Customers using PAN-DB Private Cloud or a WildFire Private Cloud Appliance (WF-500) should read the official post for additional information.
On January 8th, 2024, Palo Alto Networks announced that five additional certificates that secure core services will soon expire. When these certificates expire, their respective services will be affected unless customers take action. Here is a summary of the certificates that will expire and the services that will be affected:
Expiration Date | Certificate | Affected Services |
---|---|---|
2024-04-07 | Panorama Management | Connections from devices to Panoramas |
2024-09-02 | URL PAN-DB Private Cloud | Connections to M-Series running PAN-DB Private Cloud |
2024-11-18 | Device Certificate for Cloud Delivered Security Services | All content updates except Threat Prevention / Adv. Threat Protection |
2024-11-18 | User-ID Agent and Terminal Server Default Certificate | Connections from devices to User-ID Agents and Terminal Servers |
2026-01-01 | WildFire Appliance CA Certificate | Connections to WF-500 devices |
Since multiple certificates are expiring, customers will need to take multiple actions to remediate. We recommend that all customers do ALL of the following:
Additionally, PAN has provided a fix for the Panorama management certificate expiration in content update versions 8795-8489 and higher. This resolves the April 7th, 2024 Panorama certificate expiration, but customers will still need to take the above actions to remediate the other certificate expirations. Note that after this content update is installed you must reboot the device for the Panorama certificate fix to take effect. Since a reboot is required either way, we recommend that customers instead upgrade to a hotfixed PAN-OS version, as it takes care of all the certificate expirations in the same amount of downtime.
Here is a simplified flow chart that applies to most customers:
Release Train | Fixed Versions |
---|---|
8.1 | 8.1.21-h3, 8.1.25-h3, 8.1.26 (including future releases) |
9.0 | 9.0.16-h7, 9.0.17-h5 |
9.1 | 9.1.11-h5, 9.1.12-h7, 9.1.13-h5, 9.1.14-h8, 9.1.16-h5, 9.1.17 (including future releases) |
10.0 | 10.0.8-h11, 10.0.11-h4, 10.0.12-h5 |
10.1 | 10.1.3-h3, 10.1.4-h6, 10.1.5-h4, 10.1.6-h8, 10.1.7-h1, 10.1.8-h7, 10.1.9-h8, 10.1.10-h5, 10.1.11-h4, 10.1.12 (including future releases) |
10.2 | 10.2.0-h2, 10.2.1-h1, 10.2.2-h4, 10.2.3-h11, 10.2.4-h10, 10.2.6-h1, 10.2.7-h3, 10.2.8 (including future releases) |
11.0 | 11.0.0-h2, 11.0.1-h3, 11.0.2-h3, 11.0.3-h3, 11.0.4* (including future releases) |
11.1 | 11.1.0-h2, 11.1.1 (including future releases) |
The upgrade to the fixed versions of PAN-OS is no different than any regular PAN-OS update. Consult PAN’s official forum post for the fixed version in your release train.
Before upgrading, we always recommend taking a configuration backup from the device from Device > Setup > Operations > Configuration Management > Export Named Configuration Snapshot and exporting the running-config.xml file. This will allow you to restore the device configuration if there is an issue with the new version.
As always, we recommend failing over an HA pair before performing an upgrade. This ensures that there are no latent issues with the secondary device that could cause an extended outage after the primary device reboots to perform the upgrade.
NOTE: This may not apply to you as newer devices ship with a Device Certificate pre-installed. We still recommend reviewing all your devices to ensure that they have device certificates present.
We have observed newer generation firewalls (PA-4XX) that do not have Device Certificates pre-installed from the factory.
See PAN’s documentation:
Installing Device Certificates on Standalone Firewalls (10.2)
Installing Device Certificates on Panorama (10.2)
Installing Device Certificates on Log Collectors (10.2)
Release Train | Fixed Versions |
---|---|
9.0 | 9.0.6 |
9.1 | 9.1.5 |
10.0 | 10.0.7 |
10.1 | 10.1.2 |
10.2 | 10.2.2 |
11.0 | 11.0.1 |
Consult PAN’s official forum post for the fixed version of the User-ID Agent and/or Terminal Server. Download the appropriate version from the PAN Support Portal and install it on the User-ID Agent and/or Terminal Server.
After installation, make sure that the User-ID Agent and/or Terminal Server is running and firewalls/Panorama show it as connected.
On November 7th, 2023, Palo Alto Networks announced two upcoming certificate expirations that may cause disruptions for customers. Although both issues involve certificates, they are unrelated and require different actions to resolve.
The first issue affects nearly all devices and is easy to remediate. The second affects only customers with Data Redistribution configured and involves a more complicated remediation process. This post describes both issues and how to resolve them.
Internally, PAN devices verify the authenticity of content updates by checking the signature of the update against a certificate. This certificate is set to expire on December 31st, 2023. If the certificate expires, content updates will fail to install. This will cause the device to stop receiving new signatures for threats, applications, and other content. This will not affect the ability of the device to pass traffic, but it will leave the device unable to detect new threats and applications.
Any devices that retrieve content updates from Palo Alto Networks, including Panoramas.
There are three remediation paths for this issue:
We recommend that customers choose option #1 and install content update 8776-8390 as this is the easiest and most straightforward option. This content update is available now and can be installed on any PAN-OS version. For customers with many firewalls we recommend using Panorama to push the content update to all devices if they are not already configured to automatically install the latest content updates.
To verify that you have the correct content update installed, you can check the Application Version on Dashboard > General Information.
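To make the failure mode concrete, here is an added example (our illustration, not Palo Alto Networks' code and not the real content update format). It signs a constructed "update" file with a throwaway self-signed certificate using openssl cms, then verifies the signature twice: once as of today, and once as of a date after the certificate's NotAfter, using the verifier's -attime option. The signature bytes never change; only the verification clock does, and the second check fails. That is exactly why installs stop once the signing certificate has expired. The certificate name, validity period and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrate that a signature made
# with a certificate stays cryptographically valid but is rejected by the verifier
# once verification time passes the certificate's NotAfter.
# Everything here (names, validity, the "update" file) is constructed for the demo.

# Create a self-signed signing certificate valid for DAYS days in DIR.
make_signing_cert() {
  dir="$1"; days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=content-signer" \
    -keyout "$dir/signer.key" -out "$dir/signer.crt" >/dev/null 2>&1
}

# Produce a detached CMS signature (update.p7s, DER) over the update file.
sign_update() {
  dir="$1"; update="$2"
  openssl cms -sign -binary -in "$update" \
    -signer "$dir/signer.crt" -inkey "$dir/signer.key" \
    -outform DER -out "$dir/update.p7s"
}

# Verify the detached signature as of epoch time WHEN, trusting only signer.crt.
# Returns 0 if the update verifies, 1 otherwise (bad signature OR expired signer).
verify_update_at() {
  dir="$1"; update="$2"; when="$3"
  openssl cms -verify -binary -inform DER -in "$dir/update.p7s" \
    -content "$update" -CAfile "$dir/signer.crt" \
    -attime "$when" -out /dev/null >/dev/null 2>&1
}

# Return 0 if the signature verifies with today's clock, 1 if not.
verifies_now() { verify_update_at "$1" "$2" "$(date +%s)"; }

# Return 0 if the signature still verifies DAYS days from now, 1 if not.
verifies_in_days() { verify_update_at "$1" "$2" "$(( $(date +%s) + $3 * 86400 ))"; }

# Usage:
#   d=$(mktemp -d); printf 'constructed content update\n' > "$d/update.bin"
#   make_signing_cert "$d" 30 && sign_update "$d" "$d/update.bin"
#   verifies_now "$d" "$d/update.bin" && echo "verifies today"
#   verifies_in_days "$d" "$d/update.bin" 60 || echo "rejected: signer expired"
```

The same mechanism cuts the other way for remediation: a newer content update carries a signature chained to a certificate with a later NotAfter, which is why installing the fixed content version (rather than changing anything on the device clock) is the right fix.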
Data Redistribution is the umbrella term for the mechanism by which PAN devices share user information with each other. Data Redistribution includes User-ID, IP-tags, User-tags, GlobalProtect HIP results and quarantine list entries. By default, the device-to-device communication uses a predefined certificate to secure these connections. This certificate is set to expire on December 31st, 2023. If the certificate expires, devices will be unable to share user information with each other, which could lead to an outage if that information is required for security policy enforcement.
Any device that acts as a client or server for Data Redistribution, including Panoramas.
There are two remediation paths for this issue:
We strongly recommend that customers upgrade rather than attempt to configure custom certificates, especially for customers using Panorama. The custom certificate configuration is complex and does not scale well (see the For Panorama Customers section below for more details), in addition to making firewall onboarding more difficult. Additionally, the custom certificate configuration appears to apply to the User-ID agents as well, which means that you would need to install the same custom certificates on all your User-ID agents as well. This is not documented anywhere, but was confirmed experimentally in our lab environment.
With that caveat, below are the steps to configure custom certificates for Data Redistribution. PAN also publishes a guide to configuring custom certificates, though it is geared towards securing device to Panorama communication.
Note: This guide shows the steps for both the client and server side of the communication as devices are typically both at once. If you know a device will only be a client or server you can skip the steps for the other role. Each section is labeled with the role it applies to.
We don’t recommend that customers use custom certificates to secure Data Redistribution if they are using Panorama. This is because if you enable custom certificates on Panorama there is no option to enable it only for data redistribution. This means that you’ll have to use the custom certs for communication with Panorama, which could cause an outage if you have not installed the new certificates on all your devices. If you are using Panorama we recommend that you upgrade all your devices to a patched version of PAN-OS instead.
Additionally, you cannot push the configuration option that enables custom certificates for the Panorama connection from a Panorama template. This means you would have to create a local override on each Panorama-managed firewall to deal with the fact that enabling custom certificates on Panorama for Data Redistribution also forces custom certificates for the Panorama management connection. Since this solution does not scale well we recommend that you upgrade all your devices to a patched version of PAN-OS instead.
Note: On a Panorama everything that would be on the Device tab is on the Panorama tab instead.
We recommend that customers use their existing PKI (typically Active Directory Certificate Services) to manage all their internal certificates, however you could generate both of these certificates on a PAN device if you do not have a PKI in place already.
On Device > Certificate Management > Certificates click Import and import the CA certificate. If you do not have an existing CA certificate you can generate one on the device here. Make sure to export this CA certificate and install it on all your devices so they can validate each other’s certificates.
On Device > Certificate Management > Certificates click Import and import the certificate with the private key. If you are using a PEM-formatted certificate, be sure to check Import Private Key. If the private key is password protected you will need to enter the password here.
Note: if the key is not password protected you will still need to provide a password here, but it will not be used.
If you do not have an existing certificate you can generate one signed by the CA you created earlier on the device here. Make sure to export this certificate and install it on all your devices so they can encrypt communications with each other.
On Device > Certificate Management > Certificate Profile click Add and create a new profile. Give it a name and select the CA certificate you imported earlier.
Enable Block sessions with expired certificates, then click OK to save the profile.
On Device > Certificate Management > SSL/TLS Service Profile click Add and create a new profile. Give it a name and select the certificate with the private key you imported earlier.
Set the Min Version to TLSv1.2 and leave the Max Version set to Max. Click OK to save the profile.
On Device > Setup > Management click the gear icon at the top right of the Secure Communication Settings section. Under Secure Client Communications > Custom Certificate Settings > Certificate Type select Local from the dropdown.
Then select the certificate with the private key you imported earlier from the Certificate dropdown. Select the certificate profile you created earlier from the Certificate Profile dropdown. Check the box for Data Redistribution and click OK to save the settings.
On Device > Setup > Management click the gear icon at the top right of the Secure Communication Settings section. Under Customize Secure Server Communication select the SSL/TLS service profile you created earlier from the SSL/TLS Service Profile dropdown.
Then select the appropriate Certificate Profile that you created earlier. Check the box for Data Redistribution and click OK to save the settings.
Warning: once you commit these changes the devices will begin to use the new certificates. If you have not installed the new certificates on all your devices you may cause an outage. Redistributed User-ID entries should be cached, so committing quickly on both the client and the server should cause only brief User-ID latency, not an outage.
Commit the configuration changes to the device. If you are using Panorama you will need to push the changes to the devices.
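If you do not have a PKI and do not want to generate the certificates on the firewall itself, the following added example (ours, not from the original post or from PAN) builds the two artifacts the steps above import using openssl: a self-signed CA certificate, and a device certificate signed by that CA bundled with its private key into a password-protected PKCS#12 file. The CA name, hostname, validity periods and password are placeholders; the keyUsage and serverAuth/clientAuth EKU are our choice for a certificate that has to serve both the client and server role. Run make_device_cert and bundle_pkcs12 once per device, import ca.crt in the CA step, and import the .p12 in the certificate-with-private-key step.

```shell
#!/bin/sh
# Added example (not from the original post): generate a CA and a CA-signed device
# certificate + key for the custom certificate Data Redistribution configuration.
# Names, validity periods and the password below are placeholders.

# Create a CA key and self-signed CA certificate in DIR (ca.key / ca.crt).
make_ca() {
  dir="$1"
  openssl req -x509 -newkey rsa:3072 -nodes -days 3650 \
    -subj "/CN=Data Redistribution CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Create a device key and a CA-signed certificate for hostname NAME in DIR.
# The SAN matches the hostname; KU/EKU allow the cert to act as server and client.
make_device_cert() {
  dir="$1"; name="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$name" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 730 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" >/dev/null 2>&1
}

# Bundle key + certificate + CA into a password-protected PKCS#12 file for import.
bundle_pkcs12() {
  dir="$1"; name="$2"; password="$3"
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
    -certfile "$dir/ca.crt" -name "$name" \
    -passout "pass:$password" -out "$dir/$name.p12"
}

# Return 0 if the device certificate chains to the CA, 1 otherwise.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Return 0 if the PKCS#12 bundle opens with PASSWORD, 1 otherwise.
pkcs12_opens() {
  openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -nokeys -info >/dev/null 2>&1
}

# Usage (hostname and password are placeholders):
#   d=$(mktemp -d); make_ca "$d"
#   make_device_cert "$d" fw01.example.com
#   verify_chain "$d" fw01.example.com && bundle_pkcs12 "$d" fw01.example.com 'import-password'
```

Keep ca.key offline after issuing the device certificates; only ca.crt needs to be on the devices, and the certificate profile's expiry check means you will want a reminder set well ahead of the 730-day device certificate lifetime chosen here.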
If you have openssl installed (it is present by default on most Linux distributions and macOS) you can check the expiration date of the Data Redistribution server certificate with the following command:
openssl s_client -showcerts -connect firewall.example.com:5007 </dev/null 2>&1 | grep NotAfter
Note that we have redirected STDERR to STDOUT with 2>&1 so that grep sees the whole output, and closed STDIN with </dev/null so s_client exits after the handshake instead of waiting for input. Replace firewall.example.com with the hostname or IP address of your firewall.
This should produce output similar to the following:
v:NotBefore: Feb 1 07:30:33 2023 GMT; NotAfter: Jan 1 07:30:33 2032 GMT
The v: line is printed by OpenSSL 3.x; on older releases pipe the s_client output into openssl x509 -noout -enddate instead. Here we can see that the certificate in use on this Data Redistribution server does not expire until 2032, so it is not affected by issue #2.
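The one-liner above checks a single port by eye. The following added script (ours, not from the original post) wraps the same openssl s_client check in functions so you can feed it a list of devices and get a pass/fail per endpoint, using openssl x509 -checkend to decide whether a certificate expires within a chosen window. Hostnames are placeholders; 5007 is the Data Redistribution and User-ID agent port from the post, and 3978 for the firewall-to-Panorama management connection is our assumption.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the TLS certificate a PAN-OS
# service presents on host:port and report whether it expires within N days.
# Hostnames are placeholders. Ports assumed: 5007 (Data Redistribution / User-ID
# agent), 3978 (Panorama management).

# Fetch the leaf certificate presented on host:port and print it as PEM.
# </dev/null closes stdin so s_client exits after the handshake; 2>/dev/null drops
# the verify errors that PAN's predefined (self-signed) certificates always produce.
fetch_cert() {
  host="$1"; port="$2"
  openssl s_client -connect "${host}:${port}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Print the NotAfter date of a PEM certificate file.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate in FILE expires within DAYS days, 1 otherwise.
cert_expires_within_days() {
  secs=$(( $2 * 86400 ))
  # -checkend exits 0 when the cert is still valid at now+secs, 1 when it is not.
  if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then
    return 1
  else
    return 0
  fi
}

# Read "host port" pairs from stdin and flag any cert expiring within DAYS days.
check_endpoints() {
  days="$1"
  while read -r host port; do
    tmp=$(mktemp)
    if fetch_cert "$host" "$port" > "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
      if cert_expires_within_days "$tmp" "$days"; then
        printf 'EXPIRING  %s:%s  %s\n' "$host" "$port" "$(cert_not_after "$tmp")"
      else
        printf 'ok        %s:%s  %s\n' "$host" "$port" "$(cert_not_after "$tmp")"
      fi
    else
      printf 'ERROR     %s:%s  no certificate retrieved\n' "$host" "$port"
    fi
    rm -f "$tmp"
  done
}

# Usage (hostnames are placeholders):
#   printf 'panorama.example.com 3978\nfirewall.example.com 5007\n' | check_endpoints 90
```

An ERROR line for a device means no TLS handshake completed, which is worth a look on its own: either the service is not listening on that port, a firewall policy is blocking the check, or the device is already rejecting connections.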
Location:
Sacramento County Office of Education
10474 Mather Blvd.
Mather CA 95655
Date:
Wednesday April 17th, 2024
Time:
9:00am - 1:00pm PDT
Join Digital Scepter for a deep-dive into the latest features of Palo Alto Networks NGFW. We’ll demonstrate best practices that you can use to immediately improve your security posture and get more from your firewalls.
Agenda:
Lunch will be served.
Location:
Tahoe Truckee Unified School District
11603 Donner Pass Rd
Truckee, CA 96161, USA
Date:
Wednesday May 1st, 2024
Time:
10:00am - 2:00pm PDT
Join Digital Scepter for a deep-dive into the latest features of Palo Alto Networks NGFW. We’ll demonstrate best practices that you can use to immediately improve your security posture and get more from your firewalls.
Agenda:
Lunch will be served.
Location:
San Bernardino County Superintendent of Schools
West End Educational Service Center
8265 Aspen Avenue
Rancho Cucamonga, CA 91730
Date:
Wednesday February 14th, 2024
Time:
10:00am - 2:00pm PDT
Join Digital Scepter for a deep-dive into the latest features of Palo Alto Networks NGFW. We’ll demonstrate best practices that you can use to immediately improve your security posture and get more from your firewalls.
Agenda:
Lunch will be served.
If you can pony up and get the second device for HA, you can greatly minimize downtime. There is no additional discount for the second device in an HA pair, and you will also need to purchase support (see below) for both devices in the HA pair. There are HA SKUs for subscriptions that do provide a discount compared to buying two separate subscriptions.
Approximate Down Time: None (with a single failure)
The next best alternative is a cold spare. They are typically discounted 50-60% from list price. You do not need to buy support. In the event of a primary device failure, you open a ticket and transfer your licenses, then upgrade the software and import your config (you had a backup, right?). Another option is to use your legacy device as a cold or warm backup.
Approximate Down Time: Two hours
This option is offered in most areas, but not all, so check with your rep. If your primary device fails, a replacement will be delivered within four hours. You have to add time to open the ticket, process the RMA, and update and configure the replacement.
Approximate Down Time: Seven hours
This is 24x7 phone support like the option above, but after processing an RMA, you get your replacement the next day.
Approximate Down Time: 30 hours
This is 8x5 phone support and you have to return your device to the factory before they ship you a replacement. Not recommended.
Approximate Down Time: 72 hours
Commands shown with a `>` prompt are entered in operational mode; commands shown with a `#` prompt indicate that they must be entered while in configure mode.
Description | Command(s) |
---|---|
Enter configuration mode | `> configure` |
Restart the device | `> request restart system` |
Ping a destination | `> ping host <destination>` |
Ping a destination from a particular interface IP | `> ping host <destination> source <interface ip>` |
Find command by keyword | `> find command keyword <keyword>` |
Show device information | `> show system info` |
Show all jobs | `> show jobs all` |
Show a particular job | `> show jobs id <id>` |
Set the management interface to use a static IP | `# set deviceconfig system type static` followed by `# set deviceconfig system ip-address <ip-address> netmask <netmask> default-gateway <default-gateway>` |
Commit changes | `# commit` |
Fetch licenses from the support portal | `> request license fetch` |
Show all licenses | `> request license info` |
Delete all licenses | `> delete license key *.key` |
Show the running route table | `> show routing route` |
Show the forwarding table | `> show routing fib` |
Test routing for a destination | `> test routing fib-lookup ip <destination> virtual-router <virtual router>` |
Show all interfaces | `> show interface all` |
Show interface details and counters | `> show interface <name>` |
Show all ARP entries | `> show arp all` |
Show ARP entries for a particular interface | `> show arp <interface>` |
Display configuration in set command format when running show | `> set cli config-output-format set` |
Show global system counters | `> show counter global` |
Show global counters that have changed since the last run | `> show counter global filter delta yes` |
Show global counters that match the current packet capture filters | `> show counter global filter packet-filter yes` |
Test an IKE gateway (phase 1) | `> test vpn ike-sa gateway <name>` |
Test an IPSec tunnel (phase 1 & 2) | `> test vpn ipsec-sa tunnel <name>` |
Show installed transceiver details for an interface (>= 10.0.0 only) | `> show transceiver-detail <interface>` |
Show installed transceiver details for slot X and port Y | `> show system state filter sys.sX.pY.phy` |
Disable ZTP mode | `> request disable-ztp` |
Show active session information | `> show system statistics session` |
Show per-application session stats | `> show system statistics application` |
Test a URL's categorization | `> test url <URL>` |
Show all attributes for users with group mapping | `> show user user-attributes user all` |
How do you choose the right kind of perimeter protection solution for your unique business needs? Where should you focus your budget and attention to improve security dramatically, at a cost that makes sense for you? Learning which technology and policies you need to implement on your network is a process that begins with accurately assessing your existing network infrastructure.
At Digital Scepter, we encourage every organization to have a detailed breakdown of their network. Across hardware and software, creating an asset list is the first step in better understanding the security needs of your network, what you are doing to meet these demands, and how you can improve your network to keep your mission-critical or confidential data safe.
Ask any network administrator, and they will readily admit that modern corporate networks can be incredibly difficult to monitor. More and more hardware devices are being added to networks, and these devices are performing a number of different network functions, sometimes across wide and diverse geographical areas.
In the case of devices operated by your end-users, such as employees, software technology advances are growing rapidly, which can make the devices hard to monitor accurately. In addition, with the advent of cutting-edge technologies such as effective cloud storage, the location of your most important data is becoming increasingly distributed over multiple locations.
Creating an asset list is a task that essentially can be divided into three parts – hardware, software, and data.
Look at your network topology and list every single hardware device you can find. This should include infrastructure devices such as routers, switches, and bridges, as well as every node, including mobile devices that connect to your network externally. Also, be sure to include your existing security devices, such as network firewalls or other perimeter protection devices.
Ultimately, if the hardware device is connecting directly to your network by any means, you should list it as part of your asset list.
Examine the software that runs on your network. Some of the most commonly used applications will be ones that you have deployed on end-user machines, and listing each of these regularly used tools is relatively simple. You should take the time to understand which applications are being used, and also how they are being used. What do your users actually do with their web browsers? How are they sharing files via email?
Finally, every asset list should cover the most important asset of every network: your data. Modern organizations thrive on their data and it is important to make a list detailing where your data is stored, the type of databases that this information is contained in, and whether the given data is highly confidential, of a personal nature, or contains payment and credit card information.
Determining the nature of the data is essential to determine if compliance and regulatory requirements need to be followed (e.g. HIPAA, PCI, Sarbanes-Oxley, Gramm-Leach-Bliley, etc.) Start now by taking the opportunity to create an asset list for your network. Consolidate your information on hardware, software, and data to fully understand your current security position.
Equipped with your asset list, it should be clearer than ever how crucial it is to implement robust and dependable network security solutions in order to keep your assets safe. The threats to your network are growing increasingly sophisticated – from complex network attacks to new methods for employees to circumvent your acceptable use policies. Does your asset list assure you that your network security can meet the very latest standards?
Fundamentally, URL filtering gives you visibility and control over the web traffic flowing through your network. URL filtering protects you from a full spectrum of legal, regulatory, productivity, and resource utilization risks. Among other benefits, URL filtering allows you to:
URL filtering can be as simple or as complicated as you want it to be. A basic profile like the one below that blocks unwanted categories can be created in under a minute.
When traffic matches a category with a configured action the firewall will:
Note: The default action for all categories is allow which will not generate any logs. We strongly recommend that you never set any category to allow and instead use alert for every category that you intend to allow. This greatly aids in troubleshooting and understanding your traffic flow.
PAN maintains a list of all the URL categories with descriptions here: PAN URL Category List(support login required)
Here is a quick list of all the categories:
You can retrieve a URL or IP address category information using the PAN “Test a Site” tool.
For organizations that need more granular control over URL filtering, it is common practice to create both a custom blacklist category and a custom whitelist category.
To block a specific URL you will need to create a custom blacklist category and add the URL you wish to block to that list. Entries in the block list must be an exact match and are case-insensitive.
For example: if you want to prevent a user from accessing any website within the domain example.com, you would add example.com and also add *.example.com, so that all subdomains of example.com are matched as well.
While each environment will have unique URL filtering requirements, we have found that there are several categories that should almost always be blocked:
You should customize your URL filtering profiles to match the level of internet access you intend to provide to your users.