Technical Notes: Firewalls

Palo Alto

 Live Community: https://live.paloaltonetworks.com

CLI Troubleshooting

Routing

 show routing protocol bgp summary
 show routing route virtual-router chkpt-vr type bgp
 show routing protocol bgp rib-out
 show routing route virtual-router chkpt-vr
 test routing bgp virtual-router chkpt-vr restart peer Nexus7ka

Show Commands

 show system software status     => includes process table
 show system resources follow    => equivalent of top
 show jobs all                   => shows currently running tasks
 show logging-status             => allows comparison of sent/received log sequence numbers
 show logging-status device <SN> => same comparison for a single managed device
 show session all [filter source 177.43.228.149]

Packet Captures

Set up and enable filter

 debug dataplane packet-diag set filter on
 debug dataplane packet-diag set filter match source 1.2.3.4 destination-port 25

Set up capture file parameters

 debug dataplane packet-diag set capture stage drop file drop.pcap
 debug dataplane packet-diag set capture stage receive file receive.pcap
 debug dataplane packet-diag set capture stage firewall file firewall.pcap
 debug dataplane packet-diag set capture stage transmit file transmit.pcap

Turn capture on/off

 debug dataplane packet-diag set capture on/off

View capture

 debug dataplane packet-diag show setting
 view-pcap filter-pcap drop.pcap

Check Counters

 show counter global filter packet-filter yes delta yes

Manually clear sessions that were marked by a previous filter (otherwise they keep being captured under the old filter)

 debug dataplane packet-diag clear filter-marked-session all

Take Action

 debug software restart process ntp
 request log-fwd-ctrl device <sn> action start

VPN

Configuration

It is crucial that the Proxy ID of the IPSec tunnel matches the CP encryption domain exactly, including the subnet mask; a mismatch means the IPsec SA never comes up.

Information gathering

 show vpn flow                     ===> shows existing tunnel-IDs
 show vpn flow tunnel-id <tunnel-ID> ===> shows details about a specific tunnel-ID
 show vpn tunnel name Autonomy_DR
 show vpn ike-sa [detail] gateway Autonomy-DR-IKE
 show vpn ipsec-sa tunnel Autonomy_DR:Autonomy3

Initiate creation of SAs

 test vpn ike-sa gateway Autonomy-DR-IKE
 test vpn ipsec-sa tunnel Autonomy_DR:Autonomy3

Take action

 clear vpn

Panorama

HA Setup

 https://www.paloaltonetworks.com/documentation/60/panorama/panorama_adminguide/panorama-high-availability/configure-a-panorama-high-availability-pair
 https://live.paloaltonetworks.com/t5/Management-Articles/How-Does-Panorama-HA-Work/ta-p/61479

Log Collectors

Configure an M-100 as both Panorama management server and log collector. Essentially, one has to add the Panorama server itself as a managed collector and define a collector group; the collector group tells the firewalls to which log collector(s) their logs should be forwarded.

 https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-an-M-100-to-Function-as-Both-a-Log-Collector/ta-p/60405
 https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-log-collection/configure-log-forwarding-to-panorama#id80fca380-dbad-4432-8aec-d0f3265ba358

Similar concept, just in a Panorama HA configuration:

 https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-log-collection/log-collection-deployments/deploy-panorama-m-series-appliances-with-local-log-collectors#id48ef20e9-5931-4ad9-8f4c-fe802fea558b

Troubleshoot logging issues

Logging from firewalls to Panorama happens over TCP port 3978, which is also used for management functions, so a log-forwarding problem on that port usually affects management connectivity as well.

Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/Palo-Alto-Networks-Firewall-not-Forwarding-Logs-to-Panorama-VM/ta-p/59799

Panorama:

 show logging-status device <serial number>
 request log-fwd-ctrl device <serial number> action start-from-lastack
 debug software restart process logd

Firewall:

 show log-collector preference-list
 debug software restart process log-receiver

RMA related tasks

 https://live.paloaltonetworks.com/t5/Configuration-Articles/Palo-Alto-Networks-Firewall-not-Forwarding-Logs-to-Panorama-VM/ta-p/59799
 https://www.paloaltonetworks.com/documentation/61/panorama/panorama_adminguide/troubleshooting/recover-logs-after-failure-rma-of-m-100-appliance-in-log-collector-mode

Wildfire

 Tips & Tricks: https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb-id/FeaturedArticles/article-id/11
 Configuration: https://live.paloaltonetworks.com/t5/Management-Articles/Wildfire-Configuration-Testing-and-Monitoring/ta-p/57722

Weak ciphers

To change the default SSH cipher/MAC suite of the management interface, one explicitly enables only the desired ciphers and MACs; the default (permissive) list is replaced by what is configured, and the SSH service must be restarted for the change to take effect.

Example:

 configure
 set deviceconfig system ssh mac mgmt hmac-sha2-256
 set deviceconfig system ssh mac mgmt hmac-sha2-512
 set deviceconfig system ssh ciphers mgmt aes256-gcm
 set deviceconfig system ssh ciphers mgmt aes256-ctr
 commit
 exit
 set ssh service-restart mgmt
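To verify that the restricted suite is really what the management interface offers after the restart, the following added example (not from the page or from Palo Alto Networks) reads the server's SSH_MSG_KEXINIT, which lists every cipher and MAC the server is willing to negotiate, and reports any legacy algorithm still present. The WEAK_CIPHERS/WEAK_MACS sets are an assumed policy, and SAMPLE_KEXINIT is a constructed message, not a real capture.

```python
import socket
import struct

# Assumed policy: legacy algorithms a hardened mgmt interface should not offer.
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (RFC 4253 s7.1) into its ten name-lists, in wire order."""
    if not payload or payload[0] != 20:  # 20 == SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}  # skip the message id (1 byte) and the random cookie (16 bytes)
    for name in FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])  # string = uint32 len + data
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        out[name] = [a for a in raw.split(",") if a]
        pos += 4 + length
    return out

def weak_algorithms(kex: dict) -> dict:
    """Legacy ciphers/MACs the server still offers in either direction."""
    ciphers = set(kex["enc_c2s"]) | set(kex["enc_s2c"])
    macs = set(kex["mac_c2s"]) | set(kex["mac_s2c"])
    return {"ciphers": sorted(ciphers & WEAK_CIPHERS), "macs": sorted(macs & WEAK_MACS)}

def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Connect, exchange version strings and return the server's KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        f.readline()  # server version string, e.g. SSH-2.0-...
        s.sendall(b"SSH-2.0-cipher_check\r\n")
        (packet_len,) = struct.unpack(">I", f.read(4))  # binary packet; no MAC before kex
        padding_len = f.read(1)[0]
        return f.read(packet_len - padding_len - 1)

def _namelist(algs) -> bytes:
    data = ",".join(algs).encode("ascii")
    return struct.pack(">I", len(data)) + data

# Constructed sample (not a real capture): an un-hardened server that still offers
# CBC/3DES ciphers and hmac-sha1 next to the modern algorithms.
SAMPLE_KEXINIT = (bytes([20]) + bytes(16)
                  + _namelist(["curve25519-sha256", "diffie-hellman-group14-sha256"])
                  + _namelist(["ssh-rsa"])
                  + _namelist(["aes256-ctr", "aes256-cbc", "3des-cbc"]) * 2
                  + _namelist(["hmac-sha2-256", "hmac-sha1"]) * 2
                  + _namelist(["none"]) * 2 + _namelist([]) * 2 + b"\x00" + bytes(4))
```

Run `weak_algorithms(parse_kexinit(fetch_kexinit("<mgmt-ip>")))` against the management address after the restart; an empty result for both keys confirms only the configured suite is offered.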

References:

 https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-supported-in-pan-os-8-0/cipher-suites-supported-in-pan-os-8-0-admin-sessions
 https://live.paloaltonetworks.com/t5/General-Topics/How-to-disable-SSH-weak-algorithm-supported/m-p/234975#M67366
 https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites/cipher-suites-supported-in-pan-os-8-0/cipher-suites-supported-in-pan-os-8-0-admin-sessions

pfSense

Reference: https://www.pfsense.org

The Uncomplicated Firewall (ufw)

Reference: https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server