Palo Alto Users Group. November 12, 2013


Topics of Discussion: NetFlow Export; LDAP Server Profiles; Large Scale VPN; Custom Reports; training classes available from Palo Alto; open discussion/questions.

Netflow Export The firewall can generate and export NetFlow Version 9 records, carrying unidirectional IP traffic flow information, to an outside collector. NetFlow export can be enabled on any ingress interface in the system. The firewall supports the standard NetFlow templates and selects the correct one based on the data to be exported.

Netflow Export-cont'd To configure NetFlow data export, define a NetFlow server profile, which specifies the export timing (template refresh rate and active timeout) along with the NetFlow servers that will receive the exported data. Then assign the profile to an existing firewall interface; all traffic flowing over that interface is exported to the specified servers.
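The slides say the firewall "selects the correct template" for the data it exports. What that means on the receiving side is that a collector can only decode a data FlowSet once it has seen the template FlowSet with the same ID from the same source, which is why the server profile has a template refresh rate at all. The decoder below is an added example, not code from the presentation or from Palo Alto Networks; it parses a NetFlow v9 packet using the standard field-type numbers from RFC 3954, and the packet it decodes is constructed by hand (build_sample_packet) rather than captured from a firewall.

```python
"""Collector-side decoder for NetFlow v9 export packets.

Added example, not code from the presentation or from Palo Alto Networks.
It caches each template FlowSet per (source ID, template ID) and uses it to
interpret the data FlowSets that follow. Field numbers are the standard
NetFlow v9 field types (RFC 3954); the packet returned by
build_sample_packet() is constructed by hand for this example.
"""
import struct
from ipaddress import IPv4Address

FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}
# version, count, sysUptime, unixSecs, sequence number, source ID
HEADER = struct.Struct("!HHIIII")


def _decode_value(ftype, raw):
    """IPv4 address fields are rendered dotted; everything else as an int."""
    if ftype in (8, 12) and len(raw) == 4:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def decode_netflow_v9(packet, templates):
    """Parse one export packet.

    `templates` maps (source_id, template_id) -> [(field_type, length), ...]
    and must persist across packets: a data FlowSet whose template has not
    been seen yet cannot be decoded and is counted in 'skipped'. That is the
    reason exporters re-send their templates at a refresh rate.
    """
    version, _count, _uptime, _secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    flows, skipped, off = [], 0, HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet, may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid == 0:  # zero padding at the end of the FlowSet
                    break
                pos += 4
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:  # data FlowSet: its ID is the template ID
            tmpl = templates.get((source_id, fs_id))
            if not tmpl:
                skipped += 1
            else:
                rec_len = sum(length for _, length in tmpl)
                pos = 0
                while pos + rec_len <= len(body):  # trailing bytes are padding
                    rec, p = {}, pos
                    for ftype, flen in tmpl:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_value(ftype, body[p:p + flen])
                        p += flen
                    flows.append(rec)
                    pos += rec_len
        # FlowSet ID 1 (options template) and 2-255 (reserved) are ignored here
        off += fs_len
    return {"sequence": seq, "source_id": source_id, "flows": flows, "skipped": skipped}


def build_sample_packet():
    """Constructed sample: one template (ID 256) followed by two flow records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    def rec(src, dst, sport, dport, proto, nbytes, npkts):
        return (IPv4Address(src).packed + IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))

    data_body = (rec("10.1.1.5", "192.168.0.10", 51515, 443, 6, 8421, 12)
                 + rec("10.1.1.6", "10.0.0.246", 50000, 53, 17, 91, 1))
    pad = b"\x00" * ((4 - len(data_body) % 4) % 4)  # FlowSets are 4-byte aligned
    data_fs = struct.pack("!HH", 256, 4 + len(data_body) + len(pad)) + data_body + pad
    header = HEADER.pack(9, 3, 123456, 1384272000, 1, 0)
    return header + tmpl_fs + data_fs
```

Feeding the same packet with its template FlowSet stripped out into an empty template cache shows the failure mode: the data FlowSet is counted as skipped and no flows come out. On a real collector that is what a too-long template refresh interval, or a collector restart, looks like.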

Netflow Export-cont'd (three slides with no transcribed text)

LDAP Server Profiles

LDAP Server Profiles LDAP is one of the methods used to authenticate users. When you create an administrative account, you specify either local authentication or client certificate authentication (no authentication profile), or an authentication profile (RADIUS, LDAP, Kerberos, or local DB authentication). This setting determines how the administrator's credentials are checked.

LDAP Server Profile-cont'd

LDAP Server Profile-Group membership

LDAP Server Profile-Group membership-cont'd

Large Scale VPN

Large Scale VPN The Large Scale VPN feature simplifies the deployment of traditional hub-and-spoke VPNs. It lets administrators quickly deploy enterprise networks in which several branch offices or telecommuters securely access resources at a central site, with a minimum of configuration on the remote devices. It uses certificates for device authentication and IPsec to secure data.

Large Scale VPN-Concepts
GlobalProtect Portal: the PAN-OS firewall that holds the entire configuration required for the satellites (spokes) to connect to the gateway (hub). A portal is always required in a Large Scale VPN.
GlobalProtect Gateway: the PAN-OS firewall that is the tunnel endpoint for satellite connections. The resources that the satellites access are protected by the gateway. A separate portal and gateway are not required; a single PAN-OS firewall can function as both portal and gateway.
GlobalProtect Satellites: remote-site firewalls that connect to one or more gateways in order to access centralized resources.
Certificate Authority Server: the portal, gateways, and satellites authenticate to each other using certificates. The PAN-OS firewall itself can be configured as the CA server that signs the certificates.

Large Scale VPN-Enrollment Methods The GlobalProtect portal authenticates satellites using either their serial number or a username/password. After the satellite successfully authenticates to the portal, it obtains its configuration from the portal and attempts to establish an IPsec tunnel to the gateways.

Large Scale VPN-Serial Number Enrollment When using serial-number authentication, you must add the serial numbers of the Palo Alto Networks firewalls acting as satellites to the portal configuration (the host name is optional). When a satellite connects to the portal, the portal retrieves the satellite's serial number from the satellite's certificate and matches it against the list of satellite devices allowed to connect to the portal.

Large Scale VPN-Username/Password Enrollment The username/password method is used when the serial number of the device is not known in advance. A user account on the portal is used to validate the satellite when it first connects. The administrator of the satellite must enter the credentials when the satellite connects to the portal; this is done on the satellite by navigating to Network > IPSec Tunnels, choosing Gateway Info, and clicking Enter Credentials. The username/password is required only the first time the satellite connects to the portal; once authenticated, it is not needed for subsequent connections.

Large Scale VPN- Initial Connection Sequence In this example it is assumed that the portal is configured as the CA server, that all the required certificates are configured, and that the portal and gateway are configured to accept connections from satellite devices.

Large Scale VPN- Initial Connection Sequence
1. The satellite generates a CSR and sends it to the portal over an SSL connection.
2. Before that connection is trusted, the satellite authenticates the portal's certificate. To do so, the satellite must have the CA certificate that was used to sign the portal certificate.
3. The satellite then authenticates to the portal using its serial number.
4. The portal verifies the serial number against its locally configured list of satellite devices. If the serial number is not in the portal configuration, the portal returns a 401 error, prompting the satellite administrator to authenticate with a username/password.
5. The portal verifies the credentials provided using the authentication profile configured in the portal configuration.

Large Scale VPN- Initial Connection Sequence-cont'd
6. After the satellite is authenticated, the portal issues a certificate for the satellite from the CSR it received. The portal then sends the satellite its certificate and configuration, which includes the list of gateways.
7. The satellite contacts all available gateways, using its certificate for authentication. Satellite and gateway verify the validity of each other's certificates.
8. The satellite then submits a list of routes to the gateway. The gateway accepts the routes unless they are denied by the route filter configured on the gateway.
9. The gateway provides the satellite with a list of routes.
10. The IPsec tunnel is established between the gateway and the satellite. The keys for the IPsec tunnel are exchanged over the SSL connection.

Large Scale VPN- Certificate renewal
1. The portal checks the list of expiring certificates every 24 hours and renews client certificates that will expire within (certificate lifetime / 5) days of the current date. Because the check is daily, renewal can happen up to a day after a certificate enters that window.
2. The satellite authenticates to the portal to retrieve the latest configuration and certificate.
3. The satellite installs the new configuration and the new certificate.
4. The satellite re-keys all gateway connections using the new certificate.
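The enrollment and renewal slides above describe decision rules rather than configuration: serial-number match first, a 401 and a username/password fallback through the authentication profile otherwise, credentials needed only once, and renewal when a certificate is within lifetime / 5 of expiry on a 24-hour check cycle. The model below is an added example, not Palo Alto Networks code; the Portal class, its data structures and the function names are assumptions made to make those rules executable and testable, and the serial numbers and credentials in the usage are made up.

```python
"""Model of the LSVPN portal's satellite admission and certificate-renewal
rules as the presentation describes them. Added example, not PAN-OS code:
the 401 fallback and the (lifetime / 5) renewal window come from the slides;
the class, its dictionary of satellites and the callable authentication
profile are assumptions for illustration."""
from datetime import datetime, timedelta, timezone


class Portal:
    def __init__(self, allowed_serials, auth_profile):
        # device serial -> hostname (None until the satellite reports it)
        self.satellites = {serial: None for serial in allowed_serials}
        # stands in for the portal's authentication profile: (user, password) -> bool
        self.auth_profile = auth_profile

    def authenticate_satellite(self, device_serial, hostname, credentials=None):
        """Returns ('enrolled', serial) or ('unauthorized', 401).

        Serial-number enrollment is tried first. If the serial is unknown the
        portal answers 401; the satellite admin then supplies a username and
        password that are checked through the authentication profile. Once a
        satellite has enrolled either way, its serial is remembered, so the
        credentials are only needed on the first connection.
        """
        if device_serial in self.satellites:
            self.satellites[device_serial] = hostname  # hostname learned on connect
            return ("enrolled", device_serial)
        if credentials is None:
            return ("unauthorized", 401)
        user, password = credentials
        if not self.auth_profile(user, password):
            return ("unauthorized", 401)
        self.satellites[device_serial] = hostname
        return ("enrolled", device_serial)


def needs_renewal(not_before, not_after, now):
    """Renewal predicate from the slides: the certificate is renewed once it
    will expire within lifetime / 5 of 'now'."""
    lifetime = not_after - not_before
    return (not_after - now) <= lifetime / 5


def next_renewal_check(not_before, not_after, check_interval=timedelta(hours=24)):
    """First of the periodic portal checks (counted from issuance) at which
    needs_renewal() fires. With a daily check this is up to a day later than
    the exact moment the window opens."""
    t = not_before
    while not needs_renewal(not_before, not_after, t):
        t += check_interval
    return t


if __name__ == "__main__":
    # Constructed usage: one pre-registered serial, one enrolled by password.
    portal = Portal(["001234567890"], lambda u, p: (u, p) == ("lsvpn-enroll", "s3cret"))
    print(portal.authenticate_satellite("001234567890", "branch-a"))
    print(portal.authenticate_satellite("009876543210", "branch-b"))
    print(portal.authenticate_satellite("009876543210", "branch-b", ("lsvpn-enroll", "s3cret")))
    issued = datetime(2013, 11, 12, tzinfo=timezone.utc)
    print(next_renewal_check(issued, issued + timedelta(days=365)))
```

For a one-year certificate the renewal window opens 73 days before expiry, so the first daily check that triggers renewal is 292 days after issuance. The point of writing it down is operational: if a satellite has been offline longer than that window, it returns with a certificate the portal considers expiring or expired, and the second step of the renewal sequence (authenticating to the portal to fetch the new certificate) is where it will fail.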

Large Scale VPN- Certificate Requirements Large Scale VPN uses certificates to authenticate the portal, gateway, and satellites, so every certificate must chain to a CA the other parties trust; the simplest arrangement, and the one recommended below, is to issue them all from the same Certificate Authority (CA). The following certificates are required: CA Certificate-Since the GlobalProtect portal issues authentication certificates for all registered satellites, a CA certificate (root or intermediate) must be present or created on the device. An intermediate CA can be created by generating and exporting a certificate signing request from the device and importing the issued certificate as a PEM-formatted certificate file.

Large Scale VPN- Certificate Requirements-cont'd Server Certificate-All communication between GlobalProtect satellites, the portal and the gateways is secured with TLS, so both the GlobalProtect portal and the gateways require SSL certificates. When connecting to the portal for the first time, the satellite verifies the presented server certificate against its built-in list of trusted certificate authorities (plus any CA certificate imported on the satellite, which is required when the portal certificate is not issued by a public CA). After the initial connection, the satellite verifies the portal's server certificate against the list of trusted root certificates from the satellite configuration. Since the connection to the gateways occurs after the portal connection, the gateways' server certificates are verified only against the root certificate list in the satellite configuration. Because of this verification process, and for simplicity, it is recommended to create the portal certificate and all gateway certificates through the same certificate authority.

Large Scale VPN- Certificate Requirements-cont'd OCSP Responder-For the portal to provide certificate revocation for GlobalProtect satellites, it is recommended that you configure an OCSP responder, reachable by the satellites, on the device running the portal. Besides configuring the OCSP responder, access to the OCSP service must be allowed in the interface management profile of the interface the satellites reach it on. If an external certificate authority is used, no OCSP responder configuration is required on the firewall, since revocation is handled externally.

Large Scale VPN- Example

Large Scale VPN- Example The gateway/portal is configured with the following:
IP pool: 10.11.12.11-10.11.12.25
DNS suffix: acme.local
DNS servers: 10.0.0.246 and 10.0.0.247
Access routes: 192.168.0.0/16 and 172.16.0.0/16
Interfaces: (slide diagram not transcribed)

Large Scale VPN- Example Portal Configuration To configure the portal navigate to Network > GlobalProtect > Portal.

Large Scale VPN- Example Satellite Configuration Note: In this configuration we use the serial numbers of the satellite devices to authenticate the satellites.

Large Scale VPN- Example Devices: List the serial number(s) of the satellite devices that are authorized to connect to the portal and retrieve the configuration (the host name is optional). Once a satellite successfully connects to the portal, its hostname is retrieved automatically and updated in this section. In the example below, the serial numbers of the two satellites (spoke devices) are added and the hostname shows as unknown; once the satellites authenticate and establish a connection with the portal, the hostname field is updated automatically with their hostnames.

Large Scale VPN- Example Gateways: List the available gateways the satellite can connect to. If there are multiple gateways, specify the name and IP address or FQDN of each gateway. In this configuration the firewall is configured as both portal and gateway, with the IP address 10.2.133.240. Routing Priority: When more than one gateway site offers VPN connectivity to the same network, the routing priority is used to select the preferred gateway. Routing priority is a numeric value between 1 and 25; a lower value indicates a more preferred gateway. Routes published by a gateway are installed on the satellite as static routes, and the metric of each static route is derived from the routing priority: metric = 10 x routing priority. See the section Hub and Spoke VPN with Redundant HUB Site for more information on this topic. In this example we have only one central gateway. The configuration on the portal follows:

Large Scale VPN- Example-cont'd

Large Scale VPN- Example Certificates If you are using certificates signed by a public CA such as VeriSign, you can leave the Trusted Root CA field empty, provided the CA certificate is listed in the Default Trusted Certificate Authorities. In this example we use certificates generated on the firewall, with the firewall acting as the CA server. In the OCSP Responder section, select from the drop-down the OCSP responder created earlier. The configuration for this example follows:

Large Scale VPN- Example Gateway Configuration Interface-The external-facing interface where the satellite devices establish their first connection. In this example the egress interface is ethernet1/10. IP address-The egress interface IP address; this is where the satellites first connect to authenticate and download the configuration. Server certificate-Select the server certificate created for the LSVPN. Certificate Profile-Select the certificate profile created earlier. The gateway uses it to authenticate satellites when they attempt to establish a tunnel to the gateway.

Large Scale VPN- Example Satellite Config

Large Scale VPN- Example Satellite Configuration field descriptions Tunnel interface-Select the tunnel interface that terminates the IPsec tunnel and routes traffic between the gateway and satellite. In this example tunnel.1 is used. Enabling anti-replay assigns a unique sequence number to each encrypted packet and so protects against an attacker replaying captured encrypted packets. Copy Type of Service (TOS) copies the TOS field from the original IP header to the outer IP header. Configuration refresh interval-The interval at which satellites refresh their configuration from the gateway; by default every 2 hours. Tunnel Monitoring-Used to monitor the tunnel status; refer to the tunnel monitoring section of the tech note for details. Crypto Profiles-Defines the IPsec encryption and authentication methods used to secure the data. The default profile uses ESP with DH group 2, AES-128 and SHA-1. DH group 2 (1024-bit MODP) and SHA-1 are weak by current standards; where the satellites support it, select a profile with a larger DH group and a SHA-2 authentication algorithm.

Large Scale VPN- Example-Network settings

Large Scale VPN- Example-Route Filter This setting controls which routes advertised by the satellites the gateway accepts. With the option Accept published routes checked, routes advertised by satellites are installed in the gateway's routing table (subject to the filter). This option must be selected for the gateway to accept any routes advertised by a satellite.
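Two of the slides above define how routes move in each direction: the gateway installs routes a satellite publishes only if Accept published routes is on and the route filter does not deny them, and the satellite installs the routes each gateway offers as static routes with metric 10 x routing priority, so the lower-priority-number gateway wins for a prefix two gateways both offer. The code below is an added example, not PAN-OS code; the shape of the filter (a list of permitted prefixes, with no list meaning nothing is denied) and the function names are assumptions, and the gateway names and prefixes in the test are made up.

```python
"""Route exchange between a satellite and its gateways as the presentation
describes it. Added example, not PAN-OS code: the 'accept published routes'
switch, the route filter and the 10 x routing-priority metric come from the
slides; representing the filter as a list of permitted prefixes is an
assumption for illustration."""
from ipaddress import ip_network


def gateway_accept_routes(published, accept_published, permitted=None):
    """Routes the gateway installs for one satellite.

    With accept_published off nothing is installed regardless of the filter.
    Otherwise a published route is kept unless the filter denies it, which
    here means: when a list of permitted prefixes is given, the route must
    fall inside one of them. Invalid prefixes raise ValueError.
    """
    if not accept_published:
        return []
    nets = [ip_network(r) for r in published]
    if permitted is None:
        return [str(n) for n in nets]
    allow = [ip_network(p) for p in permitted]
    return [str(n) for n in nets if any(n.subnet_of(a) for a in allow)]


def satellite_static_routes(gateway_offers):
    """gateway_offers: list of (gateway_name, routing_priority, [access routes]).

    Each offered route becomes a static route with metric 10 * priority.
    When two gateways offer the same prefix the lower metric (the gateway
    with the lower priority number) is installed. Returns
    {prefix: (gateway_name, metric)}.
    """
    best = {}
    for name, prio, routes in gateway_offers:
        if not 1 <= prio <= 25:
            raise ValueError(f"routing priority {prio} for {name} is outside 1-25")
        metric = 10 * prio
        for r in routes:
            prefix = str(ip_network(r))
            if prefix not in best or metric < best[prefix][1]:
                best[prefix] = (name, metric)
    return best


if __name__ == "__main__":
    # Constructed usage: a branch publishes two LANs, the hub filters to 10/8.
    print(gateway_accept_routes(["10.20.0.0/24", "203.0.113.0/24"], True, ["10.0.0.0/8"]))
    # Two hub gateways offer the same corporate prefix with different priorities.
    print(satellite_static_routes([
        ("hq-primary", 1, ["192.168.0.0/16", "172.16.0.0/16"]),
        ("hq-backup", 2, ["192.168.0.0/16"]),
    ]))
```

The filter is the control worth thinking about from a security standpoint: a satellite that is allowed to publish arbitrary routes can attract traffic for prefixes it does not own, so on a gateway that accepts published routes the permitted list should be as narrow as the branch networks actually are.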

Large Scale VPN- Example-Satellite Configuration Note: 1. If you are using certificates issued by the firewall's own CA, you must import the CA certificate that was used to sign the server certificate onto the satellite devices. 2. To export the certificate from the portal, navigate to Device > Certificate Management > Certificates, select the CA certificate and choose Export. When exporting, set the file format to Base64 Encoded Certificate (PEM). DO NOT EXPORT THE PRIVATE KEY. 3. On the satellite device, navigate to Device > Certificate Management > Certificates and select Import. Assign a name to the certificate, set the file format to Base64 Encoded Certificate (PEM), leave Import Private Key unchecked and click OK.
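The export step above is where a CA private key most easily leaks: the export dialog offers to include it, and a PEM file that carries it would then be copied to every satellite. The check below is an added example, not Palo Alto Networks code; it inspects a PEM file before it is imported on a satellite, rejecting any file that contains a private key block or malformed base64, and the PEM samples it builds are constructed placeholders rather than real certificates.

```python
"""Pre-import check for a PEM file exported from the portal. Added example,
not PAN-OS code. It enforces the slide's rule that the exported CA
certificate must not carry the private key; the sample PEM text built by
_fake_block() is constructed for the example and is not a real certificate."""
import base64
import re

# One PEM block; the back-reference makes the END label match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def inspect_pem(text):
    """Return {'types': [...], 'certificates': n, 'private_keys': n}.

    Raises ValueError when a BEGIN line has no matching END line or when a
    block body is not valid base64.
    """
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != text.count("-----BEGIN "):
        raise ValueError("PEM file has a BEGIN line without a matching END line")
    types = []
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"block '{label}' is not valid base64") from exc
        types.append(label)
    return {
        "types": types,
        "certificates": sum(1 for t in types if t == "CERTIFICATE"),
        # "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", ... all match
        "private_keys": sum(1 for t in types if "PRIVATE KEY" in t),
    }


def safe_to_import_on_satellite(text):
    """True only for a file holding at least one certificate and no key."""
    info = inspect_pem(text)
    return info["certificates"] >= 1 and info["private_keys"] == 0


def _fake_block(label, payload):
    """Build a syntactically valid PEM block around placeholder bytes."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed samples: a correct export, and one where the key was included.
SAMPLE_CA_ONLY = _fake_block("CERTIFICATE", b"constructed placeholder, not a DER certificate")
SAMPLE_WITH_KEY = SAMPLE_CA_ONLY + _fake_block("PRIVATE KEY", b"constructed placeholder key bytes")

if __name__ == "__main__":
    for name, sample in (("ca-only", SAMPLE_CA_ONLY), ("with-key", SAMPLE_WITH_KEY)):
        print(name, inspect_pem(sample), "import ok:", safe_to_import_on_satellite(sample))
```

The check is deliberately format-level only: it does not parse the certificate or confirm that it is the CA that signed the portal's server certificate, which still has to be verified on the satellite after import. What it does catch is the single mistake the slide warns about, before the file leaves the administrator's workstation.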

Large Scale VPN- Example-Satellite Configuration To configure the satellite, navigate to Network > IPSec Tunnels (configuration slides not transcribed).

Large Scale VPN- Example-Satellite Configuration Advanced Select the option Publish all static and connected routes to Gateway. This adds the routes to the satellite's networks on the gateway.

Custom Reports

Custom Reports Using the Query Builder

Custom Reports Selecting the appropriate database (log type) determines the other options available in the query builder.

Custom Reports Example- Top Applications sorted by byte count

Custom Reports Example Reports from live demo box.

Design Guide A great resource covering different deployment scenarios; available on the Support Portal.

Upcoming Webinar Friday November 22nd, 10:00am-11:00am

Existing Training Classes PA-201 Essentials I (3 days); PA-205 Essentials II (2 days)

New Training Class 311 Troubleshooting (3 days); labs are scenario-based

Questions?