Wednesday, December 13, 2023

PANOS decryption tip

I was troubleshooting something with an org a while back where they needed to do decryption for just one "URL", but matching on the FQDN's IP address matched numerous sites.

So let's use example.com, where the following:

www.example.com

www.example.net

www.example.org

and www.example.edu

all map to the same single IP address: 93.184.216.34

kfelix@kfelixs-MacBook-Air ~ % host www.example.com 

www.example.com has address 93.184.216.34

www.example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946

kfelix@kfelixs-MacBook-Air ~ % host www.example.net

www.example.net has address 93.184.216.34

www.example.net has IPv6 address 2606:2800:220:1:248:1893:25c8:1946

kfelix@kfelixs-MacBook-Air ~ % host www.example.org

www.example.org has address 93.184.216.34

www.example.org has IPv6 address 2606:2800:220:1:248:1893:25c8:1946

kfelix@kfelixs-MacBook-Air ~ % host www.example.edu

www.example.edu has address 93.184.216.34

www.example.edu has IPv6 address 2606:2800:220:1:248:1893:25c8:1946

kfelix@kfelixs-MacBook-Air ~ % 


So let's say you want to decrypt traffic to www.example.com and not the others.

Do not use a decryption rule with an IP or FQDN address object as the destination in the decryption rule: every one of those hostnames resolves to the same address, so the rule would match all of them.

You should use a "custom URL" category instead. Here are a few screenshots of how that would look from the web UI.

1st, the wrong method was deployed (they had used an FQDN address object).

Now the method was changed to use a custom URL list; the destination field for IP was left as ANY.

Now www.example.net was not decrypted when the user initiated traffic to that "URL", based on the traffic log.

But https://www.example.com was decrypted when the user initiated traffic to that "URL".
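The same over-match worked through in code, as an added example that is not part of the original post: the DNS table is constructed from the host lookups above, and the two rule types are modelled as IP matching (FQDN address object) versus TLS SNI matching (custom URL category).

```python
# Added example, not from the original post: why a decryption rule keyed on an
# FQDN/IP address object over-matches when several hostnames share one IP, and
# why matching on the TLS SNI hostname (what a custom URL category keys on)
# does not. The DNS table is constructed from the host lookups shown above.
from dataclasses import dataclass

# Constructed DNS table: all four names resolve to the same address
DNS = {
    "www.example.com": "93.184.216.34",
    "www.example.net": "93.184.216.34",
    "www.example.org": "93.184.216.34",
    "www.example.edu": "93.184.216.34",
}


@dataclass(frozen=True)
class Flow:
    dst_ip: str  # destination IP of the TLS connection
    sni: str     # hostname from the TLS ClientHello server_name extension


def fqdn_object_rule(fqdn: str):
    """Rule using an FQDN address object: the firewall resolves the FQDN and
    matches on the resulting IP, so it cannot tell the hostnames apart."""
    resolved = DNS[fqdn]
    return lambda flow: flow.dst_ip == resolved


def custom_url_rule(hostnames):
    """Rule using a custom URL category: matched against the SNI hostname,
    with the destination address left as ANY."""
    hosts = {h.lower().rstrip(".") for h in hostnames}
    return lambda flow: flow.sni.lower().rstrip(".") in hosts


def decrypted_hosts(rule, flows):
    """Sorted list of SNI hostnames the given rule would decrypt."""
    return sorted(f.sni for f in flows if rule(f))


# One TLS flow per hostname, each going to the shared IP
FLOWS = [Flow(DNS[h], h) for h in DNS]

if __name__ == "__main__":
    print("FQDN object:", decrypted_hosts(fqdn_object_rule("www.example.com"), FLOWS))
    print("custom URL :", decrypted_hosts(custom_url_rule({"www.example.com"}), FLOWS))
```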









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \


Tuesday, November 28, 2023

Certificate types

In this blog, we will look at 4 certificate types.

1st up, PEM, which is a base64 format. This format can include a certificate and a key; if a key is included and it's protected, it would have the wording "PRIVATE KEY" in the file.

e.g.

"-----BEGIN PRIVATE KEY-----"

dddddddjhfjkfjfkfjfkskdjdkjkdjdd

djkdjkjdkdjdkjfkjfkrjfkerjkejfejfioewjfewijfewq

djeqfjeqkwjhfkqejfkejfkjfkeqjefq

"-----END PRIVATE KEY-----"

Next up, PFX (privacy exchange), also known as PKCS12. Same as above, it can hold certificate(s) and a key, and the file format is binary. You will need a passcode to decode it. It's a common export format on Windows or macOS. The extension for the file format would be .pfx

Last, we have DER (Digital Encoding Rules); it's also binary, and you will commonly see these with the name ending in .der

We also have PKCS#7, but it's rarely used and typically does not contain any keying information.
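A small triage routine for the formats above, as an added example that is not from the original post: it tells PEM apart from the binary ASN.1 containers (PFX/PKCS12, DER, PKCS#7) and, for PEM, reports whether a private key is present and passphrase-protected. The sample inputs are constructed placeholders.

```python
# Added example, not from the original post: a triage routine that tells the
# formats above apart from file contents. PEM is text with "-----BEGIN <LABEL>"
# armour; PFX/PKCS12, DER certificates and PKCS#7 are all binary ASN.1 DER, so
# a binary file is reported as "DER/PKCS12/PKCS7" (telling those apart needs an
# ASN.1 parser such as openssl). The sample inputs are constructed.
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
                       re.DOTALL)


def identify(data: bytes) -> dict:
    """Report the container format plus, for PEM, the block labels and whether
    a private key is present and passphrase-protected."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [lbl.decode() for lbl, _ in blocks]
        has_key = any("PRIVATE KEY" in lbl for lbl in labels)
        # PKCS#8 protected keys use the ENCRYPTED PRIVATE KEY label; legacy
        # OpenSSL "RSA PRIVATE KEY" blocks carry a Proc-Type: 4,ENCRYPTED header.
        encrypted = any(lbl.startswith("ENCRYPTED") for lbl in labels) or any(
            b"Proc-Type: 4,ENCRYPTED" in body for _, body in blocks)
        return {"format": "PEM", "labels": labels,
                "has_private_key": has_key, "key_encrypted": encrypted}
    # Every DER-encoded certificate, PKCS12 or PKCS7 file starts with an ASN.1
    # SEQUENCE tag (0x30) followed by its length.
    if len(data) > 2 and data[0] == 0x30:
        return {"format": "DER/PKCS12/PKCS7", "labels": [],
                "has_private_key": None, "key_encrypted": None}
    return {"format": "unknown", "labels": [],
            "has_private_key": None, "key_encrypted": None}


# Constructed samples: the base64 bodies are placeholders, not real material
PEM_CERT_AND_KEY = (b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
                    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE...\n"
                    b"-----END ENCRYPTED PRIVATE KEY-----\n")
PEM_LEGACY_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: AES-256-CBC,0011...\n\nMIIE...\n-----END RSA PRIVATE KEY-----\n")
DER_LIKE = bytes([0x30, 0x82, 0x03, 0x1A]) + b"\x02\x01\x02"  # SEQUENCE, long-form length

if __name__ == "__main__":
    for sample in (PEM_CERT_AND_KEY, PEM_LEGACY_KEY, DER_LIKE, b"not a cert"):
        print(identify(sample))
```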





Saturday, November 11, 2023

How to use a FortiOS API user with certificates ( fortios api )

I worked with an issue a few months back where someone had changed the client key and did not update their Postman or the API clients.

1st, if using the Postman app, you need to add the certificate and key files under Settings > Certificates.

https://en.wikipedia.org/wiki/Postman_(software)

e.g.

The passphrase in real life should be something much stronger than test1234.

Here's a simple API call for the path api/v2/cmdb/system/global

Using curl, you can simulate the above by pointing at the API user cert/key files on the command line and entering the passphrase when prompted. Note that -k disables verification of the FortiGate's server certificate, so --cacert has no effect while -k is present; drop -k once the server certificate validates against your root CA.


example1

curl -v --cacert ./rootCA_crt.pem --cert ./api.crt --key ./api.key -k "https://api.socpuppets.com/api/v2/cmdb/system/global?access_token=j1dc14rbyftN44QzdqhjN70sGcGsw8" --tlsv1.2

example2 ( bundle cert+key into one PEM file and use -E )

curl -E api.bundle -k "https://api.socpuppets.com/api/v2/cmdb/system/global?access_token=j1dc14rbyftN44QzdqhjN70sGcGsw8" --tlsv1.2

example3 cert+key bundle, but supply the passphrase on the command line in one pass ( the passphrase then ends up in shell history and process listings )

curl -E api.bundle:test1234 -k "https://api.socpuppets.com/api/v2/cmdb/system/global?access_token=j1dc14rbyftN44QzdqhjN70sGcGsw8" --tlsv1.2





Always ensure the API client key passphrase is secured and strong.

Use the following debug on the FortiGate if you suspect a bad certificate during mTLS:

   diag debug reset

   diag debug en

   diag debug application httpsd -1

You should see lines similar to the following ( my API user name = apiuserken ):

[httpsd 6544 - 1699755801     info] fweb_debug_init[430] -- User-Agent: "PostmanRuntime/7.35.0"

[httpsd 6544 - 1699755801     info] fweb_debug_init[432] -- Handler "api_cmdb_v2-handler" assigned to request

[httpsd 6544 - 1699755801     info] _peer_auth_certificate_valid[180] -- Api-key + certificate login successful for apiuserken via pki peer apiuserken

[httpsd 6544 - 1699755801  warning] api_access_check_for_api_key[687] -- API Key request authorized for apiuserken from 9.4.19.7.

[httpsd 6544 - 1699755801     info] api_store_parameter[323] -- add API parameter 'access_token' (type=string)

[httpsd 6544 - 1699755801     info] api_cmdb_request_init_by_path[1800] -- new CMDB query (path='system',name='global')

[httpsd 6544 - 1699755801     info] api_generate_and_add_etag[1826] -- Per VDOM ETags: [ "vdom: r
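A parser for the debug lines above, as an added example that is not from the original post: it folds one request's httpsd output into the facts that matter when the client cert or key has changed (did the cert map to a PKI peer, which user, from which IP, which CMDB path). The sample lines are copied from the post; the message formats come from one FortiOS build, so the regexes are an assumption for other versions.

```python
# Added example, not from the original post: fold the httpsd debug lines shown
# above into a summary of what matters for an mTLS problem: did the client cert
# map to a PKI peer, which API user/peer, from which source IP, and what path.
# The sample lines are copied from the post; the message formats are from a
# single FortiOS build, so the regexes are an assumption for other versions.
import re

LINE = re.compile(r"^\[httpsd (?P<pid>\d+) - (?P<ts>\d+)\s+(?P<level>\w+)\] "
                  r"(?P<func>\w+)\[\d+\] -- (?P<msg>.*)$")
PEER_OK = re.compile(r"certificate login successful for (\S+) via pki peer (\S+)")
KEY_OK = re.compile(r"API Key request authorized for (\S+) from (\d+(?:\.\d+){3})")
CMDB = re.compile(r"path='([^']+)',name='([^']+)'")


def summarize(lines):
    """Return a dict describing one request's authentication as seen by httpsd.
    peer_auth_ok stays False if no certificate-login line is present, which is
    the first thing to check when the client cert or key has changed."""
    s = {"peer_auth_ok": False, "api_user": None, "pki_peer": None,
         "src_ip": None, "cmdb_path": None, "levels": set()}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrelated line
        s["levels"].add(m["level"])
        msg = m["msg"]
        if (p := PEER_OK.search(msg)):
            s["peer_auth_ok"], s["api_user"], s["pki_peer"] = True, p[1], p[2]
        elif (k := KEY_OK.search(msg)):
            s["api_user"] = s["api_user"] or k[1]
            s["src_ip"] = k[2]
        elif (c := CMDB.search(msg)):
            s["cmdb_path"] = f"{c[1]}/{c[2]}"
    return s


# Sample lines taken from the debug output above
SAMPLE = """
[httpsd 6544 - 1699755801     info] fweb_debug_init[430] -- User-Agent: "PostmanRuntime/7.35.0"
[httpsd 6544 - 1699755801     info] _peer_auth_certificate_valid[180] -- Api-key + certificate login successful for apiuserken via pki peer apiuserken
[httpsd 6544 - 1699755801  warning] api_access_check_for_api_key[687] -- API Key request authorized for apiuserken from 9.4.19.7.
[httpsd 6544 - 1699755801     info] api_cmdb_request_init_by_path[1800] -- new CMDB query (path='system',name='global')
""".strip().splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```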


Typical API user configuration enabled for PKI:


longisland # show user group api-pki

config user group

    edit "api-pki"

        set member "apiuserken"

    next

end


longisland # show user peer apiuserken

config user peer

    edit "apiuserken"

        set mandatory-ca-verify disable

        set ca "ACME_CA_Cert_1"

    next

end


longisland # show sys api-user apiuserken 

config system api-user

    edit "apiuserken"

        set api-key ENC SH2pULD0pHAvU3P/IVgWdW8cDJhxFURU+rNuid335YYU9v65WAXRL/eYm4rSmU=

        set accprofile "super_admin"

        set vdom "root"

        set peer-auth enable

        set peer-group "api-pki"

    next

end















Friday, November 10, 2023

48min later my PA-220 is upgraded to 10.2.7

One of my biggest complaints with PanOS: upgrades take a considerable amount of time. Take this simple PA-220 upgrade to 10.2.7; it took way over 45 mins.

The following firewalls are much quicker:

Cisco ASA

FortiGate

Forcepoint

Check Point

So always plan for extra time when upgrading a Palo Alto firewall. The four-digit (quad-digit) model appliances do upgrade quicker, from my experience. The only other vendor that is just as slow would be Juniper.










Friday, October 27, 2023

Forticlient vs Globalprotect differences

In this blog I will discuss a few items that differ between FTNT and PANW with regard to VPN clients.

1: GlobalProtect uses a portal with a list of various gateways. The gateways are where your SSL or IPsec VPN clients terminate, so think of it as a distributed gateway.

Fortinet is manual: you have to define each gateway.

2: With GlobalProtect, if you need to use a RADIUS server that is not reachable via the MGMT interface and have defined local admin authentication against an existing RADIUS server, you can set a service route for RADIUS on a data-plane interface.

For Fortinet, you can source the RADIUS server from any interface.

3: GlobalProtect does not support Linux/Chrome/mobile devices without a GlobalProtect gateway license.

FortiGate does not care; it supports numerous clients with no additional license.

4: The GlobalProtect SSL VPN client does not support DTLS.

FortiClient SSL VPN can use TCP or UDP.

5: GlobalProtect has a fallback from IPsec ( default ) to SSL if the former has quality issues.

FortiClient has no dual-mode fallback.










Monday, October 16, 2023

CHKP proxy-id narrowing IKEv2

With CHKP and VPN, your traffic selectors will be narrowed down to a longer CIDR prefix if the peer sends a longer CIDR prefix length.

The following;

If the peer sends 10.88.204.0/27 or 10.88.204.73/32, the Check Point will negotiate and install an IPsec Security Association for the more specific destination.

FortiGate does the same thing, btw, but it will display the following: "Dynamic proxyid as a result of selector narrowing"

The Check Point appliance just does not make it so obvious that narrowing has taken place.

This process typically does not cause issues unless exiting traffic is using the wrong SPI. You will see this in a lot of firewalls, Forcepoint and Check Point primarily, where the traffic exits using the wrong SPI. You can easily find the SPI in use by sending packets of a distinctive size, 666 bytes as an example, capturing the ESP datagrams on exit and reviewing the SPI number:

tcpdump -nnvv -i wan proto 50 and less 790 and greater 666

And on a host, generate a ping of 666 bytes: ping -s 666 x.x.x.x

The ESP datagram will stick out, and you can verify the SPI value in hex against the IPsec SA.
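The marker-ping check carried through in code, as an added example that is not from the original post: it applies the size window from the tcpdump filter above to raw IPv4/ESP packets, reads each packet's SPI, and compares it with the SA that should carry traffic to the ping target after selector narrowing. The SA table, SPIs and packet bytes are all constructed for illustration.

```python
# Added example, not from the original post: pick the marker ping's ESP packets
# out of a capture by size (the tcpdump window above), read each packet's SPI,
# and compare it with the SA that should carry traffic to the ping target after
# selector narrowing. SA table, SPIs and packet bytes are all constructed.
import ipaddress
import struct

# Constructed outbound child SAs after narrowing: the peer narrowed our
# 10.88.204.0/24 to /27 and also negotiated a /32 for one host, so traffic to
# 10.88.204.73 must leave with the /32 SA's SPI, not the /27 SA's.
SA_TABLE = {"10.88.204.0/27": 0xC0A8A01B, "10.88.204.73/32": 0x0BADF00D}


def expected_spi(dst: str) -> int:
    """Longest-prefix match of the ping target against installed selectors."""
    ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(s) for s in SA_TABLE]
    best = max((n for n in nets if ip in n), key=lambda n: n.prefixlen)
    return SA_TABLE[str(best)]


def esp_spi(packet: bytes):
    """Return (ip_total_length, spi) for a raw IPv4 packet carrying ESP."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 50:  # 50 = ESP
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    spi, = struct.unpack("!I", packet[ihl:ihl + 4])  # SPI is the first ESP field
    return total_len, spi


def check_ping_packets(packets, dst, lo=666, hi=790):
    """Apply the size window (IP total length), then return (spi, on_expected_sa)."""
    want = expected_spi(dst)
    out = []
    for p in packets:
        r = esp_spi(p)
        if r and lo < r[0] < hi:
            out.append((r[1], r[1] == want))
    return out


def make_esp(total_len: int, spi: int) -> bytes:
    """Constructed IPv4 + ESP frame: 20-byte header, proto 50, zero-filled body."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 50, 0,
                      bytes([10, 0, 0, 1]), bytes([198, 51, 100, 2]))
    return hdr + struct.pack("!II", spi, 1) + b"\x00" * (total_len - 28)


# Constructed capture: a 694-byte ICMP echo (ping -s 666) leaves as ~734 bytes of ESP
CAPTURE = [make_esp(60, 0xC0A8A01B),    # small ESP packet, outside the window
           make_esp(734, 0xC0A8A01B),   # marker ping leaving on the wrong SA
           make_esp(734, 0x0BADF00D)]   # marker ping on the narrowed /32 SA
```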










Thursday, October 12, 2023

sonicwall VPN types ( site 2 site or tunnel )

We will look at the differences.

  1. 1st, a tunnel interface means exactly that: you have a tunnel interface, and you will need a static route or a routing protocol to send traffic into it.
  2. This is the classic Junos route-based type.
  3. The proxy-ID will be a single 0.0.0.0/0 for the src/dst subnets.

A policy-based VPN will look similar to the following;

  1. The proxy-IDs would be whatever remote/local subnets you define.
  2. Your policy will initiate the IPsec tunnel; think of a Juniper policy-based VPN.

In both cases, you still need a firewall policy to allow the traffic flow.








