Configuration and Troubleshooting – Network Interview (https://networkinterview.com), Online Networking Interview Preparations

Palo Alto Packet Flow Troubleshooting: Common Issues
https://networkinterview.com/palo-alto-packet-flow-troubleshooting/ (Tue, 25 Feb 2025 13:45:02 +0000)

Troubleshooting Palo Alto packet flow issues can be complex. In this blog we discuss some common Palo Alto packet flow troubleshooting issues and the steps to resolve them.

Palo Alto Packet Flow Troubleshooting Issues

1. Incorrect Security Policies

  • Issue: Traffic is being dropped due to misconfigured or missing security policies.
  • Troubleshooting:
    • Verify the security policies using the CLI command show running security-policy or through the GUI.
    • Ensure that traffic matches the intended policy based on source, destination, and service.
    • Check the rule order and make sure no unintended policy overrides occur.

2. NAT Misconfigurations

  • Issue: Traffic might not be properly translated due to incorrect Network Address Translation (NAT) rules.
  • Troubleshooting:
    • Use the command show running nat-policy to verify NAT rules.
    • Confirm the source and destination NAT configurations, and ensure that the translated IPs are correct.
    • Utilize packet capture to see if the translation is occurring as expected.

3. Zone Misalignment

  • Issue: Traffic is dropped because it is not traversing through the correct zones.
  • Troubleshooting:
    • Confirm that the zones are correctly configured and that both the source and destination zones are assigned properly.
    • Check if the zones match the security policies for inter-zone or intra-zone traffic.

4. Routing Issues

  • Issue: The firewall might not know how to route traffic to the next hop or the intended destination.
  • Troubleshooting:
    • Check the routing table using the command show routing route.
    • Verify static and dynamic routing configurations.
    • Perform trace routes or ping tests to validate the reachability of the destination.

5. Session Table Problems

  • Issue: Traffic may be dropped due to session table issues, such as an existing session not being cleared.
  • Troubleshooting:
    • Use the command show session all to see the active sessions.
    • Clear the session related to the problematic traffic using the clear session id <session-id> command.
    • Check if session timeouts are configured too aggressively.

6. Application Identification (App-ID) Problems

  • Issue: Traffic may be classified incorrectly due to App-ID issues, causing unexpected behavior.
  • Troubleshooting:
    • Use packet capture or logs to verify how the application is being identified.
    • Adjust App-ID settings or override the App-ID as needed for specific traffic.
    • Monitor traffic using the “ACC” tab in the web interface to see how applications are being categorized.

7. Asymmetric Routing

  • Issue: When traffic flows into one interface and the return traffic comes from another, the firewall may drop it.
  • Troubleshooting:
    • Enable handling of asymmetric traffic (session distribution, or source/destination zone-based routing) so that return traffic is matched to the existing session.
    • Use packet captures and session lookups to trace asymmetric paths.

8. High Availability (HA) Configuration Issues

  • Issue: Traffic might be dropped during failover or HA synchronization.
  • Troubleshooting:
    • Ensure HA configurations are correct and both devices are synchronized.
    • Check the failover logs to determine if traffic was interrupted during an HA event.
    • Perform packet captures during HA transitions to analyze packet drops.

9. Decryption Issues (SSL/TLS Decryption)

  • Issue: Misconfigurations in SSL/TLS decryption rules can cause traffic to be dropped or misclassified.
  • Troubleshooting:
    • Review the SSL/TLS decryption policy.
    • Use decryption logs to check whether traffic is being decrypted as expected.
    • Analyze traffic using packet capture tools to confirm if decryption is causing issues.

10. GlobalProtect VPN Issues

  • Issue: Traffic passing through GlobalProtect VPN might face issues due to misconfigurations or certificate problems.
  • Troubleshooting:
    • Verify the GlobalProtect configuration and client settings.
    • Check for certificate-related errors.
    • Analyze the traffic through GlobalProtect using packet captures to identify where the issue lies.

11. Licensing and Feature Constraints

  • Issue: Certain traffic may be dropped due to feature or license limitations, such as URL filtering or WildFire.
  • Troubleshooting:
    • Ensure that all necessary licenses are active and not expired.
    • Review feature-specific logs to determine if traffic is being blocked due to licensing constraints.

12. Fragmentation Issues

  • Issue: Packet fragmentation can cause issues with larger packets being dropped.
  • Troubleshooting:
    • Check if fragmentation is enabled for relevant traffic.
    • Use packet captures to determine if fragmented packets are causing the problem.
    • Adjust Maximum Transmission Unit (MTU) settings as needed.

Each of these common issues can be addressed through packet captures, session monitoring, and careful analysis of the Palo Alto firewall’s traffic logs.

How to Reset Palo Alto Firewall to Factory Default Settings
https://networkinterview.com/factory-reset-palo-alto-firewall/ (Mon, 24 Feb 2025 14:54:45 +0000)

Introduction to Reset Palo Alto Firewall

A firewall is a network security device which grants or rejects network access to traffic flowing between an untrusted zone (external networks) and a trusted zone (internal networks). Starting from the early days of stateful inspection firewalls, then UTM (unified threat management), application-aware next generation firewalls have now become synonymous with firewalls.

Palo Alto is one such next generation firewall, offering flexible deployment options for your network on both physical and virtual platforms.

In this article we will learn how to reset a Palo Alto firewall to factory default, why it is required, and so on.

Reset Palo Alto Firewall to Factory Default Settings

There are three scenarios in which a reset of the Palo Alto firewall to its default settings is required: you do not have the admin password; you have the admin password; or, with the admin password, you need to remove all logs and restore the default configuration of the firewall.

Steps to Restore Default Configuration

To reset the firewall to the default configuration you need to enter maintenance mode first.

Step 1: Connect the console cable from the console port to your system and verify the console settings: speed 9600, data bits 8, parity none, stop bits 1.

Step 2: Power on or reboot the device in order to enter maintenance mode.

Step 3: During boot the screen below will appear:

Booting PANOS (sysroot0) after 5 seconds…

Entry: Type ‘Maint’ and Enter

Step 4: Multiple options will be displayed; choose PANOS (maint) mode.

Step 5: The maintenance recovery section will be displayed. Press Enter to proceed.

Step 6: Choose ‘Factory reset’ and press Enter.

Step 7: A warning message will be displayed along with the factory reset option. Select Factory reset and press Enter.

The progress will be displayed on screen with the percent complete.

On completion the factory reset will be displayed as per the screen below; reboot the device to complete the process.


Configure DHCP Relay Traffic to Use SD-WAN Rules
https://networkinterview.com/configure-dhcp-relay-traffic/ (Tue, 12 Nov 2024 15:16:48 +0000)

SD-WAN, or software defined networking, has SD-WAN rules, also known as service rules. They are used to identify traffic of interest and to route it, based on route condition and strategy, between two devices in a network. SD-WAN rules control the distribution of sessions across SD-WAN members. These rules can be configured using the CLI or the GUI as desired.

In today’s topic we will learn how to configure DHCP relay traffic to make use of SD-WAN rules.

About SD-WAN Rules 

SD-WAN rules can be created using the CLI or the GUI. For GUI users, go to Network > SD-WAN > SD-WAN rules.

From the CLI:

config system sdwan
    config service
        edit <ID>
        next
    end
end

A DHCP relay is a host or router that forwards DHCP packets between servers and clients. DHCP relay is used as a service in SD-WAN appliances to relay requests and replies between local DHCP clients and remote DHCP servers, so that local hosts can acquire dynamic IP addresses from a remote server.

By default, when DHCP relay is configured on an interface, FortiGate forwards the relayed packets based on routing table lookups, irrespective of the configured SD-WAN rules.

Sample Configuration

Sample DHCP relay configuration on an interface:

config system interface
    edit "vlan-10"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.9.62.254 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set dhcp-relay-interface-select-method auto
        set dhcp-relay-ip "192.12.10.1" "192.12.10.2"
        set interface "port1"
        set vlanid 20
    next
end

By default, relayed traffic reaching the FortiGate is considered locally originated and does not match any SD-WAN rule.

The setting ‘set dhcp-relay-interface-select-method auto’ means all traffic will use the best available interface.

Options to Route Traffic for DHCP Relay

There are three options available to route the traffic for DHCP relay:

  • Auto: establish the outgoing interface automatically (the default setting)
  • SD-WAN: select the interface by SD-WAN or routing policy rules
  • Specify: configure the interface manually

To make the interface use SD-WAN rules, set the following:

set dhcp-relay-interface-select-method sdwan
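Added example, not from the original post or from Fortinet: a small audit script that parses a FortiGate 'config system interface' block and reports every interface that relays DHCP while still using the default 'auto' interface selection, i.e. relayed DHCP that bypasses SD-WAN rules. The configuration text inside it is constructed for the example.

```python
"""Audit FortiGate interface config for DHCP relay that bypasses SD-WAN rules."""
import re
from typing import Dict, List

# Constructed sample: vlan-10 still on 'auto', vlan-30 already uses sdwan,
# port2 does not relay DHCP at all.
SAMPLE_CONFIG = """
config system interface
    edit "vlan-10"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.9.62.254 255.255.255.0
        set dhcp-relay-interface-select-method auto
        set dhcp-relay-ip "192.12.10.1" "192.12.10.2"
        set interface "port1"
        set vlanid 10
    next
    edit "vlan-30"
        set vdom "root"
        set dhcp-relay-service enable
        set dhcp-relay-interface-select-method sdwan
        set dhcp-relay-ip "192.12.10.1"
        set interface "port1"
        set vlanid 30
    next
    edit "port2"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")
VALUE_RE = re.compile(r'"([^"]*)"|(\S+)')   # quoted or bare values


def parse_interfaces(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {interface: {setting: [values]}} for the 'config system interface' block."""
    interfaces: Dict[str, Dict[str, List[str]]] = {}
    current = None
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":          # end of the interface block
            break
        if line == "next":         # end of one interface entry
            current = None
            continue
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            key, rest = m.groups()
            interfaces[current][key] = [q or b for q, b in VALUE_RE.findall(rest)]
    return interfaces


def relay_bypasses_sdwan(config: str) -> List[str]:
    """Interfaces with dhcp-relay-service enabled whose select method is not 'sdwan'.

    A missing dhcp-relay-interface-select-method is treated as the default 'auto'.
    """
    offenders = []
    for name, settings in parse_interfaces(config).items():
        if settings.get("dhcp-relay-service", ["disable"])[0] != "enable":
            continue
        method = settings.get("dhcp-relay-interface-select-method", ["auto"])[0]
        if method != "sdwan":
            offenders.append(name)
    return offenders


if __name__ == "__main__":
    for name in relay_bypasses_sdwan(SAMPLE_CONFIG):
        print(f"{name}: relayed DHCP follows the routing table, not SD-WAN rules; "
              f"fix with 'set dhcp-relay-interface-select-method sdwan'")
```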

SLA Logging
https://networkinterview.com/sla-logging/ (Thu, 07 Nov 2024 10:12:37 +0000)

Logs are an important aspect of monitoring and management. Enabling logging on devices is crucial for fault isolation and issue resolution, and it helps locate the root cause of a problem for a permanent fix. All modern devices can store and maintain logs once logging parameters are configured.

In today’s topic we will learn about the SLA logging capability in FortiOS 6.2, how it is enabled, and how to configure SLA logging on Forti appliances.

About SLA Logging 

SLA logging is a daemon function which keeps a short 10-minute history of SLA results that can be viewed via the command line (CLI). The performance SLA results relate to interface selection, session failover and other logged information. The logs can be used to monitor traffic issues at remote sites and for reports and views in FortiAnalyzer.

To Configure ‘fail’ and ‘pass’ Log Time Intervals

config system virtual-wan-link
    config health-check
        edit "ping"
            set sla-fail-log-period 30
            set sla-pass-log-period 60
        next
    end
end

View the 10-minute performance SLA link history:

FGT_1 (root) # diagnose sys virtual-wan-link sla-log ping 1

Output:

Timestamp: Thu Jan 25 11:58:24 2024, vdom root, health-check ping, interface: R150, status: up, latency: 0.000, jitter: 0.000, packet loss: 0.000%.
Timestamp: Thu Jan 25 11:58:24 2024, vdom root, health-check ping, interface: R150, status: up, latency: 0.097, jitter: 0.000, packet loss: 0.000%.
Timestamp: Thu Jan 25 11:58:25 2024, vdom root, health-check ping, interface: R150, status: up, latency: 0.015, jitter: 0.25, packet loss: 0.001%.


SLA Pass Logs 

FortiGate generates SLA performance logs at the sla-pass-log-period interval:

3: date=2024-01-25 time=10:53:26 logid="0100022926" type="event" subtype="system" level="information" vd="root" eventtime=1551383304 logdesc="Link monitor SLA information" name="ping" interface="R160" status="up" msg="Latency: 0.005, jitter: 0.002, packet loss: 0.000%, inbandwidth: 0Mbps, outbandwidth: 0Mbps, bibandwidth: 0Mbps, sla_map: 0x1"

7: date=2024-01-25 time=11:52:26 logid="0100022926" type="event" subtype="system" level="information" vd="root" eventtime=1551383544 logdesc="Link monitor SLA information" name="ping" interface="R160" status="up" msg="Latency: 0.013, jitter: 0.002, packet loss: 0.000%, inbandwidth: 0Mbps, outbandwidth: 0Mbps, bibandwidth: 0Mbps, sla_map: 0x1"

In FortiAnalyzer (GUI)

SLA Fail Logs

FortiGate generates SLA performance logs at the sla-fail-log-period interval:

6: date=2024-01-25 time=11:52:32 logid="0100022926" type="event" subtype="system" level="notice" vd="root" eventtime=1551383551 logdesc="Link monitor SLA information" name="ping" interface="R150" status="down" msg="Latency: 0.000, jitter: 0.000, packet loss: 100.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x0"

8: date=2024-01-25 time=11:52:02 logid="0100022926" type="event" subtype="system" level="notice" vd="root" eventtime=1551383521 logdesc="Link monitor SLA information" name="ping" interface="R150" status="down" msg="Latency: 0.000, jitter: 0.000, packet loss: 100.000%, inbandwidth: 0Mbps, outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x0"

In FortiAnalyzer (GUI)
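Added example, not FortiOS code: a parser for the 'Link monitor SLA information' event lines shown above that pulls latency, jitter, packet loss and sla_map out of the msg field and flags health checks that are down or breach a set of assumed SLA thresholds. The log lines are constructed in the same key=value layout as the article's; the thresholds are assumptions.

```python
"""Parse FortiGate SLA event logs and flag breaches."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines: one healthy, one down, one up but slow.
SAMPLE_LOGS = [
    'date=2024-01-25 time=10:53:26 logid="0100022926" type="event" subtype="system" '
    'level="information" vd="root" eventtime=1551383304 '
    'logdesc="Link monitor SLA information" name="ping" interface="R160" status="up" '
    'msg="Latency: 0.005, jitter: 0.002, packet loss: 0.000%, inbandwidth: 0Mbps, '
    'outbandwidth: 0Mbps, bibandwidth: 0Mbps, sla_map: 0x1"',
    'date=2024-01-25 time=11:52:32 logid="0100022926" type="event" subtype="system" '
    'level="notice" vd="root" eventtime=1551383551 '
    'logdesc="Link monitor SLA information" name="ping" interface="R150" status="down" '
    'msg="Latency: 0.000, jitter: 0.000, packet loss: 100.000%, inbandwidth: 0Mbps, '
    'outbandwidth: 200Mbps, bibandwidth: 200Mbps, sla_map: 0x0"',
    'date=2024-01-25 time=11:52:40 logid="0100022926" type="event" subtype="system" '
    'level="information" vd="root" eventtime=1551383559 '
    'logdesc="Link monitor SLA information" name="ping" interface="R170" status="up" '
    'msg="Latency: 85.300, jitter: 12.100, packet loss: 0.500%, inbandwidth: 0Mbps, '
    'outbandwidth: 0Mbps, bibandwidth: 0Mbps, sla_map: 0x0"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


@dataclass
class SlaRecord:
    interface: str
    health_check: str
    status: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    sla_map: int      # bitmap of SLA targets the check currently meets


def parse_kv(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log line into a dict, quotes stripped."""
    out: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def parse_sla_record(line: str) -> Optional[SlaRecord]:
    """Build an SlaRecord from a link-monitor SLA line; None for other log types."""
    kv = parse_kv(line)
    if kv.get("logdesc") != "Link monitor SLA information":
        return None
    msg = kv["msg"]

    def number(label: str) -> float:        # e.g. "Latency: 0.005" -> 0.005
        m = re.search(label + r":\s*([\d.]+)", msg)
        if m is None:
            raise ValueError(f"{label} missing from msg: {msg!r}")
        return float(m.group(1))

    sla_map = re.search(r"sla_map:\s*(0x[0-9a-fA-F]+)", msg)
    return SlaRecord(
        interface=kv["interface"], health_check=kv["name"], status=kv["status"],
        latency_ms=number("Latency"), jitter_ms=number("jitter"),
        loss_pct=number("packet loss"),
        sla_map=int(sla_map.group(1), 16) if sla_map else 0,
    )


def sla_breaches(lines: List[str], max_latency_ms: float = 50.0,
                 max_jitter_ms: float = 5.0, max_loss_pct: float = 1.0
                 ) -> List[Tuple[str, List[str]]]:
    """(interface, reasons) for each record that is down or exceeds the thresholds."""
    breaches = []
    for line in lines:
        rec = parse_sla_record(line)
        if rec is None:
            continue
        reasons = []
        if rec.status != "up":
            reasons.append("link down")
        if rec.latency_ms > max_latency_ms:
            reasons.append(f"latency {rec.latency_ms} > {max_latency_ms}")
        if rec.jitter_ms > max_jitter_ms:
            reasons.append(f"jitter {rec.jitter_ms} > {max_jitter_ms}")
        if rec.loss_pct > max_loss_pct:
            reasons.append(f"packet loss {rec.loss_pct}% > {max_loss_pct}%")
        if reasons:
            breaches.append((rec.interface, reasons))
    return breaches


if __name__ == "__main__":
    for iface, why in sla_breaches(SAMPLE_LOGS):
        print(iface, "->", "; ".join(why))
```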

Related FAQs 

Q.1 What is SLA logging, and why is it important?

  • SLA logging involves recording and tracking the performance metrics and service commitments outlined in an SLA. It’s important for ensuring that service providers meet agreed-upon standards, for accountability, and for identifying areas for improvement.

Q.2 What metrics are typically tracked in SLA logging?

  • Common metrics include uptime or availability percentage, response and resolution times, incident frequency, and quality metrics such as error rates or customer satisfaction scores. These metrics help quantify performance and ensure compliance with SLA terms.

Q.3 How does SLA logging benefit both service providers and customers?

  • SLA logging helps providers demonstrate compliance with agreed standards, potentially avoiding penalties and building trust. For customers, it ensures that service commitments are met, providing transparency and accountability in service delivery.

Q.4 What tools are commonly used for SLA logging?

  • SLA logging often involves IT service management (ITSM) tools like ServiceNow, BMC Remedy, or Jira, which can automate logging and reporting. Some monitoring solutions like Datadog, SolarWinds, and Zabbix also offer SLA logging features.

Q.5 How frequently should SLA logs be reviewed and analyzed?

  • Review frequency depends on the service’s criticality and SLA terms. Monthly reviews are common, but critical services may require daily or weekly checks. Regular analysis helps in proactive issue identification and improvement planning.
How to Configure Route Leaking Between VRFs FortiGate CLI?
https://networkinterview.com/configure-route-leaking-vrfs-fortigate/ (Mon, 21 Oct 2024 14:25:09 +0000)

Cloud hosted workloads require customer traffic isolation and separate routing at a logical level on common hardware. Using the virtual routing and forwarding (VRF) technique, multiple routing tables can be created within the same router. VRF divides layer 3 routing functionality, including routes, forwarding tables and interfaces, into separate units. Packet forwarding happens between interfaces within the same VRF.

In today’s topic we will learn how to configure route leaking between VRFs on FortiGate using the command line interface (CLI).

What are VRFs on FortiGate?

Virtual routing and forwarding (VRF) provides virtual router functionality on physical routers. Each VRF operates in isolation and maintains its own routing table, configuration and interfaces; each VRF is a realm in itself, unaware of the existence of the others. FortiGate acts as a guardian that facilitates communication among these isolated VRFs: it manages these connections and protects the pathway between VRFs.

Configuring Route Leaking between VRFs FortiGate CLI

VRF table routes can be leaked into the global routing table to make traffic communication possible. This scenario requires enabling and configuring a BGP neighbour.

1. Configure VDOM Mode

Step 1:

Set the FortiGate to multi-VDOM mode to create two inter-VDOM links and assign them to separate VRFs. Multi-VDOM mode creates one more virtual firewall on a single physical box. The inter-VDOM links created will remain in the root VDOM.

config system global
    set vdom-mode multi-vdom
end

2. Subnet Overlapping

Step 2:

By default, FortiGate does not permit duplicate or overlapping networks within the same VDOM, but the two inter-VDOM links need to be on the same subnet.

config vdom
    edit root
        config system settings
            set allow-subnet-overlap enable
        end
    next
end

3. Configuring Inter-VDOM Links

Step 3:

Configure two inter-VDOM links on the same subnet. The links are put in their respective VRFs using set vrf <0-31>.

config vdom
    edit root
        config system interface
            edit "npu1_vlink0"
                set vdom "root"
                set vrf 2
                set ip 10.30.0.1 255.255.255.0
                set allowaccess ping ssh snmp http https
                set type physical
                set snmp-index 11
            next
            edit "npu1_vlink1"
                set vdom "root"
                set vrf 3
                set ip 10.30.0.2 255.255.255.0
                set allowaccess ping ssh snmp telnet http https
                set type physical
                set snmp-index 15
            next
        end
    next
end

Put physical or virtual interfaces into their respective VRFs using the commands below. The WAN address is left as a placeholder.

config system interface
    edit "wan12"
        set vdom "root"
        set vrf 2
        set ip x.x.x.x 255.255.255.252
    next
    edit "vlan200"
        set vdom "root"
        set vrf 3
        set ip 10.200.0.254 255.255.255.0
    next
end

wan12 is put in VRF 2 so that the default route can be leaked from VRF 2 to VRF 3, giving vlan200 Internet access.

4. Configuration of Prefix-list

Configure the prefix-list of the routes you intend to leak. Here we leak the source subnet 10.200.0.0/24 of VRF 3 and the default route of VRF 2. With ge and le unset, each entry matches its prefix exactly.

config router prefix-list
    edit "1"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "2"
        config rule
            edit 1
                set prefix 10.200.0.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

5. Configuring Route-Map

A route map identifies the subnets used in VRF leaking by matching them against the prefix-list:

config router route-map
    edit "VRF2Routes"
        config rule
            edit 1
                set match-ip-address "1"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
    edit "VRF3Routes"
        config rule
            edit 1
                set match-ip-address "2"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

6. Configuring Route Leaking

The BGP neighbour connects to the dmz interface, which is specified in the configuration with the set update-source command. For VRF leaking to work, at least one BGP neighbour must be up.

config router bgp
    set as 65533
    set router-id 2.2.2.2
    config neighbor
        edit "198.168.2.254"
            set remote-as 65534
            set update-source "dmz"
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
    config vrf-leak
        edit "2"
            config target
                edit "1"
                    set route-map "VRF3Routes"
                    set interface "npu1_vlink1"
                next
            end
        next
        edit "1"
            config target
                edit "2"
                    set route-map "VRF2Routes"
                    set interface "npu1_vlink0"
                next
            end
        next
    end
end

7. Configure Firewall Policies

Configure a policy from the physical or VLAN interface to the VDOM link in VRF 3, and then a policy from the VDOM link to the WAN interface in VRF 2.
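Added example, not FortiGate code: a small model of the prefix-list, route-map and vrf-leak steps above. Routes of one VRF are offered to the other, only prefixes the route-map's prefix-list permits are installed, and a longest-prefix lookup then shows vlan200 (VRF 3) reaching the Internet via VRF 2's default route while VRF 2 learns only 10.200.0.0/24 from VRF 3. The routing tables, the inter-VDOM link addresses, the leak directions and the assumption that a leaked route points at the source VRF's side of the link are all constructed for the example.

```python
"""Model of FortiGate VRF route leaking through prefix-list and route-map."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next-hop address or None if connected, egress interface).
Route = Tuple[IPv4Network, Optional[str], str]

# Constructed tables before leaking. wan12's own address is a placeholder in
# the article, so only its default route is modelled here.
VRF_RIB: Dict[int, List[Route]] = {
    2: [(ip_network("0.0.0.0/0"), None, "wan12"),
        (ip_network("10.30.0.0/24"), None, "npu1_vlink0")],
    3: [(ip_network("10.200.0.0/24"), None, "vlan200"),
        (ip_network("10.30.0.0/24"), None, "npu1_vlink1")],
}

# prefix-list rules as (prefix, ge, le); None mirrors "unset ge" / "unset le".
PREFIX_LISTS: Dict[str, List[Tuple[IPv4Network, Optional[int], Optional[int]]]] = {
    "1": [(ip_network("0.0.0.0/0"), None, None)],
    "2": [(ip_network("10.200.0.0/24"), None, None)],
}
# route-map name -> prefix-list its rule 1 matches (set match-ip-address).
ROUTE_MAPS = {"VRF2Routes": "1", "VRF3Routes": "2"}

# Leak directions: (source VRF, target VRF, route-map, next hop, egress interface).
# Assumption: the leaked route is installed in the target VRF pointing at the
# source VRF's side of the inter-VDOM link.
LEAKS = [
    (2, 3, "VRF2Routes", "10.30.0.1", "npu1_vlink1"),
    (3, 2, "VRF3Routes", "10.30.0.2", "npu1_vlink0"),
]


def prefix_list_permits(name: str, prefix: IPv4Network) -> bool:
    """Exact match when ge/le are unset; otherwise the prefix must fall inside
    the rule's prefix with a length between ge (default: rule length) and le (32)."""
    for base, ge, le in PREFIX_LISTS[name]:
        if ge is None and le is None:
            if prefix == base:
                return True
            continue
        if not prefix.subnet_of(base):
            continue
        low = ge if ge is not None else base.prefixlen
        high = le if le is not None else 32
        if low <= prefix.prefixlen <= high:
            return True
    return False


def apply_vrf_leak(rib: Dict[int, List[Route]]) -> Dict[int, List[Route]]:
    """Return a copy of the tables with the permitted routes leaked."""
    leaked = {vrf: list(routes) for vrf, routes in rib.items()}
    for src, dst, route_map, next_hop, iface in LEAKS:
        plist = ROUTE_MAPS[route_map]
        for prefix, _, _ in rib[src]:
            if prefix_list_permits(plist, prefix):
                leaked[dst].append((prefix, next_hop, iface))
    return leaked


def lookup(rib: Dict[int, List[Route]], vrf: int, dst: str) -> Optional[Route]:
    """Longest-prefix match inside one VRF; None when the VRF has no route."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    for route in rib[vrf]:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


if __name__ == "__main__":
    after = apply_vrf_leak(VRF_RIB)
    print("VRF 3 -> 198.51.100.10:", lookup(after, 3, "198.51.100.10"))
    print("VRF 2 -> 10.200.0.7:  ", lookup(after, 2, "10.200.0.7"))
```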

How to Configure mDNS Gateway?
https://networkinterview.com/how-to-configure-mdns-gateway/ (Tue, 08 Oct 2024 11:23:51 +0000)

Traditional networks use the DNS and DHCP protocols, which require servers and complex configuration to operate. Multicast DNS (mDNS) is a set of protocols and technologies that provide automatic service discovery and name resolution without manual configuration. It is a zero-configuration service used on local networks.

In today’s topic we will learn about mDNS gateway and understand how to configure it. 

What is mDNS Gateway?

Traditional networking is based on TCP/IP; network devices must know each other’s IP address before they can communicate. Remembering numbers is cumbersome compared to names, so a network administrator can configure a DNS service which maps host names to IP addresses. A device must be configured with a DNS server to resolve a host name to an IP address.

To reduce manual configuration effort, zero configuration networking came into existence. Zero configuration networks are widely used in residential wireless networks and small office setups. They allow devices to automatically obtain IP addresses, resolve domain names, and discover services on local networks.

Apple Inc.’s Bonjour is a Layer 2 service based on mDNS and DNS-SD. Most Apple products, such as iTunes, iPod, iPhone and Apple TV, use Bonjour. Bonjour implements only intra-VLAN service discovery. To implement service discovery across VLANs, an mDNS gateway is proposed.

The mDNS gateway records a list of all available printing and other services and responds to requests from terminals so that service discovery can happen across network segments and VLANs.

Configuring mDNS Gateway  

Step 1

Create a service for the mDNS gateway using the mdns-sd service command; no mdns-sd disables the mDNS gateway on a VLAN interface. Multiple service IDs can be grouped into a single service.

Switch1(config)# interface vlan 20

Switch1(config-if-vlan)# mdns-sd

To disable, use:

Switch1(config)# interface vlan 20

Switch1(config-if-vlan)# no mdns-sd

Provide a description for each service using the description command; no description deletes the service description.

description <SERVICE-DESCRIPTION>

no description <SERVICE-DESCRIPTION>

Step 2

Create unique service IDs with the id command. The service ID configured here should be the same as the service ID in the packet; no id removes the service ID from the service.

id <SERVICE-ID>

no id <SERVICE-ID>

Step 3

Create a profile to be applied to a VLAN using the mdns-sd profile command. A profile has a set of rules defining the match parameters service-name and service-instance-name.

Switch1(config)# mdns-sd profile test

Step 4

Add rules to the profile using the sequence-number command. This command adds a filter rule to the service profile; the configured sequence number determines the priority of the rule match, and a lower sequence number indicates higher priority.

Filter match has two parameters:

  • Service-name: matches against the service IDs in the mDNS packets that are configured under the service name
  • Service-instance-name: matches against the service instance name present in the mDNS packets

Any mDNS packet is matched if no match criteria are specified. Packets are denied or permitted based on the action defined in the rule. The no form of this command deletes the filter configured in this service profile.

<SEQUENCE-NUMBER> {permit | deny} {service-name <SERVICE-NAME> | service-instance-name <SERVICE-INSTANCE-NAME>}

no <SEQUENCE-NUMBER> {permit | deny} {service-name <SERVICE-NAME> | service-instance-name <SERVICE-INSTANCE-NAME>}

Step 5

Enable the mDNS gateway on the VLAN using the mdns-sd command:

Switch1(config)# interface vlan 20

Switch1(config-if-vlan)# mdns-sd

Step 6

Apply the profile to the VLAN with the mdns-sd apply-profile tx command:

Switch1(config)# interface vlan 20

Switch1(config-if-vlan)# mdns-sd

Switch1(config-if-vlan)# mdns-sd apply-profile test tx

You can view the profile configuration for an interface using the show running-config interface command:

Switch1# show running-config interface vlan20
interface vlan20
    mdns-sd
    mdns-sd apply-profile test tx
    ip address 11.2.2.2/24

Step 7

To enable the mDNS gateway globally, use the mdns-sd enable command:

Switch1(config)# mdns-sd enable

Step 8

Use the show mdns-sd summary command to view the mDNS status of each VLAN interface:

Switch1# show mdns-sd summary
global mdns-sd status: enabled
-------------------------------------
VLAN-Id  Status    Tx-Profile
-------------------------------------
1        enabled   test
2        disabled  dev
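Added example, not switch code: a model of the profile evaluation described in Steps 3 and 4 above. Rules are tried in ascending sequence number, a rule with no match criteria matches every packet, and the first matching rule's action decides whether the gateway forwards the announcement. The services, the profile, the announcements and the default-deny when nothing matches are constructed assumptions.

```python
"""Evaluate an mDNS-SD gateway profile against service announcements."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    sequence: int
    action: str                                  # "permit" or "deny"
    service_name: Optional[str] = None           # matches IDs grouped under a service
    service_instance_name: Optional[str] = None  # matches one named instance


@dataclass
class Announcement:
    service_id: str        # service type carried in the mDNS packet
    instance_name: str     # service instance name carried in the packet


# Step 1/2: services with their grouped service IDs (constructed values).
SERVICES: Dict[str, List[str]] = {
    "printers": ["_ipp._tcp", "_printer._tcp"],
    "airplay": ["_airplay._tcp", "_raop._tcp"],
}

# Constructed profile: forward printers and AirPlay except one named TV,
# and drop everything else with a catch-all rule that sets no criteria.
PROFILE_TEST: List[Rule] = [
    Rule(30, "permit", service_name="airplay"),
    Rule(10, "permit", service_name="printers"),
    Rule(20, "deny", service_instance_name="Boardroom TV._airplay._tcp.local"),
    Rule(100, "deny"),
]

# Constructed announcements as the gateway would see them on the VLAN.
SAMPLE: List[Announcement] = [
    Announcement("_ipp._tcp", "Lab Printer._ipp._tcp.local"),
    Announcement("_airplay._tcp", "Boardroom TV._airplay._tcp.local"),
    Announcement("_airplay._tcp", "Lobby TV._airplay._tcp.local"),
    Announcement("_ssh._tcp", "build-host._ssh._tcp.local"),
]


def rule_matches(rule: Rule, ann: Announcement) -> bool:
    """Every criterion the rule sets must match; a rule with none matches all."""
    if rule.service_name is not None:
        if ann.service_id not in SERVICES.get(rule.service_name, []):
            return False
    if rule.service_instance_name is not None:
        if ann.instance_name != rule.service_instance_name:
            return False
    return True


def evaluate(profile: List[Rule], ann: Announcement) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching rule in sequence order.

    Assumption: when no rule matches the packet is denied; the article does not
    state the default, which is why the profile above ends in a catch-all."""
    for rule in sorted(profile, key=lambda r: r.sequence):
        if rule_matches(rule, ann):
            return rule.action, rule.sequence
    return "deny", None


def forwarded(profile: List[Rule], anns: List[Announcement]) -> List[str]:
    """Instance names the gateway would transmit (apply-profile ... tx) across VLANs."""
    return [a.instance_name for a in anns if evaluate(profile, a)[0] == "permit"]


if __name__ == "__main__":
    for ann in SAMPLE:
        print(ann.instance_name, "->", evaluate(PROFILE_TEST, ann))
```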

Cisco FTD Packet Flow Troubleshooting: Common Issues
https://networkinterview.com/cisco-ftd-packet-flow-troubleshooting/ (Tue, 10 Sep 2024 09:28:16 +0000)

Troubleshooting Cisco FTD packet flow issues can be complex. Here is a summary of common Cisco FTD packet flow troubleshooting issues and the associated troubleshooting steps.

Cisco FTD Packet Flow Troubleshooting Issues

1. Access Control Policy Issues

  • Issue: Traffic is dropped due to incorrect or missing access control rules.
  • Troubleshooting:
    • Verify the access control policy using Firepower Management Center (FMC).
    • Use system support trace and packet-tracer to trace packet flow through policies.
    • Check the logs for denied or dropped traffic.

2. NAT Configuration Errors

  • Issue: Traffic fails due to incorrect or missing NAT rules.
  • Troubleshooting:
    • Review NAT rules in FMC.
    • Use packet-tracer to simulate packet flow through NAT.
    • Check show nat detail to inspect NAT rule matches and translations.

3. Routing Issues

  • Issue: Packets not reaching the destination due to routing misconfigurations.
  • Troubleshooting:
    • Verify the routing table using show route.
    • Use ping and traceroute to test network connectivity.
    • Ensure static or dynamic routing (e.g., OSPF, BGP) is properly configured.

4. Interface Configuration Issues

  • Issue: Traffic dropped due to interface misconfiguration or VLAN mismatches.
  • Troubleshooting:
    • Verify interface configurations using show interface and show vlan.
    • Ensure VLAN tagging is correct and matches the upstream switch configuration.
    • Use packet-tracer to confirm interface behavior.

5. Inspection Engine Blocking Traffic

  • Issue: Legitimate traffic dropped by FTD’s deep packet inspection engine (IPS, URL Filtering, Malware Protection).
  • Troubleshooting:
    • Review inspection settings in the FMC.
    • Check logs for inspection-related traffic drops.
    • Create bypass rules or tune inspection settings if false positives are identified.

6. SSL/TLS Decryption Issues

  • Issue: SSL/TLS traffic is dropped due to decryption issues.
  • Troubleshooting:
    • Review SSL policy configurations in FMC.
    • Check logs for SSL decryption failures.
    • Use packet captures (capture) to verify SSL traffic behavior.

7. High Availability (HA) Failover Issues

  • Issue: Traffic disruption during failover or synchronization issues in an HA environment.
  • Troubleshooting:
    • Check HA status with show failover and show failover history.
    • Ensure proper synchronization between HA members.
    • Use packet captures during failover events to analyze traffic flow.

8. Session Table Issues

  • Issue: Traffic dropped due to incorrect session handling or session table overflow.
  • Troubleshooting:
    • Check session entries with show conn.
    • Clear sessions if needed with clear conn.
    • Review session timeout settings and adjust if necessary.

9. VPN Configuration Issues

  • Issue: VPN tunnels fail to establish or traffic is dropped within the VPN.
  • Troubleshooting:
    • Verify VPN settings (phase 1/2) using show crypto ikev2 sa and show vpn-sessiondb.
    • Review logs for VPN negotiation failures.
    • Use packet-tracer to simulate VPN packet flow.

10. Licensing or Feature Activation Issues

  • Issue: Traffic blocked or features disabled due to expired licenses or unlicensed features.
  • Troubleshooting:
    • Verify licenses with show license.
    • Ensure that all necessary licenses (e.g., Threat, URL Filtering, Malware) are installed and valid.
    • Review logs for traffic blocked due to feature limitations.

11. Multicast Routing Issues

  • Issue: Multicast traffic not being forwarded due to incorrect multicast configuration.
  • Troubleshooting:
    • Verify multicast routing configurations with show igmp and show pim.
    • Ensure multicast traffic is routed correctly through the interfaces.
    • Use packet captures to analyze multicast traffic flow.

12. Policy Deployment Failures

  • Issue: Changes made in FMC are not deployed correctly to FTD devices.
  • Troubleshooting:
    • Check deployment status in FMC to ensure policies are applied.
    • Use system support diagnostic-cli to check the FTD device for errors.
    • Review the deployment log for errors or misconfigurations.

13. Latency and Performance Issues

  • Issue: Traffic delays or performance degradation due to excessive inspection or resource overload.
  • Troubleshooting:
    • Monitor resource utilization using show cpu usage and show memory.
    • Review inspection profiles and disable unnecessary features.
    • Use capture to analyze packet latency and response times.

14. Fragmentation Issues

  • Issue: Fragmented packets being dropped or mishandled.
  • Troubleshooting:
    • Adjust the Maximum Transmission Unit (MTU) on interfaces if necessary.
    • Use capture to analyze packet fragments.
    • Ensure fragment handling (the per-interface fragment chain size and timeout) is configured to accept the fragment chains your traffic produces.

15. Time Synchronization (NTP) Issues

  • Issue: NTP time synchronization issues causing logging and event correlation problems.
  • Troubleshooting:
    • Verify NTP configuration and synchronization state with show ntp status and show ntp associations.
    • Check logs for time drift issues.
    • Correct NTP server settings if necessary.

16. Logging and Monitoring Issues

  • Issue: Insufficient logging or missing events in logs, making troubleshooting difficult.
  • Troubleshooting:
    • Ensure logging is enabled for relevant access control and inspection rules.
    • Use show logging and review FMC to confirm logs are properly recorded.
    • Increase logging verbosity if needed for detailed analysis.

17. Threat Defense Rule Optimization Issues

  • Issue: Rules not optimized, leading to traffic being dropped or misrouted.
  • Troubleshooting:
    • Review rule order and optimization in the FMC.
    • Use system support trace to trace traffic and ensure it follows the intended path.
    • Reorder or refine rules to improve performance and accuracy.

These issues can typically be diagnosed using Cisco’s built-in tools like packet-tracer, capture, show conn, and system support trace, along with detailed analysis in Firepower Management Center.
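The sequence below is an added example of how these tools are combined on a single flow; it is not taken from the original post. The interface names inside and outside, the capture names CAP_IN and CAP_OUT and the hosts 10.1.1.10 and 203.0.113.5 are assumptions. On older FTD releases the ASA-style commands are entered after system support diagnostic-cli; newer releases accept them at the FTD CLI prompt. Lines starting with # are explanatory comments, not commands.

```text
# 1. Simulate the flow through the ACL, NAT, routing and inspection phases without
#    sending a real packet. Each phase reports ALLOW or DROP and the rule it matched.
packet-tracer input inside tcp 10.1.1.10 12345 203.0.113.5 443 detailed

# 2. Capture real packets on both interfaces for the same 5-tuple. If CAP_IN fills
#    and CAP_OUT stays empty, the drop is inside the box, not upstream.
capture CAP_IN  interface inside  match tcp host 10.1.1.10 host 203.0.113.5 eq 443
capture CAP_OUT interface outside match tcp host 10.1.1.10 host 203.0.113.5 eq 443
show capture CAP_IN
show capture CAP_OUT detail

# 3. Attach a trace to the inbound capture so the data plane records the verdict
#    for each captured packet, then read the per-packet trace.
capture CAP_IN interface inside trace match tcp host 10.1.1.10 host 203.0.113.5 eq 443
show capture CAP_IN trace

# 4. Confirm whether a connection exists and review accelerated-path drop counters.
show conn address 10.1.1.10
show asp drop

# 5. Snort-side trace for the same flow (FTD CLI, interactive prompts for the 5-tuple).
system support trace

# 6. Remove the captures: they consume memory and slow the data plane while active.
no capture CAP_IN
no capture CAP_OUT
```

Run packet-tracer first: it is cheap and often answers the question outright. Use captures and the Snort trace only when the simulated result disagrees with what the user sees, which usually points at inspection or at an asymmetric path the simulator cannot model.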

Checkpoint Packet Flow Troubleshooting: Common Issues
https://networkinterview.com/checkpoint-packet-flow-troubleshooting/ (Sun, 08 Sep 2024 11:54:20 +0000)

Troubleshooting Check Point packet flow issues can be complex. Here are common Check Point packet flow troubleshooting issues and the steps to address them.

Checkpoint Packet Flow Troubleshooting Issues

1. Security Policy Misconfiguration

  • Issue: Traffic is dropped due to incorrect or missing security policies.
  • Troubleshooting:
    • Review the security policy (rule base) in SmartConsole (SmartDashboard on older releases).
    • Use fw monitor to see the packet at the inspection points i, I, o and O; the point at which the packet last appears tells you whether it was dropped before or after the rule base.
    • Ensure that source, destination, services, and actions in policies are configured correctly.

2. NAT Misconfiguration

  • Issue: Traffic fails due to incorrect or missing NAT rules.
  • Troubleshooting:
    • Check NAT rules in the SmartDashboard.
    • Use fw monitor or tcpdump to verify that the NAT translation is happening as expected.
    • Check the order of manual NAT rules, which sit above and are matched before the automatic NAT rules.

3. Routing Problems

  • Issue: Packets do not reach the destination due to routing issues.
  • Troubleshooting:
    • Check the routing table in clish with show route, or in expert mode with netstat -rn or ip route show.
    • Verify that static or dynamic routing protocols (e.g., OSPF, BGP) are correctly configured.
    • Perform a traceroute from the firewall to the destination to check path availability.

4. Anti-Spoofing

  • Issue: Traffic is dropped due to Check Point’s anti-spoofing protection.
  • Troubleshooting:
    • Review anti-spoofing settings in the network interface settings.
    • Ensure that the interfaces’ networks and the anti-spoofing configuration match.
    • Use fw ctl zdebug + drop to identify if traffic is being dropped due to anti-spoofing.

5. Session Table Problems

  • Issue: Packets dropped due to session state issues or session table being full.
  • Troubleshooting:
    • Use fw tab -t connections -s to check the session table size and utilization.
    • Delete a specific entry with fw tab -t connections -x -e <entry> if necessary; fw tab -t connections -x without -e flushes the whole table and interrupts every connection.
    • Review session timeouts and adjust if needed.

6. Inspection Module Drops

  • Issue: The firewall’s inspection engine drops traffic for security reasons.
  • Troubleshooting:
    • Review SmartLog and the output of fw ctl zdebug + drop for inspection-engine drops.
    • Ensure the inspection profiles are correctly configured (IPS, Application Control, etc.).
    • Disable or modify specific inspection rules if they are triggering false positives.

7. High Availability (ClusterXL) Issues

  • Issue: Traffic disruption due to HA failover or ClusterXL synchronization problems.
  • Troubleshooting:
    • Check ClusterXL status using cphaprob stat.
    • Ensure that synchronization between cluster members is healthy (cphaprob syncstat).
    • Use tcpdump to capture traffic during failover events.

8. Interface and VLAN Issues

  • Issue: Traffic may be dropped due to incorrect interface or VLAN configuration.
  • Troubleshooting:
    • Check interface and VLAN configurations in the SmartConsole and the Gaia portal.
    • Use tcpdump to verify that traffic is reaching the correct interface.
    • Ensure that VLAN tagging is properly configured on both firewall and connected devices.

9. Encryption/Decryption (VPN) Issues

  • Issue: VPN tunnels fail to establish or traffic is dropped inside the VPN.
  • Troubleshooting:
    • Verify VPN configuration for phase 1/2 settings (IKE and IPSec).
    • Use vpn tu to list the IKE and IPsec SAs per peer and, if necessary, delete them so the tunnel renegotiates.
    • Review logs for encryption and decryption errors.

10. IPS Blocking Legitimate Traffic

  • Issue: Legitimate traffic blocked due to IPS false positives.
  • Troubleshooting:
    • Review the IPS logs and check if legitimate traffic is flagged.
    • Add exceptions or tune IPS profiles to reduce false positives.
    • Use SmartEvent or SmartLog to analyze the specific attack signatures triggered.

11. Global Properties Misconfiguration

  • Issue: Traffic may be affected by incorrect global properties settings.
  • Troubleshooting:
    • Review global properties, such as NAT settings, logging, and session timeouts.
    • Ensure that the security settings are aligned with your network requirements.
    • Use fw ctl zdebug + drop to confirm whether a drop is caused by a global property (for example, an implied rule or a stateful-inspection timeout).

12. SecureXL and CoreXL Issues

  • Issue: Performance degradation due to incorrect configuration of SecureXL/CoreXL.
  • Troubleshooting:
    • Check SecureXL status with fwaccel stat and confirm acceleration is enabled.
    • Review CoreXL CPU affinity with fw ctl affinity -l -a.
    • Disable SecureXL temporarily with fwaccel off to see whether acceleration is causing the issue; the change is not persistent across reboot and CPU load rises while acceleration is off.

13. Multicast Traffic Issues

  • Issue: Multicast traffic not reaching its destination due to improper configuration.
  • Troubleshooting:
    • On a cluster, check with cphaprob -a if that the cluster control protocol mode (multicast or broadcast) and interface state are consistent across members; verify IGMP settings on the gateway and the attached switches.
    • Use tcpdump to monitor multicast traffic on relevant interfaces.
    • Verify that routing protocols like PIM are correctly set up if needed.

14. Licensing or Blade Activation

  • Issue: Features not functioning or traffic being blocked due to licensing issues.
  • Troubleshooting:
    • Verify licenses with cplic print (or in SmartConsole; SmartUpdate on older releases).
    • Ensure that all required security blades (e.g., IPS, Application Control) are activated.
    • Check SmartLog for traffic that might be blocked due to license limitations.

15. Fragmentation Issues

  • Issue: Large packets may be dropped due to improper handling of fragmented packets.
  • Troubleshooting:
    • Use fw ctl debug to monitor for packet fragmentation issues.
    • Check the Maximum Transmission Unit (MTU) settings on interfaces.
    • Enable fragmented packet handling in the global properties if necessary.

16. Secure Policy Installation Issues

  • Issue: New policies are not being installed or causing traffic issues after installation.
  • Troubleshooting:
    • Use the fw stat command to verify if the policy has been installed.
    • Review policy installation logs in SmartConsole.
    • Reinstall the policy from SmartConsole (Install Policy) if needed.

17. Logging and Monitoring Configuration

  • Issue: Insufficient logging or monitoring settings may prevent proper troubleshooting.
  • Troubleshooting:
    • Ensure logging is enabled on relevant rules and features (e.g., IPS, VPN, etc.).
    • Use SmartLog (SmartView Tracker on older releases) for real-time log monitoring.
    • Increase log verbosity for deeper analysis of traffic issues.

Each of these common issues can be diagnosed with Check Point’s packet capture tools (tcpdump, fw monitor), session monitoring, and log analysis, allowing administrators to quickly pinpoint and resolve packet flow problems.
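The following is an added example of a first-pass diagnostic session on a Check Point gateway, not part of the original post. The host 10.10.10.5 is a constructed address for the client being troubleshot; commands are run in expert mode on the gateway. Lines starting with # are comments.

```text
# 1. Is a real policy installed? fw stat shows the policy name and install time;
#    "InitialPolicy" means the gateway is still running the default deny policy.
fw stat

# 2. Watch the packet at the four inspection points i, I, o, O for one host.
#    Seen at i but not I: dropped by the rule base or anti-spoofing.
#    Seen at I but not o: routing or NAT problem. Seen at o but not O: outbound inspection.
fw monitor -e "accept src=10.10.10.5 or dst=10.10.10.5;"

# 3. Kernel drop reasons (anti-spoofing, rule base, NAT, VPN, ...). Very verbose:
#    always filter it and run it only for a few seconds on a production gateway.
fw ctl zdebug + drop | grep 10.10.10.5

# 4. Connections table size versus limit; new sessions are dropped when it is full.
fw tab -t connections -s

# 5. Cluster state and synchronization, before blaming the policy for an outage.
cphaprob stat
cphaprob syncstat

# 6. SecureXL: accelerated packets may never reach fw monitor. Check status and,
#    only if needed, disable acceleration temporarily (lost at reboot; CPU load rises).
fwaccel stat
fwaccel off
```

The order matters: fw stat and cphaprob stat take seconds and rule out the two most common causes (no policy, split cluster) before the slower packet-level tools are used.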

Fortigate Packet Flow Troubleshooting: Common Issues
https://networkinterview.com/fortigate-packet-flow-troubleshooting/ (Fri, 06 Sep 2024 15:26:59 +0000)

Troubleshooting FortiGate packet flow issues can be complex. Here is an overview of common FortiGate packet flow troubleshooting issues and the steps to resolve them.

Fortigate Packet Flow Troubleshooting Issues

1. Incorrect Firewall Policies

  • Issue: Traffic is dropped due to misconfigured firewall policies.
  • Troubleshooting:
    • Verify that policies are correctly configured for source, destination, and services.
    • Check policy order and make sure no unintended policy is overriding the expected rule.
    • Trace a specific flow with diagnose debug flow, which reports the policy ID that matched, or look up the 5-tuple with diagnose firewall iprope lookup. Note that diagnose firewall proute list shows policy routes, not firewall policies.

2. NAT Misconfigurations

  • Issue: Traffic fails due to incorrect or missing NAT configurations.
  • Troubleshooting:
    • Check which policy and NAT apply to a flow with diagnose firewall iprope lookup, and review the NAT objects with show firewall ippool and show firewall vip.
    • Confirm source and destination NAT configurations.
    • Use packet capture (diagnose sniffer packet any) to confirm whether traffic is being translated correctly.

3. Routing Issues

  • Issue: Traffic doesn’t reach the destination due to routing misconfigurations.
  • Troubleshooting:
    • Verify the routing table with get router info routing-table all.
    • Use traceroute or ping to confirm reachability to the destination.
    • Check static and dynamic routing configurations (OSPF, BGP).

4. Session Handling

  • Issue: Sessions may fail due to timeouts or not being properly cleared.
  • Troubleshooting:
    • List sessions using diagnose sys session list.
    • Clear specific sessions with diagnose sys session clear only after setting a diagnose sys session filter; without a filter the command clears every session on the unit.
    • Ensure session TTL (time-to-live) values are correctly set and not too aggressive.

5. Zone and Interface Mismatch

  • Issue: Traffic dropped due to incorrect interface or zone configurations.
  • Troubleshooting:
    • Verify interface assignments and zone configuration.
    • Use show system zone to check which interfaces belong to each zone, and get system interface for interface state and addressing.

6. SSL/TLS Decryption Issues

  • Issue: Misconfigured SSL/TLS decryption profiles leading to traffic drop.
  • Troubleshooting:
    • Check SSL/SSH inspection profile and confirm if traffic is being inspected as expected.
    • Analyze logs and packet captures to verify if decrypted traffic is handled correctly.
    • Review the certificate configuration for any mismatches or invalid certificates.

7. DNS Misconfigurations

  • Issue: Incorrect DNS settings can prevent the firewall from resolving domain names.
  • Troubleshooting:
    • Verify DNS server settings using get system dns.
    • Ensure that DNS servers are reachable and properly configured.
    • Check logs for DNS query failures.

8. High Availability (HA) Failover Issues

  • Issue: Traffic disruption during HA failover or improper HA synchronization.
  • Troubleshooting:
    • Verify HA status using get system ha status.
    • Compare configuration checksums across members with diagnose sys ha checksum cluster, and check HA synchronization logs and event history for failover causes.
    • Monitor traffic during failover events with packet captures.

9. IPS Blocking Legitimate Traffic

  • Issue: False positives in IPS (Intrusion Prevention System) may block legitimate traffic.
  • Troubleshooting:
    • Review IPS logs for blocked traffic patterns.
    • Create exceptions for legitimate traffic in the IPS profile.
    • Tune IPS signatures to reduce false positives.

10. Session Helpers (VoIP, FTP, etc.)

  • Issue: Incorrect session helper configuration can cause issues with specific protocols (e.g., VoIP, FTP).
  • Troubleshooting:
    • Check session helper configuration with show system session-helper.
    • Disable session helpers if causing issues and configure specific policies instead.
    • Review logs for protocol-specific traffic drops.

11. VLAN Misconfigurations

  • Issue: Traffic dropped due to incorrect VLAN tagging or trunk configuration.
  • Troubleshooting:
    • Verify VLAN interface settings (vlanid and parent interface) with show system interface and diagnose netlink interface list.
    • Ensure proper tagging on both FortiGate and connected switches.
    • Use packet captures to see if traffic is being tagged or dropped.

12. Licensing and Feature Restrictions

  • Issue: Traffic blocked due to expired licenses or disabled features (e.g., antivirus, web filtering).
  • Troubleshooting:
    • Verify license status with get system status and diagnose autoupdate versions, which shows the contract expiry for each service.
    • Ensure all necessary features (web filtering, antivirus, etc.) are licensed and active.
    • Review logs for license-related blocking events.

13. IPSec VPN Issues

  • Issue: IPSec tunnels may not establish or drop traffic due to misconfigurations.
  • Troubleshooting:
    • Verify VPN settings and phase 1/phase 2 configuration.
    • Use diagnose vpn ike gateway list for phase 1 and diagnose vpn tunnel list for phase 2 to check the state of VPN tunnels.
    • Check logs, or run diagnose debug application ike -1 with diagnose debug enable, for negotiation or key exchange failures; disable debugging afterwards.

14. Traffic Shaping or Bandwidth Management Issues

  • Issue: Traffic might be limited or dropped due to traffic shaping rules.
  • Troubleshooting:
    • Verify traffic shapers and their drop counters with diagnose firewall shaper traffic-shaper list.
    • Adjust bandwidth limits or create new shaping policies for critical traffic.

15. Multicast/Broadcast Forwarding Issues

  • Issue: FortiGate drops multicast or broadcast traffic if multicast forwarding or routing is not configured.
  • Troubleshooting:
    • Verify multicast routing configuration using get router info multicast.
    • Ensure proper multicast forwarding or IGMP settings.
    • Use packet captures to analyze multicast traffic flow.

Each of these issues can be diagnosed using FortiGate’s packet capture tools, session monitoring, and log analysis. Knowing where to look in the FortiGate system is key to efficiently troubleshooting packet flow problems.
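An added example of the FortiGate diagnostic sequence described above; it is not from the original post. The host 10.10.10.5, the server 203.0.113.20, the source port 51234 and the interface name port2 are constructed assumptions. Lines starting with # are comments.

```text
# Host 10.10.10.5 on port2 cannot reach 203.0.113.20:443 through the FortiGate.

# 1. Policy lookup without sending traffic. Argument order:
#    <src ip> <src port> <dst ip> <dst port> <protocol number> <source interface>.
#    The output names the policy ID that would match (or reports no match).
diagnose firewall iprope lookup 10.10.10.5 51234 203.0.113.20 443 6 port2

# 2. Debug flow: follows real packets through routing, policy lookup and NAT and
#    prints the reason for any drop. Filter narrowly; it is CPU intensive.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.10.10.5
diagnose debug flow filter proto 6
diagnose debug flow filter port 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... reproduce the problem from the host, then stop and clear the debug:
diagnose debug disable
diagnose debug reset

# 3. Packet sniffer, verbosity 4 (interface names plus headers), 20 packets.
#    Packets seen on port2 but never on the egress interface confirm an internal drop.
diagnose sniffer packet any "host 10.10.10.5 and port 443" 4 20

# 4. Session table. Set a filter FIRST: without one, 'diagnose sys session clear'
#    removes every session on the unit.
diagnose sys session filter clear
diagnose sys session filter src 10.10.10.5
diagnose sys session filter dport 443
diagnose sys session list
diagnose sys session clear
diagnose sys session filter clear
```

In the debug flow output, look for the line that names the matched policy ID and for any "Denied by forward policy check" or "reverse path check fail" message; the first identifies a policy problem, the second an asymmetric route.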

FortiGate NAT Policy: Types & Configuration
https://networkinterview.com/fortigate-nat-policy-types-configuration/ (Tue, 03 Sep 2024 09:50:32 +0000)

NAT-Network Address Translation

NAT is a process that lets a single device, such as a firewall or router, act as an intermediary between a public network (the internet) and a private LAN segment by rewriting the addresses in packets as they pass through it.

NAT is usually used for the following reasons:

  • It hides the addresses behind the NAT device from the outside. This is obscurity rather than a security control: a firewall policy is still required to restrict what traffic is allowed in.
  • It maps private IP addresses to public IP addresses so that the traffic becomes routable on the internet.

**In the FortiGate firewall, NAT can be applied directly in the firewall policy without creating a separate NAT policy (firewall policy NAT). A separate NAT policy is used only when central NAT is enabled.

FortiGate NAT

FortiGate provides below NAT features in the Firewall:

  1. SNAT
  2. DNAT
  3. PAT

FortiGate NAT Modes  

Firewall Policy NAT – SNAT and DNAT are configured within each firewall policy. SNAT uses the firewall's outgoing interface IP address (or an IP pool) as the translated source address. DNAT uses a configured VIP as the destination.

Central NAT – SNAT and DNAT are configured per VDOM (virtual domain), separately from the firewall policies:

  • SNAT rule is implemented from central SNAT Policy
  • DNAT is configured from DNAT and VIPs

Firewall Policy NAT

We can configure Firewall policy NAT by applying two different ways

  1. Use outgoing interface as a NAT IP address
  2. Use predefined pool (dynamic pool)

Firewall policies can be configured by using below types of NAT

  1. Static SNAT
  2. Dynamic SNAT

Static SNAT

In Static SNAT (this article's term for NAT to the outgoing interface address) all internal IP addresses are translated to the single public IP address of the outgoing interface and distinguished by their translated source port, that is, port address translation.

E.g.

10.10.10.1-> source port 1110-> NAT IP address 172.16.100.1:5001

10.10.10.2-> source port 1111-> NAT IP address 172.16.100.1:5002

10.10.10.3->source port 1112->NAT IP address 172.16.100.1:5003

How to configure Static SNAT

1. Create Security Policy -> IPV4 Policy

2. Give the details in the policy TAB, add source address/subnet

3. Add Destination address/subnet

4. Add Service/port

5. Set the action to Accept

6. Enable NAT and select Use Outgoing Interface Address

Dynamic SNAT

Dynamic SNAT maps private IP addresses to public IP addresses taken from an IP pool.

Four types of IP pool are available in the FortiGate firewall: Overload, One-to-One, Fixed Port Range and Port Block Allocation. The first three are covered below.

Overload

An overload pool contains one or more public IP addresses. Internal hosts are translated to any available address in the pool when they exit the firewall, and the translated source port is allocated from the range 1024 to 65533, so many internal hosts can share each public address.

Configure Overload Dynamic SNAT

1. Create IP Pool for Public IP address>> Go to Policy & Objects

2. Name the pool and select type>> Overload

3. Select Pool Subnet IP or range

4. Apply the pool in the security policy

5. Select NAT-ON>> IP Pool Configuration Use Dynamic IP Pool

6. Choose Overload Pool>> NAT_POOL

One-to-One Dynamic SNAT

Each internal IP address is mapped to exactly one external IP address, for example:

10.10.1.1>>>172.168.1.1

10.10.1.2>>>172.168.1.2

10.10.1.3>>>172.168.1.3

If a LAN has 100 users and one-to-one SNAT is used, 100 public IP addresses are required; once the pool is exhausted, additional hosts cannot be translated.

Fixed Port Range

In Fixed Port Range both the internal (source) IP range and the external (translated) IP range are specified in the pool.

FortiGate then divides the translated port range into fixed blocks, so that each combination of internal address and translated address gets a predictable port range. This makes it possible to map a logged public address and port back to the internal host.

  1. Create NAT_POOL for Fixed Port Range
  2. Select type Fixed Port Range
  3. Add External IP Range
  4. Add Internal IP range detail

Apply the Pool in Security policy
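The CLI equivalent of the GUI steps above, as an added example that is not part of the original article: one pool of each type covered here, then the two firewall policy NAT variants (interface address and IP pool). The interface names port1 (WAN) and port2 (LAN), the address object LAN_10.10.10.0 and the 172.16.100.x pool addresses are assumptions. Lines starting with # are explanatory comments and should be removed before pasting into the FortiGate CLI.

```text
config firewall ippool
    # Overload: several public addresses shared by many hosts, distinguished by source port.
    edit "NAT_POOL"
        set type overload
        set startip 172.16.100.10
        set endip 172.16.100.20
    next
    # One-to-one: each internal host gets its own public address.
    # When the 10 addresses are used up, further hosts are not translated.
    edit "ONE_TO_ONE_POOL"
        set type one-to-one
        set startip 172.16.100.30
        set endip 172.16.100.39
    next
    # Fixed port range: both ranges are declared, so the translated address and
    # port block for each internal host are deterministic (useful for log attribution).
    edit "FPR_POOL"
        set type fixed-port-range
        set startip 172.16.100.40
        set endip 172.16.100.41
        set source-startip 10.10.10.1
        set source-endip 10.10.10.200
    next
end

config firewall policy
    # "Static SNAT" as used above: translate to the outgoing interface address.
    edit 10
        set name "LAN-to-Internet-intfNAT"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_10.10.10.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Dynamic SNAT: the same policy, but translating to addresses from the overload pool.
    edit 11
        set name "LAN-to-Internet-poolNAT"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_10.10.10.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "NAT_POOL"
    next
end
```

Policy 10 and policy 11 overlap, so only the one that is higher in the rule order takes effect for matching traffic; in practice you keep one of them. Swap "NAT_POOL" for "ONE_TO_ONE_POOL" or "FPR_POOL" to use the other pool types without changing anything else in the policy.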

Central NAT

Before discussing Central NAT, we should know about VIP objects.

A VIP is a DNAT object used for session mapping: the destination address is translated, so a public IP address is mapped to the internal server's IP address.

The default VIP type is static NAT. Static NAT is a one-to-one mapping that applies to both incoming and outgoing connections (bi-directional).

** The VIP address must be routable from the external side so that return traffic reaches the firewall.

By default, central NAT is disabled in the firewall. Central NAT provides two types of configuration:

  1. Central SNAT
  2. DNAT and Virtual IP

 

Central NAT is mandatory when the NGFW mode is policy-based. In profile-based mode it is optional and is enabled from the CLI under the system settings.

Central SNAT

Central SNAT gives more granular control: a central SNAT policy can match on the ingress interface, exit interface, source and destination address, protocol, source port and destination port as required. Once a policy matches, the source address (and optionally the source port) is translated according to the NAT settings configured in that central SNAT policy.

Prerequisites to define Central SNAT policy

  • Configure IP Pool/interface IP address (outgoing IP)
  • Configure NAT policy

First, enable central NAT in the firewall from the CLI.

Policy will be matched by using below criteria

  • Source Interface -> Inside
  • Destination outgoing Interface-> Outside
  • Source address-> 192.168.2.0/24
  • Destination address-> wildcard FQDN object for dropbox.com
  • Protocol/application port-> any
  • Source port-> any
  • Outgoing IP address/translated IP address -> 172.16.100.100/32

Central DNAT & VIP

In the firewall, VIPs are used as the destination address in the security policy. On FortiGate, destination NAT is configured under DNAT and Virtual IPs. As soon as a VIP is configured, the kernel translates matching inbound traffic before the policy lookup, so the firewall policy only has to permit it.

Destination NAT means that traffic from the outside world reaches internal servers or services through the public IP address published for the server.

Prerequisites to configure DNAT with VIP

  • External IP address (the public address users connect to) -> 1.2.3.1
  • Internal server IP address mapped to the external IP -> 192.168.1.50
  • External (forwarded) port -> 25
  • Translated (mapped) port -> 25

After creating DNAT and Virtual IP you only need to create a policy as per your requirement.
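An added CLI example of the central NAT configuration described in this section (central SNAT matching the criteria listed above, plus the SMTP VIP); it is not from the original article. Interface names port1 (WAN) and port2 (LAN), the address objects LAN_192.168.2.0 and WILDCARD_DROPBOX, the IP pool SNAT_POOL (containing 172.16.100.100) and the policy IDs are assumptions. Lines starting with # are explanatory comments; remove them before pasting.

```text
# Enable central NAT (needed in profile-based NGFW mode; already on in policy-based mode).
config system settings
    set central-nat enable
end

# Central SNAT policy: 192.168.2.0/24 on port2 to the wildcard dropbox.com object via
# port1, any protocol (0) and any source port, translated to the address in SNAT_POOL.
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "LAN_192.168.2.0"
        set dst-addr "WILDCARD_DROPBOX"
        set protocol 0
        set nat-ippool "SNAT_POOL"
    next
end

# DNAT with a VIP: external 1.2.3.1 TCP/25 -> internal mail server 192.168.1.50 TCP/25.
# Port forwarding restricts the mapping to this one port instead of the whole address.
config firewall vip
    edit "SMTP_VIP"
        set extintf "port1"
        set extip 1.2.3.1
        set mappedip "192.168.1.50"
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedport 25
    next
end

# With central NAT the firewall policy only permits the traffic and carries no NAT
# setting. The service is SMTP, not ALL, so the VIP does not expose anything else.
config firewall policy
    edit 20
        set name "Inbound-SMTP"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "SMTP_VIP"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
end
```

Two checks worth doing after committing: show firewall central-snat-map confirms the SNAT entry exists, and diagnose firewall iprope lookup with a 5-tuple from the LAN confirms the outbound policy still matches after central NAT was switched on, because enabling it removes the per-policy NAT settings.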

That’s it.

Continue Reading:

FortiGate Firewall Policy: Rules, Types & Configuration

FortiGate VDOM Configuration: Complete Guide

FortiGate UTM (Unified Threat Management)
https://networkinterview.com/fortigate-utm-unified-threat-management/ (Sat, 10 Aug 2024 15:00:46 +0000)

UTM-Unified Threat Management

UTM (Unified Threat Management) is a firewall feature set in which multiple security profiles are combined to provide protection from threats and attacks. These features include antivirus, web filtering, IPS and anti-spam.

UTM is a consolidated solution for an organisation against attacks and malicious traffic; in other words, UTM is a bundle of multiple security features in one device.

FortiGate UTM Profiles

Let’s discuss FortiGate UTM profiles one by one.

Anti-Virus Profile

Antivirus Scanning Modes

FortiGate antivirus detects viruses in traffic and files using several techniques:

  1. Anti-Virus Scan: the simplest and fastest technique. It detects files that exactly match a signature in the antivirus database.
  2. Grayware Scan: detects unsolicited programs, known as grayware, that were installed without the user's knowledge or consent. Grayware is not technically a virus; it is bundled software that produces unwanted side effects on the system or network.
  3. Machine Learning (AI) Scan: assesses the likelihood that an unknown file is malicious, which covers zero-day malware that is new and therefore has no signature yet. If your network is a frequent target, enabling the AI scan may be worth its performance cost.

Anti-virus can operate by using flow-based or Proxy-based inspection mode. Both inspection modes use a full AV database.

Flow-based Scanning Mode

In this mode the antivirus engine inspects the packet payload as it passes, caches the packets it has seen and forwards each packet on to the receiver. It consumes more CPU than proxy mode.

If a virus is detected in a TCP session after some packets have already been forwarded, FortiGate resets the connection and does not send the last piece of the file. The receiver has most of the file, but it is truncated and cannot be opened.

If the sender tries to send the same file again, FortiGate blocks the connection.

Proxy-based Inspection Mode

In this mode each protocol proxy picks up the connection and buffers the entire file before scanning it. Clients must wait for the scan to finish.

If a virus is detected, a block replacement page is displayed. Because FortiGate must buffer the whole file, scanning takes longer than in flow mode. Proxy-based scanning supports stream-based scanning, which is enabled by default: large archive files are decompressed, scanned and extracted at the same time, which reduces memory use. A virus can be detected in the middle of the scan or at its end.

Configuring Anti-Virus Profile and Policy

  • Create Anti-virus Profile
    1. Go to the Security Profiles tab
    2. Select Antivirus Profile
    3. Create new Profile, name as ANTIVIRUS
    4. Select the scan mode (Proxy/Full or Flow/Quick)
    5. Select the action when a virus is detected: Block drops the file; Monitor allows it and generates an alert
    6. Select OK

 

  • Apply Anti-Virus Profile to Security Policy

    1. Create Internet Policy, Go to IPV4 Policy TAB
    2. Add Policy NAME- Antivirus Policy
    3. Go to the Security Profile section in Internet Policy and add ANTIVIRUS profile which is created above.
    4. Select OK.

 

Now every file in traffic going to the internet is parsed by the antivirus engine and the configured action is taken.
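The CLI form of the antivirus profile and policy created above, as an added example that is not part of the original article (FortiOS 6.4/7.x syntax). The interfaces port2 (LAN) and port1 (WAN) and the policy ID are assumptions. Lines starting with # are explanatory comments; remove them before pasting.

```text
# Antivirus profile "ANTIVIRUS": flow-based ("Quick" in the GUI; use "set feature-set proxy"
# for "Full"), blocking infected files on the three protocols most often carrying them.
config antivirus profile
    edit "ANTIVIRUS"
        set comment "Block infected files"
        set feature-set flow
        config http
            set av-scan block
        end
        config ftp
            set av-scan block
        end
        config smtp
            set av-scan block
        end
    next
end

# Internet policy that applies the profile. utm-status must be enabled or the profile is
# ignored, and an SSL inspection profile is required: without it, files inside HTTPS are
# never seen by the engine. certificate-inspection only looks at the handshake; switch to
# deep-inspection (with your CA deployed to clients) to scan HTTPS payloads.
config firewall policy
    edit 30
        set name "Antivirus Policy"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "ANTIVIRUS"
        set logtraffic all
    next
end
```

The logtraffic setting is what makes the "Monitor" action useful: without policy logging, a monitored virus event still appears in the AV log, but the session it belonged to is not recorded.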

Web-Filter Profile

Web-filtering is the feature in FortiGate to control web traffic of firewalls by using block or allow action.

It uses two types of inspection mode for URL traffic

  1. Flow Based: the default inspection mode and faster than proxy mode.
  2. Proxy Based: FortiGate buffers the traffic and examines it as a whole, acting as an intermediary between client and web server.

The NGFW mode also affects how web filtering is configured. The modes are:

Profile-based Mode: 

It requires application control and web-filter profiles and applies them to firewall policy. It uses flow-based OR proxy-based inspection. 

Policy-based Mode: 

Application control and web filtering are applied directly in the firewall policy; separate Application Control or Web Filter profiles are not required.

Web filtering controls and records the sites users visit. It preserves employee productivity, prevents network congestion by blocking malicious and unauthorised URLs, and reduces the exposure of confidential data by inspecting the URLs being requested.

Configure Web-Filtering Profile 

  1. Go to Security Profile
  2. Select Web Filter
  3. Create new Web Filter with name Web-Filter-Profile-1
  4. Create a FortiGuard category-based filter and select the categories to act on.
  5. Set each category to block, allow or monitor as required. In this example the Potentially Liable category is set to block.
  6. Select ok

Apply Web-Filter Profile in Security Policy

  1. Create Security policy to apply web-filtering. Go to IPV4 Policy.
  2. Create New policy name Internet-Policy-With-Webfilter
  3. Assign incoming and outgoing interfaces.
  4. Add source address
  5. Add destination address
  6. Add services
  7. Select action as Accept
  8. Go to Security Profiles and select Web Filter TAB. Select the web filtering profile which we have created above. And select OK. That’s it

IPS – Intrusion Prevention System Profile

IPS should be deployed to protect the network from intrusion. IPS in FortiGate uses signature databases to detect attacks, and protocol decoders to detect network errors and protocol anomalies; its purpose is to protect the inside network from outside threats. The same IPS engine also performs flow-based inspection for:

  • Antivirus 
  • Web Filter
  • Email Filter
  • Application Control

IPS Signature Updates

FortiGuard updates the IPS signatures and protocol decoders so that the IPS engine stays effective against new exploits. FortiGate fetches IPS updates periodically, either on the default schedule or on a customised one.

The default update setting is Automatic; the settings are under System > FortiGuard.

After FortiGate downloads the FortiGuard package, the new signatures appear in the signature list. You can change the action for each signature, although the default action is usually correct. Custom signatures can be written to cover in-house applications. If a signature triggers false positives, disable it or set it to monitor; persistent false positives can also be reported to Fortinet support for correction.

IPS Sensors

An IPS sensor is a list of signatures configured as a profile that is later applied in a security policy. There are two ways to populate a sensor:

  1. Select signatures individually from the signature database.
  2. Add a filter (by severity, target, OS, protocol or application) to the sensor; FortiGate includes every signature in the database that matches the filter.

Configure IPS Profile in FortiGate Firewall

  1. Go to Security Profiles
  2. Select Intrusion Prevention
  3. Create a new profile. Here we have created IPS Profile-1
  4. Add signatures to the profile. Signature based means selecting signatures from the FortiGate IPS database and combining them in a single profile.
  5. Alternatively add a filter to the profile so that every matching signature in the database is included.
  6. Save the profile.

Apply IPS-Profile in Firewall Policy

  7. Now apply the IPS profile in the firewall policy. Go to the IPV4 Policy tab and add the policy parameters (source IP address, destination IP address, services or ports) for which the IPS profile is enabled.
  8. Go to the Security Profiles section of the firewall policy and add IPS Profile-1.
  9. Select OK to apply the parameters to the policy.
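The filter-based sensor from step 5 and its attachment to the policy, in CLI form, as an added example that is not part of the original article. The policy ID 30 is assumed to be an existing internet policy. Lines starting with # are explanatory comments; remove them before pasting.

```text
# Sensor "IPS Profile-1": one filter entry that pulls in every signature of severity
# high or critical whose target is a server, using the action FortiGuard recommends
# per signature. log-packet keeps the triggering packet for later analysis.
config ips sensor
    edit "IPS Profile-1"
        set comment "High/critical server-side signatures"
        config entries
            edit 1
                set severity high critical
                set location server
                set action default
                set status enable
                set log enable
                set log-packet enable
            next
        end
    next
end

# Attach the sensor to the existing policy. utm-status must be enabled, otherwise the
# sensor is silently ignored.
config firewall policy
    edit 30
        set utm-status enable
        set ips-sensor "IPS Profile-1"
    next
end
```

A false positive is handled by adding a second entry to the same sensor that names the signature (set rule with its numeric ID) with set status disable or set action pass; later entries override the filter for that one signature, so the filter itself does not need to change.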

DOS Policy Configuration in FortiGate

DoS (Denial of Service) is a packet-based attack that consumes infrastructure resources and makes them unavailable to legitimate users and traffic.

To block DoS attacks, apply a DoS policy on a FortiGate located between the attacker and the resources you want to protect. DoS filtering is performed early in packet handling, by the kernel, before firewall policy lookup and UTM inspection.

Let’s discuss type of DOS attack before implementing DOS policy in FortiGate firewall:

  1. TCP SYN Flood: the victim is flooded with half-open TCP connections that fill its connection table, so legitimate users cannot connect.
  2. ICMP Sweep: the attacker sends ICMP echo requests to many addresses to discover live hosts (reconnaissance). The related ICMP Flood anomaly sends a high rate of ICMP to one target so that it spends its resources answering.
  3. TCP Port Scan: the attacker sends TCP connection attempts to many ports to identify open services, and then targets those services.

Apply DOS Policy in FortiGate

  1. Go to IPV4 DoS Policy
  2. Create new policy, here we have named it DOS-Protection-1
  3. Specify the incoming interface and the source and destination addresses
  4. Specify the service or port
  5. Enable or disable the L3 and L4 anomalies (SYN flood, port scan, ICMP sweep, etc.) and set a threshold and action for each
  6. Note how each anomaly counts: flood anomalies count per destination, scan and sweep anomalies count per source
  7. Save the policy; it applies to traffic arriving on the incoming interface

Application Control in FortiGate

  • Application control detects applications that communicate over the network on any port, and takes the configured action on their traffic to stop misuse.
  • It identifies application traffic such as Google Talk, Facebook chat and Gmail Hangouts.
  • These applications run over port 443 or other web ports, so a firewall acting as a Layer 4 device cannot tell whether the traffic is legitimate or carries malicious content.
  • Port 443 carries normal browsing traffic but also carries application traffic such as BitTorrent. Application control distinguishes traffic by the application that generated it and blocks it according to the policy configured on the firewall.
  • Application control can be configured in flow-based (profile-based) or policy-based mode. It scans traffic and compares it with known application patterns.
  • It detects peer-to-peer applications. P2P traffic uses a distributed architecture to move data across the network.
  • Traditional client-server applications use a fixed port number, which a firewall policy can easily block.
  • Peer-to-peer downloads divide each file among multiple peers and use dynamic ports to transfer the data, so this traffic is very difficult to identify and block with port-based firewall rules alone.

Application Control Signatures

A FortiGuard subscription is required to download and enable application control signatures on the firewall. These signatures parse the traffic and recognise applications by content, including those using dynamic ports.

Configure Application Control Policy

  1. Go to Application Control
  2. Create a new Application Control profile
  3. Select the category or application you want to block; for example, the Proxy and P2P categories are blocked in the image below.
  4. Select OK

You can add individual application signatures by selecting the Add Signatures tab under Application Overrides.

Apply Application Control Profile in the Policy

  1. Go to IPV4 Policy
  2. Enable Application Control and select the above created profile.
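As an added example (not from the original post), the CLI form of the profile and policy just configured in the GUI. The profile name, the port names and the category IDs (2 for P2P and 6 for Proxy on the FortiGuard category list) are assumptions; confirm the IDs on your own unit before committing.

```fortios
# Added example, not from the original post. Names, interfaces and the
# category IDs are assumptions; verify category IDs on your FortiGate.
config application list
    edit "Block-P2P-Proxy"
        set comment "block P2P and Proxy categories, allow the rest"
        config entries
            edit 1
                set category 2 6       # 2 = P2P, 6 = Proxy (assumed IDs)
                set action block
                set log enable
            next
            # catch-all entry: every application not matched above is allowed
            edit 2
                set action pass
            next
        end
    next
end

# Apply the profile on the outbound policy (profile-based NGFW mode)
config firewall policy
    edit 10
        set name "LAN-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "Block-P2P-Proxy"
        set logtraffic all
        set nat enable
    next
end
```

Two practical caveats: with flow-based inspection the first packets of a session are forwarded before the application is identified, so blocking is not always instantaneous; and for applications inside TLS on port 443, certificate inspection only identifies them from the SNI and server certificate, while inspecting the content itself needs the deep-inspection profile and its trusted CA on the clients.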

Continue Reading:

Fundamentals of FortiGate Firewall: Essential Guide

NGFW vs UTM

FortiGate VDOM Configuration: Complete Guide
https://networkinterview.com/fortigate-vdom-configuration/ (Thu, 08 Aug 2024 16:30:59 +0000)

Understanding FortiGate VDOM

A FortiGate VDOM (Virtual Domain) splits one FortiGate device into multiple virtual devices. Each VDOM has its own security policies and routing table, and by default traffic cannot move from one VDOM to another, which means two interfaces in different VDOMs can share the same IP address without an overlapping IP/subnet problem.

When VDOMs are used, a single FortiGate device becomes a virtual data centre of network security, UTM and secure network communication devices. By default a FortiGate firewall supports up to 10 VDOMs; on high-end FortiGate models a further 10 VDOMs can be added.

  • Independent VDOMs: Some VDOMs are completely separate, with no communication between them. Each VDOM has its own physical interface link to the internet. This kind of setup is used where multiple ISPs have been deployed in the network topology.
  • Routing through a VDOM: Traffic destined for the Internet is always routed through the designated routing VDOM. A single routing VDOM forwards the traffic towards the internet; for example, if there are three VDOMs in the firewall, all of them use the same routing VDOM to forward traffic to the outside world.
  • Meshed VDOMs: VDOMs connect to other VDOMs through inter-VDOM links. We can specify what kind of traffic goes to which VDOM.
  • Management VDOM: Used to forward system traffic generated by the FortiGate itself, such as system daemons and NTP. It is the VDOM from which all management traffic of the FortiGate firewall originates. The management VDOM must have access to all the global services, such as
    • NTP
    • FortiGuard update queries
    • SNMP
    • DNS filtering
    • Logs: syslog and FortiAnalyzer
    • Management-related services

FortiGate VDOM Administrators

An account with the super_admin access profile (such as the default admin account) can configure and back up every VDOM. Select the super_admin access profile when configuring such an account; like the built-in admin account, it can configure all VDOMs.

  • Per-VDOM Administrator: In most cases an admin account is created per VDOM. A per-VDOM admin is solely responsible for its own domain, including the configuration backup of that VDOM. In larger organisations you may need several VDOM administrators, and you can assign multiple administrators to each VDOM.

*A per-VDOM admin cannot access the global settings of the FortiGate firewall.*

  • Create VDOM Administrator Account: Follow step 1 to step 5 to create a VDOM admin account in the FortiGate firewall.

FortiGate VDOM Modes

There are two VDOM modes in FortiGate: Split VDOM and Multi-VDOM.

  • Split VDOM: In Split VDOM mode the FortiGate has exactly two VDOMs, root and FG-Traffic. You cannot add VDOMs in Split VDOM mode. It keeps management and network traffic separate.
    1. root: only management traffic is allowed, and it has its own configuration entries.
    2. FG-Traffic: provides separate security policies and allows traffic through the FortiGate. It is only for network traffic.

  • Multi-VDOM: You can create multiple VDOMs that function as independent units. Multi-VDOM is used when multiple logical firewalls are needed on a single hardware device; each VDOM acts as an independent FortiGate firewall. This kind of configuration suits a managed service provider running a multi-tenant setup, or a large enterprise that wants departmental segmentation. Each tenant or department can be given visibility and management control independently.

Configure & Enable VDOM in FortiGate Firewall

Log in to the command line to enable VDOMs in the FortiGate firewall.

1. Type the command config system global to enter the global system settings of the firewall

2. Select the VDOM mode with set vdom-mode split-vdom OR set vdom-mode multi-vdom

3. Here we have selected multi-vdom mode

3.1 Type end to finish the session

4. The device does NOT reboot to enable VDOM mode; it just logs you out

5. Select Global VDOM from FortiGate WEB GUI

6. We can go to System

7. Select VDOM. By default root VDOM is available in the config

8. Let's create a new VDOM

9. Name new VDOM – marketing 

10. NGFW Firewall mode->Profile based

11. WifiCountry-> select as per your available data in FortiGate Firewall

12. Select OK

The next step is to add interfaces to the new VDOM, marketing

13. Go to Global VDOM-> Select Network-> move to Interfaces

14. Select Physical/logical interface which you want to add in VDOM-marketing 

15. Choose Edit

16. Select marketing in the Virtual domain field of interface LAN (port2)

17. Let's allocate another interface, port 3, to the marketing VDOM

18. Click the Edit button

19. Select the marketing virtual domain on the port 3 interface

20. Select the marketing VDOM in the FortiGate firewall

21. Go to the Interfaces tab and check that all interfaces allocated to the marketing domain are listed there

22. Both port 2 and port 3 are now available to the marketing VDOM

This is how interfaces are associated with virtual domains in a FortiGate firewall. The administrator can configure each of the following independently per VDOM:

  • Firewall policies
  • Firewall objects
  • Security profiles, routes, network interfaces
  • Operating mode- NAT/route
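As an added example (not part of the original post), the CLI equivalent of steps 1 to 22 above together with a per-VDOM administrator, which the walkthrough mentions but does not show. The VDOM name, the ports and their addresses follow the walkthrough; the admin account name is an assumption and the password is a placeholder.

```fortios
# Added example, not from the original post. Admin name is an assumption,
# the password is a placeholder to replace before use.

# 1. Switch to multi-VDOM mode. This does not reboot; it ends your session.
config system global
    set vdom-mode multi-vdom
end

# 2. After logging back in you land in the global context. Create the VDOM.
config vdom
    edit marketing
    next
end

# 3. Move port2 and port3 into the marketing VDOM. An interface can only be
#    moved while nothing in its current VDOM (policy, route, DHCP server)
#    still references it; remove those references first or the set fails.
config global
    config system interface
        edit port2
            set vdom marketing
        next
        edit port3
            set vdom marketing
        next
    end

    # 4. Per-VDOM administrator: prof_admin is the built-in profile that
    #    grants full rights inside the assigned VDOM and nothing in global.
    config system admin
        edit marketing-admin
            set vdom marketing
            set accprofile prof_admin
            set password CHANGE-ME-PLACEHOLDER
        next
    end
end

# 5. Address the LAN interface from inside the VDOM that now owns it.
config vdom
    edit marketing
        config system interface
            edit port2
                set ip 10.0.5.1 255.255.255.0
                set allowaccess ping https ssh
            next
        end
    next
end
```

Log in as marketing-admin afterwards to confirm the scope: that account sees only the marketing VDOM and cannot reach System > Global or the interfaces of other VDOMs, which is the separation the per-VDOM administrator model is meant to provide.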

 

Inter-VDOM Links

Inter-VDOM links route traffic between VDOMs.

Each VDOM behaves like a separate FortiGate firewall. With physically separate FortiGate devices we would connect cables and configure routing and policies between them, but the VDOMs are on the same device, so how should the admin route traffic between them?

The answer is the inter-VDOM link. An inter-VDOM link is a type of virtual interface that routes traffic between VDOMs and removes the need to loop a physical cable between ports.

Limitation: Layer 3 interfaces are required; the admin cannot interlink Layer 2 or transparent-mode interfaces in FortiGate.

 

Prerequisites to configure inter-VDOM links:

  • Routes are required to forward traffic from one VDOM to the other
  • Firewall policies are also required to allow traffic arriving from the other VDOM, just as for traffic arriving on a physical interface
  • When creating an inter-VDOM link the admin must create the virtual interfaces

Steps to Create Inter-VDOM-Link

1. Go to Global > Network > Interfaces

2. Select Create New > VDOM Link

3. Provide a name for the link

4. Select the first VDOM to which one end of the link is connected. Here the first end of the VDOM link is root and the second end is marketing

5. We are creating a point-to-point link, so each end gets an address from one /30: enter 10.10.100.1/30 in IP/Netmask for the root end (NAT mode)

6. Select the other end of the V-link, which is marketing

7. Provide the IP address 10.10.100.2/30

8. Select OK to save the configuration changes

Now add a static route in the marketing VDOM to provide communication between the root VDOM and the marketing VDOM.

9. Go to Static Routes

10. Add a static route in the marketing VDOM with the gateway address (the root end of the link) and the vlink interface as the device

Add a static route in the root VDOM as well

11. Use the marketing VDOM's LAN subnet as the destination. Here we have taken port 2, whose IP address is 10.0.5.1/24

12. After logging in to the root VDOM, go to Static Routes

13. Enter the destination IP address, which is the port 2 interface subnet of the marketing VDOM

14. Gateway address: the marketing end of the link

15. Interface: the root end of the marketing vlink

Enable Firewall Policy between FortiGate VDOMs

Now create firewall policies to allow traffic between the two FortiGate VDOMs

1. Log in to the marketing VDOM

2. Go to Security Policy and create a policy between the root and marketing VDOMs

3. Source interface: LAN port 2

4. Destination interface: interlink 1

5. Disable NAT; NAT is not required between these VDOMs

Create the same kind of policy in the root VDOM

1. Log in to the root VDOM

2. Go to Security Policy and create a policy between the root and marketing VDOMs

3. Source interface: inter_link0 (the root end of the interlink)

4. Destination interface: port1, the WAN interface to the internet

5. Enable NAT; NAT is required to reach the internet from the FortiGate firewall

After configuring firewall policies login in marketing VDOM and try to ping google.com. Policies are working fine if you get a ping response from google.com.

Related FAQs

Q.1 How many VDOMs can I create on my FortiGate?

The number of VDOMs you can create depends on the FortiGate model and the license purchased. Some models come with a base number of VDOMs, while others allow you to add more through licensing.

Q.2 What are the different VDOM modes in FortiGate?

FortiGate supports two VDOM modes:
  • NAT/Route Mode: The VDOM operates in routing mode, performing NAT and routing traffic between interfaces.
  • Transparent Mode: The VDOM acts as a Layer 2 bridge, forwarding traffic between interfaces without changing IP addresses.

Q.3 Can I manage VDOMs separately?

Yes, each VDOM can be managed independently, including separate administrators, policies, routing, and configurations. You can assign specific administrators to specific VDOMs with different access levels.

Q.4 How do I enable VDOMs on a FortiGate device?

To enable VDOMs:
Log in to the CLI.
Use the command:

```
config system global
set vdom-admin enable
end
```

Reboot the device if necessary.

Q.5 How do I assign an interface to a specific VDOM?

To assign an interface to a VDOM:
Access the CLI.
Use the command:

```
config global
config system interface
edit <interface_name>
set vdom <vdom_name>
end
```

This will move the interface to the specified VDOM.

Q.6 Can I configure different security profiles for each VDOM?

Yes, each VDOM can have its own set of security profiles, including antivirus, web filtering, IPS, and more. These profiles are managed independently within each VDOM.

Q.7 Can I disable VDOM mode after enabling it?

Yes, you can disable VDOM mode by:
1. Accessing the CLI.
2. Using the command:

```
config system global
set vdom-admin disable
end
```

3. This will remove all VDOM configurations and reset the device to a single administrative domain. Ensure you back up your configurations before disabling VDOM mode.

Q.8  What is an inter-VDOM link?

An inter-VDOM link is a virtual interface that connects two VDOMs, allowing traffic to pass between them. This is useful for scenarios where different VDOMs need to communicate with each other while maintaining their own routing and firewall policies.

Continue Reading:

FortiGate SD-WAN Fundamentals

Palo Alto Security Profiles and Security Policies

Troubleshooting FortiGate VPN Tunnel IKE Failures
https://networkinterview.com/fortigate-vpn-tunnel-ike-failures/ (Sat, 01 Jun 2024 16:35:44 +0000)

In our previous post we discussed the IPSec VPN configuration in the FortiGate firewall. In this post we will look at how to troubleshoot FortiGate VPN tunnel IKE failures.

We are using below topology to troubleshoot the FortiGate VPN IPSec tunnel issues

  • Peer A -> 27.67.38
  • Peer B -> 83.200.6
  • LAN A -> 10.10.150.1/24
  • LAN B -> 68.0.1/24
  • User A  -> 10.150.75/24
  • User B -> 168.0.33/24

You can see in the image above that the setup is very simple: two firewalls are connected over an IPSec VPN, which means PC A can communicate with PC B.

Both peers, Peer A and Peer B, are FortiGate firewalls. The commands used below are:

```
# get vpn ipsec tunnel summary
# diagnose vpn ike gateway list name to <ip address>
# diagnose vpn ike log-filter dst-addr4 <ip-address>
# diagnose debug application ike -1
# diagnose debug enable
```

The current situation is that the VPN between Site A and Site B is down. Sending traffic over the VPN tunnel should bring the tunnel up.

>ping 192.168.0.33 -t

You need to ping from a host behind one VPN peer to a host behind the other; this initiates traffic from one peer to the other and brings the VPN up.

Troubleshooting FortiGate VPN CASE 1: Issue with Pre-shared Key

We have changed some configuration settings in the firewall which manually bring down the IPSec VPN, and we will troubleshoot the issue to identify the root cause.

We will run a debug through the CLI, using the IKE debug to capture the negotiation.

  • diagnose vpn ike log-filter destination <peer gateway IP>
  • diagnose debug application ike -1

Capture the output from the CLI, then run the command below to stop the debug capture

  • diagnose debug reset

Now we can see the pre-shared key is mismatched.

Troubleshooting FortiGate VPN CASE 2: Issue with Negotiation Algorithms

Now take another scenario. Again we have changed the configuration, and we take the debug again to find the root cause of the issue.

The error we get is a negotiation mismatch error; now we need to determine why we are getting the negotiation error.

  • diagnose vpn ike log-filter destination <peer gateway IP>
  • diagnose debug application ike -1

Capture the output from the CLI, then run the command below to stop the debug capture

  • diagnose debug reset

If we search the debug logs we can see the proposal offered by Firewall B and its settings.

The crypto hash value is sha-256.

Our job here is to compare this with our configuration, in particular the encryption (DES) and authentication (SHA) methods. When we checked the proposals we found that Firewall B's authentication method is sha-256, so the peer firewall has to be set to the same proposal.

We made the change on Firewall A and after that the VPN came up.

CASE 3: Issue with Negotiation Algorithms

In Case 3 we have made another change to the firewall's IPSec VPN configuration. Now run the debug on the firewall. It looks very similar to the Case 2 VPN issue, but there are two important differences:

  1. An IPSEC SA error, which indicates an error in VPN IPSec Phase II
  2. Mismatch error logs in the Phase II proposals

Here we are getting ISAKMP errors.

Similarly check the logs on Firewall A, where we find that Firewall A is sending the negotiation to Firewall B.

Here we do not see the unmatched proposals listed because we are not attempting to match them with the remote peer. Furthermore we can see the error statement in the debug logs:

  • IPSEC SA error (which means an issue with Phase II)

When we scroll the debug logs up a little in the CLI we find that the log stream refers to Phase II with the statement "matched phase2".

We also get a message saying no proposal was chosen, which means Firewall B was unable to find a matching proposal in the Phase II negotiation. All of this analysis points to the cause of the VPN problem.

To fix the issue we need to match the IPSec Phase 2 proposal configuration on Firewall B.

After enabling the configuration will fix the issue. We will be able to get access to the VPN tunnel for phase II.
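As an added example (not part of the original post), the debug sequence used in the three cases above followed by the Firewall A phase 1 and phase 2 settings that have to agree with Firewall B: the pre-shared key (case 1), the phase 1 proposal and DH group (case 2) and the phase 2 proposal and selectors (case 3). The tunnel name, the wan1 interface, the peer address (from the RFC 5737 documentation range), the remote subnet 192.168.0.0/24 and the chosen proposals are assumptions; the local subnet follows LAN A above.

```fortios
# Added example, not from the original post. Tunnel name, peer address,
# remote subnet and proposals are assumptions; the PSK is a placeholder.

# --- collect IKE negotiation output for this peer only ---
diagnose vpn ike log-filter dst-addr4 203.0.113.2
diagnose debug application ike -1
diagnose debug enable
#   ... trigger the tunnel from a LAN host (ping across), read the output, then:
diagnose debug disable
diagnose debug reset

# --- quick state checks ---
get vpn ipsec tunnel summary
diagnose vpn ike gateway list name to-siteB

# --- phase 1: PSK (case 1) and proposal / DH group (case 2) must match B ---
config vpn ipsec phase1-interface
    edit "to-siteB"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret PLACEHOLDER-same-as-peer-B
    next
end

# --- phase 2: proposal and selectors must match B (case 3) ---
config vpn ipsec phase2-interface
    edit "to-siteB"
        set phase1name "to-siteB"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set src-subnet 10.10.150.0 255.255.255.0
        set dst-subnet 192.168.0.0 255.255.255.0
    next
end
```

Read the debug from the responder side when in doubt: the responder is the one that reports which proposal it rejected, whereas the initiator only sees that nothing was chosen. On newer FortiOS releases the filter is spelled `diagnose vpn ike log filter`; `diagnose vpn ike ?` shows which form your unit expects.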

Continue Reading:

Partial Redundant Route Based VPN FortiGate

IPSec VPN Set Up – Palo Alto

Juniper SRX Commonly Used Commands
https://networkinterview.com/juniper-srx-commonly-used-commands/ (Fri, 23 Feb 2024 06:55:14 +0000)

In the previous articles we studied the basics of the Juniper SRX firewall: its architecture, installation, modes, security policies, etc. Today we will discuss the command line interface of the Juniper SRX.

Commonly Used Commands: Juniper SRX

Here are some commonly used CLI commands for managing and configuring Juniper SRX devices:

Viewing System Information

show version:

Displays the Junos software version running on the device.

show system uptime:

Shows how long the device has been running since its last reboot.

show chassis hardware:

Provides hardware information such as model, serial number, and installed modules.

Interface Configuration and Status

show interfaces terse:

Displays brief information about all interfaces on the device.

show interfaces <interface-name>:

Shows detailed information about a specific interface.

show interfaces diagnostics optics <interface-name>:

Displays optical transceiver diagnostics information for a specific interface.

Routing and Forwarding Table

show route:

Shows the routing table.

show route forwarding-table:

Displays the forwarding table.

show route protocol <protocol-name>:

Shows routes learned via a specific routing protocol.

Security Policies and Zones

show security policies:

Displays security policies configured on the device.

show security zones:

Shows configured security zones and associated interfaces.

show security flow session:

Displays active sessions passing through the device.

NAT (Network Address Translation)

show security nat source:

Shows configured source NAT rules.

show security nat destination:

Displays configured destination NAT rules

VPN (Virtual Private Network)

show security ipsec security-associations:

Displays active IPsec security associations.

show security ike security-associations:

Shows active IKE (Internet Key Exchange) security associations.

show security ipsec vpn:

Displays configured IPsec VPNs.

System Logs and Monitoring

show log:

Displays system log messages.

show security flow session source-prefix <source-ip>:

Shows active sessions originating from a specific source IP address.

show security flow session destination-prefix <destination-ip>:

Shows active sessions destined to a specific destination IP address.

Packet Capture

monitor traffic interface <interface-name>:

Initiates packet capture on a specific interface.

monitor traffic interface <interface-name> extensive:

Initiates packet capture with more detailed information.

monitor traffic no-resolve:

Captures packets without resolving IP addresses to hostnames.

Commit and Rollback

commit:

Commits configuration changes to the device.

commit check:

Checks the configuration for syntax errors without committing.

commit full:

Commits the entire configuration, not only the changed parts.

commit comment “{TEXT}”:

Commits the changes and records the comment in the commit log.

rollback <rollback-number>:

Rolls back the configuration to a previous state.

rollback rescue:

Rolls back the configuration to the saved rescue configuration.

Process Management

show system processes extensive:

Shows detailed information about the running processes.

restart {process} gracefully:

Restarts the process after all its current tasks have completed.

Miscellaneous

request system reboot:

Reboots the device.

request system storage cleanup:

Removes unwanted files to free up storage.

request support information:

Collects system information for troubleshooting purposes.

configure:

Enters configuration mode.

exit:

Exits configuration mode or the CLI.

Please Note:

These commands provide a basic overview of managing and configuring Juniper SRX devices via the CLI. The actual command syntax may vary depending on the Junos OS version and device model. It is advised to always refer to official documentation or consult with Juniper support for detailed information and assistance.

Continue Reading:

How to Configure Security Packet Capture on SRX?

How to configure SSL Forward Proxy on SRX?

How to configure Juniper SRX Firewall? Step by Step Guide
https://networkinterview.com/how-to-configure-juniper-srx-firewall/ (Sun, 28 Jan 2024 14:30:43 +0000)

We can't imagine a network without a firewall; they are a staple of almost every network in the IT landscape and protect nearly every network-based transaction. Over the last decade the underlying technology has changed rapidly, and firewalls have undergone a major shift from stateful inspection devices to service gateways. Deep inspection by service gateway firewalls is the firewall of the future.

Today we look more in detail about Juniper SRX Next generation firewalls, a true service gateway firewall and understand how to configure them. 

Steps to Configure Juniper SRX Firewall

In this topic we are covering how to configure NGFW and set up a new SRX device to connect to the Internet. 

When we login to a new SRX box there is no password for root.

1. Press enter.

login: root

Password:

— JUNOS 12.1X47-D20.7 built 2017-03-03 21:53:50 UTC

root@%

2. Use CLI to enter Operational mode

root@% cli

root>

3. Use configure command to enter configuration mode

root> configure

Entering configuration mode

[edit]

root#

Now we will configure Juniper SRX as gateway. Use commit command to apply as active configuration

4. Configuring root password

root# set system root-authentication plain-text-password

New password:

Retype new password:

[edit]

root#

5. Create new user 

[edit]

root# set system login user mad1 class super-user authentication plain-text-password

New password:

Retype new password:

6. Provide host name

[edit]

root# set system host-name letsconfig-SRX

[edit]

root# commit

commit complete

[edit]

root@letsconfig-SRX#

8. DNS server setup on Juniper SRX

[edit]

root@letsconfig-SRX# set system name-server 8.8.8.8

9. Enable SSH on SRX 

[edit]

root@letsconfig-SRX# set system services ssh

10. Setup NTP and time zone

[edit]

root@letsconfig-SRX# set system time-zone Asia/Kolkata

[edit]

root@letsconfig-SRX# set system ntp server time.google.com

11. Assign IP address

set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.100/24

set interfaces ge-0/0/2 unit 0 family inet address 10.1.1.1/24

*Family inet means IPv4 and inet6 means IPv6

12. Establish zone configuration

user@hostj#set security zones security-zone un-trust interfaces ge-0/0/1.0

user@hostj#set security zones security-zone un-trust host-inbound-traffic system-services all

user@hostj#set security zones security-zone un-trust host-inbound-traffic protocols all

user@hostj#set security zones security-zone trust1 interfaces ge-0/0/2.0

user@hostj#set security zones security-zone trust1 host-inbound-traffic system-services all

user@hostj#set security zones security-zone trust1 host-inbound-traffic protocols all

13. Establish security policy for zone

edit security policies from-zone trust1 to-zone un-trust policy our-internet-policy

            set match source-address any

            set match destination-address any

            set match application any

            set then permit

            exit

edit security policies from-zone un-trust to-zone trust1 policy our-deny-policy 

            set match source-address any

            set match destination-address any

            set match application any

            set then deny

            exit

commit

** everything is allowed in the outgoing path and deny everything in the incoming path.

14. Configure static route as routing protocol

set routing-options static route 0.0.0.0/0 next-hop 192.168.3.1

15. NAT/PAT configuration

set security nat source rule-set ourr-nat-rule-set from zone trust1

set security nat source rule-set ourr-nat-rule-set to zone un-trust

set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule match source-address 10.1.1.0/24

set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule match destination-address 0.0.0.0/0

set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule then source-nat interface

16. Enable Intrusion Detection and Prevention (IDP) in the SRX firewall

set security idp idp-policy recommended

set security idp idp-policy idpengine

17. Configure one of the IDP policies as the default policy

set security idp default-policy recommended

18. Check to confirm if default policy configured on device

show security idp default-policy

Continue Reading:

Introduction to Juniper SRX Firewall

NAT vs PAT: IP Address Translation Explained

Partial Redundant Route Based VPN FortiGate
https://networkinterview.com/partial-redundant-route-based-vpn-fortigate/ (Tue, 12 Sep 2023 12:13:56 +0000)

Objectives

  • FortiGate1 has two WAN links and FortiGate2 has single WAN link
  • Create site-to-site route based VPN with Redundant Connection
  • Configure Dead-Peer-Detection failover
  • Configure Link-Health

Partial redundancy is the case where primary and secondary WAN connections are not present on both peers: typically the headquarters has multiple connections while a remote office has only one WAN link. To communicate in this kind of setup we need to create a redundant VPN. Both fully redundant and partially redundant VPNs use route-based VPN.

Create site-to-site route based VPN with Redundant Connection

In this example we have taken a FortiGate1 device with 2 WAN links and a FortiGate2 device with a single WAN. Hence redundancy will be established at FortiGate1 side because it has 2 different WAN links. (refer diagram shown above)

>>Configure Site-to-Site VPN in FortiGate1 (HQ) for WAN1 and WAN2-Route Based

Check WAN 1 and WAN2 interfaces and its IP addresses 

WAN 1 -> 10.200.3.1/24

WAN 2 -> 10.200.4.1/24

Check LAN IP address -> 10.10.1.0/24

Configure Phase-1 for WAN 1

  1. Go to IPSec Wizard and select VPN Setup
  2. Name VPN profile ToRemote1
  3. Select Template Type -> Site to Site
  4. NAT configuration is NO NAT
  5. Select next tab Authentication
  6. Select IP address
  7. Select Remote IP Address of WAN1
  8. Select Outgoing port WAN1
  9. Enter Pre-shared Key which must be identical with peer site configuration
  10. Select next tab Policy & Routing and add LAN interface port
  11. Add Local subnets -> 10.10.1.0/24
  12. Add remote site subnets-> 10.20.1.0/24
  13. The tunnel for the WAN1 interface has now been created

Configure Tunnel for WAN 2

  1. Add name for Phase 2 tunnel parameters
  2. Add Remote Gateway outgoing IP address
  3. Add WAN1 interface IP address
  4. Select WAN 2 Port for outgoing interface
  5. Enable Dead Peer detection
  6. Add Authentication for phase 2 IDs. Add pre-shared keys.
  7. Add Main Mode
  8. Add encryption and Authentication methods
  9. Enable Diffie-Hellman values
  10. Add key-lifetime values.
  11. Add local address -> 10.10.1.0/24
  12. Add remote address -> 10.20.1.0/24

Both tunnels WAN1 and WAN2 have been created.

Configure Routes for WAN 1 and WAN 2 Tunnels

Go to tab Network > Static Routes.

1. Choose Create New, enter the entries below and select OK:

Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: WAN1
Gateway: 10.200.3.1
Distance (Advanced): 10 (lower value, primary route)

Add another route for WAN2: go to Network > Static Routes again.

2. Choose Create New, enter the entries below and select OK:

Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: WAN2
Gateway: 10.200.4.1
Distance (Advanced): 15 (higher value, secondary route)

Create Security Policy for WAN 1 and WAN 2

>Create security policies for WAN1 and WAN2 traffic to communicate with the remote site

1. Go to Policy & Objects > IPv4 Policy and select Create New Policy.

2. Add the information below in the policy parameters:

Incoming Interface: LAN
Outgoing Interface: ToRemote2
Source Address: LAN subnets (the specific subnets you want to allow)
Destination Address: All
Schedule: Always
Service: Any
Action: ACCEPT

Create Security Policy From Remote site to FortiGate-HQ site

3. Enter the following information and select OK:

Incoming Interface: ToRemote2
Outgoing Interface: LAN
Source Address: required subnets of the remote site
Destination Address: Local subnets
Schedule: Always
Service: Any
Action: ACCEPT

Configure Tunnel on Remote Peer FortiGate for WAN1

Configure the tunnel on the remote peer FortiGate for WAN1, in the same way as we configured FortiGate1-HQ.

Two tunnels will be created on Remote-FortiGate: the first for the WAN1 link and the second for the WAN2 link. Remote-FortiGate itself has only a single link at its end.

 

  1. Select VPN Wizard and go to VPN Setup
  2. Name VPN Tunnel Name TOHQ1
  3. Select Authentication Tab and add values to the mentioned parameters
  4. Remote device IP address
  5. Add IP address of Remote-FortiGate
  6. Select Outgoing Interface WAN1 and add a pre-shared key which must be identical with FortiGate1-HQ’s pre-shared key.
  7. Move to Policy & Routing tab, add parameters in secondary route
  8. Add local subnets 10.20.1.0/24
  9. Add remote subnets 10.10.1.0/24 and add these routes along with the tunnel and create the tunnel

Tunnel is ready on the Remote-FortiGate firewall for Link WAN1.  See below image to check added parameters.

Create Tunnel from Remote FortiGate to WAN 2

Now create another tunnel for FortiGate HQ with lower administrative distance. Here, we will select administrative distance 10 to prioritise the route.

Follow step 1 to step 10 to get the tunnel created on Remote FortiGate Firewall.

 

Configure Link-Health Monitor

>>Configure Link-Monitor on FortiGate-HQ

Here, probing is done by ToRemote1 interface.

We can also check the status of probing IP address by using below command

diagnose sys link-monitor status

>>Link-health monitor on Remote-FortiGate Firewall

These health monitors can probe the destination by sending signals to the WAN1 and WAN2 or vice-versa.  You can configure Link-Monitor through CLI only.
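As an added example (not part of the original post), the CLI for the failover pieces that the GUI steps above leave implicit: DPD on both phase 1 definitions, one route to the remote LAN per tunnel interface with different distances, and the link monitor that withdraws the primary route when its probe fails. The tunnel names and subnets follow the post; the probed address (a host in the remote LAN) and the route IDs are assumptions.

```fortios
# Added example, not from the original post. Probed host and route IDs are
# assumptions; tunnel names and subnets follow the steps above.

# DPD on both tunnels so a dead peer is noticed without waiting for rekey
config vpn ipsec phase1-interface
    edit "ToRemote1"
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 10
    next
    edit "ToRemote2"
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 10
    next
end

# Two routes to the remote LAN; only the lower distance is installed in the
# forwarding table, the other waits as a backup.
config router static
    edit 11
        set dst 10.20.1.0 255.255.255.0
        set device "ToRemote1"
        set distance 10
    next
    edit 12
        set dst 10.20.1.0 255.255.255.0
        set device "ToRemote2"
        set distance 15
    next
end

# Probe a remote-LAN host through the primary tunnel. After failtime lost
# probes, update-static-route removes the routes that use ToRemote1, so the
# distance-15 route via ToRemote2 takes over; they return after recoverytime
# successful probes. Probe interval is left at the default because its unit
# differs between FortiOS releases (seconds on 6.x, milliseconds on 7.x).
config system link-monitor
    edit "probe-remote-lan"
        set srcintf "ToRemote1"
        set server "10.20.1.1"
        set protocol ping
        set failtime 3
        set recoverytime 5
        set update-static-route enable
        set status enable
    next
end
```

Two checks after committing: `diagnose sys link-monitor status` shows whether the probe is alive, and `get router info routing-table all` should list only the ToRemote1 route while it is; the remote side needs a policy that permits the probe pings arriving over the tunnel, or the monitor will report the link dead while the tunnel is up.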

Continue Reading:

FortiGate NAT Policy: Types & Configuration

Routing Configuration in FortiGate Firewall: Static, Dynamic & Policy Based

Fortigate: Configuring SD WAN Load balancing for Multiple WAN Links (Step-by-Step Guide)
https://networkinterview.com/configuring-sd-wan-load-balancing/ (Mon, 28 Aug 2023 10:19:48 +0000)

Configuring SD WAN Load balancing

Below is the network setup on which we will configure FortiGate SD-WAN with load balancing for two different ISPs.

The parameters used are:

  1. LAN port & segment -> port3, 10.10.10.108
  2. WAN port 1 -> ISP1 (port1), segment 192.168.0.108
  3. WAN port 2 -> ISP2 (port2), segment 14.140.40.108

1. Enable SD-WAN feature in FortiGate

Go to Feature Visibility and enable SD-WAN Interface. This feature must be enabled before SD-WAN interfaces can be configured on the firewall.

  • System -> Feature Visibility
  • Select -> SD-WAN Interface
  • Configure the interfaces as per the network diagram above.
  • Here, we have configured ISP1 (port1) -> 192.168.0.108/24
  • ISP2 (port2) -> 14.140.40.108/24
  • Configure the LAN port on port3 (for the downstream switch)

2. Create SD-WAN Zone

  • Create SD-WAN Zone
  • Named as SD-WAN-Zone 
  • Put WAN1 (ISP-1) and WAN2 (ISP-2) interfaces in it
  • SD-WAN->Select SD-WAN-ZONE
  • Create New ->SD-WAN-Member
  • Add ISP-1 Values
  • Interface-> ISP1 (port1)
  • SD-WAN-Zone-> SD-WAN-ZONE
  • Gateway-> 192.168.0.1
  • Status-> Enable
  • OK

In a similar way add ISP2 in SD-WAN-Zone member

  • Interface->ISP2(port2)
  • SD-WAN-ZONE (Zone must be same in both member 1 and member 2)
  • Gateway-> 14.140.40.109
  • Cost-> 1
  • Status -> Enable
  • OK

3. Configure Performance SLA

Next, configure the Performance SLA.

  • Select -> SD-WAN
  • Go to -> Performance SLAs

  • Select-> Create New and add values in the tab
  • Name-> SDWAN_SLA
  • Detection Mode-> ACTIVE
  • Protocol -> PING
  • Server -> DNS Server/ Global DNS IP -> 8.8.8.8
  • Enable SLA Target and put values in it
  • Add values to Link Status
  • Click OK

SLA Targets

  • Latency Threshold -> maximum round-trip latency (ms) a link may show and still meet the SLA
  • Jitter Threshold -> maximum jitter (ms) a link may show and still meet the SLA
  • Packet Loss Threshold -> maximum packet loss (%) a link may show and still meet the SLA

A link that exceeds any one of these thresholds is out of SLA and is no longer chosen by the SLA-based rule strategies until it recovers. The Performance SLA shown in the diagram below contains the values for both ISP1 and ISP2:

  1. Packet loss percentage of ISP1 and ISP2
  2. Latency of ISP1 and ISP2
  3. Jitter of ISP1 and ISP2

4. Configure SD-WAN Rules

  • Go to SD-WAN -> SD-WAN Rules
  • Source -> the LAN address object (LAN IP Gateway)
  • Destination -> All
  • Protocol -> TCP/UDP or ANY
  • Select the strategy that decides how the outgoing interface is chosen:

Manual: traffic is sent to the interfaces in the preference order you list. The first available interface carries the traffic and the other WAN interface (for example WAN2) acts as a backup link; the Performance SLA is not used for this decision.

Best Quality: the decision is based on measured link quality. SD-WAN picks the member with the best value of the chosen quality criterion (latency, jitter, packet loss or a combination) and forwards the application traffic there. For example, management traffic is critical, so it belongs in a Best Quality rule that forwards it to the ISP link with the lowest latency.

Lowest Cost (SLA): among the members that currently meet the SLA target, SD-WAN picks the one with the lowest configured cost; the more expensive link is used only when the cheaper one falls out of SLA.

Maximize Bandwidth (SLA): traffic is distributed among all members that meet the SLA target, so load balancing happens only across links that are within the latency, jitter and packet-loss thresholds. New sessions are spread across those links in round-robin fashion.

  • We have selected Maximize Bandwidth (SLA)
  • Interface Preferences -> select both the ISP1 and ISP2 ports
  • Status -> Enable
  • OK
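
To make the four strategies concrete, here is an added Python example; it is not FortiGate code and not part of the original article. It evaluates constructed probe results for two members against a Performance SLA target and returns the member(s) each strategy would steer new sessions to. The member names, costs, thresholds and measurements are assumptions, and the model is deliberately simplified: FortiOS also considers hold-down timers, link priority and already-established sessions, which this code does not.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SlaTarget:
    """Thresholds of one Performance SLA target (constructed values)."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class Member:
    """An SD-WAN member with its latest probe results (constructed values).
    A loss_pct of 100 means the probe server never answered: the link is dead."""
    name: str
    cost: int
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def meets_sla(m: Member, t: SlaTarget) -> bool:
    """A member is in SLA only when every measured value is within its threshold."""
    return (m.latency_ms <= t.latency_ms
            and m.jitter_ms <= t.jitter_ms
            and m.loss_pct <= t.loss_pct)


def steer(members: List[Member], target: SlaTarget, strategy: str,
          preference: List[str], criterion: str = "latency_ms") -> List[str]:
    """Return the member names an SD-WAN rule would steer new sessions to.

    preference is the interface order listed in the rule; ties and fallbacks
    follow that order. criterion is the quality field used by best-quality.
    """
    by_name = {m.name: m for m in members}
    ordered = [by_name[name] for name in preference]
    alive = [m for m in ordered if m.loss_pct < 100]
    healthy = [m for m in alive if meets_sla(m, target)]
    fallback = [alive[0].name] if alive else []   # nothing meets SLA: first live link

    if strategy == "manual":
        # first available interface in the configured order; the SLA is not consulted
        return fallback
    if strategy == "best-quality":
        # the live link with the best value of the chosen criterion, in SLA or not
        return [min(alive, key=lambda m: getattr(m, criterion)).name] if alive else []
    if strategy == "lowest-cost":
        # cheapest link that still meets the SLA; min() keeps preference order on ties
        return [min(healthy, key=lambda m: m.cost).name] if healthy else fallback
    if strategy == "maximize-bandwidth":
        # every link meeting the SLA shares the new sessions
        return [m.name for m in healthy] or fallback
    raise ValueError(f"unknown strategy {strategy!r}")


if __name__ == "__main__":
    target = SlaTarget(latency_ms=50, jitter_ms=5, loss_pct=1)
    isp1 = Member("ISP1", cost=0, latency_ms=20, jitter_ms=2, loss_pct=0)
    isp2 = Member("ISP2", cost=1, latency_ms=40, jitter_ms=4, loss_pct=0.5)
    for strategy in ("manual", "best-quality", "lowest-cost", "maximize-bandwidth"):
        print(strategy, "->", steer([isp1, isp2], target, strategy, ["ISP1", "ISP2"]))
```

Run it with ISP1's latency raised above the 50 ms threshold and the SLA-based strategies move to ISP2 while Manual keeps using ISP1: that is the practical difference between the modes, and it is why a Performance SLA is pointless unless a rule actually consults it.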

5. Configure Static Routes

Now configure a static route for the destination subnet. Here we configure a default route for all internal subnets through the SD-WAN interface:

  • Create New Static Route Rule
  • Destination ->0.0.0.0/0 or All
  • Interface -> SD-WAN
  • Status -> Enable

6. Firewall Policy

  • Create Firewall policy to the Internet to allow LAN-to-WAN traffic.
  • Name-> Add Policy Name
  • Incoming Interface -> LAN (Port-3)
  • Outgoing Interface -> SD-WAN
  • Source IP Address -> LAN Subnet
  • Destination -> ALL
  • Service-> ALL
  • Action-> Accept
  • IP Pool Configuration -> Use Outgoing Interface Address
  • OK

  • Check the traffic stream from the firewall CLI.
  • As per the logs below, traffic is going via ISP-1.

Troubleshoot ISP1 and ISP2 Failover

As per the image above, traffic goes through ISP1. Now we take ISP-1 down to check whether traffic switches over to ISP2.

  • After enabling diagnostic logs in the FortiGate CLI, we can see that all the traffic has moved to ISP-2.

Load Balancing Algorithms

By default, the implicit SD-WAN rule distributes sessions with the source-IP-based algorithm. We can change the selection by choosing a different load-balancing algorithm.

Two points must be considered before selecting a load-balancing algorithm:

  • Load-balancing algorithms cannot be applied to a user-defined SD-WAN rule.
  • Load-balancing algorithms apply only to the implicit SD-WAN rule, i.e. to traffic that no user-defined rule matches.

Let's discuss the algorithms in the FortiGate firewall (version 7.0.0).

Load-balancing modes and their definitions:

  • Source-IP-based -> sessions are distributed between WAN1 and WAN2 by hashing the source IP address, so all sessions from one host leave through the same ISP for as long as that link stays up.
  • Weight-based -> the percentage of sessions each interface receives is calculated from the weight assigned to that interface; new sessions are distributed accordingly.
  • Usage-based (spillover) -> a bandwidth threshold is set for the ingress and egress direction of each interface; sessions use the first interface until its threshold is reached, after which new sessions spill over to the next interface.
  • Source-destination-IP-based -> sessions are distributed by hashing the source and destination IP pair, so the same source talking to the same destination always uses the same interface.
  • Measured-volume-based -> a weight is assigned to each interface and sessions are distributed so that the measured traffic volume (not the session count) on each interface matches its weight.

First, disable the user-defined rules in SD-WAN Rules; load balancing is applied only to the implicit rule.

#set load-balance-mode source-ip-based >>>>>>>>>>>>>>> CLI configuration (entered under config system sdwan)

The other methods are explained in the Web UI format below.
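
The following added Python example (not FortiOS code and not from the original article) simulates how the implicit rule's load-balance modes pick a member for each new session. The member names and the 90:10 weights are assumed values; the CRC-based hash and the deficit-based weighted scheduler are this example's own choices, not a description of Fortinet's internal algorithm.

```python
import zlib
from typing import Dict, List


class ImplicitRuleBalancer:
    """Distributes new sessions across SD-WAN members as the implicit rule's
    load-balance-mode does. Simplified model of FortiOS behaviour, not its code."""

    def __init__(self, weights: Dict[str, int]) -> None:
        if not weights or any(w <= 0 for w in weights.values()):
            raise ValueError("every member needs a positive weight")
        self.members: List[str] = list(weights)         # keeps configuration order
        self.weights = dict(weights)
        self.sessions = {m: 0 for m in self.members}    # sessions handed to each member
        self.volume = {m: 0 for m in self.members}      # bytes sent over each member

    def by_source_ip(self, src_ip: str) -> str:
        """source-ip-based: hash the source address, so every session from one
        host sticks to the same member for as long as that member is up."""
        return self.members[zlib.crc32(src_ip.encode()) % len(self.members)]

    def by_source_dest_ip(self, src_ip: str, dst_ip: str) -> str:
        """source-dest-ip-based: the same source/destination pair always uses
        the same member; one host may still use both links for different peers."""
        key = f"{src_ip}->{dst_ip}".encode()
        return self.members[zlib.crc32(key) % len(self.members)]

    def _least_loaded(self, load: Dict[str, int]) -> str:
        # member whose load per unit of weight is lowest; min() keeps configuration
        # order on ties, so the first member gets the very first session
        return min(self.members, key=lambda m: load[m] / self.weights[m])

    def by_weight(self) -> str:
        """weight-based: share the number of sessions in proportion to the weights."""
        chosen = self._least_loaded(self.sessions)
        self.sessions[chosen] += 1
        return chosen

    def by_volume(self, session_bytes: int) -> str:
        """measured-volume-based: share the traffic volume in proportion to the
        weights, so one large transfer pushes later sessions to the other link."""
        chosen = self._least_loaded(self.volume)
        self.volume[chosen] += session_bytes
        return chosen


def split_counts(picks: List[str]) -> Dict[str, int]:
    """Count how many sessions each member received."""
    counts: Dict[str, int] = {}
    for member in picks:
        counts[member] = counts.get(member, 0) + 1
    return counts


if __name__ == "__main__":
    lb = ImplicitRuleBalancer({"ISP1": 90, "ISP2": 10})
    print("weight-based, 100 sessions:", split_counts([lb.by_weight() for _ in range(100)]))
    print("10.10.10.5 always leaves via", lb.by_source_ip("10.10.10.5"))
```

The difference between weight-based and measured-volume-based is visible in by_weight versus by_volume: the first only counts sessions, so one host doing a large download still counts as one session; the second counts bytes, so that download steers the following sessions to the other ISP until the 90:10 volume ratio is restored.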

Load Balancing Algorithm- Weight Based

  • Select SD-WAN
  • Select Implicit policy
  • Edit Implicit Policy
  • Select Sessions tab to enable weight-based Algorithm for load-balancing 
  • Weight is divided here 98:2

Load Balancing Algorithm- Usage Based

  • Select SD-WAN
  • Select Implicit policy
  • Edit Implicit Policy
  • Select the Sessions tab to enable the usage-based algorithm for load balancing. This is also known as the spillover method.
  • Set the ingress and egress bandwidth thresholds of each interface; new sessions spill over to the next interface once the first interface reaches its threshold.

Load Balancing Algorithm- Volume Based

In our network we will use volume-based selection of traffic.

  • Select SD-WAN
  • Select Implicit policy
  • Edit Implicit Policy
  • Select Volume tab to enable Volume-based Algorithm for load-balancing 
  • Weight is divided here 90:10

When we check the traffic in the CLI, about 90% of the traffic moves through ISP1 and 10% through ISP2.

Most of the sessions are sent out through ISP1.

Thanks for reading!!

Continue Reading:

Palo Alto Prisma SD WAN: CloudGenix SD WAN

FortiGate SD-WAN Fundamentals

FortiGate Firewall Policy: Rules, Types & Configuration
https://networkinterview.com/fortigate-firewall-policy/ (Sat, 29 Jul 2023)

What Are Firewall Policies?

Firewall policies define which traffic matches them and what FortiGate does when traffic does match: should the traffic be allowed? Initially FortiGate bases this decision on simple criteria, such as the source of the traffic. If the policy does not block the traffic, FortiGate then begins the more computationally expensive security profile inspection, often known as Unified Threat Management (UTM), such as Antivirus, Application Control and Web Filtering, if you have selected it in the policy.

Those scans can block the traffic, for example if it contains a virus; otherwise the traffic is allowed. Firewall policies also decide whether Network Address Translation (NAT) is applied and whether authentication is required.

After processing is finished, FortiGate forwards the packet towards its destination. FortiGate looks for matching firewall policies from top to bottom; if a match is found the traffic is processed based on that firewall policy, and if no match is found the traffic is dropped by the default Implicit Deny firewall policy.

 

FortiGate Firewall Policy Types & Components 

Each FortiGate Firewall policy matches traffic and applies security by referring to the objects that are identified such as addresses and profiles. 

1. Objects used by the policies

  • Interface and Zone
  • Address, User, and Internet service object
  • Service definitions
  • Schedules 
  • Nat Rules 
  • Security Profiles

 

2. Policy Types:

  • Firewall Policy (IPv4, IPv6)
  • Firewall Virtual wire pair (IPv4, IPv6)
  • Proxy
  • Multicast
  • Local-in Policy (traffic whose destination is the FortiGate itself, such as management access)
  • DoS
  • Traffic shaping

How are Policy Matches Determined?

When a packet arrives, each policy's matching criteria are checked. You can define them using the following objects:

  • Incoming interface and outgoing interface
  • Source IP address, user or Internet service
  • Destination IP address or Internet service
  • Service (IP protocol and port number)
  • Schedule (the policy applies only during the configured times)

When the traffic matches the firewall policy FortiGate applies action configured in firewall policy. If the action is set to deny FortiGate drops the session and if the action is set to accept FortiGate applies other configured setting for packet processing, such as Antivirus scanning, Web Filtering or Source NAT.

Interfaces and Zones

Packets arrive on the incoming (ingress) interface; routing determines the outgoing (egress) interface. In each policy you must set a source and a destination interface, even if one or both are set to any. Both interfaces must match the policy's interface criteria for the policy to match. You can group interfaces into logical zones.

By default, you can select a single interface as the incoming interface and a single interface as the outgoing interface; you can enable multiple-interface selection from the firewall GUI. When you choose the any interface option you cannot select additional interfaces in that field.

Policy Matching Criteria

Matching By Source:

In each firewall policy you must select a source address object. You can refine the source by also selecting a User or User Group. An FQDN (Fully Qualified Domain Name) can also be used as the source address, but it must be resolved by DNS and cached on FortiGate.

If a user is added as a source, FortiGate must authenticate the user before allowing or denying access based on the firewall policy. There are different ways a user can authenticate. For local users, the username and password are configured locally on FortiGate.

For remote users (LDAP or RADIUS), FortiGate receives the username and password from the user and passes them to the authentication server; the server verifies the credentials and reports the result back to FortiGate, which then grants access based on the firewall policy. For FortiGate Single Sign-On (FSSO) users, the user information is retrieved from the domain controller and access is granted based on the group membership configured on FortiGate.

 

Matching By Destination:

FortiGate checks destination addresses for a match; you can use address objects or Internet Service Database (ISDB) objects in a policy. An address object may be a hostname (FQDN), an IP subnet or a range. If you configure an FQDN as an address object, make sure the FortiGate is configured with DNS servers: FortiGate uses DNS to resolve FQDN address objects to the IP addresses that appear in the IP headers. You can also use geographic addresses (ranges of IP addresses allocated to a country); these objects are updated through FortiGuard.

Why is there no option to select a user as the destination? User identification happens at the ingress interface, and packets are forwarded to the egress interface only after the user authentication succeeds.

Internet Service Objects

The Internet Service Database is a list of the IP addresses, IP protocols and port numbers used by the most common Internet services. FortiGate periodically downloads the newest version of this database from FortiGuard, and you can select its entries as source or destination in firewall policies.

What if you want to allow traffic only to a few well-known Internet service destinations, such as Facebook or Dropbox?

When configuring the firewall policy you can use the Internet service as the destination; it contains all the IP addresses, ports and protocols used by that service. You cannot mix regular address objects with Internet Service Database (ISDB) objects, and you cannot select a service on such a policy, because the ISDB object already carries the service information. Compared with address objects, which you need to check frequently to make sure that none of the IP addresses have changed and that the appropriate ports are allowed, Internet services make this type of deployment easier and simpler.

Policy Scheduling

A schedule adds a time element to a policy. You might use a schedule to allow backup software to run at night, or to open a test window for remote addresses that is allowed only for testing. Schedules use a 24-hour clock; a few configuration settings are worth mentioning:

  • Recurring: if you enable All Day, traffic is allowed for 24 hours on the selected days. If you configure a stop time earlier than the start time, the stop time falls on the next day.
  • One Time: the start date and time must be earlier than the stop date and time. You can also enable a pre-expiration event log, which generates an event log the configured number of days before the schedule expires.

Configuring FortiGate Firewall Policy

When you configure a new firewall policy in the GUI, you must specify a unique name for the policy, because the policy-name requirement is enabled by default. This helps administrators quickly identify the policy they are looking for. You can make the name optional on the Feature Visibility page by enabling Allow Unnamed Policies.

There are many options you can configure on a firewall policy, such as firewall and network options, security profiles, logging options, and enabling or disabling the policy. When you create firewall objects or policies, a UUID (Universally Unique Identifier) attribute is added so that logs can record the UUID, which improves log interpretation on FortiAnalyzer.

Remember that FortiGate is a stateful firewall: you need to create only one firewall policy that matches the direction of the traffic that initiates the session. FortiGate automatically remembers the source and destination and allows the replies.

Follow steps 1 to 14 to configure a security policy on the FortiGate firewall:

  1. Go to Firewall Policy
  2. Select Create New Tab in left most corner
  3. Fill options in the screen, Name the policy
  4. Select Incoming interface of the traffic
  5. Select outgoing interface of the connection
  6. Select list of IP address/subnet of source
  7. Select list of IP addresses from Address objects
  8. Select destination Address
  9. Select Action as Accept/deny as per requirement
  10. Select port/service 
  11. Select the services from Service object (right most corner)
  12. Allow logging to the sessions 
  13. Select OK
  14. Policy will look like the pic below.
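
As an added example that is not part of the original article and not FortiOS code, the Python below models the matching logic described in this section: top-down first match on interfaces, source and destination addresses, service and schedule; the implicit deny when nothing matches; and a session table so that only the initiating direction needs a policy. The interface names, address objects and policies are constructed for the demonstration, and the demo also shows the classic rule-order mistake of a broad accept shadowing a more specific deny placed below it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

Service = Tuple[str, int]          # (protocol, destination port); ("any", 0) = ALL
ANY_SERVICE: Service = ("any", 0)
ALWAYS: Tuple[int, int] = (0, 24)  # schedule covering the whole day


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str            # routing has already chosen the egress interface
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 40000


@dataclass
class Policy:
    name: str
    src_if: Set[str]       # {"any"} matches every interface
    dst_if: Set[str]
    src_nets: list         # ipaddress networks (address objects)
    dst_nets: list
    services: Set[Service]
    action: str            # "accept" or "deny"
    schedule: Tuple[int, int] = ALWAYS   # (start_hour, stop_hour)

    def matches(self, p: Packet, hour: int) -> bool:
        """Every criterion must match; one mismatch moves on to the next policy."""
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        start, stop = self.schedule
        # a stop time earlier than the start time rolls over to the next day
        in_window = (start <= hour < stop) if start < stop else (hour >= start or hour < stop)
        return (("any" in self.src_if or p.src_if in self.src_if)
                and ("any" in self.dst_if or p.dst_if in self.dst_if)
                and any(src in n for n in self.src_nets)
                and any(dst in n for n in self.dst_nets)
                and (ANY_SERVICE in self.services or (p.proto, p.dport) in self.services)
                and in_window)


class StatefulFirewall:
    """Top-down first-match lookup, implicit deny, and a session table."""

    def __init__(self, policies: List[Policy]) -> None:
        self.policies = list(policies)
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    def evaluate(self, p: Packet, hour: int = 12) -> Tuple[str, str]:
        forward = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        # packets of an accepted session, in either direction, skip the policy lookup
        if forward in self.sessions or reverse in self.sessions:
            return ("accept", "session")
        for pol in self.policies:          # order matters: the first match wins
            if pol.matches(p, hour):
                if pol.action == "accept":
                    self.sessions.add(forward)
                return (pol.action, pol.name)
        return ("deny", "implicit deny")   # nothing matched: the implicit deny


def net(cidr: str):
    return ipaddress.ip_network(cidr)


if __name__ == "__main__":
    lan = Policy("LAN-to-Internet", {"port3"}, {"wan1"}, [net("10.10.10.0/24")],
                 [net("0.0.0.0/0")], {ANY_SERVICE}, "accept")
    no_telnet = Policy("Block-Telnet", {"port3"}, {"wan1"}, [net("10.10.10.0/24")],
                       [net("0.0.0.0/0")], {("tcp", 23)}, "deny")
    telnet = Packet("port3", "wan1", "10.10.10.5", "203.0.113.9", "tcp", 23)
    print("deny below accept:", StatefulFirewall([lan, no_telnet]).evaluate(telnet))
    print("deny above accept:", StatefulFirewall([no_telnet, lan]).evaluate(telnet))
```

The two printed lines are the point of the rule-order discussion above: with the deny below the broad accept the telnet session is accepted and the deny is never reached, so when troubleshooting a policy that "does not work" the first thing to check is whether a policy higher in the list already matches the traffic.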

Security Profiles

One of the important features a firewall policy can apply is a security profile, such as IPS and Antivirus. A security profile inspects each packet in the traffic flow after the session has been conditionally accepted by the firewall policy.

When inspecting traffic FortiGate can use one of two methods: flow-based inspection or proxy-based inspection. Each inspection mode supports a different set of security features.

Security profiles configured in firewall policies protect the network by blocking threats, controlling access to certain applications and URLs, and preventing specific data from leaving your network.

Continue Reading:

FortiGate VDOM Configuration: Complete Guide

Routing Configuration in FortiGate Firewall: Static, Dynamic & Policy Based

How to Reset Checkpoint Firewall with the Default Factory Settings?
https://networkinterview.com/how-to-reset-checkpoint-firewall/ (Mon, 22 May 2023)

Let's understand the difference between "Reset" and "Factory-Reset".

Reset: the admin only wipes out the configuration.

Factory-Reset/Factory-Default: the admin wipes out the configuration of the device and puts the device back on its default operating system/firmware.

For example, when you buy a firewall it comes with a default operating system (such as R80.10 or R80.20), and over time the admin upgrades the device.

Suppose the appliance shipped with R80.20 and the admin has since upgraded it to R80.30. If he now performs a factory reset, the device boots back into R80.20, the operating system it had when the firewall was bought.

In the case of a Reset, however, only the configuration is wiped and the upgraded firmware version stays on the device.

Scenarios to perform Reset/Factory-Default

  • When the device starts misbehaving (auto-reboot, crash, hang) even after all troubleshooting, and the root cause of the hardware misbehaviour cannot be found.
  • A reset is generally performed when an office shuts down its data center or switches to a new technology: the current firewall is no longer required in the network and must be removed from the topology. Wiping the configuration before the device leaves your control also removes credentials, certificates and policy data from it.

Prerequisites to Reset Checkpoint Firewall 

  1. Console access -> you must have access to the device through the console port
  2. Admin rights
  3. A local site engineer who can physically access the device, to remove it from the network and provide console access if the device cannot boot up by itself
  4. A backup of the current configuration, since both operations wipe it

3 Ways to factory reset Checkpoint Firewall

We have 3 methods through which Factory reset can be performed on the Checkpoint Firewall

  1. From the device hardware (hard reset button)
  2. From the console (CLI)
  3. From the Web GUI

RESET from the Hardware Device

  1. Connect to the console and watch the console output in PuTTY. Using a sharp pin, press the RESET button on the Checkpoint firewall.
  2. Keep it pressed for 10-15 seconds.
  3. You will see multiple messages on the console.
  4. Release the RESET button.
  5. The LEDs on the device turn on and off.
  6. The device boots up by itself.
  7. Once it has booted after the RESET, you can log in to the device using the default IP address https://192.168.1.1.

Factory-Reset from Checkpoint Web GUI

  1. Log in to the device and go to the DEVICE tab
  2. System -> System Operations
  3. Appliance -> select the Factory Defaults tab
  4. A Factory Reset confirmation is prompted; click OK
  5. The Checkpoint device reboots and prompts the message below. After the reboot the device returns to the default configuration and the initial firmware version.

Factory-Reset from Checkpoint Console/CLI

  1. Open the CLI with admin rights
  2. Type the command #reboot
  3. Press Ctrl + C repeatedly while the device boots
  4. The options below appear once Ctrl + C is caught
  5. Select option "4" by entering 4 and pressing Enter

The device starts the boot-up process once you press Enter. You can log in to the device again via console access using the default IP address.

Continue Reading:

How to Reset FortiGate Firewall with the Factory Default Setting?

How to Reset Palo Alto Firewall to Factory Default Settings

Understand and Configure the UDLD Protocol
https://networkinterview.com/udld-protocol/ (Tue, 09 May 2023)

Switches are used to connect hosts on networks. A switch forwards data frames between devices using packet switching. Any mis-wiring or hardware fault can disrupt the network communication path and create serious problems such as spanning-tree loops or other protocol malfunctions. The UDLD protocol, developed by Cisco, is meant to detect unidirectional links (links on which traffic flows in only one direction) and disable them before they break the network.

In today’s lesson we will cover in detail about Cisco proprietary protocol unidirectional link detection (UDLD), how it works and how to configure UDLD. 

UDLD Protocol 

UDLD is a Cisco proprietary protocol that enables switches to detect automatically when a link that should be bidirectional has become unidirectional because of an improper port connection or a hardware failure. Switches forward and receive frames between source and destination, and a link must work in both directions for the two sides to send and receive. Fiber optic connections are especially prone to undetected unidirectional failures because transmit and receive use separate strands: one strand can fail while the other keeps working, so one side still sees the link as up.

In electrical media such as twisted-pair cables unidirectional failures can also occur and go unnoticed by the endpoints. A unidirectional link leads to a range of problems, including forwarding and spanning-tree loops, that can cause a network outage. UDLD must be configured on both ends of each link it is to protect. A UDLD-enabled port sends advertisements and expects to see its own identity echoed back in the hellos of its neighbor; if no hello arrives within the hold time (the default message interval is 15 seconds), the link state becomes undetermined and, in aggressive mode, the unresponsive interface is error-disabled by UDLD.

Configure UDLD Protocol 

Switches do not come with UDLD enabled, so we have to configure it manually. The very first step is to set up the network.

We assume switch A has two uplink interfaces, GigabitEthernet0/0/1 and GigabitEthernet0/0/2.

Connect GigabitEthernet0/0/1 of switch A to GigabitEthernet0/0/0 of switch B.

Connect GigabitEthernet0/0/2 of switch A to GigabitEthernet0/0/0 of switch C.

Turn on UDLD in normal mode on an interface: udld port

Turn on UDLD in aggressive mode on an interface: udld port aggressive (the global command udld aggressive enables it on all fiber ports at once)

Switch A

SwitchA> enable
SwitchA# configure terminal
SwitchA(config)# interface gigabitethernet0/0/1
SwitchA(config-if)# udld port
SwitchA(config-if)# exit
SwitchA(config)# interface gigabitethernet0/0/2
SwitchA(config-if)# udld port
SwitchA(config-if)# end

UDLD is now set on both uplinks of SwitchA.

Switch B

SwitchB> enable
SwitchB# configure terminal
SwitchB(config)# interface gigabitethernet0/0/0
SwitchB(config-if)# udld port
SwitchB(config-if)# end

Switch C

SwitchC> enable
SwitchC# configure terminal
SwitchC(config)# interface gigabitethernet0/0/0
SwitchC(config-if)# udld port
SwitchC(config-if)# end

To verify the configuration state, type the command below:

SwitchA# show udld gigabitethernet0/0/1
Port enable administrative configuration setting: Enabled
Port enable operational state: Enabled
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 15
Time out interval: 5

This shows that UDLD is enabled on the interface and that the link is currently bidirectional. In normal mode, however, when the hellos from the neighbor stop arriving UDLD only marks the link state as undetermined and logs a notification; the port stays up and the other protocols keep using it. Aggressive mode solves this by error-disabling the port. Let us see how to set up the switch interface in aggressive mode.

For the SwitchA GigabitEthernet0/0/1 interface enter the commands below:

SwitchA> enable
SwitchA# configure terminal
SwitchA(config)# interface gigabitethernet0/0/1
SwitchA(config-if)# udld port aggressive
SwitchA(config-if)# end

Now UDLD runs in aggressive mode: when the neighbor stops answering, UDLD retries eight times at one-second intervals and then puts the port into the error-disabled state instead of leaving it undetermined, which stops all traffic on the link. The port stays error-disabled until it is recovered by the administrator (udld reset) or by errdisable recovery.
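
To show what UDLD actually checks, here is an added Python model (not Cisco code and not from the original article) of the hello/echo exchange: each port advertises its own device/port id and the ids it has heard, a link counts as bidirectional only when a port sees its own id echoed back, normal mode merely marks a silent neighbour undetermined, and aggressive mode err-disables after eight missed hellos. The device and port names are the ones used above; the retry count of eight and the immediate ageing of the neighbour cache on a missed hello are simplifying assumptions of this model.

```python
from typing import Dict, FrozenSet, Optional, Set, Tuple

PortId = Tuple[str, str]        # (device name, port name)
AGGRESSIVE_RETRIES = 8          # hellos missed before aggressive mode gives up (assumed)


class UdldPort:
    """Model of one UDLD-enabled port (not Cisco's implementation).

    A hello carries the sender's id and the ids it has heard (the echo).
    A link is bidirectional only when our own id comes back in the echo.
    """

    def __init__(self, device: str, port: str, mode: str = "normal") -> None:
        self.id: PortId = (device, port)
        self.mode = mode                     # "normal" or "aggressive"
        self.heard: Set[PortId] = set()      # neighbour cache
        self.missed = 0                      # consecutive intervals with nothing received
        self.state = "undetermined"

    def hello(self) -> Optional[Dict]:
        """The advertisement this port transmits; an err-disabled port sends nothing."""
        if self.state == "errdisable":
            return None
        return {"from": self.id, "echo": frozenset(self.heard)}

    def receive(self, msg: Dict) -> str:
        if self.state == "errdisable":
            return self.state                # stays down until an admin recovers it
        self.heard.add(msg["from"])
        self.missed = 0
        echo: FrozenSet[PortId] = msg["echo"]
        if self.id in echo:
            self.state = "bidirectional"     # neighbour hears us and we hear it
        elif echo:
            # neighbour hears a different port than ours: mis-wired strands.
            # This positive detection err-disables the port in both modes.
            self.state = "errdisable"
        else:
            self.state = "undetermined"      # neighbour has not heard anyone yet
        return self.state

    def timeout(self) -> str:
        """A hello interval passed with nothing received on this port."""
        if self.state == "errdisable":
            return self.state
        self.missed += 1
        self.heard.clear()                   # neighbour cache ages out
        if self.mode == "aggressive" and self.missed >= AGGRESSIVE_RETRIES:
            self.state = "errdisable"        # stop forwarding on the one-way link
        else:
            self.state = "undetermined"      # normal mode only reports the problem
        return self.state


def run_link(a: UdldPort, b: UdldPort, rounds: int,
             a_to_b: bool = True, b_to_a: bool = True) -> Tuple[str, str]:
    """Exchange hellos over a link whose two directions can fail independently."""
    for _ in range(rounds):
        msg_a, msg_b = a.hello(), b.hello()   # both transmit before either receives
        if a_to_b and msg_a is not None:
            b.receive(msg_a)
        else:
            b.timeout()
        if b_to_a and msg_b is not None:
            a.receive(msg_b)
        else:
            a.timeout()
    return a.state, b.state


if __name__ == "__main__":
    a, b = UdldPort("SwitchA", "Gi0/0/1", "aggressive"), UdldPort("SwitchB", "Gi0/0/0", "aggressive")
    print("healthy link:", run_link(a, b, 2))
    print("A->B strand cut, 8 intervals later:", run_link(a, b, 8, a_to_b=False))
```

Running the two scenarios with mode="normal" instead leaves both ports undetermined forever, which is exactly the gap the article points at: the switch keeps forwarding (and spanning tree keeps trusting) a link that only works one way.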

Continue Reading:

What is VLAN Trunking Protocol (VTP)?

What is HSRP (Hot Standby Router Protocol) ?

How to fix VMWare ESXi Virtual Machine 'Invalid Status'
https://networkinterview.com/vmware-esxi-virtual-machine-invalid-status/ (Sat, 25 Feb 2023)

Troubleshooting VMWare ESXi Virtual Machine 'Invalid Status'

Let’s troubleshoot VM Invalid status 

In the image below you can see multiple VMs whose status is shown as "invalid".

A VM shows an invalid status when the ESXi host can no longer read its configuration: the datastore holding the VM's files has been moved, changed, corrupted or deleted, or the VM was moved to another storage device. The host no longer knows what the VM is and lists it as invalid.

You need to remove the invalid VM entries and, if the VM still exists on storage, register it again manually.

Consider the points below before deleting any VM:

  • Locate the VM's .vmx file; it must be accessible to re-register the VM after the invalid entry is removed.
  • Check that the .vmx file is not locked.
  • Check that you have an SSH client such as PuTTY available.

Go to Navigator -> Virtual Machines -> select the VM.

Click Actions (or right-click the VM); the menu offers options such as power actions, delete and unregister for the VM.

Select Unregister to remove the entry. If the options are greyed out, you need to unregister the VM from the SSH shell instead.

First enable SSH on the ESXi host and then connect to it with a PuTTY session.

Go to Manage -> Services -> TSM-SSH -> Actions -> Start

Start the service so that the SSH shell accepts connections. Stop it again once the work is finished: the ESXi shell gives full root access to the host, so SSH should not stay enabled longer than needed.

Log in with PuTTY from the Windows machine. Make sure you log in as the root user.

Once logged in, type the command below for an overview of the VMs registered on the ESXi host:

# vim-cmd vmsvc/getallvms

The output lists the VM IDs of the registered VMs; VMs the host cannot load are reported separately as invalid, together with their ID. From this list pick the VM IDs you want to reload or remove from the host.

Case 1: Reload the VM to recover from the invalid state

First we try to recover the VM by reloading its configuration. If the reload fixes the issue we are done; if it fails we have to unregister the VM (case 2).

# vim-cmd vmsvc/reload <VM id>

 

Case 2: Unregister the VM

Now unregister the invalid VM IDs from the CLI by running the command below followed by the VM ID:

# vim-cmd vmsvc/unregister <VM id>

You can cross-verify the removal of the VM entries in the host's web GUI as well.

Once the invalid entries are removed you can register the VMs again from their .vmx files.
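
As an added example (not VMware code and not from the original article), the Python below parses the output of vim-cmd vmsvc/getallvms, separates the VMs the host could load from the IDs it reports as invalid, and builds the reload or unregister commands for case 1 and case 2. The sample output is constructed to mirror the shape of that command's output on one host; the VM names, IDs and datastore paths are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, shaped like `vim-cmd vmsvc/getallvms` on a host with two
# registered VMs and two entries it can no longer load (names and paths assumed).
SAMPLE_OUTPUT = """\
Vmid   Name    File                          Guest OS          Version   Annotation
1      web01   [datastore1] web01/web01.vmx  centos7_64Guest   vmx-14
2      db01    [datastore1] db01/db01.vmx    ubuntu64Guest     vmx-14
Skipping invalid VM '3'
Skipping invalid VM '7'
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\[[^\]]+\]\s+\S+)")   # Vmid, Name, File
INVALID = re.compile(r"Skipping invalid VM '(\d+)'")


def parse_getallvms(text: str) -> Tuple[Dict[int, Tuple[str, str]], List[int]]:
    """Return ({vmid: (name, vmx path)}, [ids the host reports as invalid])."""
    vms: Dict[int, Tuple[str, str]] = {}
    invalid: List[int] = []
    for line in text.splitlines():
        bad = INVALID.search(line)
        if bad:
            invalid.append(int(bad.group(1)))
            continue
        row = ROW.match(line)          # the header line does not start with a digit
        if row:
            vms[int(row.group(1))] = (row.group(2), row.group(3))
    return vms, invalid


def recovery_commands(invalid_ids: List[int], step: str = "reload") -> List[str]:
    """Commands for case 1 (reload) or case 2 (unregister), one per invalid VM."""
    if step not in ("reload", "unregister"):
        raise ValueError(f"unknown step {step!r}")
    return [f"vim-cmd vmsvc/{step} {vmid}" for vmid in invalid_ids]


if __name__ == "__main__":
    registered, broken = parse_getallvms(SAMPLE_OUTPUT)
    print("registered:", registered)
    print("invalid IDs:", broken)
    for cmd in recovery_commands(broken):
        print("try first:", cmd)
    for cmd in recovery_commands(broken, "unregister"):
        print("if reload fails:", cmd)
```

Keeping the reload and unregister steps separate matters: unregistering an entry whose .vmx file still exists is harmless, because the VM can be re-registered, but the printed command list should be reviewed against the registered table before anything is executed on the host.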

Thanks for reading!!!

Continue Reading:

Hyper V vs VMware : Detailed Comparison

What is VMware Horizon?

Firewall Serving as Egress Gateway: Networking Scenario
https://networkinterview.com/firewall-serving-as-egress-gateway/ (Wed, 23 Nov 2022)

(Diagram depicting firewall acting as Egress Gateway)

As enterprises move their critical business applications and infrastructure services to the cloud and adopt hybrid clouds, secure networking is as much a demand as the performance and scalability of networks and applications. Controlling and managing traffic to and from the Internet is one of the key aspects of security.

The need is for a network that allows outbound communication to the Internet but prevents the Internet from initiating connections to internal or cloud instances.

Today we look in more detail at how a firewall, whose primary job is traffic filtering, can be configured to act as the egress gateway of an enterprise network and isolate traffic between the enterprise intranet and the external network.

Firewall Service as the Egress Gateway 

A typical setup of a firewall acting as egress gateway is depicted in the diagram above. It provides the following functions:

  • Network Address Translation: the firewall performs source NAT, translating the private IP addresses of internal users to a public IP address. It also performs destination NAT (NAT server) to translate the private IP address of a hosted server to a public IP address for access by external users.
  • Intelligent uplink selection: the firewall can choose among multiple Internet access links by destination IP address or by application, to ensure quality.
  • Zone isolation: the firewall isolates security zones using security policies and applies functions such as intrusion prevention and anti-DDoS at the zone boundary.
  • Source tracing and auditing: the firewall logs pre-NAT and post-NAT IP addresses and the online/offline activity of internal users, so that a public address and port seen on the Internet can be traced back to the internal host.
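
To make the NAT and auditing functions concrete, here is an added Python model of the egress gateway's source NAT (not any vendor's code and not from the original article). Outbound flows from the trust zone get the firewall's public address and a port from a pool, replies are translated back through the mapping, unsolicited inbound packets are dropped because no mapping exists, and every translation is logged with its pre-NAT and post-NAT addresses so that a public address and port can be traced to the internal host. The addresses, the private prefix and the tiny port pool are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]               # (ip address, port)


@dataclass
class AuditRecord:
    """One log line of the source-tracing function: both addresses of a translation."""
    direction: str                   # "out" or "in"
    pre_nat: Flow
    post_nat: Flow
    peer: Flow                       # the Internet side of the session


class EgressNat:
    """Source NAT of an egress firewall. Model only, not a vendor's implementation:
    outbound flows from the trust zone get the public address and a pool port;
    inbound packets are accepted only when they match an existing mapping, so the
    Internet can never initiate a connection into the private network."""

    def __init__(self, public_ip: str, private_net: str,
                 port_range: Tuple[int, int] = (10000, 10003)) -> None:
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.free_ports = list(range(port_range[0], port_range[1] + 1))
        self.outbound: Dict[Flow, int] = {}   # (private ip, port) -> public port
        self.inbound: Dict[int, Flow] = {}    # public port -> (private ip, port)
        self.audit: List[AuditRecord] = []

    def egress(self, src: Flow, dst: Flow) -> Optional[Flow]:
        """Translate a packet leaving the trust zone; None means it was dropped."""
        if ipaddress.ip_address(src[0]) not in self.private_net:
            return None                         # not ours: never NAT a spoofed source
        port = self.outbound.get(src)
        if port is None:
            if not self.free_ports:
                return None                     # pool exhausted: drop, do not reuse a port
            port = self.free_ports.pop(0)
            self.outbound[src] = port
            self.inbound[port] = src
        post = (self.public_ip, port)
        self.audit.append(AuditRecord("out", src, post, dst))   # pre- and post-NAT
        return post

    def ingress(self, src: Flow, dst: Flow) -> Optional[Flow]:
        """Translate a packet arriving from the Internet; None means it was dropped."""
        if dst[0] != self.public_ip or dst[1] not in self.inbound:
            return None                         # unsolicited: no mapping, no entry
        private = self.inbound[dst[1]]
        self.audit.append(AuditRecord("in", dst, private, src))
        return private

    def close(self, src: Flow) -> None:
        """Release a mapping when the session ends so its port returns to the pool."""
        port = self.outbound.pop(src, None)
        if port is not None:
            del self.inbound[port]
            self.free_ports.append(port)


if __name__ == "__main__":
    nat = EgressNat("203.0.113.1", "10.1.0.0/16")
    print("out:", nat.egress(("10.1.0.5", 50000), ("198.51.100.7", 443)))
    print("reply:", nat.ingress(("198.51.100.7", 443), ("203.0.113.1", 10000)))
    print("unsolicited:", nat.ingress(("198.51.100.7", 22), ("203.0.113.1", 10002)))
    for rec in nat.audit:
        print(rec)
```

The audit list is what makes abuse complaints answerable: given the public address, port and time from an external report, the "out" record with that post_nat value names the internal host, which is the source-tracing function listed above.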

Configuration: Egress Gateway

Configure the IP address of the WAN interface and choose the Internet access mode according to the information provided by the ISP. The access mode can be DHCP, static IP address, PPPoE or LTE.

Internet access modes and their configuration commands:

Internet access via DHCP

  1. Run interface interface-type interface-number to enter the interface view.
  2. Run ip address dhcp-alloc to enable the DHCP client function on the interface.
  3. Run save to save the configuration.

Static IP address

  1. Run interface interface-type interface-number to enter the interface view.
  2. Run gateway ip-address to configure the default gateway address for the firewall (the address provided by the carrier).
  3. Run ip address ip-address {mask | mask-length} to configure the IP address and subnet mask of the interface.
  4. Add the firewall's uplink interface to a security zone:
     a. Run firewall zone untrust to enter the untrust security zone view.
     b. Run add interface interface-type interface-number to add the uplink interface to the zone.
     c. Run quit to return to the system view.
  5. Run save to save the configuration.

PPPoE

Configure a dialer interface:

  1. In the system view, run dialer-rule dialer-number {{ip | ipv6} {deny | permit} | {acl | acl6} acl-number} to configure a dialer ACL.
  2. Run interface dialer number to create a dialer interface and enter the dialer interface view.
  3. Run link-protocol ppp to set PPP as the link-layer protocol of the interface.
  4. Run dialer user username to configure the dial-up user name.
  5. Run dialer bundle number to specify a dialer bundle for the dialer interface.
  6. In the dialer interface view, configure the IP address of the dialer interface:
     IPv4: run ip address ip-address {mask | mask-length} to configure a fixed address, or ip address ppp-negotiate to obtain an address from the remote device through PPP negotiation.
     IPv6: run ipv6 address {ipv6-address prefix-length | ipv6-address/prefix-length} to configure an IPv6 address.

Enable the PPPoE client on the physical interface:

  1. Run interface interface-type interface-number to enter the interface view.
  2. Run pppoe-client dial-bundle-number number [no-hostuniq] [idle-timeout seconds [queue-length packets]] [ipv4 | ipv6] to bind a dialer bundle to the PPPoE session.
  3. Run ip route-static 0.0.0.0 0 {nexthop-address | interface-type interface-number} [preference preference] to configure a default route towards the PPPoE server (normally via the dialer interface).
  4. Run save to save the configuration.

LTE (Connecting carrier network using 4G)

Configure selection of a PLMN

1.Type interface cellular interface-number command in the system view to enter the LTE cellular interface view

2.Type plmn search command to search for a PLMN.

3.Select a PLMN

4.Type plmn auto command to configure automatic selection of a PLMN.

5.Type plmn select manual mcc mnc command to configure manual selection of a PLMN

6.Type mode lte {auto | gsm-only | lte-only | wcdma-only} command to configure the 4G LTE network connection mode for an LTE data card.

Configure an APN profile

1.Type quit command to return to the system view.

2.Create an APN profile.

3.Type apn profile profile-name command to create an APN profile and enter the APN profile view.

4.Type apn apn-name command to configure an APN

5.Run the quit command to return to the system view.

Bind the APN profile to the LTE cellular interface

1.Type interface cellular interface-number command to enter the LTE cellular interface view

2.Type apn-profile profile-name command to bind the LTE cellular interface to the APN profile.

3.Type quit command to return to the system view

Configure C-DCC for dialup connection

1.Configure a dialer ACL

2.Type dialer-rule dialer-number { acl acl-number | { ip | ipv6 } { deny | permit } } command to configure a dialer ACL for a dialer access group

Enable C-DCC

1.Type interface cellular interface-number command to enter the LTE cellular interface view

2.Type dialer enable-circular command to enable the C-DCC function

3.Type dialer-group group-number command to configure a dialer access group for the dialer interface

4.Obtain the IP address using the WWAN dialup mode

5.Type ip address negotiate command to configure the LTE cellular interface to obtain an IP address dynamically.

6.Type dialer number dial-number [ autodial ] command to configure a dialer number

7.Type ip route-static 0.0.0.0 0 { nexthop-address | interface-type interface-number } [ preference preference ] command to configure a default route.

Authenticate a PIN

1.Type interface cellular interface-number command to enter the LTE cellular interface view.

2.Type pin verification enable [ auto ] command to enable PIN authentication on an LTE data card

3.Type pin verify [ auto ] command to authenticate the PIN.

4.enter the PIN. When the message PIN has been verified successfully is displayed on the interface after a period, the PIN has been authenticated successfully.

Run the save command to save the configuration.

Firewall Registration with Campus Network

Run the api call-home host hostname {domain domain-name | ip ip-address} port port-number [ source-ip source-ip-address] [ vpn-instance vpn-instance-name] command in the system view to configure the IP address/URL and port number information for the firewall to register with Campus network

Run the api call-home connect [ host hostname] command to connect to Campus network

Continue Reading:

NAT Reflection: FortiGate Firewall

NAT Type 1 vs 2 vs 3 : Detailed Comparison

IPv6 Stateless Autoconfiguration
https://networkinterview.com/stateless-auto-configuration-in-ipv6/ (Thu, 07 Jul 2022)

IPv6 Stateless Autoconfiguration gives each node a link-local address, which allows the user to access the internet from anywhere. No intermediary, such as a DHCP server, needs to be set up for the purpose. Every device connected to the IPv6 network has its own unique link-local address, which is verified automatically, allowing that node (or, simply put, the user) to communicate with the other nodes on that link. Autoconfiguration means that addresses, links and other such information are configured automatically.

With earlier versions, only stateful configuration was possible, which required the intermediate presence of a DHCP (Dynamic Host Configuration Protocol) server. With the advent of IPv6 there is no such requirement for connecting network devices over the internet: the devices are able to generate a local IP address automatically and carry on with their tasks.

This feature became an absolute necessity because of the increased number of devices on the internet today. With IPv6, the need for a DHCP server for IP address allocation is removed, which eases the process for network devices.

Coming back to the name, "stateless" means that the DHCP server need not recognize the presence of a network device in order for it to be allotted an IP address.

Steps:

The steps a device follows to auto-generate its IP address are listed below:

  1. Generation of the link-local address: A local address is allotted to the device that joins the network. The address consists of the 10 bits 1111111010, followed by 54 zeroes and a 64-bit interface identifier.
  2. Uniqueness test: To check the uniqueness of the address, a uniqueness test of the device address is undertaken.
  3. Address assignment: The link-local address is allotted to the IP interface after it clears the uniqueness test. This address is not usable on the internet, only on the local network.
  4. Contact with the router: The network device contacts a local router to move ahead in the autoconfiguration process.
  5. Directions from the router: For the further steps in the configuration process, the device receives directions from the local router.
  6. Global internet address: A unique global internet address is generated for the device. The router assigns the address, which includes the device identifier and the network prefix.
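The six steps above, worked through in Python as an added example (not from the original article): step 1 builds the link-local address from the 10 prefix bits, 54 zero bits and a 64-bit interface identifier (derived from the MAC with modified EUI-64), step 2 is a simplified uniqueness test against a constructed list of addresses already on the link (real Duplicate Address Detection uses Neighbor Solicitation messages), and step 6 combines the router's /64 prefix, passed in as a string here, with the same identifier.

```python
import ipaddress

# The ten leading bits of a link-local address, as given in step 1 (this is fe80::/10).
LINK_LOCAL_PREFIX_BITS = "1111111010"


def modified_eui64(mac):
    """Derive the 64-bit interface identifier from a 48-bit MAC (modified EUI-64, RFC 4291)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_address(mac):
    """Step 1: 10 prefix bits, 54 zero bits, then the 64-bit interface identifier."""
    prefix = int(LINK_LOCAL_PREFIX_BITS, 2) << (128 - len(LINK_LOCAL_PREFIX_BITS))
    iid = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(prefix | iid))


def is_unique(candidate, addresses_in_use):
    """Step 2, simplified DAD: the tentative address is usable only if no other
    node on the link (constructed list) already claims it."""
    in_use = {ipaddress.IPv6Address(a) for a in addresses_in_use}
    return ipaddress.IPv6Address(candidate) not in in_use


def global_address(router_prefix, mac):
    """Step 6: the /64 prefix learned from the router plus the interface identifier."""
    net = ipaddress.IPv6Network(router_prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def autoconfigure(mac, router_prefix, addresses_in_use=()):
    """Run the whole sequence for one host. Returns (link_local, global) or raises
    RuntimeError when the uniqueness test fails, which is how a host would abort."""
    link_local = link_local_address(mac)
    if not is_unique(link_local, addresses_in_use):
        raise RuntimeError("duplicate link-local address %s" % link_local)
    glob = global_address(router_prefix, mac)
    if not is_unique(glob, addresses_in_use):
        raise RuntimeError("duplicate global address %s" % glob)
    return link_local, glob


if __name__ == "__main__":
    # Constructed values: a MAC address and a documentation prefix for the router.
    print(autoconfigure("00:1a:2b:3c:4d:5e", "2001:db8:1:2::/64", ["fe80::1"]))
```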

Merits of IPv6 Stateless Autoconfiguration:

The advantages of stateless autoconfiguration are as follows:

  • A Dynamic Host Configuration Protocol (DHCP) server is not required for IP address assignment.
  • No manual configuration of network devices is required. Devices can connect immediately and auto-configure their IP addresses on the network.
  • Stateless autoconfiguration is economical, as the need for a proxy server or a DHCP server is removed.
  • It facilitates high-speed communication and data transport over the internet.
  • It is compatible with wireless networks.

Demerits of Stateless Autoconfiguration:

  • More bandwidth is consumed, because the host has to check whether its address is unique or already in use.
  • An attacker can mount a DoS attack to prevent autoconfiguration from completing.
  • Unless dynamic DNS is used, the auto-configured address cannot be served by name.

Application:

Due to the influx of network devices on the internet, the advent of stateless autoconfiguration was inevitable. It not only eases the process of connecting network devices to the internet, but also enables the use of wireless networks and permits many other network devices to access the internet from hotspots anywhere in the world.

This IPv6 feature has a variety of applications in the communication and networking of digital devices such as refrigerators, televisions, microwaves, washing machines and many more. Plugging a device into the internet has become a matter of the blink of an eye, and this feature has also ushered in a new era of the Internet of Things, in which almost all electronic devices will be able to connect through the internet.

Related – Features of IPv6 Addressing

Palo Alto Packet Capture / Packet Sniffing
https://networkinterview.com/palo-alto-packet-capture-packet-sniffing/ (Mon, 14 Mar 2022)

Introduction to Packet Capturing

Before discussing Palo Alto packet capture, let's first understand the term packet capture. Packet capture is the network interception of data packets, which can then be analysed, downloaded, archived or discarded. Packet capturing is performed to identify threats, detect undesirable behaviour, network congestion and packet loss, and to analyse the network.

Packet capturing is performed in two ways:

  • capturing the whole packet, and
  • capturing a specific portion of the packet.

There are several products available that can sniff or capture packets. Palo Alto Networks firewalls have the capability to take packet captures of traffic and store them for analysis.

In this article we will learn more about the Palo Alto packet capturing/packet sniffing capabilities, their features, advantages, use cases etc.

Palo Alto Packet Capture

Palo Alto Networks firewalls have a built-in packet capture (pcap) feature that allows the capture of packets that traverse the network interfaces on the firewall. Packets can be captured for troubleshooting purposes or to create custom signatures.

Packet capturing is a CPU-intensive activity and degrades the performance of the firewall.

Types of Packet Capture

There are several types of packet capture, which we can enable based on need, as follows:

Custom Packet Capture –

The firewall captures all traffic or specific traffic based on defined filters. For example, we can configure the firewall to capture packets coming from a specific source and going to a specific destination or port. We can then use the packet capture to troubleshoot network problems or to gather application attributes, which enables us to create custom application signatures or to request an application signature from Palo Alto Networks.

Threat Packet Capture –

The firewall captures packets when it detects a virus, spyware or a vulnerability. The feature needs to be enabled in the Antivirus, Anti-Spyware and Vulnerability Protection security profiles. The threat log will have a link to export the packet capture. These packet captures provide context around the threat and help to determine whether the attack was successful, or to learn about the methods used by the attacker. They can be submitted to Palo Alto Networks to determine whether the threat was a false positive or a false negative.

Application Packet Capture –

This type of packet capture is based on specific application filters. The traffic log has a view or export feature, as per the rule definition, for the captured packets.

Management Interface Packet Capture –

This is the capture of packets on the management interface (MGT). It is useful for troubleshooting services that traverse this interface, such as firewall management, authentication to external authentication services, software and content updates, log forwarding, communication with SNMP servers, and authentication requests for GlobalProtect and Captive Portal.

GTP Event Packet Capture –

The firewall captures a single GTP event, such as GTP-in-GTP, end-user IP spoofing or abnormal GTP messages, making troubleshooting easier for mobile network operators.

How to capture packets in a Palo Alto firewall?

To capture packets on a Palo Alto firewall, go to Monitor > Packet Capture > click Manage Filters (hyperlink).

Click Add and in the ID column select 1.

Under the Ingress Interface column, choose Ethernet 1/2 (inside security zone).

Under the Source column type the source 192.168.1.20 (inside client machine) > type the destination 192.168.50.10 (DMZ machine) > under Proto type 1 (ICMP).

Click the toggle to turn Filtering ON.

Under Configure Packet > Stage > Add > select Stage: receive.

Type a name for the file (ICMP-PCAP-1) > type packet count: 100 > type byte count: 1000 > click OK.

The packet capture will stop automatically if the packet count reaches 100 or the byte count reaches 1000. It is advisable to keep the packet capture file small so as to have less impact on the CPU and memory of the firewall.

Click on Packet Capture (OFF) to toggle it ON and start the packet capture.

Click OK to continue past the warning message. The packet capture file will appear on the left side under Capture Files. Click on the captured file (ICMP-PCAP-1) and download the pcap file. The Wireshark network protocol analyzer is required to open the pcap file.

At least one capture stage must be selected. The stage indicates the point at which the packet capture is to start:

Drop – when packet processing encounters an error and the packet is dropped

Firewall – when the packet has a session match or the first packet of a session is created successfully

Receive – when the packet is received on the dataplane processor

Transmit – when the packet is transmitted on the dataplane processor

File – the capture file name

Packet count – the maximum number of packets, after which capturing stops

Byte count – the maximum number of bytes, after which capturing stops
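As an added example (not from the article or from Palo Alto Networks), the following Python reads a classic libpcap file such as the one downloaded above, applies the same filter used in the walkthrough (source 192.168.1.20, destination 192.168.50.10, protocol 1) and enforces the packet count and byte count stop conditions. The capture is constructed inside the block rather than taken from a firewall, so it runs offline.

```python
import struct
import ipaddress

# Values from the walkthrough; the frames built from them below are constructed test data.
INSIDE_CLIENT = "192.168.1.20"
DMZ_HOST = "192.168.50.10"
PROTO_ICMP = 1

PCAP_MAGIC = 0xA1B2C3D4      # little-endian classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4_frame(src, dst, proto, payload=b""):
    """Build an Ethernet II + IPv4 frame (constructed data; IP checksum left as 0)."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def build_pcap(frames):
    """Serialise frames as a pcap file: 24-byte global header, 16-byte record headers."""
    parts = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        parts.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)))
        parts.append(frame)
    return b"".join(parts)


def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for every record of a little-endian pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    (linktype,) = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec, data[offset:offset + incl_len]
        offset += incl_len


def parse_ipv4(frame):
    """Return (src, dst, proto) for an IPv4-over-Ethernet frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    return src, dst, frame[23]          # protocol is byte 9 of the IP header


def apply_capture_filter(data, src=None, dst=None, proto=None,
                         packet_count=100, byte_count=1000):
    """Keep the frames matching the filter and stop as soon as either limit is hit,
    which is how the packet count / byte count settings above end a capture."""
    kept, total_bytes = [], 0
    for ts_sec, frame in read_pcap(data):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        f_src, f_dst, f_proto = parsed
        if (src is not None and f_src != src) or (dst is not None and f_dst != dst) \
                or (proto is not None and f_proto != proto):
            continue
        kept.append((ts_sec, f_src, f_dst, f_proto, len(frame)))
        total_bytes += len(frame)
        if len(kept) >= packet_count or total_bytes >= byte_count:
            break
    return kept


def sample_capture():
    """Constructed capture: three ICMP echo requests inside -> DMZ (42 bytes each),
    one echo reply in the reverse direction and one TCP frame on the same path."""
    echo = b"\x08\x00\x00\x00\x00\x01\x00\x01"   # ICMP type 8, code 0, id 1, seq 1
    frames = [
        ipv4_frame(INSIDE_CLIENT, DMZ_HOST, PROTO_ICMP, echo),
        ipv4_frame(DMZ_HOST, INSIDE_CLIENT, PROTO_ICMP, b"\x00" + echo[1:]),
        ipv4_frame(INSIDE_CLIENT, DMZ_HOST, 6, b"\x00" * 20),
        ipv4_frame(INSIDE_CLIENT, DMZ_HOST, PROTO_ICMP, echo),
        ipv4_frame(INSIDE_CLIENT, DMZ_HOST, PROTO_ICMP, echo),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for row in apply_capture_filter(sample_capture(), INSIDE_CLIENT, DMZ_HOST, PROTO_ICMP):
        print(row)
```

To run it against a real download, replace sample_capture() with the bytes read from the ICMP-PCAP-1 file; captures saved in the newer pcapng format are not handled by read_pcap.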

Continue Reading:

What is Packet Capture?

Why you should be worried about Network Packet Loss?

Palo Alto Troubleshooting CLI Commands
https://networkinterview.com/palo-alto-troubleshooting-cli-commands/ (Fri, 11 Feb 2022)

Introduction

Palo Alto has been considered one of the most coveted and preferred Next generation Firewall considering its robust performance, deep level of packet inspection and myriad of features required in enterprise and service provider domain. When troubleshooting network and security issues for many different devices/platforms, an extensive set of commands with options are available which are great utilities in troubleshooting and fault finding, both in implementation and Operations phase.

Palo Alto Troubleshooting : CLI Commands

The following Palo Alto commands are really the basics and need no further explanation. Let's have a look at the command table below, with a description of each command.

CLI COMMANDS – DESCRIPTION

show system info – Shows session information
show system environmental (show CPU usage, show temperature, show counters for everything, show the statistics on application recognition) – Shows the environmental health of the system
show ntp – Shows the network time server information
show arp {all | <interface-name>} / show neighbor interface {all | <interface-name>} – Shows the ARP results
show mac all – Shows the MAC table results
show jobs all / show jobs id <id> / show running resource-monitor – Shows the processes running in the management plane
show system resource / show system disk-space – Shows the percent usage of disk partitions
request restart system – Restarts the device
show admins all / show admins – Shows how many admin accounts there are
show the uptime and the active sessions – Shows the device uptime
show running security-policy – Shows the running security policy
request license info – Shows the licenses installed on the device
show vpn gateway – Shows the list of all IPSec gateways configured on the device with their configuration
show vpn ike-sa – Shows IKE phase 1 SAs
show vpn ipsec-sa – Shows IKE phase 2 SAs
show vpn tunnel – Shows a list of auto-key IPSec tunnel configurations
show vpn flow – Shows the IPSec counters
show global-protect-gateway current-user / show global-protect-gateway flow – GlobalProtect
show high-availability all – Shows a summary of all HA runtime state
show high-availability state / show high-availability link-monitoring / show high-availability path-monitoring / show high-availability control-link statistics / show high-availability state-synchronization – Shows the local HA peer state
show high-availability flap-statistics – Shows statistics of sent and received messages
scp export log system to <username@host:path_to_destination_filename> / scp import software from <username@host:path> / tftp export configuration from running-config.xml to <tftp-host> / tftp import url-block-page from <tftp-host> – Export/import files
show user group-mapping state all – User-IDs and groups
request system fqdn {show | refresh} – IP addresses of FQDN objects
show dns-proxy statistics all / show dns-proxy cache all – DNS proxy
show system setting url-database – Active URL vendor/database
show system setting url-cache all – PAN-DB URL test and cache
set system setting fan-mode auto – Fan speed
show session id <id> – Reason for session close
show session all filter state discard / show session all filter application dns destination 8.8.8.8 / show session info / show specific session – Examining the session table
set system setting additional-threat-log on – Zone protection logging
view-pcap follow yes filter-pcap – Live viewing of packet captures
tcpdump snaplen 0 filter "port 53" / view-pcap follow yes mgmt-pcap mgmt.pcap – Capturing management packets
less mp-log – Viewing management-plane logs
show routing table – Displays the routing table
show routing fib / show routing protocol <protocol> – Look at routes for a specific destination
set system setting arp-cache-timeout <60-65536> – Changes the ARP cache timeout setting from the default
show system setting arp-cache-timeout / show routing path-monitor / debug routing path-monitor – View the ARP cache timeout setting
ping host X.X.X.X – Ping a destination IP address
traceroute host X.X.X.X – Trace the route to a destination network
ping host ipwithease.com – Ping an FQDN
show netstat statistics – Shows network statistics
find command – Find a command
show system statistics application / show system statistics session – Live session and application statistics
show interface {all | <interface-name>} / show the interface state (speed/duplex/state/mac) / show interface HW settings / show interface zone settings / show interface counters – Shows interface status, counters, configuration etc.
show running nat-policy – Shows the NAT policy table
test nat-policy-match – Tests the NAT policy
show running ippool / show running global-ippool – Shows NAT pool utilization
show routing bfd active-profile [<name>] – Shows BFD profiles
show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>] – Shows BFD details
show routing bfd drop-counters session-id <session-id> – Shows BFD statistics on dropped sessions
show counter global | match bfd – Shows BFD packet counters, i.e. transmitted/received/dropped
clear routing bfd counters session-id all | <1-1024> – Clears counters of transmitted, received and dropped BFD packets for a particular session id
clear routing bfd session-state session-id all | <1-1024> – Clears BFD sessions for debugging purposes
show vlan all – Verify the VLANs configured on the device
show counter global – Shows the counter of times the PVST
show system info | match system-mode – Displays the current operational mode
request system system-mode logger – Changes from Panorama mode to Log Collector mode
show device groups name – Shows the history of a device group
show templates name <template-name> – Shows the history of a template
show config pushed-shared-policy – Shows all the policy rules and objects pushed from Panorama to a firewall
show config pushed-template – Shows all the templates pushed from Panorama to a firewall
show logging-status device <firewall-serial-number> – Shows logging information sent to Panorama

Download the descriptive command table here.


Conclusion

Palo Alto Networks troubleshooting CLI commands are used to verify the configuration and environmental health of a PAN device, and to verify connectivity, licenses, VPN, routing, HA, User-ID, logs, NAT, PVST, BFD, Panorama and more.

In case, you are preparing for your next interview, you may like to go through the following links-

Palo Alto Firewall Questions and Answers in PDF

Palo Alto Firewall Architecture

Also if you are reading more about Network Security and Firewall we also have a combo product covering the details of ASA Firewall, Palo Alto, Checkpoint Firewall, Juniper SRX Firewall, Proxy, CCNA Security, Cisco, IPS/IDS, VPN

Click here to buy the Network Security Combo

Why you should be worried about Network Packet Loss, and how can you fix it
https://networkinterview.com/network-packet-loss/ (Thu, 23 Dec 2021)

Packet loss causes a multitude of network performance issues, including slow performance, disruption, and in some cases, even loss of connectivity. These issues inevitably affect productivity and have a noticeable effect on business, which is why they need to be actively monitored in real time.

A packet loss of even 1% can have a drastic impact on data transfer in a network, leading to performance and quality issues. Issues will only grow more problematic if left unchecked and allowed to persist. Packet loss has a direct correlation with quality of service and effectively impacts the stability of the network and end-user experience.


What causes Packet loss?

Packet loss is an early sign that your network’s health is deteriorating. If left unchecked for a long period, it could result in network downtime, costing the business dearly. There are multiple factors that can cause packet loss in a network, and it’s essential for IT administrators to identify and fix them in time.

Causes for Packet Loss

The top five causes for packet loss are:

  • Hardware issues
  • Network congestion
  • Cybersecurity threats
  • Overloaded devices
  • Faulty configuration changes

1.Hardware Issues

Issues related to the hardware’s functionality such as outdated hardware configurations, faulty hardware, or use of legacy hardware that cannot maintain the required bandwidth have a direct correlation to the possibility of packet loss.

This is why it is important to periodically audit the hardware in your network using monitoring tools to ensure that your hardware capabilities keep pace with your company’s growth. If left unchecked, outdated hardware could even cause loss of connection.

2.Network Congestion

Network congestion occurs when there is too much data being relayed in a short amount of time, exceeding the bandwidth or capacity of the network. This can lead to data packets being delayed or dropped until previous requests are fulfilled or critical packets being lost.

3.Cybersecurity Issues

Packet drop attacks have become an increasingly concerning issue in the cybersecurity space. Hackers use packet drop attacks to tamper with your network by issuing commands to routers in your network to drop packets.

Packet loss in a network can also occur by means of a distributed denial-of-service (DDoS) attack. A DDoS attack occurs when the network gets hit with an artificial overload of traffic, causing packet loss for a prolonged period of time and halting all operations in the network. This makes it vital to monitor your network in real time to look for and analyze potential irregularities before they turn into larger issues.

4.Overloaded devices

When individual components in a network are expected to function at a higher capacity than they were designed for, the device becomes overloaded, which slows network activities such as the transfer of packets. Network packet loss due to excessive use of individual components is a common issue in enterprise networks because of the high volume of data involved. Incoming packets arrive at the device quickly, but the device takes time to send the packets out.

When there is a slowdown of packet transfer, critical packets are dropped or lost as they wait for previous data requests to be executed. It is important to ensure that individual infrastructure components are monitored for overload and sufficient backup mechanisms are implemented in the network.

5.Faulty configuration changes

A faulty configuration change to a device can also cause packet loss. This can be avoided by conducting performance tests before rolling out any changes on the network and having a proper configuration process in place. Access to configuration changes should also be restricted based on user roles. Once changes are pushed, it is best to verify all critical performance metrics to ensure the changes are functioning as intended.


Troubleshoot packet loss proactively with OpManager

ManageEngine OpManager makes it easy to discover what’s causing your network to drop packets. It can provide you with visibility on issues to help you mitigate the effects of packet loss and increase network performance. You can use ManageEngine OpManager to proactively identify and resolve potential network issues.

1.Real-time packet loss monitoring and alerting

OpManager offers 24/7, end-to-end, real-time network packet loss monitoring to help IT admins mitigate the negative impacts of packet loss in their networks. OpManager pings all monitored devices at defined monitoring intervals, and if any device has packet loss that exceeds a predefined threshold, OpManager notifies you immediately by sending an email or text message.

With its advanced threshold-based alerting system, OpManager can identify and notify you immediately if your network is starting to experience congestion or any other issues.

2.Managing configuration changes and evaluating performance metrics

ManageEngine offers Network Configuration Manager as an add-on for OpManager to help IT admins reduce network packet loss by monitoring and managing the configuration changes of all the devices in your network. With this add-on, you can:

  • Schedule configuration backups and restore trusted configuration versions in a single click.
  • Detect changes in real time and know who made what configuration changes and when.
  • Ensure complete security and compliance for every configuration change.


3.Managing hardware issues and errors

Prevent packet loss due to hardware issues with OpManager's real-time hardware monitoring. OpManager provides real-time information on resources and hardware health, instant threshold-based alerts for hardware issues, and help with troubleshooting errors. This helps you prevent packet loss due to hardware issues.


4.Threshold-based alerting

OpManager sends alerts specifically to notify you about packet loss in your system along with which device is responsible for it. These alerts enable you to:

  • Set specific thresholds and get notified when packet loss hits the set limit.
  • Configure an increasing or decreasing threshold for packet loss.
  • Add intelligent threshold configurations by specifying the number of violations allowed before triggering an alert. You can implement bulk threshold configurations, too.
  • Locate overload in your network and reroute traffic as needed.
  • Avoid false alerts by specifying rearm values to clear alerts.


5.Packet loss monitoring on a WAN

OpManager offers wide area network (WAN) monitoring to locate and monitor packet loss on WANs. Using WAN monitoring, you can get the most out of your shared WAN without impacting performance. If you experience an outage, OpManager uses a traceroute to help you precisely locate the hop at which the outage occurred.

Packet loss is a critical issue that has a major impact on network performance and productivity. The longer packet loss is allowed to persist in a network, the more drastic the impact. This is why it's vital to proactively identify potential issues resulting in packet loss and troubleshoot them as quickly as possible.

ManageEngine OpManager’s real-time packet-loss monitoring capabilities provide you with a complete and cost-effective solution to troubleshoot issues and reduce packet loss using threshold-based alerts.


If you’re looking to fix packet loss in your network, try ManageEngine OpManager with a free, 30-day trial.

Continue Reading:

What is Packet Capture?

Top 10 Cybersecurity trends

Top 10 Most Common Website Error Codes
https://networkinterview.com/top-10-most-common-website-error-codes/ (Fri, 05 Nov 2021)

As a website owner or website developer, you must be used to HTTP and other types of errors. In fact, it is only natural to be startled on seeing an error code for the first time.

Are you the one? Do you want to know what the error codes mean and how to fix them? If so, you are in the right place. 

Website Error Codes

In this article, you will get to know the top 10 website error codes, the reasons for their occurrence, and solutions to them. Okay, without further ado, let's get started.

404 Not found: One of the most common website error codes

It is a common error all people will encounter once in their life. The 404 error indicates that the requested website is non-existent. This error usually occurs when the user closes the browser, clicks too quickly or when the file is too large to load and the server is slow. 

Solution:

Check whether the URL you entered is correct and try again later. If your site often experiences 404 errors, opt for a better hosting service or server. You can also use a redirection plugin on your site.

500 Internal Server Error

When you face this type of error understand that there is something wrong with your server. It often happens when the server is overloaded, try reloading the page and clearing the cache on the browser. 

Solution:

If you encounter this error on your website, contact your web hosting service provider; if you are using WordPress, check all the third-party plugins you are using.

401 Unauthorised 

This error message is shown when you attempt to load a site or page which is not accessible to you. It often takes place when you enter the wrong password or login credentials. 

Solution:

To resolve it, check whether the login URL has changed, or delete the cache and try again. If you are a website owner, you can password-protect the site using your cPanel account for extra protection.

403 Forbidden 

This error occurs when you try to access a file or site directory that you are not allowed to access. It is mostly used by website owners to secure vulnerable data from being hacked.

Solution:

If you are a website owner, you can log in to your cPanel account and set how the various files on your server should be visible to users. Otherwise, try refreshing and reloading the page or check the URL you entered.

502 Bad Gateway 

It is a little different from all the above-mentioned errors. This error occurs when one internal server receives an invalid request from another one. It is usually shown when the server takes longer to complete a request. 

Solution:

Contact your Web Hosting provider to check the reason for it. Or try using other WordPress plugins and themes. 

302 Found 

It is a temporary error that occurs when the site is moved to a new URL. Most times it will redirect the users to the original site URL in a few seconds. If not, try refreshing the page. 

Solution:

The best way to get rid of this redirection error is to use a redirection plugin from the WordPress plugin directory.

410 Gone

This code is mostly used by webmasters when they want to delete a website completely and use the content on a different site. It is more like a permanent 404 error.

Solution:

This tells Google that the requested site no longer exists and can be de-indexed from Google. 

301 Moved Permanently

To be clear, it is not an error in a general sense. It is just a message that communicates that the entered URL or site is moved permanently to a different URL. 

Solution:

You can use the WordPress Redirection tool to make the redirection flawless. You should keep the redirection active for a few months so that Google will know that the site has moved to a different URL. 

502 Temporarily Overloaded

This message is shown when the site experiences high web traffic; it will be resolved once the traffic drops. You can try clearing the cache and refreshing the page to fix this error.

Solution:

If you are the website owner and you see this error regularly, move to a larger hosting plan or server, as it may increase the bounce rate for your site.

400 Bad Request 

This message means there is something wrong with the request sent by the browser. It is different from 502 Bad Gateway. If you are a website owner you don’t need to worry about it, because it is caused by a defective browser.

Solution:

It occurs when there is an unstable internet connection, a security issue, etc. Users can try updating their browser to get rid of this error.

If you have any further questions regarding the errors above or anything else, please leave them in the comment section below.

How do I recover my Google Account? https://networkinterview.com/how-do-i-recover-my-google-account/ https://networkinterview.com/how-do-i-recover-my-google-account/#respond Thu, 09 Sep 2021 07:59:53 +0000 https://networkinterview.com/?p=16580 Google Account Recovery

Today nearly 1.5 billion people use Google Accounts and Google services. Google has become a part of our lives and most of us depend on it for work and personal use.

Whoever you are, a kid or a grandparent in your 60s, nothing is scarier or more annoying than losing access to your Google Account. But if you are facing this problem now, don’t worry. There are some simple steps to recover your account.

Here in this article, you will learn about the various account recovery options in Google and some additional tips to secure your account. Okay, enough talking; let’s see how to recover a Google Account in each scenario.

Lost your Password?

Since your Google Accounts usually stay logged in on your devices, it is normal to forget your passwords. Accounts may also have been created long ago and you simply won’t remember them. In this case –

You can click the ‘Forgot Password’ option on the sign-in page. You will be given the following options, in order.

  1. You will be asked to enter the last password you remember. If you don’t remember it, click ‘Try another way’.
  2. A verification code will then be sent to your secondary (recovery) email or phone number, or to your Google Account if you are logged in on other devices.
  3. If that doesn’t work, click ‘Try another way’ again. Google will then try to verify that it is you within 6 hours. If that is not possible, it will ask questions like ‘What is your mother’s name’ which you stored in your account.

By this time you should have recovered your account. Now set a new password and note it down in your diary or notes.


Forgot your Email Address?

Well, you usually won’t forget your Gmail address, unless you use multiple Gmail accounts, the account was created by someone else, or you haven’t used it for a long time. Whatever the reason, here are the steps to recover your Gmail address –

  1. Click the “Forgot Email” option on the login page.
  2. You will be asked for your secondary (recovery) email or phone number.
  3. If you don’t remember it, enter the username of the Gmail account.

If your account was created by your work, school or office, try contacting your administrator for more information.


If your Account was Hacked

If you are unable to log in to your account, or if you find that someone changed your password or recovery phone number or deleted your account, you can use Google’s Recovery page.

All you need to do is answer the questions you’re asked. If you have two-step verification you can try it. But if you don’t receive the codes on your phone, or if your phone is lost, try contacting Google Support, where you can recover your account directly.


If Account was Deleted

If you accidentally or willingly deleted your Google Account and now need to recover it, you can do so. The process is the same as in the previous scenario. However, if it’s been a while since you deleted your account, you may not be able to recover the data in it.

Still, you can use it to access Google Play services and other accounts you logged in with it.


Some tips to follow during the Google Account Recovery process:

  • Try not to skip questions during the recovery process. If you don’t know the answer, try your best guess.
  • If possible, use a computer, phone, or tablet where you frequently sign in.
  • If possible, use the same browser (like Chrome or Safari) that you usually do.
  • If possible, be in a location where you usually sign in, like at home or work.
  • If you don’t remember your last password, use a previous one that you do remember. The more recent it was, the better. If you can’t recall any previous passwords, take your best guess.
  • Consider a different variation of the answer. For example, try “NY” instead of “New York” or “Phil” instead of “Philip”.

If you face any other problems while recovering your lost Google Account, please share them in the comment section below.

What is Packet Capture? https://networkinterview.com/what-is-packet-capture/ https://networkinterview.com/what-is-packet-capture/#respond Wed, 17 Feb 2021 14:57:04 +0000 https://networkinterview.com/?p=15042 Introduction to Packet Capture 

“Packet Capture” is the interception of a data packet as it traverses a specific point in a data network. These packets are captured in real time using appropriate tools and stored for a short period so that they can be analyzed, downloaded, archived or discarded. The main reasons for capturing and examining network packets are identifying security threats, undesirable network behaviour, network congestion and packet loss, and general network analysis.

Packet capture is generally performed in one of two ways: capturing the whole packet, or capturing only specific portions of a packet. A full packet is made up of two parts: a header and a payload. The payload is the main content of the packet, while the header contains metadata such as the packet’s source and destination addresses.
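To make the header/payload split and the "full packet versus specific portions" distinction concrete, here is an added example (not code from the original article or from any of the tools it lists). It builds a constructed Ethernet/IPv4/TCP frame, then shows how a capture with a snapshot length (the snaplen mechanism tools such as tcpdump use) keeps the headers but drops the payload, and how the wire length and captured length then differ.

```python
import struct
from typing import Optional

# Constructed sample frame (not a real capture): Ethernet II + IPv4 + TCP + payload.
# IP addresses are RFC 5737 documentation addresses; the MAC addresses are made up.
def build_sample_packet(payload: bytes) -> bytes:
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + 20 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def capture(frame: bytes, snaplen: Optional[int] = None) -> bytes:
    """Full capture (snaplen=None) or only the first `snaplen` bytes, which is how
    tools capture 'specific portions' of a packet (e.g. headers only)."""
    return frame if snaplen is None else frame[:snaplen]

def parse_packet(pkt: bytes) -> dict:
    """Split the captured bytes into header metadata and payload (IPv4 without options)."""
    if len(pkt) < 14 + 20 + 20:
        raise ValueError("captured bytes too short for Ethernet/IPv4/TCP headers")
    ihl = (pkt[14] & 0x0F) * 4                       # IPv4 header length
    total_len = struct.unpack("!H", pkt[16:18])[0]   # IP length as sent on the wire
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", pkt[tcp_off:tcp_off + 4])
    data_off = (pkt[tcp_off + 12] >> 4) * 4          # TCP header length
    return {
        "src": ".".join(str(b) for b in pkt[26:30]),
        "dst": ".".join(str(b) for b in pkt[30:34]),
        "proto": pkt[23],                 # 6 = TCP
        "sport": sport,
        "dport": dport,
        "wire_len": 14 + total_len,       # what was on the wire
        "captured_len": len(pkt),         # what the capture actually kept
        "payload": pkt[tcp_off + data_off:],
    }

if __name__ == "__main__":
    frame = build_sample_packet(b"GET / HTTP/1.1\r\n")
    print(parse_packet(capture(frame)))              # full packet: payload present
    print(parse_packet(capture(frame, snaplen=54)))  # headers only: payload empty
```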

Packet Capture Tools

Some of the most frequently used packet capture tools across the IT ecosystem are listed below:

  • SolarWinds Network Performance Monitor: It is one of the best network monitoring platforms in the industry. It contains a network packet analyzer that can capture data from up to 1200 applications at the same time. The most interesting part is the ability to measure packet transfer in real time using the embedded dashboard called Quality of Experience (QoE).


  • Paessler PRTG Network Monitor: This platform is preferred for its internal packet sniffer and bandwidth monitoring service, which uses sensors to analyse IRC, AIM, Citrix, FTP, Mail, HTTP, RDP, SSH, Telnet and VNC traffic. The sensors also include a library of Top Talkers, Top Connections and Top Protocols. Each of these can be visualized as percentage charts, giving accurate estimates of how network resources are consumed across devices.


  • Wireshark: Wireshark is one of the best choices when cost saving is a key functional requirement. It is a free, open source packet analyzer which inspects network traffic in real time. The main service it offers is running a capture and viewing the captured packets on screen. The amount of traffic shown can be narrowed by applying display filters, and captures can be exported in different file formats such as Text, CSV, XML or PostScript. Another key advantage of Wireshark is the distinction of different types of traffic by colour. For example, the user can set blue for TCP and red for UDP traffic. All the colour options are available in the user interface.


  • ManageEngine NetFlow Analyzer: This particular tool can analyze real-time network traffic with graphs, using NetFlow, sFlow, IPFIX, NetStream and J-Flow. It also provides network bandwidth metrics for different users, devices or applications and helps to allocate resources. Additionally, performance issues can be represented in pie charts and exported to various reports by data point, time period, device and type.


  • Colasoft Capsa: This platform is a network analyzer for Windows that monitors packets in real time. It supports over 1800 different protocols that the user can monitor through the embedded dashboard. Furthermore, the dashboard offers network usage visualization with different graphs and charts such as Top Application Protocols or Top IP Total Traffic. Colasoft Capsa is suitable for organizations that need a competitively priced network analyzer for Windows.


Conclusion on Packet Capture

This brings us to the end of the article. Briefly, we discussed packet capture techniques and how they can be used for understanding traffic flow, network troubleshooting, and investigating security incidents.

The previous sections covered some of the best tools in the industry and how they can be used for packet capture and analysis.

It is almost certain that the need for packet capture will continue to grow and that more research and tools will be created. Researchers and engineers will keep looking for ways to improve portability and user interfaces and to introduce new techniques for different network traffic loads.

Finally, from a security standpoint, such a technique is helpful in identifying and avoiding network attacks and vulnerabilities. Especially for system and infrastructure administrators, this can be a crucial advantage, considering that confidential and business-critical information is stored within the company’s domain (company systems only) and must not be accessible to outside parties or attackers.
NSLookup Command https://networkinterview.com/nslookup-command/ https://networkinterview.com/nslookup-command/#respond Wed, 05 Aug 2020 18:34:10 +0000 https://networkinterview.com/?p=14349 NSLookup Command

NSLookup Overview

NSLookup (Name Server Lookup) is a simple but very practical command-line tool used to find DNS records: in other words, the IP address that corresponds to a host name, or the domain name that corresponds to an IP address. Windows users can run this command from the command prompt and UNIX users from a terminal window. The nslookup command-line tool has two modes.

Non-interactive Mode – If you are looking up only a single piece of data, use non-interactive mode. For the first argument after nslookup, type the name or IP address of the computer that you want to look up. For the second argument, type the name, IP address or FQDN of a DNS name server.

Interactive Mode – If you are looking up more than one piece of data, use interactive mode. Type a hyphen (-) for the first argument and the name or IP address of a DNS name server for the second. If you omit both, the tool uses the default DNS name server. Interrupt interactive commands by pressing CTRL+B and exit by typing exit.

Authoritative – The answer comes from a name server that holds the zone file for the domain.
Non-authoritative – The answer comes from a name server that is not listed as authoritative for the domain you looked up.
Port – DNS servers use port 53.

Syntax – nslookup {parameters}

NSLookup Parameters –

PARAMETER – DESCRIPTION

nslookup exit – Exits the nslookup command-line tool.
nslookup finger – Connects with the finger server on the current computer.
nslookup help – Displays a short summary of subcommands.
nslookup ls – Lists information for a DNS domain.
nslookup root – Changes the default server to the server for the root of the DNS domain name space.
nslookup server – Changes the default server to the specified DNS domain.
nslookup set – Changes configuration settings that affect how lookups function.
nslookup set all – Prints the current values of the configuration settings.
nslookup set class – Changes the query class. The class specifies the protocol group of the information.
nslookup set d2 – Turns exhaustive debugging mode on or off. All fields of every packet are printed.
nslookup set debug – Turns debugging mode on or off.
nslookup set domain – Changes the default DNS domain name to the name specified.
nslookup set port – Changes the default TCP/UDP DNS name server port to the value specified.
nslookup set querytype – Changes the resource record type for the query.
nslookup set recurse – Tells the DNS name server to query other servers if it doesn’t have the information.
nslookup set retry – Sets the number of retries.
nslookup set root – Changes the name of the root server used for queries.
nslookup set search – Appends the DNS domain names in the DNS domain search list to the request until an answer is received. This applies when the set and the lookup request contain at least one period but do not end with a trailing period.
nslookup set srchlist – Changes the default DNS domain name and search list.
nslookup set timeout – Changes the initial number of seconds to wait for a reply to a request.
nslookup set type – Changes the resource record type for the query.
nslookup set vc – Specifies whether to use a virtual circuit when sending requests to the server.
nslookup view – Sorts and lists the output of the previous subcommand or commands.


Error messages –

An error message is shown when an nslookup command fails.

ERROR MESSAGE – DESCRIPTION

timed out – The server didn’t respond to a request after a certain amount of time and a certain number of retries. You can set the time-out period with the nslookup set timeout command and the number of retries with the nslookup set retry command.
No response from server – No DNS name server is running on the server computer.
No records – The DNS name server doesn’t have resource records of the current query type for the computer, although the computer name is valid. The query type is specified with the nslookup set querytype command.
Non-existent domain – The computer or DNS domain name doesn’t exist.
Connection refused or Network is unreachable – The connection to the DNS name server or finger server could not be made. This error commonly occurs with finger requests.
Server failure – The DNS name server found an internal inconsistency in its database and could not return a valid answer.
Refused – The DNS name server refused to service the request.
format error – The DNS name server found that the request packet was not in the proper format. It may indicate an error in nslookup.
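The messages in the table above, and the authoritative/non-authoritative distinction earlier, come straight from the DNS response header. The following is an added example (not part of the original article and not nslookup's own code) that builds the wire-format A query nslookup sends to port 53 and decodes a response the way nslookup reports it: the AA flag decides "authoritative" versus "non-authoritative", and the RCODE maps to "Non-existent domain", "Server failure", "Refused" or "format error". The "No records" mapping for a NOERROR reply with an empty answer section is this example's interpretation of the table; make_sample_response is a constructed stand-in for a real server so the code runs offline.

```python
import struct

# RCODE values from RFC 1035 mapped to the messages nslookup prints (see the table above).
RCODE_MESSAGES = {1: "format error", 2: "Server failure", 3: "Non-existent domain", 5: "Refused"}

def build_query(name: str, qtype: int = 1, txid: int = 0x1234, recurse: bool = True) -> bytes:
    """Wire-format query sent to port 53; qtype 1 = A ('set querytype'), recurse sets RD ('set recurse')."""
    flags = 0x0100 if recurse else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def _skip_name(data: bytes, off: int) -> int:
    """Advance past a domain name written either as labels or as a compression pointer."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def interpret_response(resp: bytes) -> dict:
    """Decode the header flags and any A records the way nslookup reports them."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    if rcode == 0:
        status = "ok" if an else "No records"  # NOERROR but nothing of the requested type
    else:
        status = RCODE_MESSAGES.get(rcode, f"rcode {rcode}")
    return {"txid": txid, "authoritative": bool(flags & 0x0400),  # AA bit
            "recursion_available": bool(flags & 0x0080), "addresses": addrs, "status": status}

def make_sample_response(query: bytes, flags: int, addrs=()) -> bytes:
    """Constructed response for demonstration: echoes the question, appends A records."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addrs)
    return header + query[12:] + rrs
```

Flags 0x8180 model a recursive resolver's cached (non-authoritative) answer and 0x8580 the same answer with AA set; 0x8183, 0x8182 and 0x8185 carry RCODE 3, 2 and 5 respectively.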


Conclusion

NSlookup is a widely used command that lets you enter a hostname and find out the corresponding IP address or Domain Name System (DNS) record.
