Tag: Palo Alto

Palo Alto introduces new feature to support Terminal Service (TS) Agent on Windows Server 2016

In the latest release of Palo Alto Networks Terminal Service Agent 8.1.1, we were introduced to a new feature where it is now supported to install the agent on Windows Server 2016.

This is a very welcome feature that a lot of us have been waiting for. There are no other features added to this version or the one before.

This release is also compatible with all the PAN-OS versions that Palo Alto Networks still support.

For more information see:

Where Can I Install the Terminal Service (TS) Agent?

Release Notes – Terminal Service Agent 8.1



HOW-TO IMPORT DHCP-LEASES TO WINDOWS SERVER FROM PALO ALTO

In some cases you will come across DHCP-scopes that are configured on the edge-device or similar and wanting to move it to your dedicated Windows Server instead.
Below is an example where you can export DHCP-leases from your Palo Alto Networks device and add them to your dedicated Windows Server.

In this example I will be using Putty.

Step 1.
Start Putty and connect to your Palo Alto Networks firewall. Then go to the Putty Reconfiguration page, Session > Logging and select ”All Session output”.
Choose your filename and where to save it. Select Apply.

Step 2.
Log in to your Palo Alto Networks firewall and issue one of the below commands. Choose the second one if you need to specify an interface. For example if you have several DHCP-scopes configured on your firewall.

Close your session when the output has been printed.

Step 3.
Inactivate the DHCP-scope on your Palo Alto Netoworks firewall so there are no new leases being added.

Step 4.

Open the file where the output has been pasted and remove any unnecessary information.

Import the values to Excel and it should look something like this: (We are only importing IP, MAC and Hostname in this example)

Step 5.
Now we need to add the information to the command that we will be using in Powershell on the new DHCP-server.

Go to a new column on the same sheet and add the below:

This will get the information for the IP on column A and row 2, MAC-adress on column B and row 2 and the Hostname on column C and row 2.

Go the new cell and hover to the right corner. Drag down to fill in the rest of the rows.

Step 6.
If you have not already created the new DHCP-scope this is the time to do it.

Step 7.
Start Powershell on your DHCP-server and paste the below commands.

Step 8.
Activate the new scope and remember to configure DHCP-relay on your Palo Alto Networks firewall if needed.



Palo Alto Networks: Command-And-Control (C2) category has been added to URL-Filtering

A new category has been added to Palo Alto Networks URL-filtering. The category is ”Command and Control” or ”C2” and the recommendation is to immediately set the action to BLOCK in your security profiles.

C2 was previously included in the Malware category but has now been separated to get more effective management. For the malware-category you will normally recognize that the threat was stopped by your Palo Alto Networks Firewall and no further compromises has been made. When C2 is logged an endpoint has likely been compromised, this happens when an compromised endpoint attempts to communicate with an attackers remote server to receive malicious commands or extract information.

The default URL-profile should automatically have C2 action to BLOCK if you are using PAN-OS version 8.0.2 or later. If you are using customized profiles or other versions you need to set it manually.

These are the steps required:

  1. Go to Objects > Security Profiles > URL Filtering

 

 

 

 

 

 

 

 

2. Click on your URL-profile and find ”command-and-control” in the list. Set the action to BLOCK and press OK.

Also make sure the URL-profile are applied to your security-profiles.

Press commit and you are done!

More information can be found on https://live.paloaltonetworks.com/t5/Management-Articles/Command-and-Control-C2-FAQ/ta-p/178617