Ignite'18 Wrap Part 2 - Answer the orphaned questions and bag some swag

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L7 Applicator

Ignite-questionspart2.jpg

A couple of weeks ago I posted a blog, Ignite'18 Wrap - Answer the orphaned questions and bag some swag, And we're lucky enough to get almost all of the first round of questions answered, which is great!

 

In case you missed all the questions and answers from Ignite18, please check it out here:

 

I told you before that I had more leftover (orphaned) questions from the "Great Wall of Knowledge" or, for those who saw it at Ignite, the "Shark wall". And because the first round was popular, we are posting up a Part 2.

 

Rules

The rules are simple: If you're able to provide the first correct answer, we will reward you with some Palo Alto Networks swag. Perhaps something from the booth, or a surprise. We are going to keep it a secret until the winners are announced.

Note: when you answer, please include the question # you are answering.

 

Questions

Here are the next 4 vetted questions:

  1.  What is the CLI command for adding a blackhole route? - Answered
  2. Can Palo Alto Networks firewall be registered as a member server in an Active Directory, so it can use MSA (Managed Security Account)? OR is there any other way to use MSA? Answered
  3. Is there a way to get more information on SSL Decrypt issues or blocks without logging into the Firewall or Panorama? - Answered
  4. How to implement GlobalProtect using U7A machine certificate?

As always, please don't be shy.. .answer away and maybe you can win something.

 

Stay Secure!

Joe Delio

End of line.

7 Comments
L1 Bithead

... oops...

L7 Applicator

If anyone is up to the challenge, I can provide a hint that the reward may or may not be anything that you could drink liquids out of.. 🙂

L7 Applicator

3.) Each application will behave differently if it is incompatible with SSL decryption.  Some applications will complain about mismatching SSL certificates, while other applications will fail without providing a reason or even notifications.  Your users will complain that things don't work, but it's highly likely that they'll be able to give you enough information to determine whether or not SSL decryption is the culprit.  

 

The firewall logs are your first line of defense regarding SSL-related failures.  After that you're looking at packet captures.  

 

If you don't want to/are unable to login to the firewall or to Panorama to investigate, then the only other way to view the logs that will tell you if you're experiencing decryption-related issues will be through the use of log-forwarding.  In your case, where you're interested in a subset of logs with indicators that may point to SSL decryption issues, you'll want to look at the "filtered log-forwarding" feature.  Once you filter for the "interesting" logs, the firewall can then forward those logs to a specific destination, be it syslog servers, e-mail addresses, snmp trap receivers, or any SaaS-based communications/logging platform that accepts HTTPS/SSL-based API calls (such as Slack), etc.

 

So, which logs are "interesting"?  All traffic logs include a session-end reason.  Some of those reasons clearly point to a decryption-related issue:

 - decrypt-cert-validation

 - decrypt-unsupport-param

 - decrypt-error

 

Some are a little more cryptic:

 - resources-unavailable (if your decryption profile has a failure check that blocks sessions if resources are unavailable)

 

Unfortunately, these other two reasons can (but do not always) indicate decryption-related issues:

 - tcp-rst-from-client (more likely in my experience)

 - tcp-rst-from-server (less likely)

 

One of those log-forwarding destinations could be the Palo Alto Networks' Logging Service, which would ultimately allow you to access that data via the Application Framework.  You (or your VAR, or an enterprising individual) could write an application that lives inside the framework and takes action when certain conditions are met.  

L7 Applicator

1.) I don't believe there's a "null" routing construct in PAN-OS.  The only two areas where "null" jumps out are in relation to tunnels (null-encrypted tunnel) or in configuring OSPFv3 (null-encrypted authentication).  

 

admin@pa0-black_knight(active)# find command keyword null
set network tunnel ipsec <name> manual-key esp encryption algorithm <des|3des|aes-128-cbc|aes-192-cbc|aes-256-cbc|null>
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp encryption algorithm <3des|aes-128-cbc|aes-192-cbc|aes-256-cbc|nul
l>
[edit]
admin@pa0-black_knight(active)#

 

One option is to configure an unnumbered dummy tunnel interface and point the route to that interface with the next-hop set to "none" (or more appropriately, not configuring a next-hop in the first place).  Using tunnel.11 as an example:

 

set network virtual-router <name> routing-table ip static-route <name> destination <ip/netmask> interface tunnel.11 

 

Another option would be to set the nexthop for a particular route to "discard".  Those CLI commands are:

 

set network virtual-router <name> routing-table ip static-route <name> destination <ip/netmask> nexthop discard

 

 

Two "pro-tips" to help you discover a specific CLI command:  a.) login to the CLI, go to configure mode, and use "find command keyword <term>" - that will show you CLI commands that include the word <term>.  b.)  Make a sample configuration change in the GUI, and then look for the structure within the CLI using a modified "config-output-format" view of the configuration.  For example, if I had a static-route named "blackhole", here's how I would identify the associated CLI command:

 

admin@pa0-black_knight(active)> set cli config-output-format set
admin@pa0-black_knight(active)> configure
Entering configuration mode
[edit]
admin@pa0-black_knight(active)# show | match blackhole
set network virtual-router VirtualRouter1 routing-table ip static-route blackhole destination 10.10.10.0/24
set network virtual-router VirtualRouter1 routing-table ip static-route blackhole interface tunnel.11
[edit]
admin@pa0-black_knight(active)#

L7 Applicator

@jvalentine, thanks for helping out to answer those 2 questions.. That helps out a lot. 

I will be reaching out to you to ensure y0u get a reward (really cool mug btw).. 

 

Now lets' see if anyone else is able to step up and help out with the rest of the questions left.

L7 Applicator

2) Unfortunately no and no. The firewalls cannot be joined to AD and there is (so far) no way to use MSAs. If the requirement is that the passwords are changed periodically the only way is to write a script to get something like MSA. With a powershell script this tasks seems not that difficult. This script needs to do the following:

  • Generate a random password (really random so that it cannot be guessed with some state information of the server)
  • Change an accounts password in active directory
  • Change the account credentials on the firewall with the API

This script can then run as scheduled task as often as needed.

... but of course this is only as close as possible to Managed Security Accounts

L7 Applicator

Thanks @Remo for chiming in and answering #2. 

I will be reaching out to you to get you a reward for helping out.

  • 30249 Views
  • 7 comments
  • 1 Likes
Register or Sign-in
Labels