Quantcast
Channel: Palo Alto Networks – Weberblog.net
Viewing all 88 articles
Browse latest View live

Palo Alto Aggregate Interface w/ LACP

June 8, 2017, 10:45 pm
$
0
0
Since PAN-OS version 6.1 the Palo Alto Networks firewall supports LACP, the Link Aggregation Control Protocol which bundles physical links to a logical channel. Palo Alto calls it “Aggregate Interface Group” while Cisco calls it EtherChannel or Channel Group. I configured LACP for two ports connected from a Palo Alto firewall to a Cisco switch. … Continue reading Palo Alto Aggregate Interface w/ LACP
Search

Palo vs. Forti: Blog Stats

June 16, 2017, 12:12 am
$
0
0
I want to talk about a fun fact concerning my blog statistics: Since a few years I have some “CLI troubleshooting commands” posts on my blog – one for the Palo Alto Networks firewall and another for the FortiGate firewall from Fortinet. If you are searching on Google for something like “palo alto cli commands” … Continue reading Palo vs. Forti: Blog Stats

PAN NGFW IPv6 NDP RA RDNSS & DNSSL

August 23, 2017, 12:33 am
$
0
0
Haha, do you like acronyms as much as I do? This article is about the feature from Palo Alto Networks’ Next-Generation Firewall for Internet Protocol version 6 Neighbor Discovery Protocol Router Advertisements with Recursive Domain Name System Server and Domain Name System Search List options. ;) I am showing how to use it and how … Continue reading PAN NGFW IPv6 NDP RA RDNSS & DNSSL

Palo Alto NDP Monitoring

August 30, 2017, 12:35 am
$
0
0
With PAN-OS version 8.0 Palo Alto Networks introduced another IPv6 feature, namely “NDP Monitoring for Fast Device Location“. It basically adds a few information to the existing neighbor cache such as the User-ID (if present) and a “last reported” timestamp. That is: the admin has a new reporting window within the Palo Alto GUI that … Continue reading Palo Alto NDP Monitoring

IPv6 IPsec VPN Tunnel Palo Alto FortiGate

September 11, 2017, 6:11 am
$
0
0
Towards the global IPv6-only strategy ;) VPN tunnels will be used over IPv6, too. I configured a static IPsec site-to-site VPN between a Palo Alto Networks and a Fortinet FortiGate firewall via IPv6 only. I am using it for tunneling both Internet Protocols: IPv6 and legacy IP. While it was quite easy to bring the … Continue reading IPv6 IPsec VPN Tunnel Palo Alto <-> FortiGate

IKEv2 IPsec VPN Tunnel Palo Alto FortiGate

September 20, 2017, 9:39 pm
$
0
0
And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6 but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for this already configured VPN connection between the two different firewall vendors. Hence I am only showing the … Continue reading IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

Generating SSHFP Records Remotely

February 8, 2018, 12:41 am
$
0
0
Until now I generated all SSHFP resource records on the SSH destination server itself via [crayon-5a87bab4cb5b0474928525-i/]. This is quite easy when you already have an SSH connection to a standard Linux system. But when connecting to third party products such as routers, firewalls, whatever appliances, you don’t have this option. Hence I searched and found … Continue reading Generating SSHFP Records Remotely

Palo Alto FQDN Objects

September 13, 2016, 1:27 am
$
0
0
While I tested the FQDN objects with a Palo Alto Networks firewall, I ran into some strange behaviours which I could not reproduce, but have documented them. I furthermore tested the usage of FQDN objects with more than 32 IP addresses, which are the maximum that are supported due to the official Palo Alto documentation. … Continue reading Palo Alto FQDN Objects
Search

Palo Alto DNS Proxy Rule for Reverse DNS

September 20, 2016, 3:31 am
$
0
0
I am using the DNS Proxy on a Palo Alto Networks firewall for some user subnets. Beside the default/primary DNS server it can be configured with proxy rules (sometimes called conditional forwarding) which I am using for reverse DNS lookups, i.e., PTR records, that are answered by a BIND DNS server. While it is easy … Continue reading Palo Alto DNS Proxy Rule for Reverse DNS

Palo Alto Application: First Packets Will Pass!

June 7, 2018, 8:59 am
$
0
0
I am using an almost hidden FTP server in my DMZ behind a Palo Alto Networks firewall. FTP is only allowed from a few static IP addresses, hence no brute-force attacks on my server. Furthermore, I have an “allow ping and traceroute from any to DMZ” policy since ping is no security flaw but really … Continue reading Palo Alto Application: First Packets Will Pass!

Notes regarding Palo Alto HA2 Session Sync

June 13, 2018, 8:57 am
$
0
0
Just a quick note concerning the session sync on a Palo Alto Networks firewall cluster: Don’t trust the green HA2 bubble on the HA widget since it is always “Up” as long as the HA interface is up. It does NOT indicate whether the session sync is working or not. You MUST verify the session … Continue reading Notes regarding Palo Alto HA2 Session Sync

Palo Alto policy-deny though Action allow

June 18, 2018, 1:16 pm
$
0
0
I came across some strange behaviors on a Palo Alto Networks firewall: Certain TLS connections with TLS inspection enabled did not work. Looking at the traffic log the connections revealed an Action of “allow” but of Type “deny” with Session End Reason of “policy-deny”. What? During troubleshooting I found the following facts. (Capturing on a … Continue reading Palo Alto policy-deny though Action allow

File Blocking Shootout – Palo Alto vs. Fortinet

June 27, 2018, 10:35 am
$
0
0
We needed to configure the Internet-facing firewall for a customer to block encrypted files such as protected PDF, ZIP, or Microsoft Office documents. We tested it with two next-generation firewalls, namely Fortinet FortiGate and Palo Alto Networks. The experiences were quite different… Note that the Internet connection must be either unencrypted itself, i.e., HTTP or … Continue reading File Blocking Shootout – Palo Alto vs. Fortinet

Route- vs. Policy-Based VPN Tunnels

July 10, 2018, 4:41 am
$
0
0
There are two methods of site-to-site VPN tunnels: route-based and policy-based. While some of you may already be familiar with this, some may have never heard of it. Some firewalls only implement one of these types, so you probably don’t have a chance to configure the other one anyway. Too bad since route-based VPNs have … Continue reading Route- vs. Policy-Based VPN Tunnels

Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet

September 24, 2018, 12:17 pm
$
0
0
While playing around in my lab learning BGP I configured iBGP with Multiprotocol Extensions (exchanging routing information for IPv6 and legacy IP) between two Cisco routers, a Palo Alto Networks firewall, and a Fortinet FortiGate firewall. Following are all configuration steps from their GUI (Palo) as well as their CLIs (Cisco, Fortinet). It’s just a … Continue reading Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet
Search

MP-BGP Capture

October 3, 2018, 7:00 am
$
0
0
For those who are interested in analyzing basic BGP messages: I have a trace file for you. ;) It consists of two session establishments as I cleared the complete BGP session on two involved routers for it. Refer to my previous blogpost for details about the lab, that is: MP-BGP with IPv6 and legacy IP, … Continue reading MP-BGP Capture

Trying to change an IPv6 Link-Local Address on a FortiGate

November 29, 2018, 9:49 pm
$
0
0

I got an email where someone asked whether I know how to change the link-local IPv6 addresses on a FortiGate similar to any other network/firewall devices. He could not find anything about this on the Fortinet documentation nor on Google.

Well, I could not find anything either. What’s up? It’s not new to me that you cannot really configure IPv6 on the FortiGate GUI, but even on the CLI I couldn’t find anything about changing this link-local IPv6 address from the default EUI-64 based one to a manually assigned one. Hence I opened a ticket at Fortinet. It turned out that you cannot *change* this address at all, but that you must *add* another LL address which will be used for the router advertisements (RA) after a reboot (!) of the firewall. Stupid design!

Again and again and again I am not happy at all with the IPv6 implementation on the FortiGates. Too many bugs and features missing, while everything is too complicated to configure. (Have a look at my Fortinet feature requests.) For the following tests I used a FortiGate FG-90D with firmware v5.6.5 build1600 (GA).

Before (Default Behaviour)

Before I touched the config the state of IPv6 was the following. Have a look at the “fg-trust” interface with its link-local address in line 12:

fg # diagnose ipv6 address list
dev=31 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=29 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=28 devname=fg-server flag=P scope=0 prefix=64 addr=2003:de:2016:220::1
dev=27 devname=fg-trust2 flag=P scope=0 prefix=64 addr=2003:de:2016:211::1
dev=26 devname=fg-trust flag=P scope=0 prefix=64 addr=2003:de:2016:210::1
dev=24 devname=root flag=P scope=254 prefix=128 addr=::1
dev=5 devname=wan1 flag=P scope=0 prefix=64 addr=2003:de:2016::2
dev=6 devname=wan2 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:8360
dev=28 devname=fg-server flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=27 devname=fg-trust2 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=26 devname=fg-trust flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=5 devname=wan1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835f

The configuration at this point was:

config system interface
    edit "fg-trust"
        set vdom "root"
        set ip 192.168.210.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
        set snmp-index 5
        config ipv6
            set ip6-address 2003:de:2016:210::1/64
            set ip6-allowaccess ping https ssh
            set ip6-send-adv enable
            config ip6-prefix-list
                edit 2003:de:2016:210::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
        set interface "internal1"
        set vlanid 210
    next
end

And a Linux machine got the following routing table, in which the default route had a gateway of 

fe80::a5b:eff:fea1:835e
:
weberjoh@jw-vm05-Ubuntu-Test-3:~$ ip -6 r s
2003:de:2016:210::/64 dev ens32  proto kernel  metric 256  expires 2591699sec pref medium
fe80::/64 dev ens32  proto kernel  metric 256  pref medium
default via fe80::a5b:eff:fea1:835e dev ens32  proto ra  metric 1024  expires 1499sec pref medium

 

Configuration of the Link-Local Address

To add a link-local address you need the “config ip6-extra-addr” submenu. I added the quite simple 

fe80::1/64
address to that interface, that is:
config system interface
edit fg-trust
config ipv6
config ip6-extra-addr
edit fe80::1/64
next
end
end
end

Now, in order to have the router advertisements sent from this newly created link-local address, you have to reboot the firewall! Come on Fortinet, you need a complete reboot for this?!? (Note that the support ticket told me to disable the “ip6-send-adv” before adding the LL address, and enabling it again after that. But this was not successful. At this point the RAs were still sent from the old EUI-64 based LL address.) Hence a reboot:

execute reboot

 

After

After this changes and the reboot the added link-local IPv6 was present (line 6):

fg # diagnose ipv6 address list
dev=31 devname=vsys_fgfm flag=P scope=254 prefix=128 addr=::1
dev=29 devname=vsys_ha flag=P scope=254 prefix=128 addr=::1
dev=28 devname=fg-server flag=P scope=0 prefix=64 addr=2003:de:2016:220::1
dev=27 devname=fg-trust2 flag=P scope=0 prefix=64 addr=2003:de:2016:211::1
dev=26 devname=fg-trust flag=SP scope=253 prefix=64 addr=fe80::1
dev=26 devname=fg-trust flag=P scope=0 prefix=64 addr=2003:de:2016:210::1
dev=24 devname=root flag=P scope=254 prefix=128 addr=::1
dev=5 devname=wan1 flag=P scope=0 prefix=64 addr=2003:de:2016::2
dev=6 devname=wan2 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:8360
dev=28 devname=fg-server flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=27 devname=fg-trust2 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=26 devname=fg-trust flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835e
dev=5 devname=wan1 flag=P scope=253 prefix=10 addr=fe80::a5b:eff:fea1:835f

The complete configuration section for this interface looked like this:

config system interface
    edit "fg-trust"
        set vdom "root"
        set ip 192.168.210.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
        set snmp-index 5
        config ipv6
            set ip6-address 2003:de:2016:210::1/64
            set ip6-allowaccess ping https ssh
            config ip6-extra-addr
                edit fe80::1/64
                next
            end
            set ip6-send-adv enable
            config ip6-prefix-list
                edit 2003:de:2016:210::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
        set interface "internal1"
        set vlanid 210
    next
end

And the Linux machine (after a reboot as well) got the correct next hop for its default route:

weberjoh@jw-vm05-Ubuntu-Test-3:~$ ip -6 r s
2003:de:2016:210::/64 dev ens32  proto kernel  metric 256  expires 2591853sec pref medium
fe80::/64 dev ens32  proto kernel  metric 256  pref medium
default via fe80::1 dev ens32  proto ra  metric 1024  expires 1653sec pref medium

Accordingly I could verify that the router advertisements were sent from my added link-local address 

fe80::1
:

Competitors

That’s it. I am not happy with this approach from Fortinet in “changing” the link-local address. On other firewalls such as the Palo Alto Networks firewall you can clearly change the behaviour of the interface ID portion, and it even works without rebooting the firewall:

Cheers.

Featured image “Buy Local” by Mariano Mantel is licensed under CC BY-NC 2.0.

Using Case Sensitive IPv6 Addressing on a Palo Alto

March 31, 2019, 9:45 pm
$
0
0

IPv6 brings us enough addresses until the end of the world. Really? Well… No. There was an interesting talk at RIPE77 called “The Art of Running Out of IPv6 Addresses” by Benedikt Stockebrand that concludes that we will run out of IPv6 addresses some day.

Luckily Palo Alto Networks has already added one feature to expand the IPv6 address space by making them case sensitive. That is: you can now differentiate between upper and lower case values “a..f” and “A..F”. Instead of 16 different hexadecimal values you now have 22 which increases the IPv6 space from 2^{128} to about 2^{142}. Here is how it works on the Palo Alto Networks firewall:

While the original RFC 4291 “IP Version 6 Addressing Architecture” declares IPv6 addresses to be 128 bits long, represented as hexadecimal values from 0..f, the case sensitive addressing scheme has 6 more values, that is:

0123456789 abcdef ABCDEF

This increases the overall IPv6 address space with a factor of 16384. Wow! From 16^{32} = 2^{128} = 3.4 x 10^{38} to 22^{32} = 2^{142} = 5.5 x 10^{42}.

Enable IPv6 Case Sensitive Addressing

Palo Alto Networks has implemented this feature with PAN-OS 8.1.0. I am running a PA-220 with PAN-OS 8.1.6 in my lab. You can enable this feature at Device -> Setup -> Session -> Session Settings -> Enable IPv6 Case Sensitive Addressing:

After that you can commit layer 3 (sub-)interface IPv6 addresses that are only different in their lower/upper case notation of the abcdef/ABCDEF values:

Looking at the routing table via the CLI you can additionally verify this working setup (refer to lines 15-18):

weberjoh@pa> show routing route afi ipv6

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast


VIRTUAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
::/0                                        2001:470:1f0b:1024::1                   10     A S              ethernet1/2
2001:470:1f0b:1024::/64                     2001:470:1f0b:1024::2                   0      A C              ethernet1/2
2001:470:1f0b:1024::2/128                   ::                                      0      A H
2001:470:765b::/64                          2001:470:765b::1                        0      A C              ethernet1/5.224
2001:470:765b::1/128                        ::                                      0      A H
2001:470:765b:abcd::/64                     2001:470:765b:abcd::1                   0      A C              ethernet1/5.6
2001:470:765b:abcd::1/128                   ::                                      0      A H
2001:470:765b:ABCD::/64                     2001:470:765b:ABCD::1                   0      A C              ethernet1/5.7
2001:470:765b:ABCD::1/128                   ::                                      0      A H
total routes shown: 9

However, keep in mind that this will only work if your overall network infrastructure supports this case sensitive IPv6 addressing scheme as well.

Conclusion

Yes, we will run out of IPv6 addresses one day. Since any kind of NAT/NPT solution should be avoided completely, this case sensitivity of IPv6 addresses is a quite good and working approach. Nice to see that Palo Alto Networks has already implemented it.

Featured image “ABC” by Jeremy Brooks is licensed under CC BY-NC 2.0.

Palo Alto Networks NGFW using NTP Authentication

May 21, 2019, 10:34 am
$
0
0

Everyone uses NTP, that’s for sure. But are you using it with authentication on your own stratum 1 servers? You should since this is the only way to provide security against spoofed NTP packets, refer to Why should I run own NTP Servers?. As always, Palo Alto has implemented this security feature in a really easy way, since it requires just a few clicks on the GUI. (Which again is much better than other solutions, e.g., FortiGate, which requires cumbersome CLI commands.) However, monitoring the NTP servers, whether authentication was successful or not, isn’t implemented in a good way. Here we go:

This article is one of many blogposts within this NTP series. Please have a look!

For this post I am using a PA-220 with PAN-OS 8.1.7. I am querying my Raspberry Pi w/ GPS and my Meinberg M200, both delivering NTP authentication [1, 2]. Funnily enough I can only share this single screenshot which shows everything you need to set up NTP authentication. :) It is at Device -> Setup -> Services:

Note that I am using two out of my three NTP servers, of course with different key IDs, because otherwise it wouldn’t work. (Though you actually can configure both NTP servers with the same key ID while using *different* keys, it won’t work. Hence you MUST use two different key IDs for each of them.)

However, though it was fairly easy to configure I am not completely happy about the monitoring of the NTP daemon. The system logs don’t tell that much: (Above the red line I configured my own NTP servers)

while the CLI command 

show ntp
at least reveals a status of “synched“, but not clearly whether the authentication took place:
weberjoh@pa> show ntp

NTP state:
    NTP synched to ntp2.weberlab.de
    NTP server: ntp3.weberlab.de
        status: available
        reachable: yes
        authentication-type: symmetric key
    NTP server: ntp2.weberlab.de
        status: synched
        reachable: yes
        authentication-type: symmetric key

And I haven’t found any more debug logs. Hm.

Ok, so there is still some room for improvements. Likewise the number of NTP servers to configure, which should be 3 rather than 2 in order to spot a falsified timestamp delivered by one NTP server, which isn’t possible with just 2 servers at all.

Featured image “Waves” by Kacper Gunia is licensed under CC BY-NC 2.0.

My IPv6/Routing/Cisco Lab Rack (2019)

June 24, 2019, 2:25 am
$
0
0

My lab rack of 2019 consists of multiple Cisco routers and switches, as well as Juniper ScreenOS firewalls for routing purposes, a Palo Alto Networks firewall, a Juniper SRX firewall, a server for virtualization and some Raspberry Pis. That is: This rack can be used for basic Cisco courses such as CCNA or CCNP, or for even bigger BGP/OSPF or IPsec VPN scenarios since those ScreenOS firewalls are perfect routers as well. Of course, everything is IPv6 capable. Having some PoE-powered Raspberry Pis you can simulate basic client-server connections. A Juniper SA-2500 (aka Pulse Connect Secure) for remote accessing the Lab rounds things up.

I am just writing down a few thoughts on why I have “designed” the rack in that way. It’s basically a reminder for myself. ;)

Let’s have a look at the rack first. I ordered one with wheels for easy transport. Previously the devices were mounted into several 19″ racks in the data center, which was not that movable. ;D Now the rack can be used by any of my colleagues for test purposes. I am using 24 rack units while some are left free for the cables. On the back side, I have two power strips. All power cables disappear in the rack space.

Initial Thoughts

These are the basic ideas about how to use this lab rack. Of course, everything can be changed. Again, a picture is worth a thousand words:

  1. Remote access connection via a Juniper SA-2500 / Pulse Connect Secure VPN gateway.
  2. A simple server aka Raspberry Pi with a webcam in order to get some traffic through the lab. The Pi is PoE powered by a small PoE module (yellow cable from the upper switch, a Cisco C3750G-48PS).
  3. Simulation of an ISP with three routers aka Juniper ScreenOS SSG 140 firewalls capable of BGP. All of them with one 6-port SFP Gigabit PIM module in the back. Oh, they were that expensive those days… No need for them here, but, you know, because I can. ;)
  4. Simple Cisco switch (C3560-24PS-S) in between to be flexible about the port connections.
  5. Simulation of the own backbone routing with four Cisco routers (2x 2851, 2x 2811). Note the very short blue serial cable between the two 2811 routers.
  6. Again a simple Cisco switch (C2960-24TC-L) in between for being flexible.
  7. Palo Alto Networks PA-3050 firewall for separating the internal network from the “Internet”. This device is not licensed, hence I don’t have a current PAN-OS. However, it fits for basic policies and VPN setups. Of course, it is connected via fiber cables. ;)
  8. Internal LAN with three Cisco switches (2x C3750G-48TS, 1x C3750G-48PS with PoE), interconnected with a couple of network cables to play with STP. The last two switches are connected via stacking cables, too.
  9. Simple client aka Raspberry Pi with PoE power (laying above the three switches) used for accessing the upper Pi throughout the complete lab.
  10. A Juniper SRX firewall which can be used as a router-on-a-stick or the like.
  11. Finally an old IronPort M160 aka Dell PowerEdge R200, Intel Pentium Dual CPU E2200 @ 2.20GHz, 4 GiB DDR2 Memory. It can be used for VMware ESXi to use a couple of VMs, or just as a real server.

What’s missing?

  • Serial console server for using all serial ports directly. Currently, you can only use SSH to access those appliances. This does not fit for an initial configuration. ;(
  • Remotely controllable power switches for using the lab completely off-site.

Featured image “Colours and Casks” by Jens Comiotto-Mayer is licensed under CC BY 2.0.

Viewing all 88 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>