Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability

Advisory ID: cisco-sa-spa-unauth-upgrade-UqhyTWW
First Published: 2023 May 3 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCwe50762
CVSS Score: Base 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X

Summary

A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.

Cisco has not released firmware updates to address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW

Affected Products

Vulnerable Products

This vulnerability affects all firmware releases for Cisco SPA112 2-Port Phone Adapters.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

  • There are no workarounds that address this vulnerability.

Fixed Software

Cisco has not released and will not release firmware updates to address the vulnerability that is described in this advisory. Cisco SPA112 2-Port Phone Adapters have entered the end-of-life process. Customers are advised to refer to the end-of-life notice for the product:

End-of-Sale and End-of-Life Announcement for the Cisco SPA112 2-Port Phone Adapter and SPA122 ATA with Router

Customers are encouraged to migrate to a Cisco ATA 190 Series Analog Telephone Adapter.

When considering a device migration, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the new device will be sufficient for their network needs and that current hardware and software configurations will continue to be supported properly by the new product. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  • Cisco would like to thank CataLpa of Dbappsecurity Co., Ltd. Hatlab, for reporting this vulnerability.

Revision History

  Version | Description             | Section | Status | Date
  1.0     | Initial public release. | -       | Final  | 2023-MAY-03

Source :
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW

GPO – Copy files to remote computers

Would you like to learn how to configure a group policy to copy files to remote computers? In this tutorial, we will show you how to copy files using a GPO.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 10
• Windows 7

Tutorial GPO – Copy files

Create a shared folder and place a copy of the files.

This will be the distribution point of the files to the network.

In our example, a shared folder named SOFTWARE was created.

All the domain users and all the domain computers were given read permission over this folder.

In our example, this is the path to access the network share.

\\tech-dc01\SOFTWARE

On the domain controller, open the group policy management tool.

Create a new group policy.

Enter a name for the new group policy.

In our example, the new GPO was named: MY-GPO.

On the Group Policy Management screen, expand the folder named Group Policy Objects.

Right-click your new Group Policy Object and select the Edit option.

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Computer Configuration > Preferences > Windows Settings > Folders

Create a new folder.

On the General tab, perform the following configuration.

• Action – Update.
• Path – Enter the path to the folder.
• Attributes – Select the attributes for the new folder.

Click on the OK button.

In our example, we are going to create a local folder named TEST on the root of drive C of all computers in the domain.

On the group policy editor screen, expand the Computer configuration folder and locate the following item.

Computer Configuration > Preferences > Windows Settings > Files

Create a new file.

On the General tab, perform the following configuration.

• Action – Update.
• Source – Enter the network path to the file.
• Destination – Enter the local path to save the file.

Click on the OK button.

In our example, we are going to copy a file from the network share named SOFTWARE to the local folder named TEST.

To save the group policy configuration, you need to close the Group Policy editor.

Congratulations! You have finished the GPO creation.

Tutorial – Applying the GPO to copy files

On the Group Policy Management screen, right-click the desired Organizational Unit and select the option to link an existing GPO.

In our example, we are going to link the group policy named MY-GPO to the root of the domain.

After applying the GPO you need to wait for 10 or 20 minutes.

During this time the GPO will be replicated to other domain controllers.

On a remote computer, verify if the GPO copied the file.

In our example, we copied a file to all domain computers using a GPO.
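Because this GPO pushes whatever sits in the share to every domain computer, it is worth confirming that the distribution point really is read-only for ordinary accounts and that the delivered file matches the source. The script below is an added example, not part of the original tutorial: the share and destination folder are the tutorial's, while the file name and the list of trusted principals are placeholders to replace.

```powershell
# Added example. \\tech-dc01\SOFTWARE and C:\TEST come from the tutorial;
# the file name and trusted-principal pattern are placeholders (assumptions).
$share       = '\\tech-dc01\SOFTWARE'
$fileName    = 'example-file.txt'   # placeholder: the tutorial does not name the file
$source      = Join-Path $share $fileName
$destination = Join-Path 'C:\TEST' $fileName
$trusted     = 'Administrators$|SYSTEM$|Domain Admins$|CREATOR OWNER$'   # assumed English names

# 1. NTFS permissions: find Allow entries that let a non-admin change the share content.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x50000000   # also catch GENERIC_WRITE and GENERIC_ALL entries

$ntfsWriters = (Get-Acl -Path $share).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $writeMask) -and
    $_.IdentityReference.Value -notmatch $trusted
}

# 2. Share-level permissions (needs administrative rights on the file server).
$shareWriters = Get-SmbShareAccess -Name 'SOFTWARE' -CimSession 'tech-dc01' | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight -ne 'Read' -and
    $_.AccountName -notmatch $trusted
}

# 3. Integrity: the copy delivered by the GPO must hash the same as the source.
$hashMatch = $null
if (Test-Path $destination) {
    $srcHash   = (Get-FileHash -Path $source      -Algorithm SHA256).Hash
    $dstHash   = (Get-FileHash -Path $destination -Algorithm SHA256).Hash
    $hashMatch = ($srcHash -eq $dstHash)
} else {
    Write-Warning "$destination not found. Run 'gpupdate /force', then check 'gpresult /r' to confirm MY-GPO applied."
}

[pscustomobject]@{
    NtfsWriters  = ($ntfsWriters.IdentityReference.Value | Sort-Object -Unique) -join ', '
    ShareWriters = ($shareWriters.AccountName | Sort-Object -Unique) -join ', '
    FileCopied   = Test-Path $destination
    HashMatches  = $hashMatch
} | Format-List
```

Empty NtfsWriters and ShareWriters fields mean only the trusted principals can modify the files that the policy distributes.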

Source :
https://techexpert.tips/windows/gpo-copy-files/

7 Reasons Why Security Awareness Is Critical for Employees

by hse | Apr 14, 2023 | Security information

There was a time when security awareness training was informal, short, and focused on simple things like using complex passwords. Well, it transpires that keeping these on a post-it note under your keyboard or in a text file is in fact not a safe practice.

This was when cyber threats from hackers were the work of people with expert skills, and at worst resulted in your computer getting infected with a virus, causing a brief interruption to your working day. Fast forward to the modern reality of the dark web where you can literally shop around and choose the method in which you want to carry out a targeted attack.

Added to that are the near-constant cyber-attacks, where we can see an increase in phishing in the below graph from the Cyber Security Report 2023.

Attackers are not slowing down and always finding new, harmful ways to compromise businesses. The efforts therefore to stay ahead and protect organizations must continue, and one of those is to introduce security awareness training. There is significant evidence that security awareness training is more than just essential. A recent Remote Management Survey by Hornetsecurity showed in fact that 1 in 3 organizations do not provide any kind of cybersecurity awareness training to remote employees.

A reliance solely on an organization’s security function for detection and prevention is no longer sufficient. Employees must be armed with security awareness training to become foot soldiers in this war, and I’ll explain the reasons why.

1. Protects Sensitive Data

Security awareness training helps employees understand the importance of protecting sensitive information and the consequences of a data breach. Protecting sensitive data helps to ensure cyber security and maintain the confidentiality, integrity, and availability of your information systems.

Using security awareness services, users are educated to understand how and why sensitive data needs to be protected and can help prevent unauthorized access and data breaches. This security awareness software in turn protects the organization’s reputation and financial well-being, as well as protects the personal information of customers and employees.

Sensitive data is essentially confidential information such as financial records and personally identifiable information (PII) and, depending on the nature of the organization, could also include trade secrets or proprietary information considered commercially sensitive.

Theft and subsequent compromise of sensitive data is very common and a highly prized target during security or data breaches. In IBM’s “Cost of a data breach report 2022” we can see the year-on-year cost of a data breach is going in the wrong direction!

Through a cyber security training program, users become aware of the legal and ethical obligations they have to safeguard it from unauthorized access, disclosure, or misuse. Arming your users with security awareness training provides the knowledge and skills necessary to handle sensitive information and significantly reduces the risk of a data or security breach.

2. Fosters a Sustainable Security Culture

Creating and fostering a culture of security within the organization is a fundamental step in raising awareness of security threats and practices for mitigating them.

Regular security awareness training promotes a security culture within an organization, making security a priority for all employees. You might have heard the catchphrase “security is everyone’s responsibility.” There’s a lot of truth to that.

Through a security awareness training program, employees benefit by learning and becoming aware of the roles and responsibilities and shifting their mindset from “that’s someone else’s problem” to “that’s my problem.”

Providing security awareness training empowers them to take responsibility and notice and report anything out of the ordinary. This can extend from information security things like phishing scams and emails to physical security and being able to identify or report someone suspicious lurking in the office or tailgating when entering the premises!

A security-conscious workforce brings about a culture where users are more likely to take proactive steps to protect their sensitive data and report suspicious activity.

3. Detects and Prevents Insider Threats

Security awareness training can help identify and prevent potential insider threats, such as employees who may be intentionally or unintentionally compromising the security of an organization. This is one reason why cybersecurity awareness training is important.

Insider threats refer to security breaches that are caused by a person who has authorized access to an organization’s systems, network, and data. Although only employees are commonly considered, it includes anyone who has access to the organization’s systems like vendors or contractors.

Theft of sensitive information, sabotage of systems, using security credentials, and unauthorized access to confidential data are also examples of insider threats. These threats can significantly impact the organization like financial loss, reputational damage, and even legal liabilities.

4. Increases Employee Engagement

By educating employees on the security threats within and towards the organization, organizations can increase employee engagement and buy-in to security initiatives.

Engaged employees are more likely to feel like they have a vested interest in the success of their organization, which creates a sense of loyalty and responsibility towards it. This ultimately results in better overall security practices and a reduced risk of security breaches.

Increased employee engagement through security awareness training can result in employee retention, an often overlooked benefit. When employees leave an organization, they often take potentially sensitive institutional information with them. This matters especially if an employee has a role within the security function of that organization, as their departure could create a security gap and therefore a security risk.

Although most organizations have a defined security policy, in reality, the only time an employee reads it is when they initially join and are required to read it as part of their onboarding as a compliance exercise. By being and feeling more engaged, you’re likely to see better compliance with and understanding of security policies and procedures.

Understanding why these policies are necessary and how they contribute to the organization’s overall security reduces the risk of accidental or intentional security breaches.

5. Education on Security Threats and How to Mitigate Them

Educating employees on security threats and how to mitigate them is crucial to maintaining a strong cybersecurity posture within an organization.

Employees who don’t work in a security-related role are often unaware of the plethora of security threats their organization faces every day. Incorporating education of security threats in a security awareness training program is an effective method to “enlist” employees as “soldiers” in this perpetual war.

Time is often of the essence when it comes to recognizing an IT security threat. For example, if a user who has not undergone a security awareness training program opens a malicious link, then realizes this, they are less likely to understand the significance of how quickly they must act on this information and report this.

Employees who understand the impact posed by security threats are more likely to make better decisions armed with this education.

6. Reduces Human Error

Employees are less likely to make costly security mistakes if they have received training on identifying and responding to security threats. Human error is a common cause of security incidents and one of the most common methods attackers use to infiltrate a network.

As you will have seen, whenever there is a data breach, along with significant reputational damage, the financial cost is often significant. The cost of implementing these security measures and awareness training is easily outweighed by the savings from avoiding a breach.

7. Supports Incident Response

Security awareness training equips employees with the knowledge and skills to respond effectively to security incidents, reducing the impact and recovery time of such incidents.

An organization’s cyber security incident response plan will detail the roles and responsibilities for everyone in the organization. In the event of a security incident, it is important for all members of the organization to understand their roles and responsibilities in responding to the incident.

A security awareness program helps to educate the people involved so that they can respond to a security incident adequately and more quickly. Educated users are also more likely to recognize the signs of a security incident and report it promptly, which can help the incident response team take action more quickly.

The ability of an organization to respond in such a manner that minimizes the impact can be the difference between “getting owned” and mitigating a potential disaster.

We at Hornetsecurity work hard perpetually to give our customers confidence in their Security Awareness Service, Spam & Malware Protection, Advanced Threat Protection, Email Encryption, Email Archiving, and VM backup strategies.

Summary

The importance and benefits of security awareness training programs should not be underestimated in how organizations combat cybersecurity threats. Organizations can no longer think of cyber security awareness training as a maybe when they plan and strategize on how to improve cyber security posture; it’s essential.

In this digital age, many options and methods exist in which a cyber security awareness training program can be delivered, both online and in person. Hornetsecurity is one such place that offers a cyber security awareness training service.

FAQs

What is security awareness training?

Security awareness training is a kind of training that helps people learn about different security risks and how to keep themselves safe from them. Hornetsecurity provides security awareness training to help people become more aware and knowledgeable about security risks and how to protect themselves. By implementing proper security awareness training in your company, your employees will be able to recognize and avoid potential dangers.

Why is security awareness important?

Security awareness training is important to ensure the safety of sensitive data, and protecting against cyber threats is critical in today’s digital age. We at Hornetsecurity provide one-of-a-kind security awareness training that mainly focuses on creating a user-centric experience for employees to better understand the importance of security measures and procedures. With our training, you can rest assured that your systems and confidential information are secure.

What are the types of security awareness?

Our security expertise distinguishes 4 main types of security awareness training:

  1. Classroom training (lecture-based training)
  2. Video training
  3. Cloud training
  4. Simulation training

How often should security awareness training be conducted?

At Hornetsecurity, the Awareness Engine is the technological heart of our Security Awareness Service. It offers the following:

  • Everyone to have the right amount of training;
  • Each user receives as much training as necessary and as little as possible;
  • Demand-driven roll out of relevant e-training content;
  • Booster option for users who need more intensive e-training;
  • Fully automated steering of the e-training.

Source :
https://www.hornetsecurity.com/en/security-information/security-awareness-training/

Using Wireshark to Analyze and Troubleshoot Hyper-V Networking

Analyzing traffic and uncovering Hyper-V networking problems has never been easier

Networking problems frequently challenge administrators. Introducing a virtualized switch to the mix adds another layer of complexity and multiple failure points. We can use the popular Wireshark tool to analyze traffic and uncover problems.

Requirements for Success with Wireshark

First, you need the software. You can download Wireshark from Wireshark.org. The site includes substantial information and links to more. Due to the extensive depth of the tool, the value that you get from Wireshark depends directly on how well you’ve learned it. Ideally, you’d go through a guided course and practice on training captures. I understand that you might have more immediate needs. This article illustrates enough to get you started but expect to invest time in training and practice.

Second, you need a working knowledge of Ethernet frame structure. You do not need anything near expert level, but you won’t get far if you can’t make sense of what Wireshark reveals. We have an article series on basic networking that can get you started.

Remote Captures in Wireshark

Wireshark can capture information on remote systems. However, it includes more hints than details. I could not find any directions that I felt comfortable sharing. Fortunately, you have alternatives.

Wireshark will run on Windows Server. Because it relies on the Qt library for its graphical interface, you can run the entire program on a Core mode installation by manually starting “C:\Program Files\Wireshark\Wireshark.exe”. I have no objection to running Wireshark on a server. However, I do not like RDP or similar remote connections to servers. These technologies present a significant attack surface for malware and intruders. Use at your own risk.

During the Wireshark install, you can also select the TShark program, which gives you command-line access to captures. TShark works inside a PowerShell Remote session. That means that you can install TShark on a system that you want to capture “remotely”, output its capture to disk, and then import it into a management system. I will not spend much time on TShark in this article, but I will get you started.

TShark Fundamentals

First, install at least the TShark portion of Wireshark on the target server. That might require a remote desktop connection as Wireshark has no official support for remote or scripted installation. However, running "Wireshark-Win64-<VER>.exe /S" at a command prompt (or via a script, or possibly even a remote session) should install the software with default options. The switch is case-sensitive.

Second, open a remote PowerShell session to the server using credentials with administrative privileges on the target:

Enter-PSSession -ComputerName <SERVERNAME>

Alternatively, you can supply credentials at the point of entry:

Enter-PSSession -ComputerName <SERVERNAME> -Credential (Get-Credential)

Once you have your remote session, run Get-NetAdapter to retrieve a list of adapters on the remote server:

Locate the adapter(s) that host the Hyper-V virtual switch on the server and note the value(s) for ifIndex. In my case, I want interfaces 4 and 10. With that knowledge, initiate TShark. Tell it which interfaces to include in the capture and where to write an output file with the -i and -w switches, respectively. That looks something like this:

& 'C:\Program Files\Wireshark\tshark.exe' -i 4 -i 10 -w C:\Users\esadmin\Documents\cap.pcapng

You do need the leading ampersand. If you use tab completion for assistance in entering the path to TShark, PowerShell will insert it automatically.

Upon pressing [Enter], the capture starts and writes to the file. Most importantly, you need to know that pressing [CTRL]+[C] stops the capture. Because we did not specify a capture limit, it will run until we either cancel it or the remote system runs out of disk space. Less importantly, the TShark program does not generate all its console output in a way that PowerShell remote sessions can process. You will see some things that look like error messages and other things will not appear at all. Just remember how to start and stop the capture and you will get the expected capture file.

TShark allows you to restrict captures with limits and filters. I will leave learning about that to you. Start with tshark.exe --help. The instructions above will generate a capture file that, at worst, has more data than you want. Once you have that file, you can transfer it to your management workstation and use Wireshark to operate on it.

A Warning about Wireshark and Resources

Wireshark will write to capture files, but it defaults to keeping captured packets in memory unless told otherwise. When possible, only run captures for the time needed to gather the data relevant to the problem you want to solve. Take care to set limits on long-running captures to ensure that you do not consume all host memory or disk space. Remember that a full disk will cause any VMs on that disk to pause. Also, remember that Hyper-V prioritizes processes in the management operating system, so it will squeeze virtual machines as needed to provide CPU and memory resources to Wireshark.

Set capture limits from Wireshark’s main interface by clicking the Capture menu item on the menu bar and then clicking Options.

The Input tab allows you to select the adapters to watch and to define capture filters. The Output tab gives you options for writing to files. You can set finite capture limits on the Options tab that apply whether writing to memory or disk, along with some handy quality-of-life settings.

While we frequently want to capture all data so that we don’t miss environmental problems, you can greatly reduce capture size with capture filters. Unlike display filters, capture filters tell Wireshark to discard information without storing it. Use these cautiously; if you inadvertently throw out interesting frames, you’ll have to perform additional captures.

Finally, remember that 10GB and faster interfaces can already generate heavy CPU loads. Using Wireshark to capture and decipher frames costs that much more. Few systems drive their networking capabilities anywhere near their maximums but remain mindful.
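The limits described in this section can also be passed to TShark on the command line, so that an unattended capture on a Hyper-V host cannot fill the disk. The script below is an added example, not from the original article: it reuses the article's interface indexes (4 and 10) and output folder, while the ring-buffer size, duration, free-space reserve and capture filter are assumed values to adjust.

```powershell
# Added example: bounded TShark capture for a Hyper-V host.
# Interfaces 4 and 10 and the output folder are the article's; all limits are assumptions.
$tshark  = 'C:\Program Files\Wireshark\tshark.exe'
$outDir  = 'C:\Users\esadmin\Documents'
$outFile = Join-Path $outDir 'cap.pcapng'

$fileSizeKB  = 102400   # rotate to a new file after about 100 MB (-b filesize is in kB)
$fileCount   = 5        # ring buffer: keep only the 5 newest files
$durationSec = 300      # stop after 5 minutes even if nobody presses CTRL+C
$reserveGB   = 20       # free space that must remain for the VMs on this volume

# Refuse to start if the full ring buffer would eat into the reserve.
# A full disk pauses every VM stored on it, as the article warns.
$driveLetter = [IO.Path]::GetPathRoot($outDir).Substring(0, 1)
$drive       = Get-PSDrive -Name $driveLetter
$neededBytes = ([long]$fileSizeKB * 1KB * $fileCount) + ([long]$reserveGB * 1GB)
if ($drive.Free -lt $neededBytes) {
    throw ("Only {0:N1} GB free on {1}: ; need {2:N1} GB before capturing." -f
           ($drive.Free / 1GB), $driveLetter, ($neededBytes / 1GB))
}

# Optional capture filter (BPF syntax, not display-filter syntax). Frames that do
# not match are discarded and cannot be recovered later, so leave this empty when
# you do not yet know what you are looking for. The ports are the authentication
# ports used in Exercise 1 of the article.
$captureFilter = 'tcp port 88 or tcp port 389 or tcp port 636 or tcp port 3268 or tcp port 3269'

$tsharkArgs = @('-i', '4', '-i', '10')
if ($captureFilter) { $tsharkArgs += @('-f', $captureFilter) }
$tsharkArgs += @(
    '-a', "duration:$durationSec",
    '-b', "filesize:$fileSizeKB",
    '-b', "files:$fileCount",
    '-w', $outFile
)

& $tshark @tsharkArgs

# In ring-buffer mode TShark appends a sequence number and timestamp to the name,
# so list what was actually written.
Get-ChildItem -Path $outDir -Filter 'cap_*.pcapng' |
    Sort-Object LastWriteTime |
    Select-Object Name, Length, LastWriteTime
```

With these settings the capture can never occupy more than roughly 500 MB, whatever the traffic rate on the virtual switch.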

Traffic Must Pass a Physical Adapter for Wireshark to Capture It

With the current way that the Hyper-V virtual switch projects into the management operating system, Wireshark cannot bind directly to it. Instead, we attach it to one or more physical adapters. This means that, at the management operating system level, Wireshark cannot intercept any traffic that never leaves the VMBus.

The VMBus limitation primarily impacts internal and private virtual switches. Without a physical adapter, you have few options. If you have an unused physical adapter, you could temporarily bind the virtual switch to it with Set-VMSwitch. If your host uses the older LBFO technology, you can add a team NIC in another VLAN and bind your virtual switch to that. Even with these alternatives, you will still miss anything that does not cross the bound adapter.

However, this should only present a problem in edge cases. Wireshark and TShark can operate just as well inside a virtual machine as they can in the management operating system. Wireshark does not distinguish between virtual and physical adapters. Set it to watch the virtual adapters involved in your communications chain, and you’ll see the traffic. If you can’t install either product inside a given virtual machine, you still have Hyper-V’s port mirroring feature.

Capturing All Virtual Switch Traffic

When you don’t know exactly what you’re looking for, which applies well when you don’t have much experience with network captures, just get everything. When you first open Wireshark, it will present all network adapters that it can operate with. Find the physical adapters that host your virtual switch and highlight them:

Remember that choosing anything that says “vEthernet” in its name binds to that virtual adapter, not the virtual switch. For switch monitoring, you must choose the physical adapter(s).

You can either right-click your selection and click Start Capture or you can click the blue shark icon at the left of Wireshark’s icon menu. If you made a mistake in adapter selection or just want to change it after the capture has started, select Options from the Capture menu:

Once the capture starts, you should see a rapidly scrolling screen like the one below. If you’re working on a problem, reproduce it while the trace runs.

Once the trace has captured enough information, click the red square button on the toolbar to end it. Regardless of your intentions, I recommend saving the file. It’s better to have a capture file that you don’t need than the opposite.

You can scan through the capture to look for anything that seems out of place or just to acclimate yourself to a network capture. If you’ve never used Wireshark before, the topmost pane shows a list of captured frames with some basic information about each. The middle pane tries to break the selected frame down into its individual components. Click on the triangle icon to the left of any item to drill down further. Wireshark uses “dissectors” to interpret frame components. Anything that it doesn’t recognize goes into the generic “Data” portion. The third pane shows a binary dump of the frame. If you click any part of that, the dissector pane will shift focus to that location.

Listings such as this allow you to peruse the activity crossing your virtual switch. You can investigate whatever interests you.

Exercise 1: Capturing Virtual Switch Traffic by Port

Tracing traffic by port can help you locate breaks in communication. It helps you to discover if messages that you expect to arrive on a virtual machine ever make it to the virtual switch at all. You can ensure that servers on virtual machines respond to clients as expected. You can watch for traffic coming from unexpected (potentially malicious) sources.

In my example exercise, I want to verify that my “primary” domain controller properly receives and responds to authentication traffic. For the most basic trace, I can set a display filter on a previously captured file or on an active trace with this format: tcp.port == 389:

For thoroughness, I want to look at all traffic that a domain controller would utilize for authentication traffic. I can filter to multiple ports like this: tcp.port == 88 or tcp.port == 389 or tcp.port == 636 or tcp.port == 3268 or tcp.port == 3269

Pressing [Enter] or the white arrow with the blue background at the end of the filter field will update the display to show only frames that match the filter:

Scanning the filtered view, I see frames that it clearly identifies as LDAP and others that it marks only as TCP. When Wireshark cannot identify a frame, look to the Info column. In the third row of the screenshot, we see that it has marked the frame as [ACK]. That tells us that the frame contains an acknowledgement of a previously received frame.

If I want to find out what the frame acknowledged, I can right-click on the line item, hover over Conversation Filter, and choose one of the offered items. In this case, I don’t want to miss anything, so I choose Ethernet as the least specific filter:

In response, Wireshark pares down the display to only the items that belong to that particular “conversation”. Also, notice that it updated the display filter:

I know that 192.168.5.1 belongs to the domain controller of interest. I also know that 192.168.5.2 belongs to my “secondary” domain controller. Therefore, before I even performed any of these tasks, I could have guessed that these frames carry requests or updates that keep domain information synchronized. To confirm, I select the first frame in the conversation in the top pane. In the second pane, I find the Lightweight Directory Access Protocol section that indicates a dissector has come into play. In the bottom frame, I locate the highlighted information (remember that this matches whatever I selected in the middle frame):

The frame appears to have something to do with DNS settings. I look at the same portion of the second frame:

We already know that the third and final frame in the conversation is an ACK. So, we can surmise that 192.168.5.2 asked 192.168.5.1 about SVDC02 as a DNS server, got a NO_OBJECT result, and acknowledged receipt of the result. It appears that I may have some DNS troubleshooting to do.

However, I was interested in authentication traffic. We learned that the tracked conversation dealt with DNS servers. I can return to my previous filtered view by clicking the drop-down arrow at the end of the filter line and choosing the filter that I want to see again:

Exercise 2: Including or Excluding Virtual Switch Traffic by IP Address

To continue with the scenario set up in exercise 1, I still want to see all the authentication traffic to my “primary” domain controller, but I want to exclude anything between it and my “secondary” domain controller. The simplest display filter looks like this: ip.addr != 192.168.5.2. If I wanted to see only traffic on that IP, then I could use double equals (==) or eq instead of !=.

Of course, I don’t want non-authentication traffic. So, let’s modify the filter to ip.addr != 192.168.5.2 and (tcp.port == 88 or tcp.port == 389 or tcp.port == 636 or tcp.port == 3268 or tcp.port == 3269). Pay attention to the usage of parentheses. This grouping tells Wireshark that we want traffic where no frame includes IP address 192.168.5.2 but does contain any of the TCP ports inside the parentheses:

The remaining list tells us multiple things:

  • No non-domain controller except 192.168.10.1 talked to the domain controller during the capture (were we expecting traffic from someone else?)
  • We see the beginning of a conversation between the domain controller and 192.168.10.1 (indicated by the SYN packets)
  • 192.168.10.1 performed a bind and SASL operation
  • All traffic was on port 389
  • We see the end of a conversation (indicated by the RST, ACK packet followed by a FIN, ACK packet)

While not captured in the screenshot, the Info contents provide enough preview information for me to understand what the SASL conversation was about. However, I can click on the individual frames and use the other two panes to get a deeper look at the traffic.
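The selection logic of the Exercise 2 filter, as an added example that is not part of the original article: it applies the same test to constructed tshark-style field rows and shows what the parentheses, and the reading of != on a two-valued field such as ip.addr, change. The sample rows and all function names are assumptions made for illustration.

```python
"""Added example: the Exercise 2 display filter applied to exported packet fields.

Rows mimic `tshark -T fields -E separator=,` output for frame.number, ip.src,
ip.dst, tcp.srcport and tcp.dstport. Every row below is constructed.
"""
import csv
import io

AUTH_PORTS = (88, 389, 636, 3268, 3269)   # ports named in the article's filter
EXCLUDED_HOST = "192.168.5.2"             # the "secondary" domain controller

SAMPLE_ROWS = """\
1,192.168.10.1,192.168.5.1,49712,389
2,192.168.5.1,192.168.10.1,389,49712
3,192.168.5.2,192.168.5.1,50110,389
4,192.168.5.1,192.168.5.2,389,50110
5,192.168.10.1,192.168.5.1,49720,445
6,192.168.5.2,192.168.5.1,50111,135
"""


def parse_rows(text):
    """Turn exported field rows into dicts holding address and port sets."""
    packets = []
    for number, src, dst, sport, dport in csv.reader(io.StringIO(text)):
        packets.append({
            "frame": int(number),
            "addrs": {src, dst},
            "ports": {int(sport), int(dport)},
        })
    return packets


def neither_address_is(pkt, host):
    # ip.addr != host as Wireshark 3.6 and later read it: same as !(ip.addr == host).
    return host not in pkt["addrs"]


def some_address_differs(pkt, host):
    # The reading older releases used: true as soon as source OR destination differs.
    return any(addr != host for addr in pkt["addrs"])


def uses_auth_port(pkt):
    return any(port in pkt["ports"] for port in AUTH_PORTS)


def grouped(pkt):
    # ip.addr != X and (tcp.port == 88 or tcp.port == 389 or ...)
    return neither_address_is(pkt, EXCLUDED_HOST) and uses_auth_port(pkt)


def ungrouped(pkt):
    # The same text without parentheses. When `and` binds tighter than `or`, it is
    # (ip.addr != X and tcp.port == 88) or tcp.port == 389 or ...
    first, *rest = AUTH_PORTS
    excluded_ok = neither_address_is(pkt, EXCLUDED_HOST)
    return (excluded_ok and first in pkt["ports"]) or any(
        port in pkt["ports"] for port in rest)


def grouped_old_reading(pkt):
    # Parentheses kept, but != evaluated the older way.
    return some_address_differs(pkt, EXCLUDED_HOST) and uses_auth_port(pkt)


def frames(packets, predicate):
    """Frame numbers that a predicate would leave on screen."""
    return [pkt["frame"] for pkt in packets if predicate(pkt)]


if __name__ == "__main__":
    pkts = parse_rows(SAMPLE_ROWS)
    print("grouped:            ", frames(pkts, grouped))
    print("ungrouped:          ", frames(pkts, ungrouped))
    print("grouped, old reading:", frames(pkts, grouped_old_reading))
```

In both of the weaker variants the traffic between the two domain controllers (frames 3 and 4) comes back into the view, which is the traffic the exercise set out to exclude.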

Exercise 3: Determine the Physical Adapter(s) Used by a Virtual Machine

The Hyper-V virtual switch makes its own decisions when placing traffic on the members of a switch-embedded team. If you use the Hyper-V Port load balancing algorithm, it will affinitize each virtual adapter’s incoming traffic to a physical adapter. While it can dynamically change affinities in response to events, each virtual adapter will always receive on exactly one physical adapter. If you use the Dynamic load balancing algorithm instead, then Hyper-V can exploit Ethernet and TCP/IP characteristics to distribute physical adapter use down at the conversation level.

If you want to view its decisions in action, Wireshark can help. Get a capture of traffic on your switch’s physical adapters. Select any frame in the top pane. In the middle pane, expand the Frame group at the top, then the Interface item. Look at the Interface description field:

Skip around in a generic capture and look at the ways that it uses physical adapters. Notice how it freely distributes multicast and broadcast traffic as it sees fit. Notice how it picks an adapter for any given individual unicast conversation and keeps it there.

[Screenshot: Frame]

We will expand on this subject in the next two exercises.

Exercise 4: Determine the MAC Addresses Used by a Virtual Machine

This exercise may seem pointless because you can use PowerShell or the various graphical tools to find the MAC assigned to a Hyper-V virtual network adapter. Bear with me though, as you may see things that you don’t expect.

This exercise begins similarly to exercise 3. Pick a frame from the top pane and look in the center pane. The second section, after Frame, is Ethernet. It shows the MAC addresses involved in the frame, which probably aligns with what you see in your tools:

Then again, it might not:

[Screenshot: Ethernet]

In fact, even though it includes the IP address of a virtual machine (192.168.127.3, visible in the third row), neither the source nor destination MAC belongs to a Microsoft virtual adapter. For this reason, I counsel against filtering Hyper-V virtual switch traffic by any MAC owned by a virtual adapter unless you’re doing something like validating MAC address spoofing.

How did this happen? Short answer: Hyper-V silently utilizes the MAC addresses of physical adapters when load balancing traffic from a single virtual adapter. If that seems strange, understand that physical switches do the same thing. Knowing the MAC address that Hyper-V assigned to a virtual adapter does not guarantee that the virtual switch will only use that MAC in conversations involving that adapter. The only Ethernet segment that absolutely must have the correct MAC for an adapter is its direct switch connection. In Hyper-V’s case, that connection only exists on VMBus which, as we discussed earlier, cannot be seen in Wireshark. If you want a longer explanation, I wrote an article that talks about how this very thing can cause problems when using a dynamic-mode Hyper-V virtual switch in conjunction with load balancers.

You can see the MAC-to-adapter matching by comparing the MAC to the interface ID or description (as shown in exercise 3). You can use this information to filter a virtual machine’s traffic by adapter as shown in the next exercise.

Exercise 5: Find Traffic for a Virtual Machine that Uses a Specific Virtual Adapter

We’ll combine what we learned in the previous two exercises to answer a specific question: how do I filter the traffic from a specific virtual adapter that crosses a specific physical adapter? In case you skipped the previous sections, this question only makes sense when your Hyper-V virtual switch involves a physical adapter team.

The part of the virtual machine that does not change is its IP address, so I will filter by that first. Next, I will have Wireshark look at the frame object. As you type the filter, it will make suggestions. I begin my filter with ip.addr == 192.168.127.3 and frame.. Note that this is an incomplete query, and it includes a period at the end of frame:

You can see that Wireshark makes suggestions to help us out. The subcomponent of frame that interests us is the interface, so start typing that to shorten the suggestion list:

If you recall the Wireshark-assigned interface ID from previous exercises, then you can select the interface_id subcomponent and that number. I like repeatable, memorable things, so I will use the interface_description with the name that I gave the adapter in Windows: ip.addr == 192.168.127.3 and frame.interface_description == PTL. You do not need quotes around the name:

[Screenshot: interface_id]

My display now contains traffic for that virtual machine that uses the designated physical adapter, even though none of it includes the virtual machine’s “correct” MAC address:

Expect to see many frames marked “TCP Spurious Retransmission” on the physical adapter(s) that substitute their own MAC in place of the virtual adapter’s. Network load balancing does not come free.

Expand on these Lessons

This article only scratched the surface of Wireshark’s capabilities. Most importantly, it empowers you to see below the layer 3 and higher pieces that the virtual adapters deliver into the guest operating systems. You can now see the data that enters and leaves your virtual switch and use that knowledge to find the truth behind those vague “it must be something wrong with the network” excuses.

Source :
https://www.altaro.com/hyper-v/wireshark-hyper-v-networking/

Enable BitLocker on Windows 11 without a TPM chip

Jasmin Kahriman

Jasmin Kahriman is an IT Pro with 15 years of experience. He is deep into data center monitoring, product and customer advocacy, training, and blogging. Check out his blog TechWithJasmin.com, and feel free to connect with Jasmin via LinkedIn.

BitLocker is a security feature that allows you to encrypt your system or data disk and prevent unauthorized access in case of theft. In my view, this is a must-do on your personal or business notebook or workstation.

BitLocker drive encryption

BitLocker is available only for Windows 11 Professional or Enterprise Edition.

How to check whether a TPM chip is present

If you want to check whether your machine has a TPM, you can do so by navigating to your machine’s BIOS or UEFI and checking the settings. Another way is to press the Windows key + R and type tpm.msc to open the TPM management console.

If TPM is not available on your Windows 11 machine, you will see a window like this:

[Screenshot: TPM is not available]

Note that your Windows 11 system may display the message “Compatible TPM cannot be found.” In this case, it is important to verify whether TPM is available but simply not turned on. To do so, check your system’s BIOS or UEFI settings.

If TPM is available on your Windows 11 machine, you will see a window like this:

[Screenshot: TPM is available]

Enable BitLocker step-by-step

To make BitLocker work without using TPM on your Windows 11 machine, you need to adjust group policies on your machine. Here is how:

  1. Press the Windows key + R to open the Run dialog box.
  2. Type gpedit.msc to open the Local Group Policy Editor and then press Enter.
  3. Expand Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
  4. Right-click Require additional authentication at startup and then click Edit to modify the policy.
  5. Select Enabled and then select Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).

Using BitLocker with a USB drive

In this mode, either a password or a USB drive is required for startup. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key has been inserted, access to the drive is authenticated, and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, then you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the insertion of a USB flash drive containing a startup key, the entry of a 6- to 20-digit personal identification number (PIN), or both.

  6. Click Apply and then OK.
  7. Close the Local Group Policy Editor.
  8. Open the command prompt (CMD).
  9. Type gpupdate /force and press Enter to force the group policy change.
  10. Close the CMD.

Configuring BitLocker

You have successfully enabled BitLocker on a Windows 11 machine without a TPM chip.

Now, in the next step, you will need to configure BitLocker. You do this by right-clicking your disk or partition and then clicking Manage BitLocker.

[Screenshot: Manage BitLocker]

Conclusion

BitLocker is a security feature that allows you to encrypt your disk. To enable it on Windows 11, you need Windows 11 Professional or Enterprise Edition. By default, Windows 11 requires an integrated TPM chip in your machine. However, with the help of some tweaks in the Local Group Policy Editor, you can enable BitLocker without TPM.

Source :
https://4sysops.com/archives/enable-bitlocker-on-windows-11-without-a-tpm-chip/

Ubiquiti UniFi Network – UniFi Cloud Adoption (Layer 3)

Updated on 5 May 2023

Layer 3 adoption is the process of adopting a UniFi device to a remote UniFi Network Application. This is only recommended for advanced users, or those adopting devices to the UniFi Cloud Console. 

We highly recommend that users refer to Device Adoption for standard device adoption.

L3 Adoption Methods

For layer 3 adoption, your UniFi Network Application and connected devices must have internet access.

UniFi Network Mobile App

The Cloud Console can leverage your UniFi Network Mobile App (iOS / Android) to provide the easiest L3 adoption experience. 

  1. Refer to our UniFi Device LED Status guide to ensure the device is in a factory-default state.
  2. Connect your mobile device to the same local network as your UniFi device. 
  3. Open your UniFi Network Mobile App and connect to the site to which you want to adopt your device.
  4. Your device should appear for adoption.

DHCP Option 43

This option leverages your DHCP server to inform your UniFi device of the location of your remote Network Application host. Those with a UniFi Gateway can easily accomplish this by entering the IP address of the remote Network Application in the Option 43 Application Host Address field located in the Network Settings.

For those using a third-party gateway or DHCP server, we recommend consulting your manufacturer’s documentation to learn more.

DNS

You’ll need to configure your DNS server to resolve ‘unifi’ to your remote UniFi Network Application host.

There are two methods of specifying the Network Application host:

SSH

  1. Make sure your device is in a factory-default state. You can refer to our UniFi Device LED Status guide. 
  2. SSH into the device. You may refer to our guide on how to Login with SSH.
  3. Issue the following command: set-inform http://ip-of-host:8080/inform
  4. The UniFi device will now show up for adoption and can be treated as a standard L2 adoption.

Migrating From Another Network Application

A Layer 3 migration is useful for moving devices from a current Network application to a new Cloud Console. See Backups and Migration for more information.

Source :
https://help.ui.com/hc/en-us/articles/204909754

Ubiquiti UniFi Recovery Mode

Updated on 5 May 2023

Recovery Mode is a last-resort solution to recover an unresponsive UniFi device, often resulting from power loss occurring at the same time as an update. Only use Recovery Mode if you are unable to perform a standard factory reset.

Note: UniFi Power Backup can prevent unexpected power losses from occurring.

The following UniFi devices support Recovery Mode:

  • Dream Machine, Dream Machine Pro & Dream Wall
  • Access Points (all models)
  • Cloud Key, Cloud Key Gen2+
  • Cameras
  • USW Flex Mini

Before Considering Recovery Mode

If you are considering Recovery Mode, first check two key points:

  1. Reboot your UniFi device. If this resolves your symptoms, no further actions are required.
  2. Factory reset your UniFi device. If you have cloud backups, you can easily restore your settings after factory resetting. If a factory reset works, no further actions are required.

Performing a Device Recovery

Dream Machine, Dream Machine Pro & Dream Wall

  1. Download the most recent firmware for your device, found here.
  2. Completely power-off the UniFi device and unplug it from its power source.
  3. Press and hold the Reset button and then reconnect it to the power source.
  4. Continue holding the Reset button for 5 seconds, or until the display (in supported models) indicates Recovery Mode.
  5. Connect an Ethernet cable from your computer to the first LAN port (Port 1). This is usually the port nearest to the top left corner.
    • Note: Connect to the Dream Wall via Port 18, not Port 1.
  6. Configure a static IP address on your computer in the 192.168.1.0/24 range (for example, 192.168.1.11).

Windows Client

  1. Navigate to the Windows 10 Network connections
    • Settings > Network & Internet > Status > Change Adapter Options
  2. Modify the IPv4 settings of the Ethernet adapter
    • Ethernet Adapter > Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties
  3. Select the option to manually enter an IP address and add the following information:
    • IP address: 192.168.1.11
    • Subnet mask: 255.255.255.0
    • Default gateway: <blank>
    • DNS servers: <blank>

macOS Client

  1. Navigate to the macOS Network connections.
    • System Preferences > Networks > Ethernet Adapter
  2. Select to manually enter an IP address and add the following information:
    • IP Address: 192.168.1.11
    • Subnet Mask: 255.255.255.0
    • Router: <blank>
    • DNS server: <blank>
  7. In a web browser, navigate to http://192.168.1.30 to access the Recovery Mode UI.
    • Note: The Recovery Mode UI is accessible via HTTP only (not HTTPS). Your browser may try to redirect your session to HTTPS. Use a different browser if necessary.
  8. Select Firmware Update > Choose and browse your computer for the previously downloaded firmware (.bin) image file.
  9. Wait for the upgrade process to complete and reboot the device afterwards.

Access Points

  1. Download the most recent firmware for your device, found here.
  2. Connect your AP and computer to the same network or VLAN, either through a PoE switch or by connecting the computer directly to the network (data) port on the PoE adapter.
  3. Press and hold the Reset button, and connect your computer to the available ethernet port of the AP.
  4. Continue holding the Reset button until the LED flashes white, blue, off as indicated in our LED Status Guide. This indicates your device is ready for TFTP Recovery and you can release the button.
  5. Set a static IP address on your computer to communicate with the AP, which has a default IP address of 192.168.1.20. The following is an example configuration:
    • Static IP: 192.168.1.25
      Subnet: 255.255.255.0
      Gateway: 192.168.1.20
  6. Use TFTP to move the firmware from your computer to your AP. There are various programs and methods for accomplishing this. Here are two methods for your reference.
    • Windows
      1. Use the built-in TFTP command line tool, or a separate program such as Tftpd64 or pumpKIN.
      2. Select the downloaded firmware image and transfer it to the AP.
    • macOS and Linux
      1. Open Terminal
      2. Enter TFTP mode by entering the command: tftp
      3. Once in TFTP, paste the following commands and hit enter:
        connect 192.168.1.20
        binary
        rexmt 1
        timeout 60
        put /path/to/firmware_name.bin
  7. The file transfer will begin. The firmware will upgrade and the device will automatically reboot once it has finished. Do not reboot it yourself.

Cloud Key

Cloud Key Gen2, Gen2 Plus

  1. Download the most recent firmware for your device, found here.
  2. Power off the system.
  3. Press and hold the Reset button and then connect it to the power source.
  4. Continue holding the Reset button for 10 seconds, until the LED flashes blue and white. The LCD screen on the front panel will also read “RECOVERY MODE.”
  5. Open your browser and type the IP address for the Cloud Key, visible on the device’s screen.
    • Note: The IP address comes from your DHCP server. If it has not been assigned an IP address, you can try the fallback: 192.168.1.30.
  6. Run the “Check Filesystem” to try searching for and repairing any problems with your storage disk that may cause system issues.
  7. Restore the firmware you downloaded in step (1). Note that this will also factory reset your device.
  8. The LED will flash white while upgrading and turn into a steady white when it is complete.
  9. If your device fails again, this is a sign that you should replace your storage disk.

Cloud Key (Gen1)

  1. Download the most recent firmware for your device, found here.
  2. Power off the system.
  3. Press and hold the Reset button and then connect it to the power source.
  4. Continue holding the Reset button for 10 seconds, until the LED flashes blue and white.
  5. Open your browser and type the IP address for the Cloud Key.
    1. Note: The IP address comes from your DHCP server. If it has not been assigned an IP address, you can try the fallback: 192.168.1.30.
    2. If your Cloud Key does have an IP address assigned by the DHCP server, the fallback IP will not work.
    3. User Tip: If you don’t know your Cloud Key’s IP address, you can use the arp -a SSH command, or software such as nmap to find the IP address.
  6. You will be taken to the Recovery Mode screen. From here you can reset, reboot, power off and most importantly upload an updated firmware bin file.
  7. Upload the firmware you downloaded in step (1).
  8. Once it is uploaded, reboot the Cloud Key to complete the firmware upgrade.
  9. The LED will flash white while upgrading and turn into a steady white when it is complete.

Cameras

  1. Unplug the PoE cable from the camera.
  2. Press and hold the Reset button, then reconnect the camera to its PoE cable.
  3. Continue holding the Reset button for at least 10 seconds, or until you see the LED flash 3 times rapidly.
  4. Release the Reset button.
  5. The device will automatically reboot to an older firmware. 
  6. To update to more recent firmware:
    1. Find your specific camera model at our Downloads page using the left hand menu.
    2. Copy the .bin file link of the firmware.
    3. Use that link to upload it via the webUI of the camera, in System Settings.
      1. Alternatively, adopt the camera to your NVR to perform an upgrade via the NVR-hosted UniFi Video user interface.

USW Flex Mini

  1. Prepare a web server (see below*).
  2. Set the server/computer’s IP to a static 192.168.1.99.
    1. The method to set a static IP on a computer varies from platform to platform. Find instructions in your product’s documentation (Windows, macOS or Ubuntu/Linux).
  3. Download the most recent firmware for your device, found here.
  4. Rename the binary to fwupdate.bin and place it in the directory that was created earlier (webserver).
  5. Power off the switch by unplugging it from its power source.
  6. Press and hold the Reset button and then connect it to the power source.
  7. Continue holding the Reset button for 10 seconds, until the LED flashes blue, white, off.
  8. The USW-Flex-Mini should be updated.

* The first step in the recovery process is to prepare a web server. See below for a walkthrough on your operating system: Windows, macOS and Ubuntu/Debian. 

Prepare a Web Server on Windows

  1. Download Python for Windows (Executable Installer) here.
  2. Open the downloaded file and make sure you select Add Python x.x to PATH during installation.
  3. After the Python installation open Command Prompt as Administrator and confirm that Python is installed correctly with the command below:
    python -V
  4. Create a directory for the web server by running the commands below:
    mkdir c:\webserver
    cd c:\webserver
  5. Start the Python web server on port 80. Note that the version of Python can be found with the command from step 3:
    1. Python 3.x:
      python -m http.server 80
    2. Python 2.x:
      python -m SimpleHTTPServer 80

Prepare a Web Server on macOS

  1. Download Python for macOS here.
  2. After the Python installation open Terminal and confirm that Python is installed correctly with the command below:
    python -V
  3. Create a directory for the web server by running the commands below:
    cd ~
    mkdir webserver
    cd webserver
  4. Start the Python web server on port 80. Note that the version of Python can be found with the command from step 2:
    1. Python 3.x:
      python -m http.server 80
    2. Python 2.x:
      python -m SimpleHTTPServer 80

Prepare a Web Server on Ubuntu/Debian

  1. Install Python on your machine with the commands below:
    sudo apt-get update && sudo apt-get install python3
  2. After the Python installation open a terminal and confirm that Python is installed correctly with the command below:
    python_version=$(dpkg -l | grep "^ii" | awk '/python/{print $2}' | grep -E '^python[0-9]\.[0-9]+$' | head -n1)
    sudo "${python_version}" -V
  3. Create a directory for the web server by running the commands below:
    cd ~
    mkdir webserver
    cd webserver
  4. Start the Python web server on port 80. Note that the version of Python can be found with the command from step 2:
    1. Python 3.x:
      sudo "${python_version}" -m http.server 80
    2. Python 2.x:
      sudo "${python_version}" -m SimpleHTTPServer 80

Source :
https://help.ui.com/hc/en-us/articles/360043360253-UniFi-Recovery-Mode

Ubiquiti Self-Hosted UniFi Network Server as a Windows Service (Advanced)

Updated on 5 May 2023

Running the UniFi Network application on Windows operating systems can be done using two methods:

  • Launcher – UniFi Network application runs in the foreground (default).
  • Windows Service – UniFi Network application runs in the background (advanced).

NOTES & REQUIREMENTS:

  • Applicable to the latest UniFi Network application versions for Windows.
  • This article applies to UniFi applications that are installed on Windows Desktop (Windows 10 / 11) and not Windows Server versions.
  • Make sure to allow the ports used by the UniFi application through the Windows Firewall. See the UniFi Network – Required Ports Reference article for more information. 

Setting up a new UniFi Network application as a service

ATTENTION:

  • The latest versions of the UniFi Network application (7.3) require Java 11.
  • Previous versions (7.2) use Java 8.
  • Install only the x64 Java release and only one version of Java.

1. If a previous UniFi Network application is running on the system, download a backup file and then close the launcher.

2. Download the latest UniFi Network application from the Download page and run the setup.

3. You will be prompted to install Java 11. Select the following options and download the x64 .msi file for Windows:

  • Package Type: JRE
  • Version: 11

CRITICAL:

  • If the JAVA_HOME variable is not set correctly, the service installation will not be successful.
  • If you are experiencing issues with the Java 11 installer or the variable, then remove the other/older Java versions that are present on the system.

4. Run the installer, and set the Set JAVA_HOME variable option to Will be installed on local hard drive.

CLI: Open an administrative Windows Command Prompt (CMD) window.

5. Change the directory to the location of UniFi installation.

cd "%UserProfile%\Ubiquiti UniFi\"

6. Once in the root of the UniFi folder, run the following command to install the service:

java -jar lib\ace.jar installsvc

7. Wait for the installation to complete, indicated by the Complete Installation log message.

8. Start the service with the command below: 

java -jar lib\ace.jar startsvc

9. Open a browser and navigate to the application’s IP address or https://localhost:8443.

Upgrading an existing UniFi Network application as a service

1. Download a backup file of the UniFi Network application. 

CLI: Open an administrative Windows Command Prompt (CMD) window.

2. Change the directory to the location of UniFi installation.

cd "%UserProfile%\Ubiquiti UniFi\"

3. Once in the root of the UniFi folder, issue the following to uninstall the service:

java -jar lib\ace.jar uninstallsvc

4. Wait for the service uninstall process to complete. 

5. Follow steps 2 to 9 from the section above.

Source :
https://help.ui.com/hc/en-us/articles/205144550-Self-Hosted-UniFi-Network-Server-as-a-Windows-Service-Advanced-

Ubiquiti UniFi – Explaining the system.properties File

Updated on 2 May 2023

Note that this article is only applicable to advanced users with the self-hosted UniFi Network Servers installed on a Windows/macOS/Linux machine. We generally recommend using a UniFi OS Host for the best experience. Visit UI.com to learn more.

This article describes what the system.properties file is used for, and how to edit it.

Introduction

The system.properties file defines system-wide parameters for the UniFi Network Server. It is found within <unifi_base> in the data folder. Some advanced use-cases include:

  • Manual override of the Application IP Interface (the address to which Devices send inform packets).
  • Advanced Database adjustments.
  • Port Assignments, for purposes of the UniFi Network application communicating with Managed Devices, redirecting Guest Portal traffic, etc.

WARNING: Before editing the file, remember to create a backup of your system. It is also necessary to stop the application before performing any change in the file to avoid errors after changes are made.

The system.properties file can be edited directly via any text editor. Keep in mind that lines preceded by hash-tags (#) exist as comments and are non-operational. Make edits at the bottom of the file. After changing this file, you’ll need to manually trigger provisioning on each site in order to make these effective.

Note: The file is created when UniFi Network runs successfully. If you cannot find the file within the <unifi_base>, create it by running UniFi Network.

Manually Specify the IP Interface for UniFi Network Application Communication

If a UniFi Host has multiple IP interfaces, the following configuration can manually set the exact IP interface that adopted APs should use to communicate with the Network application:

# the IP devices should be talking to for inform
system_ip=a.b.c.d

Advanced Database Configuration

Below are advanced database configurations that most users will never need. Note: We do not perform tests on these configurations; they are enabled for the convenience of database experts. One possible usage scenario is where a few people run their application on a NAS, which has a smaller footprint than a normal server, hence there’s a need to reduce the required resources.

# disable mongodb journaling
unifi.db.nojournal=false
# extra mongod args
unifi.db.extraargs

The configuration below is used to facilitate UniFi Network application installation. Again, most users will never need to set this. When is_default is set to true, the application will start with factory default configuration. For normal, everyday users, an uninstallation and then fresh re-installation is recommended over this.

is_default=true

From the UniFi Network application you can configure the auto-backup frequency, number of backups to store, time of backup, etc. At the time of writing this, you cannot change the storage location via the application. We do have a variable in the system.properties if you wish to change the storage location. Currently, the default points to:

1. For Cloud Key: /data/autobackup (where SD card is mounted as /data by default)
2. For software installs: {data.dir}/backup/autobackup

autobackup.dir=/some/path

HSTS can be enabled, but should only be done by advanced system administrators who are familiar with it. If you run into issues, you likely will need to clear your browser’s cache after disabling this and restarting the service. To enable HSTS support add the following:

unifi.https.hsts=true
unifi.https.hsts.max_age=31536000
unifi.https.hsts.preload=false
unifi.https.hsts.subdomain=false

NOTE: Currently no characters after the custom line(s) are allowed. This includes spaces, pound/sharp signs/comments, etc.

SMTP Related Settings

By default, SMTPS validates certificates and will reject self-signed or untrusted certificates. If your mail server uses an untrusted certificate, you must disable certificate verification with the following:

smtp.checkserveridentity=false

Starting with UniFi Network version 6.1, STARTTLS is opportunistically enabled by default; i.e., it will be used if the server announces support for it, and it will require a trusted certificate. If using a self-signed or untrusted certificate, you must disable STARTTLS by setting the following:

smtp.starttls_enabled=false

This only controls whether STARTTLS will be used if the server supports it. To force its use, see: starttls_required.

With UniFi Network version 6.1 and newer, STARTTLS is opportunistically enabled by default, but only required if using port 587. This behavior can be overridden by setting smtp.starttls_required=true to force the use of STARTTLS on ports other than 587, or to make STARTTLS optional on port 587, set it to false.

If smtp.starttls_enabled=false is set, the starttls_required value has no impact.
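One way to check a system.properties file against the SMTP rules above and the earlier NOTE about trailing characters, as an added example that is not Ubiquiti's code. The function names, the '#' heuristic and the fallback for unrecognised values are assumptions of this example, and the sample file is constructed.

```python
# Added example, not Ubiquiti code; names and the '#' heuristic are this example's own.

def parse_properties(text):
    """Return ({key: intended value}, [findings]) for key=value lines."""
    props, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or whole-line comment
        key, sep, value = line.partition("=")
        if not sep:
            findings.append(f"line {n}: not a key=value entry")
            continue
        # Article's NOTE: nothing may follow the value (spaces, '#', comments).
        if value != value.rstrip() or "#" in value:
            findings.append(f"line {n}: trailing characters after {key.strip()}")
        props[key.strip()] = value.split("#")[0].strip()
    return props, findings

def setting(props, key, default):
    """Boolean view of a property; anything but true/false falls back to the default."""
    return {"true": True, "false": False}.get(props.get(key, "").lower(), default)

def starttls_policy(props, port):
    """Effective STARTTLS behaviour on `port`, using the 6.1+ defaults from the article."""
    if not setting(props, "smtp.starttls_enabled", True):
        return "disabled"  # starttls_required has no impact in this case
    required = setting(props, "smtp.starttls_required", port == 587)
    return "required" if required else "opportunistic"

def audit(text, port):
    """Return (policy, findings) for one system.properties text and SMTP port."""
    props, findings = parse_properties(text)
    if not setting(props, "smtp.checkserveridentity", True):
        findings.append("smtp.checkserveridentity=false: certificate verification is off")
    policy = starttls_policy(props, port)
    if policy == "disabled":
        findings.append(f"STARTTLS will not be used on port {port}")
        if "smtp.starttls_required" in props:
            findings.append("smtp.starttls_required is set but has no impact")
    elif policy == "opportunistic":
        findings.append(f"STARTTLS on port {port} is used only if the server announces it")
    return policy, findings

SAMPLE = "\n".join([  # constructed sample; the first entry ends in a space
    "unifi.https.hsts.subdomain=false ", "smtp.checkserveridentity=false",
    "smtp.starttls_enabled=false", "smtp.starttls_required=true"])

if __name__ == "__main__":
    print(audit(SAMPLE, 587))
```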

Source :
https://help.ui.com/hc/en-us/articles/205202580-UniFi-Explaining-the-system-properties-File

Ubiquiti UniFi – Tuning the Network Application for a High Number of UniFi Devices

Updated on 4 May 2023

This article only applies to advanced users running UniFi on their own Windows/macOS/Linux machine, to help diagnose and optimize self-hosted UniFi Network Servers running under a high load. We generally recommend using a UniFi OS Host for the best experience. Visit UI.com to learn more.

Notes & Requirements:

  • Ensure you are running the latest version of UniFi Network, found here.
  • This article describes advanced configuration options and should only be attempted by advanced users.
  • Create a backup prior to following the instructions in this article. See UniFi – Backups and Migration for more information.

Caution must be taken when self-hosting a UniFi Network Server if there are hundreds of UniFi devices connected across multiple sites. This increased system load may lead to performance degradation if certain things are not optimized.

Symptom: High CPU Usage

One of the most important metrics to monitor is the CPU usage of the UniFi Host. High CPU usage is the first indication that there is an issue. Unfortunately there is no easy fix for this, and merely increasing the CPU is not always the answer.

Allocating Additional Memory

Before increasing the RAM allocation on your machine, first try increasing the `XMX` and `XMS` options. By default, the UniFi Network application has these set to 1GB. The following lines set xmx and xms to 2GB (2048MB):

unifi.xmx=2048
unifi.xms=2048

The changes above would increase the memory that the UniFi Network application is allowed to consume from 1 to 2GB. Before moving to a machine with more CPU resources, it is recommended to max out the available memory on that machine with the above settings to see if CPU usage decreases.

If 2GB is not sufficient, administrators may want to raise the limit to 4, 8, 16, or even 32GB depending on the scale. In this case, simply increase the value above in increments of 1024, i.e. 4GB = 4096.

Note: The jstat -gcutil Java command can be used to check whether the memory allocation is sufficient on your machine. See the Oracle documentation for more information.

Increase Mongo WiredTiger Engine Cache

If you already increased the UniFi Network application memory settings to at least 4GB (xmx), you may need to also change the default Mongo WiredTiger engine cache. By default the UniFi Network Application uses:

db.mongo.wt.cache_size=256

On UniFi Network version 6.5.13 and above you can change this setting or let Mongo pick the default value by using:

db.mongo.wt.cache_size_default=true

For more information please refer to Mongo documentation.

Enabling High Performance Java Garbage Collector

If increasing memory does not solve the problem, administrators may consider also adding this line to the system.properties file:

unifi.G1GC.enabled=true

This enables a new Java Garbage Collector that can help optimize performance. However, if high CPU usage continues after these changes and the memory increase, a larger machine with more CPU cores and more memory may be necessary to handle the workload.

Changing Mongo Version/Engine

In persistent cases, administrators may consider updating MongoDB version to 3.2+ with WiredTiger as storage engine, as a means of better scaling their UniFi Network deployment. See the following links for instructions:

Symptom: Heartbeat Missed or Slow to Provision

All devices work by communicating to UniFi Network. These regular inform messages are referred to as “heartbeats”. By default, the application can handle 200 simultaneous device connections so heartbeats shouldn’t be missed unless thousands of devices are being managed. The number of simultaneous inform messages that can be processed can be set in the system.properties file by adding the following lines and adjusting the values to best suit your needs. It does not matter where these lines are added in the file.

inform.num_thread=200
inform.max_keep_alive_requests=100

The default value is 200 and the max_keep_alive_requests value should always be lower than num_thread. Try adjusting up from there. An increase in device stability should be seen, and stability should improve further as the configuration is pushed out to other devices.

Database Connection Tuning

When running a large UniFi installation, it may be desirable to run an external Mongo cluster so that the database can be scaled independently from the UniFi Network application. Discussion on that can be found here on our Community Beta forum. If high CPU usage is seen on the Mongo process, it can indicate the need for a bigger box or the need to separate the mongodb process as mentioned above. Once that is done, the following can be tuned to see if it results in better application performance:

db.mongo.connections_per_host=100
db.mongo.threads_multiplier=5

This results in 500 threads that can be waiting for a Mongo connection. So keep in mind that more threads can mean higher CPU usage because the CPU has to context-switch between threads. It may allow for higher DB throughput, but only if the Mongo process is able to consume more CPU to serve requests faster. 

Source :
https://help.ui.com/hc/en-us/articles/115005159588-UniFi-Tuning-the-Network-Application-for-a-High-Number-of-UniFi-Devices