Overview

  • 2 firewalls can be configured in a High Availability pair
  • HA Provides:
    • Redundancy
    • Business Continuity
    • If one firewall fails, the second can continue service with little to no interruption
  • HA options can be deployed as:
    • Active/Passive: One active, one standby firewall
    • Active/Active: Both Active, used in specific circumstances, such as asynchronous routing setups
  • Items Synchronized include:
    • Networks
    • Objects
    • Policies
    • Certificates
    • Session Tables (not available on the PA-200)
  • Items NOT Synchronized:
    • Management Interface configuration
    • HA Settings
    • Logs
    • ACC information
  • For a consolidated application and log view, Panorama must be used.
  • PA-200 only supports HA-Lite
    • Lite is only available due to the low number of ports available on this model
  • A/P Deployment
    • Only one firewall is active
    • The other firewall is synchronized and ready to process traffic
    • No increase in session capacity or network throughput
    • Supports VWire, Layer 2, and Layer 3 deployments
    • A/P HA has a simple design, which eases implementation.
  • A/A Deployment
    • Both firewalls are active and processing traffic
    • Both individually maintain routing and session tables, sync’d to the other
    • Intended for asynchronous routing deployments
    • No increase in throughput/session tables
    • Supported in V-Wire and L3 deployments
  • HA Prerequisites
    • Both firewalls must be running the same hardware or VM model
    • Both firewalls must be running the same PAN-OS version
    • Starting in 7.0, session syncing is an option when upgrading major and minor releases
    • Updated and current Threat, URL and App DB’s
    • Same dedicated HA interfaces
    • Licenses are unique to each FW; each needs matching licenses
    • Matching Slot configurations (for chassis 5000/7000 series)
    • VMs must be on the same hypervisor and have the same number of CPU cores

HA Components and Operations

  • The HA Control Link is an L3 link that requires an IP address.
    • Used to exchange heartbeats and hellos and HA state info
    • Used to exchange routing and user ID information
    • Active firewall uses this to exchange config change information
  • The HA Data Link is an L2 link, but can be configured as L3, which then requires an IP address
    • L3 is required if the data links are not on the same subnet
    • In L2 mode, the Datalink uses ethernet type 0x7261
    • The Data Link synchronizes sessions, forwarding tables, IPSec SAs and ARP tables across the HA pair
    • Dataflow is unidirectional from the Active to Passive firewall.
  • Some models have dedicated HA ports, other models will use MGT or other in-band ports
    • Dedicated HA Ports are on 3000, 4000, 5000 and 7000 models
    • HA1/HA2 ports can be directly connected via ethernet cable
    • Recommended to use the MGT port as the control link
      • Any in-band port used must be configured as type HA
  • HA Backup Links are recommended for the control link, to prevent the FW’s going into ‘split-brain’ mode
    • Backup links must be on separate physical ports
    • Backup links must be in a different subnet from the primary links
  • PA-7000 series mandates the use of specific ports on the Switch Management Card (SMC)
    • HA1-A is the control link; connect to same port on the 2nd firewall (or through switch/router)
    • HA1-B is the backup control link; connect to same port on 2nd firewall (or through switch/router)
    • Backup control link cannot be configured on the MGT or NPC Data ports.
    • High Speed Chassis Interconnects (HSCI) are used as the Primary and backup Datalinks
      • If the distance is beyond the reach of the HSCI ports, in-band ports can be used.
  • HA firewalls can be set with a device priority to indicate a preference for which should be active.
    • Enable Pre-empt on both firewalls if you want one firewall to become the active firewall when it is available/brought online.
  • Failure Detection
    • Hello and Heartbeats to confirm responsiveness and availability
    • Link Groups can be configured to validate interfaces are up
    • Path groups can monitor remote IP’s to validate reachability
    • Each of these can be configured with an any/all failure condition.
    • Internal Health checks are done to validate hardware is healthy
  • HA Timers
    • HA Timers enable the firewall to detect failures and fail over
    • Timer profiles simplify setting HA timer settings
    • The Advanced option enables individual timer modification
  • HA Heartbeat on the management port
    • Helps to prevent split-brain
    • Split-brain happens when a non-redundant control link goes down

Active/Passive HA Configuration

  • Prepare In-band Interface
    • Set interface type as HA
  • Configured under Device > High Availability
    • Each section here can be configured depending on the needs of the deployment
  • Enable HA A/P mode under Device > High Availability > General
    • Select Mode (A/A or A/P)
    • Matching Group ID’s for the HA Pair
    • Description (useful if configuring multiple HA configurations)
    • Check enable config sync to automatically sync any config changes to the peer
    • Add the Peer IP address
      • HIGHLY recommended to add a backup peer IP Address
  • Configure the Control Link
    • Under Device > High Availability > General
    • Select the Control Link (HA1)
      • Select management port or another configured in-band port
      • MGT Port is recommended if a dedicated HA port is not available
      • Add a gateway if the peer is in a different subnet
    • Control link can be encrypted
      • Private keys will need to be exported/imported from the certificate configuration for this to function.
    • Backup link can be configured using an in-band port
  • Configure the DataLink
    • If available, configured on the HA2 link
    • If using in-band and the peer is on a different subnet, add a gateway
    • An HA2 keepalive can also be configured.
      • To prevent split-brain, use the action ‘log only’
    • Select ‘session synchronization’ to ensure sessions are sync’d
    • A backup datalink can also be configured
  • Election Settings
    • Device Priority can be set if one should be preferred to be the Primary
    • (correction provided by /u/stangri-la) Preemptive can be set if a specific firewall should be primary if available. The firewall with the lower numerical value has the higher priority and will be primary if both are active and pre-empt is set.
    • HA Timers can be changed; however, leave them at Recommended unless there is a specific reason to change them.
  • (Optional) set the passive link state to auto
  • Link Monitoring (Optional)
    • Configured under Device > High Availability > Link and Path Monitoring
      • Different link groups can be configured with different failure conditions
      • Example: Critical links can force a failover if any of the links fail. Other links can be set to fail over only if all links fail (aggregate interfaces, where all members being down would likely indicate a switch failure, for example).
  • Path Monitoring (Optional)
    • Configured under Device > High Availability > Link and Path Monitoring
    • Options for VWire Path, VLAN Path and/or a Virtual Router Path.
      • A VWire will need a source and destination IP
      • Virtual Router monitoring does not need a source, as a route lookup will be done to determine the source.

Monitoring HA state

  • During Boot, a FW looks for an HA Peer; after 60 seconds, if a peer hasn’t been discovered, the FW will boot as Active.
  • If a peer is found, it will negotiate with the peer
    • If Preempt is active, determine who has highest priority – this FW becomes active.
  • If a FW is in a suspend state, it will not participate in a FW election
  • States an A/P FW can be in are:
    • Initial – Transient state when it joins an HA pair
    • Active – normal state, primary and processing traffic
    • Passive – normal traffic is discarded, may process LLDP and LACP traffic
    • Suspended – administratively disabled
    • Non-functional – FW is non-functional and will need to have the issues resolved before it can return to service.
  • States of the individual members can be added as a widget on the Dashboard
    • Add under Dashboard > Widgets > System > High Availability
    • This will show at a glance the status
      • Green: Good
      • Yellow: Warning (normal state for a standby firewall in an A/P pair)
      • Red: Error to be resolved
      • When an HA Pair is initially formed, a manual sync will need to be done. This screen can initiate a ‘sync to peer’ push.
    • System Log will show the events in an HA Pair negotiation.
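The election and failover rules above (device priority, preempt, suspended members, any/all link-group conditions, the 60-second boot timeout) as a small Python model. This is an added example, not PAN-OS code; class and function names, the tie rule for equal priorities, and marking a failed member non-functional are this example's own assumptions.

```python
"""Model of the A/P HA election and failover rules from the notes above."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BOOT_PEER_TIMEOUT_SECONDS = 60  # notes: no peer found within 60 s -> boot as Active


@dataclass
class LinkGroup:
    """Monitored interfaces with an 'any' or 'all' failure condition."""
    name: str
    interfaces: List[str]
    failure_condition: str = "any"  # "any": one link down fails the group; "all": every link down

    def failed(self, link_state: Dict[str, bool]) -> bool:
        down = [not link_state.get(ifname, False) for ifname in self.interfaces]
        return any(down) if self.failure_condition == "any" else all(down)


@dataclass
class Firewall:
    name: str
    priority: int = 100        # lower numeric value = higher priority
    preempt: bool = False
    state: str = "initial"     # initial | active | passive | suspended | non-functional
    link_groups: List[LinkGroup] = field(default_factory=list)
    link_state: Dict[str, bool] = field(default_factory=dict)  # interface name -> link is up

    def eligible(self) -> bool:
        """Suspended and non-functional members take no part in an election."""
        return self.state not in ("suspended", "non-functional")

    def monitoring_failed(self) -> bool:
        return any(group.failed(self.link_state) for group in self.link_groups)


def boot(fw: Firewall, peer_seen_after: Optional[float]) -> str:
    """Boot: no peer discovered within the timeout means the member comes up Active."""
    if peer_seen_after is None or peer_seen_after > BOOT_PEER_TIMEOUT_SECONDS:
        fw.state = "active"
    return fw.state


def elect(local: Firewall, peer: Firewall) -> Optional[Firewall]:
    """With preempt on both members the lower priority value wins; without preempt
    the member already Active keeps the role. Equal priorities keep the current
    Active member (this model's tie rule, an assumption)."""
    candidates = [fw for fw in (local, peer) if fw.eligible()]
    if not candidates:
        return None
    if len(candidates) == 1:
        return candidates[0]
    current = next((fw for fw in candidates if fw.state == "active"), None)
    if current is not None and not (local.preempt and peer.preempt):
        return current
    best = min(candidates, key=lambda fw: fw.priority)
    tied = [fw for fw in candidates if fw.priority == best.priority]
    return current if (len(tied) > 1 and current is not None) else best


def apply_election(local: Firewall, peer: Firewall) -> Optional[str]:
    """Run the election and set active/passive on the eligible members."""
    winner = elect(local, peer)
    for fw in (local, peer):
        if fw.eligible():
            fw.state = "active" if fw is winner else "passive"
    return winner.name if winner else None


def failover(active: Firewall, passive: Firewall) -> str:
    """A failed link group on the Active member triggers failover when the Passive
    member is eligible; the failed member is marked non-functional until repaired."""
    if active.monitoring_failed() and passive.eligible():
        active.state, passive.state = "non-functional", "active"
        return passive.name
    return active.name


def run_demo() -> Dict[str, Optional[str]]:
    """Scenarios from the notes; each value is the outcome (state or Active member)."""
    results: Dict[str, Optional[str]] = {}
    results["solo_boot"] = boot(Firewall("fw-solo"), peer_seen_after=None)
    a = Firewall("fw-a", priority=50, preempt=True, state="passive")
    b = Firewall("fw-b", priority=100, preempt=True, state="active")
    results["preempt_on"] = apply_election(a, b)      # lower value takes over
    a = Firewall("fw-a", priority=50, state="passive")
    b = Firewall("fw-b", priority=100, state="active")
    results["preempt_off"] = apply_election(a, b)     # current Active keeps the role
    a = Firewall("fw-a", priority=50, state="suspended")
    b = Firewall("fw-b", priority=100, state="passive")
    results["peer_suspended"] = apply_election(a, b)  # suspended member cannot win
    critical = LinkGroup("critical", ["ethernet1/1"], "any")
    uplinks = LinkGroup("uplinks", ["ethernet1/3", "ethernet1/4"], "all")
    act = Firewall("fw-a", state="active", link_groups=[critical, uplinks],
                   link_state={"ethernet1/1": True, "ethernet1/3": False, "ethernet1/4": True})
    pas = Firewall("fw-b", state="passive")
    results["one_uplink_down"] = failover(act, pas)   # 'all' condition not met: stays
    act.link_state["ethernet1/1"] = False
    results["critical_down"] = failover(act, pas)     # 'any' condition met: fails over
    return results


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario}: {outcome}")
```

The two link groups in `run_demo` are the "critical links" versus "aggregate links" split from the Link Monitoring notes: one member of the aggregate group going down is tolerated, while the critical interface going down forces the failover.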

Source: User submitted post


Dashboard, ACC and Monitor

  • Dashboard
    • On the dashboard, individual widgets can be added and removed to have a customized display
    • A custom refresh counter can be set in the upper right hand corner.
  • ACC
    • Interactive graph of traffic and applications going through the firewall
    • Threat graph shows the risk of traffic going through
    • Custom tabs can be added, with custom widgets showing information specific to your network and security concerns.
  • Filters
    • Applied by using the funnel shaped icon in the top right corner of the widget
    • Can be applied to a specific widget to set custom displays
    • Persistent between reboots
    • A global filter can be applied to all graphs in the ACC to help troubleshooting or trends
    • Global Filters on the ACC are not persistent.
    • Global filters can be applied in three methods:
      • Select an attribute from a table in any widget, apply it as a global filter.
      • Promote a local filter and elevate it to a global filter
      • Use the global filters pane in the ACC
  • Session Browser
    • To see active sessions on the firewall, go under Monitor > Session Browser
  • Reports
    • Various reports can be accessed under Monitor tab
    • Predefined reports are included with the FW, and can be run to generate reports on commonly requested information
    • Custom reports can be created using the Query Builder
    • User or Group activity reports can show what users and groups access (must have User-ID enabled and configured)
    • Botnet reports can show systems that display behaviors noted with known botnets
    • PDF Summary reports can help aggregate reports and export to PDF format for reports and presentations
    • Report Groups combine reports into a single emailed PDF document.
    • SaaS Reports can be generated on all data over a specified timeframe, or based on a certain group or application.
    • Reports can be scheduled to run at a specific time

Log Forwarding

  • Under the logs, a CSV file can be exported with a maximum of 65,535 rows.
    • Limit can be changed by updating the Max Rows field in Device > Setup > Management > Logging and Reporting Settings
  • In Scheduled Log Export, the logs exported will be up to the last scheduled export.
  • Logs can be forwarded with:
    • Panorama
    • http
    • Syslog SIEM
    • SNMP Manager
    • Email
  • Panorama can be a log aggregator to generate reports based on all firewall traffic, push updated policies, and monitor usage and security incidents
  • Panorama comes as an appliance or VM:
    • M100 – supports 8 terabytes
    • M500 – supports 24 terabytes
    • VM – supports ?? petabytes
  • Logs can be configured to be sent to an external archive system (syslog / SIEM server)
    • Define the remote logging destination
    • Enable log forwarding for each type
  • SNMP Trap servers, Syslog and Email log forwarding can be configured under: Device > Server Profiles
  • System log will contain information about changes to the device, failed logins and config commits.
  • Log forwarding is configured under Objects > Log forwarding
    • The log objects that can be forwarded are broken down into categories: Traffic, Threat, Wildfire, URL, Data, GTP, Tunnel and Authentication.
  • Each security policy rule can have a log forwarding profile applied to each rule. Under the actions tab, the rule can be set to log at start, end, and a log forwarding profile set.
  • The log forwarding profiles can be viewed under Device > Log Settings. These profiles are only visible to the security policy rules for log forwarding

Syslog

  • Allows logs from different sources to be aggregated, analyzed and reported on.
  • Syslog can be sent over:
    • UDP (unsecured and unreliable)
    • TCP (more overhead, reliable but unsecured)
    • SSL (highest overhead, secured auth is required)
  • Syslog Profiles can be created under Device > Server Profiles > Syslog
    • Specify IP
    • Transport type
    • Set the port; defaults are:
      • UDP: 514
      • TCP: must be manually specified
      • SSL: 6514
    • Format: BSD, Default, IETF
    • Facility: Level of logging to send
  • Syslog over TCP/SSL
    • If the syslog server uses client auth:
      • A local certificate is required
      • The private key must also be available.
      • This cannot be stored in a Hardware Security Module (HSM)
      • Import an existing certificate (or)
      • Create a self-signed certificate (or)
      • Create a cert using a Windows certificate server on your network
  • Syslog custom format
    • Under Device > Server Profiles > Syslog
    • Create a custom log format based on criteria from your syslog server or custom needs
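The BSD and IETF formats named above differ in their header, and the PRI value at the front encodes the facility and severity. The parser below, an added example rather than anything from the notes or from Palo Alto Networks, decodes both headers on constructed sample lines (the hostnames, app names and the `example@32473` structured-data ID are made up for this example; 32473 is the enterprise number reserved for documentation).

```python
"""Parse RFC 3164 (BSD) and RFC 5424 (IETF) syslog lines and decode PRI."""
import re
from typing import Dict, Iterable, Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD header: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
BSD_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
BSD_TAG_RE = re.compile(r"^([^\s:\[]+)(?:\[(\d+)\])?:\s*(.*)$", re.S)
# IETF header: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
IETF_RE = re.compile(
    r"^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$", re.S)


def decode_pri(pri: int):
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line: str) -> Dict[str, Optional[str]]:
    """Return a flat record; raises ValueError if neither header matches."""
    m = IETF_RE.match(line)
    if m:
        pri, _version, ts, host, app, procid, _msgid, sd, msg = m.groups()
        facility, severity = decode_pri(int(pri))
        return {"format": "ietf", "facility": facility, "severity": severity,
                "timestamp": ts, "host": host, "app": app,
                "procid": None if procid == "-" else procid,
                "structured_data": None if sd == "-" else sd, "message": msg or ""}
    m = BSD_RE.match(line)
    if m:
        pri, ts, host, rest = m.groups()
        facility, severity = decode_pri(int(pri))
        tag = BSD_TAG_RE.match(rest)
        app, procid, msg = tag.groups() if tag else (None, None, rest)
        return {"format": "bsd", "facility": facility, "severity": severity,
                "timestamp": ts, "host": host, "app": app, "procid": procid,
                "structured_data": None, "message": msg}
    raise ValueError("line is neither BSD nor IETF syslog: " + line[:40])


def severity_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Quick triage helper: how many messages arrived at each severity."""
    counts: Dict[str, int] = {}
    for record in map(parse_syslog, lines):
        counts[record["severity"]] = counts.get(record["severity"], 0) + 1
    return counts


# Constructed sample lines (not real firewall output): local7.info BSD,
# local4.notice IETF with structured data, user.notice IETF with no message.
SAMPLE_LINES = [
    "<190>Jan  5 10:15:42 fw-edge-01 system[1204]: Authentication failed for user admin from 192.0.2.10",
    '<165>1 2024-01-05T10:15:43.000Z fw-edge-01 config - - [example@32473 user="admin"] commit succeeded',
    "<13>1 2024-01-05T10:16:00Z fw-edge-01 mgmt - - -",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
    print(severity_counts(SAMPLE_LINES))
```

The third sample exercises the edge case of an IETF message with `-` for structured data and no message body, which a naive split on spaces gets wrong.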

Configuring SNMP

  • If the SNMP Manager is not on the MGT interface, then SNMP must be enabled on the management profile where it is, and a service route added.
  • Configure under Device > Setup > Operations > Miscellaneous > SNMP Setup
    • Enter an OID and a mask to determine which parts of the MIB can be seen.
      • 1.3.6.1 mask 0xf0 to see everything
      • .1 mask 0x80 to see more information.
    • For users, select the view for the user; the user name, authentication password and privacy password must match those in the SNMP manager
    • The Community string needs to match the string in the SNMP manager
  • For SNMP Traps Profile:
    • V2c
      • IP of Manager
      • Community Name
    • V3
      • Username
      • IP Address
      • EngineID (can get using OID 1.3.6.1.6.3.10.2.1.1.0)
      • Auth Password (SHA)
      • Privacy Password (AES)
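The OID/mask pair in the SNMP setup above follows the SNMP view-family rule: each mask bit governs one subidentifier of the subtree (1 = must match, 0 = wildcard), and bits beyond the mask count as 1. The code below is an added example of that matching logic, not PAN-OS code; the view built by `demo_view` and its function names are this example's own assumptions.

```python
"""SNMP view subtree + mask matching (the OID/mask pair from the notes)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.strip(".").split(".") if part)


def parse_mask(mask_text: str) -> bytes:
    """Accept 0xf0, f0 or ff:bf; an empty mask means every bit is 1."""
    cleaned = mask_text.lower().replace("0x", "").replace(":", "")
    return bytes.fromhex(cleaned) if cleaned else b""


def mask_bit(mask: bytes, index: int) -> bool:
    """Bit i controls subidentifier i: 1 = must match, 0 = wildcard.
    Bits beyond the end of the mask count as 1 (RFC 3415 semantics)."""
    if index // 8 >= len(mask):
        return True
    return bool((mask[index // 8] >> (7 - index % 8)) & 1)


def in_subtree(oid: str, subtree: str, mask: str = "") -> bool:
    """True if oid lies in the view family (subtree, mask)."""
    o, s, m = parse_oid(oid), parse_oid(subtree), parse_mask(mask)
    if len(o) < len(s):
        return False
    return all((not mask_bit(m, i)) or o[i] == s[i] for i in range(len(s)))


@dataclass(frozen=True)
class ViewFamily:
    subtree: str
    mask: str = ""
    included: bool = True   # False = excluded family


class MibView:
    """A view is a list of included/excluded families; the most specific
    (longest) matching family decides whether an OID is visible."""

    def __init__(self, families: Iterable[ViewFamily]) -> None:
        self.families: List[ViewFamily] = list(families)

    def allows(self, oid: str) -> bool:
        matches = [f for f in self.families if in_subtree(oid, f.subtree, f.mask)]
        if not matches:
            return False
        return max(matches, key=lambda f: len(parse_oid(f.subtree))).included


def demo_view() -> MibView:
    """Constructed example: everything under 1.3.6.1 (mask 0xf0, as in the notes)
    except the enterprise-specific subtree 1.3.6.1.4.1."""
    return MibView([
        ViewFamily("1.3.6.1", "0xf0", included=True),
        ViewFamily("1.3.6.1.4.1", "", included=False),
    ])


if __name__ == "__main__":
    view = demo_view()
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.10.2.1.1.0", "1.3.6.1.4.1.32473.1.0"):
        print(oid, "visible" if view.allows(oid) else "hidden")
    # Wildcard in the mask: one row (ifIndex 3) of a table, whatever the column.
    print(in_subtree("1.3.6.1.2.1.2.2.1.10.3", "1.3.6.1.2.1.2.2.1.0.3", "ff:bf"))
```

The wildcard case at the end goes beyond the two masks in the notes: clearing a single bit lets a read-only view expose one row of a table (here ifEntry row 3) without exposing the whole table, which is the usual reason to set a mask other than all ones.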

Source: User submitted post

Overview

  • PanOS does IPSec tunnels as route-based tunnels
  • Support for connecting to 3rd party IPSec devices
  • The tunnel is represented by a logical tunnel interface
  • The tunnel interface is placed in a zone
  • When traffic is sent to the tunnel, the VPN is connected and traffic sent across
  • IKEv1 vs IKEv2
    • IKEv1 is the most common version used
    • IKEv2 is primarily used to meet NDPP (network device protection profile), Suite B support and/or MS Azure compliance
    • IKEv2 preferred mode provides a fail back to IKEv1 after 5 retries (about 30 seconds)
  • IKE Phase 1
    • Identifies the endpoints of the VPN
    • Uses Peer IDs to identify the devices
      • Usually the public IP’s of each end
      • Can also be an FQDN or other string of data
    • Three settings/modes: Aggressive, Main, Auto
    • 5 pieces of info are exchanged during Phase 1:
      • Authentication Method
      • DH Key Exchange
      • Symmetric key algorithm for bulk data encryption
      • Hashing algorithm
      • Lifetime
  • IKE Phase 2
    • Creates the tunnel that will encapsulate traffic
    • Each side of the tunnel has a proxy ID to identify traffic
      • There is support for multiple proxy ID’s
      • Proxy ID’s are also known as ‘Encryption Domain’ with other vendors
    • Proxy ID’s can be specific or 0.0.0.0/0
    • 5 Pieces of information are passed during phase 2:
      • IPsec type/mode
      • DH additional exchange if specified
      • PFS
      • Symmetric key algorithm/Hashing Algorithm
      • Lifetime before Rekey
  • Route Based site-to-site VPN
    • VPN setup depends on the need and requirements of each site and the company configuration
    • Each tunnel interface will support up to ten (10) IPSec tunnels

Configuring site-to-site tunnels

  • Phase 1 IKE Gateway Configuration
    • Create the IKE Gateway under Network > Network Profiles > IKE Gateways
    • Simple tunnels (PAN to PAN) only require the interface, IP and PSK.
    • If the firewall uses a dynamic IP address (PPPoE DSL for example), leave the local IP address field blank.
    • Certificate PKI authentication is supported, with the following Limitations:
      • Maximum level of cert chain is 5
      • CRL over LDAP is not supported
      • Supported ID Types include: FQDN, IP Address, KeyID (Binary format ID Hex string),Email/User FQDN
      • If none is specified, local IP is used.
  • Phase 1 IKE Gateway Advanced Options
    • Configured under Network > Network Profiles > Ike Gateways > Advanced Options
    • Enable Passive Mode – will not initiate connections, only receive incoming requests
    • Enable NAT traversal – UDP encapsulation used on IKE and UDP protocols, allows them to pass through intermediate NAT devices (upstream routers for example)
    • Exchange Mode Options
      • Auto (default) allows both Main and Aggressive
      • Main: Used for fixed IP tunnels where the IP’s on each end will not change
      • Aggressive: Used when one endpoint has an IP address that may change, such as an ISP that provides a DHCP address
      • Both sides must have the same mode set
    • Ike Crypto Profile
      • By default, the crypto profile is set to AES-128-CBC, 3DES, SHA1
      • A custom IKE crypto profile can be created under Network > Network Profiles > IKE Crypto
    • Enable Fragmentation
      • Allows the local gateway to receive fragmented IKE packets – max is 576 bytes
    • Dead Peer Detection
      • Identifies and confirms that the remote peer is alive and responding by sending a request to confirm, and receiving a response. If no response, the tunnel is torn down.
  • Phase 1 IKE Cryptographic Profiles
    • Both peers must match a cryptography for the tunnel to be established.
    • Specify the DH group for asymmetric key exchange
    • Multiple encryption types can be set to help match with a peer
    • Multiple Authentication types can be set
  • Phase 2 IPSec Cryptographic Profiles
    • Configured under Network > Network Profiles > IPSec Crypto
    • Set the IPSec Protocol (ESP or AH)
    • Encryption type (must match remote peer)
    • Authentication (MD5, SHA1, SHA256, SHA384, SHA512)
    • Set the DH Group
    • Set Lifetime
    • (Optional) Set the lifesize, which will re-establish the tunnel after a certain amount of traffic has passed and the tunnel will rekey. This is to help prevent session data decryption of sniffed packets if one key has been captured.
  • VPN Tunnel Interface
    • Configured under Network > Interfaces > Tunnel tab
    • Each Tunnel interface represents an individual tunnel connection
    • Must be added to a security zone and a VR
    • Does not require an IP address, but one is needed if the tunnel will participate in dynamic routing protocols (OSPF, BGP) or if the tunnel monitor is enabled.
  • Phase 2 IPsec Tunnel
    • Configured under Network > IPSec Tunnel
    • Name the Tunnel with a clear identifier
    • Specify the IKE Gateway and IPSec Crypto Profile (also called ‘phase 2 proposal’)
    • ‘Show Advanced Options’ checkbox will show further configuration items:
      • Enable Replay protection – adds sequence numbers to packets so that a replay of captured packets to an IPSec device are discarded if not the expected packet numbers
      • Tunnel Monitor – Only available if the Tunnel interface has an IP address. Sends Ping traffic to a specified IP across the tunnel to validate the route/path is valid.
      • A monitor profile can be configured to send pings over the tunnel in an attempt to restore the session, or to fail over to another routing path.
      • Monitor profiles can be configured under Network > Network Profiles > Monitor
    • The Proxy ID tab on the IPSec configuration page can be used to specify a local and remote proxy ID if needed, and a specific protocol of allowed traffic can be set if needed (TCP, UDP, Non-IP protocol number, or Any). By default, the proxy ID is 0.0.0.0/0
  • Static Route for VPN
    • Configured under Network > Virtual Routers > Add > Static Routes > IPv4
    • Add the Static route remote destination network, specifying the tunnel interface of the VPN
    • Next-Hop not required, but can be specified if needed
    • Any admin distance or metric adjustments
    • This step is not required if Dynamic routing will be used through the tunnel.
  • Validating Connectivity
    • Under Network > IPSec Tunnels
    • The status will show green if the tunnel has established and is active.
    • Clicking on ‘Tunnel Info’ will provide details about the tunnel.

IPSec Troubleshooting

  • First step is to double-check all the settings in the IKE and IPSec sections. Talk to a rubber duckie!
  • Check under Network > IPSec Tunnels
    • Tunnel Status red indicates that IPSec Phase 2 is not available or expired.
    • Ike Gateway Status green indicates Phase 1 is established, red indicates it has failed.
    • Note that Tunnels are only up/established when traffic is needed to cross them (except when Monitoring is used, this will keep the tunnel active).
    • The test VPN command can be used to test a VPN:
      • IKE Phase 1 test: test vpn ike-sa gateway <name>
      • show vpn ike-sa gateway <name> to check status
      • IPSec Phase 2 test: test vpn ipsec-sa tunnel <name>
      • show vpn ipsec-sa tunnel <name> to check status
      • To validate traffic flow, use the show vpn flow command.
  • Troubleshooting from the responder side makes issues easier to track down
    • VPN error messages can include:
      • Wrong IP – Incorrect IP in P1 config, or cannot communicate/route to the IP
      • No matching P1/P2 proposal – double check IKE/IPSec and encryption settings
      • Mismatched Peer ID – Able to communicate, but Peer IDs do not match
      • PFS group mismatch – Check/update PFS DH Group
      • Mismatched Proxy ID – generally caused by a mismatch with policy-based VPNs
    • The System Log records the attempts and can be used to troubleshoot the errors
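The crypto-profile rules (both peers must share a DH group, cipher and hash; several can be listed to help match a peer; proxy IDs and PFS groups must line up) and the error list just above can be tied together in one model. The code below is an added example, not PAN-OS code or Palo Alto's negotiation logic: it picks the first initiator proposal the responder accepts, uses the shorter lifetime, and reports the mismatch names the notes use. The profile/gateway classes and the HQ/branch sample configs are constructed for this example.

```python
"""IKE/IPSec proposal matching and the mismatch errors listed in the notes."""
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple


@dataclass(frozen=True)
class IkeCryptoProfile:
    """Phase 1 proposal set; several DH groups, ciphers and hashes can be listed."""
    dh_groups: Tuple[str, ...]
    encryption: Tuple[str, ...]
    authentication: Tuple[str, ...]
    lifetime_seconds: int


@dataclass(frozen=True)
class IpsecCryptoProfile:
    """Phase 2 proposal set: protocol, ciphers, hashes, PFS group and lifetime."""
    protocol: str                  # "esp" or "ah"
    encryption: Tuple[str, ...]
    authentication: Tuple[str, ...]
    pfs_group: str                 # e.g. "group14"; "no-pfs" when PFS is off
    lifetime_seconds: int


@dataclass(frozen=True)
class IkeGateway:
    name: str
    local_id: str                  # peer IDs, usually the public IPs of each end
    peer_id: str
    ike: IkeCryptoProfile
    ipsec: IpsecCryptoProfile
    local_proxy: str               # proxy ID ("encryption domain"), e.g. "10.1.0.0/16"
    remote_proxy: str


class NegotiationError(Exception):
    pass


def negotiate_phase1(initiator: IkeCryptoProfile, responder: IkeCryptoProfile) -> Tuple[str, str, str, int]:
    """First initiator proposal the responder also supports wins; the shorter
    lifetime is used (this model's simplification)."""
    for dh, enc, auth in product(initiator.dh_groups, initiator.encryption, initiator.authentication):
        if dh in responder.dh_groups and enc in responder.encryption and auth in responder.authentication:
            return dh, enc, auth, min(initiator.lifetime_seconds, responder.lifetime_seconds)
    raise NegotiationError("No matching P1 proposal")


def negotiate_phase2(initiator: IpsecCryptoProfile, responder: IpsecCryptoProfile) -> Tuple[str, str, str, int]:
    if initiator.protocol != responder.protocol:
        raise NegotiationError("No matching P2 proposal")
    if initiator.pfs_group != responder.pfs_group:
        raise NegotiationError("PFS group mismatch")
    for enc, auth in product(initiator.encryption, initiator.authentication):
        if enc in responder.encryption and auth in responder.authentication:
            return initiator.protocol, enc, auth, min(initiator.lifetime_seconds, responder.lifetime_seconds)
    raise NegotiationError("No matching P2 proposal")


def diagnose(initiator: IkeGateway, responder: IkeGateway) -> List[str]:
    """Errors, named as in the notes, that this pair of configs would produce;
    an empty list means both phases and the proxy IDs line up."""
    errors: List[str] = []
    if initiator.peer_id != responder.local_id or responder.peer_id != initiator.local_id:
        errors.append("Mismatched Peer ID")
    try:
        negotiate_phase1(initiator.ike, responder.ike)
    except NegotiationError as exc:
        errors.append(str(exc))
    try:
        negotiate_phase2(initiator.ipsec, responder.ipsec)
    except NegotiationError as exc:
        errors.append(str(exc))
    # Proxy IDs must mirror each other: my local is your remote and vice versa.
    if initiator.local_proxy != responder.remote_proxy or initiator.remote_proxy != responder.local_proxy:
        errors.append("Mismatched Proxy ID")
    return errors


# Constructed sample configs (documentation address ranges, not real sites).
HQ = IkeGateway(
    "hq", local_id="203.0.113.1", peer_id="198.51.100.7",
    ike=IkeCryptoProfile(("group14", "group2"), ("aes-256-cbc", "aes-128-cbc"), ("sha256", "sha1"), 28800),
    ipsec=IpsecCryptoProfile("esp", ("aes-256-cbc", "aes-128-cbc"), ("sha256",), "group14", 3600),
    local_proxy="10.1.0.0/16", remote_proxy="10.20.0.0/16")
BRANCH_OK = IkeGateway(
    "branch", local_id="198.51.100.7", peer_id="203.0.113.1",
    ike=IkeCryptoProfile(("group14",), ("aes-128-cbc",), ("sha256",), 28800),
    ipsec=IpsecCryptoProfile("esp", ("aes-128-cbc",), ("sha256",), "group14", 3600),
    local_proxy="10.20.0.0/16", remote_proxy="10.1.0.0/16")
BRANCH_BAD = IkeGateway(  # wrong PFS group, and a /24 proxy ID where HQ expects a /16
    "branch-bad", local_id="198.51.100.7", peer_id="203.0.113.1",
    ike=BRANCH_OK.ike,
    ipsec=IpsecCryptoProfile("esp", ("aes-128-cbc",), ("sha256",), "group2", 3600),
    local_proxy="10.20.0.0/24", remote_proxy="10.1.0.0/16")


if __name__ == "__main__":
    print("phase 1:", negotiate_phase1(HQ.ike, BRANCH_OK.ike))
    print("good pair:", diagnose(HQ, BRANCH_OK) or "tunnel comes up")
    print("bad pair:", diagnose(HQ, BRANCH_BAD))
```

HQ lists two ciphers and two hashes, so the branch's single aes-128-cbc/sha256 proposal still matches, which is the "multiple types to help match a peer" point from the crypto-profile notes; the bad branch shows the PFS and proxy-ID errors surfacing exactly as the troubleshooting list names them.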

Source: User submitted post


Overview

  • GlobalProtect: Solution to VPN Issues
    • Extends NGFW to endpoints
    • Delivers full traffic visibility
    • Simplifies Management
    • Unifies policies
    • Stops Advanced Threat
  • Components
    • Portal – Provides Management functions for GP; every client connecting to GP receives configuration information from the portal
    • Gateways – Provide Security Enforcement for traffic
      • External gateways provide security enforcement and VPN Access
      • Internal Gateways apply security policy for access to internal resources
  • Connection Sequence
    • GP client connects to the portal for authentication
    • After auth, the portal sends the configuration and list of GP Gateways
    • Client will connect to the portal with the best SSL response time
    • If the client is not installed, it will ask to be downloaded and installed
    • When the client is installed, the client will connect to the selected gateway.
  • GlobalProtect in the Cloud
    • Infrastructure can be extended using AWS VM-series. When a Portal is contacted, it can provide an AWS Gateway as an option.
  • Simple Topology
    • Requires at least one portal and one gateway.
      • In small deployments this can be on the same device.
      • If Portal and Gateway share a single system, only one certificate is needed for the firewall.
  • Advanced Topology
    • Multiple Gateways can be configured for performance and global deployments.
      • The chosen gateway is the fastest responder.
      • Only one Portal can be configured and active.
      • If Portal goes down, existing users can log into a cached gateway.
      • If Portal is down, no new clients can connect, and no new configuration changes can be sent out to existing users.
      • If the portal is down, either restore it, or activate a portal at another location.
  • Determining External or Internal Gateways
    • The portal may provide an IP and DNS to determine if the client is inside or outside the network
      • This should be a hostname that can only be resolved internally
      • If the IP resolves (reverse lookup) to that hostname, the internal gateway is used.
      • If the IP is not resolvable, the external gateway is used.
  • GP for Internal Users
    • Internal Gateways are useful for enforcing group based policies, or access to restricted or confidential data.
    • Examples include: Enforcing access to Engineering to Code and Bug DB’s, While blocking access to Finance and HR to that resource.
    • Profiles on the gateway can allow only certain LDAP/AD group members
      • Can also enforce HIP checks for AV/OS Patching/etc
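The client-side decisions described above (use the portal's configuration or a cached copy when the portal is down, classify the client as internal or external by reverse-resolving the detection IP, then choose the gateway by priority and fastest response while skipping manual-only gateways) as an added Python model. This is example code, not the GlobalProtect agent's logic or any Palo Alto code; the classes, the priority tiers, and the sample portal configuration are constructed for this example.

```python
"""Client-side GlobalProtect gateway choice as the notes describe it."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PRIORITY_RANK = {"highest": 0, "high": 1, "medium": 2, "low": 3, "lowest": 4}


@dataclass(frozen=True)
class Gateway:
    name: str
    kind: str                      # "internal" or "external"
    priority: str                  # key of PRIORITY_RANK, or "manual" (never auto-selected)
    response_ms: Optional[float]   # measured by the client; None = did not respond


@dataclass(frozen=True)
class PortalConfig:
    detection_ip: str              # internal host detection: IP the client reverse-resolves
    detection_hostname: str        # hostname that only internal DNS returns for that IP
    gateways: Tuple[Gateway, ...]


def is_internal(reverse_dns: Dict[str, str], cfg: PortalConfig) -> bool:
    """Reverse lookup of the detection IP must return the configured hostname."""
    return reverse_dns.get(cfg.detection_ip) == cfg.detection_hostname


def pick_gateway(cfg: PortalConfig, kind: str) -> Optional[str]:
    """Best priority tier first, then fastest response; manual-only and
    unresponsive gateways are skipped."""
    candidates = [g for g in cfg.gateways
                  if g.kind == kind and g.priority != "manual" and g.response_ms is not None]
    if not candidates:
        return None
    return min(candidates, key=lambda g: (PRIORITY_RANK[g.priority], g.response_ms)).name


def connect(portal_reachable: bool, portal_cfg: PortalConfig,
            cached_cfg: Optional[PortalConfig],
            reverse_dns: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Use the portal's config when it answers, otherwise the cached copy; then
    classify the location and pick a gateway of that kind."""
    if portal_reachable:
        cfg, source = portal_cfg, "portal"
    elif cached_cfg is not None:
        cfg, source = cached_cfg, "cache"
    else:
        return {"status": "portal unreachable and no cached configuration",
                "source": None, "location": None, "gateway": None}
    location = "internal" if is_internal(reverse_dns, cfg) else "external"
    gateway = pick_gateway(cfg, location)
    return {"status": "connected" if gateway else "no usable gateway",
            "source": source, "location": location, "gateway": gateway}


# Constructed sample data (not from any real deployment).
SAMPLE_CONFIG = PortalConfig(
    detection_ip="10.0.0.5",
    detection_hostname="gp-detect.corp.example",
    gateways=(
        Gateway("gw-internal", "internal", "highest", 5.0),
        Gateway("gw-us", "external", "high", 80.0),
        Gateway("gw-eu", "external", "high", 40.0),
        Gateway("gw-dr", "external", "highest", None),     # configured but not answering
        Gateway("gw-manual", "external", "manual", 5.0),   # fast, but manual-only
    ),
)
INSIDE_DNS = {"10.0.0.5": "gp-detect.corp.example"}   # what internal resolvers return
OUTSIDE_DNS: Dict[str, str] = {}                      # public DNS has no PTR for 10.0.0.5


if __name__ == "__main__":
    print(connect(True, SAMPLE_CONFIG, None, INSIDE_DNS))
    print(connect(True, SAMPLE_CONFIG, None, OUTSIDE_DNS))
    print(connect(False, SAMPLE_CONFIG, SAMPLE_CONFIG, OUTSIDE_DNS))
    print(connect(False, SAMPLE_CONFIG, None, OUTSIDE_DNS))
```

The four calls at the end walk the cases in the notes: an inside client lands on the internal gateway, an outside client on the fastest responding external gateway of the best priority tier (`gw-dr` is higher priority but silent, `gw-manual` is faster but manual-only), a client with a cached configuration still connects while the portal is down, and a new client with nothing cached cannot.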

Preparing the firewall for GlobalProtect

  • Certificates:
    • Certificate Authority Certificate (Optional)
    • GP Portal certificate
    • GP client certificate (optional)
    • A public CA certificate should be used for external users to provide the correct authority and security for the Portal.
    • Portal will include the public server certificate, and the client certificate and key.
    • GP users use the client certificate to identify the client.
  • Authentication Server Profile
    • Authentication servers are used to authenticate users. An existing Server Authentication profile can be used.
      • This is done under Device > Authentication Profile
  • Agent Software
    • Under Device > GlobalProtect Client
      • Review the currently installed and activated GlobalProtect client version
      • New versions can be downloaded and activated from this page
      • GP Client software only needs to be updated and activated on the portal, not on the gateways.

Configuration: GP Portal

  • GP Portal
    • Authenticates users using GP
    • Ability to create and store custom client configurations
    • Maintains a list of internal and external gateways
    • Manages CA Certificates for client validation of gateways
  • Configuration
    • Configuration is done under Network > GlobalProtect > Portals > General
    • A Portal must be configured on an L3 interface.
    • Custom pages can be created and uploaded to the firewall under Device > Response Page
      • Access to the Portal Login page can also be disabled (via browser on 443).
      • This does not impact the GP Client connections, they can still connect.
      • Clientless VPN’s need portal page to be accessible.
  • Portal Authentication
    • This is under Network > GlobalProtect > Portals > Add > Authentication
      • Portal Configuration Authentication profile is used to authenticate users
      • Certificate profiles are used if certificates are used for client validation. If not using certificates, select ‘none’.
      • Authentication Message is an optional entry of up to 50 characters in length, to provide a message such as what kind of credentials to use.
  • Agent configuration
    • For certificate logins: A root CA must be specified under the Agent tab. If a gateway gives a certificate that is not from the listed CA, the login is rejected
    • Multiple configurations can be done for different groups. For example, a config for field users, and another for office users.
    • The internal portal can be configured under the Internal tab. These gateways need to be manually defined.
    • On the external gateway, the connection is made by the fastest response time and priority. A checkbox is available to manually select a tunnel.
    • Gateways that are set as ‘manual only’ are not provided for consideration for the fastest SSL response.
    • Three Types of App connection Methods are supported:
      • On Demand: Users connect when they need to, and disconnect when completed.
      • User-Logon: Automatically connects when the user logs in
      • Pre-Logon: GP connects before the user has entered credentials, to keep the system secured, and updates the user login information when they supply credentials.
  • Clientless VPN
    • Users can log in through a browser to access specific configured applications. Examples can be web-based email, internal web apps.
    • Applications can be published under Network > GlobalProtect > Portals > Clientless VPN > Application > Add
      • Group Mappings need to be configured prior to this point in order to use group mappings.

Configuration: GP Gateway

  • The GlobalProtect Gateway is configured under Network > GlobalProtect > Gateways
  • Select the L3 interface to use with the gateway, and the IP Address (if different from the interface IP)
  • The tunnel tab will be needed if you are configuring an external gateway; optional for internal gateways.
  • Agent configuration
    • Check the ‘Tunnel Mode’ to enable tunneling (for external gateways; not needed for internal but can be used).
    • Tunnel settings will include the tunnel interface.
      • Enable IPSec, or uncheck to enable SSL. If IPSec is selected but not able to connect, it will fall back to SSL automatically.
    • Timeouts can be set for inactive connections to be disconnected.
    • A group name and password can be used in place of certificates to authenticate third-party VPN clients
  • IP Pools Tab
    • When configured in Tunnel mode, it functions as a DHCP client.
    • Pools are only available if tunnel mode is enabled.
  • Split Tunneling
    • NOT recommended; This will allow internal traffic to go up the tunnel, and internet traffic out the local network.
    • Can be set to not allow any local network access (no access to home devices/printers/etc).
  • Network Services Tab can be used to override the local settings of DNS, WINS and DNS Suffixes with the settings of the interface selected for the ‘inheritance source’ (aka the interface selected) field.
  • User-ID can be used to map users to username to IP. This info is added to the User-ID list to show in the logfiles. Can also be used in internal networks to validate only specific users and authenticated users have access to specific systems.

Configuration: GP Agents

  • The agent runs on Windows, Mac and Linux, and is available as an app for iOS and Android (HIP check license required for iOS/Android).
  • Agent must be installed on client device. The portal will provide a download link after a successful login to the portal webpage.
  • Agent can be open or locked down depending on administrator.
    • FQDN or IP, and login/password, are the minimum requirements if not already configured. Username can be left blank if using SSO.
    • A right-click on the icon shows the options available. Connect To defaults to ‘auto discovery’ to find the fastest gateway; a gateway can also be selected manually.
  • X-auth can be configured (only configurable if Tunnel Mode and IPSec enabled)
    • Third-party X-Auth clients can connect to a GP gateway, such as the IPSec VPN client on iOS/Android and the VPNC client on Linux
    • Provides simplified access
    • If group name and group password are populated, then the group name/password must be entered first, THEN the auth profile credentials are used. If the group name/password is left blank, a certificate must be used for the first authentication.
    • By default, re-authentication is not required when the IKE rekey timer expires; the check box can be set to skip auth on rekey.
  • System Logs show the GP connection logs.
    • Available Under Monitor > Logs > System, a log filter of ‘subtype eq globalprotect’ will show the GP connections.
      • The traffic logs are under the standard Monitor > Logs > Traffic.

Source: User submitted post

User-ID Overview

  • Identify users by username and user group
  • Create policies and view logs/reports based on user/group name
  • Used in combination with App-ID, it allows very granular control
  • Can be used to profile identified vs. non-identified users for policy control
  • Before User-ID is ready for use, the FW needs the user and group mapping to match users to IPs
  • Components for User-ID include:
    • PAN Firewall
    • PAN-OS integrated User-ID agent
    • Windows Based User-ID Agent
    • Terminal Services Agent
    • (other options – see below)
  • Integrated Vs Windows-Based Agents
    • Windows Agent uses Windows RPC to read the full security logs
      • Recommended for local deployments with the Windows Servers and Firewalls in the same physical network
    • Integrated Agent uses Windows WMI to read security logs to map Username to IP
      • Uses much less bandwidth
      • Uses more of the FW CPU
      • Better for remote deployments of firewalls in small offices, labs, etc.

User Mapping Methods Overview

  • Multiple methods are available; which to use depends on the operating systems, apps and infrastructure
    • Can monitor Windows DCs, Exchange servers, or Novell eDirectory for user authentication session tables
    • Probes Windows clients for file/printer mappings
    • Captive Portal/GP Logins
    • Terminal Services Agents for Windows RDP/Citrix
    • Syslog login/logout messages from NAC, 802.1x and wireless ACs
    • Pan-OS XML API for devices that can send XML to the firewall.
  • For User-ID to function, it must be enabled on the zone
  • User-ID can monitor Syslog server for actions to map users, when syslog messages are received from systems such as:
    • Unix/Linux Authentication
    • 802.1x Authentication
    • The Windows-based and the integrated User-ID agent can both parse the syslogs to help map users to IPs
    • Multiple Profiles can be configured to read from different sources.
  • Domain Controller Monitoring
    • Monitors the Security Log of DC’s
    • Continuously monitors logs for all login/logout events
      • DCs must be configured to log successful logon events
      • All DC’s must be configured
    • An agent can only monitor one domain; for multiple domains, multiple agents would be needed.
    • Users who access file and printer shares also have those connection events read from the log to map their user ID
  • User-ID can be configured to use WMI to probe Windows systems
    • This is useful for laptops and devices that may change IPs semi-frequently.
    • NetBIOS probing is an option and is supported.
    • WMI Probes are performed every 20 minutes (default)
  • Global Protect
    • GP will provide User-ID with username/IP when they log into the gateway
  • User ID Mapping Recommendations
    • User ID Agent is used for DC, Exchange, eDirectory, Windows file/print shares, Client probing and Syslog Monitoring
    • The Terminal Services agent is used for multi-user systems such as MS Terminal Server and Citrix MetaFrame/XenApp
    • Captive Portal maps usernames to IP’s for users that do not login to a windows domain
    • GlobalProtect maps usernames/IP’s for remote users
    • The XML API is for non-User-ID devices and systems that can export XML data

Configuring User-ID

  • Enable User-ID by the zone
    • Check the ‘Enable User Identification’ on the Network > Zones > (zone name)
    • Only enable it on inside-facing zones; on an outside-facing zone it would attempt to identify any user on the internet.
    • By default, all subnets in the source zone are mapped; the include/exclude list can be modified to include or exclude custom subnets
    • If WMI probing is enabled, it will only probe RFC 1918 IP ranges (10/8, 172.16/12, 192.168/16); to probe external IPs, they must be added to the include list.
  • Configure user mapping methods
  • Configure group mapping (optional)
  • Modify FW Policies for user/group matching

PAN-OS Integrated Agent configuration

  • On the DC, create a service account with the required permissions
  • Define the addresses of the servers on the firewall
    • An autodiscover option for Windows DCs based on the domain name (under Device > Setup > Management > General Settings) is also available
  • Add the service account to monitor the server(s)
    • Added under Device > User Identification > User Mapping; username should be entered as domain\account
    • Consult the Administrators guide for specific groups needed for your version of Windows server.
  • Configure session monitoring (optional)
    • Enable session monitoring under Device > User Identification > User Mapping > Server Monitor Tab
    • This option enables the File/Print Sharing mapping to account and IP address
  • Configure WMI Probing (optional)
    • Enable WMI Client Probing under Device > User Identification > User Mapping > Client Probing tab
    • This will enable a probing of the clients every 20 minutes, to validate the same user is still logged into the same IP address
    • When an IP is found with no User-ID account, it sends it to the Agent for an immediate probe
    • WMI doesn’t probe any IPs outside of RFC 1918; to probe any other IPs, add them to the include list in the zone.
    • File and Print sharing must be enabled on the client for this to function.
  • Commit the configuration and validate agent connectivity
    • After commit, each server specified under Device > User Identification should show as connected. If not, troubleshoot the connection from the agent to the DC, check service account rights, and confirm network connectivity

Windows-based agent configuration

  • Installation information:
    • Can be installed on 32 and 64-bit systems, XP SP3 or later
    • Should be installed in the same physical network as the servers to optimize bandwidth
    • Should be installed on at least 2 domain members for redundancy
    • Recommended that it should NOT be installed on the domain controller itself (best practice).
  • Download the agent software from PAN’s support site.
    • Check the Release notes for details on supported OS’s for the version you are downloading
    • MSI can also be used in SCCM to push to multiple locations
  • In the Agent Application after installation:
    • Click Setup on the left-side to change any of the settings
      • Save will save but not activate
      • Commit will implement all changes
    • TCP Port 5007 is the default port
  • Should run with a service account with proper rights.
    • For specifics, check the Administrators guide or the support website.
  • Server Monitoring tab can be used to enable the security sessions reader
  • Client Probing tab can be set to enable WMI probing.
    • Sends a probe to each known IP to validate the same user is logged in. Each is probed once per interval (20 minutes is default)
    • NetBIOS can be enabled; is used for backwards compatibility with XP and earlier versions of windows. Needs to have port 139 open for communication.
  • Under Discovery on the left side, the ‘Auto-Discover’ button will try to automatically add the DCs; alternatively, manually add the servers you want to probe.
  • The firewall must be configured for each agent. This is done under Device > User Identification > User-ID Agents > Add
    • For Panorama setups that will gather the User-ID info, select ‘serial number’
    • For Windows agents, select ‘Host Port’. If you change the port the agent uses, this is where it can be updated on the PAN side.
  • Validate connectivity both on the agent and the firewall. Both should be green showing connection is working.
  • The Monitoring section on the left side of the agent will show a list of current IP to User-ID mapping
  • On the firewall CLI, the mappings can be viewed with:
    • show user user-id-agent statistics
    • show user user-ids
    • show user ip-user-mapping all
    • show user ip-user-mapping ip <ip/netmask>

Configuring Group Mapping

  • Server profiles define which LDAP servers will be contacted, in which order, and where to search the directory tree.
    • Defaults to port 389; if SSL is configured on the server, then 636 is available.
    • Type is the type of LDAP Server
    • Base DN should auto-populate when you click the drop-down menu
      • To check the Base DN manually, on the server open the Active Directory Domains and Trusts MMC snap-in and look at the name of the top-level domain
    • Bind DN and Password will be used to auth users and read the LDAP directory. The Bind DN will depend on your DC configuration
      • If Universal Groups are used, the GC must be used to capture group memberships, and the LDAP port must be set to 3268
    • Bind, Search and Retry timeouts can be changed
  • To configure Group Mapping, open Device > User Identification > Group Mapping Settings > Add
    • Select the server profile for your AD/LDAP server profile
    • The domain setting is generally blank; only enter a name if NetBIOS needs to override.
    • Groups objects should be dynamically populated by the LDAP server; these can be manually changed to look in specific locations.
  • Group include list will allow you to filter specific groups to be included. If no groups are added to the ‘included groups’ section, then all groups are added.
    • It is recommended if you have a large/complex tree/forest, to specify groups. This will reduce search time and CPU utilization.
  • Custom groups allow you to define attribute filters so that users matching certain criteria are grouped without being in a specific LDAP/AD user group.
    • Examples could be: Department=Sales, City=Dallas, etc.
    • This avoids the need for an AD admin to create or modify the existing structure.
    • User-ID also logs custom groups.

User-ID and Security Policy

  • In the security policy rules, the options under the Users section are:
    • Any: Any user if they match the rest of the rule criteria
    • pre-logon: used with certain GP configurations and implementations
    • known-user: a known/mapped user
    • unknown: an unmapped/unmatched user/ip address
    • select: a specific user or group specified
    • Note: The source IP and the source user are processed with a logical AND condition. So the user ID and the source IP range must match.
      • This can be used in places to allow access only if someone is connected to a network segment that is physically on-site at an office, and block access if someone is connected via GP or other VPN.
    • A small office can base rules on individual users; in larger environments, groups are the better basis for rules.

Wildfire Concepts

  • When the firewall receives a file:
    • It will check to see if it is signed by a trusted signer.
    • If there is no signature, it creates a hash of the file to check whether it has already been sent to Wildfire
      • If not already submitted, it will check if it is below the maximum file size configured to be uploaded to WF
      • If exceeded max size, it is allowed through the firewall
      • If under the max size, it is uploaded and checked by Wildfire, and the verdict is sent to the firewall.
    • The Types of verdicts assigned to files scanned by wildfire include:
      • Benign – Found to be safe and pose no risk
      • Greyware (introduced in PAN-OS 7.0) – No security threat but may display obtrusive behavior; adware, spyware, browser helper objects.
      • Malware – the file contains a malicious payload; viruses, worms, trojans, rootkits, botnets and remote access tools.
      • Phishing (introduced in PAN-OS 8.0) – scans links in emails to determine if the site is a site to phish for credentials or other personal data
    • File attachments and URLs in emails are also scanned and will be categorized in one of the options above.
  • When files and URL’s are submitted to wildfire, new signatures are generated and are available for download within 24-48 hours as content updates.
  • Two types of wildfire subscription service
    • Standard Subscription: All systems running PAN-OS 4.0+ can access the Wildfire standard subscription service (analysis in an XP or Win7 VM)
      • Includes Windows PE Analysis: EXE, DLL, SCR, FON, etc
      • AV signature delivered daily dynamic content updates (requires Threat prevention license)
      • Automatic file submission
    • Wildfire Licensed Service get standard features plus:
      • Additional file types scanned, including MSOffice files, PDF, JAR, CLASS, SWF, SWC, APK, Mach-O, DMG, and PKG
      • Wildfire signature files updated every 5 minutes
      • API File submission
      • Wildfire private cloud appliance: WF-500
  • Wildfire Private Cloud
    • The WF-500 is a Wildfire private cloud appliance, based on a Win7 64-bit image, hosted on your own network.
    • Locally analyzes files forwarded from the FW or from the PAN XML API
    • Signatures can be generated locally. Benign and Greyware never leave the network.
    • You have the option to forward malware to the wildfire cloud for signature generation.
    • Signature updates every 5 minutes.
    • Supports XML API
    • Does not support Phishing; all positive matches are classified as ‘malware’.
    • Content updates can be installed manually or automatically
  • Hybrid Cloud
    • Combines local and cloud solutions. WF-500 can analyze sensitive files locally, and less sensitive files can be uploaded to wildfire for analysis.

Configuring and Managing Wildfire

  • Configured under Device > Setup > Wildfire
    • Default cloud is wildfire.paloaltonetworks.com (other clouds for different regions are available)
    • If you have a WF-500 locally, you can specify the IP on this screen
    • Can also specify the maximum size files to upload; anything larger is permitted.
    • Can report benign and greyware by selecting the checkboxes
    • Decrypted content is not forwarded to Wildfire by default; this can be set under Device > Setup > Content ID > Content ID settings to enable ‘allow forwarding of decrypted content’
  • Under Device > Setup > Wildfire, you can specify what information is reported to wildfire. This can include information such as source/dest IP, ports, VSYS, Application, User, etc.
  • Wildfire submission is activated by being added to a firewall security policy rule. This is added on the action tab in the rule details.
    • Logs for submissions to wildfire are set under: Monitor > Logs > Wildfire Submissions
  • A wildfire Analysis profile is created under Objects > Security Profiles > Wildfire Analysis
    • A pre-configured default profile is included, that can be cloned/modified, or a new from-scratch profile can be created.
    • File types can be sent to a specific destination (public, private or hybrid). Example: JAR can be sent to the cloud, while DOCX stays on a local WF-500 appliance.
  • The profile can be added as an individual or as part of a group
    • If a file block profile blocks a file, the file is not sent to wildfire for analysis.
  • Updates are available under Device > Dynamic Updates. With a Wildfire license, you can set updates from every minute to every hour. Without a license, it can be set to update once a day.
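As an added example (not PAN-OS code), the Go model below walks constructed sample files through the checks described under Wildfire Concepts (trusted signer, hash lookup, maximum upload size) together with the analysis profile's per-type destinations and the file blocking precedence described in this section. The extensions, signer names and the 1 KiB cap are assumed sample configuration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path"
	"strings"
)

// Verdict is a WildFire category; Greyware arrived in PAN-OS 7.0, Phishing in 8.0.
type Verdict string

const Benign, Greyware, Malware, Phishing Verdict = "benign", "greyware", "malware", "phishing"

// Destination is where the analysis profile sends a given file type.
type Destination string

const PublicCloud, PrivateCloud Destination = "public-cloud", "private-cloud" // private = local WF-500

// File is a constructed stand-in for a file crossing the firewall.
type File struct {
	Name   string
	Data   []byte
	Signer string // "" when unsigned
}

// Decision is the outcome for one file; Hash is empty when no hash was needed.
type Decision struct {
	Outcome string
	Verdict Verdict     // set only when an earlier verdict for this hash exists
	Dest    Destination // set only when the file is submitted
	Hash    string
}

// Inspector models the firewall-side settings the notes describe: file blocking
// profile, trusted signers, upload cap, per-type routing and known verdicts.
type Inspector struct {
	BlockedExt     map[string]bool        // file blocking profile: extensions dropped
	TrustedSigners map[string]bool        // signers whose files are passed unscanned
	MaxUploadBytes int                    // Device > Setup > WildFire size limit
	Routes         map[string]Destination // analysis profile: extension -> destination
	verdicts       map[string]Verdict     // sha256 hex -> verdict already returned
}

// Inspect applies the checks in the order the notes give them: file blocking
// first (a blocked file is never sent), trusted signer, hash lookup, size, routing.
func (in *Inspector) Inspect(f File) Decision {
	ext := strings.ToLower(strings.TrimPrefix(path.Ext(f.Name), "."))
	if in.BlockedExt[ext] {
		return Decision{Outcome: "blocked by file blocking profile; not sent to WildFire"}
	}
	if f.Signer != "" && in.TrustedSigners[f.Signer] {
		return Decision{Outcome: "allowed: signed by trusted signer"}
	}
	sum := sha256.Sum256(f.Data)
	h := hex.EncodeToString(sum[:])
	if v, ok := in.verdicts[h]; ok {
		return Decision{Outcome: "known hash: verdict reused, not re-uploaded", Verdict: v, Hash: h}
	}
	if len(f.Data) > in.MaxUploadBytes {
		return Decision{Outcome: "allowed: exceeds maximum upload size", Hash: h}
	}
	dest, ok := in.Routes[ext]
	if !ok {
		return Decision{Outcome: "allowed: type not selected in analysis profile", Hash: h}
	}
	return Decision{Outcome: "submitted for analysis", Dest: dest, Hash: h}
}

// RecordVerdict stores the verdict WildFire returned so identical content is
// recognised by hash next time instead of being uploaded again.
func (in *Inspector) RecordVerdict(hash string, v Verdict) {
	if in.verdicts == nil {
		in.verdicts = map[string]Verdict{}
	}
	in.verdicts[hash] = v
}

func main() {
	in := &Inspector{ // constructed configuration, not taken from a real device
		BlockedExt:     map[string]bool{"scr": true},
		TrustedSigners: map[string]bool{"Constructed Vendor Inc": true},
		MaxUploadBytes: 1024,
		Routes:         map[string]Destination{"jar": PublicCloud, "docx": PrivateCloud, "pdf": PrivateCloud},
	}
	files := []File{ // constructed sample files; the bytes are placeholders
		{Name: "setup.exe", Data: []byte("MZ...signed installer"), Signer: "Constructed Vendor Inc"},
		{Name: "screen.scr", Data: []byte("MZ...screensaver")},
		{Name: "invoice.docx", Data: []byte("PK...macro document")},
		{Name: "lib.jar", Data: []byte("PK...java archive")},
		{Name: "scan.pdf", Data: make([]byte, 4096)}, // over the 1 KiB cap
		{Name: "notes.txt", Data: []byte("plain text")},
	}
	for _, f := range files {
		d := in.Inspect(f)
		fmt.Printf("%-13s %s %s\n", f.Name, d.Outcome, d.Dest)
	}
	in.RecordVerdict(in.Inspect(files[2]).Hash, Malware) // same bytes are then known by hash
	fmt.Println(in.Inspect(files[2]).Outcome, in.Inspect(files[2]).Verdict)
}
```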

Wildfire Reporting

  • Each time a file is analyzed, it reports its findings back to the firewall. The amount of information reported is configurable.
  • To verify successful uploads, you can use the CLI command:
    • debug wildfire upload-log show
      • Output should indicate a successful upload
  • Detailed reports can be viewed by clicking the magnifying glass, and the analysis report tab to get details on users, and the file details.
  • More details can be seen at wildfire.paloaltonetworks.com – this will give a breakdown of the category of findings (benign, greyware, malware, phishing).
    • Files can also be manually uploaded on this portal as well.
    • Reports button on the web portal can let you generate a custom report, and individual entries can be viewed.
    • Email reports can also be configured on this to get automatic reports.
    • If a file was found to be flagged as something other than benign, you can open the individual report, scroll to the bottom and submit a request to have it reviewed.

Decryption Concepts

  • Encrypted traffic is growing every year
  • PAN firewalls can decrypt SSHv2 and SSL/TLS inbound and outbound traffic
  • SSL Establishment includes:
    • Client – requests SSL connection
    • Server – sends server public cert
    • Client – Verifies Cert
    • Client – sends encrypted session key
    • Server – begins encrypted communications session
  • When an SSL session is first established, or needs to re-establish and rekey, this is known as PFS (Perfect Forward Secrecy)
  • The FW can act as an Outbound SSL Proxy:
    • A client initiates a session to an external server
    • The FW intercepts the connection, decrypts it, applies any security policies, re-encrypts the traffic and sends to the external server
  • The FW can perform Inbound SSL decryption (does not act as a proxy, just decrypts and inspects)
    • The internal server’s certificate and private key need to be added to the PAN firewall for this to function properly
  • The FW can perform SSHv2 Proxy for both inbound and outbound SSH traffic
    • If SSH Tunneling of another application is found, the session is blocked to prevent apps from bypassing firewall rules.
  • Public Key Infrastructure (PKI) solves issue of secure identification of public keys
    • Uses digital certificates to verify public key owners (x.509 format)
    • Typical PKI components include:
      • Root CA: Provides a service that confirms the identity and public keys of people and companies.
      • Intermediate CA: Certified by a Root CA and issues certificates; has a DB used to issue and revoke certs and to store CSRs
      • Device: Has the certificate and private key. Devices maintain a list of trusted CAs, which can be updated by admins or by system updates.
    • Certificate Chain starts with the device and ends with the Root CA. As long as there is a Root CA in the chain, the certificate can be checked as valid (or revoked).
    • Certificate Hashes can be validated to confirm that it hasn’t been intercepted and altered.
  • Firewalls use certificates for many purposes:
    • SSL/TLS
    • MGT Interface User Auth
    • Global Protect: Portal Auth, Gateway Auth, Mobile Security Manager Auth
    • Captive Portal User Auth
    • IPSec VPN IKE Auth
    • HA Auth
    • Secure Syslog Auth
  • All Certificates in a chain must be checked and validated before an SSL session is permitted
  • Checking a Certificate includes:
    • Is the signature valid
    • Is the date range valid
    • Is it intact/not malformed?
    • Has the certificate been revoked?
      • CRL (certificate revocation list) has a list of revoked certificates
      • OCSP (online cert status protocol) can check revocation status
      • Certs can be revoked for: Private key compromised, Hostname/username changed, counterfeit key found
  • A certificate signing request (CSR) is generated by the device and used by a certificate issuing authority to generate the device’s certificate. The private key generated with the CSR never leaves the device.

Certificate Management

  • Certificates are managed under Device > Certificate Management > Certificates
    • Operations supported include:
      • Generate CSR’s
      • View Certificates
      • Modify Certificate Use
      • Import/Export Certificates
      • Delete Certificates
      • Revoke Certificates
    • Different certificates have different features
      • A signing certificate is required for SSL Forward Proxy and Global Protect
    • There are 3 methods of getting a certificate on the FW
      • Generate a self-signed CA Certificate from the FW
      • Generate a CA Cert using CSR
      • Import a CA Certificate
  • The FW will sort the certificates in a hierarchy in order of the CA chain, root to intermediate to device.

SSL Forward Proxy Decryption

  • SSL Forward Proxy decryption is used to intercept and decrypt SSL sessions in order to inspect the traffic for malicious content
  • Steps in this process are:
    • Client sends request to external server through firewall
    • Firewall intercepts the SSL request
    • Firewall then contacts the external server and sends that server the FW cert
    • External server responds with its server certificate; firewall validates certificate
    • The SSL session is then established between the server and the firewall
    • The firewall then sends a copy of the remote server cert, signed with the FW SSL certificate
    • The client validates the certificates and the session continues
  • The firewall signs the certificate sent to the client with its forward trust cert if the external server’s cert is signed by a CA the FW trusts. If the server’s cert is not signed by a CA the FW knows/trusts, the FW signs with its forward untrust certificate instead, and the client is shown an untrusted warning page in their browser.
  • To configure Forward Proxy: (see PAN Docs for more details and instructions)
    • Configure a Forward Trust Certificate
    • Configure a Forward Untrust Certificate
      • Generate a new cert on the FW; it should not be trusted by SSL clients, but must be able to sign other server certs.
      • Do not copy it to clients; it should remain untrusted and unknown to any CA.
      • Select ‘CA’ checkbox on this cert
      • Configure as forward untrust cert in properties
    • Configure SSL Forward Proxy
      • Under Policies > Decryption (be sure to know what traffic is protected by local/state/national laws and cannot be decrypted).
    • A decryption profile allows checks on both decrypted traffic and traffic excluded from decryption
      • Allows blocking sessions that use unsupported protocols or cipher suites, or that require SSL client authentication.
      • Block sessions based on certificate status: revoked, unknown, expired, etc
      • After creating a profile, it can be applied to a decryption policy.
      • A default profile is provided that can be used/cloned/modified.
      • Rules for the decrypted traffic will need to be present. For example, if traffic is web-browsing, google docs, or another encrypted application setting, security policies allowing that traffic must be present or the traffic will be dropped as matching no FW rules.
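As an added example (not firewall code), the Go program below models the forward-proxy decision described above using the certificate checks listed under Decryption Concepts: it validates the external server's chain against the trusted CA store and re-issues the server's identity under a forward-trust CA when the chain is valid, or under a forward-untrust CA when it is expired or chains to an unknown CA. All CAs, hostnames and validity periods are constructed in memory; revocation (CRL/OCSP) checks are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issued pairs a certificate with its private key (all generated in memory).
type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate with the given common name and validity, signed by
// parent (self-signed when parent is nil); isCA yields a signing certificate, as
// the 'CA' checkbox does. Key/encoding failures are fatal in a demo, so panic.
func issue(cn string, isCA bool, notBefore, notAfter time.Time, parent *issued) *issued {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return &issued{cert, key}
}

// Proxy models the firewall: the CAs it trusts plus its two signing certificates.
type Proxy struct {
	Roots                        *x509.CertPool
	ForwardTrust, ForwardUntrust *issued
}

// Resign is the forward-proxy step from the notes: verify the external server's
// chain (signature, validity dates, well-formed structure) against the trusted
// CAs, then hand the client a copy of the server's identity and validity signed by
// forward-trust if the chain checked out, else by forward-untrust so the browser warns.
func (p *Proxy) Resign(server *x509.Certificate, inters *x509.CertPool, now time.Time) *x509.Certificate {
	signer := p.ForwardUntrust
	if _, err := server.Verify(x509.VerifyOptions{Roots: p.Roots, Intermediates: inters, CurrentTime: now}); err == nil {
		signer = p.ForwardTrust
	}
	// The copy carries a key the firewall holds, so it can terminate the client side.
	return issue(server.Subject.CommonName, false, server.NotBefore, server.NotAfter, signer).cert
}

// Demo builds a trusted public CA with an intermediate, a rogue CA the firewall
// does not trust, the firewall's two signing CAs and three server certificates,
// and reports which firewall CA ends up issuing each client-facing copy.
func Demo() map[string]string {
	now, year := time.Now(), 365*24*time.Hour
	root := issue("Public Root CA", true, now.Add(-year), now.Add(10*year), nil)
	inter := issue("Public Intermediate CA", true, now.Add(-year), now.Add(5*year), root)
	rogue := issue("Rogue CA", true, now.Add(-year), now.Add(5*year), nil)
	proxy := &Proxy{
		Roots:          x509.NewCertPool(),
		ForwardTrust:   issue("FW Forward Trust", true, now.Add(-year), now.Add(5*year), nil),
		ForwardUntrust: issue("FW Forward Untrust", true, now.Add(-year), now.Add(5*year), nil),
	}
	proxy.Roots.AddCert(root.cert)
	inters := x509.NewCertPool()
	inters.AddCert(inter.cert)
	servers := []*issued{
		issue("good.example.test", false, now.Add(-time.Hour), now.Add(year), inter),
		issue("expired.example.test", false, now.Add(-2*year), now.Add(-year), inter), // date range invalid
		issue("rogue.example.test", false, now.Add(-time.Hour), now.Add(year), rogue), // chains to an unknown CA
	}
	results := map[string]string{}
	for _, s := range servers {
		results[s.cert.Subject.CommonName] = proxy.Resign(s.cert, inters, now).Issuer.CommonName
	}
	return results
}

func main() {
	for host, issuer := range Demo() {
		fmt.Printf("%-22s client sees a certificate issued by %q\n", host, issuer)
	}
}
```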

SSL Inbound Inspection

  • FW Can inspect inbound SSL traffic
  • The internal server’s cert and private key must be loaded on the firewall.
  • The firewall decrypts and reads the traffic, then forwards the original encrypted traffic to the server
    • Note that the traffic will be forwarded only if it is not blocked/dropped by a security policy on the firewall.
  • To create an SSL inbound inspection policy:
    • Import the server certificate and private key into the firewall (PEM and PKCS12 formats supported)
    • Create a decryption policy under Policies > Decryption > Add – under Options, select ‘Decrypt’
    • (Optional) Create a decryption profile that can be added to the decryption policy

Other Decryption Topics

  • Some applications may not work with SSL Forward Proxy
    • Applications with client-side certs
    • Non-RFC compliant apps
    • Servers using unsupported cryptographic settings
  • If an application fails, the site is added to the excluded cache list for 12 hours
  • Decryption exclusions are apps that decryption is known to break
    • The prepopulated list is under Device > Certificate Management > SSL Decryption Exclusion
    • Custom domains can be added to this list, and wildcards are supported.
  • If the decryption policy is set to an action of ‘no-decrypt’, the profile attached to the rule can still check for expired or untrusted certificates. This can be done under ‘No Decryption’ tab in the profile.
  • Decryption Mirroring can mirror decrypted traffic to a capture device for DLP and/or network forensics
    • Requires a (free) license to activate; contact TAC support to get the license key. The key is perpetual and does not need renewal.
    • Only available on the PA-3000, PA-5000 and PA-7000 series firewall.
  • A Hardware Security Module (HSM) is hardware storage for keys, for additional security (FIPS)
    • PA-3000, PA-5000, PA-7000, and PA-VM series; Panorama VM, and M100e
  • The traffic log can be used to determine if the traffic is being decrypted by the firewall
    • This can also be done by setting a log filter of Flags ‘has’ ‘SSL Proxy’.
  • Troubleshooting SSL sessions
    • Using the log filter to search for ‘session end reason’ ‘equal’ ‘decrypt error’, you can see what sessions are not being decrypted.

URL Filtering Security profiles

  • Added to security policies that are set to ‘allow’
  • Applied to all packets over the life of a session
  • Items are logged under:
    • Monitor > Logs
    • URL Category in the logs show which category the site falls under.
    • The actions of ‘Alert’, ‘Block’, ‘Continue’ and ‘Override’ will generate a log entry
    • Filtering logs can be done with (URL contains ‘facebook’) to search for all entries with users going to facebook.
  • Rules can be created to block access to specific websites, or website categories
  • A default profile is included to be used ‘out of the box’.
  • A custom profile can be created based on your company’s internal security policies
  • A URL profile can be configured to take specific actions per each category.
  • If User-ID is configured, you can enable under the ‘User Credential Detection’ tab to log the user information to the logfiles.
  • To create a new custom URL Category, go to: Objects > Custom Objects > URL Category > Add
    • Entries are case sensitive, and subdomain considerations should be checked.
    • www.ebay.com will not block cdn.ebay.com in a block list.
    • *.ebay.com would block all ebay subdomains.
  • Block lists can be used to add sites you don’t want users to access; allow lists, sites that should always be permitted.
  • Actions available under the block list include:
    • Block: block access, access attempt is logged, and a response page is given to the user notifying them the site is blocked.
    • Continue: a response page is presented, asking the user to confirm they want to proceed. The item is logged as ‘block-continue’ when the continue page is presented, and changed to ‘continue’ if the user proceeds to the page.
    • Override: will prompt for an administrator page to override a URL block. Used for administrators and others that need a way to bypass blocks to some pages when needed.
    • Alert: allows the user to proceed without interruption, and generates an alert in the URL log.
  • Custom HTML pages can be created and uploaded to the PAN firewall.
  • Custom HTML block pages are limited to 16 KB
  • Block pages are used to provide a challenge/response or notification if a URL has an action of block, continue or override.
  • The user’s name will be displayed on the page if User-ID is enabled; otherwise the IP will be displayed.
  • If Continue or Override is used, a 15 minute timer is set to allow access to that category.
    • Timer can be changed at: Device > setup > content-id > URL Filtering
    • Admin Password can be changed at : Device > Setup > Content ID > URL Admin Override
    • Only one override password is allowed.
    • An SSL/TLS profile can be used to specify a certificate to secure the connection to the firewall if Admin override is set to ‘Redirect’
    • Transparent mode makes block pages appear to originate from the blocked website
    • Redirect will send the request to the specified IP. This IP must be an L3 interface on the firewall.
    • Safe Search can be selected under Objects > Security Profiles > URL Filtering > (profile name) under the URL Filtering Tab
      • This is based on the browser’s safe search setting
      • Log Container Page Only can be selected in this same section
      • Only the name of the page will be logged if Log Container Page is selected(helps with log containment and size)
    • Both SafeSearch and Log Container Page Only are PAN best-practice recommended settings.
  • Credential phishing protection is configured by specifying where users are allowed to submit credentials
    • Note: User ID is required for the User Credential Detection to function
    • Under Objects > Security Profiles > URL Filtering > (profile name) > User Credential Detection
  • If a URL is not categorized by the firewall, you can create a policy based on corporate security policy
    • Unknown URL’s can be allowed
    • Unknown URL’s can be alert/logged
    • Unknown URL’s can be Continued with a challenge page
    • Unknown URL’s can be set to Override with the admin password
    • Unknown URL’s can be blocked
  • Not-Resolved URL’s include sites that are not in the local cache and could not contact the PAN Cloud to check the category
    • Recommend to set to ‘alert’
    • Use the CLI command ‘show url-cloud status’ to check the cloud lookup service; it should say ‘connected’. If not connected, troubleshoot connectivity to the cloud (a service route may be needed)
  • The local URL seed database on the firewall is based on the region where the FW is installed, but doesn’t contain every URL PAN has categorized, as that would be too large. It contains the most commonly accessed URLs; others are checked ‘on demand’ against the PAN cloud DB as not-resolved.
  • If a URL is miscategorized by PAN, a request can be submitted to have it recategorized. This is done under Monitor > Logs > URL Filtering – click on the entry you want to submit, then click ‘request categorization change’ under details. Fill out all information including comments; these are human-reviewed and generally responded to within 24-48 hours.
  • A category check can be done in 2 ways:
    • By going to urlfiltering.paloaltonetworks.com and entering the URL. You can also submit a category change here
    • by going under Objects > Security Profiles > URL Filtering > Add – click ‘Check URL Category Link’

Attaching URL Filtering Profiles

  • URL Filtering can be added into Security Profile Groups with other security profiles such as AV, Vuln, File Block and Data filtering
  • Either individual profiles or groups can be assigned to a security policy rule, depending on your deployment and corporate security policy.
  • In the Security Policy, select the URL Profile or group you have created that you want to apply the policy to.
    • Reminder: only ‘allow’ policies evaluate URL profiles. Policies set to deny or block traffic will do just that.

Overview

  • Security profiles scan traffic for and protect against:
    • Software Vulnerability exploits – detects attempts to exploit known software vulnerabilities
    • Viruses – detects infected files crossing the firewall
    • Spyware – detects spyware downloads and already infected system traffic
    • Malicious URL’s – blocks URL’s known to be locations that host or assist any of the content scanned with these profiles.
    • Restricted Files and Data – tracks/blocks uploads/downloads based on application and/or file types
    • Data Filtering – identifies, logs and/or blocks specific data patterns
    • Wildfire Analysis – will upload suspect files to Wildfire for further analysis to determine if threat or benign.
  • Security profiles must be added to a security policy to be activated.
  • Security Profiles are applied to all packets for the life of a session
  • Security Profiles can be added to a group containing several security profiles for easier management, and applying specific types for specific rules.
  • Threat log keeps records of vuln, AV, Anti-SW that can be reviewed, and can be forwarded to an external log server.

Vulnerability Protection Security Profiles

  • Includes 2 predefined read-only profiles. These can be cloned to make a custom profile, or a new profile can be built from scratch.
    • Strict: a strict implementation of the profile. Used for ‘out of the box’ protection.
    • Default: applies each signature’s default action to traffic. Generally used for PoC and initial deployments.
  • Each individual vuln signature has a predefined default action. The default action can be seen under:
    • Objects > Security Profiles > Vulnerability Protection > Add > Exceptions – then select ‘show all signatures’ checkbox
  • New updates are released weekly from PAN.
  • Rules can be configured to take packet captures
  • Threat Name can be set to ‘any’ for all signatures, or to a specific string to only match signatures with that name.
  • Category can be set to Any, or to a specific CVE or Vendor ID.
  • Actions can include:
    • Allow: Permit without logging
    • Alert: Allow with Logging
    • Drop: drops and logs
    • Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session.
    • Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session.
    • Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the connection/session.
    • Block IP: blocks traffic/sessions from an IP; the time to block can be set in seconds.
  • Exceptions can be set to override the actions on rules. This is used when a false detection is blocking legitimate traffic. A list of IPs can be added to the exemptions column, which is useful for servers that may trigger false positives.

AV Security Profiles

  • A default profile is available out of the box. This is recommended for initial configurations and TAP-mode data gathering.
  • A custom profile is recommended. Options are to clone the default or make a new one from scratch.
  • The profile has predefined application decoders for common apps: FTP, HTTP, IMAP, POP3, SMB, SMTP.
  • Virus signatures are released every 24 hours by PAN.
  • Action is what will occur when a virus signature is detected.
  • Actions can include:
    • Allow: Permit without logging
    • Alert: Allow with Logging
    • Drop: drops and logs
    • Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session.
    • Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session.
    • Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the connection/session.
  • Application Exceptions can be added to the Application Exception section in the profile config screen. Any application can be added, and the action specified.
  • Packet Capture can be set to run a capture when a suspected virus is detected. This can be useful to help troubleshoot and resolve false positives.
  • The Virus Exception tab can be used to add false positives to virus detections. Add the Threat ID to the list to whitelist that pattern from having the specified action taken.

Anti-Spyware Security Profiles

  • Includes 2 predefined read-only profiles. These can be cloned to make a custom profile, or a new profile can be built from scratch.
    • Strict: a strict implementation of the profile. Used for ‘out of the box’ protection.
    • Default: applies each signature’s default action to traffic. Generally used for PoC and initial deployments.
  • Each individual Anti-Spyware signature has a predefined default action. The default action can be seen under:
    • Objects > Security Profiles > Anti-Spyware Protection > Add > Exceptions – then select the ‘show all signatures’ checkbox
  • Virus signatures are released every 24 hours by PAN.
  • Spyware is generally detected when it attempts to ‘phone home’ to a C2 server.
  • A custom profile is recommended. Options are to clone the default or make a new one from scratch. Best practice is to build it around your network design, deployment and company security policy.
  • Each profile can contain several rules to apply policy based on the severity or type of spyware.
  • Threat Name can be for ‘any’ for all, or a specific string to only scan for signatures matching that name
  • Actions can include:
    • Allow: Permit without logging
    • Alert: Allow with Logging
    • Drop: drops and logs
    • Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session.
    • Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session.
    • Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the connection/session.
  • The Exceptions tab can be used to add false positives to anti-spyware detections. Add the item to the list to whitelist that pattern from having the specified action taken. The action in the ‘Action’ column here overrides the rule’s action.
  • DNS signatures are included in the anti-spyware definition updates from PAN, but additional custom DNS domains can be blacklisted manually.
  • Exceptions can also be added by Threat ID. Add the Threat ID and the threat name to the exceptions list.
  • DNS signature actions are:
    • Allow – permit without logging
    • Alert – permit with logging
    • Block – block with logging
    • Sinkhole – DNS lookups for C2 servers are answered with a specified IP that leads to a dead end. This can be a PAN-provided IP, a local loopback, or a custom IP address. It is recommended that the sinkhole be in a different zone (unless intrazone traffic is logged) so that the traffic to it can be logged.
  • Actions are also available with single-packet or extended packet capture.
  • Sinkhole traffic can be seen in Monitor > Logs > Threat with an action of ‘sinkhole’.
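An added illustration (not part of the original notes) of why the sinkhole should sit where its traffic gets logged: a sinkholed query in the Threat log usually shows the internal DNS server as the source, while Traffic log sessions to the sinkhole IP reveal the clients that actually received the sinkholed answer. The log layout, the sinkhole IP 203.0.113.10 and all addresses are constructed for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample records in a simplified "type,src,dst,dport,action,threat" layout.
# They stand in for forwarded threat and traffic logs; real PAN-OS syslog field order differs.
SINKHOLE_IP = "203.0.113.10"   # constructed custom sinkhole address (not a PAN-provided one)

THREAT_LOG = """\
THREAT,10.0.0.53,198.51.100.53,53,sinkhole,Suspicious DNS Query (c2.example-bad.test)
THREAT,10.0.0.53,198.51.100.53,53,sinkhole,Suspicious DNS Query (beacon.example-bad.test)
THREAT,10.0.1.20,198.51.100.53,53,alert,Suspicious DNS Query (tracker.example-bad.test)
"""

TRAFFIC_LOG = """\
TRAFFIC,10.0.1.20,203.0.113.10,443,allow,
TRAFFIC,10.0.1.77,203.0.113.10,80,allow,
TRAFFIC,10.0.1.20,198.51.100.80,443,allow,
"""


def sinkhole_dns_sources(threat_log: str) -> set:
    """Sources of sinkholed DNS queries. When clients resolve through an internal
    DNS server (10.0.0.53 here), this is the resolver, not the infected host."""
    return {row[1] for row in csv.reader(StringIO(threat_log)) if row[4] == "sinkhole"}


def sinkhole_clients(traffic_log: str, sinkhole_ip: str = SINKHOLE_IP) -> dict:
    """Hosts that opened sessions to the sinkhole address, i.e. the machines that
    got the sinkholed answer and tried to reach the C2 server, with the ports used.
    These sessions only appear in the log if the sinkhole is in another zone or
    intrazone logging is enabled, which is why the notes recommend that placement."""
    clients = defaultdict(set)
    for row in csv.reader(StringIO(traffic_log)):
        if row[0] == "TRAFFIC" and row[2] == sinkhole_ip:
            clients[row[1]].add(int(row[3]))
    return dict(clients)


if __name__ == "__main__":
    print("DNS sources in Threat log:", sinkhole_dns_sources(THREAT_LOG))
    print("Infected clients from Traffic log:", sinkhole_clients(TRAFFIC_LOG))
```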

File Blocking Profiles

  • Allows blocking of prohibited, malicious and sensitive files.
  • File blocking can be done by extension or by examination of the file contents.
  • Granular control is possible, for example blocking .exe files from Gmail but allowing .exe files over FTP.
  • Profiles have these actions available:
    • Alert: Allow and Log
    • Continue: Log incident, send user to a browser response page for them to review/continue/stop.
    • Block: Block file and log
  • Monitor > Logs > Data Filtering can be used to see the actions taken and the file name/type
  • There is no predefined file block profile. One must be created manually.
  • Rules can be set for:
    • Specific applications
    • File Types
    • Direction (upload/download/both)
    • Action (alert/continue/block)
  • If a file matches multiple rules, the highest matching rule in the list is applied.
  • If Continue is set, the transfer is halted to alert the user that a matching file is about to be downloaded. This can help prevent ‘drive-by’ downloads, i.e. downloads that occur without the user’s knowledge or interaction.
    • Continue only functions with an application over HTTP.
  • File Blocking can decode up to 4 layers of encoding. Encoded files include .zip, .tar, .docx, .gzip, etc.
    • ‘Multi-Level Encoding’ needs to be selected under ‘File Types’ in the file blocking rule.
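An added example (not from the original notes or from PAN-OS) of the two points above, content-based identification and the four-layer decoding limit: it identifies files by magic bytes instead of extension and walks nested zip containers at most four layers deep, reporting anything deeper as not inspected rather than silently allowing it. Zip stands in for the other encodings, and the signature table, the executable stub and the block rule are assumptions made for the example.

```python
import io
import zipfile

# Magic bytes used to identify a file by content rather than by its extension.
SIGNATURES = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}
MAX_LAYERS = 4  # the four decoding layers the notes describe


def identify(data: bytes) -> str:
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect(data: bytes, path: str, layer: int = 0) -> list:
    """Return (path, detected type) for the file and, for zip containers, every
    member inside, opening at most MAX_LAYERS nested containers. A container that
    would need a fifth layer is reported as 'not-inspected' instead of opened."""
    kind = identify(data)
    if kind != "zip":
        return [(path, kind)]
    if layer >= MAX_LAYERS:
        return [(path, "not-inspected")]
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            found.extend(inspect(zf.read(info), f"{path}/{info.filename}", layer + 1))
    return found


def verdict(data: bytes, path: str, blocked=("pe",)) -> str:
    """A blocked type found at any inspected layer blocks the transfer; a container
    too deep to inspect is surfaced as an alert rather than silently allowed."""
    kinds = [kind for _, kind in inspect(data, path)]
    if any(kind in blocked for kind in kinds):
        return "block"
    if "not-inspected" in kinds:
        return "alert"
    return "allow"


def nest(payload: bytes, member: str, layers: int) -> bytes:
    """Constructed test input: wrap payload in `layers` zip containers."""
    data = payload
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member if i == 0 else f"layer{i}.zip", data)
        data = buf.getvalue()
    return data

# Constructed stub with an executable header but a document extension (not a real binary).
FAKE_PE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    print(verdict(FAKE_PE, "report.pdf"))                    # block: content wins over extension
    print(verdict(nest(FAKE_PE, "report.pdf", 4), "a.zip"))  # block: found at the fourth layer
    print(verdict(nest(FAKE_PE, "report.pdf", 5), "b.zip"))  # alert: fifth layer is not opened
```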

Attaching Security Profiles to Security Policy Rules

  • Security Groups can be used to group a set of Security profiles. This will simplify Security Policy rule maintenance and deployment by selecting one group that can contain AV, ASW, Vuln, URL Filtering, File Blocking, Wildfire and Data Filtering Profiles.
  • You can also assign individual Security Profiles to a rule

Telemetry and Threat Intelligence

  • Opt-in is required, and can be customized to the data you want to share.
  • Information is sanitized before being sent to PAN, and is not shared with any 3rd parties.
  • Telemetry can be configured under Device > Setup > Telemetry and Threat Intelligence. Check the boxes for what you want to upload. A download button in the corner can be used to get a copy of the 100 most recent packet captures and threat data files that have been sent to PAN.

Denial of Service Protection

  • DoS protection is packet-based, not session-based.
  • It uses packet header information rather than signature matching.
  • DoS protections are not linked to Security Policies.
  • Zone Protection:
    • Provides edge protection
    • First line of defense
    • Flood Protection:
      • Protects against the most common attack types, including UDP floods, SYN floods and ICMP floods.
      • All categories use random early drop (RED), except SYN, which offers a choice of RED or SYN cookies.
    • Reconnaissance Protection
      • Protects against TCP/UDP/ICMP sweeps and port scans within the criteria set
      • Actions include:
        • Allow: permits the scan
        • Alert: generates an alert for each scan that matches within the time interval
        • Block: blocks the attempts
        • Block IP: can be specified to block traffic from the source, or for the source/destination combination
    • Packet Based Attack Protection
      • Protects against specific types of packet attacks. Examples include spoofed IP, fragmented traffic, timestamp forging, etc.
    • Protocol Protection:
      • Applies to L2 or VWire zones only
      • Used to allow or deny which non-IP protocols can move between zones
      • An Include list allows the specified protocols only; an Exclude list allows all but the specified protocols
    • Protection is enabled on a ‘per-zone’ basis
    • Only one Profile can be set per zone.
  • DoS Policy
    • Provide flexible rules and matching criteria
    • Can be used for specific hosts that are critical or have been hit previously
    • Matching can be based on criteria such as source/destination zone or interface, IP address, user and services.
    • Policy actions include:
      • Protect: applies the selected DoS Protection profile(s)
        • Aggregate profile: applies limits to ALL incoming traffic
        • Classified profile: applies limits to a single IP address
      • Allow: permit all packets
      • Deny: drop all packets
    • Added under: Policies > DoS Protection > Add
      • Specify match criteria on the Source, Destination and Option/Protection tabs
      • You can specify the aggregate and/or classified profile if Protect is selected
      • An example use is protecting a web server from attacks or floods.
    • DoS Protection profiles are added under: Objects > Security Profiles > DoS Protection > Add
      • This allows setting the flood protection options: SYN, UDP, ICMP, ICMPv6 and Other IP.
      • Resource Protection can be set to limit sessions to a host to prevent port depletion or resource (CPU/memory) exhaustion.


Application ID Overview

  • An application is a specific program or feature whose communication can be labeled, monitored and controlled.
  • App-ID does additional work beyond just port
  • Port-based rules use ‘Service’
  • Application-based rules use ‘application’
  • Application rules will allow only the application traffic that is allowed (ex: FTP) and not other traffic using that port.
  • Zero-day or unknown traffic trying to pass on an application policy is also blocked, because it doesn’t match the application traffic.
  • App-ID for UDP can generally identify the application on the first packet
  • App-ID for TCP will take several packets to identify, as the 3-way handshake needs to be done, and then the app data will need to be examined, depending on the app data.
  • The Application DB is updated weekly with new and updated application identifiers.
  • Unknown protocol decoder will attempt to identify unknown appid traffic
  • Known protocol decoder will match traffic with a known app
  • Decryption to ID traffic will check if decrypt is configured.
  • App-ID steps:
    • Packet comes in – IP/Port identified
    • Check if allowed by Security policy
    • If allowed, App-ID will attempt to identify – Known, Unknown or Decrypt (if configured).
    • Does it match?
    • Security policy applied to allow or block.

Using App-ID in a Security Policy

  • Traffic can shift from one app to another during a session lifetime
  • As more traffic is received, App-ID can also refine its identification of what the traffic is.
  • This is why several applications are sometimes needed: web-browsing, facebook-base and facebook-chat could all be seen in the same session.
  • Signatures contain data on several versions of applications.
  • Application dependencies can be seen in the Applications section under Objects.
  • Some applications have dependencies built in – for example, facebook has web-browsing as a required dependency.
  • Under Objects > Applications, you can find what applications have what implicit use of other applications.
    • Search for an application
    • Click the application
    • Look for the ‘implicitly uses’ to see what apps it will implicitly use.
  • Application Filters can be used to allow access to a series of applications, such as Office application systems, or online streaming audio and video.
  • Application Groups can be used to group together several applications for easier deployment to firewall security policy rules. They also can be used for QoS and Policy Based Forwarding (PBF) Policies.
  • Applications, Filters and groups can be nested to several levels and added to policies.
  • Application groups are added to security policy rules just like single applications.
  • Objects > Services can be used to build custom services on specific ports. This can be used to narrow access to applications.
  • Application Block Page can be configured to block access to specific applications. If User ID is in use, it will use the name of the user. If not, it will use their IP address.
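An added, simplified model (not PAN-OS code) of two points from the App-ID sections above: a service (port) rule passes whatever is on the port while an application rule passes only the named application, so unknown-tcp on port 21 is implicitly denied; and the rule is re-evaluated each time App-ID refines the application during a session, so a session that shifts to an app the rule never listed is cut off there. The rulebases and application names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One security policy rule. A port-based rule sets `ports` (the 'Service');
    an application-based rule sets `applications`; either may be left as 'any'."""
    name: str
    action: str                                   # "allow" or "deny"
    applications: frozenset = frozenset({"any"})
    ports: frozenset = frozenset({"any"})

    def matches(self, app: str, port: int) -> bool:
        port_ok = "any" in self.ports or port in self.ports
        app_ok = "any" in self.applications or app in self.applications
        return port_ok and app_ok


def lookup(rules, app: str, port: int):
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(app, port):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def evaluate_session(rules, port: int, app_sequence):
    """Re-evaluate policy each time App-ID refines the application during the session
    (e.g. web-browsing -> facebook-base -> facebook-chat). Returns the
    (app, rule, action) trail; the first deny ends the session."""
    trail = []
    for app in app_sequence:
        name, action = lookup(rules, app, port)
        trail.append((app, name, action))
        if action == "deny":
            break
    return trail


# Constructed rulebases standing in for Policies > Security.
PORT_RULES = [Rule("allow-tcp-21", "allow", ports=frozenset({21}))]
APP_RULES = [Rule("allow-ftp", "allow", applications=frozenset({"ftp"}))]
SOCIAL_RULES = [Rule("allow-social", "allow",
                     applications=frozenset({"web-browsing", "facebook-base"}))]

if __name__ == "__main__":
    # The port rule lets unknown-tcp through on 21; the application rule does not.
    print(lookup(PORT_RULES, "unknown-tcp", 21))
    print(lookup(APP_RULES, "unknown-tcp", 21))
    # The session shifts to facebook-chat, which the rule never listed, so it ends there.
    print(evaluate_session(SOCIAL_RULES, 443, ["web-browsing", "facebook-base", "facebook-chat"]))
```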

Identifying Unknown Application Traffic

  • Traffic known to the PAN FW will be shown in the traffic log with the app identified.
  • When traffic cannot be identified: if it is HTTP, it is identified as web-browsing; if it is not HTTP, it is ‘unknown-tcp’ or ‘unknown-udp’.
  • In initial deployments in TAP mode, under Policies > Security, you can create rules for ‘known good’ and ‘known bad’ apps, and add the known applications on your network to the appropriate rule. A third rule set to ‘any/any/allow’ will let you see the other applications not yet identified, to help pinpoint what they are and their source/destination.
  • To control unknown applications:
    • Create a custom application after identifying the traffic via packet captures.
    • Configure an application override policy. This will disable the application ID for this traffic.
    • Block unknown-tcp and unknown-udp. Be cautious if in production, as this could block legitimate traffic; it isn’t recommended unless you are confident the traffic will have no production impact.

Updating App-ID

  • The App-ID DB is updated weekly, and can be added to the application/threat auto-update schedule. It can also be manually downloaded and installed.
  • A check can be done on the updated App-ID under Objects > Applications by clicking ‘Review Policies’ at the bottom of the page.
  • On the Application > Review policies page, you can see what rules will be impacted by the new application matches.
