Let's Talk About Palo Alto - Virtual Wire or vWire and Tap Interface

Captions
How's it going, everybody. In this video we're going to take a look at our next Palo Alto feature for interfaces, known as vWire. So what is vWire? Well, there are cases where you don't want to, or can't, re-IP address or inject another route (or what have you) into an environment, but you still need the ability to inspect the traffic that's passing through the device. Cisco has the capability of doing transparent mode, and so does FTD. In this case we're not going to be changing the mode of the firewall; we're going to change some interfaces so that they're not even layer 2. Basically, vWire acts as if it's not even there: there's no MAC address learning, there's no IP addressing, it literally just passes the traffic between the two interfaces, and you can inspect the traffic with rules that way. This would be great if you're trying to take advantage of a connection between the internet router and your default gateway and you need to be inspecting the traffic; that's a common place to put it.

There have been scenarios in the past where I've had to go out and deploy something like this. You have an internet-enabled device sitting here (here's your internet), and coming off this guy you have a router. So this guy right here is terminating a public internet service; I don't care what service provider you're using, but it's internet communication, so you have some sort of public internet IP here. But you also have some public internet back here, meaning the customer owns their own address space. So let's say this is provider... actually, let me change this up a little bit. This is going to be provider aggregated, meaning the provider is the one doing the connectivity between here and here, and then you have another box back here that is provider independent, meaning the customer owns the routes; they own the /24 or whatever. So you take that capability, and right here is where you would inject your PA firewall. By doing that you're injecting the firewall in between them, but it's almost as if the firewall is in layer 2 mode. You can do the same with VLANs, the same concept applies, but unlike the layer 2 capability of the interfaces there's no MAC address learning; you're literally just inspecting the traffic as it comes through. So you have to create a vWire object. You create the object, and once the object is created you map the interfaces: this interface here and this interface here will both be tied to a vWire, and once that's done they're going to be able to pass the traffic back and forth.

So we'll go through the steps to get it working and operational. Testing-wise, I'm not 100% sure if the VM supports it, because in prior testing it didn't work the way it was advertised. I know it works on physical boxes, because a couple of customers I've worked with have deployed vWire-enabled firewalls in different parts of the network. There have been a handful of customers I've worked with that have replaced ASAs with PAs; I don't really care which way they go, but I've had to work with them. And the Palo Alto does a really good job of doing tap mode as well. We'll talk about tap mode in the next video, where we basically use the PA box completely out of band and use it just for network monitoring.

So let's go ahead and take a look at those details. Let me clear the screen. We're going to convert the interfaces between Router 4 and Router 5, ethernet1/2 and ethernet1/3; we're going to put them into vWire mode. Let me get out of the way. We go over to Network, then Interfaces, and on ethernet1/2 we're going to change the type from Layer2 to Virtual Wire. Virtual wire: there is none, but we can create one. We're going to call it vWire, set the interface and click OK, and for the tags allowed we're going to say tag 0, so basically just untagged connectivity. Then the security zone: we don't have one, so I'm going to create a new security zone called vWire and click OK, and then click OK there. Then on ethernet1/3, Layer2 will be converted to Virtual Wire, the virtual wire gets mapped here and the security zone gets mapped here, and we click OK. That's pretty much it; there's really not much more to it than that. Under Virtual Wires we can see the vWire is created and link state pass-through is enabled. So again, it's not learning the MAC addresses. It's unlike any other networking capability out there; it's pretty much its own design, where it's basically treating itself as a physical wire. It's a virtual wire, so pretend there's nothing there at all; it's just an extension of the physical cable. That's basically what it's trying to do.

We're going to commit that and click OK. We'll pull up SecureCRT and we will see the connection go down. But now we've created a security zone, and remember, intrazone communication is allowed by default, so we should be in pretty good shape. We'll let that commit; I'm going to pause the video while that does its thing. All right, so the configuration is in play. We click Close, and now we can go back to the Monitor tab and the Session Browser. Because we have that communication going back and forth, if we come in here and do a show ip eigrp neighbors, we still have our neighbor. We ping 10.4.5.5, the ping goes through, and if we refresh the session browser we should see pings going back and forth. So we know it's working with vWire. If we wanted to do some advanced config, we could enable a policy for the vWire. So I don't think I actually did the security zone before; now I did, and now I know it works. vWire does work the way it's advertised. The most commonly rolled-out deployment for a Palo Alto firewall that I've seen is a vWire, because people like to just stick it in place and plug it in, and then it just extends the cable between the interfaces; it's like there's nothing in there. But you can clearly see through the ping data that it's working the way it needs to. So that's pretty much that; we've done vWire as well, which as you can see is pretty straightforward.

So we'll take a look at tap. We're not going to be able to demo tap, only because I don't have any devices in here that support tap mode; I mean, I don't have the ability to do SPAN on the switches that I'm working with. I probably could configure SPAN somewhere in my network and connect it, but as a matter of fact, let's just talk about SPAN and tap mode real quick. Let me go back over to Network, then Interfaces, and we'll just pick a random interface. Let me grab ethernet1/7, because nothing's physically plugged into 1/7. So on 1/7, for example, the type is Tap, and then you would obviously create a security zone called tap. What that basically allows you to do, think of it like a Wireshark collection: I can sit there and grab a bunch of information from that particular interface and start to see what's happening.

So if you have a device like a switch that you can do port mirroring on, let me whiteboard this out a little bit so you guys can follow along. The concept is actually very simple. Let's assume we have a switch sitting here, we have our internet router here, let's say IR, and we have our edge router here, and between these two guys we're passing data back and forth. We'll say this is VLAN 10 and this is VLAN 10. What we can do is create a SPAN port: on the monitor session, when we configure it, we'll say the source is going to be VLAN 10, and the output port, let's say, is this guy, which is Gig0/8. So what's going to end up happening is all the data going between these two ports in VLAN 10 will get piped, or mirrored, or port-copied, however you want to refer to it, to Gig0/8. Gig0/8 will be plugged into a Palo Alto firewall, PA here, and this port right here will be configured as tap mode (if I could write "tap"). You create a security zone for it, and then all that data is going to come into the firewall, and the firewall is going to be able to look at it and go, oh, there's a whole lot of information here.

This is data collection, because think of this like intrusion detection. I'm sure you guys have heard of IDS and IPS. This would be an IDS system. An IDS means it's out of band; it's only seeing what's happening, taking information in. Something like this right here would be IPS mode, where you're in the data path and you have the ability to go in and block traffic via a security policy if you want to. So think of those details as you're going forward in your career: IDS is out-of-band, IPS is in-band, so you're physically in the way of the traffic; traffic has to physically pass through you in order to get to where it's got to go.

I have seen a few customers do a proof of concept with Palo Alto where tap mode was used. We brought in, like, a 5000 series, I believe; it was some larger platform, I think, or 500... 5000, I don't remember, I don't have the platforms memorized. Sorry, 5200, that's what it was; I knew I was in the neighborhood. Anyway, we took a larger box, plugged it into a SPAN port, and we just started receiving data. That gave us a lot of visibility, because then we were able to use App-ID and Content-ID to look at the details and figure out what's going on in the network, look at the sessions, look at the logs, and by doing that we were able to get a much better idea of what's going on. At the time we were using older Juniper NetScreen firewalls; they were doing the job, but they're no different than a regular layer 3 or layer 4 firewall, so it didn't really give us the visibility that we needed. PA did. We never went with PA, only because... we never did. I thought it was a good idea, but I was overruled by somebody else. But you know, it is what it is. At the end of the day we were looking for the ability to take the information in and figure out what we wanted to do with it. I was in favor of Palo Alto, they were not, so we never went forward with it. But that's basically what tap mode is designed to do. I don't have a tap mode option; I probably could figure it out, but at the end of the day it's not a big enough deal for me to monkey with it. So that's basically how that process comes into play, in case anybody was wondering, but that's the long and the short of it.

So you've been able to see vWire in this video, we talked about tap, and we're going to talk about layer 3 subinterfaces in the next video. Until next time, guys, take it easy.
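Added example (not from the video and not Palo Alto Networks' code): a small Python generator for the PAN-OS set commands behind the steps the video clicks through, the kind of thing you would drop into a config build script so the vWire is reproducible instead of hand-clicked. It renders the two interface mode changes, the virtual-wire object with its tag-allowed list and link-state pass-through, the zones, and a tap interface, and validates the inputs first: an interface used twice, a vWire looped onto one port, a tag outside 0-4094. The names vwire1, vwire-outside, vwire-inside, tap, ethernet1/2, ethernet1/3 and ethernet1/7 are assumptions chosen to mirror the demo, and the command syntax follows the PAN-OS configure-mode set form as I know it, so confirm it against your release before committing. One deliberate difference from the demo: the two ends of the wire go in different zones. With both interfaces in one zone the default intrazone rule allows everything, so the firewall inspects but never enforces; splitting the zones makes the explicit, logged interzone rules the only path through, which is what the IPS-versus-IDS distinction in the video is about.

```python
"""Build and sanity-check PAN-OS set commands for one vWire pair plus a tap
interface.  Added example, not from the video.  vwire1, the zone names and
ethernet1/2, 1/3, 1/7 are assumptions mirroring the demo; verify the set
syntax against your PAN-OS release before committing."""
import re
from dataclasses import dataclass

IFACE_RE = re.compile(r"^ethernet\d+/\d+$")


@dataclass
class VWire:
    name: str
    interface1: str
    interface2: str
    zone1: str                      # zone holding interface1
    zone2: str                      # zone holding interface2
    tag_allowed: str = "0"          # "0" = untagged only; e.g. "0,10-20"
    link_state_pass_through: bool = True


@dataclass
class Tap:
    interface: str
    zone: str


def parse_tags(spec):
    """Expand a tag-allowed string ("0", "0,10-20,30") into a set of VLAN IDs.
    Raises ValueError for malformed elements or IDs outside 0-4094."""
    tags = set()
    for part in spec.split(","):
        part = part.strip()
        if not re.fullmatch(r"\d+(-\d+)?", part):
            raise ValueError(f"bad tag element {part!r} in {spec!r}")
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"tag range {part!r} outside 0-4094")
        tags.update(range(lo_i, hi_i + 1))
    return tags


def validate(vwires, taps):
    """Return (errors, warnings).  Errors would fail the commit or make no
    sense on the wire; warnings are design points worth a second look."""
    errors, warnings, owner = [], [], {}
    for vw in vwires:
        if vw.interface1 == vw.interface2:
            errors.append(f"{vw.name}: both ends on {vw.interface1}")
        for ifc in (vw.interface1, vw.interface2):
            if not IFACE_RE.match(ifc):
                errors.append(f"{vw.name}: bad interface name {ifc!r}")
            elif ifc in owner:
                errors.append(f"{ifc} is already used by {owner[ifc]}")
            owner[ifc] = vw.name
        try:
            parse_tags(vw.tag_allowed)
        except ValueError as exc:
            errors.append(f"{vw.name}: {exc}")
        if vw.zone1 == vw.zone2:
            # Same zone on both sides: the default intrazone rule allows all
            # traffic, so the firewall inspects but never blocks anything.
            warnings.append(f"{vw.name}: both ends in zone {vw.zone1!r}; "
                            "traffic matches the default intrazone allow")
    for tap in taps:
        if not IFACE_RE.match(tap.interface):
            errors.append(f"tap: bad interface name {tap.interface!r}")
        elif tap.interface in owner:
            errors.append(f"{tap.interface} is already used by {owner[tap.interface]}")
        owner[tap.interface] = f"tap zone {tap.zone}"
    return errors, warnings


def render(vwires, taps):
    """Emit the set commands; refuse to emit anything if validate() errors."""
    errors, _ = validate(vwires, taps)
    if errors:
        raise ValueError("; ".join(errors))
    cmds = []
    for vw in vwires:
        for ifc in (vw.interface1, vw.interface2):
            cmds.append(f"set network interface ethernet {ifc} virtual-wire")
        lsp = "enable" if vw.link_state_pass_through else "disable"
        cmds.append(f"set network virtual-wire {vw.name} interface1 {vw.interface1} "
                    f"interface2 {vw.interface2} tag-allowed {vw.tag_allowed} "
                    f"link-state-pass-through {lsp}")
        cmds.append(f"set zone {vw.zone1} network virtual-wire {vw.interface1}")
        cmds.append(f"set zone {vw.zone2} network virtual-wire {vw.interface2}")
        if vw.zone1 != vw.zone2:
            # Explicit, logged interzone rules in both directions (the demo's
            # EIGRP neighbours initiate from either side); without them the
            # default interzone rule silently denies everything on the wire.
            for src, dst in ((vw.zone1, vw.zone2), (vw.zone2, vw.zone1)):
                cmds.append(f"set rulebase security rules {vw.name}-{src}-to-{dst} "
                            f"from {src} to {dst} source any destination any "
                            "application any service application-default "
                            "action allow log-end yes")
    for tap in taps:
        # A tap zone only sees mirrored copies: policy here can log, never block.
        cmds.append(f"set network interface ethernet {tap.interface} tap")
        cmds.append(f"set zone {tap.zone} network tap {tap.interface}")
    return cmds


DEMO_VWIRE = VWire("vwire1", "ethernet1/2", "ethernet1/3", "vwire-outside", "vwire-inside")
DEMO_TAP = Tap("ethernet1/7", "tap")

if __name__ == "__main__":
    print("\n".join(render([DEMO_VWIRE], [DEMO_TAP])))
```

Run it as-is to print the nine commands for the demo topology; feed the output to `configure` mode on the firewall, or to a Panorama template, and commit. If you want the demo's single-zone behaviour instead, give both ends the same zone name: validate() then returns a warning rather than an error, and render() omits the interzone rules because the default intrazone allow already passes the traffic.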
Info
Channel: Rob Riker's Tech Channel
Views: 2,857
Keywords: Palo Alto, Palo, Alto, firewall, security, virtual wire, vwire, tap, passive, network, connectivity
Id: tUUA_2WMaNc
Length: 13min 8sec (788 seconds)
Published: Wed Aug 26 2020