Palo Alto firewalls have a nice packet capture feature. It enables you to capture packets as they traverse the firewall. While you might be familiar with the four stages that the Palo can capture (firewall, drop, transmit, receive), it’s sometimes hard to set the correct filter – especially when it comes to NAT scenarios. (At least it was hard for me…)
I am using the packet capture feature very often for scenarios in which the IP connections are in fact working (hence no problems at the tx/rx level nor on the security policy/profile) but where I want to verify certain details of the connection itself. I’m simply using the Palo as a capturing device here, similar to a SPAN port on a switch. (Yes, I’m aware of all disadvantages of not using a real TAP and a real capture device.) In the end, I want a single pcap which shows all relevant packets for a client-server connection, even if NAT is in place. Wireshark should be able to correlate the incoming/outgoing packets into a single TCP stream. Furthermore, I definitely want to use a filter to limit the amount of captured packets. This is how I’m doing it:
Continue reading Palo Packet Capture: Choosing the Right Filter →
I just had a hard time figuring out that a network routing setup was not working due to a correctly enforced IP Spoofing protection on a Palo Alto Networks firewall. Why was it a hard time? Because I did not catch that the IP spoofing protection kicked in since there were no logs. And since we do log *everything*, a non-existent log means nothing happened, right? Uhm, not in this case. Luckily you can (SHOULD!) enable an additional thread log on the Palo.
Continue reading PAN: Logging of Packet-Based Attack Protection Events e.g. Spoofed IP →
Ich durfte zu Gast bei der #heiseshow zum Thema IPv6 sein. In Anlehnung an die Artikelserie über IPv6 in der c’t 7/2022, in der auch mein Artikel über die Vorteile von IPv6-Adressen erschienen ist, ging es bei diesem Video-Podcast um gängige Fragen zu IPv6 sowohl im Heimanwender- als auch im Enterprise-Segment. Ne knappe Stunde lief die Schose und ich empfand es als ziemlich kurzweilig. ;)
Continue reading #heiseshow: IPv6 setzt sich langsam durch – die wichtigsten Fragen →
This post is about adding an own (trusted) X.509 certificate for the HTTPS GUI of the Cisco Application Policy Infrastructure Controller aka APIC. You can do this via the GUI itself or via the API. Here are both ways:
Continue reading Cisco APIC: New Certificate →
Neben dem Gebastel mit technischen Geräten macht mir vor allem das Spielen von Saiteninstrumenten viel Spaß. So haben sich mit der Zeit ein paar Insturmente aller Couleur angesammelt: E-Gitarren, Akustik-Gitarren, Bässe, Ukulelen. Gleichermaßen begeistern mich schon seit Jahren die tollen Metall-Kreisel von ForeverSpin, einem kanadischen Unternehmen, welches aus massiven Blöcken per CNC-Drehmaschine sehr akurate Kreisel herstellt. Neben bekannten Metallen wie Stahl, Aluminium oder Messing kommen auch Exoten wie Magnesium, Zirconium, Titan oder Wolfram (!) zum Einsatz.
Nun, die Verbindung dieser beiden Interessen besteht wie folgt: In den letzten Jahre habe ich diese Kreisel (englisch: top) auf verschiedenen Gitarren Oberflächen (englisch ebenfalls: top) fotografiert. Die entstandenen Bilder sind allesamt auf Unsplash zu sehen. In diesem Blogpost geht es nun um die individuellen Zusammenstellungen der Kreisel zu den Gitarren und was sich der Künstler dabei gedacht hat. ;) Es bringt dem Otto Normalverbraucher also eigentlich nichts, hier weiterzulesen. Eher macht es vor allem mir einfach Spaß.
Continue reading Top on Top: ForeverSpin Kreisel auf Gitarren →
You probably know already the concept of the Pi-hole. If not: It’s a (forwarding) DNS server that you can install on your private network at home. All your clients, incl. every single smartphone, tablet, laptop, and IoT devices such as smart TVs or light bulb bridges, can use this Pi-hole service as their DNS server. Now here’s the point: it not only caches DNS entries, but blocks certain queries for hostnames that are used for ads, tracking, or even malware. That is: You don’t have to use an ad- or track-blocker on your devices (which is not feasible on smart TVs or smartphone apps, etc.), but you’re blocking this kind of sites entirely. Nice approach!
Yes, there are already some setup tutorials for the Pi-hole out there. However, it’s not only about installing the mere Pi-hole, but setting it up with your own recursive DNS server (since the default installation forwards to public DNS servers), using DNSSEC, and adding some more adlists. That’s why I am listing my installation procedure here as well. However, it’s not a complete beginners guide. You’ll need some basic Linux know-how.
Continue reading Pi-hole Installation Guide →
Endlich war es soweit: Das eigene Haus stand vor der Tür und Johannes hat sich um die Netzwerkverkabelung und das Netzwerkdesign gekümmert. Hier eine Zusammenfassung meiner Gedanken und deren Umsetzung – offen für kritische Rückfragen, Verbesserungsvorschläge und Bewunderungsbekundungen. :)
Continue reading Das Webernetz dahoam →
As we have just set up a TLS capable syslog server, let’s configure a Fortinet FortiGate firewall to send syslog messages via an encrypted channel (TLS). Let’s go:
Continue reading FortiGate Syslog via TLS →
As we have just set up a TLS capable syslog server, let’s configure a Palo Alto Networks firewall to send syslog messages via an encrypted channel. While it was quite straightforward to configure I ran into a couple of (unresolved) problems as I added and deleted some syslog servers and their certificates. Uhm.
Continue reading Palo Alto Syslog via TLS →
Some years ago I wrote a blog post called “Basic syslog-ng Installation“. While I used it myself quite often in my labs or at the customers’ sites, it shows only basic UDP transport which is both unreliable and insecure. So, let’s have a look at a fresh installation of syslog-ng with TLS support for security reasons. However, TCP and UDP as transport are covered as well for the support of legacy systems.
Continue reading syslog-ng with TLS: Installation Guide →
We have run into an annoying situation: A hardware-dependent limit of user groups on a Palo Alto Next-Generation Firewall. That is: We cannot use more Active Directory groups at our firewalls. The weird thing about this: We don’t need that many synced groups on our Palo, but we have to do it that way since we are using nested groups for our users. That is: Palo Alto does not support nested groups out of the box, but needs all intermediary groups to retrieve the users which results in a big number of unnecessary groups.
I am asking you to give me some input on how you’re using user groups on the Palo. How are you using group filters? What count of AD groups do you have? Are you using nested groups (which is best practice)?
Continue reading Palo Alto: User Group Count Exceeds Threshold →
The Cisco Email Security Appliance (ESA) is well-known for its very good Anti-Spam features. But it completely lacks a usable implementation for mail encryption with S/MIME or OpenPGP. That is: We are using other appliances for that such as Zertificon, SEPPmail, or totemo.
However, the Cisco ESA still remains the main MTA for incoming and outgoing mails, hence mails must be routed to the encryption appliance of your choice for signing/encrypting (outgoing) or verifying/decrypting (incoming) mails. Such mail routings should be done with CLI-only message filters, rather than content filters. Here we go:
Continue reading Cisco ESA: Mail Flow for Encryption Appliances →
For whatever reason, I had a Palo Alto Networks cluster that was not able to sync. A manual sync was not working, nor did a reboot of both devices (sequentially) help. Finally, the PAN support told me to “Export device state” on the active unit, import it on the passive one, do some changes, and commit. Indeed, this fixed it. A little more details:
Continue reading Palo Alto Networks Cluster “not synchronized” →
Again and again, I am adding some protocol samples to the Ultimate PCAP. Just for reference. And because I can. ;D
Continue reading Again some more protocols & variants →
Quite spontaneous I gave a small talk on the 3rd german DDI (DHCP/DNS/IPAM) user group which took place on June, 17th, 2021. (I was asked to do a talk just two days before the meeting.) It’s based on my blog post about accidental hostname disclosure through the certificate transparency log. To be honest, there’s not much more information in the slides than in my initial blog post. ;D
Continue reading DDIUGv3: Certificate Transparency Disclosure →