Network technologies and trends


March 30, 2017  5:19 AM

Cisco ASA VPN troubleshooting  – Decaps but No encaps

Yasir Irfan
ASA, bug, Cisco ASA, Cisco VPN, firewall, NAT, Palo Alto Networks, Policies, Proxy, Troubleshooting, tunnel, VPN

Recently we observed a strange issue while building a site-to-site VPN tunnel between a Cisco ASA running 9.1(5) and a Palo Alto Networks next-generation firewall running PAN-OS 7.0.9. Phase 1 (IKE) always established successfully with the peer, but phase 2 (IPsec) never came up.

Every time, the problem was with encapsulation: packets sent toward the peer were never encapsulated, while packets received from the remote peer were decapsulated, meaning the ASA was not encrypting outbound data. Note also that #pkts decrypt stayed at 0 and #recv errors equalled #pkts decaps, so inbound packets were being counted but not successfully decrypted either. The counters below, from show crypto ipsec sa, show the symptom:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 74, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 74

We did thorough troubleshooting and verified the following at both firewalls:

  • Both firewalls have an appropriate route for the interesting traffic / proxy IDs
  • The crypto ACL and the proxy ID policies match
  • The NAT configuration is correct, as source NAT was in use at both ends (on the ASA the crypto ACL must reference the translated addresses, because NAT is applied before the packet is matched against the crypto map)
  • Debugs were collected at both ends
  • Both vendors were involved to see what the issue was

After thorough troubleshooting it was discovered that the ASA was hitting bug CSCuo58411.

This bug creates duplicate entries in the Tunnel Manager, which can be seen in the following debug output:

IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:49 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.0.100.2, sport=45638, daddr=192.168.120.100, dport=45638
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:50 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

The workaround that fixed the issue for us was to upgrade the ASA from 9.1(5) to 9.5(3)6. The other recommended workaround is to issue debug menu ike-common 10 to remove the stale IKEv2 entries from the Tunnel Manager. Note that this is an undocumented command and that it deletes all current IKEv2 connections, so run it in a maintenance window.
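To make the symptom above easier to spot in a long show crypto ipsec sa listing, here is a small triage script. It is an added example written for this post, not Cisco tooling: it parses the counter lines, classifies the SA as bidirectional, one-way or idle, and counts the Tunnel Manager duplicate-entry message in pasted debug output. The sample input is constructed from the lines quoted above.

```python
"""Triage helper for the "decaps but no encaps" symptom on a Cisco ASA.

Added example for this post; it is not Cisco tooling. It parses the counter
lines of `show crypto ipsec sa` and, optionally, IKE debug lines, then reports
whether the SA is one-way and whether the Tunnel Manager duplicate-entry
message discussed above is present.
"""
import re

# Constructed sample input: the counters quoted in the post.
SAMPLE_SA = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 74, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #send errors: 0, #recv errors: 74
"""

# Constructed sample debug output (the lines quoted in the post).
SAMPLE_DEBUG = """\
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:49 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:50 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
"""

# "#pkts encaps: 0" -> ("pkts encaps", "0"); names may contain spaces and hyphens.
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z -]*?):\s*(\d+)")
DUP_MSG = "Duplicate entry already in Tunnel Manager"


def parse_counters(sa_text):
    """Return a dict of counter name -> integer from show crypto ipsec sa output."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(sa_text)}


def diagnose(counters, debug_text=""):
    """Classify the SA direction and collect findings worth acting on."""
    encaps = counters.get("pkts encaps", 0)
    decaps = counters.get("pkts decaps", 0)
    decrypt = counters.get("pkts decrypt", 0)
    recv_errors = counters.get("recv errors", 0)

    if encaps and decaps:
        direction = "bidirectional"
    elif encaps or decaps:
        direction = "one-way"
    else:
        direction = "idle"

    findings = []
    if decaps and not encaps:
        findings.append("peer sends traffic but local side never encapsulates: "
                        "check crypto ACL (post-NAT addresses), routing to the peer and IKE state")
    if decaps and not decrypt and recv_errors >= decaps:
        findings.append("inbound packets are decapsulated but not decrypted; "
                        "#recv errors tracks #pkts decaps")
    dup = sum(1 for line in debug_text.splitlines() if DUP_MSG in line)
    if dup:
        findings.append(f"{dup} x '{DUP_MSG}': stale IKEv2 Tunnel Manager entries "
                        "(the CSCuo58411 signature); clear them or upgrade")
    return direction, findings


def triage(sa_text, debug_text=""):
    """One-call wrapper: parse, diagnose and return a report dict."""
    counters = parse_counters(sa_text)
    direction, findings = diagnose(counters, debug_text)
    return {"direction": direction, "counters": counters, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_SA, SAMPLE_DEBUG)
    print("SA direction:", report["direction"])
    for finding in report["findings"]:
        print(" -", finding)
```

Paste the real show crypto ipsec sa output in place of SAMPLE_SA; the per-SA block for each peer can be fed separately so that a healthy tunnel does not mask a broken one.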

March 20, 2017  1:17 PM

How to re-image the Cisco Identity Services Engine (ISE) 2.2 on a Cisco SNS appliance from Cisco Integrated Management Controller?

Yasir Irfan
Analytics, application, Cisco, Cisco security, DHCP, end point, End-user, Java, KVM, NAC, Security, Spoofing, threats, vulnerabilities

When re-imaging Cisco Identity Services Engine (ISE) 2.2 on a Cisco SNS appliance, one can use the KVM console that comes with the Cisco Integrated Management Controller (CIMC). Re-imaging a Cisco SNS-3415-K9 appliance this way can be a real challenge because of Java, especially when the appliance is running CIMC firmware version 2.0(1b).

[Image: cimc-firmware]

[Image: ise-error-1]

[Image: ise-error-2]

The KVM console fails to open with most Java versions; in our case only Java 7 Update 21 worked. That release is long out of support, so keep it on a dedicated, isolated management workstation used only for CIMC access rather than on a day-to-day browsing machine.

In this post we will see how to use the KVM console to re-image ISE 2.2 on a Cisco SNS appliance.

Step 1: Download the Cisco ISE 2.2 ISO image from the Cisco website; a valid CCO login with a support contract is required.

Step 2: Connect to CIMC and log in with the CIMC credentials.

Step 3: Launch the KVM console.

[Image: launch-kvm-console]

Step 4: Select Virtual Media and activate the virtual device.

[Image: mapping-virtual-drive]

Step 5: Select Virtual Media > Map CD/DVD, select the ISE 2.2 ISO image and click Map Device.

[Image: map-ise-image] [Image: map-ise-image-1]

Step 6: Select Macros > Static Macros > Ctrl-Alt-Del to reboot the appliance so that it boots from the mapped ISE 2.2 ISO.

[Image: step-6]

Step 7: Select Macros > Static Macros > Alt-F's > Alt-F6 to enter the boot menu.

[Image: step-6]

Step 8: At the boot prompt, press 1 and Enter in the KVM console to install ISE 2.2.

[Image: step-8]

Step 9: Once all the required files are copied, type setup to configure the ISE appliance (hostname, IP addressing, DNS, NTP, time zone and the administrator credentials).

[Image: setup-command]

By following the above steps one can re-image Cisco Identity Services Engine (ISE) 2.2 on a Cisco SNS appliance.


March 9, 2017  7:36 AM

What’s new in Cisco Identity Services Engine (ISE) 2.2? – Series 3

Yasir Irfan
Analytics, application, Cisco, Cisco security, DHCP, end point, End-user, NAC, Security, Spoofing, threats, vulnerabilities

Cisco Identity Services Engine (ISE) 2.2 offers many new features. In this post we continue with the features that focus on stopping and containing threats; they reduce risk by dynamically controlling network access.

  • Multiple TrustSec Matrices

ISE 2.2 offers the flexibility to create different policy sets for different locations and scenarios. The Multiple TrustSec Matrices feature supports up to five different matrices and can assign different matrices to different network devices.

The feature addresses two use cases specifically:

  1. In the ISE DEFCON use case, administrators create predefined policies for different threat climates and switch between them when the nature or level of network threats changes. During a major attack, admins can immediately switch to a policy that significantly restricts access.

  2. The Separate Administrative Domains use case lets administrators create and implement policies specific to geographical locations, roles and responsibilities within their organisation. Different admins control their own policy sets, which gives greater flexibility.

[Image: figure-1-1-defcon-use-case]

Source : Cisco Systems

The Multiple TrustSec Matrices enhancements let an ISE administrator apply a predefined policy set based on threat level or business location. This helps to:

  • Shorten the response time to threats.
  • Increase efficiency, as policy changes can be applied to different operational zones from central management.
  • Offer segmentation flexibility.

  • Threat-Centric NAC Enhancements

ISE 2.2 has expanded its support for third-party vulnerability and threat data sources on an open platform. It can now take threat intelligence from Tenable, Rapid7 and Cisco Cognitive Threat Analytics (CTA). These capabilities further enhance posture assessment, as there is access to a much broader range of threat-incident intelligence.

[Image: figure-1-2-threat-intelligence]

Source : Cisco Systems

This enhancement is especially handy as the number of devices connected to networks grows daily and their exposure to threats grows with it. It reduces remediation time for previously undetected threats and vulnerabilities, since ISE 2.2 consumes multiple vulnerability data sources, and an automated Change of Authorization (CoA) can be applied based on the vulnerability intelligence.

  • Anomalous Behaviour Detection

ISE 2.2 can now detect device behaviour consistent with MAC address spoofing. Detections are based on:

  • Any change to the DHCP class identifier
  • A change in access method (for example wired to wireless)
  • A significant operating system change
  • A significant profile change

This enhancement helps with quick threat remediation by dynamically updating the policy to prevent or change access.
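To show how those four signals combine into a spoofing verdict, here is an illustrative detector. It is an added example and not ISE code: the record fields, the per-signal weights and the threshold are assumptions made for the illustration, and the sample sightings are constructed (a printer's MAC reappearing on wireless as a Windows workstation, next to a workstation that merely upgrades Windows).

```python
"""Illustrative MAC-spoofing heuristic built on the four signals ISE 2.2 uses
for anomalous behaviour detection. Added example, not ISE code; the record
fields, the weights and the threshold are assumptions for the illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    """One profiling snapshot of an endpoint, keyed by its MAC address."""
    mac: str
    dhcp_class: str   # DHCP option 60 vendor class identifier ("" if none seen)
    access: str       # "wired" or "wireless"
    os: str           # profiled operating system, e.g. "Windows 10"
    profile: str      # endpoint profile, e.g. "Printer", "Workstation"


# Weight per signal (assumed): OS and profile changes are stronger evidence.
WEIGHTS = {"dhcp_class": 1, "access": 1, "os": 2, "profile": 2}


def os_family(name):
    """First word of the OS string, so 'Windows 10' -> 'Windows 11' is not a change."""
    return name.split()[0].lower() if name else ""


def changed_signals(prev, cur):
    """Return the signals that differ between two sightings of the same MAC."""
    hits = []
    if prev.dhcp_class != cur.dhcp_class:
        hits.append("dhcp_class")
    if prev.access != cur.access:
        hits.append("access")
    if os_family(prev.os) != os_family(cur.os):
        hits.append("os")
    if prev.profile != cur.profile:
        hits.append("profile")
    return hits


class SpoofDetector:
    """Keeps the last sighting per MAC and scores each new one against it."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.last = {}

    def observe(self, sighting):
        """Return (score, changed_signals); score >= threshold means anomalous."""
        prev = self.last.get(sighting.mac)
        self.last[sighting.mac] = sighting
        if prev is None:
            return 0, []          # first sighting: nothing to compare against
        hits = changed_signals(prev, sighting)
        return sum(WEIGHTS[h] for h in hits), hits

    def is_anomalous(self, sighting):
        score, _ = self.observe(sighting)
        return score >= self.threshold


# Constructed sample stream (not real profiling data).
SAMPLE_STREAM = [
    Sighting("00:11:22:33:44:55", "Xerox", "wired", "", "Printer"),
    Sighting("aa:bb:cc:dd:ee:01", "MSFT 5.0", "wired", "Windows 10", "Workstation"),
    Sighting("00:11:22:33:44:55", "MSFT 5.0", "wireless", "Windows 10", "Workstation"),
    Sighting("aa:bb:cc:dd:ee:01", "MSFT 5.0", "wired", "Windows 11", "Workstation"),
]


def flagged_macs(stream, threshold=3):
    """Run the detector over a stream and return the MACs that crossed the threshold."""
    det = SpoofDetector(threshold)
    return [s.mac for s in stream if det.is_anomalous(s)]


if __name__ == "__main__":
    print("anomalous:", flagged_macs(SAMPLE_STREAM))
```

The OS comparison deliberately ignores version changes within a family, which is the kind of tuning needed to keep routine upgrades from triggering a CoA.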

Cisco Identity Services Engine (ISE) 2.2 will certainly add value to networks, as it focuses more on controlling threats automatically, and it is worth investing in, especially for securing endpoints at the point of entry.


March 4, 2017  7:07 PM

What’s new in Cisco Identity Services Engine (ISE) 2.2? – Series 2

Yasir Irfan
802.1x, anti--spyware, Anti-virus, application, Applications, BYOD, Cisco, Cisco security, end point, End-user, P2P, Patch management, Program, Security, visibility, Wireless

Cisco Identity Services Engine (ISE) 2.2 comes with many new features. In our previous post we discussed:

  • Enhanced Visibility
  • Next-level Posture Capabilities

The enhancements do not stop there; ISE 2.2 has much more to offer. The ones we highlight in this post are:

  • Easy ISE Setup for Wireless

ISE 2.2 eases setup for wireless networks. In the past, ISE setup for wireless took a great deal of time, as one had to configure ISE, the WLC and the portal builder, and often multiple team members were involved to complete the necessary tasks.

ISE 2.2 comes with a built-in wizard that captures all the data required for a wireless deployment, which reduces human error.

Cisco claims that with ISE 2.2 one can deploy ISE for wireless in as little as 10 minutes. This is a great enhancement; the wizard covers three use cases:

  1. 802.1X for wireless
  2. Guest services for wireless
  3. BYOD services for wireless

[Image: figure-1-1-cisco-ise-wireless-deployment]

Source: Cisco Systems

This enhancement makes ISE setup faster, and the guided process minimises human error, which certainly makes life easier for an ISE administrator.

  • Improved Posture Visibility

With improved posture visibility, ISE 2.2 delivers enhanced application, user and device inventories. The ISE 2.2 application libraries have been expanded with a wider array of applications, such as P2P apps, patch management apps, anti-spyware, anti-virus and anti-malware programs, and much more. This gives an administrator greater visibility and more granular control over those applications: they can not only see potential problems but also kill or uninstall suspicious or malicious applications on end-user endpoints.

[Image: figure-1-2-ise-posture-vibility]

Source: Cisco Systems

The improved posture visibility offers extensive visibility, greater control and continuous monitoring to an ISE administrator.


March 3, 2017  9:30 PM

What is an error “Subtype:Encrypt Result:Drop” in Cisco ASA Firewalls?

Yasir Irfan
ACL, ASA, Cisco, Cisco ASA, DROP, firewall, Packet Tracer, Routers, Security, VPN, VPN Tunnel

After building a site-to-site VPN tunnel between a Cisco ASA and another firewall or router, the tunnel is often tested with the packet-tracer command on the ASA.

While running packet-tracer one may see the error "Subtype: encrypt Result: DROP", as shown below:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The tunnel never comes up, and one might wonder what this error means.

The error was reported while we were initiating traffic from source IP 192.168.1.1 to destination IP 172.16.1.1 on port 80. 192.168.1.1 is the local host; it is translated to 172.17.1.1 by a static source NAT so that the real address is never disclosed to the remote end. Note the phase order in the trace below: the NAT phases (3, 6 and 7) run before the VPN encrypt phase (10), so the crypto map sees the translated source 172.17.1.1, not 192.168.1.1.

ITKE-FW01# packet-tracer input INSIDE tcp 192.168.1.1 80 172.16.1.1 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static obj-192.168.1.1 obj-172.17.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 172.16.1.1/80 to 172.16.1.1/80

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.1 using egress ifc  INSIDE

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit ip any any
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static obj-192.168.1.1 obj-172.17.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
Additional Information:
Static translate 192.168.1.1/80 to 172.17.1.1/80

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ITKE-FW01#

This error is reported when the interesting-traffic ACL (the crypto ACL that defines the proxy IDs) does not match between the VPN endpoints. The ACL must be mirrored at both ends, meaning the remote side permits the same pairs with source and destination swapped, and on the ASA it must reference the post-NAT addresses (here 172.17.1.1, not 192.168.1.1). Once the ACL matches at both ends, the packet-tracer output changes and the traffic is no longer dropped, as shown below.

ITKE-FW01# packet-tracer input INSIDE tcp 192.168.1.1 80 172.16.1.1 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static obj-192.168.1.1 obj-172.17.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 172.16.1.1/80 to 172.16.1.1/80

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.1 using egress ifc  INSIDE

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit ip any any
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static obj-192.168.1.1 obj-172.17.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
Additional Information:
Static translate 192.168.1.1/80 to 172.17.1.1/80

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static obj-192.168.1.1 obj-172.17.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
Additional Information:

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4466556, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

ITKE-FW01#

The key thing to check when "Subtype: encrypt Result: DROP" is reported is that the interesting-traffic ACL matches at both VPN endpoints. Mirroring the ACL at both ends fixed the issue for us.
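Mirroring is easy to get wrong by hand, so here is a checker that compares an ASA crypto ACL against the peer's proxy IDs and also flags the NAT trap from this post. It is an added example, not vendor code: it handles plain host, network/mask and any entries (object-based entries are rejected rather than guessed), and the ACL name, peer proxy IDs and NAT mapping below are constructed from the trace above.

```python
"""Mirror check for IPsec proxy identities between a Cisco ASA crypto ACL and
a peer's proxy IDs (for example the Palo Alto Networks side). Added example,
not vendor code. The NAT hint reflects ASA behaviour: the crypto ACL is matched
after NAT, so it must use the translated addresses."""
import ipaddress


def _address(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t.startswith("object"):
        raise ValueError(f"object-based entry not supported: {' '.join(tokens)}")
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa_crypto_acl(config_text, acl_name):
    """Return the set of (local_net, remote_net) pairs permitted by acl_name."""
    pairs = set()
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", acl_name]:
            continue
        if tokens[2] == "extended":
            tokens = tokens[:2] + tokens[3:]
        if tokens[2] != "permit":
            continue            # remarks and deny entries are not proxy IDs
        if tokens[3] != "ip":
            raise ValueError(f"crypto ACLs should be 'permit ip': {line.strip()}")
        src, i = _address(tokens, 4)
        dst, _ = _address(tokens, i)
        pairs.add((src, dst))
    return pairs


def peer_pairs(proxy_ids):
    """Peer-side proxy IDs given as (peer_local, peer_remote) CIDR strings."""
    return {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in proxy_ids}


def _fmt(pairs):
    return sorted(f"{s} -> {d}" for s, d in pairs)


def mirror_check(local_pairs, remote_pairs):
    """Entries that lack an exact mirror image (src/dst swapped) on the other side."""
    expected_remote = {(d, s) for s, d in local_pairs}
    expected_local = {(d, s) for s, d in remote_pairs}
    return {
        "missing_on_peer": _fmt(expected_remote - remote_pairs),
        "missing_locally": _fmt(expected_local - local_pairs),
    }


def nat_hints(local_pairs, static_nat):
    """Flag crypto ACL sources that are pre-NAT addresses (static_nat: real -> mapped)."""
    real = {ipaddress.ip_network(k): v for k, v in static_nat.items()}
    return sorted(f"{s} is a real address; crypto ACL must use {real[s]}"
                  for s, _ in local_pairs if s in real)


def check(asa_config, acl_name, proxy_ids, static_nat=None):
    """Full check: mirror comparison plus NAT hints for one ASA crypto ACL."""
    local = parse_asa_crypto_acl(asa_config, acl_name)
    report = mirror_check(local, peer_pairs(proxy_ids))
    report["nat_hints"] = nat_hints(local, static_nat or {})
    return report


# Constructed samples modelled on the packet-tracer output above (ACL name assumed).
PEER_PROXY_IDS = [("172.16.1.1/32", "172.17.1.1/32")]    # peer's local, peer's remote
STATIC_NAT = {"192.168.1.1/32": "172.17.1.1/32"}          # from the nat statement
BAD_ACL = "access-list OUTSIDE_cryptomap extended permit ip host 192.168.1.1 host 172.16.1.1\n"
GOOD_ACL = "access-list OUTSIDE_cryptomap extended permit ip host 172.17.1.1 host 172.16.1.1\n"

if __name__ == "__main__":
    print("pre-NAT ACL:", check(BAD_ACL, "OUTSIDE_cryptomap", PEER_PROXY_IDS, STATIC_NAT))
    print("mirrored ACL:", check(GOOD_ACL, "OUTSIDE_cryptomap", PEER_PROXY_IDS, STATIC_NAT))
```

Feed it the output of show running-config access-list on the ASA and the proxy IDs from the peer's IPsec tunnel configuration; an empty report means the two sides will negotiate the same traffic selectors.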


February 17, 2017  12:10 PM

What’s new in Cisco Identity Services Engine (ISE) 2.2? – Series 1

Yasir Irfan
application, Cisco, Cisco security, end point, End-user, Security

The recent launch of Cisco Identity Services Engine (ISE) 2.2 brings more visibility and many new features. Some of the enhancements one can see with ISE 2.2 are:

[Image: ise-2-2]

Enhanced Visibility

The enhanced visibility offered by ISE 2.2 helps an administrator know more about who is on the network. With ISE 2.2, administrators gain deeper visibility through additional user and guest data such as:

  • User ID
  • Location
  • Type of endpoint
  • Which applications they are running

Administrators can also:

  • Apply bulk actions using device filtering.
  • Check port configuration for network access devices (NADs).
  • View detailed port connection and configuration information in Network Device Download Reports.

This feature enables ISE administrators to make better policy decisions and enhance their organisation's security.

Next-level Posture Capabilities

Posture enforcement has always been a challenging task for ISE administrators: creating the workflows is a labor-intensive and error-prone process, and mistakes can end in network interruptions.

ISE 2.2 offers major improvements in client provisioning for ISE administrators:

  • More options are available for client provisioning workflows.
  • AnyConnect can be deployed via an external portal.
  • ISE 2.2 supports more third-party network access devices (NADs).
  • AnyConnect can be installed in stealth mode, in which the client is installed on the endpoint in the background without interrupting the user's activities.

The enhanced posture capabilities:

  • Improve the end-user experience.
  • Offer more flexibility for deployments.

The ISE 2.2 enhancements do not stop here; they will be continued in the next blog post.


February 13, 2017  6:28 PM

What is Cisco Champion program?

Yasir Irfan
Blogging, Cisco, Cisco Systems, Collaboration, data-centre, Internet of Things, iot, Networks, news, radio, Security

After being selected as a Cisco Champion for 2017, I was often asked what a Cisco Champion is, what the Cisco Champion Program offers and what benefits one gains by becoming a Cisco Champion.

[Image: ciscochampion2017-250]

The Cisco Champion Program was started by Cisco Systems to create and nurture a group of highly influential IT technical experts (Cisco geeks) who enjoy sharing their knowledge, expertise, ideas and thoughts in innovative ways across the social web, whether through blogs, by supporting the online community and answering its questions, or together with Cisco.

The Cisco Champion Program is open to anyone 18 years of age or older who:

  • Is active on social media
  • Expresses a balanced view of Cisco
  • Has Cisco-related expertise
  • Has overall expertise in the IT industry
  • Chooses to actively participate in conversations relevant to Cisco and the IT industry

One can nominate oneself for the Cisco Champion Program at the end of the calendar year, or be nominated by peers. Nominations generally open after October and cover a wide variety of topics. The main interest areas are:

  • Cisco Champions for Data Center
  • Cisco Champions for Collaboration
  • Cisco Champions for Enterprise Networks
  • Cisco Champions for the Internet of Things
  • Cisco Champions for Security

Cisco Champions are regarded as experts in Cisco products and technologies by their peers and actively share their knowledge, expertise and thoughts in technical forums, communities, user groups, social media, speaking engagements and across the social web with Cisco.

Some of the exclusive Cisco Champion benefits are:

  • Networking with other Cisco Champions: by joining the exclusive Cisco Champion-only community one can interact with like-minded technology enthusiasts from all over the globe
  • Communicating to share: Cisco Champions get the opportunity to attend and participate in a weekly live podcast, as well as two blogging slots per year through the Cisco Champion Blogger Program
  • Access to the latest Cisco news: Cisco Champions receive invitations to pre-launch briefings and learn the latest Cisco news before the rest of the world

It is an honour to be a Cisco Champion, as Cisco recognises and supports individuals who contribute to the community in various forms. Anyone can start sharing the knowledge they have gained over the years and become part of the Cisco Champions Program for 2018.


February 10, 2017  8:12 PM

Cisco launches “Umbrella” Secure Internet Gateway

Yasir Irfan
Box, Cisco, cloud, DNS, GATEWAY, Internet, IP, IPS, malware, Network, Office 365, OpenDNS, Proxy, SaaS, Security, URL, Web

Cisco has launched what it calls the industry's first secure internet gateway (SIG) delivered from the cloud, intended to address the security requirements of today's mobile, cloud-connected enterprise. Umbrella is Cisco's Secure Internet Gateway product.

In the past, organisations kept services such as email, software, ERP and HR solutions mostly inside their own network perimeter; with the advent of cloud that has changed. Organisations are adopting software-as-a-service products such as WebEx, Office 365, Salesforce, Box and Google Docs to improve productivity while reducing OPEX. Most branch offices now connect directly to the Internet instead of backhauling their traffic to the corporate network. All of these new adoptions raise security concerns, since users can work without ever connecting to the VPN, and it is predicted that SaaS app usage will grow 70% by 2019.

These concerns are driving new security technologies and approaches, which are becoming more cloud-centric.

[Image: secure-internet-gateway]

With the launch of Umbrella, Cisco wants to address the problem of security for cloud-connected users: the service aims to provide safe and secure access from anywhere, even when users are off the VPN.

After acquiring OpenDNS in 2015, Cisco combined it with its own security portfolio to create Cisco Umbrella, which it describes as the industry's first Secure Internet Gateway. Cisco built the solution on OpenDNS Umbrella as the foundation and integrated capabilities from the Cisco Web Security proxy and AMP file reputation into the new platform. Threat Grid sandboxing is planned to be added in future.

[Image: cisco-umbrella-making]

Courtesy: Cisco Systems

Cisco says the cloud-delivered Secure Internet Gateway provides safe and secure access and acts as the first line of defense and inspection. It can prevent current and emerging threats and block access to malicious domains, URLs, IPs and files before a connection is established or a file is downloaded.


February 8, 2017  7:19 AM

Palo Alto Networks launches PAN-OS 8.0

Yasir Irfan
AWS, Azure, cloud, Cyberattacks, Data Center, Firewalls, GATEWAY, Internet, KVM, NSX, OpenStack, Palo Alto Networks, Phishing, Private Cloud, Public Cloud, SaaS, Sandbox, VM, VMware, Wildfire

On February 7, 2017 Palo Alto Networks launched PAN-OS 8.0 with more than 70 new enhancements and capabilities aimed at preventing successful cyberattacks.

[Image: figure-1-1-pan-os-8-0]

Courtesy : Palo Alto Networks

As multi-cloud architectures gain market share, that growth is often a source of security concern. Public cloud, private cloud and software-defined data centres all pose the same challenge; only the complexity varies. With this in view, Palo Alto Networks has optimised its virtualized next-generation firewalls with new VM-Series models. PAN-OS 8.0 expands the VM-Series with new models and optimized performance, which Palo Alto Networks describes as the broadest, most powerful line of virtualized firewall appliances on the market. New scalability and resiliency features for Microsoft Azure and Amazon Web Services let organizations build secure cloud-centric architectures, and workflow automation features for VMware NSX and KVM with OpenStack help streamline VM-Series deployments.

PAN-OS 8.0 includes numerous enhancements that give organizations significant new capabilities to prevent successful cyberattacks and secure high-performance network, endpoint and cloud environments.

PAN-OS 8.0:

  • Enhances visibility, control and scale in all major clouds, such as AWS, Azure and SaaS.
  • Stops sandbox-evasive malware and automates the detection of command and control.
  • Greatly increases Panorama network security management performance, enriches context with Traps advanced endpoint protection logs, and automates actions and integration with service ticketing tools such as ServiceNow.
  • Prevents automated credential theft and abuse, built into PAN-OS 8.0.
  • Delivers new high-performance hardware (PA-5200 Series, PA-800 Series and PA-220) to address encrypted traffic, data center consolidation and increased internet gateway demands.

One feature that caught our attention and is worth mentioning is the WildFire Phishing Verdict. It classifies phishing links detected in emails separately from other emailed links found to be exploits or malware, and the firewall logs WildFire submissions that are phishing links to indicate that such a link was detected in an email. With both a WildFire license and a PAN-DB license, access to phishing sites can be blocked within 5 minutes of initial discovery. Note, however, that WF-500 appliances do not support the new phishing verdict.

Since this is a new release it may need some time to mature; it is always recommended to check with Palo Alto Networks TAC for the most stable release before upgrading Palo Alto Networks next-generation firewalls.


February 7, 2017  9:13 AM

Apple iOS 10.2.1 and Palo Alto Global Protect issues

Yasir Irfan
"Apple Store", Apple, GATEWAY, IOS, Palo Alto Networks

The recent Apple iOS 10.2.1 update has broken the Palo Alto Networks GlobalProtect app for iOS devices: the app hangs and never opens. The only way to open it is to uninstall and reinstall it. After reinstallation it opens once and allows entering the portal address and login credentials, but as soon as those are entered the same problem recurs and the app again fails to open.

This applies only when the Apple device has been upgraded to iOS 10.2.1 and the GlobalProtect portal is using a self-signed certificate.

The only way to overcome the issue is to use a valid certificate issued by a trusted CA. Once that certificate is installed on the portal the issue is resolved; however, the GlobalProtect app must be deleted and reinstalled from the App Store, because the certificate is bound to the app and cannot be cleared from within it.

There is one more catch: wildcard certificates cannot be used with the GlobalProtect portal, and one will see the error "Gateway xxxxx.com: Server certificate verification failed". Always use a certificate specific to the portal that includes its hostname (DNS name) in the Subject Alternative Name (SAN) attribute and whose Common Name matches that hostname.
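A quick way to validate a portal certificate against those rules before rolling it out, as an added example that is not Palo Alto Networks code: the checks approximate the app's behaviour (exact hostname present as a DNS SAN, no wildcard, CN matching, not self-signed) using the dict layout Python's ssl.getpeercert() returns, so the same function can be pointed at a live portal. The portal hostname and the three sample certificates are constructed.

```python
"""Pre-flight check of a GlobalProtect portal certificate against the rules
above. Added example, not Palo Alto Networks code; it approximates the
client's checks using the dict layout returned by ssl.getpeercert()."""
import socket
import ssl


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension, lowercased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_portal_cert(cert, hostname):
    """Return the list of reasons the certificate is unsuitable (empty = OK)."""
    host = hostname.lower()
    problems = []
    names = san_dns_names(cert)
    if not names:
        problems.append("no DNS subjectAltName")
    if any(n.startswith("*") for n in names):
        problems.append("wildcard SAN (not accepted by the GlobalProtect app)")
    if host not in names:
        problems.append(f"{hostname} is not listed in the SAN")
    cn = common_name(cert)
    if cn is None or cn.lower() != host:
        problems.append("Common Name does not match the portal hostname")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed (issuer equals subject)")
    return problems


def fetch_cert(hostname, port=443):
    """Retrieve the portal's certificate with full chain validation.

    A handshake failure here (ssl.SSLCertVerificationError) already means the
    certificate is not issued by a CA the client trusts, the first thing to fix.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


PORTAL = "vpn.example.com"   # assumed portal hostname

# Constructed sample certificates in getpeercert() layout (not real certificates).
SELF_SIGNED_CERT = {
    "subject": ((("commonName", PORTAL),),),
    "issuer": ((("commonName", PORTAL),),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
GOOD_CERT = {
    "subject": ((("commonName", PORTAL),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", PORTAL),),
}

if __name__ == "__main__":
    samples = [("self-signed", SELF_SIGNED_CERT), ("wildcard", WILDCARD_CERT), ("good", GOOD_CERT)]
    for label, cert in samples:
        print(label + ":", check_portal_cert(cert, PORTAL) or "OK")
    # Against a live portal: check_portal_cert(fetch_cert(PORTAL), PORTAL)
```

Run it against the live portal after the new certificate is installed and before asking users to reinstall the app, since the reinstall is what binds the app to whatever certificate it sees first.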

[Image: figure-1-1-global-protect-server-certificate-veri]

It has also been observed that the recent iOS upgrade has impacted Microsoft ActiveSync; unconfirmed sources say Apple is aware of the issue and is expected to ship a fix in the next iOS update.

