All posts by Johannes Weber

PQC VPN-Tunnel with Palo

As the advent of practical quantum computing draws closer, security vendors are increasingly introducing post-quantum cryptographic (PQC) algorithms to protect existing security architectures against future threats. One important use case is site-to-site VPN connectivity, where organisations must address the “harvest now, decrypt later” risk – the possibility that encrypted traffic captured today could be decrypted by quantum computers in the future.

To mitigate this threat, Palo Alto Networks has implemented several approaches for quantum-resistant VPN tunnels, including Post-Quantum Preshared Keys (PPK), Key Encapsulation Mechanisms (KEM), and Quantum Key Distribution (QKD). Each method offers a different balance of security, complexity, and operational requirements.

In this blog post, we will examine these approaches in detail, with a particular focus on KEM-based solutions, which are generally considered the preferred path forward. We will also demonstrate how to configure a site-to-site VPN tunnel that combines traditional Diffie-Hellman (DH) key exchange with post-quantum algorithms such as Kyber (standardised by NIST as ML-KEM), providing both classical and quantum-resistant security.

FortiGate Enables NAT for IPv6 by Default 🤦

Fortinet has a misstep in its IPv6 settings: NAT66 is enabled by default for every policy. Not only does this make no technical sense and go against established best practices, but in my view, there’s an even bigger issue at play here:

Given the widespread use of FortiGate devices and the still limited level of IPv6 expertise among many administrators, this default setting risks creating false knowledge. Many admins may come away believing that NAT for IPv6 is just as normal as it is for IPv4 – after all, it’s enabled out of the box. And as with any default, people will quickly get used to it.

In this blog post, I’ll therefore look at a few practical workarounds to move away from this approach as quickly as possible.

Palo Alto Networks NGFW “SSL Inbound Inspection” with different Certificate

I had a use case where I wanted to use the SSL Inbound Inspection on a Palo, but with a different X.509 certificate than the one on the server itself. That is: the backend server has its self-signed (or internal PKI-signed) certificate along with its hostname, while the decryption policy on the Palo uses a publicly trusted signed certificate for the same hostname. Just like a reverse proxy / load balancer / WAF.

TL;DR: While it would be technically feasible, this configuration does not work. :(

Basic IPv6 Messages (v2): Wireshark Captures

In my IPv6 classes, I always teach the basic IPv6 messages as seen on the wire. There’s so much new stuff, such as Router Advertisements, Duplicate Address Detection, Neighbour Solicitations, and so on. Therefore, I use a rather simple packet capture showing the start-up process of a client obtaining its addresses.

For the last 10 years, I have used a capture that I took on a Knoppix Linux along with a German Speedport router, where SLAAC was used to obtain the addresses. However, it turned out that in enterprise-grade networks, stateful DHCPv6 is used more commonly. Hence, I did it again and captured the very first IPv6 messages as seen on an IPv6 node, this time on a Windows 11 PC and a Debian 13 host, along with stateful DHCPv6.

Introducing FortiNite: Fortinet’s Low‑Latency Power‑Up for Fortnite

After years of customers confusing Fortinet with Fortnite, the two companies finally decided to lean into the chaos. The result: FortiNite — a joint innovation designed to deliver “next‑gen latency acceleration” for Fortnite players worldwide, a groundbreaking collaboration with Epic Games’ Fortnite.

Protocol Independent Multicast (PIM) Capture

You never stop learning. One topic that hadn’t crossed my path in the past decade is: Multicast. Whew. Alongside all the technical literature, online presentations, and various blog posts, I decided to approach it the classic way – through packet captures. ;)

So here’s a new part of the #UltimatePCAP, which contains quite a bit of PIM traffic, including Hello, Join/Prune, Register (via unicast!), and more. Of course, for IPv6 and legacy IP (IPv4). Let’s have a look:

Multicast Routing w/ Palo

A rare use case on a Palo (at least from my point of view): Multicast Routing. And it can become as complex as you want. Fortunately, the basics are relatively easy to configure, at least if you have a rough understanding of multicast and routing with PIM and IGMP. (Recommended YouTube session here.) Let’s have a look at the common configuration steps on PAN-OS, the security policies needed for the special destination zone type “multicast”, as well as some “show” outputs that can be used for troubleshooting:

Don’t Trust Packet Captures on Firewalls

The other day, I was troubleshooting some network-related stuff, using the built-in Packet Capture on a Palo Alto Networks firewall. And while it did the job at a first glance, I stumbled upon some packets that were simply not correct, read: were not present on the Ethernet cable at all and/or were missing some content.

This proves again what the TAP vendors always claim: Don’t use internal packet captures / SPAN ports at all when you’re really serious about the truth. You MUST use network TAPs!

OSPFv3 Authentication on a Palo Alto (Logical Router)

I had a hard time figuring out how to configure OSPFv3 authentication on a Palo Alto Networks NGFW due to its different configuration formats compared to a Cisco router.

TL;DR: The SPI must be set in hexadecimal, while the actual key (40 chars, hexadecimal) must be grouped in 5 sections, separated with hyphens.

DNS Tunneling: iodine

This post walks through a basic DNS tunneling setup using the tool “iodine”. It shows how DNS tunneling works and lists the commands needed to run this type of attack. That is, you can tunnel IPv4 packets through this DNS channel via the (internal) recursive DNS resolver! Nice approach. ;)

In the end, I point out how to block these tunnelling attempts with the DNS appliances from Infoblox, and the firewalls from Palo Alto Networks and Fortinet.

DNS Security @ SharkFest’25 EU

I was presenting at the annual “Wireshark Developer and User Conference”, the SharkFest’25 EU, talking about “Securing DNS – Attacks and Defences”. It covered all the buzzwords related to DNS security, such as malware using DNS, DNS spoofing, DNS exfiltration & tunnelling, and how to defend against them with keywords such as DNSSEC, DoH/DoT, feeds & blocklists, and so on.

Quite a few techniques. ;) Luckily, the whole session was recorded. So if you’re interested, have a look!

DNS Packet Capture: DoT, DoH, DoQ, DoH3

While I was working on my presentation about “Secure DNS” for this year’s SharkFest, the Wireshark Developer and User Conference, I realised that I was still missing some DNS-related packet captures in the Ultimate PCAP, namely DNS over TLS and DNS over HTTPS. And while working on it with the DNSDiag toolkit (thanks, Babak!), I came across DNS over QUIC and DNS over HTTP/3. 😂 Here we go:

It was MTU! Zscaler over GRE behind Palo, blocking ICMP Frag Needed

The other day, I was troubleshooting an issue where users reported that “some websites are working while some are not”. Uh. This is almost the worst scenario to face from a networker’s perspective. It’s way easier if things do or don’t work at all, but not this “some don’t” situation.

The scenario: Using Zscaler for outbound Internet connections, connected via a GRE tunnel from a Palo Alto Networks firewall. TL;DR: If it’s not DNS, it’s MTU. 😂 The “Suppress ICMP Frag Needed” option within the ICMP Drop section of the Zone Protection Profile did what it is meant to do: block “ICMP fragmentation needed” messages. Unfortunately, this killed *some* sessions which had the “Don’t fragment” bit set but exceeded the (lower) MTU of the GRE tunnel.