This is a demo of a Palo Alto Networks firewall acting in passive IDS mode in a Google Cloud Platform (GCP) environment. It is assumed that the IDS receives network traffic via the GCP Packet Mirroring service. Throughout the demo, the breach and attack simulation software Keysight Threat Simulator is used to create conditions resembling real malicious activity. The goals of the demo are:
- Validate operational readiness and basic efficacy of a network security monitoring tool.
- Compare efficacy of various tools against identical attack scenarios -- as more tools are added to the demo.
- Fine tune configuration of the tool to increase its efficacy.
In this iteration of the demo, a combination of the following security monitoring products is being validated:
- Palo Alto Networks vm-series firewall acting as an IDS, and
- Splunk Enterprise log data indexing solution acting as a SIEM.
- Throughout the document, the GCP Project ID parameter `--project=kt-nas-demo` is used in `gcloud` command syntax. Change `kt-nas-demo` to the GCP Project ID you intend to use for the deployment.
- Where applicable, GCP Region `us-west1` (Oregon) and/or Zone `us-west1-b` are used within the document. Consider changing to a region and zone that fit your deployment via the `--region=us-west1` and `--zone=us-west1-b` parameters.
- Create a demo VPC for Threat Simulator agent and IDS deployment. If needed, change IP address ranges to fit your design.
Parameter | Value |
---|---|
Name | ts-demo-vpc |
Description | ThreatSim Demo |
Subnets | custom |
Name | ts-demo-app-subnet |
Region | us-west1 |
IP address range | 192.168.201.0/24 |
Name | ts-demo-ids-subnet |
Region | us-west1 |
IP address range | 192.168.202.0/24 |
```bash
gcloud compute networks create ts-demo-vpc --project=kt-nas-demo --description="ThreatSim Demo" --subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional
gcloud compute networks subnets create ts-demo-app-subnet --project=kt-nas-demo --range=192.168.201.0/24 --network=ts-demo-vpc --region=us-west1
gcloud compute networks subnets create ts-demo-ids-subnet --project=kt-nas-demo --range=192.168.202.0/24 --network=ts-demo-vpc --region=us-west1
```
For a successful PAN deployment, we need another VPC on the "trusted" security-zone side of the PAN instance. It will not be used in any other way.
Parameter | Value |
---|---|
Name | ts-pan-trust-vpc |
Description | ThreatSim Demo - Palo Alto Trusted NIC VPC |
Subnets | custom |
Name | ts-pan-trust-subnet |
Region | us-west1 |
IP address range | 192.168.203.0/24 |
```bash
gcloud compute networks create ts-pan-trust-vpc --project=kt-nas-demo --description="ThreatSim Demo - Palo Alto Trusted NIC VPC" --subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional
gcloud compute networks subnets create ts-pan-trust-subnet --project=kt-nas-demo --range=192.168.203.0/24 --network=ts-pan-trust-vpc --region=us-west1
```
- Create VPC Firewall rules in `ts-demo-vpc` to permit HTTP and HTTPS traffic to any target tagged as `http-server` and `https-server`:
```bash
gcloud compute --project=kt-nas-demo firewall-rules create ts-demo-allow-http --description="Allow http ingress to any instance tagged as http-server" --direction=INGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=tcp:80 --source-ranges=0.0.0.0/0 --target-tags=http-server
gcloud compute --project=kt-nas-demo firewall-rules create ts-demo-allow-https --description="Allow https ingress to any instance tagged as https-server" --direction=INGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=tcp:443 --source-ranges=0.0.0.0/0 --target-tags=https-server
```
- (Optional) Permit SSH access to GCP instances via a browser (IAP TCP forwarding, source range `35.235.240.0/20`). See https://cloud.google.com/iap/docs/using-tcp-forwarding for more information.
```bash
gcloud compute --project=kt-nas-demo firewall-rules create allow-ssh-from-browser-default-vpc --description="https://cloud.google.com/iap/docs/using-tcp-forwarding" --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:22 --source-ranges=35.235.240.0/20
gcloud compute --project=kt-nas-demo firewall-rules create allow-ssh-from-browser-ts-demo-vpc --description="https://cloud.google.com/iap/docs/using-tcp-forwarding" --direction=INGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=tcp:22 --source-ranges=35.235.240.0/20
```
- If you do not have an active Threat Simulator account, request evaluation access at https://threatsimulator.cloud/login
- Once the eval is approved, log in to the Threat Simulator console, navigate to the Deployment page, and open "Anywhere" as the deployment type
- Scroll down to AGENT INSTALLATION to a CURL command line, which looks similar to the following. In your case, there will be a different `OrganizationID`. The agent version will vary with time as well.
```bash
curl "https://api.threatsimulator.cloud/agent/download?OrganizationID=1234567890abcdef1234567890abcdef&Type=onpremise-linux" > agent-21.3.0.2325.run
```
- Copy the 32-character value of the `OrganizationID` string from the line above and paste it into the script below on the `organizationID` line, right after the `=` sign. Deploy a Threat Simulator Agent instance on GCP by running the following command in GCP Console.
```bash
gcloud compute instances create ts-workload-1 \
--zone=us-west1-b \
--machine-type=e2-small \
--subnet=ts-demo-app-subnet \
--image-family=ubuntu-2004-lts \
--image-project=ubuntu-os-cloud \
--boot-disk-size=10GB \
--boot-disk-device-name=ts-workload-1 \
--tags=ts-agent,http-server,https-server \
--metadata=startup-script='#!/bin/bash -xe
# The marker file makes the startup script idempotent across reboots
if [ ! -f /home/threatsim/.tsinstalled ]; then
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
apt update
apt -y install docker.io
systemctl restart docker
systemctl enable docker
useradd -m -G google-sudoers threatsim
# Replace with the OrganizationID copied from the Threat Simulator console
organizationID="1234567890abcdef1234567890abcdef"
name="GCP-Demo-1"
APIbaseURL="https://api.threatsimulator.cloud"
curl $APIbaseURL/agent/download\?OrganizationID\=${organizationID}\&Type\=onpremise-linux >/home/threatsim/agent-init.run
chown threatsim:threatsim /home/threatsim/agent-init.run
sudo -u threatsim /bin/bash /home/threatsim/agent-init.run --quiet -- -y -n "${name}"
# Consider the install complete once the agent filebeat container is running
if [ `docker ps -qf name=ts-filebeat | wc -l` -ge 1 ]; then touch /home/threatsim/.tsinstalled; fi
fi'
```
- After about 5 minutes the Threat Simulator workload should appear in the Threat Simulator UI under the Agents section
- Deploy a VM Instance with Ubuntu 20.04 LTS for Splunk Enterprise
```bash
gcloud beta compute --project=kt-nas-demo instances create ts-splunk-1 \
--zone=us-west1-b \
--machine-type=n1-standard-16 \
--subnet=default \
--network-tier=PREMIUM \
--maintenance-policy=MIGRATE \
--service-account=461244098184-compute@developer.gserviceaccount.com \
--scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append \
--image=ubuntu-2004-focal-v20210315 \
--image-project=ubuntu-os-cloud \
--boot-disk-size=100GB \
--boot-disk-type=pd-balanced \
--boot-disk-device-name=ts-splunk-1 \
--no-shielded-secure-boot \
--shielded-vtpm \
--shielded-integrity-monitoring \
--reservation-affinity=any \
--tags=splunk-server
```
- Open an SSH session and download the Splunk Enterprise Deb package
```bash
wget "https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.1.3&product=splunk&filename=splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb&wget=true"
mv DownloadActivityServlet\?architecture\=x86_64\&platform\=linux\&version\=8.1.3\&product\=splunk\&filename\=splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb\&wget\=true splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb
```
- Install Splunk; provide the admin username and password you would like to use when requested
```bash
sudo dpkg -i splunk-8.1.3-63079c59e632-linux-2.6-amd64.deb
dpkg --status splunk
cd /opt/splunk/bin
sudo ./splunk start --accept-license
sudo ./splunk enable boot-start
```
- Allow remote access to the API (needed so the SIEM Agent can reach the Splunk REST API on tcp/8089). Add the lines between the `+++` and `---` markers to the file:
```bash
sudo vi /opt/splunk/etc/system/local/server.conf
# +++
[general]
allowRemoteLogin = always
# ---
sudo /opt/splunk/bin/splunk restart
```
- Configure NTP for time synchronization on the Splunk instance
```bash
sudo apt update
sudo apt install ntp -y
```
- Permit connections to Splunk services in VPC Firewall by running the following commands in GCP Console
```bash
gcloud compute --project=kt-nas-demo firewall-rules create ts-splunk --description="Access to Splunk instance" --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:8000 --source-ranges=0.0.0.0/0 --target-tags=splunk-server
gcloud compute --project=kt-nas-demo firewall-rules create ts-splunk-syslog --description="Syslog to Splunk instance" --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:5514 --source-tags=ts-siem-agent --target-tags=splunk-server
gcloud compute --project=kt-nas-demo firewall-rules create ts-splunk-api --description="API to Splunk instance" --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:8089 --source-tags=ts-siem-agent --target-tags=splunk-server
```
- Access the Splunk Web UI via browser on HTTP port tcp/8000
- Use the SIEM integration guide at https://threatsimulator.cloud/security/settings/siem/siem-deployment-how-to to set up the Splunk integration
SIEM API Token: xxx
Create a SIEM Agent instance:
```bash
gcloud beta compute --project=kt-nas-demo instances create ts-siem-agent-1 \
--zone=us-west1-b \
--machine-type=e2-micro \
--subnet=default \
--network-tier=PREMIUM \
--maintenance-policy=MIGRATE \
--service-account=461244098184-compute@developer.gserviceaccount.com \
--scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/trace.append \
--image=ubuntu-2004-focal-v20210315 \
--image-project=ubuntu-os-cloud \
--boot-disk-size=10GB \
--boot-disk-type=pd-balanced \
--boot-disk-device-name=ts-siem-agent-1 \
--no-shielded-secure-boot \
--shielded-vtpm \
--shielded-integrity-monitoring \
--reservation-affinity=any \
--tags=ts-siem-agent
```
Download and install the agent (use your own `OrganizationID` value):
```bash
wget "https://api.threatsimulator.cloud/agent/download?OrganizationID=1234567890abcdef1234567890abcdef&Type=siem-agent-installer"
sudo su -
apt update
apt -y install docker.io
systemctl restart docker
systemctl enable docker
useradd -m -G google-sudoers threatsim
APIbaseURL="https://api.threatsimulator.cloud"
organizationID="1234567890abcdef1234567890abcdef"
curl $APIbaseURL/agent/download\?OrganizationID\=${organizationID}\&Type\=siem-agent-installer >/home/threatsim/install-siem-agent.sh
chown threatsim:threatsim /home/threatsim/install-siem-agent.sh
sudo -u threatsim /bin/bash /home/threatsim/install-siem-agent.sh
```
- Configure NTP for time synchronization on the SIEM Agent instance
```bash
sudo apt update
sudo apt install ntp -y
```
- Follow SIEM CONFIGURATION > SIEM SETUP > SPLUNK SIEM INSTRUCTIONS on https://threatsimulator.cloud/security/settings/siem/siem-deployment-how-to/splunk.
Parameter | Value |
---|---|
Input Type | TCP Port |
Port Number | 5514 |
Source name override | N/A |
Restrict to Host | N/A |
Source Type | threatsim |
App Context | TA_threatsimulator |
Method | IP |
Index | threatsim |
- Start with the Splunk SIEM configuration for the Palo Alto Networks IDS. In the Splunk Web UI, go to Apps → Find More Apps and type "Palo Alto Networks Add-on for Splunk" in the search field. From the search results, choose "Palo Alto Networks Add-on for Splunk" and click Install. Once done, click "Go Home".
- Create index: Go to Settings > Data > Indexes. Select New index and configure the following and Save
Parameter | Value |
---|---|
Index name | pan |
App | Palo Alto Networks Add-on |
- Create data input (TCP): Go to Settings > Data > Data inputs. In the Local inputs section, click Add new (from TCP section). Configure:
Parameter | Value |
---|---|
Input Type | TCP Port |
Port Number | 5614 |
Source name override | N/A |
Restrict to Host | N/A |
Source Type | pan:log |
App Context | Palo Alto Networks Add-on |
Method | IP |
Index | pan |
- Permit connections to the Splunk Data input service in VPC Firewall by running the following command in GCP Console
```bash
gcloud compute --project=kt-nas-demo firewall-rules create ts-splunk-syslog-pan --description="PAN Syslog to Splunk instance" --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:5614 --source-tags=pan-security --target-tags=splunk-server
```
- Configure your specific timezone for the `pan:log` source type on the Splunk instance via SSH
```bash
sudo su -
cd /opt/splunk/etc/apps/Splunk_TA_paloalto/local
cat >> props.conf << EOF
[pan:log]
TZ = US/Pacific
EOF
```
- Deploy PAN IDS instance. GCP Compute instances > Create new > Marketplace: Palo Alto VM-Series Next-Generation Firewall (Bundle1)
Parameter | Value |
---|---|
Deployment name | vmseries-flex-bundle1-1 |
Zone | us-west1-b |
Machine type | 4 vCPUs / 15G RAM |
Interfaces swap | Yes (Do not miss this one!) |
SSH Key | <admin:ssh-rsa ADD PUBLIC SSH KEY HERE> |
Networking (VPCs and subnets must be pre-created) | |
nic0 - Untrust (IDS) | |
Network | ts-demo-vpc |
Subnetwork | ts-demo-ids-subnet |
Enable External IP for Management interface | No (swapped to Untrust) |
nic1 - Management | |
Network | default |
Subnetwork | default |
Enable External IP for Untrust | Yes (swapped to Management) |
nic2 - Trust (not used) | |
Network | ts-pan-trust-vpc |
Subnetwork | ts-pan-trust-subnet |
Enable External IP for Trust | No |
- Edit the PAN IDS instance and add the network tag `pan-security`
- Permit connections to PAN IDS management in VPC Firewall by running the following command in GCP Console. The rule as written accepts tcp/443 and tcp/22 from any source; narrow `--source-ranges` to your own management addresses where possible.
```bash
gcloud compute --project=kt-nas-demo firewall-rules create ts-pan-mgmt --description="PAN Management" --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:443,tcp:22 --source-ranges=0.0.0.0/0 --target-tags=pan-security
```
- Connect via SSH to the PAN IDS instance and set the admin password (if you see a password prompt when connecting over SSH, disconnect and wait before connecting again; you should be able to connect without a password)
```bash
ssh -i <ssh_rsa_private_key> admin@<pan_workload_ip_address>
configure
set mgt-config users admin password
commit
```
- Register the PAN IDS instance on the PAN support portal, then download and install Dynamic Updates for Applications and Threats
- Configure PAN as an IDS (outside the scope of this guide)
- Configure event forwarding from the PAN IDS to Splunk (outside the scope of this guide)
- Start by creating an unmanaged GCP Instance Group for the Packet Mirroring load balancer backends with the PAN IDS monitoring interface:
```bash
gcloud compute --project=kt-nas-demo instance-groups unmanaged create pan-ids-ig --zone=us-west1-b --description="PAN IDS group"
gcloud compute --project=kt-nas-demo instance-groups unmanaged add-instances pan-ids-ig --zone=us-west1-b --instances=vmseries-flex-bundle1-1
```
- To monitor PAN IDS instance availability, create a Health Check for the SSH service and allow connections from the GCP health-check source ranges in Firewall rules
```bash
gcloud beta compute health-checks create tcp ssh-health-check --project=kt-nas-demo --port=22 --proxy-header=NONE --no-enable-logging --description=TCP\ health-check\ for\ SSH\ service --check-interval=5 --timeout=5 --unhealthy-threshold=2 --healthy-threshold=2
gcloud compute firewall-rules create fw-allow-health-checks \
--network=ts-demo-vpc \
--action=ALLOW \
--direction=INGRESS \
--source-ranges=35.191.0.0/16,130.211.0.0/22 \
--target-tags=pan-security \
--rules=tcp
```
- VPC Network > Packet Mirroring, Create Policy. Take note of the Frontend Internal IP automatically assigned when creating the load balancer; it is needed in the following steps.
Parameter | Value |
---|---|
Name | ts-demo-pan-mirror |
Region | us-west1 |
Policy enforcement | Enabled |
Mirrored source and destinations are in the same VPC network | ts-demo-vpc |
Mirrored source - Select with network tags | ts-agent |
Mirrored destination | Create new L4 internal load balancer |
Name | ts-demo-pan-ids-ilb |
Backend configuration | |
Region | us-west1 |
Network | ts-demo-vpc |
Backends instance Group | pan-ids-ig |
Health check | ssh-health-check |
Frontend configuration | |
Name | ts-demo-pan-ids-ilb-fe |
Subnetwork | ts-demo-ids-subnet |
Internal IP | |
Purpose | Non-shared |
IP address | Static internal IP address |
Name | ts-demo-pan-ids-ilb-fe-ip |
Address | Assign automatically |
Global access | Disable |
Packet mirroring (advanced configuration) | Enable this load balancer for Packet Mirroring |
Collector destination | ts-demo-pan-ids-ilb-fe |
Select mirrored traffic | Mirror all traffic |
- Create firewall rules to permit mirrored traffic.
Egress from source instances. Use the IP address assigned as the Frontend Internal IP in the previous step as `--destination-ranges`.
```bash
gcloud compute --project=kt-nas-demo firewall-rules create ts-demo-packet-mirror-egress --description="Packet mirroring egress from sources to PAN" --direction=EGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=all --destination-ranges=192.168.202.4/32
```
Ingress to PAN IDS
```bash
gcloud compute --project=kt-nas-demo firewall-rules create ts-demo-packet-mirror-pan --description="Packet mirroring ingress traffic to PAN IDS" --direction=INGRESS --priority=1000 --network=ts-demo-vpc --action=ALLOW --rules=all --source-ranges=0.0.0.0/0 --target-tags=pan-security
```
- In the PAN IDS configuration, add a `loopback.1` interface with the IP address assigned as the Frontend Internal IP in the previous step. Add `loopback.1` to the virtual router configuration. Create static routes for the following health-check IP address ranges: `35.191.0.0/16`, `130.211.0.0/22`, pointing to the default gateway of the subnet of the `Ethernet1/1` interface: `192.168.202.1`