Posts

Palo Alto | Forcing Device Certificates to Use the Newer Intermediate Certificate

There are situations where Palo Alto device certificates used for the Web Interface or GlobalProtect, issued by 3rd-party PKI servers such as ADCS, will expire because their root CA or intermediate CA certificates are also expiring. In these cases the certificates must be renewed. However, there is a minor bug in Palo Alto devices: if two intermediate certificates share the same issuer (the root CA) but have different expiration dates, all imported certificates from that issuer will incorrectly be associated with the older intermediate certificate. For example: a Palo Alto firewall is using a 3rd-party PKI (Microsoft ADCS) to issue private certificates for the Web Console and GlobalProtect portals/gateways. The Palo Alto device contains the following certificates installed under Device > Certificate Management > Certificates:
Root CA
    Old Intermediate Cert (to be expired soon/already expired)
        Current GlobalProtect cert...

Strata Logging Service | Send Palo Alto logs to an AWS S3 bucket

Prerequisites
1. Have one or multiple Palo Alto Firewalls onboarded to Strata Cloud Manager or sending Palo Alto logs directly to Strata Logging Service.
2. Have access to the Strata Logging Service / Strata Cloud Manager console.
3. Have access to an AWS Console.
How to send Palo Alto logs to an AWS S3 bucket
@AWS
1. Create a new S3 bucket. We will call it palo-alto-logs. Take note of the AWS region (us-central-1, eu-central-1, etc.); this will be required in a later step. Also, for security, enable Block all public access in the S3 bucket. It is not required to create an ACL, so you can disable this setting.
2. Create a new IAM role. We will call it SLS_to_S3_access_role. During the creation of the IAM role, you need to select AWS Account > Another AWS Account > Enter the Account ID of Strata Logging Service. This can be obtained when creating a new S3 bucket profile in Strata Logging Service, specifically here: Once the AWS Account ID is obtaine...

Palo Alto | Get security rule hit counts using XML API call on a Python script

# GET HIT COUNTS FROM ALL SECURITY RULES #
import requests

params = {
    'key': '{INSERT XML API KEY HERE}',
    'type': 'op',
}
data = {
    'cmd': "<show><rule-hit-count><vsys><vsys-name><entry name='vsys1'><rule-base><entry name='security'><rules><all></all></rules></entry></rule-base></entry></vsys-name></vsys></rule-hit-count></show>",
}
# verify=False skips TLS certificate validation of the firewall's management interface
response = requests.post('https://{FIREWALL MGMT IP}/api/', params=params, data=data, verify=False)
print(response.text)

# GET HIT COUNT FROM SPECIFIC SECURITY RULE #
import requests

params = {
    'key': '{INSERT XML API KEY HERE}',
    'type': 'op',
}
data = {
    'cmd': "<show><rule-hit-count><vsys><vsys-name><entry name='vsys1'><rule-base><entry name='security...

Panorama SDWAN issue during commit with error message "failed to create sdwan cluster meta file: 'NoneType' object has no attribute 'node'"

Cause --> This issue is directly related to a high-availability configuration present locally on the SDWAN device. If you add a standalone firewall as an SDWAN device in Panorama while it has HA enabled locally, this problem occurs.
Solution --> You can either remove the local HA configuration from the firewall, or implement HA with two members and then set up SDWAN on both devices as an HA group in the Panorama SDWAN settings.

Optimal RSSI and SNR values for Wireless


Creating a Windows batch file that ignores SSL certificate warnings in your favorite browser

In this example we will be using Google Chrome as our browser.
Step 1 - Create the .bat file in Notepad
Open the Notepad app in Windows and copy and paste the following text:
start "" "c:\Program Files\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors
Save the file as a .bat file in your preferred location (I usually choose the Desktop). Make sure you choose "All Files (*.*)" as the file type when saving the file.
Step 2 - Execute the file
Make sure you have no open Chrome session, otherwise this will not work: the flag only takes effect for a browser process launched with it. This is especially useful whenever you are going to configure a new network device via HTTPS, where it normally comes with a self-signed certificate that is not trusted by the browser by default. With this technique you should be able to connect to the device while ignoring any SSL certificate warnings from the browser, and of course, as part of configuring a network device, a proper SSL certificate will need to be installed for secured web access to...

Fortigate | Implement AAD Group based firewall rules for FortiClient SSLVPN

@AZURE
1.1. Create a SAML enterprise Application. We will call it Fortigate SSL VPN.
1.2. Define the AAD User groups that will have access to the Enterprise Application. Take note of the Object ID, as it will be used later in the Fortigate firewall.
1.3. Download the Enterprise Application's SSL certificate. This will be imported into the Fortigate firewall manually at a later stage.
@FORTIGATE FIREWALL
NOTE: FortiClient SSLVPN settings are ignored in this step.
2.1. Import Azure's Enterprise Application SSL certificate on the Fortigate Firewall (downloaded in Step 1.3).
2.2. Create a SAML Single Sign-On group. We will call it 'ssl-azure-saml'.
2.3. Create a User Group called 'AAD-SSL-VPN-USERS' pointing to the Object ID of the AAD Group (this can be found in Azure in step 2). This User group will be used in the Firewall Policies in order to filter
2.4. Create a Firewall Policy to restrict traffic to the VPN Users AAD group while using the AAD-SSL-VPN-USERS object. If we wa...