Trick or Treat! Reaper's Halloween challenge

by Community Manager ‎10-18-2017 07:52 AM - edited ‎10-25-2017 12:02 AM (29,302 Views)

Halloween is at our doorstep and this happens to be my favorite time of year (being the 'reaper' and all). I usually spend my days collecting souls and answering questions in the Live Community Discussion Forum or KB articles.




With Halloween marking the start of the end of the year festivities, things usually start to wind down a little, so this is the perfect time to challenge the community to do something creative!


Don't worry, it does not need to be in the Halloween theme necessarily, but i will award extra points if you manage to do something spooky!


Here's the setup: a little while ago there was this event called Ignite2017 where we organized a hackathon challenging people to code extraordinary stuff. At that event @vsathiamoo and @dhshah integrated an Amazon Alexa with a Palo Alto Networks firewall


Here's a little video to get you started:


The challenge: show us your skills and create something that's a fun way of integrating with the firewall (or panorama or any other Palo Alto Networks product), or simply stick to the Halloween theme and send us a scary picture or video of yourself and/or your firewall.


Bonus points go to anything that actually works and you are willing to share your work with the community

 - videos to show off your creation but not sharing your code are fine!

 - funny spoofs are permitted (and are encouraged)

 - I will also accept funny pictures of your firewall dressed up in Halloween attire


The reward:

In a couple of weeks we'll select the best entry and the funniest entry: these community members will be the recipients of our coveted, limited edition Live Community hoodie !!


Every participant also gets a little something to brag with, a cool badge to their profile! :)

jack-o-lantern-badge-17.pngThe Live Spooky 2017 badge !




Best of luck, Reaper out!


by Community Manager
on ‎11-02-2017 04:41 AM

Just a reminder what's at stake :)


by SKye_Hodges
on ‎12-06-2017 10:10 AM

Where exactly do we "enter" --Are there no entries yet, or?

by Community Manager
on ‎12-06-2017 10:54 AM

Hi @SKye_Hodges!


Right here! Unfortunately not many people seemed excited to do something challenging or silly, but I will keep finding new reasons to challenge people to do something out of the ordinary :)


If you're up for it, I will still accept your entry (and use your contribution as marketing for the next event ;) )

And unless someone else shows up to challenge you for the title, it's kind of a de facto win ;)

by SKye_Hodges
on ‎12-06-2017 11:21 AM

Well, ok, here's my "Posessed" PA :) 2017-12-06 11.13.41.jpg


by Peadard
on ‎12-06-2017 04:03 PM

Here is a Power BI desktop I created to display the incoming Threats logged by the firewall using Syslog SQL and Power BI.

Its interactive adn you can drilld down for further details.


by RamonH
on ‎12-07-2017 07:46 AM

Hey Reaper ... are you still accepting entries for this?  when is the deadline (is there a deadline) when you will no longer receive entries?





on ‎12-07-2017 10:26 AM


I don’t know about everyone else’s experiences but every time that I enable SSL inspection in an environment users complain that specific sites are broken.  I wanted to come up with a way that I could proactively fix these issues before they occur based on the traffic in the environment.  So I made this beast … and really it is a beast. 


What this does is collects the URL logs from production firewalls, and then tests connectivity through SSL inspection for every unknown https request.  If it receives the typical "Encountered end of file" error than it assumes that there is an issue with connectivity.  The URLs are logged to a database where status can be updated.  This database also feeds a web grid where admins can test pages and change status of a host or domain.  The status’ of the URLs in the database are then used to create a dynamic list which is picked up by MineMeld and finally read by PaloAlto.


This project is far from secure, efficient, or even pretty, so go ahead and flame I don’t care.  It was written in a few hours due to my timeline at the time.  If anyone wants to pick this up and write it properly, be my guest.



  • As mentioned above this is NOT secure in any way, use at your own risk
  • Linux config is very poor and insecure
  • Needs PANOS 8+ (dynamic URL lists)
  • Expected that MineMeld is already installed and operational
  • Assumes SSL Inspection is already setup for the linux machine being built

Uses code from:


Linux Build

  • Create a new virtual host
  • I built off CentOS-7-x86_64-Minimal-1708.iso
  • Install the minimum of the OS
  • Configure hostname and network settings during install

Commands from VM Console window (assuming you log in as root)

  • Systemctl disable firewalld
  • Vi /etc/sysconfig/selinux
    • Change line to show


  • Systemctl enable sshd
  • Reboot

SSH Commands (assuming you log in as root)

  • Connect (ssh) to your host
  • Yum update
  • Yum install psmisc net-tools ca-certificates mariadb mariadb-server httpd php php-mysql
  • Systemctl enable httpd
  • Systemctl start httpd
  • Systemctl enable mariadb
  • Systemctl start mariadb
  • Mkdir /var/log/PAN
  • Vi /etc/rsyslog.conf
    • Add the lines in the RULES Section. Replace 'fw-' with 'the beginning of the hostname for your firewall'

$template PAN,"/var/log/PAN/%fromhost%/%$YEAR%-%$MONTH%-%$DAY%.log"

if ($fromhost startswith 'fw-') then ?PAN

& stop


  • Uncomment the following line depending on if you want to use UDP or TCP

$ModLoad imudp

$UDPServerRun 514

$ModLoad imtcp

$InputTCPServerRun 514


  • systemctl restart rsyslog
  • netstat -antup | grep 514
    • make sure that rsyslogd is listening on either UDP or TCP
  • SCP documents to /var/www/html/
    • Chown -R apache:apache *
  • Mysql
    • grant all on *.* to root@localhost identified by "password";
    • create database db_url;
    • grant all on db_url.* to pans_ssl@localhost identified by "password";
    • use db_url;

create table main (unique_ID int not null primary key auto_increment,

time_Accessed datetime,

time_Checked datetime,

url varchar (255),

domain varchar (255),

blanket_Domain varchar (255),

return_HTTP_Code varchar (15),

url_Category varchar (255),


blanket_Approved BOOLEAN NOT NULL DEFAULT 0);


  • exit

PAN Syslog Forwarding

  • Log into the PaloAlto Web Interface
  • Device Tab -> Server Profiles -> Syslog
    • Name: PANs_SSL
    • Servers:
      • Name: PANs_SSL
      • Syslog Server: IP address of the box
      • Transport: TCP
      • Port: 514
      • Format: BSD
      • Facility: Log_User
    • Objects Tab -> Log Forwarding
      • Click “Add”
      • Name: PANs_SSL
      • Click “Add”
        • Name: PANs_SSL
        • Log Type: URL
        • Under Syslog click “Add” and select “PANs_SSL”
        • Click “OK”
        • Click “OK”
      • Policies Tab -> Security
        • Find the rule allowing outbound SSL access and open it
          • Actions tab
            • Log Settings
            • Log at Session end (selected)
            • Log Forwarding: PANs_SSL
          • Commit changes
          • Check on the PANs_SSL box and logs should start appearing under /var/log/PAN/

Bot Setup

  • SCP bot directory and files to /root
  • Get the trusted root CA used for SSL Inspection and copy it to /etc/pki/ca-trust/source/anchors/
  • update-ca-trust force-enable
  • Test the installation of the cert
    • Curl
    • If you get the webpage HTML than you are good
    • If you see this you are pooched:
      • curl: (60) Peer's certificate issuer has been marked as not trusted by the user.

More details here:


curl performs SSL certificate verification by default, using a "bundle"

 of Certificate Authority (CA) public keys (CA certs). If the default

 bundle file isn't adequate, you can specify an alternate file

 using the --cacert option.

If this HTTPS server uses a certificate signed by a CA represented in

 the bundle, the certificate verification probably failed due to a

 problem with the certificate (it might be expired, or the name might

 not match the domain name in the URL).

If you'd like to turn off curl's verification of the certificate, use

 the -k (or --insecure) option.


  • Vi /etc/php.ini
    • Change line 705 to:

include_path = ".:/php/includes:/root/bot/lib"


  • Crontab -e

30 00 * * * /root/bot/

0,30 * * * * /root/bot/

0,10 * * * * php /root/bot/sqlmaintenance.php


  • Chmod +x /root/bot/
  • Chmod +x /root/bot/


  • Log in to your MineMeld web interface
  • Click Config on the top bar
  • Scroll to the bottom and click the hamburger button
  • Select a miner based on the minemeld.ft.http.HttpFT class (I chose blocklist_de.sip)
  • Click new
    • Name: PANs_SSL
    • Devel Status: Experimental
    • Description: Whatever you want
    • Indicator Types: domain
    • Tags: confidenceHigh ShareLevelGreen
    • Config:


    confidence: 100

    share_level: green

    type: domain

ignore_regex: ^#

interval: 1800

source_name: PANs_SSL

url: http://x.x.x.x/dynamic_ssl


  • Config -> go to bottom of page -> eye -> +
    • Name: PANs_SSL
    • Prototype: minemeldlocal.PANs_SSL
    • Inputs: none
    • Click OK
  • Click Commit
  • Wait until everything is done
  • Config -> go to bottom of page -> eye -> +
    • Name: PANs_SSL_Output
    • Prototype: stdlib.feedHCWithValue
    • Inputs: PANs_SSL
    • Click OK
  • Click Commit
  • Wait until everything is done
  • Click Nodes
  • Your new dynamic URL list is available at https://minemeld.domain.local/feeds/PANs_SSL_Output

Configure Dynamic URL list

  • Log in to the PaloAlto Web Interface
  • Objects Tab -> External Dynamic Lists -> add
    • Name: PANs_SSL
    • Type: URL List
    • Description: Whatever you want
    • Source: URL to the dynamic list on MineMeld
    • Server Authentication: None
    • Repeat: Daily
  • Policies Tab -> Decryption -> Pre or Post Rules -> add
    • General Tab
      • Name: PANs_SSL
      • Description: Whatever you want
    • Source Tab
      • Source Zone: Inside
      • Source Address: any
      • Source User: any
    • Destination
      • Destination Zone: Public
      • Destination Address: any
    • Service/URL Category
      • Service: https
      • URL Category: PANs_SSL
    • Options Tab
      • Action: No Decrypt
      • Type: SSL Forward Proxy
      • Decryption Policy: None
    • Target Tab
      • Any

Admin Interface

Admin Interface Definitions

  • URLs – These are what was picked up as potentially problematic. All URLs that show IP addresses I just delete as this will most likely mess things up.
  • Domain – The entry that will be put in the dynamic list.
  • Blanket Domain – The domain that will be put after an *. to cover multiple subdomains.
  • Category – URL category assigned by Palo Alto.
  • Error – the URL status in the database
    • OK – The URL is accessible through SSL
    • Error – The bot found an error
    • False+ - The bot’s results are incorrect
    • Ignore – Set the web page to ignore the URL and not show it
    • Unchecked – Status is used to trigger the bot to attempt to access the page
  • Approved – The domain is approved to be placed on the dynamic list
  • Blanket Approved – The string *.[blanket domain] is approved to be put on the dynamic list.
    This also will automatically add any new [host].[blanket domain] record in the future.
  • SAVE – ALWAYS CLICK SAVE! This is what initiates SQL requests and commands.




My (very poor) code is available (for a limited time) here

Also includes a docx with this post in case any special characters were removed or formatting was changed

by Community Manager
on ‎12-07-2017 01:39 PM



So, since we have a sudden surge of participants I will be extending the deadline to December 31st!

If you still want to submit your entry and get a chance to win one of the awsome hoodies, have at it!

by Community Manager
on ‎01-04-2018 02:58 PM

ALRIGHT! so the time to submit entries has come and gone, and it's time to pick a winner!!


The good news is that I managed to convince my boss to throw in another hoodie, to all the people mentioned below, please forward me your hoodie size and address details via


so here goes




FIRST PLACE, for most complete solution, and for sharing all the bits needed to get it to work: @DIRTT !!!


A round of applause please! (just go ahead and 'like' this post, we'll tell everyone you applauded real hard :) )


SECOND PLACE, for funny picture of a haunted firewall: @SKye_Hodges !!! 

another round of applause! If you haven't liked this post at this point would be a good time to go ahead and 'like' epic photoshop skills (or a REALLY haunted firewall that's somehow also blocking apparitions and banshees from entering the network)


And an HONORABLE THIRD PLACE goes to @Peadard for sharing his really spiffy looking dashboard!!! Great work compressing this valuable data into one single screen that shows you the data that matters most to you!

Third and final round of applause! If you haven't hit the like button by now, this is the time to do so ;)


We'll be sending all three gentlemen (no lady contestants this time unfortunately, maybe next time! ) a limited edition Live Community hoodie (as pictured above)


Stay tuned for the next challenge to get your shot at winning a cool (and really warm) hoodie or other prize we can get management to sign off on ;) 


Gratz to the winners!

Reaper out



Ask Questions Get Answers Join the Live Community