Logs from the FreeIPA server can be used with the Syslog receiver function of a PAN NGFW to send username-to-IP-address mappings into User-ID, which in turn can be used to create policies based on the user's identity. To extract the data from the logs you will need the parser shown below. I could…
Tag: PAN
Palo Alto Networks Captive Portal, long delay in loading – Sophos agent
When recently deploying the Captive Portal feature of a Palo Alto Networks Next Generation Firewall (NGFW) in testing, we were finding that Apple Macs took 120+ seconds to load the sign-in page. First thoughts jumped to the Apple Captive Network Assistant (CNA) feature not functioning correctly; however, this appeared to be a dead end. Some time and a few packet captures…
Aruba Instant – PAN Syslog Parse Profile
A little treat that I hope will help someone at some point: for those with Palo Alto Networks Next Generation Firewalls (NGFW) and Aruba Instant Wi-Fi, you can forward syslog messages from the controller to the NGFW and parse them with the profile below to map users to IP addresses. There is plenty of information on syslog to User-ID at…
Palo Alto Networks GlobalProtect and Azure AD – AADSTS700016: Application with identifier was not found in the directory.
When setting up a GlobalProtect Portal/Gateway with Azure AD you may find you receive the error message: AADSTS700016: Application with identifier <Entity ID> was not found in the directory ‘<Directory ID>’. The fix here is easy – the GlobalProtect client appends :443 to the end of the domain name, which isn’t mentioned in the guide from Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial) but is…
Palo Alto NGFW, decryption and images in Slack not displaying or uploading
You may find that when doing decryption on a Palo Alto Networks Next Generation Firewall, images in Slack channels are not displayed or are only shown in a very low resolution; in addition, images cannot be uploaded. When inspecting the HTTP error messages in your browser, a 503 response may also be seen. To top off the issue…
Processing Cortex XDR Syslog/CEF with Graylog
It’s a bit of an odd situation, but sometimes you might want to take information from a cloud service, in this case Cortex XDR from Palo Alto Networks, and pull it into an on-premises logging service. This guide will look at how to get this log data in, as well as how to parse it so that you can…
Detecting threats with inbound SSL (TLS) decryption
Today we have the answer to the question: without SSL decryption, how many threats, attempted vulnerability exploits and other bad stuff coming from the internet at my internally hosted (externally published) web sites and services will I miss? To run some simple tests (which will be detected as malicious attacks) I’m going to be running the Nessus scanner against a…
Backing up a Palo Alto Networks Next Generation Firewall with PowerShell
For some time there have been plenty of examples of backing up Palo Alto Networks firewalls with curl commands (extracting the files using the XML API); however, that may not sit well with some Windows administrators who want to use PowerShell. As such, I’ve put together the BackupPANNGFWConfig repo on GitHub, which contains the scripts to get hold of the API…