Quick note on troubleshooting password based Kerberos authentication on a Palo Alto Networks firewall

While endeavoring to test a Kerberos based authentication profile on a client's Palo Alto Networks firewall I ran into a couple of error messages that need a little clarification.

To test the authentication I connected to the CLI on the firewall and issued the following command:

    test authentication authentication-profile client-test-1 username genesyswave password

This prompts me to enter my password, and the firewall will then use either the management interface (default) or the configured service route interface for the authentication server type (LDAP, RADIUS, Kerberos or TACACS+).

In the first attempt I received the following message:

    Failed to initialize KERBEROS auth context: Improper format of Kerberos configuration file

A quick search of the Internet returned results about the device not being properly joined to the realm, but that is not required for password based authentication to Kerberos on a Palo Alto Networks firewall. I then checked the authd.log for more specifics on the Kerberos configuration file:

    pan_authd_create_krb5_config(pan_authd_shared_util.c:186): krb5 config:
        dns_lookup_kdc = false
        default_realm = DOMAIN.CLIENT.COM
    DOMAIN.CLIENT.COM = {
        kdc =
        default_domain = pge
    }

The empty kdc entry indicates that there is a DNS name resolution issue with the firewall. DNS was not configured on this particular firewall. The DNS configuration was updated.

I tested the authentication again and received a different error message:

Authentication...
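The empty kdc line in the authd.log excerpt above can be checked for mechanically. The following Python script is an added example, not code from the original post or from Palo Alto Networks: it parses a krb5 config dump of that shape and reports realms that have no KDC while dns_lookup_kdc is off. The sample text, the function names and the assumption that an unset dns_lookup_kdc counts as true (the MIT krb5 default) are all constructed for illustration.

```python
import re

# Constructed sample, modelled on the authd.log excerpt in the post.
SAMPLE_LOG = """\
pan_authd_create_krb5_config(pan_authd_shared_util.c:186): krb5 config:
    dns_lookup_kdc = false
    default_realm = DOMAIN.CLIENT.COM
DOMAIN.CLIENT.COM = {
    kdc =
    default_domain = pge
}
"""
TRUE_VALUES = {"true", "t", "yes", "y", "on", "1"}

def parse_krb5_dump(text):
    """Return (top-level settings, {realm: {key: [non-empty values]}})."""
    settings, realms, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            current = None          # end of a realm block
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:                   # log prefix, section header, blank line
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            current = realms.setdefault(key, {})   # start of a realm block
        elif current is not None:
            values = current.setdefault(key, [])
            if value:               # "kdc =" with nothing after it stays empty
                values.append(value)
        else:
            settings[key] = value
    return settings, realms

def find_problems(text):
    """List realms that cannot be reached with the dumped configuration."""
    settings, realms = parse_krb5_dump(text)
    dns_lookup = settings.get("dns_lookup_kdc", "true").lower() in TRUE_VALUES
    problems = []
    for realm, body in realms.items():
        if not body.get("kdc") and not dns_lookup:
            problems.append(f"{realm}: kdc is empty and dns_lookup_kdc is off; "
                            "check that the firewall can resolve the Kerberos server name")
    return problems

if __name__ == "__main__":
    print("\n".join(find_problems(SAMPLE_LOG)))
```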

PHP configuration for use with Palo Alto Networks Configurator

Palo Alto Networks has a tool that allows you to gather configuration information from firewalls and Panorama systems.

The PHP scripts can be found here:
https://github.com/PaloAltoNetworks-BD/pan-configurator/

Download and extract the files to your system. I chose to extract them to c:\pan-configurator-master

Example scripts showing how to use the tool are found at the links below (they do require a Palo Alto Networks customer account):
https://live.paloaltonetworks.com/t5/SDK-API-Articles/rules-edit-php-to-manage-edit-export-rules-from-CLI/ta-p/53321
https://live.paloaltonetworks.com/t5/SDK-API-Articles/Simple-export-of-rules-as-Excel-or-HTML/ta-p/65082
https://live.paloaltonetworks.com/t5/SDK-API-Articles/PAN-Configurator-scripting-library-and-utilities/ta-p/52163

If you don't have PHP already installed on your Windows system, here is how I configured my system.

Download and install PHP to your machine from http://www.php.net. I used version 5.5.3.0 and installed to c:\php

Once PHP has been installed, copy php.ini-production to php.ini, and edit the following lines by removing the semicolons:

    include_path = ".;c:\php\includes"
    ; On windows:
    extension_dir = "ext"
    ; Enable cURL extension in PHP
    extension=php_curl.dll

Copy the following DLLs to the c:\windows\system32 directory:

    ssleay32.dll
    libeay32.dll
    libssh2.dll
    php_curl.dll

If you want to be able to run the scripts from directories other than c:\php, update your path at the command line with the following command:

    set path=%path%;"c:\php"

When you connect to a device the first time it will ask for either a username and password or an API key.

You can generate an API key via your browser - https:///api/?type=keygen&user=&password=

Replace the data in between < > with the...