Archive

Category Archives for "Networking"

Palo Alto How to Configure SSL Decryption?

Palo Alto How to Configure SSL Decryption?

Most websites we access today use HTTPS, and to fully leverage a Next-Generation Firewall (NGFW) like Palo Alto, inspecting encrypted HTTPS sessions is crucial. Configuring SSL decryption isn't just a set-it-and-forget-it task. It requires careful consideration and ongoing improvements. In this blog post, we'll explore how to configure SSL decryption in Palo Alto firewalls and highlight some pitfalls to be aware of. So, let's get to it.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

Palo Alto How to Block Specific URLs?
In this blog post, we’ll explore how to block specific sites using a Palo Alto firewall. There are two ways to achieve this, and we’ll cover both options.
Palo Alto How to Configure SSL Decryption?

SSL Decryption Considerations

As I mentioned earlier, configuring SSL decryption isn’t as simple as flipping a switch. Decryption allows your firewall to inspect the contents of encrypted sessions. Normally, HTTPS traffic is encrypted from your browser to the server, ensuring the sessions are private. However, with SSL decryption, the firewall acts as a man-in-the-middle, inspecting the traffic in plain text. It’s crucial Continue reading

Hedge 256: The Impact of Your First Language

Richard Wexelblat published an article in 1980 titled: “The consequences of one’s first programming language.” We’ve all seen C code written like Python, or Python code written like C, so it’s obvious a coder’s first language has a long lasting effect on their style. What about network engineers? Are there times and places where the first of anything a network engineers encounters has a long lasting impact on the way they think and work? In this roundtable, Tom, Eyvonne, and Russ consider different ways this might apply to network engineering.

download

Use BGP Outbound Route Filters (ORF) for IP Prefixes

When a BGP router cannot fit the whole BGP table into its forwarding table (FIB), we often use inbound filters to limit the amount of information the device keeps in its BGP table. That’s usually a waste of resources:

  • The BGP neighbor has to send information about all prefixes in its BGP table
  • The device with an inbound filter wastes additional CPU cycles to drop many incoming updates.

Wouldn’t it be better for the device with an inbound filter to push that filter to its BGP neighbors?

Sturgeon’s Law, VRRPv3 Edition

I just wasted several days trying to figure out how to make the dozen (or so) platforms for which we implemented VRRPv3 in netlab work together. This is the first in a series of blog posts describing the ridiculous stuff we discovered during that journey

The idea was pretty simple:

  • Create a lab with the tested device and a well-known probe connected to the same subnet.
  • Disable VRRP (or interface) on the probe and check IPv4 and IPv6 connectivity through the tested device (verifying it takes over ownership of VRRP MAC and IP addresses).
  • Reenable VRRP on the probe and change its VRRP priority several times to check the state transitions through INIT/BACKUP(lower priority)/MASTER(change in priority)/BACKUP(preempting after a change in priority).

NAN083: Cox Gets Network Automation Right, and Proves It at DEF CON (Sponsored)

Today’s Network Automation Nerds episode discusses Cox Communications’ journey to getting network automation right. We also talk about how they used network automation to support operating the network at the DEF CON hacker convention. Our guests are David Ezell, Joshua Watkins and Eric Hansen from Cox Communications. We dive into initial steps and challenges in... Read more »

D2DO263: An Anthropologist’s Advice for Improving IT Cultures

It’s tempting to run IT organizations the same way we run infrastructure: as resource units to be applied to various jobs. But people aren’t infrastructure. They have opinions. They form teams. They operate on different incentives, which sometimes clash within an organization (i.e. sales vs. product managers, or infosec vs. everybody). Today’s guest, Lianne Potter,... Read more »

Running EVE-NG in Proxmox

Running EVE-NG in Proxmox

If you follow my blogs, you might know that I recently switched to Proxmox from VMware Workstation Pro for my home lab. I’ve already migrated most of my VMs, including Cisco CML, to Proxmox, and the last piece left was EVE-NG. In this blog post, we’ll go through the steps to install EVE-NG in Proxmox. Let’s get started!

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

Running Cisco CML in Proxmox
In this blog post, we’ll go through how to install Cisco CML (specifically CML 2.8 Free Tier) on Proxmox.
Running EVE-NG in Proxmox

Overview

EVE-NG doesn’t have official documentation for Proxmox, but it works perfectly fine, and I haven’t faced any issues so far. For this example, I’m using

  • Proxmox version 8.3.0
  • EVE-NG Community Edition 6.2.0

Most of the VM’s settings can be left at their default values, but there are a couple of changes I had to make. Before diving in, let's have a quick look at Nested Virtualization.

Nested Virtualization

Nested virtualization allows you to run virtual machines Continue reading

Record-breaking 5.6 Tbps DDoS attack and global DDoS trends for 2024 Q4

Welcome to the 20th edition of the Cloudflare DDoS Threat Report, marking five years since our first report in 2020.

Published quarterly, this report offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the fourth quarter of 2024 and look back at the year as a whole.

Cloudflare’s unique vantage point

When we published our first report, Cloudflare’s global network capacity was 35 Terabits per second (Tbps). Since then, our network’s capacity has grown by 817% to 321 Tbps. We also significantly expanded our global presence by 65% from 200 cities in the beginning of 2020 to 330 cities by the end of 2024.

Using this massive network, we now serve and protect nearly 20% of all websites and close to 18,000 unique Cloudflare customer IP networks. This extensive infrastructure and customer base uniquely positions us to provide key insights and trends that benefit the wider Internet community.

Key DDoS insights

  • In 2024, Cloudflare’s autonomous DDoS defense systems blocked around 21.3 million DDoS attacks, representing a 53% increase compared to 2023. On average, in 2024, Cloudflare blocked 4,870 Continue reading

The fall and rise of TikTok (traffic)

The United States ban on TikTok went into effect on January 19, 2025, and although service began to be restored after just 14 hours, it was only close to the inauguration of Donald Trump as the 47th President of the United States that associated DNS traffic started to recover to closer to previous levels. In this post, we analyze the events of January 19 and 20, and what they meant for TikTok-related DNS traffic, but also other competitors (including their growth outside the US).

For context, we wrote an initial blog post about the TikTok ban on Sunday, January 19, 2025. The ban was part of the "Protecting Americans from Foreign Adversary Controlled Applications Act," proposed in Congress, which ordered ByteDance to divest due to alleged security concerns. The bill was signed into law by Congress and President Biden in April 2024, and was upheld by the Supreme Court on January 17, 2025.

Aggregated data from our 1.1.1.1 DNS resolver shows — as we’ve posted on social media — that the TikTok shutdown in the US began to impact DNS traffic to TikTok-related domains on January 19, just after 03:30 UTC (22:30 ET on January Continue reading

IBGP Is the Better EBGP

Whenever I was explaining how one could build EBGP-only data center fabrics, someone would inevitably ask, “But could you do that with IBGP?”

TL&DR: Of course, but that does not mean you should.

Anyway, leaving behind the land of sane designs, let’s trot down the rabbit trail of IBGP-only networks.

NB510: CISA Says US Tech Inherently Insecure; AI Now Included in Google Workspace

Take a Network Break! Guest co-host John Burke joins Drew Conry-Murray for this week’s analysis of tech news. They discuss a string of serious vulnerabilities in Wavlink Wi-Fi routers, Fortinet taking a one-two security punch, and CISA director Jen Easterly calling out US hardware and software companies for being “inherently insecure.” Microsoft and Google put... Read more »

Concise Link Descriptions in netlab Topologies (Part 1)

One of the goals we’re always trying to achieve when developing netlab features is to make the lab topologies as concise as possible1. Among other things, netlab supports numerous ways of describing links between lab devices, allowing you to be as succinct as possible.

A bit of a background first:

  • In the end, netlab collects all links in the links list before starting the data transformation process.
  • Every entry in the links list is a dictionary. That dictionary can contain link attributes and must contain a list of interfaces connected to the link.
  • Every interface must have a node (specifying the lab device it belongs to) and could contain additional interface attributes.