Overview
In my recent work with Palo Alto firewalls, I noticed that keeping configurations compliant can get complex, especially when administrators need to modify default settings for certain applications. Small changes to session handling or TCP timeouts, while necessary for specific use cases, can introduce inconsistencies and potential compliance issues. I developed straightforward NQE queries to create compliance checks that help us monitor and manage these configurations effectively.
Key Benefits:
- Improved Visibility: The compliance checks I set up give us a clear view into any configuration deviations across firewalls, making it easy to spot unauthorized changes.
- Targeted Control: By creating separate compliance checks for different parameters, like session setup and timeouts, we can focus on what matters most in our environment.
- Unified Compliance Management: Even though Panorama handles many configurations, Forward Networks fills in the gaps by providing custom compliance checks, giving us a more complete picture.
How It Works
Using custom commands, I configured compliance checks specifically for Palo Alto firewalls to retrieve key values, such as session setup and timeout configurations. These checks pull data directly from each firewall and compare it against a predefined gold standard. For instance, let’s say a TCP session timeout is changed from its default value of 3600 to 36000 to support a specific application. The compliance check catches this deviation immediately, flagging it as non-compliant. This way, we can stay on top of any changes that could affect the network’s performance or security.
Verify Session Setup values match gold standard
sampleBlock="""
target-dp: *.dp0
--------------------------------------------------------------------------------
Number of sessions supported: 65534
Number of allocated sessions: 0
Number of active TCP sessions: 0
Number of active UDP sessions: 0
Number of active ICMP sessions: 0
Number of active GTPc sessions: 0
Number of active HTTP2-5gc sessions: 0
Number of active GTPu sessions: 0
Number of pending GTPu sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 0
Number of active SCTP sessions: 0
Number of active SCTP associations: 0
Number of active PFCP sessions: 0
Session table utilization: 0%
Number of sessions created since bootup: 0
Packet rate: 0/s
Throughput: 0 kbps
New connection establish rate: 0 cps
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 250 millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
SCTP default timeout: 3600 secs
SCTP timeout before INIT-ACK received: 5 secs
SCTP timeout before COOKIE received: 60 secs
SCTP timeout before SHUTDOWN received: 30 secs
5GC delete timeout: 15 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, SCTP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging: True
Accelerated aging threshold: 80% of utilization
Scaling factor: 2 X
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Software Cut Through: False
Hardware UDP session offloading: True
Run-to-completion mode: False
Tunnel acceleration: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
Reject TCP SYN with different seq/options: True
ICMP Unreachable Packet Rate: 200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
Timeout to determine application trickling: 10 secs
Resource utilization threshold to start scan: 80%
Scan scaling factor over regular aging: 8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session : 0
--------------------------------------------------------------------------------
""";
pattern = ```
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Software Cut Through: False
Hardware UDP session offloading: True
Run-to-completion mode: False
Tunnel acceleration: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
Reject TCP SYN with different seq/options: True
ICMP Unreachable Packet Rate: 200 pps
```;
foreach block in [sampleBlock]
// Parse the raw command output into config blocks, then diff them against the gold-standard pattern
let fwcheck = parseConfigBlocks(OS.OTHER, block)
let matches = blockDiff(fwcheck, pattern)
// Any line of the pattern that is missing or differs counts as a violation
let violation = matches.diffCount > 0
select {
  violation,
  missing: matches.blocks,
  deviceiscompliant: if violation == false then "COMPLIANT" else "NOT COMPLIANT"
}
Verify Session Timeout values match gold standard
sampleBlock="""
target-dp: *.dp0
--------------------------------------------------------------------------------
Number of sessions supported: 65534
Number of allocated sessions: 0
Number of active TCP sessions: 0
Number of active UDP sessions: 0
Number of active ICMP sessions: 0
Number of active GTPc sessions: 0
Number of active HTTP2-5gc sessions: 0
Number of active GTPu sessions: 0
Number of pending GTPu sessions: 0
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 0
Number of active SCTP sessions: 0
Number of active SCTP associations: 0
Number of active PFCP sessions: 0
Session table utilization: 0%
Number of sessions created since bootup: 0
Packet rate: 0/s
Throughput: 0 kbps
New connection establish rate: 0 cps
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 250 millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
SCTP default timeout: 3600 secs
SCTP timeout before INIT-ACK received: 5 secs
SCTP timeout before COOKIE received: 60 secs
SCTP timeout before SHUTDOWN received: 30 secs
5GC delete timeout: 15 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, SCTP: 60 secs, other IP protocols: 60 secs
--------------------------------------------------------------------------------
Session accelerated aging: True
Accelerated aging threshold: 80% of utilization
Scaling factor: 2 X
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
Software Cut Through: False
Hardware UDP session offloading: True
Run-to-completion mode: False
Tunnel acceleration: True
IPv6 firewalling: True
Strict TCP/IP checksum: True
Strict TCP RST sequence: True
Reject TCP small initial window: False
Reject TCP SYN with different seq/options: True
ICMP Unreachable Packet Rate: 200 pps
--------------------------------------------------------------------------------
Application trickling scan parameters:
Timeout to determine application trickling: 10 secs
Resource utilization threshold to start scan: 80%
Scan scaling factor over regular aging: 8
--------------------------------------------------------------------------------
Session behavior when resource limit is reached: drop
--------------------------------------------------------------------------------
Pcap token bucket rate : 10485760
--------------------------------------------------------------------------------
Max pending queued mcast packets per session : 0
--------------------------------------------------------------------------------
""";
pattern = ```
Session timeout
TCP default timeout: 3600 secs
TCP session timeout before SYN-ACK received: 5 secs
TCP session timeout before 3-way handshaking: 10 secs
TCP half-closed session timeout: 120 secs
TCP session timeout in TIME_WAIT: 15 secs
TCP session delayed ack timeout: 250 millisecs
TCP session timeout for unverified RST: 30 secs
UDP default timeout: 30 secs
ICMP default timeout: 6 secs
SCTP default timeout: 3600 secs
SCTP timeout before INIT-ACK received: 5 secs
SCTP timeout before COOKIE received: 60 secs
SCTP timeout before SHUTDOWN received: 30 secs
5GC delete timeout: 15 secs
other IP default timeout: 30 secs
Captive Portal session timeout: 30 secs
Session timeout in discard state:
TCP: 90 secs, UDP: 60 secs, SCTP: 60 secs, other IP protocols: 60 secs
```;
foreach block in [sampleBlock]
// Parse the raw command output into config blocks, then diff them against the gold-standard pattern
let fwcheck = parseConfigBlocks(OS.OTHER, block)
let matches = blockDiff(fwcheck, pattern)
// Any line of the pattern that is missing or differs counts as a violation
let violation = matches.diffCount > 0
select {
  violation,
  missing: matches.blocks,
  deviceiscompliant: if violation == false then "COMPLIANT" else "NOT COMPLIANT"
}
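The same parse-then-diff logic as the two NQE checks above, written as a stand-alone Python example (added here, not part of the original post or Forward Networks' engine). It uses a constructed excerpt of the session output in the format of the sample blocks, with the TCP default timeout changed from 3600 to 36000 as in the scenario described, and reports the deviation the way the NQE select does.

```python
# Constructed excerpt of the session output (format as above); the TCP default
# timeout is 36000 instead of 3600 to reproduce the deviation described in the text.
SAMPLE_OUTPUT = """\
target-dp: *.dp0
--------------------------------------------------------------------------------
Session timeout
TCP default timeout: 36000 secs
UDP default timeout: 30 secs
--------------------------------------------------------------------------------
Session setup
TCP - reject non-SYN first packet: True
Hardware session offloading: True
--------------------------------------------------------------------------------
"""

# Gold standard, one dict per section, keyed by parameter name.
GOLD = {
    "Session timeout": {"TCP default timeout": "3600 secs",
                        "UDP default timeout": "30 secs"},
    "Session setup": {"TCP - reject non-SYN first packet": "True",
                      "Hardware session offloading": "True"},
}

def parse_session_info(text):
    """Split the dashed-rule separated output into {section: {param: value}}.
    A colon-less line ("Session setup") opens a section and a rule closes it,
    so the counters above the first header are ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            current = None
        elif ":" not in line:
            current = sections.setdefault(line, {})
        elif current is not None:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sections

def check_compliance(text, gold):
    """Mirror the NQE select above: report every gold-standard parameter that
    is missing from the output or differs from the value reported."""
    parsed = parse_session_info(text)
    missing = [(section, param, expected, parsed.get(section, {}).get(param))
               for section, params in gold.items()
               for param, expected in params.items()
               if parsed.get(section, {}).get(param) != expected]
    return {"violation": bool(missing), "missing": missing,
            "deviceiscompliant": "NOT COMPLIANT" if missing else "COMPLIANT"}
```

Each entry in `missing` carries the section, parameter, expected and observed value, so the report says which setting drifted rather than only that the device is non-compliant.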
The best part is that these checks are flexible. We can extend this same approach to other devices and configurations, making it a powerful tool across the network. Using Forward Networks’ intent checks and decorators, we have even more options to tailor compliance to our needs. This setup has made compliance tracking and management much more streamlined, enabling us to keep our firewalls and network environment secure and aligned with our standards.