Before configuring GlobalProtect, you need to generate or import an SSL certificate and create an SSL/TLS Service Profile. You also need an Authentication Profile; it can use either a local user database or an external one (examples with OneLogin and AWS SSO are covered separately). Security zone: first of all, you need to create a security zone …
Continue reading "Palo Alto VM-Series Firewall: GlobalProtect"
GlobalProtect supports various authentication methods, including a SAML 2.0 IdP. This example shows how to set up authentication using AWS SSO. AWS: before adding the SAML IdP, you must already have AWS Directory Service configured. To begin with, let's add an application: go to "IAM Identity Center" -> "Application assignments" -> "Application" and click "Add …
Continue reading "Palo Alto VM-Series Firewall: GlobalProtect – AWS SAML"
GlobalProtect supports various authentication methods, including a SAML 2.0 IdP. This example shows how to set up authentication through OneLogin. OneLogin: first, let's add an application. In the OneLogin admin interface, go to "Applications" and click "Add App". In the search bar, enter "globalprotect" and click on it. In the settings, set the name of …
Continue reading "Palo Alto VM-Series Firewall: GlobalProtect – OneLogin SAML"
PAN-OS can only generate self-signed certificates or import existing ones; it cannot act as an ACME client itself. To use a Let's Encrypt certificate, you need to request it on another device, and since that device does not answer HTTP on the firewall's hostname, only DNS validation (the DNS-01 challenge) can be used. AWS Route53 is used as the DNS provider and Certbot is used to obtain the certificate; we also need …
Continue reading "Palo Alto VM-Series Firewall: Let’s Encrypt certificate"
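The issuance step described above, as an added example that is not the post's own script: it runs Certbot with the Route53 DNS-01 plugin on a separate host, checks that the resulting private key really belongs to the certificate (a cheap way to catch a stale or mixed-up file before uploading it to the firewall), and names the two PEM files that PAN-OS needs. The hostname `vpn.example.com`, the contact address and the AWS credentials are placeholders; the plugin itself picks up credentials the way boto3 does (environment variables, `~/.aws/credentials` or an instance role).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): obtain a Let's Encrypt
# certificate via DNS-01 on Route53 and verify it before importing into PAN-OS.
# Hostname, e-mail and AWS credentials are assumptions/placeholders.
set -eu

# Arguments for certbot. The certbot-dns-route53 plugin needs an AWS identity
# with route53:ListHostedZones, route53:GetChange and
# route53:ChangeResourceRecordSets on the zone that holds the hostname.
certbot_args() {
    local domain=$1 email=$2
    echo "certonly --non-interactive --agree-tos -m $email" \
         "--dns-route53 --preferred-challenges dns -d $domain"
}

# Files certbot writes; the lineage name defaults to the first -d value.
# fullchain.pem (leaf + intermediate) and privkey.pem are what PAN-OS imports.
le_cert() { echo "/etc/letsencrypt/live/$1/fullchain.pem"; }
le_key()  { echo "/etc/letsencrypt/live/$1/privkey.pem"; }

# Compare the certificate's public key with the one derived from the private
# key. This works for RSA and ECDSA alike (certbot issues ECDSA keys by
# default in current releases), unlike the older RSA-only "-modulus" check.
key_matches_cert() {
    local cert=$1 key=$2
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ]
}

main() {
    local domain=$1 email=${2:-admin@example.com}
    # shellcheck disable=SC2046 -- the argument string contains no spaces that need quoting
    certbot $(certbot_args "$domain" "$email")
    key_matches_cert "$(le_cert "$domain")" "$(le_key "$domain")" \
        || { echo "private key does not match certificate for $domain" >&2; exit 1; }
    # Next step on the firewall: Device > Certificate Management > Certificates
    # > Import, PEM format, certificate file then private key file, and
    # reference the certificate from the SSL/TLS Service Profile used by the
    # GlobalProtect portal and gateway.
    echo "ready to import: $(le_cert "$domain") and $(le_key "$domain")"
}

# Only issue when a hostname is given, so the helpers can be sourced/tested.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run it as `./le-route53.sh vpn.example.com you@example.com` on the host that holds the AWS credentials. Let's Encrypt certificates expire after 90 days, so the same command belongs in a cron job (or `certbot renew` with a deploy hook) followed by a re-import into the firewall, otherwise GlobalProtect clients will start failing TLS validation.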
VM-Series Firewall SSH: to use the WebUI, we first need to set an administrator password, and for this we need to connect via SSH. After creating the instances, it takes 10-15 minutes before the firewall is initialized and becomes available via SSH. Connect to the first instance (SSH user: "admin") and execute the following commands: Enter the …
Continue reading "Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect – Part 2"
The Palo Alto VM-Series Firewall uses an active/passive configuration for high availability, in which the active firewall continuously synchronizes its configuration and its active-session table with an identically configured passive firewall. There are two options for achieving HA on AWS: "Secondary IP Move" and "Dataplane Interface Move". Secondary IP Move: if the active …
Continue reading "Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect – Part 1"
To exclude a specific range or IP address from the VPN, add a route for it with the gateway "net_gateway", which sends it via the default gateway that existed before the tunnel came up. For example, if the network "10.0.0.0/8" must be routed through the VPN but the network "10.0.1.0/24" must be excluded from it, the entries in the configuration file look like this: …
Continue reading "OpenVPN – Exclude specific IPs or networks from routes"
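To show how the exclusion above works in practice, here is an added example (not the post's own configuration) that generates the "route" lines for an OpenVPN client config from CIDR lists: included prefixes go through the tunnel, excluded prefixes get "net_gateway". OpenVPN's "route" directive takes a dotted netmask rather than a prefix length, so the script converts them; the addresses are the post's own example, and the script names and function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): emit OpenVPN "route" lines that
# send a set of prefixes through the tunnel and pin exceptions to the
# pre-existing default gateway with "net_gateway".
set -eu

# Convert a prefix length (0-32) to a dotted-decimal netmask.
prefix_to_mask() {
    local bits=$1 mask=0
    if [ "$bits" -lt 0 ] || [ "$bits" -gt 32 ]; then
        echo "bad prefix length: $bits" >&2
        return 1
    fi
    if [ "$bits" -gt 0 ]; then
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    printf '%d.%d.%d.%d\n' $(( mask >> 24 )) $(( (mask >> 16) & 255 )) \
                          $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

# Build one "route <network> <netmask> [gateway]" line from CIDR notation.
# Without a gateway OpenVPN routes the prefix into the tunnel; "net_gateway"
# is OpenVPN's keyword for the default gateway in use before the tunnel came
# up, so that prefix bypasses the VPN. A bare address is treated as a /32.
route_line() {
    local cidr=$1 gw=${2:-}
    local net=${cidr%/*} len=${cidr#*/} mask
    if [ "$net" = "$cidr" ]; then
        len=32
    fi
    mask=$(prefix_to_mask "$len") || return 1
    if [ -n "$gw" ]; then
        echo "route $net $mask $gw"
    else
        echo "route $net $mask"
    fi
}

# Emit the full route block: included prefixes, then exclusions. The kernel
# picks the most specific (longest-prefix) route, so a /24 exception inside a
# /8 inclusion wins regardless of the order of the lines.
openvpn_routes() {
    local include=$1 exclude=$2 p
    for p in $include; do
        route_line "$p"
    done
    for p in $exclude; do
        route_line "$p" net_gateway
    done
}

# The post's scenario: 10.0.0.0/8 via the VPN except 10.0.1.0/24.
openvpn_routes "10.0.0.0/8" "10.0.1.0/24"
```

Paste the output into the client config (or push it from the server with `push "route ..."`). On the client, `ip route` should then show the /8 pointing at the tun interface and the /24 pointing at the LAN gateway; if the /24 is missing, the client was probably started with `route-nopull` or the server's pushed routes overrode the local ones.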
Goal: route only the networks that are subject to blocking through the VPN; all other traffic should go directly. Ease of connecting devices, cross-platform support, speed and security are also important. All steps were performed on CentOS 7. Install the EPEL repository if it is not already on the system and install the necessary packages: Create a …
Continue reading "OpenVPN – Selective traffic (mail.ru, yandex.ru, vk.com, ok.ru, kaspersky.ru)"
Goal: allow traffic from any device through the VPN with maximum convenience, i.e. connecting new devices without creating accounts or passwords, over a fast, encrypted connection. All steps were performed on CentOS 7. Install the EPEL repository if it is not already on the system and install the necessary packages: Create a configuration file:
Goal: link two remote nodes so that communication between them is "transparent". Channel stability, speed and, of course, security are also important. Suppose there are two nodes: Server – IP 1.1.1.1; Client – IP 2.2.2.2. Install OpenVPN on both of them. CentOS: Ubuntu: