Full Tunnel Site to Site VPN and Static Route

I have encountered situations where a customer needs to route all traffic, including Internet-bound traffic, from a branch location back to a main location to ensure consistent security policies, content filtering, or some other requirement.

In this scenario, let’s assume there is a firewall and ISP at the branch location. Normally, the firewall would have a default route configured that points to the ISP gateway for all Internet traffic. When adding a site to site VPN tunnel on a firewall that uses route-based VPNs and you want to send all traffic across this tunnel, you must create a default route that points to the tunnel interface. Fortinet and Palo Alto are examples of firewalls that use route-based VPNs where this would be applicable.

Because you are changing the default route to point to the site to site VPN, it is critical to also add a specific host route for the VPN peer's public IP with the ISP gateway as the next hop. This ensures the firewall has a route to the VPN peer other than the default route that points into the VPN interface; without it, the firewall would try to reach the peer through the very tunnel that depends on reaching that peer, and the tunnel would never come up.
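To make the routing point concrete, here is an added example (not from the original post) that runs a longest-prefix-match lookup over a constructed branch-firewall routing table, once without and once with the /32 host route; the addresses and interface names are assumptions.

```python
import ipaddress

# Constructed branch-firewall routing table for the full-tunnel scenario.
# Addresses and interface names are made up for this example.
ISP_GATEWAY = "203.0.113.1"      # next hop handed out by the branch ISP
VPN_PEER = "198.51.100.10"       # hypothetical public IP of the main-site VPN peer

ROUTES_BROKEN = [
    ("0.0.0.0/0", None, "tunnel-to-hq"),          # default route now points at the tunnel
]
ROUTES_FIXED = ROUTES_BROKEN + [
    (VPN_PEER + "/32", ISP_GATEWAY, "wan1"),      # host route to the peer via the ISP
]

def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, interface) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])

def peer_reachable_outside_tunnel(routes, peer, tunnel_iface):
    """The check to run after re-pointing the default route: the peer itself
    must not be routed into the tunnel, or the tunnel can never be established."""
    hop = lookup(routes, peer)
    return hop is not None and hop[1] != tunnel_iface

if __name__ == "__main__":
    print("peer, broken table:", lookup(ROUTES_BROKEN, VPN_PEER))        # routed into the tunnel
    print("peer, fixed table: ", lookup(ROUTES_FIXED, VPN_PEER))         # via ISP gateway on wan1
    print("Internet host, fixed table:", lookup(ROUTES_FIXED, "1.1.1.1"))  # still full-tunnel
```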

Palo Alto User-ID and WinRM

Background: In the past, when using the agentless method of User-ID with a Palo Alto firewall, WMI was used for the firewall to connect to a domain controller and parse Windows security logs to find user to IP mappings. However, on June 14, 2022, Microsoft released patch KB5004442 for Windows Server to address the vulnerability described in CVE-2021-26414. This patch essentially breaks the WMI connection from the firewall to the server. This is described well here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkkfCAA

The new solution is to enable WinRM in place of WMI. This process is well documented, so I won't go into detail here, but I did want to mention that I had to add the service account used for this to the "Remote Management" group in Active Directory; otherwise it wouldn't work properly and would show "Access Denied" for the server. The links below are helpful in configuring this, and only one of them mentions the Remote Management group.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VUICA2&lang=en_US

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-server-monitoring-using-winrm

Run Continuous Ping in the Background Including Timestamp and Logging

When trying to troubleshoot network or Internet related connectivity issues, it may be helpful to have a system on the inside network pinging a reliable destination on the Internet to test connectivity and log the output with a timestamp to find the specific times when an outage occurred.

Here is the command within Linux I used for this:

nohup sh -c 'ping 1.1.1.1 | while read result; do echo "$(date): $result"; done' > /home/user/pinglog.txt 2>&1 &

nohup only protects the command it is given directly, so the whole pipeline is wrapped in sh -c; otherwise the while loop can still be killed when the session ends, which then stops ping as well. The 2>&1 also captures ping's own error messages in the log.

Including "nohup" keeps the command running even after the session to the system is closed. Without "nohup", closing the SSH session to that Linux host stops the command. The "&" at the end runs the command in the background on the system.

The while loop reads each line of ping output into a variable called "result", prefixes it with the current time from "date", and writes the combined line to the log file.
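As an added example that is not part of the original post, this Python script finds the outage windows in the log the command above produces. Linux ping prints nothing for a lost probe, so an outage shows up as a jump in icmp_seq between two consecutive logged replies; the sample log below is constructed and uses the default "date" format.

```python
import re

# Constructed sample of /home/user/pinglog.txt: replies stop after seq 3 and
# resume at seq 80, then three more probes are lost between seq 81 and 85.
SAMPLE_LOG = """\
Mon Jan 15 10:04:01 UTC 2024: PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
Mon Jan 15 10:04:01 UTC 2024: 64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=10.2 ms
Mon Jan 15 10:04:02 UTC 2024: 64 bytes from 1.1.1.1: icmp_seq=2 ttl=57 time=10.4 ms
Mon Jan 15 10:04:03 UTC 2024: 64 bytes from 1.1.1.1: icmp_seq=3 ttl=57 time=9.8 ms
Mon Jan 15 10:05:20 UTC 2024: 64 bytes from 1.1.1.1: icmp_seq=80 ttl=57 time=11.0 ms
Mon Jan 15 10:05:21 UTC 2024: 64 bytes from 1.1.1.1: icmp_seq=81 ttl=57 time=10.9 ms
Mon Jan 15 10:05:25 UTC 2024: 64 bytes from 1.1.1.1: icmp_seq=85 ttl=57 time=10.1 ms
"""

# Timestamp is everything before the first ": " (the date output has no such
# sequence inside it); only lines carrying an icmp_seq count as replies.
LINE_RE = re.compile(r"^(?P<ts>.+?): .*icmp_seq=(?P<seq>\d+)")

def find_outages(log_text, min_lost=1):
    """Return [(last_reply_ts, first_reply_after_ts, probes_lost), ...]."""
    outages = []
    prev_ts, prev_seq = None, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # PING header line or anything without a sequence number
        ts, seq = m.group("ts"), int(m.group("seq"))
        if prev_seq is not None:
            lost = seq - prev_seq - 1   # probes with no logged reply
            if lost >= min_lost:
                outages.append((prev_ts, ts, lost))
        prev_ts, prev_seq = ts, seq
    return outages

if __name__ == "__main__":
    for start, end, lost in find_outages(SAMPLE_LOG):
        print(f"outage: last reply {start}, next reply {end}, {lost} probes lost")
```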

iOS Configuration Profiles and Certificate Trust Settings

This article describes the steps needed to import a VPN, DNS, or Device Management profile to an iOS or iPadOS device and enable full trust for its certificates.

The configuration profiles allow an administrator to import settings to an iPhone or iPad which can be used for functions like VPN, DNS proxying, MDM, or trusting an internal Certificate Authority.

Recently, I implemented SSL decryption on my firewall, and had to import a self-signed CA certificate into my devices so that it was trusted and SSL/TLS errors didn’t appear within the web browser. There are two main steps for this.

First, send the certificate to the device using a method such as email, Dropbox, AirDrop, or MDM (if the device is already managed). The certificate will appear under Settings -> General -> VPN, DNS, & Device Management. Make sure the cert you imported shows "Verified" when you tap it under the "Configuration Profiles" section.

Next, if you need the device to trust this certificate as a root CA, you must also go to Settings -> General -> About and scroll down to "Certificate Trust Settings". Enable the cert in the "Enable Full Trust For Root Certificates" section.

Now, the device shouldn’t see any browser warnings when SSL decryption is performed using that certificate.

Sophos XG Virtual Firewall – VMware vSwitch Configuration

I recently set up the Sophos firewall as a VM in VMware ESXi 8. Sophos offers this for free to home users, with limits on how much memory and how many CPUs can be used.

When deploying this, or really any other virtual firewall in VMware, there are a few things to consider. First, just like a physical firewall appliance, you'll want at least two physical Ethernet ports on the VMware host so you can use a traditional "inside" and "outside" interface. Next, if your VMware host has multiple Ethernet ports, it is worth identifying which port is which before deploying the VM. This can be done by plugging in one cable at a time on the physical host and checking which port lights up in the VMware console under the Network Management settings. Make a note of which ports they are.

Before deploying the VM, prepare the network settings in VMware. You'll want two separate virtual switches, each associated with its own physical Ethernet port. I created one vSwitch for "inside" and another for "outside". Next, I created two port groups, again one for inside and one for outside, and attached them to the appropriate virtual switch.

Here are the virtual switches:

Here are the Port Groups:

Now, when deploying the VM, add two network adapters and assign one to the inside port group and the other to the outside port group.

MacOS DNS Issue with FortiClient VPN

I have noticed that, at times, when using FortiClient for remote access VPN connections on MacOS, the DNS settings FortiClient adds for DNS resolution over the VPN are not removed after disconnecting from the VPN.

When connecting to the VPN, FortiClient adds an entry under /etc/resolver for the domain name associated with resources behind the tunnel; for example, a resolver for example.com is created there. While on the VPN, this lets the user resolve a hostname such as dc01.example.com. The entry should be removed when the VPN disconnects. If the same domain name is used internally and externally and the resolver is left in place, the system keeps sending queries for that domain to the resolver over the now-disconnected VPN, so subsequent attempts to connect to the VPN itself fail.

If the VPN hostname is vpn.example.com, and the resolver is still there, it fails to resolve and can’t connect to the VPN.

The solution I have found is to go to /etc/resolver, run “ls”, then run “rm example.com” to remove this. After doing this, resolution should use the system DNS servers and work as expected.

Use Palo Alto API and Script to Pull Automated Backup Config Files

Palo Alto has published a helpful article on this topic, but I wanted to add a few additional details. This is useful when you don't have Panorama or a third-party tool with an integrated solution for pulling backup configs from the firewall.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7yCAC

As the article above mentions, the first step is to generate the API key using this format in a browser. Record and maintain this API key once generated.

https://<firewall-ip>/api/?type=keygen&user=<username>&password=<password>

Next, if you are using a Windows machine, download Curl here: https://curl.se/windows/

I extracted this then took the contents and put it in a folder named “Curl” in the C:\ directory. Next, I created a folder for the backup configs named “FirewallBackups” also in the C:\ directory.

Next, I created the following Batch script. Replace 192.168.1.1 with the firewall management IP and API-KEY-HERE with the actual API key. You can also change the directory where the backups are stored as well as the filename.

REM curl.exe lives in c:\Curl\bin (skip this step if curl is on the PATH)
cd c:\Curl\bin\
REM Export the running config; -k skips TLS verification (self-signed mgmt cert). The %DATE%/%TIME% slicing assumes the US format "Ddd MM/DD/YYYY" and "HH:MM"
curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=API-KEY-HERE" > c:\FirewallBackups\PaloAltoFilename-01_Backup%DATE:~10,4%_%DATE:~4,2%_%DATE:~7,2%_%TIME:~0,2%_%TIME:~3,2%.xml

In this script, the first line switches to the directory containing the curl executable; you can instead add curl to the system PATH so it runs from any directory. The end of the filename gets a timestamp so that each run produces a distinct file and earlier backups are not overwritten. The substring syntax (%DATE:~10,4% and so on) is necessary because the default %DATE% and %TIME% values contain "/" and ":", which are not allowed in Windows filenames; the script pulls out the numeric parts and joins them with "_" instead.

Finally, you can run this Batch script on a schedule using Windows Task Scheduler or a third-party tool.
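As an added example (not the Palo Alto article's code or the batch script above), here is a Python variant of the backup step that reads the API key from an environment variable instead of embedding it in the script, and refuses to save the file unless the response is real configuration XML rather than a PAN-OS error response, so an expired key does not silently replace a good backup. The host, paths, environment variable names and the sample responses in the test are assumptions.

```python
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime

FIREWALL = os.environ.get("PAN_HOST", "192.168.1.1")             # mgmt IP from the script above
BACKUP_DIR = os.environ.get("PAN_BACKUP_DIR", r"C:\FirewallBackups")

def backup_filename(now, prefix="PaloAltoFilename-01_Backup"):
    """Same YYYY_MM_DD_HH_MM scheme as the batch script; no ':' so it is Windows-safe."""
    return f"{prefix}{now.strftime('%Y_%m_%d_%H_%M')}.xml"

def is_valid_config(xml_bytes):
    """Accept only well-formed XML that is not a PAN-OS error response.
    A good export is the <config> document; an invalid or expired key comes
    back as <response status="error" ...>, which must not be saved as a backup."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return False
    return not (root.tag == "response" and root.get("status") != "success")

def fetch_config(host, api_key, verify_tls=True):
    """GET the running-configuration export from the PAN-OS XML API."""
    url = f"https://{host}/api/?type=export&category=configuration"
    # Send the key in the X-PAN-KEY header instead of the query string so it
    # does not end up in proxy or web-server access logs.
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for a self-signed mgmt cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read()

if __name__ == "__main__":
    body = fetch_config(FIREWALL, os.environ["PAN_API_KEY"], verify_tls=False)
    if not is_valid_config(body):
        raise SystemExit("API returned an error or non-XML body; backup not saved")
    path = os.path.join(BACKUP_DIR, backup_filename(datetime.now()))
    with open(path, "wb") as f:
        f.write(body)
    print("saved", path)
```

Set PAN_API_KEY (and optionally PAN_HOST and PAN_BACKUP_DIR) in the scheduled task's environment rather than in the script file.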

Fortigate SNMP VPN Tunnel Listing and Monitoring

This article describes how to list all VPN tunnels using SNMP and monitor the status of individual tunnels.

This walk lists all VPN tunnel names with their corresponding OIDs, which can then be monitored individually:

snmpwalk -v2c -c string_here 198.18.254.1 1.3.6.1.4.1.12356.101.12.2.2.1.3

This will monitor one of the VPNs determined from the first output:

snmpwalk -v2c -c string_here 198.18.254.1 1.3.6.1.4.1.12356.101.12.2.2.1.3.2.1

For interface monitoring, you'll need to retrieve the SNMP index number matching the interface you want to monitor. Run these commands on the FortiGate CLI to see the index numbers and match them to the interface:

config system interface
show

Then take the index number and use this base OID:

.1.3.6.1.2.1.2.2.1.8

That will show all of them; pick the interface with the index you want to monitor.

For example, to monitor interface with index 6 use:

.1.3.6.1.2.1.2.2.1.8.6
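As an added example (not from the original post), this Python snippet turns numeric snmpwalk output (snmpwalk -On) from the two walks above into a tunnel-name-to-OID map and an ifIndex-to-ifOperStatus map, which is what a poller needs once the indexes are known; the walk output, tunnel names and indexes are constructed.

```python
import re

TUNNEL_NAME_BASE = ".1.3.6.1.4.1.12356.101.12.2.2.1.3"   # FortiGate VPN tunnel names (walk above)
IF_OPER_STATUS_BASE = ".1.3.6.1.2.1.2.2.1.8"              # IF-MIB ifOperStatus

# Constructed snmpwalk -On output; the numbers after each base OID are the
# table index exactly as the device returns them.
SAMPLE_TUNNEL_WALK = """\
.1.3.6.1.4.1.12356.101.12.2.2.1.3.1.1 = STRING: "ToHQ"
.1.3.6.1.4.1.12356.101.12.2.2.1.3.1.2 = STRING: "ToDR"
"""
SAMPLE_IFSTATUS_WALK = """\
.1.3.6.1.2.1.2.2.1.8.5 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.6 = INTEGER: 2
"""

WALK_RE = re.compile(r'^(?P<oid>\.[\d.]+) = (?P<type>\w+): (?P<value>.*)$')
# IF-MIB ifOperStatus enumeration
IF_STATUS = {1: "up", 2: "down", 3: "testing", 4: "unknown",
             5: "dormant", 6: "notPresent", 7: "lowerLayerDown"}

def parse_walk(text, base):
    """Yield (index_suffix, value) for each walk line directly under base."""
    for line in text.splitlines():
        m = WALK_RE.match(line)
        if m and m.group("oid").startswith(base + "."):
            yield m.group("oid")[len(base) + 1:], m.group("value").strip('"')

def tunnel_oids(walk_text):
    """Map tunnel name -> the single-tunnel OID to poll (base OID + index)."""
    return {name: f"{TUNNEL_NAME_BASE}.{idx}"
            for idx, name in parse_walk(walk_text, TUNNEL_NAME_BASE)}

def interface_status(walk_text):
    """Map ifIndex -> ifOperStatus name, e.g. {6: 'down'}."""
    return {int(idx): IF_STATUS.get(int(val), f"unknown({val})")
            for idx, val in parse_walk(walk_text, IF_OPER_STATUS_BASE)}

if __name__ == "__main__":
    print(tunnel_oids(SAMPLE_TUNNEL_WALK))
    print(interface_status(SAMPLE_IFSTATUS_WALK))
```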

Display FortiGate Policy Name or Comments in FortiAnalyzer Logs

By default, the FortiGate does not send the Policy Name or Comments from the policies in logs to FortiAnalyzer or any remote logging server. This makes troubleshooting more difficult.

You must turn this setting on manually from the Fortigate CLI:

config log setting
set log-policy-comment enable
set log-policy-name enable
end

Temporarily Add Denied Sessions to Session Table to Reduce Resource Utilization and Log Generation

This is an interesting feature available through the Fortigate CLI that I came across.

Below are the commands to enable denied sessions to be added to the session table:

config system settings
set ses-denied-traffic enable
end

For optimum performance, adjust the global block-session-timer:

config system global
set block-session-timer <1-300>   (default = 30)
end

Here is a link to the Fortinet knowledge base with a good description of what this is:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD46328