Since a few weeks I am using Tufin SecureTrack in my lab. A product which analyzes firewall policies about their usage and their changes by administrators (and much more). Therefore, the first step is to connect the firewalls to SecureTrack in two directions: SSH from SecureTrack to the device to analyze the configuration, as well as Syslog from the device to SecureTrack to real-time monitor the policy usage.

This blog post shows the adding of the following firewalls into Tufin: Cisco ASA, Fortinet FortiGate, Juniper ScreenOS, and Palo Alto PA.

I am running TufinOS 2.10 on a virtual machine. The Tufin Orchestration Suite (SecureTrack, etc.) is version R15-3.

Pre Note: No IPv6

Though the Tufin appliance can be configured with an IPv6 address, it is not able to communicate with firewalls via IPv6. All connections must traverse via the legacy Internet Protocol. I asked the Tufin support about that, which replied with: “It is not part of the current IPv6 plans, nor any road-map we are aware of.” Oh oh. At least IPv6 network objects can be analyzed, which is the main part of using SecureTrack. For the other features, I mailed a few feature requests to Tufin.

Start monitoring a new device

The configuration steps to add a new device are always the same. Under Settings -> Monitoring -> Manage Devices, select the device type under “Start monitoring a new device” and continue. Give the device a name and set the IP address to which Tufin should connect to. Since I am running OSPF as well as OSPFv3 between all of my firewalls, I am always enabling the “Collect dynamic topology information” feature. Finally, enter the login credentials for connecting via ssh to the firewall. I am always creating a new read-only user for Tufin. The “Monitoring Settings” configuration can be left as default.

The second step is to send syslog messages from each device to Tufin. This is solely done at the firewalls. Of course, all intermediate routers/firewalls must allow the traffic for ssh and syslog between Tufin and the monitored devices.

Cisco ASA

These are the steps for connecting to a Cisco ASA firewall via ssh and syslog. (ASA 5505, 9.2(4)).

Fortinet FortiGate

The ssh connection for a FortiGate is configured through the GUI. (FortiWiFi 90D, v5.2.4, build688).

Since I am already using a syslog-ng server, and since only one syslog server is configurable through the FortiGate GUI (oh Fortinet, why aren’t you improving your GUI?), this must be done via the CLI:

config log syslogd2 setting
    set status enable
    set server "192.168.120.19"
end

Juniper ScreenOS

The SSG firewalls are listed as “Juniper NetScreen” within Tufin. These are the steps. (SSG 5, 6.3.0r20.0).

Palo Alto PA

Finally, the Palo Alto. Note that every security policy rule needs the log forwarding profile attached. Furthermore, the “Config” log messages can be sent to Tufin, too. (PA-200, PAN-OS 7.0.3).

Verifying Syslog

If you want to have the rule and object usage analysis, it is crucial that Tufin receives syslog messages. But after adding a new monitored device, the appropriate icon turns green even though no syslog messages are received yet. Only after some time it will get yellow to warn that “Usage data is not being saved”, if there is no receiving of syslog messages.

If you want to verify that syslog messages are received by Tufin, use tcpdump from the CLI:

[root@jw-tufin01 ~]# tcpdump -i eth0 -vv -w /tmp/syslog.log  -s 1500 src 192.168.86.1 and udp dst port 514
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
Got 662

Note that it is not relevant that the syslog messages come in from the same source IP address as the device is connected. Under certain circumstances, this can be the case. (E.g., I am connecting to my Juniper firewall via a different vrouter interface than the syslog messages are generated.) Tufin matches the received syslog messages to the correct device.

After some hours/days/weeks of information beeing processed by Tufin SecureTrack, you can analyse the configuration or run certain rule and object policy usage reports.

When using a multilayer firewall design it is not directly clear on which of these firewalls remote site-to-site VPNs should terminate. What must be considered in such scenarios? Differentiate between partners and own remote offices? Or between static and dynamic peer IPs? What about the default routes on the remote sites?

Following is a discussion about different approaches and some best practices. Since not all concepts work with all firewall vendors, the following strategies are separated by common firewalls, i.e., Cisco ASA, Fortinet FortiGate, Juniper ScreenOS, Palo Alto.

Of course, if there is only a single firewall in place, this discussion is not necessary at all. All VPN tunnels must solely terminate on this single firewall. You’re done. But most customers have at least a two-firewall strategy which is not a bad idea at all. While the first firewall is merely for stopping all unused IP connections and for allowing connections to the DMZ, the second firewall has next-gen features such as APT scanning, URL filtering, user recognition, etc. Normally, both firewalls have a default route directed to the Internet (if no proxies are used).

Who has a Static S2S Tunnel?

• Remote Offices: Locations that are owned by the same company. Mostly coming from static IP addresses. If the remote office has no local Internet breakout, it has a default route back to the headquarter. That is: all Internet traffic must be processed by the second, next-generation firewall (or web-proxy). The network behind this remote office can be considered as internal, but on another location. It should be treated in the same way os other internal traffic.
  
• Home Offices: Users that are working from home. Normally coming from dynamic IP addresses. No local Internet breakout -> all traffic must traverse through the second NGFW, too. (I.e., same as “remote office”, but from a dynamic IP address.)
• Partners: Other companies that must access certain services in the DMZ (such as servers or proxies). Almost coming from static IP addresses. No routing/ACLs for accessing the internal networks are required. That is: This traffic must not go through the second firewall.

The Problems

1. The first firewall has a default route to the Internet. Otherwise, no connections could be made from/to the firewall at all.
2. But for the remote- and home-offices, the traffic coming out of the VPN-interface need a default route to the second firewall (and not directly to the Internet). If all VPNs are terminated on the first firewall, this is not the case. -> The best approach is to have an own routing instance for the tunnel-interfaces with a default route to the second firewall.
3. Only a few firewall appliances implement the concept of “virtual routers” (Juniper ScreenOS, Palo Alto). For the FortiGate, policy-based forwarding can be used. For the Cisco ASA, none of these concepts work. Only a workaround can be used there (if it is not an option to buy a better firewall).

(Note that for some remote access VPN solutions, it is default to have two virtual routers / routing tables in the box. This is true, for example, for the Pulse Secure, formerly Juniper SA/MAG. With these devices, traffic coming out from the VPN has another default route than Internet traffic with its default route to the Internet.)

All following concepts describe the case in which the first firewall is from vendor X. It is not related to the second firewall.

Concept 1: Two Virtual Routers on the first firewall (Juniper, Palo Alto)

Both firewall vendors (Juniper ScreenOS and Palo Alto) have virtual routers implemented. That means, the “tunnel-interface” for the VPN can be on another virtual router with another default route. While the default virtual router can point to the Internet (for all outgoing connections and for terminating the VPN), the second virtual router (with the tunnel-interface in it) can point to the second firewall.

Concept 2: Policy-Based Routing/Forwarding (FortiGate)

Unluckily, the FortiGate has not virtual routers, but only virtual domains (vdoms). This is great for separating firewall instances, but does not solve the VPN problem here. However, it is possible to configure a policy route: All traffic coming out of the tunnel-interface has a “new” default route to the second firewall.

Concept 3: Partners on First, Remote Office on Second Firewall (Cisco ASA)

Cisco ASA has neither virtual routers nor policy-based routing. The only “concept” is to terminate the partners on the Cisco ASA and to allow the remote offices to access the second firewall for VPN termination. That is, the static IP addresses from the remote offices must be allowed in an ACL on the Cisco ASA to reach the second firewall directly. Note that it is NOT recommended to allow “from any” to the second firewall, which means that VPN connections from home offices (coming from dynamic IP addresses) will not work in this scenario. That’s definitely a major drawback.

Any Comments?

Please write a comment if I missed something or if you disagree with one of these concepts. Thanks a lot.

Yes I know, ScreenOS is “End of Everything” (EoE). However, for historical reasons I am still managing many Netscreen/ScreenOS firewalls for some customers. Similar to my troubleshooting CLI commands for Palo Alto and Fortinet I am listing the most common used commands for the ScreenOS devices. These are only the commands that are needed for deep troubleshooting sessions that cannot be done solely on the GUI.

At first: Always remember that the default backspace key is “Ctrl + h” and not the backspace key itself!

Basics

These are the very basics on the command line:

get config
get config all                #configuration with default values
get config | incl <string>    #grep within the configuration
get system                    #serial #, software version, uptime, etc.
get event                     #event list (same as in the GUI)

How to turn off the LED alarm on the firewall:

clear led alarm
clear cluster led alarm       #on a cluster for all devices at once

Basic Networking

The reason why we are all here:

get arp
get route                                       #routing table
get route ip <ip-address>                       #routing table lookup for a specific IP
get vrouter <name-of-the-VR> route              #routing table from a specific virtual router
get vrouter <name-of-the-VR> protocol ?         #dynamic routing protocols such as OSPF or BGP
get counter statistics interface <interface>    #counters for hardware interfaces
get ndp                                         #IPv6 neighbor cache

ping <name|ip-address>
ping <name|ip-address> from <interface>         #ping from a specific interface
trace-route <name|ip-address>
trace-route <name|ip-address> from <interface>  #same for trace-route

Application Layer Gateway

I had some trouble with the application layer gateway functionality on the ScreenOS devices. Here are some hidden commands that help while troubleshooting the ALGs:

get alg                       #lists all available ALGs with an enabled/disabled statement
get service portmap           #which port is assigned to which application
get service application       #known applications by ScreenOS that trigger an ALG

And a few links concerning ALGs:

• How to show which TCP/UDP ports trigger an ALG ?
• Viewing list of ALGs and disabling an ALG differs on ScreenOS versions
• Which ALGs are unset by default in ScreenOS 6.x?
• What is the Policy keyword “Application NONE”?

NSRP (High Availability)

The following command lists all details about an NetScreen Redundancy Protocol (NSRP) cluster, i.e., the IDs of all connected units, the current master, encryption and authentication passwords (in plain text!), etc.:

get nsrp

To sync the configuration from the master to the local device (AND NOT VICE VERSA!!!) [Link]:

exec nsrp sync global-config save

And to do a manual failover. This brings the current master unit into backup mode. This command must be used on the current master! [Link]:

exec nsrp vsd-group 0 mode backup

Session & Log

The session commands list sessions that are currently active. The traffic log shows already finished sessions (of course only if they were logged):

get session
get session ?
get session scr-ip <ip-address>
get session policy-id <id>
get log traffic
get log traffic ?
get log traffic src-ip <ip-address>
get log traffic policy <id>

Link: “How to determine how long a session has been up in ScreenOS“.

IPsec VPN

This is one of the main use cases for using the CLI on the SSG firewalls: Many details about IPsec site-to-site VPNs, e.g., the proxy-IDs for policy-based VPNs:

get ike cookies         #phase 1
get vpn auto            #list of phase 2 VPNs
get vpn <name>          #details
get sa id <number>      #details of phase 2 filtered by the tunnel-id
get sa id 2             #values from 0-9 can be entered directly
get sa id 0x0000000b    #higher values must be entered in hexadecimal notation

Flow

To display the most detailed information about active flows, for example to see which policies trigger or which routing table lookups are used, etc. [Link]:

undebug all             #stop all other debuggings
get ff                  #if there are any filters set, remove them with the next line:
unset ff
set ff ?                #ff = flow filter
set ff src-ip <ip>
set ff dst-ip <ip>
get ff                  #verify all filters
clear db                #clear the debug buffer
debug flow basic        #now the debug will be logged. Generate your traffic now
undebug all             #after the traffic is finished, stop debugging
get db stream           #and display the debug stream
unset ff                #finally, unset all filters to not confuese further troubleshooting sessions

Common Problems

Some more links to common problems or other scenarios:

• Packet taking the wrong route due to the route-cache feature
• What does ‘set flow mac-cache mgt’ do?
• Behavior of ScreenOS ‘set flow’ commands in asymmetric routing scenario
• How can I find the serial number for my Juniper Networks device?
• How to Update the New Image Authentication Key and Upgrade Boot Loader/ScreenOS Firmware

NSM Stuff

And finally some notes concerning the “Network and Security Manager“.

• Default port from ScreenOS device to NSM:

  TCP/7800

   .
• Default https port to download the Java GUI:

  https://<ip>:8443

   .
• Default port from Java GUI to NSM:

  TCP/7808

   .

To become root on the NSM CLI:

sudo su -

And some links:

• What ports are used for communication between the Management System (NSM), the GUI client, and Juniper Firewall devices?
• Recommended starting and stopping sequences for NSM services
• Export NSM logs to CSV file from the NSM CLI

Yes, ScreenOS is end-of-everything (EoE), but for historical reasons I still have some of them in my lab. ;D They simply work, while having lots of features when it comes to IPv6 such as DHCPv6-PD. However, using IPv6-only NTP servers is beyond their possibilities. :(

Anyway, I tried using NTP authentication with legacy IP. Unfortunately, I had some issues with it. Not only that they don’t support SHA-1 but MD5, this MD5 key was also limited in its length to 16 characters. Strange, since ntp-keygen per default generates 20 ASCII characters per key. Let’s have a look:

I am using an SSG 5 with firmware version 6.3.0r20.0.

IPv6: Configurable but Failing

Entering an IPv6-only NTP server at Configuration -> Date/Time is possible without any errors:

However, having a deeper look reveals that it is not working at all since it tries to connect to an IPv4 address of 0.0.0.0 rather than the actual IPv6 address:

IPv6-Lab-> debug ntp detail
IPv6-Lab-> get db stream
## 2019-03-26 16:25:18 : NTP registers DNS for ntp3.weberlab.de.
## 2019-03-26 16:25:23 : NTP:Auto Update: START
## 2019-03-26 16:25:23 : NTP:[sock 79]: sendto() ret -10995, dest_ip 0.0.0.0, ifp default
## 2019-03-26 16:25:23 : ntp_task: try next from ntp task
## 2019-03-26 16:25:23 : NTP:[sock 79]: sendto() ret -10995, dest_ip 0.0.0.0, ifp default
## 2019-03-26 16:25:23 : ntp_task: try next from ntp task
## 2019-03-26 16:25:23 : NTP:[sock 79]: sendto() ret -10995, dest_ip 0.0.0.0, ifp default

Note that, for whatever reason, the debug command “debug ntp detail” is NOT documented. ;D Neither on the official docs nor in the CLI when using the question mark. Strange.

NTP Auth with Legacy IP Failing As Well

Ok, at first I configured an NTP server with legacy IP, but yet without authentication, which has worked correctly:

IPv6-Lab-> get db stream
## 2019-03-26 16:26:46 : NTP registers DNS for ntp3-v4.weberlab.de.
## 2019-03-26 16:27:23 : NTP:Auto Update: START
## 2019-03-26 16:27:23 : NTP:[sock 79]: sendto() ret 0, dest_ip 87.190.30.119, ifp default
## 2019-03-26 16:27:23 : NTP: process_recd: server 87.190.30.119, auth info 0, authed 0
## 2019-03-26 16:28:24 : NTP:Auto Update: START
## 2019-03-26 16:28:24 : NTP:[sock 79]: sendto() ret 0, dest_ip 87.190.30.119, ifp default
## 2019-03-26 16:28:24 : NTP: process_recd: server 87.190.30.119, auth info 0, authed 0
## 2019-03-26 16:29:24 : NTP:Auto Update: START
## 2019-03-26 16:29:24 : NTP:[sock 79]: sendto() ret 0, dest_ip 87.190.30.119, ifp default
## 2019-03-26 16:29:24 : NTP: process_recd: server 87.190.30.119, auth info 0, authed 0
## 2019-03-26 16:30:24 : NTP:Auto Update: START
## 2019-03-26 16:30:24 : NTP:[sock 79]: sendto() ret 0, dest_ip 87.190.30.119, ifp default
## 2019-03-26 16:30:24 : NTP: process_recd: server 87.190.30.119, auth info 0, authed 0

Adding MD5 authentication (since I read in the “ScreenOS Cookbook” that it only supports MD5):

Now it became strange. There was no error when configuring this key at the GUI. However, the authentication was not working:

IPv6-Lab-> get db stream
## 2019-03-26 16:42:27 : NTP:Auto Update: START
## 2019-03-26 16:42:27 : NTP:[sock 79]: Send: auth keyid 3
## 2019-03-26 16:42:27 : NTP:[sock 79]: sendto() ret 0, dest_ip 87.190.30.119, ifp default
## 2019-03-26 16:42:27 : ntp_recv_response: Received key-id only (auth will fail)
## 2019-03-26 16:42:27 : ntp_task: try next from ntp task
## 2019-03-26 16:42:27 : NTP:[sock 79]: Send: no key id found for server
## 2019-03-26 16:42:27 : ntp_task: try next from ntp task
## 2019-03-26 16:42:27 : NTP:[sock 79]: Send: no key id found for server

Capturing with tcpdump on the NTP server itself (not on the SSG) reveals an incoming key ID, while the server responds with “key id: 0” with is the crypto-NAK (line 23), refer to Packet Capture: Network Time Protocol (NTP):

16:05:30.524531 IP (tos 0x0, ttl 60, id 47648, offset 0, flags [none], proto UDP (17), length 96)
    p4FE245A7.dip0.t-ipconnect.de.50126 > 192.168.30.3.123: [udp sum ok] NTPv4, length 68
        Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
          Reference Timestamp:  0.000000000
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3762605130.000000000 (2019/03/26 16:05:30)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3762605130.000000000 (2019/03/26 16:05:30)
        Key id: 50331648
        Authentication: 25cc8975d32be499444e29cefad098cb
16:05:30.525143 IP (tos 0xb8, ttl 64, id 51806, offset 0, flags [DF], proto UDP (17), length 80)
    192.168.30.3.123 > p4FE245A7.dip0.t-ipconnect.de.50126: [udp sum ok] NTPv4, length 52
        Server, Leap indicator:  (0), Stratum 1 (primary reference), poll 3 (8s), precision -18
        Root Delay: 0.000000, Root dispersion: 0.437576, Reference-ID: PZF^@
          Reference Timestamp:  3762605128.036574449 (2019/03/26 16:05:28)
          Originator Timestamp: 3762605130.000000000 (2019/03/26 16:05:30)
          Receive Timestamp:    3762605130.524534523 (2019/03/26 16:05:30)
          Transmit Timestamp:   3762605130.525092899 (2019/03/26 16:05:30)
            Originator - Receive Timestamp:  +0.524534523
            Originator - Transmit Timestamp: +0.525092899
        Key id: 0

MD5 Key Limited to 16 Chars

I tried entering the MD5 key through the CLI which gave me a hunch:

IPv6-Lab-> set ntp server key-id 4 preshare-key }qcCM:BI|^laK>oL',0&
Preshare key cannot be more than 16 characters

Failed command - set ntp server key-id 4 preshare-key }qcCM:BI|^laK>oL',0&

Uh, “Preshare key cannot be more than 16 characters“. I have not seen this information in any kind of documentation. At least the error message tells it. Thanks.

Finally, I generated a 16 character MD5 key on my NTP server (Meinberg M200) which indeed worked:

IPv6-Lab-> get db stream
## 2019-03-26 17:05:51 : NTP registers DNS for ntp3-v4.weberlab.de.
## 2019-03-26 17:06:30 : NTP:Auto Update: START
## 2019-03-26 17:06:30 : NTP:[sock 79]: Send: auth keyid 10
## 2019-03-26 17:06:30 : NTP:[sock 79]: sendto() ret 0, dest_ip 87.190.30.119, ifp default
## 2019-03-26 17:06:30 : NTP: process_recd: server 87.190.30.119, auth info 1, authed 0
## 2019-03-26 17:07:30 : NTP:Auto Update: START
## 2019-03-26 17:07:30 : NTP:[sock 79]: Send: auth keyid 10
## 2019-03-26 17:07:30 : NTP:[sock 79]: sendto() ret 0, dest_ip 87.190.30.119, ifp default
## 2019-03-26 17:07:30 : NTP: process_recd: server 87.190.30.119, auth info 1, authed 0
## 2019-03-26 17:08:30 : NTP:Auto Update: START
## 2019-03-26 17:08:30 : NTP:[sock 79]: Send: auth keyid 10
## 2019-03-26 17:08:30 : NTP:[sock 79]: sendto() ret 0, dest_ip 87.190.30.119, ifp default
## 2019-03-26 17:08:30 : NTP: process_recd: server 87.190.30.119, auth info 1, authed 0

Similar log events in the “get event” output (which is also displayed in the GUI):

IPv6-Lab-> get event
Total event entries = 1027
Date       Time     Module Level  Type Description
2019-03-26 17:35:34 system notif 00531 The system clock was updated from
                                       primary NTP server type
                                       ntp3-v4.weberlab.de with an adjustment
                                       of -141 ms. Authentication was
                                       Required. Update mode was Automatic
2019-03-26 17:35:34 system notif 00531 The system clock will be changed from
                                       2019-03-26 17:35:34 to 2019-03-26 17:
                                       35:35 received from primary NTP server
                                       ntp3-v4.weberlab.de
2019-03-26 17:34:34 system notif 00531 The system clock was updated from
                                       primary NTP server type
                                       ntp3-v4.weberlab.de with an adjustment
                                       of -161 ms. Authentication was
                                       Required. Update mode was Automatic
2019-03-26 17:34:34 system notif 00531 The system clock will be changed from
                                       2019-03-26 17:34:34 to 2019-03-26 17:
                                       34:34 received from primary NTP server
                                       ntp3-v4.weberlab.de

Capturing on the NTP server again, you can now see a working NTP authentication since the server replies with the key ID and the MAC (lines 23+24):

16:06:30.679902 IP (tos 0x0, ttl 60, id 47879, offset 0, flags [none], proto UDP (17), length 96)
    p4FE245A7.dip0.t-ipconnect.de.50126 > 192.168.30.3.123: [udp sum ok] NTPv4, length 68
        Client, Leap indicator:  (0), Stratum 0 (unspecified), poll 0 (1s), precision 0
        Root Delay: 0.000000, Root dispersion: 0.000000, Reference-ID: (unspec)
          Reference Timestamp:  0.000000000
          Originator Timestamp: 0.000000000
          Receive Timestamp:    0.000000000
          Transmit Timestamp:   3762605191.000000000 (2019/03/26 16:06:31)
            Originator - Receive Timestamp:  0.000000000
            Originator - Transmit Timestamp: 3762605191.000000000 (2019/03/26 16:06:31)
        Key id: 167772160
        Authentication: ddd56ee3c620023ffa7493563c72804d
16:06:30.681187 IP (tos 0xb8, ttl 64, id 54378, offset 0, flags [DF], proto UDP (17), length 96)
    192.168.30.3.123 > p4FE245A7.dip0.t-ipconnect.de.50126: [udp sum ok] NTPv4, length 68
        Server, Leap indicator:  (0), Stratum 1 (primary reference), poll 3 (8s), precision -18
        Root Delay: 0.000000, Root dispersion: 0.000228, Reference-ID: PZF^@
          Reference Timestamp:  3762605184.036936558 (2019/03/26 16:06:24)
          Originator Timestamp: 3762605191.000000000 (2019/03/26 16:06:31)
          Receive Timestamp:    3762605190.679905176 (2019/03/26 16:06:30)
          Transmit Timestamp:   3762605190.681111216 (2019/03/26 16:06:30)
            Originator - Receive Timestamp:  -0.320094853
            Originator - Transmit Timestamp: -0.318888783
        Key id: 167772160
        Authentication: 0ea89c97468d448bc88a4f16dbb02f00

In the end, this was my NTP config on this ScreenOS device:

set ntp server "ntp3-v4.weberlab.de"
set ntp server key-id 10 preshare-key "M1z+bLfrNWxaOos/G1CrNHdySwnDJucDu3zRlFL2oP3nxFqYKTNm7ZM="
set ntp interval 1
set ntp auth "required"

Ok, hm. I’m not happy at all. However, it’s an outdated firewall anyway, you know. So I don’t bother.

Have a good time! Ciao.

Featured image “rusted boiler#24553” by prof.bizzarro is licensed under CC BY 2.0.

My lab rack of 2019 consists of multiple Cisco routers and switches, as well as Juniper ScreenOS firewalls for routing purposes, a Palo Alto Networks firewall, a Juniper SRX firewall, a server for virtualization and some Raspberry Pis. That is: This rack can be used for basic Cisco courses such as CCNA or CCNP, or for even bigger BGP/OSPF or IPsec VPN scenarios since those ScreenOS firewalls are perfect routers as well. Of course, everything is IPv6 capable. Having some PoE-powered Raspberry Pis you can simulate basic client-server connections. A Juniper SA-2500 (aka Pulse Connect Secure) for remote accessing the Lab rounds things up.

I am just writing down a few thoughts on why I have “designed” the rack in that way. It’s basically a reminder for myself. ;)

Let’s have a look at the rack first. I ordered one with wheels for easy transport. Previously the devices were mounted into several 19″ racks in the data center, which was not that movable. ;D Now the rack can be used by any of my colleagues for test purposes. I am using 24 rack units while some are left free for the cables. On the back side, I have two power strips. All power cables disappear in the rack space.

Initial Thoughts

These are the basic ideas about how to use this lab rack. Of course, everything can be changed. Again, a picture is worth a thousand words:

1. Remote access connection via a Juniper SA-2500 / Pulse Connect Secure VPN gateway.
2. A simple server aka Raspberry Pi with a webcam in order to get some traffic through the lab. The Pi is PoE powered by a small PoE module (yellow cable from the upper switch, a Cisco C3750G-48PS).
3. Simulation of an ISP with three routers aka Juniper ScreenOS SSG 140 firewalls capable of BGP. All of them with one 6-port SFP Gigabit PIM module in the back. Oh, they were that expensive those days… No need for them here, but, you know, because I can. ;)
4. Simple Cisco switch (C3560-24PS-S) in between to be flexible about the port connections.
5. Simulation of the own backbone routing with four Cisco routers (2x 2851, 2x 2811). Note the very short blue serial cable between the two 2811 routers.
6. Again a simple Cisco switch (C2960-24TC-L) in between for being flexible.
7. Palo Alto Networks PA-3050 firewall for separating the internal network from the “Internet”. This device is not licensed, hence I don’t have a current PAN-OS. However, it fits for basic policies and VPN setups. Of course, it is connected via fiber cables. ;)
8. Internal LAN with three Cisco switches (2x C3750G-48TS, 1x C3750G-48PS with PoE), interconnected with a couple of network cables to play with STP. The last two switches are connected via stacking cables, too.
9. Simple client aka Raspberry Pi with PoE power (laying above the three switches) used for accessing the upper Pi throughout the complete lab.
10. A Juniper SRX firewall which can be used as a router-on-a-stick or the like.
11. Finally an old IronPort M160 aka Dell PowerEdge R200, Intel Pentium Dual CPU E2200 @ 2.20GHz, 4 GiB DDR2 Memory. It can be used for VMware ESXi to use a couple of VMs, or just as a real server.

What’s missing?

• Serial console server for using all serial ports directly. Currently, you can only use SSH to access those appliances. This does not fit for an initial configuration. ;(
• Remotely controllable power switches for using the lab completely off-site.

Featured image “Colours and Casks” by Jens Comiotto-Mayer is licensed under CC BY 2.0.

Yes, I know I know, the Juniper ScreenOS devices are Out-of-Everything (OoE), but I am still using them for a couple of labs. They simply work as a router and VPN gateway as well as a port-based firewall. Perfect for labs.

For some reasons I had another lab without native IPv6 Internet. Hence I used the IPv6 Tunnel Broker one more time. Quite easy with the SSGs, since HE offers a sample config. But even through the GUI it’s just a few steps:

I am using a SSG 140 with ScreenOS 6.3.0r27.0. Prerequisite is a static IPv4 address on the Internet facing “untrust” interface.

The “Example Configuration” from Hurricane Electric is already almost complete. You simple have to replace the “untrust” keyword for your layer 3 untrust interface:

Step-by-Step through the GUI

Anyway, doing it by hand through the GUI involves these steps:

1. Creating a new tunnel interface within the “Untrust” zone.
2. Enabling IPv6 type “host” on that tunnel interface, IPv6 address as the “Client IPv6 Address” from the HE tunnel information.
3. Disable NUD, the Neighbor Unreachability Detection.
4. Enable and configure the 6in4 tunnel aka “IPv6 in IPv4 Tunneling Encapsulation Settings”.
5. Add a (permanent) default route.
6. Add IPv6 subnets to your internal interfaces with “Allow RA Transmission” and so on as always.
7. Add security policies as always.

GUI Screenshots:

CLI Commands

CLI commands incl. user subnet config. I am using ethernet0/8 as my untrust interface and bgroup0/0 as my trust interface:

set interface "tunnel.1" zone "Untrust"
set interface "bgroup0/0" ipv6 mode "router"
set interface "bgroup0/0" ipv6 ip 2001:470:6d:a1::1/64
set interface "bgroup0/0" ipv6 enable
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 ip 2001:470:6c:a1::2/64
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if ethernet0/8 dst-ip 216.66.86.114
set interface bgroup0/0 ipv6 ra link-address
set interface bgroup0/0 ipv6 ra transmit
set interface bgroup0/0 ipv6 nd nud
unset interface tunnel.1 ipv6 nd nud
set interface tunnel.1 ipv6 nd dad-count 0
set route ::/0 interface tunnel.1 gateway 2001:470:6c:a1::1 permanent

Up and Running

Just a few IPv6 related CLI commands (link for some more):

ssg-> get interface tunnel.1
Interface tunnel.1:
  description tunnel.1
  number 20, if_info 16168, if_index 1, mode route
  if_signature 0x4e53434e
  sess token 4, flow flag 0x60 if flag 0xc00203 flag2 0x0
  link ready, admin status up
  ipv6 is enable/operable, host mode.
  ipv6 operating mtu 1480, learned mtu 0
  ipv6 Interface-ID: 00000000c118e30a
  ipv6 fe80::c118:e30a/64, link local, PREFIX
  ipv6 2001:470:6c:a1::2/64, global aggregatable, STATEFUL
  ipv6 ff02::1:ff00:2, solicited-node scope
  ipv6 ff02::1:ff18:e30a, solicited-node scope
  vsys Root, zone Untrust, vr trust-vr
  hwif tunnel flag 0xc00200 flag2 0x0 flag3 0x10000000, vsys Root
  admin mtu 1480, operating mtu 1480, default mtu 1500
  *ip 0.0.0.0/0
  *manage ip 0.0.0.0
  pmtu-v4 disabled, pmtu-v6 enabled(1480),
  ping disabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled

  OSPF disabled  OSPFv3 disabled  BGP disabled  RIP disabled  RIPng disabled
  mtrace disabled
  PIM: not configured  IGMP not configured
  MLD not configured
  NHRP disabled
  bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
tunnel: local ethernet0/8, remote 216.66.86.114
  encap: IP6IN4_MANUAL (2)
  keep-alive: off, interval 10(using default), threshold 3(using default)
      status: last send 0, last recv 0
ssg->
ssg->
ssg-> get route v6


IPv6 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route


IPv6 Dest-Routes for <trust-vr> (5 entries)
--------------------------------------------------------------------------------------
         ID                                   IP-Prefix       Interface
                                                Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*         3                                        ::/0           tun.1
                                      2001:470:6c:a1::1  SP   20      1     Root
*         1                         2001:470:6c:a1::/64           tun.1
                                                     ::   C    0      0     Root
*         5                       2001:470:6d:a1::1/128       bgroup0/0
                                                     ::   H    0      0     Root
*         4                         2001:470:6d:a1::/64       bgroup0/0
                                                     ::   C    0      0     Root
*         2                       2001:470:6c:a1::2/128           tun.1
                                                     ::   H    0      0     Root

ssg->
ssg->
ssg-> get ndp
usage: 3/2048 miss: 0 always-on-dest: disabled
states(S): N Undefined, X Deleted, I Incomplete, R Reachable, L Stale, D Delay,
P Probe, F Probe forever S Static, A Active, I Inactive, * persistent
--------------------------------------------------------------------------------
IPv6 Address                            Link-Layer Addr S Interface    Age      Pk
2001:470:6d:a1::dcfb:123                001395243404   R bgroup0/0    00h00m17s 0
fe80::d842:5672                         0000d8425672   A*tunnel.1     00h00m01s 0
fe80::213:95ff:fe24:3404                001395243404   R bgroup0/0    00h00m23s 0
ssg->
ssg->

Happy IPv6-firewalling! ;D

Featured image “Rabštejn – Lightpaint” by david_drei is licensed under CC BY-NC-ND 2.0.