In my previous post, I mentioned that the Palo Alto Networks firewall has issues running the OSPF protocol and forming an adjacency with its neighbor, especially when it is used as an ABR.
This issue generally occurs when a zone protection profile (ZPP) is applied to the interface that forms the adjacency with the remote routers; the moment the ZPP is removed, the OSPF adjacency forms and the Palo Alto firewall can be used as an ABR.
In an upcoming post I will try to say more about Zone Protection Profiles.
When it comes to identifying an application, the Palo Alto firewall is quite accurate and yields great results in either allowing or dropping traffic based on the applied security policy. I believe App-ID is the strongest point of Palo Alto firewalls and what makes them leaders in the Next Generation Firewall segment.
App-ID™ is the patented traffic classification technology of Palo Alto Networks next-generation firewalls; it uses multiple identification mechanisms to identify applications traversing the network.
Based on the above App-ID flow, the Palo Alto firewall applies the following mechanisms to identify the application:
- Initially the traffic is classified based on IP address and port number.
- An application is identified on the allowed traffic by applying signatures.
- If the traffic is encrypted and a decryption policy is in use, the traffic is decrypted and application signatures are applied to the decrypted flow.
- Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside the protocol (for example, Yahoo! Instant Messenger used across HTTP).
- For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
Once an application is identified, the policy check decides how to treat it: based on the policy defined, the traffic is allowed, blocked, scanned for threats, file transfers or data patterns, or rate-limited using QoS.
When it comes to routing, most of us are quite comfortable using dedicated routers in enterprise networks. Sometimes business needs or the existing network design force an organisation to use a traditional firewall not only as a firewall but also as a router. This works well if someone is using basic routing. However, challenges appear when someone wants to use ECMP or wants to use the firewall as an ABR with the OSPF routing protocol. In my experience Cisco ASA firewalls work like a charm with routing features: they support ECMP for both OSPF and BGP. The Cisco ASA firewall also works well as an ABR; one will not experience any issues with OSPF adjacency.
However, if the same scenario is used with Palo Alto next-generation firewalls, one faces huge challenges with routing. Palo Alto firewalls are great as next-generation firewalls; they offer quite unique features, hence they are the leaders in the Gartner Magic Quadrant. But when it comes to routing, they need some really good enhancements.
In the above scenario the Palo Alto firewall works well as an ABR with PAN-OS 6.x: it can form an OSPF adjacency with the Area 5 router (R3). However, it does not support ECMP for the OSPF and BGP routing protocols. Only one router is used to route the traffic. The other router forms an adjacency with the Palo Alto firewall, but traffic is never routed through it until the active router fails.
In order to support ECMP one needs to upgrade the Palo Alto firewall to PAN-OS 7.x. Upgrading may fix the ECMP issue with additional configuration, but at the same time the firewall fails to work as an ABR: it will never form an OSPF adjacency with the Area 5 router (R3).
Currently, with PAN-OS 6.x or 7.x, one cannot use the above-mentioned scenario; one has to compromise either on ECMP by using PAN-OS version 6.x, or change the routing design by not using the Palo Alto firewall as an ABR with PAN-OS version 7.x.
Note: These are my observations and my views, which might not hold for other kinds of network designs.
When it comes to the Palo Alto Networks firewall, we all know PAN-OS 6.x is a quite stable version. Palo Alto announced PAN-OS version 7 almost 8 months back, but I see very few people using this version of PAN-OS.
Those who are considering a migration from PAN-OS 6.x to PAN-OS 7.x need to be very careful, as some interesting issues might occur. Recently I tried a migration from 6.1.7 to 7.0.2 and finally planned to migrate to PAN-OS 7.0.4, but ended up with some issues which forced me to revert to the old version, PAN-OS 6.1.7.
There are some bugs in PAN-OS 7.0.2 which Palo Alto has not yet reported on their website, nor is their TAC team aware of them. One such bug or issue is related to OSPF.
One should never consider using a Palo Alto firewall with PAN-OS 7.x as an ABR. Palo Alto never forms an adjacency with its neighbors in a non-zero area: the Palo Alto firewall gets stuck in the Exchange state with its neighbor and never goes into the Two-Way or Full OSPF state. Even if you restart the OSPF process nothing changes; the firewall is always stuck in the Exchange state. Interestingly, it was forming an adjacency with an Area 0 router.
In the above scenario, the Palo Alto firewall with PAN-OS 7.0.2 will never form an OSPF adjacency with its peer router R3 in Area 5 unless you downgrade the PAN-OS of the Palo Alto firewall to 6.x. However, you will notice that with the same PAN-OS version 7.0.2 the Palo Alto firewall forms an OSPF adjacency with R1, which is in Area 0.
So far I haven't found a fix for this issue; the only way I could use the Palo Alto firewall as an ABR is to downgrade it to PAN-OS 6.1.7. Hopefully Palo Alto comes out with a solution for this issue.
When it comes to using Equal Cost Multipath in Palo Alto firewalls, one needs to be very careful, as this feature is not available in all PAN-OS versions by default. Most network engineers assume ECMP is supported by default, and they are shocked to discover ECMP is not working when they configure or enable it using either OSPF or BGP on a Palo Alto firewall running the PAN-OS 6.x train.
You don't need to panic: Palo Alto doesn't support ECMP on PAN-OS 6.x or any earlier PAN-OS train. Palo Alto introduced Equal Cost Multipath (ECMP) as a new feature in PAN-OS 7.0. The Palo Alto firewall supports a maximum of 4 equal-cost paths and supports this for the OSPF and BGP protocols.
One can use Equal Cost Multipath to increase throughput and redundancy and to reduce convergence times. This feature can also substantially increase bandwidth performance by load-balancing traffic over multiple paths.
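To make the difference between the two behaviours concrete, here is an added example (my own illustration, not PAN-OS code and not a description of how PAN-OS implements ECMP internally). It models a tiny routing table with two equal-cost paths: with ECMP off only the first path forwards traffic, which is the PAN-OS 6.x behaviour described above; with ECMP on, each flow is hashed onto one of at most four next hops and stays there. The routing table, the addresses and the per-flow hashing choice are all assumptions for the example.

```python
"""Equal-cost multipath next-hop selection, as an added illustration.

Not PAN-OS code. Models the behaviour the post describes: with ECMP off only
the first equal-cost route forwards traffic; with ECMP on a flow is hashed
onto one of at most MAX_ECMP_PATHS (4) next hops and stays there. The RIB,
addresses and hash-per-flow choice are assumptions made for the example.
"""
import hashlib
import ipaddress
from typing import Dict, List, Tuple

MAX_ECMP_PATHS = 4   # limit stated in the post for PAN-OS 7.0

# Constructed RIB entries: (prefix, cost, next hop). Two equal-cost paths to 10.20.0.0/16.
RIB: List[Tuple[str, int, str]] = [
    ("10.20.0.0/16", 20, "192.0.2.1"),
    ("10.20.0.0/16", 20, "192.0.2.2"),
    ("10.20.0.0/16", 30, "192.0.2.3"),   # higher cost: only used if both cost-20 paths vanish
    ("0.0.0.0/0", 1, "198.51.100.1"),
]

Flow = Tuple[str, str, str, int, int]   # src_ip, dst_ip, proto, sport, dport


def best_paths(dst_ip: str) -> List[str]:
    """Longest-prefix match, then keep the lowest-cost next hops (the ECMP candidates)."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(prefix), cost, nh) for prefix, cost, nh in RIB
               if dst in ipaddress.ip_network(prefix)]
    if not matches:
        return []
    longest = max(net.prefixlen for net, _, _ in matches)
    same_len = [(cost, nh) for net, cost, nh in matches if net.prefixlen == longest]
    best_cost = min(cost for cost, _ in same_len)
    return [nh for cost, nh in same_len if cost == best_cost][:MAX_ECMP_PATHS]


def flow_hash(flow: Flow) -> int:
    """Deterministic 5-tuple hash so every packet of a flow lands on the same path."""
    key = "|".join(str(field) for field in flow).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def select_next_hop(flow: Flow, ecmp_enabled: bool) -> str:
    """Pick the forwarding next hop for one flow."""
    paths = best_paths(flow[1])
    if not paths:
        raise LookupError(f"no route to {flow[1]}")
    if not ecmp_enabled:
        return paths[0]              # single active path: the PAN-OS 6.x behaviour in the post
    return paths[flow_hash(flow) % len(paths)]


def distribute(flows: List[Flow], ecmp_enabled: bool) -> Dict[str, int]:
    """Count how many flows each next hop receives."""
    counts: Dict[str, int] = {}
    for flow in flows:
        nh = select_next_hop(flow, ecmp_enabled)
        counts[nh] = counts.get(nh, 0) + 1
    return counts


# Constructed sample: 200 DNS flows from one client, differing only in source port.
SAMPLE_FLOWS: List[Flow] = [("10.1.1.1", "10.20.5.5", "udp", 40000 + i, 53) for i in range(200)]

if __name__ == "__main__":
    print("ECMP off:", distribute(SAMPLE_FLOWS, ecmp_enabled=False))
    print("ECMP on: ", distribute(SAMPLE_FLOWS, ecmp_enabled=True))
```

Note that the cost-30 route and the default route never appear in the result: longest-prefix match and lowest cost are applied before the ECMP candidate list is built, so only genuinely equal-cost routes share traffic.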
Recently Cisco announced their first fully integrated, threat-focused Cisco Firepower™ Next-Generation Firewall (NGFW). It's good to see Cisco jumping into the next-generation firewall business; despite being late to this segment, it's quite interesting to see how Cisco is going to capture the next-generation firewall market. We can see leaders like Palo Alto and Check Point doing great in this segment. For sure Cisco is going to put up a tough fight, and I believe they hold an upper hand, especially when it comes to integration with the campus network. Products like Cisco Identity Services Engine (ISE) and AMP will add more value to their NGFW.
The good thing I see with the newly announced 4100 Series NGFW is the throughput they offer and also the size of the firewall. Most of them are 1U firewalls that can offer throughput of up to 60 Gbps and can also work at 40 Gbps speed.
The coming days will show how Cisco is going to capture the market, as leaders like Palo Alto are far ahead in the next-generation firewall race.
Cisco VIRL is going one step closer to providing its services in the cloud, which will open new opportunities for many of us, especially those who want to test complex scenarios and don't have powerful hardware to run them. VIRL is now available on Packet's bare-metal cloud platform, which certainly helps end users, as they pay only for what they use and deployment time is reduced.
In order to run VIRL in the cloud one needs to register for a Packet account and have a valid VIRL license key. The setup procedure will be provided by the VIRL team, and they claim it's a quite easy deployment.
Hurry up, as the VIRL license node limit will be doubled for free: when I use my VIRL key on Packet, it will be increased from 20 to 40.
Register for free and receive $25 usage credit today on Packet: https://www.packet.net/promo/virl/
In the below example, a single DNS query packet is querying the domain www.yasirirfan.com. This packet contains all the information a Palo Alto Networks firewall needs to identify the app; by inspecting the UDP packet below it can determine whether the packet is genuine and is using DNS as an application to perform a query.
We can see the source IP, destination IP address and destination port number, along with the application identified by the Palo Alto Networks firewall. Once the application is identified, the traffic is processed by the security policy. By using this approach Palo Alto Networks firewalls are quite effective in stopping evasive applications.
The good thing about the Palo Alto Networks firewall is that, for UDP-based applications, it mostly needs only one UDP packet to identify the application.
Yesterday I received an email from Cisco Security Advisories about a critical vulnerability in the IKE version 1 and IKE version 2 code of ASA Software, which could allow an unauthenticated remote attacker to reload or even execute code remotely on an affected ASA firewall.
Those who are terminating their VPN tunnels using either IKEv1 or IKEv2 for any of the following VPN tunnel types:
- LAN-to-LAN IPsec VPN
- Remote access VPN using the IPsec VPN client
- Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
- IKEv2 AnyConnect
should immediately check whether their ASAs are affected. If so, they should upgrade the ASA, as there is no other fix from Cisco.
The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.
The following ASA software releases are affected; one should upgrade immediately to the recommended release.
| Cisco ASA Major Release | First Fixed Release |
|---|---|
| 7.2 | Affected; migrate to 9.1(7) or later |
| 8.2 | Affected; migrate to 9.1(7) or later |
| 8.3 | Affected; migrate to 9.1(7) or later |
| 8.6 | Affected; migrate to 9.1(7) or later |
Further details can be found at the below URL:
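As an added example (my own, not a Cisco tool), here is a small check that turns the table above into something you can run against a version string or the first line of `show version` output. It knows only what the table says: the 7.2, 8.2, 8.3 and 8.6 major releases are affected and should migrate to 9.1(7) or later; anything in another train is reported as "not covered" rather than guessed, so the full advisory still has to be consulted for those. The ASA version format `major.minor(interim[.build])`, such as `9.1(7)` or `8.2(5.55)`, is assumed, and the sample banner is constructed.

```python
"""Compare an ASA software version against the fix table in the post.

Added example, not a Cisco tool. It encodes only the post's table (7.2, 8.2,
8.3 and 8.6 affected; migrate to 9.1(7) or later). The version format
"major.minor(interim[.build])" is assumed; the sample banner is constructed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")
AFFECTED_MAJORS = {(7, 2), (8, 2), (8, 3), (8, 6)}   # major releases listed in the post
FIRST_FIXED: Version = (9, 1, 7, 0)                   # 9.1(7)


def parse_asa_version(text: str) -> Optional[Version]:
    """Pull the first ASA-style version out of free text as a comparable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, interim, build = m.groups()
    return (int(major), int(minor), int(interim), int(build or 0))


def fmt(v: Version) -> str:
    """Render a version tuple back in ASA notation, e.g. 8.2(5.55)."""
    major, minor, interim, build = v
    return f"{major}.{minor}({interim}{'.' + str(build) if build else ''})"


def assess(text: str) -> str:
    """Map a version string (or a 'show version' banner) to the post's guidance."""
    v = parse_asa_version(text)
    if v is None:
        return "unknown: no ASA version string found"
    if v[:2] in AFFECTED_MAJORS:
        return f"affected: {fmt(v)} is a listed release; migrate to 9.1(7) or later"
    if v[:2] == FIRST_FIXED[:2]:
        if v >= FIRST_FIXED:
            return f"fixed: {fmt(v)} is at or above 9.1(7)"
        return f"not covered: {fmt(v)} is below 9.1(7); check the full advisory"
    return f"not covered: {fmt(v)} is not in the post's table; check the full advisory"


# Constructed banner in the style of the first line of ASA 'show version' output.
SAMPLE_BANNER = "Cisco Adaptive Security Appliance Software Version 8.2(5)"

if __name__ == "__main__":
    for text in (SAMPLE_BANNER, "9.1(7)", "9.1(6.11)", "9.4(2)"):
        print(f"{text!r:62} -> {assess(text)}")
```

The tuple comparison is what makes this useful beyond a table lookup: interim and build numbers sort correctly, so `9.1(6.11)` is recognised as older than `9.1(7)` even though the string "6.11" sorts after "7" lexically.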
When it comes to treating an application, every vendor has its own way. Most traditional firewalls treat applications based mostly on port numbers. For example, a traditional firewall treats DNS as a port 53 application, and a rule is configured in the traditional firewall to allow port 53 for DNS traffic. Suppose an evasive application like BitTorrent attempts to use port 53 for P2P file sharing. The traditional firewall cannot stop the evasive application unless an external IPS appliance is involved.
However, Palo Alto Networks next-generation firewalls treat an application in a different way. First of all, Palo Alto defines an application as
"a specific program or feature that can be detected, monitored and blocked if required"
This approach of Palo Alto towards applications is what makes them outstanding, and hence they are the leaders when it comes to next-generation firewalls. To date they are the leaders even in the Gartner Magic Quadrant.
By adopting multiple tactics to classify an application, Palo Alto Networks next-generation firewalls, when configured to allow only DNS as an application, are in a position to block all kinds of traffic on port 53 except DNS.
Palo Alto Networks next-generation firewalls have complete visibility of the entire traffic flow and pattern, hence they are very effective as next-generation firewalls.
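The single-packet DNS example earlier and the port 53 discussion here make the same point, so one added example serves both. It is my own illustration, not Palo Alto Networks code, and it makes no claim about how App-ID is implemented internally: it contrasts a port-based rule ("anything to port 53 is DNS") with a rule that first checks whether the datagram is a well-formed DNS query, the way the www.yasirirfan.com query above would be inspected. The sample packets, function names and the allowed-application list are constructed for the example.

```python
"""Port-only versus payload-aware classification of UDP/53 traffic.

Added illustration, not Palo Alto Networks code. A minimal DNS query parser
stands in for the signature step: traffic is 'dns' only if its payload parses
as a standard query, regardless of port. Packets and names are constructed.
"""
import struct
from typing import Optional, Tuple

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a constructed standard DNS query (QR=0, opcode 0, RD=1) for an A record."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_dns_query(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (qname, qtype) if payload is a well-formed standard DNS query, else None."""
    if len(payload) < DNS_HEADER.size:
        return None
    _txid, flags, qdcount, ancount, _ns, _ar = DNS_HEADER.unpack_from(payload)
    qr = flags >> 15                  # 0 = query, 1 = response
    opcode = (flags >> 11) & 0xF      # 0 = standard query
    if qr != 0 or opcode != 0 or qdcount != 1 or ancount != 0:
        return None
    pos, labels = DNS_HEADER.size, []
    while True:                       # QNAME: <len><label>... ended by a zero length byte
        if pos >= len(payload):
            return None               # truncated name
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):   # RFC 1035 label limit / truncation
            return None
        label = payload[pos:pos + length]
        if not label.isascii() or not label.decode("ascii").replace("-", "").isalnum():
            return None               # hostname labels only; anything else is not a plain query
        labels.append(label.decode("ascii"))
        pos += length
    if not labels or pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack_from("!HH", payload, pos)
    if qclass != 1:                   # only the IN class is expected here
        return None
    return ".".join(labels), qtype


def classify_by_port(dst_port: int) -> str:
    """What a port-based rule concludes: anything sent to port 53 is 'dns'."""
    return "dns" if dst_port == 53 else "unknown"


def classify_by_payload(dst_port: int, payload: bytes) -> str:
    """Payload-aware classification; dst_port is deliberately ignored, the content decides."""
    if parse_dns_query(payload) is not None:
        return "dns"
    return "unknown-udp"


def policy_decision(dst_port: int, payload: bytes, allowed_apps=("dns",)) -> Tuple[str, str]:
    """Apply an allow-list of applications to one UDP datagram."""
    app = classify_by_payload(dst_port, payload)
    return app, ("allow" if app in allowed_apps else "deny")


# Constructed sample traffic: a genuine query, and arbitrary non-DNS bytes aimed at port 53.
GENUINE_QUERY = build_dns_query("www.yasirirfan.com")
NON_DNS_ON_53 = bytes(range(20))

if __name__ == "__main__":
    for label, pkt in (("genuine query", GENUINE_QUERY), ("non-DNS payload", NON_DNS_ON_53)):
        print(f"{label:16} port-rule={classify_by_port(53):8} app-rule={policy_decision(53, pkt)}")
```

The port-based rule allows both datagrams; the payload-aware rule allows only the one that is actually a DNS query, and it would still classify a genuine query as DNS if it arrived on some other port, which is the port-independence the post is describing.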