Once more some throughput tests, this time the Palo Alto Networks firewalls site-to-site IPsec VPN. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and tested the bandwidth of different IPsec phase 2 algorithms. Compared to the official data sheet information from Palo Alto that state an IPsec VPN throughput of 50 Mbps, the results are really astonishing.
After I have done some speedtests on the FortiGate firewall I was interested in doing the same tests on a Palo Alto. That is: What are the throughput differences of IPv4 vs. IPv6, measured with and without security profiles, i.e., with and without threat prevention.
It turned out that the throughput is much higher than the official information from Palo Alto. Furthermore, I was not able to test the threat prevention at all, because non of my traffic (Iperf and mere HTTP) went through the antivirus engines. I have to test this again. However, here are the measured values so far:
Auch ich merke, dass ich älter werde. Mittlerweile ist es soweit, dass Technik, die “zu meiner Jugendzeit” hochaktuell war, total veraltet ist. Ein schönes und für mich trauriges Beispiel ist die Maglite. DIE Taschenlampe der Cops in den USA, welche man sogar als Schlagstock verwenden kann! Längst wurde sie durch eine high-tech LED Taschenlampe (in meinem Fall eine ThruNite) ersetzt. Hier ein paar Abschiedszeilen…
Nachdem meine selbst gebauten ADS-B Antennen bereits sehr gut laufen hat mich jemand auf die Idee gebracht, mal eine speziell auf diesen Frequenzbereich zugeschnittene ADS-B Antenne bei eBay zu kaufen (siehe diesen Kommentar). In der Tat ist man mit wenigen Euros bereits dabei. Ob eine solche semi-professionelle Antenne einen weiteren Empfangsbereich als meine Antenne bringt musste in einem Vergleichstest bewiesen werden.
Juchu, endlich mal wieder ein Bastelprojekt. Für den Spielzeug-Synthesizer Monotron von Korg gibt es eine kleine Platine namens MIDI-IF, die anstelle des nicht ernsthaft zu spielenden Ribbon-Controller ein MIDI-Keyboard als Eingabequelle verwenden kann. Sprich: Man kann richtige Töne damit spielen, da man die Tasten einer Klaviatur natürlich viel besser bedienen kann als den Ribbon-Controller, bei dem man nur ungefähr die richtige Taste treffen kann. Für knapp 30,- € (inkl. Versand) und ein paar Stunden Löt- und Bastelarbeit kann man loslegen.
Zusätzlich habe ich die Schose in ein Alugehäuse gebaut und mit einer DI-Box versehen. Somit kann es direkt groß losgehen. 😉
Sometimes you want to reinstall your Raspberry Pi without switching the SD-card or via remote since it is located on another physical location. Here is a solution to reinstall the operating system remotely.
Since almost two years I am running a RIPE Atlas Probe in my server room. It resides in an own security zone on a Palo Alto firewall (which also powers the probe via its USB port :)). With this post I publish a few traffic statistics about the RIPE Atlas Probe.
I had an error on my PA-200 with PAN-OS 7.0.5 while trying to download a new firmware version. “Error: There is not enough free disk space to complete the desired operation. […]”. Even the tips to delete older software, dynamic updates, etc., and to use the “set max-num-images count” command did not lead to a successful download.
Finally, the TAC support could solve the problem via root access to the Palo Alto firewall and by manually moving data files…
I really love ping! It is easy to use and directly reveals whether the network works or not. Refer to Why Ping is no Security Flaw! (But your Friend) and Advanced Tracerouting. At least outgoing pings (from trust to untrust) should be allowed without any security concerns. However, many companies are denying these ICMP echo-requests from untrust into the DMZ which makes it difficult to test whether all servers are up and running.
I was sitting at the customer’s site replacing the DMZ firewall. Of course I wanted to know (from the outside) whether all servers are connected correctly (NAT) and whether the firewall permits the connections (policy). However, ping was not allowed. Therefore I used several layer 7 ping tools that generate HTTP, DNS, or SMTP sessions (instead of ICMP echo-requests) and revealed whether the services (and not only the servers) were running. Great!
This post shows the installation and usage of httping, dnsping, and smtpping on a Linux machine, in my case a Ubuntu server 14.04.4 LTS, as well as some Wireshark screenshots from captured sessions.
The most common transition method for IPv6 (that is: how to enable IPv6 on a network that does not have a native IPv6 connection to the Internet) is a “6in4” tunnel. Other tunneling methods such as Teredo or SixXS are found on different literatures as well. However, another method that is not often explained is to tunnel the IPv6 packets through a normal VPN connection. For example, if the main office has a native IPv6 connection to the Internet as well as VPN connections to its remote offices, it is easy to bring IPv6 subnets to these stations. Here comes an example with two Palo Alto firewalls.
Migrating from Juniper ScreenOS firewalls to FortiGates, there are some differences to note with static NATs, i.e., Mapped IPs (MIPs) on a Netscreen and Virtual IPs (VIPs) on a FortiGate. While the Juniper MIPs on an interface are always used by the firewall whenever a packet traverses the interface, the virtual IP objects on a FortiGate must be used at least once in the security policy before they are really used by the firewall.
On the FortiGate firewall, address objects and virtual IPs (VIPs) can be set up with an interface. For address objects this has no technical relevance – the address objects simply only appear on policies if the appropriate interface is selected. But for virtual IPs, this setting has relevance on how connections are NATed. This can be problematic.
Just a short post this time, but an interesting fact concerning different Internet Service Providers (ISPs) and their routing to/from other countries. I have a customer in Germany that has a remote office in France, connected via a site-to-site VPN. Around April last year the french office decided to change the ISP to a cheaper competitor that offers the same speed/bandwidth and therefore has no disadvantages… Well, I disagree.
I was interested in the performance of my FortiGate firewall when comparing IPv4 and IPv6 traffic. Therefore I built a small lab consisting a FortiWiFi 90D firewall and two Linux clients running Iperf. I tested the network throughput for both Internet Protocols in both directions within three scenarios: 1) both clients plugged into the same “hardware switch” on the FortiGate, 2) different subnets with an “allow any any” policy without any further security profiles, and finally, 3) activating antivirus, application control, IPS, and SSL inspection.