https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMgiCAE
Generate a self-signed CA on the Palo Alto firewall (Device > Certificate Management > Certificates), e.g. with CN fw-ldap.domain.int.
Then generate a certificate for the DC, CN DCHOST.domain.int (this must match the hostname the firewall will connect to), signed by the self-signed CA just created.
Export the DC cert as PKCS#12 and set an export password; the file contains the private key, so treat it as a secret and delete it after import.
Import it on the DC into the Local Computer certificate store (not the current user's store), otherwise the WinRM service cannot use the private key.
winrm quickconfig
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="DCHOST.domain.int";CertificateThumbprint="1x1x1x1x1x1x1x1x1x1x1x1x1x1x1"}'
(the thumbprint value above is a placeholder; use the thumbprint of the imported DC cert, copied from the store without spaces)
winrm get winrm/config/service/Auth
Look for Basic = true if you use the HTTPS + basic-auth path (the service side defaults to false; the client/Auth section is not what the firewall's connection is checked against). For the Kerberos path check that Kerberos = true, which is the default.
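The DC-side steps above, as one PowerShell sequence (an added example, not from the original post or from Palo Alto's KB). It assumes the PKCS#12 export is at C:\certs\DCHOST.pfx, the firewall CA cert was exported as C:\certs\fw-ldap.domain.int.cer, and the DC FQDN is DCHOST.domain.int; it reads the thumbprint from the imported cert instead of hand-typing it.

```powershell
# Added example (not the original post's commands). Assumed paths and names:
$dcFqdn      = 'DCHOST.domain.int'                 # assumption: matches the CN/SAN of the DC cert
$pfxPath     = 'C:\certs\DCHOST.pfx'               # assumption: PKCS#12 exported from the firewall
$caCertPath  = 'C:\certs\fw-ldap.domain.int.cer'   # assumption: firewall self-signed CA, exported without key
$pfxPassword = Read-Host -AsSecureString 'PKCS#12 export password'

# Import the DC cert + private key into the Local Computer store (WinRM runs as SYSTEM and reads from here).
$cert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Trust the firewall CA locally so the chain for the listener cert validates on the DC.
Import-Certificate -FilePath $caCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Equivalent of "winrm quickconfig": start the service, create the HTTP listener, open the firewall rule.
Set-WSManQuickConfig -Force

# Create the HTTPS listener bound to the cert we just imported (thumbprint taken from the object, not typed).
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -Hostname $dcFqdn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Verify: listeners, and the service-side auth methods the firewall will be checked against.
Get-ChildItem WSMan:\localhost\Listener
Get-ChildItem WSMan:\localhost\Service\Auth   # Kerberos should be true; Basic only for the HTTPS+Basic path

# Remove the PKCS#12 file now that the key is in the store.
Remove-Item $pfxPath -Force
```

From an admin workstation in the domain, `Test-WSMan -ComputerName DCHOST.domain.int -UseSSL -Authentication Kerberos` confirms the listener and Kerberos negotiation before the firewall is pointed at it.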
Palo FW setup
Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Server Monitor Account.
There are 2 parts:
1 - Group mapping: AD user/group download from AD over LDAP/LDAPS, so groups can be used in security policy etc.
2 - Server monitoring: reading the DC's Security event log for logon events to build user -> IP mappings.
WMI-based server monitoring seems to be totally broken now.
Move to WinRM + HTTP + Kerberos. HTTP here does not mean plaintext: with Kerberos authentication the WinRM message payload is still encrypted with the Kerberos session key, so the HTTPS listener is only needed for the basic-auth variant.
The Root\CIMV2 WMI namespace permission step from the KB is still needed, and a DNS proxy on the firewall may be needed so it can resolve the DC's FQDN (Kerberos needs the real hostname, not an IP).
On the firewall CLI, the User-ID daemon log shows the connection attempts and errors:
less mp-log useridd.log
(or tail follow yes mp-log useridd.log while reconnecting)
See: How to Configure DNS Proxy on a Palo Alto Networks Firewall (Palo Alto Networks Knowledge Base)
The service account also needed membership in these extra AD groups (per the KB):
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VUICA2
- Distributed COM Users
- Event Log Readers
- Remote Management Users
- Server Operators
- WinRMRemoteWMIUsers__
Caveat: Server Operators on a domain controller can log on locally, control services and back up/restore files, which is close to Domain Admin; treat the service account as Tier 0 (long unique password, no interactive use) and check whether the WinRM path actually needs that group for your setup.
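A script for the group-membership step above (an added example, not from the original post or the KB). It assumes the firewall's Server Monitor Account is svc-userid in domain.int and that it runs where the ActiveDirectory module is available; it only adds groups the account is missing and flags the Server Operators addition.

```powershell
# Added example. Assumption: svc-userid is the User-ID service account.
Import-Module ActiveDirectory
$svcAccount = 'svc-userid'
$requiredGroups = @(
    'Distributed COM Users',
    'Event Log Readers',
    'Remote Management Users',
    'Server Operators',
    'WinRMRemoteWMIUsers__'
)

$current = (Get-ADPrincipalGroupMembership -Identity $svcAccount).Name

foreach ($g in $requiredGroups) {
    if ($current -contains $g) {
        Write-Host "already member: $g"
        continue
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        # WinRMRemoteWMIUsers__ only exists once winrm quickconfig has run on the DC
        Write-Warning "group not found, skipping: $g"
        continue
    }
    if ($g -eq 'Server Operators') {
        # On a DC this group is near-admin: local logon, service control, backup/restore
        Write-Warning "adding $svcAccount to Server Operators on a DC grants near-admin rights"
    }
    Add-ADGroupMember -Identity $g -Members $svcAccount
    Write-Host "added: $g"
}

# Final membership, for the change record
Get-ADPrincipalGroupMembership -Identity $svcAccount |
    Select-Object -ExpandProperty Name | Sort-Object
```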