Network technologies and trends


January 21, 2016  5:08 AM

What is an error “Number of interfaces…not consistent” in ASA Firewall?

Yasir Irfan
ASA, Cisco ASA, Cisco Firewall, Cisco IOS, IOS, Standby

If you are planning a hitless upgrade of a failover pair of ASA 5500 X Series firewalls from the 8.4(6) train to the 9.2(4) train, you need to be a little cautious. Since a direct upgrade is not possible, you have to go through an interim release.

Most people try 9.1(2) as the interim release. When you upgrade the secondary firewall to 9.1(2), you will notice many log messages with the error “Number of interfaces…not consistent”. These messages are generated especially when you try to re-enable failover on the standby ASA firewall.

This version of IOS is affected by bug CSCug88962, which causes synchronisation between the ASAs to fail. Also, when you verify the MD5 hash of the image, it never matches the hash value listed on the Cisco website. This version does not allow a zero-downtime upgrade of Cisco ASA 5580 X Series firewalls; the only workaround for those who end up in this situation is to downgrade the ASA firewall to the previous version of IOS, which was working fine, and then plan the upgrade of the ASA 5500 X Series firewall via the interim version 8.4(7), which is not affected by this bug, and from there to 9.2(4).

January 20, 2016  5:29 AM

How to configure log forwarding in Palo Alto Networks Firewall? – Series 2

Yasir Irfan
Administrator, application, Default route, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, logging, Loopback, Palo Alto Networks, Security policy, Services, Static route, tunnel, URL, Users, VLAN

In this post we continue the configuration of log forwarding in Palo Alto Networks Firewall; in the previous post we saw how to add a Syslog Server Profile.

Step 4 – Provide any valid name for the Log Forwarding profile and select the Syslog Server configured in Step 2.

You can see that the Palo Alto Networks Firewall log forwarding profile has many options, and one has the flexibility to forward logs to any of the destinations available. A nice touch is that you can even email critical Threat or WildFire actions. In this post we will stick to configuring Syslog.

Log forwarding 4

Step 5 – Select the log fields you want to forward to your Syslog Server; it is always better to choose the Severity based on your organizational needs, as shown below.

Log forwarding 5

Your final log forwarding profile should look like this:

Log forwarding 6

Step 6 – Applying the log forwarding action

In Palo Alto Firewalls one can apply a Log Forwarding action to either a Security Policy Rule or a Zone; the two are independent of each other.

Log forwarding 7

By following the above-mentioned steps one can enable log forwarding in Palo Alto Networks Firewall.


January 20, 2016  5:21 AM

How to configure log forwarding in Palo Alto Networks Firewall? – Series 1

Yasir Irfan
Administrator, application, Default route, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, logging, Loopback, Palo Alto Networks, Security policy, Services, Static route, tunnel, URL, Users, VLAN

We all know the importance of having historical logs for reference or forensic analysis. I have personally benefited from historical records on various occasions, and it is good practice to forward all of your firewall's logs to a logging server. The logging server can be as simple as a Syslog server, Palo Alto Panorama, or a SIEM solution such as ArcSight or QRadar. We also know that firewalls cannot hold logs for a long time: once the log buffer is full, the firewall loses the old logs. However, I have noticed that, compared to their competitors, Palo Alto Networks Firewalls do possess a good amount of logging space.

In this post let's see how to configure Palo Alto Networks Firewalls to forward all the logs they generate to a logging server.

Step 1 – Add the Syslog Server

Device > Server Setting > Syslog > Add

Log forwarding 1

Step 2 – Configure the Syslog Server Profile

  1. Name: provide a valid name
  2. Click the Add button
  3. Provide a valid name for the Syslog Server
  4. Assign the IP address as shown below
  5. By default a Syslog server listens on UDP port 514; if you are using a custom port, you can modify it here

If you need to add multiple Syslog Servers, repeat steps 2 to 5 for each server.

Log forwarding 2

Step 3 – Create a Log Forwarding Profile

Objects > Log Forwarding > Add

In this step we create a log forwarding profile that can be applied to security rules to forward their logs.

Log forwarding 3
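The receiving end of the two log forwarding posts (the Syslog server on UDP 514 from Series 1, the severity selection from Step 5 of Series 2), as an added example that is not part of the original posts: a minimal syslog receiver that decodes the RFC 5424 PRI header, keeps only messages at or above a chosen severity, and counts malformed datagrams instead of crashing on them. The sample datagrams are constructed; the body format is whatever the firewall's profile emits and is not interpreted here.

```python
import socket
from datetime import datetime

# Syslog severity names in numeric order (RFC 5424); PRI = facility * 8 + severity.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]

def parse_pri(message):
    """Split '<PRI>rest' into (facility, severity, rest); raise ValueError if the header is malformed."""
    if not message.startswith("<") or ">" not in message[:5]:
        raise ValueError("missing <PRI> header")
    end = message.index(">")
    pri = int(message[1:end])
    if not 0 <= pri <= 191:                 # 23 facilities * 8 + 7 is the highest legal value
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8, message[end + 1:]

def wanted(severity, threshold="critical"):
    """True if the numeric severity is at least as urgent as the threshold (lower number = more urgent)."""
    return severity <= SEVERITIES.index(threshold)

def triage(messages, threshold="critical"):
    """Return (kept, dropped_count, malformed_count) for a batch of raw syslog lines."""
    kept, malformed = [], 0
    for m in messages:
        try:
            _facility, sev, body = parse_pri(m)
        except ValueError:
            malformed += 1                  # count it, but never let one bad datagram stop the receiver
            continue
        if wanted(sev, threshold):
            kept.append((SEVERITIES[sev], body))
    return kept, len(messages) - len(kept) - malformed, malformed

def serve(port=514, threshold="critical"):
    """Listen on the UDP port the firewall profile points at and print only messages above threshold."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))            # binding 514 needs root on most systems; use 5514 for testing
    while True:
        data, (addr, _) = sock.recvfrom(65535)
        kept, _, _ = triage([data.decode("utf-8", "replace")], threshold)
        for sev, body in kept:
            print(f"{datetime.now():%H:%M:%S} {addr} {sev}: {body}")

# Constructed sample datagrams (not real firewall output): only the <PRI> header is interpreted,
# the body is whatever the log forwarding profile emits. <10> = user.critical, <14> = user.informational.
SAMPLE = ["<10>Jan 20 05:29:00 pa-fw1 THREAT event (constructed)",
          "<14>Jan 20 05:29:01 pa-fw1 TRAFFIC session end (constructed)",
          "no pri header at all"]

if __name__ == "__main__":
    print(triage(SAMPLE))
```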

To be continued…….


January 19, 2016  4:46 AM

How to enable logging in Palo Alto Networks Firewall?

Yasir Irfan
Administrator, application, Default route, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, Security policy, Services, Static route, tunnel, URL, Users, VLAN

When it comes to live troubleshooting, or to confirming that certain traffic is blocked or allowed, one relies heavily on logs. Palo Alto Networks Firewalls provide very good logging options and fields, and they are quite easy to read and understand. By default, when someone creates a security policy, the Palo Alto Networks Firewall logs the details at the end of the session, so one does not need to enable logging for that. If he/she wants to log the session from the moment it starts, that has to be enabled explicitly.

Palo Alto logs 1

One can enable logging directly from the security policy he/she creates, as shown below.

Palo Alto logs 2


January 4, 2016  5:04 AM

How to restore Cisco ASA Firewall to factory default?

Yasir Irfan
ASDM, Cisco, Cisco Firewall, Console port, DHCP, IOS commands

Restoring a Cisco ASA Firewall to its default settings is quite easy; there are two ways to do this. In this post let's see how to do it using the Cisco IOS command

config factory-default

Step 1

Connect the console cable to the console port of the ASA Firewall and to the serial port of your laptop or desktop.

Step 2

Connect to the Cisco ASA Firewall using your favorite terminal client (I am using SecureCRT) with the following serial settings:

Baud rate: 9600
Data bits: 8
Parity: None
Stop bits: 1

ASA - Reset1

Step 3

After logging in to the Cisco ASA Firewall through the console port, enter enable mode.

ASA - Reset2

Step 4

Enter configuration mode, type the following Cisco IOS command and press Enter:

config factory-default

ASA - Reset4

You can see that the Cisco ASA Firewall is now configured with factory default settings. Reload the Cisco ASA Firewall with the IOS command

reload save-config noconfirm

By following the above steps one can reset the Cisco ASA Firewall to factory default settings. You are now free to access the firewall either through the console port or through ASDM at the default IP address 192.168.1.1, provided that you are connected to the Cisco ASA firewall on an Ethernet or management port. Which port this is depends on the model, so please check the data sheet of your firewall; in my case it is a Cisco 5540 Firewall, the IP address is assigned to the management interface and a DHCP pool is also configured.

ASA - Reset7

The moment I connect my laptop to the management port of the Cisco ASA Firewall, I get an IP address from the DHCP server of the ASA Firewall, as shown below.

ASA - Reset5

I can log in to the Cisco ASA Firewall using my browser and manage it by downloading ASDM, as shown below.

ASA - Reset6


December 31, 2015  5:20 AM

What is Palo Alto Security Policy –  Intrazone rule ?

Yasir Irfan
Business, DMZ, firewall, Palo Alto Networks, Security policy

When it comes to Palo Alto Networks Firewalls, they work on the concept of zones, not security levels. In that respect they are no different from other leading firewall vendors. While designing the network one must focus on the number of zones the business is looking for and what kind of scalability the business needs, as the number of security zones on Palo Alto Networks Firewalls is platform dependent and there is a limit.

Coming back to the security policy: it is always applied to a zone, not to an interface, so one can decide what kind of zones need to be created; again, this completely depends on the organisation's needs.

By default, Palo Alto Firewalls with PAN-OS 6.1 or above offer three security policy rule types:

  • Intrazone
  • Interzone
  • Universal (default)

PA- Security rules

Intrazone rules are basically used to allow traffic within the same zone. For example, if you have two zones named DMZ1 and DMZ2, an Intrazone rule matches traffic from DMZ1 to DMZ1, not from DMZ1 to DMZ2.

PA- Security rules-2

Intrazone rules match only the traffic within the specified source zone, not traffic between zones; one cannot specify a destination zone for Intrazone rules.


December 28, 2015  4:12 AM

How to configure Site-to-Site IPSec VPN on Cisco Routers? – Series 2

Yasir Irfan
ACL, Cisco, CRYPTO, IPsec, VPN

In my previous post we talked briefly about IPSec. We will be using the topology below for our setup.

Site to Site IPSEC VPN

The whole topology was built using Cisco VIRL. In the example we will build a Site-to-Site IPSec VPN between routers R1 and R2 and allow communication between the R1 LAN subnet 192.168.1.0 and the R2 LAN subnet 10.10.2.0.

Before starting, make sure you have reachability between the peer routers, i.e. you can ping the R2 WAN IP 2.2.2.2 from R1 and vice versa.

Site-to-Site VPN1

Step 1: Define the interesting traffic, i.e. the traffic you want encrypted across the public network, using an ACL.

R1
ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255

R2
ip access-list extended VPN-ACL
 permit ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 2: Configure NAT exemption (if you are using NAT on the routers for internet access this step is a must; if you are not using NAT, skip this step and proceed to step 4). Basically we use an ACL to exclude the VPN traffic passing through the tunnel from Site 1 to Site 2 from NAT.

R1
ip access-list extended NO-NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

R2
ip access-list extended NO-NAT-ACL
 deny   ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 any

Step 3: Configure NAT on both routers and enable it on the interfaces (use this step only if step 2 was configured; if not, proceed to step 4).

R1
ip nat inside source list NO-NAT-ACL interface GigabitEthernet0/1 overload
interface GigabitEthernet0/1
 ip nat outside
interface GigabitEthernet0/2
 ip nat inside

R2
ip nat inside source list NO-NAT-ACL interface GigabitEthernet0/1 overload
interface GigabitEthernet0/1
 ip nat outside
interface GigabitEthernet0/2
 ip nat inside

Step 4: Configure Phase 1 (ISAKMP) of IPSec so that a secure tunnel is established between R1 and R2. We will be using the following parameters for Phase 1:

Encryption: 3DES (DES and AES can be used as well)
Hash: MD5 (SHA can also be used)
Pre-shared key: itke
Group: Diffie-Hellman group 2 (other options are also available)

Site-to-Site VPN2

R1
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 exit
crypto isakmp key itke address 2.2.2.1

R2
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 exit
crypto isakmp key itke address 1.1.1.1

Step 5: Let's configure Phase 2 (IPSec); in this phase the IPSec security parameters are negotiated.

R1
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
 exit
crypto map MYVPN 10 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set MYSET
 match address VPN-ACL
 exit
interface gi 0/1
 crypto map MYVPN

R2
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
 exit
crypto map MYVPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address VPN-ACL
 exit
interface gi 0/1
 crypto map MYVPN

By following the above steps one can configure a Site-to-Site IPSec VPN. Now let's verify whether the IPSec tunnel is established between Site 1 and Site 2.

The most important command to verify that the Security Association is established between the two routers is “show crypto isakmp sa”.

Site-to-Site VPN 3

We can see from the above output that the Security Association is not established. Why is this so?

Unless traffic is initiated from one of the sites, the SA will never come up, so let's ping the Site 1 IP 192.168.1.1 from R2, sourcing the ping from its LAN network.

Site-to-Site VPN3

After initiating the traffic we can see the SA is established; the state QM_IDLE and the status ACTIVE are the important parameters, as these two confirm that the IPSec tunnel is established successfully.

One more verification command, “show crypto ipsec sa”, reports whether the data transmitted over the tunnel is being encrypted and decrypted.

Site-to-Site VPN4

The above output confirms that both encryption and decryption are occurring over the tunnel and our traffic is protected over the internet. If someone wants the VIRL topology, they can ping me and I will send the VIRL topology file by email.
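A consistency check over the two routers' configurations from Steps 1 to 5, added here as an example and not part of the original post: it parses the R1 and R2 snippets (copied into the block as constructed sample input), and reports the mismatches that typically keep the SA from reaching QM_IDLE/ACTIVE or leave traffic unencrypted, namely a pre-shared key or transform-set that differs between peers, a crypto map peer with no ISAKMP key bound to that address, a crypto ACL that is not mirrored on the other router, and VPN traffic that NO-NAT-ACL would translate before it reaches the tunnel. The ACL name NO-NAT-ACL and the token-based parsing are assumptions of this example, not of IOS.

```python
# Constructed copies of the post's R1 and R2 snippets (sample input, not read from a device).
R1_CFG = """ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
ip access-list extended NO-NAT-ACL
 deny ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
crypto isakmp key itke address 2.2.2.1
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
 set peer 2.2.2.1
 match address VPN-ACL"""
R2_CFG = """ip access-list extended VPN-ACL
 permit ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NO-NAT-ACL
 deny ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.2.0 0.0.0.255 any
crypto isakmp key itke address 1.1.1.1
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
 set peer 1.1.1.1
 match address VPN-ACL"""

def parse(cfg):  # pull out the values the two VPN peers must agree on or mirror
    d, cur = {"acl": {}}, None
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            cur = d["acl"].setdefault(t[3], [])          # start collecting a new ACL
        elif t and t[0] in ("permit", "deny") and cur is not None:
            cur.append((t[0], " ".join(t[2:])))           # ("permit", "src wc dst wc")
        elif t[:3] == ["crypto", "isakmp", "key"]:
            d["psk"], d["key_peer"] = t[3], t[5]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["transform"] = tuple(t[4:])
        elif t[:2] in (["set", "peer"], ["match", "address"]):
            d[t[1]] = t[2]                                # crypto map peer / crypto ACL name
    return d

def _permits(side):  # permit entries of the crypto ACL named by 'match address'
    return [e for act, e in side["acl"].get(side.get("address"), []) if act == "permit"]
def _mirror(e):  # "src wc dst wc" -> "dst wc src wc"; crypto ACL entries use network+wildcard
    return " ".join(e.split()[2:] + e.split()[:2])

def check(a, b):  # return findings; an empty list means R1 and R2 are consistent
    out = [f"{k} differs between the two routers" for k in ("psk", "transform") if a.get(k) != b.get(k)]
    for side in (a, b):
        if side.get("peer") != side.get("key_peer"):
            out.append(f"set peer {side.get('peer')} has no isakmp key bound to that address")
        nonat = side["acl"].get("NO-NAT-ACL", [])
        exempt = nonat[: next((i for i, e in enumerate(nonat) if e[0] == "permit"), len(nonat))]
        for e in _permits(side):  # VPN traffic must hit a deny in NO-NAT-ACL before any permit
            if ("deny", e) not in exempt:
                out.append(f"'{e}' would be NATed before it reaches the tunnel")
    for e in _permits(a):  # the peer's crypto ACL must be the exact mirror of this one
        if _mirror(e) not in _permits(b):
            out.append(f"peer has no mirror entry for '{e}'")
    return out
```

Run `check(parse(R1_CFG), parse(R2_CFG))` on the post's snippets and it returns an empty list; delete the deny line from NO-NAT-ACL or change one side's key and the corresponding finding appears.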


December 27, 2015  5:26 PM

How to configure Site-to-Site IPSec VPN on Cisco Routers? – Series 1

Yasir Irfan
ACL, Cisco, Cisco Routers, IPsec, IPsec VPN, Topology, VPN

IPSec is the protocol one can use to establish a Site-to-Site VPN. It is widely used because it is an open standard that offers secure, encrypted communication over the public internet. IPSec works at the network layer and only passes unicast traffic. I will briefly explain how IPSec works.

IPSec works in 5 stages:

  1. Interesting Traffic
    1. Defined by an ACL
  2. Phase 1 (ISAKMP / IKEv1)
    1. The IPSec devices negotiate an IKE security policy and establish a secure channel for communication
  3. Phase 2 (IPSec)
    1. The IPSec devices negotiate an IPSec security policy to protect data
  4. Data Transfer
    1. Data is transferred based on
      1. the IPSec parameters
      2. the keys negotiated
  5. IPSec Tunnel Termination
    1. IPSec SAs terminate when they time out or when a certain data volume is reached

Site to Site IPSEC VPN

We will be using the topology above to configure a site-to-site IPSec VPN between two Cisco routers. In the upcoming post let's see how to configure the Site-to-Site IPSec VPN on Cisco Routers.


December 27, 2015  5:03 AM

How to configure a Login Banner in Palo Alto Networks Firewall?

Yasir Irfan
Administrator, application, Default route, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, Security policy, Services, Static route, tunnel, URL, Users, VLAN

When it comes to following best practices for any network security appliance, one should configure a login banner. Configuring a login banner on a Palo Alto Networks Firewall is quite simple. Let's see how we can configure a login banner on a Palo Alto Networks Firewall.

Step 1: Device > Setup > Management > General Settings (Edit icon)

PA - Login Banner 1

Step 2: Device > Setup > Management > General Settings (Edit icon) > Login Banner

Type the organization-approved banner in the Banner box as shown below and click OK.

PA - Login Banner 2

By following these simple steps one can configure a login banner on a Palo Alto Networks Firewall. Whenever someone tries to SSH or log in using a browser, he/she will see the screen below with the login banner.

PA - Login Banner 3


December 26, 2015  4:31 AM

What is Palo Alto Security Policy – Series 1?

Yasir Irfan
Administrator, application, Default route, Ethernet, Firewalls, HA, Interface, Layer 2, LAYER3, Loopback, Palo Alto Networks, Security policy, Services, Static route, tunnel, URL, Users, VLAN, YouTube

Palo Alto Firewalls use security policies to either allow or deny access. A security policy comprises a list of security policy rules, and each security policy rule is made up of objects such as:

  • Address, both source and destination
  • Applications
  • Users
  • Services
  • URL Category
  • Action
  • Profile

PA Security Policy

One can use all of the objects or only some of them to configure a security policy rule (depending on the purpose of the policy). The Palo Alto Firewall takes the action configured in a security policy only when a session matches all the fields defined in that policy.

Palo Alto Security Policy

The security policy shown above blocks YouTube access only when the session is sourced from the trust zone with users alldevelopers and yasir and is destined to the untrust zone with an attempt to access YouTube; only when all of that matches does the Palo Alto Firewall take the action of blocking YouTube access.

Like any other firewall, Palo Alto Networks Firewalls adopt a top-down approach to evaluating security policies and take the action of the matching policy: once a match is found, no further rules are evaluated; otherwise the firewall keeps looking for a match until the last rule has been evaluated. If no match is found, the session is dropped.

In our next post we will discuss more about Security Policy rules types.

