Palo Alto: How to Implement a Virtual Wire between trunked interfaces

When implementing a Virtual Wire between trunked interfaces:

  1. Specify which tags are allowed to pass through the Virtual Wire: Network tab > Virtual Wires > select the Virtual Wire.
  2. There is an option called Tag Allowed which, by default, only permits 0 (untagged traffic). If you have VLANs 2, 3, 4, 5, etc., they will need to be included in Tag Allowed, otherwise tagged traffic will not be permitted.
  3. An easy option is to permit tags 0-4094, though the recommended option is to specify only the required tags. The Palo Alto Networks device consumes a logical interface for each tag specified on each Virtual Wire, so this is a resource consideration rather than a performance one.


Simple VPN Configuration Between ASA and PAN Device

Basic CLI configuration settings to bring up the VPN tunnel between an ASA and a PAN device.

Phase 1 Proposal

ASA:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

PAN:
<ike-crypto-profiles>
<entry name="default">
<encryption>
<member>aes192</member>
<member>aes256</member>
<member>aes128</member>
<member>3des</member>
</encryption>
<hash>
<member>sha1</member>
<member>md5</member>
</hash>
<dh-group>
<member>group2</member>
<member>group1</member>
</dh-group>
<lifetime>
<hours>24</hours>
</lifetime>
</entry>
</ike-crypto-profiles>

Phase 2 Proposal

ASA:
crypto ipsec transform-set palo-alto esp-aes-256 esp-sha-hmac
crypto map outside 20 set transform-set palo-alto

PAN:
<ipsec-crypto-profiles>
<entry name="default">
<esp>
<encryption>
<member>aes256</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</esp>
<dh-group></dh-group>
<lifetime>
<hours>24</hours>
</lifetime>
</entry>
</ipsec-crypto-profiles>

Gateway:

ASA:
crypto map outside 20 set peer 70.98.39.8
tunnel-group 70.98.39.8 type ipsec-l2l
tunnel-group 70.98.39.8 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold infinite

PAN:
<gateway>
<entry name="Loyalty.ASA">
<peer-address>
<ip>67.88.212.253</ip>
</peer-address>
<local-address>
<ip>70.98.39.8/24</ip>
<interface>ethernet1/1</interface>
</local-address>
<authentication>
<pre-shared-key>
<key>k2VXNMN7gOjEFUe6y8ALut8vWzxw5TY0</key>
</pre-shared-key>
</authentication>
<protocol>
<ikev1>
<exchange-mode>auto</exchange-mode>
<ike-crypto-profile>default</ike-crypto-profile>
<dpd>
<enable>yes</enable>
<interval>10</interval>
<retry>3</retry>
</dpd>
</ikev1>
</protocol>
</entry>
</gateway>

Phase 2 – Proxy ID/Tunnel

ASA:
access-list PDX2CLUBFED extended permit ip 10.211.168.0 255.255.252.0 10.61.0.0 255.255.0.0
crypto map outside 20 match address PDX2CLUBFED

PAN:
<tunnel>
<ipsec>
<entry name="LoyTunnel">
<anti-replay>no</anti-replay>
<copy-tos>no</copy-tos>
<tunnel-monitor>
<enable>no</enable>
</tunnel-monitor>
<tunnel-interface>tunnel.1</tunnel-interface>
<auto-key>
<ike-gateway>
<entry name="Loyalty.ASA"/>
</ike-gateway>
<ipsec-crypto-profile>default</ipsec-crypto-profile>
<proxy-id>
<local>10.61.0.0/16</local>
<remote>10.211.168.0/22</remote>
</proxy-id>
</auto-key>
</entry>
</ipsec>
</tunnel>
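As an added example (not part of the original post), the script below re-types the ASA phase 1/phase 2 lines and the PAN-OS crypto-profile XML from above, checks that every algorithm the ASA proposes is offered by the PAN "default" profiles (including the 86400 s versus 24 h lifetime), and flags the weak algorithms that would be negotiated. The ASA-to-PAN keyword map and the list of algorithms treated as weak are my own assumptions, not Palo Alto's or Cisco's.

```python
import re
import xml.etree.ElementTree as ET

# Added example (not from the post); inputs are re-typed from the post's phase 1/2 settings.
ASA = """crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set palo-alto esp-aes-256 esp-sha-hmac"""
PAN = """<crypto-profiles><ike-crypto-profiles><entry name="default">
<encryption><member>aes192</member><member>aes256</member>
<member>aes128</member><member>3des</member></encryption>
<hash><member>sha1</member><member>md5</member></hash>
<dh-group><member>group2</member><member>group1</member></dh-group>
<lifetime><hours>24</hours></lifetime></entry></ike-crypto-profiles>
<ipsec-crypto-profiles><entry name="default"><esp>
<encryption><member>aes256</member></encryption>
<authentication><member>sha1</member></authentication></esp>
</entry></ipsec-crypto-profiles></crypto-profiles>"""

# ASA keywords mapped onto PAN-OS member names (assumed subset, enough for this post).
ASA_TO_PAN = {"3des": "3des", "aes": "aes128", "aes-256": "aes256", "sha": "sha1",
              "md5": "md5", "1": "group1", "2": "group2", "5": "group5", "esp-3des": "3des",
              "esp-aes-256": "aes256", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}
WEAK = {"3des", "md5", "group1", "group2"}  # assumption: my own list of algorithms to flag

def parse_asa(text):
    """Phase 1 policy and phase 2 transform-set, expressed in PAN-OS member names."""
    p1 = dict(re.findall(r"^\s*(encryption|hash|group|lifetime)\s+(\S+)", text, re.M))
    esp = re.search(r"transform-set \S+ (\S+) (\S+)", text)
    return {"ike": {"encryption": ASA_TO_PAN[p1["encryption"]], "hash": ASA_TO_PAN[p1["hash"]],
                    "dh-group": ASA_TO_PAN[p1["group"]], "hours": int(p1["lifetime"]) // 3600},
            "ipsec": {"encryption": ASA_TO_PAN[esp[1]], "authentication": ASA_TO_PAN[esp[2]]}}

def parse_pan(xml):
    """Members of the PAN-OS 'default' IKE and IPsec crypto profiles."""
    root = ET.fromstring(xml)
    ike = root.find("ike-crypto-profiles/entry[@name='default']")
    ipsec = root.find("ipsec-crypto-profiles/entry[@name='default']")
    members = lambda node, path: {m.text for m in node.findall(path + "/member")}
    return {"ike": {"encryption": members(ike, "encryption"), "hash": members(ike, "hash"),
                    "dh-group": members(ike, "dh-group"), "hours": int(ike.findtext("lifetime/hours"))},
            "ipsec": {"encryption": members(ipsec, "esp/encryption"),
                      "authentication": members(ipsec, "esp/authentication")}}

def check(asa, pan):
    """Every ASA choice the PAN profile cannot match, plus every negotiated weak algorithm."""
    problems = []
    for phase in ("ike", "ipsec"):
        for key, val in asa[phase].items():
            if key == "hours":
                if val != pan[phase]["hours"]:
                    problems.append(f"{phase}: lifetime {val}h on ASA vs {pan[phase]['hours']}h on PAN")
            elif val not in pan[phase][key]:
                problems.append(f"{phase}: ASA {key} {val} is not offered by the PAN profile")
            elif val in WEAK:
                problems.append(f"{phase}: negotiated {key} {val} is weak")
    return problems
```

Run `check(parse_asa(ASA), parse_pan(PAN))`: for the settings in this post, phase 2 is clean, but phase 1 negotiates 3DES and DH group 2, which the script reports as weak.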

Palo Alto: High Availability – Failover-Testing

You can deploy Palo Alto firewalls in active/passive pairs. If the active firewall fails for any reason, the passive firewall becomes active automatically with no loss of service. A failover can be triggered by any of the following:

  • If one or more monitored interfaces fail
  • If one or more specified destinations cannot be pinged by the active firewall
  • If the active device does not respond to heartbeat polls

You need two Palo Alto Networks firewalls of the same model number. Configure the management ports and attach the management port of each device to the network. Load licenses on each device. Make sure that the licenses match—if you have a threat license for one, you need a threat license for the other. Install the latest PAN-OS onto each one, as well as the latest threat database.

Today I was testing the failover functionality within high availability. The outcome was positive, with only 2 pings lost. After today I feel I can really trust these machines, since they are appreciably stable and reliable.

Palo Alto: SSL decryption Controlling and Implementation

Secure Sockets Layer, also known as SSL, is getting more and more common. People are getting more concerned about their security on the internet and how they are supposed to be secured. We now see many common applications such as Twitter, Facebook and Gmail turning to HTTPS by default or supporting it. It gives the user a certain amount of privacy. Unfortunately, SSL is also used as an evasion tactic by hackers and cyber criminals: it is used to hide activity inside the SSL session. This is why we are interested in decrypting SSL sessions for visibility, control and granular security. I will show in an example later how a virus could infect a computer and not get detected if it is enclosed in SSL encryption.

This is where the Palo Alto comes in. A handful of networking vendors inspect SSL-encrypted HTTP traffic (HTTPS). This firewall goes further by inspecting compliant SSL traffic, no matter the protocol encapsulated by it. The firewall understands SSL and can unwrap the encapsulation to expose the underlying protocol and applications.

There are two types of decryption, inbound SSL decryption and outbound SSL decryption:

Inbound SSL decryption:

In this case, the administrator imports a copy of the protected server’s certificate and key. Once the SSL server certificate is loaded on the firewall and an SSL decryption policy is configured for the inbound traffic, the device will be able to decrypt and read the traffic as it forwards it on.

Outbound SSL decryption:

In this case, the firewall proxies the outbound connections. It intercepts the outbound requests and generates a certificate on the fly for the site that the client was going to.

Setup configuration steps

  1. Install the proper certificates on the firewall
  2. Configure SSL decryption rules
  3. Enable the SSL decryption notification page (optional)
  4. Export the certificate and import it with GPO to client computers
  5. Commit your changes and test the decryption

1. The first thing we would like to do is to install and manage the certificate we would like to use. Navigate to Device > Certificates and generate a new self-signed certificate; be sure to enable the Certificate Authority, Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA options.

2. Navigate to Policies > Decryption.

Here are some suggestions for configuring SSL decryption rules:

  • Do not decrypt known-good SSL connections, such as connections between internal users and internal servers.
  • Do not decrypt the following URL categories, as users may consider this to be an invasion of privacy:
    • Financial services
    • Health-and-medicine
    • Shopping
  • Do not decrypt URL category “unknown”, as it includes many non-HTTP applications, some of which will not correctly SSL decrypt.
  • Do not decrypt URL category “computer-and-internet info”, as it includes the Windows Update service, which requires specific server certificates from Microsoft. (As an alternative, you can create a rule that does not decrypt traffic to the IP addresses of the Microsoft Update servers.)
  • Do not decrypt applications where the server requires client-side certificates.
  • Be precise in your source and target zones—do not use “any”.
  • You should implement rules in a phased approach. Start with very specific rules for decryption, and monitor the typical number of SSL connections being decrypted by the device (refer to Appendix A for those commands). You want to make sure you do not exceed the maximum number of concurrent SSL-decrypted sessions that is supported on a device. Over time, you can add additional decryption rules.

3. Enable response page:

The user can be notified that their SSL connection is going to be decrypted using the response page found on the Device tab -> Response Pages screen. Enable this feature if you choose. This page can be exported, edited with an HTML editor, and imported to give company-specific information. Here is an example of the default page:

4. Export the certificate from the Palo Alto and import it to client computers using GPO. Make a new computer-based GPO: Policies > Windows > Security Settings > Public Key > Trusted Root Cert Authorities. Make it available to those computers/user groups on which you would like to manage SSL decryption.

5. Testing

To test outbound decryption:

Make sure that on your outbound policy you are alerting for any viruses found. Also enable packet capture on that anti-virus security profile. Commit any changes you made. On a PC internal to the firewall, go to www.eicar.org. In the top right-hand corner, click on “anti-malware testfile”. In the screen that appears, scroll down to the bottom.

Download the EICAR test virus using HTTP. Any of the 4 files shown there will be detected. Go to the Monitor tab -> Threat log, and look for the log message that detects the EICAR file. Click on the green down arrow in the left-hand column. This brings up a view of the packets that were captured.

Also click on the magnifying glass in the far left column. Scroll to the bottom, and look for the field “SSL Decryption.” You will see that the session was not decrypted.

Now that you have proven that your policy will detect viruses in unencrypted traffic, you will try detecting the virus in encrypted traffic. Go back to the www.eicar.org downloads page. This time use SSL to download the test virus. If you get a certificate error, you can still proceed with downloading the file. Examine the Threat logs. The virus should have been detected, since the SSL connection was decrypted. You will see a log message that shows EICAR was detected in web browsing on port 443. You can also view the packet capture by clicking on the green down arrow. To the left of that log entry, click on the magnifying glass. Scroll to the bottom, and look for the field “SSL Decrypted”. The value should say “yes”.

Therefore, the virus was successfully detected in an SSL-encrypted session. To test the “no-decrypt” rule, first determine what URLs fall into the financial services, shopping, or health and medicine categories. Go to http://www.brightcloud.com/testasite.aspx and enter various URLs that you believe fall into those categories. Once you have found some web sites that are classified into categories that will NOT be decrypted, use a browser to go to those sites using HTTPS. You should not see a certificate error when you go to those sites. The web pages will be displayed properly. If you look at the traffic logs, the sessions will show application SSL going over port 443, as expected.

Summary

As with any enterprise security policy, individual policy decisions will vary as organizations match their security controls to their unique needs and tolerances for risk. However, as more and more critical traffic becomes encrypted by SSL, enterprises will increasingly be forced to find ways to decrypt high-risk traffic without the performance impact of decrypting ALL traffic. The simple guidelines discussed above illustrate a policy-driven model that can enable an enterprise to strike the appropriate balance and retain full visibility and control over traffic even when it is encrypted.

//Karl

Palo Alto: SSL VPN (GlobalProtect)

Last month Palo Alto released a “stable” version of 4.1.x, update 4.1.3; we were still on 3.1.9 and it worked fine. However, there were some pleasant features in 4.1, like better ways of committing configuration, a faster GUI, the premium version of VPN setup, etc. The update, however, messed things up at the commit stage and generated errors. This is an addressed issue and it is fixed in 4.1.4, which I am running now.

When you choose to upgrade to 4.1 you are forced to leave your current SSL VPN setup, and it turns into Palo Alto’s premium VPN, called GlobalProtect. GlobalProtect provides security for computers that are used in the field by allowing easy and secure login from anywhere in the world. With GP, users are protected against threats even when they are not on the enterprise network. Users’ network traffic is routed through the Palo Alto and then out to the internet. That means every packet requested by the client will be inspected by the firewall.

GP could be compared to Microsoft’s DirectAccess, and it is a very good competitor, as it is a client installed on the user’s computer.

This is how it works:

  1. Users make an SSL connection to the portal and authenticate
  2. The user is prompted to download the client software (OS X and Windows are supported)
  3. Configure client options with username/password and the name of the portal
  4. The portal sends the configuration and client certificate to the client; the configuration contains the following:

– Gateway list, both internal and external
– DNS name/IP mapping that the client uses to determine if the PC is inside or outside
– Trusted CA
– Host information data collection, which reports OS version, AV version, disk encryption, specified registry keys/values, etc.
– Base64-embedded client certificate that allows the client to authenticate itself when connecting to the gateway
– Client user override policy
– Portal client software version, which allows the client to determine if a different version is available

  5. At this point the client will obtain the host info and find the closest gateway to connect to
  6. If the client determines that the user is inside the network and that the gateway is the internet firewall, then the client can connect to multiple internal gateways and authenticate
  7. If the client determines that the user is outside the internal network, then the client will find the closest external gateway, authenticate and establish an SSL VPN tunnel
  8. The gateway enforces security policy based on user, application, content and the HIP submitted by the client.

Configuration:

The following items are required to configure GP. Configure them in the order listed below:

  1. Certificates
  2. User Authentication
  3. Gateway Configuration
  4. Portal Configuration

Certificates – Palo Alto recommends using 3 types of certificates: CA cert, gateway cert and client cert. I only use the required ones, the CA cert and the gateway cert; the third, the client cert, is for extra security. Certificates are managed in Device > Certificates. Create a CA cert and a gateway cert from DigiCert or VeriSign or whatever public certificate authority your company uses.

User Authentication – Identify the authentication method that will be used to authenticate GlobalProtect users. Supported methods are local database, LDAP, RADIUS or Kerberos. We use LDAP, so set up an LDAP profile if you haven’t:

The next thing you would like to do is to set up an authentication profile; it refers to the authentication method configured in the previous step. An authentication profile using LDAP requires the “Login Attribute” field.

Gateway Configuration – The gateway provides the endpoint for the client’s connection. Once the client is connected, it sends all traffic through the gateway. The gateway can be either external or internal. An external gateway, as we are setting up in this tutorial, requires a tunnel. For this example we will refer to the topology below:

To configure the gateway, navigate to Network > GlobalProtect > Gateways. In this example we will configure an external gateway. A tunnel interface is required when configuring an external gateway. The IPsec tunnel from the remote users is terminated on this tunnel interface. When using an external gateway, it is recommended to configure the tunnel interface in its own zone. This provides the ability to enforce a different security policy on the traffic from the remote users. Also, to identify users, enable “User identification” on the zone to which the tunnel interface is bound. General tab:

  • Name: Gateway name
  • Authentication: Choose the server certificate that you own plus the auth profile we made
  • Tunnel mode: Should be enabled with external gateways
  • Timeout Configuration: Specify the lifetime of the tunnel
  • Tunnel Gateway Address: Select the interface (in my setup I actually use a Layer 2 VLAN interface and not L3 as in the pictures before)

Client Configuration Tab:

Client configuration is required if tunnel mode is enabled. If tunnel mode is disabled, this section will be grayed out. When the client connects to the gateway using tunnel mode, a virtual adapter is created and networking configuration will be assigned to the client. Specify the DNS, WINS and DNS suffix to be used by the client. Also specify the pool from which IP addresses will be assigned to the clients. Access routes: by default all traffic from the client will be sent to the gateway. Access routes allow you to define networks that will be accessible by the client through the tunnel, also known as split tunneling. Palo Alto does not recommend split tunneling, so just leave this option at 0.0.0.0/0. I set it up letting the tunnel zone access whatever networks I would like VPN users to reach.

Portal Configuration:

To configure the portal, navigate to Network > GlobalProtect > Portal. The authentication profile is used to authenticate users when they first browse to the portal to download the GP client. The client and server certificates are used to authenticate the client and the portal. The certificates are sent to the client when it establishes the first connection to the portal. PAN-OS 4.1 supports both the portal and the gateway using the same interface and IP address.

Client configuration general tab:

This section defines the parameters that will determine the GP client behavior. Click on “ADD” to create a new client configuration and give it a name.

On Demand – the client can be configured to connect on demand (if selected, it will not automatically sign on to the gateway when an internet connection is available; the user has to click connect). If it is not selected, the user will be logged on directly.

Single sign-on – works fine with corporate computers. The client will use the Windows credentials of the user to authenticate to the portal.

There are a lot more options available; for example, if you have a very large worldwide or nationwide network, you have the possibility to set up multiple gateways and set priorities on which gateway the client should choose depending on the average response time, etc.

Under the gateway section you can define the internal and external gateways that the portal manages. A cut-off time can be defined to limit the amount of time clients wait to get a response from the gateways. External gateways can be assigned priorities. Priority is a numeric value between 1 and 5, with 1 being the highest priority and 5 the lowest. The client also considers the latency along with the priority before connecting to a gateway. Note that the client will not always connect to the highest-priority gateway if its latency is high compared to the other gateways. The sample topology below is used to illustrate the configuration used to configure internal and external gateways:

OK, setup is done; all you need to do now is to download the client from the web portal. Put in the portal info and authenticate with an AD user with permissions. Permissions are set within the firewall security policies; assign them to have free access to the zone the tunnel is in.

The next chapter on Palo Alto SSL VPN will be about HIP profiles, profiles that collect data from the client computer connected to the gateway. I will also walk through logging and reporting, as well as GP in High Availability mode (redundancy), and show how to troubleshoot the gateway configuration from the CLI over an SSH connection.

// Karl