Networking

A little treat that I hope will help someone at some point, for those with Palo Alto Networks Next Generation Firewalls (NGFW) and Aruba Instant Wi-Fi you can forward syslog messages from the controller to the NGFW and parse them with the profile below to map users to IP addresses.

There is plenty of information on syslog to User-ID at this link for those just getting started: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring.html.

The text strings you will need are:

  • User authenticated
  • username-([a-zA-Z0-9\_\.\@]+)
  • IP-([A-F0-9a-f:.]+)

Having recently moved home I have become a part of the privileged few (hopefully not for long) in the UK to have fibre-to-the-home (FTTH sometimes known as fibre-to-the-premises or FTTP). Not wanting to use the EE provided all in one modem/firewall/router/switch/access point I have a setup that uses the pre-installed BT Openreach Nokia modem (ONT) a pfSense firewall/router along with a Ubiquiti switch and (eventual) pair of Ruckus wireless access points.

From the BT Openreach modem a copper cable (probably Cat6) connects to the WAN interface on my pfSense firewall. EE provide some guides (see links below) that provide some handy pointers but don’t answer all the questions.

EE guide 1 – How do I use my own router for home broadband?
EE guide 2 – What are my home broadband internet settings?

Working out your username (and password)

As described in the guides your username will be in the format PRODUCTIONHQNUN<NUMBERS>@fs after a little bit of poking around the username is the same as the EE account number which can be found at  https://mybroadbandaccount.ee.co.uk/b2cselfcare/b2c/myaccount > select your active account > it’s the number in the round brackets.

For example the username based on the (redacted) account number as shown below could be PRODUCTIONHQNUN48123456@fs.

Your password will have been set when you first signed up for Broadband/your EE account (if you have changed your EE account password since first setting it it’ll likely still be the first password set). If you can’t remember this or don’t know it you will probably have to call 150 to see if it can be recovered (or changed).

Plugging it into pfSense

With this information in hand hop into your WAN interface on pfSense and configure as shown below. Firewall/NAT configuration is out of the scope of this guide but the defaults configured in pfSense will normally work well as is.

Ruckus Cloudpath is quickly turning into one of my favourite add-ons for a wireless network in a residential/University setting. It’s doing this by letting users bring all manner of ‘smart’ devices into an ‘enterprise grade’ network and connect them securely with a personal WPA2 pre shared key.

Even better Cloudpath has loads of options for customizing the onboarding portal – the little tutorial below shows how to change the colour of the font in the footer of the page with a custom CSS file.

ResultIt’s a bit of an odd situation but sometimes you might want to take information from a cloud service in this case Cortex XDR from Palo Alto Networks and drag it into an on premise logging service. This guide will have a look at how to get this log data in as well as parse it such that you can break out the individual fields in the log entry.

In looking at the documentation it appears that the logs are in the Comment Event Format (CEF) but are then wrapped up in syslog for transmission. Although Graylog can absorb CEF directly this additional layer of syslog means we have to take in the syslog and then send the event messages through a processing pipeline in Graylog to extract the CEF data.

So onto the guide – which assume you are familiar with the operation of the Cortex XDR management console and Graylog (shown version is 3.3), for simplicity the code snippet you’ll need is also shown below from GitHub.

Code snippet from the screenshot sequence:

A handy trick I learnt recently from this video (ICX Serial Console Server with Raspberry Pi by Terry Henry) which I’ve condensed into this screenshot guide. In short the ‘screen’ command in Linux can be used to turn any device into a serial console server – very handy if you need ‘out of band’ access to the management console of devices. This can be very handy for Firewalls/Routers/Network Switches where a misconfiguration (and forgetting to set a rollback) can lead to the administrators network connection to the device being cut off.

This guide assumes you have some experience of using the Raspberry Pi (although this will work on many other types of hardware) and Linux.

If you are looking to build out Zone Protection Profiles on your Palo Alto Networks Next Generation Firewall then it can be handy to know just what your connections per second metrics look over time for each zone. Quite lucky Palo Alto Networks have a little (although not entirely descript) guide on where you can get this data – https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html.

With that information in hand it was just a matter of time before working out how to collect this data through PRTG so do follow on with the screenshot guide to find out how!

Handy strings:
1.3.6.1.4.1.25461.2.1.2.3.10
[rowidentifier] Connections Per Second
TCP
UDP
Other IP

Some more information on Zone Protection/Flood Protection: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-zone-protection/flood-protection.html

Not meant as a complete in depth guide but certainly enough to point you in the right direction here’s my list of the most commonly seen (from my point of view) HPE Aruba (e.g. the 2540, 2930F, 5400R series) fibre optics and their respective part numbers:

The format is effectively <Speed> <Fibre Type> <Maximum Range> – <Part Code>

1Gbit Multi Mode 500m – J4858D

1Gbit Single Mode 10km – J4859D

10Gbit Multi Mode 300m – J9150D

10Gbit Single Mode 10km – J9151E

Data from: https://support.hpe.com/hpesc/public/docDisplay?docId=a00028947en_us


Today we have the answer to the question – Without SSL decryption how many threats/attempted vulnerability exploits/other bad stuff will I miss that are coming from the internet at my internally hosted (externally published) web sites and services?
To run some simple tests (which will be detected as malicious attacks) I’m going to be running the Nessus scanner against a website behind a Palo Alto Networks Next Generation Firewall, while we won’t get the same results that might be seen from a ‘determined attacker’ we will get an idea of how things look from the standpoint of a ‘casual attacker’.

In short the answer is you’ll miss a lot – without decryption of traffic coming at your own web servers it’s pretty much impossible to detect attacks (with some minor exceptions) that are hiding inside HTTPS, either way let’s see how it’s done…

Kit list for this testing:

  • An ‘internal’ web service, in this case the web console for PRTG Network Monitor (running on Windows Server)
  • A Palo Alto Networks Next Generation Firewall – a PA-850 running PAN-OS 8.1 with a full suite of licences
  • The Nessus vulnerability scanner

Both the firewall and the web service have been configured to run TLS1.2 with the private key for the certificate on both (which allows the firewall to decrypt the traffic without breaking connections) and the latest firmware/security updates have been applied across the board. Continue reading

Graylog is a brilliant (and Open Source) tool to easily capture logs from a variety of systems including good old fashioned syslog.

In the screenshot guide below you will learn how to use a set of extractors I constructed to parse out useful information from PAN NGFW syslog.

The link to the source files mentioned is: https://github.com/jamesfed/PANOSGraylogExtractor