Channel: Palo Alto Networks – Weberblog.net
Browsing all 88 articles

PAN Blocking Details

One of my readers sent me this question: We have an internal discussion about whether it is possible to block the 3 way handshake TCP but allow the JDBC application protocol. In other words we would...

Workaround for Not Using a Palo Alto with a 6in4 Tunnel

Of course, you should use dual-stack networks for almost everything on the Internet. Or even better: IPv6-only with DNS64/NAT64 and so on. ;) Unfortunately, still not every site has native IPv6...

Palo Alto Networks Feature Requests

This is a list of missing features for the next-generation firewall from Palo Alto Networks from my point of view (though I have not that many compared to other vendors such as Fortinet). Let’s see...

Palo Alto GRE Tunnel

Since PAN-OS version 9.0 you can configure GRE tunnels on a Palo Alto Networks firewall. Greetings from the clouds. As always, this is done solely through the GUI while you can use some CLI commands to...

Route-Based VPN Tunnel Palo Alto Cisco ASA

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a Palo Alto Networks firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based...

Palo Alto Networks Cluster “not synchronized”

For whatever reason, I had a Palo Alto Networks cluster that was not able to sync. A manual sync was not working, nor did a reboot of both devices (sequentially) help. Finally, the PAN support told me...

Palo Alto: User Group Count Exceeds Threshold

We have run into an annoying situation: A hardware-dependent limit of user groups on a Palo Alto Next-Generation Firewall. That is: We cannot use more Active Directory groups at our firewalls. The...

Palo Alto Syslog via TLS

As we have just set up a TLS capable syslog server, let’s configure a Palo Alto Networks firewall to send syslog messages via an encrypted channel. While it was quite straightforward to configure I ran...

PAN: Logging of Packet-Based Attack Protection Events e.g. Spoofed IP

I just had a hard time figuring out that a network routing setup was not working due to a correctly enforced IP Spoofing protection on a Palo Alto Networks firewall. Why was it a hard time? Because I...

Palo Packet Capture: Choosing the Right Filter

Palo Alto firewalls have a nice packet capture feature. It enables you to capture packets as they traverse the firewall. While you might be familiar with the four stages that the Palo can capture...

Linux’ Traceroute

The other day I just wanted to capture some basic Linux traceroutes but ended up troubleshooting different traceroute commands and Wireshark display anomalies. Sigh. Anyway, I just added a few Linux...

Who sends TCP RSTs?

At SharkFest’22 EU, the Annual Wireshark User and Developer Conference, I attended a beginners’ course called “Network Troubleshooting from Scratch”, taught by the great Jasper Bongertz. In the end, we...

RADIUS & TACACS+ PCAP

Again two more commonly used network protocols for the Ultimate PCAP: the Remote Authentication Dial-In User Service (RADIUS) and the Terminal Access Controller Access-Control System Plus (TACACS+)...

Palo Alto: Instant Commit

Finally! With PAN-OS 11.0 Palo Alto Networks introduced an “instant commit”. That is: You no longer have to commit (and wait and wait and wait) until your changes are live, but everything you do is...

Stateful DHCPv6 Capture (along with Relaying)

For my IPv6 training classes, I was missing a capture of a stateful DHCPv6 address assignment. That is: M-flag within the RA, followed by DHCPv6 messages handing out an IPv6 address among others....

Palo Alto NGFW: Handling of IPv6 on the Interface

For the last few years, I have been confused about Palo Alto NGFWs’ various options for configuring an IPv6 address on a layer 3 interface. Let’s have a look at some details: I’m using a PA-220 with...

Minor Palo Bug: ICMPv6 Errors sourced from Unspecified Address

During my IPv6 classes, I discovered a (minor) bug at the NGFW from Palo Alto Networks: ICMPv6 error messages, such as “time exceeded” (type 3) as a reply of traceroute, or “destination unreachable”...

DHCPv6 Prefix Delegation on Palo Alto’s NGFW

Finally! With PAN-OS 11.0 a long missing IPv6 feature was introduced: DHCPv6-PD aka prefix delegation. For the first time, we can now operate a PAN-OS firewall directly on the Internet (the...

How to install Palo Alto’s PAN-OS on a FortiGate

It happens occasionally that a customer has to choose between a Palo and a Forti. While I would always favour the Palo for good reasons, I can understand that the Forti is chosen for cost savings, for...

Palo’s Mgmt-Intf is not usable with IPv6 anymore

Wow, that was unexpected: With PAN-OS 11.1 the out-of-band management interface of Palo Alto Networks firewalls doesn’t accept an IPv6 default route pointing to one of its own data interfaces anymore....
