Palo Alto

Palo Alto Captive Portal

Well let me tell you what happen this week
I saw one of our work mate login in his private Laptop to internet and download is so high and his user don’t show in the monitor page.

So there is a feature available in hotel and Internet Cafe and its a great feature to control who is going and coming and sometimes to which website
This Feature Called Captive portal

let me guide you in the configuration
the requirement 1, 2 & 3 available in earlier blog you can click in each component and it direct you to the page
1-LDAP
2-Authentication Profile
3-Certificate
4-Certificate Profile
5-Enable Captive Portal
6-Captive portal policies

So start from Step 4 to create a certificate profile
Go to Device – Certificate Management – Certificate profile – +
Choose Name and Select the User Domain
then under the CA Certificate Add your Cert that Created in Earlier Blog
50

60

1
Then Go to Device – User Identification – Captive Portal Settings – Edit
Make Sure to check Enable Captive Portal
Choose the Authentication Profile That we Created in the Earlier Blog
and Choose Mode Redirect
and in the Filed of Redirect Host put our LAN IP 192.168.250.250 so all traffic forward to that IP2
Now Lets Create a Captive Rule
Go to Policies – Captive Portal – +
Choose a Name
3
Then Select the Source as Inside4
Select your Destination as the Outside WAN5
After that select Your Service as HTTP and HTTPS also you can add a URL Category if you want to strict the Captive Portal to specific web sites
6
Choose the Action web-form 7
Last thing go to the Management Profile and make Sure you check the Response Pages so the user would be able to receive it
Got o Network – Network Profiles – Interface Mgmt – edit my Profile which i created in an Earlier Blog
8
Now lets go to the user PC and Open a browser to google Web Site
as you can see it direct me to 192.168.250.250 in URL
Click on Continue to this website (not recommended)
10
It will ask you for your Username and Password
I will put my LDAP Authentication Username and password20
Now it Login me30
and Walla im there40

 

Note: in the newer version of Palo Alto Captive Portal Policy is Called: Authentication Policy and Web-form is changed to : default-web-form

;D

Advertisements
Standard
Palo Alto

Blocking Youtube Using Palo Alto URL Category

Youtube
The Bandwidth Killer
to be honest i learn a lot from youtube whether cisco configuration or paloalto or even other things
but during work hour many user using youtube to hear songs, watch a movie trailer which kill the internet bandwidth so i explain earlier how to block facebook using APP-ID
but Youtube APP-ID is little diffrent cause it depend in google-base which will forbid google website too
so URL Category may save the Day
this remind me of Microsoft TMG

So first let create a URL Category
Go to Objects – Custom objects – URL Category – add new
(Youtube)
Add URL (www.youtube.com) Also you can add more (*.youtube.com)
1
now we create a security policy
Go to Policies – Security – add new (Stop Youtube)
2
Select the Source Zone (inside) and the Source Address (My Laptop IP  Address)
3
Select the user aysar.mohamed (Me)4
Select the Destination as my Outside Interface5
Select any in Application tab6
well here we go
in Service/URL Category we select the (Youtube) Category that we create earlier7
put the Action to deny8
now when i try to open Youtube i got the deny messgae ;D9
As you can see from the log i got the (Reset-both ) Action in rule of Stop youtube 10a

;D

 

Standard
Palo Alto

Blocking Facebook or Facebook Chat Using Palo Alto APP-ID

First i have to apologize cause this going to be a long Trip and it my fault i didn’t research it will but to deny an SSL traffic which used by facebook first you have to read what inside it, in another word (Decrypt it)

So i’m here rewrite the article again and just add the Decryption of the traffic before it forward to the intended site
First we need to create a Certificate on Firewall
Choose a name, Common name and Check the Certificate Authority
and the Certificate Attributes then Click Generate

1
Now Select the Cert to Edit and Check the Box
Forward trust Certificate
Forward Untrust Certificate
trusted Root CA
22
Then Export the Certificate as (PEM)
2
Choose Place to Save it
3
and as you see it download it in my Download Folder
4
Second i will go to my laptop to import in
Go to Tools – Internet Option – Content – Certificates5
Go to trusted Root Certification Authorities Tab – import6
Press Next
7
Browse to my Certificate8
Choose to place it in the Trusted Root Certification Authorities9
Press Finish
10
it will give you a security warning just press yes11
and import is successful
12
you can check it under the Trusted Root Certification Authorities Tab
13
Now get back to Palo Alto and Configure the Decryption Polocies
Go to Policies – Decryption – Add14
since this is a lab i will Choose Any as the Source
15
Also Choose Any as the Destination 16
i can Adjust under URL Category but since this is a lab i will configure it as Any17
Under option Tab i select the Action as Decrypt and Type SSL Forward Proxy18
Now i Check Gmail and here its Secure from my PA-CCIEROOT which is my Palo alto Common Name20
Also my facebook is Secured 21

;D

Now to the Part that everyone kept ask why Aysar it aint working
your article is worng
will i hope it work now

So as i said earlier unless you work in Marketing then you don’t need any Social Website
so Aysar Mohamed (ME) is an IT guy and i want my self to do IT Work and stop playing around the Facebook (i am sure my manager agree in  this point)so let’s do it

First go to Monitor – Logs – traffic and as you can see it full by Facebook logs by Aysar and it depend on one Application (facebook-base)

1
So let go to Policies – Security – add new (Stop facebook)91
Select the Source Zone (Inside) and Source Address (My Laptop IP Address)3
Select my user (Aysar.Mohamed)4
Select the Destination my outside interface5
then here choose the application (facebook-base) which appear in my logs90
Now Choose action to deny
92
Make sure to move this rule to the top
7
As you can see now i cant open my facebook at all and it give me this error7a
and if you go back to the logs you will see the action (reset-both)8

Now what if i want Aysar to view his Facebook but don’t want him to Chat with Anyone
Easy go back to my (Stop facebook) Policy change the APP-ID to (facebook-chat) and save9
some application can’t just stop by choosing the APP-ID you need to select also what it depend on
so highlight the rule and go to the application tab and choose facebook-chat and right click and choose (Value) to see what its Depends on.
so for facebook-chat it depends on
facebook-base
mqtt
Now If i select facebook-base it will also block facebook page Also
so here the trick
10
Add only mqtt
11
Then in my Second Rule (Aysar Allow) i will add to Alow the facebook-base12
under Application i will only add the facebook-base13
Now i can go to my facebook but as you can see my Chat is Dark (Unable to connect) 15
and as you can see in the Logs it block the facebook-chat14

;D
(let me just note this it only worked with me cause the Decryption was in the Palo Alto earlier)

Happy Friday Everyone

Standard
Firewall, Palo Alto, Security

Palo Alto High Availability

Down Time is not Acceptable in Any Environment
And here were the term High Availability comes to play.

To Configure the high availability in Palo Alto you need to have Two Links in each device, one for the Control Link (HA1) and one for Data Link (HA2)
both Palo Alto Device Exchange a hello message and a Heartbeat through the Control Link (HA1). if any of that not receive the Backup Palo Alto Peer will Assume that the Active Peer is Down and Take Control
(Note. this Scenario is on Active/Passive Mode)
be Aware that Both Palo Alto Device should have the Prerequisite:
1- Same model
2- Same interfaces
3- Same PAN-OS
4- License

well i’m working here on PAN-OS 7.0.1
My Active Palo Alto IP Address: 192.158.208.222
My Passive Palo Alto IP Address: 192.168.208.111

So i Show you earlier how to configure Palo Alto from scratch in the earlier Blog
Now I add extra Network card for the (HA1) & (HA2)
So to Configure the Palo Alto interface
Go to Network – Interface – Select interface
Ethernet 1/3 will represent HA1
Ethernet 1/4 will represent HA2
1

2
Now to Peer Configuration
so i Give the Active Peer IP Address
192.168.209.140 (HA1)
192.168.209.142 (HA2)
and for the Passive Peer
192.168.209.141(HA1)
192.168.209.143 (HA2)
Go to Device – High Availability – General Tab – Setup settings
Enable HA and choose a Group ID and fill the Peer IP Address and choose the mode
3
Then go to Control link (HA1 Configuration) and Choose my ethernet 1/3 as the HA1 and put the IP Address 192.168.209.140 and Netmask
4
After that i go to my Data Link (HA2) and Enable the Session for Synchronization and Put the IP Address i choose earlier 192.168.209.142 and Netmask and Gateway and for my Transport i select IP
5
Now to Election setting and to make Sure that 192.168.208.222 is the Active one i have to Put a Lower Priority
The Default is 100 so i Configure it to 90 and select Preemptive and heartbeat Backup
6.png
now go to Dashboard Tab – widgets – System – and Select HIGH Availability
so i can see the status in the Dashboard
7
and as you can see the status is so red
9
Now in the Other Peer i need to Configure the Same Interfaces for HA1 & HA2 and same configuration for HIGH Availability except the IP Addressing and for Election Setting i will just keep it the default
and then go Back to the Active Peer 192.168.208.222  and you will see the HA1 & HA2 turn to Green and now choose to Sync to Peer
10.png
It will Ask you to Overwrite Peer Configuration just Select yes
11
And now All our Configuration is Synchronized
13
Go to Passive Peer and you will See the Local Peer is the Passive
and the Active is 192.168.208.222
14
if you check the Passive Network interface you find it’s Red 15
And now to Test it i will ping  8.8.8.8 Non Stop and power off the Active Peer16
and as you can see it just took only 3 request timeout which less than 6 second and user will not notice itqqq
and if you check the System log in Dashboard you will see your passive peer notice the HA1 Control Link Went Down and the Passive become the Active
20
And our Red Interfaces Become Green21

;D

 

Standard
Palo Alto

Plao Alto LDAP Integration

Active Directory Integration
i wrote this a long time ago but the only issue i faced that i couldn’t see the user in monitoring screen no matter what i did and till the moment we received a new Palo Alto i test the same configuration and changed the Interface as this what the vendor ask but didn’t work and at the end it worked perfectly.

In earlier Blog Palo Alto to Internet we configure how to Allow users to go to the Internet. Now Active directory allow me to control who can have an access to internet Per User and also monitor exactly whom watching who and this is the configuration

First go to Device – Server Profiles – LDAP – add
choose name (MyLDAP)
in Server List add the IP of my Active Directory (192.168.200.111)
then in Sever Settings
choose type: Active Directory
Base DN: auto generate
Bind DN & Password : is my admin username and password
(this account must be a member of the built-in Server Operators group in AD)
Also uncheck the box Require SSL/TLS secured connection
1
Then we need to create an Authentication Profile
Go to Device – Authentication Profile – add
Name : My Authentication Profile
Type : LDAP
Server Profile: MyLDAP (Which i create in the first step)
Login Attribute: sAMAccountName
User Domain: ccieroot.com
2
then Select Advanced tab and in the Allow list  select to add (All)3
Like that we done from Active Directory Integration
now we need to map and monitor our  server
So we go to Device – User Identification – Palo Alto Network user-ID Agent Setup – Click on settings button on the corner
in WMI Authentication i will use my Admin username and password3
Then Enable the Server Monitoring
5
Also Enable the Client Probing and press ok
6
After That i will add my Active directory Under the server Monitoring
4
Then the Domain Controllers will show with a status of Connected.
Second we create our group mappings, we can use these Active Directory groups in our security policies.
navigating to the Group Mapping Settings tab – Add new
Choose the Sever Profile: MyLDAP
User Domain: ccieroot
User Name: sAMAcountName
5
then go to the group include list tab at the top. as long you see the OU in your AD then it mean you can see everything correctly
6
Just for testing i Add the IT Staff7
Now Before you create a Policy Enable the User-ID on the inside Zone
Check the Enable User  Identification
90
Now on our Internet Rule Select under User tab and Add my user8
now as you can see under the Monitoring Tab i see my Username when i Access any website9

 

;D

Standard
Firewall, Palo Alto

Configure Palo Alto to allow inside DMZ (FTP server)

So DMZ
In earlier Blog Palo Alto to Internet we configure how to Allow users to go to the Internet. so today i will show you how to allow your customer to come  inside to your FTP Server
first i Configure my Ethernet 1/1 with the Public IP Address 37.76.249.42
Go to Networks – Interface – Ethernet Edit
Change type to Layer 3, Configure Virtual Router and Zone (Outside)0
Then go to IPv4 and configure an IP Address of 37.76.249.42/270aThen Configure Ethernet 1/2 for DMZ gateway
Change type to Layer 3, Configure Virtual Router and Zone (DMZ)1
Then go to IPv4 and configure an IP Address of 192.168.250.250/242
Now the most important step is to configure NAT Policy
Go to Policies – NAT – Add new
I choose name : NatMyFTPServer3
Choose your
Source Zone (DMZ)
Destination Zone (Outside)
Destination interface (Ethernet 1/1)
then i have to add my Source Address so Click on Address4
Choose a name (MyFTPServer)
Type : IP Netmask
Put the Local IP Address (192.168.250.16)5
And it’s added6
Now go to Translated Packet
Translated type: static IP
and Type the translated Address which is the public IP Address i Configure Earlier and to make sure translation go both way check  the box Bi-directional7
Now Finally let’s configure Security Policy Rule
Go to Policies – Security policy – Add new
Choose a Name and Rule Type as (interzone)8
Select the Source as Outside since the traffic coming from outside9
Configure the Destination as (DMZ) zone and Destination Address is your Public IP Address
10
You can custom the Application and Service/URL Category to Allow FTP Service only but since this is a Lab just select any
Select Any in Application11
Also select Any in Service/URL Category Tab12
Then select Allow as an action for this traffic13
Now in my laptop i install 3CDaemon which a great FTP server and Choose the Upload/Download Directory in my D:\IOS\ which contain my files.
I also configure a profile (Aysar) so i can use this as my login instead of anonymous13b
And now for the BIG Test
from any Customer PC i open cmd and go to ftp to the public IP Address of the FTP Server
and as you see Authentication went well14
Just type
dir
which list all the file under my D:\IOS\15

;D

 

Standard
Palo Alto

Palo Alto HA Sync Issue & APP and Threat Mismatch

Just when i think everything okay a Nice View Such as Below Appear
1
I Checked All my HA Configuration and it’s Fine SO
i Define this as Two Issue
Synchronize
App and Threat Mismatch

First lets Solve the Synchronized and it’s a simple Step
Just Next to Running Config Press (Sync to Peer) so it Push the Configuration to the Passive HA
2
It will Ask you to Overwrite Peer Configuration Just press yes
3
Now it Start as you See (Synchronization in Progress)4
And as you can see now it finished and now its Synchronized 5
and now here in the Passive HA and Also show the Same 6
Now Lets Move to Next step which is the APP & Threat Mismatch
Lets Check the Version of the Application First
Go to Device – Dynamic updates – and Check the Applications and threats
7
so Go to 654-3805 which is my Latest Update also you can See in the lower of screen (Check Update)
Then Press Install on Right Side of the Application8
Check to Synch to HA Peer
press Continue Installation
9
Now it will Progress
10
And Automatically will Transfer a copy to HA Peer11
As you See now a Copy Transferred and Installed in HA Peer12
And Finally the all your HA Item in the Active Peer  is Green14

;D

Standard