Jared Heinrichs

You are here: Home / Archives for Networking

By Leave a Comment

How to perform a basic setup of a Palo Alto Firewall

Welcome to the first of many posts about Palo Alto Firewalls. This post will go over using a physical Palo Alto Firewall.

The model I will be using is a PA-200 with a PAN-OS of 8. As long as you use the same OS the screenshots should look identical. Older versions of PAN-OS should be similar or the same.

Palo Alto Firewalls have two “Planes”. They have the Management Plane and the Data Plane. These concepts are important to understand when setting up the device.

  1. Management Plane – Is essentially tied to the Management Port. It will have it’s own IP address, DNS and Default Gateway. In order to update your firewall, you will need to make sure the Management Plane/Port is set up correctly. This post will go over these tasks
  2. Data Plan – The data plane is the area in which the data flows. Typically the External Port will have a default gateway as well. This post will not cover this.

I will be creating a LAB setup that will be a subset of an existing network. The purpose of this setup is to allow you to play and work with a Palo Alto firewall from the comforts of a working network.

The first thing you need to know when setting up a Palo Alto is that the device’s management port is set to the IP address of 192.168.1.1.

If you plan to plug this port into your existing network and your IP range is also in 192.168.1.1 you will need to change this IP address by plugging a computer directly into the Managment port rather then plugging the management port into your existing network infrastructure.

My network is not part of the 192.168.1.X network so I will plug my Palo Alto management port into a switch and make sure that the Palo Alto device and Computer are on the same VLAN/Physical Network.

I will change my IP address from it’s 192.168.101.x network address to 192.168.1.2 /24. Doing this will allow my machine to talk with the Palo Alto firewall.

  • Open your favorite browser (I find Chrom works the best) and go to https://192.168.1.1

You will be greeted with a warning that you are using a private cert instead of cert from a certificate authority. Tell your browser it is ok.

You will see the login page for the Palo Alto firewall. The default username and password is:

  • user: admin
  • pass: admin

When you have entered the login credentials click “Log In“.

You will see a warning that you haven’t changed the default password yet. Click “OK”

Click the Device Tab

To change things like

  • Hostname
  • Domain
  • Time Zone
  • Time

Click SetupManagement TAB and then the General Settings Cog icon.

A window will pop open and you can enter the information. Here is an example of what I entered into the Palo Alto Device. When done click “OK”.

Please note that this setting and the rest of the settings we change will not be applied on the Palo Alto Firewall until I have hit commit!

Next we will update the DNS servers that the Management Plane. To do so stay in the setup section and click the Service TAB – then click the Services Cog

Enter your preferred DNS servers. Typically you would enter your Active Directory DNS servers. Today I chose to use the Google DNS server. Click OK

The next things we will change is the IP address of the Management Port. To do this stay in the setup section. Click the Interfaces TAB – Click Managment Interface.

As we have seen the default IP address is 192.168.1.1. We can specify the IP Address to be DHCP (only newer versions of PAN OS allow for this!) or a static IP address. Here is how I setup my device:

The next thing we will need to do is change the default password of your Palo Alto Firewall. To do this click on:

  • Device TABClick Administrators Section – then click on admin

Change the password to your liking:

Now that we have finished the basic setup of the Palo Alto Firewall we will now need to commit our settings.

PLEASE NOTE – Since we are changing the IP address from 192.168.1.X network to the 192.168.101.x Network the progress bar will never reach 100%. The reason for this is the browser won’t be able to update progress bar to 100%. This “issue” is pretty typical on network devices that are being configured via it’s web managment. If you were using the command console it would complete as expected.

In my instance, the device got to 98%. Click Close.

You can now switch your computer’s IP address back to its normal network and you should be able to talk to the Palo Alto on the new IP address!

When you log in it is good to verify that the settings you have entered were applied. Notice right away you can tell the device was named propperly and that we are now logging in from the new network in the logs.

The last thing we should do is check our ability to SSH into our device and test connectivity using Ping and trace Route.

Open your favorite SSH client I use PuTTy. Enter the settings into the client. Here is mine:

accept thew SSH Key:

Log into the box using your username and password you enter into the Web Interface.

The first thing we want to do is ping google.com. The command to do this is:

  • ping host google.com

You should see that the name is resolved using DNS and that the box should be able to ping the server:

Another good test is a Trace Route. I blurred out my information.

I really hope you find this post informative and concise!

 

By Leave a Comment

How to figure out what switch port your computer is plugged into

Do you have a live port that wasn’t documented? Normally if you had a huge budget you might have a Fluke device on hand. Unfortunately, not everyone can afford a Fluke Testing Device.

For this article, you will need to have a laptop with Wireshark installed.

Plug in the laptop and start Wireshark. Once you start Wireshark you will want to start the packet capture on the network card that is attached to the port in question.

Once you see that traffic is flowing you should enter the “Filter Expression”:

  • CDP

If you leave Wireshark up and running long enough you will see only the CDP packets start to come in.

The CDP packets will tell you many things. Some of the most useful things are:

  • Device ID – This is the name of the switch
  • Software Version – Firmware Version of the switch
  • Addresses- IP address of the switch
  • Port ID – The switch port the computer is plugged into
  • Cluster Management
  • VTP Domain info
  • VLAN info
  • Duplex Info
  • Management IP address of switch

Here is what you might see:

Once you have one packet captured that is all you will need. Stop the packet capturing and take a look at the first packet.

There will be 4 Main sections of the packet. The section we are going to care about is: “Cisco Discovery Protocol”.

If it isn’t already open please do so now. Scroll down until you see:

Depending on the make and model you might see FastEthernet, GigabitEthernet or just plain Ethernet. The 1/0/4 says the name of the port on the switch!

NOTE- You could also write down the MAC address of the laptop, log into the switch console and look the Mac Address up in the ARP cache. What is nice about the Wireshark method is that you can get this info without having login credentials for the switch!.

Let me know if you have any issues.

By Leave a Comment

How to reset a Mitel Voicemail Password (MiCollab)

NOTE – You will need to know what the person’s mailbox number is. In the second step you can only open the mailbox if you know what the number is.

Log into the Web administration. The URL will look something like this: https://mas.domain.com/server-common/cgi-bin/login?cookie_probe=1

Once you are logged in on the left hand side there is a column. There should be an item called “NuPoint Web Console”. Click it.

mitel-MiCollab-01aa

Click On “Mailboxes” and then enter the person’s mailbox number.

mitel-MiCollab-02a

After searching for the mailbox number. You will need to click the link in the Number box.

mitel-MiCollab-03a

Change the “passcode” and hit save

mitel-MiCollab-04a

 

By Leave a Comment

CCNA–Cisco Etherchannel in plain English

Etherchannel is a Cisco term that allows a selection of ports to be grouped into a single virtual connection.

PROS

  1. Able to move more data than a single dedicated line.
  2. Provides Redundancy & Instantaneous failover if a line/port does down.
  3. The switch views the virtual connect essentially just like any other line. ie Protocols like STP and VTP work over it.

CONS

  1. More Ports used on the switch may have a great cost associated with it.
  2. 4x100Mb/sec lines means there is still only a max of 100Mb/sec for each individual conversation.
  3. All Ports have to be Identical (Ie. All FastEthernet or All Gigabit)
  4. All ports have to be configured the same (ie. Duplex, Speed etc)

Setting up Etherchannel

There are 3 main steps when setting up Etherchannel

  1. Specify the ports needed
  2. Specify Etherchannel Protocol. There are 2 main protocols:
    • a.) IEEE – LACP
    • b.) Cisco – PAgP
  3. Specify the Channel Group ID and Mode. This is done in the same command.
    • a.) Because you can have multiple Etherchannels per switch you will need to specify an ID for each one
    • b.) Depending on if you choose LACP or PAgP you will need to specify different modes.
  4. Turn the Ports into trunking mode
  5. Because Ports are in trunking mode please also turn on encapsulation ie. dot1q

Commands to setup Etherchannel

Here’s a screenshot from Live Cisco 2960 Switches being setup with Etherchannel:

Switch1

sw1-etherchannel

Switch2

sw2-etherchannel

What do the happens when something goes wrong with one of the lines with the etherchannel?

Switch2 – Unplug Port fa0/22, wait a few minutes and then plug the port back in:

sw2-unplug-port-22-then-plug-back-in

Let’s go over the last image.

  1. Unplug cable.
  2. Look at how fast the etherchannel reports the issue. It’s actually BEFORE the port actually goes down!
  3. Port goes down
  4. I hit <enter> a couple of times to break up the output.
  5. Plug the cable back into port fa0/22
  6. Interface comes back up
  7. Etherchannel rebuilds itself

Main commands to troubleshoot:

show etherchannel summary

  • Displays info on status of group, port-channel, protocol and port

sw2-show-etherchannel-summary

show etherchannel port-channel

  • Displays configured properties of port-channel, port state, protocol, port security, fast switchover and load share. It also lists the ports and timing info.

sw2-show-etherchannel-port-channel

show interface trunk

  • Displays info about all the trunk interfaces.

sw2-show-interface-trunk

Try searching this site!