Posts

Showing posts from January, 2018

How to configure Site-to-Site VPN on Cisco ASA?

Access-Lists
Add the ACLs which we will need for NAT, the encryption domain and the group policy.
access-list Example_Policy_ACL extended permit tcp object-group Local_LAN object-group Remote_LAN eq 80
access-list Example_Policy_ACL extended deny ip any any
access-list Example_VPN_ACL permit ip object-group Local_LAN object-group Remote_LAN
Group Policy
Create your group policy which will restrict traffic between hosts within your encryption domain.
group-policy Example_Policy internal
group-policy Example_Policy attributes
vpn-filter value Example_Policy_ACL
default-group-policy Example_Policy
NAT
Add your No NAT for traffic within the encryption domain.
nat (outside) 0 access-list Example_VPN_ACL
Tunnel Group
Create your tunnel group which will include your pre-shared key.
tunnel-group [Peer IP] type ipsec-l2l
tunnel-group [Peer IP] general-attributes
default-group-

What is a DoS attack? How can it be prevented?

A DoS (Denial of Service) attack can be generated by sending a flood of data or requests to a target system, consuming or crashing the target system's resources. The attacker often uses IP spoofing to conceal their identity when launching a DoS attack.

What is the difference between DoS and DDoS attacks?

In a Denial of Service (DoS) attack, a hacker uses a single Internet connection to either exploit a software vulnerability or flood a target with fake requests—usually in an attempt to exhaust server resources (e.g., RAM and CPU). On the other hand, Distributed Denial of Service (DDoS) attacks are launched from multiple connected devices that are distributed across the Internet. These multi-person, multi-device barrages are generally harder to deflect, mostly due to the sheer volume of devices involved. Unlike single-source DoS attacks, DDoS assaults tend to target the network infrastructure in an attempt to saturate it with huge volumes of traffic. DDoS attacks also differ in the manner of their execution. Broadly speaking, DoS attacks are launched using homebrewed scripts or DoS tools (e.g., Low Orbit Ion Cannon), while DDoS attacks are launched from botnets—large clusters of co

How to modify the SSH/HTTP/Telnet timeout in a Cisco ASA firewall?

By default the TCP idle timeout is 1:0:0 (hh:mm:ss). If you need to modify it you can do so with MPF (Modular Policy Framework). Let us set up a custom timeout for traffic coming from a particular host, 10.77.241.129.
!— Match the traffic using the access-list —!
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq ssh
port-object eq telnet
access-list outside_mpc extended permit tcp host 10.77.241.129 <source ip> any object-group DM_INLINE_TCP_1
!— Define the class map Cisco-class —!
class-map Cisco-class
match access-list outside_mpc
!— Call this class-map into the policy map and set the connection reset after 10 min when traffic is coming from the particular host —!
policy-map Cisco-policy
class Cisco-class
set connection timeout idle 0:10:00 reset
!— Apply the policy-map Cisco-policy on the interface. —!
service-policy Cisco-polic

How to set up Internet access through the Cisco ASA firewall?

Basic guidelines for setting up Internet access through the Cisco ASA firewall: first we need to configure the interfaces on the firewall.
!— Configure the outside interface.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.165.200.226 255.255.255.224
!— Configure the inside interface.
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or DMZ. Security levels are numeric values, ranging from 0 to 100, used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security l

How to enable multiple context in the Cisco ASA firewall

Your Cisco ASA firewall may already be configured for multiple security contexts, depending on how you ordered it from Cisco, but if you are upgrading then you might need to convert from single mode to multiple mode. The context mode (single or multiple) is not stored in the configuration file, even though it does survive reboots. If you need to copy your configuration to another device, set the mode on the new device to match with the mode command. When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup

How to enable logging in Palo Alto Networks Firewall?

When it comes to live troubleshooting, or to ensuring that certain traffic is either blocked or allowed, one relies heavily on logs. Palo Alto Networks firewalls provide very good logging options and fields, and they are quite easy to read and understand. By default, when someone creates a security policy, the Palo Alto Networks firewall logs the details at the end of the session, so one does not need to enable logging for that; if you want to monitor the session from the moment it started, then you have to enable it. One can enable logging directly from the security policy one creates, as shown below

What are the modes in which interfaces on Palo Alto can be configured?

When configuring the Ethernet ports on your firewall, you can choose from virtual wire, Layer 2, or Layer 3 interface deployments. In addition, to allow you to integrate into a variety of network segments, you can configure different types of interfaces on different ports. The following sections provide basic information on each type of deployment.
-Virtual Wire Deployments
-Layer 2 Deployments
-Layer 3 Deployments
Virtual Wire Deployments
In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together. By using a virtual wire, you can install the firewall in any network environment without reconfiguring adjacent devices. If necessary, a virtual wire can block or allow traffic based on the virtual LAN (VLAN) tag values. You can also create multiple subinterfaces and classify traffic according to an IP Address (

Etherchannel

There are three types of Etherchannel negotiation mechanism:
PAgP (Port Aggregation Protocol) – Cisco's proprietary negotiation protocol
LACP (Link Aggregation Control Protocol) – Standards-based negotiation protocol
Static Persistence ("On") – No negotiation protocol is used
There are two types of Etherchannels: 1) Layer 2  2) Layer 3
1) Layer 2 Etherchannels:
Switch1(config)# interface range gigabitethernet0/1 -4
Switch1(config-if-range)# switchport access vlan 100
Switch1(config-if-range)# channel-group 5 mode ?
active – Enable LACP unconditionally
auto – Enable PAgP only if a PAgP device is detected
desirable – Enable PAgP unconditionally
on – Enable Etherchannel only ("Manual On Mode")
passive – Enable LACP only if a LACP device is detected
Switch1(config-if-range)# channel-group 5 mode desirable
2) Layer 3 Etherchannels:
Switch1(config)# interface port-channel 2
Switch1(config-if)# no switchport
Switch1(config-i

Common switch troubleshooting commands

For CPU related issues:
show process cpu sorted
show process cpu history
show platform port-asic stats drop
show controllers cpu-interface
debug platform cpu-queues
show plat for ip
For memory issues:
show memory statistics
show process memory sorted
show buffers
For link issues:
show interface status | inc connected
test cable-diagnostics tdr interface <>
show cable-diagnostics tdr interface <>
show interface <>
show interface <> counters
show interface <> counters errors
show interface counter errors
show controller ethernet-controller <>
show platform pm if-numbers
show controllers ethernet-controller port-asic statistics
show platform port-asic stats drop <>
Layer 2 forwarding issues:
show interface <> status
show spanning-tree interface <>
show interface <> counter
show mac address-table interfa

IPSEC

IPSEC consists of multiple protocols:
Internet Security Association and Key Management Protocol (ISAKMP) – A framework for the negotiation and management of security associations between peers (traverses UDP/500)
Internet Key Exchange (IKE) – Responsible for key agreement using asymmetric cryptography
Encapsulating Security Payload (ESP) – Provides data encryption, data integrity, and peer authentication; IP protocol 50
Authentication Header (AH) – Provides data integrity and peer authentication, but not data encryption; IP protocol 51
Encryption algorithms:
Algorithm  Type        Key Length (Bits)  Strength
DES        Symmetric   56                 Weak
3DES       Symmetric   168                Medium
AES        Symmetric   128/192/256        Strong
RSA        Asymmetric  1024+              Strong
Hash algorithms:
Algorithm  Length (Bits)  Strength
MD5        128            Medium
SHA-1      160            Strong
IPSEC Phases:
Phase 1 A bidirectional ISA

Checkpoint firewall common commands part1

For starting or stopping firewall services:
cpstop – Stop all Check Point services except cprid. You can also stop specific services by issuing an option with cpstop. For instance cpstop FW1 stops FW-1/VPN-1, or use cpstop WebAccess to stop WebAccess.
cpstart – Start all Check Point services except cprid. cpstart works with the same options as cpstop.
cprestart – Combined cpstop and cpstart. Complete restart.
cpridstop, cpridstart, cpridrestart – Stop, start or restart cprid, the Check Point Remote Installation Daemon.
fw kill [-t sig] proc – Kill a firewall process. PID file in $FWDIR/tmp/ must be present. By default sends signal 15 (SIGTERM). Example: fw kill -t 9 fwm
fw unloadlocal – Uninstalls local security policy and disables IP forwarding.
For getting basic firewall information:
fw ver [-k], fwm [mds] ver, vpn ver [-k], fgate ver – Show major and minor version as well as build numb

Checkpoint firewall common commands part 2

For basic firewall information gathering:
fgate stat – Status and statistics of Flood-Gate-1.
fwaccel <stat|stats|conns> – View status, statistics or connection table of SecureXL.
fw getifs – Show list of configured interfaces with IP and netmask.
cpstat <app_flag> [-f flavour] – View OS, HW and CP application status. Issue cpstat without any options to see all possible application flags <app_flag> and corresponding flavours. Examples: cpstat fw -f policy – verbose policy info; cpstat os -f cpu – CPU utilization statistics
cpinfo -y all – List all installed patches and hotfixes.
cpd_sched_config print – Show tasks scheduled with the CPD scheduler.
enabled_blades – View enabled software blades.
avsu_client [-app <app>] get_version <app> – Get signature version and status of content security. Without the -app option "Anti Virus" is used.
show configuration – Show

Checkpoint firewall common commands Part 3

For administration and configuration tasks:
cpconfig – Menu based configuration tool. Options depend on the installed products and modules.
sysconfig – Start SPLAT OS and Check Point product configuration tool.
cp_conf admin add <user> <pass> <perm> – Add admin user with password pass and permissions perm, where w is read/write access and r is read only. Note: permission w does not allow account administration.
cp_admin_convert – Export admin definitions created in cpconfig to SmartDashboard.
fwm lock_admin -v – View list of locked administrators.
fwm lock_admin -u <user> – Unlock admin user. Unlock all with -ua.
cp_conf admin del <user> – Delete the admin account user.
fwm expdate <dd-mmm-yyyy> [-f <dd-mmm-yyyy>] – Set new expiration date for all users, or with -f for all users matching the expiration date filter: fwm expdate 31-Dec-2020 -f 31-Dec-2014.

Palo Alto-CLI cheat sheet

Device management:
Show general system-health information –> show system info
Show percent usage of disk partitions –> show system disk-space
Show the maximum log file size –> show system logdb-quota
Show running processes –> show system software status
Show processes running in the management plane –> show system resources
Show resource utilization in the dataplane –> show running resource-monitor
Show the licenses installed on the device –> request license info
Show when commits, downloads, and/or upgrades are completed –> show jobs processed
Show session information –> show session info
Show information about a specific session –> show session id <session-id>
Show the running security policy –> show running security-policy
Show the authentication logs –> less mp-log authd.log
Restart the device –> request restart system
Display the routing table –>

PACKET FLOW CHECKPOINT AND PALOALTO

Checkpoint:
Packet IN -> antispoofing -> rule base (connection table) -> NAT for destination -> routing -> NAT for source -> (NATted) packet out
Palo Alto:
Basic: Initial Packet Processing --> Security Pre-Policy --> Application --> Security Policy --> Post Policy Processing
Advanced:
Initial Packet Processing --> Source Zone/Source Address --> Forward Lookup --> Destination Zone/Destination Address --> NAT policy evaluated
Security Pre-Policy --> Check Allowed Ports --> Session Created
Application --> Check for Encrypted Traffic --> Decryption Policy --> Application Override Policy --> Application ID
Security Policy --> Check Security Policy --> Check Security Profiles
Post Policy Processing --> SSL Re-Encrypted --> NAT applied --> Packet forwarding

How does ARP work?

What is the use of default route?

VLAN, TRUNKING, VTP

Vlan trunking
-Vlan divides the broadcast domain
-In a new switch, Default Vlan = Native Vlan = Vlan 1
-Native Vlan can be changed from Vlan 1 to Vlan 10, 20 etc.
-Vlan 1 cannot be deleted even after entering the command
-Vlan 1 carries critical traffic like CDP, VTP etc.
-Access port carries traffic of only one vlan
-Trunk port carries traffic of more than one vlan
-Voice vlan can carry traffic of two vlans
-Layer 3 vlan required for Inter-Vlan communication
-On a Router, for Inter-Vlan communication, "Router on a Stick" is implemented
-On Switches, for Inter-Vlan communication, "Layer 3 vlan or SVI" is implemented
-To allow end to end communication, we need to allow the Vlan on all the trunk ports in between
-Vlan can be created on Router, Switch, Firewall etc.
-Trunking is the process to enable multiple vlans' traffic between different switches
-Conditions
-Connected Port should be trunk, Encapsulation should match, Allowed Vlans o

OSI layers in short with examples

7. Application layer – Responsible for initiating or servicing the request. e.g. SMTP, DNS, HTTP, and Telnet
6. Presentation layer – Formats the information so that it is understood by the receiving system. e.g. Compression and encryption depending on the implementation
5. Session layer – Responsible for establishing, managing, and terminating the session. e.g. NetBIOS
4. Transport layer – Breaks information into segments and is responsible for connection-oriented and connectionless communication. e.g. TCP and UDP
3. Network layer – Responsible for logical addressing and routing. e.g. IP, ICMP, ARP, RIP, IGRP, and routers
2. Data Link layer – Responsible for physical addressing, error correction, and preparing the information for the media. e.g. MAC address, CSMA/CD, switches, and bridges
1. Physical layer – Deals with the electrical signal. e.g. Cables, connectors, hubs, and repeaters

How do packets flow through a Palo Alto firewall?

Basic: Initial Packet Processing --> Security Pre-Policy --> Application --> Security Policy --> Post Policy Processing
Advanced:
Initial Packet Processing --> Source Zone/Source Address --> Forward Lookup --> Destination Zone/Destination Address --> NAT policy evaluated
Security Pre-Policy --> Check Allowed Ports --> Session Created
Application --> Check for Encrypted Traffic --> Decryption Policy --> Application Override Policy --> Application ID
Security Policy --> Check Security Policy --> Check Security Profiles
Post Policy Processing --> SSL Re-Encrypted --> NAT applied --> Packet forwarding

Policy Based Forwarding on a Palo Alto with different Virtual Routers

This guide is a little bit different from my other Policy Based Forwarding blog post because it uses different virtual routers for the two ISP connections. It is quite common to have a distinct default route for each provider. So, in order to route certain traffic, e.g., http/https, to the other ISP connection, policy based forwarding is used. There are two documents from Palo Alto that give advice on how to configure PBF. I am using a PA-200 with PAN-OS 7.0.1. My lab is the following: (Note that, unlike Juniper ScreenOS, a zone is not tied to a virtual router. You actually can merge interfaces on different vrouters into the same zone. However, I prefer to configure an extra zone for each ISP to keep my security policies clearly separated.) These are the configuration steps. See the descriptions under the screenshots for details: Two virtual routers: d

Palo Alto Remote Access VPN for Android

For a basic remote access VPN connection to a Palo Alto Networks firewall (called "GlobalProtect"), the built-in VPN feature of Android can be used instead of the GlobalProtect app from Palo Alto itself. If additional features such as HIP profiling are not needed, this variant fits perfectly. I am showing a few screenshots and logs from the Android smartphone as well as from the Palo Alto to show the differences. This post is very similar to the post about the iPhone. I am running a PA-200 with PAN-OS version 7.0.3. The phone is a Samsung Galaxy S4 Mini with Android version 4.4.2. The GlobalProtect app from Palo Alto works without any problems if a correct Portal and Gateway are already configured. In order to use the native "IPSec Xauth PSK" on Android, "X-Auth Support" must be enabled on the GlobalProtect Gateway, as shown in my post about the Linux vpnc client. Glo