Saturday, January 10, 2015

How To Create Custom URL Categories

Overview
This document describes the steps to create a Custom URL Category list, use the list in a URL Filtering profile, and then applying the profile in a security policy.
 

Steps

  1. For PAN-OS 4.0, 4.1, 5.0, go to Objects > Custom URL Category and click Add

  2. Untitled.jpg
    For PAN OS 6.0, 'Custom URL Category' has been renamed as 'URL Category' and moved under Objects > Custom Objects:
    Screen Shot 2014-05-26 at 9.55.04 AM.png
  3. Fill in the Name, Description, and the URLs of the category members (one per line).
    Note: A list of URLs can also be imported from a file.
To apply the the custom category to a URL filtering profile:
  1. Go to Objects > Security Profiles > URL Filtering and click Add.
  2. Name the profile and select the custom category.
    Note: The newly created category appears in the Category list with an asterisk next to it.
    Untitled.jpg
  3. Optionally, add URLs to the Allow/Block lists as appropriate.
 
To apply the URL filtering profile in a security policy:
  1. Go to Policies > Security
  2. Select or create a security policy
  3. Select the custom profile for URL Filtering, under Profile Setting:
    filter.jpg
  4. Commit
 
The Palo Alto Networks firewall will process the filter as follows:
  • Block list
  • Allow list
  • Custom category
  • Pre-defined category

How to Setup a Palo Alto Firewall with Dual ISPs and Automatic VPN Failover!!!

Overview


This document explains how to configure a Palo Alto Networks firewall that has a dual ISP connection in combination with VPN tunnels.
Configuration Goals:
  • A single device with two internet connections (High Availability)
  • Static site-to-site VPN
  • Automatic failover for internet connectivity and VPN
Setup
This setup is frequently used to provide connectivity between a branch office and a headquarters.  ISP1 is used as the primary ISP on Ethernet1/3.  ISP2 is the backup ISP on Ethernet1/4.
Configuration
The configuration is identical on both firewalls, so only one firewall configuration is discussed. In this example, there are two virtual routers (VR).
Dual Diagram.png
Interface Configuration
Configure two interfaces:
  • Eth 1/3: 10.185.140.138/24 (connection to ISP1) in the untrust zone
  • Eth 1/4: 10.80.40.38/24  (connection to ISP2) in the untrust zone
Virtual Routers
There are two virtual routers:
  • VR1: Primary (ISP1) (Ethernet1/3)
  • VR2: Secondary (ISP2) (Ethernet1/4)
Each VR has an ISP Interface attached, but all other interfaces will stay connected to VR Secondary, as well as all future interfaces. The purpose is to let all interfaces be known by connected routes and routes on the VR as their routing method when the Main ISP goes down.
  • Primary VR has Ethernet1/3 interface attached
Primary Router GEn.PNG
  • The Primary VR routes include the default route and return routes for all private addresses back to the Secondary VR, where the actual interfaces are as connected routes. When the traffic is forced out the interface through the PBF, the traffic will know how to get back to the Secondary VR where the interfaces live.
Primary Routes.PNG
  • Secondary VR has the Ethernet1/4 attached with all the other interfaces, as shown below:
Secondary Router GEN.PNG
  • Secondary VR routes for all connected interface will show up on the routing table as connected routes, and the route for the tunnel will be taken care of by PBF
  • To force the traffic out the Primary ISP interface, use the PBF Sourcing, as shown below from the Trusted Zone:
PBF Source.PNG
  • The firewall tells the PBF not to forward traffic that is destined to a private network, since it cannot route private addresses on the internet (there might be situations were there are private network addresses that need to be PBF'ed out). As shown in the example below, click Negate.
PBF Negate DEST.PNG
  • As shown in the example below, set up the forwarding out of the Primary Interface, with monitoring to disable the rule, if the destination being monitored is not available. Revert the traffic to use the routing table of the Secondary VR where all connected routes exist.
Forward Tab complete.PNG
The reason for the multiple VR’s, is both tunnels are up and running at the same time. If connectivity is to ISP1, it will failover to ISP2 as soon as possible. If the backup VPN over ISP2 is already negotiated, that will speed up the failover process.
Phase 1 Configuration
Gateways.PNG
For each VPN tunnel, configure an IKE gateway.
Phase 2 Configuration
Tunnels.PNG
For each VPN tunnel, configure an IPSec tunnel. On the IPSec tunnel, enable monitoring with action fail over if configuring the tunnels to connect to anther Palo Alto Networks firewall. Otherwise, setup the PBF with monitoring and a route for the secondary tunnel.
Tunnel Monitoring (Palo Alto Networks firewall connection to another Palo Alto Networks firewall)
  • Primary Tunnel with monitoring
Primary Tunnel Monitor .PNG
  • Secondary Tunnel with monitoring
Secondary Tunnel Monitor.PNG
  • In Action, configure the Monitor Profile to Fail Over
Tunnel Monitor.PNG
  • With this method, using tunnel monitoring there are two routes in the routing table, the first with metric of 10 for the Primary VPN traffic, and the second with the metric of 20 for the Secondary VPN. Since the tunnels terminate on the Secondary VR, the routes will be placed on that VR.
Routes for VPNs.PNG
Policy Based Forwarding (Palo Alto Networks firewall connection to a non Palo Alto Networks firewall vendor)
  • This method can be used when the connection is between two firewalls
  • State from what Source Zone
NONPA PBF.PNG
  • Indicate when the traffic is destined to the network on the other side of the tunnel (in this case it is 192168.10.0/24)
Destination PBF.PNG
  • Forward the traffic down the tunnel
Forward PBF.PNG
  • When the PBF is disabled, because the destination is not reachable, the other VPN will start to work using the routing table with a route with the same destination using the other configured tunnel.
Note: In the above example, a probe is sent out to 192.168.10.2 to check if it's reachable. The probe must have a source IP address and will use the egress interface's IP, which will be the IP address of the interface 'tunnel'. If an IP address is not configured on the tunnel interface, the PBF rule will never be enabled. In this scenario, an arbitrary IP needs to be configured, such as 172.16.0.1/30. A static route for destination 192.168.10.2 must be added with next-hop as the tunnel interface. Otherwise PBF will always fail because traffic initiated from the firewall will not hit the PBF rule. Make sure the remote device knows how to return the packet. When working with a Cisco ASA, make sure it knows how to return traffic to 172.16.0.1/30. Additionally, configure a Proxy ID for this network on the Palo Alto Networks device's IPSec tunnel configuration.

How to Configure IPSec VPN on PAN firewall

Steps
  1. Go to Network > Tunnel Interface to create a new tunnel interface and assign the following parameters:
    Name: tunnel.1
    Virtual router: (select the existing virtual router)
    Zone: (select the layer 3 internal zone from which the traffic will originate)

    Note: If the tunnel interface is in a zone that is different from the zone that the traffic will originate/depart, then a policy will need to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.

  2. Go to Network > Network Profiles > IKE Crypto Profile and define IKE Crypto (IKEv1 Phase-1) parameters.
    These parameters should match on the remote firewall for the IKE Phase-1 negotiation to be successful.

  3. Go to Network > Network Profiles > IKE Gateway to configure the IKE Phase-1 Gateway.

Note: The Tunnel configured above will terminate in the Trust zone for traffic traversing the tunnel, although if more granular control is desired for the policy configuration in the tunnel use a VPN or other zone. Also, note that the gateway configuration below will be configured for the Untrust interface and not to be confused with the tunnel terminating on a trusted interface.
temp.PNG

  1. Under Network > Network Profiles > IPSec Crypto Profile define IPSec Crypto profile to specify protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA negotiation (IKEv1 Phase-2). These parameters should match on the remote firewall for the IKE Phase-2 negotiation to be successful.

  2. Under Network > IPSec Tunnel > General configure IPSec Tunnels to set up the parameters to establish IPSec VPN tunnels between firewalls.

    Note:  If the other side of the tunnel is a third party VPN device configured as a policy-based VPN, then enter the local proxy ID and remote proxy ID to match the other side.

    When configuring an IPSec Tunnel Proxy-ID configuration to identify local and remote IP networks for traffic that is NATed, the Proxy-ID configuration for the IPSec Tunnel must be configured with the Post-NAT IP network information since the Proxy-ID information defines
    the networks that will be allowed through the tunnel on both sides for the IPSec configuration.

  3. Under Network > Virtual Routers-Static Route add a new route for the network that is behind the other VPN endpoint.
  4. Commit the configuration.

How to Configure LDAP (AD) Integration with Palp Alto.


Steps

1.     Click on Device tab

2.     Under Server Profiles, click on LDAP

3.     Click Add to bring up the LDAP Server Profile dialog

4.     Enter Server name, IP Address and port (389 LDAP)

5.     Select LDAP server type from drop down menu. Enter the Base Distinguished Name for the domain. Enter the Bind DN and Bind Password for the service account. Uncheck SSL checkbox (SSL can be used if the Domain Controller will listen for LDAP SSL on port 636).
         


6.     To find out DN information from AD server please use blow command on AD server:

               C:\>dsquery user

7.     Commit changes