Monday, May 31, 2021

Installing PaloAlto Certificate on Mobile phones or Computers - Traffic decryption

As you all know, controlling smartphones on a network can be a challenge.

Especially these days, when many mobile applications work with the secured version of HTTP (HTTPS).

One solution that might be useful for many of us is URL filtering.

To do that, firewalls need to perform SSL scanning (decryption) of the HTTPS traffic, because, as you know, HTTPS is encrypted.

You can do the decryption on the firewall, which of course will have some impact on its resources, but if you don't have many users in the decryption policy then that should be fine.

In this post, I'm going to apply a decryption policy using a Palo Alto firewall, which I think is a great firewall.

You can review the creation of the policy in an older post on my blog at this link:

https://pbitccie.blogspot.com/2020/08/ssl-decryption-policy-on-paloalto.html

However, as regards exporting the certificate and installing it on your devices, I will cover that here:

1. In order to export the certificate, go to Device > Certificate Management > Certificates.

2. Select the certificate that was generated by the lab firewall; in my case it shows with the firewall's inside IP address, 10.211.250.253.

3. Choose the Export option at the bottom of the page.

4. A window will open with a drop-down list from which you need to select the file format (.PEM or .DER); one of them is applicable to Windows and iPhone, and the other is for Android-based smartphones.



5. Press OK and the certificate will be downloaded to your local disk.

Now you need to import it on your target device (PC, iPhone, Android phone).

NOTE: on a PC you will need to install it as a trusted certificate.

On an iPhone you can email it to yourself, download it on the phone, then install it from Settings > General > Profiles.

On Android devices it can be installed from the advanced Wi-Fi settings (look it up on Google).


Once all this is done, you can check whether the users' traffic is being decrypted by the firewall:

Go to Monitor > Decryption.

Or go to the URL filtering log and check for the filtered traffic there.

NOTE: make sure the user does not have direct access to the internet, that their IP is included in the decryption policy, and that the security (access) policy applied to them carries the URL filtering options you need (allowed or denied).
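To go with step 4 (the .PEM/.DER choice) and the decryption check above, here is a small helper I added for this post; it is not part of the original procedure or of PAN-OS. It detects and converts the exported certificate's encoding with the standard-library ssl module, and checks from a client whether a site's certificate was issued by the firewall's forward-trust CA. It assumes that CA's commonName is the 10.211.250.253 shown on the certificate page; adjust to whatever name your certificate carries.

```python
import socket
import ssl

# Assumed name of the firewall's forward-trust CA (the inside IP shown in the post).
FIREWALL_CA_CN = "10.211.250.253"

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def detect_format(data: bytes) -> str:
    """Return 'PEM' or 'DER' for the bytes of an exported certificate file."""
    if data.lstrip().startswith(PEM_HEADER):
        return "PEM"
    if data[:1] == b"\x30":  # DER certificates start with an ASN.1 SEQUENCE tag
        return "DER"
    raise ValueError("file is neither PEM nor DER")

def convert(data: bytes, target: str) -> bytes:
    """Re-encode an exported certificate as PEM or DER, whichever the device wants."""
    if target not in ("PEM", "DER"):
        raise ValueError("target must be 'PEM' or 'DER'")
    if detect_format(data) == target:
        return data
    if target == "DER":
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return ssl.DER_cert_to_PEM_cert(data).encode("ascii")

def issuer_cn(peer_cert: dict):
    """Issuer commonName from the dict that SSLSocket.getpeercert() returns, or None."""
    for rdn in peer_cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def decrypted_by_firewall(peer_cert: dict, ca_cn: str = FIREWALL_CA_CN) -> bool:
    """True when the certificate the client received was issued by the firewall CA."""
    return issuer_cn(peer_cert) == ca_cn

def check_site(host: str, port: int = 443) -> bool:
    """Live check from a client behind the firewall (needs network and the installed CA)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return decrypted_by_firewall(tls.getpeercert())
```

If the device does not yet trust the CA, check_site raises ssl.SSLCertVerificationError, which is the same failure the user's apps hit, so it doubles as a test of the certificate install.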


I hope this was helpful to you!


Thanks

Samer R. Saleem




Friday, May 14, 2021

Enable sending PaloAlto Firewall logs to Email Account

If you are using Palo Alto firewalls, which in my experience are great products, you would not want to be connected all the time to check events/threats and monitor everything.

This would be a waste of time, and of course you will not get any more benefit from sitting in front of the screen the whole time.

The other way is to enable log forwarding to an external receiver.

The options available for forwarding the logs are as below:

1. SNMP

2. EMAIL

3. SYSLOG

4. HTTP

To create a log forwarding profile, select the option and click Add:

Go to Objects > Log Forwarding > Add

Now add the information below:

Select from the Log Type drop-down list. I'm selecting Threat, which covers vulnerabilities, viruses and file checking, and this of course will include WildFire submissions, as you can see in my email list below.
A great option to use here is EMAIL: you can send the threats matched by a specific rule to your email inbox.

For example, an important rule such as the inbound rule that allows email to reach the Exchange server, or the security policy rule for the traffic allowed from hosts accessing the internet.

You will be able to get alerts for threats arriving in emails, for example.

Here is how to enable log forwarding to email:

You should see a drop-down list under the Log Forwarding option:



In the end, this is what you will start seeing in your email feed:

The type is threat, then the source IP and destination IP, the name of the policy (in my case INCOMING-EMAIL), and the logset, which is the log type we chose to forward to email.

You can do the same for any policy with log forwarding enabled.

Hope this was useful!

#CCIE #NETWORKSECURITY #PCNSE #PCNSA #PALOALTONETWORKS

Samer R.Saleem



Python-Jinja template configuration generator for Cisco devices and printout configs to external text files

In this post, I worked on collecting code that works with Jinja templates. The nice thing about working with Jinja is that you can have basel...