Palo Alto Information

Palo Alto VPN Speedtests

2016-07-26Bandwidth/Delay, IPsec/VPN, Palo Alto NetworksBandwidth, Iperf, Knoppix, Palo Alto Networks, Site-to-Site VPN, ThroughputJohannes Weber

Once more some throughput tests, this time the Palo Alto Networks firewalls site-to-site IPsec VPN. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and tested the bandwidth of different IPsec phase 2 algorithms. Compared to the official data sheet information from Palo Alto that state an IPsec VPN throughput of 50 Mbps, the results are really astonishing.

Lab

My lab consists of two PA-200 firewalls with PAN-OS 7.1.1 installed. They were plugged into a simple layer 2 switch. The two notebooks were booted with Knoppix 7.6.1 and used Iperf version 2.0.5.

I first tested the throughput with only routing and then built the VPN. After every test I changed the phase 2 parameters. The Iperf tests ran in both directions. Here are some configuration screenshots:

IKE Gateway

Ike Gateway Advanced

IPsec Tunnel

Traffic Log with different Zones

Of course I verified the correct IPsec algorithms after each change, such as here:

1 2 3 4 5 6 7

weberjoh@fd-wv-fw02> show vpn ipsec-sa tunnel VPN-Test   GwID/client IP  TnID   Peer-Address           Tunnel(Gateway)                                Algorithm          SPI(in)  SPI(out) life(Sec/KB) --------------  ----   ------------           ---------------                                ---------          -------  -------- ------------ 20              24     80.154.108.226         VPN-Test(VPN-Test)                             ESP/3DES/SHA1      9AA65C85 D49DF3F6 3481/0   Show IPSec SA: Total 8 tunnels found. 1 ipsec sa found.

Test Results

Here are the results, each Tx/Rx in Mbps:

foobar	No VPN Tx	No VPN Rx	3des-sha1-group2 Tx	3des-sha1-group2 Rx	aes128-sha1-group5 Tx	aes128-sha1-group5 Rx	aes256-sha256-group14 Tx	aes256-sha256-group14 Rx	aes256-sha512-group20 Tx	aes256-sha512-group20 Rx
blubb	937	934	198	228	215	271	205	254	212	260

And the raw values:

• Only routing: 937/934
• esp-3des-sha1-group2-1h: 198/228
• esp-aes128-sha1-group5-1h: 215/271
• esp-aes256-sha256-group14-1h: 205/254
• esp-aes256-sha512-group20-1h: 212/260

That is: All tests are around 200 Mbps. The Tx direction is always a bit slower, which might be a test failure. The AES algorithms are faster than the old 3DES cipher. This might be related to the fact that AES is made to be fast in software and in hardware.

Conclusion

Wow, these are really high values. The data sheet talks about 50 Mbps, even for the bigger PA-500 firewall. I don’t know why, but my test results are four times greater than the official notes. Ok, I can live with that. 😉

Palo Alto IPv4 vs. IPv6 Performance Speedtests

2016-07-19Bandwidth/Delay, IPv6, Palo Alto NetworksApache, Bandwidth, Iperf, IPv4, IPv6, Knoppix, Palo Alto Networks, ThroughputJohannes Weber

After I have done some speedtests on the FortiGate firewall I was interested in doing the same tests on a Palo Alto. That is: What are the throughput differences of IPv4 vs. IPv6, measured with and without security profiles, i.e., with and without threat prevention.
It turned out that the throughput is much higher than the official information from Palo Alto. Furthermore, I was not able to test the threat prevention at all, because non of my traffic (Iperf and mere HTTP) went through the antivirus engines. I have to test this again. However, here are the measured values so far:

Laboratory & Scenarios

I had a single PA-200 with PAN-OS 7.1.1 installed. The two test notebooks ran Knoppix 7.6.1 and Iperf version 2.0.5. This time I only used the TCP test. For the HTTP tests I used an Apache2 webserver on the one side and wget on the other side.
I tested the following scenarios, all of them routed through the Palo Alto:

1. Iperf, single policy rule, NO security profiles, both directions. This was recognized as “unknown-tcp” though the application “iperf” exists. (Refer to Applipedia.)
2. Iperf, with security profiles, still recognized as unknown-tcp, both directions.
3. Iperf, with security profiles and app-override, now displayed as “iperf”, both directions.
4. HTTP, with security profiles, recognized as “web-browsing”, only server to client direction, but with enabled server response inspection.

Here are a few screenshots of the policies and the traffic log:

And a listing from one wget HTTP test:

1 2 3 4 5 6 7 8 9 10

root@Microknoppix:~# wget http://[2003:51:6012:171:221:70ff:fee9:bb47]/1G-file --2016-05-06 11:14:49--  http://[2003:51:6012:171:221:70ff:fee9:bb47]/1G-file Verbindungsaufbau zu [2003:51:6012:171:221:70ff:fee9:bb47]:80 … verbunden. HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK Länge: 1048576069 (1000M) Wird in »»1G-file.1«« gespeichert.   1G-file.1                     100%[=================================================>]   1000M  88,1MB/s    in 11s   2016-05-06 11:15:01 (87,7 MB/s) - »»1G-file.1«« gespeichert [1048576069/1048576069]

Results

These are the test results:

IP-Version	Iperf w/o sec Tx	Iperf w/o sec Rx	Iperf w/ sec Tx	Iperf w/ sec Rx	Iperf w/ sec and app override Tx	Iperf w/ sec and app override Rx	HTTP w/ sec Rx
IPv4	940	934	939	934	942	936	774
IPv6	926	921	926	921	929	923	704

All measured values are almost around 930 Mbps, except the Apache/wget/HTTP traffic. I suppose that this comes from other parameters such as the Apache server, the local file reading/writing, or wget.
For the sake of completeness, these are the raw values, each with Tx/Rx in Mbps:

• Iperf without security profiles, unknown-tcp: IPv4 = 940/934, IPv6 = 926/921
• Iperf with security profiles, unknown-tcp: IPv4 = 939/934, IPv6 = 926/921
• Iperf with security profiles and app override -> iperf: IPv4 = 942/936, IPv6 = 929/923
• HTTP with security profiles, web-browsing, single direction: IPv4 = 774, IPv6 = 704

Conclusion

Ok, this is really strange! Palo Alto lists a firewall throughput for the PA-200 of 100 Mbps and a threat prevention throughput of 50 Mbps. My tested results are way beyond that.
Much better compared to the results from the FortiGate are the “v4 vs. v6” differences. Both protocols are almost at the same speed.
Concerning the security profiles: As long as the application is not recognized correctly (and only shown as unknown-tcp), the threat prevention will not work. That’s ok. Similar to the app override, refer to this PAN documentation: “An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection.” But why is the threat prevention not working for the web-browsing traffic? The throughput should dramatically decrease when the whole traffic is scanned for viruses, etc., shouldn’t it?

Palo Alto Software Download Failure

2016-05-24Palo Alto NetworksBug, Download, Fail, Palo Alto NetworksJohannes Weber

I had an error on my PA-200 with PAN-OS 7.0.5 while trying to download a new firmware version. “Error: There is not enough free disk space to complete the desired operation. […]”. Even the tips to delete older software, dynamic updates, etc., and to use the “set max-num-images count” command did not lead to a successful download.
Finally, the TAC support could solve the problem via root access to the Palo Alto firewall and by manually moving data files…

This was the disk space on the firewall before the TAC support corrected it (note the 5th line with 92 % usage):

1 2 3 4 5 6 7 8

weberjoh@fd-wv-fw02> show system disk-space   Filesystem            Size  Used Avail Use% Mounted on /dev/sda3             1.9G  1.5G  393M  79% / /dev/sda5             6.6G  5.8G  541M  92% /opt/pancfg /dev/sda6             1.9G  685M  1.2G  38% /opt/panrepo tmpfs                 1.3G  116M  1.2G  10% /dev/shm /dev/sda8             2.4G  1.9G  372M  84% /opt/panlogs

And on my monitoring server I could see that the management config partition increased its usage a few weeks ago:

The supporter now used the  debug tac-login challenge  and  debug tac-login response  commands to gain root access on my PA-200. (Interesting…) He said that the problem is due to not deleted AV- and content-packages. He then did the following steps:

1. He navigated to the folder in which the AV and content packages reside.
2. He moved the “newav” folder to another partition. Now there was enough disk space on the current partition.
3. Via the GUI, he upgraded the content packages. This worked and PAN-OS correctly deleted the temporary content files.
4. He then moved back the AV files (newav) to the original partition
5. and upgraded the AV packages appropriately. This worked, too, and PAN-OS correctly deleted the temporary AV files, too.

Now the usage of /dev/sda5, mounted on /opt/pancfg, was about 73 %:

1 2 3 4 5 6 7 8

weberjoh@fd-wv-fw02> exitshow system disk-spacejobs allsystem disk-space   Filesystem            Size  Used Avail Use% Mounted on /dev/sda3             1.9G  1.5G  391M  79% / /dev/sda5             6.6G  4.6G  1.8G  73% /opt/pancfg /dev/sda6             1.9G  685M  1.2G  38% /opt/panrepo tmpfs                 1.3G  116M  1.2G  10% /dev/shm /dev/sda8             2.4G  2.0G  330M  86% /opt/panlogs

This is the daily graph of the management config partition which shows the decrease of the space usage during the support call:

After this procedure, I was able to update man PAN-OS to a newer version. Thank you. And hopefully this bug will be fixed in an upcoming version! (Bug number 94106.)

[UPDATE]

After I ran into this issue one more time, I received an answer from the Palo Alto Support with the following link: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Free-Up-Disk-Space-in-PAN-OS-5-0/ta-p/63151. And in fact, after deleting some files etc., the download of new dynamic updates worked again. This link was also sent to me by the support, but I did not need it here: https://live.paloaltonetworks.com/t5/Management-Articles/How-and-When-to-Clear-Disk-Space-on-the-Palo-Alto-Networks/ta-p/55736.
These are the commands I used in my case. The usage of /opt/pancfg decreased from 92% to 86%:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53

weberjoh@pa> show system disk-space   Filesystem            Size  Used Avail Use% Mounted on /dev/sda2             1.9G  1.5G  347M  82% / /dev/sda5             6.6G  5.7G  555M  92% /opt/pancfg /dev/sda6             1.9G  739M  1.1G  41% /opt/panrepo tmpfs                 1.3G  116M  1.2G  10% /dev/shm /dev/sda8             2.4G  2.0G  338M  86% /opt/panlogs   weberjoh@pa> delete content cache > curr-content   Remove cache files based on Engine version and type > old-content    Remove ALL old content   weberjoh@pa> delete content cache old-content   <Enter>  Finish input   weberjoh@pa> delete content cache old-content   successfully removed oldcontent path /opt/pancfg/mgmt/updates/oldcontent/cache weberjoh@pa> show system disk-space   Filesystem            Size  Used Avail Use% Mounted on /dev/sda2             1.9G  1.5G  347M  82% / /dev/sda5             6.6G  5.5G  848M  87% /opt/pancfg /dev/sda6             1.9G  739M  1.1G  41% /opt/panrepo tmpfs                 1.3G  116M  1.2G  10% /dev/shm /dev/sda8             2.4G  2.0G  338M  86% /opt/panlogs   weberjoh@pa> delete anti-virus update   panup-all-antivirus-1945-2425.tgz   2016/07/21 22:25:37    71526.1K   panup-inc-antivirus-1944-2424.tgz   2016/07/20 22:23:00    15243.8K   <value>                             Filename   weberjoh@pa> delete anti-virus update panup-all-antivirus-1945-2425.tgz   successfully removed panup-all-antivirus-1945-2425.tgz weberjoh@pa> delete anti-virus update   panup-inc-antivirus-1944-2424.tgz   2016/07/20 22:23:00    15243.8K   <value>                             Filename   weberjoh@pa> delete anti-virus update panup-inc-antivirus-1944-2424.tgz   successfully removed panup-inc-antivirus-1944-2424.tgz weberjoh@pa> show system disk-space   Filesystem            Size  Used Avail Use% Mounted on /dev/sda2             1.9G  1.5G  347M  82% / /dev/sda5             6.6G  5.4G  933M  86% /opt/pancfg /dev/sda6             1.9G  739M  1.1G  41% /opt/panrepo tmpfs                 1.3G  116M  1.2G  10% /dev/shm /dev/sda8             2.4G  2.0G  338M  86% /opt/panlogs   weberjoh@pa>

My monitoring system shows the decrease of the disk usage as well as a successful installation of antivirus patterns at 5 am:

IPv6 through IPv4 VPN Tunnel with Palo Alto

2016-05-04IPsec/VPN, IPv6, Palo Alto Networks, RoutingIPsec, IPv6, Palo Alto Networks, Site-to-Site VPN, Transition MethodJohannes Weber

The most common transition method for IPv6 (that is: how to enable IPv6 on a network that does not have a native IPv6 connection to the Internet) is a “6in4” tunnel. Other tunneling methods such as Teredo or SixXS are found on different literatures as well. However, another method that is not often explained is to tunnel the IPv6 packets through a normal VPN connection. For example, if the main office has a native IPv6 connection to the Internet as well as VPN connections to its remote offices, it is easy to bring IPv6 subnets to these stations. Here comes an example with two Palo Alto firewalls.

(This post is very similar to this one in which I covered Juniper ScreenOS firewalls.)

I assume that there is already a VPN connection between two Palo Alto firewalls in place. If so, the steps to tunnel IPv6 through this VPN tunnel are quite easy. (Note that this is NOT a 6in4 tunnel! It is simply a forwarding of IPv6 packets through a common IPsec site-to-site VPN.)

Tunneling

I am using two PA-200 firewalls with PAN-OS 7.1.1. One firewall has a static IPv4 address, the other one is dynamic. I am routing a /60 through the tunnel to have a maximum of 16 subnets on the remote site. This is how the lab looks like:

The basic step is to enable IPv6 on the tunnel interfaces and to route the IPv6 traffic appropriately. Of course, all other interface configuration steps such as router advertisements as well as security policies must be configured, too.

Main Site

These are the configuration steps on the main site in order to route the IPv6 subnet through the tunnel. See the screenshot descriptions for more details:

Remote Site

Very similar: the remote site. Note the default IPv6 route through the tunnel:

Latency & Hop Count

After committing everything the traffic log shows some IPv6 connections, either from trust to vpn-s2s (on the remote site), or from vpn-s2s to untrust (on the main site):

It is interesting to see the IPv6 ping times from the remote site compared to the IPv4 ping times. Since the IPv6 connections must travel through the IPv4 VPN tunnel via the Internet before reaching the real destination, the RTT should be much higher than the IPv4 times. However, everything is relative. 😉 The ping times (IPv6 and IPv4) on my main site are both around 5-8 ms in the following example:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

C:\Users\weberj>ping -4 www.insinuator.net   Ping wird ausgeführt für www.insinuator.net [62.159.96.203] mit 32 Bytes Daten: Antwort von 62.159.96.203: Bytes=32 Zeit=8ms TTL=57 Antwort von 62.159.96.203: Bytes=32 Zeit=6ms TTL=57 Antwort von 62.159.96.203: Bytes=32 Zeit=8ms TTL=57 Antwort von 62.159.96.203: Bytes=32 Zeit=5ms TTL=57   Ping-Statistik für 62.159.96.203:     Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0     (0% Verlust), Ca. Zeitangaben in Millisek.:     Minimum = 5ms, Maximum = 8ms, Mittelwert = 6ms   C:\Users\weberj> C:\Users\weberj> C:\Users\weberj>ping -6 www.insinuator.net   Ping wird ausgeführt für www.insinuator.net [2003:60:4010:11b0::12] mit 32 Bytes Daten: Antwort von 2003:60:4010:11b0::12: Zeit=5ms Antwort von 2003:60:4010:11b0::12: Zeit=5ms Antwort von 2003:60:4010:11b0::12: Zeit=5ms Antwort von 2003:60:4010:11b0::12: Zeit=5ms   Ping-Statistik für 2003:60:4010:11b0::12:     Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0     (0% Verlust), Ca. Zeitangaben in Millisek.:     Minimum = 5ms, Maximum = 5ms, Mittelwert = 5ms

But since my remote site is a DSL connection with a slower latency at all, the IPv6 burden is not that high, as seen here. Both connections are around 30 ms:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

C:\Users\Johannes Weber>ping -4 www.insinuator.net   Ping wird ausgeführt für www.insinuator.net [62.159.96.203] mit 32 Bytes Daten: Antwort von 62.159.96.203: Bytes=32 Zeit=32ms TTL=54 Antwort von 62.159.96.203: Bytes=32 Zeit=31ms TTL=54 Antwort von 62.159.96.203: Bytes=32 Zeit=31ms TTL=54 Antwort von 62.159.96.203: Bytes=32 Zeit=31ms TTL=54   Ping-Statistik für 62.159.96.203:     Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0     (0% Verlust), Ca. Zeitangaben in Millisek.:     Minimum = 31ms, Maximum = 32ms, Mittelwert = 31ms   C:\Users\Johannes Weber> C:\Users\Johannes Weber> C:\Users\Johannes Weber>ping -6 www.insinuator.net   Ping wird ausgeführt für www.insinuator.net [2003:60:4010:11b0::12] mit 32 Bytes Daten: Antwort von 2003:60:4010:11b0::12: Zeit=35ms Antwort von 2003:60:4010:11b0::12: Zeit=29ms Antwort von 2003:60:4010:11b0::12: Zeit=30ms Antwort von 2003:60:4010:11b0::12: Zeit=29ms   Ping-Statistik für 2003:60:4010:11b0::12:     Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0     (0% Verlust), Ca. Zeitangaben in Millisek.:     Minimum = 29ms, Maximum = 35ms, Mittelwert = 30ms

That’s it.

Palo Alto Remote Access VPN for Android

2015-11-03Android, IPsec/VPN, Palo Alto NetworksAndroid, GlobalProtect, IPsec, Palo Alto Networks, Remote Access VPNJohannes Weber

For a basic remote access VPN connection to a Palo Alto Networks firewall (called “GlobalProtect”), the built-in VPN feature from Android can be used instead of the GlobalProtect app from Palo Alto itself. If the additional features such as HIP profiling are not needed, this variant fits perfectly.
I am showing a few screenshots and logs from the Android smartphone as well as from the Palo Alto to show the differences.

This post is very similar to the post about the iPhone. I am running a PA-200 with PAN-OS version 7.0.3. The phone is a Samsung Galaxy S4 Mini with Android version 4.4.2.
The GlobalProtect app from Palo Alto works without any problems if a correct Portal and Gateway are already configured. In order to use the native “IPSec Xauth PSK” on Android, the “X-Auth Support” must be enabled on the GlobalProtect Gateway, such as shown here in my post about the Linux vpnc client.

GlobalProtect App vs. Native VPN

The following Android screenshots show the configuration steps for the native IPsec VPN tunnel. The “IPSec Xauth PSK” type must be chosen:

Just for a comparison: The GlobalProtect app looks like that:

Palo Alto Logs

It is interesting to see the differences in the Palo Alto logs, i.e., the GlobalProtect Previous User, System Log and Traffic Log. Here are the differences:

Policy Based Forwarding on a Palo Alto with different Virtual Routers

2015-08-26Palo Alto Networks, Routing, Tutorial/HowtoDSL, ISP, NAT, Palo Alto Networks, Policy Based Forwarding, Policy-Based RoutingJohannes Weber

This guide is a little bit different to my other Policy Based Forwarding blog post because it uses different virtual routers for both ISP connections. This is quite common to have a distinct default route for both providers. So, in order to route certain traffic, e.g., http/https, to another ISP connection, policy based forwarding is used.

There are two documents from Palo Alto that give advises how to configure PBF.

I am using a PA-200 with PAN-OS 7.0.1. My lab is the following:

(Note that, unlike Juniper ScreenOS, a zone is not tied to a virtual router. You actually can merge interfaces on different vrouters into the same zone. However, I prefer to configure an extra zone for each ISP to keep my security policies clearly separated.)
These are the configuration steps. See the descriptions under the screenshots for details:

Palo Alto High Availability Heartbeat

2015-08-14Palo Alto NetworksHigh Availability, Palo Alto NetworksJohannes Weber

Beside the HA1 and HA2 interfaces on a Palo Alto Networks firewall, there are the HA1/HA2 Backup and Heartbeat Backup options. I was a bit confused while reading the documentation of the high availability instructions since it did not clearly specify when and where to use the dedicated management port for what kind of “backup”.
Basically, it should read that there are two different ways on how to use the dedicated management for a HA Backup: the heartbeat backup OR the HA1 backup.

(The screenshots are from a PA-5050 with PAN-OS version 6.1.5 running. The official Palo Alto Networks links are here: High Availability Resources.)

I was confused because the Palo Alto documentation says about the heartbeat backup: “Uses the management ports on the HA devices to provide a backup path for heartbeat and hello messages. The management port IP address will be shared with the HA peer through the HA1 control link. No additional configuration is required.”

And for the HA1 backup, it says: “The recommended configuration for the HA control link connection is to use the dedicated HA1 link between the two devices and use the management port as the Control Link (HA Backup) interface. In this case, you do not need to enable the Heartbeat Backup option in the Elections Settings page.”
–> It was not clear for me, where to use the management port and when to enable the heartbeat backup.

Solution

The heartbeat backup option should only be used if the management interface is not used at HA1 or HA1 backup. Otherwise, the heartbeat backup should not be used.
The following two screenshots show the different options. Either the heartbeat backup is activated, or the HA1 backup link is the management interface:

In any case, the HA1 Backup bubble should be green:

Note that the heartbeat backup is ONLY using heartbeat and hello messages, while the HA1/backup link does more: “Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, and User-ID information. This link is also used to synchronize configuration changes on either the active or passive device with its peer.” –> Choose the option in which the managenent interface is the real HA1 backup and not only the heartbeat backup!

Supplement

Just while searching for all that HA stuff I found a list in the admin guide for version 6.1 that exactly describes when or when not to use the “heartbeat backup” option. 😉 On page 143 it lists (among others) this cases:

1 2 3

HA1: Dedicated HA1 port HA1 Backup: In-band port Recommendation: Enable Heartbeat Backup

and:

1 2 3

HA1: Dedicated HA1 port HA1 Backup: Management port Recommendation: Do not enable Heartbeat Backup

Now it’s clear.

Palo Alto: DNS Proxy for Management Services

2015-04-08DNS, Palo Alto NetworksBug, DNS, Palo Alto Networks, ProxyJohannes Weber

The Palo Alto firewall has a feature called DNS Proxy. Normally it is used for data plane interfaces so that clients can use the interfaces of the Palo for its recursive DNS server. Furthermore, this DNS Proxy Object can be used for the DNS services of the management plane, specified under Device -> Setup -> Services. However, there was a bug in PAN-OS that did not process the proxy rules and static entries when a DNS proxy object was used in the management plane. This bug was fixed in PAN-OS 6.0.0. I tested it in my lab with PAN-OS 6.1.0 running. Here are the successful results.

The fixed bug in version 6.0.0 was bug ID 41472: “When a DNS Proxy object was configured with static entries, hostnames assigned to the DNS Proxy were resolved as expected to the IP addresses listed on the Static Entries tab (Network > DNS Proxy) . However, when setting the DNS Proxy Object as the DNS Service on the Device > Setup > Services dialog, all DNS queries from the management interface ignored the defined static entries.”

DNS Proxy

I added a DNS proxy called “Google” with their two public DNS servers, as well as a few proxy rules to other DNS servers and static entries. This proxy object was then referenced for the management services as a “DNS Proxy Object”:

Tests

After a commit, I pinged a few hosts from the management plane. The first one should use the default DNS server, while the three following requests should use the proxy rules. The last object was the static entry in the DNS proxy.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

weberjoh@fd-wv-fw02> ping host heise.de PING heise.de (193.99.144.80) 56(84) bytes of data. 64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=1 ttl=245 time=44.0 ms 64 bytes from redirector.heise.de (193.99.144.80): icmp_seq=2 ttl=245 time=12.5 ms ^C --- heise.de ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1008ms rtt min/avg/max/mdev = 12.514/28.279/44.044/15.765 ms weberjoh@fd-wv-fw02> ping host webernetz.net PING webernetz.net (80.237.133.136) 56(84) bytes of data. 64 bytes from wp367.webpack.hosteurope.de (80.237.133.136): icmp_seq=1 ttl=55 time=86.9 ms 64 bytes from wp367.webpack.hosteurope.de (80.237.133.136): icmp_seq=2 ttl=55 time=66.9 ms ^C --- webernetz.net ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1004ms rtt min/avg/max/mdev = 66.965/76.949/86.933/9.984 ms weberjoh@fd-wv-fw02> ping host ra.webernetz.net PING ra.webernetz.net (192.168.112.4) 56(84) bytes of data. 64 bytes from 192.168.112.4: icmp_seq=1 ttl=62 time=1.13 ms 64 bytes from 192.168.112.4: icmp_seq=2 ttl=62 time=1.20 ms ^C --- ra.webernetz.net ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1008ms rtt min/avg/max/mdev = 1.139/1.170/1.201/0.031 ms weberjoh@fd-wv-fw02> ping host www.formel1.de PING www.formel1.de (78.138.119.82) 56(84) bytes of data. 64 bytes from f1-lb01.formel1.de (78.138.119.82): icmp_seq=1 ttl=53 time=11.9 ms 64 bytes from f1-lb01.formel1.de (78.138.119.82): icmp_seq=2 ttl=53 time=52.4 ms ^C --- www.formel1.de ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1009ms rtt min/avg/max/mdev = 11.925/32.206/52.487/20.281 ms weberjoh@fd-wv-fw02> ping host asdf.foobar.com PING asdf.foobar.com (1.2.3.4) 56(84) bytes of data. ^C --- asdf.foobar.com ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 999ms

Since the default route of the management interface points through one of the data interfaces of the Palo Alto, I could easily do a packet capture on the Palo itself. It correctly revealed the three different DNS servers for the requests. Of course, the request to the static entry is not shown since it did not trigger a DNS request to a server.

Works as Expected

The tests showed that the function of a DNS proxy for the management services works as expected. Not only the default DNS servers, but also the proxy rules and static entries are used through the management plane.
Note that the following scenarios do NOT work:

• Pre PAN-OS 6.x, the DNS Proxy object used in the management services sent all requests to the primary and secondary DNS servers but NOT to the proxy rules. The static entries were not used, too.
• It is not possible to set a “DNS Server” in the management services to the IP address of a data interface of the Palo Alto itself. This won’t work since the Palo uses some kind of internal path when sending packets to an own data interface. This means, if a DNS Proxy object should be used, it must be selected as a “DNS Proxy Object” and not as an entry of “DNS Servers”.

Palo Alto: Save & Load Config through CLI

2015-02-19Palo Alto NetworksCLI, Configuration, Console, Fail, Palo Alto NetworksJohannes Weber

When working with Cisco devices anyone knows that the output of a “show running-config” on one device can be used to completely configure a new device. On a Palo Alto Networks firewall, this is not that obvious. There are several commands that must be used to achieve the same.
However, I tested this procedure a few times and it did NOT work. 🙁 So, the short version is: If you want to replace a Palo Alto firewall, move your configuration files (xml) through the GUI or tftp/scp. But do not use the mere CLI.

The most common way to save a Palo Alto config is via the GUI at Device -> Setup -> Operations ->  Export xyz. And even on the CLI, the running-config can be transferred via scp or tftp, such as scp export configuration from running-config.xml to username@host:path . This configuration file can be loaded into a new device, again, via the GUI (Import) or the CLI ( scp import configuration from username@host:path ).

Save

However, to save the complete configuration in the “set” format, the following CLI commands must be used. The first one is used to output the configuration in single “set” lines (instead of XML blocks), and the second one switches the output to not stop after a few lines on the terminal. To capture long lines without a “carriage return”, the terminal width should be adjusted to the maximum of 500. Then, the “configure” command enters the configuration mode, while the “show” command displays the whole running configuration.

1 2 3 4 5

> set cli config-output-format set > set cli pager off > set cli terminal width 500 > configure # show

And Load

To load the config into a new device, a few commands must be used before. At first, the terminal width should be adjusted again. Furthermore, the scripting-mode must be enabled in order to send a bulk of CLI commands without an error. The reason for that is, that several objects are referenced in the configuration before they are added to the device. E.g., the set commands for the “security rules” are before the set commands for the “application groups”. That is, an application group is used by a security rule before it is added to the config. 🙁
Finally, the whole bunch of set commands from above can be pasted into the CLI session.

1 2 3 4

> set cli terminal width 500 > set cli scripting-mode on > configure # set ...

Errors, Errors, Errors

I wanted to load a complete configuration from a firewall to another. (Both firewalls were of the same type, OS version (6.0.x) and license.) I used the console port on the device. But even with the aforementioned commands that should make this procedure possible, I got only errors, such as: “Invalid syntax.” or “Unknown command: …”.
Furthermore, the terminal session looked like a complete chaos:

1 2 3 4 5 6 7 8 9 10 11 12

admin@PA-5050# Server error :  -> from 'trustL3' is not an allowed keyword -> from 'trustL3' is not a valid reference ir-update firefox-update google-update java-upd[edit]                                                                                                                                                                           admin@PA-5050# Server error :  -> to 'untrustL3' is not an allowed keyword -> to 'untrustL3' is not a valid reference ate ms-update ] set application-group test-shar[edit]                                                                                                                                                                           admin@PA-5050# ed-appgroup [ 2ch-posting 4shared ] set appli [edit]

Conclusion

Only use the complete XML-based configuration files and not the set commands!

Minor Palo Alto Bug concerning IPv6 MGT

2015-02-03IPv6, Palo Alto NetworksBug, IPv6, IPv6 Neighbor Cache, Management, Palo Alto Networks, VLANJohannes Weber

A few month ago I found a small bug in PANOS, the operating system from Palo Alto Networks. It is related to an IPv6 enabled management interface. The MGT address was not reachable when the firewall operates in layer 2 mode, that is, had layer 2 interfaces along with VLANs. Luckily, this bug is fixed with the new software version 6.1.2 which was released this week (bug ID 67719).
Following are a few listings that show the incomplete handling of the IPv6 neighbor cache of the MGT interface in the old version (pre 6.1.2).

I was using the layer 2 mode for some switch tests about STP. During these tests I noticed that I was not able to connect to the MGT interface via IPv6 anymore.
The Palo Alto in my lab has a VLAN interface (vlan.120) and the corresponding VLAN on a layer 2 subinterface. The management port is plugged into a switch in the same VLAN. The IPv6 address on the MGT interface is 2003:51:6012:120::2/64 .

Bug

For example, when trying to ping or to ssh to the MGT interface from another machine …

1 2 3 4 5 6 7 8 9 10 11 12 13 14

weberjoh@jw-nb08:~$ ping6 2003:51:6012:120::2 PING 2003:51:6012:120::2(2003:51:6012:120::2) 56 data bytes ^C --- 2003:51:6012:120::2 ping statistics --- 6 packets transmitted, 0 received, 100% packet loss, time 5039ms   weberjoh@jw-nb08:~$ weberjoh@jw-nb08:~$ weberjoh@jw-nb08:~$ ssh -v pa-mgmt.webernetz.net OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to pa-mgmt.webernetz.net [2003:51:6012:120::2] port 22. ^C

… the neighbor cache did not show the MGT IPv6 address:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

weberjoh@fd-wv-fw02> show neighbor vlan.120   maximum of entries supported :      500 default base reachable time:        30 seconds total neighbor entries in table :   27 total neighbor entries shown :      7   interface         ip address                              hw address        status -------------------------------------------------------------------------------- vlan.120          2003:51:6012:120::10                    00:1d:92:53:58:12 STALE vlan.120          2003:51:6012:120::13                    00:0c:29:be:67:4d STALE vlan.120          fe80::20c:29ff:febe:674d                00:0c:29:be:67:4d STALE vlan.120          fe80::20c:29ff:fefb:69c4                00:0c:29:fb:69:c4 STALE vlan.120          fe80::219:e2ff:fea1:f986                00:19:e2:a1:f9:86 STALE vlan.120          fe80::21d:92ff:fe53:5812                00:1d:92:53:58:12 STALE vlan.120          fe80::b60c:25ff:fe05:8e00               b4:0c:25:05:8e:00 STALE

However, I was able to ping from that MGT interface IPv6 address. Interestingly, the neighbor cache revealed the ::2 address, but only with the status “PROBE” and only for a very few seconds:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43

weberjoh@fd-wv-fw02> ping inet6 yes source 2003:51:6012:120::2 host heise.de PING heise.de(redirector.heise.de) from 2003:51:6012:120::2 : 56 data bytes 64 bytes from redirector.heise.de: icmp_seq=0 ttl=54 time=72.8 ms 64 bytes from redirector.heise.de: icmp_seq=1 ttl=54 time=24.8 ms 64 bytes from redirector.heise.de: icmp_seq=2 ttl=54 time=22.0 ms 64 bytes from redirector.heise.de: icmp_seq=3 ttl=54 time=26.4 ms ^C --- heise.de ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3029ms rtt min/avg/max/mdev = 22.081/36.543/72.831/21.008 ms, pipe 2   weberjoh@fd-wv-fw02> show neighbor vlan.120   maximum of entries supported :      500 default base reachable time:        30 seconds total neighbor entries in table :   27 total neighbor entries shown :      7   interface         ip address                              hw address        status -------------------------------------------------------------------------------- vlan.120          2003:51:6012:120::2                     b4:0c:25:05:8e:00 PROBE vlan.120          2003:51:6012:120::13                    00:0c:29:be:67:4d STALE vlan.120          fe80::20c:29ff:febe:674d                00:0c:29:be:67:4d STALE vlan.120          fe80::20c:29ff:fefb:69c4                00:0c:29:fb:69:c4 STALE vlan.120          fe80::219:e2ff:fea1:f986                00:19:e2:a1:f9:86 STALE vlan.120          fe80::21d:92ff:fe53:5812                00:1d:92:53:58:12 STALE vlan.120          fe80::b60c:25ff:fe05:8e00               b4:0c:25:05:8e:00 STALE   weberjoh@fd-wv-fw02> show neighbor vlan.120   maximum of entries supported :      500 default base reachable time:        30 seconds total neighbor entries in table :   26 total neighbor entries shown :      6   interface         ip address                              hw address        status -------------------------------------------------------------------------------- vlan.120          2003:51:6012:120::13                    00:0c:29:be:67:4d STALE vlan.120          fe80::20c:29ff:febe:674d                00:0c:29:be:67:4d STALE vlan.120          fe80::20c:29ff:fefb:69c4                00:0c:29:fb:69:c4 STALE vlan.120          fe80::219:e2ff:fea1:f986                00:19:e2:a1:f9:86 STALE vlan.120          fe80::21d:92ff:fe53:5812                00:1d:92:53:58:12 STALE vlan.120          fe80::b60c:25ff:fe05:8e00               b4:0c:25:05:8e:00 STALE

The traffic log on the Palo Alto shows that incoming connections did not succeed, while outgoing connections did:

Fixed in 6.1.2

with bug ID 67719: “The management interface was not receiving IPv6 connections for traffic from the dataplane when the firewall was in Layer 2 mode. An update was made to the MAC address learning process so that the Management interface receives IPv6 traffic from the dataplane when the firewall is in Layer 2 mode.”
Now I can ping to the IPv6 MGT address:

1 2 3 4 5 6 7 8 9 10

weberjoh@jw-nb08:~$ ping6 2003:51:6012:120::2 PING 2003:51:6012:120::2(2003:51:6012:120::2) 56 data bytes 64 bytes from 2003:51:6012:120::2: icmp_seq=1 ttl=62 time=1.54 ms 64 bytes from 2003:51:6012:120::2: icmp_seq=2 ttl=62 time=1.05 ms 64 bytes from 2003:51:6012:120::2: icmp_seq=3 ttl=62 time=1.17 ms 64 bytes from 2003:51:6012:120::2: icmp_seq=4 ttl=62 time=1.16 ms ^C --- 2003:51:6012:120::2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3004ms rtt min/avg/max/mdev = 1.056/1.235/1.547/0.189 ms

And the neighbor cache correctly shows the REACHABLE/STALE neighbor:

1 2 3 4 5 6 7 8 9 10 11

weberjoh@fd-wv-fw02> show neighbor vlan.120   maximum of entries supported :      500 default base reachable time:        30 seconds total neighbor entries in table :   10 total neighbor entries shown :      2   interface         ip address                              hw address        status -------------------------------------------------------------------------------- vlan.120          2003:51:6012:120::2                     b4:0c:25:05:8e:00 STALE vlan.120          fe80::b60c:25ff:fe05:8e00               b4:0c:25:05:8e:00 STALE

OSPFv3 for IPv6 Lab: Cisco, Fortinet, Juniper, Palo Alto, Quagga

2015-09-14Cisco Systems, Fortinet, IPv6, Juniper Networks, Palo Alto Networks, Quagga, RoutingCisco ASA, Cisco Router, Dynamic Routing, FortiGate, Fortinet, IPv6, Juniper ScreenOS, Juniper SSG, OSPFv3, Palo Alto Networks, Quagga, WiresharkJohannes Weber

Similar to my test lab for OSPFv2, I am testing OSPFv3 for IPv6 with the following devices: Cisco ASA, Cisco Router, Fortinet FortiGate, Juniper SSG, Palo Alto, and Quagga Router. I am showing my lab network diagram and the configuration commands/screenshots for all devices. Furthermore, I am listing some basic troubleshooting commands. In the last section, I provide a Tcpdump/Wireshark capture of an initial OSPFv3 run.
I am not going into deep details of OSPFv3 at all. But this lab should give basic hints/examples for configuring OSPFv3 for all of the listed devices.

Lab

This is my test lab. All devices are directly connected via a layer 2 switch:

General Information

• Everything takes place in area 0.0.0.0 (backbone area)
• Juniper SSG should be the DR: interface priority set to 100.
• Palo Alto should be the BDR: interface priority set to 50.
• Router-ID is always set manually according to my IPv4 sheme: 172.16.1.x, where x = the interface-ID from the IPv6 addresses (from ::1 to ::6).
• Cost for the interfaces as seen in the figure.
• Passive-interface on all user/access interfaces.
• Redistribution of the remote access VPN clients on the Cisco ASA (AnyConnect).
• No authentication is used .

The following devices are in alphabetic order. Beneath each screenshot is a detailed description of the the configuration that is shown.
During the tests, a single Cisco AnyConnect client was connected and therefore redistributed with a /128 IPv6 address prefix. The Quagga router was added to this lab after most of the listings were saved. That is: The Quagga router (172.16.1.8) is not shown on any other firewalls/routers.

Cisco ASA

The Cisco ASA 5505 is running version 9.2(4). Following are the configuration and monitoring screenshots:

This are the relevant CLI commands for the OSPFv3 config:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

interface Vlan130 ipv6 address 2003:51:6012:130::1/64 ipv6 address autoconfig ipv6 enable ipv6 ospf cost 100 ipv6 ospf 1 area 0 ipv6 ospf encryption null ! ipv6 router ospf 1 router-id 172.16.1.3 passive-interface insideASA130 passive-interface insideASA131 log-adjacency-changes redistribute static metric 1000 !

While this CLI commands can be used to show the OPSFv3 runtime values:

Click To Expand Code

Cisco Router

I am running a Cisco 2811 router with version 15.1(4)M9. The configuration commands are the following: (Just for fun I set the OSPF process to “17”.)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

interface FastEthernet0/0 ipv6 address 2003:51:6012:101::5/64 ipv6 enable ipv6 nd ra suppress ipv6 ospf 17 area 0.0.0.0 ! interface FastEthernet0/1 ipv6 address 2003:61:6012:102::1/64 ipv6 enable ipv6 ospf 17 area 0.0.0.0 ! ipv6 router ospf 17 router-id 172.16.1.5 auto-cost reference-bandwidth 10000 passive-interface default no passive-interface FastEthernet0/0

And the show commands:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142

fd-wv-ro03#show ipv6 ospf Routing Process "ospfv3 17" with ID 172.16.1.5 Event-log enabled, Maximum number of events: 1000, Mode: cyclic Initial SPF schedule delay 5000 msecs Minimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 10000 msecs Minimum LSA interval 5 secs Minimum LSA arrival 1000 msecs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs Number of external LSA 1. Checksum Sum 0x004DAC Number of areas in this router is 1. 1 normal 0 stub 0 nssa Graceful restart helper support enabled Reference bandwidth unit is 10000 mbps     Area BACKBONE(0.0.0.0)         Number of interfaces in this area is 2         SPF algorithm executed 23 times         Number of LSA 19. Checksum Sum 0x098B75         Number of DCbitless LSA 6         Number of indication LSA 0         Number of DoNotAge LSA 0         Flood list length 0   fd-wv-ro03# fd-wv-ro03# fd-wv-ro03#show ipv6 ospf neighbor   Neighbor ID     Pri   State           Dead Time   Interface ID    Interface 172.16.1.1      100   FULL/DROTHER    00:00:35    880             FastEthernet0/0 172.16.1.2       50   FULL/DR         00:00:32    16              FastEthernet0/0 172.16.1.3        1   FULL/DROTHER    00:00:38    14              FastEthernet0/0 172.16.1.6        1   FULL/DROTHER    00:00:30    6               FastEthernet0/0 fd-wv-ro03# fd-wv-ro03# fd-wv-ro03#show ipv6 ospf database               OSPFv3 Router with ID (172.16.1.5) (Process ID 17)                   Router Link States (Area 0.0.0.0)   ADV Router       Age         Seq#        Fragment ID  Link count  Bits 172.16.1.1      622         0x80000123  1            1           None 172.16.1.2      1455        0x80000124  0            1           E 172.16.1.3      243         0x80000103  0            1           E 172.16.1.5      892         0x80000102  0            1           None 172.16.1.6      389         0x80000123  0            1           None                   Net Link States (Area 0.0.0.0)   ADV Router       Age         Seq#        Link ID    Rtr count 172.16.1.2      1453        0x80000122  16         5                   Link (Type-8) Link States (Area 0.0.0.0)   ADV Router       Age         Seq#        Link ID    Interface 172.16.1.5      131         0x80000007  4          Fa0/1 172.16.1.1      667         0x8000011E  880        Fa0/0 172.16.1.2      330         0x8000011F  16         Fa0/0 172.16.1.3      1766        0x80000101  14         Fa0/0 172.16.1.5      892         0x80000101  3          Fa0/0 172.16.1.6      459         0x8000011E  6          Fa0/0                   Intra Area Prefix Link States (Area 0.0.0.0)   ADV Router       Age         Seq#        Link ID    Ref-lstype  Ref-LSID 172.16.1.1      662         0x80000244  1          0x2001      0 172.16.1.2      1455        0x80000124  1          0x2001      0 172.16.1.2      1448        0x80000129  458752     0x2002      16 172.16.1.2      1455        0x8000011F  589824     0x2002      257 172.16.1.3      1766        0x80000101  0          0x2001      0 172.16.1.5      131         0x80000007  0          0x2001      0 172.16.1.6      388         0x80000121  2          0x2001      0                   Type-5 AS External Link States   ADV Router       Age         Seq#       Prefix 172.16.1.3      1426        0x80000001  2003:51:6012:133:FEED:CAFE:0:10/128 fd-wv-ro03# fd-wv-ro03# fd-wv-ro03#show ipv6 ospf database self-originate               OSPFv3 Router with ID (172.16.1.5) (Process ID 17)                   Router Link States (Area 0.0.0.0)   ADV Router       Age         Seq#        Fragment ID  Link count  Bits 172.16.1.5      898         0x80000102  0            1           None                   Link (Type-8) Link States (Area 0.0.0.0)   ADV Router       Age         Seq#        Link ID    Interface 172.16.1.5      137         0x80000007  4          Fa0/1 172.16.1.5      898         0x80000101  3          Fa0/0                   Intra Area Prefix Link States (Area 0.0.0.0)   ADV Router       Age         Seq#        Link ID    Ref-lstype  Ref-LSID 172.16.1.5      137         0x80000007  0          0x2001      0 fd-wv-ro03# fd-wv-ro03# fd-wv-ro03#show ipv6 route IPv6 Routing Table - default - 15 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route        B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP        I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary        D - EIGRP, EX - EIGRP external, NM - NEMO, ND - Neighbor Discovery        l - LISP        O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2        ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 S   ::/0 [1/0]      via 2003:51:6012:101::1 C   2003:51:6012:101::/64 [0/0]      via FastEthernet0/0, directly connected L   2003:51:6012:101::5/128 [0/0]      via FastEthernet0/0, receive O   2003:51:6012:110::/64 [110/200]      via FE80::219:E2FF:FEA1:F98A, FastEthernet0/0 O   2003:51:6012:120::/64 [110/110]      via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0 O   2003:51:6012:121::/64 [110/110]      via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0 O   2003:51:6012:123::/64 [110/110]      via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0 O   2003:51:6012:124::/64 [110/110]      via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0 O   2003:51:6012:125::/64 [110/110]      via FE80::B60C:25FF:FE05:8E10, FastEthernet0/0 O   2003:51:6012:130::/64 [110/200]      via FE80::2A94:FFF:FEA8:772D, FastEthernet0/0 OE2 2003:51:6012:133:FEED:CAFE:0:10/128 [110/1000]      via FE80::2A94:FFF:FEA8:772D, FastEthernet0/0 O   2003:51:6012:160::/64 [110/200]      via FE80::A5B:EFF:FE3C:115D, FastEthernet0/0 C   2003:61:6012:102::/64 [0/0]      via FastEthernet0/1, directly connected L   2003:61:6012:102::1/128 [0/0]      via FastEthernet0/1, receive L   FF00::/8 [0/0]      via Null0, receive fd-wv-ro03# fd-wv-ro03#

https://blog.webernetz.net/2015/09/14/ospfv3-for-ipv6-lab-cisco-fortinet-juniper-palo-alto/

Share on FacebookPlus on Google+

SUBSCRIBE MORE CONTENTS