Wednesday, March 22, 2017

Palo Alto Networks - Clientless VPN and RDP

With the 8.0 release of PAN-OS, the ability to access applications through a web portal has been added. This is sometimes referred to as "Clientless VPN." Prior to this release, some existing Palo Alto Networks customers may have been hesitant to fully migrate away from point products like PulseSecure or Aventail, because those products offer fairly robust Clientless VPN capabilities. Although this capability is still relatively new to the platform and additional features will be added over time, I thought I would highlight how one can currently leverage Clientless VPN for remote access to a desktop.

In its current state, the Palo Alto Networks Clientless VPN supports access to internal applications via a web browser. Because Apache Guacamole delivers RDP sessions to the browser over HTML5, it fits this model well, and it is the application we are going to leverage in this scenario.
  • Chase Wright has a fully scripted version of the Apache Guacamole install for Ubuntu here. Just in case his site is not accessible for some reason, here are some of the details (I would recommend viewing all details/comments on his site):
    • The following will install Guacamole 0.9.11, Tomcat 8, and MySQL for you. All you have to do is pick a MySQL root password and change the guacamole_user password.
    wget https://raw.githubusercontent.com/MysticRyuujin/guac-install/master/guac-install.sh
    chmod +x guac-install.sh
    apt-get update
    apt-get -y install dos2unix
    dos2unix guac-install.sh
    ./guac-install.sh
    • You will be prompted to enter passwords for MySQL.
    • Reboot once the install is complete.
    • Once rebooted, navigate to the GUI (http://<IP address of Ubuntu machine>:8080/guacamole)
      • user: guacadmin
      • password: guacadmin
    • Within the GUI, you can add multiple users, as well as add connection types, like RDP. Since the guacadmin account ships with a well-known default password and this portal will be reachable remotely, change that password (or create a new admin and disable guacadmin) before exposing the application.
  • Within the firewall, we will build upon my first GlobalProtect post, by adding Clientless VPN functionality.
    • Navigate to Network -> GlobalProtect -> Clientless Apps -> Add
      • Enter a Name for the Clientless Application
      • Enter the Application Home URL
        • This is the URL of the Apache Guacamole server
      • Click OK
    • Navigate to Network -> GlobalProtect -> Portals -> (Select the portal) -> Clientless VPN -> General
      • Enable the Clientless VPN
      • Enter a Hostname
        • This should be the FQDN or IP address of the GlobalProtect Portal
      • Select a Security Zone
        • To keep things simple in this example, I have selected the zone in which the Clientless Application resides
      • Select a DNS Proxy
        • For more information on how to configure DNS Proxy, see this post
    • Navigate to the Applications tab and select Add.
      • Enter a Name
      • Select the Application that was previously created
      • Click OK
    • Click OK
    • Commit the configuration
  • You can now test remote access to the application via Clientless VPN by navigating to the FQDN/IP of the GlobalProtect Portal (https://<FQDN or IP>/)
  • Once logged in, there will be an option to select the application
  • Upon selecting the application, you will be redirected to the Apache Guacamole login page. After logging in there, you will have an RDP session running inside your web browser.



Wednesday, March 8, 2017

Palo Alto Networks - How to Import Address Objects from a .csv File

Although there are a variety of ways to accomplish this task, I thought I would put together a quick script to satisfy this particular requirement.

Let's say you are trying to migrate from a firewall that isn't supported by the Migration Tool, and you have thousands of address objects. What would be a simple way to get this data imported into a Palo Alto Networks firewall from a .csv file?

Step 1:

Install Python and Jinja2 (easy_install jinja2 or pip install jinja2) on a machine (I did this on a VM running Ubuntu). Create a directory somewhere on the machine for the files you will be creating.

Step 2:

Rename your existing .csv file to "device_data.csv". Here is an example.

Step 3:

Create a jinja2 file called "conf_template.j2" with the configuration parameters and variables that reference each column in the .csv file. Here is an example.

Step 4:

Create a python script called "make_config.py" so that upon execution it will use the information from your jinja and csv files to create a configuration file. Here is an example.

Step 5:

Place all three files (.csv, .j2, and .py) in the directory you previously created.

Step 6:

Open the terminal and navigate to the directory where the files are stored (in Ubuntu, cd ~/Desktop/scripts/address-objects/)

Step 7:

Run the script (in Ubuntu, sudo python make_config.py). This will produce a file in the same directory called "address_objects.conf". Here is an example.

Step 8:

Open the "address_objects.conf" file and copy and paste the contents into the CLI of the firewall. Every line you paste is executed as a command, so skim the file first and make sure nothing from the spreadsheet (stray quotes, line breaks, odd names) has turned into an unintended command. Don't forget to commit the configuration.
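As an added, self-contained illustration of Steps 2 through 7 (this is not the author's make_config.py or template, which are not reproduced on the page), the script below embeds a constructed stand-in for device_data.csv and an assumed conf_template.j2 layout, validates each row, and renders PAN-OS "set address" commands. The column names (name, ip, description), the template text, and the conservative object-name pattern are all assumptions of this example. Rows with an invalid address, an unusual name, or a description containing quotes or line breaks are reported and skipped, because each line of the generated file is later pasted into the CLI as its own command. Jinja2 is used when installed; otherwise an equivalent string-formatting path produces the same lines.

```python
import csv
import io
import ipaddress
import re

try:
    from jinja2 import Template  # the renderer the post relies on
except ImportError:              # fallback so the example runs without Jinja2
    Template = None

# Constructed stand-in for device_data.csv (sample data, not from the post).
# The last row has a description containing a line break on purpose.
SAMPLE_CSV = """name,ip,description
web-srv-01,10.1.1.10/32,Web server
db-subnet,10.2.0.0/24,Database subnet
bad name,10.3.3.3/32,space in object name
bogus-ip,300.1.1.1/32,not a valid address
sneaky,10.4.4.4/32,"two
lines"
"""

# Assumed conf_template.j2 layout: one "set address" command per CSV row.
TEMPLATE = """{% for o in objects -%}
set address {{ o.name }} ip-netmask {{ o.ip }} description "{{ o.description }}"
{% endfor %}"""

REQUIRED_COLUMNS = {"name", "ip", "description"}

# Conservative object-name rule (assumption): start alphanumeric, then
# letters, digits, dot, underscore or hyphen, 63 characters at most.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


def validate_row(row):
    """Return an error string for an unusable row, or None if it is fine."""
    name = (row.get("name") or "").strip()
    ip = (row.get("ip") or "").strip()
    desc = row.get("description") or ""
    if not NAME_RE.match(name):
        return f"name {name!r} does not match the allowed object-name pattern"
    try:
        ipaddress.ip_network(ip, strict=False)  # accepts host or prefix form
    except ValueError:
        return f"ip {ip!r} is not a valid address or prefix"
    if any(ch in desc for ch in '"\r\n'):
        # A quote or line break would end the command early or start a new one.
        return "description contains quotes or line breaks"
    return None


def parse_rows(csv_text):
    """Split CSV text into usable object dicts and (line, reason) rejections."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"csv is missing columns: {sorted(missing)}")
    valid, rejected = [], []
    for row in reader:
        err = validate_row(row)
        if err:
            rejected.append((reader.line_num, err))
        else:
            valid.append({"name": row["name"].strip(),
                          "ip": row["ip"].strip(),
                          "description": row["description"]})
    return valid, rejected


def render(objects):
    """Render the template and return the non-empty command lines."""
    if Template is not None:
        text = Template(TEMPLATE).render(objects=objects)
    else:
        text = "\n".join(
            f'set address {o["name"]} ip-netmask {o["ip"]} '
            f'description "{o["description"]}"' for o in objects)
    return [line.strip() for line in text.splitlines() if line.strip()]


def make_config(csv_text):
    """Return (command lines, rejected rows) for the given CSV text."""
    objects, rejected = parse_rows(csv_text)
    return render(objects), rejected


if __name__ == "__main__":
    # Redirect stdout to address_objects.conf to mirror Step 7.
    lines, skipped = make_config(SAMPLE_CSV)
    print("\n".join(lines))
    for lineno, reason in skipped:
        print(f"# skipped csv line {lineno}: {reason}")
```

Running it prints two "set address" commands for the good rows and reports the three rejected rows as comments; swap SAMPLE_CSV for the contents of your own device_data.csv to use it for real.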

In summary, this methodology can be applied in a variety of scenarios (here is one example), but the main goal is to save time and avoid doing things manually.