How to configure Palo Alto Firewall site-to-site VPN connecting to Azure

  1. Log in to the PA firewall WebGUI.
  2. Go to Network > Interfaces > Tunnel and click Add. In Tunnel Interface, choose the Interface Name, the Virtual Router (default in our example) and the Security Zone (you can use a preset zone); optionally assign the tunnel an IP on the same subnet as the Azure Gateway if you want dynamic routing.

  3. To configure the IKE Gateway, go to Network > Network Profiles > IKE Gateway and click Add.

     1) Choose the following values:
        Version: Set to ‘IKEv2 Only mode’ OR ‘IKEv2 preferred mode’.
        Interface: Set to the public (internet-facing) interface of the firewall used to connect to Azure, ethernet1/1 in our example.
        Local IP Address: IP address of the external interface of the firewall. If not behind a NAT device, this will be the VPN Gateway Address as configured in Azure.
        Peer IP Address: IP address of the Azure VPN Gateway. This can be obtained from the Azure Virtual Network dashboard. Note: Make sure you use the NAT-ed IP on Azure to define the peer IP.
        Pre-shared Key: Azure uses a pre-shared key (PSK or Pre-Shared Secret) for authentication. The key must be configured with the same value in the Azure VPN settings and on the Palo Alto Networks firewall.

     2) On the Advanced Options tab, leave Enable Passive Mode (Set as responder) unchecked, and in the IKEv2 section leave Liveness Check enabled. Note: Enable NAT Traversal if the firewall is behind a NAT device.

  4. To configure the IKE Crypto Profile, go to Network > Network Profiles > IKE Crypto. These are the PA default settings:
        DH Group: group2
        Encryption: aes-256-cbc, 3des
        Authentication: sha1, sha256
     Note: Set lifetimes longer than the Azure settings to ensure that Azure renews the keys during re-keying. Set the phase 1 lifetime to 28800 seconds.

     It is better to configure a new crypto profile that matches the IKE crypto settings of the Azure VPN. This is our working configuration.

  5. Configure a new IPSec Tunnel by going to Network > IPSec Tunnels. The following values are to be configured: Tunnel Interface: Select the Tunnel Interface configured in step 2 above.

How to configure Palo Alto Firewall and Microsoft Azure Site-to-Site VPN

Microsoft Azure requires IKEv2 (route-based VPN) for dynamic routing; IKEv1 is restricted to static routing only. IKEv2 is supported in PAN-OS 7.1.4 and newer versions, and fully supports the route-based VPN and crypto profiles needed to connect to MS Azure’s dynamic VPN architecture. This document discusses the basic configuration of a site-to-site VPN on both the Palo Alto Networks firewall and Microsoft Azure.

Part 1 Create a Site-to-Site VPN (VNet) using the Azure portal

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.

  1. Log in to the Azure portal.
  2. Click Create a resource.

3. In the Search the marketplace field, type ‘virtual network’. Locate Virtual network in the returned list and click it to open the Virtual Network page.

4. From the Select a deployment model list, select Resource Manager, and then click Create. This opens the ‘Create virtual network’ page.

5. With ‘Create virtual network’ open, enter information such as Name, Address space and Address range. Click Create to create the VNet.

6. Now you should see the VNet created.

How to assign a user permissions to access Exchange resource

You may use PowerShell. Here is how.

  1. Set-ExecutionPolicy unrestricted -scope currentuser
  2. $UserCredential = Get-Credential
  3. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
  4. Import-PSSession $Session -DisableNameChecking
  5. Get-MailboxFolderPermission "Email Address"
  6. Get-MailboxFolderPermission
  7. Add-MailboxFolderPermission -Identity "resource Email":\calendar -User "Your Email Address" -AccessRights Editor

Here is an example session and its output.

PS C:\Users\blin> Set-ExecutionPolicy unrestricted -scope currentuser

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): y

PS C:\Users\blin> $UserCredential = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential

PS C:\Users\blin> $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

PS C:\Users\blin> Import-PSSession $Session -DisableNameChecking

ModuleType Version    Name                 ExportedCommands
---------- -------    ----                 ----------------
Script     1.0        tmp_4uncrkjn.uv3     {Add-AvailabilityAddressSpace, Add-DistributionGroupMember...

PS C:\Users\blin> Get-MailboxFolderPermission boardroom@chicagotech.net

FolderName           User                 AccessRights         SharingPermissionFlags
----------           ----                 ------------         ----------------------
Top of Informatio... Default              {None}
Top of Informatio... Anonymous            {None}

PS C:\Users\blin> Add-MailboxFolderPermission -Identity boardroom@chicagotech.net -User "blin@chicagotech.net" -Accessrights Editor

FolderName           User                 AccessRights         SharingPermissionFlags
----------           ----                 ------------         ----------------------
Top of Informatio... Bob Lin              {Editor}

PS C:\Users\blin> Get-MailboxFolderPermission

cmdlet Get-MailboxFolderPermission at command pipeline position 1
Supply values for the following parameters:
Identity: boardroom@Chicagotech.net

FolderName           User                 AccessRights         SharingPermissionFlags
----------           ----                 ------------         ----------------------
Top of Informatio... Default              {None}
Top of Informatio... Anonymous            {None}
Top of Informatio... Bob Lin              {Editor}

PS C:\Users\blin> Get-DistributionGroupMember

cmdlet Get-DistributionGroupMember at command pipeline position 1
Supply values for the following parameters:
Identity: AllEmployees@chicagotech.net

Name                 RecipientType
----                 -------------
blin                 UserMailbox
........

PS C:\Users\blin> Get-DistributionGroupMember "AllEmployees@chicagotech.net" | export-csv c:\temp\list.csv

PS C:\Users\blin> Import-csv c:\temp\list.csv | %{Add-MailboxFolderPermission -identity boardroom@chicagotech.net:\calendar -user $_.PrimarySMTPAddress -Accessrights Editor}

FolderName           User                 AccessRights         SharingPermissionFlags
----------           ----                 ------------         ----------------------
Calendar             Doug Simon           {Editor}
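As an added example (not from the original post), the bulk grant in the last two commands above rewritten as a re-runnable script: it checks each group member's existing entry before calling Add- or Set-MailboxFolderPermission, grants only Editor rather than Owner, and ends with an audit of who can edit the calendar. It assumes the Exchange remote session from steps 1-4 is already imported; the mailbox and group addresses are placeholders.

```powershell
# Added example (not from the original post). Assumes the Exchange remote session
# from steps 1-4 is already imported. Addresses below are placeholders.
param(
    [string]$Resource = 'boardroom@example.com',     # placeholder resource mailbox
    [string]$Group    = 'AllEmployees@example.com',  # placeholder distribution group
    [string]$Rights   = 'Editor'                     # enough to edit bookings, not Owner
)

$folder = "${Resource}:\Calendar"

# Only user mailboxes get rights; contacts and nested groups are skipped deliberately.
$members = Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' }

foreach ($m in $members) {
    $addr = "$($m.PrimarySmtpAddress)"
    # Existing entry? Add- fails if one exists, so branch to Set- in that case.
    $current = Get-MailboxFolderPermission -Identity $folder -User $addr -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        Add-MailboxFolderPermission -Identity $folder -User $addr -AccessRights $Rights | Out-Null
        Write-Host "added   $addr -> $Rights"
    } elseif ($current.AccessRights -notcontains $Rights) {
        Set-MailboxFolderPermission -Identity $folder -User $addr -AccessRights $Rights
        Write-Host "updated $addr -> $Rights (was $($current.AccessRights -join ','))"
    } else {
        Write-Host "ok      $addr already has $Rights"
    }
}

# Audit: everyone except the Default and Anonymous entries, so a reviewer can see who can edit.
Get-MailboxFolderPermission -Identity $folder |
    Where-Object { "$($_.User)" -notin 'Default', 'Anonymous' } |
    Select-Object @{ n = 'User'; e = { "$($_.User)" } }, AccessRights |
    Format-Table -AutoSize
```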

How to boot into Windows 10 Safe Mode

You might have noticed that pressing F8 or SHIFT + F8 on your keyboard to enter Safe Mode no longer works in Windows 10. Here are some ways to run Safe Mode in Windows 10.

  1. Use the bcdedit command. Boot from the Windows 10 setup DVD or install media. Select “Repair your computer”. When asked what option you prefer, choose Troubleshoot. On the “Advanced options” screen, click or tap “Command Prompt”. Type the command: bcdedit /set {default} safeboot minimal. Press Enter on your keyboard and, after a moment, it tells you that “The operation completed successfully.” Or you can try this command: bcdedit /set {default} bootmenupolicy legacy. Now restart your computer and press F8 when it starts.
  2. Use “Startup Settings” from the Windows 10 installation DVD or USB recovery drive. Boot from the Windows 10 installation DVD or USB recovery drive. Go to “Advanced options -> Startup Settings -> Restart”.
  3. Interrupt the normal boot process of Windows 10 three times. If Windows 10 fails to boot normally three times in a row, the fourth time it enters Automatic Repair mode by default. From this mode, you can boot into Safe Mode.

How to Disable Windows 10 Update

  1. Run services.msc. Navigate to the Windows Update and Windows Update Medic services and disable both of them.
  2. Change the setting in the Group Policy Editor. Run gpedit.msc. Go to Computer Configuration > Administrative Templates > Windows Components > Windows Update. Double-click Configure Automatic Updates. Select Disabled in Configure Automatic Updates on the left, and click Apply and OK to disable the Windows automatic update feature.
  3. Disable Windows Update by using the Registry. Run the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows. Right-click the Windows (folder) key, select New, and then click Key. Name the new key WindowsUpdate and press Enter. Right-click the newly created key, select New, and click Key. Name the new key AU and press Enter. Inside the newly created key, right-click on the right side, select New, and click DWORD (32-bit) Value. Name the new value AUOptions and press Enter. Double-click the newly created value and change its data to 2. This stands for “Notify for download and notify for install”. Click OK. Close the Registry Editor to complete the task.
  4. Set the update settings to never check for updates.
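As an added example (not from the original post), step 3 above done from PowerShell instead of the Registry Editor: it creates the WindowsUpdate\AU policy key and the AUOptions DWORD, then reads the value back so the change is verified rather than assumed. Run it from an elevated prompt; the value table lists the documented AUOptions meanings, and 2 is the one the post uses.

```powershell
# Added example (not from the original post): registry form of step 3 above.
# Needs an elevated prompt because it writes under HKLM\SOFTWARE\Policies.
$auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Documented meanings of the AUOptions policy values.
$auOptions = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Set-AUOptions {
    param([ValidateSet(2, 3, 4, 5)][int]$Value)
    # New-Item -Force creates both WindowsUpdate and AU if they do not exist yet.
    if (-not (Test-Path $auPath)) { New-Item -Path $auPath -Force | Out-Null }
    # -Force overwrites an existing AUOptions value instead of failing.
    New-ItemProperty -Path $auPath -Name 'AUOptions' -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-AUOptions {
    # Returns $null when the policy has never been set.
    $p = Get-ItemProperty -Path $auPath -Name 'AUOptions' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.AUOptions
}

Set-AUOptions -Value 2
$now = Get-AUOptions
if ($now -eq 2) {
    "AUOptions = $now ($($auOptions[$now]))"
} else {
    Write-Error "AUOptions not applied (read back: $now)"
}
```

Run gpupdate /force afterwards, or reboot, so the policy takes effect before you check Windows Update settings.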

How to export and import Palo Alto Firewall configuration

Q: How do you export and import Palo Alto Firewall configuration?

Chicagotech.net:

  1. To export the PA firewall configuration, you first need to save a named configuration by going to Device > Setup > Operations. Click Save Named Configuration and enter a file name ending in .xml.

2. To export it, under Configuration Management, click Export named configuration snapshot and select the named configuration saved in step 1.

Or from the CLI:
> scp export configuration [tab for command help]
For example,
> scp export configuration from 2014-09-22_CurrentConfig.xml to username@scpserver/PanConfigs

Note: A single ‘/’ specified after the username@scpserver denotes a path that begins in that user’s home directory. Using ‘//’ means a path that starts at the root of the file system.

3. To import: From the GUI, go to Device > Setup > Operations, click Import named configuration snapshot and select the exported named configuration file.

This can also be done from the CLI:
For example:
> scp import configuration username@scpserver/PanConfigs/2014-09-22_CurrentConfig.xml

4. Load an imported configuration.

From the GUI, go to Device > Setup > Operations and click Load named configuration snapshot. When the configuration has been selected, click OK and commit the configuration.

This can also be done from the CLI, for example:
> configure
# load config from 2014-09-22_CurrentConfig.xml
# commit
# exit
>

Note:
1. Make sure both firewalls are running the same version of the software.
2. If they are not, some configuration may not work.
3. Some hardware settings will not change, for example the IP address and serial number (S/N).