I’ve spent some time testing the Vulnerability Protection feature on a Palo Alto Firewall. I’ve launched some client-side exploits in the hope they would be detected, and yes, the traffic was blocked. You can read the results of my test in the following document.
http://www.accessdenied.be/blog/documentation/Configuring Vulnerability Prevention.pdf
Normally, you log on to a server with either a local username or a domain username. Servers in the DMZ are difficult to manage since they either all share the same local administrator account or each has a different one. But what if you could manage these servers with your domain account? In the document I use an open source access management tool to log on with your domain credentials. Authentication is done via a backend server, either an LDAP or a RADIUS server.
http://www.accessdenied.be/blog/documentation/How to Logon with Domain Credentials to a Server in a Workgroup.pdf
I’ve been playing around with WildFire; the results can be found in the following document:
The following guide describes how to configure your Palo Alto Firewall for SSL VPN access using GlobalProtect. GlobalProtect is the replacement for NetConnect for initiating a VPN tunnel.
When you install the GlobalProtect agent for the first time, you need administrative privileges. The agent can be downloaded from the GlobalProtect portal site or deployed via Group Policy.
After the agent has been installed, you can initiate a VPN session using it.
Here is the document on how to configure SSL VPN access. The user needs to be a member of a group in Active Directory, and authentication is performed using Network Policy Server on Windows Server 2012.
http://www.accessdenied.be/blog/documentation/Configuring GlobalProtect SSL VPN using a user-defined port.pdf
The following guide describes how to request a certificate for your firewall using a template file and a Microsoft Certification Authority. I show you how to create a certificate template and how to request a certificate using certreq.exe.
I’m still testing the CSR part on the firewall itself, because I cannot find how to import the signed certificate if the private key exists on the firewall.
http://www.accessdenied.be/blog/documentation/How to request a certificate.pdf
You can configure a captive portal on your Palo Alto firewall, which can be used to authenticate your users before they access resources on the internet. The user is presented with a web form where she needs to enter her credentials. After successful authentication, the user is allowed to visit her resources.
http://www.accessdenied.be/blog/documentation/How to setup a Captive Portal using a webform.pdf
One of the strengths of the Palo Alto firewall is that it can perform User Identification. This feature allows you to identify users and know exactly what they are doing on your network, or who accesses which websites on the internet. Another nice feature is that you can use your Active Directory security groups directly in your security policies. Isn’t that cool?
http://www.accessdenied.be/blog/documentation/Configuring User Identification via Active Directory.pdf
The following step-by-step guide shows you how to configure your Palo Alto Firewall for administrative access via a Network Policy Server running on Windows Server 2012. By using a RADIUS server for management authentication, you can use your domain credentials to administer your server. Policies are created on the RADIUS server to allow only users who are members of a specific security group in Active Directory.
http://www.accessdenied.be/blog/documentation/Configure your Firewall for Administrative Access via RADIUS Authentication.pdf
Read this document first to understand how my virtual lab is configured. All the documents I write are based on this network setup.
http://www.accessdenied.be/blog/documentation/PA-VM Network Configuration.pdf
This is an older document I wrote on how to configure wireless networks using Windows Server 2008. I’ve used a wireless access point (WAP 1130AG) from Cisco with multiple SSIDs. If a user connects to an SSID, the user is placed into a VLAN. If another user connects to a different SSID, that user is placed into a different VLAN.
http://www.accessdenied.be/blog/documentation/Configuring wireless VLANs on Windows 2008.pdf
I’ve plans to rewrite this document so that VLANs will be dynamically assigned using a Cisco WLC 2106. Keep posted…