Palo Alto firewalls come with a built-in out-of-band management interface, labeled MGT, and ship with a serial console cable.
One can access the Palo Alto firewall by connecting a laptop with an IP address in the 192.168.1.0/24 subnet to the management interface and browsing to https://192.168.1.1. The default username is admin and the default password is admin as well.
One can change the management IP address by selecting Device > Setup > Management and clicking the gear icon on the Management Interface Settings panel.
The other way to access the Palo Alto firewall is through the console port, with serial settings of 9600-8-N-1.
One can also change the management IP address of the firewall with the following command:
admin@PA-500# set deviceconfig system ip-address 192.168.1.15 netmask 255.255.255.0 default-gateway 192.168.1.1 dns-setting servers primary 192.168.1.1
Palo Alto firewalls have a dedicated management interface that is used only for managing the firewall. Management can also be enabled on the interfaces that forward traffic, but the management interface itself cannot be used to forward normal traffic. By default, HTTP, Telnet and SNMP are disabled on the MGT interface of the firewall.
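The settings above (management address, netmask, gateway, and the plain-text services that stay disabled by default) are what a reviewer checks before a firewall leaves its factory state. The following script is an added example, not code from the original post or from Palo Alto Networks: it parses PAN-OS "set deviceconfig system ..." lines of the kind shown above and reports management-plane weaknesses. The sample configuration is constructed; the "service disable-http/disable-telnet/disable-snmp" and "permitted-ip" keys are assumed to match the PAN-OS set syntax of your version.

```python
"""Audit PAN-OS 'set'-format management settings for weak configuration.

Added example (not from the original post or Palo Alto Networks).
"""
import ipaddress
from typing import Dict, List

# Constructed sample in the same 'set deviceconfig system' syntax as the page.
SAMPLE_CONFIG = """
set deviceconfig system ip-address 192.168.1.15 netmask 255.255.255.0 default-gateway 192.168.1.1 dns-setting servers primary 192.168.1.1
set deviceconfig system service disable-telnet no
set deviceconfig system service disable-http no
set deviceconfig system service disable-snmp yes
"""

FACTORY_MGT_IP = "192.168.1.1"  # default management address named on the page
# Assumed PAN-OS keys for the services the page says are disabled by default on MGT.
PLAINTEXT_SERVICES = ("disable-http", "disable-telnet", "disable-snmp")
# Tokens that open a nested path rather than carrying a value (assumed set-syntax shape).
CONTAINERS = {"service", "dns-setting", "servers"}


def parse_set_lines(text: str) -> Dict[str, str]:
    """Flatten 'set deviceconfig system ...' lines into a key -> value map.

    Leaf tokens come in key/value pairs ('netmask 255.255.255.0'); container
    tokens build a nested path joined with '/', e.g. 'dns-setting/servers/primary'.
    """
    settings: Dict[str, str] = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:3] != ["set", "deviceconfig", "system"]:
            continue  # only the management-system subtree is audited here
        rest = tokens[3:]
        prefix: List[str] = []
        i = 0
        while i < len(rest):
            if rest[i] in CONTAINERS:
                prefix.append(rest[i])
                i += 1
                continue
            key = "/".join(prefix + [rest[i]])
            settings[key] = rest[i + 1] if i + 1 < len(rest) else ""
            i += 2
    return settings


def audit_management(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the management-plane settings."""
    findings: List[str] = []
    ip = settings.get("ip-address")
    if ip is None:
        findings.append("no management ip-address configured")
    elif ip == FACTORY_MGT_IP:
        findings.append("management IP still at factory default 192.168.1.1")
    else:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"management ip-address {ip!r} is not a valid address")
    netmask = settings.get("netmask")
    if netmask:
        try:
            ipaddress.IPv4Network(f"0.0.0.0/{netmask}")  # rejects non-contiguous masks
        except ValueError:
            findings.append(f"netmask {netmask!r} is not a valid mask")
    for svc in PLAINTEXT_SERVICES:
        # 'disable-x no' means the service has been turned on, undoing the secure default.
        if settings.get(f"service/{svc}") == "no":
            findings.append(f"{svc[len('disable-'):]} enabled on MGT")
    if "permitted-ip" not in settings:
        findings.append("no permitted-ip restriction on MGT")
    return findings


if __name__ == "__main__":
    for finding in audit_management(parse_set_lines(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run it against the output of "set cli config-output-format set" followed by "show" in configure mode, or against an exported set-format config; every finding maps to a setting the page describes (default address, plain-text services, management reachability).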
With the dominance of virtualized environments like VMware, KVM, Citrix SDX and Amazon AWS, securing East-West traffic has become a challenge. Like many other security vendors, Palo Alto offers various virtual platforms to protect the virtualized data center and its East-West traffic.
Palo Alto offers the following virtualized platforms, which can be installed on:
- VMware® ESXi™ and NSX™
- Citrix® NetScaler SDX™
- KVM/OpenStack (Centos/RHEL, Ubuntu®)
- Amazon Web Services (AWS)
The interesting point I see here is the support for VMware NSX™, which certainly makes the SDN platform more secure and flexible.
The Palo Alto VM-Series is no different from the physical firewalls in many aspects, such as next-generation firewall and advanced threat prevention features; however, the VM-Series does not support virtual systems.
The Palo Alto VM-Series supports automation features like VM monitoring, dynamic address groups and a REST-based API. These features allow you to proactively monitor VM changes and dynamically feed that context into security policies, thereby eliminating the policy lag that can occur when your VMs change.
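Dynamic address groups match on tags rather than fixed addresses, so an external VM monitor keeps policy current by registering and unregistering IP-to-tag mappings through the API. The block below is an added example, not code from the original post or from Palo Alto Networks: it computes the delta between the firewall's current tag state and the state reported by a VM monitor, then builds the User-ID XML "register"/"unregister" message for that delta. The uid-message element layout is assumed from the PAN-OS XML API; the IP addresses and tags are constructed, and actually sending the message (an HTTPS request to the firewall's API endpoint with an API key) is left to the caller.

```python
"""Plan and build PAN-OS User-ID tag updates for dynamic address groups.

Added example (not from the original post or Palo Alto Networks); the
<uid-message> layout is an assumption to verify against your PAN-OS release.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Tuple

# Constructed state: what the firewall currently has vs. what the VM monitor reports.
CURRENT_TAGS = {
    "10.1.1.10": ["web-tier", "prod"],
    "10.1.1.11": ["web-tier", "prod"],     # VM was retired, should lose its tags
}
DESIRED_TAGS = {
    "10.1.1.10": ["web-tier", "prod"],
    "10.1.1.12": ["web-tier", "prod"],     # new VM came up with the web-tier role
    "10.1.2.20": ["db-tier", "prod"],
}


def plan_updates(current: Dict[str, List[str]],
                 desired: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (to_register, to_unregister) so the firewall's tags match `desired`.

    Only the difference is sent, which is what keeps group membership in step
    with VM churn without a policy commit.
    """
    to_register: Dict[str, List[str]] = {}
    to_unregister: Dict[str, List[str]] = {}
    for ip, tags in desired.items():
        missing = set(tags) - set(current.get(ip, ()))
        if missing:
            to_register[ip] = sorted(missing)
    for ip, tags in current.items():
        stale = set(tags) - set(desired.get(ip, ()))
        if stale:
            to_unregister[ip] = sorted(stale)
    return to_register, to_unregister


def build_uid_message(register: Dict[str, Iterable[str]],
                      unregister: Dict[str, Iterable[str]]) -> str:
    """Serialize one User-ID update carrying both register and unregister entries."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mappings in (("register", register), ("unregister", unregister)):
        if not mappings:
            continue
        section = ET.SubElement(payload, action)
        for ip, tags in mappings.items():
            ipaddress.ip_address(ip)  # refuse hostnames or garbage before it reaches the firewall
            entry = ET.SubElement(section, "entry", ip=ip)
            tag_el = ET.SubElement(entry, "tag")
            for tag in tags:
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text: str, action: str) -> Dict[str, List[str]]:
    """Read back the entries of one action ('register' or 'unregister') for checking."""
    root = ET.fromstring(xml_text)
    result: Dict[str, List[str]] = {}
    for entry in root.iterfind(f"./payload/{action}/entry"):
        result[entry.get("ip")] = [m.text for m in entry.iterfind("./tag/member")]
    return result


if __name__ == "__main__":
    reg, unreg = plan_updates(CURRENT_TAGS, DESIRED_TAGS)
    print(build_uid_message(reg, unreg))
```

The same message shape serves a VM monitor that polls vCenter, an orchestration hook, or a manual script; the planner only ever emits the delta, so a group like "web-tier" follows VM lifecycle events without anyone editing the policy.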
Palo Alto takes a good approach in designing the architecture of its next-generation firewalls: it uses processors dedicated to security functions that work in parallel.
A Palo Alto firewall contains separate control and data planes. By separating them, Palo Alto ensures that each plane runs independently with its own dedicated processors, memory and hard drives. Some of the high-end firewalls come with 2 to 6 CPU cores dedicated to either the data plane or the control plane; see the product specifications for details.
The control plane is used for management of the firewall; it provides configuration, logging, reporting and route updates.
The data plane consists of three types of processor connected by high-speed 1 Gbps buses: the signature processor, the security processor and the network processor.
Signature Matching Processor: performs vulnerability and virus detection.
Security Processor: performs hardware acceleration and handles security tasks such as SSL decryption and IPsec decryption.
Network Processor: performs routing, NAT, QoS, route lookup, MAC lookup and network-layer communications.
When it comes to next-generation firewalls, it is quite common to see most of them process the various policies serially, which delays the processing of the firewall policy, URL filtering, IPS, AV and so on, or consumes the available hardware resources such as CPU and memory.
Palo Alto next-generation firewalls, however, take the approach of a Single Pass Parallel Processing (SP3) engine.
With the Single Pass Parallel Processing approach, Palo Alto firewalls are in a position to:
- Classify traffic with App-ID
- Map both users and groups
- Perform content scanning for threats, URLs, etc.
- Use one policy to process the various tasks
- Process in parallel
- Keep separate data and control planes
One of the advantages I see with this approach is that traffic can be scanned as it crosses the Palo Alto firewall with a minimum of buffering, which in turn allows advanced features like virus/malware scanning to be enabled without affecting firewall performance.
On 29 July 2015, Microsoft announced the public release of Windows 10. Within 24 hours of the release, it was reported that over 14 million copies of Windows 10 had been installed worldwide. It looks like people were eagerly waiting for this release.
“We’re humbled and grateful to see the response to Windows 10,” writes Microsoft’s Yusuf Mehdi on the Windows Blog. “We have seen unprecedented demand for Windows 10, with reviews and customer feedback overwhelmingly positive around the globe.”
Windows 10 is free for those using a genuine copy of Windows 7 or Windows 8; they can download their free copy of Windows 10 from the Microsoft Software Download site.
Those who are not using a genuine Windows 7/8 copy, however, have to buy it from the Microsoft Store.
I believe Windows 10 will make a good impact and exceed the expectations of its users. I am certainly going to download Windows 10 and test its offerings.
Palo Alto Networks offers a few certification tracks, which are quite interesting and challenging to pass. Their advanced certification, Palo Alto Networks Certified Network Security Engineer (PCNSE), is a very challenging exam to pass, especially for those who lack exposure to Palo Alto next-generation firewalls.
Palo Alto currently offers the following certification tracks:
- Accredited Configuration Engineer (ACE)
- Palo Alto Networks Certified Network Security Engineer (PCNSE)
- Certified Network Security Engineer (CNSE 5.1)
The Accredited Configuration Engineer (ACE) exam tests your knowledge of the core features and functions of Palo Alto Networks next-generation firewalls. The ACE exam is web-based and consists of 50 multiple-choice questions. The exam is not timed, and you can retake it as many times as necessary to earn a passing score.
A Palo Alto Networks Certified Network Security Engineer (PCNSE) is capable of designing, deploying, configuring, maintaining and troubleshooting the vast majority of Palo Alto Networks-based network security implementations. The same holds for the Certified Network Security Engineer (CNSE 5.1); however, CNSE focuses on PAN-OS version 5.1, whereas PCNSE tests you on PAN-OS versions 6 and 6.1.
Palo Alto Networks continues to build a strong presence in the security domain, especially in next-generation firewalls; Gartner rates them as a leader in its Magic Quadrant.
However, Palo Alto certifications are not as popular as Cisco, Juniper or VMware certifications, and I believe Palo Alto still needs a long time to make an impact on the certification domain. To make their certifications more popular, Palo Alto may need to follow the directions their competitors have taken: promote the certification tracks, provide virtual resources, and establish a dedicated education community with abundant learning resources. VMware, for example, provides great Hands-on Labs for the VMware community.
I hope soon Palo Alto Networks will come out with a better vision and strategy towards their certifications program.
Every year in July, Cisco releases its Midyear Security Report, which provides an overview of the major threats observed in the first half of the year (2015 in this case). The report is quite intensive in nature, addressing the current threats observed, which include exploit kits, Microsoft Office exploits, malware research, Java exploits and so on. There is also a section dedicated to future trends. The report is freely available for download.
Some of the key things that really drew my attention are as follows:
Exploits of Adobe Flash vulnerabilities are increasing.
The report's chart of the most commonly observed attacks (not reproduced here) is also worth a look.
The report is worth reading; I recommend downloading it.
Cisco conducts certain technical webinars only for the CCIE community, and they prove to be a great source of knowledge and information. I had the privilege of attending a couple of these technical webinars, and both were quite good.
The great thing about these technical webinars is that they address trending topics; the webinar on OpenStack gave a real overview of OpenStack, how it evolved, and the contributions of the major technology players to OpenStack development.
On August 12, 2015, Cisco is holding one more CCIE Community Technical Webinar, which will focus on Fog architecture. CCIEs should receive an email from Learning@Cisco about this event; if not, please update your CCO profile and opt in to updates from the CCIE community.
When we look at the blueprint of the Cisco Cloud Fundamentals (CLDFND) exam (210-451), it is quite clear that Cisco is following the NIST definition of cloud.
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” (Source NIST)
Before the adoption of cloud, if a consumer wanted to provision any computing capability, such as servers, network devices, storage or even software, they had to go through an approval process with a lot of human interaction and depend on many third-party vendors to deliver the required computing resources. This was often time-consuming and frequently delayed project deployments or the testing of certain features of new releases.
With the advent of cloud, things have evolved. One can now provision computing capabilities with the click of a mouse and very little human interaction, provided a good cloud solution is in place. This kind of provisioning is known as "on-demand self-service".
"On-demand self-service" is one of the common cloud characteristics, and from the Cisco Cloud Fundamentals (CLDFND) exam (210-451) perspective, it is better to know what it does and why we need it.