Friday 21 April 2023

winrm / ldaps setup on palo alto firewall

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMgiCAE


Generate a self-signed CA on the Palo

fw-ldap.domain.int

Now generate a cert for the DC

DCHOST.domain.int (signed by the self-signed CA we just made)

Export the DC cert as PKCS12 and give it a password

Import it on the DC into the Local Computer certificate store

winrm quickconfig

winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="DCHOST.domain.int";CertificateThumbprint="1x1x1x1x1x1x1x1x1x1x1x1x1x1x1"}'


winrm get winrm/config/client/Auth

Look for Basic = true
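The DC-side steps above done from PowerShell, as an added example that is not part of the original notes: the PFX path is a placeholder, the hostname is the one used on this page, and the thumbprint is read from the imported cert instead of being typed in.

```powershell
# Added example (not from the original notes). Assumes the PFX exported from the
# firewall has been copied to the DC at the placeholder path below.
$hostFqdn = "DCHOST.domain.int"
$pfxPath  = "C:\certs\DCHOST.domain.int.pfx"      # placeholder path
$pfxPass  = Read-Host -AsSecureString "PFX password"

# Import the DC cert (plus private key) into the Local Computer Personal store
$cert = Import-PfxCertificate -FilePath $pfxPath `
        -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass

# Sanity check before binding: the cert must carry the DC's FQDN and a private key
if (-not $cert.HasPrivateKey) { throw "Imported cert has no private key" }
if ($cert.Subject -notmatch [regex]::Escape($hostFqdn)) {
    Write-Warning "Cert subject '$($cert.Subject)' does not contain $hostFqdn"
}

# Enable the WinRM service and create the HTTPS listener bound to that cert
winrm quickconfig -q
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -HostName $hostFqdn -CertificateThumbPrint $cert.Thumbprint -Force

# Verify: the listener exists and client Basic auth is enabled (the "Basic = true" check)
winrm enumerate winrm/config/Listener
(Get-Item WSMan:\localhost\Client\Auth\Basic).Value
```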


Palo FW setup

Device >User Identification >User Mapping >Palo Alto Network User-ID Agent Setup >Server Monitor Account.


It seems there are 2 parts

1 - AD user group download from AD (uses LDAP/LDAPS) so we can use groups in ACLs etc

2 - Server monitoring of the security log to watch logins and build user -> IP mappings


WMI seems to be totally broken

Move to WinRM + HTTP + Kerberos (Kerberos is still encrypted)


Needed to add extra AD groups

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VUICA2

  • Distributed COM Users
  • Event Log Readers
  • Remote Management Users
  • Server Operators
  • WinRMRemoteWMIUsers__

Thursday 13 April 2023

asa keeps booting into rommon mode

I set the boot system to the new bin file but it still boots into rommon mode

The config register was set like this, which is boot from TFTP

I set config-register 0x1 and then need to reload

Configuration register is 0x2102 (will be 0x1 at next reload)


Tuesday 11 April 2023

patching methods

We know that always patching everything all the time is best, but real-world constraints lead customers to take different paths. Some patching methods are below.

1 – Always patch to the latest release (best security)

  • Pro: Latest security patches
  • Con: Latest release, so largely untested; could hit new software bugs which can cause outages.

2 – Patch to the vendor's suggested release (most stable)

  • Pro: Usually stable as it has been deployed for some time; fewer software bugs as they will have been patched out over time.
  • Con: You don't get the latest security patches, which could lead to a system being compromised.

3 – Mixed method

Patch internet-facing systems like firewalls/DMZ servers etc to the latest release but leave LAN and other non-critical systems/systems with no internet access. Those systems could be left unpatched unless there is an issue, or patched to the suggested/stable release on a longer patching cycle.


  • Pro: The most critical and most likely to be compromised systems are kept on the latest release.
  • Con: Due to the above, you may hit new software bugs on your most critical systems which can cause outages.
  • Pro: You are not expending limited IT time on patching non-critical systems.
  • Con: The non-critical systems are not kept on the latest release, which could lead to a system being compromised from the inside. For example a compromised laptop enters the LAN and is able to leverage

Exceptions

There are some exceptions like hospital equipment where we cannot patch. For example the x-ray machine won't work with Windows 10. In these rare exceptions, extra security should be added. For example isolating them from your main network and removing internet access, locking down user access to the devices etc, adding 2FA if possible and more network visibility like syslog/SIEM/SOC. Some IT departments won't install a patch until it's at least 6 months old; their focus here is availability over security. They want their servers up and working on business tasks. That is a business risk they are willing to take. Other orgs may be more security focused.


Patching

Is a business decision that is up to the customer. There are pros and cons with every patching strategy. I'll detail them below and you can make the decision that works best for you.

With brand new software there is the risk of new bugs/vulns that haven't been seen yet, but on the pro side you get the latest security/bug fixes/features. You will also be in a good position if something does go wrong: TAC can't ask you to upgrade because you are already on a recent version.

  • Latest release from palo: 11.2.0
  • The preferred release advised by palo alto is 11.1.2.
  • Your FW is running 11.0.4-h1.


The 3 main approaches we see in the wild:

1 - Try to stay on latest release
For customers concerned about security issues, who choose security over connectivity/availability. They want the latest security and software feature patches. They accept the risk that there may be new bugs/issues sometimes and are ok with doing more reboots, patching etc.
  • Pro: Get the latest patches and features
  • Con: Untested in the wild, could have new bugs/vulns, more patching, more downtime, more risk etc

Some customers would wait for the first patch in a new version for example when 11.2.0 comes out, wait for the next patch in that version before upgrading for example 11.2.0-h1.

2 - Try to stay on preferred release (I would advise this for most customers)
For customers who want a balanced approach, get good security patches and good connectivity/availability.

  • Pro: A recent version of the software with almost all patches and features, considered stable
  • Con: Not the very latest bleeding edge software, more patching/risk than next method

3 - Stay on current version unless affected by a security issue or bug, then upgrade to latest hotfix
For customers more concerned with connectivity/availability. These customers want to keep systems up and running for users with minimal interruptions; they take the risk of falling behind on security/feature/bug fixes but will handle them as they come.
  • Pro: Less downtime/patching risk
  • Con: You can fall behind in patches, which can make upgrading later a bigger job

Palo are a bit different from other vendors in that they only support the current and last major release. This is to reduce their workload when they need to deliver security patches quickly when an issue is discovered, and also to encourage customers to keep relatively up to date. For example when version 12 comes out, version 10 will no longer be supported but 12 and 11 will.

With all that in mind let me know which option you want to go ahead with:
  • 1 - Schedule upgrade to latest release
  • 2 - Schedule upgrade to preferred release
  • 3 - Stay on latest hotfix in the current software version