Thursday, 27 November 2025

disable palo gp web page

 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbpCAC


1. In the WebGUI, go to Network > GlobalProtect > Portals > GlobalProtect Portal > Portal Configuration.

2. On the Portal Configuration tab > Appearance > select 'Disable login page'.

After this configuration is committed, the GlobalProtect portal page will instead return a '404 page not found' error message.


Hide the login page:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NEoCAM

Tuesday, 25 November 2025

new user ID agent passive identity agent (PIA) for cisco firepower FMC

 https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/m_user-control-with-the-passive-identity-agent.html#deploy-the-passive-identity-agent

Monday, 3 November 2025

getting started palo alto

Classic firewalls were L3/4

L3 - ip addresses
L4 - TCP/UDP

Stateful firewall: if traffic is allowed out, the reply traffic is allowed back in.

Next gen features
User based rules
URL filtering (previously done by a proxy server)
Firewall learns about new viruses / malware and blocks them
Deep packet inspection, looking at the application layer
Facebook is ok but block Facebook Messenger
SSL decryption


Getting management access
They seem to take a while to fully boot up after showing the login: prompt; wait a while before trying the default username/password.

Two options: CLI and web access
Physical boxes will have a console port and a MGMT port
Default IP is 192.168.1.1
Default username/password: admin/admin
Change your IP, gateway, DNS

Console overwriting itself
Had an issue where I couldn't read output from the CLI; these commands fixed it:
set cli terminal height 500
set cli terminal width 500


CLI initial config of management port
  • Set the default gateway to the core switch
  • Plug mgmt port into switch port on same VLAN as inside
  • Must have an SVI set up on the switch
  • For example give inside interface 10.0.1.1 and mgmt 10.0.1.2
configure
set deviceconfig system type static
set deviceconfig system ip-address 10.0.1.254 netmask 255.255.255.0
set deviceconfig system default-gateway 10.0.1.2
set deviceconfig system dns-setting servers primary 8.8.8.8
commit
exit

Committing config
You must type the commit command to apply the config.
Current config is what is running.
Candidate config is what has been changed but has not been committed yet.

ping host www.google.ie

Web interface 
https://10.0.1.254
Device -> Setup -> Interfaces
Might need to enable ping

Change DNS (DNS is important for the Palo to function correctly)
Device -> Setup -> Services

Service route configuration

NTP settings
Device > Setup
NTP settings are also not synced, so configure them on both palo1 and palo2.
Set the timezone as well.

Upgrading the software
Device -> Software
Check now
You need to upgrade through each major version 7.0 -> 7.1.x -> 8.1.0
Once in 8.1.0 you can go straight to 8.1.5 for example

Tap interfaces (monitor mode)
Set up SPAN ports on the switch and connect them to the firewall tap interface
Network -> Interfaces -> Ethernet
ethernet1/1 select interface type as "tap"

Virtual wire interfaces
Bump in the wire
Checks the traffic against security policies
Passes the traffic through without needing to configure an IP on each interface
Select the interface type "Virtual Wire"
Network -> Virtual wires
Add
vWire1
Select the interfaces you want to be part of it
commit

Layer 2 interfaces
You can configure interfaces as L2 interfaces and configure security zones. This is to avoid re-addressing the network. Again, set the interface type to Layer2.

Layer3 interfaces
Each interface has an IP address
Network -> Ethernet -> Ethernet1/1
Interface type = Layer3
Assign IP
Assign to security zone
Commit

Zone concepts and policies
Create sec zones like outside, dmz, wifi, inside
Assign interfaces to zones
Let's say we set up eth1/3 as the inside zone
We setup several policies
Now we can assign eth1/4 as inside zone and our policies still apply
We don't have to write the same rules for each zone.

Virtual router concepts
There is a default virtual router. This is what we will use in most cases. It's possible to create multiple virtual routers.

Config zones, VR and L3 interfaces
Network -> Zones
Add
Inside

Network -> Virtual router
Add
VR1

Network -> Interfaces
ethernet1/1
Interface type = Layer3
Virtual router = VR1
Security zone = Inside

Configure a default route
Data plane (to ISP gateway)
Control plane (MGMT, for NTP, updates, SSH etc)

CLI to see the route table
show routing route

Web interface to see routing table
Network -> Virtual Routers
On your VR click "More Runtime Stats"

CLI to ping from another source
ping source x.x.x.x host 8.8.8.8

Network -> Virtual routers
edit
static routes
add

Configure NAT/PAT

Policies -> NAT
add (in bottom left)
Name it Inside_to_Outside
source zone = inside
destination zone = outside
You can select IPs etc

Translated packets
Dynamic IP and Port (PAT / global NAT)
Interface Address = the public IP
Interface ethernet1/1
Select  IP
Leave destination as none
Commit

We still need a security policy to allow the traffic

Security policy (ACLs)
There are two default rules

Logging is not turned on by default

Add sec rule
type = intrazone rule
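The zone concept above (rules are written between zones, so adding eth1/4 to the inside zone makes the existing rules apply to it) and the two default rules in the security policy (intrazone-default allows, interzone-default denies anything no explicit rule matched) are easier to see in a small model. The script below is an added example, not code from these notes or from Palo Alto Networks; the interface names, zone names and rule are constructed, and the hit counter mirrors the one shown under Policies -> Security.

```python
"""Toy model of zone-based security policy evaluation.

Added example (not from the original notes or from Palo Alto Networks).
Models two PAN-OS behaviours: rules are written between zones rather than
interfaces, so adding an interface to a zone makes existing rules apply to
it, and the two default rules (intrazone-default allow, interzone-default
deny) catch anything no explicit rule matched. Names are constructed.
"""
from dataclasses import dataclass, field

# Constructed interface-to-zone mapping, as in the notes: eth1/3 is "inside".
IFACE_ZONES = {
    "ethernet1/1": "outside",
    "ethernet1/2": "dmz",
    "ethernet1/3": "inside",
}


@dataclass
class Rule:
    name: str
    from_zone: str   # "any" matches every zone
    to_zone: str
    action: str      # "allow" or "deny"
    hits: int = 0    # mirrors the hit counter under Policies -> Security


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    zones: dict = field(default_factory=lambda: dict(IFACE_ZONES))

    def zone_of(self, iface):
        try:
            return self.zones[iface]
        except KeyError:
            raise ValueError(f"{iface} is not assigned to a zone")

    def evaluate(self, in_iface, out_iface):
        """Return (rule_name, action) for traffic entering in_iface and leaving out_iface."""
        src, dst = self.zone_of(in_iface), self.zone_of(out_iface)
        # Explicit rules are matched top to bottom; the first match wins.
        for r in self.rules:
            if r.from_zone in ("any", src) and r.to_zone in ("any", dst):
                r.hits += 1
                return r.name, r.action
        # Nothing matched: fall through to the two default rules.
        if src == dst:
            return "intrazone-default", "allow"
        return "interzone-default", "deny"


def demo():
    p = Policy(rules=[Rule("Inside_to_Outside", "inside", "outside", "allow")])
    before = p.evaluate("ethernet1/3", "ethernet1/1")   # explicit rule matches
    # Later, eth1/4 is added to the inside zone; the existing rule applies with no edits.
    p.zones["ethernet1/4"] = "inside"
    after = p.evaluate("ethernet1/4", "ethernet1/1")
    dmz = p.evaluate("ethernet1/2", "ethernet1/3")      # no rule: interzone-default deny
    same = p.evaluate("ethernet1/3", "ethernet1/4")     # no rule: intrazone-default allow
    return before, after, dmz, same, p.rules[0].hits


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The dmz-to-inside result is the practical reason the interzone default matters: traffic between two zones with no explicit rule is dropped, so a missing rule shows up as a deny in Monitor -> Traffic rather than as an accidental allow.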

Troubleshooting / verification 
On Policies -> Security
Look at your ACL; you can see the hit count, last hit and first hit.
You can clear counters in the bottom right
"Reset Rules Hit Counter"

We can see hit counts for the nat policies

Monitor -> Traffic
Most recent is at the top
You can click on the magnifying glass on each entry for more info

Tags
You can set up tags to add a color
eg
outside = red
inside = green
dmz's = yellow

Objects -> Tags
Click add in bottom left
Drop down and select your zone
Select the color
commit



Zone protection
Create zone protection profile
Then apply it to a zone
Network -> Network profiles -> Zone protection
Give a name
Enable flood protection etc
Network -> Zone
Edit the zone, select the zone protection profile
Enable packet buffer protection

Check the documentation; some of the features have a performance impact.

Interface management
By default ping is not allowed
Network -> Interface Mgmt
Add
HTTP_and_ping
tick: HTTPS and ping
Click add to add source IP addresses

Network -> Interfaces ->
Edit ethernet1/1
Advanced tab -> Select management profile from dropdown box
Yes
commit

DHCP
Network -> DHCP
Add
select the interface
enabled = on
disabled = off
auto = check if there is already a DHCP server

Tick ping IP when allocating (helps avoid conflicts)
Fill in details: gateway, DNS etc
Can configure DHCP options there

DHCP relay (helper)
Click on the DHCP relay tab
select the interface
tick the box
fill in the IP address of the real DHCP server.

Config management
Create a new tag as a test

3 ways to revert this change
reboot firewall (config not saved)
config -> revert changes
Devices -> Operations -> revert to running config

Making changes but not finished and want to come back later
Don't want to commit but want to return to finish these changes and commit later.
Config -> Save Changes

Devices -> Operations -> save named config snapshot

Each time we commit the palo saves a version of the config
Device -> Setup -> Load a config version
In the dropdown we can see previous versions of the config


Wednesday, 24 September 2025

cisco umbrella SIG webinar notes

Redirection methods

Both methods will enforce SWG (web protection), but the IPSec tunnels will also provide Cloud Delivered Firewall (this is not available with roaming clients). We always recommend the clients since they will protect your users when they are working from the office, or just travelling, or working from a cafeteria.

But both options are advantageous for different reasons; you could also configure the clients to back off when they are at the office, and use the IPSec tunnel to have access to the Cloud Delivered Firewall.

IPsec IKEv2 VPN from your firewall > umbrella cloud

secure client with SWG module goes via https > umbrella cloud

Which is recommended? Any features lost/gained, VPN vs Secure Client?


clients > redirection method > umbrella client > CDFW (L7 and IPS)

http/https > SWG

non-web traffic not blocked >


DNS > CDFW > SWG > DLP or RBI 

DLP scans data for violations

RBI render in cloud browser


PAC files to send users traffic to the SWG



CDFW only available with IPsec tunnel 

secure client is using SWG

still need to keep VAs


On policy flow:

The order of operations will depend on what deployment method you are using. For example, if you have a setup of VAs and an IPSec tunnel, the order of operations will be: DNS policy enforcement (redirected by VAs to resolvers), CDFW (because of the IPSec tunnel), and finally SWG.

If you use roaming clients only, everything stays the same, with the exception of CDFW, since this is only available via the IPSec tunnel.

It is also recommended to have policies on all these layers (in the case that IPSec tunnels are set). This is because protection will happen at different stages, meaning the CDFW will protect layer 4-7, DNS protection will protect you at the domain resolution level, and the SWG will protect URL level access.

Hello Jack, the policies work in order of operations; based on your question, it will hit DNS first, then Firewall, Web and then DLP. So if you have a policy in place for DNS it will only hit that policy first, and for SWG it will hit Web policies. https://docs.umbrella.com/umbrella-sig-gov/docs/best-practices-for-dns-policies. https://docs.umbrella.com/umbrella-sig-gov/docs/best-practices-for-web-policy


We match Web policies from top to bottom, but we also check identity and destination... that means a user can match multiple rules. Also, we have an implicit allow all at the end.


umbrella support page


Secure client vs PAC.

Hi Jack, if the Umbrella module is deployed to endpoints, it is not necessary to deploy the PAC file; however, the client is not supported on Windows servers, so if you wish to protect servers, the PAC file is the easiest way to protect them.

Tuesday, 2 September 2025

Doing MD5 checksum check on cisco FMC install file

A client's AV detected it as malware, so I wanted to confirm the hash.

certutil is built in, so I used that, but there are some free GUI tools.

certutil -hashfile Cisco_Secure_FW_Mgmt_Center_Upgrade-7.2.9-44.sh.REL.tar MD5 | find /v "hash"

Compare the result to the MD5 hash on cisco.com downloads section. If you hover the version the MD5 and SHA1 hashes will be there to copy.
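Same check, scripted, as an added example (not from these notes or from Cisco): it hashes the file in chunks, since upgrade bundles are large, and compares against the hash copied from the vendor page. The file content and the "expected" values are constructed for the demo; in practice the expected MD5/SHA1 come from the cisco.com download page.

```python
"""Verify a downloaded installer against a vendor-published hash.

Added example, not from the original notes or from Cisco. Does the same
job as the certutil command: hashes the file in chunks and compares the
result to the hash copied from the vendor download page. The file content
and expected hashes below are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time so multi-GB images don't need to fit in RAM


def file_digest(path, algo):
    """Return the lowercase hex digest of the file using hashlib algorithm `algo`."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, expected):
    """Check a file against {algo: expected_hex} copied from the vendor page.

    Returns {algo: True/False}. Comparison is case-insensitive because vendor
    pages show hashes in mixed case; compare_digest avoids a timing side channel.
    """
    results = {}
    for algo, exp in expected.items():
        actual = file_digest(path, algo)
        results[algo] = hmac.compare_digest(actual, exp.strip().lower())
    return results


def demo():
    # Constructed stand-in for the .tar; the real one is the FMC upgrade bundle.
    data = b"not a real FMC image\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False, suffix=".tar") as f:
        f.write(data)
        path = f.name
    try:
        # "Published" values computed here for the demo; SHA1 in upper case on purpose.
        good = {"md5": hashlib.md5(data).hexdigest(),
                "sha1": hashlib.sha1(data).hexdigest().upper()}
        tampered = dict(good, md5="0" * 32)
        return verify(path, good), verify(path, tampered)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    ok, bad = demo()
    print("matching hashes:", ok)
    print("one wrong hash:", bad)
```

Check both hashes the vendor publishes: MD5 alone is fine for spotting a corrupted download, but a SHA1 (or better) match is what you want before trusting a file an AV product has flagged.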

Wednesday, 6 August 2025

nessus advanced

Terrascan 

Need to tick a box to download it. 

Scans code for infrastructure as code (IAC)

Used to scan a Git repo URL, for example.

  • Log level: set the verbosity 
  • IAC type: select arm cft, docker, k8s etc
  • Remote type: git, s3, gcs, http, terraform-registry
Note: we need git installed on the Nessus server to select the git type.

Reviewing results is much like a regular Nessus scan.
Click on the control to get more detail on why the control failed etc.
For example SSH port 22 is open to the internet.

It will give you the file / line number where it found the issue so the code can be reviewed.
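To show what an IaC check of that kind does (flag the block, report the file and line), here is a minimal scanner as an added example. It is not Terrascan's code or policy format; it walks Terraform-style text for an ingress rule that opens SSH to 0.0.0.0/0 or ::/0 and returns the line where the block starts. The sample security group is constructed.

```python
"""Minimal illustration of an IaC check like the Terrascan finding in the notes.

Added example; not Terrascan's code or its policy format. Scans Terraform-style
text for an ingress block that allows SSH (port 22) from the whole internet and
reports the file and line number so the code can be reviewed. SAMPLE is constructed.
"""
import re

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22

SAMPLE = """\
resource "aws_security_group" "web" {
  name = "web"

  ingress {
    description = "https"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "ssh from anywhere"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "ssh from office"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }
}
"""


def scan_terraform(text, filename="main.tf"):
    """Return findings [{file, line, message}] for ingress blocks exposing SSH to the world."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if not re.match(r"\s*ingress\s*\{", lines[i]):
            i += 1
            continue
        start, depth = i, 0
        from_port = to_port = None
        cidrs = set()
        # Walk the block, tracking braces so nested blocks do not end it early.
        while i < len(lines):
            line = lines[i]
            depth += line.count("{") - line.count("}")
            m = re.match(r"\s*(from_port|to_port)\s*=\s*(\d+)", line)
            if m:
                if m.group(1) == "from_port":
                    from_port = int(m.group(2))
                else:
                    to_port = int(m.group(2))
            m = re.match(r"\s*(?:ipv6_)?cidr_blocks\s*=\s*\[(.*)\]", line)
            if m:
                cidrs.update(re.findall(r'"([^"]+)"', m.group(1)))
            i += 1
            if depth == 0:
                break
        # A port range that contains 22 (including 0-65535) counts, not only 22-22.
        exposed = cidrs & OPEN_CIDRS
        if (from_port is not None and to_port is not None
                and from_port <= SSH_PORT <= to_port and exposed):
            findings.append({
                "file": filename,
                "line": start + 1,
                "message": f"ingress allows SSH (port {SSH_PORT}) from {sorted(exposed)}",
            })
    return findings


if __name__ == "__main__":
    for f in scan_terraform(SAMPLE):
        print(f"{f['file']}:{f['line']}: {f['message']}")
```

Only the second block is reported: the HTTPS rule is open but not on port 22, and the office rule is SSH but scoped to one prefix. That file/line pair is what you hand back to whoever owns the repo.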

Attack surface discovery

This is the initial scan to see what is visible 
My scans > new scan
select attack surface discovery template 
supply comma separated list of top level domains
domain.com,other.com
save and launch 

The scan will provide results

On the records tab we will see the IPs / hostnames that were found. We will see the record types:
  • A and AAAA
  • MX
  • NS
  • PTR
  • CNAME
  • SOA etc
Now we can select what was discovered
  • Click more > create scan
  • Select a basic or advanced network scan
  • The targets field automatically populates
  • Now we can run the normal Nessus scan on the targets we discovered

Web application scanning

Traditional Nessus scans are done on IPs. Web app scans scan web applications, looking deeper into the web app. They can run with creds or no creds. They can look for the unknown: they will send input to the web forms. There are known and unknown vulns.

A traditional Nessus scan is looking for the known. WAS investigates the web app itself. It will send many special requests to every page it finds.

  • Traditional will suggest patches/software upgrades to fix the problem.
  • WAS will show you leaks, but further investigation will be needed from there. You will need to work with the customer/developer.
WAS scanning sequence 
  • Identify web server
  • Known web app (wordpress, joomla etc)
  • Vulnerabilities on the known web apps
  • Spider through website to understand the layout
  • identify forms (CGI etc)
  • Pass parameters at forms
  • Identify vulnerabilities in the web app forms etc
Credentialed WAS (going beyond the public areas of the web app/site)
  • Connect to website 
  • Connect to login form
  • Login 
  • Perform tests
  • Looking for SQL injection / XSS / session mgmt
  • Like a traditional scan, we get more info from a credentialed scan
  • WAS could have bad effects
  • Run on test/staging site (avoid live environment)
  • Scans can DDoS/overload web servers/apps (rate limit the scan, run OOH)
  • Run with read only user
How to mitigate issues
  • Backup before starting scan
  • Scan a mirror of the site (test site etc)
  • Maintenance window for scan
  • Light scan first followed by scan tuning 
WAS workflow
  • Get website sub domains
  • run config scan
  • run overview scan (get creds)
  • develop scan policy 
  • follow up scans (code can change over time)
  • Keep WAS up to date
Sitemap.csv
This contains a list of URLs discovered / HTTP methods supported etc

How to enable WAS in nessus
  • You need to have docker installed on your nessus server
  • Tick enable WAS
  • It will download the image
WAS Scan types

What kind of scan are we doing ?
  • Risk assessment 
  • Compliance requirements (credit card data requires PCI DSS, others may require CIS etc)
  • Data sensitivity 
  • Technology stack
  • Specific vulnerabilities 
Web app config audit scan
  • Checks HTTP headers available
  • XSS checks
  • HTTPS enforced ?
  • quick to run, good first step
SSL_TLS web app scan 

  • Look for proper implementation of SSL/TLS on your web server
  • Measured against industry standards
  • Runs quickly too, good for regular checks
Web app overview scan
  • Discovery scan
  • Spider and inventory all web pages / files / folders / sub domains
  • Results stored in sitemap.csv
  • The bigger the site, the longer the scan takes

Quick scan
  • Similar to config audit scan
  • Checks common security standards
  • Checks HTTP/SSL/TLS/DNS configs

Comprehensive  scan
  • Includes config audit, overview and SSL/TLS scans
  • Takes a long time depending on site size
  • Plugin family options for all web app plugins
  • The most detailed scan

Scans for special cases

PCI DSS - For payment card industry
API - checks RESTful APIs (checking APIs is key to web app testing)
OpenAPI (previously called Swagger)
Log4Shell - For the log4shell issue. Needs local creds for local checks.


Overview scan
  • New scan > web app tab
  • choose "overview"
  • provide URL
  • scan name
  • target URL

Config scan
  • New scan > web app tab
  • choose "Web app config audit"
  • scan name
  • target URL
SSL scan
  • New scan > web app tab
  • choose "SSL_TLS"
  • scan name
  • target URL
Filter results for SSL

Non credentialed web app scan
  • New scan > web app tab
  • choose "scan" scan
  • scan name
  • target URL

credentialed web app scan

  • Credentialed scans are important as they look deeper at all the user pages / forms etc
  • Identify
  • can break sites so best to run on a copy of the live site
  • Basic/NTLM auth (type username and password). NTLM stronger than basic.
  • Nessus supports cookie based auth
    • Use web browser to login
    • Copy cookie
    • Name + Content
    • chrome://settings/siteData
    • Check limitations (https, NoScript, expiration etc)
  • Form based auth (manual and selenium scripting)
    • login URL and form parameters
    • you can use selenium script
    • plugin 98033 detects a form
    • You will give details there
    • login page
    • creds (username and password), field name; field value
    • pattern for success (regex)
    • Page to verify active
    • pattern to verify active (regex)
    • All patterns are regex
    • Selenium is used for scripting browser automation
    • Selenium IDE browsers extension (record, edit and play back)

Selenium scripting

  • Chrome extension makes it easier
  • create a new test project (give it a name)
  • enter URL and click start recording
  • login and do your actions
  • open tool again and stop recording in top right
  • give the script a name
  • save it for use later

Using the script in a credentialed scan

  • New scan > web app tab
  • choose "scan"
  • enter scan name
  • enter URL
  • credentials tab
  • select web authentication
  • Select authentication method: Selenium Authentication 
  • You can upload your script file here
  • Enter the page to verify auth worked
  • Enter pattern to verify active session: Sign off (text or regex); text method is case-insensitive
  • save scan and launch
  • On our results 
  • filter for selenium in the info we should see it succeeded
  • Give screenshots and other details of login.
  • This page is good if auth fails to figure out what is wrong


credentialed scan without a script (policy config)

  • New scan > web app tab
  • Choose "Scan"
  • Give the scan a name
  • Enter the URL
  • Click credentials and click 
  • Choose authentication method "login form"
  • Login page url: (the page where the username and password is entered)
  • You can give login parameters in a .json file
  • simple example: {"uid": "admin", "passw": "admin"}
  • Pattern to verify successful auth "Sign off"
  • url for active session
  • Pattern to verify active session "Sign off"
  • Save and run scan
  • check vulnerabilities
  • filter for authentication
  • The info "Login form authentication succeeded"
  • You will see details here
  • Filter for failed to see details of the login failed

Thursday, 31 July 2025

swap mem 100% used on palo 400 series 450, 455

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sYzBCAU&lang=en_US


Palo only gave the 400 series 1 MB of swap, which is full when the device is on.

Swap (and other memory) can be cached/buffered for the kernel. It's not really used but ready to be used; it can be reclaimed by the system when needed.

Monitor physical memory instead (available memory is what you want to look at)


show system resources
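A monitor that keys on swap usage will page on these boxes forever, so the check should read available physical memory instead. The parser below is an added example (not from these notes or from Palo Alto Networks): it reads the memory lines of the top-style output that show system resources prints, reports swap usage for information only, and alerts on available memory. SAMPLE is constructed in that layout, and the 15% threshold is an assumption.

```python
"""Parse 'show system resources' (top-style) output and decide what to alert on.

Added example, not from the original notes or from Palo Alto Networks. The
400 series swap is tiny and reads 100% used permanently, so the alert here is
driven by available physical memory. SAMPLE is a constructed block in the
procps 'top' layout the command prints; the threshold is an assumption.
"""
import re

SAMPLE = """\
top - 10:21:33 up 12 days,  3:05,  0 users,  load average: 1.02, 1.10, 1.08
Tasks: 204 total,   2 running, 202 sleeping,   0 stopped,   0 zombie
%Cpu(s):  8.5 us,  3.1 sy,  0.0 ni, 88.0 id,  0.2 wa,  0.0 hi,  0.2 si,  0.0 st
KiB Mem :  4052104 total,   212340 free,  2187612 used,  1652152 buff/cache
KiB Swap:     1024 total,        0 free,     1024 used.  1533212 avail Mem
"""

# Both KiB and MiB variants of the top layout; numbers may be floats in MiB mode.
MEM_RE = re.compile(
    r"^(KiB|MiB) Mem\s*:\s*([\d.]+) total,\s*([\d.]+) free,\s*([\d.]+) used,\s*([\d.]+) buff/cache",
    re.M)
SWAP_RE = re.compile(
    r"^(KiB|MiB) Swap:\s*([\d.]+) total,\s*([\d.]+) free,\s*([\d.]+) used\.\s*([\d.]+) avail Mem",
    re.M)
UNIT_KIB = {"KiB": 1, "MiB": 1024}


def parse_resources(output):
    """Return memory figures in KiB from the Mem/Swap lines of the command output."""
    m, s = MEM_RE.search(output), SWAP_RE.search(output)
    if not (m and s):
        raise ValueError("memory lines not found; is this 'show system resources' output?")
    k = UNIT_KIB[m.group(1)]      # unit of the Mem line (avail Mem uses the same unit)
    ks = UNIT_KIB[s.group(1)]     # unit of the Swap line
    return {
        "mem_total_kib": float(m.group(2)) * k,
        "mem_free_kib": float(m.group(3)) * k,
        "mem_used_kib": float(m.group(4)) * k,
        "buff_cache_kib": float(m.group(5)) * k,
        "swap_total_kib": float(s.group(2)) * ks,
        "swap_used_kib": float(s.group(4)) * ks,
        "mem_avail_kib": float(s.group(5)) * k,
    }


def assess(stats, min_avail_pct=15.0):
    """Swap usage is informational; alert only when available memory drops below the threshold."""
    swap_pct = (100.0 * stats["swap_used_kib"] / stats["swap_total_kib"]
                if stats["swap_total_kib"] else 0.0)
    avail_pct = 100.0 * stats["mem_avail_kib"] / stats["mem_total_kib"]
    return {
        "swap_used_pct": round(swap_pct, 1),
        "mem_avail_pct": round(avail_pct, 1),
        "alert": avail_pct < min_avail_pct,
    }


if __name__ == "__main__":
    print(assess(parse_resources(SAMPLE)))
```

On the constructed sample this reports swap at 100% and roughly 38% of memory available with no alert, which is the state the KB article describes as normal; "free" on its own understates headroom because buff/cache is reclaimable, which is why the "avail Mem" figure is the one compared.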