Palo Alto Networks Setup Features: SSL VPN

  • Tutorial
image

Despite all the advantages of Palo Alto Networks firewalls, there are not so many materials on how to configure these devices in RuNet, as well as texts describing the experience of their implementation. We decided to summarize the materials that we have accumulated during our work with the equipment of this vendor and talk about the features that we encountered during the implementation of various projects.

To get acquainted with Palo Alto Networks, this article will discuss the settings necessary to solve one of the most common firewall tasks - SSL VPN for remote access. We will also talk about auxiliary functions for general configuration of the firewall, identification of users, applications and security policies. If the topic is of interest to readers, in the future we will release materials with analysis of Site-to-Site VPN, dynamic routing and centralized management using Panorama.

Palo Alto Networks firewalls use a number of innovative technologies, including App-ID, User-ID, Content-ID. The use of this functionality allows for a high level of security. For example, using App-ID it is possible to identify application traffic based on signatures, decoding and heuristics, regardless of the port and protocol used, including inside an SSL tunnel. User-ID allows identification of network users through integration with LDAP. Content-ID allows you to scan traffic and identify the transferred files and their contents. Other firewall features include intrusion protection, protection against vulnerabilities and DoS attacks, built-in anti-spyware, URL filtering, clustering, and centralized management.

For demonstration, we will use an isolated stand, with a configuration identical to the real one, with the exception of device names, AD domain name and IP addresses. In reality, everything is more complicated - there can be many branches. In this case, instead of a single firewall, a cluster will be installed at the boundaries of the central sites, and dynamic routing may also be required.

The stand uses PAN-OS 7.1.9 . As a typical configuration, consider a network with a Palo Alto Networks firewall at the border. The firewall provides remote SSL VPN access to the head office. The Active Directory domain will be used as the user database (Figure 1).

image

Figure 1 - Block diagram of the network

Setup steps:

  1. Device preset. Setting the name, management IP address, static routes, administrator accounts, management profiles
  2. Install licenses, configure and install updates
  3. Configuring security zones, network interfaces, traffic policies, address translation
  4. Configure LDAP Authentication Profile and User Identification
  5. Configure SSL VPN

1. Preset


The main tool for configuring the Palo Alto Networks firewall is the web interface, and control via the CLI is also possible. By default, the management interface has an IP address of 192.168.1.1/24, login: admin, password: admin.

You can change the address either by connecting to the web interface from the same network, or by using the set deviceconfig system ip-address <> netmask <> command . It runs in configuration mode. To switch to configuration mode command is used the configure . All changes on the firewall occur only after confirming the settings with the commit command , both in command line mode and in the web interface.

To change the settings in the web interface, use the sectionDevice -> General Settings and Device -> Management Interface Settings. Name, banners, time zone and other settings can be set in the General Settings section (Fig. 2).

image
Figure 2 - Management interface parameters

If you are using a virtual firewall in an ESXi environment, in the General Settings section you need to enable the use of the MAC address assigned by the hypervisor, or configure the MAC addresses on the hypervisor specified on the firewall interfaces, or change the virtual settings switches to allow MAC address changes. Otherwise, traffic will not pass.

The management interface is configured separately and does not appear in the list of network interfaces. Under Management Interface Settingsindicates the default gateway for the management interface. Other static routes are configured in the virtual routers section, which will be described later.

To allow access to the device through other interfaces, you need to create a Management Profile in the Network -> Network Profiles -> Interface Mgmt section and assign it to the appropriate interface.

Next, you need to configure DNS and NTP in the Device -> Services section to receive updates and correctly display the time (Fig. 3). By default, all traffic generated by the firewall uses the IP address of the management interface as the source IP address. You can assign a different interface for each specific service in the sectionService Route Configuration .

image
Figure 3 - DNS, NTP, and system route settings

2. Install licenses, configure and install updates


For the full operation of all the functions of the firewall, you must install a license. You can use the trial license by requesting it from Palo Alto Networks partners. Its validity is 30 days. The license is activated either through a file or using Auth-Code. Licenses are configured in the Device -> Licenses section (Fig. 4).
After installing the license, you must configure the installation of updates in the Device -> Dynamic Updates section .
In the Device -> Software section, you can download and install new versions of PAN-OS.

image
Figure 4 - License Control Panel

3. Configuring security zones, network interfaces, traffic policies, address translation


Palo Alto Networks firewalls apply zone logic when configuring network rules. Network interfaces are assigned to a specific zone, and it is used in traffic rules. This approach allows in the future, when changing the interface settings, not to change the traffic rules, but instead to reassign the necessary interfaces to the corresponding zones. By default, traffic within the zone is allowed, traffic between zones is prohibited, the predefined rules intrazone-default and interzone-default are responsible for this .

image
Figure 5 - Security Zones

In this example, the interface in the internal network is assigned to the internal zone , and the interface directed to the Internet is assigned to the external zone. A tunnel interface has been created for SSL VPN, assigned to the vpn zone (Fig. 5).

Palo Alto Networks firewall network interfaces can operate in five different modes:

  • Tap - used to collect traffic for monitoring and analysis.
  • HA - used for cluster operation
  • Virtual Wire - in this mode, Palo Alto Networks combines two interfaces and transparently passes traffic between them, without changing the MAC and IP addresses
  • Layer2 - Switch Mode
  • Layer3 - router mode

image
Figure 6 - Setting the operating mode of the interface

In this example, the Layer3 mode will be used (Fig. 6). The parameters of the network interface indicate the IP address, operating mode and the corresponding security zone. In addition to the operating mode of the interface, you must assign it to the Virtual Router, which is an analogue of the VRF instance in Palo Alto Networks. Virtual routers are isolated from each other and have their own routing tables and network protocol settings.

Virtual router settings specify static routes and routing protocol settings. In this example, only the default route was created for access to external networks (Fig. 7).

image
Figure 7 - Configuring a virtual router.

The next configuration step is traffic policies, sectionPolicies -> Security . An example of configuration is shown in Figure 8. The logic of the rules is the same as for all firewalls. Rules are checked from top to bottom, until the first match. A brief description of the rules:

1. SSL VPN Access to Web Portal. Allows access to a web portal for authenticating remote connections
2. VPN traffic - allowing traffic between remote connections and head office
3. Basic Internet - allowing applications dns, ping, traceroute, ntp. The firewall allows applications based on signatures, decoding, and heuristics, rather than port and protocol numbers, so the Application-default section is specified in the Service section. Default port / protocol for this application
4. Web Access - permission to access the Internet via HTTP and HTTPS without application control
5.6. Default rules for other traffic.

image
Figure 8 - An example of setting network rules

To configure NAT, use the Policies -> NAT section . An example of NAT settings is shown in Figure 9.

image
Figure 9 - Example of NAT settings

For any traffic from internal to external, you can change the source address to the external IP address of the firewall and use the dynamic port address (PAT).

4. Configure LDAP Authentication Profile and User Identification Feature
Before connecting users via SSL-VPN, an authentication mechanism must be configured. In this example, authentication will occur on the Active Directory domain controller through the Palo Alto Networks web interface.

image
Figure 10 - LDAP profile

In order for authentication to work, you need to configure the LDAP Profile and Authentication Profile . In the Device -> Server Profiles -> LDAP section (Fig. 10), you need to specify the IP address and port of the domain controller, LDAP type and user account included in the Server Operators , Event Log Readers , Distributed COM Users groups . Then under Device -> Authentication Profilewe create an authentication profile (Fig. 11), mark the previously created LDAP Profile and in the Advanced tab specify the group of users (Fig. 12) who are allowed remote access. It is important to note the User Domain parameter in the profile , otherwise group-based authorization will not work. The field must contain the NetBIOS domain name.

image
Figure 11 - Authentication profile

image
Figure 12 - Select AD group

The next step is to configure Device -> User Identification . Here you need to specify the IP address of the domain controller, the credentials for the connection, as well as configure the settings for Enable Security Log , Enable Session , Enable Probing (Fig. 13). In chapterGroup Mapping (Fig. 14) it is necessary to note the parameters for identifying objects in LDAP and the list of groups that will be used for authorization. Just like in the Authentication Profile, here you need to set the User Domain parameter.

image
Figure 13 - User Mapping parameters

image
Figure 14 - Group Mapping parameters

The last step in this step is to create a VPN zone and interface for this zone. On the interface, enable the Enable User Identification parameter (Fig. 15).

image
Figure 15 - Configuring a VPN Zone

5. Configure SSL VPN


Before connecting SSL VPN, the remote user must go to the web portal, authenticate and download the Global Protect client. Next, this client will request credentials and connect to the corporate network. The web portal operates in https mode and, accordingly, you need to install a certificate for it. Use a public certificate if possible. Then the user will not be given a warning about the certificate being invalid on the site. If it is not possible to use a public certificate, then you need to issue your own, which will be used on the web page for https. It can be self-signed or issued through a local certification authority. The remote computer must have a root or self-signed certificate in the list of trusted root centers, so that the user does not get an error when connecting to the web portal. In this example, a certificate issued through the Active Directory Certificate Services certification authority will be used.

To issue a certificate, you need to create a certificate request in the section Device -> Certificate Management -> Certificates -> Generate . In the request, specify the name of the certificate and the IP address or FQDN of the web portal (Fig. 16). After generating the request, download the .csr file and copy its contents into the certificate request field in the AD CS Web Enrollment web form. Depending on the settings of the certification authority, the certificate request must be approved and the issued certificate issued in Base64 Encoded Certificate format. Additionally, you need to download the root certificate of the certification authority. Then you need to import both certificates into the firewall. When importing a certificate for a web portal, select the request in the pending status and click import. The certificate name must match the name specified earlier in the request. The name of the root certificate can be specified arbitrarily. After importing the certificate, you need to create an SSL / TLS Service Profile in the Device -> Certificate Management section . In the profile, specify the previously imported certificate.

image
Figure 16 - Certificate request

The next step is to configure the Global Protect Gateway and Global Protect Portal objects in the Network -> Global Protect section. In the Global Protect Gateway settings, we specify the external IP address of the firewall, as well as the previously created SSL Profile , Authentication Profile , tunnel interface and client IP settings. You need to specify a pool of IP addresses from which the client will be assigned an address, and Access Route is the subnet to which the client will have a route. If the task is to wrap all user traffic through the firewall, then you need to specify the subnet 0.0.0.0/0 (Fig. 17).

image
Figure 17 - Configuring the pool of IP addresses and routes

Then you need to configure the Global Protect Portal . Specify the IP address of the firewall, SSL Profile and Authentication Profileand a list of the external IP addresses of the firewalls to which the client will connect. If there are several firewalls, you can set a priority for each, according to which users will choose a firewall to connect.

In the Device -> GlobalProtect Client section, you need to download the VPN client distribution package from Palo Alto Networks servers and activate it. To connect, the user must go to the portal’s web page where he will be asked to download the GlobalProtect Client . After downloading and installing, you can enter your credentials and connect to the corporate network via SSL VPN.

Conclusion


This part of the setup of Palo Alto Networks is finished. We hope the information was useful, and the reader got an idea of ​​the technologies used in the Palo Alto Networks. If you have questions about customization and suggestions on the topics of future articles - write them in the comments, we will be happy to answer.

Also popular now: