The Palo Alto Networks Next-Generation Firewall (NGFW) enables internal APIs to securely call third-party APIs when deployed as a forward proxy for outbound connections. PAN-OS, the software that runs all Palo Alto Networks next-generation firewalls, enables decryption on the firewalls in order to inspect and control SSL/TLS traffic. Decryption enforces policies on encrypted traffic so that the firewall handles it according to the configured security settings. The PAN NGFW can create a copy of the decrypted traffic and send it to a traffic collection tool such as a Cequence Sensor, which receives the raw packet captures and prepares them for analysis by the Cequence Unified API Protection (UAP) platform. For more information about the decryption capabilities of the Palo Alto Networks Next-Generation Firewalls, see the Palo Alto Networks documentation.
The Cequence UAP platform is a comprehensive solution that protects applications from a wide range of threats, including bot attacks, data loss, fraud, and business disruption. The Cequence UAP platform provides continuous, real-time protection across all phases of the application lifecycle, from discovery and inventory to risk assessment and mitigation. The Cequence UAP platform follows a hub-and-spoke deployment model that centralizes API management and application security controls in a central hub, while spokes handle distributed application traffic. For a detailed overview of the Cequence UAP platform, see the Cequence documentation.
Cequence Unified API Protection integrates passively with the Palo Alto Network Firewall by using a Cequence Sensor, a data plane component, which is deployed as a Docker container on a virtual machine or Linux host connected to one of the firewall interfaces. Passive deployment provides less threat protection than an active (inline) deployment because the Sensor only observes a copy of the traffic, but it adds no latency to application transactions.
The Cequence Sensor is responsible for capturing the traffic mirrored by the Palo Alto Network Firewall and sending it to the Cequence UAP platform for analysis. The Cequence Sensor organizes, filters, and normalizes network packet flow before forwarding the telemetry to the Cequence control plane for analysis.
Prerequisites
Confirm that your environment meets the following prerequisites before beginning the integration process. The integration steps outlined in this document assume that the Palo Alto Network Firewall is deployed as an SSL Forward Proxy.
Palo Alto Network Firewall requirements
- Confirm that you have administrative access to the Palo Alto Network Firewall.
- While the features required are available in PAN-OS 6.x and later, the Cequence integration has been validated with PAN-OS 10.2 and later releases.
- The Palo Alto Network Firewalls use two different certificates for SSL Forward Proxy Decryption, as described below. For more information on the certificates for decryption policies, see the Palo Alto Networks documentation.
  - A Forward Trust Certificate: The certificate the firewall presents to internal servers during decryption if the third-party API host that the internal API is attempting to connect to has a certificate signed by a CA that the firewall trusts. The internal servers must trust this certificate to avoid certificate warnings.
  - A Forward Untrust Certificate: The certificate the firewall presents to internal servers during decryption if the third-party API host that the internal API is attempting to connect to has a certificate signed by a CA that the firewall does not trust.
- While decrypting SSL traffic does not require a license, you must activate a free license in order to enable Decryption Mirroring. For more information on the Decryption Mirroring license, see the Palo Alto Networks documentation.
- Identify the traffic that needs to be decrypted and mirrored to the Cequence Sensor to configure the Decryption Policy rule.
- Confirm that the Palo Alto Network Firewall has enough free CPU resources since decrypting encrypted traffic consumes firewall CPU resources and can affect throughput.
- Confirm that the Palo Alto Network Firewall has a free interface to connect to the Cequence Sensor and mirror the decrypted traffic.
- Review the Decryption deployment best practices checklist published by Palo Alto Networks to follow the recommended procedures.
Known limitations
- Palo Alto Network Firewall SSL Forward Proxy Decryption cannot decrypt sessions with mutual authentication, pinned certificates and unsupported ciphers.
- Palo Alto Network Firewall does not support High Availability (HA) sync for decrypted SSL sessions.
- The Decryption Mirroring feature is not available on the Palo Alto Network Firewall VM-Series for public cloud platforms (AWS, Azure, Google Cloud Platform) and VMware NSX.
- Decryption Mirroring requires the mirroring interface on the Palo Alto Network Firewall to be directly connected to the traffic collector such as the Cequence Sensor.
Cequence UAP platform requirements
- Confirm that the Cequence UAP platform is installed and working properly before proceeding with the integration. On a new install, a member of the Cequence Customer Success team can confirm that the Cequence UAP platform is working properly.
- Confirm that you have access to the credentials for a user account on the Cequence UAP platform that has the privileges to create a client token for traffic ingestion using the User Management menu.
- Gather the following information from the Cequence UAP platform:
  - The client ID and client secret generated for traffic ingestion from the Cequence Sensor.
  - The URLs for the following Cequence UAP endpoints:
    - Edge (typically https://edge.uap.yourdomain.com)
    - Authentication (typically https://auth.uap.yourdomain.com)
    - Policy Engine (typically https://policy-engine.uap.yourdomain.com)
Cequence Sensor requirements
- Identify the deployment method for the Cequence Sensor. The Cequence Sensor can be deployed as a Docker container on a Linux host or as a virtual appliance in VMware.
- Connect the Cequence Sensor host interface that will receive the mirrored traffic to the interface on the Palo Alto Network Firewall that is configured for Decryption Mirroring.
- Confirm that the Cequence Sensor deployment resource prerequisites are met as described for the chosen deployment method.
- The Cequence Sensor container must run as the root user, since it needs elevated privileges to capture traffic from the interfaces it monitors.
- Confirm that the Cequence Sensor can connect to the Cequence UAP platform using the URLs listed in the previous subsection. The Cequence Sensor sends the metadata collected from the captured traffic to the Cequence UAP platform over HTTPS.
Integration Steps
- Depending on the deployment method chosen for the Cequence Sensor, pull the Docker container image or the OVA image from Cequence to the host connected to the Palo Alto Network Firewall.
- Deploy the Cequence Sensor container image on a Linux host or as a VM on a VMware host as outlined in the linked documentation.
- Verify that the Decryption Mirroring license is activated on the Palo Alto Network Firewall. View the license status by navigating to DEVICE > Licenses and check the Decryption Port Mirror panel to confirm that the Active status is set to Yes.
- Enable the Palo Alto Network Firewall to forward decrypted traffic by navigating to DEVICE > Setup > Content-ID and selecting the Allow forwarding of decrypted content checkbox.
- Enable the interface on the Palo Alto Network Firewall connected to the Cequence Sensor for Decryption Mirroring. Navigate to NETWORK > Interfaces > Ethernet tab, select the interface connected to the Cequence Sensor host, and select Decrypt Mirror as the Interface Type.
- Validate that the Palo Alto Network Firewall has a Forward Trust certificate and a Forward Untrust certificate set up. View the certificates by navigating to DEVICE > Certificate Management > Certificates > Device Certificates tab. Instructions on setting up these certificates can be found in the Configure SSL Forward Proxy section of the Palo Alto Networks documentation. As a best practice, use an enterprise CA signed certificate, since other devices on the network and the servers usually have the enterprise CA in their trust stores.
- Create a Decryption Profile to set up the decryption settings and the interface for Decryption Mirroring. To add a new Decryption Profile, navigate to OBJECTS > Decryption > Decryption Profile and select Add at the bottom of the page. To mirror only traffic that the firewall has already forwarded after security policy enforcement, select the Forwarded Only check box. A decryption profile allows you to perform checks on the decrypted traffic as well as exclude certain SSL sessions from decryption (sessions with mutual authentication or pinned certificates). For more information on creating a Decryption Profile, consult the Palo Alto Networks documentation.
- Create a Decryption Policy to define the SSL traffic to be decrypted by the Palo Alto Network Firewall, to enable decryption on the SSL Forward Proxy, and to enforce the Decryption Profile settings on the traffic that matches the policy. To add a new Decryption Policy rule, navigate to POLICIES > Decryption and select Add at the bottom of the page. Select Options to set the Action to Decrypt, the Type to SSL Forward Proxy, and the Decryption Profile to the profile created earlier in this procedure. Detailed instructions on creating a Decryption Policy to match traffic based on network and policy objects can be found in the Palo Alto Networks documentation.
- Save the configuration by selecting Commit at the top right of the UI.
- Confirm that the Cequence Sensor container is capturing the traffic to the applications and sending the traffic to the Cequence UAP platform for analysis.
- Log in to Cequence UAP UI and navigate to Sitemap Discovery under the Threat Protection section on the left navigation pane to check the hosts and endpoints discovered.
- Navigate to Detection under the Threat Protection section on the left navigation pane to check the real-time traffic chart and the analysis of the transactions being sent by the Sensor.
- Navigate to Dashboard under the Runtime Inventory section on the left navigation pane to check the API endpoints discovered and initial analysis of the APIs.
Troubleshooting
If the Cequence UAP UI does not show any traffic in Sitemap Discovery, check the logs of the Cequence Sensor for any errors.
docker exec -it sensor bash
cd sensor-connector/logs
tail -f sensor-connector.log
A working integration produces output similar to the following example:
===========================================================================
2024-07-31T06:39:43.663Z info
==============================connector stats==============================
{}
reader: read: 26, rate: 26, read-queue: length: 0, adds: 0, removes: 0, drops: 0, avg-rec-sz: 0.00kb;
pipeline: sensor-api-edge, received: 26, filtered out: 0, written: 23
datasink: sensor-api-edge, type: http, connected: true, received: 26, written: 23, errors: 0, conn_drops: 0, rate: 23, write_time: 119633us
===========================================================================
If the errors indicate authentication issues, check the client ID and client secret in the config.json file used to launch the Cequence Sensor container.
If there are connectivity errors, check the connectivity to the Cequence UAP platform endpoints from the Cequence Sensor.
If the written counters under datasink are not incrementing, check that the Cequence UAP platform endpoints are configured correctly in the config.json file used to launch the Cequence Sensor container.
If the received counters under datasink are not incrementing, validate that the Cequence Sensor host is receiving the traffic on the interface connected to the Palo Alto Network Firewall by running the following command on the host. Note that this command requires an account on the host with sudo or root privileges.
sudo tcpdump -i <interface-name> tcp port 443
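The counter checks above are easy to misread when the stats block scrolls by every interval. The following script is an added example, not part of the Cequence Sensor or of this guide: it parses the datasink line of two consecutive connector stats blocks from sensor-connector.log and applies the checks in a practical order (connection state, then the error counter, then whether received is moving, since nothing can be written if nothing arrives, and only then written). The log excerpts embedded in the script are constructed in the layout of the sample output above; the datasink name sensor-api-edge comes from that sample, and the one-minute stats interval is an assumption.

```python
"""Classify Cequence Sensor datasink health from two consecutive connector stats blocks.

Added example; not part of the Cequence Sensor. The log layout follows the
sample output in the integration guide; the embedded log excerpts are constructed.
"""
import re
from dataclasses import dataclass

# Matches the datasink line of a stats block, e.g.
# datasink: sensor-api-edge, type: http, connected: true, received: 26, written: 23, ...
DATASINK_RE = re.compile(r"^datasink:\s*(?P<name>[^,]+),\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+):\s*([^,]+)")


@dataclass
class DatasinkStats:
    name: str
    connected: bool
    received: int
    written: int
    errors: int
    conn_drops: int


def parse_datasink_lines(log_text):
    """Return one DatasinkStats per datasink line, in log order."""
    samples = []
    for raw in log_text.splitlines():
        m = DATASINK_RE.match(raw.strip())
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("rest")))
        samples.append(DatasinkStats(
            name=m.group("name").strip(),
            connected=fields.get("connected", "false").strip().lower() == "true",
            received=int(fields["received"]),
            written=int(fields["written"]),
            errors=int(fields.get("errors", "0")),
            conn_drops=int(fields.get("conn_drops", "0")),
        ))
    return samples


def diagnose(prev, curr):
    """Compare two consecutive samples and return (code, finding)."""
    if not curr.connected or curr.conn_drops > prev.conn_drops:
        return ("connectivity", "datasink not connected or conn_drops increased; "
                "check reachability of the UAP Edge, Authentication and Policy Engine URLs from the Sensor")
    if curr.errors > prev.errors:
        return ("errors", "datasink error counter increased; read the surrounding log lines and "
                "check the client ID/secret and endpoint URLs in config.json")
    if curr.received <= prev.received:
        return ("no-input", "datasink 'received' is not incrementing; confirm mirrored traffic "
                "reaches the Sensor interface (tcpdump on the host)")
    if curr.written <= prev.written:
        return ("no-output", "traffic received but 'written' is not incrementing; "
                "check the UAP endpoint URLs in config.json")
    return ("healthy", "datasink received and written counters are both incrementing")


def diagnose_log(log_text):
    """Parse a log excerpt and judge the movement between its last two samples."""
    samples = parse_datasink_lines(log_text)
    if len(samples) < 2:
        return ("insufficient", "need at least two connector stats blocks to judge counter movement")
    return diagnose(samples[-2], samples[-1])


# Constructed stats block in the layout of the guide's sample output.
_BLOCK = """\
===========================================================================
{ts} info
==============================connector stats==============================
{{}}
reader: read: {r}, rate: 26, read-queue: length: 0, adds: 0, removes: 0, drops: 0, avg-rec-sz: 0.00kb;
pipeline: sensor-api-edge, received: {r}, filtered out: 0, written: {w}
datasink: sensor-api-edge, type: http, connected: {c}, received: {r}, written: {w}, errors: {e}, conn_drops: 0, rate: 23, write_time: 119633us
===========================================================================
"""


def _block(ts, received, written, connected="true", errors=0):
    return _BLOCK.format(ts=ts, r=received, w=written, c=connected, e=errors)


T0, T1 = "2024-07-31T06:39:43.663Z", "2024-07-31T06:40:43.663Z"  # assumed 1-minute interval
HEALTHY_LOG = _block(T0, 26, 23) + _block(T1, 52, 47)          # both counters moving
STALLED_LOG = _block(T0, 26, 23) + _block(T1, 26, 23)          # nothing arriving at the datasink
NO_OUTPUT_LOG = _block(T0, 26, 23) + _block(T1, 52, 23)        # arriving but not delivered
DISCONNECTED_LOG = _block(T0, 26, 23) + _block(T1, 52, 23, connected="false")

if __name__ == "__main__":
    for label, text in [("healthy", HEALTHY_LOG), ("stalled", STALLED_LOG),
                        ("no-output", NO_OUTPUT_LOG), ("disconnected", DISCONNECTED_LOG)]:
        code, finding = diagnose_log(text)
        print(f"{label:13s} -> {code}: {finding}")
```

Run it against a real excerpt with `diagnose_log(open("sensor-connector.log").read())`; the datasink counters are cumulative, so two blocks at least one stats interval apart are needed for the comparison to mean anything.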
If the Cequence Sensor host is receiving the traffic, contact the Cequence Customer Success team for further assistance.
If the Cequence Sensor host is not receiving the traffic, validate Decryption on the Palo Alto Network Firewall by navigating to MONITOR > Logs > Decryption to examine successful and unsuccessful decryption activity. For troubleshooting Decryption, consult the Palo Alto Networks documentation.
If the Palo Alto Network Firewall is successfully decrypting the traffic, validate that the Decryption Mirroring interface is sending the traffic by taking packet captures. For detailed information on taking packet captures, consult the Palo Alto Networks documentation.
For further assistance on troubleshooting failures on the Palo Alto Network Firewall, please contact Palo Alto Customer Support.