Palo Alto Basic

-

 Notes:

>   !!operation mode

#   !!configuration mode


serial cable

wait for prompt "PA-VM" then login with below default account.

admin/admin

HW FW management port default IP is 192.168.1.1,
VM FW management port doesn't have a static  IP,  it is DHCP client.

show interface management


To change mgmt IP:

configure

set deviceconfig system type static


set deviceconfig system ip-address 172.16.1.100
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 172.16.1.1

or 
set deviceconfig system ip-address 172.16.1.100 netmask 255.255.255.0 default-gateway 172.16.1.1

set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>  

validate full
show jobs all

commit

then login GUI 

Change admin password. Device >Administrators

Setup hostname, domain, and time zone. Device>Setup>Management

Add DNS server and NTP server IPs. Device>Setup>Services

Service route 

License
   Demo license activation:
      1. Add VM Auth-Code in Support portal
      2. GUI> Device > Licenses > Activate feature using authorization code.

Software -- for OS updates

Dynamic updates  - For app, threat etc update


limit of VM

HA - Active/Passive only

10 interfaces

no vsys

vmotion is not allow

jumbo frame is not supported

LAG is on VM itself


Factory Reset method:

1.reboot from console
2. Enter "maint" mode
3. Choose "Factory Reset"
4. Wait for reload...


Ethernet Interface Types

1. tap mode - one port, IDS
2. L2 mode  !!switch ports, optional VLAN interface to route traffic to other networks
3. V-wire   -transparent FW, only two ports, IPS
4. L3 mode
5. HA

loopback interface
tunnel interface
subinterface

Network> VLANs
  a broadcast domain, or bridge domain, contains multiple L2 interfaces, even L2 sub-interfaces are tagged differently. 


Interface management profile  -- service or IP filter

When configure interface IP Address, put ip address directly, no need to create address object.





Security policy

Intra-zone is allowed by default

Inter-zone is denied by default
   Internet traffic to FW outside interface matches Intra-zone default policy (untrust to untrust). Create a rule near the top to block traffic to FW outside interface. GlobalProtect rule should be above it.
or create a explicit deny untrust-to untrust rule above intrazone-default rule


Create Zones  - different type interface has different zone.

Create management profile for interfaces

Create objects for interface IPs

Create interfaces.
    Create sub-interface if trunk


SNAT:
static 
dynamic IP and port  - PAT
dynamic IP

When create PAT:








Or:



 







Specify interface IP is optional.









DNAT:
source zone and destination are both Untrusted.

static
port forwarding


Security Policy.

use applications in policy, can use Application Filters (dynamic) or Application Groups (static) 
application dependency (implicit, explicit)

Object: DBL (Dynamic block list) - New term: External Dynamic Lists
after created, use it in address section is Security Policy

Use NATed IP address in security policy for inbound access.


License:

Threat and Protection: Anti-virus, anti-spyware, vulnerabilities.

URL:URL filter


WildFire: malware analysis, PA cloud sandbox

WildFire Verdicts:
Benign:  safe
Grayware: adware, spyware, and Browser Helper Objects (BHOs).
Phishing:
Malicious: Malware includes virus, worms, Trojans, rootkits, and botnets.

Content ID

Security Profiles:

Antivirus
Anti-Spyware
Vulnerabilities

Above three in threat log.

URL filtering
File Blocking
Data Filtering

DoS protection profile: flood protection and resource protection, then attach to Dos Protection Policy

Zone protection profile



User ID:

AD user agent
LDAP user agent
captive portal
TS agent
PAN client


Group mapping, then group can be used in security policy
1. Create server profile, like ldap server profile.
2. User Identification > Group Mapping Setting

User Mapping (Agentless), for user-IP mapping, pull user login log via WMI
User Identification > User mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor Account.
User Identification > User mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor.


User Identification > User mapping >  Server Monitoring.

 

How to Configure Agentless User-ID
 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGGCA0

show user user-ids match-user []
show user ip-user-mapping all


Authentication Profile refers a server profile (with Allow List), then be used in creating admin account or  captive portal to actually authenticate user:


test authentication authentication-profile Auth-Profile username user1 password 

admin@Panorama> test authentication authentication-profile AuthProfielLDAP username user1 password
Enter password :
Target vsys is not specified, user "user1" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "user1" is in group "all"
Authentication to LDAP server at 172.16.1.10 for user "user1"
Egress: 172.16.1.62
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=user1,CN=Users,DC=lab,DC=local
User expires in days: never
Authentication succeeded for user "user1"
admin@Panorama>


If use local user DB for admin access:
1. Create a local user and/or user group
2. Create a Authentication Profile, authentication type choose Local Database, configure Allow List.
3. Create an administrator identical name with step one, choose Authentication Profile created in step2. Assign Administrator Type Dynamic or Role Based. 
 
If use external DB like radius for admin access:
    only Radius, TACACS+ and SAML are supported.
1. Create Server profile
2. Create Authentication Profile, authentication type choose the one created in spep1.
3. Device>Setup>Management>Authentication Settings, select Authentication Profile created in step 2.
4. Create an Admin Role Profile


Authentication Policy define what trigger the authentication.




SSL Decryption

1. SSL Forward Proxy - decrypt outbound traffic for user access Internet

2. SSL Inbound Inspection - decrypt inbound traffic for server behind FW

Apply Decryption Policy




Wildfire

could service detect unknown threats, generate verdict:

Benign -- Allow
Grayware -- Allow
Phishing -- Deny
Malware -- Deny


1.QoS Profile (aka service-map)
 Define BW usage or PQ for each class

2. QoS Policy (aka class-map)
Define what traffic assign to which class.
Qos policy processed after other policies.

3. Activate QoS on an interface (aka service-policy), assign QoS Profile
Network>QoS


============Log==============

1. Device >  Server Profiles: SNMP trap, Email, Syslog and HTTP

2. For system, configuration etc, Device > Log Settings

3. For traffic related, Objects > Log forwarding

 3.1 specify Log Type, Forward Method
       if log forwarding profile is "default", it will be selected by all security policy automatically.










     3.2. Assign the  Log Forwarding profile to a Security Policy



















VM-Series Plugin

The VM-Series firewalls include the VM-Series plugin, a built-in plugin architecture for integration with public cloud providers or private cloud hypervisors. The VM-Series plugin can be manually upgraded independent of PAN-OS

Device > 
VM-Series
If your firewall is deployed on a hypervisor or cloud without a public interface (for example, VMware ESXi), the tab is named VM-Series and displays a general message.

Log in to the VM-Series firewall and check the dashboard to view the plugin version.
Device > 
Plugins
download and install


Configuration Management
The right top corner dropdown Save changes & Revert changes is about candidate configuration.  They shortcut of  menu of Device> Setup > Operations 
     Save candidate configuration     .snapshot.xml
     Revert to running configuration  running-config.xml


Reset Configuration

1. When admin password is known, and wants to keep
 installed content packages
> request system private-data-reset










after system reboot, license is gone, but vm retrieve license works without re-inputing auth-code.


2. When admin password is known, and want to reset to factory default
> debug system maintenance-mode


























































































after system reboot, license is gone, but vm retrieve license works without re-inputing auth-code



3. When admin password is unknown
From console, type maint during bootup
Choose  Reset to Factory Default



Device Certificate


You must install the device certificate on your Next-Generation Firewall to use one or more cloud services. You only need to install a device certificate once. The device certificate has a 90 day lifetime. The firewall re-installs the device certificate 15 days before the certificate expires.

Device> 
Setup> 
Management> 
Device Certificate


issue:
renew device certificate. Invalid request. Authentication failed
fix:
request certificate fetch
show device-certificate status



Comments

Post a Comment

Popular posts from this blog

Firepower FMC and FTD troubleshooting

-
 1. Display real time log on FMC or FTD: pigtail for example: pigtail | grep 192.168.2.20                      pigtail | grep sftunnel 2. Restart communication channel manage_procs.pl run it from  the sensor only, run it from FMC will reset all sensors' channel. This scripts are nice to be used when the FMC and FTD have communication problems like heartbeats are not received, policy deployment is failing or events are not received > expert ************************************************************** NOTICE - Shell access will be deprecated in future releases          and will be replaced with a separate expert mode CLI. ************************************************************** admin@FTD:~$ sudo su Password: root@FTD:/home/admin# manage_procs.pl ****************  Configuration Utility  **************  1   Reconfigure Correlator  2   Reconfigure and flush Correlator  3    Restart Comm. channel  4   Update routes  5   Reset all routes  6   Validate Network  0   Exit *****
Read more

ASA IKEv1 VPN troubleshooting Steps and Tips

-
  1. Phase I proposal mismatch  Run show crypto isakmp sa  Initiator: MM_WAIT_MSG2 Responder: No info  Most likely this is phase1 proposal mismatch, verify IKEv1 policy, other symptoms:   Initiator log: Information Exchange processing failed All configured IKE versions failed to establish the tunnel Initiator debug: Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Responder log: Error processing payload: Payload ID Responder debug:  All SA proposals found unacceptable 2. IKE version mismatch:  Run  show crypto isakmp sa  no info at both initiator and responder Initiator log: Removing peer from correlator table failed, no match! Reason: User Requested  All configured IKE versions failed to establish the tunnel Initiator debug: Oakley begin quick mode PHASE 1 COMPLETED IKE Initiator sending 1st QM pkt Removing peer from correlator table failed, no match! Session is being torn down. Reason: User Requested Responder log: Tunnel Rejected: Conflicting protocols specified
Read more

Firepower 2100/1100 FTD/ASA initial setup, reimage, upgrade.

-
  Chassis FXOS and FTD share same management IP (default 192.168.45.45) Chassis FXOS (192.168.45.45) and ASA ()use different management IP although on same physical interface. SSH to FXOS/FTD are on FTD CLI prompt, go to FXOS using the  connect fxos  command Console to Chassis is on FXOS CLI prompt, go to FTD using the  connect ftd  command The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS).  If you run ASA on Firepower 2100, ASA can be in the following modes: Appliance mode (the default after ASA 9.13)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI. See the  FXOS troubleshooting guide  for more information. Firepower Chassis Manager is not supported . ciscoasa# connect fxos [admin] Connecting to fxos. Connected
Read more