IPv6 Site-to-Site VPN Recommendations
With global IPv6 routing, every single host has its own global unicast IPv6 address (GUA). No more NAT. No dirty tricks between hosts and routers. Great. Security is then provided solely by firewalls and...
Juniper ScreenOS: DHCPv6 Prefix Delegation
The Juniper ScreenOS firewall is one of the few firewalls that implements DHCPv6 Prefix Delegation (DHCPv6-PD). It is therefore suitable for testing my dual-stack ISP connection from Deutsche Telekom,...
IPv6 VPN Routing with Dynamic Prefixes
How to route traffic inside an IPv6 site-to-site VPN tunnel if one side offers only dynamic IPv6 prefixes? With IPv4, the private network segments were statically routed through the tunnel. But with a...
IPv6 Dyn Prefix Problems
I am lucky to have a full dual-stack ISP connection at home. However, the ISP only offers a dynamic IPv6 prefix, with all of its disadvantages (and not a single advantage). In this post, I am summarizing...
Palo Alto Remote Access VPN for Android
For a basic remote access VPN connection to a Palo Alto Networks firewall (called “GlobalProtect”), the built-in VPN feature from Android can be used instead of the GlobalProtect app from Palo Alto...
Cisco ASA Remote Access VPN for Android
The native Android IPsec VPN client supports connections to the Cisco ASA firewall. This even works without the “AnyConnect for Mobile” license on the ASA. If only a basic remote access VPN connection...
Basic IPv6 Configuration on a FortiGate Firewall
It’s really great that the FortiGate firewalls have a DHCPv6 server implemented. With this mandatory service, IPv6-only networks can be deployed directly behind a FortiGate because the stateless DHCPv6...
CLI Commands for Troubleshooting FortiGate Firewalls
This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI. It is neither complete nor very detailed, but it provides the basic commands for troubleshooting network-related...
Where to terminate Site-to-Site VPN Tunnels?
When using a multilayer firewall design, it is not immediately clear on which of these firewalls remote site-to-site VPNs should terminate. What must be considered in such scenarios? Differentiate between...
ntopng Installation
Some time ago I published a post introducing ntopng as an out-of-the-box network monitoring tool. I am running it on a Knoppix live Linux notebook with two network cards. However, I have a few...
Network Transfer: 1 Big vs. 100 Small Files
A common mistake when analyzing network speed/bandwidth between different applications and servers is to fully rely on the mere size of the files being transferred. In fact, one big file will transfer...
FortiGate VPN Speedtests
Triggered by a customer who had problems getting enough speed through an IPsec site-to-site VPN tunnel between FortiGate firewalls, I decided to test different encryption/hashing algorithms to verify...
FRITZ!Box VPN Speedtests
Similar to the site-to-site VPN throughput test of the FortiGate firewalls, I wanted to put the FRITZ!Boxes through their paces and find out to what extent the VPN throughput differs between the models...
FortiGate IPv4 vs. IPv6 Performance Speedtests
I was interested in the performance of my FortiGate firewall when comparing IPv4 and IPv6 traffic. Therefore I built a small lab consisting of a FortiWiFi 90D firewall and two Linux clients running Iperf....
RTTs with different ISPs
Just a short post this time, but an interesting fact concerning different Internet Service Providers (ISPs) and their routing to/from other countries. I have a customer in Germany that has a remote...
FortiGate Virtual IPs with Interface “Any”
On the FortiGate firewall, address objects and virtual IPs (VIPs) can be set up with an interface. For address objects this has no technical relevance – the address objects simply appear only on...
FortiGate Virtual IPs without Reference
Migrating from Juniper ScreenOS firewalls to FortiGates, there are some differences to note with static NATs, i.e., Mapped IPs (MIPs) on a Netscreen and Virtual IPs (VIPs) on a FortiGate. While the...
IPv6 through IPv4 VPN Tunnel with Palo Alto
The most common transition method for IPv6 (that is: how to enable IPv6 on a network that does not have a native IPv6 connection to the Internet) is a “6in4” tunnel. Other tunneling methods such as...
Advanced Ping: httping, dnsping, smtpping
I really love ping! It is easy to use and directly reveals whether the network works or not. Refer to Why Ping is no Security Flaw! (But your Friend) and Advanced Tracerouting. At least outgoing pings...
Palo Alto IPv4 vs. IPv6 Performance Speedtests
After doing some speed tests on the FortiGate firewall, I was interested in doing the same tests on a Palo Alto. That is: What are the throughput differences of IPv4 vs. IPv6, measured with and...