Palo Alto Networks NGFW “SSL Inbound Inspection” with different Certificate

Certificate, Palo Alto Networks, , , ,

I had a use case where I wanted to use the SSL Inbound Inspection on a Palo, but with a different X.509 certificate than the one on the server itself. That is: the backend server has its self-signed (or internal PKI-signed) certificate along with its hostname, while the decryption policy on the Palo uses a publicly trusted signed certificate for the same hostname. Just like a reverse proxy / load balancer / WAF.

TL;DR: While it would be technically feasible, this configuration is not working. :(

Continue reading Palo Alto Networks NGFW “SSL Inbound Inspection” with different Certificate

Introducing FortiNite: Fortinet’s Low‑Latency Power‑Up for Fortnite

Bandwidth/Delay, Fortinet, , , , ,

After years of customers confusing Fortinet with Fortnite, the two companies finally decided to lean into the chaos. The result: FortiNite — a joint innovation designed to deliver “next‑gen latency acceleration” for Fortnite players worldwide, a groundbreaking collaboration with Epic Games’ Fortnite.

Continue reading Introducing FortiNite: Fortinet’s Low‑Latency Power‑Up for Fortnite

Protocol Independent Multicast (PIM) Capture

Routing, , , , , , , , , , ,

You never stop learning. One topic that hadn’t crossed my path in the past decade is: Multicast. Whew. Alongside all the technical literature, online presentations, and various blog posts, I decided to approach it the classic way – through packet captures. ;)

So here’s a new part of the #UltimatePCAP, which contains quite a bit of PIM traffic, including Hello, Join/Prune, Register (via unicast!), and more. Of course, for IPv6 and legacy IP (IPv4). Let’s have a look:

Continue reading Protocol Independent Multicast (PIM) Capture

Multicast Routing w/ Palo

Palo Alto Networks, Routing, , ,

A rare use case on a Palo (at least from my point of view): Multicast Routing. And it can become as complex as you want. Fortunately, the basics are relatively easy to configure, at least if you have a rough understanding of multicast and routing with PIM and IGMP. (Recommended YouTube session here.) Let’s have a look at the common configuration steps on PAN-OS, the needed security policies to the special destination zone type of “multicast”, as well as some “show” outputs that can be used for troubleshooting:

Continue reading Multicast Routing w/ Palo

Don’t Trust Packet Captures on Firewalls

Packet Capture, , , ,

The other day, I was troubleshooting some network-related stuff, using the built-in Packet Capture on a Palo Alto Networks firewall. And while it did the job at a first glance, I stumbled upon some packets that were simply not correct, read: were not present on the Ethernet cable at all and/or were missing some content.

This proves again what the TAP vendors always claim: Don’t use internal packet captures / SPAN ports at all when you’re really serious about the truth. You MUST use network TAPs!

Continue reading Don’t Trust Packet Captures on Firewalls

OSPFv3 Authentication on a Palo Alto (Logical Router)

Authentication, IPv6, Palo Alto Networks, Routing, , , , , ,

I had a hard time figuring out how to configure OSPFv3 authentication on a Palo Alto Networks NGFW due to its different configuration formats compared to a Cisco router.

TL;DR: The SPI must be set in hexadecimal, while the actual key (40 chars, hexadecimal) must be grouped in 5 sections, separated with hyphens.

Continue reading OSPFv3 Authentication on a Palo Alto (Logical Router)

DNS Tunneling: iodine

DNS/DNSSEC, Security, Tutorial/Howto, , , , , , , , ,

This post guides through a basic DNS tunneling setup with the usage of the appropriate tool “iodine“. It shows how DNS tunneling works and lists the commands needed to run this type of attack. That is, you can tunnel IPv4 packets through this DNS channel via the (internal) recursive DNS resolver! Nice approach. ;)

In the end, I’m pointing out how to block these tunnelling attempts with the DNS appliances from Infoblox, and the firewalls from Palo Alto Networks and Fortinet.

Continue reading DNS Tunneling: iodine

DNS Security @ SharkFest’25 EU

Authentication, Conference Talks, DNS/DNSSEC, Privacy, , , , , , , , ,

I was presenting at the annual “Wireshark Developer and User Conference“, the SharkFest’25 EU, talking about “Securing DNS – Attacks and Defences“. It covered all the buzzwords related to DNS security, such as malware using DNS, DNS spoofing, DNS exfiltration & tunnelling, while defending them with the keywords as DNSSEC, DoH/DoT, feeds & blocklists, and so on.

Quite many techniques. ;) Luckily, the whole session was recorded. So if you’re interested, have a look!

Continue reading DNS Security @ SharkFest’25 EU

DNS Packet Capture: DoT, DoH, DoQ, DoH3

DNS/DNSSEC, Privacy, , , , , , , , , ,

While I was working on my presentation about “Secure DNS” for this year’s SharkFest, the Wireshark Developer and User Conference, I recognised that I’m still missing some DNS-related packet captures in the Ultimate PCAP, that is DNS over TLS and DNS over HTTPS. And while working on it with the DNSDiag toolkit (thanks, Babak!), I came across DNS over QUIC and DNS over HTTP/3. 😂 Here we go:

Continue reading DNS Packet Capture: DoT, DoH, DoQ, DoH3

It was MTU! Zscaler over GRE behind Palo, blocking ICMP Frag Needed

ICMP/ICMPv6, Palo Alto Networks, , , , , , , ,

The other day, I was troubleshooting an issue where users reported that “some websites are working while some are not“. Uh. This is almost the worst scenario to face from a networker’s perspective. It’s way easier if things do or don’t work at all, but not this “some don’t” situation.

The scenario: Using Zscaler for outbound Internet connections, connected via a GRE tunnel from a Palo Alto Networks firewall. TL;DR: If it’s not DNS, it’s MTU. 😂 The “Suppress ICMP Frag Needed” option within the ICMP Drop section of the Zone Protection Profile did what it is meant to do: block “ICMP fragmentation needed” messages. Unfortunately, this killed *some* sessions which had the “Don’t fragment” bit set but exceeded the (lower) MTU of the GRE tunnel.

Continue reading It was MTU! Zscaler over GRE behind Palo, blocking ICMP Frag Needed

Palo vs. PlayStation: How a Security Feature Blocked Our PlayStation Updates

Palo Alto Networks, , , , , ,

For a few weeks, our PlayStation stopped downloading game updates. I figured it was just a temporary issue with the PS4. Since it didn’t affect me directly but only the kids, I didn’t pay much attention at first. I planned to wait for a firmware update from Sony. When such an update eventually came but didn’t solve the issue, I started getting suspicious – especially when I found almost no relevant results online for the official error code, which reads “(HTTP Status Code : 416) (CE-40862-0)”.

After conducting further detailed searches, I finally came across a post in the Palo Alto Networks LIVEcommunity. That definitely caught my attention. If there’s one thing that sets my home network apart from most “normal” households, it’s the fact that I have a Palo Alto firewall running – not your average consumer-grade router. 😂

Continue reading Palo vs. PlayStation: How a Security Feature Blocked Our PlayStation Updates

Redundant VPN with Failover on a Palo NGFW

Internet Access, IPsec/VPN, Palo Alto Networks, Tutorial/Howto, , , , , ,

This goes out to anyone who uses more than one Site-to-Site VPN tunnel between two locations that are secured by firewalls from Palo Alto Networks. Using two (or even more) VPN tunnels, you need an automatic way to failover the traffic flow from one VPN to the other in case of failures. Here’s how to accomplish that requirement:

Continue reading Redundant VPN with Failover on a Palo NGFW