swap mem 100% used on palo 400 series 450, 455

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sYzBCAU&lang=en_US%E2%80%A9

Palo on gave 400 series 1mb swap which is full when the device is on.

Swap (and other memory) can be cached/buffered for the kernel. Its not really used but ready to be used, it can be reclaimed by the system when needed.

Monitor physical memory instead (available memory is what you want to look at)

show system resources

hardening anyconnect ssl on cisco secure firewall 7.7

 Hardening

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Service access object (geo block anyconnect):

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222810-configure-geolocation-based-policies-for.html

Auto shun (flex config)

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222383-configure-threat-detection-for-remote-ac.html#toc-hId--1375473333

Threat detection service remote-access-authenticaiton hold-down 15 threshold 5

hold down - how long after the last failed attempt when new failures are counterd

thresthold - number of failed auths, if we fail login with in 5 mins 3 times

Show commands:

show threat-detection service remote-access-authentication

show threat-detection service remote-access-client-initiations

show threat-detection service invalid-vpn-access

Logs locations in FMC:

Some of them change depending on version of interface 

Cog (top right) > monitoring > syslog

Monitoring → VPN → Remote Access (anyconnect)

Analysis → Connections → Events (won't show auth success/failure here)

Health → Events (shows cpu/memory issues)

There is a unified log as well

Log level

FMC GUI → Devices → Platform Settings

syslog > logging

Syslog messages:

%ASA-6-113004: AAA user authenticated successfully

%ASA-6-113005: AAA user authentication Rejected

%ASA-4-722051: Group <group> User <user> IP <ip> Session connected

%ASA-6-722041: Session disconnected (reason...)

***

Enable Access Control Logging for VPN User Traffic

On the rule that allows anyconnect in (log at start/log at end/ send to FMC) (still won't show login attempts)

search messsage *x.x.x.x*

Ok so lessons learned there:

You won't see anything in analysis > connections > events (doesn't show ssl rejected stuff, only successful https etc connections)

SAML (staff profile) rejection was not showing in the logs. I will ask cisco about this maybe it's a different event ID or Duo doesn't send anytning back to the firewall when SAML fails. He could see it in Duo logs so was happy enough there.

AAA/radius (contractors profile) was where we saw the issues coming in.

We needed to enable informational level logging under devices > platform settings. (we hit a bug there it didn't set first time not sure what happened, I watched him set it so watch out for that)

Once we had informational we could see some stuff under the cog > monitor > syslog.

Filter "message" for *x.x.x.x* where x.x.x.x is the IP you are looking for

We saw ssl denied for the German IP based on geoblock

We saw username ***** denied from my UK IP

The username was hidden in the logs

Added flex config "no loggin hide username" cisco said you have to leave off the "g" loggin is not a typo

Shun settings were 20 failed logins in 10 mins, he said he had to set it high because users were actually typing password wrong 10 times so that is something he will have to live with. Attackers can still try from the approved IPs for 20 tries then get shun'd but at this stage they can change IP address and try again

*** SAML

SAML failed logins won't show in the FMC log in the same way. Best to review these in the SAML provider dashboard/logs (Duo/Azure etc). These logs can be forwarded from there to a central SIEM. Duo have a tool called duo log sync.

filter to include class “vpnc”, which outputs logs like:

%FTD-6-611102: User authentication failed: IP = IP address, Uname: user

Palo alto PCNSA notes

Palo alto firewall

Palo alto is next gen firewall with user-id and app-id. Dynamic lists/feeds (EDL) for blocking malicious traffic and allowing trusted traffic like azure and CDNs etc.

It can do its inspections on north/south traffic and east/west traffic.

It has IPS, URL, wildfire (unknown threats).

DNS sinkhole (DNS protection)

Advanced logging with cortex datalake (take in multiple log sources and apply machine learning)

Platforms

• Virtual machines for public and private cloud (you control the VM)
• Prisma access (hosted cloud based firewall as a  service)
• Physical devices (physical boxes to install on site)

https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations

SP3

Single pass simultaneous traffic inspection, classification and enforcement in one pass

Traffic 

Control plane

• config 
• logging 
• reporting 

Data plane

• Signature matching 
• security and network processing 

Management options

• Web interface HTTPS over the network or MGMT port
• CLI via SSH over the network or via console cable
• Panorama - centralized platform for managing multiple firewalls. Good for MSP. 6+ devices.
• API - XML REST based API. Good for automation and network programming

The management GUI on box help

There is an onbox documentation, usually in the top right

ACC - Application Command Centre

Analytical tool to provide actionable intelligence about network activity. Shows trends etc.

Monitor tab

• Live logs
• Reports

Policies 

• Firewall / NAT rules etc

Objects

• Setup objects for use in policies

Network

• data plane interfaces and zones
• VPN related items

Device

• General settings
• Management interface
• User accounts
• Licenses
• Config backup

Management port is part of the control plane

Default 192.168.1.1/24

HTTPS

default user: admin/admin

We can disable it if needed and use network interface

By default dataplane ports won't accept mgmt packets

Service routes

For all items we need to reach out of the firewall for eg radius / log forwarding etc. 

By default it will use the mgmt port

Device > Setup > Services > Service Router Configuration > Customize 

CLI modes

• Operational - basic network commands: ping traceroute, show, debug
• Configuration - configure command, now you can make changes
• Similar to cisco in that regard

CLI enhancements

• User find to figure out the command syntax
• use ? to get help
• User tab to autocomplete
• Use | pipe with match or except for output filtering

ping "tab"

We will sett options with symbols

+ count - plus means it needs a value

* host - * means its required

> - means you will have more options after

ping host 1.1.1.1

tail - useful for log messages

set is how we do some config 

show is how we show the config

Find all the commands related to the network

find command keyword network

W can see ethernet is under interface under network. To change ethernet1/1 from cli we need to use:

set network interface ethernet1/1

CLI is good for checking and debugging but most config will be done via CLI now

Firewall maintenance

Config files

Running config (running-config.xml)

sits in the dataplane and this one controls the firewall behaviour

When the firewall reboots this config is loaded when it boots up 

Candidate configuration (snapshot.xml)

Separate file/space in memory to store temporary configuration in the control plane

Its config we have configured but have not deployed yet. 

When we do a commit its merged into running config.

Saving the candidate config doesn't commit the changes

Candidate config is the running config + the new changes

Commit command merges the changes from candidate config into running config

New updated running config has the new changes

We can revert to last saved conf

Replaces current candidate config with a saved candidate config file

We can revert to running config (probably will use this one most)

Get rid of un-commited changes

Load 

over writes with a file saved earlier (usually from a backup, used when restoring) 

Save

Can save a named config snapshot.

Export

Export a named config (backup)

Dynamic updates

• Make sure these are enabled and auto downloading / installing 
• Antivirtus / Wildfire 
• Apps and threats 
• Global protect HIP
• PAN-DB URL filtering (may use umbrella instead)

Palo alto policy types

• Security (firewall rules etc)
• NAT (global NAT, NoNats, public NATs etc)
• QoS (voice QoS)
• Policy based forward (PBR)
• Decryption (SSL)
• Authentication ( radius / SAML etc)
• DoS protection 
• Tunnel Inspection
• SD-WAN

Palo alto works like ASA

works from top to bottom

when rule is match traffic is dispatched 

it doesn't check any futther rules

Security policies

• The primary traffic control tool
• Block rules at top like block lists, implicit deny at the bottom.
• Add the most specific rules at the top

IntERzone vs IntRAzone

• IntRAzone (same zone)
• IntERzone (lan to dmz)
• Universal (interzone + intrazone combined)

Application/Service 

• select (pick which ports)
• any (allow HTTP on any port for example)
• application-default (web-browsing only allowed on default ports 80/443 but not 8881)

Generally we don't want to allow apps on lots of ports but some custom applications run HTTP etc on non standard ports.

• applicaiton-default - use this where we can as first preference
• select - in edge cases we can config the specific ports. Second choice.
• any - only for testing or we can't get it working any other way. Last resort.

Default rules can be changed by using the override button.

Policy objects / groups

Its efficient to group items into groups so later the groups can be updated but your firewall rules can remain unchanged.

Security profiles

ping command source from inside to host

ping source 192.168.10.100 host 192.168.10.50

however if the clients try to ping the firewall it will fail by default. We would need to create a management profile, allow ping and apply it to that interface.

ACLs can be found under

Policies > Security 

We can see applications ping and icmp

icmp is for the full protocol (except for ping)

ping is the ping app which is under icmp protocol

How to block web comms to a specific IP