Posts

Where to terminate Site-to-Site VPN Tunnels?

When using a multilayer firewall design, it is not immediately clear on which of these firewalls remote site-to-site VPNs should terminate. What must be considered in such scenarios? Should one differentiate between partners and own remote offices? Or between static and dynamic peer IPs? What about the default routes on the remote sites? Following is a discussion of different approaches and some best practices. Since not all concepts work with all firewall vendors, the following strategies are separated by common firewalls, i.e., Cisco ASA, Fortinet FortiGate, Juniper ScreenOS, Palo Alto. (This is one of many VPN tutorials on my blog. Have a look at this full list.) Of course, if there is only a single firewall in place, this discussion is not necessary at all. All VPN tunnels must solely terminate on this single firewall. You’re done. But most customers have at least a two-firewall strategy whi...

Palo Alto Software Download Failure

I had an error on my PA-200 with PAN-OS 7.0.5 while trying to download a new firmware version: “Error: There is not enough free disk space to complete the desired operation. […]”. Even the tips to delete older software, dynamic updates, etc., and to use the “set max-num-images count” command did not lead to a successful download. Finally, TAC support could solve the problem via root access to the Palo Alto firewall and by manually moving data files… This was the disk space on the firewall before TAC support corrected it (note the 5th line with 92 % usage): weberjoh@fd-wv-fw02> show system disk-space   Filesystem   Size   Used   Avail   Use%   Mounted on   /dev/sda3 ...

Palo Alto VPN Speedtests

Once more some throughput tests, this time for the site-to-site IPsec VPN of the Palo Alto Networks firewalls. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and tested the bandwidth of different IPsec phase 2 algorithms. Compared to the official data sheet information from Palo Alto, which states an IPsec VPN throughput of 50 Mbps, the results are really astonishing. (This is one of many VPN tutorials on my blog. Have a look at this full list.) Lab: My lab consists of two PA-200 firewalls with PAN-OS 7.1.1 installed. They were plugged into a simple layer 2 switch. The two notebooks were booted with Knoppix 7.6.1 and used Iperf version 2.0.5. I first tested the throughput with only routing and then built the VPN. After every test I changed the phase 2 parameters. The Iperf tests ran in both directions. Here are some configuration screenshots: ...

Palo Alto FQDN Objects

While I tested the FQDN objects with a Palo Alto Networks firewall, I ran into some strange behaviours which I could not reproduce, but I have documented them. I furthermore tested the usage of FQDN objects with more than 32 IP addresses, which is the maximum supported according to the official Palo Alto documentation. Here we go: Some Notes: I am using a Palo Alto PA-200 with PAN-OS 7.1.4-h2. A description of how to use the FQDN objects by Palo Alto Networks is this “How to Configure and Test FQDN Objects” article. To show and refresh them via the CLI, these commands can be used (refer to my list of CLI troubleshooting commands): “request system fqdn show” and “request system fqdn refresh”. Note that at least one policy must use an FQDN object for it to be queried by the firewall. Otherwise, it won’t be resolved at all. The release notes from PAN-OS 7....