Palo Alto service insertion for Cross-vCenter NSX-V

References: Multi-site with Cross-VC NSX and Palo Alto Networks Security, https://blogs.vmware.com/networkvirtualization/2016/09/multi-site-cross-vc-nsx-palo-alto-networks-security.html/ and Cross-vCenter NSX design guide, https://blogs.vmware.com/networkvirtualization/2016/07/nsx-v-multi-site-options-cross-vc-nsx-design-guide.html/. Palo Alto service insertion in a single vCenter hosted in a single DC. A brief description of the Software Defined Data Center topology above: a single vCenter; a single NSX Manager; …

Troubleshooting Distributed Firewall in NSX-V – How to check firewall rules for a VM

Blog reference: https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSphere/6.4/com.vmware.nsx.troubleshooting.doc/GUID-20234847-3E7A-4FE8-AEE1-31FFB3652481.html. In my earlier post on micro-segmentation, we referenced the topology below and placed the workloads of the different tiers (Web, App and DB) on the same NSX Logical Switch. With NSX micro-segmentation, the firewall is applied at the vNIC level of each virtual machine. Topology. Below firewall rules …

VMware NSX Microsegmentation – Securing Collapsed Architectures

As depicted in the topology above, the NSX-V Distributed Firewall feature is enabled, and as shown in the figure, the firewall is effectively applied at each vNIC of a virtual machine. In this topology: BGP is used as the routing protocol; iBGP is used within NSX; eBGP is used between the NSX Edges and the physical …

VMware NSX Distributed Firewall

We tried to cover VXLAN and VXLAN traffic flow earlier. Every solution has three main components: management, control and data plane. NSX Manager is the management component of the VMware NSX solution. We now try to learn more about the data plane components of NSX. The data plane of NSX has: Logical Switch, …

QoS on Palo Alto Firewall

Reference: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/quality-of-service/configure-qos. 1. The process of classification. Anyone with prior experience of the Modular QoS CLI (MQC) on Cisco IOS will know that you first classify the traffic that needs to be prioritized over other types of traffic. The same logic applies when configuring QoS on a Palo Alto firewall. …

DNS Sinkhole feature on Palo Alto Firewall

References: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/60/pan-os/NewFeaturesGuide/section_3.pdf and https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523. Why use a DNS sinkhole? Picture this: you have infected hosts on your network that are connecting to malicious websites and portals. DNS resolution and DNS queries play a vital role in such communication. When there is a …
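The reason a sinkhole matters is what the firewall can and cannot see. Clients normally resolve names through an internal DNS server, so when the firewall spots a query for a malicious domain the source address it logs is the DNS server, not the infected workstation. Answering that query with a sinkhole address instead makes the infected host itself open a connection to the sinkhole, and that session carries the host's real source IP. The following Python is an added example, not code from the original post or from Palo Alto: the log lines are constructed and do not follow the PAN-OS log format, and the sinkhole address is a hypothetical one from an RFC 5737 documentation range.

```python
"""Locating infected hosts via a DNS sinkhole (added illustration, constructed data)."""
import csv
import io
from collections import Counter
from typing import Dict, Set

# Hypothetical sinkhole address (RFC 5737 documentation range), not a vendor default.
# Whatever address is used must be routed so that sessions to it pass through (and
# are logged by) the firewall, and nothing legitimate may live there.
SINKHOLE_IP = "203.0.113.254"

# Constructed threat-log sample: DNS queries the firewall inspected.
# Columns: time, src, dst, query, action. Every query arrives from the internal
# resolver 10.1.1.53 (forwarding to an upstream resolver), so the workstation that
# originally asked for the name is not visible here.
THREAT_LOG = """\
2019-01-10T10:00:01,10.1.1.53,198.51.100.53,evil.example,sinkhole
2019-01-10T10:00:05,10.1.1.53,198.51.100.53,bad.example,sinkhole
2019-01-10T10:03:00,10.1.1.53,198.51.100.53,www.example.com,allow
"""

# Constructed traffic-log sample: sessions the firewall saw after the sinkholed
# answers were handed back to the clients. Columns: time, src, dst, dport, app.
TRAFFIC_LOG = """\
2019-01-10T10:00:02,10.1.5.20,203.0.113.254,443,ssl
2019-01-10T10:00:06,10.1.7.33,203.0.113.254,80,web-browsing
2019-01-10T10:01:00,10.1.5.20,198.51.100.80,443,ssl
2019-01-10T10:02:00,10.1.9.9,203.0.113.254,443,ssl
2019-01-10T10:04:00,10.1.5.20,203.0.113.254,80,web-browsing
"""


def _rows(text: str, fields):
    """Parse a constructed comma-separated log into dicts keyed by the given column names."""
    return csv.DictReader(io.StringIO(text), fieldnames=fields)


def sinkholed_query_sources(threat_log: str) -> Set[str]:
    """Source addresses of the DNS queries the firewall answered with the sinkhole.

    This is all the threat log alone can tell you. Behind an internal resolver it
    only ever names the resolver, which is exactly the blind spot the sinkhole fixes.
    """
    fields = ["time", "src", "dst", "query", "action"]
    return {r["src"] for r in _rows(threat_log, fields) if r["action"] == "sinkhole"}


def infected_hosts(traffic_log: str, sinkhole_ip: str = SINKHOLE_IP) -> Dict[str, int]:
    """Hosts that actually tried to reach the sinkhole address, with session counts.

    Nothing legitimate is reachable at the sinkhole address, so a host that opens a
    session to it received a sinkholed answer, i.e. something on it resolved a
    malicious name. The count gives a rough idea of how persistent that something is.
    """
    fields = ["time", "src", "dst", "dport", "app"]
    hits = Counter(r["src"] for r in _rows(traffic_log, fields) if r["dst"] == sinkhole_ip)
    return dict(hits)


if __name__ == "__main__":
    print("threat log names only:", sorted(sinkholed_query_sources(THREAT_LOG)))
    print("hosts seen talking to the sinkhole:", infected_hosts(TRAFFIC_LOG))
```

One caveat when reading the result: a client that sits behind its own NAT device or proxy shows up as that device's address in the traffic log, so the investigation then has to continue in that device's logs.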

Content Filtering Techniques on Palo Alto Firewall

1. URL filtering. URL filtering allows you to block web browsing based on URL category. For example, you could block these categories available on Palo Alto: abused drugs, alcohol and tobacco, phishing, peer-to-peer. Palo Alto also allows you to check the URL category of a particular …

Palo Alto – X-Forwarded-For feature

Enterprise internet setups incorporate systems like proxy servers. Such systems cache internet data and eventually save a lot of internet bandwidth and cost. What else do proxy servers do? a. Source NAT (SNAT) client IPs and source internet traffic from themselves. Here you are hiding/masking the client IP address. Such a mechanism prevents client IP …
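Once the proxy source-NATs the traffic, the firewall sees only the proxy's address as the source, and the X-Forwarded-For header is how the proxy hands the original client address downstream. The catch for anything that consumes the header, a firewall included, is that the header is client-supplied text: a client can send its own X-Forwarded-For value, and a proxy normally appends to it rather than replacing it. The only entries that can be believed are the ones appended by proxies you control. The Python below is an added example of that check, not code from the original post or from Palo Alto, and the addresses and trusted-proxy list in it are assumed values. It walks the chain from the right, peels off every trusted proxy, and attributes the request to the first address that is not one.

```python
"""Recovering the client address from X-Forwarded-For without trusting spoofed entries."""
import ipaddress
from typing import Iterable, List, Optional

Addr = Optional[ipaddress._BaseAddress]  # None marks an entry that was not a valid address


def parse_xff(header: str) -> List[Addr]:
    """Split an X-Forwarded-For value into addresses, leftmost (client) to rightmost (last proxy).

    Malformed entries are kept as None rather than dropped, so that garbage inside the
    trusted part of the chain stops the walk instead of silently shifting attribution.
    """
    hops: List[Addr] = []
    for raw in header.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith("[") and raw.endswith("]"):  # bracketed IPv6 form
            raw = raw[1:-1]
        try:
            hops.append(ipaddress.ip_address(raw))
        except ValueError:
            hops.append(None)
    return hops


def client_ip(peer_ip: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the address a connection should be attributed to, or None if it cannot be decided.

    peer_ip is the source address actually seen on the wire (after SNAT, the proxy).
    The chain examined is [XFF entries ..., peer_ip]. Starting from the peer, every hop
    that belongs to a trusted proxy (single address or CIDR) is discarded; the first hop
    that does not is the client. Everything to its left was written by an untrusted party.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    chain: List[Addr] = parse_xff(xff or "") + [ipaddress.ip_address(peer_ip)]
    for hop in reversed(chain):
        if hop is None:
            return None  # malformed entry inside the trusted region: refuse to guess
        if not any(hop in net for net in trusted):
            return str(hop)
    # Every hop was a trusted proxy: the request originated from the proxies themselves.
    first = chain[0]
    return str(first) if first is not None else None


if __name__ == "__main__":
    # Assumed environment: the proxy is 10.0.0.5 and a second proxy tier lives in 10.0.0.0/24.
    proxies = ["10.0.0.0/24"]
    # Client 192.0.2.10 through the proxy: the header is honoured.
    print(client_ip("10.0.0.5", "192.0.2.10", proxies))
    # Same client, but it sent a forged header first; the proxy appended the true address.
    print(client_ip("10.0.0.5", "203.0.113.99, 192.0.2.10", proxies))
    # No trusted proxy on the path: the header is ignored and the peer is the client.
    print(client_ip("198.51.100.7", "1.2.3.4", proxies))
```

The same walk generalises to any number of proxy tiers, which is why the trusted list takes CIDRs: a hop inside the trusted range is never reported as the client, so a compromised or misconfigured upstream cannot make itself look like an end user either.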

Usage of the failover exec mate command on Cisco ASA

So, recently I came across this situation where I had to check the TACACS shared secret on the standby ASA without directly logging into it, the reason being that the standby firewall just wouldn't let me log in directly. The standby unit was earlier integrated with the AAA server. My efforts of first removing the standby device from AAA …