Category Archives: How To
Palo Alto Networks Global Protect check Script

I had a customer that wanted to make sure that the Global Protect Client was installed on every windows machine on their domain. To fill this need I created a Power Shell script that scans a list of ip subnets from a text file determines what hosts are up and then checks these hosts for a Global Protect installation by looking for a specific file.

Keep in mind I am not a Power Shell guru (lots of google searching when creating this) so I am sure there are many enhancements that can be made such as multi thread and the like. At any rate hopefully someone else can make use of this. Use at your own risk.

 

#
# 2015-04-06 GP-scan.ps1
# disclaimer I am not a powershell expert just hacked this together to meet the need.
# Script Created by Brian Hitchcock to scan defined network ranges for live hosts then check for GLobal Protect install files.
#
# Script will need to be ran by a user that has permissions to the end machines file system to verify the file is in place.
#
# c:\script\networks.txt File containing /24 networks to check in format 192.168.0 no ending . not extra spaces
# 192.168.0
# 10.10.0.
# c:\script\ips.txt File that is created from ping scan for live hosts. File is over written at each script run

function check-remotefile {

PROCESS {
$file = “\\$_\c$\Program Files\Palo Alto Networks\GlobalProtect\pinfo.dat”
if (test-path $file)
{
write-host “GP installed ” -nonewline
echo $_
}
else
{
write-host “!GP not installed ” -nonewline
echo $_
}
}
}

# Create ips.txt file
echo ” GP-scan by Brian Hitchcock”
echo “Scanning for hosts”
echo ” ” | Out-File c:\script\ips.txt

# loop through networks.txt file do ping scans and write live hosts to ips.txt file
foreach ($network in Get-Content c:\script\networks.txt) {
1..254 | foreach-object { (new-object System.Net.Networkinformation.Ping).Send(“$network.$_”) } | where-object {$_.Status -eq “success”} | select Address | format-table Address -autosize -hidetableheaders | Out-File c:\script\ips.txt -Append
}

# remove blank lines from ips.txt
( Get-Content c:\script\ips.txt ) | Where { $_.Trim(” `t”) } | Set-Content c:\script\ips.txt

echo “Check live hosts for Global Protect”
# check host for Global Protect file
Get-Content c:\script\ips.txt | check-remotefile

 

#####################
Sample run
######################

PS C:\script> .\gp-scan.ps1
GP-scan by Brian Hitchcock
Scanning for hosts
Check live hosts for Global Protect
!GP not installed 192.168.18.1
!GP not installed 192.168.18.2
!GP not installed 192.168.18.3
!GP not installed 192.168.18.4
GP installed 192.168.18.5
!GP not installed 192.168.18.10
!GP not installed 192.168.18.130
!GP not installed 192.168.18.251
!GP not installed 192.168.18.252
!GP not installed 10.20.10.7
!GP not installed 10.20.10.8
!GP not installed 10.20.10.9
!GP not installed 10.20.10.12
!GP not installed 10.20.10.13
!GP not installed 10.20.10.14
!GP not installed 10.20.10.16

 

Import Aruba Networks 802.1x USER-ID to Palo Alto Network via syslog

This document outlines the steps needed to import user-id information from an Aruba Networks controller to a Palo Alto Network firewall directly using syslog.

First step is to setup the Aruba controller to log user login/logout and send to a remote syslog server.

Login to the Aruba Networks Controller Web Interface.

Aruba-login

Click on the Configuration tab and select clock from the left hand menu. Make sure an NTP server is setup for the proper time zone to match the Palo Alto firewall.

Aruba-NTP

Next click the logging menu item on the left hand side. Add a new logging server using the management interface of the Palo Alto Network firewall to receive the User-ID information. Multiple can be added if needed.

aruba-add-SNMP-server

Next click the levels tab. Click the User logs check box, Captive portal and dot1x. Select the informational logging level and click done and apply. Also make sure to save the changes.

Aruba-SNMP-logging-level

Next we want to validate the logging information. To do this access the CLI of the Aruba Networks controller. Via console or SSH. Enter enable mode. Once logged into the controller login to an 802.1x authenticated wireless network then type

show user log 20

You should see logging information similar to below. If you see this info we know proper authentication logging is taking place and the syntax of the log.

Aruba-show-user-log

The Aruba portion of the setup should now be complete. Now login to the Web interface of the Palo Alto Networks firewall.

Once logged in click on the device tab. Then click the setup menu item. Make sure the proper time zone is set under the general settings.

Now click on the Services tab and make sure you are using the same NTP server as the Aruba Networks controller.

Next we will make sure the user-id syslog is allowed on the management interface. Go back to the management tab and select Management interface setting. Make sure USER-ID and USER-ID Syslog Listener-UDP is checked.

[SETTINGS IMAGE]

Now we need to setup the user-id syslog filter. Select the User Identification menu item on the left hand side. Next select the Palo Alto Networks User ID Agent Setup settings and click the Syslog Filters Tab.

[image]

Click add on the bottom to create a new filter. Enter a profile name and description and select Field Identifier. Now based on the log information from the Aruba Networks logs fill out the required boxes. From our log sample we have and event string of Authentication Successful a Username Prefix of username= an address prefix of IP= and the Delimiters are \s

[image]

Click ok twice to return to the main User Mappings tab. Now under Server Monitoring click add. Give the monitor a name such as Aruba controller. Click enable. Select the type of Syslog Sender. Enter the IP address of the Aruba controller under network address. Select the connection type of UDP. Now select the filter you just created and enter the default domain name used.

[image]

Now commit and save your changes.

Next login to the CLI of the Palo Alto Network firewall and type

show user server-monitor state all

You should see auth success messages here when a user connects to an 802.1x SSID.

 

You can also type
show user ip-user-mapping all

And you should see user-id information and SYSLOG in the from field for a successful deployment.