Wall's Week - November 9th, 2018

L4 Transporter

Take a look at some of the new enhancements for Aperture, new features for Evident, and updates to Traps TMS. You can also review some helpful tips from Palo Alto Networks Live Community about QUIC Protocol, templates and resources, even setting up SSH on a non-standard port using certificate authentication.



New Aperture Enhancements

Enhanced Administrator Roles (RBAC). You may now customize admin roles vs. the built-in four previous admin roles. Aperture admins with a Super-Admin role may customize a role in a similar way as in PAN-OS. Each area of the UI may be regulated and assigned to specific roles. Each role can be granted various levels of applicable permissions (no access, view only, view+download, etc).


Also new is an application health status for Box and Google Drive. Sometimes, there are issues that can prevent Aperture from accessing an app or scanning data in that app. When this happens, Aperture can now display a warning to administrators in the UI that provides details. This can be seen in the “Settings” tab under “Cloud Apps & Scan Settings."



New Evident Features

Here is a snapshot of recent new features introduced in Evident.

  • Audit log export for Amazon SNS integration – you can now export Audit logs
  • Custom signatures for Azure – create security checks for services not natively available
  • New report search parameter – match multiple keywords in the Signature ID field
  • New Azure signatures – see the list here



Traps TMS October/November Update Enhancements

Like all of Palo Alto Networks SaaS applications, Traps TMS receives new features on a monthly basis. Here are the latest enhancements:

  • Automatic dump analysis on demand for exploit events
  • Mimikatz prevention
  • Lowering severity of hash override security events from “High” to “Low”
  • Examination of Office files on Network drives
  • Enhanced management for resolved events
  • Bulk security event status management

See the details for the October release here. November will be posted soon.



TIP: Best Practices for QUIC Protocol

QUIC (Quick UDP Internet Connections) is a protocol developed by Google. Many applications like Google, Gmail, and YouTube utilize QUIC and may cause disruption in your SSL Decryption implementation. The two best practices for dealing with QUIC are as follows:

  • Block QUIC by using the “quic” App-ID
  • Block service udp/443

Also, make sure you are at least upgraded on your content signatures to version 8080 or higher. For more information, see this article. See this knowledge base article for an example of proper blocking.



TIP: Templates and Resources

If you are looking for handy scripts, try our GitHub repository at https://github.com/PaloAltoNetworks. Here are few to check out:

  • Cloudticity wrote a couple of Lambda functions to update FW with LB IPs when they change. Another one implements a version of HA in AWS. See them here.
  • Dave Spears wrote a number of ARM templates to deploy FW into existing environments (not presently possible when deploying from Marketplace). Also included are some examples of LB sandwiches.
  • Patrick Glynn’s repository with various Azure templates (deploy FW to existing environments, LB sandwiches, Azure functions to update FW, etc.).
  • Keith Blackstone’s GitHUb repository with various ARM templates and examples of Ansible and TerraForm templates.
  • Dan Ward wrote a hardening script in Python that uses the API to update the FW. There are various utilities in there as well.
  • Marcus Butler wrote some Python codes for AWS that implement a form of HA.
  • Craig Stancill has written numerous scripts.



TIP: Setting up SSH on a Non-Standard Port Using Certificate Authentication

Check out this FUEL article to set up SSH on a non-standard port using certificate authentication and then permitting access through a Palo Alto Networks Next Generation Firewall (PA-220) to the destination server. The article covers the following items:

  • Setting up a second instance of SSH on a non-standard port number
  • Configuring SSH to require a certificate for authentication instead of a username and password
  • Configuring the firewall to allow the connection through that port
Ask Questions Get Answers Join the Live Community