About PeterT

PeterT · ‎10-13-2021

Been a couple years and I'd like to think we have come a long way on a better way to handle this. I'm dreading the future when we all go IPv6 if PANOS isn't updated to handle DNS wildcards in security policy / fw rules; I think we all understand the days of filtering by IP are limited with IPv6 and the every expanding CDN networks / cloud.

PeterT · ‎10-13-2021

So recently we (as in voluntold lol) decided to get rid of our dedicated Cisco L3 devices and move the L1 (VMWire) only FW's into L3 as a "cost saving measure". Won't get into how much I hate this but the decision has been made. Also this entire thing is managed via Panorama so don't need "do local FW overrides of templates". Also virtual systems not an option in many cases as the majority are low end small site models (i.e. 800's and down) hence don't need to get into "spin up a virtual system and control it that way" discussions. Anyways anybody have a config snippet they want to share for setting up the following two custom admin roles? 1) GP Admin - Needs access to the FW running GP (not all of them, just one), the ability to configure it all, maintain it, etc (via Panorama templates) but NOT anything else in Panorama or the FW. 2) Ditto but Network Engineer - I.e. needs access to the virtual routers, L2/L3 configs, interface configs, routing tables, etc but not stuff like admin database, authentication setup, security policy or objects, etc. The built-in rolls are ill equipped for this and I know how do do via effective superuser via Device Templates/Admin a per FW / virtual system level but I'm looking for more fine tuned than that i.e. "Just every function GP needs and nothing more" or "Every function a network engineer would need to treat the PA like a L3 device but nothing more"

PeterT · ‎05-24-2021

No, I end up just making a decrypt bypass rule just for it. I find google, like many other vendors (talking about you ArcGIS and many network appliances) are hard coding / cert pinning rather than using the OS certificate root store hence I ended up making all sorts of holes for this. I assume it's only going to get worse in the future given the move by major vendors and movers in the IT world to squash MITM "attacks" under the guise of privacy though in reality it has nothing to do with that.

PeterT · ‎04-29-2021

They are a community effort and I quit using Cacti sometime ago. Feel free to update them on the Cacti site and link them. Updating is pretty trivial, they are just definition files and OID's.

PeterT · ‎08-04-2020

Anybody figured out a the magic combo to get Google Earth (Pro) not to warn on startup with SSL Decrypt? Before you ask "yes" SSL decrypt is working no errors or warnings in browsers (i.e. CA's in trust store) and yes I thought about the ICA issue and imported the GTS CA 1O1 cert on the off chance that was the issue. Any other ideas outside "bypass or ignore it". Google Earth (Pro) the only Google app/suite I'm still having issues with here.

PeterT · ‎04-11-2019

So I'm reading that but not groking the flow exactly even the detailed one. Let me walk you through where my brain is going and ask you clarify: On your first rule it would seem to me that it would allow the source to access the entire web as well including non-MS updates since "web-browsing" is an implicit dependencie of ms-updates (show predefined application ms-update) though I'm not going to lie, my brain has had a hard time groking implicity-use and use applications when it comes to rule evaluation. So my source going to playboy.com would be allowed I assume because of the URL filter "any" coupled with the implicit-use web-browsing for the ms-update application-id, i.e. I feel you still need the the URL filter rule even w/ application=ms-update because of that. Lets take that a step farther, lets say rule1 = "deny application=ms-update url=windows-update" and rule2 = "allow application=ms-update url=any", in that scenario which rule triggers if I send ms-update to "ninja.com"? Does rule1 trigger because ms-update ignores URL categories regardless of implicit-use so denies it simply based applicatoin-id or does rule2 trigger because implicit-use will get it past rule1? What I'm trying to figure out (and I can't tell even from the detailed) is the interaction between URL category and application, i.e. are they treated independent of each other (i.e. can I use a URL category w/ app-id SSH for example to block a FQDN) or is URL category a subdependency ONLY of the single application web-browsing and use with any other application (even implicity-use) ignores it.

PeterT · ‎04-03-2019

Will test it out tomorrow and cool as a practical matter but any ideas or can point a doc that explains the interaction and OOP between services and url filtering or hell how URL filtering even works in details .. would help with other issues down the road I think.

PeterT · ‎04-03-2019

So let me start here fundementally all I'm trying to do is something like "Computer Y can access MS updates and nothing else" and my three pointers were: https://live.paloaltonetworks.com/t5/General-Topics/Security-Policy-with-Service-URL-category-configuration/m-p/233176#M66885 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbvCAC https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHXCA0 Also as an asside let me say 1) i really hate how often PA KB's conflict each other or do things differently, i.e. is it really that hard to deconflict (i.e. check the URI's listed; yes I understand somebody just went * for one of them) and 2) Why people never do anything in Panorama as it makes following examples / screenshots a PITA; like simpy show/list both ways. Anyways generally speaking what I want to know, and a search didn't really say anything, is exactly when does URL filtering kick in. Does it kick in after a Service="ssl" or Service="web-browsing" match? Does it kick in regadless of service context the first time it thinks it sees HTTP (or HTTPS)? Basically what is the interaction between "service" and "URL categories". For example if I say "service=web-browing deny; URL Catgory=allow list google.com" does it still let me to google? If say "service=webex allow; URL Category=webex_category deny" does it allow webex.com or not? The specific interaction between those two times when licensed for both is pretty unclear to include OOP. What if I HTTP to a non-standard port, does URL filtering still kick in if it sees HTTP on port 48123? etc. Like I get the context of URL filtering IF service=web-browing (or service=ssl) when they are complimentary but not when it's they are dependency services or the OOP interactions when they conflict. Fundementally in Panorama (to the point) I assume I'm just making a rule that says "allow service=web-browsing/ssl; block-categories all (67) allow list *.microsoft.com" which should work as long service doens't override it. Either way documentation on this could be clearer. Lastly (since I'm here) do you EVER have to update the PAN-DB URL FIltering database (Device->licenses) or is this just a one time thing when you first activate your license never to have to do it again until it expires or you wipe the box? It's the only license with an active/download status field hence I've always wondered on that given I can always 'download now' which I find odd as it suggetts it's something you may need to occasionally do but at the same time, it's not a dynamic update. I assume it just autoupdates somehow or it queries real time? LIke I've never understood on teh URL filtering side how those updates are handled.

PeterT · ‎11-21-2018

@Brandon_Wertz Actually it's the opposite, I'm trying to white list Google hence the problem. @BPry I've thought about that but never seen any good documentation on MindMeld especially for WhiteListing, not black plus last time I attempted to install it; some years ago, I think we ran into a problem where either it didnt' work with RHEL -OR- it didn't work with RHEL in FIPS mode but that was some years ago so maybe it doesn't hold true anymore. Still I'm not adverse to labbing this, you got a link to a URI with a similiar setup / walkthru?

PeterT · ‎11-19-2018

Correct; google 1e100.net as *.*.*.26 and *.*.*.27 addresses from thousands of blocks and they expand/contrast daily. Not really an issue for pre-defined google apps signatures but for raw SMTP this is an issue.

PeterT · ‎01-22-2018

Just an update for anybody who stumbles across this post like I did but since PANOS 6 Panorama will both forward Panorama events to a SIEM AND also send all the logs it receives from the various PA systems as well, i.e. act as a log aggregrator and forward. What I don't know, and I bet you can't, is ONLY send the Panorama logs and not the aggregate logs as support said " Panorama will forward whatever logs in the logdb, no matter it generated locally by Panorama itself or the log aggregated from FW, it will forwarded to the external destination." which suggests to me you can't and is a design flaw but oh well, it is what it is. For configuration see: https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-log-collection/configure-log-forwarding-from-panorama-to-external-destinations

PeterT · ‎06-19-2017

Since released back in 2012 some of these templates no longer work as Palo Alto has modified their OID's over the years. Attached is the PA-500 v1.1 template. http://forums.cacti.net/viewtopic.php?f=12&t=44560&p=267761#p267761 Would attach here but no idea how to attach a file in this forum

PeterT · ‎06-07-2017

Found it in case anybody else ever runs into this. The "Device Grouping" view also changes the left hand menu as well, I didn't realize it was contextual; only though the information displayed on the side was device grouping dependent. So in my case I needed "All" because Panorama itself isn't a device which can be grouped

PeterT · ‎05-08-2017

Panorama 8.0.2 Both work via CLI, the question then (per screenshot above) where is it via the Web UI? I'm thinking possibly bug / call support on this one now lol.

PeterT · ‎05-04-2017

@reaper That makes no sense given I'm logged on as the "superuser" on the Panorama 🙂 .. i.e. have rights to everything, I just don't have rights to the Arcsight SIEM where the remote logs are dumped 😉 . I should still be able to see the panorama local access logs though IMHO as would be a wierd situation where the panorama superuser could see the logs on the FW's (which I can) but not panorama itself

Member Since	‎06-17-2014 05:48 PM
Date Last Visited	‎05-06-2022 01:08 AM
Posts	33
Total Likes Received	4

Online Status	Offline
Date Last Visited	‎05-06-2022 01:08 AM

About PeterT

Re: Easy way to deal with Google SMTP (1e100.net)?

Custom Admin Template Examples for GP Admin and Network Engineer?

Re: Google Earth (Pro) and SSL Decrypt

Re: Cacti - Templates

Google Earth (Pro) and SSL Decrypt

Re: Cacti - Templates

Re: Handling Google Mail (1e100.net)?

Re: Where are the administrator access logs on Panorama?

Re: SSL version logging

Re: Handling Google Mail (1e100.net)?

Re: Are DMZs still necessary?

Re: Are DMZs still necessary?

Re: Configuration of Palo Alto's in a NIST SP 800-70 Environment (mostly IPv6 blocking related)

Re: Easy way to deal with Google SMTP (1e100.net)?

Custom Admin Template Examples for GP Admin and Network Engineer?

Re: Google Earth (Pro) and SSL Decrypt

Re: Cacti - Templates

Google Earth (Pro) and SSL Decrypt

Re: URL Filtering - How does it work exactly with Service interaction

Re: URL Filtering - How does it work exactly with Service interaction

URL Filtering - How does it work exactly with Service interaction

Re: Easy way to deal with Google SMTP (1e100.net)?

Re: Easy way to deal with Google SMTP (1e100.net)?

Re: Logging events from Panorama to SIEM?

Re: Cacti - Templates

Re: Where are the administrator access logs on Panorama?

Re: Where are the administrator access logs on Panorama?

Re: Where are the administrator access logs on Panorama?

Network Security

Cloud Security

Security Operations

About PeterT