Searching for the obvious can sometimes be hard. You simply might have overlooked something or you might have never needed it before. Things can become especially tricky when you have a security policy that's several hundreds of rules long.
This article is based on a discussion, Security Profiles - URL Filtering - Update Multiple Categories within all Profiles.
Read on to see how @PingMyServer was able to accomplish this from the CLI.
Hello all, I'm looking for some suggestions, or information on how I can quickly update all security profiles with 3 select objects at once. In total, our Panorama has 129 profiles, so I would need to log in to all 129 profiles and update 3 categories in them to block.
By way of the GUI, I think the only way would be to edit 1 profile at a time, search all 3 categories, and update them accordingly. Can anyone suggest an easier way to resolve this?
Solution for Update Multiple Categories Within All Security Profiles With the CLI:
After doing further research, I found that through the CLI you can do this fairly easily, using the following commands. You can pull your profile names from the command "set device-group GROUP1 profiles" and pressing tab. It takes a little work, but with Excel you can get all the commands you need fairly quickly.
set device-group GROUP1 profiles url-filtering PROFILE_NAME block ransomware
set device-group GROUP1 profiles url-filtering PROFILE_NAME block encrypted-dns
set device-group GROUP1 profiles url-filtering PROFILE_NAME block real-time-detection
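The Excel step above can be replaced by a short script. This is an added example, not code from the original post: it takes a pasted list of url-filtering profile names (the device-group name GROUP1 and the profile names below are constructed placeholders) and emits one "set ... block <category>" command per profile and category, quoting names that contain spaces as the PAN-OS CLI requires.

```python
"""Generate PAN-OS 'set' commands that block URL categories in many
url-filtering profiles at once (added example, not from the original post)."""

from typing import Iterable, List

# Constructed sample input: profile names as pulled from
# "set device-group GROUP1 profiles url-filtering" + <tab>, one per line.
SAMPLE_PROFILE_LIST = """\
URL-Default
URL-Guest WiFi
URL-Servers
"""

# The three categories the original post wanted blocked everywhere.
CATEGORIES = ("ransomware", "encrypted-dns", "real-time-detection")


def quote_name(name: str) -> str:
    """The PAN-OS CLI needs double quotes around names containing spaces."""
    return f'"{name}"' if " " in name else name


def block_commands(device_group: str, profiles: Iterable[str],
                   categories: Iterable[str] = CATEGORIES) -> List[str]:
    """Return one 'set ... block <category>' command per profile/category pair."""
    cmds = []
    for profile in profiles:
        profile = profile.strip()
        if not profile:  # skip blank lines left over from a pasted list
            continue
        for cat in categories:
            cmds.append(
                f"set device-group {quote_name(device_group)} profiles "
                f"url-filtering {quote_name(profile)} block {cat}"
            )
    return cmds


def commands_from_list(device_group: str, text: str) -> List[str]:
    """Convenience wrapper: text is the pasted, newline-separated profile list."""
    return block_commands(device_group, text.splitlines())


if __name__ == "__main__":
    # Paste the printed lines into 'configure' mode on Panorama, then commit.
    print("\n".join(commands_from_list("GROUP1", SAMPLE_PROFILE_LIST)))
```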
This article is based on a discussion, Prioritizing a BGP route over other BGP routes for IPSec tunnel traffic redirection, posted by @tamilvanan . Read on to see the guidance from our Cyber Elite @aleksandar.astardzhiev!
We have a physical firewall on-premise. We have three ISPs and a single virtual router with ECMP enabled (Balanced Round Robin) in it.
Recently, we configured two pairs of IPsec tunnels (pair one: Tunnel 1 and Tunnel 2; pair two: Tunnel 3 and Tunnel 4) to communicate with the AWS peer (only one subnet on AWS, 10.x.x.x/24) using the BGP method for successful failover.
ISP 1 --> Tunnel 1, Tunnel 2
ISP 2 --> Tunnel 3 and Tunnel 4
As we had already enabled the ECMP Balanced Round Robin method, the traffic is currently passing through Tunnel 2 and Tunnel 4.
Now, we need the traffic to pass through only Tunnel 1, and the traffic should pass through the other tunnels only if Tunnel 1 fails. All the tunnels are configured under BGP.
Thanks in advance!
My guess is: do we have some metrics mechanism which will influence the tunnel through which the traffic will be egressed?
I don't understand what ECMP has to do with this question... I understand you use ECMP for Internet access (your default route), but on top of that we are talking about IPsec tunnels, so the routing to the AWS private range has nothing to do with the ECMP (as long as you have any tunnel up 🙂 ). So I will abstract from this.
Now I understand that you are receiving the AWS prefix via BGP from all four tunnels. So all you have to do is create an import policy under the BGP. As I said, with BGP you have lots of options to control what you receive, how you receive it and what you advertise. Probably the most straightforward would be:
- Create one import policy for the BGP peer over tunnel1
- Since you receive only one prefix, you can leave the "match" tab as it is (meaning match any route received from that peer)
- On the "action" tab put 100 as local preference (for example)
- Create one more import policy below the previous one for the BGP peers over tunnel2, 3 and 4
- Leave the match tab as it is
- On the "action" tab put 200 for local preference
This way your firewall will receive the same prefix over all four tunnels, but it will prefer the route over tunnel1. If this tunnel fails, the BGP peering will also fail and the firewall will stop receiving the prefix from tunnel1, so it will switch to the other tunnels.
Now, depending on what you actually try to accomplish, you may want to split the second import policy and have four different policies, one for each BGP peer, with a different local preference for each.
This article is based on a discussion, Tracing external IPs back to internal IPs at a specific moment in time..., posted by @Tom_Access . Read on to see the solution and collaboration from Cyber Elite @OtakarKlier & @Adrian_Jensen!
In the course of tracking down security vulnerabilities, I find myself trying to trace External IPs (from external security scan reports) back to Internal IPs at a specific moment in time (the timestamp from the scan report). Most of the time, it's very simple, as many internal IPs are NAT'd 1-to-1 to external IPs. Those tend to stay static. But there are also large groups of PAT'd addresses, such as whole ranges of internal IPs (like guest WiFi network DHCP pools) that go out a single external IP.
I'm really struggling with how to track these devices down. I can rarely even find a matching internal IP for that timestamp.
Is there a specific NAT/PAT log I can reference? Or a tool for this that I'm missing? I've been trying to use the traffic logs, but that's not always fruitful and it is tedious.
Any suggestions? I'm using a Palo Alto PA-5250 running PanOS 10.2.0.
Thanks in advance,
First thing is to make sure you have logging at session end enabled on all of your security policies. Then you go into the Unified log and filter on source IP of the attacker. This should show all the traffic from that IP address. Then click on the paper/magnifying glass icon on the far left of the log.
This will bring up all the session details and will show you the NAT'd IP.
In addition the Monitor -> Logs -> Traffic viewer has many additional fields which can be selected/filtered upon by selecting the down arrow in the column name header and selecting additional fields. (Note: You can also reorder columns by dragging them to either side.)
Two additional columns that are not shown by default are "NAT Source IP" and "NAT Dest IP" (as well as NAT Source/Dest Port), which show the NAT'd IP results. You can filter your traffic on these fields as well. So, for instance, if your external security report complains about an exploit attempt from your public IP to an internet IP:
2022-07-08 12:35 - 188.8.131.52:53219 -> 184.108.40.206:443
You can find all the matching outbound traffic logs with a Traffic log filter like:
( natsrc eq 220.127.116.11 ) and ( natsport eq 53219 ) and ( addr.dst in 18.104.22.168 ) and (port.dst eq 443)
You can further add time filters to narrow down a window, though be aware that while log receive time appears to be a log database index, session start time is not. So queries using start time may take much longer/time out when searching (you can work around this by also using a wide receive time filter to pre-narrow the results subsequently filtered by the start time filter).
... and (receive_time geq '2022/07/08 12:30') and (receive_time leq '2022/07/08 12:50') and (start_time geq '2022/07/08 12:30')
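The filter-building steps in the answer above, turned into a small script. This is an added example, not code from the original post: it parses one scan-report line in the form shown above (the sample line reuses the answer's values), builds the natsrc/natsport/addr.dst/port.dst filter, and adds a receive_time window (the ±10 minute width is an assumption) so the indexed field pre-narrows the results before the start_time condition is applied.

```python
"""Build a PAN-OS Traffic log filter from one external scan-report line
(added example, not from the original post)."""

import re
from datetime import datetime, timedelta

# Constructed sample line in the form used in the answer:
#   YYYY-MM-DD HH:MM - <public src ip>:<src port> -> <dst ip>:<dst port>
SAMPLE_REPORT_LINE = "2022-07-08 12:35 - 188.8.131.52:53219 -> 184.108.40.206:443"

_LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_report_line(line: str) -> dict:
    """Split a report line into timestamp, public source, destination and ports."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised report line: {line!r}")
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M")
    return fields


def _pan_time(t: datetime) -> str:
    """Time literal format accepted by PAN-OS log filters."""
    return t.strftime("%Y/%m/%d %H:%M")


def traffic_log_filter(line: str, window_min: int = 10) -> str:
    """Match on the NAT (post-translation) side, then a receive_time window
    to use the indexed field, then start_time for the real session start."""
    r = parse_report_line(line)
    lo = r["ts"] - timedelta(minutes=window_min)  # window width is an assumption
    hi = r["ts"] + timedelta(minutes=window_min)
    parts = [
        f"( natsrc eq {r['src']} )",
        f"( natsport eq {r['sport']} )",
        f"( addr.dst in {r['dst']} )",
        f"( port.dst eq {r['dport']} )",
        f"( receive_time geq '{_pan_time(lo)}' )",
        f"( receive_time leq '{_pan_time(hi)}' )",
        f"( start_time geq '{_pan_time(lo)}' )",
    ]
    return " and ".join(parts)


if __name__ == "__main__":
    print(traffic_log_filter(SAMPLE_REPORT_LINE))
```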
This article is based on a discussion, Issue that specific policy traffic logs fail to forward to syslog server and drop from firewall, posted by @JoHyeonJae. Read on to see the discussion and guidance from @PavelK!
Hello,
PAN-OS: 9.1.6
Currently, my customer is facing an issue where logs generated from a specific policy (TO_DNS policy) at more than 10,000 LPS are dropped without being forwarded to the syslog server.
The Traffic log of the firewall is verifiable, but the Forwarding Stats Syslog Drop Count is constantly increasing; debug log-receiver statistics have been confirmed, and less than 1,000 total LPS appear in addition to this policy. There are no logs for that policy on the syslog server because they are dropped without being forwarded by the firewall. The Log Setting/Log Forwarding Profile in the policy settings is set normally, so there seems to be no problem with the settings. I will let you know if you guys need additional info. The Device Log Forwarding Limit of the PA-3260 is written as 24,000 LPS as shown in the document below, so I wonder why it is dropped.
Your customer might be hitting an issue PAN-185616 addressed in 9.1.14:
This Nominated Discussion Article is based on the post " Change forward decrypt trust cert to a new one " by @djon and answered by @emr_1. Read on to see the discussion and solution!
I have forward ssl decrypt running and I want to change the cert I use. Can only have one forward trust cert at a time. If I deselect forward trust box I get commit error because my ssl decrypt policies don't have a forward trust cert. I can't select forward trust on the new cert until the old cert has forward trust deselected.
So now what do I do?
You don't need to "deselect and commit".
Just change the certificate and the commit will work (at least it worked on my lab / PAN-OS 10.1.6-h6).
Also make sure to have a private key for it.
The following two screenshots show what happens if you did not import the private key (you won't be able to select the Forward Trust Cert option):