Firewall, Palo Alto, Security

Palo Alto High Availability

Downtime is not acceptable in any environment,
and this is where the term High Availability comes into play.

To configure High Availability on Palo Alto you need two links on each device: one for the Control Link (HA1) and one for the Data Link (HA2).
Both Palo Alto devices exchange hello messages and heartbeats through the Control Link (HA1). If these are not received, the backup Palo Alto peer assumes that the active peer is down and takes control.
(Note: this scenario is in Active/Passive mode.)
Be aware that both Palo Alto devices must meet these prerequisites:
1- Same model
2- Same interfaces
3- Same PAN-OS
4- License

I'm working here on PAN-OS 7.0.1.
My Active Palo Alto IP address: 192.168.208.222
My Passive Palo Alto IP address: 192.168.208.111

I showed you how to configure Palo Alto from scratch in the earlier blog post.
Now I add extra network cards for HA1 and HA2.
To configure the Palo Alto interfaces,
go to Network – Interface – select the interface.
Ethernet 1/3 will represent HA1
Ethernet 1/4 will represent HA2
Now to the peer configuration.
I give the Active peer these IP addresses:
192.168.209.140 (HA1)
192.168.209.142 (HA2)
and the Passive peer:
192.168.209.141 (HA1)
192.168.209.143 (HA2)
Go to Device – High Availability – General tab – Setup settings.
Enable HA, choose a Group ID, fill in the Peer IP address and choose the mode.
Then go to Control Link (HA1), choose Ethernet 1/3 as the HA1 port and enter the IP address 192.168.209.140 and netmask.
After that I go to the Data Link (HA2), enable session synchronization, and enter the IP address I chose earlier, 192.168.209.142, with the netmask and gateway; for the transport I select IP.
Now to the Election Settings: to make sure that 192.168.208.222 is the active one I have to give it a lower priority value.
The default is 100, so I configure it to 90 and select Preemptive and Heartbeat Backup (heartbeat backup uses the management interface, which protects against split brain).
Now go to the Dashboard tab – Widgets – System – and select High Availability
so I can see the status in the Dashboard.
As you can see, the status is all red.
Now on the other peer I need to configure the same interfaces for HA1 and HA2 and the same High Availability configuration, except for the IP addressing; for the Election Settings I will just keep the defaults.
Then go back to the Active peer 192.168.208.222 and you will see HA1 and HA2 turn green; now choose Sync to Peer.
It will ask you to overwrite the peer configuration; just select Yes.
And now all our configuration is synchronized.
Go to the Passive peer and you will see that the local peer is the Passive
and the Active is 192.168.208.222.
If you check the Passive peer's network interfaces you will find they are red.
And now to test it I will ping 8.8.8.8 non-stop and power off the Active peer.
As you can see, it took only 3 request timeouts, which is less than 6 seconds, and users will not notice it.
If you check the System log in the Dashboard you will see that your passive peer noticed the HA1 Control Link went down and the Passive became the Active.
And our red interfaces become green.
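
The election and failover behaviour described above can be traced with a small model. This is an added example, not code from the original post or from Palo Alto Networks; `Peer`, `step`, `failover_scenario` and `ha1_cut` are hypothetical names, and the model is a simplification that assumes the documented PAN-OS rules that the lower priority value wins and that preemption only takes effect when it is enabled on both peers.

```python
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    priority: int            # lower value = preferred as active (page: 90 vs default 100)
    preemptive: bool
    alive: bool = True
    state: str = "initial"


def step(p1, p2, ha1_up=True, hb_backup_up=False):
    """Recompute both HA states after an event and return {name: state}."""
    peers = (p1, p2)
    for p in peers:
        if not p.alive:
            p.state = "down"
    # Hellos/heartbeats get through if HA1 or the management-port backup path works.
    heard = p1.alive and p2.alive and (ha1_up or hb_backup_up)
    if not heard:
        # Every live peer assumes the other one is down and takes control.
        for p in peers:
            if p.alive:
                p.state = "active"
    else:
        best = min(peers, key=lambda p: p.priority)
        active = [p for p in peers if p.state == "active"]
        # Without preemption on both peers, a single current active keeps its role.
        keep_current = (len(active) == 1 and active[0] is not best
                        and not (p1.preemptive and p2.preemptive))
        winner = active[0] if keep_current else best
        for p in peers:
            p.state = "active" if p is winner else "passive"
    return {p.name: p.state for p in peers}


def lab_pair(passive_preemptive):
    # Addresses and priorities are the lab values from this post.
    return (Peer("192.168.208.222", 90, True),
            Peer("192.168.208.111", 100, passive_preemptive))


def failover_scenario(passive_preemptive):
    """Boot, power off the active peer, then bring it back."""
    fw1, fw2 = lab_pair(passive_preemptive)
    timeline = [step(fw1, fw2)]
    fw1.alive = False
    timeline.append(step(fw1, fw2))
    fw1.alive = True
    timeline.append(step(fw1, fw2))
    return timeline


def ha1_cut(hb_backup_up):
    """Both peers stay healthy and only the HA1 link fails."""
    fw1, fw2 = lab_pair(True)
    step(fw1, fw2)
    return step(fw1, fw2, ha1_up=False, hb_backup_up=hb_backup_up)


if __name__ == "__main__":
    for flag in (False, True):
        print("passive peer preemptive =", flag, failover_scenario(flag))
    print("HA1 cut, no heartbeat backup:", ha1_cut(False))
    print("HA1 cut, heartbeat backup up:", ha1_cut(True))
```

The passive peer's preemptive flag is a parameter because the post leaves that peer's election settings at their defaults; the last step of each timeline shows whether 192.168.208.222 takes the active role back.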

By default link monitoring is enabled on all links, but if you want to specify the important links like Trust, Untrust and DMZ, then
go to Device - High Availability - Link and Path Monitoring - Link Group
and add those interfaces to it.
;D
Palo Alto

Palo Alto LDAP Integration (Agentless User-ID)

Active Directory Integration
In the earlier blog post Palo Alto to Internet we configured how to allow users to go to the Internet. Now Active Directory lets me control who can have access to the Internet per user, and also monitor exactly who is watching what, and this is the configuration.

Let's start with the Microsoft side.
Start by creating a user in Active Directory for the mapping integration.
Go to Tools – Active Directory Users and Computers.
Go to the Users container and right-click New – User.
I created the user aysar.mohamed@ccieroot.com.
Enter the password; since this is an integration user, there is no need to change the password, and set it to never expire.
Click Finish.
Go to the user settings.
Go to the Member Of tab.
The user should be a member of:
(Distributed COM Users, Event Log Readers, Server Operators)
In Windows 2003, the service account must be given the “Audit and manage security log” user right through a group policy. Making the account a member of the Domain Administrators group provides rights for all operations. The built-in group named “Event Log Readers” is not available in Windows 2003.
Add those groups.
Press OK.
Second, we need to check that the domain is configured to log successful logons.
Open Group Policy Management.
Then select Domains – ccieroot.com – Default Domain Policy – Edit.
Go to Computer Configuration – Windows Settings – Security Settings – Local Policies – Audit Policy.
Select Audit account logon events.
Check the box Define these policy settings:
Success & Failure
Now it's time to update the policy.
Go to cmd and update the policy using the command (gpupdate).
Then do the WMI authentication part: the device uses WMI authentication, so you must modify the CIMV2 security properties on the AD server that connects to the device.
Go to cmd and enter the command (wmimgmt.msc).
Right-click and select Properties.
Go to the Security tab – Root – CIMV2 and click the Security button.
Click Add to add the user (aysar.mohamed) that I created earlier
and give it these permissions:
Enable Account
Remote Enable

Now the Palo Alto side.
First, check that the internal zone has User-ID enabled.
Second, make sure the service route is configured to use the inside network for (LDAP, DNS and Kerberos).
Go to Device – Setup – Service Feature – Customize.

Next go to Device > User Identification > Palo Alto Networks User-ID Agent Setup and click the settings button in the corner.
In WMI Authentication I use the username and password I created.
Then enable Server Monitoring.
Optionally, if you enable NTLM, then to discover the domain you have to enable the DNS configuration under
Service – DNS – internal primary DNS server.
Also enable Client Probing and press OK.
Client probing is useful in a huge environment because changes are reflected on the firewall immediately,
every 20 minutes.
After that I add my Active Directory under Server Monitoring.
Then the domain controllers will show with a status of Connected.

First go to Device – Server Profiles – LDAP – Add.
Base DN: auto-generated
Bind DN: (this account must be a member of the built-in Server Operators group in AD)
Also uncheck the box Require SSL/TLS secured connection (with it unchecked, the bind credentials cross the network unencrypted).
Then we need to create an Authentication Profile.
Login Attribute: sAMAccountName
Then select the Advanced tab and in the Allow List add (All).
With that we are done with the Active Directory integration.

Now we create our group mappings so we can use these Active Directory groups in our security policies.
Navigate to the Group Mapping Settings tab – Add new.
Then go to the Group Include List tab at the top. As long as you see the OUs from your AD, it means everything is visible correctly.
Just for testing I add the IT Staff group.
Now in our Internet rule, go to the User tab and add my user or group.
Now, as you can see under the Monitoring tab, I see my username when I access any website.

;D

Note:
Because WMI probing trusts data that is reported back from an endpoint, Palo Alto Networks recommends that you do not use this method to obtain User-ID mapping information in a high-security network. If you configure the User-ID agent to obtain mapping information by parsing Active Directory (AD) security event logs or syslog messages, or using the XML API, Palo Alto Networks recommends you disable WMI probing.
If you do use WMI probing, do not enable it on external, untrusted interfaces.

Firewall, Palo Alto

Configure Palo Alto to allow inside DMZ (FTP server)

So, DMZ.
In the earlier blog post Palo Alto to Internet we configured how to allow users to go to the Internet. Today I will show you how to allow your customers to come in to your FTP server.
First I configure my Ethernet 1/1 with the public IP address 37.76.249.42.
Go to Networks – Interface – Ethernet – Edit.
Change the type to Layer 3 and configure the Virtual Router and Zone (Outside).
Then go to IPv4 and configure an IP address of 37.76.249.42/27.
Then configure Ethernet 1/2 as the DMZ gateway.
Change the type to Layer 3 and configure the Virtual Router and Zone (DMZ).
Then go to IPv4 and configure an IP address of 192.168.250.250/24.
Now the most important step is to configure the NAT policy.
Go to Policies – NAT – Add new.
I choose the name: NatMyFTPServer
Choose your
Source Zone (DMZ)
Destination Zone (Outside)
Destination Interface (Ethernet 1/1)
Then I have to add my source address, so click on Address.
Choose a name (MyFTPServer)
Type: IP Netmask
Enter the local IP address (192.168.250.16)
And it's added.
By the way, in case you have many servers that serve different services and only one public IP, you can adjust the services to be one for FTP, a second for HTTPS and one for remote access, which is considered (Static NAT with Port Translation),
but in our case it's only one server to one public IP.
Now go to Translated Packet.
Translation type: Static IP
Type the translated address, which is the public IP address I configured earlier, and to make sure translation goes both ways check the box Bi-directional.
Now finally let's configure the Security Policy rule.
Let me educate you here: in the security policy, the destination zone is always post-NAT and the destination IP is pre-NAT.
So your destination zone after the NAT is the DMZ,
and your destination IP is the pre-NAT one, which is your public IP address.
Confusing, I know, but it took me 2 years to understand it, thanks to a friend of mine (Adel ;D).
Go to Policies – Security policy – Add new.
Choose a name and the rule type (interzone).
Select the source as Outside, since the traffic is coming from outside.
Configure the destination as the (DMZ) zone and the destination address as your public IP address.
You can customize the Application and Service/URL Category to allow the FTP service only, but since this is a lab just select Any.
Select Any in Application.
Also here, in case you have many servers that serve different services and only one public IP, you can adjust the services to be one for FTP, a second for HTTPS and one for remote access, which is considered (Static NAT with Port Translation),
but since we have one server select Any in the Service/URL Category tab.
Then select Allow as the action for this traffic.
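
The rule stated above (destination zone post-NAT, destination IP pre-NAT) can be checked with a small model of the lookup order. This is an added example, not code from the original post or from Palo Alto Networks; the rule names, the `evaluate` function and the two-entry route table are hypothetical, while the addresses and zones are the lab values from this post.

```python
import ipaddress
from dataclasses import dataclass

# Lab values from this post; the route table is a constructed simplification.
PUBLIC_IP = ipaddress.ip_address("37.76.249.42")
FTP_SERVER = ipaddress.ip_address("192.168.250.16")
ZONE_BY_ROUTE = {
    ipaddress.ip_network("192.168.250.0/24"): "DMZ",      # Ethernet 1/2
    ipaddress.ip_network("0.0.0.0/0"): "Outside",         # Ethernet 1/1
}
# Inbound half of the bi-directional static NAT rule NatMyFTPServer.
DEST_NAT = {PUBLIC_IP: FTP_SERVER}


@dataclass(frozen=True)
class SecurityRule:
    name: str              # rule names below are hypothetical
    src_zone: str
    dst_zone: str
    dst_ip: str
    action: str = "allow"


def egress_zone(ip):
    """Longest-prefix route lookup; the zone is that of the egress interface."""
    best = max((n for n in ZONE_BY_ROUTE if ip in n), key=lambda n: n.prefixlen)
    return ZONE_BY_ROUTE[best]


def evaluate(ingress_zone, dst_ip, rules):
    """Return (matching rule name or None, action, address the packet is sent to)."""
    pre_nat_ip = ipaddress.ip_address(dst_ip)
    post_nat_ip = DEST_NAT.get(pre_nat_ip, pre_nat_ip)   # NAT rule is found first
    post_nat_zone = egress_zone(post_nat_ip)             # zone follows the translated address
    for rule in rules:                                   # top-down, first match wins
        if (rule.src_zone == ingress_zone
                and rule.dst_zone == post_nat_zone       # zone: post-NAT
                and ipaddress.ip_address(rule.dst_ip) == pre_nat_ip):  # IP: pre-NAT
            return rule.name, rule.action, str(post_nat_ip)
    # Nothing matched: traffic between different zones is denied by default.
    return None, "deny", str(post_nat_ip)


CANDIDATES = [
    SecurityRule("zone-pre-nat", "Outside", "Outside", "37.76.249.42"),   # common mistake
    SecurityRule("ip-post-nat", "Outside", "DMZ", "192.168.250.16"),      # common mistake
    SecurityRule("as-on-this-page", "Outside", "DMZ", "37.76.249.42"),
]


def compare_rules():
    """Evaluate the same customer packet against each candidate rule on its own."""
    return {r.name: evaluate("Outside", "37.76.249.42", [r])[1] for r in CANDIDATES}


if __name__ == "__main__":
    print(compare_rules())
    print(evaluate("Outside", "37.76.249.42", CANDIDATES))
```

Only the rule that combines the DMZ zone with the public IP address matches; the two variants that look more intuitive fall through to the default deny.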
Now on my laptop I install 3CDaemon, which is a great FTP server, and choose my D:\IOS\ folder, which contains my files, as the Upload/Download directory.
I also configure a profile (Aysar) so I can use this as my login instead of anonymous.
And now for the BIG test:
from any customer PC I open cmd and ftp to the public IP address of the FTP server,
and as you see authentication went well.
Just type
dir
which lists all the files under my D:\IOS\

;D

Palo Alto

Palo Alto HA Sync Issue & APP and Threat Mismatch

Just when I think everything is okay, a nice view such as the one below appears.
I checked all my HA configuration and it's fine, so
I define this as two issues:
Synchronization
App and Threat mismatch

First let's solve the synchronization, and it's a simple step.
Just next to Running Config press (Sync to Peer) so it pushes the configuration to the Passive HA peer.
It will ask you to overwrite the peer configuration; just press Yes.
Now it starts, as you see (Synchronization in Progress).
As you can see, it has now finished and is synchronized.
And here on the Passive HA peer it shows the same.
Now let's move to the next step, which is the App & Threat mismatch.
Let's check the version of the applications first.
Go to Device – Dynamic Updates – and check Applications and Threats.
So go to 654-3805, which is my latest update; you can also see (Check Update) at the bottom of the screen.
Then press Install on the right side of the Application entry.
Check Sync to HA Peer
and press Continue Installation.
Now it will progress.
And it will automatically transfer a copy to the HA peer.
As you see, a copy is now transferred and installed on the HA peer.
And finally all your HA items on the Active peer are green.

;D

Firewall, Palo Alto, Security

Palo Alto to Internet

TOP 10 Next Generation Firewalls
Palo Alto
After spending many years with Cisco ASA security and working with Microsoft TMG, the company decided to go to a new technology.
After reading about it I realized that Gartner agrees that Palo Alto is considered to be the leader when it comes to Next Generation Firewall appliances.
So let me guide you through the first step: the initial setup and configuring Internet access for users.
And before you say anything, it's an old version, 6.1.0.

Well, first let's log in to the ESXi host.
Then choose to deploy the OVA file.
Browse to the folder where I saved the OVA.
Press Next.
Type a name of your choice.
I prefer to select Thin Provision, as I will not reserve the whole size.
Select the network.
Now press Finish.
The deployment procedure starts.
Now we have finished the installation of the OVA.

How many network cards you need depends on your scenario;
in my scenario I need 4 (Management, WAN, LAN and DMZ).
In my ESXi I have this already configured, as you see in the picture.
Now I will edit my virtual machine.
Configure Network Adapter 2 to be my Outside.
Click Add and select my third network card for the LAN.
Choose the network label (Inside), which represents the LAN; also do the same for the server side, which is represented by (DMZ).
Press Finish and it's created.
Now start the machine.
Username: admin
Password: admin
and set the IP address for the machine.
Now set the default gateway and save it (Commit).
You can check your Management IP configuration by issuing the command
show interface management
Now go to the web page https://192.168.208.222
Enter the default username and password.
You get the normal warning regarding the default username and password.
Go to Device – Setup – Management – Management Interface Settings and you can edit the services or the IP address.
Second, go to Device – Setup – Service – Services and configure DNS and NTP.
Next, go to Network – Zones and add the zones (Outside, Inside and DMZ); repeat the same step below to create each.
Now go to Network – Virtual Router, create a new one and name it.
Next, go to Network – Interfaces and edit each interface (Ethernet 1/1, 1/2 and 1/3):
Outside, Inside and DMZ
Type: Layer 3
Select the Virtual Router and Security Zone.
Then go to the IPv4 tab and add the IP address.
Next, go to the Advanced tab – Other Info – Management Profile and press New.
Choose a name and edit the permitted services.
And then select the management profile.
Repeat the same steps for each interface (LAN and DMZ);
here the zone is different, Inside,
and add the LAN IP address: 192.168.250.250
Now go back to the Virtual Router and add a static route for the default route to your ISP router, in my case: 37.76.249.91
Now it's time to configure your security rule.
Go to Policies – Security and add one.
Name: Allow-Net
Type: Interzone
Choose the source to be Inside.
Choose the destination: Outside
Select the Service/URL Category: Any
Select the action: Allow
Log Setting: enable Log at Session Start and End.
Now go on to configure PAT (Port Address Translation).
Policies – NAT – Add new
Choose a name.
Choose your source security zone: Inside
Destination zone: Outside
Destination interface: Ethernet 1/1 (my WAN network)
Then select Translated Packet and configure it as below:
Dynamic IP and Port for PAT
Now I go to my client, and it took an IP from DHCP.
Test the ping, and the ping is now working perfectly to IP address 8.8.8.8,
and I test web browsing and it's working perfectly.

;D

Note: you can see the sessions in the Palo Alto CLI with
show session all
or
show session id

IOS

SSH (Secure Shell)

As network administrators, our job is to protect our network.
There are many ways to do that, and Telnet is not one of them:
hacking software can show the password in clear text, and then you're fired.

Secure Shell (SSH) is a cryptographic network protocol that provides a secure channel over an unsecured network.
I will guide you through configuring it on a switch.

First configure the hostname.
Then configure the domain name.
Then generate the key and choose your encryption.
Last thing, enable the SSH version.
Finally, under VTY, configure the transport input to allow SSH only.
Now configure the user.
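
A quick way to confirm that a switch ended up in the state these steps aim for is to audit its running configuration. This is an added example, not part of the original post: the sample configuration is constructed, `parse_sections` and `audit_ssh` are hypothetical names, and the check for `username ... password` versus `secret` goes slightly beyond the steps listed.

```python
import re

# Constructed running-config excerpt (not from the page); the domain and user
# mirror the lab naming used in this post. The RSA key pair generated in the
# third step does not appear in the running configuration, so it is not audited.
SAMPLE_CONFIG = """\
hostname SW1
ip domain-name ccieroot.com
username ccieroot password 0 ccieroot
ip ssh version 2
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""


def parse_sections(config):
    """Split an IOS config into (header, [indented child lines]) pairs."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit_ssh(config):
    """Return a list of findings; an empty list means every step is in place."""
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    findings = []
    if not any(h.startswith("hostname ") for h in headers):
        findings.append("hostname not set")
    if not any(re.match(r"ip domain[- ]name \S+", h) for h in headers):
        findings.append("domain name not set")
    if "ip ssh version 2" not in headers:
        findings.append("SSH version 2 not enforced")
    users = [h for h in headers if h.startswith("username ")]
    if not users:
        findings.append("no local user")
    for user in users:
        # 'password' keeps the credential recoverable; 'secret' stores a hash.
        if re.match(r"username \S+ (privilege \d+ )?password ", user):
            findings.append(f"{user.split()[1]}: uses 'password' instead of 'secret'")
    for header, children in sections:
        if not header.startswith("line vty"):
            continue
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport != "transport input ssh":   # every VTY range must be SSH only
            findings.append(f"{header}: {transport or 'no transport input set'}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG):
        print(finding)
```

The second VTY range is included in the sample because it is easy to restrict lines 0 4 and leave lines 5 15 still accepting Telnet.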
Now, there are many tools you can use for SSH.
I chose PuTTY.
My switch IP: 192.168.188.5
Connection type: SSH
Accept the security alert.
Log in with the user that I created earlier:
username: ccieroot
password: ccieroot
That's it ;D

CUCM, Media Resource Group, Uncategorized

Media Resource Groups

The most important element in the CUCM world is the media resource. It is used to allow an administrator to allocate media resources to particular devices.
There are five types of media resources available in Cisco:
Annunciator, Conference Bridges, Media Termination Point, Transcoder and Music On Hold.
Annunciator uses the Cisco media streaming application service to play prerecorded announcements.

Conference Bridges explain themselves without saying, and can be either software or hardware applications.

Media Termination Point, or MTP, can be used to transcode G.711 a-law audio packets to G.711 mu-law packets and vice versa. The CUCM software MTP works only for the G.711 codec; however, an IOS MTP can have multiple codecs.

Transcoder: two phones using different codecs would not be able to communicate, so this is where the transcoder's job comes in.
Cases such as conferencing: CUE uses only G.711, so if another codec is used you need a transcoder; UCCX supports G.711 or G.729, so in case you need both you need a transcoder. For forwarding and transferring calls with different codecs you also need a transcoder.

Music on Hold is the boring music that everyone hears when someone puts us on hold ;D

So here I will guide you on how to configure my 4 most charming features (MTP, Transcoder, Conference and MOH).

First we start by configuring the IOS side.
Allocate DSPs to a DSP farm on the router.

Then I start to configure the DSP farm profiles for each (MTP, Transcoder and Conference).
Note: make sure to issue the command no shut after each profile configuration.
After the profiles are set up I start the SCCP configuration.
The router uses its Gigabit Ethernet 0/0 interface as the SCCP source interface, and the primary Cisco Unified Communications Manager should be 192.168.200.229, which is my Publisher; for better practice it should be the Subscriber, but I only have one in the lab.

Last thing in IOS, I configure the SCCP group:
associate the CUCM with a priority,
associate each media profile and register it with a name that I will use later in the CUCM registration.

Now the CUCM part; first start with the MTP.
Go to Media Resource – Media Termination Point – Add New.
Select Cisco IOS Enhanced Software Media Termination Point.
Enter the name from IOS, which is (MAINMTP).
Select the Device Pool.
Save – Reset
Now the transcoder.
Go to Media Resource – Transcoder – Add New.
Choose Cisco IOS Enhanced Media Termination Point.
Choose the device name configured in IOS, which is (MAINXCODER).
Select the Device Pool.
Save – Reset
And last, the conference bridge.
Go to Media Resource – Conference Bridge – Add New.
Choose Cisco IOS Enhanced Conference Bridge.
Choose the device name configured in IOS, which is (MAINCFB).
Select the Device Pool, Location, and Device Security Mode as Non Secure.
Save – Reset

Last but not least, configure MOH.
Add the audio file:
Media Resources – MOH Audio File Management – Upload File from desktop.
Then create an MOH source.
Go to Media Resources – Music On Hold Audio Sources – Add New.
Choose a number and select the audio source that you just uploaded.
The last thing is to configure the MOH server.
Go to Media Resources – Music On Hold Server Audio Sources.
Select the Device Pool and Location.
Note: in case of multicasting you need to check the box Enable Multi-cast Audio Sources on this MOH Server.
Now assign the MOH to the phones.
Finally we are done with the resources; it's time to add them all under one group.
Go to Media Resource – Media Resource Group – Add New.
Name it; in my case I named it (MainOffice).
Choose the resources you just configured (MAINMTP, MAINXCODER, MAINCFB and MOH_2 (MOH)).
Add them.
Save.
Note: also be aware that in case of multicasting you need to check the box Use Multi-cast for MOH Audio (If at least one multi-cast MOH resource is available).
Now create a Media Resource Group List and add the group to it.
Go to Media Resource – Media Resource Group List – Add New.
Name it; in my case I named it (MainOffice).
Choose the Media Resource Group I just configured.
Finally, assign the Media Resource Group List to the Device Pool.
And done:
you have now allocated the Media Resource Group List I configured to each member of this Device Pool.

For Conference check this Link
For Music on Hold Video check this link

Troubleshooting, WLC

Flexconnect Issue in AIR-AP1852E

I am working on a new project where the vendor installed over 10 access points, model AIR-AP1852E, on a WLC5508 with software version 8.2.100.0,
but I can't configure those APs in FlexConnect mode.
Cisco documentation confirms that the available modes are “Centralized local”, “Standalone”, “Sniffer”, “Cisco FlexConnect”, “Monitor”, “OfficeExtend” and “Mesh”.

But it only shows “Local” & “Sniffer”, so I will guide you through how to fix it.

I logged in to the Cisco web site, downloaded the newer image 8.2.130.0 and saved it to a file.
Unless you have a service contract you will not be able to download it.
Then log in to the WLC.
Now to upload it to the WLC:
go to Commands – Download File, fill in the details of your TFTP server and the WLC file name, and then press the Download button.
You can see in your TFTP server that it starts to upload.

After it finishes the upload it will ask you to reboot.
I chose Save and Reboot.
Now you see it has changed and shows all modes.
Now go to FlexConnect and check the box VLAN Support
and enter the native VLAN ID of your branch – Apply.
Then press the VLAN Mappings button.
Then configure your SSID with the proper VLAN.
Note: even if you have this VLAN in another site it doesn't matter; as long as your access point is in FlexConnect mode it will take the branch IP addressing.

And finally, as you see, I took my branch IP address.

;D

BAT, Uncategorized

Cisco Bulk Administration Tool (BAT)

I call this: the quick and dirty way

In an earlier post I explained the latest CUCM 10 feature, Self-Provisioning, where the end user inputs his Self-Service User ID to provision a phone.
Today I guide you through the most powerful tool of Cisco Unified Communications Manager, mainly used to insert users, phones, etc.
BAT is an old CUCM feature and is usually used during big phone deployments.
Please refer to the Cisco web site for a complete guide on how to use BAT.
I am here only to explain how to add phones using BAT.

First go to Bulk Administration – Upload/Download Files – select bat.xlt and press Download Selected.

Open bat.xlt; an Excel sheet will open. Then choose Create File Format.

Adjust the file as you wish:
MAC Address, Description, Directory Number, Line Description, Alerting Name, etc. Then press the magic button below (Create).

It will ask you to overwrite the Excel file; just press Yes.

Then fill in the details you need and choose Export to BAT Format
and save the file on your desktop.

Successfully saved.

Now back to CUCM: Bulk Administration – Upload/Download Files – and this time choose to upload a new file.
Choose the BAT file that you saved on the desktop, select the transaction type, then Save.
It will be uploaded.

Now go to Bulk Administration – Phones – Phone Template – create a new one for the specific phone model.
Configure your Device Pool, Phone Button Template, etc.

Then configure the directory line, Partition and Calling Search Space.
After that we need to validate our BAT file with the phone template.
Go to Bulk Administration – Phones – Validate Phones.
Select the BAT file and the phone template.
After that, to check that everything went correctly, go to Bulk Administration – Job Scheduler.
It validated successfully.
You can also check the text report.
Now it's time to insert the phones.
Go to Bulk Administration – Phones – Insert Phones.
Choose the BAT file and phone template & Run Immediately.

Again you need to check that everything went smoothly, so
go to Bulk Administration – Job Scheduler.
It passed successfully.
Also check the text report for any errors.

Here is the best part, when I see my phone registered just fine ;D

CUCM, Self-Provisioning

SELF-Provisioning For End User Phones

Okay

I saw many posts from people complaining about self-provisioning: they can't get it to work, or the IVR keeps saying “This device could not be associated with your account…”. I decided to make my own and try the service myself.

The Self-Provisioning feature was introduced in CUCM version 10. It allows an end user to plug a new phone out of the box into the network and follow a few prompts to identify the user, and voilà, it's working with minimal administrative effort.

It was released to make the lives of administrators easier. So smile ;D
Let's start.

Go to User Management – User/Phone Add – Universal Line Template – Add New.
Name the template
and fill in the Line Description and Alerting Name as you wish; I used first name and last name plus my description. Also set the Route Partition and CSS.
You also have the option to fill in call forwarding if you want.
Second, go to User Management – User/Phone Add – Universal Device Template – Add New.
Fill in the Name and Device Description as you wish and choose the Device Pool and Security Profile, and also the SIP Profile and Phone Button Template, so that your phone gets all the details instead of you going back to edit it.
Go to User Management – User Settings – User Profile – Add New.
Name it, and from the drop-down select the Device Template you created for your desk phone, and for mobile and remote if you have them; also choose the Line Template and make sure to check the box Allow End User to Provision Their Own Phones.
Now it's time for the LDAP configuration; I already blogged about it earlier here.
So go to System – LDAP – LDAP System, check the box and choose your LDAP Server Type.
First make sure to edit the users in Active Directory to have their extension in the IP Phone field.
Then go to System – LDAP – LDAP Directory and click Add New.
This is CUCM 10 and you can see there are new fields, so
after filling in the required data go to Access Control Group and add Standard CCM End Users,
and check the box Apply Mask to Synced Telephone Numbers to create a new line for inserted users, with a mask of XXXX.
If this box is not checked your end user will not have a Self-Service User ID or Primary Extension, which are both required to provision a phone.
After saving, press the button: Perform Full Sync Now.
Now go to User Management – End User and check that it automatically took the Self-Service User ID and Primary Extension.
Now go to Device – CTI Route Point – Add New.
Give it a Name, Device Pool and Location, then Save.
Now add the directory number which will be used by the end user to get the prompt.
Now create an application user, associate the CTI route point with it and give it the Standard CTI Enabled permission.
Now go to Server and enable auto-registration.
Select the Device Template, Line Template and the starting and ending directory numbers that the phone will take temporarily.
Finally, activate the service under CUCM Serviceability.

Now direct the user to enter the CTI number on the phone and dial it; it will ask the user to enter the Self-Service User ID.
After entering the ID, which in my case is 7156,
it will ask to confirm by pressing pound, and then the phone will restart.
You can see the video on my YouTube channel.
And finally the phone registered with my name and extension ;D
Smile, life is beautiful
