Monday, February 3, 2014

Palo Alto Firewall Appliance PA-VM - Useful Commands

If you have ever worked on a Juniper box with the JUNOS CLI, you will feel at home when working on the Palo Alto firewall appliance.

Operational Mode and Configuration Modes
username@hostname> (Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
username@hostname# (Configuration mode)

Moving between Modes
up—changes the context to one level up in the hierarchy.
Example:
[edit network interface] (network level)
username@hostname# up
[edit network]

username@hostname# (now at the network level)

top—changes context to the top level of the hierarchy.
Example:
[edit network interface vlan] (network interface vlan level)
username@hostname# top
[edit]
username@hostname# (now at the top level)

Changing modes
username@hostname# exit

Software Version, Mgmt Address etc.
admin@PA-VM> show system info

Grep/Match
admin@PA-VM> show system info | match model
model: PA-VM

Find commands with following keyword
username@hostname# find command keyword hsm

Restart Appliance
>request restart system

Show Configuration Hierarchy
username@hostname# show network interface ethernet
ethernet {
  ethernet1/1 {
    virtual-wire;
  }
  ethernet1/2 {
    virtual-wire;
  }
  ethernet1/3 {
    layer2 {
      units {
        ethernet1/3.1;
      }
    }
  }
  ethernet1/4;
}
[edit]
username@hostname#

Configure IP Address to a given Port

Assign the IP address/netmask 10.1.1.12/24 to the Layer 3 interface on Ethernet port ethernet1/4 (note the space between the ip keyword and the address):
[edit]
username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24
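The brace-style hierarchy printed by "show network interface ethernet" maps one-to-one onto "set" commands such as the one above (the same idea as JUNOS "show | display set"). The following is an added example, not part of the original post: it flattens a constructed sample of that hierarchy into paste-able set commands and reports unbalanced braces instead of silently emitting a truncated command list.

```python
from typing import List

# Constructed sample, modelled on the "show network interface ethernet" output on this page.
SAMPLE_HIERARCHY = """\
ethernet {
  ethernet1/1 {
    virtual-wire;
  }
  ethernet1/3 {
    layer2 {
      units {
        ethernet1/3.1;
      }
    }
  }
  ethernet1/4 {
    layer3 {
      ip 10.1.1.12/24;
    }
  }
}
"""


def hierarchy_to_set(text: str, prefix: str = "network interface") -> List[str]:
    """Flatten a brace-style hierarchy into 'set <prefix> <path...> <leaf>' lines.
    '{' pushes one level, '}' pops it and every 'leaf;' line becomes a command.
    """
    path: List[str] = []
    commands: List[str] = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if not path:
                raise ValueError(f"line {number}: '}}' without matching '{{'")
            path.pop()
        elif line.endswith(";"):
            commands.append(" ".join(["set", prefix, *path, line[:-1].strip()]))
        else:
            raise ValueError(f"line {number}: unrecognised {raw!r}")
    if path:  # ran out of input while still inside a block
        raise ValueError("hierarchy ends inside " + " ".join(path))
    return commands
```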

Check pending changes (uncommitted)
username@hostname# check pending-changes

Save a snapshot of the firewall configuration or the device state files
username@hostname# save config to savefile

Get Hw Address of Interfaces
show system state | match hwaddr

Routing Table

> show routing route


Show running-configuration
admin@PA-VM#show

Logs
admin@PA-VM> less mp-log  ? (you will see all possible logs)

Packet Capture:-
admin@PA-VM> debug dataplane packet-diag set log on 
admin@PA-VM> debug dataplane packet-diag set filter on
admin@PA-VM> debug dataplane packet-diag set filter match source <ip Address>
Removing Filters
If the show setting command lists two filters and we want to remove one of them, we can use
admin@PA-VM> debug dataplane packet-diag clear filter <filter number>
Export pcap file
scp export filter-pcap from <file> to <SCP_serv>
Viewing packets hitting the filter in live mode
admin@PA-VM> view-pcap follow yes filter-pcap test1_capture
Show Packet Capture Setting
admin@PA-VM> debug dataplane packet-diag show setting

Management Traffic Capture:-

The management interface is eth0
admin@PA-VM> tcpdump filter "dst 49.0.0.254"
Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
11 packets captured
22 packets received by filter
0 packets dropped by kernel

admin@PA-VM> tcpdump filter "dst 49.0.0.254"
admin@PA-VM> view-pcap mgmt-pcap mgmt.pcap

Show all Sessions
>show session all

Monday, January 27, 2014

F5-BIG-IP Redundancy Configuration

Used BIG-IP Config Utility (GUI) to setup the Redundancy.

Followed Steps as mentioned in Creating an Active-Standby Configuration Using the Setup Utility

    | external                 external |
    |                                   |
[bigip1]-----------------------------[bigip2]
    |   HA                        HA    |
    | internal                internal  |

Three different networks need to be configured, one each for the internal, external and HA VLANs.

After assigning IP addresses to each interface (internal, external and HA), make sure you can ping the external, internal and HA interfaces of the other BIG-IP appliance from each BIG-IP appliance.

You need to create Floating IP for internal and external interfaces only. This configuration has to be done on each bigip appliance.

After the second device has discovered (Steps in "Discovering a peer device" Section in Creating an Active-Standby Configuration Using the Setup Utility) the first device, the two devices have a trust relationship and constitute a two-member device group. Also, each device in the pair contains a default traffic group named Traffic-Group-1. By default, this traffic group contains the floating IP addresses that you defined for VLANs internal and external.

At this point both devices are paired, and the prompt changes to Active (bigip2 in my case):-
root@(bigip2)(cfg-sync Awaiting Initial Sync)(Active)(/Common)(tmos)#

and on standby it looks like

root@(bigip1)(cfg-sync Awaiting Initial Sync)(Standby)(/Common)(tmos)#


Go ahead and change some config on e.g. bigip2 (say, create a pool and add a member node to it). You will see the prompt change to "Changes Pending" on both Active and Standby, as below:-
root@(bigip2)(cfg-sync Changes Pending)(Active)(/Common)(tmos)#

root@(bigip1)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)#

Now it's time to sync the config.

Follow Synchronizing the BIG-IP configuration section. If all goes well, then the prompt changes to:-
root@(bigip2)(cfg-sync In Sync)(Active)(/Common)(tmos)#
root@(bigip1)(cfg-sync In Sync)(Standby)(/Common)(tmos)#

You can also verify that the config done on Active (bigip2) is now present on Standby (bigip1).
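The tmsh prompt encodes the two states that matter for a pair: the cfg-sync status and the failover role. As an added example (not part of the original post), this parses prompts captured from a terminal session, such as the ones quoted above, and flags a pair whose units are not all "In Sync" with exactly one Active member, which is the condition under which a failover would run a different configuration than the current Active unit. The prompt format is the one shown in this post; the license-time "[root@localhost:Active:Standalone]" form is not covered.

```python
import re
from typing import Dict, List

# Prompt layout as shown on this page:
#   root@(bigip2)(cfg-sync Changes Pending)(Active)(/Common)(tmos)#
PROMPT_RE = re.compile(
    r"^(?P<user>[^@]+)@\((?P<host>[^)]+)\)"
    r"\(cfg-sync (?P<sync>[^)]+)\)"
    r"\((?P<failover>[^)]+)\)"
    r"\((?P<partition>[^)]+)\)\(tmos\)#"
)

# Constructed from the prompts quoted in this post.
PENDING_PAIR = [
    "root@(bigip2)(cfg-sync Changes Pending)(Active)(/Common)(tmos)#",
    "root@(bigip1)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)#",
]
SYNCED_PAIR = [
    "root@(bigip2)(cfg-sync In Sync)(Active)(/Common)(tmos)#",
    "root@(bigip1)(cfg-sync In Sync)(Standby)(/Common)(tmos)#",
]


def parse_prompt(prompt: str) -> Dict[str, str]:
    """Split a tmsh prompt into user/host/sync/failover/partition fields."""
    match = PROMPT_RE.match(prompt.strip())
    if not match:
        raise ValueError(f"not a tmsh prompt: {prompt!r}")
    return match.groupdict()


def pair_problems(prompts: List[str]) -> List[str]:
    """Return the reasons an HA pair is unhealthy; an empty list means healthy.

    Healthy: every unit reports 'In Sync', each is Active or Standby, and
    exactly one unit is Active.
    """
    devices = [parse_prompt(p) for p in prompts]
    problems: List[str] = []
    for dev in devices:
        if dev["sync"] != "In Sync":
            problems.append(f"{dev['host']}: cfg-sync is '{dev['sync']}'")
        if dev["failover"] not in ("Active", "Standby"):
            problems.append(f"{dev['host']}: failover state '{dev['failover']}'")
    active = [dev["host"] for dev in devices if dev["failover"] == "Active"]
    if len(active) != 1:
        problems.append(f"expected exactly one Active unit, found {active}")
    return problems
```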

Sync status for device groups

F5-BIG-IP LTM Useful Commands

Version
(tmos)# show sys version
11.4.1

Running Config
root@(bigip1)(cfg-sync Disconnected)(Active)(/Common)(tmos)# show running-config 

Save Configuration
tmsh sys save config 
or
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf

Show IP Address of All Interfaces
 tmsh show sys ip-address 

Transferring files to or from an F5 system
scp -p <local_filename> <username>@<server>:<remote_filename>
scp -p myfile.bin root@10.90.101.50:/var/tmp/myfile.bin

Failover of Active BIG-IP
run /sys failover standby

Logging on BIG-IP
Configuring the BIG-IP system to log TCP RST packets

Auto-Last Hop Feature
Good Blog on Auto-Last-Hop

BIG-IP IP Interface Configuration

BIG-IP VLAN Configuration


Sunday, January 26, 2014

Howto License F5 BIG-IP LTM Appliance

Licensing an F5 BIG-IP® Local Traffic Manager™ (LTM) Virtual Edition (VE) is a multi-step process. Let me run through it step by step.

These steps assume the following:-

  1. You already know how to bring up the BIG-IP virtual appliance on your hypervisor. I used KVM for this.
  2. You have already got the 'Registration Key' from F5 to activate this appliance.

Steps

  1. Bring up the BIG-IP virtual appliance (Login: root Password: default)
  2. Assign an IP address to it (use the 'config' command on the BIG-IP to assign IP, subnet and default gateway), so that it can be accessed via your web browser.
  3. This is how a non-licensed BIG-IP's prompt looks:-
     [root@localhost:NO LICENSE:Standalone] config #
  4. Open the web interface to the BIG-IP at https://<mgmtIP> (Login: admin Password: admin)
  5. Go to Setup Utility->License and select the Manual method (make sure you already have the "Registration Key", typically a 25-digit value).
  6. Enter the Registration Key and press Next.
  7. A Dossier is generated by the BIG-IP (based on your Registration Key). Copy this Dossier and click on Step 2, which opens a new window and takes you to F5's licensing server, i.e. F5 Licencing Server
  8. Enter the Dossier here and click Next.
  9. Accept the Licensing Agreement here and click Next.
  10. The next page has your License. Copy the whole License.
  11. Now go back to the local BIG-IP browser window from which you got the Dossier (see Step 6 above), where you will see "Step 3: License". Paste the License here and click Next.
  12. If all goes fine, your device is licensed and activated.
  13. Note that the prompt now changes to (with the word 'Active'):-
      [root@localhost:Active:Standalone] config #




Thursday, January 9, 2014

BIG-IP VM Appliance Configuration (KVM)

Hypervisor: KVM
Host OS: Centos 

VM Minimum Requirements:-
1. Cores 2
2. Memory 4 Gig

Get the qcow2 image of the Appliance VM

Deploying VM:-
I used Virtual Machine Manager to create the VM. 

Some VM properties:-
Target Dev: virtio
Boot Options: From HDD

The VM comes up with a single interface. You can add two or more interfaces (for internal, external and HA).

Other details regarding Deployment are explained at following link:- BIG-IP VE KVM deployment

The management port is eth0 with the default address 192.168.1.245/24 (you need to change this to match your management network).

After the VM is started, you can go to the VM's console from Virtual Machine Manager.
Username: root Password: default

You can now get to the BIG-IP Configuration Utility via any browser at https://<mgt IP>
Login: admin Password: admin

Now you need to license the VM. Once the license is in place, the prompt shows 'Active', e.g.
[root@hostname:Active]#