
Thursday, 25 February 2016

Palo Alto Nuggets

Just a few commands that are helpful for getting diagnostic information out of your PA.

Because it's a firewall (ssssshhhst, don't tell anyone!), you probably find yourself testing and troubleshooting your policies a lot.

Security policy testing.

Security policies are just PAN's term for access lists. Testing them is particularly helpful for verifying which security policy is hit by a given flow, so you can adjust it if needed.

Dennis.Mink@au3pa01> test security-policy-match source destination protocol 1

"DMZ Cisco VCS to Internet" {
        from DMZ-trust;
        source [ ];
        source-region none;
        to DMZ-untrust;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service  any/any/any/any;
        action allow;
        terminal yes;
}

Or, to make it more granular, from the internet to the DMZ on port 5061:

Dennis.Mink@au3pa01> test security-policy-match from DMZ-untrust source to DMZ-trust destination protocol 6 destination-port 5061

"DMZ Cisco VCSE from Internet" {
        from DMZ-untrust;
        source any;
        source-region none;
        to DMZ-trust;
        destination-region none;
        user any;
        category any;
        application/service [ rtcp/udp/any/any rtp-base/udp/any/any rtp-audio/tcp/any/any rtp-audio/udp/any/any rtp-video/tcp/any/any rtp-video/udp/any/any sip-override/tcp/any/5060 sip-tls-override/tcp/any/5061 ];
        action allow;
        terminal yes;
}
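As an added example (not from the post), a small Python parser for the `test security-policy-match` output shown above, plus the check a change-verification script would run afterwards: that the first, effective matched rule is the one expected and that its action is what was intended. The sample output is constructed in the shape of the post's output; rule and zone names follow the post, the application list is shortened.

```python
import re

# Constructed sample in the shape of `test security-policy-match` output.
SAMPLE_OUTPUT = '''"DMZ Cisco VCSE from Internet" {
        from DMZ-untrust;
        source any;
        source-region none;
        to DMZ-trust;
        destination-region none;
        user any;
        category any;
        application/service [ rtcp/udp/any/any sip-tls-override/tcp/any/5061 ];
        action allow;
        terminal yes;
}
'''

# One block per matched rule: "<name>" { <fields> }
RULE_RE = re.compile(r'"([^"]+)"\s*\{(.*?)\}', re.S)
# Each field is "<key> <value>;" on its own line.
FIELD_RE = re.compile(r'^\s*([\w/-]+)\s+(.*?);\s*$', re.M)


def parse_policy_match(text):
    """Parse the rule blocks printed by the command into a list of dicts.

    The CLI prints the matching rules in evaluation order, so rules[0]
    is the one the firewall would actually apply when it is terminal.
    """
    rules = []
    for name, body in RULE_RE.findall(text):
        fields = {key: value.strip() for key, value in FIELD_RE.findall(body)}
        apps = fields.get('application/service', 'any')
        # "[ a b c ]" lists become Python lists; bare values stay strings.
        if apps.startswith('['):
            fields['application/service'] = apps.strip('[] ').split()
        rules.append({'name': name, **fields})
    return rules


def check_expected_rule(text, expected_name, expected_action='allow'):
    """True only if the effective rule is the expected one with the expected action."""
    rules = parse_policy_match(text)
    if not rules:
        return False
    first = rules[0]
    return first['name'] == expected_name and first.get('action') == expected_action
```

Feed it the raw CLI output (for instance captured over SSH) and fail the change if `check_expected_rule` returns False: a flow that unexpectedly lands on a broader rule such as the any/any one above is exactly what this catches.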

Application override testing
Application override policies can be used to exclude traffic from application inspection (something the PA does out of the box, unlike for instance a Cisco ASA). Including certain traffic and applications in these application override rules essentially "degrades" the inspection the PA applies to simple stateful firewall inspection (i.e. up to and including Layer 4). You can apply this to, for instance, SIP traffic on tcp/5060 and/or tcp/5061.

To test an application override rule, filter the session table on its application (here the override application is named Telnet_Override):

> show session all filter application Telnet_Override
