XDR Isolation Exceptions and Exclusions Use Case

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L6 Presenter
No ratings

xdr-isolation-use-case_paloaltonetworks.jpg

 

When you isolate an endpoint, you halt all endpoint network access — except for traffic to Cortex XDR. This can prevent a compromised endpoint from communicating with other endpoints, which reduces an attacker’s mobility. After the Cortex XDR agent receives the instruction to isolate the endpoint and carries out the action, the Cortex XDR console shows an isolated check-in status. To ensure an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.

 

Traffic to Cortex XDR can be halted in some cases. For example, enabling the GlobalProtect feature “Enforce Global Protect for Network Access” will block ALL traffic on GlobalProtect clients until the GlobalProtect agent is internal or connects to an external gateway. Forcing users to connect to GlobalProtect to access the network reduces the security risks of exposing your enterprise to endpoints who aren’t connected via VPN. In this case, to ensure communication to Cortex XDR is always allowed, an IP or FQDN exclusion can be made for the XDR cloud. As best practice, it is recommended to create FQDN exclusions because domain names do not change as often as IP addresses do

 

 The IP address and FQDN names used by the XDR service can be found on Resources Required to Enable Access to Cortex XDR; find out more about the enforce option in the resources list at the bottom of this article.

 

 

2022-10-12_17-23-55.jpg

 

Still, if the FQDN exclusions are configured, then the process (the native operational system DNS process or custom agent specific process) that the VPN agent uses for the DNS resolution should also not be isolated by the XDR system as when the VPN agent can’t resolve a DNS/FQDN domain name then it can not be excluded and this is where ” Network isolation allow list ” comes into play. 

 

A quick note is that with DNS FQDN exclusions better to use the Palo Alto DNS Proxy feature where your clients will use the Palo Alto as local DNS resolver as it is possible that the client's DNS to resolve differently the FQDN name than the Firewall as inteligent DNS services can do this.

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-dns-proxy/dns...

 

 

 

This feature is located under the “Agent Settings Profile” and allows a process and destination IP address to not be blocked during isolation and for an IP address also a wildcard can be configured. Sometimes a process may use another process for DNS resolution, so it should be checked which is the final process that does the DNS resolution for the VPN agent.

 

 

 

Windows and Mac Response Actions      

 

If you need to isolate an endpoint but want to allow access for a specific application, add the process to the

Network Isolation Allow List . The following are considerations to the allow list:    

  • When you add a specific application to your allow list from network isolation, the Cortex  XDR agent continues to block some internal system processes. This is because some applications, for example ping.exe, can use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then add that process to the allow list.
  • (Windows) For VDI sessions, using the network isolation response action can disrupt communication with the VDI host management system thereby halting access to the VDI session. As a result, before using the response action you must add the VDI processes and corresponding IP addresses to your allow list.
  • Add an entry to the allow list
  • Specify the Process Path you want to allow and the IPv4 or IPv6 address of the endpoint. Use the * wildcard on either side to match any process or IP address. For example, specify * as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify *  as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.
  • Click the check mark when finished.
  •  

 

This is a really helpfull XDR feature as many other EDR and Endpoint Security solutions when isolating the device can't exclude the VPN agent DNS resolution and this becomes a big issue. Some EDR and Endpoint Security solutions can only exclude from isolation other applications and VPN agents that are from the same vendor and this is vendor lockdown.

 

 

Just for an info I have seen this issue with another VPN agent and their feature that is like “Enforce Global Protect for Network Access” as there is a big chance that Globalprotect may use the same DNS process as the XDR agent (XDR is not going to block their own DNS resolution) or the XDR knowing that the Globalprotect DNS resolution shouldn't be blocked but I used Globalprotect as an example as in this forum I want to talk about Palo Alto stuff 🙂

 

RESOURCES

 

Cortex XDR on LIVEcommunity

TechDocs: Enforce GlobalProtect Exclusions 

Enforce GlobalProtect Connections with FQDN Exclusions

Global Protect Enforcer Exception List

TechDocs: Add a New Agent Settings Profile   TechDocs: Cytool for Windows

How to Exclude Application and Video Traffic from the GlobalProtect VPN Tunnel*

 

*For the GlobalProtect split-tunnel, there is an exclusion that is based on process and this may at some point be added also for the Enforce option and then it will be much easier to just exclude the XDR process that connects to the XDR cloud console. I have seen the process exclusion option for "Enforce Global Protect for Network Access”  in the Globalprotect PanGPS/PanGPA agent logs, so it should be added to some point.

Rate this article:
(1)
  • 6230 Views
  • 0 comments
  • 2 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎11-22-2022 05:37 AM
Updated by: