diff --git a/5 Firewall/Palo Alto/PA_Notes.txt b/5 Firewall/Palo Alto/PA_Notes.txt new file mode 100644 index 0000000..d8eccb2 --- /dev/null +++ b/5 Firewall/Palo Alto/PA_Notes.txt @@ -0,0 +1,301 @@ +# Shortcuts +# q - Quit +# ctl + c = run job in background +# z = clear screen + + +Reboot from Factory Reset +# Connect the PA via the console cable +# Power on +# When asked to exit the ZTP mode and configur eyour firewall in standard mode, type YES + +# System Will Reboot, wait 5min + +# Default Creds: admin:admin + +console@PaloAlto> configure + +console@PaloAlto# set deviceconfig system hostname FW-19 +console@PaloAlto# set deviceconfig system ip-address 192.168.1.19 netmask 255.255.255.0 +console@PaloAlto# set deviceconfig system default-gateway 192.168.1.1 +console@PaloAlto# set deviceconfig system dns-setting servers primary 8.8.8.8 +console@PaloAlto# set deviceconfig system dns-setting servers secondary 1.1.1.1 +console@PaloAlto# set deviceconfig system primary-ntp-server ntp-server-address 1.2.3.4 + +console@PaloAlto# commit + +# Connect the MGT Cable to the PC +# SSH AND HTTPS now should be open + +ssh@PaloAlto> show system info + +# HTTPS +# Configure Widgets in Dashboard +# Device tab > Setup + # Configure this as needed + # Enable SSH and HTTPS and PING + +# Device tab > Licences + # apply the licenses + +# Device tab > Dynamic Updates + # Check Now + # Download and Install Applications and Threats update + # Download and Install other updates needed + # After the updates install, the "Antivirus Tab" will reveal after a "Check Now" refresh + + +ZONES AND L3 INTERFACES +Zones +# Network tab > Zones + # Add + # Name: Inside + # Type: Layer3 + # OK + + # Add + # Name: Outside + # Type: Layer3 + # OK + +Interfaces +# Network tab > Interfaces + # ethernet1/1 + # Interface Type: Layer3 + # Config + # Virtual Router: default + # Security Zone: Inside + # IPv4 + # Add + # 10.10.0.19/24 + # OK + + # ethernet1/4 + # Interface Type: Layer3 + # Config + # Virtual Router: default + # Security Zone: Outside + # IPv4 + # Add + # 23.1.2.19/24 + # OK + + # ethernet1/1 + # Interface Type: Layer3 + # Config + # Virtual Router: default + # Security Zone: Outside + # IPv4 + # Add + # 24.1.2.19/24 + # OK + + +# CLICK COMMIT + +# Plug in the appropriate cables to the appropriate ports +# Test the connectivity with a ping (make sure the source is defined because default is the MGT port) + +ssh@PaloALto> ping source 24.1.2.19 host 24.1.2.1 +PASSED + +ssh@PaloAlto> ping host 24.1.2.1 +FAILED + + + +DEFAULT IP ROUTES + +# Display current IP Routes +ssh@PaloAlto> show routing route + +# HTTPS +# Network tab > Virtual Routers +# Click on default + # Router Settings + # Name: Virtual_Router + # Static Routes + # Add + # Name: Default Route A + # Destination: 0.0.0.0/0 + # Interface: ethernet1/4 + # Next Hop: IP ADDRESS : 23.1.2.1 + # Admin Distance: 10 + # Metric: 10 + # OK + + # Add + # Name: Default Route B + # Destination: 0.0.0.0/0 + # Interface: ethernet1/5 + # Next Hop: IP ADDRESS : 24.1.2.1 + # Admin Distance: 20 + # Metric: 20 + # OK + +# CLICK COMMIT + +# Verify the Route was added + +ssh@PaloAlto> show routing route +ssh@PaloAlto> ping source 23.1.2.19 host 8.8.8.8 + +# HTTP +# Device tab > Troubleshooting +# Test Configuration + # Select Test: Ping + # Source: 23.1.2.19 + # Host: 8.8.8.8 + # EXECUTE + + + +8 +DHCP Services + +# HTTPS +# Network Tab > DHCP + # Interface: ethernet1/1 + # Mode: Auto + # Lease + # 🗹 Ping IP when... + # IP Pools + # Add + # 10.10.0.51-10.10.0.99 + # Options + # Gateway: 10.10.0.19 + # Subnet Mask: 255.255.255.0 + # Primary DNS: 10.10.0.100 + # OK + +# CLICK COMMIT + + + +SOURCE NAT CONFIGURATION +# HTTPS +# Policies tab > NAT +# Add + # General + # Name: SNAT_in_to_out + # Original Packet + # Source Zone: inside + # Destination Zone: Outside + # Destination Interface: ethernet1/4 + # Source Address: + # Name: Subnet 10.10 + # Type: IP Netmask : 10.10.0.0/24 + # Translated Packet + # Translation Type: Dynamic IP and Port + # Address Type: Interface Address + # Interface: ethernet1/4 + # IP Address: 23.1.2.19/24 + # OK + +# Test the rule +ssh@PaloAlto> test nat-policy-match from inside to outside source 10.10.0.51 destination 8.8.8.8 protocol 1 + +# HTTP +# Policies tab > Test Policy Match + # From: Inside + # To: Outside + # Source: 10.10.0.51 + # Destination: 8.8.8.8 + # EXECUTE + + + + +INITIAL SECURITY POLICY +# HTTPS +# Policies tab > Security +# Add + # General + # Name: Inside to Outside + # Source + # Source Zone: inside + # Source Address: Subnet 10.10 + # Destination + # Destination Zone: outside + # Destination Address: 🗹 ANY + # Application + # 🗹 ANY + # Service/URL Category + # 🗹 ANY + # Actions + # Action Setting: Action : Allow + # Log Setting: 🗹 Log at Session End + # OK + +# CLICK COMMIT + +# TEST IT on the host machine by connecting to the internet +# HTTPS +# Monitor tab > Traffic +# Monitor tab > Session Browser + + + + +DECRYPTION (SSL Forward Proxy) +# HTTPS +# Device tab > Certificate Management > Certificates > Device Certificates +# Export your .cer file from your Certificate Authority Server +# Import the file (bottom of screen) +# name the Certificate ( Enterprise_CA ) +# File Format: Base64 (or whatever it is encoded in) +# Click on the cert + # 🗹 Trusted Root CA +# Generate + # Name: Cert_Fwd_Proxy + # Common Name: Cert_For_Forward_Proxy + # Signed by: External Authority + # 🗹 Certificate Authority + # GENERATE +# Click on the generated cert +# Export Certificate (Bottom) +# Upload it to the CA Server +# Generate the Certificate on the CA server +# Download cert from CA server +# Copy the name from the request on the PA HTTPS client +# IMPORT +# Upload the new .cer file +# Name: Same name as above +# Click on the name + # 🗹 Forward Trust Certificate + +# Redo above steps to regenerate an "Untrust" Cert + +# Objects tab > Decryption > Decription Profile +# Add + # Name: Decryption_Profile1 + # SSL Decryption + # 🗹 Block sessions with expired certificates + # 🗹 Block sessions with untristed issuers + # 🗹 Block sessions with unspported versions + # 🗹 Block sessions with unsupported cipher suites + # 🗹 Block sessions with client authentication + # SSL Protocol Settings + # Configure this as needed + +# Policies Tab > Decryption +# Add + # General + # Name: Decrypt + # Source + # Source Zone: inside + # Source Address: Subnet 10.10 + # Destination + # Destination Zone: outside + # Destination Address: 🗹 Any + # Service/URL Category + # Service: service-https + # Options + # Action: Decrypt + # Type : SSL Forward Proxy + # Decryption Profile: Dcryption_Profile1 + # 🗹 Log Successful SSL Handshake (may slow down system) + # 🗹 Log Unsuccessful SSL Handshake + # OK + +# CLICK COMMIT \ No newline at end of file diff --git a/5 Firewall/Palo Alto/Palo alto install and Setup SOP.pdf b/5 Firewall/Palo Alto/Palo alto install and Setup SOP.pdf new file mode 100644 index 0000000..8678181 Binary files /dev/null and b/5 Firewall/Palo Alto/Palo alto install and Setup SOP.pdf differ