
PAN-OS

Administrator's
Guide
Version 7.1

Contact Information
Corporate Headquarters:

Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us

About this Guide
This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation
firewall. For additional information, refer to the following resources:

For information on how to configure other components in the Palo Alto Networks Next-Generation Security
Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or
search the documentation.

For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a
support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS and Panorama 7.1 release notes, go to
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes.html.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found
at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Revision Date: May 19, 2016

2    PAN-OS 7.1 Administrator's Guide

Palo Alto Networks, Inc.

Table of Contents
Getting Started ..... 17
  Integrate the Firewall into Your Management Network ..... 18
    Determine Your Management Strategy ..... 18
    Perform Initial Configuration ..... 19
    Set Up Network Access for External Services ..... 23
  Register the Firewall ..... 27
  Activate Licenses and Subscriptions ..... 28
  Install Content and Software Updates ..... 30
  Segment Your Network Using Interfaces and Zones ..... 34
    Network Segmentation for a Reduced Attack Surface ..... 34
    Configure Interfaces and Zones ..... 35
  Set Up a Basic Security Policy ..... 38
  Assess Network Traffic ..... 42
  Enable Basic Threat Prevention Features ..... 44
    Enable Basic WildFire Forwarding ..... 44
    Scan Traffic for Threats ..... 46
    Control Access to Web Content ..... 50
    Enable AutoFocus Threat Intelligence ..... 53
  Best Practices for Completing the Firewall Deployment ..... 55

Firewall Administration ..... 57
  Management Interfaces ..... 58
  Use the Web Interface ..... 59
    Launch the Web Interface ..... 59
    Configure Banners, Message of the Day, and Logos ..... 60
    Use the Administrator Login Activity Indicators to Detect Account Misuse ..... 62
    Manage and Monitor Administrative Tasks ..... 64
    Commit, Validate, and Preview Firewall Configuration Changes ..... 64
    Use Global Find to Search the Firewall or Panorama Management Server ..... 66
    Manage Locks for Restricting Configuration Changes ..... 67
  Manage Configuration Backups ..... 69
    Back Up a Configuration ..... 69
    Restore a Configuration ..... 70
  Manage Firewall Administrators ..... 72
    Administrative Roles ..... 72
    Administrative Authentication ..... 73
    Configure Administrative Accounts and Authentication ..... 74
    Configure an Administrative Account ..... 74
    Configure Kerberos SSO and External or Local Authentication for Administrators ..... 75
    Configure Certificate-Based Administrator Authentication to the Web Interface ..... 76
    Configure SSH Key-Based Administrator Authentication to the CLI ..... 78
    Configure RADIUS Vendor-Specific Attributes for Administrator Authentication ..... 78


  Reference: Web Interface Administrator Access ..... 80
    Web Interface Access Privileges ..... 80
    Panorama Web Interface Access ..... 120
  Reference: Port Number Usage ..... 124
    Ports Used for Management Functions ..... 124
    Ports Used for HA ..... 125
    Ports Used for Panorama ..... 125
    Ports Used for User-ID ..... 126
  Reset the Firewall to Factory Default Settings ..... 128
  Bootstrap the Firewall ..... 129
    USB Flash Drive Support ..... 129
    Sample init-cfg.txt Files ..... 130
    Prepare a USB Flash Drive for Bootstrapping a Firewall ..... 131
    Bootstrap a Firewall Using a USB Flash Drive ..... 134

Authentication ..... 137
  Configure an Authentication Profile and Sequence ..... 138
  Configure Kerberos Single Sign-On ..... 141
  Configure Local Database Authentication ..... 142
  Configure External Authentication ..... 143
    Configure Authentication Server Profiles ..... 143
    Configure a RADIUS Server Profile ..... 143
    RADIUS Vendor-Specific Attributes Support ..... 144
    Configure a TACACS+ Server Profile ..... 145
    Configure an LDAP Server Profile ..... 146
    Configure a Kerberos Server Profile ..... 148
    Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers ..... 148
    Enable External Authentication for Users and Services ..... 149
  Test Authentication Server Connectivity ..... 150
    Run the Test Authentication Command ..... 150
    Test a Local Database Authentication Profile ..... 151
    Test a RADIUS Authentication Profile ..... 152
    Test a TACACS+ Authentication Profile ..... 154
    Test an LDAP Authentication Profile ..... 155
    Test a Kerberos Authentication Profile ..... 156
  Troubleshoot Authentication Issues ..... 158

Certificate Management ..... 159
  Keys and Certificates ..... 160
  Certificate Revocation ..... 162
    Certificate Revocation List (CRL) ..... 162
    Online Certificate Status Protocol (OCSP) ..... 163
  Certificate Deployment ..... 164
  Set Up Verification for Certificate Revocation Status ..... 165
    Configure an OCSP Responder ..... 165
    Configure Revocation Status Verification of Certificates ..... 166
    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption ..... 166


  Configure the Master Key ..... 168
  Obtain Certificates ..... 169
    Create a Self-Signed Root CA Certificate ..... 169
    Generate a Certificate ..... 170
    Import a Certificate and Private Key ..... 171
    Obtain a Certificate from an External CA ..... 172
  Export a Certificate and Private Key ..... 174
  Configure a Certificate Profile ..... 175
  Configure an SSL/TLS Service Profile ..... 177
  Replace the Certificate for Inbound Management Traffic ..... 178
  Configure the Key Size for SSL Forward Proxy Server Certificates ..... 179
  Revoke and Renew Certificates ..... 180
    Revoke a Certificate ..... 180
    Renew a Certificate ..... 180
  Secure Keys with a Hardware Security Module ..... 181
    Set up Connectivity with an HSM ..... 181
    Encrypt a Master Key Using an HSM ..... 186
    Store Private Keys on an HSM ..... 187
    Manage the HSM Deployment ..... 188

High Availability ..... 189
  HA Overview ..... 190
  HA Concepts ..... 191
    HA Modes ..... 191
    HA Links and Backup Links ..... 192
    Device Priority and Preemption ..... 195
    Failover ..... 195
    LACP and LLDP Pre-Negotiation for Active/Passive HA ..... 196
    Floating IP Address and Virtual MAC Address ..... 196
    ARP Load-Sharing ..... 198
    Route-Based Redundancy ..... 200
    HA Timers ..... 200
    Session Owner ..... 203
    Session Setup ..... 203
    NAT in Active/Active HA Mode ..... 205
    ECMP in Active/Active HA Mode ..... 206
  Set Up Active/Passive HA ..... 207
    Prerequisites for Active/Passive HA ..... 207
    Configuration Guidelines for Active/Passive HA ..... 208
    Configure Active/Passive HA ..... 210
    Define HA Failover Conditions ..... 215
    Verify Failover ..... 216
  Set Up Active/Active HA ..... 217
    Prerequisites for Active/Active HA ..... 217
    Configure Active/Active HA ..... 218
    Use Case: Configure Active/Active HA with Route-Based Redundancy ..... 224
    Use Case: Configure Active/Active HA with Floating IP Addresses ..... 225


    Use Case: Configure A/A HA with ARP Load-Sharing ..... 226
    Use Case: Configure A/A HA with Floating IP Address Bound to A/P Firewall ..... 227
    Use Case: Configure A/A HA with Source DIPP NAT Using Floating IP Addresses ..... 231
    Use Case: Configure Separate Source NAT IP Address Pools for A/A HA Firewalls ..... 234
    Use Case: Configure A/A HA for ARP Load-Sharing with Destination NAT ..... 235
    Use Case: Configure A/A HA for ARP Load-Sharing with Destination NAT in Layer 3 ..... 238
  HA Firewall States ..... 241
  Reference: HA Synchronization ..... 243
    What Settings Don't Sync in Active/Passive HA? ..... 243
    What Settings Don't Sync in Active/Active HA? ..... 245
    Synchronization of System Runtime Information ..... 247

Monitoring ..... 249
  Use the Dashboard ..... 250
  Use the Application Command Center ..... 251
    ACC First Look ..... 252
    ACC Tabs ..... 253
    ACC Widgets ..... 254
    Widget Descriptions ..... 255
    ACC Filters ..... 259
    Interact with the ACC ..... 260
    Use Case: ACC Path of Information Discovery ..... 263
  App Scope ..... 270
    Summary Report ..... 271
    Change Monitor Report ..... 272
    Threat Monitor Report ..... 273
    Threat Map Report ..... 274
    Network Monitor Report ..... 275
    Traffic Map Report ..... 276
  Use the Automated Correlation Engine ..... 277
    Automated Correlation Engine Concepts ..... 277
    View the Correlated Objects ..... 278
    Interpret Correlated Events ..... 279
    Use the Compromised Hosts Widget in the ACC ..... 281
  Take Packet Captures ..... 282
    Types of Packet Captures ..... 282
    Disable Hardware Offload ..... 283
    Take a Custom Packet Capture ..... 284
    Take a Threat Packet Capture ..... 288
    Take an Application Packet Capture ..... 289
    Take a Packet Capture on the Management Interface ..... 292
  Monitor Applications and Threats ..... 294
  Monitor and Manage Logs ..... 295
    Log Types and Severity Levels ..... 295
    Work with Logs ..... 299
    Configure Log Storage Quotas and Expiration Periods ..... 305
    Schedule Log Exports to an SCP or FTP Server ..... 305


  Manage Reporting ..... 307
    Report Types ..... 307
    View Reports ..... 308
    Configure the Report Expiration Period ..... 308
    Disable Predefined Reports ..... 309
    Generate Custom Reports ..... 309
    Generate Botnet Reports ..... 314
    Generate the SaaS Application Usage Report ..... 316
    Manage PDF Summary Reports ..... 318
    Generate User/Group Activity Reports ..... 319
    Manage Report Groups ..... 321
    Schedule Reports for Email Delivery ..... 322
  Use External Services for Monitoring ..... 323
  Configure Log Forwarding ..... 324
  Configure Email Alerts ..... 327
  Use Syslog for Monitoring ..... 328
    Configure Syslog Monitoring ..... 328
    Syslog Field Descriptions ..... 330
  SNMP Monitoring and Traps ..... 346
    SNMP Support ..... 346
    Use an SNMP Manager to Explore MIBs and Objects ..... 347
    Enable SNMP Services for Firewall-Secured Network Elements ..... 351
    Monitor Statistics Using SNMP ..... 351
    Forward Traps to an SNMP Manager ..... 353
    Supported MIBs ..... 355
  NetFlow Monitoring ..... 362
    Configure NetFlow Exports ..... 362
    NetFlow Templates ..... 363
  Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors ..... 367

User-ID ..... 369
  User-ID Overview ..... 370
  User-ID Concepts ..... 372
    Group Mapping ..... 372
    User Mapping ..... 372
  Enable User-ID ..... 376
  Map Users to Groups ..... 377
  Map IP Addresses to Users ..... 380
    Configure User Mapping Using the Windows User-ID Agent ..... 380
    Configure User Mapping Using the PAN-OS Integrated User-ID Agent ..... 386
    Configure User-ID to Receive User Mappings from a Syslog Sender ..... 389
    Map IP Addresses to Usernames Using Captive Portal ..... 398
    Configure User Mapping for Terminal Server Users ..... 405
    Send User Mappings to User-ID Using the XML API ..... 412
  Enable User- and Group-Based Policy ..... 413
  Enable Policy for Users with Multiple Accounts ..... 415


  Verify the User-ID Configuration ..... 417
  Deploy User-ID in a Large-Scale Network ..... 419
    Deploy User-ID for Numerous Mapping Information Sources ..... 419
    Configure Firewalls to Redistribute User Mapping Information ..... 423

App-ID ..... 429
  App-ID Overview ..... 430
  Manage Custom or Unknown Applications ..... 431
  Manage New App-IDs Introduced in Content Releases ..... 432
    Review New App-IDs ..... 432
    Review New App-IDs Since Last Content Version ..... 433
    Review New App-ID Impact on Existing Policy Rules ..... 434
    Disable or Enable App-IDs ..... 435
    Prepare Policy Updates For Pending App-IDs ..... 435
  Use Application Objects in Policy ..... 437
    Create an Application Group ..... 437
    Create an Application Filter ..... 438
    Create a Custom Application ..... 439
  Applications with Implicit Support ..... 444
  Application Level Gateways ..... 447
  Disable the SIP Application-level Gateway (ALG) ..... 448

Threat Prevention ..... 449
  Set Up Security Profiles and Policies ..... 450
    Set Up Antivirus, Anti-Spyware, and Vulnerability Protection ..... 450
    Set Up Data Filtering ..... 453
    Set Up File Blocking ..... 456
  Prevent Brute Force Attacks ..... 458
  Customize the Action and Trigger Conditions for a Brute Force Signature ..... 459
  Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions ..... 462
  Enable DNS Proxy ..... 467
  Enable Passive DNS Collection for Improved Threat Intelligence ..... 470
  Use DNS Queries to Identify Infected Hosts on the Network ..... 471
    DNS Sinkholing ..... 471
    Configure DNS Sinkholing for a List of Custom Domains ..... 473
    Configure the Sinkhole IP Address to a Local Server on Your Network ..... 475
    Identify Infected Hosts ..... 479
  Content Delivery Network Infrastructure for Dynamic Updates ..... 481
  Threat Prevention Resources ..... 483


Decryption ..... 485
  Decryption Overview ..... 486
  Decryption Concepts ..... 487
    Keys and Certificates for Decryption Policies ..... 487
    SSL Forward Proxy ..... 488
    SSL Inbound Inspection ..... 489
    SSH Proxy ..... 490
    Decryption Exceptions ..... 491
    Decryption Mirroring ..... 492
  Define Traffic to Decrypt ..... 493
    Create a Decryption Profile ..... 493
    Create a Decryption Policy Rule ..... 495
  Configure SSL Forward Proxy ..... 497
  Configure SSL Inbound Inspection ..... 502
  Configure SSH Proxy ..... 504
  Configure Decryption Exceptions ..... 505
    Exclude Traffic from Decryption ..... 505
    Exclude a Server from Decryption ..... 506
  Enable Users to Opt Out of SSL Decryption ..... 507
  Configure Decryption Port Mirroring ..... 509
  Temporarily Disable SSL Decryption ..... 511

URL Filtering ..... 513
  URL Filtering Overview ..... 514
    URL Filtering Vendors ..... 514
    Interaction Between App-ID and URL Categories ..... 515
    PAN-DB Private Cloud ..... 515
  URL Filtering Concepts ..... 518
    URL Categories ..... 518
    URL Filtering Profile ..... 520
    URL Filtering Profile Actions ..... 520
    Block and Allow Lists ..... 521
    External Dynamic List for URLs ..... 522
    Safe Search Enforcement ..... 522
    Container Pages ..... 524
    HTTP Header Logging ..... 524
    URL Filtering Response Pages ..... 525
    URL Category as Policy Match Criteria ..... 527
  PAN-DB Categorization ..... 529
    PAN-DB URL Categorization Components ..... 529
    PAN-DB URL Categorization Workflow ..... 530
  Enable a URL Filtering Vendor ..... 532
    Enable PAN-DB URL Filtering ..... 532
    Enable BrightCloud URL Filtering ..... 533
  Determine URL Filtering Policy Requirements ..... 536
  Use an External Dynamic List in a URL Filtering Profile ..... 538


  Monitor Web Activity ..... 540
    Monitor Web Activity of Network Users ..... 540
    View the User Activity Report ..... 542
    Configure Custom URL Filtering Reports ..... 544
  Configure URL Filtering ..... 545
  Customize the URL Filtering Response Pages ..... 547
  Configure URL Admin Override ..... 548
  Enable Safe Search Enforcement ..... 550
    Block Search Results that are not Using Strict Safe Search Settings ..... 550
    Enable Transparent Safe Search Enforcement ..... 553
  Set Up the PAN-DB Private Cloud ..... 558
  URL Filtering Use Case Examples ..... 563
    Use Case: Control Web Access ..... 563
    Use Case: Use URL Categories for Policy Matching ..... 567
  Troubleshoot URL Filtering ..... 569
    Problems Activating PAN-DB ..... 569
    PAN-DB Cloud Connectivity Issues ..... 570
    URLs Classified as Not-Resolved ..... 571
    Incorrect Categorization ..... 572
    URL Database Out of Date ..... 573

Quality of Service ..... 575
  QoS Overview ..... 576
  QoS Concepts ..... 578
    QoS for Applications and Users ..... 578
    QoS Policy ..... 578
    QoS Profile ..... 579
    QoS Classes ..... 579
    QoS Priority Queuing ..... 579
    QoS Bandwidth Management ..... 580
    QoS Egress Interface ..... 581
    QoS for Clear Text and Tunneled Traffic ..... 581
  Configure QoS ..... 582
  Configure QoS for a Virtual System ..... 587
  Enforce QoS Based on DSCP Classification ..... 592
  QoS Use Cases ..... 595
    Use Case: QoS for a Single User ..... 595
    Use Case: QoS for Voice and Video Applications ..... 597

VPNs ..... 601
  VPN Deployments ..... 602
  Site-to-Site VPN Overview ..... 603
  Site-to-Site VPN Concepts ..... 604
    IKE Gateway ..... 604
    Tunnel Interface ..... 604


TunnelMonitoring ............................................................ 605


InternetKeyExchange(IKE)forVPN ............................................ 606
IKEv2 ....................................................................... 608
SetUpSitetoSiteVPN ........................................................... 612
SetUpanIKEGateway ........................................................ 612
DefineCryptographicProfiles.................................................. 618
SetUpanIPSecTunnel........................................................ 621
SetUpTunnelMonitoring ..................................................... 624
Enable/Disable,RefreshorRestartanIKEGatewayorIPSecTunnel ................ 625
TestVPNConnectivity........................................................ 627
InterpretVPNErrorMessages.................................................. 627
SitetoSiteVPNQuickConfigs .................................................... 629
SitetoSiteVPNwithStaticRouting............................................ 629
SitetoSiteVPNwithOSPF.................................................... 633
SitetoSiteVPNwithStaticandDynamicRouting ................................ 639

Large Scale VPN (LSVPN) ..... 645
  LSVPN Overview ..... 646
  Create Interfaces and Zones for the LSVPN ..... 647
  Enable SSL Between GlobalProtect LSVPN Components ..... 649
    About Certificate Deployment ..... 649
    Deploy Server Certificates to the GlobalProtect LSVPN Components ..... 649
    Deploy Client Certificates to the GlobalProtect Satellites Using SCEP ..... 652
  Configure the Portal to Authenticate Satellites ..... 655
  Configure GlobalProtect Gateways for LSVPN ..... 657
    Prerequisite Tasks ..... 657
    Configure the Gateway ..... 657
  Configure the GlobalProtect Portal for LSVPN ..... 660
    Prerequisite Tasks ..... 660
    Configure the Portal ..... 660
    Define the Satellite Configurations ..... 661
  Prepare the Satellite to Join the LSVPN ..... 665
  Verify the LSVPN Configuration ..... 667
  LSVPN Quick Configs ..... 668
    Basic LSVPN Configuration with Static Routing ..... 669
    Advanced LSVPN Configuration with Dynamic Routing ..... 672

Networking ..... 675
  Interface Deployments ..... 676
    Virtual Wire Deployments ..... 676
    Layer 2 Deployments ..... 679
    Layer 3 Deployments ..... 679
    Tap Mode Deployments ..... 680
  Configure an Aggregate Interface Group ..... 682
  Use Interface Management Profiles to Restrict Access ..... 685
  Virtual Routers ..... 687


  Static Routes ..... 689
  RIP ..... 691
  OSPF ..... 693
    OSPF Concepts ..... 693
    Configure OSPF ..... 695
    Configure OSPFv3 ..... 700
    Configure OSPF Graceful Restart ..... 702
    Confirm OSPF Operation ..... 703
  BGP ..... 705
  Session Settings and Timeouts ..... 710
    Transport Layer Sessions ..... 710
    TCP ..... 710
    UDP ..... 715
    ICMP ..... 715
    Configure Session Timeouts ..... 716
    Configure Session Settings ..... 718
    Prevent TCP Split Handshake Session Establishment ..... 720
  DHCP ..... 722
    DHCP Overview ..... 722
    Firewall as a DHCP Server and Client ..... 723
    DHCP Messages ..... 723
    DHCP Addressing ..... 724
    DHCP Options ..... 726
    Configure an Interface as a DHCP Server ..... 728
    Configure an Interface as a DHCP Client ..... 732
    Configure the Management Interface as a DHCP Client ..... 733
    Configure an Interface as a DHCP Relay Agent ..... 735
    Monitor and Troubleshoot DHCP ..... 735
  NAT ..... 737
    NAT Policy Rules ..... 737
    Source NAT and Destination NAT ..... 740
    NAT Rule Capacities ..... 741
    Dynamic IP and Port NAT Oversubscription ..... 741
    Dataplane NAT Memory Statistics ..... 743
    Configure NAT ..... 744
    NAT Configuration Examples ..... 751
  NPTv6 ..... 759
    NPTv6 Overview ..... 759
    How NPTv6 Works ..... 761
    NDP Proxy ..... 762
    NPTv6 and NDP Proxy Example ..... 764
    Create an NPTv6 Policy ..... 765
  ECMP ..... 768
    ECMP Load Balancing Algorithms ..... 768
    ECMP Platform, Interface, and IP Routing Support ..... 769
    Configure ECMP on a Virtual Router ..... 770
    Enable ECMP for Multiple BGP Autonomous Systems ..... 771
    Verify ECMP ..... 773


  LLDP ..... 774
    LLDP Overview ..... 774
    Supported TLVs in LLDP ..... 775
    LLDP Syslog Messages and SNMP Traps ..... 776
    Configure LLDP ..... 777
    View LLDP Settings and Status ..... 779
    Clear LLDP Statistics ..... 780
  BFD ..... 781
    BFD Overview ..... 781
    Configure BFD ..... 784
  Reference: BFD Details ..... 791

Policy ..... 795
  Policy Types ..... 796
  Security Policy ..... 797
    Components of a Security Policy Rule ..... 797
    Security Policy Actions ..... 800
    Create a Security Policy Rule ..... 800
  Policy Objects ..... 803
  Security Profiles ..... 804
    Antivirus Profiles ..... 805
    Anti-Spyware Profiles ..... 805
    Vulnerability Protection Profiles ..... 806
    URL Filtering Profiles ..... 806
    Data Filtering Profiles ..... 807
    File Blocking Profiles ..... 808
    WildFire Analysis Profiles ..... 808
    DoS Protection Profiles ..... 808
    Zone Protection Profiles ..... 809
    Security Profile Group ..... 809
  Best Practice Internet Gateway Security Policy ..... 813
    What Is a Best Practice Internet Gateway Security Policy? ..... 813
    Why Do I Need a Best Practice Internet Gateway Security Policy? ..... 815
    How Do I Deploy a Best Practice Internet Gateway Security Policy? ..... 816
    Identify Whitelist Applications ..... 817
    Create User Groups for Access to Whitelist Applications ..... 820
    Decrypt Traffic for Full Visibility and Threat Inspection ..... 820
    Create Best Practice Security Profiles ..... 822
    Define the Initial Internet Gateway Security Policy ..... 826
    Monitor and Fine Tune the Policy Rulebase ..... 834
    Remove the Temporary Rules ..... 835
    Maintain the Rulebase ..... 836
  Enumeration of Rules Within a Rulebase ..... 837
  Move or Clone a Policy Rule or Object to a Different Virtual System ..... 838
  Use Tags to Group and Visually Distinguish Objects ..... 839
    Create and Apply Tags ..... 839
    Modify Tags ..... 840
    Use the Tag Browser ..... 840


  Use an External Dynamic List in Policy ..... 845
    External Dynamic List ..... 845
    Formatting Guidelines for an External Dynamic List ..... 846
    Enforce Policy on Entries in an External Dynamic List ..... 847
    View the List of Entries in an External Dynamic List ..... 850
    Retrieve an External Dynamic List from the Web Server ..... 851
  Register IP Addresses and Tags Dynamically ..... 852
  Monitor Changes in the Virtual Environment ..... 853
    Enable VM Monitoring to Track Changes on the Virtual Network ..... 853
    Attributes Monitored in the AWS and VMware Environments ..... 855
    Use Dynamic Address Groups in Policy ..... 856
  CLI Commands for Dynamic IP Addresses and Tags ..... 859
  Identify Users Connected through a Proxy Server ..... 861
    Use XFF Values for Policies and Logging Source Users ..... 861
    Add XFF Values to URL Filtering Logs ..... 862
  Policy-Based Forwarding ..... 863
    PBF ..... 863
    Create a Policy-Based Forwarding Rule ..... 866
    Use Case: PBF for Outbound Access with Dual ISPs ..... 867
  DoS Protection Against Flooding of New Sessions ..... 875
    DoS Protection Against Flooding of New Sessions ..... 875
    Configure DoS Protection Against Flooding of New Sessions ..... 878
    Use the CLI to End a Single Attacking Session ..... 881
    Identify Sessions That Use an Excessive Percentage of the Packet Buffer ..... 881
    Discard a Session Without a Commit ..... 884

Virtual Systems ..... 885
  Virtual Systems Overview ..... 886
    Virtual System Components and Segmentation ..... 886
    Benefits of Virtual Systems ..... 887
    Use Cases for Virtual Systems ..... 887
    Platform Support and Licensing for Virtual Systems ..... 888
    Administrative Roles for Virtual Systems ..... 888
    Shared Objects for Virtual Systems ..... 888
  Communication Between Virtual Systems ..... 889
    Inter-VSYS Traffic That Must Leave the Firewall ..... 889
    Inter-VSYS Traffic That Remains Within the Firewall ..... 890
    Inter-VSYS Communication Uses Two Sessions ..... 892
  Shared Gateway ..... 893
    External Zones and Shared Gateway ..... 893
    Networking Considerations for a Shared Gateway ..... 894
  Service Routes for Virtual Systems ..... 895
    Use Cases for Service Routes for a Virtual System ..... 895
    PA-7000 Series Firewall LPC Support for Per-Virtual-System Paths to Logging Servers ..... 896
    DNS Proxy Object ..... 896
    DNS Server Profile ..... 897
    Multi-Tenant DNS Deployments ..... 897


  Configure Virtual Systems ..... 899
  Configure Inter-Virtual-System Communication within the Firewall ..... 902
  Configure a Shared Gateway ..... 903
  Customize Service Routes for a Virtual System ..... 904
    Customize Service Routes to Services for Virtual Systems ..... 904
    Configure a PA-7000 Series Firewall for Logging Per Virtual System ..... 906
    Configure a DNS Proxy Object ..... 907
    Configure a DNS Server Profile ..... 909
    Configure Administrative Access Per Virtual System or Firewall ..... 910
  DNS Resolution: Three Use Cases ..... 912
    Use Case 1: Firewall Requires DNS Resolution for Management Purposes ..... 912
    Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System ..... 914
    Use Case 3: Firewall Acts as DNS Proxy Between Client and Server ..... 916
  Virtual System Functionality with Other Features ..... 918

Certifications ..... 919
  Enable FIPS and Common Criteria Support ..... 920
  FIPS-CC Security Functions ..... 921


Getting Started
The following topics provide detailed steps to help you deploy a new Palo Alto Networks next-generation firewall. They provide details for integrating a new firewall into your network, registering the firewall, activating licenses and subscriptions, and configuring basic security policies and threat prevention features.
After you perform the basic configuration steps required to integrate the firewall into your network, you can use the rest of the topics in this guide to help you deploy the comprehensive security platform features as necessary to address your network security needs.

  Integrate the Firewall into Your Management Network
  Register the Firewall
  Activate Licenses and Subscriptions
  Install Content and Software Updates
  Segment Your Network Using Interfaces and Zones
  Set Up a Basic Security Policy
  Assess Network Traffic
  Enable Basic Threat Prevention Features
  Best Practices for Completing the Firewall Deployment


Integrate the Firewall into Your Management Network
All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to perform the firewall administration functions. By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance. When using the web interface, you must perform all initial configuration tasks from the MGT port even if you plan to use an in-band data port for managing your firewall going forward.
Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the Internet. If you do not want to enable external access to your MGT port, you will need to either set up an in-band data port to provide access to required external services (using service routes) or plan to manually upload updates regularly.
The following topics describe how to perform the initial configuration steps that are necessary to integrate a new firewall into the management network and deploy it in a basic security configuration.

  Determine Your Management Strategy
  Perform Initial Configuration
  Set Up Network Access for External Services

The following topics describe how to integrate a single Palo Alto Networks next-generation firewall into your network. However, for redundancy, consider deploying a pair of firewalls in a High Availability configuration.

Determine Your Management Strategy
The Palo Alto Networks firewall can be configured and managed locally, or it can be managed centrally using Panorama, the Palo Alto Networks centralized security management system. If you have six or more firewalls deployed in your network, use Panorama to achieve the following benefits:

  - Reduce the complexity and administrative overhead in managing configuration, policies, software and dynamic content updates. Using device groups and templates on Panorama, you can effectively manage firewall-specific configuration locally on a firewall and enforce shared policies across all firewalls or device groups.
  - Aggregate data from all managed firewalls and gain visibility across all the traffic on your network. The Application Command Center (ACC) on Panorama provides a single pane of glass for unified reporting across all the firewalls, allowing you to centrally analyze, investigate and report on network traffic, security incidents and administrative modifications.

The procedures that follow describe how to manage the firewall using the local web interface. If you want to use Panorama for centralized management, first Perform Initial Configuration and verify that the firewall can establish a connection to Panorama. From that point on you can use Panorama to configure your firewall centrally.


Perform Initial Configuration
By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other firewall configuration tasks. You must perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this interface for your firewall management, or using a direct serial connection to the console port on the firewall.

Set Up Network Access to the Firewall

Step 1. Gather the required information from your network administrator:
    - IP address for MGT port
    - Netmask
    - Default gateway
    - DNS server address

Step 2. Connect your computer to the firewall. You can connect to the firewall in one of the following ways:
    - Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the bootup sequence to complete; when the firewall is ready, the prompt changes to the name of the firewall, for example PA-500 login.
    - Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall. From a browser, go to https://192.168.1.1. Note that you may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, in order to access this URL.

Step 3. When prompted, log in to the firewall. You must log in using the default username and password (admin/admin). The firewall will begin to initialize.

Step 4. Configure the MGT interface.
    1. Select Device > Setup > Management and edit the Management Interface Settings.
    2. Configure the address settings for the MGT interface using one of the following methods:
       - To configure static IP address settings for the MGT interface, set the IP Type to Static and enter the IP Address, Netmask, and Default Gateway.
       - To dynamically configure the MGT interface address settings, set the IP Type to DHCP. To use this method, you must Configure the Management Interface as a DHCP Client.
       To prevent unauthorized access to the management interface, it is a best practice to Add the Permitted IP Addresses from which an administrator can access the MGT interface.
    3. Set the Speed to auto-negotiate.
    4. Select which management services to allow on the interface. Make sure Telnet and HTTP are not selected because these services use plaintext and are not as secure as the other services and could compromise administrator credentials.
    5. Click OK.

Step 5. Configure DNS, update server, and proxy server settings. You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
    1. Select Device > Setup > Services.
       - For multi-virtual system platforms, select Global and edit the Services section.
       - For single virtual system platforms, edit the Services section.
    2. On the Services tab, for DNS, click one of the following:
       - Servers: Enter the Primary DNS Server address and Secondary DNS Server address.
       - DNS Proxy Object: From the drop-down, select the DNS Proxy that you want to use to configure global DNS services, or click DNS Proxy to configure a new DNS proxy object.
    3. Click OK.

Step 6. Configure date and time (NTP) settings.
    1. Select Device > Setup > Services.
       - For multi-virtual system platforms, select Global and edit the Services section.
       - For single virtual system platforms, edit the Services section.
    2. On the NTP tab, to use the virtual cluster of time servers on the Internet, enter the hostname pool.ntp.org as the Primary NTP Server, or enter the IP address of your primary NTP server.
    3. (Optional) Enter a Secondary NTP Server address.
    4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server:
       - None (Default): Disables NTP authentication.
       - Symmetric Key: Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
         Key ID: Enter the Key ID (1-65534).
         Algorithm: Select the algorithm to use in NTP authentication (MD5 or SHA1).
       - Autokey: Firewall uses autokey (public key cryptography) to authenticate time updates.
    5. Click OK.
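The Symmetric Key option above relies on the authenticator that NTP (RFC 5905, as implemented by ntpd) appends to each packet: a 4-byte Key ID followed by an MD5 or SHA1 digest of the shared secret concatenated with the 48-byte packet. The following Python is an added illustration, not PAN-OS code: it builds that authenticator and performs the checks a receiver such as the firewall makes before trusting a time update (known Key ID, digest of the right length, digest matches). All function names, the key table and the sample timestamp are constructed for the example; packets with NTP extension fields are not handled.

```python
"""Symmetric-key authentication of an NTP packet (RFC 5905 section 7.3,
the scheme ntpd implements).  Added illustration, not PAN-OS code.
Key, key ID and timestamps are constructed sample values."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                  # LI/VN/mode through transmit timestamp
DIGEST_LEN = {"md5": 16, "sha1": 20}  # MD5 and SHA1 are the firewall's choices
KEY_ID_MIN, KEY_ID_MAX = 1, 65534    # Key ID range the firewall accepts


def ntp_server_header(tx_timestamp, stratum=2, ref_id=b"GPS\x00"):
    """Return a constructed 48-byte NTPv4 server (mode 4) header."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4      # LI=0, VN=4, mode=4 (server)
    poll, precision = 6, -20
    root_delay = root_dispersion = 0
    return struct.pack(
        "!BBBbII4sQQQQ", li_vn_mode, stratum, poll, precision,
        root_delay, root_dispersion, ref_id,
        0, 0, tx_timestamp, tx_timestamp)  # reference, origin, receive, transmit


def append_mac(packet, key_id, key, algorithm):
    """Append the authenticator: 4-byte Key ID + digest(key || packet).

    The sender and the firewall must share both the secret and the
    algorithm configured for that Key ID."""
    if not KEY_ID_MIN <= key_id <= KEY_ID_MAX:
        raise ValueError("key ID must be 1-65534")
    digest = hashlib.new(algorithm, key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(packet, keys):
    """Validate the authenticator on a received packet.

    keys maps Key ID -> (shared secret, algorithm name), i.e. the key table
    a receiver such as the firewall keeps.  Returns (ok, reason)."""
    if len(packet) <= NTP_HEADER_LEN + 4:
        return False, "unauthenticated"
    body = packet[:NTP_HEADER_LEN]
    key_id, = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    received = packet[NTP_HEADER_LEN + 4:]
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id
    key, algorithm = keys[key_id]
    if len(received) != DIGEST_LEN[algorithm]:
        return False, "digest length does not match %s" % algorithm
    expected = hashlib.new(algorithm, key + body).digest()
    # constant-time comparison so a forger learns nothing from timing
    if not hmac.compare_digest(received, expected):
        return False, "digest mismatch (wrong key or packet altered)"
    return True, "authenticated with key ID %d" % key_id


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    trusted = {10: (secret, "sha1")}
    signed = append_mac(ntp_server_header(0xE3D4A1B200000000), 10, secret, "sha1")
    print(verify_mac(signed, trusted))
    # flip one bit of the transmit timestamp: the firewall must reject it
    altered = signed[:40] + bytes([signed[40] ^ 0x01]) + signed[41:]
    print(verify_mac(altered, trusted))
```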

Step 7. (Optional) Configure general firewall settings as needed.
    1. Select Device > Setup > Management and edit the General Settings.
    2. Enter a Hostname for the firewall and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
    3. Enter Login Banner text that informs users who are about to log in that they require authorization to access the firewall management functions. As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.
    4. Enter the Latitude and Longitude to enable accurate placement of the firewall on the world map.
    5. Click OK.

Step 8. Set a secure password for the admin account.
    1. Select Device > Administrators.
    2. Select the admin role.
    3. Enter the current default password and the new password.
    4. Click OK to save your settings.

Step 9. Commit your changes. Click Commit at the top right of the web interface. The firewall can take up to 90 seconds to save your changes. When the configuration changes are saved, you lose connectivity to the web interface because the IP address has changed.

Step 10. Connect the firewall to your network.
    1. Disconnect the firewall from your computer.
    2. Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the firewall to is configured for auto-negotiation.

Step 11. Open an SSH management session to the firewall. Using terminal emulation software, such as PuTTY, launch an SSH session to the firewall using the new IP address you assigned to it.

Step 12. Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server. You can do this in one of the following ways:
    - If you do not want to allow external network access to the MGT interface, you will need to set up a data port to retrieve required service updates. Continue to Set Up Network Access for External Services.
    - If you do plan to allow external network access to the MGT interface, verify that you have connectivity and then proceed to Register the Firewall and Activate Licenses and Subscriptions.
    If you cabled your MGT port for external network access, verify that you have access to and from the firewall by using the ping utility from the CLI. Make sure you have connectivity to the default gateway, DNS server, and the Palo Alto Networks Update Server as shown in the following example:

        admin@PA-200> ping host updates.paloaltonetworks.com
        PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
        64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=40.5 ms
        64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=53.6 ms
        64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=79.5 ms

    After you have verified connectivity, press Ctrl+C to stop the pings.


Set Up Network Access for External Services
By default, the firewall uses the MGT interface to access remote services, such as DNS servers, content updates, and license retrieval. If you do not want to enable external network access to your management network, you must set up an in-band data port to provide access to required external services and set up service routes to instruct the firewall what port to use to access the external services.
This task requires familiarity with firewall interfaces, zones, and policies. For more information on these topics, see Configure Interfaces and Zones and Set Up a Basic Security Policy.

Set Up a Data Port for Access to External Services

Step 1. Decide which port you want to use for access to external services and connect it to your switch or router port. The interface you use must have a static IP address.

Step 2. Log in to the web interface. Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>). You will see a certificate warning; that is okay. Continue to the web page.

Step 3. (Optional) The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and zones). If you do not plan to use this virtual wire configuration, you must manually delete the configuration to prevent it from interfering with other interface settings you define. You must delete the configuration in the following order:
    1. To delete the default security policy, select Policies > Security, select the rule, and click Delete.
    2. To delete the default virtual wire, select Network > Virtual Wires, select the virtual wire and click Delete.
    3. To delete the default trust and untrust zones, select Network > Zones, select each zone and click Delete.
    4. To delete the interface configurations, select Network > Interfaces and then select each interface (ethernet1/1 and ethernet1/2) and click Delete.
    5. Commit the changes.

Step 4. Configure the interface you plan to use for external access to management services.
    1. Select Network > Interfaces and select the interface that corresponds to the port you cabled in Step 1.
    2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the steps for Layer3.
    3. On the Config tab, expand the Security Zone drop-down and select New Zone.
    4. In the Zone dialog, enter a Name for the new zone, for example Management, and then click OK.
    5. Select the IPv4 tab, select the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.254/24. You must use a static IP address on this interface.
    6. Select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile.
    7. Enter a Name for the profile, such as allow_ping, and then select the services you want to allow on the interface. For the purposes of allowing access to the external services, you probably only need to enable Ping and then click OK.
       These services provide management access to the firewall, so only select the services that correspond to the management activities you want to allow on this interface. For example, if you plan to use the MGT interface for firewall configuration tasks through the web interface or CLI, you would not want to enable HTTP, HTTPS, SSH, or Telnet so that you could prevent unauthorized access through this interface (and if you did allow those services, you should limit access to a specific set of Permitted IP Addresses). For details, see Use Interface Management Profiles to Restrict Access.
    8. To save the interface configuration, click OK.

Step 5. Configure the service routes. By default, the firewall uses the MGT interface to access the external services it requires. To change the interface the firewall uses to send requests to external services, you must edit the service routes. This example shows how to set up global service routes. For information on setting up network access to external services on a virtual system basis rather than a global basis, see Per-Virtual-System Service Routes.
    1. Select Device > Setup > Services > Global and click Service Route Configuration.
       For the purposes of activating your licenses and getting the most recent content and software updates, you will want to change the service route for DNS, Palo Alto Updates, URL Updates, WildFire, and AutoFocus.
    2. Click the Customize radio button, and select one of the following:
       - For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface you just configured. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
       - To create a service route for a custom destination, select Destination, and click Add. Enter a Destination name and select a Source Interface. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
    3. Click OK to save the settings.
    4. Repeat steps 2-3 above for each service route you want to modify.
    5. Commit your changes.

Step 6. Configure an external-facing interface and an associated zone and then create a security policy rule to allow the firewall to send service requests from the internal zone to the external zone.
    1. Select Network > Interfaces and then select the external-facing interface. Select Layer3 as the Interface Type, Add the IP address (on the IPv4 or IPv6 tab), and create the associated Security Zone (on the Config tab), such as Internet. This interface must have a static IP address; you do not need to set up management services on this interface.
    2. To set up a security rule that allows traffic from your internal network to the Palo Alto Networks update server, select Policies > Security and click Add.
       As a best practice when creating Security policy rules, use application-based rules instead of port-based rules to ensure that you are accurately identifying the underlying application regardless of the port, protocol, evasive tactics, or encryption in use. Always leave the Service set to application-default. In this case, create a security policy rule that allows access to the update server (and other Palo Alto Networks services).


Step 7. Create a NAT policy rule.
    1. If you are using a private IP address on the internal-facing interface, you will need to create a source NAT rule to translate the address to a publicly routable address. Select Policies > NAT and then click Add. At a minimum you must define a name for the rule (General tab), specify a source and destination zone, Management to Internet in this case (Original Packet tab), and define the source address translation settings (Translated Packet tab) and then click OK.
    2. Commit your changes.

Step 8. Verify that you have connectivity from the data port to the external services, including the default gateway, and the Palo Alto Networks Update Server. After you verify you have the required network connectivity, continue to Register the Firewall and Activate Licenses and Subscriptions.
    Launch the CLI and use the ping utility to verify that you have connectivity. Keep in mind that by default pings are sent from the MGT interface, so in this case you must specify the source interface for the ping requests as follows:

        admin@PA-500> ping source 192.168.1.254 host updates.paloaltonetworks.com
        PING updates.paloaltonetworks.com (67.192.236.252) from 192.168.1.254 : 56(84) bytes of data.
        64 bytes from 67.192.236.252: icmp_seq=1 ttl=242 time=56.7 ms
        64 bytes from 67.192.236.252: icmp_seq=2 ttl=242 time=47.7 ms
        64 bytes from 67.192.236.252: icmp_seq=3 ttl=242 time=47.6 ms
        ^C

    After you have verified connectivity, press Ctrl+C to stop the pings.


Register the Firewall
Before you can activate support and other licenses and subscriptions, you must first register the firewall. If you are registering a VM-Series firewall, refer to the VM-Series Deployment Guide.

Register the Firewall

Step 1
Log in to the web interface.
Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>).

Step 2
Locate your serial number and copy it to the clipboard.
On the Dashboard, locate your Serial Number in the General Information section of the screen.

Step 3
Go to the Palo Alto Networks Customer Support portal and log in.
In a new browser tab or window, go to https://www.paloaltonetworks.com/support/tabs/overview.html.

Step 4
Register the firewall.
Note: You must have a support account to register a firewall. If you do not yet have a support account, click the Register link on the support login page and follow the instructions to get your account set up and register the firewall.

If you already have a support account, log in and register the hardware-based firewall as follows:
1. Select Assets > Devices.
2. Click Register New Device.
3. Select Register device using Serial Number or Authorization Code and click Submit.
4. Enter the firewall Serial Number (you can copy and paste it from the firewall Dashboard).
5. (Optional) Enter the Device Name and Device Tag.
6. Provide information about where you plan to deploy the firewall, including the City, Postal Code, and Country.
7. Read the end user license agreement (EULA) and then click Agree and Submit.


Activate Licenses and Subscriptions
Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for each of the services you purchased. Available licenses and subscriptions include the following:

- Threat Prevention: Provides antivirus, anti-spyware, and vulnerability protection.
- Decryption Mirroring: Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis.
- URL Filtering: Allows you to create security policy to enforce web access based on dynamic URL categories. You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. For more information about URL filtering, see Control Access to Web Content.
- Virtual Systems: This license is required to enable support for multiple virtual systems on PA-2000 and PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-500, PA-200, and VM-Series firewalls do not support virtual systems.
- WildFire: Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to a WF-500 appliance.
- GlobalProtect: Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use HIP checks, you will also need gateway licenses (subscription) for each gateway.
- AutoFocus: Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.

Activate Licenses and Subscriptions

Step 1
Locate the activation codes for the licenses you purchased.
When you purchased your subscriptions you should have received an email from Palo Alto Networks customer service listing the activation code associated with each subscription. If you cannot locate this email, contact Customer Support to obtain your activation codes before you proceed.

Step 2
Activate your Support license.
Note: You will not be able to update your PAN-OS software if you do not have a valid Support license.
1. Log in to the web interface and then select Device > Support.
2. Click Activate support using authorization code.
3. Enter your Authorization Code and then click OK.

Activate Licenses and Subscriptions (Continued)

Step 3
Activate each license you purchased.
Select Device > Licenses and then activate your licenses and subscriptions in one of the following ways:
- Retrieve license keys from license server: Use this option if you activated your license on the Customer Support portal.
- Activate feature using authorization code: Use this option to enable purchased subscriptions using an authorization code for licenses that have not been previously activated on the support portal. When prompted, enter the Authorization Code and then click OK.
- Manually upload license key: Use this option if your firewall does not have connectivity to the Palo Alto Networks Customer Support website. In this case, you must download a license key file from the support site on an Internet-connected computer and then upload it to the firewall.

Step 4
Verify that the license was successfully activated.
On the Device > Licenses page, verify that the license was successfully activated. For example, after activating the WildFire license, you should see that the license is valid.

Step 5
(WildFire subscriptions only) Perform a commit to complete WildFire subscription activation.
After activating a WildFire subscription, a commit is required for the firewall to begin forwarding advanced file types. You should do one of the following:
- Commit any pending changes.
- Check that the WildFire Analysis profile rules include the advanced file types that are now supported with the WildFire subscription. If no change to any of the rules is required, make a minor edit to a rule description and perform a commit.


Install Content and Software Updates
In order to stay ahead of the changing threat and application landscape, Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. By default, the firewalls use the management port to access the CDN infrastructure for application updates, threat and antivirus signature updates, BrightCloud and PAN-DB database updates and lookups, and access to the Palo Alto Networks WildFire cloud. To ensure that you are always protected from the latest threats (including those that have not yet been discovered), you must ensure that you keep your firewalls up to date with the latest content and software updates published by Palo Alto Networks.
Note: Although you can manually download and install content updates at any time, as a best practice you should Schedule each content update. Scheduled updates occur automatically.

The following content updates are available, depending on which subscriptions you have:
- Antivirus: Includes new and updated antivirus signatures, including signatures discovered by the WildFire cloud service. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
- Applications: Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- Applications and Threats: Includes new and updated application and threat signatures. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New Applications and Threats updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- GlobalProtect Data File: Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect gateway license and create an update schedule in order to receive these updates.
- BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as firewalls remain in sync with the servers automatically.
- WildFire: Provides near real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the Applications and Threats update.


Install Content and Software Updates

Step 1
Ensure that the firewall has access to the update server.
1. By default, the firewall accesses the Update Server at updates.paloaltonetworks.com so that the firewall receives content updates from the server to which it is closest in the CDN infrastructure. If the firewall has restricted access to the Internet, set the update server address to use the hostname staticupdates.paloaltonetworks.com or the IP address 199.167.52.15 instead of dynamically selecting a server from the CDN infrastructure.
2. (Optional) Click Verify Update Server Identity for an extra level of validation to enable the firewall to check that the server's SSL certificate is signed by a trusted authority.
3. (Optional) If the firewall needs to use a proxy server to reach Palo Alto Networks update services, in the Proxy Server window, enter:
   - Server: IP address or hostname of the proxy server.
   - Port: Port for the proxy server. Range: 1-65535.
   - User: Username to access the server.
   - Password: Password for the user to access the proxy server. Re-enter the password at Confirm Password.


Install Content and Software Updates (Continued)

Step 2
Check for the latest content updates.
Select Device > Dynamic Updates and click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available:
- Download: Indicates that a new update file is available. Click the link to begin downloading the file directly to the firewall. After successful download, the link in the Action column changes from Download to Install.
  Note: You cannot download the antivirus update until you have installed the Application and Threats update.
- Upgrade: Indicates that a new version of the BrightCloud database is available. Click the link to begin the download and installation of the database. The database upgrade begins in the background; when completed, a check mark displays in the Currently Installed column. Note that if you are using PAN-DB as your URL filtering database you will not see an upgrade link because the PAN-DB database on the firewall automatically synchronizes with the PAN-DB cloud.
  Note: To check the status of an action, click Tasks (on the lower right-hand corner of the window).
- Revert: Indicates that a previously installed version of the content or software version is available. You can choose to revert to the previously installed version.

Step 3
Install the content updates.
Note: Installation can take up to 20 minutes on a PA-200, PA-500, or PA-2000 Series firewall and up to two minutes on a PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall.
Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.


Install Content and Software Updates (Continued)

Step 4
Schedule each content update.
Note: Repeat this step for each update you want to schedule. Stagger the update schedules because the firewall can only download one update at a time. If you schedule the updates to download during the same time interval, only the first download will succeed.
1. Set the schedule of each update type by clicking the None link.
2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The available values vary by content type (WildFire updates are available Every Minute, Every 15 Minutes, Every 30 minutes, or Every Hour, whereas Applications and Threats updates can be scheduled for Daily or Weekly update and Antivirus updates can be scheduled for Hourly, Daily, or Weekly).
   Note: As new WildFire signatures are made available every five minutes, set the firewall to retrieve WildFire updates Every Minute to get the latest signatures within a minute of availability.
3. Specify the Time (or, in the case of WildFire, the minutes past the hour) and, if applicable for the Recurrence value you selected, the Day of the week on which you want the updates to occur.
4. Specify whether you want the system to Download Only or, as a best practice, Download And Install the update.
5. Enter how long after a release to wait before performing a content update in the Threshold (Hours) field. In rare instances, errors in content updates may be found. For this reason, you may want to delay installing new updates until they have been released for a certain number of hours.
6. Click OK to save the schedule settings.
7. Click Commit to save the settings to the running configuration.

Step 5
Update PAN-OS.
Note: Always update content before updating PAN-OS. Every PAN-OS version has a minimum supported content release version.
1. Review the Release Notes.
2. Update the PAN-OS software.
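The staggering rule in Step 4 is easy to get wrong once several content types are scheduled, so here is an added example (not from the guide, and not PAN-OS code) that checks a set of schedules for download windows that start too close together. It models only the fixed-time recurrences the guide lists for these content types (Hourly, Daily, Weekly); the WildFire "Every N Minutes" polls are left out of the model, and the 15-minute download window, the content type labels and the sample schedules are constructed assumptions.

```python
"""Check content-update schedules for download-window collisions.

Added example, not part of the PAN-OS guide. Only Hourly/Daily/Weekly
recurrences are modelled; WildFire minute-level polls are not. The download
window length is an assumed value.
"""
from dataclasses import dataclass
from itertools import combinations

MINUTES_PER_DAY = 24 * 60
MINUTES_PER_WEEK = 7 * MINUTES_PER_DAY
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


@dataclass(frozen=True)
class Schedule:
    content: str      # e.g. "antivirus", "applications-and-threats" (constructed labels)
    recurrence: str   # "hourly", "daily" or "weekly"
    time: str         # "HH:MM"; for hourly only the minutes past the hour are used
    day: str = ""     # day of the week, weekly only


def start_offsets(s):
    """Minute-of-week offsets at which the schedule starts a download."""
    hour, minute = (int(x) for x in s.time.split(":"))
    if s.recurrence == "hourly":
        return {h * 60 + minute for h in range(7 * 24)}
    if s.recurrence == "daily":
        return {d * MINUTES_PER_DAY + hour * 60 + minute for d in range(7)}
    if s.recurrence == "weekly":
        return {DAYS.index(s.day.lower()) * MINUTES_PER_DAY + hour * 60 + minute}
    raise ValueError(f"unknown recurrence: {s.recurrence}")


def gap_minutes(a, b):
    """Shortest distance in minutes between two offsets on the weekly cycle."""
    d = abs(a - b) % MINUTES_PER_WEEK
    return min(d, MINUTES_PER_WEEK - d)


def find_collisions(schedules, window_minutes=15):
    """Return (content_a, content_b, gap) for every pair of schedules whose start
    times ever fall within one assumed download window of each other. Because
    the firewall downloads one update at a time, each such pair risks a lost
    download for the later schedule."""
    collisions = []
    for a, b in combinations(schedules, 2):
        gap = min(gap_minutes(x, y) for x in start_offsets(a) for y in start_offsets(b))
        if gap < window_minutes:
            collisions.append((a.content, b.content, gap))
    return collisions


# Constructed example: every download lands a few minutes past 01:00.
CROWDED = [
    Schedule("antivirus", "hourly", "00:15"),
    Schedule("applications-and-threats", "weekly", "01:15", "saturday"),
    Schedule("globalprotect-data-file", "daily", "01:20"),
]
# Same content types, staggered so that no two downloads start within 15 minutes.
STAGGERED = [
    Schedule("antivirus", "hourly", "00:15"),
    Schedule("applications-and-threats", "weekly", "02:45", "saturday"),
    Schedule("globalprotect-data-file", "daily", "03:40"),
]

if __name__ == "__main__":
    for pair in find_collisions(CROWDED):
        print("collision:", pair)
    print("staggered collisions:", find_collisions(STAGGERED))
```

The hourly antivirus schedule is the one to watch: a fixed-time daily or weekly schedule collides with it whenever its minutes-past-the-hour value is close to the antivirus one, on any hour of the day, which is why the staggered set moves the other downloads to :40 and :45 rather than just to a different hour.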


Segment Your Network Using Interfaces and Zones
Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall. Because traffic can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data and the more protection you have against malware moving laterally throughout your network. For example, you might want to segment access to the database servers that store your customer data into a zone called Customer Data. You can then define security policies that only permit certain users or groups of users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment.

- Network Segmentation for a Reduced Attack Surface
- Configure Interfaces and Zones

Network Segmentation for a Reduced Attack Surface
The following diagram shows a very basic example of how you can create zones to segment your network. The more granular you make your zones (and the corresponding security policy rules that allow traffic between zones), the more you reduce the attack surface on your network. This is because traffic can flow freely within a zone (intrazone traffic), but traffic cannot flow between zones (interzone traffic) until you define a Security policy rule that allows it. Additionally, an interface cannot process traffic until you have assigned it to a zone. Therefore, by segmenting your network into granular zones you have more control over access to sensitive applications or data and you can prevent malicious traffic from establishing a communication channel within your network, thereby reducing the likelihood of a successful attack on your network.


Configure Interfaces and Zones
After you identify how you want to segment your network and the zones you will need to create to achieve the segmentation (as well as the interfaces to map to each zone), you can begin configuring the interfaces and zones on the firewall. Each interface on the firewall supports all Interface Deployments and the deployment you will use depends on the topology of each part of the network you are connecting to. The following workflow shows how to configure Layer 3 interfaces and assign them to zones. For details on integrating the firewall using a different type of interface deployment (for example Virtual Wire Deployments or Layer 2 Deployments), see Networking.
Note: The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and virtual router). If you do not plan to use the default virtual wire, you must manually delete the configuration and commit the change before proceeding to prevent it from interfering with other settings you define. For instructions on how to delete the default virtual wire and its associated security policy and zones, see Step 3 in Set Up a Data Port for Access to External Services.

Set Up Interfaces and Zones

Step 1
Configure a default route to your Internet router.
1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog.
2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination field (for example, 0.0.0.0/0).
3. Select the IP Address radio button in the Next Hop field and then enter the IP address and netmask for your Internet gateway (for example, 203.0.113.1).
4. Click OK twice to save the virtual router configuration.

Step 2
Configure the external interface (the interface that connects to the Internet).
1. Select Network > Interfaces and then select the interface you want to configure. In this example, we are configuring Ethernet1/16 as the external interface.
2. Select the Interface Type. Although your choice here depends on interface topology, this example shows the steps for Layer3.
3. On the Config tab, select New Zone from the Security Zone drop-down. In the Zone dialog, define a Name for the new zone, for example Internet, and then click OK.
4. In the Virtual Router drop-down, select default.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.113.23/24.
6. To enable you to ping the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, select Ping and then click OK.
7. To save the interface configuration, click OK.


Set Up Interfaces and Zones (Continued)

Step 3
Configure the interface that connects to your internal network.
Note: In this example, the interface connects to a network segment that uses private IP addresses. Because private IP addresses cannot be routed externally, you will have to configure NAT.
1. Select Network > Interfaces and select the interface you want to configure. In this example, we are configuring Ethernet1/15 as the internal interface our users connect to.
2. Select Layer3 as the Interface Type.
3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Users, and then click OK.
4. Select the same Virtual Router you used in Step 2, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.4/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
7. To save the interface configuration, click OK.

Step 4
Configure the interface that connects to your data center applications.
Note: Although this basic security policy example configuration depicts using a single zone for all of your data center applications, as a best practice you would want to define more granular zones to prevent unauthorized access to sensitive applications or data and eliminate the possibility of malware moving laterally within your data center.
1. Select the interface you want to configure.
2. Select Layer3 from the Interface Type drop-down. In this example, we are configuring Ethernet1/1 as the interface that provides access to your data center applications.
3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Data Center Applications, and then click OK.
4. Select the Virtual Router you used in Step 2, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.1.1.1/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
7. To save the interface configuration, click OK.

Step 5
(Optional) Create tags for each zone.
Tags allow you to visually scan policy rules.
1. Select Objects > Tags and Add.
2. Select a zone Name.
3. Select a tag Color and click OK.

Step 6
Save the interface configuration.
Click Commit.


Set Up Interfaces and Zones (Continued)

Step 7
Cable the firewall.
Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.

Step 8
Verify that the interfaces are active.
Select Dashboard and verify that the interfaces you configured show as green in the Interfaces widget.


Set Up a Basic Security Policy
Now that you have defined some zones and attached them to interfaces, you are ready to begin creating your Security Policy. The firewall will not allow any traffic to flow from one zone to another unless there is a Security policy rule to allow it. When a packet enters a firewall interface, the firewall matches the attributes in the packet against the Security policy rules to determine whether to block or allow the session based on attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. The firewall evaluates incoming traffic against the security policy rulebase from left to right and from top to bottom and then takes the action specified in the first security rule that matches (for example, whether to allow, deny, or drop the packet). This means that you must order the rules in your security policy rulebase so that more specific rules are at the top of the rulebase and more general rules are at the bottom to ensure that the firewall is enforcing policy as expected.
The following workflow shows how to set up a very basic Internet gateway security policy that enables access to the network infrastructure, to data center applications, and to the Internet. This will enable you to get the firewall up and running so that you can verify that you have successfully configured the firewall. This policy is not comprehensive enough to protect your network. After you verify that you have successfully configured the firewall and integrated it into your network, proceed to Policy to learn how to create a Best Practice Internet Gateway Security Policy that will safely enable application access while protecting your network from attack.
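To make the two evaluation rules above concrete (the implicit intrazone-allow and interzone-deny described under Network Segmentation for a Reduced Attack Surface, and first-match, top-to-bottom evaluation described here), the following added example simulates a zone-based rulebase. It is not PAN-OS code and does not reproduce the firewall's matching engine; the zones and subnets come from Set Up Interfaces and Zones and the three rules from the steps that follow in this section, while the rule names, the IT Infrastructure subnet, the application-to-category map (standing in for an Application Filter) and the "Block SMTP from kiosk" rule are constructed assumptions.

```python
"""First-match evaluation of a zone-based security rulebase.

Added example, not PAN-OS code. Zone layout and the three rules follow this
chapter; rule names, the IT Infrastructure subnet, APP_CATEGORY and the
kiosk deny rule are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Interface-to-zone layout from "Set Up Interfaces and Zones"; the IT
# Infrastructure subnet is assumed (the chapter does not give one).
ZONE_SUBNETS = {
    "Internet": ipaddress.ip_network("203.0.113.0/24"),               # ethernet1/16
    "Users": ipaddress.ip_network("192.168.1.0/24"),                  # ethernet1/15
    "Data Center Applications": ipaddress.ip_network("10.1.1.0/24"),  # ethernet1/1
    "IT Infrastructure": ipaddress.ip_network("10.43.2.0/24"),        # assumed
}
DEFAULT_ROUTE_ZONE = "Internet"   # 0.0.0.0/0 via 203.0.113.1 (Step 1)

# Assumed application categories, standing in for an Application Filter.
APP_CATEGORY = {"web-browsing": "general-internet", "ssl": "networking",
                "dns": "networking", "smtp": "collaboration", "ssh": "networking"}


@dataclass
class Rule:
    name: str
    from_zones: set
    to_zones: set
    applications: set          # app names, or "category:<name>" for a filter
    action: str                # "allow" or "deny"
    source_addrs: set = field(default_factory=lambda: {"any"})


def zone_of(ip):
    """The zone of the interface whose subnet holds the address; anything
    else is reached via the default route and so belongs to its zone."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_SUBNETS.items():
        if addr in net:
            return zone
    return DEFAULT_ROUTE_ZONE


def _app_matches(rule, app):
    if "any" in rule.applications or app in rule.applications:
        return True
    return f"category:{APP_CATEGORY.get(app)}" in rule.applications


def match_policy(rulebase, src_ip, dst_ip, app):
    """Walk the rulebase top to bottom and return (rule name, action) of the
    first match; otherwise apply the implicit intrazone-allow / interzone-deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rulebase:
        if (src_zone in rule.from_zones and dst_zone in rule.to_zones
                and ("any" in rule.source_addrs or src_ip in rule.source_addrs)
                and _app_matches(rule, app)):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# The three rules defined in Steps 3 to 5 of this section (names assumed).
RULEBASE = [
    Rule("Network Infrastructure", {"Users"}, {"IT Infrastructure"},
         {"dns", "ntp", "ocsp", "ping", "smtp"}, "allow"),
    Rule("General Internet Access", {"Users"}, {"Internet"},
         {"category:general-internet", "ssl"}, "allow"),
    Rule("Data Center Applications", {"Users"}, {"Data Center Applications"},
         {"activesync", "imap", "kerberos", "ldap", "ms-exchange", "ms-lync"}, "allow"),
]
# Constructed, more specific rule: it only takes effect if it sits above the
# general "Network Infrastructure" rule, which is the ordering point made above.
KIOSK_SMTP_DENY = Rule("Block SMTP from kiosk", {"Users"}, {"IT Infrastructure"},
                       {"smtp"}, "deny", source_addrs={"192.168.1.50"})

if __name__ == "__main__":
    print(match_policy(RULEBASE, "192.168.1.20", "10.43.2.2", "dns"))
    print(match_policy([KIOSK_SMTP_DENY] + RULEBASE, "192.168.1.50", "10.43.2.2", "smtp"))
    print(match_policy(RULEBASE + [KIOSK_SMTP_DENY], "192.168.1.50", "10.43.2.2", "smtp"))
```

The last two calls show the ordering rule: the same specific deny placed below the general allow never fires, because the general rule matches first and evaluation stops there.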
Define Basic Security Policy Rules

Step 1
(Optional) Delete the default security policy rule.
By default, the firewall includes a security rule named rule1 that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone naming conventions.

Step 2
Create the File Blocking profiles you will need to prevent upload/download of malicious files and for drive-by download protection.
1. Configure a File Blocking profile for general use. You will attach this profile to most of your security profiles to block files known to carry threats or that have no real business use for upload/download.
2. Configure a File Blocking profile for risky traffic. You will attach this profile to security policy rules that allow general web access to prevent users from unknowingly downloading malicious files from the Internet.


Define Basic Security Policy Rules (Continued)

Step 3
Allow access to your network infrastructure resources.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to IT Infrastructure.
   Note: As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select dns, ntp, ocsp, ping, smtp.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking profile you configured for general traffic.
9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
10. Click OK.


Define Basic Security Policy Rules (Continued)

Step 4
Enable access to general Internet applications.
Note: This is a temporary rule that allows you to gather information about the traffic on your network. After you have more insight into what applications your users need access to, you can make informed decisions about what applications to allow and create more granular application-based rules for each user group.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to Internet.
5. In the Applications tab, Add an Application Filter and enter a Name. To safely enable access to legitimate web-based applications, set the Category in the application filter to general-internet and then click OK. To enable access to encrypted sites, Add the ssl application.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking strict profile you configured for risky traffic.
9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
10. Click OK.

Step 5
Enable access to data center applications.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to Data Center Applications.
5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select activesync, imap, kerberos, ldap, ms-exchange, and ms-lync.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking profile you configured for general traffic.
9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
10. Click OK.


Define Basic Security Policy Rules (Continued)

Step 6
Save your policies to the running configuration on the firewall.
Click Commit.

Step 7
To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.
To verify the policy rule that matches a flow, use the following CLI command:

test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> application <application_name> protocol <protocol_number>

The output displays the best rule that matches the source and destination IP address specified in the CLI command. For example, to verify the policy rule that will be applied for a client in the user zone with the IP address 10.35.14.150 when it sends a DNS query to the DNS server in the data center:

admin@PA-3050>test security-policy-match source 10.35.14.150 destination 10.43.2.2 application dns protocol 53
"Network Infrastructure" {
        from Users;
        source any;
        source-region none;
        to Data_Center;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service dns/any/any/any;
        action allow;
        icmp-unreachable: no
        terminal yes;
}
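When this check is repeated for many flows after every policy change, it helps to read the rule block programmatically and compare it against the intended design. The following added example (not part of the guide, and not PAN-OS code) parses the brace-delimited output shown above into a dictionary and reports discrepancies from an expected rule, action and destination zone. SAMPLE_OUTPUT is constructed after the output above; the checker relies only on the "name { key value; }" shape of that output and does not itself talk to a firewall.

```python
"""Parse and check the output of `test security-policy-match`.

Added example, not part of the PAN-OS guide. SAMPLE_OUTPUT is constructed
after the output shown in the section; the parser relies only on the
'"name" { key value; ... }' shape of that output.
"""
import re

SAMPLE_OUTPUT = '''\
"Network Infrastructure" {
        from Users;
        source any;
        source-region none;
        to Data_Center;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service dns/any/any/any;
        action allow;
        icmp-unreachable: no
        terminal yes;
}
'''

# First rule block: a quoted name followed by a brace-delimited body.
_BLOCK = re.compile(r'"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\}', re.S)


def parse_policy_match(text):
    """Return {"rule": name, "<key>": "<value>", ...} for the first rule block
    in the output, or None when the output contains no rule block."""
    m = _BLOCK.search(text)
    if m is None:
        return None
    fields = {"rule": m.group("name")}
    for line in m.group("body").splitlines():
        line = line.strip().rstrip(";")
        if not line:
            continue
        # Each line is "<key> <value>"; one key ("icmp-unreachable:") carries a colon.
        key, _, value = line.partition(" ")
        fields[key.rstrip(":")] = value.strip()
    return fields


def check_expected(text, rule, action="allow", to_zone=None):
    """Compare the matched rule against what the policy design expects and
    return the list of discrepancies; an empty list means the flow hits the
    intended rule with the intended action."""
    parsed = parse_policy_match(text)
    if parsed is None:
        return ["no rule block in output; flow does not match an explicit rule"]
    problems = []
    if parsed["rule"] != rule:
        problems.append(f"matched rule {parsed['rule']!r}, expected {rule!r}")
    if parsed.get("action") != action:
        problems.append(f"action {parsed.get('action')!r}, expected {action!r}")
    if to_zone is not None and parsed.get("to") != to_zone:
        problems.append(f"destination zone {parsed.get('to')!r}, expected {to_zone!r}")
    return problems


if __name__ == "__main__":
    print(parse_policy_match(SAMPLE_OUTPUT))
    print(check_expected(SAMPLE_OUTPUT, "Network Infrastructure", to_zone="Data_Center"))
    print(check_expected(SAMPLE_OUTPUT, "General Internet Access", action="deny"))
```

Feed the function the text captured from the CLI session; a non-empty result means a flow is being handled by a different rule than the one the design intended, which is exactly the ordering mistake Step 7 is meant to catch.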


Assess Network Traffic
Now that you have a basic security policy, you can review the statistics and data in the Application Command Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to identify where you need to create more granular security policy rules.

Monitor Network Traffic

Use the Application Command Center and Use the Automated Correlation Engine.
In the ACC, review the most used applications and the high-risk applications on your network. The ACC graphically summarizes the log information to highlight the applications traversing the network, who is using them (with User-ID enabled), and the potential security impact of the content to help you identify what is happening on the network in real time. You can then use this information to create appropriate security policy rules that block unwanted applications, while allowing and enabling applications in a secure manner.
The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network and the logs and match evidence that corroborates the events.

Determine what updates/modifications are required for your network security policy rules and implement the changes.
For example:
- Evaluate whether to allow web content based on schedule, users, or groups.
- Allow or control certain applications or functions within an application.
- Decrypt and inspect content.
- Allow but scan for threats and exploits.
For information on refining your security policies and for attaching custom security profiles, see Enable Basic Threat Prevention Features.

Work with Logs.
Specifically, view the traffic and threat logs (Monitor > Logs).
Note: Traffic logs are dependent on how your security policies are defined and set up to log traffic. The Application Usage widget in the ACC, however, records applications and statistics regardless of policy configuration; it shows all traffic that is allowed on your network, therefore it includes the interzone traffic that is allowed by policy and the same-zone traffic that is allowed implicitly.


Monitor Network Traffic (Continued)

View AutoFocus Threat Data for Logs.
Review the AutoFocus intelligence summary for artifacts in your logs. An artifact is an item, property, activity, or behavior associated with logged events on the firewall. The intelligence summary reveals the number of sessions and samples in which WildFire detected the artifact. Use WildFire verdict information (benign, grayware, malware) and AutoFocus matching tags to look for potential risks in your network.
Note: AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team, call attention to advanced, targeted campaigns and threats in your network.
From the AutoFocus intelligence summary, you can start an AutoFocus search for artifacts and assess their pervasiveness within global, industry, and network contexts.

Monitor Web Activity of Network Users.
Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue, override or block.


Enable Basic Threat Prevention Features
The Palo Alto Networks next-generation firewall has unique threat prevention capabilities that allow it to protect your network from attack despite the use of evasion, tunneling, or circumvention techniques. The threat prevention features on the firewall include the WildFire service, Security Profiles that support Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking and Data Filtering capabilities, the Denial of Service (DoS) and Zone protection functionality, and AutoFocus threat intelligence.
Threat Prevention contains more in-depth information on how to protect your network from threats. For details on how to scan encrypted (SSH or SSL) traffic for threats, see Decryption. Visit Applipedia and Threat Vault to learn more about the applications and threats that Palo Alto Networks products can identify, respectively.

Before you can apply threat prevention features, you must first configure zones to identify one or more source or destination interfaces and security policy rules. To configure interfaces, zones, and the policies that are needed to apply threat prevention features, see Configure Interfaces and Zones and Set Up a Basic Security Policy.

To begin protecting your network from threats, start here:

Enable Basic WildFire Forwarding

Scan Traffic for Threats

Control Access to Web Content

Enable AutoFocus Threat Intelligence

Enable Basic WildFire Forwarding
WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to be malicious, grayware, or benign. With WildFire enabled, a Palo Alto Networks firewall can forward unknown samples to WildFire for analysis. For newly discovered malware, WildFire generates a signature to detect the malware and distributes it to all firewalls with active WildFire licenses. This enables global firewalls to detect and prevent malware found by a single firewall.
A basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, you can enable the firewall to forward portable executable (PE) files. Additionally, if you do not have a WildFire subscription, but you do have a Threat Prevention subscription, you can receive signatures for malware WildFire identifies every 24-48 hours (as part of the antivirus updates).
Beyond the basic WildFire service, a WildFire subscription is required for the firewall to:

Get the latest WildFire signatures every five minutes.

Forward advanced file types and email links for analysis.

Use the WildFire API.

Use a WF-500 appliance to host a WildFire private cloud or a WildFire hybrid cloud.

If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:


Enable Basic WildFire Forwarding

Before You Begin:
Confirm that your firewall is registered and that you have a valid support account as well as any subscriptions you require.
  1. Go to the Palo Alto Networks Customer Support website, log in, and select My Devices.
  2. Verify that the firewall is listed. If it is not listed, see Register the Firewall.
  3. (Optional) If you have a Threat Prevention subscription, be sure to Activate Licenses and Subscriptions.

Step 1  Set the WildFire forwarding settings.
  1. Select Device > Setup > WildFire and edit the General Settings.
  2. Set the WildFire Public Cloud field to: wildfire.paloaltonetworks.com.
  3. (Optional) Set the File Size Limit for PEs that the firewall can forward.
  4. Click OK to save your changes.

Step 2  Enable the firewall to forward PEs for analysis.
  1. Select Objects > Security Profiles > WildFire Analysis and Add a new profile rule.
  2. Name the new profile rule.
  3. Click Add to create a forwarding rule and enter a name.
  4. In the File Types column, add pe files to the forwarding rule.
  5. In the Analysis column, select public-cloud to forward PEs to the WildFire public cloud.
  6. Click OK.

Step 3  Apply the new WildFire Analysis profile to traffic that the firewall allows.
  1. Select Policies > Security and either select an existing policy or create a new policy as described in Set Up a Basic Security Policy.
  2. Select Actions and in the Profile Settings section, set the Profile Type to Profiles.
  3. Select the WildFire Analysis profile you created in Step 2 to apply that profile rule to all traffic this policy allows.
  4. Click OK.

Step 4  Click Commit to save your configuration updates.

Step 5  Verify that the firewall is forwarding PE files to the WildFire public cloud.
  Select Monitor > Logs > WildFire Submissions to view log entries for PEs the firewall successfully submitted for WildFire analysis. The Verdict column displays whether WildFire found the PE to be malicious, grayware, or benign.

Step 6  (Threat Prevention subscription only) If you have a Threat Prevention subscription, but do not have a WildFire subscription, you can still receive WildFire signature updates every 24-48 hours.
  1. Select Device > Dynamic Updates.
  2. Check that the firewall is set to retrieve, download, and install Antivirus updates.


Scan Traffic for Threats
Security Profiles provide threat protection in security policies. For example, you can apply an antivirus profile to a security policy and all traffic that matches the security policy will be scanned for viruses.
The following sections provide steps for setting up a basic threat prevention configuration:

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Set Up File Blocking

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Every Palo Alto Networks next-generation firewall comes with predefined Antivirus, Anti-Spyware, and Vulnerability Protection profiles that you can attach to security policies. There is one predefined Antivirus profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert on SMTP, IMAP, and POP3 traffic). There are two predefined Anti-Spyware and Vulnerability Protection profiles:

default: Applies the default action to all client and server critical, high, and medium severity spyware/vulnerability protection events. It does not detect low and informational events.

strict: Applies the block response to all client and server critical, high and medium severity spyware/vulnerability protection events and uses the default action for low and informational events.

To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your basic web access policies. As you monitor the traffic on your network and expand your policy rulebase, you can then design more granular profiles to address your specific security needs.
Set up Antivirus/Anti-Spyware/Vulnerability Protection

Step 1  Verify that you have a Threat Prevention license.
  The Threat Prevention license bundles the Antivirus, Anti-Spyware, and the Vulnerability Protection features in one license.
  Select Device > Licenses to verify that the Threat Prevention license is installed and valid (check the expiration date).

Step 2  Download the latest antivirus threat signatures.
  1. Select Device > Dynamic Updates and click Check Now at the bottom of the page to retrieve the latest signatures.
  2. In the Actions column, click Download to install the latest Antivirus, and Applications and Threats signatures.

Step 3  Schedule signature updates.
  Perform a download-and-install on a daily basis for antivirus updates and weekly for applications and threats updates.
  1. From Device > Dynamic Updates, click the text to the right of Schedule to automatically retrieve signature updates for Antivirus and Applications and Threats.
  2. Specify the frequency and timing for the updates and whether the update will be downloaded and installed or only downloaded. If you select Download Only, you would need to manually go in and click the Install link in the Action column to install the signature. When you click OK, the update is scheduled. No commit is required.
  3. (Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age of a signature before a download will occur. For example, if you entered 10, the signature must be at least 10 hours old before it will be downloaded, regardless of the schedule.
  4. In an HA configuration, you can also click the Sync To Peer option to synchronize the content update with the HA peer after download/install. This will not push the schedule settings to the peer firewall; you need to configure the schedule on each firewall.

  Recommendations for HA Configurations:
  Active/Passive HA: If the firewalls use the MGT port for content updates, configure a schedule on each firewall so that each firewall downloads and installs content independently. If the firewalls are using a data port for content updates, the passive firewall will not perform downloads while it is in the passive state. In this case set a schedule on each peer and enable Sync To Peer to ensure that content updates on the active peer sync to the passive peer.
  Active/Active HA: If the firewalls use the MGT port for content updates, configure a schedule on each firewall, but do not enable Sync To Peer. If the firewalls are using a data port for content updates, schedule content updates on each firewall and select Sync To Peer to enable the active-primary firewall to download and install the content updates and then push the content update to the active-secondary peer.

Step 4  Attach the security profiles to a security policy.
  Attach a clone of a predefined security profile to your basic Security policy rules. That way, if you want to customize the profile you can do so without deleting the read-only predefined strict or default profile and attaching a customized profile.
  1. Select Policies > Security, select the desired policy to modify it and then click the Actions tab.
  2. In Profile Settings, click the drop-down next to each security profile you would like to enable. In this example we choose default for Antivirus and WildFire Analysis, and strict for Vulnerability Protection and Anti-Spyware.
     If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.

Step 5  Save the configuration.
  Click Commit.

Set Up File Blocking
File Blocking Profiles allow you to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive-by download protection, allow download/upload of executables and archive files (.zip and .rar), but force users to acknowledge that they are transferring a file so that they will notice that the browser is attempting to download something they were not aware of. For policy rules that allow general web browsing, be more strict with your file blocking because the risk of users unknowingly downloading malicious files is much higher. For this type of traffic you will want to attach a more strict file blocking profile that also blocks portable executable (PE) files.


Configure File Blocking

Step 6  Configure a File Blocking profile for general use.
  1. Select Objects > Security Profiles > File Blocking and click Add.
  2. Enter a Name for the file blocking profile, for example general file blocking.
  3. Optionally enter a Description, such as block risky apps. Click Add to define the profile settings.
  4. Enter a Name, such as block risky.
  5. Set File Types to block. For example, Add the following: bat, dll, jar, hlp, lnk, and torrent.
  6. Leave the Direction set to both.
  7. Set the Action to block.
  8. Add a second rule and enter a Name, for example continue exe and archive.
  9. Set File Types to continue. For example, Add the following: PE, zip and rar.
  10. Leave the Direction set to both.
  11. Set the Action to block.
  12. Click OK to save the profile.

Step 7  Configure a File Blocking profile for risky traffic.
  When users are web browsing it is much more likely that they will download a malicious file unintentionally. Therefore, it is important to attach a stricter file blocking policy than you would attach to Security policy rules that allow access to less risk-prone application traffic.
  1. On the Objects > Security Profiles > File Blocking page, select the file blocking profile you just created for general traffic and click Clone. Select the profile to clone and click OK.
  2. Select the cloned profile and give it a new Name, such as strict block risky apps.
  3. Click in the File Types section of the block rule and Add the PE file type.
  4. Click in the File Types section of the continue rule, select PE and click Delete.
  5. Click OK to save the profile.

Step 8  Attach the file blocking profile to the security policies that allow access to content.
  1. Select Policies > Security and either select an existing policy or create a new policy as described in Set Up a Basic Security Policy.
  2. Click the Actions tab within the security policy.
  3. In the Profile Settings section, click the drop-down and select the file blocking profile you created.
     If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.

Step 9  Enable response pages in the management profile for each interface on which you are attaching a file blocking profile with a continue action.
  1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile.
  2. Select Response Pages, as well as any other management services required on the interface.
  3. Click OK to save the interface management profile.
  4. Select Network > Interfaces and select the interface to which to attach the profile.
  5. On the Advanced > Other Info tab, select the interface management profile you just created.
  6. Click OK to save the interface settings.

Step 10  Save the configuration.
  1. Click Commit.

Step 11  Test the file blocking configuration.
  From a client PC in the trust zone of the firewall, attempt to download an .exe file from a website in the Internet zone. Make sure the file is blocked as expected based on the action you defined in the file blocking profile:
  If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
  If you selected block as the action, the File Blocking Block Page response page should display.
  If you selected the continue action, the File Blocking Continue Page response page should display. Click Continue to download the file. The following shows the default File Blocking Continue Page.

Control Access to Web Content
URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more (from approximately 60) categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to security policies to enforce a basic URL filtering policy.


Configure URL Filtering

Step 1  Confirm license information for URL Filtering.
  1. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
  2. Select Device > Licenses and verify that the URL Filtering license is valid.

Step 2  Download the seed database and activate the license.
  1. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page.
  2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
  3. After the download completes, click Activate.

Step 3  Create a URL filtering profile.
  Because the default URL filtering profile blocks risky and threat-prone content, clone this profile when creating a new profile in order to preserve the default settings.
  1. Select Objects > Security Profiles > URL Filtering.
  2. Select the default profile and then click Clone. The new profile will be named default-1.
  3. Select the new profile and rename it.

Step 4  Define how to control access to web content.
  If you are not sure what traffic you want to control, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and AppScope, to determine which web categories to restrict to specific groups or to block entirely. You can then go back and modify the profile to block and allow categories as desired.
  You can also define specific sites to always allow or always block regardless of category and enable the safe search option to filter search results when defining the URL Filtering profile.
  1. For each category that you want visibility into or control over, select a value from the Action column as follows:
     If you do not care about traffic to a particular category (that is, you neither want to block it nor log it), select allow.
     For visibility into traffic to sites in a category, select alert.
     To present a response page to users attempting to access a particular category to alert them to the fact that the content they are accessing might not be work appropriate, select continue.
     To prevent access to traffic that matches the associated policy, select block (this also generates a log entry).
  2. Click OK to save the URL filtering profile.

Step 5  Attach the URL filtering profile to a security policy.
  1. Select Policies > Security.
  2. Select the desired policy to modify it and then click the Actions tab.
  3. If this is the first time you are defining a security profile, select Profiles from the Profile Type drop-down.
  4. In the Profile Settings list, select the profile you just created from the URL Filtering drop-down. (If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.)
  5. Click OK to save the profile.
  6. Commit the configuration.

Step 6  Enable response pages in the management profile for each interface on which you are filtering web traffic.
  1. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile.
  2. Select Response Pages, as well as any other management services required on the interface.
  3. Click OK to save the interface management profile.
  4. Select Network > Interfaces and select the interface to which to attach the profile.
  5. On the Advanced > Other Info tab, select the interface management profile you just created.
  6. Click OK to save the interface settings.

Step 7  Save the configuration.
  Click Commit.

Step 8  Test the URL filtering configuration.
  Access a client PC in the trust zone of the firewall and attempt to access a site in a blocked category. Make sure URL filtering is applied based on the action you defined in the URL filtering profile:
  If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
  If you selected the continue action, the URL Filtering Continue and Override Page response page should display. Continue to the site.
  If you selected block as the action, the URL Filtering and Category Match Block Page response page should display as follows:
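The Antivirus/Anti-Spyware/Vulnerability Protection, File Blocking and URL Filtering procedures above attach profiles to allow rules one rule at a time. The following added example (not Palo Alto Networks' own tooling) audits an exported configuration for allow rules that are still missing one of those profiles or the WildFire Analysis profile. It assumes the element names of the running-configuration schema (rulebase/security/rules/entry/profile-setting/profiles/<type>/member) and uses a constructed sample configuration; verify the element names against a configuration exported from your own firewall.

```python
"""Audit security rules for attached security profiles (added example).

Not Palo Alto Networks' own code. Reads a PAN-OS configuration export and
reports allow rules that lack one of the profiles the Getting Started
procedures attach. Element names are an assumption about the
running-configuration schema; check them against your own export.
"""
import xml.etree.ElementTree as ET

# Profile types the procedures attach, keyed by the (assumed) config element name.
REQUIRED_PROFILES = {
    "virus": "Antivirus",
    "spyware": "Anti-Spyware",
    "vulnerability": "Vulnerability Protection",
    "url-filtering": "URL Filtering",
    "file-blocking": "File Blocking",
    "wildfire-analysis": "WildFire Analysis",
}

# Constructed sample configuration (not an export from a real firewall):
# one fully protected allow rule, one allow rule with only Antivirus,
# one allow rule that uses a profile group, and one deny rule.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="web-browsing-protected">
        <action>allow</action>
        <profile-setting><profiles>
          <virus><member>default</member></virus>
          <spyware><member>strict</member></spyware>
          <vulnerability><member>strict</member></vulnerability>
          <url-filtering><member>default-1</member></url-filtering>
          <file-blocking><member>strict block risky apps</member></file-blocking>
          <wildfire-analysis><member>default</member></wildfire-analysis>
        </profiles></profile-setting>
      </entry>
      <entry name="internal-apps">
        <action>allow</action>
        <profile-setting><profiles>
          <virus><member>default</member></virus>
        </profiles></profile-setting>
      </entry>
      <entry name="partner-vpn">
        <action>allow</action>
        <profile-setting><group><member>outbound-defaults</member></group></profile-setting>
      </entry>
      <entry name="block-bad-zone">
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def attached_profiles(rule):
    """Map config element name -> profile name for the profiles a rule references."""
    found = {}
    for elem in REQUIRED_PROFILES:
        member = rule.find(f"./profile-setting/profiles/{elem}/member")
        if member is not None and member.text:
            found[elem] = member.text.strip()
    return found


def rule_profiles(config_xml, rule_name):
    """Profiles attached to one named security rule, or None if the rule does not exist."""
    root = ET.fromstring(config_xml)
    rule = root.find(f".//rulebase/security/rules/entry[@name='{rule_name}']")
    return None if rule is None else attached_profiles(rule)


def audit_rules(config_xml):
    """Return [(rule name, [finding, ...])] for allow rules that lack required profiles."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.findall(".//rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # deny/drop rules hand nothing to the scanners
        group = rule.findtext("./profile-setting/group/member")
        if group:
            # A profile group may well be complete; flag it for a manual look.
            findings.append((rule.get("name"), [f"uses profile group '{group}'; check its members"]))
            continue
        attached = attached_profiles(rule)
        missing = [label for elem, label in REQUIRED_PROFILES.items() if elem not in attached]
        if missing:
            findings.append((rule.get("name"), missing))
    return findings


if __name__ == "__main__":
    for name, problems in audit_rules(SAMPLE_CONFIG):
        print(f"{name}: {', '.join(problems)}")
```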

Enable AutoFocus Threat Intelligence
With a valid AutoFocus subscription, you can compare the activity on your network with the latest threat data available on the AutoFocus portal. Connecting your firewall and AutoFocus unlocks the following features:

Ability to view an AutoFocus intelligence summary for session artifacts recorded in the firewall logs.

Ability to open an AutoFocus search for log artifacts from the firewall.

The AutoFocus intelligence summary reveals the prevalence of an artifact on your network and on a global scale. The WildFire verdicts and AutoFocus tags listed for the artifact indicate whether the artifact poses a security risk.


Enable AutoFocus Threat Intelligence on the Firewall

Step 1  Verify that the AutoFocus license is activated on the firewall.
  1. Select Device > Licenses to verify that the AutoFocus Device License is installed and valid (check the expiration date).
  2. If the firewall doesn't detect the license, see Activate Licenses and Subscriptions.

Step 2  Connect the firewall to AutoFocus.
  1. Select Device > Setup > Management and edit the AutoFocus settings.
  2. Enter the AutoFocus URL: https://autofocus.paloaltonetworks.com:10443
  3. Use the Query Timeout field to set the duration of time for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall closes the connection.
     As a best practice, set the query timeout to the default value of 15 seconds. AutoFocus queries are optimized to complete within this duration.
  4. Select Enabled to allow the firewall to connect to AutoFocus.
  5. Click OK.
  6. Commit your changes to retain the AutoFocus settings upon reboot.

Step 3  Connect AutoFocus to the firewall.
  1. Log in to the AutoFocus portal: https://autofocus.paloaltonetworks.com
  2. Select Settings.
  3. Add new remote systems.
  4. Enter a descriptive Name to identify the firewall.
  5. Select PanOS as the System Type.
  6. Enter the firewall IP Address.
  7. Click Save changes to add the remote system.
  8. Click Save changes again on the Settings page to ensure the firewall is successfully added.

Step 4  Test the connection between the firewall and AutoFocus.
  1. On the firewall, select Monitor > Logs > Traffic.
  2. Verify that you can View AutoFocus Threat Data for Logs.


Best Practices for Completing the Firewall Deployment
Now that you have integrated the firewall into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:

Learn about the different Management Interfaces that are available to you and how to access and use them.

Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.

Configure a best practice security policy rulebase to safely enable applications and protect your network from attack. See Best Practice Internet Gateway Security Policy for details.

Set up High Availability: High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration and session tables are synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up a two-firewall cluster provides redundancy and allows you to ensure business continuity.

Configure the Master Key: Every Palo Alto Networks firewall has a default master key that encrypts all private keys on the firewall used for cryptographic protocols. As a best practice to safeguard the keys, configure the master key on each firewall to be unique.

Manage Firewall Administrators: Every Palo Alto Networks firewall and appliance is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.

Enable User Identification (User-ID): User-ID is a Palo Alto Networks next-generation firewall feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.

Enable Decryption: Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or tunneled traffic.

Enable Passive DNS Collection for Improved Threat Intelligence: Enable this opt-in feature to enable the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.

Follow the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.


Firewall Administration
Administrators can configure, manage, and monitor Palo Alto Networks firewalls using the web interface, CLI, and API management interface. You can customize role-based administrative access to the management interfaces to delegate specific tasks or permissions to certain administrators.

Management Interfaces

Use the Web Interface

Manage Configuration Backups

Manage Firewall Administrators

Reference: Web Interface Administrator Access

Reference: Port Number Usage

Reset the Firewall to Factory Default Settings

Bootstrap the Firewall


Management Interfaces
You can use the following user interfaces to manage the Palo Alto Networks firewall and Panorama:

Use the Web Interface to complete administrative tasks and generate reports from the web interface with relative ease. This graphical interface allows you to access the firewall using HTTPS and it is the best way to perform administrative tasks.

Use the Command Line Interface (CLI) to enter commands in rapid succession to complete a series of tasks. The CLI is a no-frills interface that supports two command modes and each mode has its own hierarchy of commands and statements. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency.

Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is a web service implemented using HTTP/HTTPS requests and responses.
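The HTTP/HTTPS request and response exchange the last item describes, as an added example that is not Palo Alto Networks' own code: an API key is requested with type=keygen, an operational command (show system info) is sent as type=op with the command rendered as nested XML, and the returned <response status="..."> document is parsed. The management address, credentials and sample responses are constructed placeholders; the TLS handling assumes the factory certificate has been replaced as the Best Practices section advises.

```python
"""Minimal PAN-OS XML API client (added example, not Palo Alto Networks' code).

Request shape: https://<firewall>/api/?type=...&cmd=...&key=...
Response shape: <response status="success|error"><result>...</result></response>
The firewall address, credentials and sample responses below are placeholders
constructed for this example.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIREWALL = "203.0.113.1"  # placeholder management address, not a real firewall


def build_url(firewall, params):
    """Build https://<firewall>/api/?... with the parameters URL-encoded."""
    return f"https://{firewall}/api/?" + urllib.parse.urlencode(params)


def op_cmd_xml(*path):
    """Render a CLI-style command path as the nested XML the op request type expects."""
    xml = ""
    for element in reversed(path):
        xml = f"<{element}>{xml}</{element}>"
    return xml


def parse_response(body):
    """Return the <result> element of a success response; raise on status="error"."""
    root = ET.fromstring(body)
    if root.get("status") != "success":
        msg = root.findtext(".//msg/line") or root.findtext(".//msg") or "unknown error"
        raise RuntimeError(f"XML API error: {msg.strip()}")
    return root.find("result")


def api_key_from(body):
    """Extract the key from a type=keygen response."""
    return parse_response(body).findtext("key")


def system_info_from(body):
    """Turn a 'show system info' response into a plain dict of field -> value."""
    system = parse_response(body).find("system")
    return {child.tag: (child.text or "").strip() for child in system}


def fetch(url, context=None):
    """Perform the HTTPS request (network use only; the offline checks parse samples)."""
    with urllib.request.urlopen(url, timeout=15, context=context) as resp:
        return resp.read()


def get_api_key(firewall, user, password, context=None):
    params = {"type": "keygen", "user": user, "password": password}
    return api_key_from(fetch(build_url(firewall, params), context))


def show_system_info(firewall, key, context=None):
    params = {"type": "op", "cmd": op_cmd_xml("show", "system", "info"), "key": key}
    return system_info_from(fetch(build_url(firewall, params), context))


# Constructed sample responses in the shape the API returns.
SAMPLE_KEYGEN = '<response status="success"><result><key>constructed-key-0001</key></result></response>'
SAMPLE_INFO = """<response status="success"><result><system>
  <hostname>fw-edge-1</hostname>
  <ip-address>203.0.113.1</ip-address>
  <sw-version>7.1.0</sw-version>
</system></result></response>"""
SAMPLE_ERROR = '<response status="error" code="403"><result><msg>Invalid credentials.</msg></result></response>'

if __name__ == "__main__":
    # The factory default certificate will not verify; trust the CA that issued the
    # replacement certificate (cafile=...) rather than disabling verification.
    ctx = ssl.create_default_context()
    key = get_api_key(FIREWALL, "api-reader", "PLACEHOLDER-PASSWORD", ctx)
    print(show_system_info(FIREWALL, key, ctx))
```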


Use the Web Interface
The following topics describe how to use the firewall web interface. For detailed information about specific tabs and fields in the web interface, refer to the Web Interface Reference Guide.

Launch the Web Interface

Configure Banners, Message of the Day, and Logos

Use the Administrator Login Activity Indicators to Detect Account Misuse

Manage and Monitor Administrative Tasks

Commit, Validate, and Preview Firewall Configuration Changes

Use Global Find to Search the Firewall or Panorama Management Server

Manage Locks for Restricting Configuration Changes

Launch the Web Interface
The following web browsers are supported for access to the web interface:

Internet Explorer 7+

Firefox 3.6+

Safari 5+

Chrome 11+

Launch the Web Interface

Step 1  Launch an Internet browser and enter the IP address of the firewall in the URL field (https://<IP address>).
  By default, the management (MGT) interface allows only HTTPS access to the web interface. To enable other protocols, select Device > Setup > Management and edit the Management Interface Settings.

Step 2  Enter your user Name and Password. If this is your first login session, enter the default admin for both fields.

Step 3  If the login dialog has a banner, read it. If the dialog requires you to acknowledge reading the banner, select I Accept and Acknowledge the Statement Below.

Step 4  Log in to the web interface.

Step 5  Read and Close the messages of the day.
  You can select Do not show again for messages you don't want to see in future login sessions.
  If you want to change the language that the web interface uses, click Language at the bottom of the web interface, select a Language from the drop-down, and click OK.


Configure Banners, Message of the Day, and Logos
A login banner is optional text that you can add to the login page so that administrators will see information they must know before they log in. For example, you could add a message to notify users of restrictions on unauthorized use of the firewall.
You can add colored bands that highlight overlaid text across the top (header banner) and bottom (footer banner) of the web interface to ensure administrators see critical information, such as the classification level for firewall administration.
A message of the day dialog automatically displays after you log in. The dialog displays messages that Palo Alto Networks embeds to highlight important information associated with a software or content release. You can also add one custom message to ensure administrators see information, such as an impending system restart, that might affect their tasks.
You can replace the default logos that appear on the login page and in the header of the web interface with the logos of your organization.

Configure Banners, Message of the Day, and Logos

Step 1  Configure the login banner.
  1. Select Device > Setup > Management and edit the General Settings.
  2. Enter the Login Banner (up to 3,200 characters).
  3. (Optional) Select Force Admins to Acknowledge Login Banner to force administrators to select an I Accept and Acknowledge the Statement Below check box above the banner text to activate the Login button.
  4. Click OK.

Step 2  Set the message of the day.
  1. Select Device > Setup > Management and edit the Banners and Messages settings.
  2. Enable the Message of the Day.
  3. Enter the Message of the Day (up to 3,200 characters).
     After you enter the message and click OK, administrators who subsequently log in, and active administrators who refresh their browsers, see the new or updated message immediately; a commit isn't necessary. This enables you to inform other administrators of an impending commit that might affect their configuration changes. Based on the commit time that your message specifies, the administrators can then decide whether to complete, save, or undo their changes.
  4. (Optional) Select Allow Do Not Display Again (default is disabled) to give administrators the option to suppress a message of the day after the first login session. Each administrator can suppress messages only for his or her own login sessions. In the message of the day dialog, each message will have its own suppression option.
  5. (Optional) Enter a header Title for the message of the day dialog (default is Message of the Day).

Step 3  Configure the header and footer banners.
  A bright background color and contrasting text color can increase the likelihood that administrators will notice and read a banner. You can also use colors that correspond to classification levels in your organization.
  1. Enter the Header Banner (up to 3,200 characters).
  2. (Optional) Clear Same Banner Header and Footer (enabled by default) to use different header and footer banners.
  3. Enter the Footer Banner (up to 3,200 characters) if the header and footer banners differ.
  4. Click OK.

Step 4  Replace the logos on the login page and in the header.
  The maximum size for any logo image is 128 KB.
  1. Select Device > Setup > Operations and click Custom Logos in the Miscellaneous section.
  2. Perform the following steps for both the Login Screen logo and the Main UI (header) logo:
     a. Click upload.
     b. Select a logo image and click Open. You can preview the image to see how PAN-OS will crop it to fit.
     c. Click Close.
  3. Commit your changes.

Step 5  Verify that the banners, message of the day, and logos display as expected.
  1. Log out to return to the login page, which displays the new logos you selected.
  2. Enter your login credentials, review the banner, select I Accept and Acknowledge the Statement Below to enable the Login button, and then Login.
     A dialog displays the message of the day. Messages that Palo Alto Networks embedded display on separate pages in the same dialog. To navigate the pages, click the right or left arrows along the sides of the dialog or click a page selector at the bottom of the dialog.
  3. (Optional) You can select Do not show again for the message you configured and for any messages that Palo Alto Networks embedded.
  4. Close the message of the day dialog to access the web interface.
     Header and footer banners display in every web interface page with the text and colors that you configured. The new logo you selected for the web interface displays below the header banner.


Use the Administrator Login Activity Indicators to Detect Account Misuse
The last login time and failed login attempts indicators provide a visual way to detect misuse of your administrator account on a Palo Alto Networks firewall or Panorama management server. Use the last login information to determine if someone else logged in using your credentials and use the failed login attempts indicator to determine if your account is being targeted in a brute-force attack.

Use the Login Activity Indicators to Detect Account Misuse

Step 1  View the login activity indicators to monitor recent activity on your account.
  1. Log in to the web interface on your firewall or Panorama management server.
  2. View the last login details located at the bottom left of the window and verify that the timestamp corresponds to your last login.
  3. Look for a caution symbol to the right of the last login time information for failed login attempts. The failed login indicator appears if one or more failed login attempts occurred using your account since the last successful login.
     a. If you see the caution symbol, hover over it to display the number of failed login attempts.
     b. Click the caution symbol to view the failed login attempts summary. Details include the admin account name, the reason for the login failure, the source IP address, and the date and time.
        After you successfully log in and then log out, the failed login counter resets to zero, so you will see new failed login details, if any, the next time you log in.
  4. Locate hosts that are continually attempting to log in to your firewall or Panorama management server.
     a. Click the failed login caution symbol to view the failed login attempts summary.
     b. Locate and record the source IP address of the host that attempted to log in. For example, the following figure shows multiple failed login attempts from the IP address 192.168.2.10.
     c. Work with your network administrator to locate the user and host that is using the IP address that you identified. If you cannot locate the system that is performing the brute-force attack, consider renaming the account to prevent future attacks.

Step 2  Take the following actions if you detect an account compromise.
  1. Select Monitor > Logs > Configuration and view the configuration changes and commit history to determine if your account was used to make changes without your knowledge.
  2. Select Device > Config Audit to compare the current configuration and the configuration that was running just prior to the configuration you suspect was changed using your credentials. You can also do this using Panorama.
     If your administrator account was used to create a new account, performing a configuration audit helps you detect changes that are associated with any unauthorized accounts, as well.
  3. Revert the configuration to a known good configuration if you see that logs were deleted or if you have difficulty determining if improper changes were made using your account.
     Before you commit to a previous configuration, review it to ensure that it contains the correct settings. For example, the configuration that you revert to may not contain recent changes, so apply those changes after you commit the backup configuration.

Use the following best practices to help prevent brute-force attacks on privileged accounts:
  Limit the number of failed attempts allowed before the firewall locks a privileged account by setting the number of Failed Attempts and the Lockout Time (min) in the authentication profile or in the Authentication Settings for the Management interface (Device > Setup > Management > Authentication Settings).
  Use Interface Management Profiles to Restrict Access.
  Enforce complex passwords for privileged accounts.
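The failed login summary above reports the account, failure reason, source IP address and time of each attempt, and the best practices set a Failed Attempts count and a Lockout Time. The following Python, added here as an example and not part of the guide or of PAN-OS, tallies constructed failure records per source IP and models that lockout policy; the record layout and all sample values are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample failed-login records (account, reason, source IP, time),
# mirroring the fields of the failed login attempts summary. Illustrative
# values only, not output captured from a firewall.
FAILED_LOGINS = [
    ("admin", "invalid password", "192.168.2.10", "2016-05-19 08:00:05"),
    ("admin", "invalid password", "192.168.2.10", "2016-05-19 08:00:09"),
    ("admin", "invalid password", "192.168.2.10", "2016-05-19 08:00:14"),
    ("admin", "invalid password", "192.168.2.10", "2016-05-19 08:00:20"),
    ("admin", "invalid password", "192.168.2.10", "2016-05-19 08:31:00"),
    ("secops", "invalid password", "10.1.1.25", "2016-05-19 09:15:00"),
]


def parse_records(rows):
    """Convert the timestamp strings to datetime objects, sorted by time."""
    parsed = [(acct, reason, ip, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
              for acct, reason, ip, ts in rows]
    return sorted(parsed, key=lambda r: r[3])


def failures_by_source(records):
    """Number of failed attempts per source IP (Step 1.4 of the procedure)."""
    return Counter(ip for _acct, _reason, ip, _when in records)


def suspicious_sources(records, threshold):
    """Source IPs that reached `threshold` failures and warrant a look."""
    counts = failures_by_source(records)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def lockouts(records, failed_attempts, lockout_minutes):
    """Model the Failed Attempts / Lockout Time (min) policy: once an account
    accumulates `failed_attempts` failures it is locked for `lockout_minutes`;
    attempts during the lockout are not counted, and the counter starts again
    from zero when the lockout expires. Returns {account: [locked_until, ...]}.
    (A successful login would also reset the counter; only failures are
    modelled here.)"""
    window = timedelta(minutes=lockout_minutes)
    failures = defaultdict(int)
    locked_until = {}
    history = defaultdict(list)
    for account, _reason, _ip, when in records:
        until = locked_until.get(account)
        if until is not None:
            if when < until:
                continue                 # attempt while locked: ignored
            del locked_until[account]    # lockout expired, counter is zero
        failures[account] += 1
        if failures[account] >= failed_attempts:
            locked_until[account] = when + window
            history[account].append(when + window)
            failures[account] = 0
    return dict(history)
```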


Manage and Monitor Administrative Tasks
The Task Manager displays details about all the operations that you and other administrators initiated (such as manual commits) or that the firewall initiated (such as scheduled report generation) since the last firewall reboot. You can use the Task Manager to troubleshoot failed operations, investigate warnings associated with completed commits, view details about queued commits, or cancel pending commits.
You can also view System Logs to monitor system events on the firewall or view Config Logs to monitor firewall configuration changes.

Manage and Monitor Administrative Tasks

Step 1  Click Tasks at the bottom of the web interface.

Step 2  Show only Running tasks (in progress) or All tasks (default). Optionally, filter the tasks by type:
  Jobs: Administrator-initiated commits, firewall-initiated commits, and software or content downloads and installations.
  Reports: Scheduled reports.
  Log Requests: Log queries that you trigger by accessing the Dashboard or a Monitor page.

Step 3  Perform any of the following actions:
  Display or hide task details: By default, the Task Manager displays the Type, Status, Start Time, and Messages for each task. To see the End Time and Job ID for a task, you must manually configure the display to expose those columns. To display or hide a column, open the drop-down in any column header, select Columns, and select or deselect the column names as needed.
  Investigate warnings or failures: Read the entries in the Messages column for task details. If the column says Too many messages, click the corresponding entry in the Type column to see more information.
  Display a commit description: If an administrator entered a description when configuring a commit, you can click Commit Description in the Messages column to display the description.
  Check the position of a commit in the queue: The Messages column indicates the queue position of commits that are in progress.
  Cancel pending commits: Click Clear Commit Queue to cancel all pending commits (available only to predefined administrative roles). To cancel an individual commit, click x in the Action column for that commit (the commit remains in the queue until the firewall dequeues it). You cannot cancel commits that are in progress.

Commit, Validate, and Preview Firewall Configuration Changes
A commit is the process of activating changes that you made to the firewall configuration. The firewall queues commit operations in the order you and other administrators initiate them. If the queue already has the maximum number of commits (which varies by platform), you must wait for the firewall to process a pending commit before initiating a new commit. To cancel pending commits or view details about commits of any status, see Manage and Monitor Administrative Tasks. To check which changes a commit will activate, you can run a commit preview.
For details on candidate and running configurations, see Manage Configuration Backups.
To prevent multiple administrators from making configuration changes during concurrent sessions, see Manage Locks for Restricting Configuration Changes.


When you initiate a commit, the firewall checks the validity of the changes before activating them. The validation output displays conditions that either block the commit (errors) or that are important to know but that do not block the commit (warnings). For example, validation could indicate an invalid route destination that you need to fix for the commit to succeed. To identify and fix configuration errors before initiating a commit, you can validate changes without committing. A pre-commit validation displays the same errors and warnings as a commit, including reference errors, rule shadowing, and application dependency warnings. Pre-commit validations are useful if your organization allows commits only within certain time windows; you can find and fix errors to avoid failures that could cause you to miss a commit window.

Preview, Validate, or Commit Firewall Configuration Changes

Step 1  Configure the commit, validation, or preview options.
  1. Click Commit at the top of the web interface.
  2. (Optional) Exclude certain types of configuration changes. These options are included (enabled) by default.
     If dependencies between the configuration changes you included and excluded cause a validation error, perform the commit with all the changes included. For example, if your changes introduce a new Log Forwarding profile (an object) that references a new Syslog server profile (a device setting), the commit must include both the policy and object configuration and the device and network configuration.
     Include Device and Network configuration
     Include Policy and Object configuration: This is available only on firewalls for which multiple virtual systems capability is disabled.
     Include Shared Object configuration: This is available only on firewalls with multiple virtual systems.
     Include Virtual System configuration: This is available only on firewalls with multiple virtual systems. Select All virtual systems (default) or Select one or more virtual systems in the list.
  3. (Optional) Enter a Description for the commit. A brief summary of what changed in the configuration is useful to other administrators who want to know what changes were made without performing a configuration audit.

Step 2  (Optional) Preview the changes that the commit will activate. This can be useful if, for example, you don't remember all your changes and you're not sure you want to activate all of them.
  The firewall displays the changes in a new window that shows the running and candidate configurations side by side, using colors to highlight the differences line by line.
  1. Click Preview Changes.
  2. Select the Lines of Context, which is the number of lines from the compared configuration files to display before and after each highlighted difference. These additional lines help you correlate the preview output to settings in the web interface.
     Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.
  3. Close the preview window when you finish reviewing the changes.

Step 3  (Optional) Validate the changes before you commit to ensure the commit will succeed.
  1. Click Validate Changes. The results display all the errors and warnings that an actual commit would display.
  2. Resolve any errors that the validation results identify.

Step 4  Commit your configuration changes.
  Click Commit.
  To view details about commits that are pending (which you can still cancel), in progress, completed, or failed, see Manage and Monitor Administrative Tasks.
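Preview Changes compares the running and candidate configurations with a chosen number of context lines, and validation reports reference errors such as the Log Forwarding profile to Syslog server profile dependency described in Step 1. The following Python, added here as an example and not the firewall's own code, performs both over a constructed, simplified configuration layout; the XML element names and the way a partial commit is modelled are assumptions.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed, simplified configuration files (not the real PAN-OS schema).
# The candidate adds a Syslog server profile (a device setting) and a Log
# Forwarding profile (an object) that references it, plus a rule using it.
RUNNING_CONFIG = """\
<config>
  <syslog>
    <entry name="siem-syslog"><server>10.0.0.5</server></entry>
  </syslog>
  <log-forwarding>
    <entry name="fwd-siem"><syslog>siem-syslog</syslog></entry>
  </log-forwarding>
  <rules>
    <entry name="allow-web"><action>allow</action><profile>fwd-siem</profile></entry>
  </rules>
</config>
"""

CANDIDATE_CONFIG = """\
<config>
  <syslog>
    <entry name="siem-syslog"><server>10.0.0.5</server></entry>
    <entry name="lab-syslog"><server>10.0.9.9</server></entry>
  </syslog>
  <log-forwarding>
    <entry name="fwd-siem"><syslog>siem-syslog</syslog></entry>
    <entry name="fwd-lab"><syslog>lab-syslog</syslog></entry>
  </log-forwarding>
  <rules>
    <entry name="allow-web"><action>allow</action><profile>fwd-siem</profile></entry>
    <entry name="deny-lab"><action>deny</action><profile>fwd-lab</profile></entry>
  </rules>
</config>
"""


def preview_changes(running, candidate, lines_of_context=3):
    """Unified diff of running vs candidate; `lines_of_context` plays the role
    of the Lines of Context setting in Preview Changes."""
    return list(difflib.unified_diff(
        running.splitlines(), candidate.splitlines(),
        fromfile="running-config.xml", tofile="candidate",
        n=lines_of_context, lineterm=""))


def count_changes(diff):
    """(added, removed) line counts, ignoring the ---/+++ file headers."""
    added = sum(1 for l in diff if l.startswith("+") and not l.startswith("+++"))
    removed = sum(1 for l in diff if l.startswith("-") and not l.startswith("---"))
    return added, removed


def _names(root, section):
    return {e.get("name") for e in root.findall(f"./{section}/entry")}


def validate_references(candidate, running, include_device_and_network=True):
    """Pre-commit reference check. Syslog server profiles are device settings:
    when the commit excludes the device and network configuration, the Syslog
    profiles that will exist after the commit are those of the running
    configuration, so a new Log Forwarding profile pointing at a new Syslog
    profile becomes a reference error (the dependency case in Step 1)."""
    cand = ET.fromstring(candidate)
    device_root = cand if include_device_and_network else ET.fromstring(running)
    syslog_names = _names(device_root, "syslog")
    profile_names = _names(cand, "log-forwarding")
    errors = []
    for prof in cand.findall("./log-forwarding/entry"):
        target = prof.findtext("syslog")
        if target not in syslog_names:
            errors.append(f"log-forwarding profile '{prof.get('name')}' "
                          f"references unknown syslog server profile '{target}'")
    for rule in cand.findall("./rules/entry"):
        target = rule.findtext("profile")
        if target is not None and target not in profile_names:
            errors.append(f"rule '{rule.get('name')}' references unknown "
                          f"log-forwarding profile '{target}'")
    return errors
```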

Use Global Find to Search the Firewall or Panorama Management Server
Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular string, such as an IP address, object name, policy rule name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can easily find all of the places where the string is referenced. The search results also help you identify other objects that depend on or make reference to the search term or string. For example, when deprecating a security profile, enter the profile name in Global Find to locate all instances of the profile and then click each instance to navigate to the configuration page and make the necessary change. After all references are removed, you can then delete the profile. You can do this for any configuration item that has dependencies.
Global Find will not search dynamic content (such as logs, address ranges, or allocated DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS entry, but you cannot search for individual addresses allocated to users. Global Find also does not search for individual user or group names identified by User-ID unless the user/group is defined in a policy. In general, you can only search content that the firewall writes to the configuration.

Use Global Find

  Launch Global Find by clicking the Search icon located on the upper right of the web interface.

  To access Global Find from within a configuration area, click the drop-down next to an item and select Global Find.
  For example, click Global Find on a zone named l3-vlan-trust to search the candidate configuration for each location where the zone is referenced. The following screen capture shows the search results for the zone l3-vlan-trust.

  Search tips:
    If you initiate a search on a firewall that has multiple virtual systems enabled or if custom Administrative Roles are defined, Global Find will only return results for areas of the firewall in which the administrator has permissions. The same applies to Panorama device groups.
    Spaces in search terms are handled as AND operations. For example, if you search on corp policy, the search results include instances where corp and policy exist in the configuration.
    To find an exact phrase, enclose the phrase in quotation marks.
    To rerun a previous search, click Search (located on the upper right of the web interface) to see a list of the last 20 searches. Click an item in the list to rerun that search. Search history is unique to each administrator account.
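The search tips above describe spaces as AND operations, quoted text as an exact phrase, and results grouped by category. The following Python is an added example (not PAN-OS code) that applies those rules to a constructed, simplified candidate configuration; the element names, case-insensitive matching, and matching all terms within one element are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified candidate configuration (not the real PAN-OS schema).
# The zone l3-vlan-trust from the guide's example is referenced by two rules.
CANDIDATE_CONFIG = """\
<config>
  <zones>
    <entry name="l3-vlan-trust"><interface>ethernet1/2</interface></entry>
    <entry name="l3-untrust"><interface>ethernet1/1</interface></entry>
  </zones>
  <rules>
    <entry name="corp policy"><from>l3-vlan-trust</from><to>l3-untrust</to></entry>
    <entry name="corp web"><from>l3-vlan-trust</from><to>l3-untrust</to></entry>
    <entry name="lab policy"><from>l3-untrust</from><to>l3-untrust</to></entry>
    <entry name="policy for corp"><from>l3-untrust</from><to>l3-untrust</to></entry>
  </rules>
</config>
"""


def parse_query(query):
    """Split a Global Find query into terms: text inside double quotes is one
    exact phrase, every other whitespace-separated word is a separate term,
    and all terms must match (AND). Matching is case-insensitive (assumption)."""
    phrases = re.findall(r'"([^"]*)"', query)
    remainder = re.sub(r'"[^"]*"', " ", query)
    return [t.lower() for t in phrases + remainder.split() if t.strip()]


def global_find(config_xml, query):
    """Return {category: [path, ...]} for every element whose name attribute
    or text contains all query terms. The category is the top-level section
    of the configuration the element lives in (zones, rules, ...)."""
    terms = parse_query(query)
    results = {}
    if not terms:
        return results

    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[{name}]" if name else "")
        text = (elem.text or "").strip()
        haystack = " ".join(s for s in (name, text) if s).lower()
        if haystack and all(t in haystack for t in terms):
            parts = here.split("/")          # ["", "config", "zones", ...]
            category = parts[2] if len(parts) > 2 else parts[1]
            results.setdefault(category, []).append(here)
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(config_xml), "")
    return results


def count_results(results):
    """Total number of matching locations across all categories."""
    return sum(len(paths) for paths in results.values())
```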

Manage Locks for Restricting Configuration Changes
Locking the candidate or running configuration prevents other administrators from changing the configuration until you manually remove the lock, a superuser removes the lock, or the firewall automatically removes it (after a commit). Locks ensure that administrators don't make conflicting changes to the same settings or interdependent settings during concurrent login sessions.
The firewall queues commit requests and performs them in the order that administrators initiate the commits. For details, see Commit, Validate, and Preview Firewall Configuration Changes. To view the status of queued commits, see Manage and Monitor Administrative Tasks.

Manage Locks for Restricting Configuration Changes

View details about current locks.
  For example, you can check whether other administrators have set locks and read comments they entered to explain the locks.
  Click the lock at the top of the web interface. An adjacent number indicates the number of current locks.

Lock a configuration.
  1. Click the lock at the top of the web interface.
     The lock image varies based on whether existing locks are or are not set.
  2. Take a Lock and select the lock Type:
     Config: Blocks other administrators from changing the candidate configuration.
     Commit: Blocks other administrators from changing the running configuration.
  3. (Firewall with multiple virtual systems only) Select a Location to lock the configuration for a specific virtual system or the Shared location.
  4. (Optional) As a best practice, enter a Comment so that other administrators will understand the reason for the lock.
  5. Click OK and Close.

Unlock a configuration.
  Only a superuser or the administrator who locked the configuration can manually unlock it. However, the firewall automatically removes a lock after completing the commit operation.
  1. Click the lock at the top of the web interface.
  2. Select the lock entry in the list.
  3. Click Remove Lock, OK, and Close.

Configure the firewall to automatically lock the running configuration when you change the candidate configuration. This setting applies to all administrators.
  1. Select Device > Setup > Management and edit the General Settings.
  2. Select Automatically Acquire Commit Lock and then click OK and Commit.

Manage Configuration Backups
The running configuration comprises all settings you have committed and that are therefore active, such as policy rules that currently block or allow various types of traffic in your network. The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the last commit. Backing up versions of the running or candidate configuration enables you to later restore those versions on the firewall. For example, if a commit validation shows that the current candidate configuration has more errors than you are able or have time to fix, then you can restore a previous candidate configuration or revert to the running configuration.
See Commit, Validate, and Preview Firewall Configuration Changes for related information.

  Back Up a Configuration

  Restore a Configuration

Back Up a Configuration
Creating configuration backups enables you to later Restore a Configuration. This is useful when you want to revert the firewall to all the settings of an earlier configuration because you can perform the restoration as a single operation instead of manually reconfiguring each setting in the current configuration. You can either save backups locally on the firewall or export backups to an external host.
When you commit changes, the firewall automatically saves a new version of the running configuration. If a system event or administrator action causes the firewall to reboot, it automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. However, the firewall does not automatically save a backup of the candidate configuration; you must manually save a backup of the candidate configuration as a snapshot file using either the default name (.snapshot.xml) or a custom name.
When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot.
Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).
As a best practice, back up any important configuration to a host external to the firewall.


Back Up a Configuration

Step 1  Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots.
  These are changes you are not ready to commit, for example, changes you cannot finish in the current login session.
  Perform one of the following tasks based on whether you want to overwrite the default snapshot (.snapshot.xml) or create a snapshot with a custom name:
    Overwrite the default snapshot: Click Save at the top of the web interface.
    Create a custom-named snapshot:
      a. Select Device > Setup > Operations and Save named configuration snapshot.
      b. Enter a Name for the snapshot or select an existing snapshot to overwrite.
      c. Click OK and Close.

Step 2  Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.
  Select Device > Setup > Operations and click an export option:
    Export named configuration snapshot: Export the current running configuration, a named candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the Name you specify.
    Export configuration version: Select a Version of the running configuration to export as an XML file. The firewall creates a version whenever you commit configuration changes.
    Export device state: Export the firewall state information as a bundle. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.

Restore a Configuration
Restoring a firewall configuration overwrites the current candidate configuration with another configuration. This is useful when you want to revert all firewall settings used in an earlier configuration; you can perform this restoration as a single operation instead of manually reconfiguring each setting in the current configuration.
The firewall automatically saves a new version of the running configuration whenever you commit changes and you can restore any of those versions. However, you must manually save a candidate configuration to later restore it (see Back Up a Configuration).

Restore a Configuration

Restore the current running configuration.
  This operation undoes all the changes you made to the candidate configuration since the last commit.
  1. Select Device > Setup > Operations and Revert to running configuration.
  2. Click Yes to confirm the operation.

Restore the default snapshot of the candidate configuration.
  This is the snapshot that you create or overwrite when you click Save at the top right of the web interface.
  1. Select Device > Setup > Operations and Revert to last saved configuration.
  2. Click Yes to confirm the operation.
  3. (Optional) Click Commit to overwrite the running configuration with the snapshot.

Restore a previous version of the running configuration that is stored on the firewall.
  The firewall creates a version whenever you commit configuration changes.
  1. Select Device > Setup > Operations and Load configuration version.
  2. Select a configuration Version and click OK.
  3. (Optional) Click Commit to overwrite the running configuration with the version you just restored.

Restore one of the following:
    Current running configuration (named running-config.xml)
    Custom-named version of the running configuration that you previously imported
    Custom-named candidate configuration snapshot (instead of the default snapshot)
  1. Select Device > Setup > Operations and click Load named configuration snapshot.
  2. Select the snapshot Name and click OK.
  3. (Optional) Click Commit to overwrite the running configuration with the snapshot.

Restore a running or candidate configuration that you previously exported to an external host.
  1. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the configuration file on the external host, and click OK.
  2. Click Load named configuration snapshot, select the Name of the configuration file you just imported, and click OK.
  3. (Optional) Click Commit to overwrite the running configuration with the snapshot you just imported.

Restore state information that you exported from a firewall.
  Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
  Import state information:
  1. Select Device > Setup > Operations, click Import device state, Browse to the state bundle, and click OK.
  2. (Optional) Click Commit to apply the imported state information to the running configuration.


Manage Firewall Administrators
Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall.
As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators.

  Administrative Roles

  Administrative Authentication

  Configure Administrative Accounts and Authentication

Administrative Roles
A role defines the type of access that an administrator has to the firewall.

  Administrative Role Types

  Configure an Admin Role Profile

Administrative Role Types
The role types are:

  Dynamic Roles: These are built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.

    Dynamic Role: Superuser
    Privileges: Full access to the firewall, including defining new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.

    Dynamic Role: Superuser (read-only)
    Privileges: Read-only access to the firewall.

    Dynamic Role: Virtual system administrator
    Privileges: Full access to a selected virtual system (vsys) on the firewall.

    Dynamic Role: Virtual system administrator (read-only)
    Privileges: Read-only access to a selected vsys on the firewall.

    Dynamic Role: Device administrator
    Privileges: Full access to all firewall settings except for defining new accounts or virtual systems.

    Dynamic Role: Device administrator (read-only)
    Privileges: Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).

  Admin Role Profiles: Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a multi-vsys firewall, you can select whether the role defines access for all virtual systems or for a specific vsys. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.

Configure an Admin Role Profile
Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.
As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.

Configure an Admin Role Profile

Step 1  Select Device > Admin Roles and click Add.

Step 2  Enter a Name to identify the role.

Step 3  For the scope of the Role, select Device or Virtual System.

Step 4  In the Web UI and XML API tabs, click the icon for each functional area to toggle it to the desired setting: Enable, Read Only, or Disable. For details on the Web UI options, see Web Interface Access Privileges.

Step 5  Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
  Device role: superuser, superreader, deviceadmin, devicereader, or None
  Virtual System role: vsysadmin, vsysreader, or None

Step 6  Click OK to save the profile.

Step 7  Assign the role to an administrator. See Configure an Administrative Account.

Administrative Authentication
You can configure the following types of administrator authentication:

  Account Type: Local
  Authentication Method: Local (no database)
  Description: The administrator account credentials and the authentication mechanisms are local to the firewall. You can further secure local accounts by setting global password complexity and expiration settings for all accounts or by creating a password profile that defines password expiration settings for specific accounts. For details, see Configure an Administrative Account.

  Account Type: Local
  Authentication Method: Local database
  Description: The firewall uses a local database to store the administrator account credentials and to perform authentication. If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.

  Account Type: Local
  Authentication Method: SSL-based
  Description: The administrator accounts are local to the firewall, but authentication is based on SSH certificates (for CLI access) or client certificates (for web interface access). For details, see Configure SSH Key-Based Administrator Authentication to the CLI and Configure Certificate-Based Administrator Authentication to the Web Interface.

  Account Type: Local
  Authentication Method: External service
  Description: The administrator accounts are local to the firewall, but external services (LDAP, Kerberos, TACACS+, or RADIUS) handle the authentication functions. If your network supports Kerberos single sign-on (SSO), you can configure external authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.

  Account Type: External
  Authentication Method: External service
  Description: An external RADIUS server handles account management and authentication. You must define Vendor-Specific Attributes (VSAs) on your RADIUS server that map to the administrator role, access domain, user group (if applicable), and virtual system (if applicable). For details, see Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.

Configure Administrative Accounts and Authentication
If you have already configured Administrative Roles and external authentication services (if applicable), you can Configure an Administrative Account. Otherwise, perform one of the other procedures listed below to configure administrative accounts for specific types of authentication.
Administrative accounts specify how administrators authenticate to the firewall. To configure how the firewall authenticates to administrators, see Replace the Certificate for Inbound Management Traffic.

  Configure an Administrative Account

  Configure Kerberos SSO and External or Local Authentication for Administrators

  Configure Certificate-Based Administrator Authentication to the Web Interface

  Configure SSH Key-Based Administrator Authentication to the CLI

  Configure RADIUS Vendor-Specific Attributes for Administrator Authentication

Configure an Administrative Account
Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls.


Configure an Administrative Account

Step 1  (Optional) Define password complexity and expiration settings for administrator accounts that are local to the firewall.
  These settings can help protect the firewall against unauthorized access by making it harder for attackers to guess passwords.
  You cannot configure these settings for local accounts that use a local database or external service for authentication.
  1. Define global password complexity and expiration settings for all local administrators.
     a. Select Device > Setup > Management and edit the Minimum Password Complexity settings.
     b. Select Enabled.
     c. Define the password settings and click OK.
  2. Define a Password Profile if you want certain local administrators to have password expiration settings that override the global settings.
     a. Select Device > Password Profiles and Add a profile.
     b. Enter a Name to identify the profile.
     c. Define the password expiration settings and click OK.

Step 2  Add an administrative account.
  1. Select Device > Administrators and Add an administrator.
  2. Enter a user Name.
  3. Select an Authentication Profile or sequence if you configured either for the user.
     The default option (None) specifies that the firewall will locally manage and authenticate the account without a local database. In this case, you must enter and confirm a Password.
  4. Select the Administrator Type. If you configured a custom role for the user, select Role Based and select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If the dynamic role is virtual system administrator, add one or more virtual systems that the virtual system administrator is allowed to manage.
  5. (Optional) Select a Password Profile for local administrators. This option is available only if you set the Authentication Profile to None.
  6. Click OK and Commit.

Configure Kerberos SSO and External or Local Authentication for Administrators
You can configure the firewall to first try Kerberos single sign-on (SSO) authentication and, if that fails, fall back to External service or Local database authentication.

Configure Kerberos SSO and External or Local Authentication for Administrators

Step 1  Configure a Kerberos keytab for the firewall.
  Required for Kerberos SSO authentication.
  Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall.

Step 2  Configure a local database or external server profile.
  Required for local database or external authentication.
  Local database authentication: Perform the following tasks:
    a. Configure the user account.
    b. (Optional) Configure a user group.
  External authentication: Perform one of the following tasks:
    Configure a RADIUS Server Profile.
    Configure a TACACS+ Server Profile.
    Configure an LDAP Server Profile.
    Configure a Kerberos Server Profile.

Step 3  Configure an authentication profile.
  If your users are in multiple Kerberos realms, create an authentication profile for each realm and assign all the profiles to an authentication sequence. You can then assign the same authentication sequence to all user accounts (Step 4).
  Configure an Authentication Profile and Sequence.

Step 4  Configure an administrator account.
  Configure an Administrative Account.
    For local database authentication, specify the Name of the user you defined in Step 2.
    Assign the Authentication Profile or sequence and the Admin Role Profile that you just created.

Configure Certificate-Based Administrator Authentication to the Web Interface
As a more secure alternative to password-based authentication to the web interface of a Palo Alto Networks firewall, you can configure certificate-based authentication for administrator accounts that are local to the firewall. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on the firewall; administrators thereafter require the certificate to log in.

Configure Certificate-Based Administrator Authentication to the Web Interface

Step 1  Generate a certificate authority (CA) certificate on the firewall.
  You will use this CA certificate to sign the client certificate of each administrator.
  Create a Self-Signed Root CA Certificate.
  Alternatively, Import a Certificate and Private Key from your enterprise CA.

Step 2  Configure a certificate profile for securing access to the web interface.
  Configure a Certificate Profile.
    Set the Username Field to Subject.
    In the CA Certificates section, Add the CA Certificate you just created or imported.

Step 3  Configure the firewall to use the certificate profile for authenticating administrators.
  1. Select Device > Setup > Management and edit the Authentication Settings.
  2. Select the Certificate Profile you created for authenticating administrators and click OK.

Step 4  Configure the administrator accounts to use client certificate authentication.
  For each administrator who will access the firewall web interface, Configure an Administrative Account and select Use only client certificate authentication.
  If you have already deployed client certificates that your enterprise CA generated, skip to Step 8. Otherwise, go to Step 5.

Step 5  Generate a client certificate for each administrator.
  Generate a Certificate. In the Signed By drop-down, select a self-signed root CA certificate.

Step 6  Export the client certificate.
  1. Export a Certificate and Private Key.
  2. Commit your changes. The firewall restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.

Step 7  Import the client certificate into the client system of each administrator who will access the web interface.
  Refer to your web browser documentation.

Step 8  Verify that administrators can access the web interface.
  1. Open the firewall IP address in a browser on the computer that has the client certificate.
  2. When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
  3. Add the certificate to the browser exception list.
  4. Click Login. The web interface should appear without prompting you for a username or password.

Configure SSH Key-Based Administrator Authentication to the CLI
For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of brute-force attacks, provide the option for two-factor authentication (key and passphrase), and don't send passwords over the network. SSH keys also enable automated scripts to access the CLI.

Configure SSH Key-Based Administrator Authentication to the CLI

Step 1: Use an SSH key generation tool to create an asymmetric key pair on the client system of the administrator. The supported key formats are IETF SECSH and OpenSSH. The supported algorithms are DSA (1,024 bits) and RSA (768-4,096 bits).
  For the commands to generate the key pair, refer to your SSH client documentation.
  The public key and private key are separate files. Save both to a location that the firewall can access. For added security, enter a passphrase to encrypt the private key. The firewall prompts the administrator for this passphrase during login.

Step 2: Configure the administrator account to use public key authentication.
  1. Configure an Administrative Account.
     Configure the authentication method to use as a fallback if SSH key authentication fails. If you configured an Authentication Profile for the administrator, select it in the drop-down. If you select None, you must enter a Password and Confirm Password.
     Select Use Public Key Authentication (SSH), then Import Key, Browse to the public key you just generated, and click OK.
  2. Commit your changes.

Step 3: Configure the SSH client to use the private key to authenticate to the firewall.
  Perform this task on the client system of the administrator. For the steps, refer to your SSH client documentation.

Step 4: Verify that the administrator can access the firewall CLI using SSH key authentication.
  1. Use a browser on the client system of the administrator to go to the firewall IP address.
  2. Log in to the firewall CLI as the administrator. After entering a username, you will see the following output (the key value is an example):
     Authenticating with public key dsa-key-20130415
  3. If prompted, enter the passphrase you defined when creating the keys.
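
As an added example that is not part of the guide, the following Python check inspects a public key file before you Import Key in Step 2: it confirms the key is in OpenSSH one-line format and that its algorithm and size fall within what the guide lists as supported (DSA 1,024 bits, RSA 768-4,096 bits). The sample keys are constructed inline from arbitrary numbers and are not real keys; the helper names are this example's own.

```python
import base64
import struct

# Algorithm and key-size limits the guide lists for PAN-OS 7.1 SSH key authentication
SUPPORTED_BITS = {
    "ssh-rsa": (768, 4096),
    "ssh-dss": (1024, 1024),
}


def _ssh_string(data):
    """Encode an RFC 4251 'string' (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """Encode an RFC 4251 'mpint': big-endian two's complement, leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob, offset):
    """Decode one length-prefixed field, returning (bytes, next_offset); rejects truncated blobs."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("field length exceeds key blob")
    return blob[start:end], end


def make_public_key_line(key_type, *numbers, comment="constructed-sample"):
    """Build an OpenSSH one-line public key from a key type and its mpint fields (sample data only)."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_mpint(n) for n in numbers)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


def inspect_public_key(line):
    """Parse an OpenSSH public key line; report type, size in bits and whether the firewall accepts it."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type, offset = _read_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)   # e
        modulus, offset = _read_string(blob, offset)     # n: its size is the RSA key size
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type == "ssh-dss":
        prime, offset = _read_string(blob, offset)       # p: its size is the DSA key size
        bits = int.from_bytes(prime, "big").bit_length()
    else:
        # e.g. ssh-ed25519 or ecdsa-sha2-*: not in the guide's supported list for 7.1
        return {"type": key_type, "bits": None, "supported": False}
    low, high = SUPPORTED_BITS[key_type]
    return {"type": key_type, "bits": bits, "supported": low <= bits <= high}


if __name__ == "__main__":
    # Constructed sample: a 2048-bit "modulus" with public exponent 65537 (not a real key)
    sample = make_public_key_line("ssh-rsa", 65537, (1 << 2047) + 12345)
    print(inspect_public_key(sample))
```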

Configure RADIUS Vendor-Specific Attributes for Administrator Authentication
The following procedure provides an overview of the tasks required to use RADIUS Vendor-Specific Attributes (VSAs) for administrator authentication to Palo Alto Networks firewalls. For detailed instructions, refer to the following Knowledge Base articles:

  For Windows 2003 Server, Windows 2008 (and later), and Cisco ACS 4.0: RADIUS Vendor-Specific Attributes (VSAs)
  For Cisco ACS 5.2: Configuring Cisco ACS 5.2 for use with Palo Alto VSA

Before starting this procedure, you must:
  Create the administrative accounts in the directory service that your network uses (for example, Active Directory).
  Set up a RADIUS server that can communicate with that directory service.

Use RADIUS Vendor-Specific Attributes for Account Authentication

Step 1: Configure the firewall.
  1. Configure an Admin Role Profile if the administrator will use a custom role.
  2. Configure an access domain if the firewall has more than one virtual system (vsys):
     a. Select Device > Access Domain, Add an access domain, and enter a Name to identify the access domain.
     b. Add each vsys that the administrator will access, and then click OK.
  3. Configure a RADIUS Server Profile.
  4. Configure an authentication profile. Set the authentication Type to RADIUS and assign the RADIUS Server Profile.
  5. Configure the firewall to use the authentication profile for administrator access: Select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile.
  6. Click OK and Commit.

Step 2: Configure the RADIUS server.
  1. Add the firewall IP address or hostname as the RADIUS client.
  2. Define the VSAs for administrator authentication. You must specify the vendor code (25461 for Palo Alto Networks firewalls) and the VSA name, number, and value: see RADIUS Vendor-Specific Attributes Support.
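
As an added example, not from the guide: the Python below encodes the RFC 2865 Vendor-Specific attribute (type 26) that the RADIUS server returns in Step 2, item 2, using the vendor code 25461 from the guide, and extracts the Palo Alto sub-attributes from a constructed Access-Accept attribute list while skipping other vendors. The vendor type numbers 1 (PaloAlto-Admin-Role) and 2 (PaloAlto-Admin-Access-Domain) come from the Palo Alto RADIUS dictionary and are not stated on this page; confirm them against the Knowledge Base article the guide references before relying on them.

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type for Vendor-Specific
VENDOR_PALOALTO = 25461       # vendor code given in the guide for Palo Alto Networks firewalls
# Sub-attribute (vendor type) numbers from the Palo Alto RADIUS dictionary; not stated on this
# page, so verify them against the Knowledge Base article the guide references.
PALOALTO_ADMIN_ROLE = 1
PALOALTO_ADMIN_ACCESS_DOMAIN = 2
REPLY_MESSAGE = 18            # standard attribute used only to pad the constructed sample


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: type, length, vendor-id, then vendor-type/length/value."""
    if isinstance(value, str):
        value = value.encode()
    sub = struct.pack(">BB", vendor_type, 2 + len(value)) + value
    body = struct.pack(">I", vendor_id) + sub
    if 2 + len(body) > 255:                      # the RADIUS attribute length is a single octet
        raise ValueError("VSA value too long for one attribute")
    return struct.pack(">BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(data):
    """Walk a RADIUS attribute list, yielding (type, payload); rejects malformed lengths."""
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2 or offset + attr_len > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[offset + 2:offset + attr_len]
        offset += attr_len


def paloalto_vsas(data):
    """Return {vendor_type: value} for every Palo Alto sub-attribute; other vendors are skipped."""
    found = {}
    for attr_type, payload in iter_attributes(data):
        if attr_type != VENDOR_SPECIFIC or len(payload) < 6:
            continue
        (vendor_id,) = struct.unpack(">I", payload[:4])
        if vendor_id != VENDOR_PALOALTO:
            continue
        offset = 4                                # several sub-attributes may share one VSA
        while offset + 2 <= len(payload):
            vtype, vlen = payload[offset], payload[offset + 1]
            if vlen < 2 or offset + vlen > len(payload):
                raise ValueError("bad vendor sub-attribute length")
            found[vtype] = payload[offset + 2:offset + vlen]
            offset += vlen
    return found


def admin_role_from_reply(data):
    """Map an Access-Accept attribute list to (admin role, access domain); None where absent."""
    vsas = paloalto_vsas(data)
    role = vsas.get(PALOALTO_ADMIN_ROLE)
    domain = vsas.get(PALOALTO_ADMIN_ACCESS_DOMAIN)
    return (role.decode() if role else None, domain.decode() if domain else None)


def sample_access_accept():
    """Constructed attribute list: a Reply-Message, two Palo Alto VSAs and one foreign-vendor VSA."""
    return (
        struct.pack(">BB", REPLY_MESSAGE, 2 + 7) + b"welcome"
        + build_vsa(VENDOR_PALOALTO, PALOALTO_ADMIN_ROLE, "ops-readonly")          # custom Admin Role Profile name
        + build_vsa(VENDOR_PALOALTO, PALOALTO_ADMIN_ACCESS_DOMAIN, "vsys-finance")  # access domain name
        + build_vsa(9, 1, "cisco-avpair-ignored")                                   # vendor 9 (Cisco): must be skipped
    )


if __name__ == "__main__":
    print(admin_role_from_reply(sample_access_accept()))   # ('ops-readonly', 'vsys-finance')
```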


Reference: Web Interface Administrator Access
You can configure privileges for an entire firewall or for one or more virtual systems (on platforms that support multiple virtual systems). Within that Device or Virtual System designation, you can configure privileges for custom administrator roles, which are more granular than the fixed privileges associated with a dynamic administrator role.
Configuring privileges at a granular level ensures that lower-level administrators cannot access certain information. You can create custom roles for firewall administrators (see Configure an Administrative Account), Panorama administrators, or Device Group and Template administrators (refer to the Panorama Administrator's Guide). You apply the admin role to a custom role-based administrator account where you can assign one or more virtual systems. The following topics describe the privileges you can configure for custom administrator roles.

  Web Interface Access Privileges
  Panorama Web Interface Access

Web Interface Access Privileges
If you want to prevent a role-based administrator from accessing specific tabs on the web interface, you can disable the tab and the administrator will not even see it when logging in using the associated role-based administrative account. For example, you could create an Admin Role Profile for your operations staff that provides access to the Device and Network tabs only and a separate profile for your security administrators that provides access to the Object, Policy, and Monitor tabs.
An admin role can apply at the Device level or Virtual System level; the choice is made in the Admin Role Profile by clicking the Device or Virtual System radio button. If the Virtual System button is selected, the admin assigned this profile is restricted to the virtual system(s) he or she is assigned to. Furthermore, only the Device > Setup > Services > Virtual Systems tab is available to that admin, not the Global tab.
The following table describes the tab-level access privileges you can assign to the admin role profile at the Device level. It also provides cross-references to additional tables that detail granular privileges within a tab.
You can also configure an Admin Role profile to:

  Define User Privacy Settings in the Administrator Role Profile
  Restrict Administrator Access to Commit Functions
  Restrict Administrator Access to Validate Functions
  Provide Granular Access to Global Settings

Columns: Access Level; Description; Enable / Read Only / Disable

Dashboard (Enable: Yes, Read Only: No, Disable: Yes)
  Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.

ACC (Enable: Yes, Read Only: No, Disable: Yes)
  Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.

Monitor (Enable: Yes, Read Only: No, Disable: Yes)
  Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.

Policies (Enable: Yes, Read Only: No, Disable: Yes)
  Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.

Objects (Enable: Yes, Read Only: No, Disable: Yes)
  Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.

Network (Enable: Yes, Read Only: No, Disable: Yes)
  Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.

Device (Enable: Yes, Read Only: No, Disable: Yes)
  Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, high availability, server profile or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
  You cannot enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.

Provide Granular Access to the Monitor Tab
In some cases you might want to enable the administrator to view some but not all areas of the Monitor tab. For example, you might want to restrict operations administrators to the Config and System logs only, because they do not contain sensitive user data. Although this section of the administrator role definition specifies what areas of the Monitor tab the administrator can see, you can also couple privileges in this section with privacy privileges, such as disabling the ability to see user names in logs and reports. One thing to keep in mind, however, is that any system-generated reports will still show user names and IP addresses even if you disable that functionality in the role. For this reason, if you do not want the administrator to see any of the private user information, disable access to the specific reports as detailed in the following table.
The following table lists the Monitor tab access levels and the administrator roles for which they are available.
Device Group and Template roles can see log data only for the device groups that are within the access domains assigned to those roles.

Columns: Access Level; Description; Administrator Role Availability (Firewall / Panorama / Device Group and Template); Enable / Read Only / Disable

Monitor (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Enables or disables access to the Monitor tab. If disabled, the administrator will not see this tab or any of the associated logs or reports.

Logs (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Enables or disables access to all log files. You can also leave this privilege enabled and then disable specific logs that you do not want the administrator to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the logs, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.

Traffic (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the traffic logs.

Threat (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the threat logs.

URL Filtering (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the URL filtering logs.

WildFire Submissions (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the WildFire logs. These logs are only available if you have a WildFire subscription.

Data Filtering (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the data filtering logs.

HIP Match (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the HIP Match logs. HIP Match logs are only available if you have a GlobalProtect portal license and gateway subscription.

Configuration (Firewall: Yes, Panorama: Yes, Device Group/Template: No; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the configuration logs.

System (Firewall: Yes, Panorama: Yes, Device Group/Template: No; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the system logs.

Alarms (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see system-generated alarms.

Automated Correlation Engine (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Enables or disables access to the correlation objects and correlated event logs generated on the firewall.

Correlation Objects (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can view and enable/disable the correlation objects.

Correlated Events (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator
Packet Capture (Firewall: Yes, Panorama: No, Device Group/Template: No; Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can see packet captures (pcaps) from the Monitor tab. Keep in mind that packet captures are raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the pcap and you should therefore disable the Packet Capture privilege if you are concerned about user privacy.

App Scope (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the App Scope visibility and analysis tools. Enabling App Scope enables access to all of the App Scope charts.

Session Browser (Firewall: Yes, Panorama: No, Device Group/Template: No; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can browse and filter current running sessions on the firewall. Keep in mind that the session browser shows raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the session browser and you should therefore disable the Session Browser privilege if you are concerned about user privacy.

Botnet (Firewall: Yes, Panorama: No, Device Group/Template: No; Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can generate and view botnet analysis reports or view botnet reports in read-only mode. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in scheduled botnet reports and you should therefore disable the Botnet privilege if you are concerned about user privacy.

PDF Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Enables or disables access to all PDF reports. You can also leave this privilege enabled and then disable specific PDF reports that you do not want the administrator to see. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.

Manage PDF Summary (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add or delete PDF summary report definitions. With read-only access, the administrator can see PDF summary report definitions, but not add or delete them. If you disable this option, the administrator can neither view the report definitions nor add/delete them.

PDF Summary Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the generated PDF Summary reports in Monitor > Reports. If you disable this option, the PDF Summary Reports category will not display in the Reports node.

User Activity Report (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add or delete User Activity report definitions and download the reports. With read-only access, the administrator can see User Activity report definitions, but not add, delete, or download them. If you disable this option, the administrator cannot see this category of PDF report.

SaaS Application Usage Report (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add or delete a SaaS application usage report. With read-only access, the administrator can see the SaaS application usage report definitions, but cannot add or delete them. If you disable this option, the administrator can neither view the report definitions nor add or delete them.

Report Groups (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add or delete report group definitions. With read-only access, the administrator can see report group definitions, but not add or delete them. If you disable this option, the administrator cannot see this category of PDF report.

Email Scheduler (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can schedule report groups for email. Because the generated reports that get emailed may contain sensitive user data that is not removed by disabling the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports options, and because they may also show log data to which the administrator does not have access, you should disable the Email Scheduler option if you have user privacy requirements.

Manage Custom Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Enables or disables access to all custom report functionality. You can also leave this privilege enabled and then disable specific custom report categories that you do not want the administrator to be able to access. Keep in mind that if you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.
  Reports that are scheduled to run rather than run on demand will show IP address and user information. In this case, be sure to restrict access to the corresponding report areas. In addition, the custom report feature does not restrict the ability to generate reports that contain log data contained in logs that are excluded from the administrator role.

Application Statistics (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can create a custom report that includes data from the application statistics database.

Data Filtering Log (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can create a custom report that includes data from the Data Filtering logs.

Threat Log (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can create a custom report that includes data from the Threat logs.

Threat Summary (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can create a custom report that includes data from the Threat Summary database.

Traffic Log (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can create a custom report that includes data from the Traffic logs.

Traffic Summary (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can create a custom report that includes data from the Traffic Summary database.

URL Log (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can create a custom report that includes data from the URL Filtering logs.

Hipmatch (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can create a custom report that includes data from the HIP Match logs.

WildFire Log (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can create a custom report that includes data from the WildFire logs.

View Scheduled Custom Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can view a custom report that has been scheduled to generate.

View Predefined Application Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can view Application Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined Threat Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can view Threat Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined URL Filtering Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can view URL Filtering Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

View Predefined Traffic Reports (Firewall: Yes, Panorama: Yes, Device Group/Template: Yes; Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can view Traffic Reports. Privacy privileges do not impact reports available on the Monitor > Reports node and you should therefore disable access to the reports if you have user privacy requirements.

Provide Granular Access to the Policy Tab
If you enable the Policy option in the Admin Role profile, you can then enable, disable, or provide read-only access to specific nodes within the tab as necessary for the role you are defining. By enabling access to a specific policy type, you enable the ability to view, add, or delete policy rules. By enabling read-only access to a specific policy, you enable the administrator to view the corresponding policy rulebase, but not add or delete rules. Disabling access to a specific type of policy prevents the administrator from seeing the policy rulebase.
Because policy that is based on specific users (by user name or IP address) must be explicitly defined, privacy settings that disable the ability to see full IP addresses or user names do not apply to the Policy tab. Therefore, you should only allow access to the Policy tab to administrators that are excluded from user privacy restrictions.

Columns: Access Level; Description; Enable / Read Only / Disable

Security (Enable: Yes, Read Only: Yes, Disable: Yes)
  Enable this privilege to allow the administrator to view, add, and/or delete security rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the security rulebase, disable this privilege.

NAT (Enable: Yes, Read Only: Yes, Disable: Yes)
  Enable this privilege to allow the administrator to view, add, and/or delete NAT rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the NAT rulebase, disable this privilege.

QoS (Enable: Yes, Read Only: Yes, Disable: Yes)
  Enable this privilege to allow the administrator to view, add, and/or delete QoS rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the QoS rulebase, disable this privilege.

Policy Based Forwarding (Enable: Yes, Read Only: Yes, Disable: Yes)
  Enable this privilege to allow the administrator to view, add, and/or delete Policy Based Forwarding (PBF) rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the PBF rulebase, disable this privilege.

Decryption (Enable: Yes, Read Only: Yes, Disable: Yes)
  Enable this privilege to allow the administrator to view, add, and/or delete decryption rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the decryption rulebase, disable this privilege.

Application Override (Enable: Yes, Read Only: Yes, Disable: Yes)
  Enable this privilege to allow the administrator to view, add, and/or delete application override policy rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the application override rulebase, disable this privilege.

Captive Portal (Enable: Yes, Read Only: Yes, Disable: Yes)
  Enable this privilege to allow the administrator to view, add, and/or delete Captive Portal rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the Captive Portal rulebase, disable this privilege.

DoS Protection (Enable: Yes, Read Only: Yes, Disable: Yes)
  Enable this privilege to allow the administrator to view, add, and/or delete DoS protection rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the DoS protection rulebase, disable this privilege.
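
Pulling together the constraints stated in the tab-level table, the Monitor tab table and the Policy tab section above, this added Python check (not from the guide) audits a proposed Admin Role Profile before you create it: it flags Read Only requested where those tables list it as unavailable, the Admin Roles and Administrators nodes (never enabled for a role-based administrator), and nodes the guide says still expose user IP addresses or user names after the Show Full IP Addresses and Show User Names In Logs And Reports privileges are disabled. The dictionary layout of the role is an assumption made for this example, not the firewall's own representation.

```python
# Privileges for which the tables above list Read Only: No, so a role may only enable or disable them.
NO_READ_ONLY = {
    "Dashboard", "ACC", "Monitor", "Policies", "Objects", "Network", "Device",
    "Monitor/Logs", "Monitor/Logs/Traffic", "Monitor/Logs/Threat", "Monitor/Logs/URL Filtering",
    "Monitor/Logs/WildFire Submissions", "Monitor/Logs/Data Filtering", "Monitor/Logs/HIP Match",
    "Monitor/Logs/Configuration", "Monitor/Logs/System", "Monitor/Logs/Alarms",
    "Monitor/App Scope", "Monitor/Session Browser", "Monitor/PDF Reports",
    "Monitor/PDF Reports/PDF Summary Reports", "Monitor/Manage Custom Reports",
}

# Nodes that cannot be enabled for a role-based administrator even with full Device tab access.
NEVER_ENABLED = {"Device/Admin Roles", "Device/Administrators"}

# Nodes the guide says still show user IP addresses or user names after the
# Show Full IP Addresses / Show User Names In Logs And Reports privileges are disabled.
PRIVACY_NOT_ENFORCED = {
    "Monitor/Packet Capture": "packet captures are raw flow data",
    "Monitor/Session Browser": "the session browser shows raw flow data",
    "Monitor/Botnet": "scheduled botnet reports are not obfuscated",
    "Monitor/PDF Reports/Email Scheduler": "emailed reports keep user data and may include logs outside the role",
    "Monitor/View Predefined Application Reports": "privacy privileges do not apply to Monitor > Reports",
    "Monitor/View Predefined Threat Reports": "privacy privileges do not apply to Monitor > Reports",
    "Monitor/View Predefined URL Filtering Reports": "privacy privileges do not apply to Monitor > Reports",
    "Monitor/View Predefined Traffic Reports": "privacy privileges do not apply to Monitor > Reports",
    "Monitor/Manage Custom Reports": "scheduled custom reports show IP address and user information",
    "Policies": "policy rules name users and IP addresses explicitly",
}

VALID_STATES = {"enable", "read-only", "disable"}


def audit_admin_role(role):
    """role = {"privileges": {node: state}, "privacy": {"show_full_ip": bool, "show_user_names": bool}}.
    Returns a sorted list of (node, finding) pairs; an empty list means no conflict with the tables."""
    findings = []
    privacy = role.get("privacy", {})
    privacy_restricted = not privacy.get("show_full_ip", True) or not privacy.get("show_user_names", True)
    for node, state in role["privileges"].items():
        if state not in VALID_STATES:
            findings.append((node, "unknown state %r" % state))
            continue
        if node in NEVER_ENABLED and state != "disable":
            findings.append((node, "cannot be enabled for a role-based administrator"))
        if state == "read-only" and node in NO_READ_ONLY:
            findings.append((node, "Read Only is not available here; choose enable or disable"))
        if privacy_restricted and state != "disable" and node in PRIVACY_NOT_ENFORCED:
            findings.append((node, "privacy privileges are bypassed: " + PRIVACY_NOT_ENFORCED[node]))
    return sorted(findings)


def sample_ops_role():
    """Constructed role for an operations administrator who must not see user data."""
    return {
        "privacy": {"show_full_ip": False, "show_user_names": False},
        "privileges": {
            "Dashboard": "enable",
            "Monitor": "enable",
            "Monitor/Logs/Configuration": "enable",
            "Monitor/Logs/System": "enable",
            "Monitor/Logs/Traffic": "disable",
            "Monitor/Packet Capture": "enable",          # leaks IP addresses despite privacy settings
            "Monitor/Session Browser": "read-only",      # Read Only not offered, and leaks raw flow data
            "Policies": "read-only",                     # Read Only not offered at tab level
            "Device": "enable",
            "Device/Admin Roles": "enable",              # never allowed for a role-based admin
        },
    }


if __name__ == "__main__":
    for node, finding in audit_admin_role(sample_ops_role()):
        print("%-28s %s" % (node, finding))
```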

Provide Granular Access to the Objects Tab
An object is a container that groups specific policy filter values such as IP addresses, URLs, applications, or services for simplified rule definition. For example, an address object might contain specific IP address definitions for the web and application servers in your DMZ zone.
When deciding whether to allow access to the objects tab as a whole, determine whether the administrator will have policy definition responsibilities. If not, the administrator probably does not need access to the tab. If, however, the administrator will need to create policy, you can enable access to the tab and then provide granular access privileges at the node level.
By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding object type. Giving read-only access allows the administrator to view the already defined objects, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.

Columns: Access Level; Description; Enable / Read Only / Disable

Addresses (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete address objects for use in security policy.

Address Groups (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete address group objects for use in security policy.

Regions (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete regions objects for use in security, decryption, or DoS policy.

Applications (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete application objects for use in policy.

Application Groups (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete application group objects for use in policy.

Application Filters (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete application filters for simplification of repeated searches.

Services (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete service objects for use in creating policy rules that limit the port numbers an application can use.

Service Groups (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete service group objects for use in security policy.

Tags (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete tags that have been defined on the firewall.

GlobalProtect (Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can view, add, or delete HIP objects and profiles. You can restrict access to both types of objects at the GlobalProtect level, or provide more granular control by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access.

HIP Objects (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete HIP objects, which are used to define HIP profiles. HIP Objects also generate HIP Match logs.

HIP Profiles (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete HIP Profiles for use in security policy and/or for generating HIP Match logs.

Dynamic Block Lists (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete dynamic block lists for use in security policy.

Custom Objects (Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see the custom spyware and vulnerability signatures. You can restrict access to either enable or disable access to all custom signatures at this level, or provide more granular control by enabling the Custom Objects privilege and then restricting access to each type of signature.

Data Patterns (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete custom data pattern signatures for use in creating custom Vulnerability Protection profiles.

Spyware (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete custom spyware signatures for use in creating custom Vulnerability Protection profiles.

Vulnerability (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete custom vulnerability signatures for use in creating custom Vulnerability Protection profiles.

URL Category (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete custom URL categories for use in policy.

Security Profiles (Enable: Yes, Read Only: No, Disable: Yes)
  Specifies whether the administrator can see security profiles. You can restrict access to either enable or disable access to all security profiles at this level, or provide more granular control by enabling the Security Profiles privilege and then restricting access to each type of profile.

Antivirus (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete antivirus profiles.

Anti-Spyware (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete Anti-Spyware profiles.

Vulnerability Protection (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete Vulnerability Protection profiles.

URL Filtering (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete URL filtering profiles.

File Blocking (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete file blocking profiles.

Data Filtering (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete data filtering profiles.

DoS Protection (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete DoS protection profiles.

Security Profile Groups (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete security profile groups.

Log Forwarding (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete log forwarding profiles.

Decryption Profile (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete decryption profiles.

Schedules (Enable: Yes, Read Only: Yes, Disable: Yes)
  Specifies whether the administrator can view, add, or delete schedules for limiting a security policy to a specific date and/or time range.

ProvideGranularAccesstotheNetworkTab
WhendecidingwhethertoallowaccesstotheNetworktabasawhole,determinewhethertheadministrator
willhavenetworkadministrationresponsibilities,includingGlobalProtectadministration.Ifnot,the
administratorprobablydoesnotneedaccesstothetab.
YoucanalsodefineaccesstotheNetworktabatthenodelevel.Byenablingaccesstoaspecificnode,you
givetheadministratortheprivilegetoview,add,anddeletethecorrespondingnetworkconfigurations.
Givingreadonlyaccessallowstheadministratortoviewthealreadydefinedconfiguration,butnotcreate
ordeleteany.Disablinganodepreventstheadministratorfromseeingthenodeinthewebinterface.
AccessLevel

Description

Interfaces

Specifieswhethertheadministratorcanview,add,or Yes
deleteinterfaceconfigurations.

Yes

Yes

Zones

Specifieswhethertheadministratorcanview,add,or Yes
deletezones.

Yes

Yes

VLANs

Specifieswhethertheadministratorcanview,add,or Yes
deleteVLANs.

Yes

Yes

VirtualWires

Specifieswhethertheadministratorcanview,add,or Yes
deletevirtualwires.

Yes

Yes

VirtualRouters

Specifieswhethertheadministratorcanview,add,
modifyordeletevirtualrouters.

Yes

Yes

Yes

IPSecTunnels

Specifieswhethertheadministratorcanview,add,
modify,ordeleteIPSecTunnelconfigurations.

Yes

Yes

Yes

Palo Alto Networks, Inc.
PAN-OS 7.1 Administrator's Guide 91
Reference: Web Interface Administrator Access
Firewall Administration

Access Level | Description | Enable | Read Only | Disable

DHCP | Specifies whether the administrator can view, add, modify, or delete DHCP server and DHCP relay configurations. | Yes | Yes | Yes
DNS Proxy | Specifies whether the administrator can view, add, modify, or delete DNS proxy configurations. | Yes | Yes | Yes
GlobalProtect | Specifies whether the administrator can view, add, or modify GlobalProtect portal and gateway configurations. You can disable access to the GlobalProtect functions entirely, or you can enable the GlobalProtect privilege and then restrict the role to either the portal or gateway configuration areas. | Yes | No | Yes
Portals | Specifies whether the administrator can view, add, modify, or delete GlobalProtect portal configurations. | Yes | Yes | Yes
Gateways | Specifies whether the administrator can view, add, modify, or delete GlobalProtect gateway configurations. | Yes | Yes | Yes
MDM | Specifies whether the administrator can view, add, modify, or delete GlobalProtect MDM server configurations. | Yes | Yes | Yes
Device Block List | Specifies whether the administrator can view, add, modify, or delete device block lists. | Yes | Yes | Yes
QoS | Specifies whether the administrator can view, add, modify, or delete QoS configurations. | Yes | Yes | Yes
LLDP | Specifies whether the administrator can view, add, modify, or delete LLDP configurations. | Yes | Yes | Yes
Network Profiles | Sets the default state to enable or disable for all of the Network settings described below. | Yes | No | Yes
IKE Gateways | Controls access to the Network Profiles > IKE Gateways node. If you disable this privilege, the administrator will not see the IKE Gateways node or define gateways that include the configuration information necessary to perform IKE protocol negotiation with a peer gateway. If the privilege state is set to read only, you can view the currently configured IKE Gateways but cannot add or edit gateways. | Yes | Yes | Yes
GlobalProtect IPSec Crypto | Controls access to the Network Profiles > GlobalProtect IPSec Crypto node. If you disable this privilege, the administrator will not see that node, or configure algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway and clients. If you set the privilege to read only, the administrator can view existing GlobalProtect IPSec Crypto profiles but cannot add or edit them. | Yes | Yes | Yes
IPSec Crypto | Controls access to the Network Profiles > IPSec Crypto node. If you disable this privilege, the administrator will not see the Network Profiles > IPSec Crypto node or specify protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPSec SA negotiation. If the privilege state is set to read only, you can view the currently configured IPSec Crypto configuration but cannot add or edit a configuration. | Yes | Yes | Yes
IKE Crypto | Controls how devices exchange information to ensure secure communication. Specify the protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPsec SA negotiation (IKEv1 Phase 1). | Yes | Yes | Yes
Monitor | Controls access to the Network Profiles > Monitor node. If you disable this privilege, the administrator will not see the Network Profiles > Monitor node or be able to create or edit a monitor profile that is used to monitor IPSec tunnels and monitor a next-hop device for policy-based forwarding (PBF) rules. If the privilege state is set to read only, you can view the currently configured monitor profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes
Interface Mgmt | Controls access to the Network Profiles > Interface Mgmt node. If you disable this privilege, the administrator will not see the Network Profiles > Interface Mgmt node or be able to specify the protocols that are used to manage the firewall. If the privilege state is set to read only, you can view the currently configured Interface management profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes
Zone Protection | Controls access to the Network Profiles > Zone Protection node. If you disable this privilege, the administrator will not see the Network Profiles > Zone Protection node or be able to configure a profile that determines how the firewall responds to attacks from specified security zones. If the privilege state is set to read only, you can view the currently configured Zone Protection profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes
QoS Profile | Controls access to the Network Profiles > QoS node. If you disable this privilege, the administrator will not see the Network Profiles > QoS node or be able to configure a QoS profile that determines how QoS traffic classes are treated. If the privilege state is set to read only, you can view the currently configured QoS profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes
LLDP Profile | Controls access to the Network Profiles > LLDP node. If you disable this privilege, the administrator will not see the Network Profiles > LLDP node or be able to configure an LLDP profile that controls whether the interfaces on the firewall can participate in the Link Layer Discovery Protocol. If the privilege state is set to read only, you can view the currently configured LLDP profile configuration but cannot add or edit a configuration. | Yes | Yes | Yes
BFD Profile | Controls access to the Network Profiles > BFD Profile node. If you disable this privilege, the administrator will not see the Network Profiles > BFD Profile node or be able to configure a BFD profile. A Bidirectional Forwarding Detection (BFD) profile allows you to configure BFD settings to apply to one or more static routes or routing protocols. Thus, BFD detects a failed link or BFD peer and allows an extremely fast failover. If the privilege state is set to read only, you can view the currently configured BFD profile but cannot add or edit a BFD profile. | Yes | Yes | Yes

Provide Granular Access to the Device Tab

Access Level | Description | Enable | Read Only | Disable
Setup | Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to firewall-wide setup configuration information, such as Management, Operations, Service, Content-ID, WildFire or Session setup information. If the privilege state is set to read only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes
Management | Controls access to the Management node. If you disable this privilege, the administrator will not be able to configure settings such as the hostname, domain, time zone, authentication, logging and reporting, Panorama, management interface, banner, message, and password complexity settings, and more. If the privilege state is set to read only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes
Operations | Controls access to the Operations node. If you disable this privilege, the administrator will not be able to manage configuration files, or reboot or shut down the firewall, among other things. | Yes | Yes | Yes
Services | Controls access to the Services node. If you disable this privilege, the administrator will not be able to configure services for DNS servers, an update server, proxy server, or NTP servers, or set up service routes. If the privilege state is set to read only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes
Content-ID | Controls access to the Content-ID node. If you disable this privilege, the administrator will not be able to configure URL filtering or Content-ID. If the privilege state is set to read only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes
WildFire | Controls access to the WildFire node. If you disable this privilege, the administrator will not be able to configure WildFire settings. If the privilege state is set to read only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes
Session | Controls access to the Session node. If you disable this privilege, the administrator will not be able to configure session settings or timeouts for TCP, UDP or ICMP, or configure decryption or VPN session settings. If the privilege state is set to read only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes
HSM | Controls access to the HSM node. If you disable this privilege, the administrator will not be able to configure a Hardware Security Module. If the privilege state is set to read only, you can view the current configuration but cannot make any changes. | Yes | Yes | Yes
Config Audit | Controls access to the Config Audit node. If you disable this privilege, the administrator will not see the Config Audit node or have access to any firewall-wide configuration information. | Yes | No | Yes
Admin Roles | Controls access to the Admin Roles node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Admin Roles node or have access to any firewall-wide information concerning Admin Role profiles configuration. If you set this privilege to read only, you can view the configuration information for all administrator roles configured on the firewall. | No | Yes | Yes
Administrators | Controls access to the Administrators node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own administrator account. If you set this privilege to read only, the administrator can view the configuration information for their own administrator account. They will not see any information about other administrator accounts configured on the firewall. | No | Yes | Yes
Virtual Systems | Controls access to the Virtual Systems node. If you disable this privilege, the administrator will not see or be able to configure virtual systems. If the privilege state is set to read only, you can view the currently configured virtual systems but cannot add or edit a configuration. | Yes | Yes | Yes
Shared Gateways | Controls access to the Shared Gateways node. Shared gateways allow virtual systems to share a common interface for external communications. If you disable this privilege, the administrator will not see or be able to configure shared gateways. If the privilege state is set to read only, you can view the currently configured shared gateways but cannot add or edit a configuration. | Yes | Yes | Yes
User Identification | Controls access to the User Identification node. If you disable this privilege, the administrator will not see the User Identification node or have access to firewall-wide User Identification configuration information, such as User Mapping, User-ID Agents, Service, Terminal Services Agents, Group Mappings Settings or Captive Portal Settings. If you set this privilege to read only, the administrator can view configuration information for the firewall but is not allowed to perform any configuration procedures. | Yes | Yes | Yes
VM Information Source | Controls access to the VM Information Source node that allows you to configure the firewall/Windows User-ID agent to collect VM inventory automatically. If you disable this privilege, the administrator will not see the VM Information Source node. If you set this privilege to read only, the administrator can view the VM information sources configured but cannot add, edit, or delete any sources. This privilege is not available to Device Group and Template administrators. | Yes | Yes | Yes
High Availability | Controls access to the High Availability node. If you disable this privilege, the administrator will not see the High Availability node or have access to firewall-wide high availability configuration information such as General setup information or Link and Path Monitoring. If you set this privilege to read only, the administrator can view High Availability configuration information for the firewall but is not allowed to perform any configuration procedures. | Yes | Yes | Yes
Certificate Management | Sets the default state to enable or disable for all of the Certificate settings described below. | Yes | No | Yes
Certificates | Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities. If you set this privilege to read only, the administrator can view Certificate configuration information for the firewall but is not allowed to perform any configuration procedures. | Yes | Yes | Yes
Certificate Profile | Controls access to the Certificate Profile node. If you disable this privilege, the administrator will not see the Certificate Profile node or be able to create certificate profiles. If you set this privilege to read only, the administrator can view Certificate Profiles that are currently configured for the firewall but is not allowed to create or edit a certificate profile. | Yes | Yes | Yes
OCSP Responder | Controls access to the OCSP Responder node. If you disable this privilege, the administrator will not see the OCSP Responder node or be able to define a server that will be used to verify the revocation status of certificates issued by the firewall. If you set this privilege to read only, the administrator can view the OCSP Responder configuration for the firewall but is not allowed to create or edit an OCSP responder configuration. | Yes | Yes | Yes
SSL/TLS Service Profile | Controls access to the SSL/TLS Service Profile node. If you disable this privilege, the administrator will not see the node or configure a profile that specifies a certificate and a protocol version or range of versions for firewall services that use SSL/TLS. If you set this privilege to read only, the administrator can view existing SSL/TLS Service profiles but cannot create or edit them. | Yes | Yes | Yes
SCEP | Controls access to the SCEP node. If you disable this privilege, the administrator will not see the node or be able to define a profile that specifies Simple Certificate Enrollment Protocol (SCEP) settings for issuing unique device certificates. If you set this privilege to read only, the administrator can view existing SCEP profiles but cannot create or edit them. | Yes | Yes | Yes
Response Pages | Controls access to the Response Pages node. If you disable this privilege, the administrator will not see the Response Page node or be able to define a custom HTML message that is downloaded and displayed instead of a requested web page or file. If you set this privilege to read only, the administrator can view the Response Page configuration for the firewall but is not allowed to create or edit a response page configuration. | Yes | Yes | Yes
Log Settings | Sets the default state to enable or disable for all of the Log settings described below. | Yes | No | Yes
System | Controls access to the Log Settings > System node. If you disable this privilege, the administrator will not see the Log Settings > System node or be able to specify the severity levels of the system log entries that are logged remotely with Panorama and sent as SNMP traps, syslog messages, and/or email notifications. If you set this privilege to read only, the administrator can view the Log Settings > System configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes
Config | Controls access to the Log Settings > Config node. If you disable this privilege, the administrator will not see the Log Settings > Config node or be able to specify the configuration log entries that are logged remotely with Panorama, and sent as syslog messages and/or email notification. If you set this privilege to read only, the administrator can view the Log Settings > Config configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes
HIP Match | Controls access to the Log Settings > HIP Match node. If you disable this privilege, the administrator will not see the Log Settings > HIP Match node or be able to specify the Host Information Profile (HIP) match log settings that are used to provide information on security rules that apply to GlobalProtect clients. If you set this privilege to read only, the administrator can view the Log Settings > HIP configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes
Alarms | Controls access to the Log Settings > Alarms node. If you disable this privilege, the administrator will not see the Log Settings > Alarms node or be able to configure notifications that are generated when a security rule (or group of rules) has been hit repeatedly in a set period of time. If you set this privilege to read only, the administrator can view the Log Settings > Alarms configuration for the firewall but is not allowed to create or edit a configuration. | Yes | Yes | Yes
Manage Logs | Controls access to the Log Settings > Manage Logs node. If you disable this privilege, the administrator will not see the Log Settings > Manage Logs node or be able to clear the indicated logs. If you set this privilege to read only, the administrator can view the Log Settings > Manage Logs information but cannot clear any of the logs. | Yes | Yes | Yes
Server Profiles | Sets the default state to enable or disable for all of the Server Profiles settings described below. | Yes | No | Yes
SNMP Trap | Controls access to the Server Profiles > SNMP Trap node. If you disable this privilege, the administrator will not see the Server Profiles > SNMP Trap node or be able to specify one or more SNMP trap destinations to be used for system log entries. If you set this privilege to read only, the administrator can view the Server Profiles > SNMP Trap Logs information but cannot specify SNMP trap destinations. | Yes | Yes | Yes
Syslog | Controls access to the Server Profiles > Syslog node. If you disable this privilege, the administrator will not see the Server Profiles > Syslog node or be able to specify one or more syslog servers. If you set this privilege to read only, the administrator can view the Server Profiles > Syslog information but cannot specify syslog servers. | Yes | Yes | Yes
Email | Controls access to the Server Profiles > Email node. If you disable this privilege, the administrator will not see the Server Profiles > Email node or be able to configure an email profile that can be used to enable email notification for system and configuration log entries. If you set this privilege to read only, the administrator can view the Server Profiles > Email information but cannot configure an email profile. | Yes | Yes | Yes
Netflow | Controls access to the Server Profiles > Netflow node. If you disable this privilege, the administrator will not see the Server Profiles > Netflow node or be able to define a NetFlow server profile, which specifies the frequency of the export along with the NetFlow servers that will receive the exported data. If you set this privilege to read only, the administrator can view the Server Profiles > Netflow information but cannot define a Netflow profile. | Yes | Yes | Yes
RADIUS | Controls access to the Server Profiles > RADIUS node. If you disable this privilege, the administrator will not see the Server Profiles > RADIUS node or be able to configure settings for the RADIUS servers that are identified in authentication profiles. If you set this privilege to read only, the administrator can view the Server Profiles > RADIUS information but cannot configure settings for the RADIUS servers. | Yes | Yes | Yes
TACACS+ | Controls access to the Server Profiles > TACACS+ node. If you disable this privilege, the administrator will not see the node or configure settings for the TACACS+ servers that authentication profiles reference. If you set this privilege to read only, the administrator can view existing TACACS+ server profiles but cannot add or edit them. | Yes | Yes | Yes
LDAP | Controls access to the Server Profiles > LDAP node. If you disable this privilege, the administrator will not see the Server Profiles > LDAP node or be able to configure settings for the LDAP servers to use for authentication by way of authentication profiles. If you set this privilege to read only, the administrator can view the Server Profiles > LDAP information but cannot configure settings for the LDAP servers. | Yes | Yes | Yes
Kerberos | Controls access to the Server Profiles > Kerberos node. If you disable this privilege, the administrator will not see the Server Profiles > Kerberos node or configure a Kerberos server that allows users to authenticate natively to a domain controller. If you set this privilege to read only, the administrator can view the Server Profiles > Kerberos information but cannot configure settings for Kerberos servers. | Yes | Yes | Yes
Local User Database | Sets the default state to enable or disable for all of the Local User Database settings described below. | Yes | No | Yes
Users | Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or set up a local database on the firewall to store authentication information for remote access users, firewall administrators, and captive portal users. If you set this privilege to read only, the administrator can view the Local User Database > Users information but cannot set up a local database on the firewall to store authentication information. | Yes | Yes | Yes
User Groups | Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or be able to add user group information to the local database. If you set this privilege to read only, the administrator can view the Local User Database > Users information but cannot add user group information to the local database. | Yes | Yes | Yes
Authentication Profile | Controls access to the Authentication Profile node. If you disable this privilege, the administrator will not see the Authentication Profile node or be able to create or edit authentication profiles that specify local database, RADIUS, TACACS+, LDAP, or Kerberos settings that can be assigned to administrator accounts. If you set this privilege to read only, the administrator can view the Authentication Profile information but cannot create or edit an authentication profile. | Yes | Yes | Yes
Authentication Sequence | Controls access to the Authentication Sequence node. If you disable this privilege, the administrator will not see the Authentication Sequence node or be able to create or edit an authentication sequence. If you set this privilege to read only, the administrator can view the Authentication Profile information but cannot create or edit an authentication sequence. | Yes | Yes | Yes
Access Domain | Controls access to the Access Domain node. If you disable this privilege, the administrator will not see the Access Domain node or be able to create or edit an access domain. If you set this privilege to read only, the administrator can view the Access Domain information but cannot create or edit an access domain. | Yes | Yes | Yes
Scheduled Log Export | Controls access to the Scheduled Log Export node. If you disable this privilege, the administrator will not see the Scheduled Log Export node or be able to schedule exports of logs and save them to a File Transfer Protocol (FTP) server in CSV format or use Secure Copy (SCP) to securely transfer data between the firewall and a remote host. If you set this privilege to read only, the administrator can view the Scheduled Log Export Profile information but cannot schedule the export of logs. | Yes | No | Yes
Software | Controls access to the Software node. If you disable this privilege, the administrator will not see the Software node or view the latest versions of the PAN-OS software available from Palo Alto Networks, read the release notes for each version, and select a release to download and install. If you set this privilege to read only, the administrator can view the Software information but cannot download or install software. | Yes | Yes | Yes
GlobalProtect Client | Controls access to the GlobalProtect Client node. If you disable this privilege, the administrator will not see the GlobalProtect Client node or view available GlobalProtect releases, download the code or activate the GlobalProtect agent. If you set this privilege to read only, the administrator can view the available GlobalProtect Client releases but cannot download or install the agent software. | Yes | Yes | Yes
Dynamic Updates | Controls access to the Dynamic Updates node. If you disable this privilege, the administrator will not see the Dynamic Updates node or be able to view the latest updates, read the release notes for each update, or select an update to upload and install. If you set this privilege to read only, the administrator can view the available Dynamic Updates releases and read the release notes but cannot upload or install the software. | Yes | Yes | Yes
Licenses | Controls access to the Licenses node. If you disable this privilege, the administrator will not see the Licenses node or be able to view the licenses installed or activate licenses. If you set this privilege to read only, the administrator can view the installed Licenses, but cannot perform license management functions. | Yes | Yes | Yes
Support | Controls access to the Support node. If you disable this privilege, the administrator will not see the Support node or be able to access product and security alerts from Palo Alto Networks or generate tech support or stats dump files. If you set this privilege to read only, the administrator can view the Support node and access product and security alerts but cannot generate tech support or stats dump files. | Yes | Yes | Yes
Master Key and Diagnostics | Controls access to the Master Key and Diagnostics node. If you disable this privilege, the administrator will not see the Master Key and Diagnostics node or be able to specify a master key to encrypt private keys on the firewall. If you set this privilege to read only, the administrator can view the Master Key and Diagnostics node and view information about master keys that have been specified but cannot add or edit a new master key configuration. | Yes | Yes | Yes

Define User Privacy Settings in the Administrator Role Profile

Access Level | Description | Enable | Read Only | Disable
Privacy | Sets the default state to enable or disable for all of the privacy settings described below. | Yes | N/A | Yes
Show Full IP addresses | When disabled, full IP addresses obtained by traffic running through the Palo Alto Networks firewall are not shown in logs or reports. In place of the IP addresses that are normally displayed, the relevant subnet is displayed. Scheduled reports that are displayed in the interface through Monitor > Reports and reports that are sent via scheduled emails will still display full IP addresses. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler. | Yes | N/A | Yes
Show User Names in Logs and Reports | When disabled, user names obtained by traffic running through the Palo Alto Networks firewall are not shown in logs or reports. Columns where the user names would normally be displayed are empty. Scheduled reports that are displayed in the interface through Monitor > Reports or reports that are sent via the email scheduler will still display user names. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler. | Yes | N/A | Yes
View PCAP Files | When disabled, packet capture files that are normally available within the Traffic, Threat and Data Filtering logs are not displayed. | Yes | N/A | Yes
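As an added example that is not part of the guide, the following Python script audits a custom role definition against the constraints the Device tab and privacy tables state: the nodes that only allow read-only access (Admin Roles, Administrators), the parent nodes that offer no read-only state and only set a default for the nodes listed beneath them, and the privacy-setting exception under which scheduled and e-mailed reports still show full IP addresses or user names. The dict representation (node name to "enable", "read-only" or "disable") and the sample role are constructed for illustration and are not the firewall's configuration schema.

```python
"""Audit a custom Admin Role profile against the rules in this reference.

Added example; not PAN-OS code. The role is modelled as a dict mapping a
web-interface node name to one of "enable", "read-only" or "disable"
(a constructed representation, not the firewall's XML schema).
"""
from typing import Dict, List, Optional

# Nodes the reference marks "This function can only be allowed for
# read-only access" (the Enable column reads No).
READ_ONLY_ONLY = {"Admin Roles", "Administrators"}

# Nodes whose Read Only column reads No: they can only be enabled or disabled.
NO_READ_ONLY = {
    "GlobalProtect", "Network Profiles", "Config Audit", "Certificate Management",
    "Log Settings", "Server Profiles", "Local User Database", "Scheduled Log Export",
}

# Parent nodes that "set the default state ... for all of the settings
# described below", with the child nodes listed under each in the tables.
CHILDREN = {
    "Network Profiles": ["IKE Gateways", "GlobalProtect IPSec Crypto", "IPSec Crypto",
                         "IKE Crypto", "Monitor", "Interface Mgmt", "Zone Protection",
                         "QoS Profile", "LLDP Profile", "BFD Profile"],
    "Log Settings": ["System", "Config", "HIP Match", "Alarms", "Manage Logs"],
    "Server Profiles": ["SNMP Trap", "Syslog", "Email", "Netflow", "RADIUS",
                        "TACACS+", "LDAP", "Kerberos"],
    "Local User Database": ["Users", "User Groups"],
}

# Privacy settings whose "disable" is bypassed by scheduled and e-mailed
# reports, and the Monitor-tab nodes the reference says to disable with them.
PRIVACY_FLAGS = {"Show Full IP addresses", "Show User Names in Logs and Reports"}
REPORT_NODES = {"Custom Reports", "Application Reports", "Threat Reports",
                "URL Filtering Reports", "Traffic Reports", "Email Scheduler"}

STATES = {"enable", "read-only", "disable"}


def effective_state(role: Dict[str, str], node: str) -> Optional[str]:
    """Explicit state if the role sets the node, else the parent's default."""
    if node in role:
        return role[node]
    for parent, kids in CHILDREN.items():
        if node in kids and parent in role:
            return role[parent]
    return None


def audit_role(role: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means no issues."""
    findings: List[str] = []
    for node, state in role.items():
        if state not in STATES:
            findings.append(f"{node}: unknown state {state!r}")
        elif node in READ_ONLY_ONLY and state == "enable":
            findings.append(f"{node}: full access is not allowed, use read-only")
        elif node in NO_READ_ONLY and state == "read-only":
            findings.append(f"{node}: read-only is not offered, use enable or disable")
    disabled_privacy = sorted(f for f in PRIVACY_FLAGS if role.get(f) == "disable")
    if disabled_privacy:
        # Report nodes that are not explicitly disabled still reveal the data.
        leaking = sorted(n for n in REPORT_NODES if role.get(n) != "disable")
        if leaking:
            findings.append(
                f"{', '.join(disabled_privacy)} disabled but scheduled/e-mailed "
                f"reports still show the data; also disable: {', '.join(leaking)}")
    return findings


# Constructed sample: a role that hides IP addresses but leaves the report
# nodes enabled, grants full access to Admin Roles and sets a parent node
# to the read-only state the tables do not offer.
SAMPLE_ROLE = {
    "Interfaces": "enable",
    "Network Profiles": "disable",         # default for the child nodes below
    "Zone Protection": "read-only",        # explicit override of that default
    "Admin Roles": "enable",               # not permitted: read-only only
    "Log Settings": "read-only",           # not offered for this node
    "Show Full IP addresses": "disable",
    "Custom Reports": "enable",
    "Email Scheduler": "enable",
}

if __name__ == "__main__":
    for line in audit_role(SAMPLE_ROLE):
        print("-", line)
    print("IKE Gateways ->", effective_state(SAMPLE_ROLE, "IKE Gateways"))
```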

Restrict Administrator Access to Commit Functions

Access Level | Description | Enable | Read Only | Disable
Commit | When disabled, an administrator cannot commit any changes to a configuration. | Yes | N/A | Yes

Restrict Administrator Access to Validate Functions

Access Level | Description | Enable | Read Only | Disable
Validate | When disabled, an administrator cannot validate a configuration. | Yes | N/A | Yes

Provide Granular Access to Global Settings

Access Level | Description | Enable | Read Only | Disable
Global | Sets the default state to enable or disable for all of the global settings described below. In effect, this setting is only for System Alarms at this time. | Yes | N/A | Yes
System Alarms | When disabled, an administrator cannot view or acknowledge alarms that are generated. | Yes | N/A | Yes

ProvideGranularAccesstothePanoramaTab
ThefollowingtableliststhePanoramatabaccesslevelsandthecustomPanoramaadministratorrolesfor
whichtheyareavailable.Firewalladministratorscannotaccessanyoftheseprivileges.
AccessLevel

Description

Setup

AdministratorRole
Availability

Enable

Read Disable
Only

Specifieswhethertheadministratorcan Panorama:Yes
vieworeditPanoramasetup
DeviceGroup/Template:No
information,suchasManagement,
Operations,Services,WildFire,or
HSM.
Ifyousettheprivilegeto:
readonly,theadministratorcansee
theinformationbutcannoteditit.
disablethisprivilege,the
administratorcannotseeoreditthe
information.

Yes

Yes

Yes

HighAvailability Specifieswhethertheadministratorcan Panorama:Yes


viewandmanagehighavailability(HA) DeviceGroup/Template:No
settingsforthePanoramamanagement
server.
Ifyousetthisprivilegetoreadonly,the
administratorcanviewHA
configurationinformationforthe
Panoramamanagementserverbutcant
managetheconfiguration.
Ifyoudisablethisprivilege,the
administratorcantseeormanageHA
configurationsettingsforthePanorama
managementserver.

Yes

Yes

Yes

ConfigAudit

Yes

No

Yes

Specifieswhethertheadministratorcan Panorama:Yes
runPanoramaconfigurationaudits.If DeviceGroup/Template:No
youdisablethisprivilege,the
administratorcantrunPanorama
configurationaudits.

PaloAltoNetworks,Inc.

PANOS7.1AdministratorsGuide 105

Reference:WebInterfaceAdministratorAccess

AccessLevel

Description

Administrators

FirewallAdministration

Enable

Read Disable
Only

Specifieswhethertheadministratorcan Panorama:Yes
viewPanoramaadministratoraccount DeviceGroup/Template:No
details.
Youcantenablefullaccesstothis
function:justreadonlyaccess.(Only
Panoramaadministratorswitha
dynamicrolecanadd,edit,ordelete
Panoramaadministrators.)With
readonlyaccess,theadministratorcan
seeinformationabouthisorherown
accountbutnootherPanorama
administratoraccounts.
Ifyoudisablethisprivilege,the
administratorcantseeinformation
aboutanyPanoramaadministrator
account,includinghisorherown.

No

Yes

Yes

AdminRoles

Specifieswhethertheadministratorcan Panorama:Yes
viewPanoramaadministratorroles.
DeviceGroup/Template:No
Youcantenablefullaccesstothis
function:justreadonlyaccess.(Only
Panoramaadministratorswitha
dynamicrolecanadd,edit,ordelete
customPanoramaroles.)With
readonlyaccess,theadministratorcan
seePanoramaadministratorrole
configurationsbutcantmanagethem.
Ifyoudisablethisprivilege,the
administratorcantseeormanage
Panoramaadministratorroles.

No

Yes

Yes

AccessDomain

Specifieswhethertheadministratorcan Panorama:Yes
Yes
view,add,edit,delete,orcloneaccess DeviceGroup/Template:No
domainconfigurationsforPanorama
Youassignaccess
administrators.(Thisprivilegecontrols
domainstoDevice
accessonlytotheconfigurationof
GroupandTemplate
accessdomains,notaccesstothe
administratorssothey
devicegroups,templates,andfirewall
canaccessthe
contextsthatareassignedtoaccess
configurationand
domains.)
monitoringdatawithin
Ifyousetthisprivilegetoreadonly,the
thedevicegroups,
administratorcanviewPanorama
templates,andfirewall
accessdomainconfigurationsbutcant
contextsthatare
managethem.
assignedtothose
Ifyoudisablethisprivilege,the
accessdomains.
administratorcantseeormanage
Panoramaaccessdomain
configurations.

Yes

Yes

106 PAN-OS 7.1 Administrator's Guide
Palo Alto Networks, Inc.

Firewall Administration
Reference: Web Interface Administrator Access

Table columns: Access Level | Description | Administrator Role Availability | Enable | Read Only | Disable

Access Level: Authentication Profile
Description: Specifies whether the administrator can view, add, edit, delete, or clone authentication profiles for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama authentication profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Authentication Sequence
Description: Specifies whether the administrator can view, add, edit, delete, or clone authentication sequences for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication sequences but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama authentication sequences.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Managed Devices
Description: Specifies whether the administrator can view, add, edit, tag, or delete firewalls as managed devices, and install software or content updates on them. If you set this privilege to read-only, the administrator can see managed firewalls but can't add, delete, tag, or install updates on them. If you disable this privilege, the administrator can't view, add, edit, tag, delete, or install updates on managed firewalls.
Note: This privilege applies only to the Panorama > Managed Devices page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed firewalls.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes (No for Device Group and Template roles) | Read Only: Yes | Disable: Yes


Access Level: Templates
Description: Specifies whether the administrator can view, edit, add, or delete templates and template stacks. If you set the privilege to read-only, the administrator can see template and stack configurations but can't manage them. If you disable this privilege, the administrator can't see or manage template and stack configurations.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes. Device Group and Template administrators can see only the templates and stacks that are within the access domains assigned to those administrators.
Enable: Yes (No for Device Group and Template admins) | Read Only: Yes | Disable: Yes

Access Level: Device Groups
Description: Specifies whether the administrator can view, edit, add, or delete device groups. If you set this privilege to read-only, the administrator can see device group configurations but can't manage them. If you disable this privilege, the administrator can't see or manage device group configurations.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes. Device Group and Template administrators can access only the device groups that are within the access domains assigned to those administrators.
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Managed Collectors
Description: Specifies whether the administrator can view, edit, add, or delete managed collectors. If you set this privilege to read-only, the administrator can see managed collector configurations but can't manage them. If you disable this privilege, the administrator can't view, edit, add, or delete managed collector configurations.
Note: This privilege applies only to the Panorama > Managed Collectors page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed collectors.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Collector Groups
Description: Specifies whether the administrator can view, edit, add, or delete Collector Groups. If you set this privilege to read-only, the administrator can see Collector Groups but can't manage them. If you disable this privilege, the administrator can't see or manage Collector Groups.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes


Access Level: VMware Service Manager
Description: Specifies whether the administrator can view and edit VMware Service Manager settings. If you set this privilege to read-only, the administrator can see the settings but can't perform any related configuration or operational procedures. If you disable this privilege, the administrator can't see the settings or perform any related configuration or operational procedures.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Certificate Management
Description: Sets the default state, enabled or disabled, for all of the Panorama certificate management privileges.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Certificates
Description: Specifies whether the administrator can view, edit, generate, delete, revoke, renew, or export certificates. This privilege also specifies whether the administrator can import or export HA keys. If you set this privilege to read-only, the administrator can see Panorama certificates but can't manage the certificates or HA keys. If you disable this privilege, the administrator can't see or manage Panorama certificates or HA keys.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Certificate Profile
Description: Specifies whether the administrator can view, add, edit, delete, or clone Panorama certificate profiles. If you set this privilege to read-only, the administrator can see Panorama certificate profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama certificate profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: SSL/TLS Service Profile
Description: Specifies whether the administrator can view, add, edit, delete, or clone SSL/TLS Service profiles. If you set this privilege to read-only, the administrator can see SSL/TLS Service profiles but can't manage them. If you disable this privilege, the administrator can't see or manage SSL/TLS Service profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes


Access Level: Log Settings
Description: Sets the default state, enabled or disabled, for all the log setting privileges.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: No | Disable: Yes

Access Level: System
Description: Specifies whether the administrator can see and configure the settings that control the forwarding of System logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the System log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
Note: On a Panorama M-Series appliance, this privilege pertains only to System logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to System logs that Panorama generates and to System logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of System logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of System logs directly from firewalls to external services (without aggregation on Panorama).
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes


Access Level: Config
Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Config logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Config log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
Note: On a Panorama M-Series appliance, this privilege pertains only to Config logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to Config logs that Panorama generates and to Config logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of Config logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of Config logs directly from firewalls to external services (without aggregation on Panorama).
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: HIP Match
Description: Specifies whether the administrator can see and configure the settings that control the forwarding of HIP Match logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of HIP Match logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
Note: The Panorama > Collector Groups page controls the forwarding of HIP Match logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of HIP Match logs directly from firewalls to external services (without aggregation on Panorama).
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Correlation
Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Correlation logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Correlation log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
Note: The Panorama > Collector Groups page controls the forwarding of Correlation logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of Correlation logs directly from firewalls to external services (without aggregation on Panorama).
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Traffic
Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Traffic logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Traffic logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
Note: The Panorama > Collector Groups page controls the forwarding of Traffic logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Traffic logs directly from firewalls to external services (without aggregation on Panorama).
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Threat
Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Threat logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Threat logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
Note: The Panorama > Collector Groups page controls the forwarding of Threat logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Threat logs directly from firewalls to external services (without aggregation on Panorama).
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: WildFire
Description: Specifies whether the administrator can see and configure the settings that control the forwarding of WildFire logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of WildFire logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
Note: The Panorama > Collector Groups page controls the forwarding of WildFire logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of WildFire logs directly from firewalls to external services (without aggregation on Panorama).
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Server Profiles
Description: Sets the default state, enabled or disabled, for all the server profile privileges.
Note: These privileges pertain only to the server profiles that are used for forwarding logs that Panorama generates or collects from firewalls and the server profiles that are used for authenticating Panorama administrators. The Device > Server Profiles pages control the server profiles that are used for forwarding logs directly from firewalls to external services (without aggregation on Panorama) and for authenticating firewall administrators.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: No | Disable: Yes

Access Level: SNMP Trap
Description: Specifies whether the administrator can see and configure SNMP trap server profiles. If you set this privilege to read-only, the administrator can see SNMP trap server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage SNMP trap server profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Syslog
Description: Specifies whether the administrator can see and configure Syslog server profiles. If you set this privilege to read-only, the administrator can see Syslog server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Syslog server profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Email
Description: Specifies whether the administrator can see and configure email server profiles. If you set this privilege to read-only, the administrator can see email server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage email server profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: RADIUS
Description: Specifies whether the administrator can see and configure the RADIUS server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the RADIUS server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the RADIUS server profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: TACACS+
Description: Specifies whether the administrator can see and configure the TACACS+ server profiles that are used to authenticate Panorama administrators. If you disable this privilege, the administrator can't see the node or configure settings for the TACACS+ servers that authentication profiles reference. If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but can't add or edit them.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: LDAP
Description: Specifies whether the administrator can see and configure the LDAP server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the LDAP server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the LDAP server profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Kerberos
Description: Specifies whether the administrator can see and configure the Kerberos server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the Kerberos server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the Kerberos server profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Scheduled Config Export
Description: Specifies whether the administrator can view, add, edit, delete, or clone scheduled Panorama configuration exports. If you set this privilege to read-only, the administrator can view the scheduled exports but can't manage them. If you disable this privilege, the administrator can't see or manage the scheduled exports.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Software
Description: Specifies whether the administrator can: view information about Panorama software updates; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama software updates and view the associated release notes but can't perform any related operations. If you disable this privilege, the administrator can't see Panorama software updates, see the associated release notes, or perform any related operations.
Note: This privilege pertains only to software installed on a Panorama management server. The Panorama > Device Deployment > Software page controls access to PAN-OS software deployed on firewalls and Panorama software deployed on Dedicated Log Collectors.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Dynamic Updates
Description: Specifies whether the administrator can: view information about Panorama content updates (for example, WildFire updates); download, upload, install, or revert the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama content updates and view the associated release notes but can't perform any related operations. If you disable this privilege, the administrator can't see Panorama content updates, see the associated release notes, or perform any related operations.
Note: This privilege pertains only to content updates installed on a Panorama management server. The Panorama > Device Deployment > Dynamic Updates page controls access to content updates deployed on firewalls and Dedicated Log Collectors.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Support
Description: Specifies whether the administrator can: view Panorama support license information, product alerts, and security alerts; activate a support license, generate Tech Support files, and manage cases. If you set this privilege to read-only, the administrator can view Panorama support information, product alerts, and security alerts, but can't activate a support license, generate Tech Support files, or manage cases. If you disable this privilege, the administrator can't: see Panorama support information, product alerts, or security alerts; activate a support license, generate Tech Support files, or manage cases.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Device Deployment
Description: Sets the default state, enabled or disabled, for all the device deployment privileges.
Note: These privileges pertain only to software and content updates that Panorama administrators deploy on firewalls and Dedicated Log Collectors. The Panorama > Software and Panorama > Dynamic Updates pages control the software and content updates installed on a Panorama management server.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Software
Description: Specifies whether the administrator can: view information about the software updates installed on firewalls and Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the software updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can't see information about the software updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: SSL VPN Client
Description: Specifies whether the administrator can: view information about SSL VPN client software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about SSL VPN client software updates and view the associated release notes but can't activate the updates on firewalls. If you disable this privilege, the administrator can't see information about SSL VPN client software updates, see the associated release notes, or activate the updates on firewalls.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: GlobalProtect Client
Description: Specifies whether the administrator can: view information about GlobalProtect agent/app software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about GlobalProtect agent/app software updates and view the associated release notes but can't activate the updates on firewalls. If you disable this privilege, the administrator can't see information about GlobalProtect agent/app software updates, see the associated release notes, or activate the updates on firewalls.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Dynamic Updates
Description: Specifies whether the administrator can: view information about the content updates (for example, Applications updates) installed on firewalls and Dedicated Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the content updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can't see information about the content updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Licenses
Description: Specifies whether the administrator can view, refresh, and activate firewall licenses. If you set this privilege to read-only, the administrator can view firewall licenses but can't refresh or activate those licenses. If you disable this privilege, the administrator can't view, refresh, or activate firewall licenses.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Master Key and Diagnostics
Description: Specifies whether the administrator can view and configure a master key by which to encrypt private keys on Panorama. If you set this privilege to read-only, the administrator can view the Panorama master key configuration but can't change it. If you disable this privilege, the administrator can't see or edit the Panorama master key configuration.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Panorama Web Interface Access
The custom Panorama administrator roles allow you to define access to the options on Panorama and the ability to only allow access to Device Groups and Templates (Policies, Objects, Network, Device tabs).

The administrator roles you can create are Panorama and Device Group and Template. You can't assign CLI access privileges to a Device Group and Template Admin Role profile. If you assign superuser privileges for the CLI to a Panorama Admin Role profile, administrators with that role can access all features regardless of the web interface privileges you assign.

Table columns: Access Level | Description | Enable | Read Only | Disable

Access Level: Dashboard
Description: Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: ACC
Description: Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full Ip Addresses option and/or the Show User Names In Logs And Reports option.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Monitor
Description: Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Policies
Description: Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Objects
Description: Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.
Enable: Yes | Read Only: No | Disable: Yes


Access Level: Network
Description: Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Device
Description: Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, High Availability, server profile or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
Note: You can't enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Panorama
Description: Controls access to the Panorama tab. If you disable this privilege, the administrator will not see the Panorama tab and will not have access to any Panorama-wide configuration information, such as Managed Devices, Managed Collectors, or Collector Groups. For more granular control over what objects the administrator can see, leave the Panorama option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Panorama Tab.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Privacy
Description: Controls access to the privacy settings described in Define User Privacy Settings in the Administrator Role Profile.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Validate
Description: When disabled, an administrator cannot validate a configuration.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Commit
Description: Sets the default state (enabled or disabled) for all the commit settings described below (Panorama, Device Groups, Templates, Force Template Values, Collector Groups).
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Panorama (commit)
Description: When disabled, an administrator cannot commit changes to the Panorama configuration.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Device Groups (commit)
Description: When disabled, an administrator cannot commit changes to device groups.
Enable: Yes | Read Only: No | Disable: Yes


Access Level: Templates (commit)
Description: When disabled, an administrator cannot commit changes to templates.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Force Template Values
Description: This privilege controls access to the Force Template Values option in the Commit dialog. When disabled, an administrator cannot replace overridden settings in local firewall configurations with settings that Panorama pushes from a template.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Collector Groups (commit)
Description: When disabled, an administrator cannot commit changes to Collector Groups.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Global
Description: Controls access to the global settings (system alarms) described in Provide Granular Access to Global Settings.
Enable: Yes | Read Only: No | Disable: Yes


Reference: Port Number Usage
The following tables list the ports that firewalls and Panorama use to communicate with each other, or with other services on the network.

Ports Used for Management Functions
Ports Used for HA
Ports Used for Panorama
Ports Used for User-ID

Ports Used for Management Functions

Destination Port | Protocol | Description
22 | TCP | Used for communication from a client system to the firewall CLI interface.
80 | TCP | The port the firewall listens on for Online Certificate Status Protocol (OCSP) updates when acting as an OCSP responder.
123 | UDP | Port the firewall uses for NTP updates.
443 | TCP | Used for communication from a client system to the firewall web interface. This is also the port the firewall and User-ID agent listen on for VM Information source updates. For monitoring an AWS environment, this is the only port that is used. For monitoring a VMware vCenter/ESXi environment, the listening port defaults to 443, but it is configurable.
162 | UDP | Port the firewall, Panorama, or a Log Collector uses to forward traps to an SNMP manager. This port doesn't need to be open on the Palo Alto Networks firewall. You must configure the Simple Network Management Protocol (SNMP) manager to listen on this port. For details, refer to the documentation of your SNMP management software.
161 | UDP | Port the firewall listens on for polling requests (GET messages) from the SNMP manager.
514 / 514 / 6514 | TCP / UDP / SSL | Port that the firewall, Panorama, or a Log Collector uses to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.
2055 | UDP | Default port the firewall uses to send NetFlow records to a NetFlow collector if you Configure NetFlow Exports, but this is configurable.


5008 | TCP | Port the GlobalProtect Mobile Security Manager listens on for HIP requests from the GlobalProtect gateways. If you are using a third-party MDM system, you can configure the gateway to use a different port as required by the MDM vendor.
6080 / 6081 / 6082 | TCP | Ports used for Captive Portal: 6080 for NT LAN Manager (NTLM) authentication, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode.

Ports Used for HA
Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.

Destination Port | Protocol | Description
28769 / 28260 | TCP | Used for the HA1 control link for cleartext communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.
28 | TCP | Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.
28770 | TCP | Listening port for HA1 backup links.
28771 | TCP | Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.
99 / 29281 | IP / UDP | Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default. The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
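The HA table above lists three different encapsulations for the HA2 data link (a raw Layer 2 frame with ethertype 0x7261, IP protocol 99, or UDP 29281) and several TCP ports for HA1, which matters when you review a packet capture from an HA link segment to confirm that only peer traffic is present. The following is an added example, not Palo Alto Networks code, that decodes Ethernet/IPv4/TCP/UDP headers far enough to label a frame as HA1 or HA2 using only the values in the table; the sample frames are constructed inline (zeroed MAC addresses, unverified IP checksums) rather than captured.

```python
"""Classify Ethernet frames as PAN-OS HA1/HA2 traffic.

Added example, not Palo Alto Networks code. It uses only the transports
documented in the HA port table: HA1 on TCP 28769/28260 (cleartext),
TCP 28 (encrypted), TCP 28770 (backup), TCP 28771 (heartbeat backup);
HA2 as ethertype 0x7261, IP protocol 99, or UDP 29281.
The sample frames below are constructed here, not captured traffic.
"""
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_HA2 = 0x7261       # HA2 Layer 2 transport (default ethertype)
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_HA2 = 99             # HA2 carried directly over IP
HA2_UDP_PORT = 29281         # HA2 carried over UDP (lets the link span subnets)

HA1_TCP_PORTS = {
    28769: "HA1 control link, cleartext",
    28260: "HA1 control link, cleartext",
    28: "HA1 control link, encrypted (SSH over TCP)",
    28770: "HA1 backup link",
    28771: "HA heartbeat backup",
}


def classify_frame(frame: bytes) -> Optional[str]:
    """Return a label for HA traffic, or None for anything else."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_HA2:
        return "HA2 data link, Layer 2 (ethertype 0x7261)"
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4      # IPv4 header length in bytes
    proto = ip[9]
    if proto == IPPROTO_HA2:
        return "HA2 data link, IP protocol 99"
    l4 = ip[ihl:]
    if len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == IPPROTO_UDP and HA2_UDP_PORT in (sport, dport):
        return "HA2 data link, UDP 29281"
    if proto == IPPROTO_TCP:
        for port in (dport, sport):   # either peer may initiate HA1
            if port in HA1_TCP_PORTS:
                return HA1_TCP_PORTS[port]
    return None


# --- constructed sample frames (not captured traffic) ---------------------
def _eth(ethertype: int, payload: bytes) -> bytes:
    return bytes(12) + struct.pack("!H", ethertype) + payload   # zeroed MACs


def _ipv4(proto: int, payload: bytes) -> bytes:
    # Version 4, IHL 5, no options; checksum left zero (not verified here).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def _tcp(sport: int, dport: int) -> bytes:
    # Minimal 20-byte TCP header (data offset 5, SYN flag).
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)


def _udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLES = {
    "ha1_clear": _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_TCP, _tcp(40000, 28769))),
    "ha1_enc": _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_TCP, _tcp(28, 40001))),
    "ha2_l2": _eth(ETHERTYPE_HA2, b"\x00" * 32),
    "ha2_ip99": _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_HA2, b"\x00" * 16)),
    "ha2_udp": _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_UDP, _udp(29281, 29281))),
    "mgmt_https": _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_TCP, _tcp(50000, 443))),
}


def classify_samples() -> dict:
    """Label every constructed sample frame."""
    return {name: classify_frame(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:12s} -> {label}")
```

The classifier checks the HA2 Layer 2 ethertype before looking at IP at all, because a MAC-in-MAC HA2 frame has no IP header to parse; a frame that matches none of the documented transports (such as the HTTPS sample) is reported as None, which on a dedicated HA segment is the case worth investigating.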

Ports Used for Panorama

Destination Port | Protocol | Description
22 | TCP | Used for communication from a client system to the Panorama CLI interface.
443 | TCP | Used for communication from a client system to the Panorama web interface.


3978 | TCP | Used for communication between Panorama and managed firewalls or managed collectors, as well as for communication among managed collectors in a Collector Group. For communication between Panorama and firewalls, this is a bidirectional connection on which the firewalls forward logs to Panorama and Panorama pushes configuration changes to the firewalls. Context switching commands are sent over the same connection. Log Collectors use this destination port to forward logs to Panorama. Also used for communication with the default Log Collector on an M-Series appliance in Panorama mode and with Dedicated Log Collectors (M-Series appliances in Log Collector mode).
28769 (5.1 and later) / 28260 (5.0 and later) / 49160 (5.0 and earlier) | TCP | Used for the HA connectivity and synchronization between Panorama HA peers using cleartext communication. Communication can be initiated by either peer.
28 | TCP | Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.
28270 (6.0 and later) / 49190 (5.1 and earlier) | TCP | Used for communication among Log Collectors in a Collector Group for log distribution.
2049 | TCP | Used by the Panorama virtual appliance to write logs to the NFS datastore.

Ports Used for User-ID
User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address-to-username mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.

Destination Port / Protocol: Description

389 / TCP: Port the firewall uses to connect to an LDAP server (plaintext or Start Transport Layer Security (StartTLS)) to Map Users to Groups.

3268 / TCP: Port the firewall uses to connect to an Active Directory global catalog server (plaintext or StartTLS) to Map Users to Groups.

636 / TCP: Port the firewall uses for LDAP over SSL connections with an LDAP server to Map Users to Groups.

3269 / TCP: Port the firewall uses for LDAP over SSL connections with an Active Directory global catalog server to Map Users to Groups.

514 / TCP, 514 / UDP, 6514 / SSL: Port the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.

5007 / TCP: Port the firewall listens on for user mapping information from the User-ID or Terminal Services agent. The agent sends the IP address and username mapping along with a timestamp whenever it learns of a new or updated mapping. In addition, it connects to the firewall at regular intervals to refresh known mappings.

5006 / TCP: Port the User-ID agent listens on for PAN-OS XML API requests. The source for this communication is typically the system running a script that invokes the API.

88 / UDP/TCP: Port the User-ID agent uses to authenticate to a Kerberos server. The firewall tries UDP first and falls back to TCP.

1812 / UDP: Port the User-ID agent uses to authenticate to a RADIUS server.

49 / TCP: Port the User-ID agent uses to authenticate to a TACACS+ server.

135 / TCP: Port the User-ID agent uses to establish TCP-based WMI connections with the Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper then assigns the agent a randomly assigned port in the 49152-65535 port range. The agent uses this connection to make RPC queries for Exchange Server or AD server security logs, session tables. This is also the port used to access Terminal Services.
The User-ID agent also uses this port to connect to client systems to perform Windows Management Instrumentation (WMI) probing.

139 / TCP: Port the User-ID agent uses to establish TCP-based NetBIOS connections to the AD server so that it can send RPC queries for security logs and session information.
The User-ID agent also uses this port to connect to client systems for NetBIOS probing (supported on the Windows-based User-ID agent only).

445 / TCP: Port the User-ID agent uses to connect to the Active Directory (AD) using TCP-based SMB connections to the AD server for access to user logon information (print spooler and NetLogon).

Reset the Firewall to Factory Default Settings
Resetting the firewall to factory defaults will result in the loss of all configuration settings and logs.

Reset the Firewall to Factory Default Settings
Step 1  Set up a console connection to the firewall.
  1. Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1).
     If your computer does not have a 9-pin serial port, use a USB-to-serial port connector.
  2. Enter your login credentials.
  3. Enter the following CLI command:
     debug system maintenance-mode
     The firewall will reboot in the maintenance mode.

Step 2  Reset the system to factory default settings.
  1. When the firewall reboots, press Enter to continue to the maintenance mode menu.
  2. Select Factory Reset and press Enter.
  3. Select Factory Reset and press Enter again.
     The firewall will reboot without any configuration settings. The default username and password to log in to the firewall is admin/admin.
     To perform initial configuration on the firewall and to set up network connectivity, see Integrate the Firewall into Your Management Network.

Bootstrap the Firewall
Bootstrapping speeds up the process of configuring and licensing the firewall to make it operational on the network with or without Internet access. Bootstrapping allows you to choose whether to configure the firewall with a basic configuration file (init-cfg.txt) so that it can connect to Panorama and obtain the complete configuration, or to fully configure the firewall with the basic configuration and the optional bootstrap.xml file.

- USB Flash Drive Support
- Sample init-cfg.txt Files
- Prepare a USB Flash Drive for Bootstrapping a Firewall
- Bootstrap a Firewall Using a USB Flash Drive

USB Flash Drive Support
The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the following:
- File Allocation Table 32 (FAT32)
- Third Extended File System (ext3)

The firewall can bootstrap from the following flash drives with USB 2.0 or USB 3.0 connectivity:

USB Flash Drives Supported
Kingston: Kingston SE9 8GB (2.0); Kingston SE9 16GB (3.0); Kingston SE9 32GB (3.0)
SanDisk: SanDisk Cruzer Fit CZ33 8GB (2.0); SanDisk Cruzer Fit CZ33 16GB (2.0); SanDisk Cruzer CZ36 16GB (2.0); SanDisk Cruzer CZ36 32GB (2.0); SanDisk Extreme CZ80 32GB (3.0)
Silicon Power: Silicon Power Jewel 32GB (3.0); Silicon Power Blaze 16GB (3.0)
PNY: PNY Attache 16GB (2.0); PNY Turbo 32GB (3.0)

Sample init-cfg.txt Files
An init-cfg.txt file is required for the bootstrap process; this file is a basic configuration file that you create using a text editor. You create this file in Step 5 in Prepare a USB Flash Drive for Bootstrapping a Firewall. The following sample init-cfg.txt files show the parameters that are supported in the file; the parameters that you must provide are the ones marked as required in the field table that follows.

Sample init-cfg.txt (Static IP Address)

type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
ipv6-address=2001:400:f00::1/64
ipv6-default-gateway=2001:400:f00::2
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=multi-vsys,jumbo-frame
dhcp-send-hostname=no
dhcp-send-client-id=no
dhcp-accept-server-hostname=no
dhcp-accept-server-domain=no

Sample init-cfg.txt (DHCP Client)

type=dhcp-client
ip-address=
default-gateway=
netmask=
ipv6-address=
ipv6-default-gateway=
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=multi-vsys,jumbo-frame
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes

The following table describes the fields in the init-cfg.txt file. The type is required; if the type is static, the IP address, default gateway and netmask are required, or the IPv6 address and IPv6 default gateway are required.

Fields in the init-cfg.txt File

type: (Required) Type of management IP address: static or dhcp-client.

ip-address: (Required for IPv4 static management address) IPv4 address. The firewall ignores this field if the type is dhcp-client.

default-gateway: (Required for IPv4 static management address) IPv4 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.

netmask: (Required for IPv4 static management address) IPv4 netmask. The firewall ignores this field if the type is dhcp-client.

ipv6-address: (Required for IPv6 static management address) IPv6 address and /prefix length of the management interface. The firewall ignores this field if the type is dhcp-client.

ipv6-default-gateway: (Required for IPv6 static management address) IPv6 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.

hostname: (Optional) Hostname for the firewall.

panorama-server: (Recommended) IPv4 or IPv6 address of the primary Panorama server.

panorama-server-2: (Optional) IPv4 or IPv6 address of the secondary Panorama server.

tplname: (Recommended) Panorama template name.

dgname: (Recommended) Panorama device group name.

dns-primary: (Optional) IPv4 or IPv6 address of the primary DNS server.

dns-secondary: (Optional) IPv4 or IPv6 address of the secondary DNS server.

vm-auth-key: (VM-Series firewalls only) Virtual machine authentication key.

op-command-modes: (Optional) Enter multi-vsys, jumbo-frame, or both separated by a comma only. Enables multiple virtual systems and jumbo frames while bootstrapping.

dhcp-send-hostname: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server.

dhcp-send-client-id: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server.

dhcp-accept-server-hostname: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server.

dhcp-accept-server-domain: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server.

Prepare a USB Flash Drive for Bootstrapping a Firewall
You can use a USB flash drive to bootstrap a physical firewall. However, to do so you must upgrade to PAN-OS 7.1 and Reset the Firewall to Factory Default Settings. For security reasons, you can bootstrap a firewall only when it is in factory default state or has all private data deleted.

Prepare a USB Flash Drive for Bootstrapping a Firewall
Step 1  Obtain serial numbers (S/Ns) and auth codes for support subscriptions from your order fulfillment email.

Step 2  Register S/Ns of new firewalls on the Customer Support portal.
  1. Go to support.paloaltonetworks.com, log in, and select Assets > Register New Device > Register device using Serial Number or Authorization Code.
  2. Follow the steps to Register the Firewall.
  3. Click Submit.

Step 3  Activate authorization codes on the Customer Support portal, which creates license keys.
  1. Go to support.paloaltonetworks.com, log in, and select the Assets tab.
  2. For each S/N you just registered, click the Action link.
  3. Select Activate Auth-Code.
  4. Enter the Authorization code and click Agree and Submit.

Step 4  Add the S/Ns in Panorama.
  Complete Step 1 in Add a Firewall as a Managed Device in the Panorama Administrator's Guide.

Step 5  Create the init-cfg.txt file.
  Create the init-cfg.txt file, a mandatory file that provides bootstrap parameters. The fields are described in Sample init-cfg.txt Files.
  If the init-cfg.txt file is missing, the bootstrap process will fail and the firewall will boot up with the default configuration in the normal boot-up sequence.
  There are no spaces between the key and value in each field; do not add spaces because they cause failures during parsing on the management server side.
  You can have multiple init-cfg.txt files, one each for different remote sites, by prepending the S/N to the filename. For example:
  0008C200105init-cfg.txt
  0008C200107init-cfg.txt
  If no prepended filename is present, the firewall uses the init-cfg.txt file and proceeds with bootstrapping.

Step 6  (Optional) Create the bootstrap.xml file.
  The optional bootstrap.xml file is a complete firewall configuration that you can export from an existing production firewall.
  1. Select Device > Setup > Operations > Export named configuration snapshot.
  2. Select the Name of the saved or the running configuration.
  3. Click OK.
  4. Rename the file as bootstrap.xml.

Step 7  Create and download the bootstrap bundle from the Customer Support portal.
  For a physical firewall, the bootstrap bundle requires only the /license and /config directories.
  Use one of the following methods to create and download the bootstrap bundle:
  - Use Method 1 to create a bootstrap bundle specific to a remote site (you have only one init-cfg.txt file).
  - Use Method 2 to create one bootstrap bundle for multiple sites.
  Method 1
  1. On your local system, go to support.paloaltonetworks.com and log in.
  2. Select Assets.
  3. Select the S/N of the firewall you want to bootstrap.
  4. Select Bootstrap Container.
  5. Click Select.
  6. Upload and Open the init-cfg.txt file you created in Step 5.
  7. (Optional) Select the bootstrap.xml file you created in Step 6 and Upload Files.
     You must use a bootstrap.xml file from a firewall of the same model and PAN-OS version.
  8. Select Bootstrap Container Download to download a tar.gz file named bootstrap_<S/N>_<date>.tar.gz to your local system. This bootstrap container includes the license keys associated with the S/N of the firewall.
  Method 2
  Create a tar.gz file on your local system with two top-level directories: /license and /config. Include all licenses and all init-cfg.txt files with S/Ns prepended to the filenames as described in Step 5.
  The license key files you download from the Customer Support portal have the S/N in the license filename. PAN-OS checks the S/N in the filename against the firewall S/N while executing the bootstrap process.

Step 8  Import the tar.gz file (that you created in Step 7) to a PAN-OS 7.1 firewall using Secure Copy (SCP) or TFTP.
  Access the CLI and enter one of the following commands:
  tftp import bootstrap-bundle file <path and filename> from <host IP address>
  For example:
  tftp import bootstrap-bundle file /home/userx/bootstrap/devices/pa5000.tar.gz from 10.1.2.3
  scp import bootstrap-bundle from <<user>@<host>:<path to file>>
  For example:
  scp import bootstrap-bundle from userx@10.1.2.3:/home/userx/bootstrap/devices/pa200_bootstrap_bundle.tar.gz

Step 9  Prepare the USB flash drive.
  1. Insert the USB flash drive into the firewall that you used in Step 8.
  2. Enter the following CLI operational command, using your tar.gz filename in place of pa5000.tar.gz. This command formats the USB flash drive, unzips the file, and validates the USB flash drive:
     request system bootstrap-usb prepare from pa5000.tar.gz
  3. Press y to continue. The following message displays when the USB drive is ready:
     USB prepare completed successfully.
  4. Remove the USB flash drive from the firewall.
  5. You can prepare as many USB flash drives as needed.

Step 10  Deliver the USB flash drive to your remote site.
  If you used Method 2 to create the bootstrap bundle, you can use the same USB flash drive content for bootstrapping firewalls at multiple remote sites. You can translate the content into multiple USB flash drives or a single USB flash drive used multiple times.
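To check a Method 2 bundle before it is prepared onto a USB flash drive, here is an added example (not Palo Alto Networks tooling) that builds a tar.gz with the /license and /config layout from Step 7, picks the <S/N>init-cfg.txt or the shared init-cfg.txt exactly as Step 5 describes, and flags a bundle whose license file names carry no matching S/N. The serial numbers are the ones shown in Step 5; the license file name and contents are placeholders.

```python
"""Build and check a Method 2 bootstrap bundle (added example, not Palo Alto
Networks tooling): a tar.gz with top-level /license and /config directories,
license file names carrying the firewall S/N, and one <S/N>init-cfg.txt per
site with init-cfg.txt as the shared fallback."""
import io
import tarfile


def build_bundle(configs, licenses):
    """Return tar.gz bytes; configs and licenses map file name -> text content."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for directory, files in (("config", configs), ("license", licenses)):
            for name, text in files.items():
                data = text.encode()
                info = tarfile.TarInfo(f"{directory}/{name}")
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def bundle_files(bundle):
    """Map each top-level directory in the bundle to the file names under it."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                top, _, name = member.name.strip("/").partition("/")
                out.setdefault(top, []).append(name)
    return out


def select_init_cfg(serial, config_files):
    """<S/N>init-cfg.txt for this firewall wins; otherwise the shared init-cfg.txt; else None."""
    per_device = f"{serial}init-cfg.txt"
    if per_device in config_files:
        return per_device
    return "init-cfg.txt" if "init-cfg.txt" in config_files else None


def check_bundle(bundle, serial):
    """Return the problems a firewall with this S/N would hit; an empty list means the bundle is usable."""
    files = bundle_files(bundle)
    problems = []
    for required in ("config", "license"):
        if required not in files:
            problems.append(f"missing top-level /{required} directory")
    extra = sorted(set(files) - {"config", "license"})
    if extra:
        problems.append(f"unexpected top-level entries: {extra}")
    if select_init_cfg(serial, files.get("config", [])) is None:
        problems.append("no init-cfg.txt: bootstrap fails and the firewall boots with the default configuration")
    # PAN-OS checks the S/N in the license file name against the firewall S/N during bootstrap.
    if not any(serial in name for name in files.get("license", [])):
        problems.append(f"no license file carries S/N {serial}")
    return problems


# Constructed sample: the serial numbers are the ones this page uses as examples;
# the license file name and contents are placeholders.
SAMPLE_CONFIGS = {
    "0008C200105init-cfg.txt": "type=dhcp-client\nhostname=site-105\n",
    "init-cfg.txt": "type=dhcp-client\nhostname=shared\n",
}
SAMPLE_LICENSES = {"0008C200105_placeholder.key": "LICENSE-KEY-PLACEHOLDER"}
```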

Bootstrap a Firewall Using a USB Flash Drive
After you receive a new Palo Alto Networks firewall and a USB flash drive loaded with bootstrap files, you can bootstrap the firewall.
Microsoft Windows and Apple Mac operating systems are unable to read the bootstrap USB flash drive because the drive is formatted using an ext4 file system. You must install third-party software or use a Linux system to read the USB drive.

Bootstrap a Firewall Using a USB Flash Drive
Step 1  The firewall must be in a factory default state or must have all private data deleted.

Step 2  To ensure connectivity with your corporate headquarters, cable the firewall by connecting the management interface (MGT) using an Ethernet cable to one of the following:
  - An upstream modem
  - A port on the switch or router
  - An Ethernet jack in the wall

Step 3  Insert the USB flash drive into the USB port on the firewall and power on the firewall. The factory default firewall bootstraps itself from the USB flash drive.
  The firewall Status light turns from yellow to green when the firewall is configured; auto-commit is successful.

Step 4  Verify bootstrap completion. You can see basic status logs on the console during the bootstrap and you can verify that the process is complete.
  1. If you included Panorama values (panorama-server, tplname, and dgname) in your init-cfg.txt file, check Panorama managed devices, device group, and template name.
  2. Verify the general system settings and configuration by accessing the web interface and selecting Dashboard > Widgets > System or by using the CLI operational commands show system info and show config running.
  3. Verify the license installation by selecting Device > Licenses or by using the CLI operational command request license info.
  4. If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.

Authentication
Many of the services that Palo Alto Networks firewalls and Panorama provide require authentication, including administrator access to the web interface and end user access to Captive Portal, GlobalProtect portals, and GlobalProtect gateways. The authentication methods that you can configure vary by service, and can include Kerberos single sign-on (SSO), external authentication services, certificates and certificate profiles, local database accounts, RADIUS Vendor-Specific Attributes (VSAs), and NT LAN Manager (NTLM). The following topics describe authentication methods that are common to most firewall and Panorama services, procedures to configure them, how to test authentication profiles, and how to troubleshoot authentication issues:

- Configure an Authentication Profile and Sequence
- Configure Kerberos Single Sign-On
- Configure Local Database Authentication
- Configure External Authentication
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues

Configure an Authentication Profile and Sequence
An authentication profile defines the authentication service that validates the login credentials of an administrator account that is local to the firewall or Panorama. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).
Some networks have multiple databases for different users and user groups. To authenticate to multiple authentication sources (for example, local database and LDAP), configure an authentication sequence. An authentication sequence is a ranked order of authentication profiles that the firewall or Panorama matches an administrator against during login. The firewall or Panorama checks against each profile in sequence until one successfully authenticates the administrator (the firewall always checks the local database first if the sequence includes one). An administrator is denied access only if an authentication failure occurs for all the profiles in the authentication sequence.

Configure an Authentication Profile and Sequence
Step 1  Create a Kerberos keytab. Required if the firewall or Panorama will use Kerberos SSO authentication.
  Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall or Panorama.

Step 2  Configure a local database (firewall only) or external server profile (firewall or Panorama). Required for local database or external authentication.
  Local database authentication: Perform the following tasks:
  a. Configure the user account.
  b. (Optional) Configure a user group.
  External authentication: Perform one of the following tasks:
  - Configure a RADIUS Server Profile.
  - Configure a TACACS+ Server Profile.
  - Configure an LDAP Server Profile.
  - Configure a Kerberos Server Profile.

Step 3  Configure an authentication profile.
  Define one or both of the following:
  - Kerberos SSO: The firewall or Panorama first tries SSO authentication. If that fails, it falls back to authentication of the Type specified in the profile.
  - Local database or external authentication: The firewall or Panorama prompts the user to enter login credentials, and uses its local database (firewalls only) or an external service to authenticate the user.
  1. Select Device > Authentication Profile and Add the authentication profile.
  2. Enter a Name to identify the authentication profile.
  3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the profile is available.
  4. Select the authentication Type. If you select RADIUS, TACACS+, LDAP, or Kerberos, select the authentication Server Profile from the drop-down.
     If the Type is LDAP, define the Login Attribute. For Active Directory, enter sAMAccountName as the value.
  5. (Optional) Select the User Domain and Username Modifier options as follows to modify the domain/username string that the user will enter during login. This is useful when the authentication service requires the string in a particular format and you don't want to rely on users to correctly enter the domain.
     - To send only the unmodified user input, leave the User Domain blank (the default) and set the Username Modifier to the variable %USERINPUT% (the default).
     - To prepend a domain to the user input, enter a User Domain and set the Username Modifier to %USERDOMAIN%\%USERINPUT%.
     - To append a domain to the user input, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%.
  6. If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama.
  7. Select Advanced and Add the users and groups that can authenticate with this profile. You can select users and groups from the local database or, if you configured an LDAP server profile, from an LDAP-based directory service such as Active Directory. Selecting all allows every user to authenticate. By default, the list is empty, meaning no users can authenticate.
     You can also create and allow custom groups based on LDAP filters: see Map Users to Groups.
  8. Enter the number of Failed Attempts (0-10) to log in that the firewall or Panorama allows before locking out the user. The default value 0 means there is no limit.
  9. Enter the Lockout Time (0-60), which is the number of minutes for which the firewall or Panorama locks out the user after reaching the Failed Attempts limit. The default value 0 means the lockout applies until an administrator unlocks the user account.
  10. Click OK to save the authentication profile.

Step 4  Configure an authentication sequence. Required if you want the firewall or Panorama to try multiple authentication profiles to authenticate users. The firewall or Panorama evaluates the profiles in top-to-bottom order, applying the Kerberos SSO, authentication service, allow list, and account lockout values for each until one profile successfully authenticates the user. The firewall or Panorama denies access only if all the profiles in the sequence fail to authenticate.
  1. Select Device > Authentication Sequence and Add the authentication sequence.
  2. Enter a Name to identify the authentication sequence.
  3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the sequence is available.
     To expedite the authentication process, the best practice is to Use domain to determine authentication profile: the firewall or Panorama will match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then use that profile to authenticate the user. If the firewall or Panorama doesn't find a match, or if you clear the check box, it tries the profiles in the top-to-bottom sequence.
  4. Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down.
  5. Click OK to save the authentication sequence.

Step 5  Assign the authentication profile or sequence.
  Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
  Test Authentication Server Connectivity to verify that an authentication profile can communicate with the backend authentication server and that the authentication request succeeded.
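The following model, an added example and not PAN-OS code, simulates how the settings in Step 3 and Step 4 decide a login: the Username Modifier variables, Kerberos SSO tried before the profile's Type, the allow list, Failed Attempts and Lockout Time, and domain-based profile selection with top-to-bottom fallback (local database first). The credential stores, realm and principal names are constructed stand-ins, not real servers.

```python
"""Model of how an authentication profile and sequence decide a login (added
example, not PAN-OS code). The rules are the ones on this page: Username Modifier
variables, Kerberos SSO before the profile Type, the allow list (empty means nobody),
Failed Attempts (0 = no limit), Lockout Time (0 = until an administrator unlocks),
domain-based profile selection, otherwise top to bottom with the local database first."""
from dataclasses import dataclass, field


@dataclass
class AuthProfile:
    name: str
    verify: object                 # callable(username, password) -> bool; stands in for the backend
    local_db: bool = False
    user_domain: str = ""
    username_modifier: str = "%USERINPUT%"
    kerberos_realm: str = ""
    sso_principals: frozenset = frozenset()   # constructed: users holding a valid SSO ticket
    allow_list: tuple = ()                    # default empty: no users can authenticate
    failed_attempts: int = 0                  # 0 = no limit
    lockout_time: int = 0                     # minutes; 0 = locked until an administrator unlocks
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)   # user -> minute, or None for indefinite

    def modify_username(self, user_input):
        """Apply the Username Modifier, e.g. %USERDOMAIN%\\%USERINPUT% gives CORP\\bob."""
        return (self.username_modifier
                .replace("%USERDOMAIN%", self.user_domain)
                .replace("%USERINPUT%", user_input))

    def is_locked(self, user, now):
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        return until is None or now < until

    def unlock(self, user):
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def try_login(self, user, password, now=0):
        if "all" not in self.allow_list and user not in self.allow_list:
            return False
        if self.is_locked(user, now):
            return False
        # Kerberos SSO is tried first; only if it fails does the profile fall back to its Type.
        sso_ok = bool(self.kerberos_realm) and f"{user}@{self.kerberos_realm}" in self.sso_principals
        if sso_ok or self.verify(self.modify_username(user), password):
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failed_attempts and self.failures[user] >= self.failed_attempts:
            self.locked_until[user] = None if self.lockout_time == 0 else now + self.lockout_time
        return False


def split_login(login):
    """Return (domain, user) for 'domain\\user', 'user@domain' or a bare 'user'."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return domain, user
    if "@" in login:
        user, _, domain = login.partition("@")
        return domain, user
    return "", login


def authenticate(sequence, login, password, use_domain=True, now=0):
    """Evaluate a sequence; return the name of the profile that authenticated the user, or None."""
    domain, user = split_login(login)
    if use_domain and domain:
        # Use domain to determine authentication profile: match User Domain or Kerberos Realm.
        for p in sequence:
            if domain.lower() in (p.user_domain.lower(), p.kerberos_realm.lower()):
                return p.name if p.try_login(user, password, now) else None
    # No match (or the check box cleared): top to bottom, local database first.
    for p in sorted(sequence, key=lambda p: not p.local_db):
        if p.try_login(user, password, now):
            return p.name
    return None


# Constructed stand-in credential stores (hypothetical, not real servers).
LOCAL_USERS = {"alice": "s3cret"}
CORP_USERS = {"CORP\\bob": "pa55"}


def build_demo_sequence():
    local = AuthProfile("local-db", lambda u, p: LOCAL_USERS.get(u) == p,
                        local_db=True, allow_list=("all",), failed_attempts=3)
    corp = AuthProfile("corp-ldap", lambda u, p: CORP_USERS.get(u) == p,
                       user_domain="CORP", username_modifier="%USERDOMAIN%\\%USERINPUT%",
                       kerberos_realm="CORP.EXAMPLE", sso_principals=frozenset({"carol@CORP.EXAMPLE"}),
                       allow_list=("bob", "carol"))
    return [corp, local]
```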

Configure Kerberos Single Sign-On
Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. A network that supports Kerberos SSO prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (for example, the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and external authentication services (for example, a RADIUS server), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external service for authentication.
To support Kerberos SSO, your network requires:
- A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
- A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.

Configure Kerberos Single Sign-On
Step 1  Create a Kerberos keytab.
  1. Log in to the KDC and open a command prompt.
  2. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables. The Kerberos principal name and password are of the firewall or Panorama, not the user.
     ktpass /princ <principal_name> /pass <password> /crypto <algorithm> /ptype KRB5_NT_PRINCIPAL /out <file_name>.keytab
     If the firewall is in FIPS/CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall or Panorama account.
     The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use.

Step 2  Import the keytab into an authentication profile.
  Configure an Authentication Profile and Sequence:
  1. Enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase).
  2. Import the Kerberos Keytab that you created for the firewall or Panorama.

Step 3  Assign the authentication profile to the administrator account or to the Captive Portal settings.
  - Configure an administrator account.
  - Configure Captive Portal.


Configure Local Database Authentication
You can use a local firewall database instead of an external service to manage user account credentials and authentication. For example, you might create a local database of users and user groups for specialized purposes if you don't have permission to add them to the directory servers that your organization uses to manage regular accounts and groups. Local database authentication is available for firewall administrators and for Captive Portal and GlobalProtect end users.
If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
You can also Configure an Administrative Account to use local account management and authentication without a local database, but only for firewall administrators.

Configure Local Database Authentication
Step 1  Configure the user account.
  1. Select Device > Local User Database > Users and click Add.
  2. Enter a user Name for the administrator.
  3. Enter a Password and Confirm Password or enter a Password Hash.
  4. Enable the account (enabled by default) and click OK.

Step 2  Configure a user group. Required if your users require group membership.
  1. Select Device > Local User Database > User Groups and click Add.
  2. Enter a Name to identify the group.
  3. Add each user who is a member of the group and click OK.

Step 3  Configure an authentication profile.
  Set the authentication Type to Local Database.

Step 4  Assign the authentication profile to an administrator account or firewall service.
  Administrators: Configure an Administrative Account:
  - Specify the Name of a user you defined in Step 1.
  - Assign the Authentication Profile that you configured for the account.
  End users: For all services, you must assign the Authentication Profile that you configured for the accounts:
  - Configure Captive Portal.
  - Configure the GlobalProtect portal.
  - Configure the GlobalProtect gateway.

Step 5  Verify that the firewall can communicate with the authentication server.
  Test a Local Database Authentication Profile.

Configure External Authentication
Palo Alto Networks firewalls and Panorama can use external servers for many services that require authentication, including administrator access to the web interface and end user access to Captive Portal, GlobalProtect portals and GlobalProtect gateways. The server protocols that firewalls and Panorama support include Lightweight Directory Access Protocol (LDAP), Kerberos, Terminal Access Controller Access-Control System Plus (TACACS+), and Remote Authentication Dial-In User Service (RADIUS). If you enable both external authentication and Kerberos single sign-on (SSO), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external server for authentication. To configure external authentication, you create an authentication server profile, assign it to an authentication profile, and then enable authentication for an administrator account or firewall/Panorama service by assigning the authentication profile to it.

- Configure Authentication Server Profiles
- Enable External Authentication for Users and Services

Configure Authentication Server Profiles

- Configure a RADIUS Server Profile
- RADIUS Vendor-Specific Attributes Support
- Configure a TACACS+ Server Profile
- Configure an LDAP Server Profile
- Configure a Kerberos Server Profile
- Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers

Configure a RADIUS Server Profile
You can configure the firewall or Panorama to use a RADIUS server for managing administrator accounts (if they are not local). You can also configure the firewall to use a RADIUS server for authenticating end users and collecting RADIUS Vendor-Specific Attributes (VSAs) from GlobalProtect clients. To use a RADIUS server for managing administrator accounts or collecting GlobalProtect clients' VSAs, you must define VSAs on the RADIUS server. For details, see RADIUS Vendor-Specific Attributes Support.
By default, when authenticating to the RADIUS server, the firewall or Panorama first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol selection and configure the firewall or Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.
When sending authentication requests to a RADIUS server, the firewall and Panorama use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence for the service that initiates the authentication process.

Configure a RADIUS Server Profile
Step 1  Add a RADIUS server profile.
  1. Select Device > Server Profiles > RADIUS and click Add.
  2. Enter a Profile Name to identify the server profile.
  3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-30, default is 3).
  5. Enter the number of automatic Retries following a Timeout before the request fails (range is 1-5, default is 3).
  6. For each RADIUS server, click Add and enter a Name (to identify the server), server IP address or FQDN (RADIUS Server field), Secret/Confirm Secret (a key to encrypt passwords), and server Port for authentication requests (default is 1812).
  7. Click OK.

Step 2  Implement the RADIUS server profile.
  1. Assign the RADIUS server profile to an authentication profile or sequence.
  2. Test a RADIUS Authentication Profile to verify that the firewall or Panorama can connect to the RADIUS server.
  3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
  4. Commit your changes.

RADIUS Vendor-Specific Attributes Support
Palo Alto Networks firewalls and Panorama support the following RADIUS Vendor-Specific Attributes (VSAs). To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama) and the VSA name and number. Some VSAs also require a value.

VSAs for administrator account management and authentication (Name / Number: Value)

PaloAlto-Admin-Role: A default (dynamic) administrative role name or a custom administrative role name on the firewall.

PaloAlto-Admin-Access-Domain: The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.

PaloAlto-Panorama-Admin-Role: A default (dynamic) administrative role name or a custom administrative role name on Panorama.

PaloAlto-Panorama-Admin-Access-Domain / 4: The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).

PaloAlto-User-Group: The name of a user group that an authentication profile references.

VSAs forwarded from GlobalProtect clients to the RADIUS server (don't specify a value when you define these VSAs)

PaloAlto-User-Domain
PaloAlto-Client-Source-IP
PaloAlto-Client-OS
PaloAlto-Client-Hostname
PaloAlto-GlobalProtect-Client-Version / 10

Configure a TACACS+ Server Profile
Terminal Access Controller Access-Control System Plus (TACACS+) protocol provides better authentication security than RADIUS because it encrypts usernames and passwords (instead of just passwords), and is also more reliable (it uses TCP instead of UDP).
By default, when authenticating to the TACACS+ server, the firewall or Panorama first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol selection and configure the firewall or Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.

Configure a TACACS+ Server Profile

Step 1  Add a TACACS+ server profile.
1. Select Device > Server Profiles > TACACS+ and click Add.
2. Enter a Profile Name to identify the server profile.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-20, default is 3).
5. Select the Use single connection for all authentication check box to use the same TCP session for all authentications that use this profile. This option improves performance by avoiding the need to start and end a separate TCP session for each authentication. The check box is cleared by default.
6. For each TACACS+ server, click Add and enter a Name (to identify the server), server IP address or FQDN (TACACS+ Server field), Secret/Confirm Secret (a key to encrypt usernames and passwords), and server Port for authentication requests (default is 49).
7. Click OK.

Step 2  Implement the TACACS+ server profile.
1. Assign the TACACS+ server profile to an authentication profile or sequence.
2. Test a TACACS+ Authentication Profile to verify that the firewall or Panorama can connect to the TACACS+ server.
3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
4. Commit your changes.

Configure an LDAP Server Profile
An LDAP server profile enables you to:

Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama.

Define security rules based on user or user group. The LDAP server profile instructs the firewall how to connect and authenticate to the server and how to search the directory for user and group information. You must also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy rules.


Configure an LDAP Server Profile

Step 1  Add an LDAP server profile.
1. Select Device > Server Profiles > LDAP and click Add.
2. Enter a Profile Name to identify the server profile.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
4. For each LDAP server (up to four), click Add and enter a Name (to identify the server), server IP address (LDAP Server field), and server Port (default 389).
5. Select the server Type from the drop-down: active-directory, e-directory, sun, or other.
6. If you want the firewall or Panorama to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (it is selected by default). The protocol that the firewall or Panorama uses depends on the server Port:
   389 (default): TLS (Specifically, the firewall or Panorama uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
   636: SSL
   Any other port: The firewall or Panorama first tries to use TLS. If the directory server doesn't support TLS, the firewall or Panorama falls back to SSL.
7. To improve security, you can select the Verify Server Certificate for SSL sessions check box (it is cleared by default) so that the firewall or Panorama verifies the certificate that the directory server presents for SSL/TLS connections. If the verification fails, the connection fails. To enable verification, you must also select the Require SSL/TLS secured connection check box. The firewall or Panorama verifies the certificate in two respects:
   The certificate is trusted and valid. For the firewall or Panorama to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates. Import the certificate if necessary: see Import a Certificate and Private Key.
   The certificate name must match the hostname of the LDAP server. The firewall or Panorama first checks the certificate attribute SubjectAltName for matching, then tries the attribute Subject DN. If the certificate uses the FQDN of the directory server, you must enter that FQDN in the LDAP Server field for the name matching to succeed.
8. Click OK.

Step 2  Implement the LDAP server profile.
1. Assign the LDAP server profile to an authentication profile or sequence.
2. Test an LDAP Authentication Profile to verify that the firewall or Panorama can connect to the LDAP server.
3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
4. Commit your changes.
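The name-matching rule in Step 1.7 (SubjectAltName first, Subject DN second) and the FQDN-versus-IP caveat, worked through as an added example that is not PAN-OS code. The certificate is a constructed dict in the shape Python's ssl.SSLSocket.getpeercert() returns; the hostnames and address are assumed values.

```python
import ipaddress


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _name_match(cert_name: str, configured: str) -> bool:
    """Case-insensitive exact match; '*.' covers one leading DNS label; IPs compare as addresses."""
    if _is_ip(cert_name) or _is_ip(configured):
        return (_is_ip(cert_name) and _is_ip(configured)
                and ipaddress.ip_address(cert_name) == ipaddress.ip_address(configured))
    cert_name, configured = cert_name.lower().rstrip("."), configured.lower().rstrip(".")
    if cert_name.startswith("*."):
        parts = configured.split(".", 1)
        return len(parts) == 2 and parts[1] == cert_name[2:]
    return cert_name == configured


def ldap_server_name_matches(peercert: dict, ldap_server_field: str):
    """Return (matched, reason). SubjectAltName entries are tried first and the
    Subject DN commonName second, the order the guide describes for the firewall."""
    candidates = [(f"subjectAltName {kind}", name) for kind, name in peercert.get("subjectAltName", ())]
    candidates += [("Subject DN commonName", value) for rdn in peercert.get("subject", ())
                   for key, value in rdn if key == "commonName"]
    for source, name in candidates:
        if _name_match(name, ldap_server_field):
            return True, f"matched {source} {name!r}"
    names = ", ".join(repr(n) for _, n in candidates) or "nothing"
    return False, f"LDAP Server field {ldap_server_field!r} matches none of {names}"


# Constructed certificate (assumed names), in the dict form getpeercert() returns.
LDAP_SERVER_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "ldap01.mgmt-group.local"),)),
    "subjectAltName": (("DNS", "ldap01.mgmt-group.local"), ("DNS", "ldap.mgmt-group.local")),
}

if __name__ == "__main__":
    # Profile names the server by FQDN: the SAN matches.
    print(ldap_server_name_matches(LDAP_SERVER_CERT, "LDAP01.mgmt-group.local"))
    # Same server entered as an IP address: the check fails, as Step 1.7 warns.
    print(ldap_server_name_matches(LDAP_SERVER_CERT, "10.5.104.99"))
```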

Configure a Kerberos Server Profile
A Kerberos server profile enables users to natively authenticate to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords, in contrast with Kerberos single sign-on (SSO), which involves transparent authentication.
To use a Kerberos server for authentication, the server must be accessible over an IPv4 address. IPv6 addresses are not supported.

Configure a Kerberos Server Profile

Step 1  Add a Kerberos server profile.
1. Select Device > Server Profiles > Kerberos and click Add.
2. Enter a Profile Name to identify the server profile.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
4. For each Kerberos server, click Add and enter a Name (to identify the server), server IPv4 address or FQDN (Kerberos Server field), and an optional Port number for communication with the server (default 88).
5. Click OK.

Step 2  Implement the Kerberos server profile.
1. Assign the Kerberos server profile to an authentication profile or sequence.
2. Test a Kerberos Authentication Profile to verify that the firewall or Panorama can connect to the Kerberos server.
3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
4. Commit your changes.

Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers
When you configure a Palo Alto Networks firewall or Panorama to use RADIUS or TACACS+ server authentication for a particular service (such as Captive Portal), it first tries to authenticate to the server using Challenge-Handshake Authentication Protocol (CHAP). The firewall or Panorama falls back to Password Authentication Protocol (PAP) if the server rejects the CHAP request. This will happen if, for example, the server doesn't support CHAP or isn't configured for CHAP. CHAP is the preferred protocol because it is more secure than PAP. After the firewall or Panorama falls back to PAP for a particular RADIUS or TACACS+ server, it uses only PAP in subsequent attempts to authenticate to that server. PAN-OS records a fallback to PAP as a medium-severity event in the System logs. If you modify any fields in the RADIUS or TACACS+ server profile and then commit the changes, the firewall or Panorama reverts to first trying CHAP for that server.
If you want the firewall or Panorama to always use a specific protocol for authenticating to the RADIUS or TACACS+ server, enter the following operational CLI command (the auto option reverts to the default automatic selection):
set authentication radius-auth-type [ auto | chap | pap ]
When configuring a RADIUS or TACACS+ server for CHAP, you must define user accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.
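An added example (not PAN-OS or Palo Alto Networks code) covering this section and the RADIUS VSA table above: it builds the CHAP Access-Request a NAS sends, shows that the server can only verify the CHAP digest by recomputing it from the cleartext password (hence the reversibly encrypted password requirement), encodes a VSA under vendor code 25461 (VSA number 4 is the one the table gives), and shows the Response Authenticator check whose failure the firewall reports as "Bad MD5" when the shared secret in the server profile is wrong. Usernames, passwords and secrets are constructed sample values; the packet layout follows RFC 2865.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_CHAP_PASSWORD = 1, 3
ATTR_VENDOR_SPECIFIC, ATTR_CHAP_CHALLENGE = 26, 60
PALO_ALTO_VENDOR_ID = 25461  # vendor code from the guide's VSA table


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def encode_vsa(vsa_number: int, value: bytes, vendor_id: int = PALO_ALTO_VENDOR_ID) -> bytes:
    """Vendor-Specific (26): Vendor-Id(4) followed by Vendor-Type, Vendor-Length, data."""
    inner = bytes([vsa_number, len(value) + 2]) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + inner)


def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP Ident then MD5(Ident || password || challenge).
    Only a server holding the recoverable cleartext password can check this."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack(">BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes):
    """Return [(type, value), ...] from the attribute region of a packet."""
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return attrs


def build_chap_access_request(username: bytes, password: bytes, identifier: int = 1,
                              request_auth: bytes = b"") -> bytes:
    """Client side: the Access-Request sent when CHAP is tried first."""
    request_auth = request_auth or os.urandom(16)
    chap = chap_password(identifier & 0xFF, password, request_auth)  # challenge = Request Authenticator
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_CHAP_PASSWORD, chap)
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def server_verify_chap(request: bytes, cleartext_password: bytes) -> bool:
    """Server side: recompute the digest from the stored (reversibly encrypted) password."""
    attrs = dict(parse_attrs(request))
    chap = attrs.get(ATTR_CHAP_PASSWORD)
    if chap is None or len(chap) != 17:
        return False
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, request[4:20])
    return hashlib.md5(chap[:1] + cleartext_password + challenge).digest() == chap[1:]


def response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack(">BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(request: bytes, code: int, attrs: bytes, secret: bytes) -> bytes:
    """Server side: an Access-Accept/Reject sealed with the server's shared secret."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return build_packet(code, identifier, auth, attrs)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side check; False is what the test output reports as 'Bad MD5'."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = response_authenticator(response[0], response[1], response[20:], request[4:20], secret)
    return response[4:20] == expected


if __name__ == "__main__":
    # Constructed demo: the server's secret and the secret in the server profile differ.
    req = build_chap_access_request(b"User2-RADIUS", b"Pa55word")
    print("server accepts CHAP digest:", server_verify_chap(req, b"Pa55word"))
    resp = build_response(req, ACCESS_ACCEPT, encode_vsa(4, b"all"), b"secret-on-server")
    print("response verifies with profile secret:", verify_response(resp, req, b"secret-in-profile"))
```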

Enable External Authentication for Users and Services
Palo Alto Networks firewalls and Panorama can use external services to authenticate administrators, end users, and other devices.

Enable External Authentication

Step 1  Configure an external server profile.
Configure a RADIUS Server Profile.
Configure a TACACS+ Server Profile.
Configure an LDAP Server Profile.
Configure a Kerberos Server Profile.

Step 2  Assign the server profile to an authentication profile. Optionally, you can assign multiple authentication profiles to an authentication sequence.
1. Configure an Authentication Profile and Sequence.
2. Test Authentication Server Connectivity.

Step 3  Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
Administrators: Configure an Administrative Account.
End users:
   Configure Captive Portal.
   Configure the GlobalProtect portal.
   Configure the GlobalProtect gateway.
Firewall/Panorama services:
   Configure Routing Information Protocol (RIP).
   Configure Open Shortest Path First (OSPF).
   Configure Border Gateway Protocol (BGP).


Test Authentication Server Connectivity
After you configure an authentication profile on a Palo Alto Networks firewall or Panorama, you can use the test authentication feature to determine if it can communicate with the back-end authentication server and if the authentication request succeeded. You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing.
Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.
The following topics describe how to use the test authentication command and provide examples:

Run the Test Authentication Command

Test a Local Database Authentication Profile

Test a RADIUS Authentication Profile

Test a TACACS+ Authentication Profile

Test an LDAP Authentication Profile

Test a Kerberos Authentication Profile

Run the Test Authentication Command

Step 1  On the PAN-OS firewall or Panorama server, Configure an authentication profile. You do not need to commit the authentication or server profile configuration prior to testing.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Test an authentication profile by entering the following command:
admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password
For example, to test an authentication profile named myprofile for a user named bsimpson, run the following command:
admin@PA-3060> test authentication authentication-profile myprofile username bsimpson password
When entering authentication profile names and server profile names in the test command, the names are case-sensitive. Also, if the authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This will ensure that the correct credentials are sent to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the Authentication profile.

Step 5  View the output of the test results.
If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration. For example use cases on the supported authentication profile types, see Test Authentication Server Connectivity.
The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.

Test a Local Database Authentication Profile
The following example shows how to test a Local Database authentication profile named LocalDB-Profile for a user named User1-LocalDB and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

Local Database Authentication Profile Test Example

Step 1  On the PAN-OS firewall, ensure that you have an administrator configured with the type Local Database. For information on administrator accounts, refer to Manage Firewall Administrators.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
admin@PA-3060> test authentication authentication-profile LocalDB-Profile username User1-LocalDB password

Step 5  When prompted, enter the password for the User1-LocalDB account. The following output shows that the test failed:
Allow list check error:
Do allow list check before sending out authentication request...
User User1-LocalDB is not allowed with authentication profile LocalDB-Profile

In this case, the last line of the output shows that the user is not allowed, which indicates a configuration problem in the authentication profile.

Step 6  To resolve this issue, modify the authentication profile and add the user to the Allow List.
1. On the firewall, select Device > Authentication Profile and modify the profile named LocalDB-Profile.
2. Click the Advanced tab and add User1-LocalDB to the Allow List.
3. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User1-LocalDB" has an exact match in allow list
Authentication by Local User Database for user "User1-LocalDB"
Authentication succeeded for Local User Database user "User1-LocalDB"

Test a RADIUS Authentication Profile
The following example shows how to test a RADIUS profile named RADIUS-Profile for a user named User2-RADIUS and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

RADIUS Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a RADIUS Server Profile and Configure an authentication profile. In the authentication profile, you select the new RADIUS server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
admin@PA-3060> test authentication authentication-profile RADIUS-Profile username User2-RADIUS password

Step 5  When prompted, enter the password for the User2-RADIUS account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"

In this case, the output shows Bad MD5, which indicates that there may be an issue with the secret defined in the RADIUS server profile.

Step 6  To resolve this issue, modify the RADIUS server profile and ensure that the secret defined on the RADIUS server matches the secret in the server profile.
1. On the firewall, select Device > Server Profiles > RADIUS and modify the profile named RADIUS-Profile.
2. In the Servers section, locate the RADIUS server and modify the Secret field.
3. Type in the correct secret and then retype to confirm.
4. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication type: PAP
Now send request to remote server ...
Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication succeeded for user "User2-RADIUS"


Test a TACACS+ Authentication Profile
The following example shows how to test a TACACS+ profile named TACACS-Profile for a user named User3-TACACS and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

TACACS+ Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a TACACS+ Server Profile and Configure an authentication profile. In the authentication profile, you select the new TACACS+ server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
admin@PA-3060> test authentication authentication-profile TACACS-Profile username User3-TACACS password

Step 5  When prompted, enter the password for the User3-TACACS account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
Failed to send CHAP authentication request: Network read timed out
Attempting PAP authentication ...
PAP authentication request is created
Failed to send PAP authentication request: Network read timed out
Returned status: -1
Authentication failed against TACACS+ server at 10.5.196.62:49 for user User2-TACACS
Authentication failed for user "User2-TACACS"

The output shows the error Network read timed out, which indicates that the TACACS+ server could not decrypt the authentication request. In this case, there may be an issue with the secret defined in the TACACS+ server profile.

Step 6  To resolve this issue, modify the TACACS+ server profile and ensure that the secret defined on the TACACS+ server matches the secret in the server profile.
1. On the firewall, select Device > Server Profiles > TACACS+ and modify the profile named TACACS-Profile.
2. In the Servers section, locate the TACACS+ server and modify the Secret field.
3. Type in the correct secret and then retype to confirm.
4. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
Authentication succeeded!
Authentication succeeded for user "User2-TACACS"

Test an LDAP Authentication Profile
The following example shows how to test an LDAP authentication profile named LDAP-Profile for a user named User4-LDAP and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

LDAP Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure an LDAP Server Profile and Configure an authentication profile. In the authentication profile, you select the new LDAP server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
admin@PA-3060> test authentication authentication-profile LDAP-Profile username User4-LDAP password

Step 5  When prompted, enter the password for the User4-LDAP account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
parse error of dn and attributes for user "User4-LDAP"
Authentication failed against LDAP server at 10.5.104.99:389 for user "User4-LDAP"
Authentication failed for user "User4-LDAP"

The output shows parse error of dn and attributes for user User4-LDAP, which indicates a Bind DN value issue in the LDAP server profile. In this case, a Domain Component (DC) value is incorrect.

Step 6  To resolve this issue, modify the LDAP server profile and ensure that the Bind DN DC value is correct by comparing the DC value with the DC value of the LDAP server.
1. On the firewall, select Device > Server Profiles > LDAP and modify the profile named LDAP-Profile.
2. In the Server settings section, enter the correct value for the DC in the Bind DN field. In this case, the correct value for the DC is MGMT-GROUP.
3. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=User4-LDAP,CN=Users,DC=MGMT-GROUP,DC=local
User expires in days: never
Authentication succeeded for user "User4-LDAP"

Test a Kerberos Authentication Profile
The following example shows how to test a Kerberos profile named Kerberos-Profile for a user named User5-Kerberos and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

Kerberos Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a Kerberos Server Profile and Configure an authentication profile. In the authentication profile, you select the new Kerberos server profile in the Server Profile drop-down.

Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4  Run the following CLI command:
admin@PA-3060> test authentication authentication-profile Kerberos-Profile username User5-Kerberos password

Step 5  When prompted, enter the password for the User5-Kerberos account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'Bad-MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
Authentication failed for user "User5-Kerberos"

In this case, the output shows Wrong realm, which indicates that the Kerberos realm has an incorrect value.

Step 6  To resolve this issue, modify the Kerberos server profile and ensure that the Realm value is correct by comparing the realm name on the Kerberos server.
1. On the firewall, select Device > Authentication Profiles and modify the profile named Kerberos-Profile.
2. In the Kerberos Realm field, enter the correct value. In this case, the correct realm is mgmt-group.local.
3. Click OK to save the change.

Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "User5-Kerberos"
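The test authentication outputs above share a line format, so they can be reduced to a structured result for automated checks after a change. The following is an added example, not PAN-OS code: a parser for that output, run over constructed copies of the RADIUS outputs shown in this section (the sample strings are embedded inline), that extracts server, port, user, the protocols tried, whether a CHAP-to-PAP fallback occurred (which the guide says PAN-OS also logs as a medium-severity System log event), and the error line, plus the cause this section's examples attribute to each error.

```python
import re

# Line shapes as printed in the guide's test authentication examples.
_SERVER = re.compile(r"Authentication to (\S+) server at '?([\d.]+)(?::(\d+))?'? for user ['\"]([^'\"]+)['\"]")
_PORT = re.compile(r"Server port: (\d+)")
_AUTH_TYPE = re.compile(r"(?:Authentication type: |Attempting )(CHAP|PAP)")
_FINAL = re.compile(r"Authentication (succeeded|failed) against \S+ server at [\d.]+:(\d+)")
_ERROR_MARKERS = ("RADIUS error:", "Failed to send", "parse error of dn",
                  "Authentication failure:", "is not allowed with authentication profile")


def parse_test_output(text: str) -> dict:
    """Reduce 'test authentication' output to the fields worth acting on."""
    result = {"server_type": None, "server": None, "port": None, "user": None,
              "allow_list_ok": None, "auth_types": [], "pap_fallback": False,
              "succeeded": False, "error": None}
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = _SERVER.search(line)
        if m:
            result.update(server_type=m.group(1), server=m.group(2), user=m.group(4))
            if m.group(3):
                result["port"] = int(m.group(3))
            continue
        m = _PORT.search(line)
        if m:
            result["port"] = int(m.group(1))
            continue
        m = _FINAL.search(line)
        if m:
            result["succeeded"] = m.group(1) == "succeeded"
            result["port"] = int(m.group(2))
            continue
        m = _AUTH_TYPE.search(line)
        if m:
            result["auth_types"].append(m.group(1))
            continue
        if "try PAP next" in line:
            result["pap_fallback"] = True  # the fallback PAN-OS logs at medium severity
        elif line.startswith("Authentication succeeded"):
            result["succeeded"] = True
        elif "exact match in allow list" in line or 'is in group "' in line:
            result["allow_list_ok"] = True
        elif "is not allowed with authentication profile" in line:
            result["allow_list_ok"] = False
        if result["error"] is None and any(marker in line for marker in _ERROR_MARKERS):
            result["error"] = line
    return result


def likely_cause(result: dict) -> str:
    """Map the error line to the cause this section's examples give for it."""
    err = result["error"] or ""
    if result["allow_list_ok"] is False:
        return "user is missing from the authentication profile Allow List"
    if "Bad MD5" in err:
        return "RADIUS shared secret in the server profile does not match the server"
    if "Network read timed out" in err and result["server_type"] == "TACACS+":
        return "TACACS+ server could not decrypt the request; check the shared secret in the server profile"
    if "parse error of dn" in err:
        return "Bind DN in the LDAP server profile is wrong; compare its DC values with the directory"
    if "Wrong realm" in err:
        return "Kerberos realm value is wrong"
    return "" if result["succeeded"] else "unclassified failure; check address, port and connectivity"


# Constructed copies of the RADIUS outputs shown in this section.
RADIUS_FAILED = """\
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
"""

RADIUS_OK = """\
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication type: PAP
Now send request to remote server ...
Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication succeeded for user "User2-RADIUS"
"""

if __name__ == "__main__":
    for sample in (RADIUS_FAILED, RADIUS_OK):
        parsed = parse_test_output(sample)
        print(parsed, "->", likely_cause(parsed) or "ok")
```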


Troubleshoot Authentication Issues
When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the authentication process takes longer than expected, analyzing authentication-related information can help you determine whether the failure or delay resulted from:

User behavior: For example, users are locked out after entering the wrong credentials or a high volume of users are simultaneously attempting access.
System or network issues: For example, an authentication server is inaccessible.
Configuration issues: For example, the Allow List of an authentication profile doesn't have all the users it should have.

The following CLI commands display information that can help you troubleshoot these issues:

Task: Display the number of locked user accounts associated with the authentication profile (auth-profile), authentication sequence (is-seq), or virtual system (vsys).
To unlock users, use the following operational command:
request authentication [unlock-admin | unlock-user]
Command:
show authentication locked-users
{
   vsys <value> |
   auth-profile <value> |
   is-seq {yes | no} {auth-profile | vsys} <value>
}

Task: Use the debug authentication command to troubleshoot authentication events.
Use the show options to display authentication request statistics and the current debugging level:
   show displays the current debugging level for the authentication service (authd).
   show-active-requests displays the number of active checks for authentication requests, allow lists, and locked user accounts.
   show-pending-requests displays the number of pending checks for authentication requests, allow lists, and locked user accounts.
   connection-show displays authentication request and response statistics for all authentication servers or for a specific protocol type.
Use the connection-debug options to enable or disable authentication debugging:
   Use the on option to enable or the off option to disable debugging for authd.
   Use the connection-debug-on option to enable or the connection-debug-off option to disable debugging for all authentication servers or for a specific protocol type.
Command:
debug authentication
{
   on {debug | dump | error | info | warn} |
   show |
   show-active-requests |
   show-pending-requests |
   connection-show |
   {
      connection-id |
      protocol-type
      {
         Kerberos connection-id <value> |
         LDAP connection-id <value> |
         RADIUS connection-id <value> |
         TACACS+ connection-id <value> |
      }
   }
   connection-debug-on |
   {
      connection-id |
      debug-prefix |
      protocol-type
      {
         Kerberos connection-id <value> |
         LDAP connection-id <value> |
         RADIUS connection-id <value> |
         TACACS+ connection-id <value> |
      }
   }
   connection-debug-off |
   {
      connection-id |
      protocol-type
      {
         Kerberos connection-id <value> |
         LDAP connection-id <value> |
         RADIUS connection-id <value> |
         TACACS+ connection-id <value> |
      }
   }
   connection-debug-on
}


Certificate Management
The following topics describe the different keys and certificates that Palo Alto Networks firewalls and Panorama use, and how to obtain and manage them:

Keys and Certificates

Certificate Revocation

Certificate Deployment

Set Up Verification for Certificate Revocation Status

Configure the Master Key

Obtain Certificates

Export a Certificate and Private Key

Configure a Certificate Profile

Configure an SSL/TLS Service Profile

Replace the Certificate for Inbound Management Traffic

Configure the Key Size for SSL Forward Proxy Server Certificates

Revoke and Renew Certificates

Secure Keys with a Hardware Security Module


Keys and Certificates
To ensure trust between parties in a secure communication session, Palo Alto Networks firewalls and Panorama use digital certificates. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies the issuer did not revoke the certificate (see Certificate Revocation).
Palo Alto Networks firewalls and Panorama use certificates in the following applications:

User authentication for Captive Portal, GlobalProtect, Mobile Security Manager,and web interface access to a firewall or Panorama.

Device authentication for GlobalProtect VPN (remote user-to-site or large scale).

Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).

Decrypting inbound and outbound SSL traffic.
A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS connection to the destination server. To secure a connection between itself and the client, the firewall uses a signing certificate to automatically generate a copy of the destination server certificate.

The following table describes the keys and certificates that Palo Alto Networks firewalls and Panorama use. As a best practice, use different keys and certificates for each usage.

Table: Palo Alto Networks Device Keys/Certificates
Key/Certificate Usage | Description

Administrative Access
Secure access to firewall or Panorama administration interfaces (HTTPS access to the web interface) requires a server certificate for the MGT interface (or a designated interface on the dataplane if the firewall or Panorama does not use MGT) and, optionally, a certificate to authenticate the administrator.

Captive Portal
In deployments where Captive Portal identifies users who access HTTPS resources, designate a server certificate for the Captive Portal interface. If you configure Captive Portal to use certificates (instead of, or in addition to, username/password credentials) for user identification, designate a user certificate also. For more information on Captive Portal, see Map IP Addresses to Usernames Using Captive Portal.

Forward Trust
For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy of the destination server certificate to present to the client. To set the private key size, see Configure the Key Size for SSL Forward Proxy Server
Certificates.Foraddedsecurity,storethekeyonahardwaresecuritymodule(fordetails,
seeSecureKeyswithaHardwareSecurityModule).

ForwardUntrust

ForoutboundSSL/TLStraffic,ifafirewallactingasaforwardproxydoesnottrusttheCA
thatsignedthecertificateofthedestinationserver,thefirewallusestheforwarduntrust
CAcertificatetogenerateacopyofthedestinationservercertificatetopresenttothe
client.

SSLInboundInspection

ThekeysthatdecryptinboundSSL/TLStrafficforinspectionandpolicyenforcement.For
thisapplication,importontothefirewallaprivatekeyforeachserverthatissubjectto
SSL/TLSinboundinspection.SeeConfigureSSLInboundInspection.

160 PANOS7.1AdministratorsGuide

PaloAltoNetworks,Inc.

CertificateManagement

KeysandCertificates

Key/CertificateUsage

Description

SSLExcludeCertificate

CertificatesforserverstoexcludefromSSL/TLSdecryption.Forexample,ifyouenable
SSLdecryptionbutyournetworkincludesserversforwhichthefirewallshouldnot
decrypttraffic(forexample,webservicesforyourHRsystems),importthecorresponding
certificatesontothefirewallandconfigurethemasSSLExcludeCertificates.See
ConfigureDecryptionExceptions.

GlobalProtect

AllinteractionamongGlobalProtectcomponentsoccursoverSSL/TLSconnections.
Therefore,aspartoftheGlobalProtectdeployment,deployservercertificatesforall
GlobalProtectportals,gateways,andMobileSecurityManagers.Optionally,deploy
certificatesforauthenticatingusersalso.
NotethattheGlobalProtectLargeScaleVPN(LSVPN)featurerequiresaCAsigning
certificate.

SitetoSiteVPNs(IKE)

InasitetositeIPSecVPNdeployment,peerdevicesuseInternetKeyExchange(IKE)
gatewaystoestablishasecurechannel.IKEgatewaysusecertificatesorpresharedkeysto
authenticatethepeerstoeachother.Youconfigureandassignthecertificatesorkeys
whendefininganIKEgatewayonafirewall.SeeSitetoSiteVPNOverview.

MasterKey

Thefirewallusesamasterkeytoencryptallprivatekeysandpasswords.Ifyournetwork
requiresasecurelocationforstoringprivatekeys,youcanuseanencryption(wrapping)
keystoredonahardwaresecuritymodule(HSM)toencryptthemasterkey.Fordetails,
seeEncryptaMasterKeyUsinganHSM.

SecureSyslog

Thecertificatetoenablesecureconnectionsbetweenthefirewallandasyslogserver.See
SyslogFieldDescriptions.

TrustedRootCA

ThedesignationforarootcertificateissuedbyaCAthatthefirewalltrusts.Thefirewall
canuseaselfsignedrootCAcertificatetoautomaticallyissuecertificatesforother
applications(forexample,SSLForwardProxy).
Also,ifafirewallmustestablishsecureconnectionswithotherfirewalls,therootCAthat
issuestheircertificatesmustbeinthelistoftrustedrootCAsonthefirewall.

PaloAltoNetworks,Inc.

PANOS7.1AdministratorsGuide 161

Certificate Revocation

Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust between parties in a secure communication session. Configuring a firewall or Panorama to check the revocation status of certificates provides additional security. A party that presents a revoked certificate is not trustworthy. When a certificate is part of a chain, the firewall or Panorama checks the status of every certificate in the chain except the root CA certificate, for which it cannot verify revocation status (a self-signed root has no higher authority that could publish its revocation).

Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, a change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority that issued the certificate must revoke it.

The firewall and Panorama support the following methods for verifying certificate revocation status. If you configure both methods, the firewall or Panorama first tries the OCSP method; if the OCSP responder is unavailable, it uses the CRL method.

- Certificate Revocation List (CRL)
- Online Certificate Status Protocol (OCSP)

In PAN-OS, certificate revocation status verification is an optional feature. It is a best practice to enable it for certificate profiles, which define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall or Panorama.

Certificate Revocation List (CRL)

Each certificate authority (CA) periodically issues a certificate revocation list (CRL) to a public repository. The CRL identifies revoked certificates by serial number. After the CA revokes a certificate, the next CRL update will include the serial number of that certificate. Until that update is published, a CRL-only check still reports the certificate as valid.

The Palo Alto Networks firewall downloads and caches the last issued CRL for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the CRL for the issuing CA. Also, the cache only stores a CRL until it expires.

The firewall supports CRLs only in Distinguished Encoding Rules (DER) format. If the firewall downloads a CRL in any other format (for example, Privacy Enhanced Mail (PEM) format), any revocation verification process that uses that CRL will fail when a user performs an activity that triggers the process (for example, sending outbound SSL data). The firewall will generate a system log for the verification failure. If the verification was for an SSL certificate, the firewall will also display the SSL Certificate Errors Notify response page to the user. Before pointing the firewall at a CRL distribution point, confirm that the URL serves a DER file: a DER CRL begins with the binary ASN.1 SEQUENCE tag (0x30), whereas a PEM CRL begins with the text "-----BEGIN X509 CRL-----".

To use CRLs for verifying the revocation status of certificates used for the decryption of inbound and outbound SSL/TLS traffic, see Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.

To use CRLs for verifying the revocation status of certificates that authenticate users and devices, configure a certificate profile and assign it to the interfaces that are specific to the application: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, or web interface access to Palo Alto Networks firewalls or Panorama. For details, see Configure Revocation Status Verification of Certificates.

Online Certificate Status Protocol (OCSP)

When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check the revocation status of the authentication certificate. The authenticating client sends a request containing the serial number of the certificate to the OCSP responder (server). The responder searches the database of the certificate authority (CA) that issued the certificate and returns a response containing the status (good, revoked, or unknown) to the client. The advantage of the OCSP method is that it can verify status in real time, instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs.

The Palo Alto Networks firewall downloads and caches OCSP status information for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the OCSP information for the issuing CA. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall as an OCSP responder (see Configure an OCSP Responder).

To use OCSP for verifying the revocation status of certificates when the firewall functions as an SSL forward proxy, perform the steps under Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.

The following applications use certificates to authenticate users and/or devices: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP for verifying the revocation status of the certificates:

1. Configure an OCSP responder.
2. Enable the HTTP OCSP service on the firewall.
3. Create or obtain a certificate for each application.
4. Configure a certificate profile for each application.
5. Assign the certificate profile to the relevant application.

To cover situations where the OCSP responder is unavailable, configure CRL as a fallback method. For details, see Configure Revocation Status Verification of Certificates.

Certificate Deployment

The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are:

- Obtain certificates from a trusted third-party CA. The benefit of obtaining a certificate from a trusted third-party certificate authority (CA) such as VeriSign or GoDaddy is that end clients will already trust the certificate because common browsers include root CA certificates from well-known CAs in their trusted root certificate stores. Therefore, for applications that require end clients to establish secure connections with the firewall or Panorama, purchase a certificate from a CA that the end clients trust to avoid having to pre-deploy root CA certificates to the end clients. (Some such applications are a GlobalProtect portal or GlobalProtect Mobile Security Manager.) However, note that most third-party CAs cannot issue signing certificates. Therefore, this type of certificate is not appropriate for applications (for example, SSL/TLS decryption and large scale VPN) that require the firewall to issue certificates. See Obtain a Certificate from an External CA.

- Obtain certificates from an enterprise CA. Enterprises that have their own internal CA can use it to issue certificates for firewall applications and import them onto the firewall. The benefit is that end clients probably already trust the enterprise CA. You can either generate the needed certificates and import them onto the firewall, or generate a certificate signing request (CSR) on the firewall and send it to the enterprise CA for signing. The benefit of the CSR method is that the private key does not leave the firewall. An enterprise CA can also issue a signing certificate, which the firewall uses to automatically generate certificates (for example, for GlobalProtect large scale VPN or sites requiring SSL/TLS decryption). See Import a Certificate and Private Key.

- Generate self-signed certificates. You can Create a Self-Signed Root CA Certificate on the firewall and use it to automatically issue certificates for other firewall applications. Note that if you use this method to generate certificates for an application that requires an end client to trust the certificate, end users will see a certificate error because the root CA certificate is not in their trusted root certificate store. To prevent this, deploy the self-signed root CA certificate to all end-user systems. You can deploy the certificates manually or use a centralized deployment method such as an Active Directory Group Policy Object (GPO). Deploy only the root CA certificate, never its private key; any client that holds the key can impersonate every site the firewall decrypts.

Set Up Verification for Certificate Revocation Status

To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs). For details on these methods, see Certificate Revocation. If you configure both methods, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall to function as the OCSP responder.

The following topics describe how to configure the firewall to verify certificate revocation status:

- Configure an OCSP Responder
- Configure Revocation Status Verification of Certificates
- Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure an OCSP Responder

To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can be a third-party certificate authority (CA) or, if your enterprise has its own public key infrastructure (PKI), the firewall itself. For details on OCSP, see Certificate Revocation.

OCSP runs over plain HTTP by design (responses are signed by the responder, so the transport does not need to be encrypted), but enabling HTTP OCSP on an interface exposes a listening service there. Enable it only on the management interface or on a dataplane interface that is reachable solely by the clients that need it.

Configure an OCSP Responder

Step 1  Define an OCSP responder.
        1. Select Device > Certificate Management > OCSP Responder and click Add.
        2. Enter a Name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
        3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the responder.
        4. In the Host Name field, enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified.
           If you configure the firewall itself as an OCSP responder, the host name must resolve to an IP address in the interface that the firewall uses for OCSP services (specified in Step 3).
        5. Click OK.

Step 2  Enable OCSP communication on the firewall.
        1. Select Device > Setup > Management.
        2. In the Management Interface Settings section, edit to select the HTTP OCSP check box, then click OK.

Step 3  (Optional) To configure the firewall itself as an OCSP responder, add an Interface Management Profile to the interface used for OCSP services.
        1. Select Network > Network Profiles > Interface Mgmt.
        2. Click Add to create a new profile or click the name of an existing profile.
        3. Select the HTTP OCSP check box and click OK.
        4. Select Network > Interfaces and click the name of the interface that the firewall will use for OCSP services. The OCSP Host Name specified in Step 1 must resolve to an IP address in this interface.
        5. Select Advanced > Other info and select the Interface Management Profile you configured.
        6. Click OK and Commit.
Configure Revocation Status Verification of Certificates

The firewall and Panorama use certificates to authenticate users and devices for such applications as Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. To improve security, it is a best practice to configure the firewall or Panorama to verify the revocation status of certificates that it uses for device/user authentication.

Configure Revocation Status Verification of Certificates

Step 1  Configure a Certificate Profile for each application.
        Assign one or more root CA certificates to the profile and select how the firewall verifies certificate revocation status. The common name (FQDN or IP address) of a certificate must match an interface to which you apply the profile in Step 2.
        For details on the certificates that various applications use, see Keys and Certificates.

Step 2  Assign the certificate profiles to the relevant applications.
        The steps to assign a certificate profile depend on the application that requires it.

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

The firewall decrypts inbound and outbound SSL/TLS traffic to apply policy rules, then re-encrypts the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.) You can configure the firewall to verify the revocation status of certificates used for decryption as follows.

Enabling revocation status verification for SSL/TLS decryption certificates will add time to the process of establishing the session. The first attempt to access a site might fail if the verification does not finish before the session times out. For these reasons, verification is disabled by default. Weigh this against the risk of the default: with verification off, the forward proxy will present a trusted copy of a revoked server certificate to your clients.

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Step 1  Define the service-specific timeout intervals for revocation status requests.
        1. Select Device > Setup > Session and, in the Session Features section, select Decryption Certificate Revocation Settings.
        2. Perform one or both of the following steps, depending on whether the firewall will use Online Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL) method to verify the revocation status of certificates. If the firewall will use both, it first tries OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
           - In the CRL section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
           - In the OCSP section, select the Enable check box and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
           Depending on the Certificate Status Timeout value you specify in Step 2, the firewall might register a timeout before either or both of the Receive Timeout intervals pass.

Step 2  Define the total timeout interval for revocation status requests.
        Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies the session blocking logic you optionally define in Step 3. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
        - If you enable both OCSP and CRL: the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
        - If you enable only OCSP: the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
        - If you enable only CRL: the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
        In practice this means that a Certificate Status Timeout shorter than the OCSP Receive Timeout can cut off the CRL fallback entirely: the global timer expires while the firewall is still waiting on OCSP.

Step 3  Define the blocking behavior for unknown certificate status or a revocation status request timeout.
        If you want the firewall to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block Session With Unknown Certificate Status check box. Otherwise, the firewall proceeds with the session.
        If you want the firewall to block SSL/TLS sessions after it registers a request timeout, select the Block Session On Certificate Status Check Timeout check box. Otherwise, the firewall proceeds with the session.
        Leaving both check boxes clear means that an attacker who can make the responder unreachable (or who presents a certificate the responder does not know) is treated the same as a valid server; selecting both trades that risk for availability failures whenever the responder is slow.

Step 4  Save and apply your entries.
        Click OK and Commit.
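The interaction between the two Receive Timeout values, the Certificate Status Timeout and the two Block Session check boxes is easy to misread, so the following Go program models the rules stated in Steps 1 to 3 above. It is an illustration added here, not code from PAN-OS or from Palo Alto Networks; the responder stubs, their latencies and the serial number are constructed for the example, and the firewall's internal implementation may differ in detail.

```go
package main

import "fmt"

// Status is what an OCSP responder or CRL service reports for a certificate.
type Status int

const (
	Good Status = iota
	Revoked
	Unknown
)

// Responder stands in for an OCSP responder or CRL service: it returns the
// status and how many seconds it took to answer (constructed for the example).
type Responder func(serial string) (Status, int)

// RevocationSettings mirrors Device > Setup > Session > Decryption Certificate
// Revocation Settings. All timeouts are in seconds (the UI allows 1-60).
type RevocationSettings struct {
	OCSPEnabled, CRLEnabled               bool
	OCSPReceiveTimeout, CRLReceiveTimeout int
	CertificateStatusTimeout              int
	BlockUnknownStatus, BlockOnTimeout    bool
}

// EffectiveTimeout is the interval after which the firewall registers a request
// timeout: the lesser of the Certificate Status Timeout and the sum of the
// enabled Receive Timeouts (Step 2 of the procedure).
func (s RevocationSettings) EffectiveTimeout() int {
	sum := 0
	if s.OCSPEnabled {
		sum += s.OCSPReceiveTimeout
	}
	if s.CRLEnabled {
		sum += s.CRLReceiveTimeout
	}
	if s.CertificateStatusTimeout < sum {
		return s.CertificateStatusTimeout
	}
	return sum
}

// Decide reports whether the SSL/TLS session may proceed and why. OCSP is tried
// first; CRL only if OCSP did not answer within its Receive Timeout. A revoked
// certificate always blocks; unknown status and a request timeout block only
// when the matching check box (Step 3) is selected.
func (s RevocationSettings) Decide(serial string, ocsp, crl Responder) (allow bool, reason string) {
	if !s.OCSPEnabled && !s.CRLEnabled {
		return true, "revocation verification disabled (the default)"
	}
	elapsed := 0
	// ask runs one responder and charges at most its Receive Timeout to the clock.
	ask := func(r Responder, recvTimeout int) (Status, bool) {
		st, latency := r(serial)
		if latency >= recvTimeout {
			elapsed += recvTimeout // responder unavailable: waited the full interval
			return Unknown, false
		}
		elapsed += latency
		return st, true
	}
	var st Status
	answered := false
	if s.OCSPEnabled {
		st, answered = ask(ocsp, s.OCSPReceiveTimeout)
	}
	if !answered && s.CRLEnabled && elapsed < s.CertificateStatusTimeout {
		st, answered = ask(crl, s.CRLReceiveTimeout)
	}
	// No answer, or an answer that arrived after the global timer expired.
	if !answered || elapsed >= s.CertificateStatusTimeout {
		return !s.BlockOnTimeout, fmt.Sprintf("request timeout after %ds", s.EffectiveTimeout())
	}
	switch st {
	case Revoked:
		return false, "certificate revoked"
	case Unknown:
		return !s.BlockUnknownStatus, "unknown certificate status"
	}
	return true, "certificate status good"
}

func main() {
	s := RevocationSettings{OCSPEnabled: true, CRLEnabled: true, OCSPReceiveTimeout: 5, CRLReceiveTimeout: 5,
		CertificateStatusTimeout: 8, BlockUnknownStatus: true, BlockOnTimeout: true}
	down := func(string) (Status, int) { return Unknown, 60 } // OCSP responder unreachable
	crl := func(string) (Status, int) { return Revoked, 1 }   // CRL lists the serial
	fmt.Println(s.Decide("1001", down, crl))                   // false certificate revoked
	fmt.Println(s.Decide("1001", down, down))                  // false request timeout after 8s
}
```

The second call in main shows the point of Step 2: with two 5-second Receive Timeouts but an 8-second Certificate Status Timeout, the firewall gives up at 8 seconds, not 10.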

Configure the Master Key

Every firewall and Panorama management server has a default master key that encrypts private keys and other secrets (such as passwords and shared keys). The private keys authenticate users when they access administrative interfaces on the firewall. Because the default key is the same on every device, an attacker who obtains an exported configuration from a device still using it can recover every encrypted secret. As a best practice to safeguard the keys, configure the master key on each firewall to be unique and periodically change it. For added security, use a wrapping key stored on a hardware security module (HSM) to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.

In a high availability (HA) configuration, ensure both firewalls or Panorama management servers in the pair use the same master key to encrypt private keys and certificates. If the master keys differ, HA configuration synchronization will not work properly.

When you export a firewall or Panorama configuration, the master key encrypts the passwords of users managed on external servers. For locally managed users, the firewall or Panorama hashes the passwords but the master key does not encrypt them.

Store the master key in a secrets manager or offline vault: secrets in an exported configuration can only be decrypted by a device that has the same master key, so losing it means re-entering every password, shared key and private key by hand.

Configure a Master Key

Step 1  Select Device > Master Key and Diagnostics and edit the Master Key section.

Step 2  Enter the Current Master Key if one exists.

Step 3  Define a New Master Key and then Confirm New Master Key. The key must contain exactly 16 characters. Generate it randomly rather than choosing a memorable phrase.

Step 4  (Optional) To specify the master key Life Time, enter the number of Days and/or Hours after which the key will expire. If you set a lifetime, create a new master key before the old key expires.

Step 5  (Optional) If you set a key lifetime, enter a Time for Reminder that specifies the number of Days and Hours preceding master key expiration when the firewall emails you a reminder.

Step 6  (Optional) Select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.

Step 7  Click OK and Commit.

Obtain Certificates

- Create a Self-Signed Root CA Certificate
- Generate a Certificate
- Import a Certificate and Private Key
- Obtain a Certificate from an External CA

Create a Self-Signed Root CA Certificate

A self-signed root certificate authority (CA) certificate is the top-most certificate in a certificate chain. A firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall issues certificates for SSL/TLS decryption and for satellites in a GlobalProtect large scale VPN.

When establishing a secure connection with the firewall, the remote client must trust the root CA that issued the certificate. Otherwise, the client browser will display a warning that the certificate is invalid and might (depending on security settings) block the connection. To prevent this, after generating the self-signed root CA certificate, import it into the client systems.

On a Palo Alto Networks firewall or Panorama, you can generate self-signed certificates only if they are CA certificates.

Generate a Self-Signed Root CA Certificate

Step 1  Select Device > Certificate Management > Certificates > Device Certificates.

Step 2  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3  Click Generate.

Step 4  Enter a Certificate Name, such as GlobalProtect_CA. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.

Step 5  In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.

Step 6  If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.

Step 7  Leave the Signed By field blank to designate the certificate as self-signed.

Step 8  (Required) Select the Certificate Authority check box.

Step 9  Leave the OCSP Responder field blank; revocation status verification doesn't apply to root CA certificates.

Step 10 Click Generate and Commit.

Generate a Certificate

Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. Generate certificates for each usage: for details, see Keys and Certificates.

To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, Configure an OCSP Responder before generating the certificate.

Generate a Certificate

Step 1  Select Device > Certificate Management > Certificates > Device Certificates.

Step 2  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3  Click Generate.

Step 4  Select Local (default) as the Certificate Type unless you want to deploy SCEP certificates to GlobalProtect clients.

Step 5  Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.

Step 6  In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.

Step 7  If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.

Step 8  In the Signed By field, select the root CA certificate that will issue the certificate.

Step 9  (Optional) Select an OCSP Responder.

Step 10 For the key generation Algorithm, select RSA (default) or Elliptic Curve DSA (ECDSA). ECDSA is recommended for client browsers and operating systems that support it.
        Firewalls that run PAN-OS 6.1 and earlier releases will delete any ECDSA certificates that you push from Panorama, and any RSA certificates signed by an ECDSA certificate authority (CA) will be invalid on those firewalls.

Step 11 Select the Number of Bits to define the certificate key length. Higher numbers are more secure but require more processing time. For RSA, use at least 2048 bits; 1024-bit RSA keys are rejected by current browsers.

Step 12 Select the Digest algorithm. From most to least secure, the options are: sha512, sha384, sha256 (default), sha1, and md5. sha1 and md5 are listed only for legacy compatibility; current browsers and TLS clients reject certificates signed with either, so use sha256 or stronger for anything a client must verify.

Step 13 For the Expiration, enter the number of days (default is 365) for which the certificate is valid.

Step 14 (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.
        If you add a Host Name (DNS name) attribute, it is a best practice for it to match the Common Name. The host name populates the Subject Alternative Name field of the certificate. Modern clients validate the server name against the Subject Alternative Name only, so omitting it causes name-mismatch errors even when the Common Name is correct.

Step 15 Click Generate and, in the Device Certificates page, click the certificate Name.
        Regardless of the time zone on the firewall, it always displays the corresponding Greenwich Mean Time (GMT) for certificate validity and expiration dates/times.

Step 16 Select the check boxes that correspond to the intended use of the certificate on the firewall.
        For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.

Step 17 Click OK and Commit.

Import a Certificate and Private Key

If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large scale VPN.

On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.

Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.

If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain. Without the intermediate certificates, the firewall cannot build a path to the trusted root and validation fails.

Import a Certificate and Private Key

Step 1  From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it. Delete the exported key file from the management system once the import succeeds; a lingering PKCS#12 file is a copy of the firewall's identity.

Step 2  Select Device > Certificate Management > Certificates > Device Certificates.

Step 3  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 4  Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.

Step 5  To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.

Step 6  Enter the path and name of the Certificate File received from the CA, or Browse to find the file.

Step 7  Select a File Format:
        - Encrypted Private Key and Certificate (PKCS12): This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
        - Base64 Encoded Certificate (PEM): You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip Step 8. Otherwise, select the Import Private Key check box, enter the Key File or Browse to it, then perform Step 8.

Step 8  Enter and re-enter (confirm) the Passphrase used to encrypt the private key.

Step 9  Click OK. The Device Certificates page displays the imported certificate.

Obtain a Certificate from an External CA

The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR) and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall. The CA can be a well-known, public CA or an enterprise CA.

To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, Configure an OCSP Responder before generating the CSR.

Obtain a Certificate from an External CA

Step 1  Request the certificate from an external CA.
        1. Select Device > Certificate Management > Certificates > Device Certificates.
        2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
        3. Click Generate.
        4. Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
        5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
        6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
        7. In the Signed By field, select External Authority (CSR).
        8. If applicable, select an OCSP Responder.
        9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.
           If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.
        10. Click Generate. The Device Certificates tab displays the CSR with a Status of pending.

Step 2  Submit the CSR to the CA.
        1. Select the CSR and click Export to save the .csr file to a local computer.
        2. Upload the .csr file to the CA. The CSR contains only the public key and the requested attributes, so it needs no special handling in transit; verify the certificate the CA returns matches the attributes you requested before importing it.

Step 3  Import the certificate.
        1. After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click Import.
        2. Enter the Certificate Name used to generate the CSR in Step 1.
        3. Enter the path and name of the PEM Certificate File that the CA sent, or Browse to it.
        4. Click OK. The Device Certificates tab displays the certificate with a Status of valid.

Step 4  Configure the certificate.
        1. Click the certificate Name.
        2. Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
        3. Click OK and Commit.

Certificate Management

Export a Certificate and Private Key
Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a certificate and private key in your organization. However, if necessary, you can also export a certificate and private key from the firewall or Panorama. You can use an exported certificate and private key in the following cases:

• Configure Certificate-Based Administrator Authentication to the Web Interface
• GlobalProtect agent/app authentication to portals and gateways
• SSL Forward Proxy decryption
• Obtain a Certificate from an External CA

Export a Certificate and Private Key
Step 1
Select Device > Certificate Management > Certificates > Device Certificates.

Step 2
If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.

Step 3
Select the certificate, click Export, and select a File Format:
• Base64 Encoded Certificate (PEM): This is the default format. It is the most common and has the broadest support on the Internet. If you want the exported file to include the private key, select the Export Private Key check box.
• Encrypted Private Key and Certificate (PKCS12): This format is more secure than PEM but is not as common or as broadly supported. The exported file will automatically include the private key.
• Binary Encoded Certificate (DER): More operating system types support this format than the others. You can export only the certificate, not the key: ignore the Export Private Key check box and passphrase fields.

Step 4
Enter a Passphrase and Confirm Passphrase to encrypt the private key if the File Format is PKCS12 or if it is PEM and you selected the Export Private Key check box. You will use this passphrase when importing the certificate and key into client systems.

Step 5
Click OK and save the certificate/key file to your computer.
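Steps 3 and 4 leave it to the administrator to remember which export formats carry the private key and when a passphrase protects it. The following Python inspector, added here and not part of the PAN-OS documentation, classifies an exported file as PEM, PKCS12 or DER and flags a private key that is not passphrase-protected. The sample inputs are constructed placeholders (no real key material); the DER/PKCS12 distinction rests on the first element inside the outer ASN.1 SEQUENCE (an INTEGER version in a PFX, a SEQUENCE in a certificate), and the PKCS12 branch does not parse the container but relies on the firewall requiring a passphrase for that format.

```python
"""Classify a certificate/key file exported from the firewall and flag
unprotected private keys. Added example, not PAN-OS code."""
import base64
import re
from dataclasses import dataclass

# One PEM block: label, then everything (headers + base64) up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


@dataclass
class ExportReport:
    file_format: str        # "PEM", "PKCS12", "DER" or "unknown"
    has_certificate: bool
    has_private_key: bool
    key_encrypted: bool     # meaningful only when has_private_key is True

    @property
    def safe_to_transport(self) -> bool:
        """False when the file carries a private key without passphrase protection."""
        return not self.has_private_key or self.key_encrypted


def _der_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header at pos -> (tag, header_len, content_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                     # short-form length
        return tag, 2, first
    n = first & 0x7F                     # long-form: n following length bytes
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def inspect_export(data: bytes) -> ExportReport:
    text = data.decode("ascii", errors="ignore")
    blocks = PEM_BLOCK.findall(text)
    if blocks:
        labels = [label for label, _ in blocks]
        has_cert = "CERTIFICATE" in labels
        has_key = any(label.endswith("PRIVATE KEY") for label in labels)
        encrypted = False
        for label, body in blocks:
            if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 encrypted container
                encrypted = True
            elif label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
                encrypted = True                          # legacy PEM encryption header
        return ExportReport("PEM", has_cert, has_key, encrypted)

    # Binary: a DER certificate and a PKCS12 file both start with SEQUENCE (0x30).
    if len(data) > 4 and data[0] == 0x30:
        _, hlen, _ = _der_tlv(data, 0)
        if hlen + 1 < len(data):
            inner_tag, _, _ = _der_tlv(data, hlen)
            if inner_tag == 0x02:
                # PFX ::= SEQUENCE { version INTEGER, authSafe, macData }.
                # Assumption: the firewall only exports PKCS12 with a passphrase (Step 4).
                return ExportReport("PKCS12", True, True, True)
            if inner_tag == 0x30:
                # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }; no key in DER.
                return ExportReport("DER", True, False, False)
    return ExportReport("unknown", False, False, False)


# Constructed sample inputs: placeholder base64 / hand-built ASN.1, not real material.
FAKE_B64 = base64.b64encode(b"constructed placeholder, not real DER content").decode()
SAMPLE_PEM_CERT_ONLY = (
    f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n").encode()
SAMPLE_PEM_WITH_PLAIN_KEY = SAMPLE_PEM_CERT_ONLY + (
    f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_B64}\n-----END RSA PRIVATE KEY-----\n").encode()
SAMPLE_PEM_WITH_ENC_KEY = SAMPLE_PEM_CERT_ONLY + (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
    f"{FAKE_B64}\n-----END RSA PRIVATE KEY-----\n").encode()
SAMPLE_DER_CERT = bytes.fromhex("3006300402020102")   # SEQUENCE { SEQUENCE { ... } }
SAMPLE_PKCS12 = bytes.fromhex("30050201033000")       # SEQUENCE { INTEGER 3, SEQUENCE {} }
```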


Configure a Certificate Profile
Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.

It is a best practice to enable Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) status verification for certificate profiles. For details on these methods, see Certificate Revocation.

Configure a Certificate Profile
Step 1
Obtain the certificate authority (CA) certificates you will assign.
Perform one of the following steps to obtain the CA certificates you will assign to the profile. You must assign at least one.
• Generate a Certificate.
• Export a certificate from your enterprise CA and then import it onto the firewall (see Step 3).

Step 2
Identify the certificate profile.
1. Select Device > Certificate Management > Certificate Profile and click Add.
2. Enter a Name to identify the profile. The name is case-sensitive, must be unique and can use up to 31 characters that include only letters, numbers, spaces, hyphens, and underscores.
3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3
Assign one or more certificates.
Perform the following steps for each CA certificate:
1. In the CA Certificates table, click Add.
2. Select a CA Certificate. Alternatively, to import a certificate, click Import, enter a Certificate Name, Browse to the Certificate File you exported from your enterprise CA, and click OK.
3. (Optional) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
   • By default, the firewall uses the OCSP responder URL that you set in the procedure Configure an OCSP Responder. To override that setting, enter a Default OCSP URL (starting with http:// or https://).
   • By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
4. Click OK. The CA Certificates table displays the assigned certificate.

Step 4
Define the methods for verifying certificate revocation status and the associated blocking behavior.
1. Select Use CRL and/or Use OCSP. If you select both, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable.
2. Depending on the verification method, enter the CRL Receive Timeout and/or OCSP Receive Timeout. These are the intervals (1-60 seconds) after which the firewall stops waiting for a response from the CRL/OCSP service.
3. Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session-blocking logic you define. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
   • If you enable both OCSP and CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
   • If you enable only OCSP: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
   • If you enable only CRL: The firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
4. If you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block session if certificate status is unknown check box. Otherwise, the firewall proceeds with the session.
5. If you want the firewall to block sessions after it registers an OCSP or CRL request timeout, select the Block session if certificate status cannot be retrieved within timeout check box. Otherwise, the firewall proceeds with the session.

Step 5
Save and apply your entries.
Click OK and Commit.
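As an added illustration (not code from PAN-OS), the following Python model reproduces the decision logic of Step 4: OCSP first, CRL fallback only when the OCSP responder gives no answer, the effective timeout as the lesser of the Certificate Status Timeout and the applicable Receive Timeouts, and the two Block session check boxes. The timing model (one simulated reply per service with a latency, or no reply at all) and the default timeout values are simplifying assumptions; the point is to see, before committing, which combinations leave a session allowed when revocation status was never actually confirmed.

```python
"""Model of a PAN-OS certificate profile's revocation check and blocking behavior.
Added example; the timing model is a simplification, not the firewall's code."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Simulated responder reply: (status, seconds until it arrives), or None if the
# service never answers. status is "good", "revoked" or "unknown".
Reply = Optional[Tuple[str, float]]


@dataclass
class CertificateProfile:
    use_crl: bool
    use_ocsp: bool
    crl_receive_timeout: float = 5.0          # web interface range: 1-60 seconds
    ocsp_receive_timeout: float = 5.0         # 1-60 seconds
    certificate_status_timeout: float = 5.0   # 1-60 seconds
    block_if_status_unknown: bool = False     # "Block session if certificate status is unknown"
    block_if_timeout: bool = False            # "... cannot be retrieved within timeout"


def effective_timeout(p: CertificateProfile) -> float:
    """Interval after which the firewall registers a request timeout (Step 4, item 3)."""
    if p.use_ocsp and p.use_crl:
        return min(p.certificate_status_timeout,
                   p.ocsp_receive_timeout + p.crl_receive_timeout)
    if p.use_ocsp:
        return min(p.certificate_status_timeout, p.ocsp_receive_timeout)
    if p.use_crl:
        return min(p.certificate_status_timeout, p.crl_receive_timeout)
    return 0.0


def _query(reply: Reply, receive_timeout: float, elapsed: float, deadline: float):
    """Wait for one service within its Receive Timeout and the overall deadline.
    Returns (status or None, elapsed time after the wait)."""
    budget = min(receive_timeout, deadline - elapsed)
    if reply is not None and reply[1] <= budget:
        return reply[0], elapsed + reply[1]
    return None, elapsed + budget             # no usable answer: budget consumed


def evaluate(p: CertificateProfile, ocsp: Reply, crl: Reply) -> Tuple[str, str]:
    """Return (status, action): status in good/revoked/unknown/timeout/not-checked,
    action in allow/block."""
    if not (p.use_ocsp or p.use_crl):
        return "not-checked", "allow"          # no revocation verification configured
    deadline = effective_timeout(p)
    elapsed = 0.0
    status = None
    if p.use_ocsp:
        status, elapsed = _query(ocsp, p.ocsp_receive_timeout, elapsed, deadline)
    # CRL is consulted only when OCSP is off or the responder gave no answer at all;
    # an explicit "unknown" from OCSP is a status and does not trigger fallback.
    if status is None and p.use_crl and elapsed < deadline:
        status, elapsed = _query(crl, p.crl_receive_timeout, elapsed, deadline)
    if status is None:
        status = "timeout"
    if status == "revoked":
        return status, "block"
    if status == "unknown":
        return status, "block" if p.block_if_status_unknown else "allow"
    if status == "timeout":
        return status, "block" if p.block_if_timeout else "allow"
    return status, "allow"
```

With both methods enabled and the default check boxes clear, a responder outage ends in ("timeout", "allow"): the session proceeds without any revocation status having been retrieved, which is why the guide's best practice pairs status verification with the blocking options.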

Configure an SSL/TLS Service Profile
Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama downgrades or upgrades the connection to a supported version.

Configure an SSL/TLS Service Profile
Step 1
For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
Use only signed certificates, not certificate authority (CA) certificates, for SSL/TLS services.

Step 2
Select Device > Certificate Management > SSL/TLS Service Profile.

Step 3
If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.

Step 4
Click Add and enter a Name to identify the profile.

Step 5
Select the Certificate you just obtained.

Step 6
Define the range of protocols that the service can use:
• For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
• For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest available version). The default is Max.

Step 7
Click OK and Commit.

Replace the Certificate for Inbound Management Traffic
When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.

You cannot view, modify, or delete the default certificate.

Securing management traffic also involves configuring how administrators authenticate to the firewall or to Panorama.

Replace the Certificate for Inbound Management Traffic
Step 1
Obtain the certificate that will authenticate the firewall or Panorama to the client systems of administrators.
You can simplify your Certificate Deployment by using a certificate that the client systems already trust. Therefore, we recommend that you Import a Certificate and Private Key from your enterprise certificate authority (CA) or Obtain a Certificate from an External CA; the trusted root certificate store of the client systems is likely to already have the associated root CA certificate that ensures trust.
If you Generate a Certificate on the firewall or Panorama, administrators will see a certificate error because the root CA certificate is not in the trusted root certificate store of client systems. To prevent this, deploy the self-signed root CA certificate to all client systems.
Regardless of how you obtain the certificate, we recommend a Digest algorithm of sha256 or higher for enhanced security.

Step 2
Configure an SSL/TLS Service Profile.
Select the Certificate you just obtained.
For enhanced security, we recommend that you set the Min Version (earliest allowed TLS version) to TLSv1.1 for inbound management traffic. We also recommend that you use a different SSL/TLS Service Profile for each firewall or Panorama service instead of reusing this profile for all services.

Step 3
Apply the SSL/TLS Service Profile to inbound management traffic.
1. Select Device > Setup > Management and edit the General Settings.
2. Select the SSL/TLS Service Profile you just configured.
3. Click OK and Commit.

Configure the Key Size for SSL Forward Proxy Server Certificates
When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall generates certificates with the same key size as the certificate that the destination server presented. However, you can change the key size for the firewall-generated certificate as follows:

Configure the Key Size for SSL Forward Proxy Server Certificates
Step 1
Select Device > Setup > Session and, in the Decryption Settings section, click SSL Forward Proxy Settings.

Step 2
Select a Key Size:
• Defined by destination host: The firewall determines the key size for the certificates it generates to establish SSL proxy sessions with clients based on the key size of the destination server certificate. If the destination server uses a 1024-bit RSA key, the firewall generates a certificate with that key size and an SHA1 hashing algorithm. If the destination server uses a key size larger than 1,024 bits (for example, 2,048 bits or 4,096 bits), the firewall generates a certificate that uses a 2,048-bit RSA key and SHA256 algorithm. This is the default setting.
• 1024-bit RSA: The firewall generates certificates that use a 1,024-bit RSA key and SHA1 hashing algorithm regardless of the key size of the destination server certificates. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2,048 bits. In the future, depending on security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.
• 2048-bit RSA: The firewall generates certificates that use a 2,048-bit RSA key and SHA256 hashing algorithm regardless of the key size of the destination server certificates. Public CAs and popular browsers support 2,048-bit keys, which provide better security than the 1,024-bit keys.
Changing the key size setting clears the current certificate cache.

Step 3
Click OK and Commit.

Revoke and Renew Certificates

• Revoke a Certificate
• Renew a Certificate

Revoke a Certificate
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority (CA) that issued the certificate must revoke it. The following task describes how to revoke a certificate for which the firewall is the CA.

Revoke a Certificate
Step 1
Select Device > Certificate Management > Certificates > Device Certificates.

Step 2
If the firewall supports multiple virtual systems, the tab displays a Location drop-down. Select the virtual system to which the certificate belongs.

Step 3
Select the certificate to revoke.

Step 4
Click Revoke. PAN-OS immediately sets the status of the certificate to revoked and adds the serial number to the Online Certificate Status Protocol (OCSP) responder cache or certificate revocation list (CRL). You need not perform a commit.

Renew a Certificate
If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status (see Configure an OCSP Responder). If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.

Renew a Certificate
Step 1
Select Device > Certificate Management > Certificates > Device Certificates.

Step 2
If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

Step 3
Select a certificate to renew and click Renew.

Step 4
Enter a New Expiration Interval (in days).

Step 5
Click OK and Commit.

Secure Keys with a Hardware Security Module
A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. It provides both logical and physical protection of these materials from non-authorized use and potential adversaries.
HSM clients integrated with Palo Alto Networks firewalls or Panorama enable enhanced security for the private keys used in SSL/TLS decryption (both SSL forward proxy and SSL inbound inspection). In addition, you can use the HSM to encrypt master keys.
The following topics describe how to integrate an HSM with your firewall or Panorama:

• Set up Connectivity with an HSM
• Encrypt a Master Key Using an HSM
• Store Private Keys on an HSM
• Manage the HSM Deployment

Set up Connectivity with an HSM
HSM clients are integrated with PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls and on Panorama (virtual appliance and M-Series appliance) for use with the following HSMs:

• SafeNet Network 5.2.1 or later
• Thales nShield Connect 11.62 or later

The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.

The following topics describe how to set up connectivity to one of the supported HSMs:

• Set Up Connectivity with a SafeNet Network HSM
• Set Up Connectivity with a Thales nShield Connect HSM

Set Up Connectivity with a SafeNet Network HSM
To set up connectivity between the Palo Alto Networks firewall and a SafeNet Network HSM, you must specify the address of the HSM server and the password for connecting to it in the firewall configuration. In addition, you must register the firewall with the HSM server. Before starting the configuration, make sure you have created a partition for the Palo Alto Networks firewalls on the HSM server.

HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
In Active/Passive HA deployments, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After this manual failover has been performed, user interaction is not required for the failover function.

Set up Connectivity with a SafeNet Network HSM
Step 1
Configure the firewall to communicate with the SafeNet Network HSM.
1. Log in to the firewall web interface and select Device > Setup > HSM.
2. Edit the Hardware Security Module Provider section and select Safenet Luna SA (SafeNet Network) as the Provider Configured.
3. Click Add and enter a Module Name. This can be any ASCII string up to 31 characters in length.
4. Enter the IPv4 address of the HSM module as the Server Address.
   If you are configuring a high availability HSM configuration, enter module names and IP addresses for the additional HSM devices.
5. (Optional) If configuring a high availability HSM configuration, select the High Availability check box and add the following: a value for Auto Recovery Retry and a High Availability Group Name.
   If two HSM servers are configured, you should configure high availability. Otherwise the second HSM server is not used.
6. Click OK and Commit.

Step 2
(Optional) Configure a service route to enable the firewall to connect to the HSM.
By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
1. Select Device > Setup > Services.
2. Select Service Route Configuration from the Services Features area.
3. Select Customize from the Service Route Configuration area.
4. Select the IPv4 tab.
5. Select HSM from the Service column.
6. Select an interface to use for HSM from the Source Interface drop-down.
   If you select a dataplane-connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
7. Click OK and Commit.

Step 3
Configure the firewall to authenticate to the HSM.
1. Select Device > Setup > HSM.
2. Select Setup Hardware Security Module in the Hardware Security Operations area.
3. Select the HSM Server Name from the drop-down.
4. Enter the Administrator Password to authenticate the firewall to the HSM.
5. Click OK.
   The firewall attempts to perform an authentication with the HSM and displays a status message.
6. Click OK.

Step 4
Register the firewall (the HSM client) with the HSM and assign it to a partition on the HSM.
1. Log in to the HSM from a remote system.
2. Register the firewall using the following command:
   client register -c <cl-name> -ip <fw-ip-addr>
   where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address of the firewall that is being configured as an HSM client.
3. Assign a partition to the firewall using the following command:
   client assignpartition -c <cl-name> -p <partition-name>
   where <cl-name> is the name assigned to the firewall in the client register command and <partition-name> is the name of a previously configured partition that you want to assign to the firewall.
If the HSM already has a firewall with the same <cl-name> registered, you must remove the duplicate registration using the following command before registration will succeed:
client delete -client <cl-name>
where <cl-name> is the name of the client (firewall) registration you want to delete.

Step 5
Configure the firewall to connect to the HSM partition.
1. Select Device > Setup > HSM.
2. Click the Refresh icon.
3. Select the Setup HSM Partition in the Hardware Security Operations area.
4. Enter the Partition Password to authenticate the firewall to the partition on the HSM.
5. Click OK.

Step 6
(Optional) Configure an additional HSM for high availability (HA).
1. Follow Step 1 through Step 5 to add an additional HSM for high availability (HA).
   This process adds a new HSM to the existing HA group.
2. If you remove an HSM from your configuration, repeat Step 5.
   This will remove the deleted HSM from the HA group.

Step 7
Verify connectivity with the HSM.
1. Select Device > Setup > HSM.
2. Check the Status of the HSM connection:
   • Green: HSM is authenticated and connected.
   • Red: HSM was not authenticated or network connectivity to the HSM is down.
3. View the following columns in the Hardware Security Module Status area to determine authentication status:
   • Serial Number: The serial number of the HSM partition if the HSM was successfully authenticated.
   • Partition: The partition name on the HSM that was assigned on the firewall.
   • Module State: The current operating state of the HSM. It always has the value Authenticated if the HSM is displayed in this table.

Set Up Connectivity with a Thales nShield Connect HSM
The following workflow describes how to configure the firewall to communicate with a Thales nShield Connect HSM. This configuration requires that you set up a remote filesystem (RFS) to use as a hub to sync key data for all firewalls in your organization that are using the HSM.

HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
If the firewall is in an active/passive high availability configuration, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After you perform this initial manual failover, no further user interaction is required for failover function.

Set up Connectivity with a Thales nShield Connect HSM
Step 1
Configure the Thales nShield Connect server as the firewall's HSM provider.
1. From the firewall web interface, select Device > Setup > HSM and edit the Hardware Security Module Provider section.
2. Select Thales Nshield Connect as the Provider Configured.
3. Click Add and enter a Module Name. This can be any ASCII string up to 31 characters in length.
4. Enter the IPv4 address as the Server Address of the HSM module.
   If you are configuring a high availability HSM configuration, enter module names and IP addresses for the additional HSM devices.
5. Enter the IPv4 address of the Remote Filesystem Address.
6. Click OK and Commit.

Step 2
(Optional) Configure a service route to enable the firewall to connect to the HSM.
By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
1. Select Device > Setup > Services.
2. Select Service Route Configuration from the Services Features area.
3. Select Customize from the Service Route Configuration area.
4. Select the IPv4 tab.
5. Select HSM from the Service column.
6. Select an interface to use for HSM from the Source Interface drop-down.
   If you select a dataplane-connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
7. Click OK and Commit.

Step 3
Register the firewall (the HSM client) with the HSM server.
This step briefly describes the procedure for using the front panel interface of the Thales nShield Connect HSM. For more details, consult the Thales documentation.
1. Log in to the front panel display of the Thales nShield Connect HSM unit.
2. On the unit front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.
3. Enter the IP address of the firewall.
4. Select System > System configuration > Client config > Remote file system and enter the IP address of the client computer where you set up the remote file system.

Step 4
Set up the remote filesystem to accept connections from the firewall.
1. Log in to the remote filesystem (RFS) from a Linux client.
2. Obtain the electronic serial number (ESN) and the hash of the KNETI key. The KNETI key authenticates the module to clients:
   anonkneti <ip-address>
   where <ip-address> is the IP address of the HSM.
   The following is an example:
   anonkneti 192.0.2.1
   B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
   In this example, B1E2-2D4C-E6A2 is the ESN and 5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key.
3. Use the following command from a superuser account to perform the remote filesystem setup:
   rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>
   where <ip-address> is the IP address of the HSM, <ESN> is the electronic serial number (ESN) and <hash-Kneti-key> is the hash of the KNETI key.
   The following example uses the values obtained in this procedure (the placeholders are replaced by the literal values, without angle brackets):
   rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
4. Use the following command to permit client submit on the Remote Filesystem:
   rfs-setup --gang-client --write-noauth <FW-IPaddress>
   where <FW-IPaddress> is the IP address of the firewall.

Step 5
Configure the firewall to authenticate to the HSM.
1. From the firewall web interface, select Device > Setup > HSM.
2. Select Setup Hardware Security Module in the Hardware Security Operations area.
3. Click OK.
   The firewall attempts to perform an authentication with the HSM and displays a status message.
4. Click OK.

Step 6
Synchronize the firewall with the remote filesystem.
1. Select Device > Setup > HSM.
2. Select Synchronize with Remote Filesystem in the Hardware Security Operations section.

Step 7
Verify that the firewall can connect to the HSM.
1. Select Device > Setup > HSM.
2. Check the Status indicator to verify that the firewall is connected to the HSM:
   • Green: HSM is authenticated and connected.
   • Red: HSM was not authenticated or network connectivity to the HSM is down.
3. View the following columns in the Hardware Security Module Status section to determine authentication status.
   • Name: The name of the HSM attempting to be authenticated.
   • IP address: The IP address of the HSM that was assigned on the firewall.
   • Module State: The current operating state of the HSM: Authenticated or Not Authenticated.

Encrypt a Master Key Using an HSM
A master key is configured on a Palo Alto Networks firewall to encrypt all private keys and passwords. If you have security requirements to store your private keys in a secure location, you can encrypt the master key using an encryption key that is stored on an HSM. The firewall then requests the HSM to decrypt the master key whenever it is required to decrypt a password or private key on the firewall. Typically, the HSM is located in a highly secure location that is separate from the firewall for greater security.
The HSM encrypts the master key using a wrapping key. To maintain security, this encryption key must occasionally be changed. For this reason, a command is provided on the firewall to rotate the wrapping key, which changes the master key encryption. The frequency of this wrapping key rotation depends on your application.

Master key encryption using an HSM is not supported on firewalls configured in FIPS/CC mode.

The following topics describe how to encrypt the master key initially and how to refresh the master key encryption:

• Encrypt the Master Key
• Refresh the Master Key Encryption

Encrypt the Master Key
If you have not previously encrypted the master key on a firewall, use the following procedure to encrypt it. Use this procedure for first-time encryption of a key, or if you define a new master key and you want to encrypt it. If you want to refresh the encryption on a previously encrypted key, see Refresh the Master Key Encryption.

Encrypt a Master Key Using an HSM
Step 1
Select Device > Master Key and Diagnostics.

Step 2
Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the Master Key field.

Step 3
If changing the master key, enter the new master key and confirm.

Step 4
Select the HSM check box.
• Life Time: The number of days and hours after which the master key expires (range 1-730 days).
• Time for Reminder: The number of days and hours before expiration when the user is notified of the impending expiration (range 1-365 days).

Step 5
Click OK.

Refresh the Master Key Encryption
As a best practice, refresh the master key encryption on a regular basis by rotating the master key wrapping key on the HSM. This command is the same for both the SafeNet Network and Thales nShield Connect HSMs.

Refresh the Master Key Encryption
Step 1
Use the following CLI command to rotate the wrapping key for the master key on an HSM:
> request hsm mkey-wrapping-key-rotation

If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and encrypt the master key with the new wrapping key.
If the master key is not encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM for future use.
The old wrapping key is not deleted by this command.

Store Private Keys on an HSM
For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:

• SSL forward proxy: The HSM can store the private key of the CA certificate that is used to sign certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding them to the client.
• SSL inbound inspection: The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.

Store Private Keys on an HSM
Step 1
On the HSM, import or generate the private key used in your SSL forward proxy or SSL inbound inspection deployment.
For instructions on importing or generating a private key on the HSM, refer to your HSM documentation.

Step 2
(Thales nShield Connect only) Synchronize the key data from the HSM remote filesystem to the firewall.
1. Access the firewall web interface and select Device > Setup > HSM.
2. Select Synchronize with Remote Filesystem in the Hardware Security Operations section.

Step 3
Import the certificate that corresponds to the HSM-stored key onto the firewall.
1. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
2. Enter the Certificate Name.
3. Enter the filename of the Certificate File you imported to the HSM.
4. Select a File Format.
5. Select the Private Key resides on Hardware Security Module check box.
6. Click OK and Commit.

Step 4
(Forward trust certificates only) Enable the certificate for use in SSL/TLS Forward Proxy.
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Open the certificate you imported in Step 3 for editing.
3. Select the Forward Trust Certificate check box.
4. Click OK and Commit.

Step 5
Verify that you successfully imported the certificate onto the firewall.
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Locate the certificate you imported in Step 3 and check the icon in the Key column:
   • Lock icon: The private key for the certificate is on the HSM.
   • Error icon: The private key is not on the HSM or the HSM is not properly authenticated or connected.

Manage the HSM Deployment
Manage HSM
View the HSM configuration settings.
Select Device > Setup > HSM.

Display detailed HSM information.
Select Show Detailed Information from the Hardware Security Operations section.
Information regarding the HSM servers, HSM HA status, and HSM hardware is displayed.

Export Support file.
Select Export Support File from the Hardware Security Operations section.
A test file is created to help customer support when addressing a problem with an HSM configuration on the firewall.

Reset HSM configuration.
Select Reset HSM Configuration from the Hardware Security Operations section.
Selecting this option removes all HSM connections. All authentication procedures must be repeated after using this option.

HighAvailability
Highavailability(HA)isadeploymentinwhichtwofirewallsareplacedinagroupandtheirconfigurationis
synchronizedtopreventasinglepointoffailureonyournetwork.Aheartbeatconnectionbetweenthe
firewallpeersensuresseamlessfailoverintheeventthatapeergoesdown.Settinguptwofirewallsinan
HApairprovidesredundancyandallowsyoutoensurebusinesscontinuity.
PaloAltoNetworksfirewallssupportstatefulactive/passiveoractive/activehighavailabilitywithsession
andconfigurationsynchronizationwithafewexceptions:

ThePA200firewallsupportsHALiteonly.
TheVMSeriesfirewallinAWSsupportsactive/passiveHAonly;ifitisdeployedwithAmazonElastic
LoadBalancing(ELB),itdoesnotsupportHA(inthiscaseELBprovidesthefailovercapabilities).
TheVMSeriesfirewallinMicrosoftAzuredoesnotsupportHA.

Thefollowingtopicsprovidemoreinformationabouthighavailabilityandhowtoconfigureitinyour
environment.

HAOverview

HAConcepts

SetUpActive/PassiveHA

SetUpActive/ActiveHA

HAFirewallStates

Reference:HASynchronization

PaloAltoNetworks,Inc.

PANOS7.1AdministratorsGuide 189

HAOverview

HighAvailability

HAOverview
YoucansetuptwoPaloAltoNetworksfirewallsasanHApair.HAallowsyoutominimizedowntimeby
makingsurethatanalternatefirewallisavailableintheeventthatthepeerfirewallfails.Thefirewallsinan
HApairusededicatedorinbandHAportsonthefirewalltosynchronizedatanetwork,object,andpolicy
configurationsandtomaintainstateinformation.Firewallspecificconfigurationsuchasmanagement
interfaceIPaddressoradministratorprofiles,HAspecificconfiguration,logdata,andtheApplication
CommandCenter(ACC)informationisnotsharedbetweenpeers.Foraconsolidatedapplicationandlog
viewacrosstheHApair,youmustusePanorama,thePaloAltoNetworkscentralizedmanagementsystem.
WhenafailureoccursonafirewallinanHApairandthepeerfirewalltakesoverthetaskofsecuringtraffic,
theeventiscalledaFailover.Theconditionsthattriggerafailoverare:

Oneormoreofthemonitoredinterfacesfail.(LinkMonitoring)

Oneormoreofthedestinationsspecifiedonthefirewallcannotbereached.(PathMonitoring)

Thefirewalldoesnotrespondtoheartbeatpolls.(HeartbeatPollingandHellomessages)

Acriticalchiporsoftwarecomponentfails,knownaspacketpathhealthmonitoring.

YoucanusePanoramatomanageHAfirewalls.SeeContextSwitchFirewallorPanoramainthePanorama
AdministratorsGuide.
AfteryouunderstandtheHAConcepts,proceedtoSetUpActive/PassiveHAorSetUpActive/ActiveHA.

190 PANOS7.1AdministratorsGuide

PaloAltoNetworks,Inc.

HighAvailability

HAConcepts

HA Concepts
The following topics provide conceptual information about how HA works on a Palo Alto Networks firewall:

HA Modes

HA Links and Backup Links

Device Priority and Preemption

Failover

LACP and LLDP Pre-Negotiation for Active/Passive HA

Floating IP Address and Virtual MAC Address

ARP Load-Sharing

Route-Based Redundancy

HA Timers

Session Owner

Session Setup

NAT in Active/Active HA Mode

ECMP in Active/Active HA Mode

HA Modes
You can set up the firewalls for HA in one of two modes:

Active/Passive: One firewall actively manages traffic while the other is synchronized and ready to transition to the active state, should a failure occur. In this mode, both firewalls share the same configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs. When the active firewall fails, the passive firewall transitions to the active state and takes over seamlessly and enforces the same policies to maintain network security. Active/passive HA is supported in the virtual wire, Layer 2, and Layer 3 deployments.
The PA-200 firewall supports HA Lite only.
HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPSec security associations. It does not support any session synchronization (HA2), and therefore does not offer stateful failover.

Active/Active: Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each other. Active/active HA is supported in virtual wire and Layer 3 deployments.
An active/active configuration does not load-balance traffic. Although you can load-share by sending traffic to the peer, no load balancing occurs. Ways to load-share sessions to both firewalls include using ECMP, multiple ISPs, and load balancers.


In active/active HA mode, the firewall does not support DHCP client. Furthermore, only the active-primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast packets, it drops them.
When deciding whether to use active/passive or active/active mode, consider the following differences:

Active/passive mode has simplicity of design; it is significantly easier to troubleshoot routing and traffic flow issues in active/passive mode. Active/passive mode supports a Layer 2 deployment; active/active mode does not.
Active/active mode requires advanced design concepts that can result in more complex networks. Depending on how you implement active/active HA, it might require additional configuration such as activating networking protocols on both firewalls, replicating NAT pools, and deploying floating IP addresses to provide proper failover. Because both firewalls are actively processing traffic, the firewalls use additional concepts of session owner and session setup to perform Layer 7 content inspection. Active/active mode is recommended if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic.
In active/active mode, the HA pair can be used to temporarily process more traffic than what one firewall can normally handle. However, this should not be the norm because a failure of one firewall causes all traffic to be redirected to the remaining firewall in the HA pair. Your design must allow the remaining firewall to process the maximum capacity of your traffic loads with content inspection enabled. If the design oversubscribes the capacity of the remaining firewall, high latency and/or application failure can occur.

For information on setting up your firewalls in active/passive mode, see Set Up Active/Passive HA. For information on setting up your firewalls in active/active mode, see Set Up Active/Active HA.

HA Links and Backup Links
The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports, Control link (HA1) and Data link (HA2), while others require you to use the in-band ports as HA links.
On firewalls with dedicated HA ports such as the PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (see HA Ports on the PA-7000 Series Firewall), use the dedicated HA ports to manage communication and synchronization between the firewalls. For firewalls without dedicated HA ports such as the PA-200, PA-500, and PA-2000 Series firewalls, as a best practice use the management port for the HA1 link to allow for a direct connection between the management planes on the firewalls, and an in-band port for the HA2 link.
The HA1 and HA2 links provide synchronization for functions that reside on the management plane. Using the dedicated HA interfaces on the management plane is more efficient than using the in-band ports as this eliminates the need to pass the synchronization packets over the dataplane.


HA Links and Backup Links: Description

Control Link (HA1)
The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing and User-ID information. The firewalls also use this link to synchronize configuration changes with its peer. The HA1 link is a Layer 3 link and requires an IP address.
Ports used for HA1: TCP port 28769 and 28260 for clear text communication; port 28 for encrypted communication (SSH over TCP).

Data Link (HA2)
The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active or active-primary firewall to the passive or active-secondary firewall. The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
Ports used for HA2: The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.

Backup Links
Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. Consider the following guidelines when configuring backup HA links:
The IP addresses of the primary and backup HA links must not overlap each other.
HA backup links must be on a different subnet from the primary HA links.
HA1 backup and HA2 backup ports must be configured on separate physical ports. The HA1 backup link uses port 28770 and 28260.
Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links.

Packet-Forwarding Link (HA3)
In addition to HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing or encryption. PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one. On PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls, you can configure aggregate interfaces as an HA3 link. The aggregate interfaces can also provide redundancy for the HA3 link; you cannot configure backup links for the HA3 link. On PA-7000 Series firewalls, the dedicated HSCI ports support the HA3 link. The firewall adds a proprietary packet header to packets traversing the HA3 link, so the MTU over this link must be greater than the maximum packet length forwarded.
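An added example, not from the guide or from Palo Alto Networks: a small Python classifier that uses only the port and protocol numbers listed in the table above to label captured packets as HA1, HA1 backup, heartbeat backup, or HA2 traffic. It is useful when writing ACLs for the switch path between peers or when checking that HA synchronization traffic appears only where the design expects it. The packet records are constructed samples; because the guide does not state the transport protocol for the heartbeat backup port, both TCP and UDP are accepted for it here.

```python
"""Label packets as PAN-OS HA link traffic from the numbers in the guide's table.

Added example (not Palo Alto Networks code). Numbers used, all from the table
above: HA1 clear text TCP 28769/28260, HA1 encrypted TCP 28 (SSH), HA1 backup
TCP 28770/28260, heartbeat backup port 28771 on MGT, HA2 over IP protocol 99
or UDP 29281, and HA2 ethertype 0x7261 when it runs as a Layer 2 link.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_HA2 = 0x7261
PROTO_TCP, PROTO_UDP, PROTO_HA2 = 6, 17, 99

HA1_PORTS = {28769: "ha1", 28770: "ha1-backup", 28: "ha1-encrypted"}
HA1_SHARED_PORT = 28260          # used by both HA1 and HA1 backup
HEARTBEAT_BACKUP_PORT = 28771    # on the MGT interface; protocol not stated in the guide
HA2_UDP_PORT = 29281


@dataclass(frozen=True)
class Packet:
    """Minimal view of a frame; IP and port fields are None for non-IP frames."""
    ethertype: int
    ip_proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def classify_ha_link(pkt: Packet) -> str:
    """Return 'ha1', 'ha1-backup', 'ha1-encrypted', 'ha1-or-backup',
    'heartbeat-backup', 'ha2-l2', 'ha2-ip', 'ha2-udp' or 'not-ha'."""
    if pkt.ethertype == ETHERTYPE_HA2:
        return "ha2-l2"                       # MAC-layer HA2, no IP header
    if pkt.ethertype != ETHERTYPE_IPV4:
        return "not-ha"
    if pkt.ip_proto == PROTO_HA2:
        return "ha2-ip"                       # HA2 carried as IP protocol 99
    ports = {pkt.sport, pkt.dport}
    if pkt.ip_proto == PROTO_UDP and HA2_UDP_PORT in ports:
        return "ha2-udp"
    if pkt.ip_proto in (PROTO_TCP, PROTO_UDP) and HEARTBEAT_BACKUP_PORT in ports:
        return "heartbeat-backup"
    if pkt.ip_proto == PROTO_TCP:
        for port, label in HA1_PORTS.items():
            if port in ports:
                return label
        if HA1_SHARED_PORT in ports:
            return "ha1-or-backup"            # 28260 alone cannot be told apart
    return "not-ha"


def summarize(packets: Iterable[Packet]) -> Dict[str, int]:
    """Count packets per HA link label; handy for a quick capture review."""
    return dict(Counter(classify_ha_link(p) for p in packets))


# Constructed sample capture: the ephemeral source ports are arbitrary.
SAMPLE_CAPTURE = [
    Packet(ETHERTYPE_IPV4, PROTO_TCP, 51000, 28769),   # HA1 clear text
    Packet(ETHERTYPE_IPV4, PROTO_TCP, 28, 51001),      # HA1 encrypted, reply direction
    Packet(ETHERTYPE_IPV4, PROTO_TCP, 51002, 28770),   # HA1 backup
    Packet(ETHERTYPE_IPV4, PROTO_TCP, 51003, 28260),   # HA1 or HA1 backup
    Packet(ETHERTYPE_IPV4, PROTO_UDP, 28771, 28771),   # heartbeat backup on MGT
    Packet(ETHERTYPE_HA2),                             # HA2 at Layer 2
    Packet(ETHERTYPE_IPV4, PROTO_HA2),                 # HA2 over IP protocol 99
    Packet(ETHERTYPE_IPV4, PROTO_UDP, 29281, 29281),   # HA2 over UDP
    Packet(ETHERTYPE_IPV4, PROTO_TCP, 51004, 443),     # ordinary HTTPS, not HA
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_CAPTURE).items():
        print(f"{label:18} {count}")
```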


HA Ports on the PA-7000 Series Firewall
HA connectivity on the PA-7000 Series mandates the use of specific ports on the Switch Management Card (SMC) for certain functions; for other functions, you can use the ports on the Network Processing Card (NPC). PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.
The following table describes the SMC ports that are designed for HA connectivity (HA Links and Backup Links, Ports on the SMC, Description):

Control Link
Port on the SMC: HA1-A (Speed: Ethernet 10/100/1000)
Used for HA control and synchronization in both HA Modes. Connect this port directly from the HA1-A port on the first firewall to the HA1-A on the second firewall in the pair, or connect them together through a switch or router.
HA1 cannot be configured on NPC data ports or the MGT port.

Control Link Backup
Port on the SMC: HA1-B (Speed: Ethernet 10/100/1000 port)
Used for HA control and synchronization as a backup for HA1-A in both HA Modes. Connect this port directly from the HA1-B port on the first firewall to the HA1-B on the second firewall in the pair, or connect them together through a switch or router.
HA1 Backup cannot be configured on NPC data ports or the MGT port.

Data Link
Port on the SMC: HSCI-A

Data Link Backup
Port on the SMC: HSCI-B

The High Speed Chassis Interconnect (HSCI) ports are Quad Port SFP (QSFP) interfaces which are used to connect two PA-7000 Series firewalls in an HA configuration. Each port is comprised of four 10-gigabit links internally for a combined speed of 40 gigabits.
The HSCI ports are not routable and must be connected directly to each other. The HSCI-A on the first chassis connects directly to HSCI-A on the second chassis and HSCI-B on the first chassis connects to HSCI-B on the second chassis. This will provide full 80-gigabit transfer rates. In software, both ports (HSCI-A and HSCI-B) are treated as one HA interface.
Palo Alto Networks recommends using the dedicated HSCI ports for the HA2 link; the HA3 link, required for packet forwarding in an active/active deployment, must use the HSCI port.
If the firewalls are deployed in:
an active/active configuration, the HA3 link must use the HSCI port. The HA2 link and HA2 backup links can use the HSCI port or data ports on the NPC.
an active/passive configuration, you can configure a data port on the NPC for the HA2 link or the HA2 backup link, if needed.


Device Priority and Preemption
The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active or active-primary role. If you need to use a specific firewall in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each firewall. The firewall with the lower numerical value, and therefore higher priority, is designated as active or active-primary. The other firewall is the active-secondary or passive firewall.
By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active or active-primary after it recovers from a failure. When preemption occurs, the event is logged in the system logs.

Failover
When a failure occurs on one firewall and the peer takes over the task of securing traffic, the event is called a failover. A failover is triggered, for example, when a monitored metric on a firewall in the HA pair fails. The metrics that are monitored for detecting a firewall failure are:

Heartbeat Polling and Hello messages
The firewalls use hello messages and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. For details on the HA timers that trigger a failover, see HA Timers.
Link Monitoring
The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is monitored. A link group can contain one or more physical interfaces. A firewall failure is triggered when any or all of the interfaces in the group fail. The default behavior is that failure of any one link in the link group will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
Path Monitoring
Monitors the full path through the network to mission-critical IP addresses. ICMP pings are used to verify reachability of the IP address. The default interval for pings is 200 ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail, and a firewall failure is triggered when any or all of the IP addresses monitored become unreachable. The default behavior is that any one of the IP addresses becoming unreachable will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.

In addition to the failover triggers listed above, a failover also occurs when the administrator suspends the firewall or when preemption occurs.
On the PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls, a failover can occur when an internal health check fails. This health check is not configurable and is enabled to monitor the critical components, such as the FPGA and CPUs. Additionally, general health checks occur on any platform causing failover.
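The link and path monitoring rules above, as an added Python simulation that is not part of the guide: a path monitor declares a destination unreachable after 10 consecutive lost pings sent every 200 ms, a link or path group trips on "any" (the default) or "all" member failures, and the firewall then moves to non-functional (active/passive) or tentative (active/active). The interface names, addresses and ping results are constructed sample data.

```python
"""Simulate the link and path monitoring failure conditions described under Failover.

Added example, not code from the guide. Defaults (200 ms ping interval,
10 consecutive failures) are the values stated in the Path Monitoring text.
"""
from dataclasses import dataclass
from typing import Dict, List

PING_INTERVAL_MS = 200        # default ping interval for path monitoring
PING_FAIL_COUNT = 10          # default consecutive failures before 'unreachable'


@dataclass
class PathMonitor:
    """Consecutive-failure counter for one monitored destination."""
    destination: str
    fail_count: int = PING_FAIL_COUNT
    consecutive_failures: int = 0

    def record(self, ping_answered: bool) -> None:
        # One answered ping resets the count; only an unbroken run of losses counts.
        self.consecutive_failures = 0 if ping_answered else self.consecutive_failures + 1

    @property
    def unreachable(self) -> bool:
        return self.consecutive_failures >= self.fail_count

    def detection_time_ms(self) -> int:
        """Time from the first lost ping until the destination is declared down."""
        return self.fail_count * PING_INTERVAL_MS


def group_failed(member_failed: List[bool], condition: str = "any") -> bool:
    """'any' trips on one failed member; 'all' requires every member to fail."""
    if condition == "any":
        return any(member_failed)
    if condition == "all":
        return bool(member_failed) and all(member_failed)
    raise ValueError(f"unknown failure condition: {condition}")


def ha_state_after_monitor(monitor_failed: bool, ha_mode: str) -> str:
    """State the firewall moves to when a monitored object fails."""
    if not monitor_failed:
        return "active"
    return "tentative" if ha_mode == "active/active" else "non-functional"


def evaluate(link_up: Dict[str, bool], link_condition: str,
             paths: List[PathMonitor], path_condition: str,
             ha_mode: str) -> Dict[str, object]:
    """Combine a link group and a path group the way the failover triggers do."""
    link_failed = group_failed([not up for up in link_up.values()], link_condition)
    path_failed = group_failed([p.unreachable for p in paths], path_condition)
    return {
        "link_group_failed": link_failed,
        "path_group_failed": path_failed,
        "ha_state": ha_state_after_monitor(link_failed or path_failed, ha_mode),
    }


def demo() -> Dict[str, object]:
    """Constructed scenario: one of two monitored links is down, the default
    gateway path loses 12 pings in a row, and a second path merely flaps."""
    gateway = PathMonitor("192.0.2.1")
    for answered in [True, True] + [False] * 12:
        gateway.record(answered)
    dns = PathMonitor("192.0.2.53")
    for answered in [True, False, True, False, True]:   # never 10 losses in a row
        dns.record(answered)
    links = {"ethernet1/1": True, "ethernet1/2": False}
    return {
        "default_any_ap": evaluate(links, "any", [gateway, dns], "any", "active/passive"),
        "all_aa": evaluate(links, "all", [gateway, dns], "all", "active/active"),
        "gateway_unreachable": gateway.unreachable,
        "dns_unreachable": dns.unreachable,
        "gateway_detection_ms": gateway.detection_time_ms(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```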


LACP and LLDP Pre-Negotiation for Active/Passive HA
If a firewall uses LACP or LLDP, negotiation of those protocols upon failover prevents sub-second failover. However, you can enable an interface on a passive firewall to negotiate LACP and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA state can communicate with neighboring devices using LACP or LLDP. Such pre-negotiation speeds up failover.
The PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls support a pre-negotiation configuration depending on whether the Ethernet or AE interface is in a Layer 2, Layer 3, or virtual wire deployment. An HA passive firewall handles LACP and LLDP packets in one of two ways:

Active: The firewall has LACP or LLDP configured on the interface and actively participates in LACP or LLDP pre-negotiation, respectively.
Passive: LACP or LLDP is not configured on the interface and the firewall does not participate in the protocol, but allows the peers on either side of the firewall to pre-negotiate LACP or LLDP, respectively.

Pre-negotiation is not supported on subinterfaces or tunnel interfaces.
To configure LACP or LLDP pre-negotiation, see Step 14 of Configure Active/Passive HA.

Floating IP Address and Virtual MAC Address
In a Layer 3 deployment of HA active/active mode, you can assign floating IP addresses, which move from one HA firewall to the other if a link or firewall fails. The interface on the firewall that owns the floating IP address responds to ARP requests with a virtual MAC address.
Floating IP addresses are recommended when you need functionality such as Virtual Router Redundancy Protocol (VRRP). Floating IP addresses can also be used to implement VPNs and source NAT, allowing for persistent connections when a firewall offering those services fails.
As shown in the figure below, each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as their default gateway, allowing you to load balance traffic to the two HA peers. You can also use external load balancers to load balance traffic.
If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure below, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.
After the failed firewall recovers, by default the floating IP address and virtual MAC address move back to the firewall with the Device ID [0 or 1] to which the floating IP address is bound. More specifically, after the failed firewall recovers, it comes online. The currently active firewall determines that the firewall is back online and checks whether the floating IP address it is handling belongs natively to itself or the other firewall. If the floating IP address was originally bound to the other Device ID, the firewall automatically gives it back. (For an alternative to this default behavior, see Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.)


Each firewall in the HA pair creates a virtual MAC address for each of its interfaces that has a floating IP address or ARP Load-Sharing IP address.
The format of the virtual MAC address (on firewalls other than PA-7000 Series firewalls) is 00-1B-17-00-xx-yy, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), 00 is fixed, xx indicates the Device ID and Group ID as shown in the following figure, and yy is the Interface ID:

The format of the virtual MAC address on PA-7000 Series firewalls is 00-1B-17-xx-xx-xx, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), and the next 24 bits indicate the Device ID, Group ID and Interface ID as follows:

When a new active firewall takes over, it sends gratuitous ARPs from each of its connected interfaces to inform the connected Layer 2 switches of the new location of the virtual MAC address. To configure floating IP addresses, see Use Case: Configure Active/Active HA with Floating IP Addresses.


ARP Load-Sharing
In a Layer 3 interface deployment and active/active HA configuration, ARP load-sharing allows the firewalls to share an IP address and provide gateway services. Use ARP load-sharing only when no Layer 3 device exists between the firewall and end hosts, that is, when end hosts use the firewall as their default gateway.

In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm that controls which firewall will respond to the ARP request is configurable; it is determined by computing the hash or modulo of the source IP address of the ARP request.
After the end host receives the ARP response from the gateway, it caches the MAC address and all traffic from the host is routed via the firewall that responded with the virtual MAC address for the lifetime of the ARP cache. The lifetime of the ARP cache depends on the end host operating system.
If a link or firewall fails, the floating IP address and virtual MAC address move over to the functional firewall. The functional firewall sends gratuitous ARPs to update the MAC table of the connected switches to redirect traffic from the failed firewall to itself. See Use Case: Configure Active/Active HA with ARP Load-Sharing.
You can configure interfaces on the WAN side of the HA firewalls with floating IP addresses, and configure interfaces on the LAN side of the HA firewalls with a shared IP address for ARP load-sharing. For example, the figure below illustrates floating IP addresses for the upstream WAN edge routers and an ARP load-sharing address for the hosts on the LAN segment.


Route-Based Redundancy
In a Layer 3 interface deployment and active/active HA configuration, the firewalls are connected to routers, not switches. The firewalls use dynamic routing protocols to determine the best path (asymmetric route) and to load-share between the HA pair. In such a scenario, no floating IP addresses are necessary. If a link, monitored path, or firewall fails, or if Bidirectional Forwarding Detection (BFD) detects a link failure, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic to the functioning firewall. You configure each firewall interface with a unique IP address. The IP addresses remain local to the firewall where they are configured; they do not move between devices when a firewall fails. See Use Case: Configure Active/Active HA with Route-Based Redundancy.

HA Timers
High availability (HA) timers facilitate a firewall to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.
Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.
The following table describes each timer included in the profiles and the current preset values across the different hardware models; these values are for current reference only and can change in a subsequent release.


Timers: Description, followed by the preset values (Recommended/Aggressive) for three platform groups:
(A) PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3000 Series, VM-Series
(B) PA-2000 Series, PA-500 Series, PA-200 Series
(C) Panorama Virtual Appliance, Panorama M-Series

Promotion hold time
Time that the passive firewall (in active/passive mode) or the active-secondary firewall (in active/active mode) will wait before taking over as the active or active-primary firewall after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made.
(A) 2000/500; (B) 2000/500; (C) 2000/500

Hello interval
Interval in milliseconds between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The range is 8000-60000 ms with a default of 8000 ms for all platforms.
(A) 8000/8000; (B) 8000/8000; (C) 8000/8000

Heartbeat interval
Frequency at which the HA peers exchange heartbeat messages in the form of an ICMP (ping).
(A) 1000/1000, or 2000/1000 only for VM-Series in AWS; (B) 2000/1000; (C) 2000/1000

Maximum no. of flaps
A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. This value indicates the maximum number of flaps that are permitted before the firewall is determined to be suspended and the passive firewall takes over (range 0-16; default 3).
(A) 3/3; (B) 3/3; (C) Not Applicable

Preemption hold time
Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.
(A) 1/1; (B) 1/1; (C) 1/1

Monitor fail hold up time
Interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices.
(A) 0/0; (B) 0/0; (C) 0/0

Additional master hold up time
Time interval that is applied to the same event as Monitor Fail Hold Up Time (range 0-60000 ms, default 500 ms). The additional time interval is applied only to the active firewall in active/passive mode and to the active-primary firewall in active/active mode. This timer is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously.
(A) 500/500; (B) 500/500; (C) 7000/5000


Session Owner
In an HA active/active configuration, both firewalls are active simultaneously, which means packets can be distributed between them. Such distribution requires the firewalls to fulfill two functions: session ownership and session setup. Typically, each firewall of the pair performs one of these functions, thereby avoiding race conditions that can occur in asymmetrically routed environments.
You configure the session owner of sessions to be either the firewall that receives the First Packet of a new session from the end host or the firewall that is in active-primary state (the Primary device). If Primary device is configured, but the firewall that receives the first packet is not in active-primary state, the firewall forwards the packet to the peer firewall (the session owner) over the HA3 link.
The session owner performs all Layer 7 processing, such as App-ID, Content-ID, and threat scanning for the session. The session owner also generates all traffic logs for the session.
If the session owner fails, the peer firewall becomes the session owner. The existing sessions fail over to the functioning firewall and no Layer 7 processing is available for those sessions. When a firewall recovers from a failure, by default, all sessions it owned before the failure revert back to that original firewall; Layer 7 processing does not resume.
If you configure session ownership to be Primary device, the session setup defaults to Primary device also.
Palo Alto Networks recommends setting the Session Owner to First Packet and the Session Setup to IP Modulo unless otherwise indicated in a specific use case.

Setting Session Owner and Session Setup to Primary Device causes the active-primary firewall to perform all traffic processing. You might want to configure this for one of these reasons:
You are troubleshooting and capturing logs and pcaps, so that packet processing is not split between the firewalls.
You want to force the active/active HA pair to function like an active/passive HA pair. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

Session Setup
The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up a new session. The session setup firewall also performs NAT using the NAT pool of the session owner. You determine the session setup firewall in an active/active configuration by selecting one of the following session setup load-sharing options.

Session Setup Option: Description

IP Modulo: The firewall distributes the session setup load based on parity of the source IP address. This is a deterministic method of sharing the session setup.

IP Hash: The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities.

Primary Device: The active-primary firewall always sets up the session; only one firewall performs all session setup responsibilities.

First Packet: The firewall that receives the first packet of a session performs session setup.


If you want to load-share the session owner and session setup responsibilities, set session owner to First Packet and session setup to IP modulo. These are the recommended settings.
If you want to do troubleshooting or capture logs or pcaps, or if you want an active/active HA pair to function like an active/passive HA pair, set both the session owner and session setup to Primary device so that the active-primary device performs all traffic processing. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The following figure and text describe the path of a packet that firewall FW1 receives for a new session. The red dotted lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding the packet back to FW1 over the HA3 link.

1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
3. FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
4. FW1 uses the HA3 link to send the first packet to FW2.
5. FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
6. FW1 then forwards the packet out the egress interface to the destination.


The following figure and text describe the path of a packet that matches an existing session:

1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If the session matches an existing session, FW1 processes the packet and sends the packet out the egress interface to the destination.

NAT in Active/Active HA Mode
In an active/active HA configuration:

You must bind each Dynamic IP (DIP) NAT rule and Dynamic IP and Port (DIPP) NAT rule to either Device ID 0 or Device ID 1.
You must bind each static NAT rule to either Device ID 0, Device ID 1, both Device IDs, or the firewall in active-primary state.

Thus, when one of the firewalls creates a new session, the Device ID 0 or Device ID 1 binding determines which NAT rules match the firewall. The device binding must include the session owner firewall to produce a match.
The session setup firewall performs the NAT policy match, but the NAT rules are evaluated based on the session owner. That is, the session is translated according to NAT rules that are bound to the session owner firewall. While performing NAT policy matching, a firewall skips all NAT rules that are not bound to the session owner firewall.
For example, suppose the firewall with Device ID 1 is the session owner and session setup firewall. When the firewall with Device ID 1 tries to match a session to a NAT rule, it skips all rules bound to Device ID 0. The firewall performs the NAT translation only if the session owner and the Device ID in the NAT rule match. You will typically create device-specific NAT rules when the peer firewalls use different IP addresses for translation.
If one of the peer firewalls fails, the active firewall continues to process traffic for synchronized sessions from the failed firewall, including NAT traffic. In a source NAT configuration, when one firewall fails:


The floating IP address that is used as the Translated IP address of the NAT rule transfers to the surviving firewall. Hence, the existing sessions that fail over will still use this IP address.
All new sessions will use the device-specific NAT rules that the surviving firewall naturally owns. That is, the surviving firewall translates new sessions using only the NAT rules that match its Device ID; it ignores any NAT rules bound to the failed Device ID.

If you want the firewalls to perform dynamic NAT using the same IP address simultaneously, a best practice is to create a duplicate NAT rule that is bound to the peer firewall also. The result is two NAT rules with the same translation IP addresses, one bound to Device ID 0 and one bound to Device ID 1. Thus, the configuration allows the current firewall to perform new session setup and perform NAT policy matching for NAT rules that are bound to its Device ID. Without the duplicate NAT rule, the firewall will not find its own device-specific rules and will skip all NAT rules that are not bound to its Device ID when it attempts to match a NAT policy.
For examples of active/active HA with NAT, see:

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
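The session owner, session setup and NAT rule binding rules from the Session Owner, Session Setup and NAT in Active/Active HA Mode topics, traced end to end in an added Python example that is not part of the guide: it picks the owner and the setup firewall for a first packet, decides whether the packet must cross the HA3 link, and then matches NAT rules while skipping any rule not bound to the owner's Device ID (including the survivor case where the duplicate-rule best practice matters). Two details are assumptions because the guide does not specify them: an even source address maps to Device ID 0 under IP modulo, and CRC32 stands in for the firewall's own IP hash; all addresses and rules are constructed.

```python
"""Trace a new session through active/active HA owner, setup and NAT selection.

Added example, not code from the guide. Assumptions, labelled inline: the
parity-to-Device-ID mapping for IP modulo and the hash used for IP hash.
"""
import ipaddress
import zlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    name: str
    translated_ip: str
    bound_to: str            # "0", "1", "both" or "primary" (active-primary firewall)


@dataclass(frozen=True)
class SessionTrace:
    owner: int               # Device ID that does Layer 7 work and logging
    setup: int               # Device ID that does Layer 2-4 setup and the NAT match
    over_ha3: bool           # True when the first packet must cross the HA3 link
    nat_rule: Optional[str]  # name of the matched rule, None if nothing applies


def choose_owner(first_packet_dev: int, active_primary: int, option: str) -> int:
    if option == "first-packet":
        return first_packet_dev
    if option == "primary-device":
        return active_primary
    raise ValueError(f"unknown session owner option: {option}")


def choose_setup(src: str, dst: str, first_packet_dev: int,
                 active_primary: int, owner_option: str, option: str) -> int:
    if owner_option == "primary-device":      # setup then defaults to Primary Device too
        return active_primary
    if option == "ip-modulo":                 # assumption: even address -> Device ID 0
        return int(ipaddress.ip_address(src)) % 2
    if option == "ip-hash":                   # assumption: CRC32 stands in for the real hash
        return zlib.crc32(f"{src}->{dst}".encode()) % 2
    if option == "primary-device":
        return active_primary
    if option == "first-packet":
        return first_packet_dev
    raise ValueError(f"unknown session setup option: {option}")


def rule_bound_to_owner(rule: NatRule, owner: int, active_primary: int) -> bool:
    if rule.bound_to == "both":
        return True
    if rule.bound_to == "primary":
        return owner == active_primary
    return int(rule.bound_to) == owner


def match_nat(rules: List[NatRule], owner: int, active_primary: int) -> Optional[NatRule]:
    """First rule in policy order that is bound to the session owner's Device ID."""
    for rule in rules:
        if rule_bound_to_owner(rule, owner, active_primary):
            return rule
    return None


def trace_first_packet(src: str, dst: str, first_packet_dev: int, active_primary: int,
                       owner_option: str, setup_option: str,
                       rules: List[NatRule]) -> SessionTrace:
    owner = choose_owner(first_packet_dev, active_primary, owner_option)
    setup = choose_setup(src, dst, first_packet_dev, active_primary, owner_option, setup_option)
    # The receiving firewall forwards over HA3 whenever the owner or the setup
    # role lives on the peer (the setup firewall returns the packet afterwards).
    over_ha3 = owner != first_packet_dev or setup != first_packet_dev
    rule = match_nat(rules, owner, active_primary)
    return SessionTrace(owner, setup, over_ha3, rule.name if rule else None)


# Constructed device-specific source NAT rules, one per Device ID, following the
# duplicate-rule best practice from the guide (same translated address on both).
DUPLICATE_RULES = [
    NatRule("snat-dev0", "203.0.113.10", "0"),
    NatRule("snat-dev1", "203.0.113.10", "1"),
]
# Without the duplicate, only a session owned by Device ID 1 can match anything.
SINGLE_RULE = [NatRule("snat-dev1", "203.0.113.10", "1")]


if __name__ == "__main__":
    # Recommended settings: First Packet owner, IP Modulo setup; Device ID 1 receives the packet.
    print(trace_first_packet("10.1.1.2", "198.51.100.5", 1, 0, "first-packet", "ip-modulo", DUPLICATE_RULES))
    # Survivor scenario: Device ID 1 has failed, so Device ID 0 owns every new session.
    print(trace_first_packet("10.1.1.2", "198.51.100.5", 0, 0, "first-packet", "first-packet", SINGLE_RULE))
```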

ECMP in Active/Active HA Mode
When an active/active HA peer fails, its sessions transfer to the new active-primary firewall, which tries to use the same egress interface that the failed firewall was using. If the firewall finds that interface among the ECMP paths, the transferred sessions will take the same egress interface and path. This behavior occurs regardless of the ECMP algorithm in use; using the same interface is desirable.
Only if no ECMP path matches the original egress interface will the active-primary firewall select a new ECMP path.
If you did not configure the same interfaces on the active/active peers, upon failover the active-primary firewall selects the next best path from the FIB table. Consequently, the existing sessions might not be distributed according to the ECMP algorithm.

Set Up Active/Passive HA

Prerequisites for Active/Passive HA

Configuration Guidelines for Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Verify Failover

Prerequisites for Active/Passive HA
To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:
The same model: Both the firewalls in the pair must be of the same hardware model or virtual machine model.
The same PAN-OS version: Both the firewalls should be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases.
The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.

Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.

The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.
As a best practice, if you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, Reset the Firewall to Factory Default Settings on the new firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean configuration.


Configuration Guidelines for Active/Passive HA

To set up an active (Peer A) passive (Peer B) pair in HA, you must configure some options identically on both firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized between the firewalls. For details on what is/is not synchronized, see Reference: HA Synchronization.

The following table lists the settings that you must configure identically on both firewalls:

Identical Configuration Settings

HA must be enabled on both firewalls.
Both firewalls must have the same Group ID value. The Group ID value is used to create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses.
When a new active firewall takes over, Gratuitous ARP messages are sent from each of the connected interfaces of the new active member to inform the connected Layer 2 switches of the virtual MAC address's new location.
If using in-band ports, the interfaces for the HA1 and HA2 links must be set to type HA.
The HA Mode must be set to Active Passive.
If required, preemption must be enabled on both firewalls. The device priority value, however, must not be identical.
If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether you should enable heartbeat backup:

HA1: Dedicated HA1 port
HA1 Backup: In-band port
Recommendation: Enable Heartbeat Backup

HA1: Dedicated HA1 port
HA1 Backup: Management port
Recommendation: Do not enable Heartbeat Backup

HA1: In-band port
HA1 Backup: In-band port
Recommendation: Enable Heartbeat Backup

HA1: Management port
HA1 Backup: In-band port
Recommendation: Do not enable Heartbeat Backup

HA functionality (HA1 and HA1 backup) is not supported on the management interface if it's configured for DHCP addressing (IP Type set to DHCP Client), except for AWS.

The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings that are not automatically synchronized between peers.

Independent Configuration Settings / Peer A / Peer B

Control Link
Peer A: IP address of the HA1 link configured on this firewall (Peer A).
Peer B: IP address of the HA1 link configured on this firewall (Peer B).
For firewalls without dedicated HA ports, use the management port IP address for the control link.


Data Link
The data link information is synchronized between the firewalls after HA is enabled and the control link is established between the firewalls.
Peer A: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (Peer A).
Peer B: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (Peer B).

Device Priority (required, if preemption is enabled)
Peer A: The firewall you plan to make active must have a lower numerical value than its peer. So, if Peer A is to function as the active firewall, keep the default value of 100 and increment the value on Peer B. If the firewalls have the same device priority value, they use the MAC address of their HA1 as the tiebreaker.
Peer B: If Peer B is passive, set the device priority value to a number larger than the setting on Peer A. For example, set the value to 110.

Link Monitoring
Monitor one or more physical interfaces that handle vital traffic on this firewall and define the failure condition.
Peer A: Select the physical interfaces on the firewall that you would like to monitor and define the failure condition (all or any) to trigger a failover.
Peer B: Pick a similar set of physical interfaces that you would like to monitor on this firewall and define the failure condition (all or any) to trigger a failover.

Path Monitoring
Monitor one or more destination IP addresses that the firewall can ping with ICMP to ascertain responsiveness.
Peer A: Define the failure condition (all or any), ping interval and the ping count. This is particularly useful for monitoring the availability of other interconnected networking devices. For example, monitor the availability of a router that connects to a server, connectivity to the server itself, or some other vital device that is in the flow of traffic. Make sure that the node/device that you are monitoring is not likely to be unresponsive, especially when it comes under load, as this could cause a path monitoring failure and trigger a failover.
Peer B: Pick a similar set of devices or destination IP addresses that can be monitored for determining the failover trigger for Peer B. Define the failure condition (all or any), ping interval and the ping count.


Configure Active/Passive HA

The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology.

Connect and Configure the Firewalls

Step 1: Connect the HA ports to set up a physical connection between the firewalls.
For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.

Pick a firewall in the pair and complete the following steps:

Step 2: Enable ping on the management port. Enabling ping allows the management port to exchange heartbeat backup information.
1. Select Device > Setup > Management and edit the Management Interface Settings.
2. Select Ping as a service that is permitted on the interface.

Step 3: If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For firewalls with dedicated HA ports continue to the next step.
1. Select Network > Interfaces.
2. Confirm that the link is up on the ports that you want to use.
3. Select the interface and set Interface Type to HA.
4. Set the Link Speed and Link Duplex settings, as appropriate.


Connect and Configure the Firewalls (Continued)

Step 4: Set the HA mode and group ID.
1. Select Device > High Availability > General and edit the Setup section.
2. Set a Group ID and optionally a Description for the pair. The Group ID uniquely identifies each HA pair on your network. If you have multiple HA pairs that share the same broadcast domain you must set a unique Group ID for each pair.
3. Set the mode to Active Passive.

Step 5: Set up the control link connection. This example shows an in-band port that is set to interface type HA. For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.
1. In Device > High Availability > General, edit the Control Link (HA1) section.
2. Select the Port that you have cabled for use as the HA1 link.
3. Set the IPv4/IPv6 Address and Netmask. If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected.

Step 6: (Optional) Enable encryption for the control link connection. This is typically used to secure the link if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router.
1. Export the HA key from one firewall and import it into the peer firewall.
   a. Select Device > Certificate Management > Certificates.
   b. Select Export HA key. Save the HA key to a network location that the peer can access.
   c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location that you saved the key and import it into the peer.
2. Select Device > High Availability > General, edit the Control Link (HA1) section.
3. Select Encryption Enabled.

Step 7: Set up the backup control link connection.
1. In Device > High Availability > General, edit the Control Link (HA1 Backup) section.
2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.

Connect and Configure the Firewalls (Continued)

Step 8: Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
1. In Device > High Availability > General, edit the Data Link (HA2) section.
2. Select the Port to use for the data link connection.
3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
5. Verify that Enable Session Synchronization is selected.
6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure occurs.
   You can configure the HA2 keep-alive option on both firewalls, or just one firewall in the HA pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive messages. The other firewall will be notified if a failure occurs.
7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.

Step 9: Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You do not need to enable heartbeat backup if you are using the management port for the control link.
1. In Device > High Availability > General, edit the Election Settings.
2. Select Heartbeat Backup. To allow the heartbeats to be transmitted between the firewalls, you must verify that the management port across both peers can route to each other.
   Enabling heartbeat backup also allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes that the other is down and attempts to start services that are running, thereby causing a split brain. When the heartbeat backup link is enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted over the management port.


Connect and Configure the Firewalls (Continued)

Step 10: Set the device priority and enable preemption. This setting is only required if you wish to make sure that a specific firewall is the preferred active firewall. For information, see Device Priority and Preemption.
1. In Device > High Availability > General, edit the Election Settings.
2. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the firewall that you want to assign a higher priority to.
   If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active firewall.
3. Select Preemptive. You must enable preemptive on both the active firewall and the passive firewall.

Step 11: (Optional) Modify the HA Timers. By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.
1. In Device > High Availability > General, edit the Election Settings.
2. Select the Aggressive profile for triggering failover faster; select Advanced to define custom values for triggering failover in your setup.
   To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.

Step 12: (Optional, only configured on the passive firewall) Modify the link status of the HA ports on the passive firewall.
The passive link state is shutdown, by default. After you enable HA, the link state for the HA ports on the active firewall will be green and those on the passive firewall will be down and display as red.
Setting the link state to Auto reduces the amount of time it takes for the passive firewall to take over when a failover occurs, and it allows you to monitor the link state.
To enable the link status on the passive firewall to stay up and reflect the cabling status on the physical interface:
1. In Device > High Availability > General, edit the Active Passive Settings.
2. Set the Passive Link State to Auto.
   The auto option decreases the amount of time it takes for the passive firewall to take over when a failover occurs. Although the interface displays green (as cabled and up) it continues to discard all traffic until a failover is triggered.
   When you modify the passive link state, make sure that the adjacent devices do not forward traffic to the passive firewall based only on the link status of the firewall.


Connect and Configure the Firewalls (Continued)

Step 13: Enable HA.
1. Select Device > High Availability > General and edit the Setup section.
2. Select Enable HA.
3. Select Enable Config Sync. This setting enables the synchronization of the configuration settings between the active and the passive firewall.
4. Enter the IP address assigned to the control link of the peer in Peer HA1 IP Address. For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link, enter the management port IP address of the peer.
5. Enter the Backup HA1 IP Address.

Step 14: (Optional) Enable LACP and LLDP Pre-Negotiation for Active/Passive HA for faster failover if your network uses LACP or LLDP.
Enable LACP and LLDP before configuring HA pre-negotiation for the protocol if you want pre-negotiation to function in active mode.
1. Ensure that in Step 12 you set the link state to Auto.
2. Select Network > Interfaces > Ethernet.
3. To enable LACP active pre-negotiation:
   a. Select an AE interface in a Layer 2 or Layer 3 deployment.
   b. Select the LACP tab.
   c. Select Enable in HA Passive State.
   d. Click OK.
   You cannot also select Same System MAC Address for Active-Passive HA because pre-negotiation requires unique interface MAC addresses on the active and passive firewalls.
4. To enable LACP passive pre-negotiation:
   a. Select an Ethernet interface in a virtual wire deployment.
   b. Select the Advanced tab.
   c. Select the LACP tab.
   d. Select Enable in HA Passive State.
   e. Click OK.
5. To enable LLDP active pre-negotiation:
   a. Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment.
   b. Select the Advanced tab.
   c. Select the LLDP tab.
   d. Select Enable in HA Passive State.
   e. Click OK.
   If you want to allow LLDP passive pre-negotiation for a virtual wire deployment, perform Step 5 but do not enable LLDP itself.

Step 15: Save your configuration changes. Click Commit.

Step 16: Complete Step 2 through Step 15 on the other firewall in the HA pair.


Connect and Configure the Firewalls (Continued)

Step 17: After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
1. Access the Dashboard on both firewalls, and view the High Availability widget.
2. On the active firewall, click the Sync to peer link.
3. Confirm that the firewalls are paired and synced, as shown below:
   On the active firewall: The state of the local firewall should display active and the Running Config should show as synchronized.
   On the passive firewall: The state of the local firewall should display passive and the Running Config should show as synchronized.

Define HA Failover Conditions

Configure the Failover Triggers

Step 1: To configure link monitoring, define the interfaces you want to monitor. A change in the link state of these interfaces will trigger a failover.
1. Select Device > High Availability > Link and Path Monitoring and Add a Link Group.
2. Name the Link Group, Add the interfaces to monitor, and select the Failure Condition for the group. The Link group you define is added to the Link Group section.

Step 2: (Optional) Modify the failure condition for the Link Groups that you configured (in the preceding step) on the firewall. By default, the firewall will trigger a failover when any monitored link fails.
1. Select the Link Monitoring section.
2. Set the Failure Condition to All. The default setting is Any.

Step 3: To configure path monitoring, define the destination IP addresses that the firewall should ping to verify network connectivity.
1. In the Path Group section of the Device > High Availability > Link and Path Monitoring tab, pick the Add option for your set up: Virtual Wire, VLAN, or Virtual Router.
2. Select the appropriate item from the drop-down for the Name and Add the IP addresses (source and/or destination, as prompted) that you wish to monitor. Then select the Failure Condition for the group. The path group you define is added to the Path Group section.

Step 4: (Optional) Modify the failure condition for all Path Groups configured on the firewall. By default, the firewall will trigger a failover when any monitored path fails.
Set the Failure Condition to All. The default setting is Any.

Step 5: Save your changes. Click Commit.

If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is unique to each firewall; the Engine ID is not synchronized between the HA pair and, therefore, allows you to independently monitor each firewall in the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager.
Because the Engine ID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique Engine ID for each firewall.
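The following is an added example, not part of the guide, that models how the Link Group and Path Group failure conditions (Any versus All) described in Steps 1 through 4 above combine into a failover decision. Interface names, destination addresses and ping results are constructed sample data, and the rule that a destination counts as unreachable once the last `ping_count` pings have all failed is an assumption of this model (the guide defines the ping interval and ping count but not the exact counting rule).

```python
"""
Model of HA link and path monitoring failure conditions (added example,
not code from the PAN-OS guide).

Rules, as the guide states them:
  * a Link Group lists monitored interfaces and a Failure Condition:
    'any' (default) fails the group when any monitored link is down,
    'all' only when every monitored link is down;
  * a Path Group lists destination IPs the firewall pings; its Failure
    Condition works the same way over unreachable destinations;
  * Link Monitoring and Path Monitoring each have a top-level Failure
    Condition ('any' by default) that combines their groups;
  * a failure from either monitor triggers a failover.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class MonitorGroup:
    name: str
    members: List[str]              # interface names or destination IPs
    failure_condition: str = "any"  # 'any' or 'all'


def group_failed(group: MonitorGroup, member_down: Dict[str, bool]) -> bool:
    """Apply the group's Failure Condition to the current member states."""
    states = [member_down.get(m, False) for m in group.members]
    if not states:
        return False
    return all(states) if group.failure_condition == "all" else any(states)


def monitoring_failed(groups: List[MonitorGroup], member_down: Dict[str, bool],
                      failure_condition: str = "any") -> bool:
    """Top-level Link Monitoring / Path Monitoring condition across groups."""
    results = [group_failed(g, member_down) for g in groups]
    if not results:
        return False
    return all(results) if failure_condition == "all" else any(results)


def path_down_from_pings(ping_results: List[bool], ping_count: int) -> bool:
    """
    Assumption of this model: a destination is down once the most recent
    `ping_count` pings (True = reply received) have all failed.
    """
    if len(ping_results) < ping_count:
        return False
    return not any(ping_results[-ping_count:])


def should_fail_over(link_groups: List[MonitorGroup], link_up: Dict[str, bool],
                     link_condition: str, path_groups: List[MonitorGroup],
                     ping_log: Dict[str, List[bool]], ping_count: int,
                     path_condition: str) -> bool:
    """True when link monitoring or path monitoring declares a failure."""
    link_down = {iface: not up for iface, up in link_up.items()}
    dest_down = {ip: path_down_from_pings(r, ping_count) for ip, r in ping_log.items()}
    return (monitoring_failed(link_groups, link_down, link_condition)
            or monitoring_failed(path_groups, dest_down, path_condition))


def sample_scenario():
    """Constructed scenario: two uplinks in an 'all' link group, one path group."""
    link_groups = [MonitorGroup("uplinks", ["ethernet1/1", "ethernet1/2"], "all")]
    path_groups = [MonitorGroup("core-routers", ["192.0.2.1", "192.0.2.2"], "any")]
    healthy_pings = {"192.0.2.1": [True] * 5, "192.0.2.2": [True] * 5}
    # 1: one uplink down, all paths answering -> no failover ('all' needs both down)
    one_link_down = should_fail_over(
        link_groups, {"ethernet1/1": False, "ethernet1/2": True}, "any",
        path_groups, healthy_pings, 3, "any")
    # 2: links fine, but 192.0.2.2 missed the last three pings -> failover
    path_lost = should_fail_over(
        link_groups, {"ethernet1/1": True, "ethernet1/2": True}, "any",
        path_groups, {"192.0.2.1": [True] * 5,
                      "192.0.2.2": [True, True, False, False, False]}, 3, "any")
    return one_link_down, path_lost


if __name__ == "__main__":
    print(sample_scenario())  # (False, True)
```

The second scenario is the case the guide warns about: a monitored device that stops answering under load will trip a path group even though every link is up, so choose destinations that stay responsive.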


Verify Failover

To test that your HA configuration works properly, trigger a manual failover and verify that the firewalls transition states successfully.

Verify Failover

Step 1: Suspend the active firewall.
Select Device > High Availability > Operational Commands and click the Suspend local device link.

Step 2: Verify that the passive firewall has taken over as active.
On the Dashboard, verify that the state of the passive firewall changes to active in the High Availability widget.

Step 3: Restore the suspended firewall to a functional state. Wait for a couple of minutes, and then verify that preemption has occurred, if Preemptive is enabled.
1. On the firewall you previously suspended, select Device > High Availability > Operational Commands and click the Make local device functional link.
2. In the High Availability widget on the Dashboard, confirm that the firewall has taken over as the active firewall and that the peer is now in a passive state.
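The following is an added example, not from the guide, that models the election rules from Step 10 (Device Priority, Preemptive, HA1 MAC tie-breaker) and replays the Verify Failover drill above: suspend the active peer, restore it, and check whether preemption hands the active role back. Peer names and HA1 MAC addresses are constructed sample values.

```python
"""
Model of active/passive HA election (added example, not code from the
PAN-OS guide).

Rules, as the guide states them:
  * a lower Device Priority value means higher priority (default 100);
  * with equal priorities, the peer with the lowest MAC address on its
    HA1 control link becomes active;
  * preemption happens only if Preemptive is enabled on BOTH firewalls;
  * without preemption, a restored peer stays passive until the current
    active firewall fails or is suspended.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HaPeer:
    name: str
    priority: int            # Device Priority, lower value wins
    ha1_mac: str             # MAC of the HA1 control link (tie-breaker)
    preemptive: bool         # Preemptive checkbox in Election Settings
    functional: bool = True  # False once suspended or failed


def _mac_to_int(mac: str) -> int:
    """Turn 'aa:bb:cc:dd:ee:ff' into an int so MACs compare numerically."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def preferred_peer(a: HaPeer, b: HaPeer) -> HaPeer:
    """The peer that wins an election when both are healthy and eligible."""
    # Lowest priority value first; lowest HA1 MAC breaks a tie.
    return min((a, b), key=lambda p: (p.priority, _mac_to_int(p.ha1_mac)))


def elect_active(a: HaPeer, b: HaPeer,
                 current_active: Optional[HaPeer]) -> Optional[HaPeer]:
    """
    Decide which peer is active after a state change. current_active is
    the peer that held the role before the change (None for the initial
    election). Returns None if neither peer is functional.
    """
    healthy = [p for p in (a, b) if p.functional]
    if not healthy:
        return None
    if len(healthy) == 1:
        # Failover: the surviving peer takes over regardless of priority.
        return healthy[0]
    if current_active is None:
        return preferred_peer(a, b)
    # Both functional and one is already active: the preferred peer takes
    # over only when preemption is enabled on both firewalls.
    if a.preemptive and b.preemptive:
        return preferred_peer(a, b)
    return current_active


def failover_drill(a: HaPeer, b: HaPeer) -> List[Tuple[str, str]]:
    """Replay Verify Failover: suspend the active peer, then restore it."""
    history = []
    active = elect_active(a, b, None)
    history.append(("initial", active.name))
    active.functional = False                 # Suspend local device
    active = elect_active(a, b, active)
    history.append(("suspended", active.name))
    for p in (a, b):
        p.functional = True                   # Make local device functional
    active = elect_active(a, b, active)
    history.append(("restored", active.name))
    return history


if __name__ == "__main__":
    # Constructed sample pair: Peer A keeps the default 100, Peer B is set to 110.
    peer_a = HaPeer("PeerA", 100, "00:1b:17:00:00:02", preemptive=True)
    peer_b = HaPeer("PeerB", 110, "00:1b:17:00:00:01", preemptive=True)
    print(failover_drill(peer_a, peer_b))
    # [('initial', 'PeerA'), ('suspended', 'PeerB'), ('restored', 'PeerA')]
```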


Set Up Active/Active HA

Prerequisites for Active/Active HA
Configure Active/Active HA

Prerequisites for Active/Active HA

To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following requirements:

The same model: The firewalls in the pair must be of the same hardware model.

The same PAN-OS version: The firewalls should be running the same PAN-OS version and must each be up to date on the application, URL, and threat databases.

The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.

The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
   The HA interfaces must be configured with static IP addresses only, not IP addresses obtained from DHCP (except AWS can use DHCP addresses). Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for the peers must be on the same subnet if they are directly connected or are connected to the same switch.
   For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
   If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
   Each firewall needs a dedicated interface for the HA3 link. PA-7000 Series firewalls use the HSCI port. On the remaining platforms, you can configure aggregate interfaces as the HA3 link for redundancy.

The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.
   If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the new firewall. This will ensure that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean config. You will also have to configure local IP addresses.


Configure Active/Active HA

Determine which type of use case you have and then select the corresponding procedure to configure active/active HA. If you are using Route-Based Redundancy, Floating IP Address and Virtual MAC Address, or ARP Load-Sharing, select the corresponding procedure:

Use Case: Configure Active/Active HA with Route-Based Redundancy
Use Case: Configure Active/Active HA with Floating IP Addresses
Use Case: Configure Active/Active HA with ARP Load-Sharing

If you want a Layer 3 active/active HA deployment that behaves like an active/passive deployment, select the following procedure:

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

If you are configuring NAT in Active/Active HA Mode, see the following procedures:

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

Configure Active/Active HA

Step 1: Connect the HA ports to set up a physical connection between the firewalls.
For each use case, the firewalls could be any hardware platform; choose the HA3 step that corresponds with your platform.
For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
For HA3:
   On PA-7000 Series firewalls, connect the High Speed Chassis Interconnect (HSCI-A) on the first chassis to the HSCI-A on the second chassis, and the HSCI-B on the first chassis to the HSCI-B on the second chassis.
   On any other hardware platform, use dataplane interfaces for HA3.

Pick a firewall in the pair and complete the following steps:

Step 2: Enable ping on the management port. Enabling ping allows the management port to exchange heartbeat backup information.
1. In Device > Setup > Management, edit Management Interface Settings.
2. Select Ping as a service that is permitted on the interface.


Configure Active/Active HA (Continued)

Step 3: If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For firewalls with dedicated HA ports continue to the next step.
1. Select Network > Interfaces.
2. Confirm that the link is up on the ports that you want to use.
3. Select the interface and set Interface Type to HA.
4. Set the Link Speed and Link Duplex settings, as appropriate.

Step 4: Enable active/active HA and set the group ID.
1. In Device > High Availability > General, edit Setup.
2. Select Enable HA.
3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
4. (Optional) Enter a Description.
5. For Mode, select Active Active.

Step 5: Set the Device ID, enable synchronization, and identify the control link on the peer firewall.
1. In Device > High Availability > General, edit Setup.
2. Select Device ID to be 0.
3. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
4. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
5. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
6. Click OK.

Step 6: Determine whether or not the firewall with the lower Device ID preempts the active-primary firewall upon recovery from a failure.
1. In Device > High Availability > General, edit Election Settings.
2. Select Preemptive to cause the firewall with the lower Device ID to automatically resume active-primary operation after either firewall recovers from a failure. Both firewalls must have Preemptive selected for preemption to occur.
   Leave Preemptive unselected if you want the active-primary role to remain with the current firewall until you manually make the recovered firewall the active-primary firewall.

Step 7: Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You need not enable heartbeat backup if you are using the management port for the control link.
1. In Device > High Availability > General, edit Election Settings.
2. Select Heartbeat Backup. To allow the heartbeats to be transmitted between the firewalls, you must verify that the management port across both peers can route to each other.
   Enabling heartbeat backup allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes the other is down and attempts to start services that are running, thereby causing a split brain. Enabling heartbeat backup prevents split brain because redundant heartbeats and hello messages are transmitted over the management port.


Configure Active/Active HA (Continued)

Step 8: (Optional) Modify the HA Timers. By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.
1. In Device > High Availability > General, edit Election Settings.
2. Select Aggressive to trigger faster failover. Select Advanced to define custom values for triggering failover in your setup.
   To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.

Step 9: Set up the control link connection. This example uses an in-band port that is set to interface type HA. For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.
1. In Device > High Availability > General, edit Control Link (HA1).
2. Select the Port that you have cabled for use as the HA1 link.
3. Set the IPv4/IPv6 Address and Netmask. If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected.

Step 10: (Optional) Enable encryption for the control link connection. This is typically used to secure the link if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router.
1. Export the HA key from one firewall and import it into the peer firewall.
   a. Select Device > Certificate Management > Certificates.
   b. Select Export HA key. Save the HA key to a network location that the peer can access.
   c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location that you saved the key and import it into the peer.
2. In Device > High Availability > General, edit the Control Link (HA1).
3. Select Encryption Enabled.

Step 11: Set up the backup control link connection.
1. In Device > High Availability > General, edit Control Link (HA1 Backup).
2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.


Configure Active/Active HA (Continued)

Step 12: Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
1. In Device > High Availability > General, edit Data Link (HA2).
2. Select the Port to use for the data link connection.
3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
5. Verify that Enable Session Synchronization is selected.
6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure occurs.
   You can configure the HA2 keep-alive option on both firewalls, or just one firewall in the HA pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive messages. The other firewall will be notified if a failure occurs.
7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.
8. Click OK.

Step 13: Configure the HA3 link for packet forwarding.
1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
2. For HA3 Interface, select the interface you want to use to forward packets between active/active HA peers. It must be a dedicated interface capable of Layer 2 transport and set to Interface Type HA.
3. Select VR Sync to force synchronization of all virtual routers configured on the HA peers. Select when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.
4. Select QoS Sync to synchronize the QoS profile selection on all physical interfaces. Select when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.

Step 14: (Optional) Modify the Tentative Hold time.
1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
2. For Tentative Hold Time (sec), enter the number of seconds that a firewall stays in Tentative state after it fails (range is 10-600, default is 60).


Configure Active/Active HA (Continued)

Step 15: Configure Session Owner and Session Setup.
1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
2. For Session Owner Selection, select one of the following:
   First Packet: The firewall that receives the first packet of a new session is the session owner (recommended setting). This setting minimizes traffic across HA3 and load shares traffic across peers.
   Primary Device: The firewall that is in active-primary state is the session owner.
3. For Session Setup, select one of the following:
   IP Modulo: Distributes session setup load based on parity of the source IP address (recommended setting).
   Primary Device: The active-primary firewall sets up all sessions.
   First Packet: The firewall that receives the first packet of a new session performs session setup.
   IP Hash: The firewall uses a hash of either the source IP address or a combination of the source and destination IP addresses to distribute session setup responsibilities.
4. Click OK.

Step 16: Configure an HA virtual address. You need a virtual address to use a Floating IP Address and Virtual MAC Address or ARP Load-Sharing.
1. In Device > High Availability > Active/Active Config, Add a Virtual Address.
2. Enter or select an Interface.
3. Select the IPv4 or IPv6 tab and click Add.
4. Enter an IPv4 Address or IPv6 Address.
5. For Type:
   Select Floating to configure the virtual IP address to be a floating IP address.
   Select ARP Load Sharing to configure the virtual IP address to be a shared IP address and proceed to Step 18.

Step 17: Configure the floating IP address.
1. Do not select Floating IP bound to the Active-Primary device unless you want the active/active HA pair to behave like an active/passive HA pair.
2. For Device 0 Priority and Device 1 Priority, enter a priority for the firewall configured with Device ID 0 and Device ID 1, respectively. The relative priorities determine which peer owns the floating IP address you just configured (range is 0-255). The firewall with the lowest priority value (highest priority) owns the floating IP address.
3. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
4. Click OK.


Configure Active/Active HA (Continued)

Step 18: Configure ARP Load-Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
1. For Device Selection Algorithm, select one of the following:
   IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
   IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's IP address.
2. Click OK.

Step 19: Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
Switch ports that connect the HA3 link must support jumbo frames to handle the overhead associated with the MAC-in-MAC encapsulation on the HA3 link. The jumbo frame packet size on the firewall must match the setting on the switch.
1. Select Device > Setup > Session.
2. In the Session Settings section, select Enable Jumbo Frames.
3. Click OK.
4. Repeat on any intermediary networking devices.

Step 20: Define HA failover conditions. See Define HA Failover Conditions.

Step 21: Save the configuration. Click Commit.

Step 22: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
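The following is an added example, not from the guide, that models the active/active distribution rules from Step 15 (Session Setup), Step 17 (floating IP ownership by Device 0/Device 1 Priority with failover on link down) and Step 18 (ARP Load-Sharing device selection). The guide names IP Modulo as parity of the IP address and IP Hash as a hash of the source (or source plus destination) address but does not specify the hash function, the parity-to-Device-ID mapping or the tie rule for equal priorities; this model uses CRC32, even = Device 0, and Device 0 on a tie, all labelled as assumptions. Addresses and priorities are constructed sample values.

```python
"""
Model of active/active HA load distribution and floating IP ownership
(added example, not code from the PAN-OS guide).
"""
import ipaddress
import zlib
from typing import Dict, Iterable, Optional


def ip_modulo_device(ip: str) -> int:
    """IP Modulo: Device ID chosen by the parity of the address.
    Assumption: even address -> Device 0, odd address -> Device 1."""
    return int(ipaddress.ip_address(ip)) % 2


def ip_hash_device(src: str, dst: Optional[str] = None) -> int:
    """IP Hash: Device ID from a hash of the source, or source+destination.
    Assumption: CRC32 stands in for the firewall's unspecified hash."""
    key = src if dst is None else f"{src}->{dst}"
    return zlib.crc32(key.encode()) % 2


def session_setup_device(policy: str, src: str, dst: str,
                         first_packet_device: int, active_primary: int = 0) -> int:
    """Which peer performs session setup under each Session Setup option."""
    if policy == "ip-modulo":
        return ip_modulo_device(src)
    if policy == "ip-hash":
        return ip_hash_device(src, dst)
    if policy == "first-packet":
        return first_packet_device
    if policy == "primary-device":
        return active_primary
    raise ValueError(f"unknown Session Setup option: {policy}")


def arp_responder(algorithm: str, requester_ip: str) -> int:
    """ARP Load-Sharing device selection for an ARP request from requester_ip."""
    if algorithm == "ip-modulo":
        return ip_modulo_device(requester_ip)
    if algorithm == "ip-hash":
        return ip_hash_device(requester_ip)
    raise ValueError(f"unknown Device Selection Algorithm: {algorithm}")


def floating_ip_owner(device0_priority: int, device1_priority: int,
                      link_up: Dict[int, bool], failover_if_link_down: bool) -> int:
    """
    Device ID that owns a floating IP: the lowest priority value (0-255)
    wins. With 'Failover address if link state is down' set, a down link
    on the owner's interface hands the address to the peer.
    Assumption: equal priorities resolve to Device 0.
    """
    for p in (device0_priority, device1_priority):
        if not 0 <= p <= 255:
            raise ValueError("priority must be in the range 0-255")
    owner = 0 if device0_priority <= device1_priority else 1
    if failover_if_link_down and not link_up.get(owner, True):
        owner = 1 - owner
    return owner


def distribute(policy: str, src_ips: Iterable[str],
               dst: str = "198.51.100.10") -> Dict[int, int]:
    """Count how many session setups each Device ID receives for src_ips."""
    counts = {0: 0, 1: 0}
    for src in src_ips:
        counts[session_setup_device(policy, src, dst, first_packet_device=0)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample hosts: consecutive addresses alternate parity.
    hosts = [f"10.0.0.{n}" for n in range(1, 9)]
    print(distribute("ip-modulo", hosts))       # {0: 4, 1: 4}
    print(distribute("primary-device", hosts))  # {0: 8, 1: 0}
    # Device 0 owns the floating IP until its interface link goes down.
    print(floating_ip_owner(100, 110, {0: False, 1: True}, True))  # 1
```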


Use Case: Configure Active/Active HA with Route-Based Redundancy

The following Layer 3 topology illustrates two PA-7050 firewalls in an active/active HA environment that use Route-Based Redundancy. The firewalls belong to an OSPF area. When a link or firewall fails, OSPF handles the redundancy by redirecting traffic to the functioning firewall.

Configure Active/Active HA with Route-Based Redundancy

Step 1: Perform Step 1 through Step 15 of Configure Active/Active HA.

Step 2: Configure OSPF. See OSPF.

Step 3: Define HA failover conditions. See Define HA Failover Conditions.

Step 4: Save the configuration. Click Commit.

Step 5: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.


Use Case: Configure Active/Active HA with Floating IP Addresses
In this Layer 3 interface example, the HA firewalls connect to switches and use floating IP addresses to handle link or firewall failures. The end hosts are each configured with a gateway, which is the floating IP address of one of the HA firewalls. See Floating IP Address and Virtual MAC Address.

Configure Active/Active HA with Floating IP Addresses
Step 1  Perform Step 1 through Step 15 of Configure Active/Active HA.

Step 2  Configure an HA virtual address.
        You need a virtual address to use a Floating IP Address and Virtual MAC Address.
  1. In Device > High Availability > Active/Active Config, Add a Virtual Address.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.
  4. Enter an IPv4 Address or IPv6 Address.
  5. For Type, select Floating to configure the virtual IP address to be a floating IP address.

Step 3  Configure the floating IP address.
  1. Do not select Floating IP bound to the Active-Primary device.
  2. For Device 0 Priority and Device 1 Priority, enter a priority for the firewall configured with Device ID 0 and Device ID 1, respectively. The relative priorities determine which peer owns the floating IP address you just configured (range is 0-255). The firewall with the lowest priority value (highest priority) owns the floating IP address.
  3. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
  4. Click OK.

Step 4  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
        Perform Step 19 of Configure Active/Active HA.

Step 5  Define HA failover conditions.
        See Define HA Failover Conditions.

Step 6  Save the configuration.
        Click Commit.

Step 7  Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

Use Case: Configure Active/Active HA with ARP Load Sharing
In this example, hosts in a Layer 3 deployment need gateway services from the HA firewalls. The firewalls are configured with a single shared IP address, which allows ARP Load Sharing. The end hosts are configured with the same gateway, which is the shared IP address of the HA firewalls.

Configure Active/Active HA with ARP Load Sharing
Step 1  Perform Step 1 through Step 15 of Configure Active/Active HA.

Step 2  Configure an HA virtual address.
        The virtual address is the shared IP address that allows ARP Load Sharing.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.
  4. Enter an IPv4 Address or IPv6 Address.
  5. For Type, select ARP Load Sharing, which allows both peers to use the virtual IP address for ARP Load Sharing.

Step 3  Configure ARP Load Sharing.
        The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1. For Device Selection Algorithm, select one of the following:
     - IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
     - IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's IP address.
  2. Click OK.

Step 4  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
        Perform Step 19 of Configure Active/Active HA.

Step 5  Define HA failover conditions.
        See Define HA Failover Conditions.

Step 6  Save the configuration.
        Click Commit.

Step 7  Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
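The Device Selection Algorithm chosen in Step 18 of Configure Active/Active HA and in Step 3 of this use case decides which peer answers an ARP request for the shared address; the following added example (not PAN-OS code) models IP Modulo and IP Hash so you can see how a set of LAN hosts splits across Device ID 0 and Device ID 1, and what happens when one peer is down. It assumes that "parity" means the low bit of the 32-bit IPv4 address and that the hash is a CRC32 of the packed address(es); the firewall's real hash function is not documented on this page, and the optional destination address covers the Layer 3 destination NAT use case later in this section, which hashes source and destination IP together.

```python
# Added example, not PAN-OS code: models the ARP Load Sharing device
# selection algorithm (IP Modulo / IP Hash) described in this section.
# Assumptions: "parity" is the low bit of the 32-bit IPv4 address, and the
# hash is CRC32 of the packed address(es); PAN-OS's real hash is not on the page.
import ipaddress
import zlib
from collections import Counter
from typing import Iterable, Optional, Sequence

DEVICE_IDS = (0, 1)  # an active/active pair has Device ID 0 and Device ID 1


def ip_modulo(requester_ip: str) -> int:
    """IP Modulo: the responding Device ID follows the parity of the requester's IP."""
    return int(ipaddress.IPv4Address(requester_ip)) & 1


def ip_hash(requester_ip: str, destination_ip: Optional[str] = None) -> int:
    """IP Hash: a hash of the requester's IP selects the Device ID.

    The Layer 3 destination NAT use case hashes the requester's source and
    destination IP together, which is what destination_ip is for.
    """
    data = ipaddress.IPv4Address(requester_ip).packed
    if destination_ip is not None:
        data += ipaddress.IPv4Address(destination_ip).packed
    return zlib.crc32(data) & 1  # assumption: CRC32, reduced to one of two peers


def responding_device(algorithm: str, requester_ip: str,
                      destination_ip: Optional[str] = None,
                      available: Sequence[int] = DEVICE_IDS) -> Optional[int]:
    """Return the Device ID that answers the ARP request for the shared IP.

    `available` lists the peers currently able to answer. If the algorithm
    picks a peer that is down, the surviving peer answers; modelling that as a
    plain fallback is an assumption of this example, not a PAN-OS detail.
    """
    if algorithm == "IP Modulo":
        chosen = ip_modulo(requester_ip)
    elif algorithm == "IP Hash":
        chosen = ip_hash(requester_ip, destination_ip)
    else:
        raise ValueError(f"unknown Device Selection Algorithm: {algorithm!r}")
    if chosen in available:
        return chosen
    others = [d for d in DEVICE_IDS if d in available]
    return others[0] if others else None


def load_split(algorithm: str, requester_ips: Iterable[str],
               available: Sequence[int] = DEVICE_IDS) -> Counter:
    """Count how many ARP requesters each Device ID would answer."""
    return Counter(responding_device(algorithm, ip, available=available)
                   for ip in requester_ips)


if __name__ == "__main__":
    # Constructed sample: 20 hosts on 192.168.1.0/24 using the shared gateway IP.
    hosts = [f"192.168.1.{n}" for n in range(1, 21)]
    for algo in ("IP Modulo", "IP Hash"):
        print(algo, dict(load_split(algo, hosts)))
    print("Device ID 1 down:", dict(load_split("IP Modulo", hosts, available=(0,))))
```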

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
In mission-critical data centers, you may want both Layer 3 HA firewalls to participate in path monitoring so that they can detect path failures upstream from both firewalls. Additionally, you may prefer to control if and when the floating IP address returns to the recovered firewall after it comes back up, rather than the floating IP address returning to the Device ID to which it is bound. (That default behavior is described in Floating IP Address and Virtual MAC Address.)
In this use case, you control when the floating IP address, and therefore the active-primary role, moves back to a recovered HA peer. The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.
In this use case, Cisco Nexus 7010 switches with virtual PortChannels (vPCs) operating in Layer 3 connect to the firewalls. You must configure the Layer 3 switches (router peers) north and south of the firewalls with a route preference to the floating IP address. That is, you must design your network so the route tables of the router peers have the best path to the floating IP address. This example uses static routes with the proper metrics so that the route to the floating IP address uses a lower metric (the route to the floating IP address is preferred) and receives the traffic. An alternative to using static routes would be to design the network to redistribute the floating IP address into the OSPF routing protocol (if you are using OSPF).

The following topology illustrates the floating IP address bound to the active-primary firewall, which is initially Peer A, the firewall on the left.

Upon a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B (shown in the following figure). Peer B remains the active-primary firewall and traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary firewall. You decide if and when to make Peer A the active-primary firewall again.

Binding the floating IP address to the active-primary firewall provides you with more control over how the firewalls determine floating IP address ownership as they move between various HA Firewall States. The following advantages result:

- You can have an active/active HA configuration for path monitoring out of both firewalls, but have the firewalls function like an active/passive HA configuration because traffic directed to the floating IP address always goes to the active-primary firewall.

When you disable preemption on both firewalls, you have the following additional benefits:

- The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
- You can review the functionality of the recovered firewall and the adjacent components before manually directing traffic to it again, which you can do at a convenient downtime.
- You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.

We strongly recommend you configure HA link monitoring on the interface(s) that support the floating IP address(es) to allow each HA peer to quickly detect a link failure and fail over to its peer. Both HA peers must have link monitoring for it to function.
We strongly recommend you configure HA path monitoring to notify each HA peer when a path has failed so a firewall can fail over to its peer. Because the floating IP address is always bound to the active-primary firewall, the firewall cannot automatically fail over to the peer when a path goes down and path monitoring is not enabled.

You cannot configure NAT for a floating IP address that is bound to an active-primary firewall.

Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
Step 1  Perform Step 1 through Step 5 of Configure Active/Active HA.

Step 2  (Optional) Disable preemption.
        Disabling preemption allows you full control over when the recovered firewall becomes the active-primary firewall.
  1. In Device > High Availability > General, edit the Election Settings.
  2. Clear Preemptive if it is enabled.
  3. Click OK.

Step 3  Perform Step 7 through Step 14 of Configure Active/Active HA.

Step 4  Configure Session Owner and Session Setup.
  1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  2. For Session Owner Selection, we recommend you select Primary Device. The firewall that is in active-primary state is the session owner.
     Alternatively, for Session Owner Selection you can select First Packet and then for Session Setup, select Primary Device or First Packet.
  3. For Session Setup, select Primary Device: the active-primary firewall sets up all sessions. This is the recommended setting if you want your active/active configuration to behave like an active/passive configuration because it keeps all activity on the active-primary firewall.
     You must also engineer your network to eliminate the possibility of asymmetric traffic going to the HA pair. If you don't do so and traffic goes to the active-secondary firewall, setting Session Owner Selection and Session Setup to Primary Device causes the traffic to traverse HA3 to get to the active-primary firewall for session ownership and session setup.
  4. Click OK.

Step 5  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and Add an IPv4 Address or IPv6 Address.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
  5. Click OK.

Step 6  Bind the floating IP address to the active-primary firewall.
  1. Select Floating IP bound to the Active-Primary device.
  2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
  3. Click OK.

Step 7  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
        Perform Step 19 of Configure Active/Active HA.

Step 8  Save the configuration.
        Click Commit.

Step 9  Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
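To see the difference between the priority-based floating IP of Use Case: Configure Active/Active HA with Floating IP Addresses and the floating IP bound to the active-primary firewall in this use case, the following added example (not PAN-OS code) walks one address through a peer failure, its recovery and an administrative move of the active-primary role, with preemption on and off. It assumes that the priority-based address returns to the peer with the lower priority value as soon as that peer is eligible again (the default behavior this section refers to), and that with preemption enabled the peer named as preferred_primary regains the active-primary role on recovery; the election Device Priority that decides this in PAN-OS is configured outside this section.

```python
# Added example, not PAN-OS code: models floating IP address ownership in an
# active/active pair under the two ownership modes this section describes.
#  - priority-based: the eligible peer with the lowest Device N Priority value
#    (range 0-255) owns the address;
#  - bound to the active-primary firewall: the address follows the
#    active-primary role, and with Preemptive cleared a recovered peer does not
#    take the role back until an administrator moves it.
# Assumption: with preemption enabled, the peer in `preferred_primary` regains
# the active-primary role when it recovers (election priority is not on this page).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Peer:
    device_id: int
    fip_priority: int       # Device 0 Priority / Device 1 Priority for the floating IP
    up: bool = True         # the firewall itself is functioning
    link_up: bool = True    # link state of the interface carrying the floating IP


class FloatingIP:
    def __init__(self, address: str, peers: List[Peer], bound_to_active_primary: bool,
                 failover_on_link_down: bool = True, preemptive: bool = True,
                 preferred_primary: int = 0):
        self.address = address
        self.peers: Dict[int, Peer] = {p.device_id: p for p in peers}
        self.bound_to_active_primary = bound_to_active_primary   # "Floating IP bound to the Active-Primary device"
        self.failover_on_link_down = failover_on_link_down       # "Failover address if link state is down"
        self.preemptive = preemptive                             # Election Settings > Preemptive
        self.preferred_primary = preferred_primary
        self.active_primary = preferred_primary                  # Device ID holding the active-primary role

    def _can_hold(self, peer: Peer) -> bool:
        # A peer whose link is down keeps the address only if link-state failover is off.
        return peer.up and (peer.link_up or not self.failover_on_link_down)

    def owner(self) -> Optional[int]:
        """Device ID that currently owns the floating IP address (None if neither can)."""
        if self.bound_to_active_primary:
            first = self.peers[self.active_primary]
            order = [first, self.peers[1 - first.device_id]]
        else:
            order = sorted(self.peers.values(), key=lambda p: (p.fip_priority, p.device_id))
        for peer in order:
            if self._can_hold(peer):
                return peer.device_id
        return None

    def fail(self, device_id: int) -> None:
        """Peer goes down; the active-primary role moves to the surviving peer."""
        self.peers[device_id].up = False
        other = 1 - device_id
        if self.active_primary == device_id and self.peers[other].up:
            self.active_primary = other

    def recover(self, device_id: int) -> None:
        """Peer comes back; it regains the active-primary role only if preemption allows."""
        self.peers[device_id].up = True
        if self.preemptive and device_id == self.preferred_primary:
            self.active_primary = device_id

    def set_link(self, device_id: int, link_up: bool) -> None:
        self.peers[device_id].link_up = link_up

    def make_active_primary(self, device_id: int) -> None:
        """Administrative move of the role, done at a convenient downtime with preemption off."""
        if self.peers[device_id].up:
            self.active_primary = device_id


def walk_through(bound: bool, preemptive: bool) -> List[Optional[int]]:
    """Owner after each event: start, Device ID 0 fails, it recovers, admin moves role to 0."""
    # Constructed priorities: Device 0 Priority 0 (best), Device 1 Priority 255.
    fip = FloatingIP("10.1.1.100", [Peer(0, fip_priority=0), Peer(1, fip_priority=255)],
                     bound_to_active_primary=bound, preemptive=preemptive)
    history = [fip.owner()]
    fip.fail(0)
    history.append(fip.owner())
    fip.recover(0)
    history.append(fip.owner())
    fip.make_active_primary(0)
    history.append(fip.owner())
    return history


if __name__ == "__main__":
    print("priority-based:              ", walk_through(bound=False, preemptive=True))
    print("bound, preemption enabled:   ", walk_through(bound=True, preemptive=True))
    print("bound, preemption disabled:  ", walk_through(bound=True, preemptive=False))
```

In the third line of output the address stays on Device ID 1 after Device ID 0 recovers, which is the behavior this use case is designed to give you.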


Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
This Layer 3 interface example uses source NAT in Active/Active HA Mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.
PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.

Configure Active/Active HA with Source DIPP NAT Using Floating IP Address
On PA-3050-2 (Device ID 1), complete the following steps:
Step 1  Perform Step 1 through Step 3 of Configure Active/Active HA.

Configure Active/Active HA with Source DIPP NAT Using Floating IP Address (Continued)
Step 2  Enable active/active HA.
  1. In Device > High Availability > General, edit Setup.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. For Mode, select Active Active.
  5. Select Device ID 1.
  6. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  7. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  8. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  9. Click OK.

Step 3  Perform Step 6 through Step 14 of Configure Active/Active HA.

Step 4  Configure Session Owner and Session Setup.
  1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  2. For Session Owner Selection, select First Packet: the firewall that receives the first packet of a new session is the session owner.
  3. For Session Setup, select IP Modulo: distributes session setup load based on parity of the source IP address.
  4. Click OK.

Step 5  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/1.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.101.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.

Step 6  Configure the floating IP address.
  1. Do not select Floating IP bound to the Active-Primary device.
  2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
  3. Click OK.

Step 7  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
        Perform Step 19 of Configure Active/Active HA.

Step 8  Define HA failover conditions.
        See Define HA Failover Conditions.

Step 9  Save the configuration.
        Click Commit.

Configure Active/Active HA with Source DIPP NAT Using Floating IP Address (Continued)
Step 10  Configure the peer firewall, PA-3050-1, with the same settings, except for the following changes:
  - Select Device ID 0.
  - Configure an HA virtual address of 10.1.1.100.
  - For Device 1 Priority, enter 255. For Device 0 Priority, enter 0.
    In this example, Device ID 0 has a lower priority value and therefore a higher priority, so the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.

Step 11  Still on PA-3050-1, create the source NAT rule for Device ID 0.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the rule that in this example identifies it as a source NAT rule for Device ID 0.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any.
  5. For Destination Zone, select the zone you created for the external network.
  6. Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
  7. For the Translated Packet, select Dynamic IP And Port for Translation Type.
  8. For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.100.
  9. On the Active/Active HA Binding tab, for Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
  10. Click OK.

Configure Active/Active HA with Source DIPP NAT Using Floating IP Address (Continued)
Step 12  Create the source NAT rule for Device ID 1.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the policy rule that in this example helps identify it as a source NAT rule for Device ID 1.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any. For Destination Zone, select the zone you created for the external network.
  5. Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
  6. For the Translated Packet, select Dynamic IP And Port for Translation Type.
  7. For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.101.
  8. On the Active/Active HA Binding tab, for the Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
  9. Click OK.

Step 13  Save the configuration.
         Click Commit.

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
If you want to use IP address pools for source NAT in Active/Active HA Mode, each firewall must have its own pool, which you then bind to a Device ID in a NAT rule.
Address objects and NAT rules are synchronized (in both active/passive and active/active mode), so they need to be configured on only one of the firewalls in the HA pair.
This example configures an address object named DynIPPool-dev0 containing the IP address pool 10.1.1.140-10.1.1.150. It also configures an address object named DynIPPool-dev1 containing the IP address pool 10.1.1.160-10.1.1.170. The first address object is bound to Device ID 0; the second address object is bound to Device ID 1.

Create Address Objects for IP Address Pools for Source NAT in an Active/Active HA Configuration
Step 1  On one HA firewall, create address objects.
  1. Select Objects > Addresses and Add an address object Name, in this example, DynIPPool-dev0.
  2. For Type, select IP Range and enter the range 10.1.1.140-10.1.1.150.
  3. Click OK.
  4. Repeat this step to configure another address object named DynIPPool-dev1 with the IP Range of 10.1.1.160-10.1.1.170.


Create Address Objects for IP Address Pools for Source NAT in an Active/Active HA Configuration (Continued)
Step 2  Create the source NAT rule for Device ID 0.
  1. Select Policies > NAT and Add a NAT policy rule with a Name, for example, SrcNAT-dev0.
  2. For Original Packet, for Source Zone, select Any.
  3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
  4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
  5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 0: DynIPPool-dev0.
  6. For Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
  7. Click OK.

Step 3  Create the source NAT rule for Device ID 1.
  1. Select Policies > NAT and Add a NAT policy rule with a Name, for example, SrcNAT-dev1.
  2. For Original Packet, for Source Zone, select Any.
  3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
  4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
  5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 1: DynIPPool-dev1.
  6. For Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
  7. Click OK.

Step 4  Save the configuration.
        Select Commit.

Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load Sharing with destination NAT. Both HA firewalls respond to an ARP request for the destination NAT address with the ingress interface MAC address. Destination NAT translates the public, shared IP address (in this example, 10.1.1.200) to the private IP address of the server (in this example, 192.168.2.200).
When the HA firewalls receive traffic for the destination 10.1.1.200, both firewalls could possibly respond to the ARP request, which could cause network instability. To avoid the potential issue, configure the firewall that is in active-primary state to respond to the ARP request by binding the destination NAT rule to the active-primary firewall.


Configure Active/Active HA for ARP Load Sharing with Destination NAT
On PA-3050-2 (Device ID 1), complete the following steps:
Step 1  Perform Step 1 through Step 3 of Configure Active/Active HA.

Step 2  Enable active/active HA.
  1. In Device > High Availability > General, edit Setup.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  10. Click OK.

Step 3  Perform Step 6 through Step 15 in Configure Active/Active HA.


Configure Active/Active HA for ARP Load Sharing with Destination NAT (Continued)
Step 4  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/1.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
  4. For Type, select ARP Load Sharing, which configures the virtual IP address to be for both peers to use for ARP Load Sharing.

Step 5  Configure ARP Load Sharing.
        The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1. For Device Selection Algorithm, select IP Modulo. The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
  2. Click OK.

Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
        Perform Step 19 of Configure Active/Active HA.

Step 7  Define HA failover conditions.
        See Define HA Failover Conditions.

Step 8  Save the configuration.
        Click Commit.

Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.

Step 10  Still on PA-3050-1 (Device ID 0), create the destination NAT rule so that the active-primary firewall responds to ARP requests.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the rule that, in this example, identifies it as a destination NAT rule for Layer 2 ARP.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any.
  5. For Destination Zone, select the Untrust zone you created for the external network.
  6. Allow Destination Interface, Service, and Source Address to remain set to Any.
  7. For Destination Address, specify 10.1.1.200.
  8. For the Translated Packet, Source Address Translation remains None.
  9. For Destination Address Translation, enter the private IP address of the destination server, in this example, 192.168.1.200.
  10. On the Active/Active HA Binding tab, for Active/Active HA Binding, select primary to bind the NAT rule to the firewall in active-primary state.
  11. Click OK.

Step 11  Save the configuration.
         Click Commit.


Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load Sharing. PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1.
In this use case, both of the HA firewalls must respond to an ARP request for the destination NAT address. Traffic can arrive at either firewall from either WAN router in the untrust zone. Destination NAT translates the public-facing, shared IP address to the private IP address of the server. The configuration requires one destination NAT rule bound to both Device IDs so that both firewalls can respond to ARP requests.

Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
On PA-3050-2 (Device ID 1), complete the following steps:
Step 1  Perform Step 1 through Step 3 of Configure Active/Active HA.


Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3 (Continued)
Step 2  Enable active/active HA.
  1. Select Device > High Availability > General > Setup and edit.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  10. Click OK.

Step 3  Perform Step 6 through Step 15 in Configure Active/Active HA.

Step 4  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/2.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
  4. For Type, select ARP Load Sharing, which configures the virtual IP address to be for both peers to use for ARP Load Sharing.

Step 5  Configure ARP Load Sharing.
        The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1. For Device Selection Algorithm, select one of the following:
     - IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
     - IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's source IP address and destination IP address.
  2. Click OK.

Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
        Perform Step 19 of Configure Active/Active HA.

Step 7  Define HA failover conditions.
        See Define HA Failover Conditions.

Step 8  Save the configuration.
        Click Commit.

Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.


Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3 (Continued)
Step 10  Still on PA-3050-1 (Device ID 0), create the destination NAT rule for both Device ID 0 and Device ID 1.
  1. Select Policies > NAT and click Add.
  2. Enter a Name for the rule that in this example identifies it as a destination NAT rule for Layer 3 ARP.
  3. For NAT Type, select ipv4 (default).
  4. On the Original Packet, for Source Zone, select Any.
  5. For Destination Zone, select the Untrust zone you created for the external network.
  6. Allow Destination Interface, Service, and Source Address to remain set to Any.
  7. For Destination Address, specify 10.1.1.200.
  8. For the Translated Packet, Source Address Translation remains None.
  9. For Destination Address Translation, enter the private IP address of the destination server, in this example 192.168.1.200.
  10. On the Active/Active HA Binding tab, for Active/Active HA Binding, select both to bind the NAT rule to both Device ID 0 and Device ID 1.
  11. Click OK.

Step 11  Save the configuration.
         Click Commit.
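The Active/Active HA Binding of a NAT rule is what makes the source DIPP NAT use case translate to a different floating IP on each peer, and what makes only the active-primary peer (binding primary) or both peers (binding both) apply the destination NAT rule and answer ARP for 10.1.1.200 in the two ARP Load Sharing use cases above. The following added example (not PAN-OS code) models that binding check over rules built from the values on this page; it assumes NAT rules are evaluated top-down with the first match winning, and that a peer answers ARP for a destination NAT address exactly when the rule applies on that peer, as the text describes. The SrcNAT-dev0/dev1 names come from the address-pool use case and the destination NAT rule names are constructed.

```python
# Added example, not PAN-OS code: models how the Active/Active HA Binding of a
# NAT rule decides which peer applies the rule, using the rules built in the
# source DIPP NAT and destination NAT use cases in this section.
# Assumptions: rules are evaluated top-down and the first match wins; a
# destination NAT rule that applies on a peer is what makes that peer answer
# ARP for the public address.
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class NatRule:
    name: str
    nat_kind: str               # "source-dipp" or "destination"
    ha_binding: str             # Active/Active HA Binding: "0", "1", "primary" or "both"
    match_dst: Optional[str]    # Original Packet Destination Address (None = Any)
    translated: str             # translated source IP (DIPP) or translated destination IP


def rule_applies(rule: NatRule, device_id: int, active_primary: int) -> bool:
    """Does this peer apply the rule, given its Device ID and the current active-primary peer?"""
    if rule.ha_binding == "both":
        return True
    if rule.ha_binding == "primary":
        return device_id == active_primary
    return rule.ha_binding == str(device_id)   # bound to Device ID 0 or 1


def apply_nat(rules: List[NatRule], device_id: int, active_primary: int,
              dst_ip: str) -> Optional[NatRule]:
    """First rule (top-down) that this peer applies to a packet with this destination."""
    for rule in rules:
        if rule.match_dst not in (None, dst_ip):
            continue
        if rule_applies(rule, device_id, active_primary):
            return rule
    return None


def arp_responders(rules: List[NatRule], public_ip: str, active_primary: int) -> Set[int]:
    """Peers that answer ARP for a destination NAT address: those on which its rule applies."""
    return {dev for dev in (0, 1)
            for rule in rules
            if rule.nat_kind == "destination" and rule.match_dst == public_ip
            and rule_applies(rule, dev, active_primary)}


# Rules with the values given on this page (destination NAT rule names are constructed).
SRC_NAT_RULES = [
    NatRule("SrcNAT-dev0", "source-dipp", "0", None, "10.1.1.100"),   # bound to Device ID 0
    NatRule("SrcNAT-dev1", "source-dipp", "1", None, "10.1.1.101"),   # bound to Device ID 1
]
DNAT_L2_ARP = NatRule("DNAT-L2-ARP", "destination", "primary", "10.1.1.200", "192.168.1.200")
DNAT_L3_ARP = NatRule("DNAT-L3-ARP", "destination", "both", "10.1.1.200", "192.168.1.200")


def translated_source(device_id: int, active_primary: int = 0) -> Optional[str]:
    """Floating IP that a host's outbound traffic is translated to on the given peer."""
    # 198.51.100.10 is a constructed external destination (documentation range).
    rule = apply_nat(SRC_NAT_RULES, device_id, active_primary, dst_ip="198.51.100.10")
    return rule.translated if rule else None


if __name__ == "__main__":
    print("Device ID 0 translates sources to", translated_source(0))
    print("Device ID 1 translates sources to", translated_source(1))
    print("ARP responders, rule bound to primary (active-primary is 0):",
          arp_responders([DNAT_L2_ARP], "10.1.1.200", active_primary=0))
    print("ARP responders, rule bound to both:",
          arp_responders([DNAT_L3_ARP], "10.1.1.200", active_primary=0))
```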


HA Firewall States
An HA firewall can be in one of the following states:

State: Initial
Occurs In: A/P or A/A
Description: Transient state of a firewall when it joins the HA pair. The firewall remains in this state after boot-up until it discovers a peer and negotiation begins. After a timeout, the firewall becomes active if HA negotiation has not started.

State: Active
Occurs In: A/P
Description: State of the active firewall in an active/passive configuration.

State: Passive
Occurs In: A/P
Description: State of the passive firewall in an active/passive configuration. The passive firewall is ready to become the active firewall with no disruption to the network. Although the passive firewall is not processing other traffic:
- If passive link state auto is configured, the passive firewall is running routing protocols, monitoring link and path state, and the passive firewall will pre-negotiate LACP and LLDP if LACP and LLDP pre-negotiation are configured, respectively.
- The passive firewall is synchronizing flow state, runtime objects, and configuration.
- The passive firewall is monitoring the status of the active firewall using the hello protocol.

State: Active-Primary
Occurs In: A/A
Description: In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. A firewall in this state can own sessions and set up sessions.

State: Active-Secondary
Occurs In: A/A
Description: In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. A firewall in active-secondary state does not support DHCP relay. A firewall in this state can own sessions and set up sessions.

State: Tentative
Occurs In: A/A
Description: State of a firewall (in an active/active configuration) caused by one of the following:
- Failure of a firewall.
- Failure of a monitored object (a link or path).
- The firewall leaves suspended or non-functional state.
A firewall in tentative state synchronizes sessions and configurations from the peer.
In a virtual wire deployment, when a firewall enters tentative state due to a path failure and receives a packet to forward, it sends the packet to the peer firewall over the HA3 link for processing. The peer firewall processes the packet and sends it back over the HA3 link to the firewall to be sent out the egress interface. This behavior preserves the forwarding path in a virtual wire deployment.
In a Layer 3 deployment, when a firewall in tentative state receives a packet, it sends that packet over the HA3 link for the peer firewall to own or set up the session. Depending on the network topology, this firewall either sends the packet out to the destination or sends it back to the peer in tentative state for forwarding.
After the failed path or link clears or as a failed firewall transitions from tentative state to active-secondary state, the Tentative Hold Time is triggered and routing convergence occurs. The firewall attempts to build routing adjacencies and populate its route table before processing any packets. Without this timer, the recovering firewall would enter active-secondary state immediately and would black-hole packets because it would not have the necessary routes.
When a firewall leaves suspended state, it goes into tentative state for the Tentative Hold Time after links are up and able to process incoming packets.
Tentative Hold Time range (sec) can be disabled (which is 0 seconds) or in the range 10-600; default is 60.

State: Non-functional
Occurs In: A/P or A/A
Description: Error state due to a dataplane failure or a configuration mismatch, such as only one firewall configured for packet forwarding, VR sync, or QoS sync.
In active/passive mode, all of the causes listed for Tentative state cause non-functional state.

State: Suspended
Occurs In: A/P or A/A
Description: Administratively disabled state. In this state, an HA firewall cannot participate in the HA election process.


Reference: HA Synchronization
If you have enabled configuration synchronization on both peers in an HA pair, most of the configuration settings you configure on one peer will automatically sync to the other peer upon commit. To avoid configuration conflicts, always make configuration changes on the active (active/passive) or active-primary (active/active) peer and wait for the changes to sync to the peer before making any additional configuration changes.
Only committed configurations synchronize between HA peers. Any configuration in the commit queue at the time of an HA sync will not be synchronized.

The following topics identify which configuration settings you must configure on each firewall independently (these settings are not synchronized from the HA peer).

- What Settings Don't Sync in Active/Passive HA?
- What Settings Don't Sync in Active/Active HA?
- Synchronization of System Runtime Information

What Settings Don't Sync in Active/Passive HA?
You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another.
Configuration Item / What Doesn't Sync in Active/Passive?

Management Interface Settings
  All management configuration settings must be configured individually on each firewall, including:
  - Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  - Device > Setup > Management > Management Interface Settings: IP Type, IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP).

Multi-vsys Capability
  To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls, or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair.
  You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings
  You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings
  Set the following Panorama settings on each firewall (Device > Setup > Management > Panorama Settings):
  - Panorama Servers
  - Disable Panorama Policy and Objects and Disable Device and Network Template

SNMP
  Device > Setup > Operations > SNMP Setup

Statistics Collection
  Device > Setup > Operations > Statistics Service Setup

Services
  Device > Setup > Services

Global Service Routes
  Device > Setup > Services > Service Route Configuration

Data Protection
  Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames
  Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings
  Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

Master Key Secured by HSM
  Device > Setup > HSM > Hardware Security Module Provider > Master Key Secured by HSM

Log Export Settings
  Device > Scheduled Log Export

Software Updates
  With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Software

GlobalProtect Agent Package
  With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer.
  Device > GlobalProtect Client

Content Updates
  With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Dynamic Updates

Licenses/Subscriptions
  Device > Licenses

Support Subscription
  Device > Support

Master Key
  The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics).
  Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, logs, and Dashboard Settings
  Log data, reports, and Dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

HA settings
  Device > High Availability

What Settings Don't Sync in Active/Active HA?

You must configure the following settings on each firewall in an HA pair in an active/active deployment. These settings do not sync from one peer to another.

Configuration Item / What Doesn't Sync in Active/Active?

Management Interface Settings
  You must configure all management settings individually on each firewall, including:
  - Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is only the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  - Device > Setup > Management > Management Interface Settings: IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP).

Multi-vsys Capability
  To enable multi-vsys, you must activate the Virtual Systems license on each firewall in the pair. The license is required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls, or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls.
  You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings
  You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings
  Set the following Panorama settings on each firewall (Device > Setup > Management > Panorama Settings):
  - Panorama Servers
  - Disable Panorama Policy and Objects and Disable Device and Network Template

SNMP
  Device > Setup > Operations > SNMP Setup

Statistics Collection
  Device > Setup > Operations > Statistics Service Setup

Services
  Device > Setup > Services

Global Service Routes
  Device > Setup > Services > Service Route Configuration

Data Protection
  Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames
  Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings
  Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

HSM Configuration
  Device > Setup > HSM

Log Export Settings
  Device > Scheduled Log Export
Software Updates
  With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Software

GlobalProtect Agent Package
  With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer.
  Device > GlobalProtect Client

Content Updates
  With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Dynamic Updates

Licenses/Subscriptions
  Device > Licenses

Support Subscription
  Device > Support

Ethernet Interface IP Addresses
  All Ethernet interface configuration settings sync except for the IP address (Network > Interface > Ethernet).

Loopback Interface IP Addresses
  All Loopback interface configuration settings sync except for the IP address (Network > Interface > Loopback).

Tunnel Interface IP Addresses
  All Tunnel interface configuration settings sync except for the IP address (Network > Interface > Tunnel).

LACP System Priority
  Each peer must have a unique LACP System ID in an active/active deployment (Network > Interface > Ethernet > Add Aggregate Group > System Priority).

VLAN Interface IP Address
  All VLAN interface configuration settings sync except for the IP address (Network > Interface > VLAN).

Virtual Routers
  Virtual router configuration synchronizes only if you have enabled VR Sync (Device > High Availability > Active/Active Config > Packet Forwarding). Whether or not to do this depends on your network design, including whether you have asymmetric routing.

IPSec Tunnels
  IPSec tunnel configuration synchronization depends on whether you have configured the Virtual Addresses to use Floating IP addresses (Device > High Availability > Active/Active Config > Virtual Address). If you have configured a floating IP address, these settings sync automatically. Otherwise, you must configure these settings independently on each peer.

GlobalProtect Portal Configuration
  GlobalProtect portal configuration synchronization depends on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Portals). If you have configured a floating IP address, the GlobalProtect portal configuration settings sync automatically. Otherwise, you must configure the portal settings independently on each peer.

GlobalProtect Gateway Configuration
  GlobalProtect gateway configuration synchronization depends on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Gateways). If you have configured a floating IP address, the GlobalProtect gateway configuration settings sync automatically. Otherwise, you must configure the gateway settings independently on each peer.
QoS
  QoS configuration synchronizes only if you have enabled QoS Sync (Device > High Availability > Active/Active Config > Packet Forwarding). You might choose not to sync QoS settings if, for example, you have different bandwidth on each link or different latency through your service providers.

LLDP
  No LLDP state or individual firewall data is synchronized in an active/active configuration (Network > Network Profiles > LLDP).

BFD
  No BFD configuration or BFD session data is synchronized in an active/active configuration (Network > Network Profiles > BFD Profile).

IKE Gateways
  IKE gateway configuration synchronization depends on whether you have configured the Virtual Addresses to use floating IP addresses (Network > IKE Gateways). If you have configured a floating IP address, the IKE gateway configuration settings sync automatically. Otherwise, you must configure the IKE gateway settings independently on each peer.

Master Key
  The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics).
  Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, Logs, and Dashboard Settings
  Log data, reports, and dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

HA Settings
  Device > High Availability
  (The exception is Device > High Availability > Active/Active Configuration > Virtual Addresses, which do sync.)
Synchronization of System Runtime Information

Runtime Information                   Synced A/P   Synced A/A   HA Link   Details
------------------------------------  -----------  -----------  --------  ------------------------------------------------------------
Management Plane
User to Group Mappings                Yes          Yes          HA1
DHCP Lease (as server)                Yes          Yes          HA1
DNS Cache                             No           No           N/A
FQDN Refresh                          No           No           N/A
IKE Keys (phase 2)                    Yes          Yes          HA1
BrightCloud URL Database              No           No           N/A
BrightCloud URL Cache                 No           No           N/A       This feature is disabled by default and must be enabled
                                                                          separately on each HA peer.
BrightCloud Bloom Filter              No           No           N/A       This feature is disabled by default and must be enabled
                                                                          separately on each HA peer.
PAN-DB URL Cache                      Yes          No           HA1       This is synchronized upon database backup to disk (every
                                                                          eight hours, when the URL database version updates), or
                                                                          when the firewall reboots.
Content (manual sync)                 Yes          Yes          HA1
PPPoE, PPPoE Lease                    Yes          Yes          HA1
DHCP Client Settings and Lease        Yes          Yes          HA1
SSL VPN Logged-in User List           Yes          Yes          HA1
Forward Information Base (FIB)        Yes          Yes          HA1

Dataplane
Session Table                         Yes          Yes          HA2       Active/passive peers do not sync ICMP or host session
                                                                          information. Active/active peers do not sync host session,
                                                                          multicast session, or BFD session information.
ARP Table                             Yes          No           HA2       Upon upgrade to PAN-OS 7.1, the ARP table capacity
                                                                          automatically increases. To avoid a mismatch, upgrade both
                                                                          peers within a short period of time. As a best practice,
                                                                          clear the ARP cache (clear arp) on both peers prior to
                                                                          upgrading to PAN-OS 7.1.
Neighbor Discovery (ND) Table         Yes          No           HA2
MAC Table                             Yes          No           HA2
IPSec Sequence Number (anti-replay)   Yes          Yes          HA2
DoS Protection                        Yes          Yes          HA2
User to IP Address Mappings           Yes          Yes          HA2
Virtual MAC                           Yes          Yes          HA2
Monitoring

In order to forestall potential issues, and to accelerate incident response when needed, the firewall provides intelligence on traffic and user patterns along with customizable and informative reports. The dashboard, Application Command Center (ACC), reports, and logs on the firewall allow you to monitor activity on your network. You can monitor the logs and filter the information to generate reports with predefined or customized views. You can, for example, use the predefined templates to generate reports on user activities, or analyze the reports and logs to interpret unusual behavior on your network and generate a custom report on the traffic pattern. For a visually engaging presentation of network activity, the dashboard and the ACC include widgets, charts, and tables that you can interact with to find the information that you care about. In addition, you can configure the firewall to forward monitored information as email notifications, syslog messages, SNMP traps, and NetFlow records to external services.

- Use the Dashboard
- Use the Application Command Center
- App Scope
- Use the Automated Correlation Engine
- Take Packet Captures
- Monitor Applications and Threats
- Monitor and Manage Logs
- Manage Reporting
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
- Use Syslog for Monitoring
- SNMP Monitoring and Traps
- NetFlow Monitoring
Use the Dashboard

The Dashboard tab widgets show general firewall information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. All of the available widgets are displayed by default, but each administrator can remove and add individual widgets, as needed. Click the refresh icon to update the dashboard or an individual widget. To change the automatic refresh interval, select an interval from the drop-down (1 min, 2 mins, 5 mins, or Manual). To add a widget to the dashboard, click the widget drop-down, select a category and then the widget name. To delete a widget, click the close icon in the title bar. The following table describes the dashboard widgets.

Dashboard Charts / Descriptions

Top Applications
  Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk from green (lowest) to red (highest). Click an application to view its application profile.

Top High Risk Applications
  Similar to Top Applications, except that it displays the highest-risk applications with the most sessions.

General Information
  Displays the firewall name, model, PAN-OS software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.

Interface Status
  Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

Threat Logs
  Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or a URL that violates the URL filtering profile.

Config Logs
  Displays the administrator username, client (Web or CLI), and date and time for the last 10 entries in the Configuration log.

Data Filtering Logs
  Displays the description and date and time for the last 60 minutes in the Data Filtering log.

URL Filtering Logs
  Displays the description and date and time for the last 60 minutes in the URL Filtering log.

System Logs
  Displays the description and date and time for the last 10 entries in the System log.
  A "Config installed" entry indicates configuration changes were committed successfully.

System Resources
  Displays the Management CPU usage, Data Plane usage, and the Session Count, which displays the number of sessions established through the firewall.

Logged In Admins
  Displays the source IP address, session type (Web or CLI), and session start time for each administrator who is currently logged in.

ACC Risk Factor
  Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher values indicate higher risk.

High Availability
  If high availability (HA) is enabled, indicates the HA status of the local and peer firewall: green (active), yellow (passive), or black (other). For more information about HA, see High Availability.

Locks
  Shows configuration locks taken by administrators.
Use the Application Command Center

The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic patterns and actionable information on threats. The ACC layout includes a tabbed view of network activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better visualization of network traffic. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, so that you can uncover anomalies or find ways to enhance your network security rules. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.

- ACC First Look
- ACC Tabs
- ACC Widgets (Widget Descriptions)
- ACC Filters
- Interact with the ACC
- Use Case: ACC Path of Information Discovery
ACC First Look

Take a quick tour of the ACC.

ACC First Look

Tabs
  The ACC includes three predefined tabs that provide visibility into network traffic, threat activity, and blocked activity. For information on each tab, see ACC Tabs.

Widgets
  Each tab includes a default set of widgets that best represent the events/trends associated with the tab. The widgets allow you to survey the data using the following filters:
  - bytes (in and out)
  - sessions
  - content (files and data)
  - URL categories
  - threats (and count)
  For information on each widget, see ACC Widgets.
Time
  The charts or graphs in each widget provide a summary and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days. The selected time period applies across all tabs in the ACC.
  The time period used to render data, by default, is the Last Hour, updated in 15-minute intervals. The date and time interval are displayed on screen; for example, at 11:40 the time range is 01/12 10:30:00 - 01/12 11:29:59.

Global Filters
  The Global Filters allow you to set the filter across all widgets and all tabs. The charts/graphs apply the selected filters before rendering the data. For information on using the filters, see ACC Filters.

Risk Factor
  The risk factor (1 = lowest to 5 = highest) indicates the relative risk based on the applications used on your network. The risk factor uses a variety of factors to assess the associated risk levels, such as whether the application can share files, is prone to misuse, or tries to evade firewalls. It also factors in the threat activity and malware as seen through the number of blocked threats, compromised hosts, or traffic to malware hosts/domains.

Source
  The data segment used for the display. The options vary on the firewall and on Panorama.
  - On the firewall, if enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include all virtual systems or just a selected virtual system.
  - On Panorama, you can select the Device Group drop-down to change the ACC display to include all device groups or just a selected device group.
    Additionally, on Panorama, you can change the Data Source to Panorama data or Remote Device Data. Remote Device Data is only available when all the managed firewalls are on PAN-OS 7.0.0 or later. When you filter the display for a specific device group, Panorama data is used as the data source.

Export
  You can export the widgets displayed in the currently selected tab as a PDF. The PDF is downloaded and saved to the downloads folder associated with your web browser, on your computer.
ACC Tabs

The ACC includes the following predefined tabs for viewing network activity, threat activity, and blocked activity.

Tab / Description

Network Activity
  Displays an overview of traffic and user activity on your network including:
  - Top applications in use
  - Top users who generate traffic (with a drill-down into the bytes, content, threats or URLs accessed by the user)
  - Most used security rules against which traffic matches occur
  In addition, you can also view network activity by source or destination zone, region, or IP address, ingress or egress interfaces, and GlobalProtect host information such as the operating systems of the devices most commonly used on the network.
Threat Activity
  Displays an overview of the threats on the network, focusing on the top threats: vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire submissions by file type and application, and applications that use non-standard ports. The Compromised Hosts widget in this tab (the widget is supported on some platforms only) supplements detection with better visualization techniques; it uses the information from the correlated events tab (Automated Correlation Engine > Correlated Events) to present an aggregated view of compromised hosts on your network by source users/IP addresses, sorted by severity.

Blocked Activity
  Focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you to view activity denied by application name, user name, threat name, and blocked content (files and data that were blocked by a file blocking profile). It also lists the top security rules that were matched on to block threats, content, and URLs.

You can also Interact with the ACC to create customized tabs with a custom layout and widgets that meet your network monitoring needs.

ACC Widgets

The widgets on each tab are interactive; you can set the ACC Filters and drill down into the details for each table or graph, or customize the widgets included in the tab to focus on the information you need. For details on what each widget displays, see Widget Descriptions.
Widgets

View
  You can sort the data by bytes, sessions, threats, count, content, URLs, malicious, benign, files, data, profiles, or objects. The available options vary by widget.

Graph
  The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked bar graph, and map. The available options vary by widget; the interaction experience also varies with each graph type. For example, the widget for Applications using Non Standard Ports allows you to choose between a treemap and a line graph.
  To drill down into the display, click into the graph. The area you click into becomes a filter and allows you to zoom in to the selection and view more granular information on the selection.

Table
  The detailed view of the data used to render the graph is provided in a table below the graph. You can interact with the table in several ways:
  - Click and set a local filter for an attribute in the table. The graph is updated and the table is sorted using the local filter. The information displayed in the graph and the table is always synchronized.
  - Hover over the attribute in the table and use the options available in the drop-down.

Actions
  - Maximize view: allows you to enlarge the widget and view the table in a larger screen space and with more viewable information.
  - Set up local filters: allows you to add ACC Filters to refine the display within the widget. Use these filters to customize the widgets; these customizations are retained between logins.
  - Jump to logs: allows you to directly navigate to the logs (Monitor > Logs > Log type tab). The logs are filtered using the time period for which the graph is rendered. If you have set local and global filters, the log query concatenates the time period and the filters and only displays logs that match the combined filter set.
  - Export: allows you to export the graph as a PDF. The PDF is downloaded and saved on your computer. It is saved in the Downloads folder associated with your web browser.

Widget Descriptions

Each tab on the ACC includes a different set of widgets.

Widget / Description

Network Activity: Displays an overview of traffic and user activity on your network.
Application Usage
  The table displays the top ten applications used on your network; all the remaining applications used on the network are aggregated and displayed as "other". The graph displays all applications by application category, subcategory, and application. Use this widget to scan for applications being used on the network; it informs you about the predominant applications using bandwidth, session count, file transfers, triggering the most threats, and accessing URLs.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: treemap, area, column, line (the charts vary by the sort-by attribute selected)

User Activity
  Displays the top ten most active users on the network who have generated the largest volume of traffic and consumed network resources to obtain content. Use this widget to monitor top users on usage sorted on bytes, sessions, threats, content (files and patterns), and URLs visited.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source IP Activity
  Displays the top ten IP addresses or hostnames of the devices that have initiated activity on the network. All other devices are aggregated and displayed as "other".
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Destination IP Activity
  Displays the IP addresses or hostnames of the top ten destinations that were accessed by users on the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source Regions
  Displays the top ten regions (built-in or custom-defined regions) around the world from where users initiated activity on your network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: map, bar

Destination Regions
  Displays the top ten destination regions (built-in or custom-defined regions) on the world map from where content is being accessed by users on the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: map, bar

GlobalProtect Host Information
  Displays information on the state of the hosts on which the GlobalProtect agent is running; the host system is a GlobalProtect client. This information is sourced from entries in the HIP match log that are generated when the data submitted by the GlobalProtect agent matches a HIP object or a HIP profile you have defined on the firewall. If you do not have HIP Match logs, this widget is blank. To learn how to create HIP objects and HIP profiles and use them as policy match criteria, see Configure HIP-Based Policy Enforcement.
  Sort attributes: profiles, objects, operating systems
  Charts available: bar

Rule Usage
  Displays the top ten rules that have allowed the most traffic on the network. Use this widget to view the most commonly used rules, monitor the usage patterns, and assess whether the rules are effective in securing your network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: line
Ingress Interfaces
  Displays the firewall interfaces that are most used for allowing traffic into the network.
  Sort attributes: bytes, bytes sent, bytes received
  Charts available: line

Egress Interfaces
  Displays the firewall interfaces that are most used by traffic exiting the network.
  Sort attributes: bytes, bytes sent, bytes received
  Charts available: line

Source Zones
  Displays the zones that are most used for allowing traffic into the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: line

Destination Zones
  Displays the zones that are most used by traffic going outside the network.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: line

Threat Activity: Displays an overview of the threats on the network.

Compromised Hosts
  Displays the hosts that are likely compromised on your network. This widget summarizes the events from the correlation logs. For each source user/IP address, it includes the correlation object that triggered the match and the match count, which is aggregated from the match evidence collated in the correlated events logs. For details, see Use the Automated Correlation Engine.
  Available on the PA-3000 Series, PA-5000 Series, PA-7000 Series, and Panorama.
  Sort attributes: severity (by default)

Hosts Visiting Malicious URLs
  Displays the frequency with which hosts (IP address/hostnames) on your network have accessed malicious URLs. These URLs are known to be malware based on categorization in PAN-DB.
  Sort attributes: count
  Charts available: line

Hosts Resolving Malicious Domains
  Displays the top hosts matching DNS signatures; that is, hosts on the network that are attempting to resolve the hostname or domain of a malicious URL. This information is gathered from an analysis of the DNS activity on your network. It utilizes passive DNS monitoring, DNS traffic generated on the network, activity seen in the sandbox if you have configured DNS sinkhole on the firewall, and DNS reports on malicious DNS sources that are available to Palo Alto Networks customers.
  Sort attributes: count
  Charts available: line

Threat Activity
  Displays the threats seen on your network. This information is based on signature matches in Antivirus, Anti-Spyware, and Vulnerability Protection profiles and viruses reported by WildFire.
  Sort attributes: threats
  Charts available: bar, area, column

WildFire Activity by Application
  Displays the applications that generated the most WildFire submissions. This widget uses the malicious and benign verdicts from the WildFire Submissions log.
  Sort attributes: malicious, benign
  Charts available: bar, line
WildFire Activity by File Type
  Displays the threat vector by file type. This widget displays the file types that generated the most WildFire submissions and uses the malicious and benign verdicts from the WildFire Submissions log. If this data is unavailable, the widget is empty.
  Sort attributes: malicious, benign
  Charts available: bar, line

Applications using Non Standard Ports
  Displays the applications that are entering your network on non-standard ports. If you have migrated your firewall rules from a port-based firewall, use this information to craft policy rules that allow traffic only on the default port for the application. Where needed, make an exception to allow traffic on a non-standard port or create a custom application.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: treemap, line

Rules Allowing Applications On Non Standard Ports
  Displays the security policy rules that allow applications on non-default ports. The graph displays all the rules, while the table displays the top ten rules and aggregates the data from the remaining rules as "other".
  This information helps you identify gaps in network security by allowing you to assess whether an application is hopping ports or sneaking into your network. For example, you can validate whether you have a rule that allows traffic on any port except the default port for the application. Say, for example, you have a rule that allows DNS traffic on its application-default port (port 53 is the standard port for DNS). This widget will display any rule that allows DNS traffic into your network on any port except port 53.
  Sort attributes: bytes, sessions, threats, content, URLs
  Charts available: treemap, line

Blocked Activity: Focuses on traffic that was prevented from coming into the network.

Blocked Application Activity
  Displays the applications that were denied on your network, and allows you to view the threats, content, and URLs that you kept out of your network.
  Sort attributes: threats, content, URLs
  Charts available: treemap, area, column

Blocked User Activity
  Displays user requests that were blocked by a match on an antivirus, anti-spyware, file blocking, or URL filtering profile attached to security policy.
  Sort attributes: threats, content, URLs
  Charts available: bar, area, column

Blocked Threats
  Displays the threats that were successfully denied on your network. These threats were matched on antivirus signatures, vulnerability signatures, and DNS signatures available through the dynamic content updates on the firewall.
  Sort attributes: threats
  Charts available: bar, area, column

Blocked Content
  Displays the files and data that were blocked from entering the network. The content was blocked because security policy denied access based on criteria defined in a File Blocking security profile or a Data Filtering security profile.
  Sort attributes: files, data
  Charts available: bar, area, column
Security Policies Blocking Activity
  Displays the security policy rules that blocked or restricted traffic into your network. Because this widget displays the threats, content, and URLs that were denied access into your network, you can use it to assess the effectiveness of your policy rules. This widget does not display traffic that was blocked because of deny rules that you have defined in policy.
  Sort attributes: threats, content, URLs
  Charts available: bar, area, column

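The check behind the Rules Allowing Applications On Non Standard Ports widget, as an added example that is not Palo Alto Networks code: given a rulebase, flag every allow rule whose service opens an application on a port that is not its application-default port (the DNS-on-anything-but-53 case described above). The app-default table, the rule representation and the sample rulebase are all constructed for this example; PAN-OS stores both differently.

```python
"""Audit a rulebase for applications allowed on non-default ports.
Added example, not Palo Alto Networks code. APP_DEFAULT_PORTS, Rule and
SAMPLE_RULES are constructed for the example.
"""
from dataclasses import dataclass

# Constructed app-default table: application -> set of (protocol, port).
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "ssl": {("tcp", 443)},
    "web-browsing": {("tcp", 80)},
}


@dataclass
class Rule:
    """A simplified security rule (constructed format, not the PAN-OS schema)."""
    name: str
    action: str          # "allow" or "deny"
    applications: list   # explicit application names
    # "application-default", "any", or a list of (protocol, port) tuples
    # where port is an int or the string "any".
    service: object = "application-default"


def offending_services(app, services, app_defaults=APP_DEFAULT_PORTS):
    """Return the (protocol, port) services that let `app` in on a port that is
    not one of its app-default ports. A port of "any" always counts, because it
    includes every non-default port. An application with no known defaults has
    no default port, so every explicit service is reported for it."""
    defaults = app_defaults.get(app, set())
    return [svc for svc in services if svc[1] == "any" or svc not in defaults]


def rules_allowing_non_standard_ports(rules, app_defaults=APP_DEFAULT_PORTS):
    """Map rule name -> {application: [offending services]} for every allow
    rule whose service is not application-default. Deny rules are skipped
    (they block, they do not admit traffic), and so are rules with the
    application-default service, which by definition cannot open extra ports."""
    findings = {}
    for rule in rules:
        if rule.action != "allow" or rule.service == "application-default":
            continue
        if rule.service == "any":
            services = [("tcp", "any"), ("udp", "any")]
        else:
            services = list(rule.service)
        for app in rule.applications:
            bad = offending_services(app, services, app_defaults)
            if bad:
                findings.setdefault(rule.name, {})[app] = bad
    return findings


# Constructed sample rulebase.
SAMPLE_RULES = [
    Rule("allow-dns", "allow", ["dns"]),                               # app-default: clean
    Rule("dns-any-port", "allow", ["dns"], "any"),                     # DNS on every port
    Rule("dns-5353", "allow", ["dns"], [("udp", 5353), ("udp", 53)]),  # 53 fine, 5353 not
    Rule("web-8080", "allow", ["web-browsing", "ssl"],
         [("tcp", 8080), ("tcp", 443)]),                               # 443 is ssl's, not web's
    Rule("deny-ssl-any", "deny", ["ssl"], "any"),                      # deny rule: skipped
]

if __name__ == "__main__":
    for rule_name, apps in rules_allowing_non_standard_ports(SAMPLE_RULES).items():
        for app, services in apps.items():
            ports = ", ".join(f"{proto}/{port}" for proto, port in services)
            print(f"{rule_name}: allows {app} on non-default {ports}")
```
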
ACC Filters

The graphs and tables on the ACC widgets allow you to use filters to narrow the scope of data that is displayed, so that you can isolate specific attributes and analyze information you want to view in greater detail. The ACC supports the simultaneous use of widget and global filters.

- Widget Filters: Apply a widget filter, which is a filter that is local to a specific widget. A widget filter allows you to interact with the graph and customize the display so that you can drill down into the details and access the information you want to monitor on a specific widget. To create a widget filter that is persistent across reboots, you must use the Set Local Filter option.

- Global filters: Apply global filters across all the tabs in the ACC. A global filter allows you to pivot the display around the details you care about right now and exclude the unrelated information from the current display. For example, to view all events relating to a specific user and application, you can apply the username and the application as a global filter and view only information pertaining to the user and the application through all the tabs and widgets on the ACC. Global filters are not persistent.
You can apply global filters in three ways:

- Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
- Add a widget filter to a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget, and apply the attribute globally to update the display across all the tabs on the ACC.
- Define a global filter: Define a filter using the Global Filters pane on the ACC.

See Interact with the ACC for details on using these filters.

Interact with the ACC

To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and global filters, and interact with the widgets.

Work with the Tabs and Widgets

Add a tab.
  1. Select the add icon along the list of tabs.
  2. Add a View Name. This name will be used as the name for the tab. You can add up to five tabs.

Edit a tab.
  Select the tab, and click the pencil icon next to the tab name to edit the tab.
  Editing a tab allows you to add, delete, or reset the widgets that are displayed in the tab. You can also change the widget layout in the tab.

See what widgets are included in a tab.
  1. Select the tab, and click the pencil icon to edit it.
  2. Select the Add Widget drop-down and verify the widgets that have the check boxes selected.

Work with the Tabs and Widgets (Continued)

Add a widget or a widget group.
1. Add a new tab or edit a predefined tab.
2. Select Add Widget, and then select the check box that corresponds to the widget you want to add. You can select up to a maximum of 12 widgets.
3. (Optional) To create a 2-column layout, select Add Widget Group. You can drag and drop widgets into the 2-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget. You cannot name a widget group.

Delete a tab or a widget group/widget.
1. To delete a custom tab, select the tab and click the X icon. You cannot delete a predefined tab.
2. To delete a widget group/widget, edit the tab and in the workspace section, click the [X] icon on the right. You cannot undo a deletion.

Reset the default widgets in a tab.
On a predefined tab, such as the Blocked Activity tab, you can delete one or more widgets. If you want to reset the layout to include the default set of widgets for the tab, edit the tab and click Reset View.

Zoom in on the details in an area, column, or line graph.
Click and drag an area in the graph to zoom in. For example, when you zoom in to a line graph, it triggers a re-query and the firewall fetches the data for the selected time period. It is not a mere magnification.
Watch how the zoom-in capability works.

Use the table drop-down to find more information on an attribute.
1. Hover over an attribute in a table to see the drop-down.
2. Click into the drop-down to view the available options.
Global Find: Use Global Find to search the firewall or Panorama management server for references to the attribute (username/IP address, object name, policy rule name, threat ID, or application name) anywhere in the candidate configuration.
Value: Displays the details of the threat ID, or application name, or address object.
Who Is: Performs a domain name (WHOIS) lookup for the IP address. The lookup queries databases that store the registered users or assignees of an Internet resource.
Search HIP Report: Uses the username or IP address to find matches in a HIP Match report.

Set a widget filter.
You can also click an attribute in the table (below the graph) to apply it as a widget filter.
1. Select a widget and click the icon.
2. Click the icon to add the filters you want to apply.
3. Click Apply. These filters are persistent across reboots. The active widget filters are indicated next to the widget name.


Work with the Tabs and Widgets (Continued)

Negate a widget filter.
1. Click the icon to display the Setup Local Filters dialog.
2. Add a filter, and then click the negate icon.

Set a global filter from a table.
Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute.

Set a global filter using the Global Filters pane.
Watch global filters in action.
1. Locate the Global Filters pane on the left side of the ACC.
2. Click the icon to view the list of filters you can apply.

Promote a widget filter to a global filter.
1. On any table in a widget, click the link for an attribute. This sets the attribute as a widget filter.
2. To promote the filter to be a global filter, select the arrow to the right of the filter.

Remove a filter.
Click the icon to remove a filter.
For global filters: It is located in the Global Filters pane.
For widget filters: Click the icon to display the Setup Local Filters dialog, then select the filter, and click the icon.

Clear all filters.
For global filters: Click the Clear All button under Global Filters.
For widget filters: Select a widget and click the icon. Then click the Clear All button in the Setup Local Filters dialog.


Work with the Tabs and Widgets (Continued)

See what filters are in use.
For global filters: The number of global filters applied is displayed on the left pane under Global Filters.
For widget filters: The number of widget filters applied on a widget is displayed next to the widget name. To view the filters, click the icon.

Reset the display on a widget.
If you set a widget filter or drill into a graph, click the Home link to reset the display in the widget.

Use Case: ACC Path of Information Discovery
The ACC has a wealth of information that you can use as a starting point for analyzing network traffic. Let's look at an example of using the ACC to uncover events of interest. This example illustrates how you can use the ACC to ensure that legitimate users can be held accountable for their actions, detect and track unauthorized activity, and detect and diagnose compromised hosts and vulnerable systems on your network.
The widgets and filters in the ACC give you the capability to analyze the data and filter the views based on events of interest or concern. You can trace events that pique your interest, directly export a PDF of a tab, access the raw logs, and save a personalized view of the activity that you want to track. These capabilities make it possible for you to monitor activity and develop policies and countermeasures for fortifying your network against malicious activity. In this section, you will Interact with the ACC widgets across different tabs, drill down using widget filters, pivot the ACC views using global filters, and export a PDF for sharing with incident response or IT teams.
At first glance, you see the Application Usage and User Activity widgets in the ACC > Network Activity tab. The User Activity widget shows that user Marsha Wirth has transferred 718 Megabytes of data during the last hour. This volume is nearly six times more than any other user on the network. To see the trend over the past few hours, expand the Time period to the Last 6 Hrs, and now Marsha's activity has been 6.5 Gigabytes over 891 sessions and has triggered 38 threat signatures.


Because Marsha has transferred a large volume of data, apply her username as a global filter (ACC Filters) and pivot all the views in the ACC to Marsha's traffic activity.

The Application Usage tab now shows that the top application that Marsha used was rapidshare, a Swiss-owned file hosting site that belongs to the file-sharing URL category. For further investigation, add rapidshare as a global filter, and view Marsha's activity in the context of rapidshare.
Consider whether you want to sanction rapidshare for company use. Should you allow uploads to this site and do you need a QoS policy to limit bandwidth?

To view which IP addresses Marsha has communicated with, check the Destination IP Activity widget, and view the data by bytes and by URLs.


To know which countries Marsha communicated with, sort on sessions in the Destination Regions widget.

From this data, you can confirm that Marsha, a user on your network, has established sessions in Korea and the European Union, and she logged 19 threats in her sessions within the United States.
To look at Marsha's activity from a threat perspective, remove the global filter for rapidshare. In the Threat Activity widget on the Threat Activity tab, view the threats. The widget displays that her activity had triggered a match for 26 vulnerabilities in the overflow, DoS, and code-execution threat category. Several of these vulnerabilities are of critical severity.


To further drill down into each vulnerability, click into the graph and narrow the scope of your investigation. Each click automatically applies a local filter on the widget.

To investigate each threat by name, you can create a global filter for, say, Microsoft Works File Converter Field Length Remote Code Execution Vulnerability. Then, view the User Activity widget in the Network Activity tab. The tab is automatically filtered to display threat activity for Marsha (notice the global filters in the screenshot).


Notice that this Microsoft code execution vulnerability was triggered over email, by the imap application. You can now establish that Marsha has IE vulnerabilities and email attachment vulnerabilities, and perhaps her computer needs to be patched. You can now navigate to the Blocked Threats widget in the Blocked Activity tab to check how many of these vulnerabilities were blocked.
Or, you can check the Rule Usage widget on the Network Activity tab to discover how many vulnerabilities made it into your network and which security rule allowed this traffic, and navigate directly to the security rule using the Global Find capability.

Then, drill into why imap used a non-standard port 43206 instead of port 143, which is the default port for the application. Consider modifying the security policy rule to allow applications to only use the default port for the application, or assess whether this port should be an exception on your network.
To review if any threats were logged over imap, check Marsha's activity in the WildFire Activity by Application widget in the Threat Activity tab. You can confirm that Marsha had no malicious activity, but to verify that no other user was compromised by the imap application, negate Marsha as a global filter and look for other users who triggered threats over imap.


Click into the bar for imap in the graph and drill into the inbound threats associated with the application. To find out who an IP address is registered to, hover over the attacker IP address and select the Who Is link in the drop-down.

Because the session count from this IP address is high, check the Blocked Content and Blocked Threats widgets in the Blocked Activity tab for events related to this IP address. The Blocked Activity tab allows you to validate whether or not your policy rules are effective in blocking content or threats when a host on your network is compromised.
Use the Export PDF capability on the ACC to export the current view (create a snapshot of the data) and send it to an incident response team. To view the threat logs directly from the widget, you can also click the icon to jump to the logs; the query is generated automatically and only the relevant logs are displayed on screen (for example in Monitor > Logs > Threat Logs).


You have now used the ACC to review network data/trends to find which applications or users are generating the most traffic, and how many applications are responsible for the threats seen on the network. You were able to identify which application(s) and user(s) generated the traffic, determine whether the application was on the default port and which policy rule(s) allowed the traffic into the network, and determine whether the threat is spreading laterally on the network. You also identified the destination IP addresses and geolocations with which hosts on the network are communicating. Use the conclusions from your investigation to craft goal-oriented policies that can secure users and your network.
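The same triage run offline over exported log records, as an added example that is not part of the guide or of PAN-OS: the record fields, user names, byte counts and the DEFAULT_PORTS table are constructed to mirror the walk-through, and filter_logs() stands in for an ACC global filter (including the negated form used to check other users over imap).

```python
"""Added example, not PAN-OS code: the triage questions of the walk-through
(who moves the most data, which app runs on a non-default port, which regions
a user reaches) answered over constructed traffic-log records. filter_logs()
plays the role of an ACC global filter, including the negated form."""
from collections import Counter

# Constructed records carrying a subset of traffic-log fields; not real logs.
SAMPLE_LOGS = [
    {"src_user": "marsha.wirth", "app": "rapidshare",   "dst_port": 443,   "bytes": 300_000_000, "dst_country": "CH"},
    {"src_user": "marsha.wirth", "app": "rapidshare",   "dst_port": 443,   "bytes": 350_000_000, "dst_country": "CH"},
    {"src_user": "marsha.wirth", "app": "imap",         "dst_port": 43206, "bytes": 68_000_000,  "dst_country": "KR"},
    {"src_user": "marsha.wirth", "app": "web-browsing", "dst_port": 80,    "bytes": 2_000_000,   "dst_country": "US"},
    {"src_user": "alice",        "app": "web-browsing", "dst_port": 80,    "bytes": 90_000_000,  "dst_country": "US"},
    {"src_user": "bob",          "app": "imap",         "dst_port": 143,   "bytes": 40_000_000,  "dst_country": "US"},
    {"src_user": "carol",        "app": "ssl",          "dst_port": 443,   "bytes": 110_000_000, "dst_country": "DE"},
]

# Hypothetical default-port table for the sampled apps (App-ID's real table is larger).
DEFAULT_PORTS = {"imap": {143, 993}, "web-browsing": {80}, "ssl": {443}, "rapidshare": {80, 443}}


def filter_logs(logs, negate=False, **attrs):
    """Keep records matching every attribute (a global filter); negate=True
    keeps the records that do NOT match, like negating a filter in the ACC."""
    hit = lambda r: all(r.get(k) == v for k, v in attrs.items())
    return [r for r in logs if hit(r) != negate]


def bytes_by_user(logs):
    totals = Counter()
    for r in logs:
        totals[r["src_user"]] += r["bytes"]
    return totals


def outlier_users(logs, ratio=6.0):
    """Users whose byte total is at least `ratio` times the next-highest user."""
    totals = bytes_by_user(logs)
    found = []
    for user, total in totals.items():
        others = [t for u, t in totals.items() if u != user]
        if others and total >= ratio * max(others):
            found.append(user)
    return found


def top_app(logs):
    """Application carrying the most bytes in the given (already filtered) records."""
    by_app = Counter()
    for r in logs:
        by_app[r["app"]] += r["bytes"]
    return by_app.most_common(1)[0][0] if by_app else None


def nonstandard_port_sessions(logs):
    """(user, app, port) for sessions where the app ran off its default port."""
    return [(r["src_user"], r["app"], r["dst_port"]) for r in logs
            if r["app"] in DEFAULT_PORTS and r["dst_port"] not in DEFAULT_PORTS[r["app"]]]


def sessions_by_region(logs):
    return Counter(r["dst_country"] for r in logs)


def triage(logs, ratio=6.0):
    """Pivot on each outlier user the way the walk-through pivots on Marsha."""
    report = {}
    for user in outlier_users(logs, ratio):
        mine = filter_logs(logs, src_user=user)
        report[user] = {
            "top_app": top_app(mine),
            "regions": sessions_by_region(mine),
            "nonstandard_ports": nonstandard_port_sessions(mine),
        }
    return report


if __name__ == "__main__":
    for user, facts in triage(SAMPLE_LOGS).items():
        print(user, facts)
    # Negate the user filter to check whether anyone else used imap off-port.
    others = filter_logs(SAMPLE_LOGS, negate=True, src_user="marsha.wirth")
    print("other users off-port:", nonstandard_port_sessions(others))
```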


App Scope
The App Scope reports provide visibility and analysis tools to help pinpoint problematic behavior, helping you understand changes in application usage and user activity, users and applications that take up most of the network bandwidth, and identify network threats.
With the App Scope reports, you can quickly see if any behavior is unusual or unexpected. Each report provides a dynamic, user-customizable window into the network; hovering the mouse over and clicking either the lines or bars on the charts opens detailed information about the specific application, application category, user, or source on the ACC. The App Scope charts on Monitor > App Scope give you the ability to:

Toggle the attributes in the legend to only view chart details that you want to review. The ability to include or exclude data from the chart allows you to change the scale and review details more closely.
Click into an attribute in a bar chart and drill down to the related sessions in the ACC. Click into an Application name, Application Category, Threat Name, Threat Category, Source IP address or Destination IP address on any bar chart to filter on the attribute and view the related sessions in the ACC.
Export a chart or map to PDF or as an image. For portability and offline viewing, you can Export charts and maps as PDFs or PNG images.

The following App Scope reports are available:

Summary Report
Change Monitor Report
Threat Monitor Report
Threat Map Report
Network Monitor Report
Traffic Map Report


Summary Report
The App Scope Summary report (Monitor > App Scope > Summary) displays charts for the top five gainers, losers, and bandwidth-consuming applications, application categories, users, and sources.


Change Monitor Report
The App Scope Change Monitor report (Monitor > App Scope > Change Monitor) displays changes over a specified time period. For example, the following chart displays the top applications that gained in use over the last hour as compared with the last 24-hour period. The top applications are determined by session count and sorted by percent.

The Change Monitor Report contains the following buttons and options.

Button: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Gainers: Displays measurements of items that have increased over the measured period.
Losers: Displays measurements of items that have decreased over the measured period.
New: Displays measurements of items that were added over the measured period.
Dropped: Displays measurements of items that were discontinued over the measured period.
Filter: Applies a filter to display only the selected item. None displays all entries.
(icon): Determines whether to display session or byte information.
Sort: Determines whether to sort entries by percentage or raw growth.
Export: Exports the graph as a .png image or as a PDF.
Compare: Specifies the period over which the change measurements are taken.

Threat Monitor Report
The App Scope Threat Monitor report (Monitor > App Scope > Threat Monitor) displays a count of the top threats over the selected time period. For example, the following figure shows the top 10 threat types over the last 6 hours.

Each threat type is color-coded as indicated in the legend below the chart. The Threat Monitor report contains the following buttons and options.

Button: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Threats: Determines the type of item measured: Threat, Threat Category, Source, or Destination.
Filter: Applies a filter to display only the selected type of items.
(icon): Determines whether the information is presented in a stacked column chart or a stacked area chart.
Export: Exports the graph as a .png image or as a PDF.
(icon): Specifies the period over which the measurements are taken.

Threat Map Report
The App Scope Threat Map report (Monitor > App Scope > Threat Map) shows a geographical view of threats, including severity. Each threat type is color-coded as indicated in the legend below the chart.
The firewall uses geolocation for creating threat maps. The firewall is placed at the bottom of the threat map screen if you have not specified the geolocation coordinates (Device > Setup > Management, General Settings section) on the firewall.

The Threat Map report contains the following buttons and options.

Button: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming threats: Displays incoming threats.
Outgoing threats: Displays outgoing threats.
Filter: Applies a filter to display only the selected type of items.
Zoom In and Zoom Out: Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
(icon): Indicates the period over which the measurements are taken.


Network Monitor Report
The App Scope Network Monitor report (Monitor > App Scope > Network Monitor) displays the bandwidth dedicated to different network functions over the specified period of time. Each network function is color-coded as indicated in the legend below the chart. For example, the image below shows application bandwidth for the past 7 days based on session information.

The Network Monitor report contains the following buttons and options.

Button: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Filter: Applies a filter to display only the selected item. None displays all entries.
(icon): Determines whether to display session or byte information.
Export: Exports the graph as a .png image or as a PDF.
(icon): Determines whether the information is presented in a stacked column chart or a stacked area chart.
(icon): Indicates the period over which the change measurements are taken.


Traffic Map Report
The App Scope Traffic Map report (Monitor > App Scope > Traffic Map) shows a geographical view of traffic flows according to sessions or flows.
The firewall uses geolocation for creating traffic maps. The firewall is placed at the bottom of the traffic map screen if you have not specified the geolocation coordinates (Device > Setup > Management, General Settings section) on the firewall.

Each traffic type is color-coded as indicated in the legend below the chart. The Traffic Map report contains the following buttons and options.

Buttons: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming threats: Displays incoming threats.
Outgoing threats: Displays outgoing threats.
(icon): Determines whether to display session or byte information.
Zoom In and Zoom Out: Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
(icon): Indicates the period over which the change measurements are taken.


Use the Automated Correlation Engine
The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on your network. The engine correlates a series of related threat events that, when combined, indicate a likely compromised host on your network or some other higher-level conclusion. It pinpoints areas of risk, such as compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns and when a match occurs, it generates a correlated event.
The automated correlation engine is supported on the following platforms:

Panorama M-Series appliance and the virtual appliance
PA-7000 Series firewall
PA-5000 Series firewall
PA-3000 Series firewall

Automated Correlation Engine Concepts
View the Correlated Objects
Interpret Correlated Events
Use the Compromised Hosts Widget in the ACC

Automated Correlation Engine Concepts
The automated correlation engine uses correlation objects to analyze the logs for patterns and when a match occurs, it generates a correlated event.

Correlation Object
Correlated Events

Correlation Object
A correlation object is a definition file that specifies patterns to match against, the data sources to use for the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity. When the match conditions are met, a correlated event is logged.
A correlation object can connect isolated network events and look for patterns that indicate a more significant event. These objects identify suspicious traffic patterns and network anomalies, including suspicious IP activity, known command-and-control activity, known vulnerability exploits, or botnet activity that, when correlated, indicate with a high probability that a host on the network has been compromised. Correlation objects are defined and developed by the Palo Alto Networks Threat Research team, and are delivered with the weekly dynamic updates to the firewall and Panorama. To obtain new correlation objects, the firewall must have a Threat Prevention license. Panorama requires a support license to get the updates.


The patterns defined in a correlation object can be static or dynamic. Correlated objects that include patterns observed in WildFire are dynamic, and can correlate malware patterns detected by WildFire with command-and-control activity initiated by a host that was targeted with the malware on your network. For example, when a host submits a file to the WildFire cloud and the verdict is malicious, the correlation object looks for other hosts or clients on the network that exhibit the same behavior seen in the cloud. If the malware sample had performed a DNS query and browsed to a malware domain, the correlation object will parse the logs for a similar event. When the activity on a host matches the analysis in the cloud, a high-severity correlated event is logged.

Correlated Events
A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. To Interpret Correlated Events and to view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.

View the Correlated Objects
View the Correlation Objects Available on the Firewall
Step 1
To view the correlation objects that are currently available, select Monitor > Automated Correlation Engine > Correlation Objects. All the objects in the list are enabled by default.


View the Correlation Objects Available on the Firewall (Continued)
Step 2
View the details on each correlation object. Each object provides the following information:
Name and Title: The name and title indicate the type of activity that the correlation object detects. The name column is hidden from view by default. To view the definition of the object, unhide the column and click the name link.
ID: A unique number that identifies the correlation object; this column is also hidden by default. The IDs are in the 6000 series.
Category: A classification of the kind of threat or harm posed to the network, user, or host. For now, all the objects identify compromised hosts on the network.
State: Indicates whether the correlation object is enabled (active) or disabled (inactive). All the objects in the list are enabled by default, and are hence active. Because these objects are based on threat intelligence data and are defined by the Palo Alto Networks Threat Research team, keep the objects active in order to track and detect malicious activity on your network.
Description: Specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the sequence of conditions that are matched on to identify acceleration or escalation of malicious activity or suspicious host behavior. For example, the Compromise Lifecycle object detects a host involved in a complete attack lifecycle in a three-step escalation that starts with scanning or probing activity, progressing to exploitation, and concluding with network contact to a known malicious domain.

For more information, see Automated Correlation Engine Concepts and Use the Automated Correlation Engine.
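How an object's ordered conditions, threshold and time window turn log records into a correlated event (the Correlation Object concept above and the Compromise Lifecycle three-step escalation just described), as an added toy engine that is not PAN-OS code or a vendor correlation object: the object definition, its ID 6999 and severity, the log field names and the log records are all constructed for the illustration.

```python
"""Added example, not PAN-OS code: a toy correlation engine showing how a
correlation object's ordered conditions, threshold and time window produce a
correlated event with Match Time, Update Time and evidence. The object below
is a hypothetical stand-in for the vendor's Compromise Lifecycle object (its
ID and severity are made up); the log records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Condition:
    """One escalation step: a log source plus a field/value it must carry."""
    source: str     # log queried by the step: "threat", "url", "traffic", ...
    key: str
    value: str

    def matches(self, log):
        return log["source"] == self.source and log.get(self.key) == self.value


@dataclass
class CorrelationObject:
    object_id: int
    name: str
    severity: str
    steps: tuple        # Conditions that must be met in this order
    threshold: int      # complete sequences required inside `window`
    window: timedelta
    enabled: bool = True


@dataclass
class CorrelatedEvent:
    object_name: str
    source_address: str
    severity: str
    match_time: datetime
    update_time: datetime
    evidence: list = field(default_factory=list)


# Hypothetical object mirroring the three-step escalation described above.
COMPROMISE_LIFECYCLE = CorrelationObject(
    object_id=6999, name="Compromise Lifecycle", severity="high",
    steps=(Condition("threat", "category", "scan"),
           Condition("threat", "category", "vulnerability"),
           Condition("url", "category", "malware")),
    threshold=1, window=timedelta(hours=1))


def correlate(obj, logs):
    """Return one CorrelatedEvent per source host whose logs complete
    obj.steps in order obj.threshold times within obj.window."""
    if not obj.enabled:
        return []
    events, state = {}, {}
    for log in sorted(logs, key=lambda r: r["time"]):
        host = log["src"]
        if host in events:
            # Further evidence after the match only refreshes Update Time.
            if any(step.matches(log) for step in obj.steps):
                events[host].evidence.append(log)
                events[host].update_time = log["time"]
            continue
        st = state.setdefault(host, {"idx": 0, "start": None, "partial": [],
                                     "collected": [], "completions": []})
        if st["start"] is not None and log["time"] - st["start"] > obj.window:
            st.update(idx=0, start=None, partial=[])   # window expired: restart
        if not obj.steps[st["idx"]].matches(log):
            continue
        if st["idx"] == 0:
            st["start"] = log["time"]
        st["partial"].append(log)
        st["idx"] += 1
        if st["idx"] < len(obj.steps):
            continue
        # One full escalation sequence observed for this host.
        st["collected"].extend(st["partial"])
        st["completions"].append(log["time"])
        st.update(idx=0, start=None, partial=[])
        recent = [t for t in st["completions"] if log["time"] - t <= obj.window]
        if len(recent) >= obj.threshold:
            events[host] = CorrelatedEvent(obj.name, host, obj.severity,
                                           log["time"], log["time"],
                                           list(st["collected"]))
    return list(events.values())


def _t(hhmm):
    return datetime(2016, 5, 19, int(hhmm[:2]), int(hhmm[2:]))


# Constructed log records (not real firewall logs): 10.1.1.5 walks the full
# lifecycle inside an hour; 10.1.1.9 scans, then contacts a malware domain
# about two hours later, so its sequence falls outside the window.
SAMPLE_LOGS = [
    {"time": _t("0900"), "source": "threat", "src": "10.1.1.5", "category": "scan"},
    {"time": _t("0910"), "source": "threat", "src": "10.1.1.5", "category": "vulnerability"},
    {"time": _t("0920"), "source": "url", "src": "10.1.1.5", "category": "malware"},
    {"time": _t("0930"), "source": "url", "src": "10.1.1.5", "category": "malware"},
    {"time": _t("0905"), "source": "threat", "src": "10.1.1.9", "category": "scan"},
    {"time": _t("1100"), "source": "url", "src": "10.1.1.9", "category": "malware"},
]
```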

Interpret Correlated Events
You can view and analyze the logs generated for each correlated event in the Monitor > Automated Correlation Engine > Correlated Events tab.

Correlated Events includes the following details:

Field: Description
Match Time: The time the correlation object triggered a match.
Update Time: The time when the event was last updated with evidence on the match. As the firewall collects evidence on the pattern or sequence of events defined in a correlation object, the timestamp on the correlated event log is updated.
Object Name: The name of the correlation object that triggered the match.
Source Address: The IP address of the user/device on your network from which the traffic originated.
Source User: The user and user group information from the directory server, if User-ID is enabled.
Severity: A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network and the severity implies the following:
Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity generated by a particular host.
Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs, which suggests a scripted command-and-control activity.
Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational: Detects an event that may be useful in aggregate for identifying suspicious activity, but the event is not necessarily significant on its own.
To configure the firewall or Panorama to send alerts using email, SNMP or syslog messages for a desired severity level, see Use External Services for Monitoring.
Summary: A description that summarizes the evidence gathered on the correlated event.

Click the icon to see the detailed log view, which includes all the evidence on a match:


Tab: Description
Match Information: Object Details presents information on the Correlation Object that triggered the match. Match Details is a summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.
Match Evidence: Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.

Use the Compromised Hosts Widget in the ACC
The compromised hosts widget on ACC > Threat Activity aggregates the Correlated Events and sorts them by severity. It displays the source IP address/user who triggered the event, the correlation object that was matched, and the number of times the object was matched. Use the match count link to jump to the match evidence details.

For more details, see Use the Automated Correlation Engine and Use the Application Command Center.


Take Packet Captures
All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the management interface and network interfaces on the firewall. When taking packet captures on the dataplane, you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.
Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure you turn it off after you have collected the required packets.

Types of Packet Captures
Disable Hardware Offload
Take a Custom Packet Capture
Take a Threat Packet Capture
Take an Application Packet Capture
Take a Packet Capture on the Management Interface

Types of Packet Captures
There are four different types of packet captures you can enable, depending on what you need to do:

Custom Packet Capture: The firewall captures packets for all traffic or for specific traffic based on filters that you define. For example, you can configure the firewall to only capture packets to and from a specific source and destination IP address or port. You then use the packet captures for troubleshooting network-related issues or for gathering application attributes to enable you to write custom application signatures or to request an application signature from Palo Alto Networks. See Take a Custom Packet Capture.
Threat Packet Capture: The firewall captures packets when it detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. A link to view or export the packet captures will appear in the second column of the Threat log. These packet captures provide context around a threat to help you determine if an attack is successful or to learn more about the methods used by an attacker. You can also submit this type of pcap to Palo Alto Networks to have a threat reanalyzed if you feel it's a false positive or false negative. See Take a Threat Packet Capture.
Application Packet Capture: The firewall captures packets based on a specific application and filters that you define. A link to view or export the packet captures will appear in the second column of the Traffic logs for traffic that matches the packet capture rule. See Take an Application Packet Capture.
Management Interface Packet Capture: The firewall captures packets on the management interface (MGT). The packet captures are useful when troubleshooting services that traverse the interface, such as firewall management authentication to external servers (LDAP and RADIUS for example), software and content updates, log forwarding, communication with SNMP servers, and authentication requests for GlobalProtect and Captive Portal. See Take a Packet Capture on the Management Interface.


Disable Hardware Offload
Packet captures on a Palo Alto Networks firewall are performed in the dataplane CPU, unless you configure the firewall to Take a Packet Capture on the Management Interface, in which case the packet capture is performed on the management plane. When a packet capture is performed on the dataplane, during the ingress stage, the firewall performs packet parsing checks and discards any packets that do not match the packet capture filter. Any traffic that is offloaded to the field-programmable gate array (FPGA) offload processor is also excluded, unless you turn off hardware offload. For example, encrypted traffic (SSL/SSH), network protocols (OSPF, BGP, RIP), application overrides, and terminating applications can be offloaded to the FPGA and therefore are excluded from packet captures by default. Some types of sessions will never be offloaded, such as ARP, all non-IP traffic, IPSec, VPN sessions, SYN, FIN, and RST packets.
Hardware offload is supported on the following firewalls: PA-2000 Series, PA-3050, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls.

Disabling hardware offload increases the dataplane CPU usage. If dataplane CPU usage is already high, you may want to schedule a maintenance window before disabling hardware offload.

Enable/Disable Hardware Offload
Step 1
Disable hardware offload by running the following CLI command:
admin@PA-7050> set session offload no

Step 2
After the firewall captures the required traffic, enable hardware offload by running the following CLI command:
admin@PA-7050> set session offload yes


Take a Custom Packet Capture
Custom packet captures allow you to define the traffic that the firewall will capture. To ensure that you capture all traffic, you may need to Disable Hardware Offload.
Take a Custom Packet Capture
Step 1
Before you start a packet capture, identify the attributes of the traffic that you want to capture.
For example, to determine the source IP address, source NAT IP address, and the destination IP address for traffic between two systems, perform a ping from the source system to the destination system. After the ping is complete, go to Monitor > Traffic and locate the traffic log for the two systems. Click the Detailed Log View icon located in the first column of the log and note the source address, source NAT IP, and the destination address.

In the example that follows, we will use a packet capture to troubleshoot a Telnet connectivity issue from a user in the Trust zone to a server in the DMZ zone.


Take a Custom Packet Capture (Continued)
Step 2
Set packet capture filters, so the firewall only captures traffic you are interested in.
Filters will make it easier for you to locate the information you need in the packet capture and will reduce the processing power required by the firewall to take the packet capture. To capture all traffic, do not define filters and leave the filter option off.
For example, if you configured NAT on the firewall, you will need to apply two filters. The first one filters on the pre-NAT source IP address to the destination IP address and the second one filters traffic from the destination server to the source NAT IP address.
1. Select Monitor > Packet Capture.
2. Click Clear All Settings at the bottom of the window to clear any existing capture settings.
3. Click Manage Filters and click Add.
4. Select Id 1 and in the Source field enter the source IP address you are interested in and in the Destination field enter a destination IP address.
For example, enter the source IP address 192.168.2.10 and the destination IP address 10.43.14.55. To further filter the capture, set Non-IP to exclude non-IP traffic, such as broadcast traffic.
5. Add the second filter and select Id 2.
For example, in the Source field enter 10.43.14.55 and in the Destination field enter 10.43.14.25. In the Non-IP drop-down menu select exclude.
6. Click OK.
Step 3
Set Filtering to On.

PaloAltoNetworks,Inc.

PANOS7.1AdministratorsGuide 285

TakePacketCaptures

Monitoring

TakeaCustomPacketCapture(Continued)
Step4

Specifythetrafficstage(s)thattriggerthepacketcaptureandthefilename(s)tousetostorethecaptured
content.Foradefinitionofeachstage,clicktheHelpicononthepacketcapturepage.
Forexample,toconfigureallpacketcapturestagesanddefineafilenameforeachstage,performthefollowing
procedure:
1. AddaStagetothepacketcaptureconfigurationanddefineaFilenamefortheresultingpacketcapture.
Forexample,selectreceiveastheStageandsettheFilenametotelnet-test-received.

2. ContinuetoAdd eachStageyouwanttocapture(receive, firewall,transmit,anddrop)andsetaunique


Filenameforeachstage.

Step5

SetPacket Captureto ON.


NotethewarningthatsystemperformancecanbedegradedandthenclickOK.Ifyoudefinefilters,thepacket
captureshouldhavelittleimpactonperformance,butyoushouldalwaysturnOffpacketcaptureafterthe
firewallcapturesthedatathatyouwanttoanalyze.

Step6

Generatetrafficthatmatchesthefiltersthatyoudefined.
Forthisexample,generatetrafficfromthesourcesystemtotheTelnetenabledserverbyrunningthe
followingcommandfromthesourcesystem(192.168.2.10):
telnet 10.43.14.55

286 PANOS7.1AdministratorsGuide

PaloAltoNetworks,Inc.

Monitoring

TakePacketCaptures

TakeaCustomPacketCapture(Continued)
Step7

TurnpacketcaptureOFFandthenclicktherefreshicontoseethepacketcapturefiles.

Noticethatinthiscase,therewerenodroppedpackets,sothefirewalldidnotcreateafileforthedropstage.
Step8

DownloadthepacketcapturesbyclickingthefilenameintheFileNamecolumn.

Step9

Viewthepacketcapturefilesusinganetworkpacketanalyzer.
Inthisexample,thereceived.pcappacketcaptureshowsafailedTelnetsessionfromthesourcesystemat
192.168.2.10totheTelnetenabledserverat10.43.14.55.ThesourcesystemsenttheTelnetrequesttothe
server,buttheserverdidnotrespond.Inthisexample,theservermaynothaveTelnetenabled,socheckthe
server.

Step10 EnabletheTelnetserviceonthedestinationserver(10.43.14.55)andturnonpacketcapturetotakeanew
packetcapture.
Step11 Generatetrafficthatwilltriggerthepacketcapture.
RuntheTelnetsessionagainfromthesourcesystemtotheTelnetenabledserver
telnet 10.43.14.55

Step12 Downloadandopenthereceived.pcapfileandviewitusinganetworkpacketanalyzer.
ThefollowingpacketcapturenowshowsasuccessfulTelnetsessionfromthehostuserat192.168.2.10to
theTelnetenabledserverat10.43.14.55.NotethatyoualsoseetheNATaddress10.43.14.25.Whenthe
serverresponds,itdoessototheNATaddress.Youcanseethesessionissuccessfulasindicatedbythe
threewayhandshakebetweenthehostandtheserverandthenyouseeTelnetdata.
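To check a downloaded receive-stage capture like the ones in Steps 9 and 12 without a GUI analyzer, here is an added example (not from the guide, not Palo Alto Networks code) in Python: a minimal libpcap reader that classifies whether the client-to-server handshake completed, accounting for the server replying to the source-NAT address. The addresses are the guide's; the sample captures are constructed inline.

```python
"""Check a PAN-OS custom packet capture for a completed TCP three-way handshake.

Added example, not from the PAN-OS guide: a standard-library-only reader for the
classic libpcap format the firewall's custom packet capture produces. The capture
below is constructed inline (no real firewall data); the addresses are the
guide's: client 192.168.2.10, server 10.43.14.55, source-NAT 10.43.14.25.
"""
import ipaddress
import struct

CLIENT, SERVER, NAT_IP, TELNET = "192.168.2.10", "10.43.14.55", "10.43.14.25", 23
SYN, PSH, ACK = 0x02, 0x08, 0x10


def packets(pcap: bytes):
    """Yield (src, dst, sport, dport, tcp_flags) for each IPv4/TCP frame."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("unsupported link type %d" % linktype)
    off = 24  # end of the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # 14-byte Ethernet header; ethertype 0x0800 is IPv4.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:  # IP protocol 6 is TCP
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (str(ipaddress.IPv4Address(ip[12:16])),
               str(ipaddress.IPv4Address(ip[16:20])), sport, dport, tcp[13])


def handshake_status(pcap, client, server, port, nat_ip=None):
    """Classify the client -> server:port attempt in the capture.

    Returns 'no-syn', 'no-response' (SYN sent, nothing back: Step 9's failed
    session), 'half-open' (SYN/ACK seen, no final ACK) or 'complete'. Server
    replies count when sent to the client or, as in Step 12, to the NAT address.
    """
    reply_to = {client, nat_ip} - {None}
    syn = synack = final_ack = False
    for src, dst, sport, dport, flags in packets(pcap):
        to_server = src == client and dst == server and dport == port
        from_server = src == server and sport == port and dst in reply_to
        if to_server and flags & SYN and not flags & ACK:
            syn = True
        elif from_server and flags & SYN and flags & ACK:
            synack = True
        elif to_server and synack and flags & ACK and not flags & SYN:
            final_ack = True
    if not syn:
        return "no-syn"
    if not synack:
        return "no-response"
    return "complete" if final_ack else "half-open"


def tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file, link type Ethernet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed captures. Step 9: the client's SYN (and a retransmit) go unanswered.
# Step 12: full handshake, server replying to the NAT address, then Telnet data.
FAILED_CAPTURE = build_pcap([
    tcp_frame(CLIENT, SERVER, 40001, TELNET, SYN),
    tcp_frame(CLIENT, SERVER, 40001, TELNET, SYN),
])
SUCCESS_CAPTURE = build_pcap([
    tcp_frame(CLIENT, SERVER, 40002, TELNET, SYN),
    tcp_frame(SERVER, NAT_IP, TELNET, 40002, SYN | ACK),
    tcp_frame(CLIENT, SERVER, 40002, TELNET, ACK),
    tcp_frame(CLIENT, SERVER, 40002, TELNET, PSH | ACK),
])

if __name__ == "__main__":
    for name, cap in (("failed", FAILED_CAPTURE), ("success", SUCCESS_CAPTURE)):
        print(name, handshake_status(cap, CLIENT, SERVER, TELNET, NAT_IP))
```

Omitting the NAT address makes the successful capture look like a failed one, because the SYN/ACK is addressed to 10.43.14.25, not to the client.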

Take a Threat Packet Capture
To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.

Take a Threat Packet Capture

Step 1 Enable the packet capture option in the security profile.
Some security profiles allow you to define a single packet capture, or extended capture. If you choose extended capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.
The firewall can only capture packets if the action for a given threat is set to allow or alert.
1. Select Objects > Security Profiles and enable the packet capture option for the supported profiles as follows:
• Antivirus: Select a custom antivirus profile and in the Antivirus tab select the Packet Capture check box.
• Anti-Spyware: Select a custom Anti-Spyware profile, click the DNS Signatures tab and in the Packet Capture drop-down, select single-packet or extended-capture.
• Vulnerability Protection: Select a custom Vulnerability Protection profile and in the Rules tab, click Add to add a new rule, or select an existing rule. Set Packet Capture to single-packet or extended-capture. Note that if the profile has signature exceptions defined, click the Exceptions tab and in the Packet Capture column for a signature, set single-packet or extended-capture.
2. (Optional) If you selected extended-capture for any of the profiles, define the extended packet capture length.
a. Select Device > Setup > Content-ID and edit the Content-ID Settings.
b. In the Extended Packet Capture Length (packets) section, specify the number of packets that the firewall will capture (range is 1-50; default is 5).
c. Click OK.

Step 2 Add the security profile (with packet capture enabled) to a Security Policy rule.
1. Select Policies > Security and select a rule.
2. Select the Actions tab.
3. In the Profile Settings section, select a profile that has packet capture enabled.
For example, click the Antivirus drop-down and select a profile that has packet capture enabled.

Step 3 View/export the packet capture from the Threat logs.
1. Select Monitor > Logs > Threat.
2. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system.

Take an Application Packet Capture
The following topics describe two ways that you can configure the firewall to take application packet captures:
• Take a Packet Capture for Unknown Applications
• Take a Custom Application Packet Capture

Take a Packet Capture for Unknown Applications
Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application that the firewall cannot identify. Typically, the only applications that are classified as unknown traffic (tcp, udp, or non-syn-tcp) are commercially available applications that do not yet have App-ID signatures, are internal or custom applications on your network, or potential threats. You can use these packet captures to gather more context related to the unknown application or use the information to analyze the traffic for potential threats. You can also Manage Custom or Unknown Applications by controlling them through security policy or by writing a custom application signature and creating a security rule based on the custom signature. If the application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an App-ID signature created.

Identify Unknown Applications in Traffic Logs and View Packet Captures

Step 1 Verify that unknown application packet capture is enabled. This option is on by default.
1. To view the unknown application capture setting, run the following CLI command:
admin@PA-200> show running application setting | match Unknown capture
2. If the unknown capture setting option is off, enable it:
admin@PA-200> set application dump-unknown yes

Step 2 Locate unknown applications by filtering the traffic logs.
1. Select Monitor > Logs > Traffic.
2. Click Add Filter and select the filters as shown in the following example.
3. Click Add and Apply Filter.

Step 3 Click the packet capture icon to view the packet capture or Export it to your local system.

Take a Custom Application Packet Capture
You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in Objects > Applications.

Take a Custom Application Packet Capture

Step 1 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 2 Turn on the application packet capture and define filters.
admin@PA-200> set application dump on application <application-name> rule <rule-name>
For example, to capture packets for the facebook-base application that matches the security rule named rule1, run the following CLI command:
admin@PA-200> set application dump on application facebook-base rule rule1
You can also apply other filters, such as source IP address and destination IP address.

Step 3 View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after enabling the packet capture.
In the following output, you see that application filtering is now on based on the facebook-base application for traffic that matches rule1.

Application setting:
  Application cache              : yes
  Supernode                      : yes
  Heuristics                     : yes
  Cache Threshold                : 16
  Bypass when exceeds queue limit: no
  Traceroute appid               : yes
  Traceroute TTL threshold       : 30
  Use cache for appid            : no
  Unknown capture                : on
  Max. unknown sessions          : 5000
  Current unknown sessions       : 0
  Application capture            : on
  Max. application sessions      : 5000
  Current application sessions   : 0
Application filter setting:
  Rule                           : rule1
  From                           : any
  To                             : any
  Source                         : any
  Destination                    : any
  Protocol                       : any
  Source Port                    : any
  Dest. Port                     : any
  Application                    : facebook-base
Current APPID Signature
  Signature Usage                : 21 MB (Max. 32 MB)
  TCP 1 C2S                      : 15503 states
  TCP 1 S2C                      : 5070 states
  TCP 2 C2S                      : 2426 states
  TCP 2 S2C                      : 702 states
  UDP 1 C2S                      : 11379 states
  UDP 1 S2C                      : 2967 states
  UDP 2 C2S                      : 755 states
  UDP 2 S2C                      : 224 states

Step 4 Access Facebook.com from a web browser to generate Facebook traffic and then turn off application packet capture by running the following CLI command:
admin@PA-200> set application dump off

Step 5 View/export the packet capture.
1. Log in to the web interface on the firewall and select Monitor > Logs > Traffic.
2. In the log entry that you are interested in, click the green packet capture icon in the second column.
3. View the packet capture directly or Export it to your computer. The following screen capture shows the facebook-base packet capture.

Take a Packet Capture on the Management Interface
The tcpdump CLI command enables you to capture packets that traverse the management interface (MGT) on a Palo Alto Networks firewall.
Each platform has a default number of bytes that tcpdump captures. The PA-200, PA-500, and PA-2000 Series firewalls capture 68 bytes of data from each packet and anything over that is truncated. The PA-3000, PA-4000, PA-5000 Series, the PA-7000 Series firewalls, and VM-Series firewalls capture 96 bytes of data from each packet. To define the number of packets that tcpdump will capture, use the snaplen (snap length) option (range 0-65535). Setting the snaplen to 0 will cause the firewall to use the maximum length required to capture whole packets.

Take a Management Interface Packet Capture

Step 1 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 2 To start a packet capture on the MGT interface, run the following command:
admin@PA-200> tcpdump filter <filter-option> <IP-address> snaplen length
For example, to capture the traffic that is generated when an administrator authenticates to the firewall using RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
admin@PA-200> tcpdump filter dst 10.5.104.99 snaplen 0
You can also filter on src (source IP address), host, net, and you can exclude content. For example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22), run the following command:
admin@PA-200> tcpdump filter net 10.5.104.0/24 and not port 22 snaplen 0
Each time tcpdump takes a packet capture, it stores the content in a file named mgmt.pcap. This file is overwritten each time you run tcpdump.

Step 3 After the traffic you are interested in has traversed the MGT interface, press Ctrl+C to stop the capture.

Step 4 View the packet capture by running the following command:
admin@PA-200> view-pcap mgmt-pcap mgmt.pcap
The following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89
09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70
09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98

Step 5 (Optional) Export the packet capture from the firewall using SCP (or TFTP). For example, to export the packet capture using SCP, run the following command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to <username@host:path>
For example, to export the pcap to an SCP-enabled server at 10.5.5.20 to a temp folder named temp-SCP, run the following CLI command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to admin@10.5.5.20:c:/temp-SCP
Enter the login name and password for the account on the SCP server to enable the firewall to copy the packet capture to the c:\temp-SCP folder on the SCP-enabled server.

Step 6 You can now view the packet capture files using a network packet analyzer, such as Wireshark.

Monitor Applications and Threats
All Palo Alto Networks next-generation firewalls come equipped with the App-ID technology, which identifies the applications traversing your network, irrespective of protocol, encryption, or evasive tactic. You can then Use the Application Command Center to monitor the applications. The ACC graphically summarizes the data from a variety of log databases to highlight the applications traversing your network, who is using them, and their potential security impact. ACC is dynamically updated, using the continuous traffic classification that App-ID performs; if an application changes ports or behavior, App-ID continues to see the traffic, displaying the results in ACC. Additional visibility into URL categories, threats, and data provides a complete and well-rounded picture of network activity. With ACC, you can very quickly learn more about the traffic traversing the network and then translate that information into a more informed security policy.
You can also Use the Dashboard to monitor the network.
View AutoFocus Threat Data for Logs to check whether logged events on the firewall pose a security risk. The AutoFocus intelligence summary shows the prevalence of properties, activities, or behaviors associated with logs in your network and on a global scale, as well as the WildFire verdict and AutoFocus tags linked to them. With an active AutoFocus subscription, you can use this information to create customized AutoFocus Alerts that track specific threats on your network.

Monitor and Manage Logs
A log is an automatically generated, time-stamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, the firewall generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature or a DoS attack that matches the thresholds configured for a port scan or host sweep activity on the firewall.
• Log Types and Severity Levels
• Work with Logs
• Configure Log Storage Quotas and Expiration Periods
• Schedule Log Exports to an SCP or FTP Server

Log Types and Severity Levels
You can see the following log types in the Monitor > Logs pages.
• Traffic Logs
• Threat Logs
• URL Filtering Logs
• WildFire Submissions Logs
• Data Filtering Logs
• Correlation Logs
• Config Logs
• System Logs
• HIP Match Logs
• Alarms Logs
• Unified Logs

Traffic Logs
Traffic logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones, addresses and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
The Type column indicates whether the entry is for the start or end of the session. The Action column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates the security rule that blocked the traffic specified any application, while a deny indicates the rule identified a specific application. If the firewall drops traffic before identifying the application, such as when a rule drops all traffic for a specific service, the Application column displays not-applicable.
Click the spyglass icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).

Threat Logs
Threat logs display entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, and ports; application name; alarm action (such as allow or block); and severity level.
To see more details on individual Threat log entries:
• Click the spyglass icon beside a threat entry to view details such as whether the entry aggregates multiple threats of the same type between the same source and destination (in which case the Count column value is greater than one).
• If you configured the firewall to Take Packet Captures, click the packet capture icon beside an entry to access the captured packets.

The following table summarizes the Threat severity levels:
Severity       Description
Critical       Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and the exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims and the target does not need to be manipulated into performing any special functions.
High           Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
Medium         Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. In addition, WildFire Submissions log entries with a malware verdict are logged as Medium.
Low            Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged as Low.
Informational  Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist. URL Filtering log entries and WildFire Submissions log entries with a benign verdict are logged as Informational.

URL Filtering Logs
URL Filtering logs display entries for traffic that matches URL Filtering Profiles attached to security rules. For example, the firewall generates a log if a rule blocks access to specific web sites and web site categories or if you configured a rule to generate an alert when a user accesses a web site.

WildFire Submissions Logs
The firewall forwards samples (files and email links) to the WildFire cloud for analysis based on WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). The firewall generates WildFire Submissions log entries for each sample it forwards after WildFire completes static and dynamic analysis of the sample. WildFire Submissions log entries include the WildFire verdict for the submitted sample.
The following table summarizes the WildFire verdicts:
Severity       Description
Benign         Indicates that the entry received a WildFire analysis verdict of benign. Files categorized as benign are safe and do not exhibit malicious behavior.
Grayware       Indicates that the entry received a WildFire analysis verdict of grayware. Files categorized as grayware do not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware can include adware, spyware, and Browser Helper Objects (BHOs).
Malicious      Indicates that the entry received a WildFire analysis verdict of malicious. Samples categorized as malicious can pose a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For samples that are identified as malware, the WildFire cloud generates and distributes a signature to prevent against future exposure.

Data Filtering Logs
Data Filtering logs display entries for the security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects. See Set Up Data Filtering for information on defining Data Filtering profiles.
This log type also shows information for File Blocking Profiles. For example, if a rule blocks .exe files, the log shows the blocked files.

Correlation Logs
The firewall logs a correlated event when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network. To Interpret Correlated Events and view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
The following table summarizes the Correlation log severity levels:
Severity       Description
Critical       Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High           Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host.
Medium         Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs that suggest a scripted command-and-control activity.
Low            Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational  Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own.

Config Logs
Config logs display entries for changes to the firewall configuration. Each entry includes the date and time, the administrator username, the IP address from where the administrator made the change, the type of client (Web, CLI, or Panorama), the type of command executed, the command status (succeeded or failed), the configuration path, and the values before and after the change.

System Logs
System logs display entries for each system event on the firewall. Each entry includes the date and time, event severity, and event description. The following table summarizes the System log severity levels. For a partial list of System log messages and their corresponding severity levels, refer to System Log Events.
Severity       Description
Critical       Hardware failures, including high availability (HA) failover and link failures.
High           Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.
Medium         Mid-level notifications, such as antivirus package upgrades.
Low            Minor severity notifications, such as user password changes.
Informational  Login/logoff, administrator name or password change, any configuration change, and all other events not covered by the other severity levels.

HIP Match Logs
The GlobalProtect Host Information Profile (HIP) feature enables you to collect information about the security status of the end devices accessing your network (such as whether they have disk encryption enabled). The firewall can allow or deny access to a specific host based on adherence to the HIP-based security rules you define. HIP Match logs display traffic flows that match a HIP Object or HIP Profile that you configured for the rules.

Alarms Logs
An alarm is a firewall-generated message indicating that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type. To enable alarms and configure alarm thresholds, select Device > Log Settings and edit the Alarm Settings.
When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After you Close the dialog, you can reopen it anytime by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select the alarm in the Unacknowledged Alarms list and Acknowledge the alarm.

Unified Logs
Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs displayed in a single view. Unified log view enables you to investigate and filter the latest entries from different log types in one place, instead of searching through each log type separately. Click Effective Queries in the filter area to select which log types will display entries in Unified log view.
The Unified log view displays only entries from logs that you have permission to see. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. Administrative Roles define these permissions.
When you Set Up Remote Search in AutoFocus to perform a targeted search on the firewall, the search results are displayed in Unified log view.

Work with Logs
• View Logs
• Filter Logs
• Export Logs
• View AutoFocus Threat Data for Logs

View Logs
You can view the different log types on the firewall in a tabular format. The firewall locally stores all log files and automatically generates Configuration and System logs by default. To learn more about the security rules that trigger the creation of entries for the other types of logs, see Log Types and Severity Levels.
To configure the firewall to forward logs as syslog messages, email notifications, or Simple Network Management Protocol (SNMP) traps, Use External Services for Monitoring.

View Logs

Step 1 Select a log type to view.
1. Select Monitor > Logs.
2. Select a log type from the list.
The firewall displays only the logs you have permission to see. For example, if your administrative account does not have permission to view WildFire Submissions logs, the firewall does not display that log type when you access the logs pages. Administrative Roles define the permissions.

Step 2 (Optional) Customize the log column display.
1. Click the arrow to the right of any column header, and select Columns.
2. Select columns to display from the list. The log updates automatically to match your selections.

Step 3 View additional details about log entries.
Click the spyglass icon for a specific log entry. The Detailed Log View has more information about the source and destination of the session, as well as a list of sessions related to the log entry.
(Threat log only) Click the packet capture icon next to an entry to access local packet captures of the threat. To enable local packet captures, see Take Packet Captures.

Next Steps...
• Filter Logs.
• Export Logs.
• View AutoFocus Threat Data for Logs.
• Configure Log Storage Quotas and Expiration Periods.

Filter Logs
Each log has a filter area that allows you to set criteria for which log entries to display. The ability to filter logs is useful for focusing on events on your firewall that possess particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.

Filter Logs

Step 1 (Unified log only) Select the log types to include in the Unified log display.
1. Click Effective Queries.
2. Select one or more log types from the list (traffic, threat, url, data, and wildfire).
3. Click OK. The Unified log updates to show only entries from the log types you have selected.

Step 2 Add a filter to the filter field.
Click one or more artifacts (such as the application type associated with traffic and the IP address of an attacker) in a log entry. For example, click the Source 10.0.0.25 and Application web-browsing of a log entry to display only entries that contain both artifacts in the log (AND search).
To specify artifacts to add to the filter field, click Add Filter.
To add a previously saved filter, click Load Filter.
If the value of the artifact matches the operator (such as has or in), enclose the value in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a value to specify INDIA, enter the filter as ( dstloc eq "IN" ).

Step 3 Apply the filter to the log.
Click Apply Filter. The log will refresh to display only log entries that match the current filter.

Step 4 (Optional) Save frequently used filters.
1. Click Save Filter.
2. Enter a Name for the filter.
3. Click OK. You can view your saved filters by clicking Load Filter.

Next Steps...
• View Logs.
• Export Logs.
• View AutoFocus Threat Data for Logs.

Export Logs
You can export the contents of a log type to a comma-separated value (CSV) formatted report. By default, the report contains up to 2,000 rows of log entries.

Export Logs

Step 1 Set the number of rows to display in the report.
1. Select Device > Setup > Management, then edit the Logging and Reporting Settings.
2. Click the Log Export and Reporting tab.
3. Edit the number of Max Rows in CSV Export (up to 100,000 rows).
4. Click OK.

Step 2 Download the log.
1. Click Export to CSV. A progress bar showing the status of the download appears.
2. When the download is complete, click Download file to save a copy of the log to your local folder. For descriptions of the column headers in a downloaded log, refer to Syslog Field Descriptions.

Next Step...
• Schedule Log Exports to an SCP or FTP Server.

View AutoFocus Threat Data for Logs
Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs include AutoFocus threat intelligence data to provide context for the following artifacts found in the log entries:
• IP address
• URL
• User agent
• Threat name
• Filename
• SHA256 hash
You can also open an AutoFocus search for log artifacts.

View AutoFocus Threat Data for Logs

Step 1 Connect the firewall to AutoFocus to Enable AutoFocus Threat Intelligence.
Enable AutoFocus in Panorama to view AutoFocus threat data for all Panorama log entries, including those from firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier release versions (Panorama > Setup > Management > AutoFocus).

Step 2 Select a log type to view.
1. Select Monitor > Logs.
2. Select one of the following log types: Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, or Unified.

Step 3 Open the AutoFocus Intelligence Summary for an artifact.
1. Click the drop-down for an IP address, URL, user agent, threat name, filename, or SHA256 hash in any log entry.
2. Click AutoFocus.

Step 4 Review the logs and statistics in the AutoFocus Intelligence Summary to assess the pervasiveness and risk of the artifact:
• View recent passive DNS history for IP address, domain, and URL artifacts.
• Review the matching tags for the artifact. AutoFocus Tags indicate whether an artifact is linked to malware or targeted attacks. Create AutoFocus Alerts for tags issued by Unit 42, the Palo Alto Networks threat research team. Alerts for Unit 42 tags help you detect advanced security threats and campaigns as they occur on your network.
• View the number of sessions logged in your firewall(s) where samples associated with the artifact were detected.
• Compare the WildFire verdicts (benign, malware, grayware) for global and private samples that contain the artifact. Global refers to samples from all WildFire submissions, while private refers to only samples submitted to WildFire by your organization.
• View the latest private samples with which WildFire found the artifact. Artifacts found with the samples include SHA256 hash, the file type, the date that the sample was first analyzed by WildFire, the WildFire verdict for the sample, and the date that the WildFire verdict was updated (if applicable).

Step 5 Add artifacts from the firewall to an AutoFocus Search.
Click the link for the log artifact. The AutoFocus search editor opens in a new browser tab, with the log artifact added as a search condition.
Click any linked artifact in the tables or charts to add it as a search condition to an AutoFocus search.

Next Step...
• Learn more about AutoFocus Search.

ConfigureLogStorageQuotasandExpirationPeriods
Thefirewallautomaticallydeleteslogsthatexceedtheexpirationperiod.Whenthefirewallreachesthe
storagequotaforalogtype,itautomaticallydeletesolderlogsofthattypetocreatespaceevenifyoudont
setanexpirationperiod.
Ifyouwanttomanuallydeletelogs,selectDevice > Log Settingsand,intheManageLogs
section,clickthelinkstoclearlogsbytype.

ConfigureLogStorageQuotasandExpirationPeriods
Step1

SelectDevice > Setup > ManagementandedittheLoggingandReportingSettings.

Step2

SelectLog Storage andenteraQuota (%)foreachlogtype.Whenyouchangeapercentagevalue,thedialog


refreshestodisplaythecorrespondingabsolutevalue(QuotaGB/MBcolumn).

Step3

EntertheMax Days(expirationperiod)foreachlogtype(rangeis12,000).Thefieldsareblankbydefault,
whichmeansthelogsneverexpire.
Thefirewallsynchronizesexpirationperiodsacrosshighavailability(HA)pairs.Becauseonlytheactive
HApeergenerateslogs,thepassivepeerhasnologstodeleteunlessfailoveroccursanditstarts
generatinglogs.

Step4

ClickOKandCommit.

Schedule Log Exports to an SCP or FTP Server
You can schedule exports of Traffic, Threat, URL Filtering, Data Filtering, HIP Match, and WildFire Submission logs to a Secure Copy (SCP) server or File Transfer Protocol (FTP) server. Perform this task for each log type you want to export.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the following platforms, they do not support these options: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).

Schedule Log Exports to an SCP or FTP Server
Step 1
Select Device > Scheduled Log Export and click Add.
Step 2
Enter a Name for the scheduled log export and Enable it.
Step 3
Select the Log Type to export.
Step 4
Select the daily Scheduled Export Start Time. The options are in 15-minute increments for a 24-hour clock (00:00 to 23:59).
Step 5
Select the Protocol to export the logs: SCP (secure) or FTP. FTP sends the credentials and the log data in cleartext, so prefer SCP unless the FTP server is reachable only over a network you trust.
Step 6
Enter the Hostname or IP address of the server.
Step 7
Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.
Step 8
Enter the Path or directory in which to save the exported logs.
Step 9
Enter the Username and, if necessary, the Password (and Confirm Password) to access the server.
Step 10
(FTP only) Select the Enable FTP Passive Mode check box if you want to use FTP passive mode, in which the firewall initiates a data connection with the FTP server. By default, the firewall uses FTP active mode, in which the FTP server initiates a data connection with the firewall. Choose the mode based on what your FTP server supports and on your network requirements.
Step 11
(SCP only) Click Test SCP server connection. The connection is not established until the firewall accepts the host key for the SCP server. Compare the presented host key fingerprint with the one the server administrator gives you through another channel before you accept it; accepting an unverified key would let a spoofed server receive your logs.
Step 12
Click OK and Commit.

Manage Reporting
The reporting capabilities on the firewall allow you to keep a pulse on your network, validate your policies, and focus your efforts on maintaining network security for keeping your users safe and productive.

Report Types
View Reports
Configure the Report Expiration Period
Disable Predefined Reports
Generate Custom Reports
Generate Botnet Reports
Generate the SaaS Application Usage Report
Manage PDF Summary Reports
Generate User/Group Activity Reports
Manage Report Groups
Schedule Reports for Email Delivery

Report Types
The firewall includes predefined reports that you can use as is, or you can build custom reports that meet your needs for specific data and actionable tasks, or you can combine predefined and custom reports to compile the information you need. The firewall provides the following types of reports:

Predefined Reports: Allow you to view a quick summary of the traffic on your network. A suite of predefined reports is available in four categories: Applications, Traffic, Threat, and URL Filtering. See View Reports.
User or Group Activity Reports: Allow you to schedule or create an on-demand report on the application use and URL activity for a specific user or for a user group. The report includes the URL categories and an estimated browse time calculation for individual users. See Generate User/Group Activity Reports.
Custom Reports: Create and schedule custom reports that show exactly the information you want to see by filtering on conditions and columns to include. You can also include query builders for more specific drill-down on report data. See Generate Custom Reports.
PDF Summary Reports: Aggregate up to 18 predefined or custom reports/graphs from Threat, Application, Trend, Traffic, and URL Filtering categories into one PDF document. See Manage PDF Summary Reports.
Botnet Reports: Allow you to use behavior-based mechanisms to identify potential botnet-infected hosts in the network. See Generate Botnet Reports.
Report Groups: Combine custom and predefined reports into report groups and compile a single PDF that is emailed to one or more recipients. See Manage Report Groups.

Reports can be generated on demand, on a recurring schedule, and can be scheduled for email delivery.

View Reports
The firewall provides an assortment of over 40 predefined reports that it generates every day. You can view these reports directly on the firewall. You can also view custom reports and summary reports.
About 200 MB of storage is allocated for saving reports on the firewall. You can't configure this limit but you can Configure the Report Expiration Period: the firewall will automatically delete reports that exceed the period. Keep in mind that when the firewall reaches its storage limit, it automatically deletes older reports to create space even if you don't set an expiration period. Another way to conserve system resources on the firewall is to Disable Predefined Reports. For long-term retention of reports, you can export the reports (as described below) or Schedule Reports for Email Delivery.
Unlike other reports, you can't save User/Group Activity reports on the firewall. You must Generate User/Group Activity Reports on demand or schedule them for email delivery.

View Reports
Step 1
Select Monitor > Reports.
The reports are grouped into sections (types) on the right-hand side of the page: Custom Reports, Application Reports, Traffic Reports, Threat Reports, URL Filtering Reports, and PDF Summary Reports.
Step 2
Select a report to view. The reports page then displays the report for the previous day.
To view reports for other days, select a date in the calendar at the bottom right of the page and select a report. If you select a report in another section, the date selection resets to the current date.
Step 3
To view a report offline, you can export the report to PDF, CSV or XML format. Click Export to PDF, Export to CSV, or Export to XML at the bottom of the page, then print or save the file.

Configure the Report Expiration Period
When you set the Report Expiration Period, it applies to all Report Types. The firewall automatically deletes reports that exceed the period.

Configure Report Expiration Periods
Step 1
Select Device > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export and Reporting tab.
Step 2
Enter the Report Expiration Period in days (range is 1 to 2,000; default is no expiration).
You can't change the storage that the firewall allocates for saving reports: it is predefined at about 200 MB. When the firewall reaches the storage maximum, it automatically deletes older reports to create space even if you don't set a Report Expiration Period.
Step 3
Click OK and Commit.

Disable Predefined Reports
The firewall includes about 40 predefined reports that it automatically generates daily. If you do not use some or all of these, you can disable selected reports to conserve system resources on the firewall.
Make sure that no report group or PDF summary report includes the predefined reports you will disable. Otherwise, the firewall will render the PDF summary report or report group without any data.

Disable Predefined Reports
Step 1
Select Device > Setup > Management and edit the Logging and Reporting Settings.
Step 2
Select the Pre-Defined Reports tab and clear the check box for each report you want to disable. To disable all predefined reports, click Deselect All.
Step 3
Click OK and Commit.

Generate Custom Reports
In order to create purposeful custom reports, you must consider the attributes or key pieces of information that you want to retrieve and analyze. This consideration guides you in making the following selections in a custom report:

Selection: Data Source
Description: The data file that is used to generate the report. The firewall offers two types of data sources: Summary databases and Detailed logs.
Summary databases are available for traffic, threat, and application statistics. The firewall aggregates the detailed logs on traffic, application, and threat at 15-minute intervals. The data is condensed (duplicate sessions are grouped together and incremented with a repeat counter, and some attributes (or columns) are not included in the summary) to allow faster response time when generating reports.
Detailed logs are itemized and are a complete listing of all the attributes (or columns) that pertain to the log entry. Reports based on detailed logs take much longer to run and are not recommended unless absolutely necessary.

Selection: Attributes
Description: The columns that you want to use as the match criteria. The attributes are the columns that are available for selection in a report. From the list of Available Columns, you can add the selection criteria for matching data and for aggregating the details (the Selected Columns).

Selection: Sort By / Group By
Description: The Sort By and the Group By criteria allow you to organize/segment the data in the report; the sorting and grouping attributes available vary based on the selected data source.
The Sort By option specifies the attribute that is used for aggregation. If you do not select an attribute to sort by, the report will return the first N number of results without any aggregation.
The Group By option allows you to select an attribute and use it as an anchor for grouping data; all the data in the report is then presented in a set of top 5, 10, 25 or 50 groups. For example, when you select Hour as the Group By selection and want the top 25 groups for a 24-hour time period, the results of the report will be generated on an hourly basis over a 24-hour period. The first column in the report will be the hour and the next set of columns will be the rest of your selected report columns.
The following example illustrates how the Selected Columns and Sort By/Group By criteria work together when generating reports:
[Figure: custom report settings with the Selected Columns, Sort By, and Group By fields highlighted]
The columns circled in red (above) depict the columns selected, which are the attributes that you match against for generating the report. Each log entry from the data source is parsed and these columns are matched on. If multiple sessions have the same values for the selected columns, the sessions are aggregated and the repeat count (or sessions) is incremented.
The column circled in blue indicates the chosen sort order. When the sort order (Sort By) is specified, the data is sorted (and aggregated) by the selected attribute.
The column circled in green indicates the Group By selection, which serves as an anchor for the report. The Group By column is used as a match criterion to filter for the top N groups. Then, for each of the top N groups, the report enumerates the values for all the other selected columns.
For example, if a report has the following selections:
[Figure: report settings: Last 7 Days, Group By Day with 5 Groups, Sort By Sessions Top 5, columns App Category, App Subcategory, and Risk]
The output will display as follows:
[Figure: report output grouped by day]
The report is anchored by Day and sorted by Sessions. It lists the 5 days (5 Groups) with maximum traffic in the Last 7 Days time frame. The data is enumerated by the Top 5 sessions for each day for the selected columns App Category, App Subcategory and Risk.

Selection: Time Period
Description: The date range for which you want to analyze data. You can define a custom range or select a time period ranging from the last 15 minutes to the last 30 days. The reports can be run on demand or scheduled to run at a daily or weekly cadence.

Selection: Query Builder
Description: The query builder allows you to define specific queries to further refine the selected attributes. It allows you to see just what you want in your report using and/or operators and match criteria, and then include or exclude data that matches or negates the query in the report. Queries enable you to generate a more focused collation of information in a report.

Generate Custom Reports
Step 1
Select Monitor > Manage Custom Reports.
Step 2
Click Add and then enter a Name for the report.
To base a report on a predefined template, click Load Template and choose the template. You can then edit the template and save it as a custom report.
Step 3
Select the Database to use for the report.
Each time you create a custom report, a log view report is automatically created. This report shows the logs that were used to build the custom report. The log view report uses the same name as the custom report, but appends the phrase (Log View) to the report name.
When creating a report group, you can include the log view report with the custom report. For more information, see Manage Report Groups.
Step 4
Select the Scheduled check box to run the report each night. The report is then available for viewing in the Reports column on the side.
Step 5
Define the filtering criteria. Select the Time Frame, the Sort By order, Group By preference, and select the columns that must display in the report.
Step 6
(Optional) Select the Query Builder attributes if you want to further refine the selection criteria. To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
Connector: Choose the connector (and/or) to precede the expression you are adding.
Negate: Select the check box to interpret the query as a negation. If, for example, you choose to match entries in the last 24 hours and/or are originating from the untrust zone, the negate option causes a match on entries that are not in the past 24 hours and/or are not from the untrust zone.
Attribute: Choose a data element. The available options depend on the choice of database.
Operator: Choose the criterion to determine whether the attribute applies (such as =). The available options depend on the choice of database.
Value: Specify the attribute value to match.
For example, the following figure (based on the Traffic Log database) shows a query that matches if the Traffic log entry was received in the past 24 hours and is from the untrust zone.
[Figure: query builder with the two conditions described above]
Step 7
To test the report settings, select Run Now. Modify the settings as required to change the information that is displayed in the report.
Step 8
Click OK to save the custom report.

Examples of Custom Reports
If you want to set up a simple report in which you use the traffic summary database from the last 30 days, and sort the data by the top 10 sessions and these sessions are grouped into 5 groups by day of the week, you would set up the custom report to look like this:
[Figure: custom report settings for the example]
And the PDF output for the report would look as follows:
[Figure: PDF output for the example]
Now, if you want to use the query builder to generate a custom report that represents the top consumers of network resources within a user group, you would set up the report to look like this:
[Figure: custom report settings with a query on the user group]
The report would display the top users in the product management user group sorted by bytes.
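The following Python script is an added worked example, not Palo Alto Networks code, that models the report semantics described in this section over a handful of constructed traffic-summary rows: rows with identical values in the Selected Columns are aggregated and their session count incremented, Sort By ranks the aggregated rows, Group By anchors the output on the top N groups, and query-builder terms (connector, negate, attribute, operator, value) pre-filter the rows. It reproduces both example reports above: the per-day grouping sorted by Sessions, and the top users in the product-management group sorted by bytes. The column names, the left-to-right evaluation of and/or terms, and the ranking of groups by their total of the Sort By attribute are assumptions about the firewall's behavior, not documented facts.

```python
"""Toy model of PAN-OS custom-report semantics (added example, not firewall code).

Selected Columns -> rows with identical values are aggregated into one row whose
                    session count is incremented (bytes are summed as well)
Sort By          -> the attribute used to rank aggregated rows
Group By         -> the anchor column; output is limited to the top N groups
Query Builder    -> (connector, negate, attribute, operator, value) terms
Sample rows are constructed; column names are assumptions.
"""
from collections import defaultdict

SAMPLE_LOGS = [
    # Constructed traffic-summary rows (one session each before aggregation).
    {"day": "Mon", "srcuser": "alice", "srcgroup": "product-management",
     "app_category": "collaboration", "app_subcategory": "file-sharing",
     "risk": 4, "sessions": 1, "bytes": 4000},
    {"day": "Mon", "srcuser": "alice", "srcgroup": "product-management",
     "app_category": "collaboration", "app_subcategory": "file-sharing",
     "risk": 4, "sessions": 1, "bytes": 2000},
    {"day": "Mon", "srcuser": "bob", "srcgroup": "product-management",
     "app_category": "media", "app_subcategory": "audio-streaming",
     "risk": 2, "sessions": 1, "bytes": 9000},
    {"day": "Tue", "srcuser": "carol", "srcgroup": "engineering",
     "app_category": "collaboration", "app_subcategory": "email",
     "risk": 3, "sessions": 1, "bytes": 500},
    {"day": "Tue", "srcuser": "bob", "srcgroup": "product-management",
     "app_category": "media", "app_subcategory": "audio-streaming",
     "risk": 2, "sessions": 1, "bytes": 1000},
    {"day": "Wed", "srcuser": "dave", "srcgroup": "engineering",
     "app_category": "networking", "app_subcategory": "remote-access",
     "risk": 5, "sessions": 1, "bytes": 300},
]

# Operators the example supports; "in" accepts a single value or a collection.
OPERATORS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "in": lambda a, b: a in b if isinstance(b, (set, frozenset, list, tuple)) else a == b,
    ">=": lambda a, b: a >= b,
}


def match_query(terms, row):
    """Evaluate query-builder terms against one row.

    Each term is (connector, negate, attribute, operator, value). Terms are
    combined left to right (assumption; the page does not state precedence) and
    the first term's connector is ignored. An empty query matches everything.
    """
    result = None
    for connector, negate, attr, op, value in terms:
        hit = OPERATORS[op](row.get(attr), value)
        if negate:
            hit = not hit
        if result is None:
            result = hit
        elif connector == "and":
            result = result and hit
        elif connector == "or":
            result = result or hit
        else:
            raise ValueError("connector must be 'and' or 'or'")
    return True if result is None else result


def aggregate(rows, columns):
    """Collapse rows with identical values in `columns`, summing sessions and bytes."""
    buckets = {}
    for row in rows:
        key = tuple(row[c] for c in columns)
        agg = buckets.setdefault(key, dict(zip(columns, key), sessions=0, bytes=0))
        agg["sessions"] += row["sessions"]
        agg["bytes"] += row["bytes"]
    return list(buckets.values())


def build_report(rows, columns, sort_by, group_by=None, groups=5, top_n=10, query=()):
    """Return {group_value: [top_n rows]} for the top `groups` anchor values,
    or {None: [top_n rows]} when no Group By is set."""
    rows = [r for r in rows if match_query(query, r)]
    keys = list(columns)
    if group_by and group_by not in keys:
        keys.append(group_by)
    aggregated = aggregate(rows, keys)
    if group_by is None:
        aggregated.sort(key=lambda r: r[sort_by], reverse=True)
        return {None: aggregated[:top_n]}
    per_group = defaultdict(list)
    for r in aggregated:
        per_group[r[group_by]].append(r)
    # Anchor groups are ranked by their total of the Sort By attribute (assumption).
    ranked = sorted(per_group,
                    key=lambda g: sum(r[sort_by] for r in per_group[g]),
                    reverse=True)[:groups]
    return {g: sorted(per_group[g], key=lambda r: r[sort_by], reverse=True)[:top_n]
            for g in ranked}


def report_by_day():
    """First example from the page: anchored by Day, sorted by Sessions, top 5 per day."""
    return build_report(SAMPLE_LOGS, ["app_category", "app_subcategory", "risk"],
                        sort_by="sessions", group_by="day", groups=5, top_n=5)


def report_top_users(group="product-management"):
    """Second example from the page: top users within one user group, sorted by bytes."""
    query = [("and", False, "srcgroup", "=", group)]
    return build_report(SAMPLE_LOGS, ["srcuser"], sort_by="bytes", top_n=10, query=query)


if __name__ == "__main__":
    for day, rows in report_by_day().items():
        print(day, [(r["app_subcategory"], r["sessions"]) for r in rows])
    print([(r["srcuser"], r["bytes"]) for r in report_top_users()[None]])
```

Running the script prints Mon, Tue and Wed in order of total sessions, with alice's two file-sharing rows collapsed into a single row with sessions 2, and then bob and alice ranked by bytes for the product-management group. Swapping the Negate flag in a term to True inverts that term alone, which is the semantics Step 6 describes for the negate option.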

Generate Botnet Reports
The botnet report enables you to use heuristic and behavior-based mechanisms to identify potential malware- or botnet-infected hosts in your network. To evaluate botnet activity and infected hosts, the firewall correlates user and network activity data in Threat, URL, and Data Filtering logs with the list of malware URLs in PAN-DB, known dynamic DNS domain providers, and domains registered within the last 30 days. You can configure the report to identify hosts that visited those sites, as well as hosts that communicated with Internet Relay Chat (IRC) servers or that used unknown applications. Malware often uses dynamic DNS to avoid IP blacklisting, and IRC is a common command-and-control channel for bots.
The firewall requires Threat Prevention and URL Filtering licenses to use the botnet report.
You can Use the Automated Correlation Engine to monitor suspicious activities based on additional indicators besides those that the botnet report uses. However, the botnet report is the only tool that uses newly registered domains as an indicator.

Configure a Botnet Report
Interpret Botnet Report Output

Configure a Botnet Report
You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet reports every 24 hours because behavior-based detection requires correlating traffic across multiple logs over that time frame.

Configure a Botnet Report
Step 1
Define the types of traffic that indicate possible botnet activity.
1. Select Monitor > Botnet and click Configuration on the right side of the page.
2. Enable and define the Count for each type of HTTP Traffic that the report will include.
   The Count values represent the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report will display a lower confidence score or (for certain traffic types) won't display an entry for the host. For example, if you set the Count to three for Malware URL visit, then hosts that visit three or more known malware URLs will have higher scores than hosts that visit fewer than three. For details, see Interpret Botnet Report Output.
3. Define the thresholds that determine whether the report will include hosts associated with traffic involving Unknown TCP or Unknown UDP applications.
4. Select the IRC check box to include traffic involving IRC servers.
5. Click OK to save the report configuration.
Step 2
Schedule the report or run it on demand.
1. Click Report Setting on the right side of the page.
2. Select a time interval for the report in the Test Run Time Frame drop-down.
3. Select the No. of Rows to include in the report.
4. (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones.
   For example, if you know in advance that traffic initiated from the IP address 10.3.3.15 contains no potential botnet activity, you can add not (addr.src in 10.3.3.15) as a query to exclude that host from the report output. Keep such exclusions narrow and review them periodically: an excluded host that is later compromised will never appear in the report. For details, see Interpret Botnet Report Output.
5. Select Scheduled to run the report daily or click Run Now to run the report immediately.
6. Click OK and Commit.

Interpret Botnet Report Output
The botnet report displays a line for each host that is associated with traffic you defined as suspicious when configuring the report. For each host, the report displays a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. The scores correspond to threat severity levels: 1 is informational, 2 is low, 3 is medium, 4 is high, and 5 is critical. The firewall bases the scores on:

Traffic type: Certain HTTP traffic types are more likely to involve botnet activity. For example, the report assigns a higher confidence to hosts that visit known malware URLs than to hosts that browse to IP domains instead of URLs, assuming you defined both those activities as suspicious.
Number of events: Hosts that are associated with a higher number of suspicious events will have higher confidence scores based on the thresholds (Count values) you define when you Configure a Botnet Report.
Executable downloads: The report assigns a higher confidence to hosts that download executable files. Executable files are a part of many infections and, when combined with the other types of suspicious traffic, can help you prioritize your investigations of compromised hosts.

When reviewing the report output, you might find that the sources the firewall uses to evaluate botnet activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find that these sources identify traffic that you consider safe. To compensate in both cases, you can add query filters when you Configure a Botnet Report.
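The following Python script is an added illustration, not the firewall's scoring algorithm, of how the three factors above combine: per-host event counts are compared with the configured Count thresholds, an executable download raises the confidence, the result is mapped onto the 1 to 5 severity scale, and hosts matched by an exclusion such as not (addr.src in 10.3.3.15) are dropped from the output. The per-type weights, the half credit given to counts below the threshold, and the event type names are assumptions; the log records are constructed.

```python
"""Illustrative scoring model for the botnet report heuristics (added example,
not the firewall's algorithm). Per-host event counts are compared against the
configured Count thresholds, executable downloads raise confidence, the score
is mapped to the 1-5 severity scale, and hosts matched by an exclusion such as
not (addr.src in 10.3.3.15) are dropped. Weights and the half-credit rule for
counts below the threshold are assumptions; sample records are constructed."""
import ipaddress
from collections import Counter, defaultdict

SAMPLE_EVENTS = [
    # Constructed records: (source host, event type, detail).
    ("10.1.1.10", "malware-url", "http://bad.example/payload"),
    ("10.1.1.10", "malware-url", "http://bad.example/c2"),
    ("10.1.1.10", "malware-url", "http://evil.example/x"),
    ("10.1.1.10", "exe-download", "dropper.exe"),
    ("10.1.1.20", "ip-domain", "http://203.0.113.7/"),
    ("10.1.1.20", "dynamic-dns", "http://host.dyndns.example/"),
    ("10.1.1.30", "irc", "irc.example:6667"),
    ("10.3.3.15", "malware-url", "http://bad.example/payload"),
    ("10.3.3.15", "malware-url", "http://bad.example/c2"),
    ("10.3.3.15", "malware-url", "http://bad.example/c3"),
]

# Count thresholds as you would set them under Monitor > Botnet > Configuration
# (the values here are chosen for the example).
THRESHOLDS = {"malware-url": 3, "dynamic-dns": 3, "newly-registered": 2,
              "ip-domain": 5, "irc": 1, "unknown-tcp": 10, "unknown-udp": 10}
# Assumed confidence contributed by each traffic type once its threshold is met.
WEIGHTS = {"malware-url": 4, "dynamic-dns": 3, "newly-registered": 3,
           "irc": 2, "ip-domain": 2, "unknown-tcp": 1, "unknown-udp": 1}
SEVERITY = {1: "informational", 2: "low", 3: "medium", 4: "high", 5: "critical"}


def excluded(src, exclusions):
    """True when src falls inside any excluded address or CIDR block
    (the equivalent of a 'not (addr.src in ...)' query term)."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in exclusions)


def score_hosts(events, thresholds=THRESHOLDS, weights=WEIGHTS, exclusions=()):
    """Return {host: {"confidence", "severity", "events"}} sorted by confidence, highest first."""
    counts = defaultdict(Counter)
    for src, kind, _detail in events:
        if not excluded(src, exclusions):
            counts[src][kind] += 1
    report = {}
    for src, kinds in counts.items():
        score = 0
        for kind, n in kinds.items():
            if kind == "exe-download":
                continue  # handled as a modifier below
            weight = weights.get(kind, 0)
            # At or above the configured Count the full weight applies; below it
            # only half (assumption), so the host is listed with lower confidence.
            score = max(score, weight if n >= thresholds.get(kind, 1) else weight // 2)
        if score == 0:
            continue  # nothing suspicious enough to list this host
        if kinds.get("exe-download"):
            score += 1  # executable downloads raise confidence
        score = max(1, min(5, score))
        report[src] = {"confidence": score, "severity": SEVERITY[score],
                       "events": dict(kinds)}
    return dict(sorted(report.items(), key=lambda kv: kv[1]["confidence"], reverse=True))


if __name__ == "__main__":
    for host, entry in score_hosts(SAMPLE_EVENTS, exclusions=["10.3.3.15"]).items():
        print(host, entry["confidence"], entry["severity"], entry["events"])
```

With the exclusion in place, 10.1.1.10 (three malware URL visits plus an executable download) is reported as critical, the IRC host as low, and the host with a single IP-domain visit and a single dynamic-DNS lookup, both below their Counts, only as informational; 10.3.3.15 is absent even though its activity would otherwise score high, which is exactly the blind spot the note about exclusions warns about.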

Generate the SaaS Application Usage Report
The SaaS Application Usage PDF report is a two-part report that is based on the notion of sanctioned and unsanctioned applications. A sanctioned application is an application that you formally approve for use on your network; a SaaS application is an application that has the characteristic SaaS=yes in the application details page in Objects > Applications, and all other applications are considered non-SaaS. To indicate that you have sanctioned a SaaS or non-SaaS application, you must tag it with the new predefined tag named Sanctioned. The firewall and Panorama consider any application without this predefined tag as unsanctioned for use on the network.

The first part of the report (8 pages) focuses on the SaaS applications used on your network during the reporting period. It presents a comparison of sanctioned versus unsanctioned SaaS applications by total number of applications used on your network, bandwidth consumed by these applications, and the number of users using these applications. This first part of the report also highlights the top SaaS application subcategories listed in order by maximum number of applications used, the number of users, and the amount of data (bytes) transferred in each application subcategory.
The second part of the report focuses on the detailed browsing information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. For each application in a subcategory, it also includes information about the top users who transferred data, the top blocked or alerted file types, and the top threats for each application. In addition, this section of the report tallies samples for each application that the firewall submitted for WildFire analysis, and the number of samples determined to be benign and malicious.

Use the insights from this report to consolidate the list of business-critical and approved SaaS applications and to enforce policies for controlling unsanctioned applications that pose an unnecessary risk for malware propagation and data leaks.
The predefined SaaS application usage report introduced in PAN-OS 7.0 is still available as a daily report that lists the top 100 SaaS applications (with the SaaS application characteristic, SaaS=yes) running on your network on a given day.

Generate the SaaS Application Usage Report
Step 1
Tag applications that you approve for use on your network as Sanctioned.
The accuracy of the report depends on whether you have tagged an application as Sanctioned. You can tag both SaaS and non-SaaS applications as Sanctioned; the detailed browsing section of the SaaS Application Usage report displays whether the application is SaaS and whether it is sanctioned.
1. Select Objects > Applications.
2. Click the application Name to edit an application and select Edit in the Tag section.
3. Select Sanctioned from the Tags drop-down.
   You must use the predefined Sanctioned tag (with the azure-colored background). If you use any other tag to indicate that you sanctioned an application, the firewall will fail to recognize the tag and the report will be inaccurate.
4. Click OK and Close to exit all open dialogs.
Step 2
Configure the SaaS Application Usage report.
1. Select Monitor > PDF Reports > SaaS Application Usage.
2. Click Add, enter a Name, and select a Time Period for the report (default is Last 7 Days).
   By default, the report includes detailed information on the top SaaS and non-SaaS application subcategories, which can make the report large by page count and file size. Clear the Include detailed application category information in report check box if you want to reduce the file size and restrict the page count to eight pages.
3. To generate the report on demand, click Run Now. Make sure that the pop-up blocker is disabled on your browser because the report opens in a new tab.
4. Click OK to save your changes.
Step 3
Schedule Reports for Email Delivery.
On the PA-200, PA-500, and PA-2000 Series firewalls, the SaaS Application Usage report is not sent as a PDF attachment in the email. Instead, the email includes a link that you must click to open the report in a web browser.

Manage PDF Summary Reports
PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each category (instead of top 50). They also contain trend charts that are not available in other reports.

Generate PDF Summary Reports
Step 1
Set up a PDF Summary Report.
1. Select Monitor > PDF Reports > Manage PDF Summary.
2. Click Add and then enter a Name for the report.
3. Use the drop-down for each report group and select one or more of the elements to design the PDF Summary Report. You can include a maximum of 18 report elements.
   To remove an element from the report, click the x icon or clear the selection from the drop-down for the appropriate report group.
   To rearrange the reports, drag and drop the element icons to another area of the report.
4. Click OK to save the report.
5. Commit the changes.
Step 2
View the report.
To download and view the PDF Summary Report, see View Reports.


Generate User/Group Activity Reports
User/Group Activity reports summarize the web activity of individual users or user groups. Both reports include the same information except for the Browsing Summary by URL Category and Browse time calculations, which only the User Activity report includes.
You must configure User-ID on the firewall to access the list of users and user groups.

Generate User/Group Activity Reports
Step 1
Configure the browse times and number of logs for User/Group Activity reports. Required only if you want to change the default values.
1. Select Device > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export and Reporting tab.
2. For the Max Rows in User Activity Report, enter the maximum number of rows that the detailed user activity report supports (range is 1 to 1,048,576; default is 5,000). This determines the number of logs that the report analyzes.
3. Enter the Average Browse Time in seconds that you estimate users should take to browse a web page (range is 0 to 300; default is 60). Any request made after the average browse time elapses is considered a new browsing activity. The calculation uses Container Pages (logged in the URL Filtering logs) as the basis and ignores any new web pages that are loaded between the time of the first request (start time) and the average browse time. For example, if you set the Average Browse Time to two minutes and a user opens a web page and views that page for five minutes, the browse time for that page will still be two minutes. This is done because the firewall can't determine how long a user views a given page. The average browse time calculation ignores sites categorized as web advertisements and content delivery networks.
4. For the Page Load Threshold, enter the estimated time in seconds for page elements to load on the page (default is 20). Any requests that occur between the first page load and the page load threshold are assumed to be elements of the page. Any requests that occur outside of the page load threshold are assumed to be the user clicking a link within the page.
5. Click OK to save your changes.
Step 2
Generate the User/Group Activity report.
1. Select Monitor > PDF Reports > User Activity Report.
2. Click Add and then enter a Name for the report.
3. Create the report:
   User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user.
   Group Activity Report: Select Group and select the Group Name of the user group.
4. Select the Time Period for the report.
5. Optionally, select the Include Detailed Browsing check box (default is cleared) to include detailed URL logs in the report. The detailed browsing information can include a large volume of logs (thousands of logs) for the selected user or user group and can make the report very large.
6. To run the report on demand, click Run Now.
7. To save the report configuration, click OK. You can't save the output of User/Group Activity reports on the firewall. To schedule the report for email delivery, see Schedule Reports for Email Delivery.
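The following Python script is an added approximation, not the firewall's implementation, of the browse-time estimate that the two settings in Step 1 control: requests within the Page Load Threshold of a page's first request are treated as elements of that page, a later request starts a new container page, each page is credited at most the Average Browse Time, and requests in the web-advertisements and content-delivery-networks categories are ignored. The rule that a page is credited the smaller of the gap to the next page and the Average Browse Time is an assumption the page does not state; the URL Filtering log entries are constructed.

```python
"""Approximation of the User Activity report's browse-time estimate (added
example, not firewall code). Page Load Threshold: requests within it are page
elements, not new pages. Average Browse Time: the most time credited to any one
page; a later request starts a new browsing activity. Requests categorized as
web-advertisements or content-delivery-networks are ignored. The crediting rule
(min(gap to next page, average browse time)) is an assumption; the sample URL
log entries are constructed."""
from collections import defaultdict

IGNORED_CATEGORIES = {"web-advertisements", "content-delivery-networks"}

# Constructed URL Filtering log entries: (seconds since start, user, url, category).
SAMPLE_URL_LOGS = [
    (0,   "alice", "http://news.example/",           "news"),
    (2,   "alice", "http://cdn.example/app.js",      "content-delivery-networks"),
    (5,   "alice", "http://news.example/style.css",  "news"),
    (15,  "alice", "http://ads.example/banner",      "web-advertisements"),
    (45,  "alice", "http://news.example/story/42",   "news"),
    (400, "alice", "http://mail.example/inbox",      "web-based-email"),
    (401, "alice", "http://mail.example/inbox/list", "web-based-email"),
    (30,  "bob",   "http://shop.example/",           "shopping"),
]


def container_pages(entries, page_load_threshold=20, ignored=IGNORED_CATEGORIES):
    """Collapse one user's (ts, url, category) requests into container pages.

    A request within page_load_threshold seconds of the current page's first
    request is a page element; anything later is a new page (a click).
    """
    pages = []
    current_start = None
    for ts, url, category in sorted(entries):
        if category in ignored:
            continue
        if current_start is None or ts - current_start > page_load_threshold:
            pages.append({"start": ts, "url": url, "category": category})
            current_start = ts
    return pages


def browse_times(logs, average_browse_time=60, page_load_threshold=20):
    """Return {user: {category: seconds}} (the Browsing Summary by URL Category).

    Each page is credited min(gap to the next page, average_browse_time); the
    last page of a user gets average_browse_time because nothing follows it.
    """
    per_user = defaultdict(list)
    for ts, user, url, category in logs:
        per_user[user].append((ts, url, category))
    summary = {}
    for user, entries in per_user.items():
        pages = container_pages(entries, page_load_threshold)
        totals = defaultdict(int)
        for i, page in enumerate(pages):
            if i + 1 < len(pages):
                credited = min(pages[i + 1]["start"] - page["start"], average_browse_time)
            else:
                credited = average_browse_time
            totals[page["category"]] += credited
        summary[user] = dict(totals)
    return summary


if __name__ == "__main__":
    for user, categories in browse_times(SAMPLE_URL_LOGS).items():
        print(user, categories)
```

With the defaults, alice's three news requests collapse into two container pages (the style sheet at 5 s is an element; the story at 45 s is a click), the CDN and advertising requests never count, and the 355-second gap before the mail page is capped at 60 s, giving news 105 s and web-based-email 60 s. Raising the Average Browse Time to 120 s raises the capped page to 120 s, the behavior the "two minutes" example in Step 1 describes.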

Manage Report Groups
Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included.

Set up Report Groups
Step 1
Set up report groups. You must set up a Report Group to email report(s).
1. Create an Email server profile.
2. Define the Report Group. A report group can compile predefined reports, PDF Summary reports, custom reports, and Log View reports into a single PDF.
   a. Select Monitor > Report Group.
   b. Click Add and then enter a Name for the report group.
   c. (Optional) Select Title Page and add a Title for the PDF output.
   d. Select reports from the left column and click Add to move each report to the report group on the right.
      The Log View report is a report type that is automatically created each time you create a custom report and uses the same name as the custom report. This report will show the logs that were used to build the contents of the custom report.
      To include the log view data, when creating a report group, add your custom report under the Custom Reports list and then add the log view report by selecting the matching report name from the Log View list. The report will include the custom report data and the log data that was used to create the custom report.
   e. Click OK to save the settings.
   f. To use the report group, see Schedule Reports for Email Delivery.

Schedule Reports for Email Delivery
Reports can be scheduled for daily delivery or delivered weekly on a specified day. Scheduled reports are executed starting at 2:00 AM, and email delivery starts after all scheduled reports have been generated.

Schedule Reports for Email Delivery
Step 1
Select Monitor > PDF Reports > Email Scheduler and click Add.
Step 2
Enter a Name to identify the schedule.
Step 3
Select the Report Group for email delivery. To set up a report group, see Manage Report Groups.
Step 4
For the Email Profile, select an Email server profile to use for delivering the reports, or click the Email Profile link to Create an Email server profile.
Step 5
Select the frequency at which to generate and send the report in Recurrence.
Step 6
The Override Email Addresses field allows you to send this report exclusively to the specified recipients. When you add recipients to the field, the firewall does not send the report to the recipients configured in the Email server profile. Use this option for those occasions when the report is for the attention of someone other than the administrators or recipients defined in the Email server profile.
Step 7
Click OK and Commit.

Use External Services for Monitoring
Using an external service to monitor the firewall enables you to receive alerts for important events, archive monitored information on systems with dedicated long-term storage, and integrate with third-party security monitoring tools. The following are some common scenarios for using external services:
For immediate notification about important system events or threats, you can Monitor Statistics Using SNMP, Forward Traps to an SNMP Manager, or Configure Email Alerts.
For long-term log storage and centralized firewall monitoring, you can Configure Syslog Monitoring to send log data to a syslog server. This enables integration with third-party security monitoring tools such as Splunk or ArcSight.
For monitoring statistics on the IP traffic that traverses firewall interfaces, you can Configure NetFlow Exports to view the statistics in a NetFlow collector.
You can Configure Log Forwarding from the firewalls directly to external services or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.
You can't aggregate NetFlow records on Panorama; you must send them directly from the firewalls to a NetFlow collector.

Configure Log Forwarding
To use Panorama or Use External Services for Monitoring the firewall, you must configure the firewall to forward its logs. Before forwarding to external services, the firewall automatically converts the logs to the necessary format: syslog messages, SNMP traps, or email notifications. Before starting this procedure, ensure that Panorama or the external server that will receive the log data is already set up.
The PA-7000 Series firewall can't forward logs to Panorama, only to external services. However, when you use Panorama to monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the PA-7000 Series firewall in real time to display its log data.
You can forward logs from the firewalls directly to external services or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the PA-7000 Series firewall, it does not support these options. You can also use the web interface on all platforms to Schedule Log Exports to an SCP or FTP Server, but only on a per-log-type basis, not the entire log database.

ConfigureLogForwarding
Step1

Configureaserverprofileforeach
CreateanEmailserverprofile.
externalservicethatwillreceivelog
ConfigureanSNMPTrapserverprofile.ToenabletheSNMP
data.
manager(trapserver)tointerpretfirewalltraps,youmustload
thePaloAltoNetworksSupportedMIBsintotheSNMPmanager
Youcanuseseparateprofilesto
and,ifnecessary,compilethem.Fordetails,refertoyourSNMP
sendeachlogtypetoadifferent
managementsoftwaredocumentation.
server.Toincreaseavailability,
definemultipleserversinasingle ConfigureaSyslogserverprofile.Ifthesyslogserverrequires
profile.
clientauthentication,youmustalsoCreateacertificatetosecure
syslogcommunicationoverSSL.

Step2

Createalogforwardingprofile.
1.
Theprofiledefinesthedestinationsfor 2.
Traffic,Threat,andWildFireSubmission
logs.(ThreatlogsincludeURLFiltering
andDataFilteringlogs.)

3.

324 PANOS7.1AdministratorsGuide

SelectObjects > Log Forwarding andclickAdd.


EnteraNametoidentifytheprofile.Ifyouwantthefirewallto
automaticallyassigntheprofiletonewsecurityrulesand
zones,enterdefault.Ifyoudontwantadefaultprofile,or
youwanttooverrideanexistingdefaultprofile,enteraName
thatwillhelpyouidentifytheprofilewhenassigningitto
securityrulesandzones.
Ifnologforwardingprofilenameddefaultexists,the
profileselectionissettoNonebydefaultinnew
securityrules(Log Forwardingfield)andnewsecurity
zones(Log Settingfield),althoughyoucanchangethe
selection.
Performthefollowingstepsforeachlogtypeandeach
severitylevelorWildFireverdict:
a. SelectthePanoramacheckboxifyouwanttoaggregate
firewalllogsonPanorama.(Youcanthenconfigure
Panoramatoforwardthelogstoexternalservices.)
b. SelecttheSNMP Trap,Email,orSyslogserverprofileyou
configuredforthislogtype,andclickOK.

PaloAltoNetworks,Inc.

Configure Log Forwarding (Continued)

Step 3  Assign the log forwarding profile to security rules.
        To trigger log generation and forwarding, the rules require certain Security Profiles according to log type:
        - Traffic logs: No security profile is necessary; the traffic only needs to match a specific security rule.
        - Threat logs: The traffic must match any security profile assigned to a security rule.
        - WildFire logs: The traffic must match a WildFire Analysis profile assigned to a security rule.

        Perform the following steps for each rule that will trigger log forwarding:
        1. Select Policies > Security and click the rule.
        2. Select the Actions tab and select the Log Forwarding profile you just created.
        3. In the Profile Type drop-down, select Profiles or Group, and then select the security profiles or Group Profile required to trigger log generation and forwarding.
        4. For Traffic logs, select one or both of the Log At Session Start and Log At Session End check boxes, and click OK.

Step 4  Configure the destinations for System, Config, HIP Match, and Correlation logs.
        1. Select Device > Log Settings.
        2. Perform the following steps for each log type. For System and Correlation logs, start by clicking the Severity level. For Config and HIP Match logs, start by editing the section.
           a. Select the Panorama check box if you want to aggregate System, Config, and HIP Match logs on Panorama. Optionally, you can then configure Panorama to forward the logs to the external services.
              Panorama generates Correlation logs based on the firewall logs it receives, rather than aggregating Correlation logs from firewalls.
           b. Select the SNMP Trap, Email, or Syslog server profile you configured for this log type and click OK.

Step 5  (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.
        1. Select Network > Interfaces > Ethernet and click Add Interface.
        2. Select the Slot and Interface Name.
        3. For the Interface Type, select Log Card.
        4. Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
        5. Select Advanced and specify the Link Speed, Link Duplex, and Link State.
           These fields default to auto, which specifies that the firewall automatically determines the values based on the connection. However, the minimum recommended Link Speed for any connection is 1000 (Mbps).
        6. Click OK to save your changes.

Configure Log Forwarding (Continued)

Step 6  Commit and verify your changes.
        1. Click Commit to complete the log forwarding configuration.
        2. Verify the log destinations you configured are receiving firewall logs:
           - Panorama: If the firewall forwards logs to an M-Series appliance, you must configure a Collector Group before Panorama will receive the logs. You can then verify log forwarding.
           - Email server: Verify that the specified recipients are receiving logs as email notifications.
           - Syslog server: Refer to the documentation for your syslog server to verify it is receiving logs as syslog messages.
           - SNMP manager: Use an SNMP Manager to Explore MIBs and Objects to verify it is receiving logs as SNMP traps.

Configure Email Alerts

You can configure email alerts for System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs.

Configure Email Alerts

Step 1  Create an Email server profile.
        You can use separate profiles to send email notifications for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.

        1. Select Device > Server Profiles > Email.
        2. Click Add and then enter a Name for the profile.
        3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
        4. For each Simple Mail Transport Protocol (SMTP) server (email server), click Add and define the following information:
           - Name: Name to identify the SMTP server (1-31 characters). This field is just a label and doesn't have to be the hostname of an existing email server.
           - Email Display Name: The name to show in the From field of the email.
           - From: The email address from which the firewall sends emails.
           - To: The email address to which the firewall sends emails.
           - Additional Recipient: If you want to send emails to a second account, enter the address here. You can add only one additional recipient. For multiple recipients, add the email address of a distribution list.
           - Email Gateway: The IP address or hostname of the SMTP gateway to use for sending emails.
        5. (Optional) Select the Custom Log Format tab and customize the format of the email messages. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
        6. Click OK to save the Email server profile.

Step 2  Configure email alerts for Traffic, Threat, and WildFire Submission logs.
        1. Create a log forwarding profile.
           a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
           b. For each log type and each severity level or WildFire verdict, select the Email server profile and click OK.
        2. Assign the log forwarding profile to security rules.

Step 3  Configure email alerts for System, Config, HIP Match, and Correlation logs.
        1. Select Device > Log Settings.
        2. For System and Correlation logs, click each Severity level, select the Email server profile, and click OK.
        3. For Config and HIP Match logs, edit the section, select the Email server profile, and click OK.
        4. Click Commit.

Use Syslog for Monitoring

Syslog is a standard log transport mechanism that enables the aggregation of log data from different network devices (such as routers, firewalls, and printers from different vendors) into a central repository for archiving, analysis, and reporting. Palo Alto Networks firewalls can forward every type of log they generate to an external syslog server. You can use TCP or SSL for reliable and secure log forwarding, or UDP for non-secure forwarding.

- Configure Syslog Monitoring
- Syslog Field Descriptions

Configure Syslog Monitoring

To Use Syslog for Monitoring a Palo Alto Networks firewall, create a Syslog server profile and assign it to the log settings for each log type. Optionally, you can configure the header format used in syslog messages and enable client authentication for syslog over SSL.

Configure Syslog Monitoring

Step 1  Configure a Syslog server profile.
        You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.

        1. Select Device > Server Profiles > Syslog.
        2. Click Add and enter a Name for the profile.
        3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
        4. For each syslog server, click Add and enter the information that the firewall requires to connect to it:
           - Name: Unique name for the server profile.
           - Syslog Server: IP address or fully qualified domain name (FQDN) of the syslog server.
           - Transport: Select TCP, UDP, or SSL as the method of communication with the syslog server.
           - Port: The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
           - Format: Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL.
           - Facility: Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
        5. (Optional) To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
        6. Click OK to save the server profile.

Configure Syslog Monitoring (Continued)

Step 2  Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.
        1. Create a log forwarding profile.
           a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
           b. For each log type and each severity level or WildFire verdict, select the Syslog server profile and click OK.
        2. Assign the log forwarding profile to security rules.

Step 3  Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.
        1. Select Device > Log Settings.
        2. For System and Correlation logs, click each Severity level, select the Syslog server profile, and click OK.
        3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog server profile, and click OK.

Step 4  (Optional) Configure the header format of syslog messages.
        The log data includes the unique identifier of the firewall that generated the log. Choosing the header format provides more flexibility in filtering and reporting on the log data for some Security Information and Event Management (SIEM) servers.
        This is a global setting and applies to all syslog server profiles configured on the firewall.

        1. Select Device > Setup > Management and edit the Logging and Reporting Settings.
        2. Select the Log Export and Reporting tab and select the Syslog HOSTNAME Format:
           - FQDN (default): Concatenates the hostname and domain name defined on the sending firewall.
           - hostname: Uses the hostname defined on the sending firewall.
           - ipv4-address: Uses the IPv4 address of the firewall interface used to send logs. By default, this is the MGT interface.
           - ipv6-address: Uses the IPv6 address of the firewall interface used to send logs. By default, this is the MGT interface.
           - none: Leaves the hostname field unconfigured on the firewall. There is no identifier for the firewall that sent the logs.
        3. Click OK to save your changes.

Configure Syslog Monitoring (Continued)

Step 5  Create a certificate to secure syslog communication over SSL.
        Required only if the syslog server uses client authentication. The syslog server uses the certificate to verify that the firewall is authorized to communicate with the syslog server.
        Ensure the following conditions are met:
        - The private key must be available on the sending firewall; the keys can't reside on a Hardware Security Module (HSM).
        - The subject and the issuer for the certificate must not be identical.
        - The syslog server and the sending firewall must have certificates that the same trusted certificate authority (CA) signed. Alternatively, you can generate a self-signed certificate on the firewall, export the certificate from the firewall, and import it into the syslog server.

        1. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
        2. Enter a Name for the certificate.
        3. In the Common Name field, enter the IP address of the firewall sending logs to the syslog server.
        4. In Signed by, select the trusted CA or the self-signed CA that the syslog server and the sending firewall both trust.
           The certificate can't be a Certificate Authority nor an External Authority (certificate signing request [CSR]).
        5. Click Generate. The firewall generates the certificate and key pair.
        6. Click the certificate Name to edit it, select the Certificate for Secure Syslog check box, and click OK.

Step 6  Commit your changes and review the logs on the syslog server.
        1. Click Commit.
        2. To review the logs, refer to the documentation of your syslog management software. You can also review the Syslog Field Descriptions.
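The following Python script is an added example, not code from this guide or from PAN-OS. It shows what the choices made in Step 1 (Format and Facility) and Step 4 (Syslog HOSTNAME Format) look like on the receiving side: it parses the BSD (RFC 3164) or IETF (RFC 5424) header of a forwarded message, decodes the PRI field into facility and severity (PRI = facility * 8 + severity, so the default LOG_USER facility with severity informational yields <14>), separates the header from the CSV payload, and classifies the hostname field according to the format options listed above. The sample lines are constructed for the example; the hostnames, addresses and timestamp precision are placeholders, and treating a nil hostname ("-") or a missing BSD hostname as the none setting is an assumption, not something the guide states.

```python
import ipaddress
import re

# Facility (0-23) and severity (0-7) names from the syslog PRI encoding:
# PRI = facility * 8 + severity. PAN-OS defaults to LOG_USER (facility 1).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit "
              "alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# BSD (RFC 3164) header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
BSD_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# IETF (RFC 5424) header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
IETF_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\])(?: (.*))?$", re.S)


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def hostname_format(host):
    """Guess which Syslog HOSTNAME Format setting produced the header's hostname field."""
    if host == "-":                     # RFC 5424 nil value; assumed to be the 'none' setting
        return "none"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "FQDN" if "." in host else "hostname"
    return "ipv4-address" if ip.version == 4 else "ipv6-address"


def parse_syslog(line):
    """Split one forwarded message into its header parts and the PAN-OS CSV payload."""
    m = IETF_RE.match(line)
    if m:
        fmt, stamp, host, msg = "IETF", m.group(2), m.group(3), m.group(8) or ""
    else:
        m = BSD_RE.match(line)
        if not m:
            raise ValueError("not a BSD (RFC 3164) or IETF (RFC 5424) syslog line")
        fmt, stamp, host, msg = "BSD", m.group(2), m.group(3), m.group(4)
        # Assumption: with the 'none' setting a BSD header carries no hostname at all, so
        # the token after the timestamp is already the start of the CSV payload.
        if "," in host:
            host, msg = "-", host + " " + msg
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"format": fmt, "pri": pri, "facility": facility, "severity": severity,
            "timestamp": stamp, "hostname": host, "hostname_format": hostname_format(host),
            "message": msg}


# Constructed samples (not captured from a firewall); the payload is the truncated start
# of a Traffic log, and the hostnames and addresses are placeholders.
PAYLOAD = "1,2016/05/19 10:00:01,001234567890,TRAFFIC,end,0,2016/05/19 10:00:01,192.0.2.10"
BSD_SAMPLE = "<14>May 19 10:00:02 fw-lab-01 " + PAYLOAD
BSD_NONE_SAMPLE = "<14>May 19 10:00:02 " + PAYLOAD
IETF_SAMPLE = "<14>1 2016-05-19T10:00:02.000Z fw-lab-01.example.com - - - - " + PAYLOAD
IETF_IP_SAMPLE = "<134>1 2016-05-19T10:00:02.000Z 192.0.2.1 - - - - " + PAYLOAD
```

Feed each line a receiver hands you to parse_syslog; the returned message is the comma-separated payload that the Syslog Field Descriptions below apply to. Checking the facility and hostname_format of the first messages that arrive after the commit in Step 6 is a quick way to confirm that the profile's Facility and the global HOSTNAME Format are what the SIEM filters expect.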

Syslog Field Descriptions

The following topics list the standard fields of each log type that Palo Alto Networks firewalls can forward to an external server, as well as the severity levels, custom formats, and escape sequences. To facilitate parsing, the delimiter is a comma: each field is a comma-separated value (CSV) string. The FUTURE_USE tag applies to fields that the firewalls do not currently implement.
WildFire Submission logs are a subtype of Threat log and use the same syslog format.

- Traffic Logs
- Threat Logs
- HIP Match Logs
- Config Logs
- System Logs
- Correlated Events (Logs)
- Custom Log/Event Format
- Escape Sequences

Traffic Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source

Field Name: Description

Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the firewall that generated the log
Type (type): Specifies type of log; values are traffic, threat, config, system and hipmatch
Subtype (subtype): Subtype of traffic log; values are start, end, drop, and deny
    - start: session started
    - end: session ended
    - drop: session dropped before the application is identified and there is no rule that allows the session.
    - deny: session dropped after the application is identified and there is a rule to block or no rule that allows the session.
Generated Time (time_generated): Time the log was generated on the dataplane
Source IP (src): Original session source IP address
Destination IP (dst): Original session destination IP address
NAT Source IP (natsrc): If Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst): If Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule): Name of the rule that the session matched
Source User (srcuser): Username of the user who initiated the session
Destination User (dstuser): Username of the user to which the session was destined
Application (app): Application associated with the session
Virtual System (vsys): Virtual System associated with the session
Source Zone (from): Zone the session was sourced from
Destination Zone (to): Zone the session was destined to
Ingress Interface (inbound_if): Interface that the session was sourced from
Egress Interface (outbound_if): Interface that the session was destined to
Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session
Session ID (sessionid): An internal numerical identifier applied to each session
Repeat Count (repeatcnt): Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Source Port (sport): Source port utilized by the session
Destination Port (dport): Destination port utilized by the session
NAT Source Port (natsport): Post-NAT source port
NAT Destination Port (natdport): Post-NAT destination port
Flags (flags): 32-bit field that provides details on session; this field can be decoded by ANDing the values with the logged value:
    - 0x80000000: session has a packet capture (PCAP)
    - 0x02000000: IPv6 session
    - 0x01000000: SSL session was decrypted (SSL Proxy)
    - 0x00800000: session was denied via URL filtering
    - 0x00400000: session has a NAT translation performed (NAT)
    - 0x00200000: user information for the session was captured via the captive portal (Captive Portal)
    - 0x00080000: X-Forwarded-For value from a proxy is in the source user field
    - 0x00040000: log corresponds to a transaction within a http proxy session (Proxy Transaction)
    - 0x00008000: session is a container page access (Container Page)
    - 0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
    - 0x00000800: symmetric return was used to forward traffic for this session
Protocol (proto): IP protocol associated with the session
Action (action): Action taken for the session; possible values are:
    - Allow: session was allowed by policy
    - Deny: session was denied by policy
    - Drop: session was dropped silently
    - Drop ICMP: session was silently dropped with an ICMP unreachable message to the host or application
    - Reset both: session was terminated and a TCP reset is sent to both the sides of the connection
    - Reset client: session was terminated and a TCP reset is sent to the client
    - Reset server: session was terminated and a TCP reset is sent to the server
Bytes (bytes): Number of total bytes (transmit and receive) for the session
Bytes Sent (bytes_sent): Number of bytes in the client-to-server direction of the session. Available on all models except the PA-4000 Series
Bytes Received (bytes_received): Number of bytes in the server-to-client direction of the session. Available on all models except the PA-4000 Series
Packets (packets): Number of total packets (transmit and receive) for the session
Start Time (start): Time of session start
Elapsed Time (elapsed): Elapsed time of the session
Category (category): URL category associated with the session (if applicable)
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama
Source Location (srcloc): Source country or Internal region for private addresses; maximum length is 32 bytes
Destination Location (dstloc): Destination country or Internal region for private addresses. Maximum length is 32 bytes
Packets Sent (pkts_sent): Number of client-to-server packets for the session. Available on all models except the PA-4000 Series
Packets Received (pkts_received): Number of server-to-client packets for the session. Available on all models except the PA-4000 Series
Session End Reason (session_end_reason): The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
    - threat: The firewall detected a threat associated with a reset, drop, or block (IP address) action.
    - policy-deny: The session matched a security rule with a deny or drop action.
    - decrypt-cert-validation: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
    - decrypt-unsupport-param: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
    - decrypt-error: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
    - tcp-rst-from-client: The client sent a TCP reset to the server.
    - tcp-rst-from-server: The server sent a TCP reset to the client.
    - resources-unavailable: The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
    - tcp-fin: One host or both hosts in the connection sent a TCP FIN message to close the session.
    - tcp-reuse: A session is reused and the firewall closes the previous session.
    - decoder: The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
    - aged-out: The session aged out.
    - unknown: This value applies in the following situations:
        - Session terminations that the preceding reasons do not cover (for example, a clear session all command).
        - For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
        - In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.
    - n/a: This value applies when the traffic log type is not end.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
    - CLI command in configure mode: show readonly dg-meta-data
    - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
Action Source (action_source): Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.

Threat Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_id, File digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE

Field Name: Description

Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the firewall that generated the log
Type (type): Specifies type of log; values are traffic, threat, config, system and hipmatch
Subtype (subtype): Subtype of threat log. Values include the following:
    - data: Data pattern matching a Data Filtering profile.
    - file: File type matching a File Blocking profile.
    - flood: Flood detected via a Zone Protection profile.
    - packet: Packet-based attack protection triggered by a Zone Protection profile.
    - scan: Scan detected via a Zone Protection profile.
    - spyware: Spyware detected via an Anti-Spyware profile.
    - url: URL filtering log.
    - virus: Virus detected via an Antivirus profile.
    - vulnerability: Vulnerability exploit detected via a Vulnerability Protection profile.
    - wildfire: A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malicious, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
    - wildfire-virus: Virus detected via an Antivirus profile.
Generated Time (time_generated): Time the log was generated on the dataplane
Source IP (src): Original session source IP address
Destination IP (dst): Original session destination IP address
NAT Source IP (natsrc): If source NAT performed, the post-NAT source IP address
NAT Destination IP (natdst): If destination NAT performed, the post-NAT destination IP address
Rule Name (rule): Name of the rule that the session matched
Source User (srcuser): Username of the user who initiated the session
Destination User (dstuser): Username of the user to which the session was destined
Application (app): Application associated with the session
Virtual System (vsys): Virtual System associated with the session
Source Zone (from): Zone the session was sourced from
Destination Zone (to): Zone the session was destined to
Ingress Interface (inbound_if): Interface that the session was sourced from
Egress Interface (outbound_if): Interface that the session was destined to
Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session
Session ID (sessionid): An internal numerical identifier applied to each session
Repeat Count (repeatcnt): Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Source Port (sport): Source port utilized by the session
Destination Port (dport): Destination port utilized by the session
NAT Source Port (natsport): Post-NAT source port
NAT Destination Port (natdport): Post-NAT destination port
Flags (flags): 32-bit field that provides details on session; this field can be decoded by ANDing the values with the logged value:
    - 0x80000000: session has a packet capture (PCAP)
    - 0x02000000: IPv6 session
    - 0x01000000: SSL session was decrypted (SSL Proxy)
    - 0x00800000: session was denied via URL filtering
    - 0x00400000: session has a NAT translation performed (NAT)
    - 0x00200000: user information for the session was captured via the captive portal (Captive Portal)
    - 0x00080000: X-Forwarded-For value from a proxy is in the source user field
    - 0x00040000: log corresponds to a transaction within a http proxy session (Proxy Transaction)
    - 0x00008000: session is a container page access (Container Page)
    - 0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above
    - 0x00000800: symmetric return was used to forward traffic for this session
Protocol (proto): IP protocol associated with the session
Action (action): Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
    - Alert: threat or URL detected but not blocked
    - Allow: flood detection alert
    - Deny: flood detection mechanism activated and deny traffic based on configuration
    - Drop: threat detected and associated session was dropped
    - Drop all packets: threat detected and session remains, but drops all packets
    - Reset client: threat detected and a TCP RST is sent to the client
    - Reset server: threat detected and a TCP RST is sent to the server
    - Reset both: threat detected and a TCP RST is sent to both the client and the server
    - Block URL: URL request was blocked because it matched a URL category that was set to be blocked
Miscellaneous (misc): Field with variable length with a maximum of 1023 characters
    - The actual URI when the subtype is URL
    - File name or file type when the subtype is file
    - File name when the subtype is virus
    - File name when the subtype is WildFire
Threat ID (threatid): Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes:
    - 8000-8099: scan detection
    - 8500-8599: flood detection
    - 9999: URL filtering log
    - 10000-19999: spyware phone home detection
    - 20000-29999: spyware download detection
    - 30000-44999: vulnerability exploit detection
    - 52000-52999: file type detection
    - 60000-69999: data filtering detection
    - 100000-2999999: virus detection
    - 3000000-3999999: WildFire signature feed
    - 4000000-4999999: DNS Botnet signatures
Category (category): For URL Subtype, it is the URL Category; for WildFire subtype, it is the verdict on the file and is either malicious, grayware, or benign; for other subtypes, the value is any.
Severity (severity): Severity associated with the threat; values are informational, low, medium, high, critical
Direction (direction): Indicates the direction of the attack, client-to-server or server-to-client:
    - 0: direction of the threat is client to server
    - 1: direction of the threat is server to client
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.
Source Location (srcloc): Source country or Internal region for private addresses. Maximum length is 32 bytes.
Destination Location (dstloc): Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Content Type (contenttype): Applicable only when Subtype is URL. Content type of the HTTP response data. Maximum length 32 bytes.
PCAP ID (pcap_id): The packet capture (pcap) ID is a 64-bit unsigned integer denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file.
File Digest (filedigest): Only for WildFire subtype; all other types do not use this field. The file digest string shows the binary hash of the file sent to be analyzed by the WildFire service.
Cloud (cloud): Only for WildFire subtype; all other types do not use this field. The cloud string displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis.
URL Index (url_idx): Used in URL Filtering and WildFire subtypes. When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session.
    For example, to learn the URL of a file that the firewall forwarded to WildFire for analysis, locate the session ID and the url_idx from the WildFire Submissions log and search for the same session ID and url_idx in your URL filtering logs. The log entry that matches the session ID and url_idx will contain the URL of the file that was forwarded to WildFire.
User Agent (user_agent): Only for the URL Filtering subtype; all other types do not use this field. The User Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer. This information is sent in the HTTP request to the server.
File Type (filetype): Only for WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.
X-Forwarded-For (xff): Only for the URL Filtering subtype; all other types do not use this field. The X-Forwarded-For field in the HTTP header contains the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is useful particularly if you have a proxy server on your network that replaces the user IP address with its own address in the source IP address field of the packet header.
Referer (referer): Only for the URL Filtering subtype; all other types do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.
Sender (sender): Only for WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Subject (subject): Only for WildFire subtype; all other types do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Recipient (recipient): Only for WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Report ID (reportid): Only for WildFire subtype; all other types do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
    - CLI command in configure mode: show readonly dg-meta-data
    - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
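The following Python parser is an added example, not code from this guide or from Palo Alto Networks; it serves both the Traffic Logs and the Threat Logs tables above. It takes the CSV payload of a forwarded message (with the syslog header already removed), selects the field list from the Type field, rejects rows whose field count does not match the documented Format line so that a format change cannot silently shift columns, maps each position to the short name the tables give in parentheses, decodes the Flags bitfield with the masks listed in the field description, classifies the numeric Threat ID into its documented range, and performs the session ID / url_idx correlation that the URL Index description explains. The three sample log lines are constructed for the example; the addresses, user name, device name, file digest and WildFire cloud FQDN are placeholders, not values taken from a firewall.

```python
import csv
import re
from io import StringIO

# Field order from the Traffic Logs "Format:" line, keyed by the short names the field
# table gives in parentheses; FUTURE_USE positions are skipped when building the record.
TRAFFIC_FIELDS = (
    "FUTURE_USE receive_time serial type subtype FUTURE_USE time_generated src dst natsrc "
    "natdst rule srcuser dstuser app vsys from to inbound_if outbound_if logset FUTURE_USE "
    "sessionid repeatcnt sport dport natsport natdport flags proto action bytes bytes_sent "
    "bytes_received packets start elapsed category FUTURE_USE seqno actionflags srcloc "
    "dstloc FUTURE_USE pkts_sent pkts_received session_end_reason dg_hier_level_1 "
    "dg_hier_level_2 dg_hier_level_3 dg_hier_level_4 vsys_name device_name action_source"
).split()
# Threat Logs share the first 31 positions (through Action) with Traffic Logs.
THREAT_FIELDS = TRAFFIC_FIELDS[:31] + (
    "misc threatid category severity direction seqno actionflags srcloc dstloc FUTURE_USE "
    "contenttype pcap_id filedigest cloud url_idx user_agent filetype xff referer sender "
    "subject recipient reportid dg_hier_level_1 dg_hier_level_2 dg_hier_level_3 "
    "dg_hier_level_4 vsys_name device_name FUTURE_USE"
).split()
# Flags bit masks and numeric Threat ID ranges, as listed in the field descriptions.
FLAG_BITS = [
    (0x80000000, "pcap"), (0x02000000, "ipv6"), (0x01000000, "ssl-decrypted"),
    (0x00800000, "url-denied"), (0x00400000, "nat"), (0x00200000, "captive-portal"),
    (0x00080000, "x-forwarded-for"), (0x00040000, "proxy-transaction"),
    (0x00008000, "container-page"), (0x00002000, "temporary-rule-match"),
    (0x00000800, "symmetric-return"),
]
THREAT_ID_RANGES = [
    (8000, 8099, "scan detection"), (8500, 8599, "flood detection"),
    (9999, 9999, "URL filtering log"), (10000, 19999, "spyware phone home detection"),
    (20000, 29999, "spyware download detection"),
    (30000, 44999, "vulnerability exploit detection"),
    (52000, 52999, "file type detection"), (60000, 69999, "data filtering detection"),
    (100000, 2999999, "virus detection"), (3000000, 3999999, "WildFire signature feed"),
    (4000000, 4999999, "DNS Botnet signatures"),
]

def decode_flags(value):
    """Return the labels whose mask is set in a Flags value such as '0x1400000'."""
    n = int(value, 16) if value.lower().startswith("0x") else int(value)
    return [label for mask, label in FLAG_BITS if n & mask]

def classify_threat_id(threatid):
    """Map 'Windows Executable (EXE)(52020)' to (52020, 'file type detection')."""
    m = re.search(r"\((\d+)\)\s*$", threatid)
    if not m:
        return None, "no numeric identifier"
    num = int(m.group(1))
    for low, high, desc in THREAT_ID_RANGES:
        if low <= num <= high:
            return num, desc
    return num, "unknown range"

def parse_log(body):
    """Parse one CSV payload (syslog header already stripped) into a dict of named fields."""
    row = next(csv.reader(StringIO(body)))
    logtype = row[3].lower()                 # the Type field selects the field list
    fields = {"traffic": TRAFFIC_FIELDS, "threat": THREAT_FIELDS}.get(logtype)
    if fields is None:
        raise ValueError("unsupported log type: %r" % row[3])
    if len(row) != len(fields):              # catch format drift before mis-mapping fields
        raise ValueError("%s log has %d fields, expected %d" % (logtype, len(row), len(fields)))
    rec = {name: val for name, val in zip(fields, row) if name != "FUTURE_USE"}
    rec["flags_decoded"] = decode_flags(rec["flags"])
    if logtype == "threat":
        rec["threatid_number"], rec["threat_class"] = classify_threat_id(rec["threatid"])
    return rec

def url_for_wildfire(wildfire_rec, threat_recs):
    """Find the URL Filtering entry that shares session ID and url_idx with a WildFire entry."""
    key = (wildfire_rec["sessionid"], wildfire_rec["url_idx"])
    for rec in threat_recs:
        if rec["subtype"] == "url" and (rec["sessionid"], rec["url_idx"]) == key:
            return rec["misc"]               # misc holds the actual URI for subtype url
    return None

# Constructed sample payloads (not captured from a firewall); names, addresses, the file
# digest and the WildFire cloud FQDN are placeholders.
TRAFFIC_SAMPLE = (
    "1,2016/05/19 10:00:01,001234567890,TRAFFIC,end,0,2016/05/19 10:00:01,192.0.2.10,"
    "198.51.100.20,203.0.113.5,198.51.100.20,allow-web,example\\jdoe,,web-browsing,vsys1,"
    "trust,untrust,ethernet1/2,ethernet1/1,default,0,123456,1,51234,443,17890,443,0x1400000,"
    "tcp,allow,12345,5000,7345,30,2016/05/19 09:59:31,30,any,0,987654,0x0,United States,"
    "United States,0,15,15,tcp-fin,12,34,45,0,vsys1,PA-3020-LAB,from-policy")
WILDFIRE_SAMPLE = (
    "1,2016/05/19 10:05:00,001234567890,THREAT,wildfire,0,2016/05/19 10:05:00,192.0.2.10,"
    "198.51.100.20,203.0.113.5,198.51.100.20,allow-web,example\\jdoe,,web-browsing,vsys1,"
    "trust,untrust,ethernet1/2,ethernet1/1,default,0,123456,1,51234,80,17890,80,0x400000,"
    "tcp,allow,invoice.exe,Windows Executable (EXE)(52020),malicious,informational,1,987700,"
    "0x0,United States,United States,0,,0,0123456789abcdef0123456789abcdef,wildfire.example.com,"
    "2,,pe,,,,,,123456789,12,34,45,0,vsys1,PA-3020-LAB,0")
URL_SAMPLE = (
    "1,2016/05/19 10:04:59,001234567890,THREAT,url,0,2016/05/19 10:04:59,192.0.2.10,"
    "198.51.100.20,203.0.113.5,198.51.100.20,allow-web,example\\jdoe,,web-browsing,vsys1,"
    "trust,untrust,ethernet1/2,ethernet1/1,default,0,123456,1,51234,80,17890,80,0x400000,"
    "tcp,alert,files.example.net/downloads/invoice.exe,(9999),unknown,informational,0,987699,"
    "0x0,United States,United States,0,application/octet-stream,0,,,2,Mozilla/5.0,,,,,,,,12,"
    "34,45,0,vsys1,PA-3020-LAB,0")
```

The csv module is used rather than a plain split so that any quoted field is handled the way the CSV convention stated in the Syslog Field Descriptions introduction implies. The strict field-count check is deliberate: the Format lines are release-specific, and a receiver that tolerates a different count will assign values to the wrong names without any error.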

HIP Match Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source User, Virtual System, Machine name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Field Name: Description

Receive Time (receive_time): Time the log was received at the management plane

Serial Number (serial): Serial number of the firewall that generated the log

Type (type): Type of log; values are traffic, threat, config, system and hipmatch

Subtype (subtype): Subtype of HIP match log; unused

Generated Time (time_generated): Time the log was generated on the dataplane

Source User (srcuser): Username of the user who initiated the session

Virtual System (vsys): Virtual System associated with the HIP match log

Machine Name (machinename): Name of the user's machine

OS: The operating system installed on the user's machine or device (or on the client system)

Source Address (src): IP address of the source user

HIP (matchname): Name of the HIP object or profile

Repeat Count (repeatcnt): Number of times the HIP profile matched

HIP Type (matchtype): Whether the hip field represents a HIP object or a HIP profile


Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
    CLI command in configure mode: show readonly dg-meta-data
    API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name): The hostname of the firewall on which the session was logged.

Config Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail, After Change Detail, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Field Name: Description

Receive Time (receive_time): Time the log was received at the management plane

Serial Number (serial): Serial number of the device that generated the log

Type (type): Type of log; values are traffic, threat, config, system and hipmatch

Subtype (subtype): Subtype of configuration log; unused

Generated Time (time_generated): Time the log was generated on the dataplane

Host (host): Hostname or IP address of the client machine

Virtual System (vsys): Virtual System associated with the configuration log

Command (cmd): Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.

Admin (admin): Username of the Administrator performing the configuration

Client (client): Client used by the Administrator; values are Web and CLI


Result (result): Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized

Configuration Path (path): The path of the configuration command issued; up to 512 bytes in length

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.

Before Change Detail (before_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.

After Change Detail (after_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
    CLI command in configure mode: show readonly dg-meta-data
    API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name): The hostname of the firewall on which the session was logged.

System Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Field Name: Description

Receive Time (receive_time): Time the log was received at the management plane

Serial Number (serial): Serial number of the firewall that generated the log

Type (type): Type of log; values are traffic, threat, config, system and hipmatch

Subtype (subtype): Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, globalprotect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn


Generated Time (time_generated): Time the log was generated on the dataplane

Virtual System (vsys): Virtual System associated with the configuration log

Event ID (eventid): String showing the name of the event

Object (object): Name of the object associated with the system event

Module (module): This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, chassis

Severity (severity): Severity associated with the event; values are informational, low, medium, high, critical

Description (opaque): Detailed description of the event, up to a maximum of 512 bytes

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
    CLI command in configure mode: show readonly dg-meta-data
    API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name): The hostname of the firewall on which the session was logged.

Correlated Events (Logs)
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Field Name: Description

Log ID (logid): Time the log was received at the management plane

ID (id): Serial number of the device that generated the log

Match OID (match_oid): Type of log; values are traffic, threat, config, system and hipmatch


Object ID (objectid): Name of the object associated with the system event

Version (version): The version of the Correlation object's content update, as pushed by Palo Alto Networks.

Virtual System (vsys): Virtual System associated with the configuration log

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
    If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
    CLI command in configure mode: show readonly dg-meta-data
    API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Window (window):

Source User (srcuser): Username of the user who initiated the event.

Source (src): IP address of the user who initiated the event.

Last Update Time (last_update_time): The last time the events in the correlated event were updated with more information.

Severity (severity): Severity associated with the event; values are informational, low, medium, high, critical

Match Time (match_time): The time that the event match was recorded.

Object Name (objectname): Name of the correlation object that was matched on

Summary (summary): A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times).

Syslog Severity
The syslog severity is set based on the log type and contents.

Log Type / Severity: Syslog Severity

Traffic: Info
Config: Info
Threat / System Informational: Info
Threat / System Low: Notice
Threat / System Medium: Warning
Threat / System High: Error
Threat / System Critical: Critical


Custom Log/Event Format
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key:Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.
To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.

Escape Sequences
Any field that contains a comma or a double-quote is enclosed in double quotes. Furthermore, if a double-quote appears inside a field it is escaped by preceding it with another double-quote. To maintain backward compatibility, the Misc field in threat log is always enclosed in double quotes.
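The quoting rules above, the default Config and System field order, the Device Group Hierarchy description and the Syslog Severity table together define a parser. The following is an added example (not PAN-OS code and not anything the guide ships): it splits a record with the documented escape rules, names the fields from the default Config and System log format lines, decodes dg_hier_level_1 to dg_hier_level_4 the way the table explains, and applies the Syslog Severity table. It assumes the syslog header (PRI, timestamp, hostname) has already been stripped so the body starts at the first FUTURE_USE field; the two sample records are constructed for this example.

```python
"""Parse PAN-OS 7.1 syslog Config and System log records (added example).

Assumptions: default field order from the Config Logs and System Logs format
lines, syslog header already removed, sample records below constructed.
"""
import csv
from io import StringIO

# Default field order, using the field keys from the tables above.
CONFIG_FIELDS = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype", "FUTURE_USE",
    "time_generated", "host", "vsys", "cmd", "admin", "client", "result", "path",
    "seqno", "actionflags", "before_change_detail", "after_change_detail",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "device_name",
]
SYSTEM_FIELDS = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype", "FUTURE_USE",
    "time_generated", "vsys", "eventid", "object", "FUTURE_USE", "FUTURE_USE",
    "module", "severity", "opaque", "seqno", "actionflags",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "device_name",
]
FIELD_ORDERS = {"config": CONFIG_FIELDS, "system": SYSTEM_FIELDS}

# Syslog Severity table: Threat and System map by severity, Traffic and
# Config are always info.
_THREAT_SYSTEM_SEVERITY = {
    "informational": "info", "low": "notice", "medium": "warning",
    "high": "error", "critical": "critical",
}


def split_fields(body):
    """Split one record with the documented escape rules: a field holding a
    comma or a double quote is wrapped in double quotes and an embedded double
    quote is doubled. That is the csv module's default dialect."""
    rows = list(csv.reader(StringIO(body), delimiter=",", quotechar='"',
                           doublequote=True, strict=True))
    if len(rows) != 1:
        raise ValueError("expected exactly one record")
    return rows[0]


def decode_dg_hierarchy(levels):
    """dg_hier_level_1..4 -> owning device group plus ancestors, nearest
    parent first, so 12,34,45,0 -> 45 with ancestors [34, 12]. Unused
    trailing slots carry 0; level 0 (shared) is never listed."""
    ids = [int(v) for v in levels if v.strip() not in ("", "0")]
    if not ids:
        return None
    return {"device_group": ids[-1], "ancestors": list(reversed(ids[:-1]))}


def syslog_severity(log_type, severity=None):
    """Syslog severity from the table above; None for unlisted log types."""
    log_type = log_type.lower()
    if log_type in ("traffic", "config"):
        return "info"
    if log_type in ("threat", "system") and severity is not None:
        return _THREAT_SYSTEM_SEVERITY.get(severity.lower())
    return None


def parse_record(body):
    """Parse one Config or System log body into a dict keyed by field key."""
    fields = split_fields(body)
    if len(fields) < 4:
        raise ValueError("record too short to carry a Type field")
    log_type = fields[3].lower()
    order = FIELD_ORDERS.get(log_type)
    if order is None:
        raise ValueError(f"no field table for log type {fields[3]!r}")
    if len(fields) != len(order):
        raise ValueError(f"{log_type}: expected {len(order)} fields, got {len(fields)}")
    record = {name: value for name, value in zip(order, fields) if name != "FUTURE_USE"}
    record["dg_hierarchy"] = decode_dg_hierarchy(
        [record[f"dg_hier_level_{i}"] for i in range(1, 5)])
    record["syslog_severity"] = syslog_severity(log_type, record.get("severity"))
    return record


# Constructed samples (not real firewall output). The Config path holds a
# comma, so it is quoted; the System description holds quotes, so they are
# doubled.
CONFIG_SAMPLE = (
    "1,2016/05/19 10:15:32,001606000001,CONFIG,0,0,2016/05/19 10:15:32,"
    "192.0.2.10,vsys1,set,admin,Web,Succeeded,"
    "\"/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
    "/rulebase/security/rules/entry[@name='allow-snmp, mgmt']\","
    "1234,0x0,,,12,34,45,0,vsys1,PA-3020-lab"
)
SYSTEM_SAMPLE = (
    "1,2016/05/19 10:16:01,001606000001,SYSTEM,general,0,2016/05/19 10:16:01,"
    ",general,admin,0,0,general,informational,"
    "\"User \"\"admin\"\" logged in via Web from 192.0.2.10, session established.\","
    "1235,0x0,12,34,45,0,,PA-3020-lab"
)

if __name__ == "__main__":
    for body in (CONFIG_SAMPLE, SYSTEM_SAMPLE):
        rec = parse_record(body)
        print(rec["type"], rec["device_name"], rec["dg_hierarchy"], rec["syslog_severity"])
```

Type values are compared case-insensitively because the tables list them in lowercase. If you configure a Custom Log Format, the field order is whatever you defined there, so CONFIG_FIELDS and SYSTEM_FIELDS must be replaced with that order before the parser is useful.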


SNMP Monitoring and Traps
The following topics describe how Palo Alto Networks firewalls, Panorama, and WF-500 appliances implement Simple Network Management Protocol (SNMP), and the procedures to configure SNMP monitoring and trap delivery.

SNMP Support
Use an SNMP Manager to Explore MIBs and Objects
Enable SNMP Services for Firewall-Secured Network Elements
Monitor Statistics Using SNMP
Forward Traps to an SNMP Manager
Supported MIBs

SNMP Support
You can use a Simple Network Management Protocol (SNMP) manager to monitor event-driven alerts and operational statistics for the firewall, Panorama, or WF-500 appliance and for the traffic they process. The statistics and traps can help you identify resource limitations, system changes or failures, and malware attacks. You configure alerts by forwarding log data as traps, and enable the delivery of statistics in response to GET messages (requests) from your SNMP manager. Each trap and statistic has an object identifier (OID). Related OIDs are organized hierarchically within the Management Information Bases (MIBs) that you load into the SNMP manager to enable monitoring.
When an event triggers SNMP trap generation (for example, an interface goes down), the firewall, Panorama virtual appliance, M-Series appliance, and WF-500 appliance respond by updating the corresponding SNMP object (for example, the interfaces MIB) instead of waiting for the periodic update of all objects that occurs every ten seconds. This ensures that your SNMP manager displays the latest information when polling an object to confirm an event.

The firewall, Panorama, and WF-500 appliance support SNMP Version 2c and Version 3. Decide which to use based on the version that other devices in your network support and on your network security requirements. SNMPv3 is more secure and enables more granular access control for system statistics than SNMPv2c. The following table summarizes the security features of each version. You select the version and configure the security features when you Monitor Statistics Using SNMP and Forward Traps to an SNMP Manager.

SNMP Version: Authentication / Message Privacy / Message Integrity / MIB Access Granularity

SNMPv2c
    Authentication: Community string
    Message Privacy: No (cleartext)
    Message Integrity: No
    MIB Access Granularity: SNMP community access for all MIBs on a device

SNMPv3
    Authentication: EngineID, username, and authentication password (SHA hashing for the password)
    Message Privacy: Privacy password for AES-128 encryption of SNMP messages
    Message Integrity: Yes
    MIB Access Granularity: User access based on views that include or exclude specific OIDs


Figure: SNMP Implementation illustrates a deployment in which firewalls forward traps to an SNMP manager while also forwarding logs to Log Collectors. Alternatively, you could configure the Log Collectors to forward the firewall traps to the SNMP manager. For details on these deployments, refer to Log Forwarding Options. In all deployments, the SNMP manager gets statistics directly from the firewall, Panorama, or WF-500 appliance. In this example, a single SNMP manager collects both traps and statistics, though you can use separate managers for these functions if that better suits your network.
Figure: SNMP Implementation

Use an SNMP Manager to Explore MIBs and Objects
To use SNMP for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must first load the Supported MIBs into your SNMP manager and determine which object identifiers (OIDs) correspond to the system statistics and traps you want to monitor. The following topics provide an overview of how to find OIDs and MIBs in an SNMP manager. For the specific steps to perform these tasks, refer to your SNMP management software.

Identify a MIB Containing a Known OID
Walk a MIB
Identify the OID for a System Statistic or Trap

Identify a MIB Containing a Known OID
If you already know the OID for a particular SNMP object (statistic or trap) and want to know the OIDs of similar objects so you can monitor them, you can explore the MIB that contains the known OID.


Identify a MIB Containing a Known OID
Step 1: Load all the Supported MIBs into your SNMP manager.
Step 2: Search the entire MIB tree for the known OID. The search result displays the MIB path for the OID, as well as information about the OID (for example, name, status, and description). You can then select other OIDs in the same MIB to see information about them.
Step 3: Optionally, Walk a MIB to display all its objects.

Walk a MIB
If you want to see which SNMP objects (system statistics and traps) are available for monitoring, displaying all the objects of a particular MIB can be useful. To do this, load the Supported MIBs into your SNMP manager and perform a walk on the desired MIB. To list the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, walk the panCommonEventEventsV2 MIB. In the following example, walking the PAN-COMMON-MIB.my displays the following list of OIDs and their values for certain statistics:


Identify the OID for a System Statistic or Trap
To use an SNMP manager for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must know the OIDs of the system statistics and traps you want to monitor.

Identify the OID for a Statistic or Trap
Step 1: Review the Supported MIBs to determine which one contains the type of statistic you want. For example, the PAN-COMMON-MIB.my contains hardware version information. The panCommonEventEventsV2 MIB contains all the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support.
Step 2: Open the MIB in a text editor and perform a keyword search. For example, using Hardware version as a search string in PAN-COMMON-MIB identifies the panSysHwVersion object:

    panSysHwVersion OBJECT-TYPE
        SYNTAX      DisplayString (SIZE(0..128))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION "Hardware version of the unit."
        ::= { panSys 2 }


Identify the OID for a Statistic or Trap (Continued)
Step 3: In a MIB browser, search the MIB tree for the identified object name to display its OID. For example, the panSysHwVersion object has an OID of 1.3.6.1.4.1.25461.2.1.2.1.2.
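Steps 2 and 3 amount to a keyword search over the MIB text followed by walking the ::= { parent arc } chain from the object up to a known root. The following added example (not Palo Alto Networks code and not the contents of PAN-COMMON-MIB.my) does both over a constructed MIB fragment. The panSysHwVersion OBJECT-TYPE is the one quoted in Step 2; the intermediate names paloAltoNetworks, panModules, panCommonMib, panCommonObjs and panSession, and the panSessionUtilization object with its description, are assumptions chosen so that the resolved OIDs equal the two quoted on this page (1.3.6.1.4.1.25461.2.1.2.1.2 and 1.3.6.1.4.1.25461.2.1.2.3.1.0); the real MIB file is the authoritative text.

```python
"""Resolve MIB object names to numeric OIDs from MIB source text.

Added example, not PAN-OS or SNMP-manager code. The fragment below is
constructed: only the panSysHwVersion OBJECT-TYPE is quoted from the guide;
the OBJECT IDENTIFIER chain and panSessionUtilization are assumptions that
agree with the OIDs quoted on this page.
"""
import re

# Well-known root so the fragment need not spell out the whole tree.
ROOTS = {"enterprises": "1.3.6.1.4.1"}

MIB_FRAGMENT = """
paloAltoNetworks   OBJECT IDENTIFIER ::= { enterprises 25461 }
panModules         OBJECT IDENTIFIER ::= { paloAltoNetworks 2 }
panCommonMib       OBJECT IDENTIFIER ::= { panModules 1 }
panCommonObjs      OBJECT IDENTIFIER ::= { panCommonMib 2 }
panSys             OBJECT IDENTIFIER ::= { panCommonObjs 1 }
panSession         OBJECT IDENTIFIER ::= { panCommonObjs 3 }

panSysHwVersion OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..128))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Hardware version of the unit."
    ::= { panSys 2 }

panSessionUtilization OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Session table utilization percentage (constructed description)."
    ::= { panSession 1 }
"""

_OID_ASSIGN = re.compile(
    r"^(?P<name>[A-Za-z][\w-]*)\s+OBJECT IDENTIFIER\s*::=\s*\{\s*(?P<parent>[\w-]+)\s+(?P<arc>\d+)\s*\}",
    re.M)
_OBJECT_TYPE = re.compile(
    r"^(?P<name>[A-Za-z][\w-]*)\s+OBJECT-TYPE(?P<body>.*?)::=\s*\{\s*(?P<parent>[\w-]+)\s+(?P<arc>\d+)\s*\}",
    re.M | re.S)
_DESCRIPTION = re.compile(r'DESCRIPTION\s*"([^"]*)"', re.S)


def load_mib(text):
    """Return {name: (parent, arc)} and {name: description} for the text."""
    tree, descriptions = {}, {}
    for m in _OID_ASSIGN.finditer(text):
        tree[m["name"]] = (m["parent"], int(m["arc"]))
    for m in _OBJECT_TYPE.finditer(text):
        tree[m["name"]] = (m["parent"], int(m["arc"]))
        d = _DESCRIPTION.search(m["body"])
        descriptions[m["name"]] = " ".join(d.group(1).split()) if d else ""
    return tree, descriptions


def resolve_oid(name, tree):
    """Follow ::= { parent arc } links up to a known root, as a MIB browser
    does when it shows the numeric OID for an object name (Step 3)."""
    arcs, seen = [], set()
    while name not in ROOTS:
        if name in seen or name not in tree:
            raise KeyError(f"cannot resolve {name!r}: unknown or cyclic parent")
        seen.add(name)
        name, arc = tree[name]
        arcs.append(arc)
    return ".".join([ROOTS[name]] + [str(a) for a in reversed(arcs)])


def scalar_instance(name, tree):
    """Scalar objects are polled at instance .0, which is why the session
    utilization OID quoted later on this page ends in .0."""
    return resolve_oid(name, tree) + ".0"


def search_descriptions(keyword, descriptions):
    """The text-editor keyword search from Step 2, case-insensitive."""
    k = keyword.lower()
    return sorted(n for n, d in descriptions.items() if k in d.lower())


TREE, DESCRIPTIONS = load_mib(MIB_FRAGMENT)

if __name__ == "__main__":
    for n in search_descriptions("hardware version", DESCRIPTIONS):
        print(n, resolve_oid(n, TREE))
```

The resolver only understands the two ASN.1 forms shown (OBJECT IDENTIFIER assignments and OBJECT-TYPE definitions ending in ::= { parent arc }); a full MIB also contains MODULE-IDENTITY, NOTIFICATION-TYPE and IMPORTS clauses, which is why a real MIB browser or compiler is the right tool for the whole file.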


Enable SNMP Services for Firewall-Secured Network Elements
If you will use Simple Network Management Protocol (SNMP) to monitor or manage network elements (for example, switches and routers) that are within the security zones of Palo Alto Networks firewalls, you must create a security rule that allows SNMP services for those elements.
You don't need a security rule to enable SNMP monitoring of Palo Alto Networks firewalls, Panorama, or WF-500 appliances. For details, see Monitor Statistics Using SNMP.

Enable SNMP Services for Firewall-Secured Network Elements
Step 1: Create an application group.
    1. Select Objects > Application Group and click Add.
    2. Enter a Name to identify the application group.
    3. Click Add, type snmp, and select snmp and snmp-trap from the drop-down.
    4. Click OK to save the application group.
Step 2: Create a security rule to allow SNMP services.
    1. Select Policies > Security and click Add.
    2. In the General tab, enter a Name for the rule.
    3. In the Source and Destination tabs, click Add and enter a Source Zone and a Destination Zone for the traffic.
    4. In the Applications tab, click Add, type the name of the applications group you just created, and select it from the drop-down.
    5. In the Actions tab, verify that the Action is set to Allow, and then click OK and Commit.

Monitor Statistics Using SNMP
The statistics that a Simple Network Management Protocol (SNMP) manager collects from Palo Alto Networks firewalls can help you gauge the health of your network (systems and connections), identify resource limitations, and monitor traffic or processing loads. The statistics include information such as interface states (up or down), active user sessions, concurrent sessions, session utilization, temperature, and system uptime.
You can't configure an SNMP manager to control Palo Alto Networks firewalls (using SET messages), only to collect statistics from them (using GET messages).
For details on how SNMP is implemented for Palo Alto Networks firewalls, see SNMP Support.


Monitor Statistics Using SNMP
Step 1: Configure the SNMP Manager to get statistics from firewalls.
    The following steps provide an overview of the tasks you perform on the SNMP manager. For the specific steps, refer to the documentation of your SNMP manager.
    1. To enable the SNMP manager to interpret firewall statistics, load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them.
    2. For each firewall that the SNMP manager will monitor, define the connection settings (IP address and port) and authentication settings (SNMPv2c community string or SNMPv3 EngineID/username/password) for the firewall. Note that all Palo Alto Networks firewalls use port 161. The SNMP manager can use the same or different connection and authentication settings for multiple firewalls. The settings must match those you define when you configure SNMP on the firewall (see Step 3). For example, if you use SNMPv2c, the community string you define when configuring the firewall must match the community string you define in the SNMP manager for that firewall.
    3. Determine the object identifiers (OIDs) of the statistics you want to monitor. For example, to monitor the session utilization percentage of a firewall, a MIB browser shows that this statistic corresponds to OID 1.3.6.1.4.1.25461.2.1.2.3.1.0 in PAN-COMMON-MIB.my. For details, see Use an SNMP Manager to Explore MIBs and Objects.
    4. Configure the SNMP manager to monitor the desired OIDs.
Step 2: Enable SNMP traffic on a firewall interface. This is the interface that will receive statistics requests from the SNMP manager.
    PAN-OS doesn't synchronize management (MGT) interface settings for firewalls in a high availability (HA) configuration. You must configure the interface for each HA peer.
    Perform this step in the firewall web interface.
    To enable SNMP traffic on the MGT interface, select Device > Setup > Management, edit the Management Interface Settings, select SNMP, and then click OK and Commit.
    To enable SNMP traffic on any other interface, create an interface management profile for SNMP services and assign the profile to the interface that will receive the SNMP requests. The interface type must be Layer 3 Ethernet.


Monitor Statistics Using SNMP (Continued)
Step 3: Configure the firewall to respond to statistics requests from an SNMP manager.
    PAN-OS doesn't synchronize SNMP response settings for firewalls in a high availability (HA) configuration. You must configure these settings for each HA peer.
    1. Select Device > Setup > Operations and, in the Miscellaneous section, click SNMP Setup.
    2. Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP Support.
       V2c: Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other.
       As a best practice, don't use the default community string public; it's well known and therefore not secure.
       V3: Create at least one SNMP view group and one user. User accounts and views provide authentication, privacy, and access control when firewalls forward traps and SNMP managers get firewall statistics.
       Views: Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB. Click Add in the first list and enter a Name for the group of views. For each view in the group, click Add and configure the view Name, OID, matching Option (include or exclude), and Mask.
       Users: Click Add in the second list, enter a username under Users, select the View group from the drop-down, enter the authentication password (Auth Password) used to authenticate to the SNMP manager, and enter the privacy password (Priv Password) used to encrypt SNMP messages to the SNMP manager.
    3. Click OK and Commit.
Step 4: Monitor the firewall statistics in an SNMP manager.
    Refer to the documentation of your SNMP manager.
    When monitoring statistics related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
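The Views setting in Step 3 (an OID, a hexadecimal mask and an include or exclude option) is the SNMPv3 view-based access control model. The following added example (not PAN-OS code) shows how such a view group decides whether an OID is readable, applying the RFC 3415 view-family rules: each mask bit covers one sub-identifier of the view OID, a 1 bit means that sub-identifier must match, a 0 bit is a wildcard, bits past the end of the mask count as 1, and when several views match, the longest view OID decides include or exclude. The view group is constructed for the example; the enterprise OIDs in it are the ones quoted on this page, and the assumption is that PAN-OS evaluates views in the standard way, which you should confirm against your own firewall before relying on a mask.

```python
"""Decide whether an OID is visible through an SNMPv3 view group.

Added example, not PAN-OS code. Implements the RFC 3415 view-family match;
the view group at the bottom is constructed for illustration.
"""


def _oid(text):
    return [int(x) for x in text.strip(".").split(".")]


def _mask_bits(hex_mask):
    """'ff:e0' or 'ffe0' -> [1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0].
    An empty mask means every sub-identifier must match."""
    digits = hex_mask.replace(":", "").replace(" ", "")
    return [int(b) for h in digits for b in f"{int(h, 16):04b}"]


def _matches_family(oid, subtree, bits):
    if len(oid) < len(subtree):
        return False
    for i, sub in enumerate(subtree):
        must_match = bits[i] if i < len(bits) else 1  # past the mask: 1
        if must_match and oid[i] != sub:
            return False
    return True


def oid_in_view(oid_text, views):
    """views: list of (oid, hex_mask, 'include'|'exclude'). True when the
    OID is accessible, False when excluded or covered by no view at all."""
    oid = _oid(oid_text)
    best = None
    for view_oid, mask, option in views:
        subtree = _oid(view_oid)
        if _matches_family(oid, subtree, _mask_bits(mask)):
            # Longest view OID wins; on equal length the lexicographically
            # greater one, as RFC 3415 specifies.
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, option)
    return best is not None and best[1] == "include"


# Constructed view group: the system group and the Palo Alto Networks
# enterprise subtree are readable, the session-statistics branch is carved
# out with an exclude view, and one row of the interface table is exposed
# for ifIndex 3 only (the tenth mask bit is 0, wildcarding the column
# sub-identifier so every column of that row matches).
VIEW_GROUP = [
    ("1.3.6.1.2.1.1", "fe", "include"),                  # system
    ("1.3.6.1.2.1.2.2.1.10.3", "ffb0", "include"),       # ifEntry.<col>.3
    ("1.3.6.1.4.1.25461", "fe", "include"),              # paloAltoNetworks
    ("1.3.6.1.4.1.25461.2.1.2.3", "ffe0", "exclude"),    # session statistics
]

if __name__ == "__main__":
    for probe in ("1.3.6.1.4.1.25461.2.1.2.1.2.0",   # hardware version: yes
                  "1.3.6.1.4.1.25461.2.1.2.3.1.0"):  # session utilization: no
        print(probe, oid_in_view(probe, VIEW_GROUP))
```

A mask shorter than the view OID is harmless because missing bits count as 1; the mistake to watch for is a 0 bit where you meant 1, which silently widens the view to every value of that sub-identifier. Checking a handful of probe OIDs against the group, as above, catches that before the view is committed.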

Forward Traps to an SNMP Manager
Simple Network Management Protocol (SNMP) traps can alert you to system events (failures or changes in hardware or software of Palo Alto Networks firewalls) or to threats (traffic that matches a firewall security rule) that require immediate attention.
To see the list of traps that Palo Alto Networks firewalls support, use your SNMP Manager to access the panCommonEventEventsV2 MIB. For details, see Use an SNMP Manager to Explore MIBs and Objects.
For details on how Palo Alto Networks firewalls implement SNMP, see SNMP Support.


Forward Firewall Traps to an SNMP Manager
Step 1: Enable the SNMP manager to interpret the traps it receives.
    Load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.
Step 2: Configure an SNMP Trap server profile. The profile defines how the firewall accesses the SNMP managers (trap servers). You can define up to four SNMP managers for each profile.
    Optionally, configure separate SNMP Trap server profiles for different log types, severity levels, and WildFire verdicts.
    1. Log in to the firewall web interface.
    2. Select Device > Server Profiles > SNMP Trap.
    3. Click Add and enter a Name for the profile.
    4. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
    5. Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP Support.
       V2c: For each server, click Add and enter the server Name, IP address (SNMP Manager), and Community String. The community string identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other.
       As a best practice, don't use the default community string public; it's well known and therefore not secure.
       V3: For each server, click Add and enter the server Name, IP address (SNMP Manager), SNMP User account (this must match a username defined in the SNMP manager), EngineID used to uniquely identify the firewall (you can leave the field blank to use the firewall serial number), authentication password (Auth Password) used to authenticate to the server, and privacy password (Priv Password) used to encrypt SNMP messages to the server.
    6. Click OK to save the server profile.
Step 3: Configure log forwarding.
    1. Configure the destinations of Traffic, Threat, and WildFire traps:
       a. Create a log forwarding profile. For each log type and each severity level or WildFire verdict, select the SNMP Trap server profile.
       b. Assign the log forwarding profile to security rules. The rules will trigger trap generation and forwarding.
    2. Configure the destinations for System, Config, HIP Match, and Correlation logs. For each log (trap) type and severity level, select the SNMP Trap server profile.
    3. Click Commit.
Step 4: Monitor the traps in an SNMP manager.
    Refer to the documentation of your SNMP manager.
    When monitoring traps related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.


Supported MIBs
The following table lists the Simple Network Management Protocol (SNMP) management information bases (MIBs) that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support. You must load these MIBs into your SNMP manager to monitor the objects (system statistics and traps) that are defined in the MIBs. For details, see Use an SNMP Manager to Explore MIBs and Objects.

MIB Type: Supported MIBs

Standard: The Internet Engineering Task Force (IETF) maintains most standard MIBs. You can download the MIBs from the IETF website.
    Palo Alto Networks firewalls, Panorama, and WF-500 appliances don't support every object (OID) in every one of these MIBs. See the Supported MIBs links for an overview of the supported OIDs.
    MIB-II
    IF-MIB
    HOST-RESOURCES-MIB
    ENTITY-MIB
    ENTITY-SENSOR-MIB
    ENTITY-STATE-MIB
    IEEE 802.3 LAG MIB
    LLDP-V2-MIB.my
    BFD-STD-MIB

Enterprise: You can download the enterprise MIBs from the Palo Alto Networks Technical Documentation site.
    PAN-COMMON-MIB.my
    PAN-GLOBAL-REG-MIB.my
    PAN-GLOBAL-TC-MIB.my
    PAN-LC-MIB.my
    PAN-PRODUCT-MIB.my
    PAN-ENTITY-EXT-MIB.my
    PAN-TRAPS.my

MIB-II
MIB-II provides object identifiers (OIDs) for network management protocols in TCP/IP-based networks. Use this MIB to monitor general information about systems and interfaces. For example, you can analyze trends in bandwidth usage by interface type (ifType object) to determine if the firewall needs more interfaces of that type to accommodate spikes in traffic volume.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the following object groups:

Object Group: Description

system: Provides system information such as the hardware model, system uptime, FQDN, and physical location.

interfaces: Provides statistics for physical and logical interfaces such as type, current bandwidth (speed), operational status (for example, up or down), and discarded packets. Logical interface support includes VPN tunnels, aggregate groups, Layer 2 subinterfaces, Layer 3 subinterfaces, loopback interfaces, and VLAN interfaces.

RFC 1213 defines this MIB.


IF-MIB
IF-MIB supports interface types (physical and logical) and larger counters (64K) beyond those defined in MIB-II. Use this MIB to monitor interface statistics in addition to those that MIB-II provides. For example, to monitor the current bandwidth of high-speed interfaces (greater than 2.2 Gbps) such as the 10G interfaces of the PA-5000 Series firewalls, you must check the ifHighSpeed object in IF-MIB instead of the ifSpeed object in MIB-II. IF-MIB statistics can be useful when evaluating the capacity of your network.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the ifXTable in IF-MIB, which provides interface information such as the number of multicast and broadcast packets transmitted and received, whether an interface is in promiscuous mode, and whether an interface has a physical connector.
RFC 2863 defines this MIB.

HOST-RESOURCES-MIB
HOST-RESOURCES-MIB provides information for host computer resources. Use this MIB to monitor CPU and memory usage statistics. For example, checking the current CPU load (hrProcessorLoad object) can help you troubleshoot performance issues on the firewall.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support portions of the following object groups:

Object Group: Description

hrDevice: Provides information such as CPU load, storage capacity, and partition size. The hrProcessorLoad OIDs provide an average of the cores that process packets. For the PA-5060 firewall, which has multiple dataplanes (DPs), the average is of the cores across all the three DPs that process packets.

hrSystem: Provides information such as system uptime, number of current user sessions, and number of current processes.

hrStorage: Provides information such as the amount of used storage.

RFC 2790 defines this MIB.

ENTITY-MIB
ENTITY-MIB provides OIDs for multiple logical and physical components. Use this MIB to determine what physical components are loaded on a system (for example, fans and temperature sensors) and see related information such as models and serial numbers. You can also use the index numbers for these components to determine their operational status in the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhysicalTable group:

Object: Description

entPhysicalIndex: A single namespace that includes disk slots and disk drives.

entPhysicalDescr: The component description.


entPhysicalVendorType: The sysObjectID (see PAN-PRODUCT-MIB.my) when it is available (chassis and module objects).

entPhysicalContainedIn: The value of entPhysicalIndex for the component that contains this component.

entPhysicalClass: Chassis (3), container (5) for a slot, power supply (6), fan (7), sensor (8) for each temperature or other environmental sensor, and module (9) for each line card.

entPhysicalParentRelPos: The relative position of this child component among its sibling components. Sibling components are defined as entPhysicalEntry components that share the same instance values of each of the entPhysicalContainedIn and entPhysicalClass objects.

entPhysicalName: Supported only if the management (MGT) interface allows for naming the line card.

entPhysicalHardwareRev: The vendor-specific hardware revision of the component.

entPhysicalFirmwareRev: The vendor-specific firmware revision of the component.

entPhysicalSoftwareRev: The vendor-specific software revision of the component.

entPhysicalSerialNum: The vendor-specific serial number of the component.

entPhysicalMfgName: The name of the manufacturer of the component.

entPhysicalMfgDate: The date when the component was manufactured.

entPhysicalModelName: The disk model number.

entPhysicalAlias: An alias that the network manager specified for the component.

entPhysicalAssetID: A user-assigned asset tracking identifier that the network manager specified for the component.

entPhysicalIsFRU: Indicates whether the component is a field replaceable unit (FRU).

entPhysicalUris: The Common Language Equipment Identifier (CLEI) number of the component (for example, URN:CLEI:CNME120ARA).

RFC 4133 defines this MIB.

ENTITY-SENSOR-MIB
ENTITY-SENSOR-MIB adds support for physical sensors of networking equipment beyond what ENTITY-MIB defines. Use this MIB in tandem with the ENTITY-MIB to monitor the operational status of the physical components of a system (for example, fans and temperature sensors). For example, to troubleshoot issues that might result from environmental conditions, you can map the entity indexes from the ENTITY-MIB (entPhysicalDescr object) to operational status values (entPhySensorOperStatus object) in the ENTITY-SENSOR-MIB. In the following example, all the fans and temperature sensors for a PA-3020 firewall are working:


The same OID might refer to different sensors on different platforms. Use the ENTITY-MIB for
the targeted platform to match the value to the description.

Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the
entPhySensorTable group. The supported portions vary by platform and include only thermal (temperature
in Celsius) and fan (in RPM) sensors.
RFC 3433 defines the ENTITY-SENSOR-MIB.

ENTITY-STATE-MIB
ENTITY-STATE-MIB provides information about the state of physical components beyond what
ENTITY-MIB defines, including the administrative and operational state of components in chassis-based
platforms. Use this MIB in tandem with the ENTITY-MIB to monitor the operational state of the components
of a PA-7000 Series firewall (for example, line cards, fan trays, and power supplies). For example, to
troubleshoot log forwarding issues for Threat logs, you can map the log processing card (LPC) indexes from
the ENTITY-MIB (entPhysicalDescr object) to operational state values (entStateOper object) in the
ENTITY-STATE-MIB. The operational state values use numbers to indicate state: 1 for unknown, 2 for
disabled, 3 for enabled, and 4 for testing. The PA-7000 Series firewall is the only Palo Alto Networks firewall
that supports this MIB.
RFC 4268 defines the ENTITY-STATE-MIB.

IEEE 802.3 LAG MIB
Use the IEEE 802.3 LAG MIB to monitor the status of aggregate groups that have Link Aggregation Control
Protocol (LACP) enabled. When the firewall logs LACP events, it also generates traps that are useful for
troubleshooting. For example, the traps can tell you whether traffic interruptions between the firewall and
an LACP peer resulted from lost connectivity or from mismatched interface speed and duplex values.
PAN-OS implements the following SNMP tables for LACP. Note that the dot3adTablesLastChanged object
indicates the time of the most recent change to dot3adAggTable, dot3adAggPortListTable, and
dot3adAggPortTable.

Table                                              Description

Aggregator Configuration Table (dot3adAggTable)
    This table contains information about every aggregate group that is associated with a
    firewall. Each aggregate group has one entry.
    Some table objects have restrictions, which the dot3adAggIndex object describes. This
    index is the unique identifier that the local system assigns to the aggregate group. It
    identifies an aggregate group instance among the subordinate managed objects of the
    containing object. The identifier is read-only.
    The ifTable MIB (a list of interface entries) does not support logical interfaces and
    therefore does not have an entry for the aggregate group.

Aggregation Port List Table (dot3adAggPortListTable)
    This table lists the ports associated with each aggregate group in a firewall. Each aggregate
    group has one entry.
    The dot3adAggPortListPorts attribute lists the complete set of ports associated with an
    aggregate group. Each bit set in the list represents a port member. For non-chassis
    platforms, this is a 64-bit value. For chassis platforms, the value is an array of eight 64-bit
    entries.

Aggregation Port Table (dot3adAggPortTable)
    This table contains LACP configuration information about every port associated with an
    aggregate group in a firewall. Each port has one entry. The table has no entries for ports
    that are not associated with an aggregate group.

LACP Statistics Table (dot3adAggPortStatsTable)
    This table contains link aggregation information about every port associated with an
    aggregate group in a firewall. Each port has one row. The table has no entries for ports that
    are not associated with an aggregate group.

The IEEE 802.3 LAG MIB includes the following LACP-related traps:

Trap Name                       Description
panLACPLostConnectivityTrap     The peer lost connectivity to the firewall.
panLACPUnresponsiveTrap         The peer does not respond to the firewall.
panLACPNegoFailTrap             LACP negotiation with the peer failed.
panLACPSpeedDuplexTrap          The link speed and duplex settings on the firewall and peer do not match.
panLACPLinkDownTrap             An interface in the aggregate group is down.
panLACPLacpDownTrap             An interface was removed from the aggregate group.
panLACPLacpUpTrap               An interface was added to the aggregate group.

For the MIB definitions, refer to IEEE 802.3 LAG MIB.

LLDP-V2-MIB.my
Use the LLDP-V2-MIB to monitor Link Layer Discovery Protocol (LLDP) events. For example, you can check
the lldpV2StatsRxPortFramesDiscardedTotal object to see the number of LLDP frames that were discarded
for any reason. The Palo Alto Networks firewall uses LLDP to discover neighboring devices and their
capabilities. LLDP makes troubleshooting easier, especially for virtual wire deployments where the ping or
traceroute utilities won't detect the firewall.
Palo Alto Networks firewalls support all the LLDP-V2-MIB objects except:


The following lldpV2Statistics objects:
    lldpV2StatsRemTablesLastChangeTime
    lldpV2StatsRemTablesInserts
    lldpV2StatsRemTablesDeletes
    lldpV2StatsRemTablesDrops
    lldpV2StatsRemTablesAgeouts
The following lldpV2RemoteSystemsData objects:
    The lldpV2RemOrgDefInfoTable table
    In the lldpV2RemTable table: lldpV2RemTimeMark

RFC 4957 defines this MIB.

BFD-STD-MIB
Use the Bidirectional Forwarding Detection (BFD) MIB to monitor and receive failure alerts for the
bidirectional path between two forwarding engines, such as interfaces, data links, or the actual engines. For
example, you can check the bfdSessState object to see the state of a BFD session between forwarding
engines. In the Palo Alto Networks implementation, one of the forwarding engines is a firewall interface and
the other is an adjacent configured BFD peer.
RFC 7331 defines this MIB.

PAN-COMMON-MIB.my
Use the PAN-COMMON-MIB to monitor the following information for Palo Alto Networks firewalls,
Panorama, and WF-500 appliances:

Object Group        Description

panSys
    Contains such objects as system software/hardware versions, dynamic content versions,
    serial number, HA mode/state, and global counters.
    The global counters include those related to Denial of Service (DoS), IP fragmentation,
    TCP state, and dropped packets. Tracking these counters enables you to monitor traffic
    irregularities that result from DoS attacks, system or connection faults, or resource
    limitations. PAN-COMMON-MIB supports global counters for firewalls but not for
    Panorama.

panChassis
    Chassis type and M-Series appliance mode (Panorama or Log Collector).

panSession
    Session utilization information. For example, the total number of active sessions on the
    firewall or a specific virtual system.

panMgmt
    Status of the connection from the firewall to the Panorama management server.

panGlobalProtect
    GlobalProtect gateway utilization as a percentage, maximum tunnels allowed, and number
    of active tunnels.

panLogCollector
    Log Collector information such as the logging rate, log database storage duration (in days),
    and RAID disk usage.


PAN-GLOBAL-REG-MIB.my
PAN-GLOBAL-REG-MIB.my contains global, top-level OID definitions for various sub-trees of Palo Alto
Networks enterprise MIB modules. This MIB doesn't contain objects for you to monitor; it is required only
for referencing by other MIBs.

PAN-GLOBAL-TC-MIB.my
PAN-GLOBAL-TC-MIB.my defines conventions (for example, character length and allowed characters) for
the text values of objects in Palo Alto Networks enterprise MIB modules. All Palo Alto Networks products
use these conventions. This MIB doesn't contain objects for you to monitor; it is required only for
referencing by other MIBs.

PAN-LC-MIB.my
PAN-LC-MIB.my contains definitions of managed objects that Log Collectors (M-Series appliances in Log
Collector mode) implement. Use this MIB to monitor the logging rate, log database storage duration (in days),
and disk usage (in MB) of each logical disk (up to four) on a Log Collector. For example, you can use this
information to determine whether you should add more Log Collectors or forward logs to an external server
(for example, a syslog server) for archiving.

PAN-PRODUCT-MIB.my
PAN-PRODUCT-MIB.my defines sysObjectID OIDs for all Palo Alto Networks products. This MIB doesn't
contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-ENTITY-EXT-MIB.my
Use PAN-ENTITY-EXT-MIB.my in tandem with the ENTITY-MIB to monitor power usage for the physical
components of a PA-7000 Series firewall (for example, fan trays and power supplies), which is the only Palo
Alto Networks firewall that supports this MIB. For example, when troubleshooting log forwarding issues, you
might want to check the power usage of the log processing cards (LPCs): you can map the LPC indexes from
the ENTITY-MIB (entPhysicalDescr object) to values in the PAN-ENTITY-EXT-MIB
(panEntryFRUModelPowerUsed object).

PAN-TRAPS.my
Use PAN-TRAPS.my to see a complete listing of all the generated traps and information about them (for
example, a description). For a list of traps that Palo Alto Networks firewalls, Panorama, and WF-500
appliances support, refer to the PAN-COMMON-MIB.my > panCommonEvents > panCommonEventsEvents >
panCommonEventEventsV2 object.


NetFlow Monitoring
NetFlow is an industry-standard protocol that the firewall can use to export statistics about the IP traffic that
traverses its interfaces. The firewall exports the statistics as NetFlow fields to a NetFlow collector. The
NetFlow collector is a server you use to analyze network traffic for security, administration, accounting, and
troubleshooting. All Palo Alto Networks firewalls support NetFlow (Version 9) except the PA-4000 Series
and PA-7000 Series firewalls. The firewalls support only unidirectional NetFlow, not bidirectional. You can
enable NetFlow exports on all interface types except HA, log card, or decrypt mirror. To identify firewall
interfaces in a NetFlow collector, see Firewall Interface Identifiers in SNMP Managers and NetFlow
Collectors. The firewall supports standard and enterprise (PAN-OS specific) NetFlow templates.

Configure NetFlow Exports

NetFlow Templates

Configure NetFlow Exports

Step 1: Create a NetFlow server profile.
    1. Select Device > Server Profiles > NetFlow and click Add.
    2. Enter a Name for the profile.
    3. Specify the frequency at which the firewall refreshes NetFlow Templates in Minutes
       (default is 30) or Packets (default is 20), according to the requirements of your NetFlow
       collector.
    4. For the Active Timeout, specify the frequency in minutes at which the firewall exports
       records (default is 5).
    5. Select the PAN-OS Field Types check box if you want the firewall to export App-ID and
       User-ID fields.
    6. For each NetFlow collector (up to two per profile) that will receive fields, click Add and
       enter an identifying server Name, hostname or IP address (NetFlow Server), and access Port
       (default is 2055).
    7. Click OK to save the profile.

Step 2: Assign the NetFlow server profile to the interfaces that carry the traffic you want to
analyze. In this example, you assign the profile to an existing Ethernet interface.
    1. Select Network > Interfaces > Ethernet and click an interface name to edit it.
    2. In the NetFlow Profile drop-down, select the NetFlow server profile and click OK.
    3. Click Commit.

Step 3: Monitor the firewall traffic in a NetFlow collector.
    Refer to the documentation for your NetFlow collector.
    When monitoring statistics, you must match the interface indexes in the NetFlow collector
    with interface names in the firewall web interface. For details, see Firewall Interface
    Identifiers in SNMP Managers and NetFlow Collectors.


NetFlow Templates
NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall selects a
template based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard
or enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate
which one to use (in case the type of exported data changes) and to apply any changes to the fields in the
selected template. When you Configure NetFlow Exports, you set the refresh frequency according to the
requirements of your NetFlow collector.
The Palo Alto Networks firewall supports the following NetFlow templates:

Template                    ID
IPv4 Standard               256
IPv4 Enterprise             257
IPv6 Standard               258
IPv6 Enterprise             259
IPv4 with NAT Standard      260
IPv4 with NAT Enterprise    261
IPv6 with NAT Standard      262
IPv6 with NAT Enterprise    263

The following table lists the NetFlow fields that the firewall can send, along with the templates that define
them:
Value   Field (Templates)
        Description

1       IN_BYTES (All templates)
        Incoming counter with length N*8 bits for the number of bytes associated with an IP
        flow. By default, N is 4.

2       IN_PKTS (All templates)
        Incoming counter with length N*8 bits for the number of packets associated with an IP
        flow. By default, N is 4.

4       PROTOCOL (All templates)
        IP protocol byte.

5       TOS (All templates)
        Type of Service byte setting when entering the ingress interface.

6       TCP_FLAGS (All templates)
        Total of all the TCP flags in this flow.

7       L4_SRC_PORT (All templates)
        TCP/UDP source port number (for example, FTP, Telnet, or equivalent).

8       IPV4_SRC_ADDR (IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise)
        IPv4 source address.

10      INPUT_SNMP (All templates)
        Input interface index. The value length is 2 bytes by default, but higher values are
        possible. For details on how Palo Alto Networks firewalls generate interface indexes, see
        Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.

11      L4_DST_PORT (All templates)
        TCP/UDP destination port number (for example, FTP, Telnet, or equivalent).

12      IPV4_DST_ADDR (IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise)
        IPv4 destination address.

14      OUTPUT_SNMP (All templates)
        Output interface index. The value length is 2 bytes by default, but higher values are
        possible. For details on how Palo Alto Networks firewalls generate interface indexes, see
        Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.

21      LAST_SWITCHED (All templates)
        System uptime in milliseconds when the last packet of this flow was switched.

22      FIRST_SWITCHED (All templates)
        System uptime in milliseconds when the first packet of this flow was switched.

27      IPV6_SRC_ADDR (IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise)
        IPv6 source address.

28      IPV6_DST_ADDR (IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise)
        IPv6 destination address.

32      ICMP_TYPE (All templates)
        Internet Control Message Protocol (ICMP) packet type. This is reported as:
        ICMP Type * 256 + ICMP code

61      DIRECTION (All templates)
        Flow direction:
        0 = ingress
        1 = egress

148     flowId (All templates)
        An identifier of a flow that is unique within an observation domain. You can use this
        information element to distinguish between different flows if flow keys such as IP
        addresses and port numbers are not reported or are reported in separate records.
        The flow ID corresponds to the session ID field in Traffic and Threat logs.

233     firewallEvent (All templates)
        Indicates a firewall event:
        0 = Ignore (invalid)
        1 = Flow created
        2 = Flow deleted
        3 = Flow denied
        4 = Flow alert
        5 = Flow update (the session state changed from active to deny)

225     postNATSourceIPv4Address (IPv4 with NAT standard, IPv4 with NAT enterprise)
        The definition of this information element is identical to that of sourceIPv4Address,
        except that it reports a modified value that the firewall produced during network
        address translation after the packet traversed the interface.

226     postNATDestinationIPv4Address (IPv4 with NAT standard, IPv4 with NAT enterprise)
        The definition of this information element is identical to that of destinationIPv4Address,
        except that it reports a modified value that the firewall produced during network
        address translation after the packet traversed the interface.

227     postNAPTSourceTransportPort (IPv4 with NAT standard, IPv4 with NAT enterprise)
        The definition of this information element is identical to that of sourceTransportPort,
        except that it reports a modified value that the firewall produced during network
        address port translation after the packet traversed the interface.

228     postNAPTDestinationTransportPort (IPv4 with NAT standard, IPv4 with NAT enterprise)
        The definition of this information element is identical to that of
        destinationTransportPort, except that it reports a modified value that the firewall
        produced during network address port translation after the packet traversed the
        interface.

281     postNATSourceIPv6Address (IPv6 with NAT standard, IPv6 with NAT enterprise)
        The definition of this information element is identical to the definition of information
        element sourceIPv6Address, except that it reports a modified value that the firewall
        produced during NAT64 network address translation after the packet traversed the
        interface. See RFC 2460 for the definition of the source address field in the IPv6 header.
        See RFC 6146 for the NAT64 specification.

282     postNATDestinationIPv6Address (IPv6 with NAT standard, IPv6 with NAT enterprise)
        The definition of this information element is identical to the definition of information
        element destinationIPv6Address, except that it reports a modified value that the
        firewall produced during NAT64 network address translation after the packet
        traversed the interface. See RFC 2460 for the definition of the destination address field
        in the IPv6 header. See RFC 6146 for the NAT64 specification.

346     privateEnterpriseNumber (IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise)
        This is a unique private enterprise number that identifies Palo Alto Networks: 25461.

56701   App-ID (IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise)
        The name of an application that App-ID identified. The name can be up to 32 bytes.

56702   User-ID (IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise)
        A username that User-ID identified. The name can be up to 64 bytes.

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
When you use a NetFlow collector (see NetFlow Monitoring) or SNMP manager (see SNMP Monitoring and
Traps) to monitor the Palo Alto Networks firewall, an interface index (SNMP ifindex object) identifies the
interface that carried a particular flow (see Figure: Interface Indexes in an SNMP Manager). In contrast, the
firewall web interface uses interface names as identifiers (for example, ethernet1/1), not indexes. To
understand which statistics that you see in a NetFlow collector or SNMP manager apply to which firewall
interface, you must be able to match the interface indexes with interface names.
Figure: Interface Indexes in an SNMP Manager

You can match the indexes with names by understanding the formulas that the firewall uses to calculate
indexes. The formulas vary by platform and interface type: physical or logical.
Physical interface indexes have a range of 1-9999, which the firewall calculates as follows:

Firewall Platform            Calculation                                  Example Interface Index

Non-chassis based: VM-Series, PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series,
PA-5000 Series
    The PA-4000 Series platform supports SNMP but not NetFlow.
    Calculation: MGT port + physical port offset
        MGT port: This is a constant that depends on the platform:
            2 for hardware-based firewalls (for example, the PA-5000 Series firewall)
            1 for the VM-Series firewall
        Physical port offset: This is the physical port number.
    Example: PA-5000 Series firewall, Eth1/4 = 2 (MGT port) + 4 (physical port) = 6

Chassis based: PA-7000 Series firewalls
    This platform supports SNMP but not NetFlow.
    Calculation: (Max. ports * slot) + physical port offset + MGT port
        Maximum ports: This is a constant of 64.
        Slot: This is the chassis slot number of the network interface card.
        Physical port offset: This is the physical port number.
        MGT port: This is a constant of 5 for PA-7000 Series firewalls.
    Example: PA-7000 Series firewall, Eth3/9 = [64 (max. ports) * 3 (slot)] + 9 (physical port) + 5 (MGT port) = 206


Logical interface indexes for all platforms are nine-digit numbers that the firewall calculates as follows
(digit 9 is the most significant digit and digits 1-4 are the least significant):

Interface Type    Range    Digit 9    Digits 7-8    Digits 5-6    Digits 1-4    Example Interface Index

Layer 3 subinterface
    Range: 101010001-199999999
    Digit 9: Type: 1
    Digits 7-8: Interface slot: 1-9 (01-09)
    Digits 5-6: Interface port: 1-9 (01-09)
    Digits 1-4: Subinterface suffix: 1-9999 (0001-9999)
    Example: Eth1/5.22 = 100000000 (type) + 1000000 (slot) + 50000 (port) + 22 (suffix) = 101050022

Layer 2 subinterface
    Range: 101010001-199999999
    Digit 9: Type: 1
    Digits 7-8: Interface slot: 1-9 (01-09)
    Digits 5-6: Interface port: 1-9 (01-09)
    Digits 1-4: Subinterface suffix: 1-9999 (0001-9999)
    Example: Eth2/3.6 = 100000000 (type) + 2000000 (slot) + 30000 (port) + 6 (suffix) = 102030006

Vwire subinterface
    Range: 101010001-199999999
    Digit 9: Type: 1
    Digits 7-8: Interface slot: 1-9 (01-09)
    Digits 5-6: Interface port: 1-9 (01-09)
    Digits 1-4: Subinterface suffix: 1-9999 (0001-9999)
    Example: Eth4/2.312 = 100000000 (type) + 4000000 (slot) + 20000 (port) + 312 (suffix) = 104020312

VLAN
    Range: 200000001-200009999
    Digit 9: Type: 2
    Digits 7-8: 00
    Digits 5-6: 00
    Digits 1-4: VLAN suffix: 1-9999 (0001-9999)
    Example: VLAN.55 = 200000000 (type) + 55 (suffix) = 200000055

Loopback
    Range: 300000001-300009999
    Digit 9: Type: 3
    Digits 7-8: 00
    Digits 5-6: 00
    Digits 1-4: Loopback suffix: 1-9999 (0001-9999)
    Example: Loopback.55 = 300000000 (type) + 55 (suffix) = 300000055

Tunnel
    Range: 400000001-400009999
    Digit 9: Type: 4
    Digits 7-8: 00
    Digits 5-6: 00
    Digits 1-4: Tunnel suffix: 1-9999 (0001-9999)
    Example: Tunnel.55 = 400000000 (type) + 55 (suffix) = 400000055

Aggregate group
    Range: 500010001-500089999
    Digit 9: Type: 5
    Digits 7-8: 00
    Digits 5-6: AE suffix: 1-8 (01-08)
    Digits 1-4: Subinterface suffix: 1-9999 (0001-9999)
    Example: AE5.99 = 500000000 (type) + 50000 (AE suffix) + 99 (suffix) = 500050099

368 PAN-OS 7.1 Administrator's Guide

Palo Alto Networks, Inc.
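Matching collector statistics back to firewall interfaces is easier with the two formulas in code. The Python below is an added example (not Palo Alto Networks code) that computes a physical or logical ifIndex from an interface name using the tables above and also decodes a nine-digit logical index back into its name; the platform keys and function names are this example's own.

```python
"""Compute and decode PAN-OS interface indexes (added example, not Palo Alto
Networks code). Implements the physical and logical ifIndex formulas from
the tables above; the platform keys "hardware", "vm-series" and "pa-7000"
and all function names are this example's own naming."""
import re

# MGT-port constants from the physical interface index table.
MGT_PORT = {"hardware": 2, "vm-series": 1, "pa-7000": 5}
PA7000_MAX_PORTS = 64   # maximum ports per slot on a PA-7000 Series chassis

# Digit-9 type codes from the logical interface index table.
LOGICAL_TYPE = {"ethernet": 1, "vlan": 2, "loopback": 3, "tunnel": 4, "ae": 5}
TYPE_NAME = {code: name for name, code in LOGICAL_TYPE.items()}


def physical_ifindex(name: str, platform: str) -> int:
    """ifIndex (1-9999) of a physical port such as "ethernet1/4".

    platform: "hardware" (PA-200 .. PA-5000 Series), "vm-series", or "pa-7000".
    """
    m = re.fullmatch(r"ethernet(\d+)/(\d+)", name.lower())
    if not m or platform not in MGT_PORT:
        raise ValueError(f"cannot compute physical index for {name!r} on {platform!r}")
    slot, port = int(m.group(1)), int(m.group(2))
    if platform == "pa-7000":
        # chassis: (max. ports * slot) + physical port offset + MGT port
        return PA7000_MAX_PORTS * slot + port + MGT_PORT[platform]
    # non-chassis: MGT port + physical port offset (the slot is always 1)
    return MGT_PORT[platform] + port


def _compose(type_code: int, digits_78: int, digits_56: int, digits_1234: int) -> int:
    """Assemble the nine-digit logical index as T | DD | DD | DDDD."""
    if not (1 <= digits_1234 <= 9999 and 0 <= digits_78 <= 99 and 0 <= digits_56 <= 99):
        raise ValueError("index field out of range")
    return type_code * 10**8 + digits_78 * 10**6 + digits_56 * 10**4 + digits_1234


def logical_ifindex(name: str) -> int:
    """Nine-digit ifIndex of a subinterface, VLAN, loopback, tunnel or AE interface."""
    n = name.lower()
    m = re.fullmatch(r"ethernet([1-9])/([1-9])\.(\d{1,4})", n)
    if m:   # Layer 3, Layer 2 and vwire subinterfaces all use type 1
        slot, port, suffix = (int(x) for x in m.groups())
        return _compose(1, slot, port, suffix)
    m = re.fullmatch(r"ae([1-8])\.(\d{1,4})", n)
    if m:   # aggregate group: AE number in digits 5-6, subinterface suffix in digits 1-4
        return _compose(5, 0, int(m.group(1)), int(m.group(2)))
    m = re.fullmatch(r"(vlan|loopback|tunnel)\.(\d{1,4})", n)
    if m:   # single-number interfaces: only the suffix is encoded
        return _compose(LOGICAL_TYPE[m.group(1)], 0, 0, int(m.group(2)))
    raise ValueError(f"not a supported logical interface name: {name!r}")


def decode_logical_ifindex(index: int) -> str:
    """Inverse of logical_ifindex: recover the interface name from a nine-digit index."""
    type_code, rest = divmod(index, 10**8)
    digits_78, rest = divmod(rest, 10**6)
    digits_56, suffix = divmod(rest, 10**4)
    if type_code == 1:
        return f"ethernet{digits_78}/{digits_56}.{suffix}"
    if type_code == 5:
        return f"ae{digits_56}.{suffix}"
    if type_code in (2, 3, 4):
        return f"{TYPE_NAME[type_code]}.{suffix}"
    raise ValueError(f"unknown logical interface type in index {index}")


if __name__ == "__main__":
    # The worked examples from the tables above.
    print(physical_ifindex("ethernet1/4", "hardware"))   # 6
    print(physical_ifindex("ethernet3/9", "pa-7000"))    # 206
    print(logical_ifindex("ethernet1/5.22"))             # 101050022
    print(logical_ifindex("ae5.99"))                     # 500050099
    print(decode_logical_ifindex(104020312))             # ethernet4/2.312
```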

User-ID
User Identification (User-ID) of the Palo Alto Networks firewall enables you to create policies and perform
reporting based on users and groups rather than individual IP addresses.

User-ID Overview

User-ID Concepts

Enable User-ID

Map Users to Groups

Map IP Addresses to Users

Enable User- and Group-Based Policy

Enable Policy for Users with Multiple Accounts

Verify the User-ID Configuration

Deploy User-ID in a Large-Scale Network

User-ID Overview
User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise directory and terminal
services offerings, enabling you to tie application activity and policy rules to users and groups, not just IP
addresses. Furthermore, with User-ID enabled, the Application Command Center (ACC), App Scope, reports,
and logs all include usernames in addition to user IP addresses.
Palo Alto Networks firewalls support monitoring of the following enterprise services:

Microsoft Active Directory

Lightweight Directory Access Protocol (LDAP)

Novell eDirectory

Citrix Metaframe Presentation Server or XenApp

Microsoft Terminal Services

For user- and group-based policies, the firewall requires a list of all available users and their corresponding
group mappings that you can select when defining your policies. The firewall collects Group Mapping
information by connecting directly to your LDAP directory server.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets
it receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For
example, the User-ID agent monitors server logs for login events, probes clients, and listens for syslog
messages from authenticating services. To identify mappings for IP addresses that the agent didn't map, you
can configure the firewall to redirect HTTP requests to a Captive Portal login. You can tailor the user
mapping mechanisms to suit your environment, and even use different mechanisms at different sites.
User-ID does not work in environments where the source IP addresses of users are subject to
NAT translation before the firewall maps the IP addresses to usernames.

Figure: User-ID

See User-ID Concepts for information on how User-ID works and Enable User-ID for instructions on setting
up User-ID.

User-ID Concepts

Group Mapping

User Mapping

Group Mapping
To define policy rules based on user or group, first you create an LDAP server profile that defines how the
firewall connects and authenticates to your directory server. The firewall supports a variety of directory
servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The
server profile also defines how the firewall searches the directory to retrieve the list of groups and the
corresponding list of members. Next you create a group mapping configuration to Map Users to Groups.
Then you can Enable User- and Group-Based Policy.
Defining policy rules based on group membership rather than on individual users simplifies administration
because you don't have to update the rules whenever new users are added to a group. When configuring
group mapping, you can limit which groups will be available in policy rules. You can specify groups that
already exist in your directory service or define custom groups based on LDAP filters. Defining custom
groups can be quicker than creating new groups or changing existing ones on an LDAP server, and doesn't
require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match the filter
to the custom group. For example, you might want a security policy that allows contractors in the Marketing
Department to access social networking sites. If no Active Directory group exists for that department, you
can configure an LDAP filter that matches users for whom the LDAP attribute Department is set to
Marketing. Log queries and reports that are based on user groups will include custom groups.

User Mapping
Having the names of the users and groups is only one piece of the puzzle. The firewall also needs to know
which IP addresses map to which users so that security rules can be enforced appropriately. Figure: User-ID
illustrates the different methods that are used to identify users and groups on your network and shows how
user mapping and group mapping work together to enable user- and group-based security enforcement and
visibility.
The following topics describe the different methods of user mapping:

Server Monitoring

Client Probing

Port Mapping

Syslog

Captive Portal

GlobalProtect

PAN-OS XML API

Server Monitoring
With server monitoring, a User-ID agent (either a Windows-based agent running on a domain server in your
network, or the integrated PAN-OS User-ID agent running on the firewall) monitors the security event logs
for specified Microsoft Exchange Servers, domain controllers, or Novell eDirectory servers for login events.
For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for
Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service
connections. Note that for these events to be recorded in the security log, the AD domain must be
configured to log successful account login events. In addition, because users can log in to any of the servers
in the domain, you must set up server monitoring for all servers to capture all user login events.
Because server monitoring requires very little overhead and because the majority of users can generally be
mapped using this method, it is recommended as the base user mapping method for most User-ID
deployments. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping
Using the PAN-OS Integrated User-ID Agent for details.

Client Probing
In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using
Windows Management Instrumentation (WMI). The Windows-based User-ID agent can also perform
NetBIOS probing (not supported on the PAN-OS integrated User-ID agent). Probing is particularly useful in
environments with a high IP address turnover because changes will be reflected on the firewall more quickly,
enabling more accurate enforcement of user-based policies. However, if the correlation between IP
addresses and users is fairly static, you probably do not need to enable client probing. Because probing can
generate a large amount of network traffic (based on the total number of mapped IP addresses), the agent
that will be initiating the probes should be located as close as possible to the end clients.
If probing is enabled, the agent will probe each learned IP address periodically (every 20 minutes by default,
but this is configurable) to verify that the same user is still logged in. In addition, when the firewall encounters
an IP address for which it has no user mapping, it will send the address to the agent for an immediate probe.
See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the
PAN-OS Integrated User-ID Agent for details.

Port Mapping
In environments with multi-user systems, such as Microsoft Terminal Server or Citrix environments, many
users share the same IP address. In this case, the user-to-IP address mapping process requires knowledge of
the source port of each client. To perform this type of mapping, you must install the Palo Alto Networks
Terminal Services Agent on the Windows/Citrix terminal server itself to intermediate the assignment of
source ports to the various user processes. For terminal servers that do not support the Terminal Services
agent, such as Linux terminal servers, you can use the XML API to send user mapping information from login
and logout events to User-ID. See Configure User Mapping for Terminal Server Users for configuration
details.

Syslog
In environments with existing network services that authenticate users, such as wireless controllers, 802.1x
devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms,
the firewall User-ID agent (either the Windows agent or the PAN-OS integrated agent on the firewall) can
listen for authentication syslog messages from those services. Syslog filters, which are provided by a content
update (integrated User-ID agent only) or configured manually, allow the User-ID agent to parse and extract
usernames and IP addresses from authentication syslog events generated by the external service, and add
the information to the User-ID IP address-to-username mappings maintained by the firewall. See Configure
User-ID to Receive User Mappings from a Syslog Sender for configuration details.
Figure: User-ID Integration with Syslog

Captive Portal
If the firewall or the User-ID agent can't map an IP address to a username (for example, if the user isn't
logged in or uses an operating system such as Linux that your domain servers don't support), you can
configure Captive Portal. Any web traffic (HTTP or HTTPS) that matches a Captive Portal policy rule requires
user authentication. You can base the authentication on a transparent browser challenge (Kerberos Single
Sign-On (SSO) or NT LAN Manager (NTLM) authentication), web form (for RADIUS, TACACS+, LDAP,
Kerberos, or local database authentication), or client certificates. For details, see Map IP Addresses to
Usernames Using Captive Portal.

GlobalProtect
For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall
directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the
user to enter login credentials for VPN access to the firewall. This login information is then added to the
User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because
GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping
is explicitly known. This is the best solution in sensitive environments where you must be certain of who a
user is in order to allow access to an application or service. For more information on setting up GlobalProtect,
refer to the GlobalProtect Administrator's Guide.

PAN-OS XML API
Captive Portal and the other standard user mapping methods might not work for certain types of user access.
For example, the standard methods cannot add mappings of users connecting from a third-party VPN
solution or users connecting to a 802.1x-enabled wireless network. For such cases, you can use the PAN-OS
XML API to capture login events and send them to the User-ID agent or directly to the firewall. See Send
User Mappings to User-ID Using the XML API for details.

Enable User-ID
You must complete the following tasks to set up the firewall to use users and groups in policy enforcement,
logging, and reporting:
Map Users to Groups
Map IP Addresses to Users
Enable User- and Group-Based Policy
Verify the User-ID Configuration

Map Users to Groups
Defining policy rules based on user group membership rather than individual users simplifies administration
because you don't have to update the rules whenever group membership changes. Use the following
procedure to enable the firewall to connect to your LDAP directory and retrieve Group Mapping
information. You can then Enable User- and Group-Based Policy.
The following are best practices for group mapping in an Active Directory (AD) environment:
If you have a single domain, you need only one LDAP server profile that connects the firewall to the
domain controller with the best connectivity. You can add additional domain controllers for fault
tolerance.
If you have multiple domains and/or multiple forests, you must create a server profile to connect to a
domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
If you have Universal Groups, create a server profile to connect to the Global Catalog server.

Map Users to Groups

Step 1: Add an LDAP server profile.
    The profile defines how the firewall connects to the directory servers from which it collects
    group mapping information. You can add up to four servers to the profile but they must be
    the same Type.
    Configure an LDAP Server Profile:
    1. Select Device > Server Profiles > LDAP, click Add, and enter a Profile Name.
    2. For each LDAP server, click Add and enter the server Name, IP address (LDAP Server), and
       Port (default is 389).
    3. Based on your Type selection (for example, active-directory), the firewall automatically
       populates the correct LDAP attributes in the group mapping settings. However, if you
       customized your LDAP schema, you might need to modify the default settings.
    4. In the Base DN field, enter the Distinguished Name (DN) of the LDAP tree location where
       you want the firewall to begin its search for user and group information.
    5. Enter the authentication credentials for binding to the LDAP tree in the Bind DN, Password,
       and Confirm Password fields. The Bind DN can be a fully qualified LDAP name (for example,
       cn=administrator,cn=users,dc=acme,dc=local) or a user principal name (for example,
       administrator@acme.local).
    6. Click OK to save the profile.
Step2

Configuretheserversettingsinagroup 1.
mappingconfiguration.
2.
3.

378 PANOS7.1AdministratorsGuide

SelectDevice > User Identification > Group Mapping Settings.


Ifthefirewallhasmorethanonevirtualsystem(vsys),selecta
Location(vsysorShared)forthisconfiguration.
ClickAddandenterauniqueNametoidentifythegroup
mappingconfiguration.

4.

SelecttheLDAPServer Profileyoujustcreated.

5.

(Optional)Bydefault,theUser Domainfieldisblank:the
firewallautomaticallydetectsthedomainnamesforActive
Directory(AD)servers.Ifyouenteravalue,itoverridesany
domainnamesthatthefirewallretrievesfromtheLDAP
source.YourentrymustbetheNetBIOSdomainname.

6.

(Optional)Tofilterthegroupsthatthefirewalltracksforgroup
mapping,intheGroupObjectssection,enteraSearch Filter
(LDAPquery),Object Class(groupdefinition),Group Name,
andGroup Member.

7.

(Optional)Tofiltertheusersthatthefirewalltracksforgroup
mapping,intheUserObjectssection,enteraSearch Filter
(LDAPquery),Object Class(userdefinition),andUser Name.

8.

(Optional)TomatchUserIDinformationwithemailheader
informationidentifiedinthelinksandattachmentsofemails
forwardedtoWildFire,enterthelistofemaildomainsin
yourorganizationintheMailDomainssection,Domain List
field.Usecommastoseparatemultipledomains(upto256
characters).AfteryouclickOK,PANOSautomatically
populatestheMail AttributesfieldbasedonyourLDAPserver
type(Sun/RFC,ActiveDirectory,orNovell).Whenamatch
occurs,theusernameintheWildFirelogemailheadersection
willcontainalinkthatopenstheACCtab,filteredbyuseror
usergroup.

9.

MakesuretheEnabledcheckboxisselected.

PaloAltoNetworks,Inc.

Map Users to Groups (Continued)
Step 3  Limit which groups will be available in policy rules.
Required only if you want to limit policy rules to specific groups. By default, if you don't specify groups, all groups are available in policy rules.
Any custom groups you create will also be available in the Allow List of authentication profiles.
1. Add existing groups from the directory service:
   a. Select the Group Include List tab.
   b. In the Available Groups list, select the groups you want to appear in policy rules and click the Add icon.
2. If you want to base policy rules on user attributes that don't match existing user groups, create custom groups based on LDAP filters:
   a. Select the Custom Group tab and click Add.
   b. Enter a group Name that is unique in the group mapping configuration for the current firewall or virtual system. If the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (for example, in policies and logs).
   c. Specify an LDAP Filter of up to 2,048 UTF-8 characters and click OK. The firewall doesn't validate LDAP filters, so it's up to you to ensure they are accurate.
   To minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
3. Click OK and Commit. A commit is necessary before custom groups will be available in policies and objects.
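Because the firewall does not validate a custom group LDAP Filter, the following added checker (example code, not Palo Alto Networks code) tests a filter for RFC 4515 syntax and the 2,048-character limit before you commit it, and lists the attributes that are not in the set you know to be indexed. The INDEXED_ATTRIBUTES set and the sample filters are constructed placeholders; replace the set with the attributes indexed in your own directory.

```python
"""Sanity-check a custom group LDAP filter before committing it (added example; not
PAN-OS code). Checks RFC 4515 syntax, the 2,048-character limit, and reports which
attributes fall outside the set you know to be indexed in your directory."""
import re
from typing import Dict, List

MAX_FILTER_CHARS = 2048   # limit for a custom group LDAP Filter as stated in the guide

# Constructed placeholder: replace with the attributes that are indexed in YOUR schema.
INDEXED_ATTRIBUTES = {"samaccountname", "objectcategory", "mail", "memberof", "department"}


class FilterError(ValueError):
    """Raised when the filter would not parse as an RFC 4515 search filter."""


_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")


def _parse_item(filt: str, pos: int, attrs: List[str]) -> int:
    """Parse one parenthesised filter item starting at filt[pos]; return the index after ')'."""
    if pos >= len(filt) or filt[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(filt):
        raise FilterError("unterminated filter")
    op = filt[pos]
    if op in "&|":                       # and / or: one or more nested items
        pos += 1
        nested = 0
        while pos < len(filt) and filt[pos] == "(":
            pos = _parse_item(filt, pos, attrs)
            nested += 1
        if nested == 0:
            raise FilterError(f"'{op}' at offset {pos - 1} has no nested filter")
    elif op == "!":                      # not: exactly one nested item
        pos = _parse_item(filt, pos + 1, attrs)
    else:                                # simple item: attribute, operator, value
        m = _ATTR_RE.match(filt, pos)
        if not m:
            raise FilterError(f"expected attribute name at offset {pos}")
        attrs.append(m.group(0))
        pos = m.end()
        if filt.startswith(("~=", ">=", "<="), pos):
            pos += 2
        elif filt.startswith("=", pos):
            pos += 1
        else:
            raise FilterError(f"expected comparison operator at offset {pos}")
        # the value runs to the closing parenthesis; a backslash escapes the next character
        while pos < len(filt) and filt[pos] != ")":
            pos += 2 if filt[pos] == "\\" else 1
    if pos >= len(filt) or filt[pos] != ")":
        raise FilterError(f"missing ')' at offset {pos}")
    return pos + 1


def check_custom_group_filter(filt: str) -> Dict[str, List[str]]:
    """Return the attributes the filter references and those not known to be indexed."""
    text = filt.strip()
    if len(text) > MAX_FILTER_CHARS:
        raise FilterError(f"filter is {len(text)} characters; limit is {MAX_FILTER_CHARS}")
    attrs: List[str] = []
    end = _parse_item(text, 0, attrs)
    if end != len(text):
        raise FilterError(f"unexpected text after the filter at offset {end}")
    unindexed = sorted({a for a in attrs if a.lower() not in INDEXED_ATTRIBUTES})
    return {"attributes": attrs, "unindexed": unindexed}


if __name__ == "__main__":
    # Constructed sample filters for a custom group of IT administrators and contractors.
    good = "(&(objectCategory=person)(memberOf=cn=it-admins,ou=groups,dc=acme,dc=local))"
    print(check_custom_group_filter(good))
    slow = "(&(objectCategory=person)(title=Contractor))"
    print(check_custom_group_filter(slow)["unindexed"])   # ['title']: not indexed
    try:
        check_custom_group_filter("(&(objectCategory=person)(title=Contractor)")
    except FilterError as exc:
        print("rejected:", exc)
```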

Map IP Addresses to Users
The tasks you perform to map IP addresses to usernames depend on the type and location of the client systems on your network. Complete as many of the following tasks as necessary to enable mapping of your client systems:
• To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must configure the User-ID agent to monitor server logs and probe client systems. You can either Configure User Mapping Using the PAN-OS Integrated User-ID Agent or Configure User Mapping Using the Windows User-ID Agent. The Windows-based User-ID agent is a standalone agent that you install on one or more member servers in the domain that contains the servers and clients that the agent will monitor. For guidance on which agent is appropriate for your network and the required number and placements of agents, refer to Architecting User Identification Deployments.
• If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Services Agent for User Mapping. For a multi-user system that doesn't run on Windows, you can Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API.
• To obtain user mappings from existing network services that authenticate users (such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms), Configure User-ID to Receive User Mappings from a Syslog Sender. You can use either the Windows agent or the agentless user mapping feature on the firewall to listen for authentication syslog messages from the network services.
• If you have users with client systems that aren't logged in to your domain servers (for example, users running Linux clients that don't log in to the domain), you can Map IP Addresses to Usernames Using Captive Portal.
• For other clients that you can't map using the preceding methods, you can Send User Mappings to User-ID Using the XML API.
• A large-scale network can have hundreds of information sources that firewalls query for user and group mapping and can have numerous firewalls that enforce policies based on the mapping information. You can simplify User-ID administration for such a network by aggregating the mapping information before the User-ID agents collect it. You can also reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to redistribute the mapping information. For details, see Deploy User-ID in a Large-Scale Network.

Configure User Mapping Using the Windows User-ID Agent
In most cases, the majority of your network users will have logins to your monitored domain services. For these users, the Palo Alto Networks User-ID agent monitors the servers for login events and performs the IP address-to-username mapping. The way you configure the User-ID agent depends on the size of your environment and the location of your domain servers. As a best practice, you should locate your User-ID agents near your monitored servers (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a small amount of traffic (the delta of IP address mappings since the last update) from the agent to the firewall.
The following topics describe how to install and configure the User-ID Agent and how to configure the firewall to retrieve user mapping information from the agent:
• Install the User-ID Agent
• Configure the User-ID Agent for User Mapping

Install the User-ID Agent
The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer will automatically remove the older version; however, it is a good idea to back up the config.xml file before running the installer.
For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.

Install the Windows User-ID Agent
Step 1  Decide where to install the User-ID agent.
The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure Calls (MS-RPCs), which require a complete transfer of the entire log at each query. Therefore, always install one or more User-ID agents at each site that has servers to be monitored.
For more detailed information on where to install User-ID agents, refer to Architecting User Identification (User-ID) Deployments.
• You must install the User-ID agent on a system running one of the supported OS versions: see Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
• Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
• As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall, so locating the agent close to the monitored servers optimizes bandwidth usage).
• To ensure the most comprehensive mapping of users, you must monitor all servers that contain user login information. You might need to install multiple User-ID agents to efficiently monitor all of your resources.

Step 2  Download the User-ID agent installer.
As a best practice, install the User-ID agent version that is the same as the PAN-OS version running on the firewalls.
1. Log in to the Palo Alto Networks Customer Support website.
2. Select Software Updates from the Manage Devices section.
3. Scroll to the User Identification Agent section of the screen and Download the version of the User-ID agent you want to install.
4. Save the UaInstall-x.x.x-xx.msi file on the system(s) where you plan to install the agent.

Step 3  Run the installer as an administrator.
1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
   C:\Users\administrator.acme>cd Desktop
   C:\Users\administrator.acme\Desktop>UaInstall-6.0.0-1.msi
3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\User-ID Agent folder, but you can Browse to a different location.
4. When the installation completes, Close the setup window.

Install the Windows User-ID Agent (Continued)
Step 4  Launch the User-ID Agent application.
Open the Windows Start menu and select User-ID Agent.

Step 5  (Optional) Change the service account that the User-ID agent uses to log in.
By default, the agent uses the administrator account used to install the .msi file. However, you may want to switch this to a restricted account as follows:
1. Select User Identification > Setup and click Edit.
2. Select the Authentication tab and enter the service account name that you want the User-ID agent to use in the User name for Active Directory field.
3. Enter the Password for the specified account.

Step 6  (Optional) Assign account permissions to the installation folder.
You only need to perform this step if the service account you configured for the User-ID agent is not a member of the administrators group for the domain or a member of both the Server Operators and the Event Log Readers groups.
1. Give the service account permissions to the installation folder:
   a. From the Windows Explorer, navigate to C:\Program Files\Palo Alto Networks, right-click the folder, and select Properties.
   b. On the Security tab, Add the User-ID agent service account and assign it permissions to Modify, Read & execute, List folder contents, and Read, and then click OK to save the account settings.
2. Give the service account permissions to the User-ID Agent registry subtree:
   a. Run regedit32 and navigate to the Palo Alto Networks subtree in one of the following locations:
      32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
      64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
   b. Right-click the Palo Alto Networks node and select Permissions.
   c. Assign the User-ID service account Full Control and then click OK to save the setting.
3. On the domain controller, add the service account to the built-in groups to enable privileges to read the security log events (Event Log Reader group) and open sessions (Server Operator group):
   a. Run the MMC and Launch the Active Directory Users and Computers snap-in.
   b. Navigate to the Builtin folder for the domain and then right-click each group you need to edit (Event Log Reader and Server Operator) and select Add to Group to open the properties dialog.
   c. Click Add and enter the name of the service account that you configured the User-ID service to use and then click Check Names to validate that you have the proper object name.
   d. Click OK twice to save the settings.

Configure the User-ID Agent for User Mapping
The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network (for example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers) and monitors the logs for login events. The agent uses this information to map IP addresses to usernames. Palo Alto Networks firewalls connect to the User-ID agent to retrieve this user mapping information, enabling visibility into user activity by username rather than IP address and enabling user- and group-based security enforcement.
For information about the server OS versions supported by the User-ID agent, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.

Map IP Addresses to Users Using the Windows-based User-ID Agent
Step 1  Define the servers the User-ID agent will monitor to collect IP address-to-user mapping information.
The User-ID agent can monitor up to 100 servers, of which up to 50 can be syslog senders.
To collect all of the required mappings, the User-ID agent must connect to all servers that your users log in to, in order to monitor the security log files on all servers that contain login events.
1. Open the Windows Start menu and select User-ID Agent.
2. Select User Identification > Discovery.
3. In the Servers section of the screen, click Add.
4. Enter a Name and Server Address for the server to be monitored. The network address can be a FQDN or an IP address.
5. Select the Server Type (Microsoft Active Directory, Microsoft Exchange, Novell eDirectory, or Syslog Sender) and then click OK to save the server entry. Repeat this step for each server to be monitored.
6. (Optional) To enable the firewall to automatically discover domain controllers on your network using DNS lookups, click Auto Discover.
   The auto-discovery locates domain controllers in the local domain only; you must manually add Exchange servers, eDirectory servers, and syslog senders.
7. (Optional) To tune the frequency at which the firewall polls configured servers for mapping information, select User Identification > Setup and Edit the Setup section. On the Server Monitor tab, modify the value in the Server Log Monitor Frequency (seconds) field. As a best practice, you should increase the value in this field to 5 seconds in environments with older Domain Controllers or high-latency links. Click OK to save the changes.

Map IP Addresses to Users Using the Windows-based User-ID Agent (Continued)
Step 2  (Optional) If you configured the agent to connect to a Novell eDirectory server, you must specify how the agent should search the directory.
1. Select User Identification > Setup and click Edit in the Setup section of the window.
2. Select the eDirectory tab and then complete the following fields:
   • Search Base: The starting point or root context for agent queries, for example: dc=domain1, dc=example, dc=com.
   • Bind Distinguished Name: The account to use to bind to the directory, for example: cn=admin, ou=IT, dc=domain1, dc=example, dc=com.
   • Bind Password: The bind account password. The agent saves the encrypted password in the configuration file.
   • Search Filter: The search query for user entries (default is objectClass=Person).
   • Server Domain Prefix: A prefix to uniquely identify the user. This is only required if there are overlapping name spaces, such as different users with the same name from two different directories.
   • Use SSL: Select the check box to use SSL for eDirectory binding.
   • Verify Server Certificate: Select the check box to verify the eDirectory server certificate when using SSL.

Step 3  (Optional) Enable client probing.
Client probing is useful in environments where IP addresses are not tightly bound to users because it ensures that previously mapped addresses are still valid. However, as the total number of learned IP addresses grows, so does the amount of traffic generated. As a best practice, enable probing only on network segments where IP address turnover is high.
For more details on the placement of User-ID agents using client probing, refer to Architecting User Identification (User-ID) Deployments.
1. On the Client Probing tab, select the Enable WMI Probing check box and/or the Enable NetBIOS Probing check box.
   By default, WMI probing excludes client systems with public IPv4 addresses. (Public IPv4 addresses are those outside the scope of RFC 1918 and RFC 3927.) To enable WMI probing for such addresses, you must explicitly include them as follows. However, note that if you explicitly include specific subnetworks, the firewall implicitly excludes all other subnetworks. Therefore, if you add subnetworks for public IPv4 addresses, you must also add all the other subnetworks that WMI probing should include.
   a. Select User Identification > Discovery.
   b. Add each subnetwork of public IPv4 addresses to the Include/Exclude list of configured networks list.
   c. Set the discovery option to Include specified network.
   d. Enter a Name to identify the subnetwork.
   e. Enter the IP address range of the subnetwork in the Network Address field.
   f. Click OK.
2. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.
   For NetBIOS probing to work effectively, each probed client PC must allow port 139 in the Windows firewall and must also have file and printer sharing services enabled. WMI probing is always preferred over NetBIOS whenever possible.

Map IP Addresses to Users Using the Windows-based User-ID Agent (Continued)
Step 4  Save the configuration.
Click OK to save the User-ID agent setup settings and then click Commit to restart the User-ID agent and load the new settings.

Step 5  (Optional) Define the set of users for which you do not need to provide IP address-to-username mappings, such as kiosk accounts.
You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive Portal.
Create an ignore_user_list.txt file and save it to the User-ID Agent folder on the domain server where the agent is installed. List the user accounts to ignore; there is no limit to the number of accounts you can add to the list. Each user account name must be on a separate line. For example:
SPAdmin
SPInstall
TFSReport
You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\itadmin* would match all administrators in the corpdomain domain whose usernames start with the string itadmin.

Step 6  Configure the firewalls to connect to the User-ID agent.
Complete the following steps on each firewall you want to connect to the User-ID agent to receive user mappings:
1. Select Device > User Identification > User-ID Agents and click Add.
2. Enter a Name for the User-ID agent.
3. Enter the IP address of the Windows Host on which the User-ID Agent is installed.
4. Enter the Port number (1-65535) on which the agent will listen for user mapping requests. This value must match the value configured on the User-ID agent. By default, the port is set to 5007 on the firewall and on newer versions of the User-ID agent. However, some older User-ID agent versions use port 2010 as the default.
5. Make sure that the configuration is Enabled, then click OK.
6. Commit the changes.
7. Verify that the Connected status displays as connected (a green light).

Step 7  Verify that the User-ID agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
1. Launch the User-ID agent and select User Identification.
2. Verify that the agent status shows Agent is running. If the Agent is not running, click Start.
3. To verify that the User-ID agent can connect to monitored servers, make sure the Status for each Server is Connected.
4. To verify that the firewalls can connect to the User-ID agent, make sure the Status for each of the Connected Devices is Connected.
5. To verify that the User-ID agent is mapping IP addresses to usernames, select Monitoring and make sure that the mapping table is populated. You can also Search for specific users, or Delete user mappings from the list.

Configure User Mapping Using the PAN-OS Integrated User-ID Agent
The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).

Map IP Addresses to Users Using the Integrated User-ID Agent
Step 1  Add an Active Directory account for the User-ID agent to access the services and hosts it will monitor for collecting user mapping information.
• Windows 2008 or later domain servers: Add the account to the Event Log Readers group. If you are using the PAN-OS integrated User-ID agent, the account must also be a member of the Distributed COM Users Group.
• WMI probing: Make sure the account has rights to read the CIMV2 namespace; by default, Domain Administrator and Server Operator accounts have this permission.
• NTLM authentication: Because the firewall must join the domain if you are using Captive Portal NTLM authentication with a PAN-OS integrated User-ID agent, the Windows account you create for NTLM access must have administrative privileges. Note that due to AD restrictions on virtual systems running on the same host, if the firewall has multiple virtual systems, only vsys1 will be able to join the domain.

Map IP Addresses to Users Using the Integrated User-ID Agent (Continued)
Step 2  Define the servers that the firewall will monitor to collect user mapping information.
Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
To collect all the required mappings, the firewall must connect to all servers that your users log in to so it can monitor the Security log files on all servers that contain login events.
1. Select Device > User Identification > User Mapping.
2. Click Add in the Server Monitoring section.
3. Enter a Name to identify the server.
4. Select the Type of server.
5. Enter the Network Address (an FQDN or IP address) of the server.
6. Make sure the server profile is Enabled and click OK.
7. (Optional) Click Discover if you want the firewall to automatically discover domain controllers on your network using DNS lookups.
   The auto-discovery feature is for domain controllers only; you must manually add any Exchange servers or eDirectory servers you want to monitor.
8. (Optional) Specify the frequency at which the firewall polls Windows servers for mapping information. This is the interval between the end of the last query and the start of the next query.
   If the query load is high, the observed delay between queries might significantly exceed the specified frequency.
   a. Edit the Palo Alto Networks User ID Agent Setup.
   b. Select the Server Monitor tab and specify the Server Log Monitor Frequency in seconds (default is 2, range is 1-3600).
      As a best practice, increase the value in this field to 5 seconds in environments with older domain controllers or high-latency links.
   c. Click OK to save the changes.

Step 3  Set the domain credentials for the account the firewall will use to access Windows resources. This is required for monitoring Exchange servers and domain controllers as well as for WMI probing.
1. Edit the Palo Alto Networks User-ID Agent Setup.
2. Select the WMI Authentication tab and enter the User Name and Password for the account that the User-ID agent will use to probe the clients and monitor servers. Enter the user name using the domain\username syntax.

Map IP Addresses to Users Using the Integrated User-ID Agent (Continued)
Step 4  (Optional) Enable WMI probing.
The PAN-OS integrated User-ID agent does not support NetBIOS probing; only the Windows-based User-ID agent supports it.
1. Select the Client Probing tab and select the Enable Probing check box.
2. (Optional) Modify the Probe Interval (in minutes) if necessary to ensure it is long enough for the User-ID agent to probe all the learned IP addresses (default is 20, range is 1-1440). This is the interval between the end of the last probe request and the start of the next request.
   If the request load is high, the observed delay between requests might significantly exceed the specified interval.
3. (Optional) Enable WMI probing for public IPv4 addresses if desired. (Public IPv4 addresses are those outside the scope of RFC 1918 and RFC 3927.) By default, WMI probing excludes client systems with public IPv4 addresses.
   If you include any subnetworks in the Include/Exclude Networks list, the firewall implicitly excludes all subnetworks that are not in the list. Therefore, if you add subnetworks for public IPv4 addresses, you must also add all the other subnetworks that WMI probing should include.
   a. Select Device > User Identification > User Mapping.
   b. Add each subnetwork of public IPv4 addresses to the Include/Exclude Networks list.
   c. Enter a Name to identify the subnetwork.
   d. Set the Discovery option to Include.
   e. Enter the IP address range of the subnetwork in the Network Address field.
   f. Ensure the subnetwork is Enabled and click OK.
4. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.
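The following added example (not Palo Alto Networks code) models the Include/Exclude Networks decision described in this step and in the Windows agent's client probing step: the default RFC 1918 and RFC 3927 probe scope, and the implicit exclusion of every other subnetwork once any include entry exists, which is why a public range added on its own silently stops probing of the private LAN. The sample addresses, the NetworkEntry shape and the rule that an explicit exclude overrides an include are constructed assumptions, not behaviour stated on the page.

```python
"""Which learned client IPs WMI probing would target under the User-ID agent's
Include/Exclude Networks rules (added example; not Palo Alto Networks code)."""
import ipaddress
from typing import Iterable, List, NamedTuple


class NetworkEntry(NamedTuple):
    """One row of the Include/Exclude Networks list (constructed shape)."""
    name: str
    network: str          # e.g. "10.0.0.0/8"
    discovery: str        # "include" or "exclude"
    enabled: bool = True


# With no entries configured, probing is limited to RFC 1918 and RFC 3927 space.
DEFAULT_PROBE_SCOPE: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def is_public_ipv4(ip: str) -> bool:
    """Public here means outside RFC 1918 and RFC 3927, as the guide defines it."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in net for net in DEFAULT_PROBE_SCOPE)


def should_probe(ip: str, entries: Iterable[NetworkEntry]) -> bool:
    """Return True if the agent would send a WMI probe to this address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    active = [e for e in entries if e.enabled]
    includes = [ipaddress.ip_network(e.network) for e in active if e.discovery == "include"]
    excludes = [ipaddress.ip_network(e.network) for e in active if e.discovery == "exclude"]
    # Assumption: an explicit exclude always wins over an include for the same address.
    if any(addr in net for net in excludes):
        return False
    if includes:
        # Once any include entry exists, everything not listed is implicitly excluded,
        # so an include list for public space must also list the private subnets.
        return any(addr in net for net in includes)
    # Assumption: with only exclude entries (or none), the default scope applies.
    return not is_public_ipv4(ip)


def probe_targets(learned_ips: Iterable[str], entries: Iterable[NetworkEntry]) -> List[str]:
    """Filter learned mappings down to the addresses that would actually be probed."""
    entries = list(entries)
    return [ip for ip in learned_ips if should_probe(ip, entries)]


if __name__ == "__main__":
    # Constructed sample: a branch that uses a public /24 internally, plus private LANs.
    learned = ["192.168.3.212", "203.0.113.25", "10.20.0.7", "198.51.100.9"]
    print(probe_targets(learned, []))                 # default scope: private only
    public_only = [NetworkEntry("branch-public", "203.0.113.0/24", "include")]
    print(probe_targets(learned, public_only))        # the private LAN is now skipped
    complete = public_only + [NetworkEntry("lan", "192.168.0.0/16", "include"),
                              NetworkEntry("dc", "10.20.0.0/16", "include")]
    print(probe_targets(learned, complete))           # public /24 plus both private nets
```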

Step 5  (Optional) Define the set of users for which you don't require IP address-to-username mappings, such as kiosk accounts.
You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive Portal.
Select the Ignore User List tab and Add each username to exclude from user mapping. You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* would match all administrators in the corpdomain domain whose usernames start with the string it-admin. You can add up to 5,000 entries to exclude from user mapping.

Step 6  Activate your configuration changes.
Click OK and Commit.

Step 7  Verify the configuration.
1. Access the firewall CLI.
2. Enter the following operational command:
   > show user server-monitor state all
3. On the Device > User Identification > User Mapping tab in the web interface, verify that the Status of each server you configured for server monitoring is Connected.

Configure User-ID to Receive User Mappings from a Syslog Sender
The following topics describe how to configure the PAN-OS integrated User-ID agent or Windows-based User-ID agent as a Syslog listener:
• Configure the Integrated User-ID Agent as a Syslog Listener
• Configure the Windows User-ID Agent as a Syslog Listener

Configure the Integrated User-ID Agent as a Syslog Listener
The following workflow describes how to configure the PAN-OS integrated User-ID agent to receive syslog messages from authenticating services.
The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.

Collect User Mappings from Syslog Senders
Step 1  Determine whether there is a predefined syslog filter for your particular syslog senders.
Palo Alto Networks provides several predefined syslog filters, which are delivered as Application content updates and are therefore updated dynamically as new filters are developed. The predefined filters are global to the firewall, whereas manually defined filters apply to a single virtual system only.
Any new syslog filters in a given content release will be documented in the corresponding release note along with the specific regex used to define the filter.
1. Verify that your Application or Application and Threat database is up to date:
   a. Select Device > Dynamic Updates.
   b. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates.
   c. If a new update is available, Download and Install it.
2. Check to see what predefined filters are available:
   a. Select Device > User Identification > User Mapping.
   b. In the Server Monitoring section of the screen, click Add.
   c. Select Syslog Sender as the server Type.
   d. Select the Filter drop-down and check to see if there is a filter for the manufacturer and product you plan to forward syslogs from. If the filter you need is available, skip to Step 5 for instructions on defining the servers. If the filter you need is not available, continue to Step 2.

Collect User Mappings from Syslog Senders (Continued)
Step 2  Manually define syslog filters for extracting the User-ID IP address-to-username mapping information from syslog messages.
In order to be parsed by the User-ID agent, syslog messages must meet the following criteria:
• Each syslog message must be a single-line text string. Line breaks are delimited by a carriage return and a newline (\r\n) or a newline (\n).
• The maximum allowed size of an individual syslog message is 2048 bytes.
• Syslog messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets.
• A single packet may contain multiple syslog messages.
1. Review the syslogs generated by the authenticating service to identify the syntax of the login events. This enables you to create the matching patterns that will allow the firewall to identify and extract the authentication events from the syslogs.
   While reviewing the syslogs, also determine whether the domain name is included in the log entries. If the authentication logs do not contain domain information, consider defining a default domain name when adding the syslog sender to the monitored servers list in Step 5.
2. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup section.
3. Select the Syslog Filters tab and Add a Syslog Parse profile.
4. Enter a name for the Syslog Parse Profile.
5. Specify the Type of parsing to use to filter out the user mapping information:
   • Regex Identifier: With this type of parsing, you specify regular expressions to describe search patterns for identifying and extracting user mapping information from syslog messages. Continue to Step 3 for instructions on creating the regex identifiers.
   • Field Identifier: With this type of parsing, you specify a string to match the authentication event, and prefix and suffix strings to identify the user mapping information in the syslogs. Continue to Step 4 for instructions on creating the field identifiers.

Collect User Mappings from Syslog Senders (Continued)
Step 3  If you selected Regex Identifier as the parsing Type, create the regex matching patterns for identifying the authentication events and extracting the user mapping information.
This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event Regex field. For example, when matched against the example syslog message, the following regex instructs the firewall to extract the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character: (authentication\ success){1}.
2. Enter the regex for identifying the beginning of the username in the authentication success messages in the Username Regex field. For example, the regex User:([a-zA-Z0-9\\\._]+) would match the string User:johndoe1 in the example message and extract acme\johndoe1 as the User-ID.
   If the syslogs do not contain domain information and you require domain names in your user mappings, be sure to enter the Default Domain Name when defining the monitored server entry in Step 5.
   If the syslog contains a standalone space or tab as a delimiter, you must use an \s (for a space) and a \t (for a tab) for the agent to parse the syslog.
3. Enter the regex for identifying the IP address portion of the authentication success messages in the Address Regex field. For example, the following regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) would match an IPv4 address (Source:192.168.0.212 in the example syslog).
4. Click OK.

Step 4  If you selected Field Identifier as the parsing Type, define the string matching patterns for identifying the authentication events and extracting the user mapping information.
This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event String field. For example, when matched against the sample syslog message, you would enter the string authentication success to identify authentication events in the syslog.
2. Enter the matching string for identifying the beginning of the username field within the authentication syslog message in the Username Prefix field. For example, the string User: identifies the beginning of the username field in the sample syslog.
   If the syslog contains a standalone space and/or tab as a delimiter, you must use an \s (for a space) and/or \t (for a tab) in order for the agent to parse the syslog.
3. Enter the Username Delimiter to mark the end of the username field within an authentication syslog message. For example, if the username is followed by a space, you would enter \s to indicate that the username field is delimited by a standalone space in the sample log.
4. Enter the matching string for identifying the beginning of the IP address field within the authentication event log in the Address Prefix field. For example, the string Source: identifies the beginning of the address field in the example log.
5. Enter the Address Delimiter to mark the end of the IP address field within the authentication success message within the field. For example, if the address is followed by a line break, you would enter \n to indicate that the address field is delimited by a new line.
6. Click OK.
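The following added example (not PAN-OS code) applies the Regex Identifier patterns from Step 3 and the Field Identifier settings from Step 4 to a constructed packet that follows the Step 2 criteria: several single-line messages in one packet, delimited by \r\n or \n, each at most 2048 bytes. The packet contents, the failed-login and domain-qualified messages, and the choice to drop oversize messages are assumptions for the example; the page states the size limit but not what the agent does with a message that exceeds it.

```python
"""Apply User-ID Syslog Parse profiles to received messages, both the Regex Identifier
and the Field Identifier way (added example; not PAN-OS code)."""
import re
from typing import List, Optional, Tuple

MAX_SYSLOG_BYTES = 2048          # maximum size of one syslog message per the guide
Mapping = Tuple[str, str]        # (username, IP address)

# Regex Identifier profile: the three patterns from Step 3
EVENT_REGEX = re.compile(r"(authentication\ success){1}")
USERNAME_REGEX = re.compile(r"User:([a-zA-Z0-9\\\._]+)")
ADDRESS_REGEX = re.compile(r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")

# Delimiter spellings the profile accepts for whitespace and line breaks
_DELIMITERS = {r"\s": " ", r"\t": "\t", r"\n": "\n"}


def split_packet(data: bytes) -> List[str]:
    """Split one received packet into messages: a packet may carry several single-line
    messages delimited by CR LF or LF. Messages over 2048 bytes are dropped here
    (assumption: the guide states the limit but not the agent's behaviour)."""
    messages = []
    for raw in re.split(rb"\r\n|\n", data):
        if raw and len(raw) <= MAX_SYSLOG_BYTES:
            messages.append(raw.decode("utf-8", errors="replace"))
    return messages


def parse_regex(message: str) -> Optional[Mapping]:
    """Regex Identifier: the event regex selects the message, the other two extract fields."""
    if not EVENT_REGEX.search(message):
        return None
    user = USERNAME_REGEX.search(message)
    addr = ADDRESS_REGEX.search(message)
    if not user or not addr:
        return None
    return user.group(1), addr.group(1)


def _field(line: str, prefix: str, delimiter: str) -> Optional[str]:
    """Text between a prefix and the next delimiter, or None if either is missing."""
    start = line.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = line.find(_DELIMITERS.get(delimiter, delimiter), start)
    return None if end < 0 else line[start:end]


def parse_field(message: str, event: str = "authentication success",
                user_prefix: str = "User:", user_delim: str = r"\s",
                addr_prefix: str = "Source:", addr_delim: str = r"\n") -> Optional[Mapping]:
    """Field Identifier with the Step 4 settings as defaults. The line break that
    split_packet removed is re-attached so that a LF delimiter terminates the last field."""
    if event not in message:
        return None
    line = message + "\n"
    user = _field(line, user_prefix, user_delim)
    addr = _field(line, addr_prefix, addr_delim)
    if user is None or addr is None:
        return None
    return user, addr


def mappings_from_packet(data: bytes, mode: str = "regex") -> List[Mapping]:
    """Run every message in a packet through the chosen profile type."""
    parser = parse_regex if mode == "regex" else parse_field
    found = [parser(msg) for msg in split_packet(data)]
    return [m for m in found if m is not None]


# Constructed packet: three messages in one datagram; the second is a failed login
# and must not produce a mapping, the third carries a domain-qualified user name.
SAMPLE_PACKET = (
    b"[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success "
    b"User:johndoe1 Source:192.168.3.212\n"
    b"[Tue Jul 5 13:15:09 2005 CDT] Administrator authentication failure "
    b"User:mallory Source:192.168.3.99\n"
    b"[Tue Jul 5 13:16:30 2005 CDT] Administrator authentication success "
    b"User:acme\\jsmith Source:10.1.2.3\r\n"
)

if __name__ == "__main__":
    print(mappings_from_packet(SAMPLE_PACKET, "regex"))
    print(mappings_from_packet(SAMPLE_PACKET, "field"))
```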


Collect User Mappings from Syslog Senders (Continued)
Step 5  Define the servers that will send syslog messages to the firewall for user mapping purposes.
Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
The firewall will discard any syslog messages received from servers that are not on this list.
1. Select Device > User Identification > User Mapping and, in the Server Monitoring section, click Add.
2. Enter a Name to identify the server.
3. Make sure the server profile is Enabled (default).
4. Select Syslog Sender as the server Type.
5. Enter the Network Address of the syslog server (IP address or FQDN).
6. Select the Syslog Parse profile you configured as a Filter.
7. Select UDP or SSL (default) as the Connection Type.
   Use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages when using agentless User Mapping on a firewall. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.
   A Syslog sender using SSL to connect will only show a Status of Connected when there is an active SSL connection. Syslog senders using UDP will not show a Status value.
8. (Optional) If the syslogs that the authenticating firewall sends do not include domain information in the login event logs, enter the Default Domain Name to append to the user mappings.
9. Click OK to save the settings.

Step 6
Enable syslog listener services in the management profile associated with the interface used for user mapping.

1. Select Network > Network Profiles > Interface Mgmt and edit an existing Interface Management profile or Add a new profile.

2. Select User-ID Syslog Listener-SSL and/or User-ID Syslog Listener-UDP, depending on the protocols you defined for the syslog senders in the Server Monitoring list.
On the Windows User-ID agent, the default listening port for syslog over UDP or TCP is 514, but the port value is configurable. For the agentless User Mapping feature on the firewall, only syslog over UDP and SSL are supported and the listening ports (514 for UDP and 6514 for SSL) are not configurable; they are enabled through the management service only.

3. Click OK to save the interface management profile.
Even after enabling the User-ID Syslog Listener service on the interface, the interface will only accept syslog connections from servers that have a corresponding entry in the User-ID monitored servers configuration. The firewall discards connections or messages from servers that are not on the list.

4. If you created a new Interface Management profile, assign it to the interface used for user mapping:
a. Select Network > Interfaces and edit the interface.
b. Select Advanced > Other info, select the Interface Management Profile you just added, and click OK.

Step 7
Save the configuration.

Click Commit to save the configuration.

Step 8
Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:

To see the status of a particular syslog sender:
admin@PA-5050> show user server-monitor state Syslog2
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is enabled
Proxy: Syslog2(vsys: vsys1)
Host: Syslog2(10.5.204.41)
number of log messages                 : 1000
number of auth. success messages       : 1000
number of active connections           : 0
total connections made                 : 4

To see how many log messages came in from syslog senders and how many entries were successfully mapped:
admin@PA-5050> show user server-monitor statistics
Directory Servers:
Name        TYPE        Host           Vsys    Status
----------------------------------------------------------------------------
AD          AD          10.2.204.43    vsys1   Connected
Syslog Servers:
Name        Connection  Host           Vsys    Status
----------------------------------------------------------------------------
Syslog1     UDP         10.5.204.40    vsys1   N/A
Syslog2     SSL         10.5.204.41    vsys1   Not connected

To see how many user mappings were discovered through syslog senders:
admin@PA-5050> show user ip-user-mapping all type SYSLOG
IP               Vsys    From     User                              IdleTimeout(s)  MaxTimeout(s)
---------------  ------  -------  --------------------------------  --------------  -------------
192.168.3.8      vsys1   SYSLOG   acme\jreddick                     2476            476
192.168.5.39     vsys1   SYSLOG   acme\jdonaldson                   2480            480
192.168.2.147    vsys1   SYSLOG   acme\ccrisp                       2476            476
192.168.2.175    vsys1   SYSLOG   acme\jjaso                        2476            476
192.168.4.196    vsys1   SYSLOG   acme\jblevins                     2480            480
192.168.4.103    vsys1   SYSLOG   acme\bmoss                        2480            480
192.168.2.193    vsys1   SYSLOG   acme\esogard                      2476            476
192.168.2.119    vsys1   SYSLOG   acme\acallaspo                    2476            476
192.168.3.176    vsys1   SYSLOG   acme\jlowrie                      2478            478
Total: 9 users

Configure the Windows User-ID Agent as a Syslog Listener

The following workflow describes how to configure a Windows-based User-ID agent to listen for syslogs from authenticating services.

The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, use TCP instead of UDP. In either case, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.

Configure the Windows User-ID Agent to Collect User Mappings from Syslog Senders

Step 1
Manually define syslog filter(s) for extracting the User-ID IP address-to-username mapping information from syslog messages.
In order to be parsed by the User-ID agent, syslog messages must meet the following criteria:
Each syslog message must be a single-line text string. Line breaks are delimited by a carriage return and a newline (\r\n) or a newline (\n).
The maximum allowed size of an individual syslog message is 2048 bytes.
Syslog messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets.
A single packet may contain multiple syslog messages.

1. Open the Windows Start menu and select User-ID Agent.

2. Review the syslogs generated by the authenticating service to identify the syntax of the login events. This enables you to create the matching patterns that will allow the firewall to identify and extract the authentication events from the syslogs.
While reviewing the syslogs, also determine whether the domain name is included in the log entries. If the authentication logs do not contain domain information, consider defining a default domain name when adding the syslog sender to the monitored servers list in Step 5.

3. Select User Identification > Setup and click Edit in the Setup section of the dialog.

4. On the Syslog tab, Add a Syslog Parse profile.

5. Enter a Profile Name and Description.

6. Specify the Type of parsing to use to filter out the user mapping information by selecting one of the following options:
Regex: With this type of parsing, you specify regular expressions to describe search patterns for identifying and extracting user mapping information from syslog messages. Continue to Step 3 for instructions on creating the regex identifiers.
Field: With this type of parsing, you specify a string to match the authentication event, and prefix and suffix strings to identify the user mapping information in the syslogs. Continue to Step 4 for instructions on creating the field identifiers.

Step 2
If you selected Regex as the parsing Type, create the regex matching patterns for identifying the authentication events and extracting the user mapping information.
This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212

1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event Regex field. For example, when matched against the example syslog message, the following regex instructs the firewall to extract the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character: (authentication\ success){1}.

2. Enter the regex for identifying the beginning of the username in the authentication success messages in the Username Regex field. For example, the regex User:([a-zA-Z0-9\\\._]+) would match the string User:johndoe1 in the example message and extract acme\johndoe1 as the User-ID.
If the syslogs do not contain domain information and you require domain names in your user mappings, be sure to enter the Default Domain Name when defining the monitored server entry in Step 5.
If the syslog contains a standalone space or tab as a delimiter, you must use an \s (for a space) and \t (for a tab) for the agent to parse the syslog.

3. Enter the regex for identifying the IP address portion of the authentication success messages in the Address Regex field. For example, the following regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) would match an IPv4 address (Source:192.168.0.212 in the example syslog).

4. Click OK to save the profile.

Step 3
If you selected Field Identifier as the parsing Type, define the string matching patterns for identifying the authentication events and extracting the user mapping information.
This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212

1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event String field. For example, when matched against the sample syslog message, you would enter the string authentication success to identify authentication events in the syslog.

2. Enter the matching string for identifying the beginning of the username field within the authentication syslog message in the Username Prefix field. For example, the string User: identifies the beginning of the username field in the sample syslog.
If the syslog contains a standalone space or tab as a delimiter, you must use an \s (for a space) and \t (for a tab) for the agent to parse the syslog.

3. Enter the Username Delimiter to mark the end of the username field within an authentication syslog message. For example, if the username is followed by a space, you would enter \s to indicate that the username field is delimited by a standalone space in the sample log.

4. Enter the matching string for identifying the beginning of the IP address field within the authentication event log in the Address Prefix field. For example, the string Source: identifies the beginning of the address field in the example log.

5. Enter the Address Delimiter to mark the end of the IP address field within the authentication success message. For example, if the address is followed by a line break, you would enter \n to indicate that the address field is delimited by a newline.

6. Click OK to save the profile.
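As an added example that is not part of the original guide, the following Python script simulates what a Syslog Parse profile does in Steps 2 and 3 and applies the message criteria from Step 1: it splits one packet into single-line messages, drops oversize ones, matches the guide's sample message with both a Regex and a Field Identifier profile, re-validates the extracted address, and appends the Default Domain Name. The packet contents, the helper names, and the treatment of a \n delimiter as "up to the end of the message" are assumptions, not behaviour documented by Palo Alto Networks.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

MAX_SYSLOG_BYTES = 2048  # largest individual message the agent will parse (Step 1)

# Constructed packet payload: the guide's sample message plus three made-up lines that
# exercise a failed login, a domain-qualified user and a syntactically bad address.
SAMPLE_PACKET = (
    b"[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212\r\n"
    b"[Tue Jul 5 13:16:10 2005 CDT] Administrator authentication failure User:mallory Source:192.168.3.99\n"
    b"[Tue Jul 5 13:17:31 2005 CDT] Administrator authentication success User:acme\\jsmith Source:10.1.2.3\n"
    b"[Tue Jul 5 13:18:02 2005 CDT] Administrator authentication success User:bob Source:999.1.2.3\n"
)


@dataclass
class RegexProfile:
    """Syslog Parse profile of Type Regex (Step 2 fields)."""
    event_regex: str
    username_regex: str
    address_regex: str


@dataclass
class FieldProfile:
    """Syslog Parse profile of Type Field Identifier (Step 3 fields)."""
    event_string: str
    username_prefix: str
    username_delimiter: str
    address_prefix: str
    address_delimiter: str


Profile = Union[RegexProfile, FieldProfile]
DELIMITER_ESCAPES = {r"\s": " ", r"\t": "\t", r"\n": "\n"}  # as typed into the profile


def split_packet(payload: bytes) -> List[str]:
    """One packet may carry several single-line messages delimited by \\r\\n or \\n."""
    messages = []
    for raw in payload.replace(b"\r\n", b"\n").split(b"\n"):
        if raw and len(raw) <= MAX_SYSLOG_BYTES:  # empty and oversize lines are dropped
            messages.append(raw.decode("utf-8", errors="replace"))
    return messages


def _between(msg: str, prefix: str, delimiter: str) -> Optional[str]:
    """Text after the first prefix up to the delimiter. Assumption: a \\n delimiter on a
    single-line message means 'up to the end of the message'."""
    start = msg.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = msg.find(DELIMITER_ESCAPES.get(delimiter, delimiter), start)
    value = msg[start:end if end >= 0 else len(msg)]
    return value or None


def match_event(msg: str, profile: Profile) -> Optional[Tuple[str, str]]:
    """Return (username, address) when msg is a successful authentication event, else None."""
    if isinstance(profile, RegexProfile):
        if not re.search(profile.event_regex, msg):
            return None
        user = re.search(profile.username_regex, msg)
        addr = re.search(profile.address_regex, msg)
        if not user or not addr:
            return None
        return user.group(1), addr.group(1)
    if profile.event_string not in msg:
        return None
    user = _between(msg, profile.username_prefix, profile.username_delimiter)
    addr = _between(msg, profile.address_prefix, profile.address_delimiter)
    return None if user is None or addr is None else (user, addr)


def collect_mappings(messages, profile: Profile, default_domain: Optional[str] = None):
    """Build the (IP, user) mappings the agent would report. The Address Regex above accepts
    octets such as 999, so each extracted address is re-validated before it is mapped."""
    mappings: List[Tuple[str, str]] = []
    for msg in messages:
        hit = match_event(msg, profile)
        if hit is None:
            continue
        user, addr = hit
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            continue  # not a usable address: do not create a mapping from it
        if default_domain and "\\" not in user:  # Default Domain Name (Step 5)
            user = f"{default_domain}\\{user}"
        mappings.append((ip, user))
    return mappings


REGEX_PROFILE = RegexProfile(
    event_regex=r"(authentication\ success){1}",
    username_regex=r"User:([a-zA-Z0-9\\\._]+)",
    address_regex=r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",
)
FIELD_PROFILE = FieldProfile(
    event_string="authentication success",
    username_prefix="User:", username_delimiter=r"\s",
    address_prefix="Source:", address_delimiter=r"\n",
)

if __name__ == "__main__":
    for label, profile in (("regex", REGEX_PROFILE), ("field", FIELD_PROFILE)):
        print(label, collect_mappings(split_packet(SAMPLE_PACKET), profile, "acme"))
```

Both profiles yield the same two mappings from the sample packet; the failed login produces none and the 999.x address is rejected even though the guide's regex matches it.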

Step 4
Enable the syslog listening service on the agent.
As a best practice, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.

1. Select the Enable Syslog Service check box.

2. (Optional) Modify the Syslog Service Port number to match the port number used by the syslog sender (default=514).

3. To save the agent syslog configuration, click OK.

Step 5
Define the servers that will send syslog messages to the User-ID agent.
Within the total maximum of 100 servers of all types that the User-ID agent can monitor, up to 50 can be syslog senders.
The User-ID agent will discard any syslog messages received from servers that are not on this list.

1. Select User Identification > Discovery.

2. In the Servers section of the screen, click Add.

3. Enter a Name and Server Address for the server that will send syslogs to the agent.

4. Select Syslog Sender as the Server Type.

5. Select a Filter you defined in Step 1.

6. (Optional) If the syslogs that the authenticating firewall sends do not include domain information in the login event logs, enter the Default Domain Name to append to the user mappings.

7. Click OK to save the settings.

Step 6
Save the configuration.

Click Commit to save the configuration.
Step 7
Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:

To see the status of a particular syslog sender:
admin@PA-5050> show user server-monitor state Syslog2
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is enabled
Proxy: Syslog2(vsys: vsys1)
Host: Syslog2(10.5.204.41)
number of log messages                 : 1000
number of auth. success messages       : 1000
number of active connections           : 0
total connections made                 : 4

To see how many log messages came in from syslog senders and how many entries were successfully mapped:
admin@PA-5050> show user server-monitor statistics
Directory Servers:
Name        TYPE        Host           Vsys    Status
----------------------------------------------------------------------------
AD          AD          10.2.204.43    vsys1   Connected
Syslog Servers:
Name        Connection  Host           Vsys    Status
----------------------------------------------------------------------------
Syslog1     UDP         10.5.204.40    vsys1   N/A
Syslog2     SSL         10.5.204.41    vsys1   Not connected

To see how many user mappings were discovered through syslog senders:
admin@PA-5050> show user ip-user-mapping all type SYSLOG
IP               Vsys    From     User                              IdleTimeout(s)  MaxTimeout(s)
---------------  ------  -------  --------------------------------  --------------  -------------
192.168.3.8      vsys1   SYSLOG   acme\jreddick                     2476            476
192.168.5.39     vsys1   SYSLOG   acme\jdonaldson                   2480            480
192.168.2.147    vsys1   SYSLOG   acme\ccrisp                       2476            476
192.168.2.175    vsys1   SYSLOG   acme\jjaso                        2476            476
192.168.4.196    vsys1   SYSLOG   acme\jblevins                     2480            480
192.168.4.103    vsys1   SYSLOG   acme\bmoss                        2480            480
192.168.2.193    vsys1   SYSLOG   acme\esogard                      2476            476
192.168.2.119    vsys1   SYSLOG   acme\acallaspo                    2476            476
192.168.3.176    vsys1   SYSLOG   acme\jlowrie                      2478            478
Total: 9 users

Map IP Addresses to Usernames Using Captive Portal

If the firewall receives a request from a security zone that has User-ID enabled and the source IP address does not have any user data associated with it yet, the firewall checks its Captive Portal policy rules for a match to determine whether to perform authentication. This is useful in environments where you have clients that are not logged into your domain servers, such as Linux clients. The firewall triggers this user mapping method only for web traffic (HTTP or HTTPS) that matches a Captive Portal rule but has not been mapped using a different method.

Captive Portal Authentication Methods

Captive Portal Modes

Configure Captive Portal

Captive Portal Authentication Methods

Captive Portal uses the following methods to obtain user information from the client when a web request matches a Captive Portal rule:

Authentication Method: Kerberos SSO
Description: The firewall uses Kerberos Single Sign-On (SSO) to transparently obtain user credentials. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account, including a principal name and password.
If Kerberos SSO authentication fails, the firewall falls back to NT LAN Manager (NTLM) authentication. If you don't configure NTLM, or NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.

Authentication Method: NT LAN Manager (NTLM)
Description: The firewall uses an encrypted challenge-response mechanism to obtain the user credentials from the browser. When configured properly, the browser will transparently provide the credentials to the firewall without prompting the user, but will prompt for credentials if necessary.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent.
If you configure Kerberos SSO authentication, the firewall tries that method first before falling back to NTLM authentication. If the browser can't perform NTLM or if NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.
Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google Chrome to also use NTLM but you can't use NTLM to authenticate non-Windows clients.

Authentication Method: Web Form
Description: The firewall redirects web requests to a web form for authentication. You can configure Captive Portal to use a local user database, RADIUS server, TACACS+ server, LDAP server, or Kerberos server to authenticate users. Although the firewall always prompts users for credentials, this method works with all browsers and operating systems.

Authentication Method: Client Certificate Authentication
Description: The firewall prompts the browser to present a valid client certificate to authenticate the user. To use this method, you must provision client certificates on each user system and install the trusted certificate authority (CA) certificate used to issue those certificates on the firewall.

Captive Portal Modes

The Captive Portal mode defines how the firewall captures web requests for authentication:

Mode: Transparent
Description: The firewall intercepts the browser traffic per the Captive Portal rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, you should only use this mode when absolutely necessary, such as in Layer 2 or virtual wire deployments.

Mode: Redirect
Description: The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of the Redirect mode is that it provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring re-mapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they won't need to re-authenticate when the IP address changes as long as the session stays open.
If you use Kerberos SSO or NTLM authentication, you must use Redirect mode because the browser will provide credentials only to trusted sites.

Configure Captive Portal

The following procedure shows how to configure Captive Portal using the PAN-OS integrated User-ID agent to redirect web requests that match a Captive Portal rule to a redirect host. A redirect host is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which the firewall will redirect requests.
If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don't need to configure a User-ID agent.

Configure Captive Portal Using the PAN-OS Integrated User-ID Agent

Step 1
Configure the interfaces that the firewall will use for redirecting web requests, authenticating users, and communicating with directory servers to map usernames to IP addresses.
The firewall uses the management (MGT) interface for all these functions by default, but you can configure other interfaces. In redirect mode, you must use a Layer 3 interface for redirecting requests.

1. (MGT interface only) Select Device > Setup > Management, edit the Management Interface Settings, select the User-ID check box, and click OK.

2. (Non-MGT interface only) Assign an Interface Management profile to the Layer 3 interface that the firewall will use to redirect web requests and communicate with directory servers. You must enable Response Pages and User-ID in the Interface Management profile.

3. (Non-MGT interface only) Configure a service route for the interface that the firewall will use to authenticate users. If the firewall has more than one virtual system (vsys), the service route can be global or vsys-specific. The services must include LDAP and potentially the following:
Kerberos, RADIUS, or TACACS+: Configure a service route for one of these services only if you will use it for external authentication.
UID Agent: Configure this service only if you will enable NT LAN Manager (NTLM) authentication or if you will Enable User- and Group-Based Policy.

4. (Redirect mode only) Create a DNS address (A) record that maps the IP address on the Layer 3 interface to the redirect host. If you will use Kerberos SSO, you must also add a DNS pointer (PTR) record that performs the same mapping.
If your network doesn't support access to the directory servers from any firewall interface, you must Configure User Mapping Using the Windows User-ID Agent.

Step 2
Make sure Domain Name System (DNS) is configured to resolve your domain controller addresses.

To verify proper resolution, ping the server FQDN. For example:
admin@PA-200> ping host dc1.acme.com

Step 3
Create a Kerberos keytab for the redirect host.
Required for Kerberos SSO authentication.

Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the redirect host (the firewall).
To support Kerberos SSO, your network must have a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service.

Step 4
Configure clients to trust Captive Portal certificates.
Required for redirect mode to transparently redirect users without displaying certificate errors. You can generate a self-signed certificate or import a certificate that an external certificate authority (CA) signed.

To use a self-signed certificate, create a root CA certificate and use it to sign the certificate you will use for Captive Portal:

1. Select Device > Certificate Management > Certificates > Device Certificates.

2. Create a Self-Signed Root CA Certificate or import a CA certificate (see Import a Certificate and Private Key).

3. Generate a Certificate to use for Captive Portal. Be sure to configure the following fields:
Common Name: Enter the DNS name of the intranet host for the Layer 3 interface.
Signed By: Select the CA certificate you just created or imported.
Certificate Attributes: Click Add, for the Type select IP and, for the Value, enter the IP address of the Layer 3 interface to which the firewall will redirect requests.

4. Configure an SSL/TLS Service Profile. Assign the Captive Portal certificate you just created to the profile.

5. Configure clients to trust the certificate:
a. Export the CA certificate you created or imported.
b. Import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory (AD) Group Policy Object (GPO).

Step 5
Configure an authentication server profile.
Required for external authentication. If you enable Kerberos SSO or NTLM authentication, the firewall uses the external service only if those methods fail.

Configure a RADIUS Server Profile.
Configure a TACACS+ Server Profile.
Configure an LDAP Server Profile.
Configure a Kerberos Server Profile.
The PAN-OS web server timeout (default is 3 seconds) must be the same as or greater than the server profile timeout multiplied by the number of servers in the profile. For RADIUS and TACACS+, the default server profile Timeout is 3 seconds. For LDAP, the timeout is the total of the Bind Timeout (default is 30 seconds) and Search Timeout (default is 30 seconds) for each server. For Kerberos, the non-configurable timeout can take up to 17 seconds for each server. Also, the Captive Portal session timeout (default is 30 seconds) must be greater than the web server timeout.
To change the web server timeout, enter the following firewall CLI command, where <value> is 3-30 seconds: set deviceconfig setting l3-service timeout <value>.
To change the Captive Portal session timeout, select Device > Setup > Session, edit the Session Timeouts, and enter a new Captive Portal value in seconds (range is 1-1,599,999).
Keep in mind that the more you raise the web server and Captive Portal session timeouts, the slower Captive Portal will respond to users.

Step 6
Add the users and user groups to the local database on the firewall.
Required for local database authentication. If you enable Kerberos SSO and/or NTLM authentication, the firewall uses the local database only if those methods fail.

1. Configure the user account.

2. (Optional) Configure a user group.

Step 7
Add an authentication profile.
The profile defines the authentication methods to use (Kerberos SSO, external service, or local database) when a Captive Portal rule invokes Web Form authentication. Even if you enable NTLM, you must define a secondary authentication method in case NTLM authentication fails or the User-ID agent doesn't support NTLM.
If you set the authentication Type to RADIUS, specify a RADIUS User Domain in case users don't enter the domain at login.

Configure an authentication profile:

1. If the authentication Type is an external service (RADIUS, TACACS+, LDAP, or Kerberos), select the authentication Server Profile you created.

2. If you use Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase), and import the Kerberos Keytab you created.

3. Select Advanced and Add the users and user groups that can authenticate using this profile. If the authentication Type is Local Database, add the Captive Portal users or user groups you created. You can select all to allow every user to authenticate. After completing the Allow List, click OK.
If your users are in multiple domains or Kerberos realms, you can create an authentication profile for each domain or realm, assign all the profiles to the authentication sequence (Step 8), and assign the sequence to the Captive Portal configuration.

Step 8
(Optional) Add an authentication sequence.
If the firewall is configured to use multiple authentication profiles in the sequence for any one user (for example, if some directory server connections are unreliable), then the PAN-OS web server timeout must be the same as or greater than the timeout for the sequence, which is the total of the timeouts for all its authentication profiles. Also, the session timeout for Captive Portal must be greater than the web server timeout. To change these timeouts, see the note in Step 5.

Configure an authentication sequence:

1. Select Device > Authentication Sequence, Add the authentication sequence, and enter a Name to identify it.

2. Select Use domain to determine authentication profile.
The firewall will match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then use that profile to authenticate the user.

3. Add each authentication profile.

4. Click OK to save the authentication sequence.
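The timeout arithmetic from the note in Step 5 and from Step 8, worked through in Python as an added example that is not part of the original guide: each server profile's worst-case wait is computed from the per-server figures the guide states, a sequence adds its profiles together, and the web server and Captive Portal session timeouts are checked against the result. The class and function names are this example's own; the per-type rules and the configurable ranges are taken from the text above.

```python
from dataclasses import dataclass
from typing import List

# Figures stated in the guide for PAN-OS 7.1 Captive Portal.
KERBEROS_SECONDS_PER_SERVER = 17           # non-configurable, "up to 17 seconds" per server
WEB_SERVER_TIMEOUT_RANGE = (3, 30)         # set deviceconfig setting l3-service timeout <value>
CP_SESSION_TIMEOUT_RANGE = (1, 1_599_999)  # Device > Setup > Session > Captive Portal


@dataclass
class ServerProfile:
    """An authentication server profile referenced by one authentication profile."""
    name: str
    kind: str                  # "radius", "tacacs+", "ldap" or "kerberos"
    servers: int               # number of servers listed in the profile
    timeout: int = 3           # RADIUS / TACACS+ Timeout (default 3 s)
    bind_timeout: int = 30     # LDAP Bind Timeout (default 30 s)
    search_timeout: int = 30   # LDAP Search Timeout (default 30 s)

    def worst_case_seconds(self) -> int:
        """Longest wait the firewall may incur on this profile if every server is unreachable."""
        if self.kind in ("radius", "tacacs+"):
            return self.timeout * self.servers
        if self.kind == "ldap":
            return (self.bind_timeout + self.search_timeout) * self.servers
        if self.kind == "kerberos":
            return KERBEROS_SECONDS_PER_SERVER * self.servers
        raise ValueError(f"unknown server profile type {self.kind!r}")


def sequence_seconds(profiles: List[ServerProfile]) -> int:
    """An authentication sequence waits for the total of its profiles' timeouts (Step 8)."""
    return sum(p.worst_case_seconds() for p in profiles)


def check_timeouts(profiles: List[ServerProfile],
                   web_server_timeout: int, cp_session_timeout: int) -> List[str]:
    """Return the constraints the settings violate; an empty list means they are consistent."""
    findings = []
    lo, hi = WEB_SERVER_TIMEOUT_RANGE
    if not lo <= web_server_timeout <= hi:
        findings.append(f"web server timeout {web_server_timeout}s is outside {lo}-{hi}s")
    lo, hi = CP_SESSION_TIMEOUT_RANGE
    if not lo <= cp_session_timeout <= hi:
        findings.append(f"Captive Portal session timeout {cp_session_timeout}s is outside {lo}-{hi}s")
    needed = sequence_seconds(profiles)
    if web_server_timeout < needed:
        findings.append(f"web server timeout {web_server_timeout}s is below the {needed}s "
                        "the authentication profile(s) may need")
        if needed > WEB_SERVER_TIMEOUT_RANGE[1]:
            findings.append(f"{needed}s exceeds the maximum web server timeout; "
                            "reduce servers per profile or their timeouts instead")
    if cp_session_timeout <= web_server_timeout:
        findings.append("Captive Portal session timeout must be greater than the web server timeout")
    return findings


if __name__ == "__main__":
    # Constructed scenario: two RADIUS servers at the default 3 s, plus one Kerberos server,
    # in one sequence, with both timeouts still at their defaults (3 s and 30 s).
    sequence = [ServerProfile("corp-radius", "radius", servers=2),
                ServerProfile("corp-kerberos", "kerberos", servers=1)]
    print("sequence worst case:", sequence_seconds(sequence), "s")
    for finding in check_timeouts(sequence, web_server_timeout=3, cp_session_timeout=30):
        print("-", finding)
```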

Step 9
Configure Client Certificate Authentication.
Required if Captive Portal will use this authentication method.
You don't need an authentication profile or sequence for client certificate authentication. If you configure both an authentication profile/sequence and certificate authentication, users must authenticate using both.

1. Use a root CA certificate to generate a client certificate for each user who will authenticate to Captive Portal. The CA in this case is usually your enterprise CA, not the firewall.

2. Export the CA certificate in PEM format to a system that the firewall can access.

3. Import the CA certificate onto the firewall: see Import a Certificate and Private Key. After the import, click the imported certificate, select Trusted Root CA, and click OK.

4. Configure a Certificate Profile.
In the Username Field drop-down, select the certificate field that contains the user identity information.
In the CA Certificates list, click Add and select the CA certificate you just imported.

Step 10
Enable NT LAN Manager (NTLM) authentication.
Required for NTLM authentication.
When using the PAN-OS integrated User-ID agent, the firewall must successfully resolve the DNS name of your domain controller to join the domain (using the credentials you enter in this step).

1. If you haven't already done so, create an Active Directory (AD) account for the User-ID agent.

2. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup section.

3. On the NTLM tab, select the Enable NTLM authentication processing check box.

4. Enter the NTLM Domain against which the User-ID agent on the firewall will check NTLM credentials.

5. In the Admin User Name, Password, and Confirm Password fields, enter the username and password of the Active Directory account you created for the User-ID agent.
Do not include the domain in the Admin User Name field. Otherwise, the firewall will fail to join the domain.
Palo Alto Networks recommends that you use a User-ID agent account that is separate from your firewall administrator account.

6. You don't need to configure any other settings for the User-ID agent: click OK.

Step 11
Configure the Captive Portal settings.

1. Select Device > User Identification > Captive Portal Settings and edit the settings.

2. Make sure the Enable Captive Portal check box is selected.

3. Select the SSL/TLS Service Profile you created for redirect requests over TLS.

4. Select the Mode (in this example, Redirect).

5. (Redirect mode only) Specify the Redirect Host name that resolves to the IP address of the Layer 3 interface for redirected requests.

6. Select the authentication method to use if NTLM fails (or if you don't use NTLM):
To use Kerberos SSO, an external server, or the local database, select the Authentication Profile or authentication sequence you created.
To use client certificate authentication, select the Certificate Profile you created.

7. Click OK and Commit to save the Captive Portal configuration.

Configure User Mapping for Terminal Server Users

Individual terminal server users appear to have the same IP address and therefore an IP address-to-username mapping is not sufficient to identify a specific user. To enable identification of specific users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. It then notifies every connected firewall about the allocated port range, which allows the firewall to create an IP address-port-user mapping table and enable user- and group-based security policy enforcement. For non-Windows terminal servers, you can configure the PAN-OS XML API to extract user mapping information.
The following sections describe how to configure user mapping for terminal server users:

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Use the following procedure to install and configure the TS agent on the terminal server. To map all your users, you must install the TS agent on all terminal servers that your users log in to.
For information about the terminal servers supported by the TS Agent, refer to Operating System (OS) Compatibility TS Agent in the Terminal Services Agent Release Notes.

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Step 1
Download the TS agent installer.

1. Log in to the Palo Alto Networks Customer Support website.

2. Select Software Updates from the Manage Devices section.

3. Scroll to the Terminal Services Agent section and Download the version of the agent you want to install.

4. Save the TaInstall64.x64-x.x.x-xx.msi or TaInstall-x.x.x-xx.msi file (be sure to select the appropriate version based on whether the Windows system is running a 32-bit OS or a 64-bit OS) on the systems where you plan to install the agent.

Step 2
Run the installer as an administrator.

1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.

2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
C:\Users\administrator.acme>cd Desktop
C:\Users\administrator.acme\Desktop>TaInstall-6.0.0-1.msi

3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\Terminal Server Agent folder, but you can Browse to a different location.

4. When the installation completes, Close the setup window.
If you are upgrading to a TS Agent version that has a newer driver than the existing installation, the installation wizard prompts you to reboot the system after upgrading in order to use the new driver.

Step 3
Define the range of ports for the TS Agent to allocate to end users.
The System Source Port Allocation Range and System Reserved Source Ports fields specify the range of ports that will be allocated to non-user sessions. Make sure the values specified in these fields do not overlap with the ports you designate for user traffic. These values can only be changed by editing the corresponding Windows registry settings.

1. Open the Windows Start menu and select Terminal Server Agent to launch the Terminal Services agent application.

2. Select Configure in the side menu.

3. Enter the Source Port Allocation Range (default 20000-39999). This is the full range of port numbers that the TS agent will allocate for user mapping. The port range you specify cannot overlap with the System Source Port Allocation Range.

4. (Optional) If there are ports/port ranges within the source port allocation that you do not want the TS Agent to allocate to user sessions, specify them as Reserved Source Ports. To include multiple ranges, use commas with no spaces, for example: 2000-3000,3500,4000-5000.

5. Specify the number of ports to allocate to each individual user upon login to the terminal server in the Port Allocation Start Size Per User field (default 200).

6. Specify the Port Allocation Maximum Size Per User, which is the maximum number of ports the Terminal Services agent can allocate to an individual user.

7. Specify whether to continue processing traffic from the user if the user runs out of allocated ports. By default, the Fail port binding when available ports are used up check box is selected, which indicates that the application will fail to send traffic when all ports are used. To enable users to continue using applications when they run out of ports, clear this check box. Keep in mind that this traffic may not be identified with User-ID.

Configurethefirewallstoconnecttothe Completethefollowingstepsoneachfirewallyouwanttoconnect
TerminalServicesagent.
totheTerminalServicesagenttoreceiveusermappings:

PaloAltoNetworks,Inc.

1.

SelectDevice > User Identification > Terminal Server Agents


andclickAdd.

2.

EnteraNamefortheTerminalServicesagent.

3.

EntertheIPaddressoftheWindowsHostonwhichthe
TerminalServicesagentisinstalled.

4.

EnterthePortnumberonwhichtheagentwilllistenforuser
mappingrequests.Thisvaluemustmatchthevalueconfigured
ontheTerminalServicesagent.Bydefault,theportissetto
5009onthefirewallandontheagent.Ifyouchangeithere,
youmustalsochangetheListening PortfieldontheTerminal
ServicesagentConfigurescreen.

5.

MakesurethattheconfigurationisEnabledandthenclickOK.

6.

Committhechanges.

7.

VerifythattheConnected status displaysasconnected(a


greenlight).

PANOS7.1AdministratorsGuide 407

Step 5
Verify that the Terminal Services agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
1. Open the Windows Start menu and select Terminal Server Agent.
2. Verify that the firewalls can connect by making sure the Connection Status of each firewall in the Connection List is Connected.
3. Verify that the Terminal Services agent is successfully mapping port ranges to usernames by selecting Monitor in the side menu and making sure that the mapping table is populated.

Step 6
(Windows 2012 R2 servers only) Disable Enhanced Protected Mode in Microsoft Internet Explorer for each user who uses that browser.
This task is not necessary for other browsers such as Google Chrome or Mozilla Firefox.
To disable Enhanced Protected Mode for all users, use Local Security Policy.
Perform these steps on the Windows Server:
1. Start Internet Explorer.
2. Select Internet options > Advanced and scroll down to the Security section.
3. Clear Enable Enhanced Protected Mode.
4. Click OK.
In Internet Explorer, Palo Alto Networks recommends that you do not disable Protected Mode, which differs from Enhanced Protected Mode.

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API
The PAN-OS XML API is a RESTful API that uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports RESTful services.
To enable a non-Windows terminal server to send user mapping information directly to the firewall, create scripts that extract the user login and logout events and use them for input to the PAN-OS XML API request format. Then define the mechanisms for submitting the XML API request(s) to the firewall using cURL or wget and providing the firewall's API key for secure communication. Creating user mappings from multi-user systems such as terminal servers requires use of the following API messages:

<multiusersystem>: Sets up the configuration for an XML API Multi-user System on the firewall. This message allows for definition of the terminal server IP address (this will be the source address for all users on that terminal server). In addition, the <multiusersystem> setup message specifies the range of source port numbers to allocate for user mapping and the number of ports to allocate to each individual user upon login (called the block size). If you want to use the default source port allocation range (1025-65534) and block size (200), you do not need to send a <multiusersystem> setup event to the firewall. Instead, the firewall will automatically generate the XML API Multi-user System configuration with the default settings upon receipt of the first user login event message.
<blockstart>: Used with the <login> and <logout> messages to indicate the starting source port number allocated to the user. The firewall then uses the block size to determine the actual range of port numbers to map to the IP address and username in the login message. For example, if the <blockstart> value is 13200 and the block size configured for the multi-user system is 300, the actual source port range allocated to the user is 13200 through 13499. Each connection initiated by the user should use a unique source port number within the allocated range, enabling the firewall to identify the user based on its IP address-port-user mappings for enforcement of user- and group-based security rules. When a user exhausts all the ports allocated, the terminal server must send a new <login> message allocating a new port range for the user so that the firewall can update the IP address-port-user mapping. In addition, a single username can have multiple blocks of ports mapped simultaneously. When the firewall receives a <logout> message that includes a <blockstart> parameter, it removes the corresponding IP address-port-user mapping from its mapping table. When the firewall receives a <logout> message with a username and IP address, but no <blockstart>, it removes the user from its table. And, if the firewall receives a <logout> message with an IP address only, it removes the multi-user system and all mappings associated with it.
The XML files that the terminal server sends to the firewall can contain multiple message types and the messages do not need to be in any particular order within the file. However, upon receiving an XML file that contains multiple message types, the firewall will process them in the following order: multiusersystem requests first, followed by logins, then logouts.

The following workflow provides an example of how to use the PAN-OS XML API to send user mappings from a non-Windows terminal server to the firewall.
Use the PAN-OS XML API to Map Non-Windows Terminal Services Users
Step 1
Generate the API key that will be used to authenticate the API communication between the firewall and the terminal server. To generate the key you must provide login credentials for an administrative account; the API is available to all administrators (including role-based administrators with XML API privileges enabled).
Any special characters in the password must be URL/percent-encoded.
From a browser, log in to the firewall. Then, to generate the API key for the firewall, open a new browser window and enter the following URL:
https://<Firewall-IPaddress>/api/?type=keygen&user=<username>&password=<password>

Where <Firewall-IPaddress> is the IP address or FQDN of the firewall and <username> and <password> are the credentials for the administrative user account on the firewall. For example:
https://10.1.2.5/api/?type=keygen&user=admin&password=admin

The firewall responds with a message containing the key, for example:
<response status="success">
<result>
<key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
</result>
</response>

Step 2
(Optional) Generate a setup message that the terminal server will send to specify the port range and block size of ports per user that your terminal services agent uses.
If the terminal services agent does not send a setup message, the firewall will automatically create a Terminal Services agent configuration using the following default settings upon receipt of the first login message:
Default port range: 1025 to 65534
Per user block size: 200
Maximum number of multi-user systems: 1,000

The following shows a sample setup message:
<uid-message>
<payload>
<multiusersystem>
<entry ip="10.1.1.23" startport="20000" endport="39999" blocksize="100"/>
</multiusersystem>
</payload>
<type>update</type>
<version>1.0</version>
</uid-message>
where entry ip specifies the IP address assigned to terminal server users, startport and endport specify the port range to use when assigning ports to individual users, and blocksize specifies the number of ports to assign to each user. The maximum block size is 4000 and each multi-user system can allocate a maximum of 1000 blocks.
If you define a custom block size and/or port range, keep in mind that you must configure the values such that every port in the range gets allocated and that there are no gaps or unused ports. For example, if you set the port range to 1000-1499, you could set the block size to 100, but not to 200. This is because if you set it to 200, there would be unused ports at the end of the range.

Step 3
Create a script that will extract the login events and create the XML input file to send to the firewall.
Make sure the script enforces assignment of port number ranges at fixed boundaries with no port overlaps. For example, if the port range is 1000-1999 and the block size is 200, acceptable blockstart values would be 1000, 1200, 1400, 1600, or 1800. Blockstart values of 1001, 1300, or 1850 would be unacceptable because some of the port numbers in the range would be left unused.
The login event payload that the terminal server sends to the firewall can contain multiple login events.

The following shows the input file format for a PAN-OS XML login event:
<uid-message>
<payload>
<login>
<entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
<entry name="acme\jparker" ip="10.1.1.23" blockstart="20100"/>
<entry name="acme\ccrisp" ip="10.1.1.23" blockstart="21000"/>
</login>
</payload>
<type>update</type>
<version>1.0</version>
</uid-message>

The firewall uses this information to populate its user mapping table. Based on the mappings extracted from the example above, if the firewall received a packet with a source address and port of 10.1.1.23:20101, it would map the request to user jparker for policy enforcement.
Each multi-user system can allocate a maximum of 1,000 port blocks.

Step 4
Create a script that will extract the logout events and create the XML input file to send to the firewall.
Upon receipt of a logout event message with a blockstart parameter, the firewall removes the corresponding IP address-port-user mapping. If the logout message contains a username and IP address, but no blockstart parameter, the firewall removes all mappings for the user. If the logout message contains an IP address only, the firewall removes the multi-user system and all associated mappings.

The following shows the input file format for a PAN-OS XML logout event:
<uid-message>
<payload>
<logout>
<entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
<entry name="acme\ccrisp" ip="10.1.1.23"/>
<entry ip="10.2.5.4"/>
</logout>
</payload>
<type>update</type>
<version>1.0</version>
</uid-message>

You can also clear the multi-user system entry from the firewall using the following CLI command: clear xml-api multiusersystem

Step 5
Make sure that the scripts you create include a way to dynamically enforce that the port block range allocated using the XML API matches the actual source port assigned to the user on the terminal server and that the mapping is removed when the user logs out or the port allocation changes.
One way to do this would be to use netfilter NAT rules to hide user sessions behind the specific port ranges allocated via the XML API based on the uid. For example, to ensure that a user with the user ID jjaso is mapped to a source network address translation (SNAT) value of 10.1.1.23:20000-20099, the script you create should include the following:
[root@ts1 ~]# iptables -t nat -A POSTROUTING -m owner --uid-owner jjaso -p tcp -j SNAT --to-source 10.1.1.23:20000-20099

Similarly, the scripts you create should also ensure that the IP table routing configuration dynamically removes the SNAT mapping when the user logs out or the port allocation changes:
[root@ts1 ~]# iptables -t nat -D POSTROUTING 1

Step 6
Define how to package the XML input files containing the setup, login, and logout events into wget or cURL messages for transmission to the firewall.
To apply the files to the firewall using wget (the URL is quoted so the shell does not interpret the & characters):
> wget --post-file <filename> "https://<Firewall-IPaddress>/api/?type=user-id&key=<key>&file-name=<input_filename.xml>&client=wget&vsys=<VSYS_name>"

For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using wget would look as follows:
> wget --post-file login.xml "https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&file-name=login.xml&client=wget&vsys=vsys1"

To apply the file to the firewall using cURL:
> curl --form file=@<filename> "https://<Firewall-IPaddress>/api/?type=user-id&key=<key>&vsys=<VSYS_name>"

For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using cURL would look as follows:
> curl --form file=@login.xml "https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&vsys=vsys1"
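The following is an added example of the message-building logic that Steps 2 through 5 ask the terminal server script to implement; it is not the guide's own script and not Palo Alto Networks code. It builds the <multiusersystem>, <login> and <logout> documents in the format shown above, rejects a custom port range that the block size does not tile (the 1000-1499 with block size 200 case), rejects blockstart values that do not sit on a block boundary (1001, 1300, 1850 in the 1000-1999 example), reproduces the firewall's lookup of 10.1.1.23:20101 to jparker, emits the netfilter SNAT rule from Step 5 for a block, and percent-encodes the keygen credentials as Step 1 requires. The IP addresses, usernames and ports are constructed sample values taken from the guide's examples; submission to the firewall is left to the wget or cURL command shown in Step 6.

```python
"""User-ID XML API message builder for a non-Windows terminal server.

Added example, not Palo Alto Networks code and not the guide's own script.
It encodes the rules the guide states: a custom block size must tile the port
range with no unused ports, every blockstart must sit on a block boundary, and
the firewall resolves a source IP:port to the user whose block holds that port.
Hosts, usernames and ports below are constructed sample values.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote

MAX_BLOCK_SIZE = 4000          # limits stated in the guide
MAX_BLOCKS_PER_SYSTEM = 1000


def layout_error(startport, endport, blocksize):
    """Return why a custom range/block-size pair is invalid, or None if it is fine."""
    if not 1 <= startport <= endport <= 65535:
        return "port range must lie within 1-65535"
    if not 1 <= blocksize <= MAX_BLOCK_SIZE:
        return "block size must be 1-%d" % MAX_BLOCK_SIZE
    span = endport - startport + 1
    if span % blocksize:
        return "block size %d leaves %d unused ports" % (blocksize, span % blocksize)
    if span // blocksize > MAX_BLOCKS_PER_SYSTEM:
        return "range needs more than %d blocks" % MAX_BLOCKS_PER_SYSTEM
    return None


def block_boundaries(startport, endport, blocksize):
    """Acceptable blockstart values, e.g. [1000, 1200, ..., 1800] for 1000-1999/200."""
    err = layout_error(startport, endport, blocksize)
    if err:
        raise ValueError(err)
    return list(range(startport, endport + 1, blocksize))


def _uid_message(section, entries):
    """Wrap <entry> elements in the <uid-message> envelope the guide shows."""
    root = ET.Element("uid-message")
    sect = ET.SubElement(ET.SubElement(root, "payload"), section)
    for attrs in entries:
        ET.SubElement(sect, "entry", {k: str(v) for k, v in attrs.items()})
    ET.SubElement(root, "type").text = "update"
    ET.SubElement(root, "version").text = "1.0"
    return ET.tostring(root, encoding="unicode")


def setup_message(ip, startport, endport, blocksize):
    """<multiusersystem> setup event; refuses a layout with gaps or unused ports."""
    block_boundaries(startport, endport, blocksize)  # validates, raises on error
    return _uid_message("multiusersystem", [{"ip": ip, "startport": startport,
                                             "endport": endport, "blocksize": blocksize}])


def login_message(ip, startport, endport, blocksize, logins):
    """<login> event for (username, blockstart) pairs behind one terminal server IP.

    Misaligned blockstarts (1001, 1300, ...) and double allocations are rejected,
    so the XML never describes a block the terminal server cannot enforce.
    """
    boundaries = set(block_boundaries(startport, endport, blocksize))
    seen, entries = set(), []
    for name, blockstart in logins:
        if blockstart not in boundaries:
            raise ValueError("blockstart %d is not on a block boundary" % blockstart)
        if blockstart in seen:
            raise ValueError("blockstart %d allocated twice" % blockstart)
        seen.add(blockstart)
        entries.append({"name": name, "ip": ip, "blockstart": blockstart})
    return _uid_message("login", entries)


def logout_message(entries):
    """<logout> event. Per the guide: ip+name+blockstart removes one block,
    ip+name removes the user, ip alone removes the whole multi-user system."""
    return _uid_message("logout", entries)


def parse_entries(xml_text, section):
    """Read back the <entry> attributes of one payload section (for checks)."""
    return [e.attrib for e in ET.fromstring(xml_text).findall("payload/%s/entry" % section)]


def lookup_user(login_entries, blocksize, ip, port):
    """Mimic the firewall's IP-port-user lookup for a packet from ip:port."""
    for e in login_entries:
        start = int(e["blockstart"])
        if e["ip"] == ip and start <= port < start + blocksize:
            return e["name"]
    return None


def snat_rule(username, ip, blockstart, blocksize):
    """netfilter rule (as in Step 5) pinning the user's TCP sessions to its block."""
    return ("iptables -t nat -A POSTROUTING -m owner --uid-owner %s -p tcp "
            "-j SNAT --to-source %s:%d-%d"
            % (username, ip, blockstart, blockstart + blocksize - 1))


def keygen_url(host, user, password):
    """keygen URL with credentials percent-encoded, as the guide requires."""
    return "https://%s/api/?type=keygen&user=%s&password=%s" % (
        host, quote(user, safe=""), quote(password, safe=""))
```

Pass login_message the same range and block size you send in your setup message, since the tiling check implements the rule the guide states for custom values. When the logout script removes the SNAT rule, deleting by the full rule specification (the same arguments that snat_rule produced, with -D in place of -A) is more robust than the positional "-D POSTROUTING 1" shown in Step 5, which removes whatever rule happens to be first at that moment.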

Step 7
Verify that the firewall is successfully receiving login events from the terminal servers.
Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:
To verify if the terminal server is connecting to the firewall over XML:
admin@PA-5050> show user xml-api multiusersystem
Host             Vsys     Users    Blocks
---------------------------------------
10.5.204.43      vsys1

To verify that the firewall is receiving mappings from a terminal server over XML:
admin@PA-5050> show user ip-port-user-mapping all
Global max host index 1, host hash count 1
XML API Multi-user System 10.5.204.43
Vsys 1, Flag 3
Port range: 20000 - 39999
Port size: start 200; max 2000
Block count 100, port count 20000
20000-20199: acme\administrator
Total host: 1

Send User Mappings to User-ID Using the XML API
User-ID provides many out-of-the-box methods for obtaining user mapping information. However, you might have applications or devices that capture user information but cannot natively integrate with User-ID. For example, you might have a custom, internally developed application or a device that no standard user mapping method supports. In such cases, you can use the PAN-OS XML API to create custom scripts that send the information to the User-ID agent or directly to the firewall. The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports POST and GET requests.
To enable an external system to send user mapping information to the User-ID agent or directly to the firewall, you can create scripts that extract user login and logout events and use the events as input to the PAN-OS XML API request. Then define the mechanisms for submitting the XML API requests to the firewall (using cURL, for example) and use the API key of the firewall for secure communication. For more details, refer to the PAN-OS XML API Usage Guide.


Enable User- and Group-Based Policy
To enable security policy based on users and user groups, you must enable User-ID for each zone that contains users you want to identify. You can then define policy rules that allow or deny traffic based on username or group membership. Additionally, you can create Captive Portal rules to enable identification for IP addresses that don't yet have any user data associated with them.
PA-5060 and PA-7000 Series firewalls that have the multiple virtual systems capability disabled can base policies on up to 3,200 distinct user groups. If these platforms have multiple virtual systems, the limit is 640 groups. All other firewall platforms support up to 640 groups per virtual system or per firewall (if it doesn't have multiple virtual systems).
For users with multiple usernames, see Enable Policy for Users with Multiple Accounts.

Enable User- and Group-Based Policy
Step 1
Enable User-ID on the source zones that contain the users who will send requests that require user-based access controls.
1. Select Network > Zones and click the Name of the zone.
2. Select the Enable User Identification check box and click OK.

Step 2
(Optional) Configure the firewall to read the IP addresses of users from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is between the Internet and a proxy server that would otherwise hide the user IP addresses.
The firewall matches the IP addresses with usernames that your policy rules reference so that those rules can control and log access for the associated users and groups. For details, see Identify Users Connected through a Proxy Server.
1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
2. Select the X-Forwarded-For Header in User-ID check box.
Selecting the Strip-X-Forwarded-For Header check box doesn't disable the use of XFF headers for user attribution in policy rules; the firewall zeroes out the XFF value only after using it for user attribution.
3. Click OK to save your changes.

Step 3
Create security rules based on user and user group.
As a best practice, create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes.
After configuring User-ID, you will be able to choose a username or group name when defining the source or destination of a security rule:
1. a. Select Policies > Security and click Add to create a new rule or click an existing rule name.
b. Select the User tab and specify which users and groups to match in the rule in one of the following ways:
If you want to select specific users/groups as matching criteria, click the Add button in the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users and/or groups to add to the rule.
If you want to match any user who has or has not authenticated and you don't need to know the specific user or group name, select known-user or unknown from the drop-down above the Source User list.
2. Configure the rest of the rule as appropriate and then click OK to save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.

Step 4
Create your Captive Portal rules.
1. Select Policies > Captive Portal.
2. Click Add and enter a Name for the rule.
3. Define the matching criteria for the rule by completing the Source, Destination, and Service/URL Category tabs as appropriate to match the traffic you want to authenticate. The matching criteria on these tabs are the same as the criteria you define when creating a security rule. See Set Up a Basic Security Policy for details.
4. Define the Action to take on traffic that matches the rule:
no-captive-portal: Allow traffic to pass without presenting a Captive Portal page for authentication.
web-form: Present a Captive Portal page for the user to explicitly enter authentication credentials or use client certificate authentication.
browser-challenge: Transparently obtain user authentication credentials. If you select this action, you must enable Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication when you Configure Captive Portal. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you didn't configure NTLM, or NTLM authentication fails, the firewall falls back to web-form authentication.
5. Click OK and Commit.


Enable Policy for Users with Multiple Accounts
If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with distinct privileges for accessing a particular set of services, but with all the usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map any one IP address (or IP address and port range for terminal server users) to only one username for enforcing policy, and you can't predict which username the agent will map. To control access for all the usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.
For example, say the firewall has a rule that allows username corp_user to access email and a rule that allows username admin_user to access a MySQL server. The user logs in with either username from the same client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall always identifies the user as admin_user regardless of login and allows access to the MySQL server but not email. The following steps describe how to enforce both rules in this example.

Enable Policy for a User with Multiple Accounts
Step 1
Configure a user group for each service that requires distinct access privileges.
In this example, each group is for a single service (email or MySQL server). However, it is common to configure each group for a set of services that require the same privileges (for example, one group for all basic user services and one group for all administrative services).
If your organization already has user groups that can access the services that the user requires, simply add the username that is used for less restricted services to those groups. In this example, the email server requires less restricted access than the MySQL server, and corp_user is the username for accessing email. Therefore, you add corp_user to a group that can access email (corp_employees) and to a group that can access the MySQL server (network_services).
If adding a username to a particular existing group would violate your organizational practices, you can create a custom group based on an LDAP filter. For this example, say network_services is a custom group, which you configure as follows:
1. Select Device > User Identification > Group Mapping Settings and Add a group mapping configuration with a unique Name.
2. Select an LDAP Server Profile and ensure the Enabled check box is enabled.
3. Select the Custom Group tab and Add a custom group with network_services as a Name.
4. Specify an LDAP Filter that matches an LDAP attribute of corp_user and click OK.
5. Click OK and Commit.
Later, if other users that are in the group for less restricted services are given additional usernames that access more restricted services, you can add those usernames to the group for more restricted services. This scenario is more common than the inverse; a user with access to more restricted services usually already has access to less restricted services.

Step 2
Configure the rules that control user access based on the groups you just configured.
Enable User- and Group-Based Policy:
1. Configure a security rule that allows the corp_employees group to access email.
2. Configure a security rule that allows the network_services group to access the MySQL server.

Step 3
Configure the ignore list of the User-ID agent.
This ensures that the User-ID agent maps the client IP address only to the username that is a member of the groups assigned to the rules you just configured. The ignore list must contain all the usernames of the user that are not members of those groups.
In this example, you add admin_user to the ignore list of the Windows-based User-ID agent to ensure that it maps the client IP address to corp_user. This guarantees that, whether the user logs in as corp_user or admin_user, the firewall identifies the user as corp_user and applies both rules that you configured because corp_user is a member of the groups that the rules reference.
1. Create an ignore_user_list.txt file.
2. Open the file and add admin_user.
If you later add more usernames, each must be on a separate line.
3. Save the file to the User-ID agent folder on the domain server where the agent is installed.
If you use the PAN-OS integrated User-ID agent, perform Step 5 under Configure User Mapping Using the PAN-OS Integrated User-ID Agent to configure the ignore list.

Step 4
Configure endpoint authentication for the restricted services.
This enables the endpoint to verify the credentials of the user and preserves the ability to enable access for users with multiple usernames.
In this example, you have configured a firewall rule that allows corp_user, as a member of the network_services group, to send a service request to the MySQL server. You must now configure the MySQL server to respond to any unauthorized username (such as corp_user) by prompting the user to enter the login credentials of an authorized username (admin_user).
If the user logs in to the network as admin_user, the user can then access the MySQL server without it prompting for the admin_user credentials again.
In this example, both corp_user and admin_user have email accounts, so the email server won't prompt for additional credentials regardless of which username the user entered when logging in to the network.
The firewall is now ready to enforce rules for a user with multiple usernames.


Verify the User-ID Configuration
After you configure group mapping and user mapping and enable User-ID on your security rules and Captive Portal rules, you should verify that it is working properly.

Verify the User-ID Configuration
Step 1
Verify that group mapping is working.
From the CLI, enter the following operational command:
> show user group-mapping statistics

Step 2
Verify that user mapping is working.
If you are using the PAN-OS integrated User-ID agent, you can verify this from the CLI using the following command:
> show user ip-user-mapping-mp all
IP               Vsys    From   User                   Timeout (sec)
-----------------------------------------------------
192.168.201.1    vsys1   UIA    acme\george            210
192.168.201.11   vsys1   UIA    acme\duane             210
192.168.201.50   vsys1   UIA    acme\betsy             210
192.168.201.10   vsys1   UIA    acme\administrator     210
192.168.201.100  vsys1   AD     acme\administrator     748
Total: 5 users
*: WMI probe succeeded

Step 3
Test your security rule.
From a machine in the zone where User-ID is enabled, attempt to access sites and applications to test the rules you defined in your policy and ensure that traffic is allowed and denied as expected.
You can also use the test security-policy-match operational command to determine whether the policy is configured correctly. For example, suppose you have a rule that blocks user duane from playing World of Warcraft; you could test the policy as follows:
> test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6
"deny worldofwarcraft" {
from corporate;
source any;
source-region any;
to internet;
destination any;
destination-region any;
user acme\duane;
category any;
application/service worldofwarcraft;
action deny;
terminal no;
}

Step 4
Test your Captive Portal configuration.
1. From the same zone, go to a machine that is not a member of your directory, such as a Mac OS system, and try to ping to a system external to the zone. The ping should work without requiring authentication.
2. From the same machine, open a browser and navigate to a website in a destination zone that matches a Captive Portal rule you defined. The Captive Portal web form should display and prompt you for login credentials.
3. Log in using the correct credentials and confirm that you are redirected to the requested page.
4. You can also test your Captive Portal policy using the test cp-policy-match operational command as follows:
> test cp-policy-match from corporate to internet source 192.168.201.10 destination 8.8.8.8
Matched rule: 'captive portal' action: web-form

Step 5
Verify that the log files display usernames.
Select a logs page (for example, Monitor > Logs > Traffic) and verify that the Source User column displays usernames.

Step 6
Verify that reports display usernames.
1. Select Monitor > Reports.
2. Select a report type that includes usernames. For example, the Denied Applications report, Source User column, should display a list of the users who attempted to access the applications.


DeployUserIDinaLargeScaleNetwork
AlargescalenetworkcanhavehundredsofinformationsourcesthatfirewallsquerytomapIPaddressesto
usernamesandtomapusernamestousergroups.YoucansimplifyUserIDadministrationforsucha
networkbyaggregatingtheusermappingandgroupmappinginformationbeforetheUserIDagentscollect
it,therebyreducingthenumberofrequiredagents.
Alargescalenetworkcanalsohavenumerousfirewallsthatusethemappinginformationtoenforcepolicies.
Youcanreducetheresourcesthatthefirewallsandinformationsourcesuseinthequeryingprocessby
configuringsomefirewallstoacquiremappinginformationthroughredistributioninsteadofdirectquerying.
Redistributionalsoenablesthefirewallstoenforceuserbasedpolicieswhenusersrelyonlocalsourcesfor
authentication(forexample,regionaldirectoryservices)butneedaccesstoremoteresources(forexample,
globaldatacenterapplications).

DeployUserIDforNumerousMappingInformationSources

ConfigureFirewallstoRedistributeUserMappingInformation

DeployUserIDforNumerousMappingInformationSources
YoucanuseWindowsLogForwardingandGlobalCatalogserverstosimplifyusermappingandgroup
mappinginalargescalenetworkofMicrosoftActiveDirectory(AD)domaincontrollersorExchangeservers.
ThesemethodssimplifyUserIDadministrationbyaggregatingthemappinginformationbeforetheUserID
agentscollectit,therebyreducingthenumberofrequiredagents.

WindowsLogForwardingandGlobalCatalogServers

PlanaLargeScaleUserIDDeployment

ConfigureWindowsLogForwarding

ConfigureUserIDforNumerousMappingInformationSources

WindowsLogForwardingandGlobalCatalogServers
BecauseeachUserIDagentcanmonitorupto100servers,thefirewallneedsmultipleUserIDagentsto
monitoranetworkwithhundredsofADdomaincontrollersorExchangeservers.Creatingandmanaging
numerousUserIDagentsinvolvesconsiderableadministrativeoverhead,especiallyinexpandingnetworks
wheretrackingnewdomaincontrollersisdifficult.WindowsLogForwardingenablesyoutominimizethe
administrativeoverheadbyreducingthenumberofserverstomonitorandtherebyreducingthenumberof
UserIDagentstomanage.WhenyouconfigureWindowsLogForwarding,multipledomaincontrollers
exporttheirlogineventstoasingledomainmemberfromwhichaUserIDagentcollectstheusermapping
information.
YoucanconfigureWindowsLogForwardingforWindowsServerversions2003,2008,2008R2,
2012,and2012R2.WindowsLogForwardingisnotavailablefornonMicrosoftservers.

Tocollectgroupmappinginformationinalargescalenetwork,youcanconfigurethefirewalltoquerya
GlobalCatalogserverthatreceivesaccountinformationfromthedomaincontrollers.

PaloAltoNetworks,Inc.

PANOS7.1AdministratorsGuide 419

DeployUserIDinaLargeScaleNetwork

UserID

Thefollowingfigureillustratesusermappingandgroupmappingforalargescalenetworkinwhichthe
firewallusesaWindowsbasedUserIDagent.SeePlanaLargeScaleUserIDDeploymenttodetermineif
thisdeploymentsuitsyournetwork.

PlanaLargeScaleUserIDDeployment
WhendecidingwhethertouseWindowsLogForwardingandGlobalCatalogserversforyourUserID
implementation,consultyoursystemadministratortodetermine:
Bandwidthrequiredfordomaincontrollerstoforwardlogineventstomemberservers.Thebandwidthis

amultipleoftheloginrate(numberofloginsperminute)ofthedomaincontrollersandthebytesizeof
eachloginevent.
Notethatdomaincontrollerswontforwardtheirentiresecuritylogs;theyforwardonlytheeventsthat
theusermappingprocessrequiresperlogin:threeeventsforWindowsServer2003orfoureventsfor
WindowsServer2008/2012andMSExchange.
Whetherthefollowingnetworkelementssupporttherequiredbandwidth:

DomaincontrollersTheymustsupporttheprocessingloadassociatedwithforwardingtheevents.
MemberServersTheymustsupporttheprocessingloadassociatedwithreceivingtheevents.
ConnectionsThegeographicdistribution(localorremote)ofthedomaincontrollers,member
servers,andGlobalCatalogserversisafactor.Generally,aremotedistributionsupportsless
bandwidth.

420 PANOS7.1AdministratorsGuide

PaloAltoNetworks,Inc.

UserID

DeployUserIDinaLargeScaleNetwork

ConfigureWindowsLogForwarding
ToconfigureWindowsLogForwarding,youneedadministrativeprivilegesforconfiguringgrouppolicieson
Windowsservers.ConfigureWindowsLogForwardingoneverymemberserverthatwillcollectloginevents
fromdomaincontrollers.Thefollowingisanoverviewofthetasks;consultyourWindowsServer
documentationforthespecificsteps.
ConfigureWindowsLogForwarding
Step1

Oneverymemberserverthatwillcollectsecurityevents,enableeventcollection,addthedomaincontrollers
aseventsources,andconfiguretheeventcollectionquery(subscription).Theeventsyouspecifyinthe
subscriptionvarybydomaincontrollerplatform:
WindowsServer2003TheeventIDsfortherequiredeventsare672(AuthenticationTicketGranted),
673(ServiceTicketGranted),and674(TicketGrantedRenewed).
WindowsServer2008/2012(includingR2)orMSExchangeTheeventIDsfortherequiredeventsare
4768(AuthenticationTicketGranted),4769(ServiceTicketGranted),4770(TicketGrantedRenewed),and
4624(LogonSuccess).
Youmustforwardeventstothesecuritylogslocationonthememberservers,nottothedefault
forwardedlogslocation.
Toforwardeventsasquicklyaspossible,selecttheMinimize Latencyoptionwhenconfiguringthe
subscription.

Step2

ConfigureagrouppolicytoenableWindowsRemoteManagement(WinRM)onthedomaincontrollers.

Step3

ConfigureagrouppolicytoenableWindowsEventForwardingonthedomaincontrollers.

Configure User-ID for Numerous Mapping Information Sources
Configure User-ID for Numerous Mapping Information Sources
Step 1

Configure Windows Log Forwarding on the member servers that will collect login events.

Configure Windows Log Forwarding. This step requires administrative privileges for configuring group policies on Windows servers.

Step 2

Install the Windows-based User-ID agent.

Install the User-ID Agent on a Windows server that can access the member servers. The Windows server can be inside or outside the Active Directory forest; it doesn't need to be a member server itself.

Step 3

Configure the User-ID agent to collect user mapping information from the member servers.

1. Start the Windows-based User-ID agent.
2. Select User Identification > Discovery and perform the following steps for each member server that will receive events from domain controllers:
   a. In the Servers section, click Add and enter a Name to identify the member server.
   b. In the Server Address field, enter the FQDN or IP address of the member server.
   c. For the Server Type, select Microsoft Active Directory.
   d. Click OK to save the server entry.
3. Configure the remaining User-ID agent settings: see Configure the User-ID Agent for User Mapping.


Configure User-ID for Numerous Mapping Information Sources (Continued)
Step 4

Configure an LDAP server profile to specify how the firewall connects to the Global Catalog servers (up to four) for group mapping information.
To improve availability, use at least two Global Catalog servers for redundancy.
You can collect group mapping information only for universal groups, not local domain groups (subdomains).

1. Select Device > Server Profiles > LDAP, click Add, and enter a Name for the profile.
2. In the Servers section, for each Global Catalog, click Add and enter the server Name, IP address (LDAP Server), and Port. For a plaintext or Start Transport Layer Security (StartTLS) connection, use Port 3268. For an LDAP over SSL connection, use Port 3269. If the connection will use StartTLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
3. In the Base DN field, enter the Distinguished Name (DN) of the point in the Global Catalog server where the firewall will start searching for group mapping information (for example, DC=acbdomain,DC=com).
4. For the Type, select active-directory.
5. Configure the remaining fields as necessary: see Add an LDAP server profile.

Step 5

Configure an LDAP server profile to specify how the firewall connects to the servers (up to four) that contain domain mapping information.
User-ID uses this information to map DNS domain names to NetBIOS domain names. This mapping ensures consistent domain/username references in policy rules.
To improve availability, use at least two servers for redundancy.

The steps are the same as for the LDAP server profile you created for Global Catalogs in Step 4, except for the following fields:
LDAP Server: Enter the IP address of the domain controller that contains the domain mapping information.
Port: For a plaintext or StartTLS connection, use Port 389. For an LDAP over SSL connection, use Port 636. If the connection will use StartTLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
Base DN: Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string cn=partitions,cn=configuration (for example, cn=partitions,cn=configuration,DC=acbdomain,DC=com).

Step 6

Create a group mapping configuration for each LDAP server profile you created.

1. Select Device > User Identification > Group Mapping Settings.
2. Click Add and enter a Name to identify the group mapping configuration.
3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
4. Configure the remaining fields as necessary: see Map Users to Groups.
   If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
5. Click OK and Commit.
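The following added Python lint (not PAN-OS code) checks an LDAP server profile against the rules in Steps 4 and 5: the Global Catalog ports 3268/3269 versus the domain controller ports 389/636, Require SSL/TLS on the LDAP over SSL ports, the server count, and the cn=partitions,cn=configuration Base DN prefix. The profile dictionaries and their keys are this example's own representation of the GUI fields, not a PAN-OS API.

```python
from typing import Dict, List

# Port -> whether that port is LDAP over SSL (and so needs Require SSL/TLS selected).
GLOBAL_CATALOG_PORTS = {3268: False, 3269: True}   # Step 4 profile
DOMAIN_MAPPING_PORTS = {389: False, 636: True}      # Step 5 profile
DOMAIN_MAPPING_DN_PREFIX = "cn=partitions,cn=configuration"
MAX_SERVERS = 4
MIN_SERVERS_FOR_REDUNDANCY = 2


def lint_ldap_profile(profile: Dict, purpose: str) -> List[str]:
    """Return findings as 'error: ...' or 'warning: ...' strings; an empty list
    means the profile follows the rules in Steps 4 and 5.
    purpose is 'global-catalog' (Step 4) or 'domain-mapping' (Step 5)."""
    if purpose == "global-catalog":
        allowed_ports = GLOBAL_CATALOG_PORTS
    elif purpose == "domain-mapping":
        allowed_ports = DOMAIN_MAPPING_PORTS
    else:
        raise ValueError(f"unknown purpose {purpose!r}")

    findings: List[str] = []
    servers = profile.get("servers", [])
    require_tls = bool(profile.get("require_ssl_tls", False))

    if not servers:
        findings.append("error: no servers configured")
    elif len(servers) > MAX_SERVERS:
        findings.append(f"error: {len(servers)} servers exceeds the maximum of {MAX_SERVERS}")
    elif len(servers) < MIN_SERVERS_FOR_REDUNDANCY:
        findings.append("warning: only one server; add a second for redundancy")

    for s in servers:
        port = s.get("port")
        if port not in allowed_ports:
            findings.append(f"error: {s['name']}: port {port} is not a {purpose} port")
            continue
        if allowed_ports[port] and not require_tls:
            # LDAPS port selected, but the profile would still attempt a plain connection.
            findings.append(f"error: {s['name']}: port {port} is LDAP over SSL; "
                            "select Require SSL/TLS secured connection")
        elif not require_tls:
            findings.append(f"warning: {s['name']}: port {port} without Require SSL/TLS "
                            "sends directory queries and the bind credential in plaintext")

    if profile.get("type") != "active-directory":
        findings.append("error: Type must be active-directory")

    base_dn = str(profile.get("base_dn", ""))
    if not base_dn:
        findings.append("error: Base DN is empty")
    elif purpose == "domain-mapping" and not base_dn.lower().startswith(DOMAIN_MAPPING_DN_PREFIX):
        findings.append(f"error: Base DN must start with {DOMAIN_MAPPING_DN_PREFIX}")
    return findings


def errors_only(findings: List[str]) -> List[str]:
    return [f for f in findings if f.startswith("error:")]


# Constructed profiles (addresses are from the documentation range, not real hosts).
GC_PROFILE_OK = {
    "name": "gc-profile", "type": "active-directory", "require_ssl_tls": True,
    "base_dn": "DC=acbdomain,DC=com",
    "servers": [{"name": "gc1", "address": "192.0.2.21", "port": 3269},
                {"name": "gc2", "address": "192.0.2.22", "port": 3269}],
}
DOMAIN_MAP_PROFILE_BAD = {
    "name": "domain-map-profile", "type": "active-directory", "require_ssl_tls": False,
    "base_dn": "DC=acbdomain,DC=com",      # missing the cn=partitions,cn=configuration prefix
    "servers": [{"name": "dc1", "address": "192.0.2.31", "port": 636}],  # LDAPS port, TLS not required
}

if __name__ == "__main__":
    for prof, purpose in ((GC_PROFILE_OK, "global-catalog"), (DOMAIN_MAP_PROFILE_BAD, "domain-mapping")):
        print(prof["name"], lint_ldap_profile(prof, purpose) or ["ok"])
```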


Configure Firewalls to Redistribute User Mapping Information
Every firewall that enforces user-based policy requires user mapping information. However, a large-scale network where numerous firewalls directly query the mapping information sources requires both the firewalls and sources to use considerable resources. To improve resource efficiency, you can configure some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (for example, regional directory services) but need access to remote resources (for example, global data center applications).

Firewall Deployment for User-ID Redistribution

Configure User-ID Redistribution

Firewall Deployment for User-ID Redistribution
You can organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers perform the IP address-to-username mapping. Each higher layer has firewalls that receive the mapping information from up to 100 User-ID agents in the layer beneath it. The top-layer firewalls aggregate the mapping information from all layers. This deployment provides the option to configure global policies for all users (in top-layer firewalls) and region- or function-specific policies for a subset of users in the corresponding domains (in lower-layer firewalls).
Figure: User-ID Redistribution shows a deployment with three layers of firewalls that redistribute mapping information from local information sources (directory servers, in this example) to regional offices and then to a global data center. The data center firewall that aggregates all the mapping information shares it with other data center firewalls so that they can all enforce global policy. Only the bottom-layer firewalls use PAN-OS integrated User-ID agents and Windows-based User-ID agents to query the directory servers.
The information sources from which User-ID agents collect mapping information do not count towards the maximum of ten hops in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate mapping information in one data center firewall and the second to share the information with other data center firewalls.
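To make the hop arithmetic above concrete, here is an added Python example (not from the guide) that counts hops across a constructed redistribution graph and checks the ten-hop and 100-agent limits. The node names are invented; the topology reproduces the hop counts the text states (three from Europe, four from North America, two within the top layer) but is only an approximation of the figure.

```python
from collections import Counter, defaultdict, deque
from typing import Dict, List, Tuple

MAX_HOPS = 10      # redistribution sequence limit stated in the guide
MAX_AGENTS = 100   # User-ID agents one firewall can receive from

# Directed edges (sender, receiver): the sender forwards mapping information to the receiver.
# Each edge is one hop. Windows-based agents that forward to firewalls count; the directory
# servers the agents query do not, so they are not in the graph. A virtual system would be
# its own node, since each vsys counts as one hop.
REDISTRIBUTION_EDGES: List[Tuple[str, str]] = [
    ("eu-win-agent", "eu-fw"),            # Europe: Windows agent -> bottom-layer firewall
    ("eu-fw", "dc-fw-1"),                 #         bottom layer -> data center aggregator
    ("na-win-agent", "na-branch-fw"),     # North America: agent -> bottom-layer firewall
    ("na-branch-fw", "na-regional-fw"),   #         bottom layer -> regional (middle) layer
    ("na-regional-fw", "dc-fw-1"),        #         middle layer -> data center aggregator
    ("dc-fw-1", "dc-fw-2"),               # aggregator shares with the other data center firewalls
    ("dc-fw-1", "dc-fw-3"),
]


def build_graph(edges):
    graph = defaultdict(list)
    for sender, receiver in edges:
        graph[sender].append(receiver)
    return graph


def hops_from(source: str, edges) -> Dict[str, int]:
    """Breadth-first hop count from source to every node it reaches."""
    graph = build_graph(edges)
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def has_cycle(edges) -> bool:
    """A firewall that forwards back toward a layer it receives from creates a loop."""
    graph = build_graph(edges)
    state = {}                                     # node -> 'visiting' | 'done'

    def visit(node):
        state[node] = "visiting"
        for nxt in graph[node]:
            if state.get(nxt) == "visiting" or (nxt not in state and visit(nxt)):
                return True
        state[node] = "done"
        return False

    return any(visit(n) for n in list(graph) if n not in state)


def check_design(edges) -> List[str]:
    """Findings against the guide's limits; an empty list means the design is within them."""
    findings = []
    if has_cycle(edges):
        return ["redistribution loop: hop count is unbounded"]
    senders = {s for s, _ in edges}
    receivers = {r for _, r in edges}
    for source in sorted(senders - receivers):          # agents or firewalls that only send
        for node, hops in hops_from(source, edges).items():
            if hops > MAX_HOPS:
                findings.append(f"{source} -> {node} needs {hops} hops (limit {MAX_HOPS})")
    for node, count in Counter(r for _, r in edges).items():
        if count > MAX_AGENTS:
            findings.append(f"{node} receives from {count} agents (limit {MAX_AGENTS})")
    return findings


if __name__ == "__main__":
    print(hops_from("eu-win-agent", REDISTRIBUTION_EDGES))
    print(hops_from("na-win-agent", REDISTRIBUTION_EDGES))
    print(check_design(REDISTRIBUTION_EDGES) or "design within limits")
```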


Figure: User-ID Redistribution

Configure User-ID Redistribution
Configure User-ID Redistribution
Step 1

Plan the redistribution architecture.

Decide which User-ID agents and methods to use for mapping IP addresses to usernames. You can redistribute user mapping information collected through any method except Terminal Services (TS) agents. You cannot redistribute Group Mapping or HIP match information.
Determine the most efficient Firewall Deployment for User-ID Redistribution. Some factors to consider are:
Which firewalls will enforce global policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
How many hops does the redistribution sequence require to aggregate mapping information for firewalls in different functional or regional layers to enforce policy?
How can you minimize the number of firewalls that query the information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.


Configure User-ID Redistribution (Continued)
Step 2

Configure the User-ID agents to perform the user mapping.

Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
Configure User Mapping Using the Windows User-ID Agent.

Step 3

Enable each bottom-layer firewall to forward mapping information to firewalls in the layer above.

1. Configure the firewall to function as a User-ID agent.
   a. Select Device > User Identification > User Mapping.
   b. (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system.
      You can redistribute mapping information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
   c. Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
   d. Enter a Collector Name to identify this firewall as a User-ID agent.
   e. Enter and confirm a Pre-Shared Key to secure communication between this firewall and the higher-layer firewalls. On a multi-vsys firewall, each vsys requires a unique pre-shared key.
   f. Click OK.
2. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface you want the firewall to use when responding to mapping information queries from firewalls in the layer above.
3. (Optional) Configure policies that are specific to the user accounts for which you want this firewall to collect mapping information.
4. Commit your changes.


Configure User-ID Redistribution (Continued)
Step 4

Enable each middle-layer firewall to receive mapping information from the layer below and forward it to the layer above.
You must also perform this task for any firewall that redistributes mapping information to other firewalls in the same layer. For example, Figure: User-ID Redistribution shows one data center firewall that redistributes to other data center firewalls.
Each firewall can receive mapping information from up to 100 User-ID agents.
Figure: User-ID Redistribution shows only one middle layer of firewalls but you can deploy as many layers as the redistribution limit of ten hops allows.

1. Configure a service route for the firewall to use for sending mapping information queries to firewalls in the layer below.
   a. Select Device > Setup > Services.
   b. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route). For details, refer to Customize Service Routes to Services for Virtual Systems.
   c. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 depending on your network protocols. Configure the service route for both protocols if your network uses both.
   d. Select UID Agent and then select the Source Interface and Source Address.
   e. Click OK twice to save the service route.
2. Configure the firewall to receive mapping information from firewalls acting as User-ID agents in the layer below.
   a. Select Device > User Identification > User-ID Agents and click Add.
   b. Enter a Name to identify the lower-layer firewall.
   c. Enter the Host name or IP address of the interface that you configured on the lower-layer firewall to respond to mapping information queries.
   d. Enter the Port number (default is 5007) on which the lower-layer firewall will listen for User-ID queries.
   e. Enter the Collector Name you specified when configuring the lower-layer firewall to act as a User-ID agent.
   f. Enter and confirm the Collector Pre-Shared Key you specified on the lower-layer firewall.
   g. Ensure the configuration is Enabled (default) and click OK.
   h. Check the Connected column to confirm the firewall you just added as a User-ID agent is connected.
3. Enable the firewall to forward the mapping information to firewalls in the layer above.
   a. Configure the firewall to function as a User-ID agent.
   b. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface you want the firewall to use when responding to mapping information queries from firewalls in the layer above.
4. (Optional) Configure policies specific to user accounts for which you want this firewall to aggregate mapping information from lower layers.
5. Commit your changes.


Configure User-ID Redistribution (Continued)
Step 5

Enable each top-layer firewall to receive mapping information from all other layers.
You must also perform this task for any firewall that is an endpoint in the redistribution sequence within a layer. In the example of Figure: User-ID Redistribution, you would perform this task for the two data center firewalls that receive mapping information from another data center firewall.

1. Configure the firewall to receive mapping information from firewalls acting as User-ID agents in the layer below.
2. Configure a service route for the firewall to use for sending mapping information queries to firewalls in the layer below.
3. (Optional) Configure policies that are global to all user accounts.
4. Commit your changes.

Step 6

Verify that the top-layer firewalls are aggregating mapping information from all other layers.
This step samples a single user mapping that is collected in a bottom-layer firewall and forwarded to a top-layer firewall. Repeat the step for several user mappings and several firewalls to ensure your configuration is successful.

1. Access the CLI of a bottom-layer firewall and run the following operational command:
   > show user ip-user-mapping all
   Record the IP address associated with any username.
2. Access the CLI of a top-layer firewall and run the following command, where <address> is the IP address you recorded in the previous step:
   > show user ip-user-mapping ip <address>
3. If the firewall successfully received the user mapping from the bottom-layer firewall, it displays output similar to the following and displays the same username as you recorded in the bottom-layer firewall.
   IP address:   192.0.2.0 (vsys1)
   User:         corpdomain\username1
   From:         AD
   Idle Timeout: 2643s
   Max. TTL:     2643s
   Groups that the user belongs to (used in policy)
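As an added example (not PAN-OS code), the following Python parser reads the top-layer output shown in Step 6 and compares it with the IP address and username recorded on the bottom-layer firewall. The output sample is constructed to match the layout above; that the CLI renders a single mapping as one label per line is an assumption.

```python
import re
from typing import Dict, Optional, Tuple

# One "Label: value" per line, as in the output the guide shows for a single mapping.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z. ]*?):\s*(.*?)\s*$")
IP_VSYS_RE = re.compile(r"^(\S+)\s*\((vsys\d+)\)$")


def parse_mapping_output(text: str) -> Dict[str, str]:
    """Parse 'show user ip-user-mapping ip <address>' output into label -> value.
    Parsing stops at the 'Groups that the user belongs to' trailer, which starts
    a group list this check does not need."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip().startswith("Groups that the user belongs to"):
            break
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def split_ip_vsys(value: str) -> Tuple[str, Optional[str]]:
    """'192.0.2.0 (vsys1)' -> ('192.0.2.0', 'vsys1'); a bare address has no vsys."""
    m = IP_VSYS_RE.match(value.strip())
    return (m.group(1), m.group(2)) if m else (value.strip(), None)


def seconds(value: str) -> int:
    """'2643s' -> 2643."""
    return int(value.strip().rstrip("s"))


def verify_redistributed_mapping(recorded_ip: str, recorded_user: str,
                                 top_layer_output: str) -> Tuple[bool, str]:
    """Compare the mapping recorded on the bottom-layer firewall (Step 6, item 1) with
    the top-layer firewall's answer for the same address (Step 6, item 2)."""
    fields = parse_mapping_output(top_layer_output)
    if "IP address" not in fields:
        return False, "top-layer firewall has no mapping for this address"
    ip, _vsys = split_ip_vsys(fields["IP address"])
    if ip != recorded_ip:
        return False, f"address mismatch: {ip} != {recorded_ip}"
    user = fields.get("User", "")
    if user.lower() != recorded_user.lower():
        return False, f"username mismatch: {user} != {recorded_user}"
    if seconds(fields.get("Max. TTL", "0s")) <= 0:
        return False, "mapping present but already expired"
    return True, f"mapping for {ip} redistributed as {user} (source {fields.get('From')})"


# Constructed output, laid out like the sample in Step 6 (one label per line).
TOP_LAYER_OUTPUT = """\
IP address:   192.0.2.0 (vsys1)
User:         corpdomain\\username1
From:         AD
Idle Timeout: 2643s
Max. TTL:     2643s
Groups that the user belongs to (used in policy)
"""

if __name__ == "__main__":
    ok, why = verify_redistributed_mapping("192.0.2.0", "corpdomain\\username1", TOP_LAYER_OUTPUT)
    print("OK" if ok else "FAIL", "-", why)
```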


App-ID
To safely enable applications on your network, the Palo Alto Networks next-generation firewalls provide both an application and web perspective (App-ID and URL Filtering) to protect against a full spectrum of legal, regulatory, productivity, and resource utilization risks.
App-ID enables visibility into the applications on the network, so you can learn how they work and understand their behavioral characteristics and their relative risk. This application knowledge allows you to create and enforce security policy rules to enable, inspect, and shape desired applications and block unwanted applications. When you define policy rules to allow traffic, App-ID begins to classify traffic without any additional configuration.

App-ID Overview

Manage Custom or Unknown Applications

Manage New App-IDs Introduced in Content Releases

Use Application Objects in Policy

Applications with Implicit Support

Application Level Gateways

Disable the SIP Application-level Gateway (ALG)


App-ID Overview
App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. It applies multiple classification mechanisms (application signatures, application protocol decoding, and heuristics) to your network traffic stream to accurately identify applications.
Here's how App-ID identifies applications traversing your network:

Traffic is matched against policy to check whether it is allowed on the network.
Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines if the application is being used on its default port or it is using a non-standard port. If the traffic is allowed by policy, the traffic is then scanned for threats and further analyzed for identifying the application more granularly.
If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.

When the application is identified, the policy check determines how to treat the application, for example block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.


Manage Custom or Unknown Applications
Palo Alto Networks provides weekly application updates to identify new App-ID signatures. By default, App-ID is always enabled on the firewall, and you don't need to enable a series of signatures to identify well-known applications. Typically, the only applications that are classified as unknown traffic (tcp, udp or non-syn-tcp) in the ACC and the traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.
On occasion, the firewall may report an application as unknown for the following reasons:

Incomplete data: A handshake took place, but no data packets were sent prior to the timeout.
Insufficient data: A handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.

The following choices are available to handle unknown applications:

Create security policies to control unknown applications by unknown TCP, unknown UDP or by a combination of source zone, destination zone, and IP addresses.
Request an App-ID from Palo Alto Networks: If you would like to inspect and control the applications that traverse your network, for any unknown traffic, you can record a packet capture. If the packet capture reveals that the application is a commercial application, you can submit this packet capture to Palo Alto Networks for App-ID development. If it is an internal application, you can create a custom App-ID and/or define an application override policy.
Create a Custom Application with a signature and attach it to a security policy, or create a custom application and define an application override policy: A custom application allows you to customize the definition of the internal application (its characteristics, category and subcategory, risk, port, timeout) and exercise granular policy control in order to minimize the range of unidentified traffic on your network. Creating a custom application also allows you to correctly identify the application in the ACC and traffic logs and is useful in auditing/reporting on the applications on your network. For a custom application you can specify a signature and a pattern that uniquely identifies the application and attach it to a security policy that allows or denies the application.
Alternatively, if you would like the firewall to process the custom application using fast path (Layer 4 inspection instead of using App-ID for Layer 7 inspection), you can reference the custom application in an application override policy rule. An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer 7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4, and thereby saves application processing time.
For example, if you build a custom application that triggers on a host header www.mywebsite.com, the packets are first identified as web-browsing and then are matched as your custom application (whose parent application is web-browsing). Because the parent application is web-browsing, the custom application is inspected at Layer 7 and scanned for content and vulnerabilities.
If you define an application override, the firewall stops processing at Layer 4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.


Manage New App-IDs Introduced in Content Releases
Installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for the now uniquely identified application. Before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policies and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.
The following options enable you to assess the impact of new App-IDs on existing policy enforcement, disable (and enable) App-IDs, and seamlessly update policy rules to secure and enforce newly identified applications:

Review New App-IDs

Disable or Enable App-IDs

Prepare Policy Updates For Pending App-IDs

Review New App-IDs
Review new App-ID signatures introduced in an Applications and/or Threats content update. For each new application signature introduced, you can preview the App-ID details, including a description of the application identified by the App-ID, other existing App-IDs that the new signature is dependent on (such as SSL or HTTP), and the category the application traffic received before the introduction of the new App-ID (for example, an application might be classified as web-browsing traffic before an App-ID signature is introduced that uniquely identifies the traffic). After reviewing the description and details for a new App-ID signature, review the App-ID signature impact on existing policy enforcement. When new application signatures are introduced, the newly identified application traffic might no longer match to policies that previously enforced the application. Reviewing the policy impact for new application signatures enables you to identify the policies that will no longer enforce the application when the new App-ID is installed.
After downloading a new content release version, review the new App-IDs included in the content version and assess the impact of the new App-IDs on existing policy rules:

Review New App-IDs Since Last Content Version

Review New App-ID Impact on Existing Policy Rules


Review New App-IDs Since Last Content Version
Review New App-IDs Available Since the Last Installed Content Release Version
Step 1

Select Device > Dynamic Updates and select Check Now to refresh the list of available content updates.

Step 2

Download the latest Applications and Threats content update. When the content update is downloaded, an Apps link will appear in the Features column for that content update.

Step 3

Click the Apps link in the Features column to view details on newly identified applications:

A list of App-IDs shows all new App-IDs introduced from the content version installed on the firewall, to the selected Content Version.
App-ID details that you can use to assess possible impact to policy enforcement include:
Depends on: Lists the application signatures that this App-ID relies on to uniquely identify the application. If one of the application signatures listed in the Depends On field is disabled, the dependent App-ID is also disabled.
Previously Identified As: Lists the App-IDs that matched to the application before the new App-ID was installed to uniquely identify the application.
App-ID Enabled: All App-IDs display as enabled when a content release is downloaded, unless you choose to manually disable the App-ID signature before installing the content update (see Disable or Enable App-IDs).
Multi-vsys firewalls display App-ID status as vsys-specific. This is because the status is not applied across virtual systems and must be individually enabled or disabled for each virtual system. To view the App-ID status for a specific virtual system, select Objects > Applications, select a Virtual System, and select the App-ID.

Next Steps...

Disable or Enable App-IDs.
Prepare Policy Updates For Pending App-IDs.


Review New App-ID Impact on Existing Policy Rules
Review the Impact of New App-ID Signatures on Existing Policy Rules
Step 1

Select Device > Dynamic Updates.

Step 2

You can review the policy impact of new content release versions that are downloaded to the firewall. Download a new content release version, and click Review Policies in the Action column. The Policy review based on candidate configuration dialog allows you to filter by Content Version and view App-IDs introduced in a specific release (you can also filter the policy impact of new App-IDs according to Rulebase and Virtual System).

Step 3

Select a new App-ID from the Application drop-down to view policy rules that currently enforce the application. The rules displayed are based on the application signatures that match to the application before the new App-ID is installed (view application details to see the list of application signatures that an application was Previously Identified As before the new App-ID).

Step 4

Use the detail provided in the policy review to plan policy rule updates to take effect when the App-ID is installed and enabled to uniquely identify the application.
You can continue to Prepare Policy Updates For Pending App-IDs, or you can directly add the new App-ID to policy rules that the application was previously matched to by continuing to use the policy review dialog.
In the following example, the new App-ID adobe-cloud is introduced in a content release. Adobe-cloud traffic is currently identified as SSL and web-browsing traffic. Policy rules configured to enforce SSL or web-browsing traffic are listed to show what policy rules will be affected when the new App-ID is installed.
In this example, the rule AllowSSLApp currently enforces SSL traffic. To continue to allow adobe-cloud traffic when it is uniquely identified, and no longer identified as SSL traffic:

Add the new App-ID to existing policy rules, to allow the application traffic to continue to be enforced according to your existing security requirements when the App-ID is installed.
In this example, to continue to allow adobe-cloud traffic when it is uniquely identified by the new App-ID, and no longer identified as SSL traffic, add the new App-ID to the security policy rule AllowSSLApp.

The policy rule updates take effect only when the application updates are installed.
Next Steps...

Disable or Enable App-IDs.
Prepare Policy Updates For Pending App-IDs.


Disable or Enable App-IDs
Disable new App-IDs included in a content release to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.
Policy rules referencing App-IDs only match to and enforce traffic based on enabled App-IDs.
Certain App-IDs cannot be disabled and only allow a status of enabled. App-IDs that cannot be disabled include some application signatures implicitly used by other App-IDs (such as unknown-tcp). Disabling a base App-ID could cause App-IDs which depend on the base App-ID to also be disabled. For example, disabling facebook-base will disable all other Facebook App-IDs.
Disable and Enable App-IDs
Disable all App-IDs in a content release or for scheduled content updates.

To disable all new App-IDs introduced in a content release, select Device > Dynamic Updates and Install an Applications and Threats content release. When prompted, select Disable new apps in content update. Select the check box to disable apps and continue installing the content update; this allows you to be protected against threats, and gives you the option to enable the apps at a later time.
On the Device > Dynamic Updates page, select Schedule. Choose to Disable new apps in content update for downloads and installations of content releases.

Disable App-IDs for one application or multiple applications at a single time.

To quickly disable a single application or multiple applications at the same time, click Objects > Applications. Select one or more application check boxes and click Disable.
To review details for a single application, and then disable the App-ID for that application, select Objects > Applications and Disable App-ID. You can use this step to disable both pending App-IDs (where the content release including the App-ID is downloaded to the firewall but not installed) or installed App-IDs.

Enable App-IDs.

Enable App-IDs that you previously disabled by selecting Objects > Applications. Select one or more application check boxes and click Enable or open the details for a specific application and click Enable App-ID.
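The added Python model below (not PAN-OS code) walks through the policy-impact review from Review New App-ID Impact on Existing Policy Rules and the dependency rule stated above: a rule that enforces the application through its previous identity stops matching once the new App-ID is effective, a pending App-ID added to the rule closes that gap, and disabling a base App-ID disables everything that depends on it. The App-ID catalog, rule names, and the adobe-cloud and facebook entries are constructed to mirror the guide's examples, not real content-release data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AppID:
    name: str
    depends_on: Set[str] = field(default_factory=set)                # "Depends on" column
    previously_identified_as: Set[str] = field(default_factory=set)  # "Previously Identified As"
    installed: bool = True
    enabled: bool = True


@dataclass
class Rule:
    name: str
    applications: Set[str]


def is_effective(name: str, catalog: Dict[str, AppID], _seen: Set[str] = frozenset()) -> bool:
    """An App-ID enforces traffic only when it is installed, enabled, and every App-ID
    it depends on is effective too (disabling facebook-base disables all Facebook App-IDs)."""
    if name in _seen:                      # guard against cyclic dependency data
        return False
    app = catalog.get(name)
    if app is None or not (app.installed and app.enabled):
        return False
    return all(is_effective(d, catalog, _seen | {name}) for d in app.depends_on)


def identified_as(true_app: str, catalog: Dict[str, AppID], fallback: str) -> str:
    """Until the new App-ID is effective, the traffic keeps its previous identity."""
    return true_app if is_effective(true_app, catalog) else fallback


def enforcing_rule(app_name: str, rules: List[Rule]) -> Optional[str]:
    """First rule whose application list contains the identified application."""
    for r in rules:
        if app_name in r.applications:
            return r.name
    return None


def policy_impact(new_app: str, catalog: Dict[str, AppID], rules: List[Rule]) -> List[str]:
    """Rules that enforce the application today through its previous identity and
    will stop matching it once the new App-ID is installed and enabled."""
    previous = catalog[new_app].previously_identified_as
    return [r.name for r in rules if (r.applications & previous) and new_app not in r.applications]


def stage_pending_app_id(new_app: str, catalog: Dict[str, AppID], rules: List[Rule]) -> List[str]:
    """Add the pending App-ID to each affected rule so enforcement continues after install."""
    affected = policy_impact(new_app, catalog, rules)
    for r in rules:
        if r.name in affected:
            r.applications.add(new_app)
    return affected


def walkthrough() -> Dict[str, Optional[str]]:
    """The adobe-cloud / AllowSSLApp sequence from the guide, as constructed data."""
    catalog = {
        "ssl": AppID("ssl"),
        "web-browsing": AppID("web-browsing"),
        "adobe-cloud": AppID("adobe-cloud", depends_on={"ssl", "web-browsing"},
                             previously_identified_as={"ssl", "web-browsing"}, installed=False),
    }
    rules = [Rule("AllowSSLApp", {"ssl"}), Rule("AllowWeb", {"web-browsing"})]
    outcome: Dict[str, Optional[str]] = {}

    # Today: the session is identified as ssl and AllowSSLApp enforces it.
    outcome["before"] = enforcing_rule(identified_as("adobe-cloud", catalog, "ssl"), rules)
    # Installing and enabling without a policy update leaves a gap: no rule matches.
    catalog["adobe-cloud"].installed = True
    outcome["installed_unstaged"] = enforcing_rule(identified_as("adobe-cloud", catalog, "ssl"), rules)
    # Staging instead: add the pending App-ID while it is still not installed ...
    catalog["adobe-cloud"].installed = False
    outcome["staged_rules"] = ",".join(stage_pending_app_id("adobe-cloud", catalog, rules))
    outcome["staged_pending"] = enforcing_rule(identified_as("adobe-cloud", catalog, "ssl"), rules)
    # ... then install and enable: the same rule keeps enforcing the traffic.
    catalog["adobe-cloud"].installed = True
    outcome["staged_installed"] = enforcing_rule(identified_as("adobe-cloud", catalog, "ssl"), rules)
    return outcome


def facebook_dependency_example() -> Dict[str, bool]:
    """Disabling a base App-ID disables the App-IDs that depend on it."""
    catalog = {"facebook-base": AppID("facebook-base"),
               "facebook-chat": AppID("facebook-chat", depends_on={"facebook-base"})}
    before = is_effective("facebook-chat", catalog)
    catalog["facebook-base"].enabled = False
    return {"chat_before": before, "chat_after_base_disabled": is_effective("facebook-chat", catalog)}


if __name__ == "__main__":
    print(walkthrough())
    print(facebook_dependency_example())
```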

Prepare Policy Updates For Pending App-IDs
You can now stage seamless policy updates for new App-IDs. Release versions prior to PAN-OS 7.0 required you to install new App-IDs (as part of a content release) and then make necessary policy updates. This allowed for a period during which the newly identified application traffic was not enforced, either by existing rules (that the traffic had matched to before being uniquely identified) or by rules that had yet to be created or modified to use the new App-ID.
Pending App-IDs can now be added to policy rules to prevent gaps in policy enforcement that could occur during the period between installing a content release and updating security policy. Pending App-IDs include App-IDs that have been manually disabled, or App-IDs that are downloaded to the firewall but not installed. Pending App-IDs can be used to update policies both before and after installing a new content release. Though they can be added to policy rules, pending App-IDs are not enforced until the App-IDs are both installed and enabled on the firewall.
The names of App-IDs that have been manually disabled display as gray and italicized, to indicate the disabled status:

Disabled App-ID listed on the Objects > Applications page:

Disabled App-ID included in a security policy rule:

App-IDs that are included in a downloaded content release version might have an App-ID status of enabled, but App-IDs are not enforced until the corresponding content release version is installed.

Perform Seamless Policy Updates for New App-IDs
To install the content release version now and then update policies:
Do this to benefit from new threat signatures immediately, while you review new application signatures and update your policies.

1. Select Device > Dynamic Updates and Download the latest content release version.
2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
3. Install the latest content release version. Before the content release is installed, you are prompted to Disable new apps in content update. Select the check box and continue to install the content release. Threat signatures included in the content release will be installed and effective, while new or updated App-IDs are disabled.
4. Select Policies and update Security, QoS, and Policy Based Forwarding rules to match to and enforce the now uniquely identified application traffic, using the pending App-IDs.
5. Select Objects > Applications and select one or multiple disabled App-IDs and click Enable.
6. Commit your changes to seamlessly update policy enforcement for new App-IDs.

To update policies now and then install the content release version:

1. Select Device > Dynamic Updates and Download the latest content release version.
2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
3. While reviewing the policy impact for new App-IDs, you can use the Policy Review based on candidate configuration to add a new App-ID to existing policy rules. The new App-ID is added to the existing rules as a disabled App-ID.
4. Continue to review the policy impact for all App-IDs included in the latest content release version by selecting App-IDs in the Applications drop-down. Add the new App-IDs to existing policies as needed.
5. Click OK to save your changes.
6. Install the latest content release version.
7. Commit your changes to seamlessly update policy enforcement for new App-IDs.


Use Application Objects in Policy

Create an Application Group

Create an Application Filter

Create a Custom Application

Create an Application Group
An application group is an object that contains applications that you want to treat similarly in policy. Application groups are useful for enabling access to applications that you explicitly sanction for use within your organization. Grouping sanctioned applications simplifies administration of your rulebases: instead of having to update individual policy rules when there is a change in the applications you support, you can instead update only the affected application groups.
When deciding how to group applications, consider how you plan to enforce access to your sanctioned applications and create an application group that aligns with each of your policy goals. For example, you might have some applications that you will only allow your IT administrators to access, and other applications that you want to make available for any known user in your organization. In this case, you would create separate application groups for each of these policy goals. Although you generally want to enable access to applications on the default port only, you may want to group applications that are an exception to this and enforce access to those applications in a separate rule.
Create an Application Group
Step 1

Select Objects > Application Groups.

Step 2

Add a group and give it a descriptive Name.

Step 3

(Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.

Step 4

Add the applications you want in the group and then click OK.

Step 5

Commit the configuration.


Create an Application Filter
An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to access. For example, you may want to enable employees to choose their own office programs (such as Evernote, Google Docs, or Microsoft Office 365) for business use. To safely enable these types of applications, you could create an application filter that matches on the Category business-systems and the Subcategory office-programs. As new office programs emerge and new App-IDs are created for them, these new applications will automatically match the filter you defined; you will not have to make any additional changes to your policy rulebase to safely enable any application that matches the attributes you defined for the filter. Because a filter also matches applications added by future content updates, review which applications match it after each update so that you know what a rule using the filter now allows.
Create an Application Filter
Step 1  Select Objects > Application Filters.
Step 2  Add a filter and give it a descriptive Name.
Step 3  (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
Step 4  Define the filter by selecting attribute values from the Category, Subcategory, Technology, Risk, and Characteristic sections. As you select values, notice that the list of matching applications at the bottom of the dialog narrows. When you have adjusted the filter attributes to match the types of applications you want to safely enable, click OK.
Step 5  Commit the configuration.

Create a Custom Application
To safely enable applications you must classify all traffic, across all ports, all the time. With App-ID, the only applications that are typically classified as unknown traffic (unknown-tcp, unknown-udp, or non-syn-tcp) in the ACC and the Traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.
If you are seeing unknown traffic for a commercial application that does not yet have an App-ID, you can submit a request for a new App-ID here: http://researchcenter.paloaltonetworks.com/submitanapplication/.

To ensure that your internal custom applications do not show up as unknown traffic, create a custom application. You can then exercise granular policy control over these applications in order to minimize the range of unidentified traffic on your network, thereby reducing the attack surface. Creating a custom application also allows you to correctly identify the application in the ACC and Traffic logs, which enables you to audit and report on the applications on your network.
To create a custom application, you must define the application attributes: its characteristics, category and subcategory, risk, port, and timeout. In addition, you must define patterns or values that the firewall can use to match the traffic flows themselves (the signature). Finally, you can attach the custom application to a security policy rule that allows or denies the application (or add it to an application group or match it to an application filter). You can also create custom applications to identify ephemeral applications with topical interest, such as ESPN3 Video for World Cup soccer or March Madness.
In order to collect the right data to create a custom application signature, you will need a good understanding of packet captures and how datagrams are formed. If the signature is created too broadly, you might inadvertently include other, similar traffic; if it is defined too narrowly, the traffic will evade detection if it does not strictly match the pattern.
Custom applications are stored in a separate database on the firewall and this database is not impacted by the weekly App-ID updates.
The supported application protocol decoders that enable the firewall to detect applications that may be tunneling inside of the protocol include the following as of content update 424: HTTP, HTTPS, DNS, FTP, IMAP, SMTP, Telnet, IRC (Internet Relay Chat), Oracle, RTMP, RTSP, SSH, GNU Debugger, GIOP (Global Inter-ORB Protocol), Microsoft RPC, Microsoft SMB (also known as CIFS).

The following is a basic example of how to create a custom application.

Create a Custom Application
Step 1  Gather information about the application that you will be able to use to write custom signatures.
To do this, you must have an understanding of the application and how you want to control access to it. For example, you may want to limit what operations users can perform within the application (such as uploading, downloading, or live streaming). Or you may want to allow the application, but enforce QoS policing.
Capture application packets so that you can find unique characteristics of the application on which to base your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the client system to capture the packets between the client and the server. Perform different actions in the application, such as uploading and downloading, so that you will be able to locate each type of session in the resulting packet captures (PCAPs).
Because the firewall by default takes packet captures for all unknown traffic, if the firewall is between the client and the server you can view the packet capture for the unknown traffic directly from the Traffic log.
Use the packet captures to find patterns or values in the packet contexts that you can use to create signatures that will uniquely match the application traffic. For example, look for string patterns in HTTP response or request headers, URI paths, or hostnames. For information on the different string contexts you can use to create application signatures and where you can find the corresponding values in the packet, refer to Creating Custom Threat Signatures.
Step 2  Add the custom application.
1. Select Objects > Applications and click Add.
2. On the Configuration tab, enter a Name and a Description for the custom application that will help other administrators understand why you created the application.
3. (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
4. Define the application Properties and Characteristics.
Step 3  Define details about the application, such as the underlying protocol, the port number the application runs on, the timeout values, and any types of scanning you want to be able to perform on the traffic.
On the Advanced tab, define settings that will allow the firewall to identify the application protocol:
Specify the default ports or protocol that the application uses.
Specify the session timeout values. If you don't specify timeout values, the default timeout values will be used.
Indicate any type of additional scanning you plan to perform on the application traffic.
For example, to create a custom TCP-based application that runs over SSL but uses port 4443 (instead of the default port for SSL, 443), you would specify the port number. By adding the port number for a custom application, you can create policy rules that use the default port for the application (Service set to application-default) rather than opening up additional ports on the firewall. This improves your security posture.

UseApplicationObjectsinPolicy

AppID

CreateaCustomApplication(Continued)
Step4

Definethecriteriathatthefirewallwill 1.
usetomatchthetraffictothenew
application.
Youwillusetheinformationyou
2.
gatheredfromthepacketcapturesto
specifyuniquestringcontextvaluesthat
3.
thefirewallcanusetomatchpatternsin
theapplicationtraffic.
4.

442 PANOS7.1AdministratorsGuide

OntheSignaturestab,clickAddanddefineaSignature Name
andoptionallyaCommenttoprovideinformationabouthow
youintendtousethissignature.
SpecifytheScopeofthesignature:whetheritmatchestoafull
SessionorasingleTransaction.
SpecifyconditionstodefinesignaturesbyclickingAdd And
ConditionorAdd Or Condition.
SelectanOperatortodefinethetypeofmatchconditionsyou
willuse:Pattern MatchorEqual To.
IfyouselectedPattern Match,selecttheContextandthen
usearegularexpressiontodefinethePatterntomatchthe
selectedcontext.Optionally,clickAddtodefinea
qualifier/valuepair.TheQualifierlistisspecifictothe
Contextyouchose.
IfyouselectedEqual To,selecttheContextandthenusea
regularexpressiontodefinethePositionofthebytesinthe
packetheadertousematchtheselectedcontext.Choose
fromfirst-4bytesorsecond-4bytes.Definethe4bytehex
valuefortheMask(forexample,0xffffff00)andValue(for
example,0xaabbccdd).
Forexample,ifyouarecreatingacustomapplicationforone
ofyourinternalapplications,youcouldusethe
ssl-rsp-certificateContexttodefineapatternmatchforthe
certificateresponsemessageofaSSLnegotiationfromthe
serverandcreateaPatterntomatchthecommonNameofthe
serverinthemessageasshownhere:

5.

Repeatstep3and4foreachmatchingcondition.

6.

Iftheorderinwhichthefirewallattemptstomatchthe
signaturedefinitionsisimportant,makesuretheOrdered
Condition Matchcheckboxisselectedandthenorderthe
conditionssothattheyareevaluatedintheappropriateorder.
SelectaconditionoragroupandclickMove UporMove Down.
Youcannotmoveconditionsfromonegrouptoanother.

7.

ClickOKtosavethesignaturedefinition.

PaloAltoNetworks,Inc.

Step 5  Save the application.
1. Click OK to save the custom application definition.
2. Click Commit.
Step 6  Validate that traffic matches the custom application as expected.
1. Select Policies > Security and Add a security policy rule to allow the new application.
2. Run the application from a client system whose traffic to the application passes through the firewall, and then check the Traffic logs (Monitor > Traffic) to make sure that you see traffic matching the new application (and that it is being handled per your policy rule). If the sessions still show as unknown-tcp or unknown-udp, the signature is too narrow; if unrelated sessions now show the custom application, it is too broad.

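Before committing a custom signature, it is worth checking the candidate conditions against a set of captured flows to see whether the signature is too broad or too narrow, as the note above warns. The following Python script is an added example and not Palo Alto Networks code: it models the two operators the Signatures tab offers (Pattern Match, a regular expression over a string context, and Equal To, a mask and value over four bytes at a position) and runs three candidate signatures over constructed sample flows. The flow contents, the internal hostnames, the binary magic number, and the context names used here (http-req-host-header, http-req-uri-path, ssl-rsp-certificate, unknown-req-tcp-payload) are assumptions for illustration; take the real values from your own PCAPs or from the packet captures attached to unknown-tcp Traffic log entries.

```python
import re
from dataclasses import dataclass

# Constructed sample flows (not real captures). Each entry is
# (label, is_the_internal_app, {context_name: extracted_value}).
# String contexts hold the decoded text the firewall would see; the
# payload context holds raw bytes for the Equal To operator.
SAMPLE_FLOWS = [
    ("inventory-app-tls", True,
     {"ssl-rsp-certificate": "CN=inventory.corp.example,O=Example Corp"}),
    ("inventory-app-http", True,
     {"http-req-host-header": "inventory.corp.example",
      "http-req-uri-path": "/api/v1/stock"}),
    ("inventory-demo", False,          # look-alike host, a different app
     {"http-req-host-header": "inventory-demo.corp.example",
      "http-req-uri-path": "/api/v1/stock"}),
    ("unrelated-web", False,
     {"http-req-host-header": "www.example.com", "http-req-uri-path": "/"}),
    ("inventory-binary", True,         # assumed magic 0xaabbcc + version byte
     {"unknown-req-tcp-payload": bytes.fromhex("aabbcc0700000010")}),
    ("other-binary", False,
     {"unknown-req-tcp-payload": bytes.fromhex("aabbcd0700000010")}),
]


@dataclass(frozen=True)
class PatternMatch:
    """Operator 'Pattern Match': a regex searched in a string context."""
    context: str
    pattern: str

    def matches(self, contexts):
        value = contexts.get(self.context)
        return isinstance(value, str) and re.search(self.pattern, value) is not None


@dataclass(frozen=True)
class EqualTo:
    """Operator 'Equal To': (4 bytes at Position) & Mask == Value.
    Bits cleared by the mask must also be 0 in Value, otherwise the
    condition can never be true (see the never-matching pair in the test)."""
    context: str
    position: str  # "first-4bytes" or "second-4bytes"
    mask: int
    value: int

    def matches(self, contexts):
        payload = contexts.get(self.context)
        if not isinstance(payload, bytes):
            return False
        offset = 0 if self.position == "first-4bytes" else 4
        chunk = payload[offset:offset + 4]
        if len(chunk) < 4:
            return False
        return (int.from_bytes(chunk, "big") & self.mask) == self.value


@dataclass(frozen=True)
class Signature:
    """AND of OR-groups, mirroring Add And Condition / Add Or Condition."""
    name: str
    and_groups: tuple  # each element is a tuple of alternative conditions

    def matches(self, contexts):
        return all(any(c.matches(contexts) for c in group)
                   for group in self.and_groups)


def evaluate(signature, flows=SAMPLE_FLOWS):
    """Run a signature over labelled flows; return (false_positives, false_negatives)."""
    false_positives, false_negatives = [], []
    for label, is_target, contexts in flows:
        hit = signature.matches(contexts)
        if hit and not is_target:
            false_positives.append(label)
        elif is_target and not hit:
            false_negatives.append(label)
    return false_positives, false_negatives


# Too broad: an unanchored substring also matches the look-alike host.
BROAD = Signature("inventory-broad", (
    (PatternMatch("http-req-host-header", r"inventory"),
     PatternMatch("ssl-rsp-certificate", r"CN=inventory")),
))

# Too narrow: only the HTTP host header is checked, so the TLS and
# binary sessions of the same application stay classified as unknown.
NARROW = Signature("inventory-narrow", (
    (PatternMatch("http-req-host-header", r"^inventory\.corp\.example$"),),
))

# Anchored host and commonName patterns, plus a masked magic-number check.
PRECISE = Signature("inventory-precise", (
    (PatternMatch("http-req-host-header", r"^inventory\.corp\.example$"),
     PatternMatch("ssl-rsp-certificate", r"CN=inventory\.corp\.example(,|$)"),
     EqualTo("unknown-req-tcp-payload", "first-4bytes", 0xFFFFFF00, 0xAABBCC00)),
))


if __name__ == "__main__":
    for sig in (BROAD, NARROW, PRECISE):
        fps, fns = evaluate(sig)
        print(f"{sig.name}: false positives={fps} false negatives={fns}")
```

Run it against flows you have labelled yourself: every false positive is traffic the custom application would silently absorb (and your allow rule would pass), and every false negative is a session that stays unknown-tcp and falls to whatever rule handles unknown traffic.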
Applications with Implicit Support
When creating a policy to allow specific applications, you must also be sure that you are allowing any other applications on which the application depends. In many cases, you do not have to explicitly allow access to the dependent applications in order for the traffic to flow because the firewall is able to determine the dependencies and allow them implicitly. This implicit support also applies to custom applications that are based on HTTP, SSL, MSRPC, or RTSP. Applications for which the firewall cannot determine the dependent applications in time will require that you explicitly allow the dependent applications when defining your policies. You can determine application dependencies in Applipedia.
The following table lists the applications for which the firewall has implicit support (as of Content Update 557).
Table: Applications with Implicit Support
Application                 Implicitly Supports
360-safeguard-update        http
apple-update                http
apt-get                     http
as2                         http
avg-update                  http
avira-antivir-update        http, ssl
blokus                      rtmp
bugzilla                    http
club-cooee                  http
corba                       http
cubby                       http, ssl
dropbox                     ssl
esignal                     http
evernote                    http, ssl
ezhelp                      http
facebook                    http, ssl
facebook-chat               jabber
facebook-social-plugin      http
fastviewer                  http, ssl
forticlient-update          http
good-for-enterprise         http, ssl
google-cloud-print          http, ssl, jabber
google-desktop              http
google-talk                 jabber
google-update               http
gotomypc-desktop-sharing    citrix-jedi
gotomypc-file-transfer      citrix-jedi
gotomypc-printing           citrix-jedi
hipchat                     http
iheartradio                 ssl, http, rtmp
infront                     http
instagram                   http, ssl
issuu                       http, ssl
java-update                 http
jepptech-updates            http
kerberos                    rpc
kik                         http, ssl
lastpass                    http, ssl
logmein                     http, ssl
mcafee-update               http
megaupload                  http
metatrader                  http
mocha-rdp                   t_120
mount                       rpc
ms-frs                      msrpc
ms-rdp                      t_120
ms-scheduler                msrpc
ms-service-controller       msrpc
nfs                         rpc
oovoo                       http, ssl
paloalto-updates            ssl
panos-global-protect        http
panos-web-interface         http
pastebin                    http
pastebin-posting            http
pinterest                   http, ssl
portmapper                  rpc
prezi                       http, ssl
rdp2tcp                     t_120
renren-im                   jabber
roboform                    http, ssl
salesforce                  http
stumbleupon                 http
supremo                     http
symantec-av-update          http
trendmicro                  http
trillian                    http, ssl
twitter                     http
whatsapp                    http, ssl
xm-radio                    rtsp

Application Level Gateways
The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the application based on its unique properties and transaction characteristics using the App-ID technology. Some applications, however, require the firewall to dynamically open pinholes to establish the connection, determine the parameters for the session, and negotiate the ports that will be used for the transfer of data; these applications use the application layer payload to communicate the dynamic TCP or UDP ports on which the application opens data connections. For such applications, the firewall serves as an Application Level Gateway (ALG), and it opens a pinhole for a limited time and exclusively for transferring data or control traffic. The firewall also performs a NAT rewrite of the payload when necessary.
As of Content Release version 504, the Palo Alto Networks firewall provides NAT ALG support for the following protocols: FTP, H.225, H.248, MGCP, MySQL, Oracle/SQLNet/TNS, RPC, RTSP, SCCP, SIP, and UNIStim.
When the firewall serves as an ALG for the Session Initiation Protocol (SIP), by default it performs NAT on the payload and opens dynamic pinholes for media ports. In some cases, depending on the SIP applications in use in your environment, the SIP endpoints have NAT intelligence embedded in their clients. In such cases, you might need to disable the SIP ALG functionality to prevent the firewall from modifying the signaling sessions. When SIP ALG is disabled, if App-ID determines that a session is SIP, the payload is not translated and dynamic pinholes are not opened. See Disable the SIP Application-level Gateway (ALG).

The firewall provides IPv6-to-IPv6 Network Prefix Translation (NPTv6) ALG support for the following protocols: FTP, Oracle, and RTSP. The SIP ALG is not supported for NPTv6 or NAT64.

Disable the SIP Application-level Gateway (ALG)
The Palo Alto Networks firewall uses the Session Initiation Protocol (SIP) application-level gateway (ALG) to open dynamic pinholes in the firewall where NAT is enabled. However, some applications such as VoIP clients have NAT intelligence embedded in the client application. In these cases, the SIP ALG on the firewall can interfere with the signaling sessions and cause the client application to stop working.
One solution to this problem is to define an Application Override policy for SIP, but using this approach disables App-ID and threat detection for that traffic. A better approach is to disable the SIP ALG, which does not disable App-ID or threat detection.
The following procedure describes how to disable the SIP ALG.
Disable the SIP ALG
Step 1  Select Objects > Applications.
Step 2  Select the sip application. You can type sip in the Search box to help find the sip application.
Step 3  Select Customize... for ALG in the Options section of the Application dialog box.
Step 4  Select the Disable ALG check box in the Application - sip dialog box and click OK.
Step 5  Close the Application dialog box and Commit the change.
With the ALG disabled, the firewall no longer opens pinholes for the negotiated media ports, so make sure your security rules (and NAT rules, where applicable) allow the RTP media sessions directly.

Threat Prevention
The Palo Alto Networks next-generation firewall protects and defends your network from commodity threats and advanced persistent threats (APTs). The firewall's multi-pronged detection mechanisms include a signature-based (IPS/Command and Control/Antivirus) approach, a heuristics-based (bot detection) approach, a sandbox-based (WildFire) approach, and a Layer 7 protocol analysis-based (App-ID) approach.
Commodity threats are exploits that are less sophisticated and more easily detected and prevented using a combination of the antivirus, anti-spyware, vulnerability protection and the URL filtering/application identification capabilities on the firewall.
Advanced threats are perpetrated by organized cyber criminals or malicious groups that use sophisticated attack vectors to target your network, most commonly for intellectual property theft and financial data theft. These threats are more evasive and require intelligent monitoring mechanisms for detailed host and network forensics on malware. The Palo Alto Networks next-generation firewall, in conjunction with WildFire and Panorama, provides a comprehensive solution that intercepts and breaks the attack chain and provides visibility to prevent security infringement on your network, including mobile and virtualized infrastructure.

Set Up Security Profiles and Policies
Prevent Brute Force Attacks
Customize the Action and Trigger Conditions for a Brute Force Signature
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
Enable DNS Proxy
Enable Passive DNS Collection for Improved Threat Intelligence
Use DNS Queries to Identify Infected Hosts on the Network
Content Delivery Network Infrastructure for Dynamic Updates
Threat Prevention Resources

Set Up Security Profiles and Policies
The following sections provide basic threat prevention configuration examples:
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Set Up Data Filtering
Set Up File Blocking
For information on controlling web access as part of your threat prevention strategy, see URL Filtering.

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
The following describes the steps needed to set up the default Antivirus, Anti-Spyware, and Vulnerability Protection Security Profiles.
All anti-spyware and vulnerability protection signatures have a default action defined by Palo Alto Networks. You can view the default action by navigating to Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then selecting a profile. Click the Exceptions tab and then click Show all signatures and you will see a list of the signatures with the default action in the Action column. To change the default action, you must create a new profile and then create rules with a non-default action, and/or add individual signature exceptions to Exceptions in the profile.

Set up Antivirus/Anti-Spyware/Vulnerability Protection
Step 1  Verify that you have a Threat Prevention license.
The Threat Prevention subscription bundles the antivirus, anti-spyware, and vulnerability protection features in one license. To verify that you have an active Threat Prevention subscription, select Device > Licenses to verify that the Threat Prevention license is installed and check the expiration date.
Step 2  Download the latest antivirus threat signatures.
1. Select Device > Dynamic Updates and click Check Now at the bottom of the page to retrieve the latest signatures.
2. In the Actions column, click Download and then Install for the latest Antivirus and Applications and Threats signatures.
Step 3  Schedule signature updates.
1. From Device > Dynamic Updates, click the text to the right of Schedule to automatically retrieve signature updates for Antivirus and Applications and Threats.
2. Specify the frequency and timing for the updates and whether the update will be downloaded and installed or only downloaded. If you select Download Only, you need to manually click the Install link in the Action column to install the signatures. When you click OK, the update is scheduled. No commit is required.
3. (Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age of a signature before a download will occur. For example, if you entered 10, the signature must be at least 10 hours old before it will be downloaded, regardless of the schedule.
4. In an HA configuration, you can also select the Sync To Peer option to synchronize the content update with the HA peer after download/install. This will not push the schedule settings to the peer firewall; you need to configure the schedule on each firewall.

Best Practices for Antivirus Schedules
The general recommendation for signature update schedules is to perform a download-and-install daily for Antivirus and weekly for Applications and Threats.
Recommendations for HA Configurations:
Active/Passive HA: If the MGT port is used for antivirus signature downloads, configure a schedule on both firewalls and both firewalls will download/install independently. If you are using a data port for downloads, the passive firewall will not perform downloads while it is in the passive state. In this case, set a schedule on both firewalls and then select the Sync To Peer option. This ensures that whichever firewall is active, the updates will occur and will then be pushed to the passive firewall.
Active/Active HA: If the MGT port is used for antivirus signature downloads on both firewalls, schedule the download/install on both firewalls, but do not select the Sync To Peer option. If you are using a data port, schedule the signature downloads on both firewalls and select Sync To Peer. This ensures that if one firewall in the active/active configuration goes into the active-secondary state, the active-primary firewall will download/install the signatures and will then push them to the active-secondary firewall.

Step 4  Attach the security profiles to a security policy rule.
1. Select Policies > Security, select the desired rule to modify it and then click the Actions tab.
2. In Profile Settings, click the drop-down next to each security profile you would like to enable. In this example we choose default for Antivirus, Vulnerability Protection, and Anti-Spyware. The default Anti-Spyware profile enables DNS Sinkholing.
If no security profiles have been previously defined, select Profiles from the Profile Type drop-down. You will then see the list of options to select the security profiles.
Step 5  Save the configuration. Click Commit.

Set Up Data Filtering
The following describes the steps needed to configure a data filtering profile that will detect Social Security Numbers and a custom pattern identified in .doc and .docx documents.
Data Filtering Configuration Example
Step 1  Create a Data Filtering security profile.
1. Select Objects > Security Profiles > Data Filtering and click Add.
2. Enter a Name and a Description for the profile. In this example the name is DF_Profile1 with the description Detect Social Security Numbers.
3. (Optional) If you want to collect data that is blocked by the filter, select the Data Capture check box. You must set a password as described in Step 2 if you are using the data capture feature.
Step 2  (Optional) Secure access to the data filtering logs to prevent other administrators from viewing sensitive data. When you enable this option, you will be prompted for the password when you view logs in Monitor > Logs > Data Filtering.
1. Select Device > Setup > Content-ID.
2. Click Manage Data Protection in the Content-ID Features section.
3. Set the password that will be required to view the data filtering logs.

Step 3  Define the data pattern that will be used in the Data Filtering profile.
In this example, we will use the keyword confidential and will set the option to search for SSN numbers with dashes (for example, 987-65-4320). It is helpful to set the appropriate thresholds and define keywords within documents to reduce false positives.
1. From the Data Filtering Profile page click Add and select New from the Data Pattern drop-down. You can also configure data patterns from Objects > Custom Signatures > Data Patterns.
2. For this example, name the Data Pattern signature Detect SS Numbers and add the description Data Pattern to detect Social Security numbers.
3. In the Weight section for SSN# enter 3. See Weight and Threshold Values for more details.
4. (Optional) You can also set Custom Patterns that will be subject to this profile. In this case, you specify a pattern in the custom patterns Regex field and set a weight. You can add multiple match expressions to the same data pattern profile. In this example, we will create a Custom Pattern named SSN_Custom with a custom pattern of confidential (the pattern is case-sensitive) and use a weight of 20. The reason we use the term confidential in this example is that we know our Social Security Word docs contain this term, so we define that specifically.
Step 4  Specify which applications to filter and set the file types.
1. Set Applications to Any. This will detect any supported application such as web-browsing, FTP, or SMTP. If you want to narrow down the application, you can select it from the list. For applications such as Microsoft Outlook Web App that use SSL, you will need to enable decryption. Also make sure you understand the naming for each application. For example, Outlook Web App, which is the Microsoft name for this application, is identified as the application outlook-web in the PAN-OS list of applications. You can check the logs for a given application to identify the name defined in PAN-OS.
2. Set File Types to doc and docx to only scan doc and docx files.

Step 5  Specify the direction of traffic to filter and the threshold values.
1. Set the Direction to Both. Files that are uploaded or downloaded will be scanned.
2. Set the Alert Threshold to 35. In this case, an alert will be triggered if 5 unique Social Security Numbers exist and 1 instance of the term confidential exists. The formula is 5 SSN instances with a weight of 3 = 15, plus 1 instance of the term confidential with a weight of 20 = 35.
3. Set the Block Threshold to 50. The file will be blocked if the weighted score of SSN instances and/or the term confidential in the file reaches 50 (the thresholds count weight, not instances). In this case, if the doc contained 1 instance of the word confidential with a weight of 20, that equals 20 toward the threshold, and if the doc has 15 Social Security Numbers with a weight of 3, that equals 45. Add 20 and 45 and you have 65, which exceeds the block threshold of 50.
Step 6  Attach the Data Filtering profile to the security rule.
1. Select Policies > Security and select the security policy rule to which to apply the profile.
2. Click the security policy rule to modify it and then click the Actions tab. In the Data Filtering drop-down, select the new data filtering profile you created and then click OK to save. In this example, the data filtering profile name is DF_Profile1.
Step 7  Commit the configuration.

Step 8  Test the data filtering configuration.
If you have problems getting Data Filtering to work, you can check the Data Filtering log or the Traffic log to verify the application that you are testing with and make sure your test document has the appropriate number of unique Social Security Number instances. For example, an application such as Microsoft Outlook Web App may seem to be identified as web-browsing, but if you look at the logs, the application is outlook-web. Also increase the number of SSNs, or your custom pattern, to make sure you are hitting the thresholds.
When testing, you must use real Social Security Numbers and each number must be unique. Also, when defining Custom Patterns as we did in this example with the word confidential, the pattern is case-sensitive. To keep your test simple, you may want to test using a custom pattern first, then test the SSNs.
1. Create a Microsoft Word document with one instance of the term confidential and five Social Security numbers with dashes.
2. From a client PC in the trust zone of the firewall, upload the .doc or .docx file to a web site. Use an HTTP site unless you have decryption configured, in which case you can use HTTPS.
3. Select Monitor > Logs > Data Filtering.
4. Locate the log entry that corresponds to the file you just uploaded. To help filter the logs, use the source of your client PC and the destination of the web server. The Action column shows alert when the alert threshold is reached and reset-both when the block threshold is reached. You can now increase the number of Social Security Numbers in the document to test the block threshold.

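The weight and threshold arithmetic in Steps 3 and 5 can be checked offline before you start uploading test documents. The following Python script is an added example and not Palo Alto Networks code: it scores constructed document text with the same values the example profile uses (SSN weight 3, custom pattern confidential with weight 20, alert at 35, block at 50), counting each unique SSN once and matching the custom pattern case-sensitively, as the testing notes above describe. The sample SSNs follow the guide's 987-65-4320 example form; the digit validity rules the firewall applies to a candidate SSN are not described on this page and are not modelled here.

```python
import re

# Weights and thresholds from the guide's worked example.
SSN_WEIGHT = 3
CUSTOM_PATTERNS = {"confidential": 20}  # Custom Pattern regex -> weight (case-sensitive)
ALERT_THRESHOLD = 35
BLOCK_THRESHOLD = 50

# Dashed form only (###-##-####), matching the "SSN numbers with dashes" option.
# Assumption: only the shape is checked; the firewall's own validity rules for
# the digits are not documented on this page.
SSN_RE = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")


def score(text):
    """Weighted score: unique SSNs * 3 plus each custom-pattern hit * its weight."""
    unique_ssns = set(SSN_RE.findall(text))       # a repeated SSN counts once
    total = len(unique_ssns) * SSN_WEIGHT
    details = {"ssn_unique": len(unique_ssns)}
    for pattern, weight in CUSTOM_PATTERNS.items():
        hits = len(re.findall(pattern, text))     # case-sensitive, like the profile
        details[pattern] = hits
        total += hits * weight
    return total, details


def verdict(text):
    """Map the score onto the profile's actions (block is logged as reset-both)."""
    total, _ = score(text)
    if total >= BLOCK_THRESHOLD:
        return "block"
    if total >= ALERT_THRESHOLD:
        return "alert"
    return "allow"


def make_test_document(n_ssns, keyword="confidential", repeat_same=False):
    """Constructed text of the Word document the test uploads (not a real file)."""
    lines = [f"This memo is {keyword}." if keyword else "This memo is internal."]
    for i in range(n_ssns):
        ssn = "987-65-4320" if repeat_same else f"987-65-{4300 + i:04d}"
        lines.append(f"Employee {i}: SSN {ssn}")
    return "\n".join(lines)


if __name__ == "__main__":
    for n in (4, 5, 15):
        doc = make_test_document(n)
        print(n, "unique SSNs + 'confidential':", score(doc)[0], "->", verdict(doc))
```

The same document with the keyword written as Confidential, or with one SSN pasted twenty times, stays under the alert threshold, which is the usual reason a test upload produces no Data Filtering log entry.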
Set Up File Blocking
This example describes the basic steps needed to set up file blocking. In this configuration, we configure the options needed to prompt users to continue before downloading .exe files from web sites. When testing this example, be aware that you may have other systems between you and the source that may be blocking content.
Configure File Blocking
Step 1  Create the file blocking profile.
1. Select Objects > Security Profiles > File Blocking and click Add.
2. Enter a Name for the file blocking profile, for example Block_EXE. Optionally enter a Description, such as Block users from downloading exe files from websites.
Step 2  Configure the file blocking options.
1. Click Add to define the profile settings.
2. Enter a Name, such as BlockEXE.
3. Set the Applications for filtering, for example web-browsing.
4. Set File Types to exe.
5. Set the Direction to download.
6. Set the Action to continue. By choosing the continue option, users will be prompted with a response page asking them to click Continue before the file will be downloaded.
7. Click OK to save the profile.
Step 3  Apply the file blocking profile to a security policy rule.
1. Select Policies > Security and either select an existing rule or create a new rule as described in Set Up a Basic Security Policy.
2. Click the Actions tab within the policy rule.
3. In the Profile Settings section, click the drop-down and select the file blocking profile you configured. In this case, the profile name is Block_EXE.
If no security profiles have been previously defined, select the Profile Type drop-down and select Profiles. You will then see the list of options to select the security profiles.
4. Commit the configuration.
Step 4  To test your file blocking configuration, access a client PC in the trust zone of the firewall and attempt to download an .exe file from a web site in the untrust zone. A response page should display. Click Continue to download the file. You can also set other actions, such as alert or block, which will not provide a continue page to the user.
Example: Default File Blocking Response Page
Step 5  (Optional) Define custom file blocking response pages (Device > Response Pages). This allows you to provide more information to users when they see a response page. You can include information such as company policy information and contact information for a Helpdesk.
When you create a file blocking profile with the action continue, you can only choose the application web-browsing. If you choose any other application, traffic that matches the security policy rule will not flow through the firewall, because the users will not be prompted with a continue page. Also, if the web site uses HTTPS, you will need to have a decryption policy in place.
You may want to check your logs to confirm what application is being used when testing this feature. For example, if you are using Microsoft SharePoint to download files, even though you are using a web browser to access the site, the application is actually sharepoint-base or sharepoint-document. You may want to set the application type to Any for testing.

Prevent Brute Force Attacks
A brute force attack uses a large volume of requests/responses from the same source or destination IP address to break into a system. The attacker employs a trial-and-error method to guess the response to a challenge or a request.
The Vulnerability Protection profile on the firewall includes signatures to protect you from brute force attacks. Each signature has an ID, Threat Name, and Severity and is triggered when a pattern is recorded. The pattern specifies the conditions and interval at which the traffic is identified as a brute force attack; some signatures are associated with another child signature that is of a lower severity and specifies the pattern to match against. When a pattern matches against the signature or child signature, it triggers the default action for the signature.
To enforce protection:
Attach the vulnerability profile to a security rule. See Set Up Antivirus, Anti-Spyware, and Vulnerability Protection.
Install content updates that include new signatures to protect against emerging threats. See Install Content and Software Updates.

CustomizetheActionandTriggerConditionsforaBruteForceSignature

Customize the Action and Trigger Conditions for a Brute Force Signature
The firewall includes two types of predefined brute force signatures: parent signatures and child signatures. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events occur within a time interval and match the traffic pattern defined in the child signature.
Typically, a child signature has the default action allow because a single event is not indicative of an attack. In most cases, the action for a child signature is set to allow so that legitimate traffic is not blocked and threat logs are not generated for non-noteworthy events. Therefore, Palo Alto Networks recommends that you only change the default action after careful consideration.
In most cases, the brute force signature is a noteworthy event because of its recurrent pattern. If you would like to customize the action for a brute force signature, you can do one of the following:

- Create a rule to modify the default action for all signatures in the brute force category. You can define the action to allow, alert, block, reset, or drop the traffic.
- Define an exception for a specific signature. For example, you can search for a CVE and define an exception for it.

For a parent signature, you can modify both the trigger conditions and the action; for a child signature you can modify the action only.
To effectively mitigate an attack, the block-ip action is recommended over the drop or reset action for most brute force signatures.
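To make the parent/child relationship concrete, here is an added Python model (not PAN-OS code) of how a parent signature's trigger threshold behaves: every child match is one event, and the parent fires when the hit count inside the time window, aggregated by source, destination, or source and destination, reaches the configured Number of Hits. The event tuples are constructed for the example and the sliding-window bookkeeping is an assumption, not the firewall's implementation.

```python
from collections import defaultdict, deque

# Constructed child-signature matches: (timestamp in seconds, source IP, destination IP).
# One tuple is a single child event; the parent signature counts them per aggregation key.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", "10.0.0.10"),
    (1.0, "203.0.113.5", "10.0.0.10"),
    (2.0, "203.0.113.5", "10.0.0.10"),
    (3.0, "203.0.113.5", "10.0.0.11"),   # same source, different server
    (4.0, "198.51.100.7", "10.0.0.10"),  # different source, same server
    (70.0, "203.0.113.5", "10.0.0.10"),  # earlier events have aged out by now
]


class ParentSignature:
    """Sliding-window hit counter modelling a parent brute-force signature.

    hits:     Number of Hits that triggers the parent
    seconds:  length of the window ("per x seconds")
    track_by: "source", "destination" or "source-and-destination"
    """

    def __init__(self, hits, seconds, track_by="source"):
        if track_by not in ("source", "destination", "source-and-destination"):
            raise ValueError("unknown aggregation: %s" % track_by)
        self.hits = hits
        self.seconds = seconds
        self.track_by = track_by
        self._windows = defaultdict(deque)  # aggregation key -> timestamps in window

    def key(self, src, dst):
        if self.track_by == "source":
            return src
        if self.track_by == "destination":
            return dst
        return (src, dst)

    def observe(self, ts, src, dst):
        """Record one child match; return True when the parent threshold is reached."""
        window = self._windows[self.key(src, dst)]
        window.append(ts)
        # Age out events older than the window so only recent hits count.
        while window and ts - window[0] > self.seconds:
            window.popleft()
        if len(window) >= self.hits:
            window.clear()  # start counting the next burst afresh
            return True
        return False


def triggered_keys(events, hits, seconds, track_by):
    """Replay events through one parent signature; return the keys that triggered."""
    sig = ParentSignature(hits, seconds, track_by)
    fired = []
    for ts, src, dst in events:
        if sig.observe(ts, src, dst):
            fired.append(sig.key(src, dst))
    return fired


if __name__ == "__main__":
    for mode in ("source", "destination", "source-and-destination"):
        print(mode, triggered_keys(SAMPLE_EVENTS, 3, 60, mode))
```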

Customize the Threshold and Action for a Signature

Step 1: Create a new Vulnerability Protection profile.
1. Select Objects > Security Profiles > Vulnerability Protection.
2. Click Add and enter a Name for the Vulnerability Protection profile.

Step 2: Create a rule that defines the action for all signatures in a category.
1. Select Rules, click Add and enter a Name for the rule.
2. Set the Action. In this example, it is set to Block IP.
3. Set Category to brute-force.
4. (Optional) If blocking, specify whether to block based on Host Type: server or client; the default is any.
5. See Step 3 to customize the action for a specific signature.
6. See Step 4 to customize the trigger threshold for a parent signature.
7. Click OK to save the rule and the profile.

Step 3: (Optional) Customize the action for a specific signature.
1. Select Exceptions and click Show all signatures to find the signature you want to modify.
   To view all the signatures in the brute force category, search for (category contains 'brute-force').
2. To edit a specific signature, click the predefined default action in the Action column.
3. Set the action to allow, alert or block-ip.
4. If you select block-ip, complete these additional tasks:
   a. Specify the Time period (in seconds) after which to trigger the action.
   b. In the Track By field, define whether to block the IP address by IP source or by IP source and destination.
5. Click OK.
6. For each modified signature, select the checkbox in the Enable column.
7. Click OK.

Step 4: Customize the trigger conditions for a parent signature.
A parent signature that can be edited is marked with an edit icon (not reproduced in this text). In this example, the search criteria was brute-force category and CVE-2008-1447.
1. Click the edit icon to edit the time attribute and the aggregation criteria for the signature.
2. To modify the trigger threshold, specify the Number of Hits per x seconds.
3. Specify whether to aggregate the number of hits by source, destination or by source and destination.
4. Click OK.

Step 5: Attach this new profile to a security rule.
1. Select Security > Policies.
2. Modify an existing security policy rule or Add a new rule.
3. Select Actions.
4. In the Profile Setting section, set the Profile Type to Profiles.
5. Select the newly created Vulnerability Protection profile.
6. Click OK to save changes to the security policy rule.

Step 6: Save your changes.
1. Click Commit.

Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
To monitor and protect your network from most Layer 4 and Layer 7 attacks, here are a few recommendations.

- Upgrade to the most current PAN-OS software version and content release version to ensure that you have the latest security updates. For evasion prevention, upgrade to PAN-OS 7.1.1 and Applications and Threats content release version 579. See Install Content and Software Updates.

- Set up the firewall to act as a DNS proxy and enable evasion signatures:
  - Enable DNS Proxy. When acting as a DNS proxy, the firewall resolves DNS requests and caches hostname-to-IP address mappings in order to quickly and efficiently resolve future DNS queries.
  - Enable evasion signatures. Evasion signatures that detect crafted HTTP or TLS requests can alert when a client connects to a domain other than the domain specified in the original DNS request. Make sure that DNS proxy is configured if you choose to enable evasion signatures. Without DNS proxy enabled, evasion signatures can trigger when a DNS server in a DNS load balancing configuration returns different IP addresses (for servers hosting identical resources) to the firewall and client in response to the same DNS request.

- For servers, create Security policy rules to only allow the application(s) that you sanction on each server.
  Verify that the standard port for the application matches the listening port on the server. For example, to ensure that only SMTP traffic is allowed to your email server, set the Application to smtp and set the Service to application-default. If your server uses only a subset of the standard ports (for example, if your SMTP server uses only port 587 while the SMTP application has standard ports defined as 25 and 587), you should create a new custom service that only includes port 587 and use that new service in your security policy rule instead of using application-default. Additionally, make sure to restrict access to specific source and destination zones and sets of IP addresses.

- Attach the following security profiles to your Security policy rules to provide signature-based protection.
  - Create a Vulnerability Protection profile to block all vulnerabilities with severity low and higher.
  - Create an Anti-Spyware profile to block all spyware with severity low and higher.
  - Create an Antivirus profile to block all content that matches an antivirus signature.

- Block all unknown applications/traffic using Security policy. Typically, the only applications that are classified as unknown traffic are internal or custom applications on your network, or potential threats. Because unknown traffic can be a non-compliant application or protocol that is anomalous or abnormal, or a known application that is using non-standard ports, unknown traffic should be blocked. See Manage Custom or Unknown Applications.

- Create a File Blocking profile that blocks Portable Executable (PE) file types for Internet-based SMB (Server Message Block) traffic from traversing the trust to untrust zones (ms-ds-smb applications).

- Create a Zone Protection profile that is configured to protect against packet-based attacks (Network > Network Profiles > Zone Protection):
  - Select the option to drop Malformed IP packets (Packet Based Attack Protection > IP Drop).
  - Remove TCP timestamps on SYN packets before the firewall forwards the packet. When you select the Remove TCP Timestamp option in a SYN packet, the TCP stack on both ends of the TCP connection will not support TCP timestamps. Therefore, by disabling the TCP timestamp for a SYN packet, you can prevent an attack that uses different timestamps on multiple packets for the same sequence number (Packet Based Attack Protection > TCP Drop).
  - Select the option to drop Mismatched overlapping TCP segment. By deliberately constructing connections with overlapping but different data in them, attackers can attempt to cause misinterpretation of the intent of the connection. This can be used to deliberately induce false positives or false negatives. An attacker can use IP spoofing and sequence number prediction to intercept a user's connection and inject his/her own data into the connection. Selecting this option causes PAN-OS to discard such frames with mismatched and overlapping data. The scenarios where the received segment will be discarded are when the segment received is contained within another segment, the segment received overlaps with part of another segment, or the segment completely contains another segment.

- Verify that support for IPv6 is enabled, if you have configured IPv6 addresses on your network hosts (Network > Interfaces > Ethernet > IPv6).
  This allows access to IPv6 hosts and filters IPv6 packets that are encapsulated in IPv4 packets. Enabling support for IPv6 prevents IPv6-over-IPv4 multicast addresses from being leveraged for network reconnaissance.
  Enable support for multicast traffic so that the firewall can enforce policy on multicast traffic (Network > Virtual Router > Multicast).

- Configure the firewall to Clear the Urgent Data Flag in the TCP header (Device > Setup > Session > TCP Settings).
  Many hosts use the urgent data flag in the TCP header to promote a packet for immediate processing, removing it from the processing queue and expediting it through the TCP/IP stack. This process is called out-of-band processing. However, the implementation of the urgent data flag varies from host to host. Configuring the firewall to clear this flag eliminates ambiguity in how the packet is processed on the firewall and the host, allowing the firewall to see the same stream in the protocol stack as the host for which the packet is destined. When the firewall clears this flag, it includes the urgent data in the payload and prevents the packet from being processed urgently.

- Enable the Drop segments without flag option (Device > Setup > Session > TCP Settings).
  Illegal TCP segments without any flags set can be used to evade content inspection. When you enable this option, the firewall will drop packets that have no flags set in the TCP header.

- Enable the Drop segments with null timestamp option (Device > Setup > Session > TCP Settings).
  The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round trip time. When a TCP timestamp is set to 0 (null) it could confuse either end of the connection, resulting in an evasion. With this setting enabled, the firewall drops packets with null timestamps.

- Disable the Forward segments exceeding TCP out-of-order queue option (Device > Setup > Session > TCP Settings).
  By default, the firewall forwards segments that exceed the TCP out-of-order queue limit of 64 per session. By disabling this option, the firewall instead drops segments that exceed the out-of-order queue limit.

- Disable the Forward segments exceeding TCP App-ID inspection queue option (Device > Setup > Content-ID > Content-ID Settings).
  By default, when the App-ID inspection queue is full the firewall skips App-ID inspection, classifies the application as unknown-tcp, and forwards the segments. By disabling this option, the firewall instead drops segments when the App-ID inspection queue is full.

- Disable the Forward datagrams exceeding UDP content inspection queue and Forward segments exceeding TCP content inspection queue options (Device > Setup > Content-ID > Content-ID Settings).
  By default, when the TCP or UDP content inspection queue is full the firewall skips Content-ID inspection for TCP segments or UDP datagrams that exceed the queue limit of 64. By disabling these options, the firewall instead drops TCP segments and UDP datagrams when the corresponding TCP or UDP content inspection queue is full.

- Disable the Allow HTTP Header Range option (Device > Setup > Content-ID > Content-ID Settings).
  The HTTP Range option allows a client to fetch part of a file only. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with a RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again due to the lack of context into the initial session, while at the same time allowing the web browser to reassemble the file and deliver the malicious content. Disabling this option prevents this from happening.
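As an added Python illustration (not PAN-OS code), the following models three of the TCP checks recommended above over a constructed stream of segments from one session: dropping segments with no flags set, dropping segments whose timestamp option is null (0), and dropping a segment whose bytes overlap an already-seen segment with mismatched data, in all three overlap scenarios the page lists. The segment representation is an assumption made for the example.

```python
# Constructed segments for a single session: (seq, flags, tcp_timestamp, payload).
# flags is the set of TCP flag names; tcp_timestamp is the TSval option value.
SEGMENTS = [
    (1000, {"ACK", "PSH"}, 4123, b"GET /index"),
    (1010, {"ACK", "PSH"}, 4124, b".html HTTP/1.1"),
    (1010, {"ACK", "PSH"}, 4125, b".HTML HTTP/1.1"),   # overlap with different bytes
    (1010, {"ACK"},        4126, b".html HTTP/1.1"),   # overlap with same bytes (retransmit)
    (1024, set(),          4127, b"\r\nHost: a"),       # no flags set at all
    (1034, {"ACK", "PSH"}, 0,    b".example\r\n"),      # null timestamp
]


def overlaps_with_mismatch(seen, seq, payload):
    """True if [seq, seq+len) overlaps a stored segment and the shared bytes differ.

    Handles the three page scenarios alike: the new segment lies inside a stored
    one, partially overlaps it, or completely contains it.
    """
    end = seq + len(payload)
    for old_seq, old_payload in seen:
        old_end = old_seq + len(old_payload)
        lo, hi = max(seq, old_seq), min(end, old_end)
        if lo >= hi:
            continue  # no byte in common
        if payload[lo - seq:hi - seq] != old_payload[lo - old_seq:hi - old_seq]:
            return True
    return False


def inspect_segments(segments, drop_no_flags=True, drop_null_ts=True,
                     drop_mismatched_overlap=True):
    """Return a list of (seq, verdict); verdict is 'forward' or a drop reason."""
    seen = []      # segments accepted so far, for overlap comparison
    verdicts = []
    for seq, flags, ts, payload in segments:
        if drop_no_flags and not flags:
            verdicts.append((seq, "drop: no TCP flags set"))
            continue
        if drop_null_ts and ts == 0:
            verdicts.append((seq, "drop: null TCP timestamp"))
            continue
        if drop_mismatched_overlap and overlaps_with_mismatch(seen, seq, payload):
            verdicts.append((seq, "drop: mismatched overlapping segment"))
            continue
        seen.append((seq, payload))  # a clean retransmit is still forwarded
        verdicts.append((seq, "forward"))
    return verdicts


if __name__ == "__main__":
    for seq, verdict in inspect_segments(SEGMENTS):
        print(seq, verdict)
```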

Enable DNS Proxy
Domain name system (DNS) servers translate user-friendly domains to the associated IP addresses which locate and identify the corresponding resources. A Palo Alto Networks firewall intermediate to clients and servers can act as a DNS proxy to resolve domain name queries.
The DNS proxy feature enables the firewall to:
- Quickly, efficiently, and locally resolve domain name queries based on static and cached DNS entries.
- Reach out to specific DNS servers to resolve certain types of DNS requests (for example, the firewall can resolve corporate domains based on a corporate DNS server's hostname-to-IP address mappings, and resolve other domains using a public or ISP DNS server).

Enable the Firewall to Act as a DNS Proxy

Step 1: Specify the interfaces on which you want the firewall to listen for DNS requests.
1. Select Network > DNS Proxy and Add a new object.
2. Verify that Enable is selected and Name the object.
3. Add one or more Interface on which the firewall listens for DNS requests.
4. (Virtual Systems Only) Allow the DNS proxy object to be shared across all virtual systems, or set the Location to apply the DNS proxy object settings to a specific virtual system.

Step 2: Define the DNS server with which the firewall should communicate to resolve DNS requests.
If you are enabling DNS proxy on a virtual system, you must select New in the Server Profile drop-down first, and then continue with either of the following options.
Specify DNS Servers
1. Set Inheritance Source to none.
2. Enter the Primary DNS server IP address or address object.
3. Enter the Secondary DNS server IP address or address object.
Use Inherited DNS Servers
Select an Inheritance Source from which the firewall can use existing DNS server settings for the DNS proxy object.
Only interfaces configured to be DHCP client interfaces and PPPoE client interfaces are available as inheritance sources for DNS server settings. In this case, the DNS server settings the client interface dynamically receives from a DHCP server are also used to populate the Primary and Secondary DNS server settings (just continue to set both of these fields to inherited).

Enable the Firewall to Act as a DNS Proxy (Continued)

Step 3: Enable the firewall to reach out to certain DNS servers to resolve specific domains.
For example, the firewall can forward corporate domains to a corporate DNS server for domain name resolution.
1. Select DNS Proxy Rules, Add a rule, and give the rule a descriptive Name.
2. Turn on caching of domains resolved by this mapping to enable the firewall to save recently resolved DNS queries in order to quickly resolve future matching queries.
3. Add one or more Domain Name.
4. Enter the IP addresses or address objects for the Primary and Secondary DNS servers. The firewall communicates with these servers to resolve DNS requests for the listed domain names.
   If you are enabling DNS proxy on a virtual system, you can instead configure a DNS Server Profile to define DNS settings for the virtual system, including the primary and secondary DNS server.

Step 4: Set up static FQDN-to-IP address entries that the firewall can resolve locally, without having to reach out to a DNS server.
1. Select Static Entries.
2. Add and Name a new static mapping entry.
3. Enter the FQDN that you want the firewall to resolve.
4. Add one or more IP Address to map to the domain you entered in the last step.

Step 5: Enable caching for resolved hostname-to-IP address mappings, and customize additional DNS settings.
Select Advanced and configure settings to:
- Store recently resolved hostname-to-IP address mappings. Select Cache and continue to specify the number of entries for the cache to hold and the number of hours after which all cached DNS entries are removed.
- Enable DNS queries using TCP.
- Specify settings for UDP query retries.
Enable the Firewall to Act as a DNS Proxy (Continued)

Step 6: Enable evasion signatures.
When DNS proxy is enabled, evasion signatures that detect crafted HTTP or TLS requests can alert to instances where a client connects to a domain other than the domain specified in the original DNS query.
1. Install the Applications and Threats content version 579 or later:
   a. Select Device > Dynamic Updates.
   b. Check Now to get the latest Applications and Threats content update.
   c. Download and Install Applications and Threats content version 579.
2. Define how traffic matched to evasion signatures should be enforced:
   a. Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-Spyware profile.
   b. Select Exceptions and select Show all signatures.
   c. Filter signatures based on the keyword evasion.
   d. For all evasion signatures, set the Action to any setting other than allow or the default action (the default action for evasion signatures is allow). For example, set the action to alert on or block.
   e. Click OK to save the updated Anti-Spyware profile.
   f. Attach the Anti-Spyware profile to a security policy rule: Select Policies > Security, select the desired policy to modify and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the Anti-Spyware profile you just modified to enforce evasion signatures.

Step 7: Commit your changes.
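To show what the evasion signatures are checking for, here is an added Python sketch (not PAN-OS code and not the signature itself) that correlates the DNS answers a proxy observed with the HTTP Host or TLS SNI of later connections and flags a client whose connection to a name goes to an address the DNS answer for that name never contained. The record formats are constructed for the example; the last flagged connection also illustrates why the firewall needs to see the DNS exchange itself: a client whose resolution the firewall never observed looks the same as an evasion.

```python
from collections import defaultdict

# Constructed DNS answers as the firewall (acting as DNS proxy) observed them:
# (client IP, queried name, set of answered IPs).
DNS_ANSWERS = [
    ("192.168.2.10", "www.example.com", {"93.184.216.34"}),
    ("192.168.2.10", "cdn.example.net", {"198.51.100.10", "198.51.100.11"}),
    ("192.168.2.11", "www.example.com", {"93.184.216.34"}),
]

# Constructed HTTP/TLS connections seen afterwards: (client IP, Host or SNI, dst IP).
CONNECTIONS = [
    ("192.168.2.10", "www.example.com", "93.184.216.34"),   # matches its own answer
    ("192.168.2.10", "cdn.example.net", "198.51.100.11"),   # one of several answers
    ("192.168.2.10", "www.example.com", "203.0.113.99"),    # name never mapped here
    ("192.168.2.11", "cdn.example.net", "198.51.100.10"),   # client never resolved it
]


def build_resolution_table(dns_answers):
    """Map (client, name) -> set of IPs the firewall saw returned to that client."""
    table = defaultdict(set)
    for client, name, ips in dns_answers:
        table[(client, name.lower().rstrip("."))].update(ips)
    return table


def find_evasions(dns_answers, connections):
    """Return connections whose Host/SNI does not match a DNS answer for that client.

    A hit means the client is talking to a name at an address the firewall never
    saw resolved for it: either a crafted request, or a resolution (for example a
    load-balanced answer) the firewall did not observe, which is why the page
    insists on DNS proxy before enabling the signatures.
    """
    table = build_resolution_table(dns_answers)
    hits = []
    for client, name, dst in connections:
        key = (client, name.lower().rstrip("."))
        answered = table.get(key)  # .get() does not create a default entry
        if answered is None:
            hits.append((client, name, dst, "no DNS query seen for this name"))
        elif dst not in answered:
            hits.append((client, name, dst, "address not in DNS answer"))
    return hits


if __name__ == "__main__":
    for hit in find_evasions(DNS_ANSWERS, CONNECTIONS):
        print(hit)
```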

Learn more about DNS features...
- Use DNS queries to identify infected hosts on the network.
- Enable passive DNS collection for better threat intelligence.
- To work with DNS features and virtual systems, see these DNS use cases for virtual systems and learn how to configure a DNS proxy object and DNS server profiles for virtual systems.

Enable Passive DNS Collection for Improved Threat Intelligence
Passive DNS is an opt-in feature that enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities. The data collected includes non-recursive (i.e. originating from the local recursive resolver, not individual clients) DNS query and response packet payloads. Data submitted via the Passive DNS Monitoring feature consists solely of mappings of domain names to IP addresses. Palo Alto Networks retains no record of the source of this data and does not have the ability to associate it with the submitter at a future date.
The Palo Alto Networks threat research team uses this information to gain insight into malware propagation and evasion techniques that abuse the DNS system. Information gathered through this data collection is used to improve accuracy and malware detection abilities within PAN-DB URL filtering, DNS-based command-and-control signatures, and WildFire.
DNS responses are only forwarded to Palo Alto Networks when all of the following requirements are met:

- DNS response bit is set
- DNS truncated bit is not set
- DNS recursive bit is not set
- DNS response code is 0 or 3 (NX)
- DNS question count is bigger than 0
- DNS Answer RR count is bigger than 0 or, if it is 0, the response code needs to be 3 (NX)
- DNS query record type is A, NS, CNAME, AAAA, or MX
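As an added example (not PAN-OS code), the following Python applies the forwarding requirements above to a raw DNS message: it decodes the 12-byte header, checks the QR, TC and RD bits, the RCODE and the counts, then parses the question to check the record type. Reading the page's "recursive bit" as RD (recursion desired) is an assumption; a resolver's own upstream queries carry RD=0. The `build_response` helper only fabricates test messages for the example.

```python
import struct

ELIGIBLE_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}


def _read_name(packet, offset):
    """Parse a (possibly compressed) DNS name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, keep first end
            pointer = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def passive_dns_eligible(packet):
    """Apply the page's forwarding requirements; return (eligible, reason/qtype)."""
    if len(packet) < 12:
        return False, "truncated header"
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", packet, 0)
    qr = flags >> 15 & 1      # response bit
    tc = flags >> 9 & 1       # truncated bit
    rd = flags >> 8 & 1       # "recursive bit" (assumed to mean RD)
    rcode = flags & 0xF
    if not qr:
        return False, "response bit not set"
    if tc:
        return False, "truncated bit set"
    if rd:
        return False, "recursive bit set"
    if rcode not in (0, 3):
        return False, "rcode %d is not 0 or 3" % rcode
    if qdcount == 0:
        return False, "no question"
    if ancount == 0 and rcode != 3:
        return False, "no answers and not NXDOMAIN"
    _name, offset = _read_name(packet, 12)
    qtype = struct.unpack_from("!H", packet, offset)[0]
    if qtype not in ELIGIBLE_QTYPES:
        return False, "qtype %d not collected" % qtype
    return True, ELIGIBLE_QTYPES[qtype]


def build_response(name, qtype, rcode=0, answers=(), rd=0, tc=0):
    """Construct a minimal DNS response for testing (A-record answers only)."""
    flags = (1 << 15) | (tc << 9) | (rd << 8) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode()
                     for label in name.split(".")) + b"\x00"
    body = qname + struct.pack("!HH", qtype, 1)
    for ip in answers:  # name pointer to the question, type A, class IN, TTL 300
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + body


if __name__ == "__main__":
    print(passive_dns_eligible(build_response("www.example.com", 1, answers=["93.184.216.34"])))
```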

Passive DNS monitoring is disabled by default, but it is recommended that you enable it to facilitate enhanced threat intelligence. Use the following procedure to enable Passive DNS:

Enable Passive DNS
Step 1: Select Objects > Security Profiles > Anti-Spyware.
Step 2: Select an existing profile to modify it or configure a new profile.
The Anti-Spyware profile must be attached to a security policy that governs your DNS server's external DNS traffic.
Step 3: Select the DNS Signatures tab and click the Enable Passive DNS Monitoring checkbox.
Step 4: Click OK and then Commit.
Use DNS Queries to Identify Infected Hosts on the Network
The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to a DNS query for a known malicious domain or to a custom domain so that you can identify hosts on your network that have been infected with malware. By default, DNS queries to any domain included in the Palo Alto Networks DNS signatures list are sinkholed to a Palo Alto Networks server IP address. The following topics provide details on how to enable DNS sinkholing for custom domains and how to identify infected hosts.

- DNS Sinkholing
- Configure DNS Sinkholing for a List of Custom Domains
- Configure the Sinkhole IP Address to a Local Server on Your Network
- Identify Infected Hosts

DNS Sinkholing
DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command and control, for example) will instead attempt to connect to a default Palo Alto Networks sinkhole IP address, or to a user-defined IP address as illustrated in Configure DNS Sinkholing for a List of Custom Domains. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
If you want to enable DNS sinkholing for Palo Alto Networks DNS signatures, attach the default Anti-Spyware profile to a security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signatures will be resolved to the default Palo Alto Networks sinkhole IP address. The IP addresses currently are IPv4 71.19.152.112 and the IPv6 loopback address ::1. These addresses are subject to change and can be updated with content updates.

Figure: DNS Sinkholing Example (figure not reproduced in this text)

Configure DNS Sinkholing for a List of Custom Domains
To enable DNS sinkholing for a custom list of domains, you must create an external dynamic list that includes the domains, enable the sinkhole action in an Anti-Spyware profile and attach the profile to a security policy rule. When a client attempts to access a malicious domain in the list, the firewall forges the destination IP address in the packet to the default Palo Alto Networks server or to a user-defined IP address for sinkholing.
For each custom domain included in the external dynamic list, the firewall generates DNS-based spyware signatures. The signature is named Custom Malicious DNS Query <domain name>, and is of type spyware with medium severity; each signature is a 24-byte hash of the domain name.
Each firewall platform supports a maximum of 50,000 domain names total in one or more External Dynamic Lists, but no maximum limit is enforced for any one list.

Configure DNS Sinkholing for a Custom List of Domains

Step 1: Enable DNS sinkholing for the custom list of domains in an external dynamic list.
1. Select Objects > Security Profiles > Anti-Spyware.
2. Modify an existing profile, or select one of the existing default profiles and clone it.
3. Name the profile and select the DNS Signatures tab.
4. Click Add and select External Dynamic Lists in the drop-down.
   When you configure the external dynamic list from the Anti-Spyware profile, the Type is preset to Domain List. If you have already created an external dynamic list of type Domain List, you can select it from here. The drop-down does not display external dynamic lists of type URL or IP Address that you may have created.
5. Configure access to the External Dynamic List.
   a. Enter a descriptive Name for the list.
   b. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
   c. Populate the list with domain names. See Formatting Guidelines for an External Dynamic List.
   d. Click Test Source URL to verify that the firewall can connect to the list on the web server.
      If the web server is unreachable after the connection is established, the firewall or Panorama uses the last successfully retrieved list for enforcing policy until the connection is restored with the web server.
   e. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the list is retrieved once every hour.
   f. Click OK.
6. (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.

Step 2: Verify the sinkholing settings on the Anti-Spyware profile.
7. On the DNS Signatures tab, verify that the Action on DNS Queries is sinkhole.
8. In the Sinkhole section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
   If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
9. Click OK to save the Anti-Spyware profile.

Step 3: Attach the Anti-Spyware profile to a Security policy rule.
1. Select Policies > Security.
2. On the Actions tab, select the Log at Session Start checkbox to enable logging.
3. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new profile.
4. Click OK to save the policy rule.

Step 4: Test that the policy action is enforced.
1. Access a domain in the external dynamic list.
2. To monitor the activity on the firewall:
   a. Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
   b. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on sinkholed domains.

Step 5: Verify whether entries in the external dynamic list are ignored or skipped.
In a list of type URL, the firewall skips entries that are not URLs as invalid and ignores entries that exceed the maximum limit for the platform.
Use the following CLI command on the firewall to review the details about the list:
request system external-list show type domain name <list_name>
For example:
request system external-list show type domain name My_List_of_Domains_2015
vsys1/EBLDomain:
Next update at : Thu May 21 10:15:39 2015
Source : https://1.2.3.4/My_List_of_Domains_2015
Referenced : Yes
Valid : Yes
Number of entries : 3
domains:
www.example.com
baddomain.com
qqq.abcedfg.com

Step 6: (Optional) Retrieve the external dynamic list on demand.
To force the firewall to retrieve the updated list on demand instead of at the next refresh interval (the Repeat frequency you defined for the external dynamic list), use the following CLI command:
request system external-list refresh type domain name <list_name>

Configure the Sinkhole IP Address to a Local Server on Your Network
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and the sinkhole IP address is set to access a Palo Alto Networks server. Use the instructions in this section if you want to set the sinkhole IP address to a local server on your network.
You must obtain both an IPv4 and IPv6 address to use as the sinkhole IP addresses because malicious software may perform DNS queries using one or both of these protocols. The DNS sinkhole address must be in a different zone than the client hosts to ensure that when an infected host attempts to start a session with the sinkhole IP address, it will be routed through the firewall.
The sinkhole addresses must be reserved for this purpose and do not need to be assigned to a physical host. You can optionally use a honeypot server as a physical host to further analyze the malicious traffic.
The configuration steps that follow use the following example DNS sinkhole addresses:
- IPv4 DNS sinkhole address: 10.15.0.20
- IPv6 DNS sinkhole address: fd97:3dec:4d27:e37c:5:5:5:5

Configure Sinkholing to a Local Server on Your Network

Step 1: Configure the sinkhole interface and zone.
Traffic from the zone where the client hosts reside must route to the zone where the sinkhole IP address is defined, so traffic will be logged.
Use a dedicated zone for sinkhole traffic, because the infected host will be sending traffic to this zone.
1. Select Network > Interfaces and select an interface to configure as your sinkhole interface.
2. In the Interface Type drop-down, select Layer3.
3. To add an IPv4 address, select the IPv4 tab and select Static and then click Add. In this example, add 10.15.0.20 as the IPv4 DNS sinkhole address.
4. Select the IPv6 tab and click Static and then click Add and enter an IPv6 address and subnet mask. In this example, enter fd97:3dec:4d27:e37c::/64 as the IPv6 sinkhole address.
5. Click OK to save.
6. To add a zone for the sinkhole, select Network > Zones and click Add.
7. Enter a zone Name.
8. In the Type drop-down select Layer3.
9. In the Interfaces section, click Add and add the interface you just configured.
10. Click OK.

Step 2: Enable DNS sinkholing.
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures. To change the sinkhole address to your local server, see step 8 in Configure DNS Sinkholing for a List of Custom Domains.

Step 3: Edit the security policy rule that allows traffic from client hosts in the trust zone to the untrust zone to include the sinkhole zone as a destination and attach the Anti-Spyware profile.
Editing the security rule(s) that allows traffic from client hosts in the trust zone to the untrust zone ensures that you are identifying traffic from infected hosts. By adding the sinkhole zone as a destination on the rule, you enable infected clients to send bogus DNS queries to the DNS sinkhole.
1. Select Policies > Security.
2. Select an existing rule that allows traffic from the client host zone to the untrust zone.
3. On the Destination tab, Add the Sinkhole zone. This allows client host traffic to flow to the sinkhole zone.
4. On the Actions tab, select the Log at Session Start checkbox to enable logging. This will ensure that traffic from client hosts in the Trust zone will be logged when accessing the Untrust or Sinkhole zones.
5. In the Profile Setting section, select the Anti-Spyware profile in which you enabled DNS sinkholing.
6. Click OK to save the security rule and then Commit.
Configure Sinkholing to a Local Server on Your Network (Continued)

Step 4: To confirm that you will be able to identify infected hosts, verify that traffic going from the client host in the Trust zone to the new Sinkhole zone is being logged.
In this example, the infected client host is 192.168.2.10 and the Sinkhole IPv4 address is 10.15.0.20.
1. From a client host in the trust zone, open a command prompt and run the following command:
   C:\>ping <sinkhole address>
   The following example output shows the ping request to the DNS sinkhole address at 10.15.0.20 and the result, which is Request timed out because in this example the sinkhole IP address is not assigned to a physical host:
   C:\>ping 10.15.0.20
   Pinging 10.15.0.20 with 32 bytes of data:
   Request timed out.
   Request timed out.
   Ping statistics for 10.15.0.20:
   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
2. On the firewall, select Monitor > Logs > Traffic and find the log entry with the Source 192.168.2.10 and Destination 10.15.0.20. This will confirm that the traffic to the sinkhole IP address is traversing the firewall zones.
   You can search and/or filter the logs and only show logs with the destination 10.15.0.20. To do this, click the IP address (10.15.0.20) in the Destination column, which will add the filter (addr.dst in 10.15.0.20) to the search field. Click the Apply Filter icon to the right of the search field to apply the filter.

Step 5: Test that DNS sinkholing is configured properly.
You are simulating the action that an infected client host would perform when a malicious application attempts to call home.
1. Find a malicious domain that is included in the firewall's current Antivirus signature database to test sinkholing.
   a. Select Device > Dynamic Updates and in the Antivirus section click the Release Notes link for the currently installed antivirus database. You can also find the antivirus release notes that list the incremental signature updates under Dynamic Updates on the Palo Alto Networks support site.
   b. In the second column of the release note, locate a line item with a domain extension (for example, .com, .edu, or .net). The left column will display the domain name. For example, Antivirus release 1117-1560 includes an item in the left column named "tbsbana" and the right column lists "net". The following shows the content in the release note for this line item:
      conficker:tbsbana1 variants: net
2. From the client host, open a command prompt.
3. Perform an NSLOOKUP to a URL that you identified as a known malicious domain.
   For example, using the URL track.bidtrk.com:
   C:\>nslookup track.bidtrk.com
   Server: my-local-dns.local
   Address: 10.0.0.222
   Non-authoritative answer:
   Name: track.bidtrk.com.org
   Addresses: fd97:3dec:4d27:e37c:5:5:5:5
   10.15.0.20
   In the output, note that the NSLOOKUP to the malicious domain has been forged using the sinkhole IP addresses that we configured (10.15.0.20). Because the domain matched a malicious DNS signature, the sinkhole action was performed.
4. Select Monitor > Logs > Threat and locate the corresponding threat log entry to verify that the correct action was taken on the NSLOOKUP request.
5. Perform a ping to track.bidtrk.com, which will generate network traffic to the sinkhole address.

PaloAltoNetworks,Inc.

ThreatPrevention

UseDNSQueriestoIdentifyInfectedHostsontheNetwork

Identify Infected Hosts
After you have configured DNS sinkholing and verified that traffic to a malicious domain goes to the sinkhole address, you should regularly monitor traffic to the sinkhole address, so that you can track down the infected hosts and eliminate the threat.
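As an added example (not PAN-OS code), the following Python reads a few constructed traffic log rows and lists every source host that started a session to the sinkhole addresses used in this section, 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5, which is the same question the custom report below answers with the Source address and Destination address columns. The column set is a simplification assumed for the example, not the full PAN-OS traffic log format.

```python
import csv
import io
import ipaddress
from collections import Counter

# Sinkhole addresses from this section of the guide.
SINKHOLE_ADDRESSES = {
    ipaddress.ip_address("10.15.0.20"),
    ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5"),
}

# Constructed traffic log export with a simplified column set (an assumption for
# the example; the real traffic log carries many more fields). One row per session.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,srcuser,app,from_zone,to_zone,action
2015/05/21 10:01:02,192.168.2.10,10.15.0.20,corp\\alice,ping,Trust,Sinkhole,allow
2015/05/21 10:01:05,192.168.2.10,fd97:3dec:4d27:e37c:5:5:5:5,corp\\alice,ping,Trust,Sinkhole,allow
2015/05/21 10:02:30,192.168.2.10,93.184.216.34,corp\\alice,web-browsing,Trust,Untrust,allow
2015/05/21 10:03:11,192.168.2.44,10.15.0.20,,ssl,Trust,Sinkhole,allow
2015/05/21 10:04:00,10.0.0.222,198.51.100.53,,dns,Trust,Untrust,allow
2015/05/21 10:05:09,192.168.2.10,10.15.0.20,corp\\alice,ping,Trust,Sinkhole,allow
"""


def sinkhole_contacts(log_text, sinkholes=SINKHOLE_ADDRESSES):
    """Return {source IP: (user, session count)} for hosts that reached a sinkhole.

    The local DNS server (10.0.0.222 here) never shows up: it only forwarded the
    query, while the forged reply sent the client itself to the sinkhole.
    """
    counts = Counter()
    users = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            dst = ipaddress.ip_address(row["dst"])
        except ValueError:
            continue  # malformed address: skip the row rather than abort the report
        if dst in sinkholes:
            counts[row["src"]] += 1
            if row["srcuser"]:
                users[row["src"]] = row["srcuser"]
    return {src: (users.get(src, ""), n) for src, n in counts.items()}


def report_lines(log_text):
    """Format the result like the custom report's Source/Destination view."""
    lines = []
    for src, (user, n) in sorted(sinkhole_contacts(log_text).items()):
        lines.append("%-15s %-12s sessions to sinkhole: %d" % (src, user or "-", n))
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_TRAFFIC_LOG)))
```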
DNSSinkholeVerificationandReporting
UseAppScopetoidentifyinfectedclienthosts. 1.

PaloAltoNetworks,Inc.

SelectMonitor > App ScopeandselectThreat Monitor.

2.

ClicktheShow spywarebuttonalongthetopofthedisplay
page.

3.

Selectatimerange.
ThefollowingscreenshotshowsthreeinstancesofSuspicious
DNSqueries,whichweregeneratedwhenthetestclienthost
performedanNSLOOKUPonaknownmaliciousdomain.Click
thegraphtoseemoredetailsabouttheevent.

Configure a custom report to identify all client hosts that have sent traffic to the sinkhole IP address, which is 10.15.0.20 in this example. Forward the report to an SNMP manager, Syslog server and/or Panorama to enable alerts on these events.
In this example, the infected client host performed an NSLOOKUP to a known malicious domain that is listed in the Palo Alto Networks DNS Signature database. When this occurred, the query was sent to the local DNS server, which then forwarded the request through the firewall to an external DNS server. The firewall security policy with the Anti-Spyware profile configured matched the query to the DNS Signature database, which then forged the reply using the sinkhole address of 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5. The client attempts to start a session and the traffic log records the activity with the source host and the destination address, which is now directed to the forged sinkhole address.
Viewing the traffic log on the firewall allows you to identify any client host that is sending traffic to the sinkhole address. In this example, the logs show that the source address 192.168.2.10 sent the malicious DNS query. The host can then be found and cleaned. Without the DNS sinkhole option, the administrator would only see the local DNS server as the system that performed the query and would not see the client host that is infected. If you attempted to run a report on the threat log using the action Sinkhole, the log would show the local DNS server, not the infected host.
1. Select Monitor > Manage Custom Reports.
2. Click Add and Name the report.
3. Define a custom report that captures traffic to the sinkhole address as follows:
   Database: Select Traffic Log.
   Scheduled: Enable Scheduled and the report will run every night.
   Time Frame: 30 days.
   Selected Columns: Select Source address or Source User (if you have User-ID configured), which will identify the infected client host in the report, and Destination address, which will be the sinkhole address.
   In the section at the bottom of the screen, create a custom query for traffic to the sinkhole address (10.15.0.20 in this example). You can either enter the destination address in the Query Builder window (addr.dst in 10.15.0.20) or select the following in each column and click Add: Connector = and, Attribute = Destination Address, Operator = in, and Value = 10.15.0.20. Click Add to add the query.
4. Click Run Now to run the report. The report will show all client hosts that have sent traffic to the sinkhole address, which indicates that they are most likely infected. You can now track down the hosts and check them for spyware.
5. To view scheduled reports that have run, select Monitor > Reports.
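The same query can be run outside the firewall against logs you forward to a syslog collector, which is useful when the report must cover both the IPv4 and the IPv6 sinkhole address and when you want to show why the threat log alone does not identify the client. The following is an added example written for this page, not PAN-OS code or output: the log records are constructed, and their column layout is a simplified subset of the traffic and threat log fields chosen for this example, so map the column names onto your own forwarded log format before using it.

```python
"""Find sinkholed clients in forwarded firewall logs (added example, not PAN-OS code)."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Sinkhole addresses from the Anti-Spyware profile in this chapter's example.
SINKHOLE_ADDRS = frozenset({"10.15.0.20", "fd97:3dec:4d27:e37c:5:5:5:5"})

# Simplified column layout assumed for this example (not the real syslog field order).
FIELDS = ["log_type", "src", "dst", "src_user", "app", "dport", "proto", "action", "threat"]

# Constructed sample: the resolver (10.0.0.222) forwards the client's query, so the
# threat log shows the resolver; the client then connects to the sinkhole address
# and the traffic log shows the real client (192.168.2.10).
SAMPLE_LOGS = """\
THREAT,10.0.0.222,203.0.113.53,,dns,53,udp,sinkhole,conficker:tbsbana1 variants
TRAFFIC,10.0.0.222,203.0.113.53,,dns,53,udp,allow,
TRAFFIC,192.168.2.10,10.15.0.20,acme\\jdoe,web-browsing,80,tcp,allow,
TRAFFIC,192.168.2.10,10.15.0.20,acme\\jdoe,ping,0,icmp,allow,
TRAFFIC,192.168.2.55,fd97:3dec:4d27:e37c:5:5:5:5,,ssl,443,tcp,allow,
TRAFFIC,192.168.2.77,93.184.216.34,acme\\asmith,web-browsing,80,tcp,allow,
"""


def parse_logs(text: str) -> list:
    """Parse comma-separated records into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]


def sinkhole_sources_from_threat_log(records) -> list:
    """What a threat-log report with action = sinkhole returns: the resolver, not the client."""
    return sorted({r["src"] for r in records
                   if r["log_type"] == "THREAT" and r["action"] == "sinkhole"})


def infected_hosts(records, sinkholes=SINKHOLE_ADDRS) -> dict:
    """Equivalent of the custom report query 'addr.dst in <sinkhole>' over the traffic log.

    Returns {client: {(sinkhole_dst, application): session_count}} so the report
    lists who is infected and what the host tried to do after the forged reply.
    """
    hits = defaultdict(Counter)
    for r in records:
        if r["log_type"] == "TRAFFIC" and r["dst"] in sinkholes:
            hits[r["src"]][(r["dst"], r["app"])] += 1
    return {src: dict(counter) for src, counter in hits.items()}


def build_report_query(sinkholes) -> str:
    """Build the Query Builder filter for every configured sinkhole address.

    The guide shows one term, (addr.dst in 10.15.0.20). With an IPv4 and an IPv6
    sinkhole you need both terms joined with 'or', or the report misses clients
    that only followed the AAAA answer.
    """
    return " or ".join(f"(addr.dst in {addr})" for addr in sorted(sinkholes))


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("threat log shows:", sinkhole_sources_from_threat_log(recs))
    for client, sessions in sorted(infected_hosts(recs).items()):
        print("infected:", client, sessions)
    print("report query:", build_report_query(SINKHOLE_ADDRS))
```

Run against the constructed records, the threat-log view names only the resolver 10.0.0.222, while the traffic-log view names 192.168.2.10 and 192.168.2.55, which is the point the paragraph above makes about why the custom report must be built on the traffic log.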

Content Delivery Network Infrastructure for Dynamic Updates
Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. For enabling and scheduling the content updates, see Install Content and Software Updates.
The following table lists the web resources that the firewall accesses for a feature or application:

Resource: Application Database
  URL: updates.paloaltonetworks.com:443
  Static Addresses (if a static server is required): staticupdates.paloaltonetworks.com or the IP address 199.167.52.15

Resource: Threat/Antivirus Database
  URL: updates.paloaltonetworks.com:443 and downloads.paloaltonetworks.com:443. As a best practice, set the update server to updates.paloaltonetworks.com. This allows the Palo Alto Networks firewall to receive content updates from the server closest to it in the CDN infrastructure.
  Static Addresses (if a static server is required): staticupdates.paloaltonetworks.com or the IP address 199.167.52.15

Resource: PAN-DB URL Filtering
  URL: *.urlcloud.paloaltonetworks.com. Resolves to the primary URL s0000.urlcloud.paloaltonetworks.com and is then redirected to the regional server that is closest:
    s0100.urlcloud.paloaltonetworks.com
    s0200.urlcloud.paloaltonetworks.com
    s0300.urlcloud.paloaltonetworks.com
    s0500.urlcloud.paloaltonetworks.com
  Static Addresses (if a static server is required): Static IP addresses are not available. However, you can manually resolve a URL to an IP address and allow access to the regional server IP address.

Resource: BrightCloud URL Filtering
  URL: database.brightcloud.com:443/80 and service.brightcloud.com:80
  Static Addresses (if a static server is required): Contact BrightCloud Customer Support.

Resource: WildFire
  URL:
    beta.wildfire.paloaltonetworks.com:443/80
    betas1.wildfire.paloaltonetworks.com:443/80
    (Beta sites are only accessed by a firewall running a Beta release version.)
    mail.wildfire.paloaltonetworks.com:25
    wildfire.paloaltonetworks.com:443/80
  Static Addresses (if a static server is required):
    mail.wildfire.paloaltonetworks.com:25 or the IP address 54.241.16.83
    wildfire.paloaltonetworks.com:443/80 or 54.241.8.199
    The regional URL/IP addresses are as follows:
    cas1.wildfire.paloaltonetworks.com:443 or 54.241.34.71
    vas1.wildfire.paloaltonetworks.com:443 or 174.129.24.252
    eus1.wildfire.paloaltonetworks.com:443 or 54.246.95.247
    sgs1.wildfire.paloaltonetworks.com:443 or 54.251.33.241
    jps1.wildfire.paloaltonetworks.com:443 or 54.238.53.161
    portal3.wildfire.paloaltonetworks.com:443/80 or 54.241.8.199
    cas3.wildfire.paloaltonetworks.com:443 or 54.241.34.71
    vas3.wildfire.paloaltonetworks.com:443 or 23.21.208.35
    eus3.wildfire.paloaltonetworks.com:443 or 54.246.95.247
    sgs3.wildfire.paloaltonetworks.com:443 or 54.251.33.241
    jps3.wildfire.paloaltonetworks.com:443 or 54.238.53.161
    wildfire.paloaltonetworks.com.jp:443/80 or 180.37.183.53
    wf1.wildfire.paloaltonetworks.jp:443 or 180.37.180.37
    wf2.wildfire.paloaltonetworks.jp:443 or 180.37.181.18
    portal3.wildfire.paloaltonetworks.jp:443/80 or 180.37.183.53

Threat Prevention Resources
For more information on Threat Prevention, refer to the following sources:
- Creating Custom Threat Signatures
- Threat Prevention Deployment
- Understanding DoS Protection
To view a list of Threats and Applications that Palo Alto Networks products can identify, use the following links:
- Applipedia: Provides details on the applications that Palo Alto Networks can identify.
- Threat Vault: Lists threats that Palo Alto Networks products can identify. You can search by Vulnerability, Spyware, or Virus. Click the Details icon next to the ID number for more information about a threat.


Decryption
Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce security policies on encrypted traffic, where otherwise the encrypted traffic might not be blocked and shaped according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted traffic. Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring. See the following topics to learn about and configure decryption:
- Decryption Overview
- Decryption Concepts
- Define Traffic to Decrypt
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Decryption Exceptions
- Enable Users to Opt Out of SSL Decryption
- Configure Decryption Port Mirroring
- Temporarily Disable SSL Decryption

Decryption Overview
Secure Sockets Layer (SSL) and Secure Shell (SSH) are encryption protocols used to secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to entities other than the client and server with the keys to decode the data and the certificates to affirm trust between the devices. Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these protocols are being used for the intended purposes only, and not to conceal unwanted activity or malicious content.
Palo Alto Networks firewalls decrypt encrypted traffic by using keys to transform strings (passwords and shared secrets) from ciphertext to plaintext (decryption) and from plaintext back to ciphertext (re-encrypting traffic as it exits the firewall). Certificates are used to establish the firewall as a trusted third party and to create a secure connection. SSL decryption (both forward proxy and inbound inspection) requires certificates to establish trust between two entities in order to secure an SSL/TLS connection. Certificates can also be used when excluding servers from SSL decryption. You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for the private keys used in SSL forward proxy and SSL inbound inspection decryption. To learn more about storing and generating keys using an HSM and integrating an HSM with your firewall, see Secure Keys with a Hardware Security Module. SSH decryption does not require certificates.
Palo Alto Networks firewall decryption is policy-based, and can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Decryption policies allow you to specify traffic for decryption according to destination, source, or URL category and in order to block or restrict the specified traffic according to your security settings. The firewall uses certificates and keys to decrypt the traffic specified by the policy to plaintext, and then enforces App-ID and security settings on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire Submissions, and File Blocking profiles. After traffic is decrypted and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the firewall to ensure privacy and security. Use policy-based decryption on the firewall to:
- Prevent malware concealed as encrypted traffic from being introduced into a corporate network.
- Prevent sensitive corporate information from moving outside the corporate network.
- Ensure the appropriate applications are running on a secure network.
- Selectively decrypt traffic; for example, exclude traffic for financial or health care sites from decryption by configuring a decryption exception.
The three decryption policies offered on the firewall, SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy, all provide methods to specifically target and inspect SSL outbound traffic, SSL inbound traffic, and SSH traffic, respectively. The decryption policies provide the settings for you to specify what traffic to decrypt and you can attach a decryption profile to a policy rule to apply more granular security settings to decrypted traffic, such as checks for server certificates, unsupported modes, and failures. This policy-based decryption on the firewall gives you visibility into and control of SSL and SSH encrypted traffic according to configurable parameters.
You can also choose to extend a decryption configuration on the firewall to include Decryption Mirroring, which allows for decrypted traffic to be forwarded as plaintext to a third party solution for additional analysis and archiving.

Decryption Concepts
To learn about keys and certificates for decryption, decryption policies, and decryption port mirroring, see the following topics:
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Inbound Inspection
- SSH Proxy
- Decryption Exceptions
- Decryption Mirroring

Keys and Certificates for Decryption Policies
Keys are strings of numbers that are typically generated using a mathematical operation involving random numbers and large primes. Keys are used to transform other strings such as passwords and shared secrets from plaintext to ciphertext (called encryption) and from ciphertext to plaintext (called decryption). Keys can be symmetric (the same key is used to encrypt and decrypt) or asymmetric (one key is used for encryption and a mathematically related key is used for decryption). Any system can generate a key.
X.509 certificates are used to establish trust between a client and a server in order to establish an SSL connection. A client attempting to authenticate a server (or a server authenticating a client) knows the structure of the X.509 certificate and therefore knows how to extract identifying information about the server from fields within the certificate, such as its FQDN or IP address (called a common name or CN within the certificate) or the name of the organization, department, or user to which the certificate was issued. All certificates must be issued by a certificate authority (CA). After the CA verifies a client or server, the CA issues the certificate and signs it with a private key.
With a decryption policy configured, a session between the client and the server is established only if the firewall trusts the CA that signed the server certificate. In order to establish trust, the firewall must have the server root CA certificate in its certificate trust list (CTL) and use the public key contained in that root CA certificate to verify the signature. The firewall then presents a copy of the server certificate signed by the Forward Trust certificate for the client to authenticate. You can also configure the firewall to use an enterprise CA as a forward trust certificate for SSL Forward Proxy. If the firewall does not have the server root CA certificate in its CTL, the firewall will present a copy of the server certificate signed by the Forward Untrust certificate to the client. The Forward Untrust certificate ensures that clients are prompted with a certificate warning when attempting to access sites hosted by a server with untrusted certificates.
For detailed information on certificates, see Certificate Management.

To control the CAs that your firewall trusts, use the Device > Certificate Management > Certificates > Default Trusted Certificate Authorities tab on the firewall web interface.

Table: Palo Alto Networks Firewall Keys and Certificates describes the different keys and certificates used by Palo Alto Networks firewalls for decryption. As a best practice, use different keys and certificates for each usage.

Table: Palo Alto Networks Firewall Keys and Certificates
Key/Certificate Usage and Description:

Forward Trust: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall trusts. To configure a Forward Trust certificate on the firewall, see Step 2 in the Configure SSL Forward Proxy task. By default, the firewall determines the key size to use for the client certificate based on the key size of the destination server. However, you can also set a specific key size for the firewall to use. See Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the forward trust certificate on a Hardware Security Module (HSM), see Store Private Keys on an HSM.

Forward Untrust: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall does not trust. To configure a Forward Untrust certificate on the firewall, see Step 4 in the Configure SSL Forward Proxy task.

SSL Exclude Certificate: Certificates for servers that you want to exclude from SSL decryption. For example, if you have SSL decryption enabled, but have certain servers that you do not want included in SSL decryption, such as the web services for your HR systems, you would import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Exclude a Server from Decryption.

SSL Inbound Inspection: The certificate used to decrypt inbound SSL traffic for inspection and policy enforcement. For this application, you would import the server certificate for the servers for which you are performing SSL inbound inspection, or store them on an HSM (see Store Private Keys on an HSM).

SSL Forward Proxy
Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy decryption prevents malware concealed as SSL encrypted traffic from being introduced to your corporate network.
With SSL Forward Proxy decryption, the firewall resides between the internal client and outside server. The firewall uses certificates to establish itself as a trusted third party to the session between the client and the server (for details on certificates, see Keys and Certificates for Decryption Policies). When the client initiates an SSL session with the server, the firewall intercepts the client SSL request and forwards the SSL request to the server. The server returns a certificate intended for the client that is intercepted by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate, signs it with the firewall Forward Trust certificate and sends the certificate to the client. If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate, signs it with the Forward Untrust certificate and sends it to the client. In this case, the client sees a block page warning that the site they are attempting to connect to is not trusted and the client can choose to proceed or terminate the session. When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing. As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the SSL traffic into clear text traffic and applies decryption and security profiles to the traffic. The traffic is then re-encrypted on the firewall and the firewall forwards the encrypted traffic to the client.
Figure: SSL Forward Proxy shows this process in detail.

Figure: SSL Forward Proxy

See Configure SSL Forward Proxy for details on configuring SSL Forward Proxy.

SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server (any server you have the certificate for and can import it onto the firewall). For example, if an employee is remotely connected to a web server hosted on the company network and is attempting to add restricted internal documents to his Dropbox folder (which uses SSL for data transmission), SSL Inbound Inspection can be used to ensure that the sensitive data does not move outside the secure company network by blocking or restricting the session.
Configuring SSL Inbound Inspection includes importing the targeted server certificate and key onto the firewall. Because the targeted server certificate and key are imported on the firewall, the firewall is able to access the SSL session between the server and the client and decrypt and inspect traffic transparently, rather than functioning as a proxy. The firewall is able to apply security policies to the decrypted traffic, detecting malicious content and controlling applications running over this secure channel.
Figure: SSL Inbound Inspection shows this process in detail.

Figure: SSL Inbound Inspection

See Configure SSL Inbound Inspection for details on configuring SSL Inbound Inspection.

SSH Proxy
SSH Proxy provides the capability for the firewall to decrypt inbound and outbound SSH connections passing through the firewall, in order to ensure that SSH is not being used to tunnel unwanted applications and content. SSH decryption does not require any certificates and the key used for SSH decryption is automatically generated when the firewall boots up. During the boot up process, the firewall checks to see if there is an existing key. If not, a key is generated. This key is used for decrypting SSH sessions for all virtual systems configured on the firewall. The same key is also used for decrypting all SSHv2 sessions.
In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards the SSH request to the server. The firewall then intercepts the server response and forwards the response to the client, establishing an SSH tunnel between the firewall and the client and an SSH tunnel between the firewall and the server, with the firewall functioning as a proxy. As traffic flows between the client and the server, the firewall is able to distinguish whether the SSH traffic is being routed normally or if it is using SSH tunneling (port forwarding). Content and threat inspections are not performed on SSH tunnels; however, if SSH tunnels are identified by the firewall, the SSH tunneled traffic is blocked and restricted according to configured security policies.
Figure: SSH Proxy Decryption shows this process in detail.

Figure: SSH Proxy Decryption

See Configure SSH Proxy for details on configuring an SSH Proxy policy.

Decryption Exceptions
Applications that do not function properly when the firewall decrypts them are automatically excluded from SSL decryption. For a current list of applications the firewall excludes from SSL decryption by default, see List of Applications Excluded from SSL Decryption.
You can also Configure Decryption Exceptions to exclude applications, URL categories, and targeted server traffic from decryption:
- Exclude certain URL categories or applications that either do not work properly with decryption enabled or for any other reason, including for legal or privacy purposes. You can use a decryption policy to exclude traffic from decryption based on source, destination, URL category, service (port or protocol), and TCP port numbers. For example, with SSL decryption enabled, you can choose URL categories to exclude traffic that is categorized as financial or health related from decryption.
- Exclude server traffic from SSL decryption based on the Common Name (CN) in the server certificate. For example, if you have SSL decryption enabled but have certain servers for which you do not want to decrypt traffic, such as the web services for your HR systems, exclude those servers from decryption by importing the server certificate onto the firewall and modifying the certificate to be an SSL Exclude Certificate.

Decryption Mirroring
The decryption mirroring feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality. Decryption mirroring is available on PA-7000 Series, PA-5000 Series and PA-3000 Series platforms only and requires that a free license be installed to enable this feature.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries and user consent might be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
Figure: Decryption Port Mirroring shows the process for mirroring decrypted traffic and the section Configure Decryption Port Mirroring describes how to license and enable this feature.

Figure: Decryption Port Mirroring

Define Traffic to Decrypt
A decryption policy rule allows you to define traffic that you want the firewall to decrypt, or to define traffic that you want the firewall to exclude from decryption. You can attach a decryption profile rule to a decryption policy rule to more granularly control matching traffic.
- Create a Decryption Profile
- Create a Decryption Policy Rule

Create a Decryption Profile
A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
- Block sessions using unsupported protocols or cipher suites, or sessions that require client authentication.
- Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can't be retrieved during a configured timeout period.
- Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.

Configure a Decryption Profile Rule
Step 1: Select Objects > Decryption Profile, Add or modify a decryption profile rule, and give the rule a descriptive Name.
Step 2: (Optional) Allow the profile rule to be Shared across every virtual system on a firewall or every Panorama device group.
Step 3: (Decryption Mirroring Only) To Configure Decryption Port Mirroring, enable an Ethernet Interface for the firewall to use to copy and forward decrypted traffic. Decryption mirroring requires a decryption port mirror license.
Step 4: (Optional) Block and control SSL tunneled and/or inbound traffic undergoing SSL Forward Proxy decryption or SSL Inbound Inspection. Select SSL Decryption:
- Select SSL Forward Proxy to configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
- Select SSL Inbound Inspection to configure settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
- Select SSL Protocol Settings to configure minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
Step 5: (Optional) Block and control traffic (for example, a URL category) for which you have disabled decryption. Select No Decryption and configure settings to validate certificates for traffic that is excluded from decryption. These settings are active only when the decryption profile is attached to a decryption policy rule that disables decryption for certain traffic.
Step 6: (Optional) Block and control SSH traffic undergoing SSH Proxy decryption. Select SSH Proxy and configure settings to enforce supported protocol versions. These settings are active only when the decryption profile is attached to a decryption policy rule that decrypts SSH traffic.
Step 7: Add the decryption profile rule to a decryption policy rule. Traffic that the policy rule matches is enforced based on the additional profile rule settings.
1. Select Policies > Decryption and Create a Decryption Policy Rule or modify an existing rule.
2. Select Options and select a Decryption Profile to block and control various aspects of the traffic matched to the rule. The profile rule settings that are applied to matching traffic depend on the policy rule Action (Decrypt or No Decrypt) and the policy rule Type (SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy). This allows you to use the default decryption profile, or a standard decryption profile customized for your organization, with different types of decryption policy rules.
3. Click OK.
Step 8: Commit the configuration.

Create a Decryption Policy Rule
Create a decryption policy rule to define traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a decryption policy rule to define Decryption Exceptions.

Configure a Decryption Policy Rule
Step 1: Select Policies > Decryption and Add a new decryption policy rule.
Step 2: Give the policy rule a descriptive Name.
Step 3: Configure the decryption rule to match to traffic based on network and policy objects:
- Firewall security zones: Select Source and/or Destination and match to traffic based on the Source Zone and/or the Destination Zone.
- IP addresses, address objects, and/or address groups: Select Source and/or Destination to match to traffic based on Source Address and/or the Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
- Users: Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
- Ports and protocols: Select Service/URL Category to set the rule to match to traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match to applications only on the application default ports. The application-default setting is useful to Configure Decryption Exceptions. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
- URLs and URL categories: Select Service/URL Category and decrypt traffic based on: an externally hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists); custom URL categories (see Objects > Custom Objects > URL Category); or Palo Alto Networks URL categories. This option is useful to Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or health care related sites from decryption based on the Palo Alto Networks URL categories.
Step 4: Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption. Select Options and set the policy rule Action:
- Decrypt matching traffic: 1. Select Decrypt. 2. Set the Type of decryption for the firewall to perform on matching traffic: SSL Forward Proxy, SSH Proxy, or SSL Inbound Inspection. If you want to enable SSL Inbound Inspection, also select the Certificate for the destination internal server for the inbound SSL traffic.
- Exclude matching traffic from decryption: Select No Decrypt.
Step 5: (Optional) Select a Decryption Profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile.)
Step 6: Click OK to save the policy.

Next Steps...
Fully enable the firewall to decrypt traffic:
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Decryption Exceptions
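The decisions described in Keys and Certificates for Decryption Policies and SSL Forward Proxy (Forward Trust versus Forward Untrust, based on the CTL), in Decryption Exceptions (SSL Exclude Certificates and URL-category exceptions) and in the policy rule procedure above (ordered rules, Decrypt or No Decrypt, attached profile) fit in one small model. The following is an added example written for this page, not PAN-OS code; the rule fields, profile options, CA names, CNs and sample sessions are this example's own assumptions, chosen to show one thing the procedure does not state outright: a No Decrypt exception only takes effect if it sits above the broad Decrypt rule, because evaluation stops at the first match.

```python
"""Model of PAN-OS decryption decisions (added example, not PAN-OS code)."""
from dataclasses import dataclass, field


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_addr: str
    url_category: str
    server_cn: str      # CN in the certificate the server presented
    issuer_ca: str      # CA that signed that certificate
    tls_version: str    # protocol version the server negotiated


@dataclass
class DecryptionRule:
    name: str
    action: str                                   # "decrypt" or "no-decrypt"
    rule_type: str = "ssl-forward-proxy"          # or "ssl-inbound-inspection"
    src_zones: frozenset = frozenset({"any"})
    dst_zones: frozenset = frozenset({"any"})
    src_addrs: frozenset = frozenset({"any"})
    negate_source: bool = False                   # the Negate check box on Source
    url_categories: frozenset = frozenset({"any"})

    @staticmethod
    def _hit(allowed, value):
        return "any" in allowed or value in allowed

    def matches(self, s: Session) -> bool:
        src_ok = self._hit(self.src_addrs, s.src_addr)
        if self.negate_source:
            src_ok = not src_ok
        return (src_ok and self._hit(self.src_zones, s.src_zone)
                and self._hit(self.dst_zones, s.dst_zone)
                and self._hit(self.url_categories, s.url_category))


TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]   # assumed ordering for the min-version check


@dataclass
class DecryptionProfile:
    min_version: str = "TLSv1.0"          # SSL Protocol Settings: minimum version (assumed default)
    block_untrusted_issuer: bool = False  # block rather than re-sign with Forward Untrust


@dataclass
class Firewall:
    rules: list                      # ordered as in Policies > Decryption
    trusted_cas: frozenset           # certificate trust list (CTL)
    ssl_exclude_cns: frozenset       # SSL Exclude Certificates, matched by CN
    profile: DecryptionProfile = field(default_factory=DecryptionProfile)

    def first_match(self, s: Session):
        for rule in self.rules:      # top-down, first match wins, no fall-through
            if rule.matches(s):
                return rule
        return None

    def decide(self, s: Session) -> dict:
        rule = self.first_match(s)
        out = {"rule": rule.name if rule else None, "decrypt": False,
               "client_sees": "original-server-cert"}
        if rule is None or rule.action != "decrypt":
            return out                                  # no rule or No Decrypt: pass through
        if rule.rule_type == "ssl-inbound-inspection":
            out["decrypt"] = True                       # firewall holds the server key, no re-signing
            return out
        if s.server_cn in self.ssl_exclude_cns:
            out["excluded_by"] = "ssl-exclude-certificate"
            return out
        if TLS_ORDER.index(s.tls_version) < TLS_ORDER.index(self.profile.min_version):
            out["blocked"] = "protocol-version"
            return out
        trusted = s.issuer_ca in self.trusted_cas
        if not trusted and self.profile.block_untrusted_issuer:
            out["blocked"] = "untrusted-issuer"
            return out
        out["decrypt"] = True
        out["client_sees"] = "forward-trust-copy" if trusted else "forward-untrust-copy"
        return out


def example_firewall(exception_first: bool = True) -> Firewall:
    """Two rules: a No Decrypt exception for financial sites and a catch-all Decrypt."""
    exception = DecryptionRule("no-decrypt-finance", "no-decrypt",
                               src_zones=frozenset({"trust"}), dst_zones=frozenset({"untrust"}),
                               url_categories=frozenset({"financial-services"}))
    catch_all = DecryptionRule("decrypt-outbound", "decrypt",
                               src_zones=frozenset({"trust"}), dst_zones=frozenset({"untrust"}))
    rules = [exception, catch_all] if exception_first else [catch_all, exception]
    return Firewall(rules=rules, trusted_cas=frozenset({"Example Root CA"}),   # assumed CTL entry
                    ssl_exclude_cns=frozenset({"hr.example.com"}))


def outbound(category, cn, issuer, tls="TLSv1.2") -> Session:
    """Constructed client session from zone trust to zone untrust."""
    return Session("trust", "untrust", "192.168.2.10", category, cn, issuer, tls)
```

With the exception above the catch-all, a session in the financial-services category matches "no-decrypt-finance" and stays encrypted; with the rules swapped, the same session matches "decrypt-outbound" first and is decrypted, which is the misconfiguration to check for when an exception appears not to work. The other branches show the Forward Trust copy for a server signed by a CA in the CTL, the Forward Untrust copy otherwise, the SSL Exclude Certificate bypass by CN, and the profile's protocol floor.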


Configure SSL Forward Proxy
To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall as a trusted third party to the session between the client and the server. The firewall can use self-signed certificates or certificates signed by an enterprise certificate authority (CA) as forward trust certificates to authenticate the SSL session with the client.
- (Recommended) Enterprise CA-signed Certificates: An enterprise CA can issue a signing certificate which the firewall can use to sign the certificates for sites requiring SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can then send a copy of the destination server certificate to the client signed by the enterprise CA.
- Self-signed Certificates: When a client connects to a server with a certificate that is signed by a CA that the firewall trusts, the firewall can sign a copy of the server certificate to present to the client and establish the SSL session. You can use self-signed certificates for SSL Forward Proxy decryption if your organization does not have an enterprise CA or if you intend to only perform decryption for a limited number of clients.
Additionally, set up a forward untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.
After setting up the forward trust and forward untrust certificates required for SSL Forward Proxy decryption, add a decryption policy rule to define the traffic you want the firewall to decrypt. SSL tunneled traffic matched to the decryption policy rule is decrypted to clear text traffic. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and the firewall security policy. Traffic is re-encrypted as it exits the firewall.

Configure SSL Forward Proxy
Step 1: Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.
Step 2: Configure the forward trust certificate for the firewall to present to clients when the server certificate is signed by a trusted CA:
- (Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
- Use a self-signed certificate as the forward trust certificate.


(Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
1. Generate a Certificate Signing Request (CSR) for the enterprise CA to sign and validate:
   a. Select Device > Certificate Management > Certificates and click Generate.
   b. Enter a Certificate Name, such as my-fwd-proxy.
   c. In the Signed By drop-down, select External Authority (CSR).
   d. (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall details, such as Country or Department.
   e. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
2. Export the CSR:
   a. Select the pending certificate displayed on the Device Certificates tab.
   b. Click Export to download and save the certificate file. Leave Export private key unselected in order to ensure that the private key remains securely on the firewall.
   c. Click OK.
3. Provide the certificate file to your enterprise CA. The enterprise CA must issue it as a subordinate CA certificate, because the firewall uses it to sign the copies of server certificates that it presents to clients; a certificate issued without CA capability cannot act as a forward trust certificate. When you receive the enterprise CA-signed certificate from your enterprise CA, save it for import onto the firewall.
4. Import the enterprise CA-signed certificate onto the firewall:
   a. Select Device > Certificate Management > Certificates and click Import.
   b. Enter the pending Certificate Name exactly (in this case, my-fwd-proxy). The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated.
   c. Select the signed Certificate File that you received from your enterprise CA.
   d. Click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
5. Select the validated certificate, in this case, my-fwd-proxy, to enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption.
6. Click OK to save the enterprise CA-signed forward trust certificate.


PaloAltoNetworks,Inc.

Decryption

ConfigureSSLForwardProxy

ConfigureSSLForwardProxy(Continued)
Useaselfsignedcertificateasthe
forwardtrustcertificate.

Step3

Distributetheforwardtrustcertificateto
clientsystemcertificatestores.
Ifyoudonotinstalltheforward
trustcertificateonclient
systems,userswillseecertificate
warningsforeachSSLsitethey
visit.
Ifyouareusingan
enterpriseCAsignedcertificate
astheforwardtrustcertificate
forSSLForwardProxy
decryption,andtheclient
systemsalreadyhavethe
enterpriseCAaddedtothelocal
trustedrootCAlist,youcanskip
thisstep.

1.

Generateanewcertificate:
a. SelectDevice > Certificate Management > Certificates.
b. ClickGenerateatthebottomofthewindow.
c. EnteraCertificate Name, suchasmyfwdtrust.
d. EnteraCommon Name, suchas192.168.2.1.Thisshouldbe
theIPorFQDNthatwillappearinthecertificate.Inthis
case,weareusingtheIPofthetrustinterface.Avoidusing
spacesinthisfield.
e. LeavetheSigned Byfieldblank.
f. ClicktheCertificate Authoritycheckboxtoenablethe
firewalltoissuethecertificate.Selectingthischeckbox
createsacertificateauthority(CA)onthefirewallthatis
importedtotheclientbrowsers,soclientstrustthefirewall
asaCA.
g. Generatethecertificate.

2.

Clickthenewcertificatemyfwdtrusttomodifyitandenable
thecertificatetobeaForward Trust Certificate.

3.

ClickOKtosavetheselfsignedforwardtrustcertificate.

OnafirewallconfiguredasaGlobalProtectportal:
ThisoptionissupportedwithWindowsandMacclientOS
versions,andrequiresGlobalProtectagent3.0.0orlaterto
beinstalledontheclientsystems.
1.

SelectNetwork > GlobalProtect > Portalsandthenselectan


existingportalconfigurationorAddanewone.

2.

SelectAgent andthenselectanexistingagentconfigurationor
Addanewone.

3.

AddtheSSLForwardProxyforwardtrustcertificatetothe
TrustedRootCAsection.

4.

Install in Local Root Certificate Storesothatthe


GlobalProtectportalautomaticallydistributesthecertificate
andinstallsitinthecertificatestoreonGlobalProtectclient
systems.

5.

ClickOKtwice.

WithoutGlobalProtect:
Exporttheforwardtrustcertificateforimportintoclientsystems
byhighlightingthecertificateandclickingExportatthebottomof
thewindow.ChoosePEMformat,anddonotselecttheExport
private keyoption.importitintothebrowsertrustedrootCAlist
ontheclientsystemsinorderfortheclientstotrustit.When
importingtotheclientbrowser,ensurethecertificateisaddedto
theTrustedRootCertificationAuthoritiescertificatestore.On
Windowssystems,thedefaultimportlocationisthePersonal
certificatestore.Youcanalsosimplifythisprocessbyusinga
centralizeddeployment,suchasanActiveDirectoryGroupPolicy
Object(GPO).

PaloAltoNetworks,Inc.

PANOS7.1AdministratorsGuide 499

ConfigureSSLForwardProxy

Decryption

ConfigureSSLForwardProxy(Continued)
Step4

Configuretheforwarduntrust
certificate.

1.

ClickGenerateatthebottomofthecertificatespage.

2.

EnteraCertificate Name,suchasmyfwduntrust.

3.

SettheCommon Name,forexample192.168.2.1.Leave
Signed Byblank.

4.

ClicktheCertificate Authoritycheckboxtoenablethefirewall
toissuethecertificate.

5.

ClickGeneratetogeneratethecertificate.

6.

ClickOKtosave.

7.

Clickthenewmysslfwuntrustcertificatetomodifyitand
enablethe Forward Untrust Certificateoption.
Donotexporttheforwarduntrustcertificatefor
importintoclientsystems.Iftheforwardtrust
certificateisimportedonclientsystems,theuserswill
notseecertificatewarningsforSSLsiteswith
untrustedcertificates.

8.

ClickOKtosave.

ConfiguretheKeySizeforSSLForwardProxyServerCertificates.

Step5

(Optional)SetthekeysizeoftheSSL
ForwardProxycertificatesthatthe
firewallpresentstoclients.Bydefault,
thefirewalldeterminesthekeysizeto
usebasedonthekeysizeofthe
destinationservercertificate.

Step6

CreateaDecryptionPolicyRuletodefine 1.
trafficforthefirewalltodecrypt.

Step7

Step8

(Optional)Allowthefirewalltoforward
decryptedtrafficforWildFireanalysis.
Thisoptionrequiresanactive
WildFirelicense.Getstartedwith
WildFiretodecidewhatWildFire
deploymentworksforyouandto
enablefileforwardingand
signatureprotection.

SelectPolicies > Decryption,Addormodifyanexistingrule,


anddefinetraffictobedecrypted.

2.

SelectOptions and:
SettheruleActiontoDecryptmatchingtraffic.
SettheruleTypetoSSL Forward Proxy.
(Optional)SelectaDecryption Profiletoblockandcontrol
variousaspectsofthedecryptedtraffic(forexample,Create
aDecryptionProfiletoperformcertificatechecksand
enforcestrongciphersuitesandprotocolversions).

3.

ClickOK tosave.

Onasinglefirewall:
1.

SelectDevice > Setup > Content-ID.

2.

EdittheURLFilteringoptionstoAllow Forwarding of
Decrypted Content.

3.

ClickOK.

Onafirewallwithvirtualsystemsconfigured:
1.

SelectDevice > Virtual Systems.

2.

Clickthevirtualsystemyouwanttomodify,andselectAllow
Forwarding of Decrypted Content.

3.

ClickOK.

Committheconfiguration.

500 PANOS7.1AdministratorsGuide

PaloAltoNetworks,Inc.

Decryption

ConfigureSSLForwardProxy

ConfigureSSLForwardProxy(Continued)
NextSteps...

PaloAltoNetworks,Inc.

EnableUserstoOptOutofSSLDecryption.
ConfigureDecryptionExceptionstodisabledecryptionfor
certaintypesoftraffic.

PANOS7.1AdministratorsGuide 501

Configure SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you have the server certificate). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to clear text traffic and inspected. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and any configured Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File Blocking profiles. You can also enable the firewall to forward decrypted, unknown files for WildFire analysis and signature generation. Traffic is re-encrypted as it exits the firewall.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall and creating an SSL Inbound Inspection decryption policy.

Configure SSL Inbound Inspection

Step 1: Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
    View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.

Step 2: Ensure that the targeted server certificate is installed on the firewall.
    On the web interface, select Device > Certificate Management > Certificates > Device Certificates to view certificates installed on the firewall.
    To import the targeted server certificate onto the firewall:
    1. On the Device Certificates tab, select Import.
    2. Enter a descriptive Certificate Name.
    3. Browse for and select the targeted server Certificate File.
    4. Click OK.

Step 3: Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
    1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
    2. Select Options and:
       Set the rule Action to Decrypt matching traffic.
       Set the rule Type to SSL Inbound Inspection.
       Select the Certificate for the internal server that is the destination of the inbound SSL traffic.
       (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
    3. Click OK to save.

Step 4: (Optional) Allow the firewall to forward decrypted traffic for WildFire analysis.
    This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
    On a single firewall:
    1. Select Device > Setup > Content-ID.
    2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
    3. Click OK.
    On a firewall with virtual systems configured:
    1. Select Device > Virtual Systems.
    2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
    3. Click OK.

Step 5: Commit the configuration.

Next Steps...
    Enable Users to Opt Out of SSL Decryption.
    Configure Decryption Exceptions to disable decryption for certain types of traffic.

Configure SSH Proxy
Configuring SSH Proxy does not require certificates, and the key used to decrypt SSH sessions is generated automatically on the firewall during boot up.
With SSH decryption enabled, all SSH traffic identified by the policy is decrypted and identified as either regular SSH traffic or as SSH tunneled traffic. SSH tunneled traffic is blocked and restricted according to the profiles configured on the firewall. Traffic is re-encrypted as it exits the firewall.

Configure SSH Proxy Decryption

Step 1: Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces. Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.
    View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column displays if an interface is configured to be a Virtual Wire, Layer 2, or Layer 3 interface. You can select an interface to modify its configuration, including what type of interface it is.

Step 2: Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
    1. Select Policies > Decryption, Add or modify an existing rule, and define traffic to be decrypted.
    2. Select Options and:
       Set the rule Action to Decrypt matching traffic.
       Set the rule Type to SSH Proxy.
       (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
    3. Click OK to save.

Step 3: (Optional) Allow the firewall to forward decrypted traffic for WildFire analysis.
    This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
    On a single firewall:
    1. Select Device > Setup > Content-ID.
    2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
    3. Click OK.
    On a firewall with virtual systems configured:
    1. Select Device > Virtual Systems.
    2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
    3. Click OK.

Step 4: Commit the configuration.

Next Step...
    Configure Decryption Exceptions to disable decryption for certain types of traffic.

Configure Decryption Exceptions
You can purposefully exclude traffic from decryption based on source, destination, URL category, and service (ports and protocols). You can also exclude a specific server from decryption. See the following topics to configure Decryption Exceptions:
    Exclude Traffic from Decryption
    Exclude a Server from Decryption

Exclude Traffic from Decryption
To exclude traffic from decryption, create a decryption policy rule and set the policy action to No Decrypt. Exclude traffic from decryption based on application, source, destination, URL category, and service (ports and protocols). Because policy rules are compared against incoming traffic in sequence, make sure that a decryption exclusion rule is listed first in your decryption policy.

Exclude Traffic from a Decryption Policy

Step 1: Exclude traffic from decryption based on match criteria.
    This example shows how to exclude traffic categorized as financial or health-related from SSL Forward Proxy decryption.
    1. Select Policies > Decryption and modify or Create a Decryption Policy rule.
    2. Define the traffic that you want to exclude from decryption. In this example:
       a. Give the rule a descriptive Name, such as No-Decrypt-Finance-Health.
       b. Set the Source and Destination to Any to apply the No-Decrypt-Finance-Health rule to all SSL traffic destined for an external server.
       c. Select URL Category and Add the URL categories financial-services and health-and-medicine.
    3. Select Options and set the rule to No Decrypt.
    4. (Optional) You can still use a decryption profile to validate certificates for sessions the firewall does not decrypt. Attach a decryption profile to the rule that is set to Block sessions with expired certificates and/or Block sessions with untrusted issuers.
    5. Click OK to save the No-Decrypt-Finance-Health decryption rule.

Step 2: Place the decryption exclusion rule at the top of your decryption policy.
    Decryption rules are enforced against incoming traffic in sequence and the first rule to match to traffic is enforced; moving the No Decrypt rule to the top of the rule list ensures that the traffic matched to the rule remains encrypted, even if the traffic is later matched to other decryption rules.
    On the Decryption > Policies page, select the policy No-Decrypt-Finance-Health, and click Move Up until it appears at the top of the list (or you can drag and drop the rule).

Step 3: Commit the configuration.

Exclude a Server from Decryption
You can exclude server traffic from SSL decryption based on the common name (CN) in the server certificate. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems.

Exclude a Server from Decryption

Step 1: Import the targeted server certificate onto the firewall:
    1. On the Device > Certificate Management > Certificates > Device Certificates tab, select Import.
    2. Enter a descriptive Certificate Name.
    3. Browse for and select the targeted server Certificate File.
    4. Click OK.

Step 2: Select the targeted server certificate on the Device Certificates tab and enable it to be an SSL Exclude Certificate.
    When the targeted server certificate is designated as an SSL Exclude Certificate, the firewall does not decrypt the server traffic even if the traffic matches a decryption policy rule.

Enable Users to Opt Out of SSL Decryption
In some cases, you might need to alert your users to the fact that the firewall is decrypting certain web traffic and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a user attempts to browse to an HTTPS site or application that matches your decryption policy, the firewall displays a response page notifying the user that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that users try to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the users attempt to access an HTTPS site.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images.

Enable Users to Opt Out of SSL Decryption

Step 1: (Optional) Customize the SSL Decryption Opt-out Page.
    1. Select Device > Response Pages.
    2. Select the SSL Decryption Opt-out Page link.
    3. Select the Predefined page and click Export.
    4. Using the HTML text editor of your choice, edit the page.
    5. If you want to add an image, host the image on a web server that is accessible from your end user systems.
    6. Add a line to the HTML to point to the image. For example:
       <img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
    7. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
    8. Back on the firewall, select Device > Response Pages.
    9. Select the SSL Decryption Opt-out Page link.
    10. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
    11. (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
    12. Click OK to import the file.
    13. Select the response page you just imported and click Close.

Step 2: Enable SSL Decryption Opt Out.
    1. On the Device > Response Pages page, click the Disabled link.
    2. Select the Enable SSL Opt-out Page and click OK.
    3. Commit the changes.

Step 3: Verify that the Opt Out page displays when you attempt to browse to a site.
    From a browser, go to an encrypted site that matches your decryption policy. Verify that the SSL Decryption Opt-out response page displays.

Configure Decryption Port Mirroring
Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.

Configure Decryption Port Mirroring

Step 1: Request a license for each firewall on which you want to enable decryption port mirroring.
    1. Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.
    2. Select the entry for the firewall you want to license and select Actions.
    3. Select Decryption Port Mirror. A legal notice displays.
    4. If you are clear about the potential legal implications and requirements, click I understand and wish to proceed.
    5. Click Activate.

Step 2: Install the Decryption Port Mirror license on the firewall.
    1. From the firewall web interface, select Device > Licenses.
    2. Click Retrieve license keys from license server.
    3. Verify that the license has been activated on the firewall.
    4. Reboot the firewall (Device > Setup > Operations). This feature is not available for configuration until PAN-OS reloads.

Step 3: Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.
    On a firewall with a single virtual system:
    1. Select Device > Setup > Content-ID.
    2. Select the Allow forwarding of decrypted content check box.
    3. Click OK to save.
    On a firewall with multiple virtual systems:
    1. Select Device > Virtual System.
    2. Select a Virtual System to edit or create a new Virtual System by selecting Add.
    3. Select the Allow forwarding of decrypted content check box.
    4. Click OK to save.

Step 4: Enable an Ethernet interface to be used for decryption mirroring.
    1. Select Network > Interfaces > Ethernet.
    2. Select the Ethernet interface that you want to configure for decryption port mirroring.
    3. Select Decrypt Mirror as the Interface Type. This interface type will appear only if the Decryption Port Mirror license is installed.
    4. Click OK to save.

Step 5: Enable mirroring of decrypted traffic.
    1. Select Objects > Decryption Profile.
    2. Select an Interface to be used for Decryption Mirroring. The Interface drop-down contains all Ethernet interfaces that have been defined as the type: Decrypt Mirror.
    3. Specify whether to mirror decrypted traffic before or after policy enforcement.
       By default, the firewall will mirror all decrypted traffic to the interface before security policies lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action. If you want to only mirror decrypted traffic after security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
    4. Click OK to save the decryption profile.

Step 6: Attach the decryption profile rule (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
    1. Select Policies > Decryption.
    2. Click Add to configure a decryption policy or select an existing decryption policy to edit.
    3. In the Options tab, select Decrypt and the Decryption Profile created in Step 4.
    4. Click OK to save the policy.

Step 7: Save the configuration.
    Click Commit.

Temporarily Disable SSL Decryption
In some cases you may want to temporarily disable SSL decryption. For example, if your users are having problems accessing an encrypted site or application, you may want to disable SSL decryption in order to troubleshoot the issue. Although you could disable the associated decryption policies, modifying the policies is a configuration change that requires a Commit. Instead, use the following command to temporarily disable SSL decryption and then re-enable it after you finish troubleshooting. This command does not require a commit and it does not persist in your configuration after a reboot.

Temporarily Disable SSL Decryption

Disable SSL Decryption:

    set system setting ssl-decrypt skip-ssl-decrypt yes

Re-enable SSL Decryption:

    set system setting ssl-decrypt skip-ssl-decrypt no

URL Filtering
The Palo Alto Networks URL filtering solution allows you to monitor and control how users access the web over HTTP and HTTPS.

    URL Filtering Overview
    URL Filtering Concepts
    PAN-DB Categorization
    Enable a URL Filtering Vendor
    Determine URL Filtering Policy Requirements
    Use an External Dynamic List in a URL Filtering Profile
    Monitor Web Activity
    Configure URL Filtering
    Customize the URL Filtering Response Pages
    Configure URL Admin Override
    Enable Safe Search Enforcement
    Set Up the PAN-DB Private Cloud
    URL Filtering Use Case Examples
    Troubleshoot URL Filtering

URL Filtering Overview
The Palo Alto Networks URL filtering solution complements App-ID by enabling you to configure the firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect your network from attack. With URL Filtering enabled, all web traffic is compared against the URL filtering database, which contains a listing of millions of websites that have been categorized into approximately 60-80 categories. You can use these URL categories as a match criteria in policies (Captive Portal, Decryption, Security, and QoS) or attach them as URL filtering profiles in security policy, to safely enable web access and control the traffic that traverses your network.
Although the Palo Alto Networks URL filtering solution supports both BrightCloud and PAN-DB, only the PAN-DB URL filtering solution allows you to choose between the PAN-DB Public Cloud and the PAN-DB Private Cloud. Use the public cloud solution if the Palo Alto Networks next-generation firewalls on your network can directly access the Internet. If the network security requirements in your enterprise prohibit the firewalls from directly accessing the Internet, you can deploy a PAN-DB private cloud on one or more M-500 appliances that function as PAN-DB servers within your network.

    URL Filtering Vendors
    Interaction Between App-ID and URL Categories
    PAN-DB Private Cloud

URL Filtering Vendors
Palo Alto Networks firewalls support two URL filtering vendors:

    PAN-DB: A Palo Alto Networks developed URL filtering database that is tightly integrated into PAN-OS and the Palo Alto Networks threat intelligence cloud. PAN-DB provides high-performance local caching for maximum inline performance on URL lookups, and offers coverage against malicious URLs and IP addresses. As WildFire, which is a part of the Palo Alto Networks threat intelligence cloud, identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs), the PAN-DB database is updated with information on malicious URLs so that you can block malware downloads, and disable Command and Control (C&C) communications to protect your network from cyber threats.
    To view a list of PAN-DB URL filtering categories, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.

    BrightCloud: A third-party URL database that is owned by Webroot, Inc. and is integrated into PAN-OS firewalls. For information on the BrightCloud URL database, visit http://brightcloud.com.

For instructions on configuring the firewall to use one of the supported URL Filtering vendors, see Enable a URL Filtering Vendor.

Interaction Between App-ID and URL Categories
The Palo Alto Networks URL filtering solution in combination with App-ID provides unprecedented protection against a full spectrum of cyber attacks, legal, regulatory, productivity, and resource utilization risks. While App-ID gives you control over what applications users can access, URL filtering provides control over related web activity. When combined with User-ID, you can enforce controls based on users and groups.
With today's application landscape and the way many applications use HTTP and HTTPS, you will need to use App-ID, URL filtering, or both in order to define comprehensive web access policies. App-ID signatures are granular and they allow you to identify shifts from one web-based application to another; URL filtering allows you to enforce actions based on a specific website or URL category. For example, while you can use URL filtering to control access to Facebook and/or LinkedIn, URL filtering cannot block the use of related applications such as email, chat, or any other new applications that are introduced after you implement policy. When combined with App-ID, you can control the use of related applications because of the granular application signatures that can identify each application and regulate access to Facebook while blocking access to Facebook chat, when defined in policy.
You can also use URL categories as a match criteria in policies. Instead of creating policies limited to either allow-all or block-all behavior, URL as a match criteria permits exception-based behavior and gives you more granular policy enforcement capabilities. For example, deny access to malware and hacking sites for all users, but allow access to users that belong to the IT security group.
For some examples, see URL Filtering Use Case Examples.

PAN-DB Private Cloud
The PAN-DB private cloud is an on-premise solution that is suitable for organizations that prohibit or restrict the use of the PAN-DB public cloud service. With this on-premise solution, you can deploy one or more M-500 appliances as PAN-DB servers within your network or data center. The firewalls query the PAN-DB private cloud to perform URL lookups, instead of accessing the PAN-DB public cloud.
The process for performing URL lookups, in both the private and the public cloud, is the same for the firewalls on the network. By default, the firewall is configured to access the public PAN-DB cloud. If you deploy a PAN-DB private cloud, you must configure the firewalls with a list of IP addresses or FQDNs to access the server(s) in the private cloud.
Firewalls running PAN-OS 5.0 or later versions can communicate with the PAN-DB private cloud.

When you Set Up the PAN-DB Private Cloud, you can either configure the M-500 appliance(s) to have direct Internet access or keep it completely offline. Because the M-500 appliance requires database and content updates to perform URL lookups, if the appliance does not have an active Internet connection, you must manually download the updates to a server on your network and then import the updates using SCP into each M-500 appliance in the PAN-DB private cloud. In addition, the appliances must be able to obtain the seed database and any other regular or critical content updates for the firewalls that it services.
To authenticate the firewalls that connect to the PAN-DB private cloud, a set of default server certificates are packaged with the appliance; you cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls.

    M-500 Appliance for PAN-DB Private Cloud
    Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

M-500 Appliance for PAN-DB Private Cloud
To deploy a PAN-DB private cloud, you need one or more M-500 appliances. The M-500 appliance ships in Panorama mode, and to be deployed as a PAN-DB private cloud you must set it up to operate in PAN-URL-DB mode. In the PAN-URL-DB mode, the appliance provides URL categorization services for enterprises that do not want to use the PAN-DB public cloud.
The M-500 appliance when deployed as a PAN-DB private cloud uses two ports, MGT (Eth0) and Eth1; Eth2 is not available for use. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud or from a server on your network. For communication between the PAN-DB private cloud and the firewalls on the network, you can use the MGT port or Eth1.
The M-100 appliance cannot be deployed as a PAN-DB private cloud.

The M-500 appliance in PAN-URL-DB mode:
    Does not have a web interface; it only supports a command line interface (CLI).
    Cannot be managed by Panorama.
    Cannot be deployed in a high availability pair.
    Does not require a URL Filtering license. The firewalls must have a valid PAN-DB URL Filtering license to connect with and query the PAN-DB private cloud.
    Ships with a set of default server certificates that are used to authenticate the firewalls that connect to the PAN-DB private cloud. You cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls that it services.
    Can be reset to Panorama mode only. If you want to deploy the appliance as a dedicated Log Collector, switch to Panorama mode and then set it in log collector mode.

Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

Content and Database Updates
    PAN-DB Public Cloud: Content (regular and critical) updates and full database updates are published multiple times during the day. The firewall checks for critical updates whenever it queries the cloud servers for URL lookups.
    PAN-DB Private Cloud: Content updates and full URL database updates are available once a day during the work week.

URL Categorization Requests
    PAN-DB Public Cloud: Submit URL categorization change requests using the following options:
        Palo Alto Networks Test A Site website.
        URL filtering profile setup page on the firewall.
        URL filtering log on the firewall.
    PAN-DB Private Cloud: Submit URL categorization change requests only using the Palo Alto Networks Test A Site website.

Unresolved URL Queries
    PAN-DB Public Cloud: If the firewall cannot resolve a URL query, the request is sent to the servers in the public cloud.
    PAN-DB Private Cloud: If the firewall cannot resolve a query, the request is sent to the M-500 appliance(s) in the PAN-DB private cloud. If there is no match for the URL, the PAN-DB private cloud sends a category unknown response to the firewall; the request is not sent to the public cloud unless you have configured the M-500 appliance to access the PAN-DB public cloud. If the M-500 appliance(s) that constitute your PAN-DB private cloud is configured to be completely offline, it does not send any data or analytics to the public cloud.

URLFilteringConcepts

URLFiltering

URLFilteringConcepts

URLCategories

URLFilteringProfile

URLFilteringProfileActions

BlockandAllowLists

ExternalDynamicListforURLs

SafeSearchEnforcement

ContainerPages

HTTPHeaderLogging

URLFilteringResponsePages

URLCategoryasPolicyMatchCriteria

URL Categories
Each website defined in the URL filtering database is assigned one of approximately 60 different URL categories. There are two ways to make use of URL categorization on the firewall:

- Block or allow traffic based on URL category: You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy would then be subject to the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more information.
- Match traffic based on URL category for policy enforcement: If you want a specific policy rule to apply only to web traffic to sites in a specific category, you would add the category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more information.

Grouping websites into categories makes it easy to define actions based on certain types of websites. In addition to the standard URL categories, there are three additional categories:

Category: not-resolved
Description: Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL; if no match is found, it checks the management plane cache, and if no match is found there, it queries the URL database in the cloud. In the case of the PAN-DB private cloud, the URL database in the cloud is not used for queries.
Setting the action to block for traffic that is categorized as not-resolved may be very disruptive to users. You could set the action as continue, so that you can notify users that they are accessing a site that is blocked by company policy and provide the option to read the disclaimer and continue to the website.
For more information on troubleshooting lookup issues, see Troubleshoot URL Filtering.

Category: private-ip-addresses
Description: Indicates that the website is a single domain (no subdomains), the IP address is in the private IP range, or the URL root domain is unknown to the cloud.

Category: unknown
Description: The website has not yet been categorized, so it does not exist in the URL filtering database on the firewall or in the URL cloud database.
When deciding on what action to take for traffic categorized as unknown, be aware that setting the action to block may be very disruptive to users because there could be a lot of valid sites that are not in the URL database yet. If you do want a very strict policy, you could block this category, so websites that do not exist in the URL database cannot be accessed.
Palo Alto Networks collects the list of URLs from the unknown category and processes them to determine the URL category. These URLs are processed automatically, every day, provided the websites have machine-readable content that is in a supported format and language. Upon categorization, the updated category information is made available to all PAN-DB customers.
See Configure URL Filtering.

Change Request Process
Palo Alto Networks customers can submit URL categorization change requests using the Palo Alto Networks dedicated web portal (Test A Site), the URL filtering profile setup page on the firewall, or the URL filtering log on the firewall. Each change request is automatically processed every day, provided the website provides machine-readable content that is in a supported format and language. Sometimes, the categorization change requires a member of the Palo Alto Networks engineering staff to perform a manual review. In such cases, the process may take a little longer.

URL Filtering Profile
A URL filtering profile is a collection of URL filtering controls that are applied to individual security policy rules to enforce your web access policy. The firewall comes with a default profile that is configured to block threat-prone categories, such as malware, phishing, and adult. You can use the default profile in a security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL filtering profile that will have all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed for more granular control over URL categories. For example, you may want to block social networking sites, but allow some websites that are part of the social networking category.

- URL Filtering Profile Actions
- Block and Allow Lists
- External Dynamic List for URLs
- Safe Search Enforcement
- Container Pages
- HTTP Header Logging

URL Filtering Profile Actions
The URL Filtering profile specifies an action for each URL category. By default, all URL categories are set to allow when you Create a new URL Filtering profile. This means that the users will be able to browse to all sites freely and the traffic will not be logged. The firewall also comes with a predefined default URL filtering profile that allows access to all categories except the following threat-prone categories, which it blocks: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, and weapons.
As a best practice, if you want to create a custom URL Filtering category, clone the default URL filtering profile and change the action in all allow categories to either alert or continue so that you have visibility into the traffic. It is also a best practice to set the proxy-avoidance-and-anonymizers category to block.

Action: alert
Description: The website is allowed and a log entry is generated in the URL filtering log.

Action: allow
Description: The website is allowed and no log entry is generated.

Action: block
Description: The website is blocked and the user will see a response page and will not be able to continue to the website. A log entry is generated in the URL filtering log.

Action: continue
Description: The user will be prompted with a response page indicating that the site has been blocked due to company policy, but the user is prompted with the option to continue to the website. The continue action is typically used for categories that are considered benign and is used to improve the user experience by giving them the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log.
The Continue page will not be displayed properly on client machines that are configured to use a proxy server.

Action: override
Description: The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or helpdesk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log. See Configure URL Admin Override.
The Override page does not display properly on client machines that are configured to use a proxy server.

Action: none
Description: The none action only applies to custom URL categories. Select none to ensure that if multiple URL profiles exist, the custom category will not have any impact on other profiles. For example, if you have two URL profiles and the custom URL category is set to block in one profile, if you do not want the block action to apply to the other profile, you must set the action to none.
Also, in order to delete a custom URL category, it must be set to none in any profile where it is used.

Block and Allow Lists
In some cases you might want to block a category, but allow a few specific sites in that category. Alternatively, you might want to allow some categories, but block individual sites in the category. You do this by adding the IP addresses or URLs of these sites in the Block list and Allow list sections of the URL Filtering profile to Define websites that should always be blocked or allowed.
When entering URLs in the Block List or Allow List or External Dynamic List for URLs, enter each URL or IP address in a new row separated by a new line. When using wildcards in the URLs, follow these rules:

- Do not include HTTP and HTTPS when defining URLs. For example, enter www.paloaltonetworks.com or paloaltonetworks.com instead of https://www.paloaltonetworks.com.
- Entries in the block list must be an exact match and are case-insensitive.
  For example: If you want to prevent a user from accessing any website within the domain paloaltonetworks.com, you would also add *.paloaltonetworks.com, so whatever domain prefix (http://, www, or a subdomain prefix such as mail.paloaltonetworks.com) is added to the address, the specified action will be taken. The same applies to the subdomain suffix; if you want to block paloaltonetworks.com/en/US, you would need to add paloaltonetworks.com/* as well.
  Further, if you want to limit access to a domain suffix such as paloaltonetworks.com.au, you must add a /, so that the match restricts a dot that follows .com. In this case, you need to add the entry as *.paloaltonetworks.com/
- The lists support wildcard patterns. The following characters are considered separators: . / ? & = ; +
  Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
    *.yahoo.com (tokens are: "*", "yahoo" and "com")
    www.*.com (tokens are: "www", "*" and "com")
    www.yahoo.com/search=* (tokens are: "www", "yahoo", "com", "search", "*")
  The following patterns are invalid because the character * is not the only character in the token:
    ww*.yahoo.com
    www.y*.com
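The following JavaScript is an added example (not code from the guide): it tokenizes list entries with the separators listed above and rejects any entry in which "*" shares a token with other characters. Its matchEntry() function is a simplified matcher assumed for illustration, in which each "*" stands for one or more whole tokens; the firewall's own matching algorithm is not documented on this page.

```javascript
// Added example, not code from the PAN-OS guide: tokenizes block/allow-list
// entries with the separator characters the guide lists and validates the
// wildcard rule ("*" must be the only character in its token). matchEntry()
// is an illustrative simplification (assumption): each "*" stands for one or
// more whole tokens, every other token must match exactly, and the entire
// entry must be consumed. It is not the firewall's documented matcher.
const SEPARATORS = new Set(['.', '/', '?', '&', '=', ';', '+']);

// Split an entry into tokens at every separator character. Separators are
// dropped; an empty token (for example after a trailing "/") is kept on purpose.
function tokenize(entry) {
  const tokens = [];
  let current = '';
  for (const ch of entry) {
    if (SEPARATORS.has(ch)) {
      tokens.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  tokens.push(current);
  return tokens;
}

// Check one list entry against the guide's formatting rules.
// Returns { valid: true, tokens } or { valid: false, reason }.
function validateEntry(entry) {
  if (/^https?:\/\//i.test(entry)) {
    return { valid: false, reason: 'omit the http:// or https:// scheme' };
  }
  // Tokens are ASCII; reject empty entries, whitespace and non-ASCII outright.
  if (!/^[\x21-\x7e]+$/.test(entry)) {
    return { valid: false, reason: 'entry must be non-empty printable ASCII' };
  }
  const tokens = tokenize(entry);
  for (const token of tokens) {
    if (token.includes('*') && token !== '*') {
      return { valid: false, reason: `"*" must be the only character in its token, found "${token}"` };
    }
  }
  return { valid: true, tokens };
}

// Illustrative matcher (assumption, see the header comment). List entries are
// case-insensitive, so both sides are lower-cased before comparison.
function matchEntry(entry, url) {
  const checked = validateEntry(entry);
  if (!checked.valid) return false;
  const pattern = checked.tokens.map((t) => t.toLowerCase());
  const target = tokenize(url.toLowerCase());

  // Recursive descent over the two token lists: "*" consumes one or more target
  // tokens, anything else must be equal, and both lists must end together.
  function matchFrom(pi, ti) {
    if (pi === pattern.length) return ti === target.length;
    if (pattern[pi] === '*') {
      for (let skip = 1; ti + skip <= target.length; skip += 1) {
        if (matchFrom(pi + 1, ti + skip)) return true;
      }
      return false;
    }
    return ti < target.length && pattern[pi] === target[ti] && matchFrom(pi + 1, ti + 1);
  }
  return matchFrom(0, 0);
}

// Validate a pasted list (one entry per line, as the profile expects) and
// return one result per non-blank line, so bad entries can be reported.
function checkList(listText) {
  return listText
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((entry) => ({ entry, ...validateEntry(entry) }));
}

// Constructed sample list: the guide's valid and invalid patterns plus a
// scheme-prefixed entry.
const SAMPLE_LIST = [
  '*.yahoo.com',
  'www.*.com',
  'www.yahoo.com/search=*',
  'ww*.yahoo.com',
  'www.y*.com',
  'https://www.paloaltonetworks.com',
].join('\n');

for (const result of checkList(SAMPLE_LIST)) {
  console.log(result.valid ? `ok      ${result.entry}` : `invalid ${result.entry}: ${result.reason}`);
}
```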

External Dynamic List for URLs
To protect your network from new sources of threat or malware, you can use External Dynamic List in URL Filtering profiles to block or allow, or to define granular actions such as continue, alert, or override for URLs, before you attach the profile to a Security policy rule. Unlike the allow list, block list, or a custom URL category on the firewall, an external dynamic list gives you the ability to update the list without a configuration change or commit on the firewall. The firewall dynamically imports the list at the configured interval and enforces policy for the URLs (IP addresses or domains will be ignored) in the list. For URL formatting guidelines, see Block and Allow Lists.

Safe Search Enforcement
Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. On the firewall, you can Enable Safe Search Enforcement so that the firewall will block search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.
To use this feature you must enable the Safe Search Enforcement option in a URL filtering profile and attach it to a security policy rule. The firewall will then block any matching search query return traffic that is not using the strictest safe search settings. There are two methods for blocking the search results:

- Block Search Results that are not Using Strict Safe Search Settings: When an end user attempts to perform a search without first enabling the strictest safe search settings, the firewall blocks the search query results and displays the URL Filtering Safe Search Block Page. By default, this page will provide a URL to the search provider settings for configuring safe search.
- Enable Transparent Safe Search Enforcement: When an end user attempts to perform a search without first enabling the strict safe search settings, the firewall blocks the search results with an HTTP 503 status code and redirects the search query to a URL that includes the safe search parameters. You enable this functionality by importing a new URL Filtering Safe Search Block Page containing the JavaScript for rewriting the search URL to include the strict safe search parameters. In this configuration, users will not see the block page, but will instead be automatically redirected to a search query that enforces the strictest safe search options. This safe search enforcement method requires content release version 475 or later and is only supported for Google, Yahoo, and Bing searches.

Also, because most search providers now use SSL to return search results, you must also configure a Decryption policy rule for the search traffic to enable the firewall to inspect the search traffic and enforce safe search.
Safe search enforcement enhancements and support for new search providers are periodically added in content releases. This information is detailed in the Application and Threat Content Release Notes. How sites are judged to be safe or unsafe is determined by each search provider, not by Palo Alto Networks.

Safe search settings differ by search provider as detailed in Table: Search Provider Safe Search Settings.

Table: Search Provider Safe Search Settings

Search Provider: Google/YouTube
Safe Search Setting Description: Offers safe search on individual computers or network-wide through Google's safe search virtual IP address:
Safe Search Enforcement for Google Searches on Individual Computers
In the Google Search Settings, the Filter explicit results setting enables safe search functionality. When enabled, the setting is stored in a browser cookie as FF= and passed to the server each time the user performs a Google search.
Appending safe=active to a Google search query URL also enables the strictest safe search settings.
Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address
Google provides servers that Lock SafeSearch (forcesafesearch.google.com) settings in every Google and YouTube search. By adding a DNS entry for www.google.com and www.youtube.com (and other relevant Google and YouTube country subdomains) that includes a CNAME record pointing to forcesafesearch.google.com to your DNS server configuration, you can ensure that all users on your network are using strict safe search settings every time they perform a Google or YouTube search. Keep in mind, however, that this solution is not compatible with Safe Search Enforcement on the firewall. Therefore, if you are using this option to force safe search on Google, the best practice is to block access to other search engines on the firewall by creating custom URL categories and adding them to the block list in the URL filtering profile.
If you plan to use the Google Lock SafeSearch solution, consider configuring DNS Proxy (Network > DNS Proxy) and setting the inheritance source as the Layer 3 interface on which the firewall receives DNS settings from the service provider via DHCP. You would configure the DNS proxy with Static Entries for www.google.com and www.youtube.com, using the local IP address for the forcesafesearch.google.com server.

Search Provider: Yahoo
Safe Search Setting Description: Offers safe search on individual computers only. The Yahoo Search Preferences include three Safe Search settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as vm= and passed to the server each time the user performs a Yahoo search.
Appending vm=r to a Yahoo search query URL also enables the strictest safe search settings.
When performing a search on Yahoo Japan (yahoo.co.jp) while logged in to a Yahoo account, end users must also enable the SafeSearch Lock option.

Search Provider: Bing
Safe Search Setting Description: Offers safe search on individual computers or through their Bing in the Classroom program. The Bing Settings include three Safe Search settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as adlt= and passed to the server each time the user performs a Bing search.
Appending adlt=strict to a Bing search query URL also enables the strictest safe search settings.
The Bing SSL search engine does not enforce the safe search URL parameters and you should therefore consider blocking Bing over SSL for full safe search enforcement.
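As an added example (not Palo Alto Networks' block page code), the JavaScript below does the rewrite that transparent enforcement performs in the browser: it detects the provider from the hostname (an assumption made for the example), checks whether the strict parameter from the table is present, and otherwise adds it, flagging the Bing over SSL case the table warns about.

```javascript
// Added example, not Palo Alto Networks code: models what a transparent safe
// search block page must do in the browser, namely rewrite the search URL so
// it carries the strictest parameter from the table above (Google safe=active,
// Yahoo vm=r, Bing adlt=strict). Provider detection by hostname is an
// assumption made here for the example.
const STRICT_PARAMS = {
  google: { name: 'safe', value: 'active' },
  yahoo: { name: 'vm', value: 'r' },
  bing: { name: 'adlt', value: 'strict' },
};

// Map a hostname to one of the three providers handled by transparent
// enforcement, or null. The patterns cover the common country domains only.
function providerOf(hostname) {
  const host = hostname.toLowerCase();
  if (/^(www\.)?google\.(com|com\.[a-z]{2}|co\.[a-z]{2}|[a-z]{2})$/.test(host)) return 'google';
  if (/(^|\.)search\.yahoo\.(com|co\.jp)$/.test(host)) return 'yahoo';
  if (/^(www\.)?bing\.com$/.test(host)) return 'bing';
  return null;
}

// Decide what enforcement does with one search URL:
//   pass     - not a handled provider, or already using the strictest setting
//   redirect - rewrite the query with the strict parameter and send the user there
function enforce(urlString) {
  const url = new URL(urlString);
  const provider = providerOf(url.hostname);
  if (provider === null) return { provider: null, action: 'pass' };
  const { name, value } = STRICT_PARAMS[provider];
  if (url.searchParams.get(name) === value) return { provider, action: 'pass' };
  url.searchParams.set(name, value); // replaces e.g. safe=off in place, or appends
  const decision = { provider, action: 'redirect', location: url.toString() };
  if (provider === 'bing' && url.protocol === 'https:') {
    // The guide notes that Bing over SSL does not honor the URL parameter.
    decision.warning = 'Bing over SSL does not enforce adlt=strict; consider blocking it';
  }
  return decision;
}

// Constructed sample queries.
const SAMPLE_QUERIES = [
  'https://www.google.com/search?q=kittens',
  'https://www.google.com/search?safe=off&q=kittens',
  'https://search.yahoo.com/search?p=kittens',
  'https://www.bing.com/search?q=kittens',
  'https://www.example.com/search?q=kittens',
];
for (const query of SAMPLE_QUERIES) console.log(query, '->', enforce(query));
```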

Container Pages
A container page is the main page that a user accesses when visiting a website, but additional websites may be loaded within the main page. If the Log Container page only option is enabled in the URL filtering profile, only the main container page will be logged, not subsequent pages that may be loaded within the container page. Because URL filtering can potentially generate a lot of log entries, you may want to turn on this option, so log entries will only contain those URIs where the requested page file name matches the specific mime-types. The default set includes the following mime-types:

- application/pdf
- application/soap+xml
- application/xhtml+xml
- text/html
- text/plain
- text/xml

If you have enabled the Log container page only option, there may not always be a correlated URL log entry for threats detected by antivirus or vulnerability protection.

HTTP Header Logging
URL filtering provides visibility and control over web traffic on your network. For improved visibility into web content, you can configure the URL Filtering profile to log HTTP header attributes included in a web request. When a client requests a web page, the HTTP header includes the user agent, referer, and x-forwarded-for fields as attribute-value pairs and forwards them to the web server. When enabled for logging HTTP headers, the firewall logs the following attribute-value pairs in the URL Filtering logs:

Attribute: User-Agent
Description: The web browser that the user used to access the URL, for example, Internet Explorer. This information is sent in the HTTP request to the server.

Attribute: Referer
Description: The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.

Attribute: X-Forwarded-For (XFF)
Description: The option in the HTTP request header field that preserves the IP address of the user who requested the web page. If you have a proxy server on your network, the XFF allows you to identify the IP address of the user who requested the content, instead of only recording the proxy server's IP address as the source IP address that requested the web page.

URL Filtering Response Pages
The firewall provides three predefined response pages that display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering Profile (block, continue, or override) or when Safe Search Enforcement is enabled:

- URL Filtering and Category Match Block Page: Access blocked by a URL Filtering Profile or because the URL category is blocked by a security policy.
- URL Filtering Continue and Override Page: Page with initial block policy that allows users to bypass the block by clicking Continue. With URL Admin Override enabled (Configure URL Admin Override), after clicking Continue, the user must supply a password to override the policy that blocks the URL.
- URL Filtering Safe Search Block Page: Access blocked by a security policy with a URL filtering profile that has the Safe Search Enforcement option enabled (see Enable Safe Search Enforcement). The user will see this page if a search is performed using Google, Bing, Yahoo, or Yandex and their browser or search engine account setting for Safe Search is not set to strict.

You can either use the predefined pages, or you can Customize the URL Filtering Response Pages to communicate your specific acceptable use policies and/or corporate branding. In addition, you can use the URL Filtering Response Page Variables for substitution at the time of the block event or add one of the supported Response Page References to external images, sounds, or style sheets.

URL Filtering Response Page Variables

Variable: <user/>
Usage: The firewall replaces the variable with the user name (if available via User-ID) or IP address of the user when displaying the response page.

Variable: <url/>
Usage: The firewall replaces the variable with the requested URL when displaying the response page.

Variable: <category/>
Usage: The firewall replaces the variable with the URL filtering category of the blocked request.

Variable: <pan_form/>
Usage: HTML code for displaying the Continue button on the URL Filtering Continue and Override page.

You can also add code that triggers the firewall to display different messages depending on what URL category the user is attempting to access. For example, the following code snippet from a response page specifies to display Message 1 if the URL category is games, Message 2 if the category is travel, or Message 3 if the category is kids:

    // The firewall substitutes the blocked request's category for <category/> before serving the page.
    var cat = "<category/>";
    switch (cat)
    {
        case 'games':
            document.getElementById("warningText").innerHTML = "Message 1";
            break;
        case 'travel':
            document.getElementById("warningText").innerHTML = "Message 2";
            break;
        case 'kids':
            document.getElementById("warningText").innerHTML = "Message 3";
            break;
    }

Only a single HTML page can be loaded into each virtual system for each type of block page. However, other resources such as images, sounds, and cascading style sheets (CSS files) can be loaded from other servers at the time the response page is displayed in the browser. All references must include a fully qualified URL.

Response Page References

Reference Type: Image
Example HTML Code:
    <img src="http://virginiadot.org/images/Stop-Sign-gif.gif">

Reference Type: Sound
Example HTML Code:
    <embed src="http://simplythebest.net/sounds/WAV/WAV_files/movie_WAV_files/do_not_go.wav" volume="100" hidden="true" autostart="true">

Reference Type: Style Sheet
Example HTML Code:
    <link href="http://example.com/style.css" rel="stylesheet" type="text/css" />

Reference Type: Hyperlink
Example HTML Code:
    <a href="http://en.wikipedia.org/wiki/Acceptable_use_policy">View Corporate Policy</a>

URL Category as Policy Match Criteria
Use URL Categories as a match criteria in a policy rule for more granular enforcement. For example, suppose you have configured Decryption, but you want to exclude traffic to certain types of websites (for example, healthcare or financial services) from being decrypted. In this case you could create a decryption policy rule that matches those categories and set the action to no-decrypt. By placing this rule above the rule to decrypt all traffic, you ensure that web traffic in URL categories matching the no-decrypt rule is left encrypted, while all other traffic matches the subsequent rule and is decrypted.
The following table describes the policy types that accept URL category as match criteria:

Policy Type: Captive Portal
Description: To ensure that users authenticate before being allowed access to a specific category, you can attach a URL category as a match criterion for the Captive Portal policy.

Policy Type: Decryption
Description: Decryption policies can use URL categories as match criteria to determine if specified websites should be decrypted or not. For example, if you have a decryption policy with the action decrypt for all traffic between two zones, there may be specific website categories, such as financial-services and/or health-and-medicine, that should not be decrypted. In this case, you would create a new decryption policy with the action of no-decrypt that precedes the decrypt policy and then define a list of URL categories as match criteria for the policy. By doing this, each URL category that is part of the no-decrypt policy will not be decrypted. You could also configure a custom URL category to define your own list of URLs that can then be used in the no-decrypt policy.

Policy Type: QoS
Description: QoS policies can use URL categories to allocate throughput levels for specific website categories. For example, you may want to allow the streaming-media category, but limit throughput by adding the URL category as match criteria to the QoS policy.

Policy Type: Security
Description: In security policies you can use URL categories both as a match criteria in the Service/URL Category tab, and in URL filtering profiles that are attached in the Actions tab.
If, for example, the IT security group in your company needs access to the hacking category, while all other users are denied access to the category, you must create the following rules:
- A security rule that allows the IT Security group to access content categorized as hacking. The security rule references the hacking category in the Services/URL Category tab and the IT Security group in the Users tab.
- Another security rule that allows general web access for all users. To this rule you attach a URL filtering profile that blocks the hacking category.
The policy that allows access to hacking must be listed before the policy that blocks hacking. This is because security policy rules are evaluated top-down, so when a user who is part of the security group attempts to access a hacking site, the policy rule that allows access is evaluated first and will allow the user access to the hacking sites. Users from all other groups are evaluated against the general web access rule, which blocks access to the hacking sites.

PAN-DB Categorization

- PAN-DB URL Categorization Components
- PAN-DB URL Categorization Workflow

PAN-DB URL Categorization Components
The following table describes the PAN-DB components in detail. The BrightCloud system works similarly, but does not use an initial seed database.
Component: URL Filtering Seed Database
Description: The initial seed database downloaded to the firewall is a small subset of the database that is maintained on the Palo Alto Networks URL cloud servers. The reason this is done is because the full database contains millions of URLs and many of these URLs may never be accessed by your users. When downloading the initial seed database, you select a region (North America, Europe, APAC, Japan). Each region contains a subset of URLs most accessed for the given region. This allows the firewall to store a much smaller URL database for better URL lookup performance. If a user accesses a website that is not in the local URL database, the firewall queries the full cloud database and then adds the new URL to the local database. This way the local database on the firewall is continually populated/customized based on actual user activity.
Note that re-downloading the PAN-DB seed database or switching the URL database vendor from PAN-DB to BrightCloud will clear the local database.

Component: Cloud Service (see Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud for information on the private cloud)
Description: The PAN-DB cloud service is implemented using Amazon Web Services (AWS). AWS provides a distributed, high performance, and stable environment for seed database downloads and URL lookups for Palo Alto Networks firewalls, and communication is performed over SSL. The AWS cloud systems hold the entire PAN-DB and are updated as new URLs are identified. The PAN-DB cloud service supports an automated mechanism to update the firewall's local URL database if the version does not match. Each time the firewall queries the cloud servers for URL lookups, it will also check for critical updates. If there have been no queries to the cloud servers for more than 30 minutes, the firewall will check for updates on the cloud systems.
The cloud system also provides a mechanism to submit URL category change requests. This is performed through the test-a-site service and is available directly from the firewall (URL filtering profile setup) and from the Palo Alto Networks Test A Site website. You can also submit a URL categorization change request directly from the URL filtering log on the firewall in the log details section.

Component: Management Plane (MP) URL Cache
Description: When you activate PAN-DB on the firewall, the firewall downloads a seed database from one of the PAN-DB cloud servers to initially populate the local cache for improved lookup performance. Each regional seed database contains the top URLs for the region and the size of the seed database (number of URL entries) also depends on the platform. The URL MP cache is automatically written to the firewall's local drive every eight hours, before the firewall is rebooted, or when the cloud upgrades the URL database version on the firewall. After rebooting the firewall, the file that was saved to the local drive will be loaded to the MP cache. A least recently used (LRU) mechanism is also implemented in the URL MP cache in case the cache is full. If the cache becomes full, the URLs that have been accessed the least will be replaced by the newer URLs.

Component: Dataplane (DP) URL Cache
Description: This is a subset of the MP cache and is a customized, dynamic URL database that is stored in the dataplane (DP) and is used to improve URL lookup performance. The URL DP cache is cleared at each firewall reboot. The number of URLs that are stored in the URL DP cache varies by hardware platform and the current URLs stored in the TRIE (data structure). A least recently used (LRU) mechanism is implemented in the DP cache in case the cache is full. If the cache becomes full, the URLs that have been accessed the least will be replaced by the newer URLs. Entries in the URL DP cache expire after a specified period of time and the expiration period cannot be changed by the administrator.

PAN-DB URL Categorization Workflow
When a user attempts to access a URL and the URL category needs to be determined, the firewall will compare the URL with the following components (in order) until a match has been found: the dataplane URL cache, then the management plane URL cache, then the cloud service (see the component table above).

If a URL query matches an expired entry in the URL DP cache, the cache responds with the expired category, but also sends a URL categorization query to the management plane. This is done to avoid unnecessary delays in the DP, assuming that the frequency of changing categories is low. Similarly, in the URL MP cache, if a URL query from the DP matches an expired entry in the MP, the MP responds to the DP with the expired category and will also send a URL categorization request to the cloud service. Upon getting the response from the cloud, the firewall will resend the updated response to the DP.

As new URLs and categories are defined or if critical updates are needed, the cloud database will be updated. Each time the firewall queries the cloud for a URL lookup, or if no cloud lookups have occurred for 30 minutes, the database versions on the firewall are compared and, if they do not match, an incremental update will be performed.
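The lookup order and the stale-entry behaviour just described, as an added example that is not code from the guide: a small JavaScript model with a TTL-bound dataplane LRU cache, a management plane LRU cache and a cloud lookup. The capacities, TTL and cloud database are constructed for the demo, and the MP cache is given no expiry of its own to keep the model short.

```javascript
// Added example, not code from the PAN-OS guide: a small model of the lookup
// order described above (dataplane cache, then management plane cache, then
// the cloud), with LRU eviction, expired DP entries that answer with the
// stale category while a refresh is queued, and "not-resolved" when nothing
// matches and the cloud is unreachable. Capacities, the TTL and the sample
// cloud database are constructed for the demo; the MP cache here has no expiry.
class LruCache {
  constructor(capacity) {
    this.capacity = capacity;
    this.map = new Map(); // Map keeps insertion order, which doubles as recency
  }
  get(key) {
    if (!this.map.has(key)) return undefined;
    const entry = this.map.get(key);
    this.map.delete(key); // re-insert so the key becomes most recently used
    this.map.set(key, entry);
    return entry;
  }
  set(key, entry) {
    if (this.map.has(key)) {
      this.map.delete(key);
    } else if (this.map.size >= this.capacity) {
      this.map.delete(this.map.keys().next().value); // evict least recently used
    }
    this.map.set(key, entry);
  }
}

class UrlCategorizer {
  // cloud: (url) => category; it throws when the cloud is unreachable.
  constructor({ cloud, dpCapacity, mpCapacity, dpTtl }) {
    this.cloud = cloud;
    this.dp = new LruCache(dpCapacity);
    this.mp = new LruCache(mpCapacity);
    this.dpTtl = dpTtl;
    this.pendingRefresh = []; // URLs answered from an expired DP entry
  }
  // Resolve a category and report which component answered.
  lookup(url, now) {
    const dpEntry = this.dp.get(url);
    if (dpEntry !== undefined) {
      if (now - dpEntry.storedAt < this.dpTtl) {
        return { category: dpEntry.category, source: 'dp' };
      }
      // Expired: answer with the stale category and refresh asynchronously.
      this.pendingRefresh.push(url);
      return { category: dpEntry.category, source: 'dp-expired' };
    }
    const mpEntry = this.mp.get(url);
    if (mpEntry !== undefined) {
      this.dp.set(url, { category: mpEntry.category, storedAt: now });
      return { category: mpEntry.category, source: 'mp' };
    }
    return this.resolveFromCloud(url, now);
  }
  resolveFromCloud(url, now) {
    let category;
    try {
      category = this.cloud(url);
    } catch (err) {
      return { category: 'not-resolved', source: 'none' }; // nothing is cached
    }
    this.mp.set(url, { category });
    this.dp.set(url, { category, storedAt: now });
    return { category, source: 'cloud' };
  }
  // Work off queued refreshes; stale entries stay in place if the cloud is down.
  drainRefreshes(now) {
    const refreshed = [];
    for (const url of this.pendingRefresh.splice(0)) {
      const result = this.resolveFromCloud(url, now);
      if (result.source === 'cloud') refreshed.push({ url, category: result.category });
    }
    return refreshed;
  }
}

// Constructed sample cloud database; anything else is "unknown".
const SAMPLE_CLOUD_DB = new Map([
  ['www.example.com', 'computer-and-internet-info'],
  ['news.example.org', 'news'],
]);
const sampleCloud = (url) => (SAMPLE_CLOUD_DB.has(url) ? SAMPLE_CLOUD_DB.get(url) : 'unknown');

// Walk through the scenario described in the text (times in milliseconds) and
// return the component that answered each lookup.
function demo() {
  const fw = new UrlCategorizer({ cloud: sampleCloud, dpCapacity: 2, mpCapacity: 10, dpTtl: 100 });
  const trace = [];
  trace.push(fw.lookup('www.example.com', 0).source);    // cloud: first sight
  trace.push(fw.lookup('www.example.com', 10).source);   // dp: fresh entry
  trace.push(fw.lookup('www.example.com', 150).source);  // dp-expired: stale answer
  fw.drainRefreshes(150);                                // refresh lands in DP and MP
  trace.push(fw.lookup('www.example.com', 160).source);  // dp: refreshed entry
  trace.push(fw.lookup('news.example.org', 160).source); // cloud
  trace.push(fw.lookup('a.example.net', 160).source);    // cloud (unknown), evicts www
  trace.push(fw.lookup('www.example.com', 170).source);  // mp: DP evicted it
  return trace;
}
console.log(demo());
```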

Enable a URL Filtering Vendor
To enable URL filtering on a firewall, you must purchase and activate a URL Filtering license for one of the supported URL Filtering Vendors and then install the database for the vendor you selected.
Starting with PAN-OS 6.0, firewalls managed by Panorama do not need to be running the same URL filtering vendor that is configured on Panorama. For firewalls running PAN-OS 6.0 or later, when a mismatch is detected between the vendor enabled on the firewalls and what is enabled on Panorama, the firewalls can automatically migrate URL categories and/or URL profiles to (one or more) categories that align with that of the vendor enabled on it. For guidance on how to configure URL Filtering on Panorama if you are managing firewalls running different PAN-OS versions, refer to the Panorama Administrator's Guide.

If you have valid licenses for both PAN-DB and BrightCloud, activating the PAN-DB license automatically deactivates the BrightCloud license (and vice versa). Only one URL filtering license can be active on a firewall at a time.

- Enable PAN-DB URL Filtering
- Enable BrightCloud URL Filtering

Enable PAN-DB URL Filtering

Step 1: Obtain and install a PAN-DB URL filtering license and confirm that it is installed.
  If the license expires, PAN-DB URL Filtering continues to work based on the URL category information that exists in the dataplane and management plane caches. However, URL cloud lookups and other cloud-based updates will not function until you install a valid license.
  1. Select Device > Licenses and, in the License Management section, select the license installation method:
     - Retrieve license keys from license server
     - Activate feature using authorization code
     - Manually upload license key
  2. After installing the license, confirm that the PAN-DB URL Filtering section, Date Expires field, displays a valid date.

Step 2: Download the initial seed database and activate PAN-DB URL Filtering.
  The firewall must have Internet access; you cannot manually upload the PAN-DB seed database.
  1. In the PAN-DB URL Filtering section, Download Status field, click Download Now.
  2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
  3. After the download completes, click Activate.
     If PAN-DB is already the active URL filtering vendor and you click Re-Download, this will re-activate PAN-DB by clearing the dataplane and management plane caches and replacing them with the contents of the new seed database. You should avoid doing this unless it is necessary, as you will lose your cache, which is customized based on the web traffic that has previously passed through the firewall based on user activity.

Step 3: Schedule the firewall to download dynamic updates for Applications and Threats.
  A Threat Prevention license is required to receive content updates, which covers Antivirus and Applications and Threats.
  1. Select Device > Dynamic Updates.
  2. In the Schedule field in the Applications and Threats section, click the None link to schedule periodic updates.
     You can only schedule dynamic updates if the firewall has direct Internet access. If updates are already scheduled in a section, the link text displays the schedule settings.
     The Applications and Threats updates sometimes contain updates for URL filtering related to the Safe Search Enforcement option in the URL filtering profile (Objects > Security Profiles > URL Filtering). For example, if Palo Alto Networks adds support for a new search provider vendor or if the method used to detect the Safe Search setting for an existing vendor changes, the Application and Threats updates will include that update.

EnableBrightCloudURLFiltering
EnableBrightCloudURLFiltering
Step1

ObtainandinstallaBrightCloudURL
1.
filteringlicenseandconfirmthatitis
installed.
BrightCloudhasanoptioninthe
URLfilteringprofile(Objects >
Security Profiles > URL
2.
Filtering)toeitherallowall
categoriesorblockallcategories
ifthelicenseexpires.

PaloAltoNetworks,Inc.

SelectDevice > Licensesand,intheLicense Management


section,selectthelicenseinstallationmethod:
Activate feature using authorization code
Retrieve license keys from license server
Manually upload license key
Afterinstallingthelicense,confirmthattheBrightCloudURL
Filteringsection,Date Expiresfield,displaysavaliddate.

PANOS7.1AdministratorsGuide 533

EnableaURLFilteringVendor

URLFiltering

Step 2: Install the BrightCloud database. The way you do this depends on whether or not the firewall has direct Internet access.
    Firewall with Direct Internet Access
    Select Device > Licenses and, in the BrightCloud URL Filtering section, Active field, click the Activate link to install the BrightCloud database. This operation automatically initiates a system reset.
    Firewall without Direct Internet Access
    1. Download the BrightCloud database to a host that has Internet access. The firewall must have access to the host:
       a. On a host with Internet access, go to the Palo Alto Networks Customer Support website, www.paloaltonetworks.com/support/tabs/overview.html, and log in.
       b. In the Resources section, click Dynamic Updates.
       c. In the BrightCloud Database section, click Download and save the file to the host.
    2. Upload the database to the firewall:
       a. Log in to the firewall, select Device > Dynamic Updates and click Upload.
       b. For the Type, select URL Filtering.
       c. Enter the path to the File on the host or click Browse to find it, then click OK. When the Status is Completed, click Close.
    3. Install the database:
       a. Select Device > Dynamic Updates and click Install From File.
       b. For the Type, select URL Filtering. The firewall automatically selects the file you just uploaded.
       c. Click OK and, when the Result is Succeeded, click Close.

Step 3: Enable cloud lookups for dynamically categorizing a URL if the category is not available on the local BrightCloud database.
    1. Access the PAN-OS CLI.
    2. Enter the following commands to enable dynamic URL filtering:
       configure
       set deviceconfig setting url dynamic-url yes
       commit


Step 4: Schedule the firewall to download dynamic updates for Applications and Threats signatures and URL filtering. You can only schedule dynamic updates if the firewall has direct Internet access.
    The Applications and Threats updates might contain updates for URL filtering related to the Safe Search Enforcement option in the URL filtering profile. For example, if Palo Alto Networks adds support for a new search provider vendor or if the method used to detect the Safe Search setting for an existing vendor changes, the Application and Threats updates will include that update.
    BrightCloud updates include a database of approximately 20 million websites that are stored locally on the firewall. You must schedule URL filtering updates to receive BrightCloud database updates.
    Note: A Threat Prevention license is required to receive Antivirus and Applications and Threats updates.
    1. Select Device > Dynamic Updates.
    2. In the Applications and Threats section, Schedule field, click the None link to schedule periodic updates.
    3. In the URL Filtering section, Schedule field, click the None link to schedule periodic updates.
    Note: If updates are already scheduled in a section, the link text displays the schedule settings.


Determine URL Filtering Policy Requirements
The recommended practice for deploying URL filtering in your organization is to first start with a passive URL filtering profile that will alert on most categories. After setting the alert action, you can then monitor user web activity for a few days to determine patterns in web traffic. After doing so, you can then make decisions on the websites and website categories that should be controlled.
In the procedure that follows, threat-prone sites will be set to block and the other categories will be set to alert, which will cause all website traffic to be logged. This may potentially create a large amount of log files, so it is best to do this for initial monitoring purposes to determine the types of websites your users are accessing. After determining the categories that your company approves of, those categories should then be set to allow, which will not generate logs. You can also reduce URL filtering logs by enabling the Log container page only option in the URL Filtering profile, so only the main page that matches the category will be logged, not subsequent pages/categories that may be loaded within the container page.
If you subscribe to third-party URL feeds and want to secure your users from emerging threats, see Use an External Dynamic List in a URL Filtering Profile.

Configure and Apply a Passive URL Filtering Profile

Step 1: Create a new URL Filtering profile.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Select the default profile and then click Clone. The new profile will be named default-1.
    3. Select the default-1 profile and rename it. For example, rename it to URL-Monitoring.

Step 2: Configure the action for all categories to alert, except for threat-prone categories, which should remain blocked.
    Tip: To select all items in the category list from a Windows system, click the first category, then hold down the shift key and click the last category; this will select all categories. Hold the control key (ctrl) down and click items that should be deselected. On a Mac, do the same using the shift and command keys. You could also just set all categories to alert and manually change the recommended categories back to block.
    1. In the section that lists all URL categories, select all categories.
    2. To the right of the Action column heading, mouse over and select the down arrow and then select Set Selected Actions and choose alert.
    3. To ensure that you block access to threat-prone sites, select the following categories and then set the action to block: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, weapons.
    4. Click OK to save the profile.

Step 3: Apply the URL Filtering profile to the security policy rule(s) that allow web traffic for users.
    1. Select Policies > Security and select the appropriate security policy to modify it.
    2. Select the Actions tab and, in the Profile Setting section, click the drop-down for URL Filtering and select the new profile.
    3. Click OK to save.


Step 4: Save the configuration.
    Click Commit.

Step 5: View the URL filtering logs to determine all of the website categories that your users are accessing. In this example, some categories are set to block, so those categories will also appear in the logs. For information on viewing the logs and generating reports, see Monitor Web Activity.
    Select Monitor > Logs > URL Filtering. A log entry will be created for any website that exists in the URL filtering database that is in a category that is set to any action other than allow.


Use an External Dynamic List in a URL Filtering Profile
An External Dynamic List is a text file that is hosted on an external web server. You can use this list to import URLs and enforce policy on these URLs. When you update the list on the web server, the firewall retrieves the changes and applies policy to the modified list without requiring a commit on the firewall.
For more information, see External Dynamic List and Enforce Policy on Entries in an External Dynamic List.

Use an External Dynamic List with URLs in a URL Filtering Profile

Step 1: Create the external dynamic list for URLs and host it on a web server.
    Create a text file and enter the URLs in the file; each URL must be on a separate line. For example:
    financialtimes.co.in
    www.wallaby.au/joey
    www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
    *.example.com/*
    abc?*/abc.com
    *&*.net
    See Block and Allow Lists for formatting guidelines.

Step 2: Configure the firewall to access the external dynamic list.
    1. Select Objects > External Dynamic Lists.
    2. Click Add and enter a descriptive Name for the list.
    3. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
    4. In the Type drop-down, select URL List. Ensure that the list does not include IP addresses or domain names; the firewall skips non-URL entries.
    5. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2016.
    6. Click Test Source URL to verify that the firewall can connect to the web server.
       Note: If the web server is unreachable after the connection is established, the firewall uses the last successfully retrieved list for enforcing policy until the connection is restored with the web server.
    7. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour.
    8. Click OK.


Step 3: Use the external dynamic list in a URL Filtering profile.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Add or modify an existing URL Filtering profile.
    3. Name the profile and, in the Categories tab, select the external dynamic list from the Category list.
    4. Click Action to select a more granular action for the URLs in the external dynamic list.
       Note: If a URL that is included in an external dynamic list is also included in a custom URL category, or Block and Allow Lists, the action specified in the custom category or the block and allow list will take precedence over the external dynamic list.
    5. Click OK.
    6. Attach the URL Filtering profile to a Security policy rule.
       a. Select Policies > Security.
       b. Select the Actions tab and, in the Profile Setting section, select the new profile in the URL Filtering drop-down.
       c. Click OK and Commit.

Step 4: Test that the policy action is enforced.
    1. Attempt to access a URL that is included in the external dynamic list.
    2. Verify that the action you defined is enforced in the browser.
    3. To monitor the activity on the firewall:
       a. Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
       b. Select Monitor > Logs > URL Filtering to access the detailed log view.

Step 5: Verify whether entries in the external dynamic list were ignored or skipped. In a list of type URL, the firewall skips non-URL entries as invalid and ignores entries that exceed the maximum limit for the platform.
    Use the following CLI command on a firewall to review the details for a list.
    request system external-list show type url list_name
    For example:
    request system external-list show type url EBL_ISAC_Alert_List
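The two rules in Step 5 (non-URL entries are skipped, entries past the platform limit are ignored) can be checked before a list is published rather than discovered afterwards in the CLI output. The following validator is an added example, not PAN-OS code or part of this guide; it reads the list from Step 1 plus two constructed IP entries and classifies each line the way the procedure says the firewall treats it. MAX_ENTRIES is a hypothetical placeholder, since the real limit is platform-specific.

```python
"""Pre-publication check for a URL-list external dynamic list.

Added example, not PAN-OS code or part of the guide. It applies the two
rules the procedure states for a list of type URL: entries that are not URLs
(bare IP addresses or ranges) are skipped, and entries beyond the platform's
maximum are ignored. MAX_ENTRIES is a hypothetical placeholder; the real
limit depends on the firewall platform.
"""
import ipaddress
from dataclasses import dataclass, field

MAX_ENTRIES = 5  # hypothetical; set deliberately small so the sample overflows

# Constructed sample list: the guide's example entries plus two IP entries.
SAMPLE_EDL = """\
financialtimes.co.in
www.wallaby.au/joey
www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
*.example.com/*
abc?*/abc.com

*&*.net
203.0.113.7
10.0.0.0/8
"""


@dataclass
class EdlReport:
    accepted: list = field(default_factory=list)
    skipped_non_url: list = field(default_factory=list)
    ignored_over_limit: list = field(default_factory=list)


def is_ip_entry(entry: str) -> bool:
    """True for a bare IPv4/IPv6 address or CIDR range, which a URL list skips."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def validate_url_edl(text: str, max_entries: int = MAX_ENTRIES) -> EdlReport:
    """Classify each line the way the firewall would treat it."""
    report = EdlReport()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue  # blank lines carry no entry
        if is_ip_entry(entry):
            report.skipped_non_url.append(entry)
        elif len(report.accepted) >= max_entries:
            report.ignored_over_limit.append(entry)
        else:
            report.accepted.append(entry)
    return report


if __name__ == "__main__":
    r = validate_url_edl(SAMPLE_EDL)
    for label, items in (("accepted", r.accepted),
                         ("skipped (non-URL)", r.skipped_non_url),
                         ("ignored (over limit)", r.ignored_over_limit)):
        print(f"{label}: {items}")
```

Run it against the file you are about to host; anything in the skipped or ignored lists would never be enforced by the firewall, which is the same gap the CLI command in Step 5 reveals after the fact.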


Monitor Web Activity
The ACC, URL filtering logs and reports show all user web activity for URL categories that are set to alert, block, continue, or override. By monitoring the logs, you can gain a better understanding of the web activity of your user base to determine a web access policy.
The following topics describe how to monitor web activity:
- Monitor Web Activity of Network Users
- View the User Activity Report
- Configure Custom URL Filtering Reports

Monitor Web Activity of Network Users
You can use the ACC, and the URL filtering reports and logs that are generated on the firewall, to track user activity.
For a quick view of the most common categories users access in your environment, check the ACC widgets. Most widgets in the Network Activity tab allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted-tunnel, and ssl. You can also view the list of Threat Activity and Blocked Activity sorted on URLs.
From the ACC, you can directly Jump to the Logs or you can navigate to Monitor > Logs > URL Filtering to view the URL filtering logs. The following bullet points show examples of the URL filtering logs.
- Alert log: In this log, the category is shopping and the action is alert.
- Block log: In this log, the category malware was set to block, so the action is block-url and the user will see a response page indicating that the website was blocked.
- Alert log on encrypted website: In this example, the category is social-networking and the application is facebook-base, which is required to access the Facebook website and other Facebook applications. Because facebook.com is always encrypted using SSL, the traffic was decrypted by the firewall, which allows the website to be recognized and controlled if needed.
You can also add several other columns to your URL Filtering log view, such as: to and from zone, content type, and whether or not a packet capture was performed. To modify what columns to display, click the down arrow in any column and select the attribute to display.
To view the complete log details and/or request a category change for the given URL that was accessed, click the log details icon in the first column of the log.
To generate a predefined URL filtering report on URL categories, URL users, Websites accessed, Blocked categories, and more, select Monitor > Reports and, under the URL Filtering Reports section, select one of the reports. The reports are based on a 24-hour period and the day is selected by choosing a day in the calendar section. You can also export the report to PDF, CSV, or XML.
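The same questions the ACC widgets answer (which categories are hit most, who is being blocked, which alert-only categories could be moved to allow to cut log volume) can be asked of an exported log. The script below is an added example, not PAN-OS code or part of this guide. Its sample records are constructed to resemble the fields shown in the URL Filtering log view (source user, URL, category, action, application); the comma-separated layout and column names are assumptions, not the firewall's export format.

```python
"""Summarize URL Filtering log entries to see which categories users reach.

Added example, not PAN-OS code or part of the guide. The records below are
constructed to resemble the fields the URL Filtering log view shows (source
user, URL, category, action, application); the comma-separated layout and
field names are assumptions, not the firewall's export format.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample export: a header row and five log entries.
SAMPLE_LOG = """\
receive_time,src_user,url,category,action,app
2016/05/19 09:01:12,acme\\alice,www.example-shop.test/cart,shopping,alert,web-browsing
2016/05/19 09:02:45,acme\\bob,bad.example-malware.test/payload,malware,block-url,web-browsing
2016/05/19 09:03:10,acme\\alice,www.facebook.com/,social-networking,alert,facebook-base
2016/05/19 09:04:33,acme\\carol,www.example-shop.test/checkout,shopping,alert,web-browsing
2016/05/19 09:05:01,acme\\bob,games.example-gambling.test/,gambling,block-url,web-browsing
"""


def parse_url_log(text: str) -> list:
    """Parse the export into one dict per log entry."""
    return list(csv.DictReader(StringIO(text)))


def category_counts(entries) -> Counter:
    """How often each URL category appears, the view the ACC widgets give."""
    return Counter(e["category"] for e in entries)


def blocked_by_user(entries) -> Counter:
    """Number of block actions per source user."""
    return Counter(e["src_user"] for e in entries if e["action"].startswith("block"))


def alert_only_categories(entries) -> list:
    """Categories seen only with the alert action. Once the organization
    approves such a category, setting it to allow stops it being logged."""
    seen = {}
    for e in entries:
        seen.setdefault(e["category"], set()).add(e["action"])
    return sorted(c for c, actions in seen.items() if actions == {"alert"})


if __name__ == "__main__":
    entries = parse_url_log(SAMPLE_LOG)
    print("by category:", dict(category_counts(entries)))
    print("blocks per user:", dict(blocked_by_user(entries)))
    print("alert-only categories:", alert_only_categories(entries))
```

With a real export, the alert-only list is the candidate set for the review described under Determine URL Filtering Policy Requirements: approved categories move to allow, the rest stay at alert or are raised to block.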


View the User Activity Report
This report provides a quick method of viewing user or group activity and also provides an option to view browse time activity.

Generate a User Activity Report

Step 1: Configure a User Activity Report.
    1. Select Monitor > PDF Reports > User Activity Report.
    2. Enter a report Name and select the report type. Select User to generate a report for one person, or select Group for a group of users.
       Note: You must Enable User-ID in order to be able to select user or group names. If User-ID is not configured, you can select the type User and enter the IP address of the user's computer.
    3. Enter the Username/IP address for a user report or enter the group name for a user group report.
    4. Select the time period. You can select an existing time period, or select Custom.
    5. Select the Include Detailed Browsing check box, so browsing information is included in the report.


Step 2: Run the user activity report and then download the report.
    1. Click Run Now.
    2. After the report is generated, click the Download User Activity Report link.
    3. After the report is downloaded, click Cancel and then click OK to save the report.

Step 3: View the user activity report by opening the PDF file that was downloaded. The top of the report will contain a table of contents similar to the following:

Step 4: Click an item in the table of contents to view details. For example, click Traffic Summary by URL Category to view statistics for the selected user or group.


Configure Custom URL Filtering Reports
To generate a detailed report that can also be scheduled, you can configure a custom report and select from a list of all available URL filtering log fields.

Configure a Custom URL Filtering Report

Step 1: Add a new custom report.
    1. Select Monitor > Manage Custom Reports and click Add.
    2. Enter a report Name, for example, My URL Custom Report.
    3. From the Database drop-down, select URL Log.

Step 2: Configure report options.
    1. Select the Time Frame drop-down and select a range.
    2. (Optional) To customize how the report is sorted and grouped, select Sort By and choose the number of items to display (top 25, for example), then select Group By and select an option such as Category, and then select how many groups will be defined.
    3. In the Available Columns list, select the fields to include in the report. The following columns are typically used for a URL report:
       - Action
       - Category
       - Destination Country
       - Source User
       - URL

Step 3: Run the report to check the results. If the results are satisfactory, set a schedule to run the report automatically.
    1. Click the Run Now icon to immediately generate the report, which will appear in a new tab.
    2. (Optional) Click the Schedule check box to run the report once per day. This will generate a daily report that details web activity over the last 24 hours. To access the report, select Monitor > Reports and then expand Custom Reports in the right column and select the report.

Step 4: Save the configuration.
    Click Commit.


Configure URL Filtering
After you Determine URL Filtering Policy Requirements, you should have a basic understanding of what types of websites and website categories your users are accessing. With this information, you are now ready to create custom URL filtering profiles and attach them to the security policy rule(s) that allow web access.

Configure Website Controls

Step 1: Create a URL Filtering profile or select an existing one.
    Note: Because the default URL filtering profile blocks risky and threat-prone content, it is a best practice to clone this profile to preserve these default settings, rather than creating a new profile.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Select the default profile and then click Clone. The new profile will be named default-1.
    3. Select the new profile and rename it.

Step 2: Define how to control access to web content.
    In the Categories tab, for each category that you want visibility into or control over, select a value from the Action column as follows:
    - If you do not care about traffic to a particular category (that is, you neither want to block it nor log it), select allow.
    - For visibility into traffic to sites in a category, select alert.
    - To deny access to traffic that matches the category and to enable logging of the blocked traffic, select block.
    - To require users to click Continue to proceed to a questionable site, select continue.
    - To only allow access if users provide a configured password, select override. For more details on this setting, see Configure URL Admin Override.

Step 3: Define websites that should always be blocked or allowed.
    For example, to reduce URL filtering logs, you may want to add your corporate websites to the allow list, so no logs will be generated for those sites. Or, if there is a website that is being overly used and is not work related in any way, you can add it to the block list.
    Items in the block list will always be blocked regardless of the action for the associated category, and URLs in the allow list will always be allowed.
    For more information on the proper format and wildcard usage, see Block and Allow Lists.
    1. In the URL filtering profile, enter URLs or IP addresses in the Block List and select an action:
       - block: Block the URL.
       - continue: Prompt users to click Continue to proceed to the web page.
       - override: The user will be prompted for a password to continue to the website.
       - alert: Allow the user to access the website and add an alert log entry in the URL log.
    2. For the Allow list, enter IP addresses or URLs that should always be allowed. Each row must be separated by a new line.
    3. (Optional) Enable Safe Search Enforcement.


Step 4: Modify the setting to log Container Pages only.
    The Log container page only option is enabled by default so that only the main page that matches the category is logged, not subsequent pages/categories that may be loaded within the container page. To enable logging for all pages/categories, clear the Log container page only check box.

Step 5: Enable HTTP Header Logging for one or more of the supported HTTP header fields.
    To log an HTTP header field, select one or more of the following fields to log:
    - User-Agent
    - Referer
    - X-Forwarded-For

Step 6: Save the URL filtering profile.
    1. Click OK.
    2. (Optional) Customize the URL Filtering Response Pages.
    3. Click Commit.
    Note: To test the URL filtering configuration, simply access a website in a category that is set to block or continue to see if the appropriate action is performed.


Customize the URL Filtering Response Pages
The firewall provides three predefined URL Filtering Response Pages that display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering Profile (block, continue, or override) or when Safe Search Enforcement blocks a search attempt. However, you can create your own custom response pages with your corporate branding, acceptable use policies, and links to your internal resources as follows:

Customize the URL Filtering Response Pages

Step 1: Export the default response page(s).
    1. Select Device > Response Pages.
    2. Select the link for the URL filtering response page you want to modify.
    3. Click the response page (predefined or shared) and then click the Export link and save the file to your desktop.

Step 2: Edit the exported page.
    1. Using the HTML text editor of your choice, edit the page:
       - If you want the response page to display custom information about the specific user, URL, or category that was blocked, add one or more of the supported URL Filtering Response Page Variables.
       - If you want to include custom images (such as your corporate logo), a sound, or a style sheet, or link to another URL, for example to a document detailing your acceptable web use policy, include one or more of the supported Response Page References.
    2. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding. For example, in Notepad you would select UTF-8 from the Encoding drop-down in the Save As dialog.

Step 3: Import the customized response page.
    1. Select Device > Response Pages.
    2. Select the link that corresponds to the URL Filtering response page you edited.
    3. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
    4. (Optional) Select the virtual system on which this response page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
    5. Click OK to import the file.

Step 4: Save the new response page(s).
    Commit the changes.

Step 5: Verify that the new response page displays.
    From a browser, go to the URL that will trigger the response page. For example, to see a modified URL Filtering and Category Match response page, browse to a URL that your URL filtering policy is set to block.


Configure URL Admin Override
In some cases there may be URL categories that you want to block, but allow certain individuals to browse to on occasion. In this case, you would set the category action to override and define a URL admin override password in the firewall Content-ID configuration. When users attempt to browse to the category, they will be required to provide the override password before they are allowed access to the site. Use the following procedure to configure URL admin override:

Configure URL Admin Override

Step 1: Set the URL admin override password.
    1. Select Device > Setup > Content-ID.
    2. In the URL Admin Override section, click Add.
    3. In the Location field, select the virtual system to which this password applies.
    4. Enter the Password and Confirm Password.
    5. Select an SSL/TLS Service Profile. The profile specifies the certificate that the firewall presents to the user if the site with the override is an HTTPS site. For details, see Configure an SSL/TLS Service Profile.
    6. Select the Mode for prompting the user for the password:
       - Transparent: The firewall intercepts the browser traffic destined for a site in a URL category you have set to override and impersonates the original destination URL, issuing an HTTP 401 to prompt for the password. Note that the client browser will display certificate errors if it does not trust the certificate.
       - Redirect: The firewall intercepts HTTP or HTTPS traffic to a URL category set to override and redirects the request to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to prompt for the override password. If you select this option, you must provide the Address (IP address or DNS hostname) to which to redirect the traffic.
    7. Click OK.

Step 2: (Optional) Set a custom override period.
    1. Edit the URL Filtering section.
    2. To change the amount of time users can browse to a site in a category for which they have successfully entered the override password, enter a new value in the URL Admin Override Timeout field. By default, users can access sites within the category for 15 minutes without re-entering the password.
    3. To change the amount of time users are blocked from accessing a site set to override after three failed attempts to enter the override password, enter a new value in the URL Admin Lockout Timeout field. By default, users are blocked for 30 minutes.
    4. Click OK.
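To make the two timers in Step 2 concrete, the model below plays through an override session: a correct password opens the category for the override timeout, and three failed attempts trigger the lockout timeout. It is an added example, not PAN-OS code or part of this guide. Keying state by client IP, resetting the failure counter on success, and passing the clock in as a parameter are assumptions made so the model runs stand-alone; the firewall's own bookkeeping is not documented here.

```python
"""Timer model for URL admin override sessions.

Added example, not PAN-OS code or part of the guide. It implements the
behaviour the procedure describes for a category set to override: a correct
password opens the category for URL Admin Override Timeout minutes (default
15) without re-entering it, and three failed attempts lock the user out for
URL Admin Lockout Timeout minutes (default 30). Tracking state per client IP,
resetting the failure counter on success, and passing the clock in as a
parameter are assumptions made so the model runs stand-alone.
"""
import hmac
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3  # the guide states lockout follows three failed attempts


@dataclass
class ClientState:
    granted_until: float = 0.0  # seconds since epoch; category open until then
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class UrlAdminOverride:
    password: str
    override_timeout_min: int = 15
    lockout_timeout_min: int = 30
    clients: dict = field(default_factory=dict)

    def _state(self, client_ip: str) -> ClientState:
        return self.clients.setdefault(client_ip, ClientState())

    def status(self, client_ip: str, now: float) -> str:
        """What a request to an override category gets: allowed, locked or prompt."""
        s = self._state(client_ip)
        if s.locked_until > now:
            return "locked"
        if s.granted_until > now:
            return "allowed"
        return "prompt"

    def submit_password(self, client_ip: str, attempt: str, now: float) -> str:
        """Handle one password submission from the override prompt."""
        s = self._state(client_ip)
        if s.locked_until > now:
            return "locked"
        # constant-time comparison, so a wrong guess leaks nothing through timing
        if hmac.compare_digest(attempt.encode(), self.password.encode()):
            s.failed_attempts = 0
            s.granted_until = now + self.override_timeout_min * 60
            return "allowed"
        s.failed_attempts += 1
        if s.failed_attempts >= MAX_FAILED_ATTEMPTS:
            s.failed_attempts = 0
            s.locked_until = now + self.lockout_timeout_min * 60
            return "locked"
        return "prompt"
```

The status method is what a page load against an override category would consult; submit_password is what the 401 (transparent mode) or the redirected form (redirect mode) feeds. Shortening override_timeout_min narrows the window in which a walked-away session keeps the category open; raising lockout_timeout_min slows password guessing.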


Step 3: (Redirect mode only) Create a Layer 3 interface to which to redirect web requests to sites in a category configured for override.
    1. Create a management profile to enable the interface to display the URL Filtering Continue and Override Page response page:
       a. Select Network > Interface Mgmt and click Add.
       b. Enter a Name for the profile, select Response Pages, and then click OK.
    2. Create the Layer 3 interface. Be sure to attach the management profile you just created (on the Advanced > Other Info tab of the Ethernet Interface dialog).

Step 4: (Redirect mode only) To transparently redirect users without displaying certificate errors, install a certificate that matches the IP address of the interface to which you are redirecting web requests to a site in a URL category configured for override. You can either generate a self-signed certificate or import a certificate that is signed by an external CA.
    To use a self-signed certificate, you must first create a root CA certificate and then use that CA to sign the certificate you will use for URL admin override as follows:
    1. To create a root CA certificate, select Device > Certificate Management > Certificates > Device Certificates and then click Generate. Enter a Certificate Name, such as RootCA. Do not select a value in the Signed By field (this is what indicates that it is self-signed). Make sure you select the Certificate Authority check box and then click Generate to generate the certificate.
    2. To create the certificate to use for URL admin override, click Generate. Enter a Certificate Name and enter the DNS hostname or IP address of the interface as the Common Name. In the Signed By field, select the CA you created in the previous step. Add an IP address attribute and specify the IP address of the Layer 3 interface to which you will be redirecting web requests to URL categories that have the override action.
    3. Generate the certificate.
    4. To configure clients to trust the certificate, select the CA certificate on the Device Certificates tab and click Export. You must then import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory Group Policy Object (GPO).

Step 5: Specify which URL categories require an override password to enable access.
    1. Select Objects > URL Filtering and either select an existing URL filtering profile or Add a new one.
    2. On the Categories tab, set the Action to override for each category that requires a password.
    3. Complete any remaining sections on the URL filtering profile and then click OK to save the profile.

Step 6: Apply the URL Filtering profile to the security policy rule(s) that allow access to the sites requiring password override for access.
    1. Select Policies > Security and select the appropriate security policy to modify it.
    2. Select the Actions tab and, in the Profile Setting section, click the drop-down for URL Filtering and select the profile.
    3. Click OK to save.

Step 7: Save the configuration.
    Click Commit.


Enable Safe Search Enforcement
Many search engines have a safe search setting that filters out adult images and videos for search query return traffic. You can configure Safe Search Enforcement on the Palo Alto Networks next-generation firewall to prevent search requests that do not have the strictest safe search settings enabled.
Note: The Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address is not compatible with Safe Search Enforcement on the firewall.
There are two ways to enforce Safe Search on the firewall:
- Block Search Results that are not Using Strict Safe Search Settings
- Enable Transparent Safe Search Enforcement

Block Search Results that are not Using Strict Safe Search Settings
By default, when you enable safe search enforcement and a user attempts to perform a search without using the strictest safe search settings, the firewall will block the search query results and display the URL Filtering Safe Search Block Page. This page provides a link to the search settings page for the corresponding search provider so that the end user can enable the safe search settings. If you plan to use this default method for enforcing safe search, you should communicate the policy to your end users prior to deploying the policy. See Table: Search Provider Safe Search Settings for details on how each search provider implements safe search. The default URL Filtering Safe Search Block Page provides a link to the search settings for the corresponding search provider. You can optionally Customize the URL Filtering Response Pages.
Alternatively, to enable safe search enforcement so that it is transparent to your end users, configure the firewall to Enable Transparent Safe Search Enforcement.


Enable Safe Search Enforcement

Step 1: Enable Safe Search Enforcement in the URL Filtering profile.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Select an existing profile to modify, or clone the default profile to create a new profile.
    3. On the Settings tab, select the Safe Search Enforcement check box to enable it.
    4. (Optional) Restrict users to specific search engines:
       a. On the Categories tab, set the search-engines category to block.
       b. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
          www.google.com
          www.bing.com
    5. Configure other settings as necessary to:
       - Define how to control access to web content.
       - Define websites that should always be blocked or allowed.
    6. Click OK to save the profile.

Step 2: Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
    1. Select Policies > Security and select a rule to which to apply the URL filtering profile that you just enabled for Safe Search Enforcement.
    2. On the Actions tab, select the URL Filtering profile.
    3. Click OK to save the security policy rule.

Step 3: Enable SSL Forward Proxy decryption. Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
    1. Add a custom URL category for the search sites:
       a. Select Objects > Custom Objects > URL Category and Add a custom category.
       b. Enter a Name for the category, such as SearchEngineDecryption.
       c. Add the following to the Sites list:
          www.bing.*
          www.google.*
          search.yahoo.*
       d. Click OK to save the custom URL category object.
    2. Follow the steps to Configure SSL Forward Proxy.
    3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.


Step 4: (Optional, but recommended) Block Bing search traffic running over SSL. Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement, you must deny all Bing sessions that run over SSL.
    1. Add a custom URL category for Bing:
       a. Select Objects > Custom Objects > URL Category and Add a custom category.
       b. Enter a Name for the category, such as EnableBingSafeSearch.
       c. Add the following to the Sites list:
          www.bing.com/images/*
          www.bing.com/videos/*
       d. Click OK to save the custom URL category object.
    2. Create another URL filtering profile to block the custom category you just created:
       a. Select Objects > Security Profiles > URL Filtering.
       b. Add a new profile and give it a descriptive Name.
       c. Locate the custom category in the Category list and set it to block.
       d. Click OK to save the URL filtering profile.
    3. Add a security policy rule to block Bing SSL traffic:
       a. Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
       b. On the Actions tab, attach the URL filtering profile you just created to block the custom Bing category.
       c. On the Service/URL Category tab, Add a New Service and give it a descriptive Name, such as bingssl.
       d. Select TCP as the Protocol and set the Destination Port to 443.
       e. Click OK to save the rule.
       f. Use the Move options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.

Step 5: Save the configuration.
    Click Commit.


Step 6: Verify the Safe Search Enforcement configuration.
    Note: This verification step only works if you are using block pages to enforce safe search. If you are using transparent safe search enforcement, the firewall block page will invoke a URL rewrite with the safe search parameters in the query string.
    1. From a computer that is behind the firewall, disable the strict search settings for one of the supported search providers. For example, on bing.com, click the Preferences icon on the Bing menu bar.
    2. Set the SafeSearch option to Moderate or Off and click Save.
    3. Perform a Bing search and verify that the URL Filtering Safe Search Block page displays instead of the search results.
    4. Use the link in the block page to go to the search settings for the search provider and set the safe search setting back to the strictest setting (Strict in the case of Bing) and then click Save.
    5. Perform a search again from Bing and verify that the filtered search results display instead of the block page.
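The decision the firewall makes in this verification (is the decrypted search request already using the strictest setting, and if not, block it or, in transparent mode, rewrite its query string) can be shown on sample URLs. The following is an added example, not PAN-OS code and not the guide's response-page script. Its host patterns mirror the custom URL category from Step 3 (www.google.*, www.bing.*, search.yahoo.*); the query parameter names and strict values are assumptions drawn from the providers' public parameters, not values stated in the guide.

```python
"""Strict safe search check and transparent rewrite for search URLs.

Added example, not PAN-OS code and not the guide's response-page script. It
shows the two decisions behind the feature: whether a search request already
carries the provider's strictest safe search setting (the default mode blocks
it otherwise) and what the transparent mode's rewrite of the query string
looks like. The query parameter names and strict values are assumptions, not
values stated in the guide.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# host prefix -> (query parameter, strictest value); assumed, see lead-in
STRICT_PARAMS = {
    "www.google.": ("safe", "active"),
    "www.bing.": ("adlt", "strict"),
    "search.yahoo.": ("vm", "r"),
}


def provider_params(host: str):
    """Return (param, strict_value) for a supported search host, else None."""
    host = host.lower()
    for prefix, params in STRICT_PARAMS.items():
        if host.startswith(prefix):
            return params
    return None


def is_strict_search(url: str) -> bool:
    """True unless url is a supported search request lacking the strictest setting."""
    parts = urlsplit(url)
    params = provider_params(parts.hostname or "")
    if params is None:
        return True  # not a search request this check applies to
    name, strict_value = params
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    return query.get(name) == strict_value


def rewrite_strict(url: str) -> str:
    """Replace or add the safe search parameter so the request is strict."""
    parts = urlsplit(url)
    params = provider_params(parts.hostname or "")
    if params is None:
        return url
    name, strict_value = params
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != name]
    query.append((name, strict_value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def enforce(url: str, transparent: bool = False) -> tuple:
    """Decision for one decrypted search request.

    Returns ("allow", url), ("block", url) for the block-page mode, or
    ("rewrite", new_url) for transparent enforcement.
    """
    if is_strict_search(url):
        return ("allow", url)
    if transparent:
        return ("rewrite", rewrite_strict(url))
    return ("block", url)
```

Because the parameter lives in the query string of an HTTPS request, none of this is visible without the SSL Forward Proxy decryption from Step 3; without decryption the firewall sees only the hostname.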

Enable Transparent Safe Search Enforcement
If you want to enforce filtering of search query results with the strictest safe search filters, but you don't want your end users to have to manually configure the settings, you can enable transparent safe search enforcement as follows. This functionality is supported on Google, Yahoo, and Bing search engines only and requires Content Release version 475 or later.

Enable Transparent Safe Search Enforcement

Step 1: Make sure the firewall is running Content Release version 475 or later.
    1. Select Device > Dynamic Updates.
    2. Check the Applications and Threats section to determine what update is currently running.
    3. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
    4. Locate the required update and click Download.
    5. After the download completes, click Install.


Step 1: Enable Safe Search Enforcement in the URL Filtering profile.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Select an existing profile to modify, or clone the default profile to create a new one.
    3. On the Settings tab, select the Safe Search Enforcement check box to enable it.
    4. (Optional) Allow access to specific search engines only:
       a. On the Categories tab, set the search-engines category to block.
       b. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
          www.google.com
          www.bing.com
    5. Configure other settings as necessary to:
       - Define how to control access to web content.
       - Define websites that should always be blocked or allowed.
    6. Click OK to save the profile.

Step 2: Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
    1. Select Policies > Security and select a rule to which to apply the URL filtering profile that you just enabled for Safe Search Enforcement.
    2. On the Actions tab, select the URL Filtering profile.
    3. Click OK to save the security policy rule.

Step 4: (Optional, but recommended) Block Bing search traffic running over SSL. Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement you must deny all Bing sessions that run over SSL.
1. Add a custom URL category for Bing:
   a. Select Objects > Custom Objects > URL Category and Add a custom category.
   b. Enter a Name for the category, such as EnableBingSafeSearch.
   c. Add the following to the Sites list:
      www.bing.com/images/*
      www.bing.com/videos/*
   d. Click OK to save the custom URL category object.
2. Create another URL filtering profile to block the custom category you just created:
   a. Select Objects > Security Profiles > URL Filtering.
   b. Add a new profile and give it a descriptive Name.
   c. Locate the custom category you just created in the Category list and set it to block.
   d. Click OK to save the URL filtering profile.
3. Add a security policy rule to block Bing SSL traffic:
   a. Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
   b. On the Actions tab, attach the URL filtering profile you just created to block the custom Bing category.
   c. On the Service/URL Category tab, Add a New Service and give it a descriptive Name, such as bingssl.
   d. Select TCP as the Protocol and set the Destination Port to 443.
   e. Click OK to save the rule.
   f. Use the Move options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.

Step 5: Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently. For a script that you can copy and paste, use the script shown in substep 3.
1. Select Device > Response Pages > URL Filtering Safe Search Block Page.
2. Select Predefined and then click Export to save the file locally.
3. Use an HTML editor and replace all of the existing block page text with the following text and then save the file:

<html>
<head>
<title>Search Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta name="viewport" content="initial-scale=1.0">
<style>
#content {
border:3px solid #aaa;
background-color:#fff;
margin:1.5em;
padding:1.5em;
font-family:Tahoma,Helvetica,Arial,sans-serif;
font-size:1em;
}
h1 {
font-size:1.3em;
font-weight:bold;
color:#196390;
}
b {
font-weight:normal;
color:#196390;
}
</style>
</head>
<body bgcolor="#e7e8e9">
<h1>Search Blocked</h1>
<p><b>User:</b> <user/> </p>
<p>Your search results have been blocked because your search settings are not in accordance with company policy. In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
<p>For more information, please refer to: <a href="<ssurl/>"><ssurl/></a></p>
<p id="java_off"> Please enable JavaScript in your browser.<br></p>
<p><b>Please contact your system administrator if you believe this message is in error.</b></p>
</body>
<script>
// Grab the URL that's in the browser.
var s_u = location.href;
// bing
// Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a
// non-greedy slash. Hopefully the first forward slash.
var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
if (b_a) {
s_u = s_u + "&adlt=strict";
window.location.replace(s_u);
document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
// google
// Matches the forward slashes in the beginning, anything, then ".google." then anything followed by a
// non-greedy slash. Hopefully the first forward slash.
var g_a = /^.*\/\/(.+\.google\..+?)\//.exec(s_u);
if (g_a) {
s_u = s_u.replace(/&safe=off/ig,"");
s_u = s_u + "&safe=active";
window.location.replace(s_u);
document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
// yahoo
// Matches the forward slashes in the beginning, anything, then ".yahoo." then anything followed by a
// non-greedy slash. Hopefully the first forward slash.
var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
if (y_a) {
s_u = s_u.replace(/&vm=p/ig,"");
s_u = s_u + "&vm=r";
window.location.replace(s_u);
document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
// No supported search engine matched: clear the JavaScript notice and leave the block page displayed.
document.getElementById("java_off").innerHTML = ' ';
</script>
</html>
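As an added example that is not part of the block page script above, the following standalone function performs the same rewrite with the WHATWG URL API instead of string concatenation. It replaces an existing conflicting value (such as safe=off) rather than appending a second copy of the parameter, it works whether or not the URL already carries a query string, and it returns null when the strict value is already present so a block page served for such a URL never redirects to itself. The engine table and the rule that the engine is recognized by a hostname label (www.bing.com, www.google.co.uk, search.yahoo.com) are assumptions constructed for this example from the three engines the page's script handles.

```javascript
// Added example, not the block page script above: rewrite a search URL so the
// engine's strict safe-search parameter is present, using the WHATWG URL API.
// Returns the rewritten URL, or null when no redirect should happen (unknown
// engine, unparsable URL, or the strict value is already set).
// The engine table is constructed from the three engines the page's script
// handles; the parameter names and values are the ones that script uses.
const SAFE_SEARCH_PARAMS = {
  bing:   { param: 'adlt', value: 'strict' },
  google: { param: 'safe', value: 'active' },
  yahoo:  { param: 'vm',   value: 'r' },
};

// Assumption (mirrors the page's ".bing." style regex): the engine is identified
// by a hostname label, e.g. www.bing.com, www.google.co.uk, search.yahoo.com.
function engineFor(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return Object.keys(SAFE_SEARCH_PARAMS).find((name) => labels.includes(name)) || null;
}

function enforceSafeSearch(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // not an absolute URL; nothing to rewrite
  }
  const engine = engineFor(url.hostname);
  if (engine === null) return null;
  const { param, value } = SAFE_SEARCH_PARAMS[engine];
  // Already strict: do not redirect again, otherwise a block page served for a
  // URL that already carries the strict parameter would redirect to itself.
  if (url.searchParams.get(param) === value) return null;
  // set() replaces an existing value such as safe=off in place and appends the
  // parameter when it is absent, so no "&" is ever concatenated by hand.
  url.searchParams.set(param, value);
  return url.toString();
}

// Browser usage inside a block page's <script> (the page's own script does the
// equivalent with string concatenation):
//   const target = enforceSafeSearch(location.href);
//   if (target !== null) window.location.replace(target);
```

Because the function is pure, it can be exercised in Node with a handful of URLs before being pasted into a response page; in the browser the only call needed is the one shown in the trailing comment.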

Step 6: Import the edited URL Filtering Safe Search Block page onto the firewall.
1. To import the edited block page, select Device > Response Pages > URL Filtering Safe Search Block Page.
2. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
3. (Optional) Select the virtual system on which this block page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
4. Click OK to import the file.

Step 7: Enable SSL Forward Proxy decryption. Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
1. Add a custom URL category for the search sites:
   a. Select Objects > Custom Objects > URL Category and Add a custom category.
   b. Enter a Name for the category, such as SearchEngineDecryption.
   c. Add the following to the Sites list:
      www.bing.*
      www.google.*
      search.yahoo.*
   d. Click OK to save the custom URL category object.
2. Follow the steps to Configure SSL Forward Proxy.
3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.

Step 8: Save the configuration.
Click Commit.


Set Up the PAN-DB Private Cloud
Use the following section to deploy one or more M-500 appliances as a PAN-DB private cloud within your network or data center and Configure the Firewalls to Access the PAN-DB Private Cloud.

Set up the PAN-DB Private Cloud
Step 1: Rack mount the M-500 appliance. Refer to the M-500 Hardware Reference Guide for instructions.

Step 2: Register the M-500 appliance. For instructions on registering the M-500 appliance, see Register the Firewall.

Step 3: Perform Initial Configuration of the M-500 Appliance.
The M-500 appliance in PAN-DB mode uses two ports, MGT (Eth0) and Eth1; Eth2 is not used in PAN-DB mode. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud. For communication between the appliance (PAN-DB server) and the firewalls on the network, you can use the MGT port or Eth1.
1. Connect to the M-500 appliance in one of the following ways:
   Attach a serial cable from a computer to the Console port on the M-500 appliance and connect using terminal emulation software (9600-8-N-1).
   Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-500 appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, 192.168.1.2).
2. When prompted, log in to the appliance. Log in using the default username and password (admin/admin). The appliance will begin to initialize.
3. Configure the network access settings, including the IP address for the MGT interface:
   set deviceconfig system ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
   where <server-IP> is the IP address you want to assign to the management interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the primary DNS server.
4. Configure the network access settings, including the IP address for the Eth1 interface:
   set deviceconfig system eth1 ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
   where <server-IP> is the IP address you want to assign to the data interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
5. Save your changes to the PAN-DB server:
   commit

Step 4: Switch to PAN-DB private cloud mode.
1. To switch to PAN-DB mode, use the CLI command:
   request system system-mode pan-url-db
   You can switch from Panorama mode to PAN-DB mode and back, and from Panorama mode to Log Collector mode and back. Switching directly from PAN-DB mode to Log Collector mode or vice versa is not supported. When switching operational mode, a data reset is triggered. With the exception of management access settings, all existing configuration and logs will be deleted on restart.
2. Use the following command to verify that the mode is changed (the system-mode field should show Pan-URL-DB):
   show system info
   hostname: M-500
   ip-address: 1.2.3.4
   netmask: 255.255.255.0
   default-gateway: 1.2.3.1
   ipv6-address: unknown
   ipv6-link-local-address: fe80:00/64
   ipv6-default-gateway:
   mac-address: 00:56:90:e7:f6:8e
   time: Mon Apr 27 13:43:59 2015
   uptime: 10 days, 1:51:28
   family: m
   model: M-500
   serial: 0073010000xxx
   sw-version: 7.0.0
   app-version: 492-2638
   app-release-date: 2015/03/19 20:05:33
   av-version: 0
   av-release-date: unknown
   wf-private-version: 0
   wf-private-release-date: unknown
   logdb-version: 7.0.9
   platform-family: m
   pan-url-db: 20150417-220
   system-mode: Pan-URL-DB
   operational-mode: normal
3. Use the following command to check the version of the cloud database on the appliance:
   show pan-url-cloud-status
   Cloud status: Up
   URL database version: 20150417-220

Step 5: Install content and database updates.
The appliance only stores the currently running version of the content and one earlier version.
Pick one of the following methods of installing the content and database updates:
If the PAN-DB server has direct Internet access, use the following commands:
a. To check whether a new version is published, use:
   request pan-url-db upgrade check
b. To check the version that is currently installed on your server, use:
   request pan-url-db upgrade info
c. To download and install the latest version:
   request pan-url-db upgrade download latest
   request pan-url-db upgrade install <version latest | file>
d. To schedule the M-500 appliance to automatically check for updates:
   set deviceconfig system update-schedule pan-url-db recurring weekly action download-and-install day-of-week <day of week> at <hr:min>
If the PAN-DB server is offline, access the Palo Alto Networks Customer Support website to download and save the content updates to an SCP server on your network. You can then import and install the updates using the following commands:
   scp import pan-url-db remote-port <port-number> from username@host:path
   request pan-url-db upgrade install file <filename>

Step6

Setupadministrativeaccesstothe TosetupalocaladministrativeuseronthePANDBserver:
PANDBprivatecloud.
a. configure
b. set mgt-config users <username> permissions
Theappliancehasadefault
role-based <superreader | superuser> yes
adminaccount.Any
c. set mgt-config users <username> password
additionaladministrative
Enter password:xxxxx
usersthatyoucreatecan
eitherbesuperusers(with
Confirm password:xxxxx
fullaccess)orsuperusers
d. commit
withreadonlyaccess.
TosetupanadministrativeuserwithRADIUSauthentication:
PANDBprivatecloud
a. CreateRADIUSserverprofile.
doesnotsupporttheuseof
set shared server-profile radius
RADIUSVSAs.IftheVSAs
<server_profile_name> server <server_name>
usedonthefirewallor
ip-address <ip_address> port <port_no> secret
Panoramaareusedfor
<shared_password>
enablingaccesstothe
b. Createauthenticationprofile.
PANDBprivatecloud,an
set shared authentication-profile
authenticationfailurewill
<auth_profile_name> user-domain
occur.
<domain_name_for_authentication> allow-list <all>
method radius server-profile <server_profile_name>

c. Attachtheauthenticationprofiletotheuser.
set mgt-config users <username>
authentication-profile <auth_profile_name>

d. Committhechanges.
commit

Toviewthelistofusers:.
show mgt-config users
users {
admin {
phash fnRL/G5lXVMug;
permissions {
role-based {
superuser yes;
}
}
}
admin_user_2 {
permissions {
role-based {
superreader yes;
}
}
authentication-profile RADIUS;
}
}

Step7

ConfiguretheFirewallstoAccess
thePANDBPrivateCloud.


Configure the Firewalls to Access the PAN-DB Private Cloud
When using the PAN-DB public cloud, each firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect for URL lookups. With the PAN-DB private cloud, you must configure the firewalls with a (static) list of your PAN-DB private cloud servers that will be used for URL lookups. The list can contain up to 20 entries; IPv4 addresses, IPv6 addresses, and FQDNs are supported. Each entry on the list (IP address or FQDN) must be assigned to the management port and/or eth1 of the PAN-DB server.

Configure the Firewalls to Access the PAN-DB Private Cloud
Step 1: Pick one of the following options based on the PAN-OS version on the firewall.
a. For firewalls running PAN-OS 7.0, access the PAN-OS CLI or the web interface on the firewall.
   Use the following CLI command to configure access to the private cloud:
   set deviceconfig setting pan-url-db cloud-static-list <IP addresses> enable
   Or, in the web interface for each firewall:
   1. Select Device > Setup > Content-ID and edit the URL Filtering section.
   2. Enter the PAN-DB Server IP address(es) or FQDN(s). The list must be comma separated.
b. For firewalls running PAN-OS 5.0, 6.0, or 6.1, use the following CLI command to configure access to the private cloud:
   debug device-server pan-url-db cloud-static-list enable <IP addresses> enable

Step 2: Commit your changes.

Step 3: To verify that the change is effective, use the following CLI command on the firewall:
show url-cloud-status
Cloud status: Up
URL database version: 20150417-220

To delete the entries for the private PAN-DB servers and allow the firewalls to connect to the PAN-DB public cloud, use the command:
set deviceconfig setting pan-url-db cloud-static-list <IP addresses> disable
When you delete the list of private PAN-DB servers, a re-election process is triggered on the firewall. The firewall first checks for the list of PAN-DB private cloud servers and, when it cannot find one, the firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect.


URL Filtering Use Case Examples
The following use cases show how to use App-ID to control a specific set of web-based applications and how to use URL categories as match criteria in a policy. When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App-ID facebook-base is required to access the Facebook website and to control other Facebook applications. For example, to configure the firewall to control Facebook email, you would have to allow the App-IDs facebook-base and facebook-mail. As another example, if you search Applipedia (the App-ID database) for LinkedIn, you will see that in order to control LinkedIn mail, you need to apply the same action to both App-IDs: linkedin-base and linkedin-mail. To determine application dependencies for App-ID signatures, visit Applipedia, search for the given application, and then click the application for details.
The User-ID feature is required to implement policies based on users and groups, and a Decryption policy is required to identify and control websites that are encrypted using SSL/TLS.

This section includes two use cases:
Use Case: Control Web Access
Use Case: Use URL Categories for Policy Matching

Use Case: Control Web Access
When using URL filtering to control user website access, there may be instances where granular control is required for a given website. In this use case, a URL filtering profile is applied to the security policy that allows web access for your users and the social-networking URL category is set to block, but the allow list in the URL profile is configured to allow the social networking site Facebook. To further control Facebook, the company policy also states that only marketing has full access to Facebook and all other users within the company can only read Facebook posts and cannot use any other Facebook applications, such as email, posting, chat, and file sharing. To accomplish this requirement, App-ID must be used to provide granular control over Facebook.
The first security rule will allow marketing to access the Facebook website as well as all Facebook applications. Because this allow rule will also allow access to the Internet, threat prevention profiles are applied to the rule, so traffic that matches the policy will be scanned for threats. This is important because the allow rule is terminal and will not continue to check other rules if there is a traffic match.
Control Web Access
Step 1: Confirm that URL filtering is licensed.
1. Select Device > Licenses and confirm that a valid date appears for the URL filtering database that will be used. This will either be PAN-DB or BrightCloud.
2. If a valid license is not installed, see Enable PAN-DB URL Filtering.

Step 2: Confirm that User-ID is working. User-ID is required to create policies based on users and groups.
1. To check User Mapping from the CLI, enter the following command:
   show user ip-user-mapping-mp all
2. To check Group Mapping from the CLI, enter the following command:
   show user group-mapping statistics
3. If statistics do not appear and/or IP address-to-user mapping information is not displayed, see User-ID.

Step 3: Set up a URL filtering profile by cloning the default profile.
1. Select Objects > Security Profiles > URL Filtering and select the default profile.
2. Click the Clone icon. A new profile should appear named default-1.
3. Select the new profile and rename it.

Step 4: Configure the URL filtering profile to block social networking and allow Facebook.
1. Modify the new URL filtering profile: in the Category list scroll to social-networking and in the Action column click on allow and change the action to block.
2. In the Allow List, enter facebook.com, press enter to start a new line and then type *.facebook.com. Both of these formats are required, so all URL variants a user may use will be identified, such as facebook.com, www.facebook.com, and https://facebook.com.
3. Click OK to save the profile.

Step 5: Apply the new URL filtering profile to the security policy rule that allows web access from the user network to the Internet.
1. Select Policies > Security and click on the policy rule that allows web access.
2. On the Actions tab, select the URL profile you just created from the URL Filtering drop-down.
3. Click OK to save.

Step 6: Create the security policy rule that will allow marketing to access the Facebook website and all Facebook applications. This rule must precede other rules because:
It is a specific rule. More specific rules must precede other rules.
The allow rule will terminate rule processing when a traffic match occurs.
1. Select Policies > Security and click Add.
2. Enter a Name and optionally a Description and Tag(s).
3. On the Source tab, add the zone where the users are connected.
4. On the User tab, in the Source User section, click Add.
5. Select the directory group that contains your marketing users.
6. On the Destination tab, select the zone that is connected to the Internet.
7. On the Applications tab, click Add and add the facebook App-ID signature.
8. On the Actions tab, add the default profiles for Antivirus, Vulnerability Protection, and Anti-Spyware.
9. Click OK to save the security policy rule.
The facebook App-ID signature used in this policy rule encompasses all Facebook applications, such as facebook-base, facebook-chat, and facebook-mail, so this is the only App-ID signature required in this rule.
With this rule in place, when a marketing employee attempts to access the Facebook website or any Facebook application, the rule matches based on the user being part of the marketing group. For traffic from any user outside of marketing, the rule will be skipped because there would not be a traffic match, and rule processing would continue.

Step 7: Configure the security policy to block all other users from using any Facebook applications other than simple web browsing. The easiest way to do this is to clone the marketing allow policy and then modify it.
1. From Policies > Security, click the marketing Facebook allow policy you created earlier to highlight it and then click the Clone icon.
2. Enter a Name and optionally enter a Description and Tag(s).
3. On the User tab, highlight the marketing group and delete it, and in the drop-down select any.
4. On the Applications tab, click the facebook App-ID signature and delete it.
5. Click Add and add the following App-ID signatures:
   facebook-apps
   facebook-chat
   facebook-file-sharing
   facebook-mail
   facebook-posting
   facebook-social-plugin
6. On the Actions tab, in the Action Setting section, select Deny. The profile settings should already be correct because this rule was cloned.
7. Click OK to save the security policy rule.
8. Ensure that this new deny rule is listed after the marketing allow rule, so that rule processing occurs in the correct order: allow marketing users first, and then deny/limit all other users.
9. Click Commit to save the configuration.

With these security policy rules in place, any user who is part of the marketing group will have full access to all Facebook applications, and any user that is not part of the marketing group will only have read-only access to the Facebook website and will not be able to use Facebook applications such as post, chat, email, and file sharing.


Use Case: Use URL Categories for Policy Matching
URL categories can also be used as match criteria in the following policy types: Captive Portal, Decryption, Security, and QoS. In this use case, URL categories will be used in Decryption policy rules to control which web categories should be decrypted or not decrypted. The first rule is a no-decrypt rule that will not decrypt user traffic if the website category is financial-services or health-and-medicine, and the second rule will decrypt all other traffic. The decryption policy type is ssl-forward-proxy, which is used for controlling decryption for all outbound connections performed by users.

Configure a Decryption Policy Based on URL Category
Step 1: Create the no-decrypt rule that will be listed first in the decryption policies list. This will prevent any website that is in the financial-services or health-and-medicine URL categories from being decrypted.
1. Select Policies > Decryption and click Add.
2. Enter a Name and optionally enter a Description and Tag(s).
3. On the Source tab, add the zone where the users are connected.
4. On the Destination tab, enter the zone that is connected to the Internet.
5. On the URL Category tab, click Add and select the financial-services and health-and-medicine URL categories.
6. On the Options tab, set the action to No Decrypt.
7. (Optional) Although the firewall does not decrypt and inspect the traffic for the session, you can attach a Decryption profile if you want to enforce checks on the server certificates used during the session. The decryption profile allows you to configure the firewall to terminate the SSL connection either when the server certificates are expired or when the server certificates are issued by an untrusted issuer.
8. Click OK to save the policy rule.

Step 2: Create the decryption policy rule that will decrypt all other traffic.
1. Select the no-decrypt policy you created previously and then click Clone.
2. Enter a Name and optionally enter a Description and Tag(s).
3. On the URL Category tab, select financial-services and health-and-medicine and then click the Delete icon.
4. On the Options tab, set the action to Decrypt and the Type to SSL Forward Proxy.
5. (Optional) Attach a Decryption profile to specify the server certificate verification, unsupported mode checks and failure checks for the SSL traffic. See Configure SSL Forward Proxy for more details.
6. Ensure that this new decryption rule is listed after the no-decrypt rule to ensure that rule processing occurs in the correct order, so websites in the financial-services and health-and-medicine categories are not decrypted.
7. Click OK to save the policy rule.

Step 3: (BrightCloud only) Enable cloud lookups for dynamically categorizing a URL when the category is not available in the local database on the firewall.
1. Access the CLI on the firewall.
2. Enter the following commands to enable Dynamic URL Filtering:
   a. configure
   b. set deviceconfig setting url dynamic-url yes
   c. commit

Step 4: Save the configuration.
Click Commit.

With these two decrypt policies in place, any traffic destined for the financial-services or health-and-medicine URL categories will not be decrypted. All other traffic will be decrypted.
Now that you have a basic understanding of the powerful features of URL filtering, App-ID, and User-ID, you can apply similar policies to your firewall to control any application in the Palo Alto Networks App-ID signature database and control any website contained in the URL filtering database.
For help in troubleshooting URL filtering issues, see Troubleshoot URL Filtering.
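Both use cases above turn on first-match rule processing: the marketing allow rule has to sit above the deny rule that limits everyone else, and the no-decrypt rule has to sit above the decrypt-everything rule. The following evaluator is an added example, not PAN-OS code; its rule shape (group, app, category, each either 'any' or a list) and the two sample rule bases are constructed to mirror the use cases, and the shadow check is a simplified one that flags a rule whose every criterion is covered by an earlier rule. It shows what happens to a marketing user's facebook-mail session, or to a financial-services site, when the rules are swapped.

```javascript
// Added example (not PAN-OS code): a first-match policy evaluator modelling the
// rule-ordering point of the two use cases. Rule shape and sample rule bases are
// constructed for this example and are far simpler than real PAN-OS matching.
const CRITERIA = ['group', 'app', 'category'];

// A rule matches a session when every criterion is 'any' or lists the session value.
function ruleMatches(rule, session) {
  return CRITERIA.every((k) => rule[k] === 'any' || rule[k].includes(session[k]));
}

// First-match evaluation: the first matching rule is terminal; later rules are not consulted.
function evaluate(rules, session) {
  for (const rule of rules) {
    if (ruleMatches(rule, session)) return { rule: rule.name, action: rule.action };
  }
  return { rule: 'default', action: 'deny' };
}

// Rule a covers rule b when every session b could match is also matched by a.
function covers(a, b) {
  return CRITERIA.every((k) =>
    a[k] === 'any' || (b[k] !== 'any' && b[k].every((v) => a[k].includes(v))));
}

// Names of rules that can never be reached because an earlier rule covers them.
function shadowedRules(rules) {
  return rules
    .filter((rule, i) => rules.slice(0, i).some((earlier) => covers(earlier, rule)))
    .map((rule) => rule.name);
}

// Returns a copy of the rule base with rules i and j exchanged.
function swapped(rules, i, j) {
  const copy = rules.slice();
  [copy[i], copy[j]] = [copy[j], copy[i]];
  return copy;
}

const FACEBOOK_APPS = ['facebook-apps', 'facebook-chat', 'facebook-file-sharing',
  'facebook-mail', 'facebook-posting', 'facebook-social-plugin'];

// Security rule base from "Use Case: Control Web Access" (constructed).
const securityRules = [
  { name: 'marketing-facebook', group: ['marketing'],
    app: ['facebook-base', ...FACEBOOK_APPS], category: 'any', action: 'allow' },
  { name: 'deny-facebook-apps', group: 'any',
    app: FACEBOOK_APPS, category: 'any', action: 'deny' },
  { name: 'allow-web', group: 'any',
    app: ['web-browsing', 'facebook-base'], category: 'any', action: 'allow' },
];

// Decryption rule base from "Use Case: Use URL Categories for Policy Matching" (constructed).
const decryptionRules = [
  { name: 'no-decrypt-sensitive', group: 'any', app: 'any',
    category: ['financial-services', 'health-and-medicine'], action: 'no-decrypt' },
  { name: 'decrypt-everything-else', group: 'any', app: 'any',
    category: 'any', action: 'decrypt' },
];
```

With the rule bases in the documented order, evaluate() allows facebook-mail for a marketing user and denies it for anyone else, and shadowedRules() reports nothing; swapping the first two security rules makes the deny rule win for marketing, and swapping the two decryption rules leaves the no-decrypt rule unreachable, which is exactly the ordering mistake the "Ensure that this rule is listed after ..." substeps guard against.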


Troubleshoot URL Filtering
The following topics provide troubleshooting guidelines for diagnosing and resolving common URL filtering problems.
Problems Activating PAN-DB
PAN-DB Cloud Connectivity Issues
URLs Classified as Not-Resolved
Incorrect Categorization
URL Database Out of Date

Problems Activating PAN-DB
The following table describes procedures that you can use to resolve issues with activating PAN-DB.
Troubleshoot PAN-DB Activation Issues
Step 1: Access the PAN-OS CLI.
Step 2: Verify whether PAN-DB has been activated by running the following command:
admin@PA-200> show system setting url-database
If the response is paloaltonetworks, then PAN-DB is the active vendor.
Step 3: Verify that the firewall has a valid PAN-DB license by running the following command:
admin@PA-200> request license info
You should see the license entry Feature: PAN_DB URL Filtering. If the license is not installed, you will need to obtain and install a license. See Configure URL Filtering.
Step 4: After the license is installed, download a new PAN-DB seed database by running the following command:
admin@PA-200> request url-filtering download paloaltonetworks region <region>
Check the download status by running the following command:
admin@PA-200> request url-filtering download status vendor paloaltonetworks
If the message is different from PAN-DB download: Finished successfully, stop here; there may be a problem connecting to the cloud. Attempt to solve the connectivity issue by performing basic network troubleshooting between the firewall and the Internet. For more information, see PAN-DB Cloud Connectivity Issues.
If the message is PAN-DB download: Finished successfully, the firewall successfully downloaded the URL seed database. Try to enable PAN-DB again by running the following command:
admin@PA-200> set system setting url-database paloaltonetworks
If the problems persist, contact Palo Alto Networks Customer Support.


PAN-DB Cloud Connectivity Issues
To check cloud connectivity, run the following command:
admin@pa-200> show url-cloud status
If the cloud is accessible, the expected response is similar to the following:
admin@PA-200> show url-cloud status
PAN-DB URL Filtering
License : valid
Current cloud server : s0000.urlcloud.paloaltonetworks.com
Cloud connection : connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
If the cloud is not accessible, the expected response is similar to the following:
admin@PA-200> show url-cloud status
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible


The following table describes procedures that you can use to resolve issues based on the output of the show url-cloud status command, how to ping the URL cloud servers, and what to check if the firewall is in a High Availability (HA) configuration.
Troubleshoot Cloud Connectivity Issues
PAN-DB URL Filtering license field shows invalid: Obtain and install a valid PAN-DB license.
URL database status is out of date: Download a new seed database by running the following command:
admin@pa-200> request url-filtering download paloaltonetworks region <region>
URL protocol version shows not compatible: Upgrade PAN-OS to the latest version.
Attempt to ping the PAN-DB cloud server from the firewall by running the following command:
admin@pa-200> ping source <ip-address> host s0000.urlcloud.paloaltonetworks.com
For example, if your management interface IP address is 10.1.1.5, run the following command:
admin@pa-200> ping source 10.1.1.5 host s0000.urlcloud.paloaltonetworks.com
If the firewall is in an HA configuration, verify that the HA state of the firewalls supports connectivity to the cloud systems. You can determine the HA state by running the following command:
admin@pa-200> show high-availability state
Connection to the cloud will be blocked if the firewall is not in one of the following states:
active
active-primary
active-secondary
If the problem persists, contact Palo Alto Networks support.
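As an added example (not PAN-OS code), the following parser reads show url-cloud status output and maps the fields named in the table above to their remediation, and also implements the HA-state check. The two sample outputs are constructed for this example and mirror the fields the page shows; the parser accepts the value either on the same line as the field name or on the line after it, so it works on both the CLI's own layout and a copy that has been reflowed.

```javascript
// Added example (not PAN-OS code): parse "show url-cloud status" output and
// return the remediation steps from the troubleshooting table, plus the HA check.
// Field names are matched case-insensitively; the value may be on the same line
// as the name or on the following line.
function parseCloudStatus(text) {
  const fields = {};
  let pending = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    // A field name starts with a letter; a bare value such as "13:20:51 )" does not.
    const m = line.match(/^([A-Za-z][A-Za-z0-9 \-\/]*?)\s*:\s*(.*)$/);
    if (m) {
      const key = m[1].trim().toLowerCase();
      if (m[2] !== '') {
        fields[key] = m[2].trim();
        pending = null;
      } else {
        pending = key; // the value is on the next line
      }
    } else if (pending !== null) {
      fields[pending] = line;
      pending = null;
    }
  }
  return fields;
}

// One remediation per failing field, in the order the table lists them.
function diagnoseCloudStatus(fields) {
  const actions = [];
  if ((fields['license'] || '').toLowerCase() !== 'valid') {
    actions.push('Obtain and install a valid PAN-DB license.');
  }
  if (/out of date/i.test(fields['url database status'] || '')) {
    actions.push('Download a new seed database: request url-filtering download paloaltonetworks region <region>');
  }
  if (/not compatible/i.test(fields['protocol compatibility status'] || '')) {
    actions.push('Upgrade PAN-OS to the latest version.');
  }
  if ((fields['cloud connection'] || '').toLowerCase() !== 'connected') {
    actions.push('Cloud connection is down: ping s0000.urlcloud.paloaltonetworks.com from the management interface and check the HA state.');
  }
  return actions;
}

// HA states in which the firewall is allowed to reach the cloud (from the table above).
const CLOUD_CAPABLE_HA_STATES = ['active', 'active-primary', 'active-secondary'];
function haStateAllowsCloud(state) {
  return CLOUD_CAPABLE_HA_STATES.includes(state.trim().toLowerCase());
}

// Constructed sample outputs in the CLI's one-line-per-field layout.
const SAMPLE_HEALTHY = `PAN-DB URL Filtering
  License :                        valid
  Current cloud server :           s0000.urlcloud.paloaltonetworks.com
  Cloud connection :               connected
  URL database version - device :  2013.11.18.000
  URL database version - cloud :   2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
  URL database status :            good
  URL protocol version - device :  pan/0.0.2
  URL protocol version - cloud :   pan/0.0.2
  Protocol compatibility status :  compatible`;

const SAMPLE_BROKEN = `PAN-DB URL Filtering
  License :                        valid
  Cloud connection :               not connected
  URL database version - device :  2013.08.01.000
  URL database version - cloud :   2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
  URL database status :            out of date
  URL protocol version - device :  pan/0.0.2
  URL protocol version - cloud :   pan/0.0.2
  Protocol compatibility status :  compatible`;
```

Feeding SAMPLE_BROKEN through parseCloudStatus() and diagnoseCloudStatus() yields two actions, the seed re-download and the connectivity check, in the order the table gives them; SAMPLE_HEALTHY yields none. A firewall in the passive HA state fails haStateAllowsCloud(), which is the case the table tells you to look for when the ping succeeds but the cloud connection still shows not connected.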

URLs Classified as Not-Resolved
The following table describes procedures you can use to resolve issues where some or all of the URLs being identified by PAN-DB are classified as not-resolved:
Troubleshoot URLs Classified as Not-Resolved
Step 1: Check the PAN-DB cloud connection by running the following command:
admin@PA-200> show url-cloud status
The Cloud connection: field should show connected. If you see anything other than connected, any URL that does not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB Cloud Connectivity Issues.
Step 2: If the cloud connection status shows connected, check the current utilization of the firewall. If firewall utilization is spiking, URL requests may be dropped (may not reach the management plane) and will be categorized as not-resolved.
To view system resources, run the following command and view the %CPU and %MEM columns:
admin@PA-200> show system resources
You can also view system resources from the firewall's web interface by clicking the Dashboard tab and viewing the System Resources section.
Step 3: If the problem persists, contact Palo Alto Networks support.


Incorrect Categorization
The following steps describe the procedures you can use if you identify a URL that does not have the correct categorization. For example, if the URL paloaltonetworks.com was categorized as alcohol-and-tobacco, the categorization is not correct; the category should be computer-and-internet-info.

Troubleshoot Incorrect Categorization Issues

Step 1
Verify the category in the dataplane by running the following command:
admin@PA-200> show running url <URL>

For example, to view the category for the Palo Alto Networks website, run the following command:
admin@PA-200> show running url paloaltonetworks.com

If the URL stored in the dataplane cache has the correct category (computer-and-internet-info in this example), then the categorization is correct and no further action is required. If the category is not correct, continue to the next step.

Step 2
Verify the category in the management plane by running the following command:
admin@PA-200> test url-info-host <URL>

For example:
admin@PA-200> test url-info-host paloaltonetworks.com

If the URL stored in the management plane cache has the correct category, remove the URL from the dataplane cache by running the following command:
admin@PA-200> clear url-cache url <URL>

The next time the firewall requests the category for this URL, the request will be forwarded to the management plane. This will resolve the issue and no further action is required. If this does not solve the issue, go to the next step to check the URL category on the cloud systems.

Step 3
Verify the category in the cloud by running the following command:
admin@PA-200> test url-info-cloud <URL>

Step 4
If the URL stored in the cloud has the correct category, remove the URL from both the dataplane and the management plane caches.
Run the following command to delete a URL from the dataplane cache:
admin@PA-200> clear url-cache url <URL>

Run the following command to delete a URL from the management plane cache:
admin@PA-200> delete url-database url <URL>

The next time the firewall queries for the category of the given URL, the request will be forwarded to the management plane and then to the cloud. This should resolve the category lookup issue. If problems persist, see the next step to submit a categorization change request.

Step 5
To submit a change request from the web interface, go to the URL Filtering log and select the log entry for the URL you would like to have changed.

Step 6
Click the Request Categorization change link and follow the instructions. You can also request a category change from the Palo Alto Networks Test A Site website by searching for the URL and then clicking the Request Change icon. To view a list of all available categories with descriptions of each category, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
If your change request is approved, you will receive an email notification. You then have two options to ensure that the URL category is updated on the firewall:
- Wait until the URL in the cache expires; the next time the URL is accessed by a user, the new categorization will be put in the cache.
- Run the following command to force an update in the cache:
admin@PA-200> request url-filtering update url <URL>
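The cache layering behind these steps, as an added example that is not part of this guide and not Palo Alto Networks code: a small Python model of the dataplane cache sitting in front of the management plane cache, which in turn queries PAN-DB in the cloud, with methods standing in for the CLI commands above. The category strings and the stale-cache fault are constructed, and the plan_fix helper (a name introduced here) maps the three lookup results to the commands to run next. It shows why Step 2 alone cannot help when the management plane cache is also stale, and why Step 4 clears both tiers.

```python
# Added example, not Palo Alto Networks code. Models the two-tier URL category
# cache described in the Incorrect Categorization steps: dataplane cache in
# front of the management plane cache, which asks PAN-DB (the cloud) on a miss.
# Category strings and the stale-cache fault below are constructed sample data.


class UrlCategoryCache:
    """Two-tier lookup: dataplane cache -> management plane cache -> cloud."""

    def __init__(self, cloud):
        self.cloud = dict(cloud)      # authoritative PAN-DB answers (constructed)
        self.mgmt = {}                # management plane cache
        self.dataplane = {}           # dataplane cache
        self.cloud_queries = 0        # how often the cloud was actually asked

    def lookup(self, url):
        """Each tier asks the tier behind it only on a miss and stores the answer,
        so a stale management plane entry is copied straight back into the dataplane."""
        if url in self.dataplane:
            return self.dataplane[url]
        if url not in self.mgmt:
            self.cloud_queries += 1
            self.mgmt[url] = self.cloud.get(url, "unknown")
        self.dataplane[url] = self.mgmt[url]
        return self.dataplane[url]

    # Stand-ins for the CLI commands used on this page.
    def clear_url_cache(self, url):          # clear url-cache url <URL>
        self.dataplane.pop(url, None)

    def delete_url_database(self, url):      # delete url-database url <URL>
        self.mgmt.pop(url, None)


def plan_fix(url, expected, dataplane_cat, mgmt_cat, cloud_cat):
    """Turn the results of 'show running url', 'test url-info-host' and
    'test url-info-cloud' into the commands to run next (Steps 1 to 4).
    An empty list means the firewall already has the right answer."""
    if dataplane_cat == expected:
        return []
    if mgmt_cat == expected:
        return [f"clear url-cache url {url}"]
    if cloud_cat == expected:
        return [f"clear url-cache url {url}", f"delete url-database url {url}"]
    # No tier holds the right category: submit a categorization change request
    # (Steps 5 and 6) and, once it is approved, force the cache refresh.
    return [f"request url-filtering update url {url}"]


def demo():
    url = "paloaltonetworks.com"
    good, bad = "computer-and-internet-info", "alcohol-and-tobacco"
    cache = UrlCategoryCache(cloud={url: good})
    # Constructed fault: both on-box caches hold a stale, wrong category.
    cache.mgmt[url] = bad
    cache.dataplane[url] = bad

    cache.clear_url_cache(url)           # Step 2 alone...
    after_step2 = cache.lookup(url)      # ...repopulates from the stale mgmt plane

    cache.clear_url_cache(url)           # Step 4: clear both tiers
    cache.delete_url_database(url)
    after_step4 = cache.lookup(url)      # now forwarded through to the cloud
    return after_step2, after_step4, cache.cloud_queries


if __name__ == "__main__":
    print(demo())  # ('alcohol-and-tobacco', 'computer-and-internet-info', 1)
```

Wrap plan_fix around your own SSH session to the firewall: run the three show/test commands, pass their categories in, and execute whatever it returns in order.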


URL Database Out of Date
If you have observed through syslog or the CLI that PAN-DB is out of date, it means that the connection from the firewall to the URL cloud is blocked. This usually occurs when the URL database on the firewall is too old (the version difference is more than three months) and the cloud cannot update the firewall automatically. To resolve this issue, you will need to re-download an initial seed database from the cloud (this operation is not blocked). This will result in an automatic reactivation of PAN-DB.
To manually update the database, perform one of the following steps:
- From the web interface, select Device > Licenses and, in the PAN-DB URL Filtering section, click the Re-Download link.
- From the CLI, run the following command:
admin@PA-200> request url-filtering download paloaltonetworks region <region_name>

Re-downloading the seed database causes the URL cache in the management plane and dataplane to be purged. The management plane cache is then repopulated with the contents of the new seed database.


Quality of Service
Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to dependably run high-priority applications and traffic under limited network capacity. QoS technologies accomplish this by providing differentiated handling and capacity allocation to specific flows in network traffic. This enables the network administrator to assign the order in which traffic is handled and the amount of bandwidth afforded to traffic.
Palo Alto Networks Application Quality of Service (QoS) provides basic QoS applied to networks and extends it to provide QoS to applications and users.
Use the following topics to learn about and configure Palo Alto Networks application-based QoS:
- QoS Overview
- QoS Concepts
- Configure QoS
- Configure QoS for a Virtual System
- Enforce QoS Based on DSCP Classification
- QoS Use Cases

Use the Palo Alto Networks product comparison tool to view the QoS features supported on your firewall platform. Select two or more product platforms and click Compare Now to view QoS feature support for each platform (for example, you can check if your firewall platform supports QoS on subinterfaces and, if so, the maximum number of subinterfaces on which QoS can be enabled).
QoS on Aggregate Ethernet (AE) interfaces is supported on PA-7000 Series, PA-5000 Series, PA-3000 Series, and PA-2000 Series firewalls running PAN-OS 7.0 or later release versions.


QoS Overview
Use QoS to prioritize and adjust quality aspects of network traffic. You can assign the order in which packets are handled and allot bandwidth, ensuring that preferred treatment and optimal levels of performance are afforded to selected traffic, applications, and users.
Service quality measurements subject to a QoS implementation are bandwidth (maximum rate of transfer), throughput (actual rate of transfer), latency (delay), and jitter (variance in latency). The capability to shape and control these service quality measurements makes QoS of particular importance to high-bandwidth, real-time traffic such as voice over IP (VoIP), video conferencing, and video on demand, which has a high sensitivity to latency and jitter. Additionally, use QoS to achieve outcomes such as the following:
- Prioritize network and application traffic, guaranteeing high priority to important traffic or limiting nonessential traffic.
- Achieve equal bandwidth sharing among different subnets, classes, or users in a network.
- Allocate bandwidth externally or internally or both, applying QoS to both upload and download traffic or to only upload or download traffic.
- Ensure low latency for customer and revenue-generating traffic in an enterprise environment.
- Perform traffic profiling of applications to ensure bandwidth usage.

QoS implementation on a Palo Alto Networks firewall begins with three primary configuration components that support a full QoS solution: a QoS Profile, a QoS Policy, and setting up the QoS Egress Interface. Each of these options in the QoS configuration task facilitates a broader process that optimizes and prioritizes the traffic flow and allocates and ensures bandwidth according to configurable parameters.
The figure QoS Traffic Flow shows traffic as it flows from the source, is shaped by the firewall with QoS enabled, and is ultimately prioritized and delivered to its destination.

Figure: QoS Traffic Flow

The QoS configuration options allow you to control the traffic flow and define it at different points in the flow. The QoS Traffic Flow figure indicates where the configurable options define the traffic flow. A QoS policy rule allows you to define traffic you want to receive QoS treatment and assign that traffic a QoS class. The matching traffic is then shaped based on the QoS profile class settings as it exits the physical interface.
Each of the QoS configuration components influences the others, and the QoS configuration options can be used to create a full and granular QoS implementation or can be used sparingly with minimal administrator action.


Each firewall model supports a maximum number of ports that can be configured with QoS. Refer to the spec sheet for your firewall model or use the product comparison tool to view QoS feature support for two or more firewalls on a single page.


QoS Concepts
Use the following topics to learn about the different components and mechanisms of a QoS configuration on a Palo Alto Networks firewall:
- QoS for Applications and Users
- QoS Policy
- QoS Profile
- QoS Classes
- QoS Priority Queuing
- QoS Bandwidth Management
- QoS Egress Interface
- QoS for Clear Text and Tunneled Traffic

QoS for Applications and Users
A Palo Alto Networks firewall provides basic QoS, controlling traffic leaving the firewall according to network or subnet, and extends the power of QoS to also classify and shape traffic according to application and user. The Palo Alto Networks firewall provides this capability by integrating the features App-ID and User-ID with the QoS configuration. App-ID and User-ID entries that exist to identify specific applications and users in your network are available in the QoS configuration, so that you can easily specify applications and users for which you want to manage and/or guarantee bandwidth.

QoS Policy
Use a QoS policy rule to define traffic to receive QoS treatment (either preferential treatment or bandwidth limiting) and assign such traffic a QoS class of service.
Define a QoS policy rule to match traffic based on:
- Applications and application groups.
- Source zones, source addresses, and source users.
- Destination zones and destination addresses.
- Services and service groups limited to specific TCP and/or UDP port numbers.
- URL categories, including custom URL categories.
- Differentiated Services Code Point (DSCP) and Type of Service (ToS) values, which are used to indicate the level of service requested for traffic, such as high priority or best effort delivery.

Set up multiple QoS policy rules (Policies > QoS) to associate different types of traffic with different QoS classes of service.

QoS Profile
Use a QoS profile rule to define values for up to eight QoS classes contained within that single profile rule. With a QoS profile rule, you can define QoS Priority Queuing and QoS Bandwidth Management for QoS classes. Each QoS profile rule allows you to configure individual bandwidth and priority settings for up to eight QoS classes, as well as the total bandwidth allotted for the eight classes combined. Attach the QoS profile rule (or multiple QoS profile rules) to a physical interface to apply the defined priority and bandwidth settings to the traffic exiting that interface.
A default QoS profile rule is available on the firewall. The default profile rule and the classes defined in the profile do not have predefined maximum or guaranteed bandwidth limits.
To define priority and bandwidth settings for QoS classes, Add a QoS profile rule.

QoS Classes
A QoS class determines the priority and bandwidth for traffic matching a QoS policy rule. You can use a QoS profile rule to define QoS classes. There are up to eight definable QoS classes in a single QoS profile. Unless otherwise configured, traffic that does not match a QoS class is assigned a class of 4.
QoS Priority Queuing and QoS Bandwidth Management, the fundamental mechanisms of a QoS configuration, are configured within the QoS class definition (see Configure QoS, Step 4). For each QoS class, you can set a priority (real-time, high, medium, or low) and the maximum and guaranteed bandwidth for matching traffic. QoS priority queuing and bandwidth management determine the order of traffic and how traffic is handled upon entering or leaving a network.

QoS Priority Queuing
One of four priorities can be enforced for a QoS class: real-time, high, medium, and low. Traffic matching a QoS policy rule is assigned the QoS class associated with that rule, and the firewall treats the matching traffic based on the QoS class priority. Packets in the outgoing traffic flow are queued based on their priority until the network is ready to process the packets. Priority queuing allows you to ensure that important traffic, applications, and users take precedence. Real-time priority is typically used for applications that are particularly sensitive to latency, such as voice and video applications.

QoS Bandwidth Management
QoS bandwidth management allows you to control traffic flows on a network so that traffic does not exceed network capacity (resulting in network congestion), and also allows you to allocate bandwidth for certain types of traffic and for applications and users. With QoS, you can enforce bandwidth for traffic on a narrow or a broad scale. A QoS profile rule allows you to set bandwidth limits for individual QoS classes and the total combined bandwidth for all eight QoS classes. As part of the steps to Configure QoS, you attach the QoS profile rule to a physical interface to enforce bandwidth settings on the traffic exiting that interface: the individual QoS class settings are enforced for traffic matching that QoS class (QoS classes are assigned to traffic matching QoS policy rules), and the overall bandwidth limit for the profile can be applied to all clear text traffic, to specific clear text traffic originating from source interfaces and source subnets, to all tunneled traffic, or to individual tunnel interfaces. You can add multiple profile rules to a single QoS interface to apply varying bandwidth settings to the traffic exiting that interface.
The following fields support QoS bandwidth settings:
- Egress Guaranteed: The amount of bandwidth guaranteed for matching traffic. When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis. Bandwidth that is guaranteed but is unused continues to remain available for all traffic. Depending on your QoS configuration, you can guarantee bandwidth for a single QoS class, for all or some clear text traffic, and for all or some tunneled traffic.
  Example: Class 1 traffic has 5 Gbps of egress guaranteed bandwidth, which means that 5 Gbps is available to class 1 traffic but is not reserved exclusively for it. If class 1 traffic does not use, or only partially uses, the guaranteed bandwidth, the remaining bandwidth can be used by other classes of traffic. However, during high-traffic periods, 5 Gbps of bandwidth is absolutely available for class 1 traffic. During these periods of congestion, any class 1 traffic that exceeds 5 Gbps is best effort.
- Egress Max: The overall bandwidth allocation for matching traffic. The firewall drops traffic that exceeds the egress max limit that you set. Depending on your QoS configuration, you can set a maximum bandwidth limit for a QoS class, for all or some clear text traffic, for all or some tunneled traffic, and for all traffic exiting the QoS interface.

The cumulative guaranteed bandwidth for the QoS profile rules attached to an interface must not exceed the total bandwidth allocated to the interface.
To define bandwidth settings for QoS classes, Add a QoS profile rule. To then apply those bandwidth settings to clear text and tunneled traffic, and to set the overall bandwidth limit for a QoS interface, Enable QoS on a physical interface.
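The guaranteed/maximum semantics described above, and the LimitWebBrowsing profile built in Configure QoS (Class 2 with 50 Mbps Egress Max and 2 Mbps Egress Guaranteed), as an added example that is not part of this guide and not Palo Alto Networks code: a Python model of a QoS profile that checks the constraints stated in this chapter (class numbers 1 to 8, guaranteed not above max, cumulative guaranteed not above the interface Egress Max) and allocates bandwidth for one congested interval. The allocation order (guaranteed first, then leftover capacity handed out in strict priority order), the class 1 figures and the interface figures are assumptions for illustration; the firewall's real scheduler is not documented on this page.

```python
# Added example, not Palo Alto Networks code and not the firewall's scheduler.
# A simplified model of the QoS profile semantics on this page: guaranteed
# bandwidth is honoured first even under congestion, traffic above Egress Max
# is dropped, and leftover capacity is shared best effort in priority order
# (assumption). Bandwidth figures are in Mbps; class 1 and interface values
# are constructed, class 2 is the LimitWebBrowsing example from Configure QoS.
from dataclasses import dataclass, field

PRIORITIES = ("real-time", "high", "medium", "low")   # highest first


@dataclass
class QoSClass:
    number: int               # 1..8; unmatched traffic defaults to class 4
    priority: str
    egress_guaranteed: float
    egress_max: float


@dataclass
class QoSProfile:
    name: str
    egress_max: float
    egress_guaranteed: float
    classes: dict = field(default_factory=dict)   # class number -> QoSClass


@dataclass
class QoSInterface:
    name: str
    egress_max: float
    profiles: list = field(default_factory=list)


def validate(iface):
    """Return the configuration problems for an interface; an empty list means
    it satisfies the constraints stated in this chapter."""
    problems = []
    total = sum(p.egress_guaranteed for p in iface.profiles)
    if total > iface.egress_max:
        problems.append(f"{iface.name}: cumulative guaranteed {total} Mbps exceeds "
                        f"interface Egress Max {iface.egress_max} Mbps")
    for p in iface.profiles:
        if p.egress_guaranteed > p.egress_max:
            problems.append(f"{p.name}: profile guaranteed exceeds its Egress Max")
        for c in p.classes.values():
            if not 1 <= c.number <= 8:
                problems.append(f"{p.name}: class {c.number} outside 1..8")
            if c.priority not in PRIORITIES:
                problems.append(f"{p.name}: class {c.number} has priority {c.priority!r}")
            if c.egress_guaranteed > c.egress_max or c.egress_max > p.egress_max:
                problems.append(f"{p.name}: class {c.number} bandwidth exceeds its limits")
    return problems


def allocate(profile, offered):
    """Model one congested interval. `offered` maps class number -> Mbps
    presented to the profile. Returns (delivered, dropped_over_max)."""
    demand, dropped = {}, {}
    for n, mbps in offered.items():
        cls = profile.classes[n]
        demand[n] = min(mbps, cls.egress_max)      # anything above Egress Max is dropped
        dropped[n] = mbps - demand[n]
    # 1. Every class gets its guaranteed share first, even under congestion.
    delivered = {n: min(demand[n], profile.classes[n].egress_guaranteed) for n in demand}
    capacity = max(profile.egress_max - sum(delivered.values()), 0.0)
    # 2. Unused guaranteed and non-guaranteed capacity is shared best effort,
    #    higher priority classes first (assumption: strict priority order).
    order = sorted(demand, key=lambda n: (PRIORITIES.index(profile.classes[n].priority), n))
    for n in order:
        extra = min(demand[n] - delivered[n], capacity)
        delivered[n] += extra
        capacity -= extra
    return delivered, dropped


def example_profile():
    """Class 2 carries the LimitWebBrowsing values from Configure QoS; class 1
    and the profile totals are constructed for illustration."""
    return QoSProfile("LimitWebBrowsing", egress_max=60, egress_guaranteed=12, classes={
        1: QoSClass(1, "real-time", egress_guaranteed=10, egress_max=20),
        2: QoSClass(2, "medium", egress_guaranteed=2, egress_max=50),
    })


def demo():
    profile = example_profile()
    iface = QoSInterface("ethernet1/1", egress_max=100, profiles=[profile])
    # Offer 30 Mbps of class 1 and 80 Mbps of class 2 to a 60 Mbps profile.
    return validate(iface), allocate(profile, {1: 30, 2: 80})


if __name__ == "__main__":
    print(demo())   # ([], ({1: 20, 2: 40}, {1: 10, 2: 30}))
```

In the demo, class 2 loses 30 Mbps to its own Egress Max before any sharing happens, keeps its 2 Mbps guarantee, and then receives only what the real-time class leaves over; run validate against your own profile and interface figures before committing them.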


QoS Egress Interface
Enabling a QoS profile rule on the egress interface of the traffic identified for QoS treatment completes a QoS configuration. The ingress interface for QoS traffic is the interface on which the traffic enters the firewall. The egress interface for QoS traffic is the interface from which the traffic leaves the firewall. QoS is always enabled and enforced on the egress interface for a traffic flow. The egress interface in a QoS configuration can be either the external- or internal-facing interface of the firewall, depending on the flow of the traffic receiving QoS treatment.
For example, in an enterprise network, if you are limiting employees' download traffic from a specific website, the egress interface in the QoS configuration is the firewall's internal interface, as the traffic flow is from the Internet, through the firewall, and to your company network. Alternatively, when limiting employees' upload traffic to the same website, the egress interface in the QoS configuration is the firewall's external interface, as the traffic you are limiting flows from your company network, through the firewall, and then to the Internet.
See Configure QoS, Step 2, to learn how to identify the egress interface for applications that you want to receive QoS treatment.

QoS for Clear Text and Tunneled Traffic
At a minimum, enabling a QoS interface requires you to select a default QoS profile rule that defines bandwidth and priority settings for clear text traffic egressing the interface. However, when setting up or modifying a QoS interface, you can apply granular QoS settings to outgoing clear text traffic and tunneled traffic. QoS preferential treatment and bandwidth limiting can be enforced for tunneled traffic, for individual tunnel interfaces, and/or for clear text traffic originating from different source interfaces and source subnets. On Palo Alto Networks firewalls, tunneled traffic refers to tunnel interface traffic, specifically IPSec traffic in tunnel mode.


Configure QoS
Follow these steps to configure Quality of Service (QoS), which includes creating a QoS profile, creating a QoS policy, and enabling QoS on an interface.

Step 1
Identify the traffic you want to manage with QoS. This example shows how to use QoS to limit web-browsing.
Select ACC to view the Application Command Center page. Use the settings and charts on the ACC page to view trends and traffic related to Applications, URL Filtering, Threat Prevention, Data Filtering, and HIP Matches. Click any application name to display detailed application information.

Step 2
Identify the egress interface for applications that you want to receive QoS treatment.
The egress interface for traffic depends on the traffic flow. If you are shaping incoming traffic, the egress interface is the internal-facing interface. If you are shaping outgoing traffic, the egress interface is the external-facing interface.
Select Monitor > Logs > Traffic to view the Traffic logs. To filter and only show logs for a specific application:
- If an entry is displayed for the application, click the underlined link in the Application column, then click the Submit icon.
- If an entry is not displayed for the application, click the Add Log icon and search for the application.
The Egress I/F column in the traffic logs displays each application's egress interface. To display the Egress I/F column if it is not displayed by default, click any column header to add a column to the log. Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface, listed in the Destination section.


Step 3
Add a QoS policy rule. A QoS policy rule defines the traffic to receive QoS treatment. The firewall assigns a QoS class of service to the traffic matched to the policy rule.
1. Select Policies > QoS and Add a new policy rule.
2. On the General tab, give the QoS Policy Rule a descriptive Name.
3. Specify traffic to receive QoS treatment based on Source, Destination, Application, Service/URL Category, and DSCP/ToS values (the DSCP/ToS settings allow you to Enforce QoS Based on DSCP Classification). For example, select Application, click Add, and select web-browsing to apply QoS to web-browsing traffic.
4. (Optional) Continue to define additional parameters. For example, select Source and Add a source user to provide QoS for a specific user's web traffic.
5. Select Other Settings and assign a QoS Class to traffic matching the policy rule. For example, assign Class 2 to user1's web traffic.
6. Click OK.


Step 4
Add a QoS profile rule. A QoS profile rule allows you to define the eight classes of service that traffic can receive, including priority, and enables QoS Bandwidth Management. You can edit any existing QoS profile, including the default, by clicking the QoS profile name.
1. Select Network > Network Profiles > QoS Profile and Add a new profile.
2. Enter a descriptive Profile Name.
3. Set the overall bandwidth limits for the QoS profile rule:
   - Enter an Egress Max value to set the overall bandwidth allocation for the QoS profile rule.
   - Enter an Egress Guaranteed value to set the guaranteed bandwidth for the QoS profile.
   Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed. Bandwidth that is guaranteed but is unused continues to remain available for all traffic.
4. In the Classes section, specify how to treat up to eight individual QoS classes:
   a. Add a class to the QoS Profile.
   b. Select the Priority for the class: real-time, high, medium, or low.
   c. Enter the Egress Max and Egress Guaranteed bandwidth for traffic assigned to each QoS class.
5. Click OK.
In the following example, the QoS profile rule LimitWebBrowsing limits Class 2 traffic to a maximum bandwidth of 50 Mbps and a guaranteed bandwidth of 2 Mbps.


Step 5
Enable QoS on a physical interface. Part of this step includes the option to select clear text and tunneled traffic for unique QoS treatment.
Check if the platform you're using supports enabling QoS on a subinterface by reviewing a summary of the Product Specifications.
1. Select Network > QoS and Add a QoS interface.
2. Select Physical Interface and choose the Interface Name of the interface on which to enable QoS. In the example, ethernet1/1 is the egress interface for web-browsing traffic (see Step 2).
3. Set the Egress Max bandwidth for all traffic exiting this interface.
   It is a best practice to always define the Egress Max value for a QoS interface. Ensure that the cumulative guaranteed bandwidth for the QoS profile rules attached to the interface does not exceed the total bandwidth allocated to the interface.
4. Select Turn on QoS feature on this interface.
5. In the Default Profile section, select a QoS profile rule to apply to all Clear Text traffic exiting the physical interface.
6. (Optional) Select a default QoS profile rule to apply to all tunneled traffic exiting the interface.
   For example, enable QoS on ethernet1/1 and apply the bandwidth and priority settings you defined for the QoS profile rule LimitWebBrowsing (Step 4) as the default settings for clear text egress traffic.
7. (Optional) Continue to define more granular settings to provide QoS for Clear Text and Tunneled Traffic. Settings configured on the Clear Text Traffic tab and the Tunneled Traffic tab automatically override the default profile settings for clear text and tunneled traffic on the Physical Interface tab.
   Select Clear Text Traffic and:
   - Set the Egress Guaranteed and Egress Max bandwidths for clear text traffic.
   - Click Add and apply a QoS profile rule to enforce clear text traffic based on source interface and source subnet.
   Select Tunneled Traffic and:
   - Set the Egress Guaranteed and Egress Max bandwidths for tunneled traffic.
   - Click Add and attach a QoS profile rule to a single tunnel interface.
8. Click OK.

Step 6
Commit the configuration.


Step 7
Verify the QoS configuration.
Select Network > QoS and then Statistics to view QoS bandwidth, active sessions of a selected QoS class, and active applications for the selected QoS class.
For example, the statistics for ethernet1/1 with QoS enabled show Class 2 traffic limited to 2 Mbps of guaranteed bandwidth and a maximum bandwidth of 50 Mbps.
Continue to click the tabs to display further information regarding applications, source users, destination users, security rules, and QoS rules.
Bandwidth limits shown on the QoS Statistics window include a hardware adjustment factor.


Configure QoS for a Virtual System
QoS can be configured for a single virtual system or for several virtual systems configured on a Palo Alto Networks firewall. Because a virtual system is an independent firewall, QoS must be configured independently for each virtual system.
Configuring QoS for a virtual system is similar to configuring QoS on a physical firewall, with the exception that configuring QoS for a virtual system requires specifying the source and destination of traffic. Because a virtual system exists without set physical boundaries, and because traffic in a virtual environment can span more than one virtual system, specifying source and destination zones and interfaces for traffic is necessary to control and shape traffic for a single virtual system.
The example below shows two virtual systems configured on a firewall. VSYS1 (purple) and VSYS2 (red) each have QoS configured to prioritize or limit two distinct traffic flows, indicated by their corresponding purple (VSYS1) and red (VSYS2) lines. The QoS nodes indicate the points at which traffic is matched to a QoS policy and assigned a QoS class of service, and then later indicate the point at which traffic is shaped as it egresses the firewall.

Refer to the Virtual Systems (VSYS) tech note for information on virtual systems and how to configure them.

Configure QoS in a Virtual System Environment

Step 1
Confirm that the appropriate interfaces, virtual routers, and security zones are associated with each virtual system.
- To view configured interfaces, select Network > Interfaces.
- To view configured zones, select Network > Zones.
- To view information on defined virtual routers, select Network > Virtual Routers.


Step 2
Identify the traffic to apply QoS to.
Select ACC to view the Application Command Center page. Use the settings and charts on the ACC page to view trends and traffic related to Applications, URL Filtering, Threat Prevention, Data Filtering, and HIP Matches. To view information for a specific virtual system, select the virtual system from the Virtual System drop-down. Click any application name to display detailed application information.

Step 3
Identify the egress interface for applications that you identified as needing QoS treatment.
In a virtual system environment, QoS is applied to traffic at the traffic's egress point on the virtual system. Depending on the configuration and QoS policy for a virtual system, the egress point of QoS traffic could be associated with a physical interface or could be a zone.
This example shows how to limit web-browsing traffic on vsys1.
Select Monitor > Logs > Traffic to view traffic logs. Each entry has the option to display columns with the information necessary to configure QoS in a virtual system environment:
- virtual system
- egress interface
- ingress interface
- source zone
- destination zone
To display a column if it is not displayed by default, click any column header to add a column to the log. Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface, as well as the source and destination zones, in the Source and Destination sections.
For example, for web-browsing traffic from VSYS1, the ingress interface is ethernet1/2, the egress interface is ethernet1/1, the source zone is trust, and the destination zone is untrust.


Step 4
Create a QoS Profile. You can edit any existing QoS Profile, including the default, by clicking the profile name.
1. Select Network > Network Profiles > QoS Profile and click Add to open the QoS Profile dialog.
2. Enter a descriptive Profile Name.
3. Enter an Egress Max to set the overall bandwidth allocation for the QoS profile.
4. Enter an Egress Guaranteed to set the guaranteed bandwidth for the QoS profile.
   Any traffic that exceeds the QoS profile's egress guaranteed limit is passed as best effort but is not guaranteed.
5. In the Classes section of the QoS Profile, specify how to treat up to eight individual QoS classes:
   a. Click Add to add a class to the QoS Profile.
   b. Select the Priority for the class.
   c. Enter an Egress Max for the class to set the overall bandwidth limit for that individual class.
   d. Enter an Egress Guaranteed for the class to set the guaranteed bandwidth for that individual class.
6. Click OK to save the QoS profile.


Step 5
Create a QoS policy.
In an environment with multiple virtual systems, traffic can span more than one virtual system. Because of this, when you are enabling QoS for a virtual system, you must define the traffic to receive QoS treatment based on source and destination zones. This ensures that the traffic is prioritized and shaped only for that virtual system (and not for other virtual systems through which the traffic might flow).
1. Select Policies > QoS and Add a QoS Policy Rule.
2. Select General and give the QoS Policy Rule a descriptive Name.
3. Specify the traffic to which the QoS policy rule will apply. Use the Source, Destination, Application, and Service/URL Category tabs to define matching parameters for identifying traffic. For example, select Application and Add web-browsing to apply the QoS policy rule to that application.
4. Select Source and Add the source zone of vsys1 web-browsing traffic.
5. Select Destination and Add the destination zone of vsys1 web-browsing traffic.
6. Select Other Settings and select a QoS Class to assign to the QoS policy rule. For example, assign Class 2 to web-browsing traffic on vsys1.
7. Click OK to save the QoS policy rule.


Step 6
Enable the QoS Profile on a physical interface.
It is a best practice to always define the Egress Max value for a QoS interface.
1. Select Network > QoS and click Add to open the QoS Interface dialog.
2. Enable QoS on the physical interface:
   a. On the Physical Interface tab, select the Interface Name of the interface to apply the QoS Profile to. In this example, ethernet1/1 is the egress interface for web-browsing traffic on vsys1 (see Step 3).
   b. Select Turn on QoS feature on this interface.
3. On the Physical Interface tab, select the default QoS profile to apply to all Clear Text traffic. (Optional) Use the Tunnel Interface field to apply a default QoS profile to all tunneled traffic.
4. (Optional) On the Clear Text Traffic tab, configure additional QoS settings for clear text traffic:
   - Set the Egress Guaranteed and Egress Max bandwidths for clear text traffic.
   - Click Add to apply a QoS Profile to selected clear text traffic, further selecting the traffic for QoS treatment according to source interface and source subnet (creating a QoS node).
5. (Optional) On the Tunneled Traffic tab, configure additional QoS settings for tunnel interfaces:
   - Set the Egress Guaranteed and Egress Max bandwidths for tunneled traffic.
   - Click Add to associate a selected tunnel interface with a QoS Profile.
6. Click OK to save the changes.
7. Commit the changes.

Step 7
Verify the QoS configuration.
Select Network > QoS to view the QoS Policies page. The QoS Policies page verifies that QoS is enabled and includes a Statistics link. Click the Statistics link to view QoS bandwidth, active sessions of a selected QoS node or class, and active applications for the selected QoS node or class.
In a multi-vsys environment, sessions cannot span multiple virtual systems. Multiple sessions are created for one traffic flow if the traffic passes through more than one virtual system. To browse sessions running on the firewall and view the applied QoS Rules and QoS Classes, select Monitor > Session Browser.


Enforce QoS Based on DSCP Classification
A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request (for example) high priority or best effort delivery for traffic. Session-based DSCP classification allows you both to honor DSCP values for incoming traffic and to mark a session with a DSCP value as session traffic exits the firewall. This enables all inbound and outbound traffic for a session to receive continuous QoS treatment as it flows through your network. For example, inbound return traffic from an external server can now be treated with the same QoS priority that the firewall initially enforced for the outbound flow, based on the DSCP value the firewall detected at the beginning of the session. Network devices between the firewall and the end user will then also enforce the same priority for the return traffic (and any other outbound or inbound traffic for the session).
Different types of DSCP markings indicate different levels of service:
- Expedited Forwarding (EF): Can be used to request low loss, low latency, and guaranteed bandwidth for traffic. Packets with EF codepoints are typically guaranteed highest priority delivery.
- Assured Forwarding (AF): Can be used to provide reliable delivery for applications. Packets with an AF codepoint indicate a request for the traffic to receive higher priority treatment than best effort service provides (though packets with an EF codepoint will continue to take precedence over those with an AF codepoint).
- Class Selector (CS): Can be used to provide backward compatibility with network devices that use the IP Precedence field to mark priority traffic.
- IP Precedence (ToS): Can be used by legacy network devices to mark priority traffic (the IP Precedence header field was used to indicate the priority for a packet before the introduction of DSCP classification).
- Custom Codepoint: Create a custom codepoint to match to traffic by entering a Codepoint Name and Binary Value.

For example, select Assured Forwarding (AF) to ensure that traffic marked with an AF codepoint value has higher priority for reliable delivery over applications marked to receive lower priority. Use the following steps to enable session-based DSCP classification. Start by configuring QoS based on the DSCP marking detected at the beginning of a session. You can then continue to enable the firewall to mark the return flow for a session with the same DSCP value used to enforce QoS for the initial outbound flow.
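The codepoint types listed above, as an added example that is not part of this guide and not Palo Alto Networks code: a Python decoder for the six-bit DSCP field of the IPv4 ToS / IPv6 Traffic Class byte. It names EF, AFxy and CSx values following RFC 3246, RFC 2597 and RFC 2474, derives the legacy IP Precedence bits, and reports any other value as a custom codepoint in the six-bit binary form the web interface asks for. The matches_rule helper (a name introduced here) mimics the Type / Codepoint match used in the steps that follow (EF matches any EF-marked traffic and takes no granular codepoint; AF can be narrowed to, for example, AF11); how PAN-OS represents ToS and custom matches internally is an assumption. The packet byte values are constructed.

```python
# Added example, not Palo Alto Networks code. Decodes the DSCP field and names
# it per RFC 2474 (Class Selector / IP Precedence), RFC 2597 (Assured
# Forwarding) and RFC 3246 (Expedited Forwarding). How the firewall matches
# ToS and custom codepoints internally is assumed here, not documented above.

EF = 0b101110   # 46, the single Expedited Forwarding codepoint


def dscp_from_tos(tos_byte):
    """DSCP occupies the upper six bits of the ToS byte; the low two bits are ECN."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    return tos_byte >> 2


def ip_precedence(dscp):
    """Legacy IP Precedence is the upper three bits of the DSCP field."""
    return dscp >> 3


def af_codepoint(af_class, drop_precedence):
    """AFxy = 8*x + 2*y for class x in 1..4 and drop precedence y in 1..3."""
    if af_class not in (1, 2, 3, 4) or drop_precedence not in (1, 2, 3):
        raise ValueError("AF class 1..4, drop precedence 1..3")
    return 8 * af_class + 2 * drop_precedence


def classify(dscp):
    """Return (type, name) for a DSCP value, e.g. classify(10) -> ('AF', 'AF11').
    Values outside the standard pools are reported as a custom codepoint with
    the six-bit Binary Value the web interface asks for."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a six-bit value")
    if dscp == EF:
        return ("EF", "EF")
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return ("CS", f"CS{cls}")            # CS0 is default / best effort
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return ("AF", f"AF{cls}{rem // 2}")
    return ("custom", format(dscp, "06b"))


def matches_rule(dscp, rule_type, codepoint=None):
    """Mimic the QoS rule match on the DSCP/ToS tab (assumed behaviour):
    'EF' matches any EF-marked traffic and takes no granular codepoint;
    'AF' and 'CS' may be narrowed to a name such as 'AF11';
    'ToS' compares the three-bit IP Precedence given as an int;
    'custom' compares the six-bit binary string."""
    kind, name = classify(dscp)
    if rule_type == "EF":
        return kind == "EF"
    if rule_type in ("AF", "CS"):
        return kind == rule_type and (codepoint is None or name == codepoint)
    if rule_type == "ToS":
        return ip_precedence(dscp) == codepoint
    if rule_type == "custom":
        return format(dscp, "06b") == codepoint
    raise ValueError(f"unknown rule type {rule_type!r}")


if __name__ == "__main__":
    # Constructed packet: ToS byte 0x28 carries DSCP 10 = AF11 (IP Precedence 1).
    d = dscp_from_tos(0x28)
    print(d, classify(d), matches_rule(d, "AF", "AF11"))  # 10 ('AF', 'AF11') True
```

Feed dscp_from_tos the ToS byte from a packet capture to confirm what marking the first packet of a session actually carried before writing the matching QoS rule.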


Apply QoS Based on DSCP/ToS Marking

Before You Begin
Make sure that you have performed the preliminary steps to Configure QoS.

Step 1
Define the traffic to receive QoS treatment based on DSCP value.
1. Select Policies > QoS and Add or modify an existing QoS rule and populate the required fields.
2. Select DSCP/ToS and select Codepoints.
3. Add a DSCP/ToS codepoint for which you want to enforce QoS.
4. Select the Type of DSCP/ToS marking for the QoS rule to match to traffic.
   It is a best practice to use a single DSCP type to manage and prioritize your network traffic.
5. Match the QoS policy to traffic on a more granular scale by specifying the Codepoint value. For example, with Assured Forwarding (AF) selected as the Type of DSCP value for the policy to match, further specify an AF Codepoint value such as AF11.
   When Expedited Forwarding (EF) is selected as the Type of DSCP marking, a granular Codepoint value cannot be specified. The QoS policy rule matches traffic marked with any EF codepoint value.
6. Select Other Settings and assign a QoS Class to traffic matched to the QoS rule. In this example, assign Class 1 to sessions where a DSCP marking of AF11 is detected for the first packet in the session.
7. Click OK to save the QoS rule.

Step 2
Define the QoS priority for traffic to receive when it is matched to a QoS rule based on the DSCP marking detected at the beginning of a session.
1. Select Network > Network Profiles > QoS Profile and Add or modify an existing QoS profile. For details on profile options to set priority and bandwidth for traffic, see QoS Concepts and Configure QoS.
2. Add or modify a profile class. For example, because Step 1 showed steps to classify AF11 traffic as Class 1 traffic, you could add or modify a class 1 entry.
3. Select a Priority for the class of traffic, such as high.
4. Click OK to save the QoS Profile.

Step 3
Enable QoS on an interface.
Select Network > QoS and Add or modify an existing interface and Turn on QoS feature on this interface.
In this example, traffic with an AF11 DSCP marking is matched to the QoS rule and assigned Class 1. The QoS profile enabled on the interface enforces high priority treatment for Class 1 traffic as it egresses the firewall (the session's outbound traffic).

PANOS7.1AdministratorsGuide 593

EnforceQoSBasedonDSCPClassification

QualityofService

ApplyQoSBasedonDSCP/ToSMarking
Step4

EnableDSCPMarking.
1. SelectPolicies > SecurityandAddormodifyasecuritypolicy.
MarkreturntrafficwithaDSCPvalue, 2. SelectActionsandintheQoS Markingdropdown,choose
enablingtheinboundflowforasession
Follow-Client-to-Server-Flow.
tobemarkedwiththesameDSCPvalue
3. ClickOKtosaveyourchanges.
detectedfortheoutboundflow.
Completingthisstepenablesthefirewalltomarktrafficwiththe
sameDSCPvaluethatwasdetectedatthebeginningofasession
(inthisexample,thefirewallwouldmarkreturntrafficwiththe
DSCPAF11value).WhileconfiguringQoSallowsyoutoshape
trafficasitegressesthefirewall,enablingthisoptioninasecurity
ruleallowstheothernetworkdevicesintermediatetothefirewall
andtheclienttocontinuetoenforcepriorityforDSCPmarked
traffic.

Step5

Savetheconfiguration.

594 PANOS7.1AdministratorsGuide

Commityourchanges.
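The matching logic the procedure above configures in the web interface, written out as an added Python example (not PAN-OS code): the DSCP field is extracted from the ToS byte of a session's first packet, the rule's Type and Codepoint are compared against it (with the EF caveat that no granular codepoint can be given), and Follow-Client-to-Server-Flow is modelled as copying the client-to-server DSCP onto the return packet. The AF11-to-Class-1 rule is the one from the text; the second (EF) rule, its class and the rule names are assumptions.

```python
"""DSCP-based classification and return-flow marking, modelled on the
procedure above. This is an added example, not PAN-OS code; the rule names,
the second (EF) rule and its class assignment are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# DSCP is the upper 6 bits of the IPv4 ToS byte (RFC 2474); the low 2 bits are ECN.
# Assured Forwarding codepoints (RFC 2597): AFxy = 8*x + 2*y, e.g. AF11 = 10.
AF_CODEPOINTS = {f"AF{x}{y}": 8 * x + 2 * y for x in range(1, 5) for y in range(1, 4)}
CS_CODEPOINTS = {f"CS{i}": 8 * i for i in range(8)}      # Class Selector (RFC 2474)
EF_CODEPOINT = 46                                         # Expedited Forwarding (RFC 3246)
KNOWN_CODEPOINTS = {**AF_CODEPOINTS, **CS_CODEPOINTS}


def dscp_from_tos(tos_byte: int) -> int:
    return (tos_byte >> 2) & 0x3F


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def dscp_type(dscp: int) -> Optional[str]:
    """Name the marking family a codepoint belongs to, or None for an unknown value."""
    if dscp == EF_CODEPOINT:
        return "EF"
    if dscp in AF_CODEPOINTS.values():
        return "AF"
    if dscp in CS_CODEPOINTS.values():
        return "CS"
    return None


@dataclass(frozen=True)
class QoSRule:
    name: str
    marking_type: str           # "AF", "EF" or "CS": the Type selected in the rule
    codepoint: Optional[str]    # e.g. "AF11"; None matches any codepoint of the type
    qos_class: int              # the QoS Class assigned under Other Settings

    def __post_init__(self):
        # The caveat from the procedure: with EF as the Type, no granular codepoint can be given.
        if self.marking_type == "EF" and self.codepoint is not None:
            raise ValueError("EF rules match any EF codepoint; no Codepoint value allowed")
        if self.codepoint is not None and self.codepoint not in KNOWN_CODEPOINTS:
            raise ValueError(f"unknown codepoint {self.codepoint}")

    def matches(self, dscp: int) -> bool:
        if dscp_type(dscp) != self.marking_type:
            return False
        if self.codepoint is None:
            return True
        return KNOWN_CODEPOINTS[self.codepoint] == dscp


def classify(rules: List[QoSRule], first_packet_tos: int) -> Optional[int]:
    """Evaluate rules top-down against the DSCP of the session's first packet and
    return the QoS class of the first match (None when no rule matches)."""
    dscp = dscp_from_tos(first_packet_tos)
    for rule in rules:
        if rule.matches(dscp):
            return rule.qos_class
    return None


def mark_return_packet(c2s_tos: int, return_tos: int, follow_c2s_flow: bool) -> int:
    """Model of the security rule's QoS Marking = Follow-Client-to-Server-Flow:
    rewrite the return packet's DSCP to the one seen on the client-to-server flow,
    leaving the packet's own ECN bits untouched. Without the option, the return
    packet keeps whatever ToS it arrived with."""
    if not follow_c2s_flow:
        return return_tos
    return tos_from_dscp(dscp_from_tos(c2s_tos), ecn=return_tos & 0x3)


# Rule from the worked example above (AF11 -> Class 1) plus an assumed EF rule.
RULES = [
    QoSRule("af11-to-class1", "AF", "AF11", 1),
    QoSRule("ef-to-class2", "EF", None, 2),     # assumption, not from the page
]

if __name__ == "__main__":
    for tos in (tos_from_dscp(AF_CODEPOINTS["AF11"]), tos_from_dscp(EF_CODEPOINT), 0x00):
        print(f"ToS 0x{tos:02x} (DSCP {dscp_from_tos(tos)}) -> class {classify(RULES, tos)}")
```

Only the first packet of a session is classified, as the procedure says; an AF12-marked session is not matched by the AF11 rule, while any EF-marked session is matched by the EF rule regardless of which EF value the sender used.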


QoS Use Cases

The following use cases demonstrate how to use QoS in common scenarios:

Use Case: QoS for a Single User

Use Case: QoS for Voice and Video Applications

Use Case: QoS for a Single User

A CEO finds that during periods of high network usage, she is unable to access enterprise applications to respond effectively to critical business communications. The IT admin wants to ensure that all traffic to and from the CEO receives preferential treatment over other employee traffic so that she is guaranteed not only access to, but high performance of, critical network resources.

Apply QoS to a Single User

Step 1

The admin creates the QoS profile CEO_traffic to define how traffic originating from the CEO will be treated and shaped as it flows out of the company network:

The admin assigns a guaranteed bandwidth (Egress Guaranteed) of 50 Mbps to ensure that the CEO will have that amount of bandwidth guaranteed to her at all times (more than she would need to use), regardless of network congestion.

The admin continues by designating Class 1 traffic as high priority and sets the profile's maximum bandwidth usage (Egress Max) to 1000 Mbps, the same maximum bandwidth for the interface that the admin will enable QoS on. The admin is choosing to not restrict the CEO's bandwidth usage in any way.

It is a best practice to populate the Egress Max field for a QoS profile, even if the max bandwidth of the profile matches the max bandwidth of the interface. The QoS profile's max bandwidth should never exceed the max bandwidth of the interface you are planning to enable QoS on.

Step 2

The admin creates a QoS policy to identify the CEO's traffic (Policies > QoS) and assigns it the class that he defined in the QoS profile (see Step 1). Because User-ID is configured, the admin uses the Source tab in the QoS policy to singularly identify the CEO's traffic by her company network username. (If User-ID is not configured, the administrator could Add the CEO's IP address under Source Address. See User-ID.):

The admin associates the CEO's traffic with Class 1 (Other Settings tab) and then continues to populate the remaining required policy fields; the admin gives the policy a descriptive Name (General tab) and selects Any for the Source Zone (Source tab) and Destination Zone (Destination tab):

Step 3

Now that Class 1 is associated with the CEO's traffic, the admin enables QoS by checking Turn on QoS feature on interface and selecting the traffic flow's egress interface. The egress interface for the CEO's traffic flow is the external-facing interface, in this case, ethernet1/2:

Because the admin wants to ensure that all traffic originating from the CEO is guaranteed by the QoS profile and associated QoS policy he created, he selects the CEO_traffic to apply to Clear Text traffic flowing from ethernet1/2.

Step 4

After committing the QoS configuration, the admin navigates to the Network > QoS page to confirm that the QoS profile CEO_traffic is enabled on the external-facing interface, ethernet1/2:

He clicks Statistics to view how traffic originating with the CEO (Class 1) is being shaped as it flows from ethernet1/2:

This case demonstrates how to apply QoS to traffic originating from a single source user. However, if you also wanted to guarantee or shape traffic to a destination user, you could configure a similar QoS setup. Instead of, or in addition to this workflow, create a QoS policy that specifies the user's IP address as the Destination Address on the Policies > QoS page (instead of specifying the user's source information, as shown in Step 2) and then enable QoS on the network's internal-facing interface on the Network > QoS page (instead of the external-facing interface, as shown in Step 3).

Use Case: QoS for Voice and Video Applications

Voice and video traffic is particularly sensitive to measurements that the QoS feature shapes and controls, especially latency and jitter. For voice and video transmissions to be audible and clear, voice and video packets cannot be dropped, delayed, or delivered inconsistently. A best practice for voice and video applications, in addition to guaranteeing bandwidth, is to guarantee priority to voice and video traffic.


In this example, employees at a company branch office are experiencing difficulties and unreliability in using video conferencing and Voice over IP (VoIP) technologies to conduct business communications with other branch offices, with partners, and with customers. An IT admin intends to implement QoS in order to address these issues and ensure effective and reliable business communication for the branch employees. Because the admin wants to guarantee QoS to both incoming and outgoing network traffic, he will enable QoS on both the firewall's internal- and external-facing interfaces.

Ensure Quality for Voice and Video Applications

Step 1

The admin creates a QoS profile, defining Class 2 so that Class 2 traffic receives real-time priority and, on an interface with a maximum bandwidth of 1000 Mbps, is guaranteed a bandwidth of 250 Mbps at all times, including peak periods of network usage.

Real-time priority is typically recommended for applications affected by latency, and is particularly useful in guaranteeing performance and quality of voice and video applications.

On the firewall web interface, the admin selects the Network > Network Profiles > QoS Profile page, clicks Add, enters the Profile Name ensurevoipvideotraffic and defines Class 2 traffic.

Step 2

The admin creates a QoS policy to identify voice and video traffic. Because the company does not have one standard voice and video application, the admin wants to ensure QoS is applied to a few applications that are widely and regularly used by employees to communicate with other offices, with partners, and with customers.

On the Policies > QoS > QoS Policy Rule > Applications tab, the admin clicks Add and opens the Application Filter window. The admin continues by selecting criteria to filter the applications he wants to apply QoS to, choosing the Subcategory voip-video, and narrowing that down by specifying only voip-video applications that are both low risk and widely used.

The application filter is a dynamic tool that, when used to filter applications in the QoS policy, allows QoS to be applied to all applications that meet the criteria of voip-video, low risk, and widely used at any given time.

The admin names the Application Filter voipvideolowrisk and includes it in the QoS policy:

The admin names the QoS policy VoiceVideo and selects Other Settings to assign all traffic matched to the policy Class 2. He is going to use the VoiceVideo QoS policy for both incoming and outgoing QoS traffic, so he sets Source and Destination information to Any:

Step 3

Because the admin wants to ensure QoS for both incoming and outgoing voice and video communications, he enables QoS on the network's external-facing interface (to apply QoS to outgoing communications) and on the internal-facing interface (to apply QoS to incoming communications).

The admin begins by enabling the QoS profile he created in Step 1, ensurevoipvideotraffic (Class 2 in this profile is associated with the policy created in Step 2, VoiceVideo), on the external-facing interface, in this case, ethernet1/2.

He then enables the same QoS profile ensurevoipvideotraffic on a second interface, the internal-facing interface (in this case, ethernet1/1).

Step 4

The admin selects Network > QoS to confirm that QoS is enabled for both incoming and outgoing voice and video traffic:

The admin has successfully enabled QoS on both the network's internal- and external-facing interfaces. Real-time priority is now ensured for voice and video application traffic as it flows both into and out of the network, ensuring that these communications, which are particularly sensitive to latency and jitter, can be used reliably and effectively to perform both internal and external business communications.
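The bandwidth guidance in the two use cases (populate Egress Max, keep the profile's max at or below the interface's, keep guaranteed bandwidth within the max) as a set of checks in an added Python example; this is not PAN-OS code. The CEO_traffic and ensurevoipvideotraffic values and the 1000 Mbps interface are taken from the use cases; the priority names and the two deliberately wrong profiles are constructed for the example.

```python
"""Consistency checks for QoS profile settings, added as an example alongside the
two use cases above (it is not PAN-OS code). The profile values are the ones the
use cases state: CEO_traffic with Class 1 high, 50 Mbps guaranteed and 1000 Mbps
max; ensurevoipvideotraffic with Class 2 real-time and 250 Mbps guaranteed; both
on a 1000 Mbps interface. The priority names and the two deliberately wrong
profiles are constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional

PRIORITIES = ("real-time", "high", "medium", "low")   # assumed priority names


@dataclass
class QoSClass:
    number: int                         # class1 .. class8
    priority: str
    guaranteed_mbps: float = 0.0
    max_mbps: Optional[float] = None    # None: no per-class cap beyond the profile's


@dataclass
class QoSProfile:
    name: str
    egress_guaranteed_mbps: float
    egress_max_mbps: Optional[float]    # None models an empty Egress Max field
    classes: List[QoSClass] = field(default_factory=list)


def validate_profile(profile: QoSProfile, interface_max_mbps: float) -> List[str]:
    """Return the findings for one profile on the interface it will be enabled on;
    an empty list means the settings follow the guidance in the use cases."""
    findings: List[str] = []
    if profile.egress_max_mbps is None:
        # Best practice from the single-user case: always populate Egress Max.
        findings.append(f"{profile.name}: Egress Max is empty; populate it even when it equals the interface maximum")
        effective_max = interface_max_mbps
    else:
        effective_max = profile.egress_max_mbps
        if effective_max > interface_max_mbps:
            findings.append(f"{profile.name}: Egress Max {effective_max:g} Mbps exceeds the interface maximum {interface_max_mbps:g} Mbps")
    if profile.egress_guaranteed_mbps > effective_max:
        findings.append(f"{profile.name}: Egress Guaranteed exceeds Egress Max")
    for c in profile.classes:
        if c.priority not in PRIORITIES:
            findings.append(f"{profile.name}/class{c.number}: unknown priority {c.priority!r}")
        class_cap = c.max_mbps if c.max_mbps is not None else effective_max
        if class_cap > effective_max:
            findings.append(f"{profile.name}/class{c.number}: class max exceeds the profile's Egress Max")
        if c.guaranteed_mbps > class_cap:
            findings.append(f"{profile.name}/class{c.number}: guaranteed bandwidth exceeds its max")
    return findings


INTERFACE_MAX_MBPS = 1000.0     # ethernet1/2 in both use cases

CEO_TRAFFIC = QoSProfile("CEO_traffic", 50, 1000, [QoSClass(1, "high")])
VOIP_VIDEO = QoSProfile("ensurevoipvideotraffic", 250, 1000,
                        [QoSClass(2, "real-time", guaranteed_mbps=250)])
# Constructed counter-examples:
OVERSIZED = QoSProfile("oversized", 50, 2000, [QoSClass(1, "high")])     # max above the interface
NO_MAX = QoSProfile("no-max", 50, None, [QoSClass(1, "high")])           # Egress Max left empty

if __name__ == "__main__":
    for p in (CEO_TRAFFIC, VOIP_VIDEO, OVERSIZED, NO_MAX):
        print(p.name, validate_profile(p, INTERFACE_MAX_MBPS) or "ok")
```

The two profiles from the use cases pass; the constructed profile whose Egress Max is larger than the interface maximum and the one with an empty Egress Max each produce a finding, which is the condition the best-practice note warns about.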


VPNs

Virtual private networks (VPNs) create tunnels that allow users/systems to connect securely over a public network, as if they were connecting over a local area network (LAN). To set up a VPN tunnel, you need a pair of devices that can authenticate each other and encrypt the flow of information between them. The devices can be a pair of Palo Alto Networks firewalls, or a Palo Alto Networks firewall along with a VPN-capable device from another vendor.

VPN Deployments

Site-to-Site VPN Overview

Site-to-Site VPN Concepts

Set Up Site-to-Site VPN

Site-to-Site VPN Quick Configs


VPN Deployments

The Palo Alto Networks firewall supports the following VPN deployments:

Site-to-Site VPN: A simple VPN that connects a central site and a remote site, or a hub and spoke VPN that connects a central site with multiple remote sites. The firewall uses the IP Security (IPSec) set of protocols to set up a secure tunnel for the traffic between the two sites. See Site-to-Site VPN Overview.

Remote User-to-Site VPN: A solution that uses the GlobalProtect agent to allow a remote user to establish a secure connection through the firewall. This solution uses SSL and IPSec to establish a secure connection between the user and the site. Refer to the GlobalProtect Administrator's Guide.

Large Scale VPN: The Palo Alto Networks GlobalProtect Large Scale VPN (LSVPN) provides a simplified mechanism to roll out a scalable hub and spoke VPN with up to 1,024 satellite offices. The solution requires Palo Alto Networks firewalls to be deployed at the hub and at every spoke. It uses certificates for device authentication, SSL for securing communication between all components, and IPSec to secure data. See Large Scale VPN (LSVPN).

Figure: VPN Deployments


Site-to-Site VPN Overview

A VPN connection that allows you to connect two Local Area Networks (LANs) is called a site-to-site VPN. You can configure route-based VPNs to connect Palo Alto Networks firewalls located at two sites or to connect a Palo Alto Networks firewall with a third-party security device at another location. The firewall can also interoperate with third-party policy-based VPN devices; the Palo Alto Networks firewall supports route-based VPN.

The Palo Alto Networks firewall sets up a route-based VPN, where the firewall makes a routing decision based on the destination IP address. If traffic is routed to a specific destination through a VPN tunnel, then it is handled as VPN traffic.

The IP Security (IPSec) set of protocols is used to set up a secure tunnel for the VPN traffic, and the information in the TCP/IP packet is secured (and encrypted if the tunnel type is ESP). The IP packet (header and payload) is embedded in another IP payload, and a new header is applied and then sent through the IPSec tunnel. The source IP address in the new header is that of the local VPN peer and the destination IP address is that of the VPN peer on the far end of the tunnel. When the packet reaches the remote VPN peer (the firewall at the far end of the tunnel), the outer header is removed and the original packet is sent to its destination.

In order to set up the VPN tunnel, first the peers need to be authenticated. After successful authentication, the peers negotiate the encryption mechanism and algorithms to secure the communication. The Internet Key Exchange (IKE) process is used to authenticate the VPN peers, and IPSec Security Associations (SAs) are defined at each end of the tunnel to secure the VPN communication. IKE uses digital certificates or pre-shared keys, and the Diffie-Hellman keys to set up the SAs for the IPSec tunnel. The SAs specify all of the parameters that are required for secure transmission (including the security parameter index (SPI), security protocol, cryptographic keys, and the destination IP address): encryption, data authentication, data integrity, and endpoint authentication.

The following figure shows a VPN tunnel between two sites. When a client that is secured by VPN Peer A needs content from a server located at the other site, VPN Peer A initiates a connection request to VPN Peer B. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure connection and authenticate VPN Peer B. Then, VPN Peer A establishes the VPN tunnel using the IPSec Crypto profile, which defines the IKE phase 2 parameters to allow the secure transfer of data between the two sites.

Figure: Site-to-Site VPN
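The encapsulation described in the overview (original packet embedded as the payload of a new IP packet addressed between the two VPN peers, outer header stripped at the far end) as an added Python example; it is not PAN-OS code. The peer and host addresses are constructed, and the ESP transform itself (encryption and integrity protection of the inner packet) is deliberately not modelled, only the outer-header handling and its validation, so in this model the inner packet crosses the tunnel unprotected.

```python
"""Tunnel-mode encapsulation as described in the overview above. Added example,
not PAN-OS code. Addresses are constructed (RFC 5737 ranges for the peers); the
ESP encryption/authentication of the inner packet is not modelled, only the outer
IP header that carries it between the two VPN peers."""
import ipaddress
import struct

IPPROTO_ESP = 50      # IANA protocol number for Encapsulating Security Payload
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; a header that already carries a
    correct checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) in front of payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload) after checking version and checksum."""
    ver_ihl, _tos, total_len, _ident, _flags, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[ihl:total_len])


def encapsulate(inner: bytes, local_peer: str, remote_peer: str) -> bytes:
    """Local VPN peer: the whole inner packet becomes the payload of an outer packet
    whose source is the local peer and whose destination is the far-end peer."""
    return build_ipv4(local_peer, remote_peer, IPPROTO_ESP, inner)


def decapsulate(outer: bytes, expected_peer: str, my_addr: str) -> bytes:
    """Remote VPN peer: verify the outer header belongs to the configured tunnel,
    strip it, validate the inner packet and hand it back for normal forwarding."""
    src, dst, proto, payload = parse_ipv4(outer)
    if proto != IPPROTO_ESP:
        raise ValueError("outer packet is not tunnel traffic")
    if src != expected_peer or dst != my_addr:
        raise ValueError("outer addresses do not match the configured VPN peer")
    parse_ipv4(payload)     # the original packet must itself be well-formed
    return payload


# Constructed topology: client 10.1.1.10 behind Peer A (203.0.113.1),
# server 10.2.2.20 behind Peer B (198.51.100.1).
INNER = build_ipv4("10.1.1.10", "10.2.2.20", IPPROTO_TCP, b"GET / HTTP/1.0\r\n\r\n")
OUTER = encapsulate(INNER, "203.0.113.1", "198.51.100.1")

if __name__ == "__main__":
    print("outer:", parse_ipv4(OUTER)[:3], "len", len(OUTER))
    print("inner:", parse_ipv4(decapsulate(OUTER, "203.0.113.1", "198.51.100.1"))[:3])
```

The outer header adds exactly 20 bytes here; with real ESP the SPI, sequence number, padding and integrity tag add more, which is what makes tunnel MTU and fragmentation a practical concern on IPSec links.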


Site-to-Site VPN Concepts

A VPN connection provides secure access to information between two or more sites. In order to provide secure access to resources and reliable connectivity, a VPN connection needs the following components:

IKE Gateway

Tunnel Interface

Tunnel Monitoring

Internet Key Exchange (IKE) for VPN

IKEv2

IKE Gateway

The Palo Alto Networks firewalls or a firewall and another security device that initiate and terminate VPN connections across the two networks are called the IKE Gateways. To set up the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP address (static or dynamic) or FQDN. The VPN peers use pre-shared keys or certificates to mutually authenticate each other.

The peers must also negotiate the mode (main or aggressive) for setting up the VPN tunnel and the SA lifetime in IKE Phase 1. Main mode protects the identity of the peers and is more secure because more packets are exchanged when setting up the tunnel. Main mode is the recommended mode for IKE negotiation if both peers support it. Aggressive mode uses fewer packets to set up the VPN tunnel and is hence faster but a less secure option for setting up the VPN tunnel.

See Set Up an IKE Gateway for configuration details.

Tunnel Interface

To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical (virtual) interface that is used to deliver traffic between two endpoints. Each tunnel interface can have a maximum of 10 IPSec tunnels; this means that up to 10 networks can be associated with the same tunnel interface on the firewall.

The tunnel interface must belong to a security zone to apply policy and it must be assigned to a virtual router in order to use the existing routing infrastructure. Ensure that the tunnel interface and the physical interface are assigned to the same virtual router so that the firewall can perform a route lookup and determine the appropriate tunnel to use.

Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an external zone, for example the untrust zone. While the tunnel interface can be in the same security zone as the physical interface, for added security and better visibility, you can create a separate zone for the tunnel interface. If you create a separate zone for the tunnel interface, say a VPN zone, you will need to create security policies to enable traffic to flow between the VPN zone and the trust zone.


To route traffic between the sites, a tunnel interface does not require an IP address. An IP address is only required if you want to enable tunnel monitoring or if you are using a dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next-hop IP address for routing traffic to the VPN tunnel.

If you are configuring the Palo Alto Networks firewall with a VPN peer that performs policy-based VPN, you must configure a local and remote Proxy ID when setting up the IPSec tunnel. Each peer compares the Proxy IDs configured on it with what is actually received in the packet in order to allow a successful IKE phase 2 negotiation. If multiple tunnels are required, configure unique Proxy IDs for each tunnel interface; a tunnel interface can have a maximum of 250 Proxy IDs. Each Proxy ID counts towards the IPSec VPN tunnel capacity of the firewall, and the tunnel capacity varies by the firewall model.

See Set Up an IPSec Tunnel for configuration details.

Tunnel Monitoring

For a VPN tunnel, you can check connectivity to a destination IP address across the tunnel. The network monitoring profile on the firewall allows you to verify connectivity (using ICMP) to a destination IP address or a next hop at a specified polling interval, and to specify an action on failure to access the monitored IP address.

If the destination IP is unreachable, you either configure the firewall to wait for the tunnel to recover or configure automatic failover to another tunnel. In either case, the firewall generates a system log that alerts you to a tunnel failure and renegotiates the IPSec keys to accelerate recovery.

The default monitoring profile is configured to wait for the tunnel to recover; the polling interval is 3 seconds and the failure threshold is 5.

See Set Up Tunnel Monitoring for configuration details.


Internet Key Exchange (IKE) for VPN

The IKE process allows the VPN peers at both ends of the tunnel to encrypt and decrypt packets using mutually agreed-upon keys or certificates and method of encryption. The IKE process occurs in two phases: IKE Phase 1 and IKE Phase 2. Each of these phases uses keys and encryption algorithms that are defined using cryptographic profiles (the IKE crypto profile and the IPSec crypto profile), and the result of the IKE negotiation is a Security Association (SA). An SA is a set of mutually agreed-upon keys and algorithms that are used by both VPN peers to allow the flow of data across the VPN tunnel. The following illustration depicts the key exchange process for setting up the VPN tunnel:

IKE Phase 1

In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports the use of pre-shared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Pre-shared keys are a simple solution for securing smaller networks because they do not require the support of a PKI infrastructure. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.

When using certificates, make sure that the CA issuing the certificate is trusted by both gateway peers and that the maximum length of certificates in the certificate chain is 5 or less. With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to 5 certificates in the certificate chain and successfully establish a VPN tunnel.

The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:

Diffie-Hellman (DH) group for generating symmetrical keys for IKE. The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share. The DH groups supported on the firewall are: Group 1 (768 bits), Group 2 (1024 bits, default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group).

Authentication algorithms: sha1, sha256, sha384, sha512, or md5

Encryption algorithms: 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des


IKE Phase 2

After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.

IPSec uses the following protocols to enable secure communication:

Encapsulating Security Payload (ESP): Allows you to encrypt the entire IP packet, and authenticate the source and verify integrity of the data. While ESP requires that you encrypt and authenticate the packet, you can choose to only encrypt or only authenticate by setting the encryption option to Null; using encryption without authentication is discouraged.

Authentication Header (AH): Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.

Table: Algorithms Supported for IPSEC Authentication and Encryption

Diffie-Hellman (DH) exchange options supported (ESP and AH):

  Group 1: 768 bits
  Group 2: 1024 bits (the default)
  Group 5: 1536 bits
  Group 14: 2048 bits
  Group 19: 256-bit elliptic curve group
  Group 20: 384-bit elliptic curve group
  no-pfs: By default, perfect forward secrecy (PFS) is enabled, which means a new DH key is generated in IKE phase 2 using one of the groups listed above. This key is independent of the keys exchanged in IKE phase 1 and provides better data transfer security. If you select no-pfs, the DH key created at phase 1 is not renewed and a single key is used for the IPSec SA negotiations. Both VPN peers must be enabled or disabled for PFS.

Encryption algorithms supported (ESP only; AH does not encrypt):

  3des: Triple Data Encryption Standard (3DES) with a security strength of 112 bits
  aes-128-cbc: Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
  aes-192-cbc: AES using CBC with a security strength of 192 bits
  aes-256-cbc: AES using CBC with a security strength of 256 bits
  aes-128-ccm: AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
  aes-128-gcm: AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
  aes-256-gcm: AES using GCM with a security strength of 256 bits
  des: Data Encryption Standard (DES) with a security strength of 56 bits

Authentication algorithms supported (ESP and AH):

  md5, sha1, sha256, sha384, sha512

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

IPSec VPN tunnels can be secured using manual keys or auto keys. In addition, IPSec configuration options include Diffie-Hellman Group for key agreement, and/or an encryption algorithm and a hash for message authentication.

Manual Key: Manual key is typically used if the Palo Alto Networks firewall is establishing a VPN tunnel with a legacy device, or if you want to reduce the overhead of generating session keys. If using manual keys, the same key must be configured on both peers. Manual keys are not recommended for establishing a VPN tunnel because the session keys can be compromised when relaying the key information between the peers; if the keys are compromised, the data transfer is no longer secure.

Auto Key: Auto Key allows you to automatically generate keys for setting up and maintaining the IPSec tunnel based on the algorithms defined in the IPSec Crypto profile.

IKEv2

An IPSec VPN gateway uses IKEv1 or IKEv2 to negotiate the IKE security association (SA) and IPSec tunnel. IKEv2 is defined in RFC 5996.

Unlike IKEv1, which uses Phase 1 SA and Phase 2 SA, IKEv2 uses a child SA for Encapsulating Security Payload (ESP) or Authentication Header (AH), which is set up with an IKE SA.

NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device.

IKEv2 provides the following benefits over IKEv1:

Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either nine messages (in main mode) or six messages (in aggressive mode).

Built-in NAT-T functionality improves compatibility between vendors.

Built-in health check automatically re-establishes a tunnel if it goes down. The liveness check replaces the Dead Peer Detection used in IKEv1.

Supports traffic selectors (one per exchange). The traffic selectors are used in IKE negotiations to control what traffic can access the tunnel.

Supports Hash and URL certificate exchange to reduce fragmentation.


Resiliency against DoS attacks with improved peer validation. An excessive number of half-open SAs can trigger cookie validation.

Before configuring IKEv2, you should be familiar with the following concepts:

Liveness Check

Cookie Activation Threshold and Strict Cookie Validation

Traffic Selectors

Hash and URL Certificate Exchange

SA Key Lifetime and Re-Authentication Interval

After you Set Up an IKE Gateway, if you chose IKEv2, perform the following optional tasks related to IKEv2 as required by your environment:

Export a Certificate for a Peer to Access Using Hash and URL

Import a Certificate for IKEv2 Gateway Authentication

Change the Key Lifetime or Authentication Interval for IKEv2

Change the Cookie Activation Threshold for IKEv2

Configure IKEv2 Traffic Selectors

Liveness Check

The liveness check for IKEv2 is similar to Dead Peer Detection (DPD), which IKEv1 uses as the way to determine whether a peer is still available.

In IKEv2, the liveness check is achieved by any IKEv2 packet transmission or an empty informational message that the gateway sends to the peer at a configurable interval, five seconds by default. If necessary, the sender attempts the retransmission up to ten times. If it doesn't get a response, the sender closes and deletes the IKE_SA and corresponding CHILD_SAs. The sender will start over by sending out another IKE_SA_INIT message.

Cookie Activation Threshold and Strict Cookie Validation

Cookie validation is always enabled for IKEv2; it helps protect against half-SA DoS attacks. You can configure the global threshold number of half-open SAs that will trigger cookie validation. You can also configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA.

The Cookie Activation Threshold is a global VPN session setting that limits the number of simultaneous half-opened IKE SAs (default is 500). When the number of half-opened IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie to validate the connection. If the cookie validation is successful, another SA can be initiated. A value of 0 means that cookie validation is always on.

The Responder does not maintain a state of the Initiator, nor does it perform a Diffie-Hellman key exchange, until the Initiator returns the cookie. IKEv2 cookie validation mitigates a DoS attack that would try to leave numerous connections half open.

The Cookie Activation Threshold must be lower than the Maximum Half Opened SA setting. If you Change the Cookie Activation Threshold for IKEv2 to a very high number (for example, 65534) and the Maximum Half Opened SA setting remained at the default value of 65535, cookie validation is essentially disabled.


You can enable Strict Cookie Validation if you want cookie validation performed for every new IKEv2 SA a gateway receives, regardless of the global threshold. Strict Cookie Validation affects only the IKE gateway being configured and is disabled by default. If Strict Cookie Validation is disabled, the system uses the Cookie Activation Threshold to determine whether a cookie is needed or not.
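The responder-side behaviour described in the two sections above (cookie requested once half-opened SAs exceed the threshold, threshold 0 and Strict Cookie Validation meaning "always", no state or DH until the cookie comes back, threshold required to be below Maximum Half Opened SA) as an added Python model; it is not PAN-OS code. The defaults are the ones the text gives; the cookie construction (a keyed hash over the initiator's address and SPI, in the spirit of RFC 7296 section 2.6) and the addresses and SPIs in the scenario are assumptions.

```python
"""IKEv2 cookie activation, modelled on the behaviour described above. This is an
added example, not PAN-OS code. Defaults (threshold 500, Maximum Half Opened SA
65535, strict validation off) are the ones the text gives; the cookie construction
(keyed hash over initiator address and SPI, RFC 7296 section 2.6 style) and the
addresses and SPIs used in the scenario are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class IkeResponder:
    def __init__(self, cookie_threshold: int = 500, max_half_open: int = 65535,
                 strict_cookie: bool = False):
        # The threshold must stay below Maximum Half Opened SA, or validation never triggers.
        if cookie_threshold >= max_half_open:
            raise ValueError("Cookie Activation Threshold must be lower than Maximum Half Opened SA")
        self.threshold = cookie_threshold
        self.max_half_open = max_half_open
        self.strict = strict_cookie
        self.secret = os.urandom(32)                      # responder-local, never sent
        self.half_open: Dict[Tuple[str, bytes], str] = {}  # state exists only after the cookie round

    def _cookie(self, initiator_ip: str, spi_i: bytes) -> bytes:
        return hmac.new(self.secret, initiator_ip.encode() + spi_i, hashlib.sha256).digest()[:16]

    def cookie_required(self) -> bool:
        # Strict Cookie Validation or a threshold of 0 means "always"; otherwise only once
        # the number of half-opened SAs exceeds the Cookie Activation Threshold.
        return self.strict or self.threshold == 0 or len(self.half_open) > self.threshold

    def ike_sa_init(self, initiator_ip: str, spi_i: bytes,
                    cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """("COOKIE", cookie): the initiator must retry IKE_SA_INIT with this cookie; nothing
        is stored and no DH is performed. ("SA_INIT_OK", None): a half-open SA now exists.
        ("REJECT", None): the Maximum Half Opened SA limit has been reached."""
        expected = self._cookie(initiator_ip, spi_i)
        if self.cookie_required() and (cookie is None or not hmac.compare_digest(cookie, expected)):
            return ("COOKIE", expected)
        if len(self.half_open) >= self.max_half_open:
            return ("REJECT", None)
        self.half_open[(initiator_ip, spi_i)] = "half-open"
        return ("SA_INIT_OK", None)

    def ike_auth(self, initiator_ip: str, spi_i: bytes) -> str:
        """A completed IKE_AUTH turns the half-open SA into an established one."""
        if self.half_open.pop((initiator_ip, spi_i), None) is None:
            return "REJECT"
        return "ESTABLISHED"


def legit_initiator(responder: IkeResponder, ip: str, spi_i: bytes) -> str:
    """A well-behaved initiator simply echoes the cookie and continues."""
    status, cookie = responder.ike_sa_init(ip, spi_i)
    if status == "COOKIE":
        status, _ = responder.ike_sa_init(ip, spi_i, cookie=cookie)
    return status


def simulate_half_open_flood(threshold: int, n: int):
    """Constructed scenario: n initiators that never answer the cookie request.
    Returns the per-initiator outcomes and how many half-open SAs the responder kept."""
    r = IkeResponder(cookie_threshold=threshold)
    outcomes = [r.ike_sa_init(f"192.0.2.{i + 1}", i.to_bytes(8, "big"))[0] for i in range(n)]
    return outcomes, len(r.half_open)


if __name__ == "__main__":
    print(simulate_half_open_flood(threshold=3, n=6))
```

With a threshold of 3, the fourth initiator still gets a half-open SA (the count is not yet above the threshold); from the fifth onward the responder only answers with a cookie and keeps no state, so initiators that never return it cannot push the half-open count any higher.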

Traffic Selectors

In IKEv1, a firewall that has a route-based VPN needs to use a local and remote Proxy ID in order to set up an IPSec tunnel. Each peer compares its Proxy IDs with what it received in the packet in order to successfully negotiate IKE Phase 2. IKE Phase 2 is about negotiating the SAs to set up an IPSec tunnel. (For more information on Proxy IDs, see Tunnel Interface.)

In IKEv2, you can Configure IKEv2 Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; otherwise, one side narrows its address range to reach agreement. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented.

The IPv4 and IPv6 traffic selectors are:

Source IP address: A network prefix, address range, specific host, or wildcard.

Destination IP address: A network prefix, address range, specific host, or wildcard.

Protocol: A transport protocol, such as TCP or UDP.

Source port: The port where the packet originated.

Destination port: The port the packet is destined for.

During IKE negotiation, there can be multiple traffic selectors for different networks and protocols. For example, the Initiator might indicate that it wants to send TCP packets from 172.168.0.0/16 through the tunnel to its peer, destined for 198.5.0.0/16. It also wants to send UDP packets from 172.17.0.0/16 through the same tunnel to the same gateway, destined for 0.0.0.0 (any network). The peer gateway must agree to these traffic selectors so that it knows what to expect.

It is possible that one gateway will start negotiation using a traffic selector that is a more specific IP address than the IP address of the other gateway.

For example, gateway A offers a source IP address of 172.16.0.0/16 and a destination IP address of 192.16.0.0/16. But gateway B is configured with 0.0.0.0 (any source) as the source IP address and 0.0.0.0 (any destination) as the destination IP address. Therefore, gateway B narrows down its source IP address to 192.16.0.0/16 and its destination address to 172.16.0.0/16. Thus, the narrowing down accommodates the addresses of gateway A and the traffic selectors of the two gateways are in agreement.

If gateway B (configured with source IP address 0.0.0.0) is the Initiator instead of the Responder, gateway A will respond with its more specific IP addresses, and gateway B will narrow down its addresses to reach agreement.
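The gateway A / gateway B narrowing described above, worked through in an added Python example (not PAN-OS code). Selectors are modelled as a network prefix plus protocol and port range; narrowing is the intersection of the initiator's proposal with the responder's configuration, with the responder's source and destination swapped because its configuration is written from its own point of view. The TS_UNACCEPTABLE outcome for selectors that do not overlap and the extra protocol/port cases are generalizations beyond the text's address-only example.

```python
"""IKEv2 traffic selector narrowing, following the gateway A / gateway B example
above. Added example, not PAN-OS code. The responder's reply is computed from its
own perspective, so its source is matched against the initiator's destination and
vice versa. Protocol and port handling are a generalization of the text's
address-only example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Selector:
    network: ipaddress.IPv4Network          # prefix; 0.0.0.0/0 is the wildcard ("any")
    protocol: int = 0                       # 0 = any transport protocol
    ports: Tuple[int, int] = (0, 65535)     # inclusive port range


def sel(net: str, protocol: int = 0, ports: Tuple[int, int] = (0, 65535)) -> Selector:
    return Selector(ipaddress.IPv4Network(net), protocol, ports)


def narrow(mine: Selector, theirs: Selector) -> Optional[Selector]:
    """Intersection of two selectors, or None when they cannot be reconciled
    (the responder would answer TS_UNACCEPTABLE)."""
    if mine.network.subnet_of(theirs.network):
        net = mine.network
    elif theirs.network.subnet_of(mine.network):
        net = theirs.network
    else:
        return None                              # neither prefix contains the other
    if mine.protocol and theirs.protocol and mine.protocol != theirs.protocol:
        return None
    lo, hi = max(mine.ports[0], theirs.ports[0]), min(mine.ports[1], theirs.ports[1])
    if lo > hi:
        return None
    return Selector(net, mine.protocol or theirs.protocol, (lo, hi))


def negotiate(initiator_src: Selector, initiator_dst: Selector,
              responder_src: Selector, responder_dst: Selector):
    """Return the responder's narrowed (src, dst) pair from its own point of view,
    or None when no agreement is possible."""
    # On the wire, the initiator's source is the responder's destination and vice versa.
    r_src = narrow(responder_src, initiator_dst)
    r_dst = narrow(responder_dst, initiator_src)
    if r_src is None or r_dst is None:
        return None
    return r_src, r_dst


# The example from the text: A proposes 172.16.0.0/16 -> 192.16.0.0/16, B is configured "any".
GATEWAY_A = (sel("172.16.0.0/16"), sel("192.16.0.0/16"))
GATEWAY_B = (sel("0.0.0.0/0"), sel("0.0.0.0/0"))

if __name__ == "__main__":
    print("B responds with:", negotiate(*GATEWAY_A, *GATEWAY_B))
    print("A responds with:", negotiate(*G&ATEWAY_B, *GATEWAY_A) if False else negotiate(*GATEWAY_B, *GATEWAY_A))
```

Run in either direction the result matches the text: as responder, B narrows to source 192.16.0.0/16 and destination 172.16.0.0/16; if B initiates with "any", A answers with its own specific prefixes and B then narrows to them.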


Hash and URL Certificate Exchange

IKEv2 supports Hash and URL Certificate Exchange, which is used during an IKEv2 negotiation of an SA. You store the certificate on an HTTP server, which is specified by a URL. The peer fetches the certificate from the server based on receiving the URL to the server. The hash is used to check whether the content of the certificate is valid or not. Thus, the two peers exchange certificates with the HTTP CA rather than with each other.

The hash part of Hash and URL reduces the message size and thus Hash and URL is a way to reduce the likelihood of packet fragmentation during IKE negotiation. The peer receives the certificate and hash that it expects, and thus IKE Phase 1 has validated the peer. Reducing fragmentation occurrences helps protect against DoS attacks.

You can enable the Hash and URL certificate exchange when configuring an IKE gateway by selecting HTTP Certificate Exchange and entering the Certificate URL. The peer must also use Hash and URL certificate exchange in order for the exchange to be successful. If the peer cannot use Hash and URL, X.509 certificates are exchanged similarly to how they are exchanged in IKEv1.

If you enable the Hash and URL certificate exchange, you must export your certificate to the certificate server if it is not already there. When you export the certificate, the file format should be Binary Encoded Certificate (DER). See Export a Certificate for a Peer to Access Using Hash and URL.

SA Key Lifetime and Re-Authentication Interval

In IKEv2, two IKE crypto profile values, Key Lifetime and IKEv2 Authentication Multiple, control the establishment of IKEv2 IKE SAs. The key lifetime is the length of time that a negotiated IKE SA key is effective. Before the key lifetime expires, the SA must be re-keyed; otherwise, upon expiration, the SA must begin a new IKEv2 IKE SA re-key. The default value is 8 hours.

The re-authentication interval is derived by multiplying the Key Lifetime by the IKEv2 Authentication Multiple. The authentication multiple defaults to 0, which disables the re-authentication feature. The range of the authentication multiple is 0-50. So, if you were to configure an authentication multiple of 20, for example, the system would perform re-authentication every 20 re-keys, which is every 160 hours. That means the gateway could perform Child SA creation for 160 hours before the gateway must re-authenticate with IKE to recreate the IKE SA from scratch.

In IKEv2, the Initiator and Responder gateways have their own key lifetime value, and the gateway with the shorter key lifetime is the one that will request that the SA be re-keyed.


Set Up Site-to-Site VPN

To set up site-to-site VPN:

Make sure that your Ethernet interfaces, virtual routers, and zones are configured properly. For more information, see Configure Interfaces and Zones.

Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate zone, so that tunneled traffic can use different policies.

Set up static routes or assign routing protocols to redirect traffic to the VPN tunnels. To support dynamic routing (OSPF, BGP, RIP are supported), you must assign an IP address to the tunnel interface.

Define IKE gateways for establishing communication between the peers across each end of the VPN tunnel; also define the cryptographic profile that specifies the protocols and algorithms for identification, authentication, and encryption to be used for setting up VPN tunnels in IKEv1 Phase 1. See Set Up an IKE Gateway and Define IKE Crypto Profiles.

Configure the parameters that are needed to establish the IPSec connection for transfer of data across the VPN tunnel; see Set Up an IPSec Tunnel. For IKEv1 Phase 2, see Define IPSec Crypto Profiles.

(Optional) Specify how the firewall will monitor the IPSec tunnels. See Set Up Tunnel Monitoring.

Define security policies to filter and inspect the traffic. If there is a deny rule at the end of the security rulebase, intra-zone traffic is blocked unless otherwise allowed. Rules to allow IKE and IPSec applications must be explicitly included above the deny rule.

When these tasks are complete, the tunnel is ready for use. Traffic destined for the zones/addresses defined in policy is automatically routed properly based on the destination route in the routing table, and handled as VPN traffic. For a few examples on site-to-site VPN, see Site-to-Site VPN Quick Configs.

For troubleshooting purposes, you can Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel.

Set Up an IKE Gateway
To set up a VPN tunnel, the VPN peers or gateways must authenticate each other using pre-shared keys or digital certificates and establish a secure channel in which to negotiate the IPSec security association (SA) that will be used to secure traffic between the hosts on each side.

Set Up an IKE Gateway

Step 1. Define the IKE Gateway.
1. Select Network > Network Profiles > IKE Gateways, click Add, and on the General tab, enter the Name of the gateway.
2. For Version, select IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode. The IKE gateway begins its negotiation with its peer in the mode specified here. If you select IKEv2 preferred mode, the two peers will use IKEv2 if the remote peer supports it; otherwise they will use IKEv1. (The Version selection also determines which options are available on the Advanced Options tab.)

Step 2. Establish the local endpoint of the tunnel (gateway).
1. For Address Type, click IPv4 or IPv6.
2. Select the physical, outgoing Interface on the firewall where the local gateway resides.
3. From the Local IP Address drop-down, select the IP address that will be used as the endpoint for the VPN connection. This is the external-facing interface with a publicly routable IP address on the firewall.

Step 3. Establish the peer at the far end of the tunnel (gateway).
1. Select the Peer IP Type to be a Static or Dynamic address assignment.
2. If the Peer IP Address is static, enter the IP address of the peer.

Step 4. Specify how the peer is authenticated.
Select the Authentication method: Pre-Shared Key or Certificate. If you choose Pre-Shared Key, proceed to Step 5. If you choose Certificate, proceed to Step 6.

Step 5. Configure a pre-shared key.
1. Enter a Pre-shared Key, which is the security key to use for authentication across the tunnel. Re-enter the value to Confirm Pre-shared Key.
   Generate a long, random key that is difficult to crack with dictionary attacks; use a pre-shared key generator, if necessary. This matters most with IKEv1 aggressive mode, where the hash derived from the pre-shared key is sent before the channel is encrypted and can be attacked offline.
2. For Local Identification, choose from the following types and enter a value that you determine: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). Local identification defines the format and identification of the local gateway. If no value is specified, the local IP address will be used as the local identification value.
3. For Peer Identification, choose from the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). Peer identification defines the format and identification of the peer gateway. If no value is specified, the peer IP address will be used as the peer identification value.
4. Proceed to Step 7 and continue from there.

Step 6. Configure certificate-based authentication. Perform the remaining steps in this procedure if you selected Certificate as the method of authenticating the peer gateway at the opposite end of the tunnel.
1. Select a Local Certificate that is already on the firewall from the drop-down, or Import a certificate, or Generate to create a new certificate.
   If you want to Import a certificate, see Import a Certificate for IKEv2 Gateway Authentication and then return to this task.
   If you want to Generate a new certificate, generate a certificate on the firewall and then return to this task.
2. Click the HTTP Certificate Exchange check box if you want to configure Hash and URL (IKEv2 only). For an HTTP certificate exchange, enter the Certificate URL. For more information, see Hash and URL Certificate Exchange.
3. Select the Local Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, User FQDN (email address), and enter the value. Local identification defines the format and identification of the local gateway.
4. Select the Peer Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, User FQDN (email address), and enter the value. Peer identification defines the format and identification of the peer gateway.
5. Select one type of Peer ID Check:
   - Exact: Check this to ensure that the local setting and the peer IKE ID payload match exactly.
   - Wildcard: Check this to allow the peer identification to match as long as every character before the wildcard (*) matches. The characters after the wildcard need not match.
6. Click Permit peer identification and certificate payload identification mismatch if you want to allow a successful IKE SA even when the peer identification does not match the peer identification in the certificate. Leave this clear unless a specific peer requires it; with it set, the identity asserted in IKE is no longer bound to the identity the certificate authenticates.
7. Choose a Certificate Profile from the drop-down. A certificate profile contains information about how to authenticate the peer gateway.
8. Click Enable strict validation of peer's extended key use if you want to strictly control how the key can be used.

Step 7. Configure advanced options for the gateway.
1. Select the Advanced Options tab.
2. In the Common Options section, Enable Passive Mode if you want the firewall to only respond to IKE connection requests and never initiate them.
3. Enable NAT Traversal if you have a device performing NAT between the gateways, to have UDP encapsulation used on the IKE and ESP protocols, enabling them to pass through intermediate NAT devices.
4. If you chose IKEv1 only mode in Step 1, on the IKEv1 tab:
   - Choose auto, aggressive, or main for the Exchange Mode. When a device is set to use auto exchange mode, it can accept both main mode and aggressive mode negotiation requests; however, whenever possible, it initiates negotiation and allows exchanges in main mode.
     If the exchange mode is not set to auto, you must configure both peers with the same exchange mode to allow each peer to accept negotiation requests.
   - Select an existing profile or keep the default profile from the IKE Crypto Profile drop-down. For details on defining an IKE Crypto profile, see Define IKE Crypto Profiles.
   - (Only if using certificate-based authentication and the exchange mode is not set to aggressive mode) Click Enable Fragmentation to enable the firewall to operate with IKE Fragmentation.
   - Click Dead Peer Detection and enter an Interval (range is 2-100 seconds). For Retry, define the time to delay (range is 2-100 seconds) before attempting to re-check availability. Dead peer detection identifies inactive or unavailable IKE peers by sending an IKE phase 1 notification payload to the peer and waiting for an acknowledgment.
5. If you chose IKEv2 only mode or IKEv2 preferred mode in Step 1, on the IKEv2 tab:
   - Select an IKE Crypto Profile from the drop-down, which configures IKE Phase 1 options such as the DH group, the hash (authentication) algorithm, and the encryption algorithm. For information about IKE crypto profiles, see IKE Phase 1.
   - Enable Strict Cookie Validation if you want to always enforce cookie validation on IKEv2 SAs for this gateway. See Cookie Activation Threshold and Strict Cookie Validation.
   - Enable Liveness Check and enter an Interval (sec) (default is 5) if you want to have the gateway send a message request to its gateway peer, requesting a response. If necessary, the Initiator attempts the liveness check up to 10 times. If it doesn't get a response, the Initiator closes and deletes the IKE_SA and CHILD_SA. The Initiator will start over by sending out another IKE_SA_INIT.

Step 8. Save the changes.
Click OK and Commit.


Export a Certificate for a Peer to Access Using Hash and URL
IKEv2 supports Hash and URL Certificate Exchange as a method of having the peer at the remote end of the tunnel fetch the certificate from a server where you have exported the certificate. Perform this task to export your certificate to that server. You must have already created a certificate using Device > Certificate Management.

Export a Certificate for Hash and URL
Step 1. Export a certificate for a peer to access using Hash and URL certificate exchange.
1. Select Device > Certificates, and if your platform supports multiple virtual systems, for Location, select the appropriate virtual system.
2. On the Device Certificates tab, select the certificate to Export to the server.
   The status of the certificate should be valid, not expired. The firewall will not stop you from exporting an invalid certificate.
3. For File Format, select Binary Encoded Certificate (DER).
4. Leave Export private key clear. Exporting the private key is unnecessary for Hash and URL, and the exported file is published on a server that peers fetch from.
5. Click OK.

Import a Certificate for IKEv2 Gateway Authentication
Perform this task if you are authenticating a peer for an IKEv2 gateway and you did not use a local certificate already on the firewall; you want to import a certificate from elsewhere.
This task presumes that you selected Network > IKE Gateways, added a gateway, and for Local Certificate, you clicked Import.

Import a Certificate for IKEv2 Gateway Authentication
Step 1. Import a certificate.
1. Select Network > IKE Gateways, Add a gateway, and on the General tab, for Authentication, select Certificate. For Local Certificate, click Import.
2. In the Import Certificate window, enter a Certificate Name for the certificate you are importing.
3. Select Shared if this certificate is to be shared among multiple virtual systems.
4. For Certificate File, Browse to the certificate file. Click on the file name and click Open, which populates the Certificate File field.
5. For File Format, select one of the following:
   - Base64 Encoded Certificate (PEM): Contains the certificate, but not the key. It is clear text.
   - Encrypted Private Key and Certificate (PKCS12): Contains both the certificate and the key.
6. Select Import private key if the key is in a different file from the certificate file. The key is optional, with the following exception: you must import a key if you set the File Format to PEM, because the firewall needs the private key to authenticate itself as the local gateway.
   Enter a Key file by clicking Browse and navigating to the key file to import.
   Enter a Passphrase and Confirm Passphrase.
7. Click OK.

Step 2. After you perform this task, return to Set Up an IKE Gateway and resume Step 6.

Change the Key Lifetime or Authentication Interval for IKEv2
This task is optional; the default setting of the IKEv2 IKE SA rekey lifetime is 8 hours. The default setting of the IKEv2 Authentication Multiple is 0, meaning the reauthentication feature is disabled. For more information, see SA Key Lifetime and Re-Authentication Interval.
To change the default values, perform the following task. A prerequisite is that an IKE crypto profile already exists.

Change the SA Key Lifetime or Authentication Interval
Step 1. Change the SA key lifetime or authentication interval for an IKE Crypto profile.
1. Select Network > Network Profiles > IKE Crypto and select the IKE Crypto profile that applies to the local gateway.
2. For the Key Lifetime, select a unit (Seconds, Minutes, Hours, or Days) and enter a value. The minimum is three minutes.
3. For IKE Authentication Multiple, enter a value, which is multiplied by the lifetime to determine the reauthentication interval.

Step 2. Save the configuration.
Click OK and Commit.


Change the Cookie Activation Threshold for IKEv2
Perform the following task if you want a firewall to have a threshold different from the default setting of 500 half-opened SA sessions before cookie validation is required. For more information about cookie validation, see Cookie Activation Threshold and Strict Cookie Validation.

Change the Cookie Activation Threshold
Step 1. Change the Cookie Activation Threshold.
1. Select Device > Setup > Session and edit the VPN Session Settings. For Cookie Activation Threshold, enter the maximum number of half-opened SAs that are allowed before the responder requests a cookie from the initiator (range is 0-65535; default is 500).
2. Click OK.

Step 2. Save the configuration.
Click OK and Commit.

Configure IKEv2 Traffic Selectors

Configure Traffic Selectors for IKEv2
Step 1. Configure Traffic Selectors.
1. Select Network > IPSec Tunnels > Proxy IDs.
2. Select the IPv4 or IPv6 tab.
3. Click Add and enter the Name in the Proxy ID field.
4. In the Local field, enter the Source IP Address.
5. In the Remote field, enter the Destination IP Address.
6. In the Protocol field, select the transport protocol (TCP or UDP) from the drop-down.
7. Click OK.

Define Cryptographic Profiles
A cryptographic profile specifies the ciphers used for authentication and/or encryption between two IKE peers, and the lifetime of the key. The time period between each renegotiation is known as the lifetime; when the specified time expires, the firewall renegotiates a new set of keys.
For securing communication across the VPN tunnel, the firewall requires IKE and IPSec cryptographic profiles for completing IKE phase 1 and phase 2 negotiations, respectively. The firewall includes a default IKE crypto profile and a default IPSec crypto profile that is ready for use.
- Define IKE Crypto Profiles
- Define IPSec Crypto Profiles


Define IKE Crypto Profiles
The IKE crypto profile is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and the lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.
All IKE gateways configured on the same interface or local IP address must use the same crypto profile.

Define an IKE Crypto Profile
Step 1. Create a new IKE profile.
1. Select Network > Network Profiles > IKE Crypto and select Add.
2. Enter a Name for the new profile.

Step 2. Specify the DH Group (Diffie-Hellman group) for key exchange, and the Authentication and Encryption algorithms.
Click Add in the corresponding sections (DH Group, Authentication, and Encryption) and select from the drop-downs. If you are not certain of what the VPN peers support, add multiple groups or algorithms in the order of most to least secure as follows; the peers negotiate the strongest supported group or algorithm to establish the tunnel:
- DH Group: group20, group19, group14, group5, group2, and group1.
- Authentication: sha512, sha384, sha256, sha1, md5.
- Encryption: aes-256-cbc, aes-192-cbc, aes-128-cbc, 3des, des.
DES is available to provide backward compatibility with legacy devices that do not support stronger encryption, but as a best practice always use a stronger encryption algorithm, such as 3DES or AES if the peer can support it. Every group or algorithm you list is one the peer is allowed to select, so include the legacy entries (des, md5, group1, group2) only when a specific peer requires them.

Step 3. Specify the duration for which the key is valid and the reauthentication interval. For details, see SA Key Lifetime and Re-Authentication Interval.
1. In the Key Lifetime fields, specify the period (in seconds, minutes, hours, or days) for which the key is valid. (Range is 3 minutes to 365 days; default is 8 hours.) When the key expires, the firewall renegotiates a new key. A lifetime is the period between each renegotiation.
2. For the IKEv2 Authentication Multiple, specify a value (range is 0-50) that is multiplied by the Key Lifetime to determine the authentication count. The default value of 0 disables the reauthentication feature.

Step 4. Save your IKE Crypto profile.
Click OK and click Commit.

Step 5. Attach the IKE Crypto profile to the IKE Gateway configuration.
See Step 7 in Set Up an IKE Gateway.
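The following Python script is an added example, not code from this guide or from Palo Alto Networks. It models the two rules the preceding steps describe: two IKE crypto profiles whose proposals are ordered most-to-least secure negotiate the strongest group or algorithm both sides list (or fail with no proposal chosen), and the IKEv2 re-authentication interval is Key Lifetime multiplied by the IKEv2 Authentication Multiple (the 8 hours x 20 = 160 hours case from SA Key Lifetime and Re-Authentication Interval, which is also what Change the Key Lifetime or Authentication Interval for IKEv2 sets). The profile names, proposal lists and lifetimes are constructed; the firewall's own selection code is not shown on the page, so the selection rule here is the guide's description, not an implementation detail.

```python
"""Added example (not Palo Alto Networks code): IKE crypto profile negotiation
and IKEv2 re-authentication interval, following the rules the guide states.
Profile names and proposal lists are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Strength rankings (strongest first) mirror the ordering the guide recommends.
DH_RANK = ["group20", "group19", "group14", "group5", "group2", "group1"]
AUTH_RANK = ["sha512", "sha384", "sha256", "sha1", "md5"]
ENC_RANK = ["aes-256-cbc", "aes-192-cbc", "aes-128-cbc", "3des", "des"]

# Entries that should only be listed for backward compatibility with legacy peers.
LEGACY = {"des", "md5", "group1", "group2", "group5"}

LIFETIME_UNITS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}
MIN_LIFETIME = 3 * 60            # guide: minimum is three minutes
MAX_LIFETIME = 365 * 86400       # guide: maximum is 365 days


@dataclass
class IkeCryptoProfile:
    name: str
    dh_groups: list
    auth: list
    encryption: list
    lifetime_value: int = 8
    lifetime_unit: str = "hours"
    auth_multiple: int = 0         # 0 disables IKEv2 re-authentication

    def lifetime_seconds(self) -> int:
        secs = self.lifetime_value * LIFETIME_UNITS[self.lifetime_unit]
        if not MIN_LIFETIME <= secs <= MAX_LIFETIME:
            raise ValueError(f"{self.name}: lifetime {secs}s outside 3 min..365 days")
        return secs

    def reauth_interval_seconds(self) -> Optional[int]:
        """IKEv2 re-auth interval = Key Lifetime x Authentication Multiple (0..50)."""
        if not 0 <= self.auth_multiple <= 50:
            raise ValueError("IKEv2 Authentication Multiple must be 0..50")
        if self.auth_multiple == 0:
            return None               # feature disabled
        return self.lifetime_seconds() * self.auth_multiple


def _strongest_common(rank, mine, peers):
    """The strongest entry (by rank) that both sides proposed, or None."""
    common = set(mine) & set(peers)
    for alg in rank:
        if alg in common:
            return alg
    return None


def negotiate(local: IkeCryptoProfile, peer: IkeCryptoProfile) -> dict:
    """Return the selected DH/auth/enc set plus warnings, or 'no proposal chosen'.

    A category with no overlap corresponds to the 'no proposal chosen' entry in
    the guide's error table.
    """
    chosen = {
        "dh": _strongest_common(DH_RANK, local.dh_groups, peer.dh_groups),
        "auth": _strongest_common(AUTH_RANK, local.auth, peer.auth),
        "enc": _strongest_common(ENC_RANK, local.encryption, peer.encryption),
    }
    if None in chosen.values():
        missing = [k for k, v in chosen.items() if v is None]
        return {"ok": False, "reason": f"no proposal chosen: no common {', '.join(missing)}"}
    warnings = [f"legacy algorithm negotiated: {v}" for v in chosen.values() if v in LEGACY]
    # IKEv2: the peer with the shorter lifetime is the one that requests the rekey.
    rekey_by = local.name if local.lifetime_seconds() <= peer.lifetime_seconds() else peer.name
    return {"ok": True, **chosen, "warnings": warnings, "rekey_requested_by": rekey_by}


# Constructed sample profiles: a modern local profile, a branch peer, a legacy-only peer.
LOCAL = IkeCryptoProfile("hq-ike", ["group20", "group19", "group14"],
                         ["sha512", "sha256"], ["aes-256-cbc", "aes-128-cbc"],
                         lifetime_value=8, lifetime_unit="hours", auth_multiple=20)
BRANCH = IkeCryptoProfile("branch-ike", ["group14", "group5", "group2"],
                          ["sha256", "sha1"], ["aes-128-cbc", "3des"],
                          lifetime_value=24, lifetime_unit="hours")
LEGACY_PEER = IkeCryptoProfile("legacy-ike", ["group2", "group1"], ["md5"], ["des"])

if __name__ == "__main__":
    print(negotiate(LOCAL, BRANCH))          # group14 / sha256 / aes-128-cbc
    print(negotiate(LOCAL, LEGACY_PEER))     # no proposal chosen
    print(LOCAL.reauth_interval_seconds() // 3600, "hours")  # 160
```

Run it as a script to see the three outcomes; `negotiate()` is also a quick pre-check before a commit when a peer sends you its proposal list, since anything that comes back with a legacy warning is a hint to trim the local profile rather than to accept the result.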


Define IPSec Crypto Profiles
The IPSec crypto profile is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IPSec SAs.

Define the IPSec Crypto Profile
Step 1. Create a new IPSec profile.
1. Select Network > Network Profiles > IPSec Crypto and select Add.
2. Enter a Name for the new profile.
3. Select the IPSec Protocol, ESP or AH, that you want to apply to secure the data as it traverses across the tunnel. AH authenticates the packet but does not encrypt it; choose ESP when the data needs confidentiality.
4. Click Add and select the Authentication and Encryption algorithms for ESP, and the Authentication algorithms for AH, so that the IKE peers can negotiate the keys for the secure transfer of data across the tunnel.
   If you are not certain of what the IKE peers support, add multiple algorithms in the order of most to least secure as follows; the peers negotiate the strongest supported algorithm to establish the tunnel:
   - Encryption: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn't support this option), aes-128-cbc, 3des, des.
     DES is available to provide backward compatibility with legacy devices that do not support stronger encryption, but as a best practice always use a stronger encryption algorithm, such as 3DES or AES if the peer can support it.
   - Authentication: sha512, sha384, sha256, sha1, md5.

Step 2. Select the DH Group to use for the IPSec SA negotiations in IKE phase 2.
Select the key strength that you want to use from the DH Group drop-down. If you are not certain of what the VPN peers support, add multiple groups in the order of most to least secure as follows; the peers negotiate the strongest supported group to establish the tunnel: group20, group19, group14, group5, group2, and group1.
Select no-pfs if you do not want to renew the key that was created at phase 1; the current key is reused for the IPSec SA negotiations. Without PFS, the IPSec keys are derived from the phase 1 keying material, so recovering that material would also expose the data keys. Both peers must agree on the PFS setting; otherwise phase 2 fails with a pfs group mismatch (see Interpret VPN Error Messages).

Step 3. Specify the duration of the key time and volume of traffic. Using a combination of time and traffic volume allows you to ensure safety of data.
- Select the Lifetime or time period for which the key is valid in seconds, minutes, hours, or days (range is 3 minutes to 365 days). When the specified time expires, the firewall will renegotiate a new set of keys.
- Select the Lifesize or volume of data after which the keys must be renegotiated.

Step 4. Save your IPSec profile.
Click OK and click Commit.

Step 5. Attach the IPSec Profile to an IPSec tunnel configuration.
See Step 4 in Set Up an IPSec Tunnel.


Set Up an IPSec Tunnel
The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.
If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy ID so that the setting on both peers is identical. If the Proxy ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy ID are source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any; and when these values are exchanged with the peer, it results in a failure to set up the VPN connection.
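The following Python script is an added example, not code from this guide or from Palo Alto Networks. It models the proxy-ID comparison described above: a policy-based peer accepts the phase 2 selectors only when they are the exact mirror of its own access list, so the route-based default (0.0.0.0/0 to 0.0.0.0/0, any) is rejected, and an explicitly configured proxy ID that mirrors the peer's rule is accepted. The addresses, names and the peer's access list are constructed, and the failure text is shaped after the Proxy ID entry in Interpret VPN Error Messages rather than taken from a real log.

```python
"""Added example (not Palo Alto Networks code): proxy-ID matching between a
route-based firewall and a policy-based VPN peer. Addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

PROTO_NUM = {"any": 0, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class ProxyId:
    name: str
    local: str             # subnet behind this peer
    remote: str            # subnet behind the far peer
    protocol: str = "any"  # any | tcp | udp | <protocol number as a string>
    local_port: int = 0
    remote_port: int = 0

    def __post_init__(self):
        # Normalise to network form so 10.1.0.5/24 and 10.1.0.0/24 compare equal.
        object.__setattr__(self, "local", str(ip_network(self.local, strict=False)))
        object.__setattr__(self, "remote", str(ip_network(self.remote, strict=False)))
        if self.protocol not in PROTO_NUM and not self.protocol.isdigit():
            raise ValueError(f"unknown protocol {self.protocol}")

    def proto_number(self) -> int:
        return PROTO_NUM[self.protocol] if self.protocol in PROTO_NUM else int(self.protocol)

    def mirrored(self) -> "ProxyId":
        """What this selector looks like from the far peer's point of view."""
        return ProxyId(self.name, self.remote, self.local, self.protocol,
                       self.remote_port, self.local_port)

    def key(self) -> tuple:
        return (self.local, self.remote, self.proto_number(), self.local_port, self.remote_port)


# The route-based default the guide describes when no proxy ID is configured.
ROUTE_BASED_DEFAULT = ProxyId("default", "0.0.0.0/0", "0.0.0.0/0", "any")


def phase2_selectors_match(ours: ProxyId, peers: ProxyId) -> Tuple[bool, Optional[str]]:
    """Return (ok, failure text). A policy-based peer requires the selector we
    send to be exactly the mirror of its own access-list entry."""
    if ours.key() == peers.mirrored().key():
        return True, None
    msg = (f"IKE phase-2 negotiation failed when processing Proxy ID. Received local id "
           f"{peers.local} type IPv4 address protocol {peers.proto_number()} port {peers.local_port}, "
           f"received remote id {peers.remote} type IPv4 address protocol {peers.proto_number()} "
           f"port {peers.remote_port}.")
    return False, msg


def choose_proxy_id(configured: List[ProxyId], peers: ProxyId) -> ProxyId:
    """Pick the configured proxy ID that mirrors the peer's access list; with none
    configured the route-based default is what gets sent, which is the failing case."""
    for pid in configured:
        if phase2_selectors_match(pid, peers)[0]:
            return pid
    return ROUTE_BASED_DEFAULT


# Constructed policy-based peer: its access list permits 10.2.0.0/24 -> 10.1.0.0/24.
PEER_ACL = ProxyId("peer-acl", "10.2.0.0/24", "10.1.0.0/24", "any")
# The proxy ID to configure on the firewall: the same pair of subnets, seen from our side.
FIXED = ProxyId("to-branch", "10.1.0.0/24", "10.2.0.0/24", "any")

if __name__ == "__main__":
    print(phase2_selectors_match(ROUTE_BASED_DEFAULT, PEER_ACL))  # (False, '...Proxy ID...')
    print(phase2_selectors_match(FIXED, PEER_ACL))                # (True, None)
    print(choose_proxy_id([FIXED], PEER_ACL).name)                # to-branch
```

The model reflects what the guide says about policy-based peers (the settings on both peers must be identical); a peer that narrows selectors would accept more than this, so use the script to reason about the failing case, not as a complete IKE negotiation.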
Set Up an IPSec Tunnel
Step 1. Select Network > IPSec Tunnels > General and enter a Name for the new tunnel.

Step 2. Select the Tunnel interface that will be used to set up the IPSec tunnel.
To create a new tunnel interface:
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
   - To use your trust zone as the termination point for the tunnel, select the zone from the drop-down. Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall mitigates the need to create inter-zone routing.
   - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-corp), and click OK.
4. In the Virtual Router drop-down, select default.
5. (Optional) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.31.32.1/32.
6. If you want to assign an IPv6 address to the tunnel interface, see Step 3.
7. To save the interface configuration, click OK.

Step 3. (Optional) Enable IPv6 on the tunnel interface.
1. Select the IPv6 tab on Network > Interfaces > Tunnel > IPv6.
2. Select the check box to Enable IPv6 on the interface.
   This option allows you to route IPv6 traffic over an IPv4 IPSec tunnel and will provide confidentiality between IPv6 networks. The IPv6 traffic is encapsulated by IPv4 and then ESP. To route IPv6 traffic to the tunnel, you can use a static route to the tunnel, or use OSPFv3, or use a Policy-Based Forwarding (PBF) rule to direct traffic to the tunnel.
3. Enter the 64-bit extended unique Interface ID in hexadecimal format, for example, 00:26:08:FF:FE:DE:4E:29. By default, the firewall will use the EUI-64 generated from the physical interface's MAC address.
4. To enter an IPv6 Address, click Add and enter an IPv6 address and prefix length, for example 2001:400:f00::1/64. If Prefix is not selected, the IPv6 address assigned to the interface will be wholly specified in the address text box.
   a. Select Use interface ID as host portion to assign an IPv6 address to the interface that will use the interface ID as the host portion of the address.
   b. Select Anycast to include routing through the nearest node.

Step 4. Select the type of key that will be used to secure the IPSec tunnel. Continue to one of the following steps, depending on what type of key exchange you are using:
- Set up Auto Key exchange.
- Set up a Manual Key exchange.

Set up Auto Key exchange.
1. Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway.
2. (Optional) Select the default IPSec Crypto Profile. To create a new IPSec Profile, see Define IPSec Crypto Profiles.

Set up a Manual Key exchange.
Manual keys are entered once and are never rekeyed by the firewall, so prefer Auto Key unless the peer cannot run IKE.
1. Set up the parameters for the local firewall:
   a. Specify the SPI for the local firewall. The SPI is a 32-bit hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows; it is used to create the SA required for establishing a VPN tunnel.
   b. Select the Interface that will be the tunnel endpoint, and optionally select the IP address for the local interface that is the endpoint of the tunnel.
   c. Select the protocol to be used, AH or ESP.
   d. For AH, select the Authentication method from the drop-down and enter a Key and then Confirm Key.
   e. For ESP, select the Authentication method from the drop-down and enter a Key and then Confirm Key. Then, select the Encryption method and enter a Key and then Confirm Key, if needed.
2. Set up the parameters that pertain to the remote VPN peer.
   a. Specify the SPI for the remote peer.
   b. Enter the Remote Address, the IP address of the remote peer.

Step 5. Protect against a replay attack. A replay attack occurs when a packet is maliciously intercepted and retransmitted by the interceptor.
Select the Show Advanced Options check box, and select Enable Replay Protection to detect and neutralize replay attacks.

Step 6. (Optional) Preserve the Type of Service header for the priority or treatment of IP packets.
In the Show Advanced Options section, select Copy TOS Header. This copies the Type of Service (TOS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information.
If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order, and packets that fall outside the replay-protection window are then dropped.

Step 7. Enable Tunnel Monitoring. You need to assign an IP address to the tunnel interface for monitoring.
To alert the device administrator to tunnel failures and to provide automatic failover to another tunnel interface:
1. Specify a Destination IP address on the other side of the tunnel to determine if the tunnel is working properly.
2. Select a Profile to determine the action on tunnel failure. To create a new profile, see Define a Tunnel Monitoring Profile.

Step 8. (Required only if the VPN peer uses policy-based VPN) Create a Proxy ID to identify the VPN peers.
1. Select Network > IPSec Tunnels and click Add.
2. Select the Proxy IDs tab.
3. Select the IPv4 or IPv6 tab.
4. Click Add and enter the Proxy ID name.
5. Enter the Local IP address or subnet for the VPN gateway.
6. Enter the Remote address for the VPN gateway.
7. Select the Protocol from the drop-down:
   - Number: Specify the protocol number (used for interoperability with third-party devices).
   - Any: Allows TCP and/or UDP traffic.
   - TCP: Specify the Local Port and Remote Port numbers.
   - UDP: Specify the Local Port and Remote Port numbers.
8. Click OK.

Step 9. Save your changes.
Click OK and Commit.


Set Up Tunnel Monitoring
To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the firewall. You can also monitor the status of the tunnel. These monitoring tasks are described in the following sections:
- Define a Tunnel Monitoring Profile
- View the Status of the Tunnels

Define a Tunnel Monitoring Profile
A tunnel monitoring profile allows you to verify connectivity between the VPN peers; you can configure the tunnel interface to ping a destination IP address at a specified interval and specify the action if the communication across the tunnel is broken.

Define a Tunnel Monitoring Profile
Step 1. Select Network > Network Profiles > Monitor. A default tunnel monitoring profile is available for use.
Step 2. Click Add, and enter a Name for the profile.
Step 3. Select the Action if the destination IP address is unreachable.
- Wait Recover: the firewall waits for the tunnel to recover. It continues to use the tunnel interface in routing decisions as if the tunnel were still active.
- Fail Over: forces traffic to a backup path if one is available. The firewall disables the tunnel interface, and thereby disables any routes in the routing table that use the interface.
In either case, the firewall attempts to accelerate the recovery by negotiating new IPSec keys.
Step 4. Specify the Interval and Threshold to trigger the specified action.
The Threshold specifies the number of heartbeats to wait before taking the specified action. The range is 2-100 and the default is 5.
The Interval measures the time between heartbeats. The range is 2-10 and the default is 3 seconds.
Step 5. Attach the monitoring profile to the IPSec Tunnel configuration. See Enable Tunnel Monitoring.
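The following Python script is an added example, not code from this guide or from Palo Alto Networks. It simulates a tunnel monitoring profile against a sequence of heartbeat results so you can see what Interval and Threshold mean in seconds-to-detect, and how Wait Recover and Fail Over differ in what happens to the routes that use the tunnel interface. The interface, routes, destination IP and heartbeat sequence are constructed, and the recovery behaviour after a failover (interface comes back once the destination answers again) is a simplification for illustration.

```python
"""Added example (not Palo Alto Networks code): simulate a tunnel monitoring
profile (Interval, Threshold, Action) and its effect on routing. Names, routes
and the heartbeat sequence are constructed."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class MonitorProfile:
    name: str
    action: str              # "wait-recover" or "fail-over"
    interval: int = 3        # seconds between heartbeats (guide: range 2..10, default 3)
    threshold: int = 5       # missed heartbeats before acting (guide: range 2..100, default 5)

    def __post_init__(self):
        if self.action not in ("wait-recover", "fail-over"):
            raise ValueError("action must be wait-recover or fail-over")
        if not 2 <= self.interval <= 10 or not 2 <= self.threshold <= 100:
            raise ValueError("interval 2..10 s, threshold 2..100 heartbeats")


@dataclass
class TunnelInterface:
    name: str
    ip: str                            # monitoring needs an IP on the tunnel interface
    routes: List[str]                  # destination prefixes that use this interface
    up: bool = True
    events: List[str] = field(default_factory=list)


@dataclass
class TunnelMonitor:
    profile: MonitorProfile
    iface: TunnelInterface
    dest_ip: str                       # monitored address on the far side of the tunnel
    missed: int = 0
    rekeyed: bool = False

    def heartbeat(self, reply_received: bool) -> None:
        """Process one ping to dest_ip; act once `threshold` consecutive replies are missing."""
        if reply_received:
            if self.missed >= self.profile.threshold:
                # Simplification: the path is usable again once the destination answers.
                self.iface.events.append("tunnel recovered")
                self.iface.up = True
            self.missed = 0
            return
        self.missed += 1
        if self.missed == self.profile.threshold:
            self._on_failure()

    def _on_failure(self) -> None:
        # Either action: the firewall tries to speed recovery by negotiating new IPSec keys.
        self.rekeyed = True
        self.iface.events.append(f"threshold reached after {self.missed * self.profile.interval}s")
        if self.profile.action == "fail-over":
            # Interface goes down, so its routes drop out of the routing table.
            self.iface.up = False
            self.iface.events.append("fail-over: interface down, routes withdrawn")
        else:
            self.iface.events.append("wait-recover: interface kept up, routes still used")

    def active_routes(self) -> List[str]:
        """Prefixes still routed via this tunnel interface."""
        return list(self.iface.routes) if self.iface.up else []

    def seconds_to_detect(self) -> int:
        """Worst-case time from first missed heartbeat to the configured action."""
        return self.profile.interval * self.profile.threshold


def run(profile: MonitorProfile, replies: List[bool]) -> TunnelMonitor:
    """Feed a heartbeat sequence through a monitor on a constructed tunnel interface."""
    iface = TunnelInterface("tunnel.11", "172.19.9.2", ["192.168.2.0/24"])
    mon = TunnelMonitor(profile, iface, "172.19.9.1")
    for r in replies:
        mon.heartbeat(r)
    return mon


# Constructed heartbeat sequence: two good replies, six misses, then the peer comes back.
REPLIES = [True, True, False, False, False, False, False, False, True]

if __name__ == "__main__":
    for action in ("wait-recover", "fail-over"):
        m = run(MonitorProfile("mon-" + action, action), REPLIES)
        print(action, m.seconds_to_detect(), "s", m.active_routes(), m.iface.events)
```

With the defaults the action fires 15 seconds after the first missed heartbeat; lowering Interval or Threshold detects faster at the cost of flapping on a lossy link, which is the trade-off to weigh before using Fail Over on a production tunnel.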


View the Status of the Tunnels
The status of the tunnel informs you about whether or not valid IKE phase 1 and phase 2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it cannot indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or fail over. When a failover occurs, the existing tunnel is torn down and routing changes are triggered to set up a new tunnel and redirect traffic.

View Tunnel Status
Step 1. Select Network > IPSec Tunnels.
Step 2. View the Tunnel Status.
- Green indicates a valid IPSec SA tunnel.
- Red indicates that the IPSec SA is not available or has expired.
Step 3. View the IKE Gateway Status.
- Green indicates a valid IKE phase 1 SA.
- Red indicates that the IKE phase 1 SA is not available or has expired.
Step 4. View the Tunnel Interface Status.
- Green indicates that the tunnel interface is up.
- Red indicates that the tunnel interface is down, because tunnel monitoring is enabled and the status is down.

To troubleshoot a VPN tunnel that is not yet up, see Interpret VPN Error Messages.

Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel
You can enable, disable, refresh or restart an IKE gateway or VPN tunnel to make troubleshooting easier.

Enable or Disable an IKE Gateway or Tunnel
Enable or disable an IKE gateway.
1. Select Network > Network Profiles > IKE Gateways and select the gateway you want to enable or disable.
2. At the bottom of the screen, click Enable or Disable.
Enable or disable an IPSec tunnel.
1. Select Network > IPSec Tunnels and select the tunnel you want to enable or disable.
2. At the bottom of the screen, click Enable or Disable.

The refresh and restart behaviors for an IKE gateway and IPSec tunnel are as follows:

IKE Gateway (IKE Phase 1)
- Refresh: Updates the onscreen statistics for the selected IKE gateway. Equivalent to issuing a second show command in the CLI (after an initial show command).
- Restart: Restarts the selected IKE gateway. IKEv2: also restarts any associated child IPSec security associations (SAs). IKEv1: does not restart the associated IPSec SAs. A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI.

IPSec Tunnel (IKE Phase 2)
- Refresh: Updates the onscreen statistics for the selected IPSec tunnel. Equivalent to issuing a second show command in the CLI (after an initial show command).
- Restart: Restarts the IPSec tunnel. A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI.

As the table above indicates, restarting an IKEv2 gateway has a result different from restarting an IKEv1 gateway.

Refresh or Restart an IKE Gateway or IPSec Tunnel
Refresh or restart an IKE gateway.
1. Select Network > IPSec Tunnels and select the tunnel for the gateway you want to refresh or restart.
2. In the row for that tunnel, under the Status column, click IKE Info.
3. At the bottom of the IKE Info screen, click the action you want:
   - Refresh: Updates the statistics on the screen.
   - Restart: Clears the SAs, so traffic is dropped until the IKE negotiation starts over and the tunnel is recreated.
Refresh or restart an IPSec tunnel.
You might determine that the tunnel needs to be refreshed or restarted because you use the tunnel monitor to monitor the tunnel status, or you use an external network monitor to monitor network connectivity through the IPSec tunnel.
1. Select Network > IPSec Tunnels and select the tunnel you want to refresh or restart.
2. In the row for that tunnel, under the Status column, click Tunnel Info.
3. At the bottom of the Tunnel Info screen, click the action you want:
   - Refresh: Updates the onscreen statistics.
   - Restart: Clears the SAs, so traffic is dropped until the IKE negotiation starts over and the tunnel is recreated.


Test VPN Connectivity

Test Connectivity
1. Initiate IKE phase 1 by either pinging a host across the tunnel or using the following CLI command:
   test vpn ike-sa gateway <gateway_name>
   Then enter the following command to check whether IKE phase 1 is set up:
   show vpn ike-sa gateway <gateway_name>
   In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.
2. Initiate IKE phase 2 by either pinging a host from across the tunnel or using the following CLI command:
   test vpn ipsec-sa tunnel <tunnel_name>
   Then enter the following command to check whether IKE phase 2 is set up:
   show vpn ipsec-sa tunnel <tunnel_name>
   In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.
3. To view the VPN traffic flow information, use the following command:
   show vpn flow

   admin@PA-500> show vpn flow
   total tunnels configured:                                   1
   filter - type IPSec, state any
   total IPSec tunnel configured:                              1
   total IPSec tunnel shown:                                   1

   name               id    state     local-ip     peer-ip      tunnel-i/f
   -------------------------------------------------------------------------
   vpn-to-siteB       5     active    100.1.1.1    200.1.1.1    tunnel.41

Interpret VPN Error Messages
The following table lists some of the common VPN error messages that are logged in the system log.

Table: Syslog Error Messages for VPN Issues

If error is this:
  IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: x.x.x.x[500]-y.y.y.y[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout.
  or
  IKE phase 1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP x.x.x.x[1929]
Try this:
  Verify that the public IP address for each VPN peer is accurate in the IKE Gateway configuration.
  Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.

If error is this:
  Received unencrypted notify payload (no proposal chosen) from IP x.x.x.x[500] to y.y.y.y[500], ignored...
  or
  IKE phase-1 negotiation is failed. Unable to process peer's SA payload.
Try this:
  Check the IKE Crypto profile configuration to verify that the proposals on both sides have a common encryption, authentication, and DH Group proposal.

If error is this:
  pfs group mismatched: my: 2 peer: 0
  or
  IKE phase-2 negotiation failed when processing SA payload. No suitable proposal found in peer's SA payload.
Try this:
  Check the IPSec Crypto profile configuration to verify that:
  - pfs is either enabled or disabled on both VPN peers
  - the DH Groups proposed by each peer have at least one DH Group in common

If error is this:
  IKE phase-2 negotiation failed when processing Proxy ID. Received local id x.x.x.x/x type IPv4 address protocol 0 port 0, received remote id y.y.y.y/y type IPv4 address protocol 0 port 0.
Try this:
  The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto Networks firewall. See Step 8 in Set Up an IPSec Tunnel.
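The following Python script is an added example, not code from this guide or from Palo Alto Networks. It turns the two checks above into something you can run over exported output: it parses the per-tunnel rows of the `show vpn flow` output shown under Test VPN Connectivity into records and lists tunnels that are not active, and it matches system-log lines against the message patterns in the error table to return the remediation the table suggests. The sample `show vpn flow` output is constructed in the layout the guide shows (with a second, inactive tunnel and a state name added for illustration), and the sample log lines are constructed to match the table's wording; the peer addresses in them are documentation ranges, not real peers.

```python
"""Added example (not Palo Alto Networks code): parse 'show vpn flow' output and
classify VPN system-log messages using the patterns from the guide's error table.
Sample output and log lines are constructed."""
import re
from typing import Dict, List

# (compiled pattern, short cause, what to check). Advice follows the guide's table.
PATTERNS = [
    (re.compile(r"IKE phase-?1 negotiation is failed.*due to timeout"),
     "phase1-timeout",
     "Verify each peer's public IP in the IKE Gateway configuration; check reachability and routing."),
    (re.compile(r"Couldn'?t find configuration for IKE phase-1 request for peer IP (\S+)"),
     "phase1-no-config",
     "No IKE gateway matches this peer IP; verify the peer address in the IKE Gateway configuration."),
    (re.compile(r"no proposal chosen|Unable to process peer'?s SA payload"),
     "phase1-proposal-mismatch",
     "Check the IKE Crypto profile: both sides need a common encryption, authentication and DH Group."),
    (re.compile(r"pfs group mismatched"),
     "phase2-pfs-mismatch",
     "Check the IPSec Crypto profile: PFS enabled/disabled on both peers and a common DH Group."),
    (re.compile(r"phase-?2 negotiation failed when processing SA payload"),
     "phase2-proposal-mismatch",
     "Check the IPSec Crypto profile: both sides need a common ESP/AH proposal."),
    (re.compile(r"phase-?2 negotiation failed when processing Proxy ID"),
     "phase2-proxy-id-mismatch",
     "The peer is policy-based: configure a matching Proxy ID on the firewall (Set Up an IPSec Tunnel, Step 8)."),
]


def classify(log_line: str) -> Dict[str, str]:
    """Classify one system-log line; 'unknown' when no pattern from the table applies."""
    for pattern, cause, advice in PATTERNS:
        m = pattern.search(log_line)
        if m:
            peer = m.group(1) if m.groups() else ""
            return {"cause": cause, "advice": advice, "peer": peer}
    return {"cause": "unknown", "advice": "Review the full system log for this peer.", "peer": ""}


# One data row of 'show vpn flow': name, id, state, local-ip, peer-ip, tunnel interface.
FLOW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<id>\d+)\s+(?P<state>\S+)\s+(?P<local_ip>\S+)\s+"
    r"(?P<peer_ip>\S+)\s+(?P<tunnel_if>tunnel\.\d+)\s*$"
)


def parse_vpn_flow(output: str) -> List[Dict[str, str]]:
    """Parse the per-tunnel rows of 'show vpn flow' into dicts; header and counts are skipped."""
    rows = []
    for line in output.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def inactive_tunnels(output: str) -> List[str]:
    """Names of configured tunnels whose state is not 'active'."""
    return [r["name"] for r in parse_vpn_flow(output) if r["state"] != "active"]


# Constructed sample output in the layout the guide shows; the second row and its
# 'init' state are added for illustration.
SAMPLE_FLOW = """\
total tunnels configured:                          2
filter - type IPSec, state any
total IPSec tunnel configured:                     2
total IPSec tunnel shown:                          2

name                  id   state     local-ip       peer-ip        tunnel-i/f
-----------------------------------------------------------------------------
vpn-to-siteB          5    active    100.1.1.1      200.1.1.1      tunnel.41
vpn-to-siteC          6    init      100.1.1.1      203.0.113.9    tunnel.42
"""

# Constructed log lines shaped after the error table.
SAMPLE_LOGS = [
    "IKE phase-1 negotiation is failed as initiator, main mode. Failed SA: "
    "100.1.1.1[500]-203.0.113.9[500] cookie:84222f276c2fa2e9:0000000000000000 due to timeout.",
    "IKE phase 1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP 198.51.100.7[1929]",
    "pfs group mismatched: my: 2 peer: 0",
    "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 10.2.0.0/24 type IPv4 "
    "address protocol 0 port 0, received remote id 10.1.0.0/24 type IPv4 address protocol 0 port 0.",
]

if __name__ == "__main__":
    print("not active:", inactive_tunnels(SAMPLE_FLOW))      # ['vpn-to-siteC']
    for line in SAMPLE_LOGS:
        c = classify(line)
        print(c["cause"], c["peer"], "->", c["advice"])
```

Feed it the text you paste from the CLI or from a syslog export; the patterns are deliberately loose on punctuation ("phase-1" versus "phase 1") because the table itself shows both spellings.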


Site-to-Site VPN Quick Configs
The following sections provide instructions for configuring some common VPN deployments:
- Site-to-Site VPN with Static Routing
- Site-to-Site VPN with OSPF
- Site-to-Site VPN with Static and Dynamic Routing

Site-to-Site VPN with Static Routing
The following example shows a VPN connection between two sites that use static routes. Without dynamic routing, the tunnel interfaces on VPN Peer A and VPN Peer B do not require an IP address because the firewall automatically uses the tunnel interface as the next hop for routing traffic across the sites. However, to enable tunnel monitoring, a static IP address has been assigned to each tunnel interface.


Quick Config: Site-to-Site VPN with Static Routing

Step 1: Configure a Layer 3 interface.
This interface is used for the IKE phase 1 tunnel.
1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the Security Zone to which the interface belongs:
   - The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
   - If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
4. Select the Virtual Router to use.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
6. To save the interface configuration, click OK.
   In this example, the configuration for VPN Peer A is:
   - Interface: ethernet1/7
   - Security Zone: untrust
   - Virtual Router: default
   - IPv4: 192.168.210.26/24
   The configuration for VPN Peer B is:
   - Interface: ethernet1/11
   - Security Zone: untrust
   - Virtual Router: default
   - IPv4: 192.168.210.120/24


Step 2: Create a tunnel interface and attach it to a virtual router and security zone.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .1.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
   - To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
   - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
4. Select the Virtual Router.
5. (Optional) Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface.
   With static routes, the tunnel interface does not require an IP address. For traffic that is destined to a specified subnet/IP address, the tunnel interface will automatically become the next hop. Consider adding an IP address if you want to enable tunnel monitoring.
6. To save the interface configuration, click OK.
   In this example, the configuration for VPN Peer A is:
   - Interface: tunnel.11
   - Security Zone: vpn_tun
   - Virtual Router: default
   - IPv4: 172.19.9.2/24
   The configuration for VPN Peer B is:
   - Interface: tunnel.12
   - Security Zone: vpn_tun
   - Virtual Router: default
   - IPv4: 192.168.69.2/24

Step 3: Configure a static route, on the virtual router, to the destination subnet.
1. Select Network > Virtual Router and click the router you defined in the prior step.
2. Select Static Route, click Add, and enter a new route to access the subnet that is at the other end of the tunnel.
   In this example, the configuration for VPN Peer A is:
   - Destination: 192.168.69.0/24
   - Interface: tunnel.11
   The configuration for VPN Peer B is:
   - Destination: 172.19.9.0/24
   - Interface: tunnel.12

Step 4: Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
Complete this task on both peers and make sure to set identical values.
1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.


Step 5: Set up the IKE Gateway.
1. Select Network > Network Profiles > IKE Gateway.
2. Click Add and configure the options in the General tab.
   In this example, the configuration for VPN Peer A is:
   - Interface: ethernet1/7
   - Local IP address: 192.168.210.26/24
   - Peer IP type/address: static/192.168.210.120
   - Pre-shared keys: enter a value
   - Local identification: None; this means that the local IP address will be used as the local identification value.
   The configuration for VPN Peer B is:
   - Interface: ethernet1/11
   - Local IP address: 192.168.210.120/24
   - Peer IP type/address: static/192.168.210.26
   - Pre-shared keys: enter the same value as on Peer A
   - Local identification: None
3. Select Advanced Phase 1 Options and select the IKE Crypto profile you created earlier to use for IKE phase 1.

Step 6: Set up the IPSec Tunnel.
1. Select Network > IPSec Tunnels.
2. Click Add and configure the options in the General tab.
   In this example, the configuration for VPN Peer A is:
   - Tunnel Interface: tunnel.11
   - Type: Auto Key
   - IKE Gateway: Select the IKE Gateway defined above.
   - IPSec Crypto Profile: Select the IPSec Crypto profile defined in Step 4.
   The configuration for VPN Peer B is:
   - Tunnel Interface: tunnel.12
   - Type: Auto Key
   - IKE Gateway: Select the IKE Gateway defined above.
   - IPSec Crypto Profile: Select the IPSec Crypto profile defined in Step 4.
3. (Optional) Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity. Typically, the tunnel interface IP address of the VPN peer is used.
4. (Optional) To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 7: Create policies to allow traffic between the sites (subnets).
1. Select Policies > Security.
2. Create rules to allow traffic between the untrust and the vpn-tun zone and the vpn-tun and the untrust zone for traffic originating from specified source and destination IP addresses.

Step 8: Save any pending configuration changes.
Click Commit.

Step 9: Test VPN connectivity.
See View the Status of the Tunnels.
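As an added example (not from the guide), the following Python script cross-checks the two ends of the static-routing quick config above: each side's IKE peer IP must be the other side's local IP, the pre-shared key and crypto profiles must match, the static route and IPSec tunnel must reference the tunnel interface, and the tunnel-monitor target must be the remote tunnel IP and be covered by the static route. PEER_A and PEER_B carry the values the quick config assigns; the pre-shared key is a placeholder and the dictionary keys are this example's own names, not PAN-OS object names.

```python
"""Cross-check both ends of the static-routing site-to-site VPN quick config.

Added example, not from the PAN-OS guide. PEER_A / PEER_B hold the values the
quick config assigns to VPN Peer A and VPN Peer B (PSK is a placeholder);
check_pair() tests the invariants those values must satisfy.
"""
import copy
import ipaddress
from typing import Any, Dict, List, Tuple

Peer = Dict[str, Any]

PEER_A: Peer = {
    "name": "VPN Peer A",
    "ike_gateway": {"interface": "ethernet1/7", "local_ip": "192.168.210.26/24",
                    "peer_ip": "192.168.210.120", "psk": "PLACEHOLDER-psk"},
    "ike_crypto": "default", "ipsec_crypto": "default",
    "tunnel": {"interface": "tunnel.11", "zone": "vpn_tun", "ip": "172.19.9.2/24"},
    "static_route": {"destination": "192.168.69.0/24", "interface": "tunnel.11"},
    "ipsec_tunnel": {"tunnel_interface": "tunnel.11", "monitor_dst": "192.168.69.2"},
}
PEER_B: Peer = {
    "name": "VPN Peer B",
    "ike_gateway": {"interface": "ethernet1/11", "local_ip": "192.168.210.120/24",
                    "peer_ip": "192.168.210.26", "psk": "PLACEHOLDER-psk"},
    "ike_crypto": "default", "ipsec_crypto": "default",
    "tunnel": {"interface": "tunnel.12", "zone": "vpn_tun", "ip": "192.168.69.2/24"},
    "static_route": {"destination": "172.19.9.0/24", "interface": "tunnel.12"},
    "ipsec_tunnel": {"tunnel_interface": "tunnel.12", "monitor_dst": "172.19.9.2"},
}


def _host(cidr: str) -> ipaddress.IPv4Address:
    """Host address of an 'a.b.c.d/n' interface string."""
    return ipaddress.ip_interface(cidr).ip


def check_peer(p: Peer) -> List[str]:
    """Checks that involve only one firewall's own objects (Steps 2, 3 and 6)."""
    findings = []
    tun = p["tunnel"]["interface"]
    if p["static_route"]["interface"] != tun:
        findings.append(f"{p['name']}: static route points at {p['static_route']['interface']}, "
                        f"but the tunnel interface is {tun}")
    if p["ipsec_tunnel"]["tunnel_interface"] != tun:
        findings.append(f"{p['name']}: IPSec tunnel is bound to {p['ipsec_tunnel']['tunnel_interface']}, "
                        f"but the tunnel interface is {tun}")
    mon = p["ipsec_tunnel"]["monitor_dst"]
    if mon and ipaddress.ip_address(mon) not in ipaddress.ip_network(p["static_route"]["destination"]):
        findings.append(f"{p['name']}: tunnel monitor target {mon} is not covered by the static route "
                        f"{p['static_route']['destination']}, so monitor pings will not enter the tunnel")
    return findings


def check_pair(a: Peer, b: Peer) -> List[str]:
    """Checks that tie the two ends together (Steps 4, 5 and 6)."""
    findings = check_peer(a) + check_peer(b)
    for local, remote in ((a, b), (b, a)):
        g, rg = local["ike_gateway"], remote["ike_gateway"]
        # Step 5: each side's Peer IP must be the other side's Local IP address.
        if ipaddress.ip_address(g["peer_ip"]) != _host(rg["local_ip"]):
            findings.append(f"{local['name']}: IKE peer IP {g['peer_ip']} is not "
                            f"{remote['name']}'s local IP {rg['local_ip']}")
        # Step 6: the monitor target is normally the remote tunnel interface IP.
        mon = local["ipsec_tunnel"]["monitor_dst"]
        if mon and ipaddress.ip_address(mon) != _host(remote["tunnel"]["ip"]):
            findings.append(f"{local['name']}: tunnel monitor target {mon} is not "
                            f"{remote['name']}'s tunnel IP {remote['tunnel']['ip']}")
    # Step 5: same pre-shared key; Step 4: identical crypto profiles on both peers.
    if a["ike_gateway"]["psk"] != b["ike_gateway"]["psk"]:
        findings.append("pre-shared keys differ between the peers")
    for prof in ("ike_crypto", "ipsec_crypto"):
        if a[prof] != b[prof]:
            findings.append(f"{prof} profile differs: {a[prof]} vs {b[prof]}")
    return findings


def with_change(p: Peer, path: Tuple[str, ...], value: Any) -> Peer:
    """Copy of p with the nested key at path replaced (for what-if checks)."""
    q = copy.deepcopy(p)
    node = q
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return q


if __name__ == "__main__":
    for f in check_pair(PEER_A, PEER_B) or ["both peers are consistent"]:
        print(f)
```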


Site-to-Site VPN with OSPF
In this example, each site uses OSPF for dynamic routing of traffic. The tunnel IP address on each VPN peer is statically assigned and serves as the next hop for routing traffic between the two sites.


Quick Config: Site-to-Site VPN with Dynamic Routing using OSPF

Step 1: Configure the Layer 3 interfaces on each firewall.
1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the Security Zone to which the interface belongs:
   - The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
   - If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
4. Select the Virtual Router to use.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
6. To save the interface configuration, click OK.
   In this example, the configuration for VPN Peer A is:
   - Interface: ethernet1/7
   - Security Zone: untrust
   - Virtual Router: default
   - IPv4: 100.1.1.1/24
   The configuration for VPN Peer B is:
   - Interface: ethernet1/11
   - Security Zone: untrust
   - Virtual Router: default
   - IPv4: 200.1.1.1/24


Step 2: Create a tunnel interface and attach it to a virtual router and security zone.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, say, .11.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
   - To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
   - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
4. Select the Virtual Router.
5. Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
   This IP address will be used as the next hop IP address to route traffic to the tunnel and can also be used to monitor the status of the tunnel.
6. To save the interface configuration, click OK.
   In this example, the configuration for VPN Peer A is:
   - Interface: tunnel.41
   - Security Zone: vpn_tun
   - Virtual Router: default
   - IPv4: 2.1.1.141/24
   The configuration for VPN Peer B is:
   - Interface: tunnel.40
   - Security Zone: vpn_tun
   - Virtual Router: default
   - IPv4: 2.1.1.140/24

Step 3: Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
Complete this task on both peers and make sure to set identical values.
1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.


Step 4: Set up the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
For more information on the OSPF options that are available on the firewall, see Configure OSPF.
Use Broadcast as the link type when there are more than two OSPF routers that need to exchange routing information.
1. Select Network > Virtual Routers, and select the default router or add a new router.
2. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.
3. In this example, the OSPF configuration for VPN Peer A is:
   - Router ID: 192.168.100.141
   - Area ID: 0.0.0.0 that is assigned to the tunnel.1 interface with Link type: p2p
   - Area ID: 0.0.0.10 that is assigned to the interface Ethernet1/1 and Link Type: Broadcast
   The OSPF configuration for VPN Peer B is:
   - Router ID: 192.168.100.140
   - Area ID: 0.0.0.0 that is assigned to the tunnel.1 interface with Link type: p2p
   - Area ID: 0.0.0.20 that is assigned to the interface Ethernet1/15 and Link Type: Broadcast

Step 5: Set up the IKE Gateway.
This example uses static IP addresses for both VPN peers. Typically, the corporate office uses a statically configured IP address, and the branch side can be a dynamic IP address; dynamic IP addresses are not best suited for configuring stable services such as VPN.
1. Select Network > Network Profiles > IKE Gateway.
2. Click Add and configure the options in the General tab.
   In this example, the configuration for VPN Peer A is:
   - Interface: ethernet1/7
   - Local IP address: 100.1.1.1/24
   - Peer IP address: 200.1.1.1/24
   - Pre-shared keys: enter a value
   The configuration for VPN Peer B is:
   - Interface: ethernet1/11
   - Local IP address: 200.1.1.1/24
   - Peer IP address: 100.1.1.1/24
   - Pre-shared keys: enter the same value as on Peer A
3. Select the IKE Crypto profile you created earlier to use for IKE phase 1.


Step 6: Set up the IPSec Tunnel.
1. Select Network > IPSec Tunnels.
2. Click Add and configure the options in the General tab.
   In this example, the configuration for VPN Peer A is:
   - Tunnel Interface: tunnel.41
   - Type: Auto Key
   - IKE Gateway: Select the IKE Gateway defined above.
   - IPSec Crypto Profile: Select the IKE Gateway defined above.
   The configuration for VPN Peer B is:
   - Tunnel Interface: tunnel.40
   - Type: Auto Key
   - IKE Gateway: Select the IKE Gateway defined above.
   - IPSec Crypto Profile: Select the IKE Gateway defined above.
3. Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity.
4. To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 7: Create policies to allow traffic between the sites (subnets).
1. Select Policies > Security.
2. Create rules to allow traffic between the untrust and the vpn-tun zone and the vpn-tun and the untrust zone for traffic originating from specified source and destination IP addresses.


Step 8: Verify OSPF adjacencies and routes from the CLI.
Verify that both firewalls can see each other as neighbors with Full status. Also confirm the IP address of the VPN peer's tunnel interface and the OSPF Router ID. Use the following CLI commands on each VPN peer.
show routing protocol ospf neighbor

show routing route type ospf

Step 9: Test VPN connectivity.
See Set Up Tunnel Monitoring and View the Status of the Tunnels.


Site-to-Site VPN with Static and Dynamic Routing
In this example, one site uses static routes and the other site uses OSPF. When the routing protocol is not the same between the locations, the tunnel interface on each firewall must be configured with a static IP address. Then, to allow the exchange of routing information, the firewall that participates in both the static and dynamic routing process must be configured with a Redistribution profile. Configuring the redistribution profile enables the virtual router to redistribute and filter routes between protocols (static routes, connected routes, and hosts) from the static autonomous system to the OSPF autonomous system. Without this redistribution profile, each protocol functions on its own and does not exchange any route information with other protocols running on the same virtual router.
In this example, the satellite office has static routes and all traffic destined to the 192.168.x.x network is routed to tunnel.41. The virtual router on VPN Peer B participates in both the static and the dynamic routing process and is configured with a redistribution profile in order to propagate (export) the static routes to the OSPF autonomous system.


Quick Config: Site-to-Site VPN with Static and Dynamic Routing

Step 1: Configure the Layer 3 interfaces on each firewall.
1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for VPN.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the Security Zone to which the interface belongs:
   - The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
   - If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
4. Select the Virtual Router to use.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
6. To save the interface configuration, click OK.
   In this example, the configuration for VPN Peer A is:
   - Interface: ethernet1/7
   - Security Zone: untrust
   - Virtual Router: default
   - IPv4: 100.1.1.1/24
   The configuration for VPN Peer B is:
   - Interface: ethernet1/11
   - Security Zone: untrust
   - Virtual Router: default
   - IPv4: 200.1.1.1/24

Step 2: Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
Complete this task on both peers and make sure to set identical values.
1. Select Network > Network Profiles > IKE Crypto. In this example, we use the default profile.
2. Select Network > Network Profiles > IPSec Crypto. In this example, we use the default profile.


Step 3: Set up the IKE Gateway.
With pre-shared keys, to add authentication scrutiny when setting up the IKE phase 1 tunnel, you can set up Local and Peer Identification attributes and a corresponding value that is matched in the IKE negotiation process.
1. Select Network > Network Profiles > IKE Gateway.
2. Click Add and configure the options in the General tab.
   In this example, the configuration for VPN Peer A is:
   - Interface: ethernet1/7
   - Local IP address: 100.1.1.1/24
   - Peer IP type: dynamic
   - Pre-shared keys: enter a value
   - Local identification: select FQDN (hostname) and enter the value for VPN Peer A.
   - Peer identification: select FQDN (hostname) and enter the value for VPN Peer B
   The configuration for VPN Peer B is:
   - Interface: ethernet1/11
   - Local IP address: 200.1.1.1/24
   - Peer IP address: dynamic
   - Pre-shared keys: enter the same value as on Peer A
   - Local identification: select FQDN (hostname) and enter the value for VPN Peer B
   - Peer identification: select FQDN (hostname) and enter the value for VPN Peer A
3. Select the IKE Crypto profile you created earlier to use for IKE phase 1.


Step 4: Create a tunnel interface and attach it to a virtual router and security zone.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, say, .41.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
   - To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
   - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
4. Select the Virtual Router.
5. Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
   This IP address will be used to route traffic to the tunnel and to monitor the status of the tunnel.
6. To save the interface configuration, click OK.
   In this example, the configuration for VPN Peer A is:
   - Interface: tunnel.41
   - Security Zone: vpn_tun
   - Virtual Router: default
   - IPv4: 2.1.1.141/24
   The configuration for VPN Peer B is:
   - Interface: tunnel.42
   - Security Zone: vpn_tun
   - Virtual Router: default
   - IPv4: 2.1.1.140/24

Step 5: Specify the interface to route traffic to a destination on the 192.168.x.x network.
1. On VPN Peer A, select the virtual router.
2. Select Static Routes, and Add tunnel.41 as the Interface for routing traffic with a Destination in the 192.168.x.x network.

Step 6: Set up the static route and the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
1. On VPN Peer B, select Network > Virtual Routers, and select the default router or add a new router.
2. Select Static Routes and Add the tunnel IP address as the next hop for traffic in the 172.168.x.x network.
   Assign the desired route metric; a lower value gives the route a higher priority for route selection in the forwarding table.
3. Select OSPF (for IPv4) or OSPFv3 (for IPv6) and select Enable.
4. In this example, the OSPF configuration for VPN Peer B is:
   - Router ID: 192.168.100.140
   - Area ID: 0.0.0.0 is assigned to the interface Ethernet1/12, Link type: Broadcast
   - Area ID: 0.0.0.10 is assigned to the interface Ethernet1/1 and Link Type: Broadcast
   - Area ID: 0.0.0.20 is assigned to the interface Ethernet1/15 and Link Type: Broadcast


Step 7: Create a redistribution profile to inject the static routes into the OSPF autonomous system.
1. Create a redistribution profile on VPN Peer B.
   a. Select Network > Virtual Routers, and select the router you used above.
   b. Select Redistribution Profiles, and click Add.
   c. Enter a Name for the profile and select Redist and assign a Priority value. If you have configured multiple profiles, the profile with the lowest priority value is matched first.
   d. Set Source Type as static, and click OK. The static route defined in Step 6, item 2 will be used for the redistribution.
2. Inject the static routes into the OSPF system.
   a. Select OSPF > Export Rules (for IPv4) or OSPFv3 > Export Rules (for IPv6).
   b. Click Add, and select the redistribution profile that you just created.
   c. Select how the external routes are brought into the OSPF system. The default option, Ext2, calculates the total cost of the route using only the external metrics. To use both internal and external OSPF metrics, use Ext1.
   d. Assign a Metric (cost value) for the routes injected into the OSPF system. This option allows you to change the metric for the injected route as it comes into the OSPF system.
   e. Click OK to save the changes.

Step 8: Set up the IPSec Tunnel.
1. Select Network > IPSec Tunnels.
2. Click Add and configure the options in the General tab.
   In this example, the configuration for VPN Peer A is:
   - Tunnel Interface: tunnel.41
   - Type: Auto Key
   - IKE Gateway: Select the IKE Gateway defined above.
   - IPSec Crypto Profile: Select the IKE Gateway defined above.
   The configuration for VPN Peer B is:
   - Tunnel Interface: tunnel.40
   - Type: Auto Key
   - IKE Gateway: Select the IKE Gateway defined above.
   - IPSec Crypto Profile: Select the IKE Gateway defined above.
3. Select Show Advanced Options, select Tunnel Monitor, and specify a Destination IP address to ping for verifying connectivity.
4. To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 9: Create policies to allow traffic between the sites (subnets).
1. Select Policies > Security.
2. Create rules to allow traffic between the untrust and the vpn-tun zone and the vpn-tun and the untrust zone for traffic originating from specified source and destination IP addresses.


Step 10: Verify OSPF adjacencies and routes from the CLI.
Verify that both firewalls can see each other as neighbors with Full status. Also confirm the IP address of the VPN peer's tunnel interface and the OSPF Router ID. Use the following CLI commands on each VPN peer.
show routing protocol ospf neighbor

show routing route
The following is an example of the output on each VPN peer.

Step 11: Test VPN connectivity.
See Set Up Tunnel Monitoring and View the Status of the Tunnels.
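As an added example (not from the guide), the following Python model shows what the Step 7 redistribution profile and export rule do on VPN Peer B: which routes a Redist profile with Source Type static selects, and how an interior OSPF router's cost for the exported route differs between Ext2 (external metric only) and Ext1 (internal cost to the ASBR plus external metric). The routing table, metrics and link costs are constructed; 172.168.0.0/16 stands in for the guide's 172.168.x.x network.

```python
"""Model of the Step 7 redistribution profile and OSPF export rule.

Added example, not from the PAN-OS guide. The routes, profile, metrics and
link costs below are constructed; only the Redist/Ext1/Ext2 semantics follow
the guide's description.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str      # "static", "connect" or "ospf"
    interface: str


@dataclass(frozen=True)
class RedistProfile:
    name: str
    priority: int    # lower value is matched first
    source_type: str
    redist: bool     # True = Redist, False = No Redist


@dataclass(frozen=True)
class ExternalRoute:
    prefix: str
    metric_type: str  # "ext1" or "ext2"
    metric: int       # the Metric assigned in the export rule


def select_for_redistribution(routes: List[Route], profiles: List[RedistProfile]) -> List[Route]:
    """The first matching profile (by ascending priority) decides each route."""
    selected = []
    for r in routes:
        for p in sorted(profiles, key=lambda p: p.priority):
            if p.source_type == r.source:
                if p.redist:
                    selected.append(r)
                break   # the first match is final, even when it is No Redist
    return selected


def export_rule(selected: List[Route], metric_type: str, metric: int) -> List[ExternalRoute]:
    """Announce the selected routes as OSPF external routes."""
    if metric_type not in ("ext1", "ext2"):
        raise ValueError("metric type must be ext1 or ext2")
    return [ExternalRoute(r.prefix, metric_type, metric) for r in selected]


def path_cost(ext: ExternalRoute, cost_to_asbr: int) -> int:
    """Cost an interior router computes for an external route:
    Ext2 uses the external metric only; Ext1 adds the internal cost to the ASBR."""
    return ext.metric if ext.metric_type == "ext2" else ext.metric + cost_to_asbr


def best_path(ext: ExternalRoute, costs_to_asbrs: List[Tuple[str, int]]) -> Tuple[str, int]:
    """Among several ASBRs announcing the same external route, pick the best:
    lowest total cost; for Ext2 ties, the lower internal cost wins."""
    return min(costs_to_asbrs, key=lambda c: (path_cost(ext, c[1]), c[1]))


# Constructed routing table of VPN Peer B's virtual router.
VR_B = [
    Route("172.168.0.0/16", "static", "tunnel.42"),    # static route via the tunnel (Step 6)
    Route("10.20.0.0/24", "connect", "ethernet1/12"),  # connected, not selected by the profile
    Route("10.30.0.0/24", "ospf", "ethernet1/15"),     # already learned from OSPF
]
PROFILES = [RedistProfile("static-to-ospf", priority=1, source_type="static", redist=True)]

if __name__ == "__main__":
    selected = select_for_redistribution(VR_B, PROFILES)
    for mtype in ("ext2", "ext1"):
        for ext in export_rule(selected, mtype, metric=20):
            print(ext, "cost from a router 5 away from the ASBR:", path_cost(ext, 5))
```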


Large Scale VPN (LSVPN)
The GlobalProtect Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall simplifies the deployment of traditional hub and spoke VPNs, enabling you to quickly deploy enterprise networks with several branch offices with a minimum amount of configuration required on the remote satellites. This solution uses certificates for firewall authentication and IPSec to secure data.
LSVPN enables site-to-site VPNs between Palo Alto Networks firewalls. To set up a site-to-site VPN between a Palo Alto Networks firewall and another device, see VPNs.

The following topics describe the LSVPN components and how to set them up to enable site-to-site VPN services between Palo Alto Networks firewalls:

LSVPN Overview

Create Interfaces and Zones for the LSVPN

Enable SSL Between GlobalProtect LSVPN Components

Configure the Portal to Authenticate Satellites

Configure GlobalProtect Gateways for LSVPN

Configure the GlobalProtect Portal for LSVPN

Prepare the Satellite to Join the LSVPN

Verify the LSVPN Configuration

LSVPN Quick Configs


LSVPN Overview
GlobalProtect provides a complete infrastructure for managing secure access to corporate resources from your remote sites. This infrastructure includes the following components:

- GlobalProtect Portal: Provides the management functions for your GlobalProtect LSVPN infrastructure. Every satellite that participates in the GlobalProtect LSVPN receives configuration information from the portal, including configuration information to enable the satellites (the spokes) to connect to the gateways (the hubs). You configure the portal on an interface on any Palo Alto Networks next-generation firewall.
- GlobalProtect Gateways: A Palo Alto Networks firewall that provides the tunnel endpoint for satellite connections. The resources that the satellites access are protected by security policy on the gateway. It is not required to have a separate portal and gateway; a single firewall can function both as portal and gateway.
- GlobalProtect Satellite: A Palo Alto Networks firewall at a remote site that establishes IPSec tunnels with the gateway(s) at your corporate office(s) for secure access to centralized resources. Configuration on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN as you add new sites.

The following diagram illustrates how the GlobalProtect LSVPN components work together.


Create Interfaces and Zones for the LSVPN
You must configure the following interfaces and zones for your LSVPN infrastructure:

- GlobalProtect portal: Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from your branch offices.
- GlobalProtect gateways: Requires three interfaces: a Layer 3 interface in the zone that is reachable by the remote satellites, an internal interface in the trust zone that connects to the protected resources, and a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site VPN solutions, the GlobalProtect gateway only requires a single tunnel interface, which it will use for tunnel connections with all of your remote satellites (point-to-multipoint). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface.
- GlobalProtect satellites: Requires a single tunnel interface for establishing a VPN with the remote gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface.

For more information about portals, gateways, and satellites see LSVPN Overview.

Set Up Interfaces and Zones for the GlobalProtect LSVPN

Step 1: Configure a Layer 3 interface.
The portal and each gateway and satellite all require a Layer 3 interface to enable traffic to be routed between sites.
If the gateway and portal are on the same firewall, you can use a single interface for both components.
IPv6 addresses are not supported with LSVPN.
1. Select Network > Interfaces > Ethernet and then select the interface you want to configure for GlobalProtect LSVPN.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, select the Security Zone to which the interface belongs:
   - The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
   - If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
4. Select the Virtual Router to use.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
6. To save the interface configuration, click OK.


Step 2: On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
Make sure to enable User-ID in the zone where the VPN tunnels terminate.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
   - To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
   - (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example lsvpn-tun), select the Enable User Identification check box, and then click OK.
4. Select the Virtual Router.
5. (Optional) If you want to assign an IP address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.11.33/24.
6. To save the interface configuration, click OK.

Step 3: If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.
For example, a policy rule enables traffic between the lsvpn-tun zone and the L3-Trust zone.

Step 4: Save the configuration.
Click Commit.


Enable SSL Between GlobalProtect LSVPN Components
All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) and/or certificate profiles in the configurations for each component. The following sections describe the supported methods of certificate deployment, descriptions and best practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and deploying the required certificates:

About Certificate Deployment

Deploy Server Certificates to the GlobalProtect LSVPN Components

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

About Certificate Deployment
There are two basic approaches to deploying certificates for GlobalProtect LSVPN:

- Enterprise Certificate Authority: If you already have your own enterprise certificate authority, you can use this internal CA to issue an intermediate CA certificate for the GlobalProtect portal to enable it to issue certificates to the GlobalProtect gateways and satellites. You can also configure the GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to issue client certificates to GlobalProtect satellites.
- Self-Signed Certificates: You can generate a self-signed root CA certificate on the firewall and use it to issue server certificates for the portal, gateway(s), and satellite(s). As a best practice, create a self-signed root CA certificate on the portal and use it to issue server certificates for the gateways and satellites. This way, the private key used for certificate signing stays on the portal.

Deploy Server Certificates to the GlobalProtect LSVPN Components
The GlobalProtect LSVPN components use SSL/TLS to mutually authenticate. Before deploying the LSVPN, you must assign an SSL/TLS service profile to each portal and gateway. The profile specifies the server certificate and allowed TLS versions for communication with satellites. You don't need to create SSL/TLS service profiles for the satellites because the portal will issue a server certificate for each satellite during the first connection as part of the satellite registration process.
In addition, you must import the root certificate authority (CA) certificate used to issue the server certificates onto each firewall that you plan to host as a gateway or satellite. Finally, on each gateway and satellite participating in the LSVPN, you must configure a certificate profile that will enable them to establish an SSL/TLS connection using mutual authentication.
The following workflow shows the best practice steps for deploying SSL certificates to the GlobalProtect LSVPN components:


Deploy SSL Server Certificates to the GlobalProtect Components

Step 1: On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components.
Create a Self-Signed Root CA Certificate:
1. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
2. Enter a Certificate Name, such as LSVPN_CA.
3. Do not select a value in the Signed By field (this is what indicates that it is self-signed).
4. Select the Certificate Authority check box and then click OK to generate the certificate.

Step 2: Create SSL/TLS service profiles for the GlobalProtect portal and gateways.
For the portal and each gateway, you must assign an SSL/TLS service profile that references a unique self-signed server certificate.
The best practice is to issue all of the required certificates on the portal, so that the signing certificate (with the private key) doesn't have to be exported.
If the GlobalProtect portal and gateway are on the same firewall interface, you can use the same server certificate for both components.
1. Use the root CA on the portal to Generate a Certificate for each gateway you will deploy:
   a. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
   b. Enter a Certificate Name.
   c. Enter the FQDN (recommended) or IP address of the interface where you plan to configure the gateway in the Common Name field.
   d. In the Signed By field, select the LSVPN_CA certificate you just created.
   e. In the Certificate Attributes section, click Add and define the attributes to uniquely identify the gateway. If you add a Host Name attribute (which populates the SAN field of the certificate), it must exactly match the value you defined for the Common Name.
   f. Generate the certificate.
2. Configure an SSL/TLS Service Profile for the portal and each gateway:
   a. Select Device > Certificate Management > SSL/TLS Service Profile and click Add.
   b. Enter a Name to identify the profile and select the server Certificate you just created for the portal or gateway.
   c. Define the range of TLS versions (Min Version to Max Version) allowed for communicating with satellites and click OK.


Step 3: Deploy the self-signed server certificates to the gateways.
Best Practices:
- Export the self-signed server certificates issued by the root CA from the portal and import them onto the gateways.
- Be sure to issue a unique server certificate for each gateway.
- The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the IP address or fully qualified domain name (FQDN) of the interface where you configure the gateway.
1. On the portal, select Device > Certificate Management > Certificates > Device Certificates, select the gateway certificate you want to deploy, and click Export.
2. Select Encrypted Private Key and Certificate (PKCS12) from the File Format drop-down.
3. Enter (and re-enter) a Passphrase to encrypt the private key associated with the certificate and then click OK to download the PKCS12 file to your computer.
4. On the gateway, select Device > Certificate Management > Certificates > Device Certificates and click Import.
5. Enter a Certificate Name.
6. Enter the path and name to the Certificate File you just downloaded from the portal, or Browse to find the file.
7. Select Encrypted Private Key and Certificate (PKCS12) as the File Format.
8. Enter the path and name to the PKCS12 file in the Key File field or Browse to find it.
9. Enter and re-enter the Passphrase you used to encrypt the private key when you exported it from the portal and then click OK to import the certificate and key.

Step 4: Import the root CA certificate used to issue server certificates for the LSVPN components.
You must import the root CA certificate onto all gateways and satellites. For security reasons, make sure you export the certificate only, and not the associated private key.
1. Download the root CA certificate from the portal.
   a. Select Device > Certificate Management > Certificates > Device Certificates.
   b. Select the root CA certificate used to issue certificates for the LSVPN components and click Export.
   c. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (Do not export the private key.)
2. On the firewalls hosting the gateways and satellites, import the root CA certificate.
   a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
   b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
   c. Browse to the Certificate File you downloaded from the CA.
   d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
   e. Select the certificate you just imported on the Device Certificates tab to open it.
   f. Select Trusted Root CA and then click OK.
   g. Commit the changes.

Step 5. Create a certificate profile.
The GlobalProtect LSVPN portal and each gateway require a certificate profile that specifies which certificate to use to authenticate the satellites.
1. Select Device > Certificate Management > Certificate Profile, click Add, and enter a profile Name.
2. Make sure Username Field is set to None.
3. In the CA Certificates field, click Add and select the Trusted Root CA certificate you imported in Step 4.
4. (Optional, but recommended) Enable use of CRL and/or OCSP to enable certificate status verification.
5. Click OK to save the profile.
Step 6. Save the configuration.
Click Commit.

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP
As an alternative method for deploying client certificates to satellites, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI. SCEP operation is dynamic in that the enterprise PKI generates a certificate when the portal requests it and sends the certificate to the portal.
When the satellite device requests a connection to the portal or gateway, it also includes its serial number with the connection request. The portal submits a CSR to the SCEP server using the settings in the SCEP profile and automatically includes the serial number of the device in the subject of the client certificate. After receiving the client certificate from the enterprise PKI, the portal transparently deploys the client certificate to the satellite device. The satellite device then presents the client certificate to the portal or gateway for authentication.
Deploy Server Certificates to the GlobalProtect Components Using SCEP
Step 1. Create a SCEP profile.
1. Select Device > Certificate Management > SCEP and then Add a new profile.
2. Enter a Name to identify the SCEP profile.
3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
Step 2. (Optional) To make the SCEP-based certificate generation more secure, configure a SCEP challenge-response mechanism between the PKI and portal for each certificate request.
After you configure this mechanism, its operation is invisible, and no further input from you is necessary.
To comply with the U.S. Federal Information Processing Standard (FIPS), use a Dynamic SCEP challenge and specify a Server URL that uses HTTPS (see Step 7).
Select one of the following options:
• None (Default): The SCEP server does not challenge the portal before it issues a certificate.
• Fixed: Obtain the enrollment challenge password from the SCEP server (for example, http://10.200.101.1/CertSrv/mscep_admin/) in the PKI infrastructure and then copy or enter the password into the Password field.
• Dynamic: Enter the SCEP Server URL where the portal client submits these credentials (for example, http://10.200.101.1/CertSrv/mscep_admin/), and a username and OTP of your choice. The username and password can be the credentials of the PKI administrator.

Step 3. Specify the settings for the connection between the SCEP server and the portal to enable the portal to request and receive client certificates.
To identify the satellite, the portal automatically includes the device serial number in the CSR request to the SCEP server. Because the SCEP profile requires a value in the Subject field, you can leave the default $USERNAME token even though the value is not used in client certificates for LSVPN.
1. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, http://10.200.101.1/certsrv/mscep/).
2. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
3. Select the Subject Alternative Name Type:
   • RFC 822 Name: Enter the email name in a certificate's subject or Subject Alternative Name extension.
   • DNS Name: Enter the DNS name used to evaluate certificates.
   • Uniform Resource Identifier: Enter the name of the resource from which the client will obtain the certificate.
   • None: Do not specify attributes for the certificate.

Step 4. (Optional) Configure cryptographic settings for the certificate.
Select the key length (Number of Bits) for the certificate. If the firewall is in FIPS-CC mode and the key generation algorithm is RSA, the RSA keys must be 2048 bits or larger.
Select the Digest for CSR, which indicates the digest algorithm for the certificate signing request (CSR): SHA1, SHA256, SHA384, or SHA512.
Step 5. (Optional) Configure the permitted uses of the certificate, either for signing or encryption.
To use this certificate for signing, select the Use as digital signature check box. This enables the endpoint to use the private key in the certificate to validate a digital signature.
To use this certificate for encryption, select the Use for key encipherment check box. This enables the client to use the private key in the certificate to encrypt data exchanged over the HTTPS connection established with the certificates issued by the SCEP server.

Step 6. (Optional) To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
1. Enter the URL for the SCEP server's administrative UI (for example, http://<hostname or IP>/CertSrv/mscep_admin/).
2. Copy the thumbprint and enter it in the CA Certificate Fingerprint field.
Step 7. Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal. This is required to comply with the U.S. Federal Information Processing Standard (FIPS).
FIPS-CC operation is indicated on the firewall login page and in its status bar.
Select the SCEP server's root CA Certificate. Optionally, you can enable mutual SSL authentication between the SCEP server and the GlobalProtect portal by selecting a Client Certificate.

Step 8. Save and commit the configuration.
1. Click OK to save the settings and close the SCEP configuration.
2. Commit the configuration.
   The portal attempts to request a CA certificate using the settings in the SCEP profile and saves it to the firewall hosting the portal. If successful, the CA certificate is shown in Device > Certificate Management > Certificates.

Step 9. (Optional) If, after saving the SCEP profile, the portal fails to obtain the certificate, you can manually generate a certificate signing request (CSR) from the portal.
1. Select Device > Certificate Management > Certificates > Device Certificates and then click Generate.
2. Enter a Certificate Name. This name cannot contain spaces.
3. Select the SCEP Profile to use to submit a CSR to your enterprise PKI.
4. Click OK to submit the request and generate the certificate.


Configure the Portal to Authenticate Satellites
In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal will issue a server certificate for the satellite and push the LSVPN configuration specifying the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.
There are two ways that the satellite can authenticate to the portal during its initial connection:

• Serial number: You can configure the portal with the serial number of the satellite firewalls that are authorized to join the LSVPN. During the initial satellite connection to the portal, the satellite presents its serial number to the portal and, if the portal has the serial number in its configuration, the satellite will be successfully authenticated. You add the serial numbers of authorized satellites when you configure the portal. See Configure the Portal.
• Username and password: If you would rather provision your satellites without manually entering the serial numbers of the satellites into the portal configuration, you can instead require the satellite administrator to authenticate when establishing the initial connection to the portal. Although the portal will always look for the serial number in the initial request from the satellite, if it cannot identify the serial number, the satellite administrator must provide a username and password to authenticate to the portal. Because the portal will always fall back to this form of authentication, you must create an authentication profile in order to commit the portal configuration. This requires that you set up an authentication profile for the portal LSVPN configuration even if you plan to authenticate satellites using the serial number.

The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service. GlobalProtect LSVPN supports external authentication using a local database, LDAP (including Active Directory), Kerberos, TACACS+, or RADIUS.


Set Up Satellite Authentication
Step 1. (External authentication only) Create a server profile on the portal.
The server profile defines how the firewall connects to an external authentication service to validate the authentication credentials that the satellite administrator enters.
If you use local authentication, skip this step and instead add a local user for the satellite administrator: see Configure the user account.
Configure a server profile for the authentication service type:
• Configure a RADIUS Server Profile.
• Configure a TACACS+ Server Profile.
• Configure an LDAP Server Profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.
• Configure a Kerberos Server Profile.
Step 2. Configure an authentication profile.
The authentication profile defines which server profile to use to authenticate satellites.
1. Select Device > Authentication Profile and click Add.
2. Enter a Name for the profile and then select the authentication Type. If the Type is an external service, select the Server Profile you created in Step 1. If you added a local user instead, set the Type to Local Database.
3. Click OK and Commit.


Configure GlobalProtect Gateways for LSVPN
Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect to, it is a good idea to configure the gateways before configuring the portal.

• Prerequisite Tasks
• Configure the Gateway

Prerequisite Tasks
Before you can configure the GlobalProtect gateway, you must complete the following tasks:
• Create Interfaces and Zones for the LSVPN on the interface where you will configure each gateway. You must configure both the physical interface and the virtual tunnel interface.
• Enable SSL Between GlobalProtect LSVPN Components by configuring the gateway server certificates, SSL/TLS service profiles, and certificate profile required to establish a mutual SSL/TLS connection from the GlobalProtect satellites to the gateway.

Configure the Gateway
After you have completed the Prerequisite Tasks, configure each GlobalProtect gateway to participate in the LSVPN as follows:
Configure the Gateway for LSVPN
Step 1. Add a gateway.
1. Select Network > GlobalProtect > Gateways and click Add.
2. In the General screen, enter a Name for the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
3. (Optional) Select the virtual system to which this gateway belongs from the Location field.
Step 2. Specify the network information that enables satellite devices to connect to the gateway.
If you haven't created the network interface for the gateway, see Create Interfaces and Zones for the LSVPN for instructions.
1. Select the Interface that satellites will use for ingress access to the gateway.
2. Select the IP Address for gateway access.
3. Click OK to save changes.

Step 3. Specify how the gateway authenticates satellites attempting to establish tunnels.
If you haven't yet created an SSL/TLS Service profile for the gateway, see Deploy Server Certificates to the GlobalProtect LSVPN Components.
If you haven't set up the authentication profiles or certificate profiles, see Configure the Portal to Authenticate Satellites for instructions.
If you have not yet set up the certificate profile, see Enable SSL Between GlobalProtect LSVPN Components for instructions.
On the GlobalProtect Gateway Configuration dialog, select Authentication and then configure any of the following:
• To secure communication between the gateway and the satellites, select the SSL/TLS Service Profile for the gateway.
• To specify the authentication profile to use to authenticate satellites, Add a Client Authentication. Then, enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate the satellite. You can also select a Certificate Profile for the gateway to use to authenticate satellite devices attempting to establish tunnels.

Step 4. Configure the tunnel parameters and enable tunneling.
1. On the GlobalProtect Gateway Configuration dialog, select Satellite > Tunnel Settings.
2. Select the Tunnel Configuration check box to enable tunneling.
3. Select the Tunnel Interface you defined in Step 2 in Create Interfaces and Zones for the LSVPN.
4. (Optional) If you want to preserve the Type of Service (ToS) information in the encapsulated packets, select Copy TOS.
   If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order.

Step 5. (Optional) Enable tunnel monitoring.
Tunnel monitoring enables a satellite to monitor its gateway tunnel connection, allowing it to fail over to a backup gateway if the connection fails. Failover to another gateway is the only type of tunnel monitoring profile supported with LSVPN.
1. Select the Tunnel Monitoring check box.
2. Specify the Destination IP address the satellites should use to determine if the gateway is active. Alternatively, if you configured an IP address for the tunnel interface, you can leave this field blank and the tunnel monitor will instead use the tunnel interface to determine if the connection is active.
3. Select Failover from the Tunnel Monitor Profile drop-down (this is the only supported tunnel monitor profile for LSVPN).
Step 6. Select the IPSec Crypto profile to use when establishing tunnel connections.
The profile specifies the type of IPSec encryption and the authentication method for securing the data that will traverse the tunnel. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you can typically use the default (predefined) profile, which uses ESP as the IPSec protocol, group2 for the DH group, AES-128-CBC for encryption, and SHA-1 for authentication.
In the IPSec Crypto Profile drop-down, select default to use the predefined profile or select New IPSec Crypto Profile to define a new profile. For details on the authentication and encryption options, see Define IPSec Crypto Profiles.

Step 7. Configure the network settings to assign the satellites during establishment of the IPSec tunnel.
You can also configure the satellite to push the DNS settings to its local clients by configuring a DHCP server on the firewall hosting the satellite. In this configuration, the satellite will push DNS settings it learns from the gateway to the DHCP clients.
1. On the GlobalProtect Gateway Configuration dialog, select Satellite > Network Settings.
2. (Optional) If clients local to the satellite need to resolve FQDNs on the corporate network, configure the gateway to push DNS settings to the satellites in one of the following ways:
   • If the gateway has an interface that is configured as a DHCP client, you can set the Inheritance Source to that interface and assign the same settings received by the DHCP client to GlobalProtect satellites. You can also inherit the DNS suffix from the same source.
   • Manually define the Primary DNS, Secondary DNS, and DNS Suffix settings to push to the satellites.
3. To specify the IP Pool of addresses to assign the tunnel interface on the satellites when the VPN is established, click Add and then specify the IP address range(s) to use.
4. To define what destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:
   • If you want to route all traffic from the satellites through the tunnel, leave this field blank. Note that in this case, all traffic except traffic destined for the local subnet will be tunneled to the gateway.
   • To route only some traffic through the gateway (called split tunneling), specify the destination subnets that must be tunneled. In this case, the satellite will route traffic that is not destined for a specified access route using its own routing table. For example, you may choose to only tunnel traffic destined for your corporate network, and use the local satellite to safely enable Internet access.
   • If you want to enable routing between satellites, enter the summary route for the network protected by each satellite.
Step 8. (Optional) Define what routes, if any, the gateway will accept from satellites.
By default, the gateway will not add any routes satellites advertise to its routing table. If you do not want the gateway to accept routes from satellites, you do not need to complete this step.
1. To enable the gateway to accept routes advertised by satellites, select Satellite > Route Filter.
2. Select the Accept published routes check box.
3. To filter which of the routes advertised by the satellites to add to the gateway routing table, click Add and then define the subnets to include. For example, if all the satellites are configured with subnet 192.168.x.0/24 on the LAN side, configuring a permitted route of 192.168.0.0/16 enables the gateway to accept a route from a satellite only if it falls within the 192.168.0.0/16 subnet.
Step 9. Save the gateway configuration.
1. Click OK to save the settings and close the GlobalProtect Gateway Configuration dialog.
2. Commit the configuration.


Configure the GlobalProtect Portal for LSVPN
The GlobalProtect portal provides the management functions for your GlobalProtect LSVPN. Every satellite system that participates in the LSVPN receives configuration information from the portal, including information about available gateways as well as the certificate it needs in order to connect to the gateways.
The following sections provide procedures for setting up the portal:

• Prerequisite Tasks
• Configure the Portal
• Define the Satellite Configurations

Prerequisite Tasks
Before configuring the GlobalProtect portal, you must complete the following tasks:
• Create Interfaces and Zones for the LSVPN on the interface where you will configure the portal.
• Enable SSL Between GlobalProtect LSVPN Components by creating an SSL/TLS service profile for the portal server certificate, issuing gateway server certificates, and configuring the portal to issue server certificates for the GlobalProtect satellites.
• Configure the Portal to Authenticate Satellites by defining the authentication profile that the portal will use to authenticate satellites if the serial number is not available.
• Configure GlobalProtect Gateways for LSVPN.

Configure the Portal
After you have completed the Prerequisite Tasks, configure the GlobalProtect portal as follows:
Configure the Portal for LSVPN
Step 1. Add the portal.
1. Select Network > GlobalProtect > Portals and click Add.
2. On the General tab, enter a Name for the portal. The portal name should not contain any spaces.
3. (Optional) Select the virtual system to which this portal belongs from the Location field.
Step 2. Specify the network information to enable satellites to connect to the portal.
If you haven't yet created the network interface for the portal, see Create Interfaces and Zones for the LSVPN for instructions.
1. Select the Interface that satellites will use for ingress access to the portal.
2. Select the IP Address for satellite access to the portal.

Step 3. Specify an SSL/TLS Service profile to use to enable the satellite to establish an SSL/TLS connection to the portal.
If you haven't yet created an SSL/TLS service profile for the portal and issued gateway certificates, see Deploy Server Certificates to the GlobalProtect LSVPN Components.
1. On the GlobalProtect Portal Configuration dialog, select Authentication.
2. Select the SSL/TLS Service Profile.
Step 4. Specify an authentication profile and optional certificate profile for authenticating satellites.
If the portal can't validate the serial numbers of connecting satellites, it will fall back to the authentication profile. Therefore, before you can save the portal configuration (by clicking OK), you must Configure an authentication profile.
Add a Client Authentication, and then enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate satellite devices. You can also specify a Certificate Profile for the portal to use to authenticate satellite devices.
Step 5. Continue with defining the configurations to push to the satellites or, if you have already created the satellite configurations, save the portal configuration.
Click OK to save the portal configuration or continue to Define the Satellite Configurations.

Define the Satellite Configurations
When a GlobalProtect satellite connects and successfully authenticates to the GlobalProtect portal, the portal delivers a satellite configuration, which specifies what gateways the satellite can connect to. If all your satellites will use the same gateway and certificate configurations, you can create a single satellite configuration to deliver to all satellites upon successful authentication. However, if you require different satellite configurations (for example, if you want one group of satellites to connect to one gateway and another group of satellites to connect to a different gateway), you can create a separate satellite configuration for each. The portal will then use the enrollment username/group name or the serial number of the satellite to determine which satellite configuration to deploy. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the satellite.
For example, the following figure shows a network in which some branch offices require VPN access to the corporate applications protected by your perimeter firewalls and another site needs VPN access to the data center.


Use the following procedure to create one or more satellite configurations.
Create a GlobalProtect Satellite Configuration
Step 1. Add a satellite configuration.
The satellite configuration specifies the GlobalProtect LSVPN configuration settings to deploy to the connecting satellites. You must define at least one satellite configuration.
1. Select Network > GlobalProtect > Portals, select the portal configuration for which you want to add a satellite configuration, and then select the Satellite tab.
2. In the Satellite section, click Add.
3. Enter a Name for the configuration. If you plan to create multiple configurations, make sure the name you define for each is descriptive enough to allow you to distinguish them.
4. To change how often a satellite should check the portal for configuration updates, specify a value in the Configuration Refresh Interval (hours) field (range is 1-48; default is 24).
Step 2. Specify the satellites to which to deploy this configuration.
The portal uses the Enrollment User/User Group settings and/or Devices serial numbers to match a satellite to a configuration. Therefore, if you have multiple configurations, be sure to order them properly. As soon as the portal finds a match, it will deliver the configuration. Therefore, more specific configurations must precede more general ones. See Step 5 for instructions on ordering the list of satellite configurations.
Specify the match criteria for the satellite configuration as follows:
• To restrict this configuration to satellites with specific serial numbers, select the Devices tab, click Add, and enter the serial number (you do not need to enter the satellite hostname; it will be automatically added when the satellite connects). Repeat this step for each satellite you want to receive this configuration.
• Select the Enrollment User/User Group tab, click Add, and then select the user or group you want to receive this configuration. Satellites that do not match on serial number will be required to authenticate as a user specified here (either an individual user or group member).
  Before you can restrict the configuration to specific groups, you must Map Users to Groups.

Step 3. Specify the gateways that satellites with this configuration can establish VPN tunnels with.
Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10x the routing priority. If you have more than one gateway, make sure to also set the routing priority to ensure that routes advertised by backup gateways have higher metrics compared to the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway.
1. On the Gateways tab, click Add.
2. Enter a descriptive Name for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough to identify the location of the gateway.
3. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
4. (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway. Enter a value in the range of 1-25, with lower numbers having the higher priority (that is, the gateway the satellite will connect to if all gateways are available). The satellite will multiply the routing priority by 10 to determine the routing metric.
Step 4. Save the satellite configuration.
1. Click OK to save the satellite configuration.
2. If you want to add another satellite configuration, repeat Step 1 through Step 4.
Step 5. Arrange the satellite configurations so that the proper configuration is deployed to each satellite.
• To move a satellite configuration up on the list of configurations, select the configuration and click Move Up.
• To move a satellite configuration down on the list of configurations, select the configuration and click Move Down.
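The matching described in Step 2 and the ordering rule in Step 5, as an added Python model that is not part of this guide or of PAN-OS: the portal walks the satellite configurations from the top and delivers the first match, checking serial numbers first and falling back to the enrollment user or group, so a configuration for one named administrator must sit above the general one for the group she belongs to. The two-pass order, the configuration names, the gateway names and the sample serial numbers are assumptions.

```python
"""Model of GlobalProtect LSVPN satellite-configuration selection.

Added example, not PAN-OS code. Each SatelliteConfig mirrors one entry in
Network > GlobalProtect > Portals > Satellite: a Devices list (serial
numbers) and an Enrollment User/User Group list. The portal walks the list
from the top and delivers the first configuration that matches.
"""
from dataclasses import dataclass


@dataclass
class SatelliteConfig:
    name: str
    serial_numbers: frozenset = frozenset()         # Devices tab
    enrollment_principals: frozenset = frozenset()  # Enrollment User/User Group tab
    gateways: tuple = ()                            # Gateways tab (names only)


def select_config(configs, serial, user=None, groups=()):
    """Return (config, how) for a connecting satellite, or (None, reason).

    Assumption of this model: the portal always looks for the serial number
    first, and only when no configuration lists that serial does it fall back
    to the enrollment user/group, which is when the satellite administrator
    has to enter credentials.
    """
    for cfg in configs:                        # pass 1: serial number, top-down
        if serial in cfg.serial_numbers:
            return cfg, "serial"
    if user is None:                           # no serial match: credentials needed
        return None, "credentials-required"
    principals = {user, *groups}               # user-to-group mapping supplied by caller
    for cfg in configs:                        # pass 2: enrollment user/group, top-down
        if cfg.enrollment_principals & principals:
            return cfg, "user"
    return None, "no-match"


# Constructed sample data: one configuration for a data-center satellite
# matched by serial, one for a named administrator, and one general
# configuration for every member of the branch-admins group.
DC_CONFIG = SatelliteConfig("dc-satellites",
                            serial_numbers=frozenset({"SN-DC-0001"}),
                            gateways=("gw-datacenter",))
ALICE_CONFIG = SatelliteConfig("alice-branch",
                               enrollment_principals=frozenset({"alice"}),
                               gateways=("gw-hq-primary", "gw-hq-backup"))
BRANCH_CONFIG = SatelliteConfig("all-branches",
                                enrollment_principals=frozenset({"branch-admins"}),
                                gateways=("gw-hq-primary",))

GOOD_ORDER = [DC_CONFIG, ALICE_CONFIG, BRANCH_CONFIG]  # specific above general
BAD_ORDER = [DC_CONFIG, BRANCH_CONFIG, ALICE_CONFIG]   # general one moved up too far


def ordering_matters():
    """alice (a member of branch-admins) receives different configurations
    depending on list order; returns the two configuration names."""
    good, _ = select_config(GOOD_ORDER, "SN-UNKNOWN", user="alice", groups=("branch-admins",))
    bad, _ = select_config(BAD_ORDER, "SN-UNKNOWN", user="alice", groups=("branch-admins",))
    return good.name, bad.name


if __name__ == "__main__":
    print(select_config(GOOD_ORDER, "SN-DC-0001"))
    print(ordering_matters())
```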

Step 6. Specify the certificates required to enable satellites to participate in the LSVPN.
1. In the Trusted Root CA field, click Add and then select the CA certificate used to issue the gateway server certificates. The portal will deploy the root CA certificate you add here to all satellites as part of the configuration to enable the satellite to establish an SSL connection with the gateways. As a best practice, all of your gateways should use the same issuer.
2. Select the method of Client Certificate distribution:
   • To store the client certificates on the portal, select Local and, from the Issuing Certificate drop-down, select the Root CA certificate that the portal will use to issue client certificates to satellites upon successfully authenticating them.
     If the root CA certificate used to issue your gateway server certificates is not on the portal, you can Import it now. See Enable SSL Between GlobalProtect LSVPN Components for details on how to import a root CA certificate.
   • To enable the portal to act as a SCEP client to dynamically request and issue client certificates, select SCEP and then select the SCEP profile used to generate CSRs to your SCEP server.
     If you have not yet set up the portal to act as a SCEP client, you can add a New SCEP profile now. See Deploy Client Certificates to the GlobalProtect Satellites Using SCEP for details.
Step 7. Save the portal configuration.
1. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog.
2. Commit your changes.


Prepare the Satellite to Join the LSVPN
To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is minimal, you can pre-configure the satellites before shipping them to your branch offices for installation.
Prepare the Satellite to Join the GlobalProtect LSVPN
Step 1. Configure a Layer 3 interface.
This is the physical interface the satellite will use to connect to the portal and the gateway. This interface must be in a zone that allows access outside of the local trust network. As a best practice, create a dedicated zone for VPN connections for visibility and control over traffic destined for the corporate gateways.
Step 2. Configure the logical tunnel interface for the tunnel to use to establish VPN tunnels with the GlobalProtect gateways.
IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down and select an existing zone or create a separate zone for VPN tunnel traffic by clicking New Zone and defining a Name for the new zone (for example, lsvpnsat).
4. In the Virtual Router drop-down, select default.
5. (Optional) If you want to assign an IP address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 2.2.2.11/24.
6. To save the interface configuration, click OK.
Step 3. If you generated the portal server certificate using a Root CA that is not trusted by the satellites (for example, if you used self-signed certificates), import the root CA certificate used to issue the portal server certificate.
The root CA certificate is required to enable the satellite to establish the initial connection with the portal to obtain the LSVPN configuration.
1. Download the CA certificate that was used to generate the portal server certificates. If you are using self-signed certificates, export the root CA certificate from the portal as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates.
   b. Select the CA certificate and click Export.
   c. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (You do not need to export the private key.)
2. Import the root CA certificate you just exported onto each satellite as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
   b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
   c. Browse to the Certificate File you downloaded from the CA.
   d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
   e. Select the certificate you just imported on the Device Certificates tab to open it.
   f. Select Trusted Root CA and then click OK.
Step4

Step5

Step6

Step7

ConfiguretheIPSectunnel
configuration.

1.

SelectNetwork > IPSec TunnelsandclickAdd.

2.

OntheGeneraltab,enteradescriptiveNamefortheIPSec
configuration.

3.

SelecttheTunnel Interfaceyoucreatedforthesatellite.

4.

SelectGlobalProtect SatelliteastheType.

5.

EntertheIPaddressorFQDNoftheportalasthePortal
Address.

6.

SelecttheLayer3Interfaceyouconfiguredforthesatellite.

7.

SelecttheLocal IP Addresstouseontheselectedinterface.

1.
(Optional)Configurethesatelliteto
publishlocalroutestothegateway.
Pushingroutestothegatewayenables
traffictothesubnetslocaltothesatellite
viathegateway.However,youmustalso
configurethegatewaytoacceptthe
routesasdetailedinStep 8inConfigure
theGateway.

Toenablethesatellitetopushroutestothegateway,onthe
AdvancedtabselectPublish all static and connected routes
to Gateway.
Ifyouselectthischeckbox,thefirewallwillforwardallstatic
andconnectedroutesfromthesatellitetothegateway.
However,topreventthecreationofroutingloops,thefirewall
willapplysomeroutefilters,suchasthefollowing:
Defaultroutes
Routeswithinavirtualrouterotherthanthevirtualrouter
associatedwiththetunnelinterface
Routesusingthetunnelinterface
Routesusingthephysicalinterfaceassociatedwiththe
tunnelinterface

2.

(Optional)Ifyouonlywanttopushroutesforspecificsubnets
ratherthanallroutes,clickAddintheSubnetsectionand
specifywhichsubnetroutestopublish.
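The following added example (not code from the PAN-OS guide or from Palo Alto Networks) models the route filters described in Step 5 so you can predict which satellite routes the gateway will actually receive. The route entries, interface names and virtual-router names are constructed sample data, and the order in which the four filters are applied is an assumption made for illustration.

```python
"""LSVPN satellite route-publication filter, modelled in Python.

Added example, not code from the PAN-OS guide or from Palo Alto Networks: it
reproduces the four loop-prevention filters the text lists for "Publish all
static and connected routes to Gateway", plus the optional per-subnet list.
All route entries, interface names and virtual-router names are constructed
sample data; the filter order is an assumption made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str           # destination, e.g. "10.2.20.0/24"
    source: str           # "static", "connected", "ospf", ...
    virtual_router: str   # virtual router that holds the route
    interface: str        # egress interface of the route


@dataclass(frozen=True)
class SatelliteTunnel:
    tunnel_interface: str    # tunnel interface of the LSVPN IPSec tunnel
    physical_interface: str  # Layer 3 interface the tunnel is sourced from
    virtual_router: str      # virtual router associated with the tunnel interface


def filter_reason(route: Route, tunnel: SatelliteTunnel) -> Optional[str]:
    """Return why the satellite withholds this route, or None if it may be published."""
    if ip_network(route.prefix).prefixlen == 0:
        return "default route"
    if route.virtual_router != tunnel.virtual_router:
        return "route belongs to a different virtual router"
    if route.interface == tunnel.tunnel_interface:
        return "route uses the tunnel interface"
    if route.interface == tunnel.physical_interface:
        return "route uses the physical interface of the tunnel"
    return None


def routes_to_publish(routes: Iterable[Route], tunnel: SatelliteTunnel,
                      subnets: Optional[Iterable[str]] = None) -> List[str]:
    """Prefixes the satellite pushes to the gateway.

    Only static and connected routes are candidates. When `subnets` is given it
    models the Subnet list on the Advanced tab: a route is published only if
    its prefix lies inside one of the listed subnets.
    """
    allowed = [ip_network(s) for s in subnets] if subnets is not None else None
    published = []
    for route in routes:
        if route.source not in ("static", "connected"):
            continue
        if filter_reason(route, tunnel) is not None:
            continue
        net = ip_network(route.prefix)
        if allowed is not None and not any(net.subnet_of(a) for a in allowed):
            continue
        published.append(route.prefix)
    return published


# Constructed sample: a satellite whose LSVPN tunnel.2 rides on ethernet1/1 in
# virtual router "default", with a second virtual router "guest".
TUNNEL = SatelliteTunnel("tunnel.2", "ethernet1/1", "default")
SAMPLE_ROUTES = [
    Route("0.0.0.0/0", "static", "default", "ethernet1/1"),          # default route
    Route("203.0.113.0/24", "connected", "default", "ethernet1/1"),  # tunnel's physical interface
    Route("10.2.10.0/24", "static", "default", "tunnel.2"),          # route via the tunnel itself
    Route("172.16.0.0/16", "static", "guest", "ethernet1/4"),        # other virtual router
    Route("10.2.20.0/24", "connected", "default", "ethernet1/3"),    # local LAN: publish
    Route("10.2.21.0/24", "static", "default", "ethernet1/3"),       # static behind LAN: publish
    Route("10.2.22.0/24", "ospf", "default", "ethernet1/3"),         # not static/connected
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(f"{r.prefix:18} {filter_reason(r, TUNNEL) or 'publish'}")
    print("all:", routes_to_publish(SAMPLE_ROUTES, TUNNEL))
    print("subnet-limited:", routes_to_publish(SAMPLE_ROUTES, TUNNEL, ["10.2.21.0/24"]))
```

Running the block with the sample table shows that only the two LAN prefixes behind ethernet1/3 survive the filters; adding a Subnet entry narrows that further, which is the behaviour to expect when you compare the satellite's published routes with the access routes the gateway accepts in Step 8 of Configure the Gateway.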

Step 6: Save the satellite configuration.
1. Click OK to save the IPSec tunnel settings.
2. Click Commit.

Step 7: If required, provide the credentials to allow the satellite to authenticate to the portal. This step is only required if the portal was unable to find a serial number match in its configuration or if the serial number didn't work. In this case, the satellite will not be able to establish the tunnel with the gateway(s).
1. Select Network > IPSec Tunnels and click the Gateway Info link in the Status column of the tunnel configuration you created for the LSVPN.
2. Click the enter credentials link in the Portal Status field and enter the username and password required to authenticate the satellite to the portal.
   After the satellite successfully authenticates to the portal, it will receive its signed certificate and configuration, which it will use to connect to the gateway(s). You should see the tunnel establish and the Status change to Active.

Verify the LSVPN Configuration
After configuring the portal, gateways, and satellites, verify that the satellites are able to connect to the portal and gateway and establish VPN tunnels with the gateway(s).

Verify the LSVPN Configuration

Step 1: Verify satellite connectivity with the portal.
From the firewall hosting the portal, verify that satellites are successfully connecting by selecting Network > GlobalProtect > Portal and clicking Satellite Info in the Info column of the portal configuration entry.

Step 2: Verify satellite connectivity with the gateway(s).
On each firewall hosting a gateway, verify that satellites are able to establish VPN tunnels by selecting Network > GlobalProtect > Gateways and clicking Satellite Info in the Info column of the gateway configuration entry. Satellites that have successfully established tunnels with the gateway will display on the Active Satellites tab.

Step 3: Verify LSVPN tunnel status on the satellite.
On each firewall hosting a satellite, verify the tunnel status by selecting Network > IPSec Tunnels and verifying that the Status is active, as indicated by a green icon.

LSVPN Quick Configs
The following sections provide step-by-step instructions for configuring some common GlobalProtect LSVPN deployments:
- Basic LSVPN Configuration with Static Routing
- Advanced LSVPN Configuration with Dynamic Routing

Basic LSVPN Configuration with Static Routing
This quick config shows the fastest way to get up and running with LSVPN. In this example, a single firewall at the corporate headquarters site is configured as both a portal and a gateway. Satellites can be quickly and easily deployed with minimal configuration for optimized scalability.

The following workflow shows the steps for setting up this basic configuration:

Quick Config: Basic LSVPN with Static Routing

Step 1: Configure a Layer 3 interface.
In this example, the Layer 3 interface on the portal/gateway requires the following configuration:
- Interface: ethernet1/11
- Security Zone: lsvpn-unt
- IPv4: 203.0.113.11/24

Step 2: On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
To enable visibility into users and groups connecting over the VPN, enable User-ID in the zone where the VPN tunnels terminate.
In this example, the Tunnel interface on the portal/gateway requires the following configuration:
- Interface: tunnel.1
- Security Zone: lsvpn-tun

Step 3: Create the security policy rule to enable traffic flow between the VPN zone where the tunnel terminates (lsvpn-tun) and the trust zone where the corporate applications reside (L3-Trust).

Step 4: Assign an SSL/TLS Service profile to the portal/gateway. The profile must reference a self-signed server certificate. The certificate subject name must match the FQDN or IP address of the Layer 3 interface you create for the portal/gateway.
1. On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components. In this example, the root CA certificate, lsvpn-CA, will be used to issue the server certificate for the portal/gateway. In addition, the portal will use this root CA certificate to sign the CSRs from the satellites.
2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways. Because the portal and gateway are on the same interface in this example, they can share an SSL/TLS Service profile that uses the same server certificate. In this example, the profile is named lsvpn-server.

Step 5: Create a certificate profile.
In this example, the certificate profile lsvpn-profile references the root CA certificate lsvpn-CA. The gateway will use this certificate profile to authenticate satellites attempting to establish VPN tunnels.

Step 6: Configure an authentication profile for the portal to use if the satellite serial number is not available.
1. Create one type of server profile on the portal:
   - Configure a RADIUS Server Profile.
   - Configure a TACACS+ Server Profile.
   - Configure an LDAP Server Profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.
   - Configure a Kerberos Server Profile.
2. Configure an authentication profile. In this example, the profile lsvpn-sat is used to authenticate satellites.

Step 7: Configure the Gateway for LSVPN.
Select Network > GlobalProtect > Gateways and Add a configuration. This example requires the following gateway configuration:
- Interface: ethernet1/11
- IP Address: 203.0.113.11/24
- SSL/TLS Server Profile: lsvpn-server
- Certificate Profile: lsvpn-profile
- Tunnel Interface: tunnel.1
- Primary DNS/Secondary DNS: 4.2.2.1/4.2.2.2
- IP Pool: 2.2.2.111-2.2.2.120
- Access Route: 10.2.10.0/24

Step 8: Configure the Portal for LSVPN.
Select Network > GlobalProtect > Portal and Add a configuration. This example requires the following portal configuration:
- Interface: ethernet1/11
- IP Address: 203.0.113.11/24
- SSL/TLS Server Profile: lsvpn-server
- Authentication Profile: lsvpn-sat

Step 9: Create a GlobalProtect Satellite Configuration.
On the Satellite tab in the portal configuration, Add a Satellite configuration and a Trusted Root CA and specify the CA the portal will use to issue certificates for the satellites. In this example the required settings are as follows:
- Gateway: 203.0.113.11
- Issuing Certificate: lsvpn-CA
- Trusted Root CA: lsvpn-CA

Step 10: Prepare the Satellite to Join the LSVPN.
The satellite configuration in this example requires the following settings:
Interface Configuration
- Layer 3 interface: ethernet1/1, 203.0.113.13/24
- Tunnel interface: tunnel.2
- Zone: lsvpn-sat
Root CA Certificate from Portal
- lsvpn-CA
IPSec Tunnel Configuration
- Tunnel Interface: tunnel.2
- Portal Address: 203.0.113.11
- Interface: ethernet1/1
- Local IP Address: 203.0.113.13/24
- Publish all static and connected routes to Gateway: enabled

Advanced LSVPN Configuration with Dynamic Routing
In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations because access routes will update dynamically. The following example configuration shows how to extend the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.
Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the gateways and the satellites:
- Manual assignment of IP addresses to tunnel interfaces on all gateways and satellites.
- Configuration of OSPF point-to-multipoint (P2MP) on the virtual router on all gateways and satellites. In addition, as part of the OSPF configuration on each gateway, you must manually define the tunnel IP address of each satellite as an OSPF neighbor. Similarly, on each satellite, you must manually define the tunnel IP address of each gateway as an OSPF neighbor.

Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces the maintenance tasks associated with keeping routes up to date as topology changes occur on your network.
The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure OSPF as the dynamic routing protocol for the VPN.

For a basic setup of an LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can then complete the steps in the following workflow to extend the configuration to use dynamic routing rather than static routing.

Quick Config: LSVPN with Dynamic Routing

Step 1: Add an IP address to the tunnel interface configuration on each gateway and each satellite.
Complete the following steps on each gateway and each satellite:
1. Select Network > Interfaces > Tunnel and select the tunnel configuration you created for the LSVPN to open the Tunnel Interface dialog. If you have not yet created the tunnel interface, see Step 2 in Quick Config: Basic LSVPN with Static Routing.
2. On the IPv4 tab, click Add and then enter an IP address and subnet mask. For example, to add an IP address for the gateway tunnel interface you would enter 2.2.2.100/24.
3. Click OK to save the configuration.

Step 2: Configure the dynamic routing protocol on the gateway.
To configure OSPF on the gateway:
1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
3. If you are creating a new area, enter an Area ID on the Type tab.
4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
5. Select p2mp as the Link Type.
6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each satellite, for example 2.2.2.111.
7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
8. Repeat this step each time you add a new satellite to the LSVPN.

Step 3: Configure the dynamic routing protocol on the satellite.
To configure OSPF on the satellite:
1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
3. If you are creating a new area, enter an Area ID on the Type tab.
4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
5. Select p2mp as the Link Type.
6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each GlobalProtect gateway, for example 2.2.2.100.
7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
8. Repeat this step each time you add a new gateway.

Step 4: Verify that the gateways and satellites are able to form router adjacencies.
On each satellite and each gateway, confirm that peer adjacencies have formed and that routing table entries have been created for the peers (that is, the satellites have routes to the gateways and the gateways have routes to the satellites). Select Network > Virtual Router and click the More Runtime Stats link for the virtual router you are using for the LSVPN.
- On the Routing tab, verify that the LSVPN peer has a route.
- On the OSPF > Interface tab, verify that the Type is p2mp.
- On the OSPF > Neighbor tab, verify that the firewalls hosting your gateways have established router adjacencies with the firewalls hosting your satellites and vice versa. Also verify that the Status is Full, indicating that full adjacencies have been established.


Networking
All Palo Alto Networks next-generation firewalls provide a flexible networking architecture that includes support for dynamic routing, switching, and VPN connectivity, and enables you to deploy the firewall into nearly any networking environment. When configuring the Ethernet ports on your firewall, you can choose from virtual wire, Layer 2, or Layer 3 interface deployments. In addition, to allow you to integrate into a variety of network segments, you can configure different types of interfaces on different ports. The Interface Deployments section provides basic information on each type of deployment. For more detailed deployment information, refer to Designing Networks with Palo Alto Networks Firewalls.
The following topics describe networking concepts and how to integrate Palo Alto Networks next-generation firewalls into your network.
- Interface Deployments
- Configure an Aggregate Interface Group
- Use Interface Management Profiles to Restrict Access
- Virtual Routers
- Static Routes
- RIP
- OSPF
- BGP
- Session Settings and Timeouts
- DHCP
- NAT
- NPTv6
- ECMP
- LLDP
- BFD

For information on route distribution, refer to Understanding Route Redistribution and Filtering.

Interface Deployments
A Palo Alto Networks firewall can operate in multiple deployments at once because the deployments occur at the interface level. The following sections describe the supported deployments.
- Virtual Wire Deployments
- Layer 2 Deployments
- Layer 3 Deployments
- Tap Mode Deployments

Virtual Wire Deployments
In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together and should be used only when no switching or routing is needed.
A virtual wire deployment allows the following conveniences:
- Simplifies installation and configuration.
- Does not require any configuration changes to surrounding or adjacent network devices.

The virtual wire deployment shipped as the factory default configuration (default-vwire) binds together Ethernet ports 1 and 2 and allows all untagged traffic. You can, however, use a virtual wire to connect any two ports and configure it to block or allow traffic based on the virtual LAN (VLAN) tags; the VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones and then classify traffic according to a VLAN tag, or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

Figure: Virtual Wire Deployment

Virtual Wire Subinterfaces
Virtual wire subinterfaces provide flexibility in enforcing distinct policies when you need to manage traffic from multiple customer networks. They allow you to separate and classify traffic into different zones (the zones can belong to separate virtual systems, if required) using the following criteria:
- VLAN tags: The example in Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) shows an Internet Service Provider (ISP) using virtual wire subinterfaces with VLAN tags to separate traffic for two different customers.
- VLAN tags in conjunction with IP classifiers (address, range, or subnet): The following example shows an ISP with two separate virtual systems on a firewall that manages traffic from two different customers. On each virtual system, the example illustrates how virtual wire subinterfaces with VLAN tags and IP classifiers are used to classify traffic into separate zones and apply relevant policy for customers from each network.

Virtual Wire Subinterface Workflow

Step 1: Configure two Ethernet interfaces as type virtual wire, and assign these interfaces to a virtual wire.

Step 2: Create subinterfaces on the parent Virtual Wire to separate Customer A and Customer B traffic. Make sure that the VLAN tags defined on each pair of subinterfaces that are configured as virtual wire(s) are identical. This is essential because a virtual wire does not switch VLAN tags.

Step 3: Create new subinterfaces and define IP classifiers. This task is optional and only required if you wish to add additional subinterfaces with IP classifiers for further managing traffic from a customer based on the combination of VLAN tags and a specific source IP address, range or subnet.
You can also use IP classifiers for managing untagged traffic. To do so, you must create a subinterface with the VLAN tag 0, and define subinterface(s) with IP classifiers for managing the untagged traffic.
IP classification may only be used on the subinterfaces associated with one side of the virtual wire. The subinterfaces defined on the corresponding side of the virtual wire must use the same VLAN tag, but must not include an IP classifier.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only)

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) depicts Customer A and Customer B connected to the firewall through one physical interface, ethernet1/1, configured as a Virtual Wire; it is the ingress interface. A second physical interface, ethernet1/2, is also part of the Virtual Wire; it is the egress interface that provides access to the Internet. For Customer A, you also have subinterfaces ethernet1/1.1 (ingress) and ethernet1/2.1 (egress). For Customer B, you have the subinterface ethernet1/1.2 (ingress) and ethernet1/2.2 (egress). When configuring the subinterfaces, you must assign the appropriate VLAN tag and zone in order to apply policies for each customer. In this example, the policies for Customer A are created between Zone1 and Zone2, and policies for Customer B are created between Zone3 and Zone4.
When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this example, a single subinterface matches the VLAN tag on the incoming packet, hence that subinterface is selected. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.
The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers) depicts Customer A and Customer B connected to one physical firewall that has two virtual systems (vsys), in addition to the default virtual system (vsys1). Each virtual system is an independent virtual firewall that is managed separately for each customer. Each vsys has attached interfaces/subinterfaces and security zones that are managed independently.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers)

Vsys1 is set up to use the physical interfaces ethernet1/1 and ethernet1/2 as a virtual wire; ethernet1/1 is the ingress interface and ethernet1/2 is the egress interface that provides access to the Internet. This virtual wire is configured to accept all tagged and untagged traffic with the exception of VLAN tags 100 and 200 that are assigned to the subinterfaces.
Customer A is managed on vsys2 and Customer B is managed on vsys3. On vsys2 and vsys3, the following vwire subinterfaces are created with the appropriate VLAN tags and zones to enforce policy measures.

Customer     Vsys    Vwire Subinterfaces    Zone      VLAN Tag    IP Classifier
Customer A   vsys2   e1/1.1 (ingress)       Zone3     100         None
                     e1/2.1 (egress)        Zone4     100
Customer A   vsys2   e1/1.2 (ingress)       Zone5     100         IP subnet 192.1.0.0/16
                     e1/2.2 (egress)        Zone6     100
Customer A   vsys2   e1/1.3 (ingress)       Zone7     100         IP subnet 192.2.0.0/16
                     e1/2.3 (egress)        Zone8     100
Customer B   vsys3   e1/1.4 (ingress)       Zone9     200         None
                     e1/2.4 (egress)        Zone10    200

When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this case, for Customer A, there are multiple subinterfaces that use the same VLAN tag. Hence, the firewall first narrows the classification to a subinterface based on the source IP address in the packet. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.

For return path traffic, the firewall compares the destination IP address as defined in the IP classifier on the customer-facing subinterface and selects the appropriate virtual wire to route traffic through the correct subinterface.
The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
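The following added example (not code from the PAN-OS guide or from Palo Alto Networks) models the two-stage subinterface selection described above: match the VLAN tag first, then narrow by IP classifier, with the destination address used on the return path. The subinterface table is the one from the figure above (Customer A on vsys2, Customer B on vsys3); the parent Tag Allowed list is constructed, and the rule that a tag-only subinterface receives traffic that matches no classifier is an assumption of this model rather than a behaviour the page states.

```python
"""Virtual wire subinterface classification (VLAN tag, then IP classifier).

Added example, not code from the PAN-OS guide or from Palo Alto Networks. It
models the two-stage selection the text describes: match the VLAN tag of the
incoming frame against the ingress subinterfaces, and when several share the
tag narrow by the source IP against their IP classifiers; for the return path
the destination IP is compared instead. The subinterface table is the one in
the document (vsys2/vsys3); the parent Tag Allowed list is constructed, and
the rule that a tag-only subinterface catches traffic matching no classifier
is an assumption made for this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class VwireSubif:
    ingress: str            # customer-facing subinterface
    egress: str             # Internet-facing subinterface
    ingress_zone: str
    egress_zone: str
    vlan_tag: int           # identical on both sides: a vwire does not switch tags
    classifier: Optional[str] = None   # IP subnet on the customer-facing side only


# Table from the document: Customer A on vsys2 (tag 100), Customer B on vsys3 (tag 200).
SUBIFS = [
    VwireSubif("ethernet1/1.1", "ethernet1/2.1", "Zone3", "Zone4", 100),
    VwireSubif("ethernet1/1.2", "ethernet1/2.2", "Zone5", "Zone6", 100, "192.1.0.0/16"),
    VwireSubif("ethernet1/1.3", "ethernet1/2.3", "Zone7", "Zone8", 100, "192.2.0.0/16"),
    VwireSubif("ethernet1/1.4", "ethernet1/2.4", "Zone9", "Zone10", 200),
]
PARENT_TAG_ALLOWED = [0, 300]   # constructed Tag Allowed list of the parent vwire


def _select(subifs: List[VwireSubif], vlan_tag: int, ip: str) -> Optional[VwireSubif]:
    """Stage 1: VLAN tag match. Stage 2: most specific classifier containing `ip`;
    otherwise fall back to the tag-only subinterface (assumption), else None."""
    by_tag = [s for s in subifs if s.vlan_tag == vlan_tag]
    if not by_tag:
        return None
    addr = ip_address(ip)
    classified = [s for s in by_tag if s.classifier and addr in ip_network(s.classifier)]
    if classified:
        return max(classified, key=lambda s: ip_network(s.classifier).prefixlen)
    tag_only = [s for s in by_tag if s.classifier is None]
    return tag_only[0] if tag_only else None


def classify_ingress(subifs: List[VwireSubif], vlan_tag: int, src_ip: str) -> Optional[VwireSubif]:
    """Customer -> Internet: the classifier is matched against the source IP."""
    return _select(subifs, vlan_tag, src_ip)


def classify_return(subifs: List[VwireSubif], vlan_tag: int, dst_ip: str) -> Optional[VwireSubif]:
    """Internet -> customer: the classifier is matched against the destination IP."""
    return _select(subifs, vlan_tag, dst_ip)


def validate_tags(parent_tag_allowed: List[int], subifs: List[VwireSubif]) -> List[str]:
    """The constraint from the text: a subinterface tag must not also be on the
    parent virtual wire's Tag Allowed list. Returns one message per violation."""
    return [f"tag {s.vlan_tag} on {s.ingress} is also on the parent vwire Tag Allowed list"
            for s in subifs if s.vlan_tag in parent_tag_allowed]


if __name__ == "__main__":
    for tag, src in [(100, "192.1.5.5"), (100, "192.2.8.8"), (100, "10.0.0.1"), (200, "10.0.0.1")]:
        s = classify_ingress(SUBIFS, tag, src)
        print(f"tag {tag} from {src:12} -> {s.ingress if s else 'no subinterface'}")
    print("config errors:", validate_tags(PARENT_TAG_ALLOWED, SUBIFS))
```

A frame tagged 100 from 192.1.5.5 lands on ethernet1/1.2 (Zone5), one from an address outside both classifier subnets falls back to ethernet1/1.1, and the reply to 192.2.8.8 is sent out ethernet1/2.3; running validate_tags with 100 on the parent list reproduces the misconfiguration the note above warns against.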

Layer 2 Deployments
In a Layer 2 deployment, the firewall provides switching between two or more networks. You must assign a group of interfaces to a VLAN object in order for the firewall to switch between them. The firewall performs VLAN tag switching when Layer 2 subinterfaces are attached to a common VLAN object. Choose this option when switching is required.

Figure: Layer 2 Deployment

In a Layer 2 deployment, the firewall rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards it out. The firewall rewrites such BPDUs on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only.
The Cisco switch must have the loopguard disabled for the PVST+ or Rapid PVST+ BPDU rewrite to function properly on the firewall.

Layer 3 Deployments
In a Layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires that you assign an IP address to each interface and configure Virtual Routers to route the traffic. Choose this option when routing is required.

Figure: Layer 3 Deployment

The following Layer 3 interface deployments are also supported:
- Point-to-Point Protocol over Ethernet Support
- DHCP Client

Point-to-Point Protocol over Ethernet Support
You can configure the firewall to be a Point-to-Point Protocol over Ethernet (PPPoE) termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection.
You can choose the PPPoE option and configure the associated settings when an interface is defined as a Layer 3 interface.
PPPoE is not supported in HA active/active mode.

DHCP Client
You can configure the firewall interface to act as a DHCP client and receive a dynamically assigned IP address. The firewall also provides the capability to propagate settings received by the DHCP client interface into a DHCP server operating on the firewall. This is most commonly used to propagate DNS server settings from an Internet service provider to client machines operating on the network protected by the firewall.
DHCP client is not supported in HA active/active mode.

For more information, see DHCP.

Tap Mode Deployments
A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.
The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.
When deployed in tap mode, the firewall is not able to take action, such as block traffic or apply QoS traffic control.

Configure an Aggregate Interface Group
An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue supporting traffic.
By default, interface failure detection is automatic only at the physical layer between directly connected peers. However, if you enable Link Aggregation Control Protocol (LACP), failure detection is automatic at the physical and data link layers regardless of whether the peers are directly connected. LACP also enables automatic failover to standby interfaces if you configured hot spares. All Palo Alto Networks firewalls except the PA-200 and VM-Series platforms support aggregate groups. You can add up to eight aggregate groups per firewall and each group can have up to eight interfaces.
Before configuring an aggregate group, you must configure its interfaces. All the interfaces in an aggregate group must be the same with respect to bandwidth and interface type. The options are:
- Bandwidth: 1Gbps or 10Gbps
- Interface type: HA3, virtual wire, Layer 2, or Layer 3. You can aggregate the HA3 (packet-forwarding) interfaces in an active/active high availability (HA) deployment but only for PA-500, PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls.
This procedure describes configuration steps only for the Palo Alto Networks firewall. You must also configure the aggregate group on the peer device. Refer to the documentation of that device for instructions.

Configure an Aggregate Interface Group

Step 1: Configure the general interface group parameters.
1. Select Network > Interfaces > Ethernet and Add Aggregate Group.
2. In the field adjacent to the read-only Interface Name, enter a number (1-8) to identify the aggregate group.
3. For the Interface Type, select HA, Virtual Wire, Layer2, or Layer3.
4. Configure the remaining parameters for the Interface Type you selected.

Step 2: Configure the LACP settings.
Perform this step only if you want to enable LACP for the aggregate group. You cannot enable LACP for virtual wire interfaces.
1. Select the LACP tab and Enable LACP.
2. Set the Mode for LACP status queries to Passive (the firewall just responds; the default) or Active (the firewall queries peer devices).
   As a best practice, set one LACP peer to active and the other to passive. LACP cannot function if both peers are passive. The firewall cannot detect the mode of its peer device.
3. Set the Transmission Rate for LACP query and response exchanges to Slow (every 30 seconds; the default) or Fast (every second). Base your selection on how much LACP processing your network supports and how quickly LACP peers must detect and resolve interface failures.
4. Select Fast Failover if you want to enable failover to a standby interface in less than one second. By default, the option is disabled and the firewall uses the IEEE 802.1ax standard for failover processing, which takes at least three seconds.
   As a best practice, use Fast Failover in deployments where you might lose critical data during the standard failover interval.
5. Enter the Max Ports (number of interfaces) that are active (1-8) in the aggregate group. If the number of interfaces you assign to the group exceeds the Max Ports, the remaining interfaces will be in standby mode. The firewall uses the LACP Port Priority of each interface you assign (Step 3) to determine which interfaces are initially active and to determine the order in which standby interfaces become active upon failover. If the LACP peers have non-matching port priority values, the values of the peer with the lower System Priority number (default is 32,768; range is 1-65,535) will override the other peer.
6. (Optional) For active/passive firewalls only, select Enable in HA Passive State if you want to enable LACP pre-negotiation for the passive firewall. LACP pre-negotiation enables quicker failover to the passive firewall (for details, see LACP and LLDP Pre-Negotiation for Active/Passive HA).
   If you select this option, you cannot select Same System MAC Address for Active-Passive HA; pre-negotiation requires unique interface MAC addresses on each HA firewall.
7. (Optional) For active/passive firewalls only, select Same System MAC Address for Active-Passive HA and specify a single MAC Address for both HA firewalls. This option minimizes failover latency if the LACP peers are virtualized (appearing to the network as a single device). By default, the option is disabled: each firewall in an HA pair has a unique MAC address.
   If the LACP peers are not virtualized, use unique MAC addresses to minimize failover latency.

Step 3: Assign interfaces to the aggregate group.
Perform the following steps for each interface (1-8) that will be a member of the aggregate group.
1. Select Network > Interfaces > Ethernet and click the interface name to edit it.
2. Set the Interface Type to Aggregate Ethernet.
3. Select the Aggregate Group you just defined.
4. Select the Link Speed, Link Duplex, and Link State.
   As a best practice, set the same link speed and duplex values for every interface in the group. For non-matching values, the firewall defaults to the higher speed and full duplex.
5. (Optional) Enter an LACP Port Priority (default is 32,768; range is 1-65,535) if you enabled LACP for the aggregate group. If the number of interfaces you assign exceeds the Max Ports value of the group, the port priorities determine which interfaces are active or standby. The interfaces with the lower numeric values (higher priorities) will be active.
6. Click OK.

Step 4: If the firewalls have an active/active configuration and you are aggregating HA3 interfaces, enable packet forwarding for the aggregate group.
1. Select Device > High Availability > Active/Active Config and edit the Packet Forwarding section.
2. Select the aggregate group you configured for the HA3 Interface and click OK.

Step 5: Commit your changes and verify the aggregate group status.
1. Click Commit.
2. Select Network > Interfaces > Ethernet.
3. Verify that the Link State column displays a green icon for the aggregate group, indicating that all member interfaces are up. If the icon is yellow, at least one member is down but not all. If the icon is red, all members are down.
4. If you configured LACP, verify that the Features column displays the LACP enabled icon for the aggregate group.
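The following added example (not code from the PAN-OS guide or from Palo Alto Networks) models how Max Ports, LACP Port Priority and System Priority from Steps 2 and 3 decide which members of an aggregate group are active and in which order standbys take over. The interface names and priority values are constructed; breaking a System Priority tie in favour of the local firewall is an assumption of this model, not a behaviour the page documents.

```python
"""LACP active/standby selection for an aggregate interface group.

Added example, not code from the PAN-OS guide or from Palo Alto Networks. It
models what the text says about Max Ports, LACP Port Priority and System
Priority: the lowest port-priority numbers are active, the rest are standby in
priority order, and when port priorities disagree across the link the peer
with the lower System Priority wins. Interface names and priority values are
constructed; breaking a System Priority tie in favour of the local firewall is
an assumption of this model, not a documented behaviour.
"""
from typing import Dict, Iterable, List, Optional, Tuple

DEFAULT_PRIORITY = 32768          # default LACP Port Priority and System Priority


def effective_port_priorities(local_ports: Dict[str, int], local_system_priority: int,
                              peer_system_priority: Optional[int] = None,
                              peer_ports: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Port priorities that decide the active set.

    If the peer advertises a lower System Priority, its per-port values override
    ours for the ports it knows about; otherwise (including a tie, by assumption)
    the local values stand.
    """
    if (peer_system_priority is not None and peer_ports
            and peer_system_priority < local_system_priority):
        return {name: peer_ports.get(name, prio) for name, prio in local_ports.items()}
    return dict(local_ports)


def select_members(ports: Dict[str, int], max_ports: int,
                   failed: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split member interfaces into (active, standby).

    Lower numeric priority = higher priority; ties are broken by interface
    name. Interfaces in `failed` are removed first, so the next standby in
    priority order takes over, which is the failover order the text describes.
    """
    if not 1 <= max_ports <= 8:
        raise ValueError("Max Ports must be 1-8")
    down = set(failed)
    ordered = sorted((n for n in ports if n not in down), key=lambda n: (ports[n], n))
    return ordered[:max_ports], ordered[max_ports:]


# Constructed example: four members, two allowed to be active.
MEMBERS = {
    "ethernet1/1": DEFAULT_PRIORITY,
    "ethernet1/2": 100,
    "ethernet1/3": 200,
    "ethernet1/4": DEFAULT_PRIORITY,
}

if __name__ == "__main__":
    prios = effective_port_priorities(MEMBERS, DEFAULT_PRIORITY)
    print("initial:", select_members(prios, max_ports=2))
    print("after ethernet1/2 fails:", select_members(prios, 2, failed=["ethernet1/2"]))
    # A peer with System Priority 100 insists ethernet1/4 is its most preferred port.
    prios = effective_port_priorities(MEMBERS, DEFAULT_PRIORITY, 100, {"ethernet1/4": 1})
    print("peer overrides:", select_members(prios, 2))
```

With the constructed values ethernet1/2 and ethernet1/3 start active; losing ethernet1/2 promotes ethernet1/1 ahead of ethernet1/4 only because of the name tie-break, which is why the text recommends setting explicit port priorities when the order of hot spares matters. The last call shows a peer with a lower System Priority overriding the local order.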


Use Interface Management Profiles to Restrict Access
An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall interface permits for management traffic. For example, you might want to prevent users from accessing the firewall web interface over the ethernet1/1 interface but allow that interface to receive SNMP queries from your network monitoring system. In this case, you would enable SNMP and disable HTTP/HTTPS in an Interface Management profile and assign the profile to ethernet1/1.
You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). If you do not assign an Interface Management profile to an interface, it denies access for all IP addresses, protocols, and services by default.
The management (MGT) interface does not require an Interface Management profile. You restrict protocols, services, and IP addresses for the MGT interface when you Perform Initial Configuration of the firewall. In case the MGT interface goes down, allowing management access over another interface enables you to continue managing the firewall. However, as a best practice, use additional methods besides Interface Management profiles to prevent unauthorized access over that interface. These methods include role-based access control and access restrictions based on VLANs, virtual routers, or virtual systems.

Configure and Assign an Interface Management Profile

Step 1: Configure the Interface Management profile.
1. Select Network > Network Profiles > Interface Mgmt and click Add.
2. Select the protocols that the interface permits for management traffic: Ping, Telnet, SSH, HTTP, HTTP OCSP, HTTPS, or SNMP.
3. Select the services that the interface permits for management traffic:
   - Response Pages: Use to enable response pages for:
     - Captive Portal: To serve Captive Portal response pages, the firewall leaves ports open on Layer 3 interfaces: port 6080 for NT LAN Manager (NTLM), 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode. For details, see Configure Captive Portal.
     - URL Admin Override: For details, see Configure URL Admin Override.
   - User-ID: Use to Configure Firewalls to Redistribute User Mapping Information.
   - User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP: Use to Configure User-ID to Receive User Mappings from a Syslog Sender over SSL or UDP.
4. (Optional) Add the Permitted IP Addresses that can access the interface. If you don't add entries to the list, the interface has no IP address restrictions.
5. Click OK.

Step 2: Assign the Interface Management profile to an interface.
1. Select Network > Interfaces, select the type of interface (Ethernet, VLAN, Loopback, or Tunnel), and select the interface.
2. Select Advanced > Other info and select the Interface Management Profile you just added.
3. Click OK and Commit.
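The following added example (not code from the PAN-OS guide or from Palo Alto Networks) encodes the rules stated above so a profile can be evaluated before it is assigned: no profile means all management access is denied, only the listed protocols and services are accepted, and an empty Permitted IP Addresses list means no source restriction. The profile and request values are constructed; the Captive Portal ports 6080/6081/6082 are the ones the text gives. A small review() helper flags settings a defender would want to reconsider (cleartext Telnet or HTTP, no IP restriction).

```python
"""Interface Management profile evaluation, modelled in Python.

Added example, not code from the PAN-OS guide or from Palo Alto Networks. It
encodes the rules the text states: an interface without a profile denies all
management access; a profile permits only the protocols and services it lists;
an empty Permitted IP Addresses list means no source restriction. The profile
and request values are constructed; the response-page port numbers
(6080/6081/6082) are the ones given in the text.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

PROTOCOLS = {"ping", "telnet", "ssh", "http", "http-ocsp", "https", "snmp"}
SERVICES = {"response-pages", "user-id", "user-id-syslog-listener-ssl", "user-id-syslog-listener-udp"}
# Ports the firewall leaves open on a Layer 3 interface when Response Pages is enabled.
RESPONSE_PAGE_PORTS = {6080: "NTLM", 6081: "Captive Portal transparent", 6082: "Captive Portal redirect"}
CLEARTEXT = {"telnet", "http"}   # management protocols that expose credentials on the wire


@dataclass(frozen=True)
class InterfaceMgmtProfile:
    name: str
    protocols: FrozenSet[str] = frozenset()
    services: FrozenSet[str] = frozenset()
    permitted_ips: Tuple[str, ...] = ()   # CIDRs; empty = no IP restriction

    def __post_init__(self):
        unknown = (self.protocols - PROTOCOLS) | (self.services - SERVICES)
        if unknown:
            raise ValueError(f"unknown protocol/service: {sorted(unknown)}")


def evaluate(profile: Optional[InterfaceMgmtProfile], what: str, src_ip: str) -> Tuple[bool, str]:
    """Decide whether management traffic `what` (protocol or service) from src_ip
    is accepted on an interface carrying `profile` (None = no profile assigned)."""
    if profile is None:
        return False, "no Interface Management profile: all access denied"
    if what not in profile.protocols and what not in profile.services:
        return False, f"{what} not enabled in profile {profile.name}"
    if profile.permitted_ips:
        addr = ip_address(src_ip)
        if not any(addr in ip_network(c) for c in profile.permitted_ips):
            return False, f"{src_ip} not in Permitted IP Addresses of {profile.name}"
    return True, f"{what} from {src_ip} permitted by {profile.name}"


def review(profile: InterfaceMgmtProfile) -> List[str]:
    """Findings worth a second look before assigning the profile to a data-plane interface."""
    findings = []
    for p in sorted(profile.protocols & CLEARTEXT):
        findings.append(f"{p} is enabled: cleartext management protocol")
    if not profile.permitted_ips and profile.protocols - {"ping"}:
        findings.append("no Permitted IP Addresses: any source may reach the enabled protocols")
    if "response-pages" in profile.services:
        findings.append("response pages enabled: ports " + ", ".join(map(str, RESPONSE_PAGE_PORTS)) + " listen")
    return findings


# Constructed profile for the scenario in the text: SNMP (and ping) from the
# monitoring network only, no web interface, intended for ethernet1/1.
MONITOR_ONLY = InterfaceMgmtProfile("monitor-only", frozenset({"snmp", "ping"}),
                                    frozenset(), ("10.10.5.0/24",))

if __name__ == "__main__":
    for what, src in [("snmp", "10.10.5.5"), ("https", "10.10.5.5"), ("snmp", "192.0.2.9")]:
        print(evaluate(MONITOR_ONLY, what, src))
    print(evaluate(None, "ssh", "10.10.5.5"))
    print(review(InterfaceMgmtProfile("weak", frozenset({"telnet", "https"}))))
```

evaluate() returns the decision together with the reason, which is the same information you would expect to see when troubleshooting why a management connection to a data-plane interface is refused; review() lists the findings for a profile that enables Telnet with no Permitted IP Addresses.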


Virtual Routers
The firewall uses virtual routers to obtain routes to other subnets by manually defining a route (static routes) or through participation in Layer 3 routing protocols (dynamic routes). The best routes obtained through these methods are used to populate the firewall's IP route table. When a packet is destined for a different subnet, the Virtual Router obtains the best route from this IP route table and forwards the packet to the next hop router defined in the table.
The Ethernet interfaces and VLAN interfaces defined on the firewall receive and forward the Layer 3 traffic. The destination zone is derived from the outgoing interface based on the forwarding criteria, and policy rules are consulted to identify the security policies to be applied. In addition to routing to other network devices, virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to another virtual router.
You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
Each Layer 3 interface, loopback interface, and VLAN interface defined on the firewall must be associated with a virtual router. While each interface can belong to only one virtual router, multiple routing protocols and static routes can be configured for a virtual router. Regardless of the static routes and dynamic routing protocols configured for a virtual router, a common general configuration is required. The firewall uses Ethernet switching to reach other devices on the same IP subnet.
The following Layer 3 routing protocols are supported from Virtual Routers:
- RIP
- OSPF
- OSPFv3
- BGP

Define a Virtual Router General Configuration

Step 1: Gather the required information from your network administrator.
- Interfaces that you want to route
- Administrative distances for static, OSPF internal, OSPF external, IBGP, EBGP and RIP

Step 2: Create the virtual router and name it.
1. Select Network > Virtual Routers.
2. Click Add and enter a name for the virtual router.
3. Select interfaces to apply to the virtual router.
4. Click OK.

Step 3: Select interfaces to apply to the virtual router.
1. Click Add in the Interfaces box.
2. Select an already defined interface from the drop-down.
3. Repeat Step 2 for all interfaces that you want to add to the virtual router.

PANOS7.1AdministratorsGuide 687

VirtualRouters

Networking

DefineaVirtualRouterGeneralConfiguration(Continued)
Step4

SetAdministrativeDistancesforstatic
anddynamicrouting.

SetAdministrativeDistancesasrequired.
StaticRangeis10240;defaultis10.
OSPF InternalRangeis10240;defaultis30.
OSPF ExternalRangeis10240;defaultis110.
IBGPRangeis10240;defaultis200.
EBGPRangeis10240;defaultis20.
RIPRangeis10240;defaultis120.

Step5

Savevirtualroutergeneralsettings.

ClickOKtosaveyoursettings.

Step6

Commityourchanges.

ClickCommit.Thefirewallcantakeupto90secondstosaveyour
changes.

Static Routes

The following procedure shows how to integrate the firewall into the network using static routing.

Set Up Interfaces and Zones

Step 1: Configure a default route to your Internet router.
1. Select Network > Virtual Routers and then select the default link to open the Virtual Router dialog.
2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination field (for example, 0.0.0.0/0).
3. Select the IP Address radio button in the Next Hop field and then enter the IP address of your Internet gateway (for example, 208.80.56.1). The next hop must lie in a subnet that is directly connected to an interface of this virtual router; otherwise the route cannot be resolved and is not installed.
4. Click OK twice to save the virtual router configuration.

Step 2: Configure the external interface (the interface that connects to the Internet).
1. Select Network > Interfaces and then select the interface you want to configure. In this example, we are configuring Ethernet1/3 as the external interface.
2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the steps for Layer3.
3. In the Virtual Router dropdown, select default.
4. On the Config tab, select New Zone from the Security Zone dropdown. In the Zone dialog, define a Name for the new zone, for example Untrust, and then click OK.
5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button. Click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 208.80.56.100/24.
6. To enable you to ping the interface, select Advanced > Other Info, expand the Management Profile dropdown, and select New Management Profile. Enter a Name for the profile, select Ping and then click OK. Leave every other protocol and service cleared on this profile; it is attached to the Internet-facing interface.
7. To save the interface configuration, click OK.

Step 3: Configure the interface that connects to your internal network.
In this example, the interface connects to a network segment that uses private IP addresses. Because private IP addresses cannot be routed externally, you will have to configure NAT. See Configure NAT for details.
1. Select Network > Interfaces and select the interface you want to configure. In this example, we are configuring Ethernet1/4 as the internal interface.
2. Select Layer3 from the Interface Type dropdown.
3. On the Config tab, expand the Security Zone dropdown and select New Zone. In the Zone dialog, define a Name for the new zone, for example Trust, and then click OK.
4. Select the same Virtual Router you used in Step 2, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.4/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2, item 6.
7. To save the interface configuration, click OK.

Step 4: Configure the interface that connects to the DMZ.
1. Select the interface you want to configure. In this example, we are configuring Ethernet1/13 as the DMZ interface.
2. Select Layer3 from the Interface Type dropdown.
3. On the Config tab, expand the Security Zone dropdown and select New Zone. In the Zone dialog, define a Name for the new zone, for example DMZ, and then click OK.
4. Select the Virtual Router you used in Step 2, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.1.1.1/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2, item 6.
7. To save the interface configuration, click OK.

Step 5: Save the interface configuration.
Click Commit.

Step 6: Cable the firewall.
Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.

Step 7: Verify that the interfaces are active.
From the web interface, select Network > Interfaces and verify that the icon in the Link State column is green. You can also monitor link state from the Interfaces widget on the Dashboard.
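The Virtual Routers section above describes how the best route per prefix is chosen by administrative distance and how the static route configured in Step 1 depends on a directly connected subnet. The following is an added example that models both, written for this page and not code from the guide or from Palo Alto Networks. It uses the guide's default administrative distances and the three interfaces and default route from the procedure above; the OSPF and RIP routes, the second static route and the treatment of connected routes (assumed here to beat any learned route) are constructed assumptions for the illustration.

```python
"""Virtual-router route selection: administrative distance, next-hop
resolution for static routes, and longest-prefix-match forwarding lookup.

Added example, not code from the PAN-OS guide. Distances are the guide's
defaults; the "connect" distance of 0 is an assumption for this example.
"""
import ipaddress

ADMIN_DISTANCE = {"connect": 0, "static": 10, "ospf-int": 30, "ospf-ext": 110,
                  "ibgp": 200, "ebgp": 20, "rip": 120}

class VirtualRouter:
    def __init__(self, name):
        self.name = name
        self.interfaces = {}   # interface -> ip_interface (address + mask)
        self.candidates = []   # (network, nexthop, protocol, metric, interface)

    def add_interface(self, iface, cidr):
        addr = ipaddress.ip_interface(cidr)
        self.interfaces[iface] = addr
        self.candidates.append((addr.network, None, "connect", 0, iface))

    def add_route(self, destination, nexthop, protocol, metric=10, iface=None):
        nh = ipaddress.ip_address(nexthop) if nexthop else None
        self.candidates.append((ipaddress.ip_network(destination), nh, protocol, metric, iface))

    def resolve_nexthop(self, nexthop):
        """Interface whose connected subnet contains the next hop, or None."""
        ip = ipaddress.ip_address(str(nexthop))
        for iface, addr in self.interfaces.items():
            if ip in addr.network:
                return iface
        return None

    def route_table(self):
        """Best candidate per prefix: lowest admin distance, then lowest metric.
        A static route whose next hop is on no connected subnet is not installed."""
        best = {}
        for net, nh, proto, metric, iface in self.candidates:
            if proto == "static":
                iface = self.resolve_nexthop(nh)
                if iface is None:
                    continue
            rank = (ADMIN_DISTANCE[proto], metric)
            if net not in best or rank < best[net][0]:
                best[net] = (rank, nh, proto, iface)
        return {net: (nh, proto, iface) for net, (_, nh, proto, iface) in best.items()}

    def installed(self):
        return sorted(str(net) for net in self.route_table())

    def lookup(self, dst):
        """Longest-prefix match: returns (prefix, next hop, egress interface)."""
        ip = ipaddress.ip_address(dst)
        matches = [(net, v) for net, v in self.route_table().items() if ip in net]
        if not matches:
            return None
        net, (nh, _proto, iface) = max(matches, key=lambda m: m[0].prefixlen)
        return (str(net), str(nh) if nh else "connected", iface)

def build_example():
    """The topology from the static-route procedure, plus constructed learned routes."""
    vr = VirtualRouter("default")
    vr.add_interface("ethernet1/3", "208.80.56.100/24")    # Untrust
    vr.add_interface("ethernet1/4", "192.168.1.4/24")      # Trust
    vr.add_interface("ethernet1/13", "10.1.1.1/24")        # DMZ
    vr.add_route("0.0.0.0/0", "208.80.56.1", "static")     # Step 1 default route
    # Same prefix from OSPF (distance 30) and RIP (120): OSPF wins despite the higher metric.
    vr.add_route("10.10.0.0/16", "10.1.1.2", "ospf-int", metric=20, iface="ethernet1/13")
    vr.add_route("10.10.0.0/16", "192.168.1.254", "rip", metric=2, iface="ethernet1/4")
    # Static route whose next hop is on no connected subnet: cannot be installed.
    vr.add_route("172.16.0.0/12", "172.31.0.1", "static")
    return vr

if __name__ == "__main__":
    vr = build_example()
    for dst in ("10.10.5.5", "8.8.8.8", "192.168.1.77"):
        print(dst, "->", vr.lookup(dst))
```

The unresolvable 172.16.0.0/12 route is the condition to check first when a static route you configured never appears in the route table.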

RIP

Routing Information Protocol (RIP) is an interior gateway protocol (IGP) that was designed for small IP networks. RIP relies on hop count to determine routes; the best routes have the fewest number of hops. RIP is based on UDP and uses port 520 for route updates. By limiting routes to a maximum of 15 hops, the protocol helps prevent the development of routing loops, but also limits the supported network size. If more than 15 hops are required, traffic is not routed. RIP also can take longer to converge than OSPF and other routing protocols. The firewall supports RIPv2.

Perform the following procedure to configure RIP.

Configure RIP

Step 1: Configure general virtual router configuration settings.
See Virtual Routers for details.

Step 2: Configure general RIP configuration settings.
1. Select the RIP tab.
2. Select Enable to enable the RIP protocol.
3. Select Reject Default Route if you do not want to learn any default routes through RIP. This is the recommended default setting: a default route learned from a neighbor would redirect all of the virtual router's otherwise unmatched traffic to that neighbor.
4. Deselect Reject Default Route if you want to permit redistribution of default routes through RIP.

Step 3: Configure interfaces for the RIP protocol.
1. On the Interfaces tab, click Add in the Interface configuration section.
2. Select an already defined interface from the dropdown.
3. Select Enable.
4. Select Advertise to advertise a default route to RIP peers with the specified metric value.
5. (Optional) Select a profile from the Auth Profile dropdown. See Step 5 for details.
6. Select normal, passive or send-only from the Mode dropdown.
7. Click OK.

Step 4: Configure RIP timers.
1. On the Timers tab, enter a value for Interval Seconds (sec). This setting defines the length, in seconds, of the unit used by the following three RIP timers (range is 1-60; default is 1).
2. Specify the Update Intervals to define the number of intervals between route update announcements (range is 1-3600; default is 30).
3. Specify the Delete Intervals to define the number of intervals between the time that the route expires and its deletion (range is 1-3600; default is 180).
4. Specify the Expire Intervals to define the number of intervals between the time that the route was last updated and its expiration (range is 1-3600; default is 120).
With the defaults (Interval Seconds of 1), updates are sent every 30 seconds, a route expires 120 seconds after its last update, and an expired route is deleted after a further 180 seconds. Use the same timer values on all RIP neighbors on a segment.

Step 5: (Optional) Configure Auth Profiles.
By default, the firewall does not use RIP authentication for the exchange between RIP neighbors. Optionally, you can configure RIP authentication between RIP neighbors by either a simple password or using MD5 authentication. A simple password is transmitted in cleartext in every RIP update and only guards against accidental neighbor misconfiguration; MD5 authentication never sends the key on the wire, so use it wherever the neighbor supports it. Without authentication, any host on the segment can send updates that the firewall will install.

Simple Password RIP authentication
1. Select Auth Profiles and click Add.
2. Enter a name for the authentication profile to authenticate RIP messages.
3. Select Simple Password as the Password Type.
4. Enter a simple password and then confirm.

MD5 RIP authentication
1. Select Auth Profiles and click Add.
2. Enter a name for the authentication profile to authenticate RIP messages.
3. Select MD5 as the Password Type.
4. Click Add.
5. Enter one or more password entries, including:
   - Key-ID (range is 0-255)
   - Key
6. (Optional) Select Preferred status. Configuring more than one key lets you stage a key change: a neighbor verifies an update with whichever key ID the update names, so you can add the new key, mark it Preferred once every neighbor has it, and then remove the old one.
7. Click OK to specify the key to be used to authenticate outgoing messages.
8. Click OK again in the Virtual Router RIP Auth Profile dialog box.
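The difference between the two Password Types in Step 5 is visible on the wire. The following added example (written for this page; not code from the guide or from Palo Alto Networks) builds a RIPv2 response with each authentication entry, shows what a listener on UDP/520 recovers from each, and verifies the keyed-MD5 digest. The packet layout follows RFC 2453 and the keyed-MD5 trailer of RFC 2082; the route, password, key and sequence number are constructed.

```python
"""RIPv2 authentication on the wire: Simple Password versus keyed MD5.

Added example, not code from the PAN-OS guide. Layout per RFC 2453 (RIPv2)
and RFC 2082 (authentication type 3 with a type-1 digest trailer).
"""
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 2, 3, 1

def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))

def route_entry(prefix, mask, nexthop, metric, tag=0):
    """20-byte RIPv2 route entry (AFI 2 = IP)."""
    return struct.pack("!HH4s4s4sI", 2, tag, _ip(prefix), _ip(mask), _ip(nexthop), metric)

def build_simple(password, entries):
    """Simple Password: the password itself rides in the first entry, zero-padded to 16 bytes."""
    pw = password.encode()
    if len(pw) > 16:
        raise ValueError("RIPv2 simple password is at most 16 bytes")
    auth = struct.pack("!HH16s", 0xFFFF, AUTH_SIMPLE, pw)
    return struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0) + auth + b"".join(entries)

def _padded(key):
    return key.encode().ljust(16, b"\0")[:16]

def build_md5(key_id, key, seq, entries):
    """Keyed MD5: the first entry carries key ID, packet length and sequence
    number; a trailer entry carries the digest. The key never goes on the wire."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(entries)
    pkt_len = len(header) + 20 + len(body)          # everything before the trailer
    auth = struct.pack("!HHHBBI8s", 0xFFFF, AUTH_MD5, pkt_len, key_id, 16, seq, b"\0" * 8)
    trailer = struct.pack("!HH", 0xFFFF, AUTH_TRAILER)
    # RFC 2082 3.2.3: MD5 over the packet with the padded key in the trailer's data field
    digest = hashlib.md5(header + auth + body + trailer + _padded(key)).digest()
    return header + auth + body + trailer + digest

def verify_md5(packet, keys):
    """keys: {key_id: key}. True only if the digest matches for the named key ID.
    (A real receiver also enforces a non-decreasing sequence number per neighbor.)"""
    afi, auth_type, pkt_len, key_id = struct.unpack("!HHHB", packet[4:11])
    if afi != 0xFFFF or auth_type != AUTH_MD5 or key_id not in keys:
        return False
    trailer, digest = packet[pkt_len:pkt_len + 4], packet[pkt_len + 4:pkt_len + 20]
    expect = hashlib.md5(packet[:pkt_len] + trailer + _padded(keys[key_id])).digest()
    return hmac.compare_digest(digest, expect)

def sniff_auth(packet):
    """What a passive listener on UDP/520 learns from the authentication entry."""
    afi, auth_type = struct.unpack("!HH", packet[4:8])
    if afi != 0xFFFF:
        return ("none", None)
    if auth_type == AUTH_SIMPLE:
        return ("simple-password", packet[8:24].rstrip(b"\0").decode())
    if auth_type == AUTH_MD5:
        return ("md5", "key-id %d" % packet[10])
    return ("unknown", None)

if __name__ == "__main__":
    routes = [route_entry("10.1.1.0", "255.255.255.0", "0.0.0.0", 1)]   # constructed
    print(sniff_auth(build_simple("s3cret", routes)))
    print(sniff_auth(build_md5(1, "rip-md5-key", 42, routes)))
```

The simple-password packet hands the password to anyone who captures one update; the MD5 packet exposes only the key ID, and changing a single metric byte invalidates the digest.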

OSPF

Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) that is most often used to dynamically manage network routes in large enterprise networks. It determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The information gathered from the LSAs is used to construct a topology map of the network. This topology map is shared across routers in the network and used to populate the IP routing table with available routes.

Changes in the network topology are detected dynamically and used to generate a new topology map within seconds. Each router computes a shortest-path tree rooted at itself. Metrics associated with each routing interface are used to calculate the best route. These can include distance, network throughput, link availability, etc. Additionally, these metrics can be configured statically to direct the outcome of the OSPF topology map.

The Palo Alto Networks implementation of OSPF fully supports the following RFCs:
- RFC 2328 (for IPv4)
- RFC 5340 (for IPv6)

The following topics provide more information about OSPF and procedures for configuring OSPF on the firewall:
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation

Also refer to the How to Configure OSPF TechNote.

OSPF Concepts

The following topics introduce the OSPF concepts you will need to understand in order to configure the firewall to participate in an OSPF network:
- OSPFv3
- OSPF Neighbors
- OSPF Areas
- OSPF Router Types

OSPFv3

OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. It retains most of the structure and functions in OSPFv2 (for IPv4) with some minor changes. The following are some of the additions and changes to OSPFv3:
- Support for multiple instances per link: with OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number, which is carried in the OSPFv3 packet header. An interface that is assigned to an instance ID drops packets that contain a different ID.
- Protocol processing per link: OSPFv3 operates per link instead of per IP subnet as in OSPFv2.
- Changes to addressing: IPv6 addresses are not present in OSPFv3 packets, except for LSA payloads within link state update packets. Neighboring routers are identified by the Router ID.
- Authentication changes: OSPFv3 doesn't include any authentication capabilities of its own; it relies on IPsec. Configuring OSPFv3 on a firewall requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH). The rekeying procedure specified in RFC 4552 is not supported in this release.
- New LSA types: OSPFv3 supports two new LSA types: Link LSA and Intra-Area-Prefix LSA.

All additional changes are described in detail in RFC 5340.

OSPF Neighbors

Two OSPF-enabled routers connected by a common network and in the same OSPF area that form a relationship are OSPF neighbors. The connection between these routers can be through a common broadcast domain or by a point-to-point connection. The relationship is established through the exchange of OSPF hello packets. These neighbor relationships are used to exchange routing updates between routers.

OSPF Areas

OSPF operates within a single autonomous system (AS). Networks within this single AS, however, can be divided into a number of areas. By default, Area 0 is created. Area 0 can either function alone or act as the OSPF backbone for a larger number of areas. Each OSPF area is named using a 32-bit identifier which in most cases is written in the same dotted-decimal notation as an IPv4 address. For example, Area 0 is usually written as 0.0.0.0.

The topology of an area is maintained in its own link-state database and is hidden from other areas, which reduces the amount of routing traffic required by OSPF. The topology is then shared in a summarized form between areas by a connecting router.

OSPF area types:
- Backbone Area: The backbone area (Area 0) is the core of an OSPF network. All other areas are connected to it and all traffic between areas must traverse it. All routing between areas is distributed through the backbone area. While all other OSPF areas must connect to the backbone area, this connection doesn't need to be direct and can be made through a virtual link.
- Normal OSPF Area: In a normal OSPF area there are no restrictions; the area can carry all types of routes.
- Stub OSPF Area: A stub area does not receive routes from other autonomous systems. Routing from the stub area is performed through the default route to the backbone area.
- NSSA Area: The Not-So-Stubby Area (NSSA) is a type of stub area that can import external routes, with some limited exceptions.

OSPF Router Types

Within an OSPF area, routers are divided into the following categories:
- Internal Router: A router that has OSPF neighbor relationships only with devices in the same area.
- Area Border Router (ABR): A router that has OSPF neighbor relationships with devices in multiple areas. ABRs gather topology information from their attached areas and distribute it to the backbone area.
- Backbone Router: A backbone router is any OSPF router that is attached to the OSPF backbone. Since ABRs are always connected to the backbone, they are always classified as backbone routers.
- Autonomous System Boundary Router (ASBR): An ASBR is a router that attaches to more than one routing protocol and exchanges routing information between them.

Configure OSPF

OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The router keeps information about the links between it and the destination and can make highly efficient routing decisions. A cost is assigned to each router interface, and the best routes are determined to be those with the lowest costs, when summed over all the encountered outbound router interfaces and the interface receiving the LSA.

Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs. Because OSPF dynamically processes a considerable amount of route information, it has greater processor and memory requirements than does RIP.
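The shortest-path computation the two paragraphs above describe is Dijkstra's algorithm over the link-state database, with each directed edge costing the Metric configured on the advertising router's outgoing interface. The following added example (written for this page; not code from the guide or from Palo Alto Networks) runs it over a small constructed topology and then shows how raising one interface metric on the firewall moves traffic to the other path. Router names, costs and prefixes are constructed.

```python
"""Shortest-path-first (Dijkstra) over a constructed OSPF link-state database.

Added example, not code from the PAN-OS guide. Each directed edge is the
Metric the advertising router set on its own outgoing interface.
"""
import heapq

# Constructed LSDB: router -> {neighbor: cost of this router's interface towards it}.
LSDB = {
    "fw": {"r1": 10, "r2": 10},
    "r1": {"fw": 10, "r3": 10},
    "r2": {"fw": 10, "r3": 30},
    "r3": {"r1": 10, "r2": 30, "r4": 10},
    "r4": {"r3": 10},
}
# Constructed stub prefixes attached to each router.
PREFIXES = {"r2": ["10.20.0.0/16"], "r3": ["10.30.0.0/16"], "r4": ["10.40.0.0/16"]}

def spf(lsdb, root):
    """Return {router: (total cost, first-hop router)} for the tree rooted at root."""
    tree = {}
    heap = [(0, root, "")]                # (cost so far, router, first hop from root)
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in tree:
            continue                      # a cheaper path already settled this router
        tree[node] = (cost, first_hop or None)
        for nbr, link_cost in lsdb.get(node, {}).items():
            if nbr not in tree:
                heapq.heappush(heap, (cost + link_cost, nbr, first_hop or nbr))
    return tree

def routing_table(lsdb, prefixes, root):
    """Prefix -> (cost, first hop), i.e. what SPF installs in the route table."""
    tree = spf(lsdb, root)
    return {net: tree[rtr] for rtr, nets in prefixes.items() if rtr in tree for net in nets}

def with_interface_metric(lsdb, router, neighbor, metric):
    """Copy of the LSDB after one interface Metric changed and its router LSA flooded."""
    new = {r: dict(links) for r, links in lsdb.items()}
    new[router][neighbor] = metric
    return new

if __name__ == "__main__":
    print(routing_table(LSDB, PREFIXES, "fw"))
    print(routing_table(with_interface_metric(LSDB, "fw", "r1", 50), PREFIXES, "fw"))
```

With the default costs, 10.40.0.0/16 is reached through r1 at cost 30; setting the firewall's interface metric towards r1 to 50 makes the path through r2 (cost 50) the new shortest path, which is the effect of the Metric field in the interface configuration below.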
Configure OSPF

Step 1: Configure general virtual router configuration settings.
See Virtual Routers for details.

Step 2: Enable OSPF.
1. Select the OSPF tab.
2. Select Enable to enable the OSPF protocol.
3. (Optional) Enter the Router ID.
4. Select Reject Default Route if you do not want to learn any default routes through OSPF. This is the recommended default setting. Deselect Reject Default Route if you want to permit redistribution of default routes through OSPF.

Step 3: Configure Areas Type for the OSPF protocol.
1. On the Areas tab, click Add.
2. Enter an Area ID for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.
3. On the Type tab, select one of the following from the area Type dropdown:
   - Normal: There are no restrictions; the area can carry all types of routes.
   - Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
     - Accept Summary: Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
     - Advertise Default Route: Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the range 1-255.
   - NSSA (Not-So-Stubby Area): The firewall can leave the area only by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub, and also configure the following:
     - Type: Select either Ext 1 or Ext 2 route type to advertise the default LSA.
     - Ext Ranges: Click Add in the section to enter ranges of external routes that you want to enable or suppress advertising for.
4. Configure the following:
   - Priority: Enter the OSPF priority for this interface (0-255). This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
   - Auth Profile: Select a previously defined authentication profile.
   - Timing: It is recommended that you keep the default timing settings.
   - Neighbors: For p2mp interfaces, enter the neighbor IP address for all neighbors that are reachable through this interface.
5. Select normal, passive or send-only as the Mode.
6. Click OK.

Step 4: Configure Areas Range for the OSPF protocol.
1. On the Range tab, click Add to aggregate LSA destination addresses in the area into subnets.
2. Advertise or Suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.

Step 5: Configure Areas Interfaces for the OSPF protocol.
1. On the Interface tab, click Add and enter the following information for each interface to be included in the area:
   - Interface: Select an interface from the dropdown.
   - Enable: Selecting this option causes the OSPF interface settings to take effect.
   - Passive: Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database. Use this on interfaces that face segments where no OSPF neighbor should exist (user or DMZ networks, for example), so that a host on that segment cannot form an adjacency with the firewall and inject routes.
   - Link type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
   - Metric: Enter an OSPF metric for this interface (range is 0-65535; default is 10).
   - Priority: Enter an OSPF priority for this interface. This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) (range is 0-255; default is 1). If zero is configured, the router will not be elected as a DR or BDR.
   - Auth Profile: Select a previously defined authentication profile.
   - Timing: The following OSPF timing settings can be set. Palo Alto Networks recommends that you retain the default timing settings. The hello interval and the resulting dead timer must match on both ends of a link, or the adjacency will not form.
     - Hello Interval (sec): Interval (in seconds) at which the OSPF process sends hello packets to its directly connected neighbors (range is 0-3600; default is 10).
     - Dead Counts: Number of times the hello interval can occur for a neighbor without OSPF receiving a hello packet from the neighbor, before OSPF considers that neighbor down (range is 3-20; default is 4). The Hello Interval multiplied by the Dead Counts equals the value of the dead timer.
     - Retransmit Interval (sec): Length of time (in seconds) that OSPF waits to receive a link state advertisement (LSA) from a neighbor before OSPF retransmits the LSA (range is 0-3600; default is 10).
     - Transit Delay (sec): Length of time (in seconds) that an LSA is delayed before it is sent out of an interface (range is 0-3600; default is 1).
     - Graceful Restart Hello Delay (sec): Applies to an OSPF interface when Active/Passive High Availability is configured. Graceful Restart Hello Delay is the length of time (in seconds) during which the firewall sends Grace LSA packets at 1-second intervals (range is 1-10; default is 10). During this time, no hello packets are sent from the restarting firewall. During the restart, the dead timer (which is the Hello Interval multiplied by the Dead Counts) is also counting down. If the dead timer is too short, the adjacency will go down during the graceful restart because of the hello delay. Therefore, it is recommended that the dead timer be at least four times the value of the Graceful Restart Hello Delay. For example, a Hello Interval of 10 seconds and a Dead Counts of 4 yield a dead timer of 40 seconds. If the Graceful Restart Hello Delay is set to 10 seconds, that 10-second delay of hello packets is comfortably within the 40-second dead timer, so the adjacency will not time out during a graceful restart.
   - If p2mp is selected for Link Type, enter the neighbor IP addresses for all neighbors that are reachable through this interface.
2. Click OK.
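The interface fields above carry several constraints that are only discovered after a commit, when the neighbor never reaches full: the ranges listed for each field, the rule that the dead timer should be at least four times the Graceful Restart Hello Delay, and the RFC 2328 requirement that area ID, hello interval, dead interval, network type and authentication match on both ends of a link. The following added example (written for this page; not code from the guide or from Palo Alto Networks) encodes those checks so they can be run against the intended configuration of both sides before committing. Field names follow the guide's interface step; the two interface definitions in the usage are constructed.

```python
"""Pre-commit checks for an OSPF interface and the neighbor it should pair with.

Added example, not code from the PAN-OS guide. Ranges are the ones the guide
lists for an area interface; matching requirements follow RFC 2328.
"""
from dataclasses import dataclass

@dataclass
class OspfInterface:
    name: str
    area_id: str                    # dotted form, for example "0.0.0.0"
    link_type: str = "broadcast"    # broadcast | p2p | p2mp
    hello: int = 10                 # Hello Interval (sec)
    dead_counts: int = 4            # dead timer = hello * dead_counts
    priority: int = 1               # 0 = never elected DR/BDR
    metric: int = 10
    gr_hello_delay: int = 10        # Graceful Restart Hello Delay (sec)
    auth: tuple = ("none", None)    # ("none" | "simple" | "md5", key material)
    passive: bool = False

    @property
    def dead_timer(self) -> int:
        return self.hello * self.dead_counts

# Ranges as listed in the guide's interface step.
RANGES = {"hello": (0, 3600), "dead_counts": (3, 20), "priority": (0, 255),
          "metric": (0, 65535), "gr_hello_delay": (1, 10)}

def check_interface(i: OspfInterface) -> list:
    """Findings for one interface: out-of-range values, graceful-restart timing,
    and authentication choices that weaken the link."""
    out = []
    for fld, (lo, hi) in RANGES.items():
        v = getattr(i, fld)
        if not lo <= v <= hi:
            out.append(f"{i.name}: {fld}={v} outside {lo}-{hi}")
    # Guide: the dead timer should be at least 4x the graceful-restart hello delay.
    if i.dead_timer < 4 * i.gr_hello_delay:
        out.append(f"{i.name}: dead timer {i.dead_timer}s is below 4 x "
                   f"graceful-restart hello delay ({i.gr_hello_delay}s)")
    if i.auth[0] == "simple":
        out.append(f"{i.name}: simple-password authentication is cleartext on the wire")
    if i.auth[0] == "none" and not i.passive:
        out.append(f"{i.name}: no authentication; any host on the link can form an adjacency")
    return out

def check_pair(a: OspfInterface, b: OspfInterface) -> list:
    """Findings that would stop a and b from becoming full neighbors."""
    out = check_interface(a) + check_interface(b)
    pair = f"{a.name}<->{b.name}"
    if a.area_id != b.area_id:
        out.append(f"{pair}: area ID mismatch ({a.area_id} vs {b.area_id})")
    if a.link_type != b.link_type:
        out.append(f"{pair}: link type mismatch ({a.link_type} vs {b.link_type})")
    if (a.hello, a.dead_timer) != (b.hello, b.dead_timer):
        out.append(f"{pair}: timer mismatch (hello/dead {a.hello}/{a.dead_timer} "
                   f"vs {b.hello}/{b.dead_timer})")
    if a.auth != b.auth:
        out.append(f"{pair}: authentication mismatch")
    if a.passive or b.passive:
        out.append(f"{pair}: a passive interface sends no hellos, so no adjacency forms")
    if a.link_type == "broadcast" and a.priority == 0 and b.priority == 0:
        out.append(f"{pair}: both priorities are 0, so no DR/BDR can be elected")
    return out

if __name__ == "__main__":
    # Constructed: the firewall's DMZ interface and the intended neighbor.
    fw = OspfInterface("ethernet1/13", "0.0.0.0", auth=("md5", (1, "k3y")))
    peer = OspfInterface("gi0/1", "0.0.0.1", dead_counts=3, auth=("simple", "pw"))
    for finding in check_pair(fw, peer):
        print(finding)
```

A pair with identical defaults and the same MD5 key returns no findings; the constructed peer above is reported for the area mismatch, the 30-second dead timer (both a mismatch with the firewall's 40 seconds and too short for a 10-second graceful-restart delay), and cleartext authentication.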

Step 6: Configure Areas Virtual Links.
1. On the Virtual Link tab, click Add and enter the following information for each virtual link to be included in the backbone area:
   - Name: Enter a name for the virtual link.
   - Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
   - Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
   - Enable: Select to enable the virtual link.
   - Timing: It is recommended that you keep the default timing settings.
   - Auth Profile: Select a previously defined authentication profile.
2. Click OK.

Step 7: (Optional) Configure Auth Profiles.
By default, the firewall does not use OSPF authentication for the exchange between OSPF neighbors. Optionally, you can configure OSPF authentication between OSPF neighbors by either a simple password or using MD5 authentication. Without authentication, any host on a segment where the firewall sends hellos can form an adjacency and inject routes. Simple password authentication places the password in cleartext in every OSPF packet; MD5 keeps the key off the wire and is the option to prefer. All routers sharing a link must use the same authentication type and key.

Simple Password OSPF authentication
1. On the Auth Profiles tab, click Add.
2. Enter a name for the authentication profile to authenticate OSPF messages.
3. Select Simple Password as the Password Type.
4. Enter a simple password and then confirm.

MD5 OSPF authentication
1. On the Auth Profiles tab, click Add.
2. Enter a name for the authentication profile to authenticate OSPF messages.
3. Select MD5 as the Password Type.
4. Click Add.
5. Enter one or more password entries, including:
   - Key-ID (range is 0-255)
   - Key
   Select the Preferred option to specify that the key be used to authenticate outgoing messages.
6. Click OK.
7. Click OK again in the Virtual Router OSPF Auth Profile dialog box.

Step 8: Configure Advanced OSPF options.
1. On the Advanced tab, select RFC 1583 Compatibility to ensure compatibility with RFC 1583.
2. Configure a value for the SPF Calculation Delay (sec) timer. This timer allows you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF reconvergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
3. Configure a value for the LSA Interval (sec) time. This timer specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce reconvergence times when topology changes occur.

OSPF

Networking

ConfigureOSPFv3
ConfigureOSPFv3
Step1

Configuregeneralvirtualrouter
configurationsettings.

SeeVirtualRoutersfordetails.

Step2

ConfiguregeneralOSPFconfiguration
settings.

1.

SelecttheOSPFtab.

2.

SelectEnabletoenabletheOSPFprotocol.

3.

SelectReject Default Route ifyoudonotwanttolearnany


defaultroutesthroughOSPF.Thisistherecommendeddefault
setting.

4.

ClearReject Default Routeifyouwanttopermitredistribution


ofdefaultroutesthroughOSPF.

Step3

ConfiguregeneralOSPFv3configuration 1.
settings.
2.
3.

Step4

ConfigureAuthProfilefortheOSPFv3
protocol.
WhileOSPFv3doesn'tincludeany
authenticationcapabilitiesofitsown,it
reliesentirelyonIPsectosecure
communicationsbetweenneighbors.

700 PANOS7.1AdministratorsGuide

SelecttheOSPFv3tab.
SelectEnabletoenabletheOSPFprotocol.
SelectReject Default Routeifyoudonotwanttolearnany
defaultroutesthroughOSPFv3Thisistherecommended
defaultsetting.
DeselectReject Default Routeifyouwanttopermit
redistributionofdefaultroutesthroughOSPFv3.

Whenconfiguringanauthenticationprofile,youmustuse
EncapsulatingSecurityPayload(ESP)orIPv6Authentication
Header(AH).
ESPOSPFv3authentication
1.

OntheAuth Profilestab,clickAdd.

2.

Enteranamefortheauthenticationprofiletoauthenticate
OSPFv3messages.

3.

SpecifyaSecurityPolicyIndex(SPI).TheSPImustmatch
betweenbothendsoftheOSPFv3adjacency.TheSPInumber
mustbeahexadecimalvaluebetween00000000and
FFFFFFFF.

4.

SelectESPforProtocol.

5.

SelectaCrypto Algorithmfromthedropdown.
Youcanenternoneoroneofthefollowingalgorithms:SHA1,
SHA256,SHA384,SHA512orMD5.

6.

IfaCrypto Algorithmotherthannonewasselected,entera
valueforKeyandthenconfirm.

PaloAltoNetworks,Inc.

Networking

OSPF

ConfigureOSPFv3(Continued)
AHOSPFv3authentication

Step5

ConfigureAreasTypefortheOSPF
protocol.

PaloAltoNetworks,Inc.

1.

OntheAuth Profilestab,clickAdd.

2.

Enteranamefortheauthenticationprofiletoauthenticate
OSPFv3messages.

3.

SpecifyaSecurityPolicyIndex(SPI).TheSPImustmatch
betweenbothendsoftheOSPFv3adjacency.TheSPInumber
mustbeahexadecimalvaluebetween00000000and
FFFFFFFF.

4.

SelectAHforProtocol.

5.

SelectaCrypto Algorithmfromthedropdown.
Youmustenteroneofthefollowingalgorithms:SHA1,
SHA256,SHA384,SHA512orMD5.

6.

EnteravalueforKeyandthenconfirm.

7.

ClickOK.

8.

ClickOKagainintheVirtualRouterOSPFAuthProfiledialog.
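What the AH profile fields mean in practice: the receiver looks up the incoming SPI in its table of manually keyed security associations, recomputes the keyed hash with the algorithm and key stored for that SPI, and drops the packet if the integrity check value does not match. The following added example (written for this page; not code from the guide or from Palo Alto Networks) models that check for a constructed OSPFv3 Hello. ICV lengths follow RFC 2403/2404 (HMAC-MD5-96, HMAC-SHA1-96) and RFC 4868 (HMAC-SHA-256-128, -384-192, -512-256). Two simplifications are assumptions made for the example: the HMAC covers only the AH header (ICV zeroed) and the OSPFv3 payload, whereas a real AH implementation also covers the immutable IPv6 header fields, and the OSPFv3 checksum is left at zero. The SPI, key and Router ID are constructed.

```python
"""Manually keyed AH integrity check for OSPFv3, mapping the Auth Profile
fields (SPI, Protocol AH, Crypto Algorithm, Key) onto what gets verified.

Added example, not code from the PAN-OS guide. Simplified coverage
(AH header + OSPFv3 payload only) is an assumption for this example.
"""
import hashlib
import hmac
import struct

OSPF_PROTOCOL = 89                       # next-header value carried in AH
ICV_BITS = {"md5": 96, "sha1": 96, "sha256": 128, "sha384": 192, "sha512": 256}

def ospfv3_hello(router_id, area_id, hello=10, dead=40, instance_id=0):
    """Constructed RFC 5340 header (16 bytes) plus Hello body (20 bytes); checksum 0."""
    body = struct.pack("!IB3sHHII", 1, 1, b"\x00\x00\x13", hello, dead, 0, 0)
    hdr = struct.pack("!BBHIIHBB", 3, 1, 16 + len(body), router_id, area_id, 0, instance_id, 0)
    return hdr + body

def _icv(alg, key, data):
    return hmac.new(key, data, getattr(hashlib, alg)).digest()[: ICV_BITS[alg] // 8]

def _ah_geometry(alg):
    """(ICV length, ICV field length padded so the whole AH is a multiple of 8 bytes)."""
    icv_len = ICV_BITS[alg] // 8
    return icv_len, icv_len + (-(12 + icv_len) % 8)

def build_ah(spi, seq, alg, key, payload):
    """AH header + ICV + OSPFv3 payload, as the sending neighbor emits it."""
    icv_len, padded = _ah_geometry(alg)
    payload_len = (12 + padded) // 4 - 2          # RFC 4302: 32-bit words minus 2
    hdr = struct.pack("!BBHII", OSPF_PROTOCOL, payload_len, 0, spi, seq)
    icv = _icv(alg, key, hdr + b"\0" * padded + payload)
    return hdr + icv.ljust(padded, b"\0") + payload

def verify_ah(packet, sa_table):
    """sa_table: {spi: (alg, key)}. Returns the OSPFv3 payload, or None when the
    SPI is unknown, the key is wrong, or any covered byte was altered."""
    nxt, payload_len, _, spi, _seq = struct.unpack("!BBHII", packet[:12])
    if nxt != OSPF_PROTOCOL or spi not in sa_table:
        return None
    alg, key = sa_table[spi]
    icv_len, padded = _ah_geometry(alg)
    if (payload_len + 2) * 4 - 12 != padded:
        return None
    icv, payload = packet[12:12 + icv_len], packet[12 + padded:]
    if not hmac.compare_digest(icv, _icv(alg, key, packet[:12] + b"\0" * padded + payload)):
        return None
    return payload

if __name__ == "__main__":
    sa = {0x00001000: ("sha256", b"area0-shared-key")}        # constructed profile
    pkt = build_ah(0x00001000, 1, "sha256", sa[0x00001000][1], ospfv3_hello(0x0A010101, 0))
    print("accepted" if verify_ah(pkt, sa) else "dropped")
    print("accepted" if verify_ah(pkt, {0x00002000: sa[0x00001000]}) else "dropped (SPI mismatch)")
```

A neighbor configured with a different SPI, a different key, or a different algorithm never passes the check, which is why the profile must be entered identically on every router on the link.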

Step 5: Configure Areas Type for the OSPFv3 protocol.
1. On the Areas tab, click Add.
2. Enter an Area ID. This is the identifier that each neighbor must accept to be part of the same area.
3. On the General tab, select one of the following from the area Type dropdown:
   - Normal: There are no restrictions; the area can carry all types of routes.
   - Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
     - Accept Summary: Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
     - Advertise Default Route: Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the range 1-255.
   - NSSA (Not-So-Stubby Area): The firewall can leave the area only by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub, and also configure the following:
     - Type: Select either Ext 1 or Ext 2 route type to advertise the default LSA.
     - Ext Ranges: Click Add in the section to enter ranges of external routes that you want to enable or suppress advertising for.

Step 6: Associate an OSPFv3 authentication profile to an area or an interface.
To an area:
1. On the Areas tab, select an existing area from the table.
2. On the General tab, select a previously defined authentication profile from the Authentication dropdown.
3. Click OK.
To an interface:
1. On the Areas tab, select an existing area from the table.
2. Select the Interface tab and click Add.
3. Select the authentication profile you want to associate with the OSPF interface from the Auth Profile dropdown.

Step 7: (Optional) Configure Export Rules.
1. On the Export tab, click Add.
2. Select Allow Redistribute Default Route to permit redistribution of default routes through OSPFv3.
3. Select the name of a redistribution profile. The value must be an IP subnet or valid redistribution profile name.
4. Select the New Path Type to apply to the redistributed routes.
5. Specify a New Tag for the matched route; the tag is a 32-bit value.
6. Assign a metric for the new rule (range is 1-65535).
7. Click OK.

Step 8: Configure Advanced OSPFv3 options.
1. On the Advanced tab, select Disable Transit Routing for SPF Calculation if you want the firewall to participate in OSPF topology distribution without being used to forward transit traffic.
2. Configure a value for the SPF Calculation Delay (sec) timer. This timer allows you to tune the delay time between receiving new topology information and performing an SPF calculation. Lower values enable faster OSPF reconvergence. Routers peering with the firewall should be tuned in a similar manner to optimize convergence times.
3. Configure a value for the LSA Interval (sec) time. This timer specifies the minimum time between transmissions of two instances of the same LSA (same router, same type, same LSA ID). This is equivalent to MinLSInterval in RFC 2328. Lower values can be used to reduce reconvergence times when topology changes occur.
4. (Optional) Configure OSPF Graceful Restart.
ConfigureOSPFGracefulRestart
OSPFGracefulRestartdirectsOSPFneighborstocontinueusingroutesthroughadeviceduringashort
transitionwhenitisoutofservice.Thisbehaviorincreasesnetworkstabilitybyreducingthefrequencyof
routingtablereconfigurationandtherelatedrouteflappingthatcanoccurduringshortperiodicdowntimes.

702 PANOS7.1AdministratorsGuide

PaloAltoNetworks,Inc.

Networking

OSPF

ForaPaloAltoNetworksfirewall,OSPFGracefulRestartinvolvesthefollowingoperations:

FirewallasarestartingdeviceInasituationwherethefirewallwillbedownforashortperiodoftime
orisunavailableforshortintervals,itsendsGraceLSAstoitsOSPFneighbors.Theneighborsmustbe
configuredtoruninGracefulRestartHelpermode.InHelperMode,theneighborsreceivetheGrace
LSAsthatinformitthatthefirewallwillperformagracefulrestartwithinaspecifiedperiodoftime
definedastheGracePeriod.Duringthegraceperiod,theneighborcontinuestoforwardroutesthrough
thefirewallandtosendLSAsthatannounceroutesthroughthefirewall.Ifthefirewallresumesoperation
beforeexpirationofthegraceperiod,trafficforwardingwillcontinueasbeforewithoutnetwork
disruption.Ifthefirewalldoesnotresumeoperationafterthegraceperiodhasexpired,theneighborswill
exithelpermodeandresumenormaloperation,whichwillinvolvereconfiguringtheroutingtableto
bypassthefirewall.
FirewallasaGracefulRestartHelperInasituationwhereneighboringroutersmaybedownforashort
periodsoftime,thefirewallcanbeconfiguredtooperateinGracefulRestartHelpermode.Ifconfigured
inthismode,thefirewallwillbeconfiguredwithaMaxNeighborRestartTime.Whenthefirewall
receivestheGraceLSAsfromitsOSPFneighbor,itwillcontinuetoroutetraffictotheneighborand
advertiseroutesthroughtheneighboruntileitherthegraceperiodormaxneighborrestarttimeexpires.
Ifneitherexpiresbeforetheneighborreturnstoservice,trafficforwardingcontinuesasbeforewithout
networkdisruption.Ifeitherperiodexpiresbeforetheneighborreturnstoservice,thefirewallwillexit
helpermodeandresumenormaloperation,whichwillinvolvereconfiguringtheroutingtabletobypass
theneighbor.

ConfigureOSPFGracefulRestart
1.

SelectNetwork > Virtual Routersandselectthevirtualrouteryouwanttoconfigure.

2.

SelectOSPF > Advanced.

3.

Verifythatthefollowingareselected(theyareenabledbydefault):
Enable Graceful Restart
Enable Helper Mode
Enable Strict LSA checking
Theseshouldremainselectedunlessrequiredbyyourtopology.

4.

ConfigureaGrace Periodinseconds.

5.

ConfigureaMax Neighbor Restart Timeinseconds.

ConfirmOSPFOperation
OnceanOSPFconfigurationhasbeencommitted,youcanuseanyofthefollowingoperationstoconfirm
thatOSPFisoperating:

ViewtheRoutingTable

ConfirmOSPFAdjacencies

ConfirmthatOSPFConnectionsareEstablished

PaloAltoNetworks,Inc.

PANOS7.1AdministratorsGuide 703

OSPF

Networking

View the Routing Table
By viewing the routing table, you can see whether OSPF routes have been established. The routing table is accessible from either the web interface or the CLI. If you are using the CLI, use the following commands:

show routing route

show routing fib

The following procedure describes how to use the web interface to view the routing table.

View the Routing Table

1. Select Network > Virtual Routers and, in the same row as the virtual router you are interested in, click the More Runtime Stats link.

2. Select Routing > Route Table and examine the Flags column of the routing table for routes that were learned by OSPF.

Confirm OSPF Adjacencies
By viewing the Neighbor tab as described in the following procedure, you can confirm that OSPF adjacencies have been established.

View the Neighbor Tab to Confirm OSPF Adjacencies

1. Select Network > Virtual Routers and, in the same row as the virtual router you are interested in, click the More Runtime Stats link.

2. Select OSPF > Neighbor and examine the Status column to determine if OSPF adjacencies have been established.

Confirm that OSPF Connections are Established
By viewing the system log, you can confirm that OSPF connections have been established, as described in the following procedure:

Examine the System Log

1. Select Monitor > System and look for messages to confirm that OSPF adjacencies have been established.

2. Select OSPF > Neighbor and examine the Status column to determine if OSPF adjacencies have been established (are full).


BGP
Border Gateway Protocol (BGP) is the primary Internet routing protocol. BGP determines network reachability based on IP prefixes that are available within autonomous systems (AS), where an AS is a set of IP prefixes that a network provider has designated to be part of a single routing policy.
In the routing process, connections are established between BGP peers (or neighbors). If a route is permitted by the policy, it is stored in the routing information base (RIB). Each time the local firewall RIB is updated, the firewall determines the optimal routes and sends an update to the external RIB, if export is enabled.
Conditional advertisement is used to control how BGP routes are advertised. The BGP routes must satisfy conditional advertisement rules before being advertised to peers.
BGP supports the specification of aggregates, which combine multiple routes into a single route. During the aggregation process, the first step is to find the corresponding aggregation rule by performing a longest match that compares the incoming route with the prefix values for other aggregation rules.
For more information on BGP, refer to the How to Configure BGP Tech Note.
The firewall provides a complete BGP implementation, which includes the following features:

Specification of one BGP routing instance per virtual router.
Routing policies based on route map to control import, export and advertisement, prefix-based filtering, and address aggregation.
Advanced BGP features that include route reflector, AS confederation, route flap dampening, and graceful restart.
IGP-BGP interaction to inject routes to BGP using redistribution profiles.

BGP configuration consists of the following elements:

Per-routing-instance settings, which include basic parameters such as local route ID and local AS and advanced options such as path selection, route reflector, AS confederation, route flap, and dampening profiles.
Authentication profiles, which specify the MD5 authentication key for BGP connections.
Peer group and neighbor settings, which include neighbor address and remote AS and advanced options such as neighbor attributes and connections.
Routing policy, which specifies rule sets that peer groups and peers use to implement imports, exports, conditional advertisements, and address aggregation controls.

Perform the following procedure to configure BGP.
Configure BGP

Step 1
Configure general virtual router configuration settings.
See Virtual Routers for details.

Step 2
Configure standard BGP configuration settings.

1. Select the BGP tab.

2. Select Enable to enable the BGP protocol.

3. For Router ID, assign an IP address to the virtual router.

4. For AS Number, enter the number of the AS to which the virtual router belongs, based on the router ID. Range is 1-4294967295.

Step 3
Configure general BGP configuration settings.

1. Select BGP > General.

2. Select Reject Default Route to ignore any default routes that are advertised by BGP peers.

3. Select Install Route to install BGP routes in the global routing table.

4. Select Aggregate MED to enable route aggregation even when routes have different Multi-Exit Discriminator (MED) values.

5. Enter a value for the Default Local Preference that specifies a value that can be used to determine preferences among different paths.

6. Select one of the following values for the AS format for interoperability purposes:
   2 Byte (default value)
   4 Byte

7. Enable or disable each of the following values for Path Selection:
   Always Compare MED: Enable this comparison to choose paths from neighbors in different autonomous systems.
   Deterministic MED Comparison: Enable this comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same autonomous system).

8. Click Add to include a new authentication profile and configure the following settings:
   Profile Name: Enter a name to identify the profile.
   Secret/Confirm Secret: Enter and confirm a passphrase for BGP peer communications.

Step 4
(Optional) Configure BGP Advanced settings.

1. On the Advanced tab, select Graceful Restart and configure the following timers:
   Stale Route Time (sec): Specifies the length of time in seconds that a route can stay in the stale state (range is 1-3600; default is 120).
   Local Restart Time (sec): Specifies the length of time in seconds that the local device waits to restart. This value is advertised to peers (range is 1-3600; default is 120).
   Max Peer Restart Time (sec): Specifies the maximum length of time in seconds that the local device accepts as a grace period restart time for peer devices (range is 1-3600; default is 120).

2. Specify an IPv4 identifier to represent the reflector cluster in the Reflector Cluster ID box.

3. Specify the identifier for the AS confederation to be presented as a single AS to external BGP peers in the Confederation Member AS box.

4. Click Add and enter the following information for each Dampening Profile that you want to configure, select Enable, and click OK:
   Profile Name: Enter a name to identify the profile.
   Cutoff: Specify a route withdrawal threshold above which a route advertisement is suppressed (range is 0.0-1000.0; default is 1.25).
   Reuse: Specify a route withdrawal threshold below which a suppressed route is used again (range is 0.0-1000.0; default is 5).
   Max Hold Time (sec): Specify the maximum length of time in seconds that a route can be suppressed, regardless of how unstable it has been (range is 0-3600 seconds; default is 900).
   Decay Half Life Reachable (sec): Specify the length of time in seconds after which a route's stability metric is halved if the route is considered reachable (range is 0-3600 seconds; default is 300).
   Decay Half Life Unreachable (sec): Specify the length of time in seconds after which a route's stability metric is halved if the route is considered unreachable (range is 0-3600; default is 300).

5. Click OK.

Step 5
Configure the BGP peer group.

1. Select the Peer Group tab and click Add.

2. Enter a Name for the peer group and select Enable.

3. Select Aggregated Confed AS Path to include a path to the configured aggregated confederation AS.

4. Select Soft Reset with Stored Info to perform a soft reset of the firewall after updating the peer settings.

5. Specify the type of peer or group from the Type drop-down and configure the associated settings (see below in this table for descriptions of Import Next Hop and Export Next Hop).
   IBGP - Export Next Hop: Specify Original or Use self.
   EBGP Confed - Export Next Hop: Specify Original or Use self.
   EBGP - Import Next Hop: Specify Original or Use self. Export Next Hop: Specify Resolve or Use self. Select Remove Private AS if you want to force BGP to remove private AS numbers.

6. Click OK to save.

Step 6
Configure Import and Export rules.
The import/export rules are used to import/export routes from/to other routers, for example, importing the default route from your Internet Service Provider.

1. Select the Import tab, then click Add, enter a name in the Rules field, and select Enable.

2. Click Add and select the Peer Group from which the routes will be imported.

3. Click the Match tab and define the options used to filter routing information. You can also define the Multi-Exit Discriminator (MED) value and a next hop value to routers or subnets for route filtering. The MED option is an external metric that lets neighbors know about the preferred path into an AS. A lower value is preferred over a higher value.

4. Click the Action tab and define the action that should occur (allow/deny) based on the filtering options defined in the Match tab. If Deny is selected, no further options need to be defined. If the Allow action is selected, define the other attributes.

5. Click the Export tab and define export attributes, which are similar to the Import settings, but are used to control route information that is exported from the firewall to neighbors.

6. Click OK to save.

Step 7
Configure conditional advertising, which allows you to control what route to advertise in the event that a different route is not available in the local BGP routing table (LocRIB), indicating a peering or reachability failure.
This is useful in cases where you want to try to force routes to one AS over another, for example if you have links to the Internet through multiple ISPs and you want traffic to be routed to one provider instead of the other unless there is a loss of connectivity to the preferred provider.

1. Select the Conditional Adv tab, click Add and enter a name in the Policy field.

2. Select Enable.

3. Click Add and in the Used By section enter the peer group(s) that will use the conditional advertisement policy.

4. Select the Non Exist Filter tab and define the network prefix(es) of the preferred route. This specifies the route that you want to advertise, if it is available in the local BGP routing table. If a prefix is going to be advertised and matches a Non Exist filter, the advertisement will be suppressed.

5. Select the Advertise Filters tab and define the prefix(es) of the route in the Local RIB routing table that should be advertised in the event that the route in the non-exist filter is not available in the local routing table. If a prefix is going to be advertised and does not match a Non Exist filter, the advertisement will occur.

Step 8
Configure aggregate options to summarize routes in the BGP configuration.
BGP route aggregation is used to control how BGP aggregates addresses. Each entry in the table results in one aggregate address being created. This will result in an aggregate entry in the routing table when at least one more specific route matching the address specified is learned.

1. Select the Aggregate tab, click Add and enter a name for the aggregate address.

2. In the Prefix field, enter the network prefix that will be the primary prefix for the aggregated prefixes.

3. Select the Suppress Filters tab and define the attributes that will cause the matched routes to be suppressed.

4. Select the Advertise Filters tab and define the attributes that will cause the matched routes to always be advertised to peers.

Step 9
Configure redistribution rules.
This rule is used to redistribute host routes and unknown routes that are not on the local RIB to the peer routers.

1. Select the Redist Rules tab and click Add.

2. In the Name field, enter an IP subnet or select a redistribution profile. You can also configure a new redistribution profile from the drop-down if needed.

3. Click Enable to enable the rule.

4. In the Metric field, enter the route metric that will be used for the rule.

5. In the Set Origin drop-down, select incomplete, igp, or egp.

6. (Optional) Set MED, local preference, AS path limit and community values.
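The Dampening Profile fields in Step 4 (Cutoff, Reuse, Max Hold Time, and the two Decay Half Life values) are easiest to understand by simulating a flapping route. The following is an added example, not code from the PAN-OS guide or from Palo Alto Networks; the penalty of 1.0 per withdrawal and the profile values used in demo() are constructed for the demonstration, not the guide's defaults.

```python
from dataclasses import dataclass
from typing import Optional

# Penalty added each time the route is withdrawn. Assumed for this example;
# the guide does not state the per-withdrawal increment.
WITHDRAWAL_PENALTY = 1.0


@dataclass
class DampeningProfile:
    """Mirrors the Dampening Profile fields described in Step 4 (seconds)."""
    cutoff: float                   # suppress once the penalty exceeds this
    reuse: float                    # release once the penalty drops below this
    max_hold_time: int              # longest a route may stay suppressed
    decay_half_life_reachable: int
    decay_half_life_unreachable: int


@dataclass
class RouteState:
    penalty: float = 0.0            # the route's instability metric
    reachable: bool = True
    suppressed: bool = False
    suppressed_since: Optional[float] = None
    last_update: float = 0.0


def _decay(state: RouteState, profile: DampeningProfile, now: float) -> None:
    """Halve the penalty once per half-life; which half-life applies depends on
    whether the route is currently reachable."""
    half_life = (profile.decay_half_life_reachable if state.reachable
                 else profile.decay_half_life_unreachable)
    elapsed = now - state.last_update
    if half_life > 0 and elapsed > 0:
        state.penalty *= 0.5 ** (elapsed / half_life)
    state.last_update = now


def _update_suppression(state: RouteState, profile: DampeningProfile, now: float) -> None:
    if state.suppressed:
        held = now - state.suppressed_since
        # Release on the Reuse threshold, or when Max Hold Time caps suppression.
        if state.penalty < profile.reuse or held >= profile.max_hold_time:
            state.suppressed = False
            state.suppressed_since = None
    elif state.penalty > profile.cutoff:
        state.suppressed = True
        state.suppressed_since = now


def apply_event(state: RouteState, profile: DampeningProfile, now: float, event: str) -> bool:
    """Record a BGP UPDATE ('withdraw' or 'announce') for the route at time `now`.
    Returns True if the route is suppressed after the event."""
    _decay(state, profile, now)
    if event == "withdraw":
        state.penalty += WITHDRAWAL_PENALTY
        state.reachable = False
    elif event == "announce":
        state.reachable = True
    else:
        raise ValueError(f"unknown event {event!r}")
    _update_suppression(state, profile, now)
    return state.suppressed


def advertisable(state: RouteState, profile: DampeningProfile, now: float) -> bool:
    """True if the route is reachable and not dampened at time `now`."""
    _decay(state, profile, now)
    _update_suppression(state, profile, now)
    return state.reachable and not state.suppressed


def demo() -> dict:
    """Constructed flap sequence (profile values are not the guide's defaults):
    five updates 10 s apart push the penalty over the cutoff on the third
    withdrawal; the route is released once the penalty has decayed below Reuse."""
    profile = DampeningProfile(cutoff=2.0, reuse=0.75, max_hold_time=900,
                               decay_half_life_reachable=300,
                               decay_half_life_unreachable=300)
    route = RouteState()
    events = [(0, "withdraw"), (10, "announce"), (20, "withdraw"),
              (30, "announce"), (40, "withdraw")]
    suppressed_after = [apply_event(route, profile, t, ev) for t, ev in events]
    penalty_at_40 = route.penalty
    adv_at_300 = advertisable(route, profile, 300)      # still suppressed
    apply_event(route, profile, 1000, "announce")       # penalty has decayed
    adv_at_1000 = advertisable(route, profile, 1000)
    return {"suppressed_after_each": suppressed_after,
            "penalty_at_40": penalty_at_40,
            "advertisable_at_300": adv_at_300,
            "advertisable_at_1000": adv_at_1000}


if __name__ == "__main__":
    print(demo())
```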


Session Settings and Timeouts
This section describes the global settings that affect TCP, UDP, and ICMPv6 sessions, in addition to IPv6, NAT64, NAT oversubscription, jumbo frame size, MTU, accelerated aging, and Captive Portal authentication. There is also a setting (Rematch Sessions) that allows you to apply newly configured security policies to sessions that are already in progress.
The first few topics below provide brief summaries of the Transport Layer of the OSI model, TCP, UDP, and ICMP. For more information about the protocols, refer to their respective RFCs. The remaining topics describe the session timeouts and settings.

Transport Layer Sessions

TCP

UDP

ICMP

Configure Session Timeouts

Configure Session Settings

Prevent TCP Split Handshake Session Establishment

Transport Layer Sessions
A network session is an exchange of messages that occurs between two or more communication devices, lasting for some period of time. A session is established and is torn down when the session ends. Different types of sessions occur at three layers of the OSI model: the Transport layer, the Session layer, and the Application layer.
The Transport Layer operates at Layer 4 of the OSI model, providing reliable or unreliable, end-to-end delivery and flow control of data. Internet protocols that implement sessions at the Transport layer include Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

TCP
Transmission Control Protocol (TCP) (RFC 793) is one of the main protocols in the Internet Protocol (IP) suite, and is so prevalent that it is frequently referenced together with IP as TCP/IP. TCP is considered a reliable transport protocol because it provides error checking while transmitting and receiving segments, acknowledges segments received, and reorders segments that arrive in the wrong order. TCP also requests and provides retransmission of segments that were dropped. TCP is stateful and connection-oriented, meaning a connection between the sender and receiver is established for the duration of the session. TCP provides flow control of packets, so it can handle congestion over networks.
TCP performs a handshake during session setup to initiate and acknowledge a session. After the data is transferred, the session is closed in an orderly manner, where each side transmits a FIN packet and acknowledges it with an ACK packet. The handshake that initiates the TCP session is often a three-way handshake (an exchange of three messages) between the initiator and the listener, or it could be a variation, such as a four-way or five-way split handshake or a simultaneous open. The TCP Split Handshake Drop explains how to Prevent TCP Split Handshake Session Establishment.
Applications that use TCP as their transport protocol include Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Secure Shell (SSH).
The following topics describe details of the PAN-OS implementation of TCP.

TCP Half Closed and TCP Time Wait Timers

Unverified RST Timer

TCP Split Handshake Drop

Maximum Segment Size (MSS)

TCP Half Closed and TCP Time Wait Timers
The TCP connection termination procedure uses a TCP Half Closed timer, which is triggered by the first FIN the firewall sees for a session. The timer is named TCP Half Closed because only one side of the connection has sent a FIN. A second timer, TCP Time Wait, is triggered by the second FIN or a RST.
If the firewall were to have only one timer triggered by the first FIN, a setting that was too short could prematurely close the half-closed sessions. Conversely, a setting that was too long would make the session table grow too much and possibly use up all of the sessions. Two timers allow you to have a relatively long TCP Half Closed timer and a short TCP Time Wait timer, thereby quickly aging fully closed sessions and controlling the size of the session table.
The following figure illustrates when the firewall's two timers are triggered during the TCP connection termination procedure.

The TCP Time Wait timer should be set to a value less than the TCP Half Closed timer for the following reasons:

The longer time allowed after the first FIN is seen gives the opposite side of the connection time to fully close the session.
The shorter Time Wait time is because there is no need for the session to remain open for a long time after the second FIN or a RST is seen. A shorter Time Wait time frees up resources sooner, yet still allows time for the firewall to see the final ACK and possible retransmission of other datagrams.

If you configure a TCP Time Wait timer to a value greater than the TCP Half Closed timer, the commit will be accepted, but in practice the TCP Time Wait timer will not exceed the TCP Half Closed value.
The timers can be set globally or per application. The global settings are used for all applications by default. If you configure TCP wait timers at the application level, they override the global settings.

Unverified RST Timer
If the firewall receives a Reset (RST) packet that cannot be verified (because it has an unexpected sequence number within the TCP window or it is from an asymmetric path), the Unverified RST timer controls the aging out of the session. It defaults to 30 seconds; the range is 1-600 seconds. The Unverified RST timer provides an additional security measure, explained in the second bullet below.
A RST packet will have one of three possible outcomes:

A RST packet that falls outside the TCP window is dropped.

A RST packet that falls inside the TCP window but does not have the exact expected sequence number is unverified and subject to the Unverified RST timer setting. This behavior helps prevent denial-of-service (DoS) attacks where the attack tries to disrupt existing sessions by sending random RST packets to the firewall.

A RST packet that falls within the TCP window and has the exact expected sequence number is subject to the TCP Time Wait timer setting.
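The three outcomes above reduce to a comparison of the RST's sequence number against the session's expected sequence number and receive window. The following is an added example (not code from the PAN-OS guide or from Palo Alto Networks) that implements that classification with 32-bit sequence wraparound and attaches the timer each outcome starts; the session and RST values are constructed for the demonstration, and the timer defaults are the ones listed under Change Session Timeouts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEQ_MODULUS = 1 << 32   # TCP sequence numbers wrap at 2^32


@dataclass
class TcpSessionTimers:
    """Defaults from the Change Session Timeouts procedure (seconds)."""
    tcp_time_wait: int = 15
    unverified_rst: int = 30


def seq_offset(seq: int, rcv_nxt: int) -> int:
    """How far `seq` lies ahead of the expected sequence number, modulo 2^32,
    so a window that straddles the wraparound is handled correctly."""
    return (seq - rcv_nxt) % SEQ_MODULUS


def classify_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Outcome for a RST carrying sequence number `seq` against a session
    that expects `rcv_nxt` next and advertises a window of `rcv_wnd` bytes:
    'drop'       - outside the window, the RST is discarded
    'unverified' - inside the window but not the exact expected number
    'verified'   - exactly the expected number"""
    if rcv_wnd <= 0:
        return "drop"
    offset = seq_offset(seq, rcv_nxt)
    if offset >= rcv_wnd:
        return "drop"
    if offset == 0:
        return "verified"
    return "unverified"


def rst_age_out(seq: int, rcv_nxt: int, rcv_wnd: int, now: float,
                timers: Optional[TcpSessionTimers] = None) -> Tuple[str, Optional[float]]:
    """Outcome plus the time at which the session ages out. A dropped RST
    leaves the session's existing timers untouched, so its age-out is None."""
    timers = timers or TcpSessionTimers()
    outcome = classify_rst(seq, rcv_nxt, rcv_wnd)
    if outcome == "verified":
        return outcome, now + timers.tcp_time_wait
    if outcome == "unverified":
        return outcome, now + timers.unverified_rst
    return outcome, None


def count_outcomes(seqs: List[int], rcv_nxt: int, rcv_wnd: int) -> Dict[str, int]:
    """Tally a burst of RSTs against one session, e.g. to see how many of a
    flood of random RSTs would close the session at once (verified) versus
    only after the Unverified RST timer, versus not at all (dropped)."""
    counts = {"drop": 0, "unverified": 0, "verified": 0}
    for seq in seqs:
        counts[classify_rst(seq, rcv_nxt, rcv_wnd)] += 1
    return counts


# Constructed sample: a session expecting sequence number 1000 next with a
# 65535-byte window, hit by five RSTs with different sequence numbers.
SAMPLE_RCV_NXT = 1000
SAMPLE_RCV_WND = 65535
SAMPLE_RST_SEQS = [1000, 1500, 70000, 66535, 66534]

if __name__ == "__main__":
    print(count_outcomes(SAMPLE_RST_SEQS, SAMPLE_RCV_NXT, SAMPLE_RCV_WND))
```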

TCP Split Handshake Drop
The Split Handshake option in a Zone Protection profile will prevent a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake, but instead uses a variation, such as a four-way or five-way split handshake or a simultaneous open.
The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without enabling the Split Handshake option. Nevertheless, the Split Handshake option (which causes a TCP split handshake drop) is made available. When the Split Handshake option is configured for a Zone Protection profile and that profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; variations are not allowed.
The Split Handshake option is disabled by default.
The following illustrates the standard three-way handshake used to establish a TCP session with a PAN-OS firewall between the initiator (typically a client) and the listener (typically a server).

The Split Handshake option is configured for a Zone Protection profile that is assigned to a zone. An interface that is a member of the zone drops any synchronization (SYN) packets sent from the server, preventing the following variations of handshakes. The letter A in the figure indicates the session initiator and B indicates the listener. Each numbered segment of the handshake has an arrow indicating the direction of the segment from the sender to the receiver, and each segment indicates the control bit(s) setting.

You can Prevent TCP Split Handshake Session Establishment.
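The figures referred to above are not reproduced here, so the following added example (not code from the PAN-OS guide or from Palo Alto Networks) models the behaviour in code: segments are (sender, flags) pairs with A the initiator and B the listener, the Split Handshake option is modelled as dropping every SYN that B sends without ACK, and a session counts as established only if what remains is the standard three-way handshake. The three-way handshake and simultaneous open follow RFC 793; the exact segment orderings used for the four-way and five-way split variants are assumptions for this example.

```python
from typing import List, Sequence, Tuple

SYN = 0x02   # TCP control bits
ACK = 0x10

Segment = Tuple[str, int]   # (sender 'A' or 'B', control bits)

# Handshake variants as ordered segment lists. Three-way and simultaneous open
# follow RFC 793; the split-handshake orderings are assumed for this example.
KNOWN_HANDSHAKES = {
    "three-way": [("A", SYN), ("B", SYN | ACK), ("A", ACK)],
    "simultaneous open": [("A", SYN), ("B", SYN), ("A", SYN | ACK), ("B", SYN | ACK)],
    "four-way split": [("A", SYN), ("B", SYN), ("A", SYN | ACK), ("B", ACK)],
    "five-way split": [("A", SYN), ("B", ACK), ("B", SYN), ("A", SYN | ACK), ("B", ACK)],
}


def classify_handshake(segments: Sequence[Segment]) -> str:
    """Name the handshake variant the segment sequence matches, or 'unknown'."""
    observed = list(segments)
    for name, pattern in KNOWN_HANDSHAKES.items():
        if observed == pattern:
            return name
    return "unknown"


def split_handshake_drop(segments: Sequence[Segment]) -> Tuple[List[Segment], List[Segment]]:
    """Apply the Split Handshake option to a zone containing the listener B:
    every SYN that B originates (SYN set, ACK clear) is dropped, while B's
    SYN-ACK reply in a normal handshake passes. Returns (delivered, dropped)."""
    delivered: List[Segment] = []
    dropped: List[Segment] = []
    for segment in segments:
        sender, flags = segment
        if sender == "B" and flags & SYN and not flags & ACK:
            dropped.append(segment)
        else:
            delivered.append(segment)
    return delivered, dropped


def session_established(segments: Sequence[Segment], option_enabled: bool) -> bool:
    """With the option disabled the firewall handles every known variant; with
    it enabled, only a standard three-way handshake that survives the filter
    establishes a session."""
    if not option_enabled:
        return classify_handshake(segments) != "unknown"
    delivered, _ = split_handshake_drop(segments)
    return classify_handshake(delivered) == "three-way"


def evaluate_all(option_enabled: bool) -> dict:
    """Outcome for each known variant under one setting of the option."""
    return {name: session_established(pattern, option_enabled)
            for name, pattern in KNOWN_HANDSHAKES.items()}


if __name__ == "__main__":
    print("option disabled:", evaluate_all(False))
    print("option enabled: ", evaluate_all(True))
```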

Maximum Segment Size (MSS)
The maximum transmission unit (MTU) is a value indicating the largest number of bytes that can be transmitted in a single TCP packet. The MTU includes the length of headers, so the MTU minus the number of bytes in the headers equals the maximum segment size (MSS), which is the maximum number of data bytes that can be transmitted in a single packet.
A configurable MSS adjustment size (shown below) allows your firewall to pass traffic that has longer headers than the default setting allows. Encapsulation adds length to headers, so you would increase the MSS adjustment size to allow bytes, for example, to accommodate an MPLS header or tunneled traffic that has a VLAN tag.

If the DF (don't fragment) bit is set for a packet, it is especially helpful to have a larger MSS adjustment size and smaller MSS so that longer headers do not result in a packet length that exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets would be dropped.
The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.
If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between the two IP address formats, the proper MSS value corresponding to the IP type is used for TCP traffic.

For IPv4 and IPv6 addresses, the firewall accommodates larger than expected TCP header lengths. In the case where a TCP packet has a larger header length than you planned for, the firewall chooses as the MSS adjustment size the larger of the following two values:

The configured MSS adjustment size

The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN

This behavior means that the firewall overrides the configured MSS adjustment size if necessary. For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458 (the default MTU size minus the adjustment size [1500-42]). However, the TCP packet has 4 extra bytes of IP options in the header, so the MSS adjustment size (20+20+4) equals 44, which is larger than the configured MSS adjustment size of 42. The resulting MSS is 1500-44=1456 bytes, smaller than you expected.
To configure the MSS adjustment size, see Step 8 in Configure Session Settings.
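The override rule above can be checked against an actual SYN by reading the IP header length out of the packet. The following is an added example, not code from the PAN-OS guide or from Palo Alto Networks: it parses the IPv4 IHL field (or assumes the fixed 40-byte IPv6 header; extension headers are not walked) and reproduces the guide's 42-versus-44 case. The SYN packets are constructed inline with zeroed checksums.

```python
import struct

TCP_HEADER_LEN = 20      # the guide counts the TCP header as a fixed 20 bytes
DEFAULT_MTU = 1500
TCP_SYN_FLAG = 0x02


def ip_header_len(packet: bytes) -> int:
    """Length in bytes of the IP header at the start of `packet`, read from the
    header itself. IPv4: the IHL field (32-bit words) in the first byte, which
    is where IP options show up. IPv6: the fixed 40-byte header; extension
    headers are not walked here (a simplification made for this example)."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        ihl = packet[0] & 0x0F
        if ihl < 5:
            raise ValueError("IPv4 IHL below the 20-byte minimum")
        return ihl * 4
    if version == 6:
        return 40
    raise ValueError(f"unsupported IP version {version}")


def effective_mss_adjustment(configured: int, syn_packet: bytes) -> int:
    """The adjustment the firewall actually applies: the larger of the configured
    value and (TCP header length + IP header length seen in the SYN)."""
    return max(configured, TCP_HEADER_LEN + ip_header_len(syn_packet))


def effective_mss(configured: int, syn_packet: bytes, mtu: int = DEFAULT_MTU) -> int:
    """MSS that results for the SYN: MTU minus the effective adjustment."""
    return mtu - effective_mss_adjustment(configured, syn_packet)


def _tcp_syn_header() -> bytes:
    """Constructed minimal 20-byte TCP SYN header (checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, TCP_SYN_FLAG,
                       65535, 0, 0)


def ipv4_syn(options: bytes = b"") -> bytes:
    """Constructed IPv4 packet carrying a TCP SYN; `options` lengthens the IP
    header (the guide's example has 4 bytes of options)."""
    if len(options) % 4:
        raise ValueError("IPv4 options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + TCP_HEADER_LEN
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, total_len, 0,
                     0x4000,               # flags: DF set, as in the DF discussion
                     64, 6, 0,             # TTL, protocol TCP, checksum left at zero
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + options + _tcp_syn_header()


def ipv6_syn() -> bytes:
    """Constructed IPv6 packet carrying a TCP SYN (fixed 40-byte header)."""
    ip = struct.pack("!IHBB16s16s", 6 << 28, TCP_HEADER_LEN, 6, 64,
                     bytes(16), bytes(16))
    return ip + _tcp_syn_header()


if __name__ == "__main__":
    # The guide's worked case: configured 42, SYN with 4 bytes of IP options
    print(effective_mss(42, ipv4_syn(options=b"\x01\x01\x01\x01")))   # 1456
```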

UDP
User Datagram Protocol (UDP) (RFC 768) is another main protocol of the IP suite, and is an alternative to TCP. UDP is stateless and connectionless in that there is no handshake to set up a session, and no connection between the sender and receiver; the packets may take different routes to get to a single destination. UDP is considered an unreliable protocol because it does not provide acknowledgments, error checking, retransmission, or reordering of datagrams. Without the overhead required to provide those features, UDP has reduced latency and is faster than TCP. UDP is referred to as a best-effort protocol because there is no mechanism or guarantee to ensure that the data will arrive at its destination.
Although UDP uses a checksum for data integrity, it performs no error checking at the network interface level. Error checking is assumed to be unnecessary or is performed by the application rather than UDP itself. UDP has no mechanism to handle flow control of packets.
UDP is often used for applications that require faster speeds and time-sensitive, real-time delivery, such as Voice over IP (VoIP), streaming audio and video, and online games. UDP is transaction-oriented, so it is also used for applications that respond to small queries from many clients, such as Domain Name System (DNS) and Trivial File Transfer Protocol (TFTP).

ICMP
Internet Control Message Protocol (ICMP) (RFC 792) is another one of the main protocols of the Internet Protocol suite; it operates at the Network layer of the OSI model. ICMP is used for diagnostic and control purposes, to send error messages about IP operations, or messages about requested services or the reachability of a host or router. Network utilities such as traceroute and ping are implemented by using various ICMP messages.
ICMP is a connectionless protocol that does not open or maintain actual sessions. However, the ICMP messages between two devices can be considered a session.
Palo Alto Networks firewalls support ICMPv4 and ICMPv6. ICMPv4 and ICMPv6 error packets can be controlled by configuring a security policy for a zone, and selecting the icmp or ipv6-icmp application in the policy. Additionally, the ICMPv6 error packet rate can be controlled through the session settings, as described in the section Configure Session Settings.

ICMPv6 Rate Limiting
ICMPv6 rate limiting is a throttling mechanism to prevent flooding and DDoS attempts. The implementation employs an error packet rate and a token bucket, which work together to enable throttling and ensure that ICMP packets do not flood the network segments protected by the firewall.

First the global ICMPv6 error packet rate controls the rate at which ICMP error packets are allowed through the firewall; the default is 100 packets per second; the range is 10 to 65535 packets per second. If the firewall reaches the ICMP error packet rate, then the token bucket comes into play and throttling occurs, as follows.
The concept of a logical token bucket controls the rate at which ICMP messages can be transmitted. The number of tokens in the bucket is configurable, and each token represents an ICMP message that can be sent. The token count is decremented each time an ICMP message is sent; when the bucket reaches zero tokens, no more ICMP messages can be sent until another token is added to the bucket. The default size of the token bucket is 100 tokens (packets); the range is 10 to 65535 tokens.
To change the default token bucket size or error packet rate, see the section Configure Session Settings.
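The following added example (not code from the PAN-OS guide or from Palo Alto Networks) models the ICMPv6 rate limiter as a token bucket with the two settings named above and runs a constructed burst through it. It assumes that the error packet rate is the rate at which tokens return to the bucket and that the bucket size caps the burst; the guide does not spell out exactly how the two values are coupled, so that coupling is an assumption of this example.

```python
from typing import Iterable, List, Tuple


class Icmpv6RateLimiter:
    """Token bucket modelling the ICMPv6 Token Bucket Size and ICMPv6 Error
    Packet Rate (per sec) session settings. Assumption for this example: the
    error packet rate is the token refill rate and the bucket size caps the
    burst; the guide does not state how the firewall couples the two values."""

    MIN_VALUE = 10       # range stated in the guide for both settings
    MAX_VALUE = 65535

    def __init__(self, token_bucket_size: int = 100, error_packet_rate: int = 100) -> None:
        for name, value in (("token_bucket_size", token_bucket_size),
                            ("error_packet_rate", error_packet_rate)):
            if not self.MIN_VALUE <= value <= self.MAX_VALUE:
                raise ValueError(f"{name}={value} outside {self.MIN_VALUE}-{self.MAX_VALUE}")
        self.capacity = token_bucket_size
        self.rate = error_packet_rate
        self.tokens = float(token_bucket_size)   # the bucket starts full
        self.last_refill = 0.0

    def _refill(self, now: float) -> None:
        """Return tokens at `rate` per second, never above the bucket size."""
        if now < self.last_refill:
            raise ValueError("time moved backwards")
        self.tokens = min(float(self.capacity),
                          self.tokens + (now - self.last_refill) * self.rate)
        self.last_refill = now

    def allow(self, now: float) -> bool:
        """True if an ICMPv6 error packet arriving at `now` (seconds) may be
        forwarded; each forwarded packet consumes one token."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(limiter: Icmpv6RateLimiter, arrival_times: Iterable[float]) -> Tuple[int, int]:
    """Feed timestamped arrivals (non-decreasing, in seconds) through the
    limiter and return (forwarded, dropped) counts."""
    forwarded = dropped = 0
    for t in arrival_times:
        if limiter.allow(t):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


# Constructed burst: 150 error packets at t=0, then 51 more at t=0.5 s. With
# the defaults the first 100 pass, 50 are dropped, 50 tokens return by 0.5 s,
# 50 more pass and the last one is dropped.
SAMPLE_BURST: List[float] = [0.0] * 150 + [0.5] * 51

if __name__ == "__main__":
    print(simulate(Icmpv6RateLimiter(), SAMPLE_BURST))   # (150, 51)
```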

Configure Session Timeouts
A session timeout defines the duration of time for which PAN-OS maintains a session on the firewall after inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the session.
On the firewall, you can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. All of these timeouts are global, meaning they apply to all of the sessions of that type on the firewall.
In addition to the global settings, you have the flexibility to define timeouts for an individual application in the Objects > Applications tab. The firewall applies application timeouts to an application that is in established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.
Returning to the global settings, perform the optional tasks below if you need to change default values of the global session timeout settings for TCP, UDP, ICMP, Captive Portal authentication, or other types of sessions. All values are in seconds.
The defaults are optimal values. However, you can modify these according to your network needs. Setting a value too low could cause sensitivity to minor network delays and could result in a failure to establish connections with the firewall. Setting a value too high could delay failure detection.

Change Session Timeouts

Step 1
Access the Session Settings.
Select Device > Setup > Session and edit the Session Timeouts.

Step 2
(Optional) Change miscellaneous timeouts.
Default: Maximum length of time that a non-TCP/UDP or non-ICMP session can be open without a response (range is 1-1599999; default is 30).
Discard Default: Maximum length of time that a non-TCP/UDP session remains open after PAN-OS denies a session based on security policies configured on the firewall (range is 1-1599999; default is 60).
Scan: Maximum length of time that any session remains open after it is considered inactive; an application is regarded as inactive when it exceeds the application trickling threshold defined for the application (range is 5-30; default is 10).
Captive Portal: Authentication session timeout for the Captive Portal web form. To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated (range is 1-1599999; default is 30).
To define other Captive Portal timeouts, such as the idle timer and the expiration time before the user must be re-authenticated, select Device > User Identification > Captive Portal Settings. See Configure Captive Portal in User-ID.

Step 3
(Optional) Change TCP timeouts.
Discard TCP: Maximum length of time that a TCP session remains open after it is denied based on a security policy configured on the firewall. Default: 90. Range: 1-1599999.
TCP: Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete and/or data is being transmitted). Default: 3600. Range: 1-1599999.
TCP Handshake: Maximum length of time permitted between receiving the SYN-ACK and the subsequent ACK to fully establish the session. Default: 10. Range: 1-60.
TCP init: Maximum length of time permitted between receiving the SYN and SYN-ACK prior to starting the TCP handshake timer. Default: 5. Range: 1-60.
TCP Half Closed: Maximum length of time between receiving the first FIN and receiving the second FIN or a RST. Default: 120. Range: 1-604800.
TCP Time Wait: Maximum length of time after receiving the second FIN or a RST. Default: 15. Range: 1-600.
Unverified RST: Maximum length of time after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path). Default: 30. Range: 1-600.
See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.

Step 4
(Optional) Change UDP timeouts.
Discard UDP: Maximum length of time that a UDP session remains open after it is denied based on a security policy configured on the firewall. Default: 60. Range: 1-1599999.
UDP: Maximum length of time that a UDP session remains open without a UDP response. Default: 30. Range: 1-1599999.
See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.

Step 5
(Optional) Change ICMP timeouts.
ICMP: Maximum length of time that an ICMP session can be open without an ICMP response. Default: 6. Range: 1-1599999.
See also the Discard Default and Scan timeout in the section (Optional) Change miscellaneous timeouts.

Step 6
Commit the changes.
Click OK and Commit the changes.

Configure Session Settings
This topic describes various settings for sessions other than timeout values. Perform these tasks if you need to change the default settings.

Configure Session Settings

Step 1
Change the session settings.
Select Device > Setup > Session and edit the Session Settings.

Step 2
Specify whether to apply newly configured Security policy rules to sessions that are in progress.
Select Rematch all sessions on config policy change to apply newly configured Security policy rules to sessions that are already in progress. This capability is enabled by default. If you clear this check box, any policy rule changes you make apply only to sessions initiated after you commit the policy change.
For example, if a Telnet session started while an associated policy rule was configured that allowed Telnet, and you subsequently committed a policy change to deny Telnet, the firewall applies the revised policy to the current session and blocks it.

Step 3
Configure IPv6 settings.
ICMPv6 Token Bucket Size: Default: 100 tokens. See the section ICMPv6 Rate Limiting.
ICMPv6 Error Packet Rate (per sec): Default: 100. See the section ICMPv6 Rate Limiting.
Enable IPv6 Firewalling: Enables firewall capabilities for IPv6. All IPv6-based configurations are ignored if IPv6 is not enabled. Even if IPv6 is enabled for an interface, the IPv6 Firewalling setting must also be enabled for IPv6 to function.

Step 4
Enable jumbo frames and set the MTU.

1. Select Enable Jumbo Frame to enable jumbo frame support on Ethernet interfaces. Jumbo frames have a maximum transmission unit (MTU) of 9216 bytes and are available on certain platforms.

2. Set the Global MTU, depending on whether or not you enabled jumbo frames:
   If you did not enable jumbo frames, the Global MTU defaults to 1500 bytes; the range is 576 to 1500 bytes.
   If you enabled jumbo frames, the Global MTU defaults to 9192 bytes; the range is 9192 to 9216 bytes.
   If you enable jumbo frames and you have interfaces where the MTU is not specifically configured, those interfaces will automatically inherit the jumbo frame size. Therefore, before you enable jumbo frames, if you have any interface that you do not want to have jumbo frames, you must set the MTU for that interface to 1500 bytes or another value.

Step 5
Tune NAT session settings.
NAT64 IPv6 Minimum Network MTU: Sets the global MTU for IPv6 translated traffic. The default of 1280 bytes is based on the standard minimum MTU for IPv6 traffic.
NAT Oversubscription Rate: If NAT is configured to be Dynamic IP and Port (DIPP) translation, an oversubscription rate can be configured to multiply the number of times that the same translated IP address and port pair can be used concurrently. The rate is 1, 2, 4, or 8. The default setting is based on the firewall platform.
   A rate of 1 means no oversubscription; each translated IP address and port pair can be used only once at a time.
   If the setting is Platform Default, user configuration of the rate is disabled and the default oversubscription rate for the platform applies.
   Reducing the oversubscription rate decreases the number of source device translations, but provides higher NAT rule capacities.

Step 6
Tune accelerated aging settings.
Select Accelerated Aging to enable faster aging-out of idle sessions. You can also change the threshold (%) and scaling factor:
   Accelerated Aging Threshold: Percentage of the session table that is full when accelerated aging begins. The default is 80%. When the session table reaches this threshold (% full), PAN-OS applies the Accelerated Aging Scaling Factor to the aging calculations for all sessions.
   Accelerated Aging Scaling Factor: Scaling factor used in the accelerated aging calculations. The default scaling factor is 2, meaning that the accelerated aging occurs at a rate twice as fast as the configured idle time. The configured idle time divided by 2 results in a faster timeout of one-half the time. To calculate the session's accelerated aging, PAN-OS divides the configured idle time (for that type of session) by the scaling factor to determine a shorter timeout. For example, if the scaling factor is 10, a session that would normally time out after 3600 seconds would time out 10 times faster (in 1/10 of the time), which is 360 seconds.

3. Click OK.

Step 7
Enable buffering of multicast route setup packets.

1. Select Multicast Route Setup Buffering to enable the firewall to preserve the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You only need to enable multicast route setup buffering if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped. This option is disabled by default.

2. If you enable buffering, you can also tune the Buffer Size, which specifies the buffer size per flow. The firewall can buffer a maximum of 5,000 packets.
   You can also tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends by configuring the multicast settings on the virtual router (set the Multicast Route Age Out Time (sec) on the Multicast > Advanced tab in the virtual router configuration).

Step 8
Tune the Maximum Segment Size (MSS) adjustment size settings for a Layer 3 interface.

1. Select Network > Interfaces, select Ethernet, VLAN, or Loopback, and select a Layer 3 interface.

2. Select Advanced.

3. Select Other Info.

4. Select Adjust TCP MSS and enter a value for one or both of the following:
   IPv4 MSS Adjustment Size (range is 40-300 bytes; default is 40 bytes).
   IPv6 MSS Adjustment Size (range is 60-300 bytes; default is 60 bytes).

5. Click OK.

Step 9
Save the changes.
Click Commit.

Prevent TCP Split Handshake Session Establishment
You can configure a TCP Split Handshake Drop in a Zone Protection profile to prevent TCP sessions from being established unless they use the standard three-way handshake. This task assumes that you assigned a security zone for the interface where you want to prevent TCP split handshakes from establishing a session.

Configure a Zone Protection Profile to Prevent TCP Split Handshake Sessions
Step 1  Configure a Zone Protection profile to prevent TCP sessions that use anything other than a three-way handshake to establish a session.
  1. Select Network > Network Profiles > Zone Protection and click Add to create a new profile (or select an existing profile).
  2. If creating a new profile, enter a Name for the profile and an optional Description.
  3. Select Packet Based Attack Protection > TCP Drop and select Split Handshake.
  4. Click OK.

Step 2  Apply the profile to one or more security zones.
  1. Select Network > Zones and select the zone where you want to assign the zone protection profile.
  2. In the Zone window, from the Zone Protection Profile drop-down, select the profile you configured in Step 1. Alternatively, you could start creating a new profile here by clicking Zone Protection Profile, in which case you would continue accordingly.
  3. Click OK.
  4. (Optional) Repeat steps 1-3 to apply the profile to additional zones.

Step 3  Save the configuration.
  Click OK and Commit.
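To make concrete what the Split Handshake drop enforces, here is an added example written for this page (not PAN-OS code, and not a description of how the firewall implements the check): it classifies a session's opening packets so that only the client SYN, server SYN-ACK, client ACK sequence counts as a standard handshake, and any other exchange that carries a SYN is reported for dropping. The packet lists are constructed samples.

```python
# TCP flag bits used below.
SYN, ACK, RST = 0x02, 0x10, 0x04

def handshake_verdict(packets):
    """Classify how a TCP session was brought up. packets is a list of
    (direction, flags) for the session's opening packets, with direction
    'c2s' (client to server) or 's2c'. Returns 'standard' for the three-way
    handshake SYN / SYN-ACK / ACK, 'non-standard' when a SYN appears in any
    other pattern (a split or simultaneous open), and 'incomplete' when the
    session never reached the established state."""
    expected = [("c2s", SYN), ("s2c", SYN | ACK), ("c2s", ACK)]
    step = 0
    for direction, flags in packets:
        if flags & RST:
            return "incomplete"          # torn down, nothing was established
        # only the SYN and ACK bits matter for the handshake; PSH, FIN etc. are ignored
        if (direction, flags & (SYN | ACK)) == expected[step]:
            step += 1
            if step == 3:
                return "standard"
        elif flags & SYN:
            return "non-standard"        # a SYN outside the expected order
    return "incomplete"

def sessions_to_drop(sessions):
    """Apply the profile's policy to many captured sessions: return the names of
    those established by a non-standard handshake. sessions maps a session
    name to its packet list."""
    return [name for name, pkts in sessions.items() if handshake_verdict(pkts) == "non-standard"]

# Constructed sample sessions (not captured traffic).
SAMPLE_SESSIONS = {
    "normal":   [("c2s", SYN), ("s2c", SYN | ACK), ("c2s", ACK)],
    "split":    [("c2s", SYN), ("s2c", SYN), ("c2s", SYN | ACK), ("s2c", ACK)],
    "refused":  [("c2s", SYN), ("s2c", RST | ACK)],
    "halfopen": [("c2s", SYN), ("s2c", SYN | ACK)],
}
```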

DHCP
This section describes Dynamic Host Configuration Protocol (DHCP) and the tasks required to configure an interface on a Palo Alto Networks firewall to act as a DHCP server, client, or relay agent. By assigning these roles to different interfaces, the firewall can perform multiple roles.

DHCP Overview
Firewall as a DHCP Server and Client
DHCP Messages
DHCP Addressing
DHCP Options
Configure an Interface as a DHCP Server
Configure an Interface as a DHCP Client
Configure the Management Interface as a DHCP Client
Configure an Interface as a DHCP Relay Agent
Monitor and Troubleshoot DHCP

DHCP Overview
DHCP is a standardized protocol defined in RFC 2131, Dynamic Host Configuration Protocol. DHCP has two main purposes: to provide TCP/IP and link-layer configuration parameters and to provide network addresses to dynamically configured hosts on a TCP/IP network.
DHCP uses a client-server model of communication. This model consists of three roles that the device can fulfill: DHCP client, DHCP server, and DHCP relay agent.
- A device acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client devices save configuration time and effort, and need not know the network's addressing plan or other resources and options they are inheriting from the DHCP server.
- A device acting as a DHCP server can service clients. By using any of three DHCP Addressing mechanisms, the network administrator saves configuration time and has the benefit of reusing a limited number of IP addresses when a client no longer needs network connectivity. The server can deliver IP addressing and many DHCP options to many clients.
- A device acting as a DHCP relay agent transmits DHCP messages between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.
An interface on a Palo Alto Networks firewall can perform the role of a DHCP server, client, or relay agent. The interface of a DHCP server or relay agent must be a Layer 3 Ethernet, Aggregated Ethernet, or Layer 3 VLAN interface. You configure the firewall's interfaces with the appropriate settings for any combination of roles. The behavior of each role is summarized in Firewall as a DHCP Server and Client.
The firewall supports DHCPv4 Server and DHCPv6 Relay. However, a single interface cannot support both DHCPv4 Server and DHCPv6 Relay.
The Palo Alto Networks implementations of DHCP server and DHCP client support IPv4 addresses only. Its DHCP relay implementation supports IPv4 and IPv6. DHCP client is not supported in High Availability active/active mode.

Firewall as a DHCP Server and Client
The firewall can function as a DHCP server and as a DHCP client. Dynamic Host Configuration Protocol, RFC 2131, is designed to support IPv4 and IPv6 addresses. The Palo Alto Networks implementation of DHCP server supports IPv4 addresses only.
The firewall DHCP server operates in the following manner:
- When the DHCP server receives a DHCPDISCOVER message from a client, the server replies with a DHCPOFFER message containing all of the predefined and user-defined options in the order they appear in the configuration. The client selects the options it needs and responds with a DHCPREQUEST message.
- When the server receives a DHCPREQUEST message from a client, the server replies with its DHCPACK message containing only the options specified in the request.
The firewall DHCP client operates in the following manner:
- When the DHCP client receives a DHCPOFFER from the server, the client automatically caches all of the options offered for future use, regardless of which options it had sent in its DHCPREQUEST.
- By default and to save memory consumption, the client caches only the first value of each option code if it receives multiple values for a code.
- There is no maximum length for DHCP messages unless the DHCP client specifies a maximum in option 57 in its DHCPDISCOVER or DHCPREQUEST messages.

DHCP Messages
DHCP uses eight standard message types, which are identified by an option type number in the DHCP message. For example, when a client wants to find a DHCP server, it broadcasts a DHCPDISCOVER message on its local physical subnetwork. If there is no DHCP server on its subnet and if DHCP Helper or DHCP Relay is configured properly, the message is forwarded to DHCP servers on a different physical subnet. Otherwise, the message will go no further than the subnet on which it originated. One or more DHCP servers will respond with a DHCPOFFER message that contains an available network address and other configuration parameters.
When the client needs an IP address, it sends a DHCPREQUEST to one or more servers. Of course if the client is requesting an IP address, it doesn't have one yet, so RFC 2131 requires that the broadcast message the client sends out have a source address of 0 in its IP header.
When a client requests configuration parameters from a server, it might receive responses from more than one server. Once a client has received its IP address, it is said that the client has at least an IP address and possibly other configuration parameters bound to it. DHCP servers manage such binding of configuration parameters to clients.
The following table lists the DHCP messages.

DHCP Message    Description
DHCPDISCOVER    Client broadcast to find available DHCP servers.
DHCPOFFER       Server response to client's DHCPDISCOVER, offering configuration parameters.
DHCPREQUEST     Client message to one or more servers to do any of the following:
                - Request parameters from one server and implicitly decline offers from other servers.
                - Confirm that a previously allocated address is correct after, for example, a system reboot.
                - Extend the lease of a network address.
DHCPACK         Server-to-client acknowledgment message containing configuration parameters, including a confirmed network address.
DHCPNAK         Server-to-client negative acknowledgment indicating the client's understanding of the network address is incorrect (for example, if the client has moved to a new subnet), or a client's lease has expired.
DHCPDECLINE     Client-to-server message indicating the network address is already being used.
DHCPRELEASE     Client-to-server message giving up the use of the network address and canceling the remaining time on the lease.
DHCPINFORM      Client-to-server message requesting only local configuration parameters; client has an externally configured network address.

DHCP Addressing
DHCP Address Allocation Methods
DHCP Leases

DHCP Address Allocation Methods
There are three ways that a DHCP server either assigns or sends an IP address to a client:
- Automatic allocation: The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent.
- Dynamic allocation: The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network. See the DHCP Leases section.
- Static allocation: The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client device. The DHCP assignment remains in place even if the client logs off, reboots, has a power outage, etc.
  Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is if a client device is used for something crucial and must keep the same IP address, even if the device is turned off, unplugged, rebooted, or a power outage occurs, etc.
  Keep these points in mind when configuring a Reserved Address:
  - It is an address from the IP Pools. You may configure multiple reserved addresses.
  - If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited).
  - If you allocate all of the addresses in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address.
  - You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any device. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.

DHCP Leases
A lease is defined as the time period for which a DHCP server allocates a network address to a client. The lease might be extended (renewed) upon subsequent requests. If the client no longer needs the address, it can release the address back to the server before the lease is up. The server is then free to assign that address to a different client if it has run out of unassigned addresses.
The lease period configured for a DHCP server applies to all of the addresses that a single DHCP server (interface) dynamically assigns to its clients. That is, all of that interface's addresses assigned dynamically are of Unlimited duration or have the same Timeout value. A different DHCP server configured on the firewall may have a different lease term for its clients. A Reserved Address is a static address allocation and is not subject to the lease terms.
Per the DHCP standard, RFC 2131, a DHCP client does not wait for its lease to expire, because it risks getting a new address assigned to it. Instead, when a DHCP client reaches the halfway point of its lease period, it attempts to extend its lease so that it retains the same IP address. Thus, the lease duration is like a sliding window.
Typically if an IP address was assigned to a device, the device was subsequently taken off the network and its lease was not extended, the DHCP server will let that lease run out. Because the client is gone from the network and no longer needs the address, the lease duration in the server is reached and the lease is in Expired state.
The firewall has a hold timer that prevents the expired IP address from being reassigned immediately. This behavior temporarily reserves the address for the device in case it comes back onto the network. But if the address pool runs out of addresses, the server reallocates this expired address before the hold timer expires. Expired addresses are cleared automatically as the system needs more addresses or when the hold timer releases them.
In the CLI, use the show dhcp server lease operational command to view lease information about the allocated IP addresses. If you do not want to wait for expired leases to be released automatically, you can use the clear dhcp lease interface <value> expired-only command to clear expired leases, making those addresses available in the pool again. You can use the clear dhcp lease interface <value> ip <ip> command to release a particular IP address. Use the clear dhcp lease interface <value> mac <mac_address> command to release a particular MAC address.
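The allocation rules in DHCP Addressing and DHCP Leases (Reserved Address handling, one lease term per server, the hold timer on expired leases, and reuse of an expired address when the pool runs dry), modelled in an added Python example that is not firewall code. The pool, MAC addresses, hold-timer length and the ping probe (after the Ping IP when allocating new IP option of the DHCP server configuration) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

def parse_pool(spec: str) -> List[str]:
    """Accept a pool in either form the IP Pools field takes: a subnet such as
    192.168.1.0/24 or a range such as 192.168.1.10-192.168.1.20."""
    if "/" in spec:
        return [str(h) for h in ipaddress.IPv4Network(spec).hosts()]
    lo, hi = (int(ipaddress.IPv4Address(s.strip())) for s in spec.split("-"))
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]

@dataclass
class Lease:
    ip: str
    mac: str
    state: str                    # committed, expired or reserved
    expires_at: Optional[float]   # None for an Unlimited lease (duration 0 in the CLI)
    hold_until: Optional[float] = None

class DhcpPool:
    """One DHCP server (interface): a single lease term for all dynamic addresses,
    a hold timer for expired leases, and Reserved Addresses outside the lease rules."""

    def __init__(self, pool: str, lease_seconds: Optional[float], hold_seconds: float,
                 reserved: Dict[str, Optional[str]], probe: Optional[Callable[[str], bool]] = None):
        self.reserved = reserved            # ip -> MAC, or None: reserved but handed to nobody
        self.free = [ip for ip in parse_pool(pool) if ip not in reserved]
        self.lease_seconds = lease_seconds  # None models Lease = Unlimited
        self.hold_seconds = hold_seconds    # assumption: the page does not give the timer length
        self.probe = probe                  # models Ping IP when allocating new IP
        self.leases: Dict[str, Lease] = {}

    def _age(self, now: float) -> None:
        """Move overdue leases to Expired and start their hold timer; return
        addresses whose hold timer has run out to the free list."""
        for lease in self.leases.values():
            if lease.state == "committed" and lease.expires_at is not None and now >= lease.expires_at:
                lease.state, lease.hold_until = "expired", now + self.hold_seconds
        for ip in [ip for ip, l in self.leases.items() if l.state == "expired" and now >= l.hold_until]:
            del self.leases[ip]
            self.free.append(ip)

    def allocate(self, mac: str, now: float) -> Optional[str]:
        """Serve a request: a Reserved Address bound to this MAC wins, an existing
        committed lease is renewed, otherwise the first free address that does not
        answer a ping is used; if the pool is exhausted an expired address is
        reused even though its hold timer has not run out."""
        self._age(now)
        for ip, owner in self.reserved.items():
            if owner == mac:
                self.leases[ip] = Lease(ip, mac, "reserved", None)
                return ip
        existing = self.renew(mac, now)
        if existing is not None:
            return existing
        ip = next((ip for ip in self.free if not (self.probe and self.probe(ip))), None)
        if ip is not None:
            self.free.remove(ip)
        else:
            expired = [l for l in self.leases.values() if l.state == "expired"]
            if not expired:
                return None                 # nothing free and nothing expired to reclaim
            ip = min(expired, key=lambda l: l.hold_until).ip
            del self.leases[ip]
        expires = None if self.lease_seconds is None else now + self.lease_seconds
        self.leases[ip] = Lease(ip, mac, "committed", expires)
        return ip

    def renew(self, mac: str, now: float) -> Optional[str]:
        """Extend a committed lease; RFC 2131 clients try this at the halfway point."""
        for lease in self.leases.values():
            if lease.mac == mac and lease.state == "committed":
                if lease.expires_at is not None:
                    lease.expires_at = now + self.lease_seconds
                return lease.ip
        return None

    def renewal_point(self, ip: str) -> Optional[float]:
        """When the client holding ip is expected to send its renewal (halfway point)."""
        lease = self.leases[ip]
        return None if lease.expires_at is None else lease.expires_at - self.lease_seconds / 2

    def release(self, ip: str) -> None:
        """DHCPRELEASE: the client hands the address back before the lease is up."""
        lease = self.leases.pop(ip, None)
        if lease is not None and lease.state != "reserved":
            self.free.append(ip)

    def clear_expired(self, now: float) -> List[str]:
        """Same effect as clear dhcp lease interface <name> expired-only."""
        self._age(now)
        cleared = [ip for ip, l in self.leases.items() if l.state == "expired"]
        for ip in cleared:
            del self.leases[ip]
            self.free.append(ip)
        return cleared
```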


DHCP Options
The history of DHCP and DHCP options traces back to the Bootstrap Protocol (BOOTP). BOOTP was used by a host to configure itself dynamically during its booting procedure. A host could receive an IP address and a file from which to download a boot program from a server, along with the server's address and the address of an Internet gateway.
Included in the BOOTP packet was a vendor information field, which could contain a number of tagged fields containing various types of information, such as the subnet mask, the BOOTP file size, and many other values. RFC 1497 describes the BOOTP Vendor Information Extensions. DHCP replaces BOOTP; BOOTP is not supported on the firewall.
These extensions eventually expanded with the use of DHCP and DHCP host configuration parameters, also known as options. Similar to vendor extensions, DHCP options are tagged data items that provide information to a DHCP client. The options are sent in a variable-length field at the end of a DHCP message. For example, the DHCP Message Type is option 53, and a value of 1 indicates the DHCPDISCOVER message. DHCP options are defined in RFC 2132, DHCP Options and BOOTP Vendor Extensions.
A DHCP client can negotiate with the server, limiting the server to send only those options that the client requests.

Predefined DHCP Options
Multiple Values for a DHCP Option
DHCP Options 43, 55, and 60 and Other Customized Options

Predefined DHCP Options
Palo Alto Networks firewalls support user-defined and predefined DHCP options in the DHCP server implementation. Such options are configured on the DHCP server and sent to the clients that sent a DHCPREQUEST to the server. The clients are said to inherit and implement the options that they are programmed to accept.
The firewall supports the following predefined options on its DHCP servers, shown in the order in which they appear on the DHCP Server configuration screen:

DHCP Option   DHCP Option Name
51            Lease duration
              Gateway
              IP Pool Subnet (mask)
              Domain Name System (DNS) server address (primary and secondary)
44            Windows Internet Name Service (WINS) server address (primary and secondary)
41            Network Information Service (NIS) server address (primary and secondary)
42            Network Time Protocol (NTP) server address (primary and secondary)
70            Post Office Protocol Version 3 (POP3) server address
69            Simple Mail Transfer Protocol (SMTP) server address
15            DNS suffix

As mentioned, you can also configure vendor-specific and customized options, which support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP address, ASCII, or hexadecimal format. With the firewall's enhanced DHCP option support, branch offices do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.

Multiple Values for a DHCP Option
You can enter multiple option values for an Option Code with the same Option Name, but all values for a particular code and name combination must be the same type (IP address, ASCII, or hexadecimal). If one type is inherited or entered, and later a different type is entered for the same code and name combination, the second type will overwrite the first type.
You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names. For example, if option CoastalServer (option code 6) is configured with IP address type, option ServerXYZ (option code 6) with ASCII type is also allowed.
The firewall sends multiple values for an option (strung together) to a client in order from top to bottom. Therefore, when entering multiple values for an option, enter the values in the order of preference, or else move the options to achieve your preferred order in the list. The order of options in the firewall configuration determines the order that the options appear in DHCPOFFER and DHCPACK messages.
You can enter an option code that already exists as a predefined option code, and the customized option code will override the predefined DHCP option; the firewall issues a warning.

DHCP Options 43, 55, and 60 and Other Customized Options
The following table describes the option behavior for several options described in RFC 2132.

Option Code 43, Vendor-Specific Information
  Sent from server to client. Vendor-specific information that the DHCP server has been configured to offer to the client. The information is sent to the client only if the server has a Vendor Class Identifier (VCI) in its table that matches the VCI in the client's DHCPREQUEST.
  An Option 43 packet can contain multiple vendor-specific pieces of information. It can also include encapsulated, vendor-specific extensions of data.

Option Code 55, Parameter Request List
  Sent from client to server. List of configuration parameters (option codes) that a DHCP client is requesting, possibly in order of the client's preference. The server tries to respond with options in the same order.

Option Code 60, Vendor Class Identifier (VCI)
  Sent from client to server. Vendor type and configuration of a DHCP client. The DHCP client sends option code 60 in a DHCPREQUEST to the DHCP server. When the server receives option 60, it sees the VCI, finds the matching VCI in its own table, and then it returns option 43 with the value (that corresponds to the VCI), thereby relaying vendor-specific information to the correct client. Both the client and server have knowledge of the VCI.

You can send custom, vendor-specific option codes that are not defined in RFC 2132. The option codes can be in the range 1-254 and of fixed or variable length.
Custom DHCP options are not validated by the DHCP Server; you must ensure that you enter correct values for the options you create.
For ASCII and hexadecimal DHCP option types, the option value can be a maximum of 255 octets.
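The option encoding described in DHCP Options, the DHCPOFFER/DHCPACK behaviour in Firewall as a DHCP Server and Client, and the option 60 to option 43 lookup above, worked through as an added Python example (not Palo Alto Networks code). The server options, the VCI string example-phone and its vendor payload are constructed values, and only the options field is modelled, not the fixed DHCP header.

```python
import ipaddress
import struct

# RFC 2132 option codes used on this page.
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_DNS, OPT_LEASE = 3, 6, 51
OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_MAX_SIZE, OPT_VENDOR_INFO, OPT_VCI = 53, 55, 57, 43, 60
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5

def encode_value(opt_type, values):
    """Serialise one or more values of one Option Type (ip, ascii or hex) into the
    octets an option carries. Several values are strung together in list order,
    hex values need the 0x prefix, and the result may not exceed 255 octets."""
    parts = []
    for v in values:
        if opt_type == "ip":
            parts.append(ipaddress.IPv4Address(v).packed)
        elif opt_type == "ascii":
            parts.append(v.encode("ascii"))
        elif opt_type == "hex":
            if not v.startswith("0x"):
                raise ValueError("hexadecimal values must start with 0x")
            parts.append(bytes.fromhex(v[2:]))
        else:
            raise ValueError("Option Type must be ip, ascii or hex")
    data = b"".join(parts)
    if len(data) > 255:
        raise ValueError("option value exceeds 255 octets")
    return data

def ip_values(data):
    """Split an option's octets back into the dotted IPv4 addresses it carries."""
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]

def encode_options(options):
    """Build the variable-length options field at the end of a DHCP message:
    code, length, data per option, terminated by End (255)."""
    out = bytearray()
    for code, data in options:
        if not 1 <= code <= 254:
            raise ValueError("Option Code must be in the range 1-254")
        out += struct.pack("BB", code, len(data)) + data
    out.append(OPT_END)
    return bytes(out)

def decode_options(field):
    """Parse an options field into an ordered list of (code, octets)."""
    opts, i = [], 0
    while i < len(field) and field[i] != OPT_END:
        if field[i] == OPT_PAD:
            i += 1
            continue
        code, length = field[i], field[i + 1]
        opts.append((code, field[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

# Constructed server configuration (hypothetical values): the predefined options in
# configuration order, and the VCI table that drives option 43.
SERVER_OPTIONS = [
    (OPT_ROUTER, encode_value("ip", ["192.168.3.1"])),
    (OPT_DNS, encode_value("ip", ["10.43.2.10", "10.44.2.10"])),  # two values strung together
    (OPT_LEASE, struct.pack("!I", 86400)),                         # lease duration in seconds
]
VCI_TABLE = {b"example-phone": encode_value("hex", ["0x0104c0a80305"])}

def client_message(msg_type, requested=(), vci=None, max_size=None):
    """Options field of a client message: type (53), Parameter Request List (55)
    in the client's order of preference, optional VCI (60), optional maximum
    message size (57)."""
    opts = [(OPT_MSG_TYPE, bytes([msg_type]))]
    if requested:
        opts.append((OPT_PARAM_LIST, bytes(requested)))
    if vci is not None:
        opts.append((OPT_VCI, vci))
    if max_size is not None:
        opts.append((OPT_MAX_SIZE, struct.pack("!H", max_size)))
    return encode_options(opts)

def build_reply(client_field):
    """A DHCPDISCOVER gets a DHCPOFFER with every configured option in
    configuration order; a DHCPREQUEST gets a DHCPACK with only the options the
    client listed in option 55, in the client's order. Option 43 is added only
    when the client's option 60 matches a VCI in the server's table."""
    client = dict(decode_options(client_field))
    msg_type = client[OPT_MSG_TYPE][0]
    configured = dict(SERVER_OPTIONS)
    if msg_type == DHCPDISCOVER:
        reply = [(OPT_MSG_TYPE, bytes([DHCPOFFER]))] + list(SERVER_OPTIONS)
    elif msg_type == DHCPREQUEST:
        reply = [(OPT_MSG_TYPE, bytes([DHCPACK]))]
        reply += [(c, configured[c]) for c in client.get(OPT_PARAM_LIST, b"") if c in configured]
    else:
        raise ValueError("only DHCPDISCOVER and DHCPREQUEST are modelled here")
    if client.get(OPT_VCI) in VCI_TABLE:
        reply.append((OPT_VENDOR_INFO, VCI_TABLE[client[OPT_VCI]]))
    return encode_options(reply)
```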

Configure an Interface as a DHCP Server
The prerequisites for this task are:
- Configure a Layer 3 Ethernet or Layer 3 VLAN interface.
- Assign the interface to a virtual router and a zone.
- Determine a valid pool of IP addresses from your network plan that you can designate to be assigned by your DHCP server to clients.
- Collect the DHCP options, values, and Vendor Class Identifiers you plan to configure.

Perform the following task to configure an interface on the firewall to act as a DHCP server. You can configure multiple DHCP servers.

Configure an Interface as a DHCP Server
Step 1  Select an interface to be a DHCP Server.
  1. Select Network > DHCP > DHCP Server and click Add.
  2. Enter an Interface name or select one from the drop-down.
  3. For Mode, select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is detected on the network. The disabled setting disables the server.
  4. (Optional) Select Ping IP when allocating new IP if you want the server to ping the IP address before it assigns that address to its client. If the ping receives a response, that means a different device already has that address, so it is not available. The server assigns the next address from the pool instead. This behavior is similar to Optimistic Duplicate Address Detection (DAD) for IPv6, RFC 4429.
     After you set options and return to the DHCP Server tab, the Probe IP column for the interface indicates if Ping IP when allocating new IP was selected.

Step 2  Configure the predefined DHCP Options that the server sends to its clients.
  In the Options section, select a Lease type:
  - Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them permanently to clients.
  - Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally the number of Minutes.
  Inheritance Source: Leave None or select a source DHCP client interface or PPPoE client interface to propagate various server settings into the DHCP server. If you specify an Inheritance Source, select one or more options below that you want inherited from this source.
  Specifying an inheritance source allows the firewall to quickly add DHCP options from the upstream server received by the DHCP client. It also keeps the client options updated if the source changes an option. For example, if the source replaces its NTP server (which had been identified as the Primary NTP server), the client will automatically inherit the new address as its Primary NTP server.
  When inheriting DHCP option(s) that contain multiple IP addresses, the firewall uses only the first IP address contained in the option to conserve cache memory. If you require multiple IP addresses for a single option, configure the DHCP options directly on that firewall rather than configure inheritance.
  Check inheritance source status: If you selected an Inheritance Source, clicking this link opens the Dynamic IP Interface Status window, which displays the options that were inherited from the DHCP client.
  Gateway: IP address of the network gateway (an interface on the firewall) that is used to reach any device not on the same LAN as this DHCP server.
  Subnet Mask: Network mask used with the addresses in the IP Pools.
  For the following fields, click the down arrow and select None, or inherited, or enter a remote server's IP address that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source.
  - Primary DNS, Secondary DNS: IP address of the preferred and alternate Domain Name System (DNS) servers.
  - Primary WINS, Secondary WINS: IP address of the preferred and alternate Windows Internet Naming Service (WINS) servers.
  - Primary NIS, Secondary NIS: IP address of the preferred and alternate Network Information Service (NIS) servers.
  - Primary NTP, Secondary NTP: IP address of the available Network Time Protocol servers.
  - POP3 Server: IP address of a Post Office Protocol (POP3) server.
  - SMTP Server: IP address of a Simple Mail Transfer Protocol (SMTP) server.
  - DNS Suffix: Suffix for the client to use locally when an unqualified hostname is entered that it cannot resolve.

Step 3  (Optional) Configure a vendor-specific or custom DHCP option that the DHCP server sends to its clients.
  1. In the Custom DHCP Options section, click Add and enter a descriptive Name to identify the DHCP option.
  2. Enter the Option Code you want to configure the server to offer (range is 1-254). (See RFC 2132 for option codes.)
  3. If the Option Code is 43, the Vendor Class Identifier field appears. Enter a VCI, which is a string or hexadecimal value (with 0x prefix) used as a match against a value that comes from the client Request containing option 60. The server looks up the incoming VCI in its table, finds it, and returns Option 43 and the corresponding option value.
  4. Inherit from DHCP server inheritance source: Select it only if you specified an Inheritance Source for the DHCP Server predefined options and you want the vendor-specific and custom options also to be inherited from this source.
  5. Check inheritance source status: If you selected an Inheritance Source, clicking this link opens Dynamic IP Interface Status, which displays the options that were inherited from the DHCP client.
  6. If you did not select Inherit from DHCP server inheritance source, select an Option Type: IP Address, ASCII, or Hexadecimal. Hexadecimal values must start with the 0x prefix.
  7. Enter the Option Value you want the DHCP server to offer for that Option Code. You can enter multiple values on separate lines.
  8. Click OK.

Step 4  (Optional) Add another vendor-specific or custom DHCP option.
  1. Repeat Step 3 to enter another custom DHCP Option.
     You can enter multiple option values for an Option Code with the same Option Name, but all values for an Option Code must be the same type (IP Address, ASCII, or Hexadecimal). If one type is inherited or entered and a different type is entered for the same Option Code and the same Option Name, the second type will overwrite the first type.
     When entering multiple values for an option, enter the values in the order of preference, or else move the Custom DHCP Options to achieve the preferred order in the list. Select an option and click Move Up or Move Down.
     You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names.
  2. Click OK.

Step 5  Identify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it to a DHCP client.
  If you are not the network administrator for your network, ask the network administrator for a valid pool of IP addresses from the network plan that can be designated to be assigned by your DHCP server.
  1. In the IP Pools field, click Add and enter the range of IP addresses from which this server assigns an address to a client. Enter an IP subnet and subnet mask (for example, 192.168.1.0/24) or a range of IP addresses (for example, 192.168.1.10-192.168.1.20).
     An IP Pool or a Reserved Address is mandatory for dynamic IP address assignment.
     An IP Pool is optional for static IP address assignment as long as the static IP addresses that you assign fall into the subnet that the firewall interface services.
  2. (Optional) Repeat Step 1 to specify another IP address pool.

Step 6  (Optional) Specify an IP address from the IP pools that will not be assigned dynamically. If you also specify a MAC Address, the Reserved Address is assigned to that device when the device requests an IP address through DHCP.
  See the DHCP Addressing section for an explanation of allocation of a Reserved Address.
  1. In the Reserved Address field, click Add.
  2. Enter an IP address from the IP Pools (format x.x.x.x) that you do not want to be assigned dynamically by the DHCP server.
  3. (Optional) Specify the MAC Address (format xx:xx:xx:xx:xx:xx) of the device to which you want to permanently assign the IP address specified in Step 2.
  4. (Optional) Repeat Step 2 and Step 3 to reserve another address.

Step 7  Save the configuration.
  Click OK and Commit the change.


Configure an Interface as a DHCP Client
Before configuring a firewall interface as a DHCP Client, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone. Perform this task if you need to use DHCP to request an IPv4 address for an interface on your firewall.
To configure the management interface as a DHCP client, see Configure the Management Interface as a DHCP Client.

Configure an Interface as a DHCP Client
Step 1  Configure an interface as a DHCP client.
  1. Select Network > Interfaces.
  2. On the Ethernet tab or the VLAN tab, click Add and enter an interface, or click a configured interface, that you want to be a DHCP client.
  3. Click the IPv4 tab; for Type, select DHCP Client.
  4. Select Enable.
  5. (Optional) Select Automatically create default route pointing to default gateway provided by server. This causes the firewall to create a static route to a default gateway that will be useful when clients are trying to access many destinations that do not need to have routes maintained in a routing table on the firewall.
  6. (Optional) Enter a Default Route Metric (priority level) for the route between the firewall and the DHCP server (range is 1-65535; there is no default metric). A route with a lower number has higher priority during route selection. For example, a route with a metric of 10 is used before a route with a metric of 100.
  7. (Optional) Select Show DHCP Client Runtime Info to see all of the settings the client has inherited from its DHCP server.

Step 2  Save the configuration.
  Click OK and Commit the change. Now the Ethernet interface indicates Dynamic-DHCP Client in its IP Address field on the Ethernet tab.

Step 3  (Optional) See which interfaces on the firewall are configured as DHCP clients.
  1. Select Network > Interfaces > Ethernet and look in the IP Address field to see which interfaces indicate DHCP Client.
  2. Select Network > Interfaces > VLAN and look in the IP Address field to see which interfaces indicate DHCP Client.


Configure the Management Interface as a DHCP Client
The management interface on the firewall supports DHCP client for IPv4, which allows the management interface to receive its IPv4 address from a DHCP server. The management interface also supports DHCP Option 12 and Option 61, which allow the firewall to send its hostname and client identifier, respectively, to DHCP servers.
By default, VM-Series firewalls deployed in AWS and Azure use the management interface as a DHCP client to obtain its IP address, rather than a static IP address, because cloud deployments require the automation this feature provides. DHCP on the management interface is turned off by default for the VM-Series firewall except for the VM-Series firewall in AWS and Azure. The management interfaces on WildFire and Panorama platforms do not support this DHCP functionality.
For hardware-based firewall platforms (not VM-Series), configure the management interface with a static IP address when possible.
If the firewall acquires a management interface address through DHCP, assign a MAC address reservation on the DHCP server that serves that firewall. The reservation ensures that the firewall retains its management IP address after a restart. If the DHCP server is a Palo Alto Networks firewall, see Step 6 of Configure an Interface as a DHCP Server for reserving an address.

If you configure the management interface as a DHCP client, the following two restrictions apply:
- You cannot use the management interface in an HA configuration for control link (HA1 or HA1 backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
- You cannot select MGT as the Source Interface when you customize service routes (Device > Setup > Services > Service Route Configuration > Customize). However, you can select Use default to route the packets via the management interface.

A prerequisite for this task is that the management interface must be able to reach a DHCP server.

Configure the Management Interface as a DHCP Client
Step 1  Configure the Management interface as a DHCP client so that it can receive its IP address (IPv4), netmask (IPv4), and default gateway from a DHCP server. Optionally, you can also send the hostname and client identifier of the management interface to the DHCP server if the orchestration system you use accepts this information.
  1. Select Device > Setup > Management and edit Management Interface Settings.
  2. For IP Type, select DHCP Client.
  3. (Optional) Select one or both options for the firewall to send to the DHCP server in DHCP Discover or Request messages:
     - Send Hostname: Sends the Hostname (as defined in Device > Setup > Management) as part of DHCP Option 12.
     - Send Client ID: Sends the client identifier as part of DHCP Option 61. A client identifier uniquely identifies a DHCP client, and the DHCP Server uses it to index its configuration parameter database.
  4. Click OK.

Step 2  (Optional) Configure the firewall to accept the hostname and domain from the DHCP server.
  1. Select Device > Setup > Management and edit General Settings.
  2. Select one or both options:
     - Accept DHCP server provided Hostname: Allows the firewall to accept the hostname from the DHCP server (if valid). When enabled, the hostname from the DHCP server overwrites any existing Hostname specified in Device > Setup > Management. Do not select this option if you want to manually configure a hostname.
     - Accept DHCP server provided Domain: Allows the firewall to accept the domain from the DHCP Server. The domain (DNS suffix) from the DHCP Server overwrites any existing Domain specified in Device > Setup > Management. Do not select this option if you want to manually configure a domain.
  3. Click OK.

Step 3  Save the configuration.
  Click Commit.

Step 4  View DHCP client information.
  1. Select Device > Setup > Management and Management Interface Settings.
  2. Click Show DHCP Client Runtime Info.

Step 5  (Optional) Renew the DHCP lease with the DHCP server, regardless of the lease term. This option is convenient if you are testing or troubleshooting network issues.
  1. Select Device > Setup > Management and edit Management Interface Settings.
  2. Click Show DHCP Client Runtime Info.
  3. Click Renew.

Step 6  (Optional) Release the following DHCP options that came from the DHCP server:
  - IP Address
  - Netmask
  - Default Gateway
  - DNS Server (primary and secondary)
  - NTP Server (primary and secondary)
  - Domain (DNS Suffix)
  A release frees the IP address, which drops your network connection and renders the firewall unmanageable if no other interface is configured for management access.
  Use the CLI operational command request dhcp client management-interface release.


Configure an Interface as a DHCP Relay Agent
To enable a firewall interface to transmit DHCP messages between clients and servers, you must configure the firewall as a DHCP relay agent. The interface can forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP servers. A client DHCPDISCOVER message is sent to all configured servers, and the DHCPOFFER message of the first server that responds is relayed back to the requesting client. Before configuring a DHCP relay agent, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone.

Configure an Interface as a DHCP Relay Agent
Step 1  Select DHCP Relay.
  Select Network > DHCP > DHCP Relay.

Step 2  Specify the IP address of each DHCP server with which the DHCP relay agent will communicate.
  1. In the Interface field, select from the drop-down the interface you want to be the DHCP relay agent.
  2. Select either IPv4 or IPv6, indicating the type of DHCP server address you will specify.
  3. If you checked IPv4, in the DHCP Server IP Address field, click Add. Enter the address of the DHCP server to and from which you will relay DHCP messages.
  4. If you checked IPv6, in the DHCP Server IPv6 Address field, click Add. Enter the address of the DHCP server to and from which you will relay DHCP messages. If you specify a multicast address, also specify an outgoing Interface.
  5. (Optional) Repeat Steps 2-4 to enter a maximum of eight DHCP server addresses per IP address family.

Step 3  Save the configuration.
  Click OK and Commit the change.

Monitor and Troubleshoot DHCP
You can view the status of dynamic address leases that your DHCP server has assigned or that your DHCP client has been assigned by issuing commands from the CLI. You can also clear leases before they time out and are released automatically.

View DHCP Server Information
Clear Leases Before They Expire Automatically
View DHCP Client Information
Gather Debug Output about DHCP

View DHCP Server Information
To view DHCP pool statistics, IP addresses the server has assigned, the corresponding MAC address, state and duration of the lease, and time the lease began, use the following command. If the address was configured as a Reserved Address, the state column indicates reserved and there is no duration or lease_time. If the lease was configured as Unlimited, the duration column displays a value of 0.
admin@PA-200> show dhcp server lease all


interface: "ethernet1/2"
Allocated IPs: 1, Total number of IPs in pool: 5. 20.0000% used
ip              mac                state      duration   lease_time
192.168.3.11    f0:2f:af:42:70:cf  committed  0          Wed Jul 2 08:10:56 2014
admin@PA-200>
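The lease table above is easy to read by eye but awkward to monitor from a script. The following Python parser is an added example, not PAN-OS code, that reads the output format of show dhcp server lease all and applies the column rules the text describes (a reserved address has no duration or lease_time; an Unlimited lease shows duration 0). The SAMPLE text is constructed: it reuses the page's single lease line and adds two invented rows (a finite lease and a reserved address) with made-up MACs and times; the allowlist and threshold are assumptions for the example.

```python
# Added example (not PAN-OS code): parser for "show dhcp server lease all"
# output, plus two checks a defender would run on the result. SAMPLE is
# constructed (page's lease line + two invented rows) to exercise the
# reserved and unlimited cases described in the guide.
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = '''interface: "ethernet1/2"
Allocated IPs: 3, Total number of IPs in pool: 5. 60.0000% used
ip              mac                state      duration   lease_time
192.168.3.11    f0:2f:af:42:70:cf  committed  0          Wed Jul 2 08:10:56 2014
192.168.3.12    f0:2f:af:42:70:d0  committed  3600       Wed Jul 2 08:12:01 2014
192.168.3.20    00:11:22:33:44:55  reserved
admin@PA-200>
'''

HEADER_RE = re.compile(r"Allocated IPs: (\d+), Total number of IPs in pool: (\d+)\. ([\d.]+)% used")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


@dataclass
class Lease:
    ip: str
    mac: str
    state: str
    duration: Optional[int]        # None for a reserved address (no duration column)
    lease_time: Optional[str]      # None for a reserved address

    @property
    def unlimited(self) -> bool:
        """Per the guide, a lease configured as Unlimited shows duration 0."""
        return self.state != "reserved" and self.duration == 0


@dataclass
class PoolReport:
    interface: str
    allocated: int
    total: int
    percent_used: float
    leases: List[Lease]


def parse_lease_output(text: str) -> PoolReport:
    interface, allocated, total, pct = "", 0, 0, 0.0
    leases: List[Lease] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            interface = line.split(":", 1)[1].strip().strip('"')
            continue
        m = HEADER_RE.match(line)
        if m:
            allocated, total, pct = int(m.group(1)), int(m.group(2)), float(m.group(3))
            continue
        parts = line.split()
        if len(parts) < 3 or not MAC_RE.match(parts[1]):
            continue                       # column header, prompt or blank line
        ip, mac, state = parts[0], parts[1].lower(), parts[2]
        if state == "reserved":
            leases.append(Lease(ip, mac, state, None, None))
        else:
            duration = int(parts[3]) if len(parts) > 3 else None
            lease_time = " ".join(parts[4:]) or None
            leases.append(Lease(ip, mac, state, duration, lease_time))
    return PoolReport(interface, allocated, total, pct, leases)


def pool_nearly_full(report: PoolReport, threshold_pct: float = 80.0) -> bool:
    """An exhausted pool leaves new clients without addresses, so flag pools
    that are close to full. The 80% threshold is an assumption."""
    return report.total > 0 and 100.0 * report.allocated / report.total >= threshold_pct


def unknown_clients(report: PoolReport, known_macs: List[str]) -> List[Lease]:
    """Leases held by MACs that are not in an inventory list (constructed allowlist)."""
    known = {m.lower() for m in known_macs}
    return [lease for lease in report.leases if lease.mac not in known]
```

Running parse_lease_output over the output of the command (captured, for example, over SSH) and feeding the report to pool_nearly_full and unknown_clients turns the one-off CLI check into something a monitoring job can repeat.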
To view the options that a DHCP server has assigned to clients, use the following command:
admin@PA-200> show dhcp server settings all
Interface     GW            DNS1          DNS2          DNS-Suffix    Inherit source
------------------------------------------------------------------------------------
ethernet1/2   192.168.3.1   10.43.2.10    10.44.2.10                  ethernet1/3
admin@PA-200>

Clear Leases Before They Expire Automatically
The following example shows how to release expired DHCP leases of an interface (server) before the hold timer releases them automatically. Those addresses will be available in the IP pool again.
admin@PA-200> clear dhcp lease interface ethernet1/2 expired-only
The following example shows how to release the lease of a particular IP address:
admin@PA-200> clear dhcp lease interface ethernet1/2 ip 192.168.3.1
The following example shows how to release the lease of a particular MAC address:
admin@PA-200> clear dhcp lease interface ethernet1/2 mac f0:2c:ae:29:71:34

View DHCP Client Information
To view the status of IP address leases sent to the firewall when it is acting as a DHCP client, use the show dhcp client state <interface_name> command or the following command:
admin@PA-200> show dhcp client state all
Interface     State   IP            Gateway       Leased-until
--------------------------------------------------------------------------
ethernet1/1   Bound   10.43.14.80   10.43.14.1    70315
admin@PA-200>

Gather Debug Output about DHCP
To gather debug output about DHCP, use one of the following commands:
admin@PA-200> debug dhcpd
admin@PA-200> debug management-server dhcpd


NAT
This section describes Network Address Translation (NAT) and how to configure the firewall for NAT. NAT allows you to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses, thereby conserving an organization's routable IP addresses. NAT allows you to not disclose the real IP addresses of hosts that need access to public addresses and to manage traffic by performing port forwarding. You can use NAT to solve network design challenges, enabling networks with identical IP subnets to communicate with each other. The firewall supports NAT on Layer 3 and virtual wire interfaces.
The NAT64 option translates between IPv6 and IPv4 addresses, providing connectivity between networks using disparate IP addressing schemes, and therefore a migration path to IPv6 addressing. IPv6-to-IPv6 Network Prefix Translation (NPTv6) translates one IPv6 prefix to another IPv6 prefix. PAN-OS supports all of these functions.
If you use private IP addresses within your internal networks, you must use NAT to translate the private addresses to public addresses that can be routed on external networks. In PAN-OS, you create NAT policy rules that instruct the firewall which packet addresses and ports need translation and what the translated addresses and ports are.

NAT Policy Rules
Source NAT and Destination NAT
NAT Rule Capacities
Dynamic IP and Port NAT Oversubscription
Dataplane NAT Memory Statistics
Configure NAT
NAT Configuration Examples

NAT Policy Rules

NAT Policy Overview
NAT Address Pools Identified as Address Objects
Proxy ARP for NAT Address Pools

NAT Policy Overview
You configure a NAT rule to match a packet's source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet's destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall evaluates the rules in order from the top down. Once a packet matches the criteria of a single NAT rule, the packet is not subjected to additional NAT rules. Therefore, your list of NAT rules should be in order from most specific to least specific so that packets are subjected to the most specific rule you created for them.
Static NAT rules do not have precedence over other forms of NAT. Therefore, for static NAT to work, the static NAT rules must be above all other NAT rules in the list on the firewall.


NAT rules provide address translation, and are different from security policy rules, which allow or deny packets. It is important to understand the firewall's flow logic when it applies NAT rules and security policy rules so that you can determine what rules you need, based on the zones you have defined. You must configure security policy rules to allow the NAT traffic.
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
Keep in mind that the translation of the IP address and port does not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet's outgoing interface and zone, security policies are enforced on the post-NAT zone.
A SIP call sometimes experiences one-way audio when going through the firewall because the call manager sends a SIP message on behalf of the phone to set up the connection. When the message from the call manager reaches the firewall, the SIP ALG must put the IP address of the phone through NAT. If the call manager and the phones are not in the same security zone, the NAT lookup of the IP address of the phone is done using the call manager zone. The NAT policy should take this into consideration.

No-NAT rules are configured to allow exclusion of IP addresses defined within the range of NAT rules defined later in the NAT policy. To define a no-NAT policy, specify all of the match criteria and select No Source Translation in the source translation column.
You can verify the NAT rules processed by using the CLI test nat-policy-match command in operational mode. For example:
user@device1> test nat-policy-match ?
+ destination         Destination IP address
+ destination-port    Destination port
+ from                From zone
+ ha-device-id        HA Active/Active device ID
+ protocol            IP protocol value
+ source              Source IP address
+ source-port         Source port
+ to                  To Zone
+ to-interface        Egress interface to use
  |                   Pipe through a command
  <Enter>             Finish input
user@device1> test nat-policy-match from l3-untrust source 10.1.1.1 destination 66.151.149.20 destination-port 443 protocol 6
Destination-NAT: Rule matched: CA2-DEMO
66.151.149.20:443 => 192.168.100.15:443
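The flow logic described above (route lookup on the original destination, top-down NAT match on pre-NAT addresses, security policy on pre-NAT addresses but post-NAT zones, translation only on egress) and the ordering rule for no-NAT entries can be followed in a small model. The Python below is an added example, not PAN-OS code: the zone-to-prefix map stands in for the firewall's routing table, and apart from the rule name CA2-DEMO, the zone l3-untrust and the 66.151.149.20:443 to 192.168.100.15:443 translation taken from the CLI sample above, every rule, zone and address is constructed for the example.

```python
# Added example (not PAN-OS code): model of the NAT / security policy flow.
# Assumed: ROUTES stands in for the routing table; all names and addresses
# other than CA2-DEMO, l3-untrust and 66.151.149.20 -> 192.168.100.15 (from
# the page's CLI sample) are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed routing table: zone -> prefix; longest prefix match wins.
ROUTES = {
    "l3-trust": ipaddress.ip_network("10.1.0.0/16"),
    "l3-dmz": ipaddress.ip_network("192.168.100.0/24"),
    "l3-untrust": ipaddress.ip_network("0.0.0.0/0"),
}


def zone_for(ip: str) -> str:
    """Route lookup: zone of the most specific route containing ip."""
    addr = ipaddress.ip_address(ip)
    return max((z for z, net in ROUTES.items() if addr in net),
               key=lambda z: ROUTES[z].prefixlen)


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                          # zone of the ORIGINAL destination
    src: Optional[str] = None             # pre-NAT source match (CIDR)
    dst: Optional[str] = None             # pre-NAT destination match (CIDR)
    dport: Optional[int] = None
    translated_src: Optional[str] = None  # None = no source translation
    translated_dst: Optional[str] = None  # None = no destination translation
    translated_dport: Optional[int] = None


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str                          # POST-NAT zone
    dst: Optional[str] = None             # still the PRE-NAT destination
    dport: Optional[int] = None
    action: str = "allow"


def _in(cidr: Optional[str], ip: str) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def match_nat(rules: List[NatRule], src: str, dst: str, dport: int,
              from_zone: str) -> Optional[NatRule]:
    """Top-down, first match wins; criteria are the original addresses and
    the zone found by route lookup of the ORIGINAL destination."""
    pre_nat_to_zone = zone_for(dst)
    for r in rules:
        if (r.from_zone == from_zone and r.to_zone == pre_nat_to_zone
                and _in(r.src, src) and _in(r.dst, dst)
                and (r.dport is None or r.dport == dport)):
            return r
    return None


def process(src: str, dst: str, dport: int, from_zone: str,
            nat_rules: List[NatRule], sec_rules: List[SecurityRule]) -> Dict[str, object]:
    """NAT lookup, then security policy (pre-NAT addresses, post-NAT zones),
    then translation applied only on egress of an allowed packet."""
    rule = match_nat(nat_rules, src, dst, dport, from_zone)
    final_dst = rule.translated_dst if rule and rule.translated_dst else dst
    post_nat_zone = zone_for(final_dst)
    action, sec_name = "deny", None           # implicit deny
    for s in sec_rules:
        if (s.from_zone == from_zone and s.to_zone == post_nat_zone
                and _in(s.dst, dst) and (s.dport is None or s.dport == dport)):
            action, sec_name = s.action, s.name
            break
    egress: Optional[Tuple[str, str, int]] = None
    if action == "allow":
        egress = (rule.translated_src if rule and rule.translated_src else src,
                  final_dst,
                  rule.translated_dport if rule and rule.translated_dport else dport)
    return {"nat_rule": rule.name if rule else None, "post_nat_zone": post_nat_zone,
            "security_rule": sec_name, "action": action, "egress": egress}


# Constructed rulebase: the no-NAT rule is placed above the broader DIPP rule
# so the exempt host matches first and is never translated.
NAT_RULES = [
    NatRule("no-nat-monitor", "l3-trust", "l3-untrust", src="10.1.1.50/32"),
    NatRule("CA2-DEMO", "l3-untrust", "l3-untrust", dst="66.151.149.20/32",
            dport=443, translated_dst="192.168.100.15", translated_dport=443),
    NatRule("outbound-dipp", "l3-trust", "l3-untrust", src="10.1.0.0/16",
            translated_src="203.0.113.100"),
]
SEC_RULES = [
    SecurityRule("allow-web-in", "l3-untrust", "l3-dmz", dst="66.151.149.20/32", dport=443),
    SecurityRule("allow-out", "l3-trust", "l3-untrust"),
]
```

Two points worth noticing when stepping through process: the security rule that admits the CA2-DEMO traffic names the post-NAT zone l3-dmz but the pre-NAT destination 66.151.149.20, exactly as the text requires; and swapping the no-NAT rule below the DIPP rule silently translates the host it was meant to exempt, which is why the guide insists on most-specific-first ordering.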


NAT Address Pools Identified as Address Objects
When configuring a Dynamic IP or Dynamic IP and Port NAT address pool in a NAT policy rule, it is typical to configure the pool of translated addresses with address objects. Each address object can be a host IP address, IP address range, or IP subnet.
Because both NAT rules and security policy rules use address objects, it is a best practice to distinguish between them by naming an address object used for NAT with a prefix, such as NAT-name.

Proxy ARP for NAT Address Pools
NAT address pools are not bound to any interfaces. The following figure illustrates the behavior of the firewall when it is performing proxy ARP for an address in a NAT address pool.

The firewall performs source NAT for a client, translating the source address 1.1.1.1 to the address in the NAT pool, 2.2.2.2. The translated packet is sent on to a router.
For the return traffic, the router does not know how to reach 2.2.2.2 (because the IP address 2.2.2.2 is just an address in the NAT address pool), so it sends an ARP request packet to the firewall.

If the address pool (2.2.2.2) is in the same subnet as the egress/ingress interface IP address (2.2.2.3/24), the firewall can send a proxy ARP reply to the router, indicating the Layer 2 MAC address of the IP address, as shown in the figure above.
If the address pool (2.2.2.2) is not a subnet of an interface on the firewall, the firewall will not send a proxy ARP reply to the router. This means that the router must be configured with the necessary route to know where to send packets destined for 2.2.2.2, in order to ensure the return traffic is routed back to the firewall, as shown in the figure below.


Source NAT and Destination NAT
The firewall supports both source address and/or port translation and destination address and/or port translation.

Source NAT
Source NAT is typically used by internal users to access the Internet; the source address is translated and thereby kept private. There are three types of source NAT:

Dynamic IP and Port (DIPP): Allows multiple hosts to have their source IP addresses translated to the same public IP address with different port numbers. The dynamic translation is to the next available address in the NAT address pool, which you configure as a Translated Address pool that can be an IP address, a range of addresses, a subnet, or a combination of these.
As an alternative to using the next address in the NAT address pool, DIPP allows you to specify the address of the Interface itself. The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT).
DIPP has a default NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. For more information, see Dynamic IP and Port NAT Oversubscription and Modify the Oversubscription Rate for DIPP NAT.

Dynamic IP: Allows the one-to-one, dynamic translation of a source IP address only (no port number) to the next available address in the NAT address pool. The size of the NAT pool should be equal to the number of internal hosts that require address translations. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable use of DIPP addresses when necessary. In either event, as sessions terminate and the addresses in the pool become available, they can be allocated to translate new connections.
Dynamic IP NAT supports the option for you to Reserve Dynamic IP NAT Addresses.

Static IP: Allows the 1-to-1, static translation of a source IP address, but leaves the source port unchanged. A common scenario for a static IP translation is an internal server that must be available to the Internet.

Destination NAT
Destination NAT is performed on incoming packets, when the firewall translates a public destination address to a private address. Destination NAT does not use address pools or ranges. It is a 1-to-1, static translation with the option to perform port forwarding or port translation.

Static IP: Allows the 1-to-1, static translation of a destination IP address and optionally the port number.

One common use of destination NAT is to configure several NAT rules that map a single public destination address to several private destination host addresses assigned to servers or services. In this case, the destination port numbers are used to identify the destination hosts. For example:

Port Forwarding: Can translate a public destination address and port number to a private destination address, but keeps the same port number.


Port Translation: Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the real port number private. It is configured by entering a Translated Port on the Translated Packet tab in the NAT policy rule. See the Destination NAT with Port Translation Example.

NAT Rule Capacities
The number of NAT rules allowed is based on the firewall platform. Individual rule limits are set for static, Dynamic IP (DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number of rules used for these NAT types cannot exceed the total NAT rule capacity. For DIPP, the rule limit is based on the oversubscription setting (8, 4, 2, or 1) of the firewall and the assumption of one translated IP address per rule. To see platform-specific NAT rule limits and translated IP address limits, use the Compare Firewalls tool.
Consider the following when working with NAT rules:

If you run out of pool resources, you cannot create more NAT rules, even if the platform's maximum rule count has not been reached.
If you consolidate NAT rules, the logging and reporting will also be consolidated. The statistics are provided per the rule, not per all of the addresses within the rule. If you need granular logging and reporting, do not combine the rules.

Dynamic IP and Port NAT Oversubscription
Dynamic IP and Port (DIPP) NAT allows you to use each translated IP address and port pair multiple times (8, 4, or 2 times) in concurrent sessions. This reusability of an IP address and port (known as oversubscription) provides scalability for customers who have too few public IP addresses. The design is based on the assumption that hosts are connecting to different destinations, therefore sessions can be uniquely identified and collisions are unlikely. The oversubscription rate in effect multiplies the original size of the address/port pool to 8, 4, or 2 times the size. For example, the default limit of 64K concurrent sessions allowed, when multiplied by an oversubscription rate of 8, results in 512K concurrent sessions allowed.
The oversubscription rates that are allowed vary based on the platform. The oversubscription rate is global; it applies to the firewall. This oversubscription rate is set by default and consumes memory, even if you have enough public IP addresses available to make oversubscription unnecessary. You can reduce the rate from the default setting to a lower setting or even 1 (which means no oversubscription). By configuring a reduced rate, you decrease the number of source device translations possible, but increase the DIP and DIPP NAT rule capacities. To change the default rate, see Modify the Oversubscription Rate for DIPP NAT.
If you select Platform Default, your explicit configuration of oversubscription is turned off and the default oversubscription rate for the platform applies, as shown in the table below. The Platform Default setting allows for an upgrade or downgrade of a software release.
The following table lists the default (highest) oversubscription rate for each platform.

Platform        Default Oversubscription Rate
PA-200
PA-500
PA-2020
PA-2050
PA-3020
PA-3050
PA-3060
PA-4020
PA-4050
PA-4060
PA-5020
PA-5050
PA-5060
PA-7050
PA-7080
VM-100
VM-200
VM-300
VM-1000-HV

The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each platform supports a maximum number of translated IP addresses (for all NAT rules combined). If oversubscription causes the maximum translated addresses per rule (256) to be exceeded, the firewall will automatically reduce the oversubscription ratio in an effort to have the commit succeed. However, if your NAT rules result in translations that exceed the maximum translated addresses for the platform, the commit will fail.
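The oversubscription arithmetic above (pool size times 8, 4 or 2) holds only while sessions go to different destinations, because a translated IP and port pair can be reused only if the resulting sessions remain distinguishable. The toy DIPP allocator below is an added example written in Python, not PAN-OS code; the translated addresses, port range and rates are constructed, and its linear search for a free (ip, port) pair is a stand-in for whatever selection the firewall actually performs, which the guide does not describe.

```python
# Added example (not PAN-OS code): toy Dynamic IP and Port allocator showing
# how an oversubscription rate multiplies pool capacity and where the
# "different destinations" assumption bites. Pool, ports and rates are
# constructed; the linear pair search is a simplification.
from typing import Dict, Iterable, Optional, Tuple

Pair = Tuple[str, int]           # (translated IP, translated port)
Dest = Tuple[str, int]           # (destination IP, destination port)


class DippPool:
    def __init__(self, translated_ips: Iterable[str], ports: Iterable[int],
                 oversubscription: int = 8) -> None:
        if oversubscription not in (1, 2, 4, 8):
            raise ValueError("oversubscription rate must be 1, 2, 4 or 8")
        self.pairs = [(ip, p) for ip in translated_ips for p in ports]
        self.ratio = oversubscription
        self.use_count: Dict[Pair, int] = {pair: 0 for pair in self.pairs}
        # A session is identified by translated pair plus destination, so the
        # same pair may be reused only toward a different destination.
        self.sessions: Dict[Tuple[Pair, Dest], Tuple[str, int]] = {}

    def capacity(self) -> int:
        """Concurrent sessions the pool can carry: pairs * oversubscription."""
        return len(self.pairs) * self.ratio

    def allocate(self, src: str, sport: int, dst: str, dport: int) -> Optional[Pair]:
        """Return the (ip, port) the new session is translated to, or None when
        the pool is exhausted or every free pair would collide with this destination."""
        dest = (dst, dport)
        for pair in self.pairs:
            if self.use_count[pair] >= self.ratio:
                continue                       # pair already used `ratio` times
            if (pair, dest) in self.sessions:
                continue                       # collision: identical tuple on the wire
            self.sessions[(pair, dest)] = (src, sport)
            self.use_count[pair] += 1
            return pair
        return None

    def release(self, pair: Pair, dst: str, dport: int) -> None:
        """Session ended: the pair becomes available for one more use."""
        if self.sessions.pop((pair, (dst, dport)), None) is not None:
            self.use_count[pair] -= 1

    def in_use(self) -> int:
        return len(self.sessions)


def sessions_allowed(pool_sessions: int, oversubscription: int) -> int:
    """The guide's arithmetic: a 64K pool at rate 8 allows 512K sessions."""
    return pool_sessions * oversubscription
```

The second scenario in the test (every client talking to the same server and port) shows why a reduced rate can be safe when you have enough addresses: a pool with two ports carries only two such sessions no matter how high the rate is set, so the rate buys nothing there while still consuming memory.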


Dataplane NAT Memory Statistics
The show running global-ippool command displays statistics related to NAT memory consumption for a pool. The Size column displays the number of bytes of memory that the resource pool is using. The Ratio column displays the oversubscription ratio (for DIPP pools only). The lines of pool and memory statistics are explained in the following sample output:

For NAT pool statistics for a virtual system, the show running ippool command has columns indicating the memory size used per NAT rule and the oversubscription ratio used (for DIPP rules). The following is sample output for the command.

A field in the output of the show running nat-rule-ippool rule command shows the memory (bytes) used per NAT rule. The following is sample output for the command, with the memory usage for the rule encircled.


Configure NAT
Perform the following tasks to configure various aspects of NAT. In addition to the examples below, there are examples in the section NAT Configuration Examples.

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
Modify the Oversubscription Rate for DIPP NAT
Disable NAT for a Specific Host or Interface
Reserve Dynamic IP NAT Addresses

The NAT example in this section is based on the following topology, which was also used in Getting Started for setting up interfaces and zones:

Based on the topology initially used in Getting Started to create the interfaces and zones, there are three NAT policies we need to create as follows:


To enable the clients on the internal network to access resources on the Internet, the internal 192.168.1.0 addresses will need to be translated to publicly routable addresses. In this case, we will configure source NAT (the purple enclosure and arrow above), using the egress interface address, 203.0.113.100, as the source address in all packets that leave the firewall from the internal zone. See Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT) for instructions.
To enable clients on the internal network to access the public web server in the DMZ zone, we must configure a NAT rule that redirects the packet from the external network, where the original routing table lookup will determine it should go based on the destination address of 203.0.113.11 within the packet, to the actual address of the web server on the DMZ network of 10.1.1.11. To do this you must create a NAT rule from the trust zone (where the source address in the packet is) to the untrust zone (where the original destination address is) to translate the destination address to an address in the DMZ zone. This type of destination NAT is called U-Turn NAT (the yellow enclosure and arrow above). See Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT) for instructions.
To enable the web server, which has both a private IP address on the DMZ network and a public-facing address for access by external users, to both send and receive requests, the firewall must translate the incoming packets from the public IP address to the private IP address and the outgoing packets from the private IP address to the public IP address. On the firewall, you can accomplish this with a single bi-directional static source NAT policy (the green enclosure and arrow above). See Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT).


Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
When a client on your internal network sends a request, the source address in the packet contains the IP address for the client on your internal network. If you use private IP address ranges internally, the packets from the client will not be able to be routed on the Internet unless you translate the source IP address in the packets leaving the network into a publicly routable address.
On the firewall you can do this by configuring a source NAT policy that translates the source address (and optionally the port) into a public address. One way to do this is to translate the source address for all packets to the egress interface on your firewall, as shown in the following procedure.

Configure Source NAT
Step 1 Create an address object for the external IP address you plan to use.
1. Select Objects > Addresses and then click Add.
2. Enter a Name and optional Description for the object.
3. Select IP Netmask from the Type drop-down and then enter the IP address of the external interface on the firewall, 203.0.113.100 in this example.
4. To save the address object, click OK.
Although you do not have to use address objects in your policies, it is a best practice because it simplifies administration by allowing you to make updates in one place rather than having to update every policy where the address is referenced.

Step 2 Create the NAT policy.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a descriptive Name for the policy.
3. (Optional) Enter a tag, which is a keyword or phrase that allows you to sort or filter policies.
4. For NAT Type, select ipv4 (default).
5. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
6. On the Translated Packet tab, select Dynamic IP And Port from the Translation Type drop-down in the Source Address Translation section of the screen.
7. For Address Type, there are two choices. You could select Translated Address and then click Add. Select the address object you just created.
An alternative Address Type is Interface Address, in which case the translated address will be the IP address of the interface. For this choice, you would select an Interface and optionally an IP Address if the interface has more than one IP address.
8. Click OK to save the NAT policy.

Step 3 Save the configuration.
Click Commit.

Step 4 (Optional) Access the CLI to verify the translation.
1. Use the show session all command to view the session table, where you can verify the source IP address and port and the corresponding translated IP address and port.
2. Use the show session id <id_number> command to view more details about a session.
3. If you configured Dynamic IP NAT, use the show counter global filter aspect session severity drop | match nat command to see if any sessions failed due to NAT IP allocation. If all of the addresses in the Dynamic IP NAT pool are allocated when a new connection is supposed to be translated, the packet will be dropped.

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
When a user on the internal network sends a request for access to the corporate web server in the DMZ, the DNS server will resolve it to the public IP address. When processing the request, the firewall will use the original destination in the packet (the public IP address) and route the packet to the egress interface for the untrust zone. In order for the firewall to know that it must translate the public IP address of the web server to an address on the DMZ network when it receives requests from users on the trust zone, you must create a destination NAT rule that will enable the firewall to send the request to the egress interface for the DMZ zone as follows.

Configure U-Turn NAT
Step 1 Create an address object for the web server.
1. Select Objects > Addresses and click Add.
2. Enter a Name and optional Description for the object.
3. Select IP Netmask from the Type drop-down and enter the public IP address of the web server, 203.0.113.11 in this example.
4. Click OK.

Step 2 Create the NAT policy.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a descriptive Name for the NAT rule.
3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
4. In the Destination Address section, click Add and select the address object you created for your public web server.
5. On the Translated Packet tab, select Destination Address Translation and then enter the IP address that is assigned to the web server interface on the DMZ network, 10.1.1.11 in this example.
6. Click OK to save the NAT policy.

Step 3 Save the configuration.
Click Commit.


Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. You create a static NAT rule to translate the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our example.
However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from Internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.

Configure Bi-Directional NAT
Step 1 Create an address object for the web server's internal IP address.
1. Select Objects > Addresses and click Add.
2. Enter a Name and optional Description for the object.
3. Select IP Netmask from the Type drop-down and enter the IP address of the web server on the DMZ network, 10.1.1.11 in this example.
4. Click OK.
If you did not already create an address object for the public address of your web server, you should create that object now.

Step 2 Create the NAT policy.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a descriptive Name for the NAT rule.
3. On the Original Packet tab, select the zone you created for your DMZ in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
4. In the Source Address section, click Add and select the address object you created for your internal web server address.
5. On the Translated Packet tab, select Static IP from the Translation Type drop-down in the Source Address Translation section and then select the address object you created for your external web server address from the Translated Address drop-down.
6. In the Bi-directional field, select Yes.
7. Click OK to save the NAT policy.

Step 3 Save the configuration.
Click Commit.


Modify the Oversubscription Rate for DIPP NAT
If you have enough public IP addresses that you do not need to use DIPP NAT oversubscription, you can reduce the oversubscription rate and thereby gain more DIP and DIPP NAT rules allowed.

Set NAT Oversubscription
Step 1 View the DIPP NAT oversubscription rate.
1. Select Device > Setup > Session > Session Settings. View the NAT Oversubscription Rate setting.

Step 2 Set the DIPP NAT oversubscription rate.
1. Edit the Session Settings section.
2. In the NAT Oversubscription Rate drop-down, select 1x, 2x, 4x, or 8x, depending on which ratio you want.
The Platform Default setting applies the default oversubscription setting for the platform. If you want no oversubscription, select 1x.
3. Click OK and Commit the change.

Disable NAT for a Specific Host or Interface
Both source NAT and destination NAT rules can be configured to disable address translation. You may have exceptions where you do not want NAT to occur for a certain host in a subnet or for traffic exiting a specific interface. The following procedure shows how to disable source NAT for a host.

Create a Source NAT Exemption
Step 1 Create the NAT policy.
1. Select Policies > NAT and click Add.
2. Enter a descriptive Name for the policy.
3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
4. For Source Address, click Add and enter the host address. Click OK.
5. On the Translated Packet tab, select None from the Translation Type drop-down in the Source Address Translation section of the screen.
6. Click OK to save the NAT policy.

Step 2 Save the configuration.
Click Commit.

NAT rules are processed in order from the top to the bottom, so place the NAT exemption policy before other NAT policies to ensure it is processed before an address translation occurs for the sources you want to exempt.


Reserve Dynamic IP NAT Addresses
You can reserve Dynamic IP NAT addresses (for a configurable period of time) to prevent them from being allocated as translated addresses to a different source IP address that needs translation. When configured, the reservation applies to all of the translated Dynamic IP addresses in progress and any new translations.
For both translations in progress and new translations, when a source IP address is translated to an available translated IP address, that pairing is retained even after all sessions related to that specific source IP are expired. The reservation timer for each source IP address begins after all sessions that use that source IP address translation expire. Dynamic IP NAT is a one-to-one translation; one source IP address translates to one translated IP address that is chosen dynamically from those addresses available in the configured pool. Therefore, a translated IP address that is reserved is not available for any other source IP address until the reservation expires because a new session has not started. The timer is reset each time a new session for a source IP/translated IP mapping begins, after a period when no sessions were active.
By default, no addresses are reserved. You can reserve Dynamic IP NAT addresses for the firewall or for a virtual system.

Reserve Dynamic IP NAT Addresses for a Firewall
Step 1
user@device1# set setting nat reserve-ip yes

Step 2
user@device1# set setting nat reserve-time <1-604800 secs>

Reserve Dynamic IP NAT Addresses for a Virtual System
Step 1
user@device1# set vsys <vsysid> setting nat reserve-ip yes

Step 2
user@device1# set vsys <vsysid> setting nat reserve-time <1-604800 secs>

For example, suppose there is a Dynamic IP NAT pool of 30 addresses and there are 20 translations in progress when the nat reserve-time is set to 28800 seconds (8 hours). Those 20 translations are now reserved, so that when the last session (of any application) that uses each source IP/translated IP mapping expires, the translated IP address is reserved for only that source IP address for 8 hours, in case that source IP address needs translation again. Additionally, as the 10 remaining translated addresses are allocated, they each are reserved for their source IP address, each with a timer that begins when the last session for that source IP address expires.
In this manner, each source IP address can be repeatedly translated to its same NAT address from the pool; another host will not be assigned a reserved translated IP address from the pool, even if there are no active sessions for that translated address.
Suppose a source IP/translated IP mapping has all of its sessions expire, and the reservation timer of 8 hours begins. After a new session for that translation begins, the timer stops, and the sessions continue until they all end, at which point the reservation timer starts again, reserving the translated address.
The reservation timer remains in effect on the Dynamic IP NAT pool until you disable it by entering the set setting nat reserve-ip no command or you change the nat reserve-time to a different value.

The CLI commands for reservations do not affect Dynamic IP and Port (DIPP) or Static IP NAT pools.
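The reservation behaviour described above (timer starts when the last session ends, stops when a new session for the same source begins, and a reserved address stays out of the pool even while idle) is easiest to follow against a clock. The Python class below is an added example, not PAN-OS code: it is a toy Dynamic IP pool driven by an explicit time value, with constructed pool addresses and source hosts; 28800 seconds is the guide's own example value, and the DIPP fallback option is deliberately not modelled.

```python
# Added example (not PAN-OS code): toy Dynamic IP NAT pool with the reservation
# timer described above. Addresses, hosts and times are constructed; a None
# reserve_time models the default (no reservation); DIPP fallback is not modelled.
from typing import Dict, List, Optional


class DynamicIpPool:
    def __init__(self, addresses: List[str], reserve_time: Optional[int] = None) -> None:
        # reserve_time is the "set setting nat reserve-time" value in seconds.
        self.free = list(addresses)
        self.reserve_time = reserve_time
        self.mapping: Dict[str, str] = {}         # source IP -> translated IP
        self.active: Dict[str, int] = {}          # source IP -> live session count
        self.reserved_until: Dict[str, int] = {}  # source IP -> reservation expiry

    def _expire(self, now: int) -> None:
        """Return addresses whose reservation timer has run out to the pool."""
        for src, until in list(self.reserved_until.items()):
            if now >= until:
                self.free.append(self.mapping.pop(src))
                self.active.pop(src, None)
                del self.reserved_until[src]

    def new_session(self, src: str, now: int) -> Optional[str]:
        """Translate a new session; None means the pool is exhausted and the
        connection is dropped (the default without Dynamic IP/Port Fallback)."""
        self._expire(now)
        if src in self.mapping:
            # Existing or reserved mapping: reuse it; a new session stops the timer.
            self.reserved_until.pop(src, None)
            self.active[src] += 1
            return self.mapping[src]
        if not self.free:
            return None
        translated = self.free.pop(0)
        self.mapping[src] = translated
        self.active[src] = 1
        return translated

    def end_session(self, src: str, now: int) -> None:
        """When the last session ends: release at once, or start the timer."""
        self.active[src] -= 1
        if self.active[src] > 0:
            return
        if self.reserve_time is None:
            self.free.append(self.mapping.pop(src))
            del self.active[src]
        else:
            self.reserved_until[src] = now + self.reserve_time

    def reserved_for(self, src: str, now: int) -> Optional[int]:
        """Seconds of reservation left for src, or None if no timer is running."""
        until = self.reserved_until.get(src)
        return None if until is None or now >= until else until - now
```

The sequence in the test mirrors the guide's scenario: host 10.1.1.1 keeps 203.0.113.10 for eight hours after its last session, a third host is dropped while the address sits idle but reserved, and the same host gets the same address back when it returns, with the timer restarting only after its new sessions end.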


NAT Configuration Examples

Destination NAT Example: One-to-One Mapping
Destination NAT with Port Translation Example
Destination NAT Example: One-to-Many Mapping
Source and Destination NAT Example
Virtual Wire Source NAT Example
Virtual Wire Static NAT Example
Virtual Wire Destination NAT Example

Destination NAT Example: One-to-One Mapping
The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).
The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.
In the following example of a one-to-one destination NAT mapping, users from the zone named Untrust-L3 access the server 10.1.1.100 in the zone named DMZ using the IP address 1.1.1.100.

Before configuring the NAT rules, consider the sequence of events for this scenario.
1. Host 1.1.1.250 sends an ARP request for the address 1.1.1.100 (the public address of the destination server).
2. The firewall receives the ARP request packet for destination 1.1.1.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the 
ARP request with its own MAC address because of the destination NAT rule configured.
3. The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 1.1.1.100 to 10.1.1.100.
4. After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ.
5. The firewall performs a security policy lookup to see if the traffic is permitted from zone Untrust-L3 to DMZ.
   The direction of the policy matches the ingress zone and the zone where the server is physically located.
   The security policy refers to the IP address in the original packet, which has a destination address of 1.1.1.100.
6. The firewall forwards the packet to the server out egress interface Ethernet1/2. The destination address is changed to 10.1.1.100 as the packet leaves the firewall.
For this example, address objects are configured for webserver-private (10.1.1.100) and Webserver-public (1.1.1.100). The configured NAT rule would look like this:

The direction of the NAT rules is based on the result of route lookup.
The configured security policy to provide access to the server from the Untrust-L3 zone would look like this:

Destination NAT with Port Translation Example
In this example, the web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 and TCP port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 and TCP port 8080. Address objects are configured for webserver-private (10.1.1.100) and Servers-public (1.1.1.100).

The following NAT and security rules must be configured on the firewall:

Use the show session all CLI command to verify the translation.
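The zone and address logic of the two destination NAT examples above (pre-NAT address everywhere, NAT to-zone from the pre-NAT route lookup, security to-zone from the post-NAT route lookup), as an added example that is not firewall code; the interface subnets and the rule fields are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    zone: str
    network: ipaddress.IPv4Network   # connected subnet (constructed for this example)


@dataclass
class NatRule:
    from_zone: str
    to_zone: str                     # zone of the PRE-NAT destination (route lookup of the original address)
    orig_dst: str                    # pre-NAT destination address
    orig_port: int                   # pre-NAT destination port
    xlat_dst: str                    # post-NAT destination address
    xlat_port: Optional[int] = None  # None keeps the original port


@dataclass
class SecurityRule:
    from_zone: str
    to_zone: str                     # zone where the end host is physically connected (POST-NAT route lookup)
    dst: str                         # still the pre-NAT destination address
    port: int                        # still the pre-NAT port
    action: str


# Topology of the examples: Ethernet1/1 in Untrust-L3, Ethernet1/2 in DMZ (subnets constructed).
INTERFACES = [
    Interface("ethernet1/1", "Untrust-L3", ipaddress.ip_network("1.1.1.0/24")),
    Interface("ethernet1/2", "DMZ", ipaddress.ip_network("10.1.1.0/24")),
]


def route_lookup(dst: str, interfaces: List[Interface] = INTERFACES) -> Interface:
    """Longest-prefix match over the connected routes of the virtual router."""
    addr = ipaddress.ip_address(dst)
    candidates = [i for i in interfaces if addr in i.network]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda i: i.network.prefixlen)


def evaluate(ingress_zone: str, dst: str, dport: int,
             nat_rules: List[NatRule], sec_rules: List[SecurityRule]) -> Tuple[str, str, str, int]:
    """Return (action, egress interface, translated destination, translated port) for one packet."""
    # NAT rule lookup: the to-zone comes from the route lookup of the PRE-NAT destination.
    pre_nat_zone = route_lookup(dst).zone
    nat = next((r for r in nat_rules
                if r.from_zone == ingress_zone and r.to_zone == pre_nat_zone
                and r.orig_dst == dst and r.orig_port == dport), None)
    xlat_dst = nat.xlat_dst if nat else dst
    xlat_port = (nat.xlat_port or dport) if nat else dport
    # Egress interface and zone come from the route lookup of the POST-NAT destination.
    egress = route_lookup(xlat_dst)
    # Security policy: matched on the pre-NAT address and port, but on the post-NAT destination zone.
    sec = next((r for r in sec_rules
                if r.from_zone == ingress_zone and r.to_zone == egress.zone
                and r.dst == dst and r.port == dport), None)
    action = sec.action if sec else "deny"   # no match: interzone traffic is denied
    return action, egress.name, xlat_dst, xlat_port


# One-to-one mapping (port kept) and the port translation example (80 -> 8080).
ONE_TO_ONE_NAT = [NatRule("Untrust-L3", "Untrust-L3", "1.1.1.100", 80, "10.1.1.100")]
PORT_XLAT_NAT = [NatRule("Untrust-L3", "Untrust-L3", "1.1.1.100", 80, "10.1.1.100", 8080)]
# Correct security rule: from Untrust-L3 to DMZ, still on the pre-NAT address 1.1.1.100.
CORRECT_SECURITY = [SecurityRule("Untrust-L3", "DMZ", "1.1.1.100", 80, "allow")]
# The common mistakes described above: post-NAT address, or the pre-NAT zone, in the security rule.
MISTAKEN_SECURITY = [SecurityRule("Untrust-L3", "DMZ", "10.1.1.100", 80, "allow"),
                     SecurityRule("Untrust-L3", "Untrust-L3", "1.1.1.100", 80, "allow")]
```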


Destination NAT Example: One-to-Many Mapping
In this example, one IP address maps to two different internal hosts. The firewall uses the application to identify the internal host to which the firewall forwards the traffic.

All HTTP traffic is sent to host 10.1.1.100 and SSH traffic is sent to server 10.1.1.101. The following address objects are required:

Address object for the one pre-translated IP address of the server

Address object for the real IP address of the SSH server

Address object for the real IP address of the web server

The corresponding address objects are created:

Servers-public: 1.1.1.100

SSH-server: 10.1.1.101

webserver-private: 10.1.1.100

The NAT rules would look like this:

The security rules would look like this:


Source and Destination NAT Example
In this example, NAT rules translate both the source and destination IP address of packets between the clients and the server.

Source NAT: The source addresses in the packets from the clients in the Trust-L3 zone to the server in the Untrust-L3 zone are translated from the private addresses in the network 192.168.1.0/24 to the IP address of the egress interface on the firewall (10.16.1.103). Dynamic IP and Port translation causes the port numbers to be translated also.
Destination NAT: The destination addresses in the packets from the clients to the server are translated from the server's public address (80.80.80.80) to the server's private address (10.2.133.15).

The following address objects are created for destination NAT.

Server-PreNAT: 80.80.80.80

Server-postNAT: 10.2.133.15

The following screenshots illustrate how to configure the source and destination NAT policies for the example.


To verify the translations, use the CLI command show session all filter destination 80.80.80.80. Note that a client address 192.168.1.11 and its port number are translated to 10.16.1.103 and a port number. The destination address 80.80.80.80 is translated to 10.2.133.15.

Virtual Wire Source NAT Example
Virtual wire deployment of a Palo Alto Networks firewall includes the benefit of providing security transparently to the end devices. It is possible to configure NAT for interfaces configured in a virtual wire. All of the NAT types are allowed: source NAT (Dynamic IP, Dynamic IP and Port, static) and destination NAT. Because interfaces in a virtual wire do not have an IP address assigned, it is not possible to translate an IP address to an interface IP address. You must configure an IP address pool.
When performing NAT on virtual wire interfaces, it is recommended that you translate the source address to a different subnet than the one on which the neighboring devices are communicating. The firewall will not proxy ARP for NAT addresses. Proper routing must be configured on the upstream and downstream routers in order for the packets to be translated in virtual wire mode. Neighboring devices will only be able to resolve ARP requests for IP addresses that reside on the interface of the device on the other end of the virtual wire. See Proxy ARP for NAT Address Pools for more explanation about proxy ARP.
In the source NAT and static NAT examples below, security policies (not shown) are configured from the virtual wire zone named vw-trust to the zone named vw-untrust.
In the following topology, two routers are configured to provide connectivity between subnets 1.1.1.0/24 and 3.1.1.0/24. The link between the routers is configured in subnet 2.1.1.0/30. Static routing is configured on both routers to establish connectivity between the networks. Before the firewall is deployed in the environment, the topology and the routing table for each router look like this:

Route on R1:
Destination    Next Hop
3.1.1.0/24     2.1.1.2


Route on R2:
Destination    Next Hop
1.1.1.0/24     2.1.1.1

Now the firewall is deployed in virtual wire mode between the two Layer 3 devices. All communications from clients in network 1.1.1.0/24 accessing servers in network 3.1.1.0/24 are translated to an IP address in the range 2.1.1.9-2.1.1.14. A NAT IP address pool with range 2.1.1.9-2.1.1.14 is configured on the firewall.

All connections from the clients in subnet 1.1.1.0/24 will arrive at router R2 with a translated source address in the range 2.1.1.9-2.1.1.14. The response from servers will be directed to these addresses. In order for source NAT to work, you must configure proper routing on router R2, so that packets destined for other addresses are not dropped. The routing table below shows the modified routing table on router R2. The route ensures the traffic to the destinations 2.1.1.9-2.1.1.14 (that is, hosts on subnet 2.1.1.8/29) will be sent back through the firewall to router R1.
Route on R2:
Destination    Next Hop
2.1.1.8/29     2.1.1.1

Virtual Wire Static NAT Example
In this example, security policies are configured from the virtual wire zone named Trust to the virtual wire zone named Untrust. Host 1.1.1.100 is statically translated to address 2.1.1.100. With the Bi-directional option enabled, the firewall generates a NAT policy from the Untrust zone to the Trust zone. Clients on the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Any connections initiated by the server at 1.1.1.100 are translated to source IP address 2.1.1.100.

Route on R2:
Destination    Next Hop
2.1.1.100/32   2.1.1.1


Virtual Wire Destination NAT Example
Clients in the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Both the NAT and security policies must be configured from the Untrust zone to the Trust zone.

Route on R2:
Destination    Next Hop
2.1.1.100/32   2.1.1.1


NPTv6
IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). There are four primary benefits of NPTv6:

You can prevent the asymmetrical routing problems that result from Provider Independent addresses being advertised from multiple data centers.

NPTv6 allows more specific routes to be advertised so that return traffic arrives at the same firewall that transmitted the traffic.

Private and public addresses are independent; you can change one without affecting the other.

You have the ability to translate Unique Local Addresses to globally routable addresses.

This topic builds on a basic understanding of NAT. You should be sure you are familiar with NAT concepts before configuring NPTv6.

NPTv6 Overview

How NPTv6 Works

NDP Proxy

NPTv6 and NDP Proxy Example

Create an NPTv6 Policy

NPTv6 Overview
This section describes IPv6-to-IPv6 Network Prefix Translation (NPTv6) and how to configure it. NPTv6 is defined in RFC 6296. Palo Alto Networks does not implement all functionality defined in the RFC, but is compliant with the RFC in the functionality it has implemented.
NPTv6 performs stateless translation of one IPv6 prefix to another IPv6 prefix. It is stateless, meaning that it does not keep track of ports or sessions on the addresses translated. NPTv6 differs from NAT66, which is stateful. Palo Alto Networks supports NPTv6 RFC 6296 prefix translation; it does not support NAT66.
With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses.
For organizations using IPv6 addressing, there is no need to translate IPv6 addresses to IPv6 addresses due to the abundance of IPv6 addresses. However, there are Reasons to Use NPTv6 to translate IPv6 prefixes at the firewall.
NPTv6 translates the prefix portion of an IPv6 address but not the host portion or the application port numbers. The host portion is simply copied, and therefore remains the same on either side of the firewall. The host portion also remains visible within the packet header.

NPTv6 Does Not Provide Security

Platform Support for NPTv6

Unique Local Addresses

Reasons to Use NPTv6


NPTv6 Does Not Provide Security
It is important to understand that NPTv6 does not provide security. In general, stateless network address translation does not provide any security; it provides an address translation function. NPTv6 does not hide or translate port numbers. You must set up firewall security policies correctly in each direction to ensure that traffic is controlled as you intended.

Platform Support for NPTv6
NPTv6 is supported on the following platforms (NPTv6 with hardware lookup, but packets go through the CPU): PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3050 firewall, and PA-2000 Series. Platforms supported with no ability to have hardware perform a session lookup: PA-3020 firewall, PA-500 firewall, PA-200 firewall, and VM-Series.

Unique Local Addresses
RFC 4193, Unique Local IPv6 Unicast Addresses, defines unique local addresses (ULAs), which are IPv6 unicast addresses. They can be considered IPv6 equivalents of the private IPv4 addresses identified in RFC 1918, Address Allocation for Private Internets, which cannot be routed globally.
A ULA is globally unique, but not expected to be globally routable. It is intended for local communications and to be routable in a limited area such as a site or among a small number of sites. Palo Alto Networks does not recommend that you assign ULAs, but a firewall configured with NPTv6 will translate prefixes sent to it, including ULAs.

Reasons to Use NPTv6
Although there is no shortage of public, globally routable IPv6 addresses, there are reasons you might want to translate IPv6 addresses. NPTv6:

Prevents asymmetrical routing: Asymmetric routing can occur if a Provider Independent address space (/48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall where the source IP address was translated by the translator.

Provides address independence: You need not change the IPv6 prefixes used inside your local network if the global prefixes are changed (for example, by an ISP or as a result of merging organizations). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the Internet. In either case, you update a NAT rule rather than reassign network addresses.

Translates ULAs for routing: You can have Unique Local Addresses assigned within your private network, and have the firewall translate them to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.

Reduces exposure to IPv6 prefixes: IPv6 prefixes are less exposed than if you didn't translate network prefixes; however, NPTv6 is not a security measure. The interface identifier portion of each IPv6 address is not translated; it remains the same on each side of the firewall and visible to anyone who can see the packet header. Additionally, the prefixes are not secure; they can be determined by others.


How NPTv6 Works
When you configure a policy for NPTv6, the Palo Alto Networks firewall performs a static, one-to-one IPv6 translation in both directions. The translation is based on the algorithm described in RFC 6296.
In one use case, the firewall performing NPTv6 is located between an internal network and an external network (such as the Internet) that uses globally routable prefixes. When datagrams are going in the outbound direction, the internal source prefix is replaced with the external prefix; this is known as source translation.
In another use case, when datagrams are going in the inbound direction, the destination prefix is replaced with the internal prefix (known as destination translation). The figure below illustrates destination translation and a characteristic of NPTv6: only the prefix portion of an IPv6 address is translated. The host portion of the address is not translated and remains the same on either side of the firewall. In the figure below, the host identifier is 111::55 on both sides of the firewall.

It is important to understand that NPTv6 does not provide security. While you are planning your NPTv6 NAT policies, remember also to configure security policies in each direction.
A NAT or NPTv6 policy rule cannot have both the Source Address and the Translated Address set to Any.
In an environment where you want IPv6 prefix translation, three firewall features work together: NPTv6 NAT policies, security policies, and NDP Proxy.
The firewall does not translate the following:

Addresses that the firewall has in its Neighbor Discovery (ND) cache.

The subnet 0xFFFF (in accordance with RFC 6296, Appendix B).

IP multicast addresses.

IPv6 addresses with a prefix length of /31 or shorter.

Link-local addresses. If the firewall is operating in virtual wire mode, there are no IP addresses to translate, and the firewall does not translate link-local addresses.

Addresses for TCP sessions that authenticate peers using the TCP Authentication Option (RFC 5925).

When using NPTv6, performance for fastpath traffic is impacted because NPTv6 is performed in the slowpath.
NPTv6 will work with IPSec IPv6 only if the firewall is originating and terminating the tunnel. Transit IPSec traffic would fail because the source and/or destination IPv6 address would be modified. A NAT traversal technique that encapsulates the packet would allow IPSec IPv6 to work with NPTv6.

Checksum-Neutral Mapping


Bi-Directional Translation

NPTv6 Applied to a Specific Service

Checksum-Neutral Mapping
The NPTv6 mapping translations that the firewall performs are checksum-neutral, meaning that "...they result in IP headers that will generate the same IPv6 pseudo-header checksum when the checksum is calculated using the standard Internet checksum algorithm [RFC 1071]." See RFC 6296, Section 2.6, for more information about checksum-neutral mapping.
If you are using NPTv6 to perform destination NAT, you can provide the internal IPv6 address and the external prefix/prefix length of the firewall interface in the syntax of the test nptv6 CLI command. The CLI responds with the checksum-neutral, public IPv6 address to use in your NPTv6 configuration to reach that destination.
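The checksum-neutral mapping of RFC 6296 section 3.1 (prefixes of /48 or shorter, with the adjustment placed in the subnet word, bits 48-63, so the host portion stays unchanged), as an added example that is not the firewall's own test nptv6 implementation; the inside and outside prefixes are constructed.

```python
import ipaddress
from typing import List


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry (RFC 1071 arithmetic)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words: List[int]) -> int:
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def ones_neg(a: int) -> int:
    return (~a) & 0xFFFF


def to_words(addr: ipaddress.IPv6Address) -> List[int]:
    p = addr.packed
    return [(p[i] << 8) | p[i + 1] for i in range(0, 16, 2)]


def from_words(words: List[int]) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(bytes(b for w in words for b in (w >> 8, w & 0xFF)))


def nptv6_translate(addr: str, inside: str, outside: str, outbound: bool = True) -> str:
    """Map addr between the inside and outside prefixes so that the one's complement sum of its
    eight 16-bit words is unchanged (RFC 6296 section 3.1, prefixes of /48 or shorter)."""
    src_net, dst_net = ipaddress.IPv6Network(inside), ipaddress.IPv6Network(outside)
    if not outbound:
        src_net, dst_net = dst_net, src_net
    if src_net.prefixlen != dst_net.prefixlen or not 32 <= src_net.prefixlen <= 48:
        raise ValueError("both prefixes must have the same length between /32 and /48")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    old = to_words(ip)
    if old[3] == 0xFFFF:
        # RFC 6296 Appendix B: subnet 0xFFFF has no unambiguous inverse mapping, so it is not translated.
        raise ValueError("subnet 0xFFFF is not translated")
    # Step 1: swap the prefix bits, leaving everything after the prefix as it was.
    mask = int(dst_net.netmask)
    swapped = (int(dst_net.network_address) & mask) | (int(ip) & ~mask)
    new = to_words(ipaddress.IPv6Address(swapped))
    # Step 2: adjustment = (sum of old prefix words) - (sum of new prefix words), one's complement.
    adjustment = ones_add(ones_sum(old[:3]), ones_neg(ones_sum(new[:3])))
    # Step 3: absorb the adjustment in the subnet word; negative zero (0xFFFF) is stored as zero.
    new[3] = ones_add(new[3], adjustment)
    if new[3] == 0xFFFF:
        new[3] = 0
    return str(from_words(new))


def pseudo_header_sum(src: str, dst: str, upper_len: int, next_header: int) -> int:
    """One's complement sum of the IPv6 pseudo-header (addresses, upper-layer length, next header),
    normalised so that 0xFFFF and 0 compare equal; a TCP/UDP checksum depends on the addresses
    only through this value, so equal sums mean the translation is checksum-neutral."""
    words = to_words(ipaddress.IPv6Address(src)) + to_words(ipaddress.IPv6Address(dst))
    words += [upper_len >> 16, upper_len & 0xFFFF, 0, next_header]
    return ones_sum(words) % 0xFFFF


# Constructed example: a ULA prefix inside, a documentation prefix outside.
INSIDE, OUTSIDE = "fd01:203:405::/48", "2001:db8:1::/48"
```

The subnet word changes (0x0010 becomes 0xd55f for the constructed prefixes) while the interface identifier ::1 is copied unchanged, which is what makes the upper-layer checksum still verify.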

Bi-Directional Translation
When you Create an NPTv6 Policy, the Bi-directional option in the Translated Packet tab provides a convenient way for you to have the firewall create a corresponding NAT or NPTv6 translation in the opposite direction of the translation you configured. By default, Bi-directional translation is disabled.
If you enable Bi-directional translation, it is very important to make sure you have security policies in place to control the traffic in both directions. Without such policies, the Bi-directional feature will allow packets to be automatically translated in both directions, which you might not want.

NPTv6 Applied to a Specific Service
The Palo Alto Networks implementation of NPTv6 offers the ability to filter packets to limit which packets are subject to translation. Keep in mind that NPTv6 does not perform port translation. There is no concept of Dynamic IP and Port (DIPP) translation because NPTv6 translates IPv6 prefixes only. However, you can specify that only packets for a certain service port undergo NPTv6 translation. To do so, Create an NPTv6 Policy that specifies a Service in the Original Packet.

NDP Proxy
Neighbor Discovery Protocol (NDP) for IPv6 performs functions similar to those provided by Address Resolution Protocol (ARP) for IPv4. RFC 4861 defines Neighbor Discovery for IP version 6 (IPv6). Hosts, routers, and firewalls use NDP to determine the link-layer addresses of neighbors on connected links, to keep track of which neighbors are reachable, and to update neighbors' link-layer addresses that have changed. Peers advertise their own MAC address and IPv6 address, and they also solicit addresses from peers.
NDP also supports the concept of proxy, when a node has a neighboring device that is able to forward packets on behalf of the node. The device (firewall) performs the role of NDP Proxy.


Palo Alto Networks firewalls support NDP and NDP Proxy on their interfaces. When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall. You can also configure addresses for which the firewall will not respond to proxy requests (negated addresses).
In fact, NDP is enabled by default, and you need to configure NDP Proxy when you configure NPTv6, for the following reasons:

The stateless nature of NPTv6 requires a way to instruct the firewall to respond to ND packets sent to specified NDP Proxy addresses, and to not respond to negated NDP Proxy addresses.
It is recommended that you negate your neighbors' addresses in the NDP Proxy configuration, because NDP Proxy indicates the firewall will reach those addresses behind the firewall, but the neighbors are not behind the firewall.

NDP causes the firewall to save the MAC addresses and IPv6 addresses of neighbors in its ND cache. (Refer to the figure in NPTv6 and NDP Proxy Example.) The firewall does not perform NPTv6 translation for addresses that it finds in its ND cache because doing so could introduce a conflict. If the host portion of an address in the cache happens to overlap with the host portion of a neighbor's address, and the prefix in the cache is translated to the same prefix as that of the neighbor (because the egress interface on the firewall belongs to the same subnet as the neighbor), then you would have a translated address that is exactly the same as the legitimate IPv6 address of the neighbor, and a conflict occurs. (If an attempt to perform NPTv6 translation occurs on an address in the ND cache, an informational syslog message logs the event: NPTv6 Translation Failed.)

When an interface with NDP Proxy enabled receives an ND solicitation requesting a MAC address for an IPv6 address, the following sequence occurs:
1. The firewall searches the ND cache to ensure the IPv6 address from the solicitation is not there. If the address is there, the firewall ignores the ND solicitation.
2. If the source IPv6 address is 0, that means the packet is a Duplicate Address Detection packet, and the firewall ignores the ND solicitation.
3. The firewall does a Longest Prefix Match search of the NDP Proxy addresses and finds the best match to the address in the solicitation. If the Negate field for the match is checked (in the NDP Proxy list), the firewall drops the ND solicitation.
4. Only if the Longest Prefix Match search matches, and that matched address is not negated, will the NDP Proxy respond to the ND solicitation. The firewall responds with an ND packet, providing its own MAC address as the MAC address of the next hop toward the queried destination.
In order to successfully support NDP, the firewall does not perform NDP Proxy for the following:

Duplicate Address Detection (DAD).

Addresses in the ND cache (because such addresses do not belong to the firewall; they belong to discovered neighbors).


NPTv6 and NDP Proxy Example
The following figure and text illustrate how NPTv6 and NDP Proxy function together.

The ND Cache in NPTv6 Example
In the above example, multiple peers connect to the firewall through a switch, with ND occurring between the peers and the switch, between the switch and the firewall, and between the firewall and the devices on the trust side.
As the firewall learns of peers, it saves their addresses to its ND cache. Trusted peers FDDA:7A3E::1, FDDA:7A3E::2, and FDDA:7A3E::3 are connected to the firewall on the trust side. FDDA:7A3E::99 is the untranslated address of the firewall itself; its public-facing address is 2001:DB8::99. The addresses of the peers on the untrust side have been discovered and appear in the ND cache: 2001:DB8::1, 2001:DB8::2, and 2001:DB8::3.

The NDP Proxy in NPTv6 Example
In our scenario, we want the firewall to act as NDP Proxy for the prefixes on devices behind the firewall. When the firewall is NDP Proxy for a specified set of addresses/ranges/prefixes, and it sees an address from this range in an ND solicitation or advertisement, the firewall will respond as long as a device with that specific address doesn't respond first, the address is not negated in the NDP proxy configuration, and the address is not in the ND cache. The firewall does the prefix translation (described below) and sends the packet to the trust side, where that address might or might not be assigned to a device.
In this example, the ND Proxy table contains the network address 2001:DB8::0. When the interface sees an ND for 2001:DB8::100, no other devices on the L2 switch claim the packet, so the proxy range causes the firewall to claim it, and after translation to FDD4:7A3E::100, the firewall sends it out to the trust side.
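The solicitation-handling sequence described under NDP Proxy (ND cache check, DAD check, Longest Prefix Match with Negate), run against the addresses of this example, as an added example that is not firewall code; the /64 length of the 2001:DB8:: proxy prefix and the firewall MAC address are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class ProxyEntry:
    network: ipaddress.IPv6Network   # an address, range or prefix in the GUI; prefix form here
    negate: bool = False


FIREWALL_MAC = "00:1b:17:00:00:01"   # constructed


def ndp_proxy_decision(target: str, source: str, nd_cache: Set[str],
                       proxy_entries: List[ProxyEntry]) -> Tuple[str, str]:
    """Decide what an NDP-Proxy-enabled interface does with one ND solicitation.
    Returns (outcome, detail) where outcome is "respond", "ignore" or "drop"."""
    tgt = ipaddress.IPv6Address(target)
    # 1. An address already in the ND cache belongs to a discovered neighbor, not to the firewall.
    if tgt in {ipaddress.IPv6Address(a) for a in nd_cache}:
        return "ignore", "target is in the ND cache"
    # 2. The unspecified source (::) marks Duplicate Address Detection.
    if ipaddress.IPv6Address(source) == ipaddress.IPv6Address("::"):
        return "ignore", "DAD solicitation"
    # 3. Longest Prefix Match over the NDP Proxy list; the order of the entries does not matter.
    matches = [e for e in proxy_entries if tgt in e.network]
    if not matches:
        return "ignore", "no NDP Proxy entry matches"
    best = max(matches, key=lambda e: e.network.prefixlen)
    if best.negate:
        return "drop", f"best match {best.network} is negated"
    # 4. Answer with the firewall's own MAC as the next hop toward the target.
    return "respond", FIREWALL_MAC


# Untrust-side configuration of the example: proxy the 2001:DB8:: prefix (length assumed /64)
# and negate the three discovered neighbors so the firewall never claims their addresses.
PROXY_LIST = [ProxyEntry(ipaddress.IPv6Network("2001:db8::/64"))] + [
    ProxyEntry(ipaddress.IPv6Network(f"2001:db8::{i}/128"), negate=True) for i in (1, 2, 3)]
ND_CACHE = {"2001:db8::1", "2001:db8::2", "2001:db8::3"}
```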


The NPTv6 Translation in NPTv6 Example
In this example, the Original Packet is configured with a Source Address of FDD4:7A3E::0 and a Destination of Any. The Translated Packet is configured with the Translated Address of 2001:DB8::0.
Therefore, outgoing packets with a source of FDD4:7A3E::0 are translated to 2001:DB8::0. Incoming packets with a destination prefix in the network 2001:DB8::0 are translated to FDD4:7A3E::0.

Neighbors in the ND Cache are Not Translated
In our example, there are hosts behind the firewall with host identifiers :1, :2, and :3. If the prefixes of those hosts are translated to a prefix that exists beyond the firewall, and if those devices also have host identifiers :1, :2, and :3, because the host identifier portion of the address remains unchanged, the resulting translated address would belong to the existing device, and an addressing conflict would result. In order to avoid a conflict with overlapping host identifiers, NPTv6 does not translate addresses that it finds in its ND cache.

Create an NPTv6 Policy
Perform this task when you want to configure a NAT NPTv6 policy to translate one IPv6 prefix to another IPv6 prefix. The prerequisites for this task are:
Enable IPv6. Select Device > Setup > Session. Click Edit and select IPv6 Firewalling.
Configure a Layer 3 Ethernet interface with a valid IPv6 address and with IPv6 enabled. Select Network > Interfaces > Ethernet, select an interface, and on the IPv6 tab, select Enable IPv6 on the interface.
Create network security policies, because NPTv6 does not provide security.
Decide whether you want source translation, destination translation, or both.
Identify the zones to which you want to apply the NPTv6 policy.
Identify your original and translated IPv6 prefixes.
Configure an NPTv6 Policy
Step 1: Create a new NPTv6 policy.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a descriptive Name for the NPTv6 policy rule.
3. (Optional) Enter a Description and Tag.
4. For NAT Type, select NPTv6.

Step 2: Specify the match criteria for incoming packets; packets that match all of the criteria are subject to the NPTv6 translation. Zones are required for both types of translation.
1. On the Original Packet tab, for Source Zone, leave Any or click Add to enter the source zone to which the policy applies.
2. Enter the Destination Zone to which the policy applies.
3. (Optional) Select a Destination Interface.
4. (Optional) Select a Service to restrict what type of packets are translated.
5. If you are doing source translation, enter a Source Address or select Any. The address could be an address object. The following constraints apply to Source Address and Destination Address:
   Prefixes of Source Address and Destination Address for the Original Packet and Translated Packet must be in the format xxxx:xxxx::/yy, although leading zeros in the prefix can be dropped.
   The IPv6 address cannot have an interface identifier (host) portion defined.
   The range of supported prefix lengths is /32 to /64.
   The Source Address and Destination Address cannot both be set to Any.
6. If you are doing source translation, you can optionally enter a Destination Address. If you are doing destination translation, the Destination Address is required. See the constraints listed in the prior step.

Step 3: Specify the translated packet.
1. On the Translated Packet tab, if you want to do source translation, in the Source Address Translation section, for Translation Type, select Static IP. If you do not want to do source translation, select None.
2. If you chose Static IP, the Translated Address field appears. Enter the translated IPv6 prefix or address object. See the constraints listed in Step 5.
   It is a best practice to configure your Translated Address to be the prefix of the untrust interface address of your firewall. For example, if your untrust interface has the address 2001:1a:1b:1::99/64, make your Translated Address 2001:1a:1b:1::0/64.
3. (Optional) Select Bi-directional if you want the firewall to create a corresponding NPTv6 translation in the opposite direction of the translation you configure.
   If you enable Bi-directional translation, it is very important to make sure you have Security policy rules in place to control the traffic in both directions. Without such policy rules, Bi-directional translation allows packets to be automatically translated in both directions, which you might not want.
4. If you want to do destination translation, select Destination Address Translation. In the Translated Address field, choose an address object from the dropdown or enter your internal destination address.
5. Click OK.

Step 4: Configure NDP Proxy. When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall.
1. Select Network > Interfaces > Ethernet and select an interface.
2. On the Advanced > NDP Proxy tab, select Enable NDP Proxy and click Add.
3. Enter the IP Address(es) for which NDP Proxy is enabled. It can be an address, a range of addresses, or a prefix and prefix length. The order of IP addresses does not matter. These addresses are ideally the same as the Translated Addresses that you configured in an NPTv6 policy.
   If the address is a subnet, the NDP Proxy will respond to all addresses in the subnet, so you should list the neighbors in that subnet with Negate selected, as described in the next step.
4. (Optional) Enter one or more addresses for which you do not want NDP Proxy enabled, and select Negate. For example, from an IP address range or prefix range configured in the prior step, you could negate a smaller subset of addresses. It is recommended that you negate the addresses of the neighbors of the firewall.

Step 5: Save the configuration.
Click OK and Commit.

ECMP
Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route. Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:

Load balance flows (sessions) to the same destination over multiple equal-cost links.
Efficiently use all available bandwidth on links to the same destination rather than leave some links unused.
Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than having to wait for the routing protocol or RIB table to elect an alternative path/route. This can help reduce downtime when links fail.

For information about ECMP path selection when an HA peer fails, see ECMP in Active/Active HA Mode.
The following sections describe ECMP and how to configure it.

ECMP Load Balancing Algorithms

ECMP Platform, Interface, and IP Routing Support

Configure ECMP on a Virtual Router

Enable ECMP for Multiple BGP Autonomous Systems

Verify ECMP

ECMP Load Balancing Algorithms
Let's suppose the Routing Information Base (RIB) of the firewall has multiple equal-cost paths to a single destination. The maximum number of equal-cost paths defaults to 2. ECMP chooses the best two equal-cost paths from the RIB to copy to the Forwarding Information Base (FIB). ECMP then determines, based on the load-balancing method, which of the two paths in the FIB the firewall will use for the destination during this session.
ECMP load balancing is done at the session level, not at the packet level; the start of a new session is when the firewall (ECMP) chooses an equal-cost path. The equal-cost paths to a single destination are considered ECMP path members or ECMP group members. ECMP determines which one of the multiple paths to a destination in the FIB to use for an ECMP flow, based on which load-balancing algorithm you set. A virtual router can use only one load-balancing algorithm.
Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart the virtual router, which might cause existing sessions to be terminated.

The four algorithm choices emphasize different priorities, as follows:

Hash-based algorithms prioritize session stickiness: The IP Modulo and IP Hash algorithms use hashes based on information in the packet header, such as source and destination address. Because the header of each flow in a given session contains the same source and destination information, these options prioritize session stickiness. If you choose the IP Hash algorithm, you can optionally set a Hash Seed value to further randomize load balancing if you have a large number of sessions to the same destination and they're not being distributed evenly over the ECMP links.

Balanced algorithm prioritizes load balancing: The Balanced Round Robin algorithm distributes incoming sessions equally across the links, favoring load balancing over session stickiness. (Round robin indicates a sequence in which the least recently chosen item is chosen.) In addition, if new routes are added or removed from an ECMP group (for example, if a path in the group goes down), the virtual router will rebalance the sessions across links in the group. Additionally, if the flows in a session have to switch routes due to an outage, when the original route associated with the session becomes available again, the flows in the session will revert to the original route when the virtual router once again rebalances the load.

Weighted algorithm prioritizes link capacity and/or speed: As an extension to the ECMP protocol standard, the Palo Alto Networks implementation provides for a Weighted Round Robin load-balancing option that takes into account differing link capacities and speeds on the egress interfaces of the firewall. With this option, you can assign ECMP Weights (range is 1-255; default is 100) to the interfaces based on link performance using factors such as link capacity, speed, and latency to ensure that loads are balanced to fully leverage the available links.
For example, suppose the firewall has redundant links to an ISP: ethernet1/1 (100 Mbps) and ethernet1/8 (200 Mbps). Although these are equal-cost paths, the link via ethernet1/8 provides greater bandwidth and therefore can handle a greater load than the ethernet1/1 link. Therefore, to ensure that the load-balancing functionality takes into account link capacity and speed, you might assign ethernet1/8 a weight of 200 and ethernet1/1 a weight of 100. The 2:1 weight ratio causes the virtual router to send twice as many sessions to ethernet1/8 as it sends to ethernet1/1. However, because the ECMP protocol is inherently session-based, when using the Weighted Round Robin algorithm, the firewall will be able to load balance across the ECMP links only on a best-effort basis.
Assign lower-speed or lower-capacity links with a lower weight. Assign higher-speed or higher-capacity links with a higher weight. In this manner, the firewall can distribute sessions based on these ratios, rather than overdrive a low-capacity link that is one of the equal-cost paths.

Keep in mind that ECMP weights are assigned to interfaces to determine load balancing (to influence which equal-cost path is chosen), not for route selection (a route choice from routes that could have different costs).
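Session-level path selection for the four algorithms, using the ethernet1/1 (weight 100) and ethernet1/8 (weight 200) example above, as an added example that is not the firewall's implementation; the hash function and the round-robin bookkeeping are assumptions made for the example.

```python
import hashlib
import itertools
from collections import Counter, deque
from functools import reduce
from math import gcd
from typing import Dict, List, Optional


def _hash(*fields) -> int:
    """Stable hash over header fields (SHA-256 here; the firewall's function is an assumption)."""
    key = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def ip_modulo(paths: List[str], src: str, dst: str) -> str:
    """IP Modulo: source and destination address only, so every flow of a session lands on one path."""
    return paths[_hash(src, dst) % len(paths)]


def ip_hash(paths: List[str], src: str, dst: str, sport: Optional[int] = None,
            dport: Optional[int] = None, seed: int = 0) -> str:
    """IP Hash: optionally adds the ports and a Hash Seed to spread many sessions to one destination."""
    return paths[_hash(src, dst, sport, dport, seed) % len(paths)]


class BalancedRoundRobin:
    """Each new session goes to the least recently chosen path; a path that goes down leaves the rotation."""

    def __init__(self, paths: List[str]):
        self.rotation = deque(paths)

    def next_session(self) -> str:
        path = self.rotation.popleft()
        self.rotation.append(path)
        return path

    def path_down(self, path: str) -> None:
        self.rotation.remove(path)


class WeightedRoundRobin:
    """New sessions are dealt over a cycle whose slots are proportional to the ECMP weights (1-255)."""

    def __init__(self, weights: Dict[str, int]):
        g = reduce(gcd, weights.values())
        slots = [p for p, w in sorted(weights.items()) for _ in range(w // g)]
        self.cycle = itertools.cycle(slots)

    def next_session(self) -> str:
        return next(self.cycle)


def distribute(scheduler, sessions: int) -> Counter:
    """Count how many of the given number of new sessions each path receives."""
    return Counter(scheduler.next_session() for _ in range(sessions))


WEIGHTS = {"ethernet1/1": 100, "ethernet1/8": 200}   # the 100 Mbps / 200 Mbps links of the example
```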

ECMP Platform, Interface, and IP Routing Support
ECMP is supported on all Palo Alto Networks firewall platforms, with hardware forwarding support on the PA-7000 Series, PA-5000 Series, PA-3060 firewalls, and PA-3050 firewalls. PA-3020 firewalls, PA-500 firewalls, PA-200 firewalls, and VM-Series firewalls support ECMP through software only. Performance is affected for sessions that cannot be hardware offloaded.
ECMP is supported on Layer 3, Layer 3 subinterface, VLAN, tunnel, and Aggregated Ethernet interfaces.
ECMP can be configured for static routes and any of the dynamic routing protocols the firewall supports.
ECMP affects the route table capacity because the capacity is based on the number of paths, so an ECMP route with four paths will consume four entries of route table capacity. ECMP implementation might slightly decrease the route table capacity because more memory is being used by session-based tags to map traffic flows to particular interfaces.


ECMPhasthefollowingrestrictions:
PA2000SeriesfirewallsandPA4000SeriesfirewallswithECMPenabledmightnotbeabletooffload

sessionstohardwareforforwarding.PacketsmatchingECMProuteswillbesenttosoftware,while
packetsmatchingnonECMProutescanstillbeforwardedbyhardware.
ForthePA4000Seriesfirewalls,packetstobeforwardedbyECMProuteswillbesenttosoftwarefor

routelookupandforwarding,eventhoughthesessionisinoffloadedstate.
VirtualroutertovirtualrouterroutingusingstaticroutesdoesnotsupportECMP.

Configure ECMP on a Virtual Router
Use the following procedure to enable ECMP on a virtual router. The prerequisites are to:
- Specify the interfaces that belong to a virtual router (Network > Virtual Routers > Router Settings > General).
- Specify the IP routing protocol.

Enabling, disabling, or changing ECMP for an existing virtual router causes the system to restart the virtual router, which might cause sessions to be terminated.

Configure ECMP on a Virtual Router

Step 1. Enable ECMP for a virtual router.
1. Select Network > Virtual Routers and select the virtual router on which to enable ECMP.
2. Select Router Settings > ECMP and select Enable.

Step 2. (Optional) Enable symmetric return of packets from server to client.
(Optional) Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface. The Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.

Step 3. Specify the maximum number of equal-cost paths (to a destination network) that can be copied from the Routing Information Base (RIB) to the Forwarding Information Base (FIB).
For Max Path allowed, enter 2, 3, or 4. Default: 2.

Step 4. Select the load-balancing algorithm for the virtual router. For more information on load-balancing methods and how they differ, see ECMP Load Balancing Algorithms.
For Load Balance, select one of the following options from the Method drop-down:
- IP Modulo (default): Uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
- IP Hash: Uses a hash of the source and destination IP addresses and optionally the source and destination port numbers in the packet header to determine which ECMP route to use. Specify options in Step 5 below.
- Balanced Round Robin: Uses round robin among the ECMP paths and rebalances paths when the number of paths changes.
- Weighted Round Robin: Uses round robin and a relative weight to select from among ECMP paths. Specify the weights in Step 6 below.

Step 5. (IP Hash only) Configure IP Hash options.
If you selected IP Hash as the Method:
1. Select Use Source/Destination Ports if you want to use source or destination port numbers in the IP Hash calculation.
2. Enter a Hash Seed value (an integer with a maximum of nine digits). Specify a Hash Seed value to further randomize load balancing. Specifying a hash seed value is useful if you have a large number of sessions with the same tuple information.

Step 6. (Weighted Round Robin only) Define a weight for each interface in the ECMP group.
If you selected Weighted Round Robin as the Method, define a weight for each of the interfaces that are the egress points for traffic to be routed to the same destinations (that is, interfaces that are part of an ECMP group, such as the interfaces that provide redundant links to your ISP or interfaces to the core business applications on your corporate network). The higher the weight, the more often that equal-cost path will be selected for a new session.
Give higher-speed links a higher weight than slower links so that more of the ECMP traffic goes over the faster link.
1. Create an ECMP group by clicking Add and selecting an Interface from the drop-down.
2. Add the other interfaces in the ECMP group.
3. Click on Weight and specify the relative weight for each interface (range is 1-255; default is 100).

Step 7. Save the configuration.
1. Click OK.
2. At the ECMP Configuration Change prompt, click Yes to restart the virtual router. Restarting the virtual router might cause existing sessions to be terminated. This message displays only if you are modifying an existing virtual router with ECMP.

Step 8. Save the configuration.
Commit the configuration.
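As an added illustration of the four Load Balance methods listed in Step 4 and of the session-based weighting described under the Weighted Round Robin algorithm, the following Python model (written for this guide, not Palo Alto Networks code) pins each new session to one path of an ECMP group and counts the resulting share per interface. It goes beyond the single two-interface case in the text by modelling all four methods. The hash function, the round-robin bookkeeping, and the interface and address values are assumptions; PAN-OS does not publish its internal hash, and the sample sessions are constructed.

```python
"""ECMP path selection for the four PAN-OS load-balance methods.

Added example (not Palo Alto Networks code). Each NEW session is pinned to one
equal-cost path, so a method balances sessions, not packets. The hash and the
round-robin state handling are assumptions, not the firewall's internals.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)


@dataclass
class EcmpGroup:
    paths: List[str]                   # egress interfaces, e.g. ["ethernet1/1", "ethernet1/8"]
    method: str = "ip-modulo"          # ip-modulo | ip-hash | balanced-rr | weighted-rr
    use_ports: bool = False            # IP Hash option "Use Source/Destination Ports"
    hash_seed: int = 0                 # IP Hash option "Hash Seed" (at most nine digits)
    weights: Dict[str, int] = field(default_factory=dict)  # Weighted RR, 1-255, default 100
    _rr_position: int = 0              # Balanced RR cursor (assumed bookkeeping)
    _rr_credit: Dict[str, int] = field(default_factory=dict)  # Weighted RR credits

    def __post_init__(self):
        if not 2 <= len(self.paths) <= 4:        # Max Path allowed is 2, 3, or 4
            raise ValueError("ECMP group must have 2 to 4 paths")
        for w in self.weights.values():
            if not 1 <= w <= 255:
                raise ValueError("weight out of range 1-255")
        if not 0 <= self.hash_seed <= 999_999_999:
            raise ValueError("hash seed must be at most nine digits")

    def _digest(self, parts: Tuple) -> int:
        # Stand-in for the platform hash: stable for a given tuple (plus seed).
        data = "|".join(str(p) for p in parts).encode()
        return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

    def select(self, flow: Flow) -> str:
        """Return the egress interface chosen for a NEW session with this tuple."""
        src, dst, sport, dport = flow
        n = len(self.paths)
        if self.method == "ip-modulo":             # source + destination IP only
            return self.paths[self._digest((src, dst)) % n]
        if self.method == "ip-hash":               # optionally ports, plus the seed
            key = (src, dst, sport, dport) if self.use_ports else (src, dst)
            return self.paths[self._digest(key + (self.hash_seed,)) % n]
        if self.method == "balanced-rr":           # plain rotation over the paths
            path = self.paths[self._rr_position % n]
            self._rr_position += 1
            return path
        if self.method == "weighted-rr":
            return self._weighted_next()
        raise ValueError(f"unknown method {self.method}")

    def _weighted_next(self) -> str:
        # Smooth weighted round robin: every path earns its weight in credit per
        # selection; the richest path is chosen and pays back the total weight.
        total = sum(self.weights.get(p, 100) for p in self.paths)
        for p in self.paths:
            self._rr_credit[p] = self._rr_credit.get(p, 0) + self.weights.get(p, 100)
        best = max(self.paths, key=lambda p: self._rr_credit[p])
        self._rr_credit[best] -= total
        return best

    def rebalance(self, paths: List[str]) -> None:
        """Balanced Round Robin restarts from a clean cursor when the path set changes."""
        self.paths = paths
        self._rr_position = 0
        self._rr_credit = {}
        self.__post_init__()


def session_share(group: EcmpGroup, flows: List[Flow]) -> Dict[str, int]:
    """Count how many new sessions each path of the group receives."""
    counts = {p: 0 for p in group.paths}
    for f in flows:
        counts[group.select(f)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample sessions, not captured traffic.
    flows = [("10.1.0.%d" % i, "198.51.100.7", 40000 + i, 443) for i in range(60)]
    wrr = EcmpGroup(["ethernet1/1", "ethernet1/8"], "weighted-rr",
                    weights={"ethernet1/1": 100, "ethernet1/8": 200})
    print(session_share(wrr, flows))   # ethernet1/8 receives twice the sessions
```

With weights 100 and 200 the weighted method sends two of every three new sessions to ethernet1/8, which is the ratio the text describes; the IP Modulo and IP Hash methods return the same path for every packet of a flow, so a flow never straddles two links, which is why the guide calls ECMP load balancing session-based.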

Enable ECMP for Multiple BGP Autonomous Systems
Perform the following task if you have BGP configured, and you want to enable ECMP over multiple autonomous systems. This task presumes that BGP is already configured. In the following figure, two ECMP paths to a destination go through two firewalls belonging to a single ISP in a single BGP autonomous system.

In the following figure, two ECMP paths to a destination go through two firewalls belonging to two different ISPs in different BGP autonomous systems.

Enable ECMP for BGP Autonomous Systems

Step 1. Configure ECMP.
See Configure ECMP on a Virtual Router.

Step 2. For BGP routing, enable ECMP over multiple autonomous systems.
1. Select Network > Virtual Routers and select the virtual router on which to enable ECMP for multiple BGP autonomous systems.
2. Select BGP > Advanced and select ECMP Multiple AS Support.

Step 3. Save the configuration.
Click OK and Commit the configuration.

Verify ECMP
A virtual router configured for ECMP indicates in the Forwarding Information Base (FIB) table which routes are ECMP routes. An ECMP flag (E) for a route indicates that it is participating in ECMP for the egress interface to the next hop for that route.

Confirm That Routes Are Equal-Cost Multiple Paths
Look at the FIB and confirm that some routes are equal-cost multiple paths.
1. Select Network > Virtual Routers.
2. In the row of the virtual router for which you enabled ECMP, click More Runtime Stats.
3. Select Routing > Forwarding Table to see the FIB. In the table, note that multiple routes to the same Destination (out a different Interface) have the E flag. An asterisk (*) denotes the preferred path for the ECMP group.


LLDP
Palo Alto Networks firewalls support Link Layer Discovery Protocol (LLDP), which functions at the link layer to discover neighboring devices and their capabilities. LLDP allows the firewall and other network devices to send and receive LLDP data units (LLDPDUs) to and from neighbors. The receiving device stores the information in a MIB, which the Simple Network Management Protocol (SNMP) can access. LLDP makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected by a ping or traceroute.

- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics

LLDP Overview
LLDP operates at Layer 2 of the OSI model, using MAC addresses. An LLDPDU is a sequence of type-length-value (TLV) elements encapsulated in an Ethernet frame. The IEEE 802.1AB standard defines three MAC addresses for LLDPDUs: 01-80-C2-00-00-0E, 01-80-C2-00-00-03, and 01-80-C2-00-00-00.
The Palo Alto Networks firewall supports only one MAC address for transmitting and receiving LLDP data units: 01-80-C2-00-00-0E. When transmitting, the firewall uses 01-80-C2-00-00-0E as the destination MAC address. When receiving, the firewall processes datagrams with 01-80-C2-00-00-0E as the destination MAC address. If the firewall receives either of the other two MAC addresses for LLDPDUs on its interfaces, the firewall takes the same forwarding action it took prior to this feature, as follows:
- If the interface type is vwire, the firewall forwards the datagram to the other port.
- If the interface type is L2, the firewall floods the datagram to the rest of the VLAN.
- If the interface type is L3, the firewall drops the datagrams.

The PA-2000 Series platform is not supported due to the hardware limitation of how Aggregated Ethernet interfaces function. Panorama, the GlobalProtect Mobile Security Manager, and the WildFire appliance are also not supported.
Interface types that do not support LLDP are TAP, high availability (HA), Decrypt Mirror, virtual wire/vlan/L3 subinterfaces, and PA-7000 Series Log Processing Card (LPC) interfaces.
An LLDP Ethernet frame has the following format:


Within the LLDP Ethernet frame, the TLV structure has the following format:

Supported TLVs in LLDP
LLDPDUs include mandatory and optional TLVs. The following table lists the mandatory TLVs that the firewall supports:

Mandatory TLVs

TLV Type: Description

Chassis ID TLV
    Identifies the firewall chassis. Each firewall must have exactly one unique Chassis ID. The Chassis ID subtype is 4 (MAC address); Palo Alto Networks platforms use the MAC address of Eth0 to ensure uniqueness.

Port ID TLV
    Identifies the port from which the LLDPDU is sent. Each firewall uses one Port ID for each LLDPDU message transmitted. The Port ID subtype is 5 (interface name) and uniquely identifies the transmitting port. The firewall uses the interface's ifname as the Port ID.

Time-to-live (TTL) TLV
    Specifies how long (in seconds) LLDPDU information received from the peer is retained as valid in the local firewall (range is 0-65535). The value is a multiple of the LLDP Hold Time Multiplier. When the TTL value is 0, the information associated with the device is no longer valid and the firewall removes that entry from the MIB.

End of LLDPDU TLV
    Indicates the end of the TLVs in the LLDP Ethernet frame.


The following table lists the optional TLVs that the Palo Alto Networks firewall supports:

Optional TLVs

TLV Type: Purpose and Notes Regarding Firewall Implementation

Port Description TLV (TLV type 4)
    Describes the port of the firewall in alphanumeric format. The ifAlias object is used.

System Name TLV
    Configured name of the firewall in alphanumeric format. The sysName object is used.

System Description TLV
    Describes the firewall in alphanumeric format. The sysDescr object is used.

System Capabilities
    Describes the deployment mode of the interface, as follows:
    - An L3 interface is advertised with router (bit 6) capability and the other bit (bit 1).
    - An L2 interface is advertised with MAC Bridge (bit 3) capability and the other bit (bit 1).
    - A virtual wire interface is advertised with Repeater (bit 2) capability and the other bit (bit 1).

Management Address
    One or more IP addresses used for firewall management, as follows:
    - IP address of the management (MGT) interface
    - IPv4 and/or IPv6 address of the interface
    - Loopback address
    - User-defined address entered in the management address field
    If no management IP address is provided, the default is the MAC address of the transmitting interface.
    Included is the interface number of the management address specified. Also included is the OID of the hardware interface with the management address specified (if applicable).
    If more than one management address is specified, they will be sent in the order they are specified, starting at the top of the list. A maximum of four Management Addresses are supported.
    This is an optional parameter and can be left disabled.
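The following Python example, added here and not part of this guide or of PAN-OS, builds and parses an LLDPDU with the mandatory TLVs in the order the table above lists them, the optional System Name and System Capabilities TLVs, and the End of LLDPDU TLV, then applies the receive rules from the LLDP Overview (only 01-80-C2-00-00-0E is processed; the other two LLDP addresses are forwarded, flooded or dropped by interface type; a TTL of 0 removes the neighbor entry). The TLV header layout (7-bit type, 9-bit length) and the subtype numbers 4 and 5 are from IEEE 802.1AB as the table states; the MAC address, interface name, TTL and system name values are constructed.

```python
"""Build and parse an LLDPDU as the Supported TLVs in LLDP tables describe.

Added example, not Palo Alto Networks code. TLV header: 7-bit type, 9-bit
length (IEEE 802.1AB). Chassis ID subtype 4 = MAC address, Port ID subtype
5 = interface name, as on the page. All frame values below are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

LLDP_NEAREST_BRIDGE = bytes.fromhex("0180c200000e")   # only address the firewall processes
OTHER_LLDP_MACS = {bytes.fromhex("0180c2000003"), bytes.fromhex("0180c2000000")}

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP = 4, 5, 6, 7


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value bytes."""
    if not (0 <= tlv_type < 128 and len(value) < 512):
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, ifname: str, ttl: int,
                 sys_name: Optional[str] = None, capabilities: int = 0) -> bytes:
    """Mandatory TLVs in the required order, optional TLVs, then End of LLDPDU."""
    pdu = tlv(TLV_CHASSIS_ID, bytes([4]) + chassis_mac)       # subtype 4 = MAC address
    pdu += tlv(TLV_PORT_ID, bytes([5]) + ifname.encode())     # subtype 5 = interface name
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))               # seconds, 0-65535
    if sys_name is not None:
        pdu += tlv(TLV_SYS_NAME, sys_name.encode())
    if capabilities:
        # two 16-bit fields: supported capabilities, enabled capabilities
        pdu += tlv(TLV_SYS_CAP, struct.pack("!HH", capabilities, capabilities))
    return pdu + tlv(TLV_END, b"")


def parse_lldpdu(pdu: bytes) -> Dict[str, object]:
    """Walk the TLV chain; raise ValueError for the error classes the Status tab counts."""
    tlvs: List[Tuple[int, bytes]] = []
    offset = 0
    while offset + 2 <= len(pdu):
        header, = struct.unpack_from("!H", pdu, offset)
        t, length = header >> 9, header & 0x1FF
        if offset + 2 + length > len(pdu):
            raise ValueError("length error")
        tlvs.append((t, pdu[offset + 2: offset + 2 + length]))
        offset += 2 + length
        if t == TLV_END:
            break
    else:
        raise ValueError("mandatory TLV missing: End of LLDPDU")
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    chassis, port, ttl = (v for _, v in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise ValueError("out-of-range information in a mandatory TLV")
    info: Dict[str, object] = {
        "chassis_subtype": chassis[0],
        "chassis_id": chassis[1:].hex(":") if chassis[0] == 4 else chassis[1:],
        "port_subtype": port[0],
        "port_id": port[1:].decode(errors="replace"),
        "ttl": struct.unpack("!H", ttl)[0],
        "unrecognized": 0,
    }
    for t, v in tlvs[3:-1]:                    # optional TLVs between TTL and End
        if t == TLV_SYS_NAME:
            info["system_name"] = v.decode(errors="replace")
        elif t == TLV_SYS_CAP and len(v) >= 2:
            info["capabilities"] = struct.unpack("!H", v[:2])[0]
        elif 9 <= t <= 126:                    # reserved range: counted as Unrecognized
            info["unrecognized"] = int(info["unrecognized"]) + 1
    return info


def is_valid_lldpdu(pdu: bytes) -> bool:
    try:
        parse_lldpdu(pdu)
        return True
    except ValueError:
        return False


def neighbor_action(dst_mac: bytes, iface_type: str) -> str:
    """Forwarding decision for an LLDP frame, per the LLDP Overview."""
    if dst_mac == LLDP_NEAREST_BRIDGE:
        return "process"
    if dst_mac in OTHER_LLDP_MACS:
        return {"vwire": "forward", "L2": "flood", "L3": "drop"}[iface_type]
    return "not-lldp"


def update_neighbor_mib(mib: Dict[str, dict], iface: str, info: Dict[str, object]) -> Dict[str, dict]:
    """A TTL of 0 removes the neighbor entry; any other TTL (re)stores it."""
    key = f"{iface}/{info['chassis_id']}/{info['port_id']}"
    if info["ttl"] == 0:
        mib.pop(key, None)
    else:
        mib[key] = dict(info)
    return mib
```

A practitioner can feed a captured LLDPDU payload (the bytes after the 0x88CC EtherType) to parse_lldpdu to see exactly which fields a neighbor advertises; a missing or reordered mandatory TLV, or a length that overruns the frame, is rejected the same way the Errors counter on the Status tab describes.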

LLDP Syslog Messages and SNMP Traps
The firewall stores LLDP information in MIBs, which an SNMP Manager can monitor. If you want the firewall to send SNMP trap notifications and syslog messages about LLDP events, you must enable SNMP Syslog Notification in an LLDP profile.
Per RFC 5424, The Syslog Protocol, and RFC 1157, A Simple Network Management Protocol, LLDP sends syslog and SNMP trap messages when MIB changes occur. These messages are rate limited by the Notification Interval, an LLDP global setting that defaults to 5 seconds and is configurable.
Because the LLDP syslog and SNMP trap messages are rate limited, some LLDP information provided to those processes might not match the current LLDP statistics seen when you View the LLDP status information. This is normal, expected behavior.
A maximum of 5 MIBs can be received per interface (Ethernet or AE). Each different source has one MIB. If this limit is exceeded, the error message tooManyNeighbors is triggered.


Configure LLDP
To configure LLDP, and create an LLDP profile, you must be a superuser or device administrator (deviceadmin). A firewall interface supports a maximum of five LLDP peers.

Configure LLDP

Step 1. Enable LLDP on the firewall.
Select Network > LLDP and edit the LLDP General section; select Enable.

Step 2. (Optional) Change LLDP global settings.
1. For Transmit Interval (sec), specify the interval (in seconds) at which LLDPDUs are transmitted. Default: 30 seconds. Range: 1-3600 seconds.
2. For Transmit Delay (sec), specify the delay time (in seconds) between LLDP transmissions sent after a change is made in a TLV element. The delay helps to prevent flooding the segment with LLDPDUs if many network changes spike the number of LLDP changes, or if the interface flaps. The Transmit Delay must be less than the Transmit Interval. Default: 2 seconds. Range: 1-600 seconds.
3. For Hold Time Multiple, specify a value that is multiplied by the Transmit Interval to determine the total TTL Hold Time. Default: 4. Range: 1-100. The maximum TTL Hold Time is 65535 seconds, regardless of the multiplier value.
4. For Notification Interval, specify the interval (in seconds) at which LLDP Syslog Messages and SNMP Traps are transmitted when MIB changes occur. Default: 5 seconds. Range: 1-3600 seconds.
5. Click OK.

Step 3. Create an LLDP profile. For descriptions of the optional TLVs, see Supported TLVs in LLDP.
1. Select Network > Network Profiles > LLDP Profile and click Add.
2. Enter a Name for the LLDP profile.
3. For Mode, select transmit-receive (default), transmit-only, or receive-only.
4. Select SNMP Syslog Notification to enable SNMP notifications and syslog messages. If enabled, the global Notification Interval is used. The firewall will send both an SNMP trap and a syslog event as configured in the Device > Log Settings > System > SNMP Trap Profile and Syslog Profile.
5. For Optional TLVs, select the TLVs you want transmitted:
   - Port Description
   - System Name
   - System Description
   - System Capabilities
6. (Optional) Select Management Address to add one or more management addresses and Add a Name.
7. Select the Interface from which to obtain the management address. At least one management address is required if Management Address TLV is enabled. If no management IP address is configured, the system uses the MAC address of the transmitting interface as the management address TLV.
8. Select IPv4 or IPv6, and in the adjacent field, select an IP address from the drop-down (which lists the addresses configured on the selected interface), or enter an address.
9. Click OK.
10. Up to four management addresses are allowed. If you specify more than one Management Address, they will be sent in the order they are specified, starting at the top of the list. To change the order of the addresses, select an address and use the Move Up or Move Down buttons.
11. Click OK.

Step 4. Assign an LLDP profile to an interface.
1. Select Network > Interfaces and select the interface where you will assign an LLDP profile.
2. Select Advanced > LLDP.
3. Select Enable LLDP to assign an LLDP profile to the interface.
4. For Profile, select the profile you created. Selecting None enables LLDP with basic functionality: sends the three mandatory TLVs and enables transmit-receive mode. If you want to create a new profile, click LLDP Profile and follow the instructions in Step 4.
5. Click OK.

Step 5. Save the configuration.
Click Commit.


View LLDP Settings and Status
Perform the following procedure to view LLDP settings and status.

View LLDP Settings and Status

Step 1. View LLDP global settings.
1. Select Network > LLDP.
   On the LLDP General screen, Enable indicates whether LLDP is enabled or not.
   If LLDP is enabled, the configured global settings (Transmit Interval, Transmit Delay, Hold Time Multiple, and Notification Interval) are displayed.
   If LLDP is not enabled, the default values of the global settings are displayed.
   For descriptions of these values, see (Optional) Change LLDP global settings.

Step 2. View the LLDP status information.
1. Select the Status tab.
2. (Optional) Enter a filter to restrict the information that is displayed.
   Interface Information:
   - Interface: Name of the interfaces that have LLDP profiles assigned to them.
   - LLDP: LLDP status: enabled or disabled.
   - Mode: LLDP mode of the interface: Tx/Rx, Tx Only, or Rx Only.
   - Profile: Name of the profile assigned to the interface.
   Transmission Information:
   - Total Transmitted: Count of LLDPDUs transmitted out the interface.
   - Dropped Transmit: Count of LLDPDUs that were not transmitted out the interface because of an error. For example, a length error when the system is constructing an LLDPDU for transmission.
   Received Information:
   - Total Received: Count of LLDP frames received on the interface.
   - Dropped TLV: Count of LLDP frames discarded upon receipt.
   - Errors: Count of TLVs that were received on the interface and contained errors. Types of TLV errors include: one or more mandatory TLVs missing, out of order, containing out-of-range information, or length error.
   - Unrecognized: Count of TLVs received on the interface that are not recognized by the LLDP local agent. For example, the TLV type is in the reserved TLV range.
   - Aged Out: Count of items deleted from the Receive MIB due to proper TTL expiration.

Step 3. View summary LLDP information for each neighbor seen on an interface.
1. Select the Peers tab.
2. (Optional) Enter a filter to restrict the information being displayed.
   - Local Interface: Interface on the firewall that detected the neighboring device.
   - Remote Chassis ID: Chassis ID of the peer. The MAC address will be used.
   - Port ID: Port ID of the peer.
   - Name: Name of peer.
   - More info: Provides the following remote peer details, which are based on the Mandatory and Optional TLVs:
     - Chassis Type: MAC address.
     - MAC Address: MAC address of the peer.
     - System Name: Name of the peer.
     - System Description: Description of the peer.
     - Port Description: Port description of the peer.
     - Port Type: Interface name.
     - Port ID: The firewall uses the interface's ifname.
     - System Capabilities: Capabilities of the system. O=Other, P=Repeater, B=Bridge, W=Wireless LAN, R=Router, T=Telephone.
     - Enabled Capabilities: Capabilities enabled on the peer.
     - Management Address: Management address of the peer.

Clear LLDP Statistics
You can clear LLDP statistics for specific interfaces.

Clear LLDP Statistics

Step 1. Clear LLDP statistics for specific interfaces.
1. Select Network > LLDP > Status and in the left-hand column, select one or more interfaces for which you want to clear LLDP statistics.
2. Click Clear LLDP Statistics at the bottom of the screen.


BFD
The firewall supports Bidirectional Forwarding Detection (BFD), a protocol that recognizes a failure in the bidirectional path between two routing peers. BFD failure detection is extremely fast, providing for a faster failover than can be achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats. Mission-critical data centers and networks that require high availability and extremely fast failover need the extremely fast failure detection that BFD provides.

- BFD Overview
- Configure BFD
- Reference: BFD Details

BFD Overview
When you enable BFD, BFD establishes a session from one endpoint (the firewall) to its BFD peer at the endpoint of a link using a three-way handshake. Control packets perform the handshake and negotiate the parameters configured in the BFD profile, including the minimum intervals at which the peers can send and receive control packets. BFD control packets for both IPv4 and IPv6 are transmitted over UDP port 3784. BFD control packets for multihop support are transmitted over UDP port 4784. BFD control packets transmitted over either port are encapsulated in the UDP packets.
After the BFD session is established, the Palo Alto Networks implementation of BFD operates in asynchronous mode, meaning both endpoints send each other control packets (which function like Hello packets) at the negotiated interval. If a peer does not receive a control packet within the detection time (calculated as the negotiated transmit interval multiplied by a Detection Time Multiplier), the peer considers the session down. (The firewall does not support demand mode, in which control packets are sent only if necessary rather than periodically.)
When you enable BFD for a static route and a BFD session between the firewall and the BFD peer fails, the firewall removes the failed route from the RIB and FIB tables and allows an alternate path with a lower priority to take over. When you enable BFD for a routing protocol, BFD notifies the routing protocol to switch to an alternate path to the peer. Thus, the firewall and BFD peer reconverge on a new path.
A BFD profile allows you to Configure BFD settings and apply them to one or more routing protocols or static routes on the firewall. If you enable BFD without configuring a profile, the firewall uses its default BFD profile (with all of the default settings). You cannot change the default BFD profile.
When an interface is running multiple protocols that use different BFD profiles, BFD uses the profile having the lowest Desired Minimum Tx Interval. See BFD for Dynamic Routing Protocols.
Active/passive HA peers synchronize BFD configurations and sessions; active/active HA peers do not.
BFD is standardized in RFC 5880. PAN-OS does not support all components of RFC 5880; see Non-Supported RFC Components of BFD.
PAN-OS also supports RFC 5881, Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop). In this case, BFD tracks a single hop between two systems that use IPv4 or IPv6, so the two systems are directly connected to each other. BFD also tracks multiple hops from peers connected by BGP. PAN-OS follows BFD encapsulation as described in RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths. However, PAN-OS does not support authentication.

- BFD Platform, Interface, and Client Support
- Non-Supported RFC Components of BFD
- BFD for Static Routes
- BFD for Dynamic Routing Protocols

BFD Platform, Interface, and Client Support
PAN-OS supports BFD on PA-3000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls. Each platform supports a maximum number of BFD sessions, as listed in the Product Selection tool.
BFD runs on physical Ethernet, Aggregated Ethernet (AE), VLAN, and tunnel interfaces (site-to-site VPN and LSVPN), and on Layer 3 subinterfaces.
Supported BFD clients are:
- Static routes (IPv4 and IPv6) consisting of a single hop
- OSPFv2 and OSPFv3 (interface types include broadcast, point-to-point, and point-to-multipoint)
- BGP IPv4 (IBGP, EBGP) consisting of a single hop or multiple hops
- RIP (single hop)

Non-Supported RFC Components of BFD
- Demand mode
- Authentication
- Sending or receiving Echo packets; however, the firewall will pass Echo packets that arrive on a virtual wire or tap interface. (BFD Echo packets have the same IP address for the source and destination.)
- Poll sequences
- Congestion control

BFD for Static Routes
To use BFD on a static route, both the firewall and the peer at the opposite end of the static route must support BFD sessions. A static route can have a BFD profile only if the Next Hop type is IP Address.
If an interface is configured with more than one static route to a peer (the BFD session has the same source IP address and same destination IP address), a single BFD session automatically handles the multiple static routes. This behavior reduces BFD sessions. If the static routes have different BFD profiles, the profile with the smallest Desired Minimum Tx Interval takes effect.
In a deployment where you want to configure BFD for a static route on a DHCP or PPPoE client interface, you must perform two commits. Enabling BFD for a static route requires that the Next Hop type must be IP Address. But at the time of a DHCP or PPPoE interface commit, the interface IP address and next hop IP address (default gateway) are unknown.
You must first enable a DHCP or PPPoE client for the interface, perform a commit, and wait for the DHCP or PPPoE server to send the firewall the client IP address and default gateway IP address. Then you can configure the static route (using the default gateway address of the DHCP or PPPoE client as the next hop), enable BFD, and perform a second commit.


BFD for Dynamic Routing Protocols
In addition to BFD for static routes, the firewall supports BFD for the BGP, OSPF, and RIP routing protocols.
The Palo Alto Networks implementation of multihop BFD follows the encapsulation portion of RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths, but does not support authentication. A workaround is to configure BFD in a VPN tunnel for BGP. The VPN tunnel can provide authentication without the duplication of BFD authentication.

When you enable BFD for OSPFv2 or OSPFv3 broadcast interfaces, OSPF establishes a BFD session only with its Designated Router (DR) and Backup Designated Router (BDR). On point-to-point interfaces, OSPF establishes a BFD session with the direct neighbor. On point-to-multipoint interfaces, OSPF establishes a BFD session with each peer.
The firewall does not support BFD on an OSPF or OSPFv3 virtual link.
Each routing protocol can have independent BFD sessions on an interface. Alternatively, two or more routing protocols (BGP, OSPF, and RIP) can share a common BFD session for an interface.
When you enable BFD for multiple protocols on the same interface, and the source IP address and destination IP address for the protocols are also the same, the protocols share a single BFD session, thus reducing both dataplane overhead (CPU) and traffic load on the interface. If you configure different BFD profiles for these protocols, only one BFD profile is used: the one that has the lowest Desired Minimum Tx Interval. If the profiles have the same Desired Minimum Tx Interval, the profile used by the first created session takes effect. In the case where a static route and OSPF share the same session, because a static session is created right after a commit, while OSPF waits until an adjacency is up, the profile of the static route takes effect.
The benefit of using a single BFD session in these cases is that this behavior uses resources more efficiently. The firewall can use the saved resources to support more BFD sessions on different interfaces or support BFD for different source IP and destination IP address pairs.
IPv4 and IPv6 on the same interface always create different BFD sessions, even though they can use the same BFD profile.


Configure BFD
This task assumes you have performed the following prerequisites:
- Configured a virtual router.
- Configured one or more static routes if you are applying BFD to static routes.
- Configured a routing protocol (BGP, OSPF, OSPFv3, or RIP) if you are applying BFD to a routing protocol.
The effectiveness of your BFD implementation depends on a variety of factors, such as traffic loads, network conditions, how aggressive your BFD settings are, and how busy the dataplane is.


Configure BFD

Step 1. Create a BFD profile.
If you change a setting in a BFD profile that an existing BFD session is using and you commit the change, before the firewall deletes that BFD session and recreates it with the new setting, the firewall sends a BFD packet with the local state set to admin down. The peer device may or may not flap the routing protocol or static route, depending on the peer's implementation of RFC 5882, Section 3.2.
1. Select Network > Network Profiles > BFD Profile and Add a Name for the BFD profile. The name is case-sensitive and must be unique on the firewall. Use only letters, numbers, spaces, hyphens, and underscores.
2. Select the Mode in which BFD operates:
   - Active: BFD initiates sending control packets to peer (default). At least one of the BFD peers must be Active; both can be Active.
   - Passive: BFD waits for peer to send control packets and responds as required.
3. Enter the Desired Minimum Tx Interval (ms). This is the minimum interval, in milliseconds, at which you want the BFD protocol (referred to as BFD) to send BFD control packets; you are thus negotiating the transmit interval with the peer. Minimum on PA-7000 and PA-5000 Series firewalls is 50; minimum on PA-3000 Series firewall is 100; minimum on VM-Series firewall is 200. Maximum is 2000; default is 1000.
   If you have multiple routing protocols that use different BFD profiles on the same interface, configure the BFD profiles with the same Desired Minimum Tx Interval.
4. Enter the Required Minimum Rx Interval (ms). This is the minimum interval, in milliseconds, at which BFD can receive BFD control packets. Minimum on PA-7000 and PA-5000 Series firewalls is 50; minimum on PA-3000 Series firewall is 100; minimum on VM-Series firewall is 200. Maximum is 2000; default is 1000.
5. Enter the Detection Time Multiplier. The transmit interval (negotiated from the Desired Minimum Tx Interval) multiplied by the Detection Time Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2-50; default is 3.
   For example, a transmit interval of 300 ms x 3 (Detection Time Multiplier) = 900 ms detection time.
   When configuring a BFD profile, take into consideration that the firewall is a session-based device typically at the edge of a network or data center and may have slower links than a dedicated router. Therefore, the firewall likely needs a longer interval and a higher multiplier than the fastest settings allowed. A detection time that is too short can cause false failure detections when the issue is really just traffic congestion.
6. Enter the Hold Time (ms). This is the delay, in milliseconds, after a link comes up before BFD transmits BFD control packets. Hold Time applies to BFD Active mode only. If BFD receives BFD control packets during the Hold Time, it ignores them. Range is 0-120000. The default is 0, which means no transmit Hold Time is used; BFD sends and receives BFD control packets immediately after the link is established.
7. (Optional) For a BGP IPv4 implementation only, configure hop-related settings for the BFD profile:
   - Select Multihop to enable BFD over BGP multihop.
   - Enter the Minimum Rx TTL. This is the minimum Time-to-Live value (number of hops) BFD will accept (receive) in a BFD control packet when BGP supports multihop BFD. (Range is 1-254; there is no default.) The firewall drops the packet if it receives a smaller TTL than its configured Minimum Rx TTL. For example, if the peer is 5 hops away, and the peer transmits a BFD packet with a TTL of 100 to the firewall, and if the Minimum Rx TTL for the firewall is set to 96 or higher, the firewall drops the packet.
8. Click OK.
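As an added example (not Palo Alto Networks code) of how the Step 1 timers combine, the following Python computes the negotiated transmit interval and the detection time described in the BFD Overview, picks the effective profile when several protocols share one session (lowest Desired Minimum Tx Interval, first-created on a tie), and applies the Minimum Rx TTL check from sub-step 7. The negotiation rule (a side transmits no faster than the larger of its own Desired Minimum Tx Interval and the peer's Required Minimum Rx Interval, and the receiver's detection time is that interval times the transmitter's multiplier) is taken from RFC 5880; the per-platform minimums, the ranges, and the 5-hop, TTL 100, Minimum Rx TTL 96 example are the guide's own values; the profile names are constructed.

```python
"""BFD timer negotiation, detection time, profile selection, multihop TTL check.

Added example, not Palo Alto Networks code. Negotiation follows RFC 5880
section 6.8.4; platform minimums, ranges and the TTL example are the page's
values. Profile names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Lowest allowed Desired Min Tx / Required Min Rx per platform (ms), from Step 1.
PLATFORM_MIN_MS = {"PA-7000": 50, "PA-5000": 50, "PA-3000": 100, "VM-Series": 200}


@dataclass(frozen=True)
class BfdProfile:
    name: str
    desired_min_tx_ms: int = 1000      # default 1000, max 2000
    required_min_rx_ms: int = 1000     # default 1000, max 2000
    detection_multiplier: int = 3      # range 2-50, default 3
    hold_time_ms: int = 0              # range 0-120000, default 0
    multihop: bool = False             # BGP IPv4 only
    min_rx_ttl: Optional[int] = None   # range 1-254, no default; used with multihop

    def validate(self, platform: str) -> None:
        """Raise ValueError if a value is outside the range the guide allows."""
        lo = PLATFORM_MIN_MS[platform]
        for v in (self.desired_min_tx_ms, self.required_min_rx_ms):
            if not lo <= v <= 2000:
                raise ValueError(f"{self.name}: interval {v} ms outside {lo}-2000 on {platform}")
        if not 2 <= self.detection_multiplier <= 50:
            raise ValueError(f"{self.name}: Detection Time Multiplier outside 2-50")
        if not 0 <= self.hold_time_ms <= 120000:
            raise ValueError(f"{self.name}: Hold Time outside 0-120000")
        if self.min_rx_ttl is not None and not 1 <= self.min_rx_ttl <= 254:
            raise ValueError(f"{self.name}: Minimum Rx TTL outside 1-254")


def profile_is_valid(profile: BfdProfile, platform: str) -> bool:
    try:
        profile.validate(platform)
        return True
    except ValueError:
        return False


def negotiated_tx_interval_ms(local: BfdProfile, peer_required_min_rx_ms: int) -> int:
    """Interval at which the local side actually transmits after the handshake."""
    return max(local.desired_min_tx_ms, peer_required_min_rx_ms)


def detection_time_ms(local: BfdProfile, peer: BfdProfile) -> int:
    """Time after which the LOCAL side declares the session down.

    The peer transmits at max(peer Desired Min Tx, local Required Min Rx); the
    local side waits the peer's multiplier times that interval.
    """
    peer_tx = negotiated_tx_interval_ms(peer, local.required_min_rx_ms)
    return peer_tx * peer.detection_multiplier


def effective_profile(profiles_in_creation_order: List[BfdProfile]) -> BfdProfile:
    """Protocols sharing one session: lowest Desired Min Tx wins; a tie keeps the first-created."""
    return min(profiles_in_creation_order, key=lambda p: p.desired_min_tx_ms)  # min() keeps the first on ties


def ttl_on_arrival(sent_ttl: int, hops: int) -> int:
    """Each router on the path decrements the IP TTL by one."""
    return sent_ttl - hops


def accept_multihop_packet(local: BfdProfile, received_ttl: int) -> bool:
    """Drop a multihop control packet whose TTL is below the configured Minimum Rx TTL."""
    if not local.multihop or local.min_rx_ttl is None:
        return True
    return received_ttl >= local.min_rx_ttl


if __name__ == "__main__":
    fw = BfdProfile("fw-edge", 300, 300, 3)
    rtr = BfdProfile("peer-router", 300, 300, 3)
    print(detection_time_ms(fw, rtr))                       # 900, the guide's example
    bgp = BfdProfile("bgp-multihop", multihop=True, min_rx_ttl=96)
    print(accept_multihop_packet(bgp, ttl_on_arrival(100, 5)))  # False: 95 < 96
```

The asymmetric case is the one worth checking before a change window: if the firewall's Required Minimum Rx Interval is 1000 ms, a peer configured for 300 ms still ends up transmitting every 1000 ms, so the firewall's detection time is 3000 ms with the default multiplier, not the 900 ms the peer's profile suggests.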

Step 2. (Optional) Enable BFD for a static route. Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
1. Select Network > Virtual Routers and select the virtual router where the static route is configured.
2. Select the Static Routes tab.
3. Select the IPv4 or IPv6 tab.
4. Select the static route where you want to apply BFD.
5. Select an Interface (even if you are using a DHCP address). The Interface setting cannot be None.
6. For Next Hop, select IP Address and enter the IP address if not already specified.
7. For BFD Profile, select one of the following:
   - default: Uses only default settings.
   - A BFD profile you configured: See Create a BFD profile.
   - New BFD Profile: Allows you to Create a BFD profile.
   Selecting None (Disable BFD) disables BFD for this static route.
8. Click OK.
A BFD column on the IPv4 or IPv6 tab indicates the BFD profile configured for the static route.


Step 3. (Optional) Enable BFD for all BGP interfaces or for a single BGP peer.
If you enable or disable BFD globally, all interfaces running BGP will be taken down and brought back up with the BFD function. This can disrupt all BGP traffic. When you enable BFD on the interface, the firewall stops the BGP connection to the peer to program BFD on the interface. The peer device sees the BGP connection drop, which can result in a reconvergence. Enable BFD for BGP interfaces during an off-peak time when a reconvergence will not impact production traffic.
1. Select Network > Virtual Routers and select the virtual router where BGP is configured.
2. Select the BGP tab.
3. (Optional) To apply BFD to all BGP interfaces on the virtual router, in the BFD drop-down, select one of the following and click OK:
   - default: Uses only default settings.
   - A BFD profile you configured: See Create a BFD profile.
   - New BFD Profile: Allows you to Create a BFD profile.
   Selecting None (Disable BFD) disables BFD for all BGP interfaces on the virtual router; you cannot enable BFD for a single BGP interface.
4. (Optional) To enable BFD for a single BGP peer interface (thereby overriding the BFD setting for BGP as long as it is not disabled), perform the following tasks:
   a. Select the Peer Group tab.
   b. Select a peer group.
   c. Select a peer.
   d. In the BFD drop-down, select one of the following:
      - default: Uses only default settings.
      - Inherit-vr-global-setting (default): The BGP peer inherits the BFD profile that you selected globally for BGP for the virtual router.
      - A BFD profile you configured: See Create a BFD profile.
      Selecting Disable BFD disables BFD for the BGP peer.
   e. Click OK.
5. Click OK.
A BFD column on the BGP Peer Group/Peer list indicates the BFD profile configured for the interface.


Step 4. (Optional) Enable BFD for OSPF or OSPFv3 globally or for an OSPF interface.
1. Select Network > Virtual Routers and select the virtual router where OSPF or OSPFv3 is configured.
2. Select the OSPF or OSPFv3 tab.
3. (Optional) In the BFD drop-down, select one of the following to enable BFD for all OSPF or OSPFv3 interfaces and click OK:
   - default: Uses only default settings.
   - A BFD profile you configured: See Create a BFD profile.
   - New BFD Profile: Allows you to Create a BFD profile.
   Selecting None (Disable BFD) disables BFD for all OSPF interfaces on the virtual router; you cannot enable BFD for a single OSPF interface.
4. (Optional) To enable BFD on a single OSPF peer interface (and thereby override the BFD setting for OSPF, as long as it is not disabled), perform the following tasks:
   a. Select the Areas tab and select an area.
   b. On the Interface tab, select an interface.
   c. In the BFD drop-down, select one of the following to configure BFD for the specified OSPF peer:
      - default: Uses only default settings.
      - Inherit-vr-global-setting (default): OSPF peer inherits the BFD setting for OSPF or OSPFv3 for the virtual router.
      - A BFD profile you configured: See Create a BFD profile.
      Selecting Disable BFD disables BFD for the OSPF or OSPFv3 interface.
   d. Click OK.
5. Click OK.
A BFD column on the OSPF Interface tab indicates the BFD profile configured for the interface.


Step 5. (Optional) Enable BFD for RIP globally or for a single RIP interface.
1. Select Network > Virtual Routers and select the virtual router where RIP is configured.
2. Select the RIP tab.
3. (Optional) In the BFD drop-down, select one of the following to enable BFD for all RIP interfaces on the virtual router and click OK:
   - default: Uses only default settings.
   - A BFD profile you configured: See Create a BFD profile.
   - New BFD Profile: Allows you to Create a BFD profile.
   Selecting None (Disable BFD) disables BFD for all RIP interfaces on the virtual router; you cannot enable BFD for a single RIP interface.
4. (Optional) To enable BFD for a single RIP interface (and thereby override the BFD setting for RIP, as long as it is not disabled), perform the following tasks:
   a. Select the Interfaces tab and select an interface.
   b. In the BFD drop-down, select one of the following:
      - default: Uses only default settings.
      - Inherit-vr-global-setting (default): RIP interface inherits the BFD profile that you selected for RIP globally for the virtual router.
      - A BFD profile you configured: See Create a BFD profile.
      Selecting None (Disable BFD) disables BFD for the RIP interface.
   c. Click OK.
5. Click OK.
The BFD column on the Interface tab indicates the BFD profile configured for the interface.

Step 6. Save the configuration.
Click Commit.

Step 7. View BFD summary and details.
1. Select Network > Virtual Routers, find the virtual router you are interested in, and click More Runtime Stats.
2. Select the BFD Summary Information tab to see summary information, such as BFD state and runtime statistics.
3. (Optional) Select details in the row of the interface you are interested in to view Reference: BFD Details.

Step 8. Monitor BFD profiles referenced by a routing configuration; monitor BFD statistics, status, and state.
Use the following CLI operational commands:
show routing bfd active-profile [<name>]
show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>]
show routing bfd drop-counters session-id <session-id>
show counter global | match bfd

Step 9. (Optional) Clear BFD transmit, receive, and drop counters.
clear routing bfd counters session-id all | <1-1024>

Step 10. (Optional) Clear BFD sessions for debugging.
clear routing bfd session-state session-id all | <1-1024>

PaloAltoNetworks,Inc.

Networking

Reference: BFD Details
To see the following information for a virtual router, you can View BFD summary and details.

Name | Value (Example) | Description
Session ID | | ID number of the BFD session.
Interface | ethernet1/12 | Interface you selected where BFD is running.
Protocol | STATIC(IPV4) OSPF | Static route (IP address family of static route) and/or dynamic routing protocol that is running BFD on the interface.
Local IP Address | 10.55.55.2 | IP address of interface.
Neighbor IP Address | 10.55.55.1 | IP address of BFD neighbor.
BFD Profile | default* (This BFD session has multiple BFD profiles. Lowest Desired Minimum Tx Interval (ms) is used to select the effective profile.) | Name of BFD profile applied to the interface. Because the sample interface has both a static route and OSPF running BFD with different profiles, the firewall uses the profile with the lowest Desired Minimum Tx Interval. In this example, the profile used is the default profile.
State (local/remote) | up/up | BFD states of the local and remote BFD peers. Possible states are admin down, down, init, and up.
Up Time | 2h 36m 21s 419ms | Length of time BFD has been up (hours, minutes, seconds, and milliseconds).
Discriminator (local/remote) | 1391591427/1 | Discriminators for local and remote BFD peers.
Mode | Active | Mode in which BFD is configured on the interface: Active or Passive.
Demand Mode | Disabled | PAN-OS does not support BFD Demand Mode, so it is always in Disabled state.
Multihop | Disabled | BFD multihop: Enabled or Disabled.
Multihop TTL | | TTL of multihop; range is 1-254. Field is empty if Multihop is disabled.
Local Diag Code | 0 (No Diagnostic) | Diagnostic codes indicating the reason for the local system's last change in state: 0 No Diagnostic; 1 Control Detection Time Expired; 2 Echo Function Failed; 3 Neighbor Signaled Session Down; 4 Forwarding Plane Reset; 5 Path Down; 6 Concatenated Path Down; 7 Administratively Down; 8 Reverse Concatenated Path Down.
Last Received Remote Diag Code | 0 (No Diagnostic) | Diagnostic code last received from BFD peer.
Transmit Hold Time | 0 ms | Hold time (in milliseconds) after a link comes up before BFD transmits BFD control packets. A hold time of 0 ms means to transmit immediately. Range is 0-120000 ms.
Received Min Rx Interval | 1000 ms | Minimum Rx interval received from the peer; the interval at which the BFD peer can receive control packets. Maximum is 2000 ms.
Negotiated Transmit Interval | 1000 ms | Transmit interval (in milliseconds) that the BFD peers have agreed to send BFD control packets to each other. Maximum is 2000 ms.
Received Multiplier | | Detection time multiplier value received from the BFD peer. The Transmit Time multiplied by the Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2-50.
Detect Time (exceeded) | 3000 ms (0) | Calculated detection time (Negotiated Transmit Interval multiplied by Multiplier) and the number of milliseconds the detection time is exceeded.
Tx Control Packets (last) | 9383 (420 ms ago) | Number of BFD control packets transmitted (and length of time since BFD transmitted the most recent control packet).
Rx Control Packets (last) | 9384 (407 ms ago) | Number of BFD control packets received (and length of time since BFD received the most recent control packet).
Agent Data Plane | Slot 1 DP 0 | On PA-7000 Series firewalls, the dataplane CPU that is assigned to handle packets for this BFD session.
Errors | | Number of BFD errors.

Last Packet Causing State Change (the fields below describe that packet):
Version | | BFD version.
Poll Bit | | BFD poll bit; 0 indicates not set.
Desired Min Tx Interval | 1000 ms | Desired minimum transmit interval of last packet causing state change.
Required Min Rx Interval | 1000 ms | Required minimum receive interval of last packet causing state change.
Detect Multiplier | | Detect Multiplier of last packet causing state change.
My Discriminator | | Remote discriminator. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Your Discriminator | 1391591427 | Local discriminator. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Diagnostic Code | 0 (No Diagnostic) | Diagnostic code of last packet causing state change.
Length | 24 | Length of BFD control packet in bytes.
Demand Bit | | PAN-OS does not support BFD Demand mode, so Demand Bit is always set to 0 (disabled).
Final Bit | | PAN-OS does not support the Poll Sequence, so Final Bit is always set to 0 (disabled).
Multipoint Bit | | This bit is reserved for future point-to-multipoint extensions to BFD. It must be zero on both transmit and receipt.
Control Plane Independent Bit | 1 | If set to 1, the transmitting system's BFD implementation does not share fate with its control plane (i.e., BFD is implemented in the forwarding plane and can continue to function through disruptions in the control plane). In PAN-OS, this bit is always set to 1. If set to 0, the transmitting system's BFD implementation shares fate with its control plane.
Authentication Present Bit | 0 | PAN-OS does not support BFD Authentication, so the Authentication Present Bit is always set to 0.
Required Min Echo Rx Interval | 0 ms | PAN-OS does not support the BFD Echo function, so this will always be 0 ms.
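The fields listed under Last Packet Causing State Change are the mandatory section of an RFC 5880 BFD Control packet, and Detect Time is the received Detect Multiplier times the negotiated transmit interval. The following Python is an added example, not PAN-OS or Palo Alto Networks code: it decodes that 24-byte section into the fields the table lists, computes Detect Time the way the table describes, and rejects truncated or inconsistent packets. The sample bytes are constructed to mirror the table's example values (discriminators 1391591427 and 1, 1000 ms intervals, Length 24, Control Plane Independent bit set).

```python
import struct
from dataclasses import dataclass

# Diagnostic codes, as listed under Local Diag Code in the reference table.
DIAG_CODES = {
    0: "No Diagnostic", 1: "Control Detection Time Expired",
    2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
    4: "Forwarding Plane Reset", 5: "Path Down",
    6: "Concatenated Path Down", 7: "Administratively Down",
    8: "Reverse Concatenated Path Down",
}
STATES = {0: "admin down", 1: "down", 2: "init", 3: "up"}

# Mandatory section of a BFD Control packet (RFC 5880 section 4.1), 24 bytes:
# Vers|Diag, Sta|P|F|C|A|D|M, Detect Mult, Length, then five 32-bit fields.
MANDATORY = struct.Struct("!BBBBIIIII")


@dataclass
class BfdControl:
    version: int
    diag: int
    state: int
    poll: int
    final: int
    control_plane_independent: int
    auth_present: int
    demand: int
    multipoint: int
    detect_mult: int
    length: int
    my_discriminator: int
    your_discriminator: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int

    def diag_text(self) -> str:
        # Same presentation as the table, e.g. "0 (No Diagnostic)".
        return "%d (%s)" % (self.diag, DIAG_CODES.get(self.diag, "Reserved"))

    def state_text(self) -> str:
        return STATES.get(self.state, "unknown")


def parse_bfd_control(data: bytes) -> BfdControl:
    """Decode the mandatory section; reject truncated or inconsistent packets."""
    if len(data) < MANDATORY.size:
        raise ValueError("packet shorter than the 24-byte mandatory section")
    b0, b1, mult, length, my_d, your_d, tx, rx, echo = MANDATORY.unpack_from(data)
    if length != len(data):
        raise ValueError("Length field %d != %d bytes received" % (length, len(data)))
    if mult == 0 or my_d == 0:
        raise ValueError("Detect Mult and My Discriminator must be nonzero")
    return BfdControl(
        version=b0 >> 5, diag=b0 & 0x1F,
        state=b1 >> 6, poll=(b1 >> 5) & 1, final=(b1 >> 4) & 1,
        control_plane_independent=(b1 >> 3) & 1, auth_present=(b1 >> 2) & 1,
        demand=(b1 >> 1) & 1, multipoint=b1 & 1,
        detect_mult=mult, length=length,
        my_discriminator=my_d, your_discriminator=your_d,
        desired_min_tx_us=tx, required_min_rx_us=rx, required_min_echo_rx_us=echo,
    )


def build_bfd_control(state=3, diag=0, detect_mult=3, my_disc=1, your_disc=1,
                      tx_us=1_000_000, rx_us=1_000_000, echo_us=0,
                      cpi=1, poll=0, final=0, auth=0, demand=0, multipoint=0) -> bytes:
    """Encode a version-1 packet; used here only to construct sample input."""
    b0 = (1 << 5) | (diag & 0x1F)
    b1 = ((state & 3) << 6 | poll << 5 | final << 4 | cpi << 3
          | auth << 2 | demand << 1 | multipoint)
    return MANDATORY.pack(b0, b1, detect_mult, MANDATORY.size,
                          my_disc, your_disc, tx_us, rx_us, echo_us)


def detect_time_ms(received: BfdControl, local_required_min_rx_us: int) -> int:
    """Detect Time as the table defines it: the peer's Detect Multiplier times the
    negotiated transmit interval (the larger of the peer's Desired Min TX and our
    own Required Min RX), converted from microseconds to milliseconds."""
    negotiated_us = max(received.desired_min_tx_us, local_required_min_rx_us)
    return received.detect_mult * negotiated_us // 1000


# Constructed sample mirroring the table: the packet came from the peer, so My
# Discriminator is the remote value (1) and Your Discriminator the local one.
SAMPLE_PACKET = build_bfd_control(my_disc=1, your_disc=1391591427)

if __name__ == "__main__":
    pkt = parse_bfd_control(SAMPLE_PACKET)
    print(pkt)
    print("state:", pkt.state_text(), "diag:", pkt.diag_text())
    print("detect time:", detect_time_ms(pkt, 1_000_000), "ms")
```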

Policy
Policies allow you to enforce rules and take action. The different types of policy rules that you can create on the firewall are: Security, NAT, Quality of Service (QoS), Policy Based Forwarding (PBF), Decryption, Application Override, Captive Portal, Denial of Service (DoS), and Zone protection policies. All these different policies work together to allow, deny, prioritize, forward, encrypt, decrypt, make exceptions, authenticate access, and reset connections as needed to help secure your network. The following topics describe how to work with policy:

Policy Types
Security Policy
Policy Objects
Security Profiles
Best Practice Internet Gateway Security Policy
Enumeration of Rules Within a Rulebase
Move or Clone a Policy Rule or Object to a Different Virtual System
Use Tags to Group and Visually Distinguish Objects
Use an External Dynamic List in Policy
Register IP Addresses and Tags Dynamically
Monitor Changes in the Virtual Environment
CLI Commands for Dynamic IP Addresses and Tags
Identify Users Connected through a Proxy Server
Policy Based Forwarding
DoS Protection Against Flooding of New Sessions

Policy Types
The Palo Alto Networks next-generation firewall supports a variety of policy types that work together to safely enable applications on your network.

Security
    Determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. For more details, see Security Policy.
NAT
    Instruct the firewall which packets need translation and how to do the translation. The firewall supports both source address and/or port translation and destination address and/or port translation. For more details, see NAT.
QoS
    Identify traffic requiring QoS treatment (either preferential treatment or bandwidth-limiting) using a defined parameter or multiple parameters and assign it a class. For more details, see Quality of Service.
Policy Based Forwarding
    Identify traffic that should use a different egress interface than the one that would normally be used based on the routing table. For details, see Policy Based Forwarding.
Decryption
    Identify encrypted traffic that you want to inspect for visibility, control, and granular security. For more details, see Decryption.
Application Override
    Identify sessions that you do not want processed by the App-ID engine, which is a Layer-7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4. For more details, see Manage Custom or Unknown Applications.
Captive Portal
    Identify traffic that requires the user to be known. The captive portal policy is only triggered if other User-ID mechanisms did not identify a user to associate with the source IP address. For more details, see Captive Portal.
DoS Protection
    Identify potential denial-of-service (DoS) attacks and take protective action in response to rule matches. For more details, see DoS Protection Profiles.

Security Policy
Security policy protects network assets from threats and disruptions and aids in optimally allocating network resources for enhancing productivity and efficiency in business processes. On the Palo Alto Networks firewall, individual security policy rules determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.

All traffic passing through the firewall is matched against a session and each session is matched against a security policy. When a session match occurs, the security policy is applied to bidirectional traffic (client to server and server to client) in that session. For traffic that doesn't match any defined rules, the default rules apply. The default rules, displayed at the bottom of the security rulebase, are predefined to allow all intrazone (within the zone) traffic and deny all interzone (between zones) traffic. Although these rules are part of the predefined configuration and are read-only by default, you can override them and change a limited number of settings, including the tags, action (allow or block), log settings, and security profiles.

Security policies are evaluated left to right and from top to bottom. A packet is matched against the first rule that meets the defined criteria; after a match is triggered the subsequent rules are not evaluated. Therefore, the more specific rules must precede more generic ones in order to enforce the best match criteria. Traffic that matches a rule generates a log entry at the end of the session in the traffic log, if logging is enabled for that rule. The logging options are configurable for each rule, and can for example be configured to log at the start of a session instead of, or in addition to, logging at the end of a session.

Components of a Security Policy Rule
Security Policy Actions
Create a Security Policy Rule

Components of a Security Policy Rule
The security policy rule construct permits a combination of the required and optional fields as detailed in the following tables:

Required Fields
Optional Fields


Required Fields

Name
    A label that supports up to 31 characters, used to identify the rule.
Rule Type
    Specifies whether the rule applies to traffic within a zone, between zones, or both:
    - universal (default): Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, and all traffic from zone A to zone B and all traffic from zone B to zone A.
    - intrazone: Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.
    - interzone: Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not traffic within zones A, B, or C.
Source Zone
    The zone from which the traffic originates.
Destination Zone
    The zone at which the traffic terminates. If you use NAT, make sure to always reference the post-NAT zone.
Application
    The application which you wish to control. The firewall uses App-ID, the traffic classification technology, to identify traffic on your network. App-ID provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed.
Action
    Specifies an Allow or Block action for the traffic based on the criteria you define in the rule. When you configure the firewall to block traffic, it either resets the connection or silently drops packets. To provide a better user experience, you can configure granular options to block traffic instead of silently dropping packets, which can cause some applications to break and appear unresponsive to the user. For more details, see Security Policy Actions.
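The Rule Type semantics above and the top-to-bottom first-match evaluation described under Security Policy can be modeled directly. The following Python is an added example, not PAN-OS code or the firewall's actual matching logic: zone names, rule names and addresses are constructed, and the fall-through mirrors the predefined intrazone-default (allow) and interzone-default (deny) rules. It also flags a rule that a broader earlier rule makes unreachable, which is the ordering problem the text warns about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Sequence, Set, Tuple

ANY = "any"


@dataclass
class Rule:
    name: str
    rule_type: str              # "universal", "intrazone" or "interzone"
    from_zones: Set[str]        # Source Zone(s)
    to_zones: Set[str]          # Destination Zone(s); unused for intrazone rules
    source: Sequence[str]       # Source IP prefixes, or [ANY]
    destination: Sequence[str]  # Destination IP prefixes, or [ANY]
    applications: Set[str]      # App-IDs, or {ANY}
    action: str                 # "allow", "deny", "drop", "reset-client", ...


def zone_match(rule: Rule, src_zone: str, dst_zone: str) -> bool:
    """Rule Type semantics from the Required Fields table."""
    if rule.rule_type == "intrazone":
        # Only traffic that stays inside one of the listed source zones.
        return src_zone == dst_zone and src_zone in rule.from_zones
    if rule.rule_type == "interzone":
        # Only traffic crossing from a listed source zone to a listed destination zone.
        return (src_zone != dst_zone and src_zone in rule.from_zones
                and dst_zone in rule.to_zones)
    # universal: every pairing of the listed source and destination zones.
    return src_zone in rule.from_zones and dst_zone in rule.to_zones


def addr_match(addr: str, prefixes: Sequence[str]) -> bool:
    if list(prefixes) == [ANY]:
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(p, strict=False) for p in prefixes)


def match_rule(rules: List[Rule], src_zone: str, dst_zone: str,
               src_ip: str, dst_ip: str, app: str) -> Tuple[str, str]:
    """Top-to-bottom first match; rules below the match are never evaluated.

    Unmatched traffic falls through to the predefined default rules:
    intrazone-default allows traffic within a zone, interzone-default
    denies traffic between zones.
    """
    for rule in rules:
        if (zone_match(rule, src_zone, dst_zone)
                and addr_match(src_ip, rule.source)
                and addr_match(dst_ip, rule.destination)
                and (ANY in rule.applications or app in rule.applications)):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule of the same
    type with 'any' addresses already covers their zones and applications."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.rule_type == later.rule_type
                    and later.from_zones <= earlier.from_zones
                    and later.to_zones <= earlier.to_zones
                    and list(earlier.source) == [ANY]
                    and list(earlier.destination) == [ANY]
                    and (ANY in earlier.applications
                         or later.applications <= earlier.applications)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rulebase: zone names, rule names and addresses are illustrative.
# The specific resolver allow sits above the broad DNS deny on purpose.
RULEBASE = [
    Rule("allow-dns-to-resolvers", "interzone", {"trust"}, {"untrust"},
         [ANY], ["198.51.100.53/32"], {"dns"}, "allow"),
    Rule("block-other-dns", "interzone", {"trust"}, {"untrust"},
         [ANY], [ANY], {"dns"}, "deny"),
    Rule("allow-web", "universal", {"trust"}, {"untrust"},
         ["10.0.0.0/8"], [ANY], {"web-browsing", "ssl"}, "allow"),
    Rule("allow-within-internal", "intrazone", {"trust", "dmz"}, set(),
         [ANY], [ANY], {ANY}, "allow"),
]
# The same rules with the two DNS rules swapped: the resolver allow becomes unreachable.
MISORDERED = [RULEBASE[1], RULEBASE[0]] + RULEBASE[2:]

if __name__ == "__main__":
    flows = [
        ("trust", "untrust", "10.1.1.5", "198.51.100.53", "dns"),
        ("trust", "untrust", "10.1.1.5", "203.0.113.9", "dns"),
        ("trust", "dmz", "10.1.1.5", "172.16.0.10", "web-browsing"),
        ("dmz", "dmz", "172.16.0.10", "172.16.0.11", "ssh"),
    ]
    for flow in flows:
        print(flow, "->", match_rule(RULEBASE, *flow))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```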

Optional Fields

Tag
    A keyword or phrase that allows you to filter security rules. This is handy when you have defined many rules and wish to then review those that are tagged with a keyword such as IT-sanctioned applications or High-risk applications.
Description
    A text field, up to 255 characters, used to describe the rule.
Source IP Address
    Define host IP or FQDN, subnet, named groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
Destination IP Address
    The location or destination for the traffic. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
User
    The user or group of users for whom the policy applies. You must have User-ID enabled on the zone. To enable User-ID, see User-ID Overview.
URL Category
    Using the URL Category as match criteria allows you to customize security profiles (Antivirus, Anti-Spyware, Vulnerability, File-Blocking, Data Filtering, and DoS) on a per-URL-category basis. For example, you can prevent .exe file download/upload for URL categories that represent higher risk while allowing them for other categories. This functionality also allows you to attach schedules to specific URL categories (allow social-media websites during lunch & after hours), mark certain URL categories with QoS (financial, medical, and business), and select different log forwarding profiles on a per-URL-category basis.
    Although you can manually configure URL categories on your firewall, to take advantage of the dynamic URL categorization updates available on the Palo Alto Networks firewalls, you must purchase a URL filtering license.
    To block or allow traffic based on URL category, you must apply a URL Filtering profile to the security policy rules. Define the URL Category as Any and attach a URL Filtering profile to the security policy. See Define Basic Security Policy Rules for information on using the default profiles in your security policy and see Control Access to Web Content for more details.
Service
    Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application. For example, for applications with well-known port numbers such as DNS, the application-default option will match against DNS traffic only on TCP port 53. You can also add a custom application and define the ports that the application can use.
    For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the firewall still checks for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols.
Security Profiles
    Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are only evaluated for rules that have an allow action.
HIP Profile (for GlobalProtect)
    Allows you to identify clients with Host Information Profile (HIP) and then enforce access privileges.
Options
    Allow you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect.

Security Policy Actions
For traffic that matches the attributes defined in a security policy, you can apply the following actions:

Allow (default action)
    Allows the traffic.
Deny
    Blocks traffic and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications or check the application details in Applipedia.
Drop
    Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
    For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP Unreachable check box. When enabled, the firewall sends the ICMP code for "communication with the destination is administratively prohibited" (ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1).
Reset client
    Sends a TCP reset to the client-side device.
Reset server
    Sends a TCP reset to the server-side device.
Reset both
    Sends a TCP reset to both the client-side and server-side devices.
    A reset is sent only after a session is formed. If the session is blocked before a 3-way handshake is completed, the firewall will not send the reset.
    For a TCP session with a reset action, the firewall does not send an ICMP Unreachable response.
    For a UDP session with a drop or reset action, if the ICMP Unreachable check box is selected, the firewall sends an ICMP message to the client.

Create a Security Policy Rule

Step 1: (Optional) Delete the default security policy rule.
    By default, the firewall includes a security rule named rule1 that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone-naming conventions.

Step 2: Add a rule.
    1. Select Policies > Security and click Add.
    2. Enter a descriptive Name for the rule in the General tab.
    3. Select a Rule Type.

Step 3: Define the matching criteria for the source fields in the packet.
    1. In the Source tab, select a Source Zone.
    2. Specify a Source IP Address or leave the value set to any.
    3. Specify a Source User or leave the value set to any.

Step 4: Define the matching criteria for the destination fields in the packet.
    4. In the Destination tab, set the Destination Zone.
    5. Specify a Destination IP Address or leave the value set to any.
       As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.

Step 5: Specify the application the rule will allow or block.
    As a best practice, always use application-based security policy rules instead of port-based rules and always set the Service to application-default unless you are using a more restrictive list of ports than the standard ports for an application.
    1. In the Applications tab, Add the Application to safely enable. You can select multiple applications, or use application groups or application filters.
    2. In the Service/URL Category tab, keep the Service set to application-default to ensure that any applications the rule allows are only allowed on their standard ports.

Step 6: (Optional) Specify a URL category as match criteria for the rule.
    In the Service/URL Category tab, select the URL Category.
    If you select a URL category, only web traffic will match the rule and only if the traffic is to the specified category.

Step 7: Define what action you want the firewall to take for traffic that matches the rule.
    In the Actions tab, select an Action. See Security Policy Actions for a description of each action.

Step 8: Configure the log settings.
    By default, the rule is set to Log at Session End. You can clear this setting if you don't want any logs generated when traffic matches this rule, or select Log at Session Start for more detailed logging.
    Select a Log Forwarding profile.

Step 9: Attach security profiles to enable the firewall to scan all allowed traffic for threats.
    See Create Best Practice Security Profiles to learn how to create security profiles that protect your network from both known and unknown threats.
    In the Actions tab, select Profiles from the Profile Type drop-down and then select the individual security profiles to attach to the rule. Alternatively, select Group from the Profile Type drop-down and select a security Group Profile to attach.

Step 10: Save the policy rule to the running configuration on the firewall.
    Click Commit.

Step 11: To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.
    To verify the policy rule that matches a flow, use the following CLI command:
        test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> protocol <protocol_number>
    The output displays the best rule that matches the source and destination IP address specified in the CLI command.
    For example, to verify the policy rule that will be applied for a server in the data center with the IP address 208.90.56.11 when it accesses the Microsoft update server:
        test security-policy-match source 208.80.56.11 destination 176.9.45.70 destination-port 80 protocol 6
        "Updates-DC to Internet" {
            from data_center_applications;
            source any;
            source-region any;
            to untrust;
            destination any;
            destination-region any;
            user any;
            category any;
            application/service[dns/tcp/any/53 dns/udp/any/53 dns/udp/any/5353 ms-update/tcp/any/80 ms-update/tcp/any/443];
            action allow;
            terminal yes;


Policy Objects
A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs, applications, or users. With policy objects that are a collective unit, you can reference the object in security policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you group objects that require similar permissions in policy. For example, if your organization uses a set of server IP addresses for authenticating users, you can group the set of server IP addresses as an address group policy object and reference the address group in the security policy. By grouping objects, you can significantly reduce the administrative overhead in creating policies.
You can create the following policy objects on the firewall:

Address/Address Group, Region
    Allow you to group specific source or destination addresses that require the same policy enforcement. The address object can include an IPv4 or IPv6 address (single IP, range, subnet) or the FQDN. Alternatively, a region can be defined by the latitude and longitude coordinates or you can select a country and define an IP address or IP range. You can then group a collection of address objects to create an address group object.
    You can also use dynamic address groups to dynamically update IP addresses in environments where host IP addresses change frequently.
User/User Group
    Allow you to create a list of users from the local database or an external database and group them.
Application Group and Application Filter
    An Application Filter allows you to filter applications dynamically. It allows you to filter, and save a group of applications using the attributes defined in the application database on the firewall. For example, you can Create an Application Filter by one or more attributes: category, subcategory, technology, risk, characteristics. With an application filter, when a content update occurs, any new applications that match your filter criteria are automatically added to your saved application filter.
    An Application Group allows you to create a static group of specific applications that you want to group together for a group of users or for a particular service, or to achieve a particular policy goal. See Create an Application Group.
Service/Service Groups
    Allows you to specify the source and destination ports and protocol that a service can use. The firewall includes two predefined services, service-http and service-https, that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can, however, create any custom service on any TCP/UDP port of your choice to restrict application usage to specific ports on your network (in other words, you can define the default port for the application).
    To view the standard ports used by an application, in Objects > Applications search for the application and click the link. A succinct description displays.

Security Profiles
While security policy rules enable you to allow or block traffic on your network, security profiles help you define an allow but scan rule, which scans allowed applications for threats, such as viruses, malware, spyware, and DDoS attacks. When traffic matches the allow rule defined in the security policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering.
Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy.

The firewall provides default security profiles that you can use out of the box to begin protecting your network from threats. See Set Up a Basic Security Policy for information on using the default profiles in your security policy. As you get a better understanding about the security needs on your network, you can create custom profiles. See Scan Traffic for Threats for more information.
For recommendations on the best-practice settings for security profiles, see Create Best Practice Security Profiles.

You can add security profiles that are commonly applied together to a Security Profile Group; this set of profiles can be treated as a unit and added to security policies in one step (or included in security policies by default, if you choose to set up a default security profile group).
The following topics provide more detailed information about each type of security profile and how to set up a security profile group:

Antivirus Profiles
Anti-Spyware Profiles
Vulnerability Protection Profiles
URL Filtering Profiles
Data Filtering Profiles
File Blocking Profiles
WildFire Analysis Profiles
DoS Protection Profiles
Zone Protection Profiles
Security Profile Group

Antivirus Profiles
Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses, including support for scanning inside compressed files and data encoding schemes. If you have enabled Decryption on the firewall, the profile also enables scanning of decrypted content.
The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols. You can configure the action for a decoder or Antivirus signature and specify how the firewall responds to a threat event:

Default
    For each threat signature and Antivirus signature that is defined by Palo Alto Networks, a default action is specified internally. Typically, the default action is an alert or a reset-both. The default action is displayed in parenthesis, for example default (alert), in the threat or Antivirus signature.
Allow
    Permits the application traffic.
Alert
    Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop
    Drops the application traffic.
Reset Client
    For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server
    For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both
    For TCP, resets the connection on both client and server ends. For UDP, drops the connection.

Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
The Palo Alto Networks WildFire system also provides signatures for persistent threats that are more evasive and have not yet been discovered by other antivirus solutions. As threats are discovered by WildFire, signatures are quickly created and then integrated into the standard Antivirus signatures that can be downloaded by Threat Prevention subscribers on a daily basis (sub-hourly for WildFire subscribers).

AntiSpywareProfiles
AntiSpywareprofilesblocksspywareoncompromisedhostsfromtryingtophonehomeorbeaconoutto
externalcommandandcontrol(C2)servers,allowingyoutodetectmalicioustrafficleavingthenetwork
frominfectedclients.Youcanapplyvariouslevelsofprotectionbetweenzones.Forexample,youmaywant
tohavecustomAntiSpywareprofilesthatminimizeinspectionbetweentrustedzones,whilemaximizing
inspectionontrafficreceivedfromanuntrustedzone,suchasInternetfacingzones.
YoucandefineyourowncustomAntiSpywareprofiles,orchooseoneofthefollowingpredefinedprofiles
whenapplyingAntiSpywaretoaSecuritypolicyrule:

DefaultUsesthedefaultactionforeverysignature,asspecifiedbyPaloAltoNetworkswhenthe
signatureiscreated.

PaloAltoNetworks,Inc.

PANOS7.1AdministratorsGuide 805

SecurityProfiles

Policy

StrictOverridesthedefaultactionofcritical,high,andmediumseveritythreatstotheblockaction,
regardlessoftheactiondefinedinthesignaturefile.Thisprofilestillusesthedefaultactionformedium
andinformationalseveritysignatures.

Whenthefirewalldetectsathreatevent,youcanconfigurethefollowingactionsinanAntiSpywareprofile:

DefaultForeachthreatsignatureandAntiSpywaresignaturethatisdefinedbyPaloAltoNetworks,a
defaultactionisspecifiedinternally.Typicallythedefaultactionisanalertoraresetboth.Thedefault
actionisdisplayedinparenthesis,forexampledefault(alert)inthethreatorAntivirussignature.

AllowPermitstheapplicationtraffic

AlertGeneratesanalertforeachapplicationtrafficflow.Thealertissavedinthethreatlog.

DropDropstheapplicationtraffic.

Reset ClientForTCP,resetstheclientsideconnection.ForUDP,dropstheconnection.

Reset ServerForTCP,resetstheserversideconnection.ForUDP,dropstheconnection.

Reset BothForTCP,resetstheconnectiononbothclientandserverends.ForUDP,dropsthe
connection.
Block IPThisactionblockstrafficfromeitherasourceorasourcedestinationpair.Itisconfigurablefor

aspecifiedperiodoftime.
Inaddition,youcanenabletheDNSSinkholingactioninAntiSpywareprofilestoenablethefirewalltoforge
aresponsetoaDNSqueryforaknownmaliciousdomain,causingthemaliciousdomainnametoresolveto
anIPaddressthatyoudefine.Thisfeaturehelpstoidentifyinfectedhostsontheprotectednetworkusing
DNStrafficInfectedhostscanthenbeeasilyidentifiedinthetrafficandthreatlogsbecauseanyhostthat
attemptstoconnecttothesinkholeIPaddressaremostlikelyinfectedwithmalware.
AntiSpywareandVulnerabilityProtectionprofilesareconfiguredsimilarly.

Vulnerability Protection Profiles
Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network, Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium-severity threats. You can also create exceptions, which allow you to change the response to a specific signature.
To configure how the firewall responds to a threat, see Anti-Spyware Profiles for a list of supported actions.

URL Filtering Profiles
URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites. You can use the default profile in a security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL profile that will have all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed, which provides more granular control over URL categories.

Data Filtering Profiles
Data filtering profiles prevent sensitive information such as credit card or social security numbers from leaving a protected network. The data filtering profile also allows you to filter on keywords, such as a sensitive project name or the word confidential. It is important to focus your profile on the desired file types to reduce false positives. For example, you may only want to search Word documents or Excel spreadsheets. You may also only want to scan web-browsing traffic, or FTP.
You can use default profiles, or create custom data patterns. There are two default profiles:

• CC# (Credit Card): Identifies credit card numbers using a hash algorithm. The content must match the hash algorithm in order for data to be detected as a credit card number. This method will reduce false positives.
• SSN# (Social Security Number): Uses an algorithm to detect nine-digit numbers, regardless of format. There are two fields: SSN# and SSN# (no dash).

Weight and Threshold Values
It is important to understand how the weight of an object (SSN, CC#, pattern) is calculated in order to set the appropriate threshold for a condition you are trying to filter. Each occurrence multiplied by the weight value will be added together in order to reach an action threshold (alert or block).

Example: Filter for Social Security Numbers Only
For simplicity, if you only want to filter files with Social Security Numbers (SSN) and you define a weight of 3 for SSN#, you would use the following formula: each instance of an SSN x weight = threshold increment. In this case, if a Word document has 10 social security numbers you multiply that by the weight of 3, so 10 x 3 = 30. In order to take action for a file that contains 10 social security numbers you would set the threshold to 30. You may want to set an alert at 30 and then block at 60. You may also want to set a weight in the field SSN# (no dash) for Social Security Numbers that do not contain dashes. If multiple settings are used, they will accumulate to reach a given threshold.

Example: Filter for Social Security Numbers and a Custom Pattern
In this example, we will filter on files that contain Social Security Numbers and the custom pattern confidential. In other words, if a file has Social Security Numbers in addition to the word confidential and the combined instances of those items hit the threshold, the file will trigger an alert or block, depending on the action setting.
SSN# weight = 3
Custom Pattern confidential weight = 20
The custom pattern is case-sensitive.
If the file contains 20 Social Security Numbers and a weight of 3 is configured, that is 20 x 3 = 60. If the file also contains one instance of the term confidential and a weight of 20 is configured, that is 1 x 20 = 20 for a total of 80. If your threshold for block is set to 80, this scenario would block the file. The alert or block action will be triggered as soon as the threshold is hit.
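The weight and threshold arithmetic from both examples above, worked through as an added Python model (not Palo Alto Networks code). The SSN detectors are simple regular expressions assumed for this example; the firewall's own nine-digit detection logic is not documented on this page, and the sample documents are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Detectors assumed for this example: the guide only says that SSN# and SSN# (no dash)
# detect nine-digit numbers, so a dashed and an undashed pattern stand in for them.
SSN_DASHED = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # SSN#
SSN_NODASH = re.compile(r"\b\d{9}\b")               # SSN# (no dash)


def count_regex(pattern: "re.Pattern") -> Callable[[str], int]:
    return lambda text: len(pattern.findall(text))


def count_literal(term: str) -> Callable[[str], int]:
    # Custom patterns are case-sensitive, as the guide states.
    return lambda text: text.count(term)


@dataclass
class DataPattern:
    name: str
    weight: int
    count: Callable[[str], int]


@dataclass
class DataFilteringRule:
    patterns: List[DataPattern]
    alert_threshold: Optional[int] = None
    block_threshold: Optional[int] = None


def score(text: str, rule: DataFilteringRule) -> int:
    # Every occurrence contributes its pattern's weight; all patterns accumulate.
    return sum(p.weight * p.count(text) for p in rule.patterns)


def evaluate(text: str, rule: DataFilteringRule) -> Tuple[str, int]:
    # The action fires as soon as the threshold is hit (>=); block outranks alert.
    total = score(text, rule)
    if rule.block_threshold is not None and total >= rule.block_threshold:
        return "block", total
    if rule.alert_threshold is not None and total >= rule.alert_threshold:
        return "alert", total
    return "allow", total


def make_ssns(n: int, dashed: bool = True) -> str:
    # Constructed sample data: n distinct SSN-shaped numbers separated by spaces.
    fmt = "{:03d}-{:02d}-{:04d}" if dashed else "{:03d}{:02d}{:04d}"
    return " ".join(fmt.format(100 + i, 10 + i % 90, 1000 + i) for i in range(n))


# Example 1: SSN only, weight 3, alert at 30 and block at 60 (both SSN fields set).
SSN_RULE = DataFilteringRule(
    patterns=[DataPattern("SSN#", 3, count_regex(SSN_DASHED)),
              DataPattern("SSN# (no dash)", 3, count_regex(SSN_NODASH))],
    alert_threshold=30, block_threshold=60)

# Example 2: SSN weight 3 plus custom pattern "confidential" weight 20, block at 80.
SSN_AND_CONFIDENTIAL_RULE = DataFilteringRule(
    patterns=[DataPattern("SSN#", 3, count_regex(SSN_DASHED)),
              DataPattern("confidential", 20, count_literal("confidential"))],
    alert_threshold=60, block_threshold=80)


if __name__ == "__main__":
    print(evaluate(make_ssns(10), SSN_RULE))                  # ('alert', 30)
    print(evaluate(make_ssns(20), SSN_RULE))                  # ('block', 60)
    doc = make_ssns(20) + " marked confidential"
    print(evaluate(doc, SSN_AND_CONFIDENTIAL_RULE))           # ('block', 80)
    doc_caps = make_ssns(20) + " marked Confidential"         # case-sensitive: no match
    print(evaluate(doc_caps, SSN_AND_CONFIDENTIAL_RULE))      # ('alert', 60)
```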

File Blocking Profiles
The firewall uses file blocking profiles to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload and/or download and you can specify which applications will be subject to the file blocking profile. You can also configure custom block pages that will appear when a user attempts to download the specified file type. This allows the user to take a moment to consider whether or not they want to download a file.
Configure a file blocking profile with the following actions:

• Alert: When the specified file type is detected, a log is generated in the data filtering log.
• Block: When the specified file type is detected, the file is blocked and a customizable block page is presented to the user. A log is also generated in the data filtering log.
• Continue: When the specified file type is detected, a customizable response page is presented to the user. The user can click through the page to download the file. A log is also generated in the data filtering log. Because this type of forwarding action requires user interaction, it is only applicable for web traffic.

WildFire Analysis Profiles
Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for WildFire analysis. Specify files to be forwarded for analysis based on application, file type, and transmission direction (upload or download). Files or email links matched to the profile rule are forwarded to either the WildFire public cloud or the WildFire private cloud (hosted with a WF-500 appliance), depending on the analysis location defined for the rule.
You can also use the WildFire analysis profiles to set up a WildFire hybrid cloud deployment. If you are using a WildFire appliance to analyze sensitive files locally (such as PDFs), you can specify for less sensitive file types (such as PE files) or file types that are not supported for WildFire appliance analysis (such as APKs) to be analyzed by the WildFire public cloud. Using both the WildFire appliance and the WildFire cloud for analysis allows you to benefit from a prompt verdict for files that have already been processed by the cloud, and for files that are not supported for appliance analysis, and frees up the appliance capacity to process sensitive content.

DoS Protection Profiles
DoS protection profiles provide detailed control for Denial of Service (DoS) protection policies. DoS policies allow you to control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. There are two DoS protection mechanisms that the Palo Alto Networks firewalls support.

• Flood Protection: Detects and prevents attacks where the network is flooded with packets resulting in too many half-open sessions and/or services being unable to respond to each request. In this case the source address of the attack is usually spoofed. See DoS Protection Against Flooding of New Sessions.
• Resource Protection: Detects and prevents session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully established sessions as possible to consume all of a system's resources.

You can enable both types of protection mechanisms in a single DoS protection profile.

The DoS profile is used to specify the type of action to take and details on matching criteria for the DoS policy. The DoS profile defines settings for SYN, UDP, and ICMP floods, can enable resource protection, and defines the maximum number of concurrent connections. After you configure the DoS protection profile, you then attach it to a DoS policy.
When configuring DoS protection, it is important to analyze your environment in order to set the correct thresholds, and due to some of the complexities of defining DoS protection policies, this guide will not go into detailed examples. For more information, refer to the Threat Prevention Tech Note.

Zone Protection Profiles
Zone protection profiles provide additional protection between specific network zones in order to protect the zones against attack. The profile must be applied to the entire zone, so it is important to carefully test the profiles in order to prevent issues that may arise with the normal traffic traversing the zones. When defining packets per second (pps) threshold limits for zone protection profiles, the threshold is based on the packets per second that do not match a previously established session. For more information, refer to the Threat Prevention Tech Note.

Security Profile Group
A security profile group is a set of security profiles that can be treated as a unit and then easily added to security policies. Profiles that are often assigned together can be added to profile groups to simplify the creation of security policies. You can also set up a default security profile group: new security policies will use the settings defined in the default profile group to check and control traffic that matches the security policy. Name a security profile group default to allow the profiles in that group to be added to new security policies by default. This allows you to consistently include your organization's preferred profile settings in new policies automatically, without having to manually add security profiles each time you create new rules.
For recommendations on the best practice settings for security profiles, see Create Best Practice Security Profiles.

The following sections show how to create a security profile group and how to enable a profile group to be used by default in new security policies:

• Create a Security Profile Group
• Set Up or Override a Default Security Profile Group

Create a Security Profile Group
Use the following steps to create a security profile group and add it to a security policy.

Step 1  Create a security profile group.
        If you name the group default, the firewall will automatically attach it to any new rules you create. This is a time saver if you have a preferred set of security profiles that you want to make sure get attached to every new rule.
        1. Select Objects > Security Profile Groups and Add a new security profile group.
        2. Give the profile group a descriptive Name, for example, Threats.
        3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
        4. Add existing profiles to the group.
        5. Click OK to save the profile group.

Step 2  Add a security profile group to a security policy.
        1. Select Policies > Security and Add or modify a security policy rule.
        2. Select the Actions tab.
        3. In the Profile Setting section, select Group for the Profile Type.
        4. In the Group Profile drop-down, select the group you created (for example, select the best practice group).
        5. Click OK to save the policy and Commit your changes.

Step 3  Save your changes.
        Click Commit.

Set Up or Override a Default Security Profile Group
Use the following options to set up a default security profile group to be used in new security policies, or to override an existing default group. When an administrator creates a new security policy, the default profile group will be automatically selected as the policy's profile settings, and traffic matching the policy will be checked according to the settings defined in the profile group (the administrator can choose to manually select different profile settings if desired).
If no default security profile exists, the profile settings for a new security policy are set to None by default.

Create a security profile group.
1. Select Objects > Security Profile Groups and Add a new security profile group.
2. Give the profile group a descriptive Name, for example, Threats.
3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
4. Add existing profiles to the group. For details on creating profiles, see Security Profiles.
5. Click OK to save the profile group.
6. Add the security profile group to a security policy.
7. Add or modify a security policy rule and select the Actions tab.
8. Select Group for the Profile Type.
9. In the Group Profile drop-down, select the group you created (for example, select the Threats group).
10. Click OK to save the policy and Commit your changes.

Set up a default security profile group.
1. Select Objects > Security Profile Groups and add a new security profile group or modify an existing security profile group.
2. Name the security profile group default.
3. Click OK and Commit.
4. Confirm that the default security profile group is included in new security policies by default:
   a. Select Policies > Security and Add a new security policy.
   b. Select the Actions tab and view the Profile Setting fields.
   By default, the new security policy correctly shows the Profile Type set to Group and the default Group Profile is selected.

Override a default security profile group.
If you have an existing default security profile group, and you do not want that set of profiles to be attached to a new security policy, you can continue to modify the Profile Setting fields according to your preference. Begin by selecting a different Profile Type for your policy (Policies > Security > Security Policy Rule > Actions).

Best Practice Internet Gateway Security Policy
One of the cheapest and easiest ways for an attacker to gain access to your network is through users accessing the Internet. By successfully exploiting an endpoint, an attacker can take hold in your network and begin to move laterally towards the end goal, whether that is to steal your source code, exfiltrate your customer data, or take down your infrastructure. To protect your network from cyberattack and improve your overall security posture, implement a best practice Internet gateway security policy. A best practice policy allows you to safely enable applications, users, and content by classifying all traffic, across all ports, all the time.
The following topics describe the overall process for deploying a best practice Internet gateway security policy and provide detailed instructions for creating it.

• What Is a Best Practice Internet Gateway Security Policy?
• Why Do I Need a Best Practice Internet Gateway Security Policy?
• How Do I Deploy a Best Practice Internet Gateway Security Policy?
• Identify Whitelist Applications
• Create User Groups for Access to Whitelist Applications
• Decrypt Traffic for Full Visibility and Threat Inspection
• Create Best Practice Security Profiles
• Define the Initial Internet Gateway Security Policy
• Monitor and Fine-Tune the Policy Rulebase
• Remove the Temporary Rules
• Maintain the Rulebase

What Is a Best Practice Internet Gateway Security Policy?
A best practice Internet gateway security policy has two main security goals:

• Minimize the chance of a successful intrusion: Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats.
• Identify the presence of an attacker: A best practice Internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.

To achieve these goals, the best practice Internet gateway security policy uses application-based rules to allow access to whitelisted applications by user, while scanning all traffic to detect and block all known threats, and send unknown files to WildFire to identify new threats and generate signatures to block them:

The best practice policy is based on the following methodologies. The best practice methodologies ensure detection and prevention at multiple stages of the attack lifecycle.

Best Practice Methodology: Inspect All Traffic for Visibility
Why is this important? Because you cannot protect against threats you cannot see, you must make sure you have full visibility into all traffic across all users and applications all the time. To accomplish this:
• Deploy GlobalProtect to extend the next-generation security platform to users and devices no matter where they are located.
• Enable SSL decryption so the firewall can inspect encrypted traffic (SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network today).
• Enable User-ID to map application traffic and associated threats to users/devices.
The firewall can then inspect all traffic, inclusive of applications, threats, and content, and tie it to the user, regardless of location or device type, port, encryption, or evasive techniques employed, using the native App-ID, Content-ID, and User-ID technologies.
Complete visibility into the applications, the content, and the users on your network is the first step toward informed policy control.

Best Practice Methodology: Reduce the Attack Surface
Why is this important? After you have context into the traffic on your network (applications, their associated content, and the users who are accessing them), create application-based Security policy rules to allow those applications that are critical to your business and additional rules to block all high-risk applications that have no legitimate use case. To further reduce your attack surface, attach File Blocking and URL Filtering profiles to all rules that allow application traffic to prevent users from visiting threat-prone websites and prevent them from uploading or downloading dangerous file types (either knowingly or unknowingly).

Best Practice Methodology: Prevent Known Threats
Why is this important? Enable the firewall to scan all allowed traffic for known threats by attaching security profiles to all allow rules to detect and block network- and application-layer vulnerability exploits, buffer overflows, DoS attacks, and port scans, and known malware variants (including those hidden within compressed files or compressed HTTP/HTTPS traffic). To enable inspection of encrypted traffic, enable SSL decryption.

Best Practice Methodology: Detect Unknown Threats
Why is this important? Forward all unknown files to WildFire for analysis. WildFire identifies unknown or targeted malware (also called advanced persistent threats or APTs) hidden within files by directly observing and executing unknown files in a virtualized sandbox environment in the cloud or on the WF-500 appliance. WildFire monitors more than 250 malicious behaviors and, if malware is found, it automatically develops a signature and delivers it to you in as little as 5 minutes (and now that unknown threat is a known threat).

Why Do I Need a Best Practice Internet Gateway Security Policy?
Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy allows you to safely enable applications by classifying all traffic, across all ports, all the time, including encrypted traffic. By determining the business use case for each application, you can create security policy rules to allow and protect access to relevant applications. Simply put, a best practice security policy is a policy that leverages the next-generation technologies (App-ID, Content-ID, and User-ID) on the Palo Alto Networks enterprise security platform to:

• Identify applications regardless of port, protocol, evasive tactic or encryption
• Identify and control users regardless of IP address, location, or device
• Protect against known and unknown application-borne threats
• Provide fine-grained visibility and policy control over application access and functionality

A best practice security policy uses a layered approach to ensure that you not only safely enable sanctioned applications, but also block applications with no legitimate use case. To mitigate the risk of breaking applications when moving from port-based enforcement to application-based enforcement, the best practice rulebase provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network. These temporary best practice rules ensure that applications your users are counting on don't break, while allowing you to monitor application usage and craft appropriate rules. You may find that some of the applications that were being allowed through existing port-based policy rules are not necessarily applications that you want to continue to allow or that you want to limit to a more granular set of users.
Unlike a port-based policy, a best practice security policy is easy to administer and maintain because each rule meets a specific goal of allowing an application or group of applications to a specific user group based on your business needs. Therefore, you can easily understand what traffic the rule enforces by looking at the match criteria. Additionally, a best practice security policy rulebase leverages tags and objects to make the rulebase more scannable and easier to keep synchronized with your changing environment.

How Do I Deploy a Best Practice Internet Gateway Security Policy?
Moving from a port-based security policy to an application-based security policy may seem like a daunting task. However, the security risks of sticking with a port-based policy far outweigh the effort required to implement an application-based policy. And, while legacy port-based security policies may have hundreds, if not thousands of rules (many of which nobody in the organization knows the purpose of), a best practice policy has a streamlined set of rules that align with your business goals, simplifying administration and reducing the chance of error. Because the rules in an application-based policy align with your business goals and acceptable use policies, you can quickly scan the policy to understand the reason for each and every rule.
As with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases to make the transition as smooth as possible, with minimal impact to your end users. Generally, the workflow for implementing a best practice Internet gateway security policy is:

• Assess your business and identify what you need to protect: The first step in deploying a security architecture is to assess your business and identify what your most valuable assets are as well as what the biggest threats to those assets are. For example, if you are a technology company, your intellectual property is your most valuable asset. In this case, one of your biggest threats would be source code theft.
• Segment Your Network Using Interfaces and Zones: Traffic cannot flow between zones unless there is a security policy rule to allow it. One of the easiest defenses against lateral movement of an attacker that has made its way into your network is to define granular zones and only allow access to the specific user groups who need to access an application or resource in each zone. By segmenting your network into granular zones, you can prevent an attacker from establishing a communication channel within your network (either via malware or by exploiting legitimate applications), thereby reducing the likelihood of a successful attack on your network.
• Identify Whitelist Applications: Before you can create an Internet gateway best practice security policy, you must have an inventory of the applications you want to allow on your network, and distinguish between those applications you administer and officially sanction and those that you simply want users to be able to use safely. After you identify the applications (including general types of applications) you want to allow, you can map them to specific best practice rules.
• Create User Groups for Access to Whitelist Applications: After you identify the applications you plan to allow, you must identify the user groups that require access to each one. Because compromising an end user's system is one of the cheapest and easiest ways for an attacker to gain access to your network, you can greatly reduce your attack surface by only allowing access to applications to the user groups that have a legitimate business need.
• Decrypt Traffic for Full Visibility and Threat Inspection: You can't inspect traffic for threats if you can't see it. And today SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network. This is precisely why encrypted traffic is a common way for attackers to deliver threats. For example, an attacker may use a web application such as Gmail, which uses SSL encryption, to email an exploit or malware to employees accessing that application on the corporate network. Or, an attacker may compromise a website that uses SSL encryption to silently download an exploit or malware to site visitors. If you are not decrypting traffic for visibility and threat inspection, you are leaving a very large surface open for attack.
• Create Best Practice Security Profiles: Command-and-control traffic, CVEs, drive-by downloads of malicious content, and APTs are all delivered via legitimate applications. To protect against known and unknown threats, you must attach stringent security profiles to all Security policy allow rules.
• Define the Initial Internet Gateway Security Policy: Using the application and user group inventory you conducted, you can define an initial policy that allows access to all of the applications you want to whitelist by user or user group. The initial policy rulebase you create must also include temporary rules to prevent other applications you might not have known about from breaking and to identify policy gaps and security holes in your existing design.
• Monitor and Fine-Tune the Policy Rulebase: After the temporary rules are in place, you can begin monitoring traffic that matches them so that you can fine-tune your policy. Because the temporary rules are designed to uncover unexpected traffic on the network, such as traffic running on non-default ports or traffic from unknown users, you must assess the traffic matching these rules and adjust your application allow rules accordingly.
• Remove the Temporary Rules: After a monitoring period of several months, you should see less and less traffic hitting the temporary rules. When you reach the point where traffic no longer hits the temporary rules, you can remove them to complete your best practice Internet Gateway Security policy.
• Maintain the Rulebase: Due to the dynamic nature of applications, you must continually monitor your application whitelist and adapt your rules to accommodate new applications that you decide to sanction, as well as to determine how new or modified App-IDs impact your policy. Because the rules in a best practice rulebase align with your business goals and leverage policy objects for simplified administration, adding support for a new sanctioned application or new or modified App-ID oftentimes is as simple as adding or removing an application from an application group or modifying an application filter.

Identify Whitelist Applications
The application whitelist includes not only the applications you provision and administer for business and infrastructure purposes, but also other applications that your users may need to use in order to get their jobs done, and applications you may choose to allow for personal use. Before you can begin creating your best practice Internet Gateway Security policy, you must create an inventory of the applications you want to whitelist.

• Map Applications to Business Goals for a Simplified Rulebase
• Use Temporary Rules to Tune the Whitelist
• Application Whitelist Example

Map Applications to Business Goals for a Simplified Rulebase
As you inventory the applications on your network, consider your business goals and acceptable use policies and identify the applications that correspond to each. This will allow you to create a goal-driven rulebase. For example, one goal might be to allow all users on your network to access data center applications. Another goal might be to allow the sales and support groups access to your customer database. You can then create a whitelist rule that corresponds to each goal you identify and group all of the applications that align with the goal into a single rule. This approach allows you to create a rulebase with a smaller number of individual rules, each with a clear purpose.
In addition, because the individual rules you create align with your business goals, you can use application objects to group the whitelist to further simplify administration of the best practice rulebase:

• Create application groups for sanctioned applications: Because you will know exactly what applications you require and sanction for official use, create application groups that explicitly include only those applications. Using application groups also simplifies the administration of your policy because it allows you to add and remove sanctioned applications without requiring you to modify individual policy rules. Generally, if the applications that map to the same goal have the same requirements for enabling access (for example, they all have a destination address that points to your data center address group, they all allow access to any known user, and you want to enable them on their default ports only) you would add them to the same application group.
• Create application filters to allow general types of applications: Besides the applications you officially sanction, you will also need to decide what additional applications you will want to allow your users to access. Application filters allow you to safely enable certain categories of applications (based on category, subcategory, technology, risk factor, or characteristic). Separate the different types of applications based on business and personal use. Create separate filters for each type of application to make it easier to understand each policy rule at a glance.

Use Temporary Rules to Tune the Whitelist
Although the end goal of a best practice application-based policy is to use positive enforcement to safely enable your whitelist applications, the initial rulebase requires some additional rules designed to ensure that you have full visibility into all the applications in use on your network so that you can properly tune it. The initial rulebase you create will have the following types of rules:

• Whitelist rules for the applications you officially sanction and deploy.
• Whitelist rules for safely enabling access to general types of applications you want to allow per your acceptable use policy.
• Blacklist rules that block applications that have no legitimate use case. You need these rules so that the temporary rules that catch applications that haven't yet been accounted for in your policy don't let anything bad onto your network.
• Temporary allow rules to give you visibility into all of the applications running on your network so that you can tune the rulebase.

The temporary rules are a very important part of the initial best practice rulebase. Not only will they give you visibility into applications you weren't aware were running on your network (and prevent legitimate applications you didn't know about from breaking), but they will also help you identify things such as unknown users and applications running on non-standard ports. Because attackers commonly use standard applications on non-standard ports as an evasion technique, allowing applications on any port opens the door for malicious content. Therefore, you must identify any legitimate applications running on non-standard ports (for example, internally developed applications) so that you can either modify what ports are used or create custom applications to enable them.

Application Whitelist Example
Keep in mind that you do not need to capture every application that might be in use on your network in your initial inventory. Instead you should focus here on the applications (and general types of applications) that you want to allow. Temporary rules in the best practice rulebase will catch any additional applications that may be in use on your network so that you are not inundated with complaints of broken applications during your transition to application-based policy. The following is an example application whitelist for an enterprise gateway deployment.

Application Type: Sanctioned Applications
Best Practice for Securing: These are the applications that your IT department administers specifically for business use within your organization or to provide infrastructure for your network and applications. For example, in an Internet gateway deployment these applications fall into the following categories:
• Infrastructure Applications: These are the applications that you must allow to enable networking and security, such as ping, NTP, SMTP, and DNS.
• IT-Sanctioned Applications: These are the applications that you provision and administer for your users. These fall into two categories:
  • IT-Sanctioned On-Premise Applications: These are the applications you install and host in your data center for business use. With IT-sanctioned on-premise applications, the application infrastructure and the data reside on enterprise-owned equipment. Examples include Microsoft Exchange and activesync, as well as authentication tools such as Kerberos and LDAP.
  • IT-Sanctioned SaaS Applications: SaaS applications are those where the software and infrastructure are owned and managed by the application service provider, but where you retain full control of the data, including who can create, access, share, and transfer it (for example, Salesforce, Box, and GitHub).
• Administrative Applications: These are applications that only a specific group of administrative users should have access to in order to administer applications and support users (for example, remote desktop applications).

Application Type: General Types of Applications
Best Practice for Securing: Besides the applications you officially sanction and deploy, you will also want to allow your users to safely use other types of applications:
• General Business Applications: For example, allow access to software updates, and web services, such as WebEx, Adobe online services, and Evernote.
• Personal Applications: For example, you may want to allow your users to browse the web or safely use web-based mail, instant messaging, or social networking applications.
The recommended approach here is to begin with wide application filters so you can gain an understanding of what applications are in use on your network. You can then decide how much risk you are willing to assume and begin to pare down the application whitelist. For example, suppose you find that Box, Dropbox, and Office 365 file sharing applications are all in use on your network. Each of these applications has an inherent risk associated with it, from data leakage to risks associated with transfer of malware-infected files. The best approach would be to officially sanction a single file sharing application and then begin to phase out the others by slowly transitioning from an allow policy to an alert policy, and finally, after giving users ample warning, a block policy for all file sharing applications except the one you choose to sanction. In this case, you might also choose to enable a small group of users to continue using an additional file sharing application as needed to perform job functions with partners.

Application Type: Custom Applications Specific to Your Environment
Best Practice for Securing: If you have proprietary applications on your network or applications that you run on non-standard ports, it is a best practice to create custom applications for them. This way you can allow the application as a sanctioned application and lock it down to its default port. Otherwise you would either have to open up additional ports (for applications running on non-standard ports), or allow unknown traffic (for proprietary applications), neither of which is recommended in a best practice Security policy.

Create User Groups for Access to Whitelist Applications
Safely enabling applications means not only defining the list of applications you want to allow, but also enabling access only for those users who have a legitimate business need. For example, some applications, such as SaaS applications that enable access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not. Limiting user access to applications closes potential security holes that an attacker could otherwise use to gain access to and control over systems in your network.
To enable user-based access to applications:
• Enable User-ID in the zones from which your users initiate traffic.
• For each application whitelist rule you define, identify the user groups that have a legitimate business need for the applications allowed by the rule. Keep in mind that because the best practice approach is to map the application whitelist rules to your business goals (which includes considering which users have a business need for a particular type of application), you will have a much smaller number of rules to manage than if you were trying to map individual port-based rules to users.
• If you don't have an existing group on your AD server, you can alternatively create custom LDAP groups to match the list of users who need access to a particular application.

Decrypt Traffic for Full Visibility and Threat Inspection
The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, Military, and Shopping.
Use decryption exceptions only where required, and be precise to ensure that you are limiting the exception to a specific application or user based on need only:
• If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
• If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.
To ensure that certificates presented during SSL decryption are valid, configure the firewall to perform CRL/OCSP checks.
Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption policy rules:

Best Practice Decryption Profile
• Configure the SSL Decryption > SSL Forward Proxy settings to block exceptions during SSL negotiation and block sessions that can't be decrypted:

• Configure the SSL Decryption > SSL Protocol Settings to block use of vulnerable SSL/TLS versions (TLS 1.0 and SSLv3) and to avoid weak algorithms (MD5, RC4, and 3DES):

• For traffic that you are not decrypting, configure the No Decryption settings to block encrypted sessions to sites with expired certificates or untrusted issuers:
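The three groups of settings above can be verified mechanically against a configuration export, which is useful after the profile has been edited by several administrators. The following is an added example, not code from the guide or from Palo Alto Networks: it parses a decryption profile out of an XML export and reports every setting that falls short of the best practice (forward-proxy block flags, TLS floor and weak algorithms, and the no-decryption block flags). The element names (ssl-forward-proxy, ssl-protocol-settings, ssl-no-proxy and their child flags) are an assumption based on the PAN-OS configuration schema; verify them against the output of `show config running` on your own firewall before relying on the check. The embedded configuration is a constructed sample that deliberately still allows TLS 1.0 and 3DES.

```python
"""Audit a PAN-OS decryption profile (XML export) against the best practice settings.
Added example, not from the guide. Element names are an ASSUMPTION based on the
PAN-OS configuration schema; verify against your own running config."""
import xml.etree.ElementTree as ET

# Flags that must be "yes" in the SSL Forward Proxy block.
FORWARD_PROXY_MUST_BE_YES = (
    "block-expired-certificate", "block-untrusted-issuer", "block-unknown-cert",
    "block-timeout-cert", "block-unsupported-version", "block-unsupported-cipher",
)
# Flags that must be "yes" in the No Decryption block.
NO_PROXY_MUST_BE_YES = ("block-expired-certificate", "block-untrusted-issuer")
# Weak algorithms that must be "no" in the SSL Protocol Settings block.
WEAK_ALGOS_MUST_BE_NO = ("auth-algo-md5", "enc-algo-rc4", "enc-algo-3des")
# Lowest acceptable protocol version: anything below allows TLS 1.0 / SSLv3.
TLS_ORDER = ["sslv3", "tls1-0", "tls1-1", "tls1-2"]
MIN_TLS_FLOOR = "tls1-1"

# Constructed sample (not a real export): still allows TLS 1.0 and 3DES, and does
# not block untrusted issuers for traffic that is excluded from decryption.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<profiles><decryption><entry name="BestPractice-Decryption">
  <ssl-forward-proxy>
    <block-expired-certificate>yes</block-expired-certificate>
    <block-untrusted-issuer>yes</block-untrusted-issuer>
    <block-unknown-cert>yes</block-unknown-cert>
    <block-timeout-cert>yes</block-timeout-cert>
    <block-unsupported-version>yes</block-unsupported-version>
    <block-unsupported-cipher>yes</block-unsupported-cipher>
  </ssl-forward-proxy>
  <ssl-protocol-settings>
    <min-version>tls1-0</min-version>
    <auth-algo-md5>no</auth-algo-md5>
    <enc-algo-rc4>no</enc-algo-rc4>
    <enc-algo-3des>yes</enc-algo-3des>
  </ssl-protocol-settings>
  <ssl-no-proxy>
    <block-expired-certificate>yes</block-expired-certificate>
    <block-untrusted-issuer>no</block-untrusted-issuer>
  </ssl-no-proxy>
</entry></decryption></profiles>
</entry></vsys></entry></devices></config>"""


def _flag(section, name, default="no"):
    """Text of a child element; a missing section or element counts as the default."""
    node = section.find(name) if section is not None else None
    return node.text.strip() if node is not None and node.text else default


def audit_decryption_profile(config_xml, profile_name):
    """Return a list of findings; an empty list means the profile matches best practice."""
    root = ET.fromstring(config_xml)
    entry = root.find(f".//profiles/decryption/entry[@name='{profile_name}']")
    if entry is None:
        return [f"profile {profile_name!r} not found"]
    findings = []

    fwd = entry.find("ssl-forward-proxy")
    for name in FORWARD_PROXY_MUST_BE_YES:
        if _flag(fwd, name) != "yes":
            findings.append(f"ssl-forward-proxy/{name} should be yes")

    proto = entry.find("ssl-protocol-settings")
    min_version = _flag(proto, "min-version", default="sslv3")
    if min_version not in TLS_ORDER:
        findings.append(f"ssl-protocol-settings/min-version has unrecognized value {min_version!r}")
    elif TLS_ORDER.index(min_version) < TLS_ORDER.index(MIN_TLS_FLOOR):
        findings.append(f"ssl-protocol-settings/min-version is {min_version}; set at least {MIN_TLS_FLOOR}")
    for name in WEAK_ALGOS_MUST_BE_NO:
        # A missing algorithm flag is treated as enabled, the unsafe direction.
        if _flag(proto, name, default="yes") != "no":
            findings.append(f"ssl-protocol-settings/{name} should be no")

    nop = entry.find("ssl-no-proxy")
    for name in NO_PROXY_MUST_BE_YES:
        if _flag(nop, name) != "yes":
            findings.append(f"ssl-no-proxy/{name} should be yes")
    return findings


if __name__ == "__main__":
    for finding in audit_decryption_profile(SAMPLE_CONFIG, "BestPractice-Decryption"):
        print("FINDING:", finding)
```

Run it against a real export by loading the file contents in place of SAMPLE_CONFIG; a missing flag is reported as a finding rather than silently accepted, because the firewall default for most of these settings is the permissive one.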

Create Best Practice Security Profiles
Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security policy rules that allow traffic so that you can detect threats, both known and unknown, in your network traffic. The following are the recommended best practice settings for each of the security profiles that you should attach to every Security policy rule.
Consider adding the best practice security profiles to a default security profile group so that it will automatically attach to any new Security policy rules you create.

Security Profile: Best Practice Settings

File Blocking
Create a File Blocking profile that blocks files that are commonly included in malware attack campaigns or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files, as well as Windows Portable Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon, and .pif files. You can allow download/upload of executables and archive files (.zip and .rar), but force users to click continue before transferring a file to give them pause. Finally, alert on all other file types for visibility into what other file transfers are happening so that you can determine if you need to make policy changes.

Why do I need this profile?
There are many ways for attackers to deliver malicious files: as attachments or links in corporate email or in webmail, links or IMs in social media, exploit kits, through file sharing applications (such as FTP, Google Drive, or Dropbox), or on USB drives. Attaching a File Blocking profile reduces your attack surface by preventing these types of attacks on the paths the firewall can see; files that arrive on USB drives never traverse the firewall and must be handled by endpoint controls.
What if I can't block all of the recommended file types?
If you cannot block all PE files per the recommendation, make sure you send all unknown files to WildFire for analysis. Additionally, set the Action to continue to prevent drive-by downloads. A drive-by download is when an end user downloads content that installs malicious files, such as Java applets or executables, without knowing they are doing it. Drive-by downloads can occur when users visit websites, view email messages, or click into popup windows meant to deceive them. Educate your users that if they are prompted to continue with a file transfer they didn't knowingly initiate, they may be subject to a malicious download.
Antivirus
Attach an Antivirus profile to all allowed traffic to detect and prevent viruses and malware from being transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. The best practice Antivirus profile uses the default action when it detects traffic that matches either an Antivirus signature or a WildFire signature. The default action differs for each protocol and follows the most up-to-date recommendation from Palo Alto Networks for how to best prevent malware in each type of protocol from propagating.
By default, the firewall alerts on viruses found in SMTP traffic. However, if you don't have a dedicated Antivirus gateway solution in place for your SMTP traffic, define a stricter action for this protocol to protect against infected email content. Use the reset-both action to return a 541 response to the sending SMTP server to prevent it from resending the blocked message.

Why do I need this profile?
By attaching Antivirus profiles to all Security rules you can block known malicious files (malware, ransomware, bots, and viruses) as they are coming into the network. Common ways for users to receive malicious files include malicious attachments in email, links to download malicious files, or silent compromise with exploit kits that exploit a vulnerability and then automatically deliver malicious payloads to the end user.

Vulnerability Protection
Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. The best practice profile is a clone of the predefined Strict profile, with packet capture settings enabled to help you track down the source of any potential attacks.

Why do I need this profile?
Without strict vulnerability protection, attackers can leverage client- and server-side vulnerabilities to compromise end users. For example, an attacker could leverage a vulnerability to install malicious code on client systems or use an exploit kit (Angler, Nuclear, Fiesta, KaiXin) to automatically deliver malicious payloads to the end user. Vulnerability Protection profiles also prevent an attacker from using vulnerabilities on internal hosts to move laterally within your network, provided that the east-west traffic between those hosts actually passes through the firewall.
Anti-Spyware
Attach an Anti-Spyware profile to all allowed traffic to detect command-and-control (C2) traffic initiated from spyware installed on a server or endpoint and to prevent compromised systems from establishing an outbound connection from your network. The best practice Anti-Spyware profile resets the connection when the firewall detects a medium, high, or critical severity threat and blocks or sinkholes any DNS queries for known malicious domains.

To create this profile, clone the predefined strict profile and make sure to enable DNS sinkhole and packet capture to help you track down the endpoint that attempted to resolve the malicious domain. The sinkhole is what makes attribution possible when clients resolve names through an internal DNS server: the firewall only sees the resolver's query, but the infected client then connects to the sinkhole address and appears in the traffic log under its own IP address. For the best possible protection, enable passive DNS monitoring, which enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.

URL Filtering
As a best practice, use PAN-DB URL filtering to prevent access to web content that is at high risk for being malicious. Attach a URL Filtering profile to all rules that allow access to web-based applications to protect against URLs that have been observed hosting malware or exploitive content.
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include malware, phishing, dynamic-dns, unknown, proxy-avoidance-and-anonymizers, questionable, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command-and-control activity, and data exfiltration.
In addition to blocking known bad categories, you should also alert on all other categories so that you have visibility into the sites your users are visiting. If you need to phase in a block policy, set categories to continue and create a custom response page to educate users on your acceptable use policies and alert them to the fact that they are visiting a site that may pose a threat. This will pave the way for you to outright block the categories after a monitoring period.

What if I can't block all of the recommended categories?
If you find that users need access to sites in the blocked categories, consider creating an allow list for just the specific sites, if you feel the risk is justified. Allowing traffic to a recommended block category poses the following risks:
• malware: Sites known to host malware or used for command-and-control (C2) traffic. May also exhibit exploit kits.
• phishing: Known to host credential phishing pages or phishing for personal identification.
• dynamic-dns: Hosts and domain names for systems with dynamically assigned IP addresses, which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
• unknown: Sites that have not yet been identified by PAN-DB, perhaps because they were just registered. However, oftentimes these are sites that are generated by domain generation algorithms and are later found to exhibit malicious behavior.
• proxy-avoidance-and-anonymizers: URLs and services often used to bypass content filtering products.
• questionable: Domains with illegal content, such as content that infringes on copyrights or that allows illegal download of software or other intellectual property.
• parked: Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity information. Or, they may be domains that an individual purchases rights to in hopes that they may be valuable someday, such as panw.net.

WildFire Analysis
While the rest of the best practice security profiles significantly reduce the attack surface on your network by detecting and blocking known threats, the threat landscape is ever-changing and the risk of unknown threats lurking in the files we use daily (PDFs, Microsoft Office documents such as .doc and .xls files) is ever-growing. And, because these unknown threats are increasingly sophisticated and targeted, they often go undetected until long after a successful attack. To protect your network from unknown threats, you must configure the firewall to forward files to WildFire for analysis. Without this protection, attackers have free rein to infiltrate your network and exploit vulnerabilities in the applications your employees use every day. Because WildFire protects against unknown threats, it is your greatest defense against advanced persistent threats (APTs).
The best practice WildFire Analysis profile sends all files in both directions (upload and download) to WildFire for analysis. Specifically, make sure you are sending all PE files (if you're not blocking them per the File Blocking best practice), Adobe Flash and Reader files (PDF, SWF), Microsoft Office files (PowerPoint, Excel, Word, RTF), Java files (Java, .CLASS), and Android files (.APK). Note that forwarding is not inline: the first copy of a new file is delivered to the user while WildFire analyzes it, and the resulting signature protects against subsequent transfers, which is why the File Blocking and Antivirus profiles remain necessary alongside WildFire.

Define the Initial Internet Gateway Security Policy
The overall goal of a best practice Internet gateway security policy is to use positive enforcement of whitelist applications. However, it takes some time to identify exactly what applications are running on your network, which of these applications are critical to your business, and who the users are that need access to each one. The best way to accomplish the end goal of a policy rulebase that includes only application allow rules is to create an initial policy rulebase that liberally allows both the applications you officially provision for your users as well as other general business and, if appropriate, personal applications. This initial policy also includes additional rules that explicitly block bad applications as well as some temporary allow rules that are designed to help you refine your policy and prevent applications your users may need from breaking while you transition to the best practices.
The following topics describe how to create the initial rulebase and describe why each rule is necessary and what the risks are of not following the best practice recommendation:
• Step 1: Create the Application Whitelist Rules
• Step 2: Create the Application Block Rules
• Step 3: Create the Temporary Tuning Rules
• Step 4: Enable Logging for Traffic that Doesn't Match Any Rules

Step 1: Create the Application Whitelist Rules
After you Identify Whitelist Applications you are ready to create the first part of the best practice Internet Gateway Security policy rulebase: the application whitelist rules. Every whitelist rule you create must allow traffic based on application (not port) and, with the exception of certain infrastructure applications that require user access before the firewall can identify the user, must only allow access to known users. Whenever possible, Create User Groups for Access to Whitelist Applications so that you can limit user access to the specific users or user groups who have a business need to access the application.
When creating the application whitelist rules, make sure to place more specific rules above more general rules. For example, the rules for all of your sanctioned and infrastructure applications would come before the rules that allow general access to certain types of business and personal applications. This first part of the rulebase includes the allow rules for the applications you identified as part of your application whitelist:
• Sanctioned applications you provision and administer for business and infrastructure purposes
• General business applications that your users may need to use in order to get their jobs done
• General applications you may choose to allow for personal use
Every application whitelist rule also requires that you attach the best practice security profiles to ensure that you are scanning all allowed traffic for known and unknown threats. If you have not yet created these profiles, see Create Best Practice Security Profiles. And, because you can't inspect what you can't see, you must also make sure you have configured the firewall to Decrypt Traffic for Full Visibility and Threat Inspection.
Create the Application Whitelist Rules

Step 1: Allow access to your corporate DNS servers.
Why do I need this rule?
Access to DNS is required to provide network infrastructure services, but it is commonly exploited by attackers. Allowing access only to your internal DNS server reduces your attack surface.
Rule Highlights
• Because this rule is very specific, place it at the top of the rulebase.
• Create an address object to use for the destination address to ensure that users only access the DNS server in your data center.
• Because users will need access to these services before they are logged in, you must allow access to any user.

Step 2: Allow access to other required IT infrastructure resources.
Why do I need this rule?
Enable the applications that provide your network infrastructure and management functions, such as NTP, OCSP, STUN, and ping. While DNS traffic allowed in the preceding rule is restricted to the destination address in the data center, these applications may not reside in your data center and therefore require a separate rule.
Rule Highlights
• Because these applications all run on the default port, allow access to any user (users may not yet be known at the time these services are needed), and all have a destination address of any, contain them in a single application group and create a single rule to enable access to all of them.
• Users may not have logged in yet at the time they need access to the infrastructure applications, so make sure this rule allows access to any user.

Step 3: Allow access to IT-sanctioned SaaS applications.
Why do I need this rule?
With SaaS applications, your proprietary data is in the cloud. This rule ensures that only your known users have access to these applications (and the underlying data). Scan allowed SaaS traffic for threats.
Rule Highlights
• Group all sanctioned SaaS applications in an application group.
• SaaS applications should always run on the application-default port.
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 4: Allow access to IT-provisioned on-premise applications.
Why do I need this rule?
Business-critical data center applications are often leveraged in attacks during the exfiltration stage, using applications such as FTP, or in the lateral movement stage by exploiting application vulnerabilities. Many data center applications use multiple ports; setting the Service to application-default safely enables the applications on their standard ports. You should not allow applications on non-standard ports because it is often associated with evasive behavior.
Rule Highlights
• Group all data center applications in an application group.
• Create an address group for your data center server addresses.
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 5: Allow access to applications your administrative users need.
Why do I need this rule?
To reduce your attack surface, Create User Groups for Access to Whitelist Applications. Because administrators often need access to sensitive account data and remote access to other systems (for example RDP), you can greatly reduce your attack surface by only allowing access to the administrators who have a business need.
Rule Highlights
• This rule restricts access to users in the IT_admins group.
• Create custom applications for internal applications or applications that run on non-standard ports so that you can enforce them on their default ports rather than opening additional ports on your network.
• If you have different user groups for different applications, create separate rules for granular control.

Step 6: Allow access to general business applications.
Why do I need this rule?
Beyond the applications you sanction for use and administer for your users, there are a variety of applications that users may commonly use for business purposes, for example to interact with partners, such as WebEx, Adobe online services, or Evernote, but which you may not officially sanction. Because malware often sneaks in with legitimate web-based applications, this rule allows you to safely allow these applications while still scanning for threats. See Create Best Practice Security Profiles.
Rule Highlights
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
• For visibility, create separate application filters for each type of application you want to allow.
• Attach the best practice security profiles to ensure that all traffic is free of known and unknown threats. See Create Best Practice Security Profiles.

Step 7: (Optional) Allow access to personal applications.
Why do I need this rule?
As the lines blur between work and personal devices, you want to ensure that all applications your users access are safely enabled and free of threats. By using application filters, you can safely enable access to personal applications when you create this initial rulebase. After you assess what applications are in use, you can use the information to decide whether to remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use policies.
Rule Highlights
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
• For visibility, create separate application filters for each type of application you want to allow.
• Scan all traffic for threats by attaching your best practice security profile group. See Create Best Practice Security Profiles.

Step 8: Allow general web browsing.
Why do I need this rule?
While the previous rule allowed access to personal applications (many of them browser-based), this rule allows general web browsing. General web browsing is more risk-prone than other types of application traffic. You must Create Best Practice Security Profiles and attach them to this rule in order to safely enable web browsing. Because threats often hide in encrypted traffic, you must Decrypt Traffic for Full Visibility and Threat Inspection if you want to safely enable web browsing.
Rule Highlights
• This rule uses the same best practice security profiles as the rest of the rules, except for the File Blocking profile, which is more stringent because general web browsing traffic is more vulnerable to threats.
• This rule allows only known users, to prevent devices with malware or embedded devices from reaching the Internet.
• Use application filters to allow access to general types of applications.
• Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to browse to HTTPS sites that are excluded from decryption.

Step 2: Create the Application Block Rules
Although the overall goal of your security policy is to safely enable applications using application whitelist rules (also known as positive enforcement), the initial best practice rulebase must also include rules to help you find gaps in your policy and identify possible attacks. Because these rules are designed to catch things you didn't know were running on your network, they allow traffic that could also pose security risks on your network. Therefore, before you can create the temporary rules, you must create rules that explicitly blacklist applications designed to evade or bypass security or that are commonly exploited by attackers, such as public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file sharing applications.
Each of the tuning rules you will define in Step 3: Create the Temporary Tuning Rules is designed to identify a specific gap in your initial policy. Therefore some of these rules will need to go above the application block rules and some will need to go after.

Create the Application Block Rules

Step 1: Block applications that do not have a legitimate use case.
Why do I need this rule?
Block nefarious applications such as encrypted tunnels and peer-to-peer file sharing, as well as web-based file sharing applications that are not IT-sanctioned. Because the tuning rules that follow are designed to allow traffic with malicious intent or legitimate traffic that is not matching your policy rules as expected, these rules could also allow risky or malicious traffic into your network. This rule prevents that by blocking traffic that has no legitimate use case and that could be used by an attacker or a negligent user.
Rule Highlights
• Use the Drop Action to silently drop the traffic without sending a signal to the client or the server.
• Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
• Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.

Step 2: Block public DNS and SMTP applications.
Why do I need this rule?
Block public DNS/SMTP applications to avoid DNS tunneling, command-and-control traffic, and remote administration.
Rule Highlights
• Use the Reset both client and server Action to send a TCP reset message to both the client-side and server-side devices.
• Enable logging for traffic matching this rule so that you can investigate a potential threat on your network.

Step 3: Create the Temporary Tuning Rules
The temporary tuning rules are explicitly designed to help you monitor the initial best practice rulebase for gaps and alert you to alarming behavior. For example, you will create temporary rules to identify traffic that is coming from unknown users or applications running on unexpected ports. By monitoring the traffic matching the temporary rules you can also gain a full understanding of all of the applications in use on your network (and prevent applications from breaking while you transition to a best practice rulebase). You can use this information to help you fine-tune your whitelist, either by adding new whitelist rules to allow applications you weren't aware were needed or by narrowing your whitelist rules to remove application filters and instead allow only specific applications in a particular category. When traffic is no longer hitting these rules you can Remove the Temporary Rules.
Some of the temporary tuning rules must go above the rules to block bad applications and some must go after, to ensure that targeted traffic hits the appropriate rule while still ensuring that bad traffic is not allowed onto your network.

Create Temporary Tuning Rules

Step 1: Allow web-browsing and SSL on non-standard ports for known users to determine if there are any legitimate applications running on non-standard ports.
Why do I need this rule?
This rule helps you determine if you have any gaps in your policy where users are unable to access legitimate applications because they are running on non-standard ports. You must monitor all traffic that matches this rule. For any traffic that is legitimate, you should tune the appropriate allow rule to include the application, perhaps creating a custom application where appropriate.
Rule Highlights
• Unlike the whitelist rules that allow applications on the default port only, this rule allows web-browsing and SSL traffic on any port so that you can find gaps in your whitelist.
• Because this rule is intended to find gaps in policy, limit it to known users on your network. See Create User Groups for Access to Whitelist Applications.
• Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to browse to HTTPS sites that aren't decrypted (such as financial services and healthcare sites).
• You must add this rule above the application block rules or no traffic will hit this rule.

Step 2: Allow web-browsing and SSL traffic on non-standard ports from unknown users to highlight all unknown users regardless of port.
Why do I need this rule?
This rule helps you determine whether you have gaps in your User-ID coverage. This rule also helps you identify compromised or embedded devices that are trying to reach the Internet. Ultimately it is important to block non-standard port usage, even for web-browsing traffic, because it is usually an evasion technique; this rule allows it only temporarily so that you can see who is generating it.
Rule Highlights
• While the majority of the application whitelist rules apply to known users or specific user groups, this rule explicitly matches traffic from unknown users.
• Note that this rule must go above the application block rules or traffic will never hit it.
• Because it is an allow rule, you must attach the best practice security profiles to scan for threats.

Step 3: Allow all applications on the application-default port to identify unexpected applications.
Why do I need this rule?
This rule provides visibility into applications that you weren't aware were running on your network so that you can fine-tune your application whitelist. Monitor all traffic matching this rule to determine whether it represents a potential threat, or whether you need to modify your whitelist rules to allow the traffic.
Rule Highlights
• Because this rule allows all applications, you must add it after the application block rules to prevent bad applications from running on your network.
• If you are running PAN-OS 7.0.x or earlier, to appropriately identify unexpected applications, you must use an application filter that includes all applications, instead of setting the rule to allow any application.

Step 4: Allow any application on any port to identify applications running where they shouldn't be.
Why do I need this rule?
This rule helps you identify legitimate, known applications running on unknown ports. This rule also helps you identify unknown applications for which you need to create a custom application to add to your application whitelist. Any traffic matching this rule is actionable and requires that you track down the source of the traffic and ensure that you are not allowing any unknown-tcp, unknown-udp, or non-syn-tcp traffic.
Rule Highlights
• Because this is a very general rule that allows any application from any user on any port, it must come at the end of your rulebase.
• Enable logging for traffic matching this rule so that you can investigate for misuse of applications and potential threats on your network or identify legitimate applications that require a custom application.

Step 4: Enable Logging for Traffic that Doesn't Match Any Rules
Traffic that does not match any of the rules you defined will match the predefined interzone-default rule at the bottom of the rulebase and be denied. For visibility into the traffic that is not matching any of the rules you created, enable logging on the interzone-default rule:
Enable Logging for Traffic That Doesn't Match Any Rules
Step 1: Select the interzone-default row in the rulebase and click Override to enable editing on this rule.
Step 2: Select the interzone-default rule name to open the rule for editing.
Step 3: On the Actions tab, select Log at Session End and click OK.
Step 4: Create a custom report to monitor traffic that hits this rule.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the interzone-default rule:
(rule eq 'interzone-default')
Step 5: Commit the changes you made to the rulebase.
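Because the initial rulebase built in Steps 1 through 4 has a fixed shape (specific allow rules, then block rules, then the broad tuning rules, with the any-application/any-port rule last, and logging on interzone-default), the structural points above can be checked against a configuration export before you commit. The following is an added example, not code from the guide or from Palo Alto Networks. It lints a security rulebase for: allow rules carrying a security profile group and using the application-default service, allow rules being limited to known-user except where the guide allows any user, block rules logging, the tuning rules sitting on the correct side of the block rules, the catch-all being last, and interzone-default logging at session end. The XML layout (rulebase/security/rules/entry and rulebase/default-security-rules) is an assumption about the PAN-OS export format, the whitelist and block rule names are constructed for the example, and the tuning rule names are the ones used in the guide's custom report queries; adjust all of them to your own rulebase. The embedded rulebase is a constructed sample with several deliberate mistakes.

```python
"""Lint a PAN-OS security rulebase (XML export) against the structural points of the
best practice Internet gateway policy. Added example, not from the guide. The XML
layout and the rule names are ASSUMPTIONS; adjust them to your own export."""
import xml.etree.ElementTree as ET

BLOCK_ACTIONS = {"drop", "deny", "reset-client", "reset-server", "reset-both"}
# Rules the guide allows for any user because users are not yet known when they fire.
ANY_USER_ALLOWED = {"Allow DNS", "Allow Infrastructure"}
# Tuning rules (names from the guide's report queries) and where they must sit.
TUNING_BEFORE_BLOCKS = {"Unexpected Port SSL and Web", "Unknown User SSL and Web"}
TUNING_AFTER_BLOCKS = {"Unexpected Traffic", "Unexpected Port Usage"}
TUNING_RULES = TUNING_BEFORE_BLOCKS | TUNING_AFTER_BLOCKS
KNOWN_USER_EXEMPT = ANY_USER_ALLOWED | {"Unknown User SSL and Web"} | TUNING_AFTER_BLOCKS
CATCH_ALL = "Unexpected Port Usage"  # any application, any port: must be the last rule

# Constructed sample (not a real export). Deliberate mistakes: "Allow Datacenter" has no
# profile group and uses a port-based service, the catch-all is not last, and
# interzone-default does not log.
SAMPLE_RULEBASE = """<rulebase>
<security><rules>
  <entry name="Allow DNS"><source-user><member>any</member></source-user>
    <application><member>dns</member></application><service><member>application-default</member></service>
    <action>allow</action><profile-setting><group><member>best-practice</member></group></profile-setting></entry>
  <entry name="Allow SaaS"><source-user><member>known-user</member></source-user>
    <application><member>sanctioned-saas</member></application><service><member>application-default</member></service>
    <action>allow</action><profile-setting><group><member>best-practice</member></group></profile-setting></entry>
  <entry name="Allow Datacenter"><source-user><member>known-user</member></source-user>
    <application><member>datacenter-apps</member></application><service><member>service-http</member></service>
    <action>allow</action></entry>
  <entry name="Unexpected Port SSL and Web"><source-user><member>known-user</member></source-user>
    <application><member>ssl</member><member>web-browsing</member></application><service><member>any</member></service>
    <action>allow</action><profile-setting><group><member>best-practice</member></group></profile-setting></entry>
  <entry name="Block Bad Apps"><source-user><member>any</member></source-user>
    <application><member>no-use-case</member></application><service><member>any</member></service>
    <action>drop</action><log-end>yes</log-end></entry>
  <entry name="Unexpected Port Usage"><source-user><member>any</member></source-user>
    <application><member>any</member></application><service><member>any</member></service>
    <action>allow</action><profile-setting><group><member>best-practice</member></group></profile-setting><log-end>yes</log-end></entry>
  <entry name="Unexpected Traffic"><source-user><member>any</member></source-user>
    <application><member>any</member></application><service><member>application-default</member></service>
    <action>allow</action><profile-setting><group><member>best-practice</member></group></profile-setting><log-end>yes</log-end></entry>
</rules></security>
<default-security-rules><rules>
  <entry name="interzone-default"><action>deny</action><log-end>no</log-end></entry>
</rules></default-security-rules>
</rulebase>"""


def _members(rule, path):
    """All <member> values under the given child element, e.g. service or source-user."""
    return [m.text.strip() for m in rule.findall(f"{path}/member") if m.text]


def _text(rule, path, default=""):
    node = rule.find(path)
    return node.text.strip() if node is not None and node.text else default


def lint_rulebase(xml_text):
    """Return a list of findings; an empty list means the rulebase passes these checks."""
    root = ET.fromstring(xml_text)
    rules = root.findall(".//security/rules/entry")
    names = [r.get("name") for r in rules]
    block_idx = [i for i, r in enumerate(rules) if _text(r, "action") in BLOCK_ACTIONS]
    findings = []
    for i, rule in enumerate(rules):
        name, action = rule.get("name"), _text(rule, "action")
        if action == "allow":
            if rule.find("profile-setting/group/member") is None:
                findings.append(f"{name}: allow rule has no security profile group attached")
            if name not in TUNING_RULES and _members(rule, "service") != ["application-default"]:
                findings.append(f"{name}: allow rule should use service application-default")
            if name not in KNOWN_USER_EXEMPT and _members(rule, "source-user") != ["known-user"]:
                findings.append(f"{name}: allow rule should be limited to known-user")
        elif action in BLOCK_ACTIONS and _text(rule, "log-end") != "yes":
            findings.append(f"{name}: block rule should log at session end")
        # Tuning rules that find gaps must be above the block rules; broad ones below.
        if name in TUNING_BEFORE_BLOCKS and block_idx and i > min(block_idx):
            findings.append(f"{name}: must be placed above the application block rules")
        if name in TUNING_AFTER_BLOCKS and block_idx and i < max(block_idx):
            findings.append(f"{name}: must be placed below the application block rules")
    if CATCH_ALL in names and names[-1] != CATCH_ALL:
        findings.append(f"{CATCH_ALL}: any-application/any-port rule must be the last rule")
    default = root.find(".//default-security-rules/rules/entry[@name='interzone-default']")
    if default is None or _text(default, "log-end") != "yes":
        findings.append("interzone-default: enable Log at Session End to see unmatched traffic")
    return findings


if __name__ == "__main__":
    for finding in lint_rulebase(SAMPLE_RULEBASE):
        print("FINDING:", finding)
```

The ordering checks use the position of the first and last block rule, so adding a second block rule (Step 2 of the block rules) does not change the logic; the name sets at the top are the only thing to edit when your rule names differ.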

Monitor and Fine-Tune the Policy Rulebase
A best practice security policy is iterative. It is a tool for safely enabling applications, users, and content by classifying all traffic, across all ports, all the time. As soon as you Define the Initial Internet Gateway Security Policy, you must begin to monitor the traffic that matches the temporary rules designed to identify policy gaps and alarming behavior and tune your policy accordingly. By monitoring traffic hitting these rules, you can make appropriate adjustments to your rules to either make sure all traffic is hitting your whitelist application allow rules or assess whether particular applications should be allowed. As you tune your rulebase, you should see less and less traffic hitting these rules. When you no longer see traffic hitting these rules, it means that your positive enforcement whitelist rules are complete and you can Remove the Temporary Rules.
Because new App-IDs are added in weekly content releases, you should review the impact the changes in App-IDs have on your policy.

Identify Policy Gaps
Step 1: Create custom reports that let you monitor traffic that hits the rules designed to identify policy gaps.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name that indicates the particular policy gap you are investigating, such as Best Practice Policy Tuning.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the rules designed to find policy gaps and alarming behavior. You can create a single report that details traffic hitting any of the rules (using the or operator), or create individual reports to monitor each rule. Using the rule names defined in the example policy, you would enter the corresponding queries:
(rule eq 'Unexpected Port SSL and Web')
(rule eq 'Unknown User SSL and Web')
(rule eq 'Unexpected Traffic')
(rule eq 'Unexpected Port Usage')

Step 2: Review the report regularly to make sure you understand why traffic is hitting each of the best practice policy tuning rules and either update your policy to include legitimate applications and users, or use the information in the report to assess the risk of that application usage and implement policy reforms.
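The scheduled report tells you how much traffic hits each tuning rule; the follow-up questions are which applications, on which ports, from which users, and what to do about each. The following is an added example, not code from the guide or from Palo Alto Networks: it performs that grouping over a few constructed traffic-log rows in comma-separated form and turns each group into the next action the guide recommends for that tuning rule (investigate unknown-tcp/unknown-udp/non-syn-tcp, close a User-ID gap, create a custom application or tune a whitelist rule, or make a whitelist decision). The column names (rule, app, src_user, src, dst, dport, bytes) and the rows are constructed for the example; map them to the columns of your own log export.

```python
"""Summarise traffic hitting the temporary tuning rules from a traffic log export and
propose the follow-up action for each group. Added example, not from the guide. The
CSV columns and rows are CONSTRUCTED for illustration; map them to your own export."""
import csv
import io
from collections import defaultdict

# Tuning rule names as used in the guide's custom report queries.
TUNING_RULES = (
    "Unexpected Port SSL and Web",
    "Unknown User SSL and Web",
    "Unexpected Traffic",
    "Unexpected Port Usage",
)
# Applications that must never be left allowed through the catch-all rule.
ACTIONABLE_APPS = {"unknown-tcp", "unknown-udp", "non-syn-tcp"}

# Constructed sample log rows; the last row hits a whitelist rule and is ignored.
SAMPLE_LOG = """rule,app,src_user,src,dst,dport,bytes
Unexpected Port SSL and Web,web-browsing,corp\\alice,10.1.1.10,203.0.113.5,8080,4096
Unexpected Port SSL and Web,ssl,corp\\bob,10.1.1.11,203.0.113.9,8443,2048
Unknown User SSL and Web,ssl,,10.1.1.50,198.51.100.7,443,512
Unexpected Traffic,smtp,corp\\carol,10.1.1.12,198.51.100.25,25,8192
Unexpected Port Usage,unknown-tcp,corp\\dave,10.1.1.13,198.51.100.40,4444,65536
Unexpected Port Usage,rdp,corp\\erin,10.1.1.14,203.0.113.77,33389,16384
Allow SaaS,salesforce-base,corp\\alice,10.1.1.10,203.0.113.1,443,1024
"""


def summarize_tuning_hits(csv_text):
    """Group tuning-rule hits by (rule, app, dport): session count, bytes, users, sources."""
    summary = defaultdict(lambda: {"sessions": 0, "bytes": 0, "users": set(), "sources": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["rule"] not in TUNING_RULES:
            continue
        entry = summary[(row["rule"], row["app"], int(row["dport"]))]
        entry["sessions"] += 1
        entry["bytes"] += int(row["bytes"])
        entry["users"].add(row["src_user"] or "<unknown>")  # empty user = User-ID gap
        entry["sources"].add(row["src"])
    return summary


def triage(summary):
    """Turn each group into the follow-up action the guide recommends for that rule."""
    actions = []
    for (rule, app, dport), entry in sorted(summary.items()):
        users = ", ".join(sorted(entry["users"]))
        sources = ", ".join(sorted(entry["sources"]))
        if app in ACTIONABLE_APPS:
            actions.append(f"INVESTIGATE {app} on port {dport} from {sources} ({rule})")
        elif rule == "Unknown User SSL and Web":
            actions.append(f"USER-ID GAP: {app} from {sources} has no mapped user")
        elif rule in ("Unexpected Port SSL and Web", "Unexpected Port Usage"):
            actions.append(f"CUSTOM APP or tune whitelist: {app} on non-standard port {dport} used by {users}")
        else:  # Unexpected Traffic: a known app on its default port that is simply not whitelisted yet
            actions.append(f"WHITELIST DECISION: {app} on port {dport} used by {users}")
    return actions


if __name__ == "__main__":
    for action in triage(summarize_tuning_hits(SAMPLE_LOG)):
        print(action)
```

Feed it the CSV export of a traffic log filtered with the same `(rule eq ...)` queries as the report; the grouping key deliberately includes the destination port so that a legitimate application on one odd port and an evasive use of the same application on another show up as separate lines.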

Remove the Temporary Rules
After several months of monitoring your initial Internet Gateway best practice Security policy, you should see less and less traffic hitting the temporary rules as you make adjustments to the rulebase. When you no longer see any traffic hitting these rules, you have achieved your goal of transitioning to a fully application-based Security policy rulebase. At this point, you can finalize your policy rulebase by removing the temporary rules, which include the rules you created to block bad applications and the rules you created for tuning the rulebase.
Remove the Temporary Rules
Step 1: Select Policies > Security.
Step 2: Select the rule and click Delete. Alternatively, Disable the rules for a period of time before deleting them. This would allow you to Enable them again if traffic logs show traffic matching the interzone-default rule.
Step 3: Commit the changes.

Maintain the Rulebase

Because applications are always evolving, your application whitelist will need to evolve also. Each time you make a change in what applications you sanction, you must make a corresponding policy change. As you do this, instead of just adding a new rule like you would do with a port-based policy, identify and modify the rule that aligns with the business use case for the application. Because the best practice rules leverage policy objects for simplified administration, adding support for a new application or removing an application from your whitelist typically means modifying the corresponding application group or application filter accordingly.

Additionally, installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for applications with new or modified App-IDs. Therefore, before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing Security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policy rules and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.

Maintain the Best Practice Rulebase

Step 1: Before installing a new content release version, review the new App-IDs to determine if there is policy impact.

Step 2: Disable new App-IDs introduced in a content release, in order to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.

Step 3: Tune security policy rules to account for App-ID changes included in a content release or to add new sanctioned applications to or remove applications from your application whitelist rules.

Enumeration of Rules Within a Rulebase

Each rule within a rulebase is automatically numbered and the ordering adjusts as rules are moved or reordered. When filtering rules to find rules that match the specified filter(s), each rule is listed with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order.

On Panorama, pre-rules, post-rules, and default rules are independently numbered. When Panorama pushes rules to a firewall, the rule numbering reflects the hierarchy and evaluation order of shared rules, device group pre-rules, firewall rules, device group post-rules, and default rules. The Preview Rules option in Panorama displays an ordered list view of the total number of rules on a firewall.

View the Ordered List of Rules Within a Rulebase

- View the numbered list of rules on the firewall: Select Policies and any rulebase under it. For example, Policies > Security. The leftmost column in the table displays the rule number.
- View the numbered list of rules on Panorama: Select Policies and any rulebase under it. For example, Policies > Security > Pre-rules.
- After you push the rules from Panorama, view the complete list of rules with numbers on the firewall: From the web interface of the firewall, select Policies and pick any rulebase under it. For example, select Policies > Security and view the complete set of numbered rules that the firewall will evaluate.

Move or Clone a Policy Rule or Object to a Different Virtual System

On a firewall that has more than one virtual system (vsys), you can move or clone policy rules and objects to a different vsys or to the Shared location. Moving and cloning save you the effort of deleting, recreating, or renaming rules and objects. If the policy rule or object that you will move or clone from a vsys has references to objects in that vsys, move or clone the referenced objects also. If the references are to shared objects, you do not have to include those when moving or cloning. You can Use Global Find to Search the Firewall or Panorama Management Server for references.

Move or Clone a Policy Rule or Object to a Virtual System

Step 1: Select the policy type (for example, Policy > Security) or object type (for example, Objects > Addresses).

Step 2: Select the Virtual System and select one or more policy rules or objects.

Step 3: Perform one of the following steps:
- Select Move > Move to other vsys (for policy rules).
- Click Move (for objects).
- Click Clone (for policy rules or objects).

Step 4: In the Destination drop-down, select the new virtual system or Shared. The default is the Virtual System selected in Step 2.

Step 5: (Policy rules only) Select the Rule order:
- Move top (default): The rule will come before all other rules.
- Move bottom: The rule will come after all other rules.
- Before rule: In the adjacent drop-down, select the rule that comes after the Selected Rules.
- After rule: In the adjacent drop-down, select the rule that comes before the Selected Rules.

Step 6: The Error out on first detected error in validation check box is selected by default. The firewall stops performing the checks for the move or clone action when it finds the first error, and displays just this error. For example, if an error occurs when the Destination vsys doesn't have an object that the policy rule you are moving references, the firewall will display the error and stop any further validation. When you move or clone multiple items at once, selecting this check box will allow you to find one error at a time and troubleshoot it. If you clear the check box, the firewall collects and displays a list of errors. If there are any errors in validation, the object is not moved or cloned until you fix all the errors.

Step 7: Click OK to start the error validation. If the firewall displays errors, fix them and retry the move or clone operation. If the firewall doesn't find errors, the object is moved or cloned successfully. After the operation finishes, click Commit.

Use Tags to Group and Visually Distinguish Objects

You can tag objects to group related items and add color to the tag in order to visually distinguish them for easy scanning. You can create tags for the following objects: address objects, address groups, zones, service groups, and policy rules.

The firewall and Panorama support both static tags and dynamic tags. Dynamic tags are registered from a variety of sources and are not displayed with the static tags because dynamic tags are not part of the firewall/Panorama configuration. See Register IP Addresses and Tags Dynamically for information on registering tags dynamically. The tags discussed in this section are statically added and are part of the configuration.

You can apply one or more tags to objects and to policy rules, up to a maximum of 64 tags per object. Panorama supports a maximum of 10,000 tags, which you can apportion across Panorama (shared and device groups) and the managed firewalls (including firewalls with multiple virtual systems).

- Create and Apply Tags
- Modify Tags
- Use the Tag Browser

Create and Apply Tags

Step 1: Create tags.
To tag a zone, you must create a tag with the same name as the zone. When the zone is attached in policy rules, the tag color automatically displays as the background color against the zone name.
1. Select Objects > Tags.
2. On Panorama or a multiple virtual system firewall, select the Device Group or the Virtual System to make the tag available.
3. Click Add and enter a Name to identify the tag, or select a zone name from the drop-down to create a tag for a zone. The maximum length is 127 characters.
4. (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
5. (Optional) Assign one of the 17 predefined colors to the tag. By default, Color is None.
6. Click OK and Commit to save the changes.

Step 2: Apply tags to an address object, address group, service, or service group.
1. Create the object. For example, to create a service group, select Objects > Service Groups > Add.
2. Select a tag from the Tags drop-down or enter a name in the field to create a new tag. To edit a tag or add color to the tag, see Modify Tags.

Step 3: Apply tags to policy.
1. Select Policies and any rulebase under it.
2. Click Add to create a policy rule and use the tagged objects you created in Step 1.
3. Verify that the tags are in use.

Modify Tags

Select Objects > Tags to perform any of the following operations with tags:
- Click the link in the Name column to edit the properties of a tag.
- Select a tag in the table, and click Delete to remove the tag from the firewall.
- Click Clone to create a duplicate tag with the same properties. A numerical suffix is added to the tag name. For example, FTP-1.

For details on creating tags, see Create and Apply Tags. For information on working with tags, see Use the Tag Browser.

Use the Tag Browser

The tag browser provides a way to view all the tags used within a rulebase. In rulebases with a large number of rules, the tag browser simplifies the display by presenting the tags, the color code, and the rule numbers in which the tags are used.

It also allows you to group rules using the first tag applied to the rule. As a best practice, use the first tag to identify the primary purpose for a rule. For example, the first tag can identify a rule by a high-level function such as best practice, or Internet access or IT-sanctioned applications or high-risk applications. In the tag browser, when you Filter by first tag in rule, you can easily identify gaps in coverage and move rules or add new rules within the rulebase. All the changes are saved to the candidate configuration until you commit the changes on the firewall and make them a part of the running configuration.

For firewalls that are managed by Panorama, the tags applied to pre-rules and post-rules that have been pushed from Panorama display in a green background and are demarcated with green lines so that you can identify these tags from the local tags on the firewall.

Use the Tag Browser

Explore the tag browser.
1. Access the Tag Browser on the left pane of the Policies tab. The tag browser displays the tags that have been used in the rules for the selected rulebase, for example Policies > Security.
2. Tag (#): Displays the label and the rule number or range of numbers in which the tag is used contiguously. Hover over the label to see the location where the rule was defined; it can be inherited from a shared location, a device group, or a virtual system.
3. Rule: Lists the rule number or range of numbers associated with the tags.
4. Sort the tags.
- Filter by first tag in rule: Sorts rules using the first tag applied to each rule in the rulebase. This view is particularly useful if you want to narrow the list and view related rules that might be spread around the rulebase. For example, if the first tag in each rule denotes its function (best practices, administration, web access, data center access, proxy), you can narrow the result and scan the rules based on function.
- Rule Order: Sorts the tags in the order of appearance within the selected rulebase. When displayed in order of appearance, tags used in contiguous rules are grouped. The rule number with which the tag is associated is displayed along with the tag name.
- Alphabetical: Sorts the tags in alphabetical order within the selected rulebase. The display lists the tag name and color (if a color is assigned) and the number of times it is used within the rulebase.
The label None represents rules without any tags; it does not display rule numbers for untagged rules. When you select None, the right pane is filtered to display rules that have no tags assigned to them.
5. Clear: Clears the filter on the currently selected tags in the search bar.
6. Search bar: To search for a tag, enter the term and click the green arrow icon to apply the filter. It also displays the total number of tags in the rulebase and the number of selected tags.
7. Expand or collapse the tag browser.

Tag a rule.
1. Select a rule on the right pane.
2. Do one of the following:
- Select a tag in the tag browser and select Apply the Tag to the Selection(s) from the drop-down.
- Drag and drop tag(s) from the tag browser onto the Tags column of the rule. When you drop a tag, a confirmation dialog displays.
3. Commit the changes.

View rules that match the selected tags.
You can filter rules based on tags with an AND or an OR operator.
- OR filter: To view rules that have specific tags, select one or more tags in the tag browser; the right pane only displays the rules that include any of the currently selected tags.
- AND filter: To view rules that have all the selected tags, hover over the number associated with the tag in the Rule column of the tag browser and select Filter. Repeat to add more tags. Click the apply filter icon in the search bar on the right pane. The results are displayed using an AND operator.

View the currently selected tags.
To view the currently selected tags, hover over the Clear label in the tag browser.

Untag a rule.
Hover over the rule number associated with a tag in the Rule column of the tag browser and select Untag Rule(s). Confirm that you want to remove the selected tag from the rule. Commit the changes.

Reorder rules using tags.
Select one or more tags and hover over the rule number in the Rule column of the tag browser and select Move Rule(s). Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down. Commit the changes.

Add a new rule that applies the selected tags.
Select one or more tags and hover over the rule number in the Rule column of the tag browser, and select Add New Rule. Define the rule and Commit the changes.
The numerical order of the new rule varies by whether you selected a rule on the right pane. If you did not select a rule on the right pane, the new rule will be added after the rule to which the selected tag(s) belongs. Otherwise, the new rule is added after the selected rule.

Search for a tag.
In the tag browser, enter the first few letters of the tag name you want to search for and click the Apply Filter icon. The tags that match your input will display.


Use an External Dynamic List in Policy

An external dynamic list (formerly called dynamic block list) is a text file that you host on an external web server so that the firewall can import objects (IP addresses, URLs, domains) to enforce policy on the entries in the list. As you update the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall.

- External Dynamic List
- Formatting Guidelines for an External Dynamic List
- Enforce Policy on Entries in an External Dynamic List
- View the List of Entries in an External Dynamic List
- Retrieve an External Dynamic List from the Web Server

External Dynamic List

An External Dynamic List is a text file that is hosted on an external web server so that the firewall can import objects (IP addresses, URLs, domains) included in the list and enforce policy. To enforce policy on the entries included in the external dynamic list, you must reference the list in a supported policy rule or profile. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall. If the web server is unreachable, the firewall will use the last successfully retrieved list for enforcing policy until the connection is restored with the web server. To retrieve the external dynamic list, the firewall uses the interface attached to the service route that it uses to access the Palo Alto Updates service.

The firewall supports three types of external dynamic lists:

- IP Address: The firewall typically enforces policy for a source or destination IP address that is defined as a static object on the firewall. If you need agility in enforcing policy for a list of source or destination IP addresses that emerge ad hoc, you can use an external dynamic list of type IP address as a source or destination address object in policy rules, and configure the firewall to deny or allow access to the IP addresses (IPv4 and IPv6 address, IP range and IP subnets) included in the list. The firewall treats an external dynamic list of type IP address as an address object; all the IP addresses included in a list are handled as one address object.
- URL: An external dynamic list of type URL gives you the agility to protect your network from new sources of threat or malware. The firewall handles an external dynamic list with URLs like a custom URL category and you can use this list in two ways:
  - As a match criteria in Security policy rules, Decryption policy rules, and QoS policy rules to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the custom category.
  - In a URL Filtering profile where you can define more granular actions, such as continue, alert, or override, before you attach the profile to a Security policy rule.
- Domain: An external dynamic list of type domain allows you to import custom domain names into the firewall to enforce policy using an Anti-Spyware profile. This capability is very useful if you subscribe to third-party threat intelligence and want to protect your network from new sources of threat or malware as soon as you learn of a malicious domain. For each domain you include in the external dynamic list, the firewall creates a custom DNS-based spyware signature so that you can enable DNS sinkholing. The DNS-based spyware signature is of type spyware with medium severity and each signature is named Custom Malicious DNS Query <domain name>. For details, see Configure DNS Sinkholing for a List of Custom Domains.

On each firewall platform, you can configure a maximum of 30 unique sources for external dynamic lists; these limits are not applicable to Panorama. When using Panorama to manage a firewall that is enabled for multiple virtual systems, if you exceed the limit for the firewall, a commit error displays on Panorama. A source is a URL that includes the IP address or hostname, the path, and the filename for the external dynamic list. The firewall matches the URL (complete string) to determine whether a source is unique.

While the firewall does not impose a limit on the number of lists of a specific type, the following limits are enforced:

- IP address: The PA-5000 Series and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other platforms support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list. When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message.
- URL and domain: A maximum of 50,000 URLs and 50,000 domains are supported on each platform, with no limits enforced on the number of entries per list.

When parsing the list, the firewall skips entries that do not match the list type, and ignores entries that exceed the maximum number supported for the platform.

Formatting Guidelines for an External Dynamic List

An external dynamic list of one type (IP address, URL or Domain) must include entries of that type only.

- IP Address List
- Domain List
- URL List

IP Address List

The external dynamic list can include individual IP addresses, subnet addresses (address/mask), or range of IP addresses. In addition, the block list can include comments and special characters such as *, :, ;, #, or /. The syntax for each line in the list is [IP address, IP/Mask, or IP start range-IP end range] [space] [comment].

Enter each IP address/range/subnet in a new line; URLs or domains are not supported in this list. If you add comments, the comment must be on the same line as the IP address/range/subnet. The space at the end of the IP address is the delimiter that separates a comment from the IP address.

An example IP address list:
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50

For an IP address that is blocked, you can display a notification page only if the protocol is HTTP.

Domain List

Enter each domain name in a new line; URLs or IP addresses are not supported in this list. Do not prefix the domain name with the protocol, http:// or https://. Wildcards are not supported.

An example list of domains:
www.example.com
baddomain.com
qqq.abcedfg.au
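The parsing behavior described above for IP address and domain lists, as an added worked example in Python. This is illustrative code written for this page, not Palo Alto Networks code, and it does not reproduce the firewall's own parser: it accepts individual IPs, address/mask subnets and start-end ranges, treats the first space on a line as the comment delimiter, rejects URLs, wildcards and entries of the other list type, and stops accepting valid entries once the platform limit is reached. The sample lists, the limit table (the 50,000 figure for platforms other than the PA-5000/PA-7000 Series) and the simplified domain-label check are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample lists; the last entries of each are deliberately of the wrong type
# (a domain and a URL in the IP list; a URL, a wildcard and an IP in the domain list).
SAMPLE_IP_LIST = """192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
www.example.com
http://192.0.2.7
"""

SAMPLE_DOMAIN_LIST = """www.example.com
baddomain.com
http://qqq.abcedfg.au
*.wildcard.example
198.51.100.4
"""

# Per-type limits from the guide (IP limit shown for platforms other than PA-5000/PA-7000).
LIMITS = {"ip": 50_000, "domain": 50_000}

# Simplified hostname label check (assumption): letters, digits, hyphens, no leading/trailing hyphen.
DOMAIN_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class ParseResult:
    accepted: list = field(default_factory=list)
    skipped: list = field(default_factory=list)   # wrong type for this list
    ignored: list = field(default_factory=list)   # valid, but beyond the platform limit


def parse_ip_entry(token):
    """Return a normalized entry for an IP, IP/mask, or start-end range; None if it is not one."""
    if "-" in token:
        start, _, end = token.partition("-")
        try:
            a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError:
            return None
        if a.version != b.version or a > b:
            return None
        return f"{a}-{b}"
    try:
        if "/" in token:
            return str(ipaddress.ip_network(token, strict=False))
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def parse_domain_entry(token):
    """Return a bare domain name; None for URLs (scheme or path), wildcards, or IP addresses."""
    if parse_ip_entry(token) is not None or "://" in token or "*" in token or "/" in token:
        return None
    labels = token.split(".")
    if len(labels) < 2 or not all(DOMAIN_LABEL.match(label) for label in labels):
        return None
    return token.lower()


def parse_edl(text, list_type, limit=None):
    """Parse a list the way the guide describes: one entry per line, the first space
    separates the entry from its comment, entries of the wrong type are skipped and
    valid entries past the platform limit are ignored."""
    parser = {"ip": parse_ip_entry, "domain": parse_domain_entry}[list_type]
    limit = LIMITS[list_type] if limit is None else limit
    result = ParseResult()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        token, _, _comment = line.partition(" ")
        entry = parser(token)
        if entry is None:
            result.skipped.append(token)
        elif len(result.accepted) >= limit:
            result.ignored.append(entry)
        else:
            result.accepted.append(entry)
    return result


if __name__ == "__main__":
    for kind, text in (("ip", SAMPLE_IP_LIST), ("domain", SAMPLE_DOMAIN_LIST)):
        r = parse_edl(text, kind)
        print(f"{kind}: accepted={r.accepted} skipped={r.skipped}")
```

Running the same check over a list before publishing it to the web server shows which lines the firewall would silently skip, which is otherwise only visible through the request system external-list show command on the firewall.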

URL List

See Block and Allow Lists.

Enforce Policy on Entries in an External Dynamic List

Step 1: Create the external dynamic list and host it on a web server so that the firewall can retrieve the list for policy evaluation.
Create a text file and enter the URLs, domains, or IP addresses in the file.
To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries. See Formatting Guidelines for an External Dynamic List.

Step 2: Configure the firewall to access the external dynamic list.
1. Select Objects > External Dynamic Lists.
2. Click Add and enter a descriptive Name for the list.
3. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
4. (Panorama only) Select Disable override to ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.
5. In the Type drop-down, select the list type, for example, URL List. Ensure that the list only includes entries for the list type. See Verify whether entries in the external dynamic list were ignored or skipped.
6. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
7. Click Test Source URL to verify that the firewall can connect to the web server (not available on Panorama).
If the web server is unreachable after the connection is established, the firewall uses the last successfully retrieved list for enforcing policy until the connection is restored with the web server.
8. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes.
The interval is relative to the last commit. So, for the five-minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
9. Click OK.
10. Use the external dynamic list in a security profile or directly in a policy rule, as supported. See the following:
- Use an External Dynamic List in a URL Filtering Profile.
- Configure DNS Sinkholing for a List of Custom Domains.
- Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
- Use an External Dynamic List of Type IP as a Source or Destination Address Object in a Security Policy Rule.

Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
You can also Use an External Dynamic List in a URL Filtering Profile.
1. Select Policies > Security.
2. Click Add and enter a descriptive Name for the rule.
3. In the Source tab, select the Source Zone.
4. In the Destination tab, select the Destination Zone.
5. In the Service/URL Category tab, click Add to select the appropriate external dynamic list from the URL Category list.
6. In the Actions tab, set the Action Setting to Allow or Deny.
7. Click OK and Commit.
8. Verify whether entries in the external dynamic list were ignored or skipped.
Use the following CLI command on a firewall to review the details for a list.
request system external-list show type <domain | ip | url> name_of_list
For example:
request system external-list show type url EBL_ISAC_Alert_List
9. Test that the policy action is enforced.
a. Attempt to access a URL that is included in the external dynamic list.
b. Verify that the action you defined is enforced in the browser.
c. To monitor the activity on the firewall:
d. Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
e. Select Monitor > Logs > URL Filtering to access the detailed log view.

Use an External Dynamic List of Type IP as a Source or Destination Address Object in a Security Policy Rule.
This capability is useful if you deploy new servers and want to allow access to the newly deployed servers without requiring a firewall commit.
1. Select Policies > Security.
2. Click Add and give the rule a descriptive name in the General tab.
3. In the Source tab, select the Source Zone and optionally select the external dynamic list as the Source Address.
4. In the Destination tab, select the Destination Zone and optionally select the external dynamic list as the Destination Address.
5. In the Service/URL Category tab, make sure the Service is set to application-default.
6. In the Actions tab, set the Action Setting to Allow or Deny.
Create separate external dynamic lists if you want to specify allow and deny actions for specific IP addresses.
7. Leave all the other options at the default values.
8. Click OK to save the changes.
9. Commit the changes.
10. Test that the policy action is enforced.
a. Access an IP address that is included in the external dynamic list and verify that the action you defined is enforced.
b. Select Monitor > Logs > Traffic and view the log entry for the session.
c. To verify the policy rule that matches a flow, use the following CLI command:
test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> protocol <protocol_number>

View the List of Entries in an External Dynamic List

To view the list of entries that the firewall has retrieved from the web server, enter the following CLI command:

request system external-list show name <name>

For example, for a list named DBL_2014 of type IP address, the output is:

vsys1/DBL_2014:
Next update at: Wed Aug 27 16:00:00 2014
IPs:
1.1.1.1
1.2.2.2/20 #test China
192.168.255.0; test internal
192.168.254.0/24 test internal range

Retrieve an External Dynamic List from the Web Server

You can configure the firewall to retrieve the External Dynamic List from the web server on an hourly, daily, weekly, or monthly basis. If you have added or deleted IP addresses on the list and need to trigger an immediate refresh, use the following process:

Retrieve an External Dynamic List
1. To retrieve the list on demand, select Objects > External Dynamic Lists.
2. Select the list that you want to refresh, and click Import Now. The job to import the list will be added to the queue. To view the status of the job in the Task Manager, see Manage and Monitor Administrative Tasks.

Register IP Addresses and Tags Dynamically

To mitigate the challenges of scale, lack of flexibility and performance, the architecture in networks today allows for clients, servers, and applications to be provisioned, changed, and deleted on demand. This agility poses a challenge for security administrators because they have limited visibility into the IP addresses of the dynamically provisioned clients and servers, and the plethora of applications that can be enabled on these virtual resources.

The firewall (hardware-based platforms and the VM-Series) supports the ability to register IP addresses and tags dynamically. The IP addresses and tags can be registered on the firewall directly or registered on the firewall through Panorama. This dynamic registration process can be enabled using any of the following options:

- User-ID agent for Windows: In an environment where you've deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi and/or vCenter Servers. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.
- VM Information Sources: Allows you to monitor VMware ESXi and vCenter Server, and the AWS-VPC to retrieve IP address changes when you provision or modify virtual machines on these sources. VM Information Sources polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.
- VMware Service Manager (only available for the integrated NSX solution): The integrated NSX solution is designed for automated provisioning and distribution of Palo Alto Networks next-generation security services and the delivery of dynamic context-based security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.
- XML API: The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.

For information on creating and using Dynamic Address Groups, see Use Dynamic Address Groups in Policy.
For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP Addresses and Tags.
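For the XML API option above, an added Python example (written for this page, not Palo Alto Networks code) that builds and checks the uid-message document used to register and unregister IP address/tag pairs. The element layout (uid-message with version, type update, and a payload holding register and unregister sections of entry ip="..." elements with tag/member children) is taken from the PAN-OS XML API Usage Guide rather than from this page and is stated here as an assumption; the sample IP addresses and tag names are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample registrations (IP -> tags); names are illustrative, not from any real environment.
SAMPLE_REGISTER = {
    "10.1.1.10": ["role.web", "vm-state.poweredOn"],
    "10.1.2.20": ["role.db"],
}
SAMPLE_UNREGISTER = {"10.1.1.11": ["role.web"]}


def build_uid_message(register=None, unregister=None):
    """Build the <uid-message> document for dynamic IP/tag registration.

    Assumed layout (per the PAN-OS XML API Usage Guide, not reproduced on this page):
      <uid-message><version>1.0</version><type>update</type><payload>
        <register><entry ip="..."><tag><member>...</member></tag></entry></register>
        <unregister>...same shape...</unregister>
      </payload></uid-message>
    Every IP is validated first so a malformed script input fails here, not at the firewall.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mapping in (("register", register or {}), ("unregister", unregister or {})):
        if not mapping:
            continue
        section = ET.SubElement(payload, action)
        for ip, tags in mapping.items():
            ipaddress.ip_address(ip)          # raises ValueError on a bad address
            if not tags:
                raise ValueError(f"{action}: no tags given for {ip}")
            entry = ET.SubElement(section, "entry", ip=ip)
            tag_el = ET.SubElement(entry, "tag")
            for tag in tags:
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def registrations_in(xml_text):
    """Parse a uid-message back into {'register': {ip: [tags]}, 'unregister': {...}}.
    Useful for reviewing what an automation script is about to push before it is sent."""
    root = ET.fromstring(xml_text)
    out = {"register": {}, "unregister": {}}
    for action in out:
        for entry in root.iterfind(f"./payload/{action}/entry"):
            out[action][entry.get("ip")] = [m.text for m in entry.iterfind("./tag/member")]
    return out


if __name__ == "__main__":
    print(build_uid_message(SAMPLE_REGISTER, SAMPLE_UNREGISTER))
```

Per the XML API Usage Guide, the document is submitted as the cmd parameter of a type=user-id API request authenticated with an API key; that transport is not shown here. Validating addresses and tag lists before sending keeps a typo in an orchestration script from being silently dropped or, worse, registering the wrong host into a Dynamic Address Group.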

Monitor Changes in the Virtual Environment

To secure applications and prevent threats in an environment where new users and servers are constantly emerging, your security policy must be nimble. To be nimble, the firewall must be able to learn about new or modified IP addresses and consistently apply policy without requiring configuration changes on the firewall. This capability is provided by the coordination between the VM Information Sources and Dynamic Address Groups features on the firewall. The firewall and Panorama provide an automated way to gather information on the virtual machine (or guest) inventory on each monitored source and create policy objects that stay in sync with the dynamic changes on the network.

- Enable VM Monitoring to Track Changes on the Virtual Network
- Attributes Monitored in the AWS and VMware Environments
- Use Dynamic Address Groups in Policy

Enable VM Monitoring to Track Changes on the Virtual Network

VM information sources provides an automated way to gather information on the Virtual Machine (VM) inventory on each monitored source (host); the firewall can monitor the VMware ESXi and vCenter Server, and the AWS-VPC. As virtual machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags; these tags can then be used to define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and matched against in policy.

Up to 10 VM information sources can be configured on the firewall or pushed using Panorama templates. By default, the traffic between the firewall and the monitored sources uses the management (MGT) port on the firewall.

VM Information Sources offers easy configuration and enables you to monitor a predefined set of 16 metadata elements or attributes. See Attributes Monitored in the AWS and VMware Environments for the list.

When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. Up to a maximum of 32 tags (from vCenter server and NSX Manager) can be registered to an IP address.

Set up the VM Monitoring Agent

Step 1: Enable the VM Monitoring Agent.
You can configure up to 10 VM information sources for each firewall, or for each virtual system on a multiple virtual systems capable firewall.
If your firewalls are configured in a high availability configuration:
- In an active/passive setup, only the active firewall monitors the VM sources.
- In an active/active setup, only the firewall with the priority value of primary monitors the VM sources.
1. Select Device > VM Information Sources.
2. Click Add and enter the following information:
- A Name to identify the VMware ESX(i) or vCenter Server that you want to monitor.
- Enter the Host information for the server (hostname or IP address) and the Port on which it is listening.
- Select the Type to indicate whether the source is a VMware ESX(i) server or a VMware vCenter Server.
- Add the credentials (Username and Password) to authenticate to the server specified above. Use the credentials of an administrative user to enable access.
- (Optional) Modify the Update interval to a value between 5 and 600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
- (Optional) Enter the interval in hours when the connection to the monitored source is closed, if the host does not respond (default: 2 hours, range 2 to 10 hours). To change the default value, select the check box to Enable timeout when the source is disconnected and specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall will close the connection to the source.
- Click OK, and Commit the changes.
- Verify that the connection Status displays as connected.

SetuptheVMMonitoringAgent(Continued)
Step2

Verifytheconnectionstatus.

VerifythattheconnectionStatus displaysas

connected.

Iftheconnectionstatusispendingordisconnected,verifythatthe
sourceisoperationalandthatthefirewallisabletoaccessthe
source.IfyouuseaportotherthantheMGTportfor
communicatingwiththemonitoredsource,youmustchangethe
serviceroute(Device > Setup > Services,clicktheService Route
ConfigurationlinkandmodifytheSource Interface fortheVM
Monitor service).

Attributes Monitored in the AWS and VMware Environments

Each VM on a monitored ESXi or vCenter server must have VMware Tools installed and running. VMware Tools provides the capability to glean the IP address(es) and other values assigned to each VM.

In order to collect the values assigned to the monitored VMs, the firewall monitors the following predefined set of attributes:

Attributes Monitored on a VMware Source
- UUID
- Name
- Guest OS
- VM State: the power state can be poweredOff, poweredOn, standBy, and unknown.
- Annotation
- Version
- Network: Virtual Switch Name, Port Group Name, and VLAN ID
- Container Name: vCenter Name, Data Center Object Name, Resource Pool Name, Cluster Name, Host, Host IP address.

Attributes Monitored on the AWS VPC
- Architecture
- Guest OS
- Image ID
- Instance ID
- Instance State
- Instance Type
- Key Name
- Placement: Tenancy, Group Name, Availability Zone
- Private DNS Name
- Public DNS Name
- Subnet ID
- Tag (key, value) (up to 5 tags supported per instance)
- VPC ID

Use Dynamic Address Groups in Policy

Dynamic address groups are used in policy. They allow you to create policy that automatically adapts to changes (adds, moves, or deletions of servers). It also enables the flexibility to apply different rules to the same server based on tags that define its role on the network, the operating system, or the different kinds of traffic it processes.

A dynamic address group uses tags as a filtering criteria to determine its members. The filter uses logical and and or operators. All IP addresses or address groups that match the filtering criteria become members of the dynamic address group. Tags can be defined statically on the firewall and/or registered (dynamically) to the firewall. The difference between static and dynamic tags is that static tags are part of the configuration on the firewall, and dynamic tags are part of the runtime configuration. This implies that a commit is not required to update dynamic tags; the tags must however be used by Dynamic Address Groups that are referenced in policy, and the policy must be committed on the firewall.

To dynamically register tags, you can use the XML API or the VM Monitoring agent on the firewall or on the User-ID agent. Each tag is a metadata element or attribute-value pair that is registered on the firewall or Panorama. For example, IP1 {tag1, tag2, ..... tag32}, where the IP address and the associated tags are maintained as a list; each registered IP address can have up to 32 tags such as the operating system, the datacenter or the virtual switch to which it belongs. Within 60 seconds of the API call, the firewall registers the IP address and associated tags, and automatically updates the membership information for the dynamic address group(s).

The maximum number of IP addresses that can be registered for each platform is different. Use the following table for specifics on your platform:
Platform                                                  Maximum number of dynamically registered IP addresses
PA-7000 Series, PA-5060, VM-1000-HV                       100,000
PA-5050                                                   50,000
PA-5020                                                   25,000
PA-4000 Series, PA-3000 Series                            5,000
PA-2000 Series, PA-500, PA-200, VM-300, VM-200, VM-100    1,000

The following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to:

- Enable the VM Monitoring agent on the firewall, to monitor the VMware ESX(i) host or vCenter Server and register VM IP addresses and the associated tags.
- Create dynamic address groups and define the tags to filter. In this example, two address groups are created. One that only filters for dynamic tags and another that filters for both static and dynamic tags to populate the members of the group.
- Validate that the members of the dynamic address group are populated on the firewall.
- Use dynamic address groups in policy. This example uses two different security policies:
  - A security policy for all Linux servers that are deployed as FTP servers; this rule matches on dynamically registered tags.
  - A security policy for all Linux servers that are deployed as web servers; this rule matches on a dynamic address group that uses static and dynamic tags.
- Validate that the members of the dynamic address groups are updated as new FTP or web servers are deployed. This ensures that the security rules are enforced on these new virtual machines too.

Use Dynamic Address Groups in Policy

Step 1  Enable VM Source Monitoring.

See Enable VM Monitoring to Track Changes on the Virtual Network.

Step 2  Create dynamic address groups on the firewall.

View the tutorial to see a big picture view of the feature.

1. Log in to the web interface of the firewall.
2. Select Object > Address Groups.
3. Click Add and enter a Name and a Description for the address group.
4. Select Type as Dynamic.
5. Define the match criteria. You can select dynamic and static tags as the match criteria to populate the members of the group. Click Add Match Criteria, select the And or Or operator, select the attributes that you would like to filter for or match against, and then click OK.
6. Click Commit.

The match criteria for each dynamic address group in this example is as follows:
- ftp_server: matches on the guest operating system Linux 64-bit and annotated as ftp ('guestos.Ubuntu Linux 64-bit' and 'annotation.ftp').
- web-servers: matches on two criteria: the tag black, or the guest operating system is Linux 64-bit and the name of the server is Web_server_Corp ('guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp' or 'black').
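The following Python example is added here to illustrate how a Dynamic Address Group filter selects its members from the runtime IP-to-tag list described in this section; it is not PAN-OS code. It parses match criteria in the notation used for the ftp_server and web-servers groups above (quoted tags joined by and/or, with and binding tighter than or, and optional parentheses), evaluates them against a constructed sample of registered IP addresses and tags, and enforces the 32-tags-per-address limit. The IP addresses, tag values and function names are this example's own.

```python
"""Dynamic address group membership from registered IP/tag lists.

Added illustration, not PAN-OS code: it mimics how a Dynamic Address Group
filter selects members from the (IP -> tags) runtime table, using the two
match criteria of the guide's example (ftp_server and web-servers).
Registered tags and IPs below are constructed sample data.
"""
import re

MAX_TAGS_PER_IP = 32  # limit stated in the guide

# Constructed sample of the runtime IP-tag table (what 'show object
# registered-ip all' would list). Tag names follow the guide's convention.
REGISTERED = {
    "10.1.22.100": {"guestos.Ubuntu Linux 64-bit", "annotation.ftp",
                    "state.poweredOn", "vmname.ftp-01"},
    "10.1.22.105": {"guestos.Ubuntu Linux 64-bit",
                    "vmname.WebServer_Corp", "state.poweredOn"},
    "10.1.22.110": {"guestos.Microsoft Windows Server 2008 32-bit",
                    "vmname.WebServer_Corp", "state.poweredOn"},
    "10.1.22.120": {"guestos.Ubuntu Linux 64-bit", "black",
                    "state.poweredOff"},
}

_TOKEN = re.compile(r"\s*(?:'([^']*)'|(\()|(\))|(and|or))", re.I)


def _tokenize(expr):
    """Split a match-criteria string into quoted tags, parens and operators."""
    pos, tokens = 0, []
    while pos < len(expr.rstrip()):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad match criteria at: %r" % expr[pos:])
        tag, lp, rp, op = m.groups()
        tokens.append(("tag", tag) if tag is not None else
                      ("op", op.lower()) if op else ("paren", lp or rp))
        pos = m.end()
    return tokens


def _parse_or(tokens, i):
    left, i = _parse_and(tokens, i)
    while i < len(tokens) and tokens[i] == ("op", "or"):
        right, i = _parse_and(tokens, i + 1)
        left = ("or", left, right)
    return left, i


def _parse_and(tokens, i):
    left, i = _parse_atom(tokens, i)
    while i < len(tokens) and tokens[i] == ("op", "and"):
        right, i = _parse_atom(tokens, i + 1)
        left = ("and", left, right)
    return left, i


def _parse_atom(tokens, i):
    if i >= len(tokens):
        raise ValueError("unexpected end of match criteria")
    kind, val = tokens[i]
    if kind == "tag":
        return ("tag", val), i + 1
    if (kind, val) == ("paren", "("):
        node, i = _parse_or(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ("paren", ")"):
            raise ValueError("missing closing parenthesis")
        return node, i + 1
    raise ValueError("unexpected token %r" % (tokens[i],))


def parse_criteria(expr):
    """Parse match criteria into a tree of ('tag', x) / ('and'|'or', l, r)."""
    tokens = _tokenize(expr)
    node, i = _parse_or(tokens, 0)
    if i != len(tokens):
        raise ValueError("trailing tokens in match criteria")
    return node


def _matches(node, tags):
    if node[0] == "tag":
        return node[1] in tags
    left, right = _matches(node[1], tags), _matches(node[2], tags)
    return (left and right) if node[0] == "and" else (left or right)


def group_members(expr, registered=REGISTERED):
    """Return the sorted IPs whose registered tags satisfy the match criteria."""
    tree = parse_criteria(expr)
    return sorted(ip for ip, tags in registered.items() if _matches(tree, tags))


def register_tags(registered, ip, new_tags):
    """Add tags to an IP, enforcing the 32-tag-per-address limit from the guide."""
    merged = set(registered.get(ip, set())) | set(new_tags)
    if len(merged) > MAX_TAGS_PER_IP:
        raise ValueError("%s would carry %d tags; limit is %d"
                         % (ip, len(merged), MAX_TAGS_PER_IP))
    registered[ip] = merged
    return merged


FTP_SERVER = "'guestos.Ubuntu Linux 64-bit' and 'annotation.ftp'"
WEB_SERVERS = "('guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp') or 'black'"

if __name__ == "__main__":
    print("ftp_server  ->", group_members(FTP_SERVER))
    print("web-servers ->", group_members(WEB_SERVERS))
```

Because membership is computed from the runtime tag table, a VM whose annotation or name changes moves between groups without a commit, which is exactly why the policy that references the group must be committed once and the group's match criteria reviewed carefully: an over-broad or-branch (such as a bare 'black' tag) admits every address that carries that tag from any source.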

Step 3  Use dynamic address groups in policy.

View the tutorial.

1. Select Policies > Security.
2. Click Add and enter a Name and a Description for the policy.
3. Add the Source Zone to specify the zone from which the traffic originates.
4. Add the Destination Zone at which the traffic is terminating.
5. For the Destination Address, select the Dynamic address group you created in Step 2 above.
6. Specify the action Allow or Deny for the traffic, and optionally attach the default security profiles to the rule.
7. Repeat Steps 1 through 6 above to create another policy rule.
8. Click Commit.

This example shows how to create two policies: one for all access to FTP servers and the other for access to web servers.

Step 4  Validate that the members of the dynamic address group are populated on the firewall.

1. Select Policies > Security, and select the rule.
2. Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria is accurate.
3. Click the more link and verify that the list of registered IP addresses is displayed.

Policy will be enforced for all IP addresses that belong to this address group, and are displayed here.

CLI Commands for Dynamic IP Addresses and Tags

The Command Line Interface on the firewall and Panorama give you a detailed view into the different sources from which tags and IP addresses are dynamically registered. It also allows you to audit registered and unregistered tags. The following examples illustrate the capabilities in the CLI.

Example: View all registered IP addresses that match the tag state.poweredOn, or that are not tagged as vSwitch0.
CLI Command:
  show log iptag tag_name equal state.poweredOn
  show log iptag tag_name not-equal switch.vSwitch0

Example: View all dynamically registered IP addresses that were sourced by VM Information Source with name vmware1 and tagged as poweredOn.
CLI Command:
  show vm-monitor source source-name vmware1 tag state.poweredOn registered-ip all

  registered IP                           Tags
  --------------------------------------- ----------------
  fe80::20c:29ff:fe69:2f76                "state.poweredOn"
  10.1.22.100                             "state.poweredOn"
  2001:1890:12f2:11:20c:29ff:fe69:2f76    "state.poweredOn"
  fe80::20c:29ff:fe69:2f80                "state.poweredOn"
  192.168.1.102                           "state.poweredOn"
  10.1.22.105                             "state.poweredOn"
  2001:1890:12f2:11:2cf8:77a9:5435:c0d    "state.poweredOn"
  fe80::2cf8:77a9:5435:c0d                "state.poweredOn"

Example: Clear all IP addresses and tags learned from a specific VM Monitoring source without disconnecting the source.
CLI Command:
  debug vm-monitor clear source-name <name>

Example: Display IP addresses registered from all sources.
CLI Command:
  show object registered-ip all

Example: Display the count for IP addresses registered from all sources.
CLI Command:
  show object registered-ip all option count

Example: Clear IP addresses registered from all sources.
CLI Command:
  debug object registered-ip clear all

Example: Add or delete tags for a given IP address that was registered using the XML API.
CLI Command:
  debug object test registered-ip [<register/unregister>] <ip/netmask> <tag>

Example: View all tags registered from a specific information source.
CLI Command:
  show vm-monitor source source-name vmware1 tag all

  vlanId.4095
  vswitch.vSwitch1
  host-ip.10.1.5.22
  portgroup.TOBEUSED
  hostname.panserver22
  portgroup.VM Network 2
  datacenter.ha-datacenter
  vlanId.0
  state.poweredOn
  vswitch.vSwitch0
  vmname.Ubuntu22-100
  vmname.win2k8-22-105
  resource-pool.Resources
  vswitch.vSwitch2
  guestos.Ubuntu Linux 32-bit
  guestos.Microsoft Windows Server 2008 32-bit
  annotation.
  version.vmx-08
  portgroup.VM Network
  vm-info-source.vmware1
  uuid.564d362c-11cd-b27f-271f-c361604dfad7
  uuid.564dd337-677a-eb8d-47db-293bd6692f76
  Total: 22

Example: View all tags registered from a specific data source, for example from the VM Monitoring Agent on the firewall, the XML API, Windows User-ID Agent or the CLI.
CLI Command:
  To view tags registered from the CLI:
    show log iptag datasource_type equal unknown
  To view tags registered from the XML API:
    show log iptag datasource_type equal xml-api
  To view tags registered from VM Information sources:
    show log iptag datasource_type equal vm-monitor
  To view tags registered from the Windows User-ID agent:
    show log iptag datasource_type equal xml-api datasource_subtype equal user-id-agent

Example: View all tags that are registered for a specific IP address (across all sources).
CLI Command:
  debug object registered-ip show tag-source ip ip_address tag all

Identify Users Connected through a Proxy Server

If you have a proxy server deployed between the users on your network and the firewall, in HTTP/HTTPS requests the firewall might see the proxy server IP address as the source IP address in the traffic that the proxy forwards rather than the IP address of the client that requested the content. In many cases, the proxy server adds an X-Forwarded-For (XFF) header to traffic packets that includes the actual IPv4 or IPv6 address of the client that requested the content or from whom the request originated. In such cases, you can configure the firewall to read the XFF header values and determine the IP addresses of the client who requested the content. The firewall matches the XFF IP addresses with usernames that your policy rules reference so that those rules can control access for the associated users and groups. The firewall also uses the XFF-derived usernames to populate the source user fields of logs so you can monitor user access to web services.

You can also configure the firewall to add XFF values to URL Filtering logs. In these logs, an XFF value can be the client IP address, client username (if available), the IP address of the last proxy server traversed in a proxy chain, or any string of up to 128 characters that the XFF header stores.

XFF user identification applies only to HTTP or HTTPS traffic, and only if the proxy server supports the XFF header. If the header has an invalid IP address, the firewall uses that IP address as a username for group mapping references in policies. If the XFF header has multiple IP addresses, the firewall uses the first entry from the left.

- Use XFF Values for Policies and Logging Source Users
- Add XFF Values to URL Filtering Logs
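The following Python example is added to make the XFF handling rules above concrete; it is not PAN-OS code and does not reproduce the firewall's implementation. It parses a constructed proxy-forwarded HTTP request, takes the first (leftmost) X-Forwarded-For entry, looks up a username when that entry is a valid IPv4 or IPv6 address and otherwise uses the raw string as the username, as the section states, and shows what stripping the header from the outgoing request looks like. The IP-to-user table, the sample request and all helper names are assumptions made for the example.

```python
"""X-Forwarded-For handling on a proxy-fronted web request.

Added illustration, not PAN-OS code. It models the behaviours the guide
states for XFF user identification: use the leftmost entry when the header
carries several addresses, treat an entry that is not a valid IP address as
a username for group-mapping lookups, and strip the header from the request
before it leaves toward the external server. The request bytes, the
IP-to-user table and the helper names are constructed for the example.
"""
import ipaddress

# Constructed IP-address-to-user mapping, standing in for User-ID's table.
IP_USER_MAP = {
    "10.20.30.40": "acme\\jdoe",
    "2001:db8::15": "acme\\asmith",
}

XFF_HEADER = "x-forwarded-for"
XFF_MAX_LEN = 128  # longest XFF string the guide says URL Filtering logs store


def parse_request(raw):
    """Split an HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def xff_client_identity(headers, ip_user_map=IP_USER_MAP):
    """Derive (client_ip, source_user) the way the guide describes.

    Returns (None, None) when no XFF header is present. When the leftmost
    entry is a valid IPv4/IPv6 address it is looked up for a username; when
    it is not, the raw string itself is used as the username.
    """
    values = headers.get(XFF_HEADER)
    if not values:
        return None, None
    # Several proxies may each append an entry; the guide says the firewall
    # takes the first entry from the left (the original client).
    first = ",".join(values).split(",")[0].strip()
    try:
        client_ip = str(ipaddress.ip_address(first))
    except ValueError:
        return None, first[:XFF_MAX_LEN]
    return client_ip, ip_user_map.get(client_ip)


def strip_xff(raw):
    """Return the request with every X-Forwarded-For header removed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    kept = [line for line in head.split(b"\r\n")
            if not line.lower().startswith(b"x-forwarded-for:")]
    return b"\r\n".join(kept) + sep + body


# Constructed request as a proxy would forward it through the firewall.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 10.20.30.40, 192.0.2.7\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    _, hdrs, _ = parse_request(SAMPLE_REQUEST)
    print(xff_client_identity(hdrs))
    print(strip_xff(SAMPLE_REQUEST).decode())
```

The invalid-address branch is worth noticing from a detection standpoint: because the firewall uses a non-IP XFF entry as a username, a log whose Source User column shows an unexpected free-form string is a sign that a proxy or client in front of the firewall is populating the header with something other than an address.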

Use XFF Values for Policies and Logging Source Users

You can configure the firewall to use XFF values in user-based policies and in the source user fields of logs. To use XFF values in policies, you must also Map IP Addresses to Users, Map Users to Groups (if you have group-based policies), and configure policies based on users or groups.

Logging XFF values doesn't populate the source IP address values of logs. When you view the logs, the source field displays the IP address of the proxy server if one is deployed between the user clients and the firewall. However, you can configure the firewall to Add XFF Values to URL Filtering Logs so that you can see user IP addresses in those logs.

To ensure that attackers can't read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.

These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policies and logs.
Use XFF Values for Policies and Logging Source Users

Step 1  Enable the firewall to use XFF values in policies and in the source user fields of logs.

1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
2. Select the Use X-Forwarded-For Header in User-ID check box.

Step 2  Remove XFF values from outgoing web requests.

1. Select the Strip X-Forwarded-For Header check box.
2. Click OK and Commit.

Step 3  Verify the firewall is populating the source user fields of logs.

1. Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
2. Verify that the Source User column displays the usernames of users who access the web.

Add XFF Values to URL Filtering Logs

You can configure the firewall to add the XFF values from web requests to URL Filtering logs. The XFF values that the logs display can be client IP addresses, usernames if available, or any values of up to 128 characters that the XFF fields store.

This method of logging XFF values doesn't add usernames to the source user fields in URL Filtering logs. To populate the source user fields, see Use XFF Values for Policies and Logging Source Users.

Add XFF Values to URL Filtering Logs

Step 1  Configure a URL Filtering profile.

1. Select Objects > Security Profiles > URL Filtering.
2. Select an existing profile or Add a new profile and enter a descriptive Name.
   You can't enable XFF logging in the default URL Filtering profile.
3. In the Categories tab, Define how to control access to web content.
4. Select the Settings tab and select the X-Forwarded-For check box.
5. Click OK to save the profile.

Step 2  Attach the URL Filtering profile to a policy rule.

1. Select Policies > Security and click the rule.
2. Select the Actions tab, set the Profile Type to Profiles, and select the URL Filtering profile you just created.
3. Click OK and Commit.

Step 3  Verify the firewall is logging XFF values.

1. Select Monitor > Logs > URL Filtering.
2. Display the XFF values in one of the following ways:
   - To display the XFF value for a single log: Click the icon for the log to display its details. The HTTP Headers section displays the X-Forwarded-For value.
   - To display the XFF values for all logs: Open the drop-down in any column header, select Columns, and select the X-Forwarded-For check box. The page then displays an X-Forwarded-For column.

Policy Based Forwarding

Normally, the firewall uses the destination IP address in a packet to determine the outgoing interface. The firewall uses the routing table associated with the virtual router to which the interface is connected to perform the route lookup. Policy Based Forwarding (PBF) allows you to override the routing table, and specify the outgoing or egress interface based on specific parameters such as source or destination IP address, or type of traffic.

- PBF
- Create a Policy Based Forwarding Rule
- Use Case: PBF for Outbound Access with Dual ISPs
- Use Case: PBF for Routing Traffic Through Virtual Systems

PBF

PBF rules allow traffic to take an alternative path from the next hop specified in the route table, and are typically used to specify an egress interface for security or performance reasons. Let's say your company has two links between the corporate office and the branch office: a cheaper Internet link and a more expensive leased line. The leased line is a high bandwidth, low latency link. For enhanced security, you can use PBF to send applications whose traffic isn't encrypted, such as FTP traffic, over the private leased line and all other traffic over the Internet link. Or, for performance, you can choose to route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link.

Egress Path and Symmetric Return

Using PBF, you can direct traffic to a specific interface on the firewall, drop the traffic, or direct traffic to another virtual system (on systems enabled for multiple virtual systems).

In networks with asymmetric routes, such as in a dual ISP environment, connectivity issues occur when traffic arrives at one interface on the firewall and leaves from another interface. If the route is asymmetrical, where the forward (SYN packet) and return (SYN/ACK) paths are different, the firewall is unable to track the state of the entire session and this causes a connection failure. To ensure that the traffic uses a symmetrical path, which means that the traffic arrives at and leaves from the same interface on which the session was created, you can enable the Symmetric Return option.

With symmetric return, the virtual router overrides a routing lookup for return traffic and instead directs the flow back to the MAC address from which it received the SYN packet (or first packet). However, if the destination IP address is on the same subnet as the ingress/egress interface's IP address, a route lookup is performed and symmetric return is not enforced. This behavior prevents traffic from being black-holed.

To determine the next hop for symmetric returns, the firewall uses an Address Resolution Protocol (ARP) table. The maximum number of entries that this ARP table supports is limited by the firewall model and the value is not user-configurable. To determine the limit for your model, use the CLI command: show pbf return-mac all.

Path Monitoring

Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct traffic through an alternate route, when needed. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.

A monitoring profile allows you to specify the threshold number of heartbeats to determine whether the IP address is reachable. When the monitored IP address is unreachable, you can either disable the PBF rule or specify a fail-over or wait-recover action. Disabling the PBF rule allows the virtual router to take over the routing decisions. When the fail-over or wait-recover action is taken, the monitoring profile continues to monitor whether the target IP address is reachable, and when it comes back up, the firewall reverts back to using the original route.

The following table lists the difference in behavior for a path monitoring failure on a new session versus an established session.

Behavior of a session on a monitoring failure:

For an established session
- If the rule stays enabled when the monitored IP address is unreachable:
  - wait-recover: Continue to use egress interface specified in the PBF rule
  - fail-over: Use path determined by routing table (no PBF)
- If the rule is disabled when the monitored IP address is unreachable:
  - wait-recover: Continue to use egress interface specified in the PBF rule
  - fail-over: Use path determined by routing table (no PBF)

For a new session
- If the rule stays enabled when the monitored IP address is unreachable:
  - wait-recover: Use path determined by routing table (no PBF)
  - fail-over: Use path determined by routing table (no PBF)
- If the rule is disabled when the monitored IP address is unreachable:
  - wait-recover: Check the remaining PBF rules. If no match, use the routing table
  - fail-over: Check the remaining PBF rules. If no match, use the routing table

Service Versus Applications in PBF

PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.

However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application, can be forwarded based on the PBF rule.

Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter.

PBF rules cannot be based on domain names; only IP addresses are valid; also, you cannot use custom applications, application filters or application groups in PBF rules.
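The following Python example is added to tie together the PBF behaviours described in this section: top-down evaluation with first-match-wins, Negate on destination addresses, the Forward, Discard and No PBF actions, and the path-monitoring outcomes from the table above for new versus established sessions under wait-recover and fail-over with the rule either left enabled or disabled. It is not PAN-OS code; the rule values mirror the dual-ISP use case later in this chapter (Trust zone, egress ethernet1/1, next hop 1.1.1.1, service-http and service-https), while the data structures, function names and the reachability flag standing in for the ICMP heartbeat result are this example's own assumptions.

```python
"""Top-down PBF rule evaluation with path-monitoring failure handling.

Added illustration, not PAN-OS code. It models the behaviours the guide
describes: rules are evaluated top down and the first match wins; the
destination address list can be negated; a rule's action is Forward,
Discard or No PBF; and on a path-monitoring failure the outcome depends on
whether the session is new or established, whether the monitor action is
wait-recover or fail-over, and whether the rule is disabled on failure.
Rule, zone and address values mirror the guide's dual-ISP example; the
data structures and function names are this example's own.
"""
import ipaddress
from dataclasses import dataclass

ROUTING_TABLE = "routing table (no PBF)"  # stand-in for the virtual router lookup


@dataclass
class PbfRule:
    name: str
    source_zone: str
    egress_interface: str
    next_hop: str
    action: str = "forward"                   # forward | discard | no-pbf
    dest_addrs: tuple = ()                    # CIDR strings; empty means Any
    negate_dest: bool = False
    services: frozenset = frozenset()         # empty set means Any
    monitor_action: str = "wait-recover"      # wait-recover | fail-over
    disable_if_unreachable: bool = False
    next_hop_reachable: bool = True           # assumed result of the ICMP heartbeats


def _addr_in(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def _rule_matches(rule, zone, dst, service):
    if rule.source_zone != zone:
        return False
    if rule.dest_addrs:
        hit = _addr_in(dst, rule.dest_addrs)
        if hit == rule.negate_dest:           # Negate inverts the address match
            return False
    if rule.services and service not in rule.services:
        return False
    return True


def _apply_monitor(rule, rules, idx, zone, dst, service, established):
    """Outcome for a matching rule whose monitored next hop is down."""
    if established:
        # Established sessions keep their egress path under wait-recover and
        # move to the routing table under fail-over, whether or not the rule
        # is disabled on failure.
        return (rule.egress_interface if rule.monitor_action == "wait-recover"
                else ROUTING_TABLE)
    if rule.disable_if_unreachable:
        # Rule is disabled: keep evaluating the remaining rules top down.
        return evaluate_pbf(rules[idx + 1:], zone, dst, service, established)
    return ROUTING_TABLE


def evaluate_pbf(rules, zone, dst, service, established=False):
    """Return the egress decision: an interface name, 'discard' or ROUTING_TABLE."""
    for idx, rule in enumerate(rules):
        if not _rule_matches(rule, zone, dst, service):
            continue
        if rule.action == "discard":
            return "discard"
        if rule.action == "no-pbf":
            return ROUTING_TABLE
        if not rule.next_hop_reachable:
            return _apply_monitor(rule, rules, idx, zone, dst, service, established)
        return rule.egress_interface
    return ROUTING_TABLE


# The guide's dual-ISP rule: Trust -> ethernet1/1 via 1.1.1.1 for http/https,
# with the internal range negated so it never leaves through the ISP link.
PRIMARY_ISP = PbfRule(
    name="Use ISP-Primary", source_zone="Trust",
    egress_interface="ethernet1/1", next_hop="1.1.1.1",
    dest_addrs=("192.168.0.0/16",), negate_dest=True,
    services=frozenset({"service-http", "service-https"}),
)

if __name__ == "__main__":
    print(evaluate_pbf([PRIMARY_ISP], "Trust", "203.0.113.10", "service-https"))
```

Two points the model makes visible: the Negate branch is what keeps internal traffic off the ISP link, so a missing Negate silently sends server-to-server flows out the wrong interface, and a new session during an outage falls back to the routing table unless the rule is configured to disable itself, in which case later rules get a chance to match.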

Create a Policy Based Forwarding Rule

Use a PBF rule to direct traffic to a specific egress interface on the firewall, and override the default path for the traffic.

Create a PBF Rule

Step 1  Create a PBF rule.

When creating a PBF rule you must specify a name for the rule, a source zone or interface, and an egress interface. All other components are either optional or have a default value provided.

1. Select Policies > Policy Based Forwarding and click Add.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, select the following:
   a. Select the Type (Zone or Interface) to which the forwarding policy will be applied, and the relevant zone or interface.
      PBF is only supported on Layer 3 interfaces.
   b. (Optional) Specify the Source Address to which PBF will apply. For example, a specific IP address or subnet IP address from which you want to forward traffic to the interface or zone specified in this rule.
      Use the Negate option to exclude one or more source IP addresses from the PBF rule. For example, if your PBF rule directs all traffic from the specified zone to the Internet, Negate allows you to exclude internal IP addresses from the PBF rule.
      The evaluation order is top down. A packet is matched against the first rule that meets the defined criteria; after a match is triggered the subsequent rules are not evaluated.
   c. (Optional) Add and select the Source User or groups of users to whom the policy applies.
4. In the Destination/Application/Service tab, select the following:
   a. Destination Address. By default the rule applies to Any IP address. Use the Negate option to exclude one or more destination IP addresses from the PBF rule.
   b. Select the Application(s) or Service(s) that you want to control using PBF.
      Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application. For more details, see Service Versus Applications in PBF.
5. In the Forwarding tab, select the following:
   a. Set the Action. The options are as follows:
      - Forward: Directs the packet to a specific Egress Interface. Enter the Next Hop IP address for the packet.
      - Forward To VSYS: (On a firewall enabled for multiple virtual systems) Select the virtual system to which to forward the packet.
      - Discard: Drop the packet.
      - No PBF: Exclude the packets that match the criteria for source/destination/application/service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
      To trigger the specified action at a daily, weekly or non-recurring frequency, create and attach a Schedule.
      (Optional) Enable Monitoring to verify connectivity to a target IP address or to the next hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action when the IP address is unreachable.
   b. (Optional, required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List.
      Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the Internet) is forwarded out through the same interface through which traffic ingresses from the Internet.

Step 2  Save the policies to the running configuration on the firewall.

Click Commit.
The PBF rule is in effect.

Use Case: PBF for Outbound Access with Dual ISPs

In this use case, the branch office has a dual ISP configuration and implements PBF for redundant Internet access. The backup ISP is the default route for traffic from the client to the web servers. In order to enable redundant Internet access without using an internetwork protocol such as BGP, we use PBF with destination interface-based source NAT and static routes, and configure the firewall as follows:

- Enable a PBF rule that routes traffic through the primary ISP, and attach a monitoring profile to the rule. The monitoring profile triggers the firewall to use the default route through the backup ISP when the primary ISP is unavailable.
- Define Source NAT rules for both the primary and backup ISP that instruct the firewall to use the source IP address associated with the egress interface for the corresponding ISP. This ensures that the outbound traffic has the correct source IP address.
- Add a static route to the backup ISP, so that when the primary ISP is unavailable, the default route comes into effect and the traffic is directed through the backup ISP.

PBF for Outbound Access with Dual ISPs

Step 1  Configure the ingress and the egress interfaces on the firewall.

Egress interfaces can be in the same zone. In this example we assign the egress interfaces to different zones.

1. Select Network > Interfaces and then select the interface you want to configure, for example, Ethernet1/1 and Ethernet1/3.
   The interface configuration on the firewall used in this example is as follows:
   - Ethernet1/1 connected to the primary ISP:
     Zone: ISP-East
     IP Address: 1.1.1.2/30
     Virtual Router: Default
   - Ethernet1/3 connected to the backup ISP:
     Zone: ISP-West
     IP Address: 2.2.2.2/30
     Virtual Router: Default
   - Ethernet1/2 is the ingress interface, used by the network clients to connect to the Internet:
     Zone: Trust
     IP Address: 192.168.54.1/24
     Virtual Router: Default
2. To save the interface configuration, click OK.

Step 2  On the virtual router, add a static route to the backup ISP.

1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog.
2. Select the Static Routes tab and click Add. Enter a Name for the route and specify the Destination IP address for which you are defining the static route. In this example, we use 0.0.0.0/0 for all traffic.
3. Select the IP Address radio button and set the Next Hop IP address for your router that connects to the backup Internet gateway. In this example, 2.2.2.1.
4. Specify a cost metric for the route. In this example, we use 10.
5. Click OK twice to save the virtual router configuration.

Step 3  Create a PBF rule that directs traffic to the interface that is connected to the primary ISP.

Make sure to exclude traffic destined to internal servers/IP addresses from PBF. Define a negate rule so that traffic destined to internal IP addresses is not routed through the egress interface defined in the PBF rule.

1. Select Policies > Policy Based Forwarding and click Add.
2. Give the rule a descriptive Name in the General tab.
3. In the Source tab, set the Source Zone to Trust.
4. In the Destination/Application/Service tab, set the following:
   a. In the Destination Address section, Add the IP addresses or address range for servers on the internal network or create an address object for your internal servers. Select Negate to exclude the IP addresses or address object listed above from using this rule.
   b. In the Service section, Add the service-http and service-https services to allow HTTP and HTTPS traffic to use the default ports. For all other traffic that is allowed by security policy, the default route will be used.
      To forward all traffic using PBF, set the Service to Any.
5. In the Forwarding tab, specify the interface to which you want to forward traffic and enable path monitoring.
   a. To forward traffic, set the Action to Forward, and select the Egress Interface and specify the Next Hop. In this example, the egress interface is ethernet1/1, and the next hop IP address is 1.1.1.1.
   b. Enable Monitor and attach the default monitoring profile, to trigger a failover to the backup ISP. In this example, we do not specify a target IP address to monitor. The firewall will monitor the next hop IP address; if this IP address is unreachable the firewall will direct traffic to the default route specified on the virtual router.
   c. (Required if you have asymmetric routes). Select Enforce Symmetric Return to ensure that return traffic from the Trust zone to the Internet is forwarded out on the same interface through which traffic ingressed from the Internet. NAT ensures that the traffic from the Internet is returned to the correct interface/IP address on the firewall.
   d. Click OK to save the changes.

Step 4  Create NAT rules based on the egress interface and ISP. These rules ensure that the correct source IP address is used for outbound connections.

1. Select Policies > NAT and click Add.
2. In this example, the NAT rule we create for each ISP is as follows:
   NAT for Primary ISP
     In the Original Packet tab:
       Source Zone: Trust
       Destination Zone: ISP-West
     In the Translated Packet tab, under Source Address Translation:
       Translation Type: Dynamic IP and Port
       Address Type: Interface Address
       Interface: ethernet1/1
       IP Address: 1.1.1.2/30
   NAT for Backup ISP
     In the Original Packet tab:
       Source Zone: Trust
       Destination Zone: ISP-East
     In the Translated Packet tab, under Source Address Translation:
       Translation Type: Dynamic IP and Port
       Address Type: Interface Address
       Interface: ethernet1/3
       IP Address: 2.2.2.2/30

Step 5  Create security policy to allow outbound access to the Internet.

To safely enable applications, create a simple rule that allows access to the Internet and attach the security profiles available on the firewall.

1. Select Policies > Security and click Add.
2. Give the rule a descriptive Name in the General tab.
3. In the Source tab, set the Source Zone to Trust.
4. In the Destination tab, set the Destination Zone to ISP-East and ISP-West.
5. In the Service/URL Category tab, leave the default application-default.
6. In the Actions tab, complete these tasks:
   a. Set the Action Setting to Allow.
   b. Attach the default profiles for Antivirus, Anti-Spyware, Vulnerability Protection and URL Filtering, under Profile Setting.
7. Under Options, verify that logging is enabled at the end of a session. Only traffic that matches a security rule is logged.

Step 6  Save the policies to the running configuration on the firewall.

Click Commit.

Step 7  Verify that the PBF rule is active and that the primary ISP is used for Internet access.

1. Launch a web browser and access a web server. On the firewall check the traffic log for web browsing activity.
2. From a client on the network, use the ping utility to verify connectivity to a web server on the Internet, and check the traffic log on the firewall.

   C:\Users\pm-user1>ping 4.2.2.1
   Pinging 4.2.2.1 with 32 bytes of data:
   Reply from 4.2.2.1: bytes=32 time=34ms TTL=117
   Reply from 4.2.2.1: bytes=32 time=13ms TTL=117
   Reply from 4.2.2.1: bytes=32 time=25ms TTL=117
   Reply from 4.2.2.1: bytes=32 time=3ms TTL=117
   Ping statistics for 4.2.2.1:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
   Approximate round trip times in milli-seconds:
   Minimum = 3ms, Maximum = 34ms, Average = 18ms

3. To confirm that the PBF rule is active, use the CLI command show pbf rule all

   admin@PA-NGFW> show pbf rule all
   Rule       ID  Rule State Action  Egress IF/VSYS NextHop
   ========== === ========== ======= ============== =======
   Use ISP-Pr 1   Active     Forward ethernet1/1    1.1.1.1

Step 8  Verify that the failover to the backup ISP occurs and that the Source NAT is correctly applied.

1. Unplug the connection to the primary ISP.
2. Confirm that the PBF rule is inactive with the CLI command show pbf rule all

   admin@PA-NGFW> show pbf rule all
   Rule       ID  Rule State Action  Egress IF/VSYS NextHop
   ========== === ========== ======= ============== =======
   Use ISP-Pr 1   Disabled   Forward ethernet1/1    1.1.1.1

3. Access a web server, and check the traffic log to verify that traffic is being forwarded through the backup ISP.

PANOS7.1AdministratorsGuide 873

PolicyBasedForwarding

Policy

PBFforOutboundAccesswithDualISPs(Continued)
4.

ViewthesessiondetailstoconfirmthattheNATruleis
workingproperly.
admin@PA-NGFW> show session all
--------------------------------------------------------ID Application
State
Type Flag Src[Sport]/Zone/Proto
(translated IP[Port]) Vsys Dst[Dport]/Zone (translated
IP[Port])
--------------------------------------------------------87212 ssl ACTIVE FLOW NS
192.168.54.56[53236]/Trust/6
(2.2.2.2[12896]) vsys1 204.79.197.200[443]/ISP-East
(204.79.197.200[443])

5. Obtain the session identification number from the output and view the session details. Note that the PBF rule is not used and hence is not listed in the output.

   admin@PA-NGFW> show session id 87212

   Session           87212

           c2s flow:
                   source:      192.168.54.56 [Trust]
                   dst:         204.79.197.200
                   proto:       6
                   sport:       53236           dport:      443
                   state:       ACTIVE          type:       FLOW
                   src user:    unknown
                   dst user:    unknown

           s2c flow:
                   source:      204.79.197.200 [ISP-East]
                   dst:         2.2.2.2
                   proto:       6
                   sport:       443             dport:      12896
                   state:       ACTIVE          type:       FLOW
                   src user:    unknown
                   dst user:    unknown

           start time                    : Wed Nov  5 11:16:10 2014
           timeout                       : 1800 sec
           time to live                  : 1757 sec
           total byte count(c2s)         : 1918
           total byte count(s2c)         : 4333
           layer7 packet count(c2s)      : 10
           layer7 packet count(s2c)      : 7
           vsys                          : vsys1
           application                   : ssl
           rule                          : Trust2ISP
           session to be logged at end   : True
           session in session ager       : True
           session synced from HA peer   : False
           address/port translation      : source
           nat-rule                      : NAT-Backup ISP(vsys1)
           layer7 processing             : enabled
           URL filtering enabled         : True
           URL category                  : search-engines
           session via syn-cookies       : False
           session terminated on host    : False
           session traverses tunnel      : False
           captive portal session        : False
           ingress interface             : ethernet1/2
           egress interface              : ethernet1/3
           session QoS rule              : N/A (class 4)

DoS Protection Against Flooding of New Sessions

The following topics describe how to configure DoS protection to better block IP addresses in order to handle high-volume attacks more efficiently.

- DoS Protection Against Flooding of New Sessions
- Configure DoS Protection Against Flooding of New Sessions
- Use the CLI to End a Single Attacking Session
- Identify Sessions That Use an Excessive Percentage of the Packet Buffer
- Discard a Session Without a Commit

DoS Protection Against Flooding of New Sessions

DoS protection against flooding of new sessions is beneficial against high-volume single-session and multiple-session attacks. In a single-session attack, an attacker uses a single session to target a device behind the firewall. If a Security rule allows the traffic, the session is established and the attacker initiates an attack by sending packets at a very high rate with the same source IP address and port number, destination IP address and port number, and protocol, trying to overwhelm the target. In a multiple-session attack, an attacker uses multiple sessions (or connections per second [cps]) from a single host to launch a DoS attack.

This feature defends only against DoS attacks of new sessions, that is, traffic that has not been offloaded to hardware. An offloaded attack is not protected by this feature. However, this topic describes how you can create a Security policy rule to reset the client; the attacker re-initiates the attack with numerous connections per second and is blocked by the defenses illustrated in this topic.

- Multiple-Session DoS Attack
- Single-Session DoS Attack

Multiple-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions by configuring a DoS Protection policy rule, which determines the criteria that, when matched by incoming packets, trigger the protect action. The DoS Protection profile counts each new connection toward the Alarm Rate, Activate Rate, and Max Rate thresholds. When the incoming new connections per second exceed the Max Rate allowed, the firewall takes the action specified in the DoS Protection policy rule.

The following figure and table describe how the Security policy rules, DoS Protection policy rules and profile work together in an example.
Sequence of Events as Firewall Quarantines an IP Address

In this example, an attacker launches a DoS attack at a rate of 10,000 new connections per second to UDP port 53. The attacker also sends 10 new connections per second to HTTP port 80.

The new connections match criteria in the DoS Protection policy rule, such as a source zone or interface, source IP address, destination zone or interface, destination IP address, or a service, among other settings. In this example, the policy rule specifies UDP.

The DoS rule also specifies the Protect action and Classified, two settings that dynamically put the DoS Protection Profile settings into effect. The DoS Protection Profile specifies that a Max Rate of 3000 packets per second is allowed. When incoming packets match the DoS rule, new connections per second are counted toward the Alert, Activate, and Max Rate thresholds.

You can also use a Security policy rule to block all traffic from the source IP address if you deem that address to be malicious all the time.

The 10,000 new connections per second exceed the Max Rate threshold. When all of the following occur:
- the threshold is exceeded,
- a Block Duration is specified, and
- Classified is set to include source IP address,
the firewall puts the offending source IP address on the block list.

An IP address on the block list is in quarantine, meaning all traffic from that IP address is blocked. The firewall blocks the offending source IP address before additional attack packets reach the Security policy.

The following figure describes in more detail what happens after an IP address that matches the DoS Protection policy rule is put on the block list. It also describes the Block Duration timer.

Every one second, the firewall allows the IP address to come off the Block List so that the firewall can test the traffic patterns and determine if the attack is ongoing. The firewall takes the following action:

- During this one-second test period, the firewall allows packets that do not match the DoS Protection policy criteria (HTTP traffic in this example) through the DoS Protection policy rules to the Security policy for validation. Very few packets, if any, have time to get through because the first attack packet that the firewall receives after the IP address is let off the Block List will match the DoS Protection policy criteria, quickly causing the IP address to be placed back on the block list for another second. The firewall repeats this test each second until the attack stops.
- The firewall blocks all attack traffic from going past the DoS Protection policy rules until the Block Duration expires.

When the attack stops, the firewall does not put the IP address back on the block list. The firewall allows non-attack traffic to proceed through the DoS Protection policy rules to the Security policy rules for validation. You must configure a Security policy rule because without one, an implicit deny rule denies all traffic.

The block list is based on a source zone and source address combination. This behavior allows duplicate IP addresses to exist as long as they are in different zones belonging to separate virtual routers.

The Block Duration setting in a DoS Protection profile specifies how long the firewall blocks the [offending] packets that exactly match a DoS Protection policy rule. The attack traffic remains blocked until the Block Duration expires, after which the attack traffic must again exceed the Max Rate threshold to be blocked again.
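The block-list sequence described above, modelled in Python as an added example (this is not Palo Alto Networks code and does not reproduce the firewall's implementation): a Classified rule keyed on source IP, the profile's Alarm Rate and Max Rate thresholds, the Block Duration timer, and the one-second re-test. Random Early Drop at the Activate Rate is not modelled; the traffic, addresses and lowered thresholds are constructed for the run.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class DoSProfile:
    alarm_rate: int = 10000      # new connections/s above which an alarm is raised
    max_rate: int = 40000        # new connections/s the firewall allows through the rule
    block_duration: int = 300    # seconds that matching traffic stays blocked


@dataclass
class DoSRule:
    """A Classified DoS Protection rule keyed on source IP (source-ip-only)."""
    profile: DoSProfile
    matches: Callable[[str, str], bool]   # (src_ip, app) -> does the attempt match the rule?
    block_until: dict = field(default_factory=dict)     # src_ip -> second the Block Duration expires
    alarms: list = field(default_factory=list)          # (second, src_ip) when Alarm Rate is reached
    passed: Counter = field(default_factory=Counter)    # (src_ip, app) -> sent on to Security policy
    dropped: Counter = field(default_factory=Counter)   # (src_ip, app) -> dropped

    def process_second(self, t: int, attempts: list) -> None:
        """Process the new-connection attempts (src_ip, app) arriving during second t, in order.

        Each second a blocked source is let off the block list for a test; the first attempt
        that matches the rule puts it straight back, so only attempts that arrive before it
        reach the Security policy.
        """
        cps = Counter()        # matching attempts counted toward the thresholds this second
        quarantined = set()    # sources on the block list for the rest of this second
        for src, app in attempts:
            if src in quarantined:
                self.dropped[(src, app)] += 1      # quarantine drops every application
                continue
            if self.matches(src, app):
                if self.block_until.get(src, 0) > t:
                    # Block Duration still running: drop the attack traffic and put the
                    # source back on the block list for the rest of this second.
                    quarantined.add(src)
                    self.dropped[(src, app)] += 1
                    continue
                cps[src] += 1
                if cps[src] == self.profile.alarm_rate:
                    self.alarms.append((t, src))
                if cps[src] > self.profile.max_rate:
                    # Max Rate exceeded with a Block Duration set: start the timer and
                    # quarantine the source; later attempts this second are dropped.
                    self.block_until[src] = t + self.profile.block_duration
                    quarantined.add(src)
                    self.dropped[(src, app)] += 1
                    continue
            self.passed[(src, app)] += 1           # on to the Security policy for validation


ATTACKER, CLIENT = "203.0.113.10", "192.0.2.20"    # constructed addresses


def run_example() -> DoSRule:
    """Replay the page's scenario with lowered thresholds: 10,000 UDP/53 and 10 HTTP
    connection attempts per second from one attacker during seconds 0-2, then the attack
    stops, while a legitimate client keeps browsing."""
    profile = DoSProfile(alarm_rate=1000, max_rate=3000, block_duration=5)
    rule = DoSRule(profile, matches=lambda src, app: app == "dns")   # the rule specifies UDP/53
    for t in range(4):
        attempts = [(CLIENT, "http")] * 50
        if t < 3:
            for i in range(10000):
                if i % 1000 == 0:                   # HTTP attempts interleaved with the flood
                    attempts.append((ATTACKER, "http"))
                attempts.append((ATTACKER, "dns"))
        else:
            attempts += [(ATTACKER, "http")] * 10   # attack over; only HTTP remains
        rule.process_second(t, attempts)
    return rule


if __name__ == "__main__":
    r = run_example()
    print("alarms:", r.alarms)
    print("block list expiry:", r.block_until)
    print("passed:", dict(r.passed))
    print("dropped:", dict(r.dropped))
```

In the run, only the first 3000 matching attempts of second 0 pass; during seconds 1 and 2 a single HTTP attempt slips through before the first flood packet re-quarantines the source, and once the attack stops the attacker's HTTP traffic reaches the Security policy again while the Block Duration is still running.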

If the attacker uses multiple sessions or bots that initiate multiple attack sessions, the sessions count toward the thresholds in the DoS Protection profile without a Security policy deny rule in place. Hence, a single-session attack requires a Security policy deny rule in order for each packet to count toward the thresholds; a multiple-session attack does not.

Therefore, the DoS protection against flooding of new sessions allows the firewall to efficiently defend against a source IP address while attack traffic is ongoing and to permit non-attack traffic to pass as soon as the attack stops. Putting the offending IP address on the block list allows the DoS protection functionality to take advantage of the block list, which is designed to quarantine all activity. Quarantining the IP address from all activity protects against a modern attacker who attempts a rotating application attack, in which the attacker simply changes applications to start a new attack or uses a combination of different attacks in a hybrid DoS attack.

Beginning with PAN-OS 7.0.2, it is a change in behavior that the firewall places the attacking source IP address on the block list. When the attack stops, non-attack traffic is allowed to proceed to the Security policy rules. The attack traffic that matched the DoS Protection profile and DoS Protection policy rules remains blocked until the Block Duration expires.

Single-Session DoS Attack

A single-session DoS attack typically will not trigger Zone or DoS Protection profiles because they are attacks that are formed after the session is created. These attacks are allowed by the Security policy because a session is allowed to be created, and after the session is created, the attack drives up the packet volume and takes down the target device.

Configure DoS Protection Against Flooding of New Sessions to protect against flooding of new sessions (single-session and multiple-session flooding). In the event of a single-session attack that is underway, additionally Use the CLI to End a Single Attacking Session.

Configure DoS Protection Against Flooding of New Sessions

Step 1   (Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation) Configure Security policy rules to deny traffic from the attacker's IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address.

   This step is one of the steps typically performed to stop an existing attack. See Use the CLI to End a Single Attacking Session.

   See Components of a Security Policy Rule and Create a Security Policy Rule.
Configure DoS Protection Against Flooding of New Sessions (Continued)

Step 2   Configure a DoS Protection profile for flood protection.

   Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.

1. Select Objects > Security Profiles > DoS Protection and Add a profile Name.

2. Select Classified as the Type.

3. For Flood Protection, select all types of flood protection:
   - SYN Flood
   - UDP Flood
   - ICMP Flood
   - ICMPv6 Flood
   - Other IP Flood

4. (Optional) On each of the flood tabs, change the following thresholds to suit your environment:
   - Alarm Rate (packets/s): Specify the threshold rate (packets per second [pps]) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
   - Activate Rate (packets/s): Specify the threshold rate (pps) above which a DoS response is activated. The DoS response is configured in the Action field of the DoS policy where this profile is referenced. When the Activate Rate threshold is reached, Random Early Drop occurs. (Range is 0-2,000,000; default is 10,000.)
   - Max Rate (packets/s): Specify the threshold rate of incoming packets per second that the firewall allows. When the threshold is exceeded, new packets that arrive are dropped and the Action specified in the DoS Policy rule is triggered. (Range is 2-2,000,000; default is 40,000.)

   The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.

5. On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.)
   - Set a low Block Duration value if you are concerned that packets you incorrectly identified as attack traffic will be blocked unnecessarily.
   - Set a high Block Duration value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that are not part of an attack.

6. Click OK.
Configure DoS Protection Against Flooding of New Sessions (Continued)

Step 3   Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.

1. Select Policies > DoS Protection and Add a Name on the General tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores.

2. On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s).

3. (Optional) For Source Address, select Any for any incoming IP address to match the rule or Add an address object such as a geographical region.

4. (Optional) For Source User, select any or specify a user.

5. (Optional) Select Negate to match any sources except those you specify.

6. (Optional) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect.

7. (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.

8. (Optional) On the Option/Protection tab, Add a Service. Select a service or click Service and enter a Name. Select TCP or UDP. Enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.

9. On the Option/Protection tab, for Action, select Protect.

10. Select Classified.

11. For Profile, select the name of the DoS Protection profile you created.

12. For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic.
    - Specify source-ip-only if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack, source-ip-only is the typical setting for a wider examination.
    - Specify src-dest-ip-both if you want to protect only against DoS attacks on the server that has a specific destination address and also ensure that every source IP address will not surpass a specific connections-per-second threshold to that server.

13. Click OK.

Step 4   Save the configuration.

   Click Commit.
Use the CLI to End a Single Attacking Session

To mitigate a single-session DoS attack, you would still Configure DoS Protection Against Flooding of New Sessions in advance. At some point after you configure the feature, a session might be established before you realize a DoS attack (from the IP address of that session) is underway. When you see a single-session DoS attack, perform the following task to end the session, so that subsequent connection attempts from that IP address trigger the DoS protection against flooding of new sessions.

Use the CLI to End a Single Attacking Session

Step 1   Identify the source IP address that is causing the attack.

   For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, in PAN-OS 7.0 and later, you can use ACC to filter on destination address to view the activity to the target host being attacked.

Step 2   Create a DoS Protection policy rule that will block the attacker's IP address after the attack thresholds are exceeded.

Step 3   Create a Security policy rule to deny the source IP address and its attack traffic.

Step 4   End any existing attacks from the attacking source IP address by executing the clear session all filter source <ip-address> operational command.

   Alternatively, if you know the session ID, you can execute the clear session id <value> command to end that session only.

   If you use the clear session all filter source <ip-address> command, all sessions matching the source IP address are discarded, which can include both good and bad sessions.

After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Sequence of Events as Firewall Quarantines an IP Address.

Identify Sessions That Use an Excessive Percentage of the Packet Buffer

When a firewall exhibits signs of resource depletion, it might be experiencing an attack that is sending an overwhelming number of packets. In such events, the firewall starts buffering inbound packets. You can quickly identify the sessions that are using an excessive percentage of the packet buffer and mitigate their impact by discarding them.

Perform the following task on any hardware-based firewall platform (not a VM-Series firewall) to identify, for each slot and dataplane, the packet buffer percentage used, the top five sessions using more than two percent of the packet buffer, and the source IP addresses associated with those sessions. Having that information allows you to take appropriate action.
View Firewall Resource Usage, Top Sessions, and Session Details

Step 1   View firewall resource usage, top sessions, and session details. Execute the following operational command in the CLI (sample output from the command follows):

   admin@PA-7050> show running resource-monitor ingress-backlogs
   -- SLOT: s1, DP: dp1 --
   USAGE - ATOMIC: 92% TOTAL: 93%

   TOP SESSIONS:
   SESS-ID         PCT     GRP-ID  COUNT
   6               92%     1       156
                           7       1732

   SESSION DETAILS
   SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
   6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided

   The command displays a maximum of the top five sessions that each use 2% or more of the packet buffer. The sample output above indicates that Session 6 is using 92% of the packet buffer with TCP packets (protocol 6) coming from source IP address 192.168.2.35.

   - SESS-ID: Indicates the global session ID that is used in all other show session commands. The global session ID is unique within the firewall.
   - GRP-ID: Indicates an internal stage of processing packets.
   - COUNT: Indicates how many packets are in that GRP-ID for that session.
   - APP: Indicates the App-ID extracted from the Session information, which can help you determine whether the traffic is legitimate. For example, if packets use a common TCP or UDP port but the CLI output indicates an APP of undecided, the packets are possibly attack traffic. The APP is undecided when Application IP Decoders cannot get enough information to determine the application. An APP of unknown indicates that Application IP Decoders cannot determine the application; a session of unknown APP that uses a high percentage of the packet buffer is also suspicious.

   To restrict the display output:
   - On a PA-7000 Series platform, you can limit output to a slot, a dataplane, or both. For example:
     admin@PA-7050> show running resource-monitor ingress-backlogs slot s1
     admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 dp dp1
   - On a PA-5000 Series platform, you can limit output to a dataplane. For example:
     admin@PA-5060> show running resource-monitor ingress-backlogs dp dp1
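A parser for the ingress-backlogs output above, written as an added example (not Palo Alto Networks code), that applies the triage rule the text gives: flag sessions holding 2% or more of the packet buffer whose APP is undecided or unknown. The sample text is a reconstruction of the page's output; the column layout is assumed to be whitespace-separated as shown.

```python
import re

# Constructed from the sample output on this page (one slot/dataplane, one top session).
SAMPLE_OUTPUT = """\
-- SLOT: s1, DP: dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%

TOP SESSIONS:
SESS-ID         PCT     GRP-ID  COUNT
6               92%     1       156
                        7       1732

SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided
"""

SLOT_RE = re.compile(r"^-- SLOT:\s*(\S+), DP:\s*(\S+)")
USAGE_RE = re.compile(r"ATOMIC:\s*(\d+)%\s+TOTAL:\s*(\d+)%")
TOP_RE = re.compile(r"^(\d+)\s+(\d+)%\s+(\d+)\s+(\d+)\s*$")     # SESS-ID PCT GRP-ID COUNT
GRP_RE = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")                    # continuation: GRP-ID COUNT


def parse_backlogs(text):
    """Return {(slot, dp): {"usage": {...}, "sessions": {sess_id: {...}}}}."""
    result, current, section, last_sess = {}, None, None, None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = result.setdefault((m.group(1), m.group(2)), {"usage": {}, "sessions": {}})
            section = None
        if current is None:
            continue
        m = USAGE_RE.search(line)   # usage may sit on the SLOT line or on its own line
        if m:
            current["usage"] = {"atomic": int(m.group(1)), "total": int(m.group(2))}
            continue
        if line.startswith("TOP SESSIONS"):
            section = "top"
            continue
        if line.startswith("SESSION DETAILS"):
            section = "details"
            continue
        if section == "top":
            m = TOP_RE.match(line)
            if m:
                last_sess = int(m.group(1))
                current["sessions"][last_sess] = {"pct": int(m.group(2)),
                                                  "groups": {int(m.group(3)): int(m.group(4))}}
                continue
            m = GRP_RE.match(line)
            if m and last_sess is not None:   # further GRP-ID rows of the same session
                current["sessions"][last_sess]["groups"][int(m.group(1))] = int(m.group(2))
        elif section == "details":
            parts = line.split()
            if len(parts) == 10 and parts[0].isdigit():
                sess = current["sessions"].setdefault(int(parts[0]), {"pct": 0, "groups": {}})
                sess.update(proto=int(parts[1]), szone=parts[2], src=parts[3], sport=int(parts[4]),
                            dst=parts[5], dport=int(parts[6]), igr_if=parts[7], egr_if=parts[8],
                            app=parts[9])
    return result


def suspicious_sessions(parsed, min_pct=2, apps=("undecided", "unknown")):
    """Sessions holding >= min_pct of the buffer whose App-ID could not be determined."""
    flagged = []
    for (slot, dp), data in parsed.items():
        for sid, s in data["sessions"].items():
            if s["pct"] >= min_pct and s.get("app") in apps:
                flagged.append({"slot": slot, "dp": dp, "session": sid, "pct": s["pct"],
                                "src": s.get("src"), "proto": s.get("proto"), "app": s.get("app"),
                                "packets_buffered": sum(s["groups"].values())})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_sessions(parse_backlogs(SAMPLE_OUTPUT)):
        print(hit)
```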

View Firewall Resource Usage, Top Sessions, and Session Details

Step 2   Use the command output to determine whether the source at the source IP address using a high percentage of the packet buffer is sending legitimate or attack traffic.

   In the sample output above, a single-session attack is likely occurring. A single session (Session ID 6) is using 92% of the packet buffer for Slot 1, DP 1, and the application at that point is undecided.

   If you determine a single user is sending an attack and the traffic is not offloaded, you can Use the CLI to End a Single Attacking Session. At a minimum, you can Configure DoS Protection Against Flooding of New Sessions.

   On a hardware platform that has a field-programmable gate array (FPGA), the firewall offloads traffic to the FPGA when possible to increase performance. If the traffic is offloaded to hardware, clearing the session does not help because then it is the software that must handle the barrage of packets. You should instead Discard a Session Without a Commit.

   To see whether a session is offloaded or not, use the show session id <session-id> operational command in the CLI as shown in the following example. The layer7 processing value indicates completed for sessions offloaded or enabled for sessions not offloaded.
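The two checks this guide makes on show session id output, the NAT-rule verification in Step 8 of the dual-ISP PBF procedure and the offload test just described, as an added example that is not Palo Alto Networks code: it parses the key/value body of the command into a dictionary, reports which NAT rule translated the session, and picks clear session or request session discard according to the layer7 processing value. The sample is a constructed subset of the page's session 87212 output.

```python
import re

# Constructed subset of the `show session id 87212` output shown earlier on this page.
SAMPLE_SESSION = """\
Session           87212

        c2s flow:
                source:      192.168.54.56 [Trust]
                dst:         204.79.197.200
                proto:       6
                sport:       53236           dport:      443
                state:       ACTIVE          type:       FLOW
                src user:    unknown

        s2c flow:
                source:      204.79.197.200 [ISP-East]
                dst:         2.2.2.2
                proto:       6
                sport:       443             dport:      12896

        timeout                       : 1800 sec
        application                   : ssl
        rule                          : Trust2ISP
        address/port translation      : source
        nat-rule                      : NAT-Backup ISP(vsys1)
        layer7 processing             : enabled
        ingress interface             : ethernet1/2
        egress interface              : ethernet1/3
"""

# Flow lines hold one or two "key:   value" pairs; a value may carry a zone in brackets.
FLOW_PAIR_RE = re.compile(r"(\w[\w ]*?):\s+(\S+(?: \[[^\]]*\])?)")
# Summary lines use "key   : value" with whitespace before the colon.
SUMMARY_RE = re.compile(r"^(.+?)\s+:\s*(.*)$")


def parse_session(text):
    """Return {'id', 'c2s': {...}, 's2c': {...}, 'fields': {...}} from the command output."""
    session = {"id": None, "c2s": {}, "s2c": {}, "fields": {}}
    flow = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Session\s+(\d+)$", line)
        if m:
            session["id"] = int(m.group(1))
            continue
        if line in ("c2s flow:", "s2c flow:"):
            flow = line[:3]
            continue
        m = SUMMARY_RE.match(line)
        if m:
            session["fields"][m.group(1).strip()] = m.group(2).strip()
            flow = None
            continue
        if flow:
            for key, value in FLOW_PAIR_RE.findall(line):
                m = re.match(r"^(\S+) \[(.*)\]$", value)
                if m:   # address followed by its zone, e.g. 192.168.54.56 [Trust]
                    session[flow][key] = m.group(1)
                    session[flow][key + "_zone"] = m.group(2)
                else:
                    session[flow][key] = value
    return session


def assess(session):
    """What the session details tell a practitioner about NAT and offloading."""
    f = session["fields"]
    offloaded = f.get("layer7 processing") == "completed"   # 'enabled' means not offloaded
    sid = session["id"]
    return {
        "id": sid,
        "security_rule": f.get("rule"),
        "nat_rule": f.get("nat-rule"),
        # Source NAT is in effect when the return flow targets an address other than
        # the client's own, i.e. the translated address.
        "source_nat_applied": f.get("address/port translation") == "source"
                              and session["c2s"].get("source") != session["s2c"].get("dst"),
        "offloaded": offloaded,
        "egress_interface": f.get("egress interface"),
        # clear session only helps for non-offloaded sessions; offloaded ones must be discarded
        "to_end_it": ("request session discard id %d" if offloaded else "clear session id %d") % sid,
    }


if __name__ == "__main__":
    print(assess(parse_session(SAMPLE_SESSION)))
```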

Discard a Session Without a Commit

Perform this task to permanently discard a session, such as a session that is overloading the packet buffer. No commit is required; the session is discarded immediately after executing the command. The commands apply to both offloaded and non-offloaded sessions.

Discard a Session Without a Commit

Step 1   In the CLI, execute the following operational command on any hardware platform:

   admin@PA-7050> request session discard [timeout <seconds>] [reason <reason-string>] id <session-id>

   The default timeout is 3600 seconds.

Step 2   Verify that sessions have been discarded.

   admin@PA-7050> show session all filter state discard
Virtual Systems

This topic describes virtual systems, their benefits, typical use cases, and how to configure them. It also provides links to other topics where virtual systems are documented as they function with other features.

- Virtual Systems Overview
- Communication Between Virtual Systems
- Shared Gateway
- Configure Virtual Systems
- Configure Inter-Virtual System Communication within the Firewall
- Configure a Shared Gateway
- Service Routes for Virtual Systems
- Customize Service Routes for a Virtual System
- DNS Resolution: Three Use Cases
- Virtual System Functionality with Other Features
Virtual Systems Overview

Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately managed firewall with its traffic kept separate from the traffic of other virtual systems.

This topic includes the following:

- Virtual System Components and Segmentation
- Benefits of Virtual Systems
- Use Cases for Virtual Systems
- Platform Support and Licensing for Virtual Systems
- Administrative Roles for Virtual Systems
- Shared Objects for Virtual Systems

Virtual System Components and Segmentation

A virtual system is an object that creates an administrative boundary, as shown in the following figure.

A virtual system consists of a set of physical and logical interfaces and subinterfaces (including VLANs and virtual wires), virtual routers, and security zones. You choose the deployment mode(s) (any combination of virtual wire, Layer 2, or Layer 3) of each virtual system. By using virtual systems, you can segment any of the following:

- Administrative access
- The management of all policies (security, NAT, QoS, policy-based forwarding, decryption, application override, captive portal, and DoS protection)
- All objects (such as address objects, application groups and filters, dynamic block lists, security profiles, decryption profiles, custom objects, etc.)
- User-ID
- Certificate management
- Server profiles
- Logging, reporting, and visibility functions

Virtual systems affect the security functions of the firewall, but virtual systems alone do not affect networking functions such as static and dynamic routing. You can segment routing for each virtual system by creating one or more virtual routers for each virtual system, as in the following use cases:

- If you have virtual systems for departments of one organization, and the network traffic for all of the departments is within a common network, you can create a single virtual router for multiple virtual systems.
- If you want routing segmentation and each virtual system's traffic must be isolated from other virtual systems, you can create one or more virtual routers for each virtual system.

Benefits of Virtual Systems

Virtual systems provide the same basic functions as a physical firewall, along with additional benefits:

- Segmented administration: Different organizations (or customers or business units) can control (and monitor) a separate firewall instance, so that they have control over their own traffic without interfering with the traffic or policies of another firewall instance on the same physical firewall.
- Scalability: After the physical firewall is configured, adding or removing customers or business units can be done efficiently. An ISP, managed security service provider, or enterprise can provide different security services to each customer.
- Reduced capital and operational expenses: Virtual systems eliminate the need to have multiple physical firewalls at one location because virtual systems co-exist on one firewall. By not having to purchase multiple firewalls, an organization can save on the hardware expense, electric bills, and rack space, and can reduce maintenance and management expenses.

Use Cases for Virtual Systems

There are many ways to use virtual systems in a network. One common use case is for an ISP or a managed security service provider (MSSP) to deliver services to multiple customers with a single firewall. Customers can choose from a wide array of services that can be enabled or disabled easily. The firewall's role-based administration allows the ISP or MSSP to control each customer's access to functionality (such as logging and reporting) while hiding or offering read-only capabilities for other functions.

Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments. Like the above case, different groups can have different levels of access while IT manages the firewall itself. Services can be tracked and/or billed back to departments to thereby make separate financial accountability possible within an organization.
Platform Support and Licensing for Virtual Systems

Virtual systems are supported on the PA-2000, PA-3000, PA-4000, PA-5000, and PA-7000 Series firewalls. Each firewall series supports a base number of virtual systems; the number varies by platform. A Virtual Systems license is required in the following cases:

- To support multiple virtual systems on PA-2000 or PA-3000 Series firewalls.
- To create more than the base number of virtual systems supported on a platform.

For license information, see Activate Licenses and Subscriptions. For the base and maximum number of virtual systems supported, see the Compare Firewalls tool.

Multiple virtual systems are not supported on the PA-200, PA-500 or VM-Series firewalls.

Administrative Roles for Virtual Systems

A superuser administrator can create virtual systems and add a Device Administrator, vsysadmin, or vsysreader. A Device Administrator can access all virtual systems, but cannot add administrators. The two types of virtual system administrative roles are:

- vsysadmin: Grants full access to a virtual system.
- vsysreader: Grants read-only access to a virtual system.

A virtual system administrator can view logs of only the virtual systems assigned to that administrator. Someone with superuser or Device Admin permission can view all of the logs or select a virtual system to view. Persons with vsysadmin permission can commit configurations for only the virtual systems assigned to them.

Shared Objects for Virtual Systems

If your administrator account extends to multiple virtual systems, you can choose to configure objects (such as an address object) and policies for a specific virtual system or as shared objects, which apply to all of the virtual systems on the firewall. If you try to create a shared object with the same name and type as an existing object in a virtual system, the virtual system object is used.
Communication Between Virtual Systems

There are two typical scenarios where communication between virtual systems (inter-vsys traffic) is desirable. In a multi-tenancy environment, communication between virtual systems can occur by having traffic leave the firewall, go through the Internet, and re-enter the firewall. In a single-organization environment, communication between virtual systems can remain within the firewall. This section discusses both scenarios.

- Inter-VSYS Traffic That Must Leave the Firewall
- Inter-VSYS Traffic That Remains Within the Firewall
- Inter-VSYS Communication Uses Two Sessions

Inter-VSYS Traffic That Must Leave the Firewall

An ISP that has multiple customers on a firewall (known as multi-tenancy) can use a virtual system for each customer, and thereby give each customer control over its virtual system configuration. The ISP grants vsysadmin permission to customers. Each customer's traffic and management are isolated from the others. Each virtual system must be configured with its own IP address and one or more virtual routers in order to manage traffic and its own connection to the Internet.

If the virtual systems need to communicate with each other, that traffic goes out the firewall to another Layer 3 routing device and back to the firewall, even though the virtual systems exist on the same physical firewall, as shown in the following figure.
Inter-VSYS Traffic That Remains Within the Firewall

Unlike the preceding multi-tenancy scenario, virtual systems on a firewall can be under the control of a single organization. The organization wants to both isolate traffic between virtual systems and allow communications between virtual systems. This common use case arises when the organization wants to provide departmental separation and still have the departments be able to communicate with each other or connect to the same network(s). In this scenario, the inter-vsys traffic remains within the firewall, as described in the following topics:

- External Zone
- External Zones and Security Policies For Traffic Within a Firewall

External Zone

The communication desired in the use case above is achieved by configuring security policies that point to or from an external zone. An external zone is a security object that is associated with a specific virtual system that it can reach; the zone is external to the virtual system. A virtual system can have only one external zone, regardless of how many security zones the virtual system has within it. External zones are required to allow traffic between zones in different virtual systems, without the traffic leaving the firewall.

The virtual system administrator configures the security policies needed to allow traffic between two virtual systems. Unlike security zones, an external zone is not associated with an interface; it is associated with a virtual system. The security policy allows or denies traffic between the security (internal) zone and the external zone.

Because external zones do not have interfaces or IP addresses associated with them, some zone protection profiles are not supported on external zones.

Remember that each virtual system is a separate instance of a firewall, which means that each packet moving between virtual systems is inspected for security policy and App-ID evaluation.
External Zones and Security Policies For Traffic Within a Firewall

In the following example, an enterprise has two separate administrative groups: the department A and department B virtual systems. The following figure shows the external zone associated with each virtual system, and traffic flowing from one trust zone, out an external zone, into an external zone of another virtual system, and into its trust zone.

To create external zones, the firewall administrator must configure the virtual systems so that they are visible to each other. External zones do not have security policies between them because their virtual systems are visible to each other.

To communicate between virtual systems, the ingress and egress interfaces on the firewall are either assigned to a single virtual router or else they are connected using inter-virtual router static routes. The simpler of these two approaches is to assign all virtual systems that must communicate with each other to a single virtual router.

There might be a reason that the virtual systems need to have their own virtual router, for example, if the virtual systems use overlapping IP address ranges. Traffic can be routed between the virtual systems, but each virtual router must have static routes that point to the other virtual router(s) as the next hop.

Referring to the scenario in the figure above, we have an enterprise with two administrative groups: department A and department B. The department A group manages the local network and the DMZ resources. The department B group manages traffic in and out of the sales segment of the network. All traffic is on a local network, so a single virtual router is used. There are two external zones configured for communication between the two virtual systems. The department A virtual system has three zones used in security policies: deptA-DMZ, deptA-trust, and deptA-External. The department B virtual system also has three zones: deptB-DMZ, deptB-trust, and deptB-External. Both groups can control the traffic passing through their virtual systems.

In order to allow traffic from deptA-trust to deptB-trust, two security policies are required. In the following figure, the two vertical arrows indicate where the security policies (described below the figure) are controlling traffic.
SecurityPolicy1:Intheprecedingfigure,trafficisdestinedforthedeptBtrustzone.Trafficleavesthe
deptAtrustzoneandgoestothedeptAExternalzone.Asecuritypolicymustallowtrafficfromthe
sourcezone(deptAtrust)tothedestinationzone(deptAExternal).Avirtualsystemallowsanypolicy
typetobeusedforthistraffic,includingNAT.
Nopolicyisneededbetweenexternalzonesbecausetrafficsenttoanexternalzoneappearsinandhas
automaticaccesstotheotherexternalzonesthatarevisibletotheoriginalexternalzone.
SecurityPolicy2:Intheprecedingfigure,thetrafficfromdeptBExternalisstilldestinedtothe
deptBtrustzone,andasecuritypolicymustbeconfiguredtoallowit.Thepolicymustallowtrafficfrom
thesourcezone(deptBExternal)tothedestinationzone(deptBtrust).

ThedepartmentBvirtualsystemcouldbeconfiguredtoblocktrafficfromthedepartmentAvirtualsystem,
andviceversa.Liketrafficfromanyotherzone,trafficfromexternalzonesmustbeexplicitlyallowedby
policytoreachotherzonesinavirtualsystem.
Inadditiontoexternalzonesbeingrequiredforintervirtualsystemtrafficthatdoesnotleavethe
firewall,externalzonesarealsorequiredifyouconfigureaSharedGateway,inwhichcasethe
trafficisintendedtoleavethefirewall.

Inter-VSYS Communication Uses Two Sessions
It is helpful to understand that communication between two virtual systems uses two sessions, unlike the one session used for a single virtual system. Let's compare the scenarios.
Scenario 1: Vsys1 has two zones: trust1 and untrust1. A host in the trust1 zone initiates traffic when it needs to communicate with a device in the untrust1 zone. The host sends traffic to the firewall, and the firewall creates a new session for source zone trust1 to destination zone untrust1. Only one session is needed for this traffic.
Scenario 2: A host from vsys1 needs to access a server on vsys2. A host in the trust1 zone initiates traffic to the firewall, and the firewall creates the first session: source zone trust1 to destination zone untrust1. Traffic is routed to vsys2, either internally or externally. Then the firewall creates a second session: source zone untrust2 to destination zone trust2. Two sessions are needed for this inter-vsys traffic.
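The two-session model above, as an added example that is not part of this guide or of PAN-OS itself: a small Python model in which each virtual system holds its own rule table and External zones, and a flow between two virtual systems is evaluated as two sessions (Security Policy 1 in the source vsys, Security Policy 2 in the destination vsys) with no policy evaluated on the hop between the two External zones. The vsys names, zone names, the rules and the `FIREWALL` table are constructed to mirror the department A / department B scenario; nothing here talks to a firewall.

```python
# Added example (not PAN-OS code): a model of the two-session inter-vsys flow.
# The vsys names, zone names and rules are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Vsys:
    name: str
    visible: set = field(default_factory=set)      # vsys ticked under Visible Virtual System
    external: dict = field(default_factory=dict)   # external zone -> set of vsys it can reach
    rules: list = field(default_factory=list)      # (src_zone, dst_zone, action); first match wins

    def policy(self, src_zone, dst_zone):
        """Security policy lookup inside this vsys; interzone default is deny."""
        for src, dst, action in self.rules:
            if src in (src_zone, "any") and dst in (dst_zone, "any"):
                return action
        return "deny"


def session(vsys, src_zone, dst_zone):
    """One firewall session: a single policy evaluation within one vsys."""
    return {"vsys": vsys.name, "src": src_zone, "dst": dst_zone,
            "action": vsys.policy(src_zone, dst_zone)}


def evaluate_flow(firewall, src_vsys, src_zone, dst_vsys, dst_zone):
    """Return the list of sessions the firewall would create for this flow.

    Scenario 1 (same vsys) produces one session.  Scenario 2 (different vsys)
    produces two: src_zone -> External zone in the source vsys, then External
    zone -> dst_zone in the destination vsys.  No policy is evaluated for the
    hop between the two External zones.
    """
    src = firewall[src_vsys]
    if src_vsys == dst_vsys:
        return [session(src, src_zone, dst_zone)]

    dst = firewall[dst_vsys]
    if dst_vsys not in src.visible or src_vsys not in dst.visible:
        raise ValueError(f"{src_vsys} and {dst_vsys} are not visible to each other")
    src_ext = next((z for z, reach in src.external.items() if dst_vsys in reach), None)
    dst_ext = next((z for z, reach in dst.external.items() if src_vsys in reach), None)
    if src_ext is None or dst_ext is None:
        raise ValueError("both virtual systems need an External zone that reaches the other")

    first = session(src, src_zone, src_ext)          # Security Policy 1
    if first["action"] != "allow":
        return [first]                               # dropped before it reaches the other vsys
    second = session(dst, dst_ext, dst_zone)         # Security Policy 2
    return [first, second]


def flow_allowed(sessions):
    return bool(sessions) and all(s["action"] == "allow" for s in sessions)


# Constructed firewall mirroring the figure: only the rules the text calls for,
# so deptA-trust -> deptB-trust is allowed but the reverse direction is not.
FIREWALL = {
    "deptA": Vsys("deptA", visible={"deptB"},
                  external={"deptA-External": {"deptB"}},
                  rules=[("deptA-trust", "deptA-External", "allow")]),
    "deptB": Vsys("deptB", visible={"deptA"},
                  external={"deptB-External": {"deptA"}},
                  rules=[("deptB-External", "deptB-trust", "allow"),
                         ("deptB-trust", "deptB-DMZ", "allow")]),
}

if __name__ == "__main__":
    for s in evaluate_flow(FIREWALL, "deptA", "deptA-trust", "deptB", "deptB-trust"):
        print(s)
```

Running the block prints the two sessions for the deptA-trust to deptB-trust flow; evaluating the reverse direction returns a single denied session, which is the behaviour described above where department B can block department A simply by not writing a rule from deptB-trust to deptB-External.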

892 PANOS7.1AdministratorsGuide

PaloAltoNetworks,Inc.

VirtualSystems

SharedGateway

Shared Gateway
This topic includes the following information about shared gateways:

• External Zones and Shared Gateway
• Networking Considerations for a Shared Gateway

External Zones and Shared Gateway
A shared gateway is an interface that multiple virtual systems share in order to communicate over the Internet. Each virtual system requires an External Zone, which acts as an intermediary, for configuring security policies that allow or deny traffic from the virtual system's internal zone to the shared gateway. The shared gateway uses a single virtual router to route traffic for all virtual systems. A shared gateway is used in cases when an interface does not need a full administrative boundary around it, or when multiple virtual systems must share a single Internet connection. This second case arises if an ISP provides an organization with only one IP address (interface), but multiple virtual systems need external communication.
Unlike the behavior between virtual systems, security policy and App-ID evaluations are not performed between a virtual system and a shared gateway. That is why using a shared gateway to access the Internet involves less overhead than creating another virtual system to do so.
In the following figure, three customers share a firewall, but there is only one interface accessible to the Internet. Creating another virtual system would add the overhead of App-ID and security policy evaluation for traffic being sent to the interface through the added virtual system. To avoid adding another virtual system, the solution is to configure a shared gateway, as shown in the following diagram.

The shared gateway has one globally routable IP address used to communicate with the outside world. Interfaces in the virtual systems have IP addresses too, but they can be private, non-routable IP addresses.
You will recall that an administrator must specify whether a virtual system is visible to other virtual systems. Unlike a virtual system, a shared gateway is always visible to all of the virtual systems on the firewall.

A shared gateway ID number appears as sg<ID> on the web interface. It is recommended that you name your shared gateway with a name that includes its ID number.
When you add objects such as zones or interfaces to a shared gateway, the shared gateway appears as an available virtual system in the vsys drop-down menu.
A shared gateway is a limited version of a virtual system; it supports NAT and policy-based forwarding (PBF), but does not support security, DoS protection, QoS, decryption, application override, or captive portal policies.

Networking Considerations for a Shared Gateway
Keep the following in mind while you are configuring a shared gateway.

• The virtual systems in a shared gateway scenario access the Internet through the shared gateway's physical interface, using a single IP address. If the IP addresses of the virtual systems are not globally routable, configure source NAT to translate those addresses to globally routable IP addresses.
• A virtual router routes the traffic for all of the virtual systems through the shared gateway.
• The default route for the virtual systems should point to the shared gateway.
• Security policies must be configured for each virtual system to allow the traffic between the internal zone and the external zone, which is visible to the shared gateway.
• A firewall administrator should control the virtual router, so that no member of a virtual system can affect the traffic of other virtual systems.
• Within a Palo Alto Networks firewall, a packet may hop from one virtual system to another virtual system or to a shared gateway. A packet may not traverse more than two virtual systems or shared gateways. For example, a packet cannot go from one virtual system to a shared gateway to a second virtual system within the firewall.

To save configuration time and effort, consider the following advantages of a shared gateway:

• Rather than configure NAT for multiple virtual systems associated with a shared gateway, you can configure NAT for the shared gateway.
• Rather than configure policy-based forwarding (PBF) for multiple virtual systems associated with a shared gateway, you can configure PBF for the shared gateway.

Service Routes for Virtual Systems
The firewall uses the MGT interface (by default) to access external services, such as DNS servers, software updates, and software licenses. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route. Service routes can be configured for the firewall or for individual virtual systems. Each service allows redirection of management services to the respective virtual system owner through one of the interfaces associated with that virtual system.
The ability to configure service routes per virtual system provides the flexibility to customize service routes for numerous tenants or departments on a single firewall. The service packets exit the firewall on a port that is assigned to a specific virtual system, and the server sends its response to the configured source interface and source IP address. Any virtual system that does not have a service route configured for a particular service inherits the interface and IP address that are set globally for that service.

• Use Cases for Service Routes for a Virtual System
• PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers
• DNS Proxy Object
• DNS Server Profile
• Multi-Tenant DNS Deployments

To configure service routes for a virtual system, see Customize Service Routes for a Virtual System.

Use Cases for Service Routes for a Virtual System
One use case for configuring service routes at the virtual system level is when a large customer (such as an ISP) needs to support multiple individual tenants on a single Palo Alto Networks firewall. The ISP has configured virtual systems on the firewall, and wants to have separate service routes for each virtual system, rather than service routes configured at the global level. Each tenant requires service route capabilities so that it can customize service route parameters for DNS, email, Kerberos, LDAP, NetFlow, RADIUS, SNMP trap, syslog, TACACS+, User-ID Agent, and VM Monitor.
Another use case is an IT organization that wants to provide full autonomy to groups that set up servers for services. Each group can have a virtual system and define its own service routes.
If Multi Virtual System Capability is enabled, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall.
An organization can have multiple virtual systems, but use a global service route for a service rather than different service routes for each virtual system. For example, the firewall can use a shared email server to originate email alerts to its virtual systems.
A firewall with multiple virtual systems must have interfaces and subinterfaces with non-overlapping IP addresses.
A per-virtual system service route for SNMP traps or for Kerberos is for IPv4 only.
You can select a virtual router for a service route in a virtual system; you cannot select the egress interface. After you select the virtual router and the firewall sends the packet from the virtual router, the firewall selects the egress interface based on the destination IP address. Therefore:

• If a virtual system has multiple virtual routers, packets to all of the servers for a service must egress out of only one virtual router.
• A packet with an interface source address may egress a different interface, but the return traffic would be on the interface that has the source IP address, creating asymmetric traffic.

PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers
For Traffic, HIP Match, Threat, and WildFire log types, the PA-7000 Series firewall does not use service routes for SNMP Trap, syslog and email services. Instead, the PA-7000 Series firewall Log Processing Card (LPC) supports virtual system-specific paths from LPC subinterfaces to an on-premise switch to the respective service on a server. For System and Config logs, the PA-7000 Series firewall uses global service routes, and not the LPC.
In other Palo Alto Networks platforms, the dataplane sends logging service route traffic to the management plane, which sends the traffic to logging servers. In the PA-7000 Series firewall, each LPC has only one interface, and dataplanes for multiple virtual systems send logging server traffic (the log types mentioned above) to the PA-7000 Series firewall LPC. The LPC is configured with multiple subinterfaces, over which the platform sends the logging service traffic out to a customer's switch, which can be connected to multiple logging servers.
Each LPC subinterface can be configured with a subinterface name and a dotted subinterface number. The subinterface is assigned to a virtual system, which is configured for logging services. The other service routes on a PA-7000 Series firewall function similarly to service routes on other Palo Alto Networks platforms.
To configure the LPC for per-virtual system logging services, see Configure a PA-7000 Series Firewall for Logging Per Virtual System. For information about the LPC itself, see the PA-7000 Series Hardware Reference Guide.

DNS Proxy Object
Domain Name System (DNS) servers perform the service of resolving a domain name to an IP address, and vice versa. DNS proxy is a role in which the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If the domain name is not found in the DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived), and forwards the query to a DNS server based on the match results. If no match is found, the default DNS servers are used.
A DNS proxy object is where you configure the settings that determine how the firewall functions as a DNS proxy. You can assign a DNS proxy object to a single virtual system or it can be shared among all virtual systems.

• If the DNS proxy object is for a virtual system, you can specify a DNS Server Profile, which specifies the primary and secondary DNS server addresses, along with other information. The DNS server profile simplifies configuration.
• If the DNS proxy object is shared, you must specify at least the primary address of a DNS server.

When configuring tenants with DNS services, each tenant should have its own DNS proxy defined, which keeps the tenant's DNS service separate from other tenants' services.

In the proxy object, you specify the interfaces for which the firewall is acting as DNS proxy. The DNS proxy for the interface does not use the service route; responses to the DNS requests are always sent to the interface assigned to the virtual router where the DNS request arrived.
You can supply the DNS proxy with static FQDN-to-address mappings. You can create DNS proxy rules that control to which DNS server the specified domain name queries are directed. A DNS proxy has other options; to configure a DNS proxy, see Configure a DNS Proxy Object. A maximum of 256 DNS proxy objects can be configured on a firewall.

DNS Server Profile
To simplify configuration for a virtual system, a DNS server profile allows you to specify the virtual system that is being configured, an inheritance source or the primary and secondary IP addresses for DNS servers, and a source interface and source address (service route) that will be used in packets sent to the DNS server.
The source interface determines the virtual router, which has a route table. The destination IP address is looked up in the routing table of the virtual router where the source interface is assigned. It is possible that the resulting egress interface for the destination IP address differs from the source interface. The packet would egress out of the egress interface determined by the route table lookup, but the source IP address would be the address configured. The source address is used as the destination address in the reply from the DNS server.
The virtual system report and virtual system server profile send their queries to the DNS server specified for the virtual system, if there is one. (The DNS server used is defined in Device > Virtual Systems > General > DNS Proxy.) If there is no DNS server specified for the virtual system, the DNS server specified for the firewall is queried.
A DNS server profile is for a virtual system only; it is not for a global Shared location. To configure a DNS server profile, see Configure a DNS Server Profile.
For more information on DNS server profiles, see DNS Resolution: Three Use Cases.
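As an added example (not PAN-OS code) covering both the service-route bullets in Use Cases for Service Routes for a Virtual System and the route-lookup behaviour of the DNS server profile just described: a Python model that resolves the effective service route for a vsys (customized, or inherited from the global setting), maps the source interface to its virtual router, performs the longest-prefix lookup for the server address, and flags the case where the egress interface differs from the source interface, which is the asymmetric-return condition the text warns about. Interface names, virtual router names, prefixes, addresses and the `mgt` label for the management port are all constructed for illustration.

```python
# Added example (not PAN-OS code): how a per-vsys service route is resolved and
# why the egress interface can differ from the source interface.
# Interface names, virtual routers, addresses and routes are constructed.
import ipaddress

# data-plane interface -> virtual router it is assigned to (the MGT port has none)
INTERFACE_VR = {
    "ethernet1/1.10": "vr-tenant1",
    "ethernet1/2": "vr-tenant1",
    "ethernet1/3.20": "vr-tenant2",
}

# virtual router -> (prefix, egress interface); longest prefix wins
ROUTES = {
    "vr-tenant1": [("10.10.0.0/16", "ethernet1/1.10"), ("0.0.0.0/0", "ethernet1/2")],
    "vr-tenant2": [("10.20.0.0/16", "ethernet1/3.20")],
}

# Device > Setup > Services > Global: service -> (source interface, source address)
GLOBAL_SERVICE_ROUTES = {
    "dns": ("mgt", "192.0.2.10"),
    "syslog": ("mgt", "192.0.2.10"),
}

# Device > Setup > Services > Virtual Systems > Customize, per vsys
VSYS_SERVICE_ROUTES = {
    "vsys2": {"dns": ("ethernet1/1.10", "10.10.0.1")},
    "vsys3": {},   # Inherit Global Service Route Configuration
}


def effective_service_route(vsys, service):
    """A vsys that customizes the service uses its own source; otherwise it inherits."""
    custom = VSYS_SERVICE_ROUTES.get(vsys, {}).get(service)
    return custom if custom is not None else GLOBAL_SERVICE_ROUTES[service]


def longest_match(vr, destination):
    """Longest-prefix lookup in one virtual router; None if no route exists."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, egress in ROUTES[vr]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def plan_service_packet(vsys, service, server_ip):
    """Describe the packet the firewall would send to a service's server."""
    src_if, src_addr = effective_service_route(vsys, service)
    if src_if == "mgt":
        return {"source_interface": src_if, "source_address": src_addr,
                "virtual_router": None, "egress_interface": "mgt", "asymmetric": False}
    vr = INTERFACE_VR[src_if]              # the source interface selects the virtual router
    egress = longest_match(vr, server_ip)  # the destination selects the egress interface
    # The reply is addressed to src_addr, which lives on src_if: if the request
    # left on another interface, the flow is asymmetric.
    return {"source_interface": src_if, "source_address": src_addr,
            "virtual_router": vr, "egress_interface": egress,
            "asymmetric": egress is not None and egress != src_if}


if __name__ == "__main__":
    for vsys, server in (("vsys2", "10.10.5.53"), ("vsys2", "203.0.113.53"),
                         ("vsys3", "10.10.5.53")):
        print(vsys, server, plan_service_packet(vsys, "dns", server))
```

The second case in the block is the one to watch for when customizing routes: vsys2 sources its DNS traffic from the tenant subinterface, but a server reachable only via the default route leaves on ethernet1/2 while the reply returns to ethernet1/1.10.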

Multi-Tenant DNS Deployments
There are three use cases for multi-tenant DNS deployments:

• Global Management DNS Resolution: The firewall needs DNS resolution for its own purposes, for example, when the request is coming from the management plane to resolve an FQDN in a security policy. The firewall uses the service route to get to a DNS server because there is no incoming virtual router. The DNS server is configured in Device > Setup > Services > Global, and Servers are configured by entering a primary and secondary DNS server.
• Policy and Report FQDN Resolution for a Virtual System: For DNS queries that need to be resolved from a security policy or a report, you can specify a set of DNS servers specific to the virtual system (tenant) or you can default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, the DNS server is configured in Device > Virtual Systems > General > DNS Proxy. The DNS proxy object is configured in Network > DNS Proxy. The resolution is specific to the virtual system to which the DNS proxy is assigned. If you don't have specific DNS servers applicable to this virtual system and want to use the global DNS setting, the global DNS servers are used.
• Dataplane DNS Resolution for a Virtual System: This method is also known as a Network Request for DNS Resolution. The tenant's virtual system can be configured so that specified domain names are resolved on the tenant's DNS server in its network. This method supports split DNS, meaning that the tenant can also use its own ISP DNS servers for the remaining DNS queries not resolved on its own server. DNS Proxy rules control the split DNS; the tenant's domain redirects DNS requests to its DNS servers, which are configured in a DNS server profile. The DNS server profile has primary and secondary DNS servers designated, and also DNS service routes for IPv4 and IPv6, which override the default DNS settings.

For more information on DNS deployments, see DNS Resolution: Three Use Cases.

Configure Virtual Systems
Creating a virtual system requires that you have the following:
• A superuser administrative role.
• An interface configured.
• A Virtual Systems license if you are configuring a PA-2000 or PA-3000 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. See Platform Support and Licensing for Virtual Systems.
Configure a Virtual System

Step 1: Enable virtual systems.
1. Select Device > Setup > Management and edit the General Settings.
2. Select the Multi Virtual System Capability check box and click OK. This action triggers a commit if you approve it.
Only after enabling virtual systems will the Device tab display the Virtual Systems and Shared Gateways options.

Step 2: Create a virtual system.
1. Select Device > Virtual Systems, click Add and enter a virtual system ID, which is appended to "vsys" (range is 1-255). The default ID is 1, which makes the default virtual system vsys1. This default appears even on platforms that do not support multiple virtual systems.
2. Check the Allow forwarding of decrypted content check box if you want to allow the firewall to forward decrypted content to an outside service. For example, you must enable this option for the firewall to be able to send decrypted content to WildFire for analysis.
3. Enter a descriptive Name for the virtual system. A maximum of 31 alphanumeric, space, and underscore characters is allowed.

Step 3: Assign interfaces to the virtual system.
The virtual routers, virtual wires, or VLANs can either be configured already or you can configure them later, at which point you specify the virtual system associated with each. The procedure to configure a virtual router, for example, is in Step 6 below.
1. In the Interfaces field, click Add to enter the interfaces or subinterfaces to assign to the virtual system. An interface can belong to only one virtual system.
2. Do any of the following, based on the deployment type(s) you need in the virtual system:
   • In the VLANs field, click Add to enter the VLAN(s) to assign to the vsys.
   • In the Virtual Wires field, click Add to enter the virtual wire(s) to assign to the vsys.
   • In the Virtual Routers field, click Add to enter the virtual router(s) to assign to the vsys.
3. On the General tab, select a DNS Proxy object if you want to apply DNS proxy rules to the interface.
4. In the Visible Virtual System field, check all virtual systems that should be made visible to the virtual system being configured. This is required for virtual systems that need to communicate with each other. In a multi-tenancy scenario where strict administrative boundaries are required, no virtual systems would be checked.
5. Click OK.

Step 4: (Optional) Limit the resource allocations for sessions, rules, and VPN tunnels allowed for the virtual system. The flexibility of being able to allocate limits per virtual system allows you to effectively control firewall resources.
1. On the Resource tab, optionally set limits for a virtual system. There are no default values.
   • Sessions Limit: Range is 1-262144.
   • Security Rules: Range is 0-2500.
   • NAT Rules: Range is 0-3000.
   • Decryption Rules: Range is 0-250.
   • QoS Rules: Range is 0-1000.
   • Application Override Rules: Range is 0-250.
   • Policy Based Forwarding Rules: Range is 0-500.
   • Captive Portal Rules: Range is 0-1000.
   • DoS Protection Rules: Range is 0-1000.
   • Site to Site VPN Tunnels: Range is 0-1024.
   • Concurrent SSL VPN Tunnels: Range is 0-1024.
2. Click OK.

Step 5: Save the configuration.
Click Commit and OK. The virtual system is now an object accessible from the Objects tab.

Step 6: Create at least one virtual router for the virtual system in order to make the virtual system capable of networking functions, such as static and dynamic routing. Alternatively, your virtual system might use a VLAN or a virtual wire, depending on your deployment.
1. Select Network > Virtual Routers and Add a virtual router by Name.
2. For Interfaces, click Add and from the drop-down, select the interfaces that belong to the virtual router.
3. Click OK.

Step 7: Configure a security zone for each interface in the virtual system.
For at least one interface, create a Layer 3 security zone. See Configure Interfaces and Zones.

Step 8: Configure the security policies allowing or denying traffic to and from the zones in the virtual system.
See Set Up Basic Security Policies.

Step 9: Save the configuration.
Click Commit and OK.
After creating a virtual system, you can use the CLI to commit a configuration for only a specific virtual system:
commit partial vsys vsys<id>

Step 10: (Optional) View the security policies configured for a virtual system.
Open an SSH session to use the CLI. To view the security policies for a virtual system, in operational mode, use the following commands:
set system setting target-vsys <vsys-id>
show running security-policy

Configure Inter-Virtual System Communication within the Firewall
Perform this task if you have a use case, perhaps within a single enterprise, where you want the virtual systems to be able to communicate with each other within the firewall. Such a scenario is described in Inter-VSYS Traffic That Remains Within the Firewall. This task presumes:
• You completed the task, Configure Virtual Systems.
• When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate with each other, so that they are visible to each other.

Configure Inter-Virtual System Communication within the Firewall

Step 1: Configure an external zone for each virtual system.
1. Select Network > Zones and Add a new zone by Name.
2. For Location, select the virtual system for which you are creating an external zone.
3. For Type, select External.
4. For Virtual Systems, click Add and enter the virtual system that the external zone can reach.
5. Zone Protection Profile: Optionally select a zone protection profile (or configure one later) that provides flood, reconnaissance, or packet-based attack protection.
6. Log Setting: Optionally select a log forwarding profile for forwarding zone protection logs to an external system.
7. Optionally select the Enable User Identification check box to enable User-ID for the external zone.
8. Click OK.

Step 2: Configure the security policies allowing or denying traffic from the internal zones to the external zone of the virtual system, and vice versa.
See Set Up Basic Security Policies.
See Inter-VSYS Traffic That Remains Within the Firewall.

Step 3: Save the configuration.
Click Commit.

Configure a Shared Gateway
Perform this task if you need multiple virtual systems to share an interface (a Shared Gateway) to the Internet. This task presumes:
• You configured an interface with a globally routable IP address, which will be the shared gateway.
• You completed the prior task, Configure Virtual Systems. For the interface, you chose the external-facing interface with the globally routable IP address.
• When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate, so that they are visible to each other.

Configure a Shared Gateway

Step 1: Configure a Shared Gateway.
1. Select Device > Shared Gateway, click Add and enter an ID.
2. Enter a helpful Name, preferably including the ID of the gateway.
3. In the DNS Proxy field, select a DNS proxy object if you want to apply DNS proxy rules to the interface.
4. Add an Interface that connects to the outside world.
5. Click OK.

Step 2: Configure the zone for the shared gateway.
When adding objects such as zones or interfaces to a shared gateway, the shared gateway itself will be listed as an available vsys in the VSYS drop-down menu.
1. Select Network > Zones and Add a new zone by Name.
2. For Location, select the shared gateway for which you are creating a zone.
3. For Type, select Layer3.
4. Zone Protection Profile: Optionally select a zone protection profile (or configure one later) that provides flood, reconnaissance, or packet-based attack protection.
5. Log Setting: Optionally select a log forwarding profile for forwarding zone protection logs to an external system.
6. Optionally select the Enable User Identification check box to enable User-ID for the shared gateway.
7. Click OK.

Step 3: Save the configuration.
Click Commit.

Customize Service Routes for a Virtual System

• Customize Service Routes to Services for Virtual Systems
• Configure a PA-7000 Series Firewall for Logging Per Virtual System
• Configure a DNS Proxy Object
• Configure a DNS Server Profile
• Configure Administrative Access Per Virtual System or Firewall

Customize Service Routes to Services for Virtual Systems
Prior to performing this task, in order to see the Global and Virtual Systems tabs, you must enable Multi Virtual System Capability.

If Multi Virtual System Capability is enabled, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall.
The firewall supports syslog forwarding on a virtual system basis. When multiple virtual systems on a firewall are connecting to a syslog server using SSL transport, the firewall can generate only one certificate for secure communication. The firewall does not support each virtual system having its own certificate.

In the following use case, you are configuring individual service routes for a firewall with multiple virtual systems.

Customize Service Routes to Services Per Virtual System

Step 1: Customize service routes for a virtual system.
1. Select Device > Setup > Services > Virtual Systems, and select the virtual system you want to configure.
2. Click the Service Route Configuration link.
3. Select one of the radio buttons:
   • Inherit Global Service Route Configuration: Causes the virtual system to inherit the global service route settings relevant to a virtual system. If you choose this option, skip down to step 7.
   • Customize: Allows you to specify a source interface and source address for each service.
4. If you chose Customize, select the IPv4 or IPv6 tab, depending on what type of addressing the server offering the service uses. You can specify both IPv4 and IPv6 addresses for a service. Click the check box(es) for the services for which you want to specify the same source information. (Only services that are relevant to a virtual system are available.) Click Set Selected Service Routes.
   • For Source Interface, select Any, Inherit Global Setting, or an interface from the drop-down to specify the source interface that will be used in packets sent to the external service(s). Hence, the server's response will be sent to that source interface. In our example deployment, you would set the source interface to be the subinterface of the tenant.
   • Source Address will indicate Inherited if you selected Inherit Global Setting for the Source Interface, or it will indicate the source address of the Source Interface you selected. If you selected Any for Source Interface, select an IP address from the drop-down, or enter an IP address (using the IPv4 or IPv6 format that matches the tab you chose) to specify the source address that will be used in packets sent to the external service.
   If you modify an address object and the IP family type (IPv4/IPv6) changes, a Commit is required to update the service route family to use.
5. Click OK.
6. Repeat steps 4 and 5 to configure source addresses for other external services.
7. Click OK.

Step 2: Save the configuration.
Click Commit and OK.
If you are configuring per-virtual system service routes for logging services for a PA-7000 Series firewall, continue to the task Configure a PA-7000 Series Firewall for Logging Per Virtual System.

Configure a PA-7000 Series Firewall for Logging Per Virtual System
You must have enabled Multi Virtual System Capability (Device > Setup > Management) in order to access the LPC subinterface configuration.
Perform this task on your PA-7000 Series firewall to configure logging for different virtual systems. For more information, see PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers.

Configure a PA-7000 Series Firewall Subinterface for Service Routes per Virtual System

Step 1: Create a Log Card interface.
1. Select Network > Interfaces > Ethernet and select the interface that will be the Log Card interface.
2. Enter the Interface Name.
3. For Interface Type, select Log Card from the drop-down.
4. Click OK.

Step 2: Add a subinterface for each tenant on the LPC's physical interface.
1. Highlight the Ethernet interface that is a Log Card interface type and click Add Subinterface.
2. For Interface Name, after the period, enter the subinterface number assigned to the tenant's virtual system.
3. For Tag, enter a VLAN tag value. Make the tag the same as the subinterface number for ease of use, but it could be a different number.
4. (Optional) Enter a Comment.
5. On the Config tab, in the Assign Interface to Virtual System field, select the virtual system to which the LPC subinterface is assigned (from the drop-down). Alternatively, you can click Virtual Systems to add a new virtual system.
6. Click OK.

Step 3: Enter the addresses assigned to the subinterface, and configure the default gateway.
1. Select the Log Card Forwarding tab, and do one or both of the following:
   • For the IPv4 section, enter the IP Address and Netmask assigned to the subinterface. Enter the Default Gateway (the next hop where packets will be sent that have no known next hop address in the Routing Information Base [RIB]).
   • For the IPv6 section, enter the IPv6 Address assigned to the subinterface. Enter the IPv6 Default Gateway.
2. Click OK.

Step 4: Save the configuration.
Click OK and Commit.

Step 5: If you haven't already done so, configure the remaining service routes for the virtual system.
See Customize Service Routes for a Virtual System.

Configure a DNS Proxy Object
If your firewall is to act as a DNS proxy for a virtual system, perform this task to configure a DNS Proxy Object. The proxy object can either be shared among all virtual systems or applied to a specific virtual system.

Configure a DNS Proxy Object

Step 1: Configure the basic settings for a DNS Proxy object.
1. Select Network > DNS Proxy and Add a new object.
2. Verify that Enable is selected.
3. Enter a Name for the object.
4. For Location, select the virtual system to which the object applies. If you select Shared, you must specify at least a Primary DNS server address, and optionally a Secondary address.
5. If you selected a virtual system, for Server Profile, select a DNS Server profile or else click DNS Server Profile to configure a new profile. See Configure a DNS Server Profile.
6. For Interface, click Add and specify the interfaces to which the DNS Proxy object applies.
   • If you use the DNS Proxy object for performing DNS lookups, an interface is required. The firewall will listen for DNS requests on this interface, and then proxy them.
   • If you use the DNS Proxy object for a service route, the interface is optional.

Step 2: (Optional) Specify DNS Proxy rules.
1. On the DNS Proxy Rules tab, click Add and enter a Name for the rule.
2. Turn on caching of domains resolved by this mapping if you want the firewall to cache the resolved domains.
3. For Domain Name, click Add and enter one or more domains, one entry per row. Each domain name can contain * as a wildcard. The number of tokens in a wildcard string must match the number of tokens in the requested domain. For example, *.engineering.local will not match engineering.local. Both entries must be specified if you want both.
4. Depending on the Location you chose in Step 1, substep 4:
   • If you chose a virtual system, select a DNS Server profile here.
   • If you chose Shared, enter a Primary address here.
5. Click OK.

Step 3: (Optional) Supply the DNS Proxy with static FQDN-to-address entries. Static DNS entries allow the firewall to resolve the FQDN to an IP address without going out to the DNS server.
1. On the Static Entries tab, click Add and enter a Name.
2. Enter the Fully Qualified Domain Name (FQDN).
3. For Address, click Add and enter the IP address to which the FQDN should be mapped.
4. Repeat steps 1-3 to provide additional static entries.
5. Click OK.

Step 4: (Optional) Enable caching and configure other advanced settings for the DNS Proxy.
1. On the Advanced tab, click Cache to enable the firewall to cache FQDN-to-address mappings that the firewall learns.
   • Size: Enter the maximum number of entries the firewall can cache (range is 1024-10240; default is 1024).
   • Timeout: Enter the number of hours after which all cached entries are removed (range is 4-24; default is 4). DNS time-to-live values are used to remove cache entries when they have been stored for less than the configured timeout period. After a timeout, new DNS requests must be resolved and cached again.
2. Select TCP Queries to enable DNS queries using TCP.
   • Max Pending Requests: Enter the maximum number of concurrent, pending TCP DNS requests that the firewall will support (range is 64-256; default is 64).
3. For UDP Queries Retries, enter the following:
   • Interval: Enter the length of time (in seconds) after which another request is sent if no response has been received (range is 1-30; default is 2).
   • Attempts: Enter the maximum number of UDP query attempts (excluding the first attempt) after which the next DNS server is queried (range is 1-30; default is 5).

Step 5: Save the configuration.
Click OK and Commit.
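The lookup order described under DNS Proxy Object and the rule, static-entry and cache settings configured in the procedure above, as an added example that is not part of this guide or of PAN-OS: a Python model of one DNS proxy object that answers from static entries first, then from its cache, then forwards to the servers of the first matching proxy rule (wildcard matching token for token, so `*.engineering.local` does not match `engineering.local`), and otherwise to the object's default servers. Cache entries live for their DNS TTL but never longer than the configured Timeout. The server addresses, the rule, the static entry and the `fake_upstream` answers are constructed for illustration.

```python
# Added example (not PAN-OS code): a model of the DNS proxy object's lookup order
# and of its rule matching and cache behaviour.  Addresses, rules and upstream
# answers are constructed for illustration.


def domain_matches(pattern, name):
    """Wildcard rule match: '*' stands for exactly one label, and the number of
    labels (tokens) must be equal, so '*.engineering.local' matches
    'db.engineering.local' but neither 'engineering.local' nor 'a.b.engineering.local'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if len(p_labels) != len(n_labels):
        return False
    return all(p == "*" or p == n for p, n in zip(p_labels, n_labels))


class DnsProxy:
    def __init__(self, default_servers, rules, static_entries,
                 cache_size=1024, timeout_hours=4):
        self.default_servers = tuple(default_servers)
        # rules: (domain patterns, servers, cache_enabled) in configured order
        self.rules = [(tuple(p), tuple(s), c) for p, s, c in rules]
        self.static = {k.lower().rstrip("."): v for k, v in static_entries.items()}
        self.cache = {}                        # name -> (answer, expires_at)
        self.cache_size = cache_size           # Advanced > Cache > Size
        self.timeout = timeout_hours * 3600    # Advanced > Cache > Timeout, in seconds

    def select_servers(self, name):
        """First matching proxy rule wins; otherwise the object's default servers."""
        for patterns, servers, cache_enabled in self.rules:
            if any(domain_matches(p, name) for p in patterns):
                return servers, cache_enabled
        return self.default_servers, True

    def resolve(self, name, upstream, now=0):
        """Return (answer, via): via is 'static', 'cache', or the server tuple the
        query was forwarded to.  upstream(name, servers) -> (answer, ttl_seconds);
        now is a clock value in seconds so expiry can be demonstrated offline."""
        key = name.lower().rstrip(".")
        if key in self.static:                       # static entries never hit the network
            return self.static[key], "static"
        cached = self.cache.get(key)
        if cached and cached[1] > now:
            return cached[0], "cache"
        self.cache.pop(key, None)                    # drop an expired entry
        servers, cache_enabled = self.select_servers(key)
        answer, ttl = upstream(key, servers)
        if cache_enabled and answer is not None:
            if len(self.cache) >= self.cache_size:   # evict the entry closest to expiry
                del self.cache[min(self.cache, key=lambda k: self.cache[k][1])]
            # An entry lives for its DNS TTL, but never longer than the cache timeout.
            self.cache[key] = (answer, now + min(ttl, self.timeout))
        return answer, servers


# Constructed upstream answers (address, TTL); the log records which servers were chosen.
UPSTREAM = {
    "fileserver.engineering.local": ("10.1.20.5", 60),
    "www.example.com": ("93.184.216.34", 86400),
}
QUERY_LOG = []


def fake_upstream(name, servers):
    QUERY_LOG.append((name, servers))
    return UPSTREAM.get(name, (None, 0))


PROXY = DnsProxy(
    default_servers=["198.51.100.53", "198.51.100.54"],        # ISP resolvers (constructed)
    rules=[(["*.engineering.local", "engineering.local"],       # tenant's own zone, both forms
            ["10.1.1.53", "10.1.1.54"], True)],
    static_entries={"intranet.engineering.local": "10.1.1.80"},
)

if __name__ == "__main__":
    for q in ("intranet.engineering.local", "fileserver.engineering.local", "www.example.com"):
        print(q, PROXY.resolve(q, fake_upstream))
```

The split-DNS behaviour from Multi-Tenant DNS Deployments falls out of the rule list: names in the tenant's domain go to the tenant's servers, everything else to the default servers, and the two pattern entries are both needed because a wildcard never matches the bare apex.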

Configure a DNS Server Profile
Perform this task to configure a DNS Server Profile, which simplifies configuration of a virtual system. The Primary DNS or Secondary DNS address is used to create the DNS request that the virtual system sends to the DNS server.

Configure a DNS Server Profile

Step 1: Name the DNS server profile, select the virtual system to which it applies, and specify the primary and secondary DNS server addresses.
1. Select Device > Server Profiles > DNS and click Add.
2. Enter a Name for the DNS server profile.
3. For Location, select the virtual system to which the profile applies.
4. For Inheritance Source, from the drop-down, select None if the DNS server addresses are not inherited. Otherwise, specify the DNS server from which the profile should inherit settings. If you choose a DNS server, click Check inheritance source status to see that information.
5. Specify the IP address of the Primary DNS server, or leave as inherited if you chose an Inheritance Source.
   Keep in mind that if you specify an FQDN instead of an IP address, the DNS for that FQDN is resolved in Device > Virtual Systems > DNS Proxy.
6. Specify the IP address of the Secondary DNS server, or leave as inherited if you chose an Inheritance Source.

Step 2: Configure the service route that the firewall automatically uses, based on whether the target DNS Server has an IP address family type of IPv4 or IPv6.
1. Click Service Route IPv4 to enable the subsequent interface and IPv4 address to be used as the service route, if the target DNS address is an IPv4 address.
2. Specify the Source Interface to select the DNS server's source IP address that the service route will use. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
3. Specify the IPv4 Source Address from which packets going to the DNS server are sourced.
4. Click Service Route IPv6 to enable the subsequent interface and IPv6 address to be used as the service route, if the target DNS address is an IPv6 address.
5. Specify the Source Interface to select the DNS server's source IP address that the service route will use. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
6. Specify the IPv6 Source Address from which packets going to the DNS server are sourced.
7. Click OK.

Step 3: Save the configuration.
Click OK and Commit.


Configure Administrative Access Per Virtual System or Firewall
If you have a superuser administrative account, you can create and configure more granular permissions for a vsysadmin or deviceadmin role.

Create an Admin Role Profile Per Virtual System or Firewall

Step 1   Create an Admin Role Profile that grants or disables permission for an administrator to configure, or only read, various areas of the web interface.
         1. Select Device > Admin Roles and Add an Admin Role Profile.
         2. Enter a Name and optional Description of the profile.
         3. For Role, specify which level of control the profile affects:
            Device: The profile allows the management of the global settings and any virtual systems.
            Virtual System: The profile allows the management of only the virtual system(s) assigned to the administrator(s) who have this profile. (The administrator will be able to access Device > Setup > Services > Virtual Systems, but not the Global tab.)
         4. On the Web UI tab for the Admin Role Profile, scroll down to Device, and leave the green check mark (Enable). Under Device, enable Setup. Under Setup, enable the areas to which this profile will grant configuration permission to the administrator. (The Read Only lock icon appears in the Enable/Disable rotation if Read Only is allowed for that setting.)
            Management: Allows an admin with this profile to configure settings on the Management tab.
            Operations: Allows an admin with this profile to configure settings on the Operations tab.
            Services: Allows an admin with this profile to configure settings on the Services tab. An admin must have Services enabled in order to access the Device > Setup > Services > Virtual Systems tab. If the Role was specified as Virtual System in the prior step, Services is the only setting that can be enabled under Device > Setup.
            Content-ID: Allows an admin with this profile to configure settings on the Content-ID tab.
            WildFire: Allows an admin with this profile to configure settings on the WildFire tab.
            Session: Allows an admin with this profile to configure settings on the Session tab.
            HSM: Allows an admin with this profile to configure settings on the HSM tab.
         5. Click OK.
         6. (Optional) Repeat the entire step to create another Admin Role profile with different permissions, as necessary.

Step 2   Apply the Admin Role profile to an administrator.
         1. Select Device > Administrators, click Add and enter the Name to add an Administrator.
         2. (Optional) Select an Authentication Profile.
         3. (Optional) Select Use only client certificate authentication (Web) for mutual (bidirectional) authentication, in which the firewall also authenticates the administrator's browser by its client certificate.
         4. Enter a Password and Confirm Password.
         5. (Optional) Select Use Public Key Authentication (SSH) if you want to use a much stronger, key-based authentication method using an SSH public key rather than just a password.
         6. For Administrator Type, select Role Based.
         7. For Profile, select the profile that you just created.
         8. (Optional) Select a Password Profile.
         9. Click OK.

Step 3   Save the configuration.
         Click Commit and OK.


DNS Resolution: Three Use Cases
The firewall determines how to handle DNS requests based on where the request originated. This section illustrates three types of DNS resolution, which are listed in the following table. The binding location determines which DNS proxy object is used for the resolution. For illustration purposes, the use cases show how a service provider might configure DNS settings to provide DNS services for resolving DNS queries required on the firewall and for tenant (subscriber) virtual systems.

Resolution type: Firewall DNS resolution, performed by the management plane
    Location Shared: Binding: Global. Illustrated in Use Case 1.
    Location Specific vsys: N/A

Resolution type: Security profile, reporting, and server profile resolution, performed by the management plane
    Location Shared: Binding: Global. Same behavior as Use Case 1.
    Location Specific vsys: Binding: Specific vsys. Illustrated in Use Case 2.

Resolution type: DNS proxy resolution for DNS client hosts connected to an interface on the firewall, going through the firewall to a DNS server, performed by the dataplane
    Binding: Interface
    Service Route: Interface and IP address on which the DNS request was received
    Illustrated in Use Case 3.

  Use Case 1: Firewall Requires DNS Resolution for Management Purposes
  Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
  Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

Use Case 1: Firewall Requires DNS Resolution for Management Purposes
In this use case, the firewall is the client requesting DNS resolutions of FQDNs for management events such as software update services, dynamic software updates, or WildFire. The shared, global DNS services perform the DNS resolution for the management plane functions.


Configure DNS Services for the Firewall

Step 1   Configure the primary and secondary DNS servers you want the firewall to use for its management DNS resolutions.
         You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
         1. Select Device > Setup > Services > Global and Edit. (For firewalls that do not support multiple virtual systems, there is no Global tab; simply edit the Services.)
         2. On the Services tab, for DNS, click Servers and enter the Primary DNS Server address and Secondary DNS Server address.
         3. Click OK and Commit.

Step 2   Alternatively, you can configure a DNS Proxy Object if you want to configure advanced DNS functions such as split DNS, DNS proxy overrides, DNS proxy rules, static entries, or DNS inheritance.
         1. On the Services tab, for DNS, click DNS Proxy Object.
         2. From the DNS Proxy drop-down, select the DNS proxy that you want to use to configure global DNS services, or click DNS Proxy to configure a new DNS proxy object, as shown in the subsequent steps.
         3. To create a new proxy object, click Enable and enter a Name for the DNS proxy object.
         4. For Location, select Shared for global, firewall-wide DNS proxy services.
            Shared DNS proxy objects do not use DNS server profiles because they do not require a specific service route belonging to a tenant virtual system.
         5. For Primary, enter the primary DNS server IP address. Optionally enter a Secondary DNS server IP address. In the ISP example in the screenshot, the DNS proxy defines the primary and secondary DNS servers that are used to resolve the firewall management services.
         6. Click OK and Commit.


Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
In this use case, multiple tenants (ISP subscribers) are defined on the firewall and each tenant is allocated a separate virtual system (vsys) and virtual router in order to segment its services and administrative domains. The following figure illustrates several virtual systems within a firewall.

Each tenant has its own server profiles for Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks.

For the DNS resolutions initiated by these services, each virtual system is configured with its own DNS Proxy object to allow each tenant to customize how DNS resolution is handled within its virtual system. Any service with a Location will use the DNS Proxy object configured for the virtual system to determine the primary (or secondary) DNS server to resolve FQDNs, as illustrated in the following figure.

Configure a DNS Proxy for a Virtual System

Step 1   For each virtual system, specify the DNS Proxy to use.
         1. Select Device > Virtual Systems and click Add.
         2. Enter the ID of the virtual system (range is 1-255), and an optional Name, in this example, Corp1 Corporation.
         3. On the General tab, choose a DNS Proxy or create a new one. In this example, Corp1 DNS Proxy is selected as the proxy for Corp1 Corporation's virtual system. (If you need to create a new DNS Proxy, Step 2 below shows how to create a DNS Proxy and a Server Profile.)
         4. For Interfaces, click Add. In this example, Ethernet1/20 is dedicated to this tenant.
         5. For Virtual Routers, click Add. A virtual router named Corp1 VR is assigned to the virtual system in order to separate routing functions.
         6. Click OK to save the configuration.

Step 2   Configure a DNS Proxy and a server profile to support DNS resolution for a virtual system.
         1. Select Network > DNS Proxy and click Add.
         2. Click Enable and enter a Name for the DNS Proxy.
         3. For Location, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6). (You could choose the Shared DNS Proxy resource instead.)
         4. For Server Profile, choose or create a profile to customize the DNS servers used for DNS resolutions for this tenant's security policy, reporting, and server profile services. If the profile is not already configured, in the Server Profile field, click DNS Server Profile to Configure a DNS Server Profile.
            The DNS server profile identifies the IP addresses of the primary and secondary DNS server to use for management DNS resolutions for this virtual system.
         5. Also for this server profile, optionally configure a Service Route IPv4 and/or a Service Route IPv6 to instruct the firewall which Source Interface to use in its DNS requests. If that interface has more than one IP address, configure the Source Address also.
         6. Click OK to save the DNS Server Profile.
         7. Click OK and Commit to save the DNS Proxy.

         Optional advanced features such as split DNS can be configured using DNS Proxy Rules. A separate DNS server profile can be used to redirect DNS resolutions matching the Domain Name in a DNS Proxy Rule to another set of DNS servers, if required. Use Case 3 illustrates split DNS.

If you use two separate DNS server profiles in the same DNS Proxy object, one for the DNS Proxy and one for the DNS proxy rule, the following behaviors occur:

- If a service route is defined in the DNS server profile used by the DNS Proxy, it takes precedence and is used.
- If a service route is defined in the DNS server profile used in the DNS proxy rules, it is not used. If that service route differs from the one defined in the DNS server profile used by the DNS Proxy, the following warning message is displayed during the Commit process:
  Warning: The DNS service route defined in the DNS proxy object is different from the DNS proxy rule's service route. Using the DNS proxy object's service route.
- If no service route is defined in any DNS server profile, the global service route is used if needed.

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant's network connected to the firewall interface. In such a scenario, the firewall performs DNS resolution on its dataplane.

This scenario uses split DNS, a configuration where DNS Proxy Rules are configured to redirect DNS requests to a set of DNS servers based on a domain name match. If there is no match, the Server Profile determines the DNS servers to which the request is sent; hence the two, split DNS resolution methods.

For dataplane DNS resolutions, the source IP address of the query that the DNS proxy in PAN-OS sends to the outside DNS server is the address of the proxy (the destination IP of the original request). Any service routes defined in the DNS Server Profile are not used. For example, if the request is from host 1.1.1.1 to the DNS proxy at 2.2.2.2, then the request to the DNS server (at 3.3.3.3) uses a source of 2.2.2.2 and a destination of 3.3.3.3.

Configure a DNS Proxy and DNS Proxy Rules

Step 1   Configure a DNS Proxy and DNS proxy rules.
         1. Select Network > DNS Proxy and click Add.
         2. Click Enable and enter a Name for the DNS Proxy.
         3. For Location, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6).
         4. For Interface, select the interface that will receive the DNS requests from the tenant's hosts, in this example, Ethernet1/20.
         5. Choose or create a Server Profile to customize the DNS servers that resolve DNS requests for this tenant.
         6. On the DNS Proxy Rules tab, click Add and enter a Name for the rule.
         7. Optionally select Turn on caching of domains resolved by this mapping.
         8. Click Add and enter one or more Domain Name(s), one entry per row.
            Each domain name can contain * as a wildcard. The wildcard stands for one label, so the number of labels (dot-separated tokens) in a wildcard string must equal the number of labels in the requested domain for it to match. For example, *.engineering.local does not match engineering.local. Both domain names must be specified in order for both to be matched.
         9. For DNS Server profile, select a profile from the drop-down.
            The firewall compares the domain name in the DNS request to the domain name(s) defined in the DNS Proxy Rules. If there is a match, the DNS Server profile defined in the rule is used to determine the DNS server. In this example, if the domain in the request matches myweb.corp1.com, the DNS server defined in the myweb DNS Server Profile is used. If there is no match, the DNS server defined in the Server Profile (Corp1 DNS Server Profile) is used.
         10. Click OK to save the rule.
         11. Click OK to save the DNS Proxy.
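The decision logic that Use Case 2 (service-route precedence between the DNS Proxy object's server profile and a rule's server profile) and Use Case 3 (wildcard rule matching and the dataplane source address) describe in prose can be written out as one small model. The following Go program is an added example, not code from this guide or from PAN-OS. The profile names Corp1 DNS Server Profile and myweb and the domain myweb.corp1.com come from the use cases; the IP addresses (RFC 5737 documentation ranges), the one-label reading of the * wildcard, the rule set, and the wording of the CommitWarnings output are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// ServerProfile models a DNS Server Profile; ServiceRoute holds the route's source address ("" = none defined).
type ServerProfile struct {
	Name, Primary, Secondary, ServiceRoute string
}

type ProxyRule struct {
	Domains []string
	Profile *ServerProfile
}

// DNSProxy models a DNS Proxy object. InterfaceAddr is set when the proxy is bound to a
// dataplane interface (Use Case 3) and empty when it serves only vsys management lookups (Use Case 2).
type DNSProxy struct {
	Default       *ServerProfile
	Rules         []ProxyRule
	InterfaceAddr string
}

const globalServiceRoute = "global-service-route" // stands in for the firewall's global service route

// matchDomain applies the rule wildcard as the guide describes it: "*" stands for one label and
// the label counts must be equal, so "*.engineering.local" matches "build.engineering.local"
// but not "engineering.local".
func matchDomain(pattern, qname string) bool {
	p := strings.Split(strings.ToLower(strings.TrimSuffix(pattern, ".")), ".")
	q := strings.Split(strings.ToLower(strings.TrimSuffix(qname, ".")), ".")
	if len(p) != len(q) {
		return false
	}
	for i := range p {
		if p[i] != "*" && p[i] != q[i] {
			return false
		}
	}
	return true
}

// Resolve implements split DNS (first matching rule wins, else the proxy's own Server Profile)
// and returns the chosen profile with the source address the outbound query uses.
func (d *DNSProxy) Resolve(qname string) (prof *ServerProfile, source string) {
	prof = d.Default
rules:
	for _, r := range d.Rules {
		for _, dom := range r.Domains {
			if matchDomain(dom, qname) {
				prof = r.Profile
				break rules
			}
		}
	}
	switch {
	case d.InterfaceAddr != "":
		source = d.InterfaceAddr // dataplane proxy: sourced from the proxy address; service routes ignored
	case d.Default.ServiceRoute != "":
		source = d.Default.ServiceRoute // management lookups: the proxy object's route wins, even for rule hits
	default:
		source = globalServiceRoute // no route in any usable profile: fall back to the global service route
	}
	return prof, source
}

// CommitWarnings mirrors the commit-time check: a rule profile whose service route differs
// from the proxy object's is reported, because that route will never be used.
func (d *DNSProxy) CommitWarnings() []string {
	var w []string
	for _, r := range d.Rules {
		if r.Profile.ServiceRoute != "" && r.Profile.ServiceRoute != d.Default.ServiceRoute {
			w = append(w, fmt.Sprintf("rule profile %q: service route %s differs from the DNS proxy object's; using the proxy object's service route",
				r.Profile.Name, r.Profile.ServiceRoute))
		}
	}
	return w
}

// corp1Proxy builds the Corp1 tenant example; all addresses are constructed (RFC 5737 ranges).
func corp1Proxy(interfaceAddr string) *DNSProxy {
	corp1 := &ServerProfile{Name: "Corp1 DNS Server Profile", Primary: "192.0.2.53", Secondary: "192.0.2.54", ServiceRoute: "192.0.2.1"}
	myweb := &ServerProfile{Name: "myweb", Primary: "198.51.100.53", ServiceRoute: "198.51.100.1"}
	rule := ProxyRule{Domains: []string{"myweb.corp1.com", "*.engineering.local"}, Profile: myweb}
	return &DNSProxy{Default: corp1, Rules: []ProxyRule{rule}, InterfaceAddr: interfaceAddr}
}

func main() {
	for _, q := range []string{"myweb.corp1.com", "build.engineering.local", "engineering.local", "updates.paloaltonetworks.com"} {
		p, src := corp1Proxy("").Resolve(q)              // vsys management lookup (Use Case 2)
		dp, dsrc := corp1Proxy("203.0.113.2").Resolve(q) // dataplane proxy bound to Ethernet1/20 (Use Case 3)
		fmt.Printf("%-30s vsys: %s via %s | dataplane: %s via %s\n", q, p.Name, src, dp.Name, dsrc)
	}
	for _, w := range corp1Proxy("").CommitWarnings() {
		fmt.Println("Warning:", w)
	}
}
```

Running it shows the two behaviours side by side: for a management-plane lookup a query that hits the myweb rule still leaves from the proxy object's service route (192.0.2.1), and the rule profile's differing route only produces a commit warning; for the dataplane proxy every query leaves from the proxy's own interface address, whatever the profiles say.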


Virtual System Functionality with Other Features
Many of the firewall's features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual systems are mentioned in other relevant locations in the documentation and that information is not repeated here. Some of the specific chapters are the following:

- If you are configuring Active/Passive HA, the two firewalls must have the same virtual system capability (single or multiple virtual system capability). See High Availability.
- To configure QoS for virtual systems, see Configure QoS for a Virtual System.
- For information about configuring a firewall with virtual systems in a virtual wire deployment that uses subinterfaces (and VLAN tags), see Virtual Wire Subinterfaces in Interface Deployments.


Certifications
The following topics describe how to configure the firewall to support the Common Criteria and the Federal Information Processing Standard 140-2 (FIPS 140-2), which are security certifications that ensure a standard set of security assurances and functionalities. These certifications are often required by civilian U.S. government agencies and government contractors.

  Enable FIPS and Common Criteria Support
  FIPS-CC Security Functions


Enable FIPS and Common Criteria Support
Use the following procedure to enable FIPS-CC mode on a software version that supports Common Criteria and the Federal Information Processing Standards 140-2 (FIPS 140-2). When you enable FIPS-CC mode, all FIPS and CC functionality is included.

When you enable FIPS-CC mode, the firewall will reset to the factory default settings; all configuration will be removed.

Enable FIPS-CC Mode

Step 1   Boot the firewall into maintenance mode as follows:
         1. Establish a serial connection to the console port on the firewall.
         2. Enter the following CLI command:
            debug system maintenance-mode
         3. Press Enter to continue.
         You can also reboot the firewall and enter maint at the maintenance mode prompt.

Step 2   Select Set FIPS-CC Mode from the menu.

Step 3   Select Enable FIPS-CC Mode from the menu.

Step 4   When prompted, select Reboot.
         After successfully switching to FIPS-CC mode, the following status displays: FIPS-CC mode enabled successfully. In addition, the following changes will take place:
         - FIPS-CC will display at all times in the status bar at the bottom of the web interface.
         - The console port functions as a status output port only.
         - The default admin login credentials change to admin/paloalto.


FIPS-CC Security Functions
When FIPS-CC mode is enabled, the following security functions are enforced:

- To log in to the firewall, the browser must be TLS 1.0 (or later) compatible. On a WF-500 appliance, you manage the appliance using the CLI only and you must connect using an SSHv2-compatible client application.
- All passwords on the firewall must be at least six characters.
- You must enforce a Failed Attempts and Lockout Time (min) value that is greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
- You must enforce an Idle Timeout value greater than 0 in authentication settings. If a login session is idle for more than the specified value, the account is automatically logged out.
- The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
- Traffic using algorithms that are not FIPS/CC-approved is not decrypted and is thus ignored during decryption.
- When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
- Self-generated and imported certificates must contain public keys that are either RSA 2048 bits (or more) or ECDSA 256 bits (or more), and you must use a digest of SHA-256 or greater.
- The serial console port is only available as a status output port when FIPS-CC mode is enabled.
- Telnet, TFTP, and HTTP management connections are unavailable.
- High availability (HA) port encryption is required.
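The certificate requirement in the list above (RSA 2048 bits or more, or ECDSA 256 bits or more, with a SHA-256 or stronger digest) is one you can check before importing a certificate into a FIPS-CC firewall. The following Go program is an added example written against the Go standard library; it is not code from this guide or from PAN-OS, and the self-signed certificates it generates (CN fips-cc-check.example) are constructed test input. It treats RSA-PSS signatures as acceptable alongside PKCS#1 v1.5, an assumption not stated on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckFIPSCCCert applies the certificate requirements listed above: an RSA public key of
// at least 2048 bits or an ECDSA public key of at least 256 bits, and a signature digest of
// SHA-256 or stronger. It returns one message per requirement the certificate fails.
func CheckFIPSCCCert(cert *x509.Certificate) []string {
	var problems []string
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < 2048 {
			problems = append(problems, fmt.Sprintf("RSA key is %d bits; FIPS-CC requires at least 2048", bits))
		}
	case *ecdsa.PublicKey:
		if bits := pub.Curve.Params().BitSize; bits < 256 {
			problems = append(problems, fmt.Sprintf("ECDSA key is %d bits; FIPS-CC requires at least 256", bits))
		}
	default:
		problems = append(problems, fmt.Sprintf("unsupported public key type %T", pub))
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		// digest is SHA-256 or stronger
	default:
		problems = append(problems, fmt.Sprintf("signature algorithm %s uses a digest weaker than SHA-256", cert.SignatureAlgorithm))
	}
	return problems
}

// selfSigned issues a throwaway self-signed certificate for the given key pair (constructed test input only).
func selfSigned(priv, pub any, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "fips-cc-check.example"},
		NotBefore:          time.Now(),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// rsaCert and ecdsaCert generate a key of the requested strength and self-sign a certificate with it.
func rsaCert(bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return selfSigned(key, &key.PublicKey, alg)
}

func ecdsaCert(curve elliptic.Curve, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	return selfSigned(key, &key.PublicKey, alg)
}

func must(c *x509.Certificate, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	samples := []struct {
		label string
		cert  *x509.Certificate
	}{
		{"rsa-2048/sha256", must(rsaCert(2048, x509.SHA256WithRSA))},                   // accepted
		{"rsa-1024/sha256", must(rsaCert(1024, x509.SHA256WithRSA))},                   // key too small
		{"ecdsa-p256/sha256", must(ecdsaCert(elliptic.P256(), x509.ECDSAWithSHA256))}, // accepted
		{"ecdsa-p224/sha256", must(ecdsaCert(elliptic.P224(), x509.ECDSAWithSHA256))}, // key too small
	}
	for _, s := range samples {
		fmt.Printf("%-18s %v\n", s.label, CheckFIPSCCCert(s.cert))
	}
}
```

To check a certificate you are about to import, load its PEM with encoding/pem and x509.ParseCertificate and pass the result to CheckFIPSCCCert; an empty result means both the key size and the digest meet the FIPS-CC constraint on this page.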
