Firewall

Palo Alto Certificate Chain Fix

Palo Alto Certificate Chain Fix

An issue I’ve run into on Palo Alto Networks firewalls is that everything seems to work when importing a certificate (usually a PFX). Until you start using the certificate, then after a validation or a commit, there’s a warning that the certificate chain is not correctly formed.

Warning: certificate chain not correctly formed in certificate wild_thedxt_ca
(Module: device)

Certificate chain issues are commonly caused when the certificate chain is out of order. You can read more about certificate chains in my blog post, Certificate Chain. If you want to read more about what can cause broken certificate chains, my blog post, Broken Certificate Chain, goes into more detail.

An incorrect certificate chain can cause issues with a few items on a Palo Alto firewall. One of them can be GlobalProtect when the option FULLCHAINCERTVERIFY="yes" is used during the GlobalProtect install or when the registry value named full-chain-cert-verify is set to yes in the registry path HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings

GlobalProtect malformed certificate error

In this post, I will show you step-by-step how to fix a certificate chain on a Palo Alto Networks firewall.

The Process

  • Click on the Device tab.
  • Click on Certificate Management > Certificates.
  • Select the certificate that is not correctly formed and click on Export Certificate.

In my example, the certificate named wild_thedxt_ca is the one I need to fix.

Read More Read More

Palo Alto Terminal Server Agent Upgrade

Palo Alto Terminal Server Agent Upgrade

Palo Alto Networks makes a program named Terminal Server Agent, aka the TS Agent. It is similar to the User-ID agent. However, the TS Agent is built to identify users on a multi-user system.

In this post, I will show you step-by-step how to upgrade the Palo Alto Networks Terminal Server agent.

Prerequisites

  • Verify that the new Terminal Server agent version is compatible with your PAN-OS.

The TS Agent is typically compatible with the same release number along with earlier still-supported PAN-OS versions. For example, TS agent 11.0 works with PAN-OS 11.0 and earlier. You can confirm this by reading the OS Compatibility section in the release notes.

The Process

  • Log in to the Palo Alto Networks Customer Support Portal.
  • Click on Updates.
  • Click on Software Updates.
  • Select the Terminal Services Agent.
  • Click on the version you need to start the download.
  • Connect to the system that is running the Palo Alto TS Agent.
  • Open Services.
  • Stop the PAN Terminal Server Agent service.

Read More Read More

Palo Alto Device Certificate

Palo Alto Device Certificate

Palo Alto Networks firewalls often require a device certificate. A device certificate is needed for items like device telemetry and for some of the CDSS (Cloud-Delivered Security Services) items, such as WildFire, DNS and URL filtering, and others.

In this post, I show you step-by-step how to check if a device certificate is installed and how to install a device certificate on a Palo Alto Networks firewall.

Before we proceed with installing the device certificate, we should double-check whether the firewall already has one.

Checking Device Certificate

  • Log in to the Palo Alto Networks Firewall

CLI

  • To check if a device certificate is installed, run the following command show device-certificate status

If the result is No device certificate found, move ahead with installing the device certificate.

GUI

  • Click on Dashboard
  • The General Information widget will display the Device Certificate Status.

With the GUI, you can also check if a device certificate exists in another place.

  • Click on the Device tab.
  • Click on Setup.
  • The Management tab will have a widget about the Device Certificate.

If there is no device certificate installed, we can move ahead with installing the device certificate.

Installing Device Certificate

  • Log in to the Palo Alto Networks Customer Support Portal.
  • Click on Products > Device Certificates.
  • Under the One Time Password section, click on Generate OTP.

Read More Read More

Palo Alto User-ID Agent Upgrade

Palo Alto User-ID Agent Upgrade

Palo Alto Networks has this awesome program called the User Identification Agent, aka the User-ID Agent. It allows you to identify which device a user is using, allowing you to craft security policy rules based on the users themselves.

In this post, I will show you step-by-step how to upgrade the Palo Alto Networks User-ID Agent.

Prerequisites

  • Verify that the new User-ID agent version is compatible with your current PAN-OS.

The User-ID Agent is typically compatible with the same release number along with earlier still-supported PAN-OS versions. For example, User-ID agent 11.0 works with PAN-OS 11.0 and earlier. You can confirm this by reading the OS Compatibility section in the release notes.

The Process

  • Log in to the Palo Alto Networks Customer Support Portal.
  • Click on Updates.
  • Click on Software Updates.
  • Select the User Identification Agent.
  • Click on the version you need to start the download.
  • Connect to the server that is running the Palo Alto User-ID Agent.
  • Open Services.
  • Stop the User-ID Agent service.

Read More Read More

Palo Alto Private Data Reset with HA (Active/Passive)

Palo Alto Private Data Reset with HA (Active/Passive)

Sometimes, you need to do a quick factory reset on a Palo Alto Networks firewall. If you aren’t decommissioning the firewall, a Private Data Reset can be a faster way to accomplish similar results as a factory reset and can be done via CLI directly and could technically be done remotely with some coordination.

In this post, I will show you step-by-step instructions on how to perform a private data reset on a primary Palo Alto Networks firewall in an Active/Passive High Availability Pair using the GUI and the CLI.

The Process

HA Election Settings

If the HA election settings are set to preemptive, we need to disable that.

HA Election Settings GUI

  • On the Primary firewall, click on Device.
  • Click on High Availability
  • Uncheck Preemptive (if it isn’t selected, you don’t need to do anything)
  • Commit the changes

HA Election Settings CLI

  • SSH into the Primary firewall
  • Enter the configuration mode by running the command configure
  • Run the following command to output your HA election settings show deviceconfig high-availability group election-option

If preemptive is set to yes, make a note of that (if it isn’t selected, you don’t need to do anything)

Read More Read More

Securing GlobalProtect

Securing GlobalProtect

Out of the box, you can’t just add a Security Profile to the interface that runs GlobalProtect fortunately there’s a relatively easy way to do it with minimal impact to your existing GlobalProtect setup.

In this post, I will show you step-by-step how to secure GlobalProtect by adding protection with a Vulnerability Protection Profile or a Security Profile Group to an already existing GlobalProtect setup by using a loopback interface.

The Process

  • Log in to the Palo Alto Networks Firewall
  • Click on Objects
  • Click on Addresses
  • Add a new address for your loopback address

I will be using the address 192.168.187.2 for this example.

  • Click on Network
  • Click on Zones
  • Add a new Zone. I will be using the name GP-WAN. (This zone will be the zone allocated to the GlobalProtect loopback interface later on.)
    • Set the Type to Layer3
    • Select your Zone Protection Profile. In my case, I will use the one called Recommended_Zone_Protection
    • Select the option to Enable Packet Buffer Protection.
  • Click on Interfaces
  • Click on Loopback

Read More Read More

Policy Based Forwarding

Policy Based Forwarding

I needed to route an FQDN (Fully Qualified Domain Name) down an IPSEC VPN tunnel but couldn’t because it was an external address and the IP is dynamic so I wasn’t able to just make a static route to force it down the IPSEC VPN tunnel. To solve this I discovered something called policy based forwarding.

In this post, I will explain the setup and the reason for why I used policy-based forwarding to solve my problem and I will show step-by-step how to do all of this with a Palo Alto Networks firewall.

The Background

For the setup, Palo Alto Networks firewalls are being used. There are two sites the Head Office and the Data Center. There is an IPSEC VPN tunnel between both sites. The Data Center firewall also has various vendor IPSEC VPN tunnels.

The Head Office firewall has its own internet connection as does the Data Center firewall. The Head Office firewall is configured with static routes to only send traffic for the Data Center down the Data Center IPSEC tunnel. All other traffic goes out the Head Office WAN.

Configuring it this way allows for a very simple and basic SD-WAN type configuration, only essential traffic is sent down the Data Center IPSEC VPN tunnel freeing up the IPSEC tunnel from normal internet traffic that does not need to be routed to the Data Center.

The Problem

There are two vendors we’ll call them Vendor1 and Vendor2. Both of them have an Oracle database that users at the Head Office site need to connect to.

Vendor1 has an IPSEC VPN tunnel from the Data Center firewall to the firewall at Vendor1. The Oracle database on their end is on a private IP. All traffic from the Data Center to Vendor1 is NATed behind a specific IP. Vendor1 only allows connections that are from that NATed IP over the IPSEC VPN tunnel.

Vendor2 won’t set up an IPSEC VPN tunnel. The Oracle database for Vendor2 is an FQDN we’ll say that the FQDN is Oracle.Vendor2.com the resolving IP of that FQDN can and will change without notice. The only way users can connect to the Oracle database at Vendor2 is for Vendor2 to add the WAN IP to an allowed list on their side. This process is slow and doesn’t scale well. To help with this we can have Vendor2 add a specific WAN IP to their allow list that we can NAT our traffic to them behind.

Now this works for the most part when you tunnel all traffic from the Head Office to the Data Center firewall. The problem with this solution is that it can be very costly as you may need an E-Line/MPLS/VPLS connection back to the Data Center and depending on the location they can be very expensive. If the Head Office moves to a new physical location coordinating an E-Line/MPLS/VPLS move is not always the quickest option. Ideally, we want a solution that allows for flexibility.

Yes, you could IPSEC tunnel all the Head Office traffic back to the Data Center but why? Why would you want Microsoft 365 traffic and other normal internet traffic going down your Data Center IPSEC tunnel? This just adds unnecessary overhead and can cause slowness, especially today as so many applications are web-based.

The overarching problem in all of this is how to scale it without needing to reach out to the vendors to add a new IP to the allow list or to build a new IPSEC VPN tunnel.

The Solutions

The solution for Vendor1 is simple because it’s a private IP. We can just add a static route on the Head Office firewall telling it to go down the Data Center IPSEC VPN tunnel and out the Vendor1 IPSEC tunnel from the Data Center.

Read More Read More

Upgrade Palo Alto HA Pair (Active/Passive) with CLI

Upgrade Palo Alto HA Pair (Active/Passive) with CLI

I’m a big fan of CLI, I love to use it when I can, it always feels more complete and absolute. A while back I posted how to Upgrade Palo Alto Firewall HA Pair (Active/Passive) in that post I only covered the GUI method this post will detail how to complete everything with CLI only.

Here is step-by-step how to upgrade a Palo Alto Networks firewall in an Active/Passive High Availability Pair with CLI only.

In my example, I am running a Palo Alto Active/Passive HA pair. The firewall named DXT-FW-PA01 is the primary firewall and is the currently Active firewall. The firewall named DXT-FW-PA02 is the secondary and Passive firewall. Both are running PAN-OS 10.2 version 10.2.3. I will be upgrading them to PAN-OS 11.0 version 11.0.2-h2 which is the current preferred release for that version.

The Process

Confirm Upgrade Path

  • You always need to do every PAN-OS update as in you can’t jump from 9.1 to 11.0 you need to do 10.0 then 10.1 then 10.2 then 11.0
  • Check your upgrade path with Palo Alto’s documentation. Here is the upgrade path to PAN-OS 11.0.
  • Check what the preferred releases are for your upgrade path. You can do that here. (You will need a Palo Alto support account to access the link)

Review Release Notes

Review Upgrade/Downgrade Considerations

Upgrade Checklist

Check Content Updates

  • Connect to the currently Active firewall with SSH.
  • Run the following command to list out the PAN-OS version you are running along with the hostname and application and threat content versions.  show system info | match sw\|hostname\|app\|threat

Read More Read More

Palo Alto Config Set Commands

Palo Alto Config Set Commands

By default Palo Alto Networks firewalls export their configuration as an XML file which is great however, I’m more used to set commands such as the ones commonly used in switches. Fortunately, there’s a way to have the best of both worlds.

In this post, I’ll show you step-by-step how to output the Palo Alto running config to set commands and show a way to export it.

The Process

  • Connect to the firewall with SSH (I’ll be using PuTTY)
  • Run the following command to change the command output from XML to set commands set cli config-output-format set
  • Enter the configuration mode by running the following command configure
  • Now when you run the show command it will show you the set command versions of the configuration.

Exporting

I wasn’t able to find a way to easily export the running config of PAN-OS in the set format without using paid tools like Kiwi CatTools however, I did find a workaround by using PuTYY logging.

Read More Read More

FortiGate Policy Mode vs Profile Mode

FortiGate Policy Mode vs Profile Mode

By default all Fortinet FortiGates are in Profile-based NGFW mode. There is nothing wrong with the default mode. However, I personally prefer policy mode more.

Profile mode works like most firewalls like SonicWall, pfSense and UniFi for example. All your rules are based on ports.

Policy mode works like Palo Alto Networks firewalls. All your rules are only based on ports if you define them but where the real power comes in is application based rules.

To better show the differences here’s an example. I am using Central SNAT in profile mode to keep it as similar as possible to Policy mode.

The Setup

  • VLAN for the Guests network and the IoT network and they are on a tagged interface.
  • The Corp network is untagged on interface x1.
  • An object exists for the entire Guest LAN and the entire IoT LAN. I’ve colored them blue.
  • An object exists for the DHCP server on the Corp network. I’ve colored it green.
  • I will make a rule to allow the Guest and IoT network to talk to the DHCP server on the Corp network to get a DHCP address.

Profile Mode

In profile mode I will build the Firewall Policy rule like this.

  • Name: Allow DHCP
  • Incoming Interface: Guests and IoT
  • Outgoing Interface: Corp
  • Source: Object for the Guest LAN and IoT LAN
  • Destination: Object for the DHCP server on the Corp LAN
  • Service: DHCP and DHCP6

Here is what that rule looks like.

Read More Read More