Author Archives: Suresh Vina

Introduction to Arista PyeAPI

The Python Client for eAPI (pyeapi) is a Python library that simplifies working with Arista eAPI, removing the need to deal with the specifics of its implementation. It's straightforward to configure and use. In this blog post, we'll look at how to install pyeapi and go through some examples.

If you're familiar with Arista's eAPI, you know that you can browse to the device's IP in a browser, run commands, and get the output directly. You can also achieve the same result using Python, but it typically requires understanding which libraries to use and how to construct the REST API requests.

However, pyeapi simplifies all of this. You don't need to worry about what's happening behind the scenes. Below is a screenshot of running show vlan command via the REST API, and in the following examples, we'll see how to get the same output using pyeapi.

PyeAPI Installation

To install pyeapi, you can use pip, which is the standard package manager for Python. It's a good practice to use a virtual environment (venv) to keep your dependencies isolated and avoid conflicts with other projects. First, create and activate a virtual environment. Once your virtual Continue reading

Juniper EX Switch Port Mirroring

In this blog post, we will look at how to set up port mirroring on Juniper EX switches. The goal is to mirror all the traffic coming in and going out of one switch port to another port. By doing this, we can connect a laptop to the mirrored port and capture all the traffic. This is particularly useful when you can't directly capture traffic from a device, such as a CCTV camera, TV, or other similar devices. Let's get started.

In this example, we have a database server connected to port ge-1/0/1, and we want to mirror all traffic going in and out of this port to port ge-1/0/4, where our laptop is connected. With this setup, we can use Wireshark on the laptop to capture the mirrored traffic.

configure
edit forwarding-options
edit analyzer my_capture

set input ingress interface ge-1/0/1
set input egress interface ge-1/0/1
set output interface ge-1/0/4

commit

The ingress and egress parts of the configuration refer to the traffic coming into the port (ingress) and leaving the port (egress). Ideally, we want to capture traffic in both directions, but you have the option to mirror traffic in only one direction if needed.

If you Continue reading

Running Cisco IOL Devices in Containerlab

Containerlab v0.58.0 supports running Cisco IOL images, which is something I was very much looking forward to. IOL nodes are an implementation of Cisco IOS-XE that does not run as a full virtual machine. Therefore, the IOL nodes generally consume much less CPU and memory.

Containerlab already has great documentation on how to use Cisco IOL devices, but I'll cover it here as well for any of my readers who are interested. You can check out the official documentation for more info.

💡
Please note that IOL images are the property of Cisco, and redistribution is not permitted. This guide is intended for educational purposes only.

If you have Cisco CML (you may need version 2.7 or later), it should include the IOL images. You'll need to use vrnetlab to convert the binary file into a Docker container, which can then be used within Containerlab like any other container/image.

First, I have downloaded these two Cisco IOL files to the Downloads folder. One for L3 and another one for L2.

  • x86_64_crb_linux-adventerprisek9-ms
  • x86_64_crb_linux_l2-adventerprisek9-ms.bin

Next, clone the hellt/vrnetlab repository to your local machine.

git clone https://github.com/hellt/vrnetlab.git

Then, copy these two images into the vrnetlab/cisco/iol directory Continue reading

Caddy Reverse Proxy With Docker

I currently run multiple Docker containers across two hosts, each hosting various applications on different ports. UniFi Controller exposes the web GUI on 8443, Pi-hole on 8080, and Memos on 5230. Remembering each port number for every application started to become a hassle.

Additionally, most of these applications, like Pi-hole and Memos, do not support HTTPS out of the box. After searching for a solution to simplify this setup, I found that Caddy Reverse Proxy offers one of the simplest and most effective ways to manage these services. In this blog post, we’ll look at how to use Caddy Reverse Proxy with my Docker containers running across two hosts.

What is a Reverse Proxy?

A reverse proxy is a server that sits in front of one or more web servers and forwards client requests to them. It acts as an intermediary, handling incoming traffic and distributing it to the appropriate server. This setup can help improve security, manage SSL/TLS encryption, and simplify network traffic management by consolidating multiple services under a single domain.

What is Caddy?

Caddy is an open-source web server and reverse proxy software that is known for its simplicity and ease of use. It automatically handles HTTPS Continue reading

Global Protect VPN SAML SSO with Entra-ID

In this blog post, we will look at how to use Entra-ID SAML SSO with GlobalProtect VPN. This guide assumes you are already familiar with GlobalProtect VPN and have an existing VPN solution with other forms of authentication. If you are new to GlobalProtect VPN, feel free to check out my other blog post, which is linked below.

Palo Alto Global Protect VPN Configuration Example
In this blog post, we will cover how to configure Palo Alto Global Protect VPN. We’ll go through setting up the portal, gateway, authentication profile, IP pools, split-tunnel, security policy, NAT policy and other necessary components.

Adding GlobalProtect to the Admin Centre

  1. Sign in to the Microsoft Entra admin centre and navigate to Identity > Applications > Enterprise applications > New application.
  2. Add the Palo Alto Networks - GlobalProtect application.
  3. Once added, select Palo Alto Networks - GlobalProtect > Single sign-on.

On the Set up single sign-on with SAML page, click the pencil icon in the Basic SAML Configuration section to edit the settings.

💡
In the Basic SAML Configuration section, for the Entity ID and Reply URL, ensure that you include :443 after the URL, otherwise, it won't work. I Continue reading

Global Protect Internal Host Detection & Internal Gateways – Lessons Learnt

I already had Palo Alto GlobalProtect VPN configured with an external gateway and portal, allowing me to connect back to my home network when I'm outside. Even when I'm inside my internal network, I can still connect to the VPN. However, I wanted to use the Internal Host Detection feature of GlobalProtect VPN, so that if I'm on my internal network and try to connect, it won't connect to the external gateway. Throughout the configurations, I learned a few lessons. Let’s dive in.

If you're completely new to GlobalProtect VPN, please check out my introductory blog post linked below.

Palo Alto Global Protect VPN Configuration Example
In this blog post, we will cover how to configure Palo Alto Global Protect VPN. We’ll go through setting up the portal, gateway, authentication profile, IP pools, split-tunnel, security policy, NAT policy and other necessary components.

Please note that this setup was tested on PAN-OS 10.2.9-h1 and the GlobalProtect macOS client version 6.2.4.

What is Internal Host Detection?

If you're already in your office or internal network, there's no need to connect to the VPN, what’s the point, right? This is especially relevant if you're using an Continue reading

Building a Simple HTTP Source for Firewall EDL

Recently, I wanted to add a list of domains to the Palo Alto DNS policy to block them from resolving. However, I soon realized that I couldn't just add a list of domains directly to the firewall; I needed to use an External Dynamic List (EDL). Palo Alto, and I believe other firewalls as well, require a simple HTTP URL that hosts a list of domains or IP addresses. While there are amazing EDL projects available, in this blog post, we'll explore the simplest way to deploy an EDL.

Python HTTP Server

Python's HTTP server module lets you create a basic web server using just a single command. This server can serve files from a directory over the network, making it an excellent tool for quick testing and file sharing without the complexity of setting up a full-fledged web server.

All you need to do is create a list of domains, save it as a text file, and run python -m http.server 8085 from the directory where the file is saved. You can use any port, but remember that lower-numbered ports like 80 require admin privileges. Once the server is running, navigate to http://IP_ADDRESS:8085/domains.txt in Continue reading

How to Protect GlobalProtect Portal from Brute Force Attacks?

As soon as you configure GlobalProtect and go to the monitor tab, you will see hundreds or even thousands of attempts on your firewall's public IP on port 443. While protecting your portal with MFA generally mitigates major concerns, it’s still wise to implement as many security measures as possible. In this blog post, we will look at some simple ways to protect your GlobalProtect deployment.

We will look at the following methods.

  1. Disable GlobalProtect Portal
  2. Block access from malicious IPs (EDL)
  3. Security policy based on geo IPs
  4. Blacklist IPs using a Vulnerability Profile

💡
Even though you can take these security measures, it is highly recommended to use 2FA with GlobalProtect VPN, which provides a higher level of security.

Understanding Intrazone Policy

Before we proceed, just a quick note on how the intrazone policy works. By default, the firewall comes with two predefined security rules at the very bottom. The interzone rule denies traffic between two different zones that is not matched by a more specific policy above it.

However, the default intrazone action is to allow, so traffic within the same zone is allowed by default. If someone initiates traffic from the WAN zone to Palo Alto’s public interface in Continue reading

Memos – Amazing Open Source, Self-hosted Notes App

I've tried many note-taking apps like Evernote, OneNote, and Apple Notes, but none really satisfied me, if I'm being honest. I've always wanted something simple, without any over-complication, and either free or cost-effective. Although, I have to admit, at the moment, I'm using an app called 'Bear Notes,' which costs around £2 per month, and I love the app. It's so minimalist and very user-friendly, but it doesn't have a web GUI or an app for Windows. I'm an Apple user, so it's not a big issue.

That being said, I recently stumbled upon another great self-hosted note-taking app called 'Memos'. I just couldn't believe that I didn't know about this until very recently. It's so minimalist and has a Twitter-like feed where you can just chuck on any note, links, or even attachments.

https://www.usememos.com/

Memos Installation

If you already have Docker installed, the installation will take just a few seconds. You can use either docker run or docker-compose.

docker run -d \
  --init \
  --name memos \
  --publish 5230:5230 \
  --volume ~/.memos/:/var/opt/memos \
  neosmemo/memos:stable

services:
  memos:
    image: neosmemo/memos:stable
    container_name: memos
    volumes:
      - ~/.memos/:/var/opt/memos
    ports:
      - 5230:5230

In the Docker configuration for Continue reading

Auto Scaling Palo Alto VM-Series Firewalls in AWS

In this blog post, we're going to explore how to Auto-Scale Palo Alto VM-Series Firewalls in AWS. It's a known fact that running heavy instances in AWS can be costly, and it's not wise to have more firewalls running than necessary. But what happens when demand spikes unexpectedly? If we're not prepared, things can get messy quickly.

Auto-scaling these firewalls isn't as simple as pressing a button. There are several components to consider, but don't worry - once you grasp the basics, it's as straightforward as any other topic in the cloud and network world.

💡
Before we dive deeper into auto-scaling Palo Alto VM-Series firewalls, it's worth mentioning that Palo Alto also has a fully managed Cloud Native firewall service called 'Cloud NGFW'. If the idea of handling auto-scaling yourself seems complex, this service might be a great alternative to consider. It's managed entirely by Palo Alto, taking the complexity out of your hands.

This blog post is based on the ideas from the Palo Alto Github repo - https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/centralized_design_autoscale

Assumptions

As we get into the specifics of auto-scaling Palo Alto VM-Series firewalls in AWS, there are a few assumptions I'd like to lay out. This Continue reading

Adding Palo Alto PA-440 to My Home Lab

When I started my home lab, I used a Raspberry Pi 4 that functioned as a router/firewall, and I was pretty happy with it. Then, I needed something solid and cost-effective. There were multiple options like VyOS, pfSense, UniFi, etc., but MikroTik, specifically the hAP ax2, stood out for me. I've been using this for almost a year now, and I absolutely love it. It works as a switch and firewall, runs my WireGuard VPN, and has never let me down even once.

Why Palo Alto?

Fast forward to today, I started adding more and more devices to the lab, so I was looking for an upgrade. After debating between FortiGate and Palo Alto, I finally settled on buying a Palo Alto PA-440 firewall.

But I would say the main reason behind this decision is that I write a lot of content on Palo Alto, and not having a dedicated device was such a pain. Every time I wanted to write a post, I had to start the lab and try things out, and not having licenses was preventing me from trying new features and sharing them via a post. Now, with a dedicated unit and Continue reading

Managing Palo Alto App-ID Changes Using Threat Signature Indicators (TSID)

If you rely heavily on Palo Alto App-IDs, you know the challenge of managing new and modified App-IDs. Palo Alto regularly updates its App-ID database, introducing new App-IDs every month (typically on the third Tuesday) and modifying existing ones more often.

Each release can include hundreds of new and updated App-IDs. It's almost impossible to understand each of them and decide whether or not we are affected by the change. In this blog post, we will look at using Threat Signature Indicators (TSID) to help you get an advanced indication of any impact on your traffic as a result of upcoming App-ID changes.

The Problem with App-ID Changes

Let’s imagine for a moment that currently, Palo Alto doesn’t have a specific App-ID for ‘chatgpt’ (although they do, let’s assume they don’t for this example). If there isn’t an App-ID, the traffic would be identified as ‘ssl’. If Palo Alto decides to introduce a new App-ID for ‘chatgpt’, they will announce this in the new App-ID release notes. However, the challenge is that hundreds of other new App-IDs could be introduced at the same time that we might never have heard of.

So, when I go to Continue reading

How XtendISE Helps with 802.1X Management in ISE?

XtendISE is a simple web application connected to your Cisco ISE, which helps with everyday routine tasks and common challenges related to 802.1X without the need to train everyone in Cisco ISE. XtendISE can help you manage MAC addresses and troubleshoot 802.1X authentications. It also helps with managing the switches' 802.1X configuration and validating the configurations to make sure that they are set up as intended.

All the mentioned features save time for us Network Engineers and help us do our job efficiently, as we no longer waste time on routine tasks. It also increases network security because it makes sure that our network is configured correctly and thus safe and secure.

What Company Is XtendISE Intended For?

XtendISE is suitable for a company of any size with Cisco ISE and Cisco network devices. However, medium or large companies will get more out of XtendISE's features, because they are more likely to be affected by the problems mentioned above.

XtendISE helps the Helpdesk or IT Support with

  • Easy to use MAC address management and troubleshooting
  • They save time and there is no need for extra knowledge on ISE
  • They can manage switch port configurations
  • They do not Continue reading

Palo Alto App-ID – How Does It Work?

If you've ever worked with traditional Layer 4 firewalls, you might be familiar with configuring security policies based on TCP or UDP port numbers. For instance, to allow DNS, you'd create a policy for UDP/53, or for LDAP, a policy for TCP/389.

This approach is normal with firewalls like Cisco ASA. But it's 2024, and Next-Generation Firewalls (NGFWs) have become the standard, offering a more sophisticated way to manage security. Instead of relying solely on port numbers, NGFWs like those from Palo Alto Networks encourage defining security policies based on the actual applications, a concept termed 'App-ID'. For example, instead of specifying port numbers, a policy could simply be defined to allow 'DNS' and 'LDAP', focusing on the applications themselves.

Palo Alto App-ID Introduction

Okay, that sounds simple, so why continue reading you may ask? Well, while Palo Alto’s App-ID does work well most of the time, there are nuances that you need to understand. For applications like DNS, NTP, and LDAP, App-ID works very well. However, the most common applications involve SSL or web browsing, typically associated with ports 80 and 443.

Palo Alto provides App-IDs for both SSL and Web-Browsing (called ssl and web-browsing Continue reading

Running a Simple HTTP Server with Python

I think this is going to be the shortest blog post of all time because running a Python HTTP server is incredibly straightforward. Python's HTTP server module lets you create a basic web server using just a single command. This server can serve files from a directory over the network, making it an excellent tool for quick testing and file sharing without the complexity of setting up a full-fledged web server.

You can start the Python HTTP server with the command python -m http.server 8000, which serves files from the current directory on port 8000. You can choose any port number by replacing 8000 with your preferred port. However, if you select a lower port number, such as 80, you might need administrator privileges to run the server.

💡
You don't even need to have a Python file or any code to run this, just this single command does the trick.

In this example, I have two files in a directory - one is a text file with a list of domains and the second is a simple YAML file.

If I run the command python -m http.server 8000, it starts a web server and I Continue reading

Creating a Simple GUI Application with Python Tkinter

A few years ago, I used a simple application called 'TypeItIn'. It kept a small GUI window open with some buttons and labels. You could configure each label with your own text. If you wanted to type one of these texts into a window, all you needed to do was click on the label, and it would start typing the text into whatever window you opened. It was such a time-saver, especially if you had multiple texts that you often used.

Fast forward a few years, I really needed such a tool and then realized I knew a bit of Python, so I should be able to create the same functionality using Python. So, in this blog post, let's go through how you can create a simple GUI application with just a few lines of code.

What Is Tkinter?

Tkinter is the standard GUI toolkit for Python, providing a fast and easy way to create simple GUI applications. It is built into Python, so there’s no need to install anything separately if you already have Python.

Tkinter is widely used due to its simplicity and the vast availability of widgets like buttons, menus, and text fields, which help Continue reading

How to Use GitPython to Manage Git Repositories?

I know what you're thinking: we usually manage our Python code via Git to track changes, so what do I mean by using GitPython to manage Git repositories? I recently faced a situation where I needed to automate a Git workflow. This includes pulling the latest changes from a Git repository, creating a branch, making some changes, viewing the diff, committing, and then pushing my branch back to the remote repository.

Doing this repeatedly was time-consuming, and I figured there must be a way to automate this. With Python, virtually anything is possible. I found a Python library called 'GitPython' that does exactly this. So, let's get to it.

What Is GitPython?

GitPython is a Python library that lets you work with Git repositories. It allows you to manage Git tasks using Python code, making it easy to automate things like commits, branches, and pushes without using the command line. This is useful for automating repetitive Git tasks directly from Python.

For example, you can use it to pull the latest updates from a repository, create new branches, and commit your changes. It also provides a way to view diffs, so you can see what has changed Continue reading

Network CI/CD Pipeline – Speed Up Your CI Jobs with GitLab Cache

In the previous pipelines, I’ve been using Python and had to install multiple pip modules. If we have 5 different jobs, we would be installing the pip modules again and again for each job, which takes a while to complete. Remember, each job runs in its own pristine environment, meaning it builds a fresh Docker container and installs all the required modules before running the script we need. This repetition can slow down the pipeline significantly.

In this blog post, let’s look at how you can use GitLab Cache to speed up your jobs and avoid unnecessary reinstallations. If you are new to GitLab or CI/CD in general, I highly recommend checking out my previous GitLab introduction post below.

Network CI/CD Pipeline - GitLab Introduction
In this part, we’ll discuss what exactly GitLab is and the role it plays in the whole CI/CD process. We’ll explore how to use GitLab as a Git repository, how to install GitLab runners

The Problem With My Previous Approach

This is how my pipeline looked before. Though it worked perfectly fine, it took around 45 seconds to run each job and just over 3 minutes for the entire pipeline to Continue reading

Private VLAN (PVLAN) Configuration Example

We all know that by default, all the devices in the same VLAN can talk to each other. For example, if you have a switch with multiple devices connected to it and if they are part of the same VLAN, they can communicate without any restrictions. But there are times when you might want to keep the devices in the same VLAN while preventing them from talking to each other. This is where Private VLANs come into play, offering control over who can talk to each other within the 'same VLAN'. So, let’s get started and we will cover the following topics.

  1. Isolated VLAN, Community VLAN and Promiscuous Port
  2. A very Simple Private VLAN example
  3. Private VLAN with Multiple Switches (Trunk)
  4. Private VLAN to Default Gateway over Trunk

Private VLAN (PVLAN) Introduction

Let's break down how Private VLANs work with a simple scenario. Imagine we have a "users" VLAN where all the laptops connect. Suppose we have a mix of Windows and Linux devices. We want to ensure that Windows devices can't communicate with each other at all. However, it's okay for Linux devices to talk to each other, but they shouldn't communicate with the Windows devices either.

Continue reading

Network CI/CD – Configuration Management with Napalm and Nornir

Hi all, welcome back to part 4 of the Network CI/CD blog series. So far, we've covered the purpose of a Network CI/CD pipeline, the problems it solves for Network Engineers, and how to set up GitLab, including creating projects, installing runners, and understanding GitLab executors. We also looked at how to use GitLab variables to securely hide secrets.

In this part, we'll explore how to manage a campus network using Nornir and Napalm and deploy configurations through a CI/CD pipeline. Let's get to it!

Network CI/CD Pipeline - What’s the Point?
Hi all, welcome to the ‘Network CI/CD’ blog series. To kick things off, let’s ask the question, “Why do we even need a CI/CD pipeline for networks?” Instead of diving straight into technical definitions

As I mentioned previously, I'm not a CI/CD expert at all and I'm still learning. The reason for creating this series is to share what I learn with the community. The pipeline we are building is far from perfect, but that's okay. The goal here is to create a simple pipeline that works and then build upon it as we go. This way, you can start small and gradually Continue reading
