Category: PaloAlto

Upgraded my NGFW

Since my last blog post I’ve upgraded my Palo Alto NGFW to the latest PAN-OS release, which is 9.0. I also got an evaluation license from them to test the advanced features of the firewall. The license also lets me see all the log entries, which is great for troubleshooting any issues I have with the firewall when enabling the different features.

I have the firewall set up to allow traffic from the 10.1.1.0/24 network (inside zone) to the internet (outside zone). The 10.1.1.0 network is also NAT’d to my local LAN address range of 192.168.1.0/24, otherwise traffic wouldn’t flow, as the 10 network is a private address range. I know the 192.168.0.0 network is also a private address range, but my home router is set up to NAT that range to the public IP address I get from my ISP.

One of the first features I am going to add to my security policy is URL filtering. Company policy is to block all web email, for example http://www.gmail.com and http://www.outlook.com.

URL FILTERING

I am going to add URL Filtering to the security policy to block web email sites. I’m also going to enable Response Pages, so when an end user tries to get to a web email site they will get a message saying that it’s against company policy.

I’m first going to go to http://www.gmail.com and show that I can successfully browse to that site, and as you can see below I can. I am doing this from the PC on the inside network with an IP address of 10.1.1.15.

[Screenshot: gmail]

The first thing I am going to do is enable the response page. To do that go to Device>>Response Pages.

[Screenshot: ResponsePages]

Once under Device and Response Pages, click on the Application Block Page, which is currently set to Disable, then tick the box to Enable Application Block Page and click on OK.

Now end users will get a page displaying the reason they were blocked from connecting to sites that I mark as blocked under URL Filtering. So let’s set up some URL Filtering now. To do that go to Objects>>URL Filtering.

[Screenshot: URLFiltering]

There is a default policy already configured which I can edit, but I am going to create my own one and name it No Web Email. I’ll first tick the box beside the default policy and clone it. This will create a new policy called default-1; click on it to edit it.

[Screenshot: urlwebfiltering]

Under my new policy I have named it No Web Email and then did a search to find web-based-email. Here you need to change the Site Access from allow to block, and do the same under User Credential Submission and change that to block. Click on OK.

Now it’s time to update the security policy and add the URL Filtering profile I just created. So under Policies>>Security I just clicked on the security policy called ‘inside to out’.

[Screenshot: updatesecpolicy]

Click on the Action tab and under ‘Profile Setting’ select Profiles as the Profile Type, then under URL Filtering select the newly created profile called No Web Email and click on OK. All I have to do now is commit the configuration changes and test to see if this works!

[Screenshot: webemailblock]

It is working: I’m unable to get to the different web-based email services. You can also check this under Monitor>>URL Filtering.

[Screenshot: urlfilteringlogs]

As you can see, mail.google.com has been blocked as well as outlook.com.

Any questions leave a comment below.

Unable to connect to the PA GUI

Something strange happened to my VM setup on my laptop yesterday. I was unable to connect to the PA GUI all of a sudden. The VM booted up fine and I could log on via the CLI, and checking the management interface I had the correct IP address, which was still set to 192.168.1.222. To check this use the following command on the CLI.

#show interface management

Thinking that something had become corrupt with the VM, I started to check all the settings and everything checked out OK there; nothing obvious had changed. Since it was a lab environment I decided to fully remove my Palo Alto VM from VMware Workstation and start over again.

Well, that didn’t help, I had the same issue: the VM boots fine, I can log into the CLI fine, and this time I got a different IP address, as by default the management interface is set to DHCP and I was given the IP address of 192.168.1.17, but when trying to connect to it via HTTPS it would time out. mmmm what gives?

I then tried to ping it from the Windows command line and got back ‘Destination Host Unreachable’. Time to check the Windows route table to see if the IP address was in the routing table. It wasn’t! This is a problem.

To check the routing table on Windows use the following command from the command line.

#route PRINT -4

It will show all the IPv4 routes in the routing table. There was no route for 192.168.1.17, so I added it into the routing table using:

#route ADD 192.168.1.17 255.255.255.0 192.168.1.1

BINGO, I am able to connect via the GUI again. Once on the GUI I changed the management interface IP back to 192.168.1.222 and committed the change. I then added the 192.168.1.222 address into the Windows routing table, this time using the -p option, which stands for Persistent, so when I reboot my laptop that route will remain in the routing table!

#route ADD 192.168.1.222 255.255.255.0 192.168.1.1 -p

This is a quick fix for now and allows me to continue to use the Palo Alto NGFW in my lab setup; however, I’m not sure how this issue came about. It is something I will look into further.

If anybody else has come across this issue and knows what caused it, please let me know in the comments!

NAT – Network Address Translation

With IPv4 networks NAT is fundamental; without it not a whole lot of devices would be able to surf the internet. For example, your broadband connection uses NAT. You are assigned a public IPv4 address from your ISP on the WAN interface of your modem, which allows you to surf the internet. Within your LAN (home), all the devices you have attached to your WiFi network are assigned an address most likely from the 192.168.1.0/24 range, which is from the private class C subnet range. These private IP addresses are not allowed out on the public internet, and if you tried to use an address from a private IP address range your ISP will have an ACL blocking its use.

The job of NAT is to translate the private IP address that your modem at home has assigned to your PC, for example, into the modem’s public IP address before the packet leaves your modem.

If we take the following example:

[Diagram: NAT example, PC 192.168.1.7 behind a modem with public IP 159.17.5.1]

Your PC has been given the IP address of 192.168.1.7 and you want to surf the Internet. Before you can do that NAT has to step in and change your private IP address to its public IP address, using NAT or, more specifically, PAT (Port Address Translation), a form of NAT that allows all the private IP addresses on your LAN to be translated to the single public IP address, using port numbers to keep track of the different sessions from the devices in your LAN.

So NAT will translate the source IP address in the packet from 192.168.1.7 to 159.17.5.1 before sending the packet out its WAN interface towards its destination on the Internet. It will keep track of this translation in its NAT table:

  • 192.168.1.7:80 = 159.17.5.1:8000

This mapping allows the return traffic to go back to the PC that started the session. If a second PC on the LAN, with an IP address of 192.168.1.10, went out to the internet it will also be tracked in the NAT table:

  • 192.168.1.7:80 = 159.17.5.1:8000
  • 192.168.1.10:80 = 159.17.5.1:8001

The second entry has a different port number assigned to it and this is how NAT/PAT keeps track of which traffic belongs to which IP address on the LAN.
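As an added illustration of the table above (example code written for this post, not PAN-OS code), here is a minimal PAT table that hands out translated ports starting at 8000, as in the entries shown, and maps return traffic back to the LAN host. The inside range and public address are the post’s own; a real PAT table also keys on the destination, which is left out here for brevity.

```python
# Added example: a minimal PAT (Port Address Translation) table.
# Illustrative only; not the firewall's implementation. Addresses are the post's.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]  # (ip, port)


@dataclass
class PatTable:
    inside_net: str           # private range being translated, e.g. 192.168.1.0/24
    public_ip: str            # the single WAN address every LAN host shares
    next_port: int = 8000     # first translated port, matching the post's table
    outbound: Dict[Flow, Flow] = field(default_factory=dict)  # inside  -> public
    inbound: Dict[Flow, Flow] = field(default_factory=dict)   # public  -> inside

    def translate_out(self, src_ip: str, src_port: int) -> Flow:
        """Rewrite the source of an outbound packet, reusing an existing entry."""
        if ip_address(src_ip) not in ip_network(self.inside_net):
            raise ValueError(f"{src_ip} is not in {self.inside_net}; nothing to translate")
        key = (src_ip, src_port)
        if key in self.outbound:
            return self.outbound[key]          # same session, same mapping
        mapped = (self.public_ip, self.next_port)
        self.next_port += 1                    # each new session gets a fresh port
        self.outbound[key] = mapped
        self.inbound[mapped] = key
        return mapped

    def translate_in(self, dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Map a return packet back to the LAN host; None means no session exists,
        so the packet has nowhere to go and a NAT device drops it."""
        return self.inbound.get((dst_ip, dst_port))

    def entries(self) -> List[str]:
        """Render the table the way the post lists it."""
        return [f"{i}:{p} = {o}:{q}" for (i, p), (o, q) in self.outbound.items()]


if __name__ == "__main__":
    table = PatTable("192.168.1.0/24", "159.17.5.1")
    table.translate_out("192.168.1.7", 80)
    table.translate_out("192.168.1.10", 80)
    for line in table.entries():
        print(line)
    print(table.translate_in("159.17.5.1", 8001))   # -> ('192.168.1.10', 80)
```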

Configuring NAT on the PA-NGFW

Here I will configure NAT/PAT on the NGFW to demonstrate how it is done.

NAT is configured under the Policies tab; on the left-hand side panel select NAT and then click the Add button at the bottom to get started.

[Screenshot: Step1_NAT]

A new window will pop up asking for General information. Give it a meaningful name and description, then click the Original Packet tab.

[Screenshot: Step2_NAT]

Under Original Packet I’ve added the following:

[Screenshot: Step3_NAT]

Under Source Zone I’ve added the Internal zone, the Destination Zone will be the Internet zone, and as the Destination Interface I’ve selected the interface that I configured as the Internet interface, which has the IP address 192.168.1.250. OK, so 192.168.1.250 isn’t a public IP address, but in my lab environment my modem is also doing NAT to a real public IP address before any traffic is sent. So for this lab I am pretending that 192.168.1.250 is a public IP address: the firewall will translate IP addresses in the 10.1.1.0/24 network to 192.168.1.250, and my home modem will then translate 192.168.1.250 again to a real public IP address. Hope that is clear enough. OK, back to the configuration: under Source Address I selected the object I created in an earlier lab called ‘Internal 10.1.1.0 subnet’. The Destination Address will be left as ‘Any’.

Next is the Translation piece so click on Translate Packet.

[Screenshot: Step4_NAT]

I have selected Dynamic IP and Port as the translation type, as I am using PAT. The Address Type is ‘Interface Address’ and I have selected the ethernet1/1 interface, which is the Internet interface; the only IP address associated with that interface is 192.168.1.250. The next thing to do is click OK, and that is NAT/PAT configured. Don’t forget to commit the configuration for it to take effect.

To check that it is working I have started up the Windows 10 virtual machine I have as part of the lab. It is configured with the IP address 10.1.1.25. I went to http://www.paloaltonetworks.com and, as you can see below, it was successful.

[Screenshot: windows10]

This verifies a few things that I have done in the past blog posts. It verifies that traffic from the Internal zone is allowed out to the Internet zone. It also verifies that the DNS and SSL protocols are allowed based on the security policy.

We can verify that NAT is working by looking at the NAT translation rule and seeing that the hit count has increased to 985, meaning that it is working. I can’t show you this in the logs as I don’t have the license for that, but I will add one and show how that is done.

[Screenshot: NAT_Working]

Any questions leave a comment.

Security Policy Lab

In my last post I covered Zones, Virtual Routers and Interfaces and how they all come together to form a basic configuration. As discussed, traffic from one zone going to a different zone is denied by default, while traffic going to and from the same zone, called intra-zone, is allowed by default. In this lab I am going to allow traffic from the Windows machine out onto the internet, and to do that we have to set up a security policy to allow that to happen.

Lab Objective:

Set up the Windows machine on the 10.1.1.0/24 network to go from its zone ‘Internal’ to the ‘Internet’ zone and allow access to the following protocols:

  • DNS port 53 (UDP)
  • HTTP port 80 (TCP)
  • HTTPS (SSL) port 443 (TCP)

This will allow the Windows PC onto the web and able to browse. Simply allowing HTTP and HTTPS wouldn’t be enough, as DNS is involved when using the web to translate a human-readable URL such as https://www.paloaltonetworks.com to an IP address that is then used to send the traffic towards the website.

Log into the PA GUI and select the Policies Tab.

Here we have the two default policies, ‘Intrazone-default’ and ‘Interzone-default’. The Intrazone policy allows traffic to flow within the same zone and the Interzone policy denies traffic flowing between different zones. If you scroll over to the far right of the policies you’ll see ‘Action’ set to Allow and Deny respectively.

We need to add our own policy here to allow traffic from the Internal zone to the Internet zone and to specify the protocols we want the user to be able to access. Click on ‘Add’ to get started.

[Screenshot: step1_policy]

The first tab is called General, and here we give the policy some meaning by naming it and giving it a description of what it is used for. You also select the Rule Type; since I am going between different zones I have selected ‘interzone’ as the Rule Type.

Next click on the Source tab.

[Screenshot: Step2_source]

Under Source Zone click on Add and select the zone you want to match on, i.e. the zone the traffic is sourced from, and select Internal. Under Source Address on the right side of the window I have the option to allow Any traffic from the Internal zone, OR I can match a specific subnet or IP address. I could have multiple subnets that are part of my Internal zone, so this allows me to get more granular and select which subnet should have access out onto the Internet. To make things easier down the line I can set up an Object just for the 10.1.1.0/24 subnet and reuse it elsewhere in the configuration for other policies I might set up later.

[Screenshot: Step3_Object]

I’ve selected Add and I get this list of IP address ranges. I could simply type in the network address I want to use, but I’ll set up an object instead. To do that you need to click on the New Address button at the bottom. A new window pops up, shown below.

[Screenshot: Step4_object]

Enter a name for the object; here I am using ‘Internal 10.1.1.0 subnet’, and I have selected IP Netmask as the type since I am configuring a subnet. Click on OK and the object will be added to the configuration.

I am going to skip the User tab here as I don’t have any User-ID set up yet. The User tab can be used to identify a specific user on the network and lock the policy down to that particular user. So on to the Destination tab.

[Screenshot: step5_destination]

In the Destination tab I am selecting the zone that I want to allow the traffic to flow to. In my case it is the Internet zone. On the right of the window it is set to Any, which is fine as we are going out onto the internet and I don’t want to start restricting what parts of the internet the user can or can’t get to.

Next is the Application tab, and here I am going to specify what applications or protocols users are allowed to use from the Internal 10.1.1.0/24 subnet. As part of the lab brief we said we wanted the users to be able to browse the internet, so that means allowing DNS, HTTPS (SSL) and HTTP.

[Screenshot: step6_apps]

Click on Add and add ssl for HTTPS traffic, dns, and web-browsing for HTTP.

The last step is to select Actions.

[Screenshot: step7_actions]

This is where you select what action to take for the policy we just created, and since I want to allow the traffic that is what I’ve selected.

Click on OK and the policy will be created and added to the policy configuration, as shown here.

[Screenshot: Step8_finish]

The policy is as follows:

IF source zone is Internal AND from the 10.1.1.0/24 subnet going to the destination zone Internet AND using applications SSL, HTTP, DNS ALLOW the traffic.

Now our users on the 10.1.1.0/24 network have access to the internet. You might be thinking: how does the return traffic get back to the users, since we haven’t configured a policy for traffic from the Internet zone to the Internal zone? The NGFW is a stateful firewall, which means it remembers the sessions created by the ‘Internal to Internet’ policy and allows the return traffic back in without having to set up another policy for that.
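To make the rule logic above concrete, here is an added example (written for this post, not PAN-OS code) that evaluates packets against the lab rule, the two default rules, and a session table for return traffic. Zone, rule and application names are the post’s own; the session key (source, destination, application) and the external address 203.0.113.10 are assumptions I made for the sample traffic.

```python
# Added example: zone-based policy evaluation with stateful return traffic.
# Illustrative only; not the firewall's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str          # App-ID name, e.g. "dns", "web-browsing", "ssl"


@dataclass
class Rule:
    name: str
    rule_type: str    # "universal", "intrazone" or "interzone" (the General tab)
    src_zone: str     # "any" matches every zone
    dst_zone: str
    src_net: str      # address object such as "10.1.1.0/24", or "any"
    apps: Set[str]    # empty set means any application
    action: str       # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        if self.rule_type == "intrazone" and p.src_zone != p.dst_zone:
            return False
        if self.rule_type == "interzone" and p.src_zone == p.dst_zone:
            return False
        return (self.src_zone in ("any", p.src_zone)
                and self.dst_zone in ("any", p.dst_zone)
                and (self.src_net == "any" or ip_address(p.src_ip) in ip_network(self.src_net))
                and (not self.apps or p.app in self.apps))


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules                                  # evaluated top to bottom
        self.sessions: Set[Tuple[str, str, str]] = set()    # (src_ip, dst_ip, app)

    def evaluate(self, p: Packet) -> str:
        # Return traffic of a session already allowed needs no rule of its own.
        if (p.dst_ip, p.src_ip, p.app) in self.sessions:
            return "allow (existing session)"
        for r in self.rules:                                # first match wins
            if r.matches(p):
                if r.action == "allow":
                    self.sessions.add((p.src_ip, p.dst_ip, p.app))
                return f"{r.action} ({r.name})"
        return "deny (no rule)"


def lab_firewall() -> Firewall:
    """The lab policy from this post followed by the two built-in defaults."""
    return Firewall([
        Rule("Internal to Internet", "interzone", "Internal", "Internet",
             "10.1.1.0/24", {"dns", "web-browsing", "ssl"}, "allow"),
        Rule("intrazone-default", "intrazone", "any", "any", "any", set(), "allow"),
        Rule("interzone-default", "interzone", "any", "any", "any", set(), "deny"),
    ])
```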

Lastly don’t forget to commit the configuration for it to become active on the firewall.

Getting into the Zone

In this post I want to talk about zones and what they are used for in a Palo Alto NGFW. Zones are used to group interfaces together that are part of the same business function on the NGFW. For example, you might have two departments, one is Finance and the other is IT. Because the information within the Finance part of the network is highly sensitive, you do not want your users from the IT department having access to that part of the network. With zones you can put them into separate zones and build policies around them. By default, interfaces within the same zone can communicate with each other, but interfaces in different zones cannot; for that to happen you will need to configure a policy to allow users or a group of users to go from one zone to another, such as IT to Finance and vice versa. This is the first line of defense in stopping attackers moving laterally across your network.

Configuring Zones

I am going to set up 3 zones and assign interfaces to those zones. The 3 zones will be:

  • Internal
  • Servers
  • Internet

On the PA GUI click on the Network tab and on the left hand side select Zones. Click on Add.

Give your zone a name, “Internal”, and the type, in this case Layer 3. The other options are Layer 2, Tap, Vwire and Tunnel.

Continue adding the remaining zones Internet and Servers.

Virtual Router

What is a virtual router? On the Palo Alto NGFW you can split the firewall into virtual “mini” firewalls. This can be used to keep different parts of the business separated, or if you have different customers that you provide services to, you can give them a virtual firewall with their own interfaces, zones and policies. You can add virtual routers or just use the default virtual router. To add a virtual router click on Network, then on the left-hand side click on Virtual Router and Add.

Here I have added a new Virtual Router and called it VR-1.

Interfaces and bringing it all together

The last thing to do is to assign the interfaces to the different zones and the virtual router.

Still under Network, click on Interfaces on the left-hand side to get started. Select Layer 3 as the interface type and add a comment. Under “Assign Interface To” select VR-1 as the Virtual Router and Internet as the Security Zone.

Click on the IPv4 tab and enter the IP address; here I am using 192.168.1.250/24. Then click on OK.

Once you have all the interfaces configured along with their IPv4 addresses you need to commit the configuration for it to become active. When the configuration is committed you will end up with the interfaces active as shown below.


Palo Alto Network NGFW

What better way to get to know the Palo Alto Security Operating Platform than installing it on your laptop and using it. Here is the lab I have set up on my laptop. You can also do this in the cloud using AWS, for example, as the image I am using is the VM-Series from Palo Alto, which is built for protecting your cloud infrastructure, but for now I am going to be running it locally on my laptop. I’ll set it up in the cloud on AWS in another blog post.

Palo Alto VM-Series in VMWare Workstation Pro

To do this you’ll need the Palo Alto VM-Series image from Palo Alto, VMware Workstation Pro to run the VM-Series image on, and also a Windows 10 image, again used within VMware. I’m using the PA-VM-ESX-8.1.0.vmx image here.

Once you have the PA VM-Series image file downloaded you’ll need to install it into VMware Workstation Pro. You can use a 30-day evaluation of the Workstation Pro software, but after that you’ll have to buy a license if you would like to continue using it. The same goes for the Windows 10 image: you’ll need to add it into VMware Workstation.

I’ve also set up some extra VMnets so I can connect up the topology as shown above. This can be done via Edit–>Virtual Network Editor. Click on Change Settings (admin level is required here) and then click on Add Network. One thing I did was deselect the option to use local DHCP, as I wanted to add my own IP addresses as such:

  • vmnet 1 : 10.1.1.0 255.255.255.0
  • vmnet 2: 10.2.2.0 255.255.255.0
  • vmnet 3: 10.3.3.0 255.255.255.0
  • vmnet 4: 10.4.4.0 255.255.255.0

Although I’m not using all of these from the start, it is good to have them configured in case I want to connect another network into my lab.

The next thing to do is to power up the VM-Series NGFW. Once booted you’ll get prompted to enter a username and password, which is admin/admin by default.

Also during boot-up you’ll see a DHCP message with the IP address that has been assigned to the management interface; in my case it was 192.168.1.101. To log into the GUI just open up a browser and type the address into the address field as https://192.168.1.101. Note you’ll get a warning about the site not being trusted as it is a self-signed certificate; just click on Advanced and add it as an exception and it will load the GUI login page. Again the username and password are the same here, admin/admin.

You’ll end up with a page something like this.

[Screenshot: Palo Alto GUI]