About scotchoaf

Brief Description The Local Government skillets are intended for local government NGFW configurations including pre-build region based blocking and compliance tags.   Target Audience PAN-OS NGFW users in the local government vertical.   Prerequisites IronSkillet configuration - tag and profile objects referenced by this configuration Threat, URL-Filtering, and Wildfire subscriptions panHandler version 4.0 or later   Skillet Details Documentation:  https://github.com/jmaclean33/LocalGov/blob/master/README.md Github Location: https://github.com/jmaclean33/LocalGov.git Github Branches:   master PAN-OS Versions Supported:   9.x, 10.0 Type of Skillet:   panos Collections: LocalGov   Full Description The LocalGov skillets build on the IronSkillet day one configuration to create a complete internet gateway configuration aligned to local government compliance requirements.   Included are:   NIST and CJIS colored tags to associate to compliance needs in security policies Optional Country Block rules permitting only traffic to/from the US, Mexico, and Canada SSL decryption policy     ... View more

As PAN-OS continues to grow its feature capabilities we also strive to extend our automated solution sets. This current release of content not only updates IronSkillet to include new 10.0 features but also adds in new security services such as Cortex Data Lake, IoT Security, and SD-WAN. The goal is to replace time consuming documentation research and UI clicks with tested, ready to use configurations and validation assessments.   IronSkillet 10.0 This is the fifth release of our IronSkillet day one configuration. In this release we've included inline ML coverage for Wildfire/AntiVirus and URL-Filtering profiles, DNS security category verdict actions, and moving Wildfire dynamic updates from every minute to real-time. The goal is to continue evolving IronSkillet in unison with the NGFW product for a consistent and current day one configuration.   A complete list of IronSkillet 10.0 changes can be found in the IronSkillet Release History   Additional IronSkillet information can be found in the IronSkillet community article.   Cortex Data Lake (CDL) The CDL solution set includes playbooks, skillets, and set commands to simplify both the onboarding of the NGFW to CDL and 'brownfield' updates to existing log forwarding profiles to include both CDL and Enhanced Application Logging (EAL).   The Ansible playbook, run natively or as a skillet, completes a series of tasks including CDL onboarding, licensing checks, validations, and global configuration of CDL in the firewall. All this is required is the onboarding pre-shared key (PSK) created in the Cortex Data Lake application. As an alternative for non-API users we've included a similar collection of operational and configuration set commands used with the firewall CLI.   After onboarding is complete or for existing installations we include helper skillets to add CDL/EAL to existing log forwarding profiles and do a firewall assessment using a validation skillet. The assessment checks CDL and EAL licensing and configuration elements to ensure a successful deployment.   Additional Cortex Data Lake skillet information can be found in the PAN-OS Cortex Data Lake skillets community article.   IoT Security The IoT security solution builds on the Cortex Data Lake logging solution to further configure and validate the firewall specific to select IoT deployment models. Configuration elements are based on the IoT Security Onboarding guide. Helper configurations support DHCP configuration, pre-10.0 DHCP server to relay conversion, adding log forwarding profiles for CDL/EAL, and updating existing security policies with log forwarding.   For existing deployments and troubleshooting assistance, a validation skillet can be used to assess the current configuration and operational state showing missing elements required for a successful deployment.   Lastly, this solution includes a traffic generation script for demo/POC environments to generate IoT DHCP and session traffic. This traffic is captured by the firewall and forwarded to CDL and the Cortex IoT platform for analysis and visibility.   Additional IoT Security skillet information can be found in the IoT Automated Solution community article.   PAN-OS SD-WAN To alleviate the complexities of Panorama configuration for SD-WAN, a set of skillets are used for device onboarding and hub/branch template and device-group site configurations. The combination of skillets that include Panorama variables, allows for custom creation of device sites and site-specific interface types.   This skillet is currently released for PAN-OS 9.1.   Additional PAN-OS SD-WAN skillet information can be found in the SD-WAN skillets community article.     We're excited to release these new skillet solution updates to the community.    If you have ideas for automated solutions drop us a note in our Skillet Suggestion board.  We're also looking to see where we can help the community simplify deployments, configuration, and assessment of the NGFW. ... View more

Brief Description Simplify and validate the firewall configuration for the Cortex IoT security service. The skillets also include the Cortex Data Lake skillets due to Data Lake and IoT service integration.   Target Audience PAN-OS Cortex IoT validations and configuration to ensure NGFW readiness. Also an IoT traffic generator for Linux endpoints.   Prerequisites Active Cortex Data Lake license Preshared key for on-boarding firewalls to Cortex Data Lake panHandler version 4.0 or later import of panos-logging-skillets Linux hosts (tested with Ubuntu 18.04)   Skillet Details Documentation:  https://github.com/PaloAltoNetworks/iot-automated-solution/blob/master/README.md Github Location: https://github.com/PaloAltoNetworks/iot-automated-solution.git Github Branches:   master PAN-OS Versions Supported:   9.x, 10.0 Type of Skillet:   panos Collections: CDL IoT   Full Description The suite of skillets are design to assist with and validate the Cortex Data Lake install and then implement required configuration elements for DHCP and traffic logging specific to the IoT security service.   IoT configuration assist is based on the Get Started with IoT Security documentation. Workflow Various selection options based on software version and deployment type for IoT. The workflow steps through the needed skillets required by the user. Validation The validation skillet checks required elements for a successful Cortex Data Lake (CDL) and Cortex IoT install. Key items include firewall licensing, global CDL configuration, fetch CDL certificates, and CDL/EAL enablement in log forwarding profiles. Cortex Data Lake Playbook Cortex Data Lake inline validation checks and configuration using an Ansible playbook. Cortex Data Lake Optional Configurations CDL specific configurations needed for select IoT deployments including:   update of existing log forwarding profiles with EAL/CDL enabled add a log forwarding profile that is EAL/CDL ready update security policies to include a selected log forwarding profile   IoT Configuration Elements Based on the deployment scenario and software version, the firewall configuration may required additions or modifications:   10.0 firewall DHCP server: enable DHCP broadcast session Virtual Wire deployments: enable multicast firewalling Tap mode configuration with alert-all security profiles and policy Pre-10.0 local DHCP: convert to a logical interface DHCP server + enable DHCP relay Add a security policy specific to the DHCP application for traffic visibility   IoT Traffic Generator Python script running on a Linux host to emulate multiple IoT endoints and mqtt traffic sessions. Requires an IoT broker host (eg. mosquitto) to receive and respond to mqtt session requests.   The key element of the generator is emulating DHCP sessions that create log events in the firewall and passed to Cortex Data Lake and Cortex IoT.   HomeSkillet POC Add-on Configurations Using HomeSkillet as a quick-install base configuration, provide additional configuration elements for the IoT broker interface, zones, and security policy.   ... View more

Brief Description A set of skillets, set commands, and playbooks to simplify implementation and validation of Cortex Data Lake for the NGFW.   Target Audience This skillet is intended for Palo Alto Networks SEs, PSEs, Partners, and Customers that are using Cortex Data Lake with the NGFW.   Prerequisites Active Cortex Data Lake license Preshared key for on-boarding firewalls to Cortex Data Lake panHandler version 4.0 or later   Skillet Details Documentation:  https://github.com/PaloAltoNetworks/panos-logging-skillets/blob/master/README.md Github Location: https://github.com/PaloAltoNetworks/panos-logging-skillets.git Github Branches:   master PAN-OS Versions Supported:   9.x, 10.0 Type of Skillet:   panos Collections: CDL   Full Description   Validation The validation skillet checks required elements for a successful Cortex Data Lake (CDL) install. Key items include licensing, global CDL configuration, fetch CDL certificates, and CDL/EAL enablement in log forwarding profiles.   Configuration Playbook Inline validation checks and configuration using an Ansible playbook. The playbook can be run in three ways:   Native Ansible playbook for existing environments Python script including needed packages, roles, and collections Skillet with a simple web UI input   CLI Set Commands Operational and configuration set commands for deployments without API access.    Update Existing Log Forwarding Profiles Allow the user to select an existing log forwarding profile and update to use Cortex Data Lake log forwarding for all log types and enable Enhanced Application Logging.   ... View more

Brief Description A suite of Panorama configuration skillets for SD-WAN:   Initial profile/object configuration Hub and Branch template and device-group configuration Panorama variables populated during device onboarding Hub-Branch topology configuration   Target Audience This skillet is intended for Palo Alto Networks SEs, PSEs, Partners, and Customers that are using PAN-OS SD-WAN and looking for simplified Panorama configuration.   Prerequisites The configuration skillet requires a licensed 9.1 Panorama installation and the SD-WAN plugin.   Skillet Details Documentation:  https://github.com/PaloAltoNetworks/sdwan/blob/master/README.md Github Location: https://github.com/PaloAltoNetworks/sdwan.git Github Branches:   master Panorama Versions Supported:   9.1 Type of Skillet:   panorama Collections: SD-WAN Full Description The description below gives an overview of the skillet elements. For detailed information regarding prerequisites and skillet usage please review the SD-WAN Skillet documentation.   Playing the skillets currently requires panHandler. Onboarding Add devices to Panorama using one or more serial numbers and then onboarding devices to configured SD-WAN topologies.   Configure Shared Elements Rapid configuration of shared elements such as link tags, traffic distribution profiles, path quality profiles, and catch-all policies. Shared elements are used as part of the individual site configurations.   Site Creation SD-WAN configurations and eventual device configurations are topology dependent. The site creation skillet uses a building block approach using various interface and addressing types, Panorama variables, and zones. These sites can then be used as hub/branch options to create the SD-WAN topology     ... View more

Brief Description A suite of deployment, configuration, and service information skillets for Prisma Access mobile users including:   Panorama instantiation in Azure or AWS Panorama licensing, content updates, software updates, and basic configuration Prisma Access service setup, mobile user, and remote network configuration/onboarding Prisma Access API queries to view service information   Target Audience This skillet is intended for Palo Alto Networks SEs, PSEs, Partners, and Customers that are using Prisma Access and looking for simplified Panorama deployment and configuration.   Skillet Details Documentation:  https://github.com/PaloAltoNetworks/prisma-access-skillets/blob/master/README.md Github Location:  https://github.com/PaloAltoNetworks/prisma-access-skillets.git Github Branches:   master Panorama Versions Supported:   9.0.x running cloud services plugin version 1.5 (9.1 not currently supported) Type of Skillet:   panorama, python, terraform, docker Collections: Prisma Access Deploy Panorama Prisma Access Configure Service Setup Prisma Access Configure Mobile Users Prisma Access Configure Remote Networks Prisma Access Assess Tools   Full Description The description below gives an overview of the skillet elements. For detailed information regarding prerequisites and skillet usage please review the Prisma Access Skillet documentation.   Playing the skillets currently requires panHandler.   Deploy The first step in the skillet will access the user's Azure or AWS account and deploy a virtual instance of Panorama using Terraform templates. This is a simplified alternative to using the Azure Resource Manager UI or AWS UI for Panorama deployment.   After Panorama is online and the IP address is accessible, the Step 2 skillet will: apply the serial number and license Panorama perform a software update install content updates install the Prisma Access cloud services plugin   For users that are not using the Step 1 deploy skillets and deploy their own Panorama, the Step 3 skillet can also be used to help automate the steps listed above to ensure Panorama deployment is complete.   The last deploy piece is to use the Customer Support Portal to generate a One Time Password that is used in Panorama to verify the cloud service.   Configure   Service Setup Collection Initial configuration of the infrastructure subnet and BGP AS   Mobile User Collection   After verification is complete, Panorama is ready for configuration. For mobile users, this requires the initial service setup and the mobile user configuration.   There are 2 configuration options depending on access to the Panorama API: API and non-API.   API Option This series of skillets leverage the Panorama API generate a configuration file, import to Panorama, and use 'load config partial' commands to merge the configuration elements into the candidate configuration.   Non-API Option For remote support or users without access to the Panorama API, this option will generate a full configuration file that can be manually imported to Panorama. Once imported the documentation includes a small set of load config partial commands that can be pasted into the CLI to do the configuration.   Remote Network Collection Initial Remote Network setup and onboarding configuration using the Panorama API. Includes IKE/IPSEC Crypto profiles, IKE gateway, IPSEC tunnel, and plug-in onboarding configuration.   Assess The assess skillet provides a simple interface to query Prisma Access and obtain service information. Details for the REST queries can be found in the Admin Guide     ... View more

Brief Description A set of GlobalProtect API and set command configuration skillets based on the Quick Config Guides   Target Audience This skillet is intended for Palo Alto Networks SEs, PSEs, Partners, and Customers that are using GlobalProtect and need a quick start configuration helper   Skillet Details Documentation: https://github.com/PaloAltoNetworks/GPSkillets/blob/panos_v90/README.md Github Location:  https://github.com/PaloAltoNetworks/GPSkillets.git Github Branches: panos_v90 PAN-OS Versions Supported: 9.x Type of Skillet: panos, template (set commands) Collections: globalprotect   Full Description This skillet set is based on the GlobalProtect Quick Config guides and covers two common configuration options:   Remote Access VPN Remote Access VPN with Pre-Logon   Remote Access VPN Configures GlobalProtect elements including the gateway and portal. Also included is a reference LDAP auth profile and a local DB reference user.   Remote Access VPN with Pre-Logon Adds pre-logon to the remote access VPN. Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is to authenticate the endpoint (not the user) and enable domain scripts or other tasks to run as soon as the endpoint powers on. Machine certificates enable the endpoint to establish a VPN tunnel to the GlobalProtect gateway. A common practice for IT administrators is to install the machine certificate while staging the endpoint for the user.   Deployment Note These configs create security rules that do not contain any sort of security profile or logging configuration. Please utilize the best practice security profiles from the iron-skillet repository on the rules that get created and read the Best Practices documentation before deploying.       ... View more