Category Archives: Palo Alto Networks

PQC VPN-Tunnel with Palo

IPsec/VPN, Palo Alto Networks, Post-Quantum (PQC), , , , , ,

As the advent of practical quantum computing draws closer, security vendors are increasingly introducing post-quantum cryptographic (PQC) algorithms to protect existing security architectures against future threats. One important use case is site-to-site VPN connectivity, where organisations must address the “harvest now, decrypt later” risk – the possibility that encrypted traffic captured today could be decrypted by quantum computers in the future.

To mitigate this threat, Palo Alto Networks has implemented several approaches for quantum-resistant VPN tunnels, including Post-Quantum Preshared Keys (PPK), Key Encapsulation Mechanisms (KEM), and Quantum Key Distribution (QKD). Each method offers a different balance of security, complexity, and operational requirements.

In this blog post, we will examine these approaches in detail, with a particular focus on KEM-based solutions, which are generally considered the preferred path forward. We will also demonstrate how to configure a site-to-site VPN tunnel that combines traditional Diffie-Hellman (DH) key exchange with post-quantum algorithms such as Kyber (standardised by NIST as ML-KEM), providing both classical and quantum-resistant security.

Continue reading PQC VPN-Tunnel with Palo

Palo Alto Networks NGFW “SSL Inbound Inspection” with different Certificate

Certificate, Palo Alto Networks, , , ,

I had a use case where I wanted to use the SSL Inbound Inspection on a Palo, but with a different X.509 certificate than the one on the server itself. That is: the backend server has its self-signed (or internal PKI-signed) certificate along with its hostname, while the decryption policy on the Palo uses a publicly trusted signed certificate for the same hostname. Just like a reverse proxy / load balancer / WAF.

TL;DR: While it would be technically feasible, this configuration is not working. :(

Continue reading Palo Alto Networks NGFW “SSL Inbound Inspection” with different Certificate

Multicast Routing w/ Palo

Palo Alto Networks, Routing, , ,

A rare use case on a Palo (at least from my point of view): Multicast Routing. And it can become as complex as you want. Fortunately, the basics are relatively easy to configure, at least if you have a rough understanding of multicast and routing with PIM and IGMP. (Recommended YouTube session here.) Let’s have a look at the common configuration steps on PAN-OS, the needed security policies to the special destination zone type of “multicast”, as well as some “show” outputs that can be used for troubleshooting:

Continue reading Multicast Routing w/ Palo

OSPFv3 Authentication on a Palo Alto (Logical Router)

Authentication, IPv6, Palo Alto Networks, Routing, , , , , ,

I had a hard time figuring out how to configure OSPFv3 authentication on a Palo Alto Networks NGFW due to its different configuration formats compared to a Cisco router.

TL;DR: The SPI must be set in hexadecimal, while the actual key (40 chars, hexadecimal) must be grouped in 5 sections, separated with hyphens.

Continue reading OSPFv3 Authentication on a Palo Alto (Logical Router)

It was MTU! Zscaler over GRE behind Palo, blocking ICMP Frag Needed

ICMP/ICMPv6, Palo Alto Networks, , , , , , , ,

The other day, I was troubleshooting an issue where users reported that “some websites are working while some are not“. Uh. This is almost the worst scenario to face from a networker’s perspective. It’s way easier if things do or don’t work at all, but not this “some don’t” situation.

The scenario: Using Zscaler for outbound Internet connections, connected via a GRE tunnel from a Palo Alto Networks firewall. TL;DR: If it’s not DNS, it’s MTU. šŸ˜‚ The “Suppress ICMP Frag Needed” option within the ICMP Drop section of the Zone Protection Profile did what it is meant to do: block “ICMP fragmentation needed” messages. Unfortunately, this killed *some* sessions which had the “Don’t fragment” bit set but exceeded the (lower) MTU of the GRE tunnel.

Continue reading It was MTU! Zscaler over GRE behind Palo, blocking ICMP Frag Needed

Palo vs. PlayStation: How a Security Feature Blocked Our PlayStation Updates

Palo Alto Networks, , , , , ,

For a few weeks, our PlayStation stopped downloading game updates. I figured it was just a temporary issue with the PS4. Since it didnā€™t affect me directly but only the kids, I didnā€™t pay much attention at first. I planned to wait for a firmware update from Sony. When such an update eventually came but didnā€™t solve the issue, I started getting suspicious – especially when I found almost no relevant results online for the official error code, which reads “(HTTP Status Code : 416) (CE-40862-0)”.

After conducting further detailed searches, I finally came across a post in the Palo Alto Networks LIVEcommunity. That definitely caught my attention. If thereā€™s one thing that sets my home network apart from most ā€œnormalā€ households, itā€™s the fact that I have a Palo Alto firewall running – not your average consumer-grade router. šŸ˜‚

Continue reading Palo vs. PlayStation: How a Security Feature Blocked Our PlayStation Updates

Redundant VPN with Failover on a Palo NGFW

Internet Access, IPsec/VPN, Palo Alto Networks, Tutorial/Howto, , , , , ,

This goes out to anyone who uses more than one Site-to-Site VPN tunnel between two locations that are secured by firewalls from Palo Alto Networks. Using two (or even more) VPN tunnels, you need an automatic way to failover the traffic flow from one VPN to the other in case of failures. Here’s how to accomplish that requirement:

Continue reading Redundant VPN with Failover on a Palo NGFW

Editing Palo Configs by Scripts: pan-os-php

Palo Alto Networks, Tutorial/Howto, , , , , , ,

There are recurring cases where tasks cannot be edited quickly and easily using the classic Palo Alto Networks GUI or Panorama. For example, editing multiple policies at once, such as during a zone migration. Or checking which policies haven’t log forwarding enabled, hence enabling it directly. Or finding unused objects, including deleting them.

For these situations (and many more!), there’s a tool with a wealth of predefined scripts: pan-os-php. This first blog post covers installation and some initial use cases.

Continue reading Editing Palo Configs by Scripts: pan-os-php

Palo Alto Networks Announces Strategic Shift to Apparel Manufacturing

Palo Alto Networks, , , ,

Palo Alto Networks, a global leader in cybersecurity solutions, has announced a significant strategic shift. The company will transition from its core cybersecurity business to exclusively focus on apparel manufacturing.

Continue reading Palo Alto Networks Announces Strategic Shift to Apparel Manufacturing

Which KPIs to monitor on a Palo Alto Firewall?

Monitoring, Palo Alto Networks, , , , , ,

We wanted to monitor some of our Palo firewalls from our monitoring system via the API. But: Which enhanced metrics/KPIs shall we monitor? While there are some obvious ones such as interface counters, uptime, software versions, license expiry dates, or HA-states, we dug a little deeper to get more out of it, such as mgmt-/data-plane stats, packet rates, drop counters (all global counters?), and routing entries.

Here are some ideas on which values a monitoring system could observe. I’m listing the required API calls along with some demo values that can be used to develop monitoring tools/scripts.

Continue reading Which KPIs to monitor on a Palo Alto Firewall?

Dual-Stack PPPoE on a Palo Alto Firewall

Internet Access, IPv6, Palo Alto Networks, , , , , , ,

If you want to establish an Internet connection (that is: IPv6 and IPv4) right away from your firewall through xDSL connections, you need quite some technologies: PPPoE and PPPoEv6 (PPP IPV6CP) along with DHCPv6-PD. Fortunately, with PAN-OS 11.0 and 11.1, those missing IPv6 links were finally added by PANW to their Strata firewalls. (I have been awaiting them since 2015!)

So, here it is: Connecting a Palo through an xDSL modem to a residential ISP:

Continue reading Dual-Stack PPPoE on a Palo Alto Firewall

Getting started with the APIs from Palo Alto Ntwks

API, Palo Alto Networks, Tutorial/Howto, , , , ,

You can talk to firewalls and Panorama from Palo Alto Networks in various ways. The well-known GUI (which I really love, by the way) and the CLI are quite common at first glance. Nearly everyone using the Palos is familiar with these configuration options.

When it comes to automation at some point, either to configure those devices or just to read out some KPIs for your monitoring, APIs are in place. Plural because Palo has two APIs: The so-called “XML API” and the “REST API“. Let’s get started with both of them:

Continue reading Getting started with the APIs from Palo Alto Ntwks

PANW: Dynamic Routing between Logical Routers

Palo Alto Networks, Routing, , , , , ,

How to route traffic between multiple logical routers aka Inter-LR Routing on a Palo Alto Networks Strata firewall? More precisely, inclusive route redistribution rather than a few static routes. –> Via iBGP through loopback interfaces. āœ… Let’s go:

Continue reading PANW: Dynamic Routing between Logical Routers

BGP Route Filtering with Palo’s Advanced Routing Engine (ARE)

Palo Alto Networks, Routing, , , , , ,

With PAN-OS 10.2, Palo Alto Networks has introduced the “Advanced Routing Engine” (ARE) with its “Logical Routers” (LR) rather than the legacy “Virtual Routers” (VR).

The Advanced Routing Engine simplifies operations with a standards-based configuration, which reduces your learning curve since it is similar to that of other router vendors.

The neat thing, as always: You can configure everything through the GUI. Here’s a basic example of how I’m using a prefix list to filter incoming BGP routes:

Continue reading BGP Route Filtering with Palo’s Advanced Routing Engine (ARE)