# SECCDCq 2023 Networking Strat

#### Secure Palo admin access

- [ ] If you can't get into the web interface, SSH in and set the admin account's password from the CLI:

  ```
  > configure
  # set mgt-config users admin password
  # commit
  ```

- [ ] Lock down admin: `Device -> Administrators`
  - [ ] Make a new admin account and set its password
  - [ ] Log in to the new account to verify it works
  - [ ] Disable the old admin
  - [ ] Clear authorized SSH keys
- [ ] Restrict administrative login to your IP (check where you're logged in from on the Dashboard): `Device -> Setup -> Interfaces`
- [ ] **Exfil (back up) the Palo config**

#### Threat blocking

- [ ] Updates (Antivirus, Applications and Threats, WildFire): `Device -> Dynamic Updates`
- [ ] Create a custom Vulnerability Profile: `Objects -> Security Profiles -> Vulnerability Protection`
  - [ ] Block all critical / high
  - [ ] Warn on medium
  - [ ] Exceptions: SSH Brute Force (block on 10 attempts in 60 sec)
- [ ] Create a Security Profile Group: `Objects -> Security Profile Groups`
- [ ] Apply the Security Profile Group to all policies: `Policies -> Security`, then `Actions -> Profile Setting`
- [ ] Flood Protection + Reconnaissance Protection (IP block for 180 sec): `Network -> Network Profiles -> Zone Protection`

#### Determine network layout

- [ ] Is NAT occurring? Where?
  - [ ] Check for an AWS NAT Gateway or NAT on the Palo
- [ ] Do we have a DNS server? If not, what should be used?
- [ ] Who has public IPs?
- [ ] Where are scoring checks coming from?
  - [ ] Palo CLI
  - [ ] `curl interface dst-URL`
  - [ ] `tcpdump`
  - [ ] `netstat -planet` and `tcpdump port 25 -i any` on the boxes
  - [ ] Worst case: Wireshark on the Windows boxes

#### If we have time between injects + AWS stuff

- [ ] Nmap everyone (add your IP to the ZPP exceptions first)
- [ ] Inbound rule per host if you can
- [ ] Kill internet?
- [ ] URL filtering

#### If you blocked stuff

List blocked IPs:

`> debug dataplane show dos block-table`

Empty the block table:

`> debug dataplane reset dos block-table`

#### Help troubleshoot

- `uname -r` (OS version number)
- `netstat -planet`
- `tcpdump -D` (lists available interfaces)
- `tcpdump -i eth0`
- `tcpdump -i any`
- `tcpdump port 25`
- `route print` (Windows)
- `route` or `ip route` (Linux)

Supposedly you can unblock a single IP with something like this:

`> debug dataplane reset dos zone L3_Untrust block-table source x.x.x.x`

After being removed from the block table, you might need to clear sessions:

`> show session all filter source x.x.x.x`

`> clear session id 45629`
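The "clear sessions" step above is tedious when a source has many stale sessions, since `clear session id` takes one ID at a time. The script below is an added example, not part of the original notes: it parses the table printed by `show session all filter source x.x.x.x` and emits one `clear session id N` line per session from that source. The sample output is constructed and approximates the CLI's two-line-per-session layout (ID/app/state/source on the first line, vsys/destination on the second); the exact column layout is an assumption, which is why the parser keys on the `ip[port]/zone` field rather than on column positions.

```python
import re

# Constructed sample approximating the layout of PAN-OS
# `show session all filter source 10.0.9.200` (not captured from a real firewall;
# the two-line-per-session layout is an assumption about the CLI's table format).
SESSION_OUTPUT = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
45629        ssh            ACTIVE  FLOW  NS   10.0.9.200[51234]/L3_Untrust/6  (10.0.9.200[51234])
vsys1                                          10.0.1.5[22]/L3_Trust  (10.0.1.5[22])
45702        smtp           ACTIVE  FLOW  NS   10.0.9.200[40000]/L3_Untrust/6  (10.0.9.200[40000])
vsys1                                          10.0.1.5[25]/L3_Trust  (10.0.1.5[25])
45810        dns            DISCARD FLOW  NS   10.0.9.201[53001]/L3_Untrust/17  (10.0.9.201[53001])
vsys1                                          10.0.1.5[53]/L3_Trust  (10.0.1.5[53])
"""

# ip[port]/zone, optionally followed by /proto on the source line.
ENDPOINT_RE = re.compile(
    r"^(?P<ip>[^\[\s]+)\[(?P<port>\d+)\]/(?P<zone>[^/\s]+)(?:/(?P<proto>\d+))?$"
)


def parse_sessions(text):
    """Turn the session table into a list of dicts, one per session.

    The first line of each pair (numeric ID first) gives app/state/source;
    the second (vsys first) gives the destination. Header rows are skipped
    because their bracketed fields ("Src[Sport]") are not numeric ports.
    """
    sessions = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        endpoint = next((t for t in tokens if "]/" in t), None)
        m = ENDPOINT_RE.match(endpoint) if endpoint else None
        if not m:
            continue
        if tokens[0].isdigit():
            sessions.append({
                "id": int(tokens[0]),
                "app": tokens[1],
                "state": tokens[2],
                "src": m["ip"],
                "sport": int(m["port"]),
                "src_zone": m["zone"],
                "proto": int(m["proto"]) if m["proto"] else None,
                "vsys": None, "dst": None, "dport": None, "dst_zone": None,
            })
        elif sessions:
            # Destination line belongs to the most recently parsed session.
            current = sessions[-1]
            current["vsys"] = tokens[0]
            current["dst"] = m["ip"]
            current["dport"] = int(m["port"])
            current["dst_zone"] = m["zone"]
    return sessions


def ids_for_source(sessions, ip):
    """Session IDs whose source address is `ip`."""
    return [s["id"] for s in sessions if s["src"] == ip]


def clear_commands(ids):
    """The operational-mode commands to paste, one per stale session."""
    return [f"clear session id {sid}" for sid in ids]


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_OUTPUT)
    for s in sessions:
        print(f'{s["id"]:>6} {s["app"]:<5} {s["state"]:<8} '
              f'{s["src"]}:{s["sport"]} -> {s["dst"]}:{s["dport"]}')
    print("\n".join(clear_commands(ids_for_source(sessions, "10.0.9.200"))))
```

Paste the CLI output into a file, run the script against it, and copy the generated `clear session id` lines back into the operational prompt. Review the printed table first: a session still in `DISCARD` state from the old block is exactly the kind that keeps a scoring check failing after the IP has been removed from the block table.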
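For the "Where are scoring checks coming from?" item under "Determine network layout", the `netstat -planet` output from each box answers two questions at once: what is listening, and which remote IPs currently hold established connections to it. The script below is an added example, not part of the original notes: it parses that output (the sample is constructed, with 10.0.9.200 playing the scoring engine and 198.51.100.7 an outsider), lists the listening services with their owning process, groups established peers by local port, and flags peers that are not on a list of expected scoring-check sources. The regex anchors on the fixed Linux `netstat` column order and tolerates program names that contain spaces (`sshd: root`) and the `-` shown when the socket has no owning PID.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -planet` output from a Linux box (not captured
# from a real host); 10.0.9.200 plays the scoring engine, 198.51.100.7 an outsider.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    Timer
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12345      800/sshd            off (0.00/0/0)
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          12346      900/master          off (0.00/0/0)
tcp        0      0 10.0.1.5:22             10.0.9.200:51234        ESTABLISHED 0          23456      1201/sshd: root     keepalive (7200.00/0/0)
tcp        0      0 10.0.1.5:25             10.0.9.200:40000        ESTABLISHED 0          23457      1300/smtpd          off (0.00/0/0)
tcp        0      0 10.0.1.5:25             198.51.100.7:40002      ESTABLISHED 0          23458      1301/smtpd          off (0.00/0/0)
tcp        0      0 10.0.1.5:25             198.51.100.7:40003      TIME_WAIT   0          0          -                   timewait (30.00/0/0)
udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          9999       700/named           off (0.00/0/0)
"""

# One socket row: proto, queues, local, foreign, optional state (UDP has none),
# user, inode, "pid/program" (program may contain spaces, pid may be "-"), timer.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*"
    r"(?P<user>\d+)\s+(?P<inode>\d+)\s+"
    r"(?P<pid>\d+|-)(?:/(?P<prog>.*?))?\s+\S+ \(.*\)$"
)


def split_addr(addr):
    """'10.0.1.5:22' -> ('10.0.1.5', '22'); rpartition also copes with IPv6."""
    ip, _, port = addr.rpartition(":")
    return ip, port


def parse_netstat(text):
    """Parse socket rows into dicts; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["local_ip"], row["local_port"] = split_addr(row["local"])
        row["foreign_ip"], row["foreign_port"] = split_addr(row["foreign"])
        row["state"] = row["state"] or "-"   # UDP rows carry no state
        row["prog"] = row["prog"] or "-"     # sockets with no owning PID
        rows.append(row)
    return rows


def listening_services(rows):
    """(proto, port) -> program for every listener; UDP sockets count as listeners."""
    return {
        (r["proto"], r["local_port"]): r["prog"]
        for r in rows
        if r["state"] == "LISTEN" or r["proto"].startswith("udp")
    }


def peers_by_port(rows):
    """local port -> set of remote IPs with an ESTABLISHED connection."""
    peers = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers[r["local_port"]].add(r["foreign_ip"])
    return dict(peers)


def unexpected_peers(rows, expected):
    """Established remote IPs that are not known scoring-check sources."""
    seen = {ip for ips in peers_by_port(rows).values() for ip in ips}
    return seen - set(expected)


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    for (proto, port), prog in sorted(listening_services(rows).items()):
        print(f"listening {proto}/{port:<5} {prog}")
    for port, ips in sorted(peers_by_port(rows).items()):
        print(f"port {port}: peers {sorted(ips)}")
    print("not a scoring source:", sorted(unexpected_peers(rows, ["10.0.9.200"])))
```

Run it once per box with the real `netstat -planet` output; the `expected` list is whatever IPs you have confirmed the scoring engine uses, so anything left in the "not a scoring source" set is a connection worth explaining before it gets an inbound rule.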