Ignite'18 Wrap Part 2 - Answer the orphaned questions and bag some swag

... oops...

If anyone is up to the challenge, I can provide a hint that the reward may or may not be anything that you could drink liquids out of.. 🙂

3.) Each application will behave differently if it is incompatible with SSL decryption.  Some applications will complain about mismatching SSL certificates, while other applications will fail without providing a reason or even notifications.  Your users will complain that things don't work, but it's highly likely that they'll be able to give you enough information to determine whether or not SSL decryption is the culprit.  

The firewall logs are your first line of defense regarding SSL-related failures.  After that you're looking at packet captures.  

If you don't want to/are unable to login to the firewall or to Panorama to investigate, then the only other way to view the logs that will tell you if you're experiencing decryption-related issues will be through the use of log-forwarding.  In your case, where you're interested in a subset of logs with indicators that may point to SSL decryption issues, you'll want to look at the "filtered log-forwarding" feature.  Once you filter for the "interesting" logs, the firewall can then forward those logs to a specific destination, be it syslog servers, e-mail addresses, snmp trap receivers, or any SaaS-based communications/logging platform that accepts HTTPS/SSL-based API calls (such as Slack), etc.

So, which logs are "interesting"?  All traffic logs include a session-end reason.  Some of those reasons clearly point to a decryption-related issue:

 - decrypt-cert-validation

 - decrypt-unsupport-param

 - decrypt-error

Some are a little more cryptic:

 - resources-unavailable (if your decryption profile has a failure check that blocks sessions if resources are unavailable)

Unfortunately, these other two reasons can (but do not always) indicate decryption-related issues:

 - tcp-rst-from-client (more likely in my experience)

 - tcp-rst-from-server (less likely)

One of those log-forwarding destinations could be the Palo Alto Networks' Logging Service, which would ultimately allow you to access that data via the Application Framework.  You (or your VAR, or an enterprising individual) could write an application that lives inside the framework and takes action when certain conditions are met.  

1.) I don't believe there's a "null" routing construct in PAN-OS.  The only two areas where "null" jumps out are in relation to tunnels (null-encrypted tunnel) or in configuring OSPFv3 (null-encrypted authentication).  

admin@pa0-black_knight(active)# find command keyword null
set network tunnel ipsec <name> manual-key esp encryption algorithm <des|3des|aes-128-cbc|aes-192-cbc|aes-256-cbc|null>
set network virtual-router <name> protocol ospfv3 auth-profile <name> esp encryption algorithm <3des|aes-128-cbc|aes-192-cbc|aes-256-cbc|nul
l>
[edit]
admin@pa0-black_knight(active)#

One option is to configure an unnumbered dummy tunnel interface and point the route to that interface with the next-hop set to "none" (or more appropriately, not configuring a next-hop in the first place).  Using tunnel.11 as an example:

set network virtual-router <name> routing-table ip static-route <name> destination <ip/netmask> interface tunnel.11 

Another option would be to set the nexthop for a particular route to "discard".  Those CLI commands are:

set network virtual-router <name> routing-table ip static-route <name> destination <ip/netmask> nexthop discard

Two "pro-tips" to help you discover a specific CLI command:  a.) login to the CLI, go to configure mode, and use "find command keyword <term>" - that will show you CLI commands that include the word <term>.  b.)  Make a sample configuration change in the GUI, and then look for the structure within the CLI using a modified "config-output-format" view of the configuration.  For example, if I had a static-route named "blackhole", here's how I would identify the associated CLI command:

admin@pa0-black_knight(active)> set cli config-output-format set
admin@pa0-black_knight(active)> configure
Entering configuration mode
[edit]
admin@pa0-black_knight(active)# show | match blackhole
set network virtual-router VirtualRouter1 routing-table ip static-route blackhole destination 10.10.10.0/24
set network virtual-router VirtualRouter1 routing-table ip static-route blackhole interface tunnel.11
[edit]
admin@pa0-black_knight(active)#

@jvalentine, thanks for helping out to answer those 2 questions.. That helps out a lot. 

I will be reaching out to you to ensure y0u get a reward (really cool mug btw).. 

Now lets' see if anyone else is able to step up and help out with the rest of the questions left.

2) Unfortunately no and no. The firewalls cannot be joined to AD and there is (so far) no way to use MSAs. If the requirement is that the passwords are changed periodically the only way is to write a script to get something like MSA. With a powershell script this tasks seems not that difficult. This script needs to do the following:

• Generate a random password (really random so that it cannot be guessed with some state information of the server)
• Change an accounts password in active directory
• Change the account credentials on the firewall with the API

This script can then run as scheduled task as often as needed.

... but of course this is only as close as possible to Managed Security Accounts

Thanks @Remo for chiming in and answering #2. 

I will be reaching out to you to get you a reward for helping out.