AWS ELB Characteristics:

Load balancers are used to improve application performance and to make an application highly available:

ELB

Characteristics:

  1. ELB is a highly available and highly scalable load balancing service from AWS.
  2. AWS maintains redundant copies of ELB; if an AZ fails, it automatically fails over to the ELB in a different AZ.
  3. ELB is region specific, i.e. it can only load balance instances in the same region.
  4. ELB supports both external and internal load balancers.
  5. ELB performs health checks on instances and routes traffic only to healthy instances; if it finds an instance unhealthy, that instance is taken out of rotation. When ELB finds that previously unhealthy instances are healthy again, it automatically brings them back into rotation.
  6. ELB supports SSL termination.
  7. ELB can be secured using security groups.
  8. ELB types:
     A. Classic Load Balancer (legacy load balancer)
     B. Application Load Balancer (designed for microservices and Docker containers)
     C. Network Load Balancer

Backup and Restore Fortigate Firewall configurations:

Backing up the configuration using the GUI:

  1. Click on admin in the upper right-hand corner of the screen and select Configuration > Backup.
  2. Direct the backup to your Local PC or to a USB Disk.

The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also back up to the FortiManager using the CLI.

  3. If VDOMs are enabled, indicate whether the scope of the backup is the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM).
  4. If backing up a VDOM configuration, select the VDOM name from the list.
  5. Select Encryption.

Encryption must be enabled on the backup file to back up VPN certificates.

  6. Enter a password and enter it again to confirm it. You will need this password to restore the file.
  7. Select OK.
  8. The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf extension.

Backing up the configuration using the CLI:

Use one of the following commands:

execute backup config management-station <comment>

or:

execute backup config usb <backup_filename> [<backup_password>]

or for FTP (note that the port number and username are optional, depending on the FTP site):

execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute backup config tftp <backup_filename> <tftp_server> <password>

Use the same commands to back up a single VDOM configuration by first entering the commands:

config vdom

edit <vdom_name>

Restoring the configurations:

To restore the FortiGate configuration – GUI:

  1. Click on admin in the upper right-hand corner of the screen and select Configuration > Restore.
  2. Identify the source of the configuration file to be restored: your Local PC or a USB Disk.

The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.

  3. Enter the path and file name of the configuration file, or select Browse to locate the file.
  4. Enter a password if required.
  5. Select Restore.

To restore the FortiGate configuration – CLI:

execute restore config management-station normal 0

or:

execute restore config usb <filename> [<password>]

or for FTP (note that the port number and username are optional, depending on the FTP site):

execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute restore config tftp <backup_filename> <tftp_server> <password>

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

How to fail over traffic from a Palo Alto active firewall to the passive device:

  1. For redundancy, deploy your Palo Alto Networks next-generation firewalls in a high availability (HA) configuration. There are two HA deployments:
     • active/passive—In this deployment, the active peer continuously synchronizes its configuration and session information with the passive peer over two dedicated interfaces. In the event of a hardware or software disruption on the active firewall, the passive firewall becomes active automatically without loss of service. Active/passive HA deployments are supported with all interface modes—virtual-wire, Layer 2 or Layer 3.
     • active/active—In this deployment, both HA peers are active and processing traffic. Such deployments are most suited for scenarios involving asymmetric routing or cases where you want to allow dynamic routing protocols (OSPF, BGP) to maintain active status across both peers. Active/active HA is supported only in the virtual-wire and Layer 3 interface modes. In addition to the HA1 and HA2 links, active/active deployments require a dedicated HA3 link. The HA3 link is used as the packet forwarding link for session setup and asymmetric traffic handling.
  2. In an HA pair, both peers must be of the same model, must be running the same PAN-OS and Content Release version, and must have the same set of licenses. In addition, for the VM-Series firewalls, both peers must be on the same hypervisor and must have the same number of CPU cores allocated on each peer.
  3. Important considerations for configuring HA:
     • The subnet that is used for the local and peer IP should not be used anywhere else on the virtual router.
     • The OS and Content Release versions should be the same on each firewall. A mismatch can prevent peer firewalls from synchronizing.
     • The LEDs are green on the HA ports of the active firewall and amber on the passive firewall.
     • To compare the configuration of the local and peer firewalls, use the Config Audit tool on the Device tab, selecting the desired local configuration in the left selection box and the peer configuration in the right selection box.
     • Synchronize the firewalls from the web interface by clicking Push Configuration in the HA widget on the Dashboard. Note that the configuration on the firewall from which you push overwrites the configuration on the peer firewall. To synchronize the firewalls from the CLI on the active firewall, use the command request high-availability sync-to-remote running-config.

To fail over traffic from the active device to the passive device:

Fail over the current active member with the CLI command:

CLI:

  request high-availability state suspend

Web UI:

From the WebGUI > Device > High Availability > Operational Commands, click Suspend local device.

Enable Packet Captures on Palo Alto:

This document describes the basic steps and commands to configure packet captures on Palo Alto firewalls.

Create packet captures through the CLI:

  • Create packet filters:
    • debug dataplane packet-diag set filter match source <IP_1> destination <IP_2>
    • debug dataplane packet-diag set filter on
    • debug dataplane packet-diag show setting
  • If no source or destination IP address is specified, then "any" (0.0.0.0) is assumed.
  • Define the packet capture stages and the corresponding files:
    • debug dataplane packet-diag set capture stage transmit file <filename_transmit>
    • debug dataplane packet-diag set capture stage receive file <filename_receive>
    • debug dataplane packet-diag set capture stage firewall file <filename_firewall>
    • debug dataplane packet-diag set capture stage drop file <filename_drop>
  • Start the packet captures:
    • debug dataplane packet-diag set capture on

    Note: Before starting the captures, make sure that the capture filters have been configured and that the filtering is turned on. For example:

    admin@PAN-FW> debug dataplane packet-diag show setting
    --------------------------------------------------------------------------------
    Packet diagnosis setting:
    --------------------------------------------------------------------------------
    Packet filter
      Enabled:                   yes
      Match pre-parsed packet:   no
      Index 1: 192.168.0.1[0]->10.20.30.1[0], proto 0
               ingress-interface any, egress-interface any, exclude non-IP

    Important! Starting a capture without filtering may overload the firewall.

  • Stop the packet capture
    • debug dataplane packet-diag set capture off
  • View the capture files
    • view-pcap filter-pcap <filename>

    To view the capture file in real-time while the capture is running, use the following command:

    • view-pcap follow yes filter-pcap <filename>
  • Export the capture files
    • scp export filter-pcap from <file> to <SCP_serv>
    • <SCP_Serv> = user@server:path
    • tftp export filter-pcap from <file> to <tftp_Server_addr>
  • Clear the packet filters and captures
    • debug dataplane packet-diag set filter off
    • debug dataplane packet-diag clear filter all
    • debug dataplane packet-diag clear capture all
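A pre-flight check for the note above (confirm a match filter is configured and filtering is on before running set capture on), added here as an example; it is not a PAN-OS tool. It parses text in the shape of the debug dataplane packet-diag show setting output quoted above; the sample text, the function names and the FilterState type are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the "show setting" output quoted above;
# not captured from a real firewall.
SAMPLE_SETTING = """\
Packet diagnosis setting:
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   no
  Index 1: 192.168.0.1[0]->10.20.30.1[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
"""

# "Index N: src[port]->dst[port], proto P" as printed by the firewall
FILTER_RE = re.compile(r"Index\s+\d+:\s+(\S+?)\[\d+\]->(\S+?)\[\d+\],\s+proto\s+(\d+)")


@dataclass
class FilterState:
    enabled: bool = False
    matches: list = field(default_factory=list)  # (src, dst, proto) tuples


def parse_setting(text: str) -> FilterState:
    """Extract the filter on/off flag and the configured match entries."""
    state = FilterState()
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Enabled:"):
            state.enabled = stripped.split(":", 1)[1].strip().lower() == "yes"
        m = FILTER_RE.search(stripped)
        if m:
            state.matches.append((m.group(1), m.group(2), int(m.group(3))))
    return state


def capture_is_safe_to_start(state: FilterState) -> tuple:
    """Return (ok, reason). Refuse when filtering is off, when no filter is
    configured, or when every filter is the catch-all 0.0.0.0 -> 0.0.0.0
    (the 'any' default) with proto 0, since that would capture all traffic."""
    if not state.enabled:
        return False, "packet filter is off; run 'set filter on' first"
    if not state.matches:
        return False, "no match filter configured"
    if all(s == "0.0.0.0" and d == "0.0.0.0" and p == 0 for s, d, p in state.matches):
        return False, "only catch-all filters present; capture would match everything"
    return True, f"{len(state.matches)} filter(s) active"
```

Paste the real show setting output into parse_setting() and only run set capture on when the check returns True.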

  • Enable packet captures on the Web UI:
      1. Go to Monitoring > Packet Capture.
      2. Create and enable a packet filter.
      3. Create stages to capture packets and specify file names.
      4. Click OK to enable captures.
      5. Download the capture file(s) via HTTP by clicking the corresponding links after refreshing the capture page.

Cisco ASA Firewall Basic Commands:

Basic commands to verify the status of an ASA firewall:

  • Cisco firewall mode : show firewall
  • Cisco firewall version : show version
  • Verify CPU usage : show cpu usage
  • Verify memory status : show memory
  • Verify failover status : show failover
  • Verify failover history : show failover history
  • List interface names : show nameif
  • List interface IP addresses : show ip
  • List route table : show route
  • List NAT table : show xlate
  • Verify logs : show logging