When I started my home lab, I used a Raspberry Pi 4 that functioned as a router/firewall, and I was pretty happy with it. Then, I needed something solid and cost-effective. There were multiple options like VyOS, PfSense, UniFi, etc, but MikroTik, specifically the hAP ax2, stood out for me. I've been using this for almost a year now, and I absolutely love it. It works as a switch, and firewall and runs my WireGuard VPN, and it has never let me down even once.
Fast forward to today, I started adding more and more devices to the lab, so I was looking for an upgrade. After debating between FortiGate and Palo Alto, I finally settled on buying a Palo Alto PA-440 firewall.
But I would say the main reason behind this decision is that I write a lot of content on Palo Alto, and not having a dedicated device was such a pain. Every time I wanted to write a post, I had to start the lab, and try things out, and not having licenses was preventing me from trying new features and sharing them via a post. Now, with a dedicated unit and Continue reading
If you rely heavily on Palo Alto App-IDs, you know the challenge of managing new and modified App-IDs. Palo Alto regularly updates its App-ID database, introducing new App-IDs every month (typically on the third Tuesday) and modifying existing ones more often.
Each release can include hundreds of new and updated App-IDs. It's almost impossible to understand each of them and decide whether or not we are affected by the change. In this blog post, we will look at using Threat Signature Indicators (TSID) to help you get an advanced indication of any impact on your traffic as a result of upcoming App-ID changes.
Let’s imagine for a moment that currently, Palo Alto doesn’t have a specific App-ID for ‘chatgpt’ (although they do, let’s assume they don’t for this example). If there isn’t an App-ID, the traffic would be identified as ‘ssl’. If Palo Alto decides to introduce a new App-ID for ‘chatgpt’, they will announce this in the new App-ID release notes. However, the challenge is that hundreds of other new App-IDs could be introduced at the same time that we might never have heard of.
So, when I go to Continue reading
XtendISE is a simple web application connected to your Cisco ISE, which helps with everyday routine tasks and common challenges related to 802.1X without the need to train everyone in Cisco ISE. XtendISE can help you manage MAC addresses and troubleshoot 802.1X authentications. It also helps with managing the switch's 802.1x configuration or validating the configurations to make sure that they are configured as intended.
All the mentioned features save time for us Network Engineers and help us to do our job efficiently as we do not waste our time on routine tasks. It also increases network security because it makes sure that our network is configured correctly and thus is safe and secured.
XtendISE is suitable for a company of any size with Cisco ISE and Cisco network devices. However medium or large companies will better use XtendISE features because they are more likely affected by the mentioned problems.
XtendISE helps the Helpdesk or IT Support with
If you've ever worked with traditional Layer 4 firewalls, you might be familiar with configuring security policies based on TCP or UDP port numbers. For instance, to allow DNS, you'd create a policy for UDP/53, or for LDAP, a policy for TCP/389.
This approach is normal with firewalls like Cisco ASA. But it's 2024, and Next-Generation Firewalls (NGFWs) have become the standard, offering a more sophisticated way to manage security. Instead of relying solely on port numbers, NGFWs like those from Palo Alto Networks encourage defining security policies based on the actual applications termed 'App-ID'. For example, instead of specifying port numbers, a policy could simply be defined to allow 'DNS' and 'LDAP', focusing on the applications themselves.
Okay, that sounds simple, so why continue reading you may ask? Well, while Palo Alto’s App-ID does work well most of the time, there are nuances that you need to understand. For applications like DNS, NTP, and LDAP, App-ID works very well. However, the most common applications involve SSL or web browsing, typically associated with ports 80 and 443.
Palo Alto provides App-IDs for both SSL and Web-Browsing (called ssl
and web-browsing
Continue reading
I think this is going to be the shortest blog post of all time because running a Python HTTP server is incredibly straightforward. Python's HTTP server module lets you create a basic web server using just a single command. This server can serve files from a directory over the network, making it an excellent tool for quick testing and file sharing without the complexity of setting up a full-fledged web server.
You can start the Python HTTP server with the command python -m http.server 8000
, which serves files from the current directory on port 8000. You can choose any port number by replacing 8000
with your preferred port. However, if you select a lower port number, such as 80, you might need administrator privileges to run the server.
In this example, I have two files in a directory - one is a text file with a list of domains and the second is a simple YAML file.
If I run the command python -m http.server 8000
, it starts a web server and I Continue reading
A few years ago, I used a simple application called 'TypeItIn'. It kept a small GUI window open with some buttons and labels. You could configure each label with your own text. If you wanted to type one of these texts into a window, all you needed to do was click on the label, and it would start typing the text into whatever window you opened. It was such a time-saver, especially if you had multiple texts that you often used.
Fast forward a few years, I really needed such a tool and then realized I knew a bit of Python, so I should be able to create the same functionality using Python. So, in this blog post, let's go through how you can create a simple GUI application with just a few lines of code.
Tkinter is the standard GUI toolkit for Python, providing a fast and easy way to create simple GUI applications. It is built into Python, so there’s no need to install anything separately if you already have Python.
Tkinter is widely used due to its simplicity and the vast availability of widgets like buttons, menus, and text fields, which help Continue reading
I know what you're thinking, we usually manage our Python code via Git to track changes, but what do I mean by using GitPython to manage Git repositories? I recently faced a situation where I needed to automate a Git workflow. This includes pulling the latest changes from a Git repository, creating a branch, making some changes, viewing the diff, committing, and then pushing my branch back to the remote repository.
Doing this repeatedly was time-consuming, and I figured there must be a way to automate this. With Python, virtually anything is possible. I found a Python library called 'GitPython' that does exactly this. So, let's get to it.
GitPython is a Python library that lets you work with Git repositories. It allows you to manage Git tasks using Python code, making it easy to automate things like commits, branches, and pushes without using the command line. This is useful for automating repetitive Git tasks directly from Python.
For example, you can use it to pull the latest updates from a repository, create new branches, and commit to your changes. It also provides a way to view diffs, so you can see what has changed Continue reading
In the previous pipelines, I’ve been using Python and had to install multiple pip modules. Suppose we have 5 different jobs, we would be installing the pip modules again and again for each job, which takes a while to complete. Remember, each job runs in its own pristine environment, meaning it builds a fresh Docker container and installs all the required modules before running the script we need. This repetition can slow down the pipeline significantly.
In this blog post, let’s look at how you can use GitLab Cache to speed up your jobs and avoid unnecessary reinstallations. If you are new to GitLab or CI/CD in general, I highly recommend checking out my previous GitLab introduction post below.
This is how my pipeline looked before. Though it worked perfectly fine, it took around 45 seconds to run each job and just over 3 minutes for the entire pipeline to Continue reading
We all know that by default, all the devices in the same VLAN can talk to each other. For example, if you have a switch with multiple devices connected to it and if they are part of the same VLAN, they can communicate without any restrictions. But there are times when you might want to keep the devices in the same VLAN while preventing them from talking to each other. This is where Private VLANs come into play, offering control over who can talk to each other within the 'same VLAN'. So, let’s get started and we will cover the following topics.
Let's break down how Private VLANs work with a simple scenario. Imagine we have a "users" VLAN where all the laptops connect. Suppose we have a mix of Windows and Linux devices. We want to ensure that Windows devices can't communicate with each other at all. However, it's okay for Linux devices to talk to each other, but they shouldn't communicate with the Windows devices either.
Hi all, welcome back to part 4 of the Network CI/CD blog series. So far, we've covered the purpose of a Network CI/CD pipeline, the problems it solves for Network Engineers, and how to set up GitLab, including creating projects, installing runners, and understanding GitLab executors. We also looked at how to use GitLab variables to securely hide secrets.
In this part, we'll explore how to manage a campus network using Nornir and Napalm and deploy configurations through a CI/CD pipeline. Let's get to it!
As I mentioned previously, I'm not a CI/CD expert at all and I'm still learning. The reason for creating this series is to share what I learn with the community. The pipeline we are building is far from perfect, but that's okay. The goal here is to create a simple pipeline that works and then build upon it as we go. This way, you can start small and gradually Continue reading
Hi all, welcome back to our Network CI/CD blog series. In the previous posts, we covered what CI/CD is and why you need it for Network Automation. We also covered GitLab basics and how to set up your first pipeline. In this post, we’ll look into how to keep your credentials secure by hiding them from the repository and using GitLab variables. Let’s get to it!
In GitLab CI/CD, variables play an important role in managing dynamic values throughout your pipeline. These variables can store anything from environment-specific settings to sensitive information like credentials. By using variables, you can easily manage and change values without hardcoding them in your scripts or playbooks.
GitLab provides a secure way to store sensitive data such as passwords or API tokens. You can define these variables in your project’s Settings > CI/CD > Variables section, and they will be securely injected into your pipeline during runtime.
If you recall, in our previous examples, we had the username and password hardcoded in the Ansible variables file. This is not secure at all, and you should never expose sensitive information like credentials directly in your repository. By using GitLab variables, you can securely Continue reading
Hi everyone, welcome back to the Packetswitch blog. Today, we're going to look into NetPicker, a tool that not only performs Network Compliance Tests but also takes backups of your network devices. In this post, we'll walk you through downloading and installing NetPicker, adding devices, taking backups, and setting up backup schedules.
As of September 2024, according to NetPicker’s pricing page, there’s a ‘Free for Life’ plan that allows unlimited backup of your device configurations and unlimited automated tests for up to 10 devices. This means you can manage backups for all of your devices without spending a penny. If you need to run tests on more than 10 devices, you’ll likely need to consider purchasing a license.
To get started with NetPicker, navigate to their website and fill out the form with your name and email. After you complete this step, you'll receive an email with detailed installation instructions. You have two main options for installation.
I just realized how much I didn't know about Python Object-Oriented Programming. I thought I knew the basics, but a few days ago, while going through a Python course, I found out I was wrong. Before I forget what I’ve learned, I wanted to write this blog post and share it with you.
In this blog post, we’ll cover the difference between functions and methods, and what exactly ‘self’ means in Python. So, let’s get to it.
class MyClass:
def say_hello():
print('Hello')
In this snippet, we’ve defined a Class called MyClass with a function named say_hello
. But here’s a question for you - what do you call say_hello
? Is it a function or a method?
It’s a common misconception to think that simply defining a function inside a Class automatically makes it a method. However, the distinction lies in how the function is accessed.
Hi all, welcome back to the Packetswitch blog. In today's post, we'll explore how to use NAPALM for managing device configurations. We'll focus on Arista EOS as our example. We'll cover the methods available in NAPALM and how to push, commit and revert configurations on Arista devices.
We'll start by explaining what NAPALM is and why you might want to use it. Then we'll move on to a few examples and take a look at what happens behind the scenes. This approach will give you a clear understanding of NAPALM's role in network configuration management and how it works with Arista EOS devices.
NAPALM stands for Network Automation and Programmability Abstraction Layer with Multivendor support. It's a Python library that helps network engineers manage and automate different network devices using a common set of functions. NAPALM solves the problem of dealing with multiple vendor-specific interfaces by providing a unified way to interact with network devices from various manufacturers. This means you can use the same code to manage devices from Cisco, Juniper, Arista, and others, saving time and reducing the complexity of network automation tasks.
Hi all, welcome back to our Network CI/CD blog series. In this part, we’ll discuss what exactly GitLab is and the role it plays in the whole CI/CD process. We’ll explore how to use GitLab as a Git repository, how to install GitLab runners, and how to write a GitLab CI/CD pipeline, among other topics. So let’s get to it.
Before we proceed, let’s go over some prerequisites. This part of the series assumes you have some familiarity with Git, Ansible, and basic Docker concepts. I’m not an expert in any of these, but I have a basic understanding of what each tool does and how to configure and use them. Even if you’re not very familiar, you can still follow along as we go step by step.
Git is a version control system that allows you to track changes to your code, collaborate with others, and manage different versions of your projects. It's a fundamental tool for network automation that works with code or configuration files.
Hi all, welcome to the 'Network CI/CD' blog series. To kick things off, let's ask the question, "Why do we even need a CI/CD pipeline for networks?" Instead of diving straight into technical definitions or showing you how to build a CI/CD pipeline, which might make you lose interest, we’ll focus on the reasons behind it. Why should network teams even consider implementing CI/CD?
In this post, we’ll talk about the benefits and the problems it solves, so you can see why it's worth learning. Let's get to it.
Even though I call it the “traditional way,” most of us (myself included) still make changes via the CLI. So, let’s imagine you and two colleagues are managing a campus network with 10 access switches. One of your tasks is to configure VLANs on all of Continue reading
Hi all, welcome back to another blog post on VyOS. In the previous post, we covered how to install VyOS and set up the initial configurations. In this blog post, we'll cover how to configure firewall rules in VyOS. To demonstrate, we'll create a hypothetical office setup with a VyOS router/firewall. The router will have two interfaces - one facing the Users and another facing the Internet. Our goal is to allow the Users subnet to access the Internet for ICMP, DNS, and general web traffic.
Our example is based on the following diagram. I don't have a public IP address on my lab but just play along and pretend that 10.10.0.7 is a public IP 😊 (This IP is behind my ISP's router)
As you can see in the diagram, the VyOS router has two interfaces. The interface connected to the Users subnet (Eth1) has an IP address of 10.1.1.1/24
. There's also a test machine in this subnet with the IP address 10.1.1.15
. Our goal is to ensure that this test machine can successfully ping an Internet IP address and browse the general Internet.
Hi all, if you are here, I assume you're looking to learn about Palo Alto Firewalls, and you've come to the right place. In this blog post, we will cover the very basics of Palo Alto firewalls and how to get started.
This blog post assumes you have a basic understanding of networking concepts such as routing, Layer 3 interfaces, traffic flow, subnets, and the necessity of a firewall. If you’ve previously used firewalls from different vendors, that’s even better, and you should find it easier to understand the concepts. When I first started with Palo Alto firewalls, I was already working as a network engineer and had experience with Cisco ASA firewalls. However, it still took some time for me to fully understand the nuances. Therefore, my focus here is to explain the nuances of Palo Alto firewalls using simple examples.
In this post, we’ll touch on several key topics related to Palo Alto firewalls, providing an overview without diving too deep into any single area. I’ve written numerous posts on Palo Alto firewalls, and I will include links to those for more in-depth exploration. Here’s what we’ll cover.
Recently, walking has become a habit for me, and I absolutely love taking short walks while listening to music or podcasts. It helps me rest and recover mentally, emotionally, and physically. Walking clears my mind and helps me process my emotions and thoughts. In this post, I will cover the benefits I experience from walking and how it improves my productivity.
Every time I feel stressed or need a break from everything around me, I go for a walk. It's a simple act, but it refreshes me more than anything else. These quiet moments alone with my thoughts are important for recharging and gaining a new perspective on whatever is bothering me. Walking not only gives me the physical exercise I need but also eases my mind and allows me to return to my tasks with renewed energy and focus.
Hi all, welcome back to another Palo Alto Firewall blog post. In this post, we will explore how to add a VM-Series Firewall into VMWare Workstation, set up the interfaces, and make initial configurations. This guide is designed for beginners who want to try the Palo Alto Firewall in their home lab but aren’t sure where to start.
The first step is to download the image from the Palo Alto Customer Support Portal. To do this, you will need a valid support contract, as sharing the image with others is not allowed. I understand this can be frustrating, as it may seem like vendors make it difficult for users to access and use their products. However, if you use Palo Alto products at work, you might be able to download it there.
To download the required file, navigate to Updates > Software Updates in the portal. Look for the PA-VM section and download the file named PA-VM-ESX-10.1.3.ova
(note that the version might differ).
When setting up the Palo Alto Firewall in VMWare Workstation, I usually allocate 8 GB of RAM, 60 GB of disk space, Continue reading