
8/26/2019 Panorama Local Config Audit (Panorama)

Panorama Local Config Audit (Panorama)

Mon Aug 26 16:07:28 EEST 2019

Administrators: duc.le@relexsolutions.com

Legend: Added Modified Deleted

Local Panorama Changes


Running Configuration Candidate Configuration
1917 source-user any; 1917 source-user any;
1918 category any; 1918 category any;
1919
application [ "Group RELEX Default Apps" "Group We 1919
application [ "Group RELEX Default Apps" "Gro
b" "Group Zabbix"]; up Web" "Group Zabbix"];
1920 service application-default; 1920 service application-default;
1921 hip-profiles any; 1921 hip-profiles any;
1922 tag AWS; 1922 tag AWS;
1923 action allow; 1923 action allow;
1924 log-start yes; 1924 log-start yes;
1925
description "Customer specific for running PC SaaS"; 1925
description "Customer specific for running PC S
aaS";
1926 } 1926 }
  1927
"RELEX Office NET and VPN Charlie - Radeberge
r" {
  1928 target {
  1929 negate no;
  1930 }
  1931 to "VPN EXT";
  1932 from "VPN RELEX";
  1933
source [ GP-VPN-RELEX "Hel Office PA850 user
s"];
  1934 destination "Radeberger Remote Net";
  1935 source-user any;
  1936 category any;
  1937 application "Group RELEX Default Apps";
  1938 service any;
  1939 hip-profiles any;
  1940 tag [ AWS Customer];
  1941 action allow;
  1942 description NOC-170;
  1943 }
1927 "INT - Log Central" { 1944 "INT - Log Central" {
1928 target { 1945 target {
1929 negate no; 1946 negate no;
1930 } 1947 }
1931 to "VPN RELEX"; 1948 to "VPN RELEX";
1932 from INT; 1949 from INT;
1933 source "TeHDC INT"; 1950 source "TeHDC INT";
1934
destination [ "AWS FRA kafka IP" "AWS FRA log-centra 1951
destination [ "AWS FRA kafka IP" "AWS FRA lo
l IP"]; g-central IP"];
1935 source-user any; 1952 source-user any;
1936 category any; 1953 category any;
...   ...  
5464 source "Dynamic Branches Office"; 5481 source "Dynamic Branches Office";
5465 destination "Office DMZ"; 5482 destination "Office DMZ";
5466 category any; 5483 category any;
5467 application "Group RELEX Default Apps"; 5484 application "Group RELEX Default Apps";
5468 service application-default; 5485 service application-default;
5469 hip-profiles any; 5486 hip-profiles any;
5470 tag [ Office Branch]; 5487 tag [ Office Branch];
5471 action allow; 5488 action allow;
5472
description "Allow branches office to access HEL Offic 5489
description "Allow branches office to access HE
e DMZ"; L Office DMZ";
5473 } 5490 }
  5491 "Office to External Network" {
  5492 target {
  5493 negate no;
  5494 }
  5495 to "VPN RELEX";
  5496 from Office;
  5497 source "Office Test Network";
  5498 destination "External Customer NET";
  5499 source-user any;
  5500 category any;
  5501 application "Group RELEX Default Apps";
5502

  service application-default;
  5503 hip-profiles any;
  5504 tag [ Office EXT Customer];
  5505 action allow;
  5506
description "Allow office to External network ter
minated in remote DC";
  5507 }
5474 "GP to local Office DMZ network" { 5508 "GP to local Office DMZ network" {
5475 target { 5509 target {
5476 negate no; 5510 negate no;
5477 } 5511 }
5478 to DMZ; 5512 to DMZ;
5479 from GP-VPN-RELEX; 5513 from GP-VPN-RELEX;
5480 source Helsinki-Office-GP-subnet; 5514 source Helsinki-Office-GP-subnet;
5481 destination any; 5515 destination any;
5482 source-user any; 5516 source-user any;
5483 category any; 5517 category any;
...   ...  
5587 source Helsinki-Office-GP-subnet; 5621 source Helsinki-Office-GP-subnet;
destination [ "AWS Frankfurt net" "AWS PC N-Virginia n destination [ "AWS Frankfurt net" "AWS PC N-V
5588 et" "AWS SA all NET" "Azure NET" "Dynamic DC Group"]; 5622 irginia net" "AWS SA all NET" "Azure NET" "Dynamic DC Gro
up"];
5589 source-user any; 5623 source-user any;
5590 category any; 5624 category any;
5591 application any; 5625 application any;
5592 service any; 5626 service any;
5593 hip-profiles any; 5627 hip-profiles any;
5594 tag GP-VPN; 5628 tag GP-VPN;
5595 action allow; 5629 action allow;
5596 } 5630 }
  5631 "GP to External Network" {
  5632 target {
  5633 negate no;
  5634 }
  5635 to "VPN RELEX";
  5636 from GP-VPN-RELEX;
  5637 source Helsinki-Office-GP-subnet;
  5638 destination "External Customer NET";
  5639 source-user any;
  5640 category any;
  5641 application "Group RELEX Default Apps";
  5642 service application-default;
  5643 hip-profiles any;
  5644 tag [ EXT GP-VPN Customer];
  5645 action allow;
  5646
description "Allow Office GP-VPN to External ne
twork terminated in remote DC";
  5647 }
5597 "GP to IMAP mail for linux clients" { 5648 "GP to IMAP mail for linux clients" {
5598 target { 5649 target {
5599 negate no; 5650 negate no;
5600 } 5651 }
5601 to untrust; 5652 to untrust;
5602 from GP-VPN-RELEX; 5653 from GP-VPN-RELEX;
5603 source Helsinki-Office-GP-subnet; 5654 source Helsinki-Office-GP-subnet;
5604 destination any; 5655 destination any;
5605 source-user any; 5656 source-user any;
5606 category any; 5657 category any;
...   ...  
5695 tag { 5746 tag {
5696 WIP; 5747 WIP;
5697 AWS; 5748 AWS;
5698 IPSEC-PEER; 5749 IPSEC-PEER;
5699 GCP; 5750 GCP;
5700 GP-VPN { 5751 GP-VPN {
5701 color color31; 5752 color color31;
5702 } 5753 }
5703 INT; 5754 INT;
5704 Azure; 5755 Azure;
  5756 EXT {
  5757 color color1;
  5758 }
  5759 Customer {
  5760 color color22;
  5761 }
5705 } 5762 }
5706 application-filter { 5763 application-filter {
5707 Gaming { 5764 Gaming {
5708 disable-override no; 5765 disable-override no;
5709 subcategory gaming; 5766 subcategory gaming;
5710
technology client-server; 5767
technology client-server;
5711 } 5768 }
5712 } 5769 }
5713 address { 5770 address {
5714 "AWS-SA-Production IPSec 1" { 5771 "AWS-SA-Production IPSec 1" {
...   ...  
5773 } 5830 }
5774 EQHE6Z3-FW-Int-MGMT-IP { 5831 EQHE6Z3-FW-Int-MGMT-IP {
5775 ip-netmask 10.23.11.246; 5832 ip-netmask 10.23.11.246;
5776 } 5833 }
5777 TeHDC-FW-MGMT-IP { 5834 TeHDC-FW-MGMT-IP {
5778 ip-netmask 10.24.11.253; 5835 ip-netmask 10.24.11.253;
5779 } 5836 }
5780 EQAT1-FW-MGMT-IP { 5837 EQAT1-FW-MGMT-IP {
5781 ip-netmask 10.32.11.253; 5838 ip-netmask 10.32.11.253;
5782 } 5839 }
  5840 "Radeberger Remote Net" {
  5841 ip-netmask 10.184.7.192/27;
  5842 tag [ EXT Customer];
  5843 }
5783 } 5844 }
5784 address-group { 5845 address-group {
5785 "AWS Mordor instance group" { 5846 "AWS Mordor instance group" {
5786 dynamic { 5847 dynamic {
5787 filter 'aws-tag.Team.Mordor'; 5848 filter 'aws-tag.Team.Mordor';
5788 } 5849 }
5789
description "Mordor AWS instances, data pulled from AW 5850
description "Mordor AWS instances, data pulled fr
S."; om AWS.";
5790 } 5851 }
  5852 "External Customer NET" {
  5853 dynamic {
  5854 filter "'EXT' and 'Customer'";
  5855 }
  5856 }
5791 } 5857 }
5792 } 5858 }
5793 PUB-AT1 { 5859 PUB-AT1 {
5794 devices { 5860 devices {
5795 001801043312 { 5861 001801043312 {
5796 vsys { 5862 vsys {
5797 vsys1; 5863 vsys1;
5798 } 5864 }
5799 } 5865 }
5800 001801043315 { 5866 001801043315 {
...   ...  
9289 route-table unicast; 9355 route-table unicast;
9290 enable yes; 9356 enable yes;
9291 set-origin incomplete; 9357 set-origin incomplete;
9292 } 9358 }
9293 Redis-OSPF { 9359 Redis-OSPF {
9294 address-family-identifier ipv4; 9360 address-family-identifier ipv4;
9295 route-table unicast; 9361 route-table unicast;
9296 enable yes; 9362 enable yes;
9297 set-origin incomplete; 9363 set-origin incomplete;
9298 } 9364 }
9299 Adv-AWS-Customer { 9365 Adv-Customer-Net {
9300 address-family-identifier ipv4; 9366 address-family-identifier ipv4;
9301 route-table unicast; 9367 route-table unicast;
9302 enable yes; 9368 enable yes;
9303 set-origin incomplete; 9369 set-origin incomplete;
9304 } 9370 }
9305 } 9371 }
9306 policy { 9372 policy {
9307 import { 9373 import {
9308 rules { 9374 rules {
9309 import_from_aws { 9375 import_from_aws {
...   ...  
9354 } 9420 }
9355 export { 9421 export {
9356 rules { 9422 rules {
9357 Advertise-to-AWS-Frankfurt { 9423 Advertise-to-AWS-Frankfurt {
9358 action { 9424 action {
9359 allow { 9425 allow {
9360 update { 9426 update {
9361 as-path { 9427 as-path {
9362 none; 9428 none;
9363 } 9429 }
9364 origin incomplete;  
9365 community { 9430 community {
9366 none; 9431 none;
9367 } 9432 }
9368 extended-community { 9433 extended-community {
9369 none; 9434 none;
9370 } 9435 }
  9436 origin incomplete;
9371 } 9437 }
9372 } 9438 }
9373 } 9439 }
9374 match { 9440 match {
9375 address-prefix { 9441 address-prefix {
9376 10.82.193.0/28 { 9442 10.82.193.0/28 {
9377 exact no; 9443 exact no;
9378 } 9444 }
9379 193.210.102.0/24 { 9445 193.210.102.0/24 {
9380 exact no; 9446 exact no;
...   ...  
9721 retransmit-interval 5; 9787 retransmit-interval 5;
9722 transit-delay 1; 9788 transit-delay 1;
9723 link-type { 9789 link-type {
9724 broadcast; 9790 broadcast;
9725 } 9791 }
9726 } 9792 }
9727 } 9793 }
9728 } 9794 }
9729 } 9795 }
9730 router-id 10.99.200.24; 9796 router-id 10.99.200.24;
  9797 export-rules {
  9798 Adv-Customer-Net {
  9799 new-path-type ext-1;
  9800 }
  9801 }
9731 } 9802 }
9732 ospfv3 { 9803 ospfv3 {
9733 enable no; 9804 enable no;
9734 } 9805 }
9735 redist-profile { 9806 redist-profile {
9736 Default_to_VPC { 9807 Default_to_VPC {
9737 filter { 9808 filter {
9738 type static; 9809 type static;
9739
destination [ 10.82.193.0/28 193.210.102.0/2 9810
destination [ 10.82.193.0/28 193.210.1
4 194.240.65.199/32]; 02.0/24 194.240.65.199/32];
9740 } 9811 }
...   ...  
9827 Redis-OSPF { 9898 Redis-OSPF {
9828 filter { 9899 filter {
9829 type ospf; 9900 type ospf;
9830
destination [ 10.23.4.0/23 10.23.16.0/24 10.4 9901
destination [ 10.23.4.0/23 10.23.16.0/
4.8.0/24]; 24 10.44.8.0/24];
9831 } 9902 }
9832 priority 10; 9903 priority 10;
9833 action { 9904 action {
9834 redist; 9905 redist;
9835 } 9906 }
9836 } 9907 }
9837 Adv-AWS-Customer { 9908 Adv-Customer-Net {
9838 filter { 9909 filter {
9839 type static; 9910 type static;
9840 destination 10.184.7.192/27; 9911 destination 10.184.7.192/27;
9841 } 9912 }
9842 priority 10; 9913 priority 10;
9843 action { 9914 action {
9844 redist; 9915 redist;
9845 } 9916 }
9846 } 9917 }
9847 } 9918 }
...   ...  
19941 } 20012 }
19942 } 20013 }
19943 } 20014 }
19944 Helsinki { 20015 Helsinki {
19945 parent-dg Offices; 20016 parent-dg Offices;
19946 id 111; 20017 id 111;
19947 address-group { 20018 address-group {
19948 "AWS Mordor instance group" { 20019 "AWS Mordor instance group" {
19949 id 178; 20020 id 178;
19950 } 20021 }
  20022 "External Customer NET" {
  20023 id 237;
  20024 }
19951 } 20025 }
19952 } 20026 }
19953 PUB-AT1 { 20027 PUB-AT1 {
19954 parent-dg PUB-FW; 20028 parent-dg PUB-FW;
19955 id 141; 20029 id 141;
19956 } 20030 }
19957 PRVLink-AT1 { 20031 PRVLink-AT1 {
19958 parent-dg PRVLink-FW; 20032 parent-dg PRVLink-FW;
19959 id 142; 20033 id 142;
19960 } 20034 }
...   ...  
20346 } 20420 }
20347 } 20421 }
20348 } 20422 }
20349 } 20423 }
20350 PAN3020-DA7_stack { 20424 PAN3020-DA7_stack {
20351 id 227; 20425 id 227;
20352 } 20426 }
20353 } 20427 }
20354 } 20428 }
20355 } 20429 }
20356 max-internal-id 236; 20430 max-internal-id 237;
20357 shared { 20431 shared {
20358 address-group { 20432 address-group {
20359 "DMZ Public facing IPs" { 20433 "DMZ Public facing IPs" {
20360 id 16; 20434 id 16;
20361 } 20435 }
20362 "AWS Infra instance group" { 20436 "AWS Infra instance group" {
20363 id 38; 20437 id 38;
20364 } 20438 }
20365 "Office IP addresses" { 20439 "Office IP addresses" {
20366 id 40; 20440 id 40;
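Review bot: The added rule "RELEX Office NET and VPN Charlie - Radeberger" (candidate lines 1927–1943) sets `service any;`, while the other two rules added in this change ("Office to External Network" and "GP to External Network") use `service application-default;`. With `service any` the applications in "Group RELEX Default Apps" are allowed on any port rather than only their standard ports, which is broader than an allow rule towards a customer network needs; candidate line 1938 should read `service application-default;` or name specific service objects. None of the three added rules shows a `profile-setting` or `log-setting` in the visible lines, so it is worth confirming whether threat inspection and log forwarding are applied elsewhere or are missing. The new dynamic group "External Customer NET" matches any address tagged both `EXT` and `Customer`, so tagging an object now extends reachability from the office test network and GP-VPN; a `description` on the group stating that membership is tag-driven would make that visible to the next editor.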

