Clik here to view.
Policy Based Forwarding on a Palo Alto with different Virtual Routers
This guide is a little bit different to my other Policy Based Forwarding blog post because it uses different virtual routers for both ISP connections. This is quite common to have a distinct default...
View ArticleClik here to view.
OSPFv3 for IPv6 Lab: Cisco, Fortinet, Juniper, Palo Alto
Similar to my test lab for OSPFv2, I am testing OSPFv3 for IPv6 with the following devices: Cisco ASA, Cisco Router, Fortinet FortiGate, Juniper SSG, and Palo Alto. I am showing my lab network diagram...
View ArticleClik here to view.
Palo Alto Remote Access VPN for Android
For a basic remote access VPN connection to a Palo Alto Networks firewall (called “GlobalProtect”), the built-in VPN feature from Android can be used instead of the GlobalProtect app from Palo Alto...
View ArticleClik here to view.
Tufin SecureTrack: Adding Devices
Since a few weeks I am using Tufin SecureTrack in my lab. A product which analyzes firewall policies about their usage and their changes by administrators (and much more). Therefore, the first step is...
View ArticleClik here to view.
Where to terminate Site-to-Site VPN Tunnels?
When using a multilayer firewall design it is not directly clear on which of these firewalls remote site-to-site VPNs should terminate. What must be considered in such scenarios? Differentiate between...
View ArticleClik here to view.
IPv6 through IPv4 VPN Tunnel with Palo Alto
The most common transition method for IPv6 (that is: how to enable IPv6 on a network that does not have a native IPv6 connection to the Internet) is a “6in4” tunnel. Other tunneling methods such as...
View ArticleClik here to view.
Palo Alto Software Download Failure
I had an error on my PA-200 with PAN-OS 7.0.5 while trying to download a new firmware version. “Error: There is not enough free disk space to complete the desired operation. […]”. Even the tips to...
View ArticleClik here to view.
RIPE Atlas Probe Stats
Since almost two years I am running a RIPE Atlas Probe in my server room. It resides in an own security zone on a Palo Alto firewall (which also powers the probe via its USB port :)). With this post I...
View ArticleClik here to view.
Palo Alto IPv4 vs. IPv6 Performance Speedtests
After I have done some speedtests on the FortiGate firewall I was interested in doing the same tests on a Palo Alto. That is: What are the throughput differences of IPv4 vs. IPv6, measured with and...
View ArticleClik here to view.
Palo Alto VPN Speedtests
Once more some throughput tests, this time the Palo Alto Networks firewalls site-to-site IPsec VPN. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200...
View ArticleClik here to view.
Using NetFlow with nProbe for ntopng
This blog post is about using NetFlow for sending network traffic statistics to an nProbe collector which forwards the flows to the network analyzer ntopng. It refers to my blog post about installing...
View ArticleClik here to view.
Palo Alto FQDN Objects
While I tested the FQDN objects with a Palo Alto Networks firewall, I ran into some strange behaviours which I could not reproduce, but have documented them. I furthermore tested the usage of FQDN...
View ArticleClik here to view.
Palo Alto DNS Proxy Rule for Reverse DNS
I am using the DNS Proxy on a Palo Alto Networks firewall for some user subnets. Beside the default/primary DNS server it can be configured with proxy rules (sometimes called conditional forwarding)...
View ArticleClik here to view.
Detect DNS Spoofing: dnstraceroute
Another great tool from Babak Farrokhi is dnstraceroute. It is part of the DNSDiag toolkit from which I already showed the dnsping feature. With dnstraceroute you can verify whether a DNS request is...
View ArticleClik here to view.
Palo Alto Reporting
I wanted to configure a weekly email report on a Palo Alto Networks firewall. “Yes, no problem”, I thought. Well, it was absolutely not that easy. ;( While the PAN firewalls have a great GUI and a good...
View ArticleClik here to view.
Palo Alto External Dynamic IP Lists
This is a cool and easy to use (security) feature from Palo Alto Networks firewalls: The External Dynamic Lists which can be used with some (free) 3rd party IP lists to block malicious incoming IP...
View ArticleClik here to view.
Palo Alto PBF Problem
I migrated an old Juniper SSG ScreenOS firewall to a Palo Alto Networks firewall. While almost everything worked great with the Palo (of course with much more functionalities) I came across one case in...
View ArticleClik here to view.
IPv6 through IPv4 VPN Tunnel with Palo Alto
The most common transition method for IPv6 (that is: how to enable IPv6 on a network that does not have a native IPv6 connection to the Internet) is a “6in4” tunnel. Other tunneling methods such as...
View ArticleClik here to view.
Palo Alto Software Download Failure
I had an error on my PA-200 with PAN-OS 7.0.5 while trying to download a new firmware version. “Error: There is not enough free disk space to complete the desired operation. […]”. Even the tips to...
View ArticleClik here to view.
Palo Alto LLDP Neighbors
I just configured LLDP, the Link Layer Discovery Protocol, on a Palo Alto Networks firewall. What I really like about those firewalls is the completeness of configuration capabilities while the...
View Article