Palo Alto Aggregate Interface w/ LACP
Since PAN-OS version 6.1 the Palo Alto Networks firewall supports LACP, the Link Aggregation Control Protocol which bundles physical links to a logical channel. Palo Alto calls it “Aggregate Interface...
Palo vs. Forti: Blog Stats
I want to talk about a fun fact concerning my blog statistics: For a few years now I have had some “CLI troubleshooting commands” posts on my blog – one for the Palo Alto Networks firewall and another for...
PAN NGFW IPv6 NDP RA RDNSS & DNSSL
Haha, do you like acronyms as much as I do? This article is about the feature from Palo Alto Networks’ Next-Generation Firewall for Internet Protocol version 6 Neighbor Discovery Protocol Router...
Palo Alto NDP Monitoring
With PAN-OS version 8.0 Palo Alto Networks introduced another IPv6 feature, namely “NDP Monitoring for Fast Device Location”. It basically adds some information to the existing neighbor cache such as...
IPv6 IPsec VPN Tunnel Palo Alto FortiGate
Towards the global IPv6-only strategy ;) VPN tunnels will be used over IPv6, too. I configured a static IPsec site-to-site VPN between a Palo Alto Networks and a Fortinet FortiGate firewall via IPv6...
IKEv2 IPsec VPN Tunnel Palo Alto FortiGate
And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6 but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for...
Generating SSHFP Records Remotely
Until now I generated all SSHFP resource records on the SSH destination server itself. This is quite easy when you already have an SSH connection to a standard...
Palo Alto FQDN Objects
While I tested the FQDN objects with a Palo Alto Networks firewall, I ran into some strange behaviours which I could not reproduce but have documented. I furthermore tested the usage of FQDN...
Palo Alto DNS Proxy Rule for Reverse DNS
I am using the DNS Proxy on a Palo Alto Networks firewall for some user subnets. Besides the default/primary DNS server it can be configured with proxy rules (sometimes called conditional forwarding)...
Palo Alto Application: First Packets Will Pass!
I am using an almost hidden FTP server in my DMZ behind a Palo Alto Networks firewall. FTP is only allowed from a few static IP addresses, hence no brute-force attacks on my server. Furthermore, I have...
Notes regarding Palo Alto HA2 Session Sync
Just a quick note concerning the session sync on a Palo Alto Networks firewall cluster: Don’t trust the green HA2 bubble on the HA widget since it is always “Up” as long as the HA interface is up. It...
Palo Alto policy-deny though Action allow
I came across some strange behaviors on a Palo Alto Networks firewall: Certain TLS connections with TLS inspection enabled did not work. Looking at the traffic log the connections revealed an Action of...
File Blocking Shootout – Palo Alto vs. Fortinet
We needed to configure the Internet-facing firewall for a customer to block encrypted files such as protected PDF, ZIP, or Microsoft Office documents. We tested it with two next-generation firewalls,...
Route- vs. Policy-Based VPN Tunnels
There are two methods of site-to-site VPN tunnels: route-based and policy-based. While some of you may already be familiar with this, some may have never heard of it. Some firewalls only implement one...
Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet
While playing around in my lab learning BGP I configured iBGP with Multiprotocol Extensions (exchanging routing information for IPv6 and legacy IP) between two Cisco routers, a Palo Alto Networks...
MP-BGP Capture
For those who are interested in analyzing basic BGP messages: I have a trace file for you. ;) It consists of two session establishments as I cleared the complete BGP session on two involved routers for...
Trying to change an IPv6 Link-Local Address on a FortiGate
I got an email where someone asked whether I know how to change the link-local IPv6 addresses on a FortiGate similar to any other network/firewall devices. He could not find anything about this on the...
Using Case Sensitive IPv6 Addressing on a Palo Alto
IPv6 brings us enough addresses until the end of the world. Really? Well… No. There was an interesting talk at RIPE77 called “The Art of Running Out of IPv6 Addresses” by Benedikt Stockebrand that...
Palo Alto Networks NGFW using NTP Authentication
Everyone uses NTP, that’s for sure. But are you using it with authentication on your own stratum 1 servers? You should since this is the only way to provide security against spoofed NTP packets, refer...
My IPv6/Routing/Cisco Lab Rack (2019)
My lab rack of 2019 consists of multiple Cisco routers and switches, as well as Juniper ScreenOS firewalls for routing purposes, a Palo Alto Networks firewall, a Juniper SRX firewall, a server for...