The Network Time Protocol (NTP) is widely used to synchronize computer clocks. The Precision Time Protocol (PTP) can be used as a time source as well, which is expected to be accurate within microseconds. However, at Microsoft Azure VMs, PTP-derived time-of-day errors could exceed 50,000 microseconds, which may be inadequate. Let’s go into some details:
I just got a few emails from an administrator of a medium-sized company, asking some IPv6 questions. They want to use IPv6 to reach the Internet, using two ISPs, while remaining IPv4-only on their internal networks. For whatever reason, they came across three different ideas that were almost completely wrong, speaking of a sound IPv6 design. But why? Maybe because IPv4 thinking is a bigger problem than we ever thought? Or because admins rely on firewall vendors (like Fortinet) that suggest completely wrong network approaches?
Let’s dig into some misconceptions concerning IPv6:
Palo Alto Networks, a global leader in cybersecurity solutions, has announced a significant strategic shift. The company will transition from its core cybersecurity business to exclusively focus on apparel manufacturing.
Continue reading Palo Alto Networks Announces Strategic Shift to Apparel Manufacturing
One of the mysteries for me in IP networks was the Path MTU Discovery (PMTUD) process. I’ve seldom seen any problems with the MTU at all. Fortunately, while troubleshooting some router issues, I captured several ICMP “packet too big” errors along with the original packets. đđ»
Let’s have a look at those PMTUD processes for IPv6 and legacy IP with Wireshark. Of course, these captured connections are part of the Ultimate PCAP as well, hence, you can download the most current version of it and analyze it by yourself.
We wanted to monitor some of our Palo firewalls from our monitoring system via the API. But: Which enhanced metrics/KPIs shall we monitor? While there are some obvious ones such as interface counters, uptime, software versions, license expiry dates, or HA-states, we dug a little deeper to get more out of it, such as mgmt-/data-plane stats, packet rates, drop counters (all global counters?), and routing entries.
Here are some ideas on which values a monitoring system could observe. I’m listing the required API calls along with some demo values that can be used to develop monitoring tools/scripts.
Continue reading Which KPIs to monitor on a Palo Alto Firewall?
You can use a FortiGate to connect to the Internet (that is: Dual-Stack!) directly in various ways. In my current setup, I’m using a PPPoE residential xDLS connection. It’s not that easy to configure everything correctly since it requires the use of many different protocols such as PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. But here it is:
I got DHCPv6-PD aka prefix delegation up and running on a FortiGate. Yes! â Configuring it is tricky since it’s not always clear which options to use. You cannot see everything in the GUI (it even changes depending on other options made later on or selects hidden and wrong default values), hence, you must set specific options via the CLI. I navigated around some bugs and finally got it running. Here we go:
Continue reading DHCPv6 Prefix Delegation on a FortiGate Firewall
If you want to establish an Internet connection (that is: IPv6 and IPv4) right away from your firewall through xDSL connections, you need quite some technologies: PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. Fortunately, with PAN-OS 11.0 and 11.1, those missing IPv6 links were finally added by PANW to their Strata firewalls. (I have been awaiting them since 2015!)
So, here it is: Connecting a Palo through an xDSL modem to a residential ISP:
Wenn man eine Enterprise-Firewall an einem klassischen DSL-Anschluss verwenden möchte, benötigt man ein extra DSL-Modem. Dies unterscheidet sich von Heimkundenroutern wie der Fritzbox, die immer schon ein DSL-Modem mit eingebaut hat. Back to the roots – so wie damals, als man ein Dreiergespann aus Splitter, Modem und Router hatte – kennt ihr es noch? ;)
In meinem Fall wollte ich eine Palo bzw. Forti an einem Telekom VDSL-Anschluss betreiben. Zwei Varianten habe ich getestet: Eine zum Modem degradierte Fritzbox (Bastellösung) und ein reines DSL-Modem aus dem Hause DrayTek. Hier ein paar Notizen und Screenshots:
Kaum ein anderes Element ist so essenziell fĂŒr das Internet wie das Domain Name System. Ruckelts mal im DNS, reagieren Webseiten und ĂŒberhaupt alle Internetanwendungen gleich langsamer oder gar nicht. Doch um Fehlerursachen zu ermitteln und zu beseitigen, brauchen Firmen- und Heim-Admins ein weitreichendes VerstĂ€ndnis der ZusammenhĂ€nge.
This time (2023) at the yearly Wireshark Developer and User Conference in Europe, I gave a talk about DNS. How could it have been any different –> The title simply had to be ‘It’s Always DNS‘. đ
“This session dives deeper into the Domain Name System, covering recursive vs. iterative DNS queries, resource records types, TTL & caching, DNS errors, a little DNSSEC, flags, and of course: Wireshark with its useful display filters, custom columns, colouring rules, and so on. And we will explore some other tools to analyze and troubleshoot DNS even further.”
You can watch the whole session and download the slides. And you can do the six challenges at the end of the session as well. (The answers are not in the PDF, but shown in the video.)
We all know the DNS, right? But when we need to troubleshoot it, it’s getting much more complicated than initially thought. DNS â DNS â DNS. And unfortunately: It’s Always DNS.
To get a better understanding of those different kinds of DNS servers (authoritative vs. recursive), DNS messages (recursive, iterative, zone transfer, …) as well as other techniques (conditional forwarding, DoH, …), I draw a poster to have it all at a glance! Here it is:
Die Aufgabenstellung war klar: Eine Wallbox fĂŒrs Eigenheim muss her, schlieĂlich ist das Laden an öffentlichen SĂ€ulen ein Trauerspiel. Aber die Entscheidung, welche Wallbox es sein soll, war dann alles andere als leicht. đ„Ž Welche Kriterien muss eine Wallbox erfĂŒllen? Welche Kriterien gibt es ĂŒberhaupt? 22 kW? PV-Ăberschuss, und wenn ja, wie? Integrierter StromzĂ€hler (MID-konform?) und Authentifzierung per RFID? Dann aber bitte auch getrennte ZĂ€hler pro User. Wie sieht es mit Schnittstellen aus? OCPP, evcc? Und gibt es auch eine (gute!) App?
Uiuiui, das war eine lĂ€ngere Prozedur als ursprĂŒnglich geplant. Viele DuckDuckGo-Recherchen, YouTube-Videos, persönliche Interviews und Testberichte spĂ€ter war meine Shortlist dann zwar kleiner, aber immer noch nicht offensichtlich. Hier fasse ich meine Gedanken mal zusammen und liste meine Tabelle als Entscheidungsgrundlage auf. Möge es euch dienen und weitere Diskussionen entfachen. đ
Seit einem Monat fahre ich erstmalig ein E-Auto. Und ebenso positiv euphorisch bin ich an das Laden an öffentlichen SĂ€ulen herangegangen. Dazu gab es auch allen Grund: Ăberall sieht man solche Stationen aus dem Boden sprieĂen und auch die Tank-App zeigt einem, wie dicht besiedelt Autodeutschland mit selbigen ist.
Die ErnĂŒchterung folgte prompt: Bei meinen ersten zehn Ladeversuchen haben fĂŒnf nicht geklappt. Fehlerraten = 50 %. Ungelogen! Nahezu jeden erdenklichen Grund habe ich bereits erlebt. Die Daten in den Apps sind falsch, die Ladestationen dann doch nicht einsatzfĂ€hig oder belegt, wenn ĂŒberhaupt die Ladekarte klappt oder die SĂ€ule reagiert. Uff.
Hier ein ehrlicher Bericht. Und fĂŒr mich eine Verarbeitung der Erlebnisse. đ
Continue reading Laden an öffentlichen SÀulen: Ein Trauerspiel!
What happens on the network if you’re joining a Microsoft Active Directory domain? Which protocols are used? As I suspected, it’s a bit more complex than just seeing a single known protocol like HTTPS. ;)
Since a PCAP is worth a thousand words, I captured the process of a Windows PC joining an AD. Let’s have a look at it with Wireshark and NetworkMiner. And, as always, you’re welcome to download the packet capture to analyse it by yourself.
Continue reading Joining an Active Directory: A Packet Capture