Network technologies and trends

October 5, 2015  3:51 AM

Review for CCNA Security 210-260 Official Cert Guide

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CCNA, CCNA Security, Cisco, Cisco Press, Email security, IPS, ISE, malware, Network security, Security threats, Social engineering, tacacs, VPN, Web security

I would like to thank my old time professional friend from Cisco Press Jamie Shoup for providing me a copy of newly released Cisco Press title ” CCNA Security 210-260 Official Cert Guide” penned by Omar Santos & John Stuppi.

This title comes with 19 chapters, which shows that the contents covered are in quite dept. CCNA is always a great starting point for fresh network engineers, Cisco ensures that by completing CCNA, one does possess good understanding of basic concepts and terminologies, so is this title. This ensures that one understands the concepts like fundamentals of Network Security, Security Threats, AAA, VPN, IPS, Email Security, Web Security , Securing virtual environments, ISE, Layer 2 security, NGIPS etc.

CCNA Security

The authors have done a  great job, the content is really written in very engaging way , I simply couldn’t able resist reading for at least couple hours with out any break.

I really liked the way how chapter 2 is penned down which deals with concepts like Social Engineering, different types of attacks, Malware detection tools etc.

This title begins with a typical Cisco Press title ” Do I Know this Already? Quiz” which really good which gives you an idea on how good you are and what are things you may need to focus more.Also the chapter ends with “Review all the Key Topics” is very handy and revises what you read.

One thing certainly needs some more clarity, is the chapter that deals with AAA  and TACACS+ configurations, its not easy to find good resources on AAA or ACS , so if the examples were explained with a sample topology and configurations would have added more value.

The Premium edition of this title comes with Pearson IT Certification Practice Test, which is really great and one can certainly monitor his/her progress by taking those tests. I have one more recommendations to the publishers is to provide the test engine for  MAC operating Systems as well.

To conclude really well written title which not only helps CCNA Security aspirers to archive their goal but also a great reference guide for any Network Security Engineer.

October 3, 2015  7:27 AM

Palo Alto Networks firewalls Account Administration Roles -101 – Series 1

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Firewalls, LDAP, Palo Alto Networks, Radius, tacacs

Palo Alto Network Firewalls by default comes with a predefined admin account; further additional admin accounts can be added. Before jumping into types of roles Palo Alto Networks firewalls offers its better to get aware what different method Palo Alto Networks Firewall offers for Administrators authentication?

One can authenticate an Administrator account using:

  • Local Data Base
  • LDAP
  • Kerberos
  • Active Directory
  • User Certificates
  • TACACS+ *

* TACACS+ authentication option is available only after the 7.0 PAN-OS releases, prior to 7.0 PAN-OS one has to rely on RADIUS.

Adding TACACS+ option to new release of PAN-OS 7.0 is a great move from Palo Alto this shows how all other vendors are accepting TACACS+.

September 25, 2015  7:27 PM

CCNA Security version 3.0 is here

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CCIE, CCNA, CCNA Security, Cisco, Cisco Press, cloud, Security, Virtualization

Cisco announces changes in the current CCNA Security exam, with new announcement Cisco ensured to include many newer technologies, which are widely deployed in today;s Enterprise Networks. The great thing in the CCNA Security version 3 is the addition of Cloud Web Security, Cloud and Virtualization. This shows how these technologies are going to dominate in coming days.

With addition of Cisco FirePOWER and FireSIGHT services it was anticipated that Cisco would come out with the revision of CCNA Security. I hope soon Cisco will make major revamp to CCIE Security exams.

Cisco Press also released new title “CCNA Security 210-260 Official Cert Guide” authored by Omar Santos and John Stuppi. This title can be purchased from Cisco Press website either in hard cover format or electronic format.

Soon I will come out with the review for this title as I do have a copy of this title. The first impressions look great but a through reading is needed to come out with an appropriate review.

September 23, 2015  8:24 AM

How to start the Journey of CCDE?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CCIE, Cisco

After completing my CCIE R&S I was wondering what to do next? Thought of continuing the journey with one more CCIE, but was not convinced of having multiple CCIEs, yet thinking what should be my next move.

Started focusing on other vendors, technologies and certifications and was quite happy and satisfied with its progress, planning to continue the same. CCDE is one such track, which always grabbed my attention, as it’s completely vendor neutral certification and now I am thinking of starting my journey of CCDE and I already started my planning with the same powerful questions which I asked myself before starting my CCIE journey.

When some one wants to start a new journey he needs to  plan the path and the road of success, while doing so I discovered Cisco Learning Network has everything one can imagine to start the journey of CCDE. I would recommend those who are planning for CCDE written exam to have a look at CLN CCDE page, its quite impressive as one can measure where he/she stands in terms of understanding the concepts, what are his/her strong points? What are the key technologies or concepts he/she needs a more attention.

It’s a one pit stop for all CCDE aspirers as in the Streamlined CCDE Written Preparation resources one can not only see what books to be referred, but also there are links for Cisco Validated Designs, YouTube videos and Cisco live videos. The credit goes to the early CCDEs and program mangers like

Orhan Ergun  – CCIE & CCDE

Elaine Lopes – CCDE and CCAr Program Manager

Andre Laurent – CCIE & CCDE

Virgilio Spaziani – CCIE & CCDE

Their hard work and commitment to help aspiring CCDEs is really commendable.

One can find me on both Google CCDE study group and Cisco Learning Network CCDE Study group for any further collaboration on the preparations of CCDE. I wish all the CCDE aspirers all the best.

September 19, 2015  4:43 PM

Palo Alto Networks Firewall Configuration Management Auditing

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Auditing, Configuration management, firewall, router, Troubleshooting

Palo Alto Network Firewall offers configuration-auditing feature, using this feature one can compare any two configuration files and see the difference. Palo Alto firewalls after comparing any two configuration files, highlights the differences using color coding schemes. Following color codes are used to highlight the changes in comparison between any two configuration files.

Yellow: Indicates a change

As you can see from the below snap shot when the Palo Alto Networks Firewall was started it didn’t had any IP address assigned to interface Ethernet 1/1

After adding an IP address the audit result shows the addition in Yellow color

Screen Shot 2015-09-19 at 7.40.04 PM

Green: Indicates an addition

The below snapshot shows an that Ethernet 1/1 was added to virtual router and this reflected by green color.

Screen Shot 2015-09-19 at 7.26.38 PM

Red: indicates a deletion

The below snapshot clearly shows that virtual router was deleted and its been highlighted in red color.

Screen Shot 2015-09-19 at 7.30.09 PM

This innovative and graphical way of doing comparison between different versions of configuration proves to be a very handy tool for troubleshooting. These kinds of tiny little features makes Palo Alto Networks Firewall really of the next generation. Palo Alto came out with some unique features which differentiates them from rest of the player.

September 17, 2015  9:46 AM

Three golden rules for designing a Networks

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Hardware, LINKS, Network design, Routing protocols

When it comes to either designing a network  or upgrading an existing network with new design most of us think from technical prospective like what kind of hardware we need, what routing protocols we need to use , what type of links needed etc. This comes true for those who are deeply involved in technical tasks. Rather we need to focus more on the characteristics of the network, what is the motive or goals of the network design we are preparing for and how the network transports the traffic to its destination such that it serves the business needs.

The network which we are designing should be capable of the following characteristics

  • Reliable and resilient
  • Manageable
  • Scalable

These are the three golden rules which one can consider while designing a network.

September 17, 2015  5:06 AM

How to ace Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Palo Alto Networks

It’s a known fact that there are very limited resources one can avail for the preparations of the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam.  One has to rely completely on Palo Alto resources, as in the market you are not going to find any Palo Alto press books (there is no Palo Alto Press either) or any third party books or study material.

Things becomes quite challenging for those who are not either Palo Alto customers or Partners, as they cannot register to Palo Alto Networks Education site to avail some of the free training or attempt the Palo Alto ACE exam.  I think Palo Alto Networks should rethink on this policy.

Those who are aiming to be accomplish Palo Alto Networks Certified Network Security Engineer (PCNSE6) they can take either of two paths, one is to gain enough experience on Palo Alto Networks Security products or attend the official training offered by Palo Alto Networks training partners.

The most essential training one could require to pass the Palo Alto Networks Certified Network Security Engineer (PCNSE6) are

Essentials 1: Firewall Installation and Management (201)

Essentials 2: Extended Firewall Management (205)

I took both of these training and was benefited in enhancing my knowledge about Palo Alto Network Firewalls.  I really liked the way the course was conducted by Domagaj Tos, he presented the course in very easy format and his notes and drawings were quite useful to understand the concepts.

One could certainly think about the Palo Alto Virtual Trainings offered by Consigas, they are quite good and helpful to pass the Palo Alto Networks Certified Network Security Engineer (PCNSE6).

Apart from the official trainings one must certainly think of benefiting from additional important resources like

These resources are quite handy does contain most of the information required to pass the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam, but they are scattered.

September 16, 2015  9:18 AM

What is Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Configure, Design

Recently I took Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam and by the grace of Almighty I passed the exam. The Palo Alto Networks Certified Network Security Engineer (PCNSE6) happens to be one of toughest exam I took. It’s not an easy exam to pass especially because one should not only have a deep understanding Palo Alto technologies but also good hands on experience on Palo Alto Security products like Palo Alto Networks next generation firewalls and Panorama.


One should certainly possess in-depth knowledge to design, install, configure, maintain and troubleshoot the vast majority of implementations based on the Palo Alto Networks platform to pass the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam.

Palo Alto Networks delivers the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam through the third-party testing company Kryterion and it’s proctored by them as well. Since the exam is delivered online one can experience occasional slowness in accessing exam questions.

In coming post I will try to highlight on the approach I took for the preparations of the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam.

September 13, 2015  5:18 AM

Configuration Management – A holistic way to manage Palo Alto Firewall Configurations

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Configuration management, Firewalls, FTP, TFTP, XML

Palo Alto Network Firewalls are quite different and have powerful options compared to their competitors.  The flexibility and the ease they offer is quite impressive.

Managing the Configurations of the Palo Alto firewall is one such example which proves to be very handy. One can access complete set of configuration management actions by going to

Device>Setup>Operations pages as shown below

Palo Alto Config Mang

Palo Alto Firewall offers many options from the Configuration Management page.

  • One can revert back to the last saved configuration by using this option one can certainly avoid the use of FTP or TFTP servers to save these kinds of configuration backups.
  • One can save the named configuration snapshot, this can be used as a template for future deployments and can be loaded from load named configuration snapshot.

Named Config

Load named

  • One can export names configuration snapshot in XML format and same can be imported as well either in same firewall or any other Palo Alto firewall.

These are the few Configuration Management option which makes life easier of the Network Security Engineer especially when they have to deal with hundreds of firewall in their daily operation tasks.

September 12, 2015  10:38 AM

What is the difference between Candidate configuration & Running Configuration in Palo Alto Firewalls?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
CLI, configuration, Firewalls, Palo Alto Networks, router, virtual

Palo Alto Networks Firewalls comes with following config types

  • Candidate Configuration
  • Running Configuration

When ever some one creates a new policy or changes the configuration settings of an existing Security Policy or any other parameters like zone, Virtual router etc. in the Palo Alto firewall and click OK as shown below, the Candidate Configuration is either created or updated and this type of configuration is known as Candidate Configuration.

Screen Shot 2015-09-12 at 12.47.17 PM

However when Commit tab at the top right corner of Web UI of the Palo Alto Firewall is clicked the Candidate Configuration is applied to the running configuration of the Palo Alto firewall. And the applied configuration is called running configuration.

Screen Shot 2015-09-12 at 1.15.19 PM

Also by using “commit” cli command in the configuration mode on can apply candidate configuration to the running configuration.

admin@PA-500# commit

Palo Alto console configuration

Candidate Configuration never becomes active unless it’s saved to the Running Configuration so it’s always recommended to click commit whenever someone creates or modify the configuration in the Pal0 Alto Networks Firewall

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: