Register and activate licenses in Palo Alto firewall

Register the Firewall

STEP 1 Log in to the web interface of the firewall (https://<IP address>)
STEP 2 copy serial number of device from the General Information section of the Dashboard screen

STEP 3 Go to
STEP 4 Register and verify the email 

Note : To register, you must provide your sales order number or customer ID, and the serial number of your firewall (which you can paste from your clipboard) or the authorization code you received with your order. You will also be prompted to set up a username and password for access to the Palo Alto Networks support community.
STEP 5 : Once email is verified,login to using the email address and password
STEP 6 : You will be prompted to choose two security questions and answers to use if you forget the password.
STEP 7 : Register new device by going to Asset tab > Devices > Register new device and fill the details needed

Activate Licenses and Subscriptions

STEP 1 : Locate the activation codes for the licenses you purchased from the registered email address you have provided while purchasing device.If you cannot locate this email, contact customer support to obtain your activation codes before you proceed.
STEP 2 : Launch the web interface and go to Device > Licenses
STEP 3 : Activate each license you purchased either by following method
Retrieve license keys from license server —Use this option if you activated your license on the support portal. 

Activate feature using authorization code —Use this option to enable purchased subscriptions using an authorization code for licenses that have not been previously activated on the support portal. When prompted, enter the Authorization Code and then click OK.

Manually upload license key —Use this option if your device does not connected to internet. In this case, you must download a license key file from the support site on an Internet connected computer and then upload to the device.
STEP 4 : Verify that the license was successfully activated from Device > Licenses .You can see the issue and expiry date of the licenses here once its activated
STEP 5 : (WildFire subscriptions only) Perform a commit to complete WildFire subscription activation.


Different types of Attacks in Network security

Denial-of-Service (DoS) Attacks
A DoS attack focuses on disrupting the service to a network. Attackers send high volumes of data or traffic through the network until the network becomes overloaded and can no longer function.

Distributed-denial-of-service (DDoS) attack. This involves the attacker using multiple computers to send the traffic or data that will overload the system. In many instances, a person may not even realize that his or her computer has been hijacked and is contributing to the DDoS attack.

 An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.

MiTM (Man in the middle) attacks
The man-in-the middle attack intercepts a communication between two systems. In this attack an hacker captures data from middle of transmission and changes it, then send it again to the destination. Receiving person thinks that this message came from original source and reply back 

Brute force attack is a trial and error method used by application programs to decode encrypted data such as passwords or PIN .Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security. A brute force attack may also be referred to as brute force cracking.

Spoof attack
In this kind of attack an hacker changes the sources address of packet so receiver assumes that packet comes from someone else. This technique is typically used to bypass the firewall rules.

Ping sweep attack
In this attack an attacker pings all possible IP addresses on a subnet to find out which hosts are up. Once he finds an up system, he tries to scan the listening ports. From listing ports he can learn about the type of services running on that system. Once he figures out the services, he can try to exploit the vulnerabilities associated with those services.

Phishing Attack
In this attack an hacker creates fake email address or website which looks like a reputed mail address or popular site. These emails contain convincing message, some time with a link that leads to a fake site. This fake site looks exactly same as original site. Without knowing the truth user tries to log on with their account information, hacker records this authentication information and uses it on real site.

Passive attack
In this attack an hacker deploys a sniffer tool and waits for sensitive information to be captured. This information can be used for other types of attacks. It includes packet sniffer tools, traffic analysis software, filtering clear text passwords from unencrypted traffic and seeking authentication information from unprotected communication. Once an hacker found  information he needed, it will be used without the knowledge of the user.

Active Attack
In this attack an hacker does not wait for any sensitive or authentication information. He actively tries to break or bypass the secured systems. It includes viruses, worms, trojan horses, stealing login information, inserting malicious code and penetrating network backbone. Active attacks are the most dangerous in natures. It results in disclosing sensitive information, modification of data or complete data lost.

BlackNurse attack or the low-rate "Ping of Death" attack, the technique can be used to launch several low-volume DoS attacks by sending specially formed Internet Control Message Protocol (ICMP) packets, or 'pings' that overwhelm the processors on server protected by firewalls from Cisco, Palo Alto Networks, among others. 

Above list is not a complete .This will be updating periodically....Please let me know if i miss anything important

Reset admin password in Cisco ISE in CLI (Vmware)

There will be occasions that you forget the admin password or you got locked out and the only option option left is to reset the admin password.Follow below steps to reset your password 

NOTE : Below steps were tried on ISE 1.3

Recommended : For safety I prefer to take a VM snapshot before proceeding.

To take a Snapshot in the vSphere Client

1. Right click on the  Virtual Machine and choose option  Snapshot > Take Snapshot.
2. Type a name for the snapshot.
3. Type a description for the snapshot.
Adding a date and time or a description, for example, "Snapshot before applying XYZ patch," can help you determine which snapshot to restore or delete.
4.Click OK

Revert to a Snapshot in the vSphere Client

1.Right-click a virtual machine in the vSphere Client inventory and select Revert to Current Snapshot.

Password Recovery for ISE virtual machine

Step 1. Download  the ISO file of the current ISE version form Cisco software download site and upload it to the virtual machine's datastore.
Step 2. Power off  the virtual machine.
Step 3. Right Click ISE VM from the list and select Edit settings.
Step 4. In the virtual Machine properties window, navigate to  Hardware > CD/DVD, then select option Datastore ISO file and click on browse to the ISE version ISO under datastore ISO file.
Step 5. Click Connect At Power On  option.
Step 6. Navigate to Options tab in the same virtual machine properties window> go to Boot options, enable the option for FORCE BIOS Setup [The next time the virtual machine boots,force entry to bios setup screen and Click Ok. [Or you can press F2 or F12 continously while booting]
Step 7. Power on the VM and open VM console.
Step 8. You get a BIOS prompt.
Step 9. Change the order of CD-ROM Drive to be before the hard drive. [You can change the setting using + or - keys] and hit F10 to save the settings 

Step 10. On the next screen you get the options, as shown in this image.
Step 11. Select Option 3. You are prompted on this screen.

Select Option 1 for username admin and enter new password.

After successful password reset. it redirects you to the prompt shown in Step 10
Step 12. Click Enter in order to boot the ISE from existing hard disk.
Step 13. (Optional). You can redo steps 6-8  in order to restore the boot order to the hard drive as first option after successful password recovery in order to avoid  entering the  admin password recovery prompt every time a user access ISE VM console.

While doing the password recovery once we faced a situation that we didnt see the option to in step 11 [Select Option 1 for username admin and enter new password.].We tried to reboot again and was not getting option to reset admin password.Instead of that it was asking to set a new username and password.Even you enter a new username and password ,ISE used to get stuck in the loading screen in VMconsole.We restored the VMsnapshot and did the steps as per the procedure and we were able to 

Short note on basic Cisco ISE (Identity Services Engine) Features

Cisco ISE (Identity Services Engine) is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices.Cisco ISE Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance

Identity-Based Network Access

The Cisco ISE solution provides context-aware identity management in the following areas:
• Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
• Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
• Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role,location, device type, and so on).
• Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.

Basic User Authentication and Authorization

User authentication policies in Cisco ISE enable you to provide authentication for a number of user login session types using a variety of standard authentication protocols including, but not limited to, Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Protected Extensible Authentication Protocol (PEAP), and Extensible Authentication Protocol (EAP). Cisco ISE specifies the allowable protocol(s) that are available to the network devices on which the user tries to authenticate and specifies the identity sources from which user authentication is validated.

Cisco ISE supports 802.1X, MAC authentication bypass (MAB), and browser-based Web authentication login for basic user authentication and access via both wired and wireless networks.

Client Posture Assessment

To ensure that the imposed network security measures remain relevant and effective, Cisco ISE enables you to validate and maintain security capabilities on any client machine that accesses the protected network. By employing posture policies that are designed to ensure that the most up-to-date security settings or applications are available on client machines, the Cisco ISE administrator can ensure that any client machine that accesses the network meets, and continues to meet, the defined security standards for enterprise network access.

Posture assessment and compliance occurs using one of the following agent types available in Cisco ISE:
Cisco NAC Web Agent—A temporal agent that the users install on their system at the time of login and that is no longer visible on the client machine once the login session terminates.
Cisco NAC Agent—A persistent agent that, once installed, remains on a Windows or Mac OS X client machine to perform all security compliance functions.
AnyConnect ISE Agent — A persistent agent that can be installed on Windows or Mac OS X client to perform posture compliance functions.

Profiled Endpoints on the Network

The Profiler service assists in identifying, locating, and determining the capabilities of all endpoints on your network (known as identities in Cisco ISE), regardless of their device types, to ensure and maintain appropriate access to your enterprise network. The Cisco ISE Profiler function uses a number of probes to collect attributes for all endpoints on your network, and pass them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups.

The Profiler Feed service allows administrators to retrieve new and updated endpoint profiling policies and the updated OUI database as a feed from a designated Cisco feed server through a subscription in to Cisco ISE.

Short note on Cisco Trustsec

Cisco TrustSec provides security improvements to Cisco network devices based on the capability to strongly identify users, hosts, and network devices within a network. TrustSec provides topology-independent and scalable access controls by uniquely classifying data traffic for a particular role. 

The Cisco TrustSec solution establishes clouds of trusted network devices to build secure networks. Each device in the Cisco TrustSec cloud is authenticated by its neighbors (peers). Communication between the devices in the TrustSec cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. 

The key component of Cisco TrustSec is the Cisco Identity Services Engine (ISE). Cisco ISE can provision switches with TrustSec Identities and Security Group ACLs (SGACLs), though these may be configured manually on the switch.

Familiar with Trustsec terms

802.1AE Tagging (MACsec) - Protocol for IEEE 802.1AE-based wire-rate hop-to-hop Layer 2 encryption.Between MACsec-capable devices, packets are encrypted on egress from the transmitting device,decrypted on ingress to the receiving device, and in the clear within the devices.This feature is only available between TrustSec hardware-capable devices.

Endpoint Admission Control (EAC) - EAC is an authentication processfor an endpoint user or a device connecting to the TrustSec domain.Usually EAC takes place at the access level switch.Successful authentication and authorization in the EAC process results in Security Group Tag assignment for the user or device. Currently EAC can be 802.1X, MAC Authentication Bypass(MAB), and Web Authentication Proxy (WebAuth).

Network Device Admission Control (NDAC) - NDAC is an authentication process where each network device in the TrustSec domain can verify the credentials and trustworthiness of its peer device.NDAC utilizes an authentication framework based on IEEE 802.1X port-based authentication and uses EAP-FAST as its EAP method. Successful authentication and authorization in NDAC process results in Security Association Protocol negotiation for IEEE 802.1AE encryption 

Security Group Access Control List (SGACL) - A Security Group Access Control List (SGACL) associates a Security Group Tag with a policy. The policy is enforced uponSGT-tagged traffic egressing the TrustSec domain.

Security Association Protocol (SAP) - After NDAC authentication, the Security Association Protocol (SAP) automatically negotiates keys and the cipher suite for subsequent MACSec link encryption between TrustSec peers. SAP is defined in IEEE 802.11i.

Security Group Tag (SGT) - An SGT is a 16-bit single label indicating the security classification of a source in the TrustSec domain. It is appended to an Ethernet frame or an IP packet.

SGT Exchange Protocol (SXP) - Security Group Tag Exchange Protocol (SXP). With SXP, devicesthat are not TrustSec-hardware-capable can receive SGT attributes for authenticated users and devices from the Cisco Identity Services Engine (ISE) or the Cisco Secure Access Control System (ACS). The devices can then forward a sourceIP-to-SGT binding to a TrustSec-hardware-capable device will tag the source traffic for SGACL enforcement.

Points to Remember

  • Trustsec is a context based firewall or access control solution.Classification of system or users based on the context [users,user groups ,role of the user etc]
  • Key function of Trustsec is Classify , Propagate , Enforce 
  • Classification can be done Dynamically or statically .Need to keep in mind that NOT all platform support all types of static classification. It is  very important to verify support on hardware and software.
  • SGT information is carried in 802.1AE
  • A Cisco TrustSec-capable device that is directly connected to the authentication server, or indirectly connected but is the first device to begin the TrustSec domain, is called the seed device. Other Cisco TrustSec network devices are non-seed devices.
  • To prevent confidentiality and integrity there will be Hop by Hop encryption by 802.1AE
  • Packets are encrypted in Ingress and decrypted in Egress
  • Security Group Access Control List (SGACL) - This SGACL is not using IP addresses

Main 3 components of Cisco Trustsec are 

  • Authentication - Identify and access privileges
  • Secure Communication - Data is transferred by secure link level encryption with 802.1AE 
  • SGACL - SGACL enforces security policies before allowing endpoint access to resources

All the devices in Trustsec domain need to get authenticated itself in the Trustsec network.This will help to keep away unauthenticated devices getting network access.This is done by using
Security Group tag (SGT) 

- SGT uses a 16 bit tag for each individual role and device connected to a Trustsec domain. This Tag represent the privilege level across the entire domain
- SGT is added to packet header at the ingress point of the trustsec domain and SGT tag carry information that is used to endpoint access privilege 
- SGT will be adding to the packet at the time of authorization process when endpoint using 802.1x method to get authenticated to the network 
- SGT will be passed to a switch dynamically and later will be authenticated based on MAB /Web Auth/802.1x
- SGT will dynamically automate the process of network wired policy deployment and enforcement