Friday, March 11, 2016

PaloAlto: Zone Protection Profile and Traceroute

If you encounter strange behavior with traceroute after you start implementing Zone Protection Profiles, make sure to UNCHECK the "Discard ICMP embedded with error message" box as marked below. Remember, your trace packets are sent with a TTL that increments by 1 for each probe. The router that decrements it to 0 responds with an ICMP error (Time Exceeded) that carries a copy of your original probe inside it, and that is exactly the kind of packet this option throws away.

The first is the expected result of a normal traceroute. The second is the result WITH the box checked.

The PaloAlto is the second hop. Notice that the final hop, Google DNS, does answer: its reply is an ordinary echo reply, a valid packet with no error embedded in the response, so the profile lets it through.
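To make the mechanism concrete, here is an added example (my own, not from the original post or from Palo Alto) that models what the option does to a trace. It builds RFC 791/792-style packets from constructed addresses: an echo probe with a small TTL, the Time Exceeded error a router sends back (which embeds the probe's IP header plus 8 bytes), and the echo reply the destination sends. A filter that drops any ICMP message of an error type carrying an embedded datagram, which is how this post describes the checkbox's effect, silences every intermediate hop while the final echo reply survives. Addresses, TTLs and the hop list are constructed values; nothing touches the network.

```python
"""Model of how 'discard ICMP embedded with error message' affects traceroute.

Added illustration, not PAN-OS code.  All addresses and hops are constructed.
"""
import socket
import struct

# RFC 792 error types whose body carries the offending datagram (IP header + 8 bytes):
# destination unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); recomputing over a
    correctly checksummed header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header for protocol 1 (ICMP) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_message(icmp_type: int, code: int, rest: bytes, body: bytes) -> bytes:
    """8-byte ICMP header (type, code, checksum, 4 'rest of header' bytes) + body."""
    hdr = struct.pack("!BBH4s", icmp_type, code, 0, rest)
    return struct.pack("!BBH4s", icmp_type, code, checksum(hdr + body), rest) + body


def echo_probe(src: str, dst: str, ttl: int, seq: int) -> bytes:
    """An ICMP echo request probe, as Windows tracert sends, with the given TTL."""
    icmp = icmp_message(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, seq), b"")
    return ipv4_header(src, dst, ttl, len(icmp)) + icmp


def time_exceeded(router: str, probe: bytes) -> bytes:
    """What a router sends when it decrements the probe's TTL to 0: type 11,
    with the probe's IP header and first 8 payload bytes embedded."""
    original_src = socket.inet_ntoa(probe[12:16])
    icmp = icmp_message(ICMP_TIME_EXCEEDED, 0, b"\x00" * 4, probe[:28])
    return ipv4_header(router, original_src, 64, len(icmp)) + icmp


def echo_reply(host: str, probe: bytes) -> bytes:
    """The destination's normal answer: type 0, identifier/sequence copied back."""
    original_src = socket.inet_ntoa(probe[12:16])
    icmp = icmp_message(ICMP_ECHO_REPLY, 0, probe[24:28], b"")
    return ipv4_header(host, original_src, 64, len(icmp)) + icmp


def has_embedded_error(packet: bytes) -> bool:
    """True when the ICMP message is an error type that carries an embedded datagram.
    This is the property the zone-protection checkbox keys on, per the post."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl] in ICMP_ERROR_TYPES and len(packet) >= ihl + 8 + 20


def embedded_original_dst(packet: bytes) -> str:
    """Destination address of the datagram embedded in an ICMP error."""
    ihl = (packet[0] & 0x0F) * 4
    inner = packet[ihl + 8:]
    return socket.inet_ntoa(inner[16:20])


def simulate_traceroute(source: str, path: list, target: str, discard_embedded: bool):
    """Return [(ttl, responder or None)] for a trace from `source` to `target`
    across the routers in `path`.  A firewall in front of `source` applies the
    discard rule to every inbound ICMP reply; None means traceroute prints '*'."""
    results = []
    for ttl, hop in enumerate(path + [target], start=1):
        probe = echo_probe(source, target, ttl, ttl)
        reply = echo_reply(hop, probe) if hop == target else time_exceeded(hop, probe)
        if discard_embedded and has_embedded_error(reply):
            results.append((ttl, None))
        else:
            results.append((ttl, socket.inet_ntoa(reply[12:16])))
    return results


if __name__ == "__main__":
    # Constructed topology: host -> PaloAlto (hop 2) -> two transit routers -> 8.8.8.8
    hops = ["192.168.1.1", "198.51.100.1", "203.0.113.9"]
    for flag in (False, True):
        print("discard embedded =", flag)
        for ttl, who in simulate_traceroute("192.168.1.50", hops, "8.8.8.8", flag):
            print(f"  {ttl:2d}  {who or '*'}")
```

Running it prints the two traces described above: with the option off every hop answers; with it on, hops 1 through 3 become `*` and only the destination's echo reply is shown. The `has_embedded_error` check is the piece worth keeping in mind when you tune a Zone Protection Profile: it is the ICMP error itself, not anything unusual about your probes, that the option discards.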

Thursday, February 4, 2016

PaloAlto: How to Setup User-ID Information Exchange Between Firewalls

The goal of this article is to set up the exchange of User-ID mappings between firewalls. If you manage multiple firewall sets, sometimes you need those firewalls to exchange User-ID information. All of the other standard User-ID steps are still required on the interfaces and zones in which you want to identify users. This is what has worked for me. Your mileage may vary.

General Steps:

  • Firewall that has valid User-ID info
  1. Create a Redistribution Collector for the other firewalls to gather information from. The collector is the node currently doing active User-ID mappings. The Collector needs a name and a shared key; document both, as you will enter them on the other firewalls.
  2. Select an interface and IP address to serve as the source of the redistribution. This is the interface the other firewalls will query. It can be a standard interface or the management interface.
  • Firewalls that are requesting the User-ID info
  1. Create a User-ID Agent that references the Collector above.
  2. Ensure traffic on TCP 5007 is allowed from the remote firewalls to the collector firewall.

Now with Pictures!

This is done on the firewalls already doing User-ID. They will become Redistribution Collectors.

Select the Device tab, then the User Identification button. Select the User Mapping tab. Click the gear (or the green gear for those of you with Panorama).

Inside the window, select the Redistribution tab and fill it out. Remember or record the Collector name and your key. Click OK when complete.

Your User Mapping tab should now show your collector name.


OK, the collector is configured. Next up, the agents that will use this collector. You have enabled them to talk over TCP port 5007 to the collector, right? Commit your changes for them to take effect.

On the remote firewalls:

On the Device tab, under User Identification, select the User-ID Agents tab.

Click Add at the bottom to get the next screen. Fill out the information.

Fill out the info:
  • Name: You get to pick a name here. It does not have to match anything on the collector.
  • Host: The collector's IP address (the redistribution source address you selected above).
  • Port: 5007, no ifs, ands, or buts. It just is; it's in the documentation.
  • Collector Name: The exact name you entered in the 2nd screenshot.
  • Collector Pre-shared key: The shared key you recorded.
  • Confirm Collector Pre-Shared Key: really...type it again.
  • Check only the Enabled box.
  • Click OK.
The finished screen should look like this:

You may only have one entry. Commit your changes once you are happy.

Verification:

On the collector firewalls:

  • show user user-id-service status
This shows whether the service is running and whether you have clients connected. Note the port, 5007.
  • show user user-id-service client all
This shows the actual connections, with the IP addresses of the remote firewalls that are connected.

On the remote firewalls:

  • show user user-id-agent state all
With good results it might look like this. It took me a few attempts to permit the correct TCP port traffic through on our firewalls, thus the 71 tried and 70 failed. Unlike most of life, a single success is sufficient.

Anyhow, good luck!

Update: If you have an Active-Passive HA configuration and are redistributing from the management interface on the collector, you cannot configure both HA nodes as the collector on the agent firewalls.