How To Do an IPSec VPN Configuration Between PAN Firewall and Cisco ASA

Step by Step Guide: IPSec VPN Configuration Between a PAN Firewall and Cisco ASA

Overview:

This document is a step-by-step guide to configuring an IPSec VPN. It assumes the Palo Alto Firewall has at least 2 interfaces in Layer 3 mode.

High Level Diagram:

IP schema specification:

Steps to be followed on Palo Alto Networks Firewall for IPSec VPN Configuration

Go to Network > Tunnel Interface to create a new tunnel interface and assign the following parameters:

Name: tunnel.1
Virtual router: default
Please refer to this article if you need help configuring a Virtual Router on Palo Alto Networks.

Zone: (select the layer 3 internal zone from which the traffic will originate)
Please refer to this article if you need help configuring a Layer 3 interface on Palo Alto Networks.

Note: If the tunnel interface is in a zone different from the zone where the traffic will originate or depart, then a policy will need to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.

IPSec Phase-1 configuration

Go to Network > Network Profiles > IKE Crypto Profile and define the IKE Crypto (IKEv1 Phase-1) parameters.
(These parameters must match on the Cisco ASA firewall for the IKE Phase-1 negotiation to be successful)


How to Export Palo Alto Networks Firewall Configuration to a Spreadsheet


It is sometimes necessary to have the configured policies, routes, and interfaces in a spreadsheet, to share with the design team, the audit team, or for other purposes. The method below gets the Palo Alto configuration into a spreadsheet whenever you need it. It requires little manual effort and just a few minutes of your time. Here you go:

1. First of all, log in to your Palo Alto Firewall, navigate to Device > Setup > Operations and click on Export Named Configuration Snapshot:

2. From the pop-up menu select running-config.xml, and click OK. Save the file to a desired location.


Cisco vs Palo Alto Networks: The Hidden Battle


In my conversations with firewall users I often hear references to the “battle of the titans” between Check Point and Palo Alto Networks. Both are leaders in the Gartner Magic Quadrant, their security technologies are often compared and the marketing slander has been seen often in all the different mediums.

As everyone is aware, PANW’s aggressive growth outpaces the growth of the firewall market. This means that a large portion of the growth is coming from the displacement of their competitors. A point PANW’s CEO, Mark McLaughlin, made recently.

However, very little attention has been given to this:


The sum of the percentages is greater than 100% as some customers migrated from multiple vendors to PANW.


Palo Alto Networks Firewalls Alert Guide: Group ID Conflict Detected

This is a real-life sample alert from the indeni alert guide for Palo Alto Firewalls.

Description:

This cluster has the same Group ID as the other clusters listed below. A conflict may arise if they share a VLAN with this cluster.

Other Clusters:

buny-fw1 (10.10.24.1)

Manual Remediation Steps:

Consider changing the Group ID. For more information, see DOC-5843.

How does this alert work?

indeni automatically identifies the HA clusters in the environment and then compares the Group ID that is set on the active member of each of those clusters.

For even more alerts and in depth analysis to make your network high availability and failure proof, check out our device management solution for PAN Firewalls.

Firewall in Maintenance Mode. Palo Alto Network Alert Guide


This is a real life sample alert from our indeni alert guide for Palo Alto Networks Firewall.

Description:

The firewall has entered maintenance mode due to an unknown reason. indeni will stop collecting data from this firewall until it exits maintenance mode.

Manual Remediation Steps:

Connect to the firewall using SSH (see DOC-5719) and determine the cause.

How does this alert work?

indeni uses a mix of SSH, API calls and SNMP to communicate with Palo Alto Networks firewalls. If it identifies that the firewall is in maintenance mode (for example, via SSH), it will alert.

How to Pull and View Logs Using Automation for Palo Alto Networks Firewalls

Many network monitoring tools on the market today are just good at that: monitoring. They fail to go in depth and dig deep into devices to pull the gritty data important to IT teams. We build indeni with those users in mind. Our goal is to simplify network management, not just monitor it. For example:

There are two sets of log “components” in Palo Alto Networks firewalls:

  • The easily accessible logs (for lack of better name):

    indeni@Peanut(active)> show log
    > alarm         Show alarm logs
    > appstat       Show appstat logs
    > config        Show config logs
    > dailythsum    Show dailythsum logs
    > dailytrsum    Show dailytrsum logs
    > data          Show data logs
    > hipmatch      Show hipmatch logs
    > hourlythsum   Show hourlythsum logs
    > hourlytrsum   Show hourlytrsum logs
    > iptag         Show iptag logs
    > mdm           Show mdm logs
    > system        Show system logs
    > threat        Show threat logs
    > thsum         Show thsum logs
    > traffic       Show traffic logs
    > trsum         Show trsum logs
    > url           Show url logs
    > userid        Show userid logs
    > weeklythsum   Show weeklythsum logs
    > weeklytrsum   Show weeklytrsum logs
    > wildfire      Show wildfire logs
    indeni@Peanut(active)>

A different kind of logs.

indeni is now capable of accessing the SSH-only logs and analyzing those. So, if you have certain log lines you’d like to automatically collect and analyze from these files, please feel free to email us at sales@indeni.com and share your needs. We’ll be sure to include those in our software, in addition to the thousands of other log lines that are already on our list.

Palo Alto Networks firewalls: Job(s) stuck in pending

This is a real life sample alert from the indeni alert guide for Palo Alto Networks Firewalls.

Description:

One or more jobs running on this device have been stuck in “pending” state for more than 30 minutes.

Affected Jobs:

  • EBLRefresh

  • Install

Manual Remediation Steps:
Review the jobs listed above for possible issues. You may want to stop and re-issue the job if possible. For more information read DOC-2259.

How does this alert work?
indeni reviews the current list of jobs on a regular basis by running “show jobs all”. For this alert, indeni looks for jobs that have been stuck in PEND for more than 30 minutes.

Pan(w)achrome for Palo Alto Networks firewalls from the indeni perspective

Pan(w)achrome is a Chrome extension written by Luigi Mori, a solutions architect at Palo Alto Networks. The extension lets you connect to your Palo Alto firewalls and keep track of certain vital stats – mostly CPU, memory, traffic and a variety of counters.

This is a good step in the right direction – every product we support today has some sort of tool for visualizing some basic stats. Check Point has SmartView Monitor. Juniper has Junos Space. Fortinet has the capabilities in the Fortigate’s web UI as well as within FortiManager. The nice touch with Pan(w)achrome is that it’s built into the browser (through the extension) so it’s a bit easier to access.

As PAN-OS progresses (see the recent release – 7.0), we, at indeni, hope that an investment into Pan(w)achrome will be made. Firstly by taking ownership of the extension at the R&D level (and not a side project), as well as providing much deeper visibility into important elements of the Palo Alto Networks firewalls.

At indeni, we see tools like this as a great means of providing customers with some visibility. The challenge, though, is that these tools are not capable of analyzing configurations and logs (as these are too complicated and are not graphable) and cannot be used as alerting systems. It’s simply far outside their scope.

So, if you’re looking for in-depth configuration and log analysis, as well as comprehensive operational data collection, give indeni for Palo Alto Networks firewalls a spin. Takes just 45 minutes to set up.

RX Traffic Drastically Reduced Post Fail Over. Palo Alto Networks Alert Guide

This is a real-life sample alert from the indeni alert guide for Palo Alto Networks Firewall.

Description:

This device is receiving far less traffic than expected. It is receiving 142 packets/sec at the moment, compared to 15921 packets/sec it received a few minutes ago. This can be a result of a fail over of this firewall cluster.

Manual Remediation Steps:

Consider clearing the ARP cache, as detailed in DOC-4575. Review the comments of that DOC.

How does this alert work?

indeni tracks the traffic flow on firewalls to identify situations where there is a sharp decrease in RX traffic (as opposed to TX traffic). Such a drop in RX traffic means the surrounding network equipment isn’t forwarding traffic to the firewall, usually due to ARP issues.
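
A sketch of the kind of check described above, as an added example that is not indeni's code: it compares each RX sample with the median of the preceding samples and raises one alert per drop. The sample data is constructed, and the function name, window size and thresholds are assumptions.

```python
from collections import deque
from statistics import median

# Constructed per-minute RX samples (time, packets/sec); the 15921 -> 142
# step mirrors the figures quoted in the alert description.
SAMPLE_RX = [
    ("10:00", 15800), ("10:01", 16010), ("10:02", 15921), ("10:03", 15875),
    ("10:04", 15990), ("10:05", 142), ("10:06", 150), ("10:07", 15500),
]

def find_rx_drops(samples, window=5, drop_ratio=0.05, min_baseline_pps=1000):
    """Return one alert per episode where RX falls below drop_ratio * baseline.

    window, drop_ratio and min_baseline_pps are assumed values, not indeni's.
    """
    history = deque(maxlen=window)   # recent "healthy" RX rates
    alerts = []
    in_drop = False
    for timestamp, rx_pps in samples:
        if len(history) == window:
            baseline = median(history)
            # Ignore near-idle devices: a small baseline makes ratios meaningless.
            dropped = baseline >= min_baseline_pps and rx_pps < baseline * drop_ratio
            if dropped and not in_drop:
                alerts.append({"time": timestamp, "rx_pps": rx_pps,
                               "baseline_pps": baseline})
            in_drop = dropped
            if dropped:
                # Keep drop samples out of the baseline so the alert
                # state clears only when traffic actually recovers.
                continue
        history.append(rx_pps)
    return alerts

if __name__ == "__main__":
    for alert in find_rx_drops(SAMPLE_RX):
        print(alert)
```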

Pulling Data via SNMP, SSH or API – PAN Firewall Best Practices

When querying a firewall, what’s the best protocol to use? SNMP, SSH or API?

If you are looking to integrate Palo Alto firewalls as part of some automated system – scripts, central NOC, software-defined-whatever, etc. – you’d want to hear what we have to share. You should also read this post if you like learning about interesting technical aspects of the products you use.

As you may know, we started supporting Palo Alto Networks (PANW) firewalls in our product late last year. We are currently developing new support and are working with large and small organizations throughout the globe. One interesting thing we’ve noticed that’s worth sharing is that PANW’s customers are very open to embracing new technologies. That is great for us 🙂
