Friday, December 6, 2019

Palo Alto Networks Firewall High Risk and Geolocation IP Blocking

To configure the PAN Firewall to block High Risk and Known Malicious IP addresses via a Dynamic IP List (similar to the DBL) and international attackers by Geolocation IP, go to Objects > External Dynamic Lists > Add. Notice the Dynamic IP List or feed created in my previous post.

There are also two Default Dynamic IP Lists: High risk and Known malicious IP addresses.


To apply these Dynamic IP Lists, go to Policies > Security > click Rule #1 (Allow-Any) > Clone (at the bottom).


Leave the Default Name selected > click OK.


Click Allow-Any-1 to edit.


Under General > edit the Name: BLOCK-OUT-HIGH-MALICIOUS-IP. Note a Name can be up to 31 characters in length.


Under Source > Source Zone > Add > select inside.


Under Destination > Destination Zone > Add > select outside.


Under Destination Address > Add > select both Palo Alto Networks - High risk IP addresses and Known malicious IP addresses.


You can also block based on Geolocation source IP address (Geo-IP). Refer to the PAN Knowledge Base (KB) for the Region Code Legend.

For this lab, I've blocked both Outbound and Inbound traffic for North Korea (KP), China (CN) and Russia (RU).
 


Leave the Application and Service/URL Category tabs with the default of Any.



Under Actions tab > Action Setting > Action: Deny > click OK.


Clone Rule #2 (BLOCK-OUT-HIGH-MALICIOUS-IP) > Clone (at the bottom) to configure a Security rule for Inbound traffic.


Leave the default Name selected > click OK.


Click BLOCK-OUT-HIGH-MALICIOUS-IP-1 to edit.


Under General tab > edit Name: BLOCK-IN-HIGH-MALICIOUS-IP.


I just configured a reverse or mirrored rule for Inbound traffic. Under Source > Source Zone > modify to outside.

For Source Address > Add both Palo Alto Networks - High risk IP addresses and Known malicious IP addresses. Also add the Geo-IP addresses for North Korea (KP), China (CN) and Russia (RU).


Under Destination > Destination Zone > modify to inside > click OK.


Move Security Rules #2 and #3 to positions #1 and #2 respectively. Either select and drag each Security rule, or Ctrl + click to select multiple rules (Rules #2 and #3) and then click Move (at the bottom) > Move Top.



Before clicking Commit, I tried to ping two of the High Risk IP addresses (as of this writing): 103.37.60.112 and 103.253.73.168.


To get a list of High Risk or Known Malicious IP addresses, issue the CLI command request system external-list show type predefined-ip name <panw-highrisk-ip-list | panw-known-ip-list>.


To monitor ICMP logs, go to Monitor > Logs > Traffic.

Notice the Application: ping to Destination: 103.37.60.112 and 103.253.73.168 had an Action: allow.


Click on magnifying glass icon to get a Detailed Log View.

Notice under Destination > Address (103.37.60.112) > Country > Hong Kong.
 

Notice under Destination > Address (103.253.73.168) > Country > Thailand.


To apply the new Security rules, click Commit.


I was unable to ping to the High Risk IP addresses afterwards.


To monitor ICMP logs, go to Monitor > Logs > Traffic.

Notice Application: ping > Action: deny > Rule: BLOCK-OUT-HIGH-MALICIOUS-IP.

Click the magnifying glass icon to get a Detailed Log View.



I tried to visit popular websites in China and Russia but my access was denied.


Click the magnifying glass icon to get a Detailed Log View.



I also got denied when I visited a North Korean website.



Sunday, December 1, 2019

Palo Alto Networks Firewall Dynamic Block List (DBL)

The Dynamic Block List (DBL) automates the blocking of domains or websites instead of configuring them manually on each PAN Firewall. You just need to update a list or a script on a web server.

I listed popular websites that are commonly blocked because they impact productivity (depending on the company's IT policy): Facebook, Youtube and Reddit. I saved the Notepad (.txt) file and named it block-list.

You'll need a wildcard pattern, such as the asterisk (*) and dot (.), to correctly match the URL/domain in the Dynamic Block List.


I tried to access the said websites prior to configuring the Dynamic Block List.




To view logs, go to Monitor > Logs > Traffic.


I transferred the file block-list.txt from the client Windows machine to the web (Linux) server via WinSCP.


To configure a Dynamic Block List, go to Objects > External Dynamic Lists > Add.


Type a Name (DYNAMIC-LIST-BLOCK-1) > Type: URL List.


Type the Source: http://192.168.50.10/block-list.txt > Repeat: Five Minute > click OK.

I configured the DMZ/web server (192.168.50.10) as the Source, and the firewall imports the list or feed every 5 minutes. There's no need to Commit each time the PAN Firewall automatically retrieves the Dynamic Block List.

You need to configure the Dynamic Block List first before you can use the Test Source URL.

Notice the Source URL is accessible. Click Close.

To apply the External Dynamic List, go to Policies > Security > click Rule #1 (Allow-Inside-Out) > Clone.


Leave the default Name selected > click OK.


Under General, type a Name (DYNAMIC-LIST-BLOCK).


Leave the other cloned settings in their default.




Under Service/URL Category > URL Category > External Dynamic Lists > select DYNAMIC-LIST-BLOCK-1 created earlier.


Under Actions tab > Action Settings > Action: Deny > click OK.


You can click and drag a Security rule to the position you want. I dragged the DYNAMIC-LIST-BLOCK rule to position 1.


Alternatively, you can select a rule > click Move (at the bottom) > Move Top to move the selected rule to the topmost rule.


Click Commit.


To verify the blocked URLs, type the CLI command request system external-list show type url name <DYNAMIC LIST OBJECT NAME>.

Notice the three domains are listed: *.facebook.com, *.youtube.com and *.reddit.com.

If there's an update to the DBL file and you can't wait for the five-minute refresh, you can force an update with the CLI command request system external-list refresh type url name <EXTERNAL DYNAMIC LIST NAME>.
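As an added example (my own, not the post's configuration or any PAN-OS code), a small Python checker for the two feed formats used in these posts: it validates an IP-type list (single addresses, CIDRs, ranges) before you publish it to the web server, and approximates how a URL-type list with *. wildcards matches a hostname, so you can predict what the CLI show command and the Traffic log will report. The sample list contents are constructed (the two addresses are the High Risk IPs quoted in the first post; the CIDR is made up), and the wildcard semantics are a simplified assumption, so confirm them against the PAN-OS documentation.

```python
import ipaddress

# Constructed sample feeds in the one-entry-per-line EDL text format.
# URL_LIST mirrors block-list.txt from the post; IP_LIST uses the two
# High Risk addresses quoted in the post plus a made-up CIDR and range.
URL_LIST = """*.facebook.com
*.youtube.com
*.reddit.com
"""
IP_LIST = """103.37.60.112
103.253.73.168
198.51.100.0/24
203.0.113.10-203.0.113.20
"""

def parse_entries(text):
    """Return the non-blank, whitespace-stripped lines of a feed."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def validate_ip_list(text):
    """Split an IP-type feed into accepted networks and rejected lines.
    Rejected lines are worth fixing before the firewall fetches the feed."""
    good, bad = [], []
    for entry in parse_entries(text):
        try:
            if "-" in entry:  # range form: first-last
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                good.extend(ipaddress.summarize_address_range(lo, hi))
            else:             # single address or CIDR
                good.append(ipaddress.ip_network(entry, strict=False))
        except (ValueError, TypeError):
            bad.append(entry)
    return good, bad

def ip_matches(text, address):
    """True if the address falls inside any accepted entry of the IP feed."""
    networks, _ = validate_ip_list(text)
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in networks)

def url_matches(text, host):
    """Approximate URL-feed matching (assumption, not PAN-OS's matcher):
    a '*.' entry covers any subdomain at any depth but not the bare domain;
    an entry without a wildcard matches only that exact host."""
    host = host.lower().rstrip(".")
    for entry in parse_entries(text):
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # suffix like ".facebook.com"
                return True
        elif host == entry:
            return True
    return False
```

Run the validator on block-list.txt before copying it to the web server; an entry like facebook.com without the wildcard would block only the bare host, which is the mismatch the post warns about.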


I tried visiting the websites on the DBL again but got a "page can't be displayed" error.




To view DBL logs, go to Monitor > Logs > Traffic. 

Notice under Action column: reset-both and under Rule column: DYNAMIC-LIST-BLOCK.


Click on the magnifying glass icon to get a Detailed Log View.

Notice the Security Policy Rule: DYNAMIC-LIST-BLOCK with Category: DYNAMIC-LIST-BLOCK-1 took effect on the URLs in the DBL: www.facebook.com, www.youtube.com and www.reddit.com.




Access to other websites (Google and CNN) worked just fine.