Have you ever had this scenario?
Nine out of 10 times you didn't associate the device with the correct device group.
It's always important to make sure the device ID is associated with the correct template/device group (tmpl/devgrp).
Title: Exploring the Top Firewalls: Enhancing Network Security
Introduction: In today's interconnected world, where cybersecurity threats are increasingly sophisticated, implementing robust network security measures has become paramount. Among the essential components of a comprehensive security infrastructure, firewalls play a crucial role. Firewalls act as a protective barrier between internal networks and external threats, filtering and monitoring network traffic to prevent unauthorized access. In this blog, we will explore some of the top firewalls available in the market, renowned for their features and effectiveness in safeguarding networks.
Cisco ASA: Cisco ASA (Adaptive Security Appliance) is a widely recognized and trusted firewall solution known for its advanced threat protection capabilities. It offers a broad range of features, including stateful packet inspection, intrusion prevention system (IPS), virtual private network (VPN) support, and application visibility and control. Cisco ASA provides granular control over network traffic and offers options for scalability, making it a popular choice for small to large enterprises.
Palo Alto Networks Next-Generation Firewall: Palo Alto Networks has established itself as a leader in network security, and their Next-Generation Firewall (NGFW) is highly regarded for its innovative approach to threat prevention. It combines traditional firewall functionality with advanced features such as application-aware security, user identification, and content filtering. Palo Alto firewalls leverage machine learning and artificial intelligence to detect and prevent sophisticated threats, making them an excellent choice for organizations focused on proactive security measures.
Fortinet FortiGate: Fortinet's FortiGate firewall series is widely deployed across various industries due to its comprehensive security capabilities and high-performance architecture. FortiGate firewalls offer a wide range of security features, including intrusion prevention, web filtering, application control, and sandboxing. They are known for their centralized management system, allowing administrators to efficiently monitor and control network security policies across multiple devices.
Check Point Next Generation Firewalls: Check Point is a leading provider of network security solutions, and their Next Generation Firewalls (NGFWs) are renowned for their robust security features. Check Point firewalls offer threat prevention capabilities such as application control, antivirus, URL filtering, and sandboxing. Their unified security management platform allows for simplified administration and comprehensive visibility into network traffic.
Juniper Networks SRX Series: The Juniper Networks SRX Series of firewalls combines traditional firewall functionality with advanced threat prevention capabilities. They offer features such as deep packet inspection, application identification, and virtualization support. Juniper firewalls provide flexible deployment options and are known for their high-performance architecture, making them suitable for networks with demanding security requirements.
Conclusion: Selecting the right firewall for your organization is crucial to ensuring robust network security. The firewalls mentioned above, including Cisco ASA, Palo Alto Networks Next-Generation Firewall, Fortinet FortiGate, Check Point Next Generation Firewalls, and Juniper Networks SRX Series, are among the top choices available today. Each firewall solution brings its unique set of features and strengths to the table. It's important to consider factors such as the organization's security requirements, scalability, ease of management, and integration capabilities when making a decision. By implementing a reliable firewall solution, organizations can strengthen their network defenses and protect sensitive data from ever-evolving cyber threats.
The REST API and the XML API are very simple to use. I'm going to show you a few examples.
First, with the REST API you pass your API key as a header: "X-PAN-KEY: biglogapikey".
Tip: You also have to specify the API version in the URL. If you specify the wrong version you will receive an error similar to:
:[{"code":1,"module":"panui_restapi","description":"Version Not Supported: v10.1"}]}]}%
Tip: If the key contains a typo, it will not work.
Tip: Do not add the key as an HTTP query string.
Examples:
restapi
# retrieve all objects from fw
curl -H "X-PAN-KEY:LUFRPT1zQ05XOHhPbXpFWk9GWTVFcXVaMkhDVTY4dEE9bFg3VnFtc3RlSGN1L1U2eGd1bVA3NGJRN0wwaUxkcEZVVlYvN1o5VTZ6cklsRi9QZjA4NEhqc1NkblJqd3FROQ==" -k "https://192.168.11.99/restapi/v10.0/Objects/Addresses?location=vsys&vsys=vsys1"
# all services
curl -H "X-PAN-KEY:LUFRPT1zQ05XOHhPbXpFWk9GWTVFcXVaMkhDVTY4dEE9bFg3VnFtc3RlSGN1L1U2eGd1bVA3NGJRN0wwaUxkcEZVVlYvN1o5VTZ6cklsRi9QZjA4NEhqc1NkblJqd3FROQ==" -k "https://192.168.11.99/restapi/v10.0/Objects/services?location=vsys&vsys=vsys1"
# addressGroups
curl -H "X-PAN-KEY:LUFRPT1zQ05XOHhPbXpFWk9GWTVFcXVaMkhDVTY4dEE9bFg3VnFtc3RlSGN1L1U2eGd1bVA3NGJRN0wwaUxkcEZVVlYvN1o5VTZ6cklsRi9QZjA4NEhqc1NkblJqd3FROQ==" -k "https://192.168.11.99/restapi/v10.0/Objects/AddressGroups?location=vsys&vsys=vsys1"
# security policies
curl -H "X-PAN-KEY:LUFRPT1zQ05XOHhPbXpFWk9GWTVFcXVaMkhDVTY4dEE9bFg3VnFtc3RlSGN1L1U2eGd1bVA3NGJRN0wwaUxkcEZVVlYvN1o5VTZ6cklsRi9QZjA4NEhqc1NkblJqd3FROQ==" -k "https://192.168.11.99/restapi/v10.0/Policies/SecurityRules?location=vsys&vsys=vsys1"
# NAT rules
curl -H "X-PAN-KEY:LUFRPT1zQ05XOHhPbXpFWk9GWTVFcXVaMkhDVTY4dEE9bFg3VnFtc3RlSGN1L1U2eGd1bVA3NGJRN0wwaUxkcEZVVlYvN1o5VTZ6cklsRi9QZjA4NEhqc1NkblJqd3FROQ==" -k "https://192.168.11.99/restapi/v10.0/Policies/NatRules?location=vsys&vsys=vsys1"
# zones
curl -H "X-PAN-KEY:LUFRPT1zQ05XOHhPbXpFWk9GWTVFcXVaMkhDVTY4dEE9bFg3VnFtc3RlSGN1L1U2eGd1bVA3NGJRN0wwaUxkcEZVVlYvN1o5VTZ6cklsRi9QZjA4NEhqc1NkblJqd3FROQ==" -k "https://192.168.11.99/restapi/v10.0/Network/zones?location=vsys&vsys=vsys1"
The XML API can take the key in an HTTP query string; just append it to the HTTP GET query.
xml-api
# list the devices xpath of the running config
curl -k 'https://csockets-panorama01.socpuppets.net/api/?type=op&cmd=<show><config><running><xpath>devices</xpath></running></config></show>&key=LUFRPT1wWno4WEprSHlqV1hkNGtuWllXckxXaVFtOWM9a0ZmdTlKMFQxZWRVMVhkd29pSVlqZU1JL2UvcVF6L1AvbmZKYUR3Yi8xeXdkS0XnedRscXk2Z043OWJMbEtpdw=='
# list shared xpath
curl -k 'https://csockets-panorama01.socpuppets.net/api/?type=op&cmd=<show><config><running><xpath>shared</xpath></running></config></show>&key=LUFRPT1wWno4WEprSHlqV1hkNGtuWllXckxXaVFtOWM9a0ZmdTlKMFQxZWRVMVhkd29pSVlqZU1JL2UvcVF6L1AvbmZKYUR3Yi8xeXdkS0XnedRscXk2Z043OWJMbEtpdw=='
# check operational mode
curl -k 'https://panorama01.socpuppets.net/api/?type=op&cmd=<show><operational-mode></operational-mode></show>&key=LUFRPT1lL0I0YkFhMFNIOUs1SDSiUFFBVDAvOXdxNjQ9WmNaa1JrblVuMEVubFBBNlVJT3loWk9VT0F5VThiK0s1UmFjTVhwa0oyVXVyV21YREFSeFFnZmFXVzUrb0luZw=='
# fetch the license
curl -k 'https://panorama01.socpuppets.net/api/?type=op&cmd=<request><license><fetch/></license></request>&key=LUFRPT1lL0I0YkFhMFNIOUs1SDSiUFFBVDAvOXdxNjQ9WmNaa1JrblVuMEVubFBBNlVJT3loWk9VT0F5VThiK0s1UmFjTVhwa0oyVXVyV21YREFSeFFnZmFXVzUrb0luZw=='
# show the license info
curl -k 'https://panorama01.socpuppets.net/api/?type=op&cmd=<request><license><info/></license></request>&key=LUFRPT1lL0I0YkFhMFNIOUs1SDSiUFFBVDAvOXdxNjQ9WmNaa1JrblVuMEVubFBBNlVJT3loWk9VT0F5VThiK0s1UmFjTVhwa0oyVXVyV21YREFSeFFnZmFXVzUrb0luZw=='
# display the system info (serial, sw-version, etc.)
curl -k 'https://panorama01.socpuppets.net/api/?type=op&cmd=<show><system><info></info></system></show>&key=LUFRPT1lL0I0YkFhMFNIOUs1SDSiUFFBVDAvOXdxNjQ9WmNaa1JrblVuMEVubFBBNlVJT3loWk9VT0F5VThiK0s1UmFjTVhwa0oyVXVyV21YREFSeFFnZmFXVzUrb0luZw=='
# save the config file
curl -k 'https://panorama01.socpuppets.net/api/?type=op&cmd=<save><config><to>config.save</to></config></save>&key=LUFRPT1lL0I0YkFhMFNIOUs1SDSiUFFBVDAvOXdxNjQ9WmNaa1JrblVuMEVubFBBNlVJT3loWk9VT0F5VThiK0s1UmFjTVhwa0oyVXVyV21YREFSeFFnZmFXVzUrb0luZw=='
Here's an example of the license info output:
The XML API is sometimes slightly harder to use, but it covers many more items, since anything available from the show, operational and commit commands can be done with it.
The REST API is easier, but if you ever upgrade your firewall and have scripts with the API version hard-coded, that version will come back and haunt you.
I've always found myself using a combination of REST and XML API calls.
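The two REST API points above (key in the X-PAN-KEY header, version in the URL path, and the "Version Not Supported" error when the version is wrong) and the upgrade problem just mentioned can be handled in one place. The following wrapper is an added example, not code from the original post: it derives the REST version from the firewall's own sw-version at run time instead of hard-coding v10.0, and recognises the error body shown earlier. PAN_HOST and PAN_API_KEY are assumed to be set in the environment, and the sample responses it is checked against are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a small wrapper around the PAN-OS REST API
# that sends the key in the X-PAN-KEY header, derives the REST API version from the
# firewall's own sw-version instead of hard-coding it, and recognises the
# "Version Not Supported" error. PAN_HOST and PAN_API_KEY are assumed to be set in the
# environment (hypothetical names); sample responses used for checking are constructed.

# rest_version: map a PAN-OS sw-version such as "10.1.6-h3" to the REST API version
# "v10.1" (REST API versions track the major.minor release).
rest_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/v\1.\2/p'
}

# sw_version_from_sysinfo: pull <sw-version> out of an XML API "show system info" reply.
sw_version_from_sysinfo() {
    printf '%s\n' "$1" | sed -n 's/.*<sw-version>\([^<]*\)<\/sw-version>.*/\1/p' | head -n 1
}

# rest_error: on a REST error body print "code:description" and return 1; on a success
# body print nothing and return 0. Error bodies carry a numeric "code":N inside
# "causes"; success bodies only carry the quoted "@code":"19".
rest_error() {
    body=$1
    code=$(printf '%s' "$body" | sed -n 's/.*"code":\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        desc=$(printf '%s' "$body" | sed -n 's/.*"description":"\([^"]*\)".*/\1/p' | head -n 1)
        printf '%s:%s\n' "$code" "$desc"
        return 1
    fi
    return 0
}

# pan_rest <path-after-version> [<query>]: GET a REST resource, e.g.
#   pan_rest Objects/Addresses                          (defaults to vsys1)
#   pan_rest Policies/SecurityRules 'location=vsys&vsys=vsys2'
pan_rest() {
    path=$1
    query=$2
    [ -n "$query" ] || query='location=vsys&vsys=vsys1'
    # Ask the box which PAN-OS it runs (XML API op command; the X-PAN-KEY header is
    # accepted there too on PAN-OS 9.0+) so the REST path never hard-codes a version.
    # -k is kept only because the post's lab box has a self-signed cert; prefer --cacert.
    sysinfo=$(curl -sS --fail -k -G -H "X-PAN-KEY: $PAN_API_KEY" \
        --data-urlencode 'type=op' \
        --data-urlencode 'cmd=<show><system><info></info></system></show>' \
        "https://$PAN_HOST/api/") || return 1
    ver=$(rest_version "$(sw_version_from_sysinfo "$sysinfo")")
    [ -n "$ver" ] || { echo "could not determine the PAN-OS version from show system info" >&2; return 1; }
    body=$(curl -sS -k -H "X-PAN-KEY: $PAN_API_KEY" "https://$PAN_HOST/restapi/$ver/$path?$query") || return 1
    err=$(rest_error "$body") || { echo "REST error $err" >&2; return 1; }
    printf '%s\n' "$body"
}

# Only talk to a firewall when one is configured; otherwise just define the helpers.
if [ -n "${PAN_HOST:-}" ] && [ -n "${PAN_API_KEY:-}" ]; then
    pan_rest Objects/Addresses
fi
```

Because the version is looked up on every call, the same script keeps working after an upgrade from 10.0 to 10.1, and a wrong-version reply is reported as "REST error 1:Version Not Supported: ..." instead of being silently saved as data.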
One of my colleagues was discussing a way to back up Panorama config versions with the "Scheduled Config Export" option that Palo Alto provides.
The problem with Scheduled Config Export is that the saved file does not carry a timestamp in its name.
By using the API you can add the timestamp yourself with the date command:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-use-cases/query-a-firewall-from-panorama-api
e.g.
Create the API key: curl -k -X GET 'https://panorama.socpuppets.com/api/?type=keygen&user=kfelix&password=ChangeME2023%21%40%23'
Run the API call every hour and download the file: curl -o panorama.`date +%F-%H-%M-%S`.xml -k 'https://panorama.socpuppets.com/api/?type=op&cmd=<show><config><running><%2Frunning><%2Fconfig><%2Fshow>&key=LUFRPT1lL0I0YkFhMFNIOUs1RDRiUFFBVDAvOXdxNjQ9WmNaa1JrblVuMEVubFBBNlVJT3loWk9VT0F5VThiK0s1UmFjTVhwa0oyVJJyV21YREFSeFFnZmFXVzUrb0luZw=='
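The hourly call above saves whatever the Panorama returns, including an error reply, under a fresh timestamped name. The script below is an added example, not from the original post, that wraps the same show config running call with the checks a scheduled backup needs: it keeps the key out of the URL (the X-PAN-KEY header is accepted by the XML API on PAN-OS 9.0 and later), only keeps a reply that is a <response status="success"> document, and prunes old copies. PANORAMA_HOST, PAN_API_KEY, BACKUP_DIR and BACKUP_KEEP are hypothetical environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): timestamped backup of the Panorama running
# config over the XML API, meant to be called hourly from cron. It writes to a temporary
# file, refuses to keep anything that is not a <response status="success"> document
# (a login page or error reply is not a backup), then prunes old copies.
# Assumptions (hypothetical, set for your environment): PANORAMA_HOST, PAN_API_KEY
# (generated with type=keygen as shown above, supplied from a root-only file rather than
# written into the script), BACKUP_DIR and BACKUP_KEEP (number of files to retain).

# backup_filename [epoch-seconds]: panorama.<YYYY-MM-DD-HH-MM-SS>.xml in UTC; the optional
# epoch argument makes the name reproducible (GNU date -d, with a BSD date -r fallback).
backup_filename() {
    when=${1:-$(date +%s)}
    stamp=$(date -u -d "@$when" +%F-%H-%M-%S 2>/dev/null || date -u -r "$when" +%F-%H-%M-%S)
    printf 'panorama.%s.xml\n' "$stamp"
}

# response_ok <file>: every XML API reply is wrapped in <response status="...">;
# only a success reply is worth keeping.
response_ok() {
    grep -q '<response status="success"' "$1"
}

# fetch_backup: download the running config into BACKUP_DIR and print the file name.
fetch_backup() {
    dir=${BACKUP_DIR:-.}
    out="$dir/$(backup_filename)"
    tmp="$out.part"
    # The key goes in the X-PAN-KEY header (accepted by the XML API on PAN-OS 9.0+) rather
    # than the query string, so it does not land in URL logs or `ps` output. -G with
    # --data-urlencode URL-encodes the <show> command; --fail turns an HTTP error into a
    # non-zero exit. -k is kept only because the post's Panorama has a self-signed
    # certificate; pin the CA with --cacert instead where you can.
    if curl -sS --fail -k -G -H "X-PAN-KEY: $PAN_API_KEY" \
            --data-urlencode 'type=op' \
            --data-urlencode 'cmd=<show><config><running></running></config></show>' \
            -o "$tmp" "https://$PANORAMA_HOST/api/" \
       && response_ok "$tmp"; then
        mv "$tmp" "$out"
        printf '%s\n' "$out"
    else
        rm -f "$tmp"
        echo "backup failed: no success response from $PANORAMA_HOST" >&2
        return 1
    fi
}

# prune_backups <dir>: keep the newest BACKUP_KEEP (default 48, two days of hourly runs)
# panorama.*.xml files; the timestamp in the name sorts chronologically.
prune_backups() {
    dir=$1
    keep=${BACKUP_KEEP:-48}
    ls -1 "$dir"/panorama.*.xml 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do
        rm -f "$old"
    done
}

# Run the backup only when a Panorama is configured, e.g. from cron (hypothetical paths):
#   0 * * * *  PANORAMA_HOST=panorama.example.net BACKUP_DIR=/var/backups/panorama /usr/local/sbin/panorama-backup.sh
if [ -n "${PANORAMA_HOST:-}" ] && [ -n "${PAN_API_KEY:-}" ]; then
    fetch_backup && prune_backups "${BACKUP_DIR:-.}"
fi
```

The write-to-.part-then-rename step matters for the same reason as the status check: a half-transferred file from a Panorama that rebooted mid-export should never be mistaken for a good backup by whoever restores from the directory later.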
I was working in my day job with a customer that has a SonicWall, and they needed to change from specific proxy IDs for src/dst to 0.0.0.0/0:0.
In order to do this you need to change the VPN from site-to-site to tunnel mode. Check out the screenshots of the two modes and notice how the "Network" option disappears when you switch to tunnel mode.
So I was doing some work for a friend of mine in the Market Delivery Network who's using a Linux host, and we ran into an issue where our IPsec tunnel was up but the GRE encapsulation over the tunnel was not working.
We had put this design into place over 2 years ago; it was then moved to a new host and had issues. So I was scratching my head to figure out what was happening.
What we found was that the GRE interface had TX errors:
So after hours and hours recreating the GRE interface, I finally figured out that the source IP of our gre1 interface was not configured, so the tunnel had no address to source the GRE traffic from.
Once we set up the source IP on a dummy interface, the tunnel came up and our PIM neighborship was established.
Sample dummy1 interface sysconfig:
[root@host01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-dummy1
# DEVICE must match the ifcfg-<name> suffix, otherwise ifup brings up the wrong interface
DEVICE=dummy1
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
BRIDGE=virbr10
IPV6INIT=no
# /32 host address used as the GRE tunnel source (the CERT01B leftsubnet below)
IPADDR=10.247.0.39
NETMASK=255.255.255.255
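The root cause above (GRE interface with no usable local address, so every packet fails on transmit) is easy to check for mechanically. The script below is an added example, not from the original post: its helper functions parse `ip link show`, `ip -o -4 addr show` and `ip -s link show` output to confirm that the GRE interface has a local address and that the address is actually assigned to some interface on the host, and the `apply` branch performs the fix the post describes. The interface names and addresses (gre1, dummy1, 10.247.0.39, 10.247.254.1) are taken from the post's config; the sample `ip` output it is checked against is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): health check for a GRE-over-IPsec tunnel
# on a Linux host. The failure described above (IPsec up, GRE dead, TX errors on gre1)
# shows up as a GRE interface whose local address is 0.0.0.0, or an address that is not
# configured on any interface. Names/addresses default to the post's values; adjust
# via the environment (GRE_IF, GRE_LOCAL, GRE_REMOTE are hypothetical names).

GRE_IF=${GRE_IF:-gre1}
GRE_LOCAL=${GRE_LOCAL:-10.247.0.39}
GRE_REMOTE=${GRE_REMOTE:-10.247.254.1}

# gre_local_addr <ip link show output>: print the tunnel source from the
# "link/gre <local> peer <remote>" line; the kernel shows 0.0.0.0 when none is set.
gre_local_addr() {
    printf '%s\n' "$1" | awk '$1 == "link/gre" { print $2; exit }'
}

# addr_is_configured <addr> <ip -o -4 addr show output>: 0 when <addr> is assigned
# to some interface (field 4 is "addr/prefix" in one-line output).
addr_is_configured() {
    printf '%s\n' "$2" | awk -v a="$1" '
        BEGIN { want = a "/" }
        $3 == "inet" && index($4, want) == 1 { found = 1 }
        END { exit !found }'
}

# tx_errors <ip -s link show output>: print the TX errors counter (third column of
# the line that follows the "TX:" header).
tx_errors() {
    printf '%s\n' "$1" | awk '/^ *TX:/ { getline; print $3; exit }'
}

# gre_source_check <ip link show output> <ip -o -4 addr show output>: 0 when the GRE
# interface has a source address that exists on the host, 1 otherwise.
gre_source_check() {
    local_ip=$(gre_local_addr "$1")
    if [ -z "$local_ip" ] || [ "$local_ip" = "0.0.0.0" ]; then
        echo "FAIL: $GRE_IF has no local (source) address; GRE packets cannot be sourced" >&2
        return 1
    fi
    if ! addr_is_configured "$local_ip" "$2"; then
        echo "FAIL: tunnel source $local_ip is not assigned to any interface (missing on dummy1?)" >&2
        return 1
    fi
    echo "OK: $GRE_IF sources from $local_ip"
}

# Run live checks or apply the fix only when asked; with no argument only the helpers
# are defined.
case "${1:-}" in
    check)
        gre_source_check "$(ip link show "$GRE_IF")" "$(ip -o -4 addr show)"
        echo "TX errors on $GRE_IF: $(tx_errors "$(ip -s link show "$GRE_IF")")"
        ;;
    apply)
        # What fixed the post's host: give the source address a home on a dummy
        # interface and make the GRE interface use it as its local address.
        ip link add dummy1 type dummy 2>/dev/null || true
        ip addr replace "$GRE_LOCAL/32" dev dummy1
        ip link set dummy1 up
        ip tunnel add "$GRE_IF" mode gre local "$GRE_LOCAL" remote "$GRE_REMOTE" ttl 255 2>/dev/null \
            || ip tunnel change "$GRE_IF" mode gre local "$GRE_LOCAL" remote "$GRE_REMOTE" ttl 255
        ip link set "$GRE_IF" up
        ;;
esac
```

Run it as `sh gre-check.sh check` after the IPsec tunnel comes up (or from the strongSwan updown script); a rising TX errors counter together with a FAIL line points straight at the source address rather than at phase 2, which is where the hours went in the story above.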
Sample ipsec.conf (strongSwan):
# CERT FEEDS 69.50.112.0/25    CERT/NR A-Feed/B-Feed MDP Source Range
# CERT FEEDS 69.50.112.128/25  CERT/NR Mediator IP Source Range
# CERT FEEDS 69.50.112.254/32  CERT/NR A-Feed/B-Feed RP
conn CERT01
    type=tunnel
    compress=no
    authby=secret
    left=<my public address>
    right=164.74.129.26
    ikelifetime=86400s
    lifetime=3600s
    keyexchange=ikev1
    keyingtries=%forever
    rekey=yes
    auto=start
    # proposals must match the remote peer; SHA-1 and modp1024 are legacy choices
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    #dpdtimeout=120s
    #dpdaction=restart
conn CERT01A
    # phase2 for unicast traffic, e.g. order entry, CME group
    leftsubnet=10.247.39.64/26
    rightsubnet=69.50.112.128/25
    also=CERT01
# phase2 for GRE and multicast, CME group
conn CERT01B
    leftsubnet=10.247.0.39/32
    rightsubnet=10.247.254.1/32
    also=CERT01
    leftupdown=/etc/strongswan/cme_mcast.sh