Palo Alto Networks firewalls use security policies to either allow or deny access. A security policy is made up of a list of security policy rules, and each rule is built from objects such as:
- Address (both source and destination)
- URL Category
One can use all of the objects or only some of them when configuring a security policy rule, depending on the purpose of the policy. The Palo Alto firewall applies the action of a security policy rule only when a session matches all of the fields defined in that rule.
The security policy shown above will block YouTube access only when the session is sourced from the trust zone by the users alldevelopers or yasir, is destined to the untrust zone, and is an attempt to access YouTube; only when all of these match does the Palo Alto firewall take the action of blocking YouTube access.
Like any other firewall, Palo Alto Networks firewalls evaluate security policies top down and take the action of the first matching rule. Once a matching rule is found, no further rules are evaluated; otherwise the firewall keeps looking for a match until the last rule has been evaluated. If no match is found, the session is dropped.
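The matching logic described above, as an added example that is not part of the original post: a small model of a rulebase in which every configured field must match, rules are walked top down, the first match decides, and an unmatched session is dropped. The zone, user and URL category values are constructed sample data (the category name "streaming-media" stands in for whatever category covers YouTube).

```python
from dataclasses import dataclass, field

# Added example (not from the original post): a minimal model of how a
# Palo Alto style rulebase is evaluated. Rules are walked top down, the first
# matching rule decides, and a rule matches only when every field that was
# configured on it matches the session. Zone, user and URL category values
# are constructed sample data; "streaming-media" stands in for the category
# that covers YouTube.

@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    user: str
    url_category: str

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    src_zones: set = field(default_factory=set)   # empty set means "any"
    dst_zones: set = field(default_factory=set)
    users: set = field(default_factory=set)
    url_categories: set = field(default_factory=set)

    def matches(self, s: Session) -> bool:
        """All configured fields must match; an unconfigured field matches anything."""
        checks = [
            (self.src_zones, s.src_zone),
            (self.dst_zones, s.dst_zone),
            (self.users, s.user),
            (self.url_categories, s.url_category),
        ]
        return all(not allowed or value in allowed for allowed, value in checks)

def evaluate(rulebase, session):
    """Top down, first match wins. Returns (rule name, action); no match -> (None, 'drop')."""
    for rule in rulebase:
        if rule.matches(session):
            return rule.name, rule.action
    return None, "drop"

# The post's example rule, followed by a broad allow rule.
RULEBASE = [
    Rule("Block-YouTube", "deny", {"trust"}, {"untrust"},
         {"alldevelopers", "yasir"}, {"streaming-media"}),
    Rule("Trust-to-Untrust", "allow", {"trust"}, {"untrust"}),
]

if __name__ == "__main__":
    print(evaluate(RULEBASE, Session("trust", "untrust", "yasir", "streaming-media")))
    print(evaluate(RULEBASE, Session("trust", "untrust", "alice", "streaming-media")))
    print(evaluate(RULEBASE, Session("untrust", "trust", "yasir", "streaming-media")))
```

Note that a user not named in the block rule falls through to the broad allow rule, which is exactly why a rule with many fields configured is narrower, not stronger.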
In our next post we will discuss more about Security Policy rules types.
In one of my previous posts we discussed the Palo Alto Networks Firewall Virtual Router, how it works and what kinds of routing protocols it is capable of supporting. Configuring a static route in a Palo Alto Firewall Virtual Router is quite simple; in this post let's see how we can configure one.
We will be using the following topology for our example.
We have a LAN with the subnet 172.16.32.0, which is the trust zone, accessing the Internet through the network 192.168.1.0, which is the untrust zone.
In order to allow Internet access you should ensure that there is a default route towards the Internet gateway 192.168.1.1 and that the Palo Alto Layer 3 interfaces of both the trust and untrust zones are configured as follows.
In order to configure a default route in the Palo Alto Networks Firewall we need to do the following.
Step 1: Go to Network > Virtual Routers
Click Virtual Routers > default > Static Routes > Add
(The Palo Alto firewall comes with a virtual router named default; if you want, you can create a new virtual router and name it according to your needs.)
Step 2: Configure the default route towards the Internet gateway IP address as shown below.
In our case any traffic sourced from the trust zone will be sent to the Internet router IP address as its default gateway.
We will name the route Static Route.
The Destination field will be 0.0.0.0/0, as any traffic that doesn't have a more specific route will be forwarded to the Internet gateway.
Select the IP Address radio button in the Next Hop field.
Enter the IP address and mask 192.168.1.1/24.
Click OK and save the configuration.
Make sure you configure a security policy to allow the traffic from the trust zone to the untrust zone as shown below.
You can see that from my laptop with the IP address 172.16.32.2 I can ping the Internet gateway 192.168.1.1 and can also access the Internet.
You can see it is very easy to configure a static route in a Palo Alto firewall, and the routing table can be viewed as shown below.
With the introduction of Cisco VIRL 1.0.0, capturing traffic has become much simpler. One can now directly click a link on a device and do a packet capture. In this post let's see how we can capture traffic in Cisco VIRL and analyse it.
Step 1: Log in to the VIRL server from your web browser; you should see the screen below. Click User Workspace Management (UWM).
Step 2: Log in to the UWM portal using the default credentials.
Step 3: Select Overview, look for the active simulations, and click the simulation in which you want to do the packet capture.
Step 4: Select the node and interface on which you want to do the packet capture and click the eye-shaped icon as demonstrated below.
Step 5: Select Offline Capture, apply any filter needed and click Create. In my case I am capturing all the traffic, so no filters are applied.
Step 6: Download the capture data and analyse it using Wireshark.
Below is a Wireshark snapshot of the packet capture I did.
The new Cisco VIRL 1.0.0 offers some really cool packet capturing features which are very easy to use.
Cisco VIRL comes with an internal SSH and Telnet client which is quite good and opens all SSH and Telnet sessions within the VM Maestro GUI, but if someone wants to use SecureCRT on their Mac as an external client, the change can easily be configured in VIRL VM Maestro:
Change the title format to: %s
Select: Use external terminal applications
Use the fields shown below
By making these minor changes you can use SecureCRT to SSH or Telnet to VIRL devices.
When it comes to routing traffic between different networks one needs a router. Palo Alto Networks firewalls are capable of routing traffic between networks. Palo Alto uses the concept of “Virtual Routers” to route traffic, be it static or dynamic routing. A virtual router uses virtualized or partitioned routing tables to do the routing job. Palo Alto firewalls use virtual routers to obtain routes and use the best route to populate the routing table.
Palo Alto Networks firewalls are capable of supporting dynamic routing protocols like RIP v2, OSPF (OSPFv2 and OSPFv3) and BGP v4. The Palo Alto Networks firewall comes with a virtual router named default, which can be used for routing provided the Layer 3 interfaces or VLANs are part of that default virtual router. One can also create a new virtual router, name it according to his/her organization's standards, and use it for both static and dynamic routing.
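How the virtual router picks the "best route" described here, and why the 0.0.0.0/0 default route from the static route walkthrough above only catches traffic no other route covers, as an added example that is not part of the original posts: the most specific (longest prefix) route wins, and a static route is only usable when its next hop lies on a connected network. The interface names and the /24 connected prefixes are assumptions based on the post's topology.

```python
import ipaddress

# Added example (not from the original posts): longest-prefix route selection
# in a virtual router's routing table. Interface names and the connected
# prefixes are assumptions based on the post's topology (172.16.32.0/24 on
# the trust side, 192.168.1.0/24 on the untrust side).

# (destination, next hop or None for a connected route, egress interface or None)
ROUTING_TABLE = [
    ("172.16.32.0/24", None, "ethernet1/2"),   # connected, trust side
    ("192.168.1.0/24", None, "ethernet1/1"),   # connected, untrust side
    ("0.0.0.0/0", "192.168.1.1", None),        # the static default route from the post
]

def best_route(table, dst):
    """Return the longest-prefix route covering dst as (network, next_hop, iface), or None."""
    ip = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(d), nh, itf) for d, nh, itf in table
                  if ip in ipaddress.ip_network(d)]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None

def forward(table, dst):
    """Resolve dst to (next hop address, egress interface); None if unroutable."""
    route = best_route(table, dst)
    if route is None:
        return None
    _net, next_hop, iface = route
    if next_hop is None:
        return dst, iface                 # connected network: deliver directly
    # A static next hop must itself resolve to a connected route, otherwise the
    # firewall has no interface to send the packet out of.
    nh_route = best_route(table, next_hop)
    if nh_route is None or nh_route[1] is not None:
        return None
    return next_hop, nh_route[2]

if __name__ == "__main__":
    for host in ("8.8.8.8", "172.16.32.2", "192.168.1.1"):
        print(host, "->", forward(ROUTING_TABLE, host))
```

A default route whose next hop is not on any connected network (for example a typo in the gateway address) resolves to nothing, which is the first thing to check when Internet traffic is not leaving the firewall.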
Palo Alto Networks firewalls come with a dedicated out-of-band Management (MGT) interface which is used to manage the firewall. By default SSH, HTTPS and ping are enabled on it for management. Apart from the dedicated out-of-band management interface, one can use any Layer 3 interface for management of the Palo Alto Networks firewall.
In order to manage the Palo Alto Networks firewall using a Layer 3 interface one must enable a management profile. To configure the management profile, follow the steps below.
Network > Network Profiles > Interface Mgmt > Add
Configure the management profile by giving it a name you like and selecting the services you want to permit, along with the permitted IP addresses if you want.
Assign the management profile to any Layer 3 interface from which you want to manage the Palo Alto Networks firewall, as shown below.
Network > Interfaces > Ethernet > ethernet1/1 > Advanced > Management Profile
A management profile is quite a good option, which comes in handy when you want to allow management functions on any Layer 3 interface.
Like any other firewall, the Palo Alto Networks firewall can be deployed in Layer 2 mode. In Layer 2 deployment mode, the Palo Alto Networks firewall provides switching between two or more networks. In Layer 2 deployment mode, a VLAN must be assigned to each interface or VLAN object, and additional Layer 2 sub-interfaces must be assigned to a group of interfaces. The Palo Alto Networks firewall will perform VLAN tag switching when Layer 2 sub-interfaces are attached to a common VLAN object.
Palo Alto Networks firewall Layer 2 interfaces are only capable of supporting 802.1Q trunks; however, they do not support any spanning tree protocol (STP), nor do they participate in the spanning tree process. The Palo Alto Networks firewall simply forwards the BPDUs it receives from the peer switch.
In the past few posts we talked about what a Virtual Wire is and how it can be implemented. Let's talk briefly about Virtual Wire sub-interfaces in this post.
Virtual Wire sub-interfaces are quite useful when one needs to manage traffic in a multi-tenant network setup. They offer a lot of flexibility in enforcing distinct policies, especially when multi-tenant networks are in place. One can easily separate and classify traffic into different zones by using either VLAN tags alone or VLAN tags in conjunction with IP classifiers. This is yet one more deployment flexibility offered by Palo Alto Networks firewalls.
Configuring a Palo Alto firewall in Virtual Wire mode is quite easy. In this post, using the topology below, I am going to demonstrate how to configure a Palo Alto Networks firewall in Virtual Wire or V-Wire mode.
You can see from the above topology that we have a laptop with the IP address 192.168.1.156 in VLAN 20, placed in the trust zone, trying to access the Internet in the untrust zone. The laptop is configured with the default gateway 192.168.1.1, which happens to be the IP address of our Internet router; this router is in the untrust zone and belongs to VLAN 1.
We have a Palo Alto firewall with two interfaces connected to a Cisco switch. One interface, ethernet 1/2, is connected to interface G1/0/2 on the Cisco switch, is configured as part of the V-Wire with VLAN 20, and belongs to the trust zone.
The Palo Alto firewall interface ethernet 1/1 is connected to Cisco switch interface G1/0/1, is configured as part of the V-Wire with VLAN 1, and belongs to the untrust zone.
Now let's configure the same and see how traffic flows.
Step 1 – Configure the Cisco switch trust zone interfaces with VLAN 20
interface gigabitEthernet 1/0/2
switchport access vlan 20
interface gigabitEthernet 1/0/3
switchport access vlan 20
Step 2 – Configure the Cisco switch untrust zone interfaces with VLAN 1
interface gigabitEthernet 1/0/1
switchport access vlan 1
interface gigabitEthernet 1/0/4
switchport access vlan 1
Step 3 – Configure a Virtual Wire called Test-V-Wire by clicking
Network > Virtual Wire
You can use any name you want; in our case we will name it Test-V-Wire, with interfaces ethernet 1/1 and ethernet 1/2 as Interface1 and Interface2.
Step 4 – Let's configure two zones named Untrust and Trust and assign ethernet 1/1 to the untrust zone and ethernet 1/2 to the trust zone.
Step 4-A – Configure Trust Zone
Give the name Trust, select Type to be Virtual Wire and add the interface ethernet 1/2 to the Trust zone as demonstrated below.
Step 4-B – Configure Untrust Zone
Step 5 – Create a security policy to allow access from the trust zone to the untrust zone (this can be configured as per your requirements with security profiles, URL filtering, etc.)
Give a name to your security policy (V-Wire-Policy)
Add Source Zone (Trust)
Add Destination Zone (Untrust)
Allow the access; you can also restrict the Application and Service/URL Category if needed. In our case we are allowing all kinds of traffic.
The final security policy should look like this:
You can also monitor the traffic passing through the V-Wire. You can see from the snapshot below that I am accessing Skype and pinging the default gateway (VLAN 1) from my laptop (VLAN 20), and my traffic is passing from the Trust zone to the Untrust zone using the rule V-Wire-Policy which we created.
This is really a great feature from Palo Alto, and a Virtual Wire can be implemented easily without any modifications to the existing network design.
Cisco has announced a major revamp of its CCIE and CCDE written exams: starting July 26, 2016 Cisco will include a new section titled “Evolving Technologies”. Except for CCIE Data Center, all other CCIE lab exams remain intact. So those who will be appearing for a CCIE or CCDE written exam after July 26, 2016 should master the following Evolving Technologies domain:
1.1: Compare and contrast Cloud deployment models
- Infrastructure, platform, and software services (XaaS)
- Performance and reliability
- Security and privacy
- Scalability and interoperability
1.2: Describe Cloud implementations and operations
- Automation and orchestration
- Workload mobility
- Troubleshooting and management
- OpenStack components
2.0: Network Programmability
2.1: Describe functional elements of network programmability (SDN) and how they interact
- Northbound vs. Southbound protocols
2.2: Describe aspects of virtualization and automation in network environments
- DevOps methodologies, tools and workflows
- Network/application function virtualization (NFV, AFV)
- Service function chaining
- Performance, availability, and scaling considerations
3.0: Internet of Things
3.1: Describe architectural framework and deployment considerations for Internet of Things (IoT)
- Performance, reliability and scalability
- Security and privacy
- Standards and compliance
- Environmental impacts on the network
Looking at the new topics, one can see how important technologies like cloud, network programmability and the Internet of Things have become. These topics cover 10% of the total score. Cisco is ensuring that evolving technologies play a vital role in the coming days. The recalibrated exam topics shown below are what candidates need to focus on.
| Exam | Written Exam Topics Used for Testing BEFORE July 25, 2016 | Written Exam Topics Used for Testing On July 25, 2016 and Beyond |
|---|---|---|
| CCIE Routing and Switching | Existing exam topics version 5.0 | Recalibrated exam topics version 5.1 |
| CCIE Wireless | Existing exam topics version 3.0 | Recalibrated exam topics version 3.1 |
| CCIE Security | Existing exam topics version 4.0 | Recalibrated exam topics version 4.1 |
| CCIE Service Provider | Existing exam topics version 4.0 | Recalibrated exam topics version 4.1 |
| CCIE Collaboration | Existing exam topics version 1.0 | Recalibrated exam topics version 1.1 |
| CCDE | Existing exam topics version 2.0 | Recalibrated exam topics version 2.1 |
| CCIE Data Center | Existing written exam 350-080 and its corresponding exam topics will be available for candidates who are scheduled to take the test BEFORE July 25, 2016. | The new unified exam topics version 2.0 will be used for the new written exam (400-151) and lab exam and is recommended for candidates scheduled to take the test on July 25, 2016 or beyond. |
I believe it’s a welcome move from Cisco, and I can see Cisco wants to capitalize on the market by ensuring the new CCIEs are aware of these new evolving technologies at least to some extent. Also I expect Cisco Press will come out with the appropriate study guides and titles.