Defaults from Iron Skillet for WF sizes don't match best practices

Here's an output from a BPA from a firewall that's a fresh config and has had Iron Skillet applied (including the items that are correct):

Archive File Size Limit (Fail): It is recommended to set the file size limit for "archive" to a value of 50
Flash File Size Limit (Pass)
Jar File Size Limit (Pass)
Linux File Size Limit (Fail): It is recommended to set the file size limit for "linux" to a value of 50
MacOSX File Size Limit (Fail): It is recommended to set the file size limit for "MacOSX" to a value of 10
MS Office File Size Limit (Fail): It is recommended to set the file size limit for "ms-office" to a value of 16384
PDF File Size Limit (Fail): It is recommended to set the file size limit for "pdf" to a value of 3072
PE File Size Limit (Fail): It is recommended to set the file size limit for "pe" to a value of 16
Report Grayware Files Enabled (Pass)
Session Information Settings (Pass)

does this work?

Please update Panhandler to add support for PAN-OS 10.1.

the zone protection snippet is set up like so:

<flood>
    <tcp-syn>
      <red>
        <alarm-rate>10000</alarm-rate>
        <activate-rate>10000</activate-rate>
        <maximal-rate>40000</maximal-rate>
      </red>
      <enable>no</enable>

since these settings are default (untuned rates and disabled protection) with only a few protections enabled (scanning + spoofing), I would like to propose renaming the profile to 'NeedsTuning" or "unconfigured', so a novice user does not implement the profile assuming this is Recommended (this snippet is also used in Day1 which is intended for novice users)

The file iron_skillet_panos_full.conf in the branch https://github.com/PaloAltoNetworks/iron-skillet/tree/panos_v9.1/loadable_configs/sample-mgmt-static/panos contains several configuration commands for a management interface with a dynamic address, not a static address.

See lines 56-59 in that file, which all begin with "set deviceconfig system type dhcp-client"

Expected behavior

Configuration commands for dynamic management addresses should be in the sample-mgmt-dhcp files, not the sample-mgmt-static files.

Current behavior

The loadable configs for sample-mgmt-static contain commands related to dynamic management addresses.

Possible solution

Remove inapplicable commands from scenario-based configuration files, or replace them with scenario-specific commands.

Your Environment

• Version used: PAN-OS v9.1

The BPA tool wants a setting specified for the GP Clientless VPN dynamic update time. Propose adding the following where appropriate:

            <global-protect-clientless-vpn>
              <recurring>
                <hourly>
                  <at>36</at>
                  <action>download-and-install</action>
                </hourly>
              </recurring>
            </global-protect-clientless-vpn>

This is blank without a reference IP-Tag event template setting. May be newer for 9.x releases and missed when upgraded from the 8.x config templates

Describe the bug

Running build_all.sh results in errors.

Expected behavior

The build should run error-free.

Current behavior

Affects Panhandler: PaloAltoNetworks/panhandler#231
Build_All.sh_output.txt

Possible solution

This appears to be the first line of code that returns an error:

sli -sd ../../ rollup_playlist -n ironskillet_panos_10_1 ../templates/panos/snippets/.meta-cnc.yaml
Invalid action, run "sli --help" for list of available actions

Steps to reproduce

git clone https://github.com/PaloAltoNetworks/iron-skillet.git
./build_all.sh

Screenshots

Build_All.sh_output.txt

Context

I can't run panhandler to generate a day one config

Your Environment

Ran in multiple environments - Linux OSes, Docker etc. All return the same result.

The predefined PAN Bulletproof IP EDL Should be added to the Inbound and Outbound block rules.

include the admin lockout configuration as part of the day 1

NAME: Failed Attempts / Lockout Time / Idle Timeout / Acquire Commit Lock
PATH: <config urldb="paloaltonetworks" version="VERSION"><devices><entry name="localhost.localdomain"><template><entry name="iron-skillet"><config><devices><entry name="localhost.localdomain"><deviceconfig><setting><management>
PATH: <config urldb="paloaltonetworks" version="VERSION"><devices><entry><deviceconfig><setting><management>


XML:
  <admin-lockout>
    <failed-attempts>5</failed-attempts>
    <lockout-time>30</lockout-time>
  </admin-lockout>
  <idle-timeout>10</idle-timeout>
  <auto-acquire-commit-lock>yes</auto-acquire-commit-lock>

The BPA tool shows that a minimum password complexity should be set. I propose adding the following to the appropriate place:

    <password-complexity>
      <enabled>yes</enabled>
      <minimum-length>8</minimum-length>
      <minimum-uppercase-letters>1</minimum-uppercase-letters>
      <minimum-lowercase-letters>1</minimum-lowercase-letters>
      <minimum-numeric-letters>1</minimum-numeric-letters>
      <minimum-special-characters>1</minimum-special-characters>
      <block-username-inclusion>yes</block-username-inclusion>
    </password-complexity>

Currently not clear how to get started with zero python skills, docker containers, etc.

Should purely be a documentation fix

Testing if issues are sent to the team.

Hi, I am getting the followoing errors when trying to run the script. I tried on different platforms.
$ python3 ./build_my_configs.py
Traceback (most recent call last):
File "./build_my_configs.py", line 39, in
from passlib.hash import des_crypt
ModuleNotFoundError: No module named 'passlib'

debug.txt

Describe the bug

Expected behavior

Current behavior

Possible solution

Steps to reproduce

Screenshots

Context

Your Environment

• Version used:
• Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3):
• Operating System and version (desktop or mobile):
• Link to your project:

The BPA tool wants to add the following categories as block categories. Propose adding the following categories to the block list:

copyright-infringement
dynamic-dns
extremism
parked
proxy-avoidance-and-anonymizers
unknown

The BPA tool doesn't call these out as necessary. Can they be removed from the baseline? If not, potentially include a variable that allows their exclusion?

Panhandler displays "This skillet does a full NGFW validation of IronSkillet day one configuration - panos v10.0" in the initial skillet selection page.

After the assessment is run, Panhandler displays "PAN-OS 9.x" on the results page.

This is with Panhandler version 4.4 2021-05-20T15:24:19, running against a PA-220 with PAN-OS 10.1.0

Screenshots attached.

• Version used: Version: 4.4 2021-05-20T15:24:19

Describe the bug

Default value in iron_skillet_panos_full.xlsx is wrong for sinkhole (11.0 branch)

Expected behavior

The set commands in Excel should work out of the box if i want to use PaloAlto Sinkhole.

Current behavior

Now I get commit error on Spyware. Invalid ipv4-address for sinkhole.

Possible solution

Change row B12 "sinkhole.paloaltonetworks.com" to "pan-sinkhole-default-ip"
With correct default value the commit works

Steps to reproduce

1. Download Excel file iron_skillet_panos_full.xlsx
2. Copy row 205 to 388 and paste it into firewall ssh session.
3. Commit FW and check for warning on the commit.

Context

Want Iron-Skillet to be as ready as possible out of the box, more easy to use.

Your Environment

• Version used: 11.1.2-H3
• Environment name and version Microsoft Edge 123
• Operating System and version (desktop or mobile): Windows 11 Desktop

Somehow the config template is using 'Panorama' as the email display name instead of Threat Alerts

Previously there was a custom report created for potentially compromised machines as well as an email scheduler created. I'm not seeing those created. Is that on purpose?

Hi,

I test right now your iron skillet full xml file for Azure and AWS in Automation Tool (FCA). I figured out that the xml file will override from every Firewall the Device Name to"sample".

</ntp-servers> <login-banner>You have accessed a protected system. Log off immediately if you are not an authorized user.</login-banner> <timezone>UTC</timezone> **<hostname>sample</hostname>** <type>

https://github.com/PaloAltoNetworks/iron-skillet/blob/panos_v8.1/loadable_configs/sample-cloud-Azure/panos/iron_skillet_panos_full.xml

Is there really a need that the Iron Skillet is overriding the Device hostname? Then this occurs many issues for us in the FCA tool.

Regards,

Torsten

Describe the bug

One of the tests in the "IronSkillet - check NGFW config for updated v10.1 elements" skillet is for the SSL Decryption protocol version.

The text in the test result is a clickable hyperlink which takes the user to some online documentation, but the wrong documentation.

It takes the user to https://iron-skillet.readthedocs.io/en/docs_master/viz_guide_panos.html#url-filtering

It should take the user to https://iron-skillet.readthedocs.io/en/docs_master/viz_guide_panos.html#decryption-profile

• Version used: 4.5 2021-06-11T19:29:39 / the latest 10.1 skillets pulled down at the time of submitting this issue.

If using the provided sample .conf files to apply configuration selectively, the administrator may be tripped up by the sinkhole configuration lines.

These files:

• loadable_configs\sample-cloud-AWS\panos\iron_skillet_panos_full.conf
• loadable_configs\sample-cloud-Azure\panos\iron_skillet_panos_full.conf
• loadable_configs\sample-cloud-GCP\panos\iron_skillet_panos_full.conf
• loadable_configs\sample-mgmt-dhcp\panos\iron_skillet_panos_full.conf
• loadable_configs\sample-mgmt-static\panos\iron_skillet_panos_full.conf

All contain the line:

• set address Sinkhole-IPv4 ip-netmask sinkhole.paloaltonetworks.com

However (on a PA-220 running 9.0.3-h3 - I don't know if the same occurs on other models and software releases)...

# set address Sinkhole-IPv4 ip-netmask sinkhole.paloaltonetworks.com
sinkhole.paloaltonetworks.com is not a valid IPV4/V6 address-netmask.

Invalid syntax.
[edit]

Instead...

# set address Sinkhole-IPv4 fqdn sinkhole.paloaltonetworks.com

[edit]

The BPA tool wants a setting specified for the GP Data File dynamic update time. Propose adding the following where appropriate:

            <global-protect-datafile>
              <recurring>
                <hourly>
                  <at>26</at>
                  <action>download-and-install</action>
                </hourly>
              </recurring>
            </global-protect-datafile>

proposal to remove or continue to make optional due to bootstrap and no content update issues. This is a recommended best practice yet tricky based on workflow order used to boot a firewall, apply a config, apply content updates

Now that 9.1.0 is out, will iron-skillet be updated to accommodate the new release?

off of GP - what happens?

Now that 10.0.0 is out, will iron-skillet be updated to accommodate the new release?

When using the panos_v9.0 branch and after running "python3 create_loadable_configs.py", the produced iron_skillet_panos_full.conf says this on line 1:

# set command configuration for panos version 8.1

It should say:

# set command configuration for panos version 9.0

Describe the bug

The firewall's SSL decryption policy has the SSL Protocol Max Version set to "Max".

Panhandler reports this as a failure; from observation it appears to be explicitly expecting "TLSv1.3".

This is with Panhandler version 4.4 2021-05-20T15:24:19, running against a PA-220 with PAN-OS 10.1.0

Screenshots attached.

• Version used: 4.4 2021-05-20T15:24:19

Per NIST guidelines (https://pages.nist.gov/800-63-FAQ/#q-b05), expiring passwords are no longer recommended. I propose setting password expiration to zero in the password complexity settings. Not sure if it defaults to zero or if you need something like this:

<password-complexity>
      <password-change>
        <expiration-period>0</expiration-period>
      </password-change>
</password-complexity>

If this change isn't palletable then I propose adding password expiration change warning to the password requirements as right now that is set to zero (I believe by default). Which means that passwords expire without warning.

content release updates will add the 2 new categories that by default show up as 'allow' and won't be blocked/alerted or logged.

Recommendation to add grayware as blocked and cryptcurrency to alert.

Describe the bug

The file iron-skillet-panos_v10.1\loadable_configs\sample-mgmt-dhcp\panos\iron_skillet_panos_full.conf contains some lines (6-12) relating to a static IP configuration.

The file iron-skillet-panos_v10.1\loadable_configs\sample-mgmt-static\panos\iron_skillet_panos_full.conf contains some lines (14-18) relating to a DHCP configuration.

Expected behavior

The loadable_configs files should contain only commands specific to their intended scenarios.

Current behavior

The loadable_configs files contain extra commands unrelated to their intended scenarios.

• Version used: 10.1, latest available commit downloaded today

Describe the bug

Similar to #118 Panhandler appears to be looking for a single specific value for a setting, where more than one value may be appropriate.

Panhandler reports a failure if the firewall's timezone is not "UTC". However, many systems use the recognised standard "Etc/UTC", which is also supported by PAN-OS.

See ftp://ftp.iana.org/tz/data/ for further details on the available timezone names in the tz database

Expected behavior

Panhandler / Iron Skillet should allow for multiple equivalent values, where appropriate.

Current behavior

Panhandler / Iron Skillet checks for a single specific value.

Possible solution

Suggest updating Panhandler / Iron Skillet to accommodate multiple equally-valid options for the time zone.

Steps to reproduce

1. Set the firewall's timezone to Etc/UTC.
2. Run an Iron Skillet check against the firewall
3. Observe the timezone failure in the report.

Screenshots

Firewall:

Panhandler:

Your Environment

• Version used: Panhandler 4.5 2021-06-11T19:29:39 // Iron Skillet v10.1 updated 2021-07-06 20:55

Regardless of the "INCLUDE_PAN_EDL" setting, the PAN EDLs are not included in the security policies.

The BPA tool wants a value for new app threshold. Propose adding the following where appropriate:

<new-app-threshold>12</new-app-threshold>

On some platforms the following error is thrown upon list download:

Warning: EDL(Team Cymru Bogons IPv6) Exceeded maximum number of ips at line 46960

Just want to put it out there to brainstorm ways around this. Perhaps don't include the IPv6 in the default block rules? Open to thoughts...

Hi - I generated an iron_skillet config using the tool and when I try to load it to the FW, it complains

Config loaded from iron_skillet_day1_template.xml
deviceconfig -> setting -> ctd -> allow-http-range unexpected here. Discarding.

Thanks,
Natasha

This issue was opened by a bot called Community Health (PANW) because this repo has failed too many community health checks.

Repo maintainers: Please take the time to fix the issues in the table to reach the target score. These improvements will help others find your work and contribute to it. This issue will update as your score improves until it hits the target score.

Click More info for instructions to fix each item.

Current score: 90
Target threshold: 100
Total possible: 110

changed since 8.1

The white-list category should be alert rather than allow.

The BPA tool wants the zone protection profile to not use default values. Is it possible to change the default values slightly? Propose adding the following where appropriate:

          <zone-protection-profile>
            <entry name="Recommended_Zone_Protection">
              <flood>
                <tcp-syn>
                  <red>
                    <alarm-rate>10001</alarm-rate>
                    <activate-rate>10001</activate-rate>
                    <maximal-rate>40001</maximal-rate>
                  </red>
                  <enable>yes</enable>
                </tcp-syn>
                <icmp>
                  <red>
                    <alarm-rate>10001</alarm-rate>
                    <activate-rate>10001</activate-rate>
                    <maximal-rate>40001</maximal-rate>
                  </red>
                  <enable>yes</enable>
                </icmp>
                <icmpv6>
                  <red>
                    <alarm-rate>10001</alarm-rate>
                    <activate-rate>10001</activate-rate>
                    <maximal-rate>40001</maximal-rate>
                  </red>
                  <enable>yes</enable>
                </icmpv6>
                <other-ip>
                  <red>
                    <alarm-rate>10001</alarm-rate>
                    <activate-rate>10001</activate-rate>
                    <maximal-rate>40001</maximal-rate>
                  </red>
                  <enable>yes</enable>
                </other-ip>
                <udp>
                  <red>
                    <alarm-rate>10001</alarm-rate>
                    <activate-rate>10001</activate-rate>
                    <maximal-rate>40001</maximal-rate>
                  </red>
                  <enable>yes</enable>
                </udp>
              </flood>
              <scan>
                <entry name="8001">
                  <action>
                    <alert/>
                  </action>
                  <interval>2</interval>
                  <threshold>100</threshold>
                </entry>
                <entry name="8002">
                  <action>
                    <alert/>
                  </action>
                  <interval>10</interval>
                  <threshold>100</threshold>
                </entry>
                <entry name="8003">
                  <action>
                    <alert/>
                  </action>
                  <interval>2</interval>
                  <threshold>100</threshold>
                </entry>
              </scan>
              <discard-ip-spoof>yes</discard-ip-spoof>
              <discard-malformed-option>yes</discard-malformed-option>
              <remove-tcp-timestamp>yes</remove-tcp-timestamp>
              <strip-tcp-fast-open-and-data>no</strip-tcp-fast-open-and-data>
              <strip-mptcp-option>global</strip-mptcp-option>
              <discard-overlapping-tcp-segment-mismatch>yes</discard-overlapping-tcp-segment-mismatch>
            </entry>
          </zone-protection-profile>