Palo Alto VM-Series Firewall: GlobalProtect

 

Before you start configuring GlobalProtect, you need to generate or import an SSL certificate and create an SSL/TLS Service Profile. You also need an Authentication Profile, which can use either a local user base or an external one. For examples of an external one, see OneLogin and AWS SSO.

Security zone

First, create a security zone for the VPN interface. To do this, go to the "Network" -> "Zones" tab and click "Add".

Set the name, select "Layer3" as the "Type" and enable the "Enable User Identification" option. Leave everything else at the default.


Palo Alto VM-Series Firewall: GlobalProtect – AWS SAML

 

GlobalProtect supports various authentication methods, including SAML 2.0 IdP. This example shows how to set up authentication using AWS SSO.

AWS

Before adding the SAML IdP, you must already have AWS Directory Service configured.

To begin, add an application: go to "IAM Identity Center" -> "Application assignments" -> "Application"

and click "Add Application".

There is no application for GlobalProtect in the list, so indicate that it will be a custom application and click "Next".

Specify a name and description

Next, in the "Application properties" section, in the "Application start URL" field, specify the following:

https://YOUR_GP_DOMAIN/global-protect/getsoftwarepage.esp

This lets us reach the GlobalProtect client download page from the AWS SSO portal.

In the "Application metadata" section, in the "Application ACS URL" field, specify the following:

https://YOUR_GP_DOMAIN:443/SAML20/SP/ACS

And "Application SAML audience":

https://YOUR_GP_DOMAIN:443/SAML20/SP

Then download the SAML Metadata file, scroll down and click "Submit".

After adding the application, make sure that the correct attribute format is used. To do this, in the "Actions" tab, select "Edit attribute mapping".

Required format:

  • Value: ${user.subject}
  • Format: emailAddress

This completes the configuration from the AWS side.

Firewall

Import the SAML Metadata file: go to the "Device" -> "Server Profiles" -> "SAML Identity Provider" tab and select "Import" in the lower left corner.

The "Validate Identity Provider Certificate" parameter must be disabled.

Create an Authentication Profile: go to the "Device" -> "Authentication Profile" tab and select "Add". Specify a name and, in the "IdP Server Profile" field, select the profile that was imported in the previous step, leaving all other settings at their defaults.

Go to the "Advanced" tab and add "all" to the "Allow List".

Click "OK" and save the changes by clicking "Commit" in the upper right corner. Now we can use this Authentication Profile to authenticate with GlobalProtect.

Palo Alto VM-Series Firewall: GlobalProtect – OneLogin SAML

 

GlobalProtect supports various authentication methods, including SAML 2.0 IdP. This example shows setting up authentication through OneLogin.

OneLogin

First, add an application: in the OneLogin admin interface, go to "Applications" and click "Add App".

In the search bar, enter "globalprotect" and click on the result.

In the settings, set the name of the application and click "Save".

Next, in the application settings, go to the "Configuration" item and, in the "Domain" field, specify the domain name for GlobalProtect.

In the "Login URL" field, enter the following:

https://YOUR_GP_DOMAIN/global-protect/getsoftwarepage.esp

This lets us reach the GlobalProtect client download page from the OneLogin portal.

This completes the configuration on the OneLogin side. Save the changes and download the SAML Metadata file: click "More Actions" in the upper right corner and select "SAML Metadata".

 

Firewall

Import the SAML Metadata file: go to the "Device" -> "Server Profiles" -> "SAML Identity Provider" tab and select "Import" in the lower left corner.

Create an Authentication Profile: go to the "Device" -> "Authentication Profile" tab and select "Add". Specify a name and, in the "IdP Server Profile" field, select the profile that was imported in the previous step, leaving all other settings at their defaults.

Go to the "Advanced" tab and add "all" to the "Allow List".

Click "OK" and save the changes by clicking "Commit" in the upper right corner. Now we can use this Authentication Profile to authenticate with GlobalProtect.

Palo Alto VM-Series Firewall: Let’s Encrypt certificate

PAN-OS only allows you to generate self-signed certificates or import existing ones. To use a Let’s Encrypt certificate, you need to request it on another device, so DNS is the only validation method we can use.

AWS Route53 is used as the DNS provider and Certbot is used to obtain the certificate. An installed and configured awscli is also required.

Certificate request

Install the necessary software (macOS was used in this example):

brew install certbot awscli
pip3 install certbot-dns-route53

Configure awscli:

aws configure

 

Minimum permissions for DNS validation

AWS IAM Policy:

{
  "Version": "2012-10-17",
  "Id": "certbot-dns-route53",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/YOURDOMAINZONEID"
      ]
    }
  ]
}

Where "YOURDOMAINZONEID" is the ID of your hosted zone.

 


Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect – Part 2

 

VM-Series Firewall

SSH

To use the WebUI, we need to set an administrator password, which requires connecting via SSH.

After the instances are created, it takes 10-15 minutes for the firewall to initialize and become available via SSH.

Connect to the first instance. The SSH user is "admin".

And execute the following commands:

configure
set mgt-config users admin password

Enter the password twice and save the changes:

commit

Repeat the same on the second instance.


Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect – Part 1

 

The Palo Alto VM-Series Firewall uses an active/passive configuration for high availability, in which the active firewall constantly synchronizes its configuration and information about active sessions with a similarly configured passive firewall. There are two options for achieving HA on AWS: "Secondary IP Move" and "Dataplane Interface Move".

Secondary IP Move

If the active firewall is unavailable, the passive one becomes active. It also makes API requests to transfer secondary IP addresses from an inaccessible host to itself and updates the routing tables so that traffic is sent to the new active firewall. Switching firewall roles in this method is faster than in "Dataplane Interface Move".

Dataplane Interface Move

As with "Secondary IP Move", if the passive firewall detects that the active one is no longer available, it becomes active, but instead of transferring IP addresses, it transfers the ENI from the inaccessible firewall to itself.


 FIX ERROR — Python2: PIP fails after upgrade

After upgrading PIP on CentOS 6, which still uses Python 2.7, every PIP command crashes with an error.

For example:

pip install --upgrade pip
Collecting pip
  Downloading https://files.pythonhosted.org/packages/88/d9/761f0b1e0551a3559afe4d34bd9bf68fc8de3292363b3775dda39b62ce84/pip-22.0.3.tar.gz (2.1MB)
    100% |████████████████████████████████| 2.1MB 544kB/s
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-snCNSf/pip/setup.py", line 7
        def read(rel_path: str) -> str:
                         ^
    SyntaxError: invalid syntax

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-snCNSf/pip/
You are using pip version 8.1.2, however version 22.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

 

Reason:

PIP versions above 20.3 do not support Python 2.7.

Solution:

Install the latest supported version:

pip install --upgrade pip==20.3

 

 Linux – Get path and filename from full path

 

To extract a file path or filename from a full path, you can use various utilities like grep, sed, awk, etc. If it’s not a list from a file or variable, you can use find, but there’s an easier way:

  • basename – returns the filename
  • dirname – returns the path to the file

Example:

basename /home/artem/file.txt
file.txt

dirname /home/artem/file.txt
/home/artem

 

These two utilities are included in the coreutils package.

 S3 – Mounting in Linux

To mount an S3 bucket as a file system, you need to install s3fs.

Create a directory to mount:

mkdir -p /mnt/s3

 

And add the following to "/etc/fstab":

artem-service-bucket:/upload/ /mnt/s3 fuse.s3fs _netdev,rw,nosuid,nodev,allow_other,nonempty,iam_role,umask=022,url=https://s3.eu-central-1.amazonaws.com,endpoint=eu-central-1 0 0

 

Where:

  • "artem-service-bucket:/upload/" – S3 bucket name and the directory inside the bucket to mount
  • "url=https://s3.eu-central-1.amazonaws.com,endpoint=eu-central-1" – the region where the S3 bucket is located
  • "iam_role" – indicates that the IAM Role will be used for authentication

 

Mount:

mount -a

 

 

 Terraform – AWS Secrets Manager: Retrieve RDS login/password

We need to retrieve the RDS login and password, which are stored in AWS Secrets Manager, and use their values in Terraform code. To do this, you can use the following construction:

# Should be there before the apply
data "aws_secretsmanager_secret" "rds-admin-user" {
  name  = "/ARTEM-SERVICES/PROD/RDS/CREDENTIALS"
}

data "aws_secretsmanager_secret_version" "rds-admin-user" {
  secret_id = data.aws_secretsmanager_secret.rds-admin-user.id
}

locals {
  additional_rds_username      = jsondecode(data.aws_secretsmanager_secret_version.rds-admin-user.secret_string)["username"]
  additional_rds_user_password = jsondecode(data.aws_secretsmanager_secret_version.rds-admin-user.secret_string)["password"]
}

 

Then use the local values:

local.additional_rds_username
local.additional_rds_user_password