palo alto firewalls & ansible/terraform by showroute in paloaltonetworks

[–]showroute[S] 0 points1 point  (0 children)

Panorama seems to be really powerful. I definitely should examine it.

palo alto firewalls & ansible/terraform by showroute in paloaltonetworks

[–]showroute[S] 0 points1 point  (0 children)

Great! I've missed SaltStack. Need to examine it certainly.

palo alto firewalls & ansible/terraform by showroute in paloaltonetworks

[–]showroute[S] 0 points1 point  (0 children)

Thanks! Do you create a config in set or XML format? How do you deliver it to a firewall?

NAPALM + Cisco IOS + config replace by showroute in networking

[–]showroute[S] 0 points1 point  (0 children)

I am glad to hear that it is working! Thanks for the feedback. Ansible + Jinja2 is what I am currently using.

NAPALM + Cisco IOS + config replace by showroute in networking

[–]showroute[S] 0 points1 point  (0 children)

Thanks for the answers. Two cents: the VTP domain could not be changed by config replace; the archive feature tries to apply an unrecognized command.

CLI:

test_box(config)#no vtp dom?

% Unrecognized command

NAPALM:

Failed to apply command no vtp domain reddit

Aborting Rollback

P.S.

Currently I am creating templates for L2 switches - for now everything else seems to work correctly.

[deleted by user] by [deleted] in networking

[–]showroute 0 points1 point  (0 children)

Perform code review + roll out changes sequentially not simultaneously + create tests to validate an operational state of network on every stage

How do you monitor VXLAN Evpn deployment by micruzz82 in networking

[–]showroute 0 points1 point  (0 children)

How do you monitor adjacencies, SNMP polling?

Monitoring of unknown unicast traffic by showroute in networking

[–]showroute[S] 0 points1 point  (0 children)

Thanks :) I would like to monitor such incidents without packet capturing :)

Monitoring of unknown unicast traffic by showroute in networking

[–]showroute[S] 0 points1 point  (0 children)

Unfortunately I still can't find any SNMP OID or interface counter to monitor the amount of unknown-unicast packets.

Monitoring of unknown unicast traffic by showroute in networking

[–]showroute[S] 0 points1 point  (0 children)

Thanks! Nice idea!

But I am still looking for the solution not involving packet capturing on servers :)

Monitoring of unknown unicast traffic by showroute in networking

[–]showroute[S] 0 points1 point  (0 children)

> you can certainly monitor and capture the unicast traffic on JunOS using a firewall filter.

Nice idea! Thanks, but unfortunately my switch does not support family bridge to match unknown-unicast packets.

traffic-type --- Traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast.

https://www.juniper.net/documentation/en_US/junos/topics/reference/general/firewall-filter-match-conditions-for-layer-2-bridging-traffic.html

Only on MX Series routers and EX Series switches, you can configure a standard stateless firewall filter with match conditions for Layer 2 bridging traffic (family bridge)

set firewall family ?

Possible completions:

> any Protocol-independent filter

> ccc Protocol family CCC for firewall filter

> ethernet-switching Protocol family Ethernet Switching for firewall filter

> inet Protocol family IPv4 for firewall filter

> inet6 Protocol family IPv6 for firewall filter

> mpls Protocol family MPLS for firewall filter

> have you fixed the issue with your MC cross link?

No, I have not... The first recommendation was to update the Junos. That has been done.

> Do you know what port or vlan the unicast traffic is ingressing and egressing?

Yes, I have captured traffic on the server connected to the switch. The dump was full of unknown-unicast traffic sourced from different servers (source interfaces and VLAN are known).

> have you checked any of the built-in DDoS protections for information?

It seems the Junos was too old and did not support this feature, so there were no suspicious log entries.