Network technologies and trends


September 19, 2015  4:43 PM

Palo Alto Networks Firewall Configuration Management Auditing

Yasir Irfan
Auditing, Configuration management, firewall, router, Troubleshooting

Palo Alto Networks firewalls offer a configuration-auditing feature that lets you compare any two configuration files and see the differences. After comparing the two files, the firewall highlights the differences using a color-coding scheme. The following color codes are used to highlight the changes between the two configuration files.

Yellow: Indicates a change

As the snapshot below shows, when the Palo Alto Networks firewall was started it did not have any IP address assigned to interface Ethernet 1/1.

After adding an IP address, the audit result shows the addition in yellow.

Green: Indicates an addition

The snapshot below shows that Ethernet 1/1 was added to the virtual router, which is reflected in green.

Red: Indicates a deletion

The snapshot below clearly shows that the virtual router was deleted, and it has been highlighted in red.

This innovative and graphical way of comparing different versions of the configuration proves to be a very handy tool for troubleshooting. These kinds of small features make the Palo Alto Networks firewall truly next generation. Palo Alto came out with some unique features which differentiate it from the rest of the players.
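
The same three audit categories can be reproduced offline on two exported XML snapshots, which is useful when reviewing changes outside the web UI. The script below is an added example, not Palo Alto Networks code: the two snapshots are constructed and heavily simplified, and `flatten` and `audit` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified snapshots for illustration (not real firewall exports).
BEFORE = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><system><ip-address>192.168.1.1</ip-address></system></deviceconfig>
  <network>
    <interface><ethernet><entry name="ethernet1/1"><layer3/></entry></ethernet></interface>
    <virtual-router><entry name="vr-old"/></virtual-router>
  </network>
</entry></devices></config>"""

AFTER = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><system><ip-address>192.168.1.15</ip-address></system></deviceconfig>
  <network>
    <interface><ethernet><entry name="ethernet1/1">
      <layer3><ip><entry name="10.1.1.1/24"/></ip></layer3>
    </entry></ethernet></interface>
    <virtual-router/>
  </network>
</entry></devices></config>"""


def flatten(xml_text):
    """Map every node path to its text; <entry name=...> nodes are keyed by name.

    Limitation: unnamed sibling nodes with the same tag share one path.
    """
    nodes = {}

    def walk(node, parent):
        name = node.get("name")
        path = f"{parent}/{node.tag}" + (f"[@name='{name}']" if name else "")
        nodes[path] = (node.text or "").strip()
        for child in node:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return nodes


def audit(before_xml, after_xml):
    """Classify differences into the three audit categories."""
    old, new = flatten(before_xml), flatten(after_xml)
    return {
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "added": sorted(new.keys() - old.keys()),
        "deleted": sorted(old.keys() - new.keys()),
    }


if __name__ == "__main__":
    for kind, paths in audit(BEFORE, AFTER).items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Because nodes are keyed by path and entry name rather than by line, reordering entries in an export does not show up as a difference.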

September 17, 2015  9:46 AM

Three golden rules for designing a Networks

Yasir Irfan
Hardware, LINKS, Network design, Routing protocols

When it comes to either designing a network or upgrading an existing network with a new design, most of us think from a technical perspective: what kind of hardware we need, what routing protocols we need to use, what type of links are needed, and so on. This holds true for those who are deeply involved in technical tasks. Instead, we need to focus more on the characteristics of the network: what the goals of the network design are, and how the network transports traffic to its destination so that it serves the business needs.

The network we are designing should have the following characteristics:

  • Reliable and resilient
  • Manageable
  • Scalable

These are the three golden rules which one can consider while designing a network.


September 17, 2015  5:06 AM

How to ace Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam?

Yasir Irfan
Palo Alto Networks

It’s a known fact that very limited resources are available for preparing for the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam. One has to rely completely on Palo Alto resources, as in the market you are not going to find any Palo Alto press books (there is no Palo Alto Press either) or any third-party books or study material.

Things become quite challenging for those who are neither Palo Alto customers nor partners, as they cannot register on the Palo Alto Networks Education site to avail some of the free training or attempt the Palo Alto ACE exam. I think Palo Alto Networks should rethink this policy.

Those who are aiming to achieve the Palo Alto Networks Certified Network Security Engineer (PCNSE6) certification can take either of two paths: gain enough experience on Palo Alto Networks security products, or attend the official training offered by Palo Alto Networks training partners.

The most essential trainings one needs to pass the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam are:

Essentials 1: Firewall Installation and Management (201)

Essentials 2: Extended Firewall Management (205)

I took both of these trainings and benefited by enhancing my knowledge of Palo Alto Networks firewalls. I really liked the way the course was conducted by Domagaj Tos; he presented the course in a very easy format, and his notes and drawings were quite useful for understanding the concepts.

One could certainly think about the Palo Alto Virtual Trainings offered by Consigas, they are quite good and helpful to pass the Palo Alto Networks Certified Network Security Engineer (PCNSE6).

Apart from the official trainings one must certainly think of benefiting from additional important resources like

These resources are quite handy and contain most of the information required to pass the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam, but they are scattered.


September 16, 2015  9:18 AM

What is Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam?

Yasir Irfan
Configure, Design

Recently I took the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam and by the grace of Almighty I passed the exam. The Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam happens to be one of the toughest exams I have taken. It’s not an easy exam to pass, especially because one should not only have a deep understanding of Palo Alto technologies but also good hands-on experience with Palo Alto security products like Palo Alto Networks next-generation firewalls and Panorama.

One should certainly possess in-depth knowledge to design, install, configure, maintain and troubleshoot the vast majority of implementations based on the Palo Alto Networks platform to pass the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam.

Palo Alto Networks delivers the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam through the third-party testing company Kryterion and it’s proctored by them as well. Since the exam is delivered online one can experience occasional slowness in accessing exam questions.

In a coming post I will try to highlight the approach I took to prepare for the Palo Alto Networks Certified Network Security Engineer (PCNSE6) exam.


September 13, 2015  5:18 AM

Configuration Management – A holistic way to manage Palo Alto Firewall Configurations

Yasir Irfan
Configuration management, Firewalls, FTP, TFTP, XML

Palo Alto Networks firewalls are quite different and have powerful options compared to their competitors. The flexibility and ease they offer are quite impressive.

Managing the configurations of the Palo Alto firewall is one such example which proves to be very handy. One can access the complete set of configuration management actions by going to the Device > Setup > Operations page, as shown below.

Palo Alto Config Mang

Palo Alto Firewall offers many options from the Configuration Management page.

  • One can revert to the last saved configuration; by using this option one can avoid the use of FTP or TFTP servers to save these kinds of configuration backups.
  • One can save a named configuration snapshot; this can be used as a template for future deployments and can be loaded with the load named configuration snapshot option.

Named Config

Load named

  • One can export a named configuration snapshot in XML format, and the same file can be imported either into the same firewall or into any other Palo Alto firewall.

These are a few of the configuration management options which make life easier for network security engineers, especially when they have to deal with hundreds of firewalls in their daily operational tasks.


September 12, 2015  10:38 AM

What is the difference between Candidate configuration & Running Configuration in Palo Alto Firewalls?

Yasir Irfan
CLI, configuration, Firewalls, Palo Alto Networks, router, virtual

Palo Alto Networks firewalls come with the following configuration types:

  • Candidate Configuration
  • Running Configuration

Whenever someone creates a new policy or changes the settings of an existing security policy, or any other parameter such as a zone or virtual router, and clicks OK as shown below, the Candidate Configuration is either created or updated.

However, when the Commit tab at the top right corner of the firewall's web UI is clicked, the Candidate Configuration is applied to the running configuration of the Palo Alto firewall. The applied configuration is called the Running Configuration.

One can also apply the candidate configuration to the running configuration by using the “commit” CLI command in configuration mode.

admin@PA-500# commit

Palo Alto console configuration

The Candidate Configuration never becomes active unless it is committed to the Running Configuration, so it is always recommended to click Commit whenever someone creates or modifies the configuration on the Palo Alto Networks firewall.


September 9, 2015  7:11 AM

How to access Palo Alto firewall for the first time?

Yasir Irfan
firewall, HTTP, Palo Alto Networks, SNMP, Telnet

Palo Alto firewalls come with a built-in out-of-band management interface, labeled MGT, and a serial console cable.

One can access the Palo Alto firewall by connecting a laptop with an IP address in the 192.168.1.0/24 subnet to the management interface and browsing to https://192.168.1.1. The default username is admin and the default password is admin as well.

One can change the management IP address by selecting Device > Setup > Management and clicking the gear icon on the Management Interface Settings panel.

The other way to access the Palo Alto Firewall is by using the console port with serial port values of 9600-8-N-1.

One can also change the management IP address of the firewall by using following commands

admin@PA-500>configure
admin@PA-500# set deviceconfig system ip-address 192.168.1.15 netmask 255.255.255.0 default-gateway 192.168.1.1 dns-setting servers primary 192.168.1.1
admin@PA-500# commit

Palo Alto console configuration

Palo Alto firewalls have a dedicated management interface which can be used only for management of the firewall. One can enable firewall management over other interfaces that are used to forward traffic, but the management interface cannot be used to forward normal traffic. By default HTTP, Telnet and SNMP are disabled on the MGT interface of the firewall.


September 7, 2015  5:51 AM

Palo Alto Networks Virtual Platforms are good for Securing East-West traffic

Yasir Irfan
AWS, Data Center, KVM, OpenStack, Palo Alto Networks, VMs, VMware

With the dominance of virtualized environments like VMware, KVM, Citrix SDX and Amazon AWS, there is a challenge of securing East-West traffic. Like many other security vendors, Palo Alto offers various virtual platforms to protect the virtualized data center and East-West traffic.

Palo Alto offers virtualized platforms that can be installed on the following:

  • VMware® ESXi™ and NSX™
  • Citrix® Netscaler SDX™
  • KVM/OpenStack (Centos/RHEL, Ubuntu®)
  • Amazon Web Services (AWS)

Palo VM Firewalls

The interesting fact I see here is the support of VMware NSX™ which certainly makes the SDN platform more secure and flexible.

The Palo Alto VM-Series is no different from the physical firewalls in many aspects, like next-generation firewall and advanced threat prevention features; however, the VM-Series is not capable of supporting virtual systems.

The Palo Alto VM-Series supports automation features like VM monitoring, dynamic address groups and a REST-based API. These features allow you to proactively monitor VM changes, dynamically feeding that context into security policies and thereby eliminating the policy lag that may occur when your VMs change.


September 3, 2015  5:43 AM

Palo Alto Network Firewall Architecture – Know how

Yasir Irfan
firewall, IPsec, NAT, Palo Alto Networks, SSL

Palo Alto takes a good approach in designing the architecture for their next-generation firewalls. Palo Alto offers processors dedicated to security functions that work in parallel.

A Palo Alto firewall contains a separate Control Plane and Data Plane. By separating them, Palo Alto ensures that each plane runs independently, with dedicated processors, memory and hard drives. Some of the high-end firewalls come with 2 to 6 core CPUs dedicated to either the Data Plane or the Control Plane. You can read the product specifications for more details.

Palo Alto FW Architecture

The Control Plane is used for management of Palo Alto firewalls, and it provides configuration, logging, reporting and route updates.

The Data Plane consists of three types of processors connected by high-speed 1 Gbps buses: the Signature Processor, the Security Processor and the Network Processor.

Security Matching Processor:  Performs vulnerability and virus detection.

Security Processor: Performs hardware acceleration and handles security tasks such as SSL decryption and IPsec decryption.

Network Processor: Performs routing, NAT, QoS, route lookup, MAC lookup and network layer communications.


September 1, 2015  5:07 AM

What is Single Pass Parallel Processing (SP3) Architecture?

Yasir Irfan
Application firewalls, Palo Alto Networks, URL

When it comes to next-generation firewalls, it is quite common for them to process the various policies applied on the firewall serially. This in turn delays the processing of policies such as firewall policy, URL filtering, IPS and AV, or consumes all the available firewall hardware resources such as CPU or memory.

However, the Palo Alto next-generation firewall takes the approach of a Single Pass Parallel Processing (SP3) engine.

Single Pass

With the help of the Single Pass Parallel Processing approach, Palo Alto firewalls are in a position to

  • Classify traffic with App-ID
  • Do both user and group mapping
  • Perform content scanning for threats, URLs etc.
  • Make use of one policy to process various tasks
  • Do parallel processing
  • Provide separate data and control planes

One of the advantages I see with this kind of approach is that the traffic can be scanned as it crosses the Palo Alto firewall with a minimum amount of buffering, which in turn allows enabling advanced features like virus/malware scanning without affecting the firewall performance.

