Category: NETWORKING

Networking posts

Cisco IT Blog Awards 2021 – Finalist..!

Leave a comment

It’s a great pleasure to announce that we are selected as one of the finalists in the IT Blog Awards 2021, hosted by Cisco. Can’t explain how it feels to be in the list among leading IT blogs, for the Third Time (2018,2020 and 2021 now).

We would like to Congratulate all the finalists and wish them the best in the competition.

There are 58 entries in the Blogs category and 17 entries in the Vlogs and Podcasts category. There are only these categories this time, unlike previous times (where awards were given in different categories of contents).

You can vote now for the best blogs and vlogs/podcasts, based on the value they are creating, the quality of contents etc… This is your opportunity to vote for the contents which always help you at work or in your studies. Read more

You can select upto 5 Blogs and 5 Vlogs/Podcasts and rank them 1-5. We would be happy if you are having our site as well in your 5.

VOTE NOW

You can find more details/rules in the above voting link. Have a detailed look at the blogs/vlogs/podcasts, and vote NOW..!

Brocade SAN switch CLI Commands for troubleshooting minor issues

3 comments

We have already discussed about, Brocade SAN switch Zoning steps Via CLI and CISCO MDS Zoning steps via CLI

This write-up, focuses on the basic trouble shooting commands used in Brocade SAN switch. For better understanding of the commands, let us first understand the day to day operational challenges faced in the SAN fabric. Listed below are few of the operational error codes/prompts:

  1. Alias/port went offline
  2. Bottlenecks
  3. Port error
  4. Hanging zones
  5. Rx Tx Voltage/Power Issue

let’s read in brief about, how to identify the errors and how to troubleshoot them. Read more

Alias/port went offline

This error is recorded due to the following reasons:

  1. Reboot/ Shutdown of the host
  2. Faulty cable
  3. Issue in the HBA card.

——————- advertisements ——————-

———————————————————

Thus, when ‘WWN/ Alias went offline’ is recorded, use the below mentioned commands to identify, when the port went offline and which port went offline.

#fabriclog -s                                                                              States the ports which went offline recently.

#fabriclog -s |grep -E “Port Index |GMT”                               This command states the ports which went offline before. Note: This command will fail in case the FOS upgrade or Switch reboot activity was performed. As both the activities clear the fabriclog.

In order to know the zoning details through the WWN of the device, use below mentioned command:  

#alishow |grep wwn -b2                                                              This lists the alias.

then use below command

#zoneshow –alias Alias_Name                                                    This lists the zone name and component aliases.

——————- advertisements ——————-

———————————————————

Bottlenecks

There are many kinds of bottlenecks. But, the once prominent in SAN fabric are Latency bottleneck and congestion bottleneck.

Latency bottleneck occurs when a slow drain device is connected to the port. Even initiator or target ports can report latency, no matter what kind of port it is, if a slow drain device is attached, there will be bottleneck in that port. A

Slow drain devices, is a device which either has all or any one of the bellow mentioned issues:

  1. Unsupported firmware.
  2. Hardware issues.
  3. SFP which has a voltage or power issue.

Whereas, Congestion bottleneck occurs due to high rate of data transfer in the port. In the next write-up we will discuss in detail, about the causes of a congestion bottleneck.

——————- advertisements ——————-

———————————————————

The commands used to identify latency as well as congestion bottleneck are:

#errdump

#mapsdb –show

If there is latency or congestion bottleneck, it should to be fixed by logging a support case with Server/Storage hardware vendor.

Port errors

There are many kinds of port errors. Most of the time, its due to bottleneck issue/ physical layer issue. Bottleneck issue we have already addressed above. Physical layer issue is, either Cable issue or SFP issue.

Below are the commands to identify the port errors:

#porterrshow                                                       This will list all ports in error state.

#porterrshow port_number                       

#porterrorshow -i Port_Index                              Both these commands will list the errors in a particular port.

——————- advertisements ——————-

———————————————————

In case an error is listed, before troubleshooting clear the status using below commands and observe it again.

#statsclear

#slotstatsclear

#portstatsclear port_number

Apart from this, there are other commands to display the current data transfer rate of a port or all ports, such as:

#portperfshow

#portperfshow port_number

Hanging Zone

Hanging zones are the purposeless zones residing in the zoning configuration. The zone in which all initiators or all targets are inactive are considered as hanging zone.

There is no specific command to list out hanging zones in the fabric, we have to use SAN health to identify the hanging zone. To check if all the aliases of a zone are active or not use the command mentioned below:

#zonevalidate “zonename

In the result of the above command, there will be have a ‘*’ mark at the end of each active alias in the zone.

Rx Tx Voltage/Power Issue

The Rx & Tx Voltage and power of an SFP can be validated only if, there is connectivity in the SFP with its port in online state.

The command below will display the voltage, power and all the details related to the SFP.

#sfpshow port_number -f

__________________________________________________________________________________________________

Please feel free to connect with us in case of any queries. Also, please give us your feedback, it will help us to improve our skill sets.

Top 50 CISCO ACI interview questions & answers

One comment

Cisco ACI is a part of Software Defined Network (SDN) product portfolio from Cisco . Cisco ACI is an emerging technology on DC build up and disruptive technology for traditional networking .This Question and Answers guide will help you to understand Cisco ACI from basics to advanced level and give confidence to tackling the interviews with positive result . 

Read more

1.What is Cisco ACI.?
Cisco ACI, the industry-leading software-defined networking solution, facilitates application agility and data center automation with two important concepts from SDN solution, overlays and centralized control. ACI is a is a well defined architecture with centralised automation and policy-driven application profiles. ACI uses a centralised controller called the Application Policy Infrastructure Controller (APIC),It is the controller that creates application policies for the data center infrastructure.

2. What are the three components of ACI architecture .?
Application Network Profile (ANP)– a collection of end-point groups (EPG), their connections, and the policies that define those connections
Application Policy Infrastructure Controller (APIC)– a centralized software controller that manages downstream switches and act as management plane.
ACI fabric : This is connection of Spine and Leaf switches. In the ACI world Spine and Leaf are the Cisco Nexus 9000 Series Switches (N9k) , and they are act as Control and the Data plane of the ACI. It is running re written version of NX-OS in ACI mode.

3. Describe about ACI Fabric connection terminology.?
• You should use One or more spine switches to be connected to each Leaf, Models supported are Cisco Nexus 9336PQ, 9504, 9508, or 9516 switches
• You should use One or more leaf switches to be connected to End Points and APIC cluster , Models supported are Cisco Nexus 93128TX, 9332PQ, 9372PX, 9372PX-E, 9372TX, 9396PX, or 9396TX etc switches
• Spin switches can be connected to leaf switches but not each other.
• Leaf switches can be connected only to spine switches and endpoint devices including APIC devices , so this means APIC will be connected only to Leaf switches
• ACI Switches are not running spanning tree.
• Minimum 3 APIC controller should require in ACI fabric
• Max APIC can be used are 5
• Max Spine switches can be used are 6
• Max Leaf switches can be used are 200

4. What is the use of Application Policy Infrastructure Controller (APIC) on ACI Fabric.?
This is the network controller is responsible for provisioning policies to physical and virtual devices that belong to an ACI fabric. Minimum a cluster of three controllers is used. Following are the main APIC features.

  • Application and topology monitoring and troubleshooting
  • APIC shows Physical and logical topology (who is connected to whome)
  • Third-party integration (Layer 4 through Layer 7 [L4-L7] services & VMware vCenter/ vShield)
  • Image management (spine and leaf)
  • Cisco ACI inventory and configuration
  • Implementation on a distributed framework across a cluster of appliances
  • Health scores for critical managed objects (tenants, application profiles, switches, etc.)
  • Fault, event, and performance management
  • Cisco Application Virtual Switch (AVS), which can be used as a virtual leaf switch

5. How Cisco ACI differs from other SDN controllers.?
Open SDN architecture separates control plane and data plane . Control plane resides on the central controller and data plane resides on switches. If the switches lost connection to controller, it won’t function for new connections and applying traffic policies. In CIsco ACI architecture , the APIC is not control plane, rather switches still hold control plane and data plane and can function properly if the controller down.

6. What are the different object model implementation in ACI.?
Within the ACI object model, there are essentially three stages of implementation of the model, the Logical Model, the Resolved Model, and the Concrete Model.
Logical Model: The logical model is the interface for the system. Administrators are interacting with the logical model through the API, CLI, or GUI. This is a Policy layer which include endpoint configuration on the controller .Changes to the logical model are then pushed down to the concrete model, which becomes the hardware and software configuration.
Resolved Model : The Resolved Model is the abstract model expression that the APIC resolves from the logical model. This is essentially the elemental configuration components that would be delivered to the physical infrastructure when the policy must be executed (such as when an endpoint connects to a leaf)
Concrete Model : The Concrete Model is the actual in-state configuration delivered to each individual fabric member based on the resolved model and the Endpoints attached to the fabric.This is include actual configuration of device and resides on fabric (spines and leafes )

7.What is Policy layer and Concrete Layer in ACI model.?
Concrete layer is the ACI fabric and policy layer is controllers

8.What you mean by Tenant .?
Basically a Tenant (fvTenant) is logical container for application policies to isolate switching and routing function. A tenant represents a unit of isolation from a policy perspective, but it does not represent a private network. Tenants can represent a customer in a service provider setting, an organisation or domain in an enterprise setting, or just a convenient grouping of policies.
Four types of Tenant available

  1. User
  2. Common
  3. Management
  4. Infra

9 . Difference between management tenant and infrastructure tenant.?
Management Tenant : Used for infrastructure discovery and also used for all communication/integration with virtual machine controllers. It has separate Out Of Band (OOB) address space for APIC to Fabric communication, it is using to connect all fabric management interfaces
Infrastructure Tenant : It governs operation of fabric resources like allocating VXLAN overlays and allows fabric administrator to deploy selective shared services to tenants

10.What you mean by Context/VRF on ACI .?
The top level network construct within an ACI tenant is the VRF or Context . It is called as tenant network and available as ‘private network’ in the ACI GUI .Following are the important point about VRF’s
• A VRF defines Layer 3 address domain
• One or more bridge domain can associated with VRF
• All of the endpoints within the Layer 3 domain (VRF) must have unique IP addresses because it is possible to forward packets directly between these devices if the policy allows it.
• A tenant can contain multiple VRFs How ARP handled by ACI.?

Below are some of the additional questions available on PDF

  • How ARP and broadcast handled by ACI.?
  • Why and when you require contract in ACI Fabric.?
  • How to perform unicast routing on ACI.?
  • In Fabric, which switch will act as default gateway for pertucler subnet.?
  • How Cisco ACI differentiate Layer 2 traffic and Layer 3 traffic.?
  • How VLAN working in Cisco ACI.?
  • How can you configure trunk and access port on ACI.?
  • What is micro segmentation and how to configure.?
  • How to configure inter-VRF and Inter-tenant communication.?
  • How can you integrate Cisco ACI with VmWare.?
  • Explain about ACI fabric discovery process .?
  • Explain about traffic flow lookup on ACI fabric.?


Hope you have enjoyed reading. Kindly share your feedback/suggestions in the comments section. For Q&A posts on other topics, please click here.

 

Ref:
https://www.sdxcentral.com/data-center/definitions/what-is-cisco-aci/

https://www.cisco.com/c/en_in/solutions/data-center-virtualization/application-centric-infrastructure/index.html

 

Update service-now ticket using a Python script

3 comments

How cool it will be if you can upload the output of your script in to Service now incident notes or task notes automatically. This python script helps you to run set of command against the Cisco switches and routers and the output of command will upload to service now incident automatically. This will help you to increase the response time of NOC L1  team in troubleshooting task.

Service-now a IT Service management (ITSM) tool based on cloud platform provides end to end transformation of IT services. Service Now provides REST API to communicate with SNOW instance. We will use REST API in our program to interact with service now instance.

We are explaining step by step procedure to achieve this

Following are the components required: Read more

  1. Service now developer account
    2. Service now instance
    3. Python with Service now API installed

——————- advertisements ——————-

———————————————————-

Create service now developer account and instance

Please refer our post ‘Create service now developer account and instance’ and create new user for API calls.

Setup environment

We would  require ‘netmiko’ package to take ssh of devices. Please read part 1 and part 2  of our post for details about installing python and running your first program. Please read part 4 if you want to know how to take SSH of a switch.

Install python service-now API package

We also require ‘pysnow’ package which is using to interact with service now using REST API call. Please click here if you would like to know more about ‘pysnow’ package.

Install ‘psysnow’ using following command

‘pip install psynow’

please click here if you did not know how to install a package on python using pip

Script Definition:

The script will get service-now information and device credential initially. Then it will continuously run on server so user can update multiple incident by running the commands against multiple devices. All the required commands have to be saved on ‘command.txt’ file.

——————- advertisements ——————-

———————————————————-

It is using class ‘inc_update’ to gather information and update service-now.  Inside the class, the function ‘collectdata’ using to SSH to device and taking the out put of commands.  The function ‘inc_update’ using to update service now instance with the output.

Following are the script. It is easy to understand, and we have put inline comments for making it easy.

import pysnow
import getpass
from netmiko import ConnectHandler

print “=============================\n”
print “Program to update service now incident notes\n”
print “\n=============================\n”

##class to connect device
class cls_incident:
#initialising variables
def __init__(self,uname,password):
#initialising variables
self.uname = uname
self.password = password
self.secret=password
self.dev_type=’cisco_ios’
self.ip=”
self.output=”

——————- advertisements ——————-

———————————————————-

#creating dictionery for netmiko
self.dict_device = {
‘device_type’: self.dev_type,
‘ip’: self.ip,
‘username’: self.uname,
‘password’: self.password,
‘secret’: self.secret,
‘global_delay_factor’:1,

}

#function to login to device and collect output of command
def collectdata(self,ipaddress):
self.dict_device[‘ip’]=ipaddress
self.net_connect = ConnectHandler(**self.dict_device)
#opening command file
cmd_file=open(‘command.txt’)
self.output=”
#loop for reading command one by one
for line in cmd_file:
cmd=line.lstrip()
self.output+=”\nOutput of command “+cmd+” \n”
self.output+=self.net_connect.send_command(cmd)
cmd_file.close()

——————- advertisements ——————-

———————————————————-

print self.output
print “\nCommand Output collected”

#function to update service now
def inc_update(self,inc_number,s_uname,s_password,s_instance):
#connecting with service now
snow = pysnow.Client(instance=s_instance, user=s_uname, password=s_password)
incident = snow.resource(api_path=’/table/incident’)
#payload=self.output
update = {‘work_notes’:self.output, ‘state’: 5}
#updating incident record
updated_record = incident.update(query={‘number’:inc_number}, payload=update)
print “Incident note updated ”

def main():

#Collecting service now details
instance=raw_input(“Enter service now instant name in format of ‘company.service-now.com’ :”)

——————- advertisements ——————-

———————————————————-

instance=instance.rstrip(‘.service-now.com’)
s_uname=raw_input(“Enter service now user name:”)
s_password=getpass.getpass(“Password:”)

##Collecting device credential
dev_uname=raw_input(“\nEnter Device user name :”)
dev_passwd=getpass.getpass(“Password:”)

objDev=cls_incident(dev_uname,dev_passwd)

while True:
try:
inc_number=raw_input(“Enter incident number :”)
ip_address=raw_input(“Enter IP address of device:”)
print “Connecting device and collecting data ”
#creating class object
objDev.collectdata(ip_address)

print (“Updating service now”)
#updaing service nw
objDev.inc_update(inc_number,s_uname,s_password,instance)
print “\nThis program will keep on running, press ctrl C to exit”
print “Enter details for next incident \n”
except Exception,e:
print “Error on execution :”,e
if __name__== “__main__”:
main()

——————- advertisements ——————-

———————————————————-

How to run :

Download the ‘command.txt‘ and ‘incident-update.txt‘ in to same folder of your system. rename ‘incident-update.txt’ in to ‘incident-update.py’. Open the file ‘command.txt’ and add your required commands which need to be run on networking device.. Run the program from command prompt using ‘ python incident-update.py’ . Please provide your input and test . Please ensure you have the reach-ability to service-now instance and network devices from your machine.

Program screen shot

——————- advertisements ——————-

———————————————————-

Service-now screen shot

You could see service now incident notes updated with command output automatically

Hope this will ease your life a bit.. 🙂

Please comment below if you would require customized script based on your requirement which will support multiple device model like Cisco ASA, Juniper, Palo Alto, Checkpoint etc.

Palo Alto Interview Questions and Answers – Part II

8 comments

Plao Alto Interview Questions and Answers

This post is a continuation to one of our recent post where we discussed a few questions and answers on Palo Alto firewall. Here we are adding another set of Q&A based on our readers interest. Hope this will help you in improving your knowledge of the PA firewall.

1. How to publish internal website to internet. Or how to perform destination NAT ?

To publish internal website to outside world, we would require destination NAT and policy configuration. NAT require converting internal private IP address in to external public IP address. Firewall policy need to enable access to internal server on http service from outside .We can see how to perform NAT and policy configuration with respect to following scenario Read more

Provide the access to 192.168.10.100 through the public IP address 64.10.11.10 from internet

Following NAT and policy rules need to be created.

NAT:-> Here we need to use pre-NAT configuration to identify zone. Both source and destination Zone should be Untrust-L3 as source and destination address part of un trust zone

——————- advertisements ——————-

———————————————————-

Policy-> Here we need to use Post-NAT configuration to identify zone. The source zone will be Untrust-L3 as the source address still same 12.67.5.2 and the destination zone would be Trust-L3 as the translated IP address belongs to trust-l3 zone.

We have to use pre-NAT IP address for the source and destination IP address part on policy configuration. According to packet flow, actual translation is not yet happen, only egress zone and route look up happened for the packet. Actual translation will happen after policy lookup . Please click here to understand detailed packet flow in PA firewall.  Just remember the following technique so it will be easy to understand

In firewall rule,

Zone: Post NAT

IP address: Pre NAT

In NAT rule,

Zone: Pre NAT

Final Configuration looks like below:

2. What is Global Protect ?

——————- advertisements ——————-

———————————————————-

GlobalProtect provides a transparent agent that extends enterprise security Policy to all users regardless of their location. The agent also can act as Remote Access VPN client.  Following are the component

Gateway : This can be or more interface on Palo Alto firewall which provide access and security enforcement for traffic from Global Protect Agent

Portal: Centralized control which manages gatrway, certificate , user authentication and end host check list

Agent : software on the laptop that is configured to connect to the GlobalProtect deployment.

3. Explain about virtual system ?

A virtual system specifies a collection of physical and logical firewall interfaces and security zones.Virtual system allows to segmentation of security policy functionalities like ACL, NAT and QOS. Networking functions including static and dynamic routing are not controlled by virtual systems. If routing segmentation is desired for each virtual system, we should have an additional virtual router.

——————- advertisements ——————-

———————————————————-

4.Explain about various links used to establish HA or HA introduction ?

PA firewall use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports—Control link (HA1) and Data link (HA2), while others require you to use the in-band ports as HA links.

Control Link :  The HA1 links used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, User-ID information and synchronize configuration . The HA1 should be layar 3 interface which require an IP address

Data Link : The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. The HA 2 is a layer 2 link

Backup Links: Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. The HA backup links IP address must be on different subnet from primary HA links.

Packet-Forwarding Link: In addition to the HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow.

4. What protocol used to exchange heart beat between HA ?

ICMP

——————- advertisements ——————-

———————————————————-

5. Various port numbers used in HA ?

HA1: tcp/28769,tcp/28260 for clear text communication ,tcp/28 for encrypted communication

HA2: Use protocol number 99 or UDP-29281

6. What are the scenarios for fail-over triggering ?

->if one or more monitored interfaces fail

->if one or more specified destinations cannot be pinged by the active firewall

->if the active device does not respond to heartbeat polls (Loss of three consecutive heartbeats over period of 1000 milliseconds)

7. How to troubleshoot HA using CLI ?

>show high-availability state : Show the HA state of the firewall

>show high-availability state-synchronization : to check sync status

>show high-availability path-monitoring : to show the status of path monitoring

>request high-availablity state suspend : to suspend active box and make the current passive box as active

8. which command to check the firewall policy matching for particular destination ?

>test security-policy-match from trust to untrust destination <IP>

9.Command to check the NAT rule ?

>test nat-policy-match

10. Command to check the system details ?

>show system info  // It will show management IP , System version and serial number

11. How to perform debug in PA ?

Following are the steps

Clear all packet capture settings

>debug dataplane packet-diag clear all

set traffic matching condition

> debug dataplane packet-diag set filter match source 192.168.9.40 destination 4.2.2.2
> debug dataplane packet-diag set filter on

——————- advertisements ——————-

———————————————————-

Enable packet capture

> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture on

View the captured file

view-pcap filter-pcap rx.pcap

12. What you mean by Device Group and Device Template.?

Device group allows you to group firewalls which is require similar  set of policy , such as firewalls that manage a group of branch offices or individual departments in a company. Panorama treats each group as a single unit when applying policies. A firewall can belong to only one device group. The Objects and Policies are only part of Device Group.

Device Template :

Device Templates enable you to deploy a common base configuration like Network and device specific settings to multiple firewalls that require similar settings.
This is available in Device and Network tabs on Panorama

13. Why you are using Security Profile .?

Security Profile using to scans allowed applications for threats, such as viruses, malware, spyware, and DDOS attacks.Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy. You can add security profiles that are commonly applied together to a Security Profile Group

Following are the Security Profiles available

  • Antivirus Profiles
  • Anti-Spyware Profiles
  • Vulnerability Protection Profiles
  • URL Filtering Profiles
  • Data Filtering Profiles
  • File Blocking Profiles
  • WildFire Analysis Profiles
  • DoS Protection Profiles

Enjoyed Reading.? If you found the above contents useful and easily understandable, you can download a bundle of most frequently asked interview question and answers via the below link. We are sure it will help you increase your confidence in Palo Alto and will help you in tackling the interviews with positive results.Please click below link (you will be re-directed to the payment gateway  – Instamojo) to Download PDF for less than 6 USD (INR 400). This contains 45 + Most frequently asked PA interview question on the following topics with detailed explanation.

  • Question from VPN setup and troubleshooting
  • Migration of ASA into PA
  • Questions from AppID and Vulnerability Protection
  • PA Best practices
  • Other Hot questions and explanation

Hope this helped in improving your Palo Alto knowledge or clearing some of your doubts. Please let us know if you have any queries/comments.

Palo Alto Interview Questions and Answers – Part I

5 comments

Plao Alto Interview Questions and Answers

Some of our readers had requested for a post with some of the common questions and answers for the Palo Alto Firewall, after reading our post on PA Firewall. Following are some of the questions normally asked for PA interview. Please use the comment section if you have any questions to add

1. Why Palo Alto is being called as next generation firewall ?

Ans: Next-generation firewalls include enterprise firewall capabilities, an intrusion prevention system (IPS) and application control features. Palo Alto Networks delivers all the next generation firewall features using the single platformparallel processing and single management systems, unlike other vendors who use different modules or multiple management systems to offer NGFW features. Palo Alto NGFW different from other venders in terms of Platform, Process and architecture Read more

2. Difference between Palo Alto NGFW and Checkpoint UTM  ?

PA follows Single pass parallel processing while UTM follows Multi pass architecture process

3. Describe about Palo Alto architecture and advantage ?

Architecture- Single Pass Parallel Processing (SP3) architecture

Advantage: This Single Pass traffic processing enables very high throughput and low latency – with all security functions active.  It also offers single, fully integrated policy which helps simple and easier management of firewall policy

——————- advertisements ——————-

———————————————————-

4. Explain about Single Pass and Parallel processing architecture ?

Single Pass : The single pass software performs operations once per packet. As a packet is processed, networking functions, policy lookup, application identification and decoding, and signature matching for any and all threats and content are all performed just once.  Instead of using separate engines and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file download prior to scanning), the single pass software in next-generation firewalls scans content once and in a stream-based fashion to avoid latency introduction.

Parallel Processing :   PA designed with separate data and control planes to support parallel processing. The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups to perform several critical functions.

  • Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware
  • User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
  • Content-ID content analysis uses dedicated, specialized content scanning engine
  • On the controlplane, a dedicated management processor (with dedicated disk and RAM) drives the configuration management, logging, and reporting without touching data processing hardware.

5. Difference between PA-200,PA-500 and higher models ?

In PA-200 and PA-500, Signature process and network processing implemented on software while higher models have dedicate hardware processer

6. What are the four deployment mode and explain ?
  1. Tap Mode : Tap mode allows you to passively monitor traffic flow across network by way of tap or switch SPAN/mirror port
  2. Virtual wire : In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two interfaces together

——————- advertisements ——————-

———————————————————-

  1. Layer 2 mode : multiple interfaces can be configured into a “virtual-switch” or VLAN in L2 mode.
  2. Layer 3 Deployment : In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.

7. What you mean by Zone Protection profile ?

Zone Protection Profiles offer protection against most common flood, reconnaissance, and other packet-based attacks. For each security zone, you can define a zone protection profile that specifies how the security gateway responds to attacks from that zone. The following types of protection are supported:

-Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based flooding attacks.

-Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential attack targets.

-Packet-based attack protection—Protects against large ICMP packets and ICMP fragment attacks.

Configured under Network tab -> Network Profiles -> Zone protection.

8. What is u-turn NAT and how to configure ?

U-turn NAT is applicable when internal resources on trust zone need to access DMZ resources using public IP addresses of Untrust zone.

——————- advertisements ——————-

———————————————————-

Let’s explain based on below scenario.

In above example, the website company.com (192.168.10.20) statically NAT’ed with public IP address 81.23.7.22 on untrusted zone. Users in the corporate office on the 192.168.1.0/24 segment need to access the company webpage. Their DNS lookup will resolve to the public IP in the Internet zone. The basic destination NAT rules that provide internet users access to the web server will not work for internal users browsing to the public IP .

Following are the NAT rule and policy definition.

  Next Page

Enjoyed Reading.? If you found the above contents useful and easily understandable, you can download a bundle of most frequently asked interview question and answers via the below link. We are sure it will help you increase your confidence in Palo Alto and will help you in tackling the interviews with positive results.Please click below link (you will be re-directed to the payment gateway  – Instamojo) to Download PDF for less than 6 USD (INR 400). This contains 45 + Most frequently asked PA interview question on the following topics with detailed explanation.

  • Question from VPN setup and troubleshooting
  • Migration of ASA into PA
  • Questions from AppID and Vulnerability Protection
  • PA Best practices
  • Other Hot questions and explanation

Click Here for Part 2 of this post, another set of questions for you.

Network Automation using Python – Part VII – SSL certificate status validation and alert configuration

One comment

Python SSL Certificate Checker 

Continuing our Networking Automation using Python blog series, here is the Part 7.

In this part we are explaining python script which will check the expiry date of a SSL certificate from a list of IP address and send an e-mail automatically if the certificate expiry date is nearing. The IP addresses can be of your load balancer VIP or Server IP address or any device IP address. You can use same script to check SSL certificate for any port number like 443,587,993,995,465 etc.

Basic Requirements Read more

  1. Python 3.6
  2. server_ip.txt , a text file which contains all device IP address
  3. A email account on www.outlook.com . You can use any other mail account by editing SMTP server detail on the script. Please let us know if you want customised script which will sent mail from your corporate mail account or Microsoft Outlook.

Please read part 1 and part 2 to get started with python and how to run your first program.

This script have two files

  1. server_ip.txt -> this file store all the device IP address
  2. sslcheck.py -> This is the python script

——————- advertisements ——————-

———————————————————-

How to run :

Step 1. Download the sslcheck and server_ip to the same folder

Step 2. Change the sslcheck.txt to sslcheck.py

Step 3. Open server_ip.txt and save with all your device IP address with port number whose SSL certificate need to be check.

Step 4. Open command prompt “CMD” and navigate to the folder where you have saved script and ‘server_ip.txt’

Step 5. Run script by typing “python sslcheck.py”  on command prompt

Step 6.It will ask for threshold date, from mail id , to mail id and credentials. Please provide the same

Step 7. Script will go though each device SSL certificate and sent mail if anything going to expire within given number of days.

 

Script Details

import ssl
from datetime import datetime
import pytz
import OpenSSL
import socket
import getpass
from datetime import timedelta
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

——————- advertisements ——————-

———————————————————-

print(“Program to check SSL certificate validity \n”)
##opening file
ipfile=open(‘server_ip.txt’)
cur_date = datetime.utcnow()
mailbody=””
expcount=0

##getting details
expday=input(“Please provide threshold expiry date :”)
from_mail=input(“Your mail id : “)
passwd=getpass.getpass(“password : “)
to_mail=input(“Target mail id : “)
##checking certificate validity. for loop to go through each IP in server_ip.txt file

for ip in ipfile:
try:
host = ip.strip().split(“:”)[0]
port = ip.strip().split(“:”)[1]
print(“\nChecking certifcate for server “,host)
ctx = OpenSSL.SSL.Context(ssl.PROTOCOL_TLSv1)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, int(port)))
cnx = OpenSSL.SSL.Connection(ctx, s)
cnx.set_connect_state()
cnx.do_handshake()
cert=cnx.get_peer_certificate()
s.close()
server_name = cert.get_subject().commonName
print (server_name)

——————- advertisements ——————-

———————————————————-

##checking expiry date
edate=cert.get_notAfter()
edate=edate.decode()

##converting in to system time format
exp_date = datetime.strptime(edate,’%Y%m%d%H%M%SZ’)
days_to_expire = int((exp_date – cur_date).days)
print(“day to expire”,days_to_expire)
##preparing mail body
if days_to_expire < int(expday) :
expcount=expcount+1
mailbody=mailbody+”\n Server name =”+server_name+”, Days to expire:”+str(days_to_expire)

except:
print (“error on connection to Server,”,host)
print (mailbody)

#sending mail if any certificate going to expire within threshold days
if expcount >= 1 :
try:
print(“\nCertifcate alert for “+str(expcount)+” Servers,Sending mails”)

body=”Following certificate going to expire, please take action \n”+mailbody
s = smtplib.SMTP(host=’smtp-mail.outlook.com’, port=587) # change here if you want to use other smtp server
s.starttls()
s.login(from_mail,passwd)

——————- advertisements ——————-

———————————————————-

msg = MIMEMultipart() # create a message
msg[‘From’]=from_mail
msg[‘To’]=to_mail
msg[‘Subject’]=”Certificate Expire alert”
# add in the message body
msg.attach(MIMEText(str(body),’plain’))

# send the message via the server set up earlier.
s.send_message(msg)
print(“Mail sent”)
s.close()
except:
print (“Sending mail failed”)
else :
print(“All certificate are below the threshold date”)

print (‘\nCert check completed’)

 

Sample Output 

Below images are sample script and a sample e-mail alert.

——————- advertisements ——————-

———————————————————-

Sample e-mail alert

Hope this post helped you. You can read more posts on Network automation using Python here. Please use the comments section for any queries/suggestions .

Reference :

https://www.python.org/

http://www.tutorialspoint.com/python/ 

Network Automation using Python – Part VI – Automatic backup of multiple switches

24 comments

Python Backup Script

 

Continuing our Networking Automation using Python blog series, here is the Part 6.

Here we are explaining a simple script to take the backup of multiple Cisco switches/routers quickly. You can schedule the script using crone or job scheduler so it will automatically take daily backup without your intervention. The script will take the output of ‘sh run’ and save to the file. The file name would be  device IP address + today’s date .

Please read part 1 and part 2 to get started with python and to run your first program. Please read part 4 for detailed steps on how to take an SSH session of a switch.

Read more

The script have two files

  1. ipfile.txt -> this file store all the device IP address
  2. autobackup.py -> This is the python script

How to run :

Step 1. Download the autobackup and iplist to the same folder

Step 2. Change the autobackup.txt to autobackup-cisco.py

Step 3. Open iplist.txt and save with all your device IP address which need to be backed up.

——————- advertisements ——————-

———————————————————-

Step 4. Open command prompt “CMD” and navigate to the folder where you have saved script and ‘iplist.txt’

Step 5. Run script by typing “python autobackup-cisco.py”  on command prompt

Step 6. You can see the backup of device on same folder with the filename device IP address+ date

——————- advertisements ——————-

———————————————————-

Sample screenshot below.

Hope this post helped you.

You can read more posts on Network automation using Python here. Please use the comments section for any queries/suggestions .

Reference :

https://www.tutorialspoint.com/python

https://www.python.org/

Network Automation using Python – Part V – running a set of commands on Cisco switches

11 comments

Python Script to run set of commands

Continuing our Networking Automation using Python blog series, here is the Part 5.

This post details about an all-in-one script which will helps you to execute series of commands in multiple switches. This script can be utilized by peoples who does not have much idea in scripting. We have made this task in three file to simplify the operation so that you don’t have to change the script every time .

Please read part 1 and part 2 for details about installing python and running your first program. Please read part 4 if you want to know how to take SSH of a switch.

Read more

File details :
  1. Configuration file-> This file include all the configuration commands need to be executed on remote switches. The name of the file is ‘configfile.txt’
  2. IP File -> This file contains IP address of all the devices, file named ‘ipfile.txt’
  3. Script file -> This files contains python script to execute commands specified on configuration file on all devices. (filename here is ‘configcommand.py’)

For example , if i need to update ACL 101 which is  applied to outside interface of all routers, follow the below steps.

——————- advertisements ——————-

———————————————————-

Step 1. Open your ‘configfile.txt’ and add following commands

config terminal
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
end
write

Step 2. Open ‘iplist.txt’ and add all your router IP address

Step 3. Open command prompt and give following command to execute

cmd->python configcommand.py

 

Working : 

The script will login to the first device whose IP address mentioned in ‘ipfile.txt’ and execute all the commands given in ‘configfile.txt’ file. Once it is done, the script will login to the next IP address and execute all the commands. The process will continue until the last IP address on the ‘ipfile.txt’ fetch and execute.

——————- advertisements ——————-

———————————————————-

You can use the same script to execute any kind of command like SNMP modification, interface configuration etc. All you just want to edit ‘configfile.txt’ and no need to edit the script file.

 

Complete Script – Download

Click below links to  download script (to SSH to a device and run multiple commands) and other file  Please change the file extension from .txt to .py for executing directly.

Script- configcommand

Configfile –configfile

iplist.txt –iplist

Also, keeping a copy here in this post below.

——————- advertisements ——————-

———————————————————-

from netmiko import ConnectHandler
import getpass,sys,time

device = {
‘device_type’: ‘cisco_ios’,
‘ip’: ‘192.168.43.10’,
‘username’: ‘username’,
‘password’: ‘password’,
‘secret’:’password’
}
ipfile=open(“iplist.txt”)
print (“Script for SSH to device, Please enter your credential”)
device[‘username’]=input(“User name “)
device[‘password’]=getpass.getpass()
device[‘secret’]=input(“Enter enable password: “)
configfile=open(“configfile.txt”)
configset=configfile.read()
configfile.close()

for line in ipfile:

device[‘ip’]=line.strip(“\n”)
print(“\n\nConnecting Device “,line)
net_connect = ConnectHandler(**device)
net_connect.enable()
time.sleep(2)
print (“Passing configuration set “)
net_connect.send_config_set(configset)
print (“Device Conigured “)

ipfile.close()

Hope you enjoyed reading. You can read more posts on Network automation using Python here. Please use the comments section for any queries/suggestions .

Reference :

https://www.python.org/

https://www.tutorialspoint.com/python

Network Automation using Python – Part IV – SSH to Cisco Device

9 comments

SSH Cisco Device

Continuing our Networking Automation using Python blog series, here is the Part 4.

We had explained the ways to take a Telnet session to the Switches in our previous posts. Now here we are explaining the steps to SSH to Cisco switch using Python script and to configure IP on vlan interface. IP configuration is an example here, once you have SSH’ed to the switch, you can perform any other configuration as per your requirement, by just modifying the script a bit. Please read part 1 and part 2 to get an idea about how to install python and run your first program.

We are using netmiko module for taking SSH session of device.

What is Netmiko ?

Read more

Netmiko is open-source Python library that simplifies SSH management to network devices. This is a common and easy to use library as netmiko supporting multi vendor devices.You can read more about netmiko from here . Following are the some of the vendor devices supported by Netmiko .

——————- advertisements ——————-

———————————————————-

Arista vEOS
Cisco ASA
Cisco IOS
Cisco IOS-XR
Cisco NX-OS
Cisco SG300
HP Comware7

Cisco IOS-XE
HP ProCurve
Juniper Junos
Linux

How to install Netmiko

Netmiko package not available by default. You should have netmiko library installed on your machine .Following are the steps to download and install netmiko in Python 3.6

Step 1. Working internet connection and Python 3.6 installed on machine

Step 2. On command prompt, type following command, this will automatically fetch netmiko from internet and install on your machine

“python -m pip install netmiko”

——————- advertisements ——————-

———————————————————-

Following are the steps to start with netmiko on your script

Import netmiko to your Script

Use the following command to import netmiko package to your script

from netmiko import ConnectHandler

Create Device template 

We have to create device template using python dictionary data type.

device= {
‘device_type’: ‘cisco_ios’,
‘ip’: ‘10.10.10.10’,
‘username’: ‘admin’,
‘password’: ‘Beginnersforum’,
‘port’ : 22,
‘secret’: ‘enablepassword’# optional, replace with your enable password ”
}

——————- advertisements ——————-

———————————————————-

where,

device->This is name of template, you can give any name like cisco_2960,juniper_sw etc

‘device_type’ -> Here we are specifying the type of device we are taking ssh,

secret -> Here we are giving the enable password

Port and secret are optional here and the default value for port is 22.

Establish an SSH connection to the device

We are establishing SSH connection to device by passing the above defined template

ssh_connect = ConnectHandler (**cisco_switch)

Run Show command 

Here the ‘show ip int brief” command will execute on remote device and output will store to ‘result” variable. We can print “result” to see the output on window

result = ssh_connect.send_command(show ip int brief) print(result)

——————- advertisements ——————-

———————————————————-

Sample output :

Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset down down
FastEthernet1 unassigned YES unset down down
FastEthernet2 10.10.10.10 YES manual up up
Vlan1 unassigned YES unset down down

Complete Script – Download

You can download script (to SSH to a device and add IP address to vlan 10) from here. Please change the file extension from .txt to .py for executing directly.

Also, keeping a copy here in this post below.

from netmiko import ConnectHandler
import getpass
import sys

#create device template

device = {
‘device_type’: ‘cisco_ios’,
‘ip’: ‘192.168.43.10’,
‘username’: ‘username’,
‘password’: ‘password’,
‘secret’:’password’
}

#Getting the user credential

print (“Script for SSH to device, Please enter your credential”)
device[‘username’]=input(“User name “)
device[‘password’]=getpass.getpass()
device[‘secret’]=input(“Enter enable password”)

#Establishing SSH connection
ssh_connect = ConnectHandler(**device)

#changing to enable mode
ssh_connect.enable()
ssh_connect.send_command(‘config t’)
ssh_connect.send_command(‘int vlan 10’)
ssh_connect.send_command(‘ip add 10.10.10.1 255.255.255.0)
ssh_connect.send_command(‘end’)
ssh_connect.send_command(‘write’)
ssh_connect.disconnect()

Hope you enjoyed reading. You can read more posts on Network automation using Python here. Please use the comments section for any queries/suggestions .

Reference :

https://www.tutorialspoint.com/python

https://www.python.org/

1 2