Tag Archives: Palo Alto Networks

Using Case Sensitive IPv6 Addressing on a Palo Alto

2019-04-01IPv6, Palo Alto NetworksApril 1st, case sensitive, Features, IPv6, IPv6 Global Unicast Address, Palo Alto NetworksJohannes Weber

IPv6 brings us enough addresses until the end of the world. Really? Well… No. There was an interesting talk at RIPE77 called “The Art of Running Out of IPv6 Addresses” by Benedikt Stockebrand that concludes that we will run out of IPv6 addresses some day.

Luckily Palo Alto Networks has already added one feature to expand the IPv6 address space by making them case sensitive. That is: you can now differentiate between upper and lower case values “a..f” and “A..F”. Instead of 16 different hexadecimal values you now have 22 which increases the IPv6 space from $2^{128}$ to about $2^{142}$ . Here is how it works on the Palo Alto Networks firewall:

Continue reading Using Case Sensitive IPv6 Addressing on a Palo Alto →

Trying to change an IPv6 Link-Local Address on a FortiGate

2018-11-30Fortinet, IPv6fail, FortiGate, Fortinet, IPv6, IPv6 Interface Identifier, Link-Local Address, Palo Alto Networks, Router Advertisement, WiresharkJohannes Weber

I got an email where someone asked whether I know how to change the link-local IPv6 addresses on a FortiGate similar to any other network/firewall devices. He could not find anything about this on the Fortinet documentation nor on Google.

Well, I could not find anything either. What’s up? It’s not new to me that you cannot really configure IPv6 on the FortiGate GUI, but even on the CLI I couldn’t find anything about changing this link-local IPv6 address from the default EUI-64 based one to a manually assigned one. Hence I opened a ticket at Fortinet. It turned out that you cannot *change* this address at all, but that you must *add* another LL address which will be used for the router advertisements (RA) after a reboot (!) of the firewall. Stupid design!

Continue reading Trying to change an IPv6 Link-Local Address on a FortiGate →

MP-BGP Capture

2018-10-03IPv6, RoutingAuthentication, BGP, CCNP, Cisco Router, Dynamic Routing, Follow TCP Stream, FortiGate, Fortinet, IPv6, MD5, MP-BGP, Palo Alto Networks, pcap, WiresharkJohannes Weber

For those who are interested in analyzing basic BGP messages: I have a trace file for you. ;) It consists of two session establishments as I cleared the complete BGP session on two involved routers for it. Refer to my previous blog post for details about the lab, that is: MP-BGP with IPv6 and legacy IP, neighbouring via both protocols as well, with and without password. The involved routers were 2x Cisco routers, one Palo Alto Networks firewall, and one Fortinet FortiGate firewall.

Continue reading MP-BGP Capture →

Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet

2018-09-24Authentication, Cisco Systems, Fortinet, IPv6, Palo Alto Networks, RoutingAuthentication, BGP, CCNP, Cisco Router, Dynamic Routing, FortiGate, Fortinet, IPv6, Loopback, MD5, MP-BGP, Palo Alto Networks, Password, RedistributionJohannes Weber

While playing around in my lab learning BGP I configured iBGP with Multiprotocol Extensions (exchanging routing information for IPv6 and legacy IP) between two Cisco routers, a Palo Alto Networks firewall, and a Fortinet FortiGate firewall. Following are all configuration steps from their GUI (Palo) as well as their CLIs (Cisco, Fortinet). It’s just a “basic” lab because I did not configure any possible parameter such as local preference or MED but left almost all to its defaults, except neighboring from loopbacks, password authentication and next-hop-self.

Continue reading Basic MP-BGP Lab: Cisco Router, Palo Alto, Fortinet →

Route- vs. Policy-Based VPN Tunnels

2018-07-10Design/Policy, IPsec/VPNCisco ASA, Crypto Map, FortiGate, IKE, IPsec, Juniper ScreenOS, Palo Alto Networks, Policy-Based VPN, Proxy-ID, Route-Based VPN, Security Association, Site-to-Site VPN, uRPF, VPNJohannes Weber

There are two methods of site-to-site VPN tunnels: route-based and policy-based. While some of you may already be familiar with this, some may have never heard of it. Some firewalls only implement one of these types, so you probably don’t have a chance to configure the other one anyway. Too bad since route-based VPNs have many advantages over policy-based ones which I will highlight here.

I had many situations in which network admins did not know the differences between those two methods and simply configured “some kind of” VPN tunnel regardless of any methodology. In this blogpost I am explaining the structural differences between them along with screenshots of common firewalls. I am explaining all advantages of route-based VPNs and listing a table comparing some firewalls regarding their VPN features.

Continue reading Route- vs. Policy-Based VPN Tunnels →

File Blocking Shootout – Palo Alto vs. Fortinet

2018-06-27Fortinet, Palo Alto Networks, PasswordData Leak Prevention, DLP, Encrypted, fail, File Blocking, FortiGate, Fortinet, Microsoft Office, Palo Alto Networks, Password, PDF, Protected, ZIPJohannes Weber

We needed to configure the Internet-facing firewall for a customer to block encrypted files such as protected PDF, ZIP, or Microsoft Office documents. We tested it with two next-generation firewalls, namely Fortinet FortiGate and Palo Alto Networks. The experiences were quite different…

TL;DR: While Fortinet is able to block encrypted files, Palo Alto fails since it does not identify encrypted office documents! [UPDATE: Palo Alto has fixed the main problem, see notes below.]

Continue reading File Blocking Shootout – Palo Alto vs. Fortinet →

Palo Alto policy-deny though Action allow

2018-06-18Certificate, Palo Alto NetworksCertificate, Palo Alto Networks, Pinning, PolicyJohannes Weber

I came across some strange behaviors on a Palo Alto Networks firewall: Certain TLS connections with TLS inspection enabled did not work. Looking at the traffic log the connections revealed an Action of “allow” but of Type “deny” with Session End Reason of “policy-deny”. What?

Continue reading Palo Alto policy-deny though Action allow →

Notes regarding Palo Alto HA2 Session Sync

2018-06-13Palo Alto NetworksCluster, HA, High Availability, Palo Alto Networks, Session Sync, TroubleshootingJohannes Weber

Just a quick note concerning the session sync on a Palo Alto Networks firewall cluster: Don’t trust the green HA2 bubble on the HA widget since it is always “Up” as long as the HA interface is up. It does NOT indicate whether the session sync is working or not. You MUST verify the session count on the passive unit to be sure. Here are some details:

Continue reading Notes regarding Palo Alto HA2 Session Sync →

Palo Alto Application: First Packets Will Pass!

2018-06-07Design/Policy, Palo Alto NetworksApp-ID, Application, FTP, Next-Generation Firewall, Palo Alto Networks, PolicyJohannes Weber

I am using an almost hidden FTP server in my DMZ behind a Palo Alto Networks firewall. FTP is only allowed from a few static IP addresses, hence no brute-force attacks on my server. Furthermore, I have an “allow ping and traceroute from any to DMZ” policy since ping is no security flaw but really helpful while troubleshooting.

Now, here comes the point: My FTP server logfile showed dozens of connections from many different IP addresses from the Internet. WHAT? For the first moment I was really shocked. Have I accidentally exposed my FTP server to the Internet? Here is what happened:

Continue reading Palo Alto Application: First Packets Will Pass! →

Generating SSHFP Records Remotely

2018-02-08DNS/DNSSEC, Linux, Security, SSH, Tutorial/HowtoCisco Router, DNSSEC, DSA, FortiGate, Fortinet, Juniper ScreenOS, Juniper SSG, Nmap, Palo Alto Networks, SSH, ssh-keygen, ssh-keyscan, SSHFP, WorkaroundJohannes Weber

Until now I generated all SSHFP resource records on the SSH destination server itself via ssh-keygen -r <name>. This is quite easy when you already have an SSH connection to a standard Linux system. But when connecting to third-party products such as routers, firewalls, whatever appliances, you don’t have this option. Hence I searched and found a way to generate SSHFP resource records remotely. Here we go:

Continue reading Generating SSHFP Records Remotely →

IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate

2017-09-21Fortinet, IPsec/VPN, IPv6, Palo Alto NetworksFortiGate, Fortinet, IKEv2, IPsec, IPv6, Palo Alto Networks, Site-to-Site VPNJohannes Weber

And one more IPsec VPN post, again between the Palo Alto Networks firewall and a Fortinet FortiGate, again over IPv6 but this time with IKEv2. It was no problem at all to change from IKEv1 to IKEv2 for this already configured VPN connection between the two different firewall vendors. Hence I am only showing the differences within the configuration and some listings from common CLI outputs for both firewalls.

Continue reading IKEv2 IPsec VPN Tunnel Palo Alto <-> FortiGate →

IPv6 IPsec VPN Tunnel Palo Alto <-> FortiGate

2017-09-11Fortinet, IPsec/VPN, IPv6, Palo Alto NetworksFortiGate, Fortinet, IPsec, IPv6, Palo Alto Networks, Site-to-Site VPNJohannes Weber

Towards the global IPv6-only strategy ;) VPN tunnels will be used over IPv6, too. I configured a static IPsec site-to-site VPN between a Palo Alto Networks and a Fortinet FortiGate firewall via IPv6 only. I am using it for tunneling both Internet Protocols: IPv6 and legacy IP.

While it was quite easy to bring the tunnel “up”, I had some problems tunneling both Internet Protocols over the single phase 2 session. The reason was some kind of differences within the IPsec tunnel handling between those two firewall vendors. Here are the details along with more than 20 screenshots and some CLI listings.

Continue reading IPv6 IPsec VPN Tunnel Palo Alto <-> FortiGate →

Palo Alto NDP Monitoring

2017-08-30IPv6, Palo Alto NetworksIPv6, IPv6 Neighbor Cache, IPv6 Neighbor Discovery, NDPMon, Neighb, Palo Alto NetworksJohannes Weber

With PAN-OS version 8.0 Palo Alto Networks introduced another IPv6 feature, namely “NDP Monitoring for Fast Device Location“. It basically adds a few information to the existing neighbor cache such as the User-ID (if present) and a “last reported” timestamp. That is: the admin has a new reporting window within the Palo Alto GUI that shows the reported IPv6 addresses along with its MAC addresses. This is really helpful for two reasons: 1) a single IPv6 node can have multiple IPv6 addresses which makes it much more difficult to track them back to the MAC address and 2) if SLAAC is used you now have a central point where you can look up the MAC-IPv6 bindings (comparable to the DHCP server lease for legacy IPv4).

Continue reading Palo Alto NDP Monitoring →

PAN NGFW IPv6 NDP RA RDNSS & DNSSL

2017-08-23DNS/DNSSEC, IPv6, Palo Alto NetworksDNS, DNS Suffix Search List, DNSSL, IPv6, Palo Alto Networks, RDNSS, rdnssd, Router Advertisement, Ubuntu, Windows, WiresharkJohannes Weber

Haha, do you like acronyms as much as I do? This article is about the feature from Palo Alto Networks’ Next-Generation Firewall for Internet Protocol version 6 Neighbor Discovery Protocol Router Advertisements with Recursive Domain Name System Server and Domain Name System Search List options. ;) I am showing how to use it and how Windows and Linux react on it.

Continue reading PAN NGFW IPv6 NDP RA RDNSS & DNSSL →

Palo vs. Forti: Blog Stats

2017-06-16Commentary, Fortinet, Palo Alto NetworksCLI, Fortinet, Palo Alto Networks, StatisticsJohannes Weber

I want to talk about a fun fact concerning my blog statistics: Since a few years I have some “CLI troubleshooting commands” posts on my blog – one for the Palo Alto Networks firewall and another for the FortiGate firewall from Fortinet. If you are searching on Google for something like “palo alto cli commands” or “fortigate troubleshooting cli” my blog is always listed amongst the first 2-4 results.

But for some reasons the article for Fortinet has much more hits. I don’t know why but I have two different ideas. What do you think?

Continue reading Palo vs. Forti: Blog Stats →

Weberblog.net

IT-Security, Networks, IPv6, VPN, DNSSEC, NTP