Tag: Palo Alto

Palo Alto VM-Series with active/passive HA support in Azure

Since the latest release of Palo Alto Network PAN-OS 9.0.0 the VM-Series firewall now supports the VM-Series plugin, a built-in-plugin architecture for integration with public clouds or private cloud hypervisors, with the plugin you can now configure VM-Series firewalls with active/passive high availability (HA) in Azure. I will cover some of the requirements in short which is needed to setup HA in Azure.

mixed authentication methods added for Global Protect

In Palo Alto Networks latest release 9.0.0, a new feature was added that allows you to have mixed authentication methods to the same Global Protect portal and/or gateway.

When this feature is enabled it will basically allow your users to authenticate with user credentials and/or client certificates. The options are to either to require both user credentials and client certificates or you can allow user credentials or client certificates.

On top of this you can also set different requirements depending on what OS the user connects from. Below are the current list for available operating systems you can set policies on:

  • Andriod
  • Chrome
  • iOS
  • Linux
  • Mac
  • Satellite
  • Windows
  • WindowsUWP
  • X-Auth

With this you could create an authentication-profile that requires Windows-users to authenticate with both user credentials and client certificates.

Then create another that allows your Android-users to authenticate with either user credentials or client certificates.

This feature could be used in some different cases, for example if you already have two different portals and one of them only requires user credentials for authentication. In that case you could put the two configurations together and save the public IP that was used for the other portal/gateway.

More information can be found on: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/globalprotect-features/mixed-authentication-method-support-for-certificates-or-user-credentials.html 

If you have any questions, feel free to email me at petter.vikstrom@xenit.se or comment down below.

Create Threat Exceptions for specific traffic

At some point you might encounter a false-positive threat that you want to make an exception for. If you know a file is safe if its downloaded from a specific place but you don’t want other files classified with the same threat ID/name to be whitelisted, you can create a separate security profile.

Start by identifying the traffic and where it’s blocked. In this example the file got blocked by the vulnerability protection-profile.

Click on the magnifying class to see more detailed information and find the threat ID.

If we look in the detailed section we can see that the threat ID is 39040 for this threat-name.

Go to Objects > Security Profile > Vulnerability Protection. Since we want to specify what traffic this is whitelisted on we need to create a separate profile so the current security policys is unaffected.

Clone the profile that are currently used for this kind of traffic and rename it properly. Go to the exceptions-tab and select “Show all signatures”. Type the threat ID, press enter and enable the signature.
Press on the current action (default (alert)) and change it to allow or leave it at default. In this example I will select default (alert) since I still want it to be logged.

When this is done we can either add it to a new Security Profile Group or add it directly to a new Security Policy. Here we will add it directly to a security policy.

Create a new Security Policy above the one that blocked the file.

Specify you source adress and destination.
In the actions-tab, select Profile Type: Profiles and under Vulnerability Protection: <The profile you created>

Commit and verify that the traffic hits the correct Security Policy and is logged with alert.

Be very cautious when you create exceptions and always make sure you only allow the traffic you intended. Always make sure you look at alternative ways before creating an exception.

The same method can be applied on different security profiles.


HOW TO: Configure BGP between Arista and Palo Alto using loopback-interfaces

In this example I will be showing you how you can configure BGP between Arista and Palo Alto. The setup has two Arista COR-switches which is configured with MLAG and a Palo Alto Networks firewall.

The goal is to use iBGP between the Arista-switches and eBGP between the Arista-switches and Palo Alto.

We will also be using a specific VRF in this example, if you have more than one VRF the same configuration-method can be applied again.

We will also assume that all linknet-interfaces are already configured on each device.

The topology is shown below.

Start by adding your route distinguisher and activate routing on your VRF on the Arista-switches.

Configure the loopback-interfaces and create static routes between them.

Next we will configure BGP on both Arista-switches. Both Arista-switches will have the same router BGP-ID but will be distinguished by “local-as”. Also in this example we will redistribute connected and static routes, these can be changed depending on your needs.

Verify that that the neighbor Arista-switch is in established state with the below command.

Next we will configure the Palo Alto-firewall with BGP. For simplicity we will call the Virtual Router “vrf-01” here as well.

Start by creating your loopback-interface.

Then create your static-routes and enable ECMP to be able to use both paths.

Next we will create a redistribution profile to decide what routes will be redistributed. As on the Arista-switches we will redistribute connected and static routes.

As a final step we will configure BGP on the VR. This can be configured in several different ways depending on your needs and this example is kind of slim but enough to distribute the routes.

Verify that BGP is established to both arista-core1 & arista-core2 by going to:

You should see that both “peer-arista-core1” and “peer-arista-core2” is established.

Also verify the established neighbors (should be two) on the Arista-switches with the below command:

At this point the only routes that should be added by BGP is the linknets that is not directly connected.

For example on arista-cor1:

As seen in the topology is between arista-core2<->pa-fw01 and arista-core1 routes this traffic via the linknet ip on arista-core2.

Feel free to send me any questions to petter.vikstrom@xenit.se or add your question in the comments.

Palo Alto introduces new feature to support Terminal Service (TS) Agent on Windows Server 2016

In the latest release of Palo Alto Networks Terminal Service Agent 8.1.1, we were introduced to a new feature where it is now supported to install the agent on Windows Server 2016.

This is a very welcome feature that a lot of us have been waiting for. There are no other features added to this version or the one before.

This release is also compatible with all the PAN-OS versions that Palo Alto Networks still support.

For more information see:

Where Can I Install the Terminal Service (TS) Agent?

Release Notes – Terminal Service Agent 8.1


In some cases you will come across DHCP-scopes that are configured on the edge-device or similar and wanting to move it to your dedicated Windows Server instead.
Below is an example where you can export DHCP-leases from your Palo Alto Networks device and add them to your dedicated Windows Server.

In this example I will be using Putty.

Step 1.
Start Putty and connect to your Palo Alto Networks firewall. Then go to the Putty Reconfiguration page, Session > Logging and select “All Session output”.
Choose your filename and where to save it. Select Apply.

Step 2.
Log in to your Palo Alto Networks firewall and issue one of the below commands. Choose the second one if you need to specify an interface. For example if you have several DHCP-scopes configured on your firewall.

Close your session when the output has been printed.

Step 3.
Inactivate the DHCP-scope on your Palo Alto Netoworks firewall so there are no new leases being added.

Step 4.

Open the file where the output has been pasted and remove any unnecessary information.

Import the values to Excel and it should look something like this: (We are only importing IP, MAC and Hostname in this example)

Step 5.
Now we need to add the information to the command that we will be using in Powershell on the new DHCP-server.

Go to a new column on the same sheet and add the below:

This will get the information for the IP on column A and row 2, MAC-adress on column B and row 2 and the Hostname on column C and row 2.

Go the new cell and hover to the right corner. Drag down to fill in the rest of the rows.

Step 6.
If you have not already created the new DHCP-scope this is the time to do it.

Step 7.
Start Powershell on your DHCP-server and paste the below commands.

Step 8.
Activate the new scope and remember to configure DHCP-relay on your Palo Alto Networks firewall if needed.

Palo Alto Networks: Command-And-Control (C2) category has been added to URL-Filtering

A new category has been added to Palo Alto Networks URL-filtering. The category is “Command and Control” or “C2” and the recommendation is to immediately set the action to BLOCK in your security profiles.

C2 was previously included in the Malware category but has now been separated to get more effective management. For the malware-category you will normally recognize that the threat was stopped by your Palo Alto Networks Firewall and no further compromises has been made. When C2 is logged an endpoint has likely been compromised, this happens when an compromised endpoint attempts to communicate with an attackers remote server to receive malicious commands or extract information.

The default URL-profile should automatically have C2 action to BLOCK if you are using PAN-OS version 8.0.2 or later. If you are using customized profiles or other versions you need to set it manually.

These are the steps required:

  1. Go to Objects > Security Profiles > URL Filtering









2. Click on your URL-profile and find “command-and-control” in the list. Set the action to BLOCK and press OK.

Also make sure the URL-profile are applied to your security-profiles.

Press commit and you are done!

More information can be found on https://live.paloaltonetworks.com/t5/Management-Articles/Command-and-Control-C2-FAQ/ta-p/178617