Monday, July 31, 2017

Palo Alto Networks - Tags, Dynamic Address Objects, and Policy Automation

Palo Alto Networks offers a variety of ways to automate configuration tasks. One of these ways is through the concept of tags. Tags allow administrators to group and visually distinguish objects within the PAN-OS GUI. A simple, real-world example would be when you manage multiple networks that may dynamically change, and don't want to have to update configuration information in multiple areas.
  • Navigate to Objects -> Tags, and create a tag that references an address group.
  • Navigate to Objects -> Address Groups, and create a Dynamic Address Group that references the tag created in the previous step.
  • Navigate to Objects -> Addresses, and create address objects that reference the tag created in the first step.

You can now create policies that reference the Dynamic Address Group as a source or destination address. This means that moving forward, any policy changes (from an address object perspective) will be updated automatically via how tags are applied.
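As an added example that is not part of the original post, the following Python builds the PAN-OS XML API user-id message that registers (or unregisters) tags on IP addresses at runtime. A Dynamic Address Group whose match filter names that tag then picks the hosts up without a commit, which is how the group can follow a changing network. The IP addresses and tag names are constructed here, and actually sending the document (a type=user-id XML API request carrying an API key) is left out.

```python
import ipaddress
import xml.etree.ElementTree as ET


def build_uid_message(ip_tags, action="register"):
    """Build a PAN-OS user-id message that registers or unregisters tags on IPs.

    ip_tags: {"10.1.1.25": ["quarantine"], ...}  (constructed sample values)
    action:  "register" or "unregister"
    Returns the XML document as a string, ready to be sent as the 'cmd' parameter.
    """
    if action not in ("register", "unregister"):
        raise ValueError("action must be 'register' or 'unregister'")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    block = ET.SubElement(payload, action)
    for ip, tags in ip_tags.items():
        # Reject anything that is not a valid host address before it reaches the firewall.
        ip = str(ipaddress.ip_address(ip))
        entry = ET.SubElement(block, "entry", ip=ip)
        tag_el = ET.SubElement(entry, "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def tags_in_message(xml_text):
    """Parse a uid-message back into {ip: [tags]} so a payload can be checked before sending."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): [m.text for m in e.iter("member")] for e in root.iter("entry")}


if __name__ == "__main__":
    # Constructed example: tag one host so a DAG matching 'quarantine' isolates it.
    print(build_uid_message({"10.1.1.25": ["quarantine"]}))
```

The same document with action="unregister" removes the tag again, which is how the host leaves the group once it has been remediated.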

Wednesday, July 19, 2017

Palo Alto Networks - Bing Safe Search Options

Safe Search allows administrators to block explicit content. This is especially important in educational institutions (e.g., K-12). Palo Alto Networks offers multiple ways to enforce this feature. However, each of these options requires implementing SSL Forward Proxy, as most search engines now use SSL. That being said, Bing does not adhere to the safe search settings over SSL, so the Palo Alto Networks documentation recommends disabling SSL for Bing searches. For some organizations, this may not be a viable option. Luckily, Bing currently offers a DNS method that can be used to ensure that safe search is enforced over SSL. It is recommended to use SSL Forward Proxy on the Palo Alto Networks firewall in conjunction with this method so that you have full control and visibility into user searches. Below are the DNS Proxy configuration steps for the firewall if public DNS servers are in use in the environment. Keep in mind that the same objective can be accomplished via an internally managed DNS server, outside of the firewall configuration.

Navigate to Network -> DNS Proxy. Define your servers and the interfaces on which you would like to leverage DNS Proxy.

In the Static Entries tab, define specific FQDNs that you would like to map to specific IP addresses. As you will see below, Bing has an IP specified to enforce Safe Search (you can do an nslookup to verify the current IP that maps to restrict.bing.com).

Navigate to Device -> Setup -> Services -> Service Route Configuration, and select DNS. Verify the interface that is assigned. In my case, it is my trust interface.

Navigate to Policies -> Security. Create a security policy that only allows DNS for the source address specified in the Service Route Configuration. This will ensure that an end user will not be able to enter other DNS servers and successfully bypass your static entries. We are explicitly allowing only the firewall, and all else is denied (assuming you don't have an "allow all" policy configured below this rule).

Upon testing, you will find that safe search is enforced. It should be noted that, as part of my configuration, I have followed the Palo Alto Networks best practice of blocking all search engines except Google, Bing, and Yahoo, so that I can be more granular about how users on my networks perform searches. This step is optional, but I recommend it because it makes things easier to control.

Wednesday, March 22, 2017

Palo Alto Networks - Clientless VPN and RDP

With the 8.0 release of the PAN-OS operating system, the ability to access applications via web portal has now been added. This is sometimes referred to as "Clientless VPN." Prior to this release, some existing Palo Alto Networks customers may have been hesitant to fully migrate away from point products like PulseSecure or Aventail because they offer pretty robust capabilities around Clientless VPN. Although this capability is still relatively new to the platform and additional features will be added over time, I thought I would highlight how one can currently leverage Clientless VPN for remote access to a desktop.

In its current state, the Palo Alto Networks Clientless VPN supports access to internal applications via web browser. Because Apache Guacamole delivers remote desktop sessions over HTML5, it can be published through this portal, and that is the application we will use in this scenario.
  • Chase Wright has a fully scripted version of the Apache Guacamole install for Ubuntu here. Just in case his site is not accessible for some reason, here are some of the details (I would recommend viewing all details/comments on his site):
    • The following will install Guacamole 0.9.11, Tomcat 8, and MySQL for you. All you have to do is pick a MySQL root password and change the guacamole_user password.
    wget https://raw.githubusercontent.com/MysticRyuujin/guac-install/master/guac-install.sh
    chmod +x guac-install.sh
    apt-get update
    apt-get -y install dos2unix
    dos2unix guac-install.sh
    ./guac-install.sh
    • You will be prompted to enter passwords for MySQL.
    • Reboot once the install is complete.
    • Once rebooted, navigate to the GUI (http://<IP address of Ubuntu machine>:8080/guacamole)
      • user: guacadmin
      • password: guacadmin
    • Within the GUI, you can add multiple users, as well as add connection types, like RDP.
  • Within the firewall, we will build upon my first GlobalProtect post, by adding Clientless VPN functionality.
    • Navigate to Network -> GlobalProtect -> Clientless Apps -> Add
      • Enter a Name for the Clientless Application
      • Enter the Application Home URL
        • This is the URL of the Apache Guacamole server
      • Click OK
    • Navigate to Network -> GlobalProtect -> Portals -> (Select the portal) -> Clientless VPN -> General
      • Enable the Clientless VPN
      • Enter a Hostname
        • This should be the FQDN or IP address of the GlobalProtect Portal
      • Select a Security Zone
        • To keep things simple in this example, I have selected the zone in which the Clientless Application resides
      • Select a DNS Proxy
        • For more information on how to configure DNS Proxy, see this post
    • Navigate to the Applications tab and select Add.
      • Enter a Name
      • Select the Application that was previously created
      • Click OK
    • Click OK
    • Commit the configuration
  • You can now test remote access to the application via Clientless VPN by navigating to the FQDN/IP of the GlobalProtect Portal (https://<FQDN or IP>/)
  • Once logged in, there will be an option to select the application
  • Upon selecting the application, you will be redirected to the Apache Guacamole login page, and upon logging in, you will have successfully established an RDP session through your web browser

Wednesday, March 8, 2017

Palo Alto Networks - How to Import Address Objects from a .csv File

Although there are a variety of ways to accomplish this task, I thought I would put together a quick script to satisfy this particular requirement.

Let's say you are trying to migrate from a firewall that isn't supported by the Migration Tool, and you have thousands of address objects. What would be a simple way to get this data imported into a Palo Alto Networks firewall from a .csv file?

Step 1:

Install Python and Jinja2 (easy_install jinja2 or pip install jinja2) on a machine (I did this on a VM running Ubuntu). Create a directory somewhere on the machine for the files you will be creating.

Step 2:

Rename your existing .csv file to "device_data.csv". Here is an example.

Step 3:

Create a jinja2 file called "conf_template.j2" with the configuration parameters and variables that reference each column in the .csv file. Here is an example.

Step 4:

Create a python script called "make_config.py" so that upon execution it will use the information from your jinja and csv files to create a configuration file. Here is an example.

Step 5:

Place all three files (.csv, .j2, and .py) in the directory you previously created.

Step 6:

Open the terminal and navigate to the directory where the files are stored (in Ubuntu, cd ~/Desktop/scripts/address-objects/)

Step 7:

Run the script (in Ubuntu, sudo python make_config.py). This will produce a file in the same directory called "address_objects.conf". Here is an example.

Step 8:

Open the "address_objects.conf" file and copy and paste the contents into the CLI of the firewall. Don't forget to commit the configuration.

In summary, this methodology can be applied in a variety of scenarios (here is one example), but the main goal is to save time and avoid doing things manually.
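Added example (not the author's make_config.py; it uses Python's built-in string formatting in place of the Jinja2 template so it runs with the standard library alone): it reads rows in a constructed device_data.csv layout of name, ip, description and tag, validates each address before it becomes a set command, and also emits the tag and Dynamic Address Group objects described in the Tags post above, so the imported objects land in a group that policy can reference.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape assumed for device_data.csv:
# one row per address object, plus the tag a Dynamic Address Group will match on.
SAMPLE_CSV = """name,ip,description,tag
web-01,10.10.1.10/32,Public web server,dmz-servers
web-02,10.10.1.11/32,Public web server,dmz-servers
lab-net,10.20.0.0/24,Student lab subnet,lab-networks
bad-row,10.10.1.999/32,Typo in the address,dmz-servers
"""


def render_address_config(csv_text, group_name="DMZ-Servers", group_tag="dmz-servers"):
    """Turn CSV rows into PAN-OS configure-mode 'set' commands.

    Emits the tags first (objects reference them), then one address object per
    valid row, then a Dynamic Address Group whose filter matches group_tag.
    Returns (commands, rejected): bad rows are reported, not pasted into the CLI.
    """
    commands, rejected, tags = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            # Validate the address/prefix before it reaches the firewall.
            addr = ipaddress.ip_interface(row["ip"]).with_prefixlen
        except ValueError as exc:
            rejected.append((row["name"], str(exc)))
            continue
        tags.add(row["tag"])
        commands.append(f'set address {row["name"]} ip-netmask {addr}')
        commands.append(f'set address {row["name"]} description "{row["description"]}"')
        commands.append(f'set address {row["name"]} tag [ {row["tag"]} ]')
    tag_cmds = [f"set tag {tag} color color1" for tag in sorted(tags)]
    # The match filter quotes the tag name; tag membership, not the object list, drives policy.
    dag_cmd = f"set address-group {group_name} dynamic filter \"'{group_tag}'\""
    return tag_cmds + commands + [dag_cmd], rejected


if __name__ == "__main__":
    lines, bad = render_address_config(SAMPLE_CSV)
    with open("address_objects.conf", "w") as fh:  # paste this file into the firewall CLI
        fh.write("\n".join(lines) + "\n")
    for name, why in bad:
        print(f"skipped {name}: {why}")
```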

Thursday, January 26, 2017

Palo Alto Networks - Application Prioritization

In many customer environments, administrators may not have the approval from management to block specific applications that are considered to be bandwidth intensive (e.g., Netflix). This is particularly evident in the education vertical. Fortunately for Palo Alto Networks users, QoS Policies are a very flexible way of throttling or prioritizing traffic based on application, users, URL category, etc. This feature eliminates the need for third-party packet shaping or QoS for traffic traversing the network segment where the Palo Alto Networks firewall is deployed. Here is a configuration example based on the Netflix example above:
  • Navigate to Network -> Network Profiles -> QoS Profile -> Add and create a QoS Profile. You can create up to 8 queues. In our example, we will just create one.

In the example above, we have an Egress Max of 100Mbps because that is the size of our WAN interface. We added class1 and assigned it an Egress Max of .01 Mbps. Essentially, even though the traffic is allowed, the application itself won't work.
  • Navigate to Network -> QoS -> Add and configure QoS for the appropriate interface(s).

In the example above, we have an Egress Max of 100Mbps because that is the size of our WAN interface. We select ethernet1/2 for the Interface Name because this is our Trust interface. QoS is always applied to the egress interface for traffic. Since Netflix is a very download-intensive application, we will apply our Throttle Streaming Apps profile to this interface only.
  • Navigate to Policies -> QoS -> Add and configure a policy to identify the application and apply a specific QoS class.
In the example above, we are applying Class 1 to all Netflix traffic that originates from the Trust zone and is destined for the Untrust zone.

Once the changes are committed, you can then test and verify traffic classification by navigating to Network -> QoS -> Statistics.