Clik here to view.
Palo Alto: Instant Commit
Finally! With PAN-OS 11.0 Palo Alto Networks introduced an “instant commit”. That is: You no longer have to commit (and wait and wait and wait) until your changes are live, but everything you do is...
View ArticleClik here to view.
Stateful DHCPv6 Capture (along with Relaying)
For my IPv6 training classes, I was missing a capture of a stateful DHCPv6 address assignment. That is: M-flag within the RA, followed by DHCPv6 messages handing out an IPv6 address among others....
View ArticleClik here to view.
Palo Alto NGFW: Handling of IPv6 on the Interface
For the last few years, I have been confused about Palo Alto NGFWs’ various options for configuring an IPv6 address on a layer 3 interface. Let’s have a look at some details: I’m using a PA-220 with...
View ArticleClik here to view.
Minor Palo Bug: ICMPv6 Errors sourced from Unspecified Address
During my IPv6 classes, I discovered a (minor) bug at the NGFW from Palo Alto Networks: ICMPv6 error messages, such as “time exceeded” (type 3) as a reply of traceroute, or “destination unreachable”...
View ArticleClik here to view.
DHCPv6 Prefix Delegation on Palo Alto’s NGFW
Finally! With PAN-OS 11.0 a long missing IPv6 feature was introduced: DHCPv6-PD aka prefix delegation. For the first time, we can now operate a PAN-OS firewall directly on the Internet (the...
View ArticleClik here to view.
How to install Palo Alto’s PAN-OS on a FortiGate
It happens occasionally that a customer has to choose between a Palo and a Forti. While I would always favour the Palo for good reasons, I can understand that the Forti is chosen for cost savings, for...
View ArticleClik here to view.
Palo’s Mgmt-Intf is not usable with IPv6 anymore
Wow, that was unexpected: With PAN-OS 11.1 the out-of-band management interface of Palo Alto Networks firewalls doesn’t accept an IPv6 default route pointing to one of its own data interfaces anymore....
View ArticleClik here to view.
Dynamic DNS on a Palo
With PAN-OS 9.0 (quite some time ago), Palo Alto Networks has added Dynamic DNS for a firewall’s interfaces. That is: If your Internet-facing WAN interface gets a dynamic IP address via DHCP or PPPoE...
View ArticleClik here to view.
Misusing Palo’s Captive Portal as a Guest Wi-Fi Welcome Page
I was faced with an interesting customer requirement: An existing guest Wi-Fi should be prefaced with a welcome page for accepting the terms and conditions. Since there was already a Palo Alto Networks...
View ArticleClik here to view.
BGP Route Filtering with Palo’s Advanced Routing Engine (ARE)
With PAN-OS 11.1, Palo Alto Networks has introduced the “Advanced Routing Engine” (ARE) with its “Logical Routers” (LR) rather than the legacy “Virtual Routers” (VR). The Advanced Routing Engine...
View ArticleClik here to view.
PANW: Dynamic Routing between Logical Routers
How to route traffic between multiple logical routers aka Inter-LR Routing on a Palo Alto Networks Strata firewall? More precisely, inclusive route redistribution rather than a few static routes. –>...
View ArticleClik here to view.
Getting started with the APIs from Palo Alto Ntwks
You can talk to firewalls and Panorama from Palo Alto Networks in various ways. The well-known GUI (which I really love, by the way) and the CLI are quite common at first glance. Nearly everyone using...
View ArticleClik here to view.
Dual-Stack PPPoE on a Palo Alto Firewall
If you want to establish an Internet connection (that is: IPv6 and IPv4) right away from your firewall through xDSL connections, you need quite some technologies: PPPoE and PPPoEv6 (PPP IPV6CP) along...
View ArticleClik here to view.
Which KPIs to monitor on a Palo Alto Firewall?
We wanted to monitor some of our Palo firewalls from our monitoring system via the API. But: Which enhanced metrics/KPIs shall we monitor? While there are some obvious ones such as interface counters,...
View ArticleClik here to view.
Palo Alto Networks Announces Strategic Shift to Apparel Manufacturing
Palo Alto Networks, a global leader in cybersecurity solutions, has announced a significant strategic shift. The company will transition from its core cybersecurity business to exclusively focus on...
View Article