HackDig : Dig high-quality web security articles for hacker

Managing Palo Alto Firewalls Custom URL Categories

2015-12-23 22:10

[The post Managing Palo Alto Firewalls Custom URL Categories has been first published on /dev/random]

Custom URLPalo Alto Networks firewalls are very popular due to the huge amount of features they provide in a unique chassis. Besides the traditional traffic inspection, they can play up to the 7th layer of the ISO model. The rule base can contain rules which inspect the web traffic and prevent users to access specific URLs. The classic model used is the URLs categorization in multiple topics like the classic “Games“, “Adult“, “Auctions“, “Hacking“, etc. (A complete list of categories is available here). But they also provide a way to create custom categories that can be populated later. There is a feature called “Dynamic Block Lists” that allows the creation of objects which will be populated automatically with data pulled over HTTP (like a crontab). But such lists are only based on IP addresses.

I had to do the same for URLs and I wrote a small Python script “pum.py” (which stands for “Palo Alto URL Manager“) to manage dynamic lists of URLs. It helps to add, delete and list URLs stored on multiple firewalls and customer URL categories. The purpose of the script is to be called from other applications/scripts. In my project, it is called from a Splunk instance. The syntax is easy to understand:

$ ./pum.py -h
usage: pum.py [-h] [-f FIREWALL [FIREWALL ...]] [-c CONFIGFILE]
 [-u URLCATEGORY] [-n] [-v] [-s] [-p] [-l | -a | -d]
 [URL [URL ...]]

Manage custom URL categories in a Palo Alto Networks firewall

positional arguments:
 URL the URL(s) to add/remove (format is IP/FQDN)

optional arguments:
 -h, --help show this help message and exit
 -f FIREWALL [FIREWALL ...], --firewall FIREWALL [FIREWALL ...]
 firewall IP address or hostname
 -c CONFIGFILE, --config CONFIGFILE
 configuration file (default: /etc/pum.conf)
 -u URLCATEGORY, --url-category URLCATEGORY
 custom URL category to manage
 -n, --no-ssl-verification
 ignore SSL certificate errors
 -v, --verbose enable verbose output
 -s, --save commit the configuration (save)
 -p, --partial perform a partial commit (objects only)
 -l, --list list URLs from the custom URL category
 -a, --add add the URL(s) to the custom URL category
 -d, --delete remove the URL(s) from the custom URL category

The script uses the Palo Alto API to talk to the firewalls. You just need to create an API key and store it in a configuration file. You can define as many firewall as you have:

$ cat pum.conf
[192.168.0.1]
apikey: <redacted>
urlcategory: my_malicious_urls
[192.168.0.2]
apikey: <redacted>
urlcategory: my_malicious_urls
# To be added soon...
[proxy]
host:
port:
username:
password:

To add an URL, use the following command:

$ ./pum.py -v -f 192.168.1.1 -c pum.conf -n -a www.maliciousdomain.cn
+++ Verbose output enabled
+++ Processing firewall 192.168.1.1
+++ WARNING: SSL certificate check disabled
+++ Added www.maliciousdomain.cn in my_malicious_urls

It is possible to record multiple URLs at a time by reading them from STDIN:

$ cat bad_urls.txt
www.baddomain2.ru
c2.malicious.com
www.pwnedwordpress.fr
$ cat bad_urls.txt | ./pum.py -f 192.168.1.1 -c pum.conf -v -n -a -
+++ Verbose output enabled
+++ Processing firewall 192.168.1.1
+++ WARNING: SSL certificate check disabled
+++ Added www.baddomain2.ru in my_malicious_urls
+++ Added c2.malicious.com in my_malicious_urls
+++ Added www.pwnedwordpress.fr in my_malicious_urls

It is possible to list the URLs present in a specific category:

$ ./pum.py -v -f 192.168.1.1 -c pum.conf -n -l
+++ Verbose output enabled
+++ Processing firewall 192.168.1.1
+++ WARNING: SSL certificate check disabled
+++ Fetching list of URLs for 192.168.1.1/my_malicious_urls
2015/12/23 09:42:52 | 192.168.1.1 | my_malicious_urls | www.maliciousdomain.cn
2015/12/23 09:44:38 | 192.168.1.1 | my_malicious_urls | www.baddomain2.ru
2015/12/23 09:44:38 | 192.168.1.1 | my_malicious_urls | c2.malicious.com
2015/12/23 09:44:38 | 192.168.1.1 | my_malicious_urls | www.pwnedwordpress.fr

The custom URL category is populated and available immediately in the web GUI:

Custom URL Detail

And can be applied to rules in your security policy:

Custom URL Usage

Some useful tips:

  • The customer URL category must exists in the firewall configuration
  • By default, the new policy is not committed (use the flag ‘-s’ to commit and ‘-p’ to make a partial commit)
  • The script has been tested against PanOS 7.x (I know that the API syntax changes sometimes)

The script is available here.

[The post Managing Palo Alto Firewalls Custom URL Categories has been first published on /dev/random]


Source: /seirogetac-lru-motsuc-sllawerif-otla-olap-gniganam/32/21/5102/eb.llehstoor.golb

Read:4802 | Comments:0 | Tags:Security IOC Palo Alto

“Managing Palo Alto Firewalls Custom URL Categories”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud