Palo Alto Networks Setup Features: SSL VPN

Despite all the advantages of Palo Alto Networks firewalls, there are not many materials on the Internet on configuring these devices, as well as texts describing the experience of their implementation. We decided to summarize the materials we have accumulated while working with the equipment of this vendor and talk about the features that we encountered during the implementation of various projects.

For an introduction to Palo Alto Networks, this article will look at the settings required to solve one of the most common firewall tasks, SSL VPN for remote access. We will also talk about helper functions for general firewall configuration, user identification, application and security policies. If the topic is of interest to readers, in the future we will release materials with an analysis of Site-to-Site VPN, dynamic routing and centralized management using Panorama.

Palo Alto Networks firewalls use a number of innovative technologies, including App-ID, User-ID, Content-ID. The use of this functionality allows you to provide a high level of security. For example, using App-ID it is possible to identify application traffic based on signatures, decoding and heuristics, regardless of the port and protocol used, including inside an SSL tunnel. User-ID allows you to identify network users through integration with LDAP. Content-ID makes it possible to scan traffic and identify transferred files and their contents. Other firewall features include intrusion protection, protection against vulnerabilities and DoS attacks, built-in anti-spyware, URL filtering, clustering, and centralized management.

For the demonstration, we will use an isolated stand, with a configuration identical to the real one, except for the device names, AD domain name, and IP addresses. In reality, everything is more complicated - there can be many branches. In this case, instead of one firewall, a cluster will be installed at the boundaries of the central sites, and dynamic routing may also be required.

The stand uses PAN OS 7.1.9. As a typical configuration, consider a network with a Palo Alto Networks firewall at the edge. The firewall provides remote SSL VPN access to the head office. The Active Directory domain will be used as the user database (Figure 1).

Figure 1 - Block diagram of the network

Setup steps:

  1. Device preset. Setting Name, Management IP Address, Static Routes, Administrator Accounts, Management Profiles
  2. Installing licenses, configuring and installing updates
  3. Setting up security zones, network interfaces, traffic policy, address translation
  4. Configuring the LDAP Authentication Profile and User Identification
  5. Configuring an SSL VPN

1. Preset

The main tool for configuring the Palo Alto Networks firewall is a web interface, and management via the CLI is also possible. By default, the management interface has the IP address 192.168.1.1/24, login: admin, password: admin.

You can change the address either by connecting to the web interface from the same network or with the CLI command set deviceconfig system ip-address <> netmask <>, which is run in configuration mode (enter it with the command configure). Changes on the firewall take effect only after they are confirmed with the command commit, both in the CLI and in the web interface.

To change settings in the web interface, use the section Device -> General Settings and Device -> Management Interface Settings. The name, banners, time zone and other settings can be set in the General Settings section (Fig. 2).

Figure 2 - Control interface parameters

If a virtual firewall is used in an ESXi environment, you need to either enable the use of the hypervisor-assigned MAC address in the General Settings section, configure the MAC addresses specified on the firewall interfaces on the hypervisor side, or change the virtual switch settings to allow MAC address changes. Otherwise, traffic will not pass.

The management interface is configured separately and is not shown in the list of network interfaces. The Management Interface Settings section specifies the default gateway for the management interface. Other static routes are configured in the virtual routers section, which is discussed later.

To allow access to the device through other interfaces, create a Management Profile in the section Network -> Network Profiles -> Interface Mgmt and assign it to the appropriate interface.

Next, configure DNS and NTP in the section Device -> Services so that updates can be received and the time is displayed correctly (Fig. 3). By default, all traffic generated by the firewall itself uses the IP address of the management interface as its source address. A different interface can be assigned for each specific service in the section Service Route Configuration.

Figure 3 - Parameters of DNS, NTP services and system routes

2. Installing licenses, setting up and installing updates

For full operation of all firewall functions, a license must be installed. You can use a trial license by requesting it from Palo Alto Networks partners; it is valid for 30 days. The license is activated either from a file or with an Auth-Code. Licenses are configured in the section Device -> Licenses (Fig. 4).
After installing the license, configure the installation of updates in the section Device -> Dynamic Updates.
In the section Device -> Software you can download and install new versions of PAN-OS.

Figure 4 - License control panel

3. Setting up security zones, network interfaces, traffic policy, address translation

Palo Alto Networks firewalls use zone logic when configuring network rules. Network interfaces are assigned to a specific zone, and that zone is used in the traffic rules. With this approach, later changes to interface settings do not require changing the traffic rules; instead, the necessary interfaces are reassigned to the appropriate zones. By default, traffic within a zone is allowed and traffic between zones is denied; the predefined rules intrazone-default and interzone-default are responsible for this.

Figure 5 - Security zones

In this example, the interface on the internal network is assigned to the zone internal, and the interface directed to the Internet is assigned to the zone external. A tunnel interface has been created for SSL VPN and assigned to the zone vpn (Fig. 5).

Palo Alto Networks firewall network interfaces can operate in five different modes:

  • Tap - used to collect traffic for monitoring and analysis
  • HA - used for cluster operation
  • Virtual wire - in this mode, Palo Alto Networks combines two interfaces and transparently passes traffic between them without changing MAC and IP addresses
  • Layer2 - switch mode
  • Layer3 - router mode

Figure 6 - Setting the interface operation mode

In this example, Layer3 mode will be used (Fig. 6). The network interface parameters specify the IP address, the operating mode, and the corresponding security zone. In addition to the operating mode, the interface must be assigned to a Virtual Router, which is the Palo Alto Networks analogue of a VRF instance. Virtual routers are isolated from each other and have their own routing tables and routing protocol settings.

The virtual router settings specify static routes and routing protocol settings. In this example, only the default route for accessing external networks has been created (Figure 7).

Figure 7 - Configuring a virtual router

The next configuration step is the traffic policy, section Policies -> Security. An example is shown in Figure 8. The rule logic is the same as on any firewall: rules are checked from top to bottom until the first match. Brief description of the rules:

1. SSL VPN Access to Web Portal - allows access to the web portal for authenticating remote connections
2. VPN traffic - allows traffic between remote connections and the head office
3. Basic Internet - allows the dns, ping, traceroute and ntp applications. The firewall identifies applications by signatures, decoding and heuristics rather than by port number and protocol, which is why the Service column says application-default: the application is allowed only on its default port/protocol
4. Web Access - allows Internet access via the HTTP and HTTPS protocols without application control
5, 6. Default rules for other traffic.

Figure 8 - An example of configuring network rules
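The first-match, zone-based logic of the rules above, as an added example that is not part of the original article: a small Python model of the six rules of Figure 8 plus the predefined intrazone-default and interzone-default rules, including the difference between application-default and a port-based service. The zone and application assignments per rule and the App-ID default ports are assumptions made for this demo.

```python
from dataclasses import dataclass, field

# App-ID default ports (assumed demo values; port-less apps such as ping use None).
APP_DEFAULT_PORTS = {"dns": {53}, "ntp": {123}, "web-browsing": {80},
                     "ssl": {443}, "ping": {None}, "traceroute": {None}}

@dataclass
class Rule:
    name: str
    src: set                      # source zones, {"any"} matches every zone
    dst: set                      # destination zones
    apps: set = field(default_factory=lambda: {"any"})
    service: object = "any"       # "any", "application-default" or a port set
    action: str = "allow"
    same_zone_only: bool = False  # behaviour of the predefined intrazone-default

    def matches(self, src_zone, dst_zone, app, port):
        if self.same_zone_only and src_zone != dst_zone:
            return False
        if "any" not in self.src and src_zone not in self.src:
            return False
        if "any" not in self.dst and dst_zone not in self.dst:
            return False
        if "any" not in self.apps and app not in self.apps:
            return False
        if self.service == "application-default":
            # the app is allowed only on its own default port, not on any port
            return port in APP_DEFAULT_PORTS.get(app, set())
        if isinstance(self.service, set):  # classic port-based service
            return port in self.service
        return True

# Figure 8 rules in order plus the two predefined rules; zones/apps per rule are assumed.
POLICY = [
    Rule("SSL VPN Access to Web Portal", {"external"}, {"external"},
         {"ssl", "web-browsing"}, "application-default"),
    Rule("VPN traffic", {"vpn", "internal"}, {"vpn", "internal"}),
    Rule("Basic Internet", {"internal"}, {"external"},
         {"dns", "ping", "traceroute", "ntp"}, "application-default"),
    Rule("Web Access", {"internal"}, {"external"}, service={80, 443}),
    Rule("intrazone-default", {"any"}, {"any"}, same_zone_only=True),
    Rule("interzone-default", {"any"}, {"any"}, action="deny"),
]

def evaluate(src_zone, dst_zone, app, port=None):
    """Walk the policy top to bottom; the first match decides (name, action)."""
    for rule in POLICY:
        if rule.matches(src_zone, dst_zone, app, port):
            return rule.name, rule.action
```

Note how dns on a non-default port from internal to external falls through to interzone-default and is denied, which is the effect of application-default the text describes.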

To configure NAT, use the section Policies -> NAT. An example of setting up NAT is shown in Figure 9.

Figure 9 - NAT setup example

For any traffic from internal to external, the source address can be changed to the firewall's external IP address with dynamic port translation (PAT).

4. Configuring the LDAP Authentication Profile and User Identification Function

Before connecting users via SSL VPN, you need to set up an authentication mechanism. In this example, authentication will be performed against the Active Directory domain controller and configured through the Palo Alto Networks web interface.

Figure 10 - LDAP profile

For authentication to work, you need to configure an LDAP Profile and an Authentication Profile. In the section Device -> Server Profiles -> LDAP (Fig. 10), specify the IP address and port of the domain controller, the LDAP type, and a user account that is a member of the groups Server Operators, Event Log Readers and Distributed COM Users. Then, in the section Device -> Authentication Profile, create an authentication profile (Fig. 11), select the previously created LDAP Profile and, on the Advanced tab, specify the group of users (Fig. 12) who are allowed remote access. It is important to set the User Domain parameter in the profile, otherwise group-based authorization will not work. The field must contain the NetBIOS domain name.

Figure 11 - Authentication profile

Figure 12 - AD group selection

The next step is the section Device -> User Identification. Here you specify the IP address of the domain controller and the credentials for the connection, and configure the settings Enable Security Log, Enable Session and Enable Probing (Fig. 13). In the Group Mapping section (Fig. 14), specify the parameters for identifying objects in LDAP and the list of groups that will be used for authorization. As in the Authentication Profile, the User Domain parameter must be set here.

Figure 13 - User Mapping Parameters

Figure 14 - Group Mapping Parameters

The last step of this stage is to create a VPN zone and an interface for this zone. On the interface, enable the Enable User Identification option (Fig. 15).

Figure 15 - Setting up a VPN zone

5. Set up an SSL VPN

Before connecting to the SSL VPN, the remote user must go to the web portal, authenticate, and download the Global Protect client. This client then asks for credentials and connects to the corporate network. The web portal works over https, so a certificate must be installed for it. Use a public certificate if possible; then the user will not receive a warning that the site's certificate is invalid. If a public certificate cannot be used, you need to issue your own certificate for the https web page. It can be self-signed or issued by a local CA. The remote computer must have the root certificate (or the self-signed certificate) in its list of trusted root certification authorities so that the user does not get an error when connecting to the web portal. This example uses a certificate issued by an Active Directory Certificate Services CA.

To issue a certificate, create a certificate request in the section Device -> Certificate Management -> Certificates -> Generate. In the request, specify the name of the certificate and the IP address or FQDN of the web portal (Fig. 16). After generating the request, download the .csr file and copy its contents into the certificate request field of the AD CS Web Enrollment web form. Depending on the certificate authority's settings, the request may have to be approved; the issued certificate must then be downloaded in the format Base64 Encoded Certificate. You also need to download the root certificate of the certification authority. Then import both certificates into the firewall. When importing the certificate for the web portal, select the request in the pending status and click import. The name of the certificate must match the name specified earlier in the request; the name of the root certificate can be chosen arbitrarily. After importing the certificate, create an SSL/TLS Service Profile in the section Device -> Certificate Management and specify the previously imported certificate in the profile.

Figure 16 - Request for a certificate

The next step is setting up the Global Protect Gateway and Global Protect Portal objects in the section Network -> Global Protect... In the Global Protect Gateway settings, specify the external IP address of the firewall, the previously created SSL Profile, the Authentication Profile, the tunnel interface, and the client IP settings. You need to specify a pool of IP addresses from which the client's address will be assigned, and the Access Route entries are the subnets to which the client will have a route. If the task is to send all user traffic through the firewall, specify the subnet 0.0.0.0/0 (Fig. 17).

Figure 17 - Setting up a pool of IP addresses and routes

Then set up the Global Protect Portal. Specify the IP address of the firewall, the SSL Profile and Authentication Profile, and the list of external firewall IP addresses that the client will connect to. If there are several firewalls, you can set a priority for each, according to which users will choose a firewall to connect to.

In the section Device -> GlobalProtect Client, download the VPN client distribution from the Palo Alto Networks servers and activate it. To connect, the user goes to the portal web page, where they are prompted to download the GlobalProtect Client. After downloading and installing it, the user can enter their credentials and connect to the corporate network via SSL VPN.

Conclusion

This completes the Palo Alto Networks setup part. We hope the information was useful and the reader got an idea of the technologies used in Palo Alto Networks. If you have questions about setting up and wishes on the topics of future articles - write them in the comments, we will be happy to answer.

Source: habr.com