Welcome to Home Skillet documentation!

HomeSkillet Overview

HomeSkillet is a deployment configuration for home use that sets the firewall up as a simple Internet gateway using 2 zones.

It is compatible with PAN-OS versions 10.0, 10.1 and 10.2.

Note

As of PAN-OS 10.2 HomeSkillet has reached End of Engineering status and future versions will no longer be actively worked on or supported by Palo Alto Networks.

Key Features

  • IronSkillet foundation providing security profiles and device hardening

  • 2 zones and interfaces, one internet and one internal

  • L3, Hybrid L2/L3, and vwire options available for network configuration

  • Outbound port-based NAT policy

  • Outbound security policies referencing the Outbound security profile group

  • DHCP client configuration on the untrust interface

  • Simple DHCP server configuration inheriting DNS from the untrust interface

Relationship to the IronSkillet Project

The configuration is based extensively on the IronSkillet configuration with a few variations designed for basic home use.

The config elements omitted from HomeSkillet include:

  • No certificate checks on no-decrypt traffic, since these can cause issues with in-home devices

  • No email alert configuration elements

  • No disabling of http range (HTTP partial response) requests, since blocking them can impact video streaming services

More information about IronSkillet can be found at: https://iron-skillet.readthedocs.io

Required Subscriptions

The configuration assumes all subscriptions are licensed and enabled, including:

  • Threat Prevention

  • URL Filtering

  • WildFire Analysis

  • DNS Cloud Service

kplay Solutions Content

Visit the kplay Solutions page in the LIVE Community for additional updates and related skillets.

Using PanHandler

This skillet is designed for XML-based API configuration. It requires the use of the PanHandler tool for variable substitution and API interactions.

Check the kplay Solutions page to get started with PanHandler.

Detailed information can be found at https://panhandler.readthedocs.io

Main Workflow

HomeSkillet functions as a workflow that takes menu inputs and plays the necessary skillets/submodules. The workflow takes the user from a baseline NGFW to a fully configured NGFW with the proper network components, zones, policies, etc., including IronSkillet best practices.

Full End-to-End Workflow

Provides an end-to-end experience using the following options:

Workflow Options

  1. Load empty baseline configuration

  2. Perform content updates

  3. Validation check (pre-ironskillet) [fail expected]

  4. IronSkillet-based configuration (commit required for online validation test)

  5. Validation check (post-ironskillet) [pass expected]

  6. Configure HomeSkillet network components

  7. Configure security policies

Network Deployment Options

The selected choice applies to the network configuration performed in step (6).

  • L3 routing mode with 2 zones and 2 interfaces

  • Hybrid L3 with L2 interfaces

  • Virtual Wire (vwire)

Add-on configuration options

  • Basic gateway security policies

Version Selection Options

The selected choice applies to the IronSkillet configuration performed in step (4).

  • v10.0 - loads IronSkillet 10.0 snippets

  • v10.1 - loads IronSkillet 10.1 snippets

  • v10.2 - loads IronSkillet 10.2 snippets

REST device queries

Not shown in the menus, yet part of the skillet framework, are REST skillet types. These query the firewall for the interface and zone names that are then offered as dropdown options in the deployment and security policy web forms.
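What such a query looks like end to end, as an added Python example that is not HomeSkillet's or PanHandler's own code: it builds the request URLs for the Network/EthernetInterfaces and Network/Zones collections of the PAN-OS REST API, parses the JSON shape the API returns into the name lists a dropdown needs, and handles the empty and error responses. The endpoint paths, the v10.1 version segment and the vsys location query for zones are taken from the PAN-OS REST API reference and should be checked against the target firewall; the sample responses are constructed, not captured from a device.

```python
"""Query a PAN-OS firewall REST API for interface and zone names.

Added example, not HomeSkillet's or PanHandler's own code: it shows the
kind of query a REST skillet runs to fill the interface/zone dropdowns.
Endpoint paths follow the PAN-OS REST API reference; the PAN-OS version is
part of the URL, so check it against your firewall.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlencode

PANOS_VERSION = "v10.1"   # assumption: match the firewall's PAN-OS release

# Constructed sample responses in the shape the REST API returns
# (@status / result / entry list with @name); not captured from a firewall.
SAMPLE_INTERFACES = json.loads("""
{"@status": "success", "@code": "19",
 "result": {"@total-count": "2", "@count": "2", "entry": [
   {"@name": "ethernet1/1",
    "layer3": {"dhcp-client": {"enable": "yes", "create-default-route": "yes"}}},
   {"@name": "ethernet1/2",
    "layer3": {"ip": {"entry": [{"@name": "192.168.1.1/24"}]}}}]}}
""")

SAMPLE_ZONES = json.loads("""
{"@status": "success", "@code": "19",
 "result": {"@total-count": "2", "@count": "2", "entry": [
   {"@name": "internet", "@location": "vsys", "@vsys": "vsys1",
    "network": {"layer3": {"member": ["ethernet1/1"]}}},
   {"@name": "trust", "@location": "vsys", "@vsys": "vsys1",
    "network": {"layer3": {"member": ["ethernet1/2"]}}}]}}
""")

# A collection with nothing in it has a result block but no "entry" key.
SAMPLE_EMPTY = {"@status": "success", "@code": "19",
                "result": {"@total-count": "0", "@count": "0"}}


def rest_url(host, path, query=None):
    """Build the REST URL for an object collection, e.g. Network/Zones."""
    url = f"https://{host}/restapi/{PANOS_VERSION}/{path}"
    return f"{url}?{urlencode(query)}" if query else url


def names_from_response(body):
    """Return the @name values from a collection response.

    Raises on a firewall-reported error instead of returning an empty
    dropdown that would hide an expired key or a wrong vsys.
    """
    if body.get("@status") != "success":
        raise RuntimeError(f"PAN-OS REST error: {body.get('@code')} {body.get('message')}")
    entries = body.get("result", {}).get("entry", [])
    if isinstance(entries, dict):  # a single object is not wrapped in a list
        entries = [entries]
    return [e["@name"] for e in entries]


def dropdown_options(interfaces_body, zones_body):
    """Shape both answers into what the deployment web form consumes."""
    return {"interfaces": names_from_response(interfaces_body),
            "zones": names_from_response(zones_body)}


def fetch(host, api_key, path, cafile, query=None):
    """Run a live query (not executed in this offline example).

    A home firewall usually serves a self-signed certificate. Export it and
    pass it as cafile rather than disabling verification: the X-PAN-KEY
    header is a bearer credential for the whole firewall.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(rest_url(host, path, query),
                                 headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline run over the constructed samples. Against a firewall:
    #   fetch(host, key, "Network/EthernetInterfaces", "fw.pem")
    #   fetch(host, key, "Network/Zones", "fw.pem",
    #         {"location": "vsys", "vsys": "vsys1"})
    print(dropdown_options(SAMPLE_INTERFACES, SAMPLE_ZONES))
```

The error path matters more than the happy path here: a form that silently shows empty dropdowns when the API key has expired leads to a deployment with the wrong interfaces selected, so the parser raises instead.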

Preliminary Setup

These skillets are used in the workflow ahead of configuration to create an empty configuration and install the latest content updates.

Load Empty Baseline Config

A python skillet that resets the configuration to an empty baseline with only the management interface, admin user, and DNS configured.

The steps of the skillet include:

  • Render the full configuration using supplied values

  • Import the configuration file

  • Load the configuration as candidate

  • Commit the configuration
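The same four steps driven against the PAN-OS XML API, as an added Python example rather than the skillet's own code. The request shapes (type=import with category=configuration, the load/config/from operational command, type=commit, and show/jobs/id for polling) are the documented XML API forms; the fake firewall, its responses, and the file name are constructed so the sequence runs offline, and the rendered configuration is simply passed in as bytes.

```python
"""Drive the PAN-OS XML API through import -> load -> commit -> job poll.

Added example, not HomeSkillet's python skillet. Request shapes follow the
PAN-OS XML API (type=import, type=op load, type=commit, show jobs); the
transport is a callable, so the sequence runs offline here against a
constructed fake firewall. The rendered config bytes are passed in;
host, key and file name are placeholders.
"""
import xml.etree.ElementTree as ET


def import_request(filename, data):
    """Multipart upload of the rendered configuration file."""
    return {"params": {"type": "import", "category": "configuration"},
            "files": {"file": (filename, data)}}


def load_request(filename):
    """Load the imported file as the candidate configuration."""
    return {"params": {"type": "op",
                       "cmd": f"<load><config><from>{filename}</from></config></load>"}}


def commit_request():
    return {"params": {"type": "commit", "cmd": "<commit></commit>"}}


def job_request(job_id):
    return {"params": {"type": "op",
                       "cmd": f"<show><jobs><id>{job_id}</id></jobs></show>"}}


def parse_response(xml_text):
    """Return the parsed <response>; raise when the firewall reports an error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"XML API error: {xml_text}")
    return root


def load_baseline(send, filename, data, max_polls=30):
    """Run the four steps and return the commit job id once it has finished.

    send(request) -> response text. A real transport POSTs each request to
    https://<firewall>/api/ with the API key in an X-PAN-KEY header; keep it
    out of the query string so it never lands in proxy or access logs.
    """
    parse_response(send(import_request(filename, data)))
    parse_response(send(load_request(filename)))
    job = parse_response(send(commit_request())).findtext("result/job")
    for _ in range(max_polls):          # a real client sleeps between polls
        state = parse_response(send(job_request(job))).find("result/job")
        if state.findtext("status") == "FIN":
            if state.findtext("result") != "OK":
                raise RuntimeError(f"commit job {job} failed: {state.findtext('details')}")
            return job
    raise TimeoutError(f"commit job {job} still running")


class FakeFirewall:
    """Constructed stand-in answering in the XML API's response shape."""

    def __init__(self):
        self.log = []       # request kinds seen, in order
        self.polls = 0

    def __call__(self, request):
        p = request["params"]
        self.log.append(p["type"] if p["type"] != "op" else ET.fromstring(p["cmd"]).tag)
        if p["type"] == "import":
            return '<response status="success"><result>baseline.xml saved</result></response>'
        if p["type"] == "commit":
            return ('<response status="success" code="19"><result>'
                    '<msg><line>Commit job enqueued with jobid 7</line></msg>'
                    '<job>7</job></result></response>')
        if p["cmd"].startswith("<load>"):
            return '<response status="success"><result>Config loaded from baseline.xml</result></response>'
        self.polls += 1                  # first poll: still active, second: finished
        status, result = ("FIN", "OK") if self.polls > 1 else ("ACT", "PEND")
        return (f'<response status="success"><result><job><id>7</id>'
                f'<status>{status}</status><result>{result}</result></job></result></response>')


if __name__ == "__main__":
    fw = FakeFirewall()
    print("commit job", load_baseline(fw, "baseline.xml", b"<config/>"), "finished")
    print("request sequence:", fw.log)
```

Because a commit is asynchronous, the job id has to be polled to completion; a script that treats the enqueue response as success will happily move on to the content update while the baseline load has actually failed.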

Content Updates

An ansible playbook that checks if the latest content and threat updates are installed. If not, the playbook will download and install the latest updates.

The content update is often required before configuring skillets so that the latest predefined elements (Palo Alto Networks EDLs, URL filtering categories, WildFire file types, etc.) are available. Updates may also be required before software upgrades.

Validations

Network and Policy Dependencies

A set of validation checks is performed to ensure that the dependencies required by config elements added in previous steps exist on the firewall.

This validation is used twice in the workflow: once before the IronSkillet configuration, where a fail is expected on a new install, and again after the IronSkillet configuration and commit, where a pass is expected.

Dependency Checks

The following categories of tests are performed:

  • the named zone protection profile exists

  • the referenced security profiles and profile groups exist

  • the referenced logging (log forwarding) profile exists
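One way to implement these checks against a candidate configuration, as an added Python example and not the skillet's own validation code. Both configurations below are constructed (a pre-IronSkillet one that is expected to fail and a post-IronSkillet one that is expected to pass); the element paths follow the PAN-OS config schema and should be confirmed against a config export from the target firewall.

```python
"""Dependency check over a PAN-OS candidate configuration.

Added example, not HomeSkillet's validation skillet. It reads a config
XML (the constructed sample below, not a firewall export) and reports
references to objects that do not exist: zone -> zone protection profile,
security rule -> profile group, security rule -> log forwarding profile.
Element paths follow the PAN-OS config schema; confirm them against a
'show config' export from your own firewall before relying on them.
"""
import xml.etree.ElementTree as ET

VSYS = "./devices/entry/vsys/entry"
NETWORK = "./devices/entry/network"

# Constructed pre-IronSkillet config: the zone and the rule already refer
# to objects that only IronSkillet creates, so a fail is the expected result.
PRE_IRONSKILLET = """
<config><devices><entry name="localhost.localdomain">
 <network><profiles><zone-protection-profile/></profiles></network>
 <vsys><entry name="vsys1">
  <zone>
   <entry name="internet"><network>
    <zone-protection-profile>Recommended_Zone_Protection</zone-protection-profile>
   </network></entry>
   <entry name="trust"><network/></entry>
  </zone>
  <profile-group/>
  <log-settings><profiles/></log-settings>
  <rulebase><security><rules>
   <entry name="Outbound-Allow">
    <profile-setting><group><member>Outbound</member></group></profile-setting>
    <log-setting>default</log-setting>
   </entry>
  </rules></security></rulebase>
 </entry></vsys>
</entry></devices></config>
"""

# The same config once the IronSkillet objects exist: pass expected.
POST_IRONSKILLET = (
    PRE_IRONSKILLET
    .replace("<zone-protection-profile/>",
             '<zone-protection-profile><entry name="Recommended_Zone_Protection"/>'
             "</zone-protection-profile>")
    .replace("<profile-group/>", '<profile-group><entry name="Outbound"/></profile-group>')
    .replace("<profiles/>", '<profiles><entry name="default"/></profiles>')
)


def defined_names(root, path):
    """Names of the <entry> objects defined under a container path."""
    return {e.get("name") for e in root.findall(f"{path}/entry")}


def check_dependencies(config_xml):
    """Return 'kind: name (referenced by ...)' lines for unresolved references.

    An empty list is the pass condition the workflow expects after IronSkillet.
    """
    root = ET.fromstring(config_xml)
    zpp = defined_names(root, f"{NETWORK}/profiles/zone-protection-profile")
    groups = defined_names(root, f"{VSYS}/profile-group")
    log_profiles = defined_names(root, f"{VSYS}/log-settings/profiles")
    missing = []

    for zone in root.findall(f"{VSYS}/zone/entry"):
        ref = zone.findtext("network/zone-protection-profile")
        if ref and ref not in zpp:
            missing.append(f"zone-protection-profile: {ref} (zone {zone.get('name')})")

    for rule in root.findall(f"{VSYS}/rulebase/security/rules/entry"):
        name = rule.get("name")
        for grp in rule.findall("profile-setting/group/member"):
            if grp.text not in groups:
                missing.append(f"profile-group: {grp.text} (rule {name})")
        ref = rule.findtext("log-setting")
        if ref and ref not in log_profiles:
            missing.append(f"log-forwarding: {ref} (rule {name})")
    return missing


if __name__ == "__main__":
    for label, cfg in (("pre-ironskillet", PRE_IRONSKILLET),
                       ("post-ironskillet", POST_IRONSKILLET)):
        result = check_dependencies(cfg)
        print(label, "PASS" if not result else "FAIL", result)
```

Running the check against the candidate rather than the running config is deliberate: a reference to a missing profile is exactly the kind of error a commit rejects, and catching it here tells the operator which earlier step was skipped.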

IronSkillet Baseline

The initial configuration adds most of the IronSkillet configuration to the firewall to harden and add needed security policies and groups referenced in later workflow stages.

IronSkillet Deltas

In order to create a simplified in-home template, the following elements have been removed from the standard IronSkillet configuration:

  • email alerts and scheduling: assumes no email server available in a simple deployment

  • disable the ‘no decrypt’ decryption rule to avoid untrusted and expired cert issues

  • remove the superuser admin/password config - assumes user has setup their own login access

  • remove the management interface IP and DNS configuration - assumes already online for initial updates

  • leaves http range (HTTP partial response) allowed, since disabling it causes issues with home use

Network Layer Skillets

The workflow menu network dropdown allows the user to select a deployment option.

Layer 3 Routing

The L3 deployment is a 2-zone, 2-interface model with IP routing.

Interface settings

Sample interface configurations with one for external/untrust and one internal/trust.

  • untrust interface uses DHCP, inheriting its default route to the internet from the DHCP lease

  • trust interface uses a static IP configuration

  • the interface names and the trust IP address are variables to adjust as needed

Zones

Two zones are provided in the template. The names are variables with default values set to trust and internet.

Virtual Router

The internet gateway deployment uses L3 zones and interfaces so routing configuration is required.

  • adds each of the firewall interfaces

  • uses inheritance from the DHCP internet interface to create a default gateway route to the internet

Source NAT

Provides dynamic IP and port (DIPP) source translation using the address of the public internet interface.

DHCP Server

Simple DHCP server mapped to the trust interface:

  • use of IP address range located in the trust subnet

  • inherits DNS information from the untrust interface

Note

This skillet does not include Dynamic DNS (DDNS) although it is a supported feature in PAN-OS v10.0. DDNS is recommended if GlobalProtect or other configurations using the public IP are used.

Network Profiles

Interface management profiles

  • sets the internet interface to ping only

  • allows for configuration access from the trust interface

Note

Device management will vary by user. These profiles are expected to be updated to match the user's own management model.
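A rendered and checked version of this L3 model, as an added Python example; it is not the HomeSkillet snippet. The XML is a simplified stand-in modelled on the PAN-OS config schema for the elements the section describes (DHCP client untrust interface, static trust interface, both zones, virtual router membership, DIPP source NAT on the untrust interface, DHCP server inheriting DNS), the variable names are assumptions, and the {{ name }} replacement is a minimal stand-in for PanHandler's Jinja rendering. The checks after rendering are the ones worth running before a commit: no interface named by a zone or the virtual router is undefined, the DHCP pool lies in the trust subnet without including the gateway, DNS inheritance points at the DHCP-client interface, and the NAT rule's egress interface is in its destination zone.

```python
"""Render an L3 gateway snippet from skillet variables and sanity-check it.

Added example, not the HomeSkillet snippet. The XML is a simplified
stand-in modelled on the PAN-OS config schema; confirm element names
against a config exported from your own firewall before pushing it.
Variable names are assumptions and the {{ name }} substitution is a
minimal stand-in for PanHandler's Jinja rendering.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

TEMPLATE = """<config><devices><entry name="localhost.localdomain"><network>
 <interface><ethernet>
  <entry name="{{ untrust_if }}"><layer3><dhcp-client><enable>yes</enable>
   <create-default-route>yes</create-default-route></dhcp-client></layer3></entry>
  <entry name="{{ trust_if }}"><layer3><ip><entry name="{{ trust_ip }}"/></ip></layer3></entry>
 </ethernet></interface>
 <virtual-router><entry name="default"><interface>
  <member>{{ untrust_if }}</member><member>{{ trust_if }}</member></interface></entry></virtual-router>
 <dhcp><interface><entry name="{{ trust_if }}"><server>
  <ip-pool><member>{{ dhcp_pool }}</member></ip-pool>
  <option><inheritance><source>{{ untrust_if }}</source></inheritance>
   <dns><primary>inherited</primary><secondary>inherited</secondary></dns></option>
 </server></entry></interface></dhcp>
</network><vsys><entry name="vsys1">
 <zone>
  <entry name="{{ untrust_zone }}"><network><layer3><member>{{ untrust_if }}</member></layer3></network></entry>
  <entry name="{{ trust_zone }}"><network><layer3><member>{{ trust_if }}</member></layer3></network></entry>
 </zone>
 <rulebase><nat><rules><entry name="outbound-snat">
  <from><member>{{ trust_zone }}</member></from><to><member>{{ untrust_zone }}</member></to>
  <source><member>any</member></source><destination><member>any</member></destination>
  <service>any</service>
  <source-translation><dynamic-ip-and-port><interface-address>
   <interface>{{ untrust_if }}</interface></interface-address></dynamic-ip-and-port></source-translation>
 </entry></rules></nat></rulebase>
</entry></vsys></entry></devices></config>"""

# Constructed defaults matching the documented model (assumed variable names).
DEFAULTS = {"untrust_if": "ethernet1/1", "trust_if": "ethernet1/2",
            "untrust_zone": "internet", "trust_zone": "trust",
            "trust_ip": "192.168.1.1/24",
            "dhcp_pool": "192.168.1.100-192.168.1.200"}

VAR = re.compile(r"{{\s*(\w+)\s*}}")


def render(template, variables):
    """Substitute {{ name }}; an unset variable raises rather than leaving
    a half-rendered snippet that would then be pushed to the firewall."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unset skillet variable: {name}")
        return variables[name]
    return VAR.sub(sub, template)


def validate(rendered):
    """Return the problems found in a rendered config (empty list = OK)."""
    problems = []
    root = ET.fromstring(rendered)
    net = root.find("devices/entry/network")
    vsys = root.find("devices/entry/vsys/entry")

    # every interface the virtual router or a zone names must be defined
    defined = {e.get("name") for e in net.findall("interface/ethernet/entry")}
    refs = net.findall("virtual-router/entry/interface/member")
    refs += vsys.findall("zone/entry/network/layer3/member")
    problems += [f"interface {m.text} referenced but not defined"
                 for m in refs if m.text not in defined]

    # DHCP pool must sit inside the trust subnet and not include the gateway
    dhcp = net.find("dhcp/interface/entry")
    ip_entry = net.find(f"interface/ethernet/entry[@name='{dhcp.get('name')}']"
                        "/layer3/ip/entry")
    if ip_entry is None:
        problems.append("DHCP server interface has no static IP")
    else:
        gw = ipaddress.ip_interface(ip_entry.get("name"))
        lo, hi = (ipaddress.ip_address(a)
                  for a in dhcp.findtext("server/ip-pool/member").split("-"))
        if lo > hi or lo not in gw.network or hi not in gw.network:
            problems.append("DHCP pool outside trust subnet")
        elif lo <= gw.ip <= hi:
            problems.append("DHCP pool contains the gateway address")
    src = dhcp.findtext("server/option/inheritance/source")
    if net.find(f"interface/ethernet/entry[@name='{src}']/layer3/dhcp-client") is None:
        problems.append(f"DNS inheritance source {src} is not a DHCP client")

    # the NAT rule must translate to the interface that sits in its 'to' zone
    nat = vsys.find("rulebase/nat/rules/entry")
    to_zone = nat.findtext("to/member")
    zone_if = vsys.findtext(f"zone/entry[@name='{to_zone}']/network/layer3/member")
    nat_if = nat.findtext("source-translation/dynamic-ip-and-port/"
                          "interface-address/interface")
    if zone_if != nat_if:
        problems.append(f"NAT egress interface {nat_if} is not in zone {to_zone}")
    return problems


if __name__ == "__main__":
    print(validate(render(TEMPLATE, DEFAULTS)))
```

The DHCP pool and gateway checks are the ones that bite in practice when the trust IP variable is changed without adjusting the pool: the firewall accepts the commit, and clients then receive leases on a subnet the trust interface does not serve.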


Virtual Wire

The vwire deployment is a 2-zone, 2-interface model as a virtual wire.

Interface settings

Sample interface configurations with one for external/untrust and one internal/trust.

  • interfaces are set to the vwire type

  • virtual wire created using the 2 interfaces

Zones

Zones created with type = virtual wire


L2/L3 Hybrid Switching/Routing

Interface settings

Sample interface configurations with:

  • internal interfaces set to Layer 2

  • vlan and internet interfaces set to Layer 3

Zones

3-zone configuration:

  • L2 - trust

  • L3 - untrust

  • L3 - trust

Virtual Router

The internet gateway deployment uses L3 zones and interfaces so routing configuration is required.

  • includes the vlan interface (the L3 trust side) and the internet interface

  • uses inheritance from the DHCP internet interface to create a default gateway route to the internet

Source NAT

Provides dynamic IP and port (DIPP) source translation using the address of the public internet interface.

DHCP Server

Simple DHCP server mapped to the vlan L3 trust interface:

  • use of IP address range located in the trust subnet

  • inherits DNS information from the untrust internet interface

Note

This skillet does not include Dynamic DNS (DDNS) although it is a supported feature in PAN-OS v10.0. DDNS is recommended if GlobalProtect or other configurations using the public IP are used.

Network Profiles

Interface management profiles

  • sets the internet interface to ping only

  • allows for configuration access from the trust interface

Security Policies

Outbound Only Configuration

Unknown URL Category Profile Group

This adds additional protections with a more aggressive file blocking posture when the URL category is unknown. It is referenced in the gold security rules.

Security Rules

These are outbound-specific rules leveraging the IronSkillet security profile groups.

  • Block to force usage of SSL to assist URL-filtering category discovery

  • Aggressive file blocking including PE file types when URL category = unknown

  • Outbound access for all applications using ‘application default’ port requirements

  • Non-default SSL ports: allows bypass of app defaults for SSL traffic; tracking for non-standard ports

  • Non-default web ports: allows bypass of app defaults for web traffic; tracking for non-standard ports

  • Non-default application ports: allows bypass of app defaults for all traffic; tracking for non-standard ports

Warning

The non-default port rules effectively allow all outbound traffic on any port. They are provided because of the variance in ports that applications use, and for SMB deployments to avoid a flood of support calls. Keeping them as explicit rules provides hit counts to track and monitor out-of-bounds and suspicious applications.
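An audit that makes this warning concrete, as an added Python example that is not part of HomeSkillet: it parses a constructed rulebase in the PAN-OS security-rule XML shape and lists, for each enabled allow rule, whether it permits non-default ports, whether it is a full catch-all, and whether it still carries a security profile group and logs at session end. The rule names and the rulebase are invented for the sample.

```python
"""Audit outbound security rules for the 'any port' pattern the warning describes.

Added example, not part of HomeSkillet. It parses a constructed rulebase in
the PAN-OS security-rule XML shape and reports, per enabled allow rule,
whether it permits non-default ports, whether it is a full catch-all, and
whether it still logs and carries a security profile group. Rule names are
invented for the sample.
"""
import xml.etree.ElementTree as ET

RULEBASE = """
<rules>
 <entry name="Outbound-App-Default">
  <from><member>trust</member></from><to><member>internet</member></to>
  <application><member>any</member></application>
  <service><member>application-default</member></service>
  <action>allow</action>
  <profile-setting><group><member>Outbound</member></group></profile-setting>
  <log-setting>default</log-setting><log-end>yes</log-end>
 </entry>
 <entry name="Outbound-NonDefault-SSL">
  <from><member>trust</member></from><to><member>internet</member></to>
  <application><member>ssl</member></application>
  <service><member>any</member></service>
  <action>allow</action>
  <profile-setting><group><member>Outbound</member></group></profile-setting>
  <log-setting>default</log-setting><log-end>yes</log-end>
 </entry>
 <entry name="Outbound-NonDefault-Any">
  <from><member>trust</member></from><to><member>internet</member></to>
  <application><member>any</member></application>
  <service><member>any</member></service>
  <action>allow</action>
  <log-end>yes</log-end>
 </entry>
 <entry name="Old-Test-Rule">
  <from><member>trust</member></from><to><member>internet</member></to>
  <application><member>any</member></application>
  <service><member>any</member></service>
  <action>allow</action>
  <disabled>yes</disabled>
 </entry>
</rules>
"""


def members(rule, path):
    """Text of the <member> elements under a rule field such as 'service'."""
    return [m.text for m in rule.findall(f"{path}/member")]


def audit(rulebase_xml):
    """Map rule name -> observations, for enabled allow rules only.

    Rules that stay on application-default with a profile group and
    logging produce no entry; everything else is listed so the operator
    can confirm each catch-all is intentional and visible in the logs.
    """
    findings = {}
    for rule in ET.fromstring(rulebase_xml).findall("entry"):
        if rule.findtext("action") != "allow" or rule.findtext("disabled") == "yes":
            continue
        svc, apps = members(rule, "service"), members(rule, "application")
        notes = []
        if "application-default" not in svc:
            scope = "any application" if "any" in apps else ", ".join(apps)
            notes.append(f"non-default ports allowed for {scope}")
        if "any" in svc and "any" in apps:
            notes.append("catch-all: effectively allows all outbound traffic")
        if rule.find("profile-setting/group/member") is None:
            notes.append("no security profile group attached")
        if rule.findtext("log-setting") is None or rule.findtext("log-end") != "yes":
            notes.append("not logging at session end to a log forwarding profile")
        if notes:
            findings[rule.get("name")] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(RULEBASE).items():
        print(name)
        for note in notes:
            print("  -", note)
```

The point of the audit is not to remove the non-default port rules, which the text keeps on purpose, but to make sure each one still carries the Outbound profile group and logs to a forwarding profile, since a catch-all that neither inspects nor logs gives up the hit-count tracking that justified it.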

Release and Update History

Includes:

  • template releases

  • tools updates

  • documentation revisions

Template Release History

Template content updates are high level. Details can be found in the template guides.

0.1.0

Released March 15th, 2019

Template Content

  • updated yaml files with 9.0 versions

  • no local content changes - new features come from IronSkillet 9.0 baseline

0.2.0

Released July 15th, 2019 (dev branch)

Template Content

  • updated to match new IronSkillet version

    • password complexity profile and admin lockout

    • GlobalProtect dynamic updates

    • remove Bogon elements and opt-in for the EDL policies

0.3.0

Released January 14, 2020

Template Content

  • addition of load empty starter config and content update skillets

  • inclusion of post step 1 validation skillet - ensure dependencies met

  • full and config-only workflows

  • ability to hide/show ip addresses based on mgmt interface type

Released April 23, 2020

Template Content

  • added vwire deployment option

  • fixed missing DHCP server snippet

  • menu text clean up

0.4.0

Released June 18, 2021

Template Content

  • removed 9.x version

  • added 10.1 version

  • update to playlist/workflow model

  • incorporate use of submodules (ironskillet, panos upgrade/downgrade, panos config elements)

Documentation Revisions

Documentation revisions outside of template-tooling updates. These are documented by date, not version.

Initial content based on 9.0 baseline

Mar 15, 2019

  • create 9.0 branch and associated documentation

Jul 15, 2019

  • release-based updates mapping to IronSkillet

Apr 23, 2020

  • restructure the content

  • add PanHandler kstart link

July 21, 2020

  • IronSkillet 10.0 based feature updates

June 18, 2021

  • minor docs edits

  • update workflow

  • add 10.1 feature updates