Configure inter-VLAN routing in a Palo Alto firewall

When I need to implement inter-VLAN routing in a small or branch office, I prefer to have the firewall do it rather than a Layer 3 switch, for the following reasons:

– you do not need an expensive Layer 3 switch in a small office

– you can control access from one VLAN to another at the port and application level, so you do not have to blindly open all traffic between VLANs, and you avoid unnecessary traffic flows

– the firewall has built-in features such as the Dashboard and traffic logs that show who accessed what between VLANs in a readable form, whereas with a Layer 3 switch you need a syslog server before you can review its logs at all

So here I am configuring a PA-200 firewall for one-arm routing, also called router on a stick: a single physical firewall interface carries all the VLANs as 802.1Q-tagged sub-interfaces, and the firewall routes (and filters) between them.

[Diagram: Palo Alto firewall inter-VLAN routing]

Paloalto Firewall Configuration

Palo Alto Networks support has a detailed document explaining the steps: download the Paloalto Firewall Design Guide.pdf and see Section 4.8. I will not repeat those steps here, but one thing worth conveying is how simple inter-VLAN routing is to configure on a Palo Alto firewall. All you need are these two steps:

1) Configure the interface, its sub-interfaces (one per VLAN tag) and the zone each one belongs to (I have attached a screenshot as an example from one of my PA firewalls)

2) Allow the required traffic from one zone to another in Security Policies, permitting only the applications and ports each VLAN actually needs rather than any/any, and you are done on the firewall side.

[Screenshot: Palo Alto sub-interfaces for inter-VLAN routing]

Switch Configuration

Configure the switch port that connects to the firewall as an 802.1Q trunk:

(config)# interface gi 0/24
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
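As an added example (not code from the post or from Palo Alto Networks), the following Python script assembles the two firewall steps and the matching switch trunk from one VLAN table, checks the table before it emits anything, and lints the inter-VLAN rules for the any-application rule the post warns against. The interface, zone, address and rule names are made up, and the PAN-OS set command forms are my reading of the CLI rather than something the post shows; verify them against your PAN-OS release before pasting.

```python
"""Router-on-a-stick on a PAN-OS firewall: generate the pieces and lint the
inter-VLAN rules.  Added example, not code from the post or from Palo Alto
Networks.  VLAN numbers, zones, addresses and rule names are made up; the
'set' command forms are my reading of the PAN-OS CLI, so check them against
your PAN-OS version before pasting.
"""
from dataclasses import dataclass

PARENT_IF = "ethernet1/1"   # the one physical firewall port on the trunk
VROUTER = "default"


@dataclass(frozen=True)
class Vlan:
    tag: int        # 802.1Q tag carried on the trunk, 1-4094
    zone: str       # security zone the tagged sub-interface joins
    gateway: str    # firewall address on that VLAN, e.g. 192.168.10.1/24


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    applications: tuple       # App-ID names; ("any",) defeats the purpose
    service: str = "application-default"


def validate(vlans):
    """Reject tags outside 802.1Q range, duplicate tags, and shared zones;
    two VLANs in one zone cannot be separated by interzone policy."""
    tags = [v.tag for v in vlans]
    bad = [t for t in tags if not 1 <= t <= 4094]
    if bad:
        raise ValueError(f"VLAN tag(s) out of range: {bad}")
    if len(set(tags)) != len(tags):
        raise ValueError("duplicate VLAN tags")
    if len({v.zone for v in vlans}) != len(vlans):
        raise ValueError("each VLAN needs its own zone")


def panos_commands(vlans, rules):
    """One sub-interface, virtual-router membership and zone per VLAN, then
    the security rules, as PAN-OS 'set' commands."""
    validate(vlans)
    cmds = []
    for v in vlans:
        sub = f"{PARENT_IF}.{v.tag}"
        cmds += [
            f"set network interface ethernet {PARENT_IF} layer3 units {sub} tag {v.tag}",
            f"set network interface ethernet {PARENT_IF} layer3 units {sub} ip {v.gateway}",
            f"set network virtual-router {VROUTER} interface {sub}",
            f"set zone {v.zone} network layer3 {sub}",
        ]
    for r in rules:
        apps = " ".join(r.applications)
        cmds.append(
            f'set rulebase security rules "{r.name}" from {r.src_zone} to {r.dst_zone} '
            f"source any destination any application [ {apps} ] "
            f"service {r.service} action allow")
    return cmds


def switch_commands(vlans, port="GigabitEthernet0/24"):
    """The matching Cisco trunk, pruned to the firewall's VLANs, with DTP
    turned off because the firewall does not speak it."""
    allowed = ",".join(str(v.tag) for v in sorted(vlans, key=lambda v: v.tag))
    return [f"interface {port}",
            " switchport trunk encapsulation dot1q",
            " switchport mode trunk",
            f" switchport trunk allowed vlan {allowed}",
            " switchport nonegotiate"]


def lint_rules(rules):
    """Names of interzone rules that allow every application or every
    service: those give away the reason for routing on the firewall."""
    findings = []
    for r in rules:
        if r.src_zone != r.dst_zone and "any" in r.applications:
            findings.append(f"{r.name}: application any from {r.src_zone} to {r.dst_zone}")
        if r.src_zone != r.dst_zone and r.service == "any":
            findings.append(f"{r.name}: service any from {r.src_zone} to {r.dst_zone}")
    return findings


# Made-up branch office: three VLANs, each in its own zone.
VLANS = [Vlan(10, "Users", "192.168.10.1/24"),
         Vlan(20, "Servers", "192.168.20.1/24"),
         Vlan(30, "Printers", "192.168.30.1/24")]
RULES = [Rule("Users-to-Servers", "Users", "Servers", ("ms-rdp", "ssl", "dns")),
         Rule("Users-to-Printers", "Users", "Printers", ("ipp", "lpd")),
         Rule("Servers-to-Printers", "Servers", "Printers", ("any",))]   # too broad

if __name__ == "__main__":
    print("\n".join(switch_commands(VLANS)))
    print("\n".join(panos_commands(VLANS, RULES)))
    for finding in lint_rules(RULES):
        print("LINT:", finding)
```

Running it prints the trunk configuration with the allowed-VLAN list pruned to the firewall's VLANs, the PAN-OS set commands, and a LINT line for the Servers-to-Printers rule. The zone check matters: if two VLANs land in the same zone, traffic between them is intrazone and the interzone rules never see it.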

Review of Web-based Password Managers

Web-based password management tools such as Password Vault Manager promise easy and secure management of all your passwords and sensitive information in one central location. When you first evaluate them they look like the perfect solution to the core problem of password management in your organization. They offer plenty of features, very specifically:

* Centralized storage of your passwords in MS SQL Server, MySQL or another free database

* Passwords are encrypted before they are stored in the database

* Integration with your Active Directory, so access restrictions can follow AD accounts and groups

* Web based interface

and many more eye-catching features...

But think about what happens in a disaster, say your password management server crashes all of a sudden. You have lost access to all of your passwords! You then need to build a database server and restore the database from backup before you can get at a single password. Doesn't that sound hard in the middle of a disaster? Test that recovery path before you commit to one of these tools.

Palo Alto Firewall Commands Reference

Group Mapping:

1. View the state of group mapping and whether any error has occurred:

admin@HNSPAFW (active) > show user group-mapping state all

2. View the list of Active Directory group members synced to the PA: say you have just added a user to an internet-access group in AD and want to confirm that the PA sees the change:

admin@HNSPAFW (active) > show user group name "hsngroup.net\level-internet-access-group"

3. Refresh the members of a specific AD group in group mapping: say you have just added a user to an internet-access group in AD but he still cannot browse; refresh the group mapping for that group. This command does not affect existing traffic.

admin@HNSPAFW (active) > debug user-id refresh group-mapping …………

4. Refresh the members of all AD groups in group mapping. This command does not affect existing traffic either:

admin@HNSPAFW (active) > debug user-id refresh group-mapping all

Juice Jacking – free mobile charging stations can steal your data

Are you a frequent traveler with a habit of charging your phone at public charging stations? Then this article is for you, so read on.

Juice jacking is the theft of data from a mobile phone through a public charging unit or station that hands you a USB cable to charge with. A USB cable carries data as well as power, so an attacker who has taken over the station (or hidden a tiny computer inside it) can read data from a phone that was plugged in only to rescue a dying battery, and can sometimes push malware onto the phone for later exploitation.

Such charging stations are now common in public places: malls, airports and conference rooms.

How to protect your data?

All you need to do is stop the USB charging cable from carrying data when you charge in public. Use one of these options:

1. Carry your own mains charger and plug it into a power socket: the safest and simplest option of all.

2. Buy and carry your own power bank.

3. When you cannot find a power socket, use a juice-jack defender, a USB data blocker (the tiny device plugged into the charging station in the picture, looking like a connector). It passes only the USB power lines, so your phone charges but no data can flow in either direction.

Where to buy such juice-jack defenders: www.chargedefense.com sells one for $15.

Step by Step guide to upgrade Cisco ASA IOS and ASDM Version

Important: although the steps below apply to any Cisco ASA software and ASDM upgrade, check cisco.com first for the vendor-recommended upgrade path for your version. (The ASA runs its own software image rather than IOS; the term is used loosely here.) Below is a step-by-step guide to upgrading a Cisco ASA from 8.6(1)2 to 9.1(2).

Refer to the Cisco recommended upgrade path for the Cisco ASA software version.

(config)# show version
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"

So our upgrade path is as follows: first upgrade 8.6(1) to 9.0(2), then to 9.1(2); at the same time we upgrade ASDM to 7.1(5), which supports the 9.1(2) software.

Upgrade ASA version from 8.6(1)2 to 9.0(2)

Note: there is no need to upgrade ASDM at this stage, since we still have to go to the final version 9.1(2); we upgrade ASDM at the later stage.

Step 1: Verify that the ASA has enough free space on disk0: for the new image. I have 3.7 GB free, so no worries!
Note: Use Whatsbyte.com for byte conversions

[Screenshot: ASA disk0: free space]

Step 2: Download the following from cisco.com (you need a login with a SmartNet contract), and note the checksum Cisco publishes for each file so you can verify the copies on the ASA:

  • ASA software images 9.0(2) and 9.1(2)
  • ASDM 7.1(5)

Step 3: Download and set up a TFTP server, for example the free one from solarwinds.com.

Step 4: Upload the 9.0(2) image to the ASA via TFTP:
(config)# copy tftp: disk0:
Run 'show disk0:' to verify that the image has been copied to the ASA.

[Screenshot: copy tftp: disk0: and show disk0: output]

Step 5: Set the ASA to boot the new 9.0(2) image at the next reload, save the configuration (don't forget this step!) and reload. The ASA boots the first boot system entry in its list, so if an entry for the old image is already configured, remove it first.
(config)# boot system disk0:/asa902-10-smp-k8.bin
(config)# wr mem
(config)# reload

[Screenshot: boot system set to the new image]

Step 6: Once the ASA is back up, run 'show version' and verify that the running software version is 9.0(2).

Upgrade ASA version from 9.0(2) to 9.1(2) and ASDM version to 7.1(5)

Note: nothing new here, except that we also upload the new ASDM image.

Step 1: Upload the 9.1(2) image to the ASA via TFTP, as before.

[Screenshot: uploading the 9.1(2) image]

Step 2: Upload the ASDM 7.1(5) image to the ASA via TFTP.

[Screenshot: uploading ASDM 7.1(5)]

Step 3: Set the ASA to boot the new 9.1(2) image, and ASDM to use 7.1(5), at the next reload; then save the configuration (don't forget!) and reload:

(config)# boot system disk0:/asa912-smp-k8.bin
(config)# asdm image disk0:/asdm-715.bin
(config)# wr mem
(config)# reload

[Screenshot: boot system set to 9.1(2)]

Step 4: After the reload, run 'show version' and verify that the running version is 9.1(2) and the Device Manager version is 7.1(5). We are done!
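As an added example (not Cisco tooling, and not from the post), here is a Python pre-flight check for the staged upgrade above: it parses show version, show disk0: and show running-config boot output, converts version strings and image file names into comparable tuples, and builds the CLI for each hop only if the hop moves the version upward and the image is already on disk0:. The sample outputs are constructed to match the post; the verify /md5 step and the removal of the stale boot system entry are my additions to the post's procedure.

```python
"""Pre-flight checks for a staged Cisco ASA software upgrade.

Added example, not Cisco tooling.  Parses 'show version', 'show disk0:' and
'show running-config boot' output shaped like the post's, turns version
strings and image file names into comparable tuples, and emits the CLI for
each hop of a multi-reload path only after checking that the hop ascends
and the image is on disk0:.  The 'verify /md5' line and the removal of the
stale 'boot system' entry are additions to the post's procedure.
"""
import re

# Constructed sample, shaped like the 'show version' output in the post.
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
Compiled on Fri 01-Jun-12 02:16 by builders
System image file is "disk0:/asa861-2-smp-k8.bin"
Config file at boot was "startup-config"
"""

# Constructed 'show disk0:' listing; only the file names are used.
SHOW_DISK0 = """\
--#--  --length--  -----date/time------  path
   11  25356288    Jun 01 2012 02:16:00  asa861-2-smp-k8.bin
   12  27260928    Sep 10 2013 10:04:12  asa902-10-smp-k8.bin
   13  27959296    Sep 10 2013 10:11:40  asa912-smp-k8.bin
   14  17795444    Sep 10 2013 10:15:02  asdm-715.bin
"""

# Constructed 'show running-config boot': the ASA boots the first entry in
# this list, so a stale entry has to go before the new one is added.
SHOW_BOOT = "boot system disk0:/asa861-2-smp-k8.bin\n"

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")
# Compact image names: asa<maj><min><maint>[-<interim>]-<platform>.bin
IMAGE_RE = re.compile(r"^asa(\d)(\d)(\d)(?:-(\d+))?-.*\.bin$")


def parse_version(text):
    """'8.6(1)2' -> (8, 6, 1, 2); a missing interim number counts as 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version in {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def image_version(filename):
    """'asa902-10-smp-k8.bin' -> (9, 0, 2, 10)."""
    m = IMAGE_RE.match(filename)
    if not m:
        raise ValueError(f"unrecognised ASA image name {filename!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def fmt(version):
    major, minor, maint, interim = version
    return f"{major}.{minor}({maint}){interim or ''}"


def running_version(show_version):
    for line in show_version.splitlines():
        if "Software Version" in line:
            return parse_version(line)
    raise ValueError("no 'Software Version' line in show version output")


def disk_files(show_disk0):
    return {line.split()[-1] for line in show_disk0.splitlines()
            if line.rstrip().endswith(".bin")}


def boot_entries(show_boot):
    return [line.split()[-1] for line in show_boot.splitlines()
            if line.startswith("boot system ")]


def plan_upgrade(show_version, show_disk0, show_boot, hops, asdm_image):
    """hops: ASA image file names in boot order, one per reload.  Returns one
    list of CLI commands per hop; raises ValueError for a missing file or a
    hop that does not move the version upward.  ASDM is switched only on
    the final hop, as the post does."""
    current = running_version(show_version)
    present = disk_files(show_disk0)
    stale = boot_entries(show_boot)
    plan = []
    for i, image in enumerate(hops):
        target = image_version(image)
        if image not in present:
            raise ValueError(f"{image} is not on disk0:; upload it first")
        if target <= current:
            raise ValueError(f"{image} is {fmt(target)}, not above {fmt(current)}")
        hop = [f"verify /md5 disk0:/{image}"]   # compare with the cisco.com hash
        hop += [f"no boot system {entry}" for entry in stale]
        hop.append(f"boot system disk0:/{image}")
        if i == len(hops) - 1:
            if asdm_image not in present:
                raise ValueError(f"{asdm_image} is not on disk0:; upload it first")
            hop.append(f"asdm image disk0:/{asdm_image}")
        hop += ["write memory", "reload"]
        plan.append(hop)
        current, stale = target, [f"disk0:/{image}"]
    return plan


if __name__ == "__main__":
    path = ["asa902-10-smp-k8.bin", "asa912-smp-k8.bin"]
    for n, hop in enumerate(plan_upgrade(SHOW_VERSION, SHOW_DISK0, SHOW_BOOT,
                                         path, "asdm-715.bin"), 1):
        print(f"--- hop {n} ---")
        print("\n".join(hop))
```

The ASA boots the first boot system entry in its list, so the script removes the entry for the image being replaced before adding the new one. The verify /md5 line is where you compare the uploaded file with the hash published on the cisco.com download page before committing to booting it; a truncated or tampered TFTP copy is cheaper to catch there than at the console after a failed reload.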