Friday, December 25, 2015

PALO ALTO reset to default

In this post I will show you how to reset a Palo Alto firewall back to factory settings. You first need to acquire the unit's serial number (SN#).






You now log in via SSH using the username maint with the unit's serial number as the password. The main window presents an ncurses-like menu that allows you to select the factory_reset operation.





Select it, sit back and wait. It can take approximately 3-7 minutes for the unit to restore itself to factory settings.







After the unit has reconfigured and rebooted, you can log back in with the username/password admin/admin.

You will need to re-license/activate the unit and re-apply dynamic updates; all license keys and updates are reverted.





Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \







Merry Christmas

Well, it's the end of the year... well, almost. Merry Christmas! Here are a few tips and info.

1st

PAN-OS 7.0.4 came out a few days ago.



I'm in the process of reviewing the fixes.

https://downloads.paloaltonetworks.com/software/PAN-OS-7.0.4-RN.pdf

2nd

In a dual-stacked Fortigate, how do you know exactly how many sessions exist per VDOM, for IPv4 or IPv6, at a glance? The following diagnose command provides these details.

diag sys vd list | grep ses_num
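To turn that output into a per-VDOM table rather than eyeballing the grep, here is a small parser (an added example, not from the original post or Fortinet). The sample output is constructed; the multi-line key=value layout and every field name except ses_num (in particular ses6_num for the IPv6 counter) are assumptions, so adjust them to what your unit actually prints.

```python
"""Parse FortiOS 'diag sys vd list' output into per-VDOM session counters.

Added example, not from the original post. SAMPLE_OUTPUT is CONSTRUCTED:
the layout and all field names except ses_num are assumptions.
"""
import re
from typing import Dict

# Constructed sample, NOT real device output: two VDOMs, key=value tokens
# spread over several lines per VDOM, each VDOM starting with a name= token.
SAMPLE_OUTPUT = """\
list virtual firewall info:
name=root/root index=0 enabled fib_ver=22 use=84 rt_num=24 asym_rt=0
  ecmp=source-ip-based rt6_num=14 ses_num=81 ses6_num=7 ses_clash=0
name=dmz/dmz index=1 enabled fib_ver=3 use=12 rt_num=6 asym_rt=0
  ecmp=source-ip-based rt6_num=2 ses_num=19 ses6_num=0 ses_clash=0
"""

# key=value tokens; values end at whitespace or a comma
TOKEN = re.compile(r"(\w+)=([^\s,]+)")


def parse_vd_list(text: str) -> Dict[str, Dict[str, int]]:
    """Group key=value tokens by VDOM (a 'name=' token starts a new record)
    and keep only the numeric fields, e.g. ses_num and the assumed ses6_num."""
    vdoms: Dict[str, Dict[str, int]] = {}
    current = None
    for key, value in TOKEN.findall(text):
        if key == "name":
            current = value.split("/")[0]   # "root/root" -> "root"
            vdoms[current] = {}
        elif current is not None and value.isdigit():
            vdoms[current][key] = int(value)
    return vdoms


def total_sessions(text: str, field: str = "ses_num") -> int:
    """Sum one session counter across all VDOMs."""
    return sum(v.get(field, 0) for v in parse_vd_list(text).values())


if __name__ == "__main__":
    for name, f in parse_vd_list(SAMPLE_OUTPUT).items():
        print(f"{name:10s} ses_num={f.get('ses_num', 0):5d} "
              f"ses6_num={f.get('ses6_num', 0):5d}")
    print("all vdoms ses_num =", total_sessions(SAMPLE_OUTPUT))
```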




Tuesday, December 22, 2015

HOWTO determine what files are modified in FortiOS

Have you ever been interested in which files change when you modify the config in a Fortigate? There is a simple command that lists the changed file(s).

diag sys list-modified-files



Here's the command executed before we make any change:










And now our change: we will add a host in the firewall address objects.



And now we re-execute the file listing command:






The hidden fnsysctl command can also list the files in the /data/config directory.






FortiOS v5.4.0 is out

With the bad taste left from 5.2.x, I wonder what's to be expected in FortiOS v5.4. I didn't even bother to participate in the 5.4 beta testing.




https://en.wikipedia.org/wiki/Fortinet


Read the release notes whenever they post them for the general public ( http://docs.fortinet.com/fortigate/release-information ); this is the wild wild west ;)


You might want to do an execute reboot, interrupt the boot process, and run the new image from memory before committing the image to the onboard flash.



Friday, December 18, 2015

hidden vdoms in FortiOS multi-vdom mode

FortiOS has a few hidden VDOMs that are not obvious at first glance. Here are my local VDOMs on a FGT unit:








Simple, right?



Not so fast; we really have two more VDOMs that are defined but are not directly accessible, as demonstrated below:



What you need to know: the dmgmt-vdom has support for configurable interfaces.



This VDOM is part of the dedicated management feature:

http://docs-legacy.fortinet.com/fgt/handbook/cli52_html/index.html#page/FortiOS%205.2%20CLI/config_system.23.017.html

You can't delete it per se.






SSLVPN diag commands FortiOS

All Fortigates allow you to monitor SSL VPN sessions, and you have a simple means of showing which clients have established sessions and by what means.

Take the following CLI command:



This will list all SSL VPN web sessions; changing web to tunnel will list all tunnel sessions. Specifying neither will list both types.


Alternatively, you can use the following diag command and grep for the user of interest.









note: grep does not work with the execute command outputs

To destroy a session, you must know the index ID and use the del commands:










Friday, December 11, 2015

VLAN considerations NX-OS

In this post, I want to bring forward a few items that should be taken into consideration in Nexus OS when it comes to VLANs and VLAN-ID design details.

In Cisco IOS and NX-OS, certain VLAN IDs are used internally, so the full range of VLAN IDs 1 through 4094 is NOT always available. Beyond the VLANs that are hardcoded for specific functions (i.e. VLAN IDs 1, 1002-1005, 4095, etc.), you also have to take these internally reserved VLAN IDs into consideration.

So in NX-OS you need to know the default reserved VLAN ID range. The CLI command show system vlan reserved will provide this detail.







Config mode will allow you to adjust this range, but keep in mind you will still have 128 reserved VLAN IDs.






Next, Cisco has always limited VLAN names to 32 characters or fewer.

In NX-OS we can use the command system vlan long-name to allow names longer than 32 characters, but most show commands will still limit the displayed output to 32 characters.

 







 



If you define a VLAN name longer than 32 characters, the switch will complain if you try to no out that command.
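The two design constraints above (the 128-ID internal reserved block plus the hardcoded IDs, and the 32-character name limit that system vlan long-name relaxes) are easy to check before a change window. The checker below is an added example, not from the original post or Cisco; the default reserved_start of 3968 is an assumption, so take the real range from show system vlan reserved on your switch.

```python
"""Pre-check NX-OS VLAN IDs and names against the constraints in the post.

Added example, not from the original post or Cisco. The default
reserved_start is an ASSUMPTION: read the real block from
'show system vlan reserved' on the switch and pass it in.
"""
from dataclasses import dataclass
from typing import List, Optional

FIXED_RESERVED = {1, 1002, 1003, 1004, 1005, 4095}  # hardcoded IDs named in the post
RESERVED_BLOCK = 128   # NX-OS always keeps 128 internal VLAN IDs, wherever the block sits
NAME_LIMIT = 32        # classic Cisco VLAN name limit


@dataclass
class VlanPolicy:
    reserved_start: int = 3968  # ASSUMED default; confirm with 'show system vlan reserved'
    long_name: bool = False     # True once 'system vlan long-name' is configured

    def reserved_range(self) -> range:
        """The movable 128-ID internal block (end is inclusive of start+127)."""
        return range(self.reserved_start, self.reserved_start + RESERVED_BLOCK)


def check_vlan(vlan_id: int, name: Optional[str], policy: VlanPolicy) -> List[str]:
    """Return a list of problems; an empty list means the VLAN is usable."""
    problems: List[str] = []
    if not 1 <= vlan_id <= 4094:
        problems.append(f"vlan {vlan_id}: outside the configurable range 1-4094")
    elif vlan_id in FIXED_RESERVED:
        problems.append(f"vlan {vlan_id}: hardcoded for a built-in function")
    elif vlan_id in policy.reserved_range():
        r = policy.reserved_range()
        problems.append(f"vlan {vlan_id}: inside internal reserved block {r.start}-{r[-1]}")
    if name is not None and len(name) > NAME_LIMIT and not policy.long_name:
        problems.append(f"vlan {vlan_id}: name is {len(name)} chars; needs 'system vlan long-name'")
    return problems


def can_disable_long_name(names: List[str]) -> bool:
    """'no system vlan long-name' is refused while any name exceeds 32 chars."""
    return all(len(n) <= NAME_LIMIT for n in names)


if __name__ == "__main__":
    policy = VlanPolicy()
    for vid, vname in [(100, "users"), (1003, "legacy"), (4000, "x"), (200, "a" * 40)]:
        print(vid, check_vlan(vid, vname, policy) or "ok")
```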













Thursday, December 10, 2015

PALO ALTO ipv6 features and tips

In this post I will explain and show issues to be aware of with PAN-OS and IPv6.

1st, ICMPv6 RA supports low/medium/high router preferences. This is good, since my experience with Cisco ASA, Fortinet Fortigate, and Juniper SRX shows this feature is not available there.
The Low/Medium/High values are case sensitive.






This feature helps if you have multiple router advertisers and need a redundant IPv6 next-hop gateway.


2nd, the loopback address requires a /128 mask (this sucks) or you must specify no mask.




3rd, OSPFv3 is well supported, so now we can authenticate OSPFv3 with other OSPFv3 routers.




4th, you can source SYSLOG from an IPv6 source address. So if you have a syslog server that listens on an IPv6 interface, you can send logs via the management interface or any layer-3 interface by using a service route.

 


5th, you can back up the configuration to an IPv6 host.






These are some of the basic items I've noticed in PAN-OS v7 with regard to IPv6.

