DoS Protection Profiles

DoS protection profiles provide detailed control for Denial of Service (DoS) protection policies. DoS policies allow you to control the number of sessions between interfaces, zones, addresses, and countries, counted either in aggregate or classified by source and/or destination IP address. Palo Alto Networks firewalls support two DoS protection mechanisms:

  • Flood Protection: detects and prevents attacks where the network is flooded with packets, resulting in too many half-open sessions and/or services being unable to respond to each request. In this case the source address of the attack is usually spoofed. See DoS Protection Against Flooding of New Sessions.
  • Resource Protection: detects and prevents session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully established sessions as possible, to consume all of a system's resources.
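The following is an added example (not Palo Alto Networks code) that models how the two mechanisms count sessions: flood protection watches half-open sessions, resource protection watches fully established ones, and each count can be taken in aggregate or classified per source IP. The session sample and all thresholds are constructed assumptions, not PAN-OS defaults; the sample is built so that a single noisy host is only caught per source, while a spoofed-source SYN flood and a botnet of fully established sessions are only caught by the aggregate counters.

```python
"""Added example (not Palo Alto Networks code): a model of how the two DoS
protection mechanisms count sessions.

Flood protection watches new, half-open sessions (SYN seen, handshake never
completed); resource protection watches fully established sessions. Each
count can be taken in aggregate (all sources together) or classified per
source IP. The session sample and all thresholds below are constructed
assumptions for illustration, not PAN-OS defaults."""
from collections import Counter

# Illustrative thresholds (assumption): mechanism -> (aggregate, per-source).
THRESHOLDS = {"flood": (20, 5), "resource": (30, 10)}

# Constructed session-table sample as (source IP, state):
#  - one noisy host opening 8 half-open sessions (caught per source),
#  - a spoofed-source SYN flood: 15 half-open sessions from 15 different
#    addresses, each below the per-source limit (only aggregate sees it),
#  - a small botnet holding 36 fully established sessions, 3 per bot,
#    each below the per-source limit (again only aggregate sees it).
SESSIONS = (
    [("198.51.100.7", "half_open")] * 8
    + [(f"203.0.113.{i}", "half_open") for i in range(1, 16)]
    + [(f"192.0.2.{i}", "established") for i in range(1, 13) for _ in range(3)]
)


def count_by_state(sessions, state):
    """Return (aggregate count, Counter per source) for sessions in `state`."""
    per_source = Counter(src for src, st in sessions if st == state)
    return sum(per_source.values()), per_source


def evaluate(sessions, thresholds=THRESHOLDS):
    """Apply both mechanisms; return (mechanism, scope, subject, count) findings."""
    findings = []
    for mechanism, state in (("flood", "half_open"), ("resource", "established")):
        agg_limit, src_limit = thresholds[mechanism]
        aggregate, per_source = count_by_state(sessions, state)
        if aggregate > agg_limit:
            findings.append((mechanism, "aggregate", "*", aggregate))
        for src, n in per_source.items():
            if n > src_limit:
                findings.append((mechanism, "classified", src, n))
    return findings


if __name__ == "__main__":
    for mechanism, scope, subject, count in evaluate(SESSIONS):
        print(f"{mechanism:8} {scope:10} {subject:14} {count}")
```

The spoofed flood and the botnet never trip a per-source threshold, which is why an aggregate profile is needed alongside a classified one; the single noisy host, conversely, is only visible per source.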

Palo Alto HA lite

HA-Lite is the name of the high-availability feature on the PA-200. It offers a lighter version of the HA capabilities found on the other Palo Alto Networks hardware platforms. A limited version of HA is necessary on PA-200s because of the limited number of ports available for synchronization.

HA-Lite offers the following capabilities:

  • A/P High Availability without session sync
  • Failover of IPSec Tunnels (sessions must be re-established)
  • DHCP lease information
  • PPPoE lease information
  • Configuration sync
  • Layer 3 forwarding tables

Features not available in HA-Lite:

  • Jumbo Frames
  • Link Aggregation
  • A/A High Availability
  • A/P High Availability with session synchronization

Note: Configuration for HA-Lite is similar to configuring active/passive HA, except there is no configuration available for HA2. This is because HA2 is used for session sync and HA-Lite does not support session sync.

Source URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUzCAK

NAT and security Policy in Palo Alto

I was very confused about source/destination NAT and security policy in Palo Alto. But after watching the video from the Palo Alto Networks Live Community YouTube channel, I am not confused anymore.

Here are the things you may need to remember.

NAT policy questions:
1. What is the ORIGINAL source address of the computers initiating the connection?
2. What zone is that address in?
3. What is my ORIGINAL destination address?
4. What zone is that address, or collection of addresses, in?

Security policy questions:
1. What is the ORIGINAL source address of the computers initiating the connection?
2. What zone is that address in?
3. What is my ORIGINAL destination address?
4. What zone will the packet FINALLY come to rest in?

Only question 4 differs: NAT rules are matched on the original (pre-NAT) addresses and zones, while security policy is matched on the original addresses but on the destination zone the packet will be routed to after NAT has been applied.

Examples of (1) source NAT and security policy for user access to the internet, and (2) destination NAT and security policy for access to a server from the internet.

[Figure: NAT]

SOURCE: Palo Alto Networks Live Community Youtube Channel
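The following is an added example (not Palo Alto Networks code or configuration) that models the evaluation order behind the two question lists: NAT is matched on original zones and addresses, then the security policy is matched on the original addresses but on the post-NAT destination zone. The route table, zones, rules and addresses are constructed assumptions, and rule matching is simplified to first match with one address object per field.

```python
"""Added example (not Palo Alto Networks code or configuration): a model of
the order in which NAT and security policy are evaluated, to show why the
two question lists above differ only in question 4.

Topology, rules and addresses are constructed assumptions. Rule matching is
simplified to first match on one address object per field; zones are
derived from the route a destination address takes."""
import ipaddress

# Constructed route table (assumption): prefix -> zone of the egress interface.
ROUTES = {
    "10.0.0.0/8": "trust",         # inside users
    "192.168.50.0/24": "dmz",      # server farm
    "203.0.113.0/24": "untrust",   # firewall's public addresses
    "0.0.0.0/0": "untrust",        # default route to the internet
}


def zone_of(ip):
    """Longest-prefix match: the zone an address is reached through."""
    addr = ipaddress.ip_address(ip)
    best = max((ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def in_net(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


# NAT rules: zones and addresses are all PRE-NAT (original), NAT questions 1-4.
NAT_RULES = [
    {"name": "users-out", "from": "trust", "to": "untrust", "src": "10.0.0.0/8", "dst": "any",
     "src_xlate": "203.0.113.1", "dst_xlate": None},               # (1) source NAT
    {"name": "web-in", "from": "untrust", "to": "untrust", "src": "any", "dst": "203.0.113.10",
     "src_xlate": None, "dst_xlate": "192.168.50.10"},             # (2) destination NAT
]

# Security rules: ORIGINAL addresses and source zone, POST-NAT destination zone.
SECURITY_RULES = [
    {"name": "allow-users-out", "from": "trust", "to": "untrust",
     "src": "10.0.0.0/8", "dst": "any", "action": "allow"},
    {"name": "allow-web-in", "from": "untrust", "to": "dmz",
     "src": "any", "dst": "203.0.113.10", "action": "allow"},
]


def match_nat(src, dst):
    src_zone, dst_zone = zone_of(src), zone_of(dst)   # both computed before NAT
    for r in NAT_RULES:
        if (r["from"] == src_zone and r["to"] == dst_zone
                and in_net(src, r["src"]) and in_net(dst, r["dst"])):
            return r
    return None


def evaluate(src, dst, security_rules=SECURITY_RULES):
    """Return the NAT rule, the security rule and the action for a new session."""
    nat = match_nat(src, dst)
    post_src = nat["src_xlate"] if nat and nat["src_xlate"] else src
    post_dst = nat["dst_xlate"] if nat and nat["dst_xlate"] else dst
    final_zone = zone_of(post_dst)   # security question 4: where the packet ends up
    result = {"nat": nat["name"] if nat else None, "post_nat": (post_src, post_dst),
              "dst_zone": final_zone, "security": None, "action": "deny"}
    for r in security_rules:
        if (r["from"] == zone_of(src) and r["to"] == final_zone
                and in_net(src, r["src"]) and in_net(dst, r["dst"])):   # original addresses
            result.update(security=r["name"], action=r["action"])
            break
    return result


if __name__ == "__main__":
    print(evaluate("10.1.2.3", "198.51.100.80"))     # (1) user to internet
    print(evaluate("198.51.100.5", "203.0.113.10"))  # (2) internet to server
```

The check worth running against a real rulebase is the inbound case: a security rule written with the translated server address (192.168.50.10) or with the pre-NAT zone (untrust) as its destination never matches, and the session is dropped by the default deny.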


Alcatel OmniSwitch factory default

  • List the files in the /working directory
    • ls /working/
  • List the files in the /certified directory
    • ls /certified/
  • Delete /working/boot.cfg
    • delete /working/boot.cfg
  • Delete /certified/boot.cfg
    • delete /certified/boot.cfg
  • Reload the switch
    • reload

On the next boot, the switch comes up with the factory default configuration. Both copies of boot.cfg are gone at that point, so copy them off the switch first if the old configuration may be needed again.

Applicable Models: OS6850, OS6400, OS6250

Basic Alcatel switch commands

Assign a static (untagged) VLAN to a switch port

SW#vlan 101 members port 1/1/1 untagged

SW#vlan 101 port default 1/1 (AOS 6 syntax, on older models such as the OS6850)

Allow VLANs (tagged) on a trunk port

SW#vlan 101 members port 1/1/1 tagged

SW#vlan 102 members port 1/1/1 tagged

SW#vlan 103 members port 1/1/1 tagged

SW#vlan 104 members port 1/1/1 tagged

SW#vlan 101 802.1Q 1/1 (AOS 6 syntax, on older models such as the OS6850)

Description (alias) for the interface

SW#interfaces port 1/1/1 alias "CONNECT-TO-FW"

Seeing the configuration

SW#show configuration snapshot

Seeing the configuration for a specific port

SW#show configuration snapshot | grep 1/1/1

Seeing the master/slave status of a virtual chassis (stacked switches)

SW#show virtual-chassis topology

Saving the running configuration

SW#write memory flash-synchro

Seeing the working directory

SW# ls /flash/working/
Tos.img boot.md5 cloudagent.cfg imgsha256sum software.lsm vcboot.cfg vcsetup.cfg
SW#

Displaying a file

SW#cat /flash/working/vcsetup.cfg

Port mirroring

SW# port-mirroring 1 source port 1/1/1 destination port 1/1/2 bidirectional enable

Checking port-mirroring status

SW# show port-mirroring status

Dynamic LAG (LACP), AOS 6 syntax

SW#lacp linkagg 1 size 2 admin state enable
SW#lacp linkagg 1 actor admin key 1
SW#lacp agg 1/1 actor admin key 1
SW#lacp agg 1/2 actor admin key 1

Static LAG, AOS 6 syntax

SW#static linkagg 1 size 2 admin state enable
SW#static linkagg 1 name AGG1
SW#static agg 1/1 agg num 1
SW#static agg 1/2 agg num 1
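The following is an added example (not Alcatel-Lucent code) that parses the configuration-snapshot line forms used in the command list above (VLAN membership, port alias, port mirroring, and the LACP/static link-aggregate port lines) into a per-port view and runs a small audit over it: trunk ports, mirror destinations, and ports without an alias. The snapshot text is constructed and deliberately mixes the AOS 8 forms and the AOS 6 linkagg forms listed on this page so that each pattern is exercised; the audit rules are assumptions.

```python
"""Added example (not Alcatel-Lucent code): a parser and audit for the
configuration-snapshot lines used on this page. It builds a per-port view
(VLAN membership, alias, mirroring role, link-aggregate membership) and
flags trunk ports, mirror destinations and undocumented ports.

The snapshot below is constructed; it mixes the AOS 8 syntax (vlan ...
members port, port-mirroring) and the AOS 6 linkagg syntax shown above so
that every pattern is exercised. Audit rules are assumptions."""
import re
from collections import defaultdict

SNAPSHOT = """\
! VLAN :
vlan 101 members port 1/1/1 untagged
vlan 101 members port 1/1/2 tagged
vlan 102 members port 1/1/2 tagged
vlan 103 members port 1/1/2 tagged
vlan 104 members port 1/1/2 tagged
! Interface :
interfaces port 1/1/2 alias "CONNECT-TO-FW"
interfaces port 1/1/4 alias "IDS-SENSOR"
! Port Mirroring :
port-mirroring 1 source port 1/1/1 destination port 1/1/4 bidirectional enable
! Link Aggregate (AOS 6 syntax) :
lacp agg 1/5 actor admin key 1
static agg 1/6 agg num 2
"""

VLAN_RE = re.compile(r"^vlan (\d+) members port (\S+) (tagged|untagged)$")
ALIAS_RE = re.compile(r'^interfaces port (\S+) alias "([^"]*)"$')
MIRROR_RE = re.compile(r"^port-mirroring (\d+) source port (\S+) destination port (\S+)")
LACP_RE = re.compile(r"^lacp agg (\S+) actor admin key (\d+)$")
STATIC_RE = re.compile(r"^static agg (\S+) agg num (\d+)$")


def new_port():
    return {"alias": None, "untagged": set(), "tagged": set(), "mirror": None, "lag": None}


def parse_snapshot(text):
    """Return {port_id: attributes} from snapshot lines; '!' lines are section headers."""
    ports = defaultdict(new_port)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        if m := VLAN_RE.match(line):
            vid, port, mode = m.groups()
            ports[port][mode].add(int(vid))
        elif m := ALIAS_RE.match(line):
            ports[m[1]]["alias"] = m[2]
        elif m := MIRROR_RE.match(line):
            sid, src, dst = m.groups()
            ports[src]["mirror"] = f"source of session {sid}"
            ports[dst]["mirror"] = f"destination of session {sid}"
        elif m := LACP_RE.match(line):
            ports[m[1]]["lag"] = f"lacp key {m[2]}"
        elif m := STATIC_RE.match(line):
            ports[m[1]]["lag"] = f"static agg {m[2]}"
    return dict(ports)


def audit(ports):
    """Flag what a reviewer checks first: trunks, mirror outputs, unlabeled ports."""
    findings = []
    for port in sorted(ports):
        p = ports[port]
        if p["tagged"]:   # carries tagged VLANs: a trunk, review which VLANs it allows
            findings.append((port, "trunk", sorted(p["tagged"])))
        if p["mirror"] and p["mirror"].startswith("destination"):   # a copy of traffic leaves here
            findings.append((port, "mirror-destination", p["mirror"]))
        if p["alias"] is None:   # no description: ownership of the port is unknown
            findings.append((port, "no-alias", None))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_snapshot(SNAPSHOT)):
        print(finding)
```

Feed it the output of `show configuration snapshot` saved to a file; the mirror-destination finding is the one to act on first, since whatever is plugged into that port receives a copy of the mirrored traffic.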