Thursday 28 July 2022

test policy on palo alto similar to packet tracer

 I haven't had much luck with this, it doesn't seem to work as well as packet tracer. It's often returning that the traffic is blocked when in fact it is allowed.


Anyway you can give it a go, its down the bottom in the GUI "Test policy match"


On CLI:

test security-policy-match source 192.168.0.1 destination 8.8.8.8 destination-port 53 protocol 17


test security-policy-match source 192.168.0.1 destination 8.8.8.8 destination-port 443 protocol 6


Protocol 17 = udp
Protocol 6 = tcp

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-cli-quick-start/use-the-cli/test-the-configuration/test-policy-matches

Posted by at No comments:
Labels: , ,

NAT on palo alto firewall

 I find switching from ASA to palo alto NAT confusing because they work in a different way and I've worked on ASA for so long.


nat rule (to nat traffic)

outside -> outside

Destination address is customer public IP: 100.200.200.114

Destination translations address is inside IP of the server: 192.168.0.1


policy rule (to allow traffic)

outside -> inside

Source IP is outside source public 8.8.8.8

inside destination IP is the public IP: 100.200.200.114



The main thing there is a public IP NAT is outside to outside on palo. On ASA its outside to inside for a public IP NAT.

  • Source zone: outside
  • Destination zone: outside
  • Destination interface: eth1/1 (outside)
  • Source add: any
  • Destination address: 100.100.100.50 (public IP of server)
  • Service: port 443
  • Source translation: "none"
  • Destination Translation:
    • destination-translation (translation type "static IP")
    • address: 192.168.100.50 (inside IP)
    • port: 443

Posted by at No comments:
Labels: , , ,

Wednesday 13 July 2022

check when a S2S VPN established

 show vpn-sessiondb l2l filter ipaddress x.x.x.x


Connection   : x.x.x.x

Index        : 69987                  IP Addr      : x.x.x.x

Protocol     : IKEv1 IPsec

Encryption   : IKEv1: (1)AES256  IPsec: (2)AES256

Hashing      : IKEv1: (1)SHA1  IPsec: (2)SHA1

Bytes Tx     : 6629603                Bytes Rx     : 9801553

Login Time   : 07:20:46 UTC Wed Jul 13 2022

Duration     : 4h:12m:59s

Tunnel Zone  : 0


Some useful items we can see the login time (time of last rekey)

Duration, how long the VPN has been up since then.


You can check 
sh crypto isakmp sa detail | b x.x.x.x

IKE Peer: x.x.x.x
Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_ACTIVE
Encrypt : aes-256         Hash    : SHA
Auth    : preshared       Lifetime: 86400
Lifetime Remaining: 70716

Here you can see the lifetime and lifetime4 remaining. You can use these values to work out when next rekey should be.

86400 / 60 /60 = 24 (hours)

70716 /60 /60 = 19.6 (hours

That matches up to the 4 hour duration so everything looks good there. If you keep checking in on it or are able to monitor the VPN you might spot that is rekeying randomly and that needs to be investigated.
Posted by at No comments:

how to look at office macros without running them

 olevba is a good linux tool to look at the macro code without opening the file in MS office tc.

Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)