Palo Alto

Palo Alto Series – Part I

Like any other firewall, Palo Alto is a very feature-rich firewall, as we'll see over this series.

When we boot the firewall, connect the management cable and open a session, it comes up with the IP 192.168.1.1; so connect a laptop in that segment and access the firewall via https://192.168.1.1

PA has separate management and console ports. On higher versions a serial port is also available.

Topology :

Picture1.png

Here, R6 is our DMZ router, Win is the inside user PC, and towards R5 we have the outside zone.

By default Palo Alto has 192.168.1.1 as its management address. To configure management, connect a PC in the same IP segment and take the access; otherwise we can change the address via the console.

Management IP configuration by CLI:

set deviceconfig system ip-address 192.168.1.10 netmask 255.255.255.0 type static

By default it takes a dynamic IP address.

To edit management interfaces on the firewall :

Picture2.png

Check the management IP with the following command to verify:

show system info

So, like any other firewall, PA also has interfaces on the device, but these are of certain types:

  1. Layer 3
  2. Vwire: for sniffing of traffic
  3. Layer 2
  4. HA: for sync of state information and replication of data
  5. TAP: to send data from a remote part of the network to the PA firewall to analyze it

Next, we have the virtual router concept in Palo Alto, like VRF on Cisco routers. In this series we'll be assigning interfaces to different virtual routers, starting from VR-1.

By default all interfaces are part of the default virtual router.

Like some other vendor firewalls, PA also supports creating zones and assigning different interfaces to those zones.

Eg: Inside zone, Outside zone, DMZ zone

We can assign multiple interfaces and sub-interfaces to these zones, and we can set up our policies based on zones.

Now, Let’s create Zones :

Go to Network Tab, click on Zones and click on Add :

Picture1.png

In the same way, we can create the Outside and DMZ zones as well. We could add interfaces here too, but we haven't defined any interface so far, so we'll link the interfaces later.

Now, create the virtual router:

By default there will be a default virtual router. Delete it if you don't wish to use it, and click on Add to create your custom virtual router.

Picture1.png

Now, let's configure the interfaces as per the topology given in the diagram; we'll reference the security zones and the virtual router there:

Picture1.png

Once all the interfaces are configured, click on Commit to commit the changes.

Picture1.png

Now, configure the default route for the data plane, i.e. for our virtual router VR-1.

Go to virtual router VR-1 and click on More Runtime Stats for routing information:

Picture1.png

Here we can see all the networks and the IP addresses assigned to the interfaces that are part of this virtual router. But there is no default route, so let's configure it.

To configure a default route, go to Network –> Virtual Routers –> VR-1, click on it, go to Static Routes and click on Add to configure the default route.

Picture1.png

Once committed, the routing table has one static route and looks like this:

Picture1.png

Here, I have also attached the management profile on inside interface to allow ping and some other protocols from my inside PC.

Picture1.png

Security Policy :

The default policy on the PA firewall is to deny any traffic that attempts to route or forward between two different zones. However, traffic within the same zone is permitted by default.

Like any other firewall, PA is also a stateful firewall, which means we only need to permit traffic in one direction; the return traffic is permitted by default through the session that has already been built.

So, through the security policy we can allow a user based on a specific source IP, destination IP and service/port.

By default, we can see that interzone traffic is denied and intrazone traffic is allowed.

Go to Policies, then Security, to see the rules and make changes to the policy here:

Picture1

Now, click on Add (bottom left) to add a new security policy.

Picture1.png

To allow inside users to reach the internet, we gave the rule the name Inside_To_Internet:

Picture1.png

As shown above, we are allowing inside users to access the internet, but only for the applications listed. Commit the changes.

The inside users will still not be able to reach the internet because of the private IPs assigned to them. I have NATed the inside users' IPs on R5 to allow them to go to the internet, and once the NAT is done, inside users can browse the internet. Output from the inside PC follows below.

NAT configuration on router R5:

Picture1.png

Picture1.png

let’s test browsing :

Picture1.png

PAT : Port Address Translation

I am now going to implement PAT directly on our PA firewall instead of explaining what PAT is and what it does.

Go to Policies –> click on NAT –> and then click on Add:

Picture1.png

And choose the parameters below:

Source zone is Inside, destination zone is Outside; choose the destination interface explicitly, as there could be many interfaces assigned to the outside zone; then the service and the actual source and destination IP addresses.

Picture1.png

To do the PAT, now click on Translated Packet. Here we define that if a packet qualifies under the criteria we defined in Original Packet, then the action defined in Translated Packet is performed:

Picture1.png

In Translation Type, choose Dynamic IP And Port. There are other options too, which we'll discuss later, but for PAT choose Dynamic IP And Port.

In Address Type choose Interface Address, because we already have an IP assigned on the interface, so we use that instead of a new IP. We could use another IP here as well by choosing Translated Address as the address type. For now it's Interface Address.

Now, specify the interface whose IP and port we want to overload, and its IP address, as shown in the snapshot above, then click OK and commit.

Now Let’s see if this is working :

Picture1.png

As you can see, from our user machine I can reach the internet, and nslookup is working fine as well.

NAT sessions on the router:

Ping to 4.2.2.2 session: we can see the actual source IP is 10.1.3.1, but after PAT on the firewall the request hits router R5 with source IP 10.1.1.10, and that is again statically translated to 192.168.110.166 on router R5 to reach the internet.

If PAT had not been configured on the firewall, this translation on the router would have shown 10.1.3.1 translated to 192.168.110.165.

Picture1

NSLOOKUP session (on the user machine I have configured 8.8.8.8 as the primary DNS):

Picture1.png

DMZ Server Access:

Now, to check access to a DMZ server, what is actually required is:

  1. A server placed in the DMZ zone;
  2. NAT: generally the user hits the public IP of the server, but that public IP is actually NATed to some private IP and then processed by the firewall;
  3. Policy: a firewall policy to allow that traffic.

Configuration to enable http/https on a Cisco router:

username cisco privilege 15 secret cisco
interface FastEthernet0/0
 ip address 10.1.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.2.10
ip http server
ip http authentication local
ip http secure-server
wr

Now let's configure static NAT:

Picture1.png

Translated Packet: choose Bidirectional

Picture1.png

and do the commit.

Now, let's configure the security policy to allow this access.

Picture1

We have allowed the http and https services from the Outside zone to the DMZ zone.

Now, commit this.

Let's test this.

First, http from router R5:

Picture1.png

And similarly for port 443:

R5#telnet 10.1.1.20 443 /source-interface fastEthernet 0/0
Trying 10.1.1.20, 443 … Open

It is also open.

Now, let's try to open it from a Windows user machine:

Picture1.png

And we can see here that static NAT is working and we are able to access the http/https services.

Now, let's change the administrator's password:

Go to Device –> Administrators –> and click on the admin account to change the password.

Or, here we can click on Add to create a new user and give him privileges like superuser or read-only user.

Picture1.png

To reboot or gracefully shut down the device, choose from here:

Picture1.png

Backup and restore of the configuration :

  1. To save the current running-configuration snapshot:

Picture1.png

  2. Now, click on Export named configuration snapshot to download it to your local PC:

Picture1

Choose the snapshot we created in step 1 and it will download to the local PC.

Now if anything goes wrong with this firewall, say it is blown away and we need to replace it with a new one, then we only have to configure the management IP, and then we can import and load this snapshot.

  3. To import the snapshot onto a newly installed firewall, or to load an old snapshot onto the same firewall:

Click on Import named configuration snapshot, click on Browse and import it.

In this example, I have imported the one we exported in step 2.

Picture1.png

Then load the imported snapshot:

Picture1.png

Click on Commit after loading to get back all the configuration we had when we took the snapshot.

Licensing the firewall:

Advanced features such as SSL decryption on the firewall, used to find malware/threats in the traffic between a user and the actual web server on the internet, require licensing. For these features PA acts as a proxy, like a man in the middle.

URL filtering, data filtering, threat prevention (anti-virus, anti-malware and anti-spyware) and VPN support for remote access also need licensing.

So, to license the firewall, first create a support account on the Palo Alto support center website, then register the device by entering the CPU ID and UUID shown on the firewall's dashboard to get it licensed.

Then go to Device –> Licenses and choose from the License Management options below:

Picture1.png

Either retrieve the license directly or upload the license key manually.

Once it is licensed, we can see the serial number of the firewall on the dashboard page.

Before upgrading a firewall, make sure you have downloaded and installed the dynamic updates, which are a prerequisite, and only then go for the major release. In some cases you might need to download the base version if you are going for a major version change.

So, it goes like: dynamic updates –> download base version –> download and install the latest version whose base version we already downloaded –> reboot.

App Vs Protocol and Port Security policies :

So, till now we have configured below policies on our firewall :

Picture1.png

In policy no. 2, we are allowing access from the internet to our DMZ server, but in this policy we are only inspecting up to the port level, i.e. http/https traffic. What if malicious traffic arrives as an attack on port 80/443? In that rule we are not inspecting up to the application level. Palo Alto provides that functionality by looking up to the application level, i.e. at what is inside the packet.

For example, in policy 1 we have allowed certain applications like dns, ping, ssl and web-browsing, so if an attacker sends data on UDP port 53 with something other than a genuine DNS query inside the payload, the firewall will quickly recognize that and drop the traffic.

So, when we define a policy, the Services tab controls access up to the transport layer and the Application tab up to layer 7.

Sometimes in Services we choose application-default; what does that mean?

Application-default in Services means the rule will use the well-known, expected ports associated with the application objects we define under the Application tab of the policy rule. In this way we can control traffic up to the application level; for example, we can allow users to go to Facebook but not allow them to play games or chat on Facebook.

Besides the application granularity, we can also tie those conversations to the actual user, so that we can identify which user, associated with which IP address, is attempting which activities.

We can see all applications which Palo Alto recognizes by going to Applications under Objects tab.

Picture1.png

It currently shows 2458 applications it recognizes, but this number will only grow day by day.

If you want to see what it offers, click on any application and it will show some important characteristics.

I have clicked on web-browsing and we can see the standard port it uses, timeout info and some other details:

Picture1.png

So we define applications in policies so that our firewall performs deep packet inspection up to the application level, i.e. inspects the payload of the packet.

Destination NAT :

We generally require destination NAT when someone from the outside world wants to access servers placed in our internal network. The outside user hits the public IP (as outside users can only reach a public IP over the internet) on the outside zone of the firewall; the destination IP then gets NATed to a private IP and the packet goes to the actual server, which really has a private IP address.

Earlier in this series we did source NAT when the packet was initiated from the inside network and going out to the internet, but we did that translation in a bidirectional way.

Now, we are going to perform destination NAT.

In destination NAT, one point needs closer attention: the packet is coming from the internet, i.e. the outside zone, and it will be hitting an IP (a globally reachable address; in our lab environment I am using 10.1.1.20) that is also part of the outside zone. So, we'll be defining the NAT rule from the outside zone to the outside zone.

Picture1.png

In Translated Packet we are not going to translate the source; we are going to translate the destination IP to 10.2.2.1, which is the IP of our DMZ server.

Picture1.png

Disable NAT rule no. 2, as we did the same for going from the DMZ to outside.

Commit the changes.

Now let's test this: I am going to telnet to 10.1.1.20 (the outside interface IP) from R6 (the outside device) on port 80 and see the output.

R6#telnet 10.1.1.20 80 /source-interface fastEthernet 0/0
Trying 10.1.1.20, 80 … Open

It is open, which means our destination NAT is working fine.

I have also allowed telnet through the policy, and now I can telnet to the DMZ device:

R6#telnet 10.1.1.20 /source-interface fa0/0
Trying 10.1.1.20 … Open

User Access Verification

Username: cisco
Password:
DMZ_Router#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:06:20
*  98 vty 0     cisco      idle                 00:00:00 172.16.1.2

  Interface    User               Mode         Idle     Peer Address

So, here we can see the outside user's IP, 172.16.1.2 in this case, from which we telnetted to this router.

So, what should we define in the policy on the Palo Alto when we perform destination NAT? It goes like this:

Post-NAT zones and pre-NAT addresses are preferred.

Picture1.png

In the policy above we have defined the destination zone as DMZ, which is the post-NAT zone (because in the NAT rule we defined outside-to-outside zones), and 10.1.1.20 as the destination address, which is the pre-NAT address.
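To make the two rules above concrete (post-NAT zone, pre-NAT address in the security policy, and the intrazone-allow / interzone-deny defaults from the Security Policy section), here is an added example that models the lab's destination NAT. It is my own illustration, not the post's or Palo Alto's code; the zone networks and rule tables are constructed from the addresses in the post.

```python
import ipaddress
from dataclasses import dataclass

# Connected networks per zone, constructed from the lab's addressing in the post
# (10.1.1.0/24 outside, 10.1.3.0/24 inside, 10.2.2.0/24 DMZ); default route -> Outside.
ZONE_NETWORKS = {
    "Outside": ipaddress.ip_network("10.1.1.0/24"),
    "Inside": ipaddress.ip_network("10.1.3.0/24"),
    "DMZ": ipaddress.ip_network("10.2.2.0/24"),
}

@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int

def zone_for(ip):
    """Route lookup: zone of the connected network holding ip, else the default route's zone."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NETWORKS.items():
        if addr in net:
            return zone
    return "Outside"

# Destination NAT rule from the post: Outside -> Outside, 10.1.1.20 translated to 10.2.2.1.
NAT_RULES = [{"from": "Outside", "to": "Outside", "dst": "10.1.1.20", "xlate_dst": "10.2.2.1"}]

# Security rule written the right way: post-NAT zone (DMZ) and pre-NAT address (10.1.1.20).
GOOD_RULES = [{"name": "Outside_To_DMZ", "from": "Outside", "to": "DMZ",
               "dst": "10.1.1.20", "ports": {80, 443, 23}}]
# The same rule written with the pre-NAT zone by mistake; it never matches.
BAD_RULES = [{"name": "Outside_To_Outside", "from": "Outside", "to": "Outside",
              "dst": "10.1.1.20", "ports": {80, 443, 23}}]

def evaluate(pkt, security_rules, nat_rules=NAT_RULES):
    """Return (action, rule name, post-NAT destination zone, post-NAT destination IP)."""
    # 1. NAT lookup uses the original packet; its destination zone comes from a route lookup.
    pre_dst_zone = zone_for(pkt.dst_ip)
    post_dst_ip = pkt.dst_ip
    for rule in nat_rules:
        if (rule["from"], rule["to"], rule["dst"]) == (pkt.src_zone, pre_dst_zone, pkt.dst_ip):
            post_dst_ip = rule["xlate_dst"]
            break
    # 2. The post-NAT zone is found by routing the translated destination.
    post_dst_zone = zone_for(post_dst_ip)
    # 3. Security policy matches on post-NAT zones but pre-NAT (original) addresses.
    for rule in security_rules:
        if (rule["from"] == pkt.src_zone and rule["to"] == post_dst_zone
                and rule["dst"] == pkt.dst_ip and pkt.dst_port in rule["ports"]):
            return ("allow", rule["name"], post_dst_zone, post_dst_ip)
    # 4. No explicit match: intrazone-default allows, interzone-default denies.
    if pkt.src_zone == post_dst_zone:
        return ("allow", "intrazone-default", post_dst_zone, post_dst_ip)
    return ("deny", "interzone-default", post_dst_zone, post_dst_ip)

if __name__ == "__main__":
    http = Packet("Outside", "172.16.1.2", "10.1.1.20", 80)
    print(evaluate(http, GOOD_RULES))  # allowed by Outside_To_DMZ, delivered to 10.2.2.1 in DMZ
    print(evaluate(http, BAD_RULES))   # interzone-default deny: the pre-NAT zone never matches
```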

APP ID :

The major benefit of the Palo Alto firewall is its ability to correctly identify what is actually being carried inside the packet; this ability to correctly identify applications is the function of App-ID.

Suppose a malicious user sends his data by tunneling over some well-known port allowed on the firewall, while the payload carries something else. That would be allowed if we inspected only up to layer 4, so one of the solutions Palo Alto came up with is called Application ID, or App-ID.

With App-ID the firewall does not only look at the port number or transport protocol to allow or deny traffic; it is still aware of the default ports of those applications, but it also has the ability to look deeper into the packet and verify what the actual payload/traffic is.

Like many other features, App-ID is not free; it is integrated as part of the Palo Alto firewall and needs to be licensed.

How App-ID works:

Classification: it has an understanding of the ports and protocols of the traffic.

Signatures: signatures allow the PA firewall to identify an application correctly. Currently more than 2500 application objects are part of its database. The signatures look for specific application properties and characteristics to recognize that particular application.

Decryption: breaks the SSL/TLS session between the user and the end application. The PA firewall is the man in the middle here, with two SSL sessions: one from the user to the firewall and one from the firewall to the end destination, so that the firewall can decrypt the data and see what kind of traffic is going on.

Decoders: decoders look for tunneled traffic, i.e. applications tunneled inside something else. With the help of decoders the firewall can identify the payload and take actions such as permitting the traffic, denying it, applying QoS (e.g. voice traffic) or scanning it.

One of the best things about App-ID is the granular control it gives: we can specifically identify, and tell the PA, what is allowed and what is not.

This means you can access Facebook but cannot chat or play games on it. To do that, use the specific apps for things like Facebook and Google (subsets of the Facebook and Google applications). For example, Facebook has the facebook-base app on the PA, which does not allow playing games or chatting.

One point to keep in mind here: if we want to allow facebook-chat, for example, then we first need to allow facebook-base. So, application objects have dependencies.

Picture1.png

So, these dependencies have to be allowed either in the same rule or in a different rule of the policy.

The other point here is that some applications implicitly use other apps. For example, see the snapshot below:

Picture1.png

Here, we can see that facebook-base implicitly uses ssl and web-browsing. This means that if we have allowed facebook-base, we don't need to enable ssl or web-browsing (HTTP) in the policy rules. However, if we want to go to, say, cisco.com, then we need a different rule in the policy.

We can also make application groups and place different applications under a single group.

Picture1.png

Here, I have made an application group named Internet_Access. Commit the changes; I am going to replace my first rule, which allowed inside users to go to the internet, with this application group.
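The dependency and implicit-use rules above, and the application group just created, are easy to get wrong when a policy is spread over several rules, so here is an added example (my own illustration, not the post's or Palo Alto's code) that checks whether a set of allow rules actually covers an application. The dependency table is constructed from what the post shows for Facebook, the group members are assumed, and neither is Palo Alto's real App-ID database.

```python
from typing import Dict, Iterable, Optional, Set

# Explicit dependencies: apps that must themselves be allowed, in the same or another rule.
# Constructed from the post's Facebook example (facebook-chat needs facebook-base and mqtt).
DEPENDS_ON: Dict[str, Set[str]] = {
    "facebook-chat": {"facebook-base", "mqtt"},
}
# Implicit use: traffic these apps generate is covered without an explicit rule.
IMPLICITLY_USES: Dict[str, Set[str]] = {
    "facebook-base": {"ssl", "web-browsing"},
}
# Application groups, like the Internet_Access group built in the post (members assumed).
APP_GROUPS: Dict[str, Set[str]] = {
    "Internet_Access": {"dns", "ping", "ssl", "web-browsing"},
}

def expand(rule_apps: Iterable[str]) -> Set[str]:
    """Replace any group name in a rule's application list by the group's members."""
    apps: Set[str] = set()
    for name in rule_apps:
        apps |= APP_GROUPS.get(name, {name})
    return apps

def allowed_apps(rules: Iterable[Iterable[str]]) -> Set[str]:
    """Union of the applications allowed across all rules, with groups expanded."""
    allowed: Set[str] = set()
    for rule in rules:
        allowed |= expand(rule)
    return allowed

def missing_dependencies(rules: Iterable[Iterable[str]], app: str) -> Set[str]:
    """Explicit dependencies of app (transitively) that no rule allows; empty set means app works."""
    allowed = allowed_apps(rules)
    if app not in allowed:
        return {app}
    missing: Set[str] = set()
    todo, seen = [app], set()
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for dep in DEPENDS_ON.get(cur, set()):
            if dep not in allowed:
                missing.add(dep)
            todo.append(dep)   # dependencies can have dependencies of their own
    return missing

def is_permitted(rules: Iterable[Iterable[str]], app: str, used_by: Optional[str] = None) -> bool:
    """True if app is allowed with its dependencies satisfied, or if it is only being used
    implicitly by an allowed application (used_by), e.g. ssl inside a facebook-base session."""
    if used_by is not None and app in IMPLICITLY_USES.get(used_by, set()):
        return not missing_dependencies(rules, used_by)
    return not missing_dependencies(rules, app)

if __name__ == "__main__":
    rules = [["facebook-base", "facebook-chat"]]
    print(missing_dependencies(rules, "facebook-chat"))                        # {'mqtt'}
    print(is_permitted([["facebook-base"]], "ssl", used_by="facebook-base"))   # True
    print(is_permitted([["facebook-base"]], "web-browsing"))                   # False: cisco.com needs its own rule
```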

Picture1.png

Commit the changes once again.

Now, I am going to disable rule no. 1 and add two more rules:

Rule no. 2: to allow inside users to go to Facebook (basic functionality)

Rule no. 5: cleanup rule

Picture1.png

Click on Commit.

Now let's test this:

Picture1.png

Yes, we can log in to Facebook, and we can see the https session as well.

Why? Because ssl is already part of the facebook-base application, which uses it implicitly.

Picture1.png

And we can see that we can't connect to chat, as chat is not part of facebook-base.

If you go to the Monitor tab, it will show the facebook-chat logs as denied by policy. I can't show those at this moment because my firewall is unlicensed.

Now, let's allow the chat:

Picture1.png

Now, let's see if there are any dependencies for facebook-chat.

Picture1.png

From the snapshot above it is clear that we also need to allow the mqtt app.

Picture1.png

If you wish to read about MQTT (Message Queue Telemetry Transport), just go to Applications and search for it, then click on it to see what it is all about.

And if you want the latest info on these apps, go to: https://applipedia.paloaltonetworks.com/

Commit the changes and let's test whether we can access facebook-chat.

Picture1.png

As we can see, facebook-chat is now accessible.


Categories: Palo Alto, Security

4 replies »

  1. Just read the complete article; it's awesome, with some typing mistakes.

    However, I loved it. I am dying to set it up in my virtual lab environment, please help with the same. Thanks
