Category Archives: Vendor/Device/OS

It was MTU! Zscaler over GRE behind Palo, blocking ICMP Frag Needed

The other day, I was troubleshooting an issue where users reported that “some websites are working while some are not”. Uh. This is almost the worst scenario to face from a networker’s perspective. It’s way easier if things do or don’t work at all, but not this “some don’t” situation.

The scenario: Using Zscaler for outbound Internet connections, connected via a GRE tunnel from a Palo Alto Networks firewall. TL;DR: If it’s not DNS, it’s MTU. 😂 The “Suppress ICMP Frag Needed” option within the ICMP Drop section of the Zone Protection Profile did what it is meant to do: block “ICMP fragmentation needed” messages. Unfortunately, this killed *some* sessions which had the “Don’t fragment” bit set but exceeded the (lower) MTU of the GRE tunnel.

Palo vs. PlayStation: How a Security Feature Blocked Our PlayStation Updates

For a few weeks, our PlayStation stopped downloading game updates. I figured it was just a temporary issue with the PS4. Since it didn’t affect me directly but only the kids, I didn’t pay much attention at first. I planned to wait for a firmware update from Sony. When such an update eventually came but didn’t solve the issue, I started getting suspicious – especially when I found almost no relevant results online for the official error code, which reads “(HTTP Status Code : 416) (CE-40862-0)”.

After conducting further detailed searches, I finally came across a post in the Palo Alto Networks LIVEcommunity. That definitely caught my attention. If there’s one thing that sets my home network apart from most “normal” households, it’s the fact that I have a Palo Alto firewall running – not your average consumer-grade router. 😂

Redundant VPN with Failover on a Palo NGFW

This goes out to anyone who uses more than one Site-to-Site VPN tunnel between two locations that are secured by firewalls from Palo Alto Networks. Using two (or even more) VPN tunnels, you need an automatic way to failover the traffic flow from one VPN to the other in case of failures. Here’s how to accomplish that requirement:

Wireshark Feature Added: Connecting ICMP Errors

It’s really just a small thing, but very practical for me: In Wireshark, a feature request I submitted has been implemented. Now, when you click on an ICMP error, the corresponding (original) packet is highlighted.

Previously, clicking on a packet belonging to a flow would show all related packets, including any ICMP errors. However, if you selected an ICMP error packet itself, nothing happened. If you had many ICMP errors from different sessions, you had to go through the cumbersome process of figuring out which sessions they actually belonged to.

Now, you can simply scroll through the packet list as usual and immediately see whether related packets are present — and if so, which ones. Very handy.

ICMP ‘Destination Unreachable’ Messages @ SharkFest’24 EU

I did a presentation at SharkFest’24 EU in Vienna, the “Wireshark Developer and User Conference”, about the topic: “Unveiling Network Errors – A Deep Dive into ICMP ‘Destination Unreachable’ Messages”. It covers the following:

“Effective troubleshooting of network issues is a critical concern for network technicians. While many are familiar with basic ICMP tools like ping and traceroute, the breadth of ICMP capabilities often goes underutilised. This session delves into ICMP messages, specifically the ‘Destination Unreachable’ type, and the insights they provide into network errors.

We will explore methods for capturing and analysing network traffic, highlighting practical tips and tricks for using Wireshark to diagnose and resolve issues efficiently. Attendees will gain a deeper understanding of ICMP message functions and how to leverage them for improved network troubleshooting.”

You can watch the whole session and download the slides. And you can do the six challenges at the end of the session as well. (The answers are not in the PDF, but shown in the video.)

Editing Palo Configs by Scripts: pan-os-php

There are recurring cases where tasks cannot be done quickly and easily using the classic Palo Alto Networks GUI or Panorama. For example, editing multiple policies at once, such as during a zone migration. Or checking which policies don’t have log forwarding enabled and enabling it directly. Or finding unused objects and deleting them.

For these situations (and many more!), there’s a tool with a wealth of predefined scripts: pan-os-php. This first blog post covers installation and some initial use cases.

Azure PTP Accuracy

The Network Time Protocol (NTP) is widely used to synchronize computer clocks. The Precision Time Protocol (PTP) can be used as a time source as well and is expected to be accurate within microseconds. However, on Microsoft Azure VMs, PTP-derived time-of-day errors could exceed 50,000 microseconds, which may be inadequate. Let’s go into some details:

Palo Alto Networks Announces Strategic Shift to Apparel Manufacturing

Palo Alto Networks, a global leader in cybersecurity solutions, has announced a significant strategic shift. The company will transition from its core cybersecurity business to exclusively focus on apparel manufacturing.

Which KPIs to monitor on a Palo Alto Firewall?

We wanted to monitor some of our Palo firewalls from our monitoring system via the API. But: Which enhanced metrics/KPIs shall we monitor? While there are some obvious ones such as interface counters, uptime, software versions, license expiry dates, or HA-states, we dug a little deeper to get more out of it, such as mgmt-/data-plane stats, packet rates, drop counters (all global counters?), and routing entries.

Here are some ideas on which values a monitoring system could observe. I’m listing the required API calls along with some demo values that can be used to develop monitoring tools/scripts.

Dual-Stack PPPoE on a FortiGate Firewall

You can use a FortiGate to connect to the Internet (that is: Dual-Stack!) directly in various ways. In my current setup, I’m using a PPPoE residential xDSL connection. It’s not that easy to configure everything correctly since it requires the use of many different protocols such as PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. But here it is:

DHCPv6 Prefix Delegation on a FortiGate Firewall

I got DHCPv6-PD aka prefix delegation up and running on a FortiGate. Yes! ✅ Configuring it is tricky since it’s not always clear which options to use. You cannot see everything in the GUI (it even changes depending on other options set later on, or selects hidden and wrong default values), hence, you must set specific options via the CLI. I navigated around some bugs and finally got it running. Here we go:

Dual-Stack PPPoE on a Palo Alto Firewall

If you want to establish an Internet connection (that is: IPv6 and IPv4) right away from your firewall through xDSL connections, you need quite a few technologies: PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. Fortunately, with PAN-OS 11.0 and 11.1, those missing IPv6 links were finally added by PANW to their Strata firewalls. (I have been awaiting them since 2015!)

So, here it is: Connecting a Palo through an xDSL modem to a residential ISP:

xDSL-Modems

If you want to use an enterprise firewall on a classic DSL line, you need a separate DSL modem. This differs from consumer routers such as the Fritzbox, which has always had a DSL modem built in. Back to the roots, just like back in the day when you had a trio of splitter, modem and router. Do you still remember? ;)

In my case, I wanted to run a Palo or a Forti on a Telekom VDSL line. I tested two variants: a Fritzbox downgraded to a modem (a makeshift solution) and a pure DSL modem from DrayTek. Here are a few notes and screenshots:

Joining an Active Directory: A Packet Capture

What happens on the network if you’re joining a Microsoft Active Directory domain? Which protocols are used? As I suspected, it’s a bit more complex than just seeing a single known protocol like HTTPS. ;)

Since a PCAP is worth a thousand words, I captured the process of a Windows PC joining an AD. Let’s have a look at it with Wireshark and NetworkMiner. And, as always, you’re welcome to download the packet capture to analyse it by yourself.
