Category: Palo Alto Networks

I have encountered situations where a customer is needing to route all traffic, including Internet-bound traffic, from a branch location back to a main location to ensure consistent security policies, content filtering, or some other requirement.

In this scenario, let’s assume there is a firewall and ISP at the branch location. Normally, the firewall would have a default route configured that points to the ISP gateway for all Internet traffic. When adding a site to site VPN tunnel on a firewall that uses route-based VPNs and you want to send all traffic across this tunnel, you must create a default route that points to the tunnel interface. Fortinet and Palo Alto are examples of firewalls that use route-based VPNs where this would be applicable.

Because you are changing the default route to point to a site to site VPN, it is critical to also add a specific host route that points to the VPN peer public IP with the ISP gateway as the next hop. This is to ensure that the firewall has a route to the VPN peer instead of only using the default route that points to the VPN interface.

Background: In the past, when using the agentless method of User-ID with a Palo Alto firewall, WMI was used for the firewall to connect to a domain controller and parse Windows security logs to find user to IP mappings. However, on June 14, 2022, Microsoft released patch KB5004442 for Windows Server to address the vulnerability described in CVE-2021-26414. This patch essentially breaks the WMI connection from the firewall to the server. This is described well here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkkfCAA

The new solution is to enable WinRM to be used in place of WMI. This process is very well documented so I won’t go into detail here, but I did want to mention that I had to add the service account used for this into the “Remote Management” group in Active Directory or else it wouldn’t work properly and would show “Access Denied” for the server. The below links are helpful in configuring this and only one of them has the Remote Management Group mentioned.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent

        https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VUICA2&lang=en_US%E2%80%A9

        https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-server-monitoring-using-winrm

  

Palo Alto has put out a helpful article on this topic, but I wanted to add a few additional details. This is necessary when you don’t have Panorama or some other 3rd party tool that doesn’t already have an integrated solution for pulling backup configs from the firewall.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7yCAC

As the article above mentions, the first step is to generate the API key using this format in a browser. Record and maintain this API key once generated.

https://<firewall-ip>/api/?type=keygen&user=<username>&password=<password>

Next, if you are using a Windows machine, download Curl here: https://curl.se/windows/

I extracted this then took the contents and put it in a folder named “Curl” in the C:\ directory. Next, I created a folder for the backup configs named “FirewallBackups” also in the C:\ directory.

Next, I created the following Batch script below. Replace 192.168.1.1 with the firewall management IP and the actual API key. Also, you can change the directory where the backups are stored as well as the filename.

cd c:\Curl\bin\
curl -kG "https://192.168.1.1/api/?type=export&category=configuration&key=API-KEY-HERE" > c:\FirewallBackups\PaloAltoFilename-01_Backup%DATE:~10,4%_%DATE:~4,2%_%DATE:~7,2%_%TIME:~0,2%_%TIME:~3,2%.xml

In this script, it is switching to the directory where the Curl executable is. You can also follow instructions to add Curl to the system path so it runs without having to switch to that specific directory. At the end of the filename, this script will automatically insert the timestamp to differentiate file names and prevent the file from being overwritten each time the backup runs. The formatting around this is necessary because the timestamp by default has the “:” symbol in it which isn’t supported in the Windows filename so it replaces that with “_” instead.

Finally, you can schedule this Batch script to run on a schedule basis using the Windows Scheduler or a third party tool.

It is possible to use the remote access VPN capabilities of a Palo Alto firewall without having a Global Protect license or Global Protect agent (app) on your mobile device. I do want to mention that you get additional capabilities by having the Global Protect license and app such as TAC support, detailed information about the endpoint connecting to the VPN, split tunneling, NAC-type functionality by profiling and enforcing compliance profiles, and more.

This is helpful if you have just a handful of mobile devices where you want the ability to have remote access VPN.

Here is what the configuration looks like to enable this. First you must enable IPSec along with X-Auth support under the Gateway Client Configuration. You set the Group Name and Password and configure the rest of GlobalProtect like you normally would.

On the iOS or Mobile VPN client settings, create a new VPN configuration and use the IPsec/Cisco tab to configure the necessary settings. IPsec and X-Auth must be enabled. The group password field in the Palo Alto is the equivalent of the “secret” field on the iOS VPN client configuration.

This will also work with the native VPN agent on macOS.