Global Protect Troubleshooting

Global Protect Components
Certificate Management
Connections
Authentication
Debugging

https://www.youtube.com/watch?v=0Z48WHvyW0Q

authentication user - allow list, group mapping?

    

Threat ID Vulnerability profile override (exception)

 Palo Alto Networks defines a recommended default action (such as block or alert) for threat signatures. You can use a threat ID to exclude a threat signature from enforcement or modify the action that is enforced for that threat signature. For example, you can modify the action for threat signatures that are triggering false positives on your network.

Configure threat exceptions for antivirus, vulnerability, spyware, and DNS signatures to change enforcement for a threat. However, before you begin, make sure the threats are being properly detected and enforced based on the default or best practice signature settings for an optimum security posture:

Get the latest Antivirus, Threats and Applications, and WildFire signature updates (for the firewall).

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection and apply these security profiles to your security policy.

For SCM, adding or updating a Vulnerability profile override (exception) has to be done in the Overrides section. We are all used to editing the profile and making the change in the exceptions tab, but as we saw you can’t do that in SCM. 

1. To add an override, click Add Override
2. Search for the Threat ID or Name
3. Check the box to select the Threat
4. Change the Action to Allow
5. Click + to add the IP address
6. Check the box to select which profile to want to add it to
7. Save 

To update an override, in the Overrides section, click on the Threat ID

1. Click on the name of the Profile
2. Click + to add an IP address or – to delete one
3. Save the update
4. Save the override of the Threat ID

Strata Cloud Manager

Exclude anti-virus signature from enforcement

Select <Configuraiton > <NGFW and Prisma Access>  <Security Services> <WildFire and Antivirus> 

Add Profile or select an existing WildFire and Antivirus profile from which you want to exclude a threat signature and go to the Advanced Settings tab.

From the Signature Exceptions menu, Add Exception and provide the Threat ID for the threat signature you want to exclude from enforcement. You can optionally add notes to the signature exception.

Save the signature exception when you are finished.

A valid threat signature ID auto-populates the threat name field. You can view a complete list of active signature exceptions as well as Delete entries that are no longer necessary.

1. 1. 
      
   2. Repeat to add additional exceptions or click Save after all of your threat exceptions have been added.
2. Modify enforcement for vulnerability and spyware signatures (except DNS signatures; while they are a type of spyware signature, DNS signatures are handled through the DNS Security subscription in Prisma Access).

   1. Select ConfigurationNGFW and Prisma AccessSecurity ServicesAnti-Spyware or ConfigurationNGFW and Prisma AccessSecurity ServicesVulnerability Protection, depending upon the signature type.
   2. Add Profile or select an existing Anti-Spyware or Vulnerability Protection profile from which you want to modify the signature enforcement, and then select Add Override.
   3. Search for spyware or vulnerability signatures by providing the relevant Match Criteria. This automatically filters the available signatures and displays the results in the Matching Signatures section.
   4. Select the check box for the signature(s) whose enforcement you want to modify.
   5. Provide the updated Action, Packet Capture, and IP Addresses that you want the modified enforcement rules to apply to for the selected signatures.

      
   6. Save your updated signature enforcement configuration.
   7. You can view a complete list of Overrides including various statistics, as well as Delete entries that are no longer necessary.

      

   
   

https://docs.paloaltonetworks.com/advanced-threat-prevention/administration/configure-threat-prevention/create-threat-exceptions#idf17107a0-2df4-4ad5-a26f-d985a9bbe3ec

How to Setup a Site to Site Tunnel

Build Site to Site tunnel

Lab: Service Connections 

Service Connections Setup  
Verify Service Connection Status  

1. IKE Crypto Profile      (Phase 1)
2. IPSec Crypto Profile   (Phase 2)
3. IKE Gateway   (Phase 1)
4. Zones  
5. Tunnel Interface  
6. IPSec Tunnel  (Phase 2)
7. Virtual Router 
8. Static Routes  
9. Security Policy

You create IKE-Crypto-Profile, IPSec-Crypto-Profile
IKE Gateway (use the IKE-Crypto-Profile)
IPSec Tunnel (use IKE Gateway and IPSec-Crypto-Profile)

IKE Crypto Profile    (IKE Phase 1) 
Name: pa-lab-ike-crypto-profile
DH Group: Group20
Authentication: non-auth
Encryption:  aes-256-gcm
Timers: 1 Hour

IPSec Crypto Profile    (IKE Phase 2) 
Name: pa-lab-IPSec-crypto-profile
ESP - Encapsulating Security Payload
AH - Authentication Header 
Encryption:  aes-256-gcm
Authentication: sha256
DH Group: Group 
Life Time: 1 Hour

IKE Gateway
Name: pa-lab-service-connection-IKE-gateway
Version: IKEv2 only Mode
Address Type: IPv4
Interface: Ethernet1/2
Local IP Address 172.16.17.1/24

Peer IP address Type:  IP
Peer IP address: 203.1.113.1

Pre-shared Key: PaloAlto!
Confirm Pre-shared Key: PaloAlto!
Local Identification: User FQDN (Email address) Site-a@prisma-access.lab

Advance Tab
Enable NAT Traversal
IKE Crypto Profile: pa-lab-ike-crypto-profile

IPsec Tunnel

Name: pa-lab-service-connection-IPsec-tunnel

Tunnel Interface: tunnel.11

Type: auto Key

Address Type: IPV4

IKE Gateway: pa-lab-service-connection-IKE-Gateway

IPsec Crypto Profile: pa-lab-IPSec-crypto-profile

Show advanced Option

Enable Replay Protection

IPsec Mode: Tunnel

Tunnel Monitor:

Destination IP 192.168.255.254

Profile: Default

Troubleshooting

Initial Configuration

Initial Access to the System
Configuration Management
Licensing and Software Updates
Account Administration
Account Administration using Radius
Admin Roles
Interface Configuration
Security Zones
Layer 2, Layer 3, Virtual Wire, and Tap
Sub-Interface
DHCP
Virutal Routers
Multi VR Setup and Use Case

Security and NAT Policies
Security Policy Configuration
Policy Administration
NAT (Source and Destination

App-ID
App-ID Overview
Application Groups and Filters
Content-ID Overview
AntiVirus
Anti-Spyware
Vulnerability
URL Filtering

External Dynamic List
File Blocking Wildfire
Security Profiles File Blocking
WildFire
Zone Protection and DOS Protection
Decryption

Certificate Management
SSL Handshake
Outbound SSL Decryption
Inbound SSL Decryption

VPN Virtual Private Network
Allow a secure communication over public Network.
VPN try to maintain CIA (Confidentiality, Integrity and Authentication)

Types of VPN
1. Site to Site VPN  (IPSec s2s)
2. Remote Access VPN ( SSL VPN or Global Protect)

IPSec Site to Site VPN requires CIA
Confidentiality:  Encryption
Integrity: HASH
Authentication: PSA/PKI

It will also provide Antireplay protection
Encryption: IT will convert Plain text in to cipher text by using the key.
Decryption: It will convert Cipher Text into the plan text by using the key

Symmetric Encryption
1. DES (56 bit) 3DES (168 bit) ASE (128, 192. 256 bit) RC4 (128bit_
2. Same key used for encryption and decryption
3. Block Cipher ( DES, 3DES, block the data ex 64 bit block, ASE - Same data block whatever size of Key)
4. Stream Cipher: (RC4: Bit by Bit Encryption)

Asymmetric Encryption
1. RSA (SSH), DH
2. Both sites have 2 keys Private and Public key. Share public key with each other
When ever data is encrypted with private key, you can use public key to decrypt it and visa versa

HQ Head Office in Delhi
Branch Office BLR Bangalore 

1.