
Palo Alto Networks

Report
March 18, 2024

Interview Report
Erick G. Henao Barraza

Table of contents:
Ipsec:
IPsec Crypto Phase 2
● Port usage
● Traffic selectors:
● Messages
Ipsec ike crypto - Important to note crypto:
NAT traversal
IPsec Troubleshoot:
Service routes
Ipsec logs on GUI
Logging level commands
HA
Preemption
HA4 links (HA4 and HA4 backup)
Floating IP address / ARP-load sharing
Floating IP address
ARP-load sharing
User ID
Uid daemons
Uid configuration
Uid commands
Difference between both diagrams for flow basic (unofficial and more complete is on the Drive)
Private diagram (Cut):
Public diagram (cut):
Performance (differentiate between mp commands and data plane commands)
Management plane commands
Data plane commands
MP-monitor, dp-monitor
Content Inspection
SNI with FQDN
Database for URL filtering
Pandb
Brightcloud

Decryption
● SSL Forward proxy
● SSL inbound inspection
● SSH Proxy
Decryption profile
Configuration of decryption
installation of certificates
Usage of untrust certificates (decryption profile), how does it work
PBF (Policy based forwarding)
Common use cases:
To create a PBF

Ipsec:
IPsec is a group of protocols for securing connections between devices. IPsec helps keep data
sent over public networks secure. Its most common use is the VPN.
Virtual private networks (VPNs) create tunnels that allow users and systems to connect securely
over a public network, as if they were connecting over a local area network (LAN).

IPsec Crypto Phase 2


One of the protocols used in IPsec is IKEv2:
It is the protocol used to establish the secure tunnel. Both devices need to be configured to use
it, and the encryption algorithm and DH group must match on both sides.
IKEv2 uses a child SA for Encapsulating Security Payload (ESP) or Authentication Header (AH).
IKEv2 sets up a security association (SA) that negotiates the security keys.
IKEv2 validates the security association, then sets up the secure tunnel, and encrypted
communication starts.

● Port usage
Primarily uses UDP port 500; also uses UDP port 4500 for NAT traversal.

● Traffic selectors:
Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the
tunnel and to determine what traffic is allowed through it. The two IKE gateway
peers must negotiate and agree on their traffic selectors. These are needed whenever
we have to connect to a policy-based FW, since Palo Alto devices are route
based.

The IPv4 and IPv6 traffic selectors are:
Source IP address—A network prefix, address range, specific host, or wildcard.
Destination IP address—A network prefix, address range, specific host, or wildcard.
Protocol—A transport protocol, such as TCP or UDP.
Source port—The port where the packet originated.
Destination port—The port the packet is destined for.

● Messages
Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four
messages; IKEv1 uses either nine messages (in main mode) or six messages (in
aggressive mode).

Built-in NAT-T functionality improves compatibility between vendors.

Ipsec ike crypto - Important to note crypto:
AES with 256-bit keys and similar are the encryption algorithm, not the authentication method. In
IKEv there is no authentication, and the two must not be confused.

NAT traversal
NAT traversal is required when address translation is performed after encryption;
in other words, whenever NAT is performed by a device sitting between the two
gateways. In that case NAT-T has to be enabled on both gateways.
With this option enabled, the firewall encapsulates IPsec traffic in UDP packets,
allowing the intermediate device to apply address translation to the UDP packet's IP headers. It
uses UDP port 4500.

IPsec Troubleshoot:
1. Ping the peer from the external interface, to rule out ISP issues.
● About pings:
Pings need to be allowed by the interface management profile; if they are not, the ping will
fail. Management profiles are in place to protect the FW from unauthorized access.
2. If pings are not allowed, check Encap/Decap traffic using the command show vpn flow
(Encap/Decap can only be shown if the tunnel is up).
3. Check the IKE config:
show vpn ike-sa gateway <name>: ike-sa is for IKE phase 1
show vpn ipsec-sa gateway <name>: ipsec-sa is for IKE phase 2
4. less mp-log ikemgr.log: check if the pre-shared key is correct.
5. Take packet captures to analyze the traffic.
● About the packet capture
This can be found on Monitor > Packet Capture > set the needed filters > Packet
Capture > ON > send traffic > check the packets logged in the 4 categories: drop,
transmit, receive and firewall.

6. show vpn ipsec-sa tunnel <tunnel.name>
● About show vpn ?
We need to be as specific as we can in order to not display unrelated information.

7. show vpn flow name <tunnel.id/tunnel.name>
● About show vpn flow
Counters of encapsulated packets:
the encap and decap bytes are counters related to the traffic going through the
tunnel.

Encap: counter for encapsulated packets going out from the Palo Alto device.
Decap: counter for encapsulated packets RECEIVED from the other side.
If both are 0, there is no traffic going through the tunnel.
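As an added example (not from the original notes and not Palo Alto code), the following Python script parses the encap/decap counters out of a constructed sample of "show vpn flow name <tunnel>" output, classifies what the counters say about the tunnel, and compares two snapshots taken before and after sending test traffic, which is what step 2 above does by hand. The field labels and layout of the sample are assumptions; check them against the real firewall output.

```python
import re

# Constructed sample in the shape of "show vpn flow name <tunnel>" output.
# The field labels ("encap packets", "decap packets", ...) are an assumption;
# verify them against the real firewall output before trusting the regex.
FLOW_BEFORE = """\
tunnel  tunnel.1
        id:                     1
        type:                   IPSec
        local ip:               198.51.100.10
        peer ip:                203.0.113.20
        encap packets:          1500
        decap packets:          0
        encap bytes:            210000
        decap bytes:            0
"""

# The same tunnel after sending test traffic: only the encap side moved.
FLOW_AFTER = """\
tunnel  tunnel.1
        id:                     1
        type:                   IPSec
        local ip:               198.51.100.10
        peer ip:                203.0.113.20
        encap packets:          1530
        decap packets:          0
        encap bytes:            214200
        decap bytes:            0
"""

COUNTER_RE = re.compile(r"^\s*(encap|decap) (packets|bytes):\s+(\d+)\s*$", re.MULTILINE)


def parse_vpn_flow_counters(output):
    """Return {"encap packets": int, "decap packets": int, ...} from the CLI text."""
    return {f"{direction} {unit}": int(value)
            for direction, unit, value in COUNTER_RE.findall(output)}


def classify_tunnel_traffic(counters):
    """Interpret the packet counters the way the troubleshooting step reads them."""
    encap = counters.get("encap packets", 0)   # sent by this firewall
    decap = counters.get("decap packets", 0)   # received from the peer
    if encap == 0 and decap == 0:
        return "no-traffic"        # nothing is using the tunnel at all
    if decap == 0:
        return "one-way-outbound"  # we encapsulate, nothing comes back: check the far side / return route
    if encap == 0:
        return "one-way-inbound"   # the peer sends, we never encapsulate: check our routing/policy into the tunnel
    return "bidirectional"


def counters_that_moved(before, after):
    """Which counters increased between two snapshots (send traffic in between)."""
    return {name: after[name] - before.get(name, 0)
            for name in after if after[name] > before.get(name, 0)}


if __name__ == "__main__":
    before = parse_vpn_flow_counters(FLOW_BEFORE)
    after = parse_vpn_flow_counters(FLOW_AFTER)
    print("state:", classify_tunnel_traffic(after))
    print("moved:", counters_that_moved(before, after))
```

Run it once, send traffic through the tunnel, and run it again with the new output: if only the encap counters move, the problem is on the return path or the remote side, not on this firewall's encryption.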

8. test vpn ipsec-sa tunnel <tunnel_name>
● About command test vpn ?
An important piece of information is that we ALWAYS need to specify the name
of the tunnel or object; failing to do so may bring down other unrelated tunnels or
objects in the network.

9. Check security policies
● test security-policy-match from <zone> to <zone> source <ip> destination <ip>
protocol <protocol number>
10. Check NAT policies and IP pool
● test nat-policy-match
● show running ippool
11. Set filters
On the GUI go to Monitor > Packet Capture > Virtual System > all > Manage Filters > set filters
> OK > Filtering > ON

12. Global counters
The most effective way to use global counters is the "delta yes packet-filter yes" option:
run the command, send traffic, and then repeat the command; this way we see the changes
in the global counters that are being caused by that traffic.

● show counter global — needs an active filter configured; ALL global counters are
shown
● show counter global filter — shows the filters
● show counter global filter delta yes — displays the change in the counters since the last
execution
● show counter global filter delta yes packet-filter yes — shows the changes in the
counters for the traffic matching the previously configured packet filters, in real time
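As an added example (not from the original notes), this Python script reproduces offline what "delta yes" does on the box: it parses two constructed snapshots of "show counter global filter" output taken before and after sending test traffic, reports only the counters that changed, and pulls out the drop-severity ones, which are the first place to look when traffic is failing. The column layout of the snapshots and the counter descriptions are constructed assumptions; adjust the regex if the firewall's output differs.

```python
import re

# Constructed snapshots in the shape of "show counter global filter" output,
# taken before and after sending test traffic. Layout and descriptions are
# assumptions, not captured firewall output.
SNAPSHOT_BEFORE = """\
Global counters:
Elapsed time since last sampling: 0.000 seconds

name                                   value     rate severity  category  aspect    description
-----------------------------------------------------------------------------------------------
pkt_recv                                  100       0 info      packet    pktproc   Packets received
session_allocated                          12       0 info      session   resource  Sessions allocated
flow_policy_deny                            3       0 drop      flow      session   Session setup: denied by policy
flow_tcp_non_syn_drop                       0       0 drop      flow      session   Packets dropped: non-SYN TCP without session match
"""

SNAPSHOT_AFTER = """\
Global counters:
Elapsed time since last sampling: 0.000 seconds

name                                   value     rate severity  category  aspect    description
-----------------------------------------------------------------------------------------------
pkt_recv                                  160       0 info      packet    pktproc   Packets received
session_allocated                          13       0 info      session   resource  Sessions allocated
flow_policy_deny                            7       0 drop      flow      session   Session setup: denied by policy
flow_tcp_non_syn_drop                       0       0 drop      flow      session   Packets dropped: non-SYN TCP without session match
nat_dynamic_port_xlat                       2       0 info      nat       resource  Dynamic IP and port NAT translations
"""

# Columns: name, value, rate, severity, category, aspect, free-text description.
COUNTER_RE = re.compile(
    r"^([A-Za-z0-9_]+)\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)\s+(\w+)\s+(.+?)\s*$",
    re.MULTILINE,
)


def parse_global_counters(output):
    """Map counter name -> {value, severity, category, description}."""
    counters = {}
    for name, value, _rate, severity, category, _aspect, desc in COUNTER_RE.findall(output):
        counters[name] = {"value": int(value), "severity": severity,
                          "category": category, "description": desc}
    return counters


def counter_delta(before, after):
    """What 'delta yes' shows: only the counters whose value changed between runs."""
    delta = {}
    for name, info in after.items():
        change = info["value"] - before.get(name, {}).get("value", 0)
        if change != 0:
            delta[name] = {"delta": change, "severity": info["severity"],
                           "description": info["description"]}
    return delta


def drop_counters(delta):
    """Drop-severity counters that moved, sorted by name: why the traffic is failing."""
    return sorted(name for name, info in delta.items()
                  if info["severity"] == "drop" and info["delta"] > 0)


if __name__ == "__main__":
    d = counter_delta(parse_global_counters(SNAPSHOT_BEFORE),
                      parse_global_counters(SNAPSHOT_AFTER))
    for name, info in d.items():
        print(f"{name:28} +{info['delta']:<6} {info['severity']:5} {info['description']}")
    print("drops:", drop_counters(d))
```

A counter that appears only in the second snapshot counts as having changed from zero, which matches how a newly triggered counter shows up on the firewall.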

13. Check ARP tables
● show arp all
● show arp <interface>
14. Check routes
● show routing route: shows the routing table
15. Check interfaces
● show interface all
● show interface <interface>
16. Flow basic
● Flow basic as a last resort
After setting up the packet filters, issue the following commands:
debug dataplane packet-diag show setting
debug dataplane packet-diag set on
debug dataplane packet-diag show setting
less mp-log pan_task_1.log OR
tail follow yes mp-log pan_task_1.log
For GP on the client side
17. Check the GP version
18. Check the route on the FW:
route ADD <IP> mask <Subnetmask> <Gateway> metric <metric> If <interface>
route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2

Service routes
A service route is the path from a FW data port to the intended service. The default behavior is to use
the management port. If the service route is not configured properly, the FW will have no way to reach
these necessary services.

Service routes can be configured here:
Device > Setup > Services > Service Route Configuration

Ipsec logs on GUI
Monitor > Logs > Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, or Unified >
Detailed Log View > Tunnel Inspected flag
The Tunnel Inspected flag indicates the firewall used a Tunnel Inspection policy rule to inspect the inside
content or inner tunnel.

Logging level commands
● See logging level:
debug software logging-level show level service all-services
● Change default logging level:
debug software logging-level set level default service all-services

HA
Preemption
In an active/passive deployment, a device priority value can be assigned to
indicate a preference for which firewall should assume the active role.

Preemptive behavior must be enabled and priority values assigned; a lower numerical value
means higher priority.
In this configuration the firewall with the higher priority (lower numerical value) will
resume as active or active-primary after it recovers from a failure.

It can be activated on Device > HA > General > Election settings > Device priority |
preemptive

HA4 links (HA4 and HA4 backup)
These links are used in CLUSTERING for the following purposes:
● Session synchronization among all HA cluster members.
● Checking for connectivity failures by sending L2 keepalives.

Clustering is a deployment of multiple FWs working in tandem. These deployments are
made of more than 2 FWs, up to the maximum allowed by the FW model.
The maximum is 16 FWs.

Floating IP address / ARP-load sharing

Floating IP address
In active/active mode we can assign floating IP addresses, which move from one FW to the other
should a link or FW fail. The interface that owns the IP answers with a virtual MAC. Whenever
the IP is moved to the functioning FW, a gratuitous ARP is sent to announce the change of floating
IP and virtual MAC ownership.
If the original FW comes back online, the floating IP switches back to the original FW.

image taken from: Floating IP Address and Virtual MAC Address

ARP-load sharing
In active/active mode, ARP load-sharing allows the firewalls to share an IP address and provide
gateway services. ARP load-sharing is suggested when there are no L3 devices between the end
hosts and the FWs and the end hosts use the FW as their default gateway.
A single gateway IP address is configured. A load-sharing algorithm decides which FW
handles the traffic.

Image taken from: ARP Load-Sharing

User ID
Maps users to IP addresses. It gets this information from various sources:
● GlobalProtect
● Captive Portal
● XFF headers
● XML APIs such as the ones used by Aruba devices
● Syslog monitoring gathered from 3rd-party WLAN devices, tunnels and VPNs
● Port mapping
● Server monitoring: Microsoft Active Directory, eDirectory.

Uid daemons

● authd.log — authentication issues
● rasmgr.log — SSL VPN
● useridd.log — User-ID or HIP

Uid configuration

Uid commands

● show user group list — lists all the groups
● show user group name <group> — shows all the members of the group
● show user ip-user-mapping ip <IP address> — shows user info for an IP address
● show user ip-user-mapping all — shows all the users and their groups, including the way they were
mapped

Difference between both diagrams for flow basic (unofficial and more complete is on the Drive)
Private diagram (Cut):

Main difference is that session lookup is its own step done with the 6 tuple key

Public diagram (cut):

Performance (differentiate between mp commands and data
plane commands)
Management plane commands
● show running resource-monitor minute <minutes>
Shows the resources used in the last <minutes> minutes
● show counter global delta yes
Shows the change in global counters when used repeatedly
● show session info
Shows the 6-tuple key for sessions and whether each is s2c or c2s
● show system statistics application
Shows the applications in use in real time and how much traffic they are processing
● show system statistics sessions
Shows statistics for applications and the device
● debug dataplane pool statistics
Shows free memory for work queues and packet buffers
● show running resource-monitor second last 10 ingress-backlogs
Shows the sessions that use the most resources
● debug dataplane pow performance
Shows packets going through each stage; it gives an overview of how the data plane is
behaving since the last time the data was reset, which is every 1 minute by default
● less dp-log dp-monitor.log

General TS steps
1. Check process usage of CPU
2. Check the respective daemon via CLI command: “tail follow yes mp-log <daemon>”
3. Useful daemons to check: masterd, masterd_detail, sys logs
4. If issue is not happening in real time check Quest tool
5. If viewing old cases, the tool they may be referencing is called pants, which does a similar
function as quest.
6. To generate graphs we can also use ppgraphs
7. Check for periodic events like updates or log exports
8. Check if the spike is happening between 2:00 am -2:45 am, reschedule periodic processes if this
is the case
9. If panorama is available use it for log report instead of the FW for it

Data plane commands
● show system info
Provides an overview of the system
● show system resources follow
Shows resource consumption in real time. With this command we can see how the CPU
is being utilized.
Meaning of the categories:
○ us: user CPU time
○ sy: system CPU time
○ ni: nice CPU - CPU time spent on low-priority processes
○ id: idle CPU time
○ wa: IO wait CPU time - CPU time spent waiting while input/output operations take
place or waiting for IO devices like disks
○ hi: CPU time spent servicing hardware interrupts
○ si: CPU time spent servicing software interrupts
○ st: steal time - in virtualized environments, the time the CPU could not be used by the
VM because the physical CPU was unavailable
● show system software status
Here we can see the processes running in the system and the IDs assigned to them; once a process is
terminated and restarted, a new PID is assigned
● debug software restart process user-id
Restarts a process (here the User-ID process)
● less mp-log mp-monitor.log
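As an added example (not from the original notes), this Python script reads the CPU summary line that a top-style command such as "show system resources" prints, in both the newer "72.4 us" and the older "72.4%us" spellings, and flags the conditions the category list above is about: little idle time, high IO wait, steal time on a VM, and heavy software-interrupt time. The sample lines and the thresholds are constructed assumptions meant as starting points, not Palo Alto guidance.

```python
import re

# Matches "72.4 us" (newer top) as well as "72.4%us" (older top).
CPU_RE = re.compile(r"(\d+(?:\.\d+)?)\s*%?\s*(us|sy|ni|id|wa|hi|si|st)\b")

FIELD_MEANING = {
    "us": "user cpu time", "sy": "system cpu time",
    "ni": "nice (low priority) cpu time", "id": "idle cpu time",
    "wa": "io wait cpu time", "hi": "hardware interrupts",
    "si": "software interrupts", "st": "steal time (hypervisor)",
}

# Constructed sample lines, not captured firewall output.
SAMPLE_BUSY = "%Cpu(s): 72.4 us,  9.1 sy,  0.0 ni,  8.0 id,  0.2 wa,  0.0 hi, 10.3 si,  0.0 st"
SAMPLE_IDLE_OLD_FORMAT = "Cpu(s):  3.2%us,  1.0%sy,  0.0%ni, 95.5%id,  0.2%wa,  0.0%hi,  0.1%si,  0.0%st"
SAMPLE_VM = "%Cpu(s): 20.0 us,  5.0 sy,  0.0 ni, 38.0 id, 25.0 wa,  0.0 hi,  0.0 si, 12.0 st"


def parse_cpu_line(line):
    """Return {"us": 72.4, "sy": 9.1, ...} or None if the line is not a CPU summary."""
    fields = {key: float(value) for value, key in CPU_RE.findall(line)}
    return fields or None


def assess_cpu(fields, busy_idle=20.0, iowait_high=20.0, steal_high=10.0, softirq_high=10.0):
    """Flag what a troubleshooter looks for. Thresholds are assumed starting points."""
    findings = []
    if fields.get("id", 100.0) < busy_idle:
        findings.append("cpu-busy")       # little idle time left: find the hot process
    if fields.get("wa", 0.0) > iowait_high:
        findings.append("io-wait")        # CPU is waiting on disk/IO, not on compute
    if fields.get("st", 0.0) > steal_high:
        findings.append("cpu-steal")      # VM is not getting its share of the physical CPU
    if fields.get("si", 0.0) > softirq_high:
        findings.append("softirq-heavy")  # time spent in software interrupts (packet handling)
    return findings


def explain(fields):
    """Human-readable breakdown using the category meanings above."""
    return [f"{key}={value:.1f} ({FIELD_MEANING[key]})" for key, value in fields.items()]


if __name__ == "__main__":
    for line in (SAMPLE_BUSY, SAMPLE_IDLE_OLD_FORMAT, SAMPLE_VM):
        fields = parse_cpu_line(line)
        print(assess_cpu(fields), "|", ", ".join(explain(fields)))
```

Feed it the CPU line from the real output; a non-CPU line (for example a memory line) returns None rather than a misleading result.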

MP-monitor, dp-monitor
● less dp-log dp-monitor.log
Shows information related to the dataplane and how packets are being processed
● less mp-log mp-monitor.log
Shows information related to the management plane and how processes are working

Content Inspection
It can be done using a security policy
Create a security policy > policies > tunnel inspection

SNI with FQDN
The SNI can be found in the Client Hello under the TLS section, and it is used for deciding which traffic can and
cannot be decrypted, in addition to URL filtering.
TLS > TLS v1.x > Handshake Protocol: Client Hello > Extension: server_name > Server Name Indication
extension > Server Name: www.deepl.com
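As an added example (not from the original notes and not Palo Alto code), this Python script walks a TLS record exactly along the path shown above (record > handshake: Client Hello > extensions > server_name > Server Name) and returns the SNI, then applies a constructed "do not decrypt" hostname list the way a decryption policy would. The Client Hello is built in the script itself so it runs offline; the random bytes, cipher suites and the exclusion list are constructed assumptions.

```python
import struct

SNI_EXTENSION = 0x0000           # server_name extension type
NO_DECRYPT_SUFFIXES = ("bank.example", "health.example")   # constructed exclusion list


def build_client_hello(hostname, include_sni=True):
    """Construct a minimal TLS 1.2-style ClientHello record carrying an SNI extension."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry          # ServerNameList
    ext_sni = struct.pack("!HH", SNI_EXTENSION, len(sni_body)) + sni_body
    ext_other = struct.pack("!HH", 0x002b, 3) + b"\x02\x03\x04"      # an unrelated extension to skip
    extensions = ext_other + (ext_sni if include_sni else b"")
    body = (b"\x03\x03" + b"\x11" * 32                    # client version + constructed random
            + b"\x00"                                    # session id length 0
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
            + b"\x01\x00"                                # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake(22)


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                  # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                  # not a Client Hello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip client version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                             # skip session id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                             # skip compression methods
    if pos + 2 > len(body):
        return None                                  # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION or len(data) < 5:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        i = 2
        while i + 3 <= min(list_end, len(data)):
            name_type, name_len = data[i], struct.unpack("!H", data[i + 1:i + 3])[0]
            if name_type == 0:
                return data[i + 3:i + 3 + name_len].decode("ascii", errors="replace")
            i += 3 + name_len
    return None


def decryption_decision(sni):
    """Policy-style decision on the SNI: excluded hostnames are left encrypted."""
    if sni is None:
        return "no-sni"        # nothing to match on; fall back to other criteria (e.g. URL category)
    host = sni.lower()
    if any(host == s or host.endswith("." + s) for s in NO_DECRYPT_SUFFIXES):
        return "no-decrypt"
    return "decrypt"


if __name__ == "__main__":
    for name in ("www.deepl.com", "online.bank.example"):
        sni = extract_sni(build_client_hello(name))
        print(name, "->", sni, decryption_decision(sni))
```

The bounds checks matter: a truncated or non-TLS record yields None instead of an exception, so a logger or detection script using this parser keeps running on odd traffic.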

Database for URL filtering


Pandb
Palo Alto-owned database that actively crawls web pages; it uses a dynamic cache containing the most
useful sites per region. PAN-DB is the database used for Advanced URL Filtering. With this database in use,
more precise and up-to-date control can be applied and access to more recent websites can be
blocked. This service cannot be active concurrently with BrightCloud.
It requires a license.

Brightcloud
Third-party database fed from various sources and manual reclassification tickets. This service also
requires a license. This service cannot be active concurrently with PAN-DB.

Decryption
● SSL Forward proxy
The firewall is a man-in-the-middle between the internal client and the external server. The firewall uses
certificates to represent the client to the server and to represent the server to the client. The client believes it is
communicating directly with the server.
The FW certificate needs to be installed in the client's certificate store.

Taken from: SSL Forward Proxy

● SSL inbound inspection
Checks inbound traffic. The FW is a man-in-the-middle and works similarly to the forward proxy, but in this case the FW has
the server certificate imported, as well as its private key.

● SSH Proxy
Does not require certificates. The key used to decrypt is generated automatically. Traffic is re-encrypted as it
goes out of the FW. The FW acts as a proxy: it intercepts the communication, introduces its own key and establishes 2
tunnels.

Decryption profile
A set of configurations that instructs the FW to perform checks on both decrypted traffic and SSL
traffic that is excluded from decryption.
Objects > Decryption Profile > Add > select the decryption type > SSL Decryption, SSL Forward
Proxy decryption
Select SSL Decryption:

Select SSL Forward Proxy to configure the settings to verify certificates, enforce protocol
versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings
are active only when this profile is attached to a decryption policy rule configured to perform
SSL Forward Proxy decryption.
Select SSL Inbound Inspection to configure the settings to enforce protocol versions and cipher
suites and to perform failure checks on inbound SSL traffic. These settings are active only when
this profile is attached to a decryption policy rule that performs SSL Inbound Inspection.

Configuration of decryption
Create a decryption profile > create a decryption policy rule > Set rule to encrypt or decrypt
traffic > select type of decryption (SSL forward, SSL inbound inspection, SSH Proxy) > Select
the decryption profile

installation of certificates
● On Windows machines:
Run > mmc > File > Add/Remove Snap-in > Certificates > trusted certificates >
Import
● On Mac machines:
Open Keychain Access > My Certificates > Import

Usage of untrust certificates (decryption profile), how does it work
The untrust certificate is used to sign the certificate the FW presents to the client; when the client receives
it, a warning is shown to the user about the validity of the certificate.
While the untrust certificate does not block access per se, it can be used in a decryption profile to
block traffic by activating the option "Block sessions with untrusted issuers". This can be
activated on Objects > Decryption > Decryption Profile.

PBF (Policy based forwarding)
Instructs the firewall to forward traffic along an alternative path, different from the next hop specified in
the route table. Traffic can be redirected to a specific interface, dropped, or redirected to a virtual
system.

Common use cases:


● Sites with two ISPs
● Sites with two different lines with vastly different capabilities (e.g. associated cost of
use) and purposes.

To create a PBF
Policies > Policy Based Forwarding > Add > Configure source and destination zones,
applications, addresses > specify the action (Forward, Forward to Vsys, Discard, No PBF) >
select schedule > Configure next hop with FQDN, IP address or none (will use the packet ip
address) > enable monitoring
