
The purpose of this document is to guide the user through all the steps required to configure a Palo Alto Networks unit for POC testing. There are three installation scenarios to choose from: TAP, Vwire, or Layer 3. The configuration is designed to produce maximum logging, using real traffic that is either mirrored from or passing through your production network. The recommended TAP installation will in turn produce the most comprehensive Security Lifecycle Review (SLR) reports possible, with maximum visibility.

NOTE: If your evaluation unit came directly from a partner/reseller, distributor, or Palo Alto Networks, some of these configurations might already be pre-configured. Typically, units shipped from partners are already licensed and registered to the partner who sent them. Below are links to information that will help you decide on the best evaluation for you.

Overview:
TAP - Tap Mode Deployments
Vwire - Virtual Wire Deployments
Layer 3 - Layer 3 Interfaces

1. Create Support Portal User Account

Go to https://support.paloaltonetworks.com and click Activate My Account.
Enter your email address and the CAPTCHA code.
Select Register device using Serial Number or Authorization Code.
Complete the New User Registration form. The Display Name must be unique. Your display name is used to uniquely identify you in the Palo Alto Networks Support Community; it is searchable and viewable by public search engines. For your privacy, do not use your email address or full name as the display name.
Enter the Device Serial Number and Eval-ID. This data can be found in your Eval email. When you enter the Device Serial Number (a long string of digits, usually starting with 00) and press Tab, the next field will change and ask for your Eval-ID. The Eval-ID is in the format EXXXX (the letter E followed by digits, no spaces).
The End User Agreement must be accepted to create a user account.
You will receive an email that contains a link to activate your user account.
Click the activation link and log in to the Customer Support Portal (https://support.paloaltonetworks.com). Set up the two security questions, and you will be taken to the Account Home tab.

2. Activate Evaluation Device

If you are evaluating our physical appliance, use step 3.1.
Go to Assets and select Devices.
Select Register New Device, choose Register Device using Serial Number or Authorization Code on the next window, then Submit.
Enter the Serial Number and the other required fields. Click Agree and Submit when you're done.
The device is now registered, and you should see a confirmation on this page.

3. Establish Management IP

Connect a serial cable to the CONSOLE port on the firewall, using 9600-8-N-1 in a console emulator such as PuTTY (set PuTTY to Serial). This will likely require a USB-to-serial adapter to convert the 9-pin serial connector to USB, as the firewall ships with a 9-pin-to-RJ45 console cable.
Determine an open IP address on the network that the firewall management interface can use, and ensure this IP has https access to the Internet and is reachable from your desktop.
On newer hardware models (PA-220, PA-820, or PA-850), you may use the built-in micro-USB port to console in. Download and install the Microchip driver for Windows (not required for Windows 10). Additional information on the micro-USB console port is found here.

NOTE: As an alternative to using the console port, you can plug a laptop into the MGT port, put a 192.168.1.x IP on its Ethernet NIC, and browse to https://192.168.1.1 to log in and change the IP in the GUI. Once this change is committed, you will lose your connection to the firewall (assuming you assigned an IP outside of that network). Then simply revert your laptop to its previous IP and log in to the newly set IP.
Log in using the defaults: Username admin, Password admin.

From the console, execute the following commands (configure enters EDIT mode, exit leaves it):

> configure
# set deviceconfig system ip-address x.x.x.x netmask x.x.x.x default-gateway x.x.x.x
# set deviceconfig system dns-setting servers primary x.x.x.x
# commit
# exit

You should see the commit process occur and return to a prompt. If you get any syntax errors that keep you from setting the DNS server, configure only the IP, netmask, and default gateway; DNS can be configured later in the web interface.

Connect an Ethernet cable from the MGT port to a switch, so the MGT IP you just set can be browsed to and has Internet access. Attempt to browse to the IP you just set using https (https://x.x.x.x). Accept the certificate error and log in to the web interface using the default admin login and password.

4. Tap Mode Evaluation Setup (Recommended)

Sample TAP mode install network diagram

Ensure that the evaluation unit is on the inside of the network (behind any existing firewall, IPS, web proxy, etc.) and is receiving mirrored or spanned traffic from the core switch. By default, the TAP interface on the evaluation unit is ethernet1/3. Also ensure that the Management Interface is connected and has external (https) access as well as being internally accessible.

a. DEVICE Tab configuration

Use the web interface to perform the initial setup by browsing to the IP you assigned (https://x.x.x.x).

Device Tab > Setup > Interfaces sub-tab > Management (interface name): These settings apply to the management interface only and are the same ones previously configured through the CLI. Verify they are correct and/or configure the IP Address, Netmask, and Default Gateway, then click OK. In PAN-OS 7 or 7.1, the path is Device Tab > Setup > Management > Management Interface Settings > Edit button (gear icon).
Device Tab > Setup > Management > General Settings > Edit button: Insert your AD Domain suffix, correct the Time Zone, and set the correct Time and Date for your local geographic area. Then click OK. Clock changes may require you to log back in, by refreshing or browsing to https://x.x.x.x again, due to cookie expiration.

Device Tab > Setup > Services sub-tab > Edit button (gear icon): Set the Primary DNS Server to your own internal DNS server IP, then click OK. If this was done previously in the console, you will see these values present and may skip this step. Alternatively, you may use a public DNS such as 4.2.2.2 and/or 8.8.8.8.

Device Tab > Setup > WildFire sub-tab > General Settings > Edit button: Set File Size Limits to their maximum values. Click each default size limit and enter the maximum value for each File Type (flash=10, pk=50, PDF=1000, jar=10, PE=10, ms-office=10000, MacOSX=50). Check the boxes next to Report Benign Files and Report Grayware Files, then click OK.

Commit your changes to this point by clicking Commit in the top right corner. Commit again to confirm, then Close. Close moves the commit dialog to the background, but it is still running. You may click Tasks in the bottom right corner of the console to see running and previous tasks.

Device Tab > Licenses: Click Retrieve license keys from license server. If your licenses fail to appear or you get an error, the problem lies with the assigned management IP, its ability to reach the Internet, and/or a DNS misconfiguration that prevents our server name from resolving.

Device Tab > Dynamic Updates: If Antivirus, Applications and Threats, or WildFire are not present, click Check Now at the bottom left corner. The first item to appear is Applications and Threats. Click Download, then Install once Applications and Threats has downloaded. Click Check Now again; this time Antivirus and any other subscriptions should appear.
Click Download, then Install once Antivirus has downloaded. Click None next to Schedule for each component and set each to Download and Install. Antivirus should be set to Daily, Applications and Threats to Weekly, and WildFire to Every Minute. (NOTE: In earlier versions of PAN-OS, the maximum frequency for the WildFire schedule is Every 15 Minutes.)

b. NETWORK Tab configuration (for Vwire mode, skip ahead to section 9, Vwire Evaluation Setup)

Network Tab > Zones > Add: Set Name to TAP and Type to Tap, check the box next to Enable User Identification, then click OK.
Network Tab > Interfaces > ethernet1/3: Set Interface Type to Tap and Security Zone to TAP, then click OK.

NOTE: For User Identification in the logs to work, you must enable User Identification on the (trust/internal) zone in question. Do not enable User Identification on any externally facing interfaces.

5. Basic Security Policy (firewall rule) Setup

Policies Tab > Security > Add
General tab: Set Name to TAP Policy Allow All, or whatever label you choose.
NOTE: Since you will not actually be filtering traffic but need visibility in your logs for all traffic, we will create this as an "Any to Any" rule. Any configuration will still be reflected accurately in the logs, so if you choose to write additional rules that block things, those blocks will show in the logs. You will not actually be blocking anything on the network, given that we are logging copies of mirrored traffic.
Source tab: Select Any for Source Zone and Source Address.
User tab: Select Any for Source User and HIP Profiles. NOTE: These will be users or groups pulled from your Active Directory domain. Users and groups will only appear after User-ID has been configured, later in this document.
Destination tab: Click the drop-down on Destination Zone and choose any.
Application tab: Select Any for Applications.
Service/URL Category tab: Click the drop-down on Service and select any.
This ensures that regardless of an application's default ports, we will still log it on any and all ports we observe it on.
Service/URL Category tab: Select Any for URL Category.
Actions tab: Select Allow for the Action. Leave all else as None for now. Click OK.
You should now see this policy in your Security Policy list. Commit to apply your policy to the data plane so it takes effect. After a minute or so, you should be able to see traffic logging start to appear under Monitor > Logs > Traffic.

6. Security Profiles Setup: Baseline Prevention Config

NOTE: If you find that the Security Profiles referenced in this section already exist, the evaluation unit has likely shipped in a preconfigured state. You may double-check the settings against this guide, or simply proceed to Section 8.

To enable the threat prevention features of the next-generation firewall, you need to create reusable objects that are then applied to any "Allow" rules for those features to take effect. In a TAP mode deployment, threats are not actually blocked, but they appear in the logs according to your Security Profile ACTION settings. For security profile Action settings: Alert = let it happen but log it; Allow = let it happen and do not log it; all other actions are some form of block. Drop, reset-both, block-ip, and others are all examples of a blocking setting. At a minimum, all configs should use Alert, but best practice is to block threats, not just log them. The following is a sample baseline configuration that would provide blocking and logging of threats and URL activity.

Objects Tab > Security Profiles > Antivirus: Click Add, set Name to block, and set Action and WildFire Action for http, smb, and ftp to drop. For the email protocols smtp, pop3, and imap, set Action and WildFire Action to reset-both. Optional: check the box next to Packet Capture. Click OK.

Objects Tab > Security Profiles > Anti-Spyware: Click Add, set Name to block.
On the Rules tab, click Add and set Rule Name to block, Threat Name to any, Category to any, Action to Drop, Packet Capture to single-packet, for Severity High and Critical. Click OK on the Anti-Spyware Rule window. Add another rule: set Rule Name to log, Threat Name to any, Category to any, Action to Default, Packet Capture to none, for Severity Medium, Low, and Informational. Click OK on the Anti-Spyware Rule window. On the DNS Signatures tab, you may accept the default settings (sinkhole, with the Palo Alto Networks predefined sinkhole IP).

Objects Tab > Security Profiles > Vulnerability Protection: Click Add, set Name to blockhicrit. On the Rules tab, click Add and set Rule Name to block, Action to Drop, Host Type to any, Category to any, Severity to High and Critical, Packet Capture to single-packet, CVE to any, and Vendor ID to any. Click OK on the Vulnerability Protection Rule window. Add another rule with Rule Name set to log, Action to Default, Host Type to any, Category to any, Severity to Medium, Low, and Informational, Packet Capture to none, CVE to any, and Vendor ID to any. Click OK on the Vulnerability Protection Rule window, then OK again on the Vulnerability Protection Profile window.

Objects Tab > Security Profiles > URL Filtering: Click Add, set Name to block, hover over the Site Access column, click the down-arrow icon, then Set All Actions to alert. Click OK. It is recommended to set the Malware and Phishing categories to block. The PAN-OS 7 and 7.1 URL Filtering profile does not have the User Credential elements and the web interface looks slightly different, but the same process can be used.

Objects Tab > Security Profiles > File Blocking: Click Add, set Name to alert_files. Click Add inside the File Blocking Profile window and set Name to files, Applications to any, File Types to any, Direction to both, and Action to alert.
Objects Tab > Security Profiles > WildFire Analysis: There should already be a default profile where Applications is set to any, File Types to any, Direction to both, and Analysis to public-cloud. If this is present, nothing else needs to be done.

The objects you just created must now be applied to your TAP mode security policy to take effect.

Policies Tab > Security: Click the rule name TAP Policy Allow All to open the rule you created previously. On the Actions tab, select Profiles from the Profile drop-down box. This opens your security profile slots. Set the Profile Settings to match what you named your security profiles:
Antivirus > block
Vulnerability Protection > blockhicrit
Anti-Spyware > block
URL Filtering > block
File Blocking > alert_files
Data Filtering > None
WildFire Analysis > default
Click OK and Commit your changes. In time, you should start to see logs appear under Monitor Tab > Logs > Threat as well as under WildFire Submissions.

7. User-ID Setup

User-ID allows you to see authenticated user names in your logs instead of just IP addresses. It also enables you to create rules/policies that are specific to users or groups of users. This setup requires you to connect to your LDAP server and read the security event logs from your Active Directory Domain Controller(s).

a. Setup and connect to your LDAP Server

Device Tab > Server Profiles > LDAP: Click Add. Set Profile Name to LDAP and make sure Administrator Use Only is unchecked. Click Add in the Server list section and set Name to an appropriate identifier (for example, AD01), LDAP Server to the IP address of your Domain Controller (for example, 10.46.168.121), and Port to 389. Under Server Settings on the right: set Type to active-directory; Base DN should auto-populate when you pull down the pick list. If it does not, try unchecking the Require SSL box and try again.
Set Bind DN to the UPN or full distinguished name of an Administrator on the domain (for example, Administrator@acme.local or CN=Administrator,CN=Users,DC=acme,DC=local), and fill in the Password and Confirm Password fields for that user.

TIP: If the Bind DN on the LDAP server is unknown, you can use the following Windows command on the LDAP server to determine it:
C:\>dsquery user
To find a specific user, type dsquery user -name <user>:
C:\>dsquery user -name admin*
The result, which can be pasted into the Bind DN field, will look something like:
CN=administrator,CN=Users,DC=acme,DC=com

b. Group Mapping Setup

This step ensures that LDAP queries can be processed.

Device Tab > User Identification > Group Mapping Settings tab > click Add. Set Name to mapping1 and select LDAP from the Server Profile drop-down box. Default values should pre-populate:
Group Objects: Object Class > group, Group Name > name, Group Member > member
User Objects: Object Class > person, User Name > sAMAccountName
Mail Domains: Mail Attributes > mail
Enabled is checked.
Next, verify that the admin user configured in the LDAP setup has rights to read the domain tree.

Group Include List tab: Double-click the domain tree under Available Groups. If the tree does not populate, go back to section 7.a and change the user in the Bind DN configuration. If the tree does expand, you are successfully querying LDAP with the credentials you entered previously. You may leave the Included Groups list empty, meaning all groups are searched, or select the groups you want to monitor and click the green (+) icon to add them to Included Groups on the right. Click OK when finished.

NOTE: If you have a very large domain with multiple OUs, limit the number of groups the firewall looks up to minimize resource usage on the firewall and domain controller.

c. Agentless User-ID Setup

Device Tab > User Identification > User Mapping > Palo Alto Networks User ID Agent Setup: Click the Edit button (the gear icon at the top right of the section). On the WMI Authentication tab, enter the User Name of a domain administrator in the format DOMAIN\username (for example, ACME\Administrator) and the password for this user or service account.

NOTE: The user specified in the WMI Authentication tab needs rights to read the domain controller's Security Logs. If this account is not a Domain Admin, or if User-ID does not populate traffic logs with user names, verify its rights with the following document: How to Configure Agentless User-ID

Device Tab > User Identification > User Mapping > Server Monitoring: If you entered your AD domain suffix previously, you may auto-discover your domain controller(s) using the Discover button. If not, click Add. Set Name to the name of the domain controller (for example, AD01), make sure the Enabled box is checked, set Type to Microsoft Active Directory, enter the server's IP address as the Network Address (for example, 10.46.168.121), then click OK.

NOTE: Repeat this step to add a User Identification Monitored Server for each domain controller in your environment. This ensures that no User-ID information is missed from users authenticating to other domain controllers.

Commit your changes. You should now see the server(s) you added show up with a Connected status under Server Monitoring. At this point, you should be able to add users and groups to Security Policies via the User tab, in addition to seeing User-ID information in the traffic logs. If you do not see users in the traffic logs, wait 15 minutes to an hour for that information to start populating. If it still does not show up, revisit the configuration.

8. TAP Mode Evaluation Final Check

To test whether your TAP mode evaluation is fully functioning, check the first five log types under the Monitor tab.

Traffic: Almost immediately you should have Traffic logs, but check that the Source User column is starting to populate with user names. It may require users to log out and log back into the network for those user names to really start flowing, so sometimes this column doesn't fully populate until the next work morning. Also, you should be seeing accurate representations under the Application column. If you are seeing predominately "incomplete", "not-applicable", or "Insufficient Data", then it is possible we are not seeing full sessions on the tap, and the SPAN port configuration should be re-examined.

Threat: Most environments will generate at least a few informational-level threats, so there should be something (hopefully NOT criticals) in the Threat log.

URL Filtering: These logs will appear quickly, assuming there is any browsing activity, with User-ID on them.

WildFire Submissions: This may not populate for approximately 15 minutes to several hours after deployment. It is a log of files that were submitted to WildFire for analysis. Given that SSL decryption cannot be deployed in TAP mode, we will only be seeing and/or submitting files found in clear-text traffic. Furthermore, files already known by hash value to WildFire will not be submitted. To expedite this testing, you may download an inert sample file that will register as completely unique to WildFire at http://wildfire.paloaltonetworks.com/publicapi/test/pe. NOTE: Existing files known to WildFire as malicious will not appear in the submission logs; instead, search the Threat logs for Type = 'wildfire-virus' to see those preventions.

Data Filtering: These logs should populate rather quickly, but in TAP mode they rely on files seen in clear-text (non-encrypted) protocols.
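As an added example (not part of the original guide), the Traffic-log part of the final check above can be scripted against a Monitor > Logs > Traffic CSV export: the script counts how many sessions carry an unidentified application and how many carry a Source User, and flags the two failure modes the check describes. The column names app and srcuser, the constructed sample rows, and the 50% thresholds are assumptions; adjust them to your export.

```python
"""Sanity-check a PAN-OS traffic log export for a TAP-mode evaluation."""
import csv
import io
from dataclasses import dataclass, field

# Application values PAN-OS logs when it did not see enough of the session to
# identify the application (the symptoms the final check warns about).
UNIDENTIFIED_APPS = {"incomplete", "not-applicable", "insufficient-data"}

# Constructed sample in the shape of a Monitor > Logs > Traffic CSV export.
# Column names 'app' and 'srcuser' are an assumption (they follow the PAN-OS
# log field names); match them to whatever your export's header row says.
SAMPLE_CSV = """receive_time,src,dst,app,srcuser,rule,action
2019/09/13 14:01:02,10.46.168.50,93.184.216.34,web-browsing,acme\\jdoe,TAP Policy Allow All,allow
2019/09/13 14:01:05,10.46.168.51,93.184.216.34,incomplete,,TAP Policy Allow All,allow
2019/09/13 14:01:07,10.46.168.52,8.8.8.8,dns,acme\\asmith,TAP Policy Allow All,allow
2019/09/13 14:01:09,10.46.168.53,10.46.168.10,incomplete,,TAP Policy Allow All,allow
2019/09/13 14:01:11,10.46.168.54,10.46.168.10,Insufficient Data,,TAP Policy Allow All,allow
2019/09/13 14:01:13,10.46.168.55,10.46.168.10,not-applicable,,TAP Policy Allow All,allow
2019/09/13 14:01:15,10.46.168.56,93.184.216.34,incomplete,,TAP Policy Allow All,allow
2019/09/13 14:01:17,10.46.168.57,8.8.8.8,dns,,TAP Policy Allow All,allow
"""


@dataclass
class TapHealth:
    sessions: int
    unidentified: int
    with_user: int
    findings: list = field(default_factory=list)

    @property
    def unidentified_ratio(self) -> float:
        return self.unidentified / self.sessions if self.sessions else 0.0

    @property
    def user_id_ratio(self) -> float:
        return self.with_user / self.sessions if self.sessions else 0.0


def normalize_app(value) -> str:
    """Map the display form ('Insufficient Data') onto the log value ('insufficient-data')."""
    return (value or "").strip().lower().replace(" ", "-")


def assess_traffic_log(csv_text: str, max_unidentified: float = 0.5,
                       min_user_id: float = 0.5) -> TapHealth:
    """Count sessions with an unidentified app and sessions with a Source User.

    The thresholds are hypothetical defaults: the guide only says that
    'predominately' unidentified applications point at a SPAN/tap problem.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    unidentified = sum(1 for r in rows if normalize_app(r.get("app")) in UNIDENTIFIED_APPS)
    with_user = sum(1 for r in rows if (r.get("srcuser") or "").strip())
    health = TapHealth(len(rows), unidentified, with_user)
    if not rows:
        health.findings.append("no traffic log entries: check the SPAN session and that "
                               "ethernet1/3 is a Tap interface in the TAP zone")
        return health
    if health.unidentified_ratio > max_unidentified:
        health.findings.append(f"{unidentified}/{len(rows)} sessions unidentified: the tap is "
                               "probably not seeing full sessions; re-examine the SPAN port configuration")
    if health.user_id_ratio < min_user_id:
        health.findings.append(f"only {with_user}/{len(rows)} sessions carry a Source User: allow "
                               "User-ID time to populate, then verify Server Monitoring shows Connected")
    return health


if __name__ == "__main__":
    result = assess_traffic_log(SAMPLE_CSV)
    print(f"sessions={result.sessions} unidentified={result.unidentified_ratio:.0%} "
          f"user-id={result.user_id_ratio:.0%}")
    for finding in result.findings:
        print("-", finding)
```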
If all five logs are populating, along with User-ID, then your TAP mode evaluation configuration is complete. For best results, allow the device to collect logs using this configuration for at least seven days. Any time after those initial 7 days, revisit your logs with your Palo Alto Networks (or partner) engineer and generate a Security Lifecycle Review (SLR) report. The SLR is an executive-style report that reflects a snapshot in time of the last seven days of traffic.

9. Vwire Evaluation Setup

Configure the first virtual wire interface:
Select Network Tab > Interfaces > Ethernet and select an interface you have cabled (ethernet1/4 in this example).
Set the Interface Type to Virtual Wire and click OK.
Repeat this step to configure a second Virtual Wire interface (ethernet1/5 in this example).

Attach the interfaces to a virtual wire object:
Select one of the virtual wire Ethernet interfaces; on the Config tab, select Virtual Wire and click New Virtual Wire.
Enter a Name for the virtual wire object.
Select the two Virtual Wire interfaces you just created as Interface1 and Interface2 (it doesn't matter which interface is assigned to 1 or 2).

Create a separate security zone for each virtual wire interface:
Select Network > Zones and add a zone.
Enter the name of the zone (such as Vwire trust).
For Type, select Virtual Wire.
Add the interface that belongs to the zone (ethernet1/4 in this example).
Click OK.
Create a second zone for the second Virtual Wire interface: enter the name of the zone (such as Vwire untrust), for Type select Virtual Wire, and add the interface that belongs to the zone (ethernet1/5 in this example).

10. Vwire Basic Security Policy (firewall rule) Setup

Policies Tab > Security > Add
General tab: Set Name to 'vwire trust to vwire untrust' or whatever label you choose.
NOTE: We will create this as an "Any to Any" rule.
Any configuration will still be reflected accurately in the logs, so if you choose to write additional rules that block things, those blocks will show in the logs.

Source tab: Select Vwire trust for Source Zone and Any for Source Address.
User tab: Select Any for Source User and HIP Profiles. NOTE: These will be users or groups pulled from your Active Directory domain. Users and groups will only appear after User-ID has been configured.
Destination tab: Click the drop-down on Destination Zone and choose Any.
Application tab: Select Any for Applications.
Service/URL Category tab: Click the drop-down on Service and select any. This ensures that regardless of an application's default ports, we will still log it on any and all ports we observe it on.
Service/URL Category tab: Select Any for URL Category.
Actions tab: Select Allow for the Action. Leave all else as None for now. Click OK.
You should now see this policy in your Security Policy list. Repeat this process to create a second Security Policy rule, but with Vwire untrust as the Source Zone and Vwire trust as the Destination Zone. Commit to apply your policy to the data plane so it takes effect. After a minute or so, you should be able to see traffic logging start to appear under Monitor > Logs > Traffic.

11. Layer 3 Evaluation Setup

For this install, we are going to be within the production network, and it must be planned around the changes that can affect production traffic. For this guide, we are under the assumption that we are within the production network but not replacing the firewall. With a Layer 3 installation, you would also be able to test a GlobalProtect VPN setup. Below is an example of this network diagram:

Example Environment:
l3-untrust Zone: Public IP 87.65.43.2/29, Next Hop 87.65.43.1, eth1/1 interface connected to ISP
l3-trust Zone: Private Subnet 192.168.1.0/24, Firewall IP 192.168.1.1, eth1/2 interface connected to local switch
Firewall will act as router.

Palo Alto Networks Firewall configuration

For this, we will be utilizing the web interface to perform our configuration moving forward. To reach this page, browse to the IP that was set up for the management interface (https://x.x.x.x). The resulting page should look like this:

The Device tab config is the same as in Tap mode. When looking at the user interface for the firewall, we have seven tabs across the top. We will now select the Network tab.

Now that we are in the Network tab, we are going to create our security zones by selecting Zones on the left.

At the bottom left of the page, you have an Add button with a green plus symbol. Click Add to create the Untrust zone. Configure the following:
Name: L3-Untrust
Type: Layer3

Now create the Trust zone by following the same steps. Configure the following:
Name: L3-Trust
Type: Layer3

Our next step is to configure our Ethernet interfaces and assign them to our new Security Zones. Click Interfaces on the left, which is above Zones. The page should look like this.

Click to open ethernet1/1 and configure the following:
Comment: Outside interface
Interface Type: Layer3
Virtual Router: none
Security Zone: L3-Untrust

Now click the IPv4 tab to configure the static IP address facing your Internet router. In our example, that IP address is 87.65.43.2/29. After you add the IP address, click OK.

We will now do the same setup for ethernet1/2. Click to open ethernet1/2 and configure the following:
Comment: Inside interface
Interface Type: Layer3
Virtual Router: none
Security Zone: L3-Trust

The IP address for ethernet1/2 faces our switch, so it needs to be assigned accordingly. In our example, the address is 192.168.1.1/24. After the IP address is added, click OK.
Our next step in the configuration process is to configure the virtual router for our interfaces. To accomplish this, click Virtual Routers on the left.

To configure the virtual router, click default to open the configuration window. Start by adding the interfaces ethernet1/1 and ethernet1/2 under the General tab within Router Settings. It should look like the image below:

Next, we need to configure our Static Routes. Click the Static Routes tab beneath Router Settings, then click Add and configure the following:
Name: default-router
Destination: 0.0.0.0/0
Interface: ethernet1/1
Next Hop: IP address, 87.65.43.1
It should look like the image below:

Please keep in mind that 87.65.43.1 is the next hop for our example environment; in your environment it will be different. After you have verified your settings, click OK to create the static route, and click OK to save the changes to the Virtual Router.

Our final network configuration task is to create the NAT policy. For this, we leave the Network tab and go to the Policies tab. On the left, select NAT. On the resulting NAT page, click Add on the lower left to create a new NAT policy. Configure the NAT policy with the following:
General tab
Name: outbound-nat
NAT Type: ipv4
Original Packet tab
Source Zone: L3-Trust
Destination Zone: L3-Untrust
Destination Interface: ethernet1/1
Translated Packet tab
Translation Type: Dynamic IP and Port
Address Type: Interface Address
Interface: ethernet1/1
IP Address: Select the IP address of the outside interface from the list.
Your configuration should look like the following images:

Once you have verified your settings, click OK. We will now create the policy that allows traffic leaving our network. To complete this, navigate to the Security policies configuration page, which is on the left above NAT.
Once you have reached that page, click Add on the lower left to create the policy. Configure the Security Policy Rule with the following:
General tab:
Name: egress-l3-trust
Rule Type: universal (default)
Source tab:
Source Zone: L3-Trust
Source Address: Any
Destination tab:
Destination Zone: L3-Untrust
Destination Address: Any
Application tab: Verify that Any is selected.
Service/URL Category tab: Verify that application-default and Any are selected.
Actions tab:
Action: Allow
Log Setting: Log at Session End
Your policy should match the following images.

We will now commit these changes to the firewall so that we can verify network connectivity from our test hosts. On the upper right, click Commit. Make sure that the radio button for Commit All Changes is selected, and then click Commit.

Test and Validate Connectivity

Connect an endpoint to the ethernet1/2 interface, or to a switch attached to the ethernet1/2 interface. Configure the endpoint's network settings with the following:
An IP address in the 192.168.1.0/24 subnet
The gateway IP address of the firewall interface (192.168.1.1)
DNS servers reachable from the outside interface (e.g. 4.2.2.2 and 8.8.8.8)
Attempt to access the Internet.
reaper ‎09-13-2019 03:09 PM