Tag: PaloAlto

LAB – ISE jako radius dla PaloAlto dla kont Admina

Posted on 10 maja, 2016 in Cisco, Lab, Palo Alto

Po dłuższej przerwie wróciłem do integracji Cisco ISE 2.0 z Palo Alto Networks wykorzystując Radiusa z ISE jako punkt uwierzytelniania kont administracyjnych. Wiem, że zapewne większość autoryzacji kont administracyjnych opiera się o LDAP oraz AD. Natomiast ja jak zawszę muszę kombinować i komplikować scenariusze do labowania, ale dzięki takiemu podejściu jestem w stanie bardziej poznać oba systemy.

Konfiguracja ISE

przechodzimy do Policy –> Policy Elements –> Dictationaries wybieramy system –> radius —RADIUS Vendors. Tutaj będzie nam pomocny link– gdzie mamy opisane atrybuty.
klikamy add

Dictionary Name: PaloAlto – nasza nazwa
Vendor ID: 25461

klikamy submit

przechodzimy do nowo utworzonego profilu po czym przechodzimy do Dictionary Attributes. Klikamy add
zgodnie z dokumentacją PaloAlto. W tej chwili będzie nam potrzebny jeden atrybut

Attribute Name: PaloAlto-Admin-Role
Data Type: String
Direction: Both
ID: 1
W kroku kolejnym tworzymy profil dla urządzań typu PaloAlto. Przechodzimy do Administration –> Network Resources –> Network Device Profiles klikamy Add

Dodajemy nasze urządzenie do ISE, przechodzimy do Administration –> Network Resources –> Network Devices klikamy Add

Podajemy dane:
Name: nazwę dla naszego urządzenia
IP Address: podajemy adres ip, z którego nasze urządzenie będzie się komunikowało z serwerem ISE
Device Profile: wybieramy nasz profil dla urządzeń Palo
Device Type: ja stworzyłem oddzielne repo dla urządzęń tego typu
Location: również podzieliłem na lokalizację
Wybieramy: RADIUS Authentication Settings
w polu Shared Secret wpisujemy nasze hasło, które będzie wykorzystywane do połączenia PALO do ISE

Wybieramy grupę AD, w której będą użytkownicy mogący zalogować się na Palo

Przechodzimy do Administration –> Indetity Management –> External Identity Soures, wybieramy Active Direcory oraz nasz punkt spięcia z naszym AD. Tam wybieramy Groups, dodajemy Add z menu Select Dictionary Groups po czym otworzy się okno, w którym możemy wyszukać naszą grupę dodając ją do ISE.

Tworzymy profil dozwolonych protokołów komunikacji PALO ISE, przechodzimy do Policy –> Policy Elements –> Results –> Authentication –> Allowed Protocols, klikamy Add

Tworzymy profil autoryzacyjny, przechodzimy do Policy –> Policy Elements –> Results –> Authorization –> Authoriztion Profiles, kliamy Add

w polu Advanced Attributes Settings wybieramy z menu PaloAlto –> PaloAlto-Admin-Role, w polu obok wpisujemy nazwę naszego profilu z Palo, który później zostanie skonfigurowany na Palo.

W polu Attributes Details mamy taki wynik:


Access Type = ACCESS_ACCEPT
PaloAlto-Admin-Role = admin-radius

Access Type = ACCESS_ACCEPT

PaloAlto-Admin-Role = admin-radius

przechodzimy do utworzenia reguły autoryzacyjnej, gdzie idziemy do Polcy –> Authorization

dodajemy nową rulę gdzie:
Rule Name: nasza nazwa reguły
warunki:
If ANY and ISE-SRV:memberOf maches CN=PA-admin-full,CN=Users,DC=safekom,DC=pl
and DEVICE:Device Type Equals Device Type#All Device Types#Palo
then Palo-auth

Konfiguracja Palo

Prszyszedł czas na konfigurację naszego Palo. Po zalogowaniu się przechodzimy do Device –> Server Profiles –> Radius, dodajemy nowy profil z ISE

gdzie:

Profil Name: nasz profil Radiusa

w polu servers dodajemy nasze serwery radiusa (w mym przypadku jest to jeden serwer)

Name: nasza nazwa rozpoznawcza

RADIUS Server: adres IP lub FQDN naszego radiusa

Secret: nasze ustawione hasło

Port: Standardowo 1812

CLI


set shared server-profile radius ISE server ISE01 secret -AQ==gPzxJUAM1wLKKOPC5tJg+lHyn0A=aloUXPMeEZ6yM/xJpgEVLA==
set shared server-profile radius ISE server ISE01 port 1812
set shared server-profile radius ISE server ISE01 ip-address 192.168.1.55

set shared server-profile radius ISE server ISE01 secret -AQ==gPzxJUAM1wLKKOPC5tJg+lHyn0A=aloUXPMeEZ6yM/xJpgEVLA==

set shared server-profile radius ISE server ISE01 port 1812

set shared server-profile radius ISE server ISE01 ip-address 192.168.1.55

Tworzymy profil Admin Roles – dzięki temu profilowi możliwe będzie zalogowanie się użytkownika z odpowiednimi uprawnieniami.

W tym miejscu ważne jest aby nazwa profilu była taka sama jak zdefiniowaliśmy ją na serwerze ISE admin-radius

Cli


set shared admin-role admin-radius role device cli superuser
set shared admin-role admin-radius role device webui dashboard enable
set shared admin-role admin-radius role device webui acc enable
set shared admin-role admin-radius role device webui monitor logs traffic enable
set shared admin-role admin-radius role device webui monitor logs threat enable
set shared admin-role admin-radius role device webui monitor logs url enable
set shared admin-role admin-radius role device webui monitor logs wildfire enable
set shared admin-role admin-radius role device webui monitor logs data-filtering enable
set shared admin-role admin-radius role device webui monitor logs hipmatch enable
set shared admin-role admin-radius role device webui monitor logs configuration enable
set shared admin-role admin-radius role device webui monitor logs system enable
set shared admin-role admin-radius role device webui monitor logs alarm enable
set shared admin-role admin-radius role device webui monitor automated-correlation-engine correlation-objects enable
set shared admin-role admin-radius role device webui monitor automated-correlation-engine correlated-events enable
set shared admin-role admin-radius role device webui monitor packet-capture enable
set shared admin-role admin-radius role device webui monitor app-scope enable
set shared admin-role admin-radius role device webui monitor session-browser enable
set shared admin-role admin-radius role device webui monitor botnet enable
set shared admin-role admin-radius role device webui monitor pdf-reports manage-pdf-summary enable
set shared admin-role admin-radius role device webui monitor pdf-reports pdf-summary-reports enable
set shared admin-role admin-radius role device webui monitor pdf-reports user-activity-report enable
set shared admin-role admin-radius role device webui monitor pdf-reports saas-application-usage-report enable
set shared admin-role admin-radius role device webui monitor pdf-reports report-groups enable
set shared admin-role admin-radius role device webui monitor pdf-reports email-scheduler enable
set shared admin-role admin-radius role device webui monitor custom-reports application-statistics enable
set shared admin-role admin-radius role device webui monitor custom-reports data-filtering-log enable
set shared admin-role admin-radius role device webui monitor custom-reports threat-log enable
set shared admin-role admin-radius role device webui monitor custom-reports threat-summary enable
set shared admin-role admin-radius role device webui monitor custom-reports traffic-log enable
set shared admin-role admin-radius role device webui monitor custom-reports traffic-summary enable
set shared admin-role admin-radius role device webui monitor custom-reports url-log enable
set shared admin-role admin-radius role device webui monitor custom-reports url-summary enable
set shared admin-role admin-radius role device webui monitor custom-reports hipmatch enable
set shared admin-role admin-radius role device webui monitor custom-reports wildfire-log enable
set shared admin-role admin-radius role device webui monitor view-custom-reports enable
set shared admin-role admin-radius role device webui monitor application-reports enable
set shared admin-role admin-radius role device webui monitor threat-reports enable
set shared admin-role admin-radius role device webui monitor url-filtering-reports enable
set shared admin-role admin-radius role device webui monitor traffic-reports enable
set shared admin-role admin-radius role device webui policies security-rulebase enable
set shared admin-role admin-radius role device webui policies nat-rulebase enable
set shared admin-role admin-radius role device webui policies qos-rulebase enable
set shared admin-role admin-radius role device webui policies pbf-rulebase enable
set shared admin-role admin-radius role device webui policies ssl-decryption-rulebase enable
set shared admin-role admin-radius role device webui policies application-override-rulebase enable
set shared admin-role admin-radius role device webui policies captive-portal-rulebase enable
set shared admin-role admin-radius role device webui policies dos-rulebase enable
set shared admin-role admin-radius role device webui objects addresses enable
set shared admin-role admin-radius role device webui objects address-groups enable
set shared admin-role admin-radius role device webui objects regions enable
set shared admin-role admin-radius role device webui objects applications enable
set shared admin-role admin-radius role device webui objects application-groups enable
set shared admin-role admin-radius role device webui objects application-filters enable
set shared admin-role admin-radius role device webui objects services enable
set shared admin-role admin-radius role device webui objects service-groups enable
set shared admin-role admin-radius role device webui objects tags enable
set shared admin-role admin-radius role device webui objects global-protect hip-objects enable
set shared admin-role admin-radius role device webui objects global-protect hip-profiles enable
set shared admin-role admin-radius role device webui objects dynamic-block-lists enable
set shared admin-role admin-radius role device webui objects custom-objects data-patterns enable
set shared admin-role admin-radius role device webui objects custom-objects spyware enable
set shared admin-role admin-radius role device webui objects custom-objects vulnerability enable
set shared admin-role admin-radius role device webui objects custom-objects url-category enable
set shared admin-role admin-radius role device webui objects security-profiles antivirus enable
set shared admin-role admin-radius role device webui objects security-profiles anti-spyware enable
set shared admin-role admin-radius role device webui objects security-profiles vulnerability-protection enable
set shared admin-role admin-radius role device webui objects security-profiles url-filtering enable
set shared admin-role admin-radius role device webui objects security-profiles file-blocking enable
set shared admin-role admin-radius role device webui objects security-profiles wildfire-analysis enable
set shared admin-role admin-radius role device webui objects security-profiles data-filtering enable
set shared admin-role admin-radius role device webui objects security-profiles dos-protection enable
set shared admin-role admin-radius role device webui objects security-profile-groups enable
set shared admin-role admin-radius role device webui objects log-forwarding enable
set shared admin-role admin-radius role device webui objects decryption-profile enable
set shared admin-role admin-radius role device webui objects schedules enable
set shared admin-role admin-radius role device webui network interfaces enable
set shared admin-role admin-radius role device webui network zones enable
set shared admin-role admin-radius role device webui network vlans enable
set shared admin-role admin-radius role device webui network virtual-wires enable
set shared admin-role admin-radius role device webui network virtual-routers enable
set shared admin-role admin-radius role device webui network ipsec-tunnels enable
set shared admin-role admin-radius role device webui network dhcp enable
set shared admin-role admin-radius role device webui network dns-proxy enable
set shared admin-role admin-radius role device webui network global-protect portals enable
set shared admin-role admin-radius role device webui network global-protect gateways enable
set shared admin-role admin-radius role device webui network global-protect mdm enable
set shared admin-role admin-radius role device webui network global-protect device-block-list enable
set shared admin-role admin-radius role device webui network qos enable
set shared admin-role admin-radius role device webui network lldp enable
set shared admin-role admin-radius role device webui network network-profiles gp-app-ipsec-crypto enable
set shared admin-role admin-radius role device webui network network-profiles ike-gateways enable
set shared admin-role admin-radius role device webui network network-profiles ipsec-crypto enable
set shared admin-role admin-radius role device webui network network-profiles ike-crypto enable
set shared admin-role admin-radius role device webui network network-profiles tunnel-monitor enable
set shared admin-role admin-radius role device webui network network-profiles interface-mgmt enable
set shared admin-role admin-radius role device webui network network-profiles zone-protection enable
set shared admin-role admin-radius role device webui network network-profiles qos-profile enable
set shared admin-role admin-radius role device webui network network-profiles lldp-profile enable
set shared admin-role admin-radius role device webui network network-profiles bfd-profile enable
set shared admin-role admin-radius role device webui device setup management enable
set shared admin-role admin-radius role device webui device setup operations enable
set shared admin-role admin-radius role device webui device setup services enable
set shared admin-role admin-radius role device webui device setup content-id enable
set shared admin-role admin-radius role device webui device setup wildfire enable
set shared admin-role admin-radius role device webui device setup session enable
set shared admin-role admin-radius role device webui device setup hsm enable
set shared admin-role admin-radius role device webui device high-availability enable
set shared admin-role admin-radius role device webui device config-audit enable
set shared admin-role admin-radius role device webui device administrators read-only
set shared admin-role admin-radius role device webui device admin-roles read-only
set shared admin-role admin-radius role device webui device authentication-profile enable
set shared admin-role admin-radius role device webui device authentication-sequence enable
set shared admin-role admin-radius role device webui device user-identification enable
set shared admin-role admin-radius role device webui device vm-info-source enable
set shared admin-role admin-radius role device webui device certificate-management certificates enable
set shared admin-role admin-radius role device webui device certificate-management certificate-profile enable
set shared admin-role admin-radius role device webui device certificate-management ocsp-responder enable
set shared admin-role admin-radius role device webui device certificate-management ssl-tls-service-profile enable
set shared admin-role admin-radius role device webui device certificate-management scep enable
set shared admin-role admin-radius role device webui device block-pages enable
set shared admin-role admin-radius role device webui device log-settings system enable
set shared admin-role admin-radius role device webui device log-settings config enable
set shared admin-role admin-radius role device webui device log-settings hipmatch enable
set shared admin-role admin-radius role device webui device log-settings cc-alarm enable
set shared admin-role admin-radius role device webui device log-settings manage-log enable
set shared admin-role admin-radius role device webui device server-profile snmp-trap enable
set shared admin-role admin-radius role device webui device server-profile syslog enable
set shared admin-role admin-radius role device webui device server-profile email enable
set shared admin-role admin-radius role device webui device server-profile netflow enable
set shared admin-role admin-radius role device webui device server-profile radius enable
set shared admin-role admin-radius role device webui device server-profile tacplus enable
set shared admin-role admin-radius role device webui device server-profile ldap enable
set shared admin-role admin-radius role device webui device server-profile kerberos enable
set shared admin-role admin-radius role device webui device local-user-database users enable
set shared admin-role admin-radius role device webui device local-user-database user-groups enable
set shared admin-role admin-radius role device webui device scheduled-log-export enable
set shared admin-role admin-radius role device webui device software enable
set shared admin-role admin-radius role device webui device global-protect-client enable
set shared admin-role admin-radius role device webui device dynamic-updates enable
set shared admin-role admin-radius role device webui device licenses enable
set shared admin-role admin-radius role device webui device support enable
set shared admin-role admin-radius role device webui device master-key enable
set shared admin-role admin-radius role device webui privacy show-full-ip-addresses enable
set shared admin-role admin-radius role device webui privacy show-user-names-in-logs-and-reports enable
set shared admin-role admin-radius role device webui privacy view-pcap-files enable
set shared admin-role admin-radius role device webui validate enable
set shared admin-role admin-radius role device webui commit enable
set shared admin-role admin-radius role device webui global system-alarms enable
set shared admin-role admin-radius role device xmlapi report enable
set shared admin-role admin-radius role device xmlapi log enable
set shared admin-role admin-radius role device xmlapi config enable
set shared admin-role admin-radius role device xmlapi op enable
set shared admin-role admin-radius role device xmlapi commit enable
set shared admin-role admin-radius role device xmlapi user-id enable
set shared admin-role admin-radius role device xmlapi export enable
set shared admin-role admin-radius role device xmlapi import enable

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

set shared admin-role admin-radius role device cli superuser

set shared admin-role admin-radius role device webui dashboard enable

set shared admin-role admin-radius role device webui acc enable

set shared admin-role admin-radius role device webui monitor logs traffic enable

set shared admin-role admin-radius role device webui monitor logs threat enable

set shared admin-role admin-radius role device webui monitor logs url enable

set shared admin-role admin-radius role device webui monitor logs wildfire enable

set shared admin-role admin-radius role device webui monitor logs data-filtering enable

set shared admin-role admin-radius role device webui monitor logs hipmatch enable

set shared admin-role admin-radius role device webui monitor logs configuration enable

set shared admin-role admin-radius role device webui monitor logs system enable

set shared admin-role admin-radius role device webui monitor logs alarm enable

set shared admin-role admin-radius role device webui monitor automated-correlation-engine correlation-objects enable

set shared admin-role admin-radius role device webui monitor automated-correlation-engine correlated-events enable

set shared admin-role admin-radius role device webui monitor packet-capture enable

set shared admin-role admin-radius role device webui monitor app-scope enable

set shared admin-role admin-radius role device webui monitor session-browser enable

set shared admin-role admin-radius role device webui monitor botnet enable

set shared admin-role admin-radius role device webui monitor pdf-reports manage-pdf-summary enable

set shared admin-role admin-radius role device webui monitor pdf-reports pdf-summary-reports enable

set shared admin-role admin-radius role device webui monitor pdf-reports user-activity-report enable

set shared admin-role admin-radius role device webui monitor pdf-reports saas-application-usage-report enable

set shared admin-role admin-radius role device webui monitor pdf-reports report-groups enable

set shared admin-role admin-radius role device webui monitor pdf-reports email-scheduler enable

set shared admin-role admin-radius role device webui monitor custom-reports application-statistics enable

set shared admin-role admin-radius role device webui monitor custom-reports data-filtering-log enable

set shared admin-role admin-radius role device webui monitor custom-reports threat-log enable

set shared admin-role admin-radius role device webui monitor custom-reports threat-summary enable

set shared admin-role admin-radius role device webui monitor custom-reports traffic-log enable

set shared admin-role admin-radius role device webui monitor custom-reports traffic-summary enable

set shared admin-role admin-radius role device webui monitor custom-reports url-log enable

set shared admin-role admin-radius role device webui monitor custom-reports url-summary enable

set shared admin-role admin-radius role device webui monitor custom-reports hipmatch enable

set shared admin-role admin-radius role device webui monitor custom-reports wildfire-log enable

set shared admin-role admin-radius role device webui monitor view-custom-reports enable

set shared admin-role admin-radius role device webui monitor application-reports enable

set shared admin-role admin-radius role device webui monitor threat-reports enable

set shared admin-role admin-radius role device webui monitor url-filtering-reports enable

set shared admin-role admin-radius role device webui monitor traffic-reports enable

set shared admin-role admin-radius role device webui policies security-rulebase enable

set shared admin-role admin-radius role device webui policies nat-rulebase enable

set shared admin-role admin-radius role device webui policies qos-rulebase enable

set shared admin-role admin-radius role device webui policies pbf-rulebase enable

set shared admin-role admin-radius role device webui policies ssl-decryption-rulebase enable

set shared admin-role admin-radius role device webui policies application-override-rulebase enable

set shared admin-role admin-radius role device webui policies captive-portal-rulebase enable

set shared admin-role admin-radius role device webui policies dos-rulebase enable

set shared admin-role admin-radius role device webui objects addresses enable

set shared admin-role admin-radius role device webui objects address-groups enable

set shared admin-role admin-radius role device webui objects regions enable

set shared admin-role admin-radius role device webui objects applications enable

set shared admin-role admin-radius role device webui objects application-groups enable

set shared admin-role admin-radius role device webui objects application-filters enable

set shared admin-role admin-radius role device webui objects services enable

set shared admin-role admin-radius role device webui objects service-groups enable

set shared admin-role admin-radius role device webui objects tags enable

set shared admin-role admin-radius role device webui objects global-protect hip-objects enable

set shared admin-role admin-radius role device webui objects global-protect hip-profiles enable

set shared admin-role admin-radius role device webui objects dynamic-block-lists enable

set shared admin-role admin-radius role device webui objects custom-objects data-patterns enable

set shared admin-role admin-radius role device webui objects custom-objects spyware enable

set shared admin-role admin-radius role device webui objects custom-objects vulnerability enable

set shared admin-role admin-radius role device webui objects custom-objects url-category enable

set shared admin-role admin-radius role device webui objects security-profiles antivirus enable

set shared admin-role admin-radius role device webui objects security-profiles anti-spyware enable

set shared admin-role admin-radius role device webui objects security-profiles vulnerability-protection enable

set shared admin-role admin-radius role device webui objects security-profiles url-filtering enable

set shared admin-role admin-radius role device webui objects security-profiles file-blocking enable

set shared admin-role admin-radius role device webui objects security-profiles wildfire-analysis enable

set shared admin-role admin-radius role device webui objects security-profiles data-filtering enable

set shared admin-role admin-radius role device webui objects security-profiles dos-protection enable

set shared admin-role admin-radius role device webui objects security-profile-groups enable

set shared admin-role admin-radius role device webui objects log-forwarding enable

set shared admin-role admin-radius role device webui objects decryption-profile enable

set shared admin-role admin-radius role device webui objects schedules enable

set shared admin-role admin-radius role device webui network interfaces enable

set shared admin-role admin-radius role device webui network zones enable

set shared admin-role admin-radius role device webui network vlans enable

set shared admin-role admin-radius role device webui network virtual-wires enable

set shared admin-role admin-radius role device webui network virtual-routers enable

set shared admin-role admin-radius role device webui network ipsec-tunnels enable

set shared admin-role admin-radius role device webui network dhcp enable

set shared admin-role admin-radius role device webui network dns-proxy enable

set shared admin-role admin-radius role device webui network global-protect portals enable

set shared admin-role admin-radius role device webui network global-protect gateways enable

set shared admin-role admin-radius role device webui network global-protect mdm enable

set shared admin-role admin-radius role device webui network global-protect device-block-list enable

set shared admin-role admin-radius role device webui network qos enable

set shared admin-role admin-radius role device webui network lldp enable

set shared admin-role admin-radius role device webui network network-profiles gp-app-ipsec-crypto enable

set shared admin-role admin-radius role device webui network network-profiles ike-gateways enable

set shared admin-role admin-radius role device webui network network-profiles ipsec-crypto enable

set shared admin-role admin-radius role device webui network network-profiles ike-crypto enable

set shared admin-role admin-radius role device webui network network-profiles tunnel-monitor enable

set shared admin-role admin-radius role device webui network network-profiles interface-mgmt enable

set shared admin-role admin-radius role device webui network network-profiles zone-protection enable

set shared admin-role admin-radius role device webui network network-profiles qos-profile enable

set shared admin-role admin-radius role device webui network network-profiles lldp-profile enable

set shared admin-role admin-radius role device webui network network-profiles bfd-profile enable

set shared admin-role admin-radius role device webui device setup management enable

set shared admin-role admin-radius role device webui device setup operations enable

set shared admin-role admin-radius role device webui device setup services enable

set shared admin-role admin-radius role device webui device setup content-id enable

set shared admin-role admin-radius role device webui device setup wildfire enable

set shared admin-role admin-radius role device webui device setup session enable

set shared admin-role admin-radius role device webui device setup hsm enable

set shared admin-role admin-radius role device webui device high-availability enable

set shared admin-role admin-radius role device webui device config-audit enable

set shared admin-role admin-radius role device webui device administrators read-only

set shared admin-role admin-radius role device webui device admin-roles read-only

set shared admin-role admin-radius role device webui device authentication-profile enable

set shared admin-role admin-radius role device webui device authentication-sequence enable

set shared admin-role admin-radius role device webui device user-identification enable

set shared admin-role admin-radius role device webui device vm-info-source enable

set shared admin-role admin-radius role device webui device certificate-management certificates enable

set shared admin-role admin-radius role device webui device certificate-management certificate-profile enable

set shared admin-role admin-radius role device webui device certificate-management ocsp-responder enable

set shared admin-role admin-radius role device webui device certificate-management ssl-tls-service-profile enable

set shared admin-role admin-radius role device webui device certificate-management scep enable

set shared admin-role admin-radius role device webui device block-pages enable

set shared admin-role admin-radius role device webui device log-settings system enable

set shared admin-role admin-radius role device webui device log-settings config enable

set shared admin-role admin-radius role device webui device log-settings hipmatch enable

set shared admin-role admin-radius role device webui device log-settings cc-alarm enable

set shared admin-role admin-radius role device webui device log-settings manage-log enable

set shared admin-role admin-radius role device webui device server-profile snmp-trap enable

set shared admin-role admin-radius role device webui device server-profile syslog enable

set shared admin-role admin-radius role device webui device server-profile email enable

set shared admin-role admin-radius role device webui device server-profile netflow enable

set shared admin-role admin-radius role device webui device server-profile radius enable

set shared admin-role admin-radius role device webui device server-profile tacplus enable

set shared admin-role admin-radius role device webui device server-profile ldap enable

set shared admin-role admin-radius role device webui device server-profile kerberos enable

set shared admin-role admin-radius role device webui device local-user-database users enable

set shared admin-role admin-radius role device webui device local-user-database user-groups enable

set shared admin-role admin-radius role device webui device scheduled-log-export enable

set shared admin-role admin-radius role device webui device software enable

set shared admin-role admin-radius role device webui device global-protect-client enable

set shared admin-role admin-radius role device webui device dynamic-updates enable

set shared admin-role admin-radius role device webui device licenses enable

set shared admin-role admin-radius role device webui device support enable

set shared admin-role admin-radius role device webui device master-key enable

set shared admin-role admin-radius role device webui privacy show-full-ip-addresses enable

set shared admin-role admin-radius role device webui privacy show-user-names-in-logs-and-reports enable

set shared admin-role admin-radius role device webui privacy view-pcap-files enable

set shared admin-role admin-radius role device webui validate enable

set shared admin-role admin-radius role device webui commit enable

set shared admin-role admin-radius role device webui global system-alarms enable

set shared admin-role admin-radius role device xmlapi report enable

set shared admin-role admin-radius role device xmlapi log enable

set shared admin-role admin-radius role device xmlapi config enable

set shared admin-role admin-radius role device xmlapi op enable

set shared admin-role admin-radius role device xmlapi commit enable

set shared admin-role admin-radius role device xmlapi user-id enable

set shared admin-role admin-radius role device xmlapi export enable

set shared admin-role admin-radius role device xmlapi import enable

Tworzymy profil dla Authentication Profile, gdzie będziemy wykorzystywać nasz profil dla ISE:

w Type wybieramy RADIUS
Server Profile wybieramy nasz profil ISE
W Advanced
w Allow List dajemy all

Cli


set shared authentication-profile ISE method radius server-profile ISE
set shared authentication-profile ISE allow-list all
set shared authentication-profile ISE lockout lockout-time 1
set shared authentication-profile ISE lockout failed-attempts 5

set shared authentication-profile ISE method radius server-profile ISE

set shared authentication-profile ISE allow-list all

set shared authentication-profile ISE lockout lockout-time 1

set shared authentication-profile ISE lockout failed-attempts 5

Po wykonaniu commitu próbujemy zalogować się do urządzenia po ssh

w logach PA widzimy:

Web

wyszukujemy po:


( object eq auth )

( object eq auth )

lub jak niżej na screenie:


( eventid eq auth-success )

( eventid eq auth-success )

Jak chcemy wyszukać błędne autoryzacje stosujemy filtr:


( eventid eq auth-fail )

( eventid eq auth-fail )

CLI


michal-adminpa@PA-VM> show log system eventid equal auth-success
Time                Severity Subtype Object EventID ID Description
===============================================================================
2016/05/10 13:00:16 info     general auth   auth-su 0  authenticated for user 'michal-adminpa'.   auth profile 'auth', vsys 'shared', server profile
 'ISE', server address '192.168.1.55', From: 192.168.1.10.

michal-adminpa@PA-VM> show log system eventid equal auth-success

Time Severity Subtype Object EventID ID Description

===============================================================================

2016/05/10 13:00:16 info general auth auth-su 0 authenticated for user 'michal-adminpa'. auth profile 'auth', vsys 'shared', server profile

'ISE', server address '192.168.1.55', From: 192.168.1.10.

Taki użytkownik nie może dodawać kont lokalnych i modyfikować ich oraz dodawać/modyfkować Admin Rulses tak jak widać niżej pola add oraz delete mam wyszarzane:

Aby umożliwić dostęp na pełnych prawach musimy utworzyć konto Administratora:

gdzie Name jest naszym userem, który jest w Radiusie.

CLI


set mgt-config users michal permissions role-based superuser yes
set mgt-config users michal authentication-profile ISE

set mgt-config users michal permissions role-based superuser yes

set mgt-config users michal authentication-profile ISE

Po takim zabiegu mamy konto z full uprawnieniami, zalogowany administrator już może modyfikować Admin Roles

Poprzednie wpisy dotyczące ISE:

Tags: 25461, aaa, admin, admin-role, authentication-profile, Cisco ISE 2.0, Dictionary, ISE, Palo Alto Networks, PaloAlto, Radius, server-profile, user, Vendor ID: 25461

Palo – AD 2012 user maping

Posted on 20 września, 2015 in Lab, Palo Alto

Poniżej opis jak podłączyć Palo do AD 2012 w celu pozyskania użytkowników do Autoryzacji SSH, WEB GUI.

Kontroler domeny windows 2012r poziom AD 2012

AD01- 192.168.1.199

User- pa-admin-user

domena- safekom.pl

Konfiguracja Palo:

Device –> Server Profiles –> LDAP

Gdzie w servers podajemy namiary na kontrolery domeny, w mym przypadku jest to jeden serwer. Na chwilę obecną korzystam z LDAP bez SSL. W polu Domain wpisujemy nazwę NETBIOS domeny, w kolejnym polu wybieramy Active-Directory. W polu Base podajemy w formacie LDAP (X.500) czyli DC=safekom, dc=pl, w polu Bind DN podajemy usera który może czytać drzewo LDAP, w dokumentacji jest aby pole podawać w formacie X.500 a zastosowałem user@domena.pl, pole Bind Password – hasło do użytkownika.

to co wyżej ale z CLI:


set shared server-profile ldap AD-Safekom server ad01 address 192.168.1.199
set shared server-profile ldap AD-Safekom server ad01 port 389
set shared server-profile ldap AD-Safekom ldap-type active-directory
set shared server-profile ldap AD-Safekom bind-dn pa-admin-user@safekom.pl
set shared server-profile ldap AD-Safekom bind-password Password_DLA_Usera-pa-admin-user
set shared server-profile ldap AD-Safekom base "dc=safekom, dc=pl"
set shared server-profile ldap AD-Safekom ssl no
set shared server-profile ldap AD-Safekom domain safekom

set shared server-profile ldap AD-Safekom server ad01 address 192.168.1.199

set shared server-profile ldap AD-Safekom server ad01 port 389

set shared server-profile ldap AD-Safekom ldap-type active-directory

set shared server-profile ldap AD-Safekom bind-dn pa-admin-user@safekom.pl

set shared server-profile ldap AD-Safekom bind-password Password_DLA_Usera-pa-admin-user

set shared server-profile ldap AD-Safekom base "dc=safekom, dc=pl"

set shared server-profile ldap AD-Safekom ssl no

set shared server-profile ldap AD-Safekom domain safekom

Kolejnym krokiem jest wybranie grup w AD które będą przeszukiwane. Przechodzimy do Device–>User Identification –> Group Mapping Settings, dodajemy nowy profil:

Gdzie:

Name – dowolna nazwa profilu

Server profile – wybieramy profil który utworzyliśmy dla serwera LDAP

przechodzimy do zakładki Group Include List gdzie wybieramy grupy AD które mają być przeszukiwane.

To co wyżej ale z CLI:


set group-mapping safekom group-object group
set group-mapping safekom group-name name
set group-mapping safekom group-member member
set group-mapping safekom user-object person
set group-mapping safekom user-name sAMAccountName
set group-mapping safekom email mail
set group-mapping safekom server-profile AD-Safekom
set group-mapping safekom update-interval 60
set group-mapping safekom group-include-list "cn=domain users,cn=users,dc=safekom, dc=pl"

set group-mapping safekom group-object group

set group-mapping safekom group-name name

set group-mapping safekom group-member member

set group-mapping safekom user-object person

set group-mapping safekom user-name sAMAccountName

set group-mapping safekom email mail

set group-mapping safekom server-profile AD-Safekom

set group-mapping safekom update-interval 60

set group-mapping safekom group-include-list "cn=domain users,cn=users,dc=safekom, dc=pl"

Tworzymy użytkownika który może zalogować się po SSH oraz WEB GUI

Pierwszym krokiem będzie utworzenie profilu Authentication Profile.

Gdzie:

Name – to dowolna nasza nazwa

w polu Allow List wybieramy grupę z AD która ma być sprawdzana autoryzację użytkownika.

Authentication – wybieramy LDAP

Server Profile – Nasz profil

To co wyżej ale z CLI:


set shared authentication-profile AD method ldap server-profile AD-Safekom
set shared authentication-profile AD method ldap login-attribute sAMAccountName
set shared authentication-profile AD allow-list cn=users,cn=builtin,dc=safekom,dc=pl

set shared authentication-profile AD method ldap server-profile AD-Safekom

set shared authentication-profile AD method ldap login-attribute sAMAccountName

set shared authentication-profile AD allow-list cn=users,cn=builtin,dc=safekom,dc=pl

Przechodzimy do Administrators gdzie mapujemy użytkowania.

gdzie:

Name: użytkownik z AD

Roule: Dynamic – Superuser

To co wyżej ale z CLI:


set mgt-config users miwanczuk permissions role-based superuser yes
set mgt-config users miwanczuk authentication-profile AD

set mgt-config users miwanczuk permissions role-based superuser yes

set mgt-config users miwanczuk authentication-profile AD

Kolejnym krokiem będzie pozyskanie IP użytkowników ale to będzie w kolejnym wpisie na blogu

Tags: ad, maping, Palo, Palo Alto Networks, PaloAlto, user

LAB – IPSEC SRX <--> PALO

Posted on 30 sierpnia, 2015 in Juniper, Lab, Palo Alto

Dziś przyszedł czas na lab z wykorzystaniem urządzeń Juniper SRX oraz Palo Alto Networks. Skupię się w tym wpisie na skonfigurowaniu połączenia VPN Ipsec pomiędzy tymi urządzeniami.

założenia:

Faza 1	aes256 sha-1 pfs g2 3600s
Faza 2	aes256 sha-1 pfs g2 3600s

	Palo	SRX
Sieci które będą podlegały szyfrowaniu	10.20.10.0/24	10.10.10.0/24

	Palo	SRX
Interfejs z adresem tzw. publicznym	192.168.1.210/24	192.168.1.2/24

Konfiguracja SRX

Faza1


set security ike proposal IKE-phase1-LAB02 authentication-method pre-shared-keys
set security ike proposal IKE-phase1-LAB02 dh-group group2
set security ike proposal IKE-phase1-LAB02 authentication-algorithm sha1
set security ike proposal IKE-phase1-LAB02 encryption-algorithm aes-256-cbc
set security ike proposal IKE-phase1-LAB02 lifetime-seconds 3600

set security ike policy ike-phase1-LAB02 mode main
set security ike policy ike-phase1-LAB02 proposals IKE-phase1-LAB02
set security ike policy ike-phase1-LAB02 pre-shared-key ascii-text Qwert678!


set security ike gateway gw-Palo-lab ike-policy ike-phase1-LAB02
set security ike gateway gw-Palo-lab address 192.168.1.210
set security ike gateway gw-Palo-lab external-interface fe-0/0/7
set security ike gateway gw-Palo-lab local-address 192.168.1.2

set security ike proposal IKE-phase1-LAB02 authentication-method pre-shared-keys

set security ike proposal IKE-phase1-LAB02 dh-group group2

set security ike proposal IKE-phase1-LAB02 authentication-algorithm sha1

set security ike proposal IKE-phase1-LAB02 encryption-algorithm aes-256-cbc

set security ike proposal IKE-phase1-LAB02 lifetime-seconds 3600

set security ike policy ike-phase1-LAB02 mode main

set security ike policy ike-phase1-LAB02 proposals IKE-phase1-LAB02

set security ike policy ike-phase1-LAB02 pre-shared-key ascii-text Qwert678!

set security ike gateway gw-Palo-lab ike-policy ike-phase1-LAB02

set security ike gateway gw-Palo-lab address 192.168.1.210

set security ike gateway gw-Palo-lab external-interface fe-0/0/7

set security ike gateway gw-Palo-lab local-address 192.168.1.2

Faza 2


set security ipsec proposal ipsec-phase2-lab02 protocol esp
set security ipsec proposal ipsec-phase2-lab02 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-lab02 encryption-algorithm aes-256-cbc


set security ipsec policy ipsec-phase2-lab02-polcy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-lab02-polcy proposals ipsec-phase2-lab01


set security ipsec vpn ike-vpn-palo ike gateway gw-Palo-lab
set security ipsec vpn ike-vpn-palo ike proxy-identity local 10.10.10.0/24
set security ipsec vpn ike-vpn-palo ike proxy-identity remote 10.20.1.0/24
set security ipsec vpn ike-vpn-palo ike proxy-identity service any
set security ipsec vpn ike-vpn-palo ike ipsec-policy ipsec-phase2-lab01-polcy
set security ipsec vpn ike-vpn-palo establish-tunnels immediately

set security ipsec proposal ipsec-phase2-lab02 protocol esp

set security ipsec proposal ipsec-phase2-lab02 authentication-algorithm hmac-sha1-96

set security ipsec proposal ipsec-phase2-lab02 encryption-algorithm aes-256-cbc

set security ipsec policy ipsec-phase2-lab02-polcy perfect-forward-secrecy keys group2

set security ipsec policy ipsec-phase2-lab02-polcy proposals ipsec-phase2-lab01

set security ipsec vpn ike-vpn-palo ike gateway gw-Palo-lab

set security ipsec vpn ike-vpn-palo ike proxy-identity local 10.10.10.0/24

set security ipsec vpn ike-vpn-palo ike proxy-identity remote 10.20.1.0/24

set security ipsec vpn ike-vpn-palo ike proxy-identity service any

set security ipsec vpn ike-vpn-palo ike ipsec-policy ipsec-phase2-lab01-polcy

set security ipsec vpn ike-vpn-palo establish-tunnels immediately

Konfiguracja polityki vpn

Dodanie obiektów


set security address-book global address SRX_LAN_10.10.10.0 10.10.10.0/24
set security address-book global address Palo_LAN_10.20.1.0 10.20.1.0/24

set security address-book global address SRX_LAN_10.10.10.0 10.10.10.0/24

set security address-book global address Palo_LAN_10.20.1.0 10.20.1.0/24

Konfiguracja polityki z Trust do Untrust


set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match source-address SRX_LAN_10.10.10.0
set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match destination-address Palo_LAN_10.20.1.0
set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match application any
set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 then permit tunnel ipsec-vpn ike-vpn-palo

set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match source-address SRX_LAN_10.10.10.0

set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match destination-address Palo_LAN_10.20.1.0

set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 match application any

set security policies from-zone trust to-zone untrust policy vpn-tr-untr02 then permit tunnel ipsec-vpn ike-vpn-palo

Konfiguracja polityki z Untrust do Trust


set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match source-address Palo_LAN_10.20.1.0
set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match destination-address SRX_LAN_10.10.10.0
set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match application any
set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 then permit tunnel ipsec-vpn ike-vpn-palo

set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match source-address Palo_LAN_10.20.1.0

set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match destination-address SRX_LAN_10.10.10.0

set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 match application any

set security policies from-zone untrust to-zone trust policy vpn-untr-tr02 then permit tunnel ipsec-vpn ike-vpn-palo

Konfiguracja Palo

Konfiguracja IKE Proposal

Web:

CLI:


set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX hash sha1
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX dh-group group2
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX encryption aes256
set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX lifetime hours 1

set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX hash sha1

set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX dh-group group2

set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX encryption aes256

set network ike crypto-profiles ike-crypto-profiles IKE-Proposal-SRX lifetime hours 1

Konfiguracja IPSEC Propsal

Web:

Cli:


set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX dh-group group2

set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX esp authentication sha1

set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX esp encryption aes256

set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX lifetime hours 1

set network ike crypto-profiles ipsec-crypto-profiles IPSEC-Proposal-SRX dh-group group2

Konfiguracja Fazy 1

Web:

Cli:


set network ike gateway IKE-SRX-GW protocol ikev1 dpd enable no
set network ike gateway IKE-SRX-GW protocol ikev1 ike-crypto-profile IKE-Proposal-SRX
set network ike gateway IKE-SRX-GW protocol ikev1 exchange-mode main
set network ike gateway IKE-SRX-GW local-address interface ethernet1/1
set network ike gateway IKE-SRX-GW local-address ip 192.168.1.210/24
set network ike gateway IKE-SRX-GW authentication pre-shared-key key Qwert678!
set network ike gateway IKE-SRX-GW protocol-common nat-traversal enable no
set network ike gateway IKE-SRX-GW protocol-common fragmentation enable no
set network ike gateway IKE-SRX-GW protocol-common passive-mode yes
set network ike gateway IKE-SRX-GW peer-address ip 192.168.1.2

set network ike gateway IKE-SRX-GW protocol ikev1 dpd enable no

set network ike gateway IKE-SRX-GW protocol ikev1 ike-crypto-profile IKE-Proposal-SRX

set network ike gateway IKE-SRX-GW protocol ikev1 exchange-mode main

set network ike gateway IKE-SRX-GW local-address interface ethernet1/1

set network ike gateway IKE-SRX-GW local-address ip 192.168.1.210/24

set network ike gateway IKE-SRX-GW authentication pre-shared-key key Qwert678!

set network ike gateway IKE-SRX-GW protocol-common nat-traversal enable no

set network ike gateway IKE-SRX-GW protocol-common fragmentation enable no

set network ike gateway IKE-SRX-GW protocol-common passive-mode yes

set network ike gateway IKE-SRX-GW peer-address ip 192.168.1.2

Konfiguracja Fazy 2:

Konfiguracja zony VPN

Web:

Cli


set zone VPN network layer3

set zone VPN network layer3

Utworzenie interfejsu tunel z przypisaniem do zony VPN

Web:

Cli


set network interface tunnel interface-management-profile mgmnt
set zone VPN network layer3 tunnel

set network interface tunnel interface-management-profile mgmnt

set zone VPN network layer3 tunnel

Utworzenie profilu IPSEC

Web:

Dodanie proxy id

Cli:


set network tunnel ipsec IPSEC-PALO_SRX auto-key ike-gateway IKE-SRX-GW 
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx protocol any 
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx local 10.20.1.0/24
set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx remote 10.10.10.0/24
set network tunnel ipsec IPSEC-PALO_SRX auto-key ipsec-crypto-profile IPSEC-Proposal-SRX
set network tunnel ipsec IPSEC-PALO_SRX tunnel-monitor enable no
set network tunnel ipsec IPSEC-PALO_SRX tunnel-interface tunnel

set network tunnel ipsec IPSEC-PALO_SRX auto-key ike-gateway IKE-SRX-GW

set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx protocol any

set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx local 10.20.1.0/24

set network tunnel ipsec IPSEC-PALO_SRX auto-key proxy-id palo-srx remote 10.10.10.0/24

set network tunnel ipsec IPSEC-PALO_SRX auto-key ipsec-crypto-profile IPSEC-Proposal-SRX

set network tunnel ipsec IPSEC-PALO_SRX tunnel-monitor enable no

set network tunnel ipsec IPSEC-PALO_SRX tunnel-interface tunnel

Dodanie routingu w kierunku SRX na Palo

Cli:


set network virtual-router default routing-table ip static-route vpn-srx interface tunnel
set network virtual-router default routing-table ip static-route vpn-srx metric 10
set network virtual-router default routing-table ip static-route vpn-srx destination 10.10.10.0/24

set network virtual-router default routing-table ip static-route vpn-srx interface tunnel

set network virtual-router default routing-table ip static-route vpn-srx metric 10

set network virtual-router default routing-table ip static-route vpn-srx destination 10.10.10.0/24

Dodanie polityk fw na Palo

Polityka z Trust to VPN

Cli:


set rulebase security rules vpn-srx to VPN
set rulebase security rules vpn-srx from trust
set rulebase security rules vpn-srx source any
set rulebase security rules vpn-srx destination any
set rulebase security rules vpn-srx source-user any
set rulebase security rules vpn-srx category any
set rulebase security rules vpn-srx application any
set rulebase security rules vpn-srx service application-default
set rulebase security rules vpn-srx hip-profiles any
set rulebase security rules vpn-srx action allow

set rulebase security rules vpn-srx to VPN

set rulebase security rules vpn-srx from trust

set rulebase security rules vpn-srx source any

set rulebase security rules vpn-srx destination any

set rulebase security rules vpn-srx source-user any

set rulebase security rules vpn-srx category any

set rulebase security rules vpn-srx application any

set rulebase security rules vpn-srx service application-default

set rulebase security rules vpn-srx hip-profiles any

set rulebase security rules vpn-srx action allow

Polityka z VPN to Trust


set rulebase security rules vpn-to-palo to trust
set rulebase security rules vpn-to-palo from VPN
set rulebase security rules vpn-to-palo source any
set rulebase security rules vpn-to-palo destination any
set rulebase security rules vpn-to-palo source-user any
set rulebase security rules vpn-to-palo category any
set rulebase security rules vpn-to-palo application any
set rulebase security rules vpn-to-palo service application-default
set rulebase security rules vpn-to-palo hip-profiles any
set rulebase security rules vpn-to-palo action allow
set rulebase security rules vpn-to-palo log-start yes

set rulebase security rules vpn-to-palo to trust

set rulebase security rules vpn-to-palo from VPN

set rulebase security rules vpn-to-palo source any

set rulebase security rules vpn-to-palo destination any

set rulebase security rules vpn-to-palo source-user any

set rulebase security rules vpn-to-palo category any

set rulebase security rules vpn-to-palo application any

set rulebase security rules vpn-to-palo service application-default

set rulebase security rules vpn-to-palo hip-profiles any

set rulebase security rules vpn-to-palo action allow

set rulebase security rules vpn-to-palo log-start yes

Sprawdzenie działania VPN

SRX:

Faza 1


root@srx_lab> show security ike security-associations               
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
2430487 UP     51c22bb643895b79  afa9078ec7b25980  Main           192.168.1.210   

root@srx_lab> show security ike security-associations detail 
IKE peer 192.168.1.210, Index 2430487, Gateway Name: gw-Palo-lab
  Role: Initiator, State: UP
  Initiator cookie: 51c22bb643895b79, Responder cookie: afa9078ec7b25980
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 192.168.1.2:500, Remote: 192.168.1.210:500
  Lifetime: Expires in 1966 seconds
  Peer ike-id: 192.168.1.210
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96 
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                  672
   Output bytes  :                 1208
   Input  packets:                    4
   Output packets:                    6
  Flags: IKE SA is created 
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 192.168.1.2:500, Remote: 192.168.1.210:500
    Local identity: 192.168.1.2         
    Remote identity: 192.168.1.210
    Flags: IKE SA is created

root@srx_lab> show security ike security-associations

Index State Initiator cookie Responder cookie Mode Remote Address

2430487 UP 51c22bb643895b79 afa9078ec7b25980 Main 192.168.1.210

root@srx_lab> show security ike security-associations detail

IKE peer 192.168.1.210, Index 2430487, Gateway Name: gw-Palo-lab

Role: Initiator, State: UP

Initiator cookie: 51c22bb643895b79, Responder cookie: afa9078ec7b25980

Exchange type: Main, Authentication method: Pre-shared-keys

Local: 192.168.1.2:500, Remote: 192.168.1.210:500

Lifetime: Expires in 1966 seconds

Peer ike-id: 192.168.1.210

Xauth assigned IP: 0.0.0.0

Algorithms:

Authentication : hmac-sha1-96

Encryption : aes256-cbc

Pseudo random function: hmac-sha1

Diffie-Hellman group : DH-group-2

Traffic statistics:

Input bytes : 672

Output bytes : 1208

Input packets: 4

Output packets: 6

Flags: IKE SA is created

IPSec security associations: 1 created, 0 deleted

Phase 2 negotiations in progress: 0

Negotiation type: Quick mode, Role: Initiator, Message ID: 0

Local: 192.168.1.2:500, Remote: 192.168.1.210:500

Local identity: 192.168.1.2

Remote identity: 192.168.1.210

Flags: IKE SA is created

Faza 2


root@srx_lab> show security ipsec security-associations            
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <3    ESP:aes-cbc-256/sha1 6ac39d90 2004/  4607995 - root 500 192.168.1.201   
  >3    ESP:aes-cbc-256/sha1 3d8b1728 2004/  4607995 - root 500 192.168.1.201   
  <2    ESP:aes-cbc-256/sha1 197758a2 1994/ unlim - root 500  192.168.1.210   
  >2    ESP:aes-cbc-256/sha1 9c6bae7b 1994/ unlim - root 500  192.168.1.210   

root@srx_lab> show security ipsec security-associations index 2 
  ID: 2 Virtual-system: root, VPN Name: ike-vpn-palo
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.210
  Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.20.1.0/24)
  Version: IKEv1
    DF-bit: clear
    Policy-name: vpn-tr-untr02
  Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600829 
  Last Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 197758a2, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1988 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1366 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 9c6bae7b, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1988 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1366 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

root@srx_lab> show security ipsec security-associations

Total active tunnels: 2

ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway

<3 ESP:aes-cbc-256/sha1 6ac39d90 2004/ 4607995 - root 500 192.168.1.201

>3 ESP:aes-cbc-256/sha1 3d8b1728 2004/ 4607995 - root 500 192.168.1.201

<2 ESP:aes-cbc-256/sha1 197758a2 1994/ unlim - root 500 192.168.1.210

>2 ESP:aes-cbc-256/sha1 9c6bae7b 1994/ unlim - root 500 192.168.1.210

root@srx_lab> show security ipsec security-associations index 2

ID: 2 Virtual-system: root, VPN Name: ike-vpn-palo

Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.210

Local Identity: ipv4_subnet(any:0,[0..7]=10.10.10.0/24)

Remote Identity: ipv4_subnet(any:0,[0..7]=10.20.1.0/24)

Version: IKEv1

DF-bit: clear

Policy-name: vpn-tr-untr02

Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600829

Last Tunnel Down Reason: SA not initiated

Direction: inbound, SPI: 197758a2, AUX-SPI: 0

, VPN Monitoring: -

Hard lifetime: Expires in 1988 seconds

Lifesize Remaining: Unlimited

Soft lifetime: Expires in 1366 seconds

Mode: Tunnel(0 0), Type: dynamic, State: installed

Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)

Anti-replay service: counter-based enabled, Replay window size: 64

Direction: outbound, SPI: 9c6bae7b, AUX-SPI: 0

, VPN Monitoring: -

Hard lifetime: Expires in 1988 seconds

Lifesize Remaining: Unlimited

Soft lifetime: Expires in 1366 seconds

Mode: Tunnel(0 0), Type: dynamic, State: installed

Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)

Anti-replay service: counter-based enabled, Replay window size: 64

Palo

Faza 1


admin@PA-VM> show vpn ike-sa gateway IKE-SRX-GW 

phase-1 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm          Established     Expiration      V  ST Xt Phase2
--------------- ------------           ------------           ---- ---- ---------          -----------     ----------      -  -- -- ------
              1 192.168.1.2            IKE-SRX-GW             Resp Main PSK/DH2/A256/SHA1 Aug.30 14:26:34 Aug.30 15:26:34 v1 12  2      1 

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

phase-2 SAs
GwID/client IP  Peer-Address           Gateway Name           Role Algorithm               SPI(in)  SPI(out) MsgID    ST Xt
--------------- ------------           ------------           ---- ---------               -------  -------- -----    -- --
              1 192.168.1.2            IKE-SRX-GW             Resp DH2 /tunl/ESP/A256/SHA1 9C6BAE7B 197758A2 552A3DCF  9  1 

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

admin@PA-VM> show vpn ike-sa gateway IKE-SRX-GW

phase-1 SAs

GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2

--------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------

1 192.168.1.2 IKE-SRX-GW Resp Main PSK/DH2/A256/SHA1 Aug.30 14:26:34 Aug.30 15:26:34 v1 12 2 1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

phase-2 SAs

GwID/client IP Peer-Address Gateway Name Role Algorithm SPI(in) SPI(out) MsgID ST Xt

--------------- ------------ ------------ ---- --------- ------- -------- ----- -- --

1 192.168.1.2 IKE-SRX-GW Resp DH2 /tunl/ESP/A256/SHA1 9C6BAE7B 197758A2 552A3DCF 9 1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

Faza 2


admin@PA-VM> show vpn ipsec-sa tunnel IPSEC-PALO_SRX:palo-srx 

GwID/client IP  TnID Peer-Address           Tunnel(Gateway)                                Algorithm     SPI(in)  SPI(out) life(Sec/KB)
--------------- ---- ------------           ---------------                                ---------     -------  -------- ------------
              1    1 192.168.1.2            IPSEC-PALO_SRX:palo-srx(IKE-SRX-GW)            ESP/A256/SHA1 9C6BAE7B 197758A2   1650/0

Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

admin@PA-VM> show vpn ipsec-sa tunnel IPSEC-PALO_SRX:palo-srx

GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)

--------------- ---- ------------ --------------- --------- ------- -------- ------------

1 1 192.168.1.2 IPSEC-PALO_SRX:palo-srx(IKE-SRX-GW) ESP/A256/SHA1 9C6BAE7B 197758A2 1650/0

Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

Tags: cli, faza, ipsec, Juniper, pa srx ipsec, Palo, Palo Alto Networks, PaloAlto, phase, srx, vpn

SafeKom Blog

Notatki konsultanta IT

Tag: PaloAlto

LAB – ISE jako radius dla PaloAlto dla kont Admina

Konfiguracja ISE

Konfiguracja Palo

Palo – AD 2012 user maping

LAB – IPSEC SRX <--> PALO

założenia:

Konfiguracja SRX

Konfiguracja Palo

Sprawdzenie działania VPN