
Palo Alto: Save & Load Config through CLI

When working with Cisco devices, everyone knows that the output of a “show running-config” on one device can be used to completely configure a new device. On a Palo Alto Networks firewall, this is not that obvious. Several commands must be used to achieve the same result.

However, I tested this procedure a few times and it did NOT work. :( So, the short version is: If you want to replace a Palo Alto firewall, move your configuration files (xml) through the GUI or tftp/scp. But do not use the mere CLI.



Site-to-Site VPNs with Diffie-Hellman Groups 19 & 20 (Elliptic Curve)

Similar to my test with Diffie-Hellman group 14 shown here I tested a VPN connection with the elliptic curve Diffie-Hellman groups 19 and 20. The considerations why to use these DH groups are listed in the just mentioned post – mainly because of the higher security level they offer. I tested the site-to-site IPsec connections with a Juniper ScreenOS firewall and a Fortinet FortiGate firewall. (Currently, neither the Palo Alto nor the Cisco ASA support these groups.)



“IPv6-Präfixe würfeln” – What Is the Point?

For months, heise online has been showing a link on the right-hand side to an article called “IPv6-Präfixe würfeln” (“rolling dice for IPv6 prefixes”). It is about having OpenWRT randomize part of the IPv6 prefix at certain intervals, so that ordinary IPv6 clients not only change the interface ID of their address regularly via privacy extensions, but the subnet ID as well. Since this idea brings no privacy benefit whatsoever, I want to write a few words about it here.


Palo Alto PANOS 6.1.2: No more SSLv3/POODLE

Another fixed issue in the just released PANOS version 6.1.2 from Palo Alto Networks is bug ID 71321: “Removed support for SSL 3.0 from the GlobalProtect gateway, GlobalProtect portal, and Captive Portal due to CVE-2014-3566 (POODLE).” I scanned my lab unit before (6.1.1) and after the OS upgrade (6.1.2) and here are the results.


Minor Palo Alto Bug concerning IPv6 MGT

A few months ago I found a small bug in PANOS, the operating system from Palo Alto Networks. It is related to an IPv6-enabled management interface: the MGT address was not reachable when the firewall operated in layer 2 mode, that is, had layer 2 interfaces along with VLANs. Luckily, this bug is fixed in the new software version 6.1.2, which was released this week (bug ID 67719).

Following are a few listings that show the incomplete handling of the IPv6 neighbor cache of the MGT interface in the old version (pre 6.1.2).


IPsec Site-to-Site VPN FortiGate <-> Cisco Router

This blog post shows how to configure a site-to-site IPsec VPN between a FortiGate firewall and a Cisco router. The FortiGate is configured via the GUI – the router via the CLI. I am showing the screenshots/listings as well as a few troubleshooting commands.


Logfile Parsing

While parsing logfiles on a Linux machine, several commands are useful in order to get the appropriate results, e.g., searching for concrete events in firewall logs.

In this post, I list a few standard parsing commands such as grep, sort, uniq, and wc, and present a few examples of how these small tools can be used. However, building large command pipes is mostly a matter of trial and error. ;)
