Posts

Panorama SDWAN issue during commit with error message "failed to create sdwan cluster meta file: 'NoneType' object has no attribute 'node'"

Cause --> This issue is directly related to the high-availability (HA) configuration on the local SDWAN device. If you add a standalone firewall as an SDWAN device in Panorama while HA is enabled locally on that firewall, this error will occur.

Solution --> You can either remove the local HA configuration on the firewall, or implement HA with two members and then set up SDWAN on both devices as an HA group in the Panorama SDWAN settings.

Optimal RSSI and SNR values for Wireless


Creating a Windows batch file that ignores SSL certificate warnings in your favorite browser

In this example we will be using Google Chrome as our browser.

Step 1 - Create the .bat file in Notepad
Open the Notepad app in Windows and copy and paste the following text:

    start "" "c:\Program Files\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors

Save the file as a .bat file in your preferred location (I usually choose the Desktop). Make sure you choose "All Files (*.*)" as the file type when saving the file.

Step 2 - Execute the file
Make sure you have no open Chrome session, otherwise this will not work.

This is especially useful whenever you are going to configure a new network device via HTTPS, where it normally comes with a self-signed certificate which by default is not trusted by the browser. With this technique you should be able to connect to the device while ignoring any SSL certificate warnings from the browser, and of course, as part of configuring a network device, a proper SSL certificate will need to be installed for secured web access to

Fortigate | Implement AAD Group-based firewall rules for FortiClient SSLVPN

@AZURE
1.1. Create a SAML Enterprise Application. We will call it "Fortigate SSL VPN".
1.2. Define the AAD user groups that will have access to the Enterprise Application. Take note of the Object ID, as it will be used later in the Fortigate firewall.
1.3. Download the Enterprise Application's SSL certificate. This will be imported into the Fortigate firewall manually at a later stage.

@FORTIGATE FIREWALL
NOTE: FortiClient SSLVPN settings are ignored in this step.
2.1. Import Azure's Enterprise Application SSL certificate on the Fortigate firewall (downloaded in step 1.3).
2.2. Create a SAML Single Sign-On group. We will call it 'ssl-azure-saml'.
2.3. Create a User Group called 'AAD-SSL-VPN-USERS' pointing to the Object ID of the AAD group (noted in step 1.2). This user group will be used in the firewall policies in order to filter traffic.
2.4. Create a Firewall Policy to restrict traffic to the VPN Users AAD group by using the AAD-SSL-VPN-USERS object. If we wanted

Basic configuration of Palo Alto firewall using Terraform

Requirements
- Palo Alto VM-Series firewall on KVM (in my case, hosted in EVE-NG)
- terraform.exe file (downloaded from the official Terraform page)
- Visual Studio Code
- Connectivity to the Palo Alto machine from the host machine

Step 0 - Create a folder to host all Terraform files: C:\Users\angel\scripts\paloalto

Step 1 - Download the terraform.exe file from the official Terraform page (Install | Terraform | HashiCorp Developer). I am using Windows for this example, but you can use Linux, macOS or other OS types as well. Extract terraform.exe into the folder where all Terraform files are located --> C:\Users\angel\scripts\paloalto

Step 2 - Open Visual Studio Code and install the following Terraform-related extensions: Terraform, HashiCorp Terraform, Terraform advanced syntax highlighting

Step 3 - Create main.tf in the Terraform files folder: C:\Users\angel\scripts\paloalto\main.tf

Step 4 - Edit main.tf with the following basic code. Make sure that indentation is respected in the file:

terraform {     required

Palo Alto | Create a Security Zone on a Template using PANORAMA REST API call

## REST API POST call that creates a new Security Zone in a target Template in Panorama ##
import json
import requests
import urllib3

# Placeholders: replace these with your own values before running.
panorama_ip = "{panoramaIP}"
target_template = "{target_template}"
name_new_zone = "{name_new_ZONE}"
api_key = "{PANORAMA_API_KEY}"

# Suppress the warning that verify=False (below) would otherwise print on every call.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Zone name, location, template and vsys are passed as query parameters.
url = (
    f"https://{panorama_ip}/restapi/v10.2/Network/Zones"
    f"?name={name_new_zone}&location=template&template={target_template}&vsys=vsys1"
)

# The body repeats the same attributes; the zone is Layer 3 and uses the "default" log setting.
payload = json.dumps({
    "entry": {
        "@name": name_new_zone,
        "@location": "template",
        "@template": target_template,
        "@vsys": "vsys1",
        "network": {
            "layer3": {},
            "log-setting": "default"
        }
    }
})

# The API key is sent in the X-PAN-KEY header.
headers = {
    "Content-Type": "application/json",
    "X-PAN-KEY": api_key
}

# verify=False skips TLS certificate validation (needed with Panorama's self-signed certificate);
# once Panorama has a trusted certificate, drop it or point verify at your CA bundle.
response = requests.request("POST", url, headers=headers, data=payload, verify=False)
print(response.text)

Palo Alto | Configure Failover in an Active-Passive HA

In this post we will explain how to do failover in an "Active-Passive" HA on Palo Alto. For this, we propose two scenarios:

Scenario #1 - 1 Internet line (1 ISP)
Scenario #2 - 2 Internet lines (2 ISPs)

The goal of this failover is to replace the Active with the Passive when the following occurs:
- The primary Internet line (ISP1) goes down --> Applies to Scenarios #1 and #2
- The primary firewall goes down --> Applies to Scenarios #1 and #2
- The primary switch goes down --> Applies to Scenario #2

NOTE: I have only managed to do the HA configuration locally, since doing it from Panorama gives many problems. Reading several Reddit forums, it seems that many people decide to configure HA locally before adding the firewalls to Panorama.