Securing Remote Access in Palo Alto Networks Practical techniques to enable and protect remote users, improve your security posture, and troubleshoot next-generation firewalls
Tom Piens FOR SALE IN INDIA ONLY
BIRMINGHAM—MUMBAI
Securing Remote Access in Palo Alto Networks
Copyright © 2021 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavoured to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Wilson D'souza
Publishing Product Manager: Vijin Boricha
Senior Editor: Shazeen Iqbal
Content Development Editor: Rafiaa Khan
Technical Editor: Shruthi Shetty
Copy Editor: Safis Editing
Project Coordinator: Shagun Saini
Proofreader: Safis Editing
Indexer: Rekha Nair
Production Designer: Jyoti Chauhan
First published: June 2021
Production reference: 1030621
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80107-744-6
www.packt.com
I want to dedicate this book to my son, godson, and newborn nephew: life starts at 40, so don't grow up too fast.
Contributors
About the author
Tom Piens, PCNSE, CISSP, and founder of PANgurus, has over 10 years of experience working with Palo Alto Networks customers. Tom has been on the forefront of engaging with customers, responding to questions, and analysing unique needs to apply the best possible solutions or workarounds. He has authored a great many articles on the Palo Alto Networks knowledge base and discussion forum solutions, and a book, Mastering Palo Alto Networks. Also known as reaper on the PANgurus and LIVEcommunity forums, and PANWreaper on Twitter, Tom has been recognized by Palo Alto Networks user groups and community members, and by countless thankful customers.
I want to extend a special thanks to Nick "Ndx" for helping to review and fact-check this book, Aref Alsouqi for being a technical sounding board, and Rutger Truyers for his much-appreciated insights. In these trying times I have very much enjoyed their friendship above all.
About the reviewer
Kris Znamierowski is an IT professional with over 18 years of experience in securing and supporting multiple operating systems, including PAN-OS, Microsoft, Linux, and BSD UNIX. He has been an OpenBSD user since forever. He holds many credentials from industry leaders.
Table of Contents

Preface

Section 1: Leveraging the Cloud and Enabling Remote Access

Chapter 1: Centralizing Logs
    Technical requirements  4
    Understanding log forwarding profiles and best practices  4
    Allocating log storage  4
    Adding disk space to a VM firewall  7
    Exploring log forwarding profiles  8
    Learning about Panorama and log collectors  10
    Forwarding logs to syslog, SMTP, and other options  11
    SNMP trap server profile  12
    Syslog server profile  13
    Email server profile  15
    HTTP server profile  17
    Netflow Profile  18
    Configuring system log forwarding on the firewall  21
    Dynamic tagging  23
    Assigning log forwarding actions  26
    Troubleshooting logs and log forwarding  28
    Debugging log-receiver  29
    Reading system resources  32
    Using tcpdump  33
    Troubleshooting forwarding to a log collector  36
    Summary  41

Chapter 2: Configuring Advanced GlobalProtect Features
    Technical requirements  44
    Learning about advanced configuration features  44
    Integrating SAML into authentication methods  44
    Setting up a VPN connection before the user has logged on  57
    Leveraging quarantine to isolate agents  75
    Practical troubleshooting for GlobalProtect issues  79
    Summary  85

Chapter 3: Setting up Site-to-Site VPNs and Large-Scale VPNs
    Technical requirements  88
    Configuring a site-to-site VPN connection  88
    Static site-to-site tunnels  102
    Dynamic site-to-site tunnels  114
    Setting up the LSVPN  118
    Summary  133

Chapter 4: Configuring Prisma Access
    Technical requirements  136
    Configuring Prisma Access  136
    Configuring the service infrastructure  144
    Configuring the service connection  146
    Configuring directory sync  150
    Configuring mobile users  156
    Configuring remote networks  163
    Configuring the remote firewalls  171
    Configuring Cortex Data Lake  175
    Summary  176

Section 2: Tools, Troubleshooting, and Best Practices

Chapter 5: Enabling Features to Improve Your Security Posture
    Technical requirements  180
    Hardening the management interface  180
    FIPS-CC mode  180
    Replacing the default certificates  183
    Setting minimum password complexity  191
    Configuring administrator roles  195
    Restricting access to the management interface  201
    Setting the master key  202
    EDLs  204
    MineMeld  207
    Summary  219

Chapter 6: Anti-Phishing with User Credential Detection
    Technical requirements  221
    Preparing the firewall for credential detection  222
    Configuring SSL/TLS decryption  223
    Enabling IP user mapping  230
    Using IP user mapping for credential detection  235
    Enabling group mapping  237
    Troubleshooting user-ID  241
    Using group mapping for credential detection  244
    Using domain credential filter  246
    Troubleshoot domain credential filter  253
    Summary  259

Chapter 7: Practical Troubleshooting and Best Practices Tools
    Technical requirements  262
    Troubleshooting User-ID  262
    Users are not being mapped  262
    Users are mapped briefly  270
    Inconsistent domain in username  275
    Command-line interface (CLI) cheat sheet  278
    Troubleshooting NAT  279
    Loss of connectivity – proxy-ARP misconfiguration  284
    Troubleshooting destination NAT issues  290
    Troubleshooting source NAT  300
    BPA tool  303
    Summary  309

Other Books You May Enjoy
    Why subscribe?  311

Index
Preface
In this book, we will review remote connectivity in depth and learn about the different ways to deploy GlobalProtect and site-to-site VPN. Besides traditional methods, we will also learn about Large Scale VPN and Prisma Access SASE. Other topics that will be covered include anti-phishing and credential detection, hardening the management interface, and getting the most out of your logs.
Who this book is for
This book is for anyone who wants to learn more about remote access for users and remote locations leveraging GlobalProtect, Prisma Access, and Large Scale VPN. You will learn about the added value that log forwarding can bring and how to improve the security posture of your management interface. Anti-phishing and credential detection are covered in depth to help those who want to protect their organization from credential theft and data leaks.
What this book covers
Chapter 1, Centralizing logs, is all about how to get more out of logging.
Chapter 2, Configuring Advanced GlobalProtect Features, looks at best practices, troubleshooting, and advanced configuration.
Chapter 3, Setting up site-to-site VPNs and Large Scale VPNs, covers the ins and outs of traditional IPSec and GlobalProtect as a Large Scale VPN solution.
Chapter 4, Configuring Prisma Access, explores the complete configuration of a Prisma Access deployment.
Chapter 5, Enabling features to improve your security posture, talks about configuring advanced security measures to reach compliance.
Chapter 6, Anti-Phishing with User Credential Detection, gets into how to prevent the leaking of user credentials due to phishing or misuse.
Chapter 7, Practical troubleshooting and Best Practice Tools, explains troubleshooting for User-ID and NAT and some best practices.
To get the most out of this book
To get the most out of this book, it is highly recommended that you have a small lab at your disposal with two firewalls, Windows 10, and Windows Server 2016. Access to a Panorama management server would be helpful to follow the covered material but is not required. Familiarity with IPSec, syslog, and accessing systems through the CLI is recommended, as well as working experience with PAN-OS. Basic knowledge of Palo Alto Networks, network protocols, and network design would be helpful, so reading Mastering Palo Alto Networks first is recommended.
If you are using the digital version of this book, we advise you to type the code yourself or access the code via the GitHub repository (link available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.
Code in Action
Code in Action videos for this book can be viewed at https://bit.ly/3votQBS.
Download the colour images
We also provide a PDF file that has colour images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/9781801077446_ColorImages.pdf.
Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."
A block of code is set as follows:
    html, body, #map {
      height: 100%;
      margin: 0;
      padding: 0
    }
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
    [default]
    exten => s,1,Dial(Zap/1|30)
    exten => s,2,Voicemail(u100)
    exten => s,102,Voicemail(b100)
    exten => i,1,Voicemail(s0)
Any command-line input or output is written as follows:
    $ mkdir css
    $ cd css
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."
Tips or important notes
Appear like this.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, select your book, click on the Errata Submission Form link, and enter the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Reviews
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
Section 1: Leveraging the Cloud and Enabling Remote Access
In this section, we will configure and troubleshoot remote connectivity through direct access and the cloud.
The following chapters will be covered in this section:
• Chapter 1, Centralizing logs
• Chapter 2, Configuring Advanced GlobalProtect Features
• Chapter 3, Setting up site-to-site VPNs and Large Scale VPNs
• Chapter 4, Configuring Prisma Access
Securing Remote Access in Palo Alto Networks
This book builds on the content found in Mastering Palo Alto Networks, providing you with the information you need to know to fully understand, deploy, and troubleshoot Palo Alto Networks Strata products. Complete with step-by-step explanations of essential concepts, practical examples, and step-by-step instructions, you will gain a solid understanding of how to configure and deploy Palo Alto Networks remote access products. As you advance, you will learn how to design, deploy, and troubleshoot physical and virtual products. Later, you will explore new features and discover how to incorporate them into your environment. By the end of this Palo Alto Networks book, you will have mastered troubleshooting methodologies and have the confidence you need to be able to deploy phishing protection.
Things you will learn:
• Understand how log forwarding is configured on the firewall
• Focus on effectively enabling remote access
• Explore alternative ways for connecting users and remote networks
• Protect against phishing with credential detection
• Understand how to troubleshoot complex issues confidently
• Strengthen the security posture of your firewalls