Check Point Firewall Guide Performance Optimization: The Dual Default Gateway Problem

Is your Check Point Firewall connected to your core internal router on a dedicated VLAN/segment with no other systems present? In other words, is your firewall connected to your core internal router with a transit network used solely to forward traffic between the firewall and core router like this:

Figure 3-4: A Private Firewall-Core Transit Network

Or do you have something like this:

Figure 3-5: Non-private Transit Network between Firewall and Core Router

Announcing indeni 5.3: more than 400 improvements!


Welcome 5.3!

In this release we’ve included over 400 improvements to the underlying infrastructure and bug fixes, added new content, and expanded our support for Palo Alto Networks firewalls. Please reach out to our support team to get the updated release.

IMPORTANT NOTE TO CHECK POINT USERS: Starting with 5.3, indeni no longer uses port 8181 to communicate with the firewall. The advantages of using port 8181 prior to 5.3 are now built into the use of port 22, the standard SSH port.

NOTE: Customers who require support of a given product version prior to the main release can contact support@indeni.com and a running build will be provided.

Select new signatures:

How To Do an IPSec VPN Configuration Between PAN Firewall and Cisco ASA

Step by Step Guide: IPSec VPN Configuration Between a PAN Firewall and Cisco ASA

Overview:

This document is a step-by-step guide to configuring an IPSec VPN and assumes the Palo Alto Firewall has at least 2 interfaces in Layer 3 mode.

High Level Diagram:

IP schema specification:

Steps to be followed on Palo Alto Networks Firewall for IPSec VPN Configuration

Go to Network > Tunnel Interface to create a new tunnel interface and assign the following parameters:

Name: tunnel.1
Virtual router: default
Please refer to this article if you need help configuring a Virtual Router on Palo Alto Networks.

Zone: (select the layer 3 internal zone from which the traffic will originate)
Please refer to this article if you need help configuring a Layer 3 interface on Palo Alto Networks.

Note: If the tunnel interface is in a zone different from the zone where the traffic will originate or depart, then a policy will need to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.

IPSec Phase-1 configuration

Go to Network > Network Profiles > IKE Crypto Profile and define the IKE Crypto (IKEv1 Phase-1) parameters.
(These parameters must match on the Cisco ASA firewall for the IKE Phase-1 negotiation to be successful)