topic Re: PenTest GlobalProtect Subnet in GlobalProtect Discussions

PenTest GlobalProtect Subnet

popoymaster — Fri, 26 May 2023 13:26:34 GMT

Hello,

Our Palo GP is setup inside Azure - and it is working and serving its purpose. GP can reach everything, but not the other way around.

We can't ping GP Clients, we can't RDP to them, any traffic destined to GP Subnet has literally no logs at all.

Looking for some expert advice. Thanks in advance.

Re: PenTest GlobalProtect Subnet

Raido_Rattameister — Fri, 26 May 2023 14:00:12 GMT

Traffic log in 10.29.2.4 firewall shows pen tester traffic going to tunnel.1 towards GlobalProtect client?

If yes and you don't get any replies it means Windows firewall is dropping incoming traffic.

Re: PenTest GlobalProtect Subnet

Raido_Rattameister — Fri, 26 May 2023 14:04:10 GMT

Traffic log in 10.29.2.4 firewall shows pen tester traffic going to tunnel.1 towards GlobalProtect client?

If yes and you don't get any replies it means Windows firewall of the GlobalProtect client is dropping incoming traffic.

Re: PenTest GlobalProtect Subnet

TomYoung — Sat, 27 May 2023 17:47:58 GMT

Hello @popoymaster ,

Do you have a security rule allowing traffic to your GP zone?

If you do not see logs, it may be because you have not enabled logging on your interzone-default rule which drops all traffic not matched by any rules. Click on the interzone-default rule; click Override; select Log at Session End; and click Ok. Commit.

Thanks,

Tom

Re: PenTest GlobalProtect Subnet

popoymaster — Sun, 28 May 2023 05:18:48 GMT

This actually works! Traffic is dropped by the interzone-default rule.

Ok, so we have 2 palo alto firewalls;

1. On-prem with site-to-site tunnel to azure native vpn gateway
2. The other one is dedicated for GP.

Now, GP palo can reach the GP clients, thanks to you i allow interzone comms.

Problem now is, our on prem palo can reach all the interfaces Eth1 Untrust, Eth2 Trust of the GP FW but not the GP subnets. And this time, no logs at all.

Additionally, GP clients can reach the on-prem palo and subnets inside it.

Re: PenTest GlobalProtect Subnet

TomYoung — Sun, 28 May 2023 13:38:28 GMT

Hi @popoymaster ,

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?
Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?
Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?
What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

Thanks,

Tom

Re: PenTest GlobalProtect Subnet

popoymaster — Tue, 30 May 2023 15:34:35 GMT

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?
- YES! Azure NGFW's management and GP subnets are pointing to tunnel.
[cid:image001.png@01D992EA.9FD5C5D0]

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?
- YES! Bi-directional.

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?
- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs - this should capture anything not matched right?

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?
- I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.
[cid:image002.png@01D992EA.9FD5C5D0]

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.
[cid:image003.png@01D992EA.9FD5C5D0]

Re: PenTest GlobalProtect Subnet

popoymaster — Tue, 30 May 2023 15:37:48 GMT

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?

- YES! Azure NGFW’s management and GP subnets are pointing to tunnel.

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?

- YES! Bi-directional.

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?

- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs – this should capture anything not matched right?

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

- I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.

Re: PenTest GlobalProtect Subnet

popoymaster — Tue, 30 May 2023 15:48:25 GMT

PING from Azure NGFW works but not from the Onprem NGFW.

Re: PenTest GlobalProtect Subnet

popoymaster — Tue, 30 May 2023 15:50:21 GMT

Hi Tom,

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?

- YES! Azure NGFW’s management and GP subnets are pointing to tunnel.

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?

- YES! Bi-directional.

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?

- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs – this should capture anything not matched right?

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

- I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.

Re: PenTest GlobalProtect Subnet

popoymaster — Tue, 30 May 2023 15:51:16 GMT

Hi Tom,

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?

- YES! Azure NGFW’s management and GP subnets are pointing to tunnel.

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?

- YES! Bi-directional.

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?

- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs – this should capture anything not matched right?

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

- I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.

Re: PenTest GlobalProtect Subnet

popoymaster — Tue, 30 May 2023 15:54:08 GMT

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?

- YES! Azure NGFW’s management and GP subnets are pointing to tunnel.

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?

- YES! Bi-directional.

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?

- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs – this should capture anything not matched right?

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

- I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.

Re: PenTest GlobalProtect Subnet

popoymaster — Tue, 30 May 2023 15:55:23 GMT

Do you have a route on the on-prem NGFW to the GP subnet that points to the tunnel?

- YES! Azure NGFW’s management and GP subnets are pointing to tunnel.

Re: PenTest GlobalProtect Subnet

popoymaster — Tue, 30 May 2023 15:55:34 GMT

Do you have a rule on the on-prem NGFW that allows traffic to the GP subnet?

- YES! Bi-directional.

Re: PenTest GlobalProtect Subnet

popoymaster — Tue, 30 May 2023 15:55:45 GMT

Do you have a rule on the Azure NGFW that allows traffic to GP for S2S VPN?

- On-prem NGFW tunnels with Azure Native VPN Gateway. I enabled the intra and interzone loggs – this should capture anything not matched right?

Re: PenTest GlobalProtect Subnet

popoymaster — Tue, 30 May 2023 15:56:07 GMT

What do the traffic logs show on the on-prem and Azure NGFWs for the pings that fail?

- I can see the traffic going out of On-prem NGFW but not arriving at Azure NGFW. Ping test to interfaces logged and worked but not to the GP Subnet.

Azure NGFW only sees traffic going to the interfaces, but not destined to GP subnet.