Ignite'18 Wrap Part 2 - Answer the orphaned questions and bag some swag

by 3 weeks ago - last edited 3 weeks ago (2,156 Views)


A couple of weeks ago I posted a blog, Ignite'18 Wrap - Answer the orphaned questions and bag some swag, and we were lucky enough to get almost all of the first round of questions answered, which is great!


In case you missed all the questions and answers from Ignite18, please check it out here:


I told you before that I had more leftover (orphaned) questions from the "Great Wall of Knowledge" or, for those who saw it at Ignite, the "Shark wall". And because the first round was popular, we are posting up a Part 2.



The rules are simple: If you're able to provide the first correct answer, we will reward you with some Palo Alto Networks swag. Perhaps something from the booth, or a surprise. We are going to keep it a secret until the winners are announced.

Note: when you answer, please include the question # you are answering.



Here are the next 4 vetted questions:

  1. What is the CLI command for adding a blackhole route?
  2. Can Palo Alto Networks firewall be registered as a member server in an Active Directory, so it can use MSA (Managed Security Account)? OR is there any other way to use MSA?
  3. Is there a way to get more information on SSL Decrypt issues or blocks without logging into the Firewall or Panorama?
  4. How to implement GlobalProtect using U7A machine certificate?

As always, please don't be shy... answer away and maybe you can win something.


Stay Secure!

Joe Delio

End of line.

by Quinn
3 weeks ago - last edited 3 weeks ago

... oops...

2 weeks ago

If anyone is up to the challenge, I can provide a hint that the reward may or may not be anything that you could drink liquids out of... :)

by jvalentine
2 weeks ago

3.) Each application will behave differently if it is incompatible with SSL decryption.  Some applications will complain about mismatching SSL certificates, while other applications will fail without providing a reason or even notifications.  Your users will complain that things don't work, but it's highly likely that they'll be able to give you enough information to determine whether or not SSL decryption is the culprit.  


The firewall logs are your first line of defense regarding SSL-related failures.  After that you're looking at packet captures.  


If you don't want to/are unable to log in to the firewall or to Panorama to investigate, then the only other way to view the logs that will tell you if you're experiencing decryption-related issues will be through the use of log-forwarding.  In your case, where you're interested in a subset of logs with indicators that may point to SSL decryption issues, you'll want to look at the "filtered log-forwarding" feature.  Once you filter for the "interesting" logs, the firewall can then forward those logs to a specific destination, be it syslog servers, e-mail addresses, snmp trap receivers, or any SaaS-based communications/logging platform that accepts HTTPS/SSL-based API calls (such as Slack), etc.


So, which logs are "interesting"?  All traffic logs include a session-end reason.  Some of those reasons clearly point to a decryption-related issue:

 - decrypt-cert-validation

 - decrypt-unsupport-param

 - decrypt-error


Some are a little more cryptic:

 - resources-unavailable (if your decryption profile has a failure check that blocks sessions if resources are unavailable)


Unfortunately, these other two reasons can (but do not always) indicate decryption-related issues:

 - tcp-rst-from-client (more likely in my experience)

 - tcp-rst-from-server (less likely)


One of those log-forwarding destinations could be the Palo Alto Networks' Logging Service, which would ultimately allow you to access that data via the Application Framework.  You (or your VAR, or an enterprising individual) could write an application that lives inside the framework and takes action when certain conditions are met.  
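The triage the answer above describes, as an added example that is not part of the original post or any Palo Alto Networks tool: it reads a constructed CSV export of traffic logs (the column names are an assumption about the export format) and sorts rows by how strongly their session-end reason points at decryption. The extra check that the tcp-rst reasons only count on TLS sessions (App-ID "ssl" or port 443/8443) is my addition, not something the answer states.

```python
import csv
import io
from collections import Counter

# Session-end reasons that clearly point at decryption (from the answer above).
DEFINITE = {"decrypt-cert-validation", "decrypt-unsupport-param", "decrypt-error"}
# Only a decryption symptom if the decryption profile blocks on resource exhaustion.
CONDITIONAL = {"resources-unavailable"}
# Can indicate a decryption problem but often do not; only worth a look on TLS sessions.
POSSIBLE = {"tcp-rst-from-client", "tcp-rst-from-server"}

# Constructed sample: a CSV export of traffic logs with a header row. The column
# names are an assumption about the export, not taken from the page.
SAMPLE_CSV = """Receive Time,Source,Destination,Destination Port,Application,Session End Reason
2018/10/20 10:00:01,10.1.1.5,203.0.113.10,443,ssl,decrypt-cert-validation
2018/10/20 10:00:02,10.1.1.6,203.0.113.11,443,ssl,tcp-rst-from-client
2018/10/20 10:00:03,10.1.1.7,203.0.113.12,80,web-browsing,tcp-rst-from-client
2018/10/20 10:00:04,10.1.1.8,203.0.113.13,443,ssl,resources-unavailable
2018/10/20 10:00:05,10.1.1.9,203.0.113.14,443,ssl,tcp-fin
2018/10/20 10:00:06,10.1.1.5,203.0.113.15,8443,ssl,decrypt-error
"""

def classify(row):
    """Return 'definite', 'conditional', 'possible' or None for one traffic-log row."""
    reason = row["Session End Reason"]
    if reason in DEFINITE:
        return "definite"
    if reason in CONDITIONAL:
        return "conditional"
    # Resets on plain-HTTP sessions are unrelated to decryption; assume TLS shows
    # up as App-ID "ssl" or a destination port of 443/8443 (my assumption).
    is_tls = row["Application"] == "ssl" or row["Destination Port"] in ("443", "8443")
    if reason in POSSIBLE and is_tls:
        return "possible"
    return None

def triage(csv_text):
    """Group interesting rows by verdict; 'possible' is for follow-up, not for alerting."""
    buckets = {"definite": [], "conditional": [], "possible": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row)
        if verdict:
            buckets[verdict].append((row["Source"], row["Destination"], row["Session End Reason"]))
    return buckets

def noisiest_sources(buckets):
    """Hits per source across all buckets: a host repeatedly hitting decrypt-* reasons is the one to call first."""
    return Counter(src for rows in buckets.values() for src, _, _ in rows)

if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for verdict, rows in result.items():
        print(verdict, rows)
    print(noisiest_sources(result).most_common())
```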

by jvalentine
2 weeks ago

1.) I don't believe there's a "null" routing construct in PAN-OS.  The only two areas where "null" jumps out are in relation to tunnels (null-encrypted tunnel) or in configuring OSPFv3 (null-encrypted authentication).  


admin@pa0-black_knight(active)# find command keyword null
set network tunnel ipsec <name> manual-key esp encryption algorithm <des|3des|aes-128-cbc|aes-192-cbc|aes-256-cbc|null>
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp encryption algorithm <3des|aes-128-cbc|aes-192-cbc|aes-256-cbc|nul


One option is to configure an unnumbered dummy tunnel interface and point the route to that interface with the next-hop set to "none" (or more appropriately, not configuring a next-hop in the first place).  Using tunnel.11 as an example:


set network virtual-router <name> routing-table ip static-route <name> destination <ip/netmask> interface tunnel.11 


Another option would be to set the nexthop for a particular route to "discard".  Those CLI commands are:


set network virtual-router <name> routing-table ip static-route <name> destination <ip/netmask> nexthop discard



Two "pro-tips" to help you discover a specific CLI command: a.) log in to the CLI, go to configure mode, and use "find command keyword <term>" - that will show you CLI commands that include the word <term>. b.) Make a sample configuration change in the GUI, and then look for the structure within the CLI using a modified "config-output-format" view of the configuration. For example, if I had a static-route named "blackhole", here's how I would identify the associated CLI command:


admin@pa0-black_knight(active)> set cli config-output-format set
admin@pa0-black_knight(active)> configure
Entering configuration mode
admin@pa0-black_knight(active)# show | match blackhole
set network virtual-router VirtualRouter1 routing-table ip static-route blackhole destination
set network virtual-router VirtualRouter1 routing-table ip static-route blackhole interface tunnel.11
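An added example, not from the original post or from PAN-OS itself: it parses set-format "show" output like the lines above (a constructed sample with made-up route names and prefixes) and reports which static routes drop traffic, covering both forms the answer gives, "nexthop discard" and a next-hop-less route to a dummy tunnel interface. Which interfaces count as dummies is an assumption; tunnel.11 follows the answer.

```python
import re
from collections import defaultdict

# Constructed sample of "show" output in set format; names and prefixes are made up.
SAMPLE_CONFIG = """
set network virtual-router VirtualRouter1 routing-table ip static-route blackhole destination 192.0.2.0/24
set network virtual-router VirtualRouter1 routing-table ip static-route blackhole interface tunnel.11
set network virtual-router VirtualRouter1 routing-table ip static-route drop-bogon destination 198.51.100.0/24
set network virtual-router VirtualRouter1 routing-table ip static-route drop-bogon nexthop discard
set network virtual-router VirtualRouter1 routing-table ip static-route default destination 0.0.0.0/0
set network virtual-router VirtualRouter1 routing-table ip static-route default nexthop ip-address 10.0.0.1
set network virtual-router VirtualRouter1 routing-table ip static-route default interface ethernet1/1
"""

# virtual-router name, route name, attribute keyword, optional value.
ROUTE_RE = re.compile(
    r"^set network virtual-router (\S+) routing-table ip static-route (\S+) (\S+)(?: (.*))?$"
)

def parse_static_routes(config_text):
    """Collect each static route's attributes, keyed by (virtual-router, route name)."""
    routes = defaultdict(dict)
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        vr, name, attr, value = m.groups()
        routes[(vr, name)][attr] = value
    return dict(routes)

def blackhole_routes(routes, dummy_interfaces=("tunnel.11",)):
    """Routes that drop traffic: 'nexthop discard', or no next-hop on a dummy interface.
    dummy_interfaces is an assumption about the deployment; tunnel.11 follows the answer."""
    found = {}
    for key, attrs in routes.items():
        nexthop = attrs.get("nexthop")
        if nexthop == "discard":
            found[key] = (attrs.get("destination"), "discard")
        elif nexthop is None and attrs.get("interface") in dummy_interfaces:
            found[key] = (attrs.get("destination"), attrs["interface"])
    return found

if __name__ == "__main__":
    for (vr, name), (dest, how) in blackhole_routes(parse_static_routes(SAMPLE_CONFIG)).items():
        print(f"{vr}/{name}: {dest} -> {how}")
```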
