K-12 Quickplay



 

Brief Description

The K-12 Skillet is intended to help enable a safe and secure internet experience. The solution hardens a network by building off of the IronSkillet configuration and by enabling Safe Search features across the institution without having to manually configure and audit devices.

 

Target Audience

K-12 users or other entities that want to implement Safe Search features.

 

Solution Details

Documentation: https://github.com/PaloAltoNetworks/K12Skillet/blob/master/README.md

GitHub Location: https://github.com/PaloAltoNetworks/K12Skillet

GitHub Branches: master

PAN-OS Supported: 10.0, 10.1

Type of Skillet: workflow, panos/xml, docker, python3

Collections: Education
Purpose: Enable a safe and secure internet experience for K-12 users

 

Detailed Description

The K-12 Skillet utilizes Git submodules in order to pull external skillets into this repository for its use. This K-12 solution chains together skillets from the IronSkillet Components, SLED Components, PAN-OS Upgrade/Downgrade, and PAN-OS Config Elements repositories into one chain of execution. Since the submodules specifically point to a commit in the external repository's history, the K-12 solution can stay up-to-date by simply updating the commit references.
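Because the workflow runs code pulled from external repositories at pinned commits, it is worth inventorying each submodule's source URL and pinned commit before importing. The following is an added example, not code from the K12Skillet repository: the sample `.gitmodules` reuses the paths and URLs shown in the import error quoted in the comments on this page, the commit IDs are placeholders, and `ALLOWED` is a hypothetical local policy.

```python
import re
from urllib.parse import urlparse

# Constructed sample inputs. Paths and URLs are the ones shown in the import
# error quoted in the comments on this page; the commit IDs are placeholders.
GITMODULES = '''\
[submodule "submodules/SLED-components"]
    path = submodules/SLED-components
    url = https://github.com/annabarone/SLED-components.git
[submodule "submodules/ironskillet-components"]
    path = submodules/ironskillet-components
    url = https://github.com/PaloAltoNetworks/ironskillet-components.git
[submodule "submodules/panos-config-elements"]
    path = submodules/panos-config-elements
    url = https://gitlab.com/panw-gse/tech-library/configure/panos-config-elements.git
'''
# Shape of `git ls-tree -r HEAD`: submodule pins are mode-160000 "commit" entries.
LS_TREE = (
    "100644 blob " + "a" * 40 + "\tREADME.md\n"
    "160000 commit " + "1" * 40 + "\tsubmodules/SLED-components\n"
    "160000 commit " + "2" * 40 + "\tsubmodules/ironskillet-components\n"
    "160000 commit " + "3" * 40 + "\tsubmodules/panos-config-elements\n"
)
# Hypothetical policy: (host, owner) pairs a reviewer has approved as sources.
ALLOWED = {("github.com", "paloaltonetworks")}

def parse_gitmodules(text):
    """Return {path: url} for every [submodule ...] section."""
    mods = {}
    for block in re.split(r"^\[submodule .*\]$", text, flags=re.M)[1:]:
        kv = dict(re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", block, re.M))
        if "path" in kv and "url" in kv:
            mods[kv["path"]] = kv["url"]
    return mods

def parse_pins(ls_tree):
    """Return {path: commit} for gitlink entries; regular files are ignored."""
    pat = r"^160000 commit ([0-9a-f]{40})\t(.+)$"
    return {m.group(2): m.group(1) for m in re.finditer(pat, ls_tree, re.M)}

def audit(gitmodules, ls_tree, allowed):
    """List each submodule with its URL, pinned commit and approval status."""
    pins, report = parse_pins(ls_tree), []
    for path, url in sorted(parse_gitmodules(gitmodules).items()):
        u = urlparse(url)
        owner = u.path.strip("/").split("/")[0].lower()
        ok = u.scheme == "https" and (u.hostname, owner) in allowed
        report.append({"path": path, "url": url, "pin": pins.get(path), "approved": ok})
    return report
```

An entry with `approved` false or `pin` of `None` is one to review by hand before the workflow is allowed to run it; against a real checkout, feed in the contents of `.gitmodules` and the output of `git ls-tree -r HEAD`.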

 

This Quickplay solution is meant to be run as a workflow skillet, which groups together multiple skillets. The four sub-skillets that run are as follows: 

  1. Load an empty NGFW baseline configuration 
  2. Perform a content update 
  3. Configure for IronSkillet 
  4. Configure for K-12

 

Baseline Skillet

The baseline python3 skillet (from the PAN-OS Config Elements repo) loads an empty, 'out-of-the-box' baseline configuration to the firewall while saving existing admin credentials and management interface configurations.  

 

Content Update Skillet

The content update docker skillet (from the PAN-OS Upgrade/Downgrade repo) runs an Ansible playbook that downloads and installs the latest content/threat and anti-virus updates to ensure the firewall is fully armed with the latest signatures.

 

IronSkillet Configuration

The IronSkillet panos playlist skillet, which includes snippets from the IronSkillet Components repo, configures an initial baseline for the firewall, including device hardening and security profiles to be used by use-case specific configuration and security policies. For more information about IronSkillet, see the documentation.

 

NOTE: You must have IronSkillet configured on your NGFW before loading the K-12 solution since many K-12 configuration elements depend on IronSkillet elements.

 

K-12 Configuration

The K-12 panos skillet configures the following elements: 

  • Dynamic configuration based on the desired Safe Search deployment:
    • Transparent - SSL inspection with NGFW enforced Safe Search
    • DNS-Proxy - NGFW responds to Google and Bing search engine requests with Safe Search only server IPs
    • Local DNS CNAME - Limits outbound DNS requests to sanctioned internal DNS servers with Google and Bing Safe Search configurations
  • Optional country block: Only allows IPs from US, Mexico, Canada, and cloud providers (based on EDL)
  • K-12 Reports
  • Targeted decryption policies to help enable SSL Decryption adoption and limit risk
  • Chromebook and SAML no-decrypt decryption policies

Additional Safe Search information can be found at: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/safe-search-enforcement.html

 

Prerequisites

The following should be completed before running the K-12 Solution Workflow:

  • Deploy a PAN-OS 10.X NGFW
  • License NGFW with the Threat, URL, and WildFire subscriptions
  • Install PanHandler (Version 4.5+) or other skillet-supported applications, such as SLI

 

How to Use

The K-12 Skillet is intended to be used with PanHandler. It is assumed that you have PanHandler Version 4.5+ already installed. Follow these instructions for running the K-12 Solution:
  1. Import this repository into PanHandler
  2. In your K-12 Repository Details page, click on the K-12 Educational Deployment Full Workflow workflow skillet
  3. Input your NGFW IP, admin credentials, and PAN-OS software version
  4. Input the sub-skillets you need configured; more information about the workflow menu options is below
  5. Click Submit to start the workflow execution. You will need to input additional information for the IronSkillet and K-12 Configuration Skillets.
Comments
L0 Member

Hi,

 

I've tried importing this skillet to PAN Handler and get the below error. Other skillets import successfully. Do you have any ideas on what the issue may be? 

 

Could not Import Repository: Cmd('git') failed due to: exit code(1)
cmdline: git submodule update --init
stderr: 'Submodule 'submodules/SLED-components' (https://github.com/annabarone/SLED-components.git) registered for path 'submodules/SLED-components'
Submodule 'submodules/ironskillet-components' (https://github.com/PaloAltoNetworks/ironskillet-components.git) registered for path 'submodules/ironskillet-components'
Submodule 'submodules/panos-ansible-upgrade-downgrade' (https://gitlab.com/panw-gse/tech-library/deploy/panos-ansible-upgrade-downgrade.git) registered for path 'submodules/panos-ansible-upgrade-downgrade'
Submodule 'submodules/panos-config-elements' (https://gitlab.com/panw-gse/tech-library/configure/panos-config-elements.git) registered for path 'submodules/panos-config-elements'
Cloning into '/home/cnc_user/.pan_cnc/panhandler/repositories/K12 Skillet/submodules/SLED-components'...
Cloning into '/home/cnc_user/.pan_cnc/panhandler/repositories/K12 Skillet/submodules/panos-ansible-upgrade-downgrade'...
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://gitlab.com/panw-gse/tech-library/deploy/panos-ansible-upgrade-downgrade.git/'
fatal: clone of 'https://gitlab.com/panw-gse/tech-library/deploy/panos-ansible-upgrade-downgrade.git' into submodule path '/home/cnc_user/.pan_cnc/panhandler/repositories/K12 Skillet/submodules/panos-ansible-upgrade-downgrade' failed
Failed to clone 'submodules/panos-ansible-upgrade-downgrade'. Retry scheduled
Cloning into '/home/cnc_user/.pan_cnc/panhandler/repositories/K12 Skillet/submodules/ironskillet-components'...
Cloning into '/home/cnc_user/.pan_cnc/panhandler/repositories/K12 Skillet/submodules/panos-config-elements'...
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://gitlab.com/panw-gse/tech-library/configure/panos-config-elements.git/'
fatal: clone of 'https://gitlab.com/panw-gse/tech-library/configure/panos-config-elements.git' into submodule path '/home/cnc_user/.pan_cnc/panhandler/repositories/K12 Skillet/submodules/panos-config-elements' failed
Failed to clone 'submodules/panos-config-elements'. Retry scheduled
Cloning into '/home/cnc_user/.pan_cnc/panhandler/repositories/K12 Skillet/submodules/panos-ansible-upgrade-downgrade'...
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://gitlab.com/panw-gse/tech-library/deploy/panos-ansible-upgrade-downgrade.git/'
fatal: clone of 'https://gitlab.com/panw-gse/tech-library/deploy/panos-ansible-upgrade-downgrade.git' into submodule path '/home/cnc_user/.pan_cnc/panhandler/repositories/K12 Skillet/submodules/panos-ansible-upgrade-downgrade' failed
Failed to clone 'submodules/panos-ansible-upgrade-downgrade' a second time, aborting
Cloning into '/home/cnc_user/.pan_cnc/panhandler/repositories/K12 Skillet/submodules/panos-config-elements'...
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://gitlab.com/panw-gse/tech-library/configure/panos-config-elements.git/'
fatal: clone of 'https://gitlab.com/panw-gse/tech-library/configure/panos-config-elements.git' into submodule path '/home/cnc_user/.pan_cnc/panhandler/repositories/K12 Skillet/submodules/panos-config-elements' failed
Failed to clone 'submodules/panos-config-elements' a second time, aborting'

L1 Bithead

@cwscotty 

 

Thank you for bringing this to our attention. The errors you experienced were due to our team's movement of all public content from GitLab to GitHub. We've updated the skillet to reflect this and it is ready to import now. You may need to remove the repository from your PanHandler first before you can successfully import the updated repository. 

Last Updated:
‎06-21-2021 03:18 PM