Using the REST API to add address objects to a Dynamic address group

Registering an IP address with a tag through the XML API makes that address a member of every dynamic address group whose match criteria (filter) reference the tag. The call uses the following syntax:

https://<IP>/api/?type=user-id&action=set&key=<KEY>&file-name=<XMLFILE>

Where IP is the IP address of the firewall under management, KEY is the pre-generated API key for the PAN-OS firewall and XMLFILE is the name of the XML file carrying the registrations and/or unregistrations to apply. In that file each <entry> names the tag in the identifier attribute (the "object ID" below) and the address in the ip attribute.

The XML file must have the following format to register new IP addresses under an existing tag:
<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<register>
<entry identifier="OBJECT ID" ip="IP"/>
</register>
</payload>
</uid-message>

Multiple additions can be made to the same object or to multiple objects in one API call by adding them to the same XML file:
<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<register>
<entry identifier="OBJECT ID 1" ip="IP1"/>
<entry identifier="OBJECT ID 1" ip="IP2"/>
<entry identifier="OBJECT ID 2" ip="IP3"/>
</register>
</payload>
</uid-message>

Removing an IP address from an object is similar; the entries go under <unregister> instead of <register>:
<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<unregister>
<entry identifier="OBJECT ID 1" ip="IP1"/>
<entry identifier="OBJECT ID 1" ip="IP2"/>
<entry identifier="OBJECT ID 2" ip="IP3"/>
</unregister>
</payload>
</uid-message>

Addresses can be added and removed in the same call:
<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<register>
<entry identifier="OBJECT ID 3" ip="IP4"/>
<entry identifier="OBJECT ID 3" ip="IP5"/>
</register>
<unregister>
<entry identifier="OBJECT ID 4" ip="IP6"/>
</unregister>
</payload>
</uid-message>
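The formats above, as an added example (not the post's own code): a Python builder that emits the same <uid-message> document from (tag, ip) pairs, validates every address before it goes on the wire, and a parser for the <response status="..."> reply the API returns. send_uid_message POSTs the document in the cmd form field, which the XML API accepts as an alternative to uploading the file the way the wget call later in the post does. The host, key and addresses in the usage block at the bottom are placeholders, and verify_tls=False is only for lab boxes with self-signed certificates.

```python
"""Build a PAN-OS User-ID <uid-message> and push it to the XML API.

Added example, not from the original post. Uses the same identifier=/ip=
entry form as the post; FIREWALL_HOST / API_KEY below are placeholders.
"""
import ipaddress
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(register=(), unregister=()):
    """register / unregister: iterables of (tag, ip) pairs.

    Every address is validated first: a typo such as "1.1.1" or "1.1.1.1 "
    would otherwise travel to the firewall and be rejected there (or be
    registered as something you did not intend).
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for section_name, pairs in (("register", register), ("unregister", unregister)):
        pairs = list(pairs)
        if not pairs:
            continue  # leave out empty <register>/<unregister> sections
        section = ET.SubElement(payload, section_name)
        for tag, ip in pairs:
            if not tag:
                raise ValueError("empty tag (identifier)")
            ip = str(ipaddress.ip_address(ip))  # raises ValueError on a bad address
            ET.SubElement(section, "entry", identifier=tag, ip=ip)
    # ElementTree escapes attribute values, so tags containing & or " stay well-formed.
    return ET.tostring(root, encoding="unicode")


def parse_api_response(body):
    """Return (ok, message) from the <response status="..."> document the API sends.

    Success replies may be empty (<response status="success"/>); error replies
    carry the reason in <msg>/<line> elements, which are flattened into one string.
    """
    root = ET.fromstring(body)
    ok = root.get("status") == "success"
    message = " ".join(t.strip() for t in root.itertext() if t.strip())
    return ok, message


def send_uid_message(host, key, xml_text, verify_tls=True):
    """POST the message via the cmd form field; returns parse_api_response() of the reply."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab-only, equivalent of wget --no-check-certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = urllib.parse.urlencode(
        {"type": "user-id", "action": "set", "key": key, "cmd": xml_text}
    ).encode()
    req = urllib.request.Request("https://%s/api/" % host, data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_api_response(resp.read())


if __name__ == "__main__":
    FIREWALL_HOST = "10.50.243.81"  # placeholder, taken from the post's lab
    API_KEY = "<KEY>"               # placeholder
    msg = build_uid_message(register=[("palo", "1.1.1.1")],
                            unregister=[("palo", "10.0.0.9")])
    print(msg)
    # ok, detail = send_uid_message(FIREWALL_HOST, API_KEY, msg, verify_tls=False)
    # print(ok, detail)
```

Check the (ok, message) pair after every call rather than the HTTP status: the API answers 200 for many failures and signals them only through status="error" in the XML body.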

Here is something that I replicated in my lab :
1. Used wget in Kali Linux as a REST client.
2. REST API :

wget --no-check-certificate --post-file=Desktop/T11.xml "https://10.50.243.81/api/?type=user-id&action=set&key=LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09&file-name=T11.xml&client=wget" --no-http-keep-alive -O Desktop/TOP

[screenshot: the wget API query above]

NOTE :

T11.xml:
-------
<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<register>
<entry identifier="palo" ip="1.1.1.1"/>
</register>
</payload>
</uid-message>

TOP File : (This reflects the result of the triggered API query)
--------
[screenshot: contents of the TOP output file]

3. This is what you should be seeing on the Palo Alto Networks firewall:

CLI :
----

> show object dynamic-address-group all

Dynamic address groups in vsys vsys1:
----------------------------------------------------

----------------defined in vsys --------------------

----------------defined in shared-------------------
DynTest
filter: "palo"
members: total 2
1.1.1.1 (R)

O: address object; R: registered ip; D: dynamic group; S: static group
=========================

> show object registered-ip tag palo

registered IP                            Tags
---------------------------------------- -----------------

1.1.1.1 #
"palo"

Total: 1 registered addresses
*: received from user-id agent #: persistent

GUI :
----
[screenshot: dynamic address group members, shown after commit and clicking "more"]

NOTE :
======
A) I observed buggy behavior with PAN-OS 7.1.4-h2.
Observed Behavior :
-----------------
-- Could see registered IPs in the CLI.
-- But could not see the IPs in the Dynamic Address Group.
-- Addresses were not visible in the GUI as well.
-- Forced commit. (No changes to commit were observed, so had to force commit.)
-- Even after commit, could not see the IPs in the dynamic address group.
-- Clicked "more", after which we could see the dynamic addresses in the dynamic address object.
-- Checked in CLI, the registered IPs were visible.
-- Tested this with different inputs and firewalls, observed the same behavior every time.
-- Unregistered the IP addresses, after which we did not see any registered IP but could see those IPs still stuck in the Dynamic address group.
-- PAN-OS 5 had a command to clear the objects using type=op. But the command is no longer available in PAN-OS 7.1.

B) This should be filed as a bug shortly. Already shared the results with the concerned PA Team.

Create a Desktop item for an application you installed in Kali Linux 2

Execute the following commands via the Terminal :
——————————————-

apt-get install --no-install-recommends gnome-panel -y
gnome-desktop-item-edit /root/Desktop/ --create-new

NOTE: If you're not running as root, don't use the "/root/Desktop" path, use "~/Desktop" instead:
gnome-desktop-item-edit ~/Desktop/ --create-new

Create a template on Panorama in specific vsys using the REST API

A Panorama template can be tied to a specific vsys with two XML API calls: the first creates the vsys entry inside the template's device config, the second sets that vsys as the template's default-vsys. Issue them in the following sequence, and check that the first call returns <response status="success"> before sending the second. In both calls TEST is the template name and vsys1 the vsys; the brackets, quotes and angle brackets in the xpath and element parameters must be URL-encoded unless the client does that for you.

API 1 :
=======

https://<PANORAMA IP>/api/?type=config&action=set&key=<KEY>&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TEST']/config/devices/entry[@name='localhost.localdomain']/vsys&element=<entry name='vsys1'/>

API 2:
======
https://<PANORAMA IP>/api/?type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TEST']/settings&element=<default-vsys>vsys1</default-vsys>&key=<KEY>

NOTE : These APIs have been tested and work absolutely fine 🙂
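The two calls above in code, as an added example (not part of the post): template_vsys_requests builds the (xpath, element) pairs in the order they must be sent, encode_query URL-encodes them, and apply_template_vsys issues them one after the other, stopping on the first reply whose status is not "success". The Panorama address, key, template name and vsys are placeholders; a lab box with a self-signed certificate would need the same certificate-check relaxation the post's wget call uses.

```python
"""Sequence the two Panorama XML API calls that give a template its vsys.

Added example, not from the original post. PANORAMA_HOST / API_KEY are placeholders.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

TEMPLATE_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                  "/template/entry[@name='{template}']")


def template_vsys_requests(template, vsys):
    """Return the (xpath, element) pairs in the order the post says to issue them."""
    base = TEMPLATE_XPATH.format(template=template)
    return [
        # API 1: create the vsys entry inside the template's device config
        (base + "/config/devices/entry[@name='localhost.localdomain']/vsys",
         "<entry name='%s'/>" % vsys),
        # API 2: make it the template's default vsys
        (base + "/settings", "<default-vsys>%s</default-vsys>" % vsys),
    ]


def encode_query(key, xpath, element):
    """URL-encode the query string; [, @, ', / and <> in xpath/element must not be sent raw."""
    return urllib.parse.urlencode({
        "type": "config", "action": "set", "key": key,
        "xpath": xpath, "element": element,
    })


def response_ok(body):
    """True when the XML reply carries status="success"."""
    return ET.fromstring(body).get("status") == "success"


def apply_template_vsys(host, key, template, vsys):
    """Send both calls in order; raise on the first one that does not succeed."""
    for xpath, element in template_vsys_requests(template, vsys):
        url = "https://%s/api/?%s" % (host, encode_query(key, xpath, element))
        with urllib.request.urlopen(url, timeout=30) as resp:
            body = resp.read()
        if not response_ok(body):
            raise RuntimeError("call for %s failed: %s" % (xpath, body.decode(errors="replace")))
    return True


if __name__ == "__main__":
    PANORAMA_HOST = "panorama.example.net"  # placeholder
    API_KEY = "<KEY>"                       # placeholder
    for xp, el in template_vsys_requests("TEST", "vsys1"):
        print("https://%s/api/?%s" % (PANORAMA_HOST, encode_query(API_KEY, xp, el)))
    # apply_template_vsys(PANORAMA_HOST, API_KEY, "TEST", "vsys1")
```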

Palo Alto Firewalls – Unable to decrypt SSL Inbound traffic.

Scenario : Hosts on the internet connect to a web server behind the Palo Alto firewall. The traffic log shows that the traffic is not being decrypted.

1. There can be multiple reasons why inbound traffic is not being decrypted. One of the most common is unsupported cipher suites, but this article is about the Extended Master Secret extension and SSL Inbound Decryption.

2. Global counters reflect the following :
=================================
name                         value  rate  severity  category  aspect    description
proxy_process                6      0     info      proxy     pktproc   Number of flows go through proxy
proxy_wqe_queued             5      0     info      proxy     resource  The number of wqe currently held as part of proxy
proxy_reverse_failure        1      0     warn      proxy     pktproc   The number of sessions failed for reverse proxy
proxy_decrypt_error_overall  1      0     info      proxy     pktproc   Overall number of decrypt error (not including cert validation and unsupport param)
ssl_hs_mac_error             1      0     warn      ssl       pktproc   ssl handshake mac state unmatched with version
ssl_client_sess_ticket       6      0     info      ssl       pktproc   Number of ssl session with non empty client sess ticket ext

3. Analyzing the ssl basic debug output, you will come across handler error -20.

4. Take a packet capture on the firewall. You should find the extended_master_secret extension in both the Client Hello and the Server Hello.

Sample snapshot:

[screenshot: packet capture showing the extended_master_secret extension]

5. The Extended Master Secret extension (RFC 7627) was activated by Microsoft with the Security Update for Schannel to Address Spoofing (3081320). This affects software using Schannel, including IIS and Internet Explorer. The latest version of Google Chrome also has the extension activated, and OpenSSL supports it from 1.1.0.

6. When the extension is present in both the Client Hello and the Server Hello, the master secret is derived as described in RFC 7627 (bound to a hash of the handshake messages) rather than as in RFC 5246. The firewall's inbound SSL decryption does not implement that derivation, so it cannot decrypt such sessions; Palo Alto Networks does not support decryption in this scenario.

7. The workaround is to disable Extended Master Secret in SChannel on both the IIS server and the client.
To make these registry changes, follow these steps:

1.  Click Start, click Run, type regedit in the Open box, and then click OK.
2.  Locate and then click the following subkey in the registry:
    HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel
3.  On the Edit menu, point to New, and then click DWORD Value.
4.  On the computer that is receiving the connection request (the IIS server), type DisableServerExtendedMasterSecret for the name of the DWORD, and then press ENTER.
5.  On the computer that is initiating the connection request (the client), type DisableClientExtendedMasterSecret for the name of the DWORD, and then press ENTER.
6.  Right-click the new DWORD entry, and then click Modify.
7.  Type 1 (or any non-zero value) in the Value data box to disable the TLS extension.

NOTE : After making these changes you will find that the traffic is being decrypted. But practically it is not possible to disable Extended Master Secret in SChannel for clients, as most of the time we do not have control over the clients/traffic coming in from the internet. Keep in mind as well that RFC 7627 exists to close the triple-handshake weakness of the original master secret derivation, so switching it off on the server trades protocol hardening for visibility.
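The condition from steps 4 and 6 above, as an added example (not part of the original post): a small parser for a TLS ClientHello or ServerHello record that lists the extensions it carries, and a check that reports whether extended_master_secret (extension type 0x0017) appears in both hellos, which is the situation in which inbound decryption fails. The hello records it runs on are constructed inline for offline use, not taken from a capture; a real capture would supply the first handshake record in each direction.

```python
"""Detect Extended Master Secret (RFC 7627) negotiation from the two Hello records.

Added example, not from the original post. The hellos built by build_hello()
are minimal constructed TLS 1.2 messages for testing, not captured traffic.
"""
import struct

EXT_EXTENDED_MASTER_SECRET = 0x0017
HANDSHAKE_CLIENT_HELLO = 1
HANDSHAKE_SERVER_HELLO = 2


def parse_hello(record):
    """Parse one TLS record holding a ClientHello or ServerHello.

    Returns (handshake_type, {extension_type: extension_data}).
    Raises ValueError for anything that is not a single, complete Hello record.
    """
    if len(record) < 9 or record[0] != 0x16:        # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                                     # legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                               # session_id
    if hs_type == HANDSHAKE_CLIENT_HELLO:
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2 + cs_len                            # cipher_suites vector
        pos += 1 + hello[pos]                        # compression_methods vector
    elif hs_type == HANDSHAKE_SERVER_HELLO:
        pos += 2 + 1                                 # chosen cipher_suite + compression
    else:
        raise ValueError("handshake type %d is not a Hello" % hs_type)
    extensions = {}
    if pos < len(hello):                             # extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            extensions[ext_type] = hello[pos:pos + ext_len]
            pos += ext_len
    return hs_type, extensions


def negotiated_extended_master_secret(client_record, server_record):
    """True only when both sides sent extension 0x0017; that is when RFC 7627 applies."""
    c_type, c_exts = parse_hello(client_record)
    s_type, s_exts = parse_hello(server_record)
    if c_type != HANDSHAKE_CLIENT_HELLO or s_type != HANDSHAKE_SERVER_HELLO:
        raise ValueError("expected a ClientHello followed by a ServerHello")
    return EXT_EXTENDED_MASTER_SECRET in c_exts and EXT_EXTENDED_MASTER_SECRET in s_exts


def build_hello(hs_type, extension_types):
    """Constructed minimal TLS 1.2 Hello record carrying empty extensions (test data)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
    if hs_type == HANDSHAKE_CLIENT_HELLO:
        body += b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
    else:
        body += b"\xc0\x2f" + b"\x00"                # chosen suite, null compression
    exts = b"".join(struct.pack("!HH", t, 0) for t in extension_types)
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    ch = build_hello(HANDSHAKE_CLIENT_HELLO, [0x0000, EXT_EXTENDED_MASTER_SECRET, 0x0023])
    sh = build_hello(HANDSHAKE_SERVER_HELLO, [EXT_EXTENDED_MASTER_SECRET])
    print("EMS negotiated:", negotiated_extended_master_secret(ch, sh))
```

Run it against the first handshake record in each direction of a problem session; a True result explains the proxy_decrypt_error_overall / ssl_hs_mac_error counters before any cipher-suite troubleshooting.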