Palo Alto Config 1
Palo Alto deployment steps:
1. Overview and design
· Management Port
· Internet Ethernet port
· L3 Port
· 802.1Q VLAN (sub-interface) port
· Console Port
· The most common PAN deployment is Layer 3 (the firewall routes between its interfaces); virtual wire, covered later, is the transparent alternative
· Default management IP address: 192.168.1.1
· Default login / password: admin / admin (change it at first login, before the management port is connected to a shared network)
2. Initial Access into PAN
3. Registering the PAN
· Device registration / Create account at Palo Alto Networks
· Serial # / Email address / Device name
· Activation key
4. Management Interface
· Ping the IP address you plan to assign to the management interface first and make sure nothing else already answers on it
· Set the management IP address / netmask / default gateway, then Commit
5. General Settings and Services
6. Security Zones
· Trust zone
· Untrust zone
· Lan zone
· Wan Zone
7. Virtual Routers
· Create the VR and attach the Layer 3 interfaces to it
· Check the routing table (More Runtime Stats on the VR) after each change
8. Interfaces
· Configure each interface per the network design
· Interface type Layer 3 (LAN and WAN)
· Add it to the VR
· Add it to a security zone
· Add a static IPv4 address
· Management interface profile: enable only the services that interface really needs (Ping, SSH, SNMP, HTTPS). Leave Telnet and HTTP off, they carry credentials in cleartext; on the WAN (untrust) interface allow ping at most, and if SSH/HTTPS must be reachable there, restrict them with the profile's Permitted IP Addresses list
· Attach the management profile to the interface on its Advanced tab
9. Static Routes
· Default static route: go to the VR > Static Routes
· Add the default gateway to the Internet
i. Destination: 0.0.0.0/0
ii. Next Hop: IP address of the ISP gateway (and the WAN interface)
iii. Check the routing table to confirm the route is installed
10. OSPF Routing
· Configure an IP address on each switch attached to the Palo Alto firewall (the interfaces that will run OSPF)
· Enable OSPF on the switches (Cisco IOS). The passive-interface commands belong under router ospf, so the sequence is:
i. configure terminal
ii. router ospf 2
iii. network 172.17.99.xxxxx0 0.0.0.7 area 0
iv. network 172.17.99.XXXX0 0.0.0.7 area 201
v. network 172.17.99.XXXX0 0.0.0.7 area 202
vi. passive-interface default /// no hellos on any interface unless listed below
vii. no passive-interface FastEthernet1/0/12 /// only the uplink to the firewall forms a neighbor
viii. end
ix. show ip ospf neighbor /// the firewall should appear in state FULL
· Notes: 0.0.0.7 is the wildcard mask for a /29 (8 addresses); areas 201 and 202 must connect to area 0 through this switch acting as ABR, otherwise a virtual link is needed
· Go to the VR
i. Enable OSPF
ii. Router ID (172.17.99.1 in these notes)
iii. Add Area ID (e.g. 0), type Normal, add the range, add the interface facing the switch with link type Broadcast, OK
iv. Add an OSPF authentication profile (MD5) and apply it on the interface, and configure the same key on the switch, so a rogue device on the segment cannot inject routes
v. Commit
vi. Confirm the OSPF neighbor and routes on the switch console
vii. Confirm in the VR routing table
viii. Go to VR > Redistribution Profile > Add profile > Redistribute > Static, destination 0.0.0.0/0 (this is what lets the firewall advertise its default route into OSPF)
ix. Go to VR > OSPF > Export Rules > Add > select the new redistribution profile > OK
x. Commit
xi. Go to the switch console and confirm 0.0.0.0/0 is now learned as an OSPF external route
xii. Done
11. Upgrading PAN-OS
· Check the current PAN-OS version (Dashboard > General Information)
· Export a backup of the running configuration before upgrading
· Device > Dynamic Updates > download and install the latest content update first; a PAN-OS release requires a minimum content version
· Device > Software > Check Now, or upload the image manually, then download and install
· The firewall reboots when a new version is installed
· Maintenance (sub-) versions also require a reboot
12. Network Address Translation (NAT) / PAT (Port Address Translation)
· Go to the Policies tab > NAT (NAT rules are policies, not objects)
· Provide a NAT rule name
· Original Packet: add the source zone (trust), destination zone (untrust), destination interface (the WAN interface) and source address (the LAN subnet)
· Translated Packet: source translation type Dynamic IP and Port
· Address type: Interface Address; select the WAN interface and its IP address
· Commit
· A NAT rule only translates; a matching security policy (trust to untrust) is still required. Security policy is matched on pre-NAT addresses and post-NAT zones, which matters when writing destination NAT rules later
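The Layer 3 deployment of sections 6 to 9 and the source NAT of section 12 (plus the trust-to-untrust security rule that section 13 below leaves empty) rendered as PAN-OS configure-mode `set` commands. This is an added example, not from the original post and not a Palo Alto Networks tool: the interface names, zone names and addresses are constructed, and the command syntax is my recollection of PAN-OS 9/10 configure mode, to be checked against the version in use before pasting it in.

```python
"""Render the Layer 3 deployment from these notes (sections 6 to 9, the NAT
rule of section 12 and the security rule section 13 leaves empty) as PAN-OS
configure-mode 'set' commands.  Added example: not from the original post and
not a Palo Alto Networks tool.  Interface names, zones and addresses are
constructed (RFC 5737 / RFC 1918 ranges).  The command syntax is my
recollection of PAN-OS 9/10 configure mode; check it against your version
before pasting it into 'configure' or pushing it through the XML API."""

# Constructed topology: ethernet1/1 faces the ISP, ethernet1/2 faces the LAN.
WAN = {"iface": "ethernet1/1", "zone": "untrust", "ip": "203.0.113.2/24", "gw": "203.0.113.1"}
LAN = {"iface": "ethernet1/2", "zone": "trust", "ip": "10.10.10.1/24", "subnet": "10.10.10.0/24"}
VR = "default"


def mgmt_profile_cmds(name, services):
    """Interface management profile enabling only the listed services (section 8)."""
    return [f"set network profiles interface-management-profile {name} {svc} yes"
            for svc in services]


def l3_interface_cmds(side, mgmt_profile, vr=VR):
    """Layer 3 interface: static IPv4, management profile, VR and zone membership."""
    i = side["iface"]
    return [
        f"set network interface ethernet {i} layer3 ip {side['ip']}",
        f"set network interface ethernet {i} layer3 interface-management-profile {mgmt_profile}",
        f"set network virtual-router {vr} interface {i}",
        f"set zone {side['zone']} network layer3 {i}",
    ]


def default_route_cmd(wan, vr=VR):
    """Default static route 0.0.0.0/0 via the ISP gateway (section 9)."""
    return (f"set network virtual-router {vr} routing-table ip static-route default "
            f"destination 0.0.0.0/0 interface {wan['iface']} nexthop ip-address {wan['gw']}")


def source_nat_cmd(lan, wan):
    """Dynamic IP and port (PAT) source NAT hiding the LAN behind the WAN address (section 12)."""
    return (f"set rulebase nat rules outbound-pat from {lan['zone']} to {wan['zone']} "
            f"source {lan['subnet']} destination any service any "
            f"source-translation dynamic-ip-and-port interface-address interface {wan['iface']}")


def security_rule_cmd(lan, wan):
    """Trust to untrust allow rule: App-ID on application-default ports, logged at session end."""
    return (f"set rulebase security rules users-to-internet from {lan['zone']} to {wan['zone']} "
            f"source any destination any application any service application-default "
            f"action allow log-end yes")


def deployment(wan=WAN, lan=LAN):
    """Complete command list, in the order the notes configure things."""
    cmds = []
    # WAN side gets ping only, so the public interface exposes no management service.
    cmds += mgmt_profile_cmds("wan-ping-only", ["ping"])
    cmds += mgmt_profile_cmds("lan-mgmt", ["ping", "ssh", "https"])
    cmds += l3_interface_cmds(wan, "wan-ping-only")
    cmds += l3_interface_cmds(lan, "lan-mgmt")
    cmds.append(default_route_cmd(wan))
    cmds.append(source_nat_cmd(lan, wan))
    cmds.append(security_rule_cmd(lan, wan))
    cmds.append("commit")
    return cmds


def no_cleartext_mgmt(cmds):
    """Guard before pushing: True unless some profile enables telnet or http."""
    return not any(c.endswith(" telnet yes") or c.endswith(" http yes") for c in cmds)


if __name__ == "__main__":
    cmds = deployment()
    assert no_cleartext_mgmt(cmds)
    print("\n".join(cmds))
```

Paste the printed lines into `configure` mode on the CLI and commit. The guard at the end is the same check the GUI steps leave to memory: nothing in the generated config may enable Telnet or HTTP management, whichever interface it lands on.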
13. Security Policies
14. Outbound SSL Decryption
15. URL Filtering
16. Global Protect (Client VPN)
17. Site-to-Site VPN Tunnel (VTI)
18. Guest Network
19. DHCP
20. Sending Logs to Syslog
21. SNMPv3
22. Netflow
23. File Blocking
24. Anti-Virus Blocking
25. Factory Default
26. BGP Routing
27. Captive Portal
28. User Identification using Active Directory (without Agent)
29. Dual Internet using Policy Based Forwarding
30. DoS Protection (Zone Protection)
31. Virtual Wire (Transparent Firewall)
32. High Availability (Active/Passive)
33. App-ID: Overview, Blocking Skype & BitTorrent Applications
34. Dynamic Block List
35. Vulnerability Protection (IPS)
· Mgmt. default route and DNS
o Use DNS 8.8.8.8 (Google) for the lab; in production point the management plane at the internal resolver so firewall lookups do not leave the network
· Configuring PAT (13 min)
· Exporting and Importing Configs (13 min)
· Licensing the NGFW Features (11 min)
· Upgrade a Firewall (15 min)
· App vs. Protocol & Port Security Policies (12 min)
· Destination NAT (15 min)
· App-ID Concepts
o App-ID identifies the application in the traffic regardless of port, so policy can be written per application; stopping zero-day exploits is the job of Threat Prevention and WildFire, not of App-ID by itself
o Block traffic according to policy (inbound / outbound)
o DNS = UDP port 53, HTTP = TCP port 80: port-based rules assume the port tells you what the traffic is
o Detects traffic tunneled over another application's port, e.g. UDP traffic tunneled through a TCP port
o Looks deeper into the packet than the headers
o Threat Prevention is integrated into the firewall; a separate IPS/IDS appliance is not required
o App-ID
§ Packet classification (ports involved)
§ Application signatures (properties / characteristics)
§ Decryption (a decryption policy makes the firewall an SSL forward proxy, i.e. an authorised man-in-the-middle, so the signatures and decoders can inspect TLS payloads)
§ Decoders (look inside the payload; detect tunneled traffic, e.g. an attacker moving UDP traffic over a TCP port)
§ Actions (block, allow, scan, QoS)
· Granular App Control Concepts
o Granular application control feature
o An application object may
§ Depend on another application (Facebook Chat depends on Facebook Base)
§ Implicitly use another application (web-browsing / SSL)
· Granular App Control Demonstration
o Add an application group
§ Add applications ping, HTTP, HTTPS, DNS, web-browsing, SSL
§ Add the security policy and reference the application group instead of individual applications
§ To allow another application, add it to the group or add another security policy that allows it
§ Rules are evaluated top-down, first match wins; the built-in interzone-default rule denies anything no rule allows (the intrazone-default rule allows traffic within a zone)
§ To see an application's dependencies, open the application (e.g. facebook-chat) and look at its values
· SSL Outbound Decryption (SSL Forward Proxy)
o Create a certificate on the firewall (Device > Certificate Management > Certificates)
§ Generate a new self-signed certificate with Certificate Authority checked
§ Mark it as Forward Trust Certificate: the firewall re-signs server certificates it could validate with this CA
§ Generate a second CA and mark it as Forward Untrust Certificate, so a server certificate the firewall cannot validate still produces a browser warning on the client instead of being silently re-signed by the trusted CA
§ Trusted Root CA is for CAs the firewall itself should trust when validating servers
o Export the forward-trust CA certificate (public certificate only, never the private key)
o Load it into the clients' Trusted Root CA store (GPO for domain machines)
o Set up the decryption policy (Policies > Decryption)
§ Add a decryption policy; add source and destination zones
§ Add URL categories, e.g. Social Media; action Decrypt, type SSL Forward Proxy
§ Financial and health sites should not be decrypted (liability and privacy); put a No Decrypt rule for the financial-services and health-and-medicine categories above the decrypt rules
o Verify from a client: the certificate the browser shows for a decrypted site is now issued by the firewall's forward-trust CA
· URL Filtering
o License and updates
§ Device > Licenses: check that URL filtering is active and its database is updated
o Create a URL filtering profile
o Objects > Security Profiles > URL Filtering
§ Add a URL filtering profile
§ Set categories, e.g. News to Alert, so hits are logged without blocking while the policy is being tested
o Attach it to the security policy rule
§ Edit the "Users going to Internet" rule
§ Apply the profile under Actions > Profile Setting
§ Commit
§ Test by browsing to a site in that category and checking the URL Filtering log
· Antivirus
o Update the antivirus signatures (Device > Dynamic Updates)
o Objects > Security Profiles > Antivirus
o Clone the default profile (the predefined profile cannot be edited)
o Adjust the cloned AV profile
o Apply it to the security policy under Actions > Profile Setting
· Vulnerability and Spyware Protection
o Objects > Security Profiles > Vulnerability Protection: clone default, add profile
o Objects > Security Profiles > Anti-Spyware: clone default, add profile
o Apply both to the security policy under Actions > Profile Setting; a profile does nothing until a rule references it
· LDAP and Authentication Profiles
o Create an LDAP server profile (Device > Server Profiles > LDAP)
§ Add the LDAP server IP address; port 389 with "Require SSL/TLS secured connection" uses StartTLS, port 636 is LDAPS. Do not bind in cleartext, the bind password would cross the wire
§ Bind DN = the full DN (or UPN) of a read-only service account, for example CN=svc-panldap,OU=Service,DC=corp,DC=example (an example name), not a bare username
§ LDAP connection verification
· Go to Device > User Identification > Group Mapping Settings > add a mapping with the server profile; if the Group Include List populates, the bind works
o Create an authentication profile
§ Add profile, type LDAP
§ Server list: the LDAP server profile above
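The cleartext-management caveat from the interface section, the any/any and logging points from the security-policy demonstration, the financial/health exclusion from the decryption section and the LDAP TLS requirement above are all things that can be checked mechanically in an exported configuration (section "Exporting and Importing Configs"). The audit below is an added example, not from the original post and not a Palo Alto Networks tool: the XML element names follow the running-config export layout as I know it and should be verified against an export from the PAN-OS version in use, and the embedded configuration is a constructed sample, not a real device's.

```python
"""Audit an exported PAN-OS running configuration for the weak settings these
notes warn about: cleartext management services on an untrust interface,
allow-any rules without logging, decrypt rules that do not spare
financial/health categories, and LDAP profiles that bind without TLS.
Added example: not from the original post and not a Palo Alto Networks tool.
Element names follow the running-config export layout as I know it; verify
against an export from your version.  SAMPLE_CONFIG is a constructed sample."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network>
 <interface><ethernet>
  <entry name="ethernet1/1"><layer3><interface-management-profile>mgmt-wan</interface-management-profile></layer3></entry>
  <entry name="ethernet1/2"><layer3><interface-management-profile>mgmt-lan</interface-management-profile></layer3></entry>
 </ethernet></interface>
 <profiles><interface-management-profile>
  <entry name="mgmt-wan"><ping>yes</ping><telnet>yes</telnet><http>yes</http><https>yes</https></entry>
  <entry name="mgmt-lan"><ping>yes</ping><ssh>yes</ssh><https>yes</https></entry>
 </interface-management-profile></profiles>
</network>
<vsys><entry name="vsys1">
 <zone>
  <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
  <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
 </zone>
 <rulebase>
  <security><rules>
   <entry name="users-to-internet"><from><member>trust</member></from><to><member>untrust</member></to>
    <application><member>any</member></application><service><member>any</member></service>
    <action>allow</action><log-end>no</log-end></entry>
  </rules></security>
  <decryption><rules>
   <entry name="decrypt-social"><category><member>social-networking</member></category><action>decrypt</action></entry>
   <entry name="decrypt-rest"><category><member>any</member></category><action>decrypt</action></entry>
  </rules></decryption>
 </rulebase>
 <server-profile><ldap>
  <entry name="corp-ad"><ssl>no</ssl><bind-dn>CN=svc-panuid,OU=Service,DC=corp,DC=example</bind-dn></entry>
 </ldap></server-profile>
</entry></vsys>
</entry></devices></config>"""

CLEARTEXT_SERVICES = ("telnet", "http")          # credentials cross the wire unencrypted
UNTRUSTED_ZONES = ("untrust", "wan")              # zone names used in these notes
SENSITIVE_CATEGORIES = ("financial-services", "health-and-medicine")


def members(node, path):
    """Text of every <member> under path, e.g. members(rule, 'application')."""
    return [m.text for m in node.findall(path + "/member")]


def audit(config_xml):
    """Return a list of human-readable findings (an empty list means clean)."""
    dev = ET.fromstring(config_xml).find("devices/entry")
    findings = []
    # 1. Management profile on an interface in an untrusted zone permitting telnet/http.
    profiles = {p.get("name"): p
                for p in dev.findall("network/profiles/interface-management-profile/entry")}
    zone_of = {}
    for zone in dev.findall("vsys/entry/zone/entry"):
        for ifname in members(zone, "network/layer3"):
            zone_of[ifname] = zone.get("name")
    for iface in dev.findall("network/interface/ethernet/entry"):
        name, zone = iface.get("name"), zone_of.get(iface.get("name"))
        prof = profiles.get(iface.findtext("layer3/interface-management-profile"))
        if prof is None or zone not in UNTRUSTED_ZONES:
            continue
        for svc in CLEARTEXT_SERVICES:
            if prof.findtext(svc) == "yes":
                findings.append(f"{name} (zone {zone}): profile {prof.get('name')} allows {svc}")
    # 2. Allow rules with application any + service any (port-only control) or no logging.
    for rule in dev.findall("vsys/entry/rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        if members(rule, "application") == ["any"] and members(rule, "service") == ["any"]:
            findings.append(f"security rule {rule.get('name')}: application any + service any")
        if rule.findtext("log-end") != "yes":
            findings.append(f"security rule {rule.get('name')}: log at session end disabled")
    # 3. A decrypt rule for category any with no no-decrypt rule above it for sensitive categories.
    spared = set()
    for rule in dev.findall("vsys/entry/rulebase/decryption/rules/entry"):
        cats = members(rule, "category")
        if rule.findtext("action") == "no-decrypt":
            spared.update(cats)
        elif "any" in cats:
            missing = [c for c in SENSITIVE_CATEGORIES if c not in spared]
            if missing:
                findings.append(f"decryption rule {rule.get('name')}: decrypts any category, "
                                f"no earlier no-decrypt for {', '.join(missing)}")
    # 4. LDAP server profile binding over cleartext (bind DN + password exposed on the wire).
    for ldap in dev.findall("vsys/entry/server-profile/ldap/entry"):
        if ldap.findtext("ssl") != "yes":
            findings.append(f"ldap profile {ldap.get('name')}: SSL/TLS not required")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a real export by reading the file into `audit()` instead of `SAMPLE_CONFIG`; the sample is built to trip every check once, which is what the ordering in check 3 relies on: a no-decrypt rule only counts if it sits above the decrypt rule in the rulebase, exactly as the firewall evaluates it.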
· Enable User-ID
o LDAP profile
o Group mapping
o User identification (Device > User Identification)
o User mapping
§ Enable User Identification on the internal zones only, never on the untrust zone
§ Server monitoring: add the domain controllers; the firewall reads their security event log (WMI / WinRM) to map IP addresses to users
§ Client probing (WMI probing of endpoints): leave it disabled. It sends the service account's credentials to any host that answers, so an attacker on the LAN can harvest them; Palo Alto Networks' own best-practice guidance is to keep it off
o Add server monitoring
§ Add the AD information; the service account needs only event-log reader rights, not domain admin
o Add group mapping
§ Server profile
§ Add groups
o Testing: Monitor > Traffic log, add the Source User column and check that users are resolved
o Add a security policy
§ Drop users who are not mapped to a domain account (unknown users)
· SSL VPN (GlobalProtect) Concepts
o PKI, CSR and certificate installation
o Profiles: LDAP and authentication
o New zone and interface for the VPN
§ Add a VPN zone
§ Add a tunnel interface for the VPN
o Gateway and portal configuration
o Client software
o Security policies
§ Define the traffic allowed between the VPN zone and the DMZ / inside zones
· Installing a CA Certificate
o Using a Microsoft CA server to issue a certificate to the Palo Alto
o Generate the CSR on the firewall (Device > Certificate Management > Certificates > Generate, signed by an external authority) so the private key never leaves the firewall
o Submit the CSR to the Microsoft CA; the signed certificate is generated there
o Export the issued certificate and import it into the Palo Alto against the pending CSR
o Download the CA certificate chain and the CRL
o Import the CA certificate as a trusted root CA certificate
· Create a VPN Zone and Tunnel Interface
o Create the VPN zone
§ Layer 3 zone
§ Enable User Identification
o Create the tunnel interface
§ Network > Interfaces > Tunnel tab
§ Add it to the virtual router
§ Add it to the VPN zone
· Configure a GlobalProtect Gateway and Portal
o Network > GlobalProtect > Gateways > Add
§ General
· Select the interface and an SSL/TLS service profile
· The service profile references the certificate on the PA (add it and select the certificate you want to use)
§ Client configuration
· Tunnel settings: enable tunnel mode and select the tunnel interface
· Network settings
· IP pool: the addresses handed to clients for the VPN connection (a separate logical network)
· Access routes: the subnets the clients reach through the tunnel (anything else goes out the client's local connection, i.e. split tunneling)
· Network services (DNS servers for the clients)
o Network > GlobalProtect > Portals
§ Add a new GP portal
§ Add an agent config
· Connect method: on-demand or user-logon
· Agent configuration
· External gateway: the firewall's public IP address or FQDN
· Trusted root CA certificate
· Clients and Security Policies for GlobalProtect
o Device > GlobalProtect Client > Check Now
§ Download the GlobalProtect agent package
§ Activate it (clients then download the agent from the portal)
o Security policy
§ Add a policy for GlobalProtect portal / gateway access
· Source zone: outside (untrust)
· Destination zone: outside (the zone of the interface the portal and gateway listen on; security policy uses the post-NAT zone)
· Applications: ssl, panos-global-protect, panos-web-interface (check the dependencies)
· Log at session end
§ Add a policy for VPN users
· Interzone policy
· Source zones: Inside / DMZ / VPN
· Destination zones: Inside / DMZ / VPN
· Application any to begin with; tighten it to the applications users actually need once the traffic log shows them
· Allow
o Client connect
· Testing
· Site-to-Site IPsec VPN overview (8 min)
· Config IPsec on PA FW (15 min)
· Cisco IOS as VPN Peer (11 min)
· Zone Protection Profiles
o Stop: flood attacks (SYN, UDP, ICMP, other IP), reconnaissance (TCP/UDP port scans, host sweeps) and packet-based attacks (spoofed or malformed IP, fragments)
§ Create the zone protection profile (Network > Network Profiles > Zone Protection)
§ The action for each check (alert, drop, block IP) is set in the profile
§ Attach the profile to the zone (Network > Zones), not to a security rule; it applies to traffic entering that zone
§ Test with large pings from the protected side, ping -l <size>
· ping -l 900 8.8.8.8 (Windows; -l sets the payload size)
· 802.1Q & Sub-Interface Concepts
o Use a switch that can do 802.1Q tagging
o Use a trunk to carry the (intranet) VLAN traffic to the firewall, since the firewall does not have many physical ports
o L3 sub-interfaces, one per VLAN (e.g. Guest / Internal)
o A separate VLAN can be used to carry guest traffic
· Implement L3 Sub-Interfaces
o Create the L3 parent interface
§ Add a sub-interface
§ Set the 802.1Q tag to the VLAN ID (conventionally the sub-interface number is the same)
§ Add an IPv4 address
§ Add a new security zone for that VLAN
§ Add a NAT policy for the new zone
· Verify L3 Sub-Interfaces
o Verify the sub-interface traffic
o Wireshark on the trunk can be used to confirm the VLAN tags on the sub-interface traffic
· Interface Management Profiles
o Create the interface management profile (Network > Network Profiles > Interface Mgmt)
o Go to Advanced in the Ethernet interface to attach the profile
o Apply the profile to the interfaces that need it
· Captive Portal
o LDAP Profile
o Authentication Profile
o Certificates
o Enable User-ID on Zones
o Captive Portal Setting
o Captive Portal Policy
o Enable Response Pages
· HA Concepts
o Modes:
§ Active / Passive
§ Active / Active
o HA links
§ HA1, control link
· Heartbeats (ICMP pings)
· Hello messages
· Link monitoring
· Configuration and state information
· User-ID information
· HA state
§ HA2, data link
· Session table
· IPsec SAs
· ARP / address resolution tables
o Failover triggers: missed heartbeats / hellos, link monitoring, path monitoring
o Prerequisites: same model, same PAN-OS version, same interfaces, and the same licenses on both firewalls
o The management port can also be used as HA1 (same VLAN)
o Any data port set to type HA can be used as HA2 (same VLAN)
· HA Implementation
o Licenses
· Panorama
o Register the serial number
o Install the image
o Assign the management IP address at the CLI: set deviceconfig system ip-address / netmask / default-gateway, then commit
o Connect over HTTPS
o On the Palo Alto firewall: Device > Setup > Panorama Settings (Panorama server address)
o Panorama server: set up serial number, DNS, updates
o Panorama server: add the managed devices' serial numbers
o Panorama server: add a device group
o Panorama server: add policies as pre-rules (evaluated before the device's local rules) and post-rules (after them)
o Panorama server: commit to Panorama, then push to the device group
· File Blocking
o Create a file blocking profile (object): define file type / action / direction
o Create a new policy or add the profile to an existing one (e.g. "Users going to Internet") under Profile Setting
· WildFire, Data Filtering and DoS Profiles
o Additional security profiles
§ WildFire profile:
· Add a WildFire Analysis security profile object
· Define name / analysis location / application / file types / direction
· Add it to a policy as a profile or create a separate policy
· WildFire deployment (sandbox service)
o Private cloud (WF-500)
o Public cloud
o Hybrid cloud
§ Data filtering: PII (Personally Identifiable Information), e.g. SSNs
· Add a data filtering pattern
· Define application / file types / direction
· Add it to a policy as a profile or create a separate policy
§ DoS protection
· Add a DoS protection profile
· Very important for DoS protection: a separate policy (Policies > DoS Protection) that only does DoS, so the thresholds apply regardless of what the security rules allow
· Dynamic Routing
o When the same prefix is learned from several sources, the Palo Alto picks the route with the lowest administrative distance
o All settings are done in the virtual router
o Palo Alto supports the following:
§ RIPv2
§ OSPF / OSPFv3
§ BGP
§ Static routes
o See the routing table on the virtual router
· The Parka Principle
· Custom Application:
o Use Wireshark to capture the traffic and find a distinctive data pattern
o Objects > Applications
o Add a new application
§ Name the app
§ Define its properties
· Category
· Subcategory
§ Advanced: check Data Pattern
§ Add default ports
§ Define the signature
· Add a new signature
· Check Ordered Condition Match
· Add conditions
· Add the pattern type (context), e.g. packet header or file-java-body
· Add the pattern
o Add a policy accordingly and allow the custom application as required