PAN Virtual Wire with Cisco HA Pair

Recently, I was setting up a Palo Alto Networks Next Generation firewall to perform URL Filtering and Threat Prevention on internet-bound traffic for a client. The firewall was deployed into the environment using a network tap to get traffic through the device. The tap sat between a pair of ASAs and some backend IPS appliances. This may seem a bit redundant, but the primary purpose of the PAN was to perform URL Filtering, and the threat prevention was simply a nice addition.


CAC Based Remote Access VPN on the ASA

Introduction

In general, using CACs (or smartcards, PIV cards, etc.) as the authentication mechanism is pretty straightforward. The certificate is used for authentication, and, if desired, authorization can then be performed using a value in the certificate. The ASA essentially pulls a username from a field to use for a lookup against a backend server, e.g. LDAP or RADIUS. I’m not going to cover the configuration and setup of the initial VPN group policies, tunnel groups, etc.