Path Monitoing With Palo Alto Firewall

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hi there for today's video i'm going to show you something that came up a few days ago interesting topic and i have to tell you up front this is not applicable to big environments with a thousand or two thousand users this is i would say applicable to mainly small office home offices uh 300 users or less network footprint is small and you're looking for a way to have multiple uplinks and switch to let's say backup link without you having to press a button so um let's begin like i said this is not applicable to big environments where you have let's say bgp over the edge of your network even though you can use it that's not a problem normally this situation with 2bgp routers and peering with two separate providers it doesn't break that often i would say it's a fairly solid situation but what if you don't have bgp let's just say this is just a static route to the internet you're doing just active active load balancing meaning you have um the same metric on the outgoing interfaces on the on the palo and this is not bgp which is just steady ground right so what if you lose this particular device fair enough you can switch to this one what if you lose this guy at the same time let's say you're hosting everything into one dc and boom and again this is a very small environment one dc possibly one rack and you got 300 users shouting at you that oh this is a bad design and of course you don't want to be in that situation so your manager comes up to you and say hey why not using lte why not using i don't know whatever else any medium of internet connectivity right so in this example i'm just going to say lte box so if you have an lte obviously bandwidth is not going to be cheap so you don't want to use this all the time you want to have it as a backup how do you do that and of course this is achievable with any brand cisco let's say 40 net any other thing but um for the sake of keeping this video short i'm going to stick to how auto firewall so let's begin [Music] so i'm going to go to my lab and show you guys how to do it so if you recall this situation that i basically started deploying a new lab let me actually zoom a little bit out so you guys can see what's going on so this is the palo alto situation and one of the sites one of the customer sites that i configured palo alto for internet connectivity and this is our user that is able to go out to the internet this connection is bgp mainly peering up with this provider and i can get to the rest of this network which i call it internet so everything is golden and golden until this very moment that i shut down this interface or something happens you know this cable is cut so then of course we do not have redundant connection at the moment this situation is broken here so let's just imagine that i don't have this router this is another bgp router but let me just say we haven't configured that just don't see it so we have a single internet link so my manager came up to me and said you know what we got lte and it's not that expensive maybe we can use it as a backup give me a solution right so in here let me zoom in a little bit in here i'll say okay we got an lte box fair enough i can plug this to palo alto and be able to browse the internet so i'm gonna simulate that for you sort of so we have a redundant internet link now read this as lte which is spanning across going to this provider right here and from there i can break to the internet right so this is like i said it's not emulation of lte is just a simulation so any backup link lte is popular but fill in the blank with anything that you have all right so my link goes down i want my users to be able to go out to the internet using this link and for that short period of time where this link is recovering i want the users to be able to still browse the internet so now you understand the situation let's log into paolo and i'm going to show you guys how to do it so this is my palo alto and under the network interfaces this is my primary internet link which is healthy i'm gonna log into the host that i have right and um i'm gonna try to reach to a host on the internet let's just say a loopback interface on this guy and this guy is this router so i'm going to pick this one right so if i go to my user and i say i want to ping let's just say this is a very important destination for my users on the internet so i'm gonna try to ping it and it works just fine right now on the palo alto i got another interface interface one slash three which is well let me zoom in a little bit and refresh this slightly out of order okay this is eth one slash three and if i zoom back out this is going to this service provider so on that service provider i actually configured an interface with this ip address and on the palo alto i have this is just a slash dirties i have another ip address for my palo interface and nothing else so i assigned it with the outside security zone so far it's not doing anything and let me go to my routing table as you can see this is my default route not much going on here just a basic default route and i'm browsing things through the internet through this link right okay so so let me add my second default route and show you guys how does this work so so far no big deal we got metric 10 and default route i'm gonna add another one so in here i'm gonna say backup default and i'm gonna say zero zero zero and uh next hop oh next hop is gonna be this guy interface is this one one zero slash uh one slash three and then the metric since this is an expensive connection i don't want to use it all the time so i'm gonna assign it with a metric of 100 fair enough right so far not a big deal you know this already and we love golden so i'm gonna press on okay and commit and let's go to the panel itself so i'm going to try to ping from source which is 97 which is 98 which is my interface to let's say a host that is let's just pick this guy that is on the internet right so i can get to it no problems that means that our default route is working so let's see what's the situation with the user so this user down below is still using this route and like i said imagine that this thing doesn't exist right so this router doesn't exist i have just a single internet router so this user is still traveling through this link and goes to the internet let's see that so i'm going to do traceroute for that destination and fair enough i'm passing through my internet connection the internet router that i have in here if i'm not mistaken no not this one yeah this is my internet router so i'm passing through this guy right i'm not using that default route because uh obviously it has a higher metric but what if something bad happens here let me just tell you it's not necessarily a cable cut it could be that your connection is up physically and that is why when power outa sees that interface and it sees that this connection this link this particular interface is up it's not going to take it out from the routing table right i'm pretty sure you have experience with that your bgp connection goes down or something happens with the provider but your physical status your physical link is still up so the default route in here let me show you the default route with a lower metric doesn't disappear that's a problem right so what if that happens what is your way out you of course you can monitor it you can do you can wait for service tests to call you but there is a better way to do that for and i'm going to simulate that for you so let's go to the provider this guy this is 817. all right show ippgp summary so this is my peering if i'm not mistaken yeah that's appearing that i have with this guy but before we take anything down let me actually configure path monitoring which is a feature in palo alto i'm going to show you how to do it and we see how it works and after that i'm going to test it take the bgp down with this service provider so physical link doesn't go down but the service goes down and then we're going to see if we successfully switch over to lte or not so let me go to the virtual router and then i'm going to click on static route and the default route that i have that is taking the service provider path this guy so i'm going to go here and enable path monitoring so what this does is that it uses the source interface which is this guy let me actually add it here so i'm just going to say monitor so i'm going to take this source interface and what this thing does is that let me grab the destination like i said this is a very important destination right so it can be anything so i'm telling this guy that if you lose access not necessarily the default gateway think about it if the internet service from the provider side is down but the physical link is up you don't want to ping the default gateway that the provider has given to you right because there's nothing wrong with physical link you might want to try let's say google dns service to as an indication that if something goes down with the provider at least you will lose access to google dns service right so in this case this is an important destination for me i'm going to say if you lose access or if you cannot monitor this particular destination you don't get any response this is a situation that constitutes outage right and i'm gonna pick this one any and click on ok and okay and commit right so let's go to palo and try to ping it from the primary interface so as you can see it's working no problems my first interface what i'm doing basically let me explain it to you so what i'm doing here is that i'm saying from this interface i'm pinging this destination and everything is golden so so far we have no outage everything is good let me try to do one more trace wrap so we are passing through the internet router no problems i'm gonna put this guy into continuous pain change the ip address destination ip address to this guy and i'm going to say trace ping should be ping okay so everything is golden no problems our users can get to that important destination so i'm gonna simulate that outage that service down right not the physical link down so i'm going to go to the service provider and say sure section bgp oh my peering with this neighbor i'm gonna take it down let me just say i didn't pay the bill so i'm gonna cut the service shutdown okay you see that destination host unreachable but and let's take a look at the client client also lost internet connection you know destination unreachable but the physical status of the link is up right so that is a situation where the palo alto should switch over to the secondary route and it does you see that so my link is down but now if i go to the virtual router and take a look at the default route you see that i'm switched over to the backup internet link which is lte so i'm now being routed through this guy isn't that beautiful i think it is so you don't have to really respond to this situation you see how many icmp traffic did we lose let's actually try that okay there is a cache that i'm going to explain it to you but let's go to the palo alto side so you see we lost a little bit of traffic which we can adjust the timers but the moral of the story is that you don't have to really actively respond to the situation of course someone in let's say half an hour two hours gonna take a look at the monitoring dashboard and they're gonna notice that okay we are switched over to lte so we have to call that service provider but the situation can be at least mitigated with relatively an easy click right and you might be wondering why i lost icmp traffic um that's because i have to enable nat on the backup internet link which i'm going to enable it and then commit it and hopefully we should get our users back online again so don't forget to enable nat obviously you have to do it on this is just basic so i'm just translating them to the interface and as you can see the internet connection is back online so um by the way if you have problems with the timers you can obviously go and change the timers but you know you have to kind of be careful my advice to you is that don't set it too aggressive because there are situations that you lose one or two packet but you don't still you don't want to switch over so the default values work for me and they are just fine and by the way since we did this and we brought the service down let's go to the service provider and bring this neighbor back online let's just say they settled their bill so i'm gonna bring the bgp relationship back up and you might be wondering okay will i be switched back to the default route so let's check the routing table i'm still using this guy but there is a cache to that and that is preemptive hold time so let's say if your provider recovers and your service is restored it's going to wait for two minutes and if the service is stable for two minutes then it's gonna switch back to the primary route so so far we are i think still into this less than two minutes let's just wait a little longer i'm not going to press any button just going to make sure that it does it automatically and the other way to do that would be to go to this provider [Music] now this provider debug ip icmp let's see my source okay i apparently just have been switched over or not let me yeah i've been switched over to the other one let's just refresh it so that two minutes time has passed and now i'm switched over so if this is too much for you you can obviously go there and change it to a lower value but like i said this is a safe value to stick to so i hope this video has been useful to you if it was give it a thumbs up consider subscribing and turn on the notification for this channel so i get some sort of support from youtube thank you very much have a good one
Info
Channel: William Shanaei
Views: 14
Rating: undefined out of 5
Keywords: vpn, site to site, asa, configuration, access list, troubleshoot, ikev1, cisco, config, nat, exempt, sha, aes, transform set, virtual private network, diffuse-hellman, ipsec, isakmp, crypto, connection, policy based, tunnel, gns3, routing, bgp, route, vti, policy, asav, training, free, palo alto, william, shanaei, top, video, youtube, best, eve-ng, eve, ng, asdm, aaa, user, ssh, http, gui, easy, cli, command, virtualization, linux, dynamips, server, lab, juniper, palo, alto, paloalto, pa, setup, panorama, virtual, path, monitoring, ip sla, ip, sla
Id: otbtj32gkn8
Channel Id: undefined
Length: 21min 9sec (1269 seconds)
Published: Sun Dec 12 2021
Related Videos
Let's Talk About Palo Alto - Site to Site VPNs with Cisco Router
Rob Riker's Tech Channel
1.8K
Palo Alto Firewall Basic Setup
William Shanaei
53
How to: Attach an email to an email in Gmail
Google Workspace
1.1K
Cisco ASA & Juniper SRX - Route Based VPN
William Shanaei
50
Cisco ASA - High Availability Scenario (Intermediate)
William Shanaei
48
Checkpoint Installation,Deployment and Configuration - cyber security detection, firewall, vpn
Technocraft
55K
Cisco ASA High Availability with ASDM
William Shanaei
77
Unboxing and Initial Setup of Synology NAS DS920+
William Shanaei
87
Cisco Catalyst 9K Series - Upgrade IOS-XE
William Shanaei
240
Console To Your Cisco Switch With a Bluetooth Dongle
William Shanaei
166
Site to Site VPN Theory
Jayachandran
69K
Install Ubiquiti Network Controller on Ubuntu 20.04
William Shanaei
526
NAT on Cisco ASA with ASDM
William Shanaei
200
NAT and Port Forwarding on Cisco ASA with ASDM
William Shanaei
402
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.