Palo Alto: High Availability – Failover-Testing

You can deploy Palo Alto firewalls in active/passive pairs. If the active firewall fails for any reason, the passive firewall becomes active automatically with no loss of service. A failover can be triggered by any of the following:

  • If one or more monitored interfaces fail
  • If one or more specified destinations cannot be pinged by the active firewall
  • If the active device does not respond to heartbeat polls

You need two Palo Alto Networks firewalls that are the same model number. Configure the management ports, and attach the management port of each device to the network. Load licenses on each device. Make sure that the licenses match—if you have a threat license for one, you need a threat license for the other. Install the latest PANOS onto each one, as well as the latest threat database.

Today I was trying the functionality within high availability. The outcome was positive, with only 2 pings not delivered. After today I feel like I can really trust these machines, since they are appreciably stable and reliable.

Palo Alto: SSL decryption Controlling and Implementation

Secure Sockets Layer (SSL) is becoming more and more common. People are increasingly concerned about their security on the internet and how to protect themselves. Many common applications, such as Twitter, Facebook and Gmail, now use HTTPS by default or support it. It gives the user a certain amount of privacy. Unfortunately, SSL is also used as an evasion tactic by hackers and cyber criminals to hide activity inside the encrypted session. This is why we are interested in decrypting SSL traffic for visibility, control and granular security. I will show in an example later how a virus could infect a computer without being detected if it is wrapped in SSL encryption.

This is where the Palo Alto comes in. A handful of networking vendors inspect SSL-encrypted HTTP traffic (HTTPS). This firewall goes further by inspecting compliant SSL traffic, no matter the protocol encapsulated by it. The firewall understands SSL and can unwrap the encapsulation to expose the underlying protocol and applications.

There are two types of decryption, inbound SSL decryption and outbound SSL decryption:

 Inbound SSL decryption: 

In this case, the administrator imports a copy of the protected server's certificate and key. Once the SSL server certificate is loaded on the firewall, and an SSL decryption policy is configured for the inbound traffic, the device will be able to decrypt and read the traffic as it forwards it on.

 Outbound SSL decryption: 

In this case, the firewall proxies the outbound connections. It intercepts the outbound requests, and generates a certificate on the fly for the site that the client was going to.

Setup configuration steps 

  1. Install the proper certificates on the firewall
  2. Configure SSL decryption rules
  3. Enable SSL decryption notification page (optional)
  4. Export the certificate and import it with GPO to client computers
  5. Commit your changes, test the decryption

1. The first thing to do is install and manage the certificate we want to use. Navigate to Device > Certificates and generate a new self-signed certificate. Be sure to activate CA, Forward Trust Certificate, Untrust and Trusted Root CA:

2. Navigate to Policies > Decryption.

Here are some suggestions for configuring SSL decryption rules:

  • Do not decrypt known-good SSL connections, such as connections between internal users and internal servers.
  • Do not decrypt the  following URL categories, as users may consider this to be an invasion of privacy:
    • Financial services
    • Health-and-medicine
    • Shopping
  • Do not decrypt URL category “unknown”, as it includes many non-HTTP applications, some of which will not correctly SSL decrypt.
  • Do not decrypt URL category “computer-and-internet info”, as it includes the Windows Update service, which requires specific server certificates from Microsoft. (As an alternative, you can create a rule that does not decrypt traffic to the IP addresses of the Microsoft Update servers.)
  • Do not decrypt applications where the server requires client-side certificates.
  • Be precise in your source and target zones—do not use “any”
  • You should implement rules in a phased approach. Start with very specific rules for decryption, and monitor the typical number of SSL connections being decrypted by the device (refer to Appendix A for those commands).  You want to make sure you do not exceed the maximum number of concurrent SSL decrypted sessions that is supported on a device.  Over time, you can add additional decryption rules.

3. Enable response page:

The user can be notified that their SSL connection is going to be decrypted using the response page found on the Device tab -> Response Pages screen. Enable this feature if you choose.  This page can be exported, edited via an html editor, and imported to give company-specific information. Here is  an example of the default page:

4. Export the certificate from the Palo Alto and import it to client computers using GPO. Create a new computer-based GPO: Policies > Windows > Security Settings > Public Key > Trusted Root Cert Authorities. Apply it to the computers/user groups on which you want to manage SSL decryption.

5. Testing

To test outbound decryption:

Make sure that on your outbound policy, you are alerting for any viruses found. Also enable packet capture on that anti-virus security profile. Commit any changes you made. On a PC internal to the firewall, go to www.eicar.org. In the top right-hand corner, click on “anti-malware testfile”. In the screen that appears, scroll down to the bottom.

Download the eicar test virus using http. Any of the 4 files shown here will be detected. Go to the Monitor tab -> Threat log, and look for the log message that detects the eicar file. Click on the green down arrow in the left-hand column. This brings up a view of the packets that were captured.

Also click on the magnifying glass in the far left column. Scroll to the bottom, and look for the field “SSL Decryption.” You will see that the session was not decrypted.

Now that you have proven that your policy will detect viruses in unencrypted traffic, you will now try detecting the virus in encrypted traffic. Go back to the www.eicar.org downloads page. This time use SSL to download the test virus. If you get a certificate error, you can still proceed with downloading the file. Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. You will see a log message that shows Eicar was detected in web browsing on port 443. You can also view the packet capture by clicking on the green down arrow. To the left of that log entry, click on the magnifying glass. Scroll to the bottom, and look for the field “SSL Decrypted”. The value should say “yes”.

Therefore, the virus was successfully detected in an SSL-encrypted session. To test the “no-decrypt” rule, first determine what URLs fall into the financial services, shopping, or health and medicine categories. Go to http://www.brightcloud.com/testasite.aspx and enter various URLs that you believe fall into those categories. Once you have found some web sites that are classified into categories that will NOT be decrypted, use a browser to go to those sites using https. You should not see a certificate error when you go to those sites. The web pages will be displayed properly. If you look at the traffic logs, the sessions will show application SSL going over port 443, as expected.
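
One way to script the two checks above from a client PC is to read the issuer of the certificate each site presents and compare it with the firewall's Forward Trust CA. This is an added example, not part of the original post; FORWARD_TRUST_CN, the hosts bank.example and shop.example and the sample certificates are constructed assumptions.

```python
import socket
import ssl

# Assumption: the subject CN chosen for the self-signed Forward Trust CA in step 1.
FORWARD_TRUST_CN = "pa-forward-trust.example.internal"


def issuer_cn(peercert):
    """Return the issuer commonName from an ssl.getpeercert() dict, or None."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def fetch_peercert(host, port=443, timeout=5.0):
    """Return the certificate this client actually receives for host.

    The system trust store is used, so the firewall CA must already be
    trusted (step 4); an untrusted chain raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(expectations, fetch=fetch_peercert, forward_trust_cn=FORWARD_TRUST_CN):
    """Compare the expected and observed decryption state per host.

    expectations maps hostname -> True (a decrypt rule should match) or
    False (a no-decrypt rule should match). Returns one tuple
    (host, expected, observed, detail) per mismatch or connection error.
    """
    findings = []
    for host, expected in sorted(expectations.items()):
        try:
            issuer = issuer_cn(fetch(host))
        except (ssl.SSLError, OSError) as exc:
            findings.append((host, expected, None, f"error: {exc}"))
            continue
        observed = issuer == forward_trust_cn  # re-signed by the firewall?
        if observed != expected:
            findings.append((host, expected, observed, issuer))
    return findings


# Constructed sample data in the shape ssl.getpeercert() returns.
SAMPLE_CERTS = {
    "www.eicar.org": {"issuer": ((("commonName", FORWARD_TRUST_CN),),)},
    "bank.example": {"issuer": ((("organizationName", "Example Public CA"),),
                                (("commonName", "Example Public CA G2"),))},
    # Shopping site that is still being re-signed: the no-decrypt rule missed it.
    "shop.example": {"issuer": ((("commonName", FORWARD_TRUST_CN),),)},
}
EXPECTED = {"www.eicar.org": True, "bank.example": False, "shop.example": False}


def sample_fetch(host):
    """Offline stand-in for fetch_peercert() backed by SAMPLE_CERTS."""
    return SAMPLE_CERTS[host]


if __name__ == "__main__":
    for finding in audit(EXPECTED, fetch=sample_fetch):
        print("MISMATCH", finding)
```

Run it with the default `fetch_peercert` on a PC behind the firewall and with your own host list to check the live rules.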

Summary

As with any enterprise security policy, individual policy decisions will vary as organizations match their security controls to their unique needs and tolerances for risk. However, as more and more critical traffic becomes encrypted by SSL, enterprises will increasingly be forced to find ways to decrypt high-risk traffic without the performance impacts of decrypting ALL traffic. The simple guidelines discussed above simply illustrate a policy driven model that can enable an enterprise to strike the appropriate balance and retain full visibility and control over traffic even when encrypted.

//Karl

Microsoft: KMS host and client

KMS (Key Management Server)

What is a KMS?

KMS activates the clients' operating systems on your network instead of each client connecting to Microsoft. To do this, KMS uses a client/server method of implementation. KMS clients connect to a KMS server, called the KMS host, for activation. The KMS host resides on your local network.

On what types of product does it work?

With Volume Licensing for products such as Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, and Microsoft Office 2010, you must use a new type of product activation called Volume Activation (VA). To activate these operating systems with VA, you can use either a Multiple Activation Key (MAK) or Key Management Service (KMS), requiring a KMS key.

How many clients are required?

You will need at least 25 clients: the network must meet or exceed the activation threshold, that is, the minimum number of qualifying computers that KMS requires. Computers running Windows 7 must receive an activation count ≥25 to be activated. KMS clients in the grace state that are not activated because the activation count is too low connect to the KMS host every two hours to get the current activation count and will be activated when the threshold is met.

How does the KMS host keep values alive/up to date?

To track the activation threshold, the KMS host keeps a record of the KMS client computers that request activation. The KMS host gives each KMS client computer a client machine identification (CMID) designation, and the KMS host saves each CMID in a table. Each activation request remains in the table for 30 days. When a client computer renews its activation, the cached CMID is removed from the table, a new record is created, and the 30-day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding CMID from the table and reduces the activation count by one.
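
The CMID bookkeeping described above, as a small Python model. This is an added example, not Microsoft's implementation; the class and function names, the CMID strings and the dates are constructed for illustration, and only the 30-day record lifetime and the threshold of 25 come from the text.

```python
from datetime import datetime, timedelta

RECORD_LIFETIME = timedelta(days=30)  # each request stays in the table for 30 days
WINDOWS7_THRESHOLD = 25               # Windows 7 needs an activation count >= 25


class KmsHostModel:
    """Toy model of the KMS host's CMID table as the text describes it."""

    def __init__(self, threshold=WINDOWS7_THRESHOLD):
        self.threshold = threshold
        self._last_request = {}  # CMID -> time of the most recent request

    def activation_count(self, now):
        """Drop records that were not renewed within 30 days, then count the rest."""
        self._last_request = {
            cmid: seen
            for cmid, seen in self._last_request.items()
            if now - seen < RECORD_LIFETIME
        }
        return len(self._last_request)

    def request(self, cmid, now):
        """Handle an activation or renewal request.

        A renewal replaces the cached record, so the 30-day period starts
        again. Returns (activation_count, threshold_met).
        """
        self._last_request[cmid] = now
        count = self.activation_count(now)
        return count, count >= self.threshold


def run_scenario():
    """Constructed timeline: 24 clients on day 0, a 25th on day 20,
    one renewal on day 27 and a new client on day 31."""
    host = KmsHostModel()
    day0 = datetime(2012, 6, 1)  # constructed start date
    results = {}
    for n in range(1, 25):
        results["after_24"] = host.request(f"cmid-{n:02d}", day0)
    results["client_25"] = host.request("cmid-25", day0 + timedelta(days=20))
    results["renewal"] = host.request("cmid-01", day0 + timedelta(days=27))
    # By day 31 the 23 records from day 0 that were never renewed have aged out.
    results["day_31"] = host.request("cmid-26", day0 + timedelta(days=31))
    return results


if __name__ == "__main__":
    for step, (count, met) in run_scenario().items():
        print(f"{step:10s} count={count:2d} threshold_met={met}")
```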

How long is an activation valid?

KMS activations are valid for 180 days. To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails, the client will retry every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.

How do clients discover the host?

By default, KMS clients query DNS for KMS service information. The first time a KMS client queries DNS for KMS service information, it randomly chooses a KMS host from the list of SRV RRs that DNS returns.

By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client is activated and the session is closed. The KMS client uses this same process for renewal requests. The communication each way is 250 bytes.

Setup in 5 easy steps:

1. Open DNS on the primary Domain Controller (or on a separate license server, if you have one on the selected network). Navigate to Forward Lookup Zones > *Domain* > _tcp. Edit the _VLMCS value as follows:

2. Connect to your DC/license server. Run the following command with your KMS key: slmgr.vbs /ipk xxxx.xxxx.xxxx.xxxx

You should see something like this:

Microsoft ® Windows Script Host Version 5.7
Copyright © Microsoft Corporation. All rights reserved.
Installed product key xxxxx-xxxxx-xxxxx-xxxxx-xxxxx successfully.

3. Type slmgr.vbs /dlv to check that the KMS host could activate against Microsoft, and to see the status of clients that have tried to connect to the KMS host:

4. Create firewall rules to accept KMS traffic (not necessary). In Windows Firewall, click on Exceptions and allow the now-listed Key Management Service; failure to do this step will mean that your KMS hosts cannot talk to the KMS service and therefore will not activate.

KMS listens on port 1688, to change the port you must do as follows:

5. Test the connection by typing the following in CMD:

And we are done, happy licensing ! 😉

//Karl

Palo Alto: SSL VPN (GlobalProtect)

Last month Palo Alto released a “stable” version of 4.1.x, update 4.1.3; we were still on 3.1.9 and it worked fine. However, there were some pleasant features in 4.1, like better ways of committing configuration, a faster GUI, a premium version of VPN setup etc. The update, however, messed things up in the commit stage and generated errors. This is an addressed issue and it is fixed in 4.1.4, which I am running now.

When you choose to upgrade to 4.1, you are forced to leave your current SSL VPN setup, and it turns into Palo Alto's premium VPN, called GlobalProtect. GlobalProtect provides security for computers that are used in the field by allowing easy and secure login from anywhere in the world. With GP, users are protected against threats even when they are not on the enterprise network. The user's network traffic is routed through the Palo Alto and then out to the internet. That means every packet requested by the client is inspected by the firewall.

GP can be compared to Microsoft's DirectAccess, and it is a very good competitor, as it is a client installed on the user's computer.

This is how it works:

  1. Users make an SSL connection to the portal and authenticate
  2. The user is prompted to download the client software, which supports OS X or Windows
  3. Configure client options with username/password and name of portal
  4. The portal sends the configuration and client certificate to the client. The configuration contains the following:
     – Gateway list, both internal and external
     – DNS name/IP mapping that the client uses to determine if the PC is inside or outside
     – Trusted CA
     – Host information data collection: reports OS version, AV version, disk encryption, specified registry keys/values etc.
     – Base64-embedded client certificate that allows the client to authenticate itself when connecting to the gateway
     – Client user override policy
     – Portal client software version. This allows the client to determine if a different version is available
  5. At this point the client will obtain the host info and find the closest gateway to connect to
  6. If the client determines that the user is inside the network and that the gateway is the internet firewall, then the client can connect to multiple internal gateways and authenticate
  7. If the client determines that the user is outside the internal network, then the client will find the closest external gateway, authenticate and establish an SSL VPN tunnel
  8. The gateway enforces security policy based on user, application, content and the HIP submitted from the client.

Configuration:

The following items are required to configure GP. Configure the items in the order listed below:

  1. Certificates
  2. User Authentication
  3. Gateway Configuration
  4. Portal Configuration

Certificates – Palo Alto recommends using 3 types of certificates: CA cert, gateway cert and client cert. I only use the required ones, the CA cert and the gateway cert; the third, the client cert, is for extra security. Certificates are managed in Device > Certificates. Create a CA cert and a gateway cert from DigiCert or VeriSign or whatever public certificate your company owns.

User Authentication – Identify the authentication method that will be used to authenticate GlobalProtect users. Supported methods are local database, LDAP, RADIUS or Kerberos. We use LDAP, so set up an LDAP profile if you haven’t:

The next thing to do is set up an authentication profile, which refers to the authentication method configured in the previous step. An authentication profile using LDAP requires the “Login Attribute” field.

Gateway Configuration – The gateway provides the endpoint for the client's connection. Once the client is connected, it sends all traffic through the gateway. The gateway can be either external or internal. An external gateway, as we are setting up in this tutorial, requires a tunnel. For this example we will refer to the topology below:

To configure the gateway, navigate to Network > GlobalProtect > Gateways. In this example we will configure an external gateway. A tunnel interface is required when configuring an external gateway. The IPSec tunnel from the remote users is terminated on this tunnel interface. When using an external gateway, it is recommended to configure the tunnel interface in its own zone. This provides the ability to enforce a different security policy on the traffic from the remote users. Also, to identify users, enable “User identification” on the zone to which the tunnel interface is bound.

General Tab:

  • Name: Gateway name
  • Authentication: Choose the server certificate that you own plus the authentication profile we made
  • Tunnel mode: Should be enabled with external gateways
  • Timeout Configuration: Specify the lifetime of the tunnel
  • Tunnel Gateway Address: Select the interface. In my setup I actually use Layer 2 VLAN and not L3 as in the pictures before.

Client Configuration Tab:

Client configuration is required if tunnel mode is enabled. If tunnel mode is disabled, this section will be grayed out. When the client connects to the gateway using tunnel mode, a virtual adapter is created and a networking configuration is assigned to the client. Specify the DNS, WINS and DNS suffix to be used by the client. Also specify the pool from which IP addresses will be assigned to the clients. Access routes: by default, all traffic from the client is sent to the gateway. Access routes allow you to define networks that will be accessible by the client through the tunnel, also known as split tunneling. Palo Alto does not recommend split tunneling, so just leave this option at 0.0.0.0/0. I set it up letting the tunnel zone access whatever networks I would like VPN users to reach.

Portal Configuration:

To configure the portal, navigate to Network > GlobalProtect > Portal. The authentication profile is used to authenticate users when they first browse to the portal to download the GP client. The client and server certificates are used to authenticate the client and the portal. The certificates are sent to the client when it establishes the first connection to the portal. PAN-OS 4.1 supports both the portal and the gateway using the same interface and IP address.

Client configuration general tab:

This section defines the parameters that will determine the GP client behavior. Click on “ADD” to create a new client configuration and give it a name.

On Demand – The client can be configured to connect on demand. If selected, it will not automatically sign on to the gateway when an internet connection is available; the user has to click connect. If it is not selected, the user is logged on directly.

Single sign-on – Works fine with corporate computers. The client will use the Windows credentials of the user to authenticate to the portal.

There are a lot more options available. For example, if you have a very large worldwide or nationwide network, you can set up multiple gateways and set priorities for which gateway the client should choose depending on the average response time etc.

Under gateway section you can define internal and external gateways that portal manages. A cut off time can be defined to limit the amount of time clients wait to get a response from the gateways. External gateways can be assigned priorities. Priority is numeric value between 1 and 5, with 1 being the highest priority and 5 the lowest. The client also considers the latency along with priority before connection to a gateway. Notice the client will not always connect to the highest priority gateway if the latency is high compared to the other gateways. The sample topology below is used to illustrate the configuration used to configure internal and external gateway:

OK, setup is done. All you need to do now is download the client from the web portal, enter the portal info and authenticate with an AD user that has permissions. Permissions are set within the firewall security policies; assign the users free access to the zone the tunnel is in.

The next chapter on Palo Alto SSL VPN will be about HIP profiles, profiles that collect data from the client computer connected to the gateway. I will also walk through logging and reporting and GP in High Availability mode (redundancy), and show how to troubleshoot the gateway configuration from the CLI using an SSH connection.

// Karl

Mikrotik: Basics enable Static WAN + Add DHCPserver

Sometimes minor offices cannot buy a ring service of LAN, and therefore they will not be assigned a VLAN from the company’s IT infrastructure. Still, we would like to give them a good router/firewall with IPsec features. The Mikrotik RB450G will do the job! In this 6-step guide I will first of all just show how to configure a static IP address and let the router hand out DHCP to clients. This setup requires a static IP address from the ISP.

Add IP to interface ether1:

/ip address
add address=83.227.135.130/26 interface=ether1

Add LAN address on interface ether2:

add address=192.168.0.1/24 interface=ether2

Add your ISP’s DNS:

/ip dns
# allow-remote-requests=yes lets the DHCP clients use the router (192.168.0.1) as their resolver.
# The router then also answers DNS queries arriving on the WAN address unless an input filter rule blocks them.
# 195.23.144.1412, listed as the second server, is not a valid IPv4 address; put your ISP's secondary DNS in its place.
set servers=195.23.144.141 allow-remote-requests=yes

Add DHCP-server and DHCP-Pool:

/ip pool
add name=dhcp-pool ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add name=dhcp interface=ether2 address-pool=dhcp-pool disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=192.168.0.1

Add Default Route:

/ip route
add dst-address=0.0.0.0/0 gateway=83.227.135.129

Add Firewall NAT-rule:

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1

And we are done! If you are assigned a dynamic IP address from your ISP, just make ether1 a DHCP client:

/ip dhcp-client
add interface=ether1 disabled=no

Next up will be how to config ipsec fw to fw

SCCM07: Build and capture OSD Windows 8 SCCM07

The first thing that flew into my mind when the RC of Windows 8 was released was: is it deployable in SCCM? I started, but got some pretty errors within sysprep of the OS capture.

Here is the error code visible in Task Sequence log:

The task sequence execution engine failed executing the action (Prepare OS) in the group (Capture the Reference Machine) with the error code 4
Action output: 4 (e:\nts_sms_fre\sms\framework\tscore\bootimage.cpp,522)
ValidateSystemPartition(), HRESULT=d0000004 (e:\nts_sms_fre\sms\framework\tscore\bootimage.cpp,897)
BootImage::PrepareForStaging(sLocalDataPath), HRESULT=d0000004 (e:\nts_sms_fre\sms\framework\tscore\bootimage.cpp,674)
TS::Boot::BootImage::StageBootImage(sPkgID), HRESULT=d0000004 (e:\nts_sms_fre\sms\client\osdeployment\prepareos\prepareos.cpp,933)
PreStageWINPE(m_bDebug), HRESULT=d0000004 (e:\nts_sms_fre\sms\client\osdeployment\prepareos\prepareos.cpp,1374)
pCmd->Sysprep(bActivate, bMsd), HRESULT=d0000004 (e:\nts_sms_fre\sms\client\osdeployment\prepareos\main.cpp,270)
De-Initialization successful
Exiting with error code 4
Failed to query firmware type.
Wait Callback (Error: D0000004; Source: WinHTTP)
Failed to prepare the system partition for staging.
Wait Callback (Error: D0000004; Source: WinHTTP)
Failed to pre-stage WINPE image, hr=0xd0000004
Unable to sysprep the machine, hr=d0000004
Sysprep’ing the machine failed, hr=d0000004. The operating system reported error 4: The system cannot open the file.

So it seems Microsoft removed sysprep for SCCM07, but I have seen it work in CM2012, something I will try very soon. But there is a workaround to apply W8 in CM07; the solution can be found here: http://blog.danovich.com.au/2012/03/06/deploying-windows-8-with-sccm-2007-r3/