How to limit unnecessary exposure to the internet (for GlobalProtect and other services)
Objective
The objective of this KB article is to limit unnecessary threat exposure of internet-facing interfaces.
Environment
- Palo Alto Networks firewall
- Current PAN-OS versions
Procedure
Your firewall offers various features to safeguard your network from unwanted traffic. Here's how you can effectively utilize them:
1. DoS Policies for Limiting Exposure: DoS Policies help in limiting exposure to potential threats. They drop packets early, before security policies come into play, thereby reducing system load and noise in firewall logs. However, keep in mind that using DoS Policies may reduce visibility into traffic. Additionally, it's important to note that DoS policies do not allow a configuration with Destination Zone: any. Therefore, distinct DoS policies must be established for inbound traffic destined for services hosted by the firewall, as well as separate policies for traffic directed towards each destination zone with services hosted behind the firewall.
2. Security Policies for Comprehensive Protection: Security Policies are essential for processing and managing traffic. They offer a comprehensive approach to network security.
3. Caution with PBF Policies: While PBF policies can also discard traffic, it's advisable to prioritize DoS and Security Policies. Incorrectly configured PBF policies may lead to unintended drops or unreliable detections. Exercise caution when using PBF policies.
4. Combining DoS and Security Policies: You can combine the use of DoS and Security Policies to suppress repeat detections. This involves leveraging Security Policies with log forwarding built-in actions to maintain a dynamic list, which is then utilized by a DoS Policy to suppress repeat denied traffic.
To limit exposure, we recommend the following configuration:
DoS Rule Number: (last)
DoS Rule Name: Untrust to Untrust - Deny All - Other IP
Source Zone: Untrust
Destination Zone: Untrust
Destination Address: Public IP
Action: Deny
a. [Policies > DoS Protection > Add ] General : Set the DoS Policy name Untrust to Untrust - Deny All - Other IP
b. [Policies > DoS Protection > Add ] Source : Add Source Zone Untrust.
c. [Policies > DoS Protection > Add ] Destination : Set Zone Untrust, and Destination Address: [Public IP]
d. [Policies > DoS Protection > Add ] Option/Protection : If you want to block Other IP traffic, set Action to Deny. If you want to allow Other IP traffic (such as ICMP and ESP), set the action to Allow.
e. Resulting DoS Policy:
DoS Rule Number: (last)
DoS Rule Name: Untrust to Untrust - Deny All - UDP and TCP
Source Zone: Untrust
Destination Zone: Untrust
Destination Address: Public IP
Option/Protection | Service: [ udp-range-0-65535, tcp-range-0-65535 ]
Action: Deny
a. [Policies > DoS Protection > Add ] General : Set the DoS Policy name Untrust to Untrust - Deny All - UDP and TCP
b. [Policies > DoS Protection > Add ] Source : Add Source Zone Untrust.
c. [Policies > DoS Protection > Add ] Destination : Set Zone Untrust, and Destination Address: [Public IP]
d. [Policies > DoS Protection > Add > Option/Protection > Action]: Deny.
[Policies > DoS Protection > Add > Option/Protection > Service]: udp-range-0-65535 and tcp-range-0-65535.
e. Resulting DoS Policy:
DoS Rule Number: (before-last)
DoS Rule Name: Untrust to DMZ - Deny All
Source Zone: Untrust
Destination Zone: DMZ
Destination Address: Public IP
Action: Deny
a. [Policies > DoS Protection > Add ] General : Set the DoS Policy name Untrust to DMZ - Deny All
b. [Policies > DoS Protection > Add ] Source : Add Source Zone Untrust.
c. [Policies > DoS Protection > Add ] Destination : Set Zone DMZ, and Destination Address: [Public IP]
d. [Policies > DoS Protection > Add ] Option/Protection : Set Action to Deny
e. Resulting DoS Policy:
GlobalProtect example:
DoS Rule Number: (before Deny All policies)
DoS Rule Name: Untrust to Untrust - Pinhole - GlobalProtect
Source Zone: Untrust
Destination Zone: Untrust
Destination Address: (Public IP)
Service: [ tcp-443, udp-4501 ]
Action: Allow, or Protect(Optional)
IPSec example:
DoS Rule Number: (before Deny All policies)
DoS Rule Name: Untrust to Untrust - Pinhole - IPSec
Source Zone: Untrust
Source Address: (Add IPSec-tunnel peer IP addresses, or at the very least limit exposure by defining source Country)
Destination Zone: Untrust
Destination Address: (Public IP)
Service: [ udp-500, udp-4500 ]
Action: Allow, or Protect(Optional)
Protect(Optional) settings:
DoS Protection profile
Name: Untrust Protect
Type: Classified
Flood Protection: SYN Flood, UDP Flood, ICMP Flood, ICMPv6 Flood, Other IP Flood (enable as needed).
a. [Policies > DoS Protection > Add ] General : Set the DoS Policy name Untrust to Untrust - Pinhole - <Service>
b. [Policies > DoS Protection > Add ] Source : Add Source Zone Untrust.
c. [Policies > DoS Protection > Add ] Destination : Set Zone Untrust, and Destination Address: [Public IP]
d. [Policies > DoS Protection > Add ] Option/Protection : Set Action to Allow or Protect.
GlobalProtect example:
IPSec example:
e. Resulting DoS Policy
DoS Rule Number: (before Deny All policies)
DoS Rule Name: Untrust to DMZ - Pinhole - <Service>
Source Zone: Untrust
Destination Zone: DMZ
Destination Address: (Public IP)
Service: [ tcp-8443 ] (These are examples, add any ports that are needed).
Action: Allow, or Protect(Optional)
Protect(Optional) settings:
DoS Protection profile
Name: Untrust Protect
Type: Classified
Flood Protection: SYN Flood, UDP Flood, ICMP Flood, ICMPv6 Flood, Other IP Flood (enable as needed).
a. [Policies > DoS Protection > Add ] General : Set the DoS Policy name Untrust to DMZ - Pinhole - <Service>
b. [Policies > DoS Protection > Add ] Source : Add Source Zone Untrust.
c. [Policies > DoS Protection > Add ] Destination : Set Zone DMZ, and Destination Address: [Public IP]
d. [Policies > DoS Protection > Add ] Option/Protection : Set Action to Allow or Protect.
e. Resulting DoS Policy
At this stage, the firewall will only allow connections from the internet to specific pin-holed TCP and UDP ports, efficiently discarding everything else. DoS Deny and Allow actions do not generate log entries in the Threat logs. Protect actions will write entries in the Threat logs as log type 'flood' whenever the Alert thresholds defined in the DoS Profiles are met or surpassed.
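The rulebase above is evaluated first-match, so the pinholes must sit above the Deny All rules and every destination zone that receives inbound traffic needs its own deny rule. The following added example (not Palo Alto Networks code) simulates that evaluation offline for the rules described above; the public IP and IPSec peer address are constructed placeholders.

```python
# Added example (not Palo Alto Networks code): first-match simulation of the DoS rulebase above.
from dataclasses import dataclass, field
PUBLIC_IP = "203.0.113.10"      # constructed placeholder for the firewall's public IP
IPSEC_PEERS = {"198.51.100.7"}  # constructed placeholder for the IPSec peer address
@dataclass
class DosRule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                  # "allow", "deny" or "protect"
    services: set = field(default_factory=set)   # {(proto, low_port, high_port)}; empty = any
    src_addrs: set = field(default_factory=set)  # empty = any source address
# Rule order as in the article: pinholes first, Deny All rules last; all target PUBLIC_IP.
RULEBASE = [
    DosRule("Untrust to Untrust - Pinhole - GlobalProtect", "Untrust", "Untrust", "allow",
            {("tcp", 443, 443), ("udp", 4501, 4501)}),
    DosRule("Untrust to Untrust - Pinhole - IPSec", "Untrust", "Untrust", "allow",
            {("udp", 500, 500), ("udp", 4500, 4500)}, IPSEC_PEERS),
    DosRule("Untrust to DMZ - Pinhole - <Service>", "Untrust", "DMZ", "allow", {("tcp", 8443, 8443)}),
    DosRule("Untrust to DMZ - Deny All", "Untrust", "DMZ", "deny"),
    DosRule("Untrust to Untrust - Deny All - UDP and TCP", "Untrust", "Untrust", "deny",
            {("tcp", 0, 65535), ("udp", 0, 65535)}),
    DosRule("Untrust to Untrust - Deny All - Other IP", "Untrust", "Untrust", "deny"),
]

def matches(rule, pkt):
    """pkt = (src_ip, src_zone, dst_zone, dst_ip, proto, dport); use dport 0 for non-TCP/UDP."""
    src_ip, src_zone, dst_zone, dst_ip, proto, dport = pkt
    if (src_zone, dst_zone, dst_ip) != (rule.src_zone, rule.dst_zone, PUBLIC_IP):
        return False
    if rule.src_addrs and src_ip not in rule.src_addrs:
        return False
    return not rule.services or any(proto == p and lo <= dport <= hi for p, lo, hi in rule.services)

def evaluate(pkt, rulebase=RULEBASE):
    """First match wins; (None, None) means no DoS rule covers the packet (DNAT to an uncovered zone)."""
    for rule in rulebase:
        if matches(rule, pkt):
            return rule.action, rule.name
    return None, None

def pinholes_precede_deny_all(rulebase=RULEBASE):
    """Per zone pair, an allow/protect rule placed below a deny rule would be shadowed."""
    seen_deny = set()
    for r in rulebase:
        if r.action == "deny":
            seen_deny.add((r.src_zone, r.dst_zone))
        elif (r.src_zone, r.dst_zone) in seen_deny:
            return False
    return True
```

A packet that returns (None, None) is the case the failsafe Security Policy in the suppression steps below exists for: a destination zone with no DoS rule of its own.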
3. Utilize Security Policies to establish a list of allowed countries. If this proves too restrictive, consider compiling a list of countries to block. Alternatively, you can combine both: a comprehensive block list of countries not permitted to access any services, along with a separate list of countries allowed to connect to GlobalProtect (with an intrazone-untrust-drop rule following it). These allow and block lists can also be employed to regulate outbound traffic. Select countries to block (e.g. OFAC sanctioned countries) to mitigate cybersecurity risk. Ensure the action is set to 'Drop' so the firewall does not respond to any of these requests and remains undiscoverable.
Example country list:
[ AF BY CD CF CN CU CY ER ET HT IQ IR KG KP LB LY ML NI RU SD SO SS SY VE YE ZW ]
a. Policy limiting inbound traffic from OFAC (example) countries.
b. Policy allowing certain countries to connect to GlobalProtect.
c. Policies for managing intrazone-untrust traffic. Here, we permit IPSec for site-to-site tunnels originating from specific source countries or from specific peer IP addresses, and include a cleanup intrazone-untrust-drop rule at the end.
5. Further limit exposure (from allowed source countries) by leveraging IP blocklists with External Dynamic Lists (EDLs). Threat intelligence providers offer access to reputable IP blocklists for a fee. For more information, please refer to our EDL Tech Docs.
6. Blocking traffic from undesired sources with Security Policies can produce a significant volume of log entries. The reason for not doing this with DoS Policies instead is that IP-to-country mappings can be inaccurate and lead to false-positive detections: if permitted traffic is unexpectedly blocked, having a log entry of that activity is invaluable for troubleshooting. However, you may not wish to receive repeated log entries for the same issue. In such cases, you can suppress the recurring entries by managing a Dynamic Address Group through timed IP-tags, using log forwarding built-in actions.
a. Create a tag.
b. Create a Dynamic Address Group to use this tag with.
c. Add a Log Forwarding profile to the policy that needs to have repeat entries suppressed. In this example we named it OFAC suppression.
d. Edit the Log Forwarding profile. Add an entry for Traffic logs that filters on the matched OFAC source countries and applies the ofac-countries IP tag.
Example country filter:
(srcloc eq 'AF') or (srcloc eq 'BY') or (srcloc eq 'CD') or (srcloc eq 'CF') or (srcloc eq 'CN') or (srcloc eq 'CU') or (srcloc eq 'CY') or (srcloc eq 'ER') or (srcloc eq 'ET') or (srcloc eq 'HT') or (srcloc eq 'IQ') or (srcloc eq 'IR') or (srcloc eq 'KG') or (srcloc eq 'KP') or (srcloc eq 'LB') or (srcloc eq 'LY') or (srcloc eq 'ML') or (srcloc eq 'NI') or (srcloc eq 'RU') or (srcloc eq 'SD') or (srcloc eq 'SO') or (srcloc eq 'SS') or (srcloc eq 'SY') or (srcloc eq 'VE') or (srcloc eq 'YE') or (srcloc eq 'ZW')
e. Define the built-in action. Here we IP-tag the source IP with 'ofac-countries' for 480 minutes. After the timeout expires, the entry is removed from the Dynamic Address Group.
f. Add a DoS Policy with Action Deny for anything matching Source Address: ofac-countries (the time-based IP-tagged Dynamic Address Group).
g. Define a failsafe Security Policy with the same settings. Since we don't want to log, uncheck the Log at Session End checkbox in the Security Policy Actions tab. This failsafe rule is needed because DoS Policies cannot use 'any' as the destination zone: a DNAT rule may exist, or be added later, that maps to a destination zone not covered by the DoS Policies, which would otherwise cause missed detections.
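The following added example (not Palo Alto Networks code) models steps a to g: it builds the country filter in the form shown above, tags a source IP for 480 minutes on the first logged hit, and shows which later hits are suppressed by the DoS rule, which fall to the failsafe rule, and when the tag expiry causes a new log entry. Times are minutes as integers and the log records are constructed.

```python
# Added example (not Palo Alto Networks code): models the suppression loop of steps a-g
# with constructed log records, so logged-versus-suppressed behaviour can be checked.
OFAC_COUNTRIES = ["AF", "BY", "CD", "CF", "CN", "CU", "CY", "ER", "ET", "HT", "IQ", "IR", "KG",
                  "KP", "LB", "LY", "ML", "NI", "RU", "SD", "SO", "SS", "SY", "VE", "YE", "ZW"]
TAG_TIMEOUT = 480                       # step e: IP-tag lifetime in minutes
DOS_COVERED_ZONES = {"Untrust", "DMZ"}  # zones that have a DoS policy; 'any' is not possible

def country_filter(countries=OFAC_COUNTRIES):
    """Builds the Traffic log filter string in the form used in step d."""
    return " or ".join(f"(srcloc eq '{c}')" for c in countries)

class TimedTagStore:
    """Stand-in for the registered-IP table: IP -> expiry time of the 'ofac-countries' tag."""
    def __init__(self):
        self.expiry = {}
    def tag(self, ip, now):
        self.expiry[ip] = now + TAG_TIMEOUT
    def dag_members(self, now):         # Dynamic Address Group as resolved at time 'now'
        return {ip for ip, t in self.expiry.items() if t > now}

def process_hit(record, store):
    """record = constructed traffic-log-like dict with time (minutes), src, srcloc, dst_zone.
    Returns (which rule stopped the packet, whether a log entry is written)."""
    now, ip = record["time"], record["src"]
    if ip in store.dag_members(now):
        if record["dst_zone"] in DOS_COVERED_ZONES:
            return "dos-deny", False    # step f: DoS deny drops it early, no repeat log entry
        return "failsafe-drop", False   # step g: Security Policy drop with logging disabled
    if record["srcloc"] in OFAC_COUNTRIES:
        store.tag(ip, now)              # steps d/e: log forwarding built-in action tags the IP
        return "country-drop", True     # the one logged entry per tag lifetime
    return None, False                  # not an OFAC source; later policies decide

def replay(records):
    """Feed records in time order through one tag store; returns the list of outcomes."""
    store = TimedTagStore()
    return [process_hit(r, store) for r in sorted(records, key=lambda r: r["time"])]
```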