About scotchoaf

Just saying 'XML' in various circles causes cringing and eye rolling. With other, more human-friendly file formats such as JSON available, XML (eXtensible Markup Language) can get a bad rap. However when dealing with PAN-OS configuration and system information, a basic working knowledge can actually enhance NGFW interactions.   The fundamentals of XML include basic terms and file structure: the xpath, xml elements, attributes, tags, and text. The tutorial video below explores these fundamentals by showing XML in relation to both HTTP and file folder structures. All through the lens of a PAN-OS config file.       The reality is that pretty much every NGFW or Panorama interaction is based on XML. The CLI? The web UI? Yep. You can use the CLI commands debug cli on and show cli config-output format xml to look behind the curtain. The same with the web UI debug capability.   You'll also see XML appear in the load config partial command when adding the to-xpath and from-xpath. Thanks to @fhu_omi for providing an example in the HTTP response code quickplay comments. A quick hack to create a pseudo XML file and xpath to load this quickplay without any API tools.   What about pan-os-python, pango, and the PAN-OS REST API that are designed to keep me away from XML? Well much like the CLI and web UI, they create an abstraction layer above XML and do the XML magic in the background. They also rely on raw XML for configuration elements not currently supported. So while powerful and simplify NGFW interactions, its still good practice to be versed in XML to have full access to most of the configuration options.   So yes XML is designed for the machines and isn't the most readable format. However for API and some CLI interactions with the NGFW it isn't a bad idea to consider XML as a friend and not a foe.           ... View more

The IronSkillet team is proud to announce the latest version of IronSkillet for PAN-OS 11.0 Nova. This is our eigth IronSkillet release since our initial release with PAN-OS 8.0.   In tandem with our 11.0 release and to keep the community Quickplay Solutions current we have implemented an archive model. Any Quickplays that haven't been updated in recent releases will be moved to the archive article section. They are still accessible along with the associated GitHub and other related repositories but are not actively supported through this community. Feel free to continue using these solutions noting they may not work with the latest software releases.   IronSkillet 11.0 New Release IronSkillet  is a day one deployment-agnostic NGFW and Panorama configuration. It is used as an initial baseline including device hardening and security profiles to be used by use-case specific configuration and security policies.   The 11.0 release includes new configuration snippets: Vulnerability Protection Profiles, URL Filtering Categories and Inline Cloud Analysis support.   Additional IronSkillet information can be found in the IronSkillet Quickplay Solutions article.   We're excited to release this new Quickplay Solution update to the community.    ... View more

Brief Description This quickplay solution provides an Ansible playbook to license a VM-series NGFW using an activated authcode, provide content updates, and upgrade or downgrade to a user-inputted PAN-OS software version   Video coming soon...   Prerequisites Playing this solution requires: An active and unused VM-series auth code API access to the NGFW Optional: panhandler 4.3 or later and docker to play skillets   Solution Details Documentation:  https://github.com/PaloAltoNetworks/panos-query-scripts/blob/main/README.md Github Location: https://github.com/PaloAltoNetworks/panos-ansible-upgrade-downgrade.git Github Branches:  main Product Versions Supported: PAN-OS 9.0 and later   Full Description Booting a NGFW can be done in a variety of ways: manual bootstrapping, public UIs or terraform templates, private cloud management systems, workflow and device management utilities, etc. In all cases, baselining the device (eg. licensing, updating, upgrading) can become tightly integrated for each model requiring specific UI interactions, custom templating, or manual instruction.   Instead of creating new workflows for each boot model, this playbook is boot type agnostic and can be run against any network-accessible NGFW in any deployed location. The playbook baselines the newly instantiated NGFW in three ways:   Licensing using an active Auth Code Add the auth code as a playbook variable to interact with the entitlement system to license the NGFW. The NGFW will perform a soft reboot with the newly active licenses.   NOTE: the playbook will continue to poll the NGFW until the management interface is ready for new commands.   Content Updates Newly deployed NGFWs do not have the latest content/threat and anti-virus updates. Often users may forget this step, waiting for the next scheduled update assuming the device is configured with a schedule. This creates a security gap where the device does not have the latest signatures loaded into the system likely missing active threats traversing the network.   The playbook will download and install the latest content/threat and anti-virus updates to ensure the NGFW is fully armed with the latest signatures.   Software Upgrades/Downgrades The user can input the desired software version and the playbook will work through all of the necessary base images, major/minor release stages, and land on the desired version.   The playbook will download and install each required stage while waiting for the device to come online after required reboots. ... View more

  Brief Description This quickplay solution includes a set of scripts and skillets to quickly query the NGFW to determine inbound open policy ports/applications, domain categories, and URL categories.   Below is a quick summary of each of the scripts.      Prerequisites Playing this solution requires: panhandler 4.3 or later to play skillets API access to the NGFW   Solution Details Documentation:  https://github.com/PaloAltoNetworks/panos-query-scripts/blob/main/README.md Github Location: https://github.com/PaloAltoNetworks/panos-query-scripts.git Github Branches:  main Product Versions Supported: DNS domain category query: PAN-OS 10.0 and later URL category query: PAN-OS 9.0 and later Inbound policy query: PAN-OS 9.0 and later   Full Description The quickplay scripts and skillets use the NGFW API to gain insights about inbound policy configuration and cloud service category mappings.   Get the DNS Domain or URL Category PAN-OS includes the capability to use CLI commands and the web UI to leverage the NGFW as a proxy into the cloud service layer to get category mappings for URLs and DNS domains. The CLI commands include:   test dns-proxy dns-signature fqdn {domain-to-test} test url {url-to-test}   The quickplay solution utilizes these commands through the API to read a list of domains or URLs to determine their category and output the results to screen and as a csv file for additional data analysis.   Open Port Query Provides a quick configuration analysis using the API to find security policies with destination of 'any' and a user input zone. The output shows the security policy name and associated services/ports and applications.   This provides quick insights regarding the NGFW attack surface where traffic is allowed from high risk zones such as the internet.           ... View more

  Brief Description This quickplay solution provides a rapid API-based CIS benchmark assessment of the Palo Alto Networks NGFW   Video coming soon...   Prerequisites Playing this solution requires: panhandler 4.3 or later API access to the NGFW   Solution Details Documentation:  https://github.com/PaloAltoNetworks/cis-benchmarks Github Location: https://github.com/PaloAltoNetworks/cis-benchmarks.git Github Branches:  main Product Versions Supported:  PAN-OS 9.0/9.1 based on the benchmark version support   Full Description The CIS benchmark v9.0.0 provides a description, rationale, audit, and remediation steps for a multitude of NGFW configuration benchmarks. Manually assessing the complete set of benchmarks can be highly time consuming.   This quickplay allows the user to leverage the NGFW API to query configuration and system state information, assess the various benchmarks, and then present the user with an online report showing pass/fail conditions. Not intended for an official audit, the quick preview allows for remediations ahead of a full audit or to provide periodic checks.   Note: This CIS quickplay does not replace a recommended Palo Alto Networks Best Practice Assessment (BPA). For more information, please visit the BPA Live Community   Report Results The output report provides a complete set of contextual information based on the CIS benchmark document:   summary of total test with pass/fail/action required counts each benchmark grouped by section as found in the report Level and Scored attributes for each benchmark documentation links for each benchmark to assist with manual remediation steps contextual pop-up insights showing why a benchmark failed       The Action Required Result Some of the benchmark results are flagged as 'action required'. This denotes one of two outcomes:   The test hasn't been implemented due to technical limitations such as 'off-box' benchmarks or volumetric type checks that are deployment specific The test hasn't been implemented and is marked as a 'roadmap item' for a future release       ... View more

Support Policy   Quickplay Solutions are released under an as-is, best effort, support policy. This content should be seen as community supported and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the solution through our normal support options such as Palo Alto Networks support teams, or ASC (Authorized Support Centers) partners and backline support options.   Requesting quickplay support within the community can be done by:   opening an issue for the specific quickplay solution repository in github, gitlab, or other related sites add a comment to the quickplay solution article start a discussion specific to a quickplay solution   The underlying product used (eg. the VM-Series firewall) by the quickplay solution are still supported, but the support is only for the product functionality and not for help in deploying or using the quickplay solution itself.   Unless explicitly tagged, all projects or work posted in a GitHub repository (eg. at   https://github.com/PaloAltoNetworks) or sites other than our official Downloads page on   https://support.paloaltonetworks.com   are provided under the best effort policy. ... View more

The usability and value of Quickplay Solutions rely in part on contributions from you, community members who have an idea, discover a need, get inspired to improve something — or all three! If you have content or ideas for content that others in the community could use as a quickplay, please let us know.   To get started, create a new discussion starting with 'Quickplay Idea:' and add your idea. Please include a description of the quickplay, along with pointers to any existing content, and describe who you think would benefit from the solution.   We'll then review your idea and any user comments to see how we can get the quickplay added to the catalog.   We’re here to help, but more often than not, we’re helping community contributors help the entire community. ... View more

Brief Description The Local Government skillets are intended for local government NGFW configurations including pre-build region based blocking and compliance tags.   Target Audience PAN-OS NGFW users in the local government vertical.   Prerequisites IronSkillet configuration - tag and profile objects referenced by this configuration Threat, URL-Filtering, and Wildfire subscriptions panHandler version 4.0 or later   Skillet Details Documentation:  https://github.com/jmaclean33/LocalGov/blob/master/README.md Github Location: https://github.com/jmaclean33/LocalGov.git Github Branches:   master PAN-OS Versions Supported:   9.x, 10.0 Type of Skillet:   panos Collections: LocalGov   Full Description The LocalGov skillets build on the IronSkillet day one configuration to create a complete internet gateway configuration aligned to local government compliance requirements.   Included are:   NIST and CJIS colored tags to associate to compliance needs in security policies Optional Country Block rules permitting only traffic to/from the US, Mexico, and Canada SSL decryption policy     ... View more

Brief Description Simplify and validate the firewall configuration for the Cortex IoT security service. The skillets also include the Cortex Data Lake skillets due to Data Lake and IoT service integration.   Below is a quick summary of the solution, a how-to guide for setting up the solution, and an explanation of the solution workflow menu options.     Target Audience PAN-OS Cortex IoT validations and configuration to ensure NGFW readiness. Also an IoT traffic generator for Linux endpoints.   Prerequisites Active Cortex Data Lake license Preshared key for on-boarding firewalls to Cortex Data Lake panHandler version 4.0 or later import of panos-logging-skillets Linux hosts (tested with Ubuntu 18.04)   Skillet Details Documentation:  https://github.com/PaloAltoNetworks/iot-automated-solution/blob/master/README.md Github Location: https://github.com/PaloAltoNetworks/iot-automated-solution.git Github Branches:   master PAN-OS Versions Supported:   9.x, 10.0 Type of Skillet:   panos Collections: CDL IoT   Full Description The suite of skillets are design to assist with and validate the Cortex Data Lake install and then implement required configuration elements for DHCP and traffic logging specific to the IoT security service.   IoT configuration assist is based on the Get Started with IoT Security documentation. Workflow Various selection options based on software version and deployment type for IoT. The workflow steps through the needed skillets required by the user. Validation The validation skillet checks required elements for a successful Cortex Data Lake (CDL) and Cortex IoT install. Key items include firewall licensing, global CDL configuration, fetch CDL certificates, and CDL/EAL enablement in log forwarding profiles. Cortex Data Lake Playbook Cortex Data Lake inline validation checks and configuration using an Ansible playbook. Cortex Data Lake Optional Configurations CDL specific configurations needed for select IoT deployments including:   update of existing log forwarding profiles with EAL/CDL enabled add a log forwarding profile that is EAL/CDL ready update security policies to include a selected log forwarding profile   IoT Configuration Elements Based on the deployment scenario and software version, the firewall configuration may required additions or modifications:   10.0 firewall DHCP server: enable DHCP broadcast session Virtual Wire deployments: enable multicast firewalling Tap mode configuration with alert-all security profiles and policy Pre-10.0 local DHCP: convert to a logical interface DHCP server + enable DHCP relay Add a security policy specific to the DHCP application for traffic visibility   IoT Traffic Generator Python script running on a Linux host to emulate multiple IoT endoints and mqtt traffic sessions. Requires an IoT broker host (eg. mosquitto) to receive and respond to mqtt session requests.   The key element of the generator is emulating DHCP sessions that create log events in the firewall and passed to Cortex Data Lake and Cortex IoT.   HomeSkillet POC Add-on Configurations Using HomeSkillet as a quick-install base configuration, provide additional configuration elements for the IoT broker interface, zones, and security policy.   ... View more

Brief Description A set of skillets, set commands, and playbooks to simplify implementation and validation of Cortex Data Lake for the NGFW.   Target Audience This skillet is intended for Palo Alto Networks SEs, PSEs, Partners, and Customers that are using Cortex Data Lake with the NGFW.   Prerequisites Active Cortex Data Lake license Preshared key for on-boarding firewalls to Cortex Data Lake panHandler version 4.0 or later   Solution Details Documentation:  https://github.com/PaloAltoNetworks/panos-logging-skillets/blob/master/README.md Github Location: https://github.com/PaloAltoNetworks/panos-logging-skillets.git Github Branches:   master PAN-OS Versions Supported:   9.x, 10.0 Type of Skillet:   panos Collections: CDL   Full Description   Validation The validation skillet checks required elements for a successful Cortex Data Lake (CDL) install. Key items include licensing, global CDL configuration, fetch CDL certificates, and CDL/EAL enablement in log forwarding profiles.   Configuration Playbook Inline validation checks and configuration using an Ansible playbook. The playbook can be run in three ways:   Native Ansible playbook for existing environments Python script including needed packages, roles, and collections Skillet with a simple web UI input   CLI Set Commands Operational and configuration set commands for deployments without API access.    Update Existing Log Forwarding Profiles Allow the user to select an existing log forwarding profile and update to use Cortex Data Lake log forwarding for all log types and enable Enhanced Application Logging.   ... View more

Brief Description A suite of Panorama configuration skillets for SD-WAN:   Initial profile/object configuration Hub and Branch template and device-group configuration Panorama variables populated during device onboarding Hub-Branch topology configuration   Target Audience This skillet is intended for Palo Alto Networks SEs, PSEs, Partners, and Customers that are using PAN-OS SD-WAN and looking for simplified Panorama configuration.   Prerequisites The configuration skillet requires a licensed 9.1 Panorama installation and the SD-WAN plugin.   Solution Details Documentation:  https://github.com/PaloAltoNetworks/sdwan/blob/master/README.md Github Location: https://github.com/PaloAltoNetworks/sdwan.git Github Branches:   master Panorama Versions Supported:   9.1 Type of Skillet:   panorama Collections: SD-WAN Full Description The description below gives an overview of the skillet elements. For detailed information regarding prerequisites and skillet usage please review the SD-WAN Skillet documentation.   Playing the skillets currently requires panHandler. Onboarding Add devices to Panorama using one or more serial numbers and then onboarding devices to configured SD-WAN topologies.   Configure Shared Elements Rapid configuration of shared elements such as link tags, traffic distribution profiles, path quality profiles, and catch-all policies. Shared elements are used as part of the individual site configurations.   Site Creation SD-WAN configurations and eventual device configurations are topology dependent. The site creation skillet uses a building block approach using various interface and addressing types, Panorama variables, and zones. These sites can then be used as hub/branch options to create the SD-WAN topology     ... View more