Saturday, March 19, 2016

Panorama and PAN OS upgrade process


How to Upgrade PAN-OS

Note: Before upgrading PAN-OS, confirm which release is the current latest stable version.

 

1-      Panorama OS upgrade:

 

Go to Panorama > Software > Check Now:

 

Note: Download the base version first. For example, to upgrade to 6.1.9, first download 6.0.0, then click Check Now again, download 6.1.9 and install it.


 

 

  • Click Download on the latest stable version (6.1.9 or 7.0.4).

  • After the download completes, click Install on Panorama first.

 

2-      Now on the PAN devices that are added to Panorama:

 

Go to Panorama > Device Deployment > Software > Check Now:

 

  • Click Download on the latest stable version (6.1.9 or 7.0.4).

  • After the download completes, click Install to push the release from Panorama to the device.


My personal suggestion is to deploy software to the PAN devices one by one instead of all at once.

Base Version Note: The base version (the first release of a major version, such as 4.1.0, 5.0.0, 6.0.0 or 6.1.0) of the branch you are upgrading to must be downloaded onto the device first. Once the base version is downloaded and the 'ACTION' column shows 'Install', the latest release on the same branch can be downloaded and installed.

For Example

If upgrading a Palo Alto Networks device from PAN-OS 5.0.5 to 6.1.6:

Note: Direct upgrade from 5.0.x to 6.1.x is not possible. It has to be a stepped upgrade from 5.0.x to 6.0.x to 6.1.x

  1. Download and install only the 6.0.0 base version. After installing, the Palo Alto Networks device requires a reboot for the new OS to take effect.
  2. Download only the 6.1.0 base version. The action PAN-OS 5.0.0 changes from "download" to "install." Do not install now.
  3. Download and install 6.1.2. After installing, the Palo Alto Networks device requires a reboot for the new OS to take effect.
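The stepped-upgrade rule above (never skip a branch, download the target branch's base before the maintenance release, reboot after every install) is easy to get wrong by hand. The following is an added example, not code from the original post or from Palo Alto Networks: it turns that rule into a small planner. BRANCHES is an assumed ordering of the release branches mentioned on this page, not an official list, and the version strings are constructed.

```python
# Added example (not from the original post): plans a stepped PAN-OS upgrade
# following the base-version rule described above. BRANCHES is an assumed
# ordering of release branches mentioned on this page, not an official list.
from __future__ import annotations

BRANCHES = ["4.1", "5.0", "6.0", "6.1", "7.0"]  # assumption: branch order


def branch_of(version: str) -> str:
    """'6.1.6' -> '6.1' (major.minor identifies the release branch)."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return ".".join(parts[:2])


def base_of(branch: str) -> str:
    """The base release of a branch is its .0 release, e.g. '6.1' -> '6.1.0'."""
    return branch + ".0"


def plan_upgrade(current: str, target: str) -> list[tuple[str, str]]:
    """Return the ordered (action, version) steps to move from current to target.

    Rules encoded:
      * a branch cannot be skipped: each intermediate branch's base is
        downloaded, installed and rebooted into;
      * the target branch's base is downloaded (so the target shows 'Install')
        but not installed when the target is a later maintenance release;
      * every install is followed by a reboot.
    """
    cur_branch, tgt_branch = branch_of(current), branch_of(target)
    ci, ti = BRANCHES.index(cur_branch), BRANCHES.index(tgt_branch)
    if ti < ci:
        raise ValueError("downgrade requested: use 'debug swm revert' instead")

    steps: list[tuple[str, str]] = []
    if ci == ti:
        # Same branch: the base is already on the box, one maintenance install.
        if current != target:
            steps += [("download", target), ("install", target), ("reboot", target)]
        return steps

    for branch in BRANCHES[ci + 1 : ti + 1]:
        base = base_of(branch)
        if branch != tgt_branch:
            # Intermediate branch: its base must actually run before moving on.
            steps += [("download", base), ("install", base), ("reboot", base)]
        else:
            steps.append(("download", base))  # makes the target installable
            if target != base:
                steps.append(("download", target))
            steps += [("install", target), ("reboot", target)]
    return steps


if __name__ == "__main__":
    for action, version in plan_upgrade("5.0.5", "6.1.6"):
        print(f"{action:<9}{version}")
```

Running it for the 5.0.5 to 6.1.6 case reproduces the three numbered steps above; a same-branch request such as 6.1.2 to 6.1.9 collapses to a single download/install/reboot, and a downgrade request is refused because that is what `debug swm revert` is for.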

Release Notes: To view a description of the changes in each release, including known issues, version features, and resolved issues, click "Release Notes" next to the release.

Deleting old versions

Older versions of the PAN-OS software can be deleted as long as you are no longer running that version. If running 6.0.6, then it is OK to delete all 5.1.x (Panorama) or 5.0.x (Firewall) software versions, even the base versions.

How to Upgrade a High Availability (HA) Pair



The following instructions for upgrading an HA pair are recommended because:

  • It verifies HA functionality before starting the upgrade.

  • It ensures the upgrade is successfully applied to the first device before starting the upgrade on the second.

  • At any point in the procedure, if any issue arises, the upgrade can be seamlessly reverted without any expected downtime.

  • When finished, the final active/passive device state will be the same as it was before the upgrade, with the fewest number of failovers possible (2).

Steps

Before beginning, we recommend disabling preempt to avoid the possibility of unwanted failovers. The configuration change that disables preempt must be committed on both peers; likewise, once the upgrade is complete, re-enabling it must be committed on both peers.

To disable preempt, go to Device > High Availability > Election Settings and uncheck Preemptive. Then perform a commit.


First suspend the active unit from the CLI. Run the command:

> request high-availability state suspend

or
From the GUI, go to Device > High Availability > Operations > Suspend local device.



Note: This will cause an HA failover. It is recommended to do this first to verify the HA functionality is working before initiating the upgrade.

  • Verify network stability on the new active device while the previously active device is suspended.

  • Install the new PAN-OS on the suspended device, then reboot the device to complete the install, as below:

How to Upgrade PAN-OS

Note: Before upgrading PAN-OS, confirm which release is the current latest stable version.


1-      PAN OS upgrade:


Go to Panorama > Software > Check Now:




  • Click Download on the latest stable version (6.1.9) and install it on the local PAN.

  • Reboot the PAN for the new version to take effect.


When the upgraded device has rebooted, the CLI prompt should show passive (or non-operational, if the upgrade crossed a major release, e.g. 5.0.15 to 6.X.X) and the PAN-OS version should reflect the new version.

On the current passive device, verify that the auto commit completed successfully (FIN OK) by running the following command before proceeding to the next step:

> show jobs all

Note: If the current passive device is in a non-functional state, run the following command to make it functional again:

> request high-availability state functional

Suspend the second device (current active device).

Upgrade the second device, then reboot it. When the second device reboots, the first device, already upgraded, takes over as active.

As HA functionality was verified (step 1) and the config was successfully pushed to the dataplane on the new PAN-OS (step 5), the failover should be seamless.

When the second unit reboots, it comes up as the passive unit. Validate that the auto commit completes on this device (as done in step 5) by running the following command, which completes the upgrade:

> show jobs all
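Both auto-commit checks in this procedure (on the first upgraded device and again on the second) amount to reading the `show jobs all` table and refusing to continue unless the AutoCom job reached FIN with result OK. The following is an added example, not code from the original post or from Palo Alto Networks, that performs that check on captured output. SAMPLE_OUTPUT and FAILED_OUTPUT are constructed to resemble the job table; real column widths may differ, so rows are parsed by whitespace-separated fields rather than fixed offsets.

```python
# Added example (not from the original post): checks `show jobs all` output
# for a finished autocommit before continuing the HA upgrade. SAMPLE_OUTPUT
# and FAILED_OUTPUT are constructed to resemble the job table; real column
# widths may differ, so rows are parsed by whitespace-separated fields.
from __future__ import annotations

SAMPLE_OUTPUT = """\
Enqueued            Dequeued  ID   Type     Status Result Completed
--------------------------------------------------------------------
2016/03/19 08:12:03 08:12:03  7    AutoCom  FIN    OK     08:12:51
2016/03/19 08:20:15 08:20:15  8    Commit   ACT    PEND   30%
"""

# Constructed: the autocommit finished but failed, so the upgrade must not proceed.
FAILED_OUTPUT = """\
Enqueued            Dequeued  ID   Type     Status Result Completed
--------------------------------------------------------------------
2016/03/19 08:12:03 08:12:03  7    AutoCom  FIN    FAIL   08:12:51
"""


def parse_jobs(output: str) -> list[dict]:
    """Turn each job row into a dict with id/type/status/result/completed."""
    jobs = []
    for line in output.splitlines():
        fields = line.split()
        # A job row starts with a yyyy/mm/dd date and has at least 8 fields;
        # the header and the dashed separator do not, so they are skipped.
        if len(fields) < 8 or fields[0].count("/") != 2:
            continue
        jobs.append({
            "enqueued": f"{fields[0]} {fields[1]}",
            "dequeued": fields[2],
            "id": int(fields[3]),
            "type": fields[4],
            "status": fields[5],
            "result": fields[6],
            "completed": fields[7],
        })
    return jobs


def autocommit_ok(output: str) -> bool:
    """True only if the most recent AutoCom job reached status FIN with result OK."""
    autocommits = [j for j in parse_jobs(output) if j["type"] == "AutoCom"]
    if not autocommits:
        return False  # nothing to verify yet: do not proceed
    latest = max(autocommits, key=lambda j: j["id"])
    return latest["status"] == "FIN" and latest["result"] == "OK"


def active_job_ids(output: str) -> list[int]:
    """IDs of jobs that have not finished (any status other than FIN)."""
    return [j["id"] for j in parse_jobs(output) if j["status"] != "FIN"]


if __name__ == "__main__":
    print("autocommit ok:", autocommit_ok(SAMPLE_OUTPUT))
    print("still running:", active_job_ids(SAMPLE_OUTPUT))
    print("failed sample ok:", autocommit_ok(FAILED_OUTPUT))
```

The deliberately strict default (no AutoCom row means "not OK") matches the intent of the step: a device whose auto commit has not been seen to finish should not be trusted to take over as active.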

The original active device before the upgrade will be the active device now.

Note: For upgrading an Active-Active HA pair, follow the same steps as for the Active-Passive pair. All the steps and terms used for the Active and Passive devices correspond to Active-Primary and Active-Secondary, respectively.

How to Downgrade

If an issue occurs on the new version and a downgrade is necessary:

To revert to the previous PAN-OS version, run the following CLI command:

> debug swm revert

This causes the firewall to boot from the partition in use prior to the upgrade. Nothing will be uninstalled and no configuration change will be made.

Saturday, January 10, 2015

How To Create Custom URL Categories

Overview
This document describes the steps to create a Custom URL Category list, use the list in a URL Filtering profile, and then apply the profile in a security policy.
 

Steps

  1. For PAN-OS 4.0, 4.1 or 5.0, go to Objects > Custom URL Category and click Add.
  2. For PAN-OS 6.0, 'Custom URL Category' has been renamed 'URL Category' and moved under Objects > Custom Objects.
  3. Fill in the Name, Description, and the URLs of the category members (one per line).
    Note: A list of URLs can also be imported from a file.
To apply the custom category to a URL filtering profile:
  1. Go to Objects > Security Profiles > URL Filtering and click Add.
  2. Name the profile and select the custom category.
    Note: The newly created category appears in the Category list with an asterisk next to it.
  3. Optionally, add URLs to the Allow/Block lists as appropriate.
 
To apply the URL filtering profile in a security policy:
  1. Go to Policies > Security
  2. Select or create a security policy
  3. Select the custom profile for URL Filtering under Profile Setting.
  4. Commit
 
The Palo Alto Networks firewall will process the filter as follows:
  • Block list
  • Allow list
  • Custom category
  • Pre-defined category
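That evaluation order decides what happens when a URL appears in more than one place, for instance a host that is both in the profile's allow list and in a predefined category the profile blocks. The following is an added example, not code from the original post or from Palo Alto Networks: a simplified model of the four-step order. The matching rule (an entry matches a host exactly, or any subdomain when it starts with "*.") is an assumption made here, and PREDEFINED_DB and SAMPLE_PROFILE are constructed stand-ins for the vendor URL database and a profile.

```python
# Added example (not from the original post): a simplified model of the
# evaluation order above. Matching rules are an assumption made here: an entry
# matches a host exactly, or, when it starts with "*.", any subdomain of it.
from __future__ import annotations

from dataclasses import dataclass, field


def entry_matches(entry: str, host: str) -> bool:
    """Does a block/allow/category entry cover this host name?"""
    entry, host = entry.lower().strip("/"), host.lower()
    if entry.startswith("*."):
        bare = entry[2:]
        return host == bare or host.endswith("." + bare)
    return host == entry


@dataclass
class UrlFilteringProfile:
    block_list: set = field(default_factory=set)
    allow_list: set = field(default_factory=set)
    # custom category name -> (member entries, action for that category)
    custom: dict = field(default_factory=dict)
    # predefined category name -> action (categories the profile does not
    # mention fall back to "allow" in this model)
    predefined_actions: dict = field(default_factory=dict)


# Constructed stand-in for the vendor URL database: host -> predefined category.
PREDEFINED_DB = {
    "news.example": "news",
    "mail.example": "web-based-email",
}

# Constructed profile: note mail.example is allow-listed although its
# predefined category is blocked, and *.corp.example is a custom category.
SAMPLE_PROFILE = UrlFilteringProfile(
    block_list={"*.bad.example"},
    allow_list={"mail.example"},
    custom={"internal-tools": ({"*.corp.example"}, "alert")},
    predefined_actions={"web-based-email": "block", "news": "allow"},
)


def evaluate(host: str, profile: UrlFilteringProfile,
             predefined_db: dict = PREDEFINED_DB) -> tuple[str, str]:
    """Return (action, reason) in the order block list, allow list,
    custom category, pre-defined category. The first match wins, so a block
    list entry beats an allow list entry, and an allow list entry beats a
    predefined category that the profile would block."""
    if any(entry_matches(e, host) for e in profile.block_list):
        return "block", "block list"
    if any(entry_matches(e, host) for e in profile.allow_list):
        return "allow", "allow list"
    for name, (members, action) in profile.custom.items():
        if any(entry_matches(e, host) for e in members):
            return action, f"custom category {name}"
    category = predefined_db.get(host.lower())
    if category is not None:
        return profile.predefined_actions.get(category, "allow"), f"predefined category {category}"
    return "allow", "no match"


if __name__ == "__main__":
    for h in ["evil.bad.example", "mail.example", "wiki.corp.example",
              "news.example", "other.example"]:
        print(f"{h:<20} {evaluate(h, SAMPLE_PROFILE)}")
```

The practical consequence to keep in mind when using a custom category for blocking: an allow list entry anywhere in the same profile that also covers the host is consulted earlier and will let the traffic through.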

How to Setup a Palo Alto Firewall with Dual ISPs and Automatic VPN Failover!!!

Overview


This document explains how to configure a Palo Alto Networks firewall that has a dual ISP connection in combination with VPN tunnels.
Configuration Goals:
  • A single device with two internet connections (High Availability)
  • Static site-to-site VPN
  • Automatic failover for internet connectivity and VPN
Setup
This setup is frequently used to provide connectivity between a branch office and a headquarters.  ISP1 is used as the primary ISP on Ethernet1/3.  ISP2 is the backup ISP on Ethernet1/4.
Configuration
The configuration is identical on both firewalls, so only one firewall configuration is discussed. In this example, there are two virtual routers (VR).
(Figure: dual ISP and VPN topology diagram)
Interface Configuration
Configure two interfaces:
  • Eth 1/3: 10.185.140.138/24 (connection to ISP1) in the untrust zone
  • Eth 1/4: 10.80.40.38/24  (connection to ISP2) in the untrust zone
Virtual Routers
There are two virtual routers:
  • VR1: Primary (ISP1) (Ethernet1/3)
  • VR2: Secondary (ISP2) (Ethernet1/4)
Each VR has one ISP interface attached; all other interfaces, including any added in future, stay connected to the Secondary VR. The purpose is that every internal interface is known through connected routes on the Secondary VR, so that VR's routing table takes over as the routing method when the main ISP goes down.
  • The Primary VR has the Ethernet1/3 interface attached.
  • The Primary VR routes include the default route and return routes for all private address ranges back to the Secondary VR, where the actual interfaces live as connected routes. When traffic is forced out the Primary ISP interface by PBF, return traffic therefore knows how to get back to the Secondary VR.
  • The Secondary VR has Ethernet1/4 attached along with all the other interfaces.
  • On the Secondary VR, every connected interface shows up in the routing table as a connected route, and the route for the tunnel is handled by PBF.
  • To force traffic out the Primary ISP interface, use a PBF rule sourced from the Trusted Zone.
  • Tell PBF not to forward traffic destined to private networks, since private addresses cannot be routed on the internet (there may be situations where some private destinations do need to be forwarded by PBF). To do this, select Negate on the destination.
  • Set up forwarding out of the Primary interface, with monitoring configured to disable the rule if the monitored destination becomes unreachable. Traffic then reverts to the routing table of the Secondary VR, where all the connected routes exist.
The reason for the multiple VRs is that both tunnels are up and running at the same time. If connectivity to ISP1 is lost, it fails over to ISP2 as soon as possible; if the backup VPN over ISP2 is already negotiated, that speeds up the failover.
Phase 1 Configuration
For each VPN tunnel, configure an IKE gateway.
Phase 2 Configuration
For each VPN tunnel, configure an IPSec tunnel. On the IPSec tunnel, enable monitoring with the action Fail Over if the tunnels connect to another Palo Alto Networks firewall. Otherwise, set up PBF with monitoring and a route for the secondary tunnel.
Tunnel Monitoring (Palo Alto Networks firewall connection to another Palo Alto Networks firewall)
  • Primary tunnel with monitoring
  • Secondary tunnel with monitoring
  • In Action, configure the Monitor Profile to Fail Over
  • With this method, using tunnel monitoring, there are two routes in the routing table: the first with a metric of 10 for the Primary VPN traffic, and the second with a metric of 20 for the Secondary VPN. Since the tunnels terminate on the Secondary VR, the routes are placed on that VR.
Policy Based Forwarding (Palo Alto Networks firewall connection to a non-Palo Alto Networks firewall vendor)
  • This method can be used when the connection is between two firewalls.
  • State the Source Zone.
  • Indicate when the traffic is destined to the network on the other side of the tunnel (in this case 192.168.10.0/24).
  • Forward the traffic down the tunnel.
  • When the PBF rule is disabled because the destination is not reachable, the other VPN starts to carry the traffic via the routing table, which holds a route to the same destination through the other configured tunnel.
Note: In the above example, a probe is sent out to 192.168.10.2 to check if it's reachable. The probe must have a source IP address and will use the egress interface's IP, which will be the IP address of the interface 'tunnel'. If an IP address is not configured on the tunnel interface, the PBF rule will never be enabled. In this scenario, an arbitrary IP needs to be configured, such as 172.16.0.1/30. A static route for destination 192.168.10.2 must be added with next-hop as the tunnel interface. Otherwise PBF will always fail because traffic initiated from the firewall will not hit the PBF rule. Make sure the remote device knows how to return the packet. When working with a Cisco ASA, make sure it knows how to return traffic to 172.16.0.1/30. Additionally, configure a Proxy ID for this network on the Palo Alto Networks device's IPSec tunnel configuration.
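The two failover mechanisms in this design (a PBF rule that is disabled when its monitored destination stops answering, and a routing table with a metric-10 primary tunnel route and a metric-20 backup) are easiest to reason about as one egress decision. The following is an added example, not code from the original post or from Palo Alto Networks: a toy model of that decision. PBF is consulted first and a rule whose monitor has failed counts as disabled; otherwise the virtual router's table picks the longest prefix, then the lowest metric, among routes that are still up. The interface names, prefixes, metrics and the rule name in build_sample() are constructed for illustration, and the Negate handling follows the bullet above.

```python
# Added example (not from the original post): a toy model of the egress
# decision in the design above. PBF is consulted first and a rule whose
# monitored target is unreachable counts as disabled; otherwise the virtual
# router's table decides by longest prefix, then lowest metric. Interface
# names, prefixes, metrics and the rule name are constructed for illustration.
from __future__ import annotations

from ipaddress import ip_address, ip_network


class Route:
    def __init__(self, prefix: str, egress: str, metric: int, up: bool = True):
        self.prefix = ip_network(prefix)
        self.egress = egress
        self.metric = metric
        self.up = up  # False once tunnel monitoring has failed this path


class PbfRule:
    def __init__(self, name: str, destinations: list[str], egress: str,
                 negate: bool = False, monitor_up: bool = True):
        self.name = name
        self.destinations = [ip_network(d) for d in destinations]
        self.egress = egress
        self.negate = negate          # "Negate": match destinations NOT in the list
        self.monitor_up = monitor_up  # a failed monitor disables the rule

    def applies_to(self, dst) -> bool:
        inside = any(dst in net for net in self.destinations)
        return (not inside) if self.negate else inside


def select_egress(dst_ip: str, pbf_rules: list[PbfRule],
                  routes: list[Route]) -> tuple[str | None, str]:
    """Return (egress interface, reason) for a packet to dst_ip."""
    dst = ip_address(dst_ip)
    for rule in pbf_rules:  # step 1: PBF rules, top to bottom
        if rule.monitor_up and rule.applies_to(dst):
            return rule.egress, f"pbf:{rule.name}"
    # step 2: routing table, longest prefix then lowest metric, usable routes only
    usable = [r for r in routes if r.up and dst in r.prefix]
    if not usable:
        return None, "no route"
    best = max(usable, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.egress, f"route:{best.prefix} metric {best.metric}"


def build_sample() -> tuple[list[PbfRule], list[Route]]:
    """Constructed Secondary-VR view: PBF sends non-private traffic to ISP1,
    the table holds the ISP2 default route plus primary/backup tunnel routes."""
    rules = [PbfRule("to-isp1", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
                     "ethernet1/3", negate=True)]
    routes = [
        Route("0.0.0.0/0", "ethernet1/4", 10),       # ISP2 default route
        Route("192.168.10.0/24", "tunnel.1", 10),    # primary VPN
        Route("192.168.10.0/24", "tunnel.2", 20),    # secondary VPN
    ]
    return rules, routes


if __name__ == "__main__":
    rules, routes = build_sample()
    print(select_egress("8.8.8.8", rules, routes))       # ISP1 via PBF
    rules[0].monitor_up = False                            # ISP1 probe fails
    print(select_egress("8.8.8.8", rules, routes))       # ISP2 via default route
    print(select_egress("192.168.10.5", rules, routes))  # primary tunnel
    routes[1].up = False                                   # tunnel monitor fails
    print(select_egress("192.168.10.5", rules, routes))  # secondary tunnel
```

The model makes the page's two caveats visible: private destinations never match the negated PBF rule, so tunnel traffic always goes through the routing table, and once the primary tunnel route is withdrawn by monitoring the metric-20 route takes over without any rule change.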

How to Configure IPSec VPN on PAN firewall

Steps
  1. Go to Network > Tunnel Interface to create a new tunnel interface and assign the following parameters:
    Name: tunnel.1
    Virtual router: (select the existing virtual router)
    Zone: (select the layer 3 internal zone from which the traffic will originate)

    Note: If the tunnel interface is in a zone that is different from the zone that the traffic will originate/depart, then a policy will need to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.

  2. Go to Network > Network Profiles > IKE Crypto Profile and define IKE Crypto (IKEv1 Phase-1) parameters.
    These parameters should match on the remote firewall for the IKE Phase-1 negotiation to be successful.

  3. Go to Network > Network Profiles > IKE Gateway to configure the IKE Phase-1 Gateway.

Note: The Tunnel configured above will terminate in the Trust zone for traffic traversing the tunnel, although if more granular control is desired for the policy configuration in the tunnel use a VPN or other zone. Also, note that the gateway configuration below will be configured for the Untrust interface and not to be confused with the tunnel terminating on a trusted interface.

  4. Under Network > Network Profiles > IPSec Crypto Profile, define an IPSec Crypto profile to specify the protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA negotiation (IKEv1 Phase-2). These parameters should match on the remote firewall for the IKE Phase-2 negotiation to be successful.

  5. Under Network > IPSec Tunnel > General, configure the IPSec tunnel to set up the parameters for establishing the IPSec VPN tunnel between the firewalls.

    Note: If the other side of the tunnel is a third-party VPN device configured as a policy-based VPN, then enter the local proxy ID and remote proxy ID to match the other side.

    When configuring IPSec Tunnel Proxy-IDs to identify the local and remote IP networks for traffic that is NATed, the Proxy-ID configuration must use the post-NAT IP network information, since the Proxy-ID defines the networks that will be allowed through the tunnel on both sides of the IPSec configuration.

  6. Under Network > Virtual Routers > Static Routes, add a new route for the network that is behind the other VPN endpoint.
  7. Commit the configuration.

How to Configure LDAP (AD) Integration with Palo Alto


Steps

1.     Click on Device tab

2.     Under Server Profiles, click on LDAP

3.     Click Add to bring up the LDAP Server Profile dialog

4.     Enter the Server name, IP Address and port (389 for LDAP)

5.     Select LDAP server type from drop down menu. Enter the Base Distinguished Name for the domain. Enter the Bind DN and Bind Password for the service account. Uncheck SSL checkbox (SSL can be used if the Domain Controller will listen for LDAP SSL on port 636).
         


6.     To find the DN information on the AD server, use the following command on the AD server:

               C:\>dsquery user

7.     Commit changes