Network technologies and trends

February 26, 2016  4:28 PM

Palo Alto Firewall with PAN-OS 7.0.2 has issues with OSPF

Yasir Irfan
firewall, OSPF, Palo Alto Networks, router

When it comes to Palo Alto Networks firewalls, we all know PAN-OS 6.x is quite a stable version. Palo Alto announced PAN-OS version 7 almost 8 months back, but I see very few people using this version of PAN-OS.

Those who are considering a migration from PAN-OS 6.x to PAN-OS 7.x need to be very careful, as some interesting issues might occur. Recently I tried a migration from 6.1.7 > 7.0.2 and finally planned to migrate to PAN-OS 7.0.4, but ended up with some issues which forced me to revert back to the old version, PAN-OS 6.1.7.

There are some bugs in PAN-OS 7.0.2 which are not yet reported by Palo Alto, neither on their website nor by their TAC team, which is not aware of them. One such bug or issue is related to OSPF.

One should never consider using a Palo Alto firewall with PAN-OS 7.x as an ABR. The Palo Alto firewall never forms an adjacency with its neighbors in a non-zero area: it gets stuck in the Exchange state with its neighbor and never goes into the Two-Way or Full OSPF state. Even if you restart the OSPF process nothing changes; the firewall is always stuck in the Exchange state. Interestingly, it was forming an adjacency with an Area 0 router.

[Figure: Palo Alto - ABR OSPF]

From the above scenario, a Palo Alto firewall with PAN-OS 7.0.2 will never form an OSPF adjacency with its peer router R3 in Area 5 unless you downgrade the PAN-OS of the Palo Alto firewall to 6.x. However, you would notice that with the same PAN-OS version 7.0.2 the Palo Alto firewall will form an OSPF adjacency with R1, which is in Area 0.

So far I haven't found a fix for this issue; the only way I could use the Palo Alto firewall as an ABR was to downgrade it to PAN-OS 6.1.7. Hopefully Palo Alto comes out with a solution for this issue.

February 24, 2016  12:55 PM

Using ECMP with Palo Alto Firewalls? Make sure you’re running PAN-OS 7

Yasir Irfan
BGP, firewall, OSPF, Routing

When it comes to using Equal Cost Multipath (ECMP) on Palo Alto firewalls, one needs to be very careful, as this feature is not available in all PAN-OS versions by default. Most network engineers assume ECMP is supported by default, and they are shocked to discover that ECMP is not working when they configure or enable it using either OSPF or BGP on a Palo Alto firewall running the PAN-OS 6.x train.

You don't need to panic: Palo Alto doesn't support ECMP on PAN-OS 6.x or earlier trains at all. Palo Alto introduced Equal Cost Multipath (ECMP) as a new feature in PAN-OS 7.0. The Palo Alto firewall supports a maximum of 4 equal-cost paths, and supports this for the OSPF and BGP protocols.

One can use Equal Cost Multipath to increase throughput and redundancy and to reduce convergence times. This feature can also substantially increase bandwidth performance by load-balancing traffic over multiple paths.

February 22, 2016  5:54 AM

Cisco launches fully integrated next-generation firewall

Yasir Irfan
Cisco, ISE, NGFW, Throughput

Recently Cisco announced its first fully integrated, threat-focused Cisco Firepower™ Next-Generation Firewall (NGFW). It's good to see Cisco jumping into the next-generation firewall business; despite being late into this segment, it's quite interesting to see how Cisco is going to capture the next-generation firewall market segment. We can see leaders like Palo Alto and Check Point doing great in this segment. For sure Cisco is going to give a tough fight, and I believe they hold an upper hand, especially when it comes to integration with the campus network. Products like Cisco Identity Services Engine (ISE) and AMP will add more value to their NGFW.

The good thing I see with the newly announced 4100 Series NGFW is the throughput they offer and also the size of the firewall. Most of them are 1U firewalls and can offer throughput up to 60 Gbps, and can also work at 40 Gbps speed.

The coming days will show how Cisco is going to capture the market, as leaders like Palo Alto are far ahead in the next-generation firewall race.

February 16, 2016  8:50 AM

Cisco VIRL is now on cloud

Yasir Irfan
Cisco, cloud, Hardware

Cisco VIRL is going one step closer to providing its services on the cloud. This will open new opportunities for many of us, especially those who want to test some complex scenarios and don't have powerful hardware to run them. Now VIRL is available on Packet's bare-metal cloud platform, which certainly helps end users, as they need to pay only for what they use, and deployment time will be reduced.

In order to run VIRL on the cloud one needs to register for a Packet account and have a valid VIRL license key. The setup procedure will be provided by the VIRL team, and they claim it's quite an easy deployment.

Hurry up, as the VIRL license node limit will be doubled for free: when I use my VIRL key on Packet it will be increased from 20 to 40.

Register for free and receive a $25 usage credit today on Packet:


February 13, 2016  8:40 AM

How does a Palo Alto Networks firewall examine a UDP packet to identify an application?

Yasir Irfan
application, Application firewalls, DNS, firewall, Next Generation Networking, Packets, Palo Alto Networks, UDP

In the example below, a single DNS query packet is trying to query the domain. This packet contains all the information needed by a Palo Alto Networks firewall to identify an app. By inspecting the UDP packet below it can determine:

[Figure: Palo Alto UDP Packet Inspection]

Is the packet genuine, and is it trying to use DNS as an application to do a query?

We can see the source IP, the destination IP address and the destination port number, and the application is identified by the Palo Alto Networks firewall. Once the application is identified, the traffic is processed by the security policy. By using this approach Palo Alto Networks firewalls are quite effective at stopping evasive applications.

The good thing about the Palo Alto Networks firewall is that it mostly needs only one UDP packet to identify a UDP-based application.

February 11, 2016  8:14 PM

Cisco ASA Firewalls can be exploited by sending crafted UDP packets

Yasir Irfan
Cisco, Cisco ASA, firewall, IPsec, IPsec VPN, LAN, UDP, vulnerabilities

Yesterday I received an email from Cisco Security Advisories about a critical vulnerability in the IKE version 1 and IKE version 2 code of ASA Software, which could allow an unauthenticated remote attacker to reload, or even execute code remotely on, an affected ASA firewall.

Those who are terminating their VPN tunnels using either IKEv1 or IKEv2 for any of the following VPN types:

  • LAN-to-LAN IPsec VPN
  • Remote access VPN using the IPsec VPN client
  • Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
  • IKEv2 AnyConnect

should immediately check whether their ASAs are affected. If so, they should upgrade the ASA, as there is no other fix from Cisco.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or to cause a reload of the affected system.

The following ASA Software releases are affected; one should upgrade immediately to the recommended release:

Cisco ASA Major Release | First Fixed Release
7.2¹ | Affected; migrate to 9.1(7) or later
8.2¹ | Affected; migrate to 9.1(7) or later
8.3¹ | Affected; migrate to 9.1(7) or later
8.4  | 8.4(7.30)
8.5¹ | Not affected
8.6¹ | Affected; migrate to 9.1(7) or later
8.7  | 8.7(1.18)
9.0  | 9.0(4.38)
9.1  | 9.1(7)
9.2  | 9.2(4.5)
9.3  | 9.3(3.7)
9.4  | 9.4(2.4)
9.5  | 9.5(2.2)

Further details can be found at the URL below.
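To triage an ASA inventory against the table above, here is an added example (not from the post or the Cisco advisory) that parses a `major.minor(maint.interim)` version string and reports whether that release is at or past the first fixed release for its train. The table values are the page's; the `unknown` result for trains not listed is my assumption, not a statement from the advisory.

```python
import re

# First fixed release per major train, copied from the table above.
FIRST_FIXED = {
    "8.4": "8.4(7.30)", "8.7": "8.7(1.18)", "9.0": "9.0(4.38)", "9.1": "9.1(7)",
    "9.2": "9.2(4.5)", "9.3": "9.3(3.7)", "9.4": "9.4(2.4)", "9.5": "9.5(2.2)",
}
# Trains with no fix on the train itself: the table says migrate to 9.1(7) or later.
MIGRATE_ONLY = {"7.2", "8.2", "8.3", "8.6"}
# Listed in the table as not affected.
NOT_AFFECTED = {"8.5"}

_VER = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")

def parse_version(v: str) -> tuple:
    """'9.1(7.2)' -> (9, 1, 7, 2). A missing interim field counts as 0."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {v!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))

def assess(v: str) -> str:
    """Classify one ASA version: 'fixed', 'vulnerable', 'migrate', 'not-affected'
    or 'unknown' (assumption: trains absent from the table are reported as unknown
    rather than guessed at)."""
    ver = parse_version(v)
    train = f"{ver[0]}.{ver[1]}"
    if train in NOT_AFFECTED:
        return "not-affected"
    if train in MIGRATE_ONLY:
        return "migrate"
    if train in FIRST_FIXED:
        # Tuple comparison orders 8.4(7.3) below 8.4(7.30), as the release numbering does.
        return "fixed" if ver >= parse_version(FIRST_FIXED[train]) else "vulnerable"
    return "unknown"

def triage(versions: list) -> dict:
    """Map each version string in an inventory to its assessment."""
    return {v: assess(v) for v in versions}
```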

February 8, 2016  1:04 PM

What is Palo Alto Networks App ID?

Yasir Irfan
application, DNS, firewall, Gartner, IPS

When it comes to treating an application, every vendor has its own way; most traditional firewalls treat applications based mostly on port numbers. For example, traditional firewalls treat DNS as a port 53 application, and a rule is configured in the traditional firewall to allow port 53 for DNS traffic. Suppose an evasive application like BitTorrent attempts to use port 53 for P2P file sharing. The traditional firewall cannot stop the evasive application unless an external IPS appliance is involved.

[Figure: PA App1]

However, Palo Alto Networks next-generation firewalls treat an application in a different way. First of all, Palo Alto defines an application as

"a specific program or feature that can be detected, monitored and blocked if required"

This approach of Palo Alto towards applications is what makes them outstanding, and hence they are the leaders when it comes to next-generation firewalls. To date they are the leaders even in the Gartner Magic Quadrant.

By adopting multiple tactics to classify an application, Palo Alto Networks next-generation firewalls, when configured to only allow DNS as an application, are in a position to block all kinds of traffic on port 53 except DNS.

[Figure: PA App2]

Palo Alto Networks next-generation firewalls have complete visibility of the entire traffic flow and pattern; hence they are very effective as next-generation firewalls.
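The "is this packet genuine DNS?" question from the UDP packet post above, and the "allow only DNS on port 53" policy described here, both come down to validating the first UDP/53 payload against the DNS query format rather than trusting the port. As an added example (my code, not Palo Alto's App-ID logic, which is proprietary), this parser accepts a well-formed single-question DNS query and rejects anything else, such as the constructed bencoded BitTorrent DHT message below.

```python
import struct

def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard recursive A/IN query for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_dns_query(payload: bytes):
    """Return (qname, qtype, qclass) if payload is a well-formed single-question
    DNS query, otherwise None. Extra records after the question (e.g. EDNS OPT) are tolerated."""
    if len(payload) < 12:
        return None
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    # A query has QR=0, opcode QUERY/IQUERY/STATUS, exactly one question,
    # and no answer or authority records.
    if qr != 0 or opcode > 2 or qd != 1 or an != 0 or ns != 0:
        return None
    i, labels = 12, []
    while True:
        if i >= len(payload):
            return None                       # name runs off the end of the packet
        n, i = payload[i], i + 1
        if n == 0:
            break                             # root label terminates the name
        # Compression pointers (top bits set) are not valid in a question name,
        # and each label must fit inside the packet.
        if n & 0xC0 or i + n > len(payload):
            return None
        try:
            labels.append(payload[i:i + n].decode("ascii"))
        except UnicodeDecodeError:
            return None
        i += n
    if not labels or len(".".join(labels)) > 253 or i + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[i:i + 4])
    return ".".join(labels), qtype, qclass

def app_id_udp53(payload: bytes) -> str:
    """Classify one UDP/53 payload: 'dns' if it parses as a DNS query, else
    'unknown-udp', which a DNS-only rule should deny."""
    return "dns" if parse_dns_query(payload) else "unknown-udp"

# Constructed non-DNS payload: a bencoded BitTorrent DHT "ping", the kind of
# traffic an evasive P2P client might push over port 53.
DHT_PING = b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"
```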

February 5, 2016  10:51 AM

Cisco intends to acquire Jasper Technologies

Yasir Irfan
Cisco, cloud, Internet of Things, iot, SaaS, Software as a Service

The era of technology is evolving and trends are moving towards a connected world: be it humans, machines, automobiles or household appliances, people are making efforts to connect them. So the term "Internet of Things" (IoT) emerged. I can see Cisco is quite serious about this direction and is making great progress.

With its intent to acquire Jasper Technologies, Inc., a startup company based in Santa Clara which delivers cloud-based IoT service platforms, Cisco is further enhancing its stake in the IoT segment. It's the commitment, delivery and acquisitions that have made Cisco stronger in many technology domains. I believe this acquisition will make Cisco a pioneer in the IoT segment.

“I am excited about the opportunity for Cisco and Jasper to accelerate how customers recognize the value of the Internet of Things,” said Chuck Robbins, Cisco Chief Executive Officer. “Together, we can enable service providers, enterprises and the broader ecosystem to connect, automate, manage, and analyze billions of connected things, across any network, creating new revenue streams and opportunities.”

“IoT has become a business imperative across the globe. Enterprises in every industry need integrated solutions that give them complete visibility and control over their connected services, while also being simple to implement, manage and scale,” said Jahangir Mohammed, Jasper Chief Executive Officer. “By coming together, Jasper and Cisco will help mobile operators and enterprises accelerate their IoT success.”

Cisco is planning to close this acquisition by the third fiscal quarter of 2016, and the current CEO of Jasper Technologies, Jahangir Mohammed, will run the new IoT Software business unit.

February 1, 2016  6:37 AM

Oracle to stop Java browser plug-in

Yasir Irfan
ACS, ASDM, Cisco, Java, Network security appliances, Oracle

Oracle recently announced its decision to stop its Java browser plug-in; this is a great move from Oracle. Their next Java Development Kit, "JDK 9", will be shipped without a browser plug-in.

These days most browsers have stopped supporting the Oracle Java plug-in for obvious reasons, like the vulnerabilities and threats found in it. I wish companies like Cisco and Blue Coat would stop using Java browser plug-ins for their products, especially for ASDM, ACS and the Blue Coat ProxySG.

Often those who are in network operations have to install many versions of Java to manage many security appliances. I am quite hopeful this new announcement from Oracle will redefine the GUI management of network security appliances.

January 31, 2016  5:26 AM

What are Address Objects in Palo Alto Networks Next Generation Firewall?

Yasir Irfan
Administrator, application, Default route, Ethernet, Firewalls, FQDN, HA, Interface, IP range, IPv4, IPv6, Layer 2, LAYER3, Loopback, objects, Palo Alto Networks, Security policy, Services, Static route, tunnel, URL, Users, VLAN

Like all other firewalls, the Palo Alto Networks firewall supports address objects. These address objects are basically named objects which can be configured on a Palo Alto Networks firewall. An address object can include an IPv4 or IPv6 address or an FQDN. The address can be configured based on a:

  • Single IP address
  • IP Range
  • FQDN

An address object can be reused as a source or destination address across all the security policy rules. Palo Alto Networks firewalls come with the very handy feature of tags; this simple little feature makes life easier for a firewall administrator, as he/she can easily distinguish tagged objects by adding a colour to the tag.

In order to add an address object one needs to:

Step 1 – Select Objects > Addresses, and click Add.

[Figure: Adding Object]

Step 2 – Enter a Name and a Description for the address object.

[Figure: Address Object Step 2]

Step 3 – Select Type: IP Netmask, IP Range or FQDN.

[Figure: Address Object Step 3]

You can also select a Tag; this is optional. Click OK to save the address object. One can apply address objects to the security policies as shown below.

[Figure: Address Object Step 5]

Object Groups are not a new feature, but they come in handy for day-to-day firewall administration.
