Integrate new firewalls into Panorama via CLI

I recently switched jobs and I am excited to announce that I am working with Palo Alto firewalls again. I am not gonna lie, I am beyond excited seeing PANs again. There is just something about them that I like.

As much as I love the UI, it is somewhat annoying to integrate a new Palo Alto into Panorama. The reason is that PANs ship with a standard configuration that contains a default security policy, virtual wires and security zones. When you add the device to Panorama this causes problems, because it interferes with the config you want to push from Panorama, and after all you want to get rid of any configuration you are not going to use. So you must click through the WebUI and delete the standard configuration in the correct order to avoid dependency errors, only to hit “commit” and get another error thrown at you.

Hence I turned to the CLI and looked up all the commands needed to wipe and stage a new device for our environment. I basically wanted a copy/paste deployment procedure to save time and drive standardization. The Palo Alto CLI is very capable and I was pleasantly surprised by the readability of the commands. Below you will find my staging scripts for the local device and for Panorama.

 

Example deployment “script” for PA firewall

 

For easier deployment I built a small Excel file that generates all the commands to

  • wipe the standard configuration
  • set up the management interface
  • set the Panorama server
  • set up the interfaces so that interface configurations can be pushed via Panorama templates
  • set up HA
  • update the license
  • check for and install dynamic updates
  • check for and install software updates

Basic setup of three interfaces as layer 3 and ports 7 and 8 for HA1/HA2:

 

# Enter configuration mode (the set/delete/commit commands below only work there)
configure

# Setup MGMT interface
set deviceconfig system ip-address <MGMT-IP> netmask <netmask in X.X.X.X> default-gateway <default-gw-IP> dns-setting servers primary <primary-DNS>

# Setup Panorama server
set deviceconfig system panorama-server <IP/DNS of your Panorama Server>

# Delete standard config (virtual wire first, then the rule and zones that reference it, then the interfaces)
delete network virtual-wire default-vwire
delete rulebase security rules rule1
delete zone trust
delete zone untrust
delete network interface ethernet ethernet1/1
delete network interface ethernet ethernet1/2
delete network interface ethernet ethernet1/3
delete network interface ethernet ethernet1/4
delete network interface ethernet ethernet1/5
delete network interface ethernet ethernet1/6
delete network interface ethernet ethernet1/7
delete network interface ethernet ethernet1/8

# Assign minimum configuration to network interfaces to be able to push Panorama templates
set network interface ethernet ethernet1/7 ha
set network interface ethernet ethernet1/7 comment HA1
set network interface ethernet ethernet1/8 ha
set network interface ethernet ethernet1/8 comment HA2
set network interface ethernet ethernet1/1 layer3 ip X.X.X.X/XX
set network interface ethernet ethernet1/1 comment <interface1comment>
set network interface ethernet ethernet1/2 layer3 ip X.X.X.X/XX
set network interface ethernet ethernet1/2 comment <interface2comment>
set network interface ethernet ethernet1/3 layer3 ip X.X.X.X/XX
set network interface ethernet ethernet1/3 comment <interface3comment>
set network virtual-router default interface ethernet1/1
set network virtual-router default interface ethernet1/2
set network virtual-router default interface ethernet1/3

# Setup hostname
set deviceconfig system hostname <hostname>

# Setup HA
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group 1
set deviceconfig high-availability group 1 peer-ip X.X.X.X peer-ip-backup X.X.X.X
set deviceconfig high-availability interface ha1 port ethernet1/7
set deviceconfig high-availability interface ha1 ip-address X.X.X.X netmask X.X.X.X
set deviceconfig high-availability interface ha1-backup port management
set deviceconfig high-availability interface ha2 port ethernet1/8
set deviceconfig high-availability interface ha2 ip-address X.X.X.X netmask X.X.X.X

commit

# Back to operational mode (the request commands below only work there)
exit

# Update license on local firewall
request license fetch

# Check for App updates and install latest
request content upgrade check
request content upgrade download latest
request content upgrade install sync-to-peer yes version latest

# Check for AV updates and install latest
request anti-virus upgrade check
request anti-virus upgrade download latest
request anti-virus upgrade install sync-to-peer yes version latest

 

Example deployment “script” for Panorama

 

This will do the following on the Panorama Server:

  • Add serial number to Managed Devices
  • Clone a template
  • Create a template stack
  • Add templates to template stack
  • Add new device to template stack
  • Add new device to log-collector

 

# Enter configuration mode
configure

# Add the new firewall's serial number to Managed Devices
set mgt-config devices <serial-nr>

# Copy a template
copy template <template1> to <template2>

# Create template stack, add templates and add the new device
set template-stack <template-stack>
set template-stack <template-stack> templates <template1>
set template-stack <template-stack> templates <template2>
set template-stack <template-stack> devices <serial-nr>

# Add new device to log collector
set log-collector-group default logfwd-setting devices <serial-nr> collectors <serial-nr-of-collector>

 

Hit commit and push the template stack to the device (don’t forget to force template values on the first push).

No rocket science here, these are all very simple CLI commands, but maybe this saves someone the time of looking them all up, and it will for sure save you time clicking through the WebUI and hitting dependency errors.

I used the commands above together with an Excel file that automatically fills in the IPs and serial numbers collected from a form. All commands were tested on PAN-OS 8.0.4.
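The Excel generator described above, rewritten as an added Python example (not the post's own file): a per-device record is validated (every address must parse, the gateway must sit on the management subnet, layer-3 addresses need a prefix length) and then rendered into the firewall staging script in the post's order. The record layout, field names and sample values are assumptions; the CLI syntax is the post's.

```python
import ipaddress

SAMPLE = {  # constructed sample record (one row of the author's Excel form); RFC 5737/private addresses
    "hostname": "fw-lab-01", "panorama": "panorama.example.net",
    "mgmt_ip": "192.0.2.10", "mgmt_netmask": "255.255.255.0", "gateway": "192.0.2.1", "dns": "192.0.2.53",
    "peer_ip": "192.0.2.11", "backup_peer_ip": "198.51.100.11",
    "ha1_ip": "198.51.100.10", "ha1_mask": "255.255.255.252", "ha2_ip": "203.0.113.10", "ha2_mask": "255.255.255.252",
    "ha_ports": ("ethernet1/7", "ethernet1/8"),  # HA1 and HA2 data ports
    "l3": [("ethernet1/1", "10.0.1.2/24", "inside"), ("ethernet1/2", "10.0.2.2/24", "dmz"),
           ("ethernet1/3", "10.0.3.2/24", "outside")],
}

def validate(dev):
    """Reject typos before they are pasted into a firewall: every address must parse."""
    for key in (k for k in dev if k.endswith(("_ip", "mask", "gateway", "dns"))):
        ipaddress.IPv4Address(dev[key])  # raises ValueError on a malformed address
    mgmt_net = ipaddress.IPv4Network(f"{dev['mgmt_ip']}/{dev['mgmt_netmask']}", strict=False)
    if ipaddress.IPv4Address(dev["gateway"]) not in mgmt_net:
        raise ValueError("default gateway is not on the management subnet")
    for _ifname, addr, _comment in dev["l3"]:
        ipaddress.IPv4Interface(addr)  # layer3 addresses need the X.X.X.X/XX form

def render(dev):
    """Return the staging commands in the post's order (dependents deleted before dependencies)."""
    validate(dev)
    ha1, ha2 = dev["ha_ports"]
    out = ["configure", "# Setup MGMT interface and Panorama server",
           f"set deviceconfig system ip-address {dev['mgmt_ip']} netmask {dev['mgmt_netmask']} "
           f"default-gateway {dev['gateway']} dns-setting servers primary {dev['dns']}",
           f"set deviceconfig system panorama-server {dev['panorama']}",
           "# Delete standard config: virtual wire, then the rule and zones that use it, then interfaces",
           "delete network virtual-wire default-vwire", "delete rulebase security rules rule1",
           "delete zone trust", "delete zone untrust"]
    out += [f"delete network interface ethernet ethernet1/{n}" for n in range(1, 9)]
    out += ["# Minimum interface config so Panorama templates can be pushed",
            f"set network interface ethernet {ha1} ha", f"set network interface ethernet {ha1} comment HA1",
            f"set network interface ethernet {ha2} ha", f"set network interface ethernet {ha2} comment HA2"]
    for ifname, addr, comment in dev["l3"]:
        out += [f"set network interface ethernet {ifname} layer3 ip {addr}",
                f"set network interface ethernet {ifname} comment {comment}",
                f"set network virtual-router default interface {ifname}"]
    out += [f"set deviceconfig system hostname {dev['hostname']}", "# Setup HA",
            "set deviceconfig high-availability enabled yes", "set deviceconfig high-availability group 1",
            f"set deviceconfig high-availability group 1 peer-ip {dev['peer_ip']} peer-ip-backup {dev['backup_peer_ip']}",
            f"set deviceconfig high-availability interface ha1 port {ha1}",
            f"set deviceconfig high-availability interface ha1 ip-address {dev['ha1_ip']} netmask {dev['ha1_mask']}",
            "set deviceconfig high-availability interface ha1-backup port management",
            f"set deviceconfig high-availability interface ha2 port {ha2}",
            f"set deviceconfig high-availability interface ha2 ip-address {dev['ha2_ip']} netmask {dev['ha2_mask']}"]
    return "\n".join(out + ["commit", "exit"])
```

`print(render(SAMPLE))` gives the block to paste into the configure-mode session; the request commands for licensing and content updates still follow by hand in operational mode.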

 


How to replace blank/space with line break (Alt+Enter) in Excel

Ever wondered how to replace a blank or space with a line break in Microsoft Excel? It is a lifesaver when dealing with firewall policy sheets 🙂

Press Ctrl + H (Find and Replace). In “Find what” enter a single space “ ”.
In “Replace with” type 0010 on the numeric keypad while holding the Alt key (Alt + 0010). You will notice the cursor jumping to a second line (only a small piece of it is visible, so it looks like a flashing dot). Now hit Replace or Replace All. Et voilà!

Of course this also works the other way around.

before:

[screenshot: excel_before]

after:

[screenshot: excel_after]

Short n quick: DIY BayTech RPC serial adapter to use with standard ethernet cables (RJ45)

How to build a BayTech RPC serial console adapter that can be used with standard RJ45 (Cat5/Cat6/...) ethernet cables:

Serial RS-232 pinout (DE-9 female):
 ______________
\ 5  4  3  2  1 /
 \  9  8  7  6 /

RS-232 to RJ45 (T-568A) pins

RS-232 Pin#   RS-232 Color   RJ45 Pin#   RJ45 Color
5             Orange         7           White/Brown
4             White          1           White/Green
3             Green          4           Blue
2             Red            5           White/Blue
1             Black          6           Orange
9             None           None        None
8             Blue           8           Brown
7             Yellow         3           White/Orange
6             Brown          2           Green

Accessing your modem from OpenWRT Router

Very useful if you want to check for errors on your cable modem: “Accessing your modem from OpenWRT Router”.

Unfortunately, you don’t have full access to your modem on AT&T, TWC or Comcast. Hence, you are not able to do SNMP monitoring 😦

Short n quick: Reset Alteon AD3 load balancer to factory default.

Case: old load balancer, unknown IP, no serial/console access.

Don’t even try to get the serial port up – it’s impossible.

  • Connect a computer with crossover cable to one of the ports.
  • Check ARP requests with Wireshark
  • Telnet into IP
  • Enter “boot” (boot menu)
  • Enter “conf” (config block to use next boot)
  • Enter “factory” (in order to boot factory defaults)
  • Power off
  • Power on

Good Luck!

Problem solved: Monitoring Kemp Loadbalancers with Check_MK (kemplb_real_servers, kemplb_rsvs and kemp_virtual_server)

About two weeks ago I found a plug-in for monitoring Kemp load balancers on the Check_MK Exchange (go here: http://exchange.check-mk.org/index.php?option=com_remository&Itemid=59&func=fileinfo&id=135). Until today it was working absolutely flawlessly on two load balancers and was a really big help in monitoring all the services (including connection and pool data).

Unfortunately, it would not recognize the services on a third Kemp load balancer. That’s when I went to the CLI and checked the snmp_scan_function. (Note: the plug-in consists of three different checks: kemplb_real_servers, kemplb_rsvs and kemp_virtual_server.)

[screenshot: kemplb0]

Turns out the script checks for OID .1.3.6.1.4.1.12196.12.8.1.2.1 in order to inventory the servers. So I decided to compare the output of the working and the faulty Kemp LB when doing an snmpget for this OID:

[screenshot: kemplb1]

Turns out the working LB returns a value while the other load balancer does not. This is quite interesting since both LBs run the same firmware version on the same platform (virtual machines).

Then I used a MIB browser to investigate which values in this OID tree are actually available.

[screenshot: kemplb3]

As we can see from the screenshot there is no OID .1.3.6.1.4.1.12196.12.8.1.2.1. Instead there are a couple of other OIDs in the subtree, such as .1.3.6.1.4.1.12196.12.8.1.2.4, .18 and so on.

While checking the Kemp LB MIBs (available here: http://kemptechnologies.com/files/downloads/documentation/7.0/LM_mibs.zip) I found that OID .1.3.6.1.4.1.12196.12.8 is “a table containing Totals for Real Server (RS) specific information.”

So it seems that there is no Real Server “1” on the faulty LB. Therefore Check_MK does not do an inventory at all (even though it would find services on the LB).

So here is a solution that worked for me: I changed the last lines of the three check scripts as follows:

[screenshot: kemplb4]

So basically it checks OID .1.3.6.1.2.1.1.2.0 (sysObjectID, “The vendor’s authoritative identification of the network management subsystem contained in the entity”) and validates that the returned value starts with .1.3.6.1.4.1.12196 (because in that case it is a Kemp LB and we want the plug-in to start the inventory).
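The two scan functions side by side, as an added example that is not the plug-in's actual code: the original behaviour is reconstructed from the description above (an assumption), the fixed one is the sysObjectID check just described, and both are run against constructed SNMP responses for the working LB, the faulty LB (RS rows 4 and 18 but no row 1) and an unrelated device. The `oid()` callable mimics what Check_MK's old check API hands to snmp_scan_function; the sysObjectID values are placeholders.

```python
KEMP_ENTERPRISE = ".1.3.6.1.4.1.12196"              # Kemp Technologies enterprise subtree
SYS_OBJECT_ID = ".1.3.6.1.2.1.1.2.0"                # sysObjectID.0 from the standard system group
RS_TOTALS_ROW_1 = ".1.3.6.1.4.1.12196.12.8.1.2.1"   # row 1 of the Real Server totals table

def scan_original(oid):
    """Reconstruction (an assumption) of the original scan: inventory only if RS row 1 answers."""
    return oid(RS_TOTALS_ROW_1) is not None

def scan_fixed(oid):
    """The post's fix: it is a Kemp LB if sysObjectID lies inside the Kemp enterprise subtree."""
    value = oid(SYS_OBJECT_ID)
    return value is not None and value.startswith(KEMP_ENTERPRISE)

def make_oid(walk):
    """Mimic the oid() callable Check_MK hands to snmp_scan_function: the value, or None."""
    return lambda name: walk.get(name)

# Constructed SNMP responses; the sysObjectID values are placeholders, not real vendor values.
WORKING_LB = {SYS_OBJECT_ID: KEMP_ENTERPRISE + ".1", RS_TOTALS_ROW_1: "10"}
FAULTY_LB = {SYS_OBJECT_ID: KEMP_ENTERPRISE + ".1",
             ".1.3.6.1.4.1.12196.12.8.1.2.4": "7",    # RS ids 4 and 18 exist, but no RS 1
             ".1.3.6.1.4.1.12196.12.8.1.2.18": "3"}
OTHER_AGENT = {SYS_OBJECT_ID: ".1.3.6.1.4.1.99999.1"}  # some other device: must stay excluded

def compare(walk):
    """Return (original_result, fixed_result) for one device's SNMP responses."""
    oid = make_oid(walk)
    return scan_original(oid), scan_fixed(oid)

# How the three checks register the fixed scan in the old check_info API (other keys omitted).
check_info = {}
for name in ("kemplb_real_servers", "kemplb_rsvs", "kemp_virtual_server"):
    check_info[name] = {"snmp_scan_function": scan_fixed}
```

The fixed scan also admits a Kemp LB with no real servers at all; the inventory function then simply finds no services, which is the intended outcome.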

Feedback appreciated.

Update: Check PAN Firewall´s Sessions Counters with SNMP

About a year ago I published my first ever self-developed plug-in for check_mk (https://sitweak.wordpress.com/2012/08/30/snmp-based-check_mk-plug-in-for-palo-alto-firewalls/). For all who missed out on that milestone in my programming career: it does nothing more than fetch some session counters with the help of SNMP.

Even though I realized that there is not a high demand for such a plug-in (until now it has one rating on the check_mk Exchange – haha) I am still very proud that there is a piece of self-made code which is actually working. That’s why I decided to give it a small update.

Some hours ago I uploaded version 1.0. Here’s the changelog:

Plug-in
  • Two more SNMP values are being fetched
    – 1.3.6.1.4.1.25461.2.1.2.3.7.0 Total number of active SSL proxy sessions
    – 1.3.6.1.4.1.25461.2.1.2.3.8.0 Total number of active SSL proxy sessions.
  • Code updated
    – Added an snmp_scan_function
    – Added declaration according to the new Check_MK API (https://mathias-kettner.de/checkmk_devel_newapi.html)
  • Added warning and critical levels (service state is based on the SNMP value of session utilization)
    – Factory default: 80% warning level and 90% critical level. You can define your own values by editing ~/local/share/check_mk/checks/paloalto_sessions.

Perfdata
  • Added value ‘proxied ssl sessions’ to perfdata

PNP template
  • Added graph for value ‘proxied ssl sessions’
  • Cleaned up PNP template

Plug-in output
  • Added value for proxied SSL sessions
  • Added value for utilization of SSL proxy

 

This is what it looks like:

[screenshots]

Tested on Check_MK 1.2.4

 

I’m looking forward to any feedback here, on twitter or on the check_mk Exchange!

 
