I’ve been working with Palo Alto Firewalls and Panorama for a few years now, yet the best ways to use Templates still seem somewhat mysterious. I bet many of you feel the same way. Since every network is unique, there isn’t one “right” way to manage this. In this blog post, I’ll break down what Templates and Template Stacks are in Panorama and share some effective strategies for organizing them. Let’s dive in.
If you’re new to Panorama, it’s a centralized management tool that simplifies managing multiple Palo Alto firewalls from a single place. There are two key concepts in Panorama: Device Groups and Templates. Device Groups manage the configurations you’d usually find under the Policies and Objects tabs on the firewall, while Templates manage the configurations from the Network and Device tabs.
It’s important to note that Device Groups and Templates serve different purposes and manage different parts of the configurations. This blog post will focus exclusively on Templates. If you need a refresher on Device Groups and Templates, I’ve covered that in a previous post. Feel free to check it out here for a quick recap.
When I was at Autocon1, I visited the Arista booth and had an interesting chat with their team. They mentioned a tool called Arista Network Test Automation (ANTA), which sounded promising, and I wanted to try it out in my lab. As with anything related to automation, I always want to experiment and share my findings with my readers.
In a nutshell, if you work with Arista devices, you can use the ANTA Python library to write tests using a simple YAML declarative syntax. From a very high level, you define some tests, run them, and they either pass or fail. This straightforward approach helps you quickly verify the health and configuration of your network.
Here are some of the tests you can write.
Here is a very simple test that checks if all my routers (6 in total) have the specified two routes in their routing tables. The test will fail if the route doesn't Continue reading
People often ask me how I manage to write so many blog posts. With 5-6 posts a month, it might seem like a lot, but my answer is always the same: consistency. I’ve been blogging for over three years now, and writing has become a part of my daily life. It’s all about sticking to it day after day. In this post, I’ll share how maintaining consistency has not only improved my blogging but can also help you in any area of your life.
I want to start off by acknowledging that while it’s easy to talk about being consistent, actually implementing it can be really tough. Take my own struggle with running, for example. I’ve been trying to make it a consistent part of my life for the past few years, but it’s been a real challenge. I might run for a week, then give up, start again, and then stop. It’s a cycle that’s hard to break. So, I understand that being consistent isn’t always straightforward or easy. I just wanted to get that out of the way before we proceed with this topic.
Packet capture is very useful when you troubleshoot network connectivity issues or monitor suspicious activity.
There are four stages:
Initiate a ping from CLIENT to the SERVER and capture both ICMP echo request and ICMP echo reply.
You can configure packet capture by going to Monitor > Packet Capture.
The filter shown below captures both echo request and echo reply on Continue reading
If you work with Palo Alto firewalls, you might know there's no straightforward way to find and remove unused address objects. When I googled for solutions, I found that others suggested using Expedition or some kind of automation. In this blog post, I'll show you a very simple script to find these objects and remove them if needed.
I tried using Expedition a few years back, but it required a dedicated VM, and I struggled to wrap my head around how to use it. I just needed a simple solution. While I could also use Palo Alto's REST API or even the Python SDK, setting everything up takes a bit more time.
Then it occurred to me that Palo Alto provides 'set' commands, and you can use the 'delete' version of those commands to remove something. With that in mind, I thought, "Hmm, what if I get the whole config from either the firewall or Panorama in the 'set' format, run it through a regex, and extract all the object names?" Once I have the object names, I can go through the configuration line by line to check if the objects are Continue reading
As a Python learner, I've faced several challenges, but so far, one of the most difficult topics to understand has been concurrency. In the beginning, it can be incredibly confusing, especially if you're a beginner. The aim of this blog post is to simplify concurrency by breaking it down with a couple of examples and an analogy to help you understand this challenging concept. So, let's get started.
When writing Python programs, you might find yourself needing to execute multiple tasks simultaneously or in parallel. This is where concurrency comes in. Concurrency allows your program to run multiple tasks at the same time, which can significantly improve performance and efficiency, particularly when handling time-consuming tasks.
Python's concurrent.futures module simplifies concurrent programming by providing a high-level interface for asynchronously executing callables (functions/methods). ThreadPoolExecutor and ProcessPoolExecutor are two popular classes within this module that enable you to easily execute tasks concurrently, using threads or processes, respectively.
When deciding between ThreadPoolExecutor and ProcessPoolExecutor, consider the following analogy: ThreadPoolExecutor is like having multiple chefs in a shared kitchen, while ProcessPoolExecutor is like having multiple chefs, each with their own kitchen.
ThreadPoolExecutor is Continue reading
As a Network Engineer or someone working in IT, I've always needed a firewall for my home network. Whether it's for learning purposes or using a VPN to connect back home while working remotely, having a reliable firewall is essential. If you are a small company, you might also need a free or cost-effective firewall for various experiments. The use cases can be anything.
There are numerous paid and free options out there, but VyOS stands out with its powerful enterprise-level features. In this blog post, I'll show you how easy it is to get started with the VyOS router/firewall. We'll cover how to download it, installation options, and some basic configurations. So, let's get started.
There are numerous free and paid firewalls out there. Of course, I would love to have the latest and greatest firewalls like Palo Alto or FortiGate, but they are way over my budget. Even if I could afford the Continue reading
In this blog post, let's look at how to configure TACACS+ AAA authentication on Arista EOS devices using Cisco ISE. When someone tries to log in to the device, we want the Arista device to authenticate and authorize the user against Cisco ISE. We'll go through the necessary configurations and steps to set up this integration between Arista EOS and Cisco ISE.
You could configure this in two ways with a slight difference. With the first method, ISE authenticates the user and tells Arista which role to apply. Arista devices come with two predefined roles, network-admin and network-operator. For example, suppose we have two different groups of users: network engineers who need full access and NOC engineers who only need read-only access. When the users log in, depending on the policy, ISE will send TACACS+ attributes that tell the switch which role to apply. With this method, the authorization happens locally at the switch.
For the second method, we will not use these two predefined roles. Each command the user enters on the CLI will be authorized by Cisco ISE. For example, we can allow all commands for network engineers and prevent NOC engineers from Continue reading
Yes, you read that right. NetBox Labs is now offering a generous free plan for their SaaS version of NetBox. This change is a big win for many of us who no longer need to worry about managing our own NetBox instances. With this free plan, you can take advantage of all the powerful features of NetBox without the hassle of maintenance and updates.
As a blogger, I create a lot of labs and practice a lot of automation. I rely on NetBox for IP Address Management (IPAM) and other network-related tasks. Before this, I had my NetBox running as a Docker container on one of my VMs. However, there were times when I wanted to access NetBox and found out the VM was powered off. This free plan is music to my ears. There is a 100-device limit, but that's more than enough for my needs.
Getting started with the free plan is as simple as going to their website and signing up for a free plan. I was up and running within a few minutes. The free plan includes up to 100 devices, 500 IP addresses, and 10k API Continue reading
Yes, you read that right. My Network Lab is indeed a text file (a YAML file, to be more specific). I can share the file with anyone, put it into version control, and never worry about re-creating the lab manually. No more clicking through the GUI and connecting interfaces. How is that even possible? You must be thinking this is clickbait, right? Well, I'm talking about using Containerlab to create and manage your network topologies and labs.
I started my networking journey with Packet Tracer, then moved on to GNS3. Most of the time, I've used EVE-NG and some Cisco CML. EVE-NG is a great tool, and I still use it for building complex, large topologies with Cisco ISE, multiple firewalls, Active Directory, etc. But when it comes to labbing up pure networking protocols like BGP, OSPF, STP, or even simple IP routing, I needed something very simple that is easy to deploy and manage.
That's when I came across Containerlab, which is a Lab-as-a-code tool that helps you set up and manage your network labs easily. Instead of dealing with complex setups and configurations, containerlab simplifies everything for you. Containerlab provides a command-line interface (CLI) that Continue reading
In this blog post, let's look at a very simple Network CI/CD pipeline that manages my Containerlab network topology and configurations. We'll start with the benefits of using CI/CD, cover some basic terminology, and then go through an example.
To give an overview, I use Containerlab to deploy my network labs and Nornir to deploy the configurations. Before CI/CD, my typical workflow involved using containerlab commands to manage the topology. Once the lab is up and running, I use Python to run the Nornir script. This works well because I'm the only one using it. However, I ideally want to put all the configurations into a Git repo to track my changes over time. I also want to test my code (to ensure there are no syntax errors, for example) and automatically push the updates to the devices.
Here is the project repo if you want to clone it and follow along.
CI/CD stands for Continuous Integration and Continuous Delivery. In simple terms, it means automatically testing and delivering your code. With Continuous Integration (CI), every time you make a change to your code, it's tested automatically Continue reading
Hi all, in this quick blog post, let's look at how to run Palo Alto firewalls in Containerlab. If you've been following me for a while, you might know that I've started using Containerlab more often in my projects. If you're new to Containerlab or need a quick recap, check out my other introductory post below. Now, let's dive in.
Palo Alto doesn't provide a containerized VM image (CN-Series aside); it only has a VM-based image. You can create a container from this VM image using two methods. The official documentation recommends using 'boxen' to generate a container image from the VM. However, I chose to use the vrnetlab project instead.
First things first, download the VM image (qcow2) from the Palo Alto support portal. You might need a valid support contract to access this image. For this Continue reading
In my Python journey, I've always stuck to just one version of Python at a time. I happily used Python 3.9 for quite a while, then switched to Python 3.10 without any issues. Everything was perfect until recently when I tried installing a Python application using pip, but no matter what I did, the installation kept failing. I couldn't fix the issue even after hours of Googling.
That's when I finally decided to check the documentation (which I should have done from the start), and there it was, this application requires a minimum Python version of 3.8 and was only tested on versions 3.8 and 3.9. That made me think, maybe I should have installed it using Python 3.9, but how? I'm no expert in Linux or Unix systems, and I worried that reinstalling Python 3.9 could mess up other projects I'd built on 3.10.
So, I started exploring how to manage multiple Python versions on the same machine, and that's when I stumbled upon a tool called 'pyenv'. This seemed like the perfect solution to my problem, so I decided to learn more about it.
As a Network Engineer, I've noticed we're in a constantly evolving field. Traditional networking is already a deep pool of knowledge, covering a wide range of topics. But the tech world doesn't stand still – it's moving at a fast pace.
Now, we're not just dealing with routers and switches. We've got a whole new set of skills to learn. There's Cloud, then there's Automation. We're also diving into tools like Ansible, Docker, and Terraform, and let's not forget Python. With all these new areas to explore, the big question is: how do we keep up? How do we learn all these new skills without forgetting the fundamentals that got us here?
Let me pull out EIGRP as an example. Back when I was studying for my CCNP certification, EIGRP and I were best buddies. I could set up labs, get EIGRP running between them, and troubleshoot any issues that popped up. Ask me about it now. Well, it's a bit embarrassing, but I'd be scratching my head. I remember something about a 'feasible route', but that's about it.
I'm sure many of you can relate to the familiar headache that comes with setting up Network Labs. Suppose you just want to test some BGP functionalities, perhaps exploring how to use Route Map with BGP route filtering. Normally, you'd start by setting up a lab environment. This involves selecting a platform like EVE-NG or Cisco CML, adding a bunch of routers, and connecting everything with virtual cables.
Once your setup is physically ready, the real "fun" begins. You start configuring each router, setting interface IPs, adding descriptions, and configuring BGP attributes like neighbours and network statements. If this sounds tedious, that's because it is! I've configured interfaces countless times myself, and it never gets any less painful. Ever typed the wrong IP and then spent hours troubleshooting why you can't ping your peer? If you're nodding in agreement, you're definitely not alone. I know how to configure an interface already, I just don't want to do it for the 1000th time this year.
And just when you think about doing some automation or integrating with 3rd party tools (NMS, NCM etc), you're faced with another set of challenges. Setting up local user accounts, configuring management IPs, creating SSH keys—it Continue reading
I just discovered the VSCode Remote - SSH feature, and it's a game-changer (at least for me). This tool lets you code directly on a remote server (Linux VM for example) through SSH, right from your local VSCode. It brings your remote environment to your local workspace, making remote development much easier.
The Visual Studio Code Remote - SSH extension allows you to open a remote folder on any remote machine, virtual machine, or container with a running SSH server and take full advantage of VS Code's feature set. Once connected to a server, you can interact with files and folders anywhere on the remote filesystem.
No source code needs to be on your local machine to gain these benefits since the extension runs commands and other extensions directly on the remote machine.
Let me share a challenge I faced until recently. My main machine runs Windows, but for my work with automation tools like Python, Ansible, Terraform, and others such as Containerlab and Git, I prefer a Mac or Linux command line environment. I didn't want to install these tools directly on Windows due to potential issues.
Initially, I thought about using WSL, but Continue reading
Nornir is a Python library designed for Network Automation tasks. It enables Network Engineers to use Python to manage and automate their network devices. Unlike tools like Ansible which rely on domain-specific languages, Nornir leverages the full power of Python, giving you more flexibility and control over your automation scripts.
Nornir feels like what you'd get if Ansible and Python had a baby. If you're used to Ansible, you know that you first set up your inventory, write tasks, and execute them on all or selected devices concurrently. Nornir operates similarly, but the big difference is you use Python code instead of any Domain Specific Language.
Before I discovered Nornir, my approach to Python automation involved manually setting up a list of devices, specifying each one's vendor and credentials. This setup could be a simple Python list or a dictionary. Then, I'd loop through each device with a for loop, using libraries like Netmiko or Napalm to execute tasks. These tasks ranged from getting data from the devices to sending configurations. Here is a very simple snippet of managing the devices and using them with Netmiko. This method can get complicated very easily once you start Continue reading
In this blog post, we're diving into how to use the PyEZ Python library to interact with Juniper devices. I'll be working with a Juniper vMX device as our example, but PyEZ can work with any other Junos-based device. So, whether you have a vMX, an SRX, or any other Junos device, you'll find this guide helpful.
What will we cover?
Junos PyEZ is a microframework for Python that enables you to manage and automate Junos devices. Junos PyEZ is designed to provide the capabilities that we would typically get from the CLI.
You can use Junos PyEZ to retrieve facts or operational information from a device, execute remote procedure calls (RPC) available through the Junos XML API and even install or upgrade the Junos software. But for the sake of this example, we will retrieve the facts from the vMX and then retrieve some interface statistics.
If you're wondering why we need PyEZ, here's a straightforward reason from my experience. I often Continue reading
I've been following IP Fabric for some time now, checking out their updates and reading their blog posts. It made me curious to give their platform a try myself. So, I did just that and thought it'd be helpful to share my thoughts and experiences with you.
If you're curious about IP Fabric too, they offer a 90-day lab license, which is a great way to get hands-on with the platform. The nice people over at IP Fabric set me up with a trial license and I found the setup process to be very straightforward. In fact, it took me less than an hour to get everything up and running.
What will we cover?
What if I told you that all you need is a YAML file with just a bunch of lines to create a Network Lab that can run easily on your laptop? You'd call me crazy, right?
Well, in this blog post, I'll walk you through what Containerlab is and how it can simplify creating and managing your labs with ease. Let's dive in.
What will we cover?
The official definition is "Containerlab provides a CLI for orchestrating and managing container-based networking labs. It starts the containers, builds a virtual wiring between them to create lab topologies of users' choice and manages labs' lifecycle."
Simply put, containerlab is a Lab-as-a-code tool that helps you set up and manage your network labs easily. Instead of dealing with complex setups and configurations, containerlab simplifies everything for you. Continue reading