Transparent Firewalling using Palo Alto Virtual Wire

We all know the story. You deploy a network to extremely tight specifications, and when you ask – just to make sure you understand the requirements, of course – if it’s absolutely certain that the client IP ranges will never change, that this system will never need to be accessible from the Internet and that there is no way they will need more than eight host addresses, people just laugh at you and say things like “a fully built-out system can’t physically handle more than five servers, so yeah – we’re never even going to need the eight you’ve given us!”. Of course you know better than to trust project design engineers, so you make sure the system runs on public IP addresses, accessible from anywhere in your network, and you set aside 27 (or better, make it 59) IPs for host addresses just to be sure; so when they sheepishly come back after three months and say “Umm, we need some help…” you can do the whole told-you-so routine and then magically appear to fix the issue within a few minutes. (It’s okay to keep complaining for a couple of hours first.) Again, you’re the hero!

After a couple of years in the industry, you’re bound to run into situations that, while you may have predicted them, you can’t easily engineer around. I ran into one of those a few years back. We deployed a platform that includes components accessible to our end-customer CPEs; when our customers access certain services, a connection from CPE to server is initiated automatically. The IP address of this system is provided to the CPE by a catalogue server, and due to the architecture of the platform (as given to us by the integrator) there is no way to change this IP once it’s been set – it is hardcoded in too many places. What really tripped me up was that specific issue in combination with the first two statements above: from initially being accessible from three private IP ranges, strictly controlled by us, this server suddenly needed to be accessible from the Internet. Yay. (Good thing I was clever enough to use a public IP address for the server, huh?)

The system, let’s call it DAVE, is connected in a VLAN with a number of other devices that do not need to (in fact, should not) be accessible from the outside world. Before, we knew that every client allowed through the Cisco ACL was an authorized CPE (there was no other way to get an IP address in that range and get so far as to be able to make a request to this server), but with a wide open ACL the attack surface is so much bigger, and I want to make sure that DAVE is as secure as possible – there are some strange people on the Internet. After a few false starts with a half-hearted NAT attempt and an attempt at placing DAVE behind a load-balancer and doing some clever stuff with layer-7 filters there, I gave up (apparently, that version of AlteonOS would only load balance that particular protocol on its IANA-assigned port number, not the non-standard port we used) and contacted a consultancy company we work with for assistance. They came up with a pretty neat solution – using a “Virtual Wire” on a Palo Alto Networks firewall. A true square plug in a square hole solution.

This works exactly like you envision a firewall to work – you have your interfaces, your trust zones, your policies and enough host and group objects to force you to come up with a naming convention for them… There’s only one thing missing that you’d normally expect to find – you don’t actually have any IP addresses on the firewall itself.  The firewall acts like a transparent bridge between the two ports – it’s essentially a layer-7 aware patch cable* that you insert between the 6500 and DAVE.  (* = Patch cable not included.)  DAVE keeps his old IP configuration and the 6500 – and the rest of the VLAN – is none the wiser.  In fact, the PA will even bridge DAVE’s MAC address to appear directly on the 6500 access port.  (I understand that the Cisco ASA can do something similar – Jimmy will cover this in a later post.)

Configuration is simple – you need to configure the participating interfaces as Virtual Wire interfaces, then create the Virtual Wire itself, and finally configure the zone mappings for the interfaces before you proceed to configure the actual policies as usual. These steps can be performed through the web GUI or via the CLI, and I’ll show you the CLI style here. Policies are better configured through the web GUI, though; we’ll leave that to a future post if there is interest.

set network interface ethernet 1/1 virtual-wire
set network interface ethernet 1/2 virtual-wire

set network virtual-wire DAVE interface1 ethernet 1/1
set network virtual-wire DAVE interface2 ethernet 1/2
set network virtual-wire DAVE tag-allowed 123,456
set network virtual-wire DAVE link-state-pass-through enable yes

set zone DAVE network virtual-wire 1/1
set zone UNTRUST network virtual-wire 1/2

(The tag-allowed line lets tagged VLANs 123 and 456 through. If you’re on an untagged port, just skip this line.
The link-state-pass-through line means that if the link between DAVE and the PA goes down, the PA will bring down the link between the PA and the 6500; effectively telling the Cisco “DAVE’s not here, man.”)

That’s the Virtual Wire configured (remember to commit your changes).  Now you can have the Palo Alto policies delve into the actual packets and verify the layer-7 contents: Is it properly formed?  Does it go to a valid URI?  Has it got the correct User-Agent?  Does it have a valid session-token?  Et cetera.  This is another layer of protection the evil-doers will need to get through in order to access DAVE; and it makes me as an admin sleep better at night.
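As an added illustration (not code from this post, and not PAN-OS policy configuration), the following Python script models the four request checks just listed as a small reference validator: it parses a raw HTTP/1.x request, normalizes the path before matching it against an assumed URI allow-list, and requires an assumed CPE User-Agent pattern and session-token format. The allow-list, the User-Agent pattern, the token format and the sample requests are all assumptions constructed for the example; a Palo Alto security policy expresses the equivalent checks declaratively rather than in code.

```python
"""Reference model of the layer-7 checks a request to DAVE must pass.

Added illustration, not PAN-OS policy code. The URI allow-list, the CPE
User-Agent pattern, the session-token format and the sample requests are
assumptions constructed for this example.
"""
import posixpath
import re
from dataclasses import dataclass

# Assumed: URIs a legitimate CPE may request (compared after path normalization).
ALLOWED_URI_PREFIXES = ("/catalogue", "/session")
# Assumed: the CPE firmware identifies itself as CPE-Client/<major>.<minor>.
CPE_USER_AGENT = re.compile(r"^CPE-Client/\d+\.\d+$")
# Assumed: session tokens are 32 lowercase hex characters.
SESSION_TOKEN = re.compile(r"^[0-9a-f]{32}$")
# HTTP/1.x request line with an absolute path and an optional query string.
REQUEST_LINE = re.compile(r"^(GET|POST) (/[^\s?#]*)(\?[^\s#]*)? HTTP/1\.[01]$")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, path, headers).

    Raises ValueError for anything that is not well formed, which is the
    post's first question: is the request properly formed?
    """
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII bytes in request head") from exc
    head, terminator, _body = text.partition("\r\n\r\n")
    if not terminator:
        raise ValueError("missing end-of-headers marker")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        key = name.strip().lower()
        if key in headers:
            # Duplicate headers are an ambiguity different hops may resolve differently.
            raise ValueError(f"duplicate header {key}")
        headers[key] = value.strip()
    return match.group(1), match.group(2), headers


def uri_allowed(path: str) -> bool:
    """Allow-list check on the normalized path, so '/catalogue/../x' is judged as '/x'."""
    norm = posixpath.normpath(path)
    return any(norm == p or norm.startswith(p + "/") for p in ALLOWED_URI_PREFIXES)


def inspect(raw: bytes) -> Verdict:
    """Apply the four checks in order; the first failure decides the verdict."""
    try:
        method, path, headers = parse_request(raw)
    except ValueError as exc:
        return Verdict(False, f"malformed: {exc}")
    if not uri_allowed(path):
        return Verdict(False, f"uri not allowed: {posixpath.normpath(path)}")
    user_agent = headers.get("user-agent", "")
    if not CPE_USER_AGENT.match(user_agent):
        return Verdict(False, f"unexpected user-agent: {user_agent!r}")
    if not SESSION_TOKEN.match(headers.get("x-session-token", "")):
        return Verdict(False, "missing or malformed session token")
    return Verdict(True, f"{method} {posixpath.normpath(path)}")


# Constructed sample traffic: one legitimate CPE request and a few that must be dropped.
GOOD_REQUEST = (
    b"GET /catalogue/channels?region=eu HTTP/1.1\r\n"
    b"Host: dave.example\r\n"
    b"User-Agent: CPE-Client/2.1\r\n"
    b"X-Session-Token: 0123456789abcdef0123456789abcdef\r\n"
    b"\r\n"
)
TRAVERSAL_REQUEST = GOOD_REQUEST.replace(b"/catalogue/channels?region=eu", b"/catalogue/../admin/reset")
SCANNER_REQUEST = GOOD_REQUEST.replace(b"CPE-Client/2.1", b"curl/8.0")
NO_TOKEN_REQUEST = GOOD_REQUEST.replace(b"X-Session-Token", b"X-Other")
GARBAGE_REQUEST = b"\x16\x03\x01 not http at all"

if __name__ == "__main__":
    for name, req in [("good", GOOD_REQUEST), ("traversal", TRAVERSAL_REQUEST),
                      ("scanner", SCANNER_REQUEST), ("no-token", NO_TOKEN_REQUEST),
                      ("garbage", GARBAGE_REQUEST)]:
        verdict = inspect(req)
        print(f"{name:10} {'ALLOW' if verdict.allowed else 'DROP':5} {verdict.reason}")
```

The order of the checks matters for the same reason it does in a firewall rulebase: the cheap structural check runs first, so a malformed request is dropped before any allow-list is consulted, and the path is normalized before comparison so that a traversal sequence cannot smuggle a disallowed URI past a prefix match.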

Posted in Palo Alto Security