Palo Alto: Vsys & Shared Gateway – Zones, Policies, and Logs

It was not easy for me to understand the type of zones and “from – to” policy definitions when working with a Palo Alto firewall that has multiple vsys’s and shared gateways. I was missing an at-a-glance picture that shows which zones to use. (Though this document describes the whole process quite well.) So, here comes one…

Grep Commands for Cisco ASA Syslog Messages

In a basic environment with a Cisco ASA firewall I am logging everything to a syslog-ng server. As there aren’t any reporting tools installed, I am using grep to filter the huge amount of syslog messages in order to get the information I want to know. In this blog post I list a few greps for getting the interesting data.

Basic syslog-ng Installation

This post shows a guideline for a basic installation of the open source syslog-ng daemon in order to store syslog messages from various devices in a separate file for each device.

I am using such an installation for my routers, firewalls, etc., to have an archive with all of its messages. Later on, I can grep through these logfiles and search for specific events. Of course it does not provide any built-in filter or correlation features – it is obviously not a SIEM. However, as a first step, I think it’s better than nothing. ;)

Juniper ScreenOS Firewall autocorrects Route Entries

I was a bit confused today as I saw a “wrong” route entry in the config of an SSG firewall. The route did not have the correct “network/netmask” notation but a “host-address/netmask-of-the-network” notation. However, the SSG autocorrected this false route entry to the correct subnet id in its routing table.

S2S VPN Juniper ScreenOS - Cisco Router w VTI

IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router w/ VTI

And finally: A route-based VPN between a Juniper ScreenOS SSG firewall and a Cisco router with a virtual tunnel interface (VTI). Both sides with tunnel interfaces and IPv4 addresses. Both sides with a real routing entry in the routing table. Great. ;)

(The VPN between those two parties without a tunnel interface on the Cisco router is documented here. However, use the route-based VPN where you can. It is easier and more flexible. Routing decisions based on the routing table. This is how it should be.)

S2S VPN Palo Alto - Cisco Router w VTI

IPsec Site-to-Site VPN Palo Alto <-> Cisco Router w/ VTI

One more VPN article. Even one more between a Palo Alto firewall and a Cisco router. But this time I am using a virtual tunnel interface (VTI) on the Cisco router which makes the whole VPN set a “route-based VPN”. That is: Both devices decide their traffic flow merely based on the routing table and not on access-list entries. In my opinion, this is the best way to build VPNs, because there is a single instance (the routing table) on which a network admin must rely in order to investigate the traffic flow.

Note that I also wrote a blog post about the “policy-based VPN” between a Cisco router and the Palo Alto firewall. This here is mostly the same on the Palo Alto side while some other commands are issued on the Cisco router.

Juniper NSM: Exclamation Mark due to Attack Database Version Mismatch

Short and very specific notice: How to remove the exclamation marks on the Juniper NSM device list for firewalls that have an outdated attack database version. This happens if the license for the deep inspection expires and the device still has an old sigpack version. Since the NSM later on has newer ones, it marks the firewall with a yellow symbol. To have a consistent “green” view of all firewalls, the following steps can be done to remove the exclamation mark.

Portable Autofanfare

What do a World Cup and a wedding have in common? After a few minutes in the motorcade, the stadium horn is empty!

Since I always like to be at the front when it comes to volume, over the past years I had one or another “classic” stadium horn, i.e. a horn driven by a small compressed-air canister. My problem with it was always: either I had a few minutes of great fun and then it was over, or I constantly had to watch for even usage so that there was still gas left after 20 minutes. An alternative was needed!

So I bought a two-tone car air horn including compressor on eBay. At the car scrapyard I got an old but working car battery for little money. So now I have an almost endlessly honking horn whose volume is really convincing! :)

S2S VPN Cisco Router - FritzBox

IPsec Site-to-Site VPN Cisco Router <-> AVM FRITZ!Box

The title already says it all: it is about establishing an S2S tunnel between a Cisco router (static IPv4) and a FRITZ!Box (dynamic IP). Below I list all commands for the IOS router as well as the configuration file for the FRITZ!Box. For a somewhat more detailed description of the VPN on the FRITZ!Box, I refer to this article of mine, in which I set up a VPN to a different product but went into the configuration steps in a bit more detail.

S2S VPN Juniper ScreenOS - Cisco Router

IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router

Similar to all my other site-to-site VPN articles, here are the configurations for a VPN tunnel between a Juniper ScreenOS SSG firewall and a Cisco IOS router. Due to the VPN Monitor of the SSG firewall, the tunnel is established directly after the configuration and stays active all the time without the need for “real” traffic.

I am using the policy-based VPN solution on the Cisco router and not the virtual tunnel interface (VTI) approach. That is: No route is needed on the router while the Proxy IDs must be set on the Juniper firewall. (However, I also documented the route-based VPN solution between a ScreenOS firewall and a Cisco router here.)
