Monthly Archives: October 2014 - Page 2

Client VPN IP Overlap (12 of 30)

I am surprised that more vendors have not solved this issue. You will often see solutions for the case where the user’s IP space overlaps with the client pool being handed out, e.g. here, here and here.

An example would be: the client pool is and the hotel network you are on is. The most common solution given is to create a separate profile with a different IP pool.

However, there is another, similar issue that, even though I haven’t seen it too often, is still a concern.…

Filter Incomplete Sessions on Palo Alto Firewalls (11 of 30)

A short tip today.

Here is a quick way to filter out of your logs the packets that were never part of an established session (e.g. a SYN, but no SYN/ACK):

(bytes_received geq 1) and (bytes_sent geq 1)

Of course, if you are only getting a SYN and not a SYN/ACK, the IP should probably be closed off altogether, but you may have some situations where this is to be expected.


Text Tools take 2 (10 of 30)

If you missed my first post on Text Tools, you can find it here, where you can also read my full disclaimer. In that example, you replaced multiple items in one config; in this example you have a few variables for highly repeatable configs. Say you have a bunch of interfaces and the only things that change are the interface, the VLAN, and the description.

Go to, and fill the left side with your variable replacements, and the right side with the repeatable config.…

Palo Alto Debug (9 of 30)

If you are using Palo Alto firewalls, it can at times be difficult to see whether or not packets are being dropped. If they are being dropped by a policy, you can see that in the traffic logs, but not if they are being dropped due to an illegal TCP operation. That can result from asymmetric traffic (you see the SYN come in on zone A, leave on zone B, and return on zone C), from a session that has timed out while the application uses a longer timeout and tries to reuse the dead session, or from many other causes.…

Cisco CLI “Filter from –more–” (8 of 30)

I know it’s a mouthful that doesn’t seem to make sense. But that is what Cisco calls it, and it is similar to the | (pipe) you are probably familiar with. I was not until recently aware of these commands.

With the pipe you have include, exclude and begin, and you have to enter them before you run the show command. You have similar options after running the show command, using +, -, and / respectively. After issuing your “show” command, the ‘/’ lets you find the next occurrence of a string and display everything after it.…

It’s the Network’s Fault, I promise you (7 of 30)

So you probably presume I am entering into some tirade in which I explain the story of someone insisting that there is a network issue, and after days or weeks the issue is finally found to not be a network issue, leaving me the unsung hero. Well, this is not that story; if you have been in the network business for any period of time you have had this happen many times, and my story is no more unique than yours. While it does help to relieve some of that frustration, there is not much to be gained from it.…

Text Tools–Take 1 (6 of 30)

I have been a fan of Text Mechanic, a site that uses JavaScript to perform a bunch of actions on a given set of text. What is nice about it being JavaScript is that everything stays within the browser. However, it doesn’t meet all my needs. I have started to create some text tools of my own, but I am doing it in Perl, so please note that the configlets are seen by my server, and though I have no intention of logging them, I am not responsible for them either 🙂 I plan on releasing this and more on GitHub, so stay tuned.…