About scotchoaf

Brief Description A suite of deployment, configuration, and service information skillets for Prisma Access mobile users including:   Panorama instantiation in Azure or AWS Panorama licensing, content updates, software updates, and basic configuration Prisma Access service setup, mobile user, and remote network configuration/onboarding Prisma Access API queries to view service information   Target Audience This skillet is intended for Palo Alto Networks SEs, PSEs, Partners, and Customers that are using Prisma Access and looking for simplified Panorama deployment and configuration.   Skillet Details Documentation:  https://github.com/PaloAltoNetworks/prisma-access-skillets/blob/master/README.md Github Location:  https://github.com/PaloAltoNetworks/prisma-access-skillets.git Github Branches:   master Panorama Versions Supported:   9.0.x running cloud services plugin version 1.5 (9.1 not currently supported) Type of Skillet:   panorama, python, terraform, docker Collections: Prisma Access Deploy Panorama Prisma Access Configure Service Setup Prisma Access Configure Mobile Users Prisma Access Configure Remote Networks Prisma Access Assess Tools   Full Description The description below gives an overview of the skillet elements. For detailed information regarding prerequisites and skillet usage please review the Prisma Access Skillet documentation.   Playing the skillets currently requires panHandler.   Deploy The first step in the skillet will access the user's Azure or AWS account and deploy a virtual instance of Panorama using Terraform templates. This is a simplified alternative to using the Azure Resource Manager UI or AWS UI for Panorama deployment.   After Panorama is online and the IP address is accessible, the Step 2 skillet will: apply the serial number and license Panorama perform a software update install content updates install the Prisma Access cloud services plugin   For users that are not using the Step 1 deploy skillets and deploy their own Panorama, the Step 3 skillet can also be used to help automate the steps listed above to ensure Panorama deployment is complete.   The last deploy piece is to use the Customer Support Portal to generate a One Time Password that is used in Panorama to verify the cloud service.   Configure   Service Setup Collection Initial configuration of the infrastructure subnet and BGP AS   Mobile User Collection   After verification is complete, Panorama is ready for configuration. For mobile users, this requires the initial service setup and the mobile user configuration.   There are 2 configuration options depending on access to the Panorama API: API and non-API.   API Option This series of skillets leverage the Panorama API generate a configuration file, import to Panorama, and use 'load config partial' commands to merge the configuration elements into the candidate configuration.   Non-API Option For remote support or users without access to the Panorama API, this option will generate a full configuration file that can be manually imported to Panorama. Once imported the documentation includes a small set of load config partial commands that can be pasted into the CLI to do the configuration.   Remote Network Collection Initial Remote Network setup and onboarding configuration using the Panorama API. Includes IKE/IPSEC Crypto profiles, IKE gateway, IPSEC tunnel, and plug-in onboarding configuration.   Assess The assess skillet provides a simple interface to query Prisma Access and obtain service information. Details for the REST queries can be found in the Admin Guide     ... View more

Brief Description A set of GlobalProtect API and set command configuration skillets based on the Quick Config Guides   Target Audience This skillet is intended for Palo Alto Networks SEs, PSEs, Partners, and Customers that are using GlobalProtect and need a quick start configuration helper   Skillet Details Documentation: https://github.com/PaloAltoNetworks/GPSkillets/blob/panos_v90/README.md Github Location:  https://github.com/PaloAltoNetworks/GPSkillets.git Github Branches: panos_v90 PAN-OS Versions Supported: 9.x Type of Skillet: panos, template (set commands) Collections: globalprotect   Full Description This skillet set is based on the GlobalProtect Quick Config guides and covers two common configuration options:   Remote Access VPN Remote Access VPN with Pre-Logon   Remote Access VPN Configures GlobalProtect elements including the gateway and portal. Also included is a reference LDAP auth profile and a local DB reference user.   Remote Access VPN with Pre-Logon Adds pre-logon to the remote access VPN. Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint (not the user) and enable domain scripts or other tasks to run as soon as the endpoint powers on. Machine certificates enable the endpoint to establish a VPN tunnel to the GlobalProtect gateway. A common practice for IT administrators is to install the machine certificate while staging the endpoint for the user.   Deployment Note These configs create security rules that do not contain any sort of security profile or logging configuration. Please utilize the best practice security profiles from the iron-skillet repository on the rules that get created and read the Best Practices documentation before deploying.       ... View more

Brief Description HTTP response status codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes: informational responses, successful responses, redirects, client errors, and server errors. Monitoring HTTP status codes assist customers in locking down HTTP responses to prevent fingerprinting and helping create more effective App-ID signatures. These configured Threat Prevention custom signatures will log HTTP response status codes.   Target Audience This skillet is intended for Palo Alto Networks SEs, PSEs, Partners, and Customers   Skillet Details Documentation: https://github.com/ceskillets/SecOps-HTTP-Response-Codes/blob/master/README.md Github Location: https://github.com/ceskillets/SecOps-HTTP-Response-Codes.git Github Branches: master PAN-OS Supported: 7.x, 8.x, 9.x Type of Skillet: panos/xml Collections: Configuration   Full Description This HTTP Status code Skillet will create custom threat prevention signatures that will log all HTTP status codes in PAN-OS logs. It is designed to help customers determine misconfigurations and help with more focused Application ID (App-ID) signatures.   As you interact with a website, you make the request and the server responds. Status codes let us know whether the request was a success, a failure, or something in-between. Upon creating the custom threat prevention signatures, you can immediately start to utilize them for a few use cases:   Build more granular security rules based on the response codes Mine HTTP 200 to better understand how the application works to build better App-IDs and/or rules. HTTP 4XX client errors can indicate an application issue like a broken link or potential scanning activity. HTTP 5XX client made a valid request but the server didn’t complete it – server problem.   Consider resetting these responses so an attacker does not get positive feedback that the application was impacted. Also, match the URL for the session and provide that to the app team to harden the code. If you have not fully adopted App-ID, then there is most likely a “catch-all” rule that exists that will be similar to this one.   In PAN-OS 8.1, rule count and first/last seen features were introduced. Correlating this data with the HTTP status codes, you can create more granular rules for your applications and not only see if those rules are being hit, but you can also filter on that rule in the traffic logs as well. As you keep building more App-ID centric rule in your security policy, see a decline in hit count for your “catch-all” rule and eventually be able to disable it with confidence. Disabling the catch-all rule prevents scanning tools such as Shodan and port scanners from footprinting your web application. This means that an attacker must actually know the proper URL for your hosted application to access it – a bar that any valid user will automatically pass.   ... View more

Brief Description Pre-provisioned NGFW DNS proxy configuration   Target Audience SE, Partner, Customer   Skillet Details Authoring Group: Datacenter-cloud and virtualization CE Documentation: https://github.com/ceskillets/DCV-DNS-Proxy/blob/master/README.md Github Location: https://github.com/ceskillets/DCV-DNS-Proxy.git Github Branches: master PAN-OS Supported: v9.0 or greater Cloud Provider(s) Supported: Enterprise/Private cloud: ESXi, KVM, ACI, Nutanix, OCI, BMaaS, etc. Type of Skillet: xml Collections: NGFW setup Purpose: Configuration     Detail Description Configures the basic settings for a DNS Proxy object (optional) Specifies DNS proxy rules (optional) Supply the DNS Proxy with static FQDN-to-address entries. Static DNS entries allow the firewall to resolve the FQDN to an ip address without sending a query to the DNS server Commit and backup configuration file ... View more

As we grow this new community we are always curious what configurations, big or small, would be useful to users.  this could be configurations, validations, operations, or any type of automated scenario   what would you like to see? ... View more

Brief Description This skillet will automatically configure panorama and plugin for a state-of-the-art integration into an ACI Multi Pod environment with PBR for traffic redirection as a “one click ready” POC. That skillet will also configure your cluster of VM-Series in A/A (One device per Pod), managed by panorama to be ready to receive traffic from that fabric through the PBR interface.   Target Audience This skillet is designed to be used by SEs and Partners.   Skillet Details Authoring Group : Private Cloud Documentation : Readme file on github repository does explain things Github Location: https://github.com/ceskillets/DCV-skillet-ACI-MultiPod.git Github Branches:  master PAN-OS Supported : 8.1.X and higher releases with NSX plugin version 2.0.X Cloud Provider(s) Supported : VMWARE ESXi and ACI 3.2 and higher Type of Skillet : Multiple XML files to configure panorama and an A/A VM cluster entirely Purpose : Config ready for POCs   Detail Description Automated configuration of a cluster of A/A VM-Series managed by Panorama Multi Pods PBR insertion   Pre-Requisites Panorama 8.1.X and 2 VM-Series 8.1.X connected to Panorama but not attached to any template nor device group yet. Each of your VM-Series must have a minimum of 3 vNics for that setup and vNic must be defined as describe below : - eth0 (vNic1) connected to the management network - eth1 (vNic2) connected to a dedicated port group of your DVS and it will be used for HA2 - eth2 (vNic3) connected to a dedicated port group of your DVS and it will be used for HA3 - eth3 (vNic4) connected to a dedicated port group of your DVS and it will be used for PBR connection to the fabric A PBR policy MUST be configured in parallel in the Fabric for your pod with filters on a Service Graph and that Service Graph must be applied to a contract to start redirecting some traffic to our VM Series located on each Pods. You must have a Multi Pods (2 pods) with "Enable Pod Aware redirection" option checked and a functional IP SLA option (icmp) for the heath check in your L4-L7 Policy-Based Redirect configuration for the setup to work as expected   Automation on Panorama create a Template Stack and a Template dedicated for each of your 2 VM-Series all Network and Device policies configured with webpage variables. create a Device Group dedicated for that specific cluster of VM-Series configured for a Multi Pods PBR insertion. move and attach your 2 VM-Series to these respective Template Stack and Device Group and trigger a commit to have a fully functional setup. configure ACI plugin to connect into APIC controller in order to collect metadata to be able to create DAGs in your firewall policy.   Variables STACK_DEVICE_A (Template Stack name Device A) STACK_DEVICE_B (Template Stack name Device B) DEVICEGROUP (Device Group name for your VM Series for ACI) HA2_DEVICE_A (Device A IP address for HA2) HA2_DEVICE_B (Device B IP address for HA2) MGT_DEVICE_A (MGT IP address of Device A) MGT_DEVICE_B (MGT IP address of Device B) DNS (DNS Server IP address) NTP (NTP Server IP address) SN_DEVICE_A (Serial Number of Device A) SN_DEVICE_B (Serial Number of Device B) ZONE (Zone creation for PBR interconnection) TARGET_IP_PBR_POD_A (Target IP of the fabric for PBR in POD A without Netmask) TARGET_IP_PBR_POD_B (Target IP of the fabric for PBR in POD B without Netmask) LOCAL_IP_PBR_POD_A (Local IP of your VM interface connected to the the fabric for PBR in POD A with Netmask) LOCAL_IP_PBR_POD_B (Local IP of your VM interface connected to the the fabric for PBR in POD A with Netmask) APIC_IP (IP address of APIC controller) APIC_LOGIN (Login of APIC controller) APIC_PASSWORD (Password of APIC controller) HYPERVISOR_MAC (Hypervisor Assigned MAC option for VM Series) TAGCOLOR (Color of the TAG for your Zone) Caution That skillet will not configure ACI Fabric to redirect traffic. That step must be done in parallel. Promiscuous mode is not mandatory on vNIC4 port group to have a functional cluster A/A if you select hypervisor assigned MAC option That skillet should work with physical devices instead of VM-Series but it has not been tested. Panorama must be able to reach APIC controller without any proxy to retrieve metadata. DAGs must be created manually after you apply the skillet. ... View more

Brief Description This skillet will automatically configure panorama and plugin for a state-of-the-art integration into an ACI Single Pod environment with PBR for traffic redirection as a “one click ready” POC. That skillet will also configure your cluster of VM-Series in A/P in the Pod, managed by panorama to be ready to receive traffic from that fabric through the PBR interface.   Target Audience This skillet is designed to be used by SEs and Partners.   Skillet Details Authoring Group : Private Cloud CE Documentation : Readme file on github repository does explain things Github Location:    https://github.com/ceskillets/DCV-skillet-ACI-SinglePod.git Github Branches:  master PAN-OS Supported : 8.1.X and higher releases with NSX plugin version 2.0.X Cloud Provider(s) Supported : VMWARE ESXi Type of Skillet : Multiple XML files to configure panorama and an A/P VM cluster entirely Purpose : Config ready for POCs     Detail Description Automated configuration of a cluster of A/P VM-Series managed by Panorama Single Pod PBR insertion   Pre-Requisite Panorama 8.1.X and 2 VM-Series 8.1.X connected to Panorama but not attached to any template nor device group yet. Each of your VM-Series must have a minimum of 3 vNics for that setup and vNic must be defined as describe below: - eth0 (vNic1) connected to the management network - eth1 (vNic2) connected to a dedicated port group of your DVS and it will be used for HA2 - eth2 (vNic3) connected to a dedicated port group of your DVS and it will be used for HA3 - eth3 (vNic4) connected to a dedicated port group of your DVS and it will be used for PBR connection to the fabric A PBR policy MUST be configured in parallel in the Fabric for your pod with filters on a Service Graph and that Service Graph must be applied to a contract to start redirecting some traffic to our VM-Series located on each Pods. You must have a Multi Pods (2 pods) with "Enable Pod Aware redirection" option checked and a functional IP SLA option (icmp) for the heath check in your L4-L7 Policy-Based Redirect configuration for the setup to work as expected   Automation on Panorama  create a Template Stack and a Template dedicated for each of your 2 VM-Series all Network and Device policies configured with webpage variables. create a Device Group dedicated for that specific cluster of VM-Series configured for a Multi Pods PBR insertion. move and attach your 2 VM-Series to these respective Template Stack and Device Group and trigger a commit to have a fully functional setup. configure ACI plugin to connect into APIC controller in order to collect metadata to be able to create DAGs in your firewall policy.   Variables STACK_DEVICE_A (Template Stack name Device A) STACK_DEVICE_B (Template Stack name Device B) DEVICEGROUP (Device Group name for your VM-Series for ACI) HA2_DEVICE_A (Device A IP address for HA2) HA2_DEVICE_B (Device B IP address for HA2) MGT_DEVICE_A (MGT IP address of Device A) MGT_DEVICE_B (MGT IP address of Device B) DNS (DNS Server IP address) NTP (NTP Server IP address) SN_DEVICE_A (Serial Number of Device A) SN_DEVICE_B (Serial Number of Device B) ZONE (Zone creation for PBR interconnection) TARGET_IP_PBR_POD_A (Target IP of the fabric for PBR in POD A without Netmask) TARGET_IP_PBR_POD_B (Target IP of the fabric for PBR in POD B without Netmask) LOCAL_IP_PBR_POD_A (Local IP of your VM interface connected to the the fabric for PBR in POD A with Netmask) LOCAL_IP_PBR_POD_B (Local IP of your VM interface connected to the the fabric for PBR in POD A with Netmask) APIC_IP (IP address of APIC controller) APIC_LOGIN (Login of APIC controller) APIC_PASSWORD (Password of APIC controller) HYPERVISOR_MAC (Hypervisor Assigned MAC option for VM-Series) TAGCOLOR (Color of the TAG for your Zone)   Caution That skillet will not configure ACI Fabric to redirect traffic. That step must be done in parallel. Promiscuous mode is not mandatory on vNIC4 port group to have a functional cluster A/A if you select hypervisor assigned MAC option That skillet should work with physical devices instead of VM-Series but it has not been tested. Panorama must be able to reach APIC controller without any proxy to retrieve metadata. DAGs must be created manually after you apply the skillet. ... View more

Brief Description 1. GcpHttpLbAppID skillet to create the Palo Alto Networks App-ID for the Azure Application Gateway Health Probe. 2. move_rule_rest skillet to move the rule to its proper location above the actual application rule and commit.   Target Audience The skillet is intended for anyone deploying a VM-Series firewall behind the GCP HTTP(s) Load Balancer.   Skillet Details Authoring Group : Public Cloud CE Documentation :  https://github.com/ceskillets/Cloud-GCP-HTTPS-Load-Balancer-App-ID Github Location :  https://github.com/ceskillets/Cloud-GCP-HTTPS-Load-Balancer-App-ID Github Branches:  master PAN-OS Supported : v8.1 and v9.0 Cloud Provider(s) Supported : GCP Type of Skillet : XML and REST Purpose : Config   Detail Description The GCP Application Load Balancer HTTP(s) Load Balancer sends an extensive amount of traffic to the firewall that can be hard to differentiate from the valid application traffic. By implementing a specific App-ID, the probe traffic can be filtered specifically to focus on either the probe traffic when troubleshooting configuration or excluded when reviewing valid application traffic. This skillet will configure the following firewall items:   App-ID specific to the GCP HTTP(s) Load Balancer Objects taken as input for the subnets containing the HTTP(s) Load Balancer Allow rule for traffic from the HTTP(s) Load Balancer subnet specifically utilizing the App-ID 'move rule' skillet to move the rule to its proper location and perform a final commit   Variables for AppID Skillet name: appid_name description: appid name (32 total char limit) default: appidname type_hint: text name: appid_description description: appid_description default: appid_description type_hint: text name: rule_name description: security_rule_name default: security_rule_name type_hint: text name: rule_description description: security_rule_description default: security_rule_description type_hint: text   Variables for the Move Rule Skillet name: TARGET_IP description: Host default: 127.0.0.1 type_hint: ip_address name: TARGET_USERNAME description: Username default: admin type_hint: text name: TARGET_PASSWORD description: Password default: admin type_hint: password name: rule_name description: name of security rule to move default: rule1 type_hint: text name: ref_rule description: rule to move before or after default: rule2 type_hint: text name: where description: move before or after other rule default: top ... View more

Brief Description This skillet will automatically configure Panorama and plugin for a state-of-the-art integration into NSX-V for a “one click ready” POC with single and multiple tenant support.   Target Audience This skillet is designed to be used by SEs and Partners.   Skillet Details Authoring Group : Private Cloud CE Documentation : https://github.com/ceskillets/DCV-skillet-nsx/blob/master/README.md Github Location: https://github.com/ceskillets/DCV-skillet-nsx.git Github Branches:  master PAN-OS Supported : 8.1.X and higher releases with NSX plugin version 2.0.X Cloud Provider(s) Supported : VMWARE NSX Type of Skillet : Multiple XML files to configure panorama and the plugin entirely Purpose : Config ready for POCs Detail Description This skillet will automate these tasks for you on Panorama :   create a Template Stack and a Template dedicated for NSX-V with DNS and NTP server configured with webpage variables. create a Device Group dedicated for NSX-V with the authcode configured with webpage variables. create a Service Definition and a Service Manager profile with a single Service Profile "Tenant" attached to the service Definition. create an empty DAG with a TAG attached to it that will be pushed into NSX-Manager for demo as a Security Group. create 2 intrazone pre-rulebase firewall security rules for your tenant with Security Profiles, Log Forwarding Profile and a dedicated TAG for that tenant to filter both incoming and outgoing traffic of that Security Group members. automatically generate the NSX Manager Steering Rule Policies on Panorama that fits the previous pre-rulebase. create an HTTP log forwarding profile on Panorama to provide "automated quarantine" on NSX Manager in case of a virus detection in one of our VM-Series agent firewall.   Notice that if you want a second ("Tenant"), you just need to launch the Skillet a second time and just modify the "Tenant" name variable at the end of the webpage with your second "Tenant" name   How to execute it: Just launch the skillet with Panorama as a target destination. Your Panorama must be able to reach out NSX Manager without proxy to successfully configure and register the service definition and service profile(s).   Variables STACK (Template Stack name for NSX) DEVICEGROUP (Device Group name for NSX) AUTHCODE (AuthCode VM series for NSX) URLOVA (URL where ovf/ova package is hosted) NSXLOGIN (NSX Manager login) NSXMANAGER (NSX Manager IP Address) NSXPASSWORD (NSX Manager password) DNS (DNS Server IP address) NTP (NTP Server IP address) TENANT (Tenant name for Zone creation) TAGCOLOR (Color of the TAG for your Tenant)   Caution This skillet will not deploy our VM agents on NSX manager nor configure it for deployment, it's Panorama configuration only. This skillet will create only one single Security Group into NSX Manager linked to one single DAG in Panorama. Additional DAGs/Security Groups must be added manually after you apply the skillet if you need more on your setup. Generation of the certificate, signature of that certificate, extraction and installation of that certificate into NSX Manager is not part of that skillet. That step need to be manually done after you launch the skillet to have that automated quarantine feature fully functional. ... View more

Brief Description Set of simple skillets that can be used to perform simple tasks or as a starting point to learn about skillets. Includes changing the NGFW hostname, instantiate an Ubuntu server, or VM-Series in AWS. Other example skillets include: Python based skillets, workflows, REST API skillets, and more. More examples are being added all the time, so check back often.   Target Audience User wanting to get the 'Hello World' experience from skillets   Skillet Details Documentation: https://github.com/PaloAltoNetworks/Skillets/blob/master/README.md Github Location: https://github.com/PaloAltoNetworks/Skillets.git Github Branches: master PAN-OS Supported: 8.1, 9.0, 9.1 Cloud Platform Supported: AWS Type of Skillet: panos, python3, rest, terraform, and workflow Purpose: library of hello world simple skillets   Detail Description   Hello World for PAN-OS Simple starter and test skillet that takes the user input of a hostname and updates the NGFW hostname   Single Ubuntu Instance Use Terraform to instantiate an Ubuntu server in AWS   VM-Series Instantiation in AWS Use Terraform to instantiate a VM-Series NGFW in AWS   Prerequisites The AWS Terraform skillet requires the user input of an access key, secret key, and region VM bootstrapping requires the user has acknowledged all license agreements in the AWS portal ... View more

Brief Description This skillet will configure a BGP peer. It needs to be combined with a redistribution profile in order to advertise routes to the peer. This configuration assumes all of the default timers and values for BGP.   Target Audience This skillet is designed for use by SEs, partners, customers, CEs and anyone who wants to quickly configure the settings for a BGP peer.   Skillet Details Authoring Group : DataCenter CE Group. Documentation :  https://github.com/ceskillets/DCV-BGP-Peer-Configuration/blob/master/README.md Github Location :  https://github.com/ceskillets/DCV-BGP-Peer-Configuration Github Branches:  master PAN-OS Supported : This skillet supports PAN-OS 7.1 – PANOS 9.0. Cloud Provider(s) Supported : Any and all providers are supported by this skillet. Type of Skillet : This skillet is based on xml configuration. Purpose : This skillet will configure a BGP Peer and Peer Group. Once deployed, bgp will be enabled and configured by the variables required. Once deployed, the peering should be established. To enable route-sharing between the bgp peers, a redistribution profile must either be manually configured or deployed with a redistribution profile skillet.   Detail Description This skillet will configure a BGP peer. It needs to be combined with a redistribution profile in order to advertise routes to the peer. This configuration assumes all of the default timers and values for BGP.   To use, fill out the requested variable values. Once the configuration has been completed, combine this skillet with one that configures the redistribution profile, or configure the profile manually on the firewall. The requested variables are:   • local_address • local_as • local_interface • peer_as • peer_group_name • peer_ip • peer_name • peer_as • router_id • virtual_router_name ... View more

Brief Description The K-12 Skillet is intended to help enable a safe and secure internet experience. The features and options are meant to help easily enable Safe Search features across the institution without having to manually configure and audit devices.   Target Audience K-12 users or other entities that want to implement Safe Search features   Skillet Details Documentation: https://github.com/PaloAltoNetworks/K12Skillet/blob/master/README.md Github Location: https://github.com/PaloAltoNetworks/K12Skillet Github Branches: master PAN-OS Supported: 9.0, 9.1 Type of Skillet: panos/xml, python Collections: Education Purpose: enable a safe and security internet experience for K12 users   Features Included Builds on the IronSkillet configurations Dynamic configuration based on the desired Safe Search deployment: Transparent - SSL inspection with NGFW enforced Safe Search DNS-Proxy - NGFW responds to Google and Bing search engine requests with Safe Search only server IPs Local DNS CNAME - Limits outbound DNS requests to sanctioned internal DNS servers with Google and Bing Safe Search configurations Additional Safe Search information can be found at: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/safe-search-enforcement.html   Optional country block: Only allows IPs from US, Mexico, Canada, and cloud providers (based on EDL) K-12 Reports   Targeted decryption policies to help enable SSL Decryption adoption and limit risk   Requirements PAN-OS 9.X Threat, URL, and WildFire subscriptions Panhandler or other skillet-supported applications How to use The K-12 Skillet is intended to be used with Panhandler. Both configuration options can be found under the Education Skillet Collection once they are imported into Panhandler.   Panhandler Skillet Collections - Education Collection   There are two different methods of deploying the configuration:   1) Full Workbook deployment - Single workflow that launches all three Skillet components   2) 3-Step deployment - Manually run through Step 1, Step 2, and Step 3 Complete k12 Workflow 3-step deployment   ... View more

Brief Description HomeSkillet is a starter internet gateway configuration that builds on a modified version of IronSkillet for use in home networks. It includes interface, zone, NAT, and security policy configuration.     Target Audience Users who want to fast track a basic NGFW Internet gateway setup and configuration in L3 or vwire mode.   Skillet Details Documentation:   https://homeskillet.readthedocs.io/en/panos_v9.0/ Github Location:   https://github.com/PaloAltoNetworks/HomeSkillet.git Github Branches:   panos_v9.0 PAN-OS Supported:   9.0, 9.1 Type of Skillet:   Suite of workflow, panos, rest, validation, template, python Collections: HomeSkillet Purpose:   setup or demo skillet workflow to configure the NGFW   Detailed Description Running the HomeSkillet skillet leads into a section menu including:   workflow elements to perform such as clean config, content updates, configuration stages, validations network topology selection: L3 or vwire additional add-ons such as DHCP UserID   Workflow Elements workflow skillet with selection menu of tasks to perform; starting point for the skillet python skillet that imports, loads, and commits a clean config; will replace an existing configuration python skillet to download and install the latest threat/app and AV content updates pre-load validation to show the stage 1 configuration is missing (should see all FAIL outputs) IronSkillet-based Day 1 Configuration; user should opt to commit for online validation post-load validation to show that stage 1 has been configured (should see all PASS outputs) topology configuration L3 or vwire options and associated elements security policy configuration using IronSkillet security profiles optional userID configuration based on DHCP log events   Also embedded in the workflow are 'get list' skillets to pull interface and zone information from the firewall to use as dropdown lists for interface and zone selection.   Topology Selection HomeSkillet currently supports both L3 routing and virtual wire (vwire) options.   L3 Routing 2x interfaces and 2x zones, one each internal and internet. virtual routing configuration NAT DHCP local server   Virtual Wire 2x interfaces and 2x zones, one each internal and internet. virtual wire between the 2 interfaces Optional Add-Ons DHCP UserID [L3 mode only] Sends local DHCP log events to the management interface and uses DHCP host information to create a User-ID entry. Does not support static IP addressed hosts.   Prerequisites The following should be completed before running HomeSkillet:   ensure IronSkillet with the corresponding release branch is imported and checked out firewall licenses activated including all threat, URL, and Wildfire subscriptions updated with the latest or recommended software release if using Panhandler: updated to 3.0 latest release DHCP-based public ethernet interface for L3 mode Additional details specific to each loading stage, variables, and release updates are found at https://homeskillet.readthedocs.io/en/panos_v9.0/ ... View more

Brief Description IronSkillet is a day one deployment-agnostic NGFW and Panorama configuration. It is used as an initial baseline including device hardening and security profiles to be used by use-case specific configuration and security policies.   Target Audience Users who want to an immediate day one configuration to build from without extensive research and GUI clicks.   Skillet Details Documentation: https://iron-skillet.readthedocs.io/en/docs_master/ Github Location: https://github.com/PaloAltoNetworks/iron-skillet.git Github Branches: panos_v9.1, panos_v9.0, panos_v8.1, panos_v8.0 (EOE) PAN-OS Supported: 8.1, 9.0, 9.1 for the NGFW and Panorama Type of Skillet: panos (xml/set) and panorama (xml/set) Collections: IronSkillet, Config, ValidationsPurpose: starting point for new NGFW or Panorama deployment   Detailed Description IronSkillet includes a broad set of configuration elements that land in various areas of the configuration as show in the menu items below.   IronSkillet Menu For a detailed walkthrough of the GUI elements used in IronSkillet, use the visual guide: https://iron-skillet.readthedocs.io/en/docs_master/viz_guide_panos.html   Skillet focus can broken into a few core areas: Device management hardening: general operations of the NGFW Security traffic hardening: control of traffic flows that impacts device monitoring Logging and alerts: data collection and external notifications Security objects and policies: policy-related config settings and dynamic updates Decryption objects and policies: certification checks and sample no-decrypt policy   The repo contains the following skillets and other configuration elements:   NGFW and Panorama full configuration file as a template and folder with default-based loadable configs NGFW and Panorama xml snippets NGFW and Panorama set command skillets including a spreadsheet version that is tool agnostic NGFW validation skillet mapped to the Visual Guide to compare current configurations to IronSkillet recommendations NGFW validation skillet showing new items added between 8.1 and 9.x to look for gaps during sw upgrades   Detailed information specific to using each skillet type is included in the readthedocs.io documentation.   Prerequisites The following should be completed before running IronSkillet: firewall licenses activated including all threat, URL, and Wildfire subscriptions updated with the latest or recommended software release if using PanHandler: updated to 3.0 latest release   Additional details specific to each loading stage, variables, and release updates are found at https://iron-skillet.readthedocs.io/en/docs_master/   Loading IronSkillet Various tools and apps have been updated to work with IronSkillet including:   Palo Alto Networks Customer Support Portal; option when registering new devices or under the Tools menu Expedition Migration Tool; https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool PanHandler skillet application; https://panhandler.readthedocs.io/en/master/ Secure Dynamics Health Products; SecureDynamics - Palo Alto Networks Cloud Management Software ... View more

Sharing a suite of skillets to perform simple tasks such as content updates, moving a security rule, or adding brute force validations. These can be used for reference or added to other skillets where needed.   Skillet Details Documentation: https://github.com/scotchoaf/panos_tools/blob/master/README.md Github Location: https://github.com/scotchoaf/panos_tools.git Github Branches: master PAN-OS Supported: 8.1, 9.0, 9.1 Type of Skillet: xml configuration, rest, python, text render for set commands Collections: PANOS, Configure Purpose:   small support skillets   Additional Details This is a small library of skillets to test and demonstrate skillet functionality.   Open to suggestions for additional skillets to add that can help with basic tasks using the API ... View more

We've introduced a new type of skillet that isn't designed to instantiate or config something but instead read and assess. These are validation skillets.   Initially focused on xml configuration files for the NGFW and Panorama, they provide a structured way to look at the configuration without the user looking at the configuration. The skillet does the work based on predefined test rules in the skillet. Post analysis the user is presented with a set of pass/fail information including detailed messaging and documentation links for more information or quick remediation.   IronSkillet provides a solid introduction to the validation skillets due to its set of recommended practices. The common question I often get is 'how close is my current config to IronSkillet?'. Well, now we have a way to answer that question combined with GUI config steps to align with IronSkillet where gaps are found.   Using the panHandler application, the validation skillets are found in the IronSkillet collection as type = PAN Validation.     The first tile is a quick check of items added in 9.0. An easy way to see what's changed since IronSkillet was loaded with an 8.x release.   The second and where we'll focus is a full assessment of the configuration file against IronSkillet recommendations. More details can be found within the   IronSkillet documentation.   When I hit 'Go' I'm presented with the option of Online or Offline mode. Online mode is useful when you have API access to the device and want to do a quick grab of the running configuration. Offline mode allows you to paste in the xml configuration file. A great alternative when you don't have API access or have a copy of the config file ready to go.   I paste in a firewall config and the output shows me I didn't do so well. This is the first 9 of 49 checks. I failed most of them. Oops.     Click on the 'Check' column label shows me additional detail     Lastly I can click on the documentation links to see where in the GUI to make recommended updates. This maps to the   IronSkillet visual guide.   I can take a peek at Telemetry and decide to enable it. The guide shows the GUI menu steps and below the image some context about this feature.     Or maybe I'm not quite sure where to find the SNMP config area. Click the test doc link and here it is under Device > Setup > Operations > SNMP. Its those hard to find areas of the configuration where the IronSkillet validation skillet and visual guide work best together.     I can continue to step through the validation, make changes, and rerun the test to see what has changed or what I've missed. All without deep diving into the xml config file or dancing through every piece of the GUI.   The use cases for validation skillets can include 'what did I miss?', 'what do I need?', or 'what will I break?'. IronSkillet gave us a view of the first. Other validation skillets could check for object names such as security or logging profiles and even licensing information where skillets have varying dependencies. The 'what will I break?' can look at existing configuration bits for naming conflicts or look before configuring over existing interfaces.   So in tandem with configuration skillets, the validations provided needed visibility and safeguards for a better configuration experience. ... View more

First there was IronSkillet The skillet story starts with IronSkillet. The goal was to answer a simple question: how can a new NGFW user get to a recommended day one configuration without hours to days of reading through configuration guides while stepping through 1000's of GUI clicks?   The answer required two sets of expertise: (1) security subject matter experts to define a best practice configuration and (2) automation experts to help define how to make the configuration consumable across a broad set of applications. The former expertise was provided with a mix of inputs from Pro Services, the Best Practice Assessment team, Consulting Engineers, Technical Marketing Engineers, and Support engineers. The latter expertise, and the genesis of the skillet concept, was based on a design model from automation experts.   IronSkillet (aka 'a hardened PAN') provides a structured model for an xml-based configuration template including the ability to allow for user input variables and simple logic based on configuration options such as a DHCP or statically addressed interfaces. This configuration file is packaged with associated metadata so it can be shared and played back with any supporting application.   Skillets and Records Played back...like a record? Yep. This lead to the concept that the skillet is like a record and the supporting applications the record players. And borrowing from the IronSkillet name we now have these record-like skillets.   Now that there is a structured way to capture and share configuration information, our records, the skillet story extended beyond IronSkillet to any configuration use case. Whether the need for highly repeatable configurations such as MSSP or branch deployments or Just-in-Time needs like demos, training, or quick deployments the same model can be used. Now instead of the IronSkillet security-centric team any SME can readily share their experiences.   Moving Beyond NGFW and Panorama Configuration With the metadata model used, skillets could extend beyond the playback of xml configuration files. The second generation of skillets now included:   simple text rendering: the ability to add variables to set command file or any text content that can be shared and requires variables specific to each user python: simplify sharing of python code with an included python virtual environment, variables, and a web UI through the use of tools like panHandler rest: rest calls and data capture for any rest-based API requirement even extending beyond Palo Alto Networks terraform: support a UI, variable inputs, and instantiations by integrating with terraform templates workflow: the ability to chain together a set of skillets into a simple workflow  More than Configuration and Instantiation: Validation   The current generation of skillets also allow for the analysis of configuration information as validation skillets. This skillet has a set of test rules to look for specific configuration elements, licensing information, and content update status. This creates a more dynamic environment to better understand the device state.     ... View more

Brief Description This skillet will take input variables and configure an IPSec Tunnel and IKE Gateway.   Target Audience This skillet is designed for use by SEs, partners, customers, CEs and anyone who needs to quickly configure an IPSec tunnel.   Skillet Details Authoring Group: This Skillet was designed by the DataCenter CE Group Documentation: https://github.com/ceskillets/DCV-IPSec-Tunnel-Creation/blob/master/README.md Github Location: https://github.com/ceskillets/DCV-IPSec-Tunnel-Creation Github Branches: master PAN-OS Supported: PAN-OS 7.1 – PANOS 9.0. Cloud Provider(s) Supported: Any and all providers are supported by this skillet Type of Skillet: xml configuration Collections: IPSEC, Configure Purpose: Any type of IPSec Tunnel Configuration   Detail Description This skillet will take input variables and configure an IPSec Tunnel and IKE Gateway. This skillet is meant to be an easy IPSec tunnel setup that can be replicated for SE POCs, customer environments where hundreds of tunnels need to be configured, and can be leveraged for on-prem tunnels, site-2-site tunnels, and cloud environments. The skillet is also extensible in that it can be paired with other skillets designed to configure dynamic routing if dynamic tunnel routing is desired over static routing.   Limitations This particular skillet is designed to configure IPv4 routes and gateways and would need to be adapted to support IPv6.   It is also designed to configure static tunnel routes, but dynamic configuration can be added using a dynamic routing skillet. Authentication is designed to be handled with a preshared key and if ProxyIDs are necessary, they must be added after the skillet is deployed. Additionally, the tunnel interface is designed to be "unnumbered," meaning it doesn’t have an IP address. If an IP address is needed for the tunnel interface to enable tunnel monitoring, for example, that must be added after the skillet is deployed.   User Entered Variables The skillet supports use of the following variables, each of which have default values that support the most common tunnel configurations:   ike_gateway_name: Name for the IKE Gateway ike_version: List of IKEv1, IKEv2, or IKEv2-Preferred local_interface: IKE Interface on the local firewall local_interface_address: IKE Interface address on the local firewall peer_address: IKE Peer Address preshared_key: Preshared Key in plaintext remote_network_tunnel_route: The Destination Network/CIDR routed into the IPSec tunnel. tunnel_interface: The tunnel interface (tunnel.Number) tunnel_interface_zone: Zone applied to the Tunnel Interface (must exist) tunnel_route_name: Name for the route-based tunnel route virtual_router_name: Name of the virtual router (must exist) vsys: VsysID   Additional IPSec and IKE Information Set Up an IPSec Tunnel How To Configure IPSec VPN ... View more

Skillet District   Welcome to the Skillet District Skillets offer an open-source model for information sharing across a wide array of tasks and use cases. They can be used for NGFW and Panorama configuration, data capture and validations, device instantiation, or a combination of tasks as workflows.   Often described as records played on various applications or record players, skillets are contained collections of information with a mix of variables, content, and playback instructions contained as metadata.   Skillets are categorized in three fundamental ways: Type: based on what they do; examples include 'panos', Panorama, Python, Terraform, validation Collection: how they are tagged and grouped based on use cases or actions Tier: based on maturity and trust in the community as certified, community, or personal   Finding and Playing Skillets Skillets are archived using GitHub repositories. This allows a player to easily import the skillet, read the metadata information, and begin skillet playback.   The content in this site is designed to provide contextual information about each skillet along with its GitHub repository and branch information. Skillets promoted to the community tier are catalogued as community articles. Personal skillets contributed as hoc are found with the personal skillets discussion board. The How to Contribute article provides additional information about skillet tiers.    Skillet Details for GitHub   This example shows the GitHub information for IronSkillet, a day one configuration skillet. The GitHub location provides the URL for repo import and a set of associated branches specific to each software version.   After a skillet of interest is found, use the GitHub repo and branch information to import the skillet into a player. A recommended player to get started with skillets is Panhandler. You can use the Panhandler Quick Start guide to install Panhandler and then import and play skillets.   Skillet Questions, Suggestions, and Issues Users are encouraged to use the various discussion boards to provide feedback to the skillet community. This is not limited to only skillet questions but also suggestions to help improve existing skillets and to bring new skillets into the community.   Feedback for personal skillets can help tune, mature, and help get them promoted to more trusted community skillets.   Lastly, issues can be discussed here yet found issues should be submitted to the specific skillet GitHub repository to ensure the author is notified and can address any skillet problems. The LIVEcommunity is useful as a discovery and discussion forum while GitHub is better suited for issue submission and tracking.   Support of Skillets Skillets are not supported by Palo Alto Networks.   Some skillets are contributed by Palo Alto Networks and not formally supported. Support for the this project is provided on a best-effort basis the Palo Alto Networks user community. If you encounter any issues you may: Open a  GitHub issue Open a discussion using the skillet page on LIVEcommunity More information on Palo Alto Networks support policies may be found at: http://www.paloaltonetworks.com/support   ... View more

Skillet District   Panhandler is an open-source application that allows you to import and playback any skillet using a web interface.   Complete documentation for Panhandler can be found at https://panhandler.readthedocs.io.   Below is a quick summary for installation, importing skillets, playing skillets, and setting the user environment.     Installation Prerequisites Panhandler runs inside a docker container so the installation platform must support a docker environment.  It is also a simple web server so an open port will be used on the installed platform.   NOTE: Panhandler has been tested with Mac and Linux but has not been fully tested or supported with Windows.   Installation Panhandler is installed using the following curl command to pull down and run the docker container. It can also be used to check for and install updates.   curl -s -k -L http://bit.ly/2xui5gM | bash   Welcome to Panhandler Curl View   Here is what you should see after a few minutes of download, installation, and running the container.   Panhandler Container   The last line in the output message shows the url including the assigned port for Panhandler access. This example shows port 9999 while other ports such as 8080 may be used. Also note that users can use the server IP address instead of localhost for remote access.   Logging into Panhandler Panhandler requires simple login to the web interface. Panhandler uses a default username/password: paloalto/panhandler.   Panhandler Login View   Panhandler Menus The pulldown menu in the upper left of the screen allows the user to perform a variety of tasks.   Welcome: Bottom center of the screen will show the current build version and if updates are available Import Skillets: Quick name and import skillets from GitHub repositories Skillet Collections: View and run currently loaded skillets by category, collection name, or search Skillet Repositories: Manage skillet repositories including pulling updates and switching between branches   Panhandler Menu   Import a Skillet Repository The import menu leads you to a list of recommended skillets or the ability to import ad hoc skillets.   Panhandler Recommended Repositories   Import will checkout the master branch. However, some branches may use software versioned branches. Switching is done in the Skillet Repository page.   NOTE: When importing be sure to use the clone url ending in .git and not the website url.   Once imported, you can immediately run a skillet using links from the bottom of the page or click into a named Collection.   Run a Skillet with Skillet Collections Once in the Skillet Collection page, choose the collection containing the skillet you wish to run. You can also select All Skillets and search by skillet name.   Panhandler Skillet Collections   Inside the Collection, you'll see a list of Skillets. These can be filtered by task, type, or quick find with search.   Panhandler Collections for IronSkillet   Click Go to run a skillet.   NOTE: Some skillets are classified as "workflow," which runs a series of skillets instead of a single task.   Manage Skillet Repositories The Skillet Repository page will show all of the imported skillet repositories.   Panhandler Repository Detail for Home Skillets   Inside the repository detail, you can Update to Latest to pull the latest skillet changes or Remove Repository to delete unused repos.   If you need to switch to another version/branch, click on the branch name, which takes you to the bottom of the page for branch selection.   Panhandler Checkout New Branch for Home Skillets   You may still have to Update to Latest after the checkout of a new branch.   Configuring the User Environment (Optional) Skillets are design to prompt the user for username, password, and device address when API calls are required. If multiple devices are periodically used or you wish to bypass the password entry each time, you can create and customize user environments naming and setting attributes for each device.   Choose Environments from the upper right pulldown menu.   Panhandler Menu on Right Side This data is stored encrypted on the user's local disk. You are prompted for an admin password on the first time that is used to access environments in the future.   Environment attributes most common used are TARGET_IP, TARGET_USERNAME, and TARGET_PORT to see api call targets.   For more details using environments see:   https://panhandler.readthedocs.io/en/master/environments.html ... View more

NOTE: Examples shown in this article are specific to the panHandler application. Installation and getting started with Panhandler can be found in the Panhandler quick start guide or at https://panhandler.readthedocs.io.   Import Skillets In order to import skillets, both the GitHub clone URL and the branch name are required. This information is captured in the community skillet articles and should be included in personal skillet contributions.   Skillet details for GitHub   In Panhandler, choose "Import Skillets"   Panhandler Menu   Then enter the GitHub "clone URL" not the website url. Either copy from the skillet article or if using github.com look for the green box labeled "Clone or Download"   Import Repository - Enter a valid git url and desired branch below   NOTE: This will default to the master branch. If a different branch is required, go to Skillet Repositories, select skillet repo Details. Click on the branch name to jump to the bottom of the page where you can checkout the needed branch.   Imported Skillets can be updated with Update to Latest found in the Skillet Repository details page   Skillet Collections The common way to play skillets is from the Skillet Collections page and then skillet selection. Skillets can be filtered by type or found with search options. Within a named collection is a list of playable skillets.   Skillet Collection   Click Go to play a specific skillet from within its collection.   Based on the skillet design the user will be presented with various web form entries and target IP/user/password inputs as API credentials.   What to Expect based on the Type of the Skillet 'panos' or Panorama This type of skillet uses the NGFW or Panorama API to push one or more configuration snippets to the device. Target IP, username, and password are used to generate the API key prior to loading the snippets. The user has the option to commit, fast commit, or not commit after the snippets are loaded along with prior config backup.   These skillets also support operational commands and additional config actions such as delete, edit, and move.   Validation these skillets use a source config file loaded in offline mode or captured from the device in online mode. Online mode requires the target IP, username, and password to create the api key and export the start-up or running configuration for analysis.   Post analysis results show pass/fail responses for each test criteria along with detailed messages and documentation links for next steps such as config remediation.   Rest REST skillets do not have device logic included and consist of a sequence of one or more stateless API calls. Where required for 'panos' or Panorama, the target IP, username, and password are entered for api key generation and capture for subsequent api calls.   The rest response can be parsed and displayed or passed to other skillets as input variables. A common type of rest skillet is an API call emulated the '?' complete CLI option generating a list of responses used in dropdown lists.   Python Used for stateful or more complex needs, these skillets provide for a python virtual environment and GUI on top of the python code. This simplifies distribution of python code with extensive documentation for installation and CLI usage. Skillet variables are passed to the code as arguments.   When running a python skillet the user will see the python virtual environment created including installation of required packages. Then the code will run. Screen-based status updates can be viewed on the screen during update intervals.   Template These are basic rendering of text content using jinja-based variable substitutions. This multi-purpose skillet type can be used for output messages, CLI set commands, and any other text context capture requiring user-based variable inputs.    All output is rendered on screen.   Terraform Similar to python, provides for a UI interface on top of Terraform templates. User capture variable inputs are passed to the Terraform platform to instantiate devices in various private and public cloud deployments.   Workflow Workflows provide a simple model for chaining together a set of skillets of various types. Simple conditionals can be used to determine if a skillet should be played. ... View more

The Skillet program is an open-source initiative that relies on the community to create and consume various types of skillets.   Skillet Classifications There are 2 tiers of skillets for contribution and usage: community and personal.   Community Skillets Community skillets have a higher level of recognition and trust in terms of release coverage, documentation, and testing. They may or may not be hosted as part of the Palo Alto Networks organization area on GitHub so Live status can help with some level of confidence level-setting for unknown personal GitHub accounts.   Contributions for community skillets start with an article submission and minor review before publication. Key review elements are quality and completeness of the skillets, problems solved or time saved, and documentation coverage.   Expectations for contributed community skillets are ongoing monitoring of conversations, resolution of critical issues, and general upkeep.   Personal Skillets The entry level tier of skillets that are submitted using the personal skillet discussion board. Anyone can contribute their work "as is," solicit help, or share ideas.   Skillet links and content can be posted in a similar manner to community skillets but may be less documented and tested. These skillets can be upvoted to be promoted to the community tier for additional recognition.   The community does not monitor or provide testing to ensure quality of skillets at this tier.   Opening a personal skillet article should include the following reference information:   Skillet details including GitHub repo url and branch information documentation and usage instructions in the article or a link to remote documentation additional information, notes, caveats Example information to include:   Skillet Details Documentation:  https://github.com/scotchoaf/panos_tools/blob/master/README.md Github Location:  https://github.com/scotchoaf/panos_tools.git Github Branches: master PAN-OS Supported: 8.1, 9.0, 9.1 Type of Skillet: xml configuration, rest, python, text render for set commands Collections: PANOS, Configure Purpose:   small support skillets   Additional Details This section houses tips, tricks, caveats, requirements, and any other information assisting a user wanting to play this skillet   Support Model Skillets are unsupported by Palo Alto Networks and only supported within the community.   Contributing to Existing Skillets As is common in the open-source community, users can contribute to existing community or personal skillets.   The recommended model is to fork the GitHub repo and use pull requests to submit skillet additions, changes, or suggestions. Or for novice skillet users, open an issue in the skillet with suggested enhancements. This creates a discussion thread in GitHub specific to the skillet. ... View more