DNS-over-HTTPS/TLS is an up-and-coming technology that is slowly being adopted by different types of software; Firefox, for example, is beginning to enable the DNS-over-HTTPS variant by default in its browser.
Whilst it has been met with some criticism, the advantage of finally being able to encrypt DNS queries is a good step towards internet privacy.
DNS hijacking used to be common with UK ISPs, returning targeted advertisements if a user typed in a non-existent domain. Later I found that an ISP was redirecting my search queries to its own hosted servers even though I had set my DNS servers to custom ones.
dnscrypt-proxy has been my go-to fix for ensuring my DNS communications were untampered with for many years, but now I want to explore DoH (DNS over HTTPS) and DoT (DNS over TLS) to see if it fares any better.
I’m beginning by installing an application called stubby:
...a local DNS Privacy stub resolver, using DNS-over-TLS. Stubby encrypts DNS
queries sent from the local machine to a DNS Privacy resolver, increasing end user
My goal is to install Stubby on my local DNS recursor server (running Ubuntu 18.04) and use it as a forwarder to securely resolve DNS queries.
It’s easy to tell that this box is already my DNS server: checking the service post-install shows it failed to start due to a port conflict:
stubby: error: Could not bind on given addresses: Address already in use
The configuration file looks to be in /etc/stubby/stubby.yml
First I want to fix the address bind error, so I find the section listen_addresses and add a custom port number at the end:
Save those changes and restart the service with:
sudo systemctl restart stubby
If I now check to see if the service is running, it appears that it is:
sudo systemctl status stubby
● stubby.service - DNS Privacy Stub Resolver
   Loaded: loaded (/lib/systemd/system/stubby.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-09-16 19:49:22 BST; 4s ago
Great, so we’ve got the Stubby application running for DNS resolution on the DNS box only. It isn’t yet serving requests from the rest of the network, but that’s still to come. For now I want to change away from the default upstream servers that are included, so I’ll look at changing that.
There is a good sized list of secured DNS Public Resolvers here:
Describe the differences between active/active and active/passive high availability
Define the prerequisites for creating a high availability pair
Describe the metrics used to detect a firewall failure
Configure the firewall interfaces used for heartbeats and hellos
Configure a high availability pair
Firewall High Availability Overview
High availability remains a concern for mission critical networks. Palo Alto firewalls can be deployed as a high availability pair. When firewalls are set up in this pair, they provide redundancy and help business continuity.
If one firewall fails for any reason, the other firewall can take over with minimal loss of service.
Palo Alto firewalls support both active/passive and active/active high availability configurations.
Both firewalls will synchronise their network, object, and policy configurations plus session information.
Note that only changes that have been committed are shared between the firewalls.
Some firewall-specific information is not shared: the management interface IP address, high availability specific configuration, log data, and the Application Command Center (ACC).
To get a consolidated view of applications and logs across a high availability pair, Panorama must be used.
Active/Passive High Availability
One firewall manages traffic whilst the other is synchronised and ready to move to an active state if a failure occurs.
In this mode, the firewalls both share the same configuration settings, and one actively manages traffic until a failure occurs.
If the active firewall fails, the passive firewall transitions to an active state and takes over seamlessly, enforcing the same policies to maintain network security.
In an active/passive setup, session capacity or network throughput is not increased.
Active/Passive high availability is supported in virtual wire, layer 2, and layer 3 deployments.
Active/passive high availability has a simpler design, meaning any troubleshooting is easier.
Active/Active High Availability
In an active/active high availability deployment, both firewalls in the pair are active and processing traffic.
Both firewalls maintain their own session and routing tables, plus synchronise to each other.
The active/active configuration is designed to support environments that require asymmetric routing.
Active/active high availability does not increase the session capacity or network throughput. Active/active high availability is supported in virtual wire and layer 3 deployments.
Active/active mode requires advanced design concepts, and can result in more complicated networks.
Depending on how the active/active high availability is implemented, it might require additional configuration such as dynamic routing protocols on both firewalls, replication of NAT pools, and deployment of floating IP addresses to provide seamless failover.
Both firewalls in the active/active configuration process traffic, so firewalls will use the additional concepts of session owner and session setup to perform layer 7 content inspection.
Active/active mode is recommended if each firewall needs its own routing instances, and if full real-time redundancy is required from both firewalls at all times.
Active/active will have faster failover and can handle peak traffic flows better than active/passive mode since both firewalls are processing traffic.
Note the PA-200 series firewall supports only high availability lite without synchronisation capability and can not be configured for active/active high availability.
The VM-Series firewall in Amazon Web Services only supports active/passive high availability.
High Availability Prerequisites
Before high availability can be enabled on the Palo Alto firewall pair, both firewalls need to be the same hardware model.
The PAN-OS version must be the same, except when there is a temporary version mismatch during a software upgrade.
The Palo Alto firewall pair must also have up-to-date application, URL, and threat databases.
A high availability interface type must be configured, and the firewall correctly licensed.
The firewalls must also have a matching slot configuration (applies to multi-slot firewalls).
Specific requirements for VM-Series firewalls are that both firewalls must use the same hypervisor and have the same number of CPU cores.
Active/Passive High Availability Links
The high availability control link is used to exchange hellos, heartbeats and high availability state information.
The control link is also used to synchronise routing and User-ID information between management planes.
The active firewall also uses this link to synchronise configuration changes with its peer firewall.
The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational.
Hello messages are sent from one peer to the other to verify the state of the firewall.
The heartbeat is an ICMP ping sent to the high availability peer. A response from the peer indicates that the firewall is connected and responsive.
The control link is a layer 3 link that requires an IP address.
The data link is a layer 2 link by default, but it can be configured as a layer 3 link that requires an IP address. The layer 3 link is only required if the data links are not on the same subnet. In layer 2 mode, the data link uses ethertype 0x7261.
The data link is used to synchronise sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in the high availability pair. Data flow on the data link is unidirectional and flows from the active firewall to the passive firewall.
Dedicated and Non-Dedicated High Availability Ports
Some of the Palo Alto firewall range have dedicated high availability ports, and others require the management or in-band ports to be used as high availability links.
The control link provides synchronisation for functions that are part of the management plane.
Using the dedicated HA1 port or the management port as the control link is more efficient than using the data plane's in-band ports, because the synchronisation packets do not then need to pass from the data plane to the management plane.
The dedicated HA1 port requires an IP address that is different from the management interface address. On devices with dedicated ports, an ethernet cable can directly connect the dedicated HA1 ports and the dedicated HA2 ports of the device pair.
For firewalls without a dedicated high availability port, the best practice is to use the management port for the control link to allow a direct connection to be formed between management planes on the firewall.
Any in-band port can be used for the data link. Any in-band port that is used for a Control or Data link must be configured as the interface type HA.
Firewalls with dedicated HA ports are:
Firewalls without a dedicated high availability port:
PA-200 and PA-500 Series
High Availability Backup Links
Backup links provide redundancy for the control and data links.
The purpose of configuring a backup control link is to avoid a split brain scenario.
Split brain operation occurs when a non-redundant control link goes down, which causes the management plane to miss heartbeats, although both firewalls are still functioning.
In this situation, the passive firewall concludes that the active firewall is down and attempts to start services that are already running on the active firewall, causing a split brain operation.
Dedicated and redundant management plane control link connections can help prevent split brain.
In band ports are used as backup links for dedicated HA1 and HA2 ports. The following needs to be considered when configuring these ports:
The IP address of the primary and backup HA links must not overlap
HA backup links must be on a different subnet from the primary HA links
HA1 backup ports and HA2 backup ports must be configured on physically separate ports
PA-7000 Series HA Links
High availability on the PA-7000 series mandates the use of specific ports on the switch management card.
The HA1-A port is the control link. This port connects directly to the HA1-A port on the second firewall in the pair, or is connected through a switch or router.
The control link cannot be configured on NPC data ports or the MGT port.
The HA1-B port is the backup control link. This port connects directly to the HA1-B port on the second firewall in the pair, or through a switch/router. The backup control link also cannot be configured on NPC data ports or the MGT port.
The High Speed Chassis Interconnect, or HSCI, is used as the HA data link and backup data link. Each HSCI port is a quad-port SFP+ interface. Each HSCI port has four 10 Gbps links internally, for a combined speed of 40 Gbps.
The HSCI ports are not routable and must be connected directly to each other. HSCI-A on the first chassis connects directly to HSCI-A on the second chassis, and so on.
Once fully connected, the connectivity provides a full 80 Gbps transfer rate. In software the four HSCI-A ports are treated as a single HA interface, and the same goes for the four HSCI-B ports.
If, in the rare instance, the distance between the high availability pair exceeds the maximum distance of the HSCI interface, in-band ports can instead be used for the data link connections.
Designating an Active Firewall
Each firewall in a high availability pair is assigned a device priority to indicate a preference for which firewall should assume the active role.
If a designated firewall in an HA pair needs to be made the active firewall, pre-emptive behaviour must be enabled on both devices and a priority assigned.
The firewall with the lower priority value is designated as the active firewall. The other firewall is designated as the passive firewall.
By default, pre-emption is disabled. When enabled the firewall with lower priority can resume as the active firewall when it recovers from whatever event stopped it working.
If pre-emption is disabled, this can give an administrator a chance to check why a firewall failed before bringing it back into service.
The firewall can use several monitored metrics to detect a failure.
The firewall uses hello messages and heartbeats to verify that the peer firewall is responsive and operating.
Hello messages are sent from one peer to the other at the configured hello interval to verify the state of the other firewall.
The heartbeat is an ICMP ping to the high availability peer over the Control link, and the peer responds to the ping to establish that the firewalls are connected and responsive.
Firewalls can be configured to monitor the link states of the physical interfaces. A firewall can be configured to trigger a failure if any or all the monitored interfaces in the group fail. The default behavior for monitored groups of ports is to failover if any port in the group fails.
The firewall can be configured to monitor mission critical IP addresses via ICMP pings to test reachability. Again, a group can be defined to list the IP addresses that need to be monitored.
An IP address is deemed unreachable if ten pings fail by default, the failover settings can be set to fail the firewall if any or all the IP addresses become unreachable. Similar to interfaces, the default behavior is failover if any of the IP addresses fail.
The PA-3000, PA-5000, and PA-7000 series firewalls can also force a failover if an internal system health check fails. The health check is not configurable and is enabled to monitor critical components such as the field programmable gate arrays and CPUs.
General health checks can also cause a failover on any platform.
The failover will also occur if the firewall is suspended, or if pre-emption occurs.
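The failure-detection rules above (link and path monitor groups with an "any"/"all" condition, the ten-failed-pings default, health check, suspension and pre-emption) modelled as a failover decision. This is an added illustration, not PAN-OS code; the group names, interface names and IP addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Default from the notes above: a monitored IP is deemed unreachable after ten failed pings.
DEFAULT_PING_FAILURES = 10


@dataclass
class MonitorGroup:
    """A link-monitoring group of interfaces or a path-monitoring group of IP addresses.
    failure_condition 'any' (the default) fails the firewall when one member fails;
    'all' fails it only when every member has failed."""
    name: str
    members: List[str]
    failure_condition: str = "any"

    def has_failed(self, member_failed: Dict[str, bool]) -> bool:
        states = [member_failed.get(m, False) for m in self.members]
        if self.failure_condition == "all":
            return bool(states) and all(states)
        return any(states)


@dataclass
class PathMonitor:
    """Counts consecutive failed ICMP pings per monitored IP address."""
    threshold: int = DEFAULT_PING_FAILURES
    consecutive_failures: Dict[str, int] = field(default_factory=dict)

    def record(self, ip: str, reply_received: bool) -> int:
        # A reply resets the counter; a miss increments it.
        self.consecutive_failures[ip] = 0 if reply_received else self.consecutive_failures.get(ip, 0) + 1
        return self.consecutive_failures[ip]

    def unreachable(self) -> Dict[str, bool]:
        return {ip: n >= self.threshold for ip, n in self.consecutive_failures.items()}


def failover_reasons(link_groups: List[MonitorGroup], interface_down: Dict[str, bool],
                     path_groups: List[MonitorGroup], path_monitor: PathMonitor,
                     health_check_failed: bool = False, suspended: bool = False,
                     preempted: bool = False) -> List[str]:
    """Return every trigger that would make this firewall fail over (empty list = stay active)."""
    reasons: List[str] = []
    for g in link_groups:
        if g.has_failed(interface_down):
            reasons.append(f"link-monitor:{g.name}")
    unreachable = path_monitor.unreachable()
    for g in path_groups:
        if g.has_failed(unreachable):
            reasons.append(f"path-monitor:{g.name}")
    if health_check_failed:
        reasons.append("health-check")
    if suspended:
        reasons.append("suspended")
    if preempted:
        reasons.append("pre-emption")
    return reasons


def demo() -> List[str]:
    """Constructed scenario: two uplinks monitored with 'any', two WAN gateways with 'all'."""
    links = [MonitorGroup("uplinks", ["ethernet1/1", "ethernet1/2"])]
    paths = [MonitorGroup("wan-gateways", ["203.0.113.1", "203.0.113.2"], "all")]
    pm = PathMonitor()
    for _ in range(DEFAULT_PING_FAILURES):
        pm.record("203.0.113.1", False)   # first gateway has gone dark: unreachable
    for _ in range(3):
        pm.record("203.0.113.2", False)   # second gateway flapping, not yet failed
    interface_down = {"ethernet1/1": False, "ethernet1/2": True}
    # Only the link group fires: 'any' is met by ethernet1/2, 'all' is not met for the paths.
    return failover_reasons(links, interface_down, paths, pm)


if __name__ == "__main__":
    print(demo())
```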
HA Timer Profiles
High Availability timer profiles define the parameters associated with detecting failures and triggering failover.
Rather than configuring the seven different high availability timers individually, complexity can be reduced by selecting a profile. The Advanced profile gives access to and control of each of the seven timers.
The Recommended profile is used for typical failover times, whilst the Aggressive profile is used for faster failover time settings.
Note that these preset values can change in different PAN-OS releases.
Heartbeat Backup on the Management Port
Enablement of heartbeat backup on the management port can help prevent split brain operations, as redundant heartbeats and hello messages are transmitted over the management port on the management plane.
As heartbeat is an ICMP ping, the management port if configured for heartbeat backup must have pings enabled on the management interface.
Active/Passive High Availability Startup
The firewall remains in the INITIAL state after boot-up until it discovers a peer and negotiation begins. After a 60 second timeout, the firewall becomes ACTIVE if HA negotiation has not started.
The ACTIVE state is the normal traffic-handling state of the active firewall in an active/passive configuration.
The PASSIVE state is the normal state of the passive firewall in an active/passive configuration. The passive firewall is synchronising flow state, run-time objects, and configuration.
If passive link state is configured, the passive firewall runs routing protocols and monitors link and path state. The passive firewall pre-negotiates LACP and LLDP if LACP and LLDP pre-negotiation are configured. The firewall does not process any other types of traffic.
A firewall in the SUSPENDED state cannot participate in the election process and cannot become either active or passive. To suspend a firewall, click Device -> High Availability -> Operational Commands and click the Suspend local device link.
To re-activate the firewall, click the Make local device functional link.
The NON-FUNCTIONAL state is an error state due to a data-plane failure or configuration mismatch.
INITIAL: transient state of a firewall until it joins the HA pair. The firewall remains in this state after boot-up until it discovers a peer and negotiations begin.
ACTIVE: normal traffic-handling state.
PASSIVE: normal traffic is discarded; the firewall might process LLDP and LACP traffic.
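The election and state rules from the "Designating an Active Firewall" and "Active/Passive High Availability Startup" notes above (lower priority value wins, pre-emption disabled by default and needed on both devices, INITIAL to ACTIVE after 60 seconds without a peer, SUSPENDED and NON-FUNCTIONAL firewalls sitting out the election) as a small state-machine model. This is an added illustration, not PAN-OS code; the firewall names and priorities are constructed, and the tie-break on equal priority is an assumption of the model.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

INITIAL_TIMEOUT_SECONDS = 60  # INITIAL -> ACTIVE if no peer negotiates within 60 s


class HAState(Enum):
    INITIAL = "INITIAL"
    ACTIVE = "ACTIVE"
    PASSIVE = "PASSIVE"
    SUSPENDED = "SUSPENDED"
    NON_FUNCTIONAL = "NON-FUNCTIONAL"


@dataclass
class Firewall:
    name: str
    priority: int             # lower value = preferred for the active role
    preemptive: bool = False  # pre-emption is disabled by default
    state: HAState = HAState.INITIAL

    @property
    def can_participate(self) -> bool:
        # SUSPENDED and NON-FUNCTIONAL firewalls cannot take part in the election.
        return self.state not in (HAState.SUSPENDED, HAState.NON_FUNCTIONAL)


def boot_without_peer(fw: Firewall, seconds_since_boot: int) -> HAState:
    """A firewall stays INITIAL until a peer is found; after the 60 s timeout it goes ACTIVE."""
    if fw.state is HAState.INITIAL and seconds_since_boot >= INITIAL_TIMEOUT_SECONDS:
        fw.state = HAState.ACTIVE
    return fw.state


def negotiate(a: Firewall, b: Firewall) -> Optional[Firewall]:
    """Initial election between two peers: the lower priority value becomes ACTIVE, the
    other PASSIVE. Returns the active firewall, or None if neither can take the role."""
    candidates = [fw for fw in (a, b) if fw.can_participate]
    if not candidates:
        return None
    # Assumption of this model: on an equal priority value the first-listed firewall wins.
    active = min(candidates, key=lambda fw: fw.priority)
    for fw in candidates:
        fw.state = HAState.ACTIVE if fw is active else HAState.PASSIVE
    return active


def failover(failed: Firewall, peer: Firewall,
             reason: HAState = HAState.NON_FUNCTIONAL) -> Firewall:
    """The failed (or suspended) firewall leaves service and the peer takes over."""
    failed.state = reason
    if peer.can_participate:
        peer.state = HAState.ACTIVE
    return peer


def rejoin(recovered: Firewall, current_active: Firewall) -> Firewall:
    """A recovered firewall re-enters the pair. It takes the active role back only when
    pre-emption is enabled on BOTH devices and it has the lower priority value; otherwise
    it becomes PASSIVE, giving an administrator the chance to check why it failed."""
    preempt = recovered.preemptive and current_active.preemptive
    if preempt and recovered.priority < current_active.priority:
        current_active.state = HAState.PASSIVE
        recovered.state = HAState.ACTIVE
        return recovered
    recovered.state = HAState.PASSIVE
    return current_active


def make_functional(fw: Firewall) -> HAState:
    """'Make local device functional': leave SUSPENDED and re-enter negotiation."""
    if fw.state is HAState.SUSPENDED:
        fw.state = HAState.INITIAL
    return fw.state


def demo() -> Tuple[str, str, str]:
    """Elect, fail the active firewall, then let it recover with pre-emption on both."""
    fw1 = Firewall("fw1", priority=100, preemptive=True)
    fw2 = Firewall("fw2", priority=200, preemptive=True)
    first = negotiate(fw1, fw2).name        # fw1 (lower value) goes ACTIVE
    after_fail = failover(fw1, fw2).name    # fw2 takes over
    after_rejoin = rejoin(fw1, fw2).name    # pre-emption on both: fw1 resumes
    return first, after_fail, after_rejoin


if __name__ == "__main__":
    print(demo())
```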
Monitor Firewall States
The state of the individual firewalls in a high availability pair can be monitored from the Dashboard tab of the web interface. There is colour coded display about the major components of high availability, these states are green for good, yellow for passive, and red for critical.
Synchronisation of the firewalls must be initiated manually the first time a firewall pair is connected.
This is required to prevent administrators accidentally setting the wrong firewall as active and overwriting the configuration they wish to push to the peer.
Even though Sync to Peer is available on the passive device, it should only be run from the active device, or the current configuration on the active device may be overwritten with an earlier, out-of-date configuration.
Create an interactive, graphical summary of the applications with the ACC
Export policy rules, objects, and IPS signatures using the configuration table export
Create a predefined report to view traffic statistics for the previous day
Describe how log files are forwarded to an external source
Configure a Server Profile to forward logs to a syslog server
Applying a local filter allows interaction with a graph and customises the display so details can be seen and information can be accessed on a specific widget.
The local filter is persistent across reboots
A global filter limits the display to the details the administrator wishes to see, removing unrelated information from the display.
For example, all events related to a specific user and application can be displayed. The user's IP address or username and the application can be applied as a global filter, displaying only information regarding that user and application across all tabs and widgets on the ACC. Global filters are not persistent.
Global Filters can be applied in three ways:
Set a global filter from the table. Select an attribute from the table in any widget and apply the attribute as a global filter
Promote a local filter to a global filter. This allows you to take a local filter, which can be an attribute in a single graph or table in a widget, and apply that attribute globally. When the local filter is promoted to a global filter, the display is updated across all tabs on the ACC.
Define a global filter using the Global Filters pane on the ACC.
Selecting Monitor -> Session Browser allows the administrator to browse and filter sessions that are currently on the firewall.
Configuration Table Export
Starting with PAN-OS 8.1, policy rules, objects, and IPS signatures from Panorama and firewalls can be exported to demonstrate regulatory compliance to external auditors, to conduct periodic reviews of firewall configuration, and to generate reports about firewall policies.
Auditors no longer need direct access to firewalls to take screenshots, or to use the XML API to generate configuration reports.
From the web interface, configuration data for policies, objects, network, and devices, plus Panorama configurations and the exceptions in antivirus, anti-spyware, and vulnerability protection, can be exported.
Configuration table export works like a printout: generated files cannot be imported back into the firewall.
The data that is viewed on the web interface is exported into a CSV or PDF format.
Filters can be applied and matched with the report criteria, and searching within PDF reports allows data to be found quickly.
Every time configuration data is exported, a system log is generated to record the event.
Types of Reports
Over 40 reports including Applications, Traffic, Threat and URL Filtering
Behavior-based mechanisms to identify potential infected hosts
With the query builder
PDF Summary Reports
User or group-activity reports
Includes URL categories and browse-time calculations
Compile reports into a single emailed PDF
User or Group Activity Reports
Select Monitor -> PDF Reports -> User Activity Report
Click Add and then enter a name for the report
Create the report:
For a User Activity report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user who will be the subject of the report
For a Group Activity report: Select Group and select the Group Name from which to retrieve user group information in the report
For a Custom User or Group Activity report: Select Filter Builder and select the appropriate Connector, Attribute, Operator, and Value for the report
Select the time period for the report from the drop down list.
It should be noted that the number of logs that are analysed in a user activity report is determined by the number of rows defined on the Max Rows in User Activity Report on the Logging and Reporting Settings section in Device -> Setup -> Management
Select Include Detailed Browsing to include detailed URL logs in the report.
The detailed browsing information can include a large volume of logs (thousands of logs) for the selected user or user group and can make the report very large.
To run the report on demand, click Run Now
To save the report, click OK
User/Group Activity reports cannot be saved on the firewall
PDF Summary Reports
PDF summary reports contain information compiled from existing reports based on the data for the top five in each category.
PDF summary reports also provide trend charts that are not available in other reports
Report groups enable a set of reports to be created that the firewall can compile and send as a single aggregate PDF report with an optional title page and all constituent reports included.
Exporting Current Listing to CSV
To export the current log listing to CSV, select the Export to CSV icon.
Exporting the log listing to CSV format generates a CSV of up to 65,535 logs.
To change this limit, use the Max Rows in CSV Export field on the Log Export and Reporting subtab: select Device -> Setup -> Management -> Logging and Reporting Settings.
Scheduled Log Export
A daily export of logs can be sent to an FTP or SCP server in CSV format.
Traffic, Threat, URL, Data Filtering, HIP Match, and WildFire logs can be exported.
After the first export, only logs collected since the last export will be sent in the next export.
The log file also includes logs of the last calendar day.
Forwarding Logs to External Sources
The firewall provides logs that record configuration changes, system events, security threats and traffic flows.
Logs can be forwarded to a Panorama management appliance, which can generate SNMP traps or syslog messages and send e-mail notifications.
The firewall can also forward logs using HTTP/HTTPS. This capability allows the firewall to integrate with external systems that provide a HTTP-based API and trigger automated actions when a specific event occurs on the firewall.
Logs most commonly are sent to Panorama or to an external syslog server for long-term storage and analysis.
Panorama provides the ability to manage a distributed network of Palo Alto Networks firewalls from a centralised location where the administrator can:
View all the firewall traffic
Manage all aspects of device configuration
Push global policies
Generate reports about traffic patterns or security incidents
Panorama is available as a dedicated management appliance known as the M-100 or M-500, or as a virtual appliance.
If the M-100 is used as a log collector, its maximum storage is 7 terabytes.
The M-500 supports up to 24 terabytes.
Cortex Data Lake
Cortex Data Lake provides cloud-based, centralised log storage and aggregation for on-premises, virtual, private cloud, and public cloud firewalls, plus GlobalProtect Cloud Service.
Panorama provides the interface for all logs stored in Cortex Data Lake.
From Panorama, an aggregated view of all logs can be observed, and reports, log analysis, and forensics can be generated from this logged data.
Cortex Data Lake also provides isolation of data from other customers, avoiding cross-contamination of logged data.
Data redundancy is maintained through storage of multiple copies of the log database to ensure access when needed.
Current Cortex Data Lake facilities are in two regions, North America and Europe.
The location can be configured to where log data is forwarded.
Syslog is a standard log transport mechanism that enables aggregation of log data from different network devices such as routers, firewalls, and printers from different vendors into a central repository for archive, analysis, and reporting.
Syslog log forwarding can be used to forward logs to a security information and event management (SIEM) system.
Many SIEM vendors and models are compatible with PAN-OS software.
Syslog can be transported over UDP, TCP, or SSL with authentication.
SNMP Monitoring Overview
If the SNMP manager is reached via a non-management interface, allow SNMP in the interface management profile for that interface and create a service route for SNMP to use that interface.
Creating an SNMP Traps Server Profile
Trap Repository Address
EngineID: (get with the OID 1.3.6.1.6.3.10.2.1.1.0)
Describe the three basic requirements for creating a VPN
Configure the interface, IP addresses, and PSK for the IKE Gateway
Configure the DH group, encryption methods, and authentication methods for an IKE Cryptographic profile
Configure a static route in the route table for the tunnel
Troubleshoot IPSec VPN issues from the responder side of the VPN tunnel
Site to Site Overview
IPsec VPNs are implemented between Palo Alto firewalls as route based tunnels, rather than policy based designs.
In a route based VPN, the determining factor of which traffic will be tunneled is the final destination of that traffic.
Route based VPNs are easy to deploy and can scale easily due to the advantage of being supported by dynamic routing protocols.
The Palo Alto firewall can also interoperate with third party policy based VPN devices.
When the firewall receives traffic destined for a remote private network, it looks up the next hop in the routing table.
If it is a remote network, the routing table points to a logical tunnel interface.
This interface is not a real interface, but has the information required to create an IPSec tunnel.
Once the traffic is sent to this logical tunnel interface, the VPN is created and traffic is sent through it.
Palo Alto firewalls support IKE versions 1 and 2. Version 1 is more commonly used, but version 2 supports the requirements of the Network Device Protection Profile, or NDPP.
The option of ‘IKEv2 preferred mode’ provides the ability for the Palo Alto to fall back to IKEv1 after 5 failed retries, that takes around 30 seconds.
IKE Phase 1
IKE Phase 1 identifies the end points of the VPN.
Phase 1 uses peer IDs to identify the devices at each end of the VPN. This is often just the public IP address of the device.
In situations where the public IP is not static, it can be replaced with a domain name or other text value
Three settings are available on Palo Alto firewalls: Aggressive, Main, and Auto
Five pieces of information are transmitted during Phase 1:
Diffie-Hellman key exchange
Symmetric Key Algorithm / Bulk Data Encryption
IKE Phase 2
Phase 2 creates the tunnel that will encapsulate data traffic.
Whilst IKE Phase 1 deals with the authentication, Phase 2 focuses on the data that is transmitted across the tunnel.
Each side of the tunnel has proxy IDs to identify the traffic it is sending and what it expects to receive. These IDs can be a specific network range or a generic network of 0.0.0.0/0
Both sides need to know what the other side will be sending in order for the VPN tunnel to work.
Five pieces of information are transmitted during Phase 2, these are:
IPSec type and mode
Diffie-Hellman / PFS
Symmetric Key Algorithm / Bulk Data Encryption
Lifetime before rekeying
Route Based Site to Site VPN
A single VPN may be sufficient for connecting between a single central site and a remote site.
Connections between a central site and multiple remote sites require VPN tunnels for each central remote site pair.
Each tunnel is bound to a tunnel interface.
VPN traffic is moved across the tunnel interface to the same virtual router as the incoming plaintext traffic.
When a packet arrives at the firewall, the route lookup determines the most appropriate tunnel to use.
The tunnel interface appears to the Palo Alto operating system as a normal interface, and existing routing protocols and infrastructure can be applied.
Each tunnel interface can have a maximum of 10 IPSec tunnels, which allows IPSec tunnels to be created for individual networks that are associated with the same tunnel interface on the firewall.
VPN Tunnel Component Interaction
Three basic requirements for creating a VPN in PAN-OS:
Create the tunnel interface or Phase 1 Objects
See Network -> Interfaces -> Tunnel
The new logical interface must be added to a Layer 3 zone and to a virtual router just as any other logical Layer 3 interface would
Configure the IPSec tunnel or Phase 2 Objects:
A basic interface can be used when creating a tunnel between PAN-OS devices with known IP addresses
The only values needed are the tunnel interface to use, local peer ID, remote peer ID, and pre-shared key
If configuration is with another Palo Alto firewall, make use of the default crypto profiles
If the configuration is with another vendors firewall, configure the advanced settings in Crypto Profiles to match both sides
Add a static route to the virtual router or enable a routing protocol such as BGP, OSPF, or RIP
Add a route table entry for the remote network that points to the tunnel interface from Steps 1 and 2
Create a route for the remote network using the tunnel interface
No next-hop IP address is required when tunnel interfaces are used
Ensure a security rule is created to allow the tunneled traffic
Troubleshooting IPSec Tunnels
Begin by looking at the IPSec Tunnel page, each tunnel provides useful troubleshooting information.
Go to Network -> IPSec tunnels
Tunnel Status: green indicates a Phase 2 SA tunnel has been established. Red indicates the SA is not available or has expired.
IKE Gateway Status: Green indicates a valid IKE Phase 1 SA or IKEv2 IKE SA. Red indicates that IKE Phase 1 SA is not available or has expired
Tunnel Interface Status:
Green indicates that the tunnel interface is up, because tunnel monitor is disabled or the tunnel monitor status is up and the monitoring IP is reachable. Red indicates that the tunnel interface is down because the tunnel monitor is enabled and the remote IP address is unreachable.
Tunnels are established only when traffic is attempting to cross. The test vpn command in the CLI can be used to initiate a tunnel manually.
Common VPN error messages
Always troubleshoot error messages from the responder!
Describe the three major components of GlobalProtect
Configure the client and server certificates to authenticate the agent and the portal
Define the three methods supported for GlobalProtect client connections
Configure the tunnel parameters for an external gateway connection
Extending the security platform with GlobalProtect
GlobalProtect builds on the technology of and offers several features over traditional VPNs:
Extends Next Generation Firewall capabilities to endpoints
Delivers full traffic visibility
Stops advanced threats
Expanding the boundaries of the organisation's network to the client endpoint anywhere in the world, GlobalProtect can work on remote laptops and mobile devices.
GlobalProtect can determine the closest available gateway to the roaming device and establish a secure connection using strong authentication.
Laptops and mobile devices can stay connected to the organisation's network at all times, and behave as if they had never left the corporate network.
GlobalProtect can ensure that the same secure application enablement policies that protect users at the organisation are enforced for all users wherever they are in the world.
Components of GlobalProtect
GlobalProtect comes in three components:
GlobalProtect Portal
Provides the management functions for the GlobalProtect infrastructure. Every client that connects to the GlobalProtect network receives configuration information from this portal.
GlobalProtect Gateway
Provides security enforcement for traffic from GlobalProtect agents and apps. External gateways provide security enforcement and VPN access for remote users. Internal gateways apply security policy for access to internal resources.
GlobalProtect Client Software
Runs on end users' systems and enables access to network resources via the deployed GlobalProtect portals and gateways.
GlobalProtect Install Agents
The installer is in an .msi for Windows, or .pkg for Mac.
GlobalProtect has installation agents for Android, Chromebook, iOS, and Universal Windows Platform.
The iOS and Android versions are available through their respective app stores.
The GlobalProtect app for Linux extends User-ID and Security Policy enforcement to users on Linux endpoints.
The app is available in .deb, .rpm, or .tar packages and is compatible with operating systems such as CentOS 7.0, Red Hat Enterprise Linux 7.0, or Ubuntu 14.04 and later.
It provides a command line interface and functions as an SSL or IPSec VPN client.
The Linux App supports common GlobalProtect features and authentication methods such as client certificate authentication, server certificate validation, authentication cookies, and two factor authentication.
Connection Sequence for GlobalProtect
The GlobalProtect client on the local system connects to the GlobalProtect Portal for authentication.
After authorization is confirmed, the portal sends the client configurations and a list of GlobalProtect Gateways.
The client connects to the best gateway (based on SSL response time and local priority) to respond to the connection request.
It is the client that communicates directly with portals and gateways; there is no direct communication among gateways or between gateways and portals.
Once the client is installed and enabled, it contacts the portal when setting up a connection. Any time the client contacts the portal, the portal authenticates the connection.
A GlobalProtect Topology
The GlobalProtect implementation requires at least one portal and one gateway.
The portal and gateway can be configured on the same firewall.
In the simplest configuration, a single firewall is configured to serve gateway and portal services from the same IP address. This provides end users with VPN access to the organisation's networks with a minimum of configuration.
If the gateway and portal share a single IP address, only one certificate is needed for the firewall.
An Advanced GlobalProtect Topology
In larger environments, GlobalProtect can be configured with multiple gateways.
Additional gateways can be used to provide access to multiple protected networks, and can provide redundancy and performance improvements for end users.
GlobalProtect clients can connect directly to a gateway, from a list provided by the portal, and by default, the chosen gateway is the one that responds the fastest to the connection request.
To ensure consistent access, multiple gateways often require the networks to be connected to each other by VPN so the end user has access to the same data regardless of which gateway they connect to.
Although there will always be one portal, the portal is not a single point of failure. If the firewall that hosts the portal is unreachable the client can use their cached configuration to contact other gateways.
The only limitation is an offline portal: new clients cannot be serviced, and existing clients will not download configuration changes.
This issue can be resolved by fixing the offline portal, or redirecting clients via DNS to another portal.
GlobalProtect in the cloud
With major cloud providers having worldwide locations, VM-Series firewalls and GlobalProtect mobile security allow an organisation to extend its security policy to remote users and devices regardless of their location in the world.
GlobalProtect establishes a secure connection to protect the user from internet threats and can enforce application-based access control wherever they are in the world.
In marketing terms:
Prisma access is:
security delivered from the cloud
scalable, manageable architecture
consistent security for both remote locations and mobile users
managed centrally by Panorama
Prisma access allows the administrator to scale their networks based on growth of the headquarters, remote networks, and mobile users.
The Threat Prevention, URL Filtering and WildFire subscriptions are all included with Prisma Access.
Panorama is used to onboard sites, manage policies and query logs for monitoring and reporting capabilities.
Determining Internal or External Gateways
The portal can provide an IP address and DNS hostname as part of the information passed to the client to determine if the host is inside or outside the corporate network
The DNS hostname and IP address must correspond to a device whose name can only be resolved by an internal web server
The agent performs a reverse lookup on the IP address. If it receives a hostname as the response, the agent assumes it is on an internal network and connects to the gateways in the internal list.
If no response is received for the lookup, the client connects to the gateways in the external list.
If an internal host detection hostname and address pair is not provided, the client attempts to connect to the internal gateways first, then the external gateways.
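The gateway decision described above, as an added illustration rather than GlobalProtect's own code. The portal configuration, gateway names, addresses and hostnames are constructed placeholders, and the DNS resolver is injected as a function so the logic runs offline. Two choices go slightly beyond the notes and are assumptions of this example: the PTR answer must equal the configured hostname (not merely exist), so a stray or spoofed PTR record from an untrusted resolver cannot flip a client to "internal"; and gateways are ranked by local priority first, then by measured SSL response time.

```python
"""Simulated GlobalProtect-style internal host detection and gateway choice.

Added example; not GlobalProtect code. The resolver is injected so the
decision logic can be exercised offline with constructed answers.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ReverseLookup = Callable[[str], Optional[str]]  # IP -> PTR hostname, or None


@dataclass(frozen=True)
class Gateway:
    name: str
    priority: int       # local priority from the portal config; lower is preferred
    ssl_rtt_ms: float   # measured SSL response time to the gateway


# Constructed portal configuration (hostnames and addresses are placeholders).
INTERNAL_HOST_DETECTION = {"ip": "10.0.0.5", "hostname": "ihd.corp.example"}
INTERNAL_GATEWAYS = [Gateway("gw-int-1", 1, 12.0), Gateway("gw-int-2", 1, 9.0)]
EXTERNAL_GATEWAYS = [Gateway("gw-ext-london", 1, 40.0), Gateway("gw-ext-newyork", 2, 25.0)]


def is_internal(reverse_lookup: ReverseLookup, detection: Optional[Dict[str, str]]) -> Optional[bool]:
    """True = inside the corporate network, False = outside, None = no pair configured.

    Assumption of this example: the PTR answer has to equal the configured
    hostname, not just be present, before the client trusts "inside".
    """
    if not detection:
        return None
    answer = reverse_lookup(detection["ip"])
    return answer is not None and answer.rstrip(".").lower() == detection["hostname"].lower()


def rank(gateways: List[Gateway]) -> List[Gateway]:
    """Order by local priority, then by SSL response time (fastest first); the tie-break order is assumed."""
    return sorted(gateways, key=lambda g: (g.priority, g.ssl_rtt_ms))


def candidate_gateways(location: Optional[bool], internal: List[Gateway], external: List[Gateway]) -> List[Gateway]:
    if location is None:          # no detection pair: try the internal list first, then external
        return rank(internal) + rank(external)
    return rank(internal if location else external)


def choose_gateway(reverse_lookup: ReverseLookup, detection: Optional[Dict[str, str]],
                   internal: List[Gateway], external: List[Gateway]) -> Gateway:
    return candidate_gateways(is_internal(reverse_lookup, detection), internal, external)[0]


# Constructed resolver behaviours standing in for real DNS answers.
def corporate_resolver(ip: str) -> Optional[str]:
    return "ihd.corp.example." if ip == "10.0.0.5" else None


def public_resolver(ip: str) -> Optional[str]:
    return None            # the internal-only name does not resolve from outside


def spoofing_resolver(ip: str) -> Optional[str]:
    return "something-else.example."   # a PTR answer that is not the expected name


if __name__ == "__main__":
    for resolver in (corporate_resolver, public_resolver, spoofing_resolver):
        gw = choose_gateway(resolver, INTERNAL_HOST_DETECTION, INTERNAL_GATEWAYS, EXTERNAL_GATEWAYS)
        print(f"{resolver.__name__}: {gw.name}")
```

Run as a script it prints the gateway chosen for each resolver; the spoofing case lands on an external gateway because the answer does not match the configured name.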
Clientless VPN allows the user to have secure access to an organisation's network from an SSL-enabled web browser without needing to install client software.
Users can log into the GlobalProtect portal using a web browser and launch the web applications that have been published for that user
A user can access applications that have been made available to them. The user who logs in will be able to see a list of applications that they can launch
Security policies will need to be configured to allow traffic from GlobalProtect clients to the security zone associated with the GlobalProtect portal that hosts the landing page.
Security policies will need to be configured to allow user-based traffic from the GlobalProtect portal zone to the security zone where the published application servers are hosted.
GlobalProtect for Internal User Based Access
An internal gateway that is used in conjunction with User-ID technology can be used to provide a secure, accurate, method of identifying and controlling traffic by user
Internal gateways are useful in sensitive environments where authenticated access to critical resources is required
HIP profiles can be configured on the gateway to ensure compliance with internal maintenance requirements, such as whether the latest security patches and anti-virus definitions are installed, whether disk encryption is enabled, and whether any other required software is installed.
Connectivity between all components of GlobalProtect is authenticated using SSL certificates.
The portal can act as a CA for the system, using a self-signed CA certificate or an imported subordinate issuing CA certificate, or an administrator can generate their own certificates using their own CA.
The portal, gateways, and agents must all use certificates signed by the same certificate authority.
Before any information is transferred, the client verifies that the gateway is using a server certificate signed by a trusted CA.
The gateway also verifies that the client has a client certificate signed by the correct CA.
If there are third parties who may not trust a self-signed CA, a third-party CA that is trusted by all parties should be used for the portal.
The portal includes the public certificate of the CA, and the needed client certificate and key, as part of the configuration bundle sent to the client.
GlobalProtect gateways use the same client certificate to authenticate and identify the client.
Palo Alto Networks supports exporting the server certificate and key from the portal for use on the gateways. If an external CA is used, the CA certificate can be imported along with a server certificate and key for the portals and gateways, and a client certificate and key for the clients.
Portals and gateways do not communicate directly, so the gateway certificates need to be manually imported onto firewalls.
Authentication Server Profiles and GlobalProtect
GlobalProtect uses the same system of server profiles and authentication profiles that administration or user-id use.
The GlobalProtect Client page lists available GlobalProtect releases.
When the agent connects to the portal, the firewall checks the agent version and installs the currently activated version if it differs from the version currently on the system.
Only the portal provides the software, so if the portal is separate from the gateway it will need to be maintained there.
As most of the configuration for GlobalProtect happens on the portal, the portal is responsible for coordinating communications between all other GlobalProtect components.
GlobalProtect administrators can set the level of control that end users have over their own connections, from a fully locked-down configuration to one that permits users to choose which gateway they want to connect to.
GlobalProtect App Connection Methods
on-demand: Allows users to establish a connection on demand. The user must explicitly initiate the connection.
user-logon: Automatically establishes a GlobalProtect client connection after the user logs into their computer. If single sign-on is enabled, the agent uses the user's Windows credentials to authenticate to the portal in a process that is completely seamless to the user. The authentication profile must use the same verification process as the logon service.
pre-logon: Preserves pre-logon and post-logon services provided by the organisation's infrastructure regardless of where a machine might be located. GlobalProtect establishes a connection even if a user is not logged into the computer. This means the company can create a logical network that maintains the security and management features normally achieved by a physical network. Tunnel selection and establishment occur based on machine certificates deployed outside of GlobalProtect.
When User-ID technology is in use, pre-logon connections are marked with a user identifier of ‘pre-logon’ rather than an explicit user. Once a user has logged in, ‘pre-logon’ changes to the username on the client device.
Internal gateways only support the always-on methods, user-logon or pre-logon.
The connection method is selected by navigating to Network -> GlobalProtect -> Portals -> Agent
The GlobalProtect gateway provides the endpoint for the agents connection
If tunnel mode is enabled, the client sends all traffic through the connected gateway.
Note that external gateways always require a tunnel; internal gateways do not, but can be configured to use one.
Split tunnels are supported, but this feature is not recommended for extending the firewall policy with application control and visibility to all mobile users.
Gateways enforce the policy based on the HIP profiles that are received.
GlobalProtect and User-ID
The GlobalProtect client provides a way of mapping user information to the firewall directly.
Every user that has the GlobalProtect agent or app running is required to enter their login details to access organisation resources.
This login information can be mapped into the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement.
Since users must authenticate to gain access to the network, their user-to-IP-address mapping is explicitly known.
The GlobalProtect client software runs on end users' systems and enables access to the organisation's network via the GlobalProtect portals and gateways that have been deployed.
Describe the differences between the integrated agent and the Windows-based agent
Define the methods to map IP addresses to users
Configure the PAN-OS integrated agent to connect to monitored servers
Configure the Windows-based agent to probe IP addresses for username information
The purpose of User-ID is to identify the user on the network and the IP addresses of the computers the user is logged in to.
User-ID can retrieve information from a connected LDAP directory server.
The goal of User-ID is to give the ability to write policies, display logs, and display reports using usernames rather than just numerical IP addresses and port numbers.
Usernames and group names can be used as matching criteria in Authentication policies, Decryption policies, DoS protection policies, Policy Based Forwarding policies, QoS policies, Security Policies, and Tunnel Inspection Policies.
User-ID Main Functions
Before user and group based policy rules can be created, the firewall requires a list of all users and their group mappings.
The firewall uses group mapping and user mapping to collect the information required.
Group Mapping is learned from group names and member users from a LDAP directory server.
User Mapping includes several different methods to collect IP address-to-username information.
The user mapping can be chosen by the administrator to suit different needs and environments. Different methods can be used at different sites.
Palo Alto Networks Firewall
Maps IP addresses to usernames
Maps usernames to group names
PAN-OS Integrated User-ID Agent
Runs on the firewall
Collects IP address to username information
Windows-based User-ID Agent
Runs on a domain member
Collects IP address-to-username information
Sends information to the firewall
Palo Alto Networks Terminal Services Agent
Runs on Microsoft and Citrix terminal servers
Collects IP address and port number to username information
Sends information to the firewall
Forms of User-ID Agent
PAN-OS Integrated Agent
Included with PAN-OS software
Can monitor up to 100 domain controllers or Exchange servers
Can monitor users and domain controllers only from a single Active Directory, or AD, domain
Designed for small and midsize deployments
Windows-Based User-ID Agent
Available for download from Palo Alto Networks and can be installed on one or more Windows systems
Can handle larger environments or multiforest domains
A firewall can communicate with both agent types at the same time
Integrated Agent versus Windows-Based Agent
The Windows-based agent and the PAN-OS integrated agent perform the same basic tasks, but use different underlying communication protocols.
The Windows-based agent uses MS-RPC, which requires the full Windows Security logs to be sent to the agent, where they are filtered for relevant User-ID information. This agent is best for reading local logs.
The PAN-OS integrated agent uses either Windows Management Instrumentation (WMI) or the Windows Remote Management protocol (WinRM), which allows the agent to retrieve only the relevant User-ID information from the security logs. This agent is best for reading remote logs.
In summary, use the integrated agent for remote sites, or install a Windows-based agent at the local site.
User Mapping Methods
GlobalProtect – Login Events
Captive Portal – Web Forms
Devices that can format and send XML over HTTP
Third Party WLAN controller
Third Party Proxy
Third Party VPN
Network access control systems
Terminal Services Agent
Microsoft Remote Desktop Services
Citrix Presentation Server
Third Party Proxy
eDirectory – Login or logout events in authentication logs
Microsoft Exchange – Login or logout events in authentication logs
Microsoft Active Directory – Login or logout events in authentication logs
Session tables are also read to confirm known IP address-to-username mappings based on current Windows file and printer shares.
User Mapping Using Global Protect
Every GlobalProtect user is required to enter their login credentials to access to the VPN
GlobalProtect can directly add the username to the firewall's User-ID mapping table.
GlobalProtect is listed as the best solution for high-security environments.
User-ID information can be provided by clients that are connected to an internal network via an internal GlobalProtect gateway without establishing a VPN tunnel to the firewall.
User-ID Syslog Monitoring
Syslog monitoring may be a good fit where existing network services already authenticate users. These services could include 802.1x devices, wireless controllers, Apple Open Directory servers, proxy servers and other related services.
These services can be configured to send syslog messages that contain information about login and logout events, and the User-ID agent can be configured to parse those messages.
The integrated and Windows-based agents can both retrieve these syslog messages. Syslog Parse Profiles are used to parse them. In environments with different services producing varying message formats, custom Syslog Parse Profiles can be set up to pick up the login and logout events. If the PAN-OS integrated User-ID agent is used, Palo Alto Networks provides predefined Syslog Parse Profiles through Applications content updates.
The User-ID agent can parse login events to map IP addresses to usernames and parse logout events so the firewall deletes outdated mappings. Deletion of outdated mappings is useful where IP address assignments change often.
User-ID Operation Overview: Domain Controllers
Before User-ID can operate, it must be enabled on the relevant security zone.
If User-ID is enabled, the firewall consults the administrator-defined User-ID configuration to determine which agents the firewall has available to gather IP address and username information.
Once User-ID has retrieved the IP address and username information from an agent, it can use the firewall's LDAP configuration to retrieve user-to-group mapping information from an LDAP server.
With the information requirements satisfied, the security policy can be checked for a match.
For domain controller monitoring, when a user logs into their laptop, which is an Active Directory member, the AD domain controller logs a logon event with the username and IP address of the station.
User-ID Domain Controller Monitoring
Passive server monitoring, recommended by Palo Alto Networks because of its low overhead, allows a User-ID agent to monitor the security logs of a Microsoft domain controller for user logon or logout events.
The AD domain must be configured to log successful logon events into the security logs.
Users are able to authenticate to any domain controller in a domain, and security logs are not replicated between separate domain controller servers. Server monitoring needs to be turned on for all controllers to capture all user login events. User-ID agents can monitor multiple domain controllers, but only a single domain.
Step 1 – Parse and record
On startup, the User-ID agent parses the security event logs for user logon events
Step 2 – Check Logs
The User-ID agent checks Security logs on a regular basis for only new logon or logout events
Step 3 – Mappings cached
User mappings are cached for a period equal to the timeout value set in the User-ID agent
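The syslog parsing described under User-ID Syslog Monitoring, and the mapping cache timeout in step 3 above, as one added example (not Palo Alto Networks code). The syslog lines and the two parse profiles are constructed for this example and imitate no real vendor format; the regular expressions stand in for the login and logout patterns of a Syslog Parse Profile, the table stands in for the firewall's IP address-to-username mapping, and the 45-minute timeout is an arbitrary value. Lines that no profile matches are ignored, a logout removes the mapping only if it names the user currently mapped, and a later login from the same address (a reassigned DHCP lease) replaces the earlier mapping.

```python
"""Syslog login/logout parsing into an IP-to-username mapping table with timeouts.

Added example; not Palo Alto Networks code. Log formats and parse profiles are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"


@dataclass(frozen=True)
class ParseProfile:
    """Stand-in for a Syslog Parse Profile: a login pattern and an optional logout pattern."""
    name: str
    login: "re.Pattern[str]"
    logout: Optional["re.Pattern[str]"] = None


# Constructed profiles for two made-up message formats.
PROFILES: List[ParseProfile] = [
    ParseProfile("wlc-auth",
                 re.compile(r"user (?P<user>\S+) logged in from " + IPV4),
                 re.compile(r"user (?P<user>\S+) logged out from " + IPV4)),
    ParseProfile("proxy-login",
                 re.compile(r"LOGIN user=(?P<user>\S+) src=" + IPV4)),
]

# Constructed syslog lines (ISO timestamp, host, message); not real device output.
SAMPLE_SYSLOG: List[str] = [
    "2020-09-16T19:49:22Z wlc01 auth: user alice logged in from 10.1.2.3",
    "2020-09-16T19:50:00Z proxy01 auth: LOGIN user=bob src=10.1.2.4",
    "2020-09-16T19:51:00Z core-sw01 link: GigabitEthernet1/0/1 changed state to up",
    "2020-09-16T20:10:00Z wlc01 auth: user alice logged out from 10.1.2.3",
    "2020-09-16T20:20:00Z wlc01 auth: user dave logged in from 10.1.2.3",
]


@dataclass
class Mapping:
    user: str
    expires: datetime


class UserIdTable:
    """IP address -> username, each entry cached until its timeout."""

    def __init__(self, timeout: timedelta):
        self.timeout = timeout
        self.by_ip: Dict[str, Mapping] = {}

    def login(self, ip: str, user: str, now: datetime) -> None:
        self.by_ip[ip] = Mapping(user, now + self.timeout)   # overwrites a stale user on the same IP

    def logout(self, ip: str, user: str, now: datetime) -> None:
        current = self.by_ip.get(ip)
        if current is not None and current.user == user:
            del self.by_ip[ip]

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        current = self.by_ip.get(ip)
        if current is None:
            return None
        if now >= current.expires:      # cached mapping has timed out
            del self.by_ip[ip]
            return None
        return current.user


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, 'login'|'logout', user, ip), or None if no profile matches."""
    ts_str, rest = line.split(" ", 1)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    for profile in PROFILES:
        m = profile.login.search(rest)
        if m:
            return ts, "login", m["user"], m["ip"]
        if profile.logout is not None:
            m = profile.logout.search(rest)
            if m:
                return ts, "logout", m["user"], m["ip"]
    return None


def build_table(lines: List[str], timeout: timedelta = timedelta(minutes=45)) -> UserIdTable:
    table = UserIdTable(timeout)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue                    # unmatched line: no parse profile applies
        ts, kind, user, ip = event
        if kind == "login":
            table.login(ip, user, ts)
        else:
            table.logout(ip, user, ts)
    return table


if __name__ == "__main__":
    t = build_table(SAMPLE_SYSLOG)
    at = datetime(2020, 9, 16, 20, 25)
    for ip in ("10.1.2.3", "10.1.2.4"):
        print(ip, "->", t.lookup(ip, at))
```

Run as a script it prints the user mapped to each address at 20:25: dave on 10.1.2.3 (alice's logout removed her, then dave logged in) and bob on 10.1.2.4; ten minutes later bob's 45-minute cache entry has expired.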
User-ID Windows Session Monitoring
Clients that have a connected shared file/folder or print resource will have their session information stored on a domain controller.
This is an additional Windows-based method to resolve IP addresses to users: the agent consults the shared resource session table recorded on the domain controller.
User-ID Mapping Recommendations
If you have… – Use…
GlobalProtect VPN clients – GlobalProtect
Web clients that do not use the domain server – Captive Portal
Non-Windows systems, NAC mechanisms such as wireless controllers, 802.1x devices, or proxy servers – User-ID agent: Syslog monitoring
Exchange servers, domain controllers, or eDirectory servers – User-ID agent: Server monitoring
Windows file and print shares – User-ID agent: Session monitoring
Multi-user systems such as Microsoft Remote Desktop Services or Citrix Metaframe Presentation Server (XenApp) – Terminal Services agent
Windows clients that often change IP addresses – User-ID agent: Client probing
Devices and applications not integrated with User-ID – XML API
Steps for configuring User-ID
Enable User-ID by zone
Configure user mapping methods
Configure group mapping (Optional)
Modify firewall policy rules to use usernames or group names
To enable user-ID by zone, tick the ‘Enable User Identification’ box on the zone settings on the firewall.
By default User-ID tries to map all users from all networks found within a User-ID enabled zone.
The include list can be used to limit the networks that the firewall tries to map IP addresses in.
The exclude list can be used to exclude a subnet of a network that appears in the include list.
If WMI probing is enabled, by default only private IP address ranges are probed. To probe public addressing ranges, those ranges need to be included in the Include List.
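The zone-level include, exclude and probing rules above, as an added example (not firewall code). It is a simplified model of the behaviour the notes describe: exclude entries carve a subnet out of an included network, an empty include list means every network in the zone is mapped, WMI probing covers the RFC 1918 private ranges by default, and a public range is probed only when it is listed in the include list. How the real firewall treats an exclude list with no include list is not modelled. The subnets are constructed; 203.0.113.0/24 is a documentation range standing in for a public one.

```python
"""Zone User-ID include/exclude lists and WMI probing scope (simplified model).

Added example; not PAN-OS code. Subnets are constructed.
"""
import ipaddress
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# RFC 1918 private ranges: probed by default when WMI probing is enabled.
PRIVATE_RANGES: List[IPNetwork] = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def _networks(entries: Iterable[str]) -> List[IPNetwork]:
    return [ipaddress.ip_network(e, strict=False) for e in entries]


class ZoneUserId:
    """User-ID settings of one security zone."""

    def __init__(self, enabled: bool, include: Iterable[str] = (),
                 exclude: Iterable[str] = (), wmi_probing: bool = False):
        self.enabled = enabled
        self.include = _networks(include)
        self.exclude = _networks(exclude)
        self.wmi_probing = wmi_probing

    def should_map(self, ip: str) -> bool:
        """Should the firewall try to learn a username for this source address?"""
        if not self.enabled:
            return False
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.exclude):   # exclude carves out of the included networks
            return False
        if not self.include:                            # default: every network in the zone
            return True
        return any(addr in net for net in self.include)

    def should_probe(self, ip: str) -> bool:
        """Should a WMI probe be sent to this address?

        Private ranges are probed by default; public ranges only when they
        are explicitly present in the include list.
        """
        if not self.wmi_probing or not self.should_map(ip):
            return False
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in PRIVATE_RANGES):
            return True
        return any(addr in net for net in self.include)


# Constructed zone settings for a quick run.
SITE_ZONE = ZoneUserId(True, include=["10.1.0.0/16", "203.0.113.0/24"],
                       exclude=["10.1.99.0/24"], wmi_probing=True)
DEFAULT_ZONE = ZoneUserId(True, wmi_probing=True)

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.1.99.7", "10.2.0.1", "203.0.113.5"):
        print(ip, "map:", SITE_ZONE.should_map(ip), "probe:", SITE_ZONE.should_probe(ip))
```

The exclude of 10.1.99.0/24 (for example a server VLAN that should not be probed) wins over the broader 10.1.0.0/16 include, and the public 203.0.113.0/24 is probed only because it is named in the include list; in DEFAULT_ZONE the same public address is mapped but never probed.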
Configuring the PAN-OS Integrated User-ID Agent
On the domain controller, create a service account with the required permissions to run the agent
On the firewall define the address of the servers to be monitored
Add the service account to monitor the servers
Configure session monitoring (optional step)
Configure WMI probing (optional step)
Commit the configuration and verify agent status
Configure the Windows-Based User-ID Agent
On the domain controller, create a service account with the required permissions to run the agent
Select a Windows domain member
Download and install User-ID agent software
Run the User-ID agent installer
Configure the User-ID agent
Configure the firewall to connect to the User-ID agent
Verify connection status
Selecting the Installation Location
The Windows-based agent can be installed on 32 or 64 bit machines running Windows XP SP3 or later
The agent is to be installed on the same network site as the monitored server to optimise bandwidth use
Two agents can be installed on two member servers in case one agent or a single domain controller fails.
The agent can be installed on a domain controller, though this is not recommended best practice.
Selecting Users and Groups for a Security Policy
any – matches any value for user
pre-logon – Used with certain GlobalProtect implementations
known-user – Matches any user or group identified by User-ID
unknown – Matches traffic where the user could not be identified by User-ID methods
select – Matches a specific user or group identified by User-ID
For larger enterprises, it is best to set policy rules by groups rather than by individual users.
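First-match evaluation of the User column values listed above, as an added example (not PAN-OS code). The rules, the IP-to-username mappings and the group membership are constructed; the group is given as an LDAP distinguished name only to mirror how group mapping names groups. One assumption is made that the notes do not state: a session still carrying the ‘pre-logon’ placeholder matches only pre-logon and any, so it is neither a known-user nor unknown.

```python
"""First-match security policy evaluation on the User column (any / pre-logon /
known-user / unknown / select).

Added example; not PAN-OS code. Rules, mappings and groups are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PRELOGON = "pre-logon"   # placeholder identity before a user has logged on


@dataclass(frozen=True)
class Rule:
    name: str
    user: str     # "any" | "pre-logon" | "known-user" | "unknown" | "select:<user or group>"
    action: str   # "allow" | "deny"


def user_matches(criterion: str, username: Optional[str], groups: Dict[str, Set[str]]) -> bool:
    """Does a session with this (possibly unknown) username satisfy the rule's User field?"""
    if criterion == "any":
        return True
    if criterion == PRELOGON:
        return username == PRELOGON
    if criterion == "known-user":           # assumption: the pre-logon placeholder is not a known user
        return username is not None and username != PRELOGON
    if criterion == "unknown":
        return username is None
    if criterion.startswith("select:"):
        target = criterion[len("select:"):].lower()
        if username is None or username == PRELOGON:
            return False
        if username.lower() == target:      # selected a single user
            return True
        members = groups.get(target, set()) # selected a group from group mapping
        return username.lower() in {m.lower() for m in members}
    raise ValueError(f"unsupported user criterion: {criterion}")


def first_match(rules: List[Rule], src_ip: str, ip_user_map: Dict[str, str],
                groups: Dict[str, Set[str]]) -> Optional[Rule]:
    """Top-down, first matching rule wins; None if nothing matched."""
    username = ip_user_map.get(src_ip)      # None: User-ID could not identify this address
    for rule in rules:
        if user_matches(rule.user, username, groups):
            return rule
    return None


# Constructed data: mapping table, group mapping and a small rulebase.
IP_USER_MAP: Dict[str, str] = {"10.1.2.3": "alice", "10.1.2.4": "bob", "10.1.2.9": PRELOGON}
GROUPS: Dict[str, Set[str]] = {"cn=finance,ou=groups,dc=example,dc=com": {"alice"}}
RULES: List[Rule] = [
    Rule("allow-finance-app", "select:cn=finance,ou=groups,dc=example,dc=com", "allow"),
    Rule("allow-prelogon-updates", PRELOGON, "allow"),
    Rule("allow-known-users", "known-user", "allow"),
    Rule("deny-unknown", "unknown", "deny"),
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.1.2.4", "10.1.2.9", "10.1.2.50"):
        hit = first_match(RULES, ip, IP_USER_MAP, GROUPS)
        print(ip, "->", hit.name if hit else "no match", "/", hit.action if hit else "-")
```

alice hits the group rule because group mapping places her in the finance group, bob falls through to known-user, the pre-logon machine hits only the pre-logon rule, and an address with no mapping reaches the unknown rule.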
Describe how a firewall works with WildFire Threat Intelligence Cloud
Describe how WildFire analysis is used to update URL categories listed in the PAN-DB URL Filtering data
Configure Session Information Settings to specify which type of session information will be sent to Wildfire
Define a WildFire Analysis Profile
Configure both the types of information submitted to WildFire and the amount of information that is returned to the firewall in the report
Evolution of Malware
In modern times malware has evolved.
Instead of being a simple replicating virus, it has adapted to be highly evasive and adaptable in order to avoid detection, and highly targeted and sophisticated when launching attacks.
This new breed of malware is often the core of the most sophisticated attacks on organisations' networks today.
Often this new malware is customised for a particular attack, making it more difficult for traditional signature-based anti-malware solutions to detect it
WildFire Threat Intelligence Cloud
Palo Alto firewalls around the world automatically forward unknown files and URL links found in emails to the WildFire Threat Intelligence Cloud, or to one of the three regional clouds, for analysis.
The three regional clouds are in Europe, Japan, or Singapore.
Each cloud analyses samples and generates malware signatures and verdicts independently of other WildFire clouds.
The sample could be detected as Benign, Grayware, Malware or Phishing. If Phishing the PAN-DB URL Database will get updated.
WildFire signatures and verdicts are shared globally, which allows WildFire users to benefit from the anti-malware coverage no matter where they are in the world.
WildFire users can also use the WildFire XML API or WildFire Dashboard to manually upload files to WildFire for analysis.
Recap of Wildfire
WildFire is a cloud based virtual sandbox used to evaluate unknown files and URL links found in e-mails.
The evaluation occurs for Android, Linux, Mac OS X, Windows XP, Windows 7 and Windows 10.
If malware or phishing is found, WildFire creates a new antivirus signature or adds the URL to the PAN-DB Phishing URL category.
These updates are available in minutes for firewalls around the world to download.
Overview of WildFire's Operation
For the daily threat updates, the new signature is normally delivered within 24 to 48 hours
WildFire Verdict Descriptions
Benign – Safe and does not exhibit malicious behavior
Grayware – No security threat but may display obtrusive behavior
Malware – Malicious in nature and intent and can pose a security threat
Phishing – Based on properties and behaviors the website displays
WildFire Protects E-mail
The Palo Alto firewall has the capability to send email attachments or URL links to WildFire for analysis.
Neither the firewall nor WildFire stores or enables viewing of the email contents.
If WildFire detects a malicious file, it immediately creates a new anti-virus signature that can be downloaded by Palo Alto firewalls around the world.
This new antivirus signature can help prevent further compromise of other machines in the network and around the world.
If the firewall has a WildFire and PAN-DB licence, the firewall can gain access to the signatures in as little as 5 minutes.
If WildFire determines a file attachment or e-mail URL link is malicious, it includes the email header in the WildFire Submissions log that it returns to the firewall. If User-ID technology is enabled, the log can be used to quickly find and remediate the threats received by the user.
Content Packages and Wildfire Updates
WildFire analysis is used to create new antivirus signatures.
It also is used to update the URLs and URL categories listed in the PAN-DB URL Filtering database.
Antivirus signatures are made available within 24 to 48 hours as content updates to the Antivirus content database.
Daily downloads of the antivirus content database can be scheduled. Firewall access to the AntiVirus content database is permitted with a Threat Prevention Licence.
Antivirus signatures are also available in as little as 5 minutes as content from the WildFire Signatures database. A firewall can be scheduled to check for these updates as often as every minute. Access to this database is permitted with a WildFire licence.
URL updates are available within 5 minutes as content updates to the PAN-DB URL Filtering database.
Updates of the firewall with new content updates of the PAN-DB URL Filtering do not need to be scheduled, as new URL information is downloaded dynamically as needed.
Firewall access to the PAN-DB URL Filtering database is enabled using a URL Filtering licence.
Microsoft Office extensions, PDF, JAR, CLASS, SWF, SWC, APK, Mach-O, DMG, RAR, 7-Zip, Linux ELF, PKG
WildFire signature updates every 5 minutes
API file submission
WildFire private cloud appliance
There are two different content package formats for WildFire content updates, content packages for 7.1 and later, and content packages for 7.0 and earlier.
The content packages contain the same set of signatures
A licence allows users to submit files for analysis to WildFire using the WildFire XML API
A WildFire licence entitles a firewall to use the WF-500 appliance as a WildFire private cloud service.
WildFire Private Cloud
The WF-500 is a WildFire private cloud solution. It supports Windows XP and Windows 7 virtual environments and requires a Windows 7 64-bit image to be installed on the appliance.
The WF-500 locally analyses unknown files, plus files and URLs found in email.
The advantage being that these files will never leave your network.
The WF-500 does not support scanning of APK files.
The WF-500 locally generates antivirus signatures and categorises URLs.
The administrator can choose whether to automatically forward malware files to the public cloud for signature generation.
The WF-500 appliances supports the WildFire XML API.
Content updates to the WF-500 are provided daily, helping to improve analysis accuracy. Trusted code-signing certificates, malware domain lists and new signatures are examples of content provided to the WF-500 via these updates.
The WF-500 can be configured to provide automatic download and installation of WF-500 content packages, or can be manually accomplished by an administrator.
The Hybrid Cloud combines the public and private cloud solutions.
If a WF-500 appliance is used, a WildFire hybrid cloud can be enabled that lets the WF-500 analyse sensitive file types locally, while less sensitive file types are sent to the WildFire public cloud.
Files that are not supported on the WF-500, such as APK, can be set to be forwarded to the public cloud.
If public and private cloud solutions have configuration overlap, the private cloud analysis will prevail.
WildFire Appliance Cluster
Up to 20 WildFire appliances (WF-500) can form a WildFire appliance cluster on a single network.
Clusters are useful where the WildFire public cloud can not be used.
The larger clusters have better support for a larger firewall deployment on a single network over the capability a single WildFire appliance provides.
Wildfire clusters also provide fault tolerance, and a single signature package is provided to all firewalls connected to that cluster.
Encryption can be enabled on appliance clusters too, beginning with PAN-OS 8.1.
Encryption can be switched on to maintain confidentiality of transmitted content.
Clusters can be operated in a FIPS/CC environment where they are configured using FIPS/CC compliant certificates.
WildFire Analysis Profiles
WildFire analysis profiles are objects that are added to security profile rules that are configured with an action of “allow”.
WildFire analysis profiles are not required for security profile rules with the deny action, because no further processing is needed of traffic that will be dropped.
WildFire analysis profiles are applied to all packets during the life of a session.
WildFire analysis profiles represent additional security checks on files in allowed network traffic.
WildFire analysis profiles allow more granular control over allowed traffic.
An example is that the firewall can be configured to submit files to Wildfire only when a specific file type is matched, and they are transferred in a specific direction by a specific application.
Files submitted by WildFire are logged to Monitor -> Logs -> WildFire -> Submissions
The firewall contains a pre-defined, read only default WildFire Analysis Profile.
It can be customised by creating a new WildFire profile, or cloning the default profile and editing that clone.
The default profile rule sends all unknown files from any application allowed by the rule to the WildFire public cloud for analysis.
WildFire Reporting Overview
Each time the WildFire technology analyses a file or URL link, it reports its findings to the firewall.
The administrator can configure the information submitted to WildFire and the amount of information that is returned to the firewall in the report.
Information reported back to the firewall is recorded by the firewall in the WildFire submissions log.