[Palo Alto] Bytes needed for unknown-tcp

Reference: https://live.paloaltonetworks.com/t5/Management-Articles/What-does-the-Number-of-Bytes-in-the-Traffic-Log-represent/ta-p/56208 https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711 I have a rule that uses icmp/ping/traceroute as the application, but the service is set to Any instead of the correct "application-default", so nmap shows that a lot of ports are open. I use telnet to the target on the port and keep pressing enter to send data across the firewall. The firewall …

Palo Alto Networks: Active/Active High Availability

Scenario The pair of PA5050 firewalls sits at the edge of the network; downstream of the PA5050 pair are a pair of Cisco Catalyst 6506 and a pair of Cisco Catalyst 4506 switches. The diagram is illustrated below. The pair of Cisco Catalyst 6506 is configured as a virtual switching system, which unifies the …

Palo Alto Networks: OSPF and L3 Link aggregation

The previous post about Cisco VSS covered integrating it with Palo Alto firewalls. Layer 3 link aggregation on a PA firewall Click on the Network tab and select Interfaces from the menu on the left. There is an "Add Aggregate Group" button at the bottom of the page; it is easy to miss. After the link aggregation link …

Palo Alto Networks: Mocked up project task

Introduction An organisation has gone through a gap analysis by a consultant and has engaged your company to do the phase 1 implementation based on the consultant's treatment plan. This is a new office for the organisation. The implementation is broken down into phases; you will first implement phase 1. Scope 1. Implement VLANs to segregate networks. 2. …

Palo Alto Networks: Ping firewall interface

Suppose you want to verify that your packet actually reaches the untrust interface of a Palo Alto Networks firewall. You can have the untrust interface of the firewall send an echo reply by using the set network profiles interface-management-profile command. Firewall policy does not influence whether the firewall sends the echo reply back to the originator. Note that …

Palo Alto Networks: Configuration basics

Configuring Layer 3 interfaces Command line interface Web interface Click on the Network tab, then select Interfaces. Define a zone for the L3 interface Command Line Interface Web Interface Click Network, then select Zones; you can create your own zone or use the default trust and untrust zones. Create a virtual router to define the default route Command Line Interface Web …

Palo Alto Networks: NAT policy using dynamic IP and port (PAT in Cisco)

Dynamic NAT translation using IP and port To allow a single routed interface IP address to be reused for translation several times, the layer 4 information is attached to the source address. This is easily done in the web interface; in the CLI, however, the hierarchy is quite hard to find. NAT is under the rulebase …

Palo Alto Networks: Layer3 interface

Change the default interface to a routed interface By default the PA5050 comes pre-configured with a virtual-wire pair on ethernet1/1 and ethernet1/2. I want to change this to layer 3 instead; a layer 3 interface is also known as a routed port. Reconfiguration Suppose you have misconfigured an uncommitted configuration: you cannot simply use the set command and assume the configuration will be replaced …

Palo Alto Networks: Virtual wire pair

Virtual Wire This is exactly the same technique used by an intrusion detection system, but instead of an IPS it is applied to the Palo Alto firewall. The technique is also known as bump-in-the-wire: a pair of physical interfaces is paired as a single "wire", so that to the switch and router connected to the virtual wire firewall …