search

PaloAltoNetworks / azure-applicationgateway

Scale out security for web deployments using VM-Series firewalls and Azure Application Gateway web load balancer
27 stars 52 forks source link

Solution incomplete - missing static route in panos config via appgw sample config #14

Open cgtheflash opened 2 years ago

cgtheflash commented 2 years ago

The solution provides the appgw sample configuration file. That sample configuration file is missing a static route on the default VR. That static route should be: destination: 192.168.4.0/24 interface: ethernet 1/2 next hop: ip address: 192.168.2.1

Once that is in place and the configuration is committed the default apache web server is accessible via application gateway.

Here's the updated sample xml config file code:

<config urldb="paloaltonetworks" version="9.1.0">
<mgt-config>
<users>
<entry name="admin">
<phash>*</phash>
<permissions>
<role-based>
<superuser>yes</superuser>
</role-based>
</permissions>
</entry>
<entry name="pandemo">
<permissions>
<role-based>
<superuser>yes</superuser>
</role-based>
</permissions>
<phash>$1$ljjdxeva$.isIbumicIMfaHvG/EKqd.</phash>
</entry>
</users>
</mgt-config>
<shared>
<application/>
<application-group/>
<service/>
<service-group/>
<botnet>
<configuration>
<http>
<dynamic-dns>
<enabled>yes</enabled>
<threshold>5</threshold>
</dynamic-dns>
<malware-sites>
<enabled>yes</enabled>
<threshold>5</threshold>
</malware-sites>
<recent-domains>
<enabled>yes</enabled>
<threshold>5</threshold>
</recent-domains>
<ip-domains>
<enabled>yes</enabled>
<threshold>10</threshold>
</ip-domains>
<executables-from-unknown-sites>
<enabled>yes</enabled>
<threshold>5</threshold>
</executables-from-unknown-sites>
</http>
<other-applications>
<irc>yes</irc>
</other-applications>
<unknown-applications>
<unknown-tcp>
<destinations-per-hour>10</destinations-per-hour>
<sessions-per-hour>10</sessions-per-hour>
<session-length>
<maximum-bytes>100</maximum-bytes>
<minimum-bytes>50</minimum-bytes>
</session-length>
</unknown-tcp>
<unknown-udp>
<destinations-per-hour>10</destinations-per-hour>
<sessions-per-hour>10</sessions-per-hour>
<session-length>
<maximum-bytes>100</maximum-bytes>
<minimum-bytes>50</minimum-bytes>
</session-length>
</unknown-udp>
</unknown-applications>
</configuration>
<report>
<topn>100</topn>
<scheduled>yes</scheduled>
</report>
</botnet>
</shared>
<devices>
<entry name="localhost.localdomain">
<network>
<interface>
<ethernet>
<entry name="ethernet1/1">
<layer3>
<ipv6>
<neighbor-discovery>
<router-advertisement>
<enable>no</enable>
</router-advertisement>
</neighbor-discovery>
</ipv6>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<lldp>
<enable>no</enable>
</lldp>
<dhcp-client/>
</layer3>
</entry>
<entry name="ethernet1/2">
<layer3>
<ipv6>
<neighbor-discovery>
<router-advertisement>
<enable>no</enable>
</router-advertisement>
</neighbor-discovery>
</ipv6>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<dhcp-client>
<create-default-route>no</create-default-route>
</dhcp-client>
<lldp>
<enable>no</enable>
</lldp>
</layer3>
</entry>
</ethernet>
</interface>
<profiles>
<monitor-profile>
<entry name="default">
<interval>3</interval>
<threshold>5</threshold>
<action>wait-recover</action>
</entry>
</monitor-profile>
</profiles>
<ike>
<crypto-profiles>
<ike-crypto-profiles>
<entry name="default">
<encryption>
<member>aes-128-cbc</member>
<member>3des</member>
</encryption>
<hash>
<member>sha1</member>
</hash>
<dh-group>
<member>group2</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-128">
<encryption>
<member>aes-128-cbc</member>
</encryption>
<hash>
<member>sha256</member>
</hash>
<dh-group>
<member>group19</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-256">
<encryption>
<member>aes-256-cbc</member>
</encryption>
<hash>
<member>sha384</member>
</hash>
<dh-group>
<member>group20</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
</ike-crypto-profiles>
<ipsec-crypto-profiles>
<entry name="default">
<esp>
<encryption>
<member>aes-128-cbc</member>
<member>3des</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</esp>
<dh-group>group2</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-128">
<esp>
<encryption>
<member>aes-128-gcm</member>
</encryption>
<authentication>
<member>none</member>
</authentication>
</esp>
<dh-group>group19</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-256">
<esp>
<encryption>
<member>aes-256-gcm</member>
</encryption>
<authentication>
<member>none</member>
</authentication>
</esp>
<dh-group>group20</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
</ipsec-crypto-profiles>
<global-protect-app-crypto-profiles>
<entry name="default">
<encryption>
<member>aes-128-cbc</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</entry>
</global-protect-app-crypto-profiles>
</crypto-profiles>
</ike>
<qos>
<profile>
<entry name="default">
<class-bandwidth-type>
<mbps>
<class>
<entry name="class1">
<priority>real-time</priority>
</entry>
<entry name="class2">
<priority>high</priority>
</entry>
<entry name="class3">
<priority>high</priority>
</entry>
<entry name="class4">
<priority>medium</priority>
</entry>
<entry name="class5">
<priority>medium</priority>
</entry>
<entry name="class6">
<priority>low</priority>
</entry>
<entry name="class7">
<priority>low</priority>
</entry>
<entry name="class8">
<priority>low</priority>
</entry>
</class>
</mbps>
</class-bandwidth-type>
</entry>
</profile>
</qos>
<virtual-router>
<entry name="default">
<protocol>
<bgp>
<enable>no</enable>
<dampening-profile>
<entry name="default">
<cutoff>1.25</cutoff>
<reuse>0.5</reuse>
<max-hold-time>900</max-hold-time>
<decay-half-life-reachable>300</decay-half-life-reachable>
<decay-half-life-unreachable>900</decay-half-life-unreachable>
<enable>yes</enable>
</entry>
</dampening-profile>
<routing-options>
<graceful-restart>
<enable>yes</enable>
</graceful-restart>
</routing-options>
</bgp>
<rip>
<enable>no</enable>
</rip>
<ospf>
<enable>no</enable>
</ospf>
<ospfv3>
<enable>no</enable>
</ospfv3>
</protocol>
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
</interface>
<ecmp>
<algorithm>
<ip-modulo/>
</algorithm>
</ecmp>
<routing-table>
<ip>
<static-route>
<entry name="appgw">
<nexthop>
<ip-address>192.168.1.1</ip-address>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<interface>ethernet1/1</interface>
<metric>10</metric>
<destination>0.0.0.0/0</destination>
</entry>
<entry name="webBackendSubnet">
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<nexthop>
<ip-address>192.168.2.1</ip-address>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<interface>ethernet1/2</interface>
<metric>10</metric>
<destination>192.168.4.0/24</destination>
<route-table>
<unicast/>
</route-table>
</entry>
</static-route>
</ip>
</routing-table>
</entry>
</virtual-router>
</network>
<deviceconfig>
<system>
<update-server>updates.paloaltonetworks.com</update-server>
<update-schedule>
<threats>
<recurring>
<weekly>
<day-of-week>wednesday</day-of-week>
<at>01:02</at>
<action>download-only</action>
</weekly>
</recurring>
</threats>
</update-schedule>
<timezone>US/Pacific</timezone>
<service>
<disable-telnet>yes</disable-telnet>
<disable-http>yes</disable-http>
</service>
<type>
<dhcp-client>
<send-hostname>yes</send-hostname>
<send-client-id>no</send-client-id>
<accept-dhcp-hostname>no</accept-dhcp-hostname>
<accept-dhcp-domain>no</accept-dhcp-domain>
</dhcp-client>
</type>
<server-verification>yes</server-verification>
</system>
<setting>
<config>
<rematch>yes</rematch>
</config>
</setting>
</deviceconfig>
<vsys>
<entry name="vsys1">
<application/>
<application-group/>
<zone>
<entry name="untrust">
<network>
<layer3>
<member>ethernet1/1</member>
</layer3>
</network>
</entry>
<entry name="trust">
<network>
<layer3>
<member>ethernet1/2</member>
</layer3>
</network>
</entry>
</zone>
<service/>
<service-group/>
<schedule/>
<rulebase>
<security>
<rules>
<entry name="allow_http" uuid="17016239-fae2-4aa4-b23f-50a8cfea0f41">
<to>
<member>any</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>any</member>
</destination>
<source-user>
<member>any</member>
</source-user>
<category>
<member>any</member>
</category>
<application>
<member>any</member>
</application>
<service>
<member>service-http</member>
</service>
<hip-profiles>
<member>any</member>
</hip-profiles>
<action>allow</action>
</entry>
<entry name="deny_all" uuid="ba84cbca-aa47-486f-ba47-2bdf7476cf26">
<to>
<member>any</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>any</member>
</destination>
<source-user>
<member>any</member>
</source-user>
<category>
<member>any</member>
</category>
<application>
<member>any</member>
</application>
<service>
<member>any</member>
</service>
<hip-profiles>
<member>any</member>
</hip-profiles>
<action>deny</action>
<log-start>yes</log-start>
</entry>
</rules>
</security>
<nat>
<rules>
<entry name="ilb" uuid="d6b8a22c-a8e9-45cb-9ed2-6cfdf3b43040">
<source-translation>
<dynamic-ip-and-port>
<interface-address>
<interface>ethernet1/2</interface>
</interface-address>
</dynamic-ip-and-port>
</source-translation>
<to>
<member>untrust</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>firewall-untrust-IP</member>
</destination>
<destination-translation>
<translated-address>internal-load-balancer-IP</translated-address>
</destination-translation>
<service>any</service>
</entry>
</rules>
</nat>
</rulebase>
<import>
<network>
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
</interface>
</network>
</import>
<address>
<entry name="firewall-untrust-IP">
<ip-netmask>192.168.1.4</ip-netmask>
</entry>
<entry name="internal-load-balancer-IP">
<ip-netmask>192.168.2.6</ip-netmask>
</entry>
</address>
</entry>
</vsys>
</entry>
</devices>
</config>

appgwUpdated.txt

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!