Friday, November 8, 2019

Palo Alto Networks Firewall WildFire Malware Analysis

The Palo Alto Networks (PAN) Firewall uses WildFire (a cloud service) to block and sandbox unknown malware (zero-day attacks). You first need a WildFire license applied.

To verify the PAN Firewall license, go to Device > Licenses > WildFire. Notice the Date Expires: May 19, 2020.


You also need to update WildFire under Device > Dynamic Updates > WildFire. You can sort by the latest update by clicking the Release Date column.

Notice that the WildFire last update is from 2017. Click Check Now to download new updates.


Click Download for the WildFire update (2019).



Click Install.



You can modify the WildFire settings under Device > Setup > WildFire tab > click edit (gear icon). I just left its settings at their defaults.



To configure the PAN Firewall to submit decrypted files to the WildFire cloud (for sandboxing), go to Device > Setup > Content-ID > Content-ID Settings.

You'll need an SSL Decryption policy configured on the PAN Firewall as well.


Tick Allow forwarding of decrypted content > click OK.



To configure a WildFire Analysis Security Profile, go to Objects > Security Profiles > WildFire Analysis > tick default > Clone.


Leave the Name selected by default > click OK.


Click default-1 to edit.


Type a Name (WILDFIRE-PROFILE-1) > leave the other settings at their defaults > click OK.



To apply a WildFire Analysis Security Profile, go to Policies > Security > click on Rule #1 (Allow-Any).


Under Actions > Profile Setting > WildFire Analysis: WILDFIRE-PROFILE-1 > click OK.


Click Commit.


There are several test files on the Palo Alto Networks website for testing WildFire configured on a PAN Firewall. I tried to download various malware test files to trigger WildFire.


To monitor WildFire logs, go to Monitor > Logs > Traffic. Notice that the traffic from the inside client machine (192.168.1.20) was redirected to the Palo Alto WildFire cloud.


Click the magnifying glass icon to get a Detailed Log View.


The WildFire Submissions logs took a few minutes to appear under Monitor > Logs > WildFire Submissions.


Click the magnifying glass icon to get a Detailed Log View.





Friday, November 1, 2019

Palo Alto Networks Firewall User-Identification (User-ID) and Captive Portal

To add a Local User account, go to Device > Local User Database > Users > Add (at the bottom).

Type the user Name (John) > leave the default Mode: Password > type the Password > type again to Confirm Password > click OK.

I added another user Name: Sophia.



Configure an Authentication Profile under Device > Authentication Profile > Add.


Type a Name (LOCAL-AUTH-PROFILE-1) > leave the default Type: Local Database.


Leave the other settings at their defaults.



Under Advanced tab > Allow List > select all > click OK.




Enable Local User-ID on a Security Zone under Network > Zones > click the inside zone.


Under User Identification ACL > tick Enable User Identification > click OK.



Since I have no Active Directory (AD) in my lab, I'll leverage the Captive Portal login for web access on the PAN Firewall. This is a common solution for Wi-Fi hotspots in hotels or coffee shops.

To configure Captive Portal, go to Device > User Identification > Captive Portal Settings > click edit (gear icon).

Tick Enable Captive Portal > under Authentication Profile > select LOCAL-AUTH-PROFILE-1 created earlier > leave the other settings at their defaults > click OK.



Go to Objects > Authentication > tick default-web-form > Clone (at the bottom).


Leave the default Name selected > click OK.


Click default-web-form-1 to edit.


Type a Name (LOCAL-AUTH-WEB-FORM-1) > leave the default Authentication method: web-form.


Select Authentication Profile: LOCAL-AUTH-PROFILE-1 created earlier.


Optionally type a Message > click OK.



To enable the Captive Portal, go to Policies > Authentication > Add.


Under General tab > type a Name (WEB-AUTH-POLICY-1).


Under Source tab > Source Zone > Add > select inside.


Under Destination tab > Destination Zone > Add > select outside.


Under Service/URL Category tab > Service > Add > service-https. The service-http entry is already added by default.


Under Actions tab > select Authentication Enforcement: LOCAL-AUTH-WEB-FORM-1 created earlier > click OK.


Click Commit.


You'll need an SSL Decryption policy to perform deep packet inspection of HTTPS traffic and enforce User-ID with Captive Portal.

<SSL DECRYPTION BLOG LINK>

I tried to visit Facebook (HTTPS) and got a website security certificate error (PAN Firewall self-signed CA cert). Click Continue to this website (not recommended).


I got redirected to the PAN Firewall Captive Portal. I logged in using the configured local user account (John).



To monitor User-ID, go to Monitor > Logs > Traffic.

Notice that the Source User column has the User-ID for john. You can apply a search filter by clicking the specific user > click the green arrow icon.

Click the magnifying glass icon to get a Detailed Log View. Notice the user under Source > User > john.

You can now apply granular Security policy to a specific User-ID.


You can use the CLI command show user ip-user-mapping ip <ip/sm> to view the User-to-IP mapping on the PAN Firewall. Here's a link to the User-ID cheat sheet commands.
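The same User-to-IP lookup can be scripted against the firewall's XML API, which is handy for checking that a Captive Portal login actually produced a mapping. This is an added example, not code from the post; the host, API key and CA file are placeholders, and the tag names in the constructed sample response are an assumption about the PAN-OS output format.

```python
from __future__ import annotations
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# PAN-OS operational commands are sent over the XML API as nested elements,
# one element per CLI keyword. This builds the XML form of
# 'show user ip-user-mapping ip <ip>' (the CLI command mentioned above).
def build_op_cmd(ip: str) -> str:
    return (f"<show><user><ip-user-mapping><ip>{ip}</ip>"
            "</ip-user-mapping></user></show>")

def build_url(host: str, api_key: str, ip: str) -> str:
    query = urllib.parse.urlencode({"type": "op", "key": api_key,
                                    "cmd": build_op_cmd(ip)})
    return f"https://{host}/api/?{query}"

def parse_mapping(xml_text: str) -> list[dict]:
    """Return one dict per <entry> in an op-command response; raise on an error status."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(root.findtext(".//line") or "op command failed")
    return [{"ip": e.findtext("ip"), "user": e.findtext("user"),
             "type": e.findtext("type"), "vsys": e.findtext("vsys")}
            for e in root.iter("entry")]

def query_mapping(host: str, api_key: str, ip: str, cafile: str) -> list[dict]:
    """Live query. cafile is the firewall's CA certificate, so TLS validation
    is kept rather than disabled for the self-signed management cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(build_url(host, api_key, ip),
                                context=ctx, timeout=10) as r:
        return parse_mapping(r.read().decode())

# Constructed sample responses (assumed schema): a Captive Portal (CP) mapping
# for the lab client, and an error response for a bad API key.
SAMPLE_OK = """<response status="success"><result>
  <entry><ip>192.168.1.20</ip><vsys>vsys1</vsys><type>CP</type><user>john</user>
         <idle_timeout>3600</idle_timeout><max_timeout>3600</max_timeout></entry>
  <count>1</count></result></response>"""
SAMPLE_ERR = ('<response status="error"><msg><line>Invalid credentials.</line>'
              '</msg></response>')

if __name__ == "__main__":
    for m in parse_mapping(SAMPLE_OK):  # offline demo on the constructed response
        print(f"{m['ip']} -> {m['user']} ({m['type']}, {m['vsys']})")
```

The `type` field tells you where a mapping came from (a Captive Portal login here), which is the first thing to check when a user shows up as unknown in the Traffic log.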

I needed to clear the User-ID for John and log in as Sophia via the Captive Portal.


I logged in as Sophia in the Captive Portal.


To monitor User-ID, go to Monitor > Logs > Traffic.

Notice that the Source User column now has the User-ID for sophia.