Friday, January 10, 2020

Palo Alto Networks Firewall Zone Protection (DoS) and App Scope

To protect a zone against reconnaissance scans and flood-style Denial of Service (DoS) attacks, you can configure a Zone Protection profile under Network > Network Profiles > Zone Protection > Add.


Type a Name (ZONE-PROTECTION-PROFILE-1) > under the Flood Protection tab > tick all options (SYN, ICMP, ICMPv6, Other IP, UDP). The Alarm, Activate and Maximum rates next to each option are packets per second; leave the defaults until you have baselined the zone's normal packet rates, otherwise legitimate bursts will be dropped.


Go to Reconnaissance Protection tab > tick Enable on all three Scans (TCP Port, Host Sweep and UDP Port).


Change the Action to Block for all three scan types (the alternatives are Allow, Alert and Block IP; Block IP also blocks the scanning source for a configurable duration).



Go to the Packet Based Attack Protection tab > IP Drop > tick: Spoofed IP address, Fragmented traffic > under IP Option Drop > tick Strict Source Routing and Loose Source Routing > click OK. Dropping all fragmented traffic is safe in a lab but can break legitimate protocols that fragment (large DNS responses, IKE and IPsec, some VPN traffic), so test it before applying it to a production zone.



To apply the Zone Protection profile, go to Network > Zones > click the zone > Zone Protection Profile > select the Zone Protection profile created earlier.


Apply the same Zone Protection profile to the outside and dmz Security Zones as well. A Zone Protection profile is enforced on traffic entering the zone it is attached to, so every zone that should be protected needs one.


Click Commit.


I ran Zenmap (the GUI version of Nmap) on the client PC (192.168.1.20) and performed an Intense scan on the DMZ server 192.168.50.10.


To see the Nmap scan traffic, go to Monitor > Logs > Threat. Notice the Type column shows scan, the Name column shows SCAN: TCP Port Scan, the To Port column shows random high-numbered ports, and the Action is drop.


Click the magnifying glass icon to get a Detailed Log View.
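The same scan events can be pulled off the firewall (syslog forwarding, or a CSV export of Monitor > Logs > Threat) and summarised outside the GUI, which is what a SOC would do across many firewalls. The following is an added shell/awk example and not from the original post. The log lines are constructed for the example and use a reduced set of columns named after the real threat log fields (subtype, src, dst, dport, threatid, action); a real export carries many more columns, which is why the script locates columns by header name rather than by position. It groups scan events per source, destination and signature, counts the distinct ports hit, and warns when the logged action is not a blocking one, which catches a zone whose profile was left on Alert instead of Block.

```shell
#!/bin/sh
# Added example: summarise SCAN events from a PAN-OS threat log CSV.
# The sample below is constructed for this example with a reduced column set
# named after the real log fields; real exports have many more columns, and
# the awk script finds columns by header name, so extra columns do no harm.
SAMPLE_THREAT_LOG='receive_time,type,subtype,from,to,src,dst,dport,threatid,action
2020/01/10 10:15:01,THREAT,scan,inside,dmz,192.168.1.20,192.168.50.10,34567,SCAN: TCP Port Scan(8001),drop
2020/01/10 10:15:01,THREAT,scan,inside,dmz,192.168.1.20,192.168.50.10,40211,SCAN: TCP Port Scan(8001),drop
2020/01/10 10:15:02,THREAT,scan,inside,dmz,192.168.1.20,192.168.50.10,40211,SCAN: TCP Port Scan(8001),drop
2020/01/10 10:15:02,THREAT,scan,inside,dmz,192.168.1.20,192.168.50.10,51002,SCAN: TCP Port Scan(8001),drop
2020/01/10 10:15:30,THREAT,scan,outside,dmz,203.0.113.7,192.168.50.10,53,SCAN: UDP Port Scan(8003),alert
2020/01/10 10:15:31,THREAT,scan,outside,dmz,203.0.113.7,192.168.50.10,161,SCAN: UDP Port Scan(8003),alert
2020/01/10 10:16:00,THREAT,vulnerability,inside,dmz,192.168.1.20,192.168.50.10,80,Example Vulnerability(99999),reset-both'

# Reads the CSV on stdin and prints one line per (source, destination, scan
# signature): event count, number of distinct destination ports, and a
# warning when the zone's scan action did not actually block the scan.
summarise_scans() {
  awk -F',' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $(col["subtype"]) != "scan" { next }
    {
      key = $(col["src"]) SUBSEP $(col["dst"]) SUBSEP $(col["threatid"])
      events[key]++
      port = key SUBSEP $(col["dport"])
      if (!(port in seen)) { seen[port] = 1; ports[key]++ }
      # "drop" (scan action Block) and "block-ip" are the blocking outcomes
      # as logged; anything else means the profile only alerted or allowed.
      a = $(col["action"])
      if (a != "drop" && a != "block-ip") unblocked[key]++
    }
    END {
      for (k in events) {
        split(k, f, SUBSEP)
        line = sprintf("%s -> %s  %s  events=%d distinct_ports=%d",
                       f[1], f[2], f[3], events[k], ports[k])
        if (k in unblocked)
          line = line sprintf("  WARNING: %d event(s) not dropped", unblocked[k])
        print line
      }
    }' | sort
}

# Stand-alone run over the constructed sample; feed a real export on stdin instead.
printf '%s\n' "$SAMPLE_THREAT_LOG" | summarise_scans
```

On the sample this prints one line for the internal TCP port scan (4 events, 3 distinct ports, all dropped) and one for the UDP scan from outside with a warning, because those events were only alerted on. Pipe a real export through `summarise_scans` the same way; the only columns it needs are the ones named above.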


You can use the PAN Firewall App Scope to monitor network bandwidth or observe the network behavior due to a recent network change.

To view App Scope, go to Monitor > App Scope > Summary.




To monitor network behavior due to a network change, go to Monitor > App Scope > Change Monitor.


To monitor network threats, go to Monitor > App Scope > Threat Monitor.


Click the Threat Category drop-down to change the view between Threat, Threat Category, Source and Destination.


This is Threat Monitor view by Source.


This is Threat Monitor view by Destination.


This is Threat Map > Incoming threats view which is a nice dashboard that can be used in a Security Operations Center (SOC) environment.


This is Threat Map > Outgoing threats view.


This is Network Monitor view.


You can change the view with the Application Category drop-down: Application, Application Category, Source and Destination.


You can change the graph or chart type in the upper right corner (for example, Stacked area chart).


This is Network Monitor view by Source.


This is Network Monitor view by Destination.


This is Traffic Map view by Incoming traffic.


In the same Traffic Map view by Incoming traffic, notice the PAN Firewall's own location is plotted in the middle of the ocean, because no coordinates have been set for it yet.


You can update the Latitude and Longitude info to pinpoint the location of the PAN Firewall under Device > Management > edit (gear icon).


Type the Latitude and Longitude. In this case Singapore's latitude and longitude are 1.3521° N and 103.8198° E respectively, entered as the decimal values 1.3521 and 103.8198.



Click Commit.

 
 
Click the PDF icon to export the selected report. In this case I'm exporting a PDF report for Traffic Map > Outgoing traffic.


Click Yes to Download Report.


You need to allow web browser pop-ups in order to view the downloaded PDF report.

Select Always allow pop-ups > Done. Click on the hyperlink to view the report. Notice the PDF report (at the bottom) was downloaded on the client machine.


You can share the PDF report with IT management or with non-technical staff, for example the Sales or Finance team.



Saturday, January 4, 2020

Palo Alto Networks CA Certificate Management

You get the error "Your connection is not private" whenever you browse over HTTPS to a new device.

This is because the device presents a self-signed certificate, and the client does not have the CA certificate that issued it installed as trusted. This post sets up the other direction of trust, client certificate authentication for administrators, so the browser warning about the firewall's own web server certificate still appears later in the walkthrough.


To create a local user account, go to Device > Administrators > Add.

Notice the admin (Superuser) account created by default.
 

Type a Name (john) and type a Password > type again to Confirm Password > leave other settings in default > click OK.



You'll need to generate two certificates: the first is a self-signed Root CA, the top-most certificate, which the PAN Firewall can also use for other purposes; the second is a client (user) certificate signed by that CA. For the firewall to map a client certificate to an administrator on its own, the certificate's Common Name must match the administrator name (john) and the account must be set to Use only client certificate authentication (Web) under Device > Administrators. In this walkthrough the client certificate uses a different Common Name, so the firewall still asks for john's password after checking the certificate.

To generate a CA cert, go to Device > Certificate Management > Certificates > Generate (at the bottom).
 

Leave the default Certificate Type: Local > type a Certificate Name: PAN-CA-CERT > type a Common Name: 192.168.1.1 > tick Certificate Authority.

You can optionally add a Certificate Attributes.
 

In this case, I added Country > SG (Singapore) > click Generate.


Click OK.


To create the client (user) cert, click Generate (at the bottom) > leave the default Certificate Type: Local > type a Certificate Name: PAN-USER-CERT > type a Common Name: PAN-USER-CERT > select Signed By: PAN-CA-CERT (the Root CA cert created earlier) > click Generate.


Notice the User Cert (PAN-USER-CERT) is listed nested under the Root CA cert (PAN-CA-CERT), showing which certificate signed it.

Click OK.


To create a Certificate Profile, go to Device > Certificate Management > Certificate Profile > Add. 


Type a Name: CERT-PROFILE-1 > select Username Field: Subject (the firewall takes the username from the client certificate's Subject common name).


Click Add > select CA Certificate: PAN-CA-CERT (Root CA Cert created earlier).


Click OK.



To apply the Certificate Profile, go to Device > Setup > Management tab > Authentication Settings > click edit (gear icon).


Select Certificate Profile: CERT-PROFILE-1 created earlier > click OK. Once this is committed, every web interface login requires a client certificate issued by PAN-CA-CERT, so export and install the client certificate on your PC before you commit, and keep an SSH or console session open so you can back the change out if the browser cannot present the certificate.



To export the client cert (PAN-USER-CERT) with its private key, go to Device > Certificate Management > Certificates > tick PAN-USER-CERT > Export (at the bottom).


Select File Format: Encrypted Private Key and Certificate (PKCS12).


Type a Passphrase (this encrypts the private key inside the PKCS12 file; you will need it again when importing on the client) > type again to Confirm Passphrase > click OK.


Notice the PAN-USER-CERT was downloaded on the client machine.


Click Commit.
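The two certificates above can also be produced off-box with OpenSSL, which makes it easy to see exactly what the firewall generates and to check the result before committing. This is an added example and not from the original post: it creates the self-signed root CA, issues a client certificate whose Common Name is the administrator name (john), since a Certificate Profile with Username Field: Subject takes the username from the subject's common name, bundles key and certificate as a passphrase-protected PKCS12 (the same format the firewall's Export produces) and verifies the chain. The working directory, file names and export passphrase are assumptions for illustration; the country (SG), CA name and administrator name come from the walkthrough. It needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: build the PAN-CA-CERT / client-cert pair with OpenSSL and check it.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"                  # assumption: scratch directory
CA_NAME="PAN-CA-CERT"                                # CA name used in the walkthrough
ADMIN="john"                                         # CN must equal the firewall admin name
P12_PASS="${P12_PASS:-ChangeMe-Export-Passphrase}"   # assumption: PKCS12 export passphrase

# 1. Self-signed root CA: the equivalent of Generate with "Certificate Authority"
#    ticked. basicConstraints CA:TRUE and keyCertSign are what make it a CA.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=SG/CN=$CA_NAME" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/ca.ext"
  openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" -days 1825 -sha256 \
    -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. Client certificate signed by the CA. extendedKeyUsage=clientAuth is what the
#    browser looks for when deciding which certificate to offer the firewall.
make_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$ADMIN" \
    -keyout "$WORKDIR/$ADMIN.key" -out "$WORKDIR/$ADMIN.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORKDIR/client.ext"
  openssl x509 -req -in "$WORKDIR/$ADMIN.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORKDIR/client.ext" \
    -out "$WORKDIR/$ADMIN.crt" 2>/dev/null
}

# 3. Bundle key + certificate + issuing CA as an encrypted PKCS12, like the
#    firewall's "Encrypted Private Key and Certificate (PKCS12)" export.
export_p12() {
  openssl pkcs12 -export -inkey "$WORKDIR/$ADMIN.key" -in "$WORKDIR/$ADMIN.crt" \
    -certfile "$WORKDIR/ca.crt" -name "$ADMIN" -passout "pass:$P12_PASS" \
    -out "$WORKDIR/$ADMIN.p12"
}

# Checks: does the client cert chain to the CA and qualify as a TLS client cert?
verify_chain() {
  openssl verify -purpose sslclient -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$ADMIN.crt" >/dev/null 2>&1
}

# The CN the firewall will read when Username Field is set to Subject.
cert_cn() {
  openssl x509 -in "$WORKDIR/$ADMIN.crt" -noout -subject | sed 's/.*CN *= *//'
}

# CN recovered from the PKCS12 with the given passphrase; empty if it does not open.
p12_cn() {
  openssl pkcs12 -in "$WORKDIR/$ADMIN.p12" -passin "pass:$1" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

make_ca
make_client_cert
export_p12
verify_chain
echo "client cert CN=$(cert_cn) verified against $CA_NAME; bundle at $WORKDIR/$ADMIN.p12"
```

Import ca.crt on the firewall under Device > Certificate Management > Certificates > Import if you want the firewall to trust an off-box CA instead of generating its own, and import john.p12 into the client's Personal store as in the steps below. If an older Windows client refuses the PKCS12 file, re-export it with the OpenSSL 3 `-legacy` option on the `pkcs12` command.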


To install the client cert on the Windows PC, open the Certificate Manager (certmgr.msc) > Certificates - Current User > right-click on the Personal folder > All Tasks > Import.


Click Next.


Type the passphrase (the one entered when the PKCS12 file was exported from the firewall) > click Next.


Leave the default Certificate store: Personal > click Next.


Click Finish.


Click OK.

Close the Certificate Manager > click Yes to save settings.


I logged in again to the PAN Firewall via HTTPS and a Confirm Certificate page was displayed.

Click OK.


Click Continue to the website (not recommended). This warning is about the firewall's own web server certificate, which the browser still does not trust; it is separate from the client certificate just installed.


The Confirm Certificate page is displayed again. Click OK.


I logged in using the user account john, typed the password and clicked Log In.


Notice Logged In Admins now shows john, and under System Logs the firewall records: Client certificate authentication successful from 192.168.1.20.