from Sourcefire NGIPS)
  • Need to upgrade firmware but our module cannot be registered in Firesight Management Center due to firmware mismatch

Last case is the one usually happening when we get new device during RMA process. Each Firesight Management Center have list of compatible firmwares that are supported on modules and unfortunatelly backward compatibility is not full. If you run one of the most common version 6.1 or 6.2 you need to have your modules in at least 6.1 version. Recovery process require that whole memory is erased and new firmware installed.

Read More

12 May

Interfaces are important in ASAv failover on VIRL

Failover link on ASAv must be created using interface GigabitEthernet0/8

One reader asked me few days ago following question when he had problem establishing the failover in his lab: “I’ve tried to create ASA failover pair on VIRL and it was not working. I’ve looked through manual and VIRL forum for the solution. I believe that failover is supported configuration on VIRL. I think my configuration is correct, nodes can ping each other but I still cannot establish failover relationship”. Configuration he made was correct except he forgot about one thing – interfaces numbers are important when you setup failover using ASAv.

Cisco VIRL uses ASAv image for virtual firewalls. This is same image that you use in production on ESXi. That means all restrictions applies also to virtual firewall if you run it on VIRL. In this image we must configure failover link using interfaces GigabitEthernet0/8. It’s clearly stated in documentation. If we use any other interface the configuration will be accepted but failover never established.


failover lan unit primary
failover lan interface Fail-link GigabitEthernet0/8
failover replication http
failover link State-link GigabitEthernet0/7
failover interface ip Fail-link 192.168.255.253 255.255.255.252 standby 192.168.255.254
failover interface ip State-link 192.168.254.253 255.255.255.252 standby 192.168.254.254
failover ipsec pre-shared-key 0 FailoverKey
failover

We also need to remember we can’t configure Active-Active failover. This mode is not supported so we have to stick to Active-Standby model. It’s direct result of lack of support for virtual contexts so remember about it as well.

04 May

How to setup VPN between Juniper SRX and AWS Cloud

I’ve said during several conferences where I had a privilege to be a speaker that clouds are one of the futures of computing along with DevOps/SysOps and Machine Learning. But there is no computing if you don’t have the data to compute or you have no way to send it to the cloud in reliable and secure way or you don’t have cloud infrastructure to perform computation. That’s why we need to take a look how to setup VPN between Juniper SRX and AWS Cloud.

I think that hybrid cloud will be the model how many of computer system will work in net few years. Private clouds are not scalable and public clouds cannot address all needs of current systems. So hybrid mode is a solution. But it requires reliable and easy to setup and maintain ways to connect on-premise resourced to public cloud. The technology is here and it’s called VPN.

Read More

19 Apr

How to add network device to Microsoft Operations Management Suite using syslog

How to add network device to Microsoft Operations Management Suite using syslog

Microsoft Operations Management Suite is nice, and in some cases free, tool to manage and search through logs. But it’s dedicated to Windows and Linux operating systems by default. In many environments, especially those most secure ones, huge amount of logs are generated by network devices. Firewalls placed on the edge between Internet and DMZ zone quite often are set up to log all denied connections. Those firewalls can produce significant volume of logs that need to be searched and analyzed. Microsoft Operations Management Suite seems to be perfect tool for that but there is no native support of such feature. But we can implement this doing small workaround. Let’s look how to add network device to Microsoft Operations Management Suite using syslog.

Read More

13 Apr

Microsoft Operations Management Suite – powerful log analyzer in Azure (in 10 minutes for free)

Collecting and processing logs from all systems and network devices can be a nightmare for any systems admin. Searching through them and performing security audits can be a nightmare for security team if collector engine is not powerful enough to process queries in efficient time. Microsoft Operations Management Suite is interesting solution to answer both those problems and add much more analysis giving administrators visibility and control across on-premise and cloud installations.

Microsoft Operations Management Suite runs in Azure which means it’s extremely fast in processing the data. Millions of records are not problem for OMS so we can get Insights and Analytics of what is happening on our servers or workstations, detect and respond to threads or apply proper protection or even put in place some automation in controlling. It’s quick to setup and for many users it can be for free!

Read More