Channel: Palo Alto Networks – Weberblog.net
Browsing all 88 articles

Policy Based Forwarding (PBF) on a Palo Alto Firewall

This is a small example on how to configure policy based forwarding (PBF) on a Palo Alto Networks firewall. The use case was to route all user generated http and https traffic through a cheap ADSL...

Palo Alto GlobalProtect for Linux with vpnc

This is a tutorial on how to configure the GlobalProtect Gateway on a Palo Alto firewall in order to connect to it from a Linux computer with vpnc. Short version: Enable IPsec and X-Auth on the Gateway...

Palo Alto Remote Access VPN for iPhone

I tested the Palo Alto GlobalProtect app on my iPhone, but also the native IPsec Cisco VPN-Client on iOS which connects to the GlobalProtect Gateway on a Palo Alto firewall, too. Since this variant...

Site-to-Site VPNs with Diffie-Hellman Group 14

When talking about VPNs it is almost always clear that they are encrypted. However, it is not so clear on which security level a VPN is established. Since the Perfect Forward Secrecy (PFS) values of...

IPsec Site-to-Site VPN Palo Alto Cisco Router

This time I configured a static S2S VPN between a Palo Alto firewall and a Cisco IOS router. Here comes the tutorial: I am not using a virtual interface (VTI) on the Cisco router in this scenario, but...

IPsec Site-to-Site VPN Palo Alto Cisco Router w/ VTI

One more VPN article. Even one more between a Palo Alto firewall and a Cisco router. But this time I am using a virtual tunnel interface (VTI) on the Cisco router which makes the whole VPN set a...

Palo Alto: Vsys & Shared Gateway – Zones, Policies, and Logs

It was not easy for me to understand the type of zones and “from – to” policy definitions when working with a Palo Alto firewall that has multiple vsys’s and shared gateways. I was missing an...

OSPF for IPv4 Test Lab: Cisco Router & ASA, Juniper SSG & Palo Alto

I tested OSPF for IPv4 in my lab: I configured OSPF inside a single broadcast domain with five devices: 2x Cisco Router, Cisco ASA, Juniper SSG, and Palo Alto PA. It works perfectly though these are a...

Palo Alto blocks SMTP Virus with 541 Response

While preparing for some Palo Alto Networks certifications I read something about the antivirus capabilities of blocking viruses via email by sending an SMTP response code of 541 to the sender (link)....

Common Palo Alto Application Groups

There are a few application groups that I am almost always using at the customer’s site. These are groups for Microsoft Active Directory, file transfer, and print. Furthermore, I am using a group for...

Cisco ASA vs. Palo Alto: Management Goodies

You often have comparisons of both firewalls concerning security components. Of course, a firewall must block attacks, scan for viruses, build VPNs, etc. However, in this post I am discussing the...

MRTG/Routers2: Template Palo Alto

Here is my MRTG/Routers2 configuration for a Palo Alto Networks PA-200 firewall. It uses all available OIDs from the PAN-MIB. With a few search-and-replace runs, this template can be used in many other...

If only one DNS query is malicious …

… the whole Internet breaks down. So happened on a Palo Alto with a DNS proxy and a (slightly misconfigured) anti-spyware profile. All network clients had a single DNS server configured, namely the DNS...

IPsec Site-to-Site VPN Palo Alto FortiGate

This is a small tutorial for configuring a site-to-site IPsec VPN between a Palo Alto and a FortiGate firewall. I am publishing step-by-step screenshots for both firewalls as well as a few...

Minor Palo Alto Bug concerning IPv6 MGT

A few months ago I found a small bug in PANOS, the operating system from Palo Alto Networks. It is related to an IPv6 enabled management interface. The MGT address was not reachable when the firewall...

Palo Alto PANOS 6.1.2: No more SSLv3/POODLE

Another fixed issue in the just released PANOS version 6.1.2 from Palo Alto Networks is bug ID 71321: “Removed support for SSL 3.0 from the GlobalProtect gateway, GlobalProtect portal, and Captive...

Palo Alto: Save & Load Config through CLI

When working with Cisco devices anyone knows that the output of a “show running-config” on one device can be used to completely configure a new device. On a Palo Alto Networks firewall, this is not...

Palo Alto: DNS Proxy for Management Services

The Palo Alto firewall has a feature called DNS Proxy. Normally it is used for data plane interfaces so that clients can use the interfaces of the Palo for its recursive DNS server. Furthermore, this...

Firewall IPv6 Capabilities: Cisco, Forti, Juniper, Palo

Since IPv6 gets more and more important, I am using it by default on all my test firewalls, which of course support IPv6. However, when comparing the different functions and administration...

Palo Alto High Availability Heartbeat

Beside the HA1 and HA2 interfaces on a Palo Alto Networks firewall, there are the HA1/HA2 Backup and Heartbeat Backup options. I was a bit confused while reading the documentation of the high...
