Palo Alto Notes

Links

• PAN-OS packet flow sequence
• PAN-OS CLI Cheat Sheets
• Generate API key
• Security policy useful filters
• Newly added AD users don’t appear on the firewall immediately
• Remove admin login sessions
• Print device config in XML
• Migrating config between locations or devices via API
• App-ID and application dependency
• Custom applications & app override
• Brute force prevention on GP portal

---

• App-ID
  • Should be used where possible over service filtering - App-ID is more reliable for filtering traffic as it does not rely on just what ports the traffic is riding on
  • Where possible, using ‘application-default’ under service is also ideal - this will allow only the ports required for this application
  • The first few packets will be permitted based on the 6-tuple key¹ defined by the rule until the app can be identified
  • This further reinforces using correct service filtering as otherwise unintended traffic will be permitted (e.g. ‘any’ service would permit any destination ports until app was identified)
• URL filtering
  • Only works when used on web traffic (80 & 443)
  • Can work even without traffic being decrypted by inspecting the SNI² field of the TLS handshake
  • URL filters do not work properly when URLs exist in multiple custom URL groups
    • When one URL matches multiple categories, this creates unpredictable results with URL filtering³
• Asymmetric routing
  • By default, PAs will not allow asymmetric traffic between zones - if a PA doesn’t get a SYN for the first packet of a TCP handshake, the traffic will be discarded
  • You can allow asymmetric traffic⁴, however this is done on a per-zone basis.
• Proxy-ID
  • Used in VPN configurations where one side is a policy-based VPN (defining interesting traffic, source/destination)
  • Palo Alto is strictly a route-based VPN and will by default advertise 0.0.0.0/0 as its interesting traffic - if the other side is policy-based, this won’t match and the tunnel will fail to come up unless proxy-id is used
• Hits on Rules but No Logs
  • Few possible causes for this occurrence
  • First, improper log forwarding to Panorama if looking there or no logging on the rule in general
  • Second, rule is logging at end and, through gathering more information, the end of the session is marked as hitting another rule - there will still be a hit for the initial connection in this case but no log
  • Third, this could be a licensing issue with a VM firewall causing no logs to be generated

---

• Useful commands
  • find command keyword <keyword> - Allows searching CLI for useful commands
  • show counters global filter yes packet-filter yes delta yes | match drop - This gives you any drop counters that have incremented since the command was last run and matches the PCAP filter - useful for finding the reason for dropped packets in a PCAP

Footnotes

1. The 6-tuple key consists of the following: source-address, destination-address, source-port, destination-port, protocol, and security-zone.

2. The SNI field (server name indication) is transmitted in clear text during the TLS handshake - more detail on how PA inspects this located here.

3. Attached article validates this.

4. Attached article describes how to allow asymmetric traffic.