Upload files to "5 Firewall/Palo Alto"

5 Firewall/Palo Alto/PA_Notes.txt

@@ -0,0 +1,301 @@
+# Shortcuts
+# q - Quit
+# ctl + c = run job in background
+# z = clear screen
+
+
+Reboot from Factory Reset
+# Connect the PA via the console cable
+# Power on
+# When asked to exit the ZTP mode and configur eyour firewall in standard mode, type YES
+
+# System Will Reboot, wait 5min
+
+# Default Creds: admin:admin
+
+console@PaloAlto> configure
+
+console@PaloAlto# set deviceconfig system hostname FW-19
+console@PaloAlto# set deviceconfig system ip-address 192.168.1.19 netmask 255.255.255.0
+console@PaloAlto# set deviceconfig system default-gateway 192.168.1.1
+console@PaloAlto# set deviceconfig system dns-setting servers primary 8.8.8.8
+console@PaloAlto# set deviceconfig system dns-setting servers secondary 1.1.1.1
+console@PaloAlto# set deviceconfig system primary-ntp-server ntp-server-address 1.2.3.4
+
+console@PaloAlto# commit
+
+# Connect the MGT Cable to the PC
+# SSH AND HTTPS now should be open
+
+ssh@PaloAlto> show system info
+
+# HTTPS
+# Configure Widgets in Dashboard
+# Device tab > Setup
+    # Configure this as needed
+    # Enable SSH and HTTPS and PING
+
+# Device tab > Licences
+    # apply the licenses
+
+# Device tab > Dynamic Updates
+    # Check Now
+    # Download and Install Applications and Threats update
+    # Download and Install other updates needed
+    # After the updates install, the "Antivirus Tab" will reveal after a "Check Now" refresh
+
+
+ZONES AND L3 INTERFACES
+Zones
+# Network tab > Zones
+    # Add
+    # Name: Inside
+    # Type: Layer3
+    # OK
+
+    # Add
+    # Name: Outside
+    # Type: Layer3
+    # OK
+
+Interfaces
+# Network tab > Interfaces
+    # ethernet1/1
+        # Interface Type: Layer3
+        # Config
+            # Virtual Router: default
+            # Security Zone: Inside
+        # IPv4
+            # Add
+            # 10.10.0.19/24
+        # OK
+
+    # ethernet1/4
+        # Interface Type: Layer3
+        # Config
+            # Virtual Router: default
+            # Security Zone: Outside
+        # IPv4
+            # Add
+            # 23.1.2.19/24
+        # OK
+
+    # ethernet1/1
+        # Interface Type: Layer3
+        # Config
+            # Virtual Router: default
+            # Security Zone: Outside
+        # IPv4
+            # Add
+            # 24.1.2.19/24
+        # OK
+
+
+# CLICK COMMIT
+
+# Plug in the appropriate cables to the appropriate ports
+# Test the connectivity with a ping (make sure the source is defined because default is the MGT port)
+
+ssh@PaloALto> ping source 24.1.2.19 host 24.1.2.1
+PASSED
+
+ssh@PaloAlto> ping host 24.1.2.1
+FAILED
+
+
+
+DEFAULT IP ROUTES
+
+# Display current IP Routes
+ssh@PaloAlto> show routing route
+
+# HTTPS
+# Network tab > Virtual Routers
+# Click on default
+    # Router Settings
+        # Name: Virtual_Router
+    # Static Routes
+        # Add
+            # Name: Default Route A
+            # Destination: 0.0.0.0/0
+            # Interface: ethernet1/4
+            # Next Hop: IP ADDRESS : 23.1.2.1
+            # Admin Distance: 10
+            # Metric: 10
+        # OK
+
+         # Add
+            # Name: Default Route B
+            # Destination: 0.0.0.0/0
+            # Interface: ethernet1/5
+            # Next Hop: IP ADDRESS : 24.1.2.1
+            # Admin Distance: 20
+            # Metric: 20
+        # OK
+
+# CLICK COMMIT
+
+# Verify the Route was added
+
+ssh@PaloAlto> show routing route
+ssh@PaloAlto> ping source 23.1.2.19 host 8.8.8.8
+
+# HTTP 
+# Device tab > Troubleshooting
+# Test Configuration
+    # Select Test: Ping
+    # Source: 23.1.2.19
+    # Host: 8.8.8.8
+    # EXECUTE
+
+
+
+8
+DHCP Services
+
+# HTTPS
+# Network Tab > DHCP
+    # Interface: ethernet1/1
+    # Mode: Auto
+    # Lease
+        # 🗹 Ping IP when...
+        # IP Pools
+            # Add
+            # 10.10.0.51-10.10.0.99
+    # Options
+        # Gateway: 10.10.0.19
+        # Subnet Mask: 255.255.255.0
+        # Primary DNS: 10.10.0.100
+    # OK
+
+# CLICK COMMIT
+
+
+
+SOURCE NAT CONFIGURATION
+# HTTPS
+# Policies tab > NAT
+# Add
+    # General
+        # Name: SNAT_in_to_out
+    # Original Packet
+        # Source Zone: inside
+        # Destination Zone: Outside
+        # Destination Interface: ethernet1/4
+        # Source Address:
+            # Name: Subnet 10.10
+            # Type: IP Netmask : 10.10.0.0/24
+    # Translated Packet
+        # Translation Type: Dynamic IP and Port
+        # Address Type: Interface Address
+        # Interface: ethernet1/4
+        # IP Address: 23.1.2.19/24
+    # OK
+
+# Test the rule
+ssh@PaloAlto> test nat-policy-match from inside to outside source 10.10.0.51 destination 8.8.8.8 protocol 1
+
+# HTTP
+# Policies tab > Test Policy Match
+    # From: Inside
+    # To: Outside
+    # Source: 10.10.0.51
+    # Destination: 8.8.8.8
+    # EXECUTE
+
+
+
+
+INITIAL SECURITY POLICY
+# HTTPS
+# Policies tab > Security
+# Add
+    # General
+        # Name: Inside to Outside
+    # Source
+        # Source Zone: inside
+        # Source Address: Subnet 10.10
+    # Destination
+        # Destination Zone: outside
+        # Destination Address: 🗹 ANY
+    # Application
+        # 🗹 ANY
+    # Service/URL Category
+        # 🗹 ANY
+    # Actions
+        # Action Setting: Action : Allow
+        # Log Setting: 🗹 Log at Session End
+    # OK
+
+# CLICK COMMIT
+
+# TEST IT on the host machine by connecting to the internet
+# HTTPS
+# Monitor tab > Traffic
+# Monitor tab > Session Browser
+
+
+
+
+DECRYPTION (SSL Forward Proxy)
+# HTTPS
+# Device tab > Certificate Management > Certificates > Device Certificates
+# Export your .cer file from your Certificate Authority Server
+# Import the file (bottom of screen)
+# name the Certificate ( Enterprise_CA )
+# File Format: Base64 (or whatever it is encoded in)
+# Click on the cert
+    # 🗹 Trusted Root CA
+# Generate
+    # Name: Cert_Fwd_Proxy
+    # Common Name: Cert_For_Forward_Proxy
+    # Signed by: External Authority
+    # 🗹 Certificate Authority
+    # GENERATE
+# Click on the generated cert
+# Export Certificate (Bottom)
+# Upload it to the CA Server
+# Generate the Certificate on the CA server
+# Download cert from CA server
+# Copy the name from the request on the PA HTTPS client
+# IMPORT
+# Upload the new .cer file
+# Name: Same name as above
+# Click on the name
+    # 🗹 Forward Trust Certificate
+
+# Redo above steps to regenerate an "Untrust" Cert
+
+# Objects tab > Decryption > Decription Profile
+# Add
+    # Name: Decryption_Profile1
+    # SSL Decryption
+        # 🗹 Block sessions with expired certificates
+        # 🗹 Block sessions with untristed issuers
+        # 🗹 Block sessions with unspported versions
+        # 🗹 Block sessions with unsupported cipher suites
+        # 🗹 Block sessions with client authentication
+    # SSL Protocol Settings
+        # Configure this as needed
+
+# Policies Tab > Decryption
+# Add
+    # General
+        # Name: Decrypt
+    # Source
+        # Source Zone: inside
+        # Source Address: Subnet 10.10
+    # Destination
+        # Destination Zone: outside
+        # Destination Address: 🗹 Any
+    # Service/URL Category
+        # Service: service-https
+    # Options
+        # Action: Decrypt
+        # Type : SSL Forward Proxy
+        # Decryption Profile: Dcryption_Profile1
+        # 🗹 Log Successful SSL Handshake (may slow down system)
+        # 🗹 Log Unsuccessful SSL Handshake 
+    # OK
+
+# CLICK COMMIT