firewall – Network Interview https://networkinterview.com (Online Networking Interview Preparations)

What is a Virtual Firewall? 3 Virtual Firewall Use Cases
https://networkinterview.com/what-is-a-virtual-firewall-3-use-cases/ (Mon, 30 Jun 2025)

Firewalls have evolved a lot since their inception as the gatekeeper of perimeter security. In the early days firewalls were simple packet filters that examined each packet passing through them and blocked any that did not meet predetermined criteria. As cyber attacks became more sophisticated, firewall technology advanced as well, from stateful inspection firewalls to next-generation firewalls.

In today’s topic we will learn about virtual firewalls and three use cases of virtual firewalls in detail. 

About Virtual Firewall

A virtual firewall provides network security for virtualized environments such as the cloud. Virtualization allows multiple virtual instances of a physical device or server to be created, which makes more efficient use of the underlying physical resources and gives more flexibility in network management. Virtualization also brought a new set of security risks, such as unauthorised access to virtual resources and more data breaches.

Virtual firewalls take on the role of perimeter gatekeeper, just like their physical counterparts. They operate at the virtualization layer and protect virtual machines (VMs) and other virtualized resources in cloud networks. Virtual firewalls also provide additional functions such as VPN connections, intrusion detection and prevention, and malware protection.

 

Virtual firewalls secure cloud deployments, so they are also called cloud firewalls. They scale with the virtual environment, protect north-south traffic and allow fine-grained network segmentation within virtual networks.

Benefits of using a Virtual / Cloud Firewall

  • Cloud-native virtual firewalls centralize security and apply policies consistently to all virtual machines and applications
  • Virtual firewall upgrades are easier than the management and upgrade of physical firewalls
  • Virtual firewalls are the safest way to roll out cloud applications quickly
  • They are more cost-effective than their physical counterparts
  • They provide cloud-native threat detection and prevention capabilities to secure data and applications

Virtual Firewall Use Cases 

Use Case 1: Securing Public Clouds 

Public clouds such as Google Cloud Platform (GCP), Amazon Web Services (AWS) and Microsoft Azure host virtual machines to support different types of workloads; virtual firewalls secure these workloads.

Virtual firewalls are deployed to implement advanced security capabilities such as threat detection, and segmentation to isolate critical workloads in order to meet regulatory requirements such as GDPR, HIPAA and PCI-DSS.

To secure the flow of traffic moving laterally within cloud networks, virtual firewalls implement inline threat prevention.

Use Case 2: Security Extension to branches and SDNs

Virtual firewalls help secure systems at branch offices and in software-defined networks (SDNs). In SDN environments, routing and networking are controlled in software. Deploying virtual firewalls in SDN environments allows organizations to secure their perimeter, segment the network and extend protection to remote branches.

Advanced firewalls in SDN networks provide consistent network security, allow branch network security to be managed from a centralized console, segment networks to support isolation, secure live network flows and set the stage for secure migration of applications to the cloud.

Use Case 3: Protection of Cloud Assets 

Virtual firewalls enhance the security of private cloud assets. They come with policy-based, automatic provisioning of network security capabilities, help secure private cloud assets quickly and support isolating workloads from one another.

Palo Alto Firewall Architecture
https://networkinterview.com/palo-alto-firewall-architecture/ (Mon, 24 Feb 2025)

Network architecture refers to the structured arrangement of network and security devices and services to serve the connectivity needs of client devices, while also providing controlled traffic flow and availability of services. Network devices typically include switches, routers and firewalls.

Palo Alto Firewall Architecture : An Overview

Palo Alto Firewall Architecture is based on an exclusive Single Pass Parallel Processing (SP3) architecture. This design enables high-throughput, low-latency network security together with a rich feature set. Palo Alto Networks addresses the performance problems that impact today’s security infrastructure with the SP3 architecture, which is composed of two key components:

  1. Single Pass software
  2. Parallel Processing hardware

Single Pass Software

The Palo Alto Networks Next-Generation Firewall runs Single Pass software. It processes each packet once to perform functions such as networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, and signature matching for detecting threats and malicious content. Processing a packet in one go, or a single pass, significantly reduces the overhead of packet processing.

By contrast, other firewall vendors use a different architecture that produces higher overhead when processing packets traversing the firewall. Another notable approach in other vendors’ next-generation firewalls is Unified Threat Management (UTM), which processes the packet and then separately verifies its contents. The resulting spike in CPU overhead affects the latency and throughput of the firewall, degrading performance.

Single Pass software is designed to achieve two key goals.

  • Firstly, the Single Pass software performs each operation once per packet. When a packet is processed in this way, functions like policy lookup, application identification, decoding and signature matching for all threats and content are performed just once.
  • Secondly, packet processing in Single Pass software is stream-based and uses uniform signature matching to detect and block threats. Single Pass does not use separate engines and signature sets, or file proxies that require a file to be downloaded before it can be scanned; the Single Pass software scans packets once, in a stream-based fashion, to avoid latency and throughput penalties.

This Single Pass software content processing enables high throughput and low latency with all security functions active. It also offers the additional feature of a single fully integrated policy, enabling easier management of enterprise network security.


Parallel Processing Hardware

Palo Alto Networks Parallel Processing hardware ensures that function-specific processing is done in parallel at the hardware level, which, in conjunction with the dedicated data plane and control plane, produces excellent performance. By separating the data plane and control plane, Palo Alto Networks ensures that heavy utilization of either plane will not impact the overall performance of the platform.

Palo Alto Firewall Architecture : Control Plane & Data Plane

The control plane is responsible for tasks such as management and configuration of the Palo Alto firewall, and it also takes care of logging and reporting. A key feature of the Palo Alto Networks Next-Generation Firewall is its set of dedicated processors, each responsible for specific functions, all working in parallel. The data plane in the high-end models contains three types of processors (CPUs) connected by high-speed 1 Gbps buses.

Types Of Processors:

The three types of processors are:

  1. Security Matching Processor: dedicated processor that performs vulnerability and virus detection tasks.
  2. Security Processor: dedicated processor that provides hardware acceleration and handles security tasks such as SSL decryption, IPsec decryption and similar tasks.
  3. Network Processor: dedicated processor responsible for network tasks such as routing, NAT, QoS, route lookup, MAC lookup and network-layer communications.

First, the Palo Alto firewall architecture splits the two planes, i.e. it has a separate data plane and control plane. This separation means that heavy utilization of one plane will never impact the other. The second important element is the Parallel Processing hardware, which includes discrete specialized processing groups that work together to perform several key functions.

  • Routing, flow lookup, traffic analysis statistics, NAT and similar functions are performed on network-specific hardware.
  • User-ID, App-ID and policy lookups all occur on a multi-core security engine with hardware acceleration for encryption/decryption and compression/decompression.
  • Content-ID content analysis uses a dedicated, specialized content scanning engine.
  • On the control plane, a dedicated management processor (with dedicated disk and RAM) drives configuration management, logging and reporting without interfering with user data.

Conclusion

The network architecture of Palo Alto consists of Single Pass software and Parallel Processing hardware, a well-suited combination in network security that empowers Palo Alto Networks next-generation firewalls to restore visibility and control over enterprise networks.

How to Reset Palo Alto Firewall to Factory Default Settings
https://networkinterview.com/factory-reset-palo-alto-firewall/ (Mon, 24 Feb 2025)

Introduction to Reset Palo Alto Firewall

A firewall is a network security device that grants or rejects network access to traffic flowing between an untrusted zone (external networks) and a trusted zone (internal networks). Starting from the early days of stateful inspection firewalls and then UTM (unified threat management), application-aware next-generation firewalls have now become synonymous with firewalls.

Palo Alto is one such next-generation firewall, which provides flexible deployment options for your network, with firewall platforms available for both physical and virtual deployments.

In this article we will learn more about how to reset Palo Alto firewall to factory default, why it is required and so on.

Reset Palo Alto Firewall to Factory Default Settings

There are three scenarios in which it may be necessary to reset the Palo Alto firewall to its default settings: you do not have the admin password, you have the admin password, or you have the admin password and need to remove all logs and restore the default configuration of the firewall.

Steps to Restore Default Configuration

To reset the firewall to the default configuration you need to enter maintenance mode first.

Step 1: Connect the console cable from the console port to your system and verify the console settings: speed 9600, data bits 8, parity none and stop bits 1.

Step 2: To enter maintenance mode, power on or reboot the device.

Step 3: During boot the screen below will appear:

Booting PANOS (sysroot0) after 5 seconds…

Entry: Type ‘Maint’ and Enter

Step 4: Multiple options will be displayed; choose PANOS (maint) mode.

Step 5: The maintenance recovery section is displayed. Press Enter to proceed.

Step 6: Choose ‘Factory reset’ and press Enter.

Step 7: A warning message is displayed along with the factory reset option. Select Factory reset and press Enter.

The progress is displayed on screen with the percentage complete.

On completion, the factory reset is displayed as in the screen below; to complete the process, reboot the device.

IPSec VPN Configuration: Fortigate Firewall
https://networkinterview.com/ipsec-vpn-configuration-fortigate-firewall/ (Tue, 03 Sep 2024)

Objectives
  • IPSec
  • IKE
  • Site to Site VPN between two FortiGate Sites
  • Phase I and Phase II Parameters
  • Tunnel Configuration
  • Troubleshooting Commands

 

IPSec VPN Configuration: Fortigate Firewall

IPsec: a vendor-neutral security protocol suite used to link two different networks over a secure tunnel. IPsec provides encryption, data integrity and confidentiality.

IPsec is a suite of protocols that includes IKE.

IKE is used to authenticate both remote parties, exchange keys, and negotiate the encryption and integrity (checksum) algorithms used in the VPN tunnel. IKE uses UDP port 500, and UDP port 4500 when crossing a NAT device.

IKE allows the two remote parties involved in a transaction to set up a Security Association.

Security Associations are the basis for building security functions into IPsec. IPsec parameters such as the encryption algorithm, authentication method, hash algorithm and pre-shared key must be identical on both peers to build a security association.

 

Site To Site VPN Between FortiGate FWs

Phase I and Phase II Parameters are:

 

Firewall-1: check the internal interface IP addresses and the external IP addresses.

IPSec VPN Configuration Site-I

Follow the steps below to create the VPN tunnel at SITE-I.

1. Go to VPN > IPsec Wizard

2. Select VPN Setup and set Template type to Site to Site

3. Name: specify the VPN tunnel name (Firewall-1)

4. Set the address of the remote gateway's public interface (10.30.1.20)

5. Egress interface (port5)

6. Enter the pre-shared key. The pre-shared key is used to authenticate both parties; it must be the same on both sides.

7. Select the IKE version used for Phase I and Phase II

8. VPN mode: Main mode / Aggressive mode. Main mode is the recommended key-exchange method because it hides the identities of the peers during the key exchange.

9. Encryption method: must be identical on both peers. The encryption method provides end-to-end confidentiality for the VPN traffic.

10. Authentication method: must be identical with the remote site. The authentication method verifies the identity of the peer, ensuring the traffic comes from the correct peer and there is no man-in-the-middle.

11. DH group: must be identical with the remote peer (DH-5). Diffie-Hellman is a key exchange protocol that establishes a secure channel by exchanging public keys.

12. Key lifetime: defines when re-negotiation of the tunnel is required. Key lifetimes should be identical on both peers; a mismatched key lifetime may lead to tunnel flapping.

VPN Phase-II

13. Add Phase II proposals

14. Select encryption method AES256

15. Select authentication method SHA1

16. Enable Anti-Replay Detection. Anti-replay is a packet-level IPsec security mechanism that helps prevent an intruder from capturing and replaying or modifying an ESP packet.

17. PFS (Perfect Forward Secrecy): must be enabled at both peers.

18. DH group: select 5

19. Key lifetime for Phase II

Phase II Selector

20. Add the local LAN subnet that will communicate once the VPN is established

21. Add the remote-end LAN subnet

Create a Static Route towards the VPN Tunnel Interface

22. Static route

23. Route for the LAN subnet going via the tunnel interface To-FG-2

24. Allocate the tunnel interface

25. Assign administrative distance 10 (static routes)

Create VPN- Policy for interesting traffic & allow ports according to requirement

26. Assign a name to the policy in the IPv4 Policy tab

27. Incoming interface is the inside zone/interface and the outgoing interface is the tunnel interface

28. Source address: 80.25.0/24

29. Destination address: the remote site's local LAN subnet 10.100.25.0/24

30. Services/protocol: select ALL, or select specific services such as FTP/HTTP/HTTPS

31. Set the action to Accept

32. NAT is OFF and Protocol Options are left at Default

33. Basic antivirus and basic application control are enabled

34. SSL certificate inspection is enabled to authenticate over SSL inspection; this is completely optional

35. Enable logging of all sessions

36. Add a policy comment and enable the policy

37. Select OK

 

** If required, create a reverse (clone) policy for the connection to allow bi-directional traffic.

From Step 1 to Step 37, VPN configuration has been completed for Firewall -1/Site-1.
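The 37 wizard steps above correspond to a handful of CLI objects. The following is an added example of the equivalent FortiOS CLI configuration for Firewall-1; it is not configuration from the original article. It uses the values the article gives (remote gateway 10.30.1.20, egress port5, IKEv1 main mode, AES256/SHA1, DH group 5, PFS, anti-replay, remote LAN 10.100.25.0/24, administrative distance 10, NAT off, full session logging) and assumes the tunnel name To-FG-2, the internal interface port1, the address object names, the key lifetimes, and a placeholder local subnet 192.0.2.0/24 and pre-shared key.

```text
# Added example (not from the article): FortiOS CLI equivalent of the Site-I wizard steps.
# Assumed names: tunnel "To-FG-2", internal interface "port1", address objects
# "LAN-Site1" / "LAN-Site2". The local subnet and the pre-shared key are placeholders.

# Phase 1 (IKE SA), steps 3-12. Every proposal parameter must match the peer exactly.
config vpn ipsec phase1-interface
    edit "To-FG-2"
        set interface "port5"
        set ike-version 1
        set mode main
        set peertype any
        set proposal aes256-sha1
        set dhgrp 5
        set keylife 86400
        set remote-gw 10.30.1.20
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"
    next
end

# Phase 2 (IPsec SA), steps 13-21. The selectors define the interesting traffic.
config vpn ipsec phase2-interface
    edit "To-FG-2-p2"
        set phase1name "To-FG-2"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 5
        set replay enable
        set keylifeseconds 3600
        set src-subnet 192.0.2.0 255.255.255.0
        set dst-subnet 10.100.25.0 255.255.255.0
    next
end

# Static route, steps 22-25: the remote LAN is reached through the tunnel interface.
config router static
    edit 0
        set dst 10.100.25.0 255.255.255.0
        set device "To-FG-2"
        set distance 10
    next
end

# Address objects referenced by the policies.
config firewall address
    edit "LAN-Site1"
        set subnet 192.0.2.0 255.255.255.0
    next
    edit "LAN-Site2"
        set subnet 10.100.25.0 255.255.255.0
    next
end

# Firewall policies, steps 26-37: LAN to tunnel with NAT off and all sessions logged,
# plus the reverse policy so that sessions initiated from Site-2 are also accepted.
config firewall policy
    edit 0
        set name "Site1-to-Site2"
        set srcintf "port1"
        set dstintf "To-FG-2"
        set srcaddr "LAN-Site1"
        set dstaddr "LAN-Site2"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "Site2-to-Site1"
        set srcintf "To-FG-2"
        set dstintf "port1"
        set srcaddr "LAN-Site2"
        set dstaddr "LAN-Site1"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

On Firewall-2 the same objects are created with the subnets and the remote gateway swapped; because Phase 1 and Phase 2 proposals, DH group and PFS must match exactly, keeping both sides' configuration side by side is the quickest way to spot the mismatches that the troubleshooting section below is otherwise needed for.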

 

Let’s move to Firewall -2/Site II

  • Check the internal and external interface IP addresses and ports

IPSec VPN Configuration Site-II

Follow steps 1 to 22 again to complete the VPN configuration on Firewall-2.

  • Monitor the VPN traffic status in the IPsec Monitor tab for further troubleshooting.

Troubleshooting Commands

Run the debug and basic troubleshooting commands below if the tunnel is not showing as up in the IPsec Monitor tab.

Debug commands:

# diag vpn tunnel list
# diag vpn ike log-filter clear
# diag vpn ike log-filter dst-addr4 x.x.x.x    <-- remote peer public IP

# diag debug application ike -1
# diag debug console timestamp enable
# diag debug enable

 

Initiate the connection and try to bring up the tunnel from the GUI

(VPN -> IPsec Monitor -> Bring Up), or from the CLI:
# diagnose vpn tunnel up "vpn_tunnel_name"         <-- watch the Phase I packets in the debug output

Disable the debug to stop the output:

# diag debug disable
# diag debug reset

FortiGate NAT Policy: Types & Configuration
https://networkinterview.com/fortigate-nat-policy-types-configuration/ (Tue, 03 Sep 2024)

NAT - Network Address Translation

NAT is a process that enables a single device, such as a firewall or router, to act as an agent between the internet or public network and a LAN or private segment.

NAT is usually used for the reasons below:

  • It improves security: addresses behind the NAT device are effectively hidden
  • It provides public IP addresses for private IP addresses to make traffic routable

** In the FortiGate firewall we can apply NAT directly in the firewall policy without creating a separate NAT policy.

FortiGate NAT

FortiGate provides below NAT features in the Firewall:

  1. SNAT
  2. DNAT
  3. PAT

FortiGate NAT Modes  

Firewall Policy NAT: SNAT and DNAT are configured within the firewall policies. SNAT uses the outgoing interface IP address of the firewall as the source address; DNAT uses a configured VIP.

Central NAT: SNAT and DNAT are configured per VDOM (virtual domain)

  • SNAT rules are implemented from the central SNAT policy
  • DNAT is configured from DNAT and VIPs

Firewall Policy NAT

Firewall policy NAT can be configured in two different ways:

  1. Use the outgoing interface address as the NAT IP address
  2. Use a predefined pool (dynamic pool)

Firewall policies can use the following types of NAT:

  1. Static SNAT
  2. Dynamic SNAT

Static SNAT

In static SNAT, all internal IP addresses are translated to a single public IP address by using different source ports.

E.g.

10.10.10.1-> source port 1110-> NAT IP address 172.16.100.1:5001

10.10.10.2-> source port 1111-> NAT IP address 172.16.100.1:5002

10.10.10.3->source port 1112->NAT IP address 172.16.100.1:5003

How to configure Static SNAT

1. Create a security policy: Policy & Objects -> IPv4 Policy

2. Fill in the policy details: add the source address/subnet

3. Add the destination address/subnet

4. Add the service/port

5. Set the action to Accept

6. Turn NAT ON and select Use Outgoing Interface Address

Dynamic SNAT

Dynamic SNAT maps private IP addresses to an IP pool of public IPs.

Four types of IP pool are available in the FortiGate firewall:

Overload

An overload pool contains one or more public IP addresses. Internal IP addresses use the available addresses from the pool to exit the firewall. Source and destination ports are mapped from the range 1024 to 65533.

Configure Overload Dynamic SNAT

1. Create an IP pool for the public IP addresses: go to Policy & Objects

2. Name the pool and select the type: Overload

3. Select the pool subnet/IP range

4. Apply the pool in the security policy

5. Turn NAT ON and under IP Pool Configuration select Use Dynamic IP Pool

6. Choose the overload pool: NAT_POOL

One-to-One Dynamic SNAT

There is a one-to-one match of each internal IP address with an external IP address, for example:

10.10.1.1>>>172.168.1.1

10.10.1.2>>>172.168.1.2

10.10.1.3>>>172.168.1.3

If there are 100 users in a LAN for which one-to-one SNAT is used, then a range of 100 public IPs is required.

Fixed Port Range

In fixed port range, the internal/LAN IP address range must be specified; both the internal range and the external public IP range are defined.

The FortiGate can then calculate a port range for each combination of source IP address and translated IP address.

  1. Create NAT_POOL for Fixed Port Range
  2. Select type Fixed Port Range
  3. Add External IP Range
  4. Add Internal IP range detail

Apply the Pool in Security policy
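The pool types above, together with plain interface-based static SNAT, look like this in the FortiOS CLI. This is an added example, not configuration from the article; the pool and object names, the interfaces (port1 inside, port2 outside) and the 198.51.100.x public range are assumptions, while the 172.16.100.x and 172.168.1.x addresses and the 10.10.10.0/24 LAN are the ones the article uses.

```text
# Added example (not from the article): the firewall-policy NAT variants discussed above.
# Assumed interfaces: port1 = LAN, port2 = WAN. Object names are assumptions.

config firewall address
    edit "LAN-10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
end

config firewall ippool
    # Overload: many internal hosts share a small range, distinguished by source port.
    edit "NAT_POOL"
        set type overload
        set startip 172.16.100.1
        set endip 172.16.100.4
    next
    # One-to-one: each internal host keeps its own public address, so the pool must be
    # at least as large as the number of simultaneously active hosts.
    edit "POOL_1TO1"
        set type one-to-one
        set startip 172.168.1.1
        set endip 172.168.1.100
    next
    # Fixed port range: the internal range is declared as well, so the FortiGate can
    # carve the port space into a deterministic block per internal address.
    edit "POOL_FPR"
        set type fixed-port-range
        set startip 198.51.100.10
        set endip 198.51.100.11
        set source-startip 10.10.10.1
        set source-endip 10.10.10.100
    next
end

config firewall policy
    # Static SNAT: NAT enabled without a pool, so the port2 interface address is used.
    edit 0
        set name "LAN-out-interface-SNAT"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN-10.10.10.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Dynamic SNAT: NAT enabled with a dynamic IP pool; swap the pool name to change type.
    edit 0
        set name "LAN-out-pool-SNAT"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN-10.10.10.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "NAT_POOL"
    next
end
```

The two policies are alternatives shown together for comparison: both match the same traffic, and FortiGate applies the first policy that matches from the top down, so in a real configuration only one of them would exist (or they would match different sources or destinations).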

Central NAT

Before discussing central NAT, we should understand VIP objects.

A VIP is a DNAT object used for session mapping. With a VIP the destination address is translated, i.e. a public IP address is translated to a local server IP address.

The default VIP type is static NAT. Static NAT is a one-to-one mapping that applies to incoming and outgoing connections (bi-directional).

** The VIP address must be routable from the external side so that return traffic reaches it.

By default, central NAT is disabled in the firewall. Two options are provided when using central NAT:

  1. Central SNAT
  2. DNAT and Virtual IP

 

Central NAT can only be configured in policy-based Firewall mode.

Central SNAT

Central SNAT provides more granular control to customise the policy: we can select the exit interface or ingress IP, or specify the source port or destination port as required. Once a policy matches, the source address is translated as per the NAT criteria configured in the central SNAT policy.

Prerequisites to define Central SNAT policy

  • Configure IP Pool/interface IP address (outgoing IP)
  • Configure NAT policy

First, enable central NAT in the firewall from the CLI.

The policy will be matched using the criteria below:

  • Source interface -> Inside
  • Destination (outgoing) interface -> Outside
  • Source address -> 192.168.2.0/24
  • Destination address -> wildcard.dropbox.com
  • Protocol/application port -> any
  • Source port -> any
  • Outgoing IP address/translated IP address -> 172.16.100.100/32

Central DNAT & VIP

Additionally, VIPs are used as the destination address in a security policy. On FortiGate you configure DNAT and VIPs for destination NAT. As soon as you configure a VIP, it automatically creates a rule in the kernel to allow DNAT.

Destination NAT means traffic comes from the outside world to access internal servers or services by using the public IP address of the server.

Prerequisites to configure DNAT with VIP

  • External IP address (reached by external users) -> 1.2.3.1
  • Internal local server IP that is mapped to the external IP -> 192.168.1.50
  • Forwarding port (external side) -> 25
  • Translated port -> 25

After creating DNAT and Virtual IP you only need to create a policy as per your requirement.
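The central SNAT criteria and the DNAT/VIP prerequisites listed above, as an added FortiOS CLI example that is not configuration from the article. The article's values are used (central NAT enabled from the CLI, source 192.168.2.0/24, destination wildcard.dropbox.com, translated address 172.16.100.100/32, VIP 1.2.3.1:25 to 192.168.1.50:25); the interface names (port1 inside, port2 outside), the object names, the use of the predefined wildcard.dropbox.com address object as the central SNAT destination, and the assumption that in central NAT mode the inbound policy references the mapped server address rather than the VIP are mine.

```text
# Added example (not from the article): central NAT mode with the SNAT rule and the
# DNAT/VIP described above. Assumed interfaces: port1 = inside, port2 = outside.

# 1. Switch the VDOM to central NAT. NAT settings inside firewall policies are then ignored.
config system settings
    set central-nat enable
end

# 2. Pool holding the single translated address 172.16.100.100/32.
config firewall ippool
    edit "CSNAT_POOL"
        set type overload
        set startip 172.16.100.100
        set endip 172.16.100.100
    next
end

config firewall address
    edit "LAN-192.168.2.0"
        set subnet 192.168.2.0 255.255.255.0
    next
    # Mapped (internal) address of the mail server behind the VIP.
    edit "SRV-MAIL-192.168.1.50"
        set subnet 192.168.1.50 255.255.255.255
    next
end

# 3. Central SNAT rule, matched top-down on interfaces, addresses, protocol and port.
#    Protocol and original port are left at their defaults, i.e. any.
#    "wildcard.dropbox.com" is the predefined wildcard FQDN object (assumption).
config firewall central-snat-map
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set orig-addr "LAN-192.168.2.0"
        set dst-addr "wildcard.dropbox.com"
        set nat enable
        set nat-ippool "CSNAT_POOL"
    next
end

# 4. DNAT via VIP: 1.2.3.1 port 25 on the outside is mapped to 192.168.1.50 port 25.
config firewall vip
    edit "VIP_MAIL_25"
        set extip 1.2.3.1
        set extintf "port2"
        set mappedip "192.168.1.50"
        set portforward enable
        set extport 25
        set mappedport 25
    next
end

# 5. Policies still decide what is permitted; NAT itself is no longer set on them.
#    In central NAT mode the VIP is applied before policy lookup, so the inbound policy
#    names the mapped server address (assumption stated in the lead-in).
config firewall policy
    edit 0
        set name "LAN-to-Internet"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN-192.168.2.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Inbound-SMTP"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "SRV-MAIL-192.168.1.50"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
end
```

Note that central NAT can only be enabled while the firewall is in policy-based mode, as the article states, and that restricting the inbound SMTP policy to the single service and mapped host keeps the VIP from exposing anything beyond port 25 on the server.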

That’s it.

Fundamentals of FortiGate Firewall: Essential Guide
https://networkinterview.com/fundamentals-of-fortigate-firewall/ (Sat, 10 Aug 2024)

FortiGate fundamentals and principles involve a high-security infrastructure and provide a secure setup for the client. The FortiGate firewall is the most respected and most widely used security product in the market. It uses artificial intelligence and machine learning to meet the latest security targets.

Fortinet covers many technologies within a single umbrella such as VPN, UTM, Security Profiles, FortiManager, FortiAnalyzer and many more.

Here we will discuss the important features and technologies covered by Fortinet. Let’s start.

Fundamentals of FortiGate Firewall

Below is the list of components supported by FortiGate; the important components are covered in this document.

FortiGate Firewall Dashboard

The FortiOS dashboard consists of graphical views and statistics of alerts. Widgets are static views of FortiGate properties. The dashboard consists of:

  • System Information: hostname, IP address, serial number and firmware
  • Licenses: list of licences installed on the system and their expiry dates
  • FortiCloud: statistics of FortiCloud data
  • Security Fabric: summary of the devices using the Security Fabric feature
  • Administrators: all connected admins with their login time and IP address
  • CPU: utilisation of the device
  • Memory: live utilisation of the device
  • Sessions: number of sessions the firewall is processing per second or minute

Other Widgets present in Dashboard

  • HA status 
  • Log rate
  • Interface Bandwidth
  • Botnet Activity
  • Advanced threat Protection 

FortiGate Security Fabric

Fortinet Security Fabric involves different components that work together to secure the network.

A combination of the devices below is required to create a Security Fabric.

FortiGate Firewall

The firewall acts as a security component between the ISP and the downstream LAN devices. It secures the network from unknown outside attackers.

FortiAnalyzer

As its name implies, FortiAnalyzer can scan, monitor and collect logs of live traffic and create reports accordingly. It shows historical logs and events for any network traffic passing through the firewall.

FortiAnalyzer has the tabs below for checking logs:

  • FortiView
  • Threats
  • Traffic
  • Applications and Websites
  • VPN
  • System
  • Security, Application Control, Web Filter, DNS
  • Custom View
  • Log Browse
  • Log Group

LogView from FortiAnlyzer device:

FortiManager

FortiManager provides remote management of FortiGate firewalls. It uses TCP port 541 to communicate with the firewall.

FortiManager pushes antivirus, IPS and the latest UTM updates to all connected devices.

FortiManager contains below tabs:

  • Add Device
  • Device Group
  • Firmware
  • License

FortiSandbox

FortiSandbox is a cloud-based technology that generates new signatures based on observed malicious attacks. A FortiSandbox is a device that runs a sample in an isolated VM or cloud environment.

Copies of the threat logs are forwarded to FortiSandbox, which checks whether the traffic contains malicious content.

FortiSandbox performs three types of scanning when it receives a file from FortiGate:

  • Pre-Scan Group: the initial stage, where FortiSandbox performs its first scan. Several filters are applied to the new file, such as pattern matching, checksum and code-sequence checks and TCP/IP attributes, along with behavioural analysis of the file/traffic pattern.
  • Static Scan: mainly deals with antivirus and static AI scanning. Antivirus is traditional pattern matching, whereas static AI scanning uses machine learning to detect malware based on attributes collected from millions of malware samples.
  • Dynamic Scan: uses a VM scan, where the submitted file is executed in an isolated environment. Dynamic scan also uses PEXBOX (a code emulator), in which Windows files are parsed.

FortiSandbox Dashboard

FortiADC

An Application Delivery Controller is used to improve the scalability of firewalls. It uses an advanced server load balancer that routes traffic to an available destination server based on the availability of the backend servers.

It helps to manage applications reliably, responsively and with less effort.

FortiADC performs the tasks below:

  • Security
  • Server Load Balancing 
  • Link Load Balancing 
  • Global Load Balancing 

FortiADC benefits:

  • Scales applications with the server load balancing feature
  • Applies persistence with servers to maintain connections
  • Reduces bandwidth needs and improves user QoE
  • Provides redundancy and WAN optimization for applications
  • Allows traffic prioritization by applying QoS (Quality of Service)
  • Improves SSL offloading within the firewall for faster processing

Dashboard of FortiADC

FortiAP

FortiAP units are thin wireless access points supporting the latest Wi-Fi technologies and easy deployment. For larger deployments, FortiAP controllers can run a dedicated wireless network, and FortiAP models support a dedicated monitor radio to check radio signals.

FortiAP, FortiAP-C, FortiAP-S, FortiAP-W2 and FortiAP-U units are offered in a variety of models to address particular use cases and management modes.

Wireless access points can be added in any network to provide wireless connection to users. 

FortiClient 

FortiClient is a VPN (IPsec and SSL) client, similar to Cisco AnyConnect. It can also be used as an antivirus client and a host vulnerability scanner, and it supports web filtering as well. With FortiGate you get at least 10 free FortiClient licenses.

FortiClient helps protect all the endpoints of your network, including laptops, desktops and other devices.

These devices are either directly connected to your FortiGate or remotely connected through VPN.

  • After the admin sets up endpoint security on the FortiGate, a first-time user with an unregistered endpoint attempts to reach the internet
  • A captive portal is displayed to download and install FortiClient on the system
  • Once installed, FortiClient registers the system with the FortiGate
  • Endpoint security profiles are applied through FortiClient to the local user's system
  • After successful registration, the Windows PC becomes a compliant endpoint

FortiMail

FortiMail is a secure email solution that provides protection against inbound attacks, outbound attacks and data loss in the network. It captures email-related threats such as phishing, spam, malware and zero-day attacks.

It protects emails from: 

  • Known and unknown threats
  • Whaling Attack
  • Spams
  • Malicious link in email

Four types of modes are used in FortiMail to protect email from attacks.

  1. Gateway Mode: FortiMail acts as an email gateway, i.e. a Mail Transfer Agent. It fetches emails, scans the content and transfers them to the email server. A change in network topology is required to implement FortiMail in an existing network.
  2. Transparent Mode: as the name implies, FortiMail acts as a transparent proxy/device. It fetches the emails, scans them and transfers them directly to the email server. No topology changes are required.
  3. Server Mode: FortiMail acts as a local email server. It receives emails, scans them and delivers them directly to users. A topology change is required to implement this mode.

FortiGate VPN

FortiGate supports IPSec VPN and SSL VPN.

  • SSL VPN – It is used by remote users to access applications from remote sites.
    1. Tunnel Mode – FortiClient VPN must be installed on the user's system.
    2. Web Mode – Services are accessible via a web browser, but some applications and services are not supported.
  • IPSec VPN – A site-to-site tunnel is created in the network to transfer data in encrypted form.
    1. Site-to-site VPN is initiated between two endpoints or physical devices.
    2. IPSec remote VPN is also used in organizations to provide remote access to the network.

Security Profiles

Profiles which contain security features are known as Fortinet Security Profiles.

They include the following configuration:

  • Anti-Virus: It identifies and blocks viruses after scanning network traffic. FortiGate offers two types of anti-virus inspection:
    1. Proxy-based: useful to mitigate suspicious malicious code.
    2. Flow-based: optimised for high performance.
  • Web Filter: This feature takes action on internet URLs based on the allow/block category configured in the firewall. You can customize the URL categories in the firewall as well.
  • Intrusion Prevention: It detects threats in the network and mitigates malicious traffic by applying signatures. Custom signatures can be created as well.

Log and Report

Logging and reporting are useful for checking and understanding network logs. They cover event logs, system logs, VPN logs, threat logs, UTM logs and customized reports.

FortiGate also supports several external log devices such as FortiAnalyzer, cloud logging and syslog servers.

Moreover, the log severity level is defined in every traffic log.

We can filter logs by using below options:

Conclusion

Fortinet brings high-performance network infrastructure security that protects any network, its associated users and its traffic. FortiGate provides top-rated solutions and centralized management systems to handle the end-to-end security of an organisation.

Continue Reading:

FortiGate Firewall Policy: Rules, Types & Configuration

Palo Alto vs Fortinet Firewall: Detailed Comparison

FortiGate VDOM Configuration: Complete Guide
https://networkinterview.com/fortigate-vdom-configuration/ (Thu, 08 Aug 2024 16:30:59 +0000)

Understanding FortiGate VDOM

FortiGate VDOM (Virtual Domain) splits a FortiGate device into multiple virtual devices. Each VDOM has independent security policies and its own routing table, and by default traffic cannot move from one VDOM to another, which means two interfaces in different VDOMs can share the same IP address without any overlapping IP/subnet problem.

When VDOMs are used, a single FortiGate device becomes a virtual data centre of network security, UTM and secure network communication devices. By default a FortiGate firewall can support up to 10 VDOMs; on high-end FortiGate firewalls a further 10 VDOMs can be added.

  • Independent VDOMs: Some VDOMs are completely separate. There is no communication between them. Each VDOM has its own physical interface link to the internet. Such a set-up is used where multiple ISPs have been deployed in the network topology.
  • Routing through a VDOM: Traffic destined for the Internet is always routed through the designated VDOM. A single routing VDOM is used to route traffic towards the internet. For example, if there are three VDOMs in the firewall, all of them use the same routing VDOM to forward traffic towards the outside world.
  • Meshed VDOMs: VDOMs connect to other VDOMs through inter-VDOM links. We can specify what kind of traffic goes to which VDOM.
  • Management VDOM: It is used to forward system/FortiGate-generated traffic such as system daemons and NTP traffic. It is the VDOM from which all management traffic of the FortiGate firewall originates. The management VDOM must have access to all the global services such as
    • NTP
    • FortiGuard update queries
    • SNMP
    • DNS filtering
    • Logs – syslog and FortiAnalyzer
    • Management-related services

FortiGate VDOM Administrators

The super_admin (admin) account can configure and back up the VDOMs. Select the super_admin access profile when configuring an admin account; like the built-in admin account, such an account can configure all VDOMs.

  • Per-VDOM Administrator: In most cases an admin account per VDOM is created. A per-VDOM admin is solely responsible for its domain, including the configuration backup of that VDOM. In larger organisations you may need to create multiple VDOM administrators; you can assign multiple administrators to each VDOM.

*A per-VDOM admin cannot access the global settings of the FortiGate firewall*

  • Create VDOM Administrator Account: Follow step 1 to step 5 to create a VDOM admin account in the FortiGate firewall

FortiGate VDOM Modes

There are two VDOM modes in FortiGate – Split VDOM and Multi-VDOM.

  • Split VDOM: In split VDOM mode FortiGate has two VDOMs in total, root and FG-Traffic. You cannot add VDOMs in split VDOM mode. It keeps management and network traffic separate.
    1. Root :: only management traffic is allowed and it has separate entries
    2. FG-Traffic :: provides separate security policies and allows traffic through FortiGate. It is only for network traffic.

  • Multi-VDOM: Multiple VDOMs can be created that function as multiple independent units. We use multiple VDOMs when we want to create multiple logical firewalls on a single hardware device; each VDOM acts as an independent FortiGate firewall. Such a configuration suits a managed service provider using a multi-tenant setup, or a large enterprise that wants departmental segmentation. You can give each tenant or department independent visibility and management control.

Configure & Enable VDOM in FortiGate Firewall

Log in to the command line to enable VDOMs on the FortiGate firewall.

1. Type command # config system global -> to enter the global settings of the firewall

2. Select the VDOM mode by # set vdom-mode split-vdom OR # set vdom-mode multi-vdom

3. Here we have selected multi-vdom mode

3.1 End the session with # end

4. It will NOT reboot the device to enable VDOM mode; it just logs you out

5. Select the Global VDOM in the FortiGate web GUI

6. Go to System

7. Select VDOM. By default the root VDOM is available in the config

8. Create a new VDOM

9. Name the new VDOM – marketing

10. NGFW Firewall mode -> Profile based

11. WiFi Country -> select as per the data available in your FortiGate firewall

12. Select OK

The next step is to add interfaces to the new VDOM -> marketing

13. Go to Global VDOM -> select Network -> move to Interfaces

14. Select the physical/logical interface which you want to add to VDOM marketing

15. Choose Edit

16. Select marketing in the Virtual Domain field of interface LAN (port2)

17. Allocate another interface, port 3, to VDOM marketing

18. Go to the Edit button

19. Select the marketing Virtual Domain in the port 3 interface

20. Select the marketing VDOM in the FortiGate firewall

21. Move to the Interfaces button and check that all the interfaces allocated to the marketing domain are present in the Interfaces tab

22. Both port 2 and port 3 are now available to the marketing VDOM

This is how interfaces are associated with virtual domains in the FortiGate firewall. The admin can configure each of the following settings differently per VDOM:

  • Firewall policies
  • Firewall objects
  • Security profiles, routes, network interfaces
  • Operating mode – NAT/route

Inter-VDOM Links

Inter-VDOM links route traffic between VDOMs.

Each VDOM behaves like a separate FortiGate firewall. With separate FortiGate devices we would normally connect cables and configure routing and policies between them, but VDOMs are on the same device, so how should the admin route traffic between them?

The solution is the Inter-VDOM link. An Inter-VDOM link is a type of virtual interface that routes traffic between VDOMs. It removes the need for a physical cable loop.

Limitation -> Layer 3 interfaces are required; the admin cannot interlink layer 2 or transparent-mode interfaces in FortiGate.

Pre-requisites to configure Inter-VDOM links:

  • Routes are required to forward traffic from one VDOM to another
  • Firewall policies are also required to allow traffic from other VDOMs, the same as for traffic coming from a physical interface
  • When creating an inter-VDOM link the admin must create virtual interfaces

Steps to Create Inter-VDOM-Link

1. Go to Global> Network >Interfaces

2. Select Create New> VDOM Link

3. Provide name to the link

4. Select the first FortiGate VDOM through which the other VDOM will be connected. Here the first VDOM of the link is root and the second is marketing

5. We are creating a point-to-point link, hence we give two IP addresses; in IP/Netmask enter 10.10.100.1/30 in NAT mode

6. Select another V-link which is marketing

7. Provide IP address 10.10.100.2/30

8. Select OK to make the configuration changes

Now add static routing in the marketing VDOM to provide communication between the root VDOM and the marketing VDOM.

9. Go to static routes

10. Add a static route for the marketing VDOM along with the gateway address and the vlink interface

Enable static routing in the root VDOM as well

11. Assign the marketing VDOM's physical interface network as the destination. Here we have taken port 2, whose IP address is 10.0.5.1/24

12. After logging in to the root VDOM, go to static routes

13. Enter the destination IP address, which is the port 2 interface network of the marketing VDOM

14. Gateway address

15. Interface of the marketing vlink

Enable Firewall Policy between FortiGate VDOMs

Now create firewall policies to allow traffic between the two FortiGate VDOMs.

1. Log in to the marketing VDOM

2. Go to Security Policy and create a policy between the root and marketing VDOMs

3. Source interface LAN port 2

4. Destination interface interlink 1

5. Disable NAT >> NAT is not required between these VDOMs

Create the same policy in the root VDOM

1. Log in to the root VDOM

2. Go to Security Policy and create a policy between the root and marketing VDOMs

3. Source interface inter_link0 (root interlink)

4. Destination interface port1 > WAN interface to the internet

5. Enable NAT >> NAT is required to reach the internet from the FortiGate firewall

After configuring the firewall policies, log in to the marketing VDOM and try to ping google.com. The policies are working fine if you get a ping response from google.com.
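The GUI procedure above, from enabling multi-VDOM mode through the two firewall policies, written as FortiOS CLI. This is an added example, not configuration from the original article; it assumes port1 is the WAN interface, port2 is the marketing LAN at 10.0.5.1/24, the new VDOM is named marketing and the VDOM link is named vlink, which FortiOS exposes as interfaces vlink0 (root side) and vlink1 (marketing side); lines beginning with # are comments.

```fortios
# 1. Switch the unit to multi-VDOM mode. No reboot, but the CLI session is
#    closed, so the remaining steps need a fresh login.
config system global
    set vdom-mode multi-vdom
end

# 2. Create the marketing VDOM in profile-based NGFW mode.
config vdom
    edit marketing
        config system settings
            set ngfw-mode profile-based
        end
    next
end

# 3. Move port2 from root into marketing (port3 is done the same way) and
#    create the point-to-point inter-VDOM link with its /30 addresses.
config global
    config system interface
        edit "port2"
            set vdom "marketing"
            set ip 10.0.5.1 255.255.255.0
            set allowaccess ping
        next
    end
    config system vdom-link
        edit "vlink"
            set type ppp
        next
    end
    config system interface
        edit "vlink0"
            set vdom "root"
            set ip 10.10.100.1 255.255.255.252
            set allowaccess ping
        next
        edit "vlink1"
            set vdom "marketing"
            set ip 10.10.100.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# 4. Routing: marketing sends everything to root over the link; root needs a
#    return route for 10.0.5.0/24 via the link.
config vdom
    edit marketing
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.10.100.1
                set device "vlink1"
            next
        end
        # 5. Policy marketing LAN -> root; no NAT between VDOMs.
        config firewall policy
            edit 1
                set name "lan-to-root"
                set srcintf "port2"
                set dstintf "vlink1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
    edit root
        # IDs 10 avoid clashing with entries already in root; any free ID works.
        config router static
            edit 10
                set dst 10.0.5.0 255.255.255.0
                set gateway 10.10.100.2
                set device "vlink0"
            next
        end
        # 6. Policy link -> WAN with source NAT so replies can return.
        config firewall policy
            edit 10
                set name "marketing-to-internet"
                set srcintf "vlink0"
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```

The ping test from the article then exercises both policies: the marketing default route carries the packet to root over vlink1, and root's return route for 10.0.5.0/24 brings the reply back.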

Related FAQs

Q.1 How many VDOMs can I create on my FortiGate?

The number of VDOMs you can create depends on the FortiGate model and the license purchased. Some models come with a base number of VDOMs, while others allow you to add more through licensing.

Q.2 What are the different VDOM modes in FortiGate?

FortiGate supports two VDOM modes:

  • NAT/Route Mode: The VDOM operates in routing mode, performing NAT and routing traffic between interfaces.
  • Transparent Mode: The VDOM acts as a Layer 2 bridge, forwarding traffic between interfaces without changing IP addresses.

Q.3 Can I manage VDOMs separately?

Yes, each VDOM can be managed independently, including separate administrators, policies, routing, and configurations. You can assign specific administrators to specific VDOMs with different access levels.

Q.4 How do I enable VDOMs on a FortiGate device?

To enable VDOMs:
Log in to the CLI.
Use the command –

config system global
set vdom-admin enable
end

Reboot the device if necessary

Q.5 How do I assign an interface to a specific VDOM?

To assign an interface to a VDOM:
Access the CLI.
Use the command

config global
config system interface
edit <interface_name>
set vdom <vdom_name>
next
end
end

This will move the interface to the specified VDOM.

Q.6 Can I configure different security profiles for each VDOM?

Yes, each VDOM can have its own set of security profiles, including antivirus, web filtering, IPS, and more. These profiles are managed independently within each VDOM.

Q.7 Can I disable VDOM mode after enabling it?

Yes, you can disable VDOM mode by:
1. Accessing the CLI.
2. Using the command:

```bash
config system global
set vdom-admin disable
end
```

3. This will remove all VDOM configurations and reset the device to a single administrative domain. Ensure you back up your configurations before disabling VDOM mode.

Q.8  What is an inter-VDOM link?

An inter-VDOM link is a virtual interface that connects two VDOMs, allowing traffic to pass between them. This is useful for scenarios where different VDOMs need to communicate with each other while maintaining their own routing and firewall policies.

Continue Reading:

FortiGate SD-WAN Fundamentals

Palo Alto Security Profiles and Security Policies

Introduction to Sonicwall Firewall: Working, Features, Setup
https://networkinterview.com/sonicwall-firewall/ (Sun, 07 Jul 2024 09:08:04 +0000)

Evolution of Firewalls: Sonicwall Firewall

Firewall technologies have evolved at a very rapid pace since their inception. The initial packet-filtering firewalls inspected packet traffic and decided whether to allow or reject each packet; these were replaced by stateful packet inspection firewalls, designed to protect against network layer threats by analyzing ports and protocols. Then Next generation firewalls came, which use deep packet inspection to scan the entire packet payload in order to provide advanced threat protection.

In today’s topic we will look at Sonicwall firewalls which are Next Generation firewalls (NGFW), their architecture and features. 

What is a Sonicwall Firewall?

The SonicWall firewall, earlier called 'Interpol' in the late 1990s, was rebranded as SonicWall: a dedicated hardware appliance with firewall and VPN software intended for the small business segment. SonicWall firewalls identify and control all applications running in the network.

They identify applications based on their unique signatures instead of protocols or ports. They visualize application traffic to determine usage patterns and develop granular policies for applications, users or user groups and other parameters such as time of day.

Working of Sonicwall Firewall

SonicWall application recognition is based on an application's 'DNA' instead of less unique attributes such as source port, destination port or protocol type, using an extensive, automatically updated database of application signatures. SSL encrypted traffic-based controls analyze encrypted traffic the same way as unencrypted traffic.

SonicWall firewall controls track, manage and enforce the specific versions of applications being used. There is no need for a physical check on every system to determine the application version; simply set a SonicWall application intelligence and control policy to achieve this.

You can create a policy to prioritize bandwidth for live meeting applications: the deep packet inspection engine searches for the application signature or name and raises the bandwidth priority of the live meeting application.

Peer-to-peer applications like BitTorrent, often utilized for downloading unauthorized copies of copyrighted content, not only take up bandwidth but also pose a significant risk of transmitting malware. New P2P applications are constantly being created, which makes it difficult to manually block any single P2P application. The SonicWall application intelligence and control databases receive regular updates to incorporate newly emerging P2P applications.

Social networking sites such as Facebook, Instagram and YouTube can be blocked or restricted to specific users at the workplace.

SonicWall Capture enhances firewall threat prevention by detecting and preventing unknown and zero-day attacks via the cloud.

Data leakage can be prevented by routing outbound traffic through the firewall, which can detect and prevent leaks of 'data in motion'.

Features of Sonicwall Firewall

  • Single configuration for management of all threats 
  • Single UI interface to view and manage all threat events so there is no need to separately look at log entries on multiple devices such as firewalls, Antivirus, web content filtering, Intrusion prevention systems and data leakage prevention systems
  • Improved control over applications by category, bandwidth management, user access, destination control etc.
  • Gives a single view of network security 
  • Easy to manage and secure VPN systems for secure remote access

How to set up a Sonicwall firewall?

  • Connect a system to the SonicWall LAN (X0) interface or to a network switch connected to the LAN interface. It will automatically receive an IP address from the SonicWall appliance.
  • Open a web browser to https://192.168.168.168 to access the firewall
  • On first access it gives the option to use a setup wizard or go directly to the management interface
  • At the SonicWall management interface login page, the default username and password are admin/password
  • The default password must be changed
  • Select a timezone from the 'time zone' drop-down and click OK
  • At the WAN network mode page select the option cable/modem-based connections for DHCP-assigned IP addresses
  • Select the option router-based connections for a static IP address and netmask
  • At the LAN settings page accept the default LAN settings or enter an IP address and netmask and click Next
  • At the SonicWall configuration summary page review the configuration and click Apply
  • In SonicOS click Monitor and then Current Status | System Status
  • To register, click on the register link, which takes you to the license page
  • Enter your MySonicWall username and password on this page and click Submit

Quick fact!

Market share: Sonic firewall (0.4%) in network security space.

Continue Reading:

Perimeter Firewall vs Internal Firewall: Detailed Comparison

What is an ML Powered NGFW?

Firewall vs Proxy: Detailed Comparison
https://networkinterview.com/firewall-vs-proxy/ (Sun, 07 Jul 2024 08:30:38 +0000)

Both the proxy and the firewall limit or block connections to and from a network, but in different ways. While a firewall filters and blocks communication (ports or unauthorized programs that seek unauthorized access to our network), a proxy redirects it.

In this blog, we will discuss the comparison, firewall vs proxy in detail.

FIREWALL

A firewall is a security tool that oversees the flow of incoming and outgoing network traffic. It uses a set of security rules to determine whether to permit or prohibit specific traffic. Firewalls are essential components of network security and serve as the first line of defense against potential threats. Their primary function is to separate secure and regulated internal networks from untrusted external networks, such as the Internet. Firewalls can be hardware, software or a combination of both.

Types of Firewalls:

1. Packet Filtering

Fundamentally, messages are divided into packets that include the destination address and data. Packets are transmitted individually and often by different routes. Once the packets reach their destination, they are reassembled into the original messages.

Packet filtering is a firewall in its most basic form. Its primary purpose is to control access to specific network segments as directed by a preconfigured set of rules, or rule base, which defines the traffic permitted access. Packet filters usually function at layers 3 (network) and 4 (transport) of the OSI model.

In general, a typical rule base will include the following elements:

  • Source address
  • Destination Address
  • Source port
  • Destination Port
  • Protocol

Packet filtering firewalls are the least secure type of firewall, because they cannot understand the context of a given communication, making them easier for intruders to attack.

2. Stateful inspection firewall

Check Point has developed and patented Stateful Inspection technology, which adds layer 4 awareness to the standard packet-filter firewall architecture.

Stateful Inspection and static packet filtering are two different methods of examining a packet. While static packet filtering only looks at the header of a packet to gather information about its source and destination, Stateful Inspection goes a step further by examining the content of the packet up through the application layer to gather more information. This involves monitoring the state of the connection and creating a state table to compile the information. The advantage of this approach is that it allows the firewall to filter packets based on the context established by previous packets that have passed through it.

For Example,

Stateful-inspection firewalls offer protection against port scanning by keeping all ports closed until a specific port is requested.

3. Unified threat management (UTM) firewall

A UTM system is a network hardware appliance, virtual appliance, or cloud service that provides businesses with simplified security protection by combining and integrating multiple security services and features. Its purpose is to safeguard businesses from potential security threats.

UTM devices are commonly available as network security appliances that offer comprehensive security to networks from multiple threats. They provide protection against malware and simultaneous attacks that can target different areas of the network.

UTM cloud services and virtual network appliances are gaining popularity for network security, particularly among small and medium-sized businesses. These solutions eliminate the need for on-premises network security appliances, while offering centralized control and simplicity in constructing a layered network security defence.

NGFWs were initially created to address the shortcomings of conventional firewalls in securing networks. They offer a wide range of security features such as application intelligence, intrusion prevention systems, and denial-of-service protection. Unified threat management devices, on the other hand, provide comprehensive network security by combining various security measures like next-generation firewalls, antivirus, VPN, spam filtering, and URL filtering for web content.

4. Next-generation firewall (NGFW)

Firewalls have come a long way from basic packet filtering and stateful inspection. Nowadays, many businesses are utilizing next-generation firewalls to thwart contemporary risks such as application-layer attacks and advanced malware.

As per Gartner, Inc.’s definition, a next-generation firewall must include:

  • Standard firewall capabilities like stateful inspection
  • Integrated intrusion prevention
  • Application awareness & control to block the risky apps
  • Upgrade paths to include future information feeds
  • Techniques to address evolving security threats

PROXY

A proxy server, also known as an application gateway, regulates application-level traffic by scrutinizing data using header fields, message size and content. It is a component of the firewall, as a packet firewall alone cannot differentiate between port numbers. The proxy server makes decisions on how to handle application-specific traffic flows by using URLs.

How does a Proxy server work?

A proxy server is positioned between the client and original server. It operates as a server process, receiving requests from the client to access the server.

The proxy server performs a complete content check when it receives a request. If the request and its content are deemed valid, the proxy server forwards the request to the actual server as if it were a client. However, if the request is not deemed valid, the proxy server rejects the request and sends an error message to the external user.

One of the benefits of using a proxy server is its ability to cache. When a request for a page is made, the proxy checks whether the response is already stored in its cache. If it is, the proxy sends the stored response instead of making a new request to the origin server. This reduces traffic and load on the main server and improves latency.

Comparison: Firewall vs Proxy

Basics:

The Firewall is a security feature that prevents harmful traffic from entering or leaving a public network. It serves as a barrier for incoming and outgoing data. The Proxy Server, on the other hand, is a part of the firewall that allows communication between the client and the server if the client is verified as a legitimate user. It plays a dual role of both client and server.

Filtration:

Firewalls and proxy servers are two different types of network security measures. While a firewall filters IP packets, a proxy server filters requests on the basis of its application level content.

Network Layer:

The firewall relies on data from the network and transport layers, whereas the proxy server also takes into account data from the application layer.

Overhead Generation:

The firewall creates more overhead than a proxy server since the proxy server can handle fewer aspects by using caching.

Final Words

A firewall and proxy server collaborate to safeguard the system from harmful cyber attacks. Both firewalls and proxy servers can be used to add an extra layer of security against malware and intruders when using the internet. As a firewall component, a proxy server can be utilized by many modern firewall providers to enhance security, as well as provide efficiency and feasibility. Therefore, using both can be beneficial for additional security.

Continue Reading:

6 Types of Firewall: Network Security

CASB vs Proxy: Understand the difference

Introduction to WatchGuard Network Security Firewall
https://networkinterview.com/watchguard-network-security-firewall/ (Sun, 23 Jun 2024 12:04:52 +0000)

Firewalls are network perimeter security devices which separate internal networks from external public networks such as the Internet to reduce the risk of external attacks. Firewalls use access policies and identify types of information; in addition they control ports to ensure communication happens through secure ports only and unsecured ones are blocked. NGFWs, or Next generation firewalls, are a step ahead and provide a bundle of security services such as intrusion prevention, application control and malware protection.

In today’s topic we will learn about the WatchGuard network security firewall, how it works, its architecture, key features etc. 

WatchGuard Network Security Firewall   

WatchGuard network security firewall is a next generation firewall (NGFW). WatchGuard has two firewall series known as:

Tabletop Firebox Appliances (T-series) 

It is ideal for small, home and branch office setups. These firewalls have built-in PoE and optional Wi-Fi. They have SD-WAN inbuilt and provide a cheaper alternative to expensive MPLS and 4G/LTE for improved network resiliency with enhanced security features. Logging and reporting with 100+ dashboards support regulatory framework requirements such as HIPAA and PCI-DSS.

Routing is supported with IPv6, DHCP, LDAP, NAT and RADIUS. RapidDeploy cloud technology creates and stores Firebox configuration data in the cloud, so the appliance is ready to ship and needs only a simple plug-in at the user end. This series has four models:

  • Firebox T-15 – is cost effective for delivering VPN services, enabling flexible remote access for branch office connectivity. Secure and encrypted connections with Gigabit Ethernet ports support a high-speed LAN backbone and WAN connections. Supports up to 10 VLANs with an authenticated user limit of 200.
  • Firebox T-20 – brings full UTM protection for small sites and remote workers. It supports 150 Mbps throughput, 10 VLANs, 10 branch office VPN tunnels, and high availability in active/passive and active/active mode.
  • Firebox T-40 – brings enterprise-level networking to small branch offices. Supports the total security suite, AI-powered malware protection, threat correlation and DNS filtering. Includes a special Power over Ethernet (PoE) port to power peripheral devices such as cloud-managed wireless access points from WatchGuard. It supports 50 VLANs with a firewall throughput of 1 Gbps and 30 VPN tunnels.
  • Firebox T-80 – high-end firewall with an optional port expansion module (fibre connectivity). Supports the total security suite and advanced features like cloud sandboxing, AI-powered malware protection and DNS filtering. Includes a special Power over Ethernet (PoE) port to power peripheral devices such as cloud-managed wireless access points from WatchGuard. A 1 Gbps SFP or 10 Gbps SFP+ extension module is also available. It supports 75 VLANs with a firewall throughput of 1.32 Gbps and 60 VPN tunnels.

Rackmount Firebox Appliances (M-series) 

It is meant for midsize and distributed enterprise-level organizations and can be mounted as a 1U rackmount. This series has three models:

  • Firebox M270/M370 – are meant for small and medium networks with 150 users. They provide 4.9 Gbps throughput (M270) and 8 Gbps throughput (M370), and support 100 VLANs (M270) and 200 VLANs (M370), with 50 and 100 VPN tunnels respectively.
  • Firebox M470/M570/M670 – support up to 850 users. Firewall throughput is 19.6 Gbps (M470), 26.6 Gbps (M570) and 34 Gbps (M670), with 300 VLANs (M470), 500 VLANs (M570) and 750 VLANs (M670), and 250, 500 and 750 VPN tunnels respectively.
  • Firebox M4600/M5600 – ideal for the centralized data centers of large distributed enterprises. They usually serve as hub appliances, handling the management and security of all communications between headquarters and remote sites. Firewall throughput is 40 Gbps (M4600) and 60 Gbps (M5600), with 100 VLANs (M4600) and unlimited VLANs (M5600), and 5000 and unlimited VPN tunnels respectively.

Architecture & Features: WatchGuard Firewalls

WatchGuard firewalls are designed with a robust and scalable architecture to provide comprehensive security for various network environments. Here is an overview of the key components and architecture of WatchGuard firewalls:

Core Components

  1. Hardware and Virtual Appliances:
    • Firebox Hardware Appliances: Physical devices ranging from small desktop units for SMBs to high-performance rack-mounted units for large enterprises.
    • Virtual Firebox Appliances: Software-based firewalls that can be deployed in virtual environments such as VMware, Hyper-V, and cloud platforms like AWS and Azure.
  2. Operating System:
    • Fireware OS: WatchGuard’s proprietary operating system that powers all Firebox appliances, providing a consistent and high-performance platform for security services.
  3. Security Engines:
    • Packet Filtering Engine: Analyzes and filters network traffic based on rules and policies.
    • Deep Packet Inspection (DPI) Engine: Inspects the contents of packets for malicious activity, including encrypted traffic through SSL/TLS decryption.
    • Intrusion Prevention System (IPS): Detects and prevents network intrusions by comparing traffic against a database of threat signatures.
    • Antivirus and Anti-Malware Engines: Scans for viruses, malware, and other threats in real-time.
    • Application Control Engine: Identifies and controls applications based on policies, allowing or blocking them as necessary.

Security Services Integration

WatchGuard firewalls integrate multiple security services, which can be managed and configured through a unified interface. These services include:

  • Threat Detection and Response (TDR): Correlates network and endpoint threat data to detect and respond to advanced threats.
  • Network Discovery: Provides visibility into all devices connected to the network.
  • DNSWatch: Protects against phishing and other web-based threats by filtering DNS requests.
  • APT Blocker: Uses sandboxing to detect and block advanced persistent threats (APTs).
  • Data Loss Prevention (DLP): Prevents sensitive data from leaving the network unauthorized.
  • SpamBlocker: Filters out spam and malicious emails.

Management and Control

  1. WatchGuard System Manager (WSM):
    • A centralized management console for configuring, monitoring, and managing multiple WatchGuard firewalls.
    • Provides a graphical interface for policy management, real-time monitoring, and detailed reporting.
  2. WatchGuard Cloud:
    • A cloud-based management platform that offers centralized control, monitoring, and reporting for all WatchGuard devices.
    • Enables easy deployment and management of firewall policies across multiple sites.
  3. Web UI:
    • A web-based interface that allows for local management of individual firewalls.
    • Provides access to all configuration settings, logs, and diagnostic tools.
  4. Command Line Interface (CLI):
    • Allows advanced users to configure and manage the firewall using text-based commands.
    • Useful for scripting and automation.

High Availability and Scalability

  1. High Availability (HA):
    • Supports active/passive and active/active HA configurations to ensure continuous network availability.
    • Enables failover to a backup firewall in case the primary firewall fails.
  2. Clustering:
    • Allows multiple firewalls to be grouped together to increase throughput and provide load balancing.
    • Ensures that traffic is distributed across multiple devices for better performance and reliability.

Connectivity Options

  1. VPN Support:
    • Supports various VPN technologies, including SSL/TLS VPN, IPsec VPN, and mobile VPNs, to provide secure remote access.
    • Enables site-to-site VPN connections for secure communication between multiple locations.
  2. Network Interfaces:
    • Multiple network interface options, including Gigabit Ethernet, fiber, and wireless, to connect to different types of networks.
    • Supports VLANs for network segmentation and improved security.

Threat Intelligence and Automation

  1. WatchGuard Threat Intelligence:
    • Leverages threat intelligence feeds to enhance security capabilities.
    • Provides real-time updates to security signatures and threat databases.
  2. Automation:
    • Automates routine tasks such as firmware updates, threat signature updates, and policy enforcement.
    • Uses scripting and APIs to integrate with other security tools and platforms.

Deployment Models

  1. Perimeter Firewall:
    • Deployed at the network edge to protect against external threats and control inbound and outbound traffic.
  2. Internal Segmentation Firewall (ISFW):
    • Deployed within the internal network to segment different network zones and provide granular security controls.
  3. Cloud and Virtual Deployments:
    • Deployed in virtual environments to protect cloud-based workloads and hybrid network infrastructures.

By combining these components and features, WatchGuard firewalls provide a comprehensive security solution that can adapt to the needs of different network environments, ensuring robust protection against a wide range of cyber threats.

Palo Alto Panorama – https://networkinterview.com/palo-alto-panorama/ – Tue, 19 Mar 2024

Introduction to Palo Alto Panorama

Palo Alto Panorama is the centralized management server that offers global visibility and control over multiple Palo Alto Networks next generation firewalls from a web interface console. Panorama manages multiple Palo Alto Networks firewalls from a central location.

Key Features of Palo Alto Panorama

  • Application Command Center (ACC): ACC provides a visual summary of application, web, threat and data transfer activity.
  • App-Scope: App-Scope provides a comparison view of application activity across either multiple devices or a single device.
  • Policy-Based Application Usage Control: Using the policy editor, application usage control policies can be developed, deployed and managed.
  • Shared Policies: Panorama deploys a set of global policies across a set of distributed firewalls. The Panorama administrator can modify or remove a policy.
  • Centralized Update Management: Panorama can be used to manage licenses and perform device or content updates (virus patterns, threat signatures, App-ID).
  • Logging: Detailed logs are collected locally, leveraging device storage and eliminating the need for centralized logging.
  • Reporting: The reporting feature of Panorama can generate more than 30 predefined reports, which can be used as is or modified and saved for future use. Reports can be exported to PDF format and also scheduled for email delivery.

Panorama Management Architecture

Panorama provides many features to manage Palo Alto Networks firewalls using a model that provides both central and local control. Panorama features a number of tools for centralized administration:

Templates: Templates can be used to manage configuration centrally and then push the changes to all managed Palo Alto firewalls.

Device Groups: Panorama manages common policy and objects via device groups. Device groups are used to centrally manage Palo Alto firewalls with common requirements and common policies.

Role-based Administration: This feature can be used to assign role-based administration access (enabled, read-only, or disabled and hidden from view) to different users.

Software, Content and License Update Management: Software updates, content updates and licenses can be distributed across the network by Panorama in an organized manner.

Panorama Deployment

Panorama can be deployed either as a hardware appliance or as a virtual appliance.

Hardware Appliance:

Panorama uses the M-100 hardware appliance for high-performance dedicated hardware and to separate the Panorama management and logging functions for large volumes of log data. Panorama running on the M-100 appliance can be deployed in the following ways:

Centralized: All Panorama management and logging functions are combined centrally in a single device, with the option of HA. (Related – High Availability Palo Alto)

Distributed: Management and logging functions can be split across multiple devices. The functions are divided between a Panorama manager and Panorama log collectors.

Panorama Manager: The Panorama Manager does not store log data locally; logs are saved separately on the log collectors. The manager analyzes the data saved in the log collectors for centralized reporting.

Panorama Log Collector: A dedicated log collector device deployed to handle high logging volumes; it aggregates log information from multiple managed firewalls.

Virtual Appliance:

Panorama can be deployed as a virtual appliance on VMware ESXi to support virtualization initiatives and to conserve rack space, which is limited and costly in a data center. The virtual appliance can be deployed in the following two ways:

Centralized: All Panorama management and logging functions are combined centrally in a single device, with the option of HA.

Distributed: Management and logging functions can be split across multiple devices. A combination of hardware and virtual appliances is supported.

Panorama Manager: The virtual appliance acts as the Panorama manager and is responsible for handling the tasks associated with policy and device configuration across all managed devices.

Panorama Log Collector: Panorama log collectors are responsible for offloading log collection and processing tasks and may be deployed using the M-100. The virtual appliance is not to be used as a Panorama log collector.

PARAMETER                     PANORAMA CENTRALIZED MANAGEMENT   DEVICE WEB INTERFACE
Multi-device management       Yes                               No
Global view of all devices    Yes                               No
Global logging/reporting      Yes                               No
Application Command Center    Yes                               Yes
App-Scope                     Yes                               Yes
Policy Editor                 Yes                               Yes
Web-based interface           Yes                               Yes
Shared policies               Yes                               No
Role-based administration     Yes                               Yes
Requires management client    No                                No

PANORAMA SPECIFICATIONS

Number of Devices Supported      Up to 1,000
Administrator Authentication     Local database, RADIUS
High Availability                Active/Passive
Log Storage                      Maximum of 2 Terabytes (TB)
Command Line Interface           SSHv2, Telnet or Console
Web Interface                    HTTPS, HTTP
Device Connection                SSLv2
Management Tools and APIs        Graphical User Interface (GUI), Command Line Interface (CLI), XML-based REST API

VIRTUAL APPLIANCE SPECIFICATIONS

Minimum Server Hardware Requirements   40 GB, 4 GB RAM, Quad-Core CPU (2GHz+)
VMware Support                         VMware ESX 4.1 or greater
Browser Support                        IE v7 or greater, Firefox v3.6 or greater, Safari v5.0 or greater, Chrome v11.0 or greater
Log Storage                            VMware Virtual Disk: 2TB maximum, or NFS

Conclusion

Panorama manages multiple Palo Alto Networks firewalls from a central location and provides features such as templates, device groups, role-based administration and update management. Organizations can delegate appropriate access to all management functions: visualization tools, policy creation, reporting and logging, at both the global and the local level.

Fortinet FortiGate HA (High Availability): Detailed Guide – https://networkinterview.com/fortigate-ha-high-availability/ – Thu, 19 Oct 2023

Objectives
  • High Availability
  • HA Modes
  • FGCP (FortiGate Clustering Protocol)
  • Heartbeat Interfaces and Virtual IP Interfaces
  • HA Requirement
  • Configure Primary FortiGate Firewall
  • Configure Secondary FortiGate Firewall
  • HA-Troubleshooting

What is High Availability?

High Availability (HA) is a feature of Firewalls in which two or more devices are grouped together to provide redundancy in the network. HA links and synchronises two or more devices. In FortiGate HA one device will act as a primary device (also called Active FortiGate). Active device synchronises its configuration with another device in the group. Other FortiGate devices are called Secondary or Standby devices.

Fortigate HA Modes

There are two FortiGate HA modes available:

  • Active / Passive – The configurations of the primary and secondary devices are kept in synchronisation. In Active/Passive mode the primary device is the only one that actively processes traffic. The secondary FortiGate remains in passive mode and monitors the status of the primary device. If a problem is detected in the primary FortiGate, the secondary device takes over the primary role. This event is called HA failover.
  • Active / Active – All HA configuration must likewise be in synchronisation. The only difference in Active/Active mode is that all the FortiGate devices process traffic.

FGCP (FortiGate Clustering Protocol)

FGCP is the HA protocol used by FortiGate cluster members to communicate. FGCP travels between cluster devices over the heartbeat links and uses TCP port 703 with the following Ethernet type values:

  • 0x8890 – NAT mode
  • 0x8891 – transparent mode

TCP port 23 is used by FGCP for configuration synchronisation. The firewall cluster uses FGCP to elect the primary, synchronise configuration, discover other firewalls that belong to the same HA group and detect failover when any HA device fails.

In Active/Passive mode the primary firewall performs the following tasks:

  • Exchanges heartbeat Hello messages with the secondary device over the control link
  • Synchronises the routing table, DHCP information and running configuration
  • Synchronises traffic sessions

The secondary firewall performs the following tasks:

  • Monitors the primary device to check whether reachability within the cluster is working
  • If a problem is encountered with the primary firewall, takes over the traffic sessions
  • Maintains data plane state such as the forwarding table, NAT table and authentication records

Heartbeat Interfaces and Corresponding IP addresses

Virtual IP addresses are assigned to heartbeat interfaces based on the serial number of the FortiGate firewall:

  • 169.254.0.1 – assigned to the highest serial number
  • 169.254.0.2 – assigned to the second highest serial number
  • 169.254.0.3 – assigned to the third highest serial number

 

Cluster uses these virtual IP addresses to differentiate cluster members and update configuration changes in clustered devices.

Fortigate HA Requirements

  1. Two to four identical FortiGate firewalls (same model)
  2. Same licenses on all cluster members
  3. Physical link between the firewalls for heartbeat
  4. DHCP and PPPoE interfaces are supported

Fortigate HA Configuration

Configuring Primary FortiGate for HA

1. Go to System -> HA

2. Select Active-Passive mode

3. Once Active-Passive mode is selected, several parameters are required

4. Mode – Active/Passive

5. Device Priority – 200. A higher numerical value means higher priority. Here the priority is set to 200; secondary devices must have a lower numerical value than the primary firewall.

6. Device Group – The group name must be the same on both primary and secondary devices. Here we have given the name HA-GROUP. The device group is used in HA to assign two or more devices to the same HA group.

7. Password – The same password must be provided on both the primary and the secondary firewall.

8. Heartbeat Interface – Add Port 3/HA1 and Port 4/HA2 as heartbeat interfaces, through which the primary and secondary devices exchange hello messages to check the liveness of the peer device.

9. Select OK

  • The FortiGate exchanges messages with peer devices to establish an HA cluster. When the admin selects OK, connectivity to the FortiGate can be lost while the HA cluster negotiates and FGCP assigns new MAC addresses to the FortiGate interfaces.
  • Power off the FortiGate.
  • Repeat the steps on the secondary device and connect Port 3 and Port 4 to the secondary FortiGate firewall.

Configuring Secondary FortiGate for HA

Repeat Step 1 to Step 9 on the secondary firewall.

Check the HA status on the secondary device. Refresh the entries and check the sync status in the HA monitoring dashboard of both the primary and the secondary.

The dashboard widget shows the status below when HA is in sync.

Troubleshooting Commands: FortiGate HA

Run these commands in global mode (config global).

get system ha status –> shows HA and cluster failover information


FortiGate (global) # get sys ha status
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA Active Passive
Group: HA-Group
Debug: 0
Cluster Uptime: 211 days 5:9:44
Cluster state change time: 2022-04-16 14:21:15
Master selected using:
<2022/04/13 14:21:15> FGVMXXXXXXXXXX14 is selected as the master because it has the largest value of uptime.
<2022/04/13 14:15:46> FGVMXXXXXXXXXX16 is selected as the master because it has the largest value of uptime.
<2022/04/12 11:17:04> FGVMXXXXXXXXXX44 is selected as the master because it has the largest value of override priority.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Configuration Status:
FGVMXXXXXXXXXX14(updated 2 seconds ago): in-sync
FGVMXXXXXXXXXX16(updated 3 seconds ago): in-sync
System Usage stats:
FGVMXXXXXXXXXX14(updated 2 seconds ago):
sessions=12, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=44%
FGVMXXXXXXXXXX16(updated 3 seconds ago):
sessions=2, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=14%
HBDEV stats:
FGVMXXXXXXXXXX14(updated 2 seconds ago):
port3: physical/10000full, up, rx-bytes/packets/dropped/errors=2232258636/6463321/0/0, tx=3266257061/8035173/0/0
FGVMXXXXXXXXXX16(updated 3 seconds ago):
port3: physical/10000full, up, rx-bytes/packets/dropped/errors=3366612632/70886621/0/0, tx=1232321221/4564123/0/0
MONDEV stats:
FGVMXXXXXXXXXX14(updated 1 seconds ago):
port4: physical/10000full, up, rx-bytes/packets/dropped/errors=5543991879/3242247/0/0, tx=554325343/4321945/0/0
FGVMXXXXXXXXXX16(updated 3 seconds ago):
port1: physical/10000full, up, rx-bytes/packets/dropped/errors=22183223/2218321/0/0, tx=216832/1211/0/0
Master: Active-FW         , FGVMXXXXXXXXXX14, cluster index = 1
Slave : Secondary-Fw         , FGVMXXXXXXXXXX16, cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Master: FGVMXXXXXXXXXX14, operating cluster index = 0
Slave : FGVMXXXXXXXXXX16, operating cluster index = 1
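Checking the sync state by eye works for two members but not for a fleet. As an added example (not FortiOS or vendor code), the Python below parses `get system ha status` text in the format shown above and reports members that are out of sync and heartbeat or monitored interfaces that are down; the sample input is constructed and reuses the page's masked serial numbers.

```python
import re
from dataclasses import dataclass, field

# Line shapes taken from the "get system ha status" output format above
MEMBER_RE = re.compile(r"^(\S+)\(updated \d+ seconds? ago\):\s*(\S*)$")
LINK_RE = re.compile(r"^(\S+): physical/\S+, (up|down),")
ROLE_RE = re.compile(r"^(Master|Slave)\s*:\s*[^,]*,\s*(\S+),\s*cluster index")
SECTIONS = ("Master selected using:", "Configuration Status:",
            "System Usage stats:", "HBDEV stats:", "MONDEV stats:")


@dataclass
class HaStatus:
    health: str = ""
    master: str = ""
    slaves: list = field(default_factory=list)
    config_sync: dict = field(default_factory=dict)      # serial -> "in-sync" / other
    heartbeat_links: dict = field(default_factory=dict)  # serial -> {port: "up"/"down"}
    monitored_links: dict = field(default_factory=dict)  # serial -> {port: "up"/"down"}


def parse_ha_status(text: str) -> HaStatus:
    """Walk the output section by section and collect the fields that matter."""
    st = HaStatus()
    section, member = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section, member = line, None
            continue
        if line.startswith("HA Health Status:"):
            st.health = line.split(":", 1)[1].strip()
        elif (m := ROLE_RE.match(line)):
            if m.group(1) == "Master":
                st.master = m.group(2)
            else:
                st.slaves.append(m.group(2))
        elif (m := MEMBER_RE.match(line)):
            member = m.group(1)  # following lines belong to this member
            if section == "Configuration Status:":
                st.config_sync[member] = m.group(2)
        elif member and section in ("HBDEV stats:", "MONDEV stats:") and (m := LINK_RE.match(line)):
            links = st.heartbeat_links if section == "HBDEV stats:" else st.monitored_links
            links.setdefault(member, {})[m.group(1)] = m.group(2)
    return st


def ha_findings(st: HaStatus) -> list:
    """Conditions worth investigating; an empty list means the cluster looks healthy."""
    findings = []
    if st.health != "OK":
        findings.append(f"HA health status is '{st.health or 'unknown'}'")
    if not st.master:
        findings.append("no master (primary) member reported")
    for serial, state in st.config_sync.items():
        if state != "in-sync":
            findings.append(f"{serial}: configuration {state}")
    for label, links in (("heartbeat", st.heartbeat_links), ("monitored", st.monitored_links)):
        for serial, ports in links.items():
            for port, state in ports.items():
                if state != "up":
                    findings.append(f"{serial}: {label} interface {port} is {state}")
    return findings


# Constructed sample in the format shown above (masked serials as on the page):
# the secondary is out of sync and its heartbeat interface is down.
SAMPLE_HA_STATUS = """\
HA Health Status: OK
Mode: HA Active Passive
Master selected using:
<2022/04/13 14:21:15> FGVMXXXXXXXXXX14 is selected as the master because it has the largest value of uptime.
Configuration Status:
FGVMXXXXXXXXXX14(updated 2 seconds ago): in-sync
FGVMXXXXXXXXXX16(updated 3 seconds ago): out-of-sync
HBDEV stats:
FGVMXXXXXXXXXX14(updated 2 seconds ago):
port3: physical/10000full, up, rx-bytes/packets/dropped/errors=10/10/0/0, tx=10/10/0/0
FGVMXXXXXXXXXX16(updated 3 seconds ago):
port3: physical/10000full, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
MONDEV stats:
FGVMXXXXXXXXXX14(updated 1 seconds ago):
port4: physical/10000full, up, rx-bytes/packets/dropped/errors=10/10/0/0, tx=10/10/0/0
Master: Active-FW         , FGVMXXXXXXXXXX14, cluster index = 1
Slave : Secondary-Fw         , FGVMXXXXXXXXXX16, cluster index = 0
"""

if __name__ == "__main__":
    status = parse_ha_status(SAMPLE_HA_STATUS)
    print("master:", status.master, "slaves:", status.slaves)
    for finding in ha_findings(status) or ["cluster healthy"]:
        print("-", finding)
```

Feed it the output captured over SSH from each cluster and alert on a non-empty findings list; the config-sync check is the same condition the dashboard widget shows.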

To find a configuration mismatch, compare the cluster checksums. Run the following commands to go through each VDOM and the global configuration for discrepancies:

diag sys ha checksum show <vdom>
diag sys ha checksum show global

Use grep to filter the configuration:

diagnose sys ha checksum show root | grep system
diagnose sys ha checksum show global | grep log

Repeat the above commands on the secondary device and compare the outputs to locate the mismatch.

If no mismatch is found, initiate a checksum recalculation.

Command to recalculate the checksum:

diagnose sys ha checksum recalculate [<vdom-name> | global]

The above command recalculates the checksum for all the devices.

Debug HA logs

diag debug app hasync 255
diag debug enable
execute ha synchronize start

diagnose debug application hatalk -1 –> shows communication between HA devices

An HA mismatch can be investigated further with the following commands:

1. diag debug config-error-log read
2. diag hardware device disk
3. show sys storage
4. show wanopt storage

 

Palo Alto Security Profiles and Security Policies – https://networkinterview.com/palo-alto-security-profiles/ – Wed, 27 Sep 2023

Below are the key profile types provisioned in a Palo Alto firewall. Let's discuss all the profile types one by one.

Palo Alto Security Profiles & Security Policies

While security policy rules allow or block traffic in the network, security profiles scan applications for threats such as viruses, malware, spyware and DDoS attacks. When traffic matches the rule set in the security policy, the rule is applied for further content inspection such as antivirus checks and data filtering.

Antivirus Profiles

Antivirus profiles block viruses, worms and Trojans as well as spyware. Palo Alto protects user data from malware without impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses and compressed (zipped) files.

Anti-Spyware Profiles

Anti-Spyware profiles block spyware on hosts, allowing detection of malicious traffic leaving the network from infected clients. An Anti-Spyware profile is applied at the level of zones. The profile can be customized, or one of the following profile types can be selected when applying Anti-Spyware to a Security policy rule:

Vulnerability Protection Profiles

Vulnerability Protection profiles protect against unauthorized access to systems and against threats entering the network. For example, they help protect against buffer overflows, illegal code execution and other attempts to exploit system vulnerabilities. The default vulnerability protection profile protects clients and servers from all critical, high and medium severity threats. When the firewall detects a threat event, the following actions can be configured:

URL Filtering Profiles

URL Filtering profiles allow monitoring and control of how users access the web over HTTP and HTTPS. By default, the firewall has a default profile that is configured to block URL categories such as malware, phishing and adult content. A new profile can be created from the default URL profile with all categories set to allow, for visibility into the traffic in the network. Newly added URL profiles can be customized with lists of specific websites that should always be blocked or allowed, which provides more granular control over URL categories.

Data Filtering Profiles

Data filtering profiles protect sensitive information such as credit card details or social security numbers from leaving a protected network. A data filtering profile can filter on keywords, such as a sensitive project name or the word confidential. Custom data patterns can be created and then attached to a Data Filtering profile. Data pattern objects are created based on the following:

File Blocking Profiles

File blocking profiles are used to block particular file types over particular applications and in the defined session flow direction (inbound/outbound/both). Alerts can be set on upload and/or download for an application. In a file blocking profile, custom block pages can be configured that appear when a user attempts to download the specified file type. File blocking profiles give the user a moment to consider whether they really want to download a file. A custom File Blocking profile can be defined, or one of the following can be chosen:

  • Basic File Blocking: Intended for security policies that allow less sensitive traffic. It blocks file types that are commonly malware. In this profile, files are blocked on upload and download, such as executables (.scr, .cpl, .dll, .ocx, .pif), Java files (.class, .jar), .chm, .hlp and other critical malicious file types (.vbe, .hta, .wsf, .torrent, .7z, .rar, .bat). A prompt appears on the user's screen to acknowledge when they attempt to download encrypted .rar or encrypted .zip files.
  • Strict File Blocking: Intended for policies that allow access to your most sensitive applications. In addition to basic file blocking, it blocks .tar, multi-level encoding, .cab, .msi, encrypted .rar and encrypted .zip files.

Wildfire Analysis Profiles

A WildFire analysis profile is used to forward unknown files or email links for analysis, based on application, file type and transmission direction (upload or download). Files or email links matching a profile rule are forwarded either to the WildFire public cloud or the WildFire private cloud, depending on the analysis location defined for the rule.

DoS Protection Profiles

DoS (Denial of Service) protection policies allow control of the number of sessions between interfaces, zones, addresses and countries, based on aggregate sessions or on source and/or destination IP addresses. The following are the two DoS protection mechanisms in Palo Alto Networks firewalls.

Flood Protection: Protects against attacks in which the network is flooded with packets, leaving many sessions half-open so that the service is unable to serve each request.

Resource Protection: Used to prevent session exhaustion attacks, in which a large number of hosts establish as many fully established sessions as possible and thereby consume the system's resources. This method protects against such resource usage.

Zone Protection Profiles

Zone Protection Profiles protect a network zone from attack and are applied to the entire zone. In this profile, packets per second (pps) threshold limits are defined for the zone; the threshold is based on the packets per second that do not match a previously established session.

Conclusion on Palo Alto security profiles and security policies:

Security policy rules allow or block traffic in the network, while security profiles scan applications for threats such as viruses, malware, spyware and DDoS attacks.

Difference Between Sophos UTM and Sophos XG Firewall – https://networkinterview.com/sophos-utm-and-sophos-xg-firewall/ – Mon, 14 Aug 2023

Firewalls have come a long way since their inception in the 1980s. The initial firewall was built by Digital Equipment Corporation (DEC) as a packet filtering firewall which simply inspected packet traffic; if a packet did not match the rules it was either dropped or rejected. In 1989 stateful inspection firewalls emerged, which were more robust. In 2004, IDC coined the term Unified Threat Management (UTM) firewalls, and the latest are XG or NGFW firewalls.

Today we look more in detail about two firewalls from Sophos – Sophos Unified Threat Management (UTM) firewall and Sophos XG firewall, understand their key differences and features.

About Sophos UTM 

Sophos UTM is a threat management system designed to protect businesses from emerging threats related to malware, including viruses, worms, rootkits, spyware and ransomware. Sophos UTM provides a variety of functions: web and email filtering, network protection, network routing services, advanced threat protection, authentication, email encryption, Data Leakage Prevention (DLP), web policies, VPN IPsec client, VPN SSL client and clientless VPN, and logging and reporting.

Features of Sophos UTM

  • Simplifies security management and reduces the complexity of multiple point solutions
  • Detailed reports give insight into how to improve network performance and protection
  • Complete control to block, allow, shape and prioritize applications
  • Two-factor authentication with OTP
  • Integrated wireless controller
  • Allows remote offices to be connected securely with VPN and Wi-Fi services

About Sophos XG firewall 

Sophos XG firewall is a next generation firewall (NGFW) which exposes hidden risks, blocks unknown threats and automatically responds to incidents by isolating compromised systems, and exposes hidden users, applications and threat risks in the network. It includes synchronized security (linking endpoints and firewall so that they share and communicate information, identify compromised systems and isolate them until they are cleaned up), a web application firewall, email protection, ransomware protection, phishing prevention and a unified interface for all firewall rules with a secure web gateway.

Features of Sophos XG Firewall

  • Deep packet inspection with IPS, ATP, URL filtering, and in-depth reporting 
  • Bidirectional AV (antivirus) for WAF (web application firewall) with authentication offloading
  • Path based routing and country level blocking 
  • Self-service SSL
  • Synchronized security to link endpoints, cloud workloads and firewall to relay health status and immediate response to network threats

Sophos UTM Vs Sophos XG Firewall

  • Sophos UTM is a Universal Threat Manager while Sophos XG is just a hardware firewall.
  • Sophos UTM update cycles are extremely extended: updates usually come once every four months, with no new features. The Sophos XG firewall OS is completely different, and almost every seven weeks new maintenance releases and one or two minor releases with new features come out.
  • Sophos UTM is not compatible with APX access points. Sophos XG firewall hardware supports APX access points (a portfolio of access points with Wi-Fi 5 (802.11ac Wave 2) technology) for better performance, throughput and security.
  • Sophos UTM has less integration since it is a separate product and was formerly the Astaro firewall. Sophos XG integrates with other products such as Intercept X and is administered from Sophos Central.
  • Sophos UTM does not permit assigning its own name to a firewall rule. Sophos XG firewall rule management is much cleaner: rules can be grouped together (for example one group for IoT devices) and each rule can be given its own name. Longer comments are supported to record who created a rule and for what purpose. Each rule is assigned an ID, which can be referenced in the logs to identify what traffic goes through it.
  • Sophos UTM does not have the synchronized security feature. Sophos XG offers synchronized security, which links endpoints and the firewall and helps contain lateral movement from an infected system.

Below table summarizes the differences between the two types of Sophos Firewalls:

Routing Configuration in FortiGate Firewall: Static, Dynamic & Policy Based – https://networkinterview.com/routing-configuration-in-fortigate-firewall/ – Thu, 10 Aug 2023

Objectives
  • Routing in Fortinet FortiGate
  • Configuration Steps of Static Routing
  • Configuration Steps of Dynamic Routing (BGP)
  • Policy Base Routing
  • Routing Monitor GUI
  • Troubleshooting Commands for Routing in FortiGate

 

Routing in Fortinet FortiGate Firewall

Routing determines how a packet is sent from a source to a destination in a network.

To perform routing, every firewall has a routing table. A routing table contains a series of rules which specify the next hop and the active routes. Each hop in the routing path requires a routing table lookup to pass the packet along until it reaches the destination.

The firewall first finds the routing rule in the routing table that matches the destination address in the packet. When performing this match, FortiGate evaluates the entire routing table and selects the most specific route before forwarding the packet to the next hop.

 

What is route lookup?

When a packet arrives on a firewall interface, the firewall inspects the IPv4 header, reads the destination IPv4 address and proceeds through the route lookup process.

For each session FortiGate performs the route lookup twice.

The first lookup is performed for the first packet sent by the initiator, and the second for the first reply packet coming from the responder. After completing these two lookups, the firewall writes the routing information into the session table.

Subsequent packets are routed according to the session table. After a routing table change, route information is flushed from the sessions and must be re-learned.

 

Static Route

Static Route: A manually configured route. When you configure a static route, you are telling the firewall which interface to use for packets to a specific destination range. The example shown here is a default static route, which means all traffic (0.0.0.0/0) will go via port1 using gateway 10.0.3.1 if no more specific match is found in the routing table.

Static Route Configuration in FortiGate:

  • GUI -> Network -> Static Routes
  • Add New Static Route
  • Destination -> 0.0.0.0/0
  • Gateway -> Firewall Gateway (10.0.3.1)
  • AD -> 10 (value for static route)

Dynamic Route

For large Network manually configuring routes may not be a practical. Therefore, dynamic routing has been introduced in firewall to learn the route automatically.

Dynamic Routing Protocols supports by FortiGate Firewall

  • RIP
  • OSPF
  • BGP
  • IS-IS

In dynamic routing, FortiGate communicates with neighbouring routers to discover their paths and to advertise its own directly connected subnets. Discovered paths are automatically added to the routing table, so verify that the neighbour routers are trusted and secure.

Refer to the images below to configure BGP in FortiGate Firewall.

You can verify the routes in the Routing Monitor.

Policy Based Routing

Policy-based routes can match on more than just the destination IP address. For example, suppose you have two ISP links, 10 Gbps and 5 Gbps: one is reserved for senior management for fast internet access, the other serves ordinary users with average internet reachability.

Policy-based routing forwards traffic on the basis of policy criteria defined in the firewall. If a packet matches a policy route, the firewall bypasses the normal routing table lookup. Policy routes are kept in a separate table from the normal firewall routing table.

When a packet matches a policy route, the firewall performs one of two actions:

  • Forward traffic: the packet is sent out of the specified egress interface to the specified gateway
  • Stop policy routing: the packet is routed using the routing table instead

Routing Table Monitor

Routing Table Monitor: In the FortiGate GUI, the Routing Monitor shows the active routes. It captures static routes, directly connected subnets assigned to FortiGate interfaces, and other connected routes.

If a link is not established or is down, its route is not shown in the monitor tab.

Steps to check a route lookup in the Routing Monitor:

Select Route Lookup -> Add search criteria -> Check logs

Each route listed in the routing table includes several attributes with associated values:

Network column: lists the destination IP address and subnet mask of the matched route.

Interface column: lists the interface that will be used to deliver the packet.

Distance column: the administrative distance is used to rank routes from most preferred to least preferred. If there are multiple routes to the same destination, the route with the smaller distance is used to forward the packet.

Distance value 0: Directly Connected

Distance Value 5: DHCP Gateway

Distance Value 10: Static Routes

Distance Value 20: External BGP

Distance Value 110: OSPF Routes

Distance Value 120: RIP Routes
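As an added example (not FortiGate code; all routes, interfaces and addresses are constructed), the lookup logic described in the route lookup, policy-based routing and Distance column sections above: policy routes are checked first, a "stop policy routing" action falls through to the routing table, and the routing table picks the most specific prefix, ranking equal prefixes by the administrative distances listed.

```python
"""Route lookup as described in the FortiGate sections above: policy routes are
checked first, then the routing table, where the most specific prefix wins and
equal prefixes are ranked by administrative distance. Added example with
constructed data; it is not FortiGate code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Default administrative distances from the Distance column section above.
DISTANCE = {"connected": 0, "dhcp": 5, "static": 10, "ebgp": 20,
            "ospf": 110, "rip": 120}


@dataclass
class Route:
    network: IPv4Network
    interface: str
    gateway: Optional[str]      # None for directly connected subnets
    source: str                 # key into DISTANCE

    @property
    def distance(self) -> int:
        return DISTANCE[self.source]


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    protocol: int               # IP protocol number, e.g. 6 = TCP
    in_interface: str


@dataclass
class PolicyRoute:
    """A policy route can match on more than the destination address."""
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    protocol: Optional[int] = None
    in_interface: Optional[str] = None
    action: str = "forward"             # "forward" or "stop" (stop policy routing)
    out_interface: Optional[str] = None
    gateway: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every criterion left unset (None) matches anything.
        return ((self.src is None or pkt.src in self.src)
                and (self.dst is None or pkt.dst in self.dst)
                and (self.protocol is None or pkt.protocol == self.protocol)
                and (self.in_interface is None or pkt.in_interface == self.in_interface))


def routing_table_lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest prefix match; ties are broken by the smaller administrative distance."""
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance))


def route_lookup(policy_routes: List[PolicyRoute], table: List[Route],
                 pkt: Packet) -> Optional[Tuple[str, Optional[str], str]]:
    """Returns (egress interface, gateway, decided-by) or None if unroutable."""
    for pr in policy_routes:
        if pr.matches(pkt):
            if pr.action == "stop":
                break                   # stop policy routing: use the routing table
            return pr.out_interface, pr.gateway, "policy"
    route = routing_table_lookup(table, pkt.dst)
    if route is None:
        return None
    return route.interface, route.gateway, route.source


# Constructed routing table (not from a real device). The 0.0.0.0/0 entry via
# port1 and gateway 10.0.3.1 is the default static route from the section above.
ROUTING_TABLE = [
    Route(ip_network("0.0.0.0/0"), "port1", "10.0.3.1", "static"),
    Route(ip_network("10.0.3.0/24"), "port1", None, "connected"),
    Route(ip_network("10.10.0.0/16"), "port2", "10.0.4.1", "static"),
    Route(ip_network("10.10.0.0/16"), "port3", "10.0.5.1", "ospf"),   # same prefix, loses on distance
    Route(ip_network("10.10.5.0/24"), "port3", "10.0.5.1", "ebgp"),   # more specific, wins
]

# Constructed policy routes: the management subnet 192.168.1.0/24 uses the faster
# ISP on port6, except that traffic to the internal 10.10.0.0/16 stops policy routing.
POLICY_ROUTES = [
    PolicyRoute(src=ip_network("192.168.1.0/24"), dst=ip_network("10.10.0.0/16"),
                action="stop"),
    PolicyRoute(src=ip_network("192.168.1.0/24"), action="forward",
                out_interface="port6", gateway="10.0.6.1"),
]


def lookup(src: str, dst: str, protocol: int = 6, in_interface: str = "port5"):
    """Convenience wrapper over route_lookup for a packet built from strings."""
    pkt = Packet(ip_address(src), ip_address(dst), protocol, in_interface)
    return route_lookup(POLICY_ROUTES, ROUTING_TABLE, pkt)


if __name__ == "__main__":
    for s, d in [("192.168.2.5", "8.8.8.8"), ("192.168.1.5", "8.8.8.8"),
                 ("192.168.1.5", "10.10.5.7"), ("192.168.2.5", "10.10.7.7")]:
        print(f"{s} -> {d}: {lookup(s, d)}")
```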

Routing Troubleshooting

CLI Command to check active Routes in FortiGate Firewall:

Active, Standby and Inactive Routes

Standby Route

Common Troubleshooting Commands for FortiGate Routing

Some of the commonly used FortiGate CLI commands are:

get router info routing-table all         # all routes in the active routing table (IPv4)
get router info6 routing-table            # active routing table (IPv6)

get router info routing-table database    # routing database with active and inactive routes (IPv4)
get router info6 routing-table database   # routing database with active and inactive routes (IPv6)

get router info kernel                    # forwarding information from the kernel (IPv4)
get router info6 kernel                   # forwarding information from the kernel (IPv6)

diagnose firewall proute list             # policy-based routing and load-balancing information (IPv4)
diagnose firewall proute6 list            # policy-based routing and load-balancing information (IPv6)

get router <routing-protocol>             # settings of an enabled routing protocol (for example, get router bgp)

diagnose ip rtcache list                  # route cache: current sessions with their routing information

FortiGate Single Sign On: FSSO
https://networkinterview.com/fortigate-single-sign-on-fsso/
Fri, 04 Aug 2023 11:00:35 +0000

Single Sign On & FortiGate Single Sign On

Single Sign On (SSO) is a process that allows users to log into every application automatically after being identified once, regardless of platform, technology and domain.

FortiGate Single Sign On (FSSO) is a software agent that enables FortiGate to identify network users in order to apply security policies or provide VPN access. With FSSO, users can access multiple applications without having to re-authenticate.

Users who have already been authenticated by the network can access applications without providing their credentials multiple times.

  • FSSO can identify the user's user ID, IP address and group membership
  • FortiGate allows access based on membership in an FSSO group configured on the firewall
  • Each FSSO method gathers login events differently
  • FSSO uses directory services such as Windows Active Directory or Novell eDirectory

The FSSO deployment depends on the server that provides directory services. With Microsoft Active Directory (AD), FSSO uses a collector agent together with the domain controllers.

Working Modes

There are two working modes for monitoring user sign-on activity on Windows:

  • DC Agent Mode
  • Polling Mode

FSSO DC Agent Mode

This is the recommended mode. DC agents monitor user login events and forward them to the collector agent, which is another FSSO component. The collector agent is generally installed on a Windows server that is a member of the domain you want to monitor.

The collector agent consolidates the events received from the DC agents and forwards them to FortiGate. Collector agents are responsible for group verification, workstation checks and updating FortiGate with login records.

The FSSO collector agent can send domain security group, organisational unit and global security group information to FortiGate firewalls. It can also be customised for global DNS.

Ways to Configure FortiGate Single Sign On in the Network

DC Agent mode: this is the recommended FSSO mode. One DC agent is installed on each Windows DC, so an organisation with multiple DCs needs multiple DC agents.

  • User authentication is done by the Windows DC
  • The DC agent captures the login event and forwards it to the collector agent
  • The collector agent forwards the event log to FortiGate
  • FortiGate identifies the user by IP address, so the user does not need to authenticate again

Polling Mode: can be collector agent based or agentless.

First, let's look at collector agent based polling mode. Like DC Agent Mode, it requires a collector agent installed on a Windows server.

  • No FSSO DC agent is required
  • The collector agent polls each DC for user login events every few seconds. It uses SMB (TCP 445) to request the event logs, with TCP 135, TCP 139 and UDP 137 as fallbacks
  • Installation is less complex than in the other modes, which reduces maintenance
  • Commonly used polling methods are:
    • NetAPI
    • WinSecLog
    • WMI

Collector Agent-Based Polling Mode Process

  • The user authenticates with the DC
  • The collector agent polls the DC to get the login event data
  • The collector agent forwards the login data to the FortiGate firewall
  • The user does not need to authenticate again

Agentless Polling Mode Process

The other polling method is agentless and is called the agentless polling mode process.

  • FortiGate polls the domain controller frequently to get the user event logs
  • The user authenticates with the domain controller
  • FortiGate discovers the login event at the next poll
  • The user does not need to authenticate again, as FortiGate already knows whose traffic it is receiving

FSSO Configuration and Installation

Step 1: FSSO Agent Installation

Download the FSSO agent on the Windows AD server:

1. Visit the Fortinet support website https://support.fortinet.com

2. Go to Download -> Firmware Images

3. Select FortiGate and then click Download

4. Click v7.00 > 7.0 > 7.0.0 > FSSO

Install the collector agent on the server as Administrator:

1. Set the username of the FSSO domain admin account

2. Set the password of the domain admin account

3. Enable monitoring of user login sessions

4. Set the standard features

Step 2: After installing the FSSO agent, move on to the DC agent installation process.

Follow steps 1 to 5:

1. Set the collector agent IP address and the listening port

2. Select the domain to be monitored

3. Exempt any users you do not want to monitor (the exception list)

4. Select the domain controllers

5. Set the working mode to DC Agent Mode

FSSO Collector Client Configuration

1. Enable Monitor user login events

2. Enable or disable NTLM authentication

3. Listening port for the FortiGate firewall: 8000

4. Listening port for the DC agent: 8002

5. Enable authentication between FortiGate and the collector agent and set the password used for authentication

6. Set the polling timer

Group Filter

The FSSO collector agent manages the FortiGate group filters. A group filter decides which of a user's group information is sent to FortiGate. Group filters are associated with FortiGate serial numbers. A FortiGate supports up to 256 Windows AD user groups.

1. Select Set Group Filter

2. The FortiGate Filter List tab opens

3. Select Add

4. Create a new group filter and associate the serial number of the FortiGate device with it.
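As an added example (not Fortinet code; the users, addresses, groups and serial number are constructed), the identification flow from the DC Agent and polling mode sections together with the group filter described above: logon events arrive at the collector agent, which keeps the IP-to-user mapping, forwards only the groups in the filter for a given FortiGate serial number, and the FortiGate matches its policy on the group of the user logged on at the packet's source IP.

```python
"""FSSO identification flow as described above: DC agents (or the polling
methods) deliver Windows logon events to the collector agent, which keeps the
IP-to-user mapping and applies the group filter for a FortiGate serial number;
the FortiGate then matches its policy on the group membership of the user seen
at the packet's source IP. Added example with constructed events, users and a
placeholder serial number; it is not Fortinet code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_GROUPS_PER_FORTIGATE = 256   # limit stated in the Group Filter section


@dataclass
class LoginEvent:
    """One Windows logon event as a DC agent (or poller) would forward it."""
    user: str
    ip: str
    workstation: str
    groups: Set[str]
    event_time: int              # seconds since an arbitrary epoch (constructed)


@dataclass
class CollectorAgent:
    """Consolidates logon events and answers a FortiGate's queries."""
    logons: Dict[str, LoginEvent] = field(default_factory=dict)   # ip -> latest logon
    filters: Dict[str, Set[str]] = field(default_factory=dict)    # serial -> groups

    def set_group_filter(self, serial: str, groups: Set[str]) -> None:
        if len(groups) > MAX_GROUPS_PER_FORTIGATE:
            raise ValueError("a FortiGate supports at most 256 AD user groups")
        self.filters[serial] = set(groups)

    def receive(self, event: LoginEvent) -> None:
        # Identification is by IP address: a newer logon seen at the same IP
        # replaces the previous user; an older (stale) event is ignored.
        current = self.logons.get(event.ip)
        if current is None or event.event_time >= current.event_time:
            self.logons[event.ip] = event

    def logoff(self, ip: str) -> None:
        self.logons.pop(ip, None)

    def records_for(self, serial: str) -> Dict[str, dict]:
        """Login records sent to one FortiGate: only the groups in its filter."""
        allowed = self.filters.get(serial, set())
        return {ip: {"user": ev.user, "groups": ev.groups & allowed}
                for ip, ev in self.logons.items()}


@dataclass
class FortiGate:
    serial: str
    collector: CollectorAgent
    policies: Dict[str, str] = field(default_factory=dict)   # policy name -> FSSO group

    def match_policy(self, src_ip: str) -> Optional[str]:
        """Name of the first policy whose FSSO group contains the user at src_ip."""
        record = self.collector.records_for(self.serial).get(src_ip)
        if record is None:
            return None       # no logon known for this address: no FSSO identity
        for name, group in self.policies.items():
            if group in record["groups"]:
                return name
        return None


def build_lab():
    """Constructed deployment: two policies, a filter for two groups, two logons."""
    collector = CollectorAgent()
    serial = "FGT-SERIAL-PLACEHOLDER"
    collector.set_group_filter(serial, {"Finance", "IT"})   # Engineering is not forwarded
    fgt = FortiGate(serial, collector,
                    {"Finance-Internet": "Finance", "IT-Internet": "IT"})
    collector.receive(LoginEvent("alice", "10.1.1.20", "WS-ALICE",
                                 {"Domain Users", "Finance"}, 100))
    collector.receive(LoginEvent("bob", "10.1.1.21", "WS-BOB",
                                 {"Domain Users", "Engineering"}, 110))
    return collector, fgt


if __name__ == "__main__":
    collector, fgt = build_lab()
    for ip in ("10.1.1.20", "10.1.1.21", "10.1.1.99"):
        print(ip, "->", fgt.match_policy(ip))
```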

 

Configure FSSO in FortiGate Firewall

1. Configure LDAP:

2. Go to User & Device -> LDAP Servers and select Create New

3. Set the AD server name and IP address

4. Set the Common Name (CN) identifier and its values

5. Provide the password and check that the connection is successful

6. Go to Security Fabric

7. Select Fabric Connectors

8. Under SSO/Identity, select Fortinet Single Sign-On Agent

9. Enter a name for the connector

10. Add the primary FSSO agent IP address and password

11. Apply and refresh the configuration

12.  Select the View tab to add FSSO group filters

13. Add the group filter to the FSSO connector and click OK

14. Go back to User & Device -> User Groups

15. Add a new user group, name it and select the type FSSO

16. Add the FSSO groups as members

17. Create a policy for the user group: go to Policy & Objects and select IPv4 Policy

18. Name the security policy

19. Add the source zone and the source address, which is the FSSO user group

20. Select the destination (Web-Browser) and fill in the other details

21. Select OK

Monitor Connectivity and Login Details of Users

NAT Configuration & NAT Types – Palo Alto
https://networkinterview.com/nat-configuration-nat-types-palo-alto/
Fri, 28 Apr 2023 10:00:33 +0000

In the previous post we discussed the architecture of the Palo Alto firewall. Now we will discuss the NAT configuration and NAT types in Palo Alto.

Network Address Translation (NAT) translates private, non-routable IP addresses to one or more globally routable IP addresses, thereby conserving an organization's routable IP addresses. The Palo Alto firewall supports NAT on Layer 3 and virtual wire interfaces. In PAN-OS, NAT policy rules instruct the firewall which action has to be taken.

Palo Alto NAT Policy Overview

A NAT rule is created to match a packet's source zone and destination zone; zones are what the firewall uses to classify packets by where they come from and where they are going. Palo Alto evaluates the rules sequentially from top to bottom. The firewall inspects the packet and performs a route lookup to find the egress interface and zone. Next, it matches the packet against the NAT rules defined for those zones, based on source and destination zone. The policy is then applied to the packets that match on source and destination address.

One-to-one NAT is called static NAT in Palo Alto. The Palo Alto firewall reads the pre-NAT parameters:

  • Pre-NAT IP address
  • Pre-NAT zone

Step by Step Process – NAT Configuration in Palo Alto

STEP 1: Create the zones and interfaces

  1. Log in to the Palo Alto firewall and navigate to the Network tab.
  2. Create the three zones:
    • Trust
    • Untrust A
    • Untrust B
  3. Create the Layer 3 interfaces, tie them to the corresponding zones and assign the IP addresses.

STEP 2: Configure Layer 3 routing

  1. Navigate to the virtual router workspace and configure any Layer 3 routing your network requires.

STEP 3: Create the NAT statements

  1. Define the NAT statements on the firewall: go to the Policies tab and select the NAT workspace.
  2. Our purpose is to allow traffic from the internal user subnet to reach the lab devices in Untrust B using the routable private IP space.

STEP 4: Create the matching security rule

  1. Every NAT rule should be paired with a corresponding security rule. Go to the Security workspace on the Policies tab.
  2. As established earlier, the firewall processes the packet using the pre-NAT IP address, so the security rule still uses the pre-NAT IP addresses.

NAT Types – Palo alto

1. Many-to-One, Hide NAT, Source NAT

Hide NAT is the most common use of address translation. It hides all internal LAN subnets behind a single external public IP. The NAT policy translates traffic originating from the trust zone and going out to the untrust zone, changing the source address to the IP assigned to the external physical interface. It also randomizes the source port. When packets are received back from the destination, they are automatically reverse-translated; the firewall maintains a state table that tracks all active sessions and their NAT actions.

2. Many-to-Many NAT

In this NAT type, the source address is translated to an address from a translated address pool rather than to the interface address. The Palo Alto firewall selects an IP from the available pool based on the source IP address, so a given source address always receives the same translated IP. The source port is randomized. If the source port has to remain the same (some applications require a specific source port), the translation type is Dynamic NAT, which preserves the client's source port for each translation.

3. One-to-One NAT, Static NAT

This is a one-to-one mapping of an internal IP address to an external global IP address; for example, a web server is mapped to a single global IP so that it can be accessed from the internet. A one-to-one NAT policy translates and forwards incoming connections to the specific server. There are two ways to achieve this:

Bi-directional policy:

In a bi-directional policy, a flag is set that allows the system to create an (invisible) implied inbound policy. The bi-directional policy is sourced from trust and destined for untrust, with the source address set to the server's internal IP and source translation to its public NAT address. The implied policy has a source zone of untrust, a destination zone of any, a destination IP of the public NAT address, and translation to the server's internal IP address.

Uni-directional policy:

A uni-directional NAT policy has less control than a bi-directional NAT policy, and it allows for PAT, or Port Address Translation. With PAT, a single public IP address can be used for multiple internal services, which is a great benefit.


Source and Destination NAT

In a U-turn situation, internal hosts need to connect to an internal server that is on the same network as the client, using its public IP address. To reach internal resources on a public IP, a new NAT policy has to be created to accommodate the trust-to-untrust translation.

Further, an asymmetric loop is created if the server receives a packet with the original source address and then sends its reply packets directly to the client. The flow would be Client -> Palo Alto Firewall -> Server -> Client, and the firewall terminates the session because it violates the TCP sanity checks. The solution is to add source translation to the firewall IP, so that the server's reply packets are sent to the firewall, allowing for stateful sessions.
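As an added example (not PAN-OS code; every address, zone and rule name is constructed), the NAT behaviour described in this article: top-down rule matching on the pre-NAT zones, hide NAT with source port randomization and a session table used for the reverse translation, dynamic NAT that keeps the source port, static inbound NAT for the web server, and the U-turn case with and without source translation to the firewall IP.

```python
"""NAT behaviour described in this article: rules are evaluated top-down on
the pre-NAT source and destination zones, each translation is recorded in a
session table so replies can be reverse-translated, and the U-Turn case shows
why source translation to the firewall IP is needed. Added example with
constructed addresses and rule names; it is not PAN-OS code."""
import random
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)

# Constructed topology: the zone is decided by a route lookup on the pre-NAT address.
LAN = ip_network("10.1.1.0/24")
FIREWALL_TRUST_IP, FIREWALL_PUBLIC_IP = "10.1.1.1", "203.0.113.1"
WEB_PRIVATE, WEB_PUBLIC = "10.1.1.50", "203.0.113.10"


def zone_of(ip: str) -> str:
    return "trust" if ip_address(ip) in LAN else "untrust"


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                            # zone name or "any"
    src_match: Optional[str] = None         # pre-NAT source address (None = any)
    dst_match: Optional[str] = None         # pre-NAT destination address (None = any)
    src_translate: Optional[str] = None     # translated source address
    src_mode: str = "dynamic-ip-and-port"   # or "dynamic-ip", which keeps the source port
    dst_translate: Optional[str] = None     # static destination translation

    def matches(self, src: str, dst: str) -> bool:
        return (self.from_zone == zone_of(src)
                and self.to_zone in ("any", zone_of(dst))
                and self.src_match in (None, src)
                and self.dst_match in (None, dst))


@dataclass
class Firewall:
    rules: List[NatRule]
    sessions: Dict[Flow, Flow] = field(default_factory=dict)   # post-NAT flow -> pre-NAT flow

    def forward(self, flow: Flow) -> Tuple[Optional[str], Flow]:
        """Apply the first matching rule (top-down); returns (rule name, post-NAT flow)."""
        src, sport, dst, dport = flow
        for rule in self.rules:
            if not rule.matches(src, dst):
                continue
            new_src, new_sport = src, sport
            if rule.src_translate:
                new_src = rule.src_translate
                if rule.src_mode == "dynamic-ip-and-port":   # hide NAT randomizes the port
                    new_sport = random.randint(1024, 65535)
            post = (new_src, new_sport, rule.dst_translate or dst, dport)
            self.sessions[post] = flow      # state kept for the reverse translation
            return rule.name, post
        return None, flow                   # no rule matched: packet is not translated

    def reply(self, reply_flow: Flow) -> Optional[Flow]:
        """Reverse-translate a reply using the session table; None if no session exists."""
        rsrc, rsport, rdst, rdport = reply_flow
        pre = self.sessions.get((rdst, rdport, rsrc, rsport))
        if pre is None:
            return None
        src, sport, dst, dport = pre
        return dst, dport, src, sport


def reply_reaches_firewall(server_ip: str, reply_to: str) -> bool:
    """A LAN server delivers replies to another host on its own subnet directly, so the
    firewall only sees replies addressed to itself or to a different subnet."""
    if reply_to in (FIREWALL_TRUST_IP, FIREWALL_PUBLIC_IP):
        return True
    return not (ip_address(server_ip) in LAN and ip_address(reply_to) in LAN)


def build_rules(uturn_source_translation: bool) -> List[NatRule]:
    return [
        # U-Turn: internal client to the web server's public IP (most specific, so first).
        NatRule("uturn", "trust", "untrust", dst_match=WEB_PUBLIC, dst_translate=WEB_PRIVATE,
                src_translate=FIREWALL_TRUST_IP if uturn_source_translation else None),
        # Static one-to-one NAT for the web server, inbound direction.
        NatRule("web-inbound", "untrust", "any", dst_match=WEB_PUBLIC, dst_translate=WEB_PRIVATE),
        # Dynamic NAT for a host whose application needs its source port preserved.
        NatRule("sip-out", "trust", "untrust", src_match="10.1.1.60",
                src_translate=FIREWALL_PUBLIC_IP, src_mode="dynamic-ip"),
        # Hide NAT for everything else leaving the trust zone.
        NatRule("hide", "trust", "untrust", src_translate=FIREWALL_PUBLIC_IP),
    ]


def uturn_reply_seen_by_firewall(source_translation: bool) -> bool:
    """Does the server's reply come back through the firewall in the U-Turn case?"""
    fw = Firewall(build_rules(source_translation))
    _, post = fw.forward(("10.1.1.10", 41000, WEB_PUBLIC, 443))
    return reply_reaches_firewall(WEB_PRIVATE, post[0])


if __name__ == "__main__":
    fw = Firewall(build_rules(True))
    print("hide NAT:", fw.forward(("10.1.1.10", 40000, "198.51.100.5", 443)))
    print("U-Turn with source NAT, reply via firewall:", uturn_reply_seen_by_firewall(True))
    print("U-Turn without source NAT, reply via firewall:", uturn_reply_seen_by_firewall(False))
```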

NAT on a VWire

A VWire is a virtual wire, which provides security transparently to the end devices. Because the interfaces in a VWire do not have an IP address assigned, the translated IP address must be assigned from a pool. When performing NAT on VWire interfaces, the source address is translated to a subnet different from the one on which the neighbouring devices are communicating.

Conclusion

NAT in PAN-OS lets us create rules that instruct the firewall what to do with a packet: which packets come from trusted or untrusted zones, which packet ports need translation, and what the translated addresses and ports are.
IPSec VPN Set Up – Palo Alto
https://networkinterview.com/ipsec-vpn-set-up-palo-alto/
Sun, 05 Mar 2023 12:55:07 +0000

Site-to-Site VPN Overview

A VPN connection that allows you to connect two Local Area Networks (LANs) securely is called a site-to-site VPN. A route-based VPN can be configured to connect Palo Alto Networks firewalls located at two sites, or to connect a Palo Alto Networks firewall with a third-party security device at another location. The Palo Alto firewall can also communicate with third-party policy-based VPN devices. Palo Alto sets up a route-based VPN tunnel: the routing decision chooses the destination, and all traffic routed to the tunnel is handled by the VPN tunnel.

The IP Security (IPSec) set of protocols is used to set up a secure tunnel for the VPN traffic, and the information in the TCP/IP packet is secured by ESP encryption. The original IP packet (header and payload) is embedded as the payload of another IP packet, a new header is applied, and the result is passed through the IPSec tunnel. The source IP address in the new header is the local VPN peer and the destination IP address is the far-end peer. When the packet reaches the far end, the outer header is removed and only the original IP packet is left.

The diagram above depicts a VPN tunnel between two sites. Suppose a user protected by VPN Peer A needs data from a server located behind VPN Peer B. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure connection and authenticate with VPN Peer B. The VPN tunnel is then established using the IPSec Crypto profile to allow the secure transfer of data between the two sites.

IPSec VPN Set Up: Palo Alto Networks

Setting Up Site-to-Site VPN

  1. Configure an interface as a Layer 3 interface.
  2. Create the tunnel interfaces and assign them to a separate zone so that the tunnel can use different policies.
  3. Set up static routes or assign routing protocols to route traffic into the VPN tunnels.
  4. Define the IKE gateways for establishing the tunnel between the peers, and set up the protocols and algorithms for identification, authentication and encryption of the VPN tunnels in IKEv1 Phase 1.
  5. Set up the tunnel parameters needed to establish the IPSec secure tunnel for transferring data across the VPN tunnel.
  6. Define security policies to filter and inspect the traffic between the tunnels.

Site-to-Site VPN with Static Routing

In this scenario, the VPN connection between two sites is set up using static routes. The tunnel interfaces on VPN Peer A and VPN Peer B do not require an IP address, because the firewall uses the tunnel interface as the next hop for routing traffic across the sites. A static IP address is assigned to each tunnel interface for monitoring purposes only.

Step 1: Configure a Layer 3 interface for IKE phase 1 tunnel establishment.

Step 2: Create a tunnel interface and attach it to a virtual router and security zone.

Step 3: Configure a static route, on the virtual router, to the destination subnet.

Step 4: Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2) on both ends.

Step 5: Set up the IKE Gateway.

Step 6: Set up the IPSec Tunnel.

Step 7: Create policies to apply on tunnel interface to allow traffic between the sites.

Step 8: Commit any pending configuration changes. Click Commit.

Step 9: Test VPN Connectivity.

Site-to-Site VPN with OSPF

In this case, each site uses OSPF for dynamic routing of traffic.

Step 1: Configure a Layer 3 interface on each firewall.

Step 2: Create a tunnel interface and attach it to a virtual router and security zone.

Step 3: Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2) on both ends.

Step 4: Set up the OSPF configuration on the router and attach the OSPF areas with the appropriate interfaces on the firewall.

Step 5: Set up the IKE Gateway.

Step 6: Set up the IPSec Tunnel.

Step 7: Create policies to apply on the tunnel interface to allow traffic between the sites.

Step 8: Verify OSPF adjacencies and routes from the CLI.

Step 9: Test VPN Connectivity.

Site-to-Site VPN with Static and Dynamic Routing

In this scenario, one site uses static routes and the other site uses OSPF. When the routing protocol differs between the two peers, a redistribution profile must be configured on the firewall that participates in both the static and the dynamic routing process. Without this redistribution profile, a routing protocol does not exchange any route information with the other protocols running on the same router.

Step 1: Configure the Layer 3 interfaces on each firewall.

Step 2: Set up the Crypto profiles.

Step 3: Set up the IKE Gateway.

Step 4: Create a tunnel interface and assign to a security zone.

Step 5: Set up the static route and the OSPF configuration on the router and assign the OSPF areas with the appropriate interfaces on the firewall.

Step 6: Create a redistribution profile to inject the static routes into the OSPF autonomous system.

Step 7: Set up the IPSec Tunnel.

Step 8: Create policies to allow traffic between the peers.

Step 9: Verify OSPF adjacencies and routes from the CLI.

Step 10: Test VPN Connectivity.

Conclusion

Virtual private networks (VPNs) create tunnels that allow users' systems to connect securely over a public network to transfer data. To set up a VPN tunnel, the Palo Alto Networks firewalls at both ends need to authenticate each other and encrypt the data traffic between them.
SSL VPN Configuration in Palo Alto – Detailed Explanation
https://networkinterview.com/ssl-vpn-configuration-in-palo-alto/
Fri, 17 Feb 2023 11:51:12 +0000

Overview

In our previous article, we studied the IPSec VPN set-up. In this article we will run through the CLI commands and GUI steps to configure an IPSec VPN, including the tunnel and route configuration, on a Palo Alto Networks firewall. Let's discuss the VPN configuration in Palo Alto in detail.

SSL VPN Configuration : Palo Alto

Configuring the GRE Tunnel on Palo Alto Firewall:

Step 1. Create a zone for the tunnel interface.

Define a network zone for the GRE tunnel: click Network >> Zones and click Add. Enter a name and select Type Layer3.

Step 2. Create a tunnel interface.

Configure the tunnel interface: click Network >> Interfaces >> Tunnel and click Add. Configure an IP address for the tunnel interface.

Step 3. Create the GRE tunnel.

Configure the GRE tunnel on the Palo Alto firewall: click Network >> GRE Tunnel and click Add. Define a name for this GRE tunnel and select the interface that carries your public IP. Configure the Local Address and Peer Address.

Step 4. Create the default route for the destination network.

To configure a default route, click Network >> Virtual Routers >> Default >> Static Route and click Add. Define the destination network of the peer end.

Step 5. Configure the security policy for the GRE tunnel.

Configure the security policies on the Palo Alto firewall for LAN to GRE and GRE to LAN: click Policies >> Security and click Add.

Step 6. Commit the configuration.

Step 7. Verify the configuration of the GRE tunnel.

Example:

Test-LAB> show interface tunnel.(number)

The IPSec tunnel creation commands should be executed in the order listed below; the values in parentheses are placeholders for your own tunnel number, VPN name, peer address and subnet:

> configure

# set network interface tunnel units tunnel.(number) ipv6 enabled no
# set network interface tunnel units tunnel.(number) ipv6 interface-id EUI-64
# set network interface tunnel units tunnel.(number) comment "(name) VPN"
# set zone vpn network layer3 tunnel.(number)
# set network virtual-router (virtual router number) interface (interface name)
# set network ike gateway (VPN Name) VPN protocol ikev1 dpd enable no
# set network ike gateway (VPN Name) VPN protocol ikev1 dpd interval 5
# set network ike gateway (VPN Name) VPN protocol ikev1 dpd retry
# set network ike gateway (VPN Name) VPN protocol ikev1 ike-crypto-profile IKE_Profile
# set network ike gateway (VPN Name) VPN protocol ikev1 exchange-mode auto
# set network ike gateway (VPN Name) VPN authentication pre-shared-key key paloalto
# set network ike gateway (VPN Name) VPN protocol-common nat-traversal enable no
# set network ike gateway (VPN Name) VPN protocol-common passive-mode no
# set network ike gateway (VPN Name) VPN peer-address ip X.X.X.X
# set network ike gateway (VPN Name) VPN local-address interface Ethernet (number)
# set network tunnel ipsec (VPN Name) VPN auto-key ike-gateway (VPN Name) VPN
# set network tunnel ipsec (VPN Name) VPN auto-key ipsec-crypto-profile IPsec_Profile
# set network tunnel ipsec (VPN Name) VPN tunnel-monitor enable no
# set network tunnel ipsec (VPN Name) VPN anti-replay yes
# set network tunnel ipsec (VPN Name) VPN copy-tos no
# set network tunnel ipsec (VPN Name) VPN tunnel-interface tunnel.(number)
# set network virtual-router "Virtual Router (any number)" routing-table ip static-route Route_to_(VPN Name) interface tunnel.(number)
# set network virtual-router "Virtual Router (any number)" routing-table ip static-route Route_to_(VPN Name) metric 10
# set network virtual-router "Virtual Router (any number)" routing-table ip static-route Route_to_(VPN Name) destination (Subnet)

Verification commands to validate IPSEC Tunnel configuration:

# show network ike
# show network tunnel ipsec

SSL Decryption with Certificate in Palo Alto:

Step 1. Generate a self-signed certificate for GlobalProtect.

Click Device >> Certificate Management >> Certificates >> Device Certificates >> Generate. Fill in the certificate fields as instructed on screen.

Step 2. Create an SSL/TLS Service Profile.

Click Device >> Certificate Management >> SSL/TLS Service Profile >> Add. Select the certificate to use for TLS.

Step 3. Create local users for GlobalProtect VPN authentication.

Click Device >> Local User Database >> Users and click Add.

Step 4. Create an authentication profile for GlobalProtect VPN.

Click Device >> Authentication Profile and click Add. Open the Advanced tab and add the users to the Allow List.

Step 5. Creating a zone for GlobalProtect VPN Traffic.

To create Security Zone, click on Network >> Zones >> Add.

Step 6. Creating a tunnel interface for GlobalProtect.

Click on Network >> Interfaces >> Tunnel >> Add, to create a tunnel interface.

Step 7. Portal Configuration for GlobalProtect.

Click GlobalProtect >> Portals >> Add. Open the General tab and provide a name for the GlobalProtect portal configuration. Open the Authentication tab and select the SSL/TLS service profile you created in Step 2. Under Client Authentication, click Add. Now open the Agent tab, select the Trusted Root CA (created in Step 1) and check the option "Install in Local Root Certificate Store". Open the User/User Group tab and choose the OS and User/User Group you have in your environment. Open the External tab and add an External Gateway: enter the name of the external gateway, provide the IP, Source Region and Priority details, and click OK.

Step 8. Gateway Configuration for GlobalProtect.

Open Network >> GlobalProtect >> Gateways and click Add. Give the GlobalProtect gateway a name. Select the Authentication tab, select the SSL/TLS service profile, and click Add to add a client authentication profile; select the OS name and the authentication profile. Select the Agent tab, enable tunnel mode, and select the tunnel interface created in the earlier step. Select the Client Settings tab and click Add. Give it a user-friendly name. Now open IP Pools and assign an IP subnet or IP range from which the client receives its IP address once it successfully completes GlobalProtect authentication.

Step 9. Security policy for GlobalProtect.

To configure a security policy, open the Policy >> Security and click on Add.

Step 10. NAT policy for GlobalProtect clients.

To configure a NAT rule, go to Policies >> NAT and click Add.

Conclusion

In this article, we configured GRE, IPSec and SSL/TLS, including defining a certificate, the GlobalProtect Portal and GlobalProtect Gateway, and the security policies that permit the traffic received from the GlobalProtect tunnel interface.
Palo Alto SSL Decryption
https://networkinterview.com/palo-alto-ssl-decryption/
Wed, 15 Feb 2023 10:05:13 +0000

Before digging deep into Palo Alto SSL decryption, let's first understand what decryption is.

What is Decryption?

Palo Alto firewalls can decrypt and inspect traffic to gain visibility of threats and to control protocols, certificate verification and failure handling. Decryption policies can be applied to encrypted traffic so that the firewall handles it according to the customer's configured security policies. Decryption is carried out for content entering the network and re-encryption for content leaving the network. Below are the different ways Palo Alto can decrypt traffic.

  • SSH Proxy
  • SSL Inbound Inspection
  • SSL Forward Proxy (SSL Decryption)

SSH Proxy

SSH Proxy is a way for the firewall to decrypt and inspect tunneled SSH traffic passing through it. It does not require certificates, and the key used to decrypt SSH sessions is generated automatically on the firewall during boot-up. With SSH decryption enabled, the firewall decrypts SSH traffic according to your decryption policy. The traffic is re-encrypted as it exits the firewall.

Configuration of SSH Proxy

Step 1. Configure the interfaces as virtual wire, Layer 2 or Layer 3 interfaces. Decryption can be performed on virtual wire, Layer 2 or Layer 3 interfaces of the firewall.

Step 2. Create a decryption policy rule for SSH Proxy to define the traffic for the firewall to decrypt.

Step 3. Commit the configuration.

SSL Inbound Inspection

SSL Inbound Inspection is used to inspect the communication of a web server protected by the firewall; the traffic is decrypted using the internal web server's SSL certificate. With an SSL Inbound Inspection decryption policy configured, the firewall decrypts all matching SSL traffic. The firewall then blocks, restricts or allows the traffic based on the decryption profile applied to it, including any configured Antivirus, Vulnerability Protection, Anti-Spyware, URL Filtering and File Blocking profiles.

Configuration of SSL Inbound Inspection

Step 1. Configure interfaces as either virtual wire, Layer 2, or Layer 3 interfaces.

Step 2. Make sure certificate is installed on the firewall.

Step 3. Create a decryption policy rule SSL Inbound Inspection to define traffic for the firewall.

Step 4. Configure the firewall to forward decrypted SSL traffic for WildFire analysis.

Step 5. Commit the configuration.

SSL Forward Proxy (Palo Alto SSL Decryption)

SSL Forward Proxy (SSL Decryption) is an advanced firewall feature for inspecting the traffic inside SSL-encrypted packets. SSL Decryption is the ability to view inside secure HTTP traffic (SSL) as it passes through the Palo Alto Networks firewall:

  • Without SSL Decryption: the firewall has no access to the information inside an encrypted SSL packet.
  • With SSL Decryption: for traffic generated from the organisation’s own network, the firewall has visibility into the SSL packet and can find hidden applications and threats inside SSL traffic.

Configuration of SSL Forward Proxy

Step 1. Configure interfaces as either virtual wire, Layer 2, or Layer 3 interfaces.

Step 2. Configure the SSL Forward Trust certificate, which the firewall presents to clients when a trusted CA has signed the server certificate.

Step 3. Distribute the SSL Forward Trust certificate to the client systems’ certificate stores.

Step 4. Configure the Forward Untrust certificate.

Step 5. Configure the key size for SSL Forward Proxy server certificates. By default, the firewall bases the key size of the certificate it generates on the key size of the destination server certificate.

Step 6. Create an SSL Forward Proxy decryption policy rule to define the traffic for the firewall to decrypt.

Step 7. Configure the firewall to forward decrypted SSL traffic for WildFire analysis.

Step 8. Commit the configuration.

TLSv1.3

TLSv1.3 is the latest version of the TLS (Transport Layer Security) protocol, which is the improved successor of SSL.

Verify Decryption

  • View decrypted traffic sessions.
  • View SSL traffic sessions that are not decrypted in the session logs.
  • View the log for a particular session in the decryption log by filtering on the Session ID.
  • View all TLS and SSH traffic by filtering the traffic logs to show both decrypted and undecrypted TLS and SSH traffic.

Conclusion

SSL Decryption refers to viewing inside secure HTTP traffic (SSL) as it passes through the Palo Alto Networks firewall. Without SSL Decryption, the Palo Alto firewall has no access to the information inside an encrypted SSL packet. The firewall decrypts the SSL traffic so that application-control features such as URL Filtering, the virus scanner, or file content policy can scan it. It dynamically creates a certificate for each server and signs it with the SSL inspection root certificate.

High Availability Palo Alto
https://networkinterview.com/high-availability-palo-alto/ (Wed, 01 Feb 2023 12:44:28 +0000)

High availability (HA) refers to a system or component that remains operational without interruption for long periods of time. HA is measured as a percentage, with a 100% system indicating a service that experiences zero downtime.

High Availability (HA) Overview

When setting up two Palo Alto firewalls as an HA pair, it is essential that both HA peers run the same PAN-OS version. HA minimizes downtime by making sure a secondary firewall is available in the event that the active firewall fails. Dedicated HA ports on the firewalls are used to synchronize data, object and policy configurations and to maintain state information with the passive firewall. Some firewall-specific configuration is not synchronized between peers, such as the management interface IP address, administrator profiles, log data and the Application Command Center (ACC).

High Availability Modes:

There are two modes of firewall deployment in an HA pair.

Active/Passive: In this mode, one firewall actively manages traffic while the other is synchronized and ready to transition to the active state if a failure occurs in the network. Both firewalls share the same configuration settings, and only one actively manages traffic. When the active firewall fails, the passive firewall transitions to the active state and takes over the active role. A/P (Active/Passive) HA is supported in virtual wire, Layer 2 and Layer 3 deployments.

Active/Active: In this mode, both firewalls process traffic and work synchronously to coordinate session setup and session ownership. Each firewall maintains its own routing table and synchronizes with the other. A/A (Active/Active) HA is supported in virtual wire and Layer 3 deployments.

Failover

When a failure occurs in the network, one firewall goes down and its peer takes over the role, the event is called a failover. A failover is triggered when heartbeat and hello messages go unanswered, a monitored physical link goes down, or an ICMP path-monitoring response fails. Each parameter is explained below:

  • Heartbeat Polling and Hello messages: Hello messages and heartbeat polling are used to verify the status of the peer firewall, i.e. whether it is alive and operational. Hello messages are sent from one peer to the other at the configured interval.
  • Link Monitoring: The physical interfaces to be monitored are grouped together and their state (link up or link down) is monitored.
  • Path Monitoring: Path monitoring uses ICMP to verify reachability of a specified IP address. The default ping interval is 200 ms.

Device Priority and Preemption

Firewalls in a High Availability (HA) pair can be configured with a device priority value to indicate which firewall should preferably be active. Enable preemptive behavior on both firewalls and configure a device priority value for each. The firewall with the lower numerical value, and therefore the higher priority, is designated active and the other firewall acts as passive.
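
The failover triggers and the priority/preemption rules above, modelled in Python as an added example (not Palo Alto Networks code; the hello-miss threshold, peer names and priorities are assumed):

```python
"""Model of the HA failover triggers (heartbeat/hello, link and path monitoring)
and the device priority / preemption rules. Added example, not Palo Alto Networks
code: HELLO_MISS_THRESHOLD, the peer names and priorities are assumed values."""
from dataclasses import dataclass
from typing import Optional

HELLO_MISS_THRESHOLD = 3   # assumed: consecutive unanswered hello messages before failover


@dataclass
class HaPeer:
    name: str
    priority: int                 # lower numerical value means higher priority
    state: str = "passive"        # "active", "passive" or "non-functional"
    missed_hellos: int = 0        # heartbeat polling / hello message result
    links_up: bool = True         # link monitoring: all monitored interfaces are up
    path_ok: bool = True          # path monitoring: ICMP to the monitored IP succeeds


def failover_trigger(peer: HaPeer) -> Optional[str]:
    """Return the condition that forces the active peer out, or None if it is healthy."""
    if peer.missed_hellos >= HELLO_MISS_THRESHOLD:
        return "heartbeat/hello failure"
    if not peer.links_up:
        return "monitored link down"
    if not peer.path_ok:
        return "path monitoring (ICMP) failure"
    return None


class HaPair:
    def __init__(self, a: HaPeer, b: HaPeer, preemptive: bool):
        self.peers = [a, b]
        self.preemptive = preemptive   # must be enabled on both firewalls to take effect

    def _by_state(self, state: str) -> Optional[HaPeer]:
        return next((p for p in self.peers if p.state == state), None)

    def elect(self) -> str:
        """Initial election: the lower priority value becomes active."""
        winner, loser = sorted(self.peers, key=lambda p: p.priority)
        winner.state, loser.state = "active", "passive"
        return winner.name

    def active(self) -> Optional[str]:
        p = self._by_state("active")
        return p.name if p else None

    def evaluate(self) -> Optional[str]:
        """Run the monitors on the active peer; fail over to the passive peer if one fires."""
        act = self._by_state("active")
        if act is None:
            return None
        reason = failover_trigger(act)
        if reason is None:
            return None
        standby = self._by_state("passive")
        act.state = "non-functional"
        if standby is not None:
            standby.state = "active"
        return reason

    def restore(self, peer: HaPeer) -> str:
        """Bring a peer back. With preemption, the higher-priority peer reclaims the
        active role; without it, the restored peer simply joins as passive."""
        peer.missed_hellos, peer.links_up, peer.path_ok = 0, True, True
        current = self._by_state("active")
        if current is None:
            peer.state = "active"
            return "active (no healthy peer)"
        if self.preemptive and peer.priority < current.priority:
            current.state, peer.state = "passive", "active"
            return "preempted"
        peer.state = "passive"
        return "joined as passive"


if __name__ == "__main__":
    fw1, fw2 = HaPeer("fw1", priority=100), HaPeer("fw2", priority=200)
    pair = HaPair(fw1, fw2, preemptive=True)
    pair.elect()                                 # fw1 active (100 < 200)
    fw1.links_up = False
    print(pair.evaluate(), pair.active())        # monitored link down fw2
    print(pair.restore(fw1), pair.active())      # preempted fw1
```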

Floating IP Address and Virtual MAC Address

In an A/A HA deployment, floating IP addresses move from one HA firewall to the other if a link or firewall goes down. The firewall responds to ARP requests with a virtual MAC address. Floating IP addresses are recommended when Layer 3 redundancy functionality such as Virtual Router Redundancy Protocol (VRRP) is configured on the firewall. They can also be used to implement VPNs and source NAT.

ARP Load-Sharing

In an active/active HA deployment, ARP load-sharing allows the firewalls to share an IP address and provide gateway services. Use ARP load-sharing when there is no Layer 3 device between the firewall and the end hosts.

Route-Based Redundancy

In an active/active HA deployment, the firewalls use dynamic routing protocols to determine the best path. In such a scenario, no floating IP addresses are necessary. If a link failure or any other topology change occurs, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic.

HA Firewall States

Configure Active/Passive HA

Step 1. Connect the HA ports physically and configure these ports between the firewalls.

Step 2. Enable ICMP (ping) on the management port.

Step 3. If dedicated HA ports are not available on the firewall, data ports can be configured to function as HA ports.

Step 4. Configure the HA mode and group ID.

Step 5. Configure the control link connection.

Step 6. (Optional) Enable the encryption for the control link connection.

Step 7. Configure the backup control link connection.

Step 8. Configure the data link connection (HA2) and the backup HA2 connection between the firewalls.

Step 9. Configure heartbeat as a backup if control link uses a dedicated HA port or an in-band port.

Step 10. Configure the device priority and enable preemption.

Step 11. (Optional) Configure the HA Timers.

Step 12. (Optional) Configure the link status of the HA ports on the passive firewall.

Step 13. Enable HA.

Step 14. (Optional) Configure LACP and LLDP Pre-Negotiation for A/P HA mode for quick failover if network uses LACP or LLDP parameters.

Step 15. Commit the configuration changes.

Step 16. Verify the firewalls are paired in active/passive HA.

Configure Active/Active HA

Step 1. Connect the HA ports physically and configure these ports between the firewalls.

Step 2. Enable ICMP (ping) on the management port.

Step 3. If dedicated HA ports are not available on the firewall, data ports can be configured to function as HA ports.

Step 4. Configure the active/active HA and set the group ID.

Step 5. Configure the Device ID, enable synchronization, and identify the control link on the peer firewall.

Step 6. Verify firewall device ID preempt value.

Step 7. Configure heartbeat backup if your control link uses a dedicated HA port or an in-band port.

Step 8. (Optional) Configure the HA Timers.

Step 9. Configure the control link connection.

Step 10. (Optional) Configure the encryption for the control link connection.

Step 11. Configure the backup control link connection.

Step 12. Configure the data link connection (HA2) and the backup HA2 connection between the firewalls.

Step 13. Configure the HA3 link for packet forwarding.

Step 14. (Optional) Configure the Tentative Hold time.

Step 15. Configure Session Owner and Session Setup.

Step 16. Configure an HA virtual address.

Step 17. Configure the floating IP address.

Step 18. Configure ARP Load-Sharing.

Step 19. Define HA Failover Conditions.

Step 20. Commit the configuration changes.

Verify Failover

Step 1. Suspend the active firewall.

Step 2. Verify that the passive firewall has taken over as active firewall role.

Step 3. Restore the suspended firewall to a functional state and verify that preemption has occurred, if preemption is enabled.

Conclusion

In high availability (HA), two firewalls are combined into a group and their configuration is synchronized to prevent a single point of failure in the network. A heartbeat connection between the firewall peers keeps sending keep-alive signals to ensure a complete failover in the event that a peer goes down. Deploying two firewalls in an HA pair provides redundancy and allows you to ensure business continuity with 99.99% uptime.

Packet Flow in Palo Alto – Detailed Explanation
https://networkinterview.com/packet-flow-in-palo-alto-detailed-explanation/ (Tue, 10 May 2022 04:50:50 +0000)

In this article, we will discuss the packet handling process inside PAN-OS on a Palo Alto firewall.

Introduction: Packet Flow in Palo Alto

A packet passes through multiple stages, such as the ingress and forwarding/egress stages, that make forwarding decisions on a per-packet basis. Following are the stages of packet flow, from receiving the packet to transmitting it out an interface:

Stages: Packet Flow in Palo Alto

Ingress Stage 

This stage receives the packet, parses it and passes it on for further inspection. The firewall continues with a session lookup and the other security modules, after which it forwards the packet to the egress stage.

Packet Parsing

Packet inspection starts with the Layer 2 header on the ingress port: the 802.1q tag and destination MAC address are used as the key to look up the ingress logical interface. The packet is discarded if no interface is found.

In the IPv4 case the firewall discards the packet on a mismatch of Ethernet type and IP version, a truncated IP header, IP protocol number 0, TTL zero, a land attack, ping of death, a Martian IP address or an IP checksum error. In the IPv6 case it discards the packet on a mismatch of Ethernet type and IP version, a truncated IPv6 header, a truncated IP packet (IP payload buffer length less than the IP payload field), a Jumbogram extension (RFC 2675) or a truncated extension header.

The Layer 4 (TCP/UDP) header is then parsed.

TCP: The firewall discards the packet if the TCP header is truncated, the data offset field is less than 5, there is a checksum error, or the TCP flags are an invalid combination.

UDP: The firewall discards the packet if the UDP header is truncated, the UDP payload is truncated (not an IP fragment and UDP buffer length less than the UDP length field), or there is a checksum error.

Tunnel Decapsulation

The firewall performs decapsulation/decryption at the parsing stage. It decapsulates the packet first and checks for errors; if an error is found, the packet is discarded.

IP Defragmentation

The firewall parses IP fragments, reassembles them using the defragmentation process and then feeds the reassembled packet back to ingress with the IP header. The firewall discards the packet in case of a teardrop attack, fragmentation errors, or too many buffered fragments (max packet threshold).

Firewall Session Lookup

The firewall inspects the packet and performs a session lookup. A firewall session consists of two unidirectional flows, each uniquely identified. In PAN-OS, the firewall identifies a flow using a 6-tuple:

  • Source and destination addresses: IP addresses from the IP packet.
  • Source and destination ports: Port numbers from the TCP/UDP protocol headers.
  • Protocol: The IP protocol number from the IP header is used to derive the flow key.
  • Security zone: This field is derived from the ingress interface at which the packet arrives.
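
The parsing-stage discard checks and the 6-tuple session lookup described above, modelled in Python as an added example (not PAN-OS code; the Martian prefix list, the field names, the session cap and the sample packets are assumed or constructed, and the real firewall performs many more checks than shown):

```python
"""Model of the ingress parsing checks (IPv4/TCP discard conditions) and the
6-tuple session lookup. Added example, not Palo Alto Networks code: field
names, the Martian prefix list and all packets are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP, UDP = 6, 17
MARTIAN_PREFIXES = ("0.", "127.", "240.")   # simplified, assumed list


@dataclass(frozen=True)
class Packet:
    ingress_zone: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    ttl: int
    ip_header_len: int = 20             # bytes; a valid IPv4 header is at least 20
    tcp_data_offset: int = 5            # 32-bit words; a valid TCP header is at least 5
    tcp_flags: frozenset = frozenset()  # e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN", "ACK"}


def ingress_parse(pkt: Packet) -> Optional[str]:
    """Return a drop reason mirroring the parsing-stage checks, or None if the packet passes."""
    if pkt.ip_header_len < 20:
        return "truncated IP header"
    if pkt.proto == 0:
        return "IP protocol number 0"
    if pkt.ttl == 0:
        return "TTL zero"
    if pkt.src_ip == pkt.dst_ip:
        return "land attack (source equals destination)"
    if pkt.src_ip.startswith(MARTIAN_PREFIXES):
        return "martian source address"
    if pkt.proto == TCP:
        if pkt.tcp_data_offset < 5:
            return "TCP data offset less than 5"
        f = pkt.tcp_flags
        # SYN together with FIN or RST, or a segment with no flags at all, is invalid
        if not f or ("SYN" in f and ("FIN" in f or "RST" in f)):
            return "invalid TCP flag combination"
    return None


# (zone, src ip, dst ip, protocol, src port, dst port): the 6-tuple of one unidirectional flow
FlowKey = Tuple[str, str, str, int, int, int]


def flow_key(pkt: Packet) -> FlowKey:
    return (pkt.ingress_zone, pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)


class SessionTable:
    """A session is two flows (client-to-server and server-to-client) sharing one session id."""

    def __init__(self, max_sessions: int):
        self.max_sessions = max_sessions      # stands in for the VSYS session maximum
        self.sessions: Dict[int, dict] = {}
        self.flows: Dict[FlowKey, int] = {}
        self.next_id = 1

    def lookup(self, pkt: Packet) -> Optional[int]:
        return self.flows.get(flow_key(pkt))

    def allocate(self, pkt: Packet, egress_zone: str) -> Optional[int]:
        if len(self.sessions) >= self.max_sessions:
            return None                       # session allocation failure
        sid, self.next_id = self.next_id, self.next_id + 1
        c2s = flow_key(pkt)
        # The return flow arrives on the egress zone with addresses and ports reversed
        s2c = (egress_zone, pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)
        self.sessions[sid] = {"c2s": c2s, "s2c": s2c, "state": "active"}
        self.flows[c2s] = self.flows[s2c] = sid
        return sid


def process(table: SessionTable, pkt: Packet, egress_zone: str) -> Tuple[str, object]:
    """Walk one packet through parsing, session lookup, TCP state check and allocation."""
    reason = ingress_parse(pkt)
    if reason:
        return ("discard", reason)
    sid = table.lookup(pkt)
    if sid is not None:                        # existing session: fast path, no slow-path setup
        if table.sessions[sid]["state"] == "discard":
            return ("discard", "session in discard state")
        return ("fast-path", sid)
    if pkt.proto == TCP and "SYN" not in pkt.tcp_flags:
        return ("discard", "TCP state check: first packet of a session must be a SYN")
    sid = table.allocate(pkt, egress_zone)
    if sid is None:
        return ("discard", "session allocation failure")
    return ("slow-path", sid)


if __name__ == "__main__":
    table = SessionTable(max_sessions=1)
    syn = Packet("trust", "10.1.1.10", "203.0.113.5", TCP, 40000, 443, 64, tcp_flags=frozenset({"SYN"}))
    print(process(table, syn, "untrust"))     # ('slow-path', 1)
```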

Zone Protection Checks

When a packet arrives on a firewall interface, the ingress interface checks whether a zone protection profile exists. If one exists, the packet is evaluated according to the profile configuration.

TCP State Check

The firewall first checks that the SYN bit is set in the received packet; if it is not, the packet is discarded. If the SYN Flood protection action is set to Random Early Drop (RED), which is the default configuration, the firewall simply drops the packet. SYN Cookies is the preferred action when more traffic needs to pass through.

Forwarding Setup

Forwarding of the packet depends on the configuration of the interface; the interface mode decides the action:

NAT Policy Lookup

NAT is applicable only in Layer 3 or virtual wire mode. The firewall evaluates the NAT rules for the original packet using the ingress/egress zone information.

  • For destination NAT, the firewall performs a second route lookup for the translated address to determine the egress interface/zone.
  • For source NAT, the firewall evaluates the NAT rule for source IP allocation. If the allocation check fails, the firewall discards the packet.

User-ID

The firewall uses the IP address of the packet to look up the user in the User-IP mapping table. The corresponding user information is fetched from the user-group mapping table, along with the group mapping associated with that user.

DoS Protection Policy Lookup

The firewall checks the DoS (Denial of Service) protection policy for the traffic based on the DoS protection profile. If the DoS protection policy action is set to Protect, the firewall checks the specified thresholds and, if there is a match, discards the packet.

Security Policy Lookup

The firewall uses application ANY to inspect the packet, perform the lookup and check for a rule match. If no rule matches and the policy action is set to ‘deny’, the firewall drops the packet. The firewall permits intra-zone traffic by default. This default behavior for intra-zone and inter-zone traffic can be modified in the security policy rule base.

Session Allocation

The firewall allocates a new session entry from the free pool once all checks have passed. Session allocation fails if the VSYS session maximum has been reached or the firewall has allocated all available sessions.

Firewall Session Fast Path

The session fast path checks the packet from Layer 2 to Layer 4 and handles it under the following conditions:

  • If the session is in the discard state, the firewall discards the packet.
  • If the session is active, the session timeout is refreshed.
  • If the packet is a TCP FIN/RST, the TCP half-closed timer is started if this is the first FIN packet received (half-closed session), or the TCP Time Wait timer is started if this is the second FIN packet or an RST packet; the session is closed as soon as these timers expire.
  • If NAT is applicable, the L3/L4 header is translated as applicable.

Security Processing

When a packet matches an existing session, it is subject to further processing if it carries TCP/UDP data (payload) or is a non-TCP/UDP packet. The firewall checks for the session’s application; if none is found, it performs an App-ID lookup. If the App-ID lookup is inconclusive, the content inspection module runs the known protocol decoder to identify the application. Once the firewall detects the application, the session is forwarded to content inspection if any of the following apply:

  • An Application Layer Gateway (ALG) is involved.
  • The application is a tunneled application.
  • The security rule has a security profile associated with it.

Captive Portal

If no user information was found for the source IP address extracted from the packet and the packet is being forwarded toward its destination, the firewall performs a captive portal rule lookup and forwards the user for captive portal authentication.

Application Identification (App-ID)

The firewall first performs an application policy lookup to see if there is a rule match. If there is no application rule, application signatures are used to identify the application.

Content Inspection

The firewall performs content inspection, identifies the content and permits it as per the security policy rule. Next, it forwards the packet to the forwarding stage.

Forwarding/Egress

  • The firewall performs QoS shaping as applicable in the egress process. It inspects the packet MTU size and the fragment bit settings at the egress interface and performs fragmentation if required.
  • If the egress interface is a tunnel interface, IPsec/SSL-VPN tunnel encryption is performed.

Conclusion

A packet is inspected by the Palo Alto firewall at various stages from ingress to egress, and the firewall performs the defined action as per policy, security checks and encryption. The packet first passes the Layer 2 checks and is discarded if an error is found in the 802.1q tag or the MAC address lookup. It is then forwarded for the TCP/UDP checks and discarded if an anomaly is found. Next come defragmentation/decapsulation and NAT, followed by the zone check. Later on, the User-ID lookup, DoS attack protection and the other security checks for the zone are executed as per the configured rules.

Palo Alto – Administration & Management
https://networkinterview.com/palo-alto-management/ (Sun, 13 Feb 2022 04:49:52 +0000)

Introduction to Palo Alto

A firewall is a network security device that permits or denies network access to traffic flows between an untrusted zone and a trusted zone. The Palo Alto firewall is one of the most coveted and widely preferred security firewalls in the enterprise cyber security space. In fact, due to its efficacy and security features, Palo Alto earned itself a place in the Leaders quadrant of the Gartner Magic Quadrant.

In this article we will understand the Administration & Management of Palo Alto –

Features and Benefits of Palo Alto

  • Application-based policy enforcement (App-ID)
  • User identification (User-ID)
  • Threat prevention
  • URL filtering
  • Traffic visibility
  • Networking versatility and speed
  • Global Protect
  • Fail-safe operation
  • Malware analysis and reporting
  • VM-Series firewall
  • Management and Panorama

Firewall Administration:

Configuration, management and monitoring of Palo Alto firewalls can be performed via the web interface, the CLI and the API management interface. Administrators can customize role-based access to the management interfaces for specific tasks or permissions.

Roles and the authentication method are defined by the administrator. The authentication method relies on either the local firewall database or an external service. The steps below apply whether you have already configured an authentication profile or will use local authentication without a firewall database.

Select Device > Add an account.

1. Enter a user Name.

The account will be added to the local database of the firewall. Enter the name that you specified for the account in the database (see Add the user group to the local database).

2. Select an Authentication Profile or sequence if you configured either for the administrator.

Otherwise, select None (default) and enter a Password.

3. Select the Administrator Type.

If a custom role is configured for the user, select Role Based and select the Admin Role Profile.

4. (Optional) Select a Password Profile for administrators that the firewall authenticates locally without a local user database.

5. Click OK and Commit.

Keywords and Options:

Administration and maintenance of the firewall is done by defining the Management Settings. Below are the keywords and options with respect to each keyword/feature:

General

Select Device > Setup > Management > General Settings

  • Hostname
  • Domain
  • Login Banner
  • Time Zone
  • Locale
  • Time
  • Serial Number
  • Geo Location
  • Automatically acquire commit lock
  • Certificate Expiration Check
  • Multi Virtual System Capability

Authentication

Select Device > Setup > Management > Authentication Settings

  • Authentication Profile
  • Certificate Profile
  • Idle Timeout
  • Failed Attempts
  • Lockout Time

Panorama

Select Device > Setup > Management > Panorama Settings

  • Panorama Servers
  • Receive Timeout for connection to device/Panorama
  • Send Timeout for connection to device/Panorama
  • Retry Count for SSL send to device/Panorama
  • Share Unused Address and Service Objects with Devices (Panorama only)
  • Shared Objects Take Precedence (Panorama only)

Management Interface

Select Device > Setup > Management > Management Interface Settings

  • MGT Interface Speed
  • MGT Interface IP Address
  • Netmask
  • Default Gateway
  • MGT Interface IPv6 Address
  • Default IPv6 Gateway
  • MGT Interface Services
  • Permitted IPs

Logging and Reporting

Select Device > Setup > Management > Logging and Reporting Settings

  • Log Storage
  • Max Rows in User Activity Report
  • Max Rows in CSV Export
  • Number of Versions for Config Audit
  • Number of Versions for Config Backups
  • Average Browse Time (sec)
  • Page Load Threshold (sec)
  • Send Hostname in Syslog
  • Stop Traffic when LogDb full
  • Enable Log on High DP Load
  • Buffered log forwarding from device
  • Get Only New Logs on Convert to Primary
  • Only Active Primary Logs to Local Disk

Password Complexity

Select Device > Setup > Management > Minimum Password Complexity

  • Enabled
  • Minimum Length
  • Block Repeated Characters
  • Expiration Warning Period (days)
  • Post Expiration Grace Period (days)
  • Allowed expired admin login (count)

Operations

Defining Operations Settings

Select Device > Setup > Operations

  • Validate candidate Config
  • Revert to last saved Config
  • Revert to running config
  • Save named configuration snapshot
  • Save candidate config.
  • Load named configuration snapshot
  • Load configuration version
  • Export named configuration snapshot
  • Export configuration version
  • Export device state
  • Import named config snapshot
  • Import device state

Device Operations

Select Device > Setup > Device Operations

  • Reboot Device
  • Shutdown Device
  • Restart Data Plane

Services

Defining Services Settings

Select Device > Setup > Services

  • DNS
  • Primary DNS Server
  • Secondary DNS Server
  • Primary NTP Server
  • Secondary NTP Server
  • Update Server

Proxy

Select Device > Setup > Proxy Server

  • Server
  • Port
  • User
  • Password/Confirm Password
  • Service Route Configuration

Content

Defining Content ID Settings

Select Device > Setup > Content-ID

  • URL Filtering
  • Dynamic URL Cache Timeout
  • URL Continue Timeout
  • URL Admin Override Timeout
  • URL Admin Lockout Timeout
  • x-forwarded-for
  • Strip-x-forwarded-for
  • Allow Forwarding of Decrypted Content

URL Admin Override

Select Device > Setup > Content-ID > URL Admin Override

  • Settings for URL Admin Override
  • Manage Data Protection
  • Container Pages

Session

Defining Session Settings

Select Device > Setup > Session

  • Rematch Sessions
  • ICMPv6 Token Bucket Size
  • ICMPv6 Error Packet Rate
  • Jumbo Frame/Jumbo Frame MTU
  • Enable IPv6 Firewalling
  • NAT64 IPv6 Minimum Network MTU
  • Accelerated Aging

Session Features

Select Device > Setup > Session > Session Features

  • Decryption Certificate Revocation Settings
  • Enable
  • Receive Timeout
  • Enable OCSP
  • Receive Timeout
  • Block Session with Unknown Certificate Status
  • Block Session On Certificate Status
  • Check Timeout Certificate Status
  • Timeout

SNMP

Select Device > Setup > Operations

  • SNMP Setup
  • Physical Location
  • Contact
  • Version

Statistics Service

Select Device > Setup > Operations

  • Application and Threat Reports
  • Unknown Application Reports
  • URL Reports
  • Device traces for crashes

Management options:  

Note – Do not enable management access from the internet or from other untrusted zones.

  • Use the Command Line Interface (CLI) to perform a series of tasks by entering commands in rapid succession over SSH (recommended), Telnet, or the console port.
  • Use the Web Interface to perform configuration and monitoring tasks with relative ease. The GUI allows you to access the firewall using HTTPS (recommended) or HTTP and is the easiest way to perform administrative tasks.
  • Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is accessed using HTTP/HTTPS requests and responses.
  • Use Panorama to perform web-based management, reporting, and log collection for multiple firewalls. The Panorama web interface is similar to the firewall web interface but has additional functions for centralized management.

Physical Interface Types:

Palo Alto has five types of interfaces, listed below:

  1. Tap mode – This interface simply listens to a SPAN/mirror port of a switch.
  2. Virtual wire – This type is used to logically bind two Ethernet interfaces together, allowing all traffic to pass between the interfaces.
  3. L2 – In this mode, multiple interfaces can be configured into a “virtual switch” or VLAN.
  4. L3 – In this mode, an IP address is required. This interface supports all Layer 3 operations.
  5. HA – On all devices except the 4000 and 5000 series, you must configure two traffic ports as the HA ports.

Logical Interface Types:

Below are the types of logical interfaces supported on a Palo Alto firewall:

  • Sub-interfaces (802.1q)
    • Up to 4094 VLANs supported per port
    • Max of 4094 VLANs per system
  • Aggregate interfaces (802.3ad)
    • Only on PA-4000 and PA-5000 series
    • Up to 8 physical 1 Gig interfaces can be placed into an aggregate group
    • Up to 8 aggregate groups are supported per device
    • Each interface in a group must be the same physical media (all copper, or all fiber)
  • Tunnel interfaces – Used for IPsec or SSL VPNs
  • Loopback interfaces

Available Features in Different Interface Modes

  • Vwire
    • No VPN
    • No “auto” setting for HA passive link
  • L2
    • No VPN
    • No NAT (FYI in PAN-OS 4.1 you can do NAT in Vwire mode)
    • No “auto” setting for HA passive link
    • If IPv6 is passing, security policies can be written for this traffic
    • No Multicast support
  • L3
    • If IPv6 is passing, security policies can be written for this traffic

Interface Management

  • An interface management profile specifies which protocols can be used to manage the firewall.
  • Management profile can be assigned to:
    • L3 interfaces
    • Loopback interfaces
    • VLAN interfaces

Device Management

  • Managing the firewall (via GUI, SSH, etc.) is performed via the MGT interface on the PAN by default.
  • You can specify different physical interfaces to use for specific management services via Device tab -> Setup -> Service Route Configuration.

Palo Alto Troubleshooting CLI Commands
https://networkinterview.com/palo-alto-troubleshooting-cli-commands/ (Fri, 11 Feb 2022 11:51:37 +0000)

Introduction

Palo Alto is considered one of the most coveted and preferred next-generation firewalls, thanks to its robust performance, deep packet inspection and the myriad of features required in the enterprise and service provider domains. When troubleshooting network and security issues across many different devices/platforms, an extensive set of commands with options is available; these are great utilities for troubleshooting and fault finding, both in the implementation and the operations phase.

Palo Alto Troubleshooting : CLI Commands

The following Palo Alto commands are really the basics and need no further explanation. Let’s have a look at the command table with descriptions below.

CLI COMMANDS – DESCRIPTION

show system info – Shows system information

show system environmentals
show CPU usage
show temperature
show counters for everything
show the statistics on application recognition
– Shows environmental health of the system

show ntp – Shows the network time server information

show arp {all | <interface-name>}
show neighbor interface {all | <interface-name>}
– Shows the ARP results

show mac all – Shows the MAC table results

show jobs all
show jobs id <id>
show running resource-monitor
– Shows the processes running in the management plane

show system resources
show system disk-space
– Shows the percent usage of disk partitions

request restart system – Restarts the device

show admins all
show admins
– Shows how many admin accounts there are

show the uptime and the active sessions – Shows the device uptime
show running security-policy – Shows the running security policy
request license info – Shows the licenses installed on the device
show vpn gateway – Shows the list of all IPSec gateways configured on the device with their configuration
show vpn ike-sa – Shows IKE phase 1 SAs
show vpn ipsec-sa – Shows IKE phase 2 SAs
show vpn tunnel – Shows a list of auto-key IPSec tunnel configurations
show vpn flow – Shows the IPSec counters

show global-protect-gateway current-user
show global-protect-gateway flow
– GlobalProtect

show high-availability all – Shows a summary of all HA runtime state

show high-availability state
show high-availability link-monitoring
show high-availability path-monitoring
show high-availability control-link statistics
show high-availability state-synchronization
– Shows the local HA peer state

show high-availability flap-statistics – Shows statistics of sent and received messages

scp export log system to <username@host:path_to_destination_filename>
scp import software from <username@host:path>
tftp export configuration from running-config.xml to <tftp-host>
tftp import url-block-page from <tftp-host>
– Export/import files

show user group-mapping state all – User-IDs and groups
request system fqdn {show | refresh} – IP addresses of FQDN objects

show dns-proxy statistics all
show dns-proxy cache all
– DNS proxy

show system setting url-database – Active URL vendor/database
show system setting url-cache all – PAN-DB URL test and cache
set system setting fan-mode auto – Fan speed
show session id <id> – Reason for session close

show session all filter state discard
show session all filter application dns destination 8.8.8.8
show session info
show specific session
– Examining the session table

set system setting additional-threat-log on – Zone protection logging
view-pcap follow yes filter-pcap – Live viewing of packet captures

tcpdump snaplen 0 filter "port 53"
view-pcap follow yes mgmt-pcap mgmt.pcap
– Capturing management packets

less mp-log – Viewing management-plane logs
show routing table – Displays the routing table

show routing fib
show routing protocol <protocol>
– Look at routes for a specific destination

set system setting arp-cache-timeout <60-65536> – Changes the ARP cache timeout setting from the default

show system setting arp-cache-timeout
show routing path-monitor
debug routing path-monitor
– View the ARP cache timeout setting

ping host X.X.X.X – Ping a destination IP address
traceroute host X.X.X.X – Trace the path to a destination network
ping host ipwithease.com – Ping an FQDN
show netstat statistics – Shows network statistics
find command – Find a command

show system statistics application
show system statistics session
– Live session and application statistics

show interface {all | <interface-name>}
show the interface state (speed/duplex/state/mac)
show interface HW settings
show interface zone settings
show interface counters
– Shows interface status, counters, configuration etc.

show running nat-policy – Shows the NAT policy table
test nat-policy-match – Tests the NAT policy

show running ippool
show running global-ippool
– Shows NAT pool utilization

show routing bfd active-profile [<name>] – Shows BFD profiles
show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>] – Shows BFD details
show routing bfd drop-counters session-id <session-id> – Shows BFD statistics on dropped sessions
show counter global | match bfd – Shows BFD packets, i.e. transmitted/received/dropped
clear routing bfd counters session-id all | <1-1024> – Clears the counters of transmitted, received and dropped BFD packets for a particular session ID
clear routing bfd session-state session-id all | <1-1024> -Clear BFD sessions for debugging purposes
show vlan all

 

show counter global

-Verify vlan configured on device

 

– Shows the counter of times the PVST

show system info | match system-mode -Display the current operational mode
request system system-mode logger – Changes from Panorama mode to Log Collector mode
show device groups name – Shows the history of device group
show templates name <template-name> – Shows the history of template
show config pushed-shared-policy – Shows all the policy rules and objects pushed from Panorama to a firewall
show config pushed-template -Shows all the template configured from Panorama to a firewall
show logging-status device <firewall-serial-number> – Shows logging information to the Panorama


Conclusion

Palo Alto Networks troubleshooting CLI commands are used to verify the configuration and environmental health of a PAN device, and to verify connectivity, licenses, VPN, routing, HA, User-ID, logs, NAT, PVST, BFD, Panorama and more.

If you are preparing for your next interview, you may like to go through the following links:

Palo Alto Firewall Questions and Answers in PDF

Palo Alto Firewall Architecture
