About bradk14

bradk14 · ‎04-11-2017

unfortunately I have no practical experience with MS CA myself, but the Base64 option should basically equal PEM format you should get what amounts to a text file that resembles the original CSR, though it's the actual cert.

bradk14 · ‎04-11-2017

yes, your security policy is your first line of defense and will restrict traffic accordingly.

bradk14 · ‎04-10-2017

@TranceforLife_technically_ the security profiles would 'work' for an application override, but since there is no layer 7 inspection, they won't have any effect. it's like assigning security profiles to a deny policy (only it's being allowed). Just to confirm, given the fact we are using an Application override, means that technically not as secure for these ports since there is no App-ID associated with it, correct? @OMatlock I believe it's worse than that. You are assigning an app to it, so if someone were to send syslog over 7000 for example, it would become BroadVoice-SIP and be sent to the fastpath. So there's a trickle down effect in that logs would be incorrect, as an example, your security policies may not be applied appropriately depending on their order, etc. Absolutely the best course of action is always a custom app (without the override policy), but it's also the most challenging (but if it's already been done for you, then run with it). Actually the best course of action would be to submit a request to PA to create an app, but if it's inhouse or a standard app using non-standard ports, they won't be as inclined to to indulge the request.

bradk14 · ‎04-10-2017

So there's a lot going on here, so please feel free to correct me on anything I may be misunderstanding here. First and foremost, by using an application override policy, that traffic is now exempt from _both_ AppID and ContentID inspection. So yes, you lose layer 7 protection by using the application override policy. If it was strictly a custom App, it would still be subject to ContentID. (ETA: I'm struggling to find the exact phrasing as such anywhere, but I am fairly confident this is the case. The closest I could find is this: An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4, and thereby saves application processing time. from https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/app-id/manage-custom-or-unknown-applications.html ) Second, barring being more specific with source/destination, any traffic using those UDP ports will be automatically identified as the app and subsequently not inspected. So you need to be very careful about this. A custom App is the best approach. If you can correctly identify signatures in the traffic so the PA can reliably identify it as your custom app, you will have full protection.

bradk14 · ‎04-10-2017

if your source zone consists of only 10.0.0.0/8, what you could do is put a source IP of 10.100.0.0/24 and check the negate option. that way the policy will only apply to IPs sourced from that zone that are NOT in the 10.100.0.0/24 range.

bradk14 · ‎04-10-2017

for port ranges, you can combine the geq (greater than or equal to) and leq (less than or equal to) with an AND operator, e.g: (port.dst geq 53) and (port.dst leq 442) will show DNS and HTTP but not HTTPS or SSH requests for IP, I believe your only option is to use CIDR notation, but you can get as specific as you need to with the subnet mask. for example, ( addr.src in 10.0.0.0/29 ) will show IPs in the range of 10.0.0.0 - 10.0.0.7 (though .0 is the network and .7 is the broadcast in this case, so those 2 shouldn't show up in results)

bradk14 · ‎04-10-2017

I have a single UserID Agent running under Windows server accessing several domains. but unfortunately when it comes to using UserID in policy, because it does access AD via LDAP, we had to create a separate account in each domain. I could not find a way around it. if that answers your question

bradk14 · ‎04-09-2017

Is their any way we can keep the tunnel up always? this is done through tunnel monitoring. https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/vpns/set-up-tunnel-monitoring

bradk14 · ‎04-08-2017

@Matt.Blackwellthank you, you too. I actually decided to take the test this afternoon and surprised myself by passing. It's a wise move to have your own deployment to experiment on. You will basically need to know a bit of everything. It is a very tough, but fair, test.

bradk14 · ‎04-08-2017

I only meant alert would be fine in the sense that you aren't blocking anything. I think the potential for false positives is too great. But no, other than what I've suggested by using threat intel feeds and/or custom DBL/EDLs to block known bads, I don't have any ideas for you that might work. You should also probably take advantage of the built-in Botnet report https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/monitor/monitor-botnet as that will flag traffic of interest to you (users browsing to IP addresses vs fqdn), but that's after the fact, of course.

bradk14 · ‎04-07-2017

also what I should have noted before, is if you do have a proxy in front of the palo alto, unless you enable X-Forward-For support on the proxy, the Palo will see the Proxy's IP as the source for all traffic which can lead to additional confusion/headaches, especially when it comes to content-id. If you enable XFF, the PA will use the original client's IP in the logs. Just be sure to enable stripping the XFF in the content ID setup otherwise it can/will leak corporate IPs to the internet, which may or may not be a concern.

bradk14 · ‎04-07-2017

did you convert manually or via the migration utility? either way, the migration utility actually has a path to assist for migrating from port based to app based by importing logs back into it and analyzing the traffic and making suggestions that you can agree to or customize. you should also be comfortable with the idea of application shift. traffic that starts out as web-proxy more often than not changes to another app, so just something to consider depending on your approach (whitelisting and implicit deny vs blacklisting and explicit allow). I come from an ASA background and I can tell you while there are some basic similiarities, the two are worlds apart.

bradk14 · ‎04-07-2017

the question may be do you have need for the proxy? what is it doing that the palo can't do? I don't believe it makes sense to have both performing policy based on URL categorization because unless they're both using bright cloud as a source, there's a good chance they won't always agree and that may cause confusion.

bradk14 · ‎04-07-2017

is it a PA on both ends of the tunnel? or what device are they using? dunno if it's of any help, but just throwing it out there because there is the requirement of the use of proxy ids in order to establish a tunnel with a policy-based vpn device to essentially identify the interesting traffic.

bradk14 · ‎04-07-2017

I've had no personal experience (or knowledge) with Chef as of yet. But searching the Applipedia does seem to agree that there is no app for it. So barring any responses of actual value, my suggestion would be to do exactly what you are doing and let the traffic flow, then review the logs and see what AppID is actually saying. Chances are if you aren't decrypting traffic, ssl will never app shift anyway. You can then look into trying to create a custom App yourself, or at least open a case with PA and request one be added for Chef

Member Since	‎03-23-2017 07:51 AM
Date Last Visited	‎07-24-2019 01:28 AM
Posts	91
Total Likes Received	31

Online Status	Offline
Date Last Visited	‎07-24-2019 01:28 AM

About bradk14

CIS Palo Alto Recommendation Auditing

Re: WannaCry - how to protect our system with help from PANOS?

Re: Clear Config on new Palo

Re: RDP NAT connection issue?

Re: RDP NAT connection issue?

Re: 2 Factor Auth Issue

Re: User-ID mapping when host has 2 interfaces

Re: User-ID inconsistancies

Re: 2 Factor Auth Issue

Re: Message of the Day Updating?

Re: Log filter for RANGE of IP's or Ports

Re: moving away from a disconnected panorama

Re: WannaCry - how to protect our system with help from PANOS?

Re: 2 Factor Auth Issue

Re: User-ID mapping when host has 2 interfaces

Re: How to Implement Certificates Issued from Microsoft Certificate Services?

Re: Custom Application ports secure at Layer 7?

Re: Custom Application ports secure at Layer 7?

Re: Custom Application ports secure at Layer 7?

Re: Security Policy Exception

Re: Log filter for RANGE of IP's or Ports

Re: User-ID Configuration multiple different domains

Re: IPSEC VPN IKE Phase 1 Goes down after couple of hours

Re: Can I use PAN-OS 8.0.0 to Study for the PCNSE 7 exam?

Re: Blocking/Alerting on Web Sessions to IP Address Formatted URLs

Re: Proxy filtering or paloalto filtering

Re: L7 Inspection

Re: Proxy filtering or paloalto filtering

Re: Site to Site VPN Tunnel is up, but no traffic pass through

Re: Securing Access To Chef Deployment Servers

Unlock your full community experience!

About bradk14