Administrator's Guide
Version 7.1
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us
About this Guide
This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall. For additional information, refer to the following resources:
For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.
For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and Panorama 7.1 release notes, go to https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: May 19, 2016
PAN-OS 7.1 Administrator's Guide
Palo Alto Networks, Inc.
Table of Contents
Getting Started ... 17
Integrate the Firewall into Your Management Network ... 18
Determine Your Management Strategy ... 18
Perform Initial Configuration ... 19
Set Up Network Access for External Services ... 23
Register the Firewall ... 27
Activate Licenses and Subscriptions ... 28
Install Content and Software Updates ... 30
Segment Your Network Using Interfaces and Zones ... 34
Network Segmentation for a Reduced Attack Surface ... 34
Configure Interfaces and Zones ... 35
Set Up a Basic Security Policy ... 38
Assess Network Traffic ... 42
Enable Basic Threat Prevention Features ... 44
Enable Basic WildFire Forwarding ... 44
Scan Traffic for Threats ... 46
Control Access to Web Content ... 50
Enable AutoFocus Threat Intelligence ... 53
Best Practices for Completing the Firewall Deployment ... 55
Firewall Administration ... 57
Management Interfaces ... 58
Use the Web Interface ... 59
Launch the Web Interface ... 59
Configure Banners, Message of the Day, and Logos ... 60
Use the Administrator Login Activity Indicators to Detect Account Misuse ... 62
Manage and Monitor Administrative Tasks ... 64
Commit, Validate, and Preview Firewall Configuration Changes ... 64
Use Global Find to Search the Firewall or Panorama Management Server ... 66
Manage Locks for Restricting Configuration Changes ... 67
Manage Configuration Backups ... 69
Back Up a Configuration ... 69
Restore a Configuration ... 70
Manage Firewall Administrators ... 72
Administrative Roles ... 72
Administrative Authentication ... 73
Configure Administrative Accounts and Authentication ... 74
Configure an Administrative Account ... 74
Configure Kerberos SSO and External or Local Authentication for Administrators ... 75
Configure Certificate-Based Administrator Authentication to the Web Interface ... 76
Configure SSH Key-Based Administrator Authentication to the CLI ... 78
Configure RADIUS Vendor-Specific Attributes for Administrator Authentication ... 78
Reference: Web Interface Administrator Access ... 80
Web Interface Access Privileges ... 80
Panorama Web Interface Access ... 120
Reference: Port Number Usage ... 124
Ports Used for Management Functions ... 124
Ports Used for HA ... 125
Ports Used for Panorama ... 125
Ports Used for User-ID ... 126
Reset the Firewall to Factory Default Settings ... 128
Bootstrap the Firewall ... 129
USB Flash Drive Support ... 129
Sample init-cfg.txt Files ... 130
Prepare a USB Flash Drive for Bootstrapping a Firewall ... 131
Bootstrap a Firewall Using a USB Flash Drive ... 134
Authentication ... 137
Configure an Authentication Profile and Sequence ... 138
Configure Kerberos Single Sign-On ... 141
Configure Local Database Authentication ... 142
Configure External Authentication ... 143
Configure Authentication Server Profiles ... 143
Configure a RADIUS Server Profile ... 143
RADIUS Vendor-Specific Attributes Support ... 144
Configure a TACACS+ Server Profile ... 145
Configure an LDAP Server Profile ... 146
Configure a Kerberos Server Profile ... 148
Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers ... 148
Enable External Authentication for Users and Services ... 149
Test Authentication Server Connectivity ... 150
Run the Test Authentication Command ... 150
Test a Local Database Authentication Profile ... 151
Test a RADIUS Authentication Profile ... 152
Test a TACACS+ Authentication Profile ... 154
Test an LDAP Authentication Profile ... 155
Test a Kerberos Authentication Profile ... 156
Troubleshoot Authentication Issues ... 158
Certificate Management ... 159
Keys and Certificates ... 160
Certificate Revocation ... 162
Certificate Revocation List (CRL) ... 162
Online Certificate Status Protocol (OCSP) ... 163
Certificate Deployment ... 164
Set Up Verification for Certificate Revocation Status ... 165
Configure an OCSP Responder ... 165
Configure Revocation Status Verification of Certificates ... 166
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption ... 166
Configure the Master Key ... 168
Obtain Certificates ... 169
Create a Self-Signed Root CA Certificate ... 169
Generate a Certificate ... 170
Import a Certificate and Private Key ... 171
Obtain a Certificate from an External CA ... 172
Export a Certificate and Private Key ... 174
Configure a Certificate Profile ... 175
Configure an SSL/TLS Service Profile ... 177
Replace the Certificate for Inbound Management Traffic ... 178
Configure the Key Size for SSL Forward Proxy Server Certificates ... 179
Revoke and Renew Certificates ... 180
Revoke a Certificate ... 180
Renew a Certificate ... 180
Secure Keys with a Hardware Security Module ... 181
Set up Connectivity with an HSM ... 181
Encrypt a Master Key Using an HSM ... 186
Store Private Keys on an HSM ... 187
Manage the HSM Deployment ... 188
High Availability ... 189
HA Overview ... 190
HA Concepts ... 191
HA Modes ... 191
HA Links and Backup Links ... 192
Device Priority and Preemption ... 195
Failover ... 195
LACP and LLDP Pre-Negotiation for Active/Passive HA ... 196
Floating IP Address and Virtual MAC Address ... 196
ARP Load-Sharing ... 198
Route-Based Redundancy ... 200
HA Timers ... 200
Session Owner ... 203
Session Setup ... 203
NAT in Active/Active HA Mode ... 205
ECMP in Active/Active HA Mode ... 206
Set Up Active/Passive HA ... 207
Prerequisites for Active/Passive HA ... 207
Configuration Guidelines for Active/Passive HA ... 208
Configure Active/Passive HA ... 210
Define HA Failover Conditions ... 215
Verify Failover ... 216
Set Up Active/Active HA ... 217
Prerequisites for Active/Active HA ... 217
Configure Active/Active HA ... 218
Use Case: Configure Active/Active HA with Route-Based Redundancy ... 224
Use Case: Configure Active/Active HA with Floating IP Addresses ... 225
Use Case: Configure A/A HA with ARP Load-Sharing ... 226
Use Case: Configure A/A HA with Floating IP Address Bound to A-P Firewall ... 227
Use Case: Configure A/A HA with Source DIPP NAT Using Floating IP Addresses ... 231
Use Case: Configure Separate Source NAT IP Address Pools for A/A HA Firewalls ... 234
Use Case: Configure A/A HA for ARP Load-Sharing with Destination NAT ... 235
Use Case: Configure A/A HA for ARP Load-Sharing with Destination NAT in Layer 3 ... 238
HA Firewall States ... 241
Reference: HA Synchronization ... 243
What Settings Don't Sync in Active/Passive HA? ... 243
What Settings Don't Sync in Active/Active HA? ... 245
Synchronization of System Runtime Information ... 247
User-ID ... 369
User-ID Overview ... 370
User-ID Concepts ... 372
Group Mapping ... 372
User Mapping ... 372
Enable User-ID ... 376
Map Users to Groups ... 377
Map IP Addresses to Users ... 380
Configure User Mapping Using the Windows User-ID Agent ... 380
Configure User Mapping Using the PAN-OS Integrated User-ID Agent ... 386
Configure User-ID to Receive User Mappings from a Syslog Sender ... 389
Map IP Addresses to Usernames Using Captive Portal ... 398
Configure User Mapping for Terminal Server Users ... 405
Send User Mappings to User-ID Using the XML API ... 412
Enable User- and Group-Based Policy ... 413
Enable Policy for Users with Multiple Accounts ... 415
Verify the User-ID Configuration ... 417
Deploy User-ID in a Large-Scale Network ... 419
Deploy User-ID for Numerous Mapping Information Sources ... 419
Configure Firewalls to Redistribute User Mapping Information ... 423
Decryption ... 485
Decryption Overview ... 486
Decryption Concepts ... 487
Keys and Certificates for Decryption Policies ... 487
SSL Forward Proxy ... 488
SSL Inbound Inspection ... 489
SSH Proxy ... 490
Decryption Exceptions ... 491
Decryption Mirroring ... 492
Define Traffic to Decrypt ... 493
Create a Decryption Profile ... 493
Create a Decryption Policy Rule ... 495
Configure SSL Forward Proxy ... 497
Configure SSL Inbound Inspection ... 502
Configure SSH Proxy ... 504
Configure Decryption Exceptions ... 505
Exclude Traffic from Decryption ... 505
Exclude a Server from Decryption ... 506
Enable Users to Opt Out of SSL Decryption ... 507
Configure Decryption Port Mirroring ... 509
Temporarily Disable SSL Decryption ... 511
URL Filtering ... 513
URL Filtering Overview ... 514
URL Filtering Vendors ... 514
Interaction Between App-ID and URL Categories ... 515
PAN-DB Private Cloud ... 515
URL Filtering Concepts ... 518
URL Categories ... 518
URL Filtering Profile ... 520
URL Filtering Profile Actions ... 520
Block and Allow Lists ... 521
External Dynamic List for URLs ... 522
Safe Search Enforcement ... 522
Container Pages ... 524
HTTP Header Logging ... 524
URL Filtering Response Pages ... 525
URL Category as Policy Match Criteria ... 527
PAN-DB Categorization ... 529
PAN-DB URL Categorization Components ... 529
PAN-DB URL Categorization Workflow ... 530
Enable a URL Filtering Vendor ... 532
Enable PAN-DB URL Filtering ... 532
Enable BrightCloud URL Filtering ... 533
Determine URL Filtering Policy Requirements ... 536
Use an External Dynamic List in a URL Filtering Profile ... 538
Monitor Web Activity ... 540
Monitor Web Activity of Network Users ... 540
View the User Activity Report ... 542
Configure Custom URL Filtering Reports ... 544
Configure URL Filtering ... 545
Customize the URL Filtering Response Pages ... 547
Configure URL Admin Override ... 548
Enable Safe Search Enforcement ... 550
Block Search Results that are not Using Strict Safe Search Settings ... 550
Enable Transparent Safe Search Enforcement ... 553
Set Up the PAN-DB Private Cloud ... 558
URL Filtering Use Case Examples ... 563
Use Case: Control Web Access ... 563
Use Case: Use URL Categories for Policy Matching ... 567
Troubleshoot URL Filtering ... 569
Problems Activating PAN-DB ... 569
PAN-DB Cloud Connectivity Issues ... 570
URLs Classified as Not-Resolved ... 571
Incorrect Categorization ... 572
URL Database Out of Date ... 573
Large Scale VPN (LSVPN) ... 645
LSVPN Overview ... 646
Create Interfaces and Zones for the LSVPN ... 647
Enable SSL Between GlobalProtect LSVPN Components ... 649
About Certificate Deployment ... 649
Deploy Server Certificates to the GlobalProtect LSVPN Components ... 649
Deploy Client Certificates to the GlobalProtect Satellites Using SCEP ... 652
Configure the Portal to Authenticate Satellites ... 655
Configure GlobalProtect Gateways for LSVPN ... 657
Prerequisite Tasks ... 657
Configure the Gateway ... 657
Configure the GlobalProtect Portal for LSVPN ... 660
Prerequisite Tasks ... 660
Configure the Portal ... 660
Define the Satellite Configurations ... 661
Prepare the Satellite to Join the LSVPN ... 665
Verify the LSVPN Configuration ... 667
LSVPN Quick Configs ... 668
Basic LSVPN Configuration with Static Routing ... 669
Advanced LSVPN Configuration with Dynamic Routing ... 672
Networking ... 675
Interface Deployments ... 676
Virtual Wire Deployments ... 676
Layer 2 Deployments ... 679
Layer 3 Deployments ... 679
Tap Mode Deployments ... 680
Configure an Aggregate Interface Group ... 682
Use Interface Management Profiles to Restrict Access ... 685
Virtual Routers ... 687
Static Routes ... 689
RIP ... 691
OSPF ... 693
OSPF Concepts ... 693
Configure OSPF ... 695
Configure OSPFv3 ... 700
Configure OSPF Graceful Restart ... 702
Confirm OSPF Operation ... 703
BGP ... 705
Session Settings and Timeouts ... 710
Transport Layer Sessions ... 710
TCP ... 710
UDP ... 715
ICMP ... 715
Configure Session Timeouts ... 716
Configure Session Settings ... 718
Prevent TCP Split Handshake Session Establishment ... 720
DHCP ... 722
DHCP Overview ... 722
Firewall as a DHCP Server and Client ... 723
DHCP Messages ... 723
DHCP Addressing ... 724
DHCP Options ... 726
Configure an Interface as a DHCP Server ... 728
Configure an Interface as a DHCP Client ... 732
Configure the Management Interface as a DHCP Client ... 733
Configure an Interface as a DHCP Relay Agent ... 735
Monitor and Troubleshoot DHCP ... 735
NAT ... 737
NAT Policy Rules ... 737
Source NAT and Destination NAT ... 740
NAT Rule Capacities ... 741
Dynamic IP and Port NAT Oversubscription ... 741
Dataplane NAT Memory Statistics ... 743
Configure NAT ... 744
NAT Configuration Examples ... 751
NPTv6 ... 759
NPTv6 Overview ... 759
How NPTv6 Works ... 761
NDP Proxy ... 762
NPTv6 and NDP Proxy Example ... 764
Create an NPTv6 Policy ... 765
ECMP ... 768
ECMP Load-Balancing Algorithms ... 768
ECMP Platform, Interface, and IP Routing Support ... 769
Configure ECMP on a Virtual Router ... 770
Enable ECMP for Multiple BGP Autonomous Systems ... 771
Verify ECMP ... 773
Policy ... 795
Policy Types ... 796
Security Policy ... 797
Components of a Security Policy Rule ... 797
Security Policy Actions ... 800
Create a Security Policy Rule ... 800
Policy Objects ... 803
Security Profiles ... 804
Antivirus Profiles ... 805
Anti-Spyware Profiles ... 805
Vulnerability Protection Profiles ... 806
URL Filtering Profiles ... 806
Data Filtering Profiles ... 807
File Blocking Profiles ... 808
WildFire Analysis Profiles ... 808
DoS Protection Profiles ... 808
Zone Protection Profiles ... 809
Security Profile Group ... 809
Best Practice Internet Gateway Security Policy ... 813
What Is a Best Practice Internet Gateway Security Policy? ... 813
Why Do I Need a Best Practice Internet Gateway Security Policy? ... 815
How Do I Deploy a Best Practice Internet Gateway Security Policy? ... 816
Identify Whitelist Applications ... 817
Create User Groups for Access to Whitelist Applications ... 820
Decrypt Traffic for Full Visibility and Threat Inspection ... 820
Create Best Practice Security Profiles ... 822
Define the Initial Internet Gateway Security Policy ... 826
Monitor and Fine-Tune the Policy Rulebase ... 834
Remove the Temporary Rules ... 835
Maintain the Rulebase ... 836
Enumeration of Rules Within a Rulebase ... 837
Move or Clone a Policy Rule or Object to a Different Virtual System ... 838
Use Tags to Group and Visually Distinguish Objects ... 839
Create and Apply Tags ... 839
Modify Tags ... 840
Use the Tag Browser ... 840
Use an External Dynamic List in Policy ... 845
External Dynamic List ... 845
Formatting Guidelines for an External Dynamic List ... 846
Enforce Policy on Entries in an External Dynamic List ... 847
View the List of Entries in an External Dynamic List ... 850
Retrieve an External Dynamic List from the Web Server ... 851
Register IP Addresses and Tags Dynamically ... 852
Monitor Changes in the Virtual Environment ... 853
Enable VM Monitoring to Track Changes on the Virtual Network ... 853
Attributes Monitored in the AWS and VMware Environments ... 855
Use Dynamic Address Groups in Policy ... 856
CLI Commands for Dynamic IP Addresses and Tags ... 859
Identify Users Connected through a Proxy Server ... 861
Use XFF Values for Policies and Logging Source Users ... 861
Add XFF Values to URL Filtering Logs ... 862
Policy-Based Forwarding ... 863
PBF ... 863
Create a Policy-Based Forwarding Rule ... 866
Use Case: PBF for Outbound Access with Dual ISPs ... 867
DoS Protection Against Flooding of New Sessions ... 875
DoS Protection Against Flooding of New Sessions ... 875
Configure DoS Protection Against Flooding of New Sessions ... 878
Use the CLI to End a Single Attacking Session ... 881
Identify Sessions That Use an Excessive Percentage of the Packet Buffer ... 881
Discard a Session Without a Commit ... 884
Virtual Systems ... 885
Virtual Systems Overview ... 886
Virtual System Components and Segmentation ... 886
Benefits of Virtual Systems ... 887
Use Cases for Virtual Systems ... 887
Platform Support and Licensing for Virtual Systems ... 888
Administrative Roles for Virtual Systems ... 888
Shared Objects for Virtual Systems ... 888
Communication Between Virtual Systems ... 889
Inter-VSYS Traffic That Must Leave the Firewall ... 889
Inter-VSYS Traffic That Remains Within the Firewall ... 890
Inter-VSYS Communication Uses Two Sessions ... 892
Shared Gateway ... 893
External Zones and Shared Gateway ... 893
Networking Considerations for a Shared Gateway ... 894
Service Routes for Virtual Systems ... 895
Use Cases for Service Routes for a Virtual System ... 895
PA-7000 Series Firewall LPC Support for Per-Virtual-System Paths to Logging Servers ... 896
DNS Proxy Object ... 896
DNS Server Profile ... 897
Multi-Tenant DNS Deployments ... 897
14 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
TableofContents
Certifications .......................................................919
EnableFIPSandCommonCriteriaSupport .......................................... 920
FIPSCCSecurityFunctions........................................................ 921
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 15
TableofContents
16 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
Getting Started

The following topics provide detailed steps to help you deploy a new Palo Alto Networks next-generation firewall. They provide details for integrating a new firewall into your network, registering the firewall, activating licenses and subscriptions, and configuring basic security policies and threat prevention features.

After you perform the basic configuration steps required to integrate the firewall into your network, you can use the rest of the topics in this guide to help you deploy the comprehensive security platform features as necessary to address your network security needs.

- Integrate the Firewall into Your Management Network
- Register the Firewall
- Activate Licenses and Subscriptions
- Install Content and Software Updates
- Segment Your Network Using Interfaces and Zones
- Set Up a Basic Security Policy
- Assess Network Traffic
- Enable Basic Threat Prevention Features
- Best Practices for Completing the Firewall Deployment
Integrate the Firewall into Your Management Network

All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to perform the firewall administration functions. By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance. When using the web interface, you must perform all initial configuration tasks from the MGT port even if you plan to use an in-band data port for managing your firewall going forward.

Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the Internet. If you do not want to enable external access to your MGT port, you will need to either set up an in-band data port to provide access to required external services (using service routes) or plan to manually upload updates regularly.

The following topics describe how to perform the initial configuration steps that are necessary to integrate a new firewall into the management network and deploy it in a basic security configuration.

- Determine Your Management Strategy
- Perform Initial Configuration
- Set Up Network Access for External Services

Note: The following topics describe how to integrate a single Palo Alto Networks next-generation firewall into your network. However, for redundancy, consider deploying a pair of firewalls in a High Availability configuration.
Determine Your Management Strategy

The Palo Alto Networks firewall can be configured and managed locally, or it can be managed centrally using Panorama, the Palo Alto Networks centralized security management system. If you have six or more firewalls deployed in your network, use Panorama to achieve the following benefits:

- Reduce the complexity and administrative overhead in managing configuration, policies, software, and dynamic content updates. Using device groups and templates on Panorama, you can effectively manage firewall-specific configuration locally on a firewall and enforce shared policies across all firewalls or device groups.
- Aggregate data from all managed firewalls and gain visibility across all the traffic on your network. The Application Command Center (ACC) on Panorama provides a single glass pane for unified reporting across all the firewalls, allowing you to centrally analyze, investigate, and report on network traffic, security incidents, and administrative modifications.

The procedures that follow describe how to manage the firewall using the local web interface. If you want to use Panorama for centralized management, first Perform Initial Configuration and verify that the firewall can establish a connection to Panorama. From that point on you can use Panorama to configure your firewall centrally.
Perform Initial Configuration

By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other firewall configuration tasks. You must perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this interface for your firewall management, or using a direct serial connection to the console port on the firewall.

Set Up Network Access to the Firewall

Step 1: Gather the required information from your network administrator.
- IP address for MGT port
- Netmask
- Default gateway
- DNS server address

Step 2: Connect your computer to the firewall.
You can connect to the firewall in one of the following ways:
- Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the firewall is ready, the prompt changes to the name of the firewall, for example PA-500 login.
- Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall. From a browser, go to https://192.168.1.1. Note that you may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, in order to access this URL.

Step 3: When prompted, log in to the firewall.
You must log in using the default username and password (admin/admin). The firewall will begin to initialize.

Step 4: Configure the MGT interface.
2. Configure the address settings for the MGT interface using one of the following methods:
   - To configure static IP address settings for the MGT interface, set the IP Type to Static and enter the IP Address, Netmask, and Default Gateway.
   - To dynamically configure the MGT interface address settings, set the IP Type to DHCP. To use this method, you must Configure the Management Interface as a DHCP Client.
   To prevent unauthorized access to the management interface, it is a best practice to Add the Permitted IP Addresses from which an administrator can access the MGT interface.
3. Set the Speed to auto-negotiate.
4. Select which management services to allow on the interface.
   Make sure Telnet and HTTP are not selected because these services use plaintext and are not as secure as the other services and could compromise administrator credentials.
5. Click OK.

Step 5: Configure DNS, update server, and proxy server settings.
Note: You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
3. Click OK.

Step 6: Configure date and time (NTP) settings.
2. On the NTP tab, to use the virtual cluster of time servers on the Internet, enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server:
   - None (Default): Disables NTP authentication.
   - Symmetric Key: Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
     - Key ID: Enter the Key ID (1-65534).
     - Algorithm: Select the algorithm to use in NTP authentication (MD5 or SHA1).
   - Autokey: Firewall uses autokey (public key cryptography) to authenticate time updates.
5. Click OK.
Step 7: (Optional) Configure general firewall settings as needed.
2. Enter a Hostname for the firewall and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
3. Enter Login Banner text that informs users who are about to log in that they require authorization to access the firewall management functions.
   As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.
5. Click OK.

Step 8: Set a secure password for the admin account.
2. Select the admin role.
3. Enter the current default password and the new password.
4. Click OK to save your settings.

Step 9: Commit your changes.
Click Commit at the top right of the web interface. The firewall can take up to 90 seconds to save your changes.
Note: When the configuration changes are saved, you lose connectivity to the web interface because the IP address has changed.

Step 10: Connect the firewall to your network.
1. Disconnect the firewall from your computer.
2. Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the firewall to is configured for auto-negotiation.

Step 11: Open an SSH management session to the firewall.
Using terminal emulation software, such as PuTTY, launch an SSH session to the firewall using the new IP address you assigned to it.
Step 12: Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
You can do this in one of the following ways:
- If you do not want to allow external network access to the MGT interface, you will need to set up a data port to retrieve required service updates. Continue to Set Up Network Access for External Services.
- If you do plan to allow external network access to the MGT interface, verify that you have connectivity and then proceed to Register the Firewall and Activate Licenses and Subscriptions.

If you cabled your MGT port for external network access, verify that you have access to and from the firewall by using the ping utility from the CLI. Make sure you have connectivity to the default gateway, DNS server, and the Palo Alto Networks Update Server as shown in the following example:

admin@PA-200> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=40.5 ms
64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=53.6 ms
64 bytes from 67.192.236.252 : icmp_seq=1 ttl=243 time=79.5 ms

After you have verified connectivity, press Ctrl+C to stop the pings.
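As an added illustration of the Symmetric Key option in Step 6 above (example code, not part of this guide and not PAN-OS code), the following Python models what symmetric-key NTP authentication actually checks: the sender appends a 32-bit Key ID and an MD5 or SHA1 digest of the shared secret followed by the 48-byte NTP header, and the receiver recomputes that digest with the key it holds under that ID. The header contents, the key table and the secret are constructed for the example; a tampered reply or a reply signed with a key the receiver does not hold fails verification.

```python
import hashlib
import hmac
import struct

# Added example (not from the PAN-OS guide): symmetric-key NTP authentication.
# An NTPv4 packet is a 48-byte header; with symmetric-key authentication the
# sender appends a 32-bit key ID and a digest of (key || header). The receiver
# looks up the key by ID, recomputes the digest and compares it.

DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def build_ntp_header(transmit_ts: int) -> bytes:
    """Construct a minimal 48-byte NTPv4 server reply header (constructed sample)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4 (server)
    stratum, poll, precision = 2, 6, -20
    # root delay, root dispersion, reference ID, then four 64-bit timestamps
    return (struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
            + struct.pack("!II4s", 0, 0, b"GPS\x00")
            + struct.pack("!QQQQ", transmit_ts, transmit_ts, transmit_ts, transmit_ts))


def ntp_mac(key_id: int, key: bytes, header: bytes, algorithm: str) -> bytes:
    """Compute the symmetric-key MAC: key ID || H(key || header)."""
    if not 1 <= key_id <= 65534:                  # same Key ID range the guide gives
        raise ValueError("NTP key ID must be in 1-65534")
    digest = DIGESTS[algorithm](key + header).digest()
    return struct.pack("!I", key_id) + digest


def sign_packet(key_id: int, key: bytes, header: bytes, algorithm: str) -> bytes:
    """What the time server sends: header followed by the MAC."""
    return header + ntp_mac(key_id, key, header, algorithm)


def verify_packet(packet: bytes, keys: dict, algorithm: str) -> bool:
    """Verify against a trusted key table {key_id: key}.

    Rejects wrong lengths, unknown key IDs and digests that do not match.
    """
    digest_len = DIGESTS[algorithm]().digest_size
    if len(packet) != 48 + 4 + digest_len:
        return False
    header, mac = packet[:48], packet[48:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = ntp_mac(key_id, key, header, algorithm)
    return hmac.compare_digest(expected, mac)


def demo():
    """Sign one reply and verify it, then a bit-flipped copy, then with a wrong key."""
    keys = {10: b"constructed-shared-secret"}      # constructed key table
    header = build_ntp_header(0xE6C0A1B200000000)
    pkt = sign_packet(10, keys[10], header, "SHA1")
    ok = verify_packet(pkt, keys, "SHA1")
    tampered = bytearray(pkt)
    tampered[40] ^= 0x01                          # flip one bit of the transmit timestamp
    tampered_ok = verify_packet(bytes(tampered), keys, "SHA1")
    wrong_key_ok = verify_packet(pkt, {10: b"other-secret"}, "SHA1")
    return ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())
```

The key ID is sent in the clear; only the digest proves possession of the secret, which is why the firewall must hold the same Key ID and secret that the server uses.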
Set Up Network Access for External Services

By default, the firewall uses the MGT interface to access remote services, such as DNS servers, content updates, and license retrieval. If you do not want to enable external network access to your management network, you must set up an in-band data port to provide access to required external services and set up service routes to instruct the firewall what port to use to access the external services.

Note: This task requires familiarity with firewall interfaces, zones, and policies. For more information on these topics, see Configure Interfaces and Zones and Set Up a Basic Security Policy.
Set Up a Data Port for Access to External Services

Step 1: Decide which port you want to use for access to external services and connect it to your switch or router port.
The interface you use must have a static IP address.

Step 2: Log in to the web interface.
Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>). You will see a certificate warning; that is okay. Continue to the web page.

Step 3: (Optional) The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and zones). If you do not plan to use this virtual wire configuration, you must manually delete the configuration to prevent it from interfering with other interface settings you define.
You must delete the configuration in the following order:
1. To delete the default security policy, select Policies > Security, select the rule, and click Delete.
3. To delete the default trust and untrust zones, select Network > Zones, select each zone and click Delete.
4. To delete the interface configurations, select Network > Interfaces and then select each interface (ethernet1/1 and ethernet1/2) and click Delete.
5. Commit the changes.
Step 4: Configure the interface you plan to use for external access to management services.
2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the steps for Layer3.
3. On the Config tab, expand the Security Zone drop-down and select New Zone.
4. In the Zone dialog, enter a Name for the new zone, for example Management, and then click OK.
5. Select the IPv4 tab, select the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.254/24. You must use a static IP address on this interface.
7. Enter a Name for the profile, such as allow_ping, and then select the services you want to allow on the interface. For the purposes of allowing access to the external services, you probably only need to enable Ping and then click OK.
   These services provide management access to the firewall, so only select the services that correspond to the management activities you want to allow on this interface. For example, if you plan to use the MGT interface for firewall configuration tasks through the web interface or CLI, you would not want to enable HTTP, HTTPS, SSH, or Telnet so that you could prevent unauthorized access through this interface (and if you did allow those services, you should limit access to a specific set of Permitted IP Addresses). For details, see Use Interface Management Profiles to Restrict Access.
8. To save the interface configuration, click OK.
Step 5: Configure the service routes.
By default, the firewall uses the MGT interface to access the external services it requires. To change the interface the firewall uses to send requests to external services, you must edit the service routes.
Note: This example shows how to set up global service routes. For information on setting up network access to external services on a virtual system basis rather than a global basis, see Per-Virtual System Service Routes.
2. For the purposes of activating your licenses and getting the most recent content and software updates, you will want to change the service route for DNS, Palo Alto Updates, URL Updates, WildFire, and AutoFocus.
   Click the Customize radio button, and select one of the following:
   - For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface you just configured.
     If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
   - To create a service route for a custom destination, select Destination, and click Add. Enter a Destination name and select a Source Interface. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
3. Click OK to save the settings.
4. Repeat steps 2-3 above for each service route you want to modify.
5. Commit your changes.

Step 6: Configure an external-facing interface and an associated zone and then create a security policy rule to allow the firewall to send service requests from the internal zone to the external zone.
2. To set up a security rule that allows traffic from your internal network to the Palo Alto Networks update server, select Policies > Security and click Add.
   As a best practice when creating Security policy rules, use application-based rules instead of port-based rules to ensure that you are accurately identifying the underlying application regardless of the port, protocol, evasive tactics, or encryption in use. Always leave the Service set to application-default. In this case, create a security policy rule that allows access to the update server (and other Palo Alto Networks services).
Step 7: Create a NAT policy rule.
1. If you are using a private IP address on the internal-facing interface, you will need to create a source NAT rule to translate the address to a publicly routable address. Select Policies > NAT and then click Add. At a minimum you must define a name for the rule (General tab), specify a source and destination zone, Management to Internet in this case (Original Packet tab), and define the source address translation settings (Translated Packet tab) and then click OK.
2. Commit your changes.

Step 8: Verify that you have connectivity from the data port to the external services, including the default gateway, and the Palo Alto Networks Update Server.
After you verify you have the required network connectivity, continue to Register the Firewall and Activate Licenses and Subscriptions.
Launch the CLI and use the ping utility to verify that you have connectivity. Keep in mind that by default pings are sent from the MGT interface, so in this case you must specify the source interface for the ping requests as follows:

admin@PA-500> ping source 192.168.1.254 host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) from 192.168.1.254 : 56(84) bytes of data.
64 bytes from 67.192.236.252: icmp_seq=1 ttl=242 time=56.7 ms
64 bytes from 67.192.236.252: icmp_seq=2 ttl=242 time=47.7 ms
64 bytes from 67.192.236.252: icmp_seq=3 ttl=242 time=47.6 ms
^C

After you have verified connectivity, press Ctrl+C to stop the pings.
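To make the service-selection and Permitted IP Addresses advice from Step 4 of this procedure (and from the MGT interface setup in Perform Initial Configuration) concrete, here is an added Python model of the decision an interface management profile makes for an inbound management request, together with a small audit of the two weaknesses the guide warns about: plaintext services (Telnet, HTTP) and administrative services exposed without a Permitted IP list. This is example code, not PAN-OS code; the profile structure, the service names, the sample profiles and the rule that an empty permitted list accepts any source address are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, List

# Added example (not PAN-OS code): model of an interface management profile.
# Service names and the profile structure are assumptions for the example.

PLAINTEXT_SERVICES = {"telnet", "http"}              # carry credentials in the clear
ADMIN_SERVICES = {"https", "ssh", "telnet", "http"}  # give configuration access


class ManagementProfile:
    def __init__(self, name: str, services: Iterable[str], permitted_ips: Iterable[str] = ()):
        self.name = name
        self.services = {s.lower() for s in services}
        # Assumption: an empty Permitted IP list means any source address is accepted.
        self.permitted = [ipaddress.ip_network(p, strict=False) for p in permitted_ips]

    def allows(self, src_ip: str, service: str) -> bool:
        """True if a request for `service` from `src_ip` would be accepted."""
        if service.lower() not in self.services:
            return False
        if not self.permitted:
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.permitted)

    def audit(self) -> List[str]:
        """Report the weaknesses the guide warns about for this profile."""
        findings = []
        plaintext = sorted(self.services & PLAINTEXT_SERVICES)
        if plaintext:
            findings.append(f"{self.name}: plaintext management service(s) enabled: "
                            + ", ".join(plaintext))
        if self.services & ADMIN_SERVICES and not self.permitted:
            findings.append(f"{self.name}: administrative services enabled without "
                            "Permitted IP Addresses")
        return findings


def sample_profiles():
    """Constructed profiles: the allow_ping profile of Step 4, a weak one and a hardened one."""
    return {
        "allow_ping": ManagementProfile("allow_ping", ["ping"]),
        "weak": ManagementProfile("weak", ["https", "ssh", "telnet"]),
        "hardened": ManagementProfile("hardened", ["https", "ssh"],
                                      ["10.0.0.0/24", "192.0.2.10/32"]),
    }


if __name__ == "__main__":
    for profile in sample_profiles().values():
        print(profile.name, profile.audit() or "no findings")
```

Run as a script it prints the audit findings for each constructed profile; the `allows` method is what an access check would call for a given source address and service.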
Register the Firewall

Before you can activate support and other licenses and subscriptions, you must first register the firewall.
Note: If you are registering a VM-Series firewall, refer to the VM-Series Deployment Guide.

Register the Firewall

Step 1: Log in to the web interface.
Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>).

Step 3: Go to the Palo Alto Networks Customer Support portal and log in.
In a new browser tab or window, go to https://www.paloaltonetworks.com/support/tabs/overview.html.

Step 4: Register the firewall.
Note: You must have a support account to register a firewall. If you do not yet have a support account, click the Register link on the support login page and follow the instructions to get your account set up and register the firewall.
If you already have a support account, log in and register the hardware-based firewall as follows:
4. Enter the firewall Serial Number (you can copy and paste it from the firewall Dashboard).
6. Provide information about where you plan to deploy the firewall including the City, Postal Code, and Country.
7. Read the end user license agreement (EULA) and then click Agree and Submit.
Activate Licenses and Subscriptions

Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for each of the services you purchased. Available licenses and subscriptions include the following:

- Threat Prevention: Provides antivirus, anti-spyware, and vulnerability protection.
- Decryption Mirroring: Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis.
- URL Filtering: Allows you to create security policy to enforce web access based on dynamic URL categories. You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. For more information about URL filtering, see Control Access to Web Content.
- Virtual Systems: This license is required to enable support for multiple virtual systems on PA-2000 and PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-500, PA-200, and VM-Series firewalls do not support virtual systems.
- WildFire: Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to a WF-500 appliance.
- GlobalProtect: Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use HIP checks, you will also need gateway licenses (subscription) for each gateway.
- AutoFocus: Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.

Activate Licenses and Subscriptions

Step 1: Locate the activation codes for the licenses you purchased.
When you purchased your subscriptions you should have received an email from Palo Alto Networks customer service listing the activation code associated with each subscription. If you cannot locate this email, contact Customer Support to obtain your activation codes before you proceed.

Step 2: Activate your Support license.
Note: You will not be able to update your PAN-OS software if you do not have a valid Support license.
3. Enter your Authorization Code and then click OK.
Step 3: Activate each license you purchased.

Step 4: Verify that the license was successfully activated.

Step 5: (WildFire subscriptions only) Perform a commit to complete WildFire subscription activation.
After activating a WildFire subscription, a commit is required for the firewall to begin forwarding advanced file types. You should either:
- Commit any pending changes.
- Check that the WildFire Analysis profile rules include the advanced file types that are now supported with the WildFire subscription. If no change to any of the rules is required, make a minor edit to a rule description and perform a commit.
Install Content and Software Updates

In order to stay ahead of the changing threat and application landscape, Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. By default, the firewalls use the management port to access the CDN infrastructure for application updates, threat and antivirus signature updates, BrightCloud and PAN-DB database updates and lookups, and access to the Palo Alto Networks WildFire cloud. To ensure that you are always protected from the latest threats (including those that have not yet been discovered), you must ensure that you keep your firewalls up to date with the latest content and software updates published by Palo Alto Networks.

The following content updates are available, depending on which subscriptions you have:

Note: Although you can manually download and install content updates at any time, as a best practice you should Schedule each content update. Scheduled updates occur automatically.

- Antivirus: Includes new and updated antivirus signatures, including signatures discovered by the WildFire cloud service. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
- Applications: Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- Applications and Threats: Includes new and updated application and threat signatures. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New Applications and Threats updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- GlobalProtect Data File: Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect gateway license and create an update schedule in order to receive these updates.
- BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as firewalls remain in sync with the servers automatically.
- WildFire: Provides near-real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the Applications and Threats update.
Install Content and Software Updates

Step 1: Ensure that the firewall has access to the update server.
1. By default, the firewall accesses the Update Server at updates.paloaltonetworks.com so that the firewall receives content updates from the server to which it is closest in the CDN infrastructure. If the firewall has restricted access to the Internet, set the update server address to use the hostname staticupdates.paloaltonetworks.com or the IP address 199.167.52.15 instead of dynamically selecting a server from the CDN infrastructure.
3. (Optional) If the firewall needs to use a proxy server to reach Palo Alto Networks update services, in the Proxy Server window, enter:
   - Server: IP address or hostname of the proxy server.
   - Port: Port for the proxy server. Range: 1-65535.
   - User: Username to access the server.
   - Password: Password for the user to access the proxy server. Re-enter the password at Confirm Password.

Step 2: Check for the latest content updates.
Note: You cannot download the antivirus update until you have installed the Application and Threats update.
- Upgrade: Indicates that a new version of the BrightCloud database is available. Click the link to begin the download and installation of the database. The database upgrade begins in the background; when completed, a check mark displays in the Currently Installed column. Note that if you are using PAN-DB as your URL filtering database you will not see an upgrade link because the PAN-DB database on the firewall automatically synchronizes with the PAN-DB cloud.
  To check the status of an action, click Tasks (on the lower right-hand corner of the window).
- Revert: Indicates that a previously installed version of the content or software version is available. You can choose to revert to the previously installed version.

Step 3: Install the content updates.
Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.
Note: Installation can take up to 20 minutes on a PA-200, PA-500, or PA-2000 Series firewall and up to two minutes on a PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall.
Step 4: Schedule each content update.
Repeat this step for each update you want to schedule.
Note: Stagger the update schedules because the firewall can only download one update at a time. If you schedule the updates to download during the same time interval, only the first download will succeed.
1. Set the schedule of each update type by clicking the None link.
2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The available values vary by content type (WildFire updates are available Every Minute, Every 15 Minutes, Every 30 minutes, or Every Hour, whereas Applications and Threats updates can be scheduled for Daily or Weekly update and Antivirus updates can be scheduled for Hourly, Daily, or Weekly).
   As new WildFire signatures are made available every five minutes, set the firewall to retrieve WildFire updates Every Minute to get the latest signatures within a minute of availability.
3. Specify the Time (or, in the case of WildFire, the minutes past the hour) and, if applicable depending on the Recurrence value you selected, the Day of the week that you want the updates to occur.
5. Enter how long after a release to wait before performing a content update in the Threshold (Hours) field. In rare instances, errors in content updates may be found. For this reason, you may want to delay installing new updates until they have been released for a certain number of hours.
6. Click OK to save the schedule settings.
7. Click Commit to save the settings to the running configuration.

Step 5: Update PAN-OS.
Note: Always update content before updating PAN-OS. Every PAN-OS version has a minimum supported content release version.
1. Review the Release Notes.
2. Update the PAN-OS software.
Segment Your Network Using Interfaces and Zones

Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall. Because traffic can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data and the more protection you have against malware moving laterally throughout your network. For example, you might want to segment access to the database servers that store your customer data into a zone called Customer Data. You can then define security policies that only permit certain users or groups of users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment.

- Network Segmentation for a Reduced Attack Surface
- Configure Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

The following diagram shows a very basic example of how you can create zones to segment your network. The more granular you make your zones (and the corresponding security policy rules that allow traffic between zones), the more you reduce the attack surface on your network. This is because traffic can flow freely within a zone (intrazone traffic), but traffic cannot flow between zones (interzone traffic) until you define a Security policy rule that allows it. Additionally, an interface cannot process traffic until you have assigned it to a zone. Therefore, by segmenting your network into granular zones you have more control over access to sensitive applications or data and you can prevent malicious traffic from establishing a communication channel within your network, thereby reducing the likelihood of a successful attack on your network.
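The matching behaviour described in this section (intrazone traffic flows by default, interzone traffic needs a Security policy rule, an interface without a zone carries no traffic), together with the application-based rule whose Service is left at application-default from Step 6 of Set Up a Data Port for Access to External Services, can be modelled in a few dozen lines. The following Python is an added example, not PAN-OS code and not the firewall's actual rule engine; the interfaces, zone names, rule names and the application-default port table are constructed for the example, and rules are matched first-hit in order, as the guide describes for Security policy.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example (not PAN-OS code): a small model of zone-based Security
# policy evaluation. Zone names, rule names and the application-default
# port table below are constructed for the example.


@dataclass
class Rule:
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    applications: Set[str]
    action: str                             # "allow" or "deny"
    service: str = "application-default"    # the guide's recommended setting


# Constructed table: the port each application is expected on.
APP_DEFAULT_PORTS: Dict[str, Set[int]] = {
    "paloalto-updates": {443},
    "mysql": {3306},
    "ssh": {22},
}


class ZonePolicy:
    def __init__(self, interfaces: Dict[str, Optional[str]], rules: List[Rule]):
        self.interfaces = interfaces        # interface -> zone (None = not assigned)
        self.rules = rules

    def evaluate(self, ingress: str, egress: str, app: str, dst_port: int) -> Tuple[str, str]:
        """Return (action, reason) for a flow identified as `app` on `dst_port`."""
        src_zone = self.interfaces.get(ingress)
        dst_zone = self.interfaces.get(egress)
        if src_zone is None or dst_zone is None:
            return "drop", "interface not assigned to a zone"
        for rule in self.rules:             # first matching rule wins
            if src_zone not in rule.from_zones or dst_zone not in rule.to_zones:
                continue
            if app not in rule.applications:
                continue
            # application-default: the app must also be on its expected port,
            # so a matching app on an odd port does not hit this rule.
            if rule.service == "application-default" and \
                    dst_port not in APP_DEFAULT_PORTS.get(app, set()):
                continue
            return rule.action, f"rule {rule.name}"
        if src_zone == dst_zone:
            return "allow", "intrazone default"
        return "deny", "interzone default"


def build_sample_policy() -> ZonePolicy:
    """Constructed topology: Internet, Users, Management and Customer Data zones."""
    interfaces = {
        "ethernet1/1": "Internet",
        "ethernet1/2": "Users",
        "ethernet1/3": "Management",
        "ethernet1/4": "Customer Data",
        "ethernet1/5": None,                # configured but not yet in a zone
    }
    rules = [
        Rule("allow-updates", {"Management"}, {"Internet"}, {"paloalto-updates"}, "allow"),
        Rule("users-to-customer-data", {"Users"}, {"Customer Data"}, {"mysql"}, "allow"),
    ]
    return ZonePolicy(interfaces, rules)


if __name__ == "__main__":
    policy = build_sample_policy()
    for flow in [("ethernet1/3", "ethernet1/1", "paloalto-updates", 443),
                 ("ethernet1/3", "ethernet1/1", "paloalto-updates", 8080),
                 ("ethernet1/1", "ethernet1/4", "mysql", 3306),
                 ("ethernet1/4", "ethernet1/4", "mysql", 3306),
                 ("ethernet1/5", "ethernet1/1", "ssh", 22)]:
        print(flow, "->", policy.evaluate(*flow))
```

The Internet-to-Customer Data flow is denied not because a rule says so but because no rule allows it; that is the "first line of defense" the section describes, and adding a zone boundary is what turns the default from allow into deny.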
GettingStarted
SegmentYourNetworkUsingInterfacesandZones
Configure Interfaces and Zones
After you identify how you want to segment your network and the zones you will need to create to achieve the segmentation (as well as the interfaces to map to each zone), you can begin configuring the interfaces and zones on the firewall. Each interface on the firewall supports all Interface Deployments, and the deployment you will use depends on the topology of each part of the network you are connecting to. The following workflow shows how to configure Layer 3 interfaces and assign them to zones. For details on integrating the firewall using a different type of interface deployment (for example, Virtual Wire Deployments or Layer 2 Deployments), see Networking.
The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and virtual router). If you do not plan to use the default virtual wire, you must manually delete the configuration and commit the change before proceeding, to prevent it from interfering with other settings you define. For instructions on how to delete the default virtual wire and its associated security policy and zones, see Step 3 in Set Up a Data Port for Access to External Services.
Set Up Interfaces and Zones
Step 1: Configure a default route to your Internet router.
  2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination field (for example, 0.0.0.0/0).
  4. Click OK twice to save the virtual router configuration.
Step 2: Configure the external interface (the interface that connects to the Internet).
  2. Select the Interface Type. Although your choice here depends on interface topology, this example shows the steps for Layer3.
  4. In the Virtual Router drop-down, select default.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.113.23/24.
  7. To save the interface configuration, click OK.
Step 3: Configure the interface that connects to your internal network. In this example, the interface connects to a network segment that uses private IP addresses. Because private IP addresses cannot be routed externally, you will have to configure NAT.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.4/24.
  6. To enable you to ping the interface, select the management profile that you created in Step 26.
  7. To save the interface configuration, click OK.
Step 4: Configure the interface that connects to your data center applications. Although this basic security policy example configuration depicts using a single zone for all of your data center applications, as a best practice you would want to define more granular zones to prevent unauthorized access to sensitive applications or data and eliminate the possibility of malware moving laterally within your data center.
  1. Select the interface you want to configure.
  2. Select Layer3 from the Interface Type drop-down. In this example, we are configuring Ethernet 1/1 as the interface that provides access to your data center applications.
  3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Data Center Applications, and then click OK.
  4. Select the Virtual Router you used in Step 2, default in this example.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.1.1.1/24.
  6. To enable you to ping the interface, select the management profile that you created in Step 26.
  7. To save the interface configuration, click OK.
Step 5: (Optional) Create tags for each zone. Tags allow you to visually scan policy rules.
  2. Select a zone Name.
  3. Select a tag Color and click OK.
Step 6: Save the interface configuration. Click Commit.
Step 7: Cable the firewall. Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.
Step 8: Verify that the interfaces are active. Select Dashboard and verify that the interfaces you configured show as green in the Interfaces widget.
Set Up a Basic Security Policy
Now that you have defined some zones and attached them to interfaces, you are ready to begin creating your Security Policy. The firewall will not allow any traffic to flow from one zone to another unless there is a Security policy rule to allow it. When a packet enters a firewall interface, the firewall matches the attributes in the packet against the Security policy rules to determine whether to block or allow the session based on attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. The firewall evaluates incoming traffic against the security policy rulebase from left to right and from top to bottom and then takes the action specified in the first security rule that matches (for example, whether to allow, deny, or drop the packet). This means that you must order the rules in your security policy rulebase so that more specific rules are at the top of the rulebase and more general rules are at the bottom, to ensure that the firewall is enforcing policy as expected.
The following workflow shows how to set up a very basic Internet gateway security policy that enables access to the network infrastructure, to data center applications, and to the Internet. This will enable you to get the firewall up and running so that you can verify that you have successfully configured the firewall. This policy is not comprehensive enough to protect your network. After you verify that you have successfully configured the firewall and integrated it into your network, proceed to Policy to learn how to create a Best Practice Internet Gateway Security Policy that will safely enable application access while protecting your network from attack.
Define Basic Security Policy Rules
Step 1: (Optional) Delete the default security policy rule. By default, the firewall includes a security rule named rule1 that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone naming conventions.
Step 2: Create the File Blocking profiles you will need to prevent upload/download of malicious files and for drive-by download protection.
  1. Configure a File Blocking profile for general use. You will attach this profile to most of your security profiles to block files known to carry threats or that have no real business use for upload/download.
  2. Configure a File Blocking profile for risky traffic. You will attach this profile to security policy rules that allow general web access to prevent users from unknowingly downloading malicious files from the Internet.
Step 3: Allow access to your network infrastructure resources.
  2. Enter a descriptive Name for the rule in the General tab.
  4. In the Destination tab, set the Destination Zone to IT Infrastructure. As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
  5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select dns, ntp, ocsp, ping, smtp.
  6. In the Service/URL Category tab, keep the Service set to application-default.
  7. In the Actions tab, set the Action Setting to Allow.
  8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking profile you configured for general traffic.
  10. Click OK.
Step 4: Enable access to general Internet applications. This is a temporary rule that allows you to gather information about the traffic on your network. After you have more insight into what applications your users need access to, you can make informed decisions about what applications to allow and create more granular application-based rules for each user group.
  2. Enter a descriptive Name for the rule in the General tab.
  4. In the Destination tab, set the Destination Zone to Internet.
  5. In the Applications tab, Add an Application Filter and enter a Name. To safely enable access to legitimate web-based applications, set the Category in the application filter to general-internet and then click OK. To enable access to encrypted sites, Add the ssl application.
  6. In the Service/URL Category tab, keep the Service set to application-default.
  7. In the Actions tab, set the Action Setting to Allow.
  8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking strict profile you configured for risky traffic.
  10. Click OK.
Step 5: Enable access to data center applications.
  2. Enter a descriptive Name for the rule in the General tab.
  4. In the Destination tab, set the Destination Zone to Data Center Applications.
  5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select activesync, imap, kerberos, ldap, ms-exchange, and ms-lync.
  6. In the Service/URL Category tab, keep the Service set to application-default.
  7. In the Actions tab, set the Action Setting to Allow.
  8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware, and select the File Blocking profile you configured for general traffic.
  10. Click OK.
Step 6: Save your policies to the running configuration on the firewall. Click Commit.
Step 7: To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.
To verify the policy rule that matches a flow, use the following CLI command:
  test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> application <application_name> protocol <protocol_number>
The output displays the best rule that matches the source and destination IP address specified in the CLI command.
For example, to verify the policy rule that will be applied for a client in the user zone with the IP address 10.35.14.150 when it sends a DNS query to the DNS server in the data center:
  admin@PA-3050> test security-policy-match source 10.35.14.150 destination 10.43.2.2 application dns protocol 53
  "Network Infrastructure" {
    from Users;
    source any;
    source-region none;
    to Data_Center;
    destination any;
    destination-region none;
    user any;
    category any;
    application/service dns/any/any/any;
    action allow;
    icmp-unreachable: no
    terminal yes;
  }
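The rule-base evaluation described at the start of this section (interzone traffic is denied until a rule allows it, the first match from top to bottom wins, specific rules belong above general ones) and the lookup that test security-policy-match performs, modelled in Python as an added example. This is not PAN-OS code: the three rules are the ones from the workflow above, while the zone names, the 10.43.2.0/24 destination address object and the small App-ID category map are constructed for illustration.

```python
"""Zone-based security policy evaluation, modelled after the PAN-OS rule base
described above (added example, not PAN-OS code). Zone names, address ranges
and the App-ID category map below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

ANY = "any"

# Constructed subset of the App-ID name -> category map that application filters use.
APP_CATEGORY = {"dns": "networking", "ntp": "networking", "ssl": "networking",
                "web-browsing": "general-internet", "ldap": "business-systems"}


@dataclass
class Rule:
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    applications: Set[str]          # App-ID names and/or application-filter categories
    action: str                     # "allow" or "deny"
    destinations: List[str] = field(default_factory=lambda: [ANY])  # CIDRs or "any"


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    dst_ip: str
    application: str


def _zone_ok(allowed: Set[str], zone: str) -> bool:
    return ANY in allowed or zone in allowed


def _app_ok(rule: Rule, app: str) -> bool:
    return (ANY in rule.applications or app in rule.applications
            or APP_CATEGORY.get(app) in rule.applications)


def _dst_ok(rule: Rule, ip: str) -> bool:
    return ANY in rule.destinations or any(
        ip_address(ip) in ip_network(cidr) for cidr in rule.destinations)


def match_rule(rulebase: List[Rule], flow: Flow) -> Optional[Rule]:
    """First rule, top to bottom, whose every attribute matches the flow."""
    for rule in rulebase:
        if (_zone_ok(rule.from_zones, flow.src_zone) and _zone_ok(rule.to_zones, flow.dst_zone)
                and _app_ok(rule, flow.application) and _dst_ok(rule, flow.dst_ip)):
            return rule
    return None


def decide(rulebase: List[Rule], flow: Flow):
    """(action, rule name). With no explicit match, traffic within a zone is
    allowed and traffic between zones is denied."""
    rule = match_rule(rulebase, flow)
    if rule is not None:
        return rule.action, rule.name
    if flow.src_zone == flow.dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


# The three rules from the workflow above. The destination address object on the
# infrastructure rule (10.43.2.0/24) is a constructed instance of the best practice.
RULEBASE = [
    Rule("Network Infrastructure", {"Users"}, {"IT Infrastructure"},
         {"dns", "ntp", "ocsp", "ping", "smtp"}, "allow", ["10.43.2.0/24"]),
    Rule("General Internet", {"Users"}, {"Internet"}, {"general-internet", "ssl"}, "allow"),
    Rule("Data Center Applications", {"Users"}, {"Data Center Applications"},
         {"activesync", "imap", "kerberos", "ldap", "ms-exchange", "ms-lync"}, "allow"),
]


def shadowed(rulebase: List[Rule], sample_flows: List[Flow]) -> Set[str]:
    """Names of rules that none of the sample flows ever reaches because an
    earlier rule matches first: the ordering problem the text warns about."""
    hit = {match_rule(rulebase, f).name for f in sample_flows if match_rule(rulebase, f)}
    return {r.name for r in rulebase} - hit


if __name__ == "__main__":
    dns = Flow("Users", "IT Infrastructure", "10.43.2.2", "dns")
    print(decide(RULEBASE, dns))                 # ('allow', 'Network Infrastructure')
    # A catch-all placed at the top shadows every specific rule beneath it.
    catch_all = Rule("allow-all", {ANY}, {ANY}, {ANY}, "allow")
    print(decide([catch_all] + RULEBASE, dns))   # ('allow', 'allow-all')
```

Run stand-alone, the block reports the rule that matches the DNS flow from the CLI example, then shows the same flow being absorbed by a catch-all rule inserted above it; shadowed() lists the rules a set of representative flows never reaches, which is a quick check to run against a rulebase after reordering it.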
Assess Network Traffic
Now that you have a basic security policy, you can review the statistics and data in the Application Command Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to identify where you need to create more granular security policy rules.
Monitor Network Traffic
Use the Application Command Center and the Automated Correlation Engine. In the ACC, review the most used applications and the high-risk applications on your network. The ACC graphically summarizes the log information to highlight the applications traversing the network, who is using them (with User-ID enabled), and the potential security impact of the content to help you identify what is happening on the network in real time. You can then use this information to create appropriate security policy rules that block unwanted applications, while allowing and enabling applications in a secure manner.
The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network and the logs and match evidence that corroborate the events.
Determine what updates/modifications are required for your network security policy rules and implement the changes. For example:
  Evaluate whether to allow web content based on schedule, users, or groups.
  Allow or control certain applications or functions within an application.
  Decrypt and inspect content.
  Allow but scan for threats and exploits.
For information on refining your security policies and for attaching custom security profiles, see Enable Basic Threat Prevention Features.
Work with Logs.
View AutoFocus Threat Data for Logs. Review the AutoFocus intelligence summary for artifacts in your logs. An artifact is an item, property, activity, or behavior associated with logged events on the firewall. The intelligence summary reveals the number of sessions and samples in which WildFire detected the artifact. Use WildFire verdict information (benign, grayware, malware) and AutoFocus matching tags to look for potential risks in your network.
  AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team, call attention to advanced, targeted campaigns and threats in your network.
  From the AutoFocus intelligence summary, you can start an AutoFocus search for artifacts and assess their pervasiveness within global, industry, and network contexts.
Monitor Web Activity of Network Users. Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue, override or block.
Enable Basic Threat Prevention Features
The Palo Alto Networks next-generation firewall has unique threat prevention capabilities that allow it to protect your network from attack despite the use of evasion, tunneling, or circumvention techniques. The threat prevention features on the firewall include the WildFire service, Security Profiles that support Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking and Data Filtering capabilities, the Denial of Service (DoS) and Zone protection functionality, and AutoFocus threat intelligence.
Threat Prevention contains more in-depth information on how to protect your network from threats. For details on how to scan encrypted (SSH or SSL) traffic for threats, see Decryption. Visit Applipedia and Threat Vault to learn more about the applications and threats that Palo Alto Networks products can identify, respectively.
Before you can apply threat prevention features, you must first configure zones to identify one or more source or destination interfaces and security policy rules. To configure interfaces, zones, and the policies that are needed to apply threat prevention features, see Configure Interfaces and Zones and Set Up a Basic Security Policy.
To begin protecting your network from threats, start here:
  Enable Basic WildFire Forwarding
  Scan Traffic for Threats
  Control Access to Web Content
  Enable AutoFocus Threat Intelligence
Enable Basic WildFire Forwarding
WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to be malicious, grayware, or benign. With WildFire enabled, a Palo Alto Networks firewall can forward unknown samples to WildFire for analysis. For newly discovered malware, WildFire generates a signature to detect the malware and distributes it to all firewalls with active WildFire licenses. This enables global firewalls to detect and prevent malware found by a single firewall.
A basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, you can enable the firewall to forward portable executable (PE) files. Additionally, if you do not have a WildFire subscription, but you do have a Threat Prevention subscription, you can receive signatures for malware WildFire identifies every 24-48 hours (as part of the antivirus updates).
Beyond the basic WildFire service, a WildFire subscription is required for the firewall to:
  Get the latest WildFire signatures every five minutes.
  Forward advanced file types and email links for analysis.
  Use the WildFire API.
  Use a WF-500 appliance to host a WildFire private cloud or a WildFire hybrid cloud.
If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:
Enable Basic WildFire Forwarding
Step 1: Before you begin: Confirm that your firewall is registered and that you have a valid support account as well as any subscriptions you require.
  1. Go to the Palo Alto Networks Customer Support website, log in, and select My Devices.
  2. Verify that the firewall is listed. If it is not listed, see Register the Firewall.
  3. (Optional) If you have a Threat Prevention subscription, be sure to Activate Licenses and Subscriptions.
Step 2: Set the WildFire forwarding settings.
  4. Click OK to save your changes.
Step 3: Enable the firewall to forward PEs for analysis.
  2. Name the new profile rule.
  3. Click Add to create a forwarding rule and enter a name.
  5. In the Analysis column, select public-cloud to forward PEs to the WildFire public cloud.
  6. Click OK.
Step 4: Apply the new WildFire Analysis profile to traffic that the firewall allows.
  2. Select Actions and, in the Profile Settings section, set the Profile Type to Profiles.
  4. Click OK.
Step 5: Click Commit to save your configuration updates.
Step 6: (Threat Prevention subscription only) If you have a Threat Prevention subscription, but do not have a WildFire subscription, you can still receive WildFire signature updates every 24-48 hours.
Scan Traffic for Threats
Security Profiles provide threat protection in security policies. For example, you can apply an antivirus profile to a security policy and all traffic that matches the security policy will be scanned for viruses.
The following sections provide steps for setting up a basic threat prevention configuration:
  Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
  Set Up File Blocking
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Every Palo Alto Networks next-generation firewall comes with predefined Antivirus, Anti-Spyware, and Vulnerability Protection profiles that you can attach to security policies. There is one predefined Antivirus profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert on SMTP, IMAP, and POP3 traffic). There are two predefined Anti-Spyware and Vulnerability Protection profiles:
  default: Applies the default action to all client and server critical, high, and medium severity spyware/vulnerability protection events. It does not detect low and informational events.
  strict: Applies the block response to all client and server critical, high and medium severity spyware/vulnerability protection events and uses the default action for low and informational events.
To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your basic web access policies. As you monitor the traffic on your network and expand your policy rulebase, you can then design more granular profiles to address your specific security needs.
Set up Antivirus/Anti-Spyware/Vulnerability Protection
Step 1: Verify that you have a Threat Prevention license. The Threat Prevention license bundles the Antivirus, Anti-Spyware, and the Vulnerability Protection features in one license. Select Device > Licenses to verify that the Threat Prevention license is installed and valid (check the expiration date).
Step 2: Download the latest antivirus threat signatures.
  2. In the Actions column, click Download to install the latest Antivirus, and Applications and Threats signatures.
Step 3: Schedule signature updates. Perform a download-and-install on a daily basis for antivirus updates and weekly for applications and threats updates.
  3. (Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age of a signature before a download will occur. For example, if you entered 10, the signature must be at least 10 hours old before it will be downloaded, regardless of the schedule.
  4. In an HA configuration, you can also click the Sync To Peer option to synchronize the content update with the HA peer after download/install. This will not push the schedule settings to the peer firewall; you need to configure the schedule on each firewall.
Recommendations for HA Configurations:
  Active/Passive HA: If the firewalls use the MGT port for content updates, configure a schedule on each firewall so that each firewall downloads and installs content independently. If the firewalls are using a data port for content updates, the passive firewall will not perform downloads while it is in the passive state. In this case set a schedule on each peer and enable Sync To Peer to ensure that content updates on the active peer sync to the passive peer.
  Active/Active HA: If the firewalls use the MGT port for content updates, configure a schedule on each firewall, but do not enable Sync To Peer. If the firewalls are using a data port for content updates, schedule content updates on each firewall and select Sync To Peer to enable the active-primary firewall to download and install the content updates and then push the content update to the active-secondary peer.
Step 4: Attach the security profiles to a security policy. Attach a clone of a predefined security profile to your basic Security policy rules. That way, if you want to customize the profile you can do so without deleting the read-only predefined strict or default profile and attaching a customized profile.
Step 5: Save the configuration. Click Commit.
Set Up File Blocking
File Blocking Profiles allow you to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive-by download protection, allow download/upload of executables and archive files (.zip and .rar), but force users to acknowledge that they are transferring a file, so that they will notice that the browser is attempting to download something they were not aware of. For policy rules that allow general web browsing, be more strict with your file blocking because the risk of users unknowingly downloading malicious files is much higher. For this type of traffic you will want to attach a more strict file blocking profile that also blocks portable executable (PE) files.
Configure File Blocking
Step 6: Configure a File Blocking profile for general use.
  2. Enter a Name for the file blocking profile, for example general file blocking.
  3. Optionally enter a Description, such as block risky apps. Click Add to define the profile settings.
  4. Enter a Name, such as block risky.
  6. Leave the Direction set to both.
  7. Set the Action to block.
  8. Add a second rule and enter a Name, for example continue exe and archive.
  10. Leave the Direction set to both.
  11. Set the Action to block.
  12. Click OK to save the profile.
Step 7: Configure a File Blocking profile for risky traffic. When users are web browsing it is much more likely that they will download a malicious file unintentionally. Therefore, it is important to attach a stricter file blocking policy than you would attach to Security policy rules that allow access to less risk-prone application traffic.
  2. Select the cloned profile and give it a new Name, such as strict block risky apps.
  3. Click in the File Types section of the block rule and Add the PE file type.
  4. Click in the File Types section of the continue rule, select PE and click Delete.
  5. Click OK to save the profile.
Step 8: Attach the file blocking profile to the security policies that allow access to content.
  2. Click the Actions tab within the security policy.
  3. In the Profile Settings section, click the drop-down and select the file blocking profile you created. If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.
Step 9: Enable response pages in the management profile for each interface on which you are attaching a file blocking profile with a continue action.
  3. Click OK to save the interface management profile.
  6. Click OK to save the interface settings.
Step 10: Save the configuration. Click Commit.
Step 11: Test the file blocking configuration. From a client PC in the trust zone of the firewall, attempt to download an .exe file from a website in the Internet zone. Make sure the file is blocked as expected based on the action you defined in the file blocking profile:
  If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
  If you selected block as the action, the File Blocking Block Page response page should display.
  If you selected the continue action, the File Blocking Continue Page response page should display. Click Continue to download the file. The following shows the default File Blocking Continue Page.
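The two profiles built in Steps 6 and 7 and the download test in Step 11, modelled in Python as an added example (not PAN-OS code). The model assumes that a profile's rules are checked in order with the first match deciding, and that the second rule of the general profile uses the continue action, as its name and the "continue rule" referred to in Step 7 imply; the file-type names are constructed stand-ins for the File Types entries in the web interface.

```python
"""File Blocking profiles from the workflow above, as an added example (not
PAN-OS code). Rule order, first-match evaluation and the file-type names are
assumptions of this model."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class FileRule:
    name: str
    file_types: FrozenSet[str]     # file types the rule covers
    direction: str                 # "upload", "download" or "both"
    action: str                    # "alert", "continue" or "block"


# Types the text names as known to carry threats or to have no real business use
# (batch files, DLLs, Java class files, help files, Windows shortcuts, BitTorrent).
RISKY = frozenset({"bat", "dll", "class", "hlp", "lnk", "torrent"})
EXE_AND_ARCHIVE = frozenset({"PE", "zip", "rar"})


def general_profile() -> List[FileRule]:
    """'general file blocking': block risky types; make users acknowledge
    executables and archives (drive-by download protection). The second
    rule's action is assumed to be continue, as its name implies."""
    return [FileRule("block risky", RISKY, "both", "block"),
            FileRule("continue exe and archive", EXE_AND_ARCHIVE, "both", "continue")]


def strict_profile() -> List[FileRule]:
    """Clone of the general profile for risky (web browsing) traffic: PE is
    added to the block rule and removed from the continue rule (Step 7)."""
    cloned = []
    for r in general_profile():
        if r.action == "block":
            cloned.append(FileRule(r.name, r.file_types | {"PE"}, r.direction, r.action))
        else:
            cloned.append(FileRule(r.name, r.file_types - {"PE"}, r.direction, r.action))
    return cloned


def evaluate(profile: List[FileRule], file_type: str, direction: str) -> Tuple[str, Optional[str]]:
    """(action, rule name) for one transfer; ('allow', None) if no rule covers it."""
    for r in profile:
        if r.direction in ("both", direction) and file_type in r.file_types:
            return r.action, r.name
    return "allow", None


# What the Step 11 test should observe for each action.
RESPONSE = {"block": "File Blocking Block Page",
            "continue": "File Blocking Continue Page",
            "alert": "log entry in the Data Filtering log"}


def expected_result(profile: List[FileRule], file_type: str, direction: str = "download") -> str:
    action, _ = evaluate(profile, file_type, direction)
    return RESPONSE.get(action, "file transferred with no log entry")


def diff_profiles(a: List[FileRule], b: List[FileRule]) -> Dict[str, Tuple[str, str]]:
    """File types whose action differs between two profiles: a quick way to
    confirm that a clone changed exactly what was intended."""
    types = set().union(*(r.file_types for r in a + b))
    out = {}
    for t in sorted(types):
        act_a, act_b = evaluate(a, t, "download")[0], evaluate(b, t, "download")[0]
        if act_a != act_b:
            out[t] = (act_a, act_b)
    return out


if __name__ == "__main__":
    print(expected_result(general_profile(), "PE"))   # File Blocking Continue Page
    print(expected_result(strict_profile(), "PE"))    # File Blocking Block Page
    print(diff_profiles(general_profile(), strict_profile()))  # {'PE': ('continue', 'block')}
```

diff_profiles() is the check worth keeping: after cloning and editing a profile in the web interface, the only difference between the general and the strict profile should be the PE type, and anything else in that output means a rule was edited by mistake.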
Control Access to Web Content
URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more (from approximately 60) categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to security policies to enforce a basic URL filtering policy.
Configure URL Filtering
Step 1: Confirm license information for URL Filtering.
  1. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
Step 2: Download the seed database and activate the license.
  1. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page.
  2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
  3. After the download completes, click Activate.
Step 3: Create a URL filtering profile. Because the default URL filtering profile blocks risky and threat-prone content, clone this profile when creating a new profile in order to preserve the default settings.
Step 4: Define how to control access to web content. If you are not sure what traffic you want to control, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and App Scope, to determine which web categories to restrict to specific groups or to block entirely. You can then go back and modify the profile to block and allow categories as desired. You can also define specific sites to always allow or always block regardless of category, and enable the safe search option to filter search results, when defining the URL Filtering profile.
  1. For each category that you want visibility into or control over, select a value from the Action column as follows:
     If you do not care about traffic to a particular category (that is, you neither want to block it nor log it), select allow.
     For visibility into traffic to sites in a category, select alert.
     To present a response page to users attempting to access a particular category, to alert them to the fact that the content they are accessing might not be work-appropriate, select continue.
     To prevent access to traffic that matches the associated policy, select block (this also generates a log entry).
  2. Click OK to save the URL filtering profile.
Step 5: Attach the URL filtering profile to a security policy.
  2. Select the desired policy to modify it and then click the Actions tab.
  3. If this is the first time you are defining a security profile, select Profiles from the Profile Type drop-down.
  4. In the Profile Settings list, select the profile you just created from the URL Filtering drop-down. (If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.)
  5. Click OK to save the profile.
  6. Commit the configuration.
Step 6: Enable response pages in the management profile for each interface on which you are filtering web traffic.
  2. Select Response Pages, as well as any other management services required on the interface.
  3. Click OK to save the interface management profile.
  6. Click OK to save the interface settings.
Step 7: Save the configuration. Click Commit.
Step 8: Test the URL filtering configuration. Access a client PC in the trust zone of the firewall and attempt to access a site in a blocked category. Make sure URL filtering is applied based on the action you defined in the URL filtering profile:
  If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
  If you selected the continue action, the URL Filtering Continue and Override Page response page should display. Continue to the site.
  If you selected block as the action, the URL Filtering and Category Match Block Page response page should display as follows:
Enable AutoFocus Threat Intelligence
With a valid AutoFocus subscription, you can compare the activity on your network with the latest threat data available on the AutoFocus portal. Connecting your firewall and AutoFocus unlocks the following features:
  Ability to view an AutoFocus intelligence summary for session artifacts recorded in the firewall logs.
  Ability to open an AutoFocus search for log artifacts from the firewall.
The AutoFocus intelligence summary reveals the prevalence of an artifact on your network and on a global scale. The WildFire verdicts and AutoFocus tags listed for the artifact indicate whether the artifact poses a security risk.
Enable AutoFocus Threat Intelligence on the Firewall
Step 1: Verify that the AutoFocus license is activated on the firewall.
  2. If the firewall doesn't detect the license, see Activate Licenses and Subscriptions.
Step 2: Connect the firewall to AutoFocus.
  2. Enter the AutoFocus URL: https://autofocus.paloaltonetworks.com:10443
  3. Use the Query Timeout field to set the duration of time for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall closes the connection. As a best practice, set the query timeout to the default value of 15 seconds. AutoFocus queries are optimized to complete within this duration.
  4. Select Enabled to allow the firewall to connect to AutoFocus.
  5. Click OK.
  6. Commit your changes to retain the AutoFocus settings upon reboot.
Step 3: Connect AutoFocus to the firewall.
  1. Log in to the AutoFocus portal: https://autofocus.paloaltonetworks.com
  2. Select Settings.
  3. Add new remote systems.
  4. Enter a descriptive Name to identify the firewall.
  5. Select PanOS as the System Type.
  6. Enter the firewall IP Address.
  7. Click Save changes to add the remote system.
  8. Click Save changes again on the Settings page to ensure the firewall is successfully added.
Step 4: Test the connection between the firewall and AutoFocus.
  2. Verify that you can View AutoFocus Threat Data for Logs.
Best Practices for Completing the Firewall Deployment
Now that you have integrated the firewall into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:
  Learn about the different Management Interfaces that are available to you and how to access and use them.
  Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
  Configure a best practice security policy rulebase to safely enable applications and protect your network from attack. See Best Practice Internet Gateway Security Policy for details.
  Set up High Availability. High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration and session tables are synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up a two-firewall cluster provides redundancy and allows you to ensure business continuity.
  Configure the Master Key. Every Palo Alto Networks firewall has a default master key that encrypts all private keys on the firewall used for cryptographic protocols. As a best practice to safeguard the keys, configure the master key on each firewall to be unique.
  Manage Firewall Administrators. Every Palo Alto Networks firewall and appliance is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.
  Enable User Identification (User-ID). User-ID is a Palo Alto Networks next-generation firewall feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.
  Enable Decryption. Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or tunneled traffic.
  Enable Passive DNS Collection for Improved Threat Intelligence. Enable this opt-in feature to enable the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.
  Follow the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 55
BestPracticesforCompletingtheFirewallDeployment
56 PANOS7.1AdministratorsGuide
GettingStarted
PaloAltoNetworks,Inc.
Firewall Administration

Administrators can configure, manage, and monitor Palo Alto Networks firewalls using the web interface, CLI, and API management interface. You can customize role-based administrative access to the management interfaces to delegate specific tasks or permissions to certain administrators.

  Management Interfaces
  Use the Web Interface
  Manage Configuration Backups
  Manage Firewall Administrators
  Reference: Web Interface Administrator Access
  Reference: Port Number Usage
  Reset the Firewall to Factory Default Settings
  Bootstrap the Firewall

Management Interfaces

You can use the following user interfaces to manage the Palo Alto Networks firewall and Panorama:

  Use the Web Interface to complete administrative tasks and generate reports from the web interface with relative ease. This graphical interface allows you to access the firewall using HTTPS and it is the best way to perform administrative tasks.

  Use the Command Line Interface (CLI) to enter commands in rapid succession to complete a series of tasks. The CLI is a no-frills interface that supports two command modes (operational and configuration) and each mode has its own hierarchy of commands and statements. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency.

  Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is a web service implemented using HTTP/HTTPS requests and responses. API requests are authorized by an API key that is tied to an administrator account and carries that account's role, so protect the key as you would the account's password.
Use the Web Interface

The following topics describe how to use the firewall web interface. For detailed information about specific tabs and fields in the web interface, refer to the Web Interface Reference Guide.

  Launch the Web Interface
  Configure Banners, Message of the Day, and Logos
  Use the Administrator Login Activity Indicators to Detect Account Misuse
  Manage and Monitor Administrative Tasks
  Commit, Validate, and Preview Firewall Configuration Changes
  Use Global Find to Search the Firewall or Panorama Management Server
  Manage Locks for Restricting Configuration Changes

Launch the Web Interface

The following web browsers are supported for access to the web interface:
  Internet Explorer 7+
  Firefox 3.6+
  Safari 5+
  Chrome 11+

Launch the Web Interface

Step 1. Launch an Internet browser and enter the IP address of the firewall in the URL field (https://<IP address>).
  By default, the management (MGT) interface allows only HTTPS access to the web interface. To enable other protocols, select Device > Setup > Management and edit the Management Interface Settings. Leave HTTP disabled unless you have a specific need for it: HTTP sends administrator credentials in clear text.

Step 2. Enter your user Name and Password. If this is your first login session, enter the default admin for both fields, and change the default password as soon as you are logged in.

Step 3. If the login dialog has a banner, read it. If the dialog requires you to acknowledge reading the banner, select I Accept and Acknowledge the Statement Below.

Step 4. Log in to the web interface.

Step 5. Read and Close the messages of the day.
  You can select Do not show again for messages you don't want to see in future login sessions.
  If you want to change the language that the web interface uses, click Language at the bottom of the web interface, select a Language from the drop-down, and click OK.
Configure Banners, Message of the Day, and Logos

A login banner is optional text that you can add to the login page so that administrators will see information they must know before they log in. For example, you could add a message to notify users of restrictions on unauthorized use of the firewall.

You can add colored bands that highlight overlaid text across the top (header banner) and bottom (footer banner) of the web interface to ensure administrators see critical information, such as the classification level for firewall administration.

A message of the day dialog automatically displays after you log in. The dialog displays messages that Palo Alto Networks embeds to highlight important information associated with a software or content release. You can also add one custom message to ensure administrators see information, such as an impending system restart, that might affect their tasks.

You can replace the default logos that appear on the login page and in the header of the web interface with the logos of your organization.

Configure Banners, Message of the Day, and Logos

Step 1. Configure the login banner.
  1. Select Device > Setup > Management and edit the General Settings.
  2. Enter the Login Banner (up to 3,200 characters).
  3. (Optional) Select Force Admins to Acknowledge Login Banner so that administrators must select I Accept and Acknowledge the Statement Below before the Login button is enabled.
  4. Click OK.

Step 2. Set the message of the day.
  1. Select Device > Setup > Management and edit the Banners and Messages settings.
  2. Select Message of the Day to enable the custom message.
  3. Enter the Message of the Day text (up to 3,200 characters).
  4. (Optional) Enter a header Title for the message of the day dialog (default is Message of the Day).
  5. Click OK.

Step 3. Configure the header and footer banners.
  A bright background color and contrasting text color can increase the likelihood that administrators will notice and read a banner. You can also use colors that correspond to classification levels in your organization.
  1. Select Device > Setup > Management and edit the Banners and Messages settings.
  2. Enter the Header Banner (up to 3,200 characters) and choose its text and background colors.
  3. Enter the Footer Banner (up to 3,200 characters) if the header and footer banners differ; otherwise select the option to use the same banner for the header and footer.
  4. Click OK.

Step 4. Replace the logos on the login page and in the header.
  The maximum size for any logo image is 128 KB.
  1. Select Device > Setup > Operations and click Custom Logos.
  2. Click the upload icon for the Login Screen and for the Main UI.
  3. Browse to the image file, click Open, and then Close the dialog.

Step 5. Verify that the banners, message of the day, and logos display as expected.
  1. Log out of the web interface and reload the login page. The login page displays the new login logo and the login banner.
  2. Enter your login credentials, review the banner, select I Accept and Acknowledge the Statement Below to enable the Login button, and then Login.
  3. A dialog displays the message of the day. Messages that Palo Alto Networks embedded display on separate pages in the same dialog. To navigate the pages, click the right or left arrows along the sides of the dialog or click a page selector at the bottom of the dialog.
  4. Close the message of the day dialog to access the web interface. Header and footer banners display in every web interface page with the text and colors that you configured. The new logo you selected for the web interface displays below the header banner.
Use the Administrator Login Activity Indicators to Detect Account Misuse

The last login time and failed login attempts indicators provide a visual way to detect misuse of your administrator account on a Palo Alto Networks firewall or Panorama management server. Use the last login information to determine if someone else logged in using your credentials and use the failed login attempts indicator to determine if your account is being targeted in a brute-force attack.

Use the Login Activity Indicators to Detect Account Misuse

Step 1. View the login activity indicators to monitor recent activity on your account.
  1. Log in to the web interface on your firewall or Panorama management server.
  2. View the last login details located at the bottom left of the window and verify that the timestamp corresponds to your last login.
  3. Look for a caution symbol to the right of the last login time information for failed login attempts. The failed login indicator appears if one or more failed login attempts occurred using your account since the last successful login.
     a. If you see the caution symbol, hover over it to display the number of failed login attempts.
     b. Click the caution symbol to view the failed login attempts summary. Details include the admin account name, the reason for the login failure, the source IP address, and the date and time.
     After you successfully log in and then log out, the failed login counter resets to zero so you will see new failed login details, if any, the next time you log in. The individual authentication failures remain in the System Log (Monitor > Logs > System), so use the log when you need history beyond the indicator.
  4. Locate hosts that are continually attempting to log in to your firewall or Panorama management server.
     a. Click the failed login caution symbol to view the failed login attempts summary.
     b. Locate and record the source IP address of the host that attempted to log in. For example, the summary might show multiple failed login attempts from the IP address 192.168.2.10.
     c. Work with your network administrator to locate the user and host that is using the IP address that you identified.
     If you cannot locate the system that is performing the brute-force attack, consider renaming the account to prevent future attacks.

Step 2. Take the following actions if you detect an account compromise.
  1. Change the password for the account.
  2. Review the Config Logs (Monitor > Logs > Configuration) for changes made using your account since your last legitimate login.
  3. Revert the configuration to a known good configuration if you see that logs were deleted or if you have difficulty determining if improper changes were made using your account.
     Before you commit to a previous configuration, review it to ensure that it contains the correct settings. For example, the configuration that you revert to may not contain recent changes, so apply those changes after you commit the backup configuration.

Use the following best practices to help prevent brute-force attacks on privileged accounts:
  Limit the number of failed attempts allowed before the firewall locks a privileged account by setting the number of Failed Attempts and the Lockout Time (min) in the authentication profile or in the Authentication Settings for the Management interface (Device > Setup > Management > Authentication Settings).
  Use Interface Management Profiles to Restrict Access.
  Enforce complex passwords for privileged accounts.
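The two checks above, locating hosts that keep failing to log in and choosing a Failed Attempts / Lockout Time setting, as an added example that is not code from the guide: it parses PAN-OS-style system log lines, counts failed logins per source address, and replays the events under a lockout policy. The log lines are constructed for this example and their wording only approximates what the firewall writes for auth-fail and auth-success events; the lockout replay is a simplified model of the setting, not the firewall's exact algorithm.

```python
"""Added example, not code from the PAN-OS guide: count failed administrator
logins per source IP from PAN-OS-style system log lines and replay a
Failed Attempts / Lockout Time policy over the same events."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample entries: "<time>,<event id>,<description>".  The
# description wording approximates PAN-OS auth-fail / auth-success text.
SAMPLE_LOG = """\
2016/05/19 10:00:01,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 192.168.2.10.
2016/05/19 10:00:03,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 192.168.2.10.
2016/05/19 10:00:05,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 192.168.2.10.
2016/05/19 10:00:08,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 192.168.2.10.
2016/05/19 10:01:00,auth-fail,failed authentication for user 'ops1'. Reason: Invalid username/password From: 10.1.1.5.
2016/05/19 10:02:00,auth-success,User 'admin' logged in via Web from 10.1.1.20 using https
2016/05/19 10:30:00,auth-fail,failed authentication for user 'admin'. Reason: Invalid username/password From: 192.168.2.10.
"""

USER_RE = re.compile(r"user '([^']+)'", re.IGNORECASE)
SRC_RE = re.compile(r"[Ff]rom:?\s+(\d{1,3}(?:\.\d{1,3}){3})")


def parse_auth_events(text):
    """Return a list of dicts (time, event, user, src) for auth events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event, desc = line.split(",", 2)
        if event not in ("auth-fail", "auth-success"):
            continue
        user = USER_RE.search(desc)
        src = SRC_RE.search(desc)
        events.append({
            "time": datetime.strptime(when, "%Y/%m/%d %H:%M:%S"),
            "event": event,
            "user": user.group(1) if user else None,
            "src": src.group(1) if src else None,
        })
    return events


def brute_force_sources(events, threshold):
    """Source IPs with at least `threshold` failed logins, most active first.
    This is the 'locate hosts that are continually attempting to log in' step."""
    counts = Counter(e["src"] for e in events if e["event"] == "auth-fail")
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


def simulate_lockout(events, failed_attempts, lockout_minutes):
    """Replay the events under a Failed Attempts / Lockout Time policy.
    Simplified model (an assumption, not the firewall's exact algorithm):
    consecutive failures per account are counted, a success resets the
    count, reaching the limit locks the account for lockout_minutes, and
    attempts made while locked are rejected without being counted.
    Returns [(user, time the account locked), ...]."""
    fails = defaultdict(int)
    locked_until = {}
    locks = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, now = ev["user"], ev["time"]
        if user in locked_until and now < locked_until[user]:
            continue
        if ev["event"] == "auth-success":
            fails[user] = 0
            continue
        fails[user] += 1
        if fails[user] >= failed_attempts:
            locked_until[user] = now + timedelta(minutes=lockout_minutes)
            locks.append((user, now))
            fails[user] = 0
    return locks


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(evs, threshold=3))
    print("lockouts (3 attempts, 15 min):", simulate_lockout(evs, 3, 15))
```

With the sample data, 192.168.2.10 is the only source over a threshold of three failures, and a policy of three attempts with a 15 minute lockout locks admin at 10:00:05, which also rejects the legitimate 10:02 login; that trade-off (lockout as a denial-of-service lever against your own administrators) is why the lockout window is worth choosing with the real failure rate from your logs in hand.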
Manage and Monitor Administrative Tasks

The Task Manager displays details about all the operations that you and other administrators initiated (such as manual commits) or that the firewall initiated (such as scheduled report generation) since the last firewall reboot. You can use the Task Manager to troubleshoot failed operations, investigate warnings associated with completed commits, view details about queued commits, or cancel pending commits.

You can also view System Logs to monitor system events on the firewall or view Config Logs to monitor firewall configuration changes.

Manage and Monitor Administrative Tasks

Step 1. Click Tasks at the bottom of the web interface.

Step 2. Show only Running tasks (in progress) or All tasks (default). Optionally, filter the tasks by type:
  Jobs: Administrator-initiated commits, firewall-initiated commits, and software or content downloads and installations.
  Reports: Scheduled reports.
  Log Requests: Log queries that you trigger by accessing the Dashboard or a Monitor page.

Step 3. Perform any of the following actions:
  Display or hide task details: By default, the Task Manager displays the Type, Status, Start Time, and Messages for each task. To see the End Time and Job ID for a task, you must manually configure the display to expose those columns. To display or hide a column, open the drop-down in any column header, select Columns, and select or deselect the column names as needed.
  Investigate warnings or failures: Read the entries in the Messages column for task details. If the column says Too many messages, click the corresponding entry in the Type column to see more information.
  Display a commit description: If an administrator entered a description when configuring a commit, you can click Commit Description in the Messages column to display the description.
  Check the position of a commit in the queue: The Messages column indicates the queue position of commits that are in progress.
  Cancel pending commits: Click Clear Commit Queue to cancel all pending commits (available only to predefined administrative roles). To cancel an individual commit, click x in the Action column for that commit (the commit remains in the queue until the firewall dequeues it). You cannot cancel commits that are in progress.

Commit, Validate, and Preview Firewall Configuration Changes

A commit is the process of activating changes that you made to the firewall configuration. The firewall queues commit operations in the order you and other administrators initiate them. If the queue already has the maximum number of commits (which varies by platform), you must wait for the firewall to process a pending commit before initiating a new commit. To cancel pending commits or view details about commits of any status, see Manage and Monitor Administrative Tasks. To check which changes a commit will activate, you can run a commit preview.

For details on candidate and running configurations, see Manage Configuration Backups.

To prevent multiple administrators from making configuration changes during concurrent sessions, see Manage Locks for Restricting Configuration Changes.
When you initiate a commit, the firewall checks the validity of the changes before activating them. The validation output displays conditions that either block the commit (errors) or that are important to know but that do not block the commit (warnings). For example, validation could indicate an invalid route destination that you need to fix for the commit to succeed. To identify and fix configuration errors before initiating a commit, you can validate changes without committing. A pre-commit validation displays the same errors and warnings as a commit, including reference errors, rule shadowing, and application dependency warnings. Pre-commit validations are useful if your organization allows commits only within certain time windows; you can find and fix errors to avoid failures that could cause you to miss a commit window.

Preview, Validate, or Commit Firewall Configuration Changes

Step 1. Configure the commit, validation, or preview options.
  1. Click Commit at the top of the web interface.
  2. (Optional) Exclude certain types of configuration changes. These options are included (enabled) by default:
     Include Device and Network configuration
     Include Policy and Object configuration: This is available only on firewalls for which multiple virtual systems capability is disabled.
     Include Shared Object configuration: This is available only on firewalls with multiple virtual systems.
     Include Virtual System configuration: This is available only on firewalls with multiple virtual systems. Select All virtual systems (default) or Select one or more virtual systems in the list.
     If dependencies between the configuration changes you included and excluded cause a validation error, perform the commit with all the changes included. For example, if your changes introduce a new Log Forwarding profile (an object) that references a new Syslog server profile (a device setting), the commit must include both the policy and object configuration and the device and network configuration.
  3. (Optional) Enter a Description for the commit. A brief summary of what changed in the configuration is useful to other administrators who want to know what changes were made without performing a configuration audit.

Step 2. (Optional) Preview the changes that the commit will activate. This can be useful if, for example, you don't remember all your changes and you're not sure you want to activate all of them. The firewall displays the changes in a new window that shows the running and candidate configurations side by side using colors to highlight the differences line by line.
  1. Click Preview Changes.
  2. Select the Lines of Context, which is the number of lines from the compared configuration files to display before and after each highlighted difference. These additional lines help you correlate the preview output to settings in the web interface.
     Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.
  3. Close the preview window when you finish reviewing the changes.

Step 3. (Optional) Validate the changes before you commit to ensure the commit will succeed.
  1. Click Validate Changes. The results display all the errors and warnings that an actual commit would display.
  2. Resolve any errors that the validation results identify.

Step 4. Commit your configuration changes.
  Click Commit.
  To view details about commits that are pending (which you can still cancel), in progress, completed, or failed, see Manage and Monitor Administrative Tasks.
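The XML API described under Management Interfaces and the commit queue and job tracking described in this section, as an added example that is not code from the guide or from Palo Alto Networks: a minimal client that obtains an API key, enqueues a commit with a description, and polls the resulting job until it leaves the queue and finishes. The request shapes (type=keygen, type=commit, type=op with show jobs id) and the job status values PEND, ACT and FIN with result OK or FAIL are the documented XML API behaviour; the FakeFirewall class, the host name, the credentials and the sample responses are constructed here so the example runs offline, and https_transport shows how a real connection should verify the management certificate instead of disabling checks.

```python
"""Added example, not code from the PAN-OS guide: a minimal PAN-OS XML API
client that gets an API key, enqueues a commit and polls the commit job."""
import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def https_transport(host, ca_file):
    """Return a callable that POSTs API parameters to https://<host>/api/.
    The MGT interface's certificate is verified against ca_file (the CA you
    trust for the management certificate); do not disable verification."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def send(params):
        data = urllib.parse.urlencode(params).encode()
        req = urllib.request.Request("https://%s/api/" % host, data=data)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read()
    return send


class PanXmlApi:
    def __init__(self, transport):
        self.transport = transport  # callable: params dict -> response bytes
        self.key = None             # API key: carries the admin's role, guard it

    def _call(self, params):
        if self.key:
            params = dict(params, key=self.key)
        root = ET.fromstring(self.transport(params))
        if root.get("status") != "success":
            raise RuntimeError("API error: " + " ".join(root.itertext()).strip())
        return root

    def keygen(self, user, password):
        root = self._call({"type": "keygen", "user": user, "password": password})
        self.key = root.findtext("result/key")
        return self.key

    def op(self, cmd_xml):
        return self._call({"type": "op", "cmd": cmd_xml})

    def commit(self, description=None):
        cmd = "<commit>"
        if description:
            cmd += "<description>%s</description>" % escape(description)
        cmd += "</commit>"
        return int(self._call({"type": "commit", "cmd": cmd}).findtext("result/job"))

    def job_status(self, job_id):
        job = self.op("<show><jobs><id>%d</id></jobs></show>" % job_id).find("result/job")
        return job.findtext("status"), job.findtext("result")


def wait_for_job(api, job_id, interval=5, max_polls=120, sleep=time.sleep):
    """Poll until the job leaves the queue (PEND), runs (ACT) and finishes (FIN)."""
    status = None
    for _ in range(max_polls):
        status, result = api.job_status(job_id)
        if status == "FIN":
            return result  # "OK" or "FAIL"
        sleep(interval)
    raise TimeoutError("job %d still %s after %d polls" % (job_id, status, max_polls))


class FakeFirewall:
    """Constructed stand-in for a firewall so the example runs offline:
    rejects calls without a key, enqueues commit job 42, and reports the
    job as PEND, then ACT, then FIN/OK on successive polls."""
    def __init__(self):
        self.key = "LUFRPT1example"
        self.polls = 0

    def __call__(self, params):
        if params["type"] == "keygen":
            return b'<response status="success"><result><key>LUFRPT1example</key></result></response>'
        if params.get("key") != self.key:
            return b'<response status="error" code="403"><result><msg>Invalid credentials.</msg></result></response>'
        if params["type"] == "commit":
            return (b'<response status="success" code="19"><result>'
                    b'<msg><line>Commit job enqueued with jobid 42</line></msg><job>42</job></result></response>')
        self.polls += 1
        status = ["PEND", "ACT", "FIN"][min(self.polls, 3) - 1]
        result = "OK" if status == "FIN" else "PEND"
        return ('<response status="success"><result><job><id>42</id><type>Commit</type>'
                '<status>%s</status><result>%s</result></job></result></response>' % (status, result)).encode()


if __name__ == "__main__":
    # Against a real firewall: PanXmlApi(https_transport("fw.example.net", "mgmt-ca.pem"))
    api = PanXmlApi(FakeFirewall())
    api.keygen("admin", "correct horse battery staple")
    job = api.commit("tighten rule allow-web")
    print("commit job %d finished with %s" % (job, wait_for_job(api, job, interval=0, sleep=lambda s: None)))
```

The commit call returns as soon as the job is enqueued, so a script that needs to know whether the change activated has to poll the job; the queue position and status you see under Tasks in the web interface are the same job records. A commit enqueued through the API by an account whose Admin Role profile disables Commit on the XML API tab fails at the authorization step, which the error branch in _call surfaces.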
Use Global Find to Search the Firewall or Panorama Management Server

Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular string, such as an IP address, object name, policy rule name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can easily find all of the places where the string is referenced. The search results also help you identify other objects that depend on or make reference to the search term or string. For example, when deprecating a security profile, enter the profile name in Global Find to locate all instances of the profile and then click each instance to navigate to the configuration page and make the necessary change. After all references are removed, you can then delete the profile. You can do this for any configuration item that has dependencies.

Global Find will not search dynamic content (such as logs, address ranges, or allocated DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS entry, but you cannot search for individual addresses allocated to users. Global Find also does not search for individual user or group names identified by User-ID unless the user/group is defined in a policy. In general, you can only search content that the firewall writes to the configuration.

Use Global Find

Launch Global Find by clicking the Search icon located on the upper right of the web interface.

To access Global Find from within a configuration area, click the drop-down next to an item and select Global Find. For example, click Global Find on a zone named l3-vlan-trust to search the candidate configuration for each location where the zone is referenced. [Screen capture in the original guide: the search results for the zone l3-vlan-trust.]

Search tips:
  If you initiate a search on a firewall that has multiple virtual systems enabled or if custom Administrative Roles are defined, Global Find will only return results for areas of the firewall in which the administrator has permissions. The same applies to Panorama device groups.
  Spaces in search terms are handled as AND operations. For example, if you search on corp policy, the search results include instances where corp and policy exist in the configuration.
  To find an exact phrase, enclose the phrase in quotation marks.
  To rerun a previous search, click Search (located on the upper right of the web interface) to see a list of the last 20 searches. Click an item in the list to rerun that search. Search history is unique to each administrator account.
Manage Locks for Restricting Configuration Changes

Locking the candidate or running configuration prevents other administrators from changing the configuration until you manually remove the lock, a superuser removes the lock, or the firewall automatically removes it (after a commit). Locks ensure that administrators don't make conflicting changes to the same settings or interdependent settings during concurrent login sessions.

The firewall queues commit requests and performs them in the order that administrators initiate the commits. For details, see Commit, Validate, and Preview Firewall Configuration Changes. To view the status of queued commits, see Manage and Monitor Administrative Tasks.

Manage Locks for Restricting Configuration Changes

View details about current locks. For example, you can check whether other administrators have set locks and read comments they entered to explain the locks.
  Click the lock at the top of the web interface. An adjacent number indicates the number of current locks.

Lock a configuration.
  1. Click the lock at the top of the web interface. The lock image varies based on whether existing locks are or are not set.
  2. Take a Lock and select the lock Type:
     Config: Blocks other administrators from changing the candidate configuration.
     Commit: Blocks other administrators from changing the running configuration.
  3. (Firewall with multiple virtual systems only) Select a Location to lock the configuration for a specific virtual system or the Shared location.
  4. (Optional) As a best practice, enter a Comment so that other administrators will understand the reason for the lock.
  5. Click OK and Close.

Unlock a configuration. Only a superuser or the administrator who locked the configuration can manually unlock it. However, the firewall automatically removes a lock after completing the commit operation.
  1. Click the lock at the top of the web interface.
  2. Select the lock entry in the list.
  3. Click Remove Lock, OK, and Close.

Configure the firewall to automatically lock the running configuration when you change the candidate configuration. This setting applies to all administrators.
  1. Select Device > Setup > Management and edit the General Settings.
  2. Select Automatically Acquire Commit Lock and click OK.
Manage Configuration Backups

The running configuration comprises all settings you have committed and that are therefore active, such as policy rules that currently block or allow various types of traffic in your network. The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the last commit. Backing up versions of the running or candidate configuration enables you to later restore those versions on the firewall. For example, if a commit validation shows that the current candidate configuration has more errors than you are able or have time to fix, then you can restore a previous candidate configuration or revert to the running configuration.

See Commit, Validate, and Preview Firewall Configuration Changes for related information.

  Back Up a Configuration
  Restore a Configuration

Back Up a Configuration

Creating configuration backups enables you to later Restore a Configuration. This is useful when you want to revert the firewall to all the settings of an earlier configuration because you can perform the restoration as a single operation instead of manually reconfiguring each setting in the current configuration. You can either save backups locally on the firewall or export backups to an external host.

When you commit changes, the firewall automatically saves a new version of the running configuration. If a system event or administrator action causes the firewall to reboot, it automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. However, the firewall does not automatically save a backup of the candidate configuration; you must manually save a backup of the candidate configuration as a snapshot file using either the default name (.snapshot.xml) or a custom name.

When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot. Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).

As a best practice, back up any important configuration to a host external to the firewall. An exported configuration contains your complete policy in clear text and the firewall's credentials and keys in hashed or master-key-encrypted form, so protect exported files with the same access controls you apply to the firewall itself.

Back Up a Configuration

Step 1. Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots. These are changes you are not ready to commit, for example, changes you cannot finish in the current login session.
  Perform one of the following tasks based on whether you want to overwrite the default snapshot (.snapshot.xml) or create a snapshot with a custom name:
  Overwrite the default snapshot: Click Save at the top of the web interface.
  Create a custom-named snapshot:
     a. Select Device > Setup > Operations and Save named configuration snapshot.
     b. Enter a Name for the snapshot or select an existing snapshot to overwrite.
     c. Click OK and Close.

Step 2. Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.
  Select Device > Setup > Operations and click one of the following; your browser downloads the resulting file:
  Export named configuration snapshot: Exports the current running configuration (running-config.xml), a candidate configuration snapshot, or a configuration that you previously imported.
  Export configuration version: Exports one of the running configuration versions that the firewall saved when you committed.
  Export device state: Exports the running configuration together with the device state information described in Restore a Configuration.
Restore a Configuration

Restoring a firewall configuration overwrites the current candidate configuration with another configuration. This is useful when you want to revert all firewall settings used in an earlier configuration; you can perform this restoration as a single operation instead of manually reconfiguring each setting in the current configuration.

The firewall automatically saves a new version of the running configuration whenever you commit changes and you can restore any of those versions. However, you must manually save a candidate configuration to later restore it (see Back Up a Configuration).

Restore a Configuration

Restore the current running configuration. This operation undoes all the changes you made to the candidate configuration since the last commit.
  1. Select Device > Setup > Operations and click Revert to running configuration.
  2. Click Yes to confirm the operation.

Restore the default snapshot of the candidate configuration. This is the snapshot that you create or overwrite when you click Save at the top right of the web interface.
  1. Select Device > Setup > Operations and click Revert to last saved configuration.
  2. Click Yes to confirm the operation.
  3. (Optional) Click Commit to overwrite the running configuration with the snapshot.

Restore a previous version of the running configuration that is stored on the firewall. The firewall creates a version whenever you commit configuration changes.
  1. Select Device > Setup > Operations and click Load configuration version.
  2. Select a configuration Version and click OK.
  3. (Optional) Click Commit to overwrite the running configuration with the version you just restored.

Restore one of the following:
  Current running configuration (named running-config.xml)
  Custom-named version of the running configuration that you previously imported
  Custom-named candidate configuration snapshot (instead of the default snapshot)
  1. Select Device > Setup > Operations and click Load named configuration snapshot.
  2. Select the Name of the configuration and click OK.
  3. (Optional) Click Commit to overwrite the running configuration with the snapshot.

Restore a running or candidate configuration that you previously exported to an external host.
  1. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the file, and click OK.
  2. Click Load named configuration snapshot, select the Name of the file you imported, and click OK.
  3. (Optional) Click Commit to overwrite the running configuration with the snapshot you just imported.

Restore state information that you exported from a firewall. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
  Import state information:
  1. Select Device > Setup > Operations, click Import device state, Browse to the state bundle, and click OK.
  2. (Optional) Click Commit to apply the imported state information to the running configuration.
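Both the Preview Changes step of a commit and the advice to review a saved configuration before you load and commit it come down to the same operation, a diff of two configuration XML files. The following is an added example, not code from the guide: it flattens two PAN-OS-style configuration documents into xpath-like leaf paths and reports what was added, removed or changed, so you can run running-config.xml against a candidate snapshot or against an exported backup before restoring it. The two sample configurations are constructed for this example; they imitate PAN-OS entry and member layout but are not complete firewall configurations.

```python
"""Added example, not code from the PAN-OS guide: report which settings
differ between two configuration XML documents, keyed by an xpath-like
path, the way a commit preview or a pre-restore review needs."""
import xml.etree.ElementTree as ET

# Constructed samples: the running configuration and a candidate that
# renames the host, widens rule allow-web, drops its log-end, and adds a rule.
RUNNING = """<config version="7.1.0">
 <devices><entry name="localhost.localdomain">
  <deviceconfig><system><hostname>edge-fw</hostname></system></deviceconfig>
  <vsys><entry name="vsys1"><rulebase><security><rules>
   <entry name="allow-web">
    <from><member>l3-vlan-trust</member></from><to><member>untrust</member></to>
    <application><member>web-browsing</member></application>
    <action>allow</action><log-end>yes</log-end>
   </entry>
  </rules></security></rulebase></entry></vsys>
 </entry></devices>
</config>"""

CANDIDATE = """<config version="7.1.0">
 <devices><entry name="localhost.localdomain">
  <deviceconfig><system><hostname>edge-fw-01</hostname></system></deviceconfig>
  <vsys><entry name="vsys1"><rulebase><security><rules>
   <entry name="allow-web">
    <from><member>l3-vlan-trust</member></from><to><member>untrust</member></to>
    <application><member>web-browsing</member><member>ssl</member></application>
    <action>allow</action>
   </entry>
   <entry name="allow-dns">
    <from><member>l3-vlan-trust</member></from><to><member>untrust</member></to>
    <application><member>dns</member></application>
    <action>allow</action><log-end>yes</log-end>
   </entry>
  </rules></security></rulebase></entry></vsys>
 </entry></devices>
</config>"""


def flatten(root):
    """Map each leaf path to the sorted list of its values.  <entry name="x">
    is rendered as entry[@name='x'] so that each rule or object gets its own
    path; repeated siblings such as <member> collapse into one sorted list."""
    leaves = {}

    def walk(elem, path):
        tag = elem.tag
        if tag == "entry" and elem.get("name") is not None:
            tag = "entry[@name='%s']" % elem.get("name")
        path = path + "/" + tag
        children = list(elem)
        if not children:
            leaves.setdefault(path, []).append((elem.text or "").strip())
        for child in children:
            walk(child, path)

    walk(root, "")
    return {p: sorted(v) for p, v in leaves.items()}


def diff_configs(old_xml, new_xml):
    """Return added [(path, values)], removed [(path, values)] and
    changed [(path, old values, new values)], each sorted by path."""
    old, new = flatten(ET.fromstring(old_xml)), flatten(ET.fromstring(new_xml))
    return {
        "added": sorted((p, new[p]) for p in new if p not in old),
        "removed": sorted((p, old[p]) for p in old if p not in new),
        "changed": sorted((p, old[p], new[p]) for p in old if p in new and old[p] != new[p]),
    }


def format_diff(diff):
    """Render the diff as +/-/~ lines, one per setting."""
    out = ["+ %s = %s" % (p, "|".join(v)) for p, v in diff["added"]]
    out += ["- %s = %s" % (p, "|".join(v)) for p, v in diff["removed"]]
    out += ["~ %s: %s -> %s" % (p, "|".join(o), "|".join(n)) for p, o, n in diff["changed"]]
    return out


if __name__ == "__main__":
    for line in format_diff(diff_configs(RUNNING, CANDIDATE)):
        print(line)
```

Keying by entry name rather than by position is what makes the output usable for review: a rule inserted at the top of the rulebase shows up as a single added entry instead of shifting every rule below it, and the dropped log-end on allow-web, the kind of silent logging regression a restore from an older backup can reintroduce, appears as its own removed line.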
Manage Firewall Administrators

Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall.

As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators.

  Administrative Roles
  Administrative Authentication
  Configure Administrative Accounts and Authentication

Administrative Roles

A role defines the type of access that an administrator has to the firewall.

  Administrative Role Types
  Configure an Admin Role Profile

Administrative Role Types

The role types are:

Dynamic Roles: These are built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.

  Dynamic Role: Privileges
  Superuser: Full access to the firewall, including defining new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
  Superuser (read-only): Read-only access to the firewall.
  Virtual system administrator: Full access to a selected virtual system (vsys) on the firewall.
  Virtual system administrator (read-only): Read-only access to a selected vsys on the firewall.
  Device administrator: Full access to all firewall settings except for defining new accounts or virtual systems.
  Device administrator (read-only): Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).

Admin Role Profiles: Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a multi-vsys firewall, you can select whether the role defines access for all virtual systems or for a specific vsys. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.
Configure an Admin Role Profile

Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.

As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.

Configure an Admin Role Profile

Step 1. Select Device > Admin Roles and click Add.

Step 2. Enter a Name to identify the role.

Step 3. For the scope of the Role, select Device or Virtual System.

Step 4. On the Web UI and XML API tabs, click the icon next to each functional area to set its access to Enable, Read Only, or Disable. Set the XML API permissions deliberately: they are independent of the Web UI permissions, so an administrator who is read-only in the web interface still has whatever the XML API tab grants.

Step 5. Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
  Device role: superuser, superreader, deviceadmin, devicereader, or None
  Virtual System role: vsysadmin, vsysreader, or None

Step 6. Click OK to save the profile.

Step 7. Assign the role to an administrator. See Configure an Administrative Account.
Administrative Authentication

You can configure the following types of administrator authentication (account type, authentication method, description):

Local account, Local (no database) authentication: The administrator account credentials and the authentication mechanisms are local to the firewall. You can further secure local accounts by setting global password complexity and expiration settings for all accounts or by creating a password profile that defines password expiration settings for specific accounts. For details, see Configure an Administrative Account.

Local account, Local database authentication: The firewall uses a local database to store the administrator account credentials and to perform authentication. If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.

Local account, SSL-based authentication: The administrator accounts are local to the firewall, but authentication is based on SSH keys (for CLI access) or client certificates (for web interface access). For details, see Configure SSH Key-Based Administrator Authentication to the CLI and Configure Certificate-Based Administrator Authentication to the Web Interface.

Local account, External service authentication: The administrator accounts are local to the firewall, but external services (LDAP, Kerberos, TACACS+, or RADIUS) handle the authentication functions. If your network supports Kerberos single sign-on (SSO), you can configure external authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.

External account, External service authentication: An external RADIUS server handles account management and authentication. You must define Vendor-Specific Attributes (VSAs) on your RADIUS server that map to the administrator role, access domain, user group (if applicable), and virtual system (if applicable). For details, see Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.

Configure Administrative Accounts and Authentication

If you have already configured Administrative Roles and external authentication services (if applicable), you can Configure an Administrative Account. Otherwise, perform one of the other procedures listed below to configure administrative accounts for specific types of authentication.

Administrative accounts specify how administrators authenticate to the firewall. To configure how the firewall authenticates to administrators, see Replace the Certificate for Inbound Management Traffic.

  Configure an Administrative Account
  Configure Kerberos SSO and External or Local Authentication for Administrators
  Configure Certificate-Based Administrator Authentication to the Web Interface
  Configure SSH Key-Based Administrator Authentication to the CLI
  Configure RADIUS Vendor-Specific Attributes for Administrator Authentication

Configure an Administrative Account

Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls.
FirewallAdministration
ManageFirewallAdministrators
Configure an Administrative Account

Step 1  (Optional) Define password complexity and expiration settings for administrator accounts that are
        local to the firewall. These settings can help protect the firewall against unauthorized access by
        making it harder for attackers to guess passwords.

        You cannot configure these settings for local accounts that use a local database or external
        service for authentication.

        1. Define global password complexity and expiration settings for all local administrators.
           a. Select Device > Setup > Management and edit the Minimum Password Complexity settings.
           b. Select Enabled.
           c. Define the password settings and click OK.
        2. Define a Password Profile if you want certain local administrators to have password expiration
           settings that override the global settings.
           a. Select Device > Password Profiles and Add a profile.
           b. Enter a Name to identify the profile.
           c. Define the password expiration settings and click OK.

Step 2  Add an administrative account.
        1. Select Device > Administrators and Add an account.
        2. Enter a user Name.
        3. Select an Authentication Profile or sequence if you configured either for the user.
           The default option (None) specifies that the firewall will locally manage and authenticate the
           account without a local database. In this case, you must enter and confirm a Password.
        4. Select the Administrator Type. If you configured a custom role for the user, select Role Based and
           select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If
           the dynamic role is virtual system administrator, add one or more virtual systems that the
           virtual system administrator is allowed to manage.
        5. (Optional) Select a Password Profile for local administrators. This option is available only if
           you set the Authentication Profile to None.
        6. Click OK and Commit.
Configure Kerberos SSO and External or Local Authentication for Administrators

You can configure the firewall to first try Kerberos single sign-on (SSO) authentication and, if that fails, fall
back to External service or Local database authentication.

Configure Kerberos SSO and External or Local Authentication for Administrators

Step 1  Configure a Kerberos keytab for the firewall.
        Required for Kerberos SSO authentication.
        Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal
        name and hashed password) for the firewall.

Step 2  Configure a local database or external server profile.
        Required for local database or external authentication.
        Local database authentication: perform the following tasks:
          a. Configure the user account.
          b. (Optional) Configure a user group.
        External authentication: perform one of the following tasks:
          - Configure a RADIUS Server Profile.
          - Configure a TACACS+ Server Profile.
          - Configure an LDAP Server Profile.
          - Configure a Kerberos Server Profile.

Step 3  Configure an authentication profile.
        If your users are in multiple Kerberos realms, create an authentication profile for each realm and
        assign all the profiles to an authentication sequence. You can then assign the same authentication
        sequence to all user accounts (Step 4).
        Configure an Authentication Profile and Sequence.

Step 4  Configure an administrator account.
        Configure an Administrative Account.
        For local database authentication, specify the Name of the user you defined in Step 2.
        Assign the Authentication Profile or sequence and the Admin Role Profile that you just created.
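Step 1 asks you to create a keytab but gives no way to confirm what is in it before it is imported. The following added example (not from the PAN-OS guide or Palo Alto Networks) builds a keytab in memory in the version 0x0502 layout that MIT Kerberos and Heimdal write, from constructed sample values, and parses it back so an administrator can check that the principal name, key version number (kvno) and encryption types are the ones expected. The principal HTTP/fw01.example.com@EXAMPLE.COM, the realm and the key bytes are assumptions; the encryption-type numbers are the standard IANA Kerberos enctype values.

```python
import struct

# Standard Kerberos enctype numbers (IANA registry).
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise entries (realm, components, enctype, key, kvno, timestamp) as a 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        body = struct.pack(">H", len(e["components"])) + _counted(e["realm"].encode())
        for comp in e["components"]:
            body += _counted(comp.encode())
        body += struct.pack(">II", 1, e["timestamp"])   # name type KRB5_NT_PRINCIPAL, timestamp
        body += struct.pack(">B", e["kvno"] & 0xFF)      # 8-bit kvno
        body += struct.pack(">H", e["enctype"]) + _counted(e["key"])
        body += struct.pack(">I", e["kvno"])             # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body        # size field excludes itself
    return bytes(out)


def _take(data: bytes, pos: int):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data: bytes):
    """Return one dict per live entry; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _take(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp = struct.unpack_from(">II", data, pos)
        pos += 8
        vno8 = data[pos]
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _take(data, pos)
        # The 32-bit kvno is present only when at least 4 bytes remain in the entry.
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
                        "kvno": kvno, "timestamp": timestamp, "key_bytes": len(key)})
        pos = end
    return entries


def check_keytab(data: bytes, expected_principal: str, allowed_enctypes=(17, 18)):
    """(ok, findings): the expected principal must be present, every entry must use an
    allowed enctype, and the principal's entries must share one kvno."""
    entries = parse_keytab(data)
    findings = []
    mine = [e for e in entries if e["principal"] == expected_principal]
    if not mine:
        findings.append("principal %s not found" % expected_principal)
    for e in entries:
        if e["enctype"] not in allowed_enctypes:
            findings.append("%s uses %s" % (e["principal"], e["enctype_name"]))
    if len({e["kvno"] for e in mine}) > 1:
        findings.append("mixed kvno for %s" % expected_principal)
    return (not findings), findings


# Constructed sample keytab: placeholder principal and key bytes, not real key material.
SAMPLE_KEYTAB = build_keytab([
    {"realm": "EXAMPLE.COM", "components": ["HTTP", "fw01.example.com"],
     "enctype": 18, "key": bytes(range(32)), "kvno": 3, "timestamp": 1463616000},
    {"realm": "EXAMPLE.COM", "components": ["HTTP", "fw01.example.com"],
     "enctype": 23, "key": bytes(range(16)), "kvno": 3, "timestamp": 1463616000},
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/fw01.example.com@EXAMPLE.COM"))
```

Run against a real keytab with `check_keytab(open("fw.keytab", "rb").read(), principal)`; the sample deliberately carries an arcfour-hmac entry so the check reports it, which is the kind of legacy enctype an administrator would want to notice before relying on the keytab for SSO.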
Configure Certificate-Based Administrator Authentication to the Web Interface

As a more secure alternative to password-based authentication to the web interface of a Palo Alto Networks
firewall, you can configure certificate-based authentication for administrator accounts that are local to the
firewall. Certificate-based authentication involves the exchange and verification of a digital signature instead
of a password.

Configuring certificate-based authentication for any administrator disables the username/password logins
for all administrators on the firewall; administrators thereafter require the certificate to log in.

Configure Certificate-Based Administrator Authentication to the Web Interface

Step 1  Generate a certificate authority (CA) certificate on the firewall. You will use this CA certificate to
        sign the client certificate of each administrator.
        Create a Self-Signed Root CA Certificate.
        Alternatively, Import a Certificate and Private Key from your enterprise CA.

Step 2  Configure a certificate profile for securing access to the web interface.
        Configure a Certificate Profile.
        - Set the Username Field to Subject.
        - In the CA Certificates section, Add the CA Certificate you just created or imported.

Step 3  Configure the firewall to use the certificate profile for authenticating administrators.
        1. Select Device > Setup > Management and edit the Authentication Settings.
        2. Select the Certificate Profile you created for authenticating administrators and click OK.

Step 4  Configure the administrator accounts to use client certificate authentication.
        For each administrator who will access the firewall web interface, Configure an Administrative
        Account and select Use only client certificate authentication.
        If you have already deployed client certificates that your enterprise CA generated, skip to Step 8.
        Otherwise, go to Step 5.

Step 5  Generate a client certificate for each administrator.
        Generate a Certificate. In the Signed By drop-down, select a self-signed root CA certificate.

Step 6  Export the client certificate.
        1. Export a Certificate and Private Key.
        2. Commit your changes. The firewall restarts and terminates your login session. Thereafter,
           administrators can access the web interface only from client systems that have the client
           certificate you generated.

Step 7  Import the client certificate into the client system of each administrator who will access the web
        interface.
        Refer to your web browser documentation.

Step 8  Verify that administrators can access the web interface.
        1. Open the firewall IP address in a browser on the computer that has the client certificate.
        2. When prompted, select the certificate you imported and click OK. The browser displays a
           certificate warning.
        3. Add the certificate to the browser exception list.
        4. Click Login. The web interface should appear without prompting you for a username or password.
Configure SSH Key-Based Administrator Authentication to the CLI

For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys
provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of
brute-force attacks, provide the option for two-factor authentication (key and passphrase), and don't send
passwords over the network. SSH keys also enable automated scripts to access the CLI.

Configure SSH Key-Based Administrator Authentication to the CLI

Step 1  Use an SSH key generation tool to create an asymmetric key pair on the client system of the
        administrator.
        The supported key formats are IETF SECSH and OpenSSH. The supported algorithms are DSA
        (1,024 bits) and RSA (768-4,096 bits).
        For the commands to generate the key pair, refer to your SSH client documentation.
        The public key and private key are separate files. Save both to a location that the firewall can
        access. For added security, enter a passphrase to encrypt the private key. The firewall prompts the
        administrator for this passphrase during login.

Step 2  Configure the administrator account to use public key authentication.
        1. Configure an Administrative Account.
           - Configure the authentication method to use as a fallback if SSH key authentication fails. If
             you configured an Authentication Profile for the administrator, select it in the drop-down. If
             you select None, you must enter a Password and Confirm Password.
           - Select Use Public Key Authentication (SSH), then Import Key, Browse to the public key you just
             generated, and click OK.
        2. Commit your changes.

Step 3  Configure the SSH client to use the private key to authenticate to the firewall.
        Perform this task on the client system of the administrator. For the steps, refer to your SSH client
        documentation.

Step 4  Verify that the administrator can access the firewall CLI using SSH key authentication.
        1. Use a browser on the client system of the administrator to go to the firewall IP address.
        2. Log in to the firewall CLI as the administrator. After entering a username, you will see the
           following output (the key value is an example):
           Authenticating with public key dsa-key-20130415
        3. If prompted, enter the passphrase you defined when creating the keys.
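Step 1 restricts the public key to DSA at 1,024 bits or RSA at 768-4,096 bits in OpenSSH or IETF SECSH format, and an import of a key outside those limits only fails at the firewall. The following added example (not from the PAN-OS guide or Palo Alto Networks) parses an OpenSSH-format public key line, reads the RSA modulus or DSA prime size from the wire encoding, and reports whether the key meets those limits before anyone tries to import it. The sample key lines are constructed from placeholder numbers of the right bit length (not real keys) so the block runs offline; `make_pubkey_line` and the sample names are this example's own.

```python
import base64
import struct

# Supported algorithms and sizes as stated in the guide: DSA 1,024 bits, RSA 768-4,096 bits.
SUPPORTED_BITS = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 32-bit big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH 'mpint': big-endian two's complement; a leading 0x00 keeps the top bit clear."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, pos: int):
    (length,) = struct.unpack_from(">I", blob, pos)
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length


def make_pubkey_line(keytype: str, fields: bytes, comment: str) -> str:
    """Assemble an OpenSSH public key line: '<type> <base64 blob> <comment>'."""
    blob = _ssh_string(keytype.encode()) + fields
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)


def parse_openssh_pubkey(line: str) -> dict:
    """Return the key type, its modulus/prime size in bits, and the comment."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1])
    inner, pos = _read_string(blob, 0)
    if inner.decode() != keytype:
        raise ValueError("key type inside the blob does not match the prefix")
    bits = None
    if keytype == "ssh-rsa":               # fields: e, n
        _e, pos = _read_string(blob, pos)
        n, pos = _read_string(blob, pos)
        bits = int.from_bytes(n, "big").bit_length()
    elif keytype == "ssh-dss":             # fields: p, q, g, y
        p, pos = _read_string(blob, pos)
        bits = int.from_bytes(p, "big").bit_length()
    return {"type": keytype, "bits": bits, "comment": " ".join(parts[2:])}


def check_pubkey(line: str):
    """(accepted, reason) against the guide's supported algorithms and key sizes."""
    info = parse_openssh_pubkey(line)
    if info["type"] not in SUPPORTED_BITS:
        return False, "%s is not a supported algorithm" % info["type"]
    low, high = SUPPORTED_BITS[info["type"]]
    if not low <= info["bits"] <= high:
        return False, "%s key of %d bits is outside %d-%d" % (info["type"], info["bits"], low, high)
    return True, "%s %d-bit key accepted" % (info["type"], info["bits"])


# Constructed sample keys: placeholder integers of the right size, not real key material.
RSA_2048_N = (1 << 2047) | 0x10001
RSA_512_N = (1 << 511) | 0x10001
DSA_1024_P = (1 << 1023) | 0x3
SAMPLE_RSA = make_pubkey_line("ssh-rsa", _ssh_mpint(65537) + _ssh_mpint(RSA_2048_N), "admin@laptop")
SAMPLE_RSA_SMALL = make_pubkey_line("ssh-rsa", _ssh_mpint(65537) + _ssh_mpint(RSA_512_N), "weak")
SAMPLE_DSA = make_pubkey_line("ssh-dss", _ssh_mpint(DSA_1024_P) + _ssh_mpint(1) + _ssh_mpint(2) + _ssh_mpint(3),
                              "dsa-key-20130415")
SAMPLE_ED25519 = make_pubkey_line("ssh-ed25519", _ssh_string(bytes(32)), "unsupported")

if __name__ == "__main__":
    for sample in (SAMPLE_RSA, SAMPLE_RSA_SMALL, SAMPLE_DSA, SAMPLE_ED25519):
        print(check_pubkey(sample))
```

To check a real key, pass the contents of the administrator's `.pub` file to `check_pubkey`. The size is read from the modulus itself rather than from the file name or comment, which is what matters when a key generated with a different tool is renamed before import.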
Configure RADIUS Vendor-Specific Attributes for Administrator Authentication

The following procedure provides an overview of the tasks required to use RADIUS Vendor-Specific
Attributes (VSAs) for administrator authentication to Palo Alto Networks firewalls. For detailed instructions,
refer to the following Knowledge Base articles:

- For Windows 2003 Server, Windows 2008 (and later), and Cisco ACS 4.0: RADIUS Vendor-Specific
  Attributes (VSAs)
- For Cisco ACS 5.2: Configuring Cisco ACS 5.2 for use with Palo Alto VSA

Before starting this procedure, you must:

- Create the administrative accounts in the directory service that your network uses (for example, Active
  Directory).
- Set up a RADIUS server that can communicate with that directory service.

Use RADIUS Vendor-Specific Attributes for Account Authentication

Step 1  Configure the firewall.
        1. Configure an Admin Role Profile if the administrator will use a custom role.
        2. Configure an access domain if the firewall has more than one virtual system (vsys):
           a. Select Device > Access Domain, Add an access domain, and enter a Name to identify the
              access domain.
           b. Add each vsys that the administrator will access, and then click OK.
        3. Configure a RADIUS Server Profile.
        4. Configure an authentication profile. Set the authentication Type to RADIUS and assign the
           RADIUS Server Profile.
        5. Configure the firewall to use the authentication profile for administrator access: Select
           Device > Setup > Management, edit the Authentication Settings, and select the Authentication
           Profile.
        6. Click OK and Commit.

Step 2  Configure the RADIUS server.
        1. Add the firewall IP address or hostname as the RADIUS client.
        2. Define the VSAs for administrator authentication. You must specify the vendor code (25461 for
           Palo Alto Networks firewalls) and the VSA name, number, and value: see RADIUS
           Vendor-Specific Attributes Support.
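Step 2 leaves the attribute layout to the RADIUS server documentation. The following added example (not from the PAN-OS guide or Palo Alto Networks) shows how a Vendor-Specific attribute with the Palo Alto Networks vendor code 25461 is laid out on the wire per RFC 2865 (Type 26, Length, Vendor-Id, then a Vendor-Type/Vendor-Length/Value sub-attribute), builds a constructed Access-Accept attribute list, and decodes it the way the firewall side has to: checking every length field and ignoring VSAs from other vendors. The vendor-type numbers 1 and 2 for the admin role and access domain are assumptions for illustration; take the real VSA names and numbers from the RADIUS Vendor-Specific Attributes Support reference. The user and role names are constructed.

```python
import struct

VENDOR_PALO_ALTO = 25461  # vendor code stated in the guide
VSA_TYPE = 26             # RFC 2865 Vendor-Specific attribute type
USER_NAME = 1             # RFC 2865 User-Name attribute type
# ASSUMED vendor-type numbers for this example only; use the real ones from the VSA reference.
PAN_ADMIN_ROLE = 1
PAN_ADMIN_ACCESS_DOMAIN = 2


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Standard attribute: Type, Length (including the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack(">BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute carrying one vendor sub-attribute."""
    if len(value) > 247:  # 253 minus 4 (Vendor-Id) minus 2 (sub-attribute header)
        raise ValueError("VSA value exceeds 247 bytes")
    sub = struct.pack(">BB", vendor_type, 2 + len(value)) + value
    return encode_attr(VSA_TYPE, struct.pack(">I", vendor_id) + sub)


def decode_attrs(data: bytes):
    """Walk an attribute list; a bad length raises instead of reading past the buffer."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        value = data[pos + 2:pos + length]
        if attr_type == VSA_TYPE:
            if len(value) < 6:
                raise ValueError("VSA too short for Vendor-Id and a sub-attribute")
            (vendor_id,) = struct.unpack(">I", value[:4])
            sub, spos = value[4:], 0
            while spos < len(sub):
                if spos + 2 > len(sub):
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                out.append(("vsa", vendor_id, vtype, sub[spos + 2:spos + vlen]))
                spos += vlen
        else:
            out.append(("attr", attr_type, value))
        pos += length
    return out


def pan_admin_attrs(data: bytes) -> dict:
    """Role and access domain granted to the administrator; other vendors' VSAs are ignored."""
    result = {"role": None, "access_domain": None}
    for item in decode_attrs(data):
        if item[0] != "vsa" or item[1] != VENDOR_PALO_ALTO:
            continue
        if item[2] == PAN_ADMIN_ROLE:
            result["role"] = item[3].decode()
        elif item[2] == PAN_ADMIN_ACCESS_DOMAIN:
            result["access_domain"] = item[3].decode()
    return result


# Constructed Access-Accept attribute list: User-Name, two Palo Alto VSAs, and a
# Cisco-style VSA (IANA enterprise number 9) that the firewall must not act on.
SAMPLE_ACCEPT = (
    encode_attr(USER_NAME, b"ops-admin")
    + encode_vsa(VENDOR_PALO_ALTO, PAN_ADMIN_ROLE, b"ops-readonly")
    + encode_vsa(VENDOR_PALO_ALTO, PAN_ADMIN_ACCESS_DOMAIN, b"vsys-dmz")
    + encode_vsa(9, 1, b"shell:priv-lvl=15")
)

if __name__ == "__main__":
    for item in decode_attrs(SAMPLE_ACCEPT):
        print(item)
    print(pan_admin_attrs(SAMPLE_ACCEPT))
```

The length checks in `decode_attrs` are the part worth copying: a RADIUS attribute list with a length byte pointing past the packet is a classic parser failure, and a decoder that trusts the byte will read whatever follows.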
Reference: Web Interface Administrator Access

You can configure privileges for an entire firewall or for one or more virtual systems (on platforms that
support multiple virtual systems). Within that Device or Virtual System designation, you can configure
privileges for custom administrator roles, which are more granular than the fixed privileges associated with
a dynamic administrator role.

Configuring privileges at a granular level ensures that lower-level administrators cannot access certain
information. You can create custom roles for firewall administrators (see Configure an Administrative
Account), Panorama administrators, or Device Group and Template administrators (refer to the Panorama
Administrator's Guide). You apply the admin role to a custom role-based administrator account where you
can assign one or more virtual systems. The following topics describe the privileges you can configure for
custom administrator roles.

- Web Interface Access Privileges
- Panorama Web Interface Access

Web Interface Access Privileges

If you want to prevent a role-based administrator from accessing specific tabs on the web interface, you can
disable the tab and the administrator will not even see it when logging in using the associated role-based
administrative account. For example, you could create an Admin Role Profile for your operations staff that
provides access to the Device and Network tabs only and a separate profile for your security administrators
that provides access to the Object, Policy, and Monitor tabs.

An admin role can apply at the Device level or Virtual System level; the choice is made in the Admin Role
Profile by clicking the Device or Virtual System radio button. If the Virtual System button is selected, the admin
assigned this profile is restricted to the virtual system(s) he or she is assigned to. Furthermore, only the Device
> Setup > Services > Virtual Systems tab is available to that admin, not the Global tab.

The following table describes the tab-level access privileges you can assign to the admin role profile at the
Device level. It also provides cross-references to additional tables that detail granular privileges within a tab.

You can also configure an Admin Role profile to:

- Define User Privacy Settings in the Administrator Role Profile
- Restrict Administrator Access to Commit Functions
- Restrict Administrator Access to Validate Functions
- Provide Granular Access to Global Settings
Access Level, Description, and available settings (Enable / Read Only / Disable):

Dashboard
    Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the
    tab and will not have access to any of the Dashboard widgets.
    Enable: Yes; Read Only: No; Disable: Yes

ACC
    Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab
    will not display in the web interface. Keep in mind that if you want to protect the privacy of your
    users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses
    option and/or the Show User Names In Logs And Reports option.
    Enable: Yes; Read Only: No; Disable: Yes

Monitor
    Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the
    Monitor tab and will not have access to any of the logs, packet captures, session information,
    reports or to App Scope. For more granular control over what monitoring information the
    administrator can see, leave the Monitor option enabled and then enable or disable specific nodes
    on the tab as described in Provide Granular Access to the Monitor Tab.
    Enable: Yes; Read Only: No; Disable: Yes

Policies
    Controls access to the Policies tab. If you disable this privilege, the administrator will not see the
    Policies tab and will not have access to any policy information. For more granular control over what
    policy information the administrator can see, for example to enable access to a specific type of
    policy or to enable read-only access to policy information, leave the Policies option enabled and
    then enable or disable specific nodes on the tab as described in Provide Granular Access to the
    Policy Tab.
    Enable: Yes; Read Only: No; Disable: Yes

Objects
    Controls access to the Objects tab. If you disable this privilege, the administrator will not see the
    Objects tab and will not have access to any objects, security profiles, log forwarding profiles,
    decryption profiles, or schedules. For more granular control over what objects the administrator can
    see, leave the Objects option enabled and then enable or disable specific nodes on the tab as
    described in Provide Granular Access to the Objects Tab.
    Enable: Yes; Read Only: No; Disable: Yes

Network
    Controls access to the Network tab. If you disable this privilege, the administrator will not see the
    Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec
    tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network
    profiles. For more granular control over what objects the administrator can see, leave the Network
    option enabled and then enable or disable specific nodes on the tab as described in Provide
    Granular Access to the Network Tab.
    Enable: Yes; Read Only: No; Disable: Yes

Device
    Controls access to the Device tab. If you disable this privilege, the administrator will not see the
    Device tab and will not have access to any firewall-wide configuration information, such as User-ID,
    high availability, server profile or certificate configuration information. For more granular control
    over what objects the administrator can see, leave the Device option enabled and then enable or
    disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
    You cannot enable access to the Admin Roles or Administrators nodes for a role-based
    administrator even if you enable full access to the Device tab.
    Enable: Yes; Read Only: No; Disable: Yes
Provide Granular Access to the Monitor Tab

In some cases you might want to enable the administrator to view some but not all areas of the Monitor tab.
For example, you might want to restrict operations administrators to the Config and System logs only,
because they do not contain sensitive user data. Although this section of the administrator role definition
specifies what areas of the Monitor tab the administrator can see, you can also couple privileges in this
section with privacy privileges, such as disabling the ability to see user names in logs and reports. One thing
to keep in mind, however, is that any system-generated reports will still show user names and IP addresses
even if you disable that functionality in the role. For this reason, if you do not want the administrator to see
any of the private user information, disable access to the specific reports as detailed in the following table.

The following table lists the Monitor tab access levels and the administrator roles for which they are available.

Device Group and Template roles can see log data only for the device groups that are within the
access domains assigned to those roles.

Access Level, Description, Administrator Role Availability, and available settings (Enable / Read Only / Disable):

Monitor
    Enables or disables access to the Monitor tab. If disabled, the administrator will not see this tab or
    any of the associated logs or reports.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Logs
    Enables or disables access to all log files. You can also leave this privilege enabled and then disable
    specific logs that you do not want the administrator to see. Keep in mind that if you want to protect
    the privacy of your users while still providing access to one or more of the logs, you can disable the
    Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Traffic
    Specifies whether the administrator can see the traffic logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Threat
    Specifies whether the administrator can see the threat logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

URL Filtering
    Specifies whether the administrator can see the URL filtering logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

WildFire Submissions
    Specifies whether the administrator can see the WildFire logs. These logs are only available if you
    have a WildFire subscription.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Data Filtering
    Specifies whether the administrator can see the data filtering logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

HIP Match
    Specifies whether the administrator can see the HIP Match logs. HIP Match logs are only available
    if you have a GlobalProtect portal license and gateway subscription.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Configuration
    Specifies whether the administrator can see the configuration logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: No
    Enable: Yes; Read Only: No; Disable: Yes

System
    Specifies whether the administrator can see the system logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: No
    Enable: Yes; Read Only: No; Disable: Yes

Alarms
    Specifies whether the administrator can see system-generated alarms.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Automated Correlation Engine
    Enables or disables access to the correlation objects and correlated event logs generated on the
    firewall.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Correlation Objects
    Specifies whether the administrator can view and enable/disable the correlation objects.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Correlated Events
    Specifies whether the administrator
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Packet Capture
    Specifies whether the administrator can see packet captures (pcaps) from the Monitor tab. Keep in
    mind that packet captures are raw flow data and as such may contain user IP addresses. Disabling
    the Show Full IP Addresses privileges will not obfuscate the IP address in the pcap and you should
    therefore disable the Packet Capture privilege if you are concerned about user privacy.
    Available to: Firewall: Yes; Panorama: No; Device Group/Template: No
    Enable: Yes; Read Only: Yes; Disable: Yes

App Scope
    Specifies whether the administrator can see the App Scope visibility and analysis tools. Enabling
    App Scope enables access to all of the App Scope charts.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Session Browser
    Specifies whether the administrator can browse and filter current running sessions on the firewall.
    Keep in mind that the session browser shows raw flow data and as such may contain user IP
    addresses. Disabling the Show Full IP Addresses privileges will not obfuscate the IP address in the
    session browser and you should therefore disable the Session Browser privilege if you are
    concerned about user privacy.
    Available to: Firewall: Yes; Panorama: No; Device Group/Template: No
    Enable: Yes; Read Only: No; Disable: Yes

Botnet
    Specifies whether the administrator can generate and view botnet analysis reports or view botnet
    reports in read-only mode. Disabling the Show Full IP Addresses privileges will not obfuscate the IP
    address in scheduled botnet reports and you should therefore disable the Botnet privilege if you
    are concerned about user privacy.
    Available to: Firewall: Yes; Panorama: No; Device Group/Template: No
    Enable: Yes; Read Only: Yes; Disable: Yes

PDF Reports
    Enables or disables access to all PDF reports. You can also leave this privilege enabled and then
    disable specific PDF reports that you do not want the administrator to see. Keep in mind that if you
    want to protect the privacy of your users while still providing access to one or more of the reports,
    you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs
    And Reports option.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Manage PDF Summary
    Specifies whether the administrator can view, add or delete PDF summary report definitions. With
    read-only access, the administrator can see PDF summary report definitions, but not add or delete
    them. If you disable this option, the administrator can neither view the report definitions nor
    add/delete them.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: Yes; Disable: Yes

PDF Summary Reports
    Specifies whether the administrator can see the generated PDF Summary reports in Monitor >
    Reports. If you disable this option, the PDF Summary Reports category will not display in the
    Reports node.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

User Activity Report
    Specifies whether the administrator can view, add or delete User Activity report definitions and
    download the reports. With read-only access, the administrator can see User Activity report
    definitions, but not add, delete, or download them. If you disable this option, the administrator
    cannot see this category of PDF report.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: Yes; Disable: Yes

SaaS Application Usage Report
    Specifies whether the administrator can view, add or delete a SaaS application usage report. With
    read-only access, the administrator can see the SaaS application usage report definitions, but
    cannot add or delete them. If you disable this option, the administrator can neither view the report
    definitions nor add or delete them.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: Yes; Disable: Yes

Report Groups
    Specifies whether the administrator can view, add or delete report group definitions. With read-only
    access, the administrator can see report group definitions, but not add or delete them. If you disable
    this option, the administrator cannot see this category of PDF report.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: Yes; Disable: Yes

Email Scheduler
    Specifies whether the administrator can schedule report groups for email. Because the generated
    reports that get emailed may contain sensitive user data that is not removed by disabling the
    Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports options
    and because they may also show log data to which the administrator does not have access, you
    should disable the Email Scheduler option if you have user privacy requirements.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: Yes; Disable: Yes

Manage Custom Reports
    Enables or disables access to all custom report functionality. You can also leave this privilege
    enabled and then disable specific custom report categories that you do not want the administrator
    to be able to access. Keep in mind that if you want to protect the privacy of your users while still
    providing access to one or more of the reports, you can disable the Privacy > Show Full IP
    Addresses option and/or the Show User Names In Logs And Reports option.
    Reports that are scheduled to run rather than run on demand will show IP address and user
    information. In this case, be sure to restrict access to the corresponding report areas. In addition,
    the custom report feature does not restrict the ability to generate reports that contain log data
    contained in logs that are excluded from the administrator role.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Application Statistics
    Specifies whether the administrator can create a custom report that includes data from the
    application statistics database.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Data Filtering Log
    Specifies whether the administrator can create a custom report that includes data from the Data
    Filtering logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Threat Log
    Specifies whether the administrator can create a custom report that includes data from the Threat
    logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Threat Summary
    Specifies whether the administrator can create a custom report that includes data from the Threat
    Summary database.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Traffic Log
    Specifies whether the administrator can create a custom report that includes data from the Traffic
    logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

Traffic Summary
    Specifies whether the administrator can create a custom report that includes data from the Traffic
    Summary database.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

URL Log
    Specifies whether the administrator can create a custom report that includes data from the URL
    Filtering logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

HIP Match
    Specifies whether the administrator can create a custom report that includes data from the HIP
    Match logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

WildFire Log
    Specifies whether the administrator can create a custom report that includes data from the
    WildFire logs.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

View Scheduled Custom Reports
    Specifies whether the administrator can view a custom report that has been scheduled to generate.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

View Predefined Application Reports
    Specifies whether the administrator can view Application Reports. Privacy privileges do not impact
    reports available on the Monitor > Reports node and you should therefore disable access to the
    reports if you have user privacy requirements.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

View Predefined Threat Reports
    Specifies whether the administrator can view Threat Reports. Privacy privileges do not impact
    reports available on the Monitor > Reports node and you should therefore disable access to the
    reports if you have user privacy requirements.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

View Predefined URL Filtering Reports
    Specifies whether the administrator can view URL Filtering Reports. Privacy privileges do not
    impact reports available on the Monitor > Reports node and you should therefore disable access to
    the reports if you have user privacy requirements.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes

View Predefined Traffic Reports
    Specifies whether the administrator can view Traffic Reports. Privacy privileges do not impact
    reports available on the Monitor > Reports node and you should therefore disable access to the
    reports if you have user privacy requirements.
    Available to: Firewall: Yes; Panorama: Yes; Device Group/Template: Yes
    Enable: Yes; Read Only: No; Disable: Yes
Provide Granular Access to the Policy Tab

If you enable the Policy option in the Admin Role profile, you can then enable, disable, or provide read-only
access to specific nodes within the tab as necessary for the role you are defining. By enabling access to a
specific policy type, you enable the ability to view, add, or delete policy rules. By enabling read-only access
to a specific policy, you enable the administrator to view the corresponding policy rulebase, but not add or
delete rules. Disabling access to a specific type of policy prevents the administrator from seeing the policy
rulebase.

Because policy that is based on specific users (by user name or IP address) must be explicitly defined, privacy
settings that disable the ability to see full IP addresses or user names do not apply to the Policy tab.
Therefore, you should only allow access to the Policy tab to administrators that are excluded from user
privacy restrictions.

Access Level, Description, and available settings (Enable / Read Only / Disable):

Security
    Enable this privilege to allow the administrator to view, add, and/or delete security rules. Set the
    privilege to read-only if you want the administrator to be able to see the rules, but not modify them.
    To prevent the administrator from seeing the security rulebase, disable this privilege.
    Enable: Yes; Read Only: Yes; Disable: Yes

NAT
    Enable this privilege to allow the administrator to view, add, and/or delete NAT rules. Set the
    privilege to read-only if you want the administrator to be able to see the rules, but not modify them.
    To prevent the administrator from seeing the NAT rulebase, disable this privilege.
    Enable: Yes; Read Only: Yes; Disable: Yes

QoS
    Enable this privilege to allow the administrator to view, add, and/or delete QoS rules. Set the
    privilege to read-only if you want the administrator to be able to see the rules, but not modify them.
    To prevent the administrator from seeing the QoS rulebase, disable this privilege.
    Enable: Yes; Read Only: Yes; Disable: Yes

Policy Based Forwarding
    Enable this privilege to allow the administrator to view, add, and/or delete Policy Based Forwarding
    (PBF) rules. Set the privilege to read-only if you want the administrator to be able to see the rules,
    but not modify them. To prevent the administrator from seeing the PBF rulebase, disable this
    privilege.
    Enable: Yes; Read Only: Yes; Disable: Yes

Decryption
    Enable this privilege to allow the administrator to view, add, and/or delete decryption rules. Set the
    privilege to read-only if you want the administrator to be able to see the rules, but not modify them.
    To prevent the administrator from seeing the decryption rulebase, disable this privilege.
    Enable: Yes; Read Only: Yes; Disable: Yes

Application Override
    Enable this privilege to allow the administrator to view, add, and/or delete application override
    policy rules. Set the privilege to read-only if you want the administrator to be able to see the rules,
    but not modify them. To prevent the administrator from seeing the application override rulebase,
    disable this privilege.
    Enable: Yes; Read Only: Yes; Disable: Yes

Captive Portal
    Enable this privilege to allow the administrator to view, add, and/or delete Captive Portal rules. Set
    the privilege to read-only if you want the administrator to be able to see the rules, but not modify
    them. To prevent the administrator from seeing the Captive Portal rulebase, disable this privilege.
    Enable: Yes; Read Only: Yes; Disable: Yes

DoS Protection
    Enable this privilege to allow the administrator to view, add, and/or delete DoS protection rules. Set
    the privilege to read-only if you want the administrator to be able to see the rules, but not modify
    them. To prevent the administrator from seeing the DoS protection rulebase, disable this privilege.
    Enable: Yes; Read Only: Yes; Disable: Yes
Provide Granular Access to the Objects Tab

An object is a container that groups specific policy filter values such as IP addresses, URLs, applications, or
services for simplified rule definition. For example, an address object might contain specific IP address
definitions for the web and application servers in your DMZ zone.

When deciding whether to allow access to the objects tab as a whole, determine whether the administrator
will have policy definition responsibilities. If not, the administrator probably does not need access to the tab.
If, however, the administrator will need to create policy, you can enable access to the tab and then provide
granular access privileges at the node level.

By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the
corresponding object type. Giving read-only access allows the administrator to view the already defined
objects, but not create or delete any. Disabling a node prevents the administrator from seeing the node in
the web interface.

Access Level, Description, and available settings (Enable / Read Only / Disable):

Addresses
    Specifies whether the administrator can view, add, or delete address objects for use in security policy.
    Enable: Yes; Read Only: Yes; Disable: Yes

Address Groups
    Specifies whether the administrator can view, add, or delete address group objects for use in
    security policy.
    Enable: Yes; Read Only: Yes; Disable: Yes

Regions
    Specifies whether the administrator can view, add, or delete regions objects for use in security,
    decryption, or DoS policy.
    Enable: Yes; Read Only: Yes; Disable: Yes

Applications
    Specifies whether the administrator can view, add, or delete application objects for use in policy.
    Enable: Yes; Read Only: Yes; Disable: Yes

Application Groups
    Specifies whether the administrator can view, add, or delete application group objects for use in
    policy.
    Enable: Yes; Read Only: Yes; Disable: Yes

Application Filters
    Specifies whether the administrator can view, add, or delete application filters for simplification of
    repeated searches.
    Enable: Yes; Read Only: Yes; Disable: Yes

Services
    Specifies whether the administrator can view, add, or delete service objects for use in creating
    policy rules that limit the port numbers an application can use.
    Enable: Yes; Read Only: Yes; Disable: Yes

Service Groups
    Specifies whether the administrator can view, add, or delete service group objects for use in
    security policy.
    Enable: Yes; Read Only: Yes; Disable: Yes

Tags
    Specifies whether the administrator can view, add, or delete tags that have been defined on the
    firewall.
    Enable: Yes; Read Only: Yes; Disable: Yes

GlobalProtect
    Specifies whether the administrator can view, add, or delete HIP objects and profiles. You can
    restrict access to both types of objects at the GlobalProtect level, or provide more granular control
    by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access.
    Enable: Yes; Read Only: No; Disable: Yes

HIP Objects
    Specifies whether the administrator can view, add, or delete HIP objects, which are used to define
    HIP profiles. HIP Objects also generate HIP Match logs.
    Enable: Yes; Read Only: Yes; Disable: Yes

HIP Profiles
    Specifies whether the administrator can view, add, or delete HIP Profiles for use in security policy
    and/or for generating HIP Match logs.
    Enable: Yes; Read Only: Yes; Disable: Yes

Dynamic Block Lists
    Specifies whether the administrator can view, add, or delete dynamic block lists for use in security
    policy.
    Enable: Yes; Read Only: Yes; Disable: Yes

Custom Objects
    Specifies whether the administrator can see the custom spyware and vulnerability signatures. You
    can restrict access to either enable or disable access to all custom signatures at this level, or provide
    more granular control by enabling the Custom Objects privilege and then restricting access to each
    type of signature.
    Enable: Yes; Read Only: No; Disable: Yes

Data Patterns
    Specifies whether the administrator can view, add, or delete custom data pattern signatures for use
    in creating custom Vulnerability Protection profiles.
    Enable: Yes; Read Only: Yes; Disable: Yes

Spyware
    Specifies whether the administrator can view, add, or delete custom spyware signatures for use in
    creating custom Vulnerability Protection profiles.
    Enable: Yes; Read Only: Yes; Disable: Yes

Vulnerability
    Specifies whether the administrator can view, add, or delete custom vulnerability signatures for use
    in creating custom Vulnerability Protection profiles.
    Enable: Yes; Read Only: Yes; Disable: Yes

URL Category
    Specifies whether the administrator can view, add, or delete custom URL categories for use in
    policy.
    Enable: Yes; Read Only: Yes; Disable: Yes

Security Profiles
    Specifies whether the administrator can see security profiles. You can restrict access to either
    enable or disable access to all security profiles at this level, or provide more granular control by
    enabling the Security Profiles privilege and then restricting access to each type of profile.
    Enable: Yes; Read Only: No; Disable: Yes

Antivirus
    Specifies whether the administrator can view, add, or delete antivirus profiles.
    Enable: Yes; Read Only: Yes; Disable: Yes

Anti-Spyware
    Specifies whether the administrator can view, add, or delete Anti-Spyware profiles.
    Enable: Yes; Read Only: Yes; Disable: Yes

Vulnerability Protection
    Specifies whether the administrator can view, add, or delete Vulnerability Protection profiles.
    Enable: Yes; Read Only: Yes; Disable: Yes
URLFiltering
Specifieswhethertheadministratorcanview,add,or Yes
deleteURLfilteringprofiles.
Yes
Yes
FileBlocking
Specifieswhethertheadministratorcanview,add,or Yes
deletefileblockingprofiles.
Yes
Yes
DataFiltering
Specifieswhethertheadministratorcanview,add,or Yes
deletedatafilteringprofiles.
Yes
Yes
DoSProtection
Specifieswhethertheadministratorcanview,add,or Yes
deleteDoSprotectionprofiles.
Yes
Yes
Yes
Yes
LogForwarding
Specifieswhethertheadministratorcanview,add,or Yes
deletelogforwardingprofiles.
Yes
Yes
DecryptionProfile
Specifieswhethertheadministratorcanview,add,or Yes
deletedecryptionprofiles.
Yes
Yes
Schedules
Specifieswhethertheadministratorcanview,add,or Yes
deleteschedulesforlimitingasecuritypolicytoa
specificdateand/ortimerange.
Yes
Yes
Provide Granular Access to the Network Tab

When deciding whether to allow access to the Network tab as a whole, determine whether the administrator will have network administration responsibilities, including GlobalProtect administration. If not, the administrator probably does not need access to the tab.
You can also define access to the Network tab at the node level. By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding network configurations. Giving read-only access allows the administrator to view the already defined configuration, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.

Access Level (Enable / Read Only / Disable): Description

Interfaces (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete interface configurations.
Zones (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete zones.
VLANs (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete VLANs.
Virtual Wires (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, or delete virtual wires.
Virtual Routers (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, modify, or delete virtual routers.
IPSec Tunnels (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, modify, or delete IPSec Tunnel configurations.
DHCP (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, modify, or delete DHCP server and DHCP relay configurations.
DNS Proxy (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, modify, or delete DNS proxy configurations.
GlobalProtect (Enable: Yes, Read Only: No, Disable: Yes)
    Specifies whether the administrator can view, add, or modify GlobalProtect portal and gateway configurations. You can disable access to the GlobalProtect functions entirely, or you can enable the GlobalProtect privilege and then restrict the role to either the portal or gateway configuration areas.
Portals (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect portal configurations.
Gateways (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect gateway configurations.
MDM (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, modify, or delete GlobalProtect MDM server configurations.
Device Block List (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, modify, or delete device block lists.
QoS (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, modify, or delete QoS configurations.
LLDP (Enable: Yes, Read Only: Yes, Disable: Yes)
    Specifies whether the administrator can view, add, modify, or delete LLDP configurations.
Network Profiles (Enable: Yes, Read Only: No, Disable: Yes)
    Sets the default state to enable or disable for all of the Network settings described below.
IKE Gateways (Enable: Yes, Read Only: Yes, Disable: Yes)
GlobalProtect IPSec Crypto (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Network Profiles > GlobalProtect IPSec Crypto node. If you disable this privilege, the administrator will not see that node, or configure algorithms for authentication and encryption in VPN tunnels between a GlobalProtect gateway and clients. If you set the privilege to read-only, the administrator can view existing GlobalProtect IPSec Crypto profiles but cannot add or edit them.
IPSec Crypto (Enable: Yes, Read Only: Yes, Disable: Yes)
IKE Crypto (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls how devices exchange information to ensure secure communication. Specify the protocols and algorithms for identification, authentication, and encryption in VPN tunnels based on IPsec SA negotiation (IKEv1 Phase 1).
Monitor (Enable: Yes, Read Only: Yes, Disable: Yes)
Interface Mgmt (Enable: Yes, Read Only: Yes, Disable: Yes)
Zone Protection (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Network Profiles > Zone Protection node. If you disable this privilege, the administrator will not see the Network Profiles > Zone Protection node or be able to configure a profile that determines how the firewall responds to attacks from specified security zones. If the privilege state is set to read-only, you can view the currently configured Zone Protection profile configuration but cannot add or edit a configuration.
QoS Profile (Enable: Yes, Read Only: Yes, Disable: Yes)
LLDP Profile (Enable: Yes, Read Only: Yes, Disable: Yes)
BFD Profile (Enable: Yes, Read Only: Yes, Disable: Yes)
Provide Granular Access to the Device Tab

Access Level (Enable / Read Only / Disable): Description

Setup (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to firewall-wide setup configuration information, such as Management, Operations, Service, Content-ID, WildFire or Session setup information. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Management (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Management node. If you disable this privilege, the administrator will not be able to configure settings such as the hostname, domain, time zone, authentication, logging and reporting, Panorama, management interface, banner, message, and password complexity settings, and more. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Operations (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Operations node. If you disable this privilege, the administrator will not be able to manage configuration files, or reboot or shut down the firewall, among other things.
Services (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Services node. If you disable this privilege, the administrator will not be able to configure services for DNS servers, an update server, proxy server, or NTP servers, or set up service routes. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Content-ID (Enable: Yes, Read Only: Yes, Disable: Yes)
WildFire (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the WildFire node. If you disable this privilege, the administrator will not be able to configure WildFire settings. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Session (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Session node. If you disable this privilege, the administrator will not be able to configure session settings or timeouts for TCP, UDP or ICMP, or configure decryption or VPN session settings. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
HSM (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the HSM node. If you disable this privilege, the administrator will not be able to configure a Hardware Security Module. If the privilege state is set to read-only, you can view the current configuration but cannot make any changes.
Config Audit (Enable: No, Read Only: Yes, Disable: Yes)
Admin Roles (Enable: No, Read Only: Yes, Disable: Yes)
    Controls access to the Admin Roles node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Admin Roles node or have access to any firewall-wide information concerning Admin Role profile configuration. If you set this privilege to read-only, you can view the configuration information for all administrator roles configured on the firewall.
Administrators (Enable: No, Read Only: Yes, Disable: Yes)
    Controls access to the Administrators node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own administrator account. If you set this privilege to read-only, the administrator can view the configuration information for their own administrator account. They will not see any information about other administrator accounts configured on the firewall.
Virtual Systems (Enable: Yes, Read Only: Yes, Disable: Yes)
Shared Gateways (Enable: Yes, Read Only: Yes, Disable: Yes)
User Identification (Enable: Yes, Read Only: Yes, Disable: Yes)
High Availability (Enable: Yes, Read Only: Yes, Disable: Yes)
Certificate Management (Enable: Yes, Read Only: No, Disable: Yes)
    Sets the default state to enable or disable for all of the Certificate settings described below.
Certificates (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities. If you set this privilege to read-only, the administrator can view Certificate configuration information for the firewall but is not allowed to perform any configuration procedures.
Certificate Profile (Enable: Yes, Read Only: Yes, Disable: Yes)
OCSP Responder (Enable: Yes, Read Only: Yes, Disable: Yes)
SCEP (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the SCEP node. If you disable this privilege, the administrator will not see the node or be able to define a profile that specifies Simple Certificate Enrollment Protocol (SCEP) settings for issuing unique device certificates. If you set this privilege to read-only, the administrator can view existing SCEP profiles but cannot create or edit them.
Response Pages (Enable: Yes, Read Only: Yes, Disable: Yes)
Log Settings (Enable: Yes, Read Only: No, Disable: Yes)
    Sets the default state to enable or disable for all of the Log settings described below.
System (Enable: Yes, Read Only: Yes, Disable: Yes)
Config (Enable: Yes, Read Only: Yes, Disable: Yes)
HIP Match (Enable: Yes, Read Only: Yes, Disable: Yes)
Alarms (Enable: Yes, Read Only: Yes, Disable: Yes)
Manage Logs (Enable: Yes, Read Only: Yes, Disable: Yes)
Server Profiles (Enable: Yes, Read Only: No, Disable: Yes)
    Sets the default state to enable or disable for all of the Server Profiles settings described below.
SNMP Trap (Enable: Yes, Read Only: Yes, Disable: Yes)
Syslog (Enable: Yes, Read Only: Yes, Disable: Yes)
Netflow (Enable: Yes, Read Only: Yes, Disable: Yes)
RADIUS (Enable: Yes, Read Only: Yes, Disable: Yes)
TACACS+ (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Server Profiles > TACACS+ node. If you disable this privilege, the administrator will not see the node or configure settings for the TACACS+ servers that authentication profiles reference. If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but cannot add or edit them.
LDAP (Enable: Yes, Read Only: Yes, Disable: Yes)
Kerberos (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Server Profiles > Kerberos node. If you disable this privilege, the administrator will not see the Server Profiles > Kerberos node or configure a Kerberos server that allows users to authenticate natively to a domain controller. If you set this privilege to read-only, the administrator can view the Server Profiles > Kerberos information but cannot configure settings for Kerberos servers.
Local User Database (Enable: Yes, Read Only: No, Disable: Yes)
    Sets the default state to enable or disable for all of the Local User Database settings described below.
Users (Enable: Yes, Read Only: Yes, Disable: Yes)
User Groups (Enable: Yes, Read Only: Yes, Disable: Yes)
Authentication Profile (Enable: Yes, Read Only: Yes, Disable: Yes)
Authentication Sequence (Enable: Yes, Read Only: Yes, Disable: Yes)
Access Domain (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Access Domain node. If you disable this privilege, the administrator will not see the Access Domain node or be able to create or edit an access domain. If you set this privilege to read-only, the administrator can view the Access Domain information but cannot create or edit an access domain.
Scheduled Log Export (Enable: No, Read Only: Yes, Disable: Yes)
Software (Enable: Yes, Read Only: Yes, Disable: Yes)
GlobalProtect Client (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the GlobalProtect Client node. If you disable this privilege, the administrator will not see the GlobalProtect Client node or view available GlobalProtect releases, download the code or activate the GlobalProtect agent. If you set this privilege to read-only, the administrator can view the available GlobalProtect Client releases but cannot download or install the agent software.
Dynamic Updates (Enable: Yes, Read Only: Yes, Disable: Yes)
Licenses (Enable: Yes, Read Only: Yes, Disable: Yes)
Support (Enable: Yes, Read Only: Yes, Disable: Yes)
    Controls access to the Support node. If you disable this privilege, the administrator will not see the Support node or be able to access product and security alerts from Palo Alto Networks or generate tech support or stats dump files. If you set this privilege to read-only, the administrator can view the Support node and access product and security alerts but cannot generate tech support or stats dump files.
Master Key and Diagnostics (Enable: Yes, Read Only: Yes, Disable: Yes)
Define User Privacy Settings in the Administrator Role Profile

Access Level (Enable / Read Only / Disable): Description

Privacy (Enable: Yes, Read Only: N/A, Disable: Yes)
    Sets the default state to enable or disable for all of the privacy settings described below.
Show User Names in Logs and Reports (Enable: Yes, Read Only: N/A, Disable: Yes)
    When disabled, user names obtained by traffic running through the Palo Alto Networks firewall are not shown in logs or reports. Columns where the user names would normally be displayed are empty.
    Scheduled reports that are displayed in the interface through Monitor > Reports or reports that are sent via the email scheduler will still display user names. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler.
View PCAP Files (Enable: Yes, Read Only: N/A, Disable: Yes)
    When disabled, packet capture files that are normally available within the Traffic, Threat and Data Filtering logs are not displayed.
Restrict Administrator Access to Commit Functions

Access Level (Enable / Read Only / Disable): Description

Commit (Enable: Yes, Read Only: N/A, Disable: Yes)
    When disabled, an administrator cannot commit any changes to a configuration.

Restrict Administrator Access to Validate Functions

Access Level (Enable / Read Only / Disable): Description

Validate (Enable: Yes, Read Only: N/A, Disable: Yes)
    When disabled, an administrator cannot validate a configuration.
Provide Granular Access to Global Settings

Access Level (Enable / Read Only / Disable): Description

Global (Enable: Yes, Read Only: N/A, Disable: Yes)
    Sets the default state to enable or disable for all of the global settings described below. In effect, this setting is only for System Alarms at this time.
System Alarms (Enable: Yes, Read Only: N/A, Disable: Yes)
    When disabled, an administrator cannot view or acknowledge alarms that are generated.
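The tables above state three kinds of constraints on a custom admin role profile: some nodes can only be set to read-only or disabled (the rows marked Enable: No), some nodes only toggle a subtree or a single function on or off (the rows marked Read Only: No or N/A), and a disabled parent node hides everything beneath it. The privacy row also explains why hiding user names is not enough on its own. The following Python script is an added example, not code from this guide or from Palo Alto Networks: it encodes those constraints as an audit over a constructed role profile. The "Tab > Node > Subnode" path strings and the dict representation are this example's own, not the PAN-OS configuration schema, and a node that is absent from the profile is treated as enabled, which is an assumption of the example.

```python
"""Audit a custom admin role profile against the privilege rules in this reference.

Constructed example, not Palo Alto Networks code. The profile is a plain dict
mapping "Tab > Node > Subnode" paths to a state string; the real role profile
lives in the firewall configuration and its schema is not assumed here.
"""

STATES = {"enable", "read-only", "disable"}

# Rows the reference marks "Enable: No": only read-only or disable is allowed.
READ_ONLY_AT_MOST = {
    "Device > Config Audit",
    "Device > Admin Roles",
    "Device > Administrators",
    "Device > Scheduled Log Export",
    "Panorama > Administrators",
    "Panorama > Admin Roles",
}

# Rows marked "Read Only: No" or "N/A": they set the default for a subtree
# or switch a single function on or off, so read-only is not a valid state.
NO_READ_ONLY = {
    "Objects > GlobalProtect",
    "Objects > Custom Objects",
    "Objects > Security Profiles",
    "Network > GlobalProtect",
    "Network > Network Profiles",
    "Device > Certificate Management",
    "Device > Log Settings",
    "Device > Server Profiles",
    "Device > Local User Database",
    "Privacy",
    "Privacy > Show User Names in Logs and Reports",
    "Privacy > View PCAP Files",
    "Commit",
    "Validate",
    "Global",
    "Global > System Alarms",
    "Panorama > Config Audit",
    "Panorama > Certificate Management",
    "Panorama > Log Settings",
    "Panorama > Server Profiles",
}

# Report settings the reference recommends disabling whenever user names are
# hidden, because scheduled and e-mailed reports still show them.
USER_NAME_LEAKS = [
    "Monitor > Custom Reports", "Monitor > Application Reports",
    "Monitor > Threat Reports", "Monitor > URL Filtering Reports",
    "Monitor > Traffic Reports", "Monitor > Email Scheduler",
]


def effective_state(profile, node):
    """Resolve a node's state: a disabled ancestor hides the whole subtree.

    A node missing from the profile is treated as enabled (example assumption).
    """
    parts = node.split(" > ")
    for depth in range(1, len(parts)):
        if profile.get(" > ".join(parts[:depth])) == "disable":
            return "disable"
    return profile.get(node, "enable")


def audit_role(profile):
    """Return a list of findings; an empty list means the profile is consistent."""
    findings = []
    for node, state in profile.items():
        if state not in STATES:
            findings.append(f"{node}: unknown state {state!r}")
            continue
        if node in READ_ONLY_AT_MOST and state == "enable":
            findings.append(f"{node}: Enable is not available, use read-only or disable")
        if node in NO_READ_ONLY and state == "read-only":
            findings.append(f"{node}: Read Only is not available, use enable or disable")
    # Hidden user names still surface in scheduled and e-mailed reports.
    if effective_state(profile, "Privacy > Show User Names in Logs and Reports") == "disable":
        for node in USER_NAME_LEAKS:
            if effective_state(profile, node) != "disable":
                findings.append(f"{node}: should be disabled, scheduled reports still show user names")
    return findings


# Constructed sample: a log-review role with three mistakes a reviewer should catch.
LOG_REVIEWER = {
    "Device": "enable",
    "Device > Admin Roles": "enable",                 # only read-only or disable is valid
    "Device > Server Profiles": "read-only",          # parent node only toggles the subtree
    "Device > Server Profiles > Syslog": "enable",
    "Privacy > Show User Names in Logs and Reports": "disable",
    "Monitor": "enable",
    "Monitor > Custom Reports": "enable",             # still exposes user names
    "Monitor > Application Reports": "disable",
    "Monitor > Threat Reports": "disable",
    "Monitor > URL Filtering Reports": "disable",
    "Monitor > Traffic Reports": "disable",
    "Monitor > Email Scheduler": "disable",
    "Commit": "disable",
}

if __name__ == "__main__":
    for finding in audit_role(LOG_REVIEWER):
        print(finding)
```

Run as a script, it prints the three findings for the sample role. Extending the rule sets is the point of the design: the two constraint sets are copied straight from the Enable and Read Only columns of the tables, so a reviewer can keep them in step with the reference without touching the audit logic.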
Provide Granular Access to the Panorama Tab

The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which they are available. Firewall administrators cannot access any of these privileges.

Access Level (Enable / Read Only / Disable; Administrator Role Availability for Panorama and Device Group/Template roles): Description

Setup (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can view or edit Panorama setup information, such as Management, Operations, Services, WildFire, or HSM.
    If you set the privilege to read-only, the administrator can see the information but cannot edit it. If you disable this privilege, the administrator cannot see or edit the information.
Config Audit (Enable: Yes, Read Only: No, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can run Panorama configuration audits. If you disable this privilege, the administrator can't run Panorama configuration audits.
Administrators (Enable: No, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can view Panorama administrator account details.
    You can't enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete Panorama administrators.) With read-only access, the administrator can see information about his or her own account but no other Panorama administrator accounts.
    If you disable this privilege, the administrator can't see information about any Panorama administrator account, including his or her own.
Admin Roles (Enable: No, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can view Panorama administrator roles.
    You can't enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete custom Panorama roles.) With read-only access, the administrator can see Panorama administrator role configurations but can't manage them.
    If you disable this privilege, the administrator can't see or manage Panorama administrator roles.
Access Domain (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can view, add, edit, delete, or clone access domain configurations for Panorama administrators. (This privilege controls access only to the configuration of access domains, not access to the device groups, templates, and firewall contexts that are assigned to access domains.)
    If you set this privilege to read-only, the administrator can view Panorama access domain configurations but can't manage them.
    If you disable this privilege, the administrator can't see or manage Panorama access domain configurations.
    You assign access domains to Device Group and Template administrators so they can access the configuration and monitoring data within the device groups, templates, and firewall contexts that are assigned to those access domains.
Authentication Profile (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can view, add, edit, delete, or clone authentication profiles for Panorama administrators.
    If you set this privilege to read-only, the administrator can view Panorama authentication profiles but can't manage them.
    If you disable this privilege, the administrator can't see or manage Panorama authentication profiles.
Authentication Sequence (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can view, add, edit, delete, or clone authentication sequences for Panorama administrators.
    If you set this privilege to read-only, the administrator can view Panorama authentication sequences but can't manage them.
    If you disable this privilege, the administrator can't see or manage Panorama authentication sequences.
Managed Devices (Enable: Yes (No for Device Group and Template roles), Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: Yes)
    Specifies whether the administrator can view, add, edit, tag, or delete firewalls as managed devices, and install software or content updates on them.
    If you set this privilege to read-only, the administrator can see managed firewalls but can't add, delete, tag, or install updates on them.
    If you disable this privilege, the administrator can't view, add, edit, tag, delete, or install updates on managed firewalls.
    This privilege applies only to the Panorama > Managed Devices page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed firewalls.
Templates (Enable: Yes (No for Device Group and Template admins), Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: Yes)
    Specifies whether the administrator can view, edit, add, or delete templates and template stacks.
    If you set the privilege to read-only, the administrator can see template and stack configurations but can't manage them.
    If you disable this privilege, the administrator can't see or manage template and stack configurations.
    Device Group and Template administrators can see only the templates and stacks that are within the access domains assigned to those administrators.
Device Groups (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: Yes)
    Specifies whether the administrator can view, edit, add, or delete device groups.
    If you set this privilege to read-only, the administrator can see device group configurations but can't manage them.
    If you disable this privilege, the administrator can't see or manage device group configurations.
    Device Group and Template administrators can access only the device groups that are within the access domains assigned to those administrators.
Managed Collectors (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can view, edit, add, or delete managed collectors.
    If you set this privilege to read-only, the administrator can see managed collector configurations but can't manage them.
    If you disable this privilege, the administrator can't view, edit, add, or delete managed collector configurations.
    This privilege applies only to the Panorama > Managed Collectors page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed collectors.
Collector Groups (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can view, edit, add, or delete Collector Groups.
    If you set this privilege to read-only, the administrator can see Collector Groups but can't manage them.
    If you disable this privilege, the administrator can't see or manage Collector Groups.
Certificate Management (Enable: Yes, Read Only: No, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Sets the default state, enabled or disabled, for all of the Panorama certificate management privileges.
Certificates (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can view, edit, generate, delete, revoke, renew, or export certificates. This privilege also specifies whether the administrator can import or export HA keys.
    If you set this privilege to read-only, the administrator can see Panorama certificates but can't manage the certificates or HA keys.
    If you disable this privilege, the administrator can't see or manage Panorama certificates or HA keys.
Certificate Profile (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can view, add, edit, delete or clone Panorama certificate profiles.
    If you set this privilege to read-only, the administrator can see Panorama certificate profiles but can't manage them.
    If you disable this privilege, the administrator can't see or manage Panorama certificate profiles.
Log Settings (Enable: Yes, Read Only: No, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Sets the default state, enabled or disabled, for all the log setting privileges.
System (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can see and configure the settings that control the forwarding of System logs to external services (syslog, email, or SNMP trap servers).
    If you set this privilege to read-only, the administrator can see the System log forwarding settings but can't manage them.
    If you disable this privilege, the administrator can't see or manage the settings.
    On a Panorama M-Series appliance, this privilege pertains only to System logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to System logs that Panorama generates and to System logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of System logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of System logs directly from firewalls to external services (without aggregation on Panorama).
Config (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can see and configure the settings that control the forwarding of Config logs to external services (syslog, email, or SNMP trap servers).
    If you set this privilege to read-only, the administrator can see the Config log forwarding settings but can't manage them.
    If you disable this privilege, the administrator can't see or manage the settings.
    On a Panorama M-Series appliance, this privilege pertains only to Config logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to Config logs that Panorama generates and to Config logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of Config logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of Config logs directly from firewalls to external services (without aggregation on Panorama).
HIP Match (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can see and configure the settings that control the forwarding of HIP Match logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers).
    If you set this privilege to read-only, the administrator can see the forwarding settings of HIP Match logs but can't manage them.
    If you disable this privilege, the administrator can't see or manage the settings.
    The Panorama > Collector Groups page controls the forwarding of HIP Match logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of HIP Match logs directly from firewalls to external services (without aggregation on Panorama).
Correlation (Enable: Yes, Read Only: Yes, Disable: Yes; Panorama: Yes, Device Group/Template: No)
    Specifies whether the administrator can see and configure the settings that control the forwarding of Correlation logs to external services (syslog, email, or SNMP trap servers).
    If you set this privilege to read-only, the administrator can see the Correlation log forwarding settings but can't manage them.
    If you disable this privilege, the administrator can't see or manage the settings.
    The Panorama > Collector Groups page controls the forwarding of Correlation logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of Correlation logs directly from firewalls to external services (without aggregation on Panorama).
FirewallAdministration
AccessLevel
Description
Traffic
Threat
Reference:WebInterfaceAdministratorAccess
Enable
Read Disable
Only
Specifieswhethertheadministratorcan Panorama:Yes
seeandconfigurethesettingsthat
DeviceGroup/Template:No
controltheforwardingofTrafficlogs
fromaPanoramavirtualapplianceto
externalservices(syslog,email,or
SNMPtrapservers).
Ifyousetthisprivilegetoreadonly,the
administratorcanseetheforwarding
settingsofTrafficlogsbutcantmanage
them.
Ifyoudisablethisprivilege,the
administratorcantseeormanagethe
settings.
ThePanorama > Collector
Groups pagecontrolsthe
forwardingofTrafficlogsfroma
PanoramaMSeriesappliance.
TheObjects > Log Forwarding
pagecontrolstheforwardingof
Trafficlogsdirectlyfrom
firewallstoexternalservices
(withoutaggregationon
Panorama).
Yes
Yes
Yes
Specifieswhethertheadministratorcan Panorama:Yes
seeandconfigurethesettingsthat
DeviceGroup/Template:No
controltheforwardingofThreatlogs
fromaPanoramavirtualapplianceto
externalservices(syslog,email,or
SNMPtrapservers).
Ifyousetthisprivilegetoreadonly,the
administratorcanseetheforwarding
settingsofThreatlogsbutcantmanage
them.
Ifyoudisablethisprivilege,the
administratorcantseeormanagethe
settings.
ThePanorama > Collector
Groups pagecontrolsthe
forwardingofThreatlogsfroma
PanoramaMSeriesappliance.
TheObjects > Log Forwarding
pagecontrolstheforwardingof
Threatlogsdirectlyfrom
firewallstoexternalservices
(withoutaggregationon
Panorama).
Yes
Yes
Yes
PaloAltoNetworks,Inc.
AdministratorRole
Availability
PANOS7.1AdministratorsGuide 113
Reference:WebInterfaceAdministratorAccess
AccessLevel
Description
Wildfire
FirewallAdministration
Enable
Read Disable
Only
Specifieswhethertheadministratorcan Panorama:Yes
seeandconfigurethesettingsthat
DeviceGroup/Template:No
controltheforwardingofWildFirelogs
fromaPanoramavirtualapplianceto
externalservices(syslog,email,or
SNMPtrapservers).
Ifyousetthisprivilegetoreadonly,the
administratorcanseetheforwarding
settingsofWildFirelogsbutcant
managethem.
Ifyoudisablethisprivilege,the
administratorcantseeormanagethe
settings.
ThePanorama > Collector
Groups pagecontrolsthe
forwardingofWildFirelogs
fromaPanoramaMSeries
appliance.TheObjects > Log
Forwardingpagecontrolsthe
forwardingofWildFirelogs
directlyfromfirewallsto
externalservices(without
aggregationonPanorama).
Yes
Yes
Yes
ServerProfiles
Setsthedefaultstate,enabledor
Panorama:Yes
disabled,foralltheserverprofile
DeviceGroup/Template:No
privileges.
Theseprivilegespertainonlyto
theserverprofilesthatareused
forforwardinglogsthat
Panoramageneratesorcollects
fromfirewallsandtheserver
profilesthatareusedfor
authenticatingPanorama
administrators.TheDevice >
Server Profilespagescontrol
theserverprofilesthatareused
forforwardinglogsdirectlyfrom
firewallstoexternalservices
(withoutaggregationon
Panorama)andfor
authenticatingfirewall
administrators.
Yes
No
Yes
SNMPTrap
Specifieswhethertheadministratorcan Panorama:Yes
seeandconfigureSNMPtrapserver
DeviceGroup/Template:No
profiles.
Ifyousetthisprivilegetoreadonly,the
administratorcanseeSNMPtrapserver
profilesbutcantmanagethem.
Ifyoudisablethisprivilege,the
administratorcantseeormanage
SNMPtrapserverprofiles.
Yes
Yes
Yes
114 PANOS7.1AdministratorsGuide
AdministratorRole
Availability
PaloAltoNetworks,Inc.
FirewallAdministration
AccessLevel
Description
Syslog
Reference:WebInterfaceAdministratorAccess
Enable
Read Disable
Only
Specifieswhethertheadministratorcan Panorama:Yes
seeandconfigureSyslogserverprofiles. DeviceGroup/Template:No
Ifyousetthisprivilegetoreadonly,the
administratorcanseeSyslogserver
profilesbutcantmanagethem.
Ifyoudisablethisprivilege,the
administratorcantseeormanage
Syslogserverprofiles.
Yes
Yes
Yes
Access Level: Email
Description: Specifies whether the administrator can see and configure email server profiles.
If you set this privilege to read-only, the administrator can see email server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage email server profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: RADIUS
Description: Specifies whether the administrator can see and configure the RADIUS server profiles that are used to authenticate Panorama administrators.
If you set this privilege to read-only, the administrator can see the RADIUS server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage the RADIUS server profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: TACACS+
Description: Specifies whether the administrator can see and configure the TACACS+ server profiles that are used to authenticate Panorama administrators.
If you disable this privilege, the administrator can't see the node or configure settings for the TACACS+ servers that authentication profiles reference.
If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but can't add or edit them.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes
Access Level: LDAP
Description: Specifies whether the administrator can see and configure the LDAP server profiles that are used to authenticate Panorama administrators.
If you set this privilege to read-only, the administrator can see the LDAP server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage the LDAP server profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Kerberos
Description: Specifies whether the administrator can see and configure the Kerberos server profiles that are used to authenticate Panorama administrators.
If you set this privilege to read-only, the administrator can see the Kerberos server profiles but can't manage them.
If you disable this privilege, the administrator can't see or manage the Kerberos server profiles.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Scheduled Config Export
Description: Specifies whether the administrator can view, add, edit, delete, or clone scheduled Panorama configuration exports.
If you set this privilege to read-only, the administrator can view the scheduled exports but can't manage them.
If you disable this privilege, the administrator can't see or manage the scheduled exports.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: No | Disable: Yes
Access Level: Software
Description: Specifies whether the administrator can: view information about Panorama software updates; download, upload, or install the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can view information about Panorama software updates and view the associated release notes but can't perform any related operations.
If you disable this privilege, the administrator can't see Panorama software updates, see the associated release notes, or perform any related operations.
Note: This privilege pertains only to software installed on a Panorama management server. The Panorama > Device Deployment > Software page controls access to PAN-OS software deployed on firewalls and Panorama software deployed on Dedicated Log Collectors.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Dynamic Updates
Description: Specifies whether the administrator can: view information about Panorama content updates (for example, WildFire updates); download, upload, install, or revert the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can view information about Panorama content updates and view the associated release notes but can't perform any related operations.
If you disable this privilege, the administrator can't see Panorama content updates, see the associated release notes, or perform any related operations.
Note: This privilege pertains only to content updates installed on a Panorama management server. The Panorama > Device Deployment > Dynamic Updates page controls access to content updates deployed on firewalls and Dedicated Log Collectors.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes
Access Level: Support
Description: Specifies whether the administrator can: view Panorama support license information, product alerts, and security alerts; activate a support license, generate Tech Support files, and manage cases.
If you set this privilege to read-only, the administrator can view Panorama support information, product alerts, and security alerts, but can't activate a support license, generate Tech Support files, or manage cases.
If you disable this privilege, the administrator can't: see Panorama support information, product alerts, or security alerts; activate a support license, generate Tech Support files, or manage cases.
Administrator Role Availability: Panorama: Yes; Device Group/Template: No
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Device Deployment
Description: Sets the default state, enabled or disabled, for all the device deployment privileges.
Note: These privileges pertain only to software and content updates that Panorama administrators deploy on firewalls and Dedicated Log Collectors. The Panorama > Software and Panorama > Dynamic Updates pages control the software and content updates installed on a Panorama management server.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Software
Description: Specifies whether the administrator can: view information about the software updates installed on firewalls and Log Collectors; download, upload, or install the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can see information about the software updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors.
If you disable this privilege, the administrator can't see information about the software updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: Yes | Disable: Yes
Access Level: SSL VPN Client
Description: Specifies whether the administrator can: view information about SSL VPN client software updates on firewalls; download, upload, or activate the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can see information about SSL VPN client software updates and view the associated release notes but can't activate the updates on firewalls.
If you disable this privilege, the administrator can't see information about SSL VPN client software updates, see the associated release notes, or activate the updates on firewalls.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: GlobalProtect Client
Description: Specifies whether the administrator can: view information about GlobalProtect agent/app software updates on firewalls; download, upload, or activate the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can see information about GlobalProtect agent/app software updates and view the associated release notes but can't activate the updates on firewalls.
If you disable this privilege, the administrator can't see information about GlobalProtect agent/app software updates, see the associated release notes, or activate the updates on firewalls.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: Yes | Disable: Yes
Access Level: Dynamic Updates
Description: Specifies whether the administrator can: view information about the content updates (for example, Applications updates) installed on firewalls and Dedicated Log Collectors; download, upload, or install the updates; and view the associated release notes.
If you set this privilege to read-only, the administrator can see information about the content updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors.
If you disable this privilege, the administrator can't see information about the content updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: Yes | Disable: Yes

Access Level: Licenses
Description: Specifies whether the administrator can view, refresh, and activate firewall licenses.
If you set this privilege to read-only, the administrator can view firewall licenses but can't refresh or activate those licenses.
If you disable this privilege, the administrator can't view, refresh, or activate firewall licenses.
Administrator Role Availability: Panorama: Yes; Device Group/Template: Yes
Enable: Yes | Read Only: Yes | Disable: Yes
Panorama Web Interface Access

The custom Panorama administrator roles allow you to define access to the options on Panorama and the ability to only allow access to Device Groups and Templates (Policies, Objects, Network, Device tabs).

Access Level: Dashboard
Description: Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: ACC
Description: Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Monitor
Description: Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports, or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Policies
Description: Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Objects
Description: Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.
Enable: Yes | Read Only: No | Disable: Yes
Access Level: Network
Description: Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Device
Description: Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, High Availability, server profile, or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
Note: You can't enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Panorama
Description: Controls access to the Panorama tab. If you disable this privilege, the administrator will not see the Panorama tab and will not have access to any Panorama-wide configuration information, such as Managed Devices, Managed Collectors, or Collector Groups.
For more granular control over what objects the administrator can see, leave the Panorama option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Panorama Tab.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Privacy
Description: Controls access to the privacy settings described in Define User Privacy Settings in the Administrator Role Profile.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Validate
Description: When disabled, an administrator cannot validate a configuration.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Commit
Description: Sets the default state (enabled or disabled) for all the commit settings described below (Panorama, Device Groups, Templates, Force Template Values, Collector Groups).
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Commit > Panorama
Description: When disabled, an administrator cannot commit changes to the Panorama configuration.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Commit > Device Groups
Description: When disabled, an administrator cannot commit changes to device groups.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Commit > Templates
Description: When disabled, an administrator cannot commit changes to templates.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Commit > Collector Groups
Description: When disabled, an administrator cannot commit changes to Collector Groups.
Enable: Yes | Read Only: No | Disable: Yes

Access Level: Global
Description: Controls access to the global settings (system alarms) described in Provide Granular Access to Global Settings.
Enable: Yes | Read Only: No | Disable: Yes
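The two privilege tables above describe an inheritance model: Server Profiles, Device Deployment and Commit only set the default for their child privileges, a disabled tab or parent hides every node beneath it, some rows offer no read-only state, and a role-based administrator can never be granted the Admin Roles or Administrators nodes. The following added example (not Palo Alto Networks code) resolves the effective state of every privilege from an explicitly configured subset and then audits the result against a least-privilege baseline. The grouping of Licenses under Device Deployment, the example role and the baseline are assumptions made for the example.

```python
"""Model and audit a custom Panorama administrator role.

Added example; this is not Palo Alto Networks code. It implements the
semantics the two privilege tables above describe: a privilege is enabled,
read-only or disabled; Server Profiles, Device Deployment and Commit only set
the default for their child privileges; a disabled tab or parent hides every
node under it; and a role-based administrator can never be granted the Admin
Roles or Administrators nodes. The grouping of Licenses under Device
Deployment, the example role and the audit baseline are assumptions.
"""
from typing import Dict, List

ENABLE, READ_ONLY, DISABLE = "enable", "read-only", "disable"
LEVELS = {ENABLE, READ_ONLY, DISABLE}

# Parent privilege -> children whose default state it sets.
PARENTS: Dict[str, List[str]] = {
    "Server Profiles": ["SNMP Trap", "Syslog", "Email", "RADIUS",
                        "TACACS+", "LDAP", "Kerberos"],
    "Device Deployment": ["Software", "SSL VPN Client", "GlobalProtect Client",
                          "Dynamic Updates", "Licenses"],   # Licenses: assumed
    "Commit": ["Commit: Panorama", "Commit: Device Groups", "Commit: Templates",
               "Commit: Force Template Values", "Commit: Collector Groups"],
    "Device": ["Admin Roles", "Administrators"],
}
STANDALONE = ["Scheduled Config Export", "Support", "Dashboard", "ACC", "Monitor",
              "Policies", "Objects", "Network", "Panorama", "Privacy", "Validate",
              "Global"]
# Rows whose Read Only column reads "No" in the tables.
NO_READ_ONLY = {"Server Profiles", "Device Deployment", "Scheduled Config Export",
                "Dashboard", "ACC", "Monitor", "Policies", "Objects", "Network",
                "Device", "Panorama", "Privacy", "Validate", "Commit",
                "Commit: Panorama", "Commit: Device Groups", "Commit: Templates",
                "Commit: Collector Groups", "Global"}
# Nodes that cannot be enabled for a role-based administrator (Device row note).
NEVER_GRANTED = {"Admin Roles", "Administrators"}
CHILD_TO_PARENT = {c: p for p, cs in PARENTS.items() for c in cs}


def all_privileges() -> List[str]:
    names = list(PARENTS) + [c for cs in PARENTS.values() for c in cs] + STANDALONE
    return list(dict.fromkeys(names))


def effective_access(profile: Dict[str, str]) -> Dict[str, str]:
    """Resolve the state of every privilege from an explicitly configured subset."""
    for name, level in profile.items():
        if level not in LEVELS:
            raise ValueError(f"{name}: unknown level {level!r}")
        if level == READ_ONLY and name in NO_READ_ONLY:
            raise ValueError(f"{name}: read-only is not offered for this privilege")
    result: Dict[str, str] = {}
    for name in all_privileges():
        parent = CHILD_TO_PARENT.get(name)
        parent_state = profile.get(parent, DISABLE) if parent else None
        if name in NEVER_GRANTED:
            result[name] = DISABLE
        elif parent_state == DISABLE:
            result[name] = DISABLE       # a disabled parent hides its child nodes
        elif name in profile:
            result[name] = profile[name]
        elif parent_state is not None:
            result[name] = parent_state  # unset child takes the parent default
        else:
            result[name] = DISABLE       # anything not granted stays off
    return result


def audit_least_privilege(effective: Dict[str, str],
                          baseline: Dict[str, str]) -> List[str]:
    """List privileges granted beyond the baseline (name -> highest allowed level)."""
    findings = []
    for name, state in effective.items():
        if state == DISABLE:
            continue
        ceiling = baseline.get(name, DISABLE)
        if ceiling == DISABLE:
            findings.append(f"{name} is {state} but should be disabled")
        elif ceiling == READ_ONLY and state == ENABLE:
            findings.append(f"{name} is enabled but should be read-only")
    return findings


# Constructed role: a log reviewer who was also given the Device tab and the
# server-profile nodes, which the baseline below does not allow.
LOG_REVIEWER = {"Dashboard": ENABLE, "Monitor": ENABLE, "Commit": DISABLE,
                "Server Profiles": ENABLE, "Syslog": READ_ONLY, "Device": ENABLE}
LOG_REVIEWER_BASELINE = {"Dashboard": ENABLE, "Monitor": ENABLE, "Syslog": READ_ONLY}

if __name__ == "__main__":
    resolved = effective_access(LOG_REVIEWER)
    for finding in audit_least_privilege(resolved, LOG_REVIEWER_BASELINE):
        print(finding)
```

Running the block reports eight findings for the constructed role: Server Profiles and its six inherited children (SNMP Trap, Email, RADIUS, TACACS+, LDAP, Kerberos) plus the Device tab; Syslog passes because it was explicitly narrowed to read-only, and the Admin Roles and Administrators nodes stay disabled even though the Device tab is enabled.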
Reference: Port Number Usage

The following tables list the ports that firewalls and Panorama use to communicate with each other, or with other services on the network.

Ports Used for Management Functions
Ports Used for HA
Ports Used for Panorama
Ports Used for User-ID

Ports Used for Management Functions

22 (TCP)
    Used for communication from a client system to the firewall CLI interface.

80 (TCP)
    The port the firewall listens on for Online Certificate Status Protocol (OCSP) updates when acting as an OCSP responder.

123 (UDP)
    Port the firewall uses for NTP updates.

443 (TCP)
    Used for communication from a client system to the firewall web interface. This is also the port the firewall and User-ID agent listen on for VM Information source updates.
    For monitoring an AWS environment, this is the only port that is used.
    For monitoring a VMware vCenter/ESXi environment, the listening port defaults to 443, but it is configurable.

162 (UDP)
    Port the firewall, Panorama, or a Log Collector uses to Forward Traps to an SNMP Manager.
    Note: This port doesn't need to be open on the Palo Alto Networks firewall. You must configure the Simple Network Management Protocol (SNMP) manager to listen on this port. For details, refer to the documentation of your SNMP management software.

161 (UDP)
    Port the firewall listens on for polling requests (GET messages) from the SNMP manager.

514 (TCP), 514 (UDP), 6514 (SSL)
    Port that the firewall, Panorama, or a Log Collector uses to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.

2055 (UDP)
    Default port the firewall uses to send NetFlow records to a NetFlow collector if you Configure NetFlow Exports, but this is configurable.

5008 (TCP)
    Port the GlobalProtect Mobile Security Manager listens on for HIP requests from the GlobalProtect gateways.
    If you are using a third-party MDM system, you can configure the gateway to use a different port as required by the MDM vendor.

6080 (TCP), 6081 (TCP), 6082 (TCP)
    Ports used for Captive Portal: 6080 for NT LAN Manager (NTLM) authentication, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode.
Ports Used for HA

Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.

28769 (TCP), 28260 (TCP)
    Used for the HA1 control link for clear text communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.

28 (TCP)
    Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.

28770 (TCP)
    Listening port for HA1 backup links.

28771 (TCP)
    Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.

99 (IP), 29281 (UDP)
    Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
    The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
Ports Used for Panorama

22 (TCP)
    Used for communication from a client system to the Panorama CLI interface.

443 (TCP)
    Used for communication from a client system to the Panorama web interface.

3978 (TCP)
    Used for communication between Panorama and managed firewalls or managed collectors, as well as for communication among managed collectors in a Collector Group:
    - For communication between Panorama and firewalls, this is a bidirectional connection on which the firewalls forward logs to Panorama and Panorama pushes configuration changes to the firewalls. Context switching commands are sent over the same connection.
    - Log Collectors use this destination port to forward logs to Panorama.
    - For communication with the default Log Collector on an M-Series appliance in Panorama mode and with Dedicated Log Collectors (M-Series appliances in Log Collector mode).

28769 (TCP; 5.1 and later), 28260 (TCP; 5.0 and later), 49160 (TCP; 5.0 and earlier)
    Used for the HA connectivity and synchronization between Panorama HA peers using clear text communication. Communication can be initiated by either peer.

28 (TCP)
    Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.

28270 (TCP; 6.0 and later), 49190 (TCP; 5.1 and earlier)
    Used for communication among Log Collectors in a Collector Group for log distribution.

2049 (TCP)
    Used by the Panorama virtual appliance to write logs to the NFS datastore.
Ports Used for User-ID

User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address-to-username mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.

389 (TCP)
    Port the firewall uses to connect to an LDAP server (plaintext or Start Transport Layer Security (StartTLS)) to Map Users to Groups.

3268 (TCP)
    Port the firewall uses to connect to an Active Directory global catalog server (plaintext or StartTLS) to Map Users to Groups.

636 (TCP)
    Port the firewall uses for LDAP over SSL connections with an LDAP server to Map Users to Groups.

3269 (TCP)
    Port the firewall uses for LDAP over SSL connections with an Active Directory global catalog server to Map Users to Groups.

514 (TCP), 514 (UDP), 6514 (SSL)
    Port the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.

5007 (TCP)
    Port the firewall listens on for user mapping information from the User-ID or Terminal Services agent. The agent sends the IP address and username mapping along with a timestamp whenever it learns of a new or updated mapping. In addition, it connects to the firewall at regular intervals to refresh known mappings.

5006 (TCP)
    Port the User-ID agent listens on for PAN-OS XML API requests. The source for this communication is typically the system running a script that invokes the API.

88 (UDP/TCP)
    Port the User-ID agent uses to authenticate to a Kerberos server. The firewall tries UDP first and falls back to TCP.

1812 (UDP)
    Port the User-ID agent uses to authenticate to a RADIUS server.

49 (TCP)
    Port the User-ID agent uses to authenticate to a TACACS+ server.

135 (TCP)
    Port the User-ID agent uses to establish TCP-based WMI connections with the Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper then assigns the agent a randomly assigned port in the 49152-65535 port range. The agent uses this connection to make RPC queries for Exchange Server or AD server security logs and session tables. This is also the port used to access Terminal Services.
    The User-ID agent also uses this port to connect to client systems to perform Windows Management Instrumentation (WMI) probing.

139 (TCP)
    Port the User-ID agent uses to establish TCP-based NetBIOS connections to the AD server so that it can send RPC queries for security logs and session information.
    The User-ID agent also uses this port to connect to client systems for NetBIOS probing (supported on the Windows-based User-ID agent only).

445 (TCP)
    Port the User-ID agent uses to connect to the Active Directory (AD) using TCP-based SMB connections to the AD server for access to user logon information (print spooler and NetLogon).
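The port tables above are the reference a defender needs when deciding which connections to a firewall's management plane are expected and which deserve a look. The following added example (not Palo Alto Networks code) transcribes the inbound ports a firewall itself accepts from the Management, HA and User-ID tables, then classifies a constructed connection log against the roles a given firewall actually has, flagging ports that are not documented for those roles and noting when the clear-text HA1 ports are in use rather than the encrypted TCP 28 option. The log format, the sample lines and the role grouping are assumptions made for the example; the line format is not the PAN-OS traffic log format.

```python
"""Check logged inbound connections to a firewall against the documented ports.

Added example; this is not Palo Alto Networks code. The port-to-purpose
tables are transcribed from the "Ports Used for Management Functions",
"Ports Used for HA" and "Ports Used for User-ID" tables above and cover only
ports the firewall itself accepts. The log format and the sample lines are
constructed for the example and are not the PAN-OS traffic log format.
"""
import re
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, int]

FIREWALL_INBOUND: Dict[str, Dict[Key, str]] = {
    "management": {
        ("tcp", 22): "CLI access from a client system",
        ("tcp", 443): "web interface; VM Information source updates",
        ("tcp", 80): "OCSP responder",
        ("udp", 161): "SNMP GET polling from the SNMP manager",
    },
    "captive-portal": {
        ("tcp", 6080): "Captive Portal NTLM authentication",
        ("tcp", 6081): "Captive Portal transparent mode",
        ("tcp", 6082): "Captive Portal redirect mode",
    },
    "user-id": {
        ("tcp", 5007): "user mappings from the User-ID or Terminal Services agent",
        ("tcp", 514): "authentication syslog to the integrated User-ID agent",
        ("udp", 514): "authentication syslog to the integrated User-ID agent",
        ("tcp", 6514): "authentication syslog over SSL to the integrated User-ID agent",
    },
    "ha": {
        ("tcp", 28769): "HA1 control link, clear text",
        ("tcp", 28260): "HA1 control link, clear text",
        ("tcp", 28): "HA1 control link, encrypted (SSH over TCP)",
        ("tcp", 28770): "HA1 backup link",
        ("tcp", 28771): "heartbeat backup",
        ("udp", 29281): "HA2 data link over UDP",
        ("ip", 99): "HA2 data link over IP protocol 99",
    },
}
# The HA table lists TCP 28 as the encrypted HA1 option; these two are clear text.
CLEAR_TEXT_HA1 = {("tcp", 28769), ("tcp", 28260)}

# Constructed line format: "<timestamp> src=<ip> dst=<ip> proto=<proto> dport=<port>"
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def expected_ports(roles: Iterable[str]) -> Dict[Key, str]:
    """Union of the documented inbound ports for the given firewall roles."""
    expected: Dict[Key, str] = {}
    for role in roles:
        if role not in FIREWALL_INBOUND:
            raise ValueError(f"unknown role {role!r}")
        expected.update(FIREWALL_INBOUND[role])
    return expected


def classify_inbound(lines: Iterable[str], roles: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (line, verdict, detail) per line.

    verdict: "expected" (documented for an enabled role), "clear-text-ha1"
    (documented but unencrypted HA1), "unexpected" (not documented for the
    enabled roles, worth investigating) or "unparsed".
    """
    roles = list(roles)
    expected = expected_ports(roles)
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            results.append((line, "unparsed", ""))
            continue
        key = (m["proto"].lower(), int(m["dport"]))
        if key not in expected:
            results.append((line, "unexpected",
                            f"{key[0]}/{key[1]} is not documented for roles {roles}"))
        elif key in CLEAR_TEXT_HA1:
            results.append((line, "clear-text-ha1", expected[key]))
        else:
            results.append((line, "expected", expected[key]))
    return results


def verdict_counts(results: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count how many lines received each verdict."""
    counts: Dict[str, int] = {}
    for _, verdict, _ in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample: connections to a firewall MGT interface (192.0.2.10).
SAMPLE_LOG = [
    "2016-05-19T10:00:01Z src=192.0.2.50 dst=192.0.2.10 proto=tcp dport=443",
    "2016-05-19T10:00:02Z src=192.0.2.50 dst=192.0.2.10 proto=tcp dport=22",
    "2016-05-19T10:00:03Z src=192.0.2.11 dst=192.0.2.10 proto=tcp dport=28769",
    "2016-05-19T10:00:04Z src=192.0.2.50 dst=192.0.2.10 proto=tcp dport=3978",
    "2016-05-19T10:00:05Z src=192.0.2.50 dst=192.0.2.10 proto=udp dport=161",
]

if __name__ == "__main__":
    for line, verdict, detail in classify_inbound(SAMPLE_LOG, ["management", "ha"]):
        print(f"{verdict:15} {detail:55} {line}")
```

With the roles "management" and "ha" enabled, the sample yields three expected connections, one clear-text HA1 connection and one unexpected one: TCP 3978 is a Panorama listening port per the Panorama table, so a firewall receiving it on its management interface is not a documented flow and should be explained.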
Reset the Firewall to Factory Default Settings

Resetting the firewall to factory defaults will result in the loss of all configuration settings and logs.

Reset the Firewall to Factory Default Settings

Step 1: Set up a console connection to the firewall.
    1. Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1).
       If your computer does not have a 9-pin serial port, use a USB-to-serial port connector.
    2. Enter your login credentials.
    3. Enter the following CLI command:
           debug system maintenance-mode
       The firewall will reboot in the maintenance mode.

Step 2: Reset the system to factory default settings.
    1. When the firewall reboots, press Enter to continue to the maintenance mode menu.
    2. Select Factory Reset and press Enter.
    3. Select Factory Reset and press Enter again.
       The firewall will reboot without any configuration settings. The default username and password to log in to the firewall is admin/admin.
       To perform initial configuration on the firewall and to set up network connectivity, see Integrate the Firewall into Your Management Network.
Bootstrap the Firewall

Bootstrapping speeds up the process of configuring and licensing the firewall to make it operational on the network with or without Internet access. Bootstrapping allows you to choose whether to configure the firewall with a basic configuration file (init-cfg.txt) so that it can connect to Panorama and obtain the complete configuration or to fully configure the firewall with the basic configuration and the optional bootstrap.xml file.

USB Flash Drive Support
Sample init-cfg.txt Files
Prepare a USB Flash Drive for Bootstrapping a Firewall
Bootstrap a Firewall Using a USB Flash Drive

USB Flash Drive Support

The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the following:
- File Allocation Table 32 (FAT32)
- Third Extended File System (ext3)

The firewall can bootstrap from the following flash drives with USB 2.0 or USB 3.0 connectivity:

USB Flash Drives Supported
    Kingston
        Kingston SE9 8GB (2.0)
        Kingston SE9 16GB (3.0)
        Kingston SE9 32GB (3.0)
    SanDisk
        SanDisk Cruzer Fit CZ33 8GB (2.0)
        SanDisk Cruzer Fit CZ33 16GB (2.0)
        SanDisk Cruzer CZ36 16GB (2.0)
        SanDisk Cruzer CZ36 32GB (2.0)
        SanDisk Extreme CZ80 32GB (3.0)
    Silicon Power
        Silicon Power Jewel 32GB (3.0)
        Silicon Power Blaze 16GB (3.0)
    PNY
        PNY Attache 16GB (2.0)
        PNY Turbo 32GB (3.0)
Sample init-cfg.txt Files

An init-cfg.txt file is required for the bootstrap process; this file is a basic configuration file that you create using a text editor. You create this file in Step 5 in Prepare a USB Flash Drive for Bootstrapping a Firewall. The following sample init-cfg.txt files show the parameters that are supported in the file; the parameters that you must provide are the ones marked (Required) in the field table that follows.

Sample init-cfg.txt (Static IP Address)

    type=static
    ip-address=10.5.107.19
    default-gateway=10.5.107.1
    netmask=255.255.255.0
    ipv6-address=2001:400:f00::1/64
    ipv6-default-gateway=2001:400:f00::2
    hostname=Ca-FW-DC1
    panorama-server=10.5.107.20
    panorama-server-2=10.5.107.21
    tplname=FINANCE_TG4
    dgname=finance_dg
    dns-primary=10.5.6.6
    dns-secondary=10.5.6.7
    op-command-modes=multi-vsys,jumbo-frame
    dhcp-send-hostname=no
    dhcp-send-client-id=no
    dhcp-accept-server-hostname=no
    dhcp-accept-server-domain=no

Sample init-cfg.txt (DHCP Client)

    type=dhcp-client
    ip-address=
    default-gateway=
    netmask=
    ipv6-address=
    ipv6-default-gateway=
    hostname=Ca-FW-DC1
    panorama-server=10.5.107.20
    panorama-server-2=10.5.107.21
    tplname=FINANCE_TG4
    dgname=finance_dg
    dns-primary=10.5.6.6
    dns-secondary=10.5.6.7
    op-command-modes=multi-vsys,jumbo-frame
    dhcp-send-hostname=yes
    dhcp-send-client-id=yes
    dhcp-accept-server-hostname=yes
    dhcp-accept-server-domain=yes

The following table describes the fields in the init-cfg.txt file. The type is required; if the type is static, the IP address, default gateway and netmask are required, or the IPv6 address and IPv6 default gateway are required.
Fields in the init-cfg.txt File

type
    (Required) Type of management IP address: static or dhcp-client.

ip-address
    (Required for IPv4 static management address) IPv4 address. The firewall ignores this field if the type is dhcp-client.

default-gateway
    (Required for IPv4 static management address) IPv4 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.

netmask
    (Required for IPv4 static management address) IPv4 netmask. The firewall ignores this field if the type is dhcp-client.

ipv6-address
    (Required for IPv6 static management address) IPv6 address and /prefix length of the management interface. The firewall ignores this field if the type is dhcp-client.

ipv6-default-gateway
    (Required for IPv6 static management address) IPv6 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.

hostname
    (Optional) Hostname for the firewall.

panorama-server
    (Recommended) IPv4 or IPv6 address of the primary Panorama server.

panorama-server-2
    (Optional) IPv4 or IPv6 address of the secondary Panorama server.

tplname
    (Recommended) Panorama template name.

dgname
    (Recommended) Panorama device group name.

dns-primary
    (Optional) IPv4 or IPv6 address of the primary DNS server.

dns-secondary
    (Optional) IPv4 or IPv6 address of the secondary DNS server.

vm-auth-key
    (VM-Series firewalls only) Virtual machine authentication key.

op-command-modes
    (Optional) Enter multi-vsys, jumbo-frame, or both separated by a comma only. Enables multiple virtual systems and jumbo frames while bootstrapping.

dhcp-send-hostname
    (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server.

dhcp-send-client-id
    (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server.

dhcp-accept-server-hostname
    (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server.

dhcp-accept-server-domain
    (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server.
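A malformed init-cfg.txt is not caught until the firewall is already at the remote site, where the guide says the bootstrap silently fails and the firewall boots with the default configuration. The following added example (not Palo Alto Networks code) validates the file against the rules stated in the field table and in Step 5 of the USB procedure: type is required and is static or dhcp-client; a static type needs ip-address, default-gateway and netmask, or ipv6-address and ipv6-default-gateway; op-command-modes takes multi-vsys and/or jumbo-frame separated by a comma only; the dhcp-* fields take yes or no; and no spaces may surround a key or value. The check that the default gateway lies inside the management subnet is an extra sanity check of the example, not a rule from the guide; the sample files are constructed.

```python
"""Validate an init-cfg.txt bootstrap file before it goes onto a USB drive.

Added example; this is not Palo Alto Networks code. The checks implement the
rules stated in the field table above and in Step 5 of the USB procedure. The
gateway-inside-subnet check is an extra sanity check of this example, not a
rule from the guide. Sample files are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

KNOWN_FIELDS = {
    "type", "ip-address", "default-gateway", "netmask", "ipv6-address",
    "ipv6-default-gateway", "hostname", "panorama-server", "panorama-server-2",
    "tplname", "dgname", "dns-primary", "dns-secondary", "vm-auth-key",
    "op-command-modes", "dhcp-send-hostname", "dhcp-send-client-id",
    "dhcp-accept-server-hostname", "dhcp-accept-server-domain",
}
DHCP_FLAGS = {"dhcp-send-hostname", "dhcp-send-client-id",
              "dhcp-accept-server-hostname", "dhcp-accept-server-domain"}
OP_MODES = {"multi-vsys", "jumbo-frame"}
ADDRESS_FIELDS = ("panorama-server", "panorama-server-2", "dns-primary", "dns-secondary")


def parse_init_cfg(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split key=value lines; report whitespace, unknown and duplicate keys."""
    fields: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: expected key=value")
            continue
        key, value = line.split("=", 1)
        if key != key.strip() or value != value.strip():
            errors.append(f"line {lineno}: spaces around the key or value break parsing")
        key, value = key.strip(), value.strip()
        if key not in KNOWN_FIELDS:
            errors.append(f"line {lineno}: unknown field {key!r}")
        elif key in fields:
            errors.append(f"line {lineno}: duplicate field {key!r}")
        fields[key] = value
    return fields, errors


def _is_address(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_init_cfg(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    fields, errors = parse_init_cfg(text)
    kind = fields.get("type")
    if kind not in ("static", "dhcp-client"):
        errors.append("type is required and must be static or dhcp-client")
        return errors
    if kind == "static":
        v4 = {k: fields.get(k, "") for k in ("ip-address", "default-gateway", "netmask")}
        v6 = {k: fields.get(k, "") for k in ("ipv6-address", "ipv6-default-gateway")}
        if not (all(v4.values()) or all(v6.values())):
            errors.append("static type needs ip-address, default-gateway and netmask, "
                          "or ipv6-address and ipv6-default-gateway")
        if all(v4.values()):
            try:
                net = ipaddress.IPv4Network(f"{v4['ip-address']}/{v4['netmask']}", strict=False)
                if ipaddress.IPv4Address(v4["default-gateway"]) not in net:
                    errors.append("default-gateway is outside the management subnet")
            except ValueError as exc:
                errors.append(f"invalid IPv4 management settings: {exc}")
        if all(v6.values()):
            try:
                if "/" not in v6["ipv6-address"]:
                    errors.append("ipv6-address needs a /prefix length")
                ipaddress.IPv6Interface(v6["ipv6-address"])
                ipaddress.IPv6Address(v6["ipv6-default-gateway"])
            except ValueError as exc:
                errors.append(f"invalid IPv6 management settings: {exc}")
    else:
        for flag in sorted(DHCP_FLAGS):
            if flag in fields and fields[flag] not in ("yes", "no"):
                errors.append(f"{flag} must be yes or no")
    modes = fields.get("op-command-modes", "")
    if modes:
        if " " in modes:
            errors.append("op-command-modes: separate values with a comma only")
        for mode in modes.split(","):
            if mode.strip() not in OP_MODES:
                errors.append(f"op-command-modes: unsupported value {mode!r}")
    for name in ADDRESS_FIELDS:
        if fields.get(name) and not _is_address(fields[name]):
            errors.append(f"{name} is not a valid IPv4 or IPv6 address")
    return errors


# Constructed samples: one file that passes and one with three typical mistakes.
STATIC_SAMPLE = """type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
tplname=FINANCE_TG4
dgname=finance_dg
op-command-modes=multi-vsys,jumbo-frame
"""
BROKEN_SAMPLE = """type = static
ip-address=10.5.107.19
op-command-modes=multi-vsys, jumbo-frame
"""

if __name__ == "__main__":
    for name, sample in (("static", STATIC_SAMPLE), ("broken", BROKEN_SAMPLE)):
        print(name, validate_init_cfg(sample) or "OK")
```

The broken sample produces three findings: spaces around the type key, an incomplete static address set (no default gateway or netmask), and a space after the comma in op-command-modes. Running the validator on every S/N-prefixed file before building the bundle catches these on the bench rather than at the remote site.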
Prepare a USB Flash Drive for Bootstrapping a Firewall

You can use a USB flash drive to bootstrap a physical firewall. However, to do so you must upgrade to PAN-OS 7.1 and Reset the Firewall to Factory Default Settings. For security reasons, you can bootstrap a firewall only when it is in factory default state or has all private data deleted.

Prepare a USB Flash Drive for Bootstrapping a Firewall

Step 1: Obtain serial numbers (S/Ns) and auth codes for support subscriptions from your order fulfillment email.

Step 2: Register S/Ns of new firewalls on the Customer Support portal.
    1. Go to support.paloaltonetworks.com, log in, and select Assets > Register New Device > Register device using Serial Number or Authorization Code.
    2. Follow the steps to Register the Firewall.
    3. Click Submit.

Step 3: Activate authorization codes on the Customer Support portal, which creates license keys.
    1. Go to support.paloaltonetworks.com, log in, and select the Assets tab.
    2. For each S/N you just registered, click the Action link.
    3. Select Activate Auth-Code.
    4.

Step 4: Add the S/Ns in Panorama.
    Complete Step 1 in Add a Firewall as a Managed Device in the Panorama Administrator's Guide.

Step 5: Create the init-cfg.txt file.
    Create the init-cfg.txt file, a mandatory file that provides bootstrap parameters. The fields are described in Sample init-cfg.txt Files.
    Note: If the init-cfg.txt file is missing, the bootstrap process will fail and the firewall will boot up with the default configuration in the normal boot-up sequence.
    Note: There are no spaces between the key and value in each field; do not add spaces because they cause failures during parsing on the management server side.
    You can have multiple init-cfg.txt files, one each for different remote sites, by prepending the S/N to the filename. For example:
        0008C200105-init-cfg.txt
        0008C200107-init-cfg.txt
    If no prepended filename is present, the firewall uses the init-cfg.txt file and proceeds with bootstrapping.

Step 6: (Optional) Create the bootstrap.xml file.
    The optional bootstrap.xml file is a complete firewall configuration that you can export from an existing production firewall.
    1.
    2. Select the Name of the saved or the running configuration.
    3. Click OK.
    4. Rename the file as bootstrap.xml.
Prepare a USB Flash Drive for Bootstrapping a Firewall (Continued)

Step 7: Create and download the bootstrap bundle from the Customer Support portal.
    For a physical firewall, the bootstrap bundle requires only the /license and /config directories.
    Use one of the following methods to create and download the bootstrap bundle:
    - Use Method 1 to create a bootstrap bundle specific to a remote site (you have only one init-cfg.txt file).
    - Use Method 2 to create one bootstrap bundle for multiple sites.

    Method 1
    1. On your local system, go to support.paloaltonetworks.com and log in.
    2. Select Assets.
    3. Select the S/N of the firewall you want to bootstrap.
    4. Select Bootstrap Container.
    5. Click Select.
    6. Upload and Open the init-cfg.txt file you created in Step 5.
    7. (Optional) Select the bootstrap.xml file you created in Step 6 and Upload Files.
       Note: You must use a bootstrap.xml file from a firewall of the same model and PAN-OS version.
    8.

    Method 2
    Create a tar.gz file on your local system with two top-level directories: /license and /config. Include all licenses and all init-cfg.txt files with S/Ns prepended to the filenames as described in Step 5.
    The license key files you download from the Customer Support portal have the S/N in the license filename. PAN-OS checks the S/N in the filename against the firewall S/N while executing the bootstrap process.

Step 8: Import the tar.gz file (that you created in Step 7) to a PAN-OS 7.1 firewall using Secure Copy (SCP) or TFTP.
    Access the CLI and enter one of the following commands:
        tftp import bootstrap-bundle file <path and filename> from <host IP address>
    For example:
        tftp import bootstrap-bundle file /home/userx/bootstrap/devices/pa5000.tar.gz from 10.1.2.3

Step 9: Prepare the USB flash drive.
    1. Insert the USB flash drive into the firewall that you used in Step 8.
    2. Enter the following CLI operational command, using your tar.gz filename in place of pa5000.tar.gz. This command formats the USB flash drive, unzips the file, and validates the USB flash drive:
           request system bootstrap-usb prepare from pa5000.tar.gz
    3. Press y to continue. The following message displays when the USB drive is ready:
           USB prepare completed successfully.
    4. Remove the USB flash drive from the firewall.
    5. You can prepare as many USB flash drives as needed.
       If you used Method 2 to create the bootstrap bundle, you can use the same USB flash drive content for bootstrapping firewalls at multiple remote sites. You can translate the content into multiple USB flash drives or a single USB flash drive used multiple times.

Step 10: Deliver the USB flash drive to your remote site.
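Method 2 above packs the licenses and every site's init-cfg.txt into one tar.gz, and the firewall picks its own files by serial number: the S/N-prefixed init-cfg.txt if one exists, otherwise the plain init-cfg.txt, and license key files whose names carry its S/N. The following added example (not Palo Alto Networks code) builds such a bundle in memory and checks it for each firewall before the drive leaves the bench: only the /license and /config top-level directories, an init-cfg.txt that resolves for the serial, and at least one license file named for it. The in-memory bundle, its member names and their contents are constructed; the license file naming is an assumption beyond the guide's statement that the S/N is in the filename.

```python
"""Inspect a bootstrap bundle (tar.gz) the way Step 7 and Step 9 describe it.

Added example; this is not Palo Alto Networks code. It checks the layout the
procedure above requires: only the /license and /config top-level
directories, an init-cfg.txt selected per firewall serial number (the
S/N-prefixed file if present, otherwise init-cfg.txt), and license key files
whose names carry the serial number. The in-memory sample bundle, its file
names and their contents are constructed; the license file naming is an
assumption beyond "the S/N is in the filename".
"""
import io
import tarfile
from typing import Dict, List, Optional, Tuple


def build_bundle(files: Dict[str, bytes]) -> bytes:
    """Create a tar.gz in memory from {member name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def bundle_members(data: bytes) -> List[str]:
    """List the regular files inside a tar.gz bundle."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def select_init_cfg(members: List[str], serial: str) -> Optional[str]:
    """Pick the init-cfg.txt a firewall with this serial would use."""
    for candidate in (f"config/{serial}-init-cfg.txt", "config/init-cfg.txt"):
        if candidate in members:
            return candidate
    return None


def check_bundle(members: List[str], serial: str) -> Tuple[Optional[str], List[str]]:
    """Return (chosen init-cfg member, problems) for one firewall serial."""
    problems: List[str] = []
    top_level = {m.split("/", 1)[0] for m in members}
    for required in ("license", "config"):
        if required not in top_level:
            problems.append(f"missing top-level directory /{required}")
    extra = sorted(top_level - {"license", "config"})
    if extra:
        problems.append(f"unexpected top-level entries: {extra}")
    chosen = select_init_cfg(members, serial)
    if chosen is None:
        problems.append("no init-cfg.txt for this serial; the firewall would boot with "
                        "the default configuration")
    licenses = [m for m in members if m.startswith("license/")]
    if not any(serial in m.rsplit("/", 1)[-1] for m in licenses):
        problems.append(f"no license key file carries serial {serial}")
    stray_xml = [m for m in members if m.endswith("bootstrap.xml") and not m.startswith("config/")]
    if stray_xml:
        problems.append(f"bootstrap.xml outside /config: {stray_xml}")
    return chosen, problems


# Constructed sample: a Method 2 style bundle for two remote-site firewalls.
# License file names are constructed; only the serial-in-name property comes from the guide.
SAMPLE_FILES = {
    "config/0008C200105-init-cfg.txt": b"type=dhcp-client\nhostname=site-a-fw\n",
    "config/0008C200107-init-cfg.txt": b"type=dhcp-client\nhostname=site-b-fw\n",
    "license/0008C200105-support.key": b"<constructed license content>",
    "license/0008C200107-support.key": b"<constructed license content>",
}

if __name__ == "__main__":
    members = bundle_members(build_bundle(SAMPLE_FILES))
    for serial in ("0008C200105", "0008C200109"):
        print(serial, check_bundle(members, serial))
```

For the two serials the bundle was built for, the check returns the matching init-cfg.txt and no problems; for a serial that was never added it reports both a missing init-cfg.txt (the case the Step 5 note warns about, where the firewall boots with the default configuration) and a missing license file.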
Bootstrap a Firewall Using a USB Flash Drive

After you receive a new Palo Alto Networks firewall and a USB flash drive loaded with bootstrap files, you can bootstrap the firewall.

Microsoft Windows and Apple Mac operating systems are unable to read the bootstrap USB flash drive because the drive is formatted using an ext4 filesystem. You must install third-party software or use a Linux system to read the USB drive.

Bootstrap a Firewall Using a USB Flash Drive

Step 1   The firewall must be in a factory default state or must have all private data deleted.

Step 2   To ensure connectivity with your corporate headquarters, cable the firewall by connecting the management interface (MGT) using an Ethernet cable to one of the following:
- An upstream modem
- A port on the switch or router
- An Ethernet jack in the wall

Step 3   Insert the USB flash drive into the USB port on the firewall and power on the firewall. The factory-default firewall bootstraps itself from the USB flash drive.
The firewall Status light turns from yellow to green when the firewall is configured and the autocommit is successful.
Step 4   Verify bootstrap completion. You can see basic status logs on the console during the bootstrap and you can verify that the process is complete.
1. If you included Panorama values (panorama-server, tplname, and dgname) in your init-cfg.txt file, check the Panorama managed devices, device group, and template name.
2. Verify the general system settings and configuration by accessing the web interface and selecting Dashboard > Widgets > System or by using the CLI operational commands show system info and show config running.
3. Verify the license installation by selecting Device > Licenses or by using the CLI operational command request license info.
4. If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.
Authentication

Many of the services that Palo Alto Networks firewalls and Panorama provide require authentication, including administrator access to the web interface and end user access to Captive Portal, GlobalProtect portals, and GlobalProtect gateways. The authentication methods that you can configure vary by service, and can include Kerberos single sign-on (SSO), external authentication services, certificates and certificate profiles, local database accounts, RADIUS Vendor-Specific Attributes (VSAs), and NT LAN Manager (NTLM).

The following topics describe authentication methods that are common to most firewall and Panorama services, procedures to configure them, how to test authentication profiles, and how to troubleshoot authentication issues:
- Configure an Authentication Profile and Sequence
- Configure Kerberos Single Sign-On
- Configure Local Database Authentication
- Configure External Authentication
- Test Authentication Server Connectivity
- Troubleshoot Authentication Issues
Configure an Authentication Profile and Sequence

An authentication profile defines the authentication service that validates the login credentials of an administrator account that is local to the firewall or Panorama. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).

Some networks have multiple databases for different users and user groups. To authenticate to multiple authentication sources (for example, local database and LDAP), configure an authentication sequence. An authentication sequence is a ranked order of authentication profiles that the firewall or Panorama matches an administrator against during login. The firewall or Panorama checks against each profile in sequence until one successfully authenticates the administrator (the firewall always checks the local database first if the sequence includes one). An administrator is denied access only if an authentication failure occurs for all the profiles in the authentication sequence.

Configure an Authentication Profile and Sequence

Step 1   Create a Kerberos keytab.
Required if the firewall or Panorama will use Kerberos SSO authentication.
Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall or Panorama.

Step 2   Configure a local database (firewall only) or external server profile (firewall or Panorama).
Required for local database or external authentication.
Local database authentication: perform the following tasks:
   a. Configure the user account.
   b. (Optional) Configure a user group.
External authentication: perform one of the following tasks:
- Configure a RADIUS Server Profile.
- Configure a TACACS+ Server Profile.
- Configure an LDAP Server Profile.
- Configure a Kerberos Server Profile.
Step 3   Configure an authentication profile.
Define one or both of the following:
- Kerberos SSO: the firewall or Panorama first tries SSO authentication. If that fails, it falls back to authentication of the Type specified in the profile.
- Local database or external authentication: the firewall or Panorama prompts the user to enter login credentials, and uses its local database (firewalls only) or an external service to authenticate the user.
1. Select Device > Authentication Profile and Add a profile.
2. Enter a Name to identify the authentication profile.
3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the profile is available.
4. Select the authentication Type. If you select RADIUS, TACACS+, LDAP, or Kerberos, select the authentication Server Profile from the drop-down.
   If the Type is LDAP, define the Login Attribute. For Active Directory, enter sAMAccountName as the value.
5.
6. If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama.
7. Select Advanced and Add the users and groups that can authenticate with this profile. You can select users and groups from the local database or, if you configured an LDAP server profile, from an LDAP-based directory service such as Active Directory. Selecting all allows every user to authenticate. By default, the list is empty, meaning no users can authenticate.
   You can also create and allow custom groups based on LDAP filters: see Map Users to Groups.
8. Enter the number of Failed Attempts (0-10) to log in that the firewall or Panorama allows before locking out the user. The default value 0 means there is no limit; for a profile that protects administrator access, set a nonzero value so that password guessing is throttled.
9. Enter the Lockout Time (0-60), which is the number of minutes for which the firewall or Panorama locks out the user after reaching the Failed Attempts limit. The default value 0 means the lockout applies until an administrator unlocks the user account.
10. Click OK to save the authentication profile.
Step 4   Configure an authentication sequence.
Required if you want the firewall or Panorama to try multiple authentication profiles to authenticate users. The firewall or Panorama evaluates the profiles in top-to-bottom order, applying the Kerberos SSO, authentication service, allow list, and account lockout values for each until one profile successfully authenticates the user. The firewall or Panorama denies access only if all the profiles in the sequence fail to authenticate.
1.
2.
3.
4. Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down.
5. Click OK to save the authentication sequence.

Step 5   Assign the authentication profile or sequence.
Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
Test Authentication Server Connectivity to verify that an authentication profile can communicate with the backend authentication server and that the authentication request succeeded.
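The evaluation order described in Steps 3 and 4 (allow list, lockout, Kerberos SSO, then the profile Type, profile after profile until one succeeds) is easier to reason about as code. The model below is an added example and not PAN-OS code: the backends are plain dicts standing in for the local database or an external server, the SSO check is a stub (a set of users assumed to hold a valid Kerberos ticket), and the profile and user names are taken from the test examples later in this chapter. It also shows the %USERINPUT%@%USERDOMAIN% username modifier that the test authentication command expects you to type out, and the two lockout edge cases: Failed Attempts 0 (no limit) and Lockout Time 0 (locked until an administrator unlocks).

```python
"""Model of authentication profile and sequence evaluation (added example)."""
import time
from dataclasses import dataclass, field


@dataclass
class AuthProfile:
    name: str
    backend: dict                      # user -> password; stands in for local DB / RADIUS / LDAP
    kind: str = "external"             # "local" for a Local Database profile
    allow_list: set = field(default_factory=set)   # empty = nobody; {"all"} = everyone
    failed_attempts: int = 0           # 0 = no limit (PAN-OS default)
    lockout_minutes: int = 0           # 0 = locked until an administrator unlocks
    user_domain: str = ""              # applies the %USERINPUT%@%USERDOMAIN% modifier
    sso_users: set = field(default_factory=set)    # stub for "holds a valid Kerberos ticket"
    fails: dict = field(default_factory=dict)
    locked: dict = field(default_factory=dict)     # user -> unlock time, or None (admin unlock)

    def authenticate(self, user, password, now):
        """Return (ok, message): allow list, lockout, SSO, then the profile Type."""
        if "all" not in self.allow_list and user not in self.allow_list:
            return False, f"User {user} is not allowed with authentication profile {self.name}"
        if user in self.locked:
            until = self.locked[user]
            if until is None or now < until:
                return False, f"User {user} is locked out"
            del self.locked[user]          # Lockout Time has elapsed
            self.fails.pop(user, None)
        if user in self.sso_users:         # Kerberos SSO is tried before the Type
            return True, f"Kerberos SSO succeeded for user {user}"
        login = f"{user}@{self.user_domain}" if self.user_domain else user
        if self.backend.get(login) == password:
            self.fails.pop(user, None)
            return True, f"Authentication succeeded for user {login}"
        n = self.fails[user] = self.fails.get(user, 0) + 1
        if self.failed_attempts and n >= self.failed_attempts:
            self.locked[user] = now + 60 * self.lockout_minutes if self.lockout_minutes else None
            return False, f"User {user} locked out after {n} failed attempts"
        return False, f"Authentication failed for user {login}"

    def unlock(self, user):
        """What an administrator does when Lockout Time is 0."""
        self.locked.pop(user, None)
        self.fails.pop(user, None)


def authenticate_sequence(profiles, user, password, now=None):
    """Try the profiles top to bottom, local database first as the guide says;
    deny only when every profile fails. Returns (ok, per-profile messages)."""
    now = time.time() if now is None else now
    ordered = ([p for p in profiles if p.kind == "local"]
               + [p for p in profiles if p.kind != "local"])
    log = []
    for profile in ordered:
        ok, msg = profile.authenticate(user, password, now)
        log.append(f"{profile.name}: {msg}")
        if ok:
            return True, log
    return False, log
```

Note that the allow list and the lockout counters are per profile: a user locked out of one profile in a sequence is still evaluated against the next one, which is why each profile in a sequence should carry its own Failed Attempts limit.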
Configure Kerberos Single Sign-On

Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. A network that supports Kerberos SSO prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (for example, the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and external authentication services (for example, a RADIUS server), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external service for authentication.

To support Kerberos SSO, your network requires:
- A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
- A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab. Because the keytab is equivalent to the account password, restrict access to it and transfer it only over a protected channel.

Configure Kerberos Single Sign-On

Step 1   Create a Kerberos keytab.
1. Log in to the KDC and open a command prompt.
2. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables. The Kerberos principal name and password are those of the firewall or Panorama, not the user.
   If the firewall is in FIPS/CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall or Panorama account. Prefer an AES algorithm even outside FIPS/CC mode: arcfour-hmac (RC4) and des3-cbc-sha1 are deprecated Kerberos encryption types.
   The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use.

Step 2   Import the keytab into an authentication profile.
Configure an Authentication Profile and Sequence:
1. Enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase).
2. Import the Kerberos Keytab that you created for the firewall or Panorama.

Step 3   Assign the authentication profile to the administrator account or to the Captive Portal settings.
- Configure an administrator account.
- Configure Captive Portal.
Configure Local Database Authentication

You can use a local firewall database instead of an external service to manage user account credentials and authentication. For example, you might create a local database of users and user groups for specialized purposes if you don't have permission to add them to the directory servers that your organization uses to manage regular accounts and groups. Local database authentication is available for firewall administrators and for Captive Portal and GlobalProtect end users.

If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.

You can also Configure an Administrative Account to use local account management and authentication without a local database, but only for firewall administrators.

Configure Local Database Authentication

Step 1   Configure the user account.
1.
2. Enter a user Name for the administrator.
3. Enter a Password and Confirm Password or enter a Password Hash.
4. Enable the account (enabled by default) and click OK.

Step 2   Configure a user group.
Required if your users require group membership.
1.
2. Enter a Name to identify the group.
3. Add each user who is a member of the group and click OK.

Step 3   Configure an authentication profile.
Set the authentication Type to Local Database.

Step 4   Assign the authentication profile to an administrator account or firewall service.
Administrators: Configure an Administrative Account:
- Specify the Name of a user you defined in Step 1.
- Assign the Authentication Profile that you configured for the account.
End users: for all services, you must assign the Authentication Profile that you configured for the accounts:
- Configure Captive Portal.
- Configure the GlobalProtect portal.
- Configure the GlobalProtect gateway.

Step 5   Verify that the firewall can communicate with the authentication server.
Test a Local Database Authentication Profile.
Configure External Authentication

Palo Alto Networks firewalls and Panorama can use external servers for many services that require authentication, including administrator access to the web interface and end user access to Captive Portal, GlobalProtect portals, and GlobalProtect gateways. The server protocols that firewalls and Panorama support include Lightweight Directory Access Protocol (LDAP), Kerberos, Terminal Access Controller Access-Control System Plus (TACACS+), and Remote Authentication Dial-In User Service (RADIUS). If you enable both external authentication and Kerberos single sign-on (SSO), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external server for authentication. To configure external authentication, you create an authentication server profile, assign it to an authentication profile, and then enable authentication for an administrator account or firewall/Panorama service by assigning the authentication profile to it.
- Configure Authentication Server Profiles
- Enable External Authentication for Users and Services

Configure Authentication Server Profiles
- Configure a RADIUS Server Profile
- RADIUS Vendor-Specific Attributes Support
- Configure a TACACS+ Server Profile
- Configure an LDAP Server Profile
- Configure a Kerberos Server Profile
- Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers

Configure a RADIUS Server Profile

You can configure the firewall or Panorama to use a RADIUS server for managing administrator accounts (if they are not local). You can also configure the firewall to use a RADIUS server for authenticating end users and collecting RADIUS Vendor-Specific Attributes (VSAs) from GlobalProtect clients. To use a RADIUS server for managing administrator accounts or collecting GlobalProtect client VSAs, you must define VSAs on the RADIUS server. For the list of supported VSAs, see RADIUS Vendor-Specific Attributes Support.

By default, when authenticating to the RADIUS server, the firewall or Panorama first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol selection and configure the firewall or Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.

When sending authentication requests to a RADIUS server, the firewall and Panorama use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence for the service that initiates the authentication process.
Configure a RADIUS Server Profile

Step 1   Add a RADIUS server profile.
1. Select Device > Server Profiles > RADIUS and Add a profile.
2. Enter a Profile Name to identify the server profile.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-30, default is 3).
5. Enter the number of automatic Retries following a Timeout before the request fails (range is 1-5, default is 3).
6. For each RADIUS server, click Add and enter a Name (to identify the server), server IP address or FQDN (RADIUS Server field), Secret/Confirm Secret (the shared secret that the firewall and the server use to hide passwords and to authenticate RADIUS messages; it must match the secret configured on the server), and server Port for authentication requests (default is 1812).
7. Click OK.

Step 2   Implement the RADIUS server profile.
1. Assign the RADIUS server profile to an authentication profile or sequence.
2. Test a RADIUS Authentication Profile to verify that the firewall or Panorama can connect to the RADIUS server.
3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
4. Commit your changes.

RADIUS Vendor-Specific Attributes Support

Palo Alto Networks firewalls and Panorama support the following RADIUS Vendor-Specific Attributes (VSAs). To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama) and the VSA name and number. Some VSAs also require a value.

VSAs for administrator account management and authentication

Name                                    Number   Value
PaloAlto-Admin-Role                     1        A default (dynamic) administrative role name or a custom administrative role name on the firewall.
PaloAlto-Admin-Access-Domain            2        The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.
PaloAlto-Panorama-Admin-Role            3        A default (dynamic) administrative role name or a custom administrative role name on Panorama.
PaloAlto-Panorama-Admin-Access-Domain   4        The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).
PaloAlto-User-Group                     5        The name of a user group that an authentication profile references.

VSAs forwarded from GlobalProtect clients to the RADIUS server

Name                                    Number
PaloAlto-User-Domain                    6
PaloAlto-Client-Source-IP               7
PaloAlto-Client-OS                      8
PaloAlto-Client-Hostname                9
PaloAlto-GlobalProtect-Client-Version   10
Don't specify a value when you define these VSAs.
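On the wire, each of these VSAs travels inside a standard RADIUS Vendor-Specific attribute (type 26) that carries the vendor code 25461 followed by the vendor type number from the table. The following encoder and decoder are an added example, not PAN-OS or RADIUS server code: they show exactly which bytes a server puts into an Access-Accept to hand the firewall an administrator role and access domain, and how a client walks the attribute list while skipping other vendors and rejecting malformed lengths. The role and access-domain values are made up for the example.

```python
"""Encode/decode Palo Alto Networks RADIUS VSAs (RFC 2865 type 26) - added example."""
import struct

PALOALTO_VENDOR_ID = 25461
RADIUS_VENDOR_SPECIFIC = 26
RADIUS_USER_NAME = 1

VSA_NUMBER = {                      # vendor type numbers from the table above
    "PaloAlto-Admin-Role": 1,
    "PaloAlto-Admin-Access-Domain": 2,
    "PaloAlto-Panorama-Admin-Role": 3,
    "PaloAlto-Panorama-Admin-Access-Domain": 4,
    "PaloAlto-User-Group": 5,
    "PaloAlto-User-Domain": 6,
    "PaloAlto-Client-Source-IP": 7,
    "PaloAlto-Client-OS": 8,
    "PaloAlto-Client-Hostname": 9,
    "PaloAlto-GlobalProtect-Client-Version": 10,
}
VSA_NAME = {num: name for name, num in VSA_NUMBER.items()}


def encode_attribute(attr_type, data):
    """Standard RADIUS TLV: Type (1 byte), Length (1 byte, includes the header), Value."""
    if len(data) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_vsa(name, value):
    """Wrap one Palo Alto VSA in a Vendor-Specific attribute:
    Type 26 | Length | Vendor-Id (4) | Vendor-Type (1) | Vendor-Length (1) | String."""
    inner = encode_attribute(VSA_NUMBER[name], value.encode())
    return encode_attribute(RADIUS_VENDOR_SPECIFIC,
                            struct.pack("!I", PALOALTO_VENDOR_ID) + inner)


def decode_paloalto_vsas(attributes):
    """Walk a RADIUS attribute list; return [(name, value)] for vendor 25461 only.
    Other attributes and other vendors are skipped; a bad length raises ValueError."""
    found, i = [], 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attributes[i], attributes[i + 1]
        if attr_len < 2 or i + attr_len > len(attributes):
            raise ValueError(f"bad attribute length at offset {i}")
        value = attributes[i + 2:i + attr_len]
        i += attr_len
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != PALOALTO_VENDOR_ID:
            continue
        j = 4
        while j < len(value):           # several VSAs may share one type-26 attribute
            if j + 2 > len(value):
                raise ValueError("truncated vendor attribute header")
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError(f"bad vendor length at offset {j}")
            found.append((VSA_NAME.get(vtype, f"PaloAlto-Unknown-{vtype}"),
                          value[j + 2:j + vlen].decode()))
            j += vlen
    return found
```

If a RADIUS server dictionary defines the vendor with a different code or the attribute with a different number, the firewall ignores the attribute and the administrator logs in without the role the server intended to assign; decoding a captured Access-Accept with this script is a quick way to confirm the server is sending what the table specifies.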
Configure a TACACS+ Server Profile

The Terminal Access Controller Access-Control System Plus (TACACS+) protocol provides better authentication security than RADIUS because it encrypts the entire packet body, including usernames and passwords, instead of hiding only the password, and it is also more reliable because it uses TCP instead of UDP.

By default, when authenticating to the TACACS+ server, the firewall or Panorama first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol selection and configure the firewall or Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.

Configure a TACACS+ Server Profile

Step 1   Add a TACACS+ server profile.
1.
2. Enter a Profile Name to identify the server profile.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-20, default is 3).
5.
6. For each TACACS+ server, click Add and enter a Name (to identify the server), server IP address or FQDN (TACACS+ Server field), Secret/Confirm Secret (the shared key that encrypts the packet body, including usernames and passwords; it must match the key configured on the server), and server Port for authentication requests (default is 49).
7. Click OK.

Step 2   Implement the TACACS+ server profile.
1. Assign the TACACS+ server profile to an authentication profile or sequence.
2. Test a TACACS+ Authentication Profile to verify that the firewall or Panorama can connect to the TACACS+ server.
3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
4. Commit your changes.
Configure an LDAP Server Profile

An LDAP server profile enables you to:
- Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama.
- Define security rules based on user or user group. The LDAP server profile instructs the firewall how to connect and authenticate to the server and how to search the directory for user and group information. You must also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy rules.

Configure an LDAP Server Profile

Step 1   Add an LDAP server profile.
1.
2. Enter a Profile Name to identify the server profile.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
4. For each LDAP server (up to four), click Add and enter a Name (to identify the server), server IP address or FQDN (LDAP Server field), and server Port (default 389).
5. Select the server Type from the drop-down: active-directory, e-directory, sun, or other.
6. If you want the firewall or Panorama to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (it is selected by default). The protocol that the firewall or Panorama uses depends on the server Port:
   - 389 (default): TLS. Specifically, the firewall or Panorama uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.
   - 636: SSL.
   - Any other port: the firewall or Panorama first tries to use TLS. If the directory server doesn't support TLS, the firewall or Panorama falls back to SSL.
7. To improve security, you can select the Verify Server Certificate for SSL sessions check box (it is cleared by default) so that the firewall or Panorama verifies the certificate that the directory server presents for SSL/TLS connections. If the verification fails, the connection fails. To enable verification, you must also select the Require SSL/TLS secured connection check box. Without verification the session is encrypted but the server is not authenticated, so anyone who can redirect the connection can capture the bind credentials; enable verification for production profiles. The firewall or Panorama verifies the certificate in two respects:
   - The certificate is trusted and valid. For the firewall or Panorama to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates. Import the certificate if necessary: see Import a Certificate and Private Key.
   - The certificate name must match the host Name of the LDAP server. The firewall or Panorama first checks the certificate attribute SubjectAltName for a match, then tries the attribute SubjectDN. If the certificate uses the FQDN of the directory server, you must enter that FQDN in the LDAP Server field for the name matching to succeed.
8. Click OK.
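The two decisions in steps 6 and 7 above (which protection the port selects, and whether the certificate name matches what you typed in the LDAP Server field) are reproduced below as an added example that is not PAN-OS code. It works over a certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, so you can run it against a real directory server's certificate; the sample certificates here are constructed. The guide states only that SubjectAltName is checked before the Subject DN; accepting a single-label wildcard in a SAN entry is this example's assumption. Trust-chain validation (the first of the two checks) is left to the certificate store and is not modelled.

```python
"""LDAP server profile checks: port-to-protocol and certificate name match (added example)."""


def protocol_for_port(port, require_tls=True):
    """Which protection the firewall selects from the server Port (guide, step 6)."""
    if not require_tls:
        return "plaintext"
    return {389: "StartTLS", 636: "SSL"}.get(port, "TLS, then SSL fallback")


def _dns_name_matches(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):   # wildcard covers exactly one label (assumption)
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def certificate_name_matches(cert, ldap_server_field):
    """Return (matched, detail): SAN dNSName entries first, then the Subject CN.
    ldap_server_field is the value typed in the LDAP Server field (IP or FQDN)."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and _dns_name_matches(value, ldap_server_field):
            return True, f"SubjectAltName DNS:{value}"
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_name_matches(value, ldap_server_field):
                return True, f"Subject CN={value}"
    return False, ("no SubjectAltName or Subject CN matches "
                   f"'{ldap_server_field}'; enter the certificate's FQDN in the LDAP Server field")


def verify_ldap_server(cert, ldap_server_field, port, require_tls=True, verify_cert=False):
    """Combine the two check boxes: verification needs Require SSL/TLS, and then
    the presented name must match. Returns (connection allowed, detail)."""
    proto = protocol_for_port(port, require_tls)
    if not verify_cert:
        return True, f"{proto}; server certificate not verified"
    if not require_tls:
        return False, "Verify Server Certificate requires Require SSL/TLS secured connection"
    ok, detail = certificate_name_matches(cert, ldap_server_field)
    return ok, f"{proto}; {detail}"
```

The common failure the guide warns about is visible in the tests: a profile that names the server by IP address passes while verification is off and fails as soon as Verify Server Certificate is enabled, because the certificate carries the FQDN only.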
Step 2   Implement the LDAP server profile.
1. Assign the LDAP server profile to an authentication profile or sequence.
2. Test an LDAP Authentication Profile to verify that the firewall or Panorama can connect to the LDAP server.
3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
4. Commit your changes.
Configure a Kerberos Server Profile

A Kerberos server profile enables users to natively authenticate to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords, in contrast with Kerberos single sign-on (SSO), which involves transparent authentication.

To use a Kerberos server for authentication, the server must be accessible over an IPv4 address. IPv6 addresses are not supported.

Configure a Kerberos Server Profile

Step 1   Add a Kerberos server profile.
1.
2. Enter a Profile Name to identify the server profile.
3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
4. For each Kerberos server, click Add and enter a Name (to identify the server), server IPv4 address or FQDN (Kerberos Server field), and an optional Port number for communication with the server (default 88).
5. Click OK.

Step 2   Implement the Kerberos server profile.
1. Assign the Kerberos server profile to an authentication profile or sequence.
2. Test a Kerberos Authentication Profile to verify that the firewall or Panorama can connect to the Kerberos server.
3. Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
4. Commit your changes.
Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers

When you configure a Palo Alto Networks firewall or Panorama to use RADIUS or TACACS+ server authentication for a particular service (such as Captive Portal), it first tries to authenticate to the server using Challenge-Handshake Authentication Protocol (CHAP). The firewall or Panorama falls back to Password Authentication Protocol (PAP) if the server rejects the CHAP request. This will happen if, for example, the server doesn't support CHAP or isn't configured for CHAP. CHAP is the preferred protocol because it is more secure than PAP: with CHAP only an MD5 response to a server challenge crosses the network, whereas with PAP the password itself is sent, hidden only with the shared secret. After the firewall or Panorama falls back to PAP for a particular RADIUS or TACACS+ server, it uses only PAP in subsequent attempts to authenticate to that server. PAN-OS records a fallback to PAP as a medium-severity event in the System logs. If you modify any fields in the RADIUS or TACACS+ server profile and then commit the changes, the firewall or Panorama reverts to first trying CHAP for that server.

Because a single CHAP rejection pins the firewall or Panorama to PAP until the next commit of that server profile, watch the System log for the fallback event. If your servers support CHAP, consider pinning chap so that an unexpected downgrade shows up as an authentication failure rather than silently continuing in PAP.

If you want the firewall or Panorama to always use a specific protocol for authenticating to the RADIUS or TACACS+ server, enter the following operational CLI command (the auto option reverts to the default automatic selection):
set authentication radius-auth-type [ auto | chap | pap ]

When configuring a RADIUS or TACACS+ server for CHAP, you must define user accounts with reversibly encrypted passwords, because the server needs the cleartext password to compute the expected CHAP response. Otherwise, CHAP authentication will fail.
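What actually leaves the firewall under each protocol, and the per-server fallback described above, are shown in the following added example (not PAN-OS code). The CHAP-Password and hidden User-Password computations follow RFC 2865; the shared secret, challenge and Request Authenticator bytes are constructed. The server-side chap_verify shows why CHAP needs reversibly encrypted passwords: the server has to recompute the digest from the cleartext password.

```python
"""CHAP versus PAP on a RADIUS request, plus the CHAP-to-PAP fallback (added example)."""
import hashlib


def chap_response(chap_ident, password, challenge):
    """CHAP-Password value (RFC 2865 section 5.3): Ident || MD5(Ident || password || challenge).
    Only this digest crosses the network, never the password itself."""
    digest = hashlib.md5(bytes([chap_ident]) + password + challenge).digest()
    return bytes([chap_ident]) + digest


def chap_verify(stored_password, challenge, chap_password_attr):
    """Server side. Needs the cleartext password; a server holding only a
    password hash cannot do this, hence the reversible-encryption requirement."""
    ident = chap_password_attr[0]
    return chap_password_attr == chap_response(ident, stored_password, challenge)


def pap_hide(password, shared_secret, request_authenticator):
    """User-Password hiding (RFC 2865 section 5.2): pad to a multiple of 16 bytes and
    XOR each block with MD5(secret || previous ciphertext block), the first block with
    the Request Authenticator. Reversible by anyone who holds the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def pap_unhide(hidden, shared_secret, request_authenticator):
    """Server side of pap_hide (also what a passive attacker with the secret can do)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


class AuthTypeSelector:
    """Per-server protocol choice as the guide describes: 'auto' tries CHAP, pins
    PAP after a CHAP rejection, and forgets the pin when the server profile is
    committed again. 'chap' or 'pap' mirrors `set authentication radius-auth-type`."""

    def __init__(self, setting="auto"):
        self.setting = setting
        self.pap_only = set()

    def next_type(self, server):
        if self.setting != "auto":
            return self.setting
        return "pap" if server in self.pap_only else "chap"

    def chap_rejected(self, server):
        self.pap_only.add(server)       # PAN-OS logs this as a medium-severity System event

    def profile_committed(self, server):
        self.pap_only.discard(server)
```

pap_unhide makes the trade-off concrete: anyone holding the shared secret and a capture of the request recovers the password, which is why the secret deserves the same handling as a password and why CHAP is preferred when the server supports it.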
Enable External Authentication for Users and Services

Palo Alto Networks firewalls and Panorama can use external services to authenticate administrators, end users, and other devices.

Enable External Authentication

Step 1   Configure an external server profile.
- Configure a RADIUS Server Profile.
- Configure a TACACS+ Server Profile.
- Configure an LDAP Server Profile.
- Configure a Kerberos Server Profile.

Step 2   Assign the server profile to an authentication profile. Optionally, you can assign multiple authentication profiles to an authentication sequence.
1. Configure an Authentication Profile and Sequence.
2. Test Authentication Server Connectivity.

Step 3   Assign the authentication profile or sequence to an administrator account or to a firewall or Panorama service.
Administrators: Configure an Administrative Account.
End users:
- Configure Captive Portal.
- Configure the GlobalProtect portal.
- Configure the GlobalProtect gateway.
Firewall/Panorama services:
- Configure Routing Information Protocol (RIP).
- Configure Open Shortest Path First (OSPF).
- Configure Border Gateway Protocol (BGP).
Test Authentication Server Connectivity

After you configure an authentication profile on a Palo Alto Networks firewall or Panorama, you can use the test authentication feature to determine if it can communicate with the backend authentication server and if the authentication request succeeded. You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing.

Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.

The following topics describe how to use the test authentication command and provide examples:
- Run the Test Authentication Command
- Test a Local Database Authentication Profile
- Test a RADIUS Authentication Profile
- Test a TACACS+ Authentication Profile
- Test an LDAP Authentication Profile
- Test a Kerberos Authentication Profile

Run the Test Authentication Command

Step 1   On the PAN-OS firewall or Panorama server, configure an authentication profile. You do not need to commit the authentication or server profile configuration prior to testing.

Step 2   Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3   (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.
Step 4   Test an authentication profile by entering the following command:
admin@PA-3060> test authentication authentication-profile <authentication profile name> username <username> password
For example, to test an authentication profile named myprofile for a user named bsimpson, run the following command:
admin@PA-3060> test authentication authentication-profile myprofile username bsimpson password
When entering authentication profile names and server profile names in the test command, the names are case-sensitive. Also, if the authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This will ensure that the correct credentials are sent to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the authentication profile.

Step 5   View the output of the test results.
If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration.
For example use cases on the supported authentication profile types, see Test Authentication Server Connectivity.
The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.
Test a Local Database Authentication Profile

The following example shows how to test a Local Database authentication profile named LocalDB-Profile for a user named User1-LocalDB and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.

Local Database Authentication Profile Test Example

Step 1   On the PAN-OS firewall, ensure that you have an administrator configured with the type Local Database. For information on administrator accounts, refer to Manage Firewall Administrators.

Step 2   Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.

Step 3   (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.

Step 4   Run the following CLI command:
admin@PA-3060> test authentication authentication-profile LocalDB-Profile username User1-LocalDB password

Step 5   When prompted, enter the password for the User1-LocalDB account. The following output shows that the test failed:
Allow list check error:
Do allow list check before sending out authentication request...
User User1-LocalDB is not allowed with authentication profile LocalDB-Profile
In this case, the last line of the output shows that the user is not allowed, which indicates a configuration problem in the authentication profile.

Step 6   To resolve this issue, modify the authentication profile and add the user to the Allow List.
1. On the firewall, select Device > Authentication Profile and modify the profile named LocalDB-Profile.
2. Click the Advanced tab and add User1-LocalDB to the Allow List.
3. Click OK to save the change.

Step 7   Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User1-LocalDB" has an exact match in allow list
Authentication by Local User Database for user "User1-LocalDB"
Authentication succeeded for Local User Database user "User1-LocalDB"
TestaRADIUSAuthenticationProfile
ThefollowingexampleshowshowtotestaRADIUSprofilenamedRADIUSProfileforausernamed
User2RADIUSandhowtotroubleshooterrorconditionsthatarise.Fordetailsonusingthetest
authenticationcommand,seeRuntheTestAuthenticationCommand.
RADIUSAuthenticationProfileTestExample
Step1
OnthePANOSfirewall,ConfigureaRADIUSServerProfileandConfigureanauthenticationprofile.Inthe
authenticationprofile,youselectthenewRADIUSserverprofileintheServer Profiledropdown.
Step2
Usingaterminalemulationapplication,suchasPuTTY,launchanSSHsessiontothefirewall.
152 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
Authentication
TestAuthenticationServerConnectivity
RADIUSAuthenticationProfileTestExample
Step 3
(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication
command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys setting is per login session, so the system clears the option when you log off.
Step 4
Run the following CLI command:
admin@PA-3060> test authentication authentication-profile RADIUS-Profile username User2-RADIUS password
Step 5
When prompted, enter the password for the User2-RADIUS account. The following output shows that the
test failed:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
In this case, the output shows Bad MD5, which indicates that the shared secret in the RADIUS server profile
does not match the secret the RADIUS server holds for this client. The firewall validates the Response
Authenticator of every reply with its own copy of the secret, and a reply built with a different secret fails that
MD5 check. RADIUS servers key the secret by client address, so also confirm that the egress address shown
(10.5.104.98 here) is the client entry the server has the secret registered for; a secret bound to a different
client address produces the same symptom.
Step 6
To resolve this issue, modify the RADIUS server profile and ensure that the secret defined on the RADIUS
server matches the secret in the server profile.
1. On the firewall, select Device > Server Profiles > RADIUS and modify the profile named RADIUS-Profile.
2. In the Servers section, locate the RADIUS server and modify the Secret field.
3. Type in the correct secret and then retype it to confirm.
4. Click OK to save the change.
Step 7
Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication type: PAP
Now send request to remote server ...
Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication succeeded for user "User2-RADIUS"
Note that the server rejected the CHAP request and the firewall fell back to PAP. With PAP the user's
password is hidden only by an MD5 keystream derived from the shared secret and the request authenticator,
so keep the RADIUS exchange on a trusted management network or inside a tunnel, and let the server accept
CHAP where its password store supports it.
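The following is an added example (not part of the PAN-OS guide) that reproduces in Python the RADIUS arithmetic behind the two transcripts above: the firewall hides the PAP password and validates every reply's Response Authenticator with its copy of the shared secret, so a reply built with a different secret fails that check and is reported as Bad MD5. The MD5 constructions follow RFC 2865; the in-memory server, the User2-RADIUS password, the secrets and the attribute handling are constructed for this example.

```python
"""Added example (not from the PAN-OS guide): a toy RADIUS/PAP exchange that
shows why a shared-secret mismatch is reported as "Bad MD5". The arithmetic
follows RFC 2865 (Request/Response Authenticator, User-Password hiding);
the in-memory server, the user list and the secrets are constructed here."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def client_request(user: bytes, password: bytes, secret: bytes, ident: int = 0x2A):
    req_auth = os.urandom(16)  # fresh per request; it also keys the PAP hiding
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, pap_hide(password, secret, req_auth))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_reply(request: bytes, server_secret: bytes, users: dict) -> bytes:
    """Toy server: unhide the password with *its* secret and answer Accept or Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs, pos = request[4:20], {}, 20
    while pos < length:
        atype, alen = request[pos], request[pos + 1]
        attrs[atype] = request[pos + 2:pos + alen]
        pos += alen
    given = pap_reveal(attrs[ATTR_USER_PASSWORD], server_secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == given else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", req_auth, server_secret), b"")


def client_verify(reply: bytes, req_auth: bytes, client_secret: bytes) -> str:
    """What the firewall does before trusting a reply: recompute the Response Authenticator."""
    code, ident, _ = struct.unpack("!BBH", reply[:4])
    if reply[4:20] != response_authenticator(code, ident, reply[20:], req_auth, client_secret):
        return "bad md5"  # the condition the guide's failing transcript reports
    return "accept" if code == ACCESS_ACCEPT else "reject"


def run(client_secret: bytes, server_secret: bytes, password: bytes = b"correct horse") -> str:
    users = {b"User2-RADIUS": b"correct horse"}  # constructed user store
    req, req_auth = client_request(b"User2-RADIUS", password, client_secret)
    return client_verify(server_reply(req, server_secret, users), req_auth, client_secret)


if __name__ == "__main__":
    print(run(b"s3cret", b"s3cret"), run(b"s3cret", b"s3cret", b"nope"), run(b"s3cret", b"typo"))
```

A wrong password with matching secrets yields a clean reject; only a secret mismatch trips the authenticator check, which is why the guide sends you to the Secret field rather than to the user's credentials.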
Test a TACACS+ Authentication Profile
The following example shows how to test a TACACS+ profile named TACACS-Profile for a user named
User3-TACACS and how to troubleshoot error conditions that arise. For details on using the test
authentication command, see Run the Test Authentication Command.
TACACS+ Authentication Profile Test Example
Step 1
On the PAN-OS firewall, Configure a TACACS+ Server Profile and Configure an authentication profile. In the
authentication profile, select the new TACACS+ server profile in the Server Profile drop-down.
Step 2
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3
(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication
command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys setting is per login session, so the system clears the option when you log off.
Step 4
Run the following CLI command:
admin@PA-3060> test authentication authentication-profile TACACS-Profile username User3-TACACS password
Step 5
When prompted, enter the password for the User3-TACACS account. The following output shows that the
test failed:
Do allow list check before sending out authentication request...
name "User3-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User3-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
Failed to send CHAP authentication request: Network read timed out
Attempting PAP authentication ...
PAP authentication request is created
Failed to send PAP authentication request: Network read timed out
Returned status: -1
Authentication failed against TACACS+ server at 10.5.196.62:49 for user User3-TACACS
Authentication failed for user "User3-TACACS"
In this case, the output shows Network read timed out for both the CHAP and the PAP attempt. The TACACS+
packet body is encrypted with the shared secret, so a server holding a different secret cannot read the request;
depending on the server it drops the connection or answers with something the firewall cannot decode, and the
firewall reports a read timeout rather than an explicit rejection. The same symptom appears when the server
is simply unreachable, so before changing the secret confirm that TCP port 49 on 10.5.196.62 is reachable
from the egress address 10.5.104.98.
Step 6
To resolve this issue, modify the TACACS+ server profile and ensure that the secret defined on the TACACS+
server matches the secret in the server profile.
1. On the firewall, select Device > Server Profiles > TACACS+ and modify the profile named TACACS-Profile.
2. In the Servers section, locate the TACACS+ server and modify the Secret field.
3. Type in the correct secret and then retype it to confirm.
4. Click OK to save the change.
Step 7
Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User3-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User3-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
Authentication succeeded!
Authentication succeeded for user "User3-TACACS"
Test an LDAP Authentication Profile
The following example shows how to test an LDAP authentication profile named LDAP-Profile for a user
named User4-LDAP and how to troubleshoot error conditions that arise. For details on using the test
authentication command, see Run the Test Authentication Command.
LDAP Authentication Profile Test Example
Step 1
On the PAN-OS firewall, Configure an LDAP Server Profile and Configure an authentication profile. In the
authentication profile, select the new LDAP server profile in the Server Profile drop-down.
Step 2
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3
(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication
command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys setting is per login session, so the system clears the option when you log off.
Step 4
Run the following CLI command:
admin@PA-3060> test authentication authentication-profile LDAP-Profile username User4-LDAP password
Step 5
When prompted, enter the password for the User4-LDAP account. The following output shows that the test
failed:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
parse error of dn and attributes for user "User4-LDAP"
Authentication failed against LDAP server at 10.5.104.99:389 for user "User4-LDAP"
Authentication failed for user "User4-LDAP"
In this case, the output shows parse error of dn and attributes, which indicates that the Bind DN in the LDAP
server profile does not match the directory: the DC (domain component) values of the Bind DN must match the
domain the LDAP server actually serves. Note also Type of authentication: plaintext and port 389 in the failure
line. This profile binds over unencrypted LDAP, so the bind password and the test user's password cross the
network in the clear; for production, enable the SSL/TLS option in the LDAP server profile so the bind uses an
encrypted connection.
Step 6
To resolve this issue, modify the LDAP server profile and ensure that the DC values in the Bind DN are correct
by comparing them with the DC values of the LDAP server.
1. On the firewall, select Device > Server Profiles > LDAP and modify the profile named LDAP-Profile.
2. In the Server Settings section, enter the correct value for the DC in the Bind DN field. In this case, the
correct value for the DC is MGMT-GROUP (the successful output below shows DC=MGMT-GROUP,DC=local).
3. Click OK to save the change.
Step 7
Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=User4-LDAP,CN=Users,DC=MGMT-GROUP,DC=local
User expires in days: never
Authentication succeeded for user "User4-LDAP"
Test a Kerberos Authentication Profile
The following example shows how to test a Kerberos profile named Kerberos-Profile for a user named
User5-Kerberos and how to troubleshoot error conditions that arise. For details on using the test
authentication command, see Run the Test Authentication Command.
Kerberos Authentication Profile Test Example
Step 1
On the PAN-OS firewall, Configure a Kerberos Server Profile and Configure an authentication profile. In the
authentication profile, select the new Kerberos server profile in the Server Profile drop-down.
Step 2
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3
(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication
command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys setting is per login session, so the system clears the option when you log off.
Step 4
Run the following CLI command:
admin@PA-3060> test authentication authentication-profile Kerberos-Profile username User5-Kerberos password
Step 5
When prompted, enter the password for the User5-Kerberos account. The following output shows that the
test failed:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'Bad-MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
Authentication failed for user "User5-Kerberos"
In this case, the output shows Wrong realm, which indicates that the realm configured in the Kerberos Realm
field of the authentication profile does not match the realm the KDC serves. Kerberos realm names are
case-sensitive and conventionally upper case, so copy the realm exactly as the KDC reports it.
Step 6
To resolve this issue, modify the authentication profile and ensure that the Realm value is correct by
comparing it with the realm name on the Kerberos server.
1. On the firewall, select Device > Authentication Profile and modify the profile named Kerberos-Profile.
2. In the Kerberos Realm field, enter the correct value. In this case, the correct realm is MGMT-GROUP.LOCAL.
3. Click OK to save the change.
Step 7
Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "User5-Kerberos"
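The following added example (not part of the guide) applies the diagnoses of the five examples above mechanically: a Python triage function reads a test authentication transcript, extracts the server and egress address, maps the error line to the cause and fix location each example identified, and flags two security-relevant observations the transcripts expose (a plaintext LDAP bind, and a CHAP-to-PAP fallback). The sample transcripts are excerpts of the guide's own outputs; the regexes, the diagnosis text and the function itself are assumptions of this example, not a PAN-OS feature.

```python
"""Added example (not from the PAN-OS guide): triage `test authentication`
output the way the guide's worked examples do by hand. SAMPLES are excerpts
of the guide's transcripts; RULES and triage() are this example's own."""
import re

# (regex over the output, diagnosis, where the guide says to fix it)
RULES = [
    (r"RADIUS error: .*Bad MD5",
     "RADIUS shared secret mismatch (reply failed the Response Authenticator check)",
     "Device > Server Profiles > RADIUS: Secret"),
    (r"Failed to send (?:CHAP|PAP) authentication request: Network read timed out",
     "TACACS+ server gave no usable reply: shared secret mismatch or TCP/49 unreachable",
     "Device > Server Profiles > TACACS+: Secret (check reachability of port 49 first)"),
    (r"parse error of dn and attributes",
     "LDAP Bind DN does not match the directory (check the DC= components)",
     "Device > Server Profiles > LDAP: Bind DN"),
    (r"Authentication failure: Wrong realm: '([^']+)'",
     "Kerberos realm in the authentication profile is wrong",
     "Device > Authentication Profile: Kerberos Realm"),
]

SERVER_RE = re.compile(r"Authentication to (\S+) server at '?(\d+(?:\.\d+){3})(?::(\d+))?'?")
PORT_RE = re.compile(r"server at \d+(?:\.\d+){3}:(\d+) for user|Server port: (\d+)")


def triage(output: str) -> dict:
    """Return status, (protocol, ip, port), egress, the first matching cause/fix, and warnings."""
    r = {"status": "unknown", "server": None, "egress": None, "cause": None, "fix": None, "warnings": []}
    if re.search(r"^Authentication failed", output, re.M):
        r["status"] = "failed"
    elif re.search(r"^Authentication succeeded", output, re.M):
        r["status"] = "success"
    m = SERVER_RE.search(output)
    if m:
        port = m.group(3)
        if port is None:  # TACACS+/Kerberos quote the address; take the port from another line
            pm = PORT_RE.search(output)
            port = (pm.group(1) or pm.group(2)) if pm else None
        r["server"] = (m.group(1), m.group(2), int(port) if port else None)
    eg = re.search(r"^Egress: (\S+)", output, re.M)
    r["egress"] = eg.group(1) if eg else None
    if r["status"] == "failed":
        for pattern, cause, fix in RULES:
            if re.search(pattern, output):
                r["cause"], r["fix"] = cause, fix
                break
    # security-relevant observations that the guide's transcripts expose
    if re.search(r"^Type of authentication: plaintext", output, re.M):
        r["warnings"].append("LDAP bind is plaintext: credentials cross the network unencrypted; "
                             "enable SSL/TLS in the server profile")
    if "try PAP next" in output:
        r["warnings"].append("server rejected CHAP, firewall fell back to PAP: password hidden only "
                             "by an MD5(secret) keystream")
    realm = re.search(r"^Realm: '([^']+)'", output, re.M)
    if realm and realm.group(1) != realm.group(1).upper():
        r["warnings"].append("Kerberos realm is not upper case; realms are case-sensitive")
    return r


# Excerpts of the guide's transcripts, used as the worked input.
SAMPLES = {
    "radius": """Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
""",
    "tacacs": """Authentication to TACACS+ server at '10.5.196.62' for user 'User3-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Failed to send CHAP authentication request: Network read timed out
Failed to send PAP authentication request: Network read timed out
Authentication failed for user "User3-TACACS"
""",
    "ldap": """Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
parse error of dn and attributes for user "User4-LDAP"
Authentication failed against LDAP server at 10.5.104.99:389 for user "User4-LDAP"
""",
    "kerberos": """Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'Bad-MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
""",
    "radius_ok": """Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication succeeded for user "User2-RADIUS"
""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage(text))
```

Run it on a pasted transcript from your own firewall; a transcript that matches no rule still yields the server, port and egress address, which is what you need before opening a ticket with the directory or AAA team.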
Troubleshoot Authentication Issues
When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the authentication process
takes longer than expected, analyzing authentication-related information can help you determine whether
the failure or delay resulted from:
• User behavior. For example, users are locked out after entering the wrong credentials, or a high volume
of users are simultaneously attempting access.
• System or network issues. For example, an authentication server is inaccessible.
• Configuration issues. For example, the Allow List of an authentication profile doesn't have all the users
it should have.
The following CLI command displays information that can help you troubleshoot these issues.
Command:
debug authentication
{
  on {debug | dump | error | info | warn} |
  off |
  show |
  show-active-requests |
  show-pending-requests |
  connection-show
  {
    connection-id |
    protocol-type
    {
      Kerberos connection-id <value> |
      LDAP connection-id <value> |
      RADIUS connection-id <value> |
      TACACS+ connection-id <value>
    }
  } |
  connection-debug-on
  {
    connection-id |
    debug-prefix |
    protocol-type
    {
      Kerberos connection-id <value> |
      LDAP connection-id <value> |
      RADIUS connection-id <value> |
      TACACS+ connection-id <value>
    }
  } |
  connection-debug-off
  {
    connection-id |
    protocol-type
    {
      Kerberos connection-id <value> |
      LDAP connection-id <value> |
      RADIUS connection-id <value> |
      TACACS+ connection-id <value>
    }
  }
}
Task:
Use the debug authentication command to troubleshoot authentication events.
Use the show options to display authentication request statistics and the current debugging level:
• show displays the current debugging level for the authentication service (authd).
• show-active-requests displays the number of active checks for authentication requests, allow lists, and
locked user accounts.
• show-pending-requests displays the number of pending checks for authentication requests, allow lists,
and locked user accounts.
• connection-show displays authentication request and response statistics for all authentication servers
or for a specific protocol type.
Use the connection-debug options to enable or disable authentication debugging:
• Use the on option to enable or the off option to disable debugging for authd.
• Use the connection-debug-on option to enable or the connection-debug-off option to disable debugging
for all authentication servers or for a specific protocol type.
Turn debugging off again when you have finished troubleshooting.
Certificate Management
The following topics describe the different keys and certificates that Palo Alto Networks firewalls and
Panorama use, and how to obtain and manage them:
• Keys and Certificates
• Certificate Revocation
• Certificate Deployment
• Set Up Verification for Certificate Revocation Status
• Configure the Master Key
• Obtain Certificates
• Export a Certificate and Private Key
• Configure a Certificate Profile
• Configure an SSL/TLS Service Profile
• Replace the Certificate for Inbound Management Traffic
• Configure the Key Size for SSL Forward Proxy Server Certificates
• Revoke and Renew Certificates
• Secure Keys with a Hardware Security Module
Keys and Certificates
To ensure trust between parties in a secure communication session, Palo Alto Networks firewalls and
Panorama use digital certificates. A certificate binds a public key to the identity of its subject; only the subject
holds the matching private key, and the key pair is what lets the parties prove who they are and encrypt
plaintext or decrypt ciphertext. Each certificate also carries the digital signature of its issuer, which the
authenticating party verifies to confirm that a known issuer vouches for the subject and that the certificate
has not been altered. The issuer must be in the list of trusted certificate authorities (CAs) of the
authenticating party. Optionally, the authenticating party verifies that the issuer did not revoke the certificate
(see Certificate Revocation).
Palo Alto Networks firewalls and Panorama use certificates in the following applications:
• User authentication for Captive Portal, GlobalProtect, Mobile Security Manager, and web interface
access to a firewall or Panorama.
• Device authentication for GlobalProtect VPN (remote user-to-site or large scale).
• Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).
• Decrypting inbound and outbound SSL traffic.
A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the
final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS
connection to the destination server. To secure a connection between itself and the client, the firewall
uses a signing certificate to automatically generate a copy of the destination server certificate.
The following table describes the keys and certificates that Palo Alto Networks firewalls and Panorama use.
As a best practice, use different keys and certificates for each usage.
Table: Palo Alto Networks Device Keys/Certificates (Key/Certificate Usage and Description)
Administrative Access
Secure access to firewall or Panorama administration interfaces (HTTPS access to the web
interface) requires a server certificate for the MGT interface (or a designated interface on
the dataplane if the firewall or Panorama does not use MGT) and, optionally, a certificate
to authenticate the administrator.
Captive Portal
In deployments where Captive Portal identifies users who access HTTPS resources,
designate a server certificate for the Captive Portal interface. If you configure Captive
Portal to use certificates (instead of, or in addition to, username/password credentials) for
user identification, designate a user certificate also. For more information on Captive
Portal, see Map IP Addresses to Usernames Using Captive Portal.
Forward Trust
For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that
signed the certificate of the destination server, the firewall uses the forward trust CA
certificate to generate a copy of the destination server certificate to present to the client.
To set the private key size, see Configure the Key Size for SSL Forward Proxy Server
Certificates. For added security, store the key on a hardware security module (for details,
see Secure Keys with a Hardware Security Module).
Forward Untrust
For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA
that signed the certificate of the destination server, the firewall uses the forward untrust
CA certificate to generate a copy of the destination server certificate to present to the
client. Do not deploy the forward untrust CA certificate to clients: the point of a separate
CA is that clients still see a certificate warning when the origin server's certificate is untrusted.
SSL Inbound Inspection
The keys that decrypt inbound SSL/TLS traffic for inspection and policy enforcement. For
this application, import onto the firewall a private key for each server that is subject to
SSL/TLS inbound inspection. See Configure SSL Inbound Inspection.
SSL Exclude Certificate
Certificates for servers to exclude from SSL/TLS decryption. For example, if you enable
SSL decryption but your network includes servers for which the firewall should not
decrypt traffic (for example, web services for your HR systems), import the corresponding
certificates onto the firewall and configure them as SSL Exclude Certificates. See
Configure Decryption Exceptions.
GlobalProtect
All interaction among GlobalProtect components occurs over SSL/TLS connections.
Therefore, as part of the GlobalProtect deployment, deploy server certificates for all
GlobalProtect portals, gateways, and Mobile Security Managers. Optionally, deploy
certificates for authenticating users also.
Note that the GlobalProtect Large Scale VPN (LSVPN) feature requires a CA signing
certificate.
Site-to-Site VPNs (IKE)
In a site-to-site IPSec VPN deployment, peer devices use Internet Key Exchange (IKE)
gateways to establish a secure channel. IKE gateways use certificates or preshared keys to
authenticate the peers to each other. You configure and assign the certificates or keys
when defining an IKE gateway on a firewall. See Site-to-Site VPN Overview.
Master Key
The firewall uses a master key to encrypt all private keys and passwords. If your network
requires a secure location for storing private keys, you can use an encryption (wrapping)
key stored on a hardware security module (HSM) to encrypt the master key. For details,
see Encrypt a Master Key Using an HSM.
Secure Syslog
The certificate to enable secure connections between the firewall and a syslog server. See
Syslog Field Descriptions.
Trusted Root CA
The designation for a root certificate issued by a CA that the firewall trusts. The firewall
can use a self-signed root CA certificate to automatically issue certificates for other
applications (for example, SSL Forward Proxy).
Also, if a firewall must establish secure connections with other firewalls, the root CA that
issues their certificates must be in the list of trusted root CAs on the firewall.
Certificate Revocation
Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust between parties in a secure
communication session. Configuring a firewall or Panorama to check the revocation status of certificates
provides additional security. A party that presents a revoked certificate is not trustworthy. When a
certificate is part of a chain, the firewall or Panorama checks the status of every certificate in the chain
except the root CA certificate, for which it cannot verify revocation status (a self-signed root is the trust
anchor; no authority above it can vouch for it or revoke it).
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change
of name, change of association between subject and certificate authority (for example, an employee
terminates employment), and compromise (known or suspected) of the private key. Under such
circumstances, the certificate authority that issued the certificate must revoke it.
The firewall and Panorama support the following methods for verifying certificate revocation status. If you
configure both methods, the firewall or Panorama first tries the OCSP method; if the OCSP server is
unavailable, it uses the CRL method.
• Certificate Revocation List (CRL)
• Online Certificate Status Protocol (OCSP)
In PAN-OS, certificate revocation status verification is an optional feature. It is a best practice to
enable it for certificate profiles, which define user and device authentication for Captive Portal,
GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall or Panorama.
Certificate Revocation List (CRL)
Each certificate authority (CA) periodically issues a certificate revocation list (CRL) to a public repository. The
CRL identifies revoked certificates by serial number. After the CA revokes a certificate, the next CRL update
will include the serial number of that certificate.
The Palo Alto Networks firewall downloads and caches the last-issued CRL for every CA listed in the trusted
CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate,
the firewall cache does not store the CRL for the issuing CA. Also, the cache only stores a CRL until it expires.
The firewall supports CRLs only in Distinguished Encoding Rules (DER) format. If the firewall downloads a
CRL in any other format (for example, Privacy Enhanced Mail (PEM) format), any revocation verification
process that uses that CRL will fail when a user performs an activity that triggers the process (for example,
sending outbound SSL data). The firewall will generate a system log for the verification failure. If the
verification was for an SSL certificate, the firewall will also display the SSL Certificate Errors Notify response
page to the user. Check the encoding of a distribution point before relying on it: a DER CRL is a binary blob
whose first byte is 0x30 (the ASN.1 SEQUENCE tag), whereas a PEM CRL is text that begins with
-----BEGIN X509 CRL-----.
To use CRLs for verifying the revocation status of certificates used for the decryption of inbound and
outbound SSL/TLS traffic, see Configure Revocation Status Verification of Certificates Used for SSL/TLS
Decryption.
To use CRLs for verifying the revocation status of certificates that authenticate users and devices, configure
a certificate profile and assign it to the interfaces that are specific to the application: Captive Portal,
GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, or web interface access to Palo
Alto Networks firewalls or Panorama. For details, see Configure Revocation Status Verification of
Certificates.
Online Certificate Status Protocol (OCSP)
When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check
the revocation status of the authentication certificate. The authenticating client sends a request containing
the serial number of the certificate to the OCSP responder (server). The responder searches the database of
the certificate authority (CA) that issued the certificate and returns a response containing the status (good,
revoked, or unknown) to the client. The advantage of the OCSP method is that it can verify status in real time,
instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs.
The Palo Alto Networks firewall downloads and caches OCSP status information for every CA listed in the
trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a
certificate, the firewall cache does not store the OCSP information for the issuing CA. If your enterprise has
its own public key infrastructure (PKI), you can configure the firewall as an OCSP responder (see Configure
an OCSP Responder).
To use OCSP for verifying the revocation status of certificates when the firewall functions as an SSL forward
proxy, perform the steps under Configure Revocation Status Verification of Certificates Used for SSL/TLS
Decryption.
The following applications use certificates to authenticate users and/or devices: Captive Portal,
GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo
Alto Networks firewalls or Panorama. To use OCSP for verifying the revocation status of the certificates:
• Configure an OCSP responder.
• Enable the HTTP OCSP service on the firewall.
• Create or obtain a certificate for each application.
• Configure a certificate profile for each application.
• Assign the certificate profile to the relevant application.
To cover situations where the OCSP responder is unavailable, configure CRL as a fallback method. For
details, see Configure Revocation Status Verification of Certificates.
Certificate Deployment
The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are:
• Obtain certificates from a trusted third-party CA. The benefit of obtaining a certificate from a trusted
third-party certificate authority (CA) such as VeriSign or GoDaddy is that end clients will already trust the
certificate because common browsers include root CA certificates from well-known CAs in their trusted
root certificate stores. Therefore, for applications that require end clients to establish secure connections
with the firewall or Panorama, purchase a certificate from a CA that the end clients trust to avoid having
to pre-deploy root CA certificates to the end clients. (Some such applications are a GlobalProtect portal
or GlobalProtect Mobile Security Manager.) However, note that most third-party CAs cannot issue
signing certificates. Therefore, this type of certificate is not appropriate for applications (for example,
SSL/TLS decryption and large-scale VPN) that require the firewall to issue certificates. See Obtain a
Certificate from an External CA.
• Obtain certificates from an enterprise CA. Enterprises that have their own internal CA can use it to issue
certificates for firewall applications and import them onto the firewall. The benefit is that end clients
probably already trust the enterprise CA. You can either generate the needed certificates and import
them onto the firewall, or generate a certificate signing request (CSR) on the firewall and send it to the
enterprise CA for signing. The benefit of the CSR method is that the private key never leaves the firewall.
An enterprise CA can also issue a signing certificate, which the firewall uses to automatically generate
certificates (for example, for GlobalProtect large-scale VPN or sites requiring SSL/TLS decryption). See
Import a Certificate and Private Key.
• Generate self-signed certificates. You can Create a Self-Signed Root CA Certificate on the firewall and
use it to automatically issue certificates for other firewall applications. Note that if you use this method
to generate certificates for an application that requires an end client to trust the certificate, end users will
see a certificate error because the root CA certificate is not in their trusted root certificate store. To
prevent this, deploy the self-signed root CA certificate to all end user systems. You can deploy the
certificates manually or use a centralized deployment method such as an Active Directory Group Policy
Object (GPO).
Set Up Verification for Certificate Revocation Status
To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP)
and/or certificate revocation lists (CRLs). For details on these methods, see Certificate Revocation. If you
configure both methods, the firewall first tries OCSP and only falls back to the CRL method if the OCSP
responder is unavailable. If your enterprise has its own public key infrastructure (PKI), you can configure the
firewall to function as the OCSP responder.
The following topics describe how to configure the firewall to verify certificate revocation status:
• Configure an OCSP Responder
• Configure Revocation Status Verification of Certificates
• Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
Configure an OCSP Responder
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must
configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder
can be a third-party certificate authority (CA) or, if your enterprise has its own public key infrastructure (PKI),
the firewall itself. For details on OCSP, see Certificate Revocation.
Configure an OCSP Responder
Step 1
Define an OCSP responder.
1. Enter a Name to identify the responder (up to 31 characters).
The name is case-sensitive. It must be unique and use only
letters, numbers, spaces, hyphens, and underscores.
2. If the firewall has more than one virtual system (vsys), select a
Location (vsys or Shared) for the responder.
3. In the Host Name field, enter the host name (recommended)
or IP address of the OCSP responder. From this value,
PAN-OS automatically derives a URL and adds it to the
certificate being verified.
If you configure the firewall itself as an OCSP responder, the
host name must resolve to an IP address in the interface that
the firewall uses for OCSP services (specified in Step 3).
4. Click OK.
Step 2
Enable OCSP communication on the firewall.
In the Management Interface Settings section, edit to select
the HTTP OCSP check box, then click OK.
Step 3
(Optional) To configure the firewall itself as an OCSP responder, add an Interface Management Profile to
the interface used for OCSP services.
When done, click OK and Commit.
Configure Revocation Status Verification of Certificates
The firewall and Panorama use certificates to authenticate users and devices for such applications as Captive
Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. To
improve security, it is a best practice to configure the firewall or Panorama to verify the revocation status of
certificates that it uses for device/user authentication.
Configure Revocation Status Verification of Certificates
Step 1
Configure a Certificate Profile for each application.
Assign one or more root CA certificates to the profile and select
how the firewall verifies certificate revocation status. The common
name (FQDN or IP address) of a certificate must match an interface
to which you apply the profile in Step 2.
For details on the certificates that various applications use, see
Keys and Certificates.
Step 2
Assign the certificate profiles to the relevant applications.
The steps to assign a certificate profile depend on the application
that requires it.
Configure Revocation Status Verification of Certificates Used for SSL/TLS
Decryption
The firewall decrypts inbound and outbound SSL/TLS traffic to apply security policy rules, then
re-encrypts the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.)
You can configure the firewall to verify the revocation status of certificates used for decryption as follows.
Enabling revocation status verification for SSL/TLS decryption certificates will add time to the
process of establishing the session. The first attempt to access a site might fail if the verification
does not finish before the session times out. For these reasons, verification is disabled by default.
Weigh that latency against the alternative: with verification disabled, the firewall will generate a
forward-proxy copy of a server certificate that its CA has already revoked, and the client will trust it.
Step 1
Define the service-specific timeout intervals for revocation status requests.
Perform one or both of the following steps, depending on
whether the firewall will use Online Certificate Status
Protocol (OCSP) or the Certificate Revocation List (CRL)
method to verify the revocation status of certificates. If the
firewall will use both, it first tries OCSP; if the OCSP responder
is unavailable, the firewall then tries the CRL method.
• In the CRL section, select the Enable check box and enter
the Receive Timeout. This is the interval (1-60 seconds)
after which the firewall stops waiting for a response from
the CRL service.
• In the OCSP section, select the Enable check box and enter
the Receive Timeout. This is the interval (1-60 seconds)
after which the firewall stops waiting for a response from
the OCSP responder.
Depending on the Certificate Status Timeout value you
specify in Step 2, the firewall might register a timeout before
either or both of the Receive Timeout intervals pass.
Step 2
Define the total timeout interval for revocation status requests (the Certificate Status Timeout).
Step 3
Define the blocking behavior for unknown certificate status or a revocation status request timeout.
If you want the firewall to block SSL/TLS sessions when the OCSP
or CRL service returns a certificate revocation status of unknown,
select the Block Session With Unknown Certificate Status check
box. Otherwise, the firewall proceeds with the session.
If you want the firewall to block SSL/TLS sessions after it registers
a request timeout, select the Block Session On Certificate Status
Check Timeout check box. Otherwise, the firewall proceeds with
the session.
Leaving both check boxes cleared makes the check fail open: a responder outage, or an attacker who can
keep the responder and the CRL distribution point from answering, lets a revoked certificate through.
Decide deliberately which failure mode you accept.
Step 4
Save and apply your entries.
Click OK and Commit.
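The following added example (not firewall code) models the settings of Steps 1 to 3 so their interaction is visible on concrete inputs: OCSP is tried first, the CRL only if OCSP produced no status, each Receive Timeout is capped by whatever remains of the Certificate Status Timeout, a downloaded CRL that is not DER fails the verification outright, and the two Block Session options decide what happens when no status arrives. The Responder class, the timing model, the treatment of an unreachable responder as a status-check timeout, and the CRL byte samples are assumptions made for this example.

```python
"""Added example (not from the PAN-OS guide): a model of the revocation checks
configured in Steps 1-3 (OCSP first, CRL fallback, Receive Timeouts capped by
the Certificate Status Timeout, Block Session options). Responder, the timing
model and the sample CRL bytes are constructed here, not firewall internals."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RevocationSettings:
    ocsp_enabled: bool = True
    ocsp_receive_timeout: int = 5          # seconds, 1-60 (Step 1)
    crl_enabled: bool = True
    crl_receive_timeout: int = 5           # seconds, 1-60 (Step 1)
    certificate_status_timeout: int = 5    # overall budget (Step 2)
    block_unknown: bool = False            # Block Session With Unknown Certificate Status
    block_on_timeout: bool = False         # Block Session On Certificate Status Check Timeout


@dataclass
class Responder:
    """Simulated OCSP responder or CRL distribution point."""
    latency: float                  # seconds until it answers
    status: Optional[str] = None    # "good", "revoked", "unknown"; None = unreachable
    payload: bytes = b""            # CRL only: the bytes the firewall would download


def crl_encoding(data: bytes) -> str:
    """The firewall accepts CRLs only in DER; classify what a distribution point served."""
    if data.startswith(b"-----BEGIN X509 CRL-----"):
        return "PEM"
    if len(data) >= 2 and data[0] == 0x30:          # DER SEQUENCE tag of CertificateList
        first = data[1]
        if first < 0x80:
            body, hdr = first, 2
        else:
            n = first & 0x7F
            if n == 0 or len(data) < 2 + n:
                return "unknown"
            body, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
        if hdr + body == len(data):                  # definite length must cover the blob
            return "DER"
    return "unknown"


def _ask(r: Responder, receive_timeout: int, remaining: float):
    """Returns (status_or_None, seconds_spent); the wait is bounded by both limits."""
    if r.status is None:
        return None, 0.0                 # refused / no route: assumed to fail immediately
    budget = min(receive_timeout, remaining)
    if r.latency > budget:
        return None, budget              # Receive Timeout or the overall timeout hit first
    return r.status, r.latency


def check_revocation(s: RevocationSettings, ocsp: Optional[Responder], crl: Optional[Responder]):
    """Returns (decision, reason) for one SSL/TLS session; decision is "allow" or "block"."""
    remaining, status, trail = float(s.certificate_status_timeout), None, []
    if s.ocsp_enabled and ocsp is not None:
        status, spent = _ask(ocsp, s.ocsp_receive_timeout, remaining)
        remaining -= spent
        trail.append(f"ocsp={status or 'no answer'}")
    if status is None and s.crl_enabled and crl is not None and remaining > 0:
        status, spent = _ask(crl, s.crl_receive_timeout, remaining)
        remaining -= spent
        if status is not None and crl_encoding(crl.payload) != "DER":
            return "block", "downloaded CRL is not DER: verification fails (SSL Certificate Errors Notify page)"
        trail.append(f"crl={status or 'no answer'}")
    why = ", ".join(trail) or "no method enabled"
    if status == "revoked":
        return "block", why
    if status == "good":
        return "allow", why
    if status == "unknown":
        return ("block" if s.block_unknown else "allow"), why + " (unknown status)"
    # no method produced a status: modelled as a status-check timeout (assumption)
    return ("block" if s.block_on_timeout else "allow"), why + " (status check timed out)"


# Constructed samples: a DER-shaped blob (SEQUENCE, long-form length 256) and a PEM wrapper.
DER_CRL = b"\x30\x82\x01\x00" + b"\x00" * 256
PEM_CRL = b"-----BEGIN X509 CRL-----\nMIIB\n-----END X509 CRL-----\n"

if __name__ == "__main__":
    defaults = RevocationSettings()
    print(check_revocation(defaults, Responder(0, None), Responder(30, "revoked", DER_CRL)))
    print(check_revocation(RevocationSettings(block_on_timeout=True),
                           Responder(0, None), Responder(30, "revoked", DER_CRL)))
```

The first call in the usage block is the fail-open case the guide's Step 3 leaves to you: OCSP unreachable, CRL too slow, both block options cleared, so a certificate the CA has revoked is allowed through; the second call shows the same inputs with Block Session On Certificate Status Check Timeout set. Note also that a Certificate Status Timeout equal to one Receive Timeout leaves no budget for the CRL fallback once OCSP has timed out.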
Configure the Master Key
Every firewall and Panorama management server has a default master key that encrypts private keys and
other secrets (such as passwords and shared keys). Among the protected private keys are those of the
certificates that secure administrative access to the firewall. As a best practice to safeguard the keys,
configure the master key on each firewall to be unique and periodically change it; the factory default master
key is not unique to your device. For added security, use a wrapping key stored on a
hardware security module (HSM) to encrypt the master key. For details, see Encrypt a Master Key Using an
HSM.
In a high availability (HA) configuration, ensure both firewalls or Panorama management servers
in the pair use the same master key to encrypt private keys and certificates. If the master keys
differ, HA configuration synchronization will not work properly.
When you export a firewall or Panorama configuration, the master key encrypts the passwords
of users managed on external servers. For locally managed users, the firewall or Panorama hashes
the passwords but the master key does not encrypt them.
Configure a Master Key
Step 1
Step 2
Step 3
Step 4
(Optional) To specify the master key Life Time, enter the number of Days and/or Hours after which the key
will expire. If you set a lifetime, create a new master key before the old key expires.
Step 5
Step 6
(Optional) Select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key
Using an HSM.
Step 7
Click OK and Commit.
Obtain Certificates
Create a Self-Signed Root CA Certificate
Generate a Certificate
Import a Certificate and Private Key
Obtain a Certificate from an External CA
Create a Self-Signed Root CA Certificate
A self-signed root certificate authority (CA) certificate is the topmost certificate in a certificate chain. A firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall issues certificates for SSL/TLS decryption and for satellites in a GlobalProtect large-scale VPN.
When establishing a secure connection with the firewall, the remote client must trust the root CA that issued the certificate. Otherwise, the client browser will display a warning that the certificate is invalid and might (depending on security settings) block the connection. To prevent this, after generating the self-signed root CA certificate, import it into the client systems. Keep in mind that every client that trusts this root CA will accept any certificate the firewall issues with it, so protect its private key accordingly.
On a Palo Alto Networks firewall or Panorama, you can generate self-signed certificates only if they are CA certificates.
Generate a Self-Signed Root CA Certificate
Step 1
Step 2
If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3
Click Generate.
Step 4
Enter a Certificate Name, such as GlobalProtect_CA. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
Step 5
In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
Step 6
If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
Step 7
Leave the Signed By field blank to designate the certificate as self-signed.
Step 8
(Required) Select the Certificate Authority check box.
Step 9
Leave the OCSP Responder field blank; revocation status verification doesn't apply to root CA certificates.
Step 10
Click Generate and Commit.
Generate a Certificate
Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. Generate certificates for each usage; for details, see Keys and Certificates.
To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, Configure an OCSP Responder before generating the certificate.
Generate a Certificate
Step 1
Step 2
If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3
Click Generate.
Step 4
Select Local (default) as the Certificate Type unless you want to deploy SCEP certificates to GlobalProtect clients.
Step 5
Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
Step 6
In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
Step 7
If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
Step 8
In the Signed By field, select the root CA certificate that will issue the certificate.
Step 9
(Optional) Select an OCSP Responder.
Generate a Certificate (Continued)
Step 16
Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
Step 17
Click OK and Commit.
Import a Certificate and Private Key
If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.
On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.
Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.
If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.
Import a Certificate and Private Key
Step 1
From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it. Once the import succeeds, delete the exported key file from the management system so that the only copy of the private key outside the enterprise CA is the one on the firewall.
Step 2
Step 3
If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 4
Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
Step 5
To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.
Step 6
Enter the path and name of the Certificate File received from the CA, or Browse to find the file.
Step 7
Select a File Format:
Encrypted Private Key and Certificate (PKCS12): This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
Base64 Encoded Certificate (PEM): You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip Step 8. Otherwise, select the Import Private Key check box, enter the Key File or Browse to it, then perform Step 8.
Step 8
Enter and re-enter (confirm) the Passphrase used to encrypt the private key.
Step 9
Click OK. The Device Certificates page displays the imported certificate.
Obtain a Certificate from an External CA
The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR) and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall. The CA can be a well-known, public CA or an enterprise CA.
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, Configure an OCSP Responder before generating the CSR.
Obtain a Certificate from an External CA
Step 1
Request the certificate from an external CA.
1.
2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
3. Click Generate.
4. Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
7.
8. If applicable, select an OCSP Responder.
9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.
If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.
10. Click Generate. The Device Certificates tab displays the CSR with a Status of pending.
Step 2
Submit the CSR to the CA.
1. Select the CSR and click Export to save the .csr file to a local computer.
2. Upload the .csr file to the CA.
Step 3
Import the certificate.
1. After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click Import.
2. Enter the Certificate Name used to generate the CSR in Step 1, item 4.
3. Enter the path and name of the PEM Certificate File that the CA sent, or Browse to it.
4. Click OK. The Device Certificates tab displays the certificate with a Status of valid.
Step 4
Configure the certificate.
1. Click the certificate Name.
2. Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
3. Click OK and Commit.
Export a Certificate and Private Key
Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a certificate and private key in your organization. However, if necessary, you can also export a certificate and private key from the firewall or Panorama. Every exported copy of a private key is another place it can be stolen from, so export only when one of the following cases requires it and delete the exported file when it is no longer needed. You can use an exported certificate and private key in the following cases:
Configure Certificate-Based Administrator Authentication to the Web Interface
GlobalProtect agent/app authentication to portals and gateways
SSL Forward Proxy decryption
Obtain a Certificate from an External CA
Export a Certificate and Private Key
Step 1
Step 2
If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.
Step 3
Select the certificate, click Export, and select a File Format:
Base64 Encoded Certificate (PEM): This is the default format. It is the most common and has the broadest support on the Internet. If you want the exported file to include the private key, select the Export Private Key check box.
Encrypted Private Key and Certificate (PKCS12): This format is more secure than PEM but is not as common or as broadly supported. The exported file will automatically include the private key.
Binary Encoded Certificate (DER): More operating system types support this format than the others. You can export only the certificate, not the key; ignore the Export Private Key check box and passphrase fields.
Step 4
Step 5
Click OK and save the certificate/key file to your computer.
Configure a Certificate Profile
Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.
It is a best practice to enable Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) status verification for certificate profiles. For details on these methods, see Certificate Revocation.
Configure a Certificate Profile
Step 1
Obtain the certificate authority (CA) certificates you will assign.
Perform one of the following steps to obtain the CA certificates you will assign to the profile. You must assign at least one.
Generate a Certificate.
Export a certificate from your enterprise CA and then import it onto the firewall (see Step 3).
Step 2
Identify the certificate profile.
1.
2. Enter a Name to identify the profile. The name is case-sensitive, must be unique and can use up to 31 characters that include only letters, numbers, spaces, hyphens, and underscores.
3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the profile.
Step 3
Assign one or more certificates.
Perform the following steps for each CA certificate:
1. In the CA Certificates table, click Add.
2. Select a CA Certificate. Alternatively, to import a certificate, click Import, enter a Certificate Name, Browse to the Certificate File you exported from your enterprise CA, and click OK.
3. (Optional) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
By default, the firewall uses the OCSP responder URL that you set in the procedure Configure an OCSP Responder. To override that setting, enter a Default OCSP URL (starting with http:// or https://).
By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
4. Click OK. The CA Certificates table displays the assigned certificate.
Step 4
Define the methods for verifying certificate revocation status and the associated blocking behavior.
1. Select the method or methods the firewall will use to verify revocation status: CRL, OCSP, or both. When both are enabled, the firewall tries OCSP first and falls back to the CRL only if the OCSP responder is unavailable.
2. Depending on the verification method, enter the CRL Receive Timeout and/or OCSP Receive Timeout. These are the intervals (1-60 seconds) after which the firewall stops waiting for a response from the CRL/OCSP service.
3. Enter the Certificate Status Timeout, the total interval after which the firewall stops waiting for any revocation status response; it can expire before either Receive Timeout does.
4. If you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block session if certificate status is unknown check box. Otherwise, the firewall proceeds with the session.
5. If you want the firewall to block sessions after it registers an OCSP or CRL request timeout, select the Block session if certificate status cannot be retrieved within timeout check box. Otherwise, the firewall proceeds with the session.
With both check boxes cleared the profile fails open: a certificate whose status cannot be retrieved is accepted as if it were valid. Select them where the OCSP responder or CRL service is reliably reachable from the firewall.
Step 5
Save and apply your entries.
Click OK and Commit.
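The way the two Receive Timeouts, the Certificate Status Timeout and the two blocking check boxes interact (in the certificate profile above and in the Step 3 settings at the top of this page, which use the names Block Session With Unknown Certificate Status and Block Session On Certificate Status Check Timeout) is easier to see as code. The following Python model is an added illustration and not PAN-OS code: the OCSP and CRL responders are constructed stand-ins that return a status and a delay, and the carry-over of the remaining Certificate Status Timeout from the OCSP attempt to the CRL attempt is an assumption about the firewall's accounting that the page does not spell out.

```python
"""Model of the revocation-check decision described for certificate profiles:
OCSP first, CRL as fallback when OCSP is unavailable, one Receive Timeout per
method, an overall Certificate Status Timeout, and the two 'block' check boxes.
Added illustration, not PAN-OS code.  The responders are constructed stand-ins
and the carry-over of the remaining Certificate Status Timeout from the OCSP
attempt to the CRL attempt is an assumption about the firewall's accounting."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# A responder stand-in returns (status, seconds_until_reply).  status is
# "good", "revoked" or "unknown"; None means the service could not be reached.
Responder = Callable[[], Tuple[Optional[str], float]]


@dataclass
class RevocationSettings:
    use_ocsp: bool = True
    use_crl: bool = True
    ocsp_receive_timeout: int = 5        # OCSP Receive Timeout, 1-60 seconds
    crl_receive_timeout: int = 5         # CRL Receive Timeout, 1-60 seconds
    certificate_status_timeout: int = 5  # total budget for the whole check
    block_if_unknown: bool = False       # Block session if certificate status is unknown
    block_on_timeout: bool = False       # Block session if status cannot be retrieved within timeout


def _on_timeout(settings: RevocationSettings, why: str) -> Tuple[str, str]:
    return ("block" if settings.block_on_timeout else "allow", "timeout: " + why)


def check_revocation(settings: RevocationSettings, ocsp: Responder, crl: Responder) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one session's certificate."""
    budget = float(settings.certificate_status_timeout)
    methods: List[Tuple[str, Responder, int]] = []
    if settings.use_ocsp:
        methods.append(("OCSP", ocsp, settings.ocsp_receive_timeout))
    if settings.use_crl:
        methods.append(("CRL", crl, settings.crl_receive_timeout))
    if not methods:
        return "allow", "revocation checking disabled"

    for name, responder, receive_timeout in methods:
        status, took = responder()
        # The firewall stops waiting at whichever comes first: this method's
        # Receive Timeout or what is left of the Certificate Status Timeout.
        deadline = min(receive_timeout, budget)
        if took > deadline:
            if budget <= receive_timeout:
                # Overall timeout fired first: no fallback, apply the timeout check box.
                return _on_timeout(settings, name + " exceeded the Certificate Status Timeout")
            budget -= receive_timeout       # this method timed out; fall back to the next
            continue
        budget -= took
        if status is None:
            continue                        # service unreachable (e.g. refused); fall back
        if status == "revoked":
            return "block", name + ": certificate revoked"
        if status == "unknown":
            return ("block" if settings.block_if_unknown else "allow", name + ": status unknown")
        return "allow", name + ": status good"

    return _on_timeout(settings, "status could not be retrieved from any enabled method")


if __name__ == "__main__":
    # Constructed scenarios: an OCSP responder that answers only after 10 s and a
    # CRL service that answers 'good' in 1 s.
    slow_ocsp: Responder = lambda: ("good", 10.0)
    quick_crl: Responder = lambda: ("good", 1.0)
    lenient = RevocationSettings(ocsp_receive_timeout=3, certificate_status_timeout=10)
    strict = RevocationSettings(ocsp_receive_timeout=3, certificate_status_timeout=2,
                                block_on_timeout=True)
    print(check_revocation(lenient, slow_ocsp, quick_crl))   # falls back to CRL
    print(check_revocation(strict, slow_ocsp, quick_crl))    # blocked: overall timeout
```

The two scenarios in the usage block show the practical consequence of item 3 above: with a Certificate Status Timeout larger than the OCSP Receive Timeout the firewall gets to try the CRL, but with a Certificate Status Timeout smaller than the OCSP Receive Timeout the overall timeout fires first and the CRL is never consulted, so the session's fate rests entirely on the timeout check box.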
Configure an SSL/TLS Service Profile
Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses. If a client offers a protocol version that is outside the specified range, the firewall or Panorama negotiates the highest version within the range that the client also supports; a client that supports no version within the range cannot complete the handshake.
Configure an SSL/TLS Service Profile
Step 1
For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
Use only signed certificates, not certificate authority (CA) certificates, for SSL/TLS services.
Step 2
Step 3
If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
Step 4
Click Add and enter a Name to identify the profile.
Step 5
Select the Certificate you just obtained.
Step 6
Define the range of protocols that the service can use:
For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest available version). The default is Max.
The default Min Version of TLSv1.0 keeps a version with known weaknesses enabled; raise it to the highest version that all clients of the service support.
Step 7
Click OK and Commit.
Replace the Certificate for Inbound Management Traffic
When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). Because no client trusts the default certificate, administrators see a warning on every connection and have no way to tell the real firewall from an impostor presenting its own untrusted certificate. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
You cannot view, modify, or delete the default certificate.
Securing management traffic also involves configuring how administrators authenticate to the firewall or to Panorama.
Replace the Certificate for Inbound Management Traffic
Step 1
Obtain the certificate that will authenticate the firewall or Panorama to the client systems of administrators.
You can simplify your Certificate Deployment by using a certificate that the client systems already trust. Therefore, we recommend that you Import a Certificate and Private Key from your enterprise certificate authority (CA) or Obtain a Certificate from an External CA; the trusted root certificate store of the client systems is likely to already have the associated root CA certificate that ensures trust.
If you Generate a Certificate on the firewall or Panorama, administrators will see a certificate error because the root CA certificate is not in the trusted root certificate store of client systems. To prevent this, deploy the self-signed root CA certificate to all client systems.
Regardless of how you obtain the certificate, we recommend a Digest algorithm of sha256 or higher for enhanced security.
Step 2
Configure an SSL/TLS Service Profile.
Select the Certificate you just obtained.
For enhanced security, we recommend that you set the Min Version (earliest allowed TLS version) to TLSv1.1 for inbound management traffic, or to TLSv1.2 if every administrator client supports it. We also recommend that you use a different SSL/TLS Service Profile for each firewall or Panorama service instead of reusing this profile for all services.
Step 3
Apply the SSL/TLS Service Profile to inbound management traffic.
1.
2.
3. Click OK and Commit.
Configure the Key Size for SSL Forward Proxy Server Certificates
When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall derives the key size of the generated certificate from the key size of the certificate that the destination server presented (see Defined by destination host below). However, you can change the key size for the firewall-generated certificate as follows:
Configure the Key Size for SSL Forward Proxy Server Certificates
Step 1
Step 2
Select a Key Size:
Defined by destination host: The firewall determines the key size for the certificates it generates to establish SSL proxy sessions with clients based on the key size of the destination server certificate. If the destination server uses a 1,024-bit RSA key, the firewall generates a certificate with that key size and an SHA1 hashing algorithm. If the destination server uses a key size larger than 1,024 bits (for example, 2,048 bits or 4,096 bits), the firewall generates a certificate that uses a 2,048-bit RSA key and SHA256 algorithm. This is the default setting.
1024-bit RSA: The firewall generates certificates that use a 1,024-bit RSA key and SHA1 hashing algorithm regardless of the key size of the destination server certificates. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2,048 bits. In the future, depending on security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.
2048-bit RSA: The firewall generates certificates that use a 2,048-bit RSA key and SHA256 hashing algorithm regardless of the key size of the destination server certificates. Public CAs and popular browsers support 2,048-bit keys, which provide better security than the 1,024-bit keys.
Because the 1024-bit RSA setting issues a weak key and an SHA1 signature for every proxied session, choose 2048-bit RSA unless a legacy client that cannot handle larger keys forces the choice.
Changing the key size setting clears the current certificate cache.
Step 3
Click OK and Commit.
Revoke and Renew Certificates
Revoke a Certificate
Renew a Certificate
Revoke a Certificate
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority (CA) that issued the certificate must revoke it. The following task describes how to revoke a certificate for which the firewall is the CA.
Revocation only takes effect for relying parties that consult the firewall's OCSP responder or CRL; a client that does not check revocation status continues to accept the certificate until it expires.
Revoke a Certificate
Step 1
Step 2
If the firewall supports multiple virtual systems, the tab displays a Location drop-down. Select the virtual system to which the certificate belongs.
Step 3
Select the certificate to revoke.
Step 4
Click Revoke. PAN-OS immediately sets the status of the certificate to revoked and adds the serial number to the Online Certificate Status Protocol (OCSP) responder cache or certificate revocation list (CRL). You need not perform a commit.
Renew a Certificate
If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status (see Configure an OCSP Responder). If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.
Renew a Certificate
Step 1
Step 2
If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3
Select a certificate to renew and click Renew.
Step 4
Step 5
Click OK and Commit.
Secure Keys with a Hardware Security Module
A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. It provides both logical and physical protection of these materials from non-authorized use and potential adversaries.
HSM clients integrated with Palo Alto Networks firewalls or Panorama enable enhanced security for the private keys used in SSL/TLS decryption (both SSL forward proxy and SSL inbound inspection). In addition, you can use the HSM to encrypt master keys.
The following topics describe how to integrate an HSM with your firewall or Panorama:
Set up Connectivity with an HSM
Encrypt a Master Key Using an HSM
Store Private Keys on an HSM
Manage the HSM Deployment
Set up Connectivity with an HSM
HSM clients are integrated with PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls and on Panorama (virtual appliance and M-Series appliance) for use with the following HSMs:
SafeNet Network 5.2.1 or later
Thales nShield Connect 11.62 or later
The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.
The following topics describe how to set up connectivity to one of the supported HSMs:
Set Up Connectivity with a SafeNet Network HSM
Set Up Connectivity with a Thales nShield Connect HSM
Set Up Connectivity with a SafeNet Network HSM
To set up connectivity between the Palo Alto Networks firewall and a SafeNet Network HSM, you must specify the address of the HSM server and the password for connecting to it in the firewall configuration. In addition, you must register the firewall with the HSM server. Before starting the configuration, make sure you have created a partition for the Palo Alto Networks firewalls on the HSM server.
HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
In Active-Passive HA deployments, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After this manual failover has been performed, user interaction is not required for the failover function.
Set up Connectivity with a SafeNet Network HSM
Step 1
Configure the firewall to communicate with the SafeNet Network HSM.
1.
2. Edit the Hardware Security Module Provider section and select Safenet Luna SA (SafeNet Network) as the Provider Configured.
3. Click Add and enter a Module Name. This can be any ASCII string up to 31 characters in length.
4.
5. (Optional) If configuring a high availability HSM configuration, select the High Availability check box and add the following: a value for Auto Recovery Retry and a High Availability Group Name.
If two HSM servers are configured, you should configure high availability. Otherwise the second HSM server is not used.
6. Click OK and Commit.
Step 2
(Optional) Configure a service route to enable the firewall to connect to the HSM.
By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
1.
2.
3. Select Customize from the Service Route Configuration area.
4. Select the IPv4 tab.
5. Select HSM from the Service column.
6. Select an interface to use for HSM from the Source Interface drop-down.
If you select a dataplane-connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
7. Click OK and Commit.
Step 3
Configure the firewall to authenticate to the HSM.
1.
2.
3. Select the HSM Server Name from the drop-down.
4.
5. Click OK. The firewall attempts to perform an authentication with the HSM and displays a status message.
6. Click OK.
Set up Connectivity with a SafeNet Network HSM (Continued)
Step 4
Register the firewall (the HSM client) with the HSM and assign it to a partition on the HSM.
1. Log in to the HSM from a remote system.
2. Register the firewall using the following command:
client register -c <cl-name> -ip <fw-ip-addr>
where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address of the firewall that is being configured as an HSM client.
3. Assign a partition to the firewall using the following command:
client assignpartition -c <cl-name> -p <partition-name>
where <cl-name> is the name assigned to the firewall in the client register command and <partition-name> is the name of a previously configured partition that you want to assign to the firewall.
If the HSM already has a firewall with the same <cl-name> registered, you must remove the duplicate registration using the following command before registration will succeed:
client delete -client <cl-name>
where <cl-name> is the name of the client (firewall) registration you want to delete.
Step 5
Configure the firewall to connect to the HSM partition.
1.
2.
3.
4.
5. Click OK.
Step 6
(Optional) Configure an additional HSM for high availability (HA).
1.
2.
If you remove an HSM from your configuration, repeat Step 5. This will remove the deleted HSM from the HA group.
Step 7
Verify connectivity with the HSM.
1.
2. Check the Status of the HSM connection:
Green: HSM is authenticated and connected.
Red: HSM was not authenticated or network connectivity to the HSM is down.
3. View the following columns in the Hardware Security Module Status area to determine authentication status:
Serial Number: The serial number of the HSM partition if the HSM was successfully authenticated.
Partition: The partition name on the HSM that was assigned on the firewall.
Module State: The current operating state of the HSM. It always has the value Authenticated if the HSM is displayed in this table.
Set Up Connectivity with a Thales nShield Connect HSM
The following workflow describes how to configure the firewall to communicate with a Thales nShield Connect HSM. This configuration requires that you set up a remote file system (RFS) to use as a hub to sync key data for all firewalls in your organization that are using the HSM.
HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
If the firewall is in an active/passive high availability configuration, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After you perform this initial manual failover, no further user interaction is required for failover function.
Set up Connectivity with a Thales nShield Connect HSM
Step 1
Configure the Thales nShield Connect server as the firewall's HSM provider.
1.
2.
3.
4. Enter the IPv4 address as the Server Address of the HSM module.
If you are configuring a high availability HSM configuration, enter module names and IP addresses for the additional HSM devices.
5.
6. Click OK and Commit.
Step 2
(Optional) Configure a service route to enable the firewall to connect to the HSM.
By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
1.
2.
3. Select Customize from the Service Route Configuration area.
4. Select the IPv4 tab.
5. Select HSM from the Service column.
6. Select an interface to use for HSM from the Source Interface drop-down.
If you select a dataplane-connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
7. Click OK and Commit.
Step 3
Register the firewall (the HSM client) with the HSM server.
This step briefly describes the procedure for using the front panel interface of the Thales nShield Connect HSM. For more details, consult the Thales documentation.
1. Log in to the front panel display of the Thales nShield Connect HSM unit.
2. On the unit front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.
3. Enter the IP address of the firewall.
4. Select System > System configuration > Client config > Remote file system and enter the IP address of the client computer where you set up the remote file system.
Set up Connectivity with a Thales nShield Connect HSM (Continued)
Step 4
Set up the remote file system to accept connections from the firewall.
1. Log in to the remote file system (RFS) from a Linux client.
2. Obtain the electronic serial number (ESN) and the hash of the KNETI key. The KNETI key authenticates the module to clients:
anonkneti <ip-address>
where <ip-address> is the IP address of the HSM.
The following is an example:
anonkneti 192.0.2.1
B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
In this example, B1E2-2D4C-E6A2 is the ESN and 5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key.
Because anonkneti fetches these values over the network without authenticating the HSM, compare the ESN and hash with the values shown on the HSM unit itself before using them in the next step.
3. Use the following command from a superuser account to perform the remote file system setup:
rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>
where <ip-address> is the IP address of the HSM, <ESN> is the electronic serial number (ESN) and <hash-Kneti-key> is the hash of the KNETI key.
The following example uses the values obtained in this procedure (the angle brackets above mark placeholders and are not typed):
rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
4. Use the following command to permit client submit on the Remote Filesystem:
rfs-setup --gang-client --write-noauth <FW-IPaddress>
where <FW-IPaddress> is the IP address of the firewall.
Step 5
Configure the firewall to authenticate to the HSM.
1.
2.
3. Click OK. The firewall attempts to perform an authentication with the HSM and displays a status message.
4. Click OK.
Step 6
Synchronize the firewall with the remote file system.
1.
2.
Step 7
Verify that the firewall can connect to the HSM.
1.
2. Check the Status indicator to verify that the firewall is connected to the HSM:
Green: HSM is authenticated and connected.
Red: HSM was not authenticated or network connectivity to the HSM is down.
3. View the following columns in the Hardware Security Module Status section to determine authentication status.
Name: The name of the HSM attempting to be authenticated.
IP address: The IP address of the HSM that was assigned on the firewall.
Module State: The current operating state of the HSM: Authenticated or Not Authenticated.
EncryptaMasterKeyUsinganHSM
AmasterkeyisconfiguredonaPaloAltoNetworksfirewalltoencryptallprivatekeysandpasswords.Ifyou
havesecurityrequirementstostoreyourprivatekeysinasecurelocation,youcanencryptthemasterkey
usinganencryptionkeythatisstoredonanHSM.ThefirewallthenrequeststheHSMtodecryptthemaster
keywheneveritisrequiredtodecryptapasswordorprivatekeyonthefirewall.Typically,theHSMislocated
inahighlysecurelocationthatisseparatefromthefirewallforgreatersecurity.
TheHSMencryptsthemasterkeyusingawrappingkey.Tomaintainsecurity,thisencryptionkeymust
occasionallybechanged.Forthisreason,acommandisprovidedonthefirewalltorotatethewrappingkey
whichchangesthemasterkeyencryption.Thefrequencyofthiswrappingkeyrotationdependsonyour
application.
MasterkeyencryptionusinganHSMisnotsupportedonfirewallsconfiguredinFIPS/CCmode.
Thefollowingtopicsdescribehowtoencryptthemasterkeyinitiallyandhowtorefreshthemasterkey
encryption:
EncrypttheMasterKey
RefreshtheMasterKeyEncryption
EncrypttheMasterKey
Ifyouhavenotpreviouslyencryptedthemasterkeyonafirewall,usethefollowingproceduretoencryptit.
Usethisprocedureforfirsttimeencryptionofakey,orifyoudefineanewmasterkeyandyouwantto
encryptit.Ifyouwanttorefreshtheencryptiononapreviouslyencryptedkey,seeRefreshtheMasterKey
Encryption.
Encrypt a Master Key Using an HSM

Step 1
Step 2
Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the Master Key field.
Step 3
If changing the master key, enter the new master key and confirm.
Step 4
Select the HSM checkbox.
   Life Time: The number of days and hours after which the master key expires (range 1-730 days).
   Time for Reminder: The number of days and hours before expiration when the user is notified of the impending expiration (range 1-365 days).
Step 5
Click OK.
Refresh the Master Key Encryption

As a best practice, refresh the master key encryption on a regular basis by rotating the master key wrapping key on the HSM. This command is the same for both the SafeNet Network and Thales nShield Connect HSMs.

Refresh the Master Key Encryption

Step 1
Use the following CLI command to rotate the wrapping key for the master key on an HSM:
> request hsm mkey-wrapping-key-rotation
If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and encrypt the master key with the new wrapping key.
If the master key is not encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM for future use.
The old wrapping key is not deleted by this command.
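The rotation described above is envelope encryption: the master key itself never changes, only the wrapping key under which the HSM stores it. The following model is an added example written for this guide, not PAN-OS or HSM vendor code. The ToyHsm class stands in for the HSM, the HMAC-SHA256 counter-mode keystream is a toy cipher chosen so the example runs on the Python standard library (a real HSM uses an authenticated key-wrap algorithm), and the master key is a constructed random value.

```python
"""Model of HSM master-key wrapping and wrapping-key rotation.

Added illustration, not PAN-OS or HSM vendor code. The "HSM" is a Python
object that never exports its wrapping keys, and the cipher is a toy
HMAC-SHA256 counter-mode keystream so the example runs on the standard
library; a real HSM uses an authenticated key-wrap algorithm instead.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyHsm:
    """Stand-in for the HSM: wrapping keys are generated and used only in here."""

    def __init__(self) -> None:
        self._wrapping_keys: dict[int, bytes] = {}
        self._current = 0
        self.rotate_wrapping_key()          # first wrapping key, id 1

    def rotate_wrapping_key(self) -> int:
        """Generate a new wrapping key and make it current.

        The previous key is retained, matching the guide's statement that the
        old wrapping key is not deleted by the rotation command."""
        key_id = len(self._wrapping_keys) + 1
        self._wrapping_keys[key_id] = secrets.token_bytes(32)
        self._current = key_id
        return key_id

    @property
    def current_key_id(self) -> int:
        return self._current

    def wrap(self, master_key: bytes) -> tuple[int, bytes]:
        """Encrypt the master key under the current wrapping key; returns (key id, blob)."""
        key = self._wrapping_keys[self._current]
        return self._current, _xor(master_key, _keystream(key, len(master_key)))

    def unwrap(self, key_id: int, blob: bytes) -> bytes:
        """Decrypt a blob with the wrapping key it was created under."""
        key = self._wrapping_keys[key_id]
        return _xor(blob, _keystream(key, len(blob)))


def rotate_master_key_wrapping(hsm: ToyHsm, key_id: int, blob: bytes) -> tuple[int, bytes]:
    """What the rotation command does when the master key is HSM-encrypted:
    unwrap with the old key, generate a new wrapping key, wrap again."""
    master_key = hsm.unwrap(key_id, blob)
    hsm.rotate_wrapping_key()
    return hsm.wrap(master_key)


def demo() -> dict:
    """Run one rotation on a constructed master key and report what changed."""
    hsm = ToyHsm()
    master_key = secrets.token_bytes(16)          # constructed sample, not a real key
    old_id, old_blob = hsm.wrap(master_key)
    new_id, new_blob = rotate_master_key_wrapping(hsm, old_id, old_blob)
    return {
        "old_id": old_id,
        "new_id": new_id,
        "blob_changed": old_blob != new_blob,                       # encryption refreshed
        "master_key_unchanged": hsm.unwrap(new_id, new_blob) == master_key,
        "old_key_retained": hsm.unwrap(old_id, old_blob) == master_key,
    }
```

The firewall side of this model only ever holds the wrapped blob and the key id, which is why the firewall must ask the HSM to decrypt the master key each time it needs a private key or password.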
Store Private Keys on an HSM

For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:
- SSL forward proxy: The HSM can store the private key of the CA certificate that is used to sign certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding them to the client.
- SSL inbound inspection: The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.

Store Private Keys on an HSM

Step 1
On the HSM, import or generate the private key used in your SSL forward proxy or SSL inbound inspection deployment.
For instructions on importing or generating a private key on the HSM, refer to your HSM documentation.
Step 2
(Thales nShield Connect only) Synchronize the key data from the HSM remote filesystem to the firewall.
Step 3
Import the certificate that corresponds to the HSM-stored key onto the firewall.
3. Enter the filename of the Certificate File you imported to the HSM.
4. Select a File Format.
6. Click OK and Commit.
Step 4
(Forward trust certificates only) Enable the certificate for use in SSL/TLS Forward Proxy.
4. Click OK and Commit.
Step 5
Verify that you successfully imported the certificate onto the firewall.
Manage the HSM Deployment

Manage HSM
- View the HSM configuration settings.
- Display detailed HSM information.
- Export Support file.
- Reset HSM configuration.
High Availability

High availability (HA) is a deployment in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up two firewalls in an HA pair provides redundancy and allows you to ensure business continuity.

Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session and configuration synchronization, with a few exceptions:
- The PA-200 firewall supports HA Lite only.
- The VM-Series firewall in AWS supports active/passive HA only; if it is deployed with Amazon Elastic Load Balancing (ELB), it does not support HA (in this case ELB provides the failover capabilities).
- The VM-Series firewall in Microsoft Azure does not support HA.

The following topics provide more information about high availability and how to configure it in your environment.
- HA Overview
- HA Concepts
- Set Up Active/Passive HA
- Set Up Active/Active HA
- HA Firewall States
- Reference: HA Synchronization
HA Overview

You can set up two Palo Alto Networks firewalls as an HA pair. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that the peer firewall fails. The firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data (network, object, and policy configurations) and to maintain state information. Firewall-specific configuration such as management interface IP address or administrator profiles, HA-specific configuration, log data, and the Application Command Center (ACC) information is not shared between peers. For a consolidated application and log view across the HA pair, you must use Panorama, the Palo Alto Networks centralized management system.

When a failure occurs on a firewall in an HA pair and the peer firewall takes over the task of securing traffic, the event is called a failover. The conditions that trigger a failover are:
- One or more of the monitored interfaces fail. (Link Monitoring)
- One or more of the destinations specified on the firewall cannot be reached. (Path Monitoring)
- The firewall does not respond to heartbeat polls. (Heartbeat Polling and Hello messages)
- A critical chip or software component fails, known as packet path health monitoring.

You can use Panorama to manage HA firewalls. See Context Switch: Firewall or Panorama in the Panorama Administrator's Guide.

After you understand the HA Concepts, proceed to Set Up Active/Passive HA or Set Up Active/Active HA.
HA Concepts

The following topics provide conceptual information about how HA works on a Palo Alto Networks firewall:
- HA Modes
- HA Links and Backup Links
- Device Priority and Preemption
- Failover
- LACP and LLDP Pre-Negotiation for Active/Passive HA
- Floating IP Address and Virtual MAC Address
- ARP Load-Sharing
- Route-Based Redundancy
- HA Timers
- Session Owner
- Session Setup
- NAT in Active/Active HA Mode
- ECMP in Active/Active HA Mode

HA Modes

You can set up the firewalls for HA in one of two modes:

- Active/Passive: One firewall actively manages traffic while the other is synchronized and ready to transition to the active state, should a failure occur. In this mode, both firewalls share the same configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs. When the active firewall fails, the passive firewall transitions to the active state and takes over seamlessly and enforces the same policies to maintain network security. Active/passive HA is supported in the virtual wire, Layer 2, and Layer 3 deployments.

  The PA-200 firewall supports HA Lite only. HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPSec security associations. It does not support any session synchronization (HA2), and therefore does not offer stateful failover.

- Active/Active: Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each other. Active/active HA is supported in virtual wire and Layer 3 deployments.

  An active/active configuration does not load-balance traffic. Although you can load-share by sending traffic to the peer, no load balancing occurs. Ways to load-share sessions to both firewalls include using ECMP, multiple ISPs, and load balancers.
In active/active HA mode, the firewall does not support DHCP client. Furthermore, only the active-primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast packets, it drops them.

When deciding whether to use active/passive or active/active mode, consider the following differences:
- Active/passive mode has simplicity of design; it is significantly easier to troubleshoot routing and traffic flow issues in active/passive mode. Active/passive mode supports a Layer 2 deployment; active/active mode does not.
- Active/active mode requires advanced design concepts that can result in more complex networks. Depending on how you implement active/active HA, it might require additional configuration such as activating networking protocols on both firewalls, replicating NAT pools, and deploying floating IP addresses to provide proper failover. Because both firewalls are actively processing traffic, the firewalls use additional concepts of session owner and session setup to perform Layer 7 content inspection. Active/active mode is recommended if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic.

In active/active mode, the HA pair can be used to temporarily process more traffic than what one firewall can normally handle. However, this should not be the norm because a failure of one firewall causes all traffic to be redirected to the remaining firewall in the HA pair. Your design must allow the remaining firewall to process the maximum capacity of your traffic loads with content inspection enabled. If the design oversubscribes the capacity of the remaining firewall, high latency and/or application failure can occur.

For information on setting up your firewalls in active/passive mode, see Set Up Active/Passive HA. For information on setting up your firewalls in active/active mode, see Set Up Active/Active HA.
HA Links and Backup Links

The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports, Control link (HA1) and Data link (HA2), while others require you to use the in-band ports as HA links.

On firewalls with dedicated HA ports such as the PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (see HA Ports on the PA-7000 Series Firewall), use the dedicated HA ports to manage communication and synchronization between the firewalls. For firewalls without dedicated HA ports such as the PA-200, PA-500, and PA-2000 Series firewalls, as a best practice use the management port for the HA1 link to allow for a direct connection between the management planes on the firewalls, and an in-band port for the HA2 link.

The HA1 and HA2 links provide synchronization for functions that reside on the management plane. Using the dedicated HA interfaces on the management plane is more efficient than using the in-band ports as this eliminates the need to pass the synchronization packets over the dataplane.
HA Links and Backup Links

Control Link
The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, and User-ID information. The firewalls also use this link to synchronize configuration changes with its peer. The HA1 link is a Layer 3 link and requires an IP address.
Ports used for HA1: TCP port 28769 and 28260 for clear text communication; port 28 for encrypted communication (SSH over TCP).

Data Link
The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active or active-primary firewall to the passive or active-secondary firewall. The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
Ports used for HA2: The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.

Backup Links
Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. Consider the following guidelines when configuring backup HA links:
- The IP addresses of the primary and backup HA links must not overlap each other.
- HA backup links must be on a different subnet from the primary HA links.
- HA1 backup and HA2 backup ports must be configured on separate physical ports. The HA1 backup link uses port 28770 and 28260.
- Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links.

Packet Forwarding Link
In addition to HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing or encryption. PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one. On PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls, you can configure aggregate interfaces as an HA3 link. The aggregate interfaces can also provide redundancy for the HA3 link; you cannot configure backup links for the HA3 link. On PA-7000 Series firewalls, the dedicated HSCI ports support the HA3 link. The firewall adds a proprietary packet header to packets traversing the HA3 link, so the MTU over this link must be greater than the maximum packet length forwarded.
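The port numbers and backup-link guidelines in the table above are the kind of thing that is easy to get wrong when the HA links cross an intermediate switch or a filtering device. The following script is an added example written for this guide, not PAN-OS code or its CLI: it derives the protocol/port pairs a filter between the peers must permit for a given HA1/HA2 transport choice, and checks a link plan against the guidelines (no overlapping addresses, backup links on a different subnet, HA1 backup and HA2 backup on separate physical ports, heartbeat backup when an in-band port carries HA1). The link plan is a dict constructed here; port names such as "ha1-a" and "ethernet1/7", the rule that "ethernet..." ports are in-band, and the use of UDP for heartbeat backup (the guide gives only the port) are assumptions of the example.

```python
"""Sanity checks for an HA1/HA2 link plan against the guidelines in this section.

Added example, not PAN-OS code or its CLI. The link plan is a plain dict
constructed here; port names such as "ha1-a" or "ethernet1/7" are assumed
labels, and the rule that any port named "ethernet..." is an in-band port is
an assumption of this example. Port numbers come from the guide. Heartbeat
backup is modelled as UDP (the guide gives only the port number 28771).
"""
import ipaddress


def ha1_ports(encrypted: bool) -> set:
    """HA1 control-link ports: TCP 28769 and 28260 in clear text, TCP 28 (SSH) when encrypted."""
    return {("tcp", 28)} if encrypted else {("tcp", 28769), ("tcp", 28260)}


def required_ports(encrypted: bool, ha2_transport: str,
                   ha1_backup: bool, heartbeat_backup: bool) -> set:
    """Protocol/port pairs an ACL between the peers must permit for a given plan."""
    ports = ha1_ports(encrypted)
    if ha1_backup:
        ports |= {("tcp", 28770), ("tcp", 28260)}     # HA1 backup link
    if heartbeat_backup:
        ports.add(("udp", 28771))                     # heartbeat backup on MGT (UDP assumed)
    if ha2_transport == "ip":
        ports.add(("ip-proto", 99))                   # HA2 carried as IP protocol 99
    elif ha2_transport == "udp":
        ports.add(("udp", 29281))                     # HA2 carried over UDP
    elif ha2_transport != "ethernet":                 # default: Layer 2, ethertype 0x7261
        raise ValueError("ha2_transport must be 'ethernet', 'ip' or 'udp'")
    return ports


def is_inband(port: str) -> bool:
    """Assumption: dataplane ports are named ethernet<slot>/<n>; MGT and HA ports are not in-band."""
    return port.startswith("ethernet")


def check_link_plan(plan: dict) -> list:
    """Return the guideline violations in a plan (empty list means it passes).

    Assumes HA2 and its backup use IP or UDP transport, so every link has an address."""
    problems = []
    links = {name: ipaddress.ip_interface(plan[name]["ip"])
             for name in ("ha1", "ha1_backup", "ha2", "ha2_backup")}

    # Backup links on a different subnet, and no overlapping link addresses.
    names = list(links)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if links[a].network.overlaps(links[b].network):
                problems.append(f"{a} and {b} subnets overlap")

    # HA1 backup and HA2 backup must be on separate physical ports.
    if plan["ha1_backup"]["port"] == plan["ha2_backup"]["port"]:
        problems.append("ha1_backup and ha2_backup share a physical port")

    # Heartbeat backup is recommended when an in-band port carries HA1 or HA1 backup.
    if any(is_inband(plan[n]["port"]) for n in ("ha1", "ha1_backup")) \
            and not plan.get("heartbeat_backup", False):
        problems.append("in-band port used for HA1/HA1 backup without heartbeat backup")
    return problems


# Constructed plans: one that follows the guidelines and one that breaks three of them.
GOOD_PLAN = {
    "ha1":        {"port": "ha1-a",       "ip": "10.0.1.1/30"},
    "ha1_backup": {"port": "ethernet1/7", "ip": "10.0.2.1/30"},
    "ha2":        {"port": "ha2-a",       "ip": "10.0.3.1/30"},
    "ha2_backup": {"port": "ethernet1/8", "ip": "10.0.4.1/30"},
    "heartbeat_backup": True,
}
BAD_PLAN = {
    "ha1":        {"port": "ha1-a",       "ip": "10.0.1.1/30"},
    "ha1_backup": {"port": "ethernet1/7", "ip": "10.0.1.2/30"},   # same subnet as HA1
    "ha2":        {"port": "ethernet1/8", "ip": "10.0.3.1/30"},
    "ha2_backup": {"port": "ethernet1/7", "ip": "10.0.4.1/30"},   # same port as HA1 backup
    "heartbeat_backup": False,                   # in-band HA1 backup without heartbeat backup
}
```

Running check_link_plan(BAD_PLAN) reports the overlapping HA1/HA1-backup subnet, the shared physical port, and the missing heartbeat backup; GOOD_PLAN passes cleanly.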
HA Ports on the PA-7000 Series Firewall

HA connectivity on the PA-7000 Series mandates the use of specific ports on the Switch Management Card (SMC) for certain functions; for other functions, you can use the ports on the Network Processing Card (NPC). PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.

The following table describes the SMC ports that are designed for HA connectivity:

Control Link: HA1-A (Speed: Ethernet 10/100/1000)
Used for HA control and synchronization in both HA Modes. Connect this port directly from the HA1-A port on the first firewall to the HA1-A on the second firewall in the pair, or connect them together through a switch or router.
HA1 cannot be configured on NPC data ports or the MGT port.

Control Link Backup: HA1-B (Speed: Ethernet 10/100/1000 port)
Used for HA control and synchronization as a backup for HA1-A in both HA Modes. Connect this port directly from the HA1-B port on the first firewall to the HA1-B on the second firewall in the pair, or connect them together through a switch or router.
HA1 Backup cannot be configured on NPC data ports or the MGT port.

Data Link: HSCI-A
Data Link Backup: HSCI-B
The High Speed Chassis Interconnect (HSCI) ports are Quad Port SFP (QSFP) interfaces which are used to connect two PA-7000 Series firewalls in an HA configuration. Each port is comprised of four 10-gigabit links internally for a combined speed of 40 gigabits.
The HSCI ports are not routable and must be connected directly to each other. The HSCI-A on the first chassis connects directly to HSCI-A on the second chassis and HSCI-B on the first chassis connects to HSCI-B on the second chassis. This will provide full 80-gigabit transfer rates. In software, both ports (HSCI-A and HSCI-B) are treated as one HA interface.
Palo Alto Networks recommends using the dedicated HSCI ports for the HA2 link; the HA3 link, required for packet forwarding in an active/active deployment, must use the HSCI port.
If the firewalls are deployed in:
- an active/active configuration, the HA3 link must use the HSCI port. The HA2 link and HA2 backup links can use the HSCI port or data ports on the NPC.
- an active/passive configuration, you can configure a data port on the NPC for the HA2 link or the HA2 backup link, if needed.
Device Priority and Preemption

The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active or active-primary role. If you need to use a specific firewall in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each firewall. The firewall with the lower numerical value, and therefore higher priority, is designated as active or active-primary. The other firewall is the active-secondary or passive firewall.

By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active or active-primary after it recovers from a failure. When preemption occurs, the event is logged in the system logs.

Failover

When a failure occurs on one firewall and the peer takes over the task of securing traffic, the event is called a failover. A failover is triggered, for example, when a monitored metric on a firewall in the HA pair fails. The metrics that are monitored for detecting a firewall failure are:

- Heartbeat Polling and Hello messages: The firewalls use hello messages and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. For details on the HA timers that trigger a failover, see HA Timers.

- Link Monitoring: The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is monitored. A link group can contain one or more physical interfaces. A firewall failure is triggered when any or all of the interfaces in the group fail. The default behavior is that failure of any one link in the link group will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.

- Path Monitoring: Monitors the full path through the network to mission-critical IP addresses. ICMP pings are used to verify reachability of the IP address. The default interval for pings is 200 ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail, and a firewall failure is triggered when any or all of the IP addresses monitored become unreachable. The default behavior is that any one of the IP addresses becoming unreachable will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.

In addition to the failover triggers listed above, a failover also occurs when the administrator suspends the firewall or when preemption occurs.

On the PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls, a failover can occur when an internal health check fails. This health check is not configurable and is enabled to monitor the critical components, such as the FPGA and CPUs. Additionally, general health checks occur on any platform causing failover.
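The link-monitoring and path-monitoring rules above decide when a monitored object counts as failed and which HA state the firewall moves to. The following model is an added example written for this guide, not PAN-OS code; it reproduces only the stated rules (10 consecutive failed pings at 200 ms by default, any/all group conditions, non-functional versus tentative state) against ping results and link states constructed inline, and shows why a single reply inside the ping window keeps an occasionally flapping path from triggering a failover.

```python
"""Model of the HA link-monitoring and path-monitoring failover rules.

Added illustration, not PAN-OS code. It encodes only what the text states:
a path destination is unreachable after 10 consecutive failed pings by
default, 200 ms apart; a group fails on 'any' (the default) or 'all' of its
members; a failed monitored object moves the firewall to the non-functional
state, or to tentative in active/active mode. Ping results and link states
are constructed inline.
"""
from dataclasses import dataclass

DEFAULT_PING_INTERVAL_MS = 200
DEFAULT_PING_COUNT = 10


@dataclass
class PathMonitorGroup:
    destinations: dict          # ip -> list of ping results, True = reply received
    failure_condition: str = "any"
    ping_count: int = DEFAULT_PING_COUNT

    def unreachable(self, ip: str) -> bool:
        """A destination is down only when the last ping_count pings all failed,
        so a single reply inside the window (occasional flapping) resets it."""
        recent = self.destinations[ip][-self.ping_count:]
        return len(recent) == self.ping_count and not any(recent)

    def failed(self) -> bool:
        states = [self.unreachable(ip) for ip in self.destinations]
        return any(states) if self.failure_condition == "any" else all(states)


@dataclass
class LinkMonitorGroup:
    interfaces: dict            # interface name -> True if link is up
    failure_condition: str = "any"

    def failed(self) -> bool:
        down = [not up for up in self.interfaces.values()]
        return any(down) if self.failure_condition == "any" else all(down)


def ha_state(link_groups: list, path_groups: list, mode: str = "active/passive") -> str:
    """State the firewall reports once a monitored object has failed."""
    if any(g.failed() for g in link_groups + path_groups):
        return "tentative" if mode == "active/active" else "non-functional"
    return "active"


def detection_time_ms(ping_count: int = DEFAULT_PING_COUNT,
                      interval_ms: int = DEFAULT_PING_INTERVAL_MS) -> int:
    """Time from the first lost ping until the destination counts as unreachable."""
    return ping_count * interval_ms


# Constructed samples: one destination that went dark, one healthy, one flapping.
DEAD = [True] * 5 + [False] * 10
HEALTHY = [True] * 15
FLAPPING = [False] * 9 + [True] + [False] * 5
```

With the defaults a dead path is declared after 2000 ms of lost pings; the FLAPPING history never reaches 10 consecutive failures and so never fails the group.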
LACP and LLDP Pre-Negotiation for Active/Passive HA

If a firewall uses LACP or LLDP, negotiation of those protocols upon failover prevents sub-second failover. However, you can enable an interface on a passive firewall to negotiate LACP and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA state can communicate with neighboring devices using LACP or LLDP. Such pre-negotiation speeds up failover.

The PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls support a pre-negotiation configuration depending on whether the Ethernet or AE interface is in a Layer 2, Layer 3, or virtual wire deployment. An HA passive firewall handles LACP and LLDP packets in one of two ways:
- Active: The firewall has LACP or LLDP configured on the interface and actively participates in LACP or LLDP pre-negotiation, respectively.
- Passive: LACP or LLDP is not configured on the interface and the firewall does not participate in the protocol, but allows the peers on either side of the firewall to pre-negotiate LACP or LLDP, respectively.

Pre-negotiation is not supported on subinterfaces or tunnel interfaces.

To configure LACP or LLDP pre-negotiation, see Step 14 of Configure Active/Passive HA.

Floating IP Address and Virtual MAC Address

In a Layer 3 deployment of HA active/active mode, you can assign floating IP addresses, which move from one HA firewall to the other if a link or firewall fails. The interface on the firewall that owns the floating IP address responds to ARP requests with a virtual MAC address.

Floating IP addresses are recommended when you need functionality such as Virtual Router Redundancy Protocol (VRRP). Floating IP addresses can also be used to implement VPNs and source NAT, allowing for persistent connections when a firewall offering those services fails.

As shown in the figure below, each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as their default gateway, allowing you to load balance traffic to the two HA peers. You can also use external load balancers to load balance traffic.

If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure below, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.

After the failed firewall recovers, by default the floating IP address and virtual MAC address move back to the firewall with the Device ID [0 or 1] to which the floating IP address is bound. More specifically, after the failed firewall recovers, it comes online. The currently active firewall determines that the firewall is back online and checks whether the floating IP address it is handling belongs natively to itself or the other firewall. If the floating IP address was originally bound to the other Device ID, the firewall automatically gives it back. (For an alternative to this default behavior, see Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.)
Each firewall in the HA pair creates a virtual MAC address for each of its interfaces that has a floating IP address or ARP Load-Sharing IP address.

The format of the virtual MAC address (on firewalls other than PA-7000 Series firewalls) is 00-1B-17-00-xx-yy, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), 00 is fixed, xx indicates the Device ID and Group ID as shown in the following figure, and yy is the Interface ID:

The format of the virtual MAC address on PA-7000 Series firewalls is 00-1B-17-xx-xx-xx, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), and the next 24 bits indicate the Device ID, Group ID and Interface ID as follows:

When a new active firewall takes over, it sends gratuitous ARPs from each of its connected interfaces to inform the connected Layer 2 switches of the new location of the virtual MAC address. To configure floating IP addresses, see Use Case: Configure Active/Active HA with Floating IP Addresses.
ARP Load-Sharing

In a Layer 3 interface deployment and active/active HA configuration, ARP load-sharing allows the firewalls to share an IP address and provide gateway services. Use ARP load-sharing only when no Layer 3 device exists between the firewall and end hosts, that is, when end hosts use the firewall as their default gateway. In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm that controls which firewall will respond to the ARP request is configurable; it is determined by computing the hash or modulo of the source IP address of the ARP request.

After the end host receives the ARP response from the gateway, it caches the MAC address and all traffic from the host is routed via the firewall that responded with the virtual MAC address for the lifetime of the ARP cache. The lifetime of the ARP cache depends on the end host operating system.

If a link or firewall fails, the floating IP address and virtual MAC address move over to the functional firewall. The functional firewall sends gratuitous ARPs to update the MAC table of the connected switches to redirect traffic from the failed firewall to itself. See Use Case: Configure Active/Active HA with ARP Load-Sharing.

You can configure interfaces on the WAN side of the HA firewalls with floating IP addresses, and configure interfaces on the LAN side of the HA firewalls with a shared IP address for ARP load-sharing. For example, the figure below illustrates floating IP addresses for the upstream WAN edge routers and an ARP load-sharing address for the hosts on the LAN segment.
Route-Based Redundancy

In a Layer 3 interface deployment and active/active HA configuration, the firewalls are connected to routers, not switches. The firewalls use dynamic routing protocols to determine the best path (asymmetric route) and to load-share between the HA pair. In such a scenario, no floating IP addresses are necessary. If a link, monitored path, or firewall fails, or if Bidirectional Forwarding Detection (BFD) detects a link failure, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic to the functioning firewall. You configure each firewall interface with a unique IP address. The IP addresses remain local to the firewall where they are configured; they do not move between devices when a firewall fails. See Use Case: Configure Active/Active HA with Route-Based Redundancy.

HA Timers

High availability (HA) timers enable a firewall to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.

Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.

The following table describes each timer included in the profiles and the current preset values across the different hardware models; these values are for current reference only and can change in a subsequent release.
HA Timers

Preset values are shown as Recommended/Aggressive. The columns of the original table are: PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3000 Series; PA-2000 Series, PA-500 Series, PA-200 Series; VM-Series; Panorama Virtual Appliance, Panorama M-Series.

Preemption hold time
  Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.
  Preset values: 1/1, 1/1, 1/1.

Heartbeat inter­val
  Frequency at which the HA peers exchange heartbeat messages in the form of an ICMP (ping).
  Preset values: 2000/1000, 2000/1000, 2000/500, 2000/500, 1000/1000, 2000/1000 (only for VM-Series in AWS).

Monitor fail hold up time
  Interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices.
  Preset values: 0/0, 0/0, 0/0.

Additional master hold up time
  Time interval that is applied to the same event as Monitor Fail Hold Up Time (range 0-60000 ms, default 500 ms). The additional time interval is applied only to the active firewall in active/passive mode and to the active-primary firewall in active/active mode. This timer is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously.
  Preset values: 500/500, 500/500, 7000/5000.

Hello interval
  Interval in milliseconds between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The range is 8000-60000 ms with a default of 8000 ms for all platforms.
  Preset values: 8000/8000, 8000/8000, 8000/8000.

Maximum no. of flaps
  A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. This value indicates the maximum number of flaps that are permitted before the firewall is determined to be suspended and the passive firewall takes over (range 0-16; default 3).
  Preset values: 3/3, 3/3, Not Applicable.
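The flap rule in the last row is a windowed count rather than a simple threshold, which is why a firewall that leaves the active state a few times across a day is treated differently from one that bounces every few minutes. The following functions are an added example written for this guide, not PAN-OS code: they apply the 15-minute rule and the 0-16 range stated in the table to constructed timestamps. Treating "exceeds the maximum" as strictly greater than the configured value is an assumption of the example.

```python
"""Flap counting behind the HA 'Maximum no. of flaps' setting.

Added illustration, not PAN-OS code. It applies the rule from the table: a
flap is counted when the firewall leaves the active state within 15 minutes
of the previous time it left the active state, and the firewall is deemed
suspended once the count exceeds the configured maximum (range 0-16,
default 3). Treating "exceeds" as strictly greater is an assumption. The
timestamps (seconds) are constructed.
"""
FLAP_WINDOW_S = 15 * 60


def count_flaps(leave_active_times: list) -> int:
    """Departures from the active state that came within 15 minutes of the previous one."""
    times = sorted(leave_active_times)
    return sum(1 for prev, cur in zip(times, times[1:]) if cur - prev <= FLAP_WINDOW_S)


def is_suspended(leave_active_times: list, max_flaps: int = 3) -> bool:
    """True when the flap count exceeds the permitted maximum."""
    if not 0 <= max_flaps <= 16:
        raise ValueError("Maximum no. of flaps must be in the range 0-16")
    return count_flaps(leave_active_times) > max_flaps


# Constructed histories: a firewall bouncing every few minutes, and one that left
# the active state three times spread over two hours.
BOUNCING = [0, 300, 700, 1200, 1500]
STABLE = [0, 3600, 7200]
```

BOUNCING accumulates four flaps and is suspended at the default maximum of 3; STABLE accumulates none, because each departure is more than 15 minutes after the previous one.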
Session Owner

In an HA active/active configuration, both firewalls are active simultaneously, which means packets can be distributed between them. Such distribution requires the firewalls to fulfill two functions: session ownership and session setup. Typically, each firewall of the pair performs one of these functions, thereby avoiding race conditions that can occur in asymmetrically routed environments.

You configure the session owner of sessions to be either the firewall that receives the First Packet of a new session from the end host or the firewall that is in active-primary state (the Primary device). If Primary device is configured, but the firewall that receives the first packet is not in active-primary state, the firewall forwards the packet to the peer firewall (the session owner) over the HA3 link.

The session owner performs all Layer 7 processing, such as App-ID, Content-ID, and threat scanning for the session. The session owner also generates all traffic logs for the session.

If the session owner fails, the peer firewall becomes the session owner. The existing sessions fail over to the functioning firewall and no Layer 7 processing is available for those sessions. When a firewall recovers from a failure, by default, all sessions it owned before the failure revert back to that original firewall; Layer 7 processing does not resume.

If you configure session ownership to be Primary device, the session setup defaults to Primary device also.

Palo Alto Networks recommends setting the Session Owner to First Packet and the Session Setup to IP Modulo unless otherwise indicated in a specific use case.

Setting Session Owner and Session Setup to Primary Device causes the active-primary firewall to perform all traffic processing. You might want to configure this for one of these reasons:
- You are troubleshooting and capturing logs and pcaps, so that packet processing is not split between the firewalls.
- You want to force the active/active HA pair to function like an active/passive HA pair. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

Session Setup

The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up a new session. The session setup firewall also performs NAT using the NAT pool of the session owner. You determine the session setup firewall in an active/active configuration by selecting one of the following session setup load-sharing options.

Session Setup Option: Description
- IP Modulo: The firewall distributes the session setup load based on parity of the source IP address. This is a deterministic method of sharing the session setup.
- IP Hash: The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities.
- Primary Device: The active-primary firewall always sets up the session; only one firewall performs all session setup responsibilities.
- First Packet: The firewall that receives the first packet of a session performs session setup.
If you want to load-share the session owner and session setup responsibilities, set session owner to First Packet and session setup to IP Modulo. These are the recommended settings.

If you want to do troubleshooting or capture logs or pcaps, or if you want an active/active HA pair to function like an active/passive HA pair, set both the session owner and session setup to Primary device so that the active-primary device performs all traffic processing. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The following figure and text describe the path of a packet that firewall FW1 receives for a new session. The red dotted lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding the packet back to FW1 over the HA3 link.
1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
3. FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
4. FW1 uses the HA3 link to send the first packet to FW2.
5. FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
6. FW1 then forwards the packet out the egress interface to the destination.
The following figure and text describe the path of a packet that matches an existing session:
1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If the session matches an existing session, FW1 processes the packet and sends the packet out the egress interface to the destination.
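The ARP Load-Sharing section and the Session Setup options above both describe deterministic selection of one peer from the addresses in a packet. The following model is an added example written for this guide, not PAN-OS code: the firewalls' real hash functions are not documented here, so it reproduces only the stated properties (parity of the source IP for IP Modulo, a hash of source and destination for IP Hash, hash or modulo of the ARP request's source IP for ARP load-sharing), using SHA-256 as an assumed stand-in where the guide says "hash". It also counts how many first packets cross the HA3 link for a set of constructed flows under the recommended First Packet / IP Modulo pairing, which is what the six-step packet path above describes.

```python
"""Deterministic peer-selection models for active/active HA.

Added illustration, not PAN-OS code: the firewalls' real hash functions are
not documented in this guide, so these functions only reproduce the stated
properties. IP Modulo picks the session-setup firewall from the parity of
the source IP; IP Hash from a hash of source and destination (SHA-256 here,
an assumption); ARP load-sharing picks the firewall that answers an ARP
request from the hash or modulo of the request's source IP. Device IDs are
0 and 1 as in the guide; the flows are constructed.
"""
import hashlib
import ipaddress


def ip_modulo(src_ip: str) -> int:
    """Device ID from the parity of the source address (deterministic)."""
    return int(ipaddress.ip_address(src_ip)) % 2


def ip_hash(src_ip: str, dst_ip: str) -> int:
    """Device ID from a hash of source and destination addresses (hash function assumed)."""
    key = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return hashlib.sha256(key).digest()[-1] % 2


def session_setup_device(option: str, src_ip: str, dst_ip: str,
                         first_packet_device: int, primary_device: int) -> int:
    """Which firewall sets up a new session under each Session Setup option."""
    if option == "IP Modulo":
        return ip_modulo(src_ip)
    if option == "IP Hash":
        return ip_hash(src_ip, dst_ip)
    if option == "Primary Device":
        return primary_device
    if option == "First Packet":
        return first_packet_device
    raise ValueError(f"unknown session setup option: {option}")


def arp_responder(src_ip: str, algorithm: str = "modulo") -> int:
    """Firewall that answers an ARP request for the shared gateway address."""
    if algorithm == "modulo":
        return ip_modulo(src_ip)
    if algorithm == "hash":
        return hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()[-1] % 2
    raise ValueError(f"unknown ARP load-sharing algorithm: {algorithm}")


def needs_ha3_forward(session_owner: int, setup_device: int) -> bool:
    """The owner sends the first packet over HA3 when the peer does the setup."""
    return session_owner != setup_device


# Constructed flows: (source IP, destination IP, Device ID that received the first packet).
SAMPLE_FLOWS = [
    ("10.1.1.10", "203.0.113.5", 0),
    ("10.1.1.11", "203.0.113.5", 0),
    ("10.1.1.12", "198.51.100.9", 1),
    ("10.1.1.13", "198.51.100.9", 1),
]


def distribute(flows, option: str = "IP Modulo", primary_device: int = 0) -> dict:
    """Count how many of the flows each Device ID would set up under an option."""
    counts = {0: 0, 1: 0}
    for src, dst, first_dev in flows:
        counts[session_setup_device(option, src, dst, first_dev, primary_device)] += 1
    return counts


def ha3_forwards(flows, owner_option: str = "First Packet", setup_option: str = "IP Modulo") -> int:
    """First packets that cross HA3 because owner and setup firewall differ."""
    n = 0
    for src, dst, first_dev in flows:
        owner = first_dev if owner_option == "First Packet" else 0   # Primary device is ID 0 here
        n += needs_ha3_forward(owner, session_setup_device(setup_option, src, dst, first_dev, 0))
    return n
```

For the constructed flows, IP Modulo splits setup evenly and two of the four first packets cross HA3, while Primary Device for both roles sends nothing over HA3 because one firewall does all the work, which is the trade-off the text describes.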
NAT in Active/Active HA Mode

In an active/active HA configuration:
- You must bind each Dynamic IP (DIP) NAT rule and Dynamic IP and Port (DIPP) NAT rule to either Device ID 0 or Device ID 1.
- You must bind each static NAT rule to either Device ID 0, Device ID 1, both Device IDs, or the firewall in active-primary state.

Thus, when one of the firewalls creates a new session, the Device ID 0 or Device ID 1 binding determines which NAT rules match the firewall. The device binding must include the session owner firewall to produce a match.

The session setup firewall performs the NAT policy match, but the NAT rules are evaluated based on the session owner. That is, the session is translated according to NAT rules that are bound to the session owner firewall. While performing NAT policy matching, a firewall skips all NAT rules that are not bound to the session owner firewall.

For example, suppose the firewall with Device ID 1 is the session owner and session setup firewall. When the firewall with Device ID 1 tries to match a session to a NAT rule, it skips all rules bound to Device ID 0. The firewall performs the NAT translation only if the session owner and the Device ID in the NAT rule match.

You will typically create device-specific NAT rules when the peer firewalls use different IP addresses for translation.

If one of the peer firewalls fails, the active firewall continues to process traffic for synchronized sessions from the failed firewall, including NAT traffic. In a source NAT configuration, when one firewall fails:
- The floating IP address that is used as the Translated IP address of the NAT rule transfers to the surviving firewall. Hence, the existing sessions that fail over will still use this IP address.
- All new sessions will use the device-specific NAT rules that the surviving firewall naturally owns. That is, the surviving firewall translates new sessions using only the NAT rules that match its Device ID; it ignores any NAT rules bound to the failed Device ID.

If you want the firewalls to perform dynamic NAT using the same IP address simultaneously, a best practice is to create a duplicate NAT rule that is bound to the peer firewall also. The result is two NAT rules with the same translation IP addresses, one bound to Device ID 0 and one bound to Device ID 1. Thus, the configuration allows the current firewall to perform new session setup and perform NAT policy matching for NAT rules that are bound to its Device ID. Without the duplicate NAT rule, the firewall will not find its own device-specific rules and will skip all NAT rules that are not bound to its Device ID when it attempts to match a NAT policy.

For examples of active/active HA with NAT, see:
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
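The rule-skipping behaviour described above is easy to get wrong when writing device-specific source NAT rules, so the following added example simulates it. This is illustration code written for this page, not Palo Alto Networks code: the rule names, zones, translated addresses and the session owner assignments are constructed, and the only logic it implements is the binding check the guide states (a rule is considered only if its binding includes the session owner; a rule bound to the active-primary firewall follows that role).

```python
"""Simulation of NAT rule selection by Device ID binding in active/active HA.

Added illustration, not Palo Alto Networks code. Rules, zones, addresses and
session owners are constructed sample values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

ACTIVE_PRIMARY = "active-primary"   # binding that follows the active-primary role


@dataclass
class NatRule:
    name: str
    match_zone: str          # source zone the rule matches (constructed match criterion)
    translated_ip: str       # translated source address (floating IP or pool address)
    binding: frozenset       # {0}, {1}, {0, 1} or {ACTIVE_PRIMARY}


@dataclass
class Session:
    src_zone: str
    owner_id: int            # Device ID of the session owner firewall
    setup_id: int            # Device ID of the session setup firewall


def rule_applies(rule: NatRule, session: Session, active_primary_id: int) -> bool:
    """A rule is evaluated only if its binding includes the session owner."""
    if ACTIVE_PRIMARY in rule.binding:
        return session.owner_id == active_primary_id
    return session.owner_id in rule.binding


def match_nat(rules: Iterable[NatRule], session: Session,
              active_primary_id: int, alive: Set[int]) -> Optional[NatRule]:
    """Policy match as done by the session setup firewall: rules whose binding
    excludes the session owner are skipped, the rest are evaluated in order."""
    if session.setup_id not in alive:
        raise ValueError("session setup firewall is down")
    for rule in rules:
        if not rule_applies(rule, session, active_primary_id):
            continue          # skipped: not bound to the session owner
        if rule.match_zone == session.src_zone:
            return rule
    return None


def demo_failover(duplicate_rule: bool) -> dict:
    """Matched rule name (or None) for a new 'trust' session before and after the
    Device ID 0 peer fails, with and without the duplicate rule the guide advises."""
    rules: List[NatRule] = [
        NatRule("snat-trust-dev0", "trust", "198.51.100.10", frozenset({0})),
        NatRule("static-web", "dmz", "203.0.113.5", frozenset({ACTIVE_PRIMARY})),
    ]
    if duplicate_rule:
        # Same translation address, bound to the peer (Device ID 1).
        rules.append(NatRule("snat-trust-dev1", "trust", "198.51.100.10", frozenset({1})))

    # Both peers up: Device ID 0 is active-primary, owns and sets up the session.
    before = match_nat(rules, Session("trust", owner_id=0, setup_id=0), 0, {0, 1})
    # Device ID 0 fails: the survivor owns and sets up all new sessions.
    after = match_nat(rules, Session("trust", owner_id=1, setup_id=1), 1, {1})
    dmz_after = match_nat(rules, Session("dmz", owner_id=1, setup_id=1), 1, {1})
    return {
        "before": before.name if before else None,
        "after": after.name if after else None,
        "dmz_after": dmz_after.name if dmz_after else None,
    }
```

Without the duplicate rule, `demo_failover(False)["after"]` is `None`: the surviving firewall skips the rule bound to Device ID 0 and new sessions from the `trust` zone get no translation, while the static rule bound to the active-primary role still matches because that role moved to the survivor. With the duplicate rule the survivor finds its own copy.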
ECMP in Active/Active HA Mode

When an active/active HA peer fails, its sessions transfer to the new active-primary firewall, which tries to use the same egress interface that the failed firewall was using. If the firewall finds that interface among the ECMP paths, the transferred sessions will take the same egress interface and path. This behavior occurs regardless of the ECMP algorithm in use; using the same interface is desirable. Only if no ECMP path matches the original egress interface will the active-primary firewall select a new ECMP path.

If you did not configure the same interfaces on the active/active peers, upon failover the active-primary firewall selects the next best path from the FIB table. Consequently, the existing sessions might not be distributed according to the ECMP algorithm.
Set Up Active/Passive HA

- Prerequisites for Active/Passive HA
- Configuration Guidelines for Active/Passive HA
- Configure Active/Passive HA
- Define HA Failover Conditions
- Verify Failover
Prerequisites for Active/Passive HA

To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:
- The same model: Both the firewalls in the pair must be of the same hardware model or virtual machine model.
- The same PAN-OS version: Both the firewalls should be running the same PAN-OS version and must each be up to date on the application, URL, and threat databases.
- The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
  - For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

As a best practice, if you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, Reset the Firewall to Factory Default Settings on the new firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean configuration.
Configuration Guidelines for Active/Passive HA

To set up an active (Peer A)/passive (Peer B) pair in HA, you must configure some options identically on both firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized between the firewalls. For details on what is/is not synchronized, see Reference: HA Synchronization.

The following table lists the settings that you must configure identically on both firewalls:

Identical Configuration Settings
- HA must be enabled on both firewalls.
- Both firewalls must have the same Group ID value. The Group ID value is used to create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses.
  When a new active firewall takes over, Gratuitous ARP messages are sent from each of the connected interfaces of the new active member to inform the connected Layer 2 switches of the virtual MAC address's new location.
- If using in-band ports, the interfaces for the HA1 and HA2 links must be set to type HA.
- The HA Mode must be set to Active Passive.
- If required, preemption must be enabled on both firewalls. The device priority value, however, must not be identical.
- If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
- Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether you should enable heartbeat backup:

    HA1                  HA1 Backup        Recommendation
    Dedicated HA1 port   In-band port      Enable Heartbeat Backup
    Dedicated HA1 port   Management port   Do not enable Heartbeat Backup
    In-band port         In-band port      Enable Heartbeat Backup
    Management port      In-band port      Do not enable Heartbeat Backup

  HA functionality (HA1 and HA1 backup) is not supported on the management interface if it's configured for DHCP addressing (IP Type set to DHCP Client), except for AWS.
The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings that are not automatically synchronized between peers.

Independent Configuration Settings

Control Link
  Peer A: IP address of the HA1 link configured on this firewall (Peer A).
  Peer B: IP address of the HA1 link configured on this firewall (Peer B).
  For firewalls without dedicated HA ports, use the management port IP address for the control link.

Data Link
  The data link information is synchronized between the firewalls after HA is enabled and the control link is established between the firewalls.
  Peer A: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (Peer A).
  Peer B: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (Peer B).

Device Priority (required, if preemption is enabled)
  Peer A: The firewall you plan to make active must have a lower numerical value than its peer. So, if Peer A is to function as the active firewall, keep the default value of 100 and increment the value on Peer B.
  If the firewalls have the same device priority value, they use the MAC address of their HA1 as the tie breaker.
  Peer B: If Peer B is passive, set the device priority value to a number larger than the setting on Peer A. For example, set the value to 110.

Link Monitoring
  Monitor one or more physical interfaces that handle vital traffic on this firewall and define the failure condition.
  Peer A: Select the physical interfaces on the firewall that you would like to monitor and define the failure condition (all or any) to trigger a failover.
  Peer B: Pick a similar set of physical interfaces that you would like to monitor on this firewall and define the failure condition (all or any) to trigger a failover.

Path Monitoring
  Monitor one or more destination IP addresses that the firewall can use ICMP pings to ascertain responsiveness.
  Peer A: Define the failure condition (all or any), ping interval and the ping count. This is particularly useful for monitoring the availability of other interconnected networking devices. For example, monitor the availability of a router that connects to a server, connectivity to the server itself, or some other vital device that is in the flow of traffic.
  Make sure that the node/device that you are monitoring is not likely to be unresponsive, especially when it comes under load, as this could cause a path monitoring failure and trigger a failover.
  Peer B: Pick a similar set of devices or destination IP addresses that can be monitored for determining the failover trigger for Peer B. Define the failure condition (all or any), ping interval and the ping count.
Configure Active/Passive HA

The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology.

Connect and Configure the Firewalls

Step 1: Connect the HA ports to set up a physical connection between the firewalls.
  - For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
  - For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls.
    Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.

Pick a firewall in the pair and complete the following steps:

Step 2: Enable ping on the management port.
  Enabling ping allows the management port to exchange heartbeat backup information.
  2. Select Ping as a service that is permitted on the interface.

Step 3: If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports.
  For firewalls with dedicated HA ports continue to the next step.
  2. Confirm that the link is up on the ports that you want to use.
  3. Select the interface and set Interface Type to HA.
Step 4: Set the HA mode and group ID.
  2. Set a Group ID and optionally a Description for the pair. The Group ID uniquely identifies each HA pair on your network. If you have multiple HA pairs that share the same broadcast domain you must set a unique Group ID for each pair.
  3. Set the mode to Active Passive.

Step 5: Set up the control link connection.
  This example shows an in-band port that is set to interface type HA.
  For firewalls that use the management port as the control link, the IP address information is automatically prepopulated.

Step 6: (Optional) Enable encryption for the control link connection.
  This is typically used to secure the link if the two firewalls are not directly connected, that is if the ports are connected to a switch or a router.
  3. Select Encryption Enabled.

Step 7: Set up the backup control link connection.
  2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.
Step 8: Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
  2. Select the Port to use for the data link connection.
  3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
  4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.

Step 9: Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.
  You do not need to enable heartbeat backup if you are using the management port for the control link.
Step 10: Set the device priority and enable preemption.
  This setting is only required if you wish to make sure that a specific firewall is the preferred active firewall. For information, see Device Priority and Preemption.

Step 11: (Optional) Modify the HA Timers.
  By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.

Step 12: (Optional, only configured on the passive firewall) Modify the link status of the HA ports on the passive firewall.
  The passive link state is shutdown, by default. After you enable HA, the link state for the HA ports on the active firewall will be green and those on the passive firewall will be down and display as red.
  Setting the link state to Auto allows for reducing the amount of time it takes for the passive firewall to take over when a failover occurs and it allows you to monitor the link state.
  To enable the link status on the passive firewall to stay up and reflect the cabling status on the physical interface:
Step 13: Enable HA.
  2. Select Enable HA.
  4. Enter the IP address assigned to the control link of the peer in Peer HA1 IP Address.
     For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link, enter the management port IP address of the peer.

Step 14: (Optional) Enable LACP and LLDP Pre-Negotiation for Active/Passive HA for faster failover if your network uses LACP or LLDP.
  Enable LACP and LLDP before configuring HA pre-negotiation for the protocol if you want pre-negotiation to function in active mode.
  1. Ensure that in Step 12 you set the link state to Auto.
  3. To enable LACP active pre-negotiation:
     a. Select an AE interface in a Layer 2 or Layer 3 deployment.
     b. Select the LACP tab.
     c. Select Enable in HA Passive State.
     d. Click OK.
     You cannot also select Same System MAC Address for Active-Passive HA because pre-negotiation requires unique interface MAC addresses on the active and passive firewalls.
  4. To enable LACP passive pre-negotiation:
     a. Select an Ethernet interface in a virtual wire deployment.
     b. Select the Advanced tab.
     c. Select the LACP tab.
     d. Select Enable in HA Passive State.
     e. Click OK.
  5. To enable LLDP active pre-negotiation:
     a. Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment.
     b. Select the Advanced tab.
     c. Select the LLDP tab.
     d. Select Enable in HA Passive State.
     e. Click OK.
     If you want to allow LLDP passive pre-negotiation for a virtual wire deployment, perform Step 5 but do not enable LLDP itself.

Step 15: Save your configuration changes.
  Click Commit.
Step 17: After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
  1. Access the Dashboard on both firewalls, and view the High Availability widget.
  2. On the active firewall, click the Sync to peer link.
  3. Confirm that the firewalls are paired and synced, as shown below:
     On the active firewall: The state of the local firewall should display active and the Running Config should show as synchronized.
     On the passive firewall: The state of the local firewall should display passive and the Running Config should show as synchronized.
Define HA Failover Conditions

Configure the Failover Triggers

Step 1: To configure link monitoring, define the interfaces you want to monitor. A change in the link state of these interfaces will trigger a failover.

Step 2: (Optional) Modify the failure condition for the Link Groups that you configured (in the preceding step) on the firewall.
  By default, the firewall will trigger a failover when any monitored link fails.
  1. Select the Link Monitoring section.
  2. Set the Failure Condition to All. The default setting is Any.

Step 3: To configure path monitoring, define the destination IP addresses that the firewall should ping to verify network connectivity.
  2. Select the appropriate item from the dropdown for the Name and Add the IP addresses (source and/or destination, as prompted) that you wish to monitor. Then select the Failure Condition for the group. The path group you define is added to the Path Group section.

Step 4: (Optional) Modify the failure condition for all Path Groups configured on the firewall.
  By default, the firewall will trigger a failover when any monitored path fails.
  Set the Failure Condition to All. The default setting is Any.

Step 5: Save your changes.
  Click Commit.

If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is unique to each firewall; the Engine ID is not synchronized between the HA pair and, therefore, allows you to independently monitor each firewall in the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager.
Because the Engine ID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique Engine ID for each firewall.
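How the Any/All failure conditions at the group and top level combine, and how device priority and preemption then decide which peer becomes active, is easiest to see by working one failure and recovery cycle through. The following added example does that for the Link Monitoring, Path Monitoring and Device Priority settings described in the guidelines and the procedure above; it is illustration code written for this page, not Palo Alto Networks code. Interface names, destination IPs, ping results and HA1 MAC addresses are constructed, and three points are assumptions rather than statements from the guide: a destination is treated as down after the configured ping count of consecutive misses, either monitor type on its own triggers a failover, and in a priority tie the lower HA1 MAC wins.

```python
"""Failover trigger evaluation and active/passive election (added illustration,
not Palo Alto Networks code). All monitor data and MAC addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MonitorGroup:
    name: str
    members: List[str]              # interface names (link group) or destination IPs (path group)
    failure_condition: str = "any"  # the group's own Failure Condition: "any" (default) or "all"


def member_down(replies: List[bool], ping_count: int) -> bool:
    """Path monitoring: a destination counts as down once the last `ping_count`
    pings all went unanswered (assumed reading of the ping count setting)."""
    recent = replies[-ping_count:]
    return len(recent) == ping_count and not any(recent)


def group_failed(group: MonitorGroup, down: Dict[str, bool]) -> bool:
    """Apply the group's Failure Condition to its members."""
    states = [down.get(m, True) for m in group.members]   # unknown member: treat as down
    return all(states) if group.failure_condition == "all" else any(states)


def failover_triggered(groups: List[MonitorGroup], condition: str, down: Dict[str, bool]) -> bool:
    """Apply the top-level Failure Condition (Any by default; Step 2 / Step 4) across groups."""
    if not groups:
        return False
    failed = [group_failed(g, down) for g in groups]
    return all(failed) if condition == "all" else any(failed)


def elect_active(priority: Dict[str, int], ha1_mac: Dict[str, str],
                 healthy: Dict[str, bool], current_active: Optional[str],
                 preemptive: bool) -> Optional[str]:
    """Lower device priority value wins; equal values fall back to the HA1 MAC
    address (assumed: lower MAC wins). With preemption disabled, the current
    active firewall keeps the role for as long as it is healthy."""
    candidates = [p for p, ok in healthy.items() if ok]
    if not candidates:
        return None
    if current_active in candidates and not preemptive:
        return current_active
    return min(candidates, key=lambda p: (priority[p], ha1_mac[p]))


def demo() -> dict:
    """One failure/recovery cycle on constructed monitor data."""
    link_groups = [MonitorGroup("uplinks", ["ethernet1/1", "ethernet1/2"], "all")]
    path_groups = [MonitorGroup("core-router", ["192.0.2.1"], "any")]
    # Constructed ping history for 192.0.2.1 with a ping count of 3: three misses in a row.
    ping_history = {"192.0.2.1": [True, True, False, False, False]}
    link_state = {"ethernet1/1": False, "ethernet1/2": True}   # only one uplink is down

    down = {ifname: not up for ifname, up in link_state.items()}
    down.update({ip: member_down(r, 3) for ip, r in ping_history.items()})

    link_fail = failover_triggered(link_groups, "any", down)   # group needs both uplinks down
    path_fail = failover_triggered(path_groups, "any", down)
    triggers = link_fail or path_fail   # assumption: either monitor type triggers failover

    priority = {"A": 100, "B": 110}     # Peer A keeps the default 100, Peer B is set to 110
    mac = {"A": "00:1b:17:00:00:01", "B": "00:1b:17:00:00:02"}   # constructed HA1 MACs
    after_fail = elect_active(priority, mac, {"A": not triggers, "B": True}, "A", True)
    recovered_preempt = elect_active(priority, mac, {"A": True, "B": True}, after_fail, True)
    recovered_no_preempt = elect_active(priority, mac, {"A": True, "B": True}, after_fail, False)
    return {"link_fail": link_fail, "path_fail": path_fail, "failover": triggers,
            "after_fail": after_fail, "recovered_preempt": recovered_preempt,
            "recovered_no_preempt": recovered_no_preempt}
```

In `demo()` the link group does not trip because its own condition is All and only one uplink is down, but the path group does, so Peer B takes over; after Peer A recovers, it regains the active role only when preemption is enabled, which is the behaviour Step 3 of Verify Failover checks for.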
Verify Failover

To test that your HA configuration works properly, trigger a manual failover and verify that the firewalls transition states successfully.

Verify Failover

Step 1: Suspend the active firewall.

Step 2: Verify that the passive firewall has taken over as active.
  On the Dashboard, verify that the state of the passive firewall changes to active in the High Availability widget.

Step 3: Restore the suspended firewall to a functional state. Wait for a couple of minutes, and then verify that preemption has occurred, if Preemptive is enabled.
Set Up Active/Active HA

- Prerequisites for Active/Active HA
- Configure Active/Active HA

Prerequisites for Active/Active HA

To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following requirements:
- The same model: The firewalls in the pair must be of the same hardware model.
- The same PAN-OS version: The firewalls should be running the same PAN-OS version and must each be up to date on the application, URL, and threat databases.
- The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - The HA interfaces must be configured with static IP addresses only, not IP addresses obtained from DHCP (except AWS can use DHCP addresses). Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for the peers must be on the same subnet if they are directly connected or are connected to the same switch.
  - For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
  - Each firewall needs a dedicated interface for the HA3 link. PA-7000 Series firewalls use the HSCI port. On the remaining platforms, you can configure aggregate interfaces as the HA3 link for redundancy.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the new firewall. This will ensure that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean config. You will also have to configure local IP addresses.
Configure Active/Active HA

Determine which type of use case you have and then select the corresponding procedure to configure active/active HA. If you are using Route-Based Redundancy, Floating IP Address and Virtual MAC Address, or ARP Load Sharing, select the corresponding procedure:
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load Sharing

If you want a Layer 3 active/active HA deployment that behaves like an active/passive deployment, select the following procedure:
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

If you are configuring NAT in Active/Active HA Mode, see the following procedures:
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
Configure Active/Active HA

Step 1: Connect the HA ports to set up a physical connection between the firewalls.
  For each use case, the firewalls could be any hardware platform; choose the HA3 step that corresponds with your platform.
  - For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
  - For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls.
    Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
  - For HA3:
    - On PA-7000 Series firewalls, connect the High Speed Chassis Interconnect (HSCI-A) on the first chassis to the HSCI-A on the second chassis, and the HSCI-B on the first chassis to the HSCI-B on the second chassis.
    - On any other hardware platform, use dataplane interfaces for HA3.

Pick a firewall in the pair and complete the following steps:

Step 2: Enable ping on the management port.
  Enabling ping allows the management port to exchange heartbeat backup information.
  2. Select Ping as a service that is permitted on the interface.
Step 3: If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports.
  For firewalls with dedicated HA ports continue to the next step.
  2. Confirm that the link is up on the ports that you want to use.
  3. Select the interface and set Interface Type to HA.

Step 4: Enable active/active HA and set the group ID.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.

Step 5: Set the Device ID, enable synchronization, and identify the control link on the peer firewall.
  6. Click OK.

Step 6: Determine whether or not the firewall with the lower Device ID preempts the active-primary firewall upon recovery from a failure.
  2. Select Preemptive to cause the firewall with the lower Device ID to automatically resume active-primary operation after either firewall recovers from a failure. Both firewalls must have Preemptive selected for preemption to occur.
     Leave Preemptive unselected if you want the active-primary role to remain with the current firewall until you manually make the recovered firewall the active-primary firewall.

Step 7: Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.
  You need not enable heartbeat backup if you are using the management port for the control link.
  2. Select Heartbeat Backup.
     To allow the heartbeats to be transmitted between the firewalls, you must verify that the management port across both peers can route to each other.
     Enabling heartbeat backup allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes the other is down and attempts to start services that are running, thereby causing a split brain. Enabling heartbeat backup prevents split brain because redundant heartbeats and hello messages are transmitted over the management port.
Step 8: (Optional) Modify the HA Timers.
  By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.
  2. Select Aggressive to trigger faster failover. Select Advanced to define custom values for triggering failover in your setup.
     To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.

Step 9: Set up the control link connection.
  This example uses an in-band port that is set to interface type HA.
  For firewalls that use the management port as the control link, the IP address information is automatically prepopulated.
  2. Select the Port that you have cabled for use as the HA1 link.
  3. Set the IPv4/IPv6 Address and Netmask.
     If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected.

Step 10: (Optional) Enable encryption for the control link connection.
  This is typically used to secure the link if the two firewalls are not directly connected, that is if the ports are connected to a switch or a router.
  1. Export the HA key from one firewall and import it into the peer firewall.
     a. Select Device > Certificate Management > Certificates.
     b. Select Export HA key. Save the HA key to a network location that the peer can access.
     c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location that you saved the key and import it into the peer.
  3. Select Encryption Enabled.

Step 11: Set up the backup control link connection.
  2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.
Step 12: Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
  2. Select the Port to use for the data link connection.
  3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
  4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
  8. Click OK.

Step 13: Configure the HA3 link for packet forwarding.
  2. For HA3 Interface, select the interface you want to use to forward packets between active/active HA peers. It must be a dedicated interface capable of Layer 2 transport and set to Interface Type HA.
  4. Select QoS Sync to synchronize the QoS profile selection on all physical interfaces. Select when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.

Step 14: (Optional) Modify the Tentative Hold time.
Step 15: Configure Session Owner and Session Setup.
  3. For Session Setup, select one of the following:
     - IP Modulo: Distributes session setup load based on parity of the source IP address (recommended setting).
     - Primary Device: The active-primary firewall sets up all sessions.
     - First Packet: The firewall that receives the first packet of a new session performs session setup.
     - IP Hash: The firewall uses a hash of either the source IP address or a combination of the source and destination IP addresses to distribute session setup responsibilities.
  4. Click OK.

Step 16: Configure an HA virtual address.
  You need a virtual address to use a Floating IP Address and Virtual MAC Address or ARP Load Sharing.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.
  5. For Type:
     - Select Floating to configure the virtual IP address to be a floating IP address.
     - Select ARP Load Sharing to configure the virtual IP address to be a shared IP address and proceed to Step 18.

Step 17: Configure the floating IP address.
  4. Click OK.
Step 18: Configure ARP Load Sharing.
  The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  2. Click OK.

Step 19: Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
  Switch ports that connect the HA3 link must support jumbo frames to handle the overhead associated with the MAC-in-MAC encapsulation on the HA3 link.
  The jumbo frame packet size on the firewall must match the setting on the switch.
  3. Click OK.
  4. Repeat on any intermediary networking devices.

Step 20: Define HA failover conditions.
  Define HA Failover Conditions.

Step 21: Save the configuration.
  Click Commit.

Step 22: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
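The four Session Setup options in Step 15 decide which peer does the work of setting up each new session, and therefore how evenly that work is spread. The following added example models the selection for a constructed set of flows; it is illustration code written for this page, not Palo Alto Networks code. The guide names the inputs to each option but not the arithmetic, so the parity test (lowest bit of the source address) and the CRC32 stand-in for the firewall's hash are assumptions, and the function names are hypothetical.

```python
"""Session setup selection in active/active HA (added illustration, not Palo Alto
Networks code). Modes mirror the Step 15 options; the parity and hash arithmetic
are assumptions, and all flows below are constructed sample data."""
import ipaddress
import zlib
from collections import Counter
from typing import Dict, Optional


def setup_device(mode: str, src: str, dst: Optional[str],
                 receiving_id: int, active_primary_id: int = 0) -> int:
    """Return the Device ID (0 or 1) that performs session setup for one new flow."""
    if mode == "primary-device":
        return active_primary_id            # active-primary sets up all sessions
    if mode == "first-packet":
        return receiving_id                 # whoever received the first packet
    if mode == "ip-modulo":
        # Parity of the source IP address; assumed: lowest bit of the address as an integer.
        return int(ipaddress.ip_address(src)) & 1
    if mode == "ip-hash":
        # Hash of the source, or of source and destination when a destination is given.
        key = src if dst is None else f"{src},{dst}"
        return zlib.crc32(key.encode()) & 1   # assumption: CRC32 stands in for the firewall's hash
    raise ValueError(f"unknown session setup mode: {mode}")


def distribution(mode: str, flows, active_primary_id: int = 0) -> Dict[int, int]:
    """Count how many of the given (src, dst, receiving_id) flows each Device ID sets up."""
    counts: Counter = Counter()
    for src, dst, receiving_id in flows:
        counts[setup_device(mode, src, dst, receiving_id, active_primary_id)] += 1
    return dict(counts)


# Constructed flows: (source IP, destination IP, Device ID that saw the first packet).
SAMPLE_FLOWS = [
    ("10.0.0.1", "203.0.113.1", 0),
    ("10.0.0.2", "203.0.113.1", 1),
    ("10.0.0.3", "203.0.113.2", 0),
    ("10.0.0.4", "203.0.113.2", 1),
]
```

Run `distribution("ip-modulo", SAMPLE_FLOWS)` to see the even split the recommended setting gives for these addresses, and `distribution("primary-device", SAMPLE_FLOWS)` to see all setup work land on one peer, which is the trade-off behind the guide's recommendation.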
Use Case: Configure Active/Active HA with Route-Based Redundancy

The following Layer 3 topology illustrates two PA-7050 firewalls in an active/active HA environment that use Route-Based Redundancy. The firewalls belong to an OSPF area. When a link or firewall fails, OSPF handles the redundancy by redirecting traffic to the functioning firewall.

Configure Active/Active HA with Route-Based Redundancy

Step 1

Step 2: Configure OSPF.
  See OSPF.

Step 3: Define HA failover conditions.
  Define HA Failover Conditions.

Step 4: Save the configuration.
  Click Commit.

Step 5: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Floating IP Addresses

In this Layer 3 interface example, the HA firewalls connect to switches and use floating IP addresses to handle link or firewall failures. The end hosts are each configured with a gateway, which is the floating IP address of one of the HA firewalls. See Floating IP Address and Virtual MAC Address.

Configure Active/Active HA with Floating IP Addresses

Step 1

Step 2: Configure an HA virtual address.
  You need a virtual address to use a Floating IP Address and Virtual MAC Address.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.
  5. For Type, select Floating to configure the virtual IP address to be a floating IP address.

Step 3: Configure the floating IP address.
  4. Click OK.
Step 4: Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
  Perform Step 19 of Configure Active/Active HA.

Step 5: Define HA failover conditions.
  Define HA Failover Conditions.

Step 6: Save the configuration.
  Click Commit.

Step 7: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with ARP Load Sharing

In this example, hosts in a Layer 3 deployment need gateway services from the HA firewalls. The firewalls are configured with a single shared IP address, which allows ARP Load Sharing. The end hosts are configured with the same gateway, which is the shared IP address of the HA firewalls.

Configure Active/Active HA with ARP Load Sharing

Step 1

Step 2: Configure an HA virtual address.
  The virtual address is the shared IP address that allows ARP Load Sharing.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.

Step 3: Configure ARP Load Sharing.
  The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  2. Click OK.

Step 4: Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
  Perform Step 19 of Configure Active/Active HA.

Step 5: Define HA failover conditions.
  Define HA Failover Conditions.

Step 6: Save the configuration.
  Click Commit.

Step 7: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

In mission-critical data centers, you may want both Layer 3 HA firewalls to participate in path monitoring so that they can detect path failures upstream from both firewalls. Additionally, you prefer to control if and when the floating IP address returns to the recovered firewall after it comes back up, rather than the floating IP address returning to the device ID to which it is bound. (That default behavior is described in Floating IP Address and Virtual MAC Address.)

In this use case, you control when the floating IP address and therefore the active-primary role move back to a recovered HA peer. The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.

In this use case, Cisco Nexus 7010 switches with virtual Port Channels (vPCs) operating in Layer 3 connect to the firewalls. You must configure the Layer 3 switches (router peers) north and south of the firewalls with a route preference to the floating IP address. That is, you must design your network so the route tables of the router peers have the best path to the floating IP address. This example uses static routes with the proper metrics so that the route to the floating IP address uses a lower metric (the route to the floating IP address is preferred) and receives the traffic. An alternative to using static routes would be to design the network to redistribute the floating IP address into the OSPF routing protocol (if you are using OSPF).
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 227
SetUpActive/ActiveHA
HighAvailability
ThefollowingtopologyillustratesthefloatingIPaddressboundtotheactiveprimaryfirewall,whichis
initiallyPeerA,thefirewallontheleft.
Uponafailover,whentheactiveprimaryfirewall(PeerA)goesdownandtheactivesecondaryfirewall(Peer
B)takesoverastheactiveprimarypeer,thefloatingIPaddressmovestoPeerB(showninthefollowing
figure).PeerBremainstheactiveprimaryfirewallandtrafficcontinuestogotoPeerB,evenwhenPeer A
recoversandbecomestheactivesecondaryfirewall.YoudecideifandwhentomakePeerAthe
activeprimaryfirewallagain.
BindingthefloatingIPaddresstotheactiveprimaryfirewallprovidesyouwithmorecontroloverhowthe
firewallsdeterminefloatingIPaddressownershipastheymovebetweenvariousHAFirewallStates.The
followingadvantagesresult:
228 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
HighAvailability
SetUpActive/ActiveHA
Youcanhaveanactive/activeHAconfigurationforpathmonitoringoutofbothfirewalls,buthavethe
firewallsfunctionlikeanactive/passiveHAconfigurationbecausetrafficdirectedtothefloatingIP
addressalwaysgoestotheactiveprimaryfirewall.
Whenyoudisablepreemptiononbothfirewalls,youhavethefollowingadditionalbenefits:
ThefloatingIPaddressdoesnotmovebackandforthbetweenHAfirewallsiftheactivesecondary
firewallflapsupanddown.
Youcanreviewthefunctionalityoftherecoveredfirewallandtheadjacentcomponentsbeforemanually
directingtraffictoitagain,whichyoucandoataconvenientdowntime.
YouhavecontroloverwhichfirewallownsthefloatingIPaddresssothatyoukeepallflowsofnewand
existingsessionsontheactiveprimaryfirewall,therebyminimizingtrafficontheHA3link.
WestronglyrecommendedyouconfigureHAlinkmonitoringontheinterface(s)thatsupportthefloatingIP
address(es)toalloweachHApeertoquicklydetectalinkfailureandfailovertoitspeer.BothHApeersmust
havelinkmonitoringforittofunction.
WestronglyrecommendyouconfigureHApathmonitoringtonotifyeachHApeerwhenapathhasfailedso
afirewallcanfailovertoitspeer.BecausethefloatingIPaddressisalwaysboundtotheactiveprimary
firewall,thefirewallcannotautomaticallyfailovertothepeerwhenapathgoesdownandpathmonitoringis
notenabled.
YoucannotconfigureNATforafloatingIPaddressthatisboundtoanactiveprimaryfirewall.
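The ownership behavior this use case contrasts (floating IP bound to a Device ID versus bound to the active-primary firewall, with and without preemption), modelled as an added Python example that is not code from the guide or from PAN-OS; the class names, the priority values and the manual failback call are assumptions of the model.

```python
"""Floating IP ownership in a PAN-OS active/active HA pair, modelled in Python.

Added example; this is not code from the PAN-OS 7.1 Administrator's Guide.
It models the two behaviors the use case contrasts: a floating IP bound to a
Device ID returns to that device when it recovers (the default), while a
floating IP bound to the active-primary firewall follows the active-primary
role, which a recovered peer takes back only when preemption is enabled.
Class names, priorities and the "manual failback" call are assumptions.
"""
from dataclasses import dataclass, field

ACTIVE_PRIMARY = "active-primary"
ACTIVE_SECONDARY = "active-secondary"
DOWN = "down"


@dataclass
class Peer:
    name: str
    device_id: int
    priority: int                  # lower value = higher priority
    state: str = ACTIVE_SECONDARY


@dataclass
class FloatingIP:
    address: str
    bound_to: str                  # "device-id" or "active-primary"
    device_id: int = 0             # used only when bound_to == "device-id"
    owner: str = ""


@dataclass
class HAPair:
    a: Peer
    b: Peer
    fip: FloatingIP
    preemption: bool
    log: list = field(default_factory=list)

    def __post_init__(self):
        # Initial election: the peer with the lower priority value is active-primary.
        self._set_primary(self.a if self.a.priority <= self.b.priority else self.b)
        self._place_fip()

    def _other(self, peer):
        return self.b if peer is self.a else self.a

    def _set_primary(self, peer):
        peer.state = ACTIVE_PRIMARY
        other = self._other(peer)
        if other.state != DOWN:
            other.state = ACTIVE_SECONDARY

    def _primary(self):
        return self.a if self.a.state == ACTIVE_PRIMARY else self.b

    def _place_fip(self):
        """Decide who owns the floating IP under the configured binding."""
        if self.fip.bound_to == "device-id":
            # Default behavior: the bound Device ID holds the address whenever it is up.
            bound = self.a if self.a.device_id == self.fip.device_id else self.b
            self.fip.owner = (bound if bound.state != DOWN else self._other(bound)).name
        else:
            # Use-case behavior: the address follows the active-primary role.
            self.fip.owner = self._primary().name
        self.log.append(self.fip.owner)

    def fail(self, peer):
        peer.state = DOWN
        self._set_primary(self._other(peer))   # surviving peer becomes active-primary
        self._place_fip()

    def recover(self, peer):
        peer.state = ACTIVE_SECONDARY
        # With preemption, a recovered peer with a better (lower) priority value
        # takes the active-primary role back; without it, it waits for the admin.
        if self.preemption and peer.priority < self._primary().priority:
            self._set_primary(peer)
        self._place_fip()

    def manual_failback(self, peer):
        """Administrator moves the active-primary role (and the address) at a chosen time."""
        self._set_primary(peer)
        self._place_fip()


def simulate(bound_to, preemption, manual_failback=False):
    """Run the guide's scenario: Peer A fails, recovers, and is optionally failed back.

    Returns the floating IP owner after each event, starting with the initial owner.
    """
    a = Peer("PeerA", device_id=0, priority=100)
    b = Peer("PeerB", device_id=1, priority=200)
    pair = HAPair(a, b, FloatingIP("10.1.1.100", bound_to, device_id=0), preemption)
    pair.fail(a)
    pair.recover(a)
    if manual_failback:
        pair.manual_failback(a)
    return pair.log


if __name__ == "__main__":
    for mode, pre in (("device-id", False), ("active-primary", True), ("active-primary", False)):
        print(f"bound to {mode:14s} preemption={pre!s:5s} owners: {simulate(mode, pre)}")
```

With the address bound to the active-primary firewall and preemption disabled, the owner list stays on Peer B after Peer A recovers until the administrator fails back; the other two modes hand the address back to Peer A automatically.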
Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Step 1

Step 2 (Optional) Disable preemption. Disabling preemption allows you full control over when the recovered firewall becomes the active-primary firewall.
  1.
  2.
  3.

Step 3

Step 4 Configure Session Owner and Session Setup.
  1.
  2.
  3.
  4. Click OK.

Step 5 Configure an HA virtual address.
  1.
  2. Enter or select an Interface.
  3.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
  5. Click OK.

Step 6 Bind the floating IP address to the active-primary firewall.
  1.
  2.
  3. Click OK.

Step 7 Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 8 Save the configuration. Click Commit.

Step 9 Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

This Layer 3 interface example uses source NAT in Active/Active HA Mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.

PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet 1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.

Configure Active/Active HA with Source DIPP NAT Using Floating IP Address

On PA-3050-2 (Device ID 1), complete the following steps:

Step 1

Step 2 Enable active/active HA.
  1.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. For Mode, select Active Active.
  5. Select Device ID 1.
  6.
  7.
  8.
  9. Click OK.

Step 3

Step 4 Configure Session Owner and Session Setup.
  1.
  2.
  3.
  4. Click OK.

Step 5 Configure an HA virtual address.
  1.
  2. Select Interface eth1/1.
  3.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.

Step 6 Configure the floating IP address.
  1.
  2.
  3. Click OK.

Step 7 Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 8 Define HA failover conditions. (See Define HA Failover Conditions.)

Step 9 Save the configuration. Click Commit.

Step 10 Configure the peer firewall, PA-3050-1, with the same settings, except for the following changes:
  - Select Device ID 0.
  - Configure an HA virtual address of 10.1.1.100.
  - For Device 1 Priority, enter 255. For Device 0 Priority, enter 0. In this example, Device ID 0 has a lower priority value and therefore a higher priority; the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.

Step 11 Still on PA-3050-1, create the source NAT rule for Device ID 0.
  1.
  2. Enter a Name for the rule that in this example identifies it as a source NAT rule for Device ID 0.
  3. For NAT Type, select ipv4 (default).
  4.
  5. For Destination Zone, select the zone you created for the external network.
  6.
  7.
  8.
  9. On the Active/Active HA Binding tab, for Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
  10. Click OK.

Step 12 Create the source NAT rule for Device ID 1.
  1.
  2. Enter a Name for the policy rule that in this example helps identify it as a source NAT rule for Device ID 1.
  3. For NAT Type, select ipv4 (default).
  4.
  5.
  6.
  7.
  8. On the Active/Active HA Binding tab, for the Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
  9. Click OK.

Step 13 Save the configuration. Click Commit.
Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

If you want to use IP address pools for source NAT in Active/Active HA Mode, each firewall must have its own pool, which you then bind to a Device ID in a NAT rule.

Address objects and NAT rules are synchronized (in both active/passive and active/active mode), so they need to be configured on only one of the firewalls in the HA pair.

This example configures an address object named DynIPPool-dev0 containing the IP address pool 10.1.1.140-10.1.1.150. It also configures an address object named DynIPPool-dev1 containing the IP address pool 10.1.1.160-10.1.1.170. The first address object is bound to Device ID 0; the second address object is bound to Device ID 1.

Create Address Objects for IP Address Pools for Source NAT in an Active/Active HA Configuration

Step 1 On one HA firewall, create address objects.
  1.
  2. For Type, select IP Range and enter the range 10.1.1.140-10.1.1.150.
  3. Click OK.
  4. Repeat this step to configure another address object named DynIPPool-dev1 with the IP Range of 10.1.1.160-10.1.1.170.

Step 2 Create the source NAT rule for Device ID 0.
  1.
  2.
  3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
  4.
  5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 0: DynIPPool-dev0.
  6. For Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
  7. Click OK.

Step 3 Create the source NAT rule for Device ID 1.
  1.
  2.
  3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
  4.
  5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 1: DynIPPool-dev1.
  6. For Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
  7. Click OK.

Step 4 Save the configuration. Select Commit.
Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT

This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load Sharing with destination NAT. Both HA firewalls respond to an ARP request for the destination NAT address with the ingress interface MAC address. Destination NAT translates the public, shared IP address (in this example, 10.1.1.200) to the private IP address of the server (in this example, 192.168.2.200).

When the HA firewalls receive traffic for the destination 10.1.1.200, both firewalls could possibly respond to the ARP request, which could cause network instability. To avoid the potential issue, configure the firewall that is in active-primary state to respond to the ARP request by binding the destination NAT rule to the active-primary firewall.

Configure Active/Active HA for ARP Load Sharing with Destination NAT

On PA-3050-2 (Device ID 1), complete the following steps:

Step 1

Step 2 Enable active/active HA.
  1.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  7.
  8.
  9.
  10. Click OK.

Step 3

Step 4 Configure an HA virtual address.
  1.
  2. Select Interface eth1/1.
  3.
  4.

Step 5 Configure ARP Load Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1.
  2.

Step 6 Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 7 Define HA failover conditions. (See Define HA Failover Conditions.)

Step 8 Save the configuration. Click Commit.

Step 9 Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.

Step 10 Still on PA-3050-1 (Device ID 0), create the destination NAT rule so that the active-primary firewall responds to ARP requests.
  1.
  2.
  3.
  4.
  5. For Destination Zone, select the Untrust zone you created for the external network.
  6.
  7. For Destination Address, specify 10.1.1.200.
  8. For the Translated Packet, Source Address Translation remains None.
  9.
  Click Commit.
Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3

This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load Sharing. PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1.

In this use case, both of the HA firewalls must respond to an ARP request for the destination NAT address. Traffic can arrive at either firewall from either WAN router in the untrust zone. Destination NAT translates the public-facing, shared IP address to the private IP address of the server. The configuration requires one destination NAT rule bound to both Device IDs so that both firewalls can respond to ARP requests.

Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3

On PA-3050-2 (Device ID 1), complete the following steps:

Step 1

Step 2 Enable active/active HA.
  1.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  7.
  8.
  9.
  10. Click OK.

Step 3

Step 4 Configure an HA virtual address.
  1.
  2. Select Interface eth1/2.
  3.
  4.

Step 5 Configure ARP Load Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  1.
  2.

Step 6 Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.

Step 7 Define HA failover conditions. (See Define HA Failover Conditions.)

Step 8 Save the configuration. Click Commit.

Step 9 Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.

Step 10 Still on PA-3050-1 (Device ID 0), create the destination NAT rule for both Device ID 0 and Device ID 1.
  1.
  2.
  3.
  4.
  5. For Destination Zone, select the Untrust zone you created for the external network.
  6.
  7. For Destination Address, specify 10.1.1.200.
  8. For the Translated Packet, Source Address Translation remains None.
  9.
  Click Commit.
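The Active/Active HA Binding used across the four NAT use cases above (source DIPP NAT rules bound to each Device ID, separate address pools per Device ID, and a destination NAT rule bound either to the active-primary firewall or to both Device IDs), modelled as an added Python example that is not code from the guide or from PAN-OS; the class names, the DIPP port allocator, the pool selection formula and the sample flows are assumptions of the model.

```python
"""Device-ID-bound NAT rules in a PAN-OS active/active HA pair, modelled in Python.

Added example; this is not code from the PAN-OS 7.1 Administrator's Guide.
It models the rule binding the use cases above describe: a NAT rule bound to
Device ID 0 or 1 is applied only by the firewall with that Device ID, a rule
bound to "both" by either firewall, and a rule bound to "primary" only by the
active-primary firewall. Class names, the DIPP port allocator, the pool
selection formula and the sample flows are assumptions of this model.
"""
import ipaddress
from dataclasses import dataclass, field
from itertools import count


@dataclass
class NatRule:
    name: str
    kind: str                  # "source" (dynamic IP and port) or "destination"
    binding: str               # Active/Active HA Binding: "0", "1", "both" or "primary"
    from_zone: str
    to_zone: str
    dst_match: str = "any"     # destination address the rule matches (destination NAT)
    pool: tuple = ()           # (first, last) translated source range (source NAT)
    translated_dst: str = ""   # translated destination address (destination NAT)


@dataclass
class HAFirewall:
    name: str
    device_id: int
    role: str                  # "active-primary" or "active-secondary"
    rules: list                # synchronized rulebase, identical on both peers
    ports: dict = field(default_factory=dict)

    def applies(self, rule):
        """A rule bound to the other Device ID is never matched on this firewall."""
        if rule.binding == "both":
            return True
        if rule.binding == "primary":
            return self.role == "active-primary"
        return rule.binding == str(self.device_id)

    def _next_dipp_port(self, address):
        # Constructed DIPP allocator: an independent port counter per translated address.
        return next(self.ports.setdefault(address, count(1025)))

    def translate(self, flow):
        """Return (translated_flow, rule_name), or (flow, None) if no rule applies."""
        for rule in self.rules:
            if not self.applies(rule):
                continue
            if (rule.from_zone, rule.to_zone) != (flow["from_zone"], flow["to_zone"]):
                continue
            if rule.kind == "source":
                first = ipaddress.IPv4Address(rule.pool[0])
                size = int(ipaddress.IPv4Address(rule.pool[1])) - int(first) + 1
                # Spread hosts over this firewall's own pool (constructed formula).
                new_src = str(first + int(ipaddress.IPv4Address(flow["src"])) % size)
                out = dict(flow, src=new_src, sport=self._next_dipp_port(new_src))
                return out, rule.name
            if rule.kind == "destination" and flow["dst"] == rule.dst_match:
                return dict(flow, dst=rule.translated_dst), rule.name
        return flow, None


def build_pair(dnat_binding="both"):
    """PA-3050-1 (Device ID 0) and PA-3050-2 (Device ID 1) sharing one synced rulebase."""
    rules = [
        NatRule("Source NAT dev0", "source", "0", "Trust", "Untrust",
                pool=("10.1.1.140", "10.1.1.150")),       # DynIPPool-dev0
        NatRule("Source NAT dev1", "source", "1", "Trust", "Untrust",
                pool=("10.1.1.160", "10.1.1.170")),       # DynIPPool-dev1
        NatRule(f"Destination NAT {dnat_binding}", "destination", dnat_binding,
                "Untrust", "Untrust", dst_match="10.1.1.200",
                translated_dst="192.168.2.200"),
    ]
    fw0 = HAFirewall("PA-3050-1", 0, "active-primary", rules)
    fw1 = HAFirewall("PA-3050-2", 1, "active-secondary", rules)
    return fw0, fw1


# Constructed sample flows: an outbound host session and an inbound request to the
# shared destination NAT address.
OUTBOUND = {"src": "192.168.2.10", "sport": 40000, "dst": "203.0.113.5",
            "from_zone": "Trust", "to_zone": "Untrust"}
INBOUND = {"src": "198.51.100.7", "sport": 5000, "dst": "10.1.1.200",
           "from_zone": "Untrust", "to_zone": "Untrust"}


if __name__ == "__main__":
    for fw in build_pair("primary"):
        print(fw.name, fw.translate(OUTBOUND), fw.translate(INBOUND))
```

Each peer translates the same outbound flow into its own pool, so a session that arrives at PA-3050-2 is never sourced from the Device ID 0 pool; with the destination rule bound to "primary", only the active-primary firewall translates (and therefore answers ARP for) 10.1.1.200.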
HA Firewall States

An HA firewall can be in one of the following states:

Initial (occurs in A/P or A/A)
  Transient state of a firewall when it joins the HA pair. The firewall remains in this state after boot-up until it discovers a peer and negotiations begin. After a timeout, the firewall becomes active if HA negotiation has not started.

Active (occurs in A/P)
  State of the active firewall in an active/passive configuration.

Passive (occurs in A/P)
  State of the passive firewall in an active/passive configuration. The passive firewall is ready to become the active firewall with no disruption to the network. Although the passive firewall is not processing other traffic:
  - If passive link state auto is configured, the passive firewall is running routing protocols, monitoring link and path state, and the passive firewall will pre-negotiate LACP and LLDP if LACP and LLDP pre-negotiation are configured, respectively.
  - The passive firewall is synchronizing flow state, runtime objects, and configuration.
  - The passive firewall is monitoring the status of the active firewall using the hello protocol.

Active-Primary (occurs in A/A)
  In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. A firewall in this state can own sessions and set up sessions.

Active-Secondary (occurs in A/A)
  In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. A firewall in active-secondary state does not support DHCP relay. A firewall in this state can own sessions and set up sessions.

Tentative (occurs in A/A)
  State of a firewall (in an active/active configuration) caused by one of the following:
  - Failure of a firewall.
  - Failure of a monitored object (a link or path).
  - The firewall leaves suspended or non-functional state.
  A firewall in tentative state synchronizes sessions and configurations from the peer.
  In a virtual wire deployment, when a firewall enters tentative state due to a path failure and receives a packet to forward, it sends the packet to the peer firewall over the HA3 link for processing. The peer firewall processes the packet and sends it back over the HA3 link to the firewall to be sent out the egress interface. This behavior preserves the forwarding path in a virtual wire deployment.
  In a Layer 3 deployment, when a firewall in tentative state receives a packet, it sends that packet over the HA3 link for the peer firewall to own or set up the session. Depending on the network topology, this firewall either sends the packet out to the destination or sends it back to the peer in tentative state for forwarding.
  After the failed path or link clears or as a failed firewall transitions from tentative state to active-secondary state, the Tentative Hold Time is triggered and routing convergence occurs. The firewall attempts to build routing adjacencies and populate its route table before processing any packets. Without this timer, the recovering firewall would enter active-secondary state immediately and would black hole packets because it would not have the necessary routes.
  When a firewall leaves suspended state, it goes into tentative state for the Tentative Hold Time after links are up and able to process incoming packets.
  Tentative Hold Time range (sec) can be disabled (which is 0 seconds) or in the range 10-600; default is 60.

Non-functional (occurs in A/P or A/A)
  Error state due to a dataplane failure or a configuration mismatch, such as only one firewall configured for packet forwarding, VR sync or QoS sync.
  In active/passive mode, all of the causes listed for Tentative state cause non-functional state.

Suspended (occurs in A/P or A/A)
  Administratively disabled state. In this state, an HA firewall cannot participate in the HA election process.
Reference: HA Synchronization

If you have enabled configuration synchronization on both peers in an HA pair, most of the configuration settings you configure on one peer will automatically sync to the other peer upon commit. To avoid configuration conflicts, always make configuration changes on the active (active/passive) or active-primary (active/active) peer and wait for the changes to sync to the peer before making any additional configuration changes.

Only committed configurations synchronize between HA peers. Any configuration in the commit queue at the time of an HA sync will not be synchronized.

The following topics identify which configuration settings you must configure on each firewall independently (these settings are not synchronized from the HA peer).
- What Settings Don't Sync in Active/Passive HA?
- What Settings Don't Sync in Active/Active HA?
- Synchronization of System Runtime Information

What Settings Don't Sync in Active/Passive HA?

You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Passive?

Management Interface Settings: All management configuration settings must be configured individually on each firewall, including:
  - Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  - Device > Setup > Management > Management Interface Settings: IP Type, IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)

Multi-vsys Capability: To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair.
  You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings: You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings

SNMP

Statistics Collection

Services

Global Service Routes

Data Protection

Jumbo Frames: Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings: Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

Master Key Secured by HSM: Device > Setup > HSM > Hardware Security Module Provider > Master Key Secured by HSM

Log Export Settings

Software Updates: With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. (Device > Software)

GlobalProtect Agent Package: With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer. (Device > GlobalProtect Client)

Content Updates: With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. (Device > Dynamic Updates)

Licenses/Subscriptions

Support Subscription

Master Key: The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics).
  Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, logs, and Dashboard Settings: Log data, reports, and Dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

HA settings
What Settings Don't Sync in Active/Active HA?

You must configure the following settings on each firewall in an HA pair in an active/active deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Active?

Management Interface Settings: You must configure all management settings individually on each firewall, including:
  - Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  - Device > Setup > Management > Management Interface Settings: IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)

Multi-vsys Capability: To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair.
  You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings: You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings

SNMP

Statistics Collection

Services

Global Service Routes

Data Protection

Jumbo Frames: Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings: Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

HSM Configuration

Log Export Settings

Software Updates: With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. (Device > Software)

GlobalProtect Agent Package: With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer. (Device > GlobalProtect Client)

Content Updates: With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. (Device > Dynamic Updates)

Licenses/Subscriptions

Support Subscription

Ethernet Interface IP Addresses: All Ethernet interface configuration settings sync except for the IP address (Network > Interface > Ethernet).

Loopback Interface IP Addresses: All Loopback interface configuration settings sync except for the IP address (Network > Interface > Loopback).

Tunnel Interface IP Addresses: All Tunnel interface configuration settings sync except for the IP address (Network > Interface > Tunnel).

LACP System Priority: Each peer must have a unique LACP System ID in an active/active deployment (Network > Interface > Ethernet > Add Aggregate Group > System Priority).

Virtual router configuration synchronizes only if you have enabled VR Sync (Device > High Availability > Active/Active Config > Packet Forwarding). Whether or not to do this depends on your network design, including whether you have asymmetric routing.

IPSec Tunnels: IPSec tunnel configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Device > High Availability > Active/Active Config > Virtual Address). If you have configured a floating IP address, these settings sync automatically. Otherwise, you must configure these settings independently on each peer.

GlobalProtect Portal Configuration: GlobalProtect portal configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Portals). If you have configured a floating IP address, the GlobalProtect portal configuration settings sync automatically. Otherwise, you must configure the portal settings independently on each peer.

GlobalProtect Gateway Configuration: GlobalProtect gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Gateways). If you have configured a floating IP address, the GlobalProtect gateway configuration settings sync automatically. Otherwise, you must configure the gateway settings independently on each peer.

QoS

LLDP: No LLDP state or individual firewall data is synchronized in an active/active configuration (Network > Network Profiles > LLDP).

BFD: No BFD configuration or BFD session data is synchronized in an active/active configuration (Network > Network Profiles > BFD Profile).

IKE Gateways: IKE gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use floating IP addresses (Network > IKE Gateways). If you have configured a floating IP address, the IKE gateway configuration settings sync automatically. Otherwise, you must configure the IKE gateway settings independently on each peer.

Master Key: The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics).
  Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, logs, and Dashboard Settings: Log data, reports, and dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

HA settings
Synchronization of System Runtime Information

Runtime Information | Config Synced? A/P | Config Synced? A/A | HA Link | Details

Management Plane
User to Group Mappings | Yes | Yes | HA1 |
DHCP Lease (as server) | Yes | Yes | HA1 |
DNS Cache | No | No | N/A |
FQDN Refresh | No | No | N/A |
IKE Keys (phase 2) | Yes | Yes | HA1 |
BrightCloud URL Database | No | No | N/A |
BrightCloud URL Cache | No | No | N/A | This feature is disabled by default and must be enabled separately on each HA peer.
BrightCloud Bloom Filter | No | No | N/A | This feature is disabled by default and must be enabled separately on each HA peer.
PAN-DB URL Cache | Yes | No | HA1 | This is synchronized upon database backup to disk (every eight hours, when URL database version updates), or when the firewall reboots.
Content (manual sync) | Yes | Yes | HA1 |
PPPoE, PPPoE Lease | Yes | Yes | HA1 |
DHCP Client Settings and Lease | Yes | Yes | HA1 |
SSL VPN Logged-in User List | Yes | Yes | HA1 |
Forward Information Base (FIB) | Yes | Yes | HA1 |

Dataplane
Session Table | Yes | Yes | HA2 | Active/passive peers do not sync ICMP or host session information. Active/active peers do not sync host session, multicast session, or BFD session information.
ARP Table | Yes | No | HA2 | Upon upgrade to PAN-OS 7.1, the ARP table capacity automatically increases. To avoid a mismatch, upgrade both peers within a short period of time. As a best practice, clear the ARP cache (clear arp) on both peers prior to upgrading to PAN-OS 7.1.
Neighbor Discovery (ND) Table | Yes | No | HA2 |
MAC Table | Yes | No | HA2 |
IPSec Sequence Number (anti-replay) | Yes | Yes | HA2 |
DoS Protection | Yes | Yes | HA2 |
User to IP Address Mappings | Yes | Yes | HA2 |
Virtual MAC | Yes | Yes | HA2 |
Monitoring

In order to forestall potential issues, and accelerate incident response when needed, the firewall provides intelligence on traffic and user patterns and customizable and informative reports. The dashboard, Application Command Center (ACC), reports, and logs on the firewall allow you to monitor activity on your network. You can monitor the logs and filter the information to generate reports with predefined or customized views. You can, for example, use the predefined templates to generate reports on user activities, or analyze the reports and logs to interpret unusual behavior on your network and generate a custom report on the traffic pattern. For a visually engaging presentation of network activity, the dashboard and the ACC include widgets, charts, and tables that you can interact with to find information that you care about. In addition, you can configure the firewall to forward monitored information as email notifications, syslog messages, SNMP traps, and NetFlow records to external services.

- Use the Dashboard
- Use the Application Command Center
- App Scope
- Use the Automated Correlation Engine
- Take Packet Captures
- Monitor Applications and Threats
- Monitor and Manage Logs
- Manage Reporting
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
- Use Syslog for Monitoring
- SNMP Monitoring and Traps
- NetFlow Monitoring
UsetheDashboard
Monitoring
UsetheDashboard
TheDashboardtabwidgetsshowgeneralfirewallinformation,suchasthesoftwareversion,theoperational
status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. All of the available widgets are displayed by default, but each administrator can remove and add individual widgets as needed. Click the refresh icon to update the dashboard or an individual widget. To change the automatic refresh interval, select an interval from the drop-down (1 min, 2 mins, 5 mins, or Manual). To add a widget to the dashboard, click the widget drop-down, select a category and then the widget name. To delete a widget, click the close icon in the title bar. The following table describes the dashboard widgets.

Dashboard Charts: Descriptions

Top Applications: Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk, from green (lowest) to red (highest). Click an application to view its application profile.

Top High Risk Applications: Similar to Top Applications, except that it displays the highest-risk applications with the most sessions.

General Information: Displays the firewall name, model, PAN-OS software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.

Interface Status: Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

Threat Logs: Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or a URL that violates the URL filtering profile.

Config Logs: Displays the administrator username, client (Web or CLI), and date and time for the last 10 entries in the Configuration log.

Data Filtering Logs: Displays the description and date and time for the last 60 minutes in the Data Filtering log.

URL Filtering Logs: Displays the description and date and time for the last 60 minutes in the URL Filtering log.

System Logs: Displays the description and date and time for the last 10 entries in the System log. A "Config installed" entry indicates that configuration changes were committed successfully.

System Resources: Displays the Management CPU usage, Data Plane usage, and the Session Count, which is the number of sessions established through the firewall.

Logged In Admins: Displays the source IP address, session type (Web or CLI), and session start time for each administrator who is currently logged in.

ACC Risk Factor: Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher values indicate higher risk.

High Availability: If high availability (HA) is enabled, indicates the HA status of the local and peer firewall: green (active), yellow (passive), or black (other). For more information about HA, see High Availability.

Locks: Shows configuration locks taken by administrators.
Use the Application Command Center
The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic patterns and actionable information on threats. The ACC layout includes a tabbed view of network activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better visualization of network traffic. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, so that you can uncover anomalies or find ways to enhance your network security rules. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.

ACC First Look
ACC Tabs
ACC Widgets (Widget Descriptions)
ACC Filters
Interact with the ACC
Use Case: ACC Path of Information Discovery
ACC First Look

Take a quick tour of the ACC.

Tabs: The ACC includes three predefined tabs that provide visibility into network traffic, threat activity, and blocked activity. For information on each tab, see ACC Tabs.

Widgets: Each tab includes a default set of widgets that best represent the events and trends associated with the tab. The widgets allow you to survey the data using the following filters:
bytes (in and out)
sessions
content (files and data)
URL categories
threats (and count)
For information on each widget, see ACC Widgets.

Time: The charts or graphs in each widget provide a summary and historic view. You can choose a custom range or use the predefined time periods, which range from the last 15 minutes up to the last 30 days or the last 30 calendar days. The selected time period applies across all tabs in the ACC. By default, the time period used to render data is the Last Hour, updated in 15-minute intervals. The date and time interval are displayed on screen; for example, at 11:40 the time range is 01/12 10:30:00 to 01/12 11:29:59.

Global Filters: The Global Filters allow you to set the filter across all widgets and all tabs. The charts and graphs apply the selected filters before rendering the data. For information on using the filters, see ACC Filters.

Risk Factor: The risk factor (1 = lowest to 5 = highest) indicates the relative risk based on the applications used on your network. The risk factor uses a variety of factors to assess the associated risk levels, such as whether the application can share files, is prone to misuse, or tries to evade firewalls. It also factors in the threat activity and malware seen on the network, as measured by the number of blocked threats, compromised hosts, or traffic to malware hosts and domains.

Source: The data segment used for the display. The options vary on the firewall and on Panorama.
On the firewall, if enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include all virtual systems or just a selected virtual system.
On Panorama, you can select the Device Group drop-down to change the ACC display to include all device groups or just a selected device group.
Additionally, on Panorama, you can change the Data Source to Panorama data or Remote Device Data. Remote Device Data is only available when all the managed firewalls are on PAN-OS 7.0.0 or later. When you filter the display for a specific device group, Panorama data is used as the data source.

Export: You can export the widgets displayed in the currently selected tab as a PDF. The PDF is downloaded and saved to the downloads folder associated with your web browser, on your computer.
ACC Tabs

The ACC includes the following predefined tabs for viewing network activity, threat activity, and blocked activity.

Network Activity: Displays an overview of traffic and user activity on your network, including:
Top applications in use
Top users who generate traffic (with a drill-down into the bytes, content, threats, or URLs accessed by the user)
Most used security rules against which traffic matches occur
In addition, you can also view network activity by source or destination zone, region, or IP address, ingress or egress interfaces, and GlobalProtect host information such as the operating systems of the devices most commonly used on the network.

Threat Activity: Displays an overview of the threats on the network, focusing on the top threats: vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire submissions by file type and application, and applications that use non-standard ports. The Compromised Hosts widget in this tab (the widget is supported on some platforms only) supplements detection with better visualization techniques; it uses the information from the correlated events tab (Automated Correlation Engine > Correlated Events) to present an aggregated view of compromised hosts on your network by source users/IP addresses, sorted by severity.

Blocked Activity: Focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you to view activity denied by application name, user name, or threat name, and blocked content (files and data that were blocked by a file blocking profile). It also lists the top security rules that were matched on to block threats, content, and URLs.

You can also Interact with the ACC to create customized tabs with custom layouts and widgets that meet your network monitoring needs.
ACC Widgets

The widgets on each tab are interactive; you can set the ACC Filters and drill down into the details for each table or graph, or customize the widgets included in the tab to focus on the information you need. For details on what each widget displays, see Widget Descriptions.

View: You can sort the data by bytes, sessions, threats, count, content, URLs, malicious, benign, files, data, profiles, or objects. The available options vary by widget.

Graph: The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked bar graph, and map. The available options vary by widget; the interaction experience also varies with each graph type. For example, the widget for Applications Using Non Standard Ports allows you to choose between a treemap and a line graph. To drill down into the display, click into the graph. The area you click into becomes a filter and allows you to zoom in to the selection and view more granular information on the selection.

Table: The detailed view of the data used to render the graph is provided in a table below the graph. You can interact with the table in several ways:
Click and set a local filter for an attribute in the table. The graph is updated and the table is sorted using the local filter. The information displayed in the graph and the table is always synchronized.
Hover over the attribute in the table and use the options available in the drop-down.

Actions:
Maximize view: Allows you to enlarge the widget and view the table in a larger screen space with more viewable information.
Set up local filters: Allows you to add ACC Filters to refine the display within the widget. Use these filters to customize the widgets; these customizations are retained between logins.
Jump to logs: Allows you to directly navigate to the logs (Monitor > Logs > Log type tab). The logs are filtered using the time period for which the graph is rendered. If you have set local and global filters, the log query concatenates the time period and the filters and only displays logs that match the combined filter set.
Export: Allows you to export the graph as a PDF. The PDF is downloaded and saved on your computer, in the Downloads folder associated with your web browser.
Widget Descriptions

Each tab on the ACC includes a different set of widgets.

Network Activity: Displays an overview of traffic and user activity on your network.

Application Usage: The table displays the top ten applications used on your network; all the remaining applications used on the network are aggregated and displayed as "other". The graph displays all applications by application category, subcategory, and application. Use this widget to scan for applications being used on the network; it shows you the predominant applications by bandwidth, session count, file transfers, threats triggered, and URLs accessed.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, area, column, line (the charts vary by the sort-by attribute selected)

User Activity: Displays the top ten most active users on the network, the users who have generated the largest volume of traffic and consumed network resources to obtain content. Use this widget to monitor top users by usage, sorted on bytes, sessions, threats, content (files and patterns), and URLs visited.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source IP Activity: Displays the top ten IP addresses or hostnames of the devices that have initiated activity on the network. All other devices are aggregated and displayed as "other".
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Destination IP Activity: Displays the IP addresses or hostnames of the top ten destinations that were accessed by users on the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source Regions: Displays the top ten regions (built-in or custom-defined regions) around the world from where users initiated activity on your network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: map, bar

Destination Regions: Displays the top ten destination regions (built-in or custom-defined regions) on the world map from where content is being accessed by users on the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: map, bar

GlobalProtect Host Information: Displays information on the state of the hosts on which the GlobalProtect agent is running; the host system is a GlobalProtect client. This information is sourced from entries in the HIP Match log, which are generated when the data submitted by the GlobalProtect agent matches a HIP object or a HIP profile you have defined on the firewall. If you do not have HIP Match logs, this widget is blank. To learn how to create HIP objects and HIP profiles and use them as policy match criteria, see Configure HIP-Based Policy Enforcement.
Sort attributes: profiles, objects, operating systems
Charts available: bar

Rule Usage: Displays the top ten rules that have allowed the most traffic on the network. Use this widget to view the most commonly used rules, monitor the usage patterns, and assess whether the rules are effective in securing your network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line

Ingress Interfaces: Displays the firewall interfaces that are most used for allowing traffic into the network.
Sort attributes: bytes, bytes sent, bytes received
Charts available: line

Egress Interfaces: Displays the firewall interfaces that are most used by traffic exiting the network.
Sort attributes: bytes, bytes sent, bytes received
Charts available: line

Source Zones: Displays the zones that are most used for allowing traffic into the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line

Destination Zones: Displays the zones that are most used by traffic going outside the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line
Threat Activity: Displays an overview of the threats on the network.

Compromised Hosts: Displays the hosts that are likely compromised on your network. This widget summarizes the events from the correlation logs. For each source user/IP address, it includes the correlation object that triggered the match and the match count, which is aggregated from the match evidence collated in the correlated events logs. For details, see Use the Automated Correlation Engine.
Available on the PA-3000 Series, PA-5000 Series, PA-7000 Series, and Panorama.
Sort attributes: severity (by default)

Hosts Visiting Malicious URLs: Displays the frequency with which hosts (IP addresses/hostnames) on your network have accessed malicious URLs. These URLs are known to be malware based on categorization in PAN-DB.
Sort attributes: count
Charts available: line

Threat Activity: Displays the threats seen on your network. This information is based on signature matches in Antivirus, Anti-Spyware, and Vulnerability Protection profiles and viruses reported by WildFire.
Sort attributes: threats
Charts available: bar, area, column

WildFire Activity by Application: Displays the applications that generated the most WildFire submissions. This widget uses the malicious and benign verdicts from the WildFire Submissions log.
Sort attributes: malicious, benign
Charts available: bar, line

WildFire Activity by File Type: Displays the threat vector by file type. This widget displays the file types that generated the most WildFire submissions and uses the malicious and benign verdicts from the WildFire Submissions log. If this data is unavailable, the widget is empty.
Sort attributes: malicious, benign
Charts available: bar, line

Applications Using Non Standard Ports: Displays the applications that are entering your network on non-standard ports. If you have migrated your firewall rules from a port-based firewall, use this information to craft policy rules that allow traffic only on the default port for the application. Where needed, make an exception to allow traffic on a non-standard port or create a custom application.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line

Rules Allowing Applications On Non Standard Ports: Displays the security policy rules that allow applications on non-default ports. The graph displays all the rules, while the table displays the top ten rules and aggregates the data from the remaining rules as "other". This information helps you identify gaps in network security by allowing you to assess whether an application is hopping ports or sneaking into your network. For example, you can validate whether you have a rule that allows traffic on any port except the default port for the application. Say, for example, you have a rule that allows DNS traffic on its application-default port (port 53 is the standard port for DNS). This widget will display any rule that allows DNS traffic into your network on any port except port 53.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line

Blocked Activity: Focuses on traffic that was prevented from coming into the network.

Blocked Application Activity: Displays the applications that were denied on your network, and allows you to view the threats, content, and URLs that you kept out of your network.
Sort attributes: threats, content, URLs
Charts available: treemap, area, column

Blocked User Activity: Displays user requests that were blocked by a match on an antivirus, anti-spyware, file blocking, or URL filtering profile attached to a security policy rule.
Sort attributes: threats, content, URLs
Charts available: bar, area, column

Blocked Threats: Displays the threats that were successfully denied on your network. These threats were matched on antivirus signatures, vulnerability signatures, and DNS signatures available through the dynamic content updates on the firewall.
Sort attributes: threats
Charts available: bar, area, column

Blocked Content: Displays the files and data that were blocked from entering the network. The content was blocked because security policy denied access based on criteria defined in a File Blocking security profile or a Data Filtering security profile.
Sort attributes: files, data
Charts available: bar, area, column
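The two non-standard-port widgets above are built on one comparison: the destination port of a session against the application-default port of the App-ID the firewall identified. The following Python script, added here as an example and not part of PAN-OS or of this guide, performs that classification over a handful of constructed traffic-log records, totals the offending sessions per security rule the way the Rules Allowing Applications On Non Standard Ports widget does, and emits the hardening change the text recommends (restrict the rule to the application-default port). The default-port table, the field names, the rule names and the log records are all constructed; the `set rulebase security rules ... service application-default` line is the configure-mode form of that change as I recall it and should be checked against the CLI reference before use.

```python
"""Flag sessions whose port differs from the application's default port and
summarise them per security rule. Added example; not PAN-OS code. The
default-port table, field names, rule names and log records are constructed."""
from collections import defaultdict

# Constructed subset of application-default ports. The authoritative mapping is
# the App-ID database on the firewall; these entries exist only for this example.
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "imap": {("tcp", 143)},
    "ssl": {("tcp", 443)},
    "web-browsing": {("tcp", 80)},
}

# Constructed traffic-log records (a few of the fields a PAN-OS traffic log carries).
TRAFFIC_LOG = [
    {"app": "dns", "proto": "udp", "dport": 53, "rule": "allow-dns", "bytes": 512, "src": "10.1.1.5"},
    {"app": "dns", "proto": "udp", "dport": 5353, "rule": "allow-any-out", "bytes": 2048, "src": "10.1.1.7"},
    {"app": "imap", "proto": "tcp", "dport": 143, "rule": "allow-mail", "bytes": 90000, "src": "10.1.1.9"},
    {"app": "imap", "proto": "tcp", "dport": 43206, "rule": "allow-any-out", "bytes": 150000, "src": "10.1.1.12"},
    {"app": "web-browsing", "proto": "tcp", "dport": 8080, "rule": "allow-web", "bytes": 4096, "src": "10.1.1.3"},
    {"app": "unknown-tcp", "proto": "tcp", "dport": 4444, "rule": "allow-any-out", "bytes": 10, "src": "10.1.1.3"},
]


def is_non_standard(rec):
    """True when the App-ID has known default ports and the session used another one.
    Apps with no entry (unknown-tcp here) are not flagged: there is no default to compare with."""
    defaults = APP_DEFAULT_PORTS.get(rec["app"])
    if defaults is None:
        return False
    return (rec["proto"], rec["dport"]) not in defaults


def non_standard_port_sessions(log):
    """The 'Applications Using Non Standard Ports' view: every flagged session."""
    return [r for r in log if is_non_standard(r)]


def rules_allowing_non_standard(log, sort_by="sessions"):
    """Per-rule totals of flagged sessions, ranked by sessions or bytes like the widget."""
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0, "apps": set()})
    for r in non_standard_port_sessions(log):
        t = totals[r["rule"]]
        t["sessions"] += 1
        t["bytes"] += r["bytes"]
        t["apps"].add(r["app"])
    return sorted(totals.items(), key=lambda kv: kv[1][sort_by], reverse=True)


def suggested_rule_fix(rule, apps):
    """Hardening change implied by the guide: pin the rule's service to application-default.
    Assumed configure-mode CLI form; verify against the PAN-OS CLI reference."""
    return (f"set rulebase security rules {rule} service application-default"
            f"  # apps seen on non-default ports: {', '.join(sorted(apps))}")


if __name__ == "__main__":
    for rule, t in rules_allowing_non_standard(TRAFFIC_LOG):
        print(f"{rule}: {t['sessions']} sessions, {t['bytes']} bytes, apps {sorted(t['apps'])}")
        print("   ", suggested_rule_fix(rule, t["apps"]))
```

The rule that surfaces first is the permissive one: a single "allow-any-out" rule carries both the DNS-on-5353 and the imap-on-43206 sessions, which is exactly the port-hopping the widget is meant to expose. Sessions the firewall could not identify (unknown-tcp) are deliberately left out of this view; they deserve their own review, but they are not evidence of an application running off its default port.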
ACC Filters

The graphs and tables on the ACC widgets allow you to use filters to narrow the scope of the data that is displayed, so that you can isolate specific attributes and analyze the information you want to view in greater detail. The ACC supports the simultaneous use of widget and global filters.

Widget Filters: Apply a widget filter, which is a filter that is local to a specific widget. A widget filter allows you to interact with the graph and customize the display so that you can drill down into the details and access the information you want to monitor on a specific widget. To create a widget filter that is persistent across reboots, you must use the Set Local Filter option.

Global filters: Apply global filters across all the tabs in the ACC. A global filter allows you to pivot the display around the details you care about right now and exclude the unrelated information from the current display. For example, to view all events relating to a specific user and application, you can apply the username and the application as global filters and view only information pertaining to that user and application through all the tabs and widgets on the ACC. Global filters are not persistent.
You can apply global filters in three ways:
Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
Add a widget filter to a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget and apply the attribute globally to update the display across all the tabs on the ACC.
Define a global filter: Define a filter using the Global Filters pane on the ACC.
See Interact with the ACC for details on using these filters.
Interact with the ACC

To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and global filters, and interact with the widgets.

Work with the Tabs and Widgets

Add a tab.
1. Select the add icon along the list of tabs.
2. Add a View Name. This name will be used as the name for the tab. You can add up to five tabs.

Edit a tab.
Select the tab, and click the pencil icon next to the tab name to edit the tab. Editing a tab allows you to add, delete, or reset the widgets that are displayed in the tab. You can also change the widget layout in the tab.

See what widgets are included in a tab.
1. Select the tab, and click the pencil icon to edit it.
2. The workspace section of the tab lists the widgets it includes.

Add a widget or a widget group.
1. Add a new tab or edit a predefined tab.
2. Select Add Widget, and then select the check box that corresponds to the widget you want to add. You can select up to a maximum of 12 widgets.
3. (Optional) To create a 2-column layout, select Add Widget Group. You can drag and drop widgets into the 2-column display. As you drag the widget into the layout, a placeholder is displayed for you to drop the widget. You cannot name a widget group.

Delete a tab or a widget group/widget.
1. To delete a custom tab, select the tab and click the X icon. You cannot delete a predefined tab.
2. To delete a widget group/widget, edit the tab and, in the workspace section, click the [X] icon on the right. You cannot undo a deletion.

Reset the default widgets in a tab.
On a predefined tab, such as the Blocked Activity tab, you can delete one or more widgets. If you want to reset the layout to include the default set of widgets for the tab, edit the tab and click Reset View.

Zoom in on the details in an area, column, or line graph.
Click and drag an area in the graph to zoom in. For example, when you zoom in to a line graph, it triggers a re-query and the firewall fetches the data for the selected time period. It is not a mere magnification.

Use the table drop-down to find more information on an attribute.
1. Hover over an attribute in a table to see the drop-down.
2. Click into the drop-down to view the available options:
Global Find: Use Global Find to search the firewall or Panorama management server for references to the attribute (username/IP address, object name, policy rule name, threat ID, or application name) anywhere in the candidate configuration.
Value: Displays the details of the threat ID, application name, or address object.
Who Is: Performs a domain name (WHOIS) lookup for the IP address. The lookup queries databases that store the registered users or assignees of an Internet resource.
Search HIP Report: Uses the username or IP address to find matches in a HIP Match report.

Set a widget filter.
1. Select a widget and click the filter icon.
2. Click the add icon to add the filters you want to apply.
3. Click Apply. These filters are persistent across reboots. The active widget filters are indicated next to the widget name.
You can also click an attribute in the table (below the graph) to apply it as a widget filter.

Negate a widget filter.
1. Click the filter icon to display the Setup Local Filters dialog.
2. Add a filter, and then click the negate icon.

Set a global filter from a table.
Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute.

Set a global filter using the Global Filters pane.
1. Locate the Global Filters pane on the left side of the ACC.
2. Click the add icon to view the list of filters you can apply.

Promote a widget filter to a global filter.
1. On any table in a widget, click the link for an attribute. This sets the attribute as a widget filter.
2. To promote the filter to a global filter, select the arrow to the right of the filter.

Remove a filter.
Click the remove icon to remove a filter.
For global filters: the icon is located in the Global Filters pane.
For widget filters: click the filter icon to display the Setup Local Filters dialog, then select the filter, and click the remove icon.

Clear all filters.
For global filters: click the Clear All button under Global Filters.
For widget filters: select a widget and click the filter icon. Then click the Clear All button in the Setup Local Filters dialog.

See what filters are in use.
For global filters: the number of global filters applied is displayed on the left pane under Global Filters.
For widget filters: the number of widget filters applied on a widget is displayed next to the widget name. To view the filters, click the filter icon.

Reset the display on a widget.
If you set a widget filter or drill into a graph, click the Home link to reset the display in the widget.
Use Case: ACC Path of Information Discovery

The ACC has a wealth of information that you can use as a starting point for analyzing network traffic. Let's look at an example of using the ACC to uncover events of interest. This example illustrates how you can use the ACC to ensure that legitimate users can be held accountable for their actions, detect and track unauthorized activity, and detect and diagnose compromised hosts and vulnerable systems on your network.

The widgets and filters in the ACC give you the capability to analyze the data and filter the views based on events of interest or concern. You can trace events that pique your interest, directly export a PDF of a tab, access the raw logs, and save a personalized view of the activity that you want to track. These capabilities make it possible for you to monitor activity and develop policies and countermeasures for fortifying your network against malicious activity. In this section, you will Interact with the ACC widgets across different tabs, drill down using widget filters, pivot the ACC views using global filters, and export a PDF for sharing with incident response or IT teams.

At first glance, you see the Application Usage and User Activity widgets in the ACC > Network Activity tab. The User Activity widget shows that user Marsha Wirth has transferred 718 Megabytes of data during the last hour. This volume is nearly six times more than any other user on the network. To see the trend over the past few hours, expand the Time period to the Last 6 Hrs; now Marsha's activity has been 6.5 Gigabytes over 891 sessions and has triggered 38 threat signatures.

Because Marsha has transferred a large volume of data, apply her username as a global filter (ACC Filters) and pivot all the views in the ACC to Marsha's traffic activity.

The Application Usage widget now shows that the top application that Marsha used was rapidshare, a Swiss-owned file hosting site that belongs to the file-sharing URL category. For further investigation, add rapidshare as a global filter, and view Marsha's activity in the context of rapidshare.

Consider whether you want to sanction rapidshare for company use. Should you allow uploads to this site, and do you need a QoS policy to limit bandwidth?

To view which IP addresses Marsha has communicated with, check the Destination IP Activity widget, and view the data by bytes and by URLs.

To know which countries Marsha communicated with, sort on sessions in the Destination Regions widget. From this data, you can confirm that Marsha, a user on your network, has established sessions in Korea and the European Union, and that she logged 19 threats in her sessions within the United States.

To look at Marsha's activity from a threat perspective, remove the global filter for rapidshare. In the Threat Activity widget on the Threat Activity tab, view the threats. The widget shows that her activity triggered a match for 26 vulnerabilities in the overflow, DoS, and code execution threat categories. Several of these vulnerabilities are of critical severity.

To further drill down into each vulnerability, click into the graph and narrow the scope of your investigation. Each click automatically applies a local filter on the widget.

Notice that this Microsoft code execution vulnerability was triggered over email, by the imap application. You can now establish that Marsha's host has been targeted with IE exploits and email attachment exploits, and perhaps her computer needs to be patched. Keep in mind that a vulnerability signature match records an exploit attempt against the host, not confirmation that the host is vulnerable; check the patch level before concluding that it is. You can now navigate to the Blocked Threats widget in the Blocked Activity tab to check how many of these vulnerabilities were blocked.

Or, you can check the Rule Usage widget on the Network Activity tab to discover how many vulnerabilities made it into your network and which security rule allowed this traffic, and navigate directly to the security rule using the Global Find capability.

Then, drill into why imap used a non-standard port, 43206, instead of port 143, which is the default port for the application. Consider modifying the security policy rule to allow applications to use only the default port for the application, or assess whether this port should be an exception on your network.

To review whether any threats were logged over imap, check Marsha's activity in the WildFire Activity by Application widget in the Threat Activity tab. You can confirm that Marsha had no malicious activity, but to verify that no other user was compromised by the imap application, negate Marsha as a global filter and look for other users who triggered threats over imap.

Click into the bar for imap in the graph and drill into the inbound threats associated with the application. To find out who an IP address is registered to, hover over the attacker IP address and select the Who Is link in the drop-down.

Click the Jump to logs icon to jump to the logs; the query is generated automatically and only the relevant logs are displayed on screen (for example, in Monitor > Logs > Threat Logs).

You have now used the ACC to review network data and trends to find which applications or users are generating the most traffic, and which applications are responsible for the threats seen on the network. You were able to identify which application(s) and user(s) generated the traffic, determine whether the application was on the default port and which policy rule(s) allowed the traffic into the network, and determine whether the threat is spreading laterally on the network. You also identified the destination IP addresses and geolocations with which hosts on the network are communicating. Use the conclusions from your investigation to craft goal-oriented policies that can secure users and your network.
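The investigation above is a sequence of filter operations: widen the time period, add a global filter on the user, add and then remove a global filter on the application, negate the user filter while setting a local filter on imap, and finally jump to the logs with the combined query. The script below, an added example rather than anything from the guide or from PAN-OS, models that filter algebra over constructed log records with constructed field names (user, app, bytes, dport, dst_region, threat_id): the time period and every global and local filter are ANDed, the same way the Jump to logs action concatenates them, and `top()` produces a widget's ranked view for a chosen sort attribute. The log-query string that `log_query()` builds is an assumption about the Monitor > Logs filter syntax, not something the guide states, and the byte counts are chosen only to echo the numbers in the walkthrough.

```python
"""ACC-style filtering over constructed log records: time period AND global
filters AND widget-local filters, plus a ranked 'top N by attribute' view.
Added example; not PAN-OS code. Field names, records and the log-query
syntax are constructed or assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2016, 1, 12, 11, 40)  # constructed "current time"


def rec(minutes_ago, user, app, nbytes, dport, dst_region, threat_id=None):
    """Build one constructed traffic/threat record."""
    return {"time": NOW - timedelta(minutes=minutes_ago), "user": user, "app": app,
            "bytes": nbytes, "dport": dport, "dst_region": dst_region, "threat_id": threat_id}


LOG = [  # constructed records; threat_id set only where a threat signature matched
    rec(10, "marsha.wirth", "rapidshare", 400_000_000, 443, "CH"),
    rec(25, "marsha.wirth", "rapidshare", 318_000_000, 443, "CH"),
    rec(70, "marsha.wirth", "imap", 5_000_000, 43206, "US", threat_id=30567),
    rec(200, "marsha.wirth", "imap", 2_000_000, 43206, "US", threat_id=30567),
    rec(15, "bob.lee", "web-browsing", 120_000_000, 80, "US"),
    rec(300, "bob.lee", "imap", 1_000_000, 43206, "KR", threat_id=30567),
    rec(30, "ann.ray", "ssl", 90_000_000, 443, "US"),
]


class Filter:
    """One ACC filter: attribute equals value, optionally negated."""

    def __init__(self, attr, value, negate=False):
        self.attr, self.value, self.negate = attr, value, negate

    def match(self, r):
        hit = r[self.attr] == self.value
        return not hit if self.negate else hit

    def __str__(self):
        op = "neq" if self.negate else "eq"
        return f"({self.attr} {op} '{self.value}')"


def select(log, period_minutes, global_filters=(), local_filters=()):
    """Records inside the time period that satisfy every global AND local filter."""
    start = NOW - timedelta(minutes=period_minutes)
    return [r for r in log if r["time"] >= start
            and all(f.match(r) for f in (*global_filters, *local_filters))]


def log_query(period_minutes, global_filters=(), local_filters=()):
    """The concatenated query 'Jump to logs' would carry. Syntax is assumed, not from the guide."""
    start = NOW - timedelta(minutes=period_minutes)
    parts = [f"(receive_time geq '{start:%Y/%m/%d %H:%M:%S}')"]
    parts += [str(f) for f in (*global_filters, *local_filters)]
    return " and ".join(parts)


def top(log, key, by="bytes"):
    """Widget view: rank the values of `key` (user, app, dst_region...) by bytes, sessions or threats."""
    agg = defaultdict(int)
    for r in log:
        if by == "bytes":
            agg[r[key]] += r["bytes"]
        elif by == "sessions":
            agg[r[key]] += 1
        elif by == "threats":
            agg[r[key]] += 1 if r["threat_id"] else 0
    return sorted(agg.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("last hour, users by bytes:", top(select(LOG, 60), "user"))
    marsha = [Filter("user", "marsha.wirth")]
    print("Marsha, 6 hrs, apps by bytes:", top(select(LOG, 360, marsha), "app"))
    not_marsha = [Filter("user", "marsha.wirth", negate=True)]
    print("everyone else over imap:", top(select(LOG, 360, not_marsha, [Filter("app", "imap")]), "user", "threats"))
    print("jump-to-logs query:", log_query(60, marsha))
```

The negated global filter combined with a local imap filter is the lateral-movement check from the walkthrough: it answers "who else triggered threats over imap" without touching the other widgets' local filters. Because every filter is ANDed, a negated global filter and a positive local filter on the same attribute would simply return nothing, which is also how the ACC behaves and is worth remembering when a widget goes blank after a pivot.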
App Scope
The App Scope reports provide visibility and analysis tools to help pinpoint problematic behavior, helping you understand changes in application usage and user activity, the users and applications that take up most of the network bandwidth, and identify network threats.

With the App Scope reports, you can quickly see if any behavior is unusual or unexpected. Each report provides a dynamic, user-customizable window into the network; hovering the mouse over and clicking either the lines or bars on the charts opens detailed information about the specific application, application category, user, or source on the ACC. The App Scope charts on Monitor > App Scope give you the ability to:
Toggle the attributes in the legend to view only the chart details that you want to review. The ability to include or exclude data from the chart allows you to change the scale and review details more closely.
Click into an attribute in a bar chart and drill down to the related sessions in the ACC. Click into an Application name, Application Category, Threat Name, Threat Category, Source IP address, or Destination IP address on any bar chart to filter on the attribute and view the related sessions in the ACC.
Export a chart or map to PDF or as an image. For portability and offline viewing, you can Export charts and maps as PDFs or PNG images.

The following App Scope reports are available:
Summary Report
Change Monitor Report
Threat Monitor Report
Threat Map Report
Network Monitor Report
Traffic Map Report
Summary Report

The App Scope Summary report (Monitor > App Scope > Summary) displays charts for the top five gainers, losers, and bandwidth-consuming applications, application categories, users, and sources.
Change Monitor Report

The App Scope Change Monitor report (Monitor > App Scope > Change Monitor) displays changes over a specified time period. For example, the following chart displays the top applications that gained in use over the last hour as compared with the last 24-hour period. The top applications are determined by session count and sorted by percent.

The Change Monitor report contains the following buttons and options.

Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Gainers: Displays measurements of items that have increased over the measured period.
Losers: Displays measurements of items that have decreased over the measured period.
New: Displays measurements of items that were added over the measured period.
Dropped: Displays measurements of items that were discontinued over the measured period.
Filter: Applies a filter to display only the selected item. None displays all entries.
Sessions/Bytes: Determines whether to display session or byte information.
Sort: Determines whether to sort entries by percentage or raw growth.
Export: Exports the graph as a .png image or as a PDF.
Compare: Specifies the period over which the change measurements are taken.
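Gainers, losers, new and dropped are four readings of the same comparison: a current-period count against a comparison-period count for each item, ranked either by percentage or by raw growth. The function below, an added example and not PAN-OS code, computes all four for constructed per-application session counts. The guide does not say how the firewall makes a 1-hour window comparable with a 24-hour Compare period; the example scales the 24-hour baseline to an hourly rate, which is one reasonable choice and is the example's own assumption.

```python
"""Change Monitor arithmetic on constructed session counts: classify each item
as gainer, loser, new or dropped and rank by percent or raw growth.
Added example; not PAN-OS code. Counts and the normalisation are constructed."""

# Constructed per-application session counts for the last hour and the last 24 hours.
LAST_HOUR = {"web-browsing": 900, "ssl": 1200, "rapidshare": 891, "imap": 120, "bittorrent": 40}
LAST_24H = {"web-browsing": 24_000, "ssl": 26_400, "imap": 3_600, "dns": 2_400}


def hourly_rate(counts_24h):
    """Scale a 24-hour baseline to a per-hour rate (assumption: the guide does not specify this)."""
    return {item: n / 24 for item, n in counts_24h.items()}


def change_monitor(current, baseline, sort="percent", top=10):
    """Return {'gainers', 'losers', 'new', 'dropped'}, each a list of
    (item, current, baseline, delta, pct) tuples limited to `top` entries.
    sort='percent' ranks by percentage change, anything else by raw delta."""
    rows = []
    for item in set(current) | set(baseline):
        cur, base = current.get(item, 0), baseline.get(item, 0)
        delta = cur - base
        pct = (delta / base * 100) if base else None  # undefined when there is no baseline
        rows.append((item, cur, base, delta, pct))

    if sort == "percent":
        key = lambda r: r[4] if r[4] is not None else float("inf")
    else:
        key = lambda r: r[3]

    seen_both = [r for r in rows if r[1] and r[2]]  # present in both periods
    return {
        "gainers": sorted([r for r in seen_both if r[3] > 0], key=key, reverse=True)[:top],
        "losers": sorted([r for r in seen_both if r[3] < 0], key=key)[:top],
        "new": sorted([r for r in rows if r[2] == 0 and r[1] > 0], key=lambda r: r[1], reverse=True)[:top],
        "dropped": sorted([r for r in rows if r[1] == 0 and r[2] > 0], key=lambda r: r[2], reverse=True)[:top],
    }


if __name__ == "__main__":
    for bucket, entries in change_monitor(LAST_HOUR, hourly_rate(LAST_24H)).items():
        print(bucket)
        for item, cur, base, delta, pct in entries:
            print(f"  {item:14} now {cur:7.0f}  baseline {base:7.1f}  delta {delta:+8.1f}"
                  + (f"  ({pct:+.1f}%)" if pct is not None else "  (new)"))
```

Sorting by percent and sorting by raw growth can reorder the list, as the losers here show: web-browsing lost the most sessions in absolute terms, but imap lost the larger share of its usual volume. The new and dropped buckets are what a reviewer should look at first after a policy change, because an application that appears from nowhere (rapidshare, bittorrent) or one that vanishes (dns) is a more likely sign of a misapplied rule than a 10 percent swing on an established one.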
Threat Monitor Report

The App Scope Threat Monitor report (Monitor > App Scope > Threat Monitor) displays a count of the top threats over the selected time period. For example, the following figure shows the top 10 threat types over the last 6 hours.

Each threat type is color-coded as indicated in the legend below the chart. The Threat Monitor report contains the following buttons and options.

Top 10: Determines the number of records with the highest measurement included in the chart.
Threats: Determines the type of item measured: Threat, Threat Category, Source, or Destination.
Filter: Applies a filter to display only the selected type of items.
Chart type: Determines whether the information is presented in a stacked column chart or a stacked area chart.
Export: Exports the graph as a .png image or as a PDF.
Time period: Specifies the period over which the measurements are taken.
Threat Map Report

The App Scope Threat Map report (Monitor > App Scope > Threat Map) shows a geographical view of threats, including severity. Each threat type is color-coded as indicated in the legend below the chart.

The firewall uses geolocation for creating threat maps. If you have not specified the geolocation coordinates (Device > Setup > Management, General Settings section) on the firewall, the firewall is placed at the bottom of the threat map screen.

The Threat Map report contains the following buttons and options.

Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming threats: Displays incoming threats.
Outgoing threats: Displays outgoing threats.
Filter: Applies a filter to display only the selected type of items.
Zoom: Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
Time period: Indicates the period over which the measurements are taken.
Network Monitor Report

The App Scope Network Monitor report (Monitor > App Scope > Network Monitor) displays the bandwidth dedicated to different network functions over the specified period of time. Each network function is color-coded as indicated in the legend below the chart. For example, the image below shows application bandwidth for the past 7 days based on session information.

The Network Monitor report contains the following buttons and options.

Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Filter: Applies a filter to display only the selected item. None displays all entries.
Sessions/Bytes: Determines whether to display session or byte information.
Export: Exports the graph as a .png image or as a PDF.
Chart type: Determines whether the information is presented in a stacked column chart or a stacked area chart.
Time period: Indicates the period over which the measurements are taken.
Traffic Map Report
The App Scope Traffic Map report (Monitor > App Scope > Traffic Map) shows a geographical view of traffic flows according to sessions or flows.
The firewall uses geolocation for creating traffic maps. The firewall is placed at the bottom of the traffic map screen if you have not specified the geolocation coordinates (Device > Setup > Management, General Settings section) on the firewall.
Each traffic type is color-coded as indicated in the legend below the chart. The Traffic Map report contains the following buttons and options.
Buttons: Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming threats: Displays incoming threats.
Outgoing threats: Displays outgoing threats.
(icon button): Determines whether to display session or byte information.
(icon button): Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
(icon button): Indicates the period over which the change measurements are taken.
Use the Automated Correlation Engine
The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on your network. The engine correlates a series of related threat events that, when combined, indicate a likely compromised host on your network or some other higher-level conclusion. It pinpoints areas of risk, such as compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns and, when a match occurs, it generates a correlated event.
The automated correlation engine is supported on the following platforms:
Panorama M-Series appliance and the virtual appliance
PA-7000 Series firewall
PA-5000 Series firewall
PA-3000 Series firewall
Automated Correlation Engine Concepts
View the Correlated Objects
Interpret Correlated Events
Use the Compromised Hosts Widget in the ACC
Automated Correlation Engine Concepts
The automated correlation engine uses correlation objects to analyze the logs for patterns and, when a match occurs, it generates a correlated event.
Correlation Object
Correlated Events
Correlation Object
A correlation object is a definition file that specifies patterns to match against, the data sources to use for the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity. When the match conditions are met, a correlated event is logged.
A correlation object can connect isolated network events and look for patterns that indicate a more significant event. These objects identify suspicious traffic patterns and network anomalies, including suspicious IP activity, known command-and-control activity, known vulnerability exploits, or botnet activity that, when correlated, indicate with a high probability that a host on the network has been compromised.
Correlation objects are defined and developed by the Palo Alto Networks Threat Research team, and are delivered with the weekly dynamic updates to the firewall and Panorama. To obtain new correlation objects, the firewall must have a Threat Prevention license. Panorama requires a support license to get the updates.
The patterns defined in a correlation object can be static or dynamic. Correlated objects that include patterns observed in WildFire are dynamic, and can correlate malware patterns detected by WildFire with command-and-control activity initiated by a host that was targeted with the malware on your network. For example, when a host submits a file to the WildFire cloud and the verdict is malicious, the correlation object looks for other hosts or clients on the network that exhibit the same behavior seen in the cloud. If the malware sample had performed a DNS query and browsed to a malware domain, the correlation object will parse the logs for a similar event. When the activity on a host matches the analysis in the cloud, a high-severity correlated event is logged.
Correlated Events
A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. To Interpret Correlated Events and to view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
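The mechanics described above (ordered patterns over named log sources, a per-pattern threshold, a time window, and a Match Time that is later extended by an Update Time) as an added, runnable model; this is not Palo Alto Networks code, and the log records, the "Compromise Lifecycle" style object and its ID are constructed for illustration.

```python
"""Toy correlation engine modelling the concepts above: a correlation object is
an ordered set of patterns (boolean conditions over named log sources), each
with a threshold, that must all match for one host inside a time window.
Added example, not Palo Alto Networks code; records and object are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Constructed log records from three sources: threat, url (URL Filtering), traffic.
SAMPLE_LOGS = [
    {"ts": "2016-05-19 09:00:05", "source": "threat", "src": "10.1.1.20",
     "subtype": "scan", "name": "SCAN: TCP Port Scan"},
    {"ts": "2016-05-19 09:00:40", "source": "threat", "src": "10.1.1.20",
     "subtype": "scan", "name": "SCAN: Host Sweep"},
    {"ts": "2016-05-19 09:03:10", "source": "threat", "src": "10.1.1.20",
     "subtype": "vulnerability", "name": "exploit attempt (constructed)"},
    {"ts": "2016-05-19 09:07:30", "source": "url", "src": "10.1.1.20",
     "category": "malware", "url": "malicious.example/stage2"},
    {"ts": "2016-05-19 09:08:00", "source": "url", "src": "10.1.1.20",
     "category": "malware", "url": "malicious.example/beacon"},
    # Second host only scans, so the escalation never completes: no event.
    {"ts": "2016-05-19 09:01:00", "source": "threat", "src": "10.1.1.30",
     "subtype": "scan", "name": "SCAN: TCP Port Scan"},
    {"ts": "2016-05-19 09:01:30", "source": "threat", "src": "10.1.1.30",
     "subtype": "scan", "name": "SCAN: TCP Port Scan"},
    # Traffic-log noise that no pattern queries.
    {"ts": "2016-05-19 09:02:00", "source": "traffic", "src": "10.1.1.20", "app": "dns"},
]

@dataclass
class Pattern:
    description: str
    sources: List[str]                    # data sources (logs) this pattern queries
    condition: Callable[[dict], bool]     # boolean condition on one log record
    threshold: int = 1                    # matches needed inside the window

@dataclass
class CorrelationObject:
    object_id: int                        # placeholder; real IDs are in the 6000 series
    name: str
    severity: str
    window: timedelta
    patterns: List[Pattern]               # ordered: the escalation sequence

@dataclass
class CorrelatedEvent:
    object_name: str
    source_address: str
    severity: str
    match_time: datetime                  # when the object triggered a match
    update_time: datetime                 # last time evidence was added
    evidence: List[dict] = field(default_factory=list)

    def summary(self) -> str:
        return (f"{self.object_name}: {self.source_address} matched with "
                f"{len(self.evidence)} evidence records ({self.severity})")

COMPROMISE_LIFECYCLE = CorrelationObject(
    object_id=6000,                       # constructed placeholder, not a real object ID
    name="Compromise Lifecycle (constructed)",
    severity="high",
    window=timedelta(hours=1),
    patterns=[
        Pattern("scanning or probing", ["threat"],
                lambda r: r.get("subtype") == "scan", threshold=2),
        Pattern("exploitation", ["threat"],
                lambda r: r.get("subtype") == "vulnerability"),
        Pattern("contact with a known malicious domain", ["url"],
                lambda r: r.get("category") == "malware"),
    ],
)

def _ts(rec: dict) -> datetime:
    return datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")

def _hits(pat: Pattern, rec: dict) -> bool:
    return rec["source"] in pat.sources and pat.condition(rec)

def correlate(obj: CorrelationObject, logs: List[dict]) -> List[CorrelatedEvent]:
    """Walk each host's records in time order. Patterns must be satisfied in
    sequence inside obj.window; progress is discarded when the window expires.
    Once matched, later evidence inside the window only updates update_time."""
    by_host: Dict[str, List[dict]] = {}
    for rec in sorted(logs, key=_ts):
        by_host.setdefault(rec["src"], []).append(rec)
    events: List[CorrelatedEvent] = []
    for host, recs in by_host.items():
        step, hits, evidence = 0, 0, []
        window_start: Optional[datetime] = None
        event: Optional[CorrelatedEvent] = None
        for rec in recs:
            ts = _ts(rec)
            if event is not None:
                in_window = ts - event.match_time <= obj.window
                if in_window and any(_hits(p, rec) for p in obj.patterns):
                    event.evidence.append(rec)
                    event.update_time = ts
                continue
            if window_start is not None and ts - window_start > obj.window:
                step, hits, evidence, window_start = 0, 0, [], None
            if not _hits(obj.patterns[step], rec):
                continue
            window_start = window_start or ts
            evidence.append(rec)
            hits += 1
            if hits >= obj.patterns[step].threshold:
                step, hits = step + 1, 0
                if step == len(obj.patterns):
                    event = CorrelatedEvent(obj.name, host, obj.severity, ts, ts, list(evidence))
                    events.append(event)
    return events

if __name__ == "__main__":
    for ev in correlate(COMPROMISE_LIFECYCLE, SAMPLE_LOGS):
        print(ev.match_time, ev.update_time, ev.summary())
```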
View the Correlated Objects
View the Correlation Objects Available on the Firewall
Step 1
Step 2
View the details on each correlation object. Each object provides the following information:
Name and Title: The name and title indicate the type of activity that the correlation object detects. The name column is hidden from view by default. To view the definition of the object, unhide the column and click the name link.
ID: A unique number that identifies the correlation object; this column is also hidden by default. The IDs are in the 6000 series.
Category: A classification of the kind of threat or harm posed to the network, user, or host. For now, all the objects identify compromised hosts on the network.
State: Indicates whether the correlation object is enabled (active) or disabled (inactive). All the objects in the list are enabled by default, and are hence active. Because these objects are based on threat intelligence data and are defined by the Palo Alto Networks Threat Research team, keep the objects active in order to track and detect malicious activity on your network.
Description: Specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the sequence of conditions that are matched on to identify acceleration or escalation of malicious activity or suspicious host behavior. For example, the Compromise Lifecycle object detects a host involved in a complete attack lifecycle in a three-step escalation that starts with scanning or probing activity, progressing to exploitation, and concluding with network contact to a known malicious domain.
For more information, see Automated Correlation Engine Concepts and Use the Automated Correlation Engine.
Interpret Correlated Events
You can view and analyze the logs generated for each correlated event in the Monitor > Automated Correlation Engine > Correlated Events tab.
Correlated Events includes the following details:
Field: Description
Match Time: The time the correlation object triggered a match.
Update Time: The time when the event was last updated with evidence on the match. As the firewall collects evidence on the pattern or sequence of events defined in a correlation object, the timestamp on the correlated event log is updated.
Object Name: The name of the correlation object that triggered the match.
Source Address: The IP address of the user/device on your network from which the traffic originated.
Source User: The user and user group information from the directory server, if User-ID is enabled.
Severity: A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network and the severity implies the following:
Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity generated by a particular host.
Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs, which suggests a scripted command-and-control activity.
Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational: Detects an event that may be useful in aggregate for identifying suspicious activity, but the event is not necessarily significant on its own.
To configure the firewall or Panorama to send alerts using email, SNMP, or syslog messages for a desired severity level, see Use External Services for Monitoring.
Summary: A description that summarizes the evidence gathered on the correlated event.
Click the icon to see the detailed log view, which includes all the evidence on a match:
Tab: Description
Match Information:
Object Details: Presents information on the Correlation Object that triggered the match.
Match Details: A summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.
Match Evidence: Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.
Use the Compromised Hosts Widget in the ACC
The compromised hosts widget on ACC > Threat Activity aggregates the Correlated Events and sorts them by severity. It displays the source IP address/user who triggered the event, the correlation object that was matched, and the number of times the object was matched. Use the match count link to jump to the match evidence details.
For more details, see Use the Automated Correlation Engine and Use the Application Command Center.
Take Packet Captures
All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the management interface and network interfaces on the firewall. When taking packet captures on the dataplane, you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.
Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure you turn it off after you have collected the required packets.
Types of Packet Captures
Disable Hardware Offload
Take a Custom Packet Capture
Take a Threat Packet Capture
Take an Application Packet Capture
Take a Packet Capture on the Management Interface
Types of Packet Captures
There are four different types of packet captures you can enable, depending on what you need to do:
Custom Packet Capture: The firewall captures packets for all traffic or for specific traffic based on filters that you define. For example, you can configure the firewall to only capture packets to and from a specific source and destination IP address or port. You then use the packet captures for troubleshooting network-related issues or for gathering application attributes to enable you to write custom application signatures or to request an application signature from Palo Alto Networks. See Take a Custom Packet Capture.
Threat Packet Capture: The firewall captures packets when it detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. A link to view or export the packet captures will appear in the second column of the Threat log. These packet captures provide context around a threat to help you determine if an attack is successful or to learn more about the methods used by an attacker. You can also submit this type of pcap to Palo Alto Networks to have a threat reanalyzed if you feel it's a false positive or false negative. See Take a Threat Packet Capture.
Application Packet Capture: The firewall captures packets based on a specific application and filters that you define. A link to view or export the packet captures will appear in the second column of the Traffic logs for traffic that matches the packet capture rule. See Take an Application Packet Capture.
Management Interface Packet Capture: The firewall captures packets on the management interface (MGT). The packet captures are useful when troubleshooting services that traverse the interface, such as firewall management authentication to external servers (LDAP and RADIUS, for example), software and content updates, log forwarding, communication with SNMP servers, and authentication requests for GlobalProtect and Captive Portal. See Take a Packet Capture on the Management Interface.
Disable Hardware Offload
Packet captures on a Palo Alto Networks firewall are performed in the dataplane CPU, unless you configure the firewall to Take a Packet Capture on the Management Interface, in which case the packet capture is performed on the management plane. When a packet capture is performed on the dataplane, during the ingress stage, the firewall performs packet parsing checks and discards any packets that do not match the packet capture filter. Any traffic that is offloaded to the field-programmable gate array (FPGA) offload processor is also excluded, unless you turn off hardware offload. For example, encrypted traffic (SSL/SSH), network protocols (OSPF, BGP, RIP), application overrides, and terminating applications can be offloaded to the FPGA and therefore are excluded from packet captures by default. Some types of sessions will never be offloaded, such as ARP, all non-IP traffic, IPSec, VPN sessions, SYN, FIN, and RST packets.
Hardware offload is supported on the following firewalls: PA-2000 Series, PA-3050, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewall.
Disabling hardware offload increases the dataplane CPU usage. If dataplane CPU usage is already high, you may want to schedule a maintenance window before disabling hardware offload.
Enable/Disable Hardware Offload
Step 1
Disable hardware offload by running the following CLI command:
admin@PA-7050> set session offload no
Step 2
After the firewall captures the required traffic, enable hardware offload by running the following CLI command:
admin@PA-7050> set session offload yes
Take a Custom Packet Capture
Custom packet captures allow you to define the traffic that the firewall will capture. To ensure that you capture all traffic, you may need to Disable Hardware Offload.
Take a Custom Packet Capture
Step 1
Before you start a packet capture, identify the attributes of the traffic that you want to capture.
For example, to determine the source IP address, source NAT IP address, and the destination IP address for traffic between two systems, perform a ping from the source system to the destination system. After the ping is complete, go to Monitor > Traffic and locate the traffic log for the two systems. Click the Detailed Log View icon located in the first column of the log and note the source address, source NAT IP, and the destination address.
In the example that follows, we will use a packet capture to troubleshoot a Telnet connectivity issue from a user in the Trust zone to a server in the DMZ zone.
Step 2
Set packet capture filters, so the firewall only captures traffic you are interested in.
Filters will make it easier for you to locate the information you need in the packet capture and will reduce the processing power required by the firewall to take the packet capture. To capture all traffic, do not define filters and leave the filter option off.
For example, if you configured NAT on the firewall, you will need to apply two filters. The first one filters on the pre-NAT source IP address to the destination IP address and the second one filters traffic from the destination server to the source NAT IP address.
1. Select Monitor > Packet Capture.
2. Click Clear All Settings at the bottom of the window to clear any existing capture settings.
3. Click Manage Filters and click Add.
4. Select Id 1 and in the Source field enter the source IP address you are interested in and in the Destination field enter a destination IP address.
For example, enter the source IP address 192.168.2.10 and the destination IP address 10.43.14.55. To further filter the capture, set Non-IP to exclude non-IP traffic, such as broadcast traffic.
5. Add the second filter and select Id 2.
For example, in the Source field enter 10.43.14.55 and in the Destination field enter 10.43.14.25. In the Non-IP drop-down menu select exclude.
6. Click OK.
Step 3
Set Filtering to On.
Step 4
Specify the traffic stage(s) that trigger the packet capture and the filename(s) to use to store the captured content. For a definition of each stage, click the Help icon on the packet capture page.
For example, to configure all packet capture stages and define a filename for each stage, perform the following procedure:
1. Add a Stage to the packet capture configuration and define a Filename for the resulting packet capture.
For example, select receive as the Stage and set the Filename to telnet-test-received.
Step 5
Step 6
Generate traffic that matches the filters that you defined.
For this example, generate traffic from the source system to the Telnet-enabled server by running the following command from the source system (192.168.2.10):
telnet 10.43.14.55
Step 7
Turn packet capture OFF and then click the refresh icon to see the packet capture files.
Notice that in this case, there were no dropped packets, so the firewall did not create a file for the drop stage.
Step 8
Download the packet captures by clicking the file name in the File Name column.
Step 9
View the packet capture files using a network packet analyzer.
In this example, the received.pcap packet capture shows a failed Telnet session from the source system at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. The source system sent the Telnet request to the server, but the server did not respond. In this example, the server may not have Telnet enabled, so check the server.
Step 10
Enable the Telnet service on the destination server (10.43.14.55) and turn on packet capture to take a new packet capture.
Step 11
Generate traffic that will trigger the packet capture.
Run the Telnet session again from the source system to the Telnet-enabled server:
telnet 10.43.14.55
Step 12
Download and open the received.pcap file and view it using a network packet analyzer.
The following packet capture now shows a successful Telnet session from the host user at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. Note that you also see the NAT address 10.43.14.25. When the server responds, it does so to the NAT address. You can see the session is successful as indicated by the three-way handshake between the host and the server and then you see Telnet data.
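Why the NAT case in Step 2 needs the two filters, as an added model that is not part of the guide: each filter is evaluated against a packet's own addresses, and the server answers the source-NAT address rather than the client's pre-NAT address. The addresses are those of the Telnet example above; CaptureFilter, Packet and check_nat_session_coverage() are constructed here.

```python
"""Model of the Id 1 / Id 2 capture filters from Step 2 (added example, not
Palo Alto Networks code). Shows which direction of a source-NAT session each
filter catches, and which direction a single filter would miss."""
from dataclasses import dataclass
from typing import List, Optional

CLIENT = "192.168.2.10"     # pre-NAT source in the Trust zone (from the guide)
SERVER = "10.43.14.55"      # Telnet server in the DMZ (from the guide)
NAT_SRC = "10.43.14.25"     # source-NAT address the server replies to (from the guide)

@dataclass(frozen=True)
class CaptureFilter:
    filter_id: int
    source: Optional[str] = None        # None = field left empty (any)
    destination: Optional[str] = None
    non_ip: str = "exclude"             # Non-IP drop-down: exclude or include

@dataclass(frozen=True)
class Packet:
    src: Optional[str]                  # None for a non-IP frame such as ARP
    dst: Optional[str]
    proto: str

FILTER_1 = CaptureFilter(1, CLIENT, SERVER)     # pre-NAT source -> destination
FILTER_2 = CaptureFilter(2, SERVER, NAT_SRC)    # destination server -> NAT source

def matches(flt: CaptureFilter, pkt: Packet) -> bool:
    """One filter against one packet: both address fields must match unless empty."""
    if pkt.src is None or pkt.dst is None:      # non-IP frame
        return flt.non_ip == "include"
    return flt.source in (None, pkt.src) and flt.destination in (None, pkt.dst)

def matching_filter_ids(filters: List[CaptureFilter], pkt: Packet) -> List[int]:
    return [f.filter_id for f in filters if matches(f, pkt)]

def check_nat_session_coverage(filters: List[CaptureFilter], client: str = CLIENT,
                               server: str = SERVER, nat_src: str = NAT_SRC) -> List[str]:
    """Name the directions of a source-NAT session that no filter would capture."""
    forward = Packet(client, server, "tcp")     # client -> server, pre-NAT addresses
    reverse = Packet(server, nat_src, "tcp")    # server -> client, addressed to the NAT IP
    missing = []
    if not matching_filter_ids(filters, forward):
        missing.append("client-to-server")
    if not matching_filter_ids(filters, reverse):
        missing.append("server-to-client")
    return missing

if __name__ == "__main__":
    print("filter 1 only misses:", check_nat_session_coverage([FILTER_1]))       # ['server-to-client']
    print("both filters miss:", check_nat_session_coverage([FILTER_1, FILTER_2]))  # []
```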
Take a Threat Packet Capture
To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
Take a Threat Packet Capture
Step 1
Enable the packet capture option in the security profile.
Some security profiles allow you to define a single packet capture, or extended capture. If you choose extended capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.
The firewall can only capture packets if the action for a given threat is set to allow or alert.
Step 2
Add the security profile (with packet capture enabled) to a Security Policy rule.
Step 3
View/export the packet capture from the Threat logs.
1. Select Monitor > Logs > Threat.
2. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system.
Take an Application Packet Capture
The following topics describe two ways that you can configure the firewall to take application packet captures:
Take a Packet Capture for Unknown Applications
Take a Custom Application Packet Capture
Take a Packet Capture for Unknown Applications
Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application that it cannot identify. Typically, the only applications that are classified as unknown traffic (tcp, udp, or non-syn tcp) are commercially available applications that do not yet have App-ID signatures, are internal or custom applications on your network, or potential threats. You can use these packet captures to gather more context related to the unknown application or use the information to analyze the traffic for potential threats.
You can also Manage Custom or Unknown Applications by controlling them through security policy or by writing a custom application signature and creating a security rule based on the custom signature. If the application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an App-ID signature created.
Identify Unknown Applications in Traffic Logs and View Packet Captures
Step 1
Verify that unknown application packet capture is enabled. This option is on by default.
1. To view the unknown application capture setting, run the following CLI command:
admin@PA-200> show running application setting | match Unknown capture
2. If the unknown capture setting option is off, enable it:
admin@PA-200> set application dump-unknown yes
Step 2
Locate unknown applications by filtering the traffic logs.
1. Select Monitor > Logs > Traffic.
2. Click Add Filter and select the filters as shown in the following example.
3. Click Add and Apply Filter.
Step 3
Click the packet capture icon to view the packet capture or Export it to your local system.
Take a Custom Application Packet Capture
You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in Objects > Applications.
Take a Custom Application Packet Capture
Step 1
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 2
Turn on the application packet capture and define filters.
admin@PA-200> set application dump on application <application-name> rule <rule-name>
For example, to capture packets for the facebook-base application that matches the security rule named rule1, run the following CLI command:
admin@PA-200> set application dump on application facebook-base rule rule1
You can also apply other filters, such as source IP address and destination IP address.
Step 3
View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after enabling the packet capture.
In the following output, you see that application filtering is now on based on the facebook-base application for traffic that matches rule1.
Application setting:
  Application cache              : yes
  Supernode                      : yes
  Heuristics                     : yes
  Cache Threshold                : 16
  Bypass when exceeds queue limit: no
  Traceroute appid               : yes
  Traceroute TTL threshold       : 30
  Use cache for appid            : no
  Unknown capture                : on
  Max. unknown sessions          : 5000
  Current unknown sessions       : 0
  Application capture            : on
  Max. application sessions      : 5000
  Current application sessions   : 0
Application filter setting:
  Rule                           : rule1
  From                           : any
  To                             : any
  Source                         : any
  Destination                    : any
  Protocol                       : any
  Source Port                    : any
  Dest. Port                     : any
  Application                    : facebook-base
Current APPID Signature
  Signature Usage                : 21 MB (Max. 32 MB)
  TCP 1 C2S                      : 15503 states
  TCP 1 S2C                      : 5070 states
  TCP 2 C2S                      : 2426 states
  TCP 2 S2C                      : 702 states
  UDP 1 C2S                      : 11379 states
  UDP 1 S2C                      : 2967 states
  UDP 2 C2S                      : 755 states
  UDP 2 S2C                      : 224 states
Step 4
Access Facebook.com from a web browser to generate Facebook traffic and then turn off application packet capture by running the following CLI command:
admin@PA-200> set application dump off
Step 5
View/export the packet capture.
1. Log in to the web interface on the firewall and select Monitor > Logs > Traffic.
2. In the log entry that you are interested in, click the green packet capture icon in the second column.
3. View the packet capture directly or Export it to your computer. The following screen capture shows the facebook-base packet capture.
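An added check for Step 3 of this procedure (not the guide's or Palo Alto Networks' code): parse the "show running application setting" output into its sections and confirm that application capture is on and the filter names the intended application and rule before generating traffic. SAMPLE_OUTPUT is a constructed copy of the guide's sample output, and check_application_capture() is a hypothetical helper.

```python
"""Parser and sanity check for the 'show running application setting' output
shown in Step 3. Added example, not Palo Alto Networks code; SAMPLE_OUTPUT is
a constructed copy of the guide's sample."""
from typing import Dict, List

SAMPLE_OUTPUT = """\
Application setting:
  Application cache              : yes
  Supernode                      : yes
  Heuristics                     : yes
  Cache Threshold                : 16
  Bypass when exceeds queue limit: no
  Traceroute appid               : yes
  Traceroute TTL threshold       : 30
  Use cache for appid            : no
  Unknown capture                : on
  Max. unknown sessions          : 5000
  Current unknown sessions       : 0
  Application capture            : on
  Max. application sessions      : 5000
  Current application sessions   : 0
Application filter setting:
  Rule                           : rule1
  From                           : any
  To                             : any
  Source                         : any
  Destination                    : any
  Protocol                       : any
  Source Port                    : any
  Dest. Port                     : any
  Application                    : facebook-base
Current APPID Signature
  Signature Usage                : 21 MB (Max. 32 MB)
  TCP 1 C2S                      : 15503 states
  TCP 1 S2C                      : 5070 states
"""

def parse_application_setting(text: str) -> Dict[str, Dict[str, str]]:
    """Group 'key : value' rows under the header line that precedes them.
    A header is a line with nothing after its colon ('Application setting:')
    or with no colon at all ('Current APPID Signature'); indentation is ignored."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "(no section)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            sections.setdefault(current, {})[key.strip()] = value.strip()
        else:
            current = key.strip()
            sections.setdefault(current, {})
    return sections

def check_application_capture(text: str, application: str, rule: str) -> List[str]:
    """Return the problems that would make the capture miss the intended traffic:
    capture off, filter on another application or rule, or the application
    session counter already at its maximum."""
    parsed = parse_application_setting(text)
    setting = parsed.get("Application setting", {})
    flt = parsed.get("Application filter setting", {})
    problems: List[str] = []
    if setting.get("Application capture") != "on":
        problems.append("Application capture is not on")
    if flt.get("Application") != application:
        problems.append(f"filter application is {flt.get('Application')!r}, expected {application!r}")
    if flt.get("Rule") != rule:
        problems.append(f"filter rule is {flt.get('Rule')!r}, expected {rule!r}")
    current = int(setting.get("Current application sessions", "0"))
    maximum = int(setting.get("Max. application sessions", "0"))
    if maximum and current >= maximum:
        problems.append(f"application sessions at the maximum ({current}/{maximum})")
    return problems

if __name__ == "__main__":
    print(check_application_capture(SAMPLE_OUTPUT, "facebook-base", "rule1"))   # []
```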
Take a Packet Capture on the Management Interface
The tcpdump CLI command enables you to capture packets that traverse the management interface (MGT) on a Palo Alto Networks firewall.
Each platform has a default number of bytes that tcpdump captures. The PA-200, PA-500, and PA-2000 Series firewalls capture 68 bytes of data from each packet and anything over that is truncated. The PA-3000, PA-4000, PA-5000 Series, the PA-7000 Series firewalls, and VM-Series firewalls capture 96 bytes of data from each packet. To define the number of packets that tcpdump will capture, use the snaplen (snap length) option (range 0-65535). Setting the snaplen to 0 will cause the firewall to use the maximum length required to capture whole packets.
Take a Management Interface Packet Capture
Step 1
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 2
To start a packet capture on the MGT interface, run the following command:
admin@PA-200> tcpdump filter <filter-option> <IP-address> snaplen length
For example, to capture the traffic that is generated when an administrator authenticates to the firewall using RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
admin@PA-200> tcpdump filter dst 10.5.104.99 snaplen 0
You can also filter on src (source IP address), host, net, and you can exclude content. For example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22), run the following command:
admin@PA-200> tcpdump filter net 10.5.104.0/24 and not port 22 snaplen 0
Each time tcpdump takes a packet capture, it stores the content in a file named mgmt.pcap. This file is overwritten each time you run tcpdump.
Step 3
After the traffic you are interested in has traversed the MGT interface, press Ctrl+C to stop the capture.
Step 4
View the packet capture by running the following command:
admin@PA-200> view-pcap mgmt-pcap mgmt.pcap
The following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):
09:55:29.139394
0x00 length: 89
09:55:29.144354
09:55:29.379290
0x00 length: 70
09:55:34.379262
Step 5
(Optional) Export the packet capture from the firewall using SCP (or TFTP). For example, to export the packet capture using SCP, run the following command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to <username@host:path>
For example, to export the pcap to an SCP-enabled server at 10.5.5.20 to a temp folder named temp-SCP, run the following CLI command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to admin@10.5.5.20:c:/temp-SCP
Enter the login name and password for the account on the SCP server to enable the firewall to copy the packet capture to the c:\temp-SCP folder on the SCP-enabled server.
Step 6
You can now view the packet capture files using a network packet analyzer, such as Wireshark.
Monitor Applications and Threats
All Palo Alto Networks next-generation firewalls come equipped with the App-ID technology, which identifies the applications traversing your network, irrespective of protocol, encryption, or evasive tactic. You can then Use the Application Command Center to monitor the applications. The ACC graphically summarizes the data from a variety of log databases to highlight the applications traversing your network, who is using them, and their potential security impact. ACC is dynamically updated, using the continuous traffic classification that App-ID performs; if an application changes ports or behavior, App-ID continues to see the traffic, displaying the results in ACC. Additional visibility into URL categories, threats, and data provides a complete and well-rounded picture of network activity. With ACC, you can very quickly learn more about the traffic traversing the network and then translate that information into a more informed security policy.
You can also Use the Dashboard to monitor the network.
View AutoFocus Threat Data for Logs to check whether logged events on the firewall pose a security risk. The AutoFocus intelligence summary shows the prevalence of properties, activities, or behaviors associated with logs in your network and on a global scale, as well as the WildFire verdict and AutoFocus tags linked to them. With an active AutoFocus subscription, you can use this information to create customized AutoFocus Alerts that track specific threats on your network.
Monitor and Manage Logs
A log is an automatically generated, time-stamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, the firewall generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature or a DoS attack that matches the thresholds configured for a port scan or host sweep activity on the firewall.
Log Types and Severity Levels
Work with Logs
Configure Log Storage Quotas and Expiration Periods
Schedule Log Exports to an SCP or FTP Server
Log Types and Severity Levels
You can see the following log types in the Monitor > Logs pages.
Traffic Logs
Threat Logs
URL Filtering Logs
WildFire Submissions Logs
Data Filtering Logs
Correlation Logs
Config Logs
System Logs
HIP Match Logs
Alarms Logs
Unified Logs
Traffic Logs
Traffic logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones, addresses and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
The Type column indicates whether the entry is for the start or end of the session. The Action column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates the security rule that blocked the traffic specified any application, while a deny indicates the rule identified a specific application. If the firewall drops traffic before identifying the application, such as when a rule drops all traffic for a specific service, the Application column displays not-applicable.
Click the icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).
Threat Logs
Threat logs display entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, and ports; application name; alarm action (such as allow or block); and severity level.
To see more details on individual Threat log entries:
Click the icon beside a threat entry to view details such as whether the entry aggregates multiple threats of the same type between the same source and destination (in which case the Count column value is greater than one).
If you configured the firewall to Take Packet Captures, click the icon beside an entry to access the captured packets.
The following table summarizes the Threat severity levels:
Severity: Description
Critical: Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and the exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims and the target does not need to be manipulated into performing any special functions.
High: Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
Medium: Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. In addition, WildFire Submissions log entries with a malware verdict are logged as Medium.
Low: Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged as Low.
Informational: Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist. URL Filtering log entries and WildFire Submissions log entries with a benign verdict are logged as Informational.
URL Filtering Logs
URL Filtering logs display entries for traffic that matches URL Filtering Profiles attached to security rules. For example, the firewall generates a log if a rule blocks access to specific web sites and web site categories or if you configured a rule to generate an alert when a user accesses a web site.
WildFire Submissions Logs

The firewall forwards samples (files and email links) to the WildFire cloud for analysis based on WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). The firewall generates WildFire Submissions log entries for each sample it forwards after WildFire completes static and dynamic analysis of the sample. WildFire Submissions log entries include the WildFire verdict for the submitted sample.

The following table summarizes the WildFire verdicts:

Verdict: Description

Benign: Indicates that the entry received a WildFire analysis verdict of benign. Files categorized as benign are safe and do not exhibit malicious behavior.

Grayware: Indicates that the entry received a WildFire analysis verdict of grayware. Files categorized as grayware do not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware can include adware, spyware, and Browser Helper Objects (BHOs).

Malicious: Indicates that the entry received a WildFire analysis verdict of malicious. Samples categorized as malicious can pose a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For samples that are identified as malware, the WildFire cloud generates and distributes a signature to prevent against future exposure.
Data Filtering Logs

Data Filtering logs display entries for the security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects. See Set Up Data Filtering for information on defining Data Filtering profiles.

This log type also shows information for File Blocking Profiles. For example, if a rule blocks .exe files, the log shows the blocked files.
Correlation Logs

The firewall logs a correlated event when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network. To Interpret Correlated Events and view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.

The following table summarizes the Correlation log severity levels:

Severity: Description

Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.

High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host.
Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs that suggest scripted command-and-control activity.

Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.

Informational: Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own.
Config Logs

Config logs display entries for changes to the firewall configuration. Each entry includes the date and time, the administrator username, the IP address from where the administrator made the change, the type of client (Web, CLI, or Panorama), the type of command executed, the command status (succeeded or failed), the configuration path, and the values before and after the change.
System Logs

System logs display entries for each system event on the firewall. Each entry includes the date and time, event severity, and event description. The following table summarizes the System log severity levels. For a partial list of System log messages and their corresponding severity levels, refer to System Log Events.

Severity: Description

Critical: Hardware failures, including high availability (HA) failover and link failures.

High: Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.

Medium: Mid-level notifications, such as antivirus package upgrades.

Low: Minor severity notifications, such as user password changes.

Informational: Login/logoff, administrator name or password change, any configuration change, and all other events not covered by the other severity levels.
HIP Match Logs

The GlobalProtect Host Information Profile (HIP) feature enables you to collect information about the security status of the end devices accessing your network (such as whether they have disk encryption enabled). The firewall can allow or deny access to a specific host based on adherence to the HIP-based security rules you define. HIP Match logs display traffic flows that match a HIP Object or HIP Profile that you configured for the rules.
Alarms Logs

An alarm is a firewall-generated message indicating that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type. To enable alarms and configure alarm thresholds, select Device > Log Settings and edit the Alarm Settings.

When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After you Close the dialog, you can reopen it any time by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select the alarm in the Unacknowledged Alarms list and Acknowledge the alarm.
Unified Logs

Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs displayed in a single view. Unified log view enables you to investigate and filter the latest entries from different log types in one place, instead of searching through each log type separately. Click Effective Queries in the filter area to select which log types will display entries in Unified log view.

The Unified log view displays only entries from logs that you have permission to see. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. Administrative Roles define these permissions.

When you Set Up Remote Search in AutoFocus to perform a targeted search on the firewall, the search results are displayed in Unified log view.
Work with Logs

View Logs
Filter Logs
Export Logs
View AutoFocus Threat Data for Logs

View Logs

You can view the different log types on the firewall in a tabular format. The firewall locally stores all log files and automatically generates Configuration and System logs by default. To learn more about the security rules that trigger the creation of entries for the other types of logs, see Log Types and Severity Levels.

To configure the firewall to forward logs as syslog messages, email notifications, or Simple Network Management Protocol (SNMP) traps, see Use External Services for Monitoring.
View Logs

Step 1. Select a log type to view.
Select a log type from the list.
The firewall displays only the logs you have permission to see. For example, if your administrative account does not have permission to view WildFire Submissions logs, the firewall does not display that log type when you access the logs pages. Administrative Roles define the permissions.

Step 2. (Optional) Customize the log column display.
1. Click the arrow to the right of any column header, and select Columns.
2. Select columns to display from the list. The log updates automatically to match your selections.

Step 3. View additional details about log entries.
Click the spyglass for a specific log entry. The Detailed Log View has more information about the source and destination of the session, as well as a list of sessions related to the log entry.
(Threat log only) Click the icon next to an entry to access local packet captures of the threat. To enable local packet captures, see Take Packet Captures.

Next Steps...
Filter Logs.
Export Logs.
View AutoFocus Threat Data for Logs.
Configure Log Storage Quotas and Expiration Periods.
Filter Logs

Each log has a filter area that allows you to set criteria for which log entries to display. The ability to filter logs is useful for focusing on events on your firewall that possess particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.
Filter Logs

Step 1. (Unified log only) Select the log types to include in the Unified log display.
1. Click Effective Queries.
2. Select one or more log types from the list (traffic, threat, url, data, and wildfire).
3. Click OK. The Unified log updates to show only entries from the log types you have selected.

Step 2. Add a filter to the filter field.
Click one or more artifacts (such as the application type associated with traffic and the IP address of an attacker) in a log entry. For example, click the Source 10.0.0.25 and Application web-browsing of a log entry to display only entries that contain both artifacts in the log (AND search).
To specify artifacts to add to the filter field, click Add Filter.
To add a previously saved filter, click Load Filter.
If the value of the artifact matches the operator (such as has or in), enclose the value in quotation marks to avoid a syntax error. For example, if you filter by destination country and use IN as a value to specify INDIA, enter the filter as ( dstloc eq "IN" ).

Step 3. Apply the filter to the log.
Click Apply Filter. The log will refresh to display only log entries that match the current filter.

Step 4. (Optional) Save frequently used filters.
1. Click Save Filter.
2. Enter a Name for the filter.
3. Click OK. You can view your saved filters by clicking Load Filter.

Next Steps...
View Logs.
Export Logs.
View AutoFocus Threat Data for Logs.
Export Logs

You can export the contents of a log type to a comma-separated value (CSV) formatted report. By default, the report contains up to 2,000 rows of log entries.
Export Logs

Step 1. Set the number of rows to display in the report.
1.
2.
3.
4. Click OK.

Step 2. Download the log.
1. Click Export to CSV. A progress bar showing the status of the download appears.
2. When the download is complete, click Download file to save a copy of the log to your local folder. For descriptions of the column headers in a downloaded log, refer to Syslog Field Descriptions.

Next Step...
Schedule Log Exports to an SCP or FTP Server.
View AutoFocus Threat Data for Logs

Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs include AutoFocus threat intelligence data to provide context for the following artifacts found in the log entries:

IP address
URL
User agent
Threat name
Filename
SHA-256 hash

You can also open an AutoFocus search for log artifacts.
View AutoFocus Threat Data for Logs

Step 1. Connect the firewall to AutoFocus to Enable AutoFocus Threat Intelligence.
Enable AutoFocus in Panorama to view AutoFocus threat data for all Panorama log entries, including those from firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier release versions (Panorama > Setup > Management > AutoFocus).

Step 2. Select a log type to view.
1.
2. Select one of the following log types: Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, or Unified.

Step 3. Open the AutoFocus Intelligence Summary for an artifact.
1. Click the drop-down for an IP address, URL, user agent, threat name, filename, or SHA-256 hash in any log entry.
2. Click AutoFocus.

Step 4. Review the logs and statistics in the AutoFocus Intelligence Summary to assess the pervasiveness and risk of the artifact:
View recent passive DNS history for IP address, domain, and URL artifacts.
Review the matching tags for the artifact. AutoFocus Tags indicate whether an artifact is linked to malware or targeted attacks.
Create AutoFocus Alerts for tags issued by Unit 42, the Palo Alto Networks threat research team. Alerts for Unit 42 tags help you detect advanced security threats and campaigns as they occur on your network.
View the number of sessions logged in your firewall(s) where samples associated with the artifact were detected.
Compare the WildFire verdicts (benign, malware, grayware) for global and private samples that contain the artifact. Global refers to samples from all WildFire submissions, while private refers to only samples submitted to WildFire by your organization.
View the latest private samples with which WildFire found the artifact. Artifacts found with the samples include SHA-256 hash, the file type, the date that the sample was first analyzed by WildFire, the WildFire verdict for the sample, and the date that the WildFire verdict was updated (if applicable).

Step 5. Add artifacts from the firewall to an AutoFocus Search.
Click the link for the log artifact. The AutoFocus search editor opens in a new browser tab, with the log artifact added as a search condition.
Click any linked artifact in the tables or charts to add it as a search condition to an AutoFocus search.
Next Step...
Learn more about AutoFocus Search.
Configure Log Storage Quotas and Expiration Periods

The firewall automatically deletes logs that exceed the expiration period. When the firewall reaches the storage quota for a log type, it automatically deletes older logs of that type to create space even if you don't set an expiration period.

If you want to manually delete logs, select Device > Log Settings and, in the Manage Logs section, click the links to clear logs by type.
Configure Log Storage Quotas and Expiration Periods

Step 1.
Step 2.
Step 3. Enter the Max Days (expiration period) for each log type (range is 1-2,000). The fields are blank by default, which means the logs never expire.
The firewall synchronizes expiration periods across high availability (HA) pairs. Because only the active HA peer generates logs, the passive peer has no logs to delete unless failover occurs and it starts generating logs.

Step 4. Click OK and Commit.
Schedule Log Exports to an SCP or FTP Server

You can schedule exports of Traffic, Threat, URL Filtering, Data Filtering, HIP Match, and WildFire Submission logs to a Secure Copy (SCP) server or File Transfer Protocol (FTP) server. Perform this task for each log type you want to export.

You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the following platforms, they do not support these options: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).
Schedule Log Exports to an SCP or FTP Server

Step 1.
Step 2. Enter a Name for the scheduled log export and Enable it.
Step 3. Select the Log Type to export.
Step 4.
Step 5. Select the Protocol to export the logs: SCP (secure) or FTP.
Step 6. Enter the Hostname or IP address of the server.
Step 7. Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.
Step 8. Enter the Path or directory in which to save the exported logs.
Step 9. Enter the Username and, if necessary, the Password (and Confirm Password) to access the server.
Manage Reporting

The reporting capabilities on the firewall allow you to keep a pulse on your network, validate your policies, and focus your efforts on maintaining network security for keeping your users safe and productive.

Report Types
View Reports
Configure the Report Expiration Period
Disable Predefined Reports
Generate Custom Reports
Generate Botnet Reports
Generate the SaaS Application Usage Report
Manage PDF Summary Reports
Generate User/Group Activity Reports
Manage Report Groups
Schedule Reports for Email Delivery
Report Types

The firewall includes predefined reports that you can use as-is, or you can build custom reports that meet your needs for specific data and actionable tasks, or you can combine predefined and custom reports to compile the information you need. The firewall provides the following types of reports:

Predefined Reports: Allow you to view a quick summary of the traffic on your network. A suite of predefined reports is available in four categories: Applications, Traffic, Threat, and URL Filtering. See View Reports.

User or Group Activity Reports: Allow you to schedule or create an on-demand report on the application use and URL activity for a specific user or for a user group. The report includes the URL categories and an estimated browse time calculation for individual users. See Generate User/Group Activity Reports.

Custom Reports: Create and schedule custom reports that show exactly the information you want to see by filtering on conditions and columns to include. You can also include query builders for more specific drill-down on report data. See Generate Custom Reports.

PDF Summary Reports: Aggregate up to 18 predefined or custom reports/graphs from Threat, Application, Trend, Traffic, and URL Filtering categories into one PDF document. See Manage PDF Summary Reports.

Botnet Reports: Allow you to use behavior-based mechanisms to identify potential botnet-infected hosts in the network. See Generate Botnet Reports.

Report Groups: Combine custom and predefined reports into report groups and compile a single PDF that is emailed to one or more recipients. See Manage Report Groups.

Reports can be generated on demand, on a recurring schedule, and can be scheduled for email delivery.
View Reports

The firewall provides an assortment of over 40 predefined reports that it generates every day. You can view these reports directly on the firewall. You can also view custom reports and summary reports.

About 200 MB of storage is allocated for saving reports on the firewall. You can't configure this limit, but you can Configure the Report Expiration Period: the firewall will automatically delete reports that exceed the period. Keep in mind that when the firewall reaches its storage limit, it automatically deletes older reports to create space even if you don't set an expiration period. Another way to conserve system resources on the firewall is to Disable Predefined Reports. For long-term retention of reports, you can export the reports (as described below) or Schedule Reports for Email Delivery.

Unlike other reports, you can't save User/Group Activity reports on the firewall. You must Generate User/Group Activity Reports on demand or schedule them for email delivery.
View Reports

Step 1.
Step 2. Select a report to view. The reports page then displays the report for the previous day.
To view reports for other days, select a date in the calendar at the bottom right of the page and select a report. If you select a report in another section, the date selection resets to the current date.

Step 3. To view a report offline, you can export the report to PDF, CSV, or XML format. Click Export to PDF, Export to CSV, or Export to XML at the bottom of the page, then print or save the file.
Configure the Report Expiration Period

When you set the Report Expiration Period, it applies to all Report Types. The firewall automatically deletes reports that exceed the period.

Configure Report Expiration Periods

Step 1.
Step 2.
Step 3. Click OK and Commit.
Disable Predefined Reports

The firewall includes about 40 predefined reports that it automatically generates daily. If you do not use some or all of these, you can disable selected reports to conserve system resources on the firewall.

Make sure that no report group or PDF summary report includes the predefined reports you will disable. Otherwise, the firewall will render the PDF summary report or report group without any data.

Disable Predefined Reports

Step 1.
Step 2. Select the Pre-Defined Reports tab and clear the check box for each report you want to disable. To disable all predefined reports, click Deselect All.
Step 3. Click OK and Commit.
Generate Custom Reports

In order to create purposeful custom reports, you must consider the attributes or key pieces of information that you want to retrieve and analyze. This consideration guides you in making the following selections in a custom report:

Selection: Description

Data Source: The data file that is used to generate the report. The firewall offers two types of data sources: Summary databases and Detailed logs.
Summary databases are available for traffic, threat, and application statistics. The firewall aggregates the detailed logs on traffic, application, and threat at 15-minute intervals. The data is condensed: duplicate sessions are grouped together and incremented with a repeat counter, and some attributes (or columns) are not included in the summary to allow faster response time when generating reports.
Detailed logs are itemized and are a complete listing of all the attributes (or columns) that pertain to the log entry. Reports based on detailed logs take much longer to run and are not recommended unless absolutely necessary.

Attributes: The columns that you want to use as the match criteria. The attributes are the columns that are available for selection in a report. From the list of Available Columns, you can add the selection criteria for matching data and for aggregating the details (the Selected Columns).

Sort By/Group By:
The following example illustrates how the Selected Columns and Sort By/Group By criteria work together when generating reports:
The columns circled in red (above) depict the columns selected, which are the attributes that you match against for generating the report. Each log entry from the data source is parsed and these columns are matched on. If multiple sessions have the same values for the selected columns, the sessions are aggregated and the repeat count (or sessions) is incremented.
The column circled in blue indicates the chosen sort order. When the sort order (Sort By) is specified, the data is sorted (and aggregated) by the selected attribute.
The column circled in green indicates the Group By selection, which serves as an anchor for the report. The Group By column is used as a match criterion to filter for the top N groups. Then, for each of the top N groups, the report enumerates the values for all the other selected columns.
For example, if a report has the following selections:
The output will display as follows:
The report is anchored by Day and sorted by Sessions. It lists the 5 days (5 Groups) with maximum traffic in the Last 7 Days time frame. The data is enumerated by the Top 5 sessions for each day for the selected columns App Category, App Subcategory, and Risk.

Time Period: The date range for which you want to analyze data. You can define a custom range or select a time period ranging from the last 15 minutes to the last 30 days. The reports can be run on demand or scheduled to run at a daily or weekly cadence.

Query Builder: The query builder allows you to define specific queries to further refine the selected attributes. It allows you to see just what you want in your report using and/or operators and match criteria, and then include or exclude data that matches or negates the query in the report. Queries enable you to generate a more focused collation of information in a report.
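As an added example (not PAN-OS code) of how the Selected Columns, Sort By and Group By settings combine, the following Python reproduces the aggregation on constructed summary rows: rows with identical selected columns are merged and their repeat counters summed, the Group By column picks the top N groups, and the top rows are enumerated within each group. It goes beyond the page's Day/Sessions example by allowing Sort By to be either sessions or bytes; the column names and sample values are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Row = Dict[str, object]
METRICS = ("sessions", "bytes")  # repeat counters carried by each summary row

# Constructed 15-minute summary rows (not real firewall data). Each row already
# carries a repeat count ("sessions"), as the page describes for the summary database.
SUMMARY_ROWS: List[Row] = [
    {"day": "2016-05-09", "app_category": "general-internet", "app_subcategory": "internet-utility", "risk": 4, "sessions": 120, "bytes": 5000},
    {"day": "2016-05-09", "app_category": "general-internet", "app_subcategory": "internet-utility", "risk": 4, "sessions": 80, "bytes": 3000},
    {"day": "2016-05-09", "app_category": "networking", "app_subcategory": "infrastructure", "risk": 2, "sessions": 50, "bytes": 1000},
    {"day": "2016-05-10", "app_category": "general-internet", "app_subcategory": "internet-utility", "risk": 4, "sessions": 30, "bytes": 90000},
    {"day": "2016-05-10", "app_category": "collaboration", "app_subcategory": "email", "risk": 3, "sessions": 300, "bytes": 20000},
    {"day": "2016-05-11", "app_category": "media", "app_subcategory": "audio-streaming", "risk": 2, "sessions": 10, "bytes": 40000},
]
SELECTED = ["day", "app_category", "app_subcategory", "risk"]  # the page's example columns


def aggregate(rows: List[Row], selected_cols: List[str]) -> List[Row]:
    """Match rows on the Selected Columns: rows with identical values are merged
    and their repeat counters summed (the 'sessions' column of the report)."""
    totals: Dict[Tuple, Dict[str, int]] = defaultdict(lambda: dict.fromkeys(METRICS, 0))
    for row in rows:
        key = tuple(row[c] for c in selected_cols)
        for metric in METRICS:
            totals[key][metric] += int(row[metric])
    return [dict(zip(selected_cols, key), **sums) for key, sums in totals.items()]


def build_report(rows: List[Row], selected_cols: List[str], group_by: str,
                 sort_by: str, n_groups: int, top_n: int) -> List[Tuple[object, int, List[Row]]]:
    """Group By anchors the report: rank groups by the Sort By metric, keep the
    top n_groups, then list the top_n aggregated rows inside each group."""
    if group_by not in selected_cols or sort_by not in METRICS:
        raise ValueError("Group By must be a selected column and Sort By a metric")
    groups: Dict[object, List[Row]] = defaultdict(list)
    for row in aggregate(rows, selected_cols):
        groups[row[group_by]].append(row)
    ranked = sorted(groups.items(),
                    key=lambda kv: sum(r[sort_by] for r in kv[1]), reverse=True)
    report = []
    for value, members in ranked[:n_groups]:
        members.sort(key=lambda r: r[sort_by], reverse=True)
        report.append((value, sum(r[sort_by] for r in members), members[:top_n]))
    return report


if __name__ == "__main__":
    # Same shape as the page's example: anchored by Day, sorted by Sessions, 5 groups, top 5.
    for day, total, top in build_report(SUMMARY_ROWS, SELECTED, "day", "sessions", 5, 5):
        print(f"{day}: {total} sessions")
        for r in top:
            print(f"   {r['app_category']:18} {r['app_subcategory']:18} risk {r['risk']} {r['sessions']:>5}")
```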
Generate Custom Reports

Step 1.
Step 2. Click Add and then enter a Name for the report.
To base a report on a predefined template, click Load Template and choose the template. You can then edit the template and save it as a custom report.

Step 3. Select the Database to use for the report.
Each time you create a custom report, a log view report is automatically created. This report shows the logs that were used to build the custom report. The log view report uses the same name as the custom report, but appends the phrase (Log View) to the report name.
When creating a report group, you can include the log view report with the custom report. For more information, see Manage Report Groups.

Step 4. Select the Scheduled check box to run the report each night. The report is then available for viewing in the Reports column on the side.

Step 5.
Step 6. (Optional) Select the Query Builder attributes if you want to further refine the selection criteria. To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
Connector: Choose the connector (and/or) to precede the expression you are adding.
Negate: Select the check box to interpret the query as a negation. If, for example, you choose to match entries in the last 24 hours and/or originating from the untrust zone, the negate option causes a match on entries that are not in the past 24 hours and/or are not from the untrust zone.
Attribute: Choose a data element. The available options depend on the choice of database.
Operator: Choose the criterion to determine whether the attribute applies (such as =). The available options depend on the choice of database.
Value: Specify the attribute value to match.
For example, the following figure (based on the Traffic Log database) shows a query that matches if the Traffic log entry was received in the past 24 hours and is from the untrust zone.

Step 7. To test the report settings, select Run Now. Modify the settings as required to change the information that is displayed in the report.

Step 8. Click OK to save the custom report.
Examples of Custom Reports

Suppose you want to set up a simple report in which you use the traffic summary database from the last 30 days, sort the data by the top 10 sessions, and group these sessions into 5 groups by day of the week. You would set up the custom report to look like this:

And the PDF output for the report would look as follows:
Now, if you want to use the query builder to generate a custom report that represents the top consumers of network resources within a user group, you would set up the report to look like this:

The report would display the top users in the product management user group sorted by bytes.
Generate Botnet Reports

The botnet report enables you to use heuristic and behavior-based mechanisms to identify potential malware- or botnet-infected hosts in your network. To evaluate botnet activity and infected hosts, the firewall correlates user and network activity data in Threat, URL, and Data Filtering logs with the list of malware URLs in PAN-DB, known dynamic DNS domain providers, and domains registered within the last 30 days. You can configure the report to identify hosts that visited those sites, as well as hosts that communicated with Internet Relay Chat (IRC) servers or that used unknown applications. Malware often uses dynamic DNS to avoid IP blacklisting, while IRC servers often use bots for automated functions.

The firewall requires Threat Prevention and URL Filtering licenses to use the botnet report.

You can Use the Automated Correlation Engine to monitor suspicious activities based on additional indicators besides those that the botnet report uses. However, the botnet report is the only tool that uses newly registered domains as an indicator.

Configure a Botnet Report
Interpret Botnet Report Output

Configure a Botnet Report

You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet reports every 24 hours because behavior-based detection requires correlating traffic across multiple logs over that time frame.
Configure a Botnet Report

Step 1. Define the types of traffic that indicate possible botnet activity.
1.
2. Enable and define the Count for each type of HTTP Traffic that the report will include.
The Count values represent the minimum number of events of each traffic type that must occur for the report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If the number of events is less than the Count, the report will display a lower confidence score or (for certain traffic types) won't display an entry for the host. For example, if you set the Count to three for Malware URL visit, then hosts that visit three or more known malware URLs will have higher scores than hosts that visit fewer than three. For details, see Interpret Botnet Report Output.
3. Define the thresholds that determine whether the report will include hosts associated with traffic involving Unknown TCP or Unknown UDP applications.
4. Select the IRC check box to include traffic involving IRC servers.
5. Click OK to save the report configuration.

Step 2. Schedule the report or run it on demand.
1. Click Report Setting on the right side of the page.
2.
3.
4. (Optional) Add queries to the Query Builder to filter the report output by attributes such as source/destination IP addresses, users, or zones.
For example, if you know in advance that traffic initiated from the IP address 10.3.3.15 contains no potential botnet activity, you can add not (addr.src in 10.0.1.35) as a query to exclude that host from the report output. For details, see Interpret Botnet Report Output.
5. Select Scheduled to run the report daily or click Run Now to run the report immediately.
6. Click OK and Commit.
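The filter expressions this guide uses, both in Filter Logs (Step 2, e.g. ( dstloc eq "IN" )) and in the botnet report's Query Builder above (not (addr.src in ...)), can be evaluated offline against exported log rows. The following Python is an added example written for this page, not PAN-OS code: it parses a small assumed subset of the filter syntax (eq, neq, in, has, and, or, not, parentheses) and applies it to constructed sample entries; the field names, the CIDR semantics of in, and the reserved-word check that reproduces the page's quoting caveat are all assumptions modelled on the syntax the page shows.

```python
import ipaddress
import re
from typing import Callable, Dict, List

# Constructed sample Traffic log entries (not real firewall data); the keys
# mirror the filter field names the page shows: addr.src, dstloc, app.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"addr.src": "10.0.0.25", "dstloc": "IN", "app": "web-browsing"},
    {"addr.src": "10.0.1.35", "dstloc": "IN", "app": "ssl"},
    {"addr.src": "10.3.3.15", "dstloc": "US", "app": "web-browsing"},
    {"addr.src": "192.168.5.9", "dstloc": "DE", "app": "dns"},
]
KEYWORDS = {"and", "or", "not", "eq", "neq", "in", "has"}  # assumed reserved words
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')  # parens, quoted strings, words
Pred = Callable[[Dict[str, str]], bool]


def compare(field: str, op: str, value: str) -> Pred:
    """Build one comparison; 'in' does CIDR matching when the value is an address."""
    if op == "in":
        try:
            net = ipaddress.ip_network(value, strict=False)
            return lambda e: field in e and ipaddress.ip_address(e[field]) in net
        except ValueError:
            pass  # not an address: fall through to substring matching below
    if op == "eq":
        return lambda e: e.get(field) == value
    if op == "neq":
        return lambda e: e.get(field) != value
    if op in ("in", "has"):
        return lambda e: value in e.get(field, "")
    raise ValueError(f"unknown operator {op!r}")


class FilterParser:
    """Recursive descent: or-expr > and-expr > not / ( ) > field op value."""

    def __init__(self, text: str) -> None:
        self.tokens = TOKEN_RE.findall(text)
        self.pos = 0

    def _peek(self) -> str:
        return self.tokens[self.pos].lower() if self.pos < len(self.tokens) else ""

    def _next(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def parse(self) -> Pred:
        pred = self._or()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return pred

    def _or(self) -> Pred:
        left = self._and()
        while self._peek() == "or":
            self._next()
            left = (lambda l, r: lambda e: l(e) or r(e))(left, self._and())
        return left

    def _and(self) -> Pred:
        left = self._unary()
        while self._peek() == "and":
            self._next()
            left = (lambda l, r: lambda e: l(e) and r(e))(left, self._unary())
        return left

    def _unary(self) -> Pred:
        if self._peek() == "not":
            self._next()
            inner = self._unary()
            return lambda e: not inner(e)
        if self._peek() == "(":
            self._next()
            inner = self._or()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return inner
        field, op, raw = self._next(), self._next().lower(), self._next()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            return compare(field, op, raw[1:-1])
        if raw.lower() in KEYWORDS:
            # The syntax error the page warns about: a bare value such as IN
            # collides with the 'in' operator, so the value must be quoted.
            raise ValueError(f"value {raw!r} is a reserved word; quote it")
        return compare(field, op, raw)


def apply_filter(text: str, entries: List[Dict[str, str]] = SAMPLE_LOGS) -> List[str]:
    """Source addresses of the entries matching a PAN-OS-style filter, in log order."""
    pred = FilterParser(text).parse()
    return [e["addr.src"] for e in entries if pred(e)]


def is_syntax_error(text: str) -> bool:
    """True when the parser rejects the filter (e.g. an unquoted reserved word)."""
    try:
        return FilterParser(text).parse() is None
    except ValueError:
        return True
```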
Interpret Botnet Report Output

The botnet report displays a line for each host that is associated with traffic you defined as suspicious when configuring the report. For each host, the report displays a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. The scores correspond to threat severity levels: 1 is informational, 2 is low, 3 is medium, 4 is high, and 5 is critical. The firewall bases the scores on:

Traffic type: Certain HTTP traffic types are more likely to involve botnet activity. For example, the report assigns a higher confidence to hosts that visit known malware URLs than to hosts that browse to IP domains instead of URLs, assuming you defined both those activities as suspicious.
Number of events: Hosts that are associated with a higher number of suspicious events will have higher confidence scores based on the thresholds (Count values) you define when you Configure a Botnet Report.

Executable downloads: The report assigns a higher confidence to hosts that download executable files. Executable files are a part of many infections and, when combined with the other types of suspicious traffic, can help you prioritize your investigations of compromised hosts.

When reviewing the report output, you might find that the sources the firewall uses to evaluate botnet activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find that these sources identify traffic that you consider safe. To compensate in both cases, you can add query filters when you Configure a Botnet Report.
Generate the SaaS Application Usage Report

The SaaS Application Usage PDF report is a two-part report that is based on the notion of sanctioned and unsanctioned applications. A sanctioned application is an application that you formally approve for use on your network; a SaaS application is an application that has the characteristic SaaS=yes in the application details page in Objects > Applications, and all other applications are considered non-SaaS. To indicate that you have sanctioned a SaaS or non-SaaS application, you must tag it with the new predefined tag named Sanctioned. The firewall and Panorama consider any application without this predefined tag as unsanctioned for use on the network.

The first part of the report (8 pages) focuses on the SaaS applications used on your network during the reporting period. It presents a comparison of sanctioned versus unsanctioned SaaS applications by total number of applications used on your network, bandwidth consumed by these applications, and the number of users using these applications. This first part of the report also highlights the top SaaS application subcategories listed in order by maximum number of applications used, the number of users, and the amount of data (bytes) transferred in each application subcategory.

The second part of the report focuses on the detailed browsing information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. For each application in a subcategory, it also includes information about the top users who transferred data, the top blocked or alerted file types, and the top threats for each application. In addition, this section of the report tallies samples for each application that the firewall submitted for WildFire analysis, and the number of samples determined to be benign and malicious.

Use the insights from this report to consolidate the list of business-critical and approved SaaS applications and to enforce policies for controlling unsanctioned applications that pose an unnecessary risk for malware propagation and data leaks.

The predefined SaaS application usage report introduced in PAN-OS 7.0 is still available as a daily report that lists the top 100 SaaS applications (with the SaaS application characteristic, SaaS=yes) running on your network on a given day.
Generate the SaaS Application Usage Report

Step 1. Tag applications that you approve for use on your network as Sanctioned.
The accuracy of the report depends on whether you have tagged an application as Sanctioned. You can tag both SaaS and non-SaaS applications as Sanctioned; the detailed browsing section of the SaaS Application Usage report displays whether the application is SaaS and whether it is sanctioned.
1.
2.
3.
4. Click OK and Close to exit all open dialogs.

Step 2. Configure the SaaS Application Usage report.
1.
2. Click Add, enter a Name, and select a Time Period for the report (default is Last 7 Days).
By default, the report includes detailed information on the top SaaS and non-SaaS application subcategories, which can make the report large by page count and file size. Clear the Include detailed application category information in report check box if you want to reduce the file size and restrict the page count to eight pages.
3. To generate the report on demand, click Run Now. Make sure that the pop-up blocker is disabled on your browser because the report opens in a new tab.
4. Click OK to save your changes.

Step 3. Schedule Reports for Email Delivery.
On the PA-200, PA-500, and PA-2000 Series firewalls, the SaaS Application Usage report is not sent as a PDF attachment in the email. Instead, the email includes a link that you must click to open the report in a web browser.
Manage PDF Summary Reports

PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each category (instead of top 50). They also contain trend charts that are not available in other reports.
Generate PDF Summary Reports

Step 1.
1.
2. Click Add and then enter a Name for the report.
3. Use the drop-down for each report group and select one or more of the elements to design the PDF Summary Report. You can include a maximum of 18 report elements.
To remove an element from the report, click the x icon or clear the selection from the drop-down for the appropriate report group.
To rearrange the reports, drag and drop the element icons to another area of the report.
4. Click OK to save the report.
5. Commit the changes.
Step 2. View the report.
To download and view the PDF Summary Report, see View Reports.
Generate User/Group Activity Reports
User/Group Activity reports summarize the web activity of individual users or user groups. Both reports include the same information except for the Browsing Summary by URL Category and Browse time calculations, which only the User Activity report includes.
You must configure User-ID on the firewall to access the list of users and user groups.

Generate User/Group Activity Reports
Step 1 Configure the browse times and number of logs for User/Group Activity reports.
Required only if you want to change the default values.
1.
2.
3.
4.
5. Click OK to save your changes.
Step 2 Generate the User/Group Activity report.
1.
2. Click Add and then enter a Name for the report.
3. Create the report:
User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user.
Group Activity Report: Select Group and select the Group Name of the user group.
4. Select the Time Period for the report.
5.
6. To run the report on demand, click Run Now.
7. To save the report configuration, click OK. You can't save the output of User/Group Activity reports on the firewall. To schedule the report for email delivery, see Schedule Reports for Email Delivery.
Manage Report Groups
Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included.

Set up Report Groups
Step 1 Set up report groups.
You must set up a Report Group to email report(s).
1. Create an Email server profile.
2. Define the Report Group. A report group can compile predefined reports, PDF Summary reports, custom reports, and Log View report into a single PDF.
a. Select Monitor > Report Group.
b. Click Add and then enter a Name for the report group.
c. (Optional) Select Title Page and add a Title for the PDF output.
d. Select reports from the left column and click Add to move each report to the report group on the right.
The Log View report is a report type that is automatically created each time you create a custom report and uses the same name as the custom report. This report will show the logs that were used to build the contents of the custom report.
To include the log view data, when creating a report group, add your custom report under the Custom Reports list and then add the log view report by selecting the matching report name from the Log View list. The report will include the custom report data and the log data that was used to create the custom report.
e. Click OK to save the settings.
f. To use the report group, see Schedule Reports for Email Delivery.
Schedule Reports for Email Delivery
Reports can be scheduled for daily delivery or delivered weekly on a specified day. Scheduled reports are executed starting at 2:00 AM, and email delivery starts after all scheduled reports have been generated.

Schedule Reports for Email Delivery
Step 1
Step 2 Enter a Name to identify the schedule.
Step 3 Select the Report Group for email delivery. To set up a report group, see Manage Report Groups.
Step 4
Step 5 Select the frequency at which to generate and send the report in Recurrence.
Step 6
Step 7 Click OK and Commit.
Use External Services for Monitoring
Using an external service to monitor the firewall enables you to receive alerts for important events, archive monitored information on systems with dedicated long-term storage, and integrate with third-party security monitoring tools. The following are some common scenarios for using external services:
For immediate notification about important system events or threats, you can Monitor Statistics Using SNMP, Forward Traps to an SNMP Manager, or Configure Email Alerts.
For long-term log storage and centralized firewall monitoring, you can Configure Syslog Monitoring to send log data to a syslog server. This enables integration with third-party security monitoring tools such as Splunk! or ArcSight.
For monitoring statistics on the IP traffic that traverses firewall interfaces, you can Configure NetFlow Exports to view the statistics in a NetFlow collector.
You can Configure Log Forwarding from the firewalls directly to external services or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.
You can't aggregate NetFlow records on Panorama; you must send them directly from the firewalls to a NetFlow collector.
Configure Log Forwarding
To use Panorama or Use External Services for Monitoring the firewall, you must configure the firewall to forward its logs. Before forwarding to external services, the firewall automatically converts the logs to the necessary format: syslog messages, SNMP traps, or email notifications. Before starting this procedure, ensure that Panorama or the external server that will receive the log data is already set up.
The PA-7000 Series firewall can't forward logs to Panorama, only to external services. However, when you use Panorama to monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the PA-7000 Series firewall in real time to display its log data.
You can forward logs from the firewalls directly to external services or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the PA-7000 Series firewall, it does not support these options. You can also use the web interface on all platforms to Manage Reporting, but only on a per log type basis, not the entire log database.

Configure Log Forwarding
Step 1 Configure a server profile for each external service that will receive log data.
You can use separate profiles to send each log type to a different server. To increase availability, define multiple servers in a single profile.
Create an Email server profile.
Configure an SNMP Trap server profile. To enable the SNMP manager (trap server) to interpret firewall traps, you must load the Palo Alto Networks Supported MIBs into the SNMP manager and, if necessary, compile them. For details, refer to your SNMP management software documentation.
Configure a Syslog server profile. If the syslog server requires client authentication, you must also Create a certificate to secure syslog communication over SSL.
Step 2 Create a log forwarding profile.
The profile defines the destinations for Traffic, Threat, and WildFire Submission logs. (Threat logs include URL Filtering and Data Filtering logs.)
1.
2.
3.
Step 3 Assign the log forwarding profile to security rules.
To trigger log generation and forwarding, the rules require certain Security Profiles according to log type:
Traffic logs: No security profile is necessary; the traffic only needs to match a specific security rule.
Threat logs: The traffic must match any security profile assigned to a security rule.
WildFire logs: The traffic must match a WildFire Analysis profile assigned to a security rule.
Perform the following steps for each rule that will trigger log forwarding:
1.
2. Select the Actions tab and select the Log Forwarding profile you just created.
3. In the Profile Type drop-down, select Profiles or Group, and then select the security profiles or Group Profile required to trigger log generation and forwarding.
4.
Step 4 Configure the destinations for System, Config, HIP Match, and Correlation logs.
1.
2.
Step 5 (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.
1.
2.
3.
4.
5.
6. Click OK to save your changes.
Step 6 Commit and verify your changes.
1. Click Commit to complete the log forwarding configuration.
2. Verify the log destinations you configured are receiving firewall logs:
Panorama: If the firewall forwards logs to an M-Series appliance, you must configure a Collector Group before Panorama will receive the logs. You can then verify log forwarding.
Email server: Verify that the specified recipients are receiving logs as email notifications.
Syslog server: Refer to the documentation for your syslog server to verify it is receiving logs as syslog messages.
SNMP manager: Use an SNMP Manager to Explore MIBs and Objects to verify it is receiving logs as SNMP traps.
Configure Email Alerts
You can configure email alerts for System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs.

Configure Email Alerts
Step 1 Create an Email server profile.
You can use separate profiles to send email notifications for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
1.
2. Click Add and then enter a Name for the profile.
3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
4. For each Simple Mail Transport Protocol (SMTP) server (email server), click Add and define the following information:
Name: Name to identify the SMTP server (1-31 characters). This field is just a label and doesn't have to be the host name of an existing email server.
Email Display Name: The name to show in the From field of the email.
From: The email address from which the firewall sends emails.
To: The email address to which the firewall sends emails.
Additional Recipient: If you want to send emails to a second account, enter the address here. You can add only one additional recipient. For multiple recipients, add the email address of a distribution list.
Email Gateway: The IP address or host name of the SMTP gateway to use for sending emails.
5.
6. Click OK to save the Email server profile.
Step 2 Configure email alerts for Traffic, Threat, and WildFire Submission logs.
1. Create a log forwarding profile.
a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
b. For each log type and each severity level or WildFire verdict, select the Email server profile and click OK.
2. Assign the log forwarding profile to security rules.
Step 3 Configure email alerts for System, Config, HIP Match, and Correlation logs.
1. Select Device > Log Settings.
2. For System and Correlation logs, click each Severity level, select the Email server profile, and click OK.
3. For Config and HIP Match logs, edit the section, select the Email server profile, and click OK.
4. Click Commit.
Use Syslog for Monitoring
Syslog is a standard log transport mechanism that enables the aggregation of log data from different network devices such as routers, firewalls, printers from different vendors into a central repository for archiving, analysis, and reporting. Palo Alto Networks firewalls can forward every type of log they generate to an external syslog server. You can use TCP or SSL for reliable and secure log forwarding, or UDP for non-secure forwarding.
Configure Syslog Monitoring
Syslog Field Descriptions

Configure Syslog Monitoring
To Use Syslog for Monitoring a Palo Alto Networks firewall, create a Syslog server profile and assign it to the log settings for each log type. Optionally, you can configure the header format used in syslog messages and enable client authentication for syslog over SSL.

Configure Syslog Monitoring
Step 1 Configure a Syslog server profile.
You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
1.
2. Click Add and enter a Name for the profile.
3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
4. For each syslog server, click Add and enter the information that the firewall requires to connect to it:
Name: Unique name for the server profile.
Syslog Server: IP address or fully qualified domain name (FQDN) of the syslog server.
Transport: Select TCP, UDP, or SSL as the method of communication with the syslog server.
Port: The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
Format: Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL.
Facility: Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
5. (Optional) To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
6. Click OK to save the server profile.
Step 2 Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.
1. Create a log forwarding profile.
a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
b. For each log type and each severity level or WildFire verdict, select the Syslog server profile and click OK.
2. Assign the log forwarding profile to security rules.
Step 3 Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.
1. Select Device > Log Settings.
2. For System and Correlation logs, click each Severity level, select the Syslog server profile, and click OK.
3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog server profile, and click OK.
Step 4 (Optional) Configure the header format of syslog messages.
The log data includes the unique identifier of the firewall that generated the log. Choosing the header format provides more flexibility in filtering and reporting on the log data for some Security Information and Event Management (SIEM) servers.
This is a global setting and applies to all syslog server profiles configured on the firewall.
1.
2.
3.
Step 5 Create a certificate to secure syslog communication over SSL.
Required only if the syslog server uses client authentication. The syslog server uses the certificate to verify that the firewall is authorized to communicate with the syslog server.
Ensure the following conditions are met:
The private key must be available on the sending firewall; the keys can't reside on a Hardware Security Module (HSM).
The subject and the issuer for the certificate must not be identical.
The syslog server and the sending firewall must have certificates that the same trusted certificate authority (CA) signed. Alternatively, you can generate a self-signed certificate on the firewall, export the certificate from the firewall, and import it into the syslog server.
1.
2. Enter a Name for the certificate.
3. In the Common Name field, enter the IP address of the firewall sending logs to the syslog server.
4. In Signed by, select the trusted CA or the self-signed CA that the syslog server and the sending firewall both trust.
The certificate can't be a Certificate Authority nor an External Authority (certificate signing request [CSR]).
5. Click Generate. The firewall generates the certificate and key pair.
6. Click the certificate Name to edit it, select the Certificate for Secure Syslog check box, and click OK.
Step 6 Commit your changes and review the logs on the syslog server.
1. Click Commit.
2. To review the logs, refer to the documentation of your syslog management software. You can also review the Syslog Field Descriptions.
Syslog Field Descriptions
The following topics list the standard fields of each log type that Palo Alto Networks firewalls can forward to an external server, as well as the severity levels, custom formats, and escape sequences. To facilitate parsing, the delimiter is a comma: each field is a comma-separated value (CSV) string. The FUTURE_USE tag applies to fields that the firewalls do not currently implement.
WildFire Submission logs are a subtype of Threat log and use the same syslog format.
Traffic Logs
Threat Logs
HIP Match Logs
Config Logs
System Logs
Correlated Events (Logs)
Custom Log/Event Format
Escape Sequences
Traffic Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source

Field Name
Description
Receive Time (receive_time)
Time the log was received at the management plane
Serial Number (serial)
Serial number of the firewall that generated the log
Type (type)
Specifies type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype)
Subtype of traffic log; values are start, end, drop, and deny
start: session started
end: session ended
drop: session dropped before the application is identified and there is no rule that allows the session.
deny: session dropped after the application is identified and there is a rule to block or no rule that allows the session.
Generated Time (time_generated)
Time the log was generated on the dataplane
Source IP (src)
Original session source IP address
Destination IP (dst)
Original session destination IP address
NAT Source IP (natsrc)
If Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst)
If Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule)
Name of the rule that the session matched
Source User (srcuser)
Username of the user who initiated the session
Destination User (dstuser)
Username of the user to which the session was destined
Application (app)
Application associated with the session
Virtual System (vsys)
Virtual System associated with the session
Source Zone (from)
Zone the session was sourced from
Destination Zone (to)
Zone the session was destined to
Ingress Interface (inbound_if)
Interface that the session was sourced from
Egress Interface (outbound_if)
Interface that the session was destined to
Log Forwarding Profile (logset)
Log Forwarding Profile that was applied to the session
Session ID (sessionid)
An internal numerical identifier applied to each session
Repeat Count (repeatcnt)
Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Source Port (sport)
Source port utilized by the session
Destination Port (dport)
Destination port utilized by the session
NAT Source Port (natsport)
Post-NAT source port
NAT Destination Port (natdport)
Post-NAT destination port
Flags (flags)
32-bit field that provides details on session; this field can be decoded by ANDing the values with the logged value:
0x80000000: session has a packet capture (PCAP)
0x02000000: IPv6 session
0x01000000: SSL session was decrypted (SSL Proxy)
0x00800000: session was denied via URL filtering
0x00400000: session has a NAT translation performed (NAT)
0x00200000: user information for the session was captured via the captive portal (Captive Portal)
0x00080000: X-Forwarded-For value from a proxy is in the source user field
0x00040000: log corresponds to a transaction within a http proxy session (Proxy Transaction)
0x00008000: session is a container page access (Container Page)
0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
0x00000800: symmetric return was used to forward traffic for this session
Protocol (proto)
IP protocol associated with the session
Action (action)
Action taken for the session; possible values are:
allow: session was allowed by policy
deny: session was denied by policy
drop: session was dropped silently
drop-icmp: session was silently dropped with an ICMP unreachable message to the host or application
reset-both: session was terminated and a TCP reset is sent to both the sides of the connection
reset-client: session was terminated and a TCP reset is sent to the client
reset-server: session was terminated and a TCP reset is sent to the server
Bytes (bytes)
Number of total bytes (transmit and receive) for the session
Bytes Sent (bytes_sent)
Number of bytes in the client-to-server direction of the session
Available on all models except the PA-4000 Series
Bytes Received (bytes_received)
Number of bytes in the server-to-client direction of the session
Available on all models except the PA-4000 Series
Packets (packets)
Number of total packets (transmit and receive) for the session
Start Time (start)
Time of session start
Elapsed Time (elapsed)
Elapsed time of the session
Category (category)
URL category associated with the session (if applicable)
Sequence Number (seqno)
A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags)
A bit field indicating if the log was forwarded to Panorama
Source Location (srcloc)
Source country or Internal region for private addresses; maximum length is 32 bytes
Destination Location (dstloc)
Destination country or Internal region for private addresses. Maximum length is 32 bytes
Packets Sent (pkts_sent)
Number of client-to-server packets for the session
Available on all models except the PA-4000 Series
Packets Received (pkts_received)
Number of server-to-client packets for the session
Available on all models except the PA-4000 Series
Session End Reason (session_end_reason)
The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
threat: The firewall detected a threat associated with a reset, drop, or block (IP address) action.
policy-deny: The session matched a security rule with a deny or drop action.
decrypt-cert-validation: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
decrypt-unsupport-param: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
decrypt-error: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
tcp-rst-from-client: The client sent a TCP reset to the server.
tcp-rst-from-server: The server sent a TCP reset to the client.
resources-unavailable: The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
tcp-fin: One host or both hosts in the connection sent a TCP FIN message to close the session.
tcp-reuse: A session is reused and the firewall closes the previous session.
decoder: The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
aged-out: The session aged out.
unknown: This value applies in the following situations:
Session terminations that the preceding reasons do not cover (for example, a clear session all command).
For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.
n/a: This value applies when the traffic log type is not end.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
CLI command in configure mode: show readonly dg-meta-data
API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name)
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name)
The hostname of the firewall on which the session was logged.
Action Source (action_source)
Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
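The field list above is what a SIEM parser has to reproduce exactly: the positions are fixed, the FUTURE_USE columns must be skipped rather than dropped, the Flags value is a bitmask, and the four device group levels are zero-padded. The following parser is an added example written for this guide, not Palo Alto Networks code. It takes a BSD-format syslog line as the Syslog server profile (Step 1 of Configure Syslog Monitoring, Format BSD, Facility LOG_USER) would send it, splits the PRI into facility and severity as RFC 3164 defines, maps the CSV body onto the Traffic log field keys, decodes the Flags bits, collapses the device group hierarchy into a path, and runs two sanity checks a defender would want on ingest (per-direction counters add up to the totals; the NAT flag agrees with the NAT address fields). The log line, serial number, hostname, rule and profile names are all constructed sample values, not real data.

```python
"""Parse a PAN-OS 7.1 Traffic log received as a BSD-format syslog message.

Added example, not Palo Alto Networks code. Field order and Flags bit
meanings follow the Traffic Logs field list in this guide; the sample line
below is constructed for illustration only.
"""
import csv
import re
from io import StringIO

# Field order from the "Format:" line of the Traffic Logs section (54 fields).
TRAFFIC_FIELDS = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype", "FUTURE_USE",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "FUTURE_USE", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "bytes", "bytes_sent",
    "bytes_received", "packets", "start", "elapsed", "category", "FUTURE_USE",
    "seqno", "actionflags", "srcloc", "dstloc", "FUTURE_USE", "pkts_sent",
    "pkts_received", "session_end_reason", "dg_hier_level_1",
    "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4", "vsys_name",
    "device_name", "action_source",
]

# Bit meanings from the Flags (flags) field description.
FLAG_BITS = {
    0x80000000: "pcap",
    0x02000000: "ipv6",
    0x01000000: "ssl-decrypted",
    0x00800000: "url-denied",
    0x00400000: "nat",
    0x00200000: "captive-portal",
    0x00080000: "x-forwarded-for",
    0x00040000: "proxy-transaction",
    0x00008000: "container-page",
    0x00002000: "temporary-rule-match",
    0x00000800: "symmetric-return",
}

# RFC 3164 (BSD) header: <PRI>Mmm dd hh:mm:ss hostname <body>
BSD_HEADER = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

# Constructed sample: PRI 14 = facility 1 (LOG_USER), severity 6 (info).
SAMPLE_LINE = (
    "<14>May 19 10:21:33 PA-3020-EDGE "
    "1,2016/05/19 10:21:33,001606000000,TRAFFIC,end,1,2016/05/19 10:21:33,"
    "10.1.10.25,203.0.113.7,198.51.100.2,0.0.0.0,allow-web-out,corp\\jdoe,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,"
    "2016/05/19 10:21:33,41257,1,52114,443,18922,443,0x1400000,tcp,allow,"
    "18342,3210,15132,41,2016/05/19 10:20:58,35,computer-and-internet-info,0,"
    "1012443,0x0,10.0.0.0-10.255.255.255,US,0,19,22,tcp-fin,12,34,45,0,vsys1,"
    "PA-3020-EDGE,from-policy"
)


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity): PRI = facility * 8 + severity."""
    return pri >> 3, pri & 7


def decode_flags(value):
    """Return the names of every Flags bit set in the logged value (hex or decimal)."""
    flags = int(value, 0)
    return [name for bit, name in FLAG_BITS.items() if flags & bit]


def device_group_path(record):
    """Device group ids from the top-level ancestor down to the firewall's own group; 0 is padding."""
    ids = [int(record["dg_hier_level_%d" % i]) for i in range(1, 5)]
    return [i for i in ids if i != 0]


def counters_consistent(record):
    """The per-direction byte and packet counters must add up to the session totals."""
    bytes_ok = int(record["bytes"]) == int(record["bytes_sent"]) + int(record["bytes_received"])
    pkts_ok = int(record["packets"]) == int(record["pkts_sent"]) + int(record["pkts_received"])
    return bytes_ok and pkts_ok


def nat_flag_consistent(record):
    """If the NAT flag is set, at least one post-NAT address must differ from the original."""
    if "nat" not in record["flag_names"]:
        return True
    return record["natsrc"] != record["src"] or record["natdst"] != record["dst"]


def parse_traffic_syslog(line):
    """Parse one BSD syslog line carrying a Traffic log into a dict keyed by the guide's field names."""
    m = BSD_HEADER.match(line)
    if not m:
        raise ValueError("not a BSD-format syslog line")
    facility, severity = decode_pri(int(m.group(1)))
    fields = next(csv.reader(StringIO(m.group(4))))
    if len(fields) != len(TRAFFIC_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(TRAFFIC_FIELDS), len(fields)))
    # FUTURE_USE columns are consumed positionally but not kept.
    record = {k: v for k, v in zip(TRAFFIC_FIELDS, fields) if k != "FUTURE_USE"}
    record["syslog_facility"] = facility
    record["syslog_severity"] = severity
    record["syslog_host"] = m.group(3)
    record["flag_names"] = decode_flags(record["flags"])
    record["dg_path"] = device_group_path(record)
    return record


if __name__ == "__main__":
    rec = parse_traffic_syslog(SAMPLE_LINE)
    for key in ("syslog_host", "type", "subtype", "src", "dst", "app", "action",
                "flag_names", "session_end_reason", "dg_path"):
        print("%-20s %s" % (key, rec[key]))
    print("counters consistent:", counters_consistent(rec))
    print("nat flag consistent:", nat_flag_consistent(rec))
```

The length check is deliberate: a line with the wrong field count is more likely a truncated or differently formatted message (IETF header, a different log type, or a Custom Log Format) than a valid Traffic log, and silently mapping it would put values under the wrong keys. Threat logs share the first 31 columns with Traffic logs but diverge after Action, so they need their own field list rather than this one.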
ThreatLogs
Format:FUTURE_USE,ReceiveTime,SerialNumber,Type,Subtype,FUTURE_USE,GeneratedTime,Source
IP,DestinationIP,NATSourceIP,NATDestinationIP,RuleName,SourceUser,DestinationUser,
Application,VirtualSystem,SourceZone,DestinationZone,IngressInterface,EgressInterface,Log
ForwardingProfile,FUTURE_USE,SessionID,RepeatCount,SourcePort,DestinationPort,NATSource
Port,NATDestinationPort,Flags,Protocol,Action,Miscellaneous,ThreatID,Category,Severity,Direction,
SequenceNumber,ActionFlags,SourceLocation,DestinationLocation,FUTURE_USE,ContentType,
PCAP_id,Filedigest,Cloud,URLIndex,UserAgent,FileType,XForwardedFor,Referer,Sender,Subject,
Recipient,ReportID,DeviceGroupHierarchyLevel 1,DeviceGroupHierarchyLevel2,DeviceGroup
HierarchyLevel3,DeviceGroupHierarchyLevel 4,VirtualSystemName,DeviceName,FUTURE_USE,
FieldName
Description
ReceiveTime(receive_time)
Timethelogwasreceivedatthemanagementplane
SerialNumber(serial)
Serialnumberofthefirewallthatgeneratedthelog
Type(type)
Specifiestypeoflog;valuesaretraffic,threat,config,systemandhipmatch
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 335
UseSyslogforMonitoring
Monitoring
FieldName
Description
Subtype(subtype)
Subtypeofthreatlog.Valuesincludethefollowing:
dataDatapatternmatchingaDataFilteringprofile.
fileFiletypematchingaFileBlockingprofile.
floodFlooddetectedviaaZoneProtectionprofile.
packetPacketbasedattackprotectiontriggeredbyaZoneProtectionprofile.
scanScandetectedviaaZoneProtectionprofile.
spywareSpywaredetectedviaanAntiSpywareprofile.
urlURLfilteringlog.
virusVirusdetectedviaanAntivirusprofile.
vulnerabilityVulnerabilityexploitdetectedviaaVulnerabilityProtectionprofile.
wildfireAWildFireverdictgeneratedwhenthefirewallsubmitsafiletoWildFire
peraWildFireAnalysisprofileandaverdict(malicious,grayware,orbenign,
dependingonwhatyouarelogging)isloggedintheWildFireSubmissionslog.
wildfirevirusVirusdetectedviaanAntivirusprofile.
GeneratedTime
(time_generated)
Timethelogwasgeneratedonthedataplane
SourceIP(src)
OriginalsessionsourceIPaddress
DestinationIP(dst)
OriginalsessiondestinationIPaddress
NATSourceIP(natsrc)
IfsourceNATperformed,thepostNATsourceIPaddress
NATDestinationIP(natdst)
IfdestinationNATperformed,thepostNATdestinationIPaddress
RuleName(rule)
Nameoftherulethatthesessionmatched
SourceUser(srcuser)
Usernameoftheuserwhoinitiatedthesession
DestinationUser(dstuser)
Usernameoftheusertowhichthesessionwasdestined
Application(app)
Applicationassociatedwiththesession
VirtualSystem(vsys)
VirtualSystemassociatedwiththesession
SourceZone(from)
Zonethesessionwassourcedfrom
DestinationZone(to)
Zonethesessionwasdestinedto
IngressInterface
(inbound_if)
Interfacethatthesessionwassourcedfrom
EgressInterface
(outbound_if)
Interfacethatthesessionwasdestinedto
LogForwardingProfile
(logset)
LogForwardingProfilethatwasappliedtothesession
SessionID(sessionid)
Aninternalnumericalidentifierappliedtoeachsession
RepeatCount(repeatcnt)
NumberofsessionswithsameSourceIP,DestinationIP,Application,andSubtype
seenwithin5seconds;usedforICMPonly
SourcePort(sport)
Sourceportutilizedbythesession
DestinationPort(dport)
Destinationportutilizedbythesession
336 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
Monitoring
UseSyslogforMonitoring
FieldName
Description
NATSourcePort(natsport)
PostNATsourceport
NATDestinationPort
(natdport)
PostNATdestinationport
Flags(flags)
32bitfieldthatprovidesdetailsonsession;thisfieldcanbedecodedbyANDingthe
valueswiththeloggedvalue:
0x80000000sessionhasapacketcapture(PCAP)
0x02000000IPv6session
0x01000000SSLsessionwasdecrypted(SSLProxy)
0x00800000sessionwasdeniedviaURLfiltering
0x00400000sessionhasaNATtranslationperformed(NAT)
0x00200000userinformationforthesessionwascapturedviathecaptiveportal
(CaptivePortal)
0x00080000XForwardedForvaluefromaproxyisinthesourceuserfield
0x00040000logcorrespondstoatransactionwithinahttpproxysession(Proxy
Transaction)
0x00008000sessionisacontainerpageaccess(ContainerPage)
0x00002000sessionhasatemporarymatchonaruleforimplicitapplication
dependencyhandling.AvailableinPANOS5.0.0andabove
0x00000800symmetricreturnwasusedtoforwardtrafficforthissession
Protocol(proto)
IPprotocolassociatedwiththesession
Action(action)
Actiontakenforthesession;valuesarealert,allow,deny,drop,dropallpackets,
resetclient,resetserver,resetboth,blockurl.
AlertthreatorURLdetectedbutnotblocked
Allowflooddetectionalert
Denyflooddetectionmechanismactivatedanddenytrafficbasedon
configuration
Dropthreatdetectedandassociatedsessionwasdropped
Dropallpacketsthreatdetectedandsessionremains,butdropsallpackets
ResetclientthreatdetectedandaTCPRSTissenttotheclient
ResetserverthreatdetectedandaTCPRSTissenttotheserver
ResetboththreatdetectedandaTCPRSTissenttoboththeclientandthe
server
BlockurlURLrequestwasblockedbecauseitmatchedaURLcategorythatwas
settobeblocked
Miscellaneous(misc)
Fieldwithvariablelengthwithamaximumof1023characters
TheactualURIwhenthesubtypeisURL
Filenameorfiletypewhenthesubtypeisfile
Filenamewhenthesubtypeisvirus
FilenamewhenthesubtypeisWildFire
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 337
UseSyslogforMonitoring
Monitoring
FieldName
Description
ThreatID(threatid)
PaloAltoNetworksidentifierforthethreat.Itisadescriptionstringfollowedbya
64bitnumericalidentifierinparenthesesforsomeSubtypes:
80008099scandetection
85008599flooddetection
9999URLfilteringlog
1000019999sypwarephonehomedetection
2000029999spywaredownloaddetection
3000044999vulnerabilityexploitdetection
5200052999filetypedetection
6000069999datafilteringdetection
1000002999999virusdetection
30000003999999WildFiresignaturefeed
40000004999999DNSBotnetsignatures
Category(category)
ForURLSubtype,itistheURLCategory;ForWildFiresubtype,itistheverdictonthe
fileandiseithermalicious,grayware,orbenign;Forothersubtypes,thevalueis
any.
Severity(severity)
Severityassociatedwiththethreat;valuesareinformational,low,medium,high,
critical
Direction(direction)
Indicatesthedirectionoftheattack,clienttoserverorservertoclient:
0directionofthethreatisclienttoserver
1directionofthethreatisservertoclient
SequenceNumber(seqno)
A64bitlogentryidentifierincrementedsequentially.Eachlogtypehasaunique
numberspace.ThisfieldisnotsupportedonPA7000Seriesfirewalls.
ActionFlags(actionflags)
AbitfieldindicatingifthelogwasforwardedtoPanorama.
SourceLocation(srcloc)
SourcecountryorInternalregionforprivateaddresses.Maximumlengthis32bytes.
DestinationLocation(dstloc)
DestinationcountryorInternalregionforprivateaddresses.Maximumlengthis32
bytes.
ContentType(contenttype)
ApplicableonlywhenSubtypeisURL.
ContenttypeoftheHTTPresponsedata.Maximumlength32bytes.
PCAPID(pcap_id)
Thepacketcapture(pcap)IDisa64bitunsignedintegraldenotinganIDtocorrelate
threatpcapfileswithextendedpcapstakenasapartofthatflow.Allthreatlogswill
containeitherapcap_idof0(noassociatedpcap),oranIDreferencingtheextended
pcapfile.
FileDigest(filedigest)
OnlyforWildFiresubtype;allothertypesdonotusethisfield
Thefiledigeststringshowsthebinaryhashofthefilesenttobeanalyzedbythe
WildFireservice.
Cloud(cloud)
OnlyforWildFiresubtype;allothertypesdonotusethisfield.
ThecloudstringdisplaystheFQDNofeithertheWildFireappliance(private)orthe
WildFirecloud(public)fromwherethefilewasuploadedforanalysis.
338 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
Monitoring
UseSyslogforMonitoring
FieldName
Description
URL Index (url_idx): Used in the URL Filtering and WildFire subtypes. When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session.
For example, to learn the URL of a file that the firewall forwarded to WildFire for analysis, locate the session ID and the url_idx from the WildFire Submissions log and search for the same session ID and url_idx in your URL Filtering logs. The log entry that matches the session ID and url_idx will contain the URL of the file that was forwarded to WildFire.

User Agent (user_agent): Only for the URL Filtering subtype; all other types do not use this field. The User-Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer. This information is sent in the HTTP request to the server.

File Type (filetype): Only for the WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.

X-Forwarded-For (xff): Only for the URL Filtering subtype; all other types do not use this field. The X-Forwarded-For field in the HTTP header contains the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is useful particularly if you have a proxy server on your network that replaces the user IP address with its own address in the source IP address field of the packet header.

Referer (referer): Only for the URL Filtering subtype; all other types do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.

Note that User-Agent, X-Forwarded-For and Referer are copied from headers the client sent, so they are only as trustworthy as the client or proxy that set them; treat them as supporting evidence, not as an authenticated identity.

Sender (sender): Only for the WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Subject (subject): Only for the WildFire subtype; all other types do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Recipient (recipient): Only for the WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Report ID (reportid): Only for the WildFire subtype; all other types do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
CLI command in configure mode: show readonly dg-meta-data
API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name): The hostname of the firewall on which the session was logged.
HIP Match Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source User, Virtual System, Machine Name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Receive Time (receive_time): Time the log was received at the management plane.

Serial Number (serial): Serial number of the firewall that generated the log.

Type (type): Type of log; values are traffic, threat, config, system and hipmatch.

Subtype (subtype): Subtype of HIP Match log; unused.

Generated Time (time_generated): Time the log was generated on the dataplane.

Source User (srcuser): Username of the user who initiated the session.

Virtual System (vsys): Virtual system associated with the HIP Match log.

Machine Name (machinename): Name of the user's machine.

OS: The operating system installed on the user's machine or device (or on the client system).

Source Address (src): IP address of the source user.

HIP (matchname): Name of the HIP object or profile.

Repeat Count (repeatcnt): Number of times the HIP profile matched.

HIP Type (matchtype): Whether the HIP field represents a HIP object or a HIP profile.

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
CLI command in configure mode: show readonly dg-meta-data
API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name): The hostname of the firewall on which the session was logged.
Config Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail, After Change Detail, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Receive Time (receive_time): Time the log was received at the management plane.

Serial Number (serial): Serial number of the device that generated the log.

Type (type): Type of log; values are traffic, threat, config, system and hipmatch.

Subtype (subtype): Subtype of configuration log; unused.

Generated Time (time_generated): Time the log was generated on the dataplane.

Host (host): Hostname or IP address of the client machine.

Virtual System (vsys): Virtual system associated with the configuration log.

Command (cmd): Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.

Admin (admin): Username of the administrator performing the configuration.

Client (client): Client used by the administrator; values are Web and CLI.

Result (result): Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized.

Configuration Path (path): The path of the configuration command issued; up to 512 bytes in length.

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.

Before Change Detail (before_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.

After Change Detail (after_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
CLI command in configure mode: show readonly dg-meta-data
API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name): The hostname of the firewall on which the session was logged.
System Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Receive Time (receive_time): Time the log was received at the management plane.

Serial Number (serial): Serial number of the firewall that generated the log.

Type (type): Type of log; values are traffic, threat, config, system and hipmatch.

Subtype (subtype): Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, globalprotect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.

Generated Time (time_generated): Time the log was generated on the dataplane.

Virtual System (vsys): Virtual system associated with the system log.

Event ID (eventid): String showing the name of the event.

Object (object): Name of the object associated with the system event.

Module (module): This field is valid only when the value of the Subtype field is general. It provides additional information about the subsystem generating the log; values are general, management, auth, ha, upgrade, chassis.

Severity (severity): Severity associated with the event; values are informational, low, medium, high, critical.

Description (opaque): Detailed description of the event, up to a maximum of 512 bytes.

Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.

Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
CLI command in configure mode: show readonly dg-meta-data
API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.

Device Name (device_name): The hostname of the firewall on which the session was logged.
Correlated Events (Logs)

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Log ID (logid): Identifier of the correlated event log entry.

ID (id): Identifier of the correlated event.

Match OID (match_oid): Identifier of the correlation object match.

Object ID (objectid): Identifier of the correlation object that was matched.

Version (version): The version of the Correlation Objects content update, as pushed by Palo Alto Networks.

Virtual System (vsys): Virtual system associated with the correlated event log.

Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
CLI command in configure mode: show readonly dg-meta-data
API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

Window (window)

Source User (srcuser): Username of the user who initiated the event.

Source (src): IP address of the user who initiated the event.

Last Update Time (last_update_time): The last time the events in the correlated event were updated with more information.

Severity (severity): Severity associated with the event; values are informational, low, medium, high, critical.

Match Time (match_time): The time that the event match was recorded.

Object Name (objectname): Name of the correlation object that was matched on.

Summary (summary): A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, "Host visited known malware URL (19 times)".
Syslog Severity

The syslog severity is set based on the log type and contents.

Log Type / Severity            Syslog Severity
Traffic                        Info
Config                         Info
Threat/System Informational    Info
Threat/System Low              Notice
Threat/System Medium           Warning
Threat/System High             Error
Threat/System Critical         Critical
Custom Log/Event Format

To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key:Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.
To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.

Escape Sequences

Any field that contains a comma or a double quote is enclosed in double quotes. Furthermore, if a double quote appears inside a field it is escaped by preceding it with another double quote. To maintain backward compatibility, the Misc field in the threat log is always enclosed in double quotes. Because URLs, threat names and descriptions routinely contain commas, a parser that simply splits a message on commas will mis-align every field after the first quoted one; use a CSV parser that understands quoted fields and doubled quotes.
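The following Python example is added here and is not part of the PAN-OS guide. It applies the escaping rules above to a constructed System log message (the serial number, timestamps, device name and description are invented for illustration), maps the positional fields onto the names from the System log Format line in this section, derives the syslog severity from the Syslog Severity table, and decodes the device group hierarchy levels as described under Device Group Hierarchy. Anything in it that is not quoted from this section is an assumption of the example.

```python
import csv
import io

# Field order for System logs, copied from the Format line in this section.
SYSTEM_LOG_FORMAT = (
    "FUTURE_USE,Receive Time,Serial Number,Type,Subtype,FUTURE_USE,Generated Time,"
    "Virtual System,Event ID,Object,FUTURE_USE,FUTURE_USE,Module,Severity,Description,"
    "Sequence Number,Action Flags,Device Group Hierarchy Level 1,"
    "Device Group Hierarchy Level 2,Device Group Hierarchy Level 3,"
    "Device Group Hierarchy Level 4,Virtual System Name,Device Name"
)

# Threat/System severity -> syslog severity, from the Syslog Severity table.
THREAT_SYSTEM_SEVERITY = {
    "informational": "Info",
    "low": "Notice",
    "medium": "Warning",
    "high": "Error",
    "critical": "Critical",
}

# Constructed sample System log message (not captured from a real firewall). The
# Description field contains a comma and embedded double quotes, so it is quoted and
# the inner quotes are doubled, exactly as the Escape Sequences rules describe.
SAMPLE_SYSTEM_LOG = (
    "1,2016/05/19 10:15:01,001606000117,system,general,0,2016/05/19 10:15:01,vsys1,"
    "general,,0,0,general,medium,"
    '"Commit failed: rule ""rule-1"" references a missing object, see details",'
    "1234,0x0,12,34,45,0,vsys1,fw-edge-01"
)


def split_fields(message: str) -> list:
    """Split one PAN-OS log message into fields, honouring its escaping rules: a field
    containing a comma or a double quote is enclosed in double quotes, and a double
    quote inside such a field is doubled. A naive message.split(",") breaks here."""
    reader = csv.reader(io.StringIO(message), delimiter=",", quotechar='"',
                        doublequote=True, strict=True)
    return next(reader)


def parse_log(message: str, fmt: str = SYSTEM_LOG_FORMAT) -> dict:
    """Map the positional fields of a message onto the names in a Format line.
    FUTURE_USE positions are dropped; fields beyond the Format (for example from a
    longer custom format) are kept under 'extra' rather than silently discarded."""
    names = fmt.split(",")
    values = split_fields(message)
    if len(values) < len(names):
        raise ValueError(f"expected at least {len(names)} fields, got {len(values)}")
    record = {name: value for name, value in zip(names, values) if name != "FUTURE_USE"}
    if len(values) > len(names):
        record["extra"] = values[len(names):]
    return record


def syslog_severity(log_type: str, severity: str) -> str:
    """Syslog severity per the table: Traffic and Config are always Info; Threat and
    System map from their own severity field. Values are compared case-insensitively."""
    if log_type.lower() in ("traffic", "config"):
        return "Info"
    return THREAT_SYSTEM_SEVERITY[severity.lower()]


def device_group_path(record: dict) -> list:
    """Device-group ancestry from dg_hier_level_1..4, top-most ancestor first and the
    generating firewall's own device group last. Level 0 (Shared) never appears and
    unused trailing levels are reported as 0, so those are dropped."""
    levels = [int(record[f"Device Group Hierarchy Level {i}"]) for i in range(1, 5)]
    return [level for level in levels if level != 0]
```

The same parse_log function serves the other log types: pass the Format line of the Config, HIP Match or Threat log as fmt. If you customize the format on the firewall, pass that custom field order instead; the Format line is the only thing that ties a position to a name.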
SNMP Monitoring and Traps

The following topics describe how Palo Alto Networks firewalls, Panorama, and WF-500 appliances implement Simple Network Management Protocol (SNMP), and the procedures to configure SNMP monitoring and trap delivery.

SNMP Support
Use an SNMP Manager to Explore MIBs and Objects
Enable SNMP Services for Firewall-Secured Network Elements
Monitor Statistics Using SNMP
Forward Traps to an SNMP Manager
Supported MIBs

SNMP Support

You can use a Simple Network Management Protocol (SNMP) manager to monitor event-driven alerts and operational statistics for the firewall, Panorama, or WF-500 appliance and for the traffic they process. The statistics and traps can help you identify resource limitations, system changes or failures, and malware attacks. You configure alerts by forwarding log data as traps, and enable the delivery of statistics in response to GET messages (requests) from your SNMP manager. Each trap and statistic has an object identifier (OID). Related OIDs are organized hierarchically within the Management Information Bases (MIBs) that you load into the SNMP manager to enable monitoring.

When an event triggers SNMP trap generation (for example, an interface goes down), the firewall, Panorama virtual appliance, M-Series appliance, and WF-500 appliance respond by updating the corresponding SNMP object (for example, the interfaces MIB) instead of waiting for the periodic update of all objects that occurs every ten seconds. This ensures that your SNMP manager displays the latest information when polling an object to confirm an event.

The firewall, Panorama, and WF-500 appliance support SNMP Version 2c and Version 3. Decide which to use based on the version that other devices in your network support and on your network security requirements. SNMPv3 is more secure and enables more granular access control for system statistics than SNMPv2c. The following table summarizes the security features of each version. You select the version and configure the security features when you Monitor Statistics Using SNMP and Forward Traps to an SNMP Manager.
SNMPv2c
  Authentication: Community string
  Message Privacy: No (cleartext)
  Message Integrity: No
  MIB Access Granularity: SNMP community access for all MIBs on a device

SNMPv3
  Authentication: Engine ID, username, and authentication password (SHA hashing for the password)
  Message Privacy: Privacy password for AES-128 encryption of SNMP messages
  Message Integrity: Yes
  MIB Access Granularity: User access based on views that include or exclude specific OIDs
Figure: SNMP Implementation illustrates a deployment in which firewalls forward traps to an SNMP manager while also forwarding logs to Log Collectors. Alternatively, you could configure the Log Collectors to forward the firewall traps to the SNMP manager. For details on these deployments, refer to Log Forwarding Options. In all deployments, the SNMP manager gets statistics directly from the firewall, Panorama, or WF-500 appliance. In this example, a single SNMP manager collects both traps and statistics, though you can use separate managers for these functions if that better suits your network.

Figure: SNMP Implementation
Use an SNMP Manager to Explore MIBs and Objects

To use SNMP for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must first load the Supported MIBs into your SNMP manager and determine which object identifiers (OIDs) correspond to the system statistics and traps you want to monitor. The following topics provide an overview of how to find OIDs and MIBs in an SNMP manager. For the specific steps to perform these tasks, refer to your SNMP management software.

Identify a MIB Containing a Known OID
Walk a MIB
Identify the OID for a System Statistic or Trap

Identify a MIB Containing a Known OID

If you already know the OID for a particular SNMP object (statistic or trap) and want to know the OIDs of similar objects so you can monitor them, you can explore the MIB that contains the known OID.

Step 1: Load all the Supported MIBs into your SNMP manager.

Step 2: Search the entire MIB tree for the known OID. The search result displays the MIB path for the OID, as well as information about the OID (for example, name, status, and description). You can then select other OIDs in the same MIB to see information about them.

Step 3: Optionally, Walk a MIB to display all its objects.

Walk a MIB

If you want to see which SNMP objects (system statistics and traps) are available for monitoring, displaying all the objects of a particular MIB can be useful. To do this, load the Supported MIBs into your SNMP manager and perform a walk on the desired MIB. To list the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, walk the panCommonEventEventsV2 MIB. Walking PAN-COMMON-MIB.my, for example, lists the OIDs in that MIB together with their current values for the statistics it defines.
Identify the OID for a System Statistic or Trap

To use an SNMP manager for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must know the OIDs of the system statistics and traps you want to monitor.

Step 1: Review the Supported MIBs to determine which one contains the type of statistic you want. For example, PAN-COMMON-MIB.my contains hardware version information. The panCommonEventEventsV2 MIB contains all the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support.

Step 2: Open the MIB in a text editor and perform a keyword search. For example, using "Hardware version" as a search string in PAN-COMMON-MIB identifies the panSysHwVersion object:

panSysHwVersion OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..128))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Hardware version of the unit."
    ::= { panSys 2 }

Step 3: In a MIB browser, search the MIB tree for the identified object name to display its OID. For example, the panSysHwVersion object has an OID of 1.3.6.1.4.1.25461.2.1.2.1.2.
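As an added example (not from the guide and not the PAN-COMMON-MIB.my file itself), the Python below does what Step 3 describes without a MIB browser: it reads the `::= { parent n }` assignments out of MIB text, resolves an object name to its numeric OID, and does the reverse lookup a browser performs on a walked OID such as the session-utilization OID quoted later in this section. The MIB text is a constructed excerpt: the only definition quoted on this page is panSysHwVersion, and the intermediate node names (panRoot, panModules, panCommonMib, panCommonObjs, panSys, panSession, panSessionUtilization) are assumptions about the file's layout, chosen so that the numeric results agree with the two OIDs the page quotes.

```python
import re

# Constructed excerpt in the style of PAN-COMMON-MIB.my (see the lead-in for which
# names are assumptions). Only panSysHwVersion is quoted on this page.
MIB_EXCERPT = """
panRoot         OBJECT IDENTIFIER ::= { enterprises 25461 }
panModules      OBJECT IDENTIFIER ::= { panRoot 2 }

panCommonMib MODULE-IDENTITY
    DESCRIPTION
        "Common objects for Palo Alto Networks products."
    ::= { panModules 1 }

panCommonObjs   OBJECT IDENTIFIER ::= { panCommonMib 2 }
panSys          OBJECT IDENTIFIER ::= { panCommonObjs 1 }
panSession      OBJECT IDENTIFIER ::= { panCommonObjs 3 }

panSysHwVersion OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..128))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Hardware version of the unit."
    ::= { panSys 2 }

panSessionUtilization OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Session table utilization percentage."
    ::= { panSession 1 }
"""

# Well-known root the walk stops at: iso.org.dod.internet.private.enterprises.
ROOTS = {"enterprises": "1.3.6.1.4.1"}

# One definition: a name at the start of a line, its kind, then '::= { parent arc }'.
DEFINITION_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w-]*)\s+"
    r"(?:OBJECT-TYPE|OBJECT IDENTIFIER|OBJECT-IDENTITY|MODULE-IDENTITY|NOTIFICATION-TYPE)"
    r".*?::=\s*\{\s*(?P<parent>[A-Za-z][\w-]*)\s+(?P<arc>\d+)\s*\}",
    re.MULTILINE | re.DOTALL,
)


def parse_definitions(mib_text: str) -> dict:
    """Return {name: (parent_name, arc)} for every definition in the MIB text."""
    return {m["name"]: (m["parent"], int(m["arc"])) for m in DEFINITION_RE.finditer(mib_text)}


def resolve_oid(name: str, definitions: dict, roots: dict = ROOTS) -> str:
    """Follow parent links from name up to a known root and return the dotted OID.
    Unknown parents and cycles (a malformed MIB) raise instead of looping forever."""
    arcs, seen, node = [], set(), name
    while node not in roots:
        if node in seen or node not in definitions:
            raise KeyError(f"cannot resolve {name}: unknown or cyclic node {node}")
        seen.add(node)
        parent, arc = definitions[node]
        arcs.append(str(arc))
        node = parent
    return ".".join([roots[node], *reversed(arcs)])


def name_for_oid(oid: str, definitions: dict, roots: dict = ROOTS) -> tuple:
    """Reverse lookup, as a MIB browser does for a walked OID: the longest defined
    prefix plus the instance suffix that follows it ('.0' for a scalar)."""
    best = None
    for name in definitions:
        prefix = resolve_oid(name, definitions, roots)
        if (oid == prefix or oid.startswith(prefix + ".")) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, name)
    if best is None:
        raise KeyError(f"no definition covers {oid}")
    return best[1], oid[len(best[0]):]
```

Point parse_definitions at the real PAN-COMMON-MIB.my (and at PAN-GLOBAL-REG-MIB.my, which defines the nodes above panCommonMib) to resolve any object in the enterprise MIBs; for the IETF MIBs add their roots (for example mib-2 = 1.3.6.1.2.1) to ROOTS.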
Enable SNMP Services for Firewall-Secured Network Elements

If you will use Simple Network Management Protocol (SNMP) to monitor or manage network elements (for example, switches and routers) that are within the security zones of Palo Alto Networks firewalls, you must create a security rule that allows SNMP services for those elements.

You don't need a security rule to enable SNMP monitoring of Palo Alto Networks firewalls, Panorama, or WF-500 appliances. For details, see Monitor Statistics Using SNMP.

Step 1: Create an application group.
1. Select Objects > Application Groups and click Add.
2. Enter a Name to identify the application group.
3. Click Add, type snmp, and select snmp and snmp-trap from the drop-down.
4. Click OK to save the application group.

Step 2: Create a security rule to allow SNMP services.
1. Select Policies > Security and click Add.
2. In the General tab, enter a Name for the rule.
3. In the Source and Destination tabs, click Add and enter a Source Zone and a Destination Zone for the traffic. To keep the rule to least privilege, also restrict the Source Address to your SNMP managers and the Destination Address to the managed elements rather than allowing SNMP between whole zones.
4. In the Applications tab, click Add, type the name of the application group you just created, and select it from the drop-down.
5. In the Actions tab, verify that the Action is set to Allow, and then click OK and Commit.
Monitor Statistics Using SNMP

The statistics that a Simple Network Management Protocol (SNMP) manager collects from Palo Alto Networks firewalls can help you gauge the health of your network (systems and connections), identify resource limitations, and monitor traffic or processing loads. The statistics include information such as interface states (up or down), active user sessions, concurrent sessions, session utilization, temperature, and system uptime.

You can't configure an SNMP manager to control Palo Alto Networks firewalls (using SET messages), only to collect statistics from them (using GET messages).

For details on how SNMP is implemented for Palo Alto Networks firewalls, see SNMP Support.

Step 1: Configure the SNMP manager to get statistics from firewalls.
The following steps provide an overview of the tasks you perform on the SNMP manager. For the specific steps, refer to the documentation of your SNMP manager.
1. To enable the SNMP manager to interpret firewall statistics, load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them.
2. For each firewall that the SNMP manager will monitor, define the connection settings (IP address and port) and authentication settings (SNMPv2c community string or SNMPv3 Engine ID/username/password) for the firewall. Note that all Palo Alto Networks firewalls use port 161. The SNMP manager can use the same or different connection and authentication settings for multiple firewalls. The settings must match those you define when you configure SNMP on the firewall (see Step 3). For example, if you use SNMPv2c, the community string you define when configuring the firewall must match the community string you define in the SNMP manager for that firewall.
3. Determine the object identifiers (OIDs) of the statistics you want to monitor. For example, to monitor the session utilization percentage of a firewall, a MIB browser shows that this statistic corresponds to OID 1.3.6.1.4.1.25461.2.1.2.3.1.0 in PAN-COMMON-MIB.my. For details, see Use an SNMP Manager to Explore MIBs and Objects.
4. Configure the SNMP manager to monitor the desired OIDs.

Step 2: Enable SNMP traffic on a firewall interface. This is the interface that will receive statistics requests from the SNMP manager. Perform this step in the firewall web interface.
To enable SNMP traffic on the MGT interface, select Device > Setup > Management, edit the Management Interface Settings, select SNMP, and then click OK and Commit.
To enable SNMP traffic on any other interface, create an interface management profile for SNMP services and assign the profile to the interface that will receive the SNMP requests. The interface type must be Layer 3 Ethernet.
PAN-OS doesn't synchronize management (MGT) interface settings for firewalls in a high availability (HA) configuration. You must configure the interface for each HA peer.

Step 3: Configure the firewall to respond to statistics requests from an SNMP manager.
1. Select Device > Setup > Operations and, under Miscellaneous, click SNMP Setup.
2. Select the SNMP Version and enter the values the SNMP manager will present: for V2c, the SNMP Community String; for V3, the views (the OIDs a user may read), the users, and their authentication and privacy passwords. These must match what you configured on the SNMP manager in Step 1.
3. Click OK and Commit.
PAN-OS doesn't synchronize SNMP response settings for firewalls in a high availability (HA) configuration. You must configure these settings for each HA peer.

Step 4: Monitor the firewall statistics in an SNMP manager. Refer to the documentation of your SNMP manager.
When monitoring statistics related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
Forward Traps to an SNMP Manager

Simple Network Management Protocol (SNMP) traps can alert you to system events (failures or changes in hardware or software of Palo Alto Networks firewalls) or to threats (traffic that matches a firewall security rule) that require immediate attention.

To see the list of traps that Palo Alto Networks firewalls support, use your SNMP manager to access the panCommonEventEventsV2 MIB. For details, see Use an SNMP Manager to Explore MIBs and Objects.

For details on how Palo Alto Networks firewalls implement SNMP, see SNMP Support.

Step 1: Enable the SNMP manager to interpret the traps it receives. Load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.

Step 2: Configure an SNMP Trap server profile. The profile defines how the firewall accesses the SNMP managers (trap servers). You can define up to four SNMP managers for each profile. Optionally, configure separate SNMP Trap server profiles for different log types, severity levels, and WildFire verdicts.
1. Log in to the firewall web interface.
2. Select Device > Server Profiles > SNMP Trap.
3. Click Add and enter a Name for the profile.
4. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
5. Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP Support.
V2c: For each server, click Add and enter the server Name, IP address (SNMP Manager), and Community String. The community string identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other. As a best practice, don't use the default community string public; it's well known and therefore not secure.
V3: For each server, click Add and enter the server Name, IP address (SNMP Manager), SNMP User account (this must match a username defined in the SNMP manager), Engine ID used to uniquely identify the firewall (you can leave the field blank to use the firewall serial number), authentication password (Auth Password) used to authenticate to the server, and privacy password (Priv Password) used to encrypt SNMP messages to the server.
6. Click OK to save the server profile.

Step 3: Configure log forwarding.
1. Configure the destinations of Traffic, Threat, and WildFire traps:
a. Create a log forwarding profile. For each log type and each severity level or WildFire verdict, select the SNMP Trap server profile.
b. Assign the log forwarding profile to security rules. The rules will trigger trap generation and forwarding.
2. Configure the destinations for System, Config, HIP Match, and Correlation logs (Device > Log Settings). For each log (trap) type and severity level, select the SNMP Trap server profile.
3. Click Commit.

Step 4: Monitor the traps in an SNMP manager. Refer to the documentation of your SNMP manager.
When monitoring traps related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
Supported MIBs

The following table lists the Simple Network Management Protocol (SNMP) management information bases (MIBs) that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support. You must load these MIBs into your SNMP manager to monitor the objects (system statistics and traps) that are defined in the MIBs. For details, see Use an SNMP Manager to Explore MIBs and Objects.

Standard MIBs (the Internet Engineering Task Force (IETF) maintains most standard MIBs; you can download them from the IETF website):
MIB-II
IF-MIB
HOST-RESOURCES-MIB
ENTITY-MIB
ENTITY-SENSOR-MIB
ENTITY-STATE-MIB
IEEE 802.3 LAG MIB
LLDP-V2-MIB.my
BFD-STD-MIB
Palo Alto Networks firewalls, Panorama, and WF-500 appliances don't support every object (OID) in every one of these MIBs. See the Supported MIBs links for an overview of the supported OIDs.

Enterprise MIBs (you can download the enterprise MIBs from the Palo Alto Networks Technical Documentation site):
PAN-COMMON-MIB.my
PAN-GLOBAL-REG-MIB.my
PAN-GLOBAL-TC-MIB.my
PAN-LC-MIB.my
PAN-PRODUCT-MIB.my
PAN-ENTITY-EXT-MIB.my
PAN-TRAPS.my

MIB-II

MIB-II provides object identifiers (OIDs) for network management protocols in TCP/IP-based networks. Use this MIB to monitor general information about systems and interfaces. For example, you can analyze trends in bandwidth usage by interface type (ifType object) to determine if the firewall needs more interfaces of that type to accommodate spikes in traffic volume.

Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the following object groups:

system: Provides system information such as the hardware model, system uptime, FQDN, and physical location.

interfaces: Provides statistics for physical and logical interfaces such as type, current bandwidth (speed), operational status (for example, up or down), and discarded packets. Logical interface support includes VPN tunnels, aggregate groups, Layer 2 subinterfaces, Layer 3 subinterfaces, loopback interfaces, and VLAN interfaces.

RFC 1213 defines this MIB.
IF-MIB

IF-MIB supports interface types (physical and logical) and larger (64-bit) counters beyond those defined in MIB-II. Use this MIB to monitor interface statistics in addition to those that MIB-II provides. For example, to monitor the current bandwidth of high-speed interfaces, such as the 10G interfaces of the PA-5000 Series firewalls, you must check the ifHighSpeed object (in Mbps) in IF-MIB instead of the ifSpeed object in MIB-II: ifSpeed is a 32-bit gauge in bits per second, so for any interface faster than about 4.29 Gbps it reports its maximum value, 4,294,967,295, rather than the real speed. IF-MIB statistics can be useful when evaluating the capacity of your network.

Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the ifXTable in IF-MIB, which provides interface information such as the number of multicast and broadcast packets transmitted and received, whether an interface is in promiscuous mode, and whether an interface has a physical connector.

RFC 2863 defines this MIB.
HOST-RESOURCES-MI
B

HOST-RESOURCES-MIB provides information for host computer resources. Use this MIB to monitor CPU and memory usage statistics. For example, checking the current CPU load (hrProcessorLoad object) can help you troubleshoot performance issues on the firewall.

Palo Alto Networks firewalls, Panorama, and WF-500 appliances support portions of the following object groups:

hrDevice: Provides information such as CPU load, storage capacity, and partition size. The hrProcessorLoad OIDs provide an average of the cores that process packets. For the PA-5060 firewall, which has multiple dataplanes (DPs), the average is of the cores across all three DPs that process packets.

hrSystem: Provides information such as system uptime, number of current user sessions, and number of current processes.

hrStorage: Provides information such as the amount of used storage.

RFC 2790 defines this MIB.
ENTITY-MIB

ENTITY-MIB provides OIDs for multiple logical and physical components. Use this MIB to determine what physical components are loaded on a system (for example, fans and temperature sensors) and see related information such as models and serial numbers. You can also use the index numbers for these components to determine their operational status in the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB.

Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhysicalTable group:

entPhysicalIndex: A single namespace that includes disk slots and disk drives.

entPhysicalDescr: The component description.

entPhysicalVendorType: The sysObjectID (see PAN-PRODUCT-MIB.my) when it is available (chassis and module objects).

entPhysicalContainedIn: The value of entPhysicalIndex for the component that contains this component.

entPhysicalClass: chassis(3), container(5) for a slot, powerSupply(6), fan(7), sensor(8) for each temperature or other environmental sensor, and module(9) for each line card.

entPhysicalParentRelPos: The relative position of this child component among its sibling components. Sibling components are defined as entPhysicalEntry components that share the same instance values of each of the entPhysicalContainedIn and entPhysicalClass objects.

entPhysicalName: Supported only if the management (MGT) interface allows for naming the line card.

entPhysicalHardwareRev: The vendor-specific hardware revision of the component.

entPhysicalFirmwareRev: The vendor-specific firmware revision of the component.

entPhysicalSoftwareRev: The vendor-specific software revision of the component.

entPhysicalSerialNum: The vendor-specific serial number of the component.

entPhysicalMfgName: The name of the manufacturer of the component.

entPhysicalMfgDate: The date when the component was manufactured.

entPhysicalModelName: The disk model number.

entPhysicalAlias: An alias that the network manager specified for the component.

entPhysicalAssetID: A user-assigned asset tracking identifier that the network manager specified for the component.

entPhysicalIsFRU: Indicates whether the component is a field replaceable unit (FRU).

entPhysicalUris: The Common Language Equipment Identifier (CLEI) number of the component (for example, URN:CLEI:CNME120ARA).

RFC 4133 defines this MIB.
ENTITYSENSORMIB
ENTITYSENSORMIBaddssupportforphysicalsensorsofnetworkingequipmentbeyondwhat
ENTITYMIBdefines.UsethisMIBintandemwiththeENTITYMIBtomonitortheoperationalstatusofthe
physicalcomponentsofasystem(forexample,fansandtemperaturesensors).Forexample,totroubleshoot
issuesthatmightresultfromenvironmentalconditions,youcanmaptheentityindexesfromthe
ENTITYMIB(entPhysicalDescrobject)tooperationalstatusvalues(entPhysSensorOperStatusobject)inthe
ENTITYSENSORMIB.Inthefollowingexample,allthefansandtemperaturesensorsforaPA3020firewall
areworking:
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 357
SNMPMonitoringandTraps
Monitoring
ThesameOIDmightrefertodifferentsensorsondifferentplatforms.UsetheENTITYMIBfor
thetargetedplatformtomatchthevaluetothedescription.
PaloAltoNetworksfirewalls,Panorama,andWF500appliancessupportonlyportionsofthe
entPhySensorTablegroup.Thesupportedportionsvarybyplatformandincludeonlythermal(temperature
inCelsius)andfan(inRPM)sensors.
RFC3433definestheENTITYSENSORMIB.
ENTITYSTATEMIB
ENTITYSTATEMIBprovidesinformationaboutthestateofphysicalcomponentsbeyondwhat
ENTITYMIBdefines,includingtheadministrativeandoperationalstateofcomponentsinchassisbased
platforms.UsethisMIBintandemwiththeENTITYMIBtomonitortheoperationalstateofthecomponents
ofaPA7000Seriesfirewall(forexample,linecards,fantrays,andpowersupplies).Forexample,to
troubleshootlogforwardingissuesforThreatlogs,youcanmapthelogprocessingcard(LPC)indexesfrom
theENTITYMIB(entPhysicalDescrobject)tooperationalstatevalues(entStateOperobject)inthe
ENTITYSTATEMIB.Theoperationalstatevaluesusenumberstoindicatestate:1forunknown,2for
disabled,3forenabled,and4fortesting.ThePA7000SeriesfirewallistheonlyPaloAltoNetworksfirewall
thatsupportsthisMIB.
RFC4268definestheENTITYSTATEMIB.
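The index join that the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB sections above describe (entPhysicalDescr matched by entPhysicalIndex to entPhySensorOperStatus and entStateOper) is shown here as an added example; it is not code from the guide or from Palo Alto Networks. The snmpwalk-style lines are constructed sample data, not output captured from a device; the entPhySensorOperStatus labels ok(1), unavailable(2) and nonoperational(3) come from RFC 3433, and the entStateOper values are the ones listed above.

```python
import re
from collections import defaultdict

# One snmpwalk-style line: MODULE::object.index = TYPE: value
LINE_RE = re.compile(
    r"^(?P<module>[\w-]+)::(?P<object>\w+)\.(?P<index>\d+) = (?P<type>\w+): (?P<value>.*)$")

# RFC 3433 entPhySensorOperStatus enumeration.
SENSOR_OPER_STATUS = {1: "ok", 2: "unavailable", 3: "nonoperational"}
# ENTITY-STATE-MIB entStateOper enumeration as given in the guide.
ENTITY_STATE_OPER = {1: "unknown", 2: "disabled", 3: "enabled", 4: "testing"}

# Constructed sample walk (not captured from a real device); indexes and names are made up.
SAMPLE_WALK = """\
ENTITY-MIB::entPhysicalDescr.1 = STRING: Chassis
ENTITY-MIB::entPhysicalDescr.5 = STRING: Fan #1 RPM
ENTITY-MIB::entPhysicalDescr.6 = STRING: Fan #2 RPM
ENTITY-MIB::entPhysicalDescr.12 = STRING: Temperature @ Core Sensor
ENTITY-MIB::entPhysicalDescr.30 = STRING: Log Processing Card (LPC)
ENTITY-SENSOR-MIB::entPhySensorOperStatus.5 = INTEGER: ok(1)
ENTITY-SENSOR-MIB::entPhySensorOperStatus.6 = INTEGER: nonoperational(3)
ENTITY-SENSOR-MIB::entPhySensorOperStatus.12 = INTEGER: ok(1)
ENTITY-SENSOR-MIB::entPhySensorValue.5 = INTEGER: 4200
ENTITY-SENSOR-MIB::entPhySensorValue.6 = INTEGER: 0
ENTITY-SENSOR-MIB::entPhySensorValue.12 = INTEGER: 41
ENTITY-STATE-MIB::entStateOper.30 = INTEGER: enabled(3)
"""


def parse_walk(text):
    """Return {index: {object_name: value}} from snmpwalk-style lines."""
    table = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        value = m.group("value")
        if m.group("type") == "INTEGER":
            # snmpwalk prints enumerations as label(n); keep the number
            num = re.search(r"\((\d+)\)\s*$", value)
            value = int(num.group(1)) if num else int(value)
        table[int(m.group("index"))][m.group("object")] = value
    return dict(table)


def component_report(text):
    """Join each entPhysicalDescr to the sensor/state objects sharing its entPhysicalIndex."""
    rows = []
    for index, objs in sorted(parse_walk(text).items()):
        if "entPhysicalDescr" not in objs:
            continue
        row = {"index": index, "descr": objs["entPhysicalDescr"]}
        if "entPhySensorOperStatus" in objs:
            code = objs["entPhySensorOperStatus"]
            row["sensor_status"] = SENSOR_OPER_STATUS.get(code, f"unknown({code})")
            row["sensor_value"] = objs.get("entPhySensorValue")
        if "entStateOper" in objs:
            code = objs["entStateOper"]
            row["oper_state"] = ENTITY_STATE_OPER.get(code, f"unknown({code})")
        rows.append(row)
    return rows


def unhealthy_components(text):
    """Components whose sensor is not ok(1) or whose operational state is not enabled(3)."""
    return [row for row in component_report(text)
            if row.get("sensor_status", "ok") != "ok"
            or row.get("oper_state", "enabled") != "enabled"]


if __name__ == "__main__":
    for row in component_report(SAMPLE_WALK):
        print(row)
    print("unhealthy:", [r["descr"] for r in unhealthy_components(SAMPLE_WALK)])
```

Feed the function the output of a real walk of the three MIBs on the target platform; because the same OID can describe different sensors on different platforms, the description always comes from that platform's own entPhysicalDescr rows rather than from a fixed lookup.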
IEEE 802.3 LAG MIB
Use the IEEE 802.3 LAG MIB to monitor the status of aggregate groups that have Link Aggregation Control Protocol (LACP) enabled. When the firewall logs LACP events, it also generates traps that are useful for troubleshooting. For example, the traps can tell you whether traffic interruptions between the firewall and an LACP peer resulted from lost connectivity or from mismatched interface speed and duplex values.
PAN-OS implements the following SNMP tables for LACP. Note that the dot3adTablesLastChanged object indicates the time of the most recent change to dot3adAggTable, dot3adAggPortListTable, and dot3adAggPortTable.

Table: Description
Aggregator Configuration Table (dot3adAggTable)
    This table contains information about every aggregate group that is associated with a firewall. Each aggregate group has one entry.
    Some table objects have restrictions, which the dot3adAggIndex object describes. This index is the unique identifier that the local system assigns to the aggregate group. It identifies an aggregate group instance among the subordinate managed objects of the containing object. The identifier is read-only.
    The ifTable MIB (a list of interface entries) does not support logical interfaces and therefore does not have an entry for the aggregate group.
Aggregation Port List Table (dot3adAggPortListTable)
    This table lists the ports associated with each aggregate group in a firewall. Each aggregate group has one entry.
    The dot3adAggPortListPorts attribute lists the complete set of ports associated with an aggregate group. Each bit set in the list represents a port member. For non-chassis platforms, this is a 64-bit value. For chassis platforms, the value is an array of eight 64-bit entries.
Aggregation Port Table (dot3adAggPortTable)
    This table contains LACP configuration information about every port associated with an aggregate group in a firewall. Each port has one entry. The table has no entries for ports that are not associated with an aggregate group.
LACP Statistics Table (dot3adAggPortStatsTable)
    This table contains link aggregation information about every port associated with an aggregate group in a firewall. Each port has one row. The table has no entries for ports that are not associated with an aggregate group.

The IEEE 802.3 LAG MIB includes the following LACP-related traps:

Trap Name: Description
panLACPLostConnectivityTrap
    The peer lost connectivity to the firewall.
panLACPUnresponsiveTrap
    The peer does not respond to the firewall.
panLACPNegoFailTrap
    LACP negotiation with the peer failed.
panLACPSpeedDuplexTrap
    The link speed and duplex settings on the firewall and peer do not match.
panLACPLinkDownTrap
    An interface in the aggregate group is down.
panLACPLacpDownTrap
    An interface was removed from the aggregate group.
panLACPLacpUpTrap
    An interface was added to the aggregate group.

For the MIB definitions, refer to IEEE 802.3 LAG MIB.
LLDP-V2-MIB.my
Use the LLDP-V2-MIB to monitor Link Layer Discovery Protocol (LLDP) events. For example, you can check the lldpV2StatsRxPortFramesDiscardedTotal object to see the number of LLDP frames that were discarded for any reason. The Palo Alto Networks firewall uses LLDP to discover neighboring devices and their capabilities. LLDP makes troubleshooting easier, especially for virtual wire deployments where the ping or traceroute utilities won't detect the firewall.
Palo Alto Networks firewalls support all the LLDP-V2-MIB objects except:
    The following lldpV2Statistics objects:
        lldpV2StatsRemTablesLastChangeTime
        lldpV2StatsRemTablesInserts
        lldpV2StatsRemTablesDeletes
        lldpV2StatsRemTablesDrops
        lldpV2StatsRemTablesAgeouts
    The following lldpV2RemoteSystemsData objects:
        The lldpV2RemOrgDefInfoTable table
        In the lldpV2RemTable table: lldpV2RemTimeMark
RFC 4957 defines this MIB.

BFD-STD-MIB
Use the Bidirectional Forwarding Detection (BFD) MIB to monitor and receive failure alerts for the bidirectional path between two forwarding engines, such as interfaces, data links, or the actual engines. For example, you can check the bfdSessState object to see the state of a BFD session between forwarding engines. In the Palo Alto Networks implementation, one of the forwarding engines is a firewall interface and the other is an adjacent configured BFD peer.
RFC 7331 defines this MIB.
PAN-COMMON-MIB.my
Use the PAN-COMMON-MIB to monitor the following information for Palo Alto Networks firewalls, Panorama, and WF-500 appliances:

Object Group: Description
panSys
    Contains such objects as system software/hardware versions, dynamic content versions, serial number, HA mode/state, and global counters.
    The global counters include those related to Denial of Service (DoS), IP fragmentation, TCP state, and dropped packets. Tracking these counters enables you to monitor traffic irregularities that result from DoS attacks, system or connection faults, or resource limitations. PAN-COMMON-MIB supports global counters for firewalls but not for Panorama.
panChassis
    Chassis type and M-Series appliance mode (Panorama or Log Collector).
panSession
    Session utilization information. For example, the total number of active sessions on the firewall or a specific virtual system.
panMgmt
    Status of the connection from the firewall to the Panorama management server.
panGlobalProtect
    GlobalProtect gateway utilization as a percentage, maximum tunnels allowed, and number of active tunnels.
panLogCollector
    Log Collector information such as the logging rate, log database storage duration (in days), and RAID disk usage.

PAN-GLOBAL-REG-MIB.my
PAN-GLOBAL-REG-MIB.my contains global, top-level OID definitions for various sub-trees of Palo Alto Networks enterprise MIB modules. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-GLOBAL-TC-MIB.my
PAN-GLOBAL-TC-MIB.my defines conventions (for example, character length and allowed characters) for the text values of objects in Palo Alto Networks enterprise MIB modules. All Palo Alto Networks products use these conventions. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-LC-MIB.my
PAN-LC-MIB.my contains definitions of managed objects that Log Collectors (M-Series appliances in Log Collector mode) implement. Use this MIB to monitor the logging rate, log database storage duration (in days), and disk usage (in MB) of each logical disk (up to four) on a Log Collector. For example, you can use this information to determine whether you should add more Log Collectors or forward logs to an external server (for example, a syslog server) for archiving.

PAN-PRODUCT-MIB.my
PAN-PRODUCT-MIB.my defines sysObjectID OIDs for all Palo Alto Networks products. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-ENTITY-EXT-MIB.my
Use PAN-ENTITY-EXT-MIB.my in tandem with the ENTITY-MIB to monitor power usage for the physical components of a PA-7000 Series firewall (for example, fan trays and power supplies), which is the only Palo Alto Networks firewall that supports this MIB. For example, when troubleshooting log forwarding issues, you might want to check the power usage of the log processing cards (LPCs): you can map the LPC indexes from the ENTITY-MIB (entPhysicalDescr object) to values in the PAN-ENTITY-EXT-MIB (panEntryFRUModelPowerUsed object).

PAN-TRAPS.my
Use PAN-TRAPS.my to see a complete listing of all the generated traps and information about them (for example, a description). For a list of traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, refer to the PAN-COMMON-MIB.my > panCommonEvents > panCommonEventsEvents > panCommonEventEventsV2 object.
NetFlow Monitoring
NetFlow is an industry-standard protocol that the firewall can use to export statistics about the IP traffic that traverses its interfaces. The firewall exports the statistics as NetFlow fields to a NetFlow collector. The NetFlow collector is a server you use to analyze network traffic for security, administration, accounting and troubleshooting. All Palo Alto Networks firewalls support NetFlow (Version 9) except the PA-4000 Series and PA-7000 Series firewalls. The firewalls support only unidirectional NetFlow, not bidirectional. You can enable NetFlow exports on all interface types except HA, log card, or decrypt mirror. To identify firewall interfaces in a NetFlow collector, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors. The firewall supports standard and enterprise (PAN-OS specific) NetFlow templates.
    Configure NetFlow Exports
    NetFlow Templates

Configure NetFlow Exports

Step 1  Create a NetFlow server profile.
    1.
    2. Enter a Name for the profile.
    3. Specify the frequency at which the firewall refreshes NetFlow Templates in Minutes (default is 30) or Packets (default is 20), according to the requirements of your NetFlow collector.
    4. For the Active Timeout, specify the frequency in minutes at which the firewall exports records (default is 5).
    5.
    6. For each NetFlow collector (up to two per profile) that will receive fields, click Add and enter an identifying server Name, hostname or IP address (NetFlow Server), and access Port (default is 2055).
    7. Click OK to save the profile.

Step 2  Assign the NetFlow server profile to the interfaces that carry the traffic you want to analyze.
        In this example, you assign the profile to an existing Ethernet interface.
    1.
    2.
    3.

Step 3  Monitor the firewall traffic in a NetFlow collector.
    Refer to the documentation for your NetFlow collector.
    When monitoring statistics, you must match the interface indexes in the NetFlow collector with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.

NetFlow Templates
NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall selects a template based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate which one to use (in case the type of exported data changes) and to apply any changes to the fields in the selected template. When you Configure NetFlow Exports, you set the refresh frequency according to the requirements of your NetFlow collector.
The Palo Alto Networks firewall supports the following NetFlow templates:
Template: ID
IPv4 Standard: 256
IPv4 Enterprise: 257
IPv6 Standard: 258
IPv6 Enterprise: 259
IPv4 with NAT Standard: 260
IPv4 with NAT Enterprise: 261
IPv6 with NAT Standard: 262
IPv6 with NAT Enterprise: 263

The following table lists the NetFlow fields that the firewall can send, along with the templates that define them:

Value  Field
    Description
    Templates

IN_BYTES
    Incoming counter with length N*8 bits for the number of bytes associated with an IP flow. By default, N is 4.
    Templates: All templates
IN_PKTS
    Incoming counter with length N*8 bits for the number of packets associated with an IP flow. By default, N is 4.
    Templates: All templates
PROTOCOL
    IP protocol byte.
    Templates: All templates
TOS
    Type of Service byte setting when entering the ingress interface.
    Templates: All templates
TCP_FLAGS
    Total of all the TCP flags in this flow.
    Templates: All templates
L4_SRC_PORT
    TCP/UDP source port number (for example, FTP, Telnet, or equivalent).
    Templates: All templates
IPV4_SRC_ADDR
    IPv4 source address.
    Templates: IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise
10  INPUT_SNMP
    Input interface index. The value length is 2 bytes by default, but higher values are possible. For details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
    Templates: All templates
11  L4_DST_PORT
    TCP/UDP destination port number (for example, FTP, Telnet, or equivalent).
    Templates: All templates
12  IPV4_DST_ADDR
    IPv4 destination address.
    Templates: IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise
14  OUTPUT_SNMP
    Output interface index. The value length is 2 bytes by default, but higher values are possible. For details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
    Templates: All templates
21  LAST_SWITCHED
    System uptime in milliseconds when the last packet of this flow was switched.
    Templates: All templates
22  FIRST_SWITCHED
    System uptime in milliseconds when the first packet of this flow was switched.
    Templates: All templates
27  IPV6_SRC_ADDR
    IPv6 source address.
    Templates: IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise
28  IPV6_DST_ADDR
    IPv6 destination address.
    Templates: IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise
32  ICMP_TYPE
    Internet Control Message Protocol (ICMP) packet type. This is reported as: ICMP Type * 256 + ICMP code
    Templates: All templates
61  DIRECTION
    Flow direction: 0 = ingress, 1 = egress
    Templates: All templates
148  flowId
    An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flow ID corresponds to the session ID field in Traffic and Threat logs.
    Templates: All templates
233  firewallEvent
    Indicates a firewall event: 0 = Ignore (invalid), 1 = Flow created, 2 = Flow deleted, 3 = Flow denied, 4 = Flow alert, 5 = Flow update (the session state changed from active to deny)
    Templates: All templates
225  postNATSourceIPv4Address
    The definition of this information element is identical to that of sourceIPv4Address, except that it reports a modified value that the firewall produced during network address translation after the packet traversed the interface.
    Templates: IPv4 with NAT standard, IPv4 with NAT enterprise
226  postNATDestinationIPv4Address
    The definition of this information element is identical to that of destinationIPv4Address, except that it reports a modified value that the firewall produced during network address translation after the packet traversed the interface.
    Templates: IPv4 with NAT standard, IPv4 with NAT enterprise
227  postNAPTSourceTransportPort
    The definition of this information element is identical to that of sourceTransportPort, except that it reports a modified value that the firewall produced during network address port translation after the packet traversed the interface.
    Templates: IPv4 with NAT standard, IPv4 with NAT enterprise
228
281  postNATSourceIPv6Address
    The definition of this information element is identical to the definition of information element sourceIPv6Address, except that it reports a modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 for the definition of the source address field in the IPv6 header. See RFC 6146 for the NAT64 specification.
    Templates: IPv6 with NAT standard, IPv6 with NAT enterprise
282  postNATDestinationIPv6Address
    The definition of this information element is identical to the definition of information element destinationIPv6Address, except that it reports a modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 for the definition of the destination address field in the IPv6 header. See RFC 6146 for the NAT64 specification.
    Templates: IPv6 with NAT standard, IPv6 with NAT enterprise
346  privateEnterpriseNumber
    This is a unique private enterprise number that identifies Palo Alto Networks: 25461.
    Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise
56701  AppID
    The name of an application that App-ID identified. The name can be up to 32 bytes.
    Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise
56702  UserID
    A username that User-ID identified. The name can be up to 64 bytes.
    Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise
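As an added example, not code from the guide or from Palo Alto Networks, the following NetFlow v9 decoder shows how a collector uses the template flowset to interpret the data records that follow it, and how the field semantics listed above (ICMP_TYPE as type*256+code, the firewallEvent and DIRECTION enumerations, the NUL-padded AppID and UserID strings, and the template IDs 256 to 263) are applied. The export packet is constructed inline, not captured from a firewall; field types 10 to 233 and 56701/56702 are taken from the table above, while 4 (PROTOCOL) and 8 (IPV4_SRC_ADDR) are the standard NetFlow v9 values from RFC 3954.

```python
import struct
import ipaddress

# Enumerations from the field table above.
FIREWALL_EVENTS = {0: "Ignore (invalid)", 1: "Flow created", 2: "Flow deleted",
                   3: "Flow denied", 4: "Flow alert", 5: "Flow update"}
DIRECTIONS = {0: "ingress", 1: "egress"}


def _uint(raw):
    return int.from_bytes(raw, "big")


def _ipv4(raw):
    return str(ipaddress.IPv4Address(raw))


def _text(raw):
    # AppID (32 bytes) and UserID (64 bytes) are fixed-width, NUL padded
    return raw.rstrip(b"\x00").decode("utf-8", "replace")


def _icmp(raw):
    # ICMP_TYPE is reported as ICMP type * 256 + ICMP code
    value = _uint(raw)
    return {"type": value // 256, "code": value % 256}


# Field type -> (name, decoder). Unknown types fall back to an unsigned integer.
FIELD_DECODERS = {
    4: ("PROTOCOL", _uint),                      # RFC 3954 value (not in the table above)
    8: ("IPV4_SRC_ADDR", _ipv4),                 # RFC 3954 value (not in the table above)
    10: ("INPUT_SNMP", _uint),
    11: ("L4_DST_PORT", _uint),
    12: ("IPV4_DST_ADDR", _ipv4),
    14: ("OUTPUT_SNMP", _uint),
    32: ("ICMP_TYPE", _icmp),
    61: ("DIRECTION", lambda raw: DIRECTIONS.get(_uint(raw), "unknown")),
    148: ("flowId", _uint),
    233: ("firewallEvent", lambda raw: FIREWALL_EVENTS.get(_uint(raw), "unknown")),
    56701: ("AppID", _text),
    56702: ("UserID", _text),
}


def describe_template(template_id):
    """Decode PAN-OS template IDs 256-263: bit 0 = enterprise, bit 1 = IPv6, bit 2 = NAT."""
    if not 256 <= template_id <= 263:
        raise ValueError(f"not a PAN-OS template id: {template_id}")
    bits = template_id - 256
    parts = ["IPv6" if bits & 2 else "IPv4"]
    if bits & 4:
        parts.append("with NAT")
    parts.append("Enterprise" if bits & 1 else "Standard")
    return " ".join(parts)


def parse_netflow_v9(packet):
    """Parse one export packet; templates seen earlier in the packet decode its data records."""
    version = struct.unpack("!HHIIII", packet[:20])[0]
    if version != 9:
        raise ValueError(f"unsupported NetFlow version {version}")
    templates, records, offset = {}, [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:  # template flowset: template_id, field_count, (type, length)*
            pos = 0
            while pos + 4 <= len(body):
                template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(field_count)]
                pos += 4 * field_count
                templates[template_id] = fields
        elif flowset_id >= 256 and flowset_id in templates:  # data flowset
            fields = templates[flowset_id]
            record_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + record_len <= len(body):  # trailing bytes shorter than a record are padding
                record = {"template": describe_template(flowset_id)}
                for ftype, flen in fields:
                    name, decode = FIELD_DECODERS.get(ftype, (f"field_{ftype}", _uint))
                    record[name] = decode(body[pos:pos + flen])
                    pos += flen
                records.append(record)
        offset += length  # data for a template not yet seen is skipped
    return records


def build_sample_packet():
    """Constructed sample export (not captured from a firewall): template 257 and one ICMP echo flow."""
    fields = [(8, 4), (12, 4), (4, 1), (11, 2), (32, 2), (61, 1), (148, 8), (233, 1),
              (56701, 32), (56702, 64)]
    tmpl = struct.pack("!HH", 257, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    record = (ipaddress.IPv4Address("10.0.0.5").packed + ipaddress.IPv4Address("192.0.2.10").packed
              + struct.pack("!BHHB", 1, 0, 8 * 256 + 0, 0)   # ICMP, no port, echo request, ingress
              + struct.pack("!QB", 123456, 1)                # flowId, firewallEvent = Flow created
              + b"ping".ljust(32, b"\x00") + b"acme\\alice".ljust(64, b"\x00"))
    padding = b"\x00" * (-len(record) % 4)
    data_flowset = struct.pack("!HH", 257, 4 + len(record) + len(padding)) + record + padding
    header = struct.pack("!HHIIII", 9, 2, 1000, 1463616000, 1, 0)  # version, count, uptime, secs, seq, source
    return header + tmpl_flowset + data_flowset


if __name__ == "__main__":
    for rec in parse_netflow_v9(build_sample_packet()):
        print(rec)
```

Because the firewall refreshes templates on the interval set in the server profile, a collector that starts between refreshes has to hold data flowsets until the matching template arrives; this decoder simply skips them, which is what the refresh-frequency setting above is there to bound.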
Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
When you use a NetFlow collector (see NetFlow Monitoring) or SNMP manager (see SNMP Monitoring and Traps) to monitor the Palo Alto Networks firewall, an interface index (SNMP ifindex object) identifies the interface that carried a particular flow (see Figure: Interface Indexes in an SNMP Manager). In contrast, the firewall web interface uses interface names as identifiers (for example, ethernet1/1), not indexes. To understand which statistics that you see in a NetFlow collector or SNMP manager apply to which firewall interface, you must be able to match the interface indexes with interface names.

Figure: Interface Indexes in an SNMP Manager

You can match the indexes with names by understanding the formulas that the firewall uses to calculate indexes. The formulas vary by platform and interface type: physical or logical.
Physical interface indexes have a range of 1-9999, which the firewall calculates as follows:

Firewall Platform: Non-chassis based: VM-Series, PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series
    The PA-4000 Series platform supports SNMP but not NetFlow.
Calculation: MGT port + physical port offset
    MGT port: This is a constant that depends on the platform: 2 for hardware-based firewalls (for example, the PA-5000 Series firewall); 1 for the VM-Series firewall.
    Physical port offset: This is the physical port number.
Example Interface Index: PA-5000 Series firewall, Eth1/4 = 2 (MGT port) + 4 (physical port) = 6

Firewall Platform: Chassis based: PA-7000 Series firewalls
    This platform supports SNMP but not NetFlow.
Calculation: (Max. ports * slot) + physical port offset + MGT port
    Maximum ports: This is a constant of 64.
    Slot: This is the chassis slot number of the network interface card.
    Physical port offset: This is the physical port number.
    MGT port: This is a constant of 5 for PA-7000 Series firewalls.
Example Interface Index: PA-7000 Series firewall, Eth3/9 = [64 (max. ports) * 3 (slot)] + 9 (physical port) + 5 (MGT port) = 206

Logical interface indexes for all platforms are nine-digit numbers that the firewall calculates as follows (digit 9 is the most significant digit, digits 1-4 the least significant):

Interface Type: Layer 3 subinterface
Range: 101010001 to 199999999
Digit 9: Type: 1
Digits 7-8: Interface slot: 1-9 (01-09)
Digits 5-6: Interface port: 1-9 (01-09)
Digits 1-4: Subinterface suffix: 1-9999 (0001-9999)
Example Interface Index: Eth1/5.22 = 100000000 (type) + 1000000 (slot) + 50000 (port) + 22 (suffix) = 101050022

Interface Type: Layer 2 subinterface
Range: 101010001 to 199999999
Digit 9: Type: 1
Digits 7-8: Interface slot: 1-9 (01-09)
Digits 5-6: Interface port: 1-9 (01-09)
Digits 1-4: Subinterface suffix: 1-9999 (0001-9999)
Example Interface Index: Eth2/3.6 = 100000000 (type) + 2000000 (slot) + 30000 (port) + 6 (suffix) = 102030006

Interface Type: Vwire subinterface
Range: 101010001 to 199999999
Digit 9: Type: 1
Digits 7-8: Interface slot: 1-9 (01-09)
Digits 5-6: Interface port: 1-9 (01-09)
Digits 1-4: Subinterface suffix: 1-9999 (0001-9999)
Example Interface Index: Eth4/2.312 = 100000000 (type) + 4000000 (slot) + 20000 (port) + 312 (suffix) = 104020312

Interface Type: VLAN
Range: 200000001 to 200009999
Digit 9: Type: 2
Digits 7-8: 00
Digits 5-6: 00
Digits 1-4: VLAN suffix: 1-9999 (0001-9999)
Example Interface Index: VLAN.55 = 200000000 (type) + 55 (suffix) = 200000055

Interface Type: Loopback
Range: 300000001 to 300009999
Digit 9: Type: 3
Digits 7-8: 00
Digits 5-6: 00
Digits 1-4: Loopback suffix: 1-9999 (0001-9999)
Example Interface Index: Loopback.55 = 300000000 (type) + 55 (suffix) = 300000055

Interface Type: Tunnel
Range: 400000001 to 400009999
Digit 9: Type: 4
Digits 7-8: 00
Digits 5-6: 00
Digits 1-4: Tunnel suffix: 1-9999 (0001-9999)
Example Interface Index: Tunnel.55 = 400000000 (type) + 55 (suffix) = 400000055

Interface Type: Aggregate group
Range: 500010001 to 500089999
Digit 9: Type: 5
Digits 7-8: 00
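The two formulas above, carried through in code as an added example (this is not code from the guide or from Palo Alto Networks): the encoder reproduces the worked examples in the tables, and the decoder inverts them so a collector-side tool can turn an ifindex back into the name shown in the firewall web interface. The MGT-port constants (2, 1, 5), the 64-port slot size and the digit layout of the nine-digit logical index are all taken from the tables; the assumption that a non-chassis physical index decodes to slot 1 is this example's own, since the non-chassis formula contains no slot term. The aggregate-group type (digit 9 = 5) is left out because its remaining digit layout is not given above.

```python
import re

# Constants from the tables above.
MGT_PORT_OFFSET = {"hardware": 2, "vm-series": 1, "pa-7000": 5}
PA7000_MAX_PORTS = 64
LOGICAL_TYPE = {"subinterface": 1, "vlan": 2, "loopback": 3, "tunnel": 4}  # digit 9 of a logical index
TYPE_BASE = 100_000_000

_PHYSICAL_RE = re.compile(r"^(?:eth|ethernet)(\d+)/(\d+)$", re.IGNORECASE)
_SUBIF_RE = re.compile(r"^(?:eth|ethernet)([1-9])/([1-9])\.(\d{1,4})$", re.IGNORECASE)
_NAMED_RE = re.compile(r"^(vlan|loopback|tunnel)\.(\d{1,4})$", re.IGNORECASE)


def physical_ifindex(name, platform):
    """Non-chassis: MGT port + port.  PA-7000 Series: 64 * slot + port + 5."""
    m = _PHYSICAL_RE.match(name)
    if not m:
        raise ValueError(f"not a physical interface name: {name}")
    slot, port = int(m.group(1)), int(m.group(2))
    if platform == "pa-7000":
        return PA7000_MAX_PORTS * slot + port + MGT_PORT_OFFSET["pa-7000"]
    return MGT_PORT_OFFSET[platform] + port


def logical_ifindex(name):
    """Nine digits: type in digit 9, slot in digits 7-8, port in digits 5-6, suffix in digits 1-4."""
    m = _SUBIF_RE.match(name)
    if m:
        slot, port, suffix = (int(g) for g in m.groups())
        return LOGICAL_TYPE["subinterface"] * TYPE_BASE + slot * 1_000_000 + port * 10_000 + suffix
    m = _NAMED_RE.match(name)
    if m:
        kind, suffix = m.group(1).lower(), int(m.group(2))
        return LOGICAL_TYPE[kind] * TYPE_BASE + suffix
    raise ValueError(f"not a logical interface name: {name}")


def decode_ifindex(index, platform="hardware"):
    """Reverse mapping, as an SNMP manager or NetFlow collector needs it."""
    if 1 <= index <= 9999:  # physical range
        if platform == "pa-7000":
            slot, port = divmod(index - MGT_PORT_OFFSET["pa-7000"], PA7000_MAX_PORTS)
            return f"ethernet{slot}/{port}"
        # Assumption of this example: non-chassis platforms have a single slot, numbered 1.
        return f"ethernet1/{index - MGT_PORT_OFFSET[platform]}"
    kind = index // TYPE_BASE
    suffix = index % 10_000
    if kind == LOGICAL_TYPE["subinterface"]:
        slot = (index // 1_000_000) % 100
        port = (index // 10_000) % 100
        return f"ethernet{slot}/{port}.{suffix}"
    for name, value in LOGICAL_TYPE.items():
        if value == kind and name != "subinterface":
            return f"{name}.{suffix}"
    raise ValueError(f"unrecognised interface index: {index}")


if __name__ == "__main__":
    for name in ("Eth1/5.22", "Eth2/3.6", "Eth4/2.312", "VLAN.55", "Loopback.55", "Tunnel.55"):
        idx = logical_ifindex(name)
        print(f"{name:12} -> {idx} -> {decode_ifindex(idx)}")
    print("PA-5000 Eth1/4 ->", physical_ifindex("Eth1/4", "hardware"))
    print("PA-7000 Eth3/9 ->", physical_ifindex("Eth3/9", "pa-7000"))
```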
User-ID
User Identification (User-ID) of the Palo Alto Networks firewall enables you to create policies and perform reporting based on users and groups rather than individual IP addresses.
    User-ID Overview
    User-ID Concepts
    Enable User-ID
    Map Users to Groups
    Map IP Addresses to Users
    Enable User- and Group-Based Policy
    Enable Policy for Users with Multiple Accounts
    Verify the User-ID Configuration
    Deploy User-ID in a Large-Scale Network

User-ID Overview
User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise directory and terminal services offerings, enabling you to tie application activity and policy rules to users and groups, not just IP addresses. Furthermore, with User-ID enabled, the Application Command Center (ACC), App Scope, reports, and logs all include usernames in addition to user IP addresses.
Palo Alto Networks firewalls support monitoring of the following enterprise services:
    Microsoft Active Directory
    Lightweight Directory Access Protocol (LDAP)
    Novell eDirectory
    Citrix Metaframe Presentation Server or XenApp
    Microsoft Terminal Services
For user- and group-based policies, the firewall requires a list of all available users and their corresponding group mappings that you can select when defining your policies. The firewall collects Group Mapping information by connecting directly to your LDAP directory server.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets it receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For example, the User-ID agent monitors server logs for login events, probes clients, and listens for syslog messages from authenticating services. To identify mappings for IP addresses that the agent didn't map, you can configure the firewall to redirect HTTP requests to a Captive Portal login. You can tailor the user mapping mechanisms to suit your environment, and even use different mechanisms at different sites.

User-ID does not work in environments where the source IP addresses of users are subject to NAT translation before the firewall maps the IP addresses to usernames.

Figure: User-ID

See User-ID Concepts for information on how User-ID works and Enable User-ID for instructions on setting up User-ID.
User-ID Concepts
    Group Mapping
    User Mapping

Group Mapping
To define policy rules based on user or group, first you create an LDAP server profile that defines how the firewall connects and authenticates to your directory server. The firewall supports a variety of directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The server profile also defines how the firewall searches the directory to retrieve the list of groups and the corresponding list of members. Next you create a group mapping configuration to Map Users to Groups. Then you can Enable User- and Group-Based Policy.
Defining policy rules based on group membership rather than on individual users simplifies administration because you don't have to update the rules whenever new users are added to a group. When configuring group mapping, you can limit which groups will be available in policy rules. You can specify groups that already exist in your directory service or define custom groups based on LDAP filters. Defining custom groups can be quicker than creating new groups or changing existing ones on an LDAP server, and doesn't require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match the filter to the custom group. For example, you might want a security policy that allows contractors in the Marketing Department to access social networking sites. If no Active Directory group exists for that department, you can configure an LDAP filter that matches users for whom the LDAP attribute Department is set to Marketing. Log queries and reports that are based on user groups will include custom groups.

User Mapping
Having the names of the users and groups is only one piece of the puzzle. The firewall also needs to know which IP addresses map to which users so that security rules can be enforced appropriately. Figure: User-ID illustrates the different methods that are used to identify users and groups on your network and shows how user mapping and group mapping work together to enable user- and group-based security enforcement and visibility.
The following topics describe the different methods of user mapping:
    Server Monitoring
    Client Probing
    Port Mapping
    Syslog
    Captive Portal
    GlobalProtect
    PAN-OS XML API
Server Monitoring
With server monitoring, a User-ID agent (either a Windows-based agent running on a domain server in your network, or the integrated PAN-OS User-ID agent running on the firewall) monitors the security event logs for specified Microsoft Exchange Servers, domain controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. Note that for these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events.
Because server monitoring requires very little overhead and because the majority of users can generally be mapped using this method, it is recommended as the base user mapping method for most User-ID deployments. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.

Client Probing
In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using Windows Management Instrumentation (WMI). The Windows-based User-ID agent can also perform NetBIOS probing (not supported on the PAN-OS integrated User-ID agent). Probing is particularly useful in environments with a high IP address turnover because changes will be reflected on the firewall more quickly, enabling more accurate enforcement of user-based policies. However, if the correlation between IP addresses and users is fairly static, you probably do not need to enable client probing. Because probing can generate a large amount of network traffic (based on the total number of mapped IP addresses), the agent that will be initiating the probes should be located as close as possible to the end clients.
If probing is enabled, the agent will probe each learned IP address periodically (every 20 minutes by default, but this is configurable) to verify that the same user is still logged in. In addition, when the firewall encounters an IP address for which it has no user mapping, it will send the address to the agent for an immediate probe. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.

Port Mapping
In environments with multi-user systems, such as Microsoft Terminal Server or Citrix environments, many users share the same IP address. In this case, the user-to-IP-address mapping process requires knowledge of the source port of each client. To perform this type of mapping, you must install the Palo Alto Networks Terminal Services Agent on the Windows/Citrix terminal server itself to intermediate the assignment of source ports to the various user processes. For terminal servers that do not support the Terminal Services agent, such as Linux terminal servers, you can use the XML API to send user mapping information from login and logout events to User-ID. See Configure User Mapping for Terminal Server Users for configuration details.

Syslog
In environments with existing network services that authenticate users, such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms, the firewall User-ID agent (either the Windows agent or the PAN-OS integrated agent on the firewall) can listen for authentication syslog messages from those services. Syslog filters, which are provided by a content update (integrated User-ID agent only) or configured manually, allow the User-ID agent to parse and extract usernames and IP addresses from authentication syslog events generated by the external service, and add the information to the User-ID IP-address-to-username mappings maintained by the firewall. See Configure User-ID to Receive User Mappings from a Syslog Sender for configuration details.

Figure: User-ID Integration with Syslog

Captive Portal
If the firewall or the User-ID agent can't map an IP address to a username (for example, if the user isn't logged in or uses an operating system such as Linux that your domain servers don't support), you can configure Captive Portal. Any web traffic (HTTP or HTTPS) that matches a Captive Portal policy rule requires user authentication. You can base the authentication on a transparent browser challenge (Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication), web form (for RADIUS, TACACS+, LDAP, Kerberos, or local database authentication), or client certificates. For details, see Map IP Addresses to Usernames Using Captive Portal.

GlobalProtect
For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user to enter login credentials for VPN access to the firewall. This login information is then added to the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because GlobalProtect users must authenticate to gain access to the network, the IP-address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. For more information on setting up GlobalProtect, refer to the GlobalProtect Administrator's Guide.

PAN-OS XML API
Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to an 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the User-ID agent or directly to the firewall. See Send User Mappings to User-ID Using the XML API for details.
EnableUserID
UserID
EnableUserID
Youmustcompletethefollowingtaskstosetupthefirewalltouserusersandgroupsinpolicyenforcement,
logging,andreporting:
MapUserstoGroups
MapIPAddressestoUsers
EnableUserandGroupBasedPolicy
VerifytheUserIDConfiguration
376 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
UserID
Map Users to Groups

Defining policy rules based on user group membership rather than individual users simplifies administration because you don't have to update the rules whenever group membership changes. Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve Group Mapping information. You can then Enable User- and Group-Based Policy.

The following are best practices for group mapping in an Active Directory (AD) environment:
If you have a single domain, you need only one LDAP server profile that connects the firewall to the domain controller with the best connectivity. You can add additional domain controllers for fault tolerance.
If you have multiple domains and/or multiple forests, you must create a server profile to connect to a domain server in each domain/forest. Take steps to ensure unique user names in separate forests.
If you have Universal Groups, create a server profile to connect to the Global Catalog server.

Map Users to Groups

Step 1: Add an LDAP server profile.
The profile defines how the firewall connects to the directory servers from which it collects group mapping information. You can add up to four servers to the profile, but they must be the same Type.
Configure an LDAP Server Profile:
1.
2. For each LDAP server, click Add and enter the server Name, IP address (LDAP Server), and Port (default is 389).
3. Based on your Type selection (for example, active-directory), the firewall automatically populates the correct LDAP attributes in the group mapping settings. However, if you customized your LDAP schema, you might need to modify the default settings.
4. In the Base DN field, enter the Distinguished Name (DN) of the LDAP tree location where you want the firewall to begin its search for user and group information.
5. Enter the authentication credentials for binding to the LDAP tree in the Bind DN, Password, and Confirm Password fields. The Bind DN can be a fully qualified LDAP name (for example, cn=administrator,cn=users,dc=acme,dc=local) or a user principal name (for example, administrator@acme.local).
6. Click OK to save the profile.
Step 2: Configure the server settings in a group mapping configuration.
1.
2.
3.
4. Select the LDAP Server Profile you just created.
5. (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
6. (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects section, enter a Search Filter (LDAP query), Object Class (group definition), Group Name, and Group Member.
7. (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section, enter a Search Filter (LDAP query), Object Class (user definition), and User Name.
8. (Optional) To match User-ID information with email header information identified in the links and attachments of emails forwarded to WildFire, enter the list of email domains in your organization in the Mail Domains section, Domain List field. Use commas to separate multiple domains (up to 256 characters). After you click OK, PAN-OS automatically populates the Mail Attributes field based on your LDAP server type (Sun/RFC, Active Directory, or Novell). When a match occurs, the user name in the WildFire log email header section will contain a link that opens the ACC tab, filtered by user or user group.
9. Make sure the Enabled check box is selected.
Step 3: Limit which groups will be available in policy rules.
Required only if you want to limit policy rules to specific groups. By default, if you don't specify groups, all groups are available in policy rules.
Any custom groups you create will also be available in the Allow List of authentication profiles.
1.
2. Add existing groups from the directory service:
   a. Select the Group Include List tab.
   b. In the Available Groups list, select the groups you want to appear in policy rules and click the Add icon.
   If you want to base policy rules on user attributes that don't match existing user groups, create custom groups based on LDAP filters:
   a. Select the Custom Group tab and click Add.
   b. Enter a group Name that is unique in the group mapping configuration for the current firewall or virtual system. If the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (for example, in policies and logs).
   c. Specify an LDAP Filter of up to 2,048 UTF-8 characters and click OK. The firewall doesn't validate LDAP filters, so it's up to you to ensure they are accurate.
   To minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
3. Click OK and Commit. A commit is necessary before custom groups will be available in policies and objects.
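Because the firewall does not validate the LDAP Filter of a custom group (Step 3), a malformed filter only shows up later as an empty group. The following Python is an added example, not part of this guide or of PAN-OS: it checks a filter for RFC 4515 syntax (balanced parentheses, valid operators, escaped special characters, extensible-match syntax) and the 2,048-character limit before you paste it into the Custom Group tab. It checks form only; it cannot tell whether the attributes exist or are indexed in your directory.

```python
import re
from typing import Optional

# Limit the guide states for the LDAP Filter field of a custom group.
MAX_FILTER_CHARS = 2048

# Attribute description, optionally with an extensible-match suffix (":dn" and/or
# ":<matching rule>"), as in the common AD filter
# (userAccountControl:1.2.840.113556.1.4.803:=2).
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*(?::dn)?(?::[A-Za-z0-9.-]+)?")
_OPERATORS = (":=", "~=", ">=", "<=", "=")
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


class FilterError(ValueError):
    """Raised with the offset and reason when a filter is not well formed."""


def validate_ldap_filter(text: str) -> bool:
    """Return True if text is a syntactically valid RFC 4515 filter; raise FilterError otherwise."""
    if len(text) > MAX_FILTER_CHARS:
        raise FilterError(f"filter is {len(text)} characters; the limit is {MAX_FILTER_CHARS}")
    end = _parse_filter(text, 0)
    if end != len(text):
        raise FilterError(f"unexpected text after the filter at offset {end}")
    return True


def check_ldap_filter(text: str) -> Optional[str]:
    """Return None when the filter is well formed, otherwise the problem as a string."""
    try:
        validate_ldap_filter(text)
    except FilterError as exc:
        return str(exc)
    return None


def _parse_filter(s: str, i: int) -> int:
    """Parse one parenthesised filter starting at s[i]; return the offset after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("filter ends after '('")
    if s[i] in "&|":                         # and / or: one or more nested filters
        op, i, count = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise FilterError(f"'{op}' must contain at least one nested filter")
    elif s[i] == "!":                        # not: exactly one nested filter
        i = _parse_filter(s, i + 1)
    else:
        i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


def _parse_item(s: str, i: int) -> int:
    """Parse 'attr<op>value' up to (not including) the closing parenthesis."""
    m = _ATTR.match(s, i)
    if not m:
        raise FilterError(f"expected an attribute name at offset {i}")
    i = m.end()
    for op in _OPERATORS:
        if s.startswith(op, i):
            i += len(op)
            break
    else:
        raise FilterError(f"expected one of {_OPERATORS} at offset {i}")
    while i < len(s) and s[i] != ")":
        ch = s[i]
        if ch == "\\":                       # RFC 4515: '\' must be followed by two hex digits
            if not _HEX_PAIR.match(s, i + 1):
                raise FilterError(f"backslash at offset {i} must be followed by two hex digits")
            i += 3
            continue
        if ch in "(\0":
            raise FilterError(f"unescaped {ch!r} in value at offset {i}")
        if ch == "*" and op != "=":
            raise FilterError(f"'*' is only allowed with '=' (offset {i})")
        i += 1
    return i
```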
Map IP Addresses to Users

The tasks you perform to map IP addresses to user names depend on the type and location of the client systems on your network. Complete as many of the following tasks as necessary to enable mapping of your client systems:
To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must configure the User-ID agent to monitor server logs and probe client systems. You can either Configure User Mapping Using the PAN-OS Integrated User-ID Agent or Configure User Mapping Using the Windows User-ID Agent. The Windows-based User-ID agent is a standalone agent that you install on one or more member servers in the domain that contains the servers and clients that the agent will monitor. For guidance on which agent is appropriate for your network and the required number and placement of agents, refer to Architecting User Identification Deployments.
If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Services Agent for User Mapping. For a multi-user system that doesn't run on Windows, you can Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API.
To obtain user mappings from existing network services that authenticate users, such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms, Configure User-ID to Receive User Mappings from a Syslog Sender. You can use either the Windows agent or the agentless user mapping feature on the firewall to listen for authentication syslog messages from the network services.
If you have users with client systems that aren't logged into your domain servers (for example, users running Linux clients that don't log in to the domain), you can Map IP Addresses to Usernames Using Captive Portal.
For other clients that you can't map using the preceding methods, you can Send User Mappings to User-ID Using the XML API.
A large-scale network can have hundreds of information sources that firewalls query for user and group mapping and can have numerous firewalls that enforce policies based on the mapping information. You can simplify User-ID administration for such a network by aggregating the mapping information before the User-ID agents collect it. You can also reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to redistribute the mapping information. For details, see Deploy User-ID in a Large-Scale Network.

Configure User Mapping Using the Windows User-ID Agent

In most cases, the majority of your network users will have logins to your monitored domain services. For these users, the Palo Alto Networks User-ID agent monitors the servers for login events and performs the IP address to user name mapping. The way you configure the User-ID agent depends on the size of your environment and the location of your domain servers. As a best practice, you should locate your User-ID agents near your monitored servers (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a small amount of traffic (the delta of IP address mappings since the last update) from the agent to the firewall.
The following topics describe how to install and configure the User-ID Agent and how to configure the firewall to retrieve user mapping information from the agent:
Install the User-ID Agent
Configure the User-ID Agent for User Mapping
Install the User-ID Agent

The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer will automatically remove the older version; however, it is a good idea to back up the config.xml file before running the installer.
For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.

Install the Windows User-ID Agent

Step 1: Decide where to install the User-ID agent.
The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure Calls (MSRPCs), which require a complete transfer of the entire log at each query. Therefore, always install one or more User-ID agents at each site that has servers to be monitored.
For more detailed information on where to install User-ID agents, refer to Architecting User Identification (User-ID) Deployments.
You must install the User-ID agent on a system running one of the supported OS versions: see Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall, so locating the agent close to the monitored servers optimizes bandwidth usage).
To ensure the most comprehensive mapping of users, you must monitor all servers that contain user login information. You might need to install multiple User-ID agents to efficiently monitor all of your resources.

Step 2: Download the User-ID agent installer.
As a best practice, install the User-ID agent version that is the same as the PAN-OS version running on the firewalls.
1. Log in to the Palo Alto Networks Customer Support website.
2. Select Software Updates from the Manage Devices section.
3. Scroll to the User Identification Agent section of the screen and Download the version of the User-ID agent you want to install.
4. Save the UaInstall-x.x.x-xx.msi file on the system(s) where you plan to install the agent.

Step 3: Run the installer as an administrator.
1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
C:\Users\administrator.acme>cd Desktop
C:\Users\administrator.acme\Desktop>UaInstall-6.0.0-1.msi
3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\User-ID Agent folder, but you can Browse to a different location.
4. When the installation completes, Close the setup window.
Step 4: Launch the User-ID Agent application.
Open the Windows Start menu and select User-ID Agent.

Step 5: (Optional) Change the service account that the User-ID agent uses to log in.
By default, the agent uses the administrator account used to install the .msi file. However, you may want to switch this to a restricted account as follows:
1.
2. Select the Authentication tab and enter the service account name that you want the User-ID agent to use in the User name for Active Directory field.
3. Enter the Password for the specified account.

Step 6: (Optional) Assign account permissions to the installation folder.
You only need to perform this step if the service account you configured for the User-ID agent is not a member of the administrators group for the domain or a member of both the Server Operators and the Event Log Readers groups.
1. Give the service account permissions to the installation folder:
   a. From the Windows Explorer, navigate to C:\Program Files\Palo Alto Networks and right-click the folder and select Properties.
   b. On the Security tab, Add the User-ID agent service account and assign it permissions to Modify, Read & execute, List folder contents, and Read and then click OK to save the account settings.
2. Give the service account permissions to the User-ID Agent registry subtree:
   a. Run regedit32 and navigate to the Palo Alto Networks subtree in one of the following locations:
      32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
      64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
   b. Right-click the Palo Alto Networks node and select Permissions.
   c. Assign the User-ID service account Full Control and then click OK to save the setting.
3. On the domain controller, add the service account to the built-in groups to enable privileges to read the security log events (Event Log Reader group) and open sessions (Server Operator group):
   a. Run the MMC and Launch the Active Directory Users and Computers snap-in.
   b. Navigate to the Builtin folder for the domain and then right-click each group you need to edit (Event Log Reader and Server Operator) and select Add to Group to open the properties dialog.
   c. Click Add and enter the name of the service account that you configured the User-ID service to use and then click Check Names to validate that you have the proper object name.
   d. Click OK twice to save the settings.
Configure the User-ID Agent for User Mapping

The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network (for example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers) and monitors the logs for login events. The agent uses this information to map IP addresses to user names. Palo Alto Networks firewalls connect to the User-ID agent to retrieve this user mapping information, enabling visibility into user activity by user name rather than IP address and enabling user- and group-based security enforcement.
For information about the server OS versions supported by the User-ID agent, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.

Map IP Addresses to Users Using the Windows-based User-ID Agent

Step 1: Define the servers the User-ID agent will monitor to collect IP address to user mapping information.
The User-ID agent can monitor up to 100 servers, of which up to 50 can be syslog senders.
To collect all of the required mappings, the User-ID agent must connect to all servers that your users log in to in order to monitor the security log files on all servers that contain login events.
1. Open the Windows Start menu and select User-ID Agent.
2.
3. In the Servers section of the screen, click Add.
4. Enter a Name and Server Address for the server to be monitored. The network address can be a FQDN or an IP address.
5.
6. (Optional) To enable the firewall to automatically discover domain controllers on your network using DNS lookups, click Auto Discover.
   The auto-discovery locates domain controllers in the local domain only; you must manually add Exchange servers, eDirectory servers, and syslog senders.
7. (Optional) To tune the frequency at which the firewall polls configured servers for mapping information, select User Identification > Setup and Edit the Setup section. On the Server Monitor tab, modify the value in the Server Log Monitor Frequency (seconds) field. As a best practice, you should increase the value in this field to 5 seconds in environments with older Domain Controllers or high-latency links. Click OK to save the changes.
Step 2: (Optional) If you configured the agent to connect to a Novell eDirectory server, you must specify how the agent should search the directory.
1.
2. Select the eDirectory tab and then complete the following fields:
   Search Base: The starting point or root context for agent queries, for example: dc=domain1, dc=example, dc=com.
   Bind Distinguished Name: The account to use to bind to the directory, for example: cn=admin, ou=IT, dc=domain1, dc=example, dc=com.
   Bind Password: The bind account password. The agent saves the encrypted password in the configuration file.
   Search Filter: The search query for user entries (default is objectClass=Person).
   Server Domain Prefix: A prefix to uniquely identify the user. This is only required if there are overlapping name spaces, such as different users with the same name from two different directories.
   Use SSL: Select the check box to use SSL for eDirectory binding.
   Verify Server Certificate: Select the check box to verify the eDirectory server certificate when using SSL.

Step 3: (Optional) Enable client probing.
Client probing is useful in environments where IP addresses are not tightly bound to users because it ensures that previously mapped addresses are still valid. However, as the total number of learned IP addresses grows, so does the amount of traffic generated. As a best practice, enable probing only on network segments where IP address turnover is high.
For more details on the placement of User-ID agents using client probing, refer to Architecting User Identification (User-ID) Deployments.
1.
2. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.
   For NetBIOS probing to work effectively, each probed client PC must allow port 139 in the Windows firewall and must also have file and printer sharing services enabled. WMI probing is always preferred over NetBIOS whenever possible.
Step 4: Save the configuration.
Click OK to save the User-ID agent setup settings and then click Commit to restart the User-ID agent and load the new settings.

Step 5: (Optional) Define the set of users for which you do not need to provide IP address to user name mappings, such as kiosk accounts.
You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive Portal.
Create an ignore_user_list.txt file and save it to the User-ID Agent folder on the domain server where the agent is installed. List the user accounts to ignore; there is no limit to the number of accounts you can add to the list. Each user account name must be on a separate line. For example:
SPAdmin
SPInstall
TFSReport
You can use an asterisk as a wildcard character to match multiple user names, but only as the last character in the entry. For example, corpdomain\itadmin* would match all administrators in the corpdomain domain whose user names start with the string itadmin.

Step 6: Configure the firewalls to connect to the User-ID agent.
Complete the following steps on each firewall you want to connect to the User-ID agent to receive user mappings:
1.
2. Enter a Name for the User-ID agent.
3. Enter the IP address of the Windows Host on which the User-ID Agent is installed.
4. Enter the Port number (1-65535) on which the agent will listen for user mapping requests. This value must match the value configured on the User-ID agent. By default, the port is set to 5007 on the firewall and on newer versions of the User-ID agent. However, some older User-ID agent versions use port 2010 as the default.
5. Make sure that the configuration is Enabled, then click OK.
6. Commit the changes.
7.

Step 7: Verify that the User-ID agent is successfully mapping IP addresses to user names and that the firewalls can connect to the agent.
1. Launch the User-ID agent and select User Identification.
2. Verify that the agent status shows Agent is running. If the Agent is not running, click Start.
3. To verify that the User-ID agent can connect to monitored servers, make sure the Status for each Server is Connected.
4. To verify that the firewalls can connect to the User-ID agent, make sure the Status for each of the Connected Devices is Connected.
5. To verify that the User-ID agent is mapping IP addresses to user names, select Monitoring and make sure that the mapping table is populated. You can also Search for specific users, or Delete user mappings from the list.
Configure User Mapping Using the PAN-OS Integrated User-ID Agent

The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address to user name mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).

Map IP Addresses to Users Using the Integrated User-ID Agent

Step 1: Add an Active Directory account for the User-ID agent to access the services and hosts it will monitor for collecting user mapping information.
Windows 2008 or later domain servers: Add the account to the Event Log Readers group. If you are using the PAN-OS integrated User-ID agent, the account must also be a member of the Distributed COM Users Group.
WMI probing: Make sure the account has rights to read the CIMV2 namespace; by default, Domain Administrator and Server Operator accounts have this permission.
NTLM authentication: Because the firewall must join the domain if you are using Captive Portal NTLM authentication with a PAN-OS integrated User-ID agent, the Windows account you create for NTLM access must have administrative privileges. Note that due to AD restrictions on virtual systems running on the same host, if the firewall has multiple virtual systems, only vsys1 will be able to join the domain.
Step 2: Define the servers that the firewall will monitor to collect user mapping information.
Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
To collect all the required mappings, the firewall must connect to all servers that your users log in to so it can monitor the Security log files on all servers that contain login events.
1.
2. Click Add in the Server Monitoring section.
3. Enter a Name to identify the server.
4. Select the Type of server.
5. Enter the Network Address (an FQDN or IP address) of the server.
6. Make sure the server profile is Enabled and click OK.
7. (Optional) Click Discover if you want the firewall to automatically discover domain controllers on your network using DNS lookups.
   The auto-discovery feature is for domain controllers only; you must manually add any Exchange servers or eDirectory servers you want to monitor.
8. (Optional) Specify the frequency at which the firewall polls Windows servers for mapping information. This is the interval between the end of the last query and the start of the next query.
   If the query load is high, the observed delay between queries might significantly exceed the specified frequency.
   a. Edit the Palo Alto Networks User ID Agent Setup.
   b. Select the Server Monitor tab and specify the Server Log Monitor Frequency in seconds (default is 2, range is 1-3600).
   As a best practice, increase the value in this field to 5 seconds in environments with older domain controllers or high-latency links.
   c. Click OK to save the changes.

Step 3: Set the domain credentials for the account the firewall will use to access Windows resources. This is required for monitoring Exchange servers and domain controllers as well as for WMI probing.
1. Edit the Palo Alto Networks User-ID Agent Setup.
2. Select the WMI Authentication tab and enter the User Name and Password for the account that the User-ID agent will use to probe the clients and monitor servers. Enter the user name using the domain\username syntax.
Step 4: (Optional) Enable WMI probing.
The PAN-OS integrated User-ID agent does not support NetBIOS probing; only the Windows-based User-ID agent supports it.
1.
2.
3. (Optional) Enable WMI probing for public IPv4 addresses if desired. (Public IPv4 addresses are those outside the scope of RFC 1918 and RFC 3927.) By default, WMI probing excludes client systems with public IPv4 addresses.
   If you include any subnetworks in the Include/Exclude Networks list, the firewall implicitly excludes all subnetworks that are not in the list. Therefore, if you add subnetworks for public IPv4 addresses, you must also add all the other subnetworks that WMI probing should include.
   a. Select Device > User Identification > User Mapping.
   b. Add each subnetwork of public IPv4 addresses to the Include/Exclude Networks list.
   c. Enter a Name to identify the subnetwork.
   d. Set the Discovery option to Include.
   e. Enter the IP address range of the subnetwork in the Network Address field.
   f. Ensure the subnetwork is Enabled and click OK.
4. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.

Step 5: (Optional) Define the set of users for which you don't require IP address to user name mappings, such as kiosk accounts.
You can also use the ignore user list to identify users whom you want to force to authenticate using Captive Portal.

Step 6: Activate your configuration changes.
Click OK and Commit.

Step 7: Verify the configuration.
1. Access the firewall CLI.
2. Enter the following operational command:
> show user server-monitor state all
3.
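The Include/Exclude Networks rule in Step 4 is easy to get wrong: adding a single public subnetwork silently stops probing of every private subnetwork that is not also listed. The following Python is an added example, not part of this guide or of PAN-OS, that models that decision for a set of client addresses so you can check a planned list before committing it. The RFC 1918 and RFC 3927 default exclusion is from the guide; the rule that an Exclude entry wins over an overlapping Include entry is an assumption, and the subnetworks and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable

# Ranges the guide treats as non-public: RFC 1918 private space and RFC 3927
# link-local space. Anything else is a "public" IPv4 address.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                   # RFC 3927
)]


@dataclass(frozen=True)
class NetworkEntry:
    """One row of the Include/Exclude Networks list (field names follow the UI)."""
    name: str
    discovery: str          # "include" or "exclude"
    network_address: str    # CIDR such as "203.0.113.0/24"
    enabled: bool = True


def is_public_ipv4(ip: ipaddress.IPv4Address) -> bool:
    return not any(ip in net for net in _NON_PUBLIC)


def should_probe(client_ip: str, entries: Iterable[NetworkEntry]) -> bool:
    """Decide whether WMI probing would target client_ip under the given list."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        return False            # the guide states these rules for IPv4 only
    active = [e for e in entries if e.enabled]
    if not active:
        # Empty list: default behaviour, probe private and link-local only.
        return not is_public_ipv4(ip)
    matched = [e for e in active if ip in ipaddress.ip_network(e.network_address)]
    if not matched:
        # Any listed network makes every unlisted network implicitly excluded.
        return False
    # Assumption (not stated on the page): an explicit Exclude entry wins over
    # an overlapping Include entry.
    return all(e.discovery == "include" for e in matched)


def probe_plan(client_ips: Iterable[str], entries: Iterable[NetworkEntry]) -> Dict[str, bool]:
    """Map each client address to the probing decision, for reviewing a planned list."""
    entries = list(entries)
    return {ip: should_probe(ip, entries) for ip in client_ips}


# Constructed list: a public branch subnetwork added on its own, which is the
# mistake the guide warns about, next to a complete list.
PUBLIC_ONLY = [NetworkEntry("branch-public", "include", "203.0.113.0/24")]
COMPLETE = PUBLIC_ONLY + [NetworkEntry("corp-private", "include", "10.0.0.0/8")]
```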
Configure User-ID to Receive User Mappings from a Syslog Sender

The following topics describe how to configure the PAN-OS integrated User-ID agent or Windows-based User-ID agent as a Syslog listener:
Configure the Integrated User-ID Agent as a Syslog Listener
Configure the Windows User-ID Agent as a Syslog Listener

Configure the Integrated User-ID Agent as a Syslog Listener

The following workflow describes how to configure the PAN-OS integrated User-ID agent to receive syslog messages from authenticating services.
The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.

Collect User Mappings from Syslog Senders

Step 1: Determine whether there is a predefined syslog filter for your particular syslog senders.
Palo Alto Networks provides several predefined syslog filters, which are delivered as Application content updates and are therefore updated dynamically as new filters are developed. The predefined filters are global to the firewall, whereas manually defined filters apply to a single virtual system only.
Any new syslog filters in a given content release will be documented in the corresponding release note along with the specific regex used to define the filter.
1. Verify that your Application or Application and Threat database is up to date:
   a. Select Device > Dynamic Updates.
   b. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates.
   c. If a new update is available, Download and Install it.
2. Check to see what predefined filters are available:
   a. Select Device > User Identification > User Mapping.
   b. In the Server Monitoring section of the screen, click Add.
   c. Select Syslog Sender as the server Type.
   d. Select the Filter drop-down and check to see if there is a filter for the manufacturer and product you plan to forward syslogs from. If the filter you need is available, skip to Step 5 for instructions on defining the servers. If the filter you need is not available, continue to Step 2.
Step 2: Manually define syslog filters for extracting the User-ID IP address to user name mapping information from syslog messages.
In order to be parsed by the User-ID agent, syslog messages must meet the following criteria:
Each syslog message must be a single-line text string. Line breaks are delimited by a carriage return and a newline (\r\n) or a newline (\n).
The maximum allowed size of an individual syslog message is 2048 bytes.
Syslog messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets.
A single packet may contain multiple syslog messages.
1. Review the syslogs generated by the authenticating service to identify the syntax of the login events. This enables you to create the matching patterns that will allow the firewall to identify and extract the authentication events from the syslogs.
   While reviewing the syslogs, also determine whether the domain name is included in the log entries. If the authentication logs do not contain domain information, consider defining a default domain name when adding the syslog sender to the monitored servers list in Step 5.
2.
3. Select the Syslog Filters tab and Add a Syslog Parse profile.
4.
5. Specify the Type of parsing to use to filter out the user mapping information:
   Regex Identifier: With this type of parsing, you specify regular expressions to describe search patterns for identifying and extracting user mapping information from syslog messages. Continue to Step 3 for instructions on creating the regex identifiers.
   Field Identifier: With this type of parsing, you specify a string to match the authentication event, and prefix and suffix strings to identify the user mapping information in the syslogs. Continue to Step 4 for instructions on creating the field identifiers.
Step 3: If you selected Regex Identifier as the parsing Type, create the regex matching patterns for identifying the authentication events and extracting the user mapping information.
This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event Regex field. For example, when matched against the example syslog message, the following regex instructs the firewall to extract the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character: (authentication\ success){1}.
2. Enter the regex for identifying the beginning of the user name in the authentication success messages in the Username Regex field. For example, the regex User:([a-zA-Z0-9\\\._]+) would match the string User:johndoe1 in the example message and extract acme\johndoe1 as the User-ID.
   If the syslogs do not contain domain information and you require domain names in your user mappings, be sure to enter the Default Domain Name when defining the monitored server entry in Step 5.
   If the syslog contains a standalone space or tab as a delimiter, you must use an \s (for a space) and a \t (for a tab) for the agent to parse the syslog.
3. Enter the regex for identifying the IP address portion of the authentication success messages in the Address Regex field. For example, the following regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) would match an IPv4 address (Source:192.168.0.212 in the example syslog).
4. Click OK.

Step 4: If you selected Field Identifier as the parsing Type, define the string matching patterns for identifying the authentication events and extracting the user mapping information.
This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event String field. For example, when matched against the sample syslog message, you would enter the string authentication success to identify authentication events in the syslog.
2. Enter the matching string for identifying the beginning of the username field within the authentication syslog message in the Username Prefix field. For example, the string User: identifies the beginning of the username field in the sample syslog.
   If the syslog contains a standalone space and/or tab as a delimiter, you must use an \s (for a space) and/or \t (for a tab) in order for the agent to parse the syslog.
3. Enter the Username Delimiter to mark the end of the username field within an authentication syslog message. For example, if the username is followed by a space, you would enter \s to indicate that the username field is delimited by a standalone space in the sample log.
4. Enter the matching string for identifying the beginning of the IP address field within the authentication event log in the Address Prefix field. For example, the string Source: identifies the beginning of the address field in the example log.
5.
6. Click OK.
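To see what the two parse profile types from Steps 3 and 4 actually extract, the following Python is an added example, not part of this guide or of PAN-OS. It applies a Regex Identifier profile and a Field Identifier profile, built from the patterns above, to a packet that carries the sample login line, enforces the message criteria from Step 2 (single-line messages, 2048-byte limit, several messages per packet), and prepends a Default Domain Name (Step 5) when the log carries none. The second, failed-login line in the packet, the Address Delimiter value, and the default domain acme are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_MESSAGE_BYTES = 2048   # per-message limit stated in Step 2


@dataclass(frozen=True)
class Mapping:
    user: str
    ip: str


def split_messages(packet: bytes) -> List[str]:
    """A packet may carry several single-line messages delimited by \\r\\n or \\n."""
    return [m for m in re.split(r"\r\n|\n", packet.decode("utf-8", "replace")) if m]


def _qualify(user: str, default_domain: Optional[str]) -> str:
    """Prepend the Default Domain Name only when the log itself carries no domain."""
    return f"{default_domain}\\{user}" if default_domain and "\\" not in user else user


def _unescape(delim: str) -> str:
    """The UI takes \\s for a space and \\t for a tab; anything else is literal."""
    return {"\\s": " ", "\\t": "\t"}.get(delim, delim)


class RegexIdentifierProfile:
    """Syslog Parse profile of Type 'Regex Identifier' (Step 3)."""

    def __init__(self, event_regex: str, username_regex: str, address_regex: str):
        self.event = re.compile(event_regex)
        self.username = re.compile(username_regex)
        self.address = re.compile(address_regex)

    def parse(self, msg: str, default_domain: Optional[str] = None) -> Optional[Mapping]:
        if len(msg.encode("utf-8")) > MAX_MESSAGE_BYTES or not self.event.search(msg):
            return None
        user, addr = self.username.search(msg), self.address.search(msg)
        if not (user and addr):
            return None
        return Mapping(_qualify(user.group(1), default_domain), addr.group(1))


class FieldIdentifierProfile:
    """Syslog Parse profile of Type 'Field Identifier' (Step 4)."""

    def __init__(self, event_string: str, username_prefix: str, username_delimiter: str,
                 address_prefix: str, address_delimiter: str):
        self.event_string = event_string
        self.user_prefix, self.user_delim = username_prefix, _unescape(username_delimiter)
        self.addr_prefix, self.addr_delim = address_prefix, _unescape(address_delimiter)

    @staticmethod
    def _field(msg: str, prefix: str, delim: str) -> Optional[str]:
        start = msg.find(prefix)
        if start < 0:
            return None
        start += len(prefix)
        end = msg.find(delim, start)
        return (msg[start:] if end < 0 else msg[start:end]) or None

    def parse(self, msg: str, default_domain: Optional[str] = None) -> Optional[Mapping]:
        if len(msg.encode("utf-8")) > MAX_MESSAGE_BYTES or self.event_string not in msg:
            return None
        user = self._field(msg, self.user_prefix, self.user_delim)
        addr = self._field(msg, self.addr_prefix, self.addr_delim)
        return Mapping(_qualify(user, default_domain), addr) if user and addr else None


# Constructed packet: the guide's sample login line plus a failed login that
# must not produce a mapping.
SAMPLE_PACKET = (
    b"[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success "
    b"User:johndoe1 Source:192.168.3.212\r\n"
    b"[Tue Jul 5 13:15:09 2005 CDT] Administrator authentication failure "
    b"User:mallory Source:192.168.3.99\n"
)

# The patterns from Steps 3 and 4; the Address Delimiter is an assumed value.
REGEX_PROFILE = RegexIdentifierProfile(
    event_regex=r"(authentication\ success){1}",
    username_regex=r"User:([a-zA-Z0-9\\\._]+)",
    address_regex=r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",
)
FIELD_PROFILE = FieldIdentifierProfile(
    event_string="authentication success", username_prefix="User:",
    username_delimiter=r"\s", address_prefix="Source:", address_delimiter=r"\s",
)


def mappings_from_packet(packet: bytes, profile, default_domain: Optional[str] = "acme") -> List[Mapping]:
    """Run one profile over every message in a packet; messages that do not match are dropped."""
    results = [profile.parse(m, default_domain) for m in split_messages(packet)]
    return [r for r in results if r is not None]
```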
Step 5: Define the servers that will send syslog messages to the firewall for user mapping purposes.
Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
The firewall will discard any syslog messages received from servers that are not on this list.
1.
2. Enter a Name to identify the server.
3. Make sure the server profile is Enabled (default).
4. Select Syslog Sender as the server Type.
5. Enter the Network Address of the syslog server (IP address or FQDN).
6. Select the Syslog Parse profile you configured as a Filter.
7. Select UDP or SSL (default) as the Connection Type.
   Use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages when using agentless User Mapping on a firewall. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.
   A Syslog sender using SSL to connect will only show a Status of Connected when there is an active SSL connection. Syslog senders using UDP will not show a Status value.
8. (Optional) If the syslogs that the authenticating firewall sends do not include domain information in the login event logs, enter the Default Domain Name to append to the user mappings.
9. Click OK to save the settings.
Step 6: Enable syslog listener services in the management profile associated with the interface used for user mapping.
1.
2.
3. Click OK to save the interface management profile.
   Even after enabling the User-ID Syslog Listener service on the interface, the interface will only accept syslog connections from servers that have a corresponding entry in the User-ID monitored servers configuration. The firewall discards connections or messages from servers that are not on the list.
4. If you created a new Interface Management profile, assign it to the interface used for user mapping:
   a. Select Network > Interfaces and edit the interface.
   b. Select Advanced > Other info, select the Interface Management Profile you just added, and click OK.

Step 7: Save the configuration.
Click Commit to save the configuration.
MapIPAddressestoUsers
UserID
CollectUserMappingsfromSyslogSenders(Continued)
Step 8
Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:
To see the status of a particular syslog sender:
admin@PA-5050> show user server-monitor state Syslog2
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is enabled
Proxy: Syslog2(vsys: vsys1)
Host: Syslog2(10.5.204.41)
number of log messages                 : 1000
number of auth. success messages       : 1000
number of active connections           : 0
total connections made                 : 4
To see how many log messages came in from syslog senders and how many entries were successfully mapped:
admin@PA-5050> show user server-monitor statistics
Directory Servers:
Name        TYPE    Host           Vsys    Status
----------------------------------------------------------------------------
AD          AD      10.2.204.43    vsys1   Connected
Syslog Servers:
Name        Connection  Host           Vsys    Status
----------------------------------------------------------------------------
Syslog1     UDP         10.5.204.40    vsys1   N/A
Syslog2     SSL         10.5.204.41    vsys1   Not connected
To see how many user mappings were discovered through syslog senders:
admin@PA-5050> show user ip-user-mapping all type SYSLOG
IP               Vsys    From     User               IdleTimeout(s)  MaxTimeout(s)
--------------------------------------------------------------------------------
192.168.3.8                                                          476
192.168.5.39     vsys1   SYSLOG   acme\jdonaldson    2480            480
192.168.2.147    vsys1   SYSLOG   acme\ccrisp        2476            476
192.168.2.175    vsys1   SYSLOG   acme\jjaso         2476            476
192.168.4.196    vsys1   SYSLOG   acme\jblevins      2480            480
192.168.4.103    vsys1   SYSLOG   acme\bmoss         2480            480
192.168.2.193    vsys1   SYSLOG   acme\esogard       2476            476
192.168.2.119    vsys1   SYSLOG   acme\acallaspo     2476            476
192.168.3.176    vsys1   SYSLOG   acme\jlowrie       2478            478
Total: 9 users
Configure the Windows User-ID Agent as a Syslog Listener
The following workflow describes how to configure a Windows-based User-ID agent to listen for syslogs from authenticating services.
The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, use TCP instead of UDP. In either case, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.
Configure the Windows User-ID Agent to Collect User Mappings from Syslog Senders
Step 1
Manually define syslog filter(s) for extracting the User-ID IP address-to-username mapping information from syslog messages.
In order to be parsed by the User-ID agent, syslog messages must meet the following criteria:
- Each syslog message must be a single-line text string. Line breaks are delimited by a carriage return and a newline (\r\n) or a newline (\n).
- The maximum allowed size of an individual syslog message is 2048 bytes.
- Syslog messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets.
- A single packet may contain multiple syslog messages.
1. Open the Windows Start menu and select User-ID Agent.
2. Review the syslogs generated by the authenticating service to identify the syntax of the login events. This enables you to create the matching patterns that will allow the firewall to identify and extract the authentication events from the syslogs.
While reviewing the syslogs, also determine whether the domain name is included in the log entries. If the authentication logs do not contain domain information, consider defining a default domain name when adding the syslog sender to the monitored servers list in Step 5.
3.
4. On the Syslog tab, Add a Syslog Parse profile.
5. Enter a Profile Name and Description.
6. Specify the Type of parsing to use to filter out the user mapping information by selecting one of the following options:
- Regex: With this type of parsing, you specify regular expressions to describe search patterns for identifying and extracting user mapping information from syslog messages. Continue to Step 3 for instructions on creating the regex identifiers.
- Field: With this type of parsing, you specify a string to match the authentication event, and prefix and suffix strings to identify the user mapping information in the syslogs. Continue to Step 4 for instructions on creating the field identifiers.
Step 2
If you selected Regex as the parsing Type, create the regex matching patterns for identifying the authentication events and extracting the user mapping information.
This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event Regex field. For example, when matched against the example syslog message, the following regex instructs the firewall to extract the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character: (authentication\ success){1}.
2. Enter the regex for identifying the beginning of the username in the authentication success messages in the Username Regex field. For example, the regex User:([a-zA-Z0-9\\\._]+) would match the string User:johndoe1 in the example message and extract acme\johndoe1 as the User-ID.
If the syslogs do not contain domain information and you require domain names in your user mappings, be sure to enter the Default Domain Name when defining the monitored server entry in Step 5.
If the syslog contains a standalone space or tab as a delimiter, you must use an \s (for a space) and \t (for a tab) for the agent to parse the syslog.
3. Enter the regex for identifying the IP address portion of the authentication success messages in the Address Regex field. For example, the following regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) would match an IPv4 address (Source:192.168.0.212 in the example syslog).
4. Click OK to save the profile.
Step 3
If you selected Field Identifier as the parsing Type, define the string matching patterns for identifying the authentication events and extracting the user mapping information.
This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
1. Specify how to match successful authentication events in the syslogs by entering a matching pattern in the Event String field. For example, when matched against the sample syslog message, you would enter the string authentication success to identify authentication events in the syslog.
2. Enter the matching string for identifying the beginning of the username field within the authentication syslog message in the Username Prefix field. For example, the string User: identifies the beginning of the username field in the sample syslog.
If the syslog contains a standalone space or tab as a delimiter, you must use an \s (for a space) and \t (for a tab) for the agent to parse the syslog.
3. Enter the Username Delimiter to mark the end of the username field within an authentication syslog message. For example, if the username is followed by a space, you would enter \s to indicate that the username field is delimited by a standalone space in the sample log.
4. Enter the matching string for identifying the beginning of the IP address field within the authentication event log in the Address Prefix field. For example, the string Source: identifies the beginning of the address field in the example log.
5.
6. Click OK to save the profile.
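The parsing rules of Steps 1 to 3 carried out in Python, as an added example that is not the guide's or the User-ID agent's code: it rejects messages that break the Step 1 criteria, then extracts the IP-to-username mapping once with the Step 2 regex profile and once with a Step 3 field-identifier profile. The sample message is constructed from the fragments shown above, and the address delimiter parameter is assumed to mirror the username delimiter (the guide's item 5 is missing).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample message in the format the guide's Syslog Parse profile targets.
SAMPLE_SYSLOG = ("[Tue Jul 5 13:15:04 2005 CDT] Administrator "
                 "authentication success User:johndoe1 Source:192.168.3.212")

MAX_SYSLOG_BYTES = 2048  # largest single message the agent will parse

# The three patterns from the guide's Regex example, unchanged.
EVENT_REGEX = r"(authentication\ success){1}"
USERNAME_REGEX = r"User:([a-zA-Z0-9\\\._]+)"
ADDRESS_REGEX = r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

Mapping = Tuple[str, str]  # (ip_address, user)


def split_messages(buffer: str) -> List[str]:
    """One packet may carry several messages; each is a single line ending in \\r\\n or \\n."""
    return [line for line in re.split(r"\r\n|\n", buffer) if line]


def _acceptable(message: str) -> bool:
    # Reject what the agent would not parse: multi-line or oversized messages.
    return ("\n" not in message and "\r" not in message
            and len(message.encode("utf-8")) <= MAX_SYSLOG_BYTES)


def _qualify(user: str, default_domain: Optional[str]) -> str:
    """Append the Default Domain Name only when the log carried no domain itself."""
    if default_domain and "\\" not in user:
        return f"{default_domain}\\{user}"
    return user


def regex_parse(message: str, default_domain: Optional[str] = None) -> Optional[Mapping]:
    """Regex parsing type: the event regex selects the line, the other two extract the fields."""
    if not _acceptable(message) or not re.search(EVENT_REGEX, message):
        return None  # not an authentication success event: no mapping is created
    user = re.search(USERNAME_REGEX, message)
    addr = re.search(ADDRESS_REGEX, message)
    if not (user and addr):
        return None  # event matched but a field is missing: nothing to map
    return addr.group(1), _qualify(user.group(1), default_domain)


def _delimiter(token: str) -> str:
    # The profile writes \s for a standalone space and \t for a tab.
    return {r"\s": " ", r"\t": "\t"}.get(token, token)


def _field_after(message: str, prefix: str, delimiter: str) -> Optional[str]:
    """Text between a prefix and the next delimiter (or end of line)."""
    start = message.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = message.find(_delimiter(delimiter), start)
    return message[start:] if end < 0 else message[start:end]


def field_parse(message: str, event_string: str, username_prefix: str,
                username_delimiter: str, address_prefix: str, address_delimiter: str,
                default_domain: Optional[str] = None) -> Optional[Mapping]:
    """Field Identifier parsing type: literal event string plus prefix/delimiter pairs.
    address_delimiter is assumed to work like the username delimiter."""
    if not _acceptable(message) or event_string not in message:
        return None
    user = _field_after(message, username_prefix, username_delimiter)
    addr = _field_after(message, address_prefix, address_delimiter)
    if not (user and addr):
        return None
    return addr, _qualify(user, default_domain)
```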
Step 4
Enable the syslog listening service on the agent.
As a best practice, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.
1.
2.
3.
Step 5
Define the servers that will send syslog messages to the User-ID agent.
Within the total maximum of 100 servers of all types that the User-ID agent can monitor, up to 50 can be syslog senders. The User-ID agent will discard any syslog messages received from servers that are not on this list.
1.
2. In the Servers section of the screen, click Add.
3. Enter a Name and Server Address for the server that will send syslogs to the agent.
4.
5. Select a Filter you defined in Step 1.
6. (Optional) If the syslogs that the authenticating firewall sends do not include domain information in the login event logs, enter the Default Domain Name to append to the user mappings.
7. Click OK to save the settings.
Step 6
Save the configuration.
Click Commit to save the configuration.
Step 7
Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:
To see the status of a particular syslog sender:
admin@PA-5050> show user server-monitor state Syslog2
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is enabled
Proxy: Syslog2(vsys: vsys1)
Host: Syslog2(10.5.204.41)
number of log messages                 : 1000
number of auth. success messages       : 1000
number of active connections           : 0
total connections made                 : 4
To see how many log messages came in from syslog senders and how many entries were successfully mapped:
admin@PA-5050> show user server-monitor statistics
Directory Servers:
Name        TYPE    Host           Vsys    Status
----------------------------------------------------------------------------
AD          AD      10.2.204.43    vsys1   Connected
Syslog Servers:
Name        Connection  Host           Vsys    Status
----------------------------------------------------------------------------
Syslog1     UDP         10.5.204.40    vsys1   N/A
Syslog2     SSL         10.5.204.41    vsys1   Not connected
To see how many user mappings were discovered through syslog senders:
admin@PA-5050> show user ip-user-mapping all type SYSLOG
IP               Vsys    From     User               IdleTimeout(s)  MaxTimeout(s)
--------------------------------------------------------------------------------
192.168.3.8                                                          476
192.168.5.39     vsys1   SYSLOG   acme\jdonaldson    2480            480
192.168.2.147    vsys1   SYSLOG   acme\ccrisp        2476            476
192.168.2.175    vsys1   SYSLOG   acme\jjaso         2476            476
192.168.4.196    vsys1   SYSLOG   acme\jblevins      2480            480
192.168.4.103    vsys1   SYSLOG   acme\bmoss         2480            480
192.168.2.193    vsys1   SYSLOG   acme\esogard       2476            476
192.168.2.119    vsys1   SYSLOG   acme\acallaspo     2476            476
192.168.3.176    vsys1   SYSLOG   acme\jlowrie       2478            478
Total: 9 users
Map IP Addresses to Usernames Using Captive Portal
If the firewall receives a request from a security zone that has User-ID enabled and the source IP address does not have any user data associated with it yet, the firewall checks its Captive Portal policy rules for a match to determine whether to perform authentication. This is useful in environments where you have clients that are not logged in to your domain servers, such as Linux clients. The firewall triggers this user mapping method only for web traffic (HTTP or HTTPS) that matches a Captive Portal rule but has not been mapped using a different method.
- Captive Portal Authentication Methods
- Captive Portal Modes
- Configure Captive Portal
Captive Portal Authentication Methods
Captive Portal uses the following methods to obtain user information from the client when a web request matches a Captive Portal rule:
Authentication Method / Description
Kerberos SSO: The firewall uses Kerberos Single Sign-On (SSO) to transparently obtain user credentials. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account, including a principal name and password.
If Kerberos SSO authentication fails, the firewall falls back to NT LAN Manager (NTLM) authentication. If you don't configure NTLM, or NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.
NT LAN Manager (NTLM): The firewall uses an encrypted challenge-response mechanism to obtain the user credentials from the browser. When configured properly, the browser will transparently provide the credentials to the firewall without prompting the user, but will prompt for credentials if necessary.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent.
If you configure Kerberos SSO authentication, the firewall tries that method first before falling back to NTLM authentication. If the browser can't perform NTLM or if NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.
Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google Chrome to also use NTLM but you can't use NTLM to authenticate non-Windows clients.
Web Form: The firewall redirects web requests to a web form for authentication. You can configure Captive Portal to use a local user database, RADIUS server, TACACS+ server, LDAP server, or Kerberos server to authenticate users. Although the firewall always prompts users for credentials, this method works with all browsers and operating systems.
Client Certificate Authentication: The firewall prompts the browser to present a valid client certificate to authenticate the user. To use this method, you must provision client certificates on each user system and install the trusted certificate authority (CA) certificate used to issue those certificates on the firewall.
Captive Portal Modes
The Captive Portal mode defines how the firewall captures web requests for authentication:
Mode / Description
Transparent: The firewall intercepts the browser traffic per the Captive Portal rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, you should only use this mode when absolutely necessary, such as in Layer 2 or virtual wire deployments.
Redirect: The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of the Redirect mode is that it provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring remapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they won't need to re-authenticate when the IP address changes as long as the session stays open.
If you use Kerberos SSO or NTLM authentication, you must use Redirect mode because the browser will provide credentials only to trusted sites.
Configure Captive Portal
The following procedure shows how to configure Captive Portal using the PAN-OS integrated User-ID agent to redirect web requests that match a Captive Portal rule to a redirect host. A redirect host is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which the firewall will redirect requests.
If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don't need to configure a User-ID agent.
Configure Captive Portal Using the PAN-OS Integrated User-ID Agent
Step 1
Configure the interfaces that the firewall will use for redirecting web requests, authenticating users, and communicating with directory servers to map usernames to IP addresses.
The firewall uses the management (MGT) interface for all these functions by default, but you can configure other interfaces. In redirect mode, you must use a Layer 3 interface for redirecting requests.
1.
2.
3.
4. (Redirect mode only) Create a DNS address (A) record that maps the IP address on the Layer 3 interface to the redirect host. If you will use Kerberos SSO, you must also add a DNS pointer (PTR) record that performs the same mapping.
If your network doesn't support access to the directory servers from any firewall interface, you must Configure User Mapping Using the Windows User-ID Agent.
Step 2
Make sure Domain Name System (DNS) is configured to resolve your domain controller addresses.
To verify proper resolution, ping the server FQDN. For example:
admin@PA-200> ping host dc1.acme.com
Step 3
Create a Kerberos keytab for the redirect host.
Required for Kerberos SSO authentication.
Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the redirect host (the firewall).
To support Kerberos SSO, your network must have a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service.
Step 4
Configure clients to trust Captive Portal certificates.
Required for redirect mode to transparently redirect users without displaying certificate errors. You can generate a self-signed certificate or import a certificate that an external certificate authority (CA) signed.
To use a self-signed certificate, create a root CA certificate and use it to sign the certificate you will use for Captive Portal:
1.
2. Create a Self-Signed Root CA Certificate or import a CA certificate (see Import a Certificate and Private Key).
3. Generate a Certificate to use for Captive Portal. Be sure to configure the following fields:
- Common Name: Enter the DNS name of the intranet host for the Layer 3 interface.
- Signed By: Select the CA certificate you just created or imported.
- Certificate Attributes: Click Add, for the Type select IP and, for the Value, enter the IP address of the Layer 3 interface to which the firewall will redirect requests.
4. Configure an SSL/TLS Service Profile. Assign the Captive Portal certificate you just created to the profile.
5. Configure clients to trust the certificate:
a. Export the CA certificate you created or imported.
b. Import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory (AD) Group Policy Object (GPO).
Step 5
Configure an authentication server profile.
Required for external authentication. If you enable Kerberos SSO or NTLM authentication, the firewall uses the external service only if those methods fail.
- Configure a RADIUS Server Profile.
- Configure a TACACS+ Server Profile.
- Configure an LDAP Server Profile.
- Configure a Kerberos Server Profile.
The PAN-OS web server timeout (default is 3 seconds) must be the same as or greater than the server profile timeout multiplied by the number of servers in the profile. For RADIUS and TACACS+, the default server profile Timeout is 3 seconds. For LDAP, the timeout is the total of the Bind Timeout (default is 30 seconds) and Search Timeout (default is 30 seconds) for each server. For Kerberos, the non-configurable timeout can take up to 17 seconds for each server. Also, the Captive Portal session timeout (default is 30 seconds) must be greater than the web server timeout.
To change the web server timeout, enter the following firewall CLI command, where <value> is 3-30 seconds: set deviceconfig setting l3-service timeout <value>.
To change the Captive Portal session timeout, select Device > Setup > Session, edit the Session Timeouts, and enter a new Captive Portal value in seconds (range is 1-1,599,999).
Keep in mind that the more you raise the web server and Captive Portal session timeouts, the slower Captive Portal will respond to users.
Step 6
Add the users and user groups to the local database on the firewall.
Required for local database authentication. If you enable Kerberos SSO and/or NTLM authentication, the firewall uses the local database only if those methods fail.
1. Configure the user account.
2. (Optional) Configure a user group.
Step 7
Add an authentication profile.
The profile defines the authentication methods to use (Kerberos SSO, external service, or local database) when a Captive Portal rule invokes Web Form authentication. Even if you enable NTLM, you must define a secondary authentication method in case NTLM authentication fails or the User-ID agent doesn't support NTLM.
If you set the authentication Type to RADIUS, specify a RADIUS User Domain in case users don't enter the domain at login.
Configure an authentication profile:
1. If the authentication Type is an external service (RADIUS, TACACS+, LDAP, or Kerberos), select the authentication Server Profile you created.
2. If you use Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase), and import the Kerberos Keytab you created.
3. Select Advanced and Add the users and user groups that can authenticate using this profile. If the authentication Type is Local Database, add the Captive Portal users or user groups you created. You can select all to allow every user to authenticate. After completing the Allow List, click OK.
If your users are in multiple domains or Kerberos realms, you can create an authentication profile for each domain or realm, assign all the profiles to the authentication sequence (Step 8), and assign the sequence to the Captive Portal configuration.
Step 8
(Optional) Add an authentication sequence.
If the firewall is configured to use multiple authentication profiles in the sequence for any one user (for example, if some directory server connections are unreliable), then the PAN-OS web server timeout must be the same as or greater than the timeout for the sequence, which is the total of the timeouts for all its authentication profiles. Also, the session timeout for Captive Portal must be greater than the web server timeout. To change these timeouts, see the note in Step 5.
Configure an authentication sequence:
1.
2.
3. Add each authentication profile.
4. Click OK to save the authentication sequence.
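The timeout rules from the Step 5 note and the Step 8 note, checked in Python as an added example that is not the guide's or PAN-OS code: a server profile's worst case is its per-server timeout times its server count, a sequence adds up its profiles, and the web server and Captive Portal session timeouts must cover that within the ranges the guide gives.

```python
from typing import List

# Defaults and ranges quoted in the guide for PAN-OS 7.1.
WEB_SERVER_TIMEOUT_RANGE = (3, 30)             # set deviceconfig setting l3-service timeout <value>
CAPTIVE_PORTAL_SESSION_RANGE = (1, 1_599_999)  # Device > Setup > Session, Captive Portal timeout
DEFAULT_RADIUS_TACACS_TIMEOUT = 3
DEFAULT_LDAP_BIND_TIMEOUT = 30
DEFAULT_LDAP_SEARCH_TIMEOUT = 30
KERBEROS_TIMEOUT_PER_SERVER = 17               # not configurable


def profile_timeout(kind: str, servers: int, timeout: int = DEFAULT_RADIUS_TACACS_TIMEOUT,
                    bind_timeout: int = DEFAULT_LDAP_BIND_TIMEOUT,
                    search_timeout: int = DEFAULT_LDAP_SEARCH_TIMEOUT) -> int:
    """Worst-case seconds one server profile can take: per-server timeout times server count."""
    if kind in ("RADIUS", "TACACS+"):
        per_server = timeout
    elif kind == "LDAP":
        per_server = bind_timeout + search_timeout  # bind plus search, per server
    elif kind == "Kerberos":
        per_server = KERBEROS_TIMEOUT_PER_SERVER
    else:
        raise ValueError(f"unknown server profile type: {kind}")
    return per_server * servers


def sequence_timeout(profile_timeouts: List[int]) -> int:
    """An authentication sequence can take the sum of all its profiles' timeouts."""
    return sum(profile_timeouts)


def check_timeouts(required: int, web_server_timeout: int, session_timeout: int) -> List[str]:
    """Return the constraints from the guide that the given settings violate (empty list = OK)."""
    problems = []
    lo, hi = WEB_SERVER_TIMEOUT_RANGE
    if not lo <= web_server_timeout <= hi:
        problems.append(f"web server timeout {web_server_timeout}s is outside {lo}-{hi}s")
    if web_server_timeout < required:
        problems.append(f"web server timeout {web_server_timeout}s is below the "
                        f"{required}s the authentication path can take")
    if required > hi:
        # No CLI value can cover this path: trim servers, per-server timeouts or profiles.
        problems.append(f"no web server timeout covers {required}s (maximum is {hi}s)")
    s_lo, s_hi = CAPTIVE_PORTAL_SESSION_RANGE
    if not s_lo <= session_timeout <= s_hi:
        problems.append(f"Captive Portal session timeout {session_timeout}s is outside {s_lo}-{s_hi}s")
    if session_timeout <= web_server_timeout:
        problems.append(f"Captive Portal session timeout {session_timeout}s must exceed "
                        f"the web server timeout {web_server_timeout}s")
    return problems
```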
Step 9
Configure Client Certificate Authentication.
Required if Captive Portal will use this authentication method.
You don't need an authentication profile or sequence for client certificate authentication. If you configure both an authentication profile/sequence and certificate authentication, users must authenticate using both.
1. Use a root CA certificate to generate a client certificate for each user who will authenticate to Captive Portal. The CA in this case is usually your enterprise CA, not the firewall.
2. Export the CA certificate in PEM format to a system that the firewall can access.
3. Import the CA certificate onto the firewall: see Import a Certificate and Private Key. After the import, click the imported certificate, select Trusted Root CA, and click OK.
4. Configure a Certificate Profile.
- In the Username Field drop-down, select the certificate field that contains the user identity information.
- In the CA Certificates list, click Add and select the CA certificate you just imported.
Step 10
Enable NT LAN Manager (NTLM) authentication.
Required for NTLM authentication.
When using the PAN-OS integrated User-ID agent, the firewall must successfully resolve the DNS name of your domain controller to join the domain (using the credentials you enter in this step).
1. If you haven't already done so, create an Active Directory (AD) account for the User-ID agent.
2.
3.
4. Enter the NTLM Domain against which the User-ID agent on the firewall will check NTLM credentials.
5.
6. You don't need to configure any other settings for the User-ID agent: click OK.
Step 11
Configure the Captive Portal settings.
1.
2.
3.
4. Select the Mode (in this example, Redirect).
5. (Redirect mode only) Specify the Redirect Host name that resolves to the IP address of the Layer 3 interface for redirected requests.
6. Select the authentication method to use if NTLM fails (or if you don't use NTLM):
- To use Kerberos SSO, an external server, or the local database, select the Authentication Profile or authentication sequence you created.
- To use client certificate authentication, select the Certificate Profile you created.
7. Click OK and Commit to save the Captive Portal configuration.
Configure User Mapping for Terminal Server Users
Individual terminal server users appear to have the same IP address and therefore an IP address-to-username mapping is not sufficient to identify a specific user. To enable identification of specific users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. It then notifies every connected firewall about the allocated port range, which allows the firewall to create an IP address-port-user mapping table and enable user- and group-based security policy enforcement. For non-Windows terminal servers, you can configure the PAN-OS XML API to extract user mapping information.
The following sections describe how to configure user mapping for terminal server users:
- Configure the Palo Alto Networks Terminal Services Agent for User Mapping
- Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API
Configure the Palo Alto Networks Terminal Services Agent for User Mapping
Use the following procedure to install and configure the TS agent on the terminal server. To map all your users, you must install the TS agent on all terminal servers that your users log in to.
For information about the terminal servers supported by the TS Agent, refer to Operating System (OS) Compatibility TS Agent in the Terminal Services Agent Release Notes.
Configure the Palo Alto Networks Terminal Services Agent for User Mapping
Step 1
Download the TS agent installer.
1. Log in to the Palo Alto Networks Customer Support website.
2. Select Software Updates from the Manage Devices section.
3.
4. Save the TaInstall64.x64-x.x.x-xx.msi or TaInstall-x.x.x-xx.msi file (be sure to select the appropriate version based on whether the Windows system is running a 32-bit OS or a 64-bit OS) on the systems where you plan to install the agent.
Step 2
Run the installer as an administrator.
1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
C:\Users\administrator.acme>cd Desktop
C:\Users\administrator.acme\Desktop>TaInstall-6.0.0-1.msi
3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\Terminal Server Agent folder, but you can Browse to a different location.
4. When the installation completes, Close the setup window.
If you are upgrading to a TS Agent version that has a newer driver than the existing installation, the installation wizard prompts you to reboot the system after upgrading in order to use the new driver.
Step 3
Define the range of ports for the TS Agent to allocate to end users.
The System Source Port Allocation Range and System Reserved Source Ports fields specify the range of ports that will be allocated to non-user sessions. Make sure the values specified in these fields do not overlap with the ports you designate for user traffic. These values can only be changed by editing the corresponding Windows registry settings.
1. Open the Windows Start menu and select Terminal Server Agent to launch the Terminal Services agent application.
2. Select Configure in the side menu.
3.
4. (Optional) If there are ports/port ranges within the source port allocation that you do not want the TS Agent to allocate to user sessions, specify them as Reserved Source Ports. To include multiple ranges, use commas with no spaces, for example: 2000-3000,3500,4000-5000.
5. Specify the number of ports to allocate to each individual user upon login to the terminal server in the Port Allocation Start Size Per User field (default 200).
6.
7. Specify whether to continue processing traffic from the user if the user runs out of allocated ports. By default, the Fail port binding when available ports are used up is selected, which indicates that the application will fail to send traffic when all ports are used. To enable users to continue using applications when they run out of ports, clear this check box. Keep in mind that this traffic may not be identified with User-ID.
Step 4
Configure the firewalls to connect to the Terminal Services agent.
Complete the following steps on each firewall you want to connect to the Terminal Services agent to receive user mappings:
1.
2. Enter a Name for the Terminal Services agent.
3. Enter the IP address of the Windows Host on which the Terminal Services agent is installed.
4. Enter the Port number on which the agent will listen for user mapping requests. This value must match the value configured on the Terminal Services agent. By default, the port is set to 5009 on the firewall and on the agent. If you change it here, you must also change the Listening Port field on the Terminal Services agent Configure screen.
5. Make sure that the configuration is Enabled and then click OK.
6. Commit the changes.
7.
Step 5
Verify that the Terminal Services agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
1. Open the Windows Start menu and select Terminal Server Agent.
2. Verify that the firewalls can connect by making sure the Connection Status of each firewall in the Connection List is Connected.
3. Verify that the Terminal Services agent is successfully mapping port ranges to usernames by selecting Monitor in the side menu and making sure that the mapping table is populated.
Step 6
(Windows 2012 R2 servers only) Disable Enhanced Protected Mode in Microsoft Internet Explorer for each user who uses that browser.
This task is not necessary for other browsers such as Google Chrome or Mozilla Firefox.
To disable Enhanced Protected Mode for all users, use Local Security Policy.
Perform these steps on the Windows Server:
1. Start Internet Explorer.
2.
3.
4. Click OK.
In Internet Explorer, Palo Alto Networks recommends that you do not disable Protected Mode, which differs from Enhanced Protected Mode.
Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API
The PAN-OS XML API is a RESTful API that uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports RESTful services.
To enable a non-Windows terminal server to send user mapping information directly to the firewall, create scripts that extract the user login and logout events and use them for input to the PAN-OS XML API request format. Then define the mechanisms for submitting the XML API request(s) to the firewall using cURL or wget and providing the firewall's API key for secure communication. Creating user mappings from multi-user systems such as terminal servers requires use of the following API messages:
- <multiusersystem>: Sets up the configuration for an XML API Multi-user System on the firewall. This message allows for definition of the terminal server IP address (this will be the source address for all users on that terminal server). In addition, the <multiusersystem> setup message specifies the range of source port numbers to allocate for user mapping and the number of ports to allocate to each individual user upon login (called the block size). If you want to use the default source port allocation range (1025-65534) and block size (200), you do not need to send a <multiusersystem> setup event to the firewall. Instead, the firewall will automatically generate the XML API Multi-user System configuration with the default settings upon receipt of the first user login event message.
- <blockstart>: Used with the <login> and <logout> messages to indicate the starting source port number allocated to the user. The firewall then uses the block size to determine the actual range of port numbers to map to the IP address and username in the login message. For example, if the <blockstart> value is 13200 and the block size configured for the multi-user system is 300, the actual source port range allocated to the user is 13200 through 13499. Each connection initiated by the user should use a unique source port number within the allocated range, enabling the firewall to identify the user based on its IP address-port-user mappings for enforcement of user- and group-based security rules. When a user exhausts all the ports allocated, the terminal server must send a new <login> message allocating a new port range for the user so that the firewall can update the IP address-port-user mapping. In addition, a single username can have multiple blocks of ports mapped simultaneously. When the firewall receives a <logout> message that includes a <blockstart> parameter, it removes the corresponding IP address-port-user mapping from its mapping table. When the firewall receives a <logout> message with a username and IP address, but no <blockstart>, it removes the user from its table. And, if the firewall receives a <logout> message with an IP address only, it removes the multi-user system and all mappings associated with it.
The XML files that the terminal server sends to the firewall can contain multiple message types and the messages do not need to be in any particular order within the file. However, upon receiving an XML file that contains multiple message types, the firewall will process them in the following order: multiusersystem requests first, followed by logins, then logouts.
The following workflow provides an example of how to use the PAN-OS XML API to send user mappings from a non-Windows terminal server to the firewall.
Use the PAN-OS XML API to Map Non-Windows Terminal Services Users
Step 1
Generate the API key that will be used to authenticate the API communication between the firewall and the terminal server. To generate the key you must provide login credentials for an administrative account; the API is available to all administrators (including role-based administrators with XML API privileges enabled).
Any special characters in the password must be URL/percent-encoded.
From a browser, log in to the firewall. Then, to generate the API key for the firewall, open a new browser window and enter the following URL:
https://<Firewall-IPaddress>/api/?type=keygen&user=<username>&password=<password>
Where <Firewall-IPaddress> is the IP address or FQDN of the firewall and <username> and <password> are the credentials for the administrative user account on the firewall. For example:
https://10.1.2.5/api/?type=keygen&user=admin&password=admin
The firewall responds with a message containing the key, for example:
<response status="success">
  <result>
    <key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
  </result>
</response>
PANOS7.1AdministratorsGuide 409
MapIPAddressestoUsers
UserID
UsethePANOSXMLAPItoMapNonWindowsTerminalServicesUsers(Continued)
Step 2  (Optional) Generate a setup message that the terminal server will send to specify the port range and block size of ports per user that your terminal services agent uses. If the terminal services agent does not send a setup message, the firewall will automatically create a Terminal Services agent configuration using the following default settings upon receipt of the first login message:
• Default port range: 1025 to 65534
• Per-user block size: 200
• Maximum number of multi-user systems: 1,000

The following shows a sample setup message:
<uid-message>
  <payload>
    <multiusersystem>
      <entry ip="10.1.1.23" startport="20000" endport="39999" blocksize="100"/>
    </multiusersystem>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>
where entry ip specifies the IP address assigned to terminal server users, startport and endport specify the port range to use when assigning ports to individual users, and blocksize specifies the number of ports to assign to each user. The maximum blocksize is 4000 and each multi-user system can allocate a maximum of 1000 blocks.
If you define a custom block size and/or port range, keep in mind that you must configure the values such that every port in the range gets allocated and that there are no gaps or unused ports. For example, if you set the port range to 1000-1499, you could set the block size to 100, but not to 200. This is because if you set it to 200, there would be unused ports at the end of the range.

Step 3  Create a script that will extract the login events and create the XML input file to send to the firewall.
Make sure the script enforces assignment of port number ranges at fixed boundaries with no port overlaps. For example, if the port range is 1000-1999 and the block size is 200, acceptable blockstart values would be 1000, 1200, 1400, 1600, or 1800. Blockstart values of 1001, 1300, or 1850 would be unacceptable because some of the port numbers in the range would be left unused.
The login event payload that the terminal server sends to the firewall can contain multiple login events.

The following shows the input file format for a PAN-OS XML login event:
<uid-message>
  <payload>
    <login>
      <entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
      <entry name="acme\jparker" ip="10.1.1.23" blockstart="20100"/>
      <entry name="acme\ccrisp" ip="10.1.1.23" blockstart="21000"/>
    </login>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>
The firewall uses this information to populate its user mapping table. Based on the mappings extracted from the example above, if the firewall received a packet with a source address and port of 10.1.1.23:20101, it would map the request to user jparker for policy enforcement.
Each multi-user system can allocate a maximum of 1,000 port blocks.
Step 4  Create a script that will extract the logout events and create the XML input file to send to the firewall.
Upon receipt of a logout event message with a blockstart parameter, the firewall removes the corresponding IP address-port-user mapping. If the logout message contains a username and IP address, but no blockstart parameter, the firewall removes all mappings for the user. If the logout message contains an IP address only, the firewall removes the multi-user system and all associated mappings.

The following shows the input file format for a PAN-OS XML logout event:
<uid-message>
  <payload>
    <logout>
      <entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
      <entry name="acme\ccrisp" ip="10.1.1.23"/>
      <entry ip="10.2.5.4"/>
    </logout>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>
You can also clear the multi-user system entry from the firewall using the following CLI command: clear xml-api multiusersystem

Step 5  Make sure that the scripts you create include a way to dynamically enforce that the port block range allocated using the XML API matches the actual source port assigned to the user on the terminal server and that the mapping is removed when the user logs out or the port allocation changes.
One way to do this would be to use netfilter NAT rules to hide user sessions behind the specific port ranges allocated via the XML API based on the uid. For example, to ensure that a user with the user ID jjaso is mapped to a source network address translation (SNAT) value of 10.1.1.23:20000-20099, the script you create should include the following:
Similarly, the scripts you create should also ensure that the IP table routing configuration dynamically removes the SNAT mapping when the user logs out or the port allocation changes:
[root@ts1 ~]# iptables -t nat -D POSTROUTING 1

Step 6  Define how to package the XML input files containing the setup, login, and logout events into wget or cURL messages for transmission to the firewall.
To apply the files to the firewall using wget:
For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using wget would look as follows:
> wget --post-file=login.xml "https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&file-name=login.xml&client=wget&vsys=vsys1"
To apply the file to the firewall using cURL:
> curl --form file=@<filename> "https://<Firewall-IPaddress>/api/?type=user-id&key=<key>&vsys=<VSYS_name>"
For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using cURL would look as follows:
> curl --form file=@login.xml "https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&vsys=vsys1"
Step 7  Verify that the firewall is successfully receiving login events from the terminal servers.
Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:
• To verify if the terminal server is connecting to the firewall over XML:
admin@PA-5050> show user xml-api multiusersystem
Host            Vsys    Users   Blocks
---------------------------------------
10.5.204.43     vsys1
• To verify that the firewall is receiving mappings from a terminal server over XML:
admin@PA-5050> show user ip-port-user-mapping all
Global max host index 1, host hash count 1
XML API Multi-user System 10.5.204.43
Vsys 1, Flag 3
Port range: 20000 - 39999
Port size: start 200; max 2000
Block count 100, port count 20000
20000-20199: acme\administrator
Total host: 1
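The following is an added example, not code from the guide or from Palo Alto Networks, that models how the firewall consumes the setup, login, and logout files from Steps 2 through 4: it enforces the fixed-boundary block rule, applies the multiusersystem-then-login-then-logout processing order, and resolves a source IP address and port (such as 10.1.1.23:20101) to a username. The class and function names are the example's own; the sample XML is constructed from the values above, with the <entry> elements written as self-closing tags so a standard XML parser accepts them, and the built-in defaults (1025 to 65534, block size 200) are applied unvalidated because they do not divide into whole blocks.

```python
"""Model of how the firewall consumes Terminal Services uid-message files.

Added example, not code from the guide or from Palo Alto Networks. It applies
the rules the text states: processing order multiusersystem -> login -> logout
whatever the element order; custom port ranges must divide evenly into blocks;
blockstarts sit on fixed boundaries; a logout's scope depends on its fields.
"""
import xml.etree.ElementTree as ET

# Defaults the firewall applies when the first login arrives without a setup message.
DEFAULT_START, DEFAULT_END, DEFAULT_BLOCK = 1025, 65534, 200


def check_block_layout(startport, endport, blocksize):
    """Reject a custom layout that would leave gaps or unused ports."""
    span = endport - startport + 1
    if not 1 <= blocksize <= 4000:
        raise ValueError(f"blocksize {blocksize} outside 1..4000")
    if span % blocksize:
        raise ValueError(f"range {startport}-{endport} is not a multiple of {blocksize}")
    if span // blocksize > 1000:
        raise ValueError(f"{span // blocksize} blocks exceeds the per-system limit of 1000")


class MappingTable:
    """IP address-port-user table, one multi-user system per terminal server IP."""

    def __init__(self):
        self.systems = {}  # ip -> (startport, endport, blocksize)
        self.blocks = {}   # ip -> {blockstart: username}

    def add_system(self, ip, startport, endport, blocksize, validate=True):
        if validate:  # the built-in defaults do not divide evenly, so skip them
            check_block_layout(startport, endport, blocksize)
        self.systems[ip] = (startport, endport, blocksize)
        self.blocks.setdefault(ip, {})

    def login(self, name, ip, blockstart):
        if ip not in self.systems:
            self.add_system(ip, DEFAULT_START, DEFAULT_END, DEFAULT_BLOCK, validate=False)
        start, end, size = self.systems[ip]
        if not start <= blockstart <= end or (blockstart - start) % size:
            raise ValueError(f"blockstart {blockstart} not on a {size}-port boundary from {start}")
        self.blocks[ip][blockstart] = name

    def logout(self, name, ip, blockstart):
        if blockstart is not None:      # name + ip + blockstart: one block
            self.blocks.get(ip, {}).pop(blockstart, None)
        elif name is not None:          # name + ip: every block held by the user
            self.blocks[ip] = {b: u for b, u in self.blocks.get(ip, {}).items() if u != name}
        else:                           # ip only: the whole multi-user system
            self.systems.pop(ip, None)
            self.blocks.pop(ip, None)

    def lookup(self, ip, port):
        """Map a packet's source ip:port to a username, or None if unmapped."""
        if ip not in self.systems:
            return None
        start, end, size = self.systems[ip]
        if not start <= port <= end:
            return None
        return self.blocks[ip].get(start + (port - start) // size * size)

    def apply(self, xml_text):
        """Consume one file in the firewall's order: setup, then logins, then logouts."""
        payload = ET.fromstring(xml_text).find("payload")
        for e in payload.findall("multiusersystem/entry"):
            self.add_system(e.get("ip"), int(e.get("startport")),
                            int(e.get("endport")), int(e.get("blocksize")))
        for e in payload.findall("login/entry"):
            self.login(e.get("name"), e.get("ip"), int(e.get("blockstart")))
        for e in payload.findall("logout/entry"):
            bs = e.get("blockstart")
            self.logout(e.get("name"), e.get("ip"), None if bs is None else int(bs))


# Constructed sample files using the guide's values, with entries self-closed.
SETUP_XML = """<uid-message><payload><multiusersystem>
<entry ip="10.1.1.23" startport="20000" endport="39999" blocksize="100"/>
</multiusersystem></payload><type>update</type><version>1.0</version></uid-message>"""
LOGIN_XML = r"""<uid-message><payload><login>
<entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
<entry name="acme\jparker" ip="10.1.1.23" blockstart="20100"/>
<entry name="acme\ccrisp" ip="10.1.1.23" blockstart="21000"/>
</login></payload><type>update</type><version>1.0</version></uid-message>"""
LOGOUT_XML = r"""<uid-message><payload><logout>
<entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
<entry name="acme\ccrisp" ip="10.1.1.23"/>
</logout></payload><type>update</type><version>1.0</version></uid-message>"""


def demo():
    """Replay the sample files and return the lookups the guide walks through."""
    table = MappingTable()
    table.apply(SETUP_XML)
    table.apply(LOGIN_XML)
    after_login = table.lookup("10.1.1.23", 20101)  # 10.1.1.23:20101 -> acme\jparker
    table.apply(LOGOUT_XML)
    return {"after_login": after_login,
            "jjaso_block": table.lookup("10.1.1.23", 20050),    # removed by blockstart
            "ccrisp_block": table.lookup("10.1.1.23", 21001),   # removed by name + ip
            "jparker_block": table.lookup("10.1.1.23", 20199)}  # still mapped
```

A login for an IP that has no setup message falls back to the default layout, so a blockstart that is valid for a custom 100-port layout (such as 20000) is rejected against the default 200-port blocks anchored at 1025; send the setup message first.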
Send User Mappings to User-ID Using the XML API
User-ID provides many out-of-the-box methods for obtaining user mapping information. However, you might have applications or devices that capture user information but cannot natively integrate with User-ID. For example, you might have a custom, internally developed application or a device that no standard user mapping method supports. In such cases, you can use the PAN-OS XML API to create custom scripts that send the information to the User-ID agent or directly to the firewall. The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports POST and GET requests.
To enable an external system to send user mapping information to the User-ID agent or directly to the firewall, you can create scripts that extract user login and logout events and use the events as input to the PAN-OS XML API request. Then define the mechanisms for submitting the XML API requests to the firewall (using cURL, for example) and use the API key of the firewall for secure communication. For more details, refer to the PAN-OS XML API Usage Guide.

Enable User- and Group-Based Policy
To enable security policy based on users and user groups, you must enable User-ID for each zone that contains users you want to identify. You can then define policy rules that allow or deny traffic based on username or group membership. Additionally, you can create Captive Portal rules to enable identification for IP addresses that don't yet have any user data associated with them.
PA-5060 and PA-7000 Series firewalls that have the multiple virtual systems capability disabled can base policies on up to 3,200 distinct user groups. If these platforms have multiple virtual systems, the limit is 640 groups. All other firewall platforms support up to 640 groups per virtual system or per firewall (if it doesn't have multiple virtual systems).
For users with multiple usernames, see Enable Policy for Users with Multiple Accounts.

Enable User- and Group-Based Policy
Step 1  Enable User-ID on the source zones that contain the users who will send requests that require user-based access controls.
Step 2  (Optional) Configure the firewall to read the IP addresses of users from the X-Forwarded-For (XFF) header in client requests for web services when the firewall is between the Internet and a proxy server that would otherwise hide the user IP addresses.
The firewall matches the IP addresses with usernames that your policy rules reference so that those rules can control and log access for the associated users and groups. For details, see Identify Users Connected through a Proxy Server.
Step 3  Create security rules based on user and user group.
As a best practice, create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes.
1. After configuring User-ID, you will be able to choose a user name or group name when defining the source or destination of a security rule:
   a. Select Policies > Security and click Add to create a new rule or click an existing rule name.
   b. Select the User tab and specify which users and groups to match in the rule in one of the following ways:
      • If you want to select specific users/groups as matching criteria, click the Add button in the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users and/or groups to add to the rule.
      • If you want to match any user who has or has not authenticated and you don't need to know the specific user or group name, select known-user or unknown from the drop-down above the Source User list.
2. Configure the rest of the rule as appropriate and then click OK to save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.
Step 4  Create your Captive Portal rules.
2. Click Add and enter a Name for the rule.
3. Define the matching criteria for the rule by completing the Source, Destination, and Service/URL Category tabs as appropriate to match the traffic you want to authenticate. The matching criteria on these tabs is the same as the criteria you define when creating a security rule. See Set Up a Basic Security Policy for details.
4. Define the Action to take on traffic that matches the rule:
   • no-captive-portal: Allow traffic to pass without presenting a Captive Portal page for authentication.
   • web-form: Present a Captive Portal page for the user to explicitly enter authentication credentials or use client certificate authentication.
   • browser-challenge: Transparently obtain user authentication credentials. If you select this action, you must enable Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication when you Configure Captive Portal. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you didn't configure NTLM, or NTLM authentication fails, the firewall falls back to web-form authentication.
5. Click OK and Commit.

Enable Policy for Users with Multiple Accounts
If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with distinct privileges for accessing a particular set of services, but with all the usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map any one IP address (or IP address and port range for terminal server users) to only one username for enforcing policy, and you can't predict which username the agent will map. To control access for all the usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.
For example, say the firewall has a rule that allows username corp_user to access email and a rule that allows username admin_user to access a MySQL server. The user logs in with either username from the same client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall always identifies the user as admin_user regardless of login and allows access to the MySQL server but not email. The following steps describe how to enforce both rules in this example.

Enable Policy for a User with Multiple Accounts
Step 1  Configure a user group for each service that requires distinct access privileges.
In this example, each group is for a single service (email or MySQL server). However, it is common to configure each group for a set of services that require the same privileges (for example, one group for all basic user services and one group for all administrative services).
If your organization already has user groups that can access the services that the user requires, simply add the username that is used for less restricted services to those groups. In this example, the email server requires less restricted access than the MySQL server, and corp_user is the username for accessing email. Therefore, you add corp_user to a group that can access email (corp_employees) and to a group that can access the MySQL server (network_services).
If adding a username to a particular existing group would violate your organizational practices, you can create a custom group based on an LDAP filter. For this example, say network_services is a custom group, which you configure as follows:
2. Select an LDAP Server Profile and ensure the Enabled check box is enabled.
3. Select the Custom Group tab and Add a custom group with network_services as a Name.
4. Specify an LDAP Filter that matches an LDAP attribute of corp_user and click OK.
5. Click OK and Commit.
Later, if other users that are in the group for less restricted services are given additional usernames that access more restricted services, you can add those usernames to the group for more restricted services. This scenario is more common than the inverse; a user with access to more restricted services usually already has access to less restricted services.
Step 2  Configure the rules that control user access based on the groups you just configured.
Enable User- and Group-Based Policy:
1. Configure a security rule that allows the corp_employees group to access email.
2. Configure a security rule that allows the network_services group to access the MySQL server.
Step 3  Configure the ignore list of the User-ID agent.
This ensures that the User-ID agent maps the client IP address only to the username that is a member of the groups assigned to the rules you just configured. The ignore list must contain all the usernames of the user that are not members of those groups.
In this example, you add admin_user to the ignore list of the Windows-based User-ID agent to ensure that it maps the client IP address to corp_user. This guarantees that, whether the user logs in as corp_user or admin_user, the firewall identifies the user as corp_user and applies both rules that you configured because corp_user is a member of the groups that the rules reference.
1. Create an ignore_user_list.txt file.
2. Open the file and add admin_user. If you later add more usernames, each must be on a separate line.
3. Save the file to the User-ID agent folder on the domain server where the agent is installed.
If you use the PAN-OS integrated User-ID agent, perform Step 5 under Configure User Mapping Using the PAN-OS Integrated User-ID Agent to configure the ignore list.
Step 4  Configure endpoint authentication for the restricted services.
This enables the endpoint to verify the credentials of the user and preserves the ability to enable access for users with multiple usernames.
In this example, you have configured a firewall rule that allows corp_user, as a member of the network_services group, to send a service request to the MySQL server. You must now configure the MySQL server to respond to any unauthorized username (such as corp_user) by prompting the user to enter the login credentials of an authorized username (admin_user).
If the user logs in to the network as admin_user, the user can then access the MySQL server without it prompting for the admin_user credentials again.
In this example, both corp_user and admin_user have email accounts, so the email server won't prompt for additional credentials regardless of which username the user entered when logging in to the network.
The firewall is now ready to enforce rules for a user with multiple usernames.

Verify the User-ID Configuration
After you configure group mapping and user mapping and enable User-ID on your security rules and Captive Portal rules, you should verify that it is working properly.

Verify the User-ID Configuration
Step 1  Verify that group mapping is working.
From the CLI, enter the following operational command:
> show user group-mapping statistics
Step 2  Verify that user mapping is working.
If you are using the PAN-OS integrated User-ID agent, you can verify this from the CLI using the following command:
> show user ip-user-mapping-mp all
IP               Vsys   From  User                Timeout (sec)
-----------------------------------------------------
192.168.201.1    vsys1  UIA   acme\george         210
192.168.201.11   vsys1  UIA   acme\duane          210
192.168.201.50   vsys1  UIA   acme\betsy          210
192.168.201.10   vsys1  UIA   acme\administrator  210
192.168.201.100  vsys1  AD    acme\administrator  748
Total: 5 users
*: WMI probe succeeded
Step 3  Test your security rule.
From a machine in the zone where User-ID is enabled, attempt to access sites and applications to test the rules you defined in your policy and ensure that traffic is allowed and denied as expected.
You can also use the test security-policy-match operational command to determine whether the policy is configured correctly. For example, suppose you have a rule that blocks user duane from playing World of Warcraft; you could test the policy as follows:
> test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6
"deny worldofwarcraft" {
        from corporate;
        source any;
        source-region any;
        to internet;
        destination any;
        destination-region any;
        user acme\duane;
        category any;
        application/service worldofwarcraft;
        action deny;
        terminal no;
}
Step 4  Test your Captive Portal configuration.
1. From the same zone, go to a machine that is not a member of your directory, such as a Mac OS system, and try to ping to a system external to the zone. The ping should work without requiring authentication.
2. From the same machine, open a browser and navigate to a website in a destination zone that matches a Captive Portal rule you defined. The Captive Portal web form should display and prompt you for login credentials.
3. Log in using the correct credentials and confirm that you are redirected to the requested page.
4. You can also test your Captive Portal policy using the test cp-policy-match operational command as follows:
> test cp-policy-match from corporate to internet source 192.168.201.10 destination 8.8.8.8
Matched rule: 'captive portal' action: web-form
Step 5  Verify that the log files display usernames.
Step 6  Verify that reports display usernames.
2. Select a report type that includes usernames. For example, the Denied Applications report, Source User column, should display a list of the users who attempted to access the applications.

Deploy User-ID in a Large-Scale Network
A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and to map usernames to user groups. You can simplify User-ID administration for such a network by aggregating the user mapping and group mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
A large-scale network can also have numerous firewalls that use the mapping information to enforce policies. You can reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (for example, regional directory services) but need access to remote resources (for example, global data center applications).
• Deploy User-ID for Numerous Mapping Information Sources
• Configure Firewalls to Redistribute User Mapping Information

Deploy User-ID for Numerous Mapping Information Sources
You can use Windows Log Forwarding and Global Catalog servers to simplify user mapping and group mapping in a large-scale network of Microsoft Active Directory (AD) domain controllers or Exchange servers. These methods simplify User-ID administration by aggregating the mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
• Windows Log Forwarding and Global Catalog Servers
• Plan a Large-Scale User-ID Deployment
• Configure Windows Log Forwarding
• Configure User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers
Because each User-ID agent can monitor up to 100 servers, the firewall needs multiple User-ID agents to monitor a network with hundreds of AD domain controllers or Exchange servers. Creating and managing numerous User-ID agents involves considerable administrative overhead, especially in expanding networks where tracking new domain controllers is difficult. Windows Log Forwarding enables you to minimize the administrative overhead by reducing the number of servers to monitor and thereby reducing the number of User-ID agents to manage. When you configure Windows Log Forwarding, multiple domain controllers export their login events to a single domain member from which a User-ID agent collects the user mapping information.
You can configure Windows Log Forwarding for Windows Server versions 2003, 2008, 2008 R2, 2012, and 2012 R2. Windows Log Forwarding is not available for non-Microsoft servers.
To collect group mapping information in a large-scale network, you can configure the firewall to query a Global Catalog server that receives account information from the domain controllers.
The following figure illustrates user mapping and group mapping for a large-scale network in which the firewall uses a Windows-based User-ID agent. See Plan a Large-Scale User-ID Deployment to determine if this deployment suits your network.

Plan a Large-Scale User-ID Deployment
When deciding whether to use Windows Log Forwarding and Global Catalog servers for your User-ID implementation, consult your system administrator to determine:
• Bandwidth required for domain controllers to forward login events to member servers. The bandwidth is a multiple of the login rate (number of logins per minute) of the domain controllers and the byte size of each login event.
  Note that domain controllers won't forward their entire security logs; they forward only the events that the user mapping process requires per login: three events for Windows Server 2003 or four events for Windows Server 2008/2012 and MS Exchange.
• Whether the following network elements support the required bandwidth:
  - Domain controllers: They must support the processing load associated with forwarding the events.
  - Member Servers: They must support the processing load associated with receiving the events.
  - Connections: The geographic distribution (local or remote) of the domain controllers, member servers, and Global Catalog servers is a factor. Generally, a remote distribution supports less bandwidth.

Configure Windows Log Forwarding
To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on every member server that will collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.

Configure Windows Log Forwarding
Step 1  On every member server that will collect security events, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
• Windows Server 2003: The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
• Windows Server 2008/2012 (including R2) or MS Exchange: The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).
You must forward events to the security logs location on the member servers, not to the default forwarded logs location.
To forward events as quickly as possible, select the Minimize Latency option when configuring the subscription.
Step 2  Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.
Step 3  Configure a group policy to enable Windows Event Forwarding on the domain controllers.

Configure User-ID for Numerous Mapping Information Sources

Configure User-ID for Numerous Mapping Information Sources
Step 1  Configure Windows Log Forwarding on the member servers that will collect login events.
Configure Windows Log Forwarding. This step requires administrative privileges for configuring group policies on Windows servers.
Step 2  Install the Windows-based User-ID agent.
Install the User-ID Agent on a Windows server that can access the member servers. The Windows server can be inside or outside the Active Directory forest; it doesn't need to be a member server itself.
Step 3  Configure the User-ID agent to collect user mapping information from the member servers.
1. Start the Windows-based User-ID agent.
3. Configure the remaining User-ID agent settings: see Configure the User-ID Agent for User Mapping.
Step 4  Configure an LDAP server profile to specify how the firewall connects to the Global Catalog servers (up to four) for group mapping information.
To improve availability, use at least two Global Catalog servers for redundancy.
You can collect group mapping information only for universal groups, not local domain groups (subdomains).
4. For the Type, select active-directory.
5. Configure the remaining fields as necessary: see Add an LDAP server profile.
Step 5  Configure an LDAP server profile to specify how the firewall connects to the servers (up to four) that contain domain mapping information.
User-ID uses this information to map DNS domain names to NetBIOS domain names. This mapping ensures consistent domain/username references in policy rules.
To improve availability, use at least two servers for redundancy.
The steps are the same as for the LDAP server profile you created for Global Catalogs in Step 4, except for the following fields:
• LDAP Server: Enter the IP address of the domain controller that contains the domain mapping information.
• Port: For a plaintext or StartTLS connection, use Port 389. For an LDAP over SSL connection, use Port 636. If the connection will use StartTLS or LDAP over SSL, select the Require SSL/TLS secured connection check box.
• Base DN: Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string: cn=partitions,cn=configuration (for example, cn=partitions,cn=configuration,DC=acbdomain,DC=com).
Step 6  Create a group mapping configuration for each LDAP server profile you created.
2. Click Add and enter a Name to identify the group mapping configuration.
3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
4. Configure the remaining fields as necessary: see Map Users to Groups.
   If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
5. Click OK and Commit.

Configure Firewalls to Redistribute User Mapping Information
Every firewall that enforces user-based policy requires user mapping information. However, a large-scale network where numerous firewalls directly query the mapping information sources requires both the firewalls and sources to use considerable resources. To improve resource efficiency, you can configure some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (for example, regional directory services) but need access to remote resources (for example, global data center applications).
• Firewall Deployment for User-ID Redistribution
• Configure User-ID Redistribution

Firewall Deployment for User-ID Redistribution
You can organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers perform the IP address-to-username mapping. Each higher layer has firewalls that receive the mapping information from up to 100 User-ID agents in the layer beneath it. The top-layer firewalls aggregate the mapping information from all layers. This deployment provides the option to configure global policies for all users (in top-layer firewalls) and region- or function-specific policies for a subset of users in the corresponding domains (in lower-layer firewalls).
Figure: User-ID Redistribution shows a deployment with three layers of firewalls that redistribute mapping information from local information sources (directory servers, in this example) to regional offices and then to a global data center. The data center firewall that aggregates all the mapping information shares it with other data center firewalls so that they can all enforce global policy. Only the bottom-layer firewalls use PAN-OS integrated User-ID agents and Windows-based User-ID agents to query the directory servers.
The information sources from which User-ID agents collect mapping information do not count towards the maximum of ten hops in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate mapping information in one data center firewall and the second to share the information with other data center firewalls.

Figure: User-ID Redistribution

ConfigureUserIDRedistribution
ConfigureUserIDRedistribution
Step1
Plantheredistributionarchitecture.
424 PANOS7.1AdministratorsGuide
DecidewhichUserIDagentsandmethodstouseformapping
IPaddressestousernames.Youcanredistributeusermapping
informationcollectedthroughanymethodexceptTerminal
Services(TS)agents.YoucannotredistributeGroupMapping
orHIPmatchinformation.
DeterminethemostefficientFirewallDeploymentforUserID
Redistribution.Somefactorstoconsiderare:
Whichfirewallswillenforceglobalpoliciesforallusersand
whichfirewallswillenforceregionorfunctionspecific
policiesforasubsetofusers?
Howmanyhopsdoestheredistributionsequencerequireto
aggregatemappinginformationforfirewallsindifferent
functionalorregionallayerstoenforcepolicy?
Howcanyouminimizethenumberoffirewallsthatquery
theinformationsources?Thefewerthenumberofquerying
firewalls,thelowertheprocessingloadisonboththe
firewallsandsources.
PaloAltoNetworks,Inc.
UserID
DeployUserIDinaLargeScaleNetwork
ConfigureUserIDRedistribution(Continued)
Step2
ConfiguretheUserIDagentstoperform ConfigureUserMappingUsingthePANOSIntegratedUserID
theusermapping.
Agent.
ConfigureUserMappingUsingtheWindowsUserIDAgent.
Step3
Enableeachbottomlayerfirewallto
1.
forwardmappinginformationtofirewalls
inthelayerabove.
ConfigurethefirewalltofunctionasaUserIDagent.
a. SelectDevice > User Identification > User Mapping.
b. (Firewallswithmultiplevirtualsystemsonly)Selectthe
Location.YoumustconfiguretheUserIDsettingsforeach
virtualsystem.
Youcanredistributemappinginformationamong
virtualsystemsondifferentfirewallsoronthesame
firewall.Inbothcases,eachvirtualsystemcountsas
onehopintheredistributionsequence.
c. EditthePaloAltoNetworksUserIDAgentSetupand
selectRedistribution.
d. EnteraCollector NametoidentifythisfirewallasaUserID
agent.
e. EnterandconfirmaPre-Shared Keytosecure
communicationbetweenthisfirewallandthehigherlayer
firewalls.Onamultivsysfirewall,eachvsysrequiresa
uniquepresharedkey.
f. ClickOK.
2.
ConfigureanInterfaceManagementprofilewiththeUser-ID
serviceenabledandassigntheprofiletotheinterfaceyou
wantthefirewalltousewhenrespondingtomapping
informationqueriesfromfirewallsinthelayerabove.
3.
(Optional)Configurepoliciesthatarespecifictotheuser
accountsforwhichyouwantthisfirewalltocollectmapping
information.
4.
Commityourchanges.
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 425
DeployUserIDinaLargeScaleNetwork
UserID
ConfigureUserIDRedistribution(Continued)
Step 4: Enable each middle-layer firewall to receive mapping information from the layer below and forward it to the layer above.
You must also perform this task for any firewall that redistributes mapping information to other firewalls in the same layer. For example, Figure: User-ID Redistribution shows one data center firewall that redistributes to other data center firewalls.
Each firewall can receive mapping information from up to 100 User-ID agents.
Figure: User-ID Redistribution shows only one middle layer of firewalls, but you can deploy as many layers as the redistribution limit of ten hops allows.
1. Configure a service route for the firewall to use for sending mapping information queries to firewalls in the layer below.
   a. Select Device > Setup > Services.
   b. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual-system-specific service route). For details, refer to Customize Service Routes to Services for Virtual Systems.
   c. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 depending on your network protocols. Configure the service route for both protocols if your network uses both.
   d. Select UID Agent and then select the Source Interface and Source Address.
   e. Click OK twice to save the service route.
2. Configure the firewall to receive mapping information from firewalls acting as User-ID agents in the layer below.
   a. Select Device > User Identification > User-ID Agents and click Add.
   b. Enter a Name to identify the lower-layer firewall.
   c. Enter the Host name or IP address of the interface that you configured on the lower-layer firewall to respond to mapping information queries.
   d. Enter the Port number (default is 5007) on which the lower-layer firewall will listen for User-ID queries.
   e. Enter the Collector Name you specified when configuring the lower-layer firewall to act as a User-ID agent.
   f. Enter and confirm the Collector Pre-Shared Key you specified on the lower-layer firewall.
   g. Ensure the configuration is Enabled (default) and click OK.
   h. Check the Connected column to confirm that the firewall you just added as a User-ID agent shows a connected status.
3. Enable the firewall to forward the mapping information to firewalls in the layer above.
   a. Configure the firewall to function as a User-ID agent.
   b. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface you want the firewall to use when responding to mapping information queries from firewalls in the layer above.
4. (Optional) Configure policies specific to user accounts for which you want this firewall to aggregate mapping information from lower layers.
5. Commit your changes.
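The two limits stated above (at most 100 User-ID agents per receiving firewall, at most ten hops end to end, with every virtual system counted as a hop) are easy to violate once a design has several layers and same-layer redistribution. The following script is an added planning check, not part of the guide or of PAN-OS: it models the planned redistribution as a directed graph of "collector receives from source" edges and reports any firewall that would exceed the agent limit, any chain longer than ten hops, and any redistribution loop. The topology in CONSTRUCTED_EDGES is made up for illustration.

```python
"""Check a planned User-ID redistribution topology against the limits stated
in the guide: a firewall (or vsys) may receive from at most 100 User-ID
agents, and a mapping may traverse at most 10 hops, where every virtual
system counts as a hop. The topology below is constructed for illustration."""

from collections import defaultdict

MAX_AGENTS_PER_COLLECTOR = 100
MAX_HOPS = 10

# Each edge (source, collector) means "collector receives mapping information
# from source". Nodes are "firewall/vsys" strings; a vsys is a node of its own,
# so a multi-vsys firewall contributes one hop per vsys the mapping crosses.
CONSTRUCTED_EDGES = [
    ("branch-a/vsys1", "region-1/vsys1"),
    ("branch-b/vsys1", "region-1/vsys1"),
    ("branch-c/vsys1", "region-2/vsys1"),
    ("region-1/vsys1", "dc-1/vsys1"),
    ("region-2/vsys1", "dc-1/vsys1"),
    ("dc-1/vsys1", "dc-2/vsys1"),   # same-layer redistribution in the data center
    ("dc-1/vsys1", "dc-3/vsys1"),
]


def build_graph(edges):
    """Return adjacency (source -> collectors) and in-degree per collector."""
    adj = defaultdict(list)
    in_degree = defaultdict(int)
    for src, dst in edges:
        adj[src].append(dst)
        in_degree[dst] += 1
    return adj, in_degree


def longest_chain(adj):
    """Length in hops (edges) of the longest redistribution chain, via a
    memoised DFS. A cycle would redistribute mappings forever, so it is
    reported as an error instead of a length."""
    memo = {}
    on_stack = set()

    def depth(node):
        if node in memo:
            return memo[node]
        if node in on_stack:
            raise ValueError(f"redistribution loop through {node}")
        on_stack.add(node)
        best = 0
        for nxt in adj.get(node, ()):
            best = max(best, 1 + depth(nxt))
        on_stack.discard(node)
        memo[node] = best
        return best

    return max((depth(n) for n in list(adj)), default=0)


def validate_topology(edges):
    """Return a list of human-readable violations; empty means the plan fits."""
    adj, in_degree = build_graph(edges)
    problems = []
    for collector, count in in_degree.items():
        if count > MAX_AGENTS_PER_COLLECTOR:
            problems.append(f"{collector} receives from {count} agents "
                            f"(limit {MAX_AGENTS_PER_COLLECTOR})")
    try:
        hops = longest_chain(adj)
        if hops > MAX_HOPS:
            problems.append(f"longest chain is {hops} hops (limit {MAX_HOPS})")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    for problem in validate_topology(CONSTRUCTED_EDGES) or ["topology is within limits"]:
        print(problem)
```

Run it against your own edge list before configuring the collectors; adding the same-layer edges (data center firewall to data center firewall) is what usually pushes a design past the hop limit.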
Step 5: Enable each top-layer firewall to receive mapping information from all other layers.
You must also perform this task for any firewall that is an endpoint in the redistribution sequence within a layer. In the example of Figure: User-ID Redistribution, you would perform this task for the two data center firewalls that receive mapping information from another data center firewall.
1. Configure the firewall to receive mapping information from firewalls acting as User-ID agents in the layer below.
2. Configure a service route for the firewall to use for sending mapping information queries to firewalls in the layer below.
3. (Optional) Configure policies that are global to all user accounts.
4. Commit your changes.
Step 6: Verify that the top-layer firewalls are aggregating mapping information from all other layers.
This step samples a single user mapping that is collected in a bottom-layer firewall and forwarded to a top-layer firewall. Repeat the step for several user mappings and several firewalls to ensure your configuration is successful.
1. Access the CLI of a bottom-layer firewall and run the following operational command:
   > show user ip-user-mapping all
2. Record the IP address associated with any username.
3. Access the CLI of a top-layer firewall and run the following command, where <address> is the IP address you recorded in the previous step:
   > show user ip-user-mapping ip <address>
   If the firewall successfully received the user mapping from the bottom-layer firewall, it displays output similar to the following, with the same username you recorded on the bottom-layer firewall:
   IP address:    192.0.2.0 (vsys1)
   User:          corpdomain\username1
   From:          AD
   Idle Timeout:  2643s
   Max. TTL:      2643s
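Checking one mapping by eye is fine for a single pair of firewalls; for many pairs you want the comparison automated. The following is an added example, not code from the guide or from Palo Alto Networks: it parses the key/value output of show user ip-user-mapping ip <address> as shown above into a record and compares the record taken on a bottom-layer firewall with the one taken on a top-layer firewall. The two sample outputs are constructed (the top-layer From value and timeouts are assumed, not captured), and the script expects you to have collected the CLI output by whatever means you already use (SSH, API, or copy and paste).

```python
"""Parse `show user ip-user-mapping ip <address>` output and confirm that a
top-layer firewall holds the same IP-to-user mapping a bottom-layer firewall
collected. The two outputs below are constructed samples, not captures from a
device; the field names follow the output shown in the guide."""

import re

BOTTOM_LAYER_OUTPUT = """\
IP address:    192.0.2.0 (vsys1)
User:          corpdomain\\username1
From:          AD
Idle Timeout:  2643s
Max. TTL:      2643s
"""

# Assumed output on the collector: the source and timeouts may differ from
# the bottom-layer view, but the address-to-user binding must be identical.
TOP_LAYER_OUTPUT = """\
IP address:    192.0.2.0 (vsys1)
User:          corpdomain\\username1
From:          UIA
Idle Timeout:  2601s
Max. TTL:      2601s
"""


def parse_mapping(text):
    """Turn 'Key: value' lines into a dict. The IP line is additionally split
    into 'ip' and 'vsys', and the timeout fields are converted to integers."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    m = re.match(r"(\S+)\s+\((\S+)\)", record.get("IP address", ""))
    if m:
        record["ip"], record["vsys"] = m.group(1), m.group(2)
    for key in ("Idle Timeout", "Max. TTL"):
        if key in record and record[key].endswith("s"):
            record[key] = int(record[key][:-1])
    return record


def mapping_redistributed(bottom_text, top_text):
    """Return (ok, reason). ok is True when the top-layer firewall holds the
    same IP-to-user mapping the bottom-layer firewall collected. Usernames are
    compared case-insensitively because directory sources vary in case."""
    bottom = parse_mapping(bottom_text)
    top = parse_mapping(top_text)
    if "ip" not in top or "User" not in top:
        return False, "top-layer firewall has no mapping for this address"
    if bottom.get("ip") != top.get("ip"):
        return False, f"address mismatch: {bottom.get('ip')} vs {top.get('ip')}"
    if bottom["User"].lower() != top["User"].lower():
        return False, f"user mismatch: {bottom['User']} vs {top['User']}"
    return True, "mapping redistributed"


if __name__ == "__main__":
    print(mapping_redistributed(BOTTOM_LAYER_OUTPUT, TOP_LAYER_OUTPUT))
```

A missing record on the top-layer firewall is the most common result after a misconfiguration (wrong pre-shared key, collector name, or service route), so the function reports that case separately from a mismatched user.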
App-ID
To safely enable applications on your network, the Palo Alto Networks next-generation firewalls provide both an application perspective (App-ID) and a web perspective (URL Filtering) to protect against a full spectrum of legal, regulatory, productivity, and resource utilization risks.
App-ID enables visibility into the applications on the network, so you can learn how they work and understand their behavioral characteristics and their relative risk. This application knowledge allows you to create and enforce security policy rules to enable, inspect, and shape desired applications and block unwanted applications. When you define policy rules to allow traffic, App-ID begins to classify traffic without any additional configuration.
App-ID Overview
Manage Custom or Unknown Applications
Manage New App-IDs Introduced in Content Releases
Use Application Objects in Policy
Applications with Implicit Support
Application Level Gateways
Disable the SIP Application-level Gateway (ALG)
App-ID Overview
App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. It applies multiple classification mechanisms (application signatures, application protocol decoding, and heuristics) to your network traffic stream to accurately identify applications.
Here's how App-ID identifies applications traversing your network:
- Traffic is matched against policy to check whether it is allowed on the network.
- Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines whether the application is being used on its default port or on a non-standard port. If the traffic is allowed by policy, the traffic is then scanned for threats and further analyzed to identify the application more granularly.
- If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
- Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
- For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
When the application is identified, the policy check determines how to treat the application: for example, block it, or allow it and scan for threats, inspect for unauthorized file transfer and data patterns, or shape it using QoS.
Manage Custom or Unknown Applications
Palo Alto Networks provides weekly application updates to identify new App-ID signatures. By default, App-ID is always enabled on the firewall, and you don't need to enable a series of signatures to identify well-known applications. Typically, the only applications that are classified as unknown traffic (unknown-tcp, unknown-udp or non-syn-tcp in the ACC and the traffic logs) are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.
On occasion, the firewall may report an application as unknown for the following reasons:
- Incomplete data: A handshake took place, but no data packets were sent prior to the timeout.
- Insufficient data: A handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.
The following choices are available to handle unknown applications:
- Create security policies to control unknown applications by unknown-tcp, unknown-udp or by a combination of source zone, destination zone, and IP addresses.
- Request an App-ID from Palo Alto Networks: If you would like to inspect and control the applications that traverse your network, you can record a packet capture for any unknown traffic. If the packet capture reveals that the application is a commercial application, you can submit this packet capture to Palo Alto Networks for App-ID development. If it is an internal application, you can create a custom App-ID and/or define an application override policy.
- Create a Custom Application with a signature and attach it to a security policy, or create a custom application and define an application override policy: A custom application allows you to customize the definition of the internal application (its characteristics, category and subcategory, risk, port, timeout) and exercise granular policy control in order to minimize the range of unidentified traffic on your network. Creating a custom application also allows you to correctly identify the application in the ACC and traffic logs and is useful in auditing and reporting on the applications on your network. For a custom application you can specify a signature and a pattern that uniquely identifies the application and attach it to a security policy that allows or denies the application.
  Alternatively, if you would like the firewall to process the custom application using the fast path (Layer 4 inspection instead of using App-ID for Layer 7 inspection), you can reference the custom application in an application override policy rule. An application override with a custom application prevents the session from being processed by the App-ID engine, which is a Layer 7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4, and thereby saves application processing time.
  For example, if you build a custom application that triggers on the host header www.mywebsite.com, the packets are first identified as web-browsing and then are matched as your custom application (whose parent application is web-browsing). Because the parent application is web-browsing, the custom application is inspected at Layer 7 and scanned for content and vulnerabilities.
  If you define an application override, the firewall stops processing at Layer 4. The custom application name is assigned to the session to help identify it in the logs, but the traffic is not scanned for threats. Because an override turns off threat and content inspection for the matching sessions, scope override rules as tightly as possible (specific source and destination zones and addresses, and a specific port) and reserve them for trusted internal traffic.
Manage New App-IDs Introduced in Content Releases
Installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for the now uniquely identified application. Before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policies and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.
The following options enable you to assess the impact of new App-IDs on existing policy enforcement, disable (and enable) App-IDs, and seamlessly update policy rules to secure and enforce newly identified applications:
Review New App-IDs
Disable or Enable App-IDs
Prepare Policy Updates For Pending App-IDs
Review New App-IDs
Review new App-ID signatures introduced in an Applications and/or Threats content update. For each new application signature introduced, you can preview the App-ID details, including a description of the application identified by the App-ID, other existing App-IDs that the new signature depends on (such as SSL or HTTP), and the category the application traffic received before the introduction of the new App-ID (for example, an application might be classified as web-browsing traffic before an App-ID signature is introduced that uniquely identifies the traffic). After reviewing the description and details for a new App-ID signature, review the App-ID signature's impact on existing policy enforcement. When new application signatures are introduced, the newly identified application traffic might no longer match the policies that previously enforced the application. Reviewing the policy impact for new application signatures enables you to identify the policies that will no longer enforce the application when the new App-ID is installed.
After downloading a new content release version, review the new App-IDs included in the content version and assess the impact of the new App-IDs on existing policy rules:
Review New App-IDs Since Last Content Version
Review New App-ID Impact on Existing Policy Rules
Review New App-IDs Since Last Content Version
Review New App-IDs Available Since the Last Installed Content Release Version
Step 1: Select Device > Dynamic Updates.
Step 2: Download the latest Applications and Threats content update. When the content update is downloaded, an Apps link will appear in the Features column for that content update.
Step 3: Click the Apps link in the Features column to view details on newly identified applications:
- A list of App-IDs shows all new App-IDs introduced from the content version installed on the firewall up to the selected Content Version.
- App-ID details that you can use to assess possible impact to policy enforcement include:
  - Depends on: Lists the application signatures that this App-ID relies on to uniquely identify the application. If one of the application signatures listed in the Depends On field is disabled, the dependent App-ID is also disabled.
  - Previously Identified As: Lists the App-IDs that matched the application before the new App-ID was installed to uniquely identify the application.
  - App-ID Enabled: All App-IDs display as enabled when a content release is downloaded, unless you choose to manually disable the App-ID signature before installing the content update (see Disable or Enable App-IDs).
Multi-vsys firewalls display App-ID status as vsys-specific. This is because the status is not applied across virtual systems and must be individually enabled or disabled for each virtual system. To view the App-ID status for a specific virtual system, select Objects > Applications, select a Virtual System, and select the App-ID.
Next Steps...
Disable or Enable App-IDs.
Prepare Policy Updates For Pending App-IDs.
Review New App-ID Impact on Existing Policy Rules
Review the Impact of New App-ID Signatures on Existing Policy Rules
Step 1: Select Device > Dynamic Updates. You can review the policy impact of new content release versions that are downloaded to the firewall.
Step 2: Download a new content release version, and click Review Policies in the Action column. The Policy review based on candidate configuration dialog allows you to filter by Content Version and view App-IDs introduced in a specific release (you can also filter the policy impact of new App-IDs according to Rulebase and Virtual System).
Step 3: Select a new App-ID from the Application drop-down to view policy rules that currently enforce the application. The rules displayed are based on the application signatures that match the application before the new App-ID is installed (view the application details to see the list of application signatures that an application was Previously Identified As before the new App-ID).
Step 4: Use the detail provided in the policy review to plan policy rule updates to take effect when the App-ID is installed and enabled to uniquely identify the application.
You can continue to Prepare Policy Updates For Pending App-IDs, or you can directly add the new App-ID to the policy rules that the application was previously matched to by continuing to use the policy review dialog.
In the following example, the new App-ID adobe-cloud is introduced in a content release. Adobe Cloud traffic is currently identified as SSL and web-browsing traffic. Policy rules configured to enforce SSL or web-browsing traffic are listed to show which policy rules will be affected when the new App-ID is installed.
Add the new App-ID to the existing policy rules so that the application traffic continues to be enforced according to your existing security requirements when the App-ID is installed. In this example, the rule AllowSSLApp currently enforces SSL traffic. To continue to allow adobe-cloud traffic when it is uniquely identified by the new App-ID and no longer identified as SSL traffic, add the new App-ID to the security policy rule AllowSSLApp.
The policy rule updates take effect only when the application updates are installed.
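The review the dialog performs is mechanical: for each new App-ID, find the rules whose application list contains one of the App-IDs the application was Previously Identified As, because those rules stop matching the traffic the moment the new signature is installed and enabled. The following is an added example that reproduces that logic offline, not code from the guide or from PAN-OS; the Rule and PendingAppID classes, the three-rule rulebase and the adobe-cloud metadata are constructed for illustration (the real firewall exposes this information through the policy review dialog, not through these names).

```python
"""Stage the policy update the guide describes: find the rules that enforce
an application today through the App-IDs it was previously identified as, and
add the pending App-ID to those rules so enforcement does not change when the
content release is installed. The rulebase and the App-ID metadata are
constructed for this example; they are not exported from a firewall."""

from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    applications: set            # App-IDs the rule matches on ("any" allowed)
    action: str                  # "allow" or "deny"


@dataclass
class PendingAppID:
    name: str
    previously_identified_as: set
    depends_on: set = field(default_factory=set)
    enabled: bool = True


# Constructed rulebase, mirroring the AllowSSLApp example in the guide.
RULEBASE = [
    Rule("AllowSSLApp", {"ssl"}, "allow"),
    Rule("AllowWeb", {"web-browsing"}, "allow"),
    Rule("BlockP2P", {"bittorrent"}, "deny"),
]

ADOBE_CLOUD = PendingAppID("adobe-cloud", {"ssl", "web-browsing"}, {"ssl", "http"})


def affected_rules(rulebase, pending):
    """Rules that currently enforce the application via an App-ID that the new
    signature will no longer match. Rules with application 'any' are left out
    because they keep matching the new App-ID as well."""
    return [r for r in rulebase
            if "any" not in r.applications
            and r.applications & pending.previously_identified_as]


def stage_update(rulebase, pending):
    """Return a new rulebase with the pending App-ID added to every affected
    rule. The originals are left untouched so the caller can diff them."""
    affected = {r.name for r in affected_rules(rulebase, pending)}
    staged = []
    for r in rulebase:
        apps = set(r.applications)
        if r.name in affected:
            apps.add(pending.name)
        staged.append(Rule(r.name, apps, r.action))
    return staged


def enforcement_gap(rulebase, pending, installed):
    """Names of rules that match the app today but would stop matching once
    the content release is installed and the App-ID enabled. Empty means the
    transition is seamless. A pending App-ID never enforces until it is both
    installed and enabled, so while either is false there is no gap."""
    if not (installed and pending.enabled):
        return []
    return [r.name for r in affected_rules(rulebase, pending)
            if pending.name not in r.applications]


if __name__ == "__main__":
    print("affected:", [r.name for r in affected_rules(RULEBASE, ADOBE_CLOUD)])
    print("gap before staging:", enforcement_gap(RULEBASE, ADOBE_CLOUD, True))
    print("gap after staging:", enforcement_gap(stage_update(RULEBASE, ADOBE_CLOUD), ADOBE_CLOUD, True))
```

Note that a deny rule is affected in exactly the same way as an allow rule: if BlockP2P had matched on ssl, the newly identified traffic would slip past the block until the App-ID is added to it, which is why the staging step should not be limited to allow rules.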
Next Steps...
Disable or Enable App-IDs.
Prepare Policy Updates For Pending App-IDs.
Disable or Enable App-IDs
Disable new App-IDs included in a content release to immediately benefit from protection against the latest threats while continuing to have the flexibility to enable the App-IDs later, after preparing the necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.
Policy rules referencing App-IDs only match to and enforce traffic based on enabled App-IDs.
Certain App-IDs cannot be disabled and only allow a status of enabled. App-IDs that cannot be disabled include some application signatures implicitly used by other App-IDs (such as unknown-tcp). Disabling a base App-ID could cause App-IDs that depend on the base App-ID to also be disabled. For example, disabling facebook-base will disable all other Facebook App-IDs.
Disable and Enable App-IDs
Disable all App-IDs in a content release or for scheduled content updates:
- To disable all new App-IDs introduced in a content release, select Device > Dynamic Updates and Install an Applications and Threats content release. When prompted, select Disable new apps in content update. Select the check box to disable apps and continue installing the content update; this allows you to be protected against threats, and gives you the option to enable the apps at a later time.
- On the Device > Dynamic Updates page, select Schedule. Choose to Disable new apps in content update for downloads and installations of content releases.
Disable App-IDs for one application or multiple applications at a single time:
- To quickly disable a single application or multiple applications at the same time, select Objects > Applications. Select one or more application check boxes and click Disable.
- To review details for a single application, and then disable the App-ID for that application, select Objects > Applications, open the application, and click Disable App-ID. You can use this step to disable both pending App-IDs (where the content release including the App-ID is downloaded to the firewall but not installed) and installed App-IDs.
Enable App-IDs:
- Enable App-IDs that you previously disabled by selecting Objects > Applications. Select one or more application check boxes and click Enable, or open the details for a specific application and click Enable App-ID.
Prepare Policy Updates For Pending App-IDs
You can now stage seamless policy updates for new App-IDs. Release versions prior to PAN-OS 7.0 required you to install new App-IDs (as part of a content release) and then make the necessary policy updates. This allowed for a period during which the newly identified application traffic was not enforced, either by existing rules (that the traffic had matched before being uniquely identified) or by rules that had yet to be created or modified to use the new App-ID.
Pending App-IDs can now be added to policy rules to prevent gaps in policy enforcement that could occur during the period between installing a content release and updating security policy. Pending App-IDs include App-IDs that have been manually disabled, or App-IDs that are downloaded to the firewall but not installed. Pending App-IDs can be used to update policies both before and after installing a new content release. Though they can be added to policy rules, pending App-IDs are not enforced until the App-IDs are both installed and enabled on the firewall.
The names of App-IDs that have been manually disabled display as gray and italicized, to indicate the disabled status:
Disabled App-ID included in a security policy rule: [screenshot not reproduced]
App-IDs that are included in a downloaded content release version might have an App-ID status of enabled, but App-IDs are not enforced until the corresponding content release version is installed.
Perform Seamless Policy Updates for New App-IDs
To install the content release version now and then update policies (do this to benefit from new threat signatures immediately, while you review new application signatures and update your policies):
1. Install the latest content release version. Before the content release is installed, you are prompted to Disable new apps in content update. Select the check box and continue to install the content release. Threat signatures included in the content release will be installed and effective, while new or updated App-IDs are disabled.
2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
3. While reviewing the policy impact for new App-IDs, you can use the Policy Review based on candidate configuration dialog to add a new App-ID to existing policy rules. The new App-ID is added to the existing rules as a disabled App-ID.
4. Select Policies and update Security, QoS, and Policy Based Forwarding rules to match to and enforce the now uniquely identified application traffic, using the pending App-IDs.
5. Enable the App-IDs that were disabled at installation (see Disable or Enable App-IDs).
6. Commit your changes to seamlessly update policy enforcement for new App-IDs.
To update policies now and then install the content release version:
1. Download the latest content release version.
2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
3. Continue to review the policy impact for all App-IDs included in the latest content release version by selecting App-IDs in the Applications drop-down.
4. Add the new App-IDs to existing policies as needed.
5. Click OK to save your changes.
6. Install the latest content release version.
7. Commit your changes to seamlessly update policy enforcement for new App-IDs.
Use Application Objects in Policy
Create an Application Group
Create an Application Filter
Create a Custom Application
Create an Application Group
An application group is an object that contains applications that you want to treat similarly in policy. Application groups are useful for enabling access to applications that you explicitly sanction for use within your organization. Grouping sanctioned applications simplifies administration of your rulebases: instead of having to update individual policy rules when there is a change in the applications you support, you can instead update only the affected application groups.
When deciding how to group applications, consider how you plan to enforce access to your sanctioned applications and create an application group that aligns with each of your policy goals. For example, you might have some applications that you will only allow your IT administrators to access, and other applications that you want to make available for any known user in your organization. In this case, you would create separate application groups for each of these policy goals. Although you generally want to enable access to applications on the default port only, you may want to group applications that are an exception to this and enforce access to those applications in a separate rule.
Create an Application Group
Step 1: Select Objects > Application Groups.
Step 2: Add a group and give it a descriptive Name.
Step 3: (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
Step 4: Add the applications you want in the group and then click OK.
Step 5: Commit the configuration.
Create an Application Filter
An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to access. For example, you may want to enable employees to choose their own office programs (such as Evernote, Google Docs, or Microsoft Office 365) for business use. To safely enable these types of applications, you could create an application filter that matches on the Category business-systems and the Subcategory office-programs. As new office-program applications emerge and new App-IDs get created, these new applications will automatically match the filter you defined; you will not have to make any additional changes to your policy rulebase to safely enable any application that matches the attributes you defined for the filter.
Create an Application Filter
Step 1: Select Objects > Application Filters.
Step 2: Add a filter and give it a descriptive Name.
Step 3: (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
Step 4: Define the filter by selecting attribute values from the Category, Subcategory, Technology, Risk, and Characteristic sections. As you select values, notice that the list of matching applications at the bottom of the dialog narrows. When you have adjusted the filter attributes to match the types of applications you want to safely enable, click OK.
Step 5: Commit the configuration.
Create a Custom Application
To safely enable applications you must classify all traffic, across all ports, all the time. With App-ID, the only applications that are typically classified as unknown traffic (unknown-tcp, unknown-udp or non-syn-tcp in the ACC and the Traffic logs) are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.
If you are seeing unknown traffic for a commercial application that does not yet have an App-ID, you can submit a request for a new App-ID here: http://researchcenter.paloaltonetworks.com/submitanapplication/.
To ensure that your internal custom applications do not show up as unknown traffic, create a custom application. You can then exercise granular policy control over these applications in order to minimize the range of unidentified traffic on your network, thereby reducing the attack surface. Creating a custom application also allows you to correctly identify the application in the ACC and Traffic logs, which enables you to audit and report on the applications on your network.
To create a custom application, you must define the application attributes: its characteristics, category and subcategory, risk, port, and timeout. In addition, you must define patterns or values that the firewall can use to match the traffic flows themselves (the signature). Finally, you can attach the custom application to a security policy that allows or denies the application (or add it to an application group or match it to an application filter). You can also create custom applications to identify ephemeral applications with topical interest, such as ESPN3 Video for World Cup soccer or March Madness.
In order to collect the right data to create a custom application signature, you'll need a good understanding of packet captures and how datagrams are formed. If the signature is created too broadly, you might inadvertently include other similar traffic; if it is defined too narrowly, the traffic will evade detection if it does not strictly match the pattern.
Custom applications are stored in a separate database on the firewall and this database is not impacted by the weekly App-ID updates.
The supported application protocol decoders that enable the firewall to detect applications that may be tunneling inside of the protocol include the following as of content update 424: HTTP, HTTPS, DNS, FTP, IMAP, SMTP, Telnet, IRC (Internet Relay Chat), Oracle, RTMP, RTSP, SSH, GNU Debugger, GIOP (Global Inter-ORB Protocol), Microsoft RPC, Microsoft SMB (also known as CIFS).
The following is a basic example of how to create a custom application.
Step 1: Gather information about the application that you will be able to use to write custom signatures.
To do this, you must have an understanding of the application and how you want to control access to it. For example, you may want to limit what operations users can perform within the application (such as uploading, downloading, or live streaming). Or you may want to allow the application, but enforce QoS policing.
Capture application packets so that you can find unique characteristics about the application on which to base your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the client system to capture the packets between the client and the server. Perform different actions in the application, such as uploading and downloading, so that you will be able to locate each type of session in the resulting packet captures (PCAPs).
Because the firewall by default takes packet captures for all unknown traffic, if the firewall is between the client and the server you can view the packet capture for the unknown traffic directly from the Traffic log.
Use the packet captures to find patterns or values in the packet contexts that you can use to create signatures that will uniquely match the application traffic. For example, look for string patterns in HTTP response or request headers, URI paths, or hostnames. For information on the different string contexts you can use to create application signatures and where you can find the corresponding values in the packet, refer to Creating Custom Threat Signatures.
Step 2: Add the custom application.
1. Select Objects > Applications and click Add.
2. On the Configuration tab, enter a Name and a Description for the custom application that will help other administrators understand why you created the application.
3. (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
4. Define the application Properties and Characteristics.
Step 3: Define details about the application, such as the underlying protocol, the port number the application runs on, the timeout values, and any types of scanning you want to be able to perform on the traffic.
On the Advanced tab, define settings that will allow the firewall to identify the application protocol:
- Specify the default ports or protocol that the application uses.
- Specify the session timeout values. If you don't specify timeout values, the default timeout values will be used.
- Indicate any type of additional scanning you plan to perform on the application traffic.
For example, to create a custom TCP-based application that runs over SSL but uses port 4443 (instead of the default port for SSL, 443), you would specify the port number. By adding the port number for a custom application, you can create policy rules that use the default port for the application (application-default) rather than opening up additional ports on the firewall. This improves your security posture.
Step 4: Define the criteria that the firewall will use to match the traffic to the new application.
You will use the information you gathered from the packet captures to specify unique string context values that the firewall can use to match patterns in the application traffic.
1. On the Signatures tab, click Add and define a Signature Name and optionally a Comment to provide information about how you intend to use this signature.
2. Specify the Scope of the signature: whether it matches a full Session or a single Transaction.
3. Specify conditions to define signatures by clicking Add And Condition or Add Or Condition.
4. Select an Operator to define the type of match conditions you will use: Pattern Match or Equal To.
   - If you selected Pattern Match, select the Context and then use a regular expression to define the Pattern to match in the selected context. Optionally, click Add to define a qualifier/value pair. The Qualifier list is specific to the Context you chose.
   - If you selected Equal To, select the Context and then select the Position of the bytes to compare: first-4bytes or second-4bytes (no regular expression is involved). Define the 4-byte hex value for the Mask (for example, 0xffffff00) and the Value (for example, 0xaabbccdd); the mask selects which bits of the 4 bytes at that position are compared with the value.
   For example, if you are creating a custom application for one of your internal applications, you could use the ssl-rsp-certificate Context to define a pattern match for the certificate response message of an SSL negotiation from the server and create a Pattern to match the commonName of the server in the message, as shown here: [screenshot not reproduced]
5. Repeat steps 3 and 4 for each matching condition.
6. If the order in which the firewall attempts to match the signature definitions is important, make sure the Ordered Condition Match check box is selected and then order the conditions so that they are evaluated in the appropriate order. Select a condition or a group and click Move Up or Move Down. You cannot move conditions from one group to another.
7. Click OK to save the signature definition.
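Before typing a condition into the Signatures tab it pays to test it against the captures from Step 1, because the too-broad/too-narrow trade-off noted earlier only becomes visible against real samples. The following is an added example, not code from the guide or from PAN-OS, that models the two operators described above offline: a Pattern Match on the http-req-host-header context (regex over the Host header of a request) and an Equal To match (4-byte mask and value over the first or second 4 bytes of a payload). The HTTP requests and the binary payload are constructed samples, the context and operator names mirror the dialog, and the matching logic is this example's own approximation, not the firewall's implementation.

```python
"""Evaluate candidate custom-application signature conditions against sample
traffic before entering them on the Signatures tab. Two condition types are
modelled: a Pattern Match (regex over the http-req-host-header context) and an
Equal To match (4-byte mask and value at first-4bytes or second-4bytes). All
samples below are constructed; none were captured from a real application."""

import re

# Constructed HTTP requests: the first three belong to the internal app, the
# rest are other traffic that a too-broad pattern would also catch.
INTERNAL_APP_REQUESTS = [
    b"GET /api/v1/upload HTTP/1.1\r\nHost: app.internal.example\r\n\r\n",
    b"POST /api/v1/upload HTTP/1.1\r\nHost: app.internal.example:8443\r\n\r\n",
    b"GET /static/logo.png HTTP/1.1\r\nHost: APP.INTERNAL.EXAMPLE\r\n\r\n",
]
OTHER_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: wiki.internal.example\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: app.internal.example.evil.test\r\n\r\n",
]


def http_req_host_header(raw):
    """Extract the value a signature in the http-req-host-header context would
    be matched against: the Host header exactly as sent (port included), or
    None when the request carries no Host header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def pattern_match(pattern, host):
    """Pattern Match operator approximated as a case-insensitive regex search."""
    return host is not None and re.search(pattern, host, re.IGNORECASE) is not None


def evaluate_pattern(pattern, positives, negatives):
    """Return (missed, false_positives): app requests the pattern fails to
    match, and other requests it wrongly matches. Both lists should be empty
    before the pattern goes into the firewall."""
    missed = [http_req_host_header(r) for r in positives
              if not pattern_match(pattern, http_req_host_header(r))]
    false_pos = [http_req_host_header(r) for r in negatives
                 if pattern_match(pattern, http_req_host_header(r))]
    return missed, false_pos


def equal_to_match(payload, position, mask, value):
    """Equal To operator: compare (bytes & mask) with (value & mask) at a
    4-byte position, 'first-4bytes' or 'second-4bytes'. Payloads shorter than
    the window cannot match."""
    offset = {"first-4bytes": 0, "second-4bytes": 4}[position]
    window = payload[offset:offset + 4]
    if len(window) < 4:
        return False
    return (int.from_bytes(window, "big") & mask) == (value & mask)


if __name__ == "__main__":
    for candidate in (r"internal\.example",                    # too broad
                      r"^app\.internal\.example$",             # too narrow
                      r"^app\.internal\.example(:\d+)?$"):     # just right
        print(candidate, evaluate_pattern(candidate, INTERNAL_APP_REQUESTS, OTHER_REQUESTS))
    print(equal_to_match(bytes.fromhex("aabbccdd01020304"), "first-4bytes", 0xffffff00, 0xaabbccdd))
```

The three candidate patterns show the trade-off from the earlier caveat: the unanchored one also matches the wiki and the look-alike subdomain, the fully anchored one misses the request that carries an explicit port, and only the version that allows an optional port matches exactly the internal traffic.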
Step 5: Save the application.
1. Click OK to save the custom application definition.
2. Click Commit.
Step 6: Validate that traffic matches the custom application as expected.
Applications with Implicit Support
When creating a policy to allow specific applications, you must also be sure that you are allowing any other applications on which the application depends. In many cases, you do not have to explicitly allow access to the dependent applications in order for the traffic to flow, because the firewall is able to determine the dependencies and allow them implicitly. This implicit support also applies to custom applications that are based on HTTP, SSL, MS-RPC, or RTSP. Applications for which the firewall cannot determine the dependent applications in time will require that you explicitly allow the dependent applications when defining your policies. You can determine application dependencies in Applipedia.
The following table lists the applications for which the firewall has implicit support (as of Content Update 557).
Table: Applications with Implicit Support (Application: Implicitly Supports)
360-safeguard-update: http
apple-update: http
apt-get: http
as2: http
avg-update: http
avira-antivir-update: http, ssl
blokus: rtmp
bugzilla: http
club-cooee: http
corba: http
cubby: http, ssl
dropbox: ssl
esignal: http
evernote: http, ssl
ezhelp: http
(application name not recovered): http, ssl
facebook-chat: jabber
facebook-social-plugin: http
fastviewer: http, ssl
forticlient-update: http
good-for-enterprise: http, ssl
google-cloud-print: http, ssl, jabber
google-desktop: http
google-talk: jabber
google-update: http
gotomypc-desktop-sharing: citrix-jedi
gotomypc-file-transfer: citrix-jedi
gotomypc-printing: citrix-jedi
hipchat: http
iheartradio: ssl, http, rtmp
infront: http
(application name not recovered): http, ssl
issuu: http, ssl
java-update: http
jepptech-updates: http
kerberos: rpc
kik: http, ssl
lastpass: http, ssl
logmein: http, ssl
mcafee-update: http
megaupload: http
metatrader: http
mocha-rdp: t_120
mount: rpc
ms-frs: msrpc
ms-rdp: t_120
ms-scheduler: msrpc
ms-service-controller: msrpc
nfs: rpc
oovoo: http, ssl
paloalto-updates: ssl
panos-global-protect: http
panos-web-interface: http
pastebin: http
pastebin-posting: http
(application name not recovered): http, ssl
portmapper: rpc
prezi: http, ssl
rdp2tcp: t_120
renren-im: jabber
roboform: http, ssl
salesforce: http
stumbleupon: http
supremo: http
symantec-av-update: http
trendmicro: http
trillian: http, ssl
(application name not recovered): http
(application name not recovered): http, ssl
xm-radio: rtsp
Application Level Gateways
The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the application based on its unique properties and transaction characteristics using the App-ID technology. Some applications, however, require the firewall to dynamically open pinholes to establish the connection, determine the parameters for the session and negotiate the ports that will be used for the transfer of data; these applications use the application-layer payload to communicate the dynamic TCP or UDP ports on which the application opens data connections. For such applications, the firewall serves as an Application Level Gateway (ALG), and it opens a pinhole for a limited time and exclusively for transferring data or control traffic. The firewall also performs a NAT rewrite of the payload when necessary.
As of Content Release version 504, the Palo Alto Networks firewall provides NAT ALG support for the following protocols: FTP, H.225, H.248, MGCP, MySQL, Oracle/SQLNet/TNS, RPC, RTSP, SCCP, SIP, and UNIStim.
When the firewall serves as an ALG for the Session Initiation Protocol (SIP), by default it performs NAT on the payload and opens dynamic pinholes for media ports. In some cases, depending on the SIP applications in use in your environment, the SIP endpoints have NAT intelligence embedded in their clients. In such cases, you might need to disable the SIP ALG functionality to prevent the firewall from modifying the signaling sessions. When SIP ALG is disabled, if App-ID determines that a session is SIP, the payload is not translated and dynamic pinholes are not opened. See Disable the SIP Application-level Gateway (ALG).
The firewall provides IPv6-to-IPv6 Network Prefix Translation (NPTv6) ALG support for the following protocols: FTP, Oracle, and RTSP. The SIP ALG is not supported for NPTv6 or NAT64.
Disable the SIP Application-level Gateway (ALG)
The Palo Alto Networks firewall uses the Session Initiation Protocol (SIP) application-level gateway (ALG) to open dynamic pinholes in the firewall where NAT is enabled. However, some applications such as VoIP have NAT intelligence embedded in the client application. In these cases, the SIP ALG on the firewall can interfere with the signaling sessions and cause the client application to stop working.
One solution to this problem is to define an Application Override Policy for SIP, but using this approach disables the App-ID and threat detection functionality. A better approach is to disable the SIP ALG, which does not disable App-ID or threat detection.
The following procedure describes how to disable the SIP ALG.
Disable the SIP ALG
Step 1
Step 2
Select the sip application.
You can type sip in the Search box to help find the sip application.
Step 3
Select Customize... for ALG in the Options section of the Application dialog box.
Step 4
Select the Disable ALG check box in the Application sip dialog box and click OK.
Step 5
Close the Application dialog box and Commit the change.
Threat Prevention
The Palo Alto Networks next-generation firewall protects and defends your network from commodity threats and advanced persistent threats (APTs). The firewall's multi-pronged detection mechanisms include a signature-based (IPS/Command and Control/Antivirus) approach, a heuristics-based (bot detection) approach, a sandbox-based (WildFire) approach, and a Layer 7 protocol analysis-based (App-ID) approach.
Commodity threats are exploits that are less sophisticated and more easily detected and prevented using a combination of the antivirus, anti-spyware, vulnerability protection and the URL filtering/Application identification capabilities on the firewall.
Advanced threats are perpetrated by organized cybercriminals or malicious groups that use sophisticated attack vectors to target your network, most commonly for intellectual property theft and financial data theft. These threats are more evasive and require intelligent monitoring mechanisms for detailed host and network forensics on malware. The Palo Alto Networks next-generation firewall in conjunction with WildFire and Panorama provides a comprehensive solution that intercepts and breaks the attack chain and provides visibility to prevent security infringement on your network, including mobile and virtualized infrastructure.
Set Up Security Profiles and Policies
Prevent Brute Force Attacks
Customize the Action and Trigger Conditions for a Brute Force Signature
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
Enable DNS Proxy
Enable Passive DNS Collection for Improved Threat Intelligence
Use DNS Queries to Identify Infected Hosts on the Network
Content Delivery Network Infrastructure for Dynamic Updates
Threat Prevention Resources
Set Up Security Profiles and Policies
The following sections provide basic threat prevention configuration examples:
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Set Up Data Filtering
Set Up File Blocking
For information on controlling web access as part of your threat prevention strategy, see URL Filtering.
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
The following describes the steps needed to set up the default Antivirus, Anti-Spyware, and Vulnerability Protection Security Profiles.
All anti-spyware and vulnerability protection signatures have a default action defined by Palo Alto Networks. You can view the default action by navigating to Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then selecting a profile. Click the Exceptions tab and then click Show all signatures and you will see a list of the signatures with the default action in the Action column. To change the default action, you must create a new profile and then create rules with a non-default action, and/or add individual signature exceptions to Exceptions in the profile.
Set up Antivirus/Anti-Spyware/Vulnerability Protection
Step 1
Verify that you have a Threat Prevention license.
The Threat Prevention subscription bundles the antivirus, anti-spyware, and vulnerability protection features in one license. To verify that you have an active Threat Prevention subscription, select Device > Licenses to verify that the Threat Prevention license is installed and check the expiration date.
Step 2
Download the latest antivirus threat signatures.
1.
2. In the Actions column, click Download to install the latest Antivirus and Applications and Threats signatures.
Step 3
Schedule signature updates.
1.
2. Specify the frequency and timing for the updates and whether the update will be downloaded and installed or only downloaded. If you select Download Only, you would need to manually go in and click the Install link in the Action column to install the signature. When you click OK, the update is scheduled. No commit is required.
3. (Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age of a signature before a download will occur. For example, if you entered 10, the signature must be at least 10 hours old before it will be downloaded, regardless of the schedule.
4. In an HA configuration, you can also click the Sync To Peer option to synchronize the content update with the HA peer after download/install. This will not push the schedule settings to the peer firewall; you need to configure the schedule on each firewall.
Best Practices for Antivirus Schedules
The general recommendation for antivirus signature update schedules is to perform a download-and-install on a daily basis for antivirus and weekly for applications and vulnerabilities.
Recommendations for HA Configurations:
Active/Passive HA: If the MGT port is used for antivirus signature downloads, you should configure a schedule on both firewalls and both firewalls will download/install independently. If you are using a data port for downloads, the passive firewall will not perform downloads while it is in the passive state. In this case you would set a schedule on both firewalls and then select the Sync To Peer option. This will ensure that whichever firewall is active, the updates will occur and will then push to the passive firewall.
Active/Active HA: If the MGT port is used for antivirus signature downloads on both firewalls, then schedule the download/install on both firewalls, but do not select the Sync To Peer option. If you are using a data port, schedule the signature downloads on both firewalls and select Sync To Peer. This will ensure that if one firewall in the active/active configuration goes into the active-secondary state, the active firewall will download/install the signature and will then push it to the active-secondary firewall.
Step 4
Attach the security profiles to a security policy.
1.
2. In Profile Settings, click the drop-down next to each security profile you would like to enable. In this example we choose default for Antivirus, Vulnerability Protection, and Anti-Spyware. The default Anti-Spyware rule enables DNS Sinkholing.
If no security profiles have been previously defined, select Profiles from the Profile Type drop-down. You will then see the list of options to select the security profiles.
Step 5
Save the configuration.
Click Commit.
Set Up Data Filtering
The following describes the steps needed to configure a data filtering profile that will detect Social Security Numbers and a custom pattern identified in .doc and .docx documents.
Data Filtering Configuration Example
Step 1
Create a Data Filtering security profile.
1.
2. Enter a Name and a Description for the profile. In this example the name is DF_Profile1 with the description Detect Social Security Numbers.
3. (Optional) If you want to collect data that is blocked by the filter, select the Data Capture check box.
You must set a password as described in Step 2 if you are using the data capture feature.
Step 2
(Optional) Secure access to the data filtering logs to prevent other administrators from viewing sensitive data.
1.
2.
3.
When you enable this option, you will be prompted for the password when you view logs in Monitor > Logs > Data Filtering.
Step 3
Define the data pattern that will be used in the Data Filtering Profile.
In this example, we will use the keyword confidential and will set the option to search for SSN numbers with dashes (Example 987-65-4320).
It is helpful to set the appropriate thresholds and define keywords within documents to reduce false positives.
1. From the Data Filtering Profile page click Add and select New from the Data Pattern drop-down. You can also configure data patterns from Objects > Custom Signatures > Data Patterns.
2. For this example, name the Data Pattern signature Detect SS Numbers and add the description Data Pattern to detect Social Security numbers.
3. In the Weight section for SSN# enter 3. See Weight and Threshold Values for more details.
4. (Optional) You can also set Custom Patterns that will be subject to this profile. In this case, you specify a pattern in the custom patterns Regex field and set a weight. You can add multiple match expressions to the same data pattern profile. In this example, we will create a Custom Pattern named SSN_Custom with a custom pattern of confidential (the pattern is case-sensitive) and use a weight of 20. The reason we use the term confidential in this example is because we know that our social security Word docs contain this term, so we define that specifically.
Step 4
Specify which applications to filter and set the file types.
1. Set Applications to Any. This will detect any supported application such as web-browsing, FTP, or SMTP. If you want to narrow down the application, you can select it from the list. For applications such as Microsoft Outlook Web App that use SSL, you will need to enable decryption. Also make sure you understand the naming for each application. For example, Outlook Web App, which is the Microsoft name for this application, is identified as the application outlook-web in the PAN-OS list of applications. You can check the logs for a given application to identify the name defined in PAN-OS.
2. Set File Types to doc and docx to only scan doc and docx files.
Step 5
Specify the direction of traffic to filter and the threshold values.
1. Set the Direction to Both. Files that are uploaded or downloaded will be scanned.
2.
3. Set the Block Threshold to 50. The file will be blocked if the weighted matches for SSNs and/or the term confidential in the file reach the threshold of 50. In this case, if the doc contained 1 instance of the word confidential with a weight of 20, that equals 20 toward the threshold, and if the doc has 15 Social Security Numbers with a weight of 3, that equals 45. Add 20 and 45 and you have 65, which will exceed the block threshold of 50.
Step 6
Attach the Data Filtering profile to the security rule.
1.
2. Click the security policy rule to modify it and then click the Actions tab. In the Data Filtering drop-down, select the new data filtering profile you created and then click OK to save. In this example, the data filtering rule name is DF_Profile1.
Step 7
Commit the configuration.
Step 8
Test the data filtering configuration.
If you have problems getting Data Filtering to work, you can check the Data Filtering log or the Traffic log to verify the application that you are testing with, and make sure your test document has the appropriate number of unique Social Security Number instances. For example, an application such as Microsoft Outlook Web App may seem to be identified as web-browsing, but if you look at the logs, the application is outlook-web. Also increase the number of SSNs, or your custom pattern, to make sure you are hitting the thresholds.
When testing, you must use real Social Security Numbers and each number must be unique. Also, when defining Custom Patterns as we did in this example with the word confidential, the pattern is case-sensitive. To keep your test simple, you may want to just test using a data pattern first, then test the SSNs.
1. Access a client PC in the trust zone of the firewall and send an HTTP request to upload a .doc or .docx file that contains the exact information you defined for filtering.
2. Create a Microsoft Word document with one instance of the term confidential and five Social Security numbers with dashes.
3. Upload the file to a website. Use an HTTP site unless you have decryption configured, in which case you can use HTTPS.
4.
5. Locate the log that corresponds to the file you just uploaded. To help filter the logs, use the source of your client PC and the destination of the web server. The action column in the log will show reset-both. You can now increase the number of Social Security Numbers in the document to test the block threshold.
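The weighted scoring behind the Data Filtering example above (SSN# weight 3, Custom Pattern confidential weight 20, Block Threshold 50), worked through on document text. This is an added illustration, not PAN-OS code: it matches the dashed SSN format only, the alert threshold is an assumed parameter (the page does not give it), and the documents are constructed (the 987-65-xxxx numbers are not issued SSNs).

```python
"""Weighted data-pattern scoring, as an added example of the arithmetic the
Data Filtering profile applies. Not PAN-OS code; inputs are constructed."""
import re

# Dashed SSN form from Step 3 of the example (987-65-4320). Format check only.
SSN_WITH_DASHES = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Profile DF_Profile1 from the example: Custom Pattern SSN_Custom, weight 20.
DF_PROFILE1_PATTERNS = {r"confidential": 20}


def data_filtering_score(text, custom_patterns, ssn_weight=3):
    """Return (score, breakdown) for one document.

    custom_patterns maps a case-sensitive regex (the Custom Pattern Regex
    field) to its weight. SSNs count once per unique number, matching the
    testing note above that each number in a test document must be unique.
    """
    breakdown = {}
    unique_ssns = set(SSN_WITH_DASHES.findall(text))
    breakdown["SSN#"] = (len(unique_ssns), ssn_weight)
    score = len(unique_ssns) * ssn_weight
    for pattern, weight in custom_patterns.items():
        hits = len(re.findall(pattern, text))  # no re.IGNORECASE: case-sensitive
        breakdown[pattern] = (hits, weight)
        score += hits * weight
    return score, breakdown


def data_filtering_action(text, custom_patterns, alert_threshold, block_threshold):
    """'block' once the score reaches the Block Threshold, 'alert' once it
    reaches the Alert Threshold, otherwise 'allow'. The page sets the Block
    Threshold to 50; the alert threshold is an assumed parameter here."""
    score, _ = data_filtering_score(text, custom_patterns)
    if score >= block_threshold:
        return "block"
    if score >= alert_threshold:
        return "alert"
    return "allow"


def make_test_document(n_ssns, keyword_line="This file is confidential."):
    """Constructed Word-document text: the keyword once plus n unique dashed SSNs."""
    ssns = [f"987-65-{4320 + i:04d}" for i in range(n_ssns)]
    rows = "\n".join(f"Employee {i}: {s}" for i, s in enumerate(ssns))
    return keyword_line + "\n" + rows


if __name__ == "__main__":
    for n in (5, 15):
        doc = make_test_document(n)
        print(n, data_filtering_score(doc, DF_PROFILE1_PATTERNS),
              data_filtering_action(doc, DF_PROFILE1_PATTERNS, 20, 50))
```

The 15-SSN document scores 20 + 45 = 65 and is blocked, the five-SSN document from the test step scores 35 and is not, and a capitalised "Confidential" adds nothing because the pattern is case-sensitive.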
Set Up File Blocking
This example will describe the basic steps needed to set up file blocking. In this configuration, we will configure the options needed to prompt users to continue before downloading .exe files from websites. When testing this example, be aware that you may have other systems between you and the source that may be blocking content.
Configure File Blocking
Step 1
Create the file blocking profile.
1.
2. Enter a Name for the file blocking profile, for example Block_EXE. Optionally enter a Description, such as Block users from downloading exe files from websites.
Step 2
Configure the file blocking options.
1. Click Add to define the profile settings.
2. Enter a Name, such as BlockEXE.
3. Set the Applications for filtering, for example web-browsing.
4.
5. Set the Direction to download.
6. Set the Action to continue. With the continue option, users are shown a response page that prompts them to click continue before the file is downloaded.
7. Click OK to save the profile.
Step 3
Apply the file blocking profile to a security policy.
1.
2. Click the Actions tab within the policy rule.
3. In the Profile Settings section, click the drop-down and select the file blocking profile you configured. In this case, the profile name is Block_EXE.
4. Commit the configuration.
If no security profiles have been previously defined, select the Profile Type drop-down and select Profiles. You will then see the list of options to select the security profiles.
Step 4
To test your file blocking configuration, access a client PC in the trust zone of the firewall and attempt to download an .exe file from a website in the untrust zone. A response page should display. Click Continue to download the file. You can also set other actions, such as alert or block, which will not provide a continue page to the user. The following shows the default response page for File Blocking:
Example: Default File Blocking Response Page
Step 5
Prevent Brute Force Attacks
A brute force attack uses a large volume of requests/responses from the same source or destination IP address to break into a system. The attacker employs a trial-and-error method to guess the response to a challenge or a request.
The Vulnerability Protection profile on the firewall includes signatures to protect you from brute force attacks. Each signature has an ID, Threat Name, and Severity and is triggered when a pattern is recorded. The pattern specifies the conditions and interval at which the traffic is identified as a brute force attack; some signatures are associated with another child signature that is of a lower severity and specifies the pattern to match against. When a pattern matches against the signature or child signature, it triggers the default action for the signature.
To enforce protection:
Attach the vulnerability profile to a security rule. See Set Up Antivirus, Anti-Spyware, and Vulnerability Protection.
Install content updates that include new signatures to protect against emerging threats. See Install Content and Software Updates.
Customize the Action and Trigger Conditions for a Brute Force Signature
The firewall includes two types of predefined brute force signatures: parent signature and child signature. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events occur within a time interval and match the traffic pattern defined in the child signature.
Typically, a child signature has a default action of allow because a single event is not indicative of an attack. In most cases, the action for a child signature is set to allow so that legitimate traffic is not blocked and threat logs are not generated for non-noteworthy events. Therefore, Palo Alto Networks recommends that you only change the default action after careful consideration.
In most cases, the brute force signature is a noteworthy event because of its recurrent pattern. If you would like to customize the action for a brute force signature, you can do one of the following:
Create a rule to modify the default action for all signatures in the brute-force category. You can define the action to allow, alert, block, reset, or drop the traffic.
Define an exception for a specific signature. For example, you can search for a CVE and define an exception for it.
For a parent signature, you can modify both the trigger conditions and the action; for a child signature you can modify the action only.
To effectively mitigate an attack, the block-ip action is recommended over the drop or reset action for most brute force signatures.
Customize the Threshold and Action for a Signature
Step 1
Create a new Vulnerability Protection profile.
1.
2. Click Add and enter a Name for the Vulnerability Protection profile.
Step 2
Create a rule that defines the action for all signatures in a category.
1. Select Rules, click Add and enter a Name for the rule.
2. Set the Action. In this example, it is set to Block IP.
3. Set Category to brute-force.
4. (Optional) If blocking, specify whether to block based on Host Type server or client; the default is any.
5. See Step 3 to customize the action for a specific signature.
6. See Step 4 to customize the trigger threshold for a parent signature.
7. Click OK to save the rule and the profile.
Step 3
(Optional) Customize the action for a specific signature.
1.
2. To edit a specific signature, click the predefined default action in the Action column.
3. Set the action to allow, alert or block-ip.
4. If you select block-ip, complete these additional tasks:
a. Specify the Time period (in seconds) after which to trigger the action.
b. In the Track By field, define whether to block the IP address by IP source or by IP source and destination.
5. Click OK.
6. For each modified signature, select the check box in the Enable column.
7. Click OK.
Step 4
Customize the trigger conditions for a parent signature.
A parent signature that can be edited is marked with an edit icon.
In this example, the search criteria was brute-force category and CVE-2008-1447.
1. Click the edit icon to edit the time attribute and the aggregation criteria for the signature.
2. To modify the trigger threshold, specify the Number of Hits per x seconds.
3. Specify whether to aggregate the number of hits by source, destination or by source and destination.
4. Click OK.
Step 5
Attach this new profile to a security rule.
1.
2.
3. Select Actions.
4. In the Profile Setting section, set the Profile Type to Profiles.
5. Select the newly created Vulnerability Protection profile.
6. Click OK to save changes to the security policy rule.
Step 6
Save your changes.
1. Click Commit.
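How the parent/child relationship and the Step 4 trigger settings behave over a stream of hits, as an added sliding-window model that is not PAN-OS code: each child-signature match is one hit, the parent fires once Number of Hits per x seconds is reached for the chosen aggregation (source, destination, or source and destination), and block-ip is tracked by IP source or IP source and destination. The hit records are constructed, and modelling the block-ip Time period as the block duration is an assumption.

```python
"""Sliding-window model of brute force parent/child signature triggering.
Added example, not PAN-OS code; timestamps and addresses are constructed."""
from collections import defaultdict, deque


class BruteForceSignature:
    def __init__(self, hits, interval_s, aggregate_by="source",
                 action="block-ip", track_by="source", block_time_s=300):
        if aggregate_by not in ("source", "destination", "source-and-destination"):
            raise ValueError("aggregate_by must be source, destination or both")
        if track_by not in ("source", "source-and-destination"):
            raise ValueError("track_by must be source or source-and-destination")
        self.hits, self.interval_s = hits, interval_s          # Number of Hits per x seconds
        self.aggregate_by, self.action = aggregate_by, action
        # Assumption: the block-ip Time period is how long the address stays
        # blocked after the parent signature triggers.
        self.track_by, self.block_time_s = track_by, block_time_s
        self.windows = defaultdict(deque)   # aggregation key -> hit timestamps
        self.blocked = {}                   # track-by key -> block expiry

    @staticmethod
    def _key(how, src, dst):
        return {"source": (src,), "destination": (dst,),
                "source-and-destination": (src, dst)}[how]

    def is_blocked(self, ts, src, dst):
        expiry = self.blocked.get(self._key(self.track_by, src, dst))
        return expiry is not None and ts < expiry

    def child_hit(self, ts, src, dst):
        """Feed one child-signature match observed at time ts (seconds).

        Returns 'allow' while the count stays under the threshold (the child
        signature's default action), the parent action when the threshold is
        reached inside the interval, and 'blocked' for traffic from an
        address already under block-ip.
        """
        if self.is_blocked(ts, src, dst):
            return "blocked"
        window = self.windows[self._key(self.aggregate_by, src, dst)]
        window.append(ts)
        while ts - window[0] >= self.interval_s:   # expire hits outside the interval
            window.popleft()
        if len(window) < self.hits:
            return "allow"
        window.clear()                             # threshold reached: restart the count
        if self.action == "block-ip":
            self.blocked[self._key(self.track_by, src, dst)] = ts + self.block_time_s
        return self.action


if __name__ == "__main__":
    sig = BruteForceSignature(hits=10, interval_s=60)
    for t in range(0, 100, 5):   # one failed login every 5 s from one client
        print(t, sig.child_hit(t, "192.0.2.10", "198.51.100.25"))
```

Ten hits inside 60 seconds from one source trigger block-ip on the tenth hit and later hits from that source are reported as blocked, while the same ten hits spread over ten minutes never fill the window and stay at the child's allow action.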
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
To monitor and protect your network from most Layer 4 and Layer 7 attacks, here are a few recommendations.
Upgrade to the most current PAN-OS software version and content release version to ensure that you have the latest security updates. For evasion prevention, upgrade to PAN-OS 7.1.1 and Applications and Threats content release version 579. See Install Content and Software Updates.
Set up the firewall to act as a DNS proxy and enable evasion signatures:
Enable DNS Proxy.
When acting as a DNS proxy, the firewall resolves DNS requests and caches hostname-to-IP address mappings in order to quickly and efficiently resolve future DNS queries.
Enable evasion signatures.
Evasion signatures that detect crafted HTTP or TLS requests can alert when a client connects to a domain other than the domain specified in the original DNS request. Make sure that DNS proxy is configured if you choose to enable evasion signatures. Without DNS proxy enabled, evasion signatures can trigger when a DNS server in a DNS load balancing configuration returns different IP addresses (for servers hosting identical resources) to the firewall and client in response to the same DNS request.
For servers, create Security policy rules to only allow the application(s) that you sanction on each server. Verify that the standard port for the application matches the listening port on the server. For example, to ensure that only SMTP traffic is allowed to your email server, set the Application to smtp and set the Service to application-default. If your server uses only a subset of the standard ports (for example, if your SMTP server uses only port 587 while the SMTP application has standard ports defined as 25 and 587), you should create a new custom service that only includes port 587 and use that new service in your security policy rule instead of using application-default. Additionally, make sure to restrict access to specific source and destination zones and sets of IP addresses.
Attach the following security profiles to your Security policy rules to provide signature-based protection.
Create a Vulnerability Protection profile to block all vulnerabilities with severity low and higher.
Create an Anti-Spyware profile to block all spyware with severity low and higher.
Create an Antivirus profile to block all content that matches an antivirus signature.
Block all unknown applications/traffic using Security policy. Typically, the only applications that are classified as unknown traffic are internal or custom applications on your network, or potential threats. Because unknown traffic can be a non-compliant application or protocol that is anomalous or abnormal, or a known application that is using non-standard ports, unknown traffic should be blocked. See Manage Custom or Unknown Applications.
Create a File Blocking profile that blocks Portable Executable (PE) file types for Internet-based SMB (Server Message Block) traffic from traversing the trust to untrust zones (ms-ds-smb applications).
Create a Zone Protection profile that is configured to protect against packet-based attacks (Network > Network Profiles > Zone Protection):
Remove TCP timestamps on SYN packets before the firewall forwards the packet. When you select the Remove TCP Timestamp option in a SYN packet, the TCP stack on both ends of the TCP connection will not support TCP timestamps. Therefore, by disabling the TCP timestamp for a SYN packet, you can prevent an attack that uses different timestamps on multiple packets for the same sequence number (Packet Based Attack Protection > TCP Drop).
Select the option to drop Mismatched overlapping TCP segment. By deliberately constructing connections with overlapping but different data in them, attackers can attempt to cause misinterpretation of the intent of the connection. This can be used to deliberately induce false positives or false negatives. An attacker can use IP spoofing and sequence number prediction to intercept a user's connection and inject his/her own data into the connection. Selecting this option causes PAN-OS to discard such frames with mismatched and overlapping data. The scenarios where the received segment will be discarded are when the segment received is contained within another segment, the segment received overlaps with part of another segment, or the segment completely contains another segment.
Verify that support for IPv6 is enabled, if you have configured IPv6 addresses on your network hosts (Network > Interfaces > Ethernet > IPv6).
This allows access to IPv6 hosts and filters IPv6 packets that are encapsulated in IPv4 packets. Enabling support for IPv6 prevents IPv6-over-IPv4 multicast addresses from being leveraged for network reconnaissance.
Enable support for multicast traffic so that the firewall can enforce policy on multicast traffic (Network > Virtual Router > Multicast).
Many hosts use the urgent data flag in the TCP header to promote a packet for immediate processing, removing it from the processing queue and expediting it through the TCP/IP stack. This process is called out-of-band processing. However, the implementation of the urgent data flag varies from host to host. Configuring the firewall to clear this flag eliminates ambiguity in how the packet is processed on the firewall and the host, allowing the firewall to see the same stream in the protocol stack as the host for which the packet is destined. When the firewall clears this flag, it includes the urgent data in the payload and prevents the packet from being processed urgently.
Enable the Drop segments without flag option (Device > Setup > Session > TCP Settings).
Illegal TCP segments without any flags set can be used to evade content inspection. When you enable this option, the firewall will drop packets that have no flags set in the TCP header.
Enable the Drop segments with null timestamp option (Device > Setup > Session > TCP Settings).
The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round-trip time. When a TCP Timestamp is set to 0 (null) it could confuse either end of the connection, resulting in an evasion. The firewall drops packets with null timestamps with this setting enabled.
Disable the Forward segments exceeding TCP out-of-order queue option (Device > Setup > Session > TCP Settings).
By default, the firewall forwards segments that exceed the TCP out-of-order queue limit of 64 per session. By disabling this option, the firewall instead drops segments that exceed the out-of-order queue limit.
Disable the Forward segments exceeding TCP App-ID inspection queue option (Device > Setup > Content-ID > Content-ID Settings).
By default, when the App-ID inspection queue is full the firewall skips App-ID inspection, classifying the application as unknown-tcp, and forwards the segments. By disabling this option, the firewall instead drops segments when the App-ID inspection queue is full.
Disable the Forward datagrams exceeding UDP content inspection queue and Forward segments exceeding TCP content inspection queue options (Device > Setup > Content-ID > Content-ID Settings).
By default, when the TCP or UDP content inspection queue is full the firewall skips Content-ID inspection for TCP segments or UDP datagrams that exceed the queue limit of 64. By disabling these options, the firewall instead drops TCP segments and UDP datagrams when the corresponding TCP or UDP content inspection queue is full.
Disable the Allow HTTP Header Range option (Device > Setup > Content-ID > Content-ID Settings).
The HTTP Range option allows a client to fetch part of a file only. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with a RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again due to the lack of context into the initial session, while at the same time allowing the web browser to reassemble the file and deliver the malicious content. Disabling this option prevents this from happening.
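The decision behind the Mismatched overlapping TCP segment option recommended in the Zone Protection best practice above, worked through on the sequence line: a newly received segment is compared with the segments already held for the flow and discarded when it is contained in one of them, partially overlaps one, or completely contains one and the bytes in the shared range differ. This is an added example to make the three discard cases concrete, not PAN-OS code; the segments are constructed.

```python
"""Overlap classification and drop decision for mismatched overlapping TCP
segments. Added example, not PAN-OS code; all segment data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    data: bytes

    @property
    def end(self):
        return self.seq + len(self.data)   # one past the last byte


def overlap_kind(new, old):
    """Classify where 'new' sits relative to 'old' on the sequence line."""
    if new.end <= old.seq or old.end <= new.seq:
        return "disjoint"
    if old.seq <= new.seq and new.end <= old.end:
        return "contained"        # new lies inside old
    if new.seq <= old.seq and old.end <= new.end:
        return "contains"         # new covers all of old
    return "partial"              # new overlaps one edge of old


def shared_bytes_match(new, old):
    """True when both segments carry the same bytes over their shared range."""
    lo, hi = max(new.seq, old.seq), min(new.end, old.end)
    return new.data[lo - new.seq:hi - new.seq] == old.data[lo - old.seq:hi - old.seq]


def decide(held, new):
    """Return ('drop', reason) on a mismatched overlap, else ('accept', reason).

    A plain retransmission (identical bytes in the overlap) is accepted: the
    option targets data that is overlapping *and* mismatched, which is what
    an injected segment relying on ambiguous reassembly looks like.
    """
    for old in held:
        kind = overlap_kind(new, old)
        if kind == "disjoint":
            continue
        if not shared_bytes_match(new, old):
            return "drop", f"{kind}: mismatched data overlapping segment at seq {old.seq}"
    return "accept", "no conflicting overlap"


if __name__ == "__main__":
    held = [Segment(1000, b"GET /index")]
    for candidate in (Segment(1000, b"GET /index"),   # retransmission
                      Segment(1004, b"/adm"),         # contained, different bytes
                      Segment(1008, b"XX HTTP"),      # partial, different bytes
                      Segment(998, b"  GET /admin  ")):  # contains, different bytes
        print(candidate.seq, decide(held, candidate))
```
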
Enable DNS Proxy
Domain name system (DNS) servers translate user-friendly domains to the associated IP addresses which locate and identify the corresponding resources. A Palo Alto Networks firewall positioned between clients and servers can act as a DNS proxy to resolve domain name queries.
The DNS proxy feature enables the firewall to:
Quickly, efficiently, and locally resolve domain name queries based on static and cached DNS entries.
Reach out to specific DNS servers to resolve certain types of DNS requests (for example, the firewall can resolve corporate domains based on a corporate DNS server's hostname-to-IP address mappings, and resolve other domains using a public or ISP DNS server).
Enable the Firewall to Act as a DNS Proxy
Step 1
Specify the interfaces on which you want the firewall to listen for DNS requests.
1.
2. Verify that Enable is selected and Name the object.
3. Add one or more Interface on which the firewall listens for DNS requests.
4. (Virtual Systems Only) Allow the DNS proxy object to be shared across all virtual systems, or set the Location to apply the DNS proxy object settings to a specific virtual system.
Step 2
Define the DNS server with which the firewall should communicate to resolve DNS requests.
If you are enabling DNS proxy on a virtual system, you must select New in the Server Profile drop-down first, and then continue with either of the following options.
Specify DNS Servers
1.
2. Enter the Primary DNS server IP address or address object.
3. Enter the Secondary DNS server IP address or address object.
Use Inherited DNS Servers
Select an Inheritance Source from which the firewall can use existing DNS server settings for the DNS proxy object.
Only interfaces configured to be DHCP client interfaces and PPPoE client interfaces are available as inheritance sources for DNS server settings. In this case, the DNS server settings the client interface dynamically receives from a DHCP server are also used to populate the Primary and Secondary DNS server settings (just continue to set both of these fields to inherited).
Step 3
Enable the firewall to reach out to certain DNS servers to resolve specific domains.
For example, the firewall can forward corporate domains to a corporate DNS server for domain name resolution.
1.
2.
3. Add one or more Domain Name.
4. Enter the IP addresses or address objects for the Primary and Secondary DNS servers. The firewall communicates with these servers to resolve DNS requests for the listed domain names.
If you are enabling DNS proxy on a virtual system, you can instead configure a DNS Server Profile to define DNS settings for the virtual system, including the primary and secondary DNS server.
Step 4
Set up static FQDN-to-IP address entries that the firewall can resolve locally, without having to reach out to a DNS server.
1. Select Static Entries.
2. Add and Name a new static mapping entry.
3. Enter the FQDN that you want the firewall to resolve.
4. Add one or more IP Address to map to the domain you entered in the last step.
Step 5
Enable caching for resolved hostname-to-IP address mappings, and customize additional DNS settings.
Select Advanced and configure settings to:
Store recently resolved hostname-to-IP address mappings. Select Cache and continue to specify the number of entries for the cache to hold and the number of hours after which all cached DNS entries are removed.
Enable DNS queries using TCP.
Specify settings for UDP query retries.
Step 6. Enable evasion signatures.
When DNS proxy is enabled, evasion signatures that detect crafted HTTP or TLS requests can alert to instances where a client connects to a domain other than the domain specified in the original DNS query.
1. Install the Applications and Threats content version 579 or later:
a. Select Device > Dynamic Updates.
b. Check Now to get the latest Applications and Threats content update.
c. Download and Install Applications and Threats content version 579.
2. Define how traffic matched to evasion signatures should be enforced:
a. Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-Spyware profile.
b. Select Exceptions and select Show all signatures.
c. Filter signatures based on the keyword evasion.
d. For all evasion signatures, set the Action to any setting other than allow or the default action (the default action for evasion signatures is allow). For example, set the action to alert or block.
e. Click OK to save the updated Anti-Spyware profile.
f. Attach the Anti-Spyware profile to a security policy rule: Select Policies > Security, select the desired policy to modify and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the Anti-Spyware profile you just modified to enforce evasion signatures.

Step 7. Commit your changes.
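The check the evasion signatures perform, which DNS proxy makes possible by giving the firewall both the client's DNS answers and its subsequent connections, can be reproduced over logged data. The following is an added example, not code from the guide or from PAN-OS: it takes the A/AAAA answers the proxy handed each client and a list of HTTP/TLS sessions with the Host header or SNI each one carried, and flags a session when the claimed name was never resolved by that client, or was resolved to an address other than the one connected to. The input is constructed (documentation address ranges) and the record layout is the example's own; the real signatures work on packets, not on this simplified log.

```go
package main

import (
	"fmt"
	"strings"
)

// Resolution is one A/AAAA answer the firewall saw, via DNS proxy, for a client.
type Resolution struct{ Client, Name, IP string }

// Connection is one HTTP or TLS session: the name the client claimed (HTTP Host
// header or TLS SNI) and the address it actually connected to.
type Connection struct{ Client, DstIP, ClaimedName string }

// Finding is a connection whose claimed name does not match what the client resolved.
type Finding struct {
	Conn   Connection
	Reason string
}

func norm(name string) string { return strings.ToLower(strings.TrimSuffix(name, ".")) }

// FindEvasions applies the check the evasion signatures describe: the name a
// client puts in a Host header or SNI must be one that the same client resolved,
// through the proxy, to the address it is connecting to. A hard-coded C2 address
// behind a benign-looking SNI, or a name the client never looked up, both fail.
func FindEvasions(dns []Resolution, conns []Connection) []Finding {
	resolved := map[string]map[string]bool{} // "client|name" -> addresses it resolved to
	for _, r := range dns {
		k := r.Client + "|" + norm(r.Name)
		if resolved[k] == nil {
			resolved[k] = map[string]bool{}
		}
		resolved[k][r.IP] = true
	}
	var out []Finding
	for _, c := range conns {
		ips := resolved[c.Client+"|"+norm(c.ClaimedName)]
		switch {
		case len(ips) == 0:
			out = append(out, Finding{c, "claimed name was never resolved by this client"})
		case !ips[c.DstIP]:
			out = append(out, Finding{c, "claimed name resolved to a different address"})
		}
	}
	return out
}

// SampleData is constructed input (documentation address ranges), not real traffic.
func SampleData() ([]Resolution, []Connection) {
	dns := []Resolution{
		{"192.168.2.10", "www.example.com", "203.0.113.10"},
		{"192.168.2.10", "www.example.com", "203.0.113.11"},
		{"192.168.2.25", "update.example.net", "203.0.113.40"},
	}
	conns := []Connection{
		{"192.168.2.10", "203.0.113.11", "www.example.com"},     // consistent with its own lookup
		{"192.168.2.10", "198.51.100.7", "www.example.com"},     // SNI borrowed, address hard-coded
		{"192.168.2.25", "203.0.113.40", "cdn.example.org"},     // name never resolved by this client
		{"192.168.2.25", "203.0.113.40", "UPDATE.example.net."}, // same name, different spelling
	}
	return dns, conns
}

func main() {
	dns, conns := SampleData()
	for _, f := range FindEvasions(dns, conns) {
		fmt.Printf("%s -> %s (claimed %q): %s\n", f.Conn.Client, f.Conn.DstIP, f.Conn.ClaimedName, f.Reason)
	}
}
```

The correlation is keyed per client on purpose: a name resolved by one host does not legitimise another host's connection to that address, which is what the per-query check on the firewall enforces.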
Learn more about DNS features:
Use DNS queries to identify infected hosts on the network.
Enable passive DNS collection for better threat intelligence.
To work with DNS features and virtual systems, see these DNS use cases for virtual systems and learn how to configure a DNS proxy object and DNS server profiles for virtual systems.
Enable Passive DNS Collection for Improved Threat Intelligence

Passive DNS is an opt-in feature that enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities. The data collected includes non-recursive (i.e. originating from the local recursive resolver, not individual clients) DNS query and response packet payloads. Data submitted via the Passive DNS Monitoring feature consists solely of mappings of domain names to IP addresses. Palo Alto Networks retains no record of the source of this data and does not have the ability to associate it with the submitter at a future date.

The Palo Alto Networks threat research team uses this information to gain insight into malware propagation and evasion techniques that abuse the DNS system. Information gathered through this data collection is used to improve accuracy and malware detection abilities within PAN-DB URL filtering, DNS-based command-and-control signatures, and WildFire.

DNS responses are forwarded to Palo Alto Networks only when all of the following requirements are met:
The DNS response bit is set.
The DNS truncated bit is not set.
The DNS recursive bit is not set.
The DNS response code is 0 or 3 (NX).
The DNS question count is greater than 0.
The DNS Answer RR count is greater than 0, or, if it is 0, the response code is 3 (NX).
The DNS query record type is A, NS, CNAME, AAAA, or MX.
Passive DNS monitoring is disabled by default, but it is recommended that you enable it to facilitate enhanced threat intelligence. Use the following procedure to enable Passive DNS:

Enable Passive DNS

Step 2. Select an existing profile to modify it or configure a new profile.
The Anti-Spyware profile must be attached to a security policy that governs your DNS server's external DNS traffic.
Step 4. Click OK and then Commit.
Use DNS Queries to Identify Infected Hosts on the Network

The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to a DNS query for a known malicious domain or to a custom domain, so that you can identify hosts on your network that have been infected with malware. By default, DNS queries to any domain included in the Palo Alto Networks DNS signatures list are sinkholed to a Palo Alto Networks server IP address. The following topics provide details on how to enable DNS sinkholing for custom domains and how to identify infected hosts.
DNS Sinkholing
Configure DNS Sinkholing for a List of Custom Domains
Configure the Sinkhole IP Address to a Local Server on Your Network
Identify Infected Hosts

DNS Sinkholing

DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command and control, for example) will instead attempt to connect to a default Palo Alto Networks sinkhole IP address, or to a user-defined IP address as illustrated in Configure DNS Sinkholing for a List of Custom Domains. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.

If you want to enable DNS sinkholing for Palo Alto Networks DNS signatures, attach the default Anti-Spyware profile to a security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signatures will be resolved to the default Palo Alto Networks sinkhole IP address. The addresses currently are the IPv4 address 71.19.152.112 and the IPv6 loopback address ::1. These addresses are subject to change and can be updated with content updates.
Figure: DNS Sinkholing Example
Configure DNS Sinkholing for a List of Custom Domains

To enable DNS sinkholing for a custom list of domains, you must create an external dynamic list that includes the domains, enable the sinkhole action in an Anti-Spyware profile and attach the profile to a security policy rule. When a client attempts to access a malicious domain in the list, the firewall forges the destination IP address in the packet to the default Palo Alto Networks server or to a user-defined IP address for sinkholing.

For each custom domain included in the external dynamic list, the firewall generates DNS-based spyware signatures. The signature is named Custom Malicious DNS Query <domain name>, and is of type spyware with medium severity; each signature is a 24-byte hash of the domain name.

Each firewall platform supports a maximum of 50,000 domain names total in one or more External Dynamic Lists, but no maximum limit is enforced for any one list.
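Two of the mechanisms on this page act on the DNS wire format: the Passive DNS eligibility test (the seven requirements listed under Enable Passive DNS Collection for Improved Threat Intelligence) and the forged answer that sinkholing returns for a listed domain. The following is an added example, not code from the guide or from PAN-OS, that implements both over raw DNS messages with a small parser of its own. It reads the "recursive bit" in the criteria as the RD flag, forges only A and AAAA answers with a 60-second TTL, and also matches subdomains of a listed name; none of those three choices is stated by the guide. The sinkhole addresses and the domain track.bidtrk.com are the guide's example values; the query itself is constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

const TypeA, TypeNS, TypeCNAME, TypeMX, TypeAAAA uint16 = 1, 2, 5, 15, 28

func be16(v uint16) []byte { return []byte{byte(v >> 8), byte(v)} }

// question decodes the (possibly compressed) name and type of the first
// question and returns the offset just past the question section.
func question(msg []byte) (string, uint16, int, bool) {
	var labels []string
	off, end := 12, -1
	for hops := 0; hops < 64 && off < len(msg); hops++ { // hop cap defeats pointer loops
		l := int(msg[off])
		switch {
		case l == 0:
			if end < 0 {
				end = off + 1
			}
			if end+4 > len(msg) {
				return "", 0, 0, false
			}
			return strings.Join(labels, "."), binary.BigEndian.Uint16(msg[end:]), end + 4, true
		case l&0xC0 == 0xC0 && off+1 < len(msg): // compression pointer
			if end < 0 {
				end = off + 2
			}
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3FFF)
		case l&0xC0 == 0 && off+1+l <= len(msg):
			labels = append(labels, string(msg[off+1:off+1+l]))
			off += 1 + l
		default:
			return "", 0, 0, false
		}
	}
	return "", 0, 0, false
}

// PassiveDNSEligible applies the guide's forwarding criteria to a raw DNS
// message; the "recursive bit" is read as the RD flag (an assumption).
func PassiveDNSEligible(msg []byte) bool {
	_, qtype, _, ok := question(msg)
	if !ok {
		return false
	}
	be := binary.BigEndian
	flags, qd, an := be.Uint16(msg[2:]), be.Uint16(msg[4:]), be.Uint16(msg[6:])
	qr, tc, rd, rcode := flags&0x8000 != 0, flags&0x0200 != 0, flags&0x0100 != 0, flags&0x000F
	allowed := map[uint16]bool{TypeA: true, TypeNS: true, TypeCNAME: true, TypeAAAA: true, TypeMX: true}
	return qr && !tc && !rd && (rcode == 0 || rcode == 3) && qd > 0 && (an > 0 || rcode == 3) && allowed[qtype]
}

// onList matches a name against the listed domains; also matching their
// subdomains is this example's choice, not something the guide states.
func onList(name string, listed []string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	for _, d := range listed {
		d = strings.ToLower(strings.TrimSuffix(d, "."))
		if n == d || strings.HasSuffix(n, "."+d) {
			return true
		}
	}
	return false
}

// ForgeSinkhole builds the forged A/AAAA answer for a query on a listed
// domain, or returns nil when the query should pass through untouched.
func ForgeSinkhole(query []byte, listed []string, v4, v6 net.IP) []byte {
	name, qtype, end, ok := question(query)
	if !ok || binary.BigEndian.Uint16(query[2:])&0x8000 != 0 || !onList(name, listed) {
		return nil // malformed, already a response, or not a listed domain
	}
	rdata := v4.To4()
	if qtype == TypeAAAA {
		rdata = v6.To16()
	} else if qtype != TypeA {
		return nil
	}
	resp := append([]byte{}, query[:end]...)
	copy(resp[2:], be16(0x8080|binary.BigEndian.Uint16(query[2:])&0x0100)) // QR=1, RA=1, RD copied, RCODE=0
	copy(resp[6:], []byte{0, 1, 0, 0, 0, 0})                                  // ANCOUNT=1, NSCOUNT=ARCOUNT=0
	rr := append([]byte{0xC0, 0x0C}, be16(qtype)...)                          // owner name: pointer to the question
	rr = append(rr, 0, 1, 0, 0, 0, 60)                                        // class IN, TTL 60 s so the client re-asks
	rr = append(rr, be16(uint16(len(rdata)))...)
	return append(append(resp, rr...), rdata...)
}

// BuildQuery assembles a one-question message; used only to construct samples.
func BuildQuery(flags uint16, name string, qtype uint16) []byte {
	msg := append(append(be16(0x1234), be16(flags)...), 0, 1, 0, 0, 0, 0, 0, 0) // ID, flags, QDCOUNT=1
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(append(msg, byte(len(l))), l...)
	}
	return append(append(append(msg, 0), be16(qtype)...), 0, 1) // root label, QTYPE, class IN
}

func main() {
	v4, v6 := net.ParseIP("10.15.0.20"), net.ParseIP("fd97:3dec:4d27:e37c:5:5:5:5")
	resp := ForgeSinkhole(BuildQuery(0x0100, "track.bidtrk.com", TypeA), []string{"bidtrk.com"}, v4, v6)
	fmt.Printf("forged answer %v, passive DNS eligible: %v\n", net.IP(resp[len(resp)-4:]), PassiveDNSEligible(resp))
}
```

The forged answer keeps the client's RD flag, so a response forged for a client query is, correctly, not Passive DNS material (the criteria require RD clear, which only the resolver's own upstream lookups satisfy); a forged answer to an RD-clear query is.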
Configure DNS Sinkholing for a Custom List of Domains

Step 1. Enable DNS sinkholing for the custom list of domains in an external dynamic list.
2. Modify an existing profile, or select one of the existing default profiles and clone it.
3. Name the profile and select the DNS Signatures tab.
5. Configure access to the External Dynamic List.
a. Enter a descriptive Name for the list.
b. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
c. Populate the list with domain names. See Formatting Guidelines for an External Dynamic List.
d. Click Test Source URL to verify that the firewall can connect to the list on the web server.
If the web server is unreachable after the connection is established, the firewall or Panorama uses the last successfully retrieved list for enforcing policy until the connection is restored with the web server.
e. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the list is retrieved once every hour.
f. Click OK.
6. (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to capture between 1 and 50 packets. You can then use the packet captures for further analysis.
Step 2. Verify the sinkholing settings on the Anti-Spyware profile.
8. In the Sinkhole section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates. If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
9. Click OK to save the Anti-Spyware profile.

Step 3. Attach the Anti-Spyware profile to a Security policy rule.
3. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new profile.
4. Click OK to save the policy rule.

Step 4. Test that the policy action is enforced.
1. Access a domain in the external dynamic list.
2. To monitor the activity on the firewall:
a. Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
b. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on sinkholed domains.
Step 5. Verify whether entries in the external dynamic list are ignored or skipped.
In a list of type URL, the firewall skips entries that are not URLs as invalid and ignores entries that exceed the maximum limit for the platform.
Use the following CLI command on the firewall to review the details about the list:

request system external-list show type domain name <list_name>

For example:

request system external-list show type domain name My_List_of_Domains_2015
vsys1/EBLDomain:
  Next update at   : Thu May 21 10:15:39 2015
  Source           : https://1.2.3.4/My_List_of_Domains_2015
  Referenced       : Yes
  Valid            : Yes
  Number of entries: 3
  domains:
    www.example.com
    baddomain.com
    qqq.abcedfg.com

Step 6. (Optional) Retrieve the external dynamic list on demand.
To force the firewall to retrieve the updated list on demand instead of at the next refresh interval (the Repeat frequency you defined for the external dynamic list), use the following CLI command:

request system external-list refresh type domain name <list_name>
Configure the Sinkhole IP Address to a Local Server on Your Network

By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and the sinkhole IP address is set to access a Palo Alto Networks server. Use the instructions in this section if you want to set the sinkhole IP address to a local server on your network.

You must obtain both an IPv4 and an IPv6 address to use as the sinkhole IP addresses because malicious software may perform DNS queries using one or both of these protocols. The DNS sinkhole address must be in a different zone than the client hosts to ensure that when an infected host attempts to start a session with the sinkhole IP address, it will be routed through the firewall.

The sinkhole addresses must be reserved for this purpose and do not need to be assigned to a physical host. You can optionally use a honeypot server as a physical host to further analyze the malicious traffic.

The configuration steps that follow use the following example DNS sinkhole addresses:
IPv4 DNS sinkhole address: 10.15.0.20
IPv6 DNS sinkhole address: fd97:3dec:4d27:e37c:5:5:5:5
Configure Sinkholing to a Local Server on Your Network

Step 1. Configure the sinkhole interface and zone.
Traffic from the zone where the client hosts reside must route to the zone where the sinkhole IP address is defined, so traffic will be logged.
Use a dedicated zone for sinkhole traffic, because the infected host will be sending traffic to this zone.
2. In the Interface Type drop-down, select Layer3.
3. To add an IPv4 address, select the IPv4 tab, select Static, and then click Add. In this example, add 10.15.0.20 as the IPv4 DNS sinkhole address.
4. Select the IPv6 tab, click Static, then click Add and enter an IPv6 address and subnet mask. In this example, enter fd97:3dec:4d27:e37c::/64 as the IPv6 sinkhole address.
5. Click OK to save.
7. Enter a zone Name.
8. In the Type drop-down, select Layer3.
9. In the Interfaces section, click Add and add the interface you just configured.
10. Click OK.
Step 2. Enable DNS sinkholing.
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures. To change the sinkhole address to your local server, see step 8 in Configure DNS Sinkholing for a List of Custom Domains.

Step 3. Edit the security policy rule that allows traffic from client hosts in the trust zone to the untrust zone to include the sinkhole zone as a destination and attach the Anti-Spyware profile.
Editing the security rule(s) that allow traffic from client hosts in the trust zone to the untrust zone ensures that you are identifying traffic from infected hosts. By adding the sinkhole zone as a destination on the rule, you enable infected clients to send bogus DNS queries to the DNS sinkhole.
2. Select an existing rule that allows traffic from the client host zone to the untrust zone.
3. On the Destination tab, Add the Sinkhole zone. This allows client host traffic to flow to the sinkhole zone.
5. In the Profile Setting section, select the Anti-Spyware profile in which you enabled DNS sinkholing.
6. Click OK to save the security rule and then Commit.
Step 4. To confirm that you will be able to identify infected hosts, verify that traffic going from the client host in the Trust zone to the new Sinkhole zone is being logged.
In this example, the infected client host is 192.168.2.10 and the Sinkhole IPv4 address is 10.15.0.20.
1. From a client host in the trust zone, open a command prompt and run the following command:

C:\>ping <sinkhole address>

The following example output shows the ping request to the DNS sinkhole address at 10.15.0.20 and the result, which is Request timed out because in this example the sinkhole IP address is not assigned to a physical host:

C:\>ping 10.15.0.20
Pinging 10.15.0.20 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 10.15.0.20:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
Step 5. Test that DNS sinkholing is configured properly.
You are simulating the action that an infected client host would perform when a malicious application attempts to call home.
1. Find a malicious domain that is included in the firewall's current Antivirus signature database to test sinkholing.
a. Select Device > Dynamic Updates and in the Antivirus section click the Release Notes link for the currently installed antivirus database. You can also find the antivirus release notes that list the incremental signature updates under Dynamic Updates on the Palo Alto Networks support site.
b. In the second column of the release note, locate a line item with a domain extension (for example, .com, .edu, or .net). The left column will display the domain name. For example, Antivirus release 1117-1560 includes an item in the left column named "tbsbana" and the right column lists "net". The following shows the content in the release note for this line item:

conficker:tbsbana1 variants: net

2. From the client host, open a command prompt.
3. Perform an NSLOOKUP to a URL that you identified as a known malicious domain. For example, using the URL track.bidtrk.com:

C:\>nslookup track.bidtrk.com
Server:  my-local-dns.local
Address:  10.0.0.222

Non-authoritative answer:
Name:    track.bidtrk.com.org
Addresses:  fd97:3dec:4d27:e37c:5:5:5:5
          10.15.0.20

In the output, note that the NSLOOKUP to the malicious domain has been forged using the sinkhole IP addresses that we configured (10.15.0.20). Because the domain matched a malicious DNS signature, the sinkhole action was performed.
5. Perform a ping to track.bidtrk.com, which will generate network traffic to the sinkhole address.
Identify Infected Hosts

After you have configured DNS sinkholing and verified that traffic to a malicious domain goes to the sinkhole address, you should regularly monitor traffic to the sinkhole address, so that you can track down the infected hosts and eliminate the threat.

DNS Sinkhole Verification and Reporting

Use App Scope to identify infected client hosts.
2. Click the Show spyware button along the top of the display page.
3. Select a time range.
The following screenshot shows three instances of Suspicious DNS queries, which were generated when the test client host performed an NSLOOKUP on a known malicious domain. Click the graph to see more details about the event.

Configure a custom report to identify all client hosts that have sent traffic to the sinkhole IP address, which is 10.15.0.20 in this example. Forward to an SNMP manager, Syslog server and/or Panorama to enable alerts on these events.
In this example, the infected client host performed an NSLOOKUP to a known malicious domain that is listed in the Palo Alto Networks DNS Signature database. When this occurred, the query was sent to the local DNS server, which then forwarded the request through the firewall to an external DNS server. The firewall security policy with the Anti-Spyware profile configured matched the query to the DNS Signature database, which then forged the reply using the sinkhole address of 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5. The client attempts to start a session and the traffic log records the activity with the source host and the destination address, which is now directed to the forged sinkhole address.
Viewing the traffic log on the firewall allows you to identify any client host that is sending traffic to the sinkhole address. In this example, the logs show that the source address 192.168.2.10 sent the malicious DNS query. The host can then be found and cleaned. Without the DNS sinkhole option, the administrator would only see the local DNS server as the system that performed the query and would not see the client host that is infected. If you attempted to run a report on the threat log using the action Sinkhole, the log would show the local DNS server, not the infected host.
Click Run Now to run the report. The report will show all client hosts that have sent traffic to the sinkhole address, which indicates that they are most likely infected. You can now track down the hosts and check them for spyware.
To view scheduled reports that have run, select Monitor > Reports.
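The distinction drawn above, the threat log naming the resolver while the traffic log names the client, can be checked over log data. The following is an added example, not code from the guide or from PAN-OS: it reads a constructed threat log and traffic log in a simplified comma-separated form of the example's own (type, source, destination, action; not the firewall's real log syntax) and reports, first, the sources of sinkhole threat events and, second, every host whose sessions went to either sinkhole address. The addresses 10.0.0.222, 192.168.2.10 and the two sinkhole addresses are the guide's example values; the other hosts and the 203.0.113.0/24 destinations are constructed.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Constructed sample logs in a simplified "type,source,destination,action"
// form (not the firewall's real log syntax). 10.0.0.222 is the local DNS
// server and 192.168.2.10 the infected client from the guide's example.
const ThreatLog = `THREAT,10.0.0.222,203.0.113.53,sinkhole
THREAT,10.0.0.222,203.0.113.53,sinkhole
THREAT,10.0.0.222,203.0.113.53,alert`

const TrafficLog = `TRAFFIC,192.168.2.10,10.15.0.20,allow
TRAFFIC,192.168.2.10,fd97:3dec:4d27:e37c:5:5:5:5,allow
TRAFFIC,192.168.2.25,10.15.0.20,allow
TRAFFIC,192.168.2.30,203.0.113.80,allow
TRAFFIC,10.0.0.222,203.0.113.53,allow`

// rows splits a log into its comma-separated fields, dropping malformed lines.
func rows(log string) [][]string {
	var out [][]string
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		if f := strings.Split(line, ","); len(f) == 4 {
			out = append(out, f)
		}
	}
	return out
}

// ThreatLogSources lists the distinct sources of sinkhole events. With the
// firewall north of the resolver this is the resolver itself, which is why the
// threat log alone cannot name the infected host.
func ThreatLogSources(log string) []string {
	seen := map[string]bool{}
	for _, f := range rows(log) {
		if f[0] == "THREAT" && f[3] == "sinkhole" {
			seen[f[1]] = true
		}
	}
	var out []string
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// SinkholeContacts counts, per source host, the traffic-log sessions whose
// destination is a sinkhole address. Addresses are compared after parsing so
// abbreviated and expanded IPv6 forms match. Every host listed is a candidate
// infection to track down.
func SinkholeContacts(log string, sinkholes []string) map[string]int {
	var sinks []net.IP
	for _, s := range sinkholes {
		if ip := net.ParseIP(s); ip != nil {
			sinks = append(sinks, ip)
		}
	}
	hits := map[string]int{}
	for _, f := range rows(log) {
		dst := net.ParseIP(f[2])
		for _, s := range sinks {
			if f[0] == "TRAFFIC" && dst != nil && dst.Equal(s) {
				hits[f[1]]++
				break
			}
		}
	}
	return hits
}

func main() {
	sinks := []string{"10.15.0.20", "fd97:3dec:4d27:e37c:5:5:5:5"}
	fmt.Println("threat log (action eq sinkhole) sources:", ThreatLogSources(ThreatLog))
	fmt.Println("hosts that contacted the sinkhole:", SinkholeContacts(TrafficLog, sinks))
}
```

Filtering the traffic log on the sinkhole destination is exactly what the custom report in the procedure does; the threat-log filter (action eq sinkhole) is still useful, but only to confirm that sinkholing fired, not to attribute it to a host.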
Content Delivery Network Infrastructure for Dynamic Updates

Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. For enabling and scheduling the content updates, see Install Content and Software Updates.

The following table lists the web resources that the firewall accesses for a feature or application:

Resource: Application Database
URL: updates.paloaltonetworks.com:443
Static Addresses (if a static server is required): staticupdates.paloaltonetworks.com or the IP address 199.167.52.15

Resource: Threat/Antivirus Database
URL: updates.paloaltonetworks.com:443; downloads.paloaltonetworks.com:443
Static Addresses (if a static server is required): staticupdates.paloaltonetworks.com or the IP address 199.167.52.15
As a best practice, set the update server to updates.paloaltonetworks.com. This allows the Palo Alto Networks firewall to receive content updates from the server closest to it in the CDN infrastructure.

Resource: PAN-DB URL Filtering
URL: *.urlcloud.paloaltonetworks.com. Resolves to the primary URL s0000.urlcloud.paloaltonetworks.com and is then redirected to the regional server that is closest: s0100.urlcloud.paloaltonetworks.com, s0200.urlcloud.paloaltonetworks.com, s0300.urlcloud.paloaltonetworks.com, s0500.urlcloud.paloaltonetworks.com
Static Addresses (if a static server is required): Static IP addresses are not available. However, you can manually resolve a URL to an IP address and allow access to the regional server IP address.

Resource: BrightCloud URL Filtering
URL: database.brightcloud.com:443/80; service.brightcloud.com:80
Static Addresses (if a static server is required): Contact BrightCloud Customer Support.

Resource: WildFire
URL: beta.wildfire.paloaltonetworks.com:443/80; betas1.wildfire.paloaltonetworks.com:443/80 (beta sites are only accessed by a firewall running a Beta release version); mail.wildfire.paloaltonetworks.com:25; wildfire.paloaltonetworks.com:443/80
Static Addresses (if a static server is required): mail.wildfire.paloaltonetworks.com:25 or the IP address 54.241.16.83; wildfire.paloaltonetworks.com:443/80 or 54.241.8.199. The regional URL/IP addresses are as follows:
cas1.wildfire.paloaltonetworks.com:443 or 54.241.34.71
vas1.wildfire.paloaltonetworks.com:443 or 174.129.24.252
eus1.wildfire.paloaltonetworks.com:443 or 54.246.95.247
sgs1.wildfire.paloaltonetworks.com:443 or 54.251.33.241
jps1.wildfire.paloaltonetworks.com:443 or 54.238.53.161
portal3.wildfire.paloaltonetworks.com:443/80 or 54.241.8.199
cas3.wildfire.paloaltonetworks.com:443 or 54.241.34.71
vas3.wildfire.paloaltonetworks.com:443 or 23.21.208.35
eus3.wildfire.paloaltonetworks.com:443 or 54.246.95.247
sgs3.wildfire.paloaltonetworks.com:443 or 54.251.33.241
jps3.wildfire.paloaltonetworks.com:443 or 54.238.53.161
wildfire.paloaltonetworks.com.jp:443/80 or 180.37.183.53
wf1.wildfire.paloaltonetworks.jp:443 or 180.37.180.37
wf2.wildfire.paloaltonetworks.jp:443 or 180.37.181.18
portal3.wildfire.paloaltonetworks.jp:443/80 or 180.37.183.53
Threat Prevention Resources

For more information on Threat Prevention, refer to the following sources:
Creating Custom Threat Signatures
Threat Prevention Deployment
Understanding DoS Protection

To view a list of Threats and Applications that Palo Alto Networks products can identify, use the following links:
Applipedia: Provides details on the applications that Palo Alto Networks can identify.
Threat Vault: Lists threats that Palo Alto Networks products can identify. You can search by Vulnerability, Spyware, or Virus. Click the Details icon next to the ID number for more information about a threat.
Decryption

Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce security policies on encrypted traffic, where otherwise the encrypted traffic might not be blocked and shaped according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted traffic. Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring. See the following topics to learn about and configure decryption:
Decryption Overview
Decryption Concepts
Define Traffic to Decrypt
Configure SSL Forward Proxy
Configure SSL Inbound Inspection
Configure SSH Proxy
Configure Decryption Exceptions
Enable Users to Opt Out of SSL Decryption
Configure Decryption Port Mirroring
Temporarily Disable SSL Decryption
Decryption Overview

Secure Sockets Layer (SSL) and Secure Shell (SSH) are encryption protocols used to secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to entities other than the client and server with the keys to decode the data and the certificates to affirm trust between the devices. Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these protocols are being used for the intended purposes only, and not to conceal unwanted activity or malicious content.

Palo Alto Networks firewalls decrypt encrypted traffic by using keys to transform strings (passwords and shared secrets) from ciphertext to plaintext (decryption) and from plaintext back to ciphertext (re-encrypting traffic as it exits the firewall). Certificates are used to establish the firewall as a trusted third party and to create a secure connection. SSL decryption (both forward proxy and inbound inspection) requires certificates to establish trust between two entities in order to secure an SSL/TLS connection. Certificates can also be used when excluding servers from SSL decryption. You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for the private keys used in SSL forward proxy and SSL inbound inspection decryption. To learn more about storing and generating keys using an HSM and integrating an HSM with your firewall, see Secure Keys with a Hardware Security Module. SSH decryption does not require certificates.

Palo Alto Networks firewall decryption is policy-based, and can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Decryption policies allow you to specify traffic for decryption according to destination, source, or URL category, in order to block or restrict the specified traffic according to your security settings. The firewall uses certificates and keys to decrypt the traffic specified by the policy to plaintext, and then enforces App-ID and security settings on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire Submissions, and File Blocking profiles. After traffic is decrypted and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the firewall to ensure privacy and security. Use policy-based decryption on the firewall to:
Prevent malware concealed as encrypted traffic from being introduced into a corporate network.
Prevent sensitive corporate information from moving outside the corporate network.
Ensure the appropriate applications are running on a secure network.
Selectively decrypt traffic; for example, exclude traffic for financial or healthcare sites from decryption by configuring a decryption exception.

The three decryption policies offered on the firewall, SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy, provide methods to specifically target and inspect SSL outbound traffic, SSL inbound traffic, and SSH traffic, respectively. The decryption policies provide the settings for you to specify what traffic to decrypt, and you can attach a decryption profile to a policy rule to apply more granular security settings to decrypted traffic, such as checks for server certificates, unsupported modes, and failures. This policy-based decryption on the firewall gives you visibility into and control of SSL- and SSH-encrypted traffic according to configurable parameters.

You can also choose to extend a decryption configuration on the firewall to include Decryption Mirroring, which allows decrypted traffic to be forwarded as plaintext to a third-party solution for additional analysis and archiving.
Decryption Concepts

To learn about keys and certificates for decryption, decryption policies, and decryption port mirroring, see the following topics:
Keys and Certificates for Decryption Policies
SSL Forward Proxy
SSL Inbound Inspection
SSH Proxy
Decryption Exceptions
Decryption Mirroring

Keys and Certificates for Decryption Policies

Keys are strings of numbers that are typically generated using a mathematical operation involving random numbers and large primes. Keys are used to transform other strings such as passwords and shared secrets from plaintext to ciphertext (called encryption) and from ciphertext to plaintext (called decryption). Keys can be symmetric (the same key is used to encrypt and decrypt) or asymmetric (one key is used for encryption and a mathematically related key is used for decryption). Any system can generate a key.

X.509 certificates are used to establish trust between a client and a server in order to establish an SSL connection. A client attempting to authenticate a server (or a server authenticating a client) knows the structure of the X.509 certificate and therefore knows how to extract identifying information about the server from fields within the certificate, such as its FQDN or IP address (called a common name or CN within the certificate) or the name of the organization, department, or user to which the certificate was issued. All certificates must be issued by a certificate authority (CA). After the CA verifies a client or server, the CA issues the certificate and signs it with a private key.

With a decryption policy configured, a session between the client and the server is established only if the firewall trusts the CA that signed the server certificate. In order to establish trust, the firewall must have the server root CA certificate in its certificate trust list (CTL) and use the public key contained in that root CA certificate to verify the signature. The firewall then presents a copy of the server certificate signed by the Forward Trust certificate for the client to authenticate. You can also configure the firewall to use an enterprise CA as a forward trust certificate for SSL Forward Proxy. If the firewall does not have the server root CA certificate in its CTL, the firewall will present a copy of the server certificate signed by the Forward Untrust certificate to the client. The Forward Untrust certificate ensures that clients are prompted with a certificate warning when attempting to access sites hosted by a server with untrusted certificates.

For detailed information on certificates, see Certificate Management.

Table: Palo Alto Networks Firewall Keys and Certificates describes the different keys and certificates used by Palo Alto Networks firewalls for decryption. As a best practice, use different keys and certificates for each usage.
Table: Palo Alto Networks Firewall Keys and Certificates

Key/Certificate Usage: Forward Trust
Description: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall trusts. To configure a Forward Trust certificate on the firewall, see Step 2 in the Configure SSL Forward Proxy task. By default, the firewall determines the key size to use for the client certificate based on the key size of the destination server. However, you can also set a specific key size for the firewall to use. See Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the forward trust certificate on a Hardware Security Module (HSM); see Store Private Keys on an HSM.

Key/Certificate Usage: Forward Untrust
Description: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall does not trust. To configure a Forward Untrust certificate on the firewall, see Step 4 in the Configure SSL Forward Proxy task.

Key/Certificate Usage: SSL Exclude Certificate
Description: Certificates for servers that you want to exclude from SSL decryption. For example, if you have SSL decryption enabled, but have certain servers that you do not want included in SSL decryption, such as the web services for your HR systems, you would import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Exclude a Server from Decryption.

Key/Certificate Usage: SSL Inbound Inspection
Description: The certificate used to decrypt inbound SSL traffic for inspection and policy enforcement. For this application, you would import the server certificate for the servers for which you are performing SSL inbound inspection, or store them on an HSM (see Store Private Keys on an HSM).
SSLForwardProxy
UseanSSLForwardProxydecryptionpolicytodecryptandinspectSSL/TLStrafficfrominternalusersto
theweb.SSLForwardProxydecryptionpreventsmalwareconcealedasSSLencryptedtrafficfrombeing
introducedtoyourcorporatenetwork.
WithSSLForwardProxydecryption,thefirewallresidesbetweentheinternalclientandoutsideserver.The
firewallusescertificatestoestablishitselfasatrustedthirdpartytothesessionbetweentheclientandthe
server(Fordetailsoncertificates,seeKeysandCertificatesforDecryptionPolicies).Whentheclientinitiates
anSSLsessionwiththeserver,thefirewallinterceptstheclientSSLrequestandforwardstheSSLrequest
totheserver.Theserverreturnsacertificateintendedfortheclientthatisinterceptedbythefirewall.Ifthe
servercertificateissignedbyaCAthatthefirewalltrusts,thefirewallcreatesacopyoftheservercertificate
signsitwiththefirewallForwardTrustcertificateandsendsthecertificatetotheclient.Iftheserver
certificateissignedbyaCAthatthefirewalldoesnottrust,thefirewallcreatesacopyoftheserver
certificate,signsitwiththeForwardUntrustcertificateandsendsittotheclient.Inthiscase,theclientsees
ablockpagewarningthatthesitetheyreattemptingtoconnecttoisnottrustedandtheclientcanchoose
toproceedorterminatethesession.Whentheclientauthenticatesthecertificate,theSSLsessionis
establishedwiththefirewallfunctioningasatrustedforwardproxytothesitethattheclientisaccessing.
AsthefirewallcontinuestoreceiveSSLtrafficfromtheserverthatisdestinedfortheclient,itdecryptsthe
SSLtrafficintocleartexttrafficandappliesdecryptionandsecurityprofilestothetraffic.Thetrafficisthen
reencryptedonthefirewallandthefirewallforwardstheencryptedtraffictotheclient.
Figure:SSLForwardProxyshowsthisprocessindetail.
488 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
Decryption
DecryptionConcepts
Figure:SSLForwardProxy
SeeConfigureSSLForwardProxyfordetailsonconfiguringSSLForwardProxy.
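The trust decision described above, as an added example that is not part of the PAN-OS guide: this Go program builds in-memory CAs with the standard crypto/x509 package, re-signs an origin server's certificate with a forward trust or a forward untrust CA depending on whether the firewall's trust store validates it, and checks what a client that trusts only the forward trust certificate would accept. The CA names, hostnames and keys are constructed; myfwdtrust and myfwduntrust follow the certificate names used in the configuration procedure later on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns any error in this demo into a panic so the certificate flow stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// ca is a signing certificate plus its private key, built in memory for this example.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA, standing in for the enterprise CA and both forward CAs alike.
func newCA(name string) *ca {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &ca{cert: must(x509.ParseCertificate(der)), key: key}
}

// issue signs a server-auth leaf (identity fields from tmpl, public key pub) with the CA key.
func (c *ca) issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, c.cert, pub, c.key))
	return must(x509.ParseCertificate(der))
}

// originTemplate builds the identity fields of an origin server certificate for host.
func originTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
	}
}

// forwardProxyResign models the decision in the text: verify the origin certificate against the
// roots the firewall trusts, copy its identity fields, and sign the copy with the forward trust CA
// on success or the forward untrust CA on failure. The copy carries the proxy's own public key.
func forwardProxyResign(origin *x509.Certificate, roots *x509.CertPool, trust, untrust *ca,
	proxyKey *ecdsa.PrivateKey) (resigned *x509.Certificate, trusted bool) {
	_, err := origin.Verify(x509.VerifyOptions{Roots: roots})
	signer, trusted := untrust, err == nil
	if trusted {
		signer = trust
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: origin.Subject, DNSNames: origin.DNSNames,
		NotBefore: origin.NotBefore, NotAfter: origin.NotAfter,
	}
	return signer.issue(tmpl, &proxyKey.PublicKey), trusted
}

// clientAccepts: does a client that trusts only the forward trust certificate (Step 3) accept cert for host?
func clientAccepts(cert *x509.Certificate, trust *ca, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trust.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// demo issues one origin certificate from an enterprise CA the firewall trusts and one from an
// unknown CA (constructed hostnames) and reports the trust decision and client acceptance for each.
func demo() (goodTrusted, goodAccepted, badTrusted, badAccepted bool) {
	enterprise, unknown := newCA("Enterprise Root CA"), newCA("Unknown CA")
	fwdTrust, fwdUntrust := newCA("myfwdtrust"), newCA("myfwduntrust")
	roots := x509.NewCertPool()
	roots.AddCert(enterprise.cert) // the firewall trusts the enterprise CA only
	originKey, proxyKey := newKey(), newKey()
	good := enterprise.issue(originTemplate("intranet.example.test"), &originKey.PublicKey)
	bad := unknown.issue(originTemplate("shady.example.test"), &originKey.PublicKey)
	goodCopy, goodTrusted := forwardProxyResign(good, roots, fwdTrust, fwdUntrust, proxyKey)
	badCopy, badTrusted := forwardProxyResign(bad, roots, fwdTrust, fwdUntrust, proxyKey)
	return goodTrusted, clientAccepts(goodCopy, fwdTrust, "intranet.example.test"),
		badTrusted, clientAccepts(badCopy, fwdTrust, "shady.example.test")
}

func main() { fmt.Println(demo()) } // true true false false
```

The second origin is re-signed by the forward untrust CA, so a client that holds only the forward trust certificate rejects it, which is the certificate warning the text describes.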
SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server (any server you have the certificate for and can import it onto the firewall). For example, if an employee is remotely connected to a web server hosted on the company network and is attempting to add restricted internal documents to his Dropbox folder (which uses SSL for data transmission), SSL Inbound Inspection can be used to ensure that the sensitive data does not move outside the secure company network by blocking or restricting the session.
Configuring SSL Inbound Inspection includes importing the targeted server certificate and key onto the firewall. Because the targeted server certificate and key are imported on the firewall, the firewall is able to access the SSL session between the server and the client and decrypt and inspect traffic transparently, rather than functioning as a proxy. The firewall is able to apply security policies to the decrypted traffic, detecting malicious content and controlling applications running over this secure channel.
Figure: SSL Inbound Inspection shows this process in detail.

Figure: SSL Inbound Inspection
See Configure SSL Inbound Inspection for details on configuring SSL Inbound Inspection.
SSH Proxy
SSH Proxy provides the capability for the firewall to decrypt inbound and outbound SSH connections passing through the firewall, in order to ensure that SSH is not being used to tunnel unwanted applications and content. SSH decryption does not require any certificates, and the key used for SSH decryption is automatically generated when the firewall boots up. During the boot-up process, the firewall checks to see if there is an existing key. If not, a key is generated. This key is used for decrypting SSH sessions for all virtual systems configured on the firewall. The same key is also used for decrypting all SSHv2 sessions.
In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards the SSH request to the server. The firewall then intercepts the server response and forwards the response to the client, establishing an SSH tunnel between the firewall and the client and an SSH tunnel between the firewall and the server, with the firewall functioning as a proxy. As traffic flows between the client and the server, the firewall is able to distinguish whether the SSH traffic is being routed normally or if it is using SSH tunneling (port forwarding). Content and threat inspections are not performed on SSH tunnels; however, if SSH tunnels are identified by the firewall, the SSH tunneled traffic is blocked and restricted according to configured security policies.
Figure: SSH Proxy Decryption shows this process in detail.

Figure: SSH Proxy Decryption
See Configure SSH Proxy for details on configuring an SSH Proxy policy.
Decryption Exceptions
Applications that do not function properly when the firewall decrypts them are automatically excluded from SSL decryption. For a current list of applications the firewall excludes from SSL decryption by default, see List of Applications Excluded from SSL Decryption.
You can also Configure Decryption Exceptions to exclude applications, URL categories, and targeted server traffic from decryption:
- Exclude certain URL categories or applications that either do not work properly with decryption enabled or for any other reason, including for legal or privacy purposes. You can use a decryption policy to exclude traffic from decryption based on source, destination, URL category, service (port or protocol), and TCP port numbers. For example, with SSL decryption enabled, you can choose URL categories to exclude traffic that is categorized as financial- or health-related from decryption.
- Exclude server traffic from SSL decryption based on the Common Name (CN) in the server certificate. For example, if you have SSL decryption enabled but have certain servers for which you do not want to decrypt traffic, such as the web services for your HR systems, exclude those servers from decryption by importing the server certificate onto the firewall and modifying the certificate to be an SSL Exclude Certificate.
Decryption Mirroring
The decryption mirroring feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality. Decryption mirroring is available on PA-7000 Series, PA-5000 Series and PA-3000 Series platforms only and requires that a free license be installed to enable this feature.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries and user consent might be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
Figure: Decryption Port Mirroring shows the process for mirroring decrypted traffic and the section Configure Decryption Port Mirroring describes how to license and enable this feature.

Figure: Decryption Port Mirroring
Define Traffic to Decrypt
A decryption policy rule allows you to define traffic that you want the firewall to decrypt, or to define traffic that you want the firewall to exclude from decryption. You can attach a decryption profile rule to a decryption policy rule to more granularly control matching traffic.
- Create a Decryption Profile
- Create a Decryption Policy Rule

Create a Decryption Profile
A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
- Block sessions using unsupported protocols or cipher suites, or sessions that require client authentication.
- Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can't be retrieved during a configured timeout period.
- Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.
Configure a Decryption Profile Rule
Step 1
Step 2
Step 3  (Decryption Mirroring Only) To Configure Decryption Port Mirroring, enable an Ethernet Interface for the firewall to use to copy and forward decrypted traffic.
Decryption mirroring requires a decryption port mirror license.
Step 4  (Optional) Block and control SSL tunneled and/or inbound traffic undergoing SSL Forward Proxy decryption or SSL Inbound Inspection.
Select SSL Decryption:
- Select SSL Forward Proxy to configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
- Select SSL Inbound Inspection to configure settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
- Select SSL Protocol Settings to configure minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
Step 5
Step 6
Step 7  Add the decryption profile rule to a decryption policy rule. Traffic that the policy rule matches is enforced based on the additional profile rule settings.
1.
2.
3.
Step 8  Commit the configuration.
Create a Decryption Policy Rule
Create a decryption policy rule to define traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a decryption policy rule to define Decryption Exceptions.

Configure a Decryption Policy Rule
Step 1
Step 2  Give the policy rule a descriptive Name.
Step 3  Configure the decryption rule to match to traffic based on network and policy objects:
- Firewall security zones: Select Source and/or Destination and match to traffic based on the Source Zone and/or the Destination Zone.
- IP addresses, address objects, and/or address groups: Select Source and/or Destination to match to traffic based on Source Address and/or the Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
- Users: Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
- Ports and protocols: Select Service/URL Category to set the rule to match to traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match to applications only on the application default ports.
  The application-default setting is useful to Configure Decryption Exceptions. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
- URLs and URL categories: Select Service/URL Category and decrypt traffic based on:
  - An externally hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists).
  - Custom URL categories (see Objects > Custom Objects > URL Category).
  - Palo Alto Networks URL categories. This option is useful to Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial- or healthcare-related sites from decryption based on the Palo Alto Networks URL categories.
Step 4  Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption.
Select Options and set the policy rule Action:
- Decrypt matching traffic:
  1. Select Decrypt.
  2. Set the Type of decryption for the firewall to perform on matching traffic:
     - SSL Forward Proxy
     - SSH Proxy
     - SSL Inbound Inspection. If you want to enable SSL Inbound Inspection, also select the Certificate for the destination internal server for the inbound SSL traffic.
- Exclude matching traffic from decryption: Select No Decrypt.
Step 5  (Optional) Select a Decryption Profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile).
Step 6  Click OK to save the policy.

Next Steps...
Fully enable the firewall to decrypt traffic:
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Decryption Exceptions
Configure SSL Forward Proxy
To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall as a trusted third party to the session between the client and the server. The firewall can use self-signed certificates or certificates signed by an enterprise certificate authority (CA) as forward trust certificates to authenticate the SSL session with the client.
- (Recommended) Enterprise CA-signed Certificates: An enterprise CA can issue a signing certificate which the firewall can use to sign the certificates for sites requiring SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can then send a copy of the destination server certificate to the client signed by the enterprise CA.
- Self-signed Certificates: When a client connects to a server with a certificate that is signed by a CA that the firewall trusts, the firewall can sign a copy of the server certificate to present to the client and establish the SSL session. You can use self-signed certificates for SSL Forward Proxy decryption if your organization does not have an enterprise CA or if you intend to only perform decryption for a limited number of clients.
Additionally, set up a forward untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.
After setting up the forward trust and forward untrust certificates required for SSL Forward Proxy decryption, add a decryption policy rule to define the traffic you want the firewall to decrypt. SSL tunneled traffic matched to the decryption policy rule is decrypted to clear text traffic. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and the firewall security policy. Traffic is re-encrypted as it exits the firewall.

Configure SSL Forward Proxy
Step 1  Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
Step 2  Configure the forward trust certificate for the firewall to present to clients when the server certificate is signed by a trusted CA:
- (Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
- Use a self-signed certificate as the forward trust certificate.

(Recommended) Use an enterprise CA-signed certificate as the forward trust certificate:
1. Generate a Certificate Signing Request (CSR) for the enterprise CA to sign and validate:
   a. Select Device > Certificate Management > Certificates and click Generate.
   b. Enter a Certificate Name, such as myfwdproxy.
   c. In the Signed By drop-down, select External Authority (CSR).
   d. (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall details, such as Country or Department.
   e. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
2. Export the CSR:
   a. Select the pending certificate displayed on the Device Certificates tab.
   b. Click Export to download and save the certificate file. Leave Export private key unselected in order to ensure that the private key remains securely on the firewall.
   c. Click OK.
3. Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate from your enterprise CA, save the enterprise CA-signed certificate for import onto the firewall.
4. Import the enterprise CA-signed certificate onto the firewall:
   a. Select Device > Certificate Management > Certificates and click Import.
   b. Enter the pending Certificate Name exactly (in this case, myfwdtrust). The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated.
   c. Select the signed Certificate File that you received from your enterprise CA.
   d. Click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
5. Select the validated certificate, in this case, myfwdproxy, to enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption.
6. Click OK to save the enterprise CA-signed forward trust certificate.
Use a self-signed certificate as the forward trust certificate:
1. Generate a new certificate:
   a. Select Device > Certificate Management > Certificates.
   b. Click Generate at the bottom of the window.
   c. Enter a Certificate Name, such as myfwdtrust.
   d. Enter a Common Name, such as 192.168.2.1. This should be the IP or FQDN that will appear in the certificate. In this case, we are using the IP of the trust interface. Avoid using spaces in this field.
   e. Leave the Signed By field blank.
   f. Click the Certificate Authority check box to enable the firewall to issue the certificate. Selecting this check box creates a certificate authority (CA) on the firewall that is imported to the client browsers, so clients trust the firewall as a CA.
   g. Generate the certificate.
2. Click the new certificate myfwdtrust to modify it and enable the certificate to be a Forward Trust Certificate.
3. Click OK to save the self-signed forward trust certificate.

Step 3  Distribute the forward trust certificate to client system certificate stores.
If you do not install the forward trust certificate on client systems, users will see certificate warnings for each SSL site they visit.
If you are using an enterprise CA-signed certificate as the forward trust certificate for SSL Forward Proxy decryption, and the client systems already have the enterprise CA added to the local trusted root CA list, you can skip this step.
On a firewall configured as a GlobalProtect portal:
This option is supported with Windows and Mac client OS versions, and requires GlobalProtect agent 3.0.0 or later to be installed on the client systems.
1.
2. Select Agent and then select an existing agent configuration or Add a new one.
3. Add the SSL Forward Proxy forward trust certificate to the Trusted Root CA section.
4.
5. Click OK twice.
Without GlobalProtect:
Export the forward trust certificate for import into client systems by highlighting the certificate and clicking Export at the bottom of the window. Choose PEM format, and do not select the Export private key option. Import it into the browser trusted root CA list on the client systems in order for the clients to trust it. When importing to the client browser, ensure the certificate is added to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment, such as an Active Directory Group Policy Object (GPO).
Step 4  Configure the forward untrust certificate.
1. Click Generate at the bottom of the certificates page.
2. Enter a Certificate Name, such as myfwduntrust.
3. Set the Common Name, for example 192.168.2.1. Leave Signed By blank.
4. Click the Certificate Authority check box to enable the firewall to issue the certificate.
5. Click Generate to generate the certificate.
6. Click OK to save.
7. Click the new mysslfwuntrust certificate to modify it and enable the Forward Untrust Certificate option.
   Do not export the forward untrust certificate for import into client systems. If the forward trust certificate is imported on client systems, the users will not see certificate warnings for SSL sites with untrusted certificates.
8. Click OK to save.
Step 5  (Optional) Set the key size of the SSL Forward Proxy certificates that the firewall presents to clients. By default, the firewall determines the key size to use based on the key size of the destination server certificate.
Configure the Key Size for SSL Forward Proxy Server Certificates.
Step 6  Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1.
2. Select Options and:
   - Set the rule Action to Decrypt matching traffic.
   - Set the rule Type to SSL Forward Proxy.
   - (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to perform certificate checks and enforce strong cipher suites and protocol versions).
3. Click OK to save.
Step 7  (Optional) Allow the firewall to forward decrypted traffic for WildFire analysis.
This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
On a single firewall:
1.
2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
3. Click OK.
On a firewall with virtual systems configured:
1.
2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
3. Click OK.
Step 8  Commit the configuration.

Next Steps...
- Enable Users to Opt Out of SSL Decryption.
- Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you have the server certificate). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to clear text traffic and inspected. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and any configured Antivirus, Vulnerability, Anti-Spyware, URL Filtering and File Blocking profiles. You can also enable the firewall to forward decrypted, unknown files for WildFire analysis and signature generation. Traffic is re-encrypted as it exits the firewall.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall and creating an SSL Inbound Inspection decryption policy.

Configure SSL Inbound Inspection
Step 1  Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
Step 2  Ensure that the targeted server certificate is installed on the firewall.
1. On the Device Certificates tab, select Import.
2.
3. Browse for and select the targeted server Certificate File.
4. Click OK.
Step 3  Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1.
2. Select Options and:
   - Set the rule Action to Decrypt matching traffic.
   - Set the rule Type to SSL Inbound Inspection.
   - Select the Certificate for the internal server that is the destination of the inbound SSL traffic.
   - (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
3. Click OK to save.
Step 4  (Optional) Allow the firewall to forward decrypted traffic for WildFire analysis.
This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
On a single firewall:
1.
2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
3. Click OK.
On a firewall with virtual systems configured:
1.
2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
3. Click OK.
Step 5  Commit the configuration.

Next Steps...
- Enable Users to Opt Out of SSL Decryption.
- Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure SSH Proxy
Configuring SSH Proxy does not require certificates, and the key used to decrypt SSH sessions is generated automatically on the firewall during boot-up.
With SSH decryption enabled, all SSH traffic identified by the policy is decrypted and identified as either regular SSH traffic or as SSH tunneled traffic. SSH tunneled traffic is blocked and restricted according to the profiles configured on the firewall. Traffic is re-encrypted as it exits the firewall.

Configure SSH Proxy Decryption
Step 1  Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.
Step 2  Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1.
2. Select Options and:
   - Set the rule Action to Decrypt matching traffic.
   - Set the rule Type to SSH Proxy.
   - (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
3. Click OK to save.
Step 3  (Optional) Allow the firewall to forward decrypted traffic for WildFire analysis.
This option requires an active WildFire license. Get started with WildFire to decide what WildFire deployment works for you and to enable file forwarding and signature protection.
On a single firewall:
1.
2. Edit the URL Filtering options to Allow Forwarding of Decrypted Content.
3. Click OK.
On a firewall with virtual systems configured:
1.
2. Click the virtual system you want to modify, and select Allow Forwarding of Decrypted Content.
3. Click OK.
Step 4  Commit the configuration.

Next Step...
Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure Decryption Exceptions
You can purposefully exclude traffic from decryption based on source, destination, URL category, and service (ports and protocols). You can also exclude a specific server from decryption. See the following topics to configure Decryption Exceptions:
- Exclude Traffic from Decryption
- Exclude a Server from Decryption

Exclude Traffic from Decryption
To exclude traffic from decryption, create a decryption policy rule and set the policy action to No Decrypt. Exclude traffic from decryption based on application, source, destination, URL category, and service (ports and protocols). Because policy rules are compared against incoming traffic in sequence, make sure that a decryption exclusion rule is listed first in your decryption policy.
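The ordering rule above, as an added example that is not from the PAN-OS guide: this Go program models a decryption rulebase with first-match evaluation and adds a shadowing check that flags a No Decrypt rule listed below a Decrypt rule that already matches everything it would match. The rule fields are a simplification of the real policy object; the DecryptAll rule, the zone names and the session are constructed, and NoDecryptFinanceHealth with its two URL categories follows the example used in the procedure below.

```go
package main

import "fmt"

// Rule is a simplified decryption policy rule: empty match sets mean "any"; Decrypt false is No Decrypt.
type Rule struct {
	Name          string
	SourceZones   []string
	DestZones     []string
	URLCategories []string
	Decrypt       bool
}

// Session holds the attributes of one SSL session that these simplified rules match on.
type Session struct{ SourceZone, DestZone, URLCategory string }

// matches reports whether set matches v; an empty set matches anything.
func matches(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return len(set) == 0
}

// Matches reports whether every criterion of the rule matches the session.
func (r Rule) Matches(s Session) bool {
	return matches(r.SourceZones, s.SourceZone) && matches(r.DestZones, s.DestZone) &&
		matches(r.URLCategories, s.URLCategory)
}

// Lookup returns the first matching rule, as the firewall compares rules against traffic in sequence.
func Lookup(rules []Rule, s Session) (hit Rule, ok bool) {
	for _, r := range rules {
		if r.Matches(s) {
			return r, true
		}
	}
	return Rule{}, false
}

// covers reports whether every session that later could match would already match earlier:
// for each criterion, earlier must be "any" or a superset of later's (non-empty) set.
func covers(earlier, later Rule) bool {
	pairs := [][2][]string{{earlier.SourceZones, later.SourceZones},
		{earlier.DestZones, later.DestZones}, {earlier.URLCategories, later.URLCategories}}
	for _, p := range pairs {
		e, l := p[0], p[1]
		if len(e) == 0 {
			continue
		}
		if len(l) == 0 {
			return false
		}
		for _, v := range l {
			if !matches(e, v) {
				return false
			}
		}
	}
	return true
}

// ShadowedExclusions returns the names of No Decrypt rules that can never take effect because a
// Decrypt rule above them already matches everything they match (why an exclusion rule goes first).
func ShadowedExclusions(rules []Rule) []string {
	var shadowed []string
	for i, r := range rules {
		if r.Decrypt {
			continue
		}
		for _, e := range rules[:i] {
			if e.Decrypt && covers(e, r) {
				shadowed = append(shadowed, r.Name)
				break
			}
		}
	}
	return shadowed
}

// Constructed rulebase entries: a catch-all Decrypt rule, the page's NoDecryptFinanceHealth
// rule, and a banking session that the exclusion is meant to protect.
var (
	decryptAll         = Rule{Name: "DecryptAll", Decrypt: true}
	noDecryptFinHealth = Rule{Name: "NoDecryptFinanceHealth",
		URLCategories: []string{"financial-services", "health-and-medicine"}}
	bankSession = Session{SourceZone: "trust", DestZone: "untrust", URLCategory: "financial-services"}
)

// Evaluate reports whether s is decrypted under the given rule order and which exclusions are shadowed.
func Evaluate(rules []Rule, s Session) (decrypted bool, shadowed []string) {
	hit, _ := Lookup(rules, s)
	return hit.Decrypt, ShadowedExclusions(rules)
}

func main() {
	fmt.Println(Evaluate([]Rule{decryptAll, noDecryptFinHealth}, bankSession)) // true [NoDecryptFinanceHealth]
	fmt.Println(Evaluate([]Rule{noDecryptFinHealth, decryptAll}, bankSession)) // false []
}
```

With the exclusion listed second, the banking session is still decrypted and the lint names the shadowed rule; moving the exclusion above the catch-all rule is what makes it effective.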
Exclude Traffic from a Decryption Policy
Step 1
Step 2  Exclude traffic from decryption based on match criteria.
This example shows how to exclude traffic categorized as financial- or health-related from SSL Forward Proxy decryption.
1.
2. Define the traffic that you want to exclude from decryption. In this example:
   a. Give the rule a descriptive Name, such as NoDecryptFinanceHealth.
   b. Set the Source and Destination to Any to apply the NoDecryptFinanceHealth rule to all SSL traffic destined for an external server.
   c. Select URL Category and Add the URL categories financial-services and health-and-medicine.
3. Select Options and set the rule to No Decrypt.
4. (Optional) You can still use a decryption profile to validate certificates for sessions the firewall does not decrypt. Attach a decryption profile to the rule that is set to Block sessions with expired certificates and/or Block sessions with untrusted issuers.
5. Click OK to save the NoDecryptFinanceHealth decryption rule.
Step 3  Commit the configuration.

Exclude a Server from Decryption
You can exclude server traffic from SSL decryption based on the common name (CN) in the server certificate. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems.

Exclude a Server from Decryption
Step 1  Import the targeted server certificate onto the firewall:
1. On the Device > Certificate Management > Certificates > Device Certificates tab, select Import.
2. Enter a descriptive Certificate Name.
3. Browse for and select the targeted server Certificate File.
4. Click OK.
Step 2
Enable Users to Opt Out of SSL Decryption
In some cases, you might need to alert your users to the fact that the firewall is decrypting certain web traffic and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a user attempts to browse to an HTTPS site or application that matches your decryption policy, the firewall displays a response page notifying the user that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that users try to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the users attempt to access an HTTPS site.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images.

Enable Users to Opt Out of SSL Decryption
Step 1  (Optional) Customize the SSL Decryption Opt-out Page.
1.
2.
3. Select the Predefined page and click Export.
4. Using the HTML text editor of your choice, edit the page.
5. If you want to add an image, host the image on a web server that is accessible from your end user systems.
6. Add a line to the HTML to point to the image. For example:
   <img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
7. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
8.
9.
10. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
11. (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
12. Click OK to import the file.
13. Select the response page you just imported and click Close.
Step 2  Enable SSL Decryption Opt Out.
1.
2.
3. Commit the changes.
Step 3  Verify that the Opt Out page displays when you attempt to browse to a site.
From a browser, go to an encrypted site that matches your decryption policy.
Verify that the SSL Decryption Opt-out response page displays.
Configure Decryption Port Mirroring
Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.

Configure Decryption Port Mirroring
Step 1  Request a license for each firewall on which you want to enable decryption port mirroring.
1. Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.
2. Select the entry for the firewall you want to license and select Actions.
3.
4. If you are clear about the potential legal implications and requirements, click I understand and wish to proceed.
5. Click Activate.
Step 2  Install the Decryption Port Mirror license on the firewall.
1.
2.
3. Verify that the license has been activated on the firewall.
4.
Step 3  Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.
On a firewall with a single virtual system:
1. Select Device > Setup > Content-ID.
2. Select the Allow forwarding of decrypted content check box.
3. Click OK to save.
On a firewall with multiple virtual systems:
1.
2. Select a Virtual System to edit or create a new Virtual System by selecting Add.
3.
4. Click OK to save.
Step 4  Enable an Ethernet interface to be used for decryption mirroring.
1.
2.
3.
4. Click OK to save.
Step 5  Enable mirroring of decrypted traffic.
1.
2. Select an Interface to be used for Decryption Mirroring. The Interface drop-down contains all Ethernet interfaces that have been defined as the type: Decrypt Mirror.
3. Specify whether to mirror decrypted traffic before or after policy enforcement.
   By default, the firewall will mirror all decrypted traffic to the interface before security policies lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action. If you want to only mirror decrypted traffic after security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
4. Click OK to save the decryption profile.
Step 6  Attach the decryption profile rule (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
1.
2. Click Add to configure a decryption policy or select an existing decryption policy to edit.
3. In the Options tab, select Decrypt and the Decryption Profile created in Step 4.
4. Click OK to save the policy.
Step 7  Save the configuration.
Click Commit.
TemporarilyDisableSSLDecryption
In some cases you may want to temporarily disable SSL decryption. For example, if your users are having problems accessing an encrypted site or application, you may want to disable SSL decryption in order to troubleshoot the issue. Although you could disable the associated decryption policies, modifying the policies is a configuration change that requires a Commit. Instead, use the following command to temporarily disable SSL decryption and then re-enable it after you finish troubleshooting. This command does not require a commit and it does not persist in your configuration after a reboot.

Temporarily Disable SSL Decryption
Disable SSL Decryption
Re-enable SSL Decryption
URL Filtering
The Palo Alto Networks URL filtering solution allows you to monitor and control how users access the web over HTTP and HTTPS.
URL Filtering Overview
URL Filtering Concepts
PAN-DB Categorization
Enable a URL Filtering Vendor
Determine URL Filtering Policy Requirements
Use an External Dynamic List in a URL Filtering Profile
Monitor Web Activity
Configure URL Filtering
Customize the URL Filtering Response Pages
Configure URL Admin Override
Enable Safe Search Enforcement
Set Up the PAN-DB Private Cloud
URL Filtering Use Case Examples
Troubleshoot URL Filtering
URL Filtering Overview
The Palo Alto Networks URL filtering solution complements App-ID by enabling you to configure the firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect your network from attack. With URL Filtering enabled, all web traffic is compared against the URL filtering database, which contains a listing of millions of websites that have been categorized into approximately 60-80 categories. You can use these URL categories as match criteria in policies (Captive Portal, Decryption, Security, and QoS) or attach them as URL filtering profiles in security policy, to safely enable web access and control the traffic that traverses your network.

Although the Palo Alto Networks URL filtering solution supports both BrightCloud and PAN-DB, only the PAN-DB URL filtering solution allows you to choose between the PAN-DB Public Cloud and the PAN-DB Private Cloud. Use the public cloud solution if the Palo Alto Networks next-generation firewalls on your network can directly access the Internet. If the network security requirements in your enterprise prohibit the firewalls from directly accessing the Internet, you can deploy a PAN-DB private cloud on one or more M-500 appliances that function as PAN-DB servers within your network.

URL Filtering Vendors
Interaction Between App-ID and URL Categories
PAN-DB Private Cloud

URL Filtering Vendors
Palo Alto Networks firewalls support two URL filtering vendors:
- PAN-DB: A Palo Alto Networks developed URL filtering database that is tightly integrated into PAN-OS and the Palo Alto Networks threat intelligence cloud. PAN-DB provides high-performance local caching for maximum inline performance on URL lookups, and offers coverage against malicious URLs and IP addresses. As WildFire, which is a part of the Palo Alto Networks threat intelligence cloud, identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs), the PAN-DB database is updated with information on malicious URLs so that you can block malware downloads and disable Command and Control (C&C) communications to protect your network from cyber threats.
  To view a list of PAN-DB URL filtering categories, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
- BrightCloud: A third-party URL database that is owned by Webroot, Inc. and is integrated into PAN-OS firewalls. For information on the BrightCloud URL database, visit http://brightcloud.com.
For instructions on configuring the firewall to use one of the supported URL Filtering vendors, see Enable a URL Filtering Vendor.
Interaction Between App-ID and URL Categories
The Palo Alto Networks URL filtering solution in combination with App-ID provides unprecedented protection against a full spectrum of cyber attacks, legal, regulatory, productivity, and resource utilization risks. While App-ID gives you control over what applications users can access, URL filtering provides control over related web activity. When combined with User-ID, you can enforce controls based on users and groups.

With today's application landscape and the way many applications use HTTP and HTTPS, you will need to use App-ID, URL filtering, or both in order to define comprehensive web access policies. App-ID signatures are granular and they allow you to identify shifts from one web-based application to another; URL filtering allows you to enforce actions based on a specific website or URL category. For example, while you can use URL filtering to control access to Facebook and/or LinkedIn, URL filtering cannot block the use of related applications such as email, chat, or any other new applications that are introduced after you implement policy. When combined with App-ID, you can control the use of related applications because the granular application signatures can identify each application and, for example, regulate access to Facebook while blocking access to Facebook chat, when defined in policy.

You can also use URL categories as match criteria in policies. Instead of creating policies limited to either allow-all or block-all behavior, URL as a match criterion permits exception-based behavior and gives you more granular policy enforcement capabilities. For example, deny access to malware and hacking sites for all users, but allow access to users that belong to the IT security group.

For some examples, see URL Filtering Use Case Examples.

PAN-DB Private Cloud
The PAN-DB private cloud is an on-premise solution that is suitable for organizations that prohibit or restrict the use of the PAN-DB public cloud service. With this on-premise solution, you can deploy one or more M-500 appliances as PAN-DB servers within your network or data center. The firewalls query the PAN-DB private cloud to perform URL lookups, instead of accessing the PAN-DB public cloud.

The process for performing URL lookups, in both the private and the public cloud, is the same for the firewalls on the network. By default, the firewall is configured to access the public PAN-DB cloud. If you deploy a PAN-DB private cloud, you must configure the firewalls with a list of IP addresses or FQDNs to access the server(s) in the private cloud.

Firewalls running PAN-OS 5.0 or later versions can communicate with the PAN-DB private cloud.

When you Set Up the PAN-DB Private Cloud, you can either configure the M-500 appliance(s) to have direct Internet access or keep it completely offline. Because the M-500 appliance requires database and content updates to perform URL lookups, if the appliance does not have an active Internet connection, you must manually download the updates to a server on your network and then import the updates using SCP into each M-500 appliance in the PAN-DB private cloud. In addition, the appliances must be able to obtain the seed database and any other regular or critical content updates for the firewalls that it services.

To authenticate the firewalls that connect to the PAN-DB private cloud, a set of default server certificates is packaged with the appliance; you cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls.
M-500 Appliance for PAN-DB Private Cloud
Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

M-500 Appliance for PAN-DB Private Cloud
To deploy a PAN-DB private cloud, you need one or more M-500 appliances. The M-500 appliance ships in Panorama mode, and to be deployed as a PAN-DB private cloud you must set it up to operate in PAN-URL-DB mode. In PAN-URL-DB mode, the appliance provides URL categorization services for enterprises that do not want to use the PAN-DB public cloud.

The M-500 appliance, when deployed as a PAN-DB private cloud, uses two ports, MGT (Eth0) and Eth1; Eth2 is not available for use. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud or from a server on your network. For communication between the PAN-DB private cloud and the firewalls on the network, you can use the MGT port or Eth1.

The M-100 appliance cannot be deployed as a PAN-DB private cloud.

The M-500 appliance in PAN-URL-DB mode:
- Does not have a web interface; it only supports a command line interface (CLI).
- Cannot be managed by Panorama.
- Cannot be deployed in a high availability pair.
- Does not require a URL Filtering license. The firewalls must have a valid PAN-DB URL Filtering license to connect with and query the PAN-DB private cloud.
- Ships with a set of default server certificates that are used to authenticate the firewalls that connect to the PAN-DB private cloud. You cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls that it services.
- Can be reset to Panorama mode only. If you want to deploy the appliance as a dedicated Log Collector, switch to Panorama mode and then set it in log collector mode.
Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

Content and Database Updates
  PAN-DB Public Cloud: Content (regular and critical) updates and full database updates are published multiple times during the day. The firewall checks for critical updates whenever it queries the cloud servers for URL lookups.
  PAN-DB Private Cloud: Content updates and full URL database updates are available once a day during the work week.

URL Categorization Requests
  PAN-DB Public Cloud: Submit URL categorization change requests using the following options: the Palo Alto Networks Test A Site website; the URL filtering profile setup page on the firewall; the URL filtering log on the firewall.
  PAN-DB Private Cloud: Submit URL categorization change requests only using the Palo Alto Networks Test A Site website.

Unresolved URL Queries
  PAN-DB Public Cloud: If the firewall cannot resolve a URL query, the request is sent to the servers in the public cloud.
  PAN-DB Private Cloud: If the firewall cannot resolve a query, the request is sent to the M-500 appliance(s) in the PAN-DB private cloud. If there is no match for the URL, the PAN-DB private cloud sends a category unknown response to the firewall; the request is not sent to the public cloud unless you have configured the M-500 appliance to access the PAN-DB public cloud. If the M-500 appliance(s) that constitute your PAN-DB private cloud is configured to be completely offline, it does not send any data or analytics to the public cloud.
URL Filtering Concepts
URL Categories
URL Filtering Profile
URL Filtering Profile Actions
Block and Allow Lists
External Dynamic List for URLs
Safe Search Enforcement
Container Pages
HTTP Header Logging
URL Filtering Response Pages
URL Category as Policy Match Criteria

URL Categories
Each website defined in the URL filtering database is assigned one of approximately 60 different URL categories. There are two ways to make use of URL categorization on the firewall:
- Block or allow traffic based on URL category: You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy would then be subject to the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more information.
- Match traffic based on URL category for policy enforcement: If you want a specific policy rule to apply only to web traffic to sites in a specific category, you would add the category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more information.
Grouping websites into categories makes it easy to define actions based on certain types of websites. In addition to the standard URL categories, there are three additional categories:
Category: not-resolved
Description: Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL; if no match is found, it checks the management plane cache, and if no match is found there, it queries the URL database in the cloud. In the case of the PAN-DB private cloud, the URL database in the cloud is not used for queries.
Setting the action to block for traffic that is categorized as not-resolved may be very disruptive to users. You could set the action to continue, so that you can notify users that they are accessing a site that is blocked by company policy and provide the option to read the disclaimer and continue to the website.
For more information on troubleshooting lookup issues, see Troubleshoot URL Filtering.

Category: private-ip-addresses
Description: Indicates that the website is a single domain (no subdomains), the IP address is in the private IP range, or the URL root domain is unknown to the cloud.

Category: unknown
Description: The website has not yet been categorized, so it does not exist in the URL filtering database on the firewall or in the URL cloud database.
When deciding on what action to take for traffic categorized as unknown, be aware that setting the action to block may be very disruptive to users because there could be a lot of valid sites that are not in the URL database yet. If you do want a very strict policy, you could block this category, so websites that do not exist in the URL database cannot be accessed.
Palo Alto Networks collects the list of URLs from the unknown category and processes them to determine the URL category. These URLs are processed automatically, every day, provided the website has machine-readable content that is in a supported format and language. Upon categorization, the updated category information is made available to all PAN-DB customers.
See Configure URL Filtering.
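The lookup order described for the not-resolved category (dataplane cache, then management plane cache, then the cloud database) and the difference between not-resolved, unknown and private-ip-addresses can be modelled in a few lines. The following Python is an added example and not PAN-OS code: the two caches, the CloudUnreachable stub and the CONSTRUCTED_CLOUD_DB contents are constructed for the example, and testing a bare IP host against the private ranges is this example's simplification of the private-ip-addresses rule.

```python
"""Model of the URL category lookup order: dataplane cache, then
management-plane cache, then the cloud database, with the not-resolved /
unknown / private-ip-addresses outcomes.  Added example, not PAN-OS code;
caches and the cloud database are constructed in memory."""
import ipaddress
from typing import Callable, Dict, Optional

NOT_RESOLVED = "not-resolved"          # no local hit and the cloud could not be reached
UNKNOWN = "unknown"                    # cloud reachable but the URL is not categorized yet
PRIVATE_IP = "private-ip-addresses"    # host is an address in a private range (simplified)


class CloudUnreachable(Exception):
    """Raised by the cloud stub when the firewall cannot reach the cloud."""


def host_of(url: str) -> str:
    """Strip any scheme and path; the lookup key in this model is the host name."""
    for scheme in ("http://", "https://"):
        if url.lower().startswith(scheme):
            url = url[len(scheme):]
    return url.split("/", 1)[0].lower()


class CategoryLookup:
    def __init__(self, cloud: Callable[[str], Optional[str]]) -> None:
        self.dataplane: Dict[str, str] = {}   # fastest tier, checked first
        self.mgmt: Dict[str, str] = {}        # management-plane cache, checked second
        self.cloud = cloud                    # slowest tier: the (public or private) cloud database
        self.cloud_queries = 0                # lets a caller see which tier answered

    def lookup(self, url: str) -> str:
        host = host_of(url)
        try:
            if ipaddress.ip_address(host).is_private:
                return PRIVATE_IP
        except ValueError:
            pass                              # not a bare IP address: fall through to the caches
        if host in self.dataplane:
            return self.dataplane[host]
        if host in self.mgmt:
            self.dataplane[host] = self.mgmt[host]
            return self.mgmt[host]
        self.cloud_queries += 1
        try:
            category = self.cloud(host)
        except CloudUnreachable:
            return NOT_RESOLVED               # outage, not a verdict: nothing is cached
        if category is None:
            return UNKNOWN                    # no category yet, so nothing to store locally
        # A cloud answer is added to the local caches, so the local database
        # grows with the sites your users actually visit.
        self.mgmt[host] = category
        self.dataplane[host] = category
        return category


# Constructed cloud database for the example (not real PAN-DB data).
CONSTRUCTED_CLOUD_DB = {
    "www.example.com": "computer-and-internet-info",
    "games.example.net": "games",
}


def make_cloud(online: bool) -> Callable[[str], Optional[str]]:
    """Return a cloud stub that answers from CONSTRUCTED_CLOUD_DB, or is down."""
    def cloud(host: str) -> Optional[str]:
        if not online:
            raise CloudUnreachable(host)
        return CONSTRUCTED_CLOUD_DB.get(host)
    return cloud


if __name__ == "__main__":
    fw = CategoryLookup(make_cloud(online=True))
    for u in ("www.example.com/index.html", "www.example.com/about",
              "10.1.2.3/admin", "new.example.org/"):
        print(u, "->", fw.lookup(u))
    print("cloud queries:", fw.cloud_queries)
```

The cloud_queries counter makes the practical point visible: a second lookup of the same host is answered locally, and a cloud outage yields not-resolved rather than unknown, which is why a block action on not-resolved is so disruptive.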
Change Request Process
Palo Alto Networks customers can submit URL categorization change requests using the Palo Alto Networks dedicated web portal (Test A Site), the URL filtering profile setup page on the firewall, or the URL filtering log on the firewall. Each change request is automatically processed every day, provided the website provides machine-readable content that is in a supported format and language. Sometimes, the categorization change requires a member of the Palo Alto Networks engineering staff to perform a manual review. In such cases, the process may take a little longer.
URLFilteringProfile
AURLfilteringprofileisacollectionofURLfilteringcontrolsthatareappliedtoindividualsecuritypolicy
rulestoenforceyourwebaccesspolicy.Thefirewallcomeswithadefaultprofilethatisconfiguredtoblock
threatpronecategories,suchasmalware,phishing,andadult.Youcanusethedefaultprofileinasecurity
policy,cloneittobeusedasastartingpointfornewURLfilteringprofiles,oraddanewURLfilteringprofile
thatwillhaveallcategoriessettoallowforvisibilityintothetrafficonyournetwork.Youcanthencustomize
thenewlyaddedURLprofilesandaddlistsofspecificwebsitesthatshouldalwaysbeblockedorallowedfor
moregranularcontroloverURLcategories.Forexample,youmaywanttoblocksocialnetworkingsites,but
allowsomewebsitesthatarepartofthesocialnetworkingcategory.
URLFilteringProfileActions
BlockandAllowLists
ExternalDynamicListforURLs
SafeSearchEnforcement
ContainerPages
HTTPHeaderLogging
URLFilteringProfileActions
TheURLFilteringprofilespecifiesanactionforeachURLcategory.Bydefault,allURLcategoriesaresetto
allowwhenyouCreateanewURLFilteringprofile.Thismeansthattheuserswillbeabletobrowsetoall
sitesfreelyandthetrafficwillnotbelogged.ThefirewallalsocomespredefineddefaultURLfilteringprofile
thatallowsaccesstoallcategoriesexceptthefollowingthreatpronecategories,whichitblocks:
abuseddrugs,adult,gambling,hacking,malware,phishing,questionable,andweapons.
Asabestpractice,ifyouwanttocreateacustomURLFilteringcategory,clonethedefaultURL
filteringprofileandchangetheactioninallallowcategoriestoeitheralertorcontinuesothatyou
havevisibilityintothetraffic.Itisalsoabestpracticetosetthe
proxyavoidanceandanonymizerscategorytoblock.
Action: alert
Description: The website is allowed and a log entry is generated in the URL filtering log.

Action: allow
Description: The website is allowed and no log entry is generated.

Action: block
Description: The website is blocked and the user will see a response page and will not be able to continue to the website. A log entry is generated in the URL filtering log.

Action: continue
Description: The user will be prompted with a response page indicating that the site has been blocked due to company policy, but the user is prompted with the option to continue to the website. The continue action is typically used for categories that are considered benign and is used to improve the user experience by giving them the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log.
The Continue page will not be displayed properly on client machines that are configured to use a proxy server.
Action: override
Description: The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or helpdesk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log. See Configure URL Admin Override.
The Override page does not display properly on client machines that are configured to use a proxy server.

Action: none
Description: The none action only applies to custom URL categories. Select none to ensure that if multiple URL profiles exist, the custom category will not have any impact on other profiles. For example, if you have two URL profiles and the custom URL category is set to block in one profile, if you do not want the block action to apply to the other profile, you must set the action to none.
Also, in order to delete a custom URL category, it must be set to none in any profile where it is used.
Block and Allow Lists
In some cases you might want to block a category, but allow a few specific sites in that category. Alternatively, you might want to allow some categories, but block individual sites in the category. You do this by adding the IP addresses or URLs of these sites in the Block list and Allow list sections of the URL Filtering profile to define websites that should always be blocked or allowed.

When entering URLs in the Block List or Allow List or External Dynamic List for URLs, enter each URL or IP address in a new row separated by a new line. When using wildcards in the URLs, follow these rules:
- Do not include HTTP and HTTPS when defining URLs. For example, enter www.paloaltonetworks.com or paloaltonetworks.com instead of https://www.paloaltonetworks.com.
- Entries in the block list must be an exact match and are case-insensitive.
  For example: If you want to prevent a user from accessing any website within the domain paloaltonetworks.com, you would also add *.paloaltonetworks.com, so whatever domain prefix (http://, www, or a subdomain prefix such as mail.paloaltonetworks.com) is added to the address, the specified action will be taken. The same applies to the subdomain suffix; if you want to block paloaltonetworks.com/en/US, you would need to add paloaltonetworks.com/* as well.
  Further, if you want to limit access to a domain suffix such as paloaltonetworks.com.au, you must add a /, so that the match restricts a dot that follows .com. In this case, you need to add the entry as *.paloaltonetworks.com/
- The lists support wildcard patterns. The following characters are considered separators:
  .
  /
  ?
  &
  =
  ;
  +
Every substring that is separated by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
  *.yahoo.com (tokens are: "*", "yahoo" and "com")
  www.*.com (tokens are: "www", "*" and "com")
  www.yahoo.com/search=* (tokens are: "www", "yahoo", "com", "search", "*")
The following patterns are invalid because the character * is not the only character in the token:
  ww*.yahoo.com
  www.y*.com
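The separator and token rules above are easy to get wrong when building list entries by hand, so a small validator and matcher is a useful check before an entry goes into a profile. The following Python is an added example and not PAN-OS code: it tokenizes on the seven separators, rejects tokens that mix * with other characters, and matches case-insensitively. Its matching semantics are this example's reading of the page's own cases (a * token stands in for one or more consecutive URL tokens, so paloaltonetworks.com/* covers en/US); behaviour for paths beyond those cases is not modelled.

```python
"""Tokenizer, validator and matcher for block list / allow list entries
that follow the separator and wildcard rules above.  Added example, not
PAN-OS code; '*' matching one or more consecutive tokens is this example's
reading of the page's cases."""
import re
from typing import List

SEPARATORS = set("./?&=;+")
_SPLIT_RE = re.compile(r"([./?&=;+])")   # capture group keeps the separators as tokens


def tokenize(entry: str) -> List[str]:
    """Split an entry into tokens and separator tokens, dropping empty strings."""
    return [t for t in _SPLIT_RE.split(entry) if t != ""]


def is_valid_pattern(entry: str) -> bool:
    """Valid when every token is ASCII and any '*' is the whole token,
    never part of one (so 'ww*.yahoo.com' is rejected)."""
    if not entry or not entry.isascii():
        return False
    for tok in tokenize(entry):
        if tok in SEPARATORS:
            continue
        if "*" in tok and tok != "*":
            return False
    return True


def _match(pat: List[str], url: List[str]) -> bool:
    """Recursive token matcher; '*' consumes one or more URL tokens whose run
    starts and ends on a non-separator token."""
    if not pat:
        return not url                        # exact match: nothing may be left over
    if pat[0] == "*":
        for n in range(1, len(url) + 1):
            run = url[:n]
            if run[0] in SEPARATORS or run[-1] in SEPARATORS:
                continue
            if _match(pat[1:], url[n:]):
                return True
        return False
    return bool(url) and pat[0] == url[0] and _match(pat[1:], url[1:])


def matches(entry: str, url: str) -> bool:
    """Case-insensitive exact match of a URL (entered without scheme) against one entry."""
    if not is_valid_pattern(entry):
        raise ValueError("invalid wildcard pattern: %r" % entry)
    return _match(tokenize(entry.lower()), tokenize(url.lower()))


def matching_entries(entries: List[str], url: str) -> List[str]:
    """All valid list entries that match the URL; invalid entries are skipped."""
    return [e for e in entries if is_valid_pattern(e) and matches(e, url)]


if __name__ == "__main__":
    for e in ("*.yahoo.com", "www.*.com", "www.yahoo.com/search=*", "ww*.yahoo.com", "www.y*.com"):
        print(e, "valid" if is_valid_pattern(e) else "invalid", tokenize(e))
    print(matching_entries(["paloaltonetworks.com", "paloaltonetworks.com/*"], "paloaltonetworks.com/en/US"))
```

Running matching_entries over a candidate block list with the URLs you expect it to cover shows directly why the page tells you to add both the bare domain and the *.domain form, and paloaltonetworks.com/* for paths.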
External Dynamic List for URLs
To protect your network from new sources of threat or malware, you can use an External Dynamic List in URL Filtering profiles to block or allow, or to define granular actions such as continue, alert, or override for URLs, before you attach the profile to a Security policy rule. Unlike the allow list, block list, or a custom URL category on the firewall, an external dynamic list gives you the ability to update the list without a configuration change or commit on the firewall. The firewall dynamically imports the list at the configured interval and enforces policy for the URLs (IP addresses or domains will be ignored) in the list. For URL formatting guidelines, see Block and Allow Lists.

Safe Search Enforcement
Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. On the firewall, you can Enable Safe Search Enforcement so that the firewall will block search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.

To use this feature you must enable the Safe Search Enforcement option in a URL filtering profile and attach it to a security policy rule. The firewall will then block any matching search query return traffic that is not using the strictest safe search settings. There are two methods for blocking the search results:
- Block Search Results that are not Using Strict Safe Search Settings: When an end user attempts to perform a search without first enabling the strictest safe search settings, the firewall blocks the search query results and displays the URL Filtering Safe Search Block Page. By default, this page will provide a URL to the search provider settings for configuring safe search.
- Enable Transparent Safe Search Enforcement: When an end user attempts to perform a search without first enabling the strict safe search settings, the firewall blocks the search results with an HTTP 503 status code and redirects the search query to a URL that includes the safe search parameters. You enable this functionality by importing a new URL Filtering Safe Search Block Page containing the JavaScript for rewriting the search URL to include the strict safe search parameters. In this configuration, users will not see the block page, but will instead be automatically redirected to a search query that enforces the strictest safe search options. This safe search enforcement method requires content release version 475 or later and is only supported for Google, Yahoo, and Bing searches.
Also, because most search providers now use SSL to return search results, you must also configure a Decryption policy rule for the search traffic to enable the firewall to inspect the search traffic and enforce safe search.

Safe search enforcement enhancements and support for new search providers are periodically added in content releases. This information is detailed in the Application and Threat Content Release Notes. How sites are judged to be safe or unsafe is determined by each search provider, not by Palo Alto Networks.

Safe search settings differ by search provider as detailed in Table: Search Provider Safe Search Settings.

Table: Search Provider Safe Search Settings

Search Provider: Google / YouTube
Safe Search Setting Description: Offers safe search on individual computers or network-wide through Google's safe search virtual IP address:
  Safe Search Enforcement for Google Searches on Individual Computers
  In the Google Search Settings, the Filter explicit results setting enables safe search functionality. When enabled, the setting is stored in a browser cookie as FF= and passed to the server each time the user performs a Google search.
  Appending safe=active to a Google search query URL also enables the strictest safe search settings.
  Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address
  Google provides servers that Lock SafeSearch (forcesafesearch.google.com) settings in every Google and YouTube search. By adding a DNS entry for www.google.com and www.youtube.com (and other relevant Google and YouTube country subdomains) that includes a CNAME record pointing to forcesafesearch.google.com to your DNS server configuration, you can ensure that all users on your network are using strict safe search settings every time they perform a Google or YouTube search. Keep in mind, however, that this solution is not compatible with Safe Search Enforcement on the firewall. Therefore, if you are using this option to force safe search on Google, the best practice is to block access to other search engines on the firewall by creating custom URL categories and adding them to the block list in the URL filtering profile.
  If you plan to use the Google Lock SafeSearch solution, consider configuring DNS Proxy (Network > DNS Proxy) and setting the inheritance source as the Layer 3 interface on which the firewall receives DNS settings from the service provider via DHCP. You would configure the DNS proxy with Static Entries for www.google.com and www.youtube.com, using the local IP address for the forcesafesearch.google.com server.

Search Provider: Yahoo
Safe Search Setting Description: Offers safe search on individual computers only. The Yahoo Search Preferences include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as vm= and passed to the server each time the user performs a Yahoo search.
  Appending vm=r to a Yahoo search query URL also enables the strictest safe search settings.
  When performing a search on Yahoo Japan (yahoo.co.jp) while logged in to a Yahoo account, end users must also enable the SafeSearch Lock option.
Search Provider: Bing
Safe Search Setting Description: Offers safe search on individual computers or through their Bing in the Classroom program. The Bing Settings include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as adlt= and passed to the server each time the user performs a Bing search.
  Appending adlt=strict to a Bing search query URL also enables the strictest safe search settings.
  The Bing SSL search engine does not enforce the safe search URL parameters and you should therefore consider blocking Bing over SSL for full safe search enforcement.
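The table gives the query parameter that carries the strictest setting for each provider (safe=active, vm=r, adlt=strict), which is exactly what the firewall inspects on the decrypted request and what the transparent enforcement page rewrites. The following Python is an added example and not PAN-OS code or the guide's block-page JavaScript: it decides whether a decrypted search URL already carries the strict parameter and produces the rewritten URL when it does not. Identifying the provider from a label of the host name is this example's simplification; Yandex and YouTube, which the firewall also covers, are outside this example because the table lists no parameter for them.

```python
"""Check whether a decrypted search URL carries the strictest safe search
parameter from the table, and rewrite it when it does not (the transparent
enforcement behaviour).  Added example, not PAN-OS code; provider detection
by host label is a simplification of this example."""
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Strict safe search query parameter per provider, as given in the table.
STRICT_PARAM = {
    "google": ("safe", "active"),
    "yahoo": ("vm", "r"),
    "bing": ("adlt", "strict"),
}


def provider_of(host: str) -> Optional[str]:
    """Identify the provider from the host name's labels (e.g. search.yahoo.com)."""
    for label in host.lower().split("."):
        if label in STRICT_PARAM:
            return label
    return None


def safe_search_status(url: str) -> Tuple[Optional[str], bool]:
    """Return (provider, strict); strict is True only when the strictest
    parameter is present with the expected value (vm=p, for instance, is not)."""
    parts = urlsplit(url)
    provider = provider_of(parts.hostname or "")
    if provider is None:
        return None, False
    key, value = STRICT_PARAM[provider]
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return provider, params.get(key) == value


def rewrite_strict(url: str) -> str:
    """Return the URL with the provider's strict parameter set, replacing any
    weaker value; URLs of non-search hosts are returned unchanged."""
    parts = urlsplit(url)
    provider = provider_of(parts.hostname or "")
    if provider is None:
        return url
    key, value = STRICT_PARAM[provider]
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != key]
    pairs.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


if __name__ == "__main__":
    for u in ("https://www.google.com/search?q=kittens",
              "https://search.yahoo.com/search?p=kittens&vm=p",
              "https://www.bing.com/search?q=kittens&adlt=strict"):
        print(safe_search_status(u), "->", rewrite_strict(u))
```

Because the providers return results over SSL, this check only has something to inspect once the search traffic is covered by a decryption policy rule, as the text above notes; and, as the Bing row says, the rewritten parameter is not honoured by Bing over SSL, which is why the guide suggests blocking that path instead.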
Container Pages
A container page is the main page that a user accesses when visiting a website, but additional websites may be loaded within the main page. If the Log Container page only option is enabled in the URL filtering profile, only the main container page will be logged, not subsequent pages that may be loaded within the container page. Because URL filtering can potentially generate a lot of log entries, you may want to turn on this option, so log entries will only contain those URIs where the requested page file name matches the specific mime-types. The default set includes the following mime-types:
  application/pdf
  application/soap+xml
  application/xhtml+xml
  text/html
  text/plain
  text/xml
If you have enabled the Log container page only option, there may not always be a correlated URL log entry for threats detected by antivirus or vulnerability protection.

HTTP Header Logging
URL filtering provides visibility and control over web traffic on your network. For improved visibility into web content, you can configure the URL Filtering profile to log HTTP header attributes included in a web request. When a client requests a web page, the HTTP header includes the user-agent, referer, and x-forwarded-for fields as attribute-value pairs and forwards them to the web server. When enabled for logging HTTP headers, the firewall logs the following attribute-value pairs in the URL Filtering logs:

Attribute: User-Agent
Description: The web browser that the user used to access the URL, for example, Internet Explorer. This information is sent in the HTTP request to the server.

Attribute: Referer
Description: The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.
Attribute: X-Forwarded-For (XFF)
Description: The option in the HTTP request header field that preserves the IP address of the user who requested the web page. If you have a proxy server on your network, the XFF allows you to identify the IP address of the user who requested the content, instead of only recording the proxy server's IP address as the source IP address that requested the web page.
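To see what the three attributes look like on the wire and how they end up beside the source IP in a log record, the following Python is an added example and not PAN-OS code: it parses a constructed HTTP request, reads the three headers case-insensitively, and takes the leftmost X-Forwarded-For entry as the client the proxy saw. The request text, host names and addresses are constructed for the example.

```python
"""Extract the header attributes the firewall logs (User-Agent, Referer,
X-Forwarded-For) from a raw HTTP request and build a URL-log style record.
Added example, not PAN-OS code; the request is constructed for the example."""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed request as a proxy on the network would forward it (not captured data).
CONSTRUCTED_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) ExampleBrowser/1.0\r\n"
    "Referer: https://intranet.example.com/links\r\n"
    "X-Forwarded-For: 192.0.2.10, 10.0.0.5\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (request line, headers) with header names lower-cased; HTTP
    header names are case-insensitive, so lookups must not depend on spelling."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def xff_client(xff: Optional[str]) -> Optional[str]:
    """Leftmost X-Forwarded-For entry is the client address the proxy recorded;
    return it only if it parses as an IP address, otherwise None."""
    if not xff:
        return None
    first = xff.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def url_log_record(raw: str, src_ip: str) -> Dict[str, Optional[str]]:
    """Build the attribute-value pairs a URL filtering log entry would carry
    for this request; src_ip is the address the firewall itself saw."""
    request_line, headers = parse_request(raw)
    target = request_line.split(" ")[1]
    return {
        "src_ip": src_ip,                      # the proxy, if one is in the path
        "url": headers.get("host", "") + target,
        "user_agent": headers.get("user-agent"),
        "referer": headers.get("referer"),
        "xff": headers.get("x-forwarded-for"),
        "xff_client": xff_client(headers.get("x-forwarded-for")),
    }


if __name__ == "__main__":
    for k, v in url_log_record(CONSTRUCTED_REQUEST, src_ip="10.0.0.7").items():
        print("%-11s %s" % (k, v))
```

The X-Forwarded-For value is written by whatever sent the request, so the xff_client field identifies a user reliably only when the request reached the firewall from your own proxy; for traffic arriving directly from the Internet the header is attacker-controlled text and src_ip remains the field to trust.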
URL Filtering Response Pages
The firewall provides three predefined response pages that display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering Profile (block, continue, or override) or when Safe Search Enforcement is enabled:
- URL Filtering and Category Match Block Page: Access blocked by a URL Filtering Profile or because the URL category is blocked by a security policy.
- URL Filtering Continue and Override Page: Page with initial block policy that allows users to bypass the block by clicking Continue. With URL Admin Override enabled (Configure URL Admin Override), after clicking Continue, the user must supply a password to override the policy that blocks the URL.
- URL Filtering Safe Search Block Page: Access blocked by a security policy with a URL filtering profile that has the Safe Search Enforcement option enabled (see Enable Safe Search Enforcement). The user will see this page if a search is performed using Google, Bing, Yahoo, or Yandex and their browser or search engine account setting for Safe Search is not set to strict.
You can either use the predefined pages, or you can Customize the URL Filtering Response Pages to communicate your specific acceptable use policies and/or corporate branding. In addition, you can use the URL Filtering Response Page Variables for substitution at the time of the block event or add one of the supported Response Page References to external images, sounds, or style sheets.

URL Filtering Response Page Variables

Variable: <user/>
Usage: The firewall replaces the variable with the user name (if available via User-ID) or IP address of the user when displaying the response page.

Variable: <url/>
Usage: The firewall replaces the variable with the requested URL when displaying the response page.

Variable: <category/>
Usage: The firewall replaces the variable with the URL filtering category of the blocked request.

Variable: <pan_form/>
Usage: HTML code for displaying the Continue button on the URL Filtering Continue and Override page.

You can also add code that triggers the firewall to display different messages depending on what URL category the user is attempting to access. For example, the following code snippet from a response page specifies to display Message 1 if the URL category is games, Message 2 if the category is travel, or Message 3 if the category is kids:
var cat = "<category/>";
switch(cat)
{
case 'games':
document.getElementById("warningText").innerHTML = "Message 1";
break;
case 'travel':
document.getElementById("warningText").innerHTML = "Message 2";
break;
case 'kids':
document.getElementById("warningText").innerHTML = "Message 3";
break;
}
Only a single HTML page can be loaded into each virtual system for each type of block page. However, other resources such as images, sounds, and cascading style sheets (CSS files) can be loaded from other servers at the time the response page is displayed in the browser. All references must include a fully qualified URL.
Response Page References

Reference Type: Image
Example HTML Code: <img src="http://virginiadot.org/images/Stop-Sign-gif.gif">

Reference Type: Sound
Example HTML Code: <embed src="http://simplythebest.net/sounds/WAV/WAV_files/movie_WAV_files/do_not_go.wav" volume="100" hidden="true" autostart="true">

Reference Type: Style Sheet

Reference Type: Hyperlink
Example HTML Code: <a href="http://en.wikipedia.org/wiki/Acceptable_use_policy">View Corporate Policy</a>
URL Category as Policy Match Criteria
Use URL categories as match criteria in a policy rule for more granular enforcement. For example, suppose you have configured Decryption, but you want to exclude traffic to certain types of websites (for example, healthcare or financial services) from being decrypted. In this case you could create a decryption policy rule that matches those categories and set the action to no-decrypt. By placing this rule above the rule to decrypt all traffic, you ensure that web traffic with URL categories that match the no-decrypt rule is not decrypted, and all other traffic matches the subsequent rule.

The following table describes the policy types that accept URL category as match criteria:

Policy Type: Captive Portal
Description: To ensure that users authenticate before being allowed access to a specific category, you can attach a URL category as a match criterion for the Captive Portal policy.

Policy Type: Decryption
Description: Decryption policies can use URL categories as match criteria to determine if specified websites should be decrypted or not. For example, if you have a decryption policy with the action decrypt for all traffic between two zones, there may be specific website categories, such as financial-services and/or health-and-medicine, that should not be decrypted. In this case, you would create a new decryption policy with the action of no-decrypt that precedes the decrypt policy and then define a list of URL categories as match criteria for the policy. By doing this, each URL category that is part of the no-decrypt policy will not be decrypted. You could also configure a custom URL category to define your own list of URLs that can then be used in the no-decrypt policy.

Policy Type: QoS
Description: QoS policies can use URL categories to allocate throughput levels for specific website categories. For example, you may want to allow the streaming-media category, but limit throughput by adding the URL category as match criteria to the QoS policy.
Security
In security policies you can use URL categories both as a match criteria in the Service/URL Category tab, and in URL filtering profiles that are attached in the Actions tab.
If, for example, the IT security group in your company needs access to the hacking category, while all other users are denied access to the category, you must create the following rules:
- A security rule that allows the IT Security group to access content categorized as hacking. The security rule references the hacking category in the Services/URL Category tab and the IT Security group in the Users tab.
- Another security rule that allows general web access for all users. To this rule you attach a URL filtering profile that blocks the hacking category.
The policy that allows access to hacking must be listed before the policy that blocks hacking. This is because security policy rules are evaluated top-down, so when a user who is part of the security group attempts to access a hacking site, the policy rule that allows access is evaluated first and will allow the user access to the hacking sites. Users from all other groups are evaluated against the general web access rule, which blocks access to the hacking sites.
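The rule-ordering point above can be checked against a small model. The following Python is an added example, not part of this guide and not Palo Alto Networks code: it models only allow rules, each with a URL category match, a user-group match and an attached URL Filtering profile (the rule and group names are constructed), and shows how the same two rules behave in both orders. The shadowed_rules helper is a hypothetical check for the ordering mistake the text warns about.

```python
"""Model of top-down security rule evaluation with URL categories, user groups and
an attached URL Filtering profile (added example; constructed rule and group names)."""
from dataclasses import dataclass, field


@dataclass
class SecurityRule:
    name: str
    url_categories: set = field(default_factory=lambda: {"any"})   # Service/URL Category tab
    users: set = field(default_factory=lambda: {"any"})            # Users tab
    url_profile: dict = field(default_factory=dict)                # Actions tab: category -> action

    def matches(self, category, groups):
        category_ok = "any" in self.url_categories or category in self.url_categories
        user_ok = "any" in self.users or bool(self.users & groups)
        return category_ok and user_ok


def evaluate(rules, category, groups):
    """Return (rule name, action) for the first rule that matches, top down.

    Every modelled rule is an allow rule; the attached URL Filtering profile then
    decides per category, and a category absent from the profile is allowed.
    """
    for rule in rules:
        if rule.matches(category, groups):
            return rule.name, rule.url_profile.get(category, "allow")
    return None, "deny"           # nothing matched: implicit deny


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule matches any
    category for any user; a quick check for the ordering mistake described above."""
    shadowed, catch_all_seen = [], False
    for rule in rules:
        if catch_all_seen:
            shadowed.append(rule.name)
        if "any" in rule.url_categories and "any" in rule.users:
            catch_all_seen = True
    return shadowed


# Constructed rulebase reproducing the hacking-category example from the text.
IT_HACKING_RULE = SecurityRule("allow-hacking-for-it-security",
                               url_categories={"hacking"}, users={"IT Security"})
GENERAL_WEB_RULE = SecurityRule("general-web-access",
                                url_profile={"hacking": "block"})

CORRECT_ORDER = [IT_HACKING_RULE, GENERAL_WEB_RULE]
WRONG_ORDER = [GENERAL_WEB_RULE, IT_HACKING_RULE]

if __name__ == "__main__":
    for order in (CORRECT_ORDER, WRONG_ORDER):
        print([r.name for r in order], evaluate(order, "hacking", {"IT Security"}),
              "shadowed:", shadowed_rules(order))
```

With the general rule on top, the IT Security rule is never reached, so the IT Security user is blocked by the profile attached to the general rule; the shadow check reports exactly that rule.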
PAN-DB Categorization
- PAN-DB URL Categorization Components
- PAN-DB URL Categorization Workflow

PAN-DB URL Categorization Components
The following table describes the PAN-DB components in detail. The BrightCloud system works similarly, but does not use an initial seed database.

URL Filtering Seed Database
The initial seed database downloaded to the firewall is a small subset of the database that is maintained on the Palo Alto Networks URL cloud servers. The reason this is done is because the full database contains millions of URLs and many of these URLs may never be accessed by your users. When downloading the initial seed database, you select a region (North America, Europe, APAC, Japan). Each region contains a subset of URLs most accessed for the given region. This allows the firewall to store a much smaller URL database for better URL lookup performance. If a user accesses a website that is not in the local URL database, the firewall queries the full cloud database and then adds the new URL to the local database. This way the local database on the firewall is continually populated/customized based on actual user activity.
Note that re-downloading the PAN-DB seed database or switching the URL database vendor from PAN-DB to BrightCloud will clear the local database.

Cloud Service
(See Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud for information on the private cloud.)
The PAN-DB cloud service is implemented using Amazon Web Services (AWS). AWS provides a distributed, high-performance, and stable environment for seed database downloads and URL lookups for Palo Alto Networks firewalls, and communication is performed over SSL. The AWS cloud systems hold the entire PAN-DB and are updated as new URLs are identified. The PAN-DB cloud service supports an automated mechanism to update the firewall's local URL database if the version does not match. Each time the firewall queries the cloud servers for URL lookups, it will also check for critical updates. If there have been no queries to the cloud servers for more than 30 minutes, the firewall will check for updates on the cloud systems.
The cloud system also provides a mechanism to submit URL category change requests. This is performed through the Test A Site service and is available directly from the firewall (URL filtering profile setup) and from the Palo Alto Networks Test A Site website. You can also submit a URL categorization change request directly from the URL filtering log on the firewall in the log details section.
Management Plane (MP) URL Cache
When you activate PAN-DB on the firewall, the firewall downloads a seed database from one of the PAN-DB cloud servers to initially populate the local cache for improved lookup performance. Each regional seed database contains the top URLs for the region, and the size of the seed database (number of URL entries) also depends on the platform. The URL MP cache is automatically written to the firewall's local drive every eight hours, before the firewall is rebooted, or when the cloud upgrades the URL database version on the firewall. After rebooting the firewall, the file that was saved to the local drive will be loaded to the MP cache. A least recently used (LRU) mechanism is also implemented in the URL MP cache in case the cache is full. If the cache becomes full, the URLs that have been accessed the least will be replaced by the newer URLs.

Dataplane (DP) URL Cache
This is a subset of the MP cache and is a customized, dynamic URL database that is stored in the dataplane (DP) and is used to improve URL lookup performance. The URL DP cache is cleared at each firewall reboot. The number of URLs that are stored in the URL DP cache varies by hardware platform and the current URLs stored in the TRIE (data structure). A least recently used (LRU) mechanism is implemented in the DP cache in case the cache is full. If the cache becomes full, the URLs that have been accessed the least will be replaced by the newer URLs. Entries in the URL DP cache expire after a specified period of time, and the expiration period cannot be changed by the administrator.
PAN-DB URL Categorization Workflow
When a user attempts to access a URL and the URL category needs to be determined, the firewall will compare the URL with the following components (in order) until a match has been found:
If a URL query matches an expired entry in the URL DP cache, the cache responds with the expired category, but also sends a URL categorization query to the management plane. This is done to avoid unnecessary delays in the DP, assuming that the frequency of changing categories is low. Similarly, in the URL MP cache, if a URL query from the DP matches an expired entry in the MP, the MP responds to the DP with the expired category and will also send a URL categorization request to the cloud service. Upon getting the response from the cloud, the firewall will resend the updated response to the DP.
As new URLs and categories are defined or if critical updates are needed, the cloud database will be updated. Each time the firewall queries the cloud for a URL lookup, or if no cloud lookups have occurred for 30 minutes, the database versions on the firewall and in the cloud are compared and, if they do not match, an incremental update will be performed.
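To make the expired-entry behaviour of the workflow concrete, the following Python models the three lookup tiers described above (DP cache, MP cache, cloud) with LRU caches that have a fixed capacity and an expiry time. It is an added example, not Palo Alto Networks code and not a description of the firewall's internals beyond what the text states: the capacities, expiry times, URLs and categories are constructed, and the cloud is a plain dictionary that the example edits to simulate a recategorization.

```python
"""Model of the PAN-DB three-tier URL lookup: DP cache -> MP cache -> cloud
(added example; constructed capacities, expiry times, URLs and categories)."""
from collections import OrderedDict


class LruCache:
    """Fixed-capacity cache that evicts the least recently used URL when full."""

    def __init__(self, capacity, ttl):
        self.capacity = capacity
        self.ttl = ttl                      # seconds before an entry counts as expired
        self._entries = OrderedDict()       # url -> (category, stored_at)

    def get(self, url, now):
        """Return (category, expired) or None; a hit marks the URL as recently used."""
        hit = self._entries.get(url)
        if hit is None:
            return None
        self._entries.move_to_end(url)
        category, stored_at = hit
        return category, (now - stored_at) >= self.ttl

    def put(self, url, category, now):
        self._entries[url] = (category, now)
        self._entries.move_to_end(url)
        while len(self._entries) > self.capacity:
            self._entries.popitem(last=False)   # drop the least recently used URL


class Categorizer:
    def __init__(self, cloud, dp_capacity=2, mp_capacity=4, dp_ttl=60, mp_ttl=600):
        self.cloud = cloud                  # constructed stand-in for the PAN-DB cloud database
        self.dp = LruCache(dp_capacity, dp_ttl)
        self.mp = LruCache(mp_capacity, mp_ttl)
        self.cloud_queries = 0

    def _query_cloud(self, url, now):
        self.cloud_queries += 1
        category = self.cloud.get(url, "unknown")
        self.mp.put(url, category, now)
        self.dp.put(url, category, now)     # the updated response is pushed down to the DP
        return category

    def _mp_lookup(self, url, now):
        """The MP answers from its cache; an expired hit is answered with the stale
        category while the cloud is queried to refresh it."""
        hit = self.mp.get(url, now)
        if hit is None:
            return self._query_cloud(url, now)
        category, expired = hit
        if expired:
            self._query_cloud(url, now)
        else:
            self.dp.put(url, category, now)
        return category

    def lookup(self, url, now):
        """The DP answers from its cache, falling back to the MP (and the MP to the cloud)."""
        hit = self.dp.get(url, now)
        if hit is None:
            return self._mp_lookup(url, now)
        category, expired = hit
        if expired:
            self._mp_lookup(url, now)       # stale answer now; the caches are refreshed behind it
        return category
```

Running the sequence in the test below shows the behaviour the text describes: after the cloud recategorizes a URL, the first lookup past both expiry times still returns the old category, and only the next lookup sees the new one; a URL evicted from the small DP cache is answered by the MP cache without a cloud query.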
Enable a URL Filtering Vendor
To enable URL filtering on a firewall, you must purchase and activate a URL Filtering license for one of the supported URL Filtering Vendors and then install the database for the vendor you selected.
Starting with PAN-OS 6.0, firewalls managed by Panorama do not need to be running the same URL filtering vendor that is configured on Panorama. For firewalls running PAN-OS 6.0 or later, when a mismatch is detected between the vendor enabled on the firewalls and what is enabled on Panorama, the firewalls can automatically migrate URL categories and/or URL profiles to (one or more) categories that align with that of the vendor enabled on it. For guidance on how to configure URL Filtering on Panorama if you are managing firewalls running different PAN-OS versions, refer to the Panorama Administrator's Guide.
If you have valid licenses for both PAN-DB and BrightCloud, activating the PAN-DB license automatically deactivates the BrightCloud license (and vice versa). At a time, only one URL filtering license can be active on a firewall.
- Enable PAN-DB URL Filtering
- Enable BrightCloud URL Filtering

Enable PAN-DB URL Filtering
Step 1. Obtain and install a PAN-DB URL filtering license and confirm that it is installed.
   1.
   2.
   If the license expires, PAN-DB URL Filtering continues to work based on the URL category information that exists in the dataplane and management plane caches. However, URL cloud lookups and other cloud-based updates will not function until you install a valid license.
Step 2. Download the initial seed database and activate PAN-DB URL Filtering.
   The firewall must have Internet access; you cannot manually upload the PAN-DB seed database.
   1. In the PAN-DB URL Filtering section, Download Status field, click Download Now.
   2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
   3. After the download completes, click Activate.
   If PAN-DB is already the active URL filtering vendor and you click Re-Download, this will reactivate PAN-DB by clearing the dataplane and management plane caches and replacing them with the contents of the new seed database. You should avoid doing this unless it is necessary, as you will lose your cache, which is customized based on the web traffic that has previously passed through the firewall based on user activity.

Step 3. Schedule the firewall to download dynamic updates for Applications and Threats.
   1.
   2.
   A Threat Prevention license is required to receive content updates, which covers Antivirus and Applications and Threats.
Enable BrightCloud URL Filtering

Step 1. Obtain and install a BrightCloud URL filtering license and confirm that it is installed.
   1.
   2.
   BrightCloud has an option in the URL filtering profile (Objects > Security Profiles > URL Filtering) to either allow all categories or block all categories if the license expires.
Step 2. Install the BrightCloud database.
   The way you do this depends on whether or not the firewall has direct Internet access.
   Firewall with Direct Internet Access
   Select Device > Licenses and in the BrightCloud URL Filtering section, Active field, click the Activate link to install the BrightCloud database. This operation automatically initiates a system reset.
   Firewall without Direct Internet Access
   1. Download the BrightCloud database to a host that has Internet access. The firewall must have access to the host:
      a. On a host with Internet access, go to the Palo Alto Networks Customer Support website, www.paloaltonetworks.com/support/tabs/overview.html, and log in.
      b. In the Resources section, click Dynamic Updates.
      c. In the BrightCloud Database section, click Download and save the file to the host.
   2. Upload the database to the firewall:
      a. Log in to the firewall, select Device > Dynamic Updates and click Upload.
      b. For the Type, select URL Filtering.
      c. Enter the path to the File on the host or click Browse to find it, then click OK. When the Status is Completed, click Close.
   3. Install the database:
      a. Select Device > Dynamic Updates and click Install From File.
      b. For the Type, select URL Filtering. The firewall automatically selects the file you just uploaded.
      c. Click OK and, when the Result is Succeeded, click Close.
Step 3. Enable cloud lookups for dynamically categorizing a URL if the category is not available on the local BrightCloud database.
   1. Access the PAN-OS CLI.
   2. Enter the following commands to enable dynamic URL filtering:
      configure
      set deviceconfig setting url dynamic-url yes
      commit
Step 4. Schedule the firewall to download dynamic updates for Applications and Threats signatures and URL filtering.
   1.
   2.
   3.
   You can only schedule dynamic updates if the firewall has direct Internet access.
   The Applications and Threats updates might contain updates for URL filtering related to the Safe Search Enforcement option in the URL filtering profile. For example, if Palo Alto Networks adds support for a new search provider vendor or if the method used to detect the Safe Search setting for an existing vendor changes, the Application and Threats updates will include that update.
   BrightCloud updates include a database of approximately 20 million websites that are stored locally on the firewall. You must schedule URL filtering updates to receive BrightCloud database updates.
   A Threat Prevention license is required to receive Antivirus and Applications and Threats updates.
Determine URL Filtering Policy Requirements
The recommended practice for deploying URL filtering in your organization is to first start with a passive URL filtering profile that will alert on most categories. After setting the alert action, you can then monitor user web activity for a few days to determine patterns in web traffic. After doing so, you can then make decisions on the websites and website categories that should be controlled.
In the procedure that follows, threat-prone sites will be set to block and the other categories will be set to alert, which will cause all website traffic to be logged. This may potentially create a large amount of log files, so it is best to do this for initial monitoring purposes to determine the types of websites your users are accessing. After determining the categories that your company approves of, those categories should then be set to allow, which will not generate logs. You can also reduce URL filtering logs by enabling the Log container page only option in the URL Filtering profile, so only the main page that matches the category will be logged, not subsequent pages/categories that may be loaded within the container page.
If you subscribe to third-party URL feeds and want to secure your users from emerging threats, see Use an External Dynamic List in a URL Filtering Profile.
Configure and Apply a Passive URL Filtering Profile

Step 1. Create a new URL Filtering profile.
   1.
   2. Select the default profile and then click Clone. The new profile will be named default-1.
   3. Select the default-1 profile and rename it. For example, rename it to URLMonitoring.

Step 2. Configure the action for all categories to alert, except for threat-prone categories, which should remain blocked.
   To select all items in the category list from a Windows system, click the first category, then hold down the shift key and click the last category; this will select all categories. Hold the control key (ctrl) down and click items that should be deselected. On a Mac, do the same using the shift and command keys. You could also just set all categories to alert and manually change the recommended categories back to block.
   1. In the section that lists all URL categories, select all categories.
   2. To the right of the Action column heading, mouse over and select the down arrow and then select Set Selected Actions and choose alert.
   3. To ensure that you block access to threat-prone sites, select the following categories and then set the action to block: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, weapons.
   4. Click OK to save the profile.

Step 3. Apply the URL Filtering profile to the security policy rule(s) that allows web traffic for users.
   1.
   2. Select the Actions tab and in the Profile Setting section, click the drop-down for URL Filtering and select the new profile.
   3. Click OK to save.
Step 4. Save the configuration.
   Click Commit.

Step 5.
Use an External Dynamic List in a URL Filtering Profile
An External Dynamic List is a text file that is hosted on an external web server. You can use this list to import URLs and enforce policy on these URLs. When you update the list on the web server, the firewall retrieves the changes and applies policy to the modified list without requiring a commit on the firewall.
For more information, see External Dynamic List and Enforce Policy on Entries in an External Dynamic List.

Use an External Dynamic List with URLs in a URL Filtering Profile

Step 1. Create the external dynamic list for URLs and host it on a web server.
   Create a text file and enter the URLs in the file; each URL must be on a separate line. For example:
      financialtimes.co.in
      www.wallaby.au/joey
      www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
      *.example.com/*
      abc?*/abc.com
      *&*.net
   See Block and Allow Lists for formatting guidelines.
Step 2. Configure the firewall to access the external dynamic list.
   1.
   2. Click Add and enter a descriptive Name for the list.
   3. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
   4. In the Type drop-down, select URL List. Ensure that the list does not include IP addresses or domain names; the firewall skips non-URL entries.
   5. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2016.
   6.
   7. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour.
   8. Click OK.
Step 3. Use the external dynamic list in a URL Filtering profile.
   1.
   2. Add or modify an existing URL Filtering profile.
   3. Name the profile and, in the Categories tab, select the external dynamic list from the Category list.
   4. Click Action to select a more granular action for the URLs in the external dynamic list.
      If a URL that is included in an external dynamic list is also included in a custom URL category, or Block and Allow Lists, the action specified in the custom category or the block and allow list will take precedence over the external dynamic list.
   5. Click OK.
   6. Attach the URL Filtering profile to a Security policy rule.
      a. Select Policies > Security.
      b. Select the Actions tab and, in the Profile Setting section, select the new profile in the URL Filtering drop-down.
      c. Click OK and Commit.

Step 4. Test that the policy action is enforced.
   1. Attempt to access a URL that is included in the external dynamic list.
   2. Verify that the action you defined is enforced in the browser.
   3. To monitor the activity on the firewall:
      a. Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
      b. Select Monitor > Logs > URL Filtering to access the detailed log view.

Step 5. Verify whether entries in the external dynamic list were ignored or skipped.
   In a list of type URL, the firewall skips non-URL entries as invalid and ignores entries that exceed the maximum limit for the platform.
   Use the following CLI command on a firewall to review the details for a list.
      request system external-list show type url list_name
   For example:
      request system external-list show type url EBL_ISAC_Alert_List
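Two things in this procedure are worth checking before a list goes live: which lines of the file the firewall will skip or ignore (Step 5), and which profile element finally decides a URL when it appears in several places (the precedence note in Step 3). The following Python is an added example, not Palo Alto Networks code: it reads a constructed list file whose first entries reuse the sample URLs from Step 1, marks IP addresses as non-URL entries and entries past a constructed platform limit as ignored, and then resolves a URL against a constructed profile in the precedence order the text states (block and allow lists, then custom categories, then external dynamic lists, then the predefined category). Checking the block list before the allow list, and the glob-style wildcard matching, are simplifications assumed here rather than taken from the page.

```python
"""Validate a URL-list EDL file and resolve which URL Filtering profile element decides a
URL (added example; simplified wildcard matching, constructed list and profile)."""
from fnmatch import fnmatchcase
import ipaddress

# Constructed EDL file: the first four lines reuse entries shown in the text (the wrapped
# path rejoined), then a blank line and an IP address, which a URL list does not accept.
EDL_FILE = """\
financialtimes.co.in
www.wallaby.au/joey
www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
*.example.com/*

203.0.113.7
"""

PLATFORM_MAX_ENTRIES = 5        # constructed stand-in for the per-platform limit


def is_ip_address(entry):
    try:
        ipaddress.ip_address(entry)
    except ValueError:
        return False
    return True


def parse_edl(text, max_entries=PLATFORM_MAX_ENTRIES):
    """Return (accepted entries, {skipped entry: reason}) the way Step 5 describes:
    non-URL entries are skipped and entries past the platform limit are ignored."""
    accepted, skipped = [], {}
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if is_ip_address(entry):
            skipped[entry] = "non-URL entry (IP address)"
        elif len(accepted) >= max_entries:
            skipped[entry] = "exceeds platform limit"
        else:
            accepted.append(entry)
    return accepted, skipped


def matches(pattern, url):
    """Glob-style match; a pattern without a path also covers everything under it.
    This is a simplification of the firewall's own wildcard rules (see Block and Allow Lists)."""
    return fnmatchcase(url, pattern) or url.startswith(pattern.rstrip("/") + "/")


def resolve_action(url, profile, predefined_category):
    """Apply the precedence stated in the text: block list and allow list first (block list
    checked first is an assumption), then custom URL categories, then external dynamic
    lists, and finally the action set for the predefined category."""
    for entry, action in profile["block_list"].items():
        if matches(entry, url):
            return action, "block list: " + entry
    for entry in profile["allow_list"]:
        if matches(entry, url):
            return "allow", "allow list: " + entry
    for name, (patterns, action) in profile["custom_categories"].items():
        if any(matches(p, url) for p in patterns):
            return action, "custom category: " + name
    for name, (patterns, action) in profile["external_lists"].items():
        if any(matches(p, url) for p in patterns):
            return action, "external dynamic list: " + name
    return profile["categories"].get(predefined_category, "allow"), "category: " + predefined_category


EDL_ENTRIES, EDL_SKIPPED = parse_edl(EDL_FILE)

# Constructed URL Filtering profile (names are hypothetical).
PROFILE = {
    "block_list": {"bad.example.net": "block"},
    "allow_list": ["intranet.example.com/*"],
    "custom_categories": {"SearchEngineDecryption": (["www.bing.*", "www.google.*"], "alert")},
    "external_lists": {"EDL_URL_example": (EDL_ENTRIES, "block")},
    "categories": {"hacking": "block", "shopping": "alert"},
}
```

Feeding the file through parse_edl with a lower limit shows which entries would silently be ignored on a smaller platform, which is the situation Step 5's CLI command is there to reveal.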
Monitor Web Activity
The ACC, URL filtering logs and reports show all user web activity for URL categories that are set to alert, block, continue, or override. By monitoring the logs, you can gain a better understanding of the web activity of your user base to determine a web access policy.
The following topics describe how to monitor web activity:
- Monitor Web Activity of Network Users
- View the User Activity Report
- Configure Custom URL Filtering Reports

Monitor Web Activity of Network Users
You can use the ACC, and the URL filtering reports and logs that are generated on the firewall, to track user activity.
For a quick view of the most common categories users access in your environment, check the ACC widgets. Most widgets in the Network Activity tab allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted-tunnel, and ssl. You can also view the list of Threat Activity and Blocked Activity sorted on URLs.
From the ACC, you can directly Jump to the Logs or you can navigate to Monitor > Logs > URL filtering to view the URL filtering logs. The following bullet points show examples of the URL filtering logs.
- Alert log: In this log, the category is shopping and the action is alert.
- Block log: In this log, the category malware was set to block, so the action is block-url and the user will see a response page indicating that the website was blocked.
- Alert log on encrypted website: In this example, the category is social-networking and the application is facebook-base, which is required to access the Facebook website and other Facebook applications. Because facebook.com is always encrypted using SSL, the traffic was decrypted by the firewall, which allows the website to be recognized and controlled if needed.
You can also add several other columns to your URL Filtering log view, such as: to and from zone, content type, and whether or not a packet capture was performed. To modify what columns to display, click the down arrow in any column and select the attribute to display.
To view the complete log details and/or request a category change for the given URL that was accessed, click the log details icon in the first column of the log.
To generate a predefined URL filtering report on URL categories, URL users, Websites accessed, Blocked categories, and more, select Monitor > Reports and under the URL Filtering Reports section, select one of the reports. The reports are based on a 24-hour period and the day is selected by choosing a day in the calendar section. You can also export the report to PDF, CSV, or XML.
View the User Activity Report
This report provides a quick method of viewing user or group activity and also provides an option to view browse time activity.

Generate a User Activity Report

Step 1. Configure a User Activity Report.
   1.
   2. Enter a report Name and select the report type. Select User to generate a report for one person, or select Group for a group of users.
      You must Enable User-ID in order to be able to select user or group names. If User-ID is not configured, you can select the type User and enter the IP address of the user's computer.
   3. Enter the Username/IP address for a user report or enter the group name for a user group report.
   4. Select the time period. You can select an existing time period, or select Custom.
   5.
Step 2. Run the user activity report and then download the report.
   1. Click Run Now.
   2.
   3. After the report is downloaded, click Cancel and then click OK to save the report.

Step 3. View the user activity report by opening the PDF file that was downloaded. The top of the report will contain a table of contents similar to the following:

Step 4.
Configure Custom URL Filtering Reports
To generate a detailed report that can also be scheduled, you can configure a custom report and select from a list of all available URL filtering log fields.

Configure a Custom URL Filtering Report

Step 1. Add a new custom report.
   1.
   2. Enter a report Name, for example, My URL Custom Report.
   3. From the Database drop-down, select URL Log.

Step 2. Configure report options.
   1. Select the Time Frame drop-down and select a range.
   2. (Optional) To customize how the report is sorted and grouped, select Sort By and choose the number of items to display (top 25, for example) and then select Group By and select an option such as Category, and then select how many groups will be defined.
   3. In the Available Columns list, select the fields to include in the report. The following columns are typically used for a URL report:
      - Action
      - Category
      - Destination Country
      - Source User
      - URL

Step 3. Run the report to check the results. If the results are satisfactory, set a schedule to run the report automatically.
   1. Click the Run Now icon to immediately generate the report, which will appear in a new tab.
   2. (Optional) Click the Schedule check box to run the report once per day. This will generate a daily report that details web activity over the last 24 hours. To access the report, select Monitor > Report and then expand Custom Reports on the right column and select the report.

Step 4. Save the configuration.
   Click Commit.
Configure URL Filtering
After you Determine URL Filtering Policy Requirements, you should have a basic understanding of what types of websites and website categories your users are accessing. With this information, you are now ready to create custom URL filtering profiles and attach them to the security policy rule(s) that allow web access.
Configure Website Controls

Step 1. Create a URL Filtering profile or select an existing one.
   1.
   2.
   Because the default URL filtering profile blocks risky and threat-prone content, it is a best practice to clone this profile to preserve these default settings, rather than creating a new profile.

Step 2. Define how to control access to web content.
   In the Categories tab, for each category that you want visibility into or control over, select a value from the Action column as follows:
   - If you do not care about traffic to a particular category (that is, you neither want to block it nor log it), select allow.
   - For visibility into traffic to sites in a category, select alert.
   - To deny access to traffic that matches the category and to enable logging of the blocked traffic, select block.
   - To require users to click Continue to proceed to a questionable site, select continue.
   - To only allow access if users provide a configured password, select override. For more details on this setting, see Configure URL Admin Override.

Step 3. Define websites that should always be blocked or allowed.
   For example, to reduce URL filtering logs, you may want to add your corporate websites to the allow list, so no logs will be generated for those sites. Or, if there is a website that is being overly used and is not work related in any way, you can add it to the block list.
   Items in the block list will always be blocked regardless of the action for the associated category, and URLs in the allow list will always be allowed.
   For more information on the proper format and wildcard usage, see Block and Allow Lists.
   1. In the URL filtering profile, enter URLs or IP addresses in the Block List and select an action:
      - block: Block the URL.
      - continue: Prompt users to click Continue to proceed to the web page.
      - override: The user will be prompted for a password to continue to the website.
      - alert: Allow the user to access the website and add an alert log entry in the URL log.
   2. For the Allow list, enter IP addresses or URLs that should always be allowed. Each row must be separated by a new line.
   3. (Optional) Enable Safe Search Enforcement.
Step 4. Modify the setting to log Container Pages only.

Step 5. Enable HTTP Header Logging for one or more of the supported HTTP header fields.
   To log an HTTP header field, select one or more of the following fields to log:
   - User-Agent
   - Referer
   - X-Forwarded-For

Step 6. Save the URL filtering profile.
   1. Click OK.
   2. (Optional) Customize the URL Filtering Response Pages.
   3. Click Commit.
   To test the URL filtering configuration, simply access a website in a category that is set to block or continue to see if the appropriate action is performed.
Customize the URL Filtering Response Pages
The firewall provides three predefined URL Filtering Response Pages that display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering Profile (block, continue, or override) or when Safe Search Enforcement blocks a search attempt. However, you can create your own custom response pages with your corporate branding, acceptable use policies, and links to your internal resources as follows:

Customize the URL Filtering Response Pages

Step 1. Export the default response page(s).
   1.
   2. Select the link for the URL filtering response page you want to modify.
   3. Click the response page (predefined or shared) and then click the Export link and save the file to your desktop.

Step 2. Edit the exported page.
   1. Using the HTML text editor of your choice, edit the page:
      - If you want the response page to display custom information about the specific user, URL, or category that was blocked, add one or more of the supported URL Filtering Response Page Variables.
      - If you want to include custom images (such as your corporate logo), a sound, or style sheet, or link to another URL, for example to a document detailing your acceptable web use policy, include one or more of the supported Response Page References.
   2. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding. For example, in Notepad you would select UTF-8 from the Encoding drop-down in the Save As dialog.

Step 3. Import the customized response page.
   1.
   2. Select the link that corresponds to the URL Filtering response page you edited.
   3. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
   4. (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
   5. Click OK to import the file.

Step 4. Save the new response page(s).
   Commit the changes.

Step 5. Verify that the new response page displays.
   From a browser, go to the URL that will trigger the response page. For example, to see a modified URL Filtering and Category Match response page, browse to a URL that your URL filtering policy is set to block.
Configure URL Admin Override
In some cases there may be URL categories that you want to block, but allow certain individuals to browse to on occasion. In this case, you would set the category action to override and define a URL admin override password in the firewall Content-ID configuration. When users attempt to browse to the category, they will be required to provide the override password before they are allowed access to the site. Use the following procedure to configure URL admin override:

Configure URL Admin Override

Step 1. Set the URL admin override password.
   1.
   2.
   3. In the Location field, select the virtual system to which this password applies.
   4. Enter the Password and Confirm Password.
   5.
   6. Select the Mode for prompting the user for the password:
      - Transparent: The firewall intercepts the browser traffic destined for a site in a URL category you have set to override and impersonates the original destination URL, issuing an HTTP 401 to prompt for the password. Note that the client browser will display certificate errors if it does not trust the certificate.
      - Redirect: The firewall intercepts HTTP or HTTPS traffic to a URL category set to override and redirects the request to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to prompt for the override password. If you select this option, you must provide the Address (IP address or DNS hostname) to which to redirect the traffic.
   7. Click OK.

Step 2. (Optional) Set a custom override period.
   1. Edit the URL Filtering section.
   2. To change the amount of time users can browse to a site in a category for which they have successfully entered the override password, enter a new value in the URL Admin Override Timeout field. By default, users can access sites within the category for 15 minutes without re-entering the password.
   3. To change the amount of time users are blocked from accessing a site set to override after three failed attempts to enter the override password, enter a new value in the URL Admin Lockout Timeout field. By default, users are blocked for 30 minutes.
   4. Click OK.
Step 3. (Redirect mode only) Create a Layer 3 interface to which to redirect web requests to sites in a category configured for override.
   1. Create a management profile to enable the interface to display the URL Filtering Continue and Override Page response page:
      a. Select Network > Interface Mgmt and click Add.
      b. Enter a Name for the profile, select Response Pages, and then click OK.
   2. Create the Layer 3 interface. Be sure to attach the management profile you just created (on the Advanced > Other Info tab of the Ethernet Interface dialog).

Step 4. (Redirect mode only) To transparently redirect users without displaying certificate errors, install a certificate that matches the IP address of the interface to which you are redirecting web requests to a site in a URL category configured for override. You can either generate a self-signed certificate or import a certificate that is signed by an external CA.
   To use a self-signed certificate, you must first create a root CA certificate and then use that CA to sign the certificate you will use for URL admin override as follows:
   1.
   2. To create the certificate to use for URL admin override, click Generate. Enter a Certificate Name and enter the DNS hostname or IP address of the interface as the Common Name. In the Signed By field, select the CA you created in the previous step. Add an IP address attribute and specify the IP address of the Layer 3 interface to which you will be redirecting web requests to URL categories that have the override action.
   3. Generate the certificate.
   4. To configure clients to trust the certificate, select the CA certificate on the Device Certificates tab and click Export. You must then import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory Group Policy Object (GPO).

Step 5. Specify which URL categories require an override password to enable access.
   1.
   2. On the Categories tab, set the Action to override for each category that requires a password.
   3. Complete any remaining sections on the URL filtering profile and then click OK to save the profile.

Step 6. Apply the URL Filtering profile to the security policy rule(s) that allows access to the sites requiring password override for access.
   1.
   2. Select the Actions tab and in the Profile Setting section, click the drop-down for URL Filtering and select the profile.
   3. Click OK to save.

Step 7. Save the configuration.
   Click Commit.
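The override and lockout timers from Step 2 of this procedure can be modelled in a few lines to see how they interact. The following Python is an added example, not Palo Alto Networks code and not a description of the firewall's implementation: it tracks, per client address and category, when a correctly entered password opens the category and when three wrong attempts lock the client out, using the defaults stated in the text (15 minutes, 30 minutes, three attempts). The client addresses and the password are constructed, and the password is held as a SHA-256 digest for the comparison only.

```python
"""Model of the URL admin override timers (added example; constructed client
addresses and password)."""
import hashlib
import hmac

OVERRIDE_TIMEOUT = 15 * 60   # default URL Admin Override Timeout, in seconds
LOCKOUT_TIMEOUT = 30 * 60    # default URL Admin Lockout Timeout, in seconds
MAX_FAILED_ATTEMPTS = 3


def _digest(secret):
    return hashlib.sha256(secret.encode("utf-8")).digest()


class OverrideTracker:
    def __init__(self, password, override_timeout=OVERRIDE_TIMEOUT,
                 lockout_timeout=LOCKOUT_TIMEOUT):
        self._password_digest = _digest(password)
        self.override_timeout = override_timeout
        self.lockout_timeout = lockout_timeout
        self._open_until = {}      # (client, category) -> time the override expires
        self._failures = {}        # client -> consecutive wrong passwords
        self._locked_until = {}    # client -> time the lockout ends

    def check(self, client, category, now):
        """'allow' inside an open override window, 'locked' during a lockout,
        otherwise 'prompt' (the firewall would show the override page)."""
        if self._locked_until.get(client, 0) > now:
            return "locked"
        if self._open_until.get((client, category), 0) > now:
            return "allow"
        return "prompt"

    def submit_password(self, client, category, attempt, now):
        """Outcome of one password submission on the override page."""
        if self.check(client, category, now) == "locked":
            return "locked"
        if hmac.compare_digest(_digest(attempt), self._password_digest):
            self._failures[client] = 0
            self._open_until[(client, category)] = now + self.override_timeout
            return "allow"
        self._failures[client] = self._failures.get(client, 0) + 1
        if self._failures[client] >= MAX_FAILED_ATTEMPTS:
            self._failures[client] = 0
            self._locked_until[client] = now + self.lockout_timeout
            return "locked"
        return "prompt"
```

The override window is kept per category, so a user who unlocked gambling is still prompted for weapons, and a lockout applies to the client as a whole, so even the correct password is refused until the lockout timeout has passed.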
Enable Safe Search Enforcement
Many search engines have a safe search setting that filters out adult images and videos for search query return traffic. You can configure Safe Search Enforcement on the Palo Alto Networks next-generation firewall to prevent search requests that do not have the strictest safe search settings enabled.
The Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address is not compatible with Safe Search Enforcement on the firewall.
There are two ways to enforce Safe Search on the firewall:
- Block Search Results that are not Using Strict Safe Search Settings
- Enable Transparent Safe Search Enforcement

Block Search Results that are not Using Strict Safe Search Settings
By default, when you enable safe search enforcement, when a user attempts to perform a search without using the strictest safe search settings, the firewall will block the search query results and display the URL Filtering Safe Search Block Page. This page provides a link to the search settings page for the corresponding search provider so that the end user can enable the safe search settings. If you plan to use this default method for enforcing safe search, you should communicate the policy to your end users prior to deploying the policy. See Table: Search Provider Safe Search Settings for details on how each search provider implements safe search. The default URL Filtering Safe Search Block Page provides a link to the search settings for the corresponding search provider. You can optionally Customize the URL Filtering Response Pages.
Alternatively, to enable safe search enforcement so that it is transparent to your end users, configure the firewall to Enable Transparent Safe Search Enforcement.
Enable Safe Search Enforcement

Step 1. Enable Safe Search Enforcement in the URL Filtering profile.
   1.
   2. Select an existing profile to modify, or clone the default profile to create a new profile.
   3.
   4. (Optional) Restrict users to specific search engines:
      a. On the Categories tab, set the search-engines category to block.
      b. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
         www.google.com
         www.bing.com
   5. Configure other settings as necessary to:
      - Define how to control access to web content.
      - Define websites that should always be blocked or allowed.
   6. Click OK to save the profile.

Step 2. Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
   1.
   2. On the Actions tab, select the URL Filtering profile.
   3. Click OK to save the security policy rule.

Step 3. Enable SSL Forward Proxy decryption.
   Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
   1. Add a custom URL category for the search sites:
      a. Select Objects > Custom Objects > URL Category and Add a custom category.
      b. Enter a Name for the category, such as SearchEngineDecryption.
      c. Add the following to the Sites list:
         www.bing.*
         www.google.*
         search.yahoo.*
      d. Click OK to save the custom URL category object.
   2. Follow the steps to Configure SSL Forward Proxy.
   3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.
PANOS7.1AdministratorsGuide 551
EnableSafeSearchEnforcement
URLFiltering
EnableSafeSearchEnforcement(Continued)
Step4
Step5
(Optional,butrecommended)BlockBing 1.
searchtrafficrunningoverSSL.
BecausetheBingSSLsearchenginedoes
notadheretothesafesearchsettings,
forfullsafesearchenforcement,you
mustdenyallBingsessionsthatrunover
SSL.
AddacustomURLcategoryforBing:
a. SelectObjects > Custom Objects > URL CategoryandAdd
acustomcategory.
b. EnteraNameforthecategory,suchas
EnableBingSafeSearch.
c. AddthefollowingtotheSiteslist:
www.bing.com/images/*
www.bing.com/videos/*
d. ClickOKtosavethecustomURLcategoryobject.
2.
CreateanotherURLfilteringprofiletoblockthecustom
categoryyoujustcreated:
a. SelectObjects > Security Profiles > URL Filtering.
b. AddanewprofileandgiveitadescriptiveName.
c. LocatethecustomcategoryintheCategorylistandsetitto
block.
d. ClickOKtosavetheURLfilteringprofile.
3.
AddasecuritypolicyruletoblockBingSSLtraffic:
a. SelectPolicies > SecurityandAddapolicyrulethatallows
trafficfromyourtrustzonetotheInternet.
b. OntheActionstab,attachtheURLfilteringprofileyoujust
createdtoblockthecustomBingcategory.
c. OntheService/URL CategorytabAddaNew Serviceand
giveitadescriptiveName,suchasbingssl.
d. SelectTCPastheProtocolandsettheDestination Portto
443.
e. ClickOKtosavetherule.
f. UsetheMoveoptionstoensurethatthisruleisbelowthe
rulethathastheURLfilteringprofilewithsafesearch
enforcementenabled.
Savetheconfiguration.
552 PANOS7.1AdministratorsGuide
ClickCommit.
PaloAltoNetworks,Inc.
URLFiltering
EnableSafeSearchEnforcement
EnableSafeSearchEnforcement(Continued)
Step6
VerifytheSafeSearchEnforcement
1.
configuration.
Thisverificationsteponlyworks
ifyouareusingblockpagesto
enforcesafesearch.Ifyouare
usingtransparentsafesearch
enforcement,thefirewallblock
pagewillinvokeaURLrewrite
withthesafesearchparameters 2.
inthequerystring.
3.
Fromacomputerthatisbehindthefirewall,disablethestrict
searchsettingsforoneofthesupportedsearchproviders.For
example,onbing.com,clickthePreferencesiconontheBing
menubar.
4.
Usethelinkintheblockpagetogotothesearchsettingsfor
thesearchproviderandsetthesafesearchsettingbacktothe
strictestsetting(StrictinthecaseofBing)andthenclickSave.
5.
PerformasearchagainfromBingandverifythatthefiltered
searchresultsdisplayinsteadoftheblockpage.
SettheSafeSearchoptiontoModerateorOffandclickSave.
PerformaBingsearchandverifythattheURLFilteringSafe
SearchBlockpagedisplaysinsteadofthesearchresults:
Enable Transparent Safe Search Enforcement

If you want to enforce filtering of search query results with the strictest safe search filters, but you don't want your end users to have to manually configure the settings, you can enable transparent safe search enforcement as follows. This functionality is supported on the Google, Yahoo, and Bing search engines only and requires Content Release version 475 or later.
Enable Transparent Safe Search Enforcement

Step 1  Make sure the firewall is running Content Release version 475 or later.
  1. Check the installed content release version. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
  2. Locate the required update and click Download.
  3. After the download completes, click Install.

Step 2  Enable Safe Search Enforcement in the URL Filtering profile.
  1. Select Objects > Security Profiles > URL Filtering.
  2. Select an existing profile to modify, or clone the default profile to create a new one.
  3. Enable Safe Search Enforcement in the profile.
  4. (Optional) Allow access to specific search engines only:
     a. On the Categories tab, set the search-engines category to block.
     b. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
        www.google.com
        www.bing.com
  5. Configure other settings as necessary to:
     - Define how to control access to web content.
     - Define websites that should always be blocked or allowed.
  6. Click OK to save the profile.

Step 3  Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
  1. Select Policies > Security and select the rule that allows traffic from the trust zone to the Internet.
  2. On the Actions tab, select the URL Filtering profile.
  3. Click OK to save the security policy rule.

Step 4  (Optional, but recommended) Block Bing search traffic running over SSL.
  Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement you must deny all Bing sessions that run over SSL.
  1. Add a custom URL category for Bing:
     a. Select Objects > Custom Objects > URL Category and Add a custom category.
     b. Enter a Name for the category, such as EnableBingSafeSearch.
     c. Add the following to the Sites list:
        www.bing.com/images/*
        www.bing.com/videos/*
     d. Click OK to save the custom URL category object.
  2. Create another URL filtering profile to block the custom category you just created:
     a. Select Objects > Security Profiles > URL Filtering.
     b. Add a new profile and give it a descriptive Name.
     c. Locate the custom category you just created in the Category list and set it to block.
     d. Click OK to save the URL filtering profile.
  3. Add a security policy rule to block Bing SSL traffic:
     a. Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
     b. On the Actions tab, attach the URL filtering profile you just created to block the custom Bing category.
     c. On the Service/URL Category tab, Add a New Service and give it a descriptive Name, such as bingssl.
     d. Select TCP as the Protocol and set the Destination Port to 443.
     e. Click OK to save the rule.
     f. Use the Move options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.

Step 5  Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently.
  The rewrite is a convenience for the user: the firewall still blocks any query that lacks the strict setting, so a browser with JavaScript disabled simply continues to see the block page.
  1. Select Predefined and then click Export to save the file locally.
  2. Use an HTML editor and replace all of the existing block page text with the following text, and then save the file:
<html>
<head>
<title>Search Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta name="viewport" content="initial-scale=1.0">
<style>
#content {
border:3px solid #aaa;
background-color:#fff;
margin:1.5em;
padding:1.5em;
font-family:Tahoma,Helvetica,Arial,sans-serif;
font-size:1em;
}
h1 {
font-size:1.3em;
font-weight:bold;
color:#196390;
}
b {
font-weight:normal;
color:#196390;
}
</style>
</head>
<body bgcolor="#e7e8e9">
<h1>Search Blocked</h1>
<p><b>User:</b> <user/> </p>
<p>Your search results have been blocked because your search settings are not in accordance with company policy. In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
<p>For more information, please refer to: <a href="<ssurl/>"><ssurl/></a></p>
<p id="java_off"> Please enable JavaScript in your browser.<br></p>
<p><b>Please contact your system administrator if you believe this message is in error.</b></p>
<script>
// Grab the URL that is in the browser: the blocked search request.
var s_u = location.href;
// bing
// Matches the forward slashes at the beginning, anything, then ".bing.", then anything
// followed by a non-greedy slash (hopefully the first forward slash of the path).
var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
if (b_a) {
  s_u = s_u + "&adlt=strict";
  window.location.replace(s_u);
  document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
// google
// Same match for ".google."; strip an existing safe=off before appending safe=active.
var g_a = /^.*\/\/(.+\.google\..+?)\//.exec(s_u);
if (g_a) {
  s_u = s_u.replace(/&safe=off/ig,"");
  s_u = s_u + "&safe=active";
  window.location.replace(s_u);
  document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
// yahoo
// Same match for ".yahoo."; strip an existing vm=p before appending vm=r.
var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
if (y_a) {
  s_u = s_u.replace(/&vm=p/ig,"");
  s_u = s_u + "&vm=r";
  window.location.replace(s_u);
  document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
// Not a supported provider: clear the "enable JavaScript" notice and leave the
// block page (with its settings link) visible. Only done when no redirect was
// issued, so the redirect message above is not overwritten.
if (!b_a && !g_a && !y_a) {
  document.getElementById("java_off").innerHTML = ' ';
}
</script>
</body>
</html>
Step 6  Import the edited URL Filtering Safe Search Block page onto the firewall.
  1. Click Import and then enter the path and filename in the Import File field, or Browse to locate the file.
  2. (Optional) Select the virtual system on which this block page will be used from the Destination drop-down, or select shared to make it available to all virtual systems.
  3. Click OK to import the file.

Step 7  Enable SSL Forward Proxy decryption.
  Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
  1. Add a custom URL category for the search sites:
     a. Select Objects > Custom Objects > URL Category and Add a custom category.
     b. Enter a Name for the category, such as SearchEngineDecryption.
     c. Add the following to the Sites list:
        www.bing.*
        www.google.*
        search.yahoo.*
     d. Click OK to save the custom URL category object.
  2. Follow the steps to Configure SSL Forward Proxy.
  3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.

Step 8  Save the configuration.
  Click Commit.
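The block page script above rewrites a blocked query by appending the provider's strict parameter to the URL string, which duplicates the parameter when a non-strict value is already present and is unaware of fragments. The following is an added example, not part of the PAN-OS response page or any Palo Alto Networks code, that performs the same rewrite for Bing (adlt=strict), Google (safe=active) and Yahoo (vm=r) with the WHATWG URL API, so an existing value is replaced rather than duplicated, the parameter is handled in any position, and a fragment stays in place. It identifies the provider from the hostname only, never from the path or query. The hostname-label match is this example's heuristic; the firewall, not the script, remains the enforcement point, so a wrong match only adds a harmless parameter and a browser without JavaScript still sees the block page. Function names and sample URLs are this example's own. It runs in a browser or in Node.js; the redirect helper takes the window object as a parameter so it can be exercised outside a browser.

```javascript
// Added example: a safer version of the block page rewrite. Not part of the
// PAN-OS response page or any Palo Alto Networks code. Function names and
// sample URLs are this example's own. Runs in a browser or in Node.js (>= 10).

// Per-provider strict safe-search parameter: the same three mappings the
// block page script uses (Bing adlt=strict, Google safe=active, Yahoo vm=r).
const SAFE_SEARCH_PARAMS = {
  bing:   { name: 'adlt', value: 'strict' },
  google: { name: 'safe', value: 'active' },
  yahoo:  { name: 'vm',   value: 'r' },
};

// Identify the provider from the hostname labels only, never from the path
// or query, so https://www.example.com/?q=www.google.com is not "Google".
// A label match is a heuristic (it accepts google.co.uk and search.yahoo.com
// but also any host carrying that label); the firewall, not this script, is
// the enforcement point, so a wrong match only adds a harmless parameter.
function providerFor(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (const name of Object.keys(SAFE_SEARCH_PARAMS)) {
    if (labels.includes(name)) return name;
  }
  return null;
}

// Return the URL with the provider's strict parameter set, or null when the
// input is not an absolute URL or not a supported search provider.
function enforceSafeSearch(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  const provider = providerFor(url.hostname);
  if (provider === null) return null;
  const { name, value } = SAFE_SEARCH_PARAMS[provider];
  // set() replaces an existing value such as safe=off or adlt=moderate and
  // works whether the parameter is first, last or absent; the fragment (#...)
  // is preserved, which plain string concatenation does not guarantee.
  url.searchParams.set(name, value);
  return url.toString();
}

// True when the URL already carries the strict setting (no rewrite needed).
function isStrict(rawUrl) {
  const rewritten = enforceSafeSearch(rawUrl);
  return rewritten !== null && rewritten === new URL(rawUrl).toString();
}

// Browser use on the block page: redirect only when a rewrite is possible and
// changes something; otherwise leave the block page and its settings link up.
// `win` is the window object (passed in so the function is testable headless).
function redirectToSafeSearch(win) {
  const target = enforceSafeSearch(win.location.href);
  if (target !== null && target !== win.location.href) {
    win.location.replace(target);
    return true;
  }
  return false;
}
```

On the block page the call is `redirectToSafeSearch(window)`; if it returns false the page should show the provider's settings link as the predefined page does.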
Set Up the PAN-DB Private Cloud

Use the following section to deploy one or more M-500 appliances as a PAN-DB private cloud within your network or data center and Configure the Firewalls to Access the PAN-DB Private Cloud.

Set up the PAN-DB Private Cloud

Step 1  Rack mount the M-500 appliance.
  Refer to the M-500 Hardware Reference Guide for instructions.

Step 2  Register the M-500 appliance.
  For instructions on registering the M-500 appliance, see Register the Firewall.

Step 3  Perform Initial Configuration of the M-500 Appliance.
  The M-500 appliance in PAN-DB mode uses two ports: MGT (Eth0) and Eth1; Eth2 is not used in PAN-DB mode. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud. For communication between the appliance (PAN-DB server) and the firewalls on the network, you can use the MGT port or Eth1.
  1. Connect to the M-500 appliance in one of the following ways:
     - Attach a serial cable from a computer to the Console port on the M-500 appliance and connect using terminal emulation software (9600-8-N-1).
     - Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-500 appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, 192.168.1.2).
  2. When prompted, log in to the appliance using the default username and password (admin/admin). The appliance will begin to initialize. Change the default admin password before the appliance is reachable from a production network.
  3. Configure the network access settings, including the IP address for the MGT interface:
       set deviceconfig system ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
     where <server-IP> is the IP address you want to assign to the management interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the primary DNS server.
  4. Configure the network access settings, including the IP address for the Eth1 interface:
       set deviceconfig system eth1 ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
     where <server-IP> is the IP address you want to assign to the data interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
  5. Save your changes to the PAN-DB server:
       commit

Step 4  Switch to PAN-DB private cloud mode.
  1. To switch to PAN-DB mode, use the CLI command:
       request system system-mode panurldb
     You can switch from Panorama mode to PAN-DB mode and back, and from Panorama mode to Log Collector mode and back. Switching directly from PAN-DB mode to Log Collector mode or vice versa is not supported. When switching operational mode, a data reset is triggered: with the exception of management access settings, all existing configuration and logs are deleted on restart.
  2. Use the following command to verify that the mode has changed (the system-mode field reads Pan-URL-DB):
       show system info
       hostname: M-500
       ip-address: 1.2.3.4
       netmask: 255.255.255.0
       default-gateway: 1.2.3.1
       ipv6-address: unknown
       ipv6-link-local-address: fe80:00/64
       ipv6-default-gateway:
       mac-address: 00:56:90:e7:f6:8e
       time: Mon Apr 27 13:43:59 2015
       uptime: 10 days, 1:51:28
       family: m
       model: M-500
       serial: 0073010000xxx
       sw-version: 7.0.0
       app-version: 492-2638
       app-release-date: 2015/03/19 20:05:33
       av-version: 0
       av-release-date: unknown
       wf-private-version: 0
       wf-private-release-date: unknown
       logdb-version: 7.0.9
       platform-family: m
       pan-url-db: 20150417-220
       system-mode: Pan-URL-DB
       operational-mode: normal
  3. Use the following command to check the version of the cloud database on the appliance:
       show pan-url-cloud-status
       Cloud status: Up
       URL database version: 20150417-220

Step 5  Install content and database updates.
  The appliance only stores the currently running version of the content and one earlier version.
  Pick one of the following methods of installing the content and database updates:
  - If the PAN-DB server has direct Internet access, use the following commands:
    a. To check whether a new version is published:
         request pan-url-db upgrade check
    b. To check the version that is currently installed on your server:
         request pan-url-db upgrade info
    c. To download and install the latest version:
         request pan-url-db upgrade download latest
         request pan-url-db upgrade install <version latest | file>
    d. To schedule the M-500 appliance to automatically check for updates:
         set deviceconfig system update-schedule pan-url-db recurring weekly action download-and-install day-of-week <day of week> at <hr:min>
  - If the PAN-DB server is offline, access the Palo Alto Networks Customer Support website to download and save the content updates to an SCP server on your network. You can then import and install the updates using the following commands:
         scp import pan-url-db remote-port <port-number> from username@host:path
         request pan-url-db upgrade install file <filename>

Step 6  Set up administrative access to the PAN-DB private cloud.
  The appliance has a default admin account. Any additional administrative users that you create can be either superusers (with full access) or superreaders (superusers with read-only access).
  The PAN-DB private cloud does not support the use of RADIUS VSAs. If the VSAs used on the firewall or Panorama are used for enabling access to the PAN-DB private cloud, an authentication failure will occur.
  To set up a local administrative user on the PAN-DB server:
    a. configure
    b. set mgt-config users <username> permissions role-based <superreader | superuser> yes
    c. set mgt-config users <username> password
       Enter password: xxxxx
       Confirm password: xxxxx
    d. commit
  To set up an administrative user with RADIUS authentication:
    a. Create a RADIUS server profile:
         set shared server-profile radius <server_profile_name> server <server_name> ip-address <ip_address> port <port_no> secret <shared_password>
    b. Create an authentication profile:
         set shared authentication-profile <auth_profile_name> user-domain <domain_name_for_authentication> allow-list <all> method radius server-profile <server_profile_name>
    c. Attach the authentication profile to the user:
         set mgt-config users <username> authentication-profile <auth_profile_name>
    d. Commit the changes:
         commit
  To view the list of users:
       show mgt-config users
       users {
         admin {
           phash fnRL/G5lXVMug;
           permissions {
             role-based {
               superuser yes;
             }
           }
         }
         admin_user_2 {
           permissions {
             role-based {
               superreader yes;
             }
           }
           authentication-profile RADIUS;
         }
       }

Step 7  Configure the Firewalls to Access the PAN-DB Private Cloud.
Configure the Firewalls to Access the PAN-DB Private Cloud

When using the PAN-DB public cloud, each firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect for URL lookups. With the PAN-DB private cloud, you must configure the firewalls with a (static) list of your PAN-DB private cloud servers that will be used for URL lookups. The list can contain up to 20 entries; IPv4 addresses, IPv6 addresses, and FQDNs are supported. Each entry on the list (IP address or FQDN) must be assigned to the management port and/or Eth1 of the PAN-DB server.

Configure the Firewalls to Access the PAN-DB Private Cloud

Step 1  Pick one of the following options based on the PAN-OS version on the firewall.
  a. For firewalls running PAN-OS 7.0 or later, access the PAN-OS CLI or the web interface on the firewall.
     Use the following CLI command to configure access to the private cloud:
       set deviceconfig setting pan-url-db cloud-static-list <IP addresses> enable
     Or, in the web interface for each firewall:
       1. Select Device > Setup > Content-ID and edit the URL Filtering section.
       2. Enter the PAN-DB Server IP address(es) or FQDN(s). The list must be comma separated.
  b. For firewalls running PAN-OS 5.0, 6.0, or 6.1, use the following CLI command to configure access to the private cloud:
       debug device-server pan-url-db cloud-static-list enable <IP addresses> enable

Step 2  Commit your changes.

Step 3  To verify that the change is effective, use the following CLI command on the firewall:
       show url-cloud-status
       Cloud status: Up
       URL database version: 20150417-220

To delete the entries for the private PAN-DB servers and allow the firewalls to connect to the PAN-DB public cloud, use the command:
       set deviceconfig setting pan-url-db cloud-static-list <IP addresses> disable

When you delete the list of private PAN-DB servers, a re-election process is triggered on the firewall. The firewall first checks for the list of PAN-DB private cloud servers and, when it cannot find one, accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect.
URL Filtering Use Case Examples

The following use cases show how to use App-ID to control a specific set of web-based applications and how to use URL categories as match criteria in a policy. When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App-ID facebook-base is required to access the Facebook website and to control other Facebook applications; to configure the firewall to control Facebook email, you would have to allow the App-IDs facebook-base and facebook-mail. As another example, if you search Applipedia (the App-ID database) for LinkedIn, you will see that in order to control LinkedIn mail, you need to apply the same action to both App-IDs: linkedin-base and linkedin-mail. To determine application dependencies for App-ID signatures, visit Applipedia, search for the given application, and then click the application for details.

The User-ID feature is required to implement policies based on users and groups, and a Decryption policy is required to identify and control websites that are encrypted using SSL/TLS.

This section includes two use cases:
- Use Case: Control Web Access
- Use Case: Use URL Categories for Policy Matching

Use Case: Control Web Access

When using URL filtering to control user website access, there may be instances where granular control is required for a given website. In this use case, a URL filtering profile is applied to the security policy rule that allows web access for your users; the social-networking URL category is set to block, but the allow list in the URL profile is configured to allow the social networking site Facebook. To further control Facebook, the company policy also states that only marketing has full access to Facebook; all other users within the company can only read Facebook posts and cannot use any other Facebook applications, such as email, posting, chat, and file sharing. To accomplish this requirement, App-ID must be used to provide granular control over Facebook.

The first security rule will allow marketing to access the Facebook website as well as all Facebook applications. Because this allow rule will also allow access to the Internet, threat prevention profiles are applied to the rule, so traffic that matches the rule will be scanned for threats. This is important because the allow rule is terminal and will not continue to check other rules if there is a traffic match.

Control Web Access

Step 1  Confirm that URL filtering is licensed.
  If a valid license is not installed, see Enable PAN-DB URL Filtering.

Step 2  Confirm that User-ID is working. User-ID is required to create policies based on users and groups.
  1. To check User Mapping from the CLI, enter the following command:
       show user ip-user-mapping-mp all
  2. To check Group Mapping from the CLI, enter the following command:
       show user group-mapping statistics
  3. If statistics do not appear and/or IP address-to-user mapping information is not displayed, see User-ID.

Step 3  Set up a URL filtering profile by cloning the default profile.
  1. Select Objects > Security Profiles > URL Filtering.
  2. Click the Clone icon. A new profile should appear named default-1.
  3. Select the new profile and rename it.

Step 4  Configure the URL filtering profile to block social networking and allow Facebook.
  1. Modify the new URL filtering profile: in the Category list, scroll to social-networking and, in the Action column, click allow and change the action to block.
  2. In the Allow List, enter facebook.com, press Enter to start a new line, and then type *.facebook.com. Both of these formats are required so that all URL variants a user may use will be identified, such as facebook.com, www.facebook.com, and https://facebook.com.
  3. Click OK to save the profile.

Step 5  Apply the new URL filtering profile to the security policy rule that allows web access from the user network to the Internet.
  1. Select Policies > Security and select the rule that allows web access from the user network to the Internet.
  2. On the Actions tab, select the new URL Filtering profile.
  3. Click OK to save.

Step 6  Create the security policy rule that will allow marketing to access the Facebook website and all Facebook applications.
  This rule must precede other rules because:
  - It is a specific rule. More specific rules must precede other rules.
  - An allow rule terminates rule processing when a traffic match occurs.
  1. Select Policies > Security and Add a rule.
  2. Enter a Name and optionally a Description and Tag(s).
  3. On the Source tab, add the zone where the users are connected.
  4. On the User tab, in the Source User section, click Add.
  5. Select the directory group that contains your marketing users.
  6. On the Destination tab, select the zone that is connected to the Internet.
  7. On the Applications tab, click Add and add the facebook App-ID signature.
  8. On the Actions tab, add the default profiles for Antivirus, Vulnerability Protection, and Anti-Spyware.
  9. Click OK to save the security policy rule.
  The facebook App-ID signature used in this policy rule encompasses all Facebook applications, such as facebook-base, facebook-chat, and facebook-mail, so this is the only App-ID signature required in this rule.
  With this rule in place, when a marketing employee attempts to access the Facebook website or any Facebook application, the rule matches based on the user being part of the marketing group. For traffic from any user outside of marketing, the rule is skipped because there is no traffic match, and rule processing continues.

Step 7  Configure the security policy to block all other users from using any Facebook applications other than simple web browsing.
  The easiest way to do this is to clone the marketing allow rule and then modify it.
  1. Select Policies > Security, select the marketing allow rule, and click Clone.
  2. Give the cloned rule a new Name.
  3. On the User tab, remove the marketing group from Source User so that the rule applies to any user; a clone that still matches only the marketing group would never apply to the users it is meant to restrict.
  4. On the Applications tab, click the facebook App-ID signature and delete it.
  5. Click Add and add the following App-ID signatures:
     facebook-apps
     facebook-chat
     facebook-file-sharing
     facebook-mail
     facebook-posting
     facebook-social-plugin
  6. On the Actions tab, in the Action Setting section, select Deny. The profile settings should already be correct because this rule was cloned.
  7. Click OK to save the security policy rule.
  8. Ensure that this new deny rule is listed after the marketing allow rule, so that rule processing occurs in the correct order: allow marketing users first, then deny/limit all other users.
  9. Click Commit to save the configuration.

With these security policy rules in place, any user who is part of the marketing group will have full access to all Facebook applications, and any user that is not part of the marketing group will only have read-only access to the Facebook website and will not be able to use Facebook applications such as post, chat, email, and file sharing.
Use Case: Use URL Categories for Policy Matching

URL categories can also be used as match criteria in the following policy types: Captive Portal, Decryption, Security, and QoS. In this use case, URL categories are used in Decryption policy rules to control which web categories should be decrypted or not decrypted. The first rule is a no-decrypt rule that will not decrypt user traffic if the website category is financial-services or health-and-medicine, and the second rule will decrypt all other traffic. The decryption policy type is SSL Forward Proxy, which is used for controlling decryption for all outbound connections performed by users.

Configure a Decryption Policy Based on URL Category

Step 1  Create the no-decrypt rule that will be listed first in the decryption policies list. This will prevent any website that is in the financial-services or health-and-medicine URL categories from being decrypted.
  1. Select Policies > Decryption and Add a rule.
  2. Enter a Name and optionally enter a Description and Tag(s).
  3. On the Source tab, add the zone where the users are connected.
  4. On the Destination tab, enter the zone that is connected to the Internet.
  5. On the URL Category tab, click Add and select the financial-services and health-and-medicine URL categories.
  6. On the Options tab, set the action to No Decrypt.
  7. (Optional) Although the firewall does not decrypt and inspect the traffic for the session, you can attach a Decryption profile if you want to enforce checks on the server certificates used during the session. The decryption profile allows you to configure the firewall to terminate the SSL connection either when the server certificate is expired or when the server certificate is issued by an untrusted issuer.
  8. Click OK to save the policy rule.

Step 2  Create the decryption policy rule that will decrypt all other traffic.
  1. Select the no-decrypt rule you created previously and then click Clone.
  2. Enter a Name and optionally enter a Description and Tag(s).
  3. On the URL Category tab, select financial-services and health-and-medicine and then click the Delete icon.
  4. On the Options tab, set the action to Decrypt and the Type to SSL Forward Proxy.
  5. (Optional) Attach a Decryption profile to specify the server certificate verification, unsupported mode checks, and failure checks for the SSL traffic. See Configure SSL Forward Proxy for more details.
  6. Ensure that this new decryption rule is listed after the no-decrypt rule so that rule processing occurs in the correct order and websites in the financial-services and health-and-medicine categories are not decrypted.
  7. Click OK to save the policy rule.

Step 3  (BrightCloud only) Enable cloud lookups for dynamically categorizing a URL when the category is not available in the local database on the firewall.
  1. Access the CLI on the firewall.
  2. Enter the following commands to enable Dynamic URL Filtering:
     a. configure
     b. set deviceconfig setting url dynamic-url yes
     c. commit

Step 4  Save the configuration.
  Click Commit.

With these two decryption rules in place, any traffic destined for the financial-services or health-and-medicine URL categories will not be decrypted. All other traffic will be decrypted.

Now that you have a basic understanding of the features of URL filtering, App-ID, and User-ID, you can apply similar policies to your firewall to control any application in the Palo Alto Networks App-ID signature database and control any website contained in the URL filtering database.

For help in troubleshooting URL filtering issues, see Troubleshoot URL Filtering.
URLFiltering
TroubleshootURLFiltering
TroubleshootURLFiltering
ThefollowingtopicsprovidetroubleshootingguidelinesfordiagnosingandresolvingcommonURLfiltering
problems.
ProblemsActivatingPANDB
PANDBCloudConnectivityIssues
URLsClassifiedasNotResolved
IncorrectCategorization
URLDatabaseOutofDate
ProblemsActivatingPANDB
ThefollowingtabledescribesproceduresthatyoucanusetoresolveissueswithactivatingPANDB.
TroubleshootPANDBActivationIssues
Step1
AccessthePANOSCLI.
Step2
VerifywhetherPANDBhasbeenactivatedbyrunningthefollowingcommand:
admin@PA-200> show system setting url-database
Iftheresponseispaloaltonetworks,thenPANDBistheactivevendor.
Step3
VerifythatthefirewallhasavalidPANDBlicensebyrunningthefollowingcommand:
admin@PA-200> request license info
YoushouldseethelicenseentryFeature:PAN_DBURLFiltering.Ifthelicenseisnotinstalled,youwillneed
toobtainandinstallalicense.SeeConfigureURLFiltering.
Step4
Afterthelicenseisinstalled,downloadanewPANDBseeddatabasebyrunningthefollowingcommand:
admin@PA-200> request url-filtering download paloaltonetworks region <region>
3.
Checkthedownloadstatusbyrunningthefollowingcommand:
admin@PA-200> request url-filtering download status vendor paloaltonetworks
IfthemessageisdifferentfromPAN-DB download: Finished successfully,stophere;theremaybea
problemconnectingtothecloud.Attempttosolvetheconnectivityissuebyperformingbasicnetwork
troubleshootingbetweenthefirewallandtheInternet.Formoreinformation,seePANDBCloudConnectivity
Issues.
IfthemessageisPAN-DB download: Finished successfully,thefirewallsuccessfullydownloadedtheURL
seeddatabase.TrytoenablePANDBagainbyrunningthefollowingcommand:
admin@PA-200> set system setting url-database paloaltonetworks
4.
Iftheproblemspersists,contactPaloAltoNetworksCustomerSupport.
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 569
TroubleshootURLFiltering
URLFiltering
PANDBCloudConnectivityIssues
Tocheckcloudconnectivity,runthefollowingcommand:
admin@pa-200> show url-cloud status
Ifthecloudisaccessible,theexpectedresponseissimilartothefollowing:
admin@PA-200> show url-cloud status
PAN-DB URL Filtering
License :
valid
Current cloud server :
s0000.urlcloud.paloaltonetworks.com
Cloud connection :
connected
URL database version - device :
2013.11.18.000
URL database version - cloud :
2013.11.18.000 ( last update time
2013/11/19
13:20:51 )
URL database status :
good
URL protocol version - device :
pan/0.0.2
URL protocol version - cloud :
pan/0.0.2
Protocol compatibility status :
compatible
Ifthecloudisnoteaccessible,theexpectedresponseissimilartothefollowing:
admin@PA-200> show url-cloud status
PAN-DB URL Filtering
License :
valid
Cloud connection :
not connected
URL database version - device :
2013.11.18.000
URL database version - cloud :
2013.11.18.000 ( last update time
2013/11/19
13:20:51 )
URL database status :
good
URL protocol version - device :
pan/0.0.2
URL protocol version - cloud :
pan/0.0.2
Protocol compatibility status :
compatible
The following table describes procedures that you can use to resolve issues based on the output of the show url-cloud status command, how to ping the URL cloud servers, and what to check if the firewall is in a High Availability (HA) configuration.
Troubleshoot Cloud Connectivity Issues
PAN-DB URL Filtering license field shows invalid: Obtain and install a valid PAN-DB license.
URL database status is out of date: Download a new seed database by running the following command:
admin@pa-200> request url-filtering download paloaltonetworks region <region>
URL protocol version shows not compatible: Upgrade PAN-OS to the latest version.
Attempt to ping the PAN-DB cloud server from the firewall by running the following command:
admin@pa-200> ping source <ip-address> host s0000.urlcloud.paloaltonetworks.com
For example, if your management interface IP address is 10.1.1.5, run the following command:
admin@pa-200> ping source 10.1.1.5 host s0000.urlcloud.paloaltonetworks.com
If the firewall is in an HA configuration, verify that the HA state of the firewalls supports connectivity to the cloud systems. You can determine the HA state by running the following command:
admin@pa-200> show high-availability state
Connection to the cloud will be blocked if the firewall is not in one of the following states:
  active
  active-primary
  active-secondary
If the problem persists, contact Palo Alto Networks support.
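The troubleshooting table above is easy to apply by hand once, but an operator who collects show url-cloud status output from many firewalls wants the checks automated. The following Python script is an added example (not part of this guide and not PAN-OS code): it parses the command output as shown above into fields, applies the table's conditions (license, database status and version lag, protocol compatibility, HA state, cloud connection) and returns the matching remediation steps. The embedded sample output is constructed from the page; the 90-day threshold used for "more than three months" and the hyphenated HA state names are this example's assumptions.

```python
"""Map `show url-cloud status` output to the remediation steps in the
troubleshooting table. Added example; sample output constructed from the page."""
from datetime import date
from typing import Dict, List, Optional

# Constructed sample, modelled on the "cloud is not accessible" output above.
SAMPLE_NOT_CONNECTED = """\
PAN-DB URL Filtering
  License :                          valid
  Cloud connection :                 not connected
  URL database version - device :    2013.11.18.000
  URL database version - cloud :     2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
  URL database status :              good
  URL protocol version - device :    pan/0.0.2
  URL protocol version - cloud :     pan/0.0.2
  Protocol compatibility status :    compatible
"""

# HA states in which, per the table, the firewall may reach the cloud (assumed spelling).
HA_STATES_WITH_CLOUD_ACCESS = {"active", "active-primary", "active-secondary"}

# The page says automatic updates stop when the device database is "more than
# three months" behind the cloud; 90 days is the threshold assumed here.
MAX_DB_LAG_DAYS = 90


def parse_url_cloud_status(output: str) -> Dict[str, str]:
    """Split each 'field : value' line at its first colon and normalise the
    value's whitespace; the header 'PAN-DB URL Filtering' has no colon and is skipped."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = " ".join(value.split())
    return fields


def _version_date(version: str) -> date:
    """PAN-DB versions look like 2013.11.18.000: year.month.day.build; trailing
    text such as '( last update time ... )' is ignored."""
    year, month, day = version.split()[0].split(".")[:3]
    return date(int(year), int(month), int(day))


def database_lag_days(fields: Dict[str, str]) -> int:
    """Days the device's database build trails the cloud's build."""
    device = _version_date(fields["URL database version - device"])
    cloud = _version_date(fields["URL database version - cloud"])
    return (cloud - device).days


def diagnose(fields: Dict[str, str], ha_state: Optional[str] = None) -> List[str]:
    """Return the remediation steps from the troubleshooting table that apply."""
    actions: List[str] = []
    if fields.get("License") != "valid":
        actions.append("license: obtain and install a valid PAN-DB license")
    out_of_date = fields.get("URL database status") != "good"
    try:
        out_of_date = out_of_date or database_lag_days(fields) > MAX_DB_LAG_DAYS
    except (KeyError, ValueError):
        pass  # version fields absent or unparsable: rely on the status field alone
    if out_of_date:
        actions.append("database: request url-filtering download paloaltonetworks region <region>")
    if fields.get("Protocol compatibility status") != "compatible":
        actions.append("protocol: upgrade PAN-OS to the latest version")
    if ha_state is not None and ha_state not in HA_STATES_WITH_CLOUD_ACCESS:
        actions.append(f"ha: state '{ha_state}' blocks cloud access, check show high-availability state")
    if fields.get("Cloud connection") != "connected":
        actions.append("connectivity: ping source <mgmt-ip> host s0000.urlcloud.paloaltonetworks.com")
    return actions


if __name__ == "__main__":
    parsed = parse_url_cloud_status(SAMPLE_NOT_CONNECTED)
    for action in diagnose(parsed, ha_state="active"):
        print(action)
```

Feed it the raw output of the command (for example from a scheduled CLI collection) and pass the value of show high-availability state when the firewall is an HA member; an empty list means none of the table's conditions applies and the next place to look is firewall utilization (Step 2 of the Not Resolved procedure below).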
URLs Classified as Not Resolved
The following table describes procedures you can use to resolve issues where some or all of the URLs being identified by PAN-DB are classified as Not-resolved:
Troubleshoot URLs Classified as Not Resolved
Step 1
Check the PAN-DB cloud connection by running the following command:
admin@PA-200> show url-cloud status
The Cloud connection: field should show connected. If you see anything other than connected, any URL that does not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB Cloud Connectivity Issues.
Step 2
If the cloud connection status shows connected, check the current utilization of the firewall. If firewall utilization is spiking, URL requests may be dropped (may not reach the management plane), and will be categorized as not-resolved.
To view system resources, run the following command and view the %CPU and %MEM columns:
admin@PA-200> show system resources
You can also view system resources from the firewall's web interface by clicking the Dashboard tab and viewing the System Resources section.
Step 3
If the problem persists, contact Palo Alto Networks support.
Incorrect Categorization
The following steps describe the procedures you can use if you identify a URL that does not have the correct categorization. For example, if the URL paloaltonetworks.com was categorized as alcohol-and-tobacco, the categorization is not correct; the category should be computer-and-internet-info.
Troubleshoot Incorrect Categorization Issues
Step 1
Verify the category in the dataplane by running the following command:
admin@PA-200> show running url <URL>
For example, to view the category for the Palo Alto Networks website, run the following command:
admin@PA-200> show running url paloaltonetworks.com
If the URL stored in the dataplane cache has the correct category (computer-and-internet-info in this example), then the categorization is correct and no further action is required. If the category is not correct, continue to the next step.
Step 2
Verify the category in the management plane by running the following command:
admin@PA-200> test url-info-host <URL>
For example:
admin@PA-200> test url-info-host paloaltonetworks.com
If the URL stored in the management plane cache has the correct category, remove the URL from the dataplane cache by running the following command:
admin@PA-200> clear url-cache url <URL>
The next time the firewall requests the category for this URL, the request will be forwarded to the management plane. This will resolve the issue and no further action is required. If this does not solve the issue, go to the next step to check the URL category on the cloud systems.
Step 3
Verify the category in the cloud by running the following command:
admin@PA-200> test url-info-cloud <URL>
Step 4
If the URL stored in the cloud has the correct category, remove the URL from the dataplane and the management plane caches.
Run the following command to delete a URL from the dataplane cache:
admin@PA-200> clear url-cache url <URL>
Run the following command to delete a URL from the management plane cache:
admin@PA-200> delete url-database url <URL>
The next time the firewall queries for the category of the given URL, the request will be forwarded to the management plane and then to the cloud. This should resolve the category lookup issue. If problems persist, see the next step to submit a categorization change request.
Step 5
To submit a change request from the web interface, go to the URL log and select the log entry for the URL you would like to have changed.
Step 6
Click the Request Categorization change link and follow the instructions. You can also request a category change from the Palo Alto Networks Test A Site website by searching for the URL and then clicking the Request Change icon. To view a list of all available categories with descriptions of each category, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
If your change request is approved, you will receive an email notification. You then have two options to ensure that the URL category is updated on the firewall:
  Wait until the URL in the cache expires; the next time the URL is accessed by a user, the new categorization update will be put in the cache.
  Run the following command to force an update in the cache:
  admin@PA-200> request url-filtering update url <URL>
URL Database Out of Date
If you have observed through the syslog or the CLI that PAN-DB is out of date, it means that the connection from the firewall to the URL cloud is blocked. This usually occurs when the URL database on the firewall is too old (the version difference is more than three months) and the cloud cannot update the firewall automatically. To resolve this issue, you will need to re-download an initial seed database from the cloud (this operation is not blocked). This will result in an automatic re-activation of PAN-DB.
To manually update the database, perform one of the following steps:
Quality of Service
Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to dependably run high-priority applications and traffic under limited network capacity. QoS technologies accomplish this by providing differentiated handling and capacity allocation to specific flows in network traffic. This enables the network administrator to assign the order in which traffic is handled, and the amount of bandwidth afforded to traffic.
Palo Alto Networks Application Quality of Service (QoS) provides basic QoS applied to networks and extends it to provide QoS to applications and users.
Use the following topics to learn about and configure Palo Alto Networks application-based QoS:
  QoS Overview
  QoS Concepts
  Configure QoS
  Configure QoS for a Virtual System
  Enforce QoS Based on DSCP Classification
  QoS Use Cases
Use the Palo Alto Networks product comparison tool to view the QoS features supported on your firewall platform. Select two or more product platforms and click Compare Now to view QoS feature support for each platform (for example, you can check if your firewall platform supports QoS on subinterfaces and, if so, the maximum number of subinterfaces on which QoS can be enabled).
QoS on Aggregate Ethernet (AE) interfaces is supported on PA-7000 Series, PA-5000 Series, PA-3000 Series, and PA-2000 Series firewalls running PAN-OS 7.0 or later release versions.
QoS Overview
Use QoS to prioritize and adjust quality aspects of network traffic. You can assign the order in which packets are handled and allot bandwidth, ensuring preferred treatment and optimal levels of performance are afforded to selected traffic, applications, and users.
Service quality measurements subject to a QoS implementation are bandwidth (maximum rate of transfer), throughput (actual rate of transfer), latency (delay), and jitter (variance in latency). The capability to shape and control these service quality measurements makes QoS of particular importance to high-bandwidth, real-time traffic such as voice over IP (VoIP), video conferencing, and video-on-demand that has a high sensitivity to latency and jitter. Additionally, use QoS to achieve outcomes such as the following:
  Prioritize network and application traffic, guaranteeing high priority to important traffic or limiting nonessential traffic.
  Achieve equal bandwidth sharing among different subnets, classes, or users in a network.
  Allocate bandwidth externally or internally or both, applying QoS to both upload and download traffic or to only upload or download traffic.
  Ensure low latency for customer and revenue-generating traffic in an enterprise environment.
  Perform traffic profiling of applications to ensure bandwidth usage.
QoS implementation on a Palo Alto Networks firewall begins with three primary configuration components that support a full QoS solution: a QoS Profile, a QoS Policy, and setting up the QoS Egress Interface. Each of these options in the QoS configuration task facilitates a broader process that optimizes and prioritizes the traffic flow and allocates and ensures bandwidth according to configurable parameters.
The figure QoS Traffic Flow shows traffic as it flows from the source, is shaped by the firewall with QoS enabled, and is ultimately prioritized and delivered to its destination.
QoS Traffic Flow
The QoS configuration options allow you to control the traffic flow and define it at different points in the flow. The QoS Traffic Flow indicates where the configurable options define the traffic flow. A QoS policy rule allows you to define traffic you want to receive QoS treatment and assign that traffic a QoS class. The matching traffic is then shaped based on the QoS profile class settings as it exits the physical interface.
Each of the QoS configuration components influences the others, and the QoS configuration options can be used to create a full and granular QoS implementation or can be used sparingly with minimal administrator action.
Each firewall model supports a maximum number of ports that can be configured with QoS. Refer to the spec sheet for your firewall model or use the product comparison tool to view QoS feature support for two or more firewalls on a single page.
QoS Concepts
Use the following topics to learn about the different components and mechanisms of a QoS configuration on a Palo Alto Networks firewall:
  QoS for Applications and Users
  QoS Policy
  QoS Profile
  QoS Classes
  QoS Priority Queuing
  QoS Bandwidth Management
  QoS Egress Interface
  QoS for Clear Text and Tunneled Traffic
QoS for Applications and Users
A Palo Alto Networks firewall provides basic QoS, controlling traffic leaving the firewall according to network or subnet, and extends the power of QoS to also classify and shape traffic according to application and user. The Palo Alto Networks firewall provides this capability by integrating the features App-ID and User-ID with the QoS configuration. App-ID and User-ID entries that exist to identify specific applications and users in your network are available in the QoS configuration so that you can easily specify applications and users for which you want to manage and/or guarantee bandwidth.
QoS Policy
Use a QoS policy rule to define traffic to receive QoS treatment (either preferential treatment or bandwidth limiting) and assign such traffic a QoS class of service.
Define a QoS policy rule to match traffic based on:
  Applications and application groups.
  Source zones, source addresses, and source users.
  Destination zones and destination addresses.
  Services and service groups limited to specific TCP and/or UDP port numbers.
  URL categories, including custom URL categories.
  Differentiated Services Code Point (DSCP) and Type of Service (ToS) values, which are used to indicate the level of service requested for traffic, such as high priority or best effort delivery.
Set up multiple QoS policy rules (Policies > QoS) to associate different types of traffic with different QoS classes of service.
QoS Profile
Use a QoS profile rule to define values of up to eight QoS classes contained within that single profile rule. With a QoS profile rule, you can define QoS Priority Queuing and QoS Bandwidth Management for QoS classes. Each QoS profile rule allows you to configure individual bandwidth and priority settings for up to eight QoS classes, as well as the total bandwidth allotted for the eight classes combined. Attach the QoS profile rule (or multiple QoS profile rules) to a physical interface to apply the defined priority and bandwidth settings to the traffic exiting that interface.
A default QoS profile rule is available on the firewall. The default profile rule and the classes defined in the profile do not have predefined maximum or guaranteed bandwidth limits.
To define priority and bandwidth settings for QoS classes, Add a QoS profile rule.
QoS Classes
A QoS class determines the priority and bandwidth for traffic matching a QoS Policy rule. You can use a QoS Profile rule to define QoS classes. There are up to eight definable QoS classes in a single QoS profile. Unless otherwise configured, traffic that does not match a QoS class is assigned a class of 4.
QoS Priority Queuing and QoS Bandwidth Management, the fundamental mechanisms of a QoS configuration, are configured within the QoS class definition (see Step 4). For each QoS class, you can set a priority (real-time, high, medium, and low) and the maximum and guaranteed bandwidth for matching traffic. QoS priority queuing and bandwidth management determine the order of traffic and how traffic is handled upon entering or leaving a network.
QoS Priority Queuing
One of four priorities can be enforced for a QoS class: real-time, high, medium, and low. Traffic matching a QoS policy rule is assigned the QoS class associated with that rule, and the firewall treats the matching traffic based on the QoS class priority. Packets in the outgoing traffic flow are queued based on their priority until the network is ready to process the packets. Priority queuing allows you to ensure that important traffic, applications, and users take precedence. Real-time priority is typically used for applications that are particularly sensitive to latency, such as voice and video applications.
QoS Bandwidth Management
QoS bandwidth management allows you to control traffic flows on a network so that traffic does not exceed network capacity (resulting in network congestion) and also allows you to allocate bandwidth for certain types of traffic and for applications and users. With QoS, you can enforce bandwidth for traffic on a narrow or a broad scale. A QoS profile rule allows you to set bandwidth limits for individual QoS classes and the total combined bandwidth for all eight QoS classes. As part of the steps to Configure QoS, you can attach the QoS profile rule to a physical interface to enforce bandwidth settings on the traffic exiting that interface: the individual QoS class settings are enforced for traffic matching that QoS class (QoS classes are assigned to traffic matching QoS Policy rules), and the overall bandwidth limit for the profile can be applied to all clear text traffic, to specific clear text traffic originating from source interfaces and source subnets, to all tunneled traffic, and to individual tunnel interfaces. You can add multiple profile rules to a single QoS interface to apply varying bandwidth settings to the traffic exiting that interface.
The following fields support QoS bandwidth settings:
  Egress Guaranteed: The amount of bandwidth guaranteed for matching traffic. When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis. Bandwidth that is guaranteed but is unused continues to remain available for all traffic. Depending on your QoS configuration, you can guarantee bandwidth for a single QoS class, for all or some clear text traffic, and for all or some tunneled traffic.
  Example: Class 1 traffic has 5 Gbps of egress guaranteed bandwidth, which means that 5 Gbps is available but is not reserved for class 1 traffic. If Class 1 traffic does not use or only partially uses the guaranteed bandwidth, the remaining bandwidth can be used by other classes of traffic. However, during high traffic periods, 5 Gbps of bandwidth is absolutely available for class 1 traffic. During these periods of congestion, any Class 1 traffic that exceeds 5 Gbps is best effort.
  Egress Max: The overall bandwidth allocation for matching traffic. The firewall drops traffic that exceeds the egress max limit that you set. Depending on your QoS configuration, you can set a maximum bandwidth limit for a QoS class, for all or some clear text traffic, for all or some tunneled traffic, and for all traffic exiting the QoS interface.
The cumulative guaranteed bandwidth for the QoS profile rules attached to the interface must not exceed the total bandwidth allocated to the interface.
To define bandwidth settings for QoS classes, Add a QoS profile rule. To then apply those bandwidth settings to clear text and tunneled traffic, and to set the overall bandwidth limit for a QoS interface, Enable QoS on a physical interface.
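To make the Egress Guaranteed and Egress Max semantics described above concrete, the following Python model is an added example (not PAN-OS code and not a description of the firewall's actual scheduler): every class first receives its guarantee, leftover interface capacity is then handed out in priority order up to each class's Egress Max, demand above Egress Max is dropped, and a profile whose guarantees exceed the interface's capacity is rejected, as the constraint above requires. The scenario, its offered loads and every class other than the page's LimitWebBrowsing class 2 (50 Mbps max, 2 Mbps guaranteed) are constructed for the example.

```python
"""Simplified model of Egress Guaranteed / Egress Max behaviour for the classes
of one QoS profile on one interface. Added example, not PAN-OS's scheduler."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Order in which leftover bandwidth is handed out beyond the guarantees.
PRIORITY_RANK = {"real-time": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class QosClass:
    name: str
    priority: str
    guaranteed: float  # Egress Guaranteed in Mbps (0 = none)
    maximum: float     # Egress Max in Mbps
    demand: float      # offered load in Mbps; constructed for the example


def allocate(interface_max: float, classes: List[QosClass]) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Return (allocated, dropped) per class, in Mbps.

    1. The guarantees must fit within the interface (the page's constraint).
    2. Each class first receives min(demand, guaranteed).
    3. Leftover interface capacity is handed out in priority order, never past
       a class's Egress Max: traffic beyond the guarantee is best effort.
    4. Demand above Egress Max is dropped, not queued.
    """
    if sum(c.guaranteed for c in classes) > interface_max:
        raise ValueError("cumulative Egress Guaranteed exceeds the interface's Egress Max")
    for c in classes:
        if c.priority not in PRIORITY_RANK:
            raise ValueError(f"unknown priority {c.priority!r}")

    allocated: Dict[str, float] = {}
    remaining = interface_max
    for c in classes:
        allocated[c.name] = min(c.demand, c.guaranteed)
        remaining -= allocated[c.name]

    for c in sorted(classes, key=lambda k: PRIORITY_RANK[k.priority]):
        ceiling = min(c.demand, c.maximum)
        extra = min(max(ceiling - allocated[c.name], 0.0), remaining)
        allocated[c.name] += extra
        remaining -= extra

    dropped = {c.name: max(c.demand - c.maximum, 0.0) for c in classes}
    return allocated, dropped


# Constructed scenario on a 1000 Mbps interface: class 2 carries the page's
# LimitWebBrowsing settings; class 1 and the default class 4 are made up to
# show how priority and idle guaranteed bandwidth interact under congestion.
SCENARIO = [
    QosClass("class1", "high", guaranteed=500, maximum=1000, demand=700),
    QosClass("class2", "low", guaranteed=2, maximum=50, demand=80),
    QosClass("class4", "medium", guaranteed=0, maximum=1000, demand=600),
]

if __name__ == "__main__":
    alloc, drop = allocate(1000, SCENARIO)
    for name in alloc:
        print(f"{name}: sent {alloc[name]:.0f} Mbps, dropped over Egress Max {drop[name]:.0f} Mbps")
```

In the constructed scenario class 2 gets only its 2 Mbps guarantee because the higher-priority classes consume the rest of the interface, 30 Mbps of its 80 Mbps offered load is dropped for exceeding Egress Max, and class 1 reaches its full 700 Mbps demand even though only 500 Mbps is guaranteed, which is the "5 Gbps is available but is not reserved" behaviour from the Egress Guaranteed example.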
QoS Egress Interface
Enabling a QoS profile rule on the egress interface of the traffic identified for QoS treatment completes a QoS configuration. The ingress interface for QoS traffic is the interface on which the traffic enters the firewall. The egress interface for QoS traffic is the interface that traffic leaves the firewall from. QoS is always enabled and enforced on the egress interface for a traffic flow. The egress interface in a QoS configuration can either be the external- or internal-facing interface of the firewall, depending on the flow of the traffic receiving QoS treatment.
For example, in an enterprise network, if you are limiting employees' download traffic from a specific website, the egress interface in the QoS configuration is the firewall's internal interface, as the traffic flow is from the Internet, through the firewall, and to your company network. Alternatively, when limiting employees' upload traffic to the same website, the egress interface in the QoS configuration is the firewall's external interface, as the traffic you are limiting flows from your company network, through the firewall, and then to the Internet.
See Step 3 to learn how to identify the egress interface for applications that you want to receive QoS treatment.
QoS for Clear Text and Tunneled Traffic
At the minimum, enabling a QoS interface requires you to select a default QoS profile rule that defines bandwidth and priority settings for clear text traffic egressing the interface. However, when setting up or modifying a QoS interface, you can apply granular QoS settings to outgoing clear text traffic and tunneled traffic. QoS preferential treatment and bandwidth limiting can be enforced for tunneled traffic, for individual tunnel interfaces, and/or for clear text traffic originating from different source interfaces and source subnets. On Palo Alto Networks firewalls, tunneled traffic refers to tunnel interface traffic, specifically IPSec traffic in tunnel mode.
Configure QoS
Follow these steps to configure Quality of Service (QoS), which includes creating a QoS profile, creating a QoS policy, and enabling QoS on an interface.
Configure QoS
Step 1
Identify the traffic you want to manage with QoS.
This example shows how to use QoS to limit web-browsing.
Step 2
Identify the egress interface for applications that you want to receive QoS treatment.
The egress interface for traffic depends on the traffic flow. If you are shaping incoming traffic, the egress interface is the internal-facing interface. If you are shaping outgoing traffic, the egress interface is the external-facing interface.
Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface listed in the Destination section.
Configure QoS (Continued)
Step 3
Add a QoS policy rule.
A QoS policy rule defines the traffic to receive QoS treatment. The firewall assigns a QoS class of service to the traffic matched to the policy rule.
2. On the General tab, give the QoS Policy Rule a descriptive Name.
3. Specify traffic to receive QoS treatment based on Source, Destination, Application, Service/URL Category, and DSCP/ToS values (the DSCP/ToS settings allow you to Enforce QoS Based on DSCP Classification).
   For example, select Application, click Add, and select web-browsing to apply QoS to web-browsing traffic.
4. (Optional) Continue to define additional parameters. For example, select Source and Add a source user to provide QoS for a specific user's web traffic.
6. Click OK.
Configure QoS (Continued)
Step 4
Add a QoS profile rule.
A QoS profile rule allows you to define the eight classes of service that traffic can receive, including priority, and enables QoS Bandwidth Management.
You can edit any existing QoS profile, including the default, by clicking the QoS profile name.
5. Click OK.
In the following example, the QoS profile rule LimitWebBrowsing limits Class 2 traffic to a maximum bandwidth of 50 Mbps and a guaranteed bandwidth of 2 Mbps.
Configure QoS (Continued)
Step 5
Enable QoS on a physical interface.
Part of this step includes the option to select clear text and tunneled traffic for unique QoS treatment.
Check if the platform you're using supports enabling QoS on a subinterface by reviewing a summary of the Product Specifications.
5. In the Default Profile section, select a QoS profile rule to apply to all Clear Text traffic exiting the physical interface.
6. (Optional) Select a default QoS profile rule to apply to all tunneled traffic exiting the interface.
   For example, enable QoS on ethernet1/1 and apply the bandwidth and priority settings you defined for the QoS profile rule LimitWebBrowsing (Step 4) to be used as the default settings for clear text egress traffic.
7. (Optional) Continue to define more granular settings to provide QoS for Clear Text and Tunneled Traffic. Settings configured on the Clear Text Traffic tab and the Tunneled Traffic tab automatically override the default profile settings for clear text and tunneled traffic on the Physical Interface tab.
   Select Clear Text Traffic and:
     Set the Egress Guaranteed and Egress Max bandwidths for clear text traffic.
     Click Add and apply a QoS profile rule to enforce clear text traffic based on source interface and source subnet.
   Select Tunneled Traffic and:
     Set the Egress Guaranteed and Egress Max bandwidths for tunneled traffic.
     Click Add and attach a QoS profile rule to a single tunnel interface.
8. Click OK.
Step 6
Commit the configuration.
Configure QoS (Continued)
Step 7
Verify a QoS configuration.
Class 2 traffic limited to 2 Mbps of guaranteed bandwidth and a maximum bandwidth of 50 Mbps.
Continue to click the tabs to display further information regarding applications, source users, destination users, security rules and QoS rules.
Bandwidth limits shown on the QoS Statistics window include a hardware adjustment factor.
Configure QoS for a Virtual System
QoS can be configured for a single or several virtual systems configured on a Palo Alto Networks firewall. Because a virtual system is an independent firewall, QoS must be configured independently for a single virtual system.
Configuring QoS for a virtual system is similar to configuring QoS on a physical firewall, with the exception that configuring QoS for a virtual system requires specifying the source and destination of traffic. Because a virtual system exists without set physical boundaries and because traffic in a virtual environment spans more than one virtual system, specifying source and destination zones and interfaces for traffic is necessary to control and shape traffic for a single virtual system.
The example below shows two virtual systems configured on a firewall. VSYS1 (purple) and VSYS2 (red) each have QoS configured to prioritize or limit two distinct traffic flows, indicated by their corresponding purple (VSYS1) and red (VSYS2) lines. The QoS nodes indicate the points at which traffic is matched to a QoS policy and assigned a QoS class of service, and then later indicate the point at which traffic is shaped as it egresses the firewall.
Refer to the Virtual Systems (VSYS) tech note for information on Virtual Systems and how to configure them.
Configure QoS in a Virtual System Environment
Step 2
Identify traffic to apply QoS to.
This example shows how to limit web-browsing traffic on vsys1.
Click any application name to display detailed application information.
Step 3
Identify the egress interface for applications that you identified as needing QoS treatment.
In a virtual system environment, QoS is applied to traffic at the traffic's egress point on the virtual system. Depending on the configuration and QoS policy for a virtual system, the egress point of QoS traffic could be associated with a physical interface or could be a zone.
Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface, as well as source and destination zones, in the Source and Destination sections.
For example, for web-browsing traffic from VSYS1, the ingress interface is ethernet1/2, the egress interface is ethernet1/1, the source zone is trust and the destination zone is untrust.
Step 4
Create a QoS Profile.
You can edit any existing QoS Profile, including the default, by clicking the profile name.
2. Enter a descriptive Profile Name.
3. Enter an Egress Max to set the overall bandwidth allocation for the QoS profile.
5. In the Classes section of the QoS Profile, specify how to treat up to eight individual QoS classes:
   a. Click Add to add a class to the QoS Profile.
   b. Select the Priority for the class.
   c. Enter an Egress Max for a class to set the overall bandwidth limit for that individual class.
   d. Enter an Egress Guaranteed for the class to set the guaranteed bandwidth for that individual class.
6. Click OK to save the QoS profile.
Step 5
Create a QoS policy.
In an environment with multiple virtual systems, traffic spans more than one virtual system. Because of this, when you are enabling QoS for a virtual system, you must define traffic to receive QoS treatment based on source and destination zones. This ensures that the traffic is prioritized and shaped only for that virtual system (and not for other virtual systems through which the traffic might flow).
4. Select Source and Add the source zone of vsys1 web-browsing traffic.
5. Select Destination and Add the destination zone of vsys1 web-browsing traffic.
7. Click OK to save the QoS policy rule.
Step 6
Enable the QoS Profile on a physical interface.
It is a best practice to always define the Egress Max value for a QoS interface.
3. On the Physical Interface tab, select the default QoS profile to apply to all Clear Text traffic.
   (Optional) Use the Tunnel Interface field to apply a default QoS profile to all tunneled traffic.
6. Click OK to save changes.
7. Commit the changes.
Step 7
Verify QoS configuration.
Enforce QoS Based on DSCP Classification
A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request (for example) high priority or best effort delivery for traffic. Session-Based DSCP Classification allows you to both honor DSCP values for incoming traffic and to mark a session with a DSCP value as session traffic exits the firewall. This enables all inbound and outbound traffic for a session to receive continuous QoS treatment as it flows through your network. For example, inbound return traffic from an external server can now be treated with the same QoS priority that the firewall initially enforced for the outbound flow, based on the DSCP value the firewall detected at the beginning of the session. Network devices between the firewall and end user will also then enforce the same priority for the return traffic (and any other outbound or inbound traffic for the session).
Different types of DSCP markings indicate different levels of service:
Apply QoS Based on DSCP/ToS Marking
Before You Begin
Make sure that you have performed the preliminary steps to Configure QoS.
Step 1
Define the traffic to receive QoS treatment based on DSCP value.
3. Add the DSCP/ToS code points for which you want to enforce QoS.
4. Select the Type of DSCP/ToS marking for the QoS rule to match to traffic.
   It is a best practice to use a single DSCP type to manage and prioritize your network traffic.
5. Match the QoS policy to traffic on a more granular scale by specifying the Codepoint value. For example, with Assured Forwarding (AF) selected as the Type of DSCP value for the policy to match, further specify an AF Codepoint value such as AF11.
   When Expedited Forwarding (EF) is selected as the Type of DSCP marking, a granular Codepoint value cannot be specified. The QoS policy rule matches to traffic marked with any EF codepoint value.
7. Click OK to save the QoS rule.
Step 2
Define the QoS priority for traffic to receive when it is matched to a QoS rule based on the DSCP marking detected at the beginning of a session.
3. Select a Priority for the class of traffic, such as high.
4. Click OK to save the QoS Profile.
Step 3
Enable QoS on an interface.
Step 4
Enable DSCP Marking.
Mark return traffic with a DSCP value, enabling the inbound flow for a session to be marked with the same DSCP value detected for the outbound flow.
1. Select Policies > Security and Add or modify a security policy.
2. Select Actions and, in the QoS Marking drop-down, choose Follow-Client-to-Server-Flow.
3. Click OK to save your changes.
Completing this step enables the firewall to mark traffic with the same DSCP value that was detected at the beginning of a session (in this example, the firewall would mark return traffic with the DSCP AF11 value). While configuring QoS allows you to shape traffic as it egresses the firewall, enabling this option in a security rule allows the other network devices intermediate to the firewall and the client to continue to enforce priority for DSCP-marked traffic.
Step 5
Save the configuration.
Commit your changes.
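The DSCP values named in this procedure (AF11, and the EF type that takes no Codepoint value) and the Follow-Client-to-Server-Flow marking action are easier to reason about with the bit layout in front of you. The following Python block is an added example, not code from this guide or from the firewall: it encodes and names code points according to the layouts in RFC 2474, RFC 2597 and RFC 3246, models the Step 1 rule match on AF/EF type and optional code point, and models the Step 4 marking of return traffic with the DSCP seen on the client-to-server direction. The rule-type names ('af', 'ef') and the choice to keep the return packet's own ECN bits are assumptions of this example, not behaviour the page states.

```python
"""DSCP encode/decode plus a model of the two behaviours in this section:
matching a QoS rule on AF/EF type and code point (Step 1) and marking return
traffic with the client-to-server DSCP (Step 4). Added example; bit layouts
follow RFC 2474/2597/3246, the session model is a simplification."""
from typing import Optional

EF = 46  # Expedited Forwarding, 101110b


def af_codepoint(af_class: int, drop_precedence: int) -> int:
    """AFxy: class x (1-4) in bits 5-3, drop precedence y (1-3) in bits 2-1."""
    if not 1 <= af_class <= 4 or not 1 <= drop_precedence <= 3:
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def dscp_from_tos(tos: int) -> int:
    """The DSCP is the upper six bits of the IPv4 ToS / IPv6 Traffic Class byte."""
    return (tos >> 2) & 0x3F


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Rebuild the ToS byte; the low two bits carry ECN, not DSCP."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def describe(dscp: int) -> str:
    """Name a code point: EF, CSx, AFxy, BE (the default/CS0) or unassigned."""
    if dscp == EF:
        return "EF"
    if dscp == 0:
        return "BE"
    if dscp & 0b111 == 0:
        return f"CS{dscp >> 3}"
    af_class, drop, lsb = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if 1 <= af_class <= 4 and 1 <= drop <= 3 and lsb == 0:
        return f"AF{af_class}{drop}"
    return f"unassigned({dscp})"


def qos_rule_matches(dscp: int, dscp_type: str, codepoint: Optional[str] = None) -> bool:
    """Model of the Step 1 rule: type 'af' optionally narrowed to one AFxy code
    point; type 'ef' matches EF and, as the page notes, accepts no code point.
    The type names are this example's, not the firewall's field values."""
    if dscp_type == "ef":
        if codepoint is not None:
            raise ValueError("EF type does not take a Codepoint value")
        return dscp == EF
    if dscp_type == "af":
        name = describe(dscp)
        if not name.startswith("AF"):
            return False
        return codepoint is None or name == codepoint.upper()
    raise ValueError(f"unsupported DSCP type {dscp_type!r}")


def mark_return_tos(client_to_server_tos: int, server_to_client_tos: int) -> int:
    """Follow-Client-to-Server-Flow: the return packet is re-marked with the DSCP
    seen on the client-to-server direction. Keeping the return packet's own ECN
    bits is an assumption of this example."""
    return tos_from_dscp(dscp_from_tos(client_to_server_tos), server_to_client_tos & 0x3)


if __name__ == "__main__":
    outbound_tos = tos_from_dscp(af_codepoint(1, 1))  # AF11, as in Step 1 (constructed)
    inbound_tos = 0x00                                # unmarked reply from the server (constructed)
    print(describe(dscp_from_tos(outbound_tos)), hex(mark_return_tos(outbound_tos, inbound_tos)))
```

Running the block prints AF11 and 0x28: the unmarked reply leaves the firewall carrying the same AF11 code point the outbound flow had, which is what lets the intermediate devices described above keep prioritizing the session's return traffic.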
QoS Use Cases
The following use cases demonstrate how to use QoS in common scenarios:
  Use Case: QoS for a Single User
  Use Case: QoS for Voice and Video Applications
Use Case: QoS for a Single User
A CEO finds that during periods of high network usage, she is unable to access enterprise applications to respond effectively to critical business communications. The IT admin wants to ensure that all traffic to and from the CEO receives preferential treatment over other employee traffic so that she is guaranteed not only access to, but high performance of, critical network resources.
Apply QoS to a Single User
Step 1
The admin creates the QoS profile CEO_traffic to define how traffic originating from the CEO will be treated and shaped as it flows out of the company network:
The admin assigns a guaranteed bandwidth (Egress Guaranteed) of 50 Mbps to ensure that the CEO will have that amount of bandwidth guaranteed to her at all times (more than she would need to use), regardless of network congestion.
The admin continues by designating Class 1 traffic as high priority and sets the profile's maximum bandwidth usage (Egress Max) to 1000 Mbps, the same maximum bandwidth for the interface that the admin will enable QoS on. The admin is choosing to not restrict the CEO's bandwidth usage in any way.
It is a best practice to populate the Egress Max field for a QoS profile, even if the max bandwidth of the profile matches the max bandwidth of the interface. The QoS profile's max bandwidth should never exceed the max bandwidth of the interface you are planning to enable QoS on.
Apply QoS to a Single User (Continued)
Step 2
The admin creates a QoS policy to identify the CEO's traffic (Policies > QoS) and assigns it the class that he defined in the QoS profile (see Step 1). Because User-ID is configured, the admin uses the Source tab in the QoS policy to singularly identify the CEO's traffic by her company network username. (If User-ID is not configured, the administrator could Add the CEO's IP address under Source Address. See User-ID.)
Step 3
Because the admin wants to ensure that all traffic originating from the CEO is guaranteed by the QoS profile and associated QoS policy he created, he selects the CEO_traffic profile to apply to Clear Text traffic flowing from ethernet1/2.
Step 4
He clicks Statistics to view how traffic originating with the CEO (Class 1) is being shaped as it flows from ethernet1/2.
This case demonstrates how to apply QoS to traffic originating from a single source user. However, if you also wanted to guarantee or shape traffic to a destination user, you could configure a similar QoS setup. Instead of, or in addition to, this workflow, create a QoS policy that specifies the user's IP address as the Destination Address on the Policies > QoS page (instead of specifying the user's source information, as shown in Step 2) and then enable QoS on the network's internal-facing interface on the Network > QoS page (instead of the external-facing interface, as shown in Step 3).
UseCase:QoSforVoiceandVideoApplications
VoiceandvideotrafficisparticularlysensitivetomeasurementsthattheQoSfeatureshapesandcontrols,
especiallylatencyandjitter.Forvoiceandvideotransmissionstobeaudibleandclear,voiceandvideo
packetscannotbedropped,delayed,ordeliveredinconsistently.Abestpracticeforvoiceandvideo
applications,inadditiontoguaranteeingbandwidth,istoguaranteeprioritytovoiceandvideotraffic.
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 597
QoSUseCases
QualityofService
In this example, employees at a company branch office are experiencing difficulties and unreliability in using video conferencing and Voice over IP (VoIP) technologies to conduct business communications with other branch offices, with partners, and with customers. An IT admin intends to implement QoS to address these issues and ensure effective and reliable business communication for the branch employees. Because the admin wants to guarantee QoS for both incoming and outgoing network traffic, he will enable QoS on both the firewall's internal- and external-facing interfaces.

Ensure Quality for Voice and Video Applications
Step 1
The admin creates a QoS profile, defining Class 2 so that Class 2 traffic receives real-time priority and, on an interface with a maximum bandwidth of 1000 Mbps, is guaranteed a bandwidth of 250 Mbps at all times, including peak periods of network usage.
Real-time priority is typically recommended for applications affected by latency, and is particularly useful in guaranteeing the performance and quality of voice and video applications.
On the firewall web interface, the admin selects Network > Network Profiles > QoS Profile, clicks Add, enters the Profile Name ensure-voip-video-traffic, and defines Class 2 traffic.
Step 2
The admin creates a QoS policy to identify voice and video traffic. Because the company does not have one standard voice and video application, the admin wants to ensure QoS is applied to a few applications that are widely and regularly used by employees to communicate with other offices, with partners, and with customers.
On the Policies > QoS > QoS Policy Rule > Applications tab, the admin clicks Add and opens the Application Filter window. The admin continues by selecting criteria to filter the applications he wants to apply QoS to, choosing the Subcategory voip-video, and narrowing that down by specifying only voip-video applications that are both low risk and widely used.
The application filter is a dynamic tool that, when used to filter applications in the QoS policy, allows QoS to be applied to all applications that meet the criteria of voip-video, low risk, and widely used at any given time.
The admin names the Application Filter voip-video-low-risk and includes it in the QoS policy.
The admin names the QoS policy VoiceVideo and selects Other Settings to assign all traffic matched to the policy to Class 2. He is going to use the VoiceVideo QoS policy for both incoming and outgoing QoS traffic, so he sets the Source and Destination information to Any.
Step 3
Because the admin wants to ensure QoS for both incoming and outgoing voice and video communications, he enables QoS on the network's external-facing interface (to apply QoS to outgoing communications) and on the internal-facing interface (to apply QoS to incoming communications).
The admin begins by enabling the QoS profile he created in Step 1, ensure-voip-video-traffic (Class 2 in this profile is associated with the policy created in Step 2, VoiceVideo), on the external-facing interface, in this case ethernet1/2.
He then enables the same QoS profile, ensure-voip-video-traffic, on a second interface, the internal-facing interface (in this case, ethernet1/1).
Step 4
The admin has successfully enabled QoS on both the network's internal- and external-facing interfaces. Real-time priority is now ensured for voice and video application traffic as it flows both into and out of the network, ensuring that these communications, which are particularly sensitive to latency and jitter, can be used reliably and effectively for both internal and external business communications.
VPNs
Virtual private networks (VPNs) create tunnels that allow users and systems to connect securely over a public network, as if they were connecting over a local area network (LAN). To set up a VPN tunnel, you need a pair of devices that can authenticate each other and encrypt the flow of information between them. The devices can be a pair of Palo Alto Networks firewalls, or a Palo Alto Networks firewall along with a VPN-capable device from another vendor.
- VPN Deployments
- Site-to-Site VPN Overview
- Site-to-Site VPN Concepts
- Set Up Site-to-Site VPN
- Site-to-Site VPN Quick Configs
VPN Deployments
The Palo Alto Networks firewall supports the following VPN deployments:
- Site-to-Site VPN: A simple VPN that connects a central site and a remote site, or a hub-and-spoke VPN that connects a central site with multiple remote sites. The firewall uses the IP Security (IPSec) set of protocols to set up a secure tunnel for the traffic between the two sites. See Site-to-Site VPN Overview.
- Remote User-to-Site VPN: A solution that uses the GlobalProtect agent to allow a remote user to establish a secure connection through the firewall. This solution uses SSL and IPSec to establish a secure connection between the user and the site. Refer to the GlobalProtect Administrator's Guide.
- Large Scale VPN: The Palo Alto Networks GlobalProtect Large Scale VPN (LSVPN) provides a simplified mechanism to roll out a scalable hub-and-spoke VPN with up to 1,024 satellite offices. The solution requires Palo Alto Networks firewalls to be deployed at the hub and at every spoke. It uses certificates for device authentication, SSL for securing communication between all components, and IPSec to secure data. See Large Scale VPN (LSVPN).
Figure: VPN Deployments
Site-to-Site VPN Overview
A VPN connection that allows you to connect two Local Area Networks (LANs) is called a site-to-site VPN. You can configure route-based VPNs to connect Palo Alto Networks firewalls located at two sites or to connect a Palo Alto Networks firewall with a third-party security device at another location. The Palo Alto Networks firewall supports only route-based VPN, but it can also interoperate with third-party policy-based VPN devices (see the Proxy ID discussion under Tunnel Interface).

The Palo Alto Networks firewall sets up a route-based VPN, where the firewall makes a routing decision based on the destination IP address. If traffic is routed to a specific destination through a VPN tunnel, then it is handled as VPN traffic.

The IP Security (IPSec) set of protocols is used to set up a secure tunnel for the VPN traffic, and the information in the TCP/IP packet is authenticated (and encrypted if the tunnel protocol is ESP). The original IP packet (header and payload) is embedded in the payload of a new IP packet, a new header is applied, and the result is sent through the IPSec tunnel. The source IP address in the new header is that of the local VPN peer and the destination IP address is that of the VPN peer on the far end of the tunnel. When the packet reaches the remote VPN peer (the firewall at the far end of the tunnel), the outer header is removed and the original packet is sent to its destination.

In order to set up the VPN tunnel, the peers first need to be authenticated. After successful authentication, the peers negotiate the encryption mechanism and algorithms to secure the communication. The Internet Key Exchange (IKE) process is used to authenticate the VPN peers, and IPSec Security Associations (SAs) are defined at each end of the tunnel to secure the VPN communication. IKE uses digital certificates or preshared keys to authenticate the peers, and a Diffie-Hellman key exchange to derive the keys for the SAs of the IPSec tunnel. The SAs specify all of the parameters that are required for secure transmission, including the security parameter index (SPI), security protocol, cryptographic keys, and destination IP address, for encryption, data authentication, data integrity, and endpoint authentication.

The following figure shows a VPN tunnel between two sites. When a client that is secured by VPN Peer A needs content from a server located at the other site, VPN Peer A initiates a connection request to VPN Peer B. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure connection and authenticate VPN Peer B. Then, VPN Peer A establishes the VPN tunnel using the IPSec Crypto profile, which defines the IKE phase 2 parameters, to allow the secure transfer of data between the two sites.
Figure: Site-to-Site VPN
Site-to-Site VPN Concepts
A VPN connection provides secure access to information between two or more sites. In order to provide secure access to resources and reliable connectivity, a VPN connection needs the following components:
- IKE Gateway
- Tunnel Interface
- Tunnel Monitoring
- Internet Key Exchange (IKE) for VPN
- IKEv2

IKE Gateway
The Palo Alto Networks firewalls, or a firewall and another security device, that initiate and terminate VPN connections across the two networks are called the IKE Gateways. To set up the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP address (static or dynamic) or an FQDN. The VPN peers use preshared keys or certificates to mutually authenticate each other.

The peers must also negotiate the mode (main or aggressive) for setting up the VPN tunnel and the SA lifetime in IKE Phase 1. Main mode protects the identity of the peers and is the more secure option; it exchanges more packets when setting up the tunnel because the peer identities are sent only after the Diffie-Hellman exchange has established an encrypted channel. Main mode is the recommended mode for IKE negotiation if both peers support it. Aggressive mode uses fewer packets to set up the VPN tunnel and is hence faster, but it is less secure: the peer identities travel in the clear, and with preshared-key authentication the hash an attacker needs for an offline dictionary attack on the key is exposed on the wire. Use it only for a peer that cannot support main mode.

See Set Up an IKE Gateway for configuration details.

Tunnel Interface
To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical (virtual) interface that is used to deliver traffic between two endpoints. Each tunnel interface can have a maximum of 10 IPSec tunnels; this means that up to 10 networks can be associated with the same tunnel interface on the firewall.

The tunnel interface must belong to a security zone to apply policy, and it must be assigned to a virtual router in order to use the existing routing infrastructure. Ensure that the tunnel interface and the physical interface are assigned to the same virtual router so that the firewall can perform a route lookup and determine the appropriate tunnel to use.

Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an external zone, for example the untrust zone. While the tunnel interface can be in the same security zone as the physical interface, for added security and better visibility, you can create a separate zone for the tunnel interface. If you create a separate zone for the tunnel interface, say a VPN zone, you will need to create security policies to enable traffic to flow between the VPN zone and the trust zone.
To route traffic between the sites, a tunnel interface does not require an IP address. An IP address is only required if you want to enable tunnel monitoring or if you are using a dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next-hop IP address for routing traffic to the VPN tunnel.

If you are configuring the Palo Alto Networks firewall with a VPN peer that performs policy-based VPN, you must configure a local and remote Proxy ID when setting up the IPSec tunnel. Each peer compares the Proxy IDs configured on it with what is actually received in the packet in order to allow a successful IKE phase 2 negotiation. If multiple tunnels are required, configure unique Proxy IDs for each tunnel interface; a tunnel interface can have a maximum of 250 Proxy IDs. Each Proxy ID counts towards the IPSec VPN tunnel capacity of the firewall, and the tunnel capacity varies by the firewall model.

See Set Up an IPSec Tunnel for configuration details.

Tunnel Monitoring
For a VPN tunnel, you can check connectivity to a destination IP address across the tunnel. The network monitoring profile on the firewall allows you to verify connectivity (using ICMP) to a destination IP address or a next hop at a specified polling interval, and to specify an action on failure to reach the monitored IP address.

If the destination IP is unreachable, you either configure the firewall to wait for the tunnel to recover or configure automatic failover to another tunnel. In either case, the firewall generates a system log that alerts you to a tunnel failure and renegotiates the IPSec keys to accelerate recovery.

The default monitoring profile is configured to wait for the tunnel to recover; the polling interval is 3 seconds and the failure threshold is 5.

See Set Up Tunnel Monitoring for configuration details.
Internet Key Exchange (IKE) for VPN
The IKE process allows the VPN peers at both ends of the tunnel to encrypt and decrypt packets using mutually agreed-upon keys (or certificates) and method of encryption. The IKE process occurs in two phases: IKE Phase 1 and IKE Phase 2. Each of these phases uses keys and encryption algorithms that are defined using cryptographic profiles (the IKE crypto profile and the IPSec crypto profile), and the result of the IKE negotiation is a Security Association (SA). An SA is a set of mutually agreed-upon keys and algorithms that are used by both VPN peers to allow the flow of data across the VPN tunnel. The following illustration depicts the key exchange process for setting up the VPN tunnel:

IKE Phase 1
In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports the use of preshared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Preshared keys are a simple solution for securing smaller networks because they do not require the support of a PKI infrastructure. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.

When using certificates, make sure that the CA issuing the certificate is trusted by both gateway peers and that the maximum length of the certificate chain is 5 or less. With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to 5 certificates in the certificate chain and successfully establish a VPN tunnel.

The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
- Diffie-Hellman (DH) group for generating symmetric keys for IKE. The Diffie-Hellman algorithm combines the private value of one party with the public value of the other to create a shared secret that both VPN tunnel peers compute but that is never transmitted; the symmetric keys for the SA are derived from it. The DH groups supported on the firewall are: Group 1 (768 bits), Group 2 (1024 bits, default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group).
- Authentication algorithms: sha1, sha256, sha384, sha512, or md5.
- Encryption algorithms: 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des.
Groups 1 and 2, DES, and MD5 remain available for interoperability with legacy peers; for new deployments prefer Group 14 or the elliptic-curve groups together with AES and a SHA-2 hash (see the ordering advice under Define IKE Crypto Profiles).
IKE Phase 2
After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.

IPSec uses the following protocols to enable secure communication:
- Encapsulating Security Payload (ESP): Encrypts the entire original IP packet, authenticates the source, and verifies the integrity of the data. ESP normally both encrypts and authenticates the packet, but you can choose to only authenticate (by setting the encryption to null) or only encrypt (by setting the authentication to none); encryption without authentication is discouraged, because ciphertext that is not integrity-protected can be modified in transit without detection.
- Authentication Header (AH): Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.
Table: Algorithms Supported for IPSec Authentication and Encryption

Diffie-Hellman (DH) exchange options supported (ESP and AH):
- Group 1 (768 bits)
- Group 2 (1024 bits, the default)
- Group 5 (1536 bits)
- Group 14 (2048 bits)
- Group 19 (256-bit elliptic curve group)
- Group 20 (384-bit elliptic curve group)
- no-pfs: By default, perfect forward secrecy (PFS) is enabled, which means a new DH key is generated in IKE phase 2 using one of the groups listed above. This key is independent of the keys exchanged in IKE phase 1 and provides better data transfer security. If you select no-pfs, the DH key created at phase 1 is not renewed and a single key is used for the IPSec SA negotiations. PFS must be either enabled on both VPN peers or disabled on both.

Encryption algorithms supported (ESP only; AH does not encrypt):
- 3des: Triple Data Encryption Standard (3DES) with a security strength of 112 bits
- aes-128-cbc: Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
- aes-192-cbc: AES using CBC with a security strength of 192 bits
- aes-256-cbc: AES using CBC with a security strength of 256 bits
- aes-128-ccm: AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
- aes-128-gcm: AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
- aes-256-gcm: AES using GCM with a security strength of 256 bits
- des: Data Encryption Standard (DES) with a security strength of 56 bits

Authentication algorithms supported (ESP and AH):
- md5
- sha1
- sha256
- sha384
- sha512
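The following Python example is added here and is not code from the PAN-OS guide. It performs the Diffie-Hellman exchange that the IKE Phase 1 DH-group description and the no-pfs entry above both refer to, using MODP group 14 (the 2048-bit group of RFC 3526, generator 2), and then shows why no-pfs is weaker: with PFS, every IPSec (child) SA key mixes in a fresh DH secret, so someone who later recovers the phase 1 key SK_d still cannot compute the IPSec keys; with no-pfs, the IPSec keys follow directly from SK_d and the public nonces. The names DHPeer, prf, phase1_sk_d, child_keymat and run_exchange are illustrative, and the key derivation is a simplified HMAC-SHA256 stand-in for the prf+ construction of RFC 7296 section 2.14 (it preserves which inputs each key depends on, not the exact wire format). The group prime is transcribed from the RFC and checked to be a safe prime before use, so a transcription error would fail loudly rather than silently weaken the exchange.

```python
import hashlib
import hmac
import secrets

# IKE DH group 14: the 2048-bit MODP group of RFC 3526 section 3, generator 2.
# Transcribed from the RFC; is_safe_prime(P) catches a transcription error.
MODP_2048_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(MODP_2048_HEX, 16)
G = 2

def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """MODP groups use safe primes p = 2q + 1, so g = 2 generates a large prime-order subgroup."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

class DHPeer:
    """One IKE peer's half of a Diffie-Hellman exchange over (P, G)."""

    def __init__(self, p=P, g=G):
        self.p = p
        self.private = 2 + secrets.randbelow(p - 3)  # exponent x, never leaves the peer
        self.public = pow(g, self.private, p)         # g^x mod p, sent in the KE payload

    def shared_secret(self, peer_public):
        # Reject KE values (<= 1 or >= p-1) that would force a predictable secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid KE payload from peer")
        return pow(peer_public, self.private, self.p)

def prf(key, data):
    """Stand-in PRF (HMAC-SHA256); real IKEv2 uses prf+ with the negotiated PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()

def to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def phase1_sk_d(shared_secret, nonces):
    """Phase 1: SKEYSEED = prf(Ni | Nr, g^ir); SK_d, the only phase 1 key that feeds child SAs, derives from it."""
    return prf(prf(nonces, to_bytes(shared_secret)), b"SK_d")

def child_keymat(sk_d, nonces, pfs_secret=None):
    """Phase 2: with PFS the fresh g^ir is mixed in; with no-pfs only SK_d and the nonces are."""
    if pfs_secret is None:
        return prf(sk_d, nonces)
    return prf(sk_d, to_bytes(pfs_secret) + nonces)

def run_exchange(pfs):
    """Both peers, plus an attacker who holds SK_d and the nonces but no private exponents."""
    a, b = DHPeer(), DHPeer()
    nonces1 = secrets.token_bytes(32) + secrets.token_bytes(32)  # Ni | Nr
    sk_d_a = phase1_sk_d(a.shared_secret(b.public), nonces1)
    sk_d_b = phase1_sk_d(b.shared_secret(a.public), nonces1)
    nonces2 = secrets.token_bytes(32) + secrets.token_bytes(32)
    if pfs:
        a2, b2 = DHPeer(), DHPeer()  # fresh ephemeral values for the child SA
        child_a = child_keymat(sk_d_a, nonces2, a2.shared_secret(b2.public))
        child_b = child_keymat(sk_d_b, nonces2, b2.shared_secret(a2.public))
    else:
        child_a = child_keymat(sk_d_a, nonces2)
        child_b = child_keymat(sk_d_b, nonces2)
    attacker = child_keymat(sk_d_a, nonces2)  # the best an SK_d holder can do without the new DH
    return {
        "phase1_agree": sk_d_a == sk_d_b,
        "child_agree": child_a == child_b,
        "attacker_recovers_child_key": attacker == child_a,
    }

if __name__ == "__main__":
    assert is_safe_prime(P)
    print("no-pfs:", run_exchange(pfs=False))
    print("pfs:   ", run_exchange(pfs=True))
```

Both runs show the peers agreeing on the phase 1 and child keys; only the no-pfs run shows the attacker recovering the child key. The same structure is why PFS must be enabled on both peers or neither: a peer that expects a KE payload in the CREATE_CHILD_SA exchange rejects a proposal without one.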
Methods of Securing IPSec VPN Tunnels (IKE Phase 2)
IPSec VPN tunnels can be secured using manual keys or auto keys. In addition, IPSec configuration options include a Diffie-Hellman group for key agreement, and/or an encryption algorithm and a hash for message authentication.
- Manual Key: Manual key is typically used if the Palo Alto Networks firewall is establishing a VPN tunnel with a legacy device, or if you want to reduce the overhead of generating session keys. If using manual keys, the same key must be configured on both peers.
  Manual keys are not recommended for establishing a VPN tunnel because the session keys can be compromised when relaying the key information between the peers, and because a manual key is never rotated; if the keys are compromised, the data transfer is no longer secure.
- Auto Key: Auto Key allows you to automatically generate keys for setting up and maintaining the IPSec tunnel based on the algorithms defined in the IPSec Crypto profile.
IKEv2
An IPSec VPN gateway uses IKEv1 or IKEv2 to negotiate the IKE security association (SA) and the IPSec tunnel. IKEv2 is defined in RFC 5996 (since superseded by RFC 7296).

Unlike IKEv1, which uses a Phase 1 SA and a Phase 2 SA, IKEv2 uses a child SA for Encapsulating Security Payload (ESP) or Authentication Header (AH), which is set up with an IKE SA.

NAT traversal (NAT-T) must be enabled on both gateways if NAT occurs on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device.

IKEv2 provides the following benefits over IKEv1:
- Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either nine messages (in main mode) or six messages (in aggressive mode).
- Built-in NAT-T functionality improves compatibility between vendors.
- Built-in health check automatically reestablishes a tunnel if it goes down. The liveness check replaces the Dead Peer Detection used in IKEv1.
- Supports traffic selectors (one per exchange). The traffic selectors are used in IKE negotiations to control what traffic can access the tunnel.
- Supports Hash and URL certificate exchange to reduce fragmentation.
- Resiliency against DoS attacks with improved peer validation. An excessive number of half-open SAs can trigger cookie validation.

Before configuring IKEv2, you should be familiar with the following concepts:
- Liveness Check
- Cookie Activation Threshold and Strict Cookie Validation
- Traffic Selectors
- Hash and URL Certificate Exchange
- SA Key Lifetime and Re-Authentication Interval

After you Set Up an IKE Gateway, if you chose IKEv2, perform the following optional tasks related to IKEv2 as required by your environment:
- Export a Certificate for a Peer to Access Using Hash and URL
- Import a Certificate for IKEv2 Gateway Authentication
- Change the Key Lifetime or Authentication Interval for IKEv2
- Change the Cookie Activation Threshold for IKEv2
- Configure IKEv2 Traffic Selectors
Liveness Check
The liveness check for IKEv2 is similar to Dead Peer Detection (DPD), which IKEv1 uses as the way to determine whether a peer is still available.

In IKEv2, the liveness check is achieved by any IKEv2 packet transmission or by an empty informational message that the gateway sends to the peer at a configurable interval, five seconds by default. If necessary, the sender attempts the retransmission up to ten times. If it gets no response, the sender closes and deletes the IKE_SA and the corresponding CHILD_SAs, then starts over by sending out another IKE_SA_INIT message.

Cookie Activation Threshold and Strict Cookie Validation
Cookie validation is always enabled for IKEv2; it helps protect against half-open SA DoS attacks. You can configure the global threshold number of half-open SAs that will trigger cookie validation. You can also configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA (strict cookie validation).
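The mechanism that the threshold switches on, as an added example that is not PAN-OS code: an IKEv2 responder that, once its half-open SA count reaches the activation threshold, allocates no state for an IKE_SA_INIT request and instead answers with a COOKIE notification computed the way RFC 7296 section 2.6 suggests (a keyed hash over the initiator's address, nonce and SPI with a periodically rotated secret). Only an initiator that actually receives that reply and resends its request carrying the cookie gets a half-open SA, which is what defeats floods from spoofed source addresses. The default threshold of 500 is the guide's; the class and function names, the per-gateway strict flag, the acceptance of the previous secret after rotation, and the constructed request addresses are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class IkeSaInit:
    """Fields of an IKE_SA_INIT request that matter for cookie handling."""
    src_ip: str
    spi_i: bytes           # initiator SPI, 8 bytes
    nonce_i: bytes         # Ni
    cookie: bytes = b""    # N(COOKIE) data, empty on the first attempt

class IkeResponder:
    def __init__(self, cookie_threshold=500, strict=False):
        self.cookie_threshold = cookie_threshold   # global activation threshold
        self.strict = strict                       # per-gateway strict cookie validation
        self.secret = secrets.token_bytes(32)      # rotated periodically
        self.previous_secret = self.secret         # still accepted right after rotation
        self.half_open = {}                        # SPIi -> src_ip, awaiting IKE_AUTH

    def rotate_secret(self):
        self.previous_secret, self.secret = self.secret, secrets.token_bytes(32)

    def _cookie(self, secret, req):
        # RFC 7296 2.6: Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        mac = hmac.new(secret, req.nonce_i + req.src_ip.encode() + req.spi_i, hashlib.sha256)
        return b"\x01" + mac.digest()[:16]

    def cookie_required(self):
        return self.strict or len(self.half_open) >= self.cookie_threshold

    def handle_init(self, req):
        """("COOKIE", cookie): retry with this cookie, no state kept.
        ("RESPONSE", spi_i): half-open SA created.  ("DROP", None): bad cookie."""
        if self.cookie_required():
            if not req.cookie:
                return ("COOKIE", self._cookie(self.secret, req))  # stateless reply
            valid = any(hmac.compare_digest(req.cookie, self._cookie(s, req))
                        for s in (self.secret, self.previous_secret))
            if not valid:
                return ("DROP", None)
        self.half_open[req.spi_i] = req.src_ip
        return ("RESPONSE", req.spi_i)

    def complete_auth(self, spi_i):
        """IKE_AUTH succeeded: the SA is no longer half-open."""
        self.half_open.pop(spi_i, None)

def new_request(src_ip):
    return IkeSaInit(src_ip, secrets.token_bytes(8), secrets.token_bytes(32))

def spoofed_flood(responder, count):
    """Attacker sends `count` IKE_SA_INITs from addresses it does not control (constructed
    TEST-NET-3 sources), so it never sees the cookies and cannot retry.
    Returns how many half-open SAs the flood left behind."""
    before = len(responder.half_open)
    for i in range(count):
        responder.handle_init(new_request(f"203.0.113.{i % 250}"))
    return len(responder.half_open) - before

def legitimate_initiator(responder, src_ip):
    """A real peer follows the protocol: resend IKE_SA_INIT with the cookie it received."""
    req = new_request(src_ip)
    kind, payload = responder.handle_init(req)
    if kind == "COOKIE":
        req.cookie = payload
        kind, payload = responder.handle_init(req)
    if kind == "RESPONSE":
        responder.complete_auth(payload)
    return kind

if __name__ == "__main__":
    r = IkeResponder(cookie_threshold=500)
    print("half-open after 500 spoofed:", spoofed_flood(r, 500))
    print("half-open added by 10000 more:", spoofed_flood(r, 10000))
    print("legitimate peer:", legitimate_initiator(r, "198.51.100.7"))
```

Below the threshold the responder behaves as before and the flood does cost memory, which is why a lower threshold (or strict validation on an Internet-facing gateway) trades one extra round trip for every peer against a smaller window for the attacker.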
Traffic Selectors
In IKEv1, a firewall that has a route-based VPN needs to use a local and remote Proxy ID in order to set up an IPSec tunnel. Each peer compares its Proxy IDs with what it received in the packet in order to successfully negotiate IKE Phase 2. IKE Phase 2 is about negotiating the SAs to set up an IPSec tunnel. (For more information on Proxy IDs, see Tunnel Interface.)

In IKEv2, you can Configure IKEv2 Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; otherwise, one side narrows its address range to reach agreement. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented.

The IPv4 and IPv6 traffic selectors are:
- Source IP address: A network prefix, address range, specific host, or wildcard.
- Destination IP address: A network prefix, address range, specific host, or wildcard.
- Protocol: A transport protocol, such as TCP or UDP.
- Source port: The port where the packet originated.
- Destination port: The port the packet is destined for.

During IKE negotiation, there can be multiple traffic selectors for different networks and protocols. For example, the Initiator might indicate that it wants to send TCP packets from 172.168.0.0/16 through the tunnel to its peer, destined for 198.5.0.0/16. It also wants to send UDP packets from 172.17.0.0/16 through the same tunnel to the same gateway, destined for 0.0.0.0 (any network). The peer gateway must agree to these traffic selectors so that it knows what to expect.

It is possible that one gateway will start negotiation using a traffic selector that is more specific than the traffic selector configured on the other gateway. For example, gateway A offers a source IP address of 172.16.0.0/16 and a destination IP address of 192.16.0.0/16. But gateway B is configured with 0.0.0.0 (any source) as the source IP address and 0.0.0.0 (any destination) as the destination IP address. Therefore, gateway B narrows down its source IP address to 192.16.0.0/16 and its destination address to 172.16.0.0/16 (the two are swapped relative to gateway A because B's source is A's destination). Thus, the narrowing accommodates the addresses of gateway A, and the traffic selectors of the two gateways are in agreement.

If gateway B (configured with source IP address 0.0.0.0) is the Initiator instead of the Responder, gateway A will respond with its more specific IP addresses, and gateway B will narrow down its addresses to reach agreement.
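An added example, not from the PAN-OS guide, of the narrowing step described above. Each traffic selector is a protocol, an address range and a port range; the responder narrows each selector it is configured with to its intersection with what the initiator proposed, and rejects the child SA (TS_UNACCEPTABLE) if nothing is left. The gateway A and gateway B addresses are the guide's; the TCP and UDP cases with ports, and the responder's swapped local/remote view, are assumptions added to show the general case. IPv4 only, using the standard ipaddress module; IPv6 works the same way. The names TrafficSelector, narrow, narrow_set and respond_create_child_sa are this example's, not PAN-OS or RFC terms.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY_PROTO = 0  # IP protocol 0 in a traffic selector means "any protocol"

@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE entry: protocol, address range, port range."""
    proto: int
    start_addr: ipaddress.IPv4Address
    end_addr: ipaddress.IPv4Address
    start_port: int = 0
    end_port: int = 65535

    @classmethod
    def from_cidr(cls, cidr, proto=ANY_PROTO, ports=(0, 65535)):
        net = ipaddress.ip_network(cidr, strict=False)
        return cls(proto, net.network_address, net.broadcast_address, *ports)

    def __str__(self):
        return (f"proto={self.proto} {self.start_addr}-{self.end_addr} "
                f"ports {self.start_port}-{self.end_port}")

def narrow(local, proposed) -> Optional[TrafficSelector]:
    """Intersection of a configured selector with a proposed one, or None if disjoint."""
    if local.proto != proposed.proto and ANY_PROTO not in (local.proto, proposed.proto):
        return None
    proto = proposed.proto if local.proto == ANY_PROTO else local.proto
    lo_addr, hi_addr = max(local.start_addr, proposed.start_addr), min(local.end_addr, proposed.end_addr)
    lo_port, hi_port = max(local.start_port, proposed.start_port), min(local.end_port, proposed.end_port)
    if lo_addr > hi_addr or lo_port > hi_port:
        return None
    return TrafficSelector(proto, lo_addr, hi_addr, lo_port, hi_port)

def narrow_set(configured, proposed):
    """Narrow every proposed selector against the configured ones and keep the
    non-empty intersections (RFC 7296 2.9: the responder may choose a subset)."""
    result = []
    for p in proposed:
        for c in configured:
            n = narrow(c, p)
            if n is not None and n not in result:
                result.append(n)
    return result

def respond_create_child_sa(local_ts, remote_ts, tsi, tsr):
    """Responder side of CREATE_CHILD_SA. TSi is the initiator's source view (our
    remote side), TSr is the initiator's destination view (our local side).
    Returns the narrowed (TSi, TSr) to send back, or None for TS_UNACCEPTABLE."""
    narrowed_tsi = narrow_set(remote_ts, tsi)
    narrowed_tsr = narrow_set(local_ts, tsr)
    if not narrowed_tsi or not narrowed_tsr:
        return None
    return narrowed_tsi, narrowed_tsr

if __name__ == "__main__":
    # Gateway A (initiator) proposes its specific ranges; gateway B is configured any/any.
    tsi = [TrafficSelector.from_cidr("172.16.0.0/16")]
    tsr = [TrafficSelector.from_cidr("192.16.0.0/16")]
    any_ts = [TrafficSelector.from_cidr("0.0.0.0/0")]
    b_tsi, b_tsr = respond_create_child_sa(any_ts, any_ts, tsi, tsr)
    print("B remote (TSi):", b_tsi[0])
    print("B local  (TSr):", b_tsr[0])
```

The responder only ever shrinks its own selectors; it never widens the initiator's. A proposal for a protocol or subnet the responder is not configured for therefore fails the child SA rather than silently admitting traffic, which is the property that lets separate tunnels per department, as the text describes, actually isolate their traffic.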
Hash and URL Certificate Exchange
IKEv2 supports Hash and URL Certificate Exchange, which is used during an IKEv2 negotiation of an SA. You store the certificate on an HTTP server, which is specified by a URL. The peer fetches the certificate from the server after receiving the URL in the IKE exchange. The hash is used to check that the certificate fetched from the server is the one the sending peer intended, so a compromised or substituted HTTP server cannot supply a different certificate. Thus, the two peers obtain each other's certificates through the HTTP server rather than sending them to each other directly.

The hash part of Hash and URL reduces the IKE message size, and thus Hash and URL is a way to reduce the likelihood of packet fragmentation during IKE negotiation. The peer receives the certificate whose hash matches the one it expects, and IKE Phase 1 validates the peer as usual. Reducing fragmentation also helps protect against DoS attacks that exploit fragment reassembly.

You can enable the Hash and URL certificate exchange when configuring an IKE gateway by selecting HTTP Certificate Exchange and entering the Certificate URL. The peer must also use Hash and URL certificate exchange in order for the exchange to be successful. If the peer cannot use Hash and URL, X.509 certificates are exchanged similarly to how they are exchanged in IKEv1.

If you enable the Hash and URL certificate exchange, you must export your certificate to the certificate server if it is not already there. When you export the certificate, the file format should be Binary Encoded Certificate (DER). See Export a Certificate for a Peer to Access Using Hash and URL.
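How the hash binds the fetched file to the IKE exchange, as an added example that is not PAN-OS code. RFC 7296 section 3.6 defines the "Hash and URL of X.509 certificate" encoding (value 12) as a 20-octet SHA-1 hash of the DER-encoded certificate followed by the URL; the sender computes it from the DER it exported, and the receiver fetches the URL, rehashes the bytes it gets, and rejects any mismatch. The certificate here is a constructed placeholder byte string (no X.509 parsing is attempted), the HTTP server is a dictionary standing in for the fetch, and the PEM-to-DER conversion shows why the export format matters: the hash is over the DER bytes, not over base64 text. The function names and the example URL are this example's assumptions.

```python
import base64
import hashlib
from typing import Optional

CERT_ENC_HASH_AND_URL_X509 = 12  # RFC 7296 3.6 certificate encoding value

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode to the DER bytes that get hashed."""
    lines = [l.strip() for l in pem.strip().splitlines()]
    body = "".join(l for l in lines if not l.startswith("-----"))
    return base64.b64decode(body)

def build_cert_payload(der: bytes, url: str) -> bytes:
    """CERT payload data: Cert Encoding (1 octet) | SHA-1(DER) (20 octets) | URL."""
    return bytes([CERT_ENC_HASH_AND_URL_X509]) + hashlib.sha1(der).digest() + url.encode("ascii")

def parse_cert_payload(data: bytes):
    enc, digest, url = data[0], data[1:21], data[21:].decode("ascii")
    if enc != CERT_ENC_HASH_AND_URL_X509:
        raise ValueError(f"unsupported certificate encoding {enc}")
    return digest, url

def fetch_and_verify(payload: bytes, http_get) -> Optional[bytes]:
    """Peer side: fetch the DER from the URL and accept it only if its SHA-1 matches the
    hash carried inside the (integrity-protected) IKE_AUTH message. http_get(url) returns
    the body bytes or None; in production this is an HTTP client."""
    expected, url = parse_cert_payload(payload)
    der = http_get(url)
    if der is None or hashlib.sha1(der).digest() != expected:
        return None
    return der

# Constructed placeholder "certificate": a SEQUENCE header followed by filler, not real X.509.
DEMO_DER = b"\x30\x82\x01\x00" + bytes(range(256))
DEMO_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(DEMO_DER).decode()
            + "-----END CERTIFICATE-----\n")
CERT_URL = "http://certs.example.net/gw-a.der"  # assumed URL for the example

def demo(tampered: bool = False) -> bool:
    """True if the peer accepts the certificate it fetched. With tampered=True the
    HTTP server (here a dict) serves a certificate that differs by one byte."""
    served = DEMO_DER if not tampered else DEMO_DER[:-1] + b"\x00"
    server = {CERT_URL: served}
    payload = build_cert_payload(pem_to_der(DEMO_PEM), CERT_URL)
    return fetch_and_verify(payload, server.get) is not None

if __name__ == "__main__":
    print("genuine server:", demo())
    print("tampered server:", demo(tampered=True))
```

The payload is 21 bytes plus the URL regardless of certificate size, which is where the fragmentation saving comes from; the trust decision still rests on the certificate profile applied to the DER that was fetched, exactly as when the certificate is sent inline.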
SA Key Lifetime and Re-Authentication Interval
In IKEv2, two IKE crypto profile values, Key Lifetime and IKEv2 Authentication Multiple, control the establishment of IKEv2 IKE SAs. The key lifetime is the length of time that a negotiated IKE SA key is effective. Before the key lifetime expires, the SA must be rekeyed; otherwise, upon expiration, the gateway must negotiate a new IKEv2 IKE SA from scratch. The default value is 8 hours.

The re-authentication interval is derived by multiplying the Key Lifetime by the IKEv2 Authentication Multiple. The authentication multiple defaults to 0, which disables the re-authentication feature.

The range of the authentication multiple is 0-50. So, if you were to configure an authentication multiple of 20, for example, the system would perform re-authentication every 20 rekeys, which with the default 8-hour lifetime is every 160 hours. That means the gateway could perform Child SA creation for 160 hours before the gateway must re-authenticate with IKE to re-create the IKE SA from scratch.

In IKEv2, the Initiator and Responder gateways each have their own key lifetime value, and the gateway with the shorter key lifetime is the one that will request that the SA be rekeyed.
Set Up Site-to-Site VPN
To set up site-to-site VPN:
- Make sure that your Ethernet interfaces, virtual routers, and zones are configured properly. For more information, see Configure Interfaces and Zones.
- Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate zone, so that tunneled traffic can use different policies.
- Set up static routes or assign routing protocols to redirect traffic to the VPN tunnels. To support dynamic routing (OSPF, BGP, and RIP are supported), you must assign an IP address to the tunnel interface.
- Define IKE gateways for establishing communication between the peers across each end of the VPN tunnel; also define the cryptographic profile that specifies the protocols and algorithms for identification, authentication, and encryption to be used for setting up VPN tunnels in IKEv1 Phase 1. See Set Up an IKE Gateway and Define IKE Crypto Profiles.
- Configure the parameters that are needed to establish the IPSec connection for transfer of data across the VPN tunnel; see Set Up an IPSec Tunnel. For IKEv1 Phase 2, see Define IPSec Crypto Profiles.
- (Optional) Specify how the firewall will monitor the IPSec tunnels. See Set Up Tunnel Monitoring.
- Define security policies to filter and inspect the traffic.
  If there is a deny rule at the end of the security rulebase, intrazone traffic is blocked unless otherwise allowed. Rules to allow the IKE and IPSec applications must be explicitly included above the deny rule.

When these tasks are complete, the tunnel is ready for use. Traffic destined for the zones/addresses defined in policy is automatically routed properly based on the destination route in the routing table, and handled as VPN traffic. For a few examples of site-to-site VPN, see Site-to-Site VPN Quick Configs.

For troubleshooting purposes, you can Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel.
Set Up an IKE Gateway
To set up a VPN tunnel, the VPN peers or gateways must authenticate each other, using preshared keys or digital certificates, and establish a secure channel in which to negotiate the IPSec security association (SA) that will be used to secure traffic between the hosts on each side.

Set Up an IKE Gateway
Step 1
Define the IKE Gateway.
1. Select Network > IKE Gateways and click Add.
2. Enter a Name for the gateway.

Step 2
Establish the local endpoint of the tunnel (gateway).
1. For Address Type, click IPv4 or IPv6.
2. Select the physical, outgoing Interface on the firewall where the local gateway resides.

Step 3
Establish the peer at the far end of the tunnel (gateway).
1. Select the Peer IP Type to be a Static or Dynamic address assignment.
2. If the Peer IP Address is static, enter the IP address of the peer.
Step 4
Specify how the peer is authenticated.
Select the Authentication method: Pre-Shared Key or Certificate. If you choose Pre-Shared Key, proceed to Step 5. If you choose Certificate, proceed to Step 6.

Step 5
Configure a preshared key.
1. Enter a Pre-shared Key, which is the security key to use for authentication across the tunnel. Re-enter the value to Confirm Pre-shared Key.
   Generate a key that is difficult to crack with dictionary attacks: use a long random value from a preshared-key generator rather than a word or phrase. An attacker who captures the IKE exchange (in aggressive mode in particular) can test candidate keys offline, so the key's strength is the only thing protecting the tunnel against that attack.
2. For Local Identification, choose from the following types and enter a value that you determine: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). Local identification defines the format and identification of the local gateway. If no value is specified, the local IP address is used as the local identification value.
3. For Peer Identification, choose from the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). Peer identification defines the format and identification of the peer gateway. If no value is specified, the peer IP address is used as the peer identification value.
4. Proceed to Step 7 and continue from there.
Step 6
Configure certificate-based authentication. Perform the remaining steps in this procedure if you selected Certificate as the method of authenticating the peer gateway at the opposite end of the tunnel.
1. Select a Local Certificate that is already on the firewall from the drop-down, or Import a certificate, or Generate to create a new certificate.
   If you want to Import a certificate, see Import a Certificate for IKEv2 Gateway Authentication and then return to this task.
   If you want to Generate a new certificate, generate a certificate on the firewall and then return to this task.
2. Select the Local Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, User FQDN (email address), and enter the value. Local identification defines the format and identification of the local gateway.
3. Select the Peer Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, User FQDN (email address), and enter the value. Peer identification defines the format and identification of the peer gateway.
4. Select one type of Peer ID Check:
   - Exact: Check this to ensure that the local setting and the peer IKE ID payload match exactly.
   - Wildcard: Check this to allow the peer identification to match as long as every character before the wildcard (*) matches. The characters after the wildcard need not match.
   Prefer Exact. With Wildcard, any certificate that the Certificate Profile trusts and whose identity begins with the given prefix can authenticate as this peer, so the prefix should be specific enough that no other certificate from the same CA matches it.
5. Choose a Certificate Profile from the drop-down. A certificate profile contains information about how to authenticate the peer gateway.
Step 7
Configure advanced options for the gateway.
Select the Advanced Options tab and configure the remaining gateway options as required. This is where the IKE Crypto profile is attached to the gateway (see Define IKE Crypto Profiles) and where the IKEv2-specific settings referred to under IKEv2 are made.

Step 8
Save the changes.
Click OK and Commit.
Export a Certificate for a Peer to Access Using Hash and URL
IKEv2 supports Hash and URL Certificate Exchange as a method of having the peer at the remote end of the tunnel fetch the certificate from a server where you have exported the certificate. Perform this task to export your certificate to that server. You must have already created a certificate using Device > Certificate Management.

Export a Certificate for Hash and URL
Export a certificate for a peer to access using Hash and URL certificate exchange: export the certificate from Device > Certificate Management in the Binary Encoded Certificate (DER) format (see Hash and URL Certificate Exchange), place the file on the HTTP server that the gateway's Certificate URL points to, and click OK. Export only the certificate, never the private key, to a server that peers can reach.
Import a Certificate for IKEv2 Gateway Authentication
Perform this task if you are authenticating a peer for an IKEv2 gateway and you did not use a local certificate already on the firewall; instead, you want to import a certificate from elsewhere.
This task presumes that you selected Network > IKE Gateways, added a gateway, and for Local Certificate, you clicked Import.

Import a Certificate for IKEv2 Gateway Authentication
Step 1
Import a certificate.
1. In the Import Certificate window, enter a Certificate Name for the certificate you are importing.
2. Select Shared if this certificate is to be shared among multiple virtual systems.
3. For Certificate File, Browse to the certificate file. Click the file name and click Open, which populates the Certificate File field.
4. For File Format, select one of the following:
   - Base64 Encoded Certificate (PEM): Contains the certificate, but not the key. It is clear text.
   - Encrypted Private Key and Certificate (PKCS12): Contains both the certificate and the key.
   The gateway needs the matching private key to authenticate itself, so a PEM file that contains only the certificate is sufficient only if that key is already on the firewall (for example, because the firewall generated the certificate signing request).
5. Click OK.

Step 2
After you perform this task, return to Configure an IKEv2 Gateway and resume Step 6.
Change the Key Lifetime or Authentication Interval for IKEv2
This task is optional; the default setting of the IKEv2 IKE SA rekey lifetime is 8 hours. The default setting of the IKEv2 Authentication Multiple is 0, meaning the re-authentication feature is disabled. For more information, see SA Key Lifetime and Re-Authentication Interval.
To change the default values, perform the following task. A prerequisite is that an IKE crypto profile already exists.

Change the SA Key Lifetime or Authentication Interval
Step 1
Change the SA key lifetime or authentication interval for an IKE Crypto profile (the Key Lifetime and IKEv2 Authentication Multiple fields; see Step 3 under Define IKE Crypto Profiles).

Step 2
Save the configuration.
Click OK and Commit.
Change the Cookie Activation Threshold for IKEv2
Perform the following task if you want a firewall to have a threshold different from the default setting of 500 half-open SA sessions before cookie validation is required. For more information about cookie validation, see Cookie Activation Threshold and Strict Cookie Validation.

Change the Cookie Activation Threshold
Step 1
Change the Cookie Activation Threshold (a global IKEv2 setting) and click OK.

Step 2
Save the configuration.
Click OK and Commit.
Configure IKEv2 Traffic Selectors

Configure Traffic Selectors for IKEv2
Step 1
Configure Traffic Selectors.
1. Select the IPv4 or IPv6 tab.
2. Click Add and enter the Name in the Proxy ID field.
3. In the Local field, enter the Source IP Address.
4. In the Remote field, enter the Destination IP Address.
5. In the Protocol field, select the transport protocol (TCP or UDP) from the drop-down.
6. Click OK.
Define Cryptographic Profiles
A cryptographic profile specifies the ciphers used for authentication and/or encryption between two IKE peers, and the lifetime of the key. The time period between each renegotiation is known as the lifetime; when the specified time expires, the firewall renegotiates a new set of keys.
For securing communication across the VPN tunnel, the firewall requires IKE and IPSec cryptographic profiles for completing IKE phase 1 and phase 2 negotiations, respectively. The firewall includes a default IKE crypto profile and a default IPSec crypto profile that are ready for use.
- Define IKE Crypto Profiles
- Define IPSec Crypto Profiles
618 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
VPNs
SetUpSitetoSiteVPN
Define IKE Crypto Profiles

The IKE crypto profile is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and the lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.

All IKE gateways configured on the same interface or local IP address must use the same crypto profile.

Define an IKE Crypto Profile

Step 1  Create a new IKE profile.
        1.
        2. Enter a Name for the new profile.

Step 2  Specify the DH Group (Diffie-Hellman group) for key exchange, and the Authentication and Encryption algorithms.
        Click Add in the corresponding sections (DH Group, Authentication, and Encryption) and select from the drop-downs.
        If you are not certain of what the VPN peers support, add multiple groups or algorithms in the order of most to least secure as follows; the peers negotiate the strongest supported group or algorithm to establish the tunnel:
        DH Group: group20, group19, group14, group5, group2, and group1.
        Authentication: sha512, sha384, sha256, sha1, md5.
        Encryption: aes-256-cbc, aes-192-cbc, aes-128-cbc, 3des, des.
        DES is available to provide backward compatibility with legacy devices that do not support stronger encryption, but as a best practice always use a stronger encryption algorithm, such as 3DES or AES, if the peer can support it.

Step 3  Specify the duration for which the key is valid and the reauthentication interval. For details, see SA Key Lifetime and Re-Authentication Interval.
        1. In the Key Lifetime fields, specify the period (in seconds, minutes, hours, or days) for which the key is valid. (Range is 3 minutes to 365 days; default is 8 hours.) When the key expires, the firewall renegotiates a new key. A lifetime is the period between each renegotiation.
        2.

Step 4  Save your IKE Crypto profile.
        Click OK and click Commit.

Step 5
Define IPSec Crypto Profiles

The IPSec crypto profile is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IKE SAs.

Define the IPSec Crypto Profile

Step 1  Create a new IPSec profile.
        1.
        2. Enter a Name for the new profile.
        3. Select the IPSec Protocol, ESP or AH, that you want to apply to secure the data as it traverses across the tunnel.
        4. Click Add and select the Authentication and Encryption algorithms for ESP, and Authentication algorithms for AH, so that the IKE peers can negotiate the keys for the secure transfer of data across the tunnel.
           If you are not certain of what the IKE peers support, add multiple algorithms in the order of most to least secure as follows; the peers negotiate the strongest supported algorithm to establish the tunnel:
           Encryption: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn't support this option), aes-128-cbc, 3des, des.
           DES is available to provide backward compatibility with legacy devices that do not support stronger encryption, but as a best practice always use a stronger encryption algorithm, such as 3DES or AES, if the peer can support it.
           Authentication: sha512, sha384, sha256, sha1, md5.

Step 2

Step 3  Specify the duration of the key time and volume of traffic. Using a combination of time and traffic volume allows you to ensure safety of data.
        Select the Lifetime or time period for which the key is valid in seconds, minutes, hours, or days (range is 3 minutes to 365 days). When the specified time expires, the firewall will renegotiate a new set of keys.
        Select the Lifesize or volume of data after which the keys must be renegotiated.

Step 4  Save your IPSec profile.
        Click OK and click Commit.

Step 5  Attach the IPSec Profile to an IPSec tunnel configuration.
        See Step 4 in Set Up an IPSec Tunnel.
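The ordered proposal lists in the IKE crypto profile and in the IPSec crypto profile both rely on the peers settling on the strongest entry they have in common, and the IPSec profile adds a Lifesize next to the Lifetime. The following Python is an added example, not PAN-OS code or anything from the guide: it models that selection from two strongest-first lists, flags a result that lands on an algorithm kept only for compatibility, and models the Lifetime/Lifesize rekey trigger. The profile names, the legacy peer's lists, and the WEAK set beyond DES are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Added example, not PAN-OS code. The guide keeps DES only for legacy peers;
# also treating md5, sha1, group1 and group2 as weak is this example's own
# assumption, not a statement from the guide.
WEAK = {"des", "md5", "sha1", "group1", "group2"}


@dataclass
class CryptoProfile:
    """Ordered proposal lists, strongest first, as the guide says to enter them."""
    name: str
    encryption: list[str]
    authentication: list[str]
    dh_group: list[str] = field(default_factory=list)   # IKE profiles only
    lifetime_seconds: int = 8 * 3600                     # guide default: 8 hours
    lifesize_bytes: Optional[int] = None                 # IPSec Lifesize; None = time only


# Constructed sample profiles: ours, in the guide's recommended order, and a
# legacy peer that only offers older algorithms.
LOCAL_IKE = CryptoProfile(
    "ike-strong",
    encryption=["aes-256-cbc", "aes-192-cbc", "aes-128-cbc", "3des", "des"],
    authentication=["sha512", "sha384", "sha256", "sha1", "md5"],
    dh_group=["group20", "group19", "group14", "group5", "group2", "group1"],
)
LEGACY_PEER_IKE = CryptoProfile(
    "legacy-peer",
    encryption=["3des", "des"],
    authentication=["sha1", "md5"],
    dh_group=["group2"],
)
LOCAL_IPSEC = CryptoProfile(
    "ipsec-strong",
    encryption=["aes-256-gcm", "aes-256-cbc", "aes-128-cbc", "3des"],
    authentication=["sha256", "sha1"],
    lifetime_seconds=3600,
    lifesize_bytes=5 * 1024 ** 3,   # constructed: rekey after 5 GB
)


def negotiate(local: list[str], peer: list[str]) -> Optional[str]:
    """First entry in our strongest-first list that the peer also offers.

    Simplification: our order decides; real IKE lets the responder choose
    among the initiator's proposals."""
    offered = set(peer)
    for alg in local:
        if alg in offered:
            return alg
    return None


def negotiate_profile(local: CryptoProfile, peer: CryptoProfile) -> dict:
    """Negotiate every list the profile carries (DH group only for IKE)."""
    chosen = {
        "encryption": negotiate(local.encryption, peer.encryption),
        "authentication": negotiate(local.authentication, peer.authentication),
    }
    if local.dh_group or peer.dh_group:
        chosen["dh_group"] = negotiate(local.dh_group, peer.dh_group)
    return chosen


def audit(chosen: dict) -> list[str]:
    """Findings for a negotiated set: no common proposal (the 'no proposal
    chosen' failure in the guide's error table) or a weak algorithm."""
    findings = []
    for kind, alg in chosen.items():
        if alg is None:
            findings.append(f"{kind}: no common proposal")
        elif alg in WEAK:
            findings.append(f"{kind}: weak algorithm {alg}")
    return findings


def needs_rekey(profile: CryptoProfile, elapsed_seconds: int, bytes_sent: int) -> bool:
    """Lifetime and Lifesize are independent triggers: rekey when either is hit."""
    if elapsed_seconds >= profile.lifetime_seconds:
        return True
    return profile.lifesize_bytes is not None and bytes_sent >= profile.lifesize_bytes


if __name__ == "__main__":
    result = negotiate_profile(LOCAL_IKE, LEGACY_PEER_IKE)
    print(result, audit(result))
```

Running it against the legacy peer shows why the guide recommends pruning the list rather than relying on ordering alone: the negotiation succeeds, but with sha1 and group2, and the audit is what surfaces that.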
Set Up an IPSec Tunnel

The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.

If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy ID so that the setting on both peers is identical. If the Proxy ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy ID are source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any; and when these values are exchanged with the peer, it results in a failure to set up the VPN connection.
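The mismatch the paragraph above describes is mechanical: a policy-based peer accepts phase 2 only when the Proxy ID it receives mirrors its own access list, and the route-based default of 0.0.0.0/0 in both directions never does. The following Python is an added example, not PAN-OS code or from the guide; it checks two peers' Proxy ID sets for that mirror relation before a commit. The ProxyID fields and the sample subnets (taken from the quick-config examples later in this chapter) are this example's construction.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network

# Added example, not PAN-OS code. Models the Proxy ID (traffic selector)
# exchange the guide describes: for phase 2 to succeed with a policy-based
# peer, each side's Local/Remote pair must be the mirror of the other side's.


@dataclass(frozen=True)
class ProxyID:
    name: str
    local: str             # local subnet, CIDR
    remote: str            # remote subnet, CIDR
    protocol: str = "any"  # "any", "tcp", "udp", or a protocol number as a string
    local_port: int = 0    # 0 = any (only meaningful for tcp/udp)
    remote_port: int = 0


# Guide: with no Proxy ID configured, the route-based firewall sends
# 0.0.0.0/0 -> 0.0.0.0/0, application any.
ROUTE_BASED_DEFAULT = ProxyID("default", "0.0.0.0/0", "0.0.0.0/0", "any")


def mirrors(mine: ProxyID, theirs: ProxyID) -> bool:
    """True when `theirs` is exactly the peer-side view of `mine`."""
    return (
        ip_network(mine.local) == ip_network(theirs.remote)
        and ip_network(mine.remote) == ip_network(theirs.local)
        and mine.protocol == theirs.protocol
        and mine.local_port == theirs.remote_port
        and mine.remote_port == theirs.local_port
    )


def check_proxy_ids(peer_a: list[ProxyID], peer_b: list[ProxyID]) -> list[str]:
    """One finding per Proxy ID (on either side) that has no mirror opposite.

    An empty list means every selector pair matches; a non-empty list is the
    configuration error behind a failed phase 2 with a policy-based peer."""
    a_ids = peer_a or [ROUTE_BASED_DEFAULT]   # an unconfigured side sends the default
    b_ids = peer_b or [ROUTE_BASED_DEFAULT]
    findings = []
    for p in a_ids:
        if not any(mirrors(p, q) for q in b_ids):
            findings.append(f"peer A '{p.name}' {p.local} -> {p.remote} has no mirror on peer B")
    for q in b_ids:
        if not any(mirrors(q, p) for p in a_ids):
            findings.append(f"peer B '{q.name}' {q.local} -> {q.remote} has no mirror on peer A")
    return findings


# Constructed sample: peer B is a policy-based device with one access list.
PEER_B_POLICY = [ProxyID("branch-to-hq", "192.168.69.0/24", "172.19.9.0/24", "any")]
# The mirrored entry the Palo Alto Networks firewall (peer A) has to carry.
PEER_A_MIRROR = [ProxyID("hq-to-branch", "172.19.9.0/24", "192.168.69.0/24", "any")]


if __name__ == "__main__":
    print(check_proxy_ids([], PEER_B_POLICY))             # default selector does not match
    print(check_proxy_ids(PEER_A_MIRROR, PEER_B_POLICY))  # []
```

Ports are compared crosswise for the same reason subnets are: peer A's local port is peer B's remote port.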
Set Up an IPSec Tunnel

Step 1

Step 2  Select the Tunnel interface that will be used to set up the IPSec tunnel.
        To create a new tunnel interface:
        1. Select Network > Interfaces > Tunnel and click Add.
        2. In the Interface Name field, specify a numeric suffix, such as .2.
        3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
           To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
           Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall mitigates the need to create inter-zone routing.
           (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-corp), and click OK.
        4. In the Virtual Router drop-down, select default.
        5. (Optional) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.31.32.1/32.
        6. If you want to assign an IPv6 address to the tunnel interface, see Step 3.
        7. To save the interface configuration, click OK.

Step 3  (Optional) Enable IPv6 on the tunnel interface.
        1.
        2.
        3. Enter the 64-bit extended unique Interface ID in hexadecimal format, for example, 00:26:08:FF:FE:DE:4E:29. By default, the firewall will use the EUI-64 generated from the physical interface's MAC address.
        4. To enter an IPv6 Address, click Add and enter an IPv6 address and prefix length, for example 2001:400:f00::1/64. If Prefix is not selected, the IPv6 address assigned to the interface will be wholly specified in the address text box.
           a. Select Use interface ID as host portion to assign an IPv6 address to the interface that will use the interface ID as the host portion of the address.
           b. Select Anycast to include routing through the nearest node.

Step 4  Select the type of key that will be used to secure the IPSec tunnel.
        Continue to one of the following steps, depending on what type of key exchange you are using:
        Set up Auto Key exchange.
        Set up a Manual Key exchange.

Step 5  Set up Auto Key exchange.
        1. Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway.
        2. (Optional) Select the default IPSec Crypto Profile. To create a new IPSec Profile, see Define IPSec Crypto Profiles.

Step 6  Set up a Manual Key exchange.
        1. Set up the parameters for the local firewall:
           a. Specify the SPI for the local firewall. SPI is a 32-bit hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows; it is used to create the SA required for establishing a VPN tunnel.
           b. Select the Interface that will be the tunnel endpoint, and optionally select the IP address for the local interface that is the endpoint of the tunnel.
           c. Select the protocol to be used, AH or ESP.
           d. For AH, select the Authentication method from the drop-down and enter a Key and then Confirm Key.
           e. For ESP, select the Authentication method from the drop-down and enter a Key and then Confirm Key. Then, select the Encryption method and enter a Key and then Confirm Key, if needed.
        2. Set up the parameters that pertain to the remote VPN peer.
           a. Specify the SPI for the remote peer.
           b. Enter the Remote Address, the IP address of the remote peer.

Step 7  Enable Tunnel Monitoring.
        You need to assign an IP address to the tunnel interface for monitoring.
        To alert the device administrator to tunnel failures and to provide automatic failover to another tunnel interface:
        1. Specify a Destination IP address on the other side of the tunnel to determine if the tunnel is working properly.
        2. Select a Profile to determine the action on tunnel failure. To create a new profile, see Define a Tunnel Monitoring Profile.

Step 8  (Required only if the VPN peer uses policy-based VPN.) Create a Proxy ID to identify the VPN peers.
        1. Select Network > IPSec Tunnels and click Add.
        2. Select the Proxy IDs tab.
        3. Select the IPv4 or IPv6 tab.
        4. Click Add and enter the Proxy ID name.
        5. Enter the Local IP address or subnet for the VPN gateway.
        6. Enter the Remote address for the VPN gateway.
        7. Select the Protocol from the drop-down:
           Number: Specify the protocol number (used for interoperability with third-party devices).
           Any: Allows TCP and/or UDP traffic.
           TCP: Specify the Local Port and Remote Port numbers.
           UDP: Specify the Local Port and Remote Port numbers.
        8. Click OK.

Step 9  Save your changes.
        Click OK and Commit.
Set Up Tunnel Monitoring

To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the firewall. You can also monitor the status of the tunnel. These monitoring tasks are described in the following sections:

Define a Tunnel Monitoring Profile
View the Status of the Tunnels

Define a Tunnel Monitoring Profile

A tunnel monitoring profile allows you to verify connectivity between the VPN peers; you can configure the tunnel interface to ping a destination IP address at a specified interval and specify the action if the communication across the tunnel is broken.

Define a Tunnel Monitoring Profile

Step 1

Step 2  Click Add, and enter a Name for the profile.

Step 3  Select the Action if the destination IP address is unreachable.
        Wait Recover: the firewall waits for the tunnel to recover. It continues to use the tunnel interface in routing decisions as if the tunnel were still active.
        Fail Over: forces traffic to a backup path if one is available. The firewall disables the tunnel interface, and thereby disables any routes in the routing table that use the interface.
        In either case, the firewall attempts to accelerate the recovery by negotiating new IPSec keys.

Step 4  Specify the Interval and Threshold to trigger the specified action.
        The threshold specifies the number of heartbeats to wait before taking the specified action. The range is 2-100 and the default is 5.
        The Interval measures the time between heartbeats. The range is 2-10 and the default is 3 seconds.

Step 5  Attach the monitoring profile to the IPsec Tunnel configuration. See Enable Tunnel Monitoring.
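Interval, Threshold and Action combine into a simple state machine, and seeing it run makes the trade-off concrete: a low threshold detects a dead path sooner but turns a brief loss into a failover. The following Python is an added example, not PAN-OS code or anything from the guide; it replays a recorded sequence of heartbeat results through a profile and reports when the action fires and what it does to the interface. That the miss counter is consecutive and resets on any reply is this example's assumption about the semantics, and the heartbeat sequences are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example, not PAN-OS code. Models the Interval/Threshold/Action logic
# of a tunnel monitoring profile over a recorded sequence of heartbeat results.
# A consecutive miss counter that resets on any reply is an assumption here.


@dataclass
class TunnelMonitorProfile:
    name: str
    action: str = "wait-recover"   # "wait-recover" or "fail-over"
    interval: int = 3              # seconds between heartbeats; guide: 2-10, default 3
    threshold: int = 5             # missed heartbeats before acting; guide: 2-100, default 5

    def __post_init__(self) -> None:
        if self.action not in ("wait-recover", "fail-over"):
            raise ValueError(f"unknown action {self.action!r}")
        if not 2 <= self.interval <= 10:
            raise ValueError("interval must be 2-10 seconds")
        if not 2 <= self.threshold <= 100:
            raise ValueError("threshold must be 2-100 heartbeats")


@dataclass
class TunnelState:
    interface_enabled: bool = True    # fail-over disables the tunnel interface
    routes_usable: bool = True        # ... and thereby the routes that use it
    rekey_requested: bool = False     # both actions renegotiate IPSec keys
    missed: int = 0                   # current run of missed heartbeats
    action_at: Optional[int] = None   # seconds from start when the action fired


def run_monitor(profile: TunnelMonitorProfile, heartbeats: Iterable[bool]) -> TunnelState:
    """Replay heartbeats (True = destination IP answered), one interval apart."""
    state = TunnelState()
    for n, answered in enumerate(heartbeats):
        if answered:
            state.missed = 0
            continue
        state.missed += 1
        if state.missed == profile.threshold and state.action_at is None:
            state.action_at = n * profile.interval
            state.rekey_requested = True
            if profile.action == "fail-over":
                state.interface_enabled = False
                state.routes_usable = False
            # wait-recover keeps the interface in routing decisions
    return state


def detection_delay_seconds(profile: TunnelMonitorProfile) -> int:
    """Worst-case time from the first missed heartbeat to the action."""
    return (profile.threshold - 1) * profile.interval


# Constructed samples: one good reply and then the path goes dark; and a
# flapping path that never misses three in a row.
OUTAGE = [True, False, False, False, False, False, False]
FLAPPING = [False, False, True, False, False, True, False]


if __name__ == "__main__":
    print(run_monitor(TunnelMonitorProfile("default-profile", "fail-over"), OUTAGE))
    print(run_monitor(TunnelMonitorProfile("default-profile", "fail-over", threshold=3), FLAPPING))
```

With the guide's defaults the action fires 12 seconds after the first miss; the flapping sequence never triggers it, which is the behaviour you want for a path that drops an occasional probe.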
View the Status of the Tunnels

The status of the tunnel informs you about whether or not valid IKE phase 1 and phase 2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.

Because the tunnel interface is a logical interface, it cannot indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or fail over. When a failover occurs, the existing tunnel is torn down and routing changes are triggered to set up a new tunnel and redirect traffic.

View Tunnel Status

Step 1

Step 2  View the Tunnel Status.
        Green indicates a valid IPSec SA tunnel.
        Red indicates that the IPSec SA is not available or has expired.

Step 3

Step 4  To troubleshoot a VPN tunnel that is not yet up, see Interpret VPN Error Messages.

Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel

You can enable, disable, refresh or restart an IKE gateway or VPN tunnel to make troubleshooting easier.

Enable or Disable an IKE Gateway or Tunnel

Enable or disable an IKE gateway.
        1.
        2. At the bottom of the screen, click Enable or Disable.

Enable or disable an IPSec tunnel.
        1.
        2. At the bottom of the screen, click Enable or Disable.
The refresh and restart behaviors for an IKE gateway and IPSec tunnel are as follows:

Phase: IKE Gateway (IKE Phase 1)
  Refresh: Updates the onscreen statistics for the selected IKE gateway. Equivalent to issuing a second show command in the CLI (after an initial show command).
  Restart: Restarts the selected IKE gateway.
           IKEv2: Also restarts any associated child IPSec security associations (SAs).
           IKEv1: Does not restart the associated IPSec SAs.
           A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI.

Phase: IPSec Tunnel (IKE Phase 2)
  Refresh: Updates the onscreen statistics for the selected IPSec tunnel. Equivalent to issuing a second show command in the CLI (after an initial show command).
  Restart: Restarts the IPSec tunnel. A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI.

As the table above indicates, restarting an IKEv2 gateway has a result different from restarting an IKEv1 gateway.
Refresh or Restart an IKE Gateway or IPSec Tunnel

Refresh or restart an IKE gateway.
        1.
        2. In the row for that tunnel, under the Status column, click IKE Info.
        3. At the bottom of the IKE Info screen, click the action you want:
           Refresh: Updates the statistics on the screen.
           Restart: Clears the SAs, so traffic is dropped until the IKE negotiation starts over and the tunnel is recreated.

Refresh or restart an IPSec tunnel.
        You might determine that the tunnel needs to be refreshed or restarted because you use the tunnel monitor to monitor the tunnel status, or you use an external network monitor to monitor network connectivity through the IPSec tunnel.
        1.
        2.
        3.
Test VPN Connectivity

Test Connectivity

Initiate IKE phase 1 by either pinging a host across the tunnel or using the following CLI command:
test vpn ike-sa gateway <gateway_name>
Then enter the following command to test if IKE phase 1 is set up:
show vpn ike-sa gateway <gateway_name>
In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.

Initiate IKE phase 2 by either pinging a host from across the tunnel or using the following CLI command:
test vpn ipsec-sa tunnel <tunnel_name>
Then enter the following command to test if IKE phase 2 is set up:
show vpn ipsec-sa tunnel <tunnel_name>
In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.

To view the VPN traffic flow information, use the following command:
show vpn flow
admin@PA-500> show vpn flow
total tunnels configured:                   1
filter - type IPSec, state any
total IPSec tunnel configured:              1
total IPSec tunnel shown:                   1
name            id    state     local-ip      peer-ip       tunnel-i/f
----------------------------------------------------------------------
vpn-to-siteB    5     active    100.1.1.1     200.1.1.1     tunnel.41
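The summary above is what an operator polls when a tunnel monitor or external check reports trouble, and it is easier to alert on than to read. The following Python is an added example, not PAN-OS code or anything from the guide: a parser for that `show vpn flow` output that turns the counts and the tunnel table into structured records and lists every tunnel whose state is not `active`. SAMPLE_OUTPUT is the guide's output above re-laid as a fixed-width table; the column spacing is this example's assumption.

```python
from __future__ import annotations
import re
from typing import Optional

# Added example, not PAN-OS code: parses the `show vpn flow` summary. The
# sample below is the guide's output re-laid as a fixed-width table; the
# column widths are an assumption, the values are the guide's.
SAMPLE_OUTPUT = """\
admin@PA-500> show vpn flow
total tunnels configured:                   1
filter - type IPSec, state any
total IPSec tunnel configured:              1
total IPSec tunnel shown:                   1
name            id    state     local-ip      peer-ip       tunnel-i/f
----------------------------------------------------------------------
vpn-to-siteB    5     active    100.1.1.1     200.1.1.1     tunnel.41
"""

_COUNT_RE = re.compile(r"^(total [A-Za-z ]+?):\s*(\d+)$")


def parse_vpn_flow(text: str) -> dict:
    """Return {'counts': {label: int}, 'tunnels': [row dicts]} from CLI text."""
    counts: dict[str, int] = {}
    tunnels: list[dict] = []
    header: Optional[list[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or ">" in line.split(" ", 1)[0]:
            continue   # blank line, separator, or the echoed prompt line
        m = _COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        if line.startswith("filter "):
            continue   # the active filter, not a tunnel row
        fields = line.split()
        if fields[0] == "name":
            header = fields   # column names: name id state local-ip peer-ip tunnel-i/f
            continue
        if header and len(fields) == len(header):
            row = dict(zip(header, fields))
            row["id"] = int(row["id"])
            tunnels.append(row)
    return {"counts": counts, "tunnels": tunnels}


def tunnels_not_active(parsed: dict) -> list[str]:
    """Names of tunnels whose state is anything but 'active', for alerting."""
    return [t["name"] for t in parsed["tunnels"] if t["state"] != "active"]


if __name__ == "__main__":
    parsed = parse_vpn_flow(SAMPLE_OUTPUT)
    print(parsed["counts"], parsed["tunnels"], tunnels_not_active(parsed))
```

Because rows are split on whitespace and matched against the header line, the parser does not depend on the exact column widths, only on the column order the header announces.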
Interpret VPN Error Messages

The following table lists some of the common VPN error messages that are logged in the system log.

Table: Syslog Error Messages for VPN Issues

If error is this:
  or
  IKE phase 1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP x.x.x.x[1929]
Try this:
  Verify that the public IP address for each VPN peer is accurate in the IKE Gateway configuration.
  Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.

If error is this:
  Received unencrypted notify payload (no proposal chosen) from IP x.x.x.x[500] to y.y.y.y[500], ignored...
  or
  IKE phase-1 negotiation is failed. Unable to process peer's SA payload.
Try this:
  Check the IKE Crypto profile configuration to verify that the proposals on both sides have a common encryption, authentication, and DH Group proposal.

If error is this:
  pfs group mismatched: my: 2 peer: 0
  or
Try this:
  Check the IPSec Crypto profile configuration to verify that:
  pfs is either enabled or disabled on both VPN peers
  the DH Groups proposed by each peer have at least one DH Group in common

If error is this:
Try this:
  The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto Networks firewall. See Step 8.
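The table above is the kind of mapping that belongs in a log pipeline rather than in an operator's memory. The following Python is an added example, not PAN-OS code or anything from the guide: it matches the message texts from the table against system-log lines and attaches the corresponding "Try this" guidance, pulling the peer address out where the message carries one. The sample log lines, with their timestamps, host name and addresses, are constructed for the example; only the message bodies follow the guide.

```python
from __future__ import annotations
import re
from typing import Optional

# Added example, not PAN-OS code: maps the system-log messages in the guide's
# table to its "Try this" guidance. Patterns are written against the message
# text as the guide prints it; sample lines below are constructed.

GUIDANCE = {
    "peer-address": (
        "Verify that the public IP address for each VPN peer is accurate in the IKE "
        "Gateway configuration, that the IP addresses can be pinged, and that routing "
        "issues are not causing the connection failure."
    ),
    "ike-proposal": (
        "Check the IKE Crypto profile configuration to verify that the proposals on "
        "both sides have a common encryption, authentication, and DH Group proposal."
    ),
    "pfs-mismatch": (
        "Check the IPSec Crypto profile: pfs must be either enabled or disabled on "
        "both VPN peers, and the DH Groups proposed by each peer must have at least "
        "one in common."
    ),
}

# (compiled pattern, guidance key); the first match wins
SIGNATURES = [
    (re.compile(r"Couldn.?t find configuration for IKE phase-?1 request", re.I), "peer-address"),
    (re.compile(r"no proposal chosen", re.I), "ike-proposal"),
    (re.compile(r"Unable to process peer.?s SA payload", re.I), "ike-proposal"),
    (re.compile(r"pfs group mismatched", re.I), "pfs-mismatch"),
]


def classify(message: str) -> Optional[str]:
    """Guidance key for a log line, or None when the table has no entry for it."""
    for pattern, key in SIGNATURES:
        if pattern.search(message):
            return key
    return None


def peer_ip(message: str) -> Optional[str]:
    """Peer address from 'for peer IP a.b.c.d[port]' or 'from IP a.b.c.d[port]'."""
    m = re.search(r"(?:for peer|from) IP (\d+\.\d+\.\d+\.\d+)\[\d+\]", message)
    return m.group(1) if m else None


def triage(log_lines: list[str]) -> list[dict]:
    """One entry per recognised line: the line, its category, peer and guidance."""
    out = []
    for line in log_lines:
        key = classify(line)
        if key:
            out.append({"line": line, "category": key, "peer": peer_ip(line), "try": GUIDANCE[key]})
    return out


# Constructed sample log lines (prefix, host and addresses are made up).
SAMPLE_LOG = [
    "2016-05-19 10:01:02 fw1 IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP 198.51.100.7[1929]",
    "2016-05-19 10:01:05 fw1 Received unencrypted notify payload (no proposal chosen) from IP 198.51.100.7[500] to 203.0.113.2[500], ignored...",
    "2016-05-19 10:01:09 fw1 pfs group mismatched: my: 2 peer: 0",
    "2016-05-19 10:01:10 fw1 IKE phase-1 negotiation is failed. Unable to process peer's SA payload.",
    "2016-05-19 10:01:11 fw1 OSPF neighbor 2.1.1.140 state changed to Full",
]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["category"], entry["peer"], "->", entry["try"][:60], "...")
```

The patterns tolerate a missing apostrophe and either spelling of "phase 1", since both forms appear in the guide's own table.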
Site-to-Site VPN Quick Configs

The following sections provide instructions for configuring some common VPN deployments:

Site-to-Site VPN with Static Routing
Site-to-Site VPN with OSPF
Site-to-Site VPN with Static and Dynamic Routing

Site-to-Site VPN with Static Routing

The following example shows a VPN connection between two sites that use static routes. Without dynamic routing, the tunnel interfaces on VPN Peer A and VPN Peer B do not require an IP address because the firewall automatically uses the tunnel interface as the next hop for routing traffic across the sites. However, to enable tunnel monitoring, a static IP address has been assigned to each tunnel interface.
Quick Config: Site-to-Site VPN with Static Routing

Step 1  Configure a Layer 3 interface.
        This interface is used for the IKE phase 1 tunnel.
        1.
        2.
        3. On the Config tab, select the Security Zone to which the interface belongs:
           The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
           If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
        4. Select the Virtual Router to use.
        5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
        6. To save the interface configuration, click OK.
        In this example, the configuration for VPN Peer A is:
          Interface: ethernet1/7
          Security Zone: untrust
          Virtual Router: default
          IPv4: 192.168.210.26/24
        The configuration for VPN Peer B is:
          Interface: ethernet1/11
          Security Zone: untrust
          Virtual Router: default
          IPv4: 192.168.210.120/24

Step 2  Create a tunnel interface and attach it to a virtual router and security zone.
        1.
        2.
        3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
           To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
           (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
        4. Select the Virtual Router.
        5. (Optional) To assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface.
           With static routes, the tunnel interface does not require an IP address. For traffic that is destined to a specified subnet/IP address, the tunnel interface will automatically become the next hop. Consider adding an IP address if you want to enable tunnel monitoring.
        6. To save the interface configuration, click OK.
        In this example, the configuration for VPN Peer A is:
          Interface: tunnel.11
          Security Zone: vpn_tun
          Virtual Router: default
          IPv4: 172.19.9.2/24
        The configuration for VPN Peer B is:
          Interface: tunnel.12
          Security Zone: vpn_tun
          Virtual Router: default
          IPv4: 192.168.69.2/24

Step 3  Configure a static route, on the virtual router, to the destination subnet.
        1.
        2. Select Static Route, click Add, and enter a new route to access the subnet that is at the other end of the tunnel.
        In this example, the configuration for VPN Peer A is:
          Destination: 192.168.69.0/24
          Interface: tunnel.11
        The configuration for VPN Peer B is:
          Destination: 172.19.9.0/24
          Interface: tunnel.12

Step 4  Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
        Complete this task on both peers and make sure to set identical values.
        1.
        2.

Step 5  Set up the IKE Gateway.
        1.
        2.
        3.

Step 6  Set up the IPSec Tunnel.
        1.
        2.
        3.
        4. (Optional) To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 7  Create policies to allow traffic between the sites (subnets).
        1.
        2.

Step 8  Save any pending configuration changes.
        Click Commit.

Step 9  Test VPN connectivity.
        See View the Status of the Tunnels.
Site-to-Site VPN with OSPF

In this example, each site uses OSPF for dynamic routing of traffic. The tunnel IP address on each VPN peer is statically assigned and serves as the next hop for routing traffic between the two sites.
Quick Config: Site-to-Site VPN with Dynamic Routing using OSPF

Step 1  Configure the Layer 3 interfaces on each firewall.
        1.
        2.
        3. On the Config tab, select the Security Zone to which the interface belongs:
           The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
           If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
        4. Select the Virtual Router to use.
        5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
        6. To save the interface configuration, click OK.
        In this example, the configuration for VPN Peer A is:
          Interface: ethernet1/7
          Security Zone: untrust
          Virtual Router: default
          IPv4: 100.1.1.1/24
        The configuration for VPN Peer B is:
          Interface: ethernet1/11
          Security Zone: untrust
          Virtual Router: default
          IPv4: 200.1.1.1/24

Step 2  Create a tunnel interface and attach it to a virtual router and security zone.
        1.
        2.
        3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
           To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
           (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
        4. Select the Virtual Router.
        5. To assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
           This IP address will be used as the next hop IP address to route traffic to the tunnel and can also be used to monitor the status of the tunnel.
        6. To save the interface configuration, click OK.
        In this example, the configuration for VPN Peer A is:
          Interface: tunnel.41
          Security Zone: vpn_tun
          Virtual Router: default
          IPv4: 2.1.1.141/24
        The configuration for VPN Peer B is:
          Interface: tunnel.40
          Security Zone: vpn_tun
          Virtual Router: default
          IPv4: 2.1.1.140/24

Step 3  Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
        Complete this task on both peers and make sure to set identical values.
        1.
        2.

Step 4  Set up the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
        For more information on the OSPF options that are available on the firewall, see Configure OSPF.
        Use Broadcast as the link type when there are more than two OSPF routers that need to exchange routing information.
        1.
        2.
        3.

Step 5  Set up the IKE Gateway.
        This example uses static IP addresses for both VPN peers. Typically, the corporate office uses a statically configured IP address, and the branch side can be a dynamic IP address; dynamic IP addresses are not best suited for configuring stable services such as VPN.
        1.
        2.
        3.

Step 6  Set up the IPSec Tunnel.
        1.
        2.
        3.
        4. To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 7  Create policies to allow traffic between the sites (subnets).
        1.
        2.

Step 8  Verify OSPF adjacencies and routes from the CLI.
        Verify that both the firewalls can see each other as neighbors with full status. Also confirm the IP address of the VPN peer's tunnel interface and the OSPF Router ID. Use the following CLI commands on each VPN peer.
        show routing protocol ospf neighbor

Step 9  Test VPN connectivity.
        See Set Up Tunnel Monitoring and View the Status of the Tunnels.
Site-to-Site VPN with Static and Dynamic Routing

In this example, one site uses static routes and the other site uses OSPF. When the routing protocol is not the same between the locations, the tunnel interface on each firewall must be configured with a static IP address. Then, to allow the exchange of routing information, the firewall that participates in both the static and dynamic routing process must be configured with a Redistribution profile. Configuring the redistribution profile enables the virtual router to redistribute and filter routes between protocols (static routes, connected routes, and hosts) from the static autonomous system to the OSPF autonomous system. Without this redistribution profile, each protocol functions on its own and does not exchange any route information with other protocols running on the same virtual router.

In this example, the satellite office has static routes and all traffic destined to the 192.168.x.x network is routed to tunnel.41. The virtual router on VPN Peer B participates in both the static and the dynamic routing process and is configured with a redistribution profile in order to propagate (export) the static routes to the OSPF autonomous system.
Quick Config: Site-to-Site VPN with Static and Dynamic Routing

Step 1  Configure the Layer 3 interfaces on each firewall.
        1.
        2.
        3. On the Config tab, select the Security Zone to which the interface belongs:
           The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
           If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
        4. Select the Virtual Router to use.
        5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
        6. To save the interface configuration, click OK.
        In this example, the configuration for VPN Peer A is:
          Interface: ethernet1/7
          Security Zone: untrust
          Virtual Router: default
          IPv4: 100.1.1.1/24
        The configuration for VPN Peer B is:
          Interface: ethernet1/11
          Security Zone: untrust
          Virtual Router: default
          IPv4: 200.1.1.1/24

Step 2  Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
        Complete this task on both peers and make sure to set identical values.
        1.
        2.

Step 3  Set up the IKE Gateway.
        With pre-shared keys, to add authentication scrutiny when setting up the IKE phase 1 tunnel, you can set up Local and Peer Identification attributes and a corresponding value that is matched in the IKE negotiation process.
        1.
        2.
        3.
Step 4  Create a tunnel interface and attach it to a virtual router and security zone.
        1.
        2. In the Interface Name field, specify a numeric suffix, say, .41.
        3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
           To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
           (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
        4. Select the Virtual Router.
        5. To assign an IP address to the tunnel interface, select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
           This IP address will be used to route traffic to the tunnel and to monitor the status of the tunnel.
        6. To save the interface configuration, click OK.
        In this example, the configuration for VPN Peer A is:
          Interface: tunnel.41
          Security Zone: vpn_tun
          Virtual Router: default
          IPv4: 2.1.1.141/24
        The configuration for VPN Peer B is:
          Interface: tunnel.42
          Security Zone: vpn_tun
          Virtual Router: default
          IPv4: 2.1.1.140/24

Step 5  Specify the interface to route traffic to a destination on the 192.168.x.x network.
        1. On VPN Peer A, select the virtual router.
        2. Select Static Routes, and Add tunnel.41 as the Interface for routing traffic with a Destination in the 192.168.x.x network.

Step 6  Set up the static route and the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
        1.
        2.
        3.
        4.
        In this example, the OSPF configuration for VPN Peer B is:
          Router ID: 192.168.100.140
          Area ID: 0.0.0.0 is assigned to the interface Ethernet1/12, Link type: Broadcast
          Area ID: 0.0.0.10 is assigned to the interface Ethernet1/1, Link Type: Broadcast
          Area ID: 0.0.0.20 is assigned to the interface Ethernet1/15, Link Type: Broadcast
Step 7  Create a redistribution profile to inject the static routes into the OSPF autonomous system.
        1. Create a redistribution profile on VPN Peer B.
           a. Select Network > Virtual Routers, and select the router you used above.
           b. Select Redistribution Profiles, and click Add.
           c. Enter a Name for the profile, select Redist, and assign a Priority value. If you have configured multiple profiles, the profile with the lowest priority value is matched first.
           d. Set Source Type as static, and click OK. The static route defined in Step 6-2 will be used for the redistribution.
        2. Inject the static routes into the OSPF system.
           a. Select OSPF > Export Rules (for IPv4) or OSPFv3 > Export Rules (for IPv6).
           b. Click Add, and select the redistribution profile that you just created.
           c. Select how the external routes are brought into the OSPF system. The default option, Ext2, calculates the total cost of the route using only the external metrics. To use both internal and external OSPF metrics, use Ext1.
           d. Assign a Metric (cost value) for the routes injected into the OSPF system. This option allows you to change the metric for the injected route as it comes into the OSPF system.
           e. Click OK to save the changes.

Step 8  Set up the IPSec Tunnel.
        1.
        2.
        3.
        4. To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 9  Create policies to allow traffic between the sites (subnets).
        1.
        2.

Step 10 Verify OSPF adjacencies and routes from the CLI.
        Verify that both the firewalls can see each other as neighbors with full status. Also confirm the IP address of the VPN peer's tunnel interface and the OSPF Router ID. Use the following CLI commands on each VPN peer.
        show routing protocol ospf neighbor
        show routing route
        The following is an example of the output on each VPN peer.

Step 11 Test VPN connectivity.
        See Set Up Tunnel Monitoring and View the Status of the Tunnels.
Large Scale VPN (LSVPN)

The GlobalProtect Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall simplifies the deployment of traditional hub-and-spoke VPNs, enabling you to quickly deploy enterprise networks with several branch offices with a minimum amount of configuration required on the remote satellites. This solution uses certificates for firewall authentication and IPSec to secure data.

LSVPN enables site-to-site VPNs between Palo Alto Networks firewalls. To set up a site-to-site VPN between a Palo Alto Networks firewall and another device, see VPNs.

The following topics describe the LSVPN components and how to set them up to enable site-to-site VPN services between Palo Alto Networks firewalls:

LSVPN Overview
Create Interfaces and Zones for the LSVPN
Enable SSL Between GlobalProtect LSVPN Components
Configure the Portal to Authenticate Satellites
Configure GlobalProtect Gateways for LSVPN
Configure the GlobalProtect Portal for LSVPN
Prepare the Satellite to Join the LSVPN
Verify the LSVPN Configuration
LSVPN Quick Configs
LSVPN Overview
GlobalProtect provides a complete infrastructure for managing secure access to corporate resources from your remote sites. This infrastructure includes the following components:
GlobalProtect Portal: Provides the management functions for your GlobalProtect LSVPN infrastructure. Every satellite that participates in the GlobalProtect LSVPN receives configuration information from the portal, including configuration information to enable the satellites (the spokes) to connect to the gateways (the hubs). You configure the portal on an interface on any Palo Alto Networks next-generation firewall.
GlobalProtect Gateways: A Palo Alto Networks firewall that provides the tunnel endpoint for satellite connections. The resources that the satellites access are protected by security policy on the gateway. It is not required to have a separate portal and gateway; a single firewall can function as both portal and gateway.
GlobalProtect Satellite: A Palo Alto Networks firewall at a remote site that establishes IPSec tunnels with the gateway(s) at your corporate office(s) for secure access to centralized resources. Configuration on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN as you add new sites.
The following diagram illustrates how the GlobalProtect LSVPN components work together.
Create Interfaces and Zones for the LSVPN
You must configure the following interfaces and zones for your LSVPN infrastructure:
GlobalProtect portal: Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from your branch offices.
GlobalProtect gateways: Requires three interfaces: a Layer 3 interface in the zone that is reachable by the remote satellites, an internal interface in the trust zone that connects to the protected resources, and a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site VPN solutions, the GlobalProtect gateway only requires a single tunnel interface, which it will use for tunnel connections with all of your remote satellites (point-to-multipoint). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface.
GlobalProtect satellites: Requires a single tunnel interface for establishing a VPN with the remote gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface.
For more information about portals, gateways, and satellites, see LSVPN Overview.
Set Up Interfaces and Zones for the GlobalProtect LSVPN

Step 1: Configure a Layer 3 interface.
The portal and each gateway and satellite all require a Layer 3 interface to enable traffic to be routed between sites. If the gateway and portal are on the same firewall, you can use a single interface for both components.
IPv6 addresses are not supported with LSVPN.
4. Select the Virtual Router to use.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
6. To save the interface configuration, click OK.

Step 2: On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
Make sure to enable User-ID in the zone where the VPN tunnels terminate.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
- To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
- (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example lsvpntun), select the Enable User Identification check box, and then click OK. A dedicated zone is recommended because traffic that stays within a single zone is permitted by the default intrazone rule; terminating the tunnels in their own zone forces branch traffic through explicit interzone security policy.
4. Select the Virtual Router.
5. (Optional) If you want to assign an IP address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.11.33/24.
6. To save the interface configuration, click OK.

Step 3: If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.
For example, a policy rule enables traffic between the lsvpntun zone and the L3-Trust zone.

Step 4: Save the configuration.
Click Commit.
Enable SSL Between GlobalProtect LSVPN Components
All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) and/or certificate profiles in the configurations for each component. The following sections describe the supported methods of certificate deployment, descriptions and best-practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and deploying the required certificates:
About Certificate Deployment
Deploy Server Certificates to the GlobalProtect LSVPN Components
Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

About Certificate Deployment
There are two basic approaches to deploying certificates for GlobalProtect LSVPN:
Enterprise Certificate Authority: If you already have your own enterprise certificate authority, you can use this internal CA to issue an intermediate CA certificate for the GlobalProtect portal to enable it to issue certificates to the GlobalProtect gateways and satellites. You can also configure the GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to issue client certificates to GlobalProtect satellites.
Self-Signed Certificates: You can generate a self-signed root CA certificate on the firewall and use it to issue server certificates for the portal, gateway(s), and satellite(s). As a best practice, create a self-signed root CA certificate on the portal and use it to issue server certificates for the gateways and satellites. This way, the private key used for certificate signing stays on the portal.

Deploy Server Certificates to the GlobalProtect LSVPN Components
The GlobalProtect LSVPN components use SSL/TLS to mutually authenticate. Before deploying the LSVPN, you must assign an SSL/TLS service profile to each portal and gateway. The profile specifies the server certificate and allowed TLS versions for communication with satellites. You don't need to create SSL/TLS service profiles for the satellites because the portal will issue a server certificate for each satellite during the first connection as part of the satellite registration process.
In addition, you must import the root certificate authority (CA) certificate used to issue the server certificates onto each firewall that you plan to host as a gateway or satellite. Finally, on each gateway and satellite participating in the LSVPN, you must configure a certificate profile that will enable them to establish an SSL/TLS connection using mutual authentication.
The following workflow shows the best-practice steps for deploying SSL certificates to the GlobalProtect LSVPN components:
Deploy SSL Server Certificates to the GlobalProtect Components

Step 1: On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components.
Create a Self-Signed Root CA Certificate:
1. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
2. Enter a Certificate Name, such as LSVPN_CA.
3. Do not select a value in the Signed By field (this is what indicates that it is self-signed).
4. Select the Certificate Authority check box and then click OK to generate the certificate.

Step 2: Create SSL/TLS service profiles for the GlobalProtect portal and gateways.
For the portal and each gateway, you must assign an SSL/TLS service profile that references a unique self-signed server certificate.
The best practice is to issue all of the required certificates on the portal, so that the signing certificate (with the private key) doesn't have to be exported.
If the GlobalProtect portal and gateway are on the same firewall interface, you can use the same server certificate for both components.
1. Use the root CA on the portal to Generate a Certificate for each gateway you will deploy:
a. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
b. Enter a Certificate Name.
c. Enter the FQDN (recommended) or IP address of the interface where you plan to configure the gateway in the Common Name field.
d. In the Signed By field, select the LSVPN_CA certificate you just created.
e. In the Certificate Attributes section, click Add and define the attributes to uniquely identify the gateway. If you add a Host Name attribute (which populates the SAN field of the certificate), it must exactly match the value you defined for the Common Name.
f. Generate the certificate.
2. Configure an SSL/TLS Service Profile for the portal and each gateway:
a. Select Device > Certificate Management > SSL/TLS Service Profile and click Add.
b. Enter a Name to identify the profile and select the server Certificate you just created for the portal or gateway.
c. Define the range of TLS versions (Min Version to Max Version) allowed for communicating with satellites and click OK.

Step 3: Deploy the self-signed server certificates to the gateways.
Best Practices:
- Export the self-signed server certificates issued by the root CA from the portal and import them onto the gateways.
- Be sure to issue a unique server certificate for each gateway.
- The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the IP address or fully qualified domain name (FQDN) of the interface where you configure the gateway.
3. Enter (and re-enter) a Passphrase to encrypt the private key associated with the certificate and then click OK to download the PKCS12 file to your computer.
5. Enter a Certificate Name.
6. Enter the path and name to the Certificate File you just downloaded from the portal, or Browse to find the file.
8. Enter the path and name to the PKCS12 file in the Key File field or Browse to find it.
9. Enter and re-enter the Passphrase you used to encrypt the private key when you exported it from the portal and then click OK to import the certificate and key.

Step 4: Import the root CA certificate used to issue server certificates for the LSVPN components.
You must import the root CA certificate onto all gateways and satellites. For security reasons, make sure you export the certificate only, and not the associated private key.
1. Download the root CA certificate from the portal.
a. Select Device > Certificate Management > Certificates > Device Certificates.
b. Select the root CA certificate used to issue certificates for the LSVPN components and click Export.
c. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (Do not export the private key.)
2. On the firewalls hosting the gateways and satellites, import the root CA certificate.
a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
c. Browse to the Certificate File you downloaded from the CA.
d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
e. Select the certificate you just imported on the Device Certificates tab to open it.
f. Select Trusted Root CA and then click OK.
g. Commit the changes.

Step 5: Create a certificate profile.
The GlobalProtect LSVPN portal and each gateway require a certificate profile that specifies which certificate to use to authenticate the satellites.
4. (Optional, but recommended) Enable use of CRL and/or OCSP to enable certificate status verification.
5. Click OK to save the profile.

Step 6: Save the configuration.
Click Commit.
Deploy Client Certificates to the GlobalProtect Satellites Using SCEP
As an alternative method for deploying client certificates to satellites, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI. SCEP operation is dynamic in that the enterprise PKI generates a certificate when the portal requests it and sends the certificate to the portal.
When the satellite device requests a connection to the portal or gateway, it also includes its serial number with the connection request. The portal submits a CSR to the SCEP server using the settings in the SCEP profile and automatically includes the serial number of the device in the subject of the client certificate. After receiving the client certificate from the enterprise PKI, the portal transparently deploys the client certificate to the satellite device. The satellite device then presents the client certificate to the portal or gateway for authentication.
Deploy Server Certificates to the GlobalProtect Components Using SCEP

Step 1: Create a SCEP profile.
2. Enter a Name to identify the SCEP profile.
3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.

Step 2: (Optional) To make the SCEP-based certificate generation more secure, configure a SCEP challenge-response mechanism between the PKI and portal for each certificate request. After you configure this mechanism, its operation is invisible, and no further input from you is necessary.
To comply with the U.S. Federal Information Processing Standard (FIPS), use a Dynamic SCEP challenge and specify a Server URL that uses HTTPS (see Step 7).
Select one of the following options:
- None (Default): The SCEP server does not challenge the portal before it issues a certificate. Without a challenge password the SCEP server has no proof that an enrollment request came from the portal rather than from any other host that can reach the SCEP URL, so use Fixed or Dynamic wherever your PKI supports it.
- Fixed: Obtain the enrollment challenge password from the SCEP server (for example, http://10.200.101.1/CertSrv/mscep_admin/) in the PKI infrastructure and then copy or enter the password into the Password field.
- Dynamic: Enter the SCEP Server URL where the portal client submits these credentials (for example, http://10.200.101.1/CertSrv/mscep_admin/), and a username and OTP of your choice. The username and password can be the credentials of the PKI administrator.

Step 3: Specify the settings for the connection between the SCEP server and the portal to enable the portal to request and receive client certificates.
To identify the satellite, the portal automatically includes the device serial number in the CSR request to the SCEP server. Because the SCEP profile requires a value in the Subject field, you can leave the default $USERNAME token even though the value is not used in client certificates for LSVPN.
1. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, http://10.200.101.1/certsrv/mscep/).
2. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
3. Select the Subject Alternative Name Type:
- RFC 822 Name: Enter the email name in a certificate's subject or Subject Alternative Name extension.
- DNS Name: Enter the DNS name used to evaluate certificates.
- Uniform Resource Identifier: Enter the name of the resource from which the client will obtain the certificate.
- None: Do not specify attributes for the certificate.

Step 4: (Optional) Configure cryptographic settings for the certificate.
Select the key length (Number of Bits) for the certificate. If the firewall is in FIPS-CC mode and the key generation algorithm is RSA, the RSA keys must be 2048 bits or larger.
Select the Digest for CSR, which indicates the digest algorithm for the certificate signing request (CSR): SHA1, SHA256, SHA384, or SHA512. Prefer 2048-bit or larger RSA keys and a SHA-2 digest (SHA256 or stronger) regardless of FIPS-CC mode; SHA1 remains selectable only for compatibility with older PKIs.

Step 5: (Optional) To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
1. Enter the URL for the SCEP server's administrative UI (for example, http://<hostname or IP>/CertSrv/mscep_admin/).
2. Copy the thumbprint and enter it in the CA Certificate Fingerprint field.

Step 6: Select the SCEP server's root CA Certificate.

Step 7: Enable mutual SSL authentication between the SCEP server and the GlobalProtect portal. This is required to comply with the U.S. Federal Information Processing Standard (FIPS).
FIPS-CC operation is indicated on the firewall login page and in its status bar.
Optionally, you can enable mutual SSL authentication between the SCEP server and the GlobalProtect portal by selecting a Client Certificate.

Step 8: Save and commit the configuration.
1. Click OK to save the settings and close the SCEP configuration.
2. Commit the configuration.
The portal attempts to request a CA certificate using the settings in the SCEP profile and saves it to the firewall hosting the portal. If successful, the CA certificate is shown in Device > Certificate Management > Certificates.

Step 9: (Optional) If, after saving the SCEP profile, the portal fails to obtain the certificate, you can manually generate a certificate signing request (CSR) from the portal.
Configure the Portal to Authenticate Satellites
In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal will issue a server certificate for the satellite and push the LSVPN configuration specifying the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.
There are two ways that the satellite can authenticate to the portal during its initial connection:
Serial number: You can configure the portal with the serial number of the satellite firewalls that are authorized to join the LSVPN. During the initial satellite connection to the portal, the satellite presents its serial number to the portal and, if the portal has the serial number in its configuration, the satellite will be successfully authenticated. You add the serial numbers of authorized satellites when you configure the portal. See Configure the Portal.
Username and password: If you would rather provision your satellites without manually entering the serial numbers of the satellites into the portal configuration, you can instead require the satellite administrator to authenticate when establishing the initial connection to the portal. Although the portal will always look for the serial number in the initial request from the satellite, if it cannot identify the serial number, the satellite administrator must provide a username and password to authenticate to the portal. Because the portal will always fall back to this form of authentication, you must create an authentication profile in order to commit the portal configuration. This requires that you set up an authentication profile for the portal LSVPN configuration even if you plan to authenticate satellites using the serial number. Because any satellite whose serial number is unknown can join by presenting credentials that this profile accepts, scope the profile (or the Enrollment User/User Group match criteria in the satellite configuration) to a dedicated group of satellite administrators rather than a broad directory group.
The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service. GlobalProtect LSVPN supports external authentication using a local database, LDAP (including Active Directory), Kerberos, TACACS+, or RADIUS.
Set Up Satellite Authentication

Step 1: (External authentication only) Create a server profile on the portal.
The server profile defines how the firewall connects to an external authentication service to validate the authentication credentials that the satellite administrator enters.
If you use local authentication, skip this step and instead add a local user for the satellite administrator: see Configure the user account.
Configure a server profile for the authentication service type:
- Configure a RADIUS Server Profile.
- Configure a TACACS+ Server Profile.
- Configure an LDAP Server Profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.
- Configure a Kerberos Server Profile.

Step 2: Configure an authentication profile.
The authentication profile defines which server profile to use to authenticate satellites.
Configure GlobalProtect Gateways for LSVPN
Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect to, it is a good idea to configure the gateways before configuring the portal.
Prerequisite Tasks
Configure the Gateway

Prerequisite Tasks
Before you can configure the GlobalProtect gateway, you must complete the following tasks:
- Create Interfaces and Zones for the LSVPN on the interface where you will configure each gateway. You must configure both the physical interface and the virtual tunnel interface.
- Enable SSL Between GlobalProtect LSVPN Components by configuring the gateway server certificates, SSL/TLS service profiles, and certificate profile required to establish a mutual SSL/TLS connection from the GlobalProtect satellites to the gateway.

Configure the Gateway
After you have completed the Prerequisite Tasks, configure each GlobalProtect gateway to participate in the LSVPN as follows:

Configure the Gateway for LSVPN

Step 1: Add a gateway.
2. In the General screen, enter a Name for the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
3. (Optional) Select the virtual system to which this gateway belongs from the Location field.

Step 2: Specify the network information that enables satellite devices to connect to the gateway.
If you haven't created the network interface for the gateway, see Create Interfaces and Zones for the LSVPN for instructions.
1. Select the Interface that satellites will use for ingress access to the gateway.
2. Select the IP Address for gateway access.
3. Click OK to save changes.
Step 3: Specify how the gateway authenticates satellites attempting to establish tunnels.
If you haven't yet created an SSL/TLS Service profile for the gateway, see Deploy Server Certificates to the GlobalProtect LSVPN Components. If you haven't set up the authentication profiles, see Configure the Portal to Authenticate Satellites for instructions. If you have not yet set up the certificate profile, see Enable SSL Between GlobalProtect LSVPN Components for instructions.
On the GlobalProtect Gateway Configuration dialog, select Authentication and then configure any of the following:
- To secure communication between the gateway and the satellites, select the SSL/TLS Service Profile for the gateway.
- To specify the authentication profile to use to authenticate satellites, Add a Client Authentication. Then, enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate the satellite. You can also select a Certificate Profile for the gateway to use to authenticate satellite devices attempting to establish tunnels.

Step 4: Configure the tunnel parameters and enable tunneling.
1. On the GlobalProtect Gateway Configuration dialog, select Satellite > Tunnel Settings.
2. Select the Tunnel Configuration check box to enable tunneling.
4. (Optional) If you want to preserve the Type of Service (ToS) information in the encapsulated packets, select Copy TOS. If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order.

Step 5: (Optional) Enable tunnel monitoring.
Tunnel monitoring enables satellites to monitor their gateway tunnel connection, allowing them to fail over to a backup gateway if the connection fails. Failover to another gateway is the only type of tunnel monitoring profile supported with LSVPN.
1. Select the Tunnel Monitoring check box.
2. Specify the Destination IP address the satellites should use to determine if the gateway is active. Alternatively, if you configured an IP address for the tunnel interface, you can leave this field blank and the tunnel monitor will instead use the tunnel interface to determine if the connection is active.
3. Select Failover from the Tunnel Monitor Profile drop-down (this is the only supported tunnel monitor profile for LSVPN).

Step 6: Select the IPSec Crypto profile to use when establishing tunnel connections.
The profile specifies the type of IPSec encryption and the authentication method for securing the data that will traverse the tunnel. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you can typically use the default (predefined) profile, which uses ESP as the IPSec protocol, group2 for the DH group, AES-128-CBC for encryption, and SHA1 for authentication.
Treat the predefined profile as a compatibility baseline rather than a hardened one: DH group 2 is 1024-bit MODP and SHA1 is no longer considered adequate for new deployments. If every gateway and satellite runs a release that supports them, define a custom IPSec Crypto profile with a larger DH group and AES-256 with SHA-256 or stronger authentication, and select that profile here instead.
Step 7: Configure the network settings to assign the satellites during establishment of the IPSec tunnel.
You can also configure the satellite to push the DNS settings to its local clients by configuring a DHCP server on the firewall hosting the satellite. In this configuration, the satellite will push DNS settings it learns from the gateway to the DHCP clients.
1. On the GlobalProtect Gateway Configuration dialog, select Satellite > Network Settings.
2. (Optional) If clients local to the satellite need to resolve FQDNs on the corporate network, configure the gateway to push DNS settings to the satellites in one of the following ways:
- If the gateway has an interface that is configured as a DHCP client, you can set the Inheritance Source to that interface and assign the same settings received by the DHCP client to GlobalProtect satellites. You can also inherit the DNS suffix from the same source.
- Manually define the Primary DNS, Secondary DNS, and DNS Suffix settings to push to the satellites.
3. To specify the IP Pool of addresses to assign the tunnel interface on the satellites when the VPN is established, click Add and then specify the IP address range(s) to use.
4. To define what destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:
- If you want to route all traffic from the satellites through the tunnel, leave this field blank. Note that in this case, all traffic except traffic destined for the local subnet will be tunneled to the gateway.
- To route only some traffic through the gateway (called split tunneling), specify the destination subnets that must be tunneled. In this case, the satellite will route traffic that is not destined for a specified access route using its own routing table. For example, you may choose to only tunnel traffic destined for your corporate network, and use the local satellite to safely enable Internet access.
- If you want to enable routing between satellites, enter the summary route for the network protected by each satellite.

Step 8: (Optional) Define what routes, if any, the gateway will accept from satellites.
By default, the gateway will not add any routes satellites advertise to its routing table. If you do not want the gateway to accept routes from satellites, you do not need to complete this step.
1. To enable the gateway to accept routes advertised by satellites, select Satellite > Route Filter.
2. Select the Accept published routes check box.
3. To filter which of the routes advertised by the satellites to add to the gateway routing table, click Add and then define the subnets to include. For example, if all the satellites are configured with subnet 192.168.x.0/24 on the LAN side, configure a permitted route of 192.168.0.0/16 so that the gateway only accepts routes from a satellite if they fall within 192.168.0.0/16. Always define a permitted-route filter when you accept published routes; otherwise a misconfigured or compromised satellite can advertise a route for any prefix, including your corporate subnets, and divert traffic from the gateway to the branch.

Step 9: Save the gateway configuration.
1. Click OK to save the settings and close the GlobalProtect Gateway Configuration dialog.
2. Commit the configuration.
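The access-route and route-filter behavior described in Steps 7 and 8, as an added Python model that is not part of the guide or of PAN-OS: the gateway-side check installs a satellite's published route only if it falls entirely inside a permitted subnet, and the satellite-side check decides whether a destination is sent through the tunnel or left to the local routing table. The permitted routes, access routes, satellite LAN prefix and advertised routes are constructed sample values.

```python
import ipaddress

# Constructed sample settings (not from the guide).
PERMITTED_ROUTES = ["192.168.0.0/16"]            # Satellite > Route Filter (Step 8)
ACCESS_ROUTES = ["10.0.0.0/8", "172.16.0.0/12"]  # Satellite > Network Settings (Step 7)
SATELLITE_LAN = "192.168.7.0/24"                 # the branch LAN behind one satellite


def gateway_accepts_route(published, permitted=PERMITTED_ROUTES):
    """Gateway side (Step 8): with 'Accept published routes' enabled, a route a
    satellite advertises is added to the gateway routing table only if it lies
    entirely inside one of the permitted subnets. An empty permitted list means
    no filtering at all, so every advertised prefix (even 0.0.0.0/0) is accepted."""
    net = ipaddress.ip_network(published, strict=False)
    if not permitted:
        return True
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in permitted)


def filtered_routes(published, permitted=PERMITTED_ROUTES):
    """Apply the gateway filter to a whole set of advertised routes and return
    only the ones the gateway would install."""
    return [r for r in published if gateway_accepts_route(r, permitted)]


def satellite_uses_tunnel(dst, access_routes=ACCESS_ROUTES, lan=SATELLITE_LAN):
    """Satellite side (Step 7): traffic for the satellite's own subnet is never
    tunneled; with no access routes everything else goes through the tunnel; with
    access routes (split tunneling) only matching destinations are tunneled and
    the rest follow the satellite's own routing table."""
    ip = ipaddress.ip_address(dst)
    if ip in ipaddress.ip_network(lan):
        return False
    if not access_routes:
        return True
    return any(ip in ipaddress.ip_network(r) for r in access_routes)


if __name__ == "__main__":
    # Constructed set of routes one satellite might advertise, including a default
    # route that an unfiltered gateway would accept.
    advertised = ["192.168.7.0/24", "192.168.8.0/24", "10.0.0.0/8", "0.0.0.0/0"]
    print("installed on gateway:", filtered_routes(advertised))
    for dst in ("10.20.30.40", "8.8.8.8", "192.168.7.10"):
        print(dst, "via tunnel" if satellite_uses_tunnel(dst) else "local routing table")
```

The IPv4-only handling matches the guide's note that LSVPN does not support IPv6 addresses; comparing a published prefix against the permitted list with subnet_of, rather than checking only the network address, is what rejects an advertised 0.0.0.0/0 or a /8 that merely contains the branch.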
Configure the GlobalProtect Portal for LSVPN
The GlobalProtect portal provides the management functions for your GlobalProtect LSVPN. Every satellite system that participates in the LSVPN receives configuration information from the portal, including information about available gateways as well as the certificate it needs in order to connect to the gateways.
The following sections provide procedures for setting up the portal:
Prerequisite Tasks
Configure the Portal
Define the Satellite Configurations

Prerequisite Tasks
Before configuring the GlobalProtect portal, you must complete the following tasks:
- Create Interfaces and Zones for the LSVPN on the interface where you will configure the portal.
- Enable SSL Between GlobalProtect LSVPN Components by creating an SSL/TLS service profile for the portal server certificate, issuing gateway server certificates, and configuring the portal to issue server certificates for the GlobalProtect satellites.
- Configure the Portal to Authenticate Satellites by defining the authentication profile that the portal will use to authenticate satellites if the serial number is not available.
- Configure GlobalProtect Gateways for LSVPN.

Configure the Portal
After you have completed the Prerequisite Tasks, configure the GlobalProtect portal as follows:

Configure the Portal for LSVPN

Step 1: Add the portal.
2. On the General tab, enter a Name for the portal. The portal name should not contain any spaces.
3. (Optional) Select the virtual system to which this portal belongs from the Location field.

Step 2: Specify the network information to enable satellites to connect to the portal.
If you haven't yet created the network interface for the portal, see Create Interfaces and Zones for the LSVPN for instructions.
1. Select the Interface that satellites will use for ingress access to the portal.
2. Select the IP Address for satellite access to the portal.
Step 3: Specify an SSL/TLS Service profile to use to enable the satellite to establish an SSL/TLS connection to the portal.
If you haven't yet created an SSL/TLS service profile for the portal and issued gateway certificates, see Deploy Server Certificates to the GlobalProtect LSVPN Components.
1. On the GlobalProtect Portal Configuration dialog, select Authentication.
2. Select the SSL/TLS Service Profile.

Step 4: Specify an authentication profile and optional certificate profile for authenticating satellites.
If the portal can't validate the serial numbers of connecting satellites, it will fall back to the authentication profile. Therefore, before you can save the portal configuration (by clicking OK), you must Configure an authentication profile.
Add a Client Authentication, and then enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate satellite devices. You can also specify a Certificate Profile for the portal to use to authenticate satellite devices.

Step 5: Continue with defining the configurations to push to the satellites or, if you have already created the satellite configurations, save the portal configuration.
Click OK to save the portal configuration or continue to Define the Satellite Configurations.
Define the Satellite Configurations
When a GlobalProtect satellite connects and successfully authenticates to the GlobalProtect portal, the portal delivers a satellite configuration, which specifies what gateways the satellite can connect to. If all your satellites will use the same gateway and certificate configurations, you can create a single satellite configuration to deliver to all satellites upon successful authentication. However, if you require different satellite configurations (for example, if you want one group of satellites to connect to one gateway and another group of satellites to connect to a different gateway), you can create a separate satellite configuration for each. The portal will then use the enrollment username/group name or the serial number of the satellite to determine which satellite configuration to deploy. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the satellite.
For example, the following figure shows a network in which some branch offices require VPN access to the corporate applications protected by your perimeter firewalls and another site needs VPN access to the data center.
Use the following procedure to create one or more satellite configurations.
Create a GlobalProtect Satellite Configuration

Step 1: Add a satellite configuration.
The satellite configuration specifies the GlobalProtect LSVPN configuration settings to deploy to the connecting satellites. You must define at least one satellite configuration.
2. In the Satellite section, click Add.
3. Enter a Name for the configuration. If you plan to create multiple configurations, make sure the name you define for each is descriptive enough to allow you to distinguish them.
4. To change how often a satellite should check the portal for configuration updates, specify a value in the Configuration Refresh Interval (hours) field (range is 1-48; default is 24).

Step 2: Specify the satellites to which to deploy this configuration.
The portal uses the Enrollment User/User Group settings and/or Devices serial numbers to match a satellite to a configuration. Therefore, if you have multiple configurations, be sure to order them properly. As soon as the portal finds a match, it will deliver the configuration. Therefore, more specific configurations must precede more general ones. See Step 5 for instructions on ordering the list of satellite configurations.
Specify the match criteria for the satellite configuration as follows:
- To restrict this configuration to satellites with specific serial numbers, select the Devices tab, click Add, and enter the serial number (you do not need to enter the satellite hostname; it will be automatically added when the satellite connects). Repeat this step for each satellite you want to receive this configuration.
- Select the Enrollment User/User Group tab, click Add, and then select the user or group you want to receive this configuration. Satellites that do not match on serial number will be required to authenticate as a user specified here (either an individual user or group member).
Before you can restrict the configuration to specific groups, you must Map Users to Groups.

Step 3: Specify the gateways that satellites with this configuration can establish VPN tunnels with.
Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10 x the routing priority. If you have more than one gateway, make sure to also set the routing priority to ensure that routes advertised by backup gateways have higher metrics compared to the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway.
1. On the Gateways tab, click Add.
2. Enter a descriptive Name for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough to identify the location of the gateway.
3. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
4. (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway. Enter a value in the range of 1-25, with lower numbers having the higher priority (that is, the gateway the satellite will connect to if all gateways are available). The satellite will multiply the routing priority by 10 to determine the routing metric.

Step 4: Save the satellite configuration.
1. Click OK to save the satellite configuration.
2. If you want to add another satellite configuration, repeat Step 1 through Step 4.

Step 5: Arrange the satellite configurations so that the proper configuration is deployed to each satellite.
- To move a satellite configuration up on the list of configurations, select the configuration and click Move Up.
- To move a satellite configuration down on the list of configurations, select the configuration and click Move Down.
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 663
ConfiguretheGlobalProtectPortalforLSVPN
LargeScaleVPN(LSVPN)
CreateaGlobalProtectSatelliteConfiguration(Continued)
Step6
Step7
Specifythecertificatesrequiredto
enablesatellitestoparticipateinthe
LSVPN.
Savetheportalconfiguration.
664 PANOS7.1AdministratorsGuide
1.
2.
SelectthemethodofClient Certificatedistribution:
TostoretheclientcertificatesontheportalselectLocal
andselecttheRootCAcertificatethattheportalwilluseto
issueclientcertificatestosatellitesuponsuccessfully
authenticatingthemfromtheIssuing Certificate
dropdown.
IftherootCAcertificateusedtoissueyourgateway
servercertificatesisnotontheportal,youcan
Importitnow.SeeEnableSSLBetween
GlobalProtectLSVPNComponentsfordetailson
howtoimportarootCAcertificate.
ToenabletheportaltoactasaSCEPclienttodynamically
requestandissueclientcertificatesselectSCEPandthen
selecttheSCEPprofileusedtogenerateCSRstoyourSCEP
server.
Iftheyouhavenotyetsetuptheportaltoactasa
SCEPclient,youcanaddaNewSCEPprofilenow.
SeeDeployClientCertificatestotheGlobalProtect
SatellitesUsingSCEPfordetails.
1.
ClickOKtosavethesettingsandclosetheGlobalProtect
PortalConfigurationdialog.
2.
Commityourchanges.
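The following is an added example, not code from this guide or from Palo Alto Networks. It models offline how the portal chooses a satellite configuration under the rules in Steps 2 and 5 above: the ordered list is walked and the first configuration whose Devices serial numbers or Enrollment User/User Group entries match is delivered, a satellite without a serial-number match must authenticate as a listed user or group member, and a general configuration placed ahead of a more specific one shadows it. Treating a configuration with no criteria as a catch-all is a modelling assumption; all names, serial numbers and groups are constructed.

```python
"""Offline model of GlobalProtect LSVPN satellite-configuration matching.
Added example; not the portal's code.  Catch-all handling is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SatelliteConfig:
    name: str
    serials: frozenset = frozenset()        # Devices tab (serial numbers)
    principals: frozenset = frozenset()     # Enrollment User/User Group tab
    refresh_hours: int = 24                 # Configuration Refresh Interval

    def __post_init__(self):
        if not 1 <= self.refresh_hours <= 48:   # range stated in Step 1
            raise ValueError("Configuration Refresh Interval must be 1-48 hours")

    def is_catch_all(self):
        return not self.serials and not self.principals


def match_config(configs, serial, user=None, groups=()):
    """Return (config, how) for the first match in portal order, else (None, None).

    user/groups is the identity the satellite authenticated with, if any.
    A serial-number match needs no credentials; every other match does."""
    identity = set(groups)
    if user is not None:
        identity.add(user)
    for cfg in configs:
        if serial in cfg.serials:
            return cfg, "serial"
        if identity and (cfg.principals & identity or cfg.is_catch_all()):
            return cfg, "user"
    return None, None


def lint_order(configs):
    """Names of configurations listed after a catch-all: every satellite that
    authenticates is matched by the catch-all before they are considered."""
    for i, cfg in enumerate(configs):
        if cfg.is_catch_all():
            return [c.name for c in configs[i + 1:]]
    return []


# Constructed sample portal list, ordered most specific first.
PORTAL_CONFIGS = [
    SatelliteConfig("branch-nyc", serials=frozenset({"012345678901"}), refresh_hours=4),
    SatelliteConfig("contractor-sites", principals=frozenset({"lsvpn-contractors"})),
    SatelliteConfig("all-other-satellites"),
]
```

Run `lint_order` over the list each time a configuration is added or moved; a non-empty result means Move Up/Move Down is needed before the commit.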
Prepare the Satellite to Join the LSVPN

To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is minimal, you can preconfigure the satellites before shipping them to your branch offices for installation.

Prepare the Satellite to Join the GlobalProtect LSVPN

Step 1: Configure a Layer 3 interface.
This is the physical interface the satellite will use to connect to the portal and the gateway. This interface must be in a zone that allows access outside of the local trust network. As a best practice, create a dedicated zone for VPN connections for visibility and control over traffic destined for the corporate gateways.

Step 2: Configure the logical tunnel interface for the tunnel to use to establish VPN tunnels with the GlobalProtect gateways.
IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
1. (text of this step is missing from the source)
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down and select an existing zone, or create a separate zone for VPN tunnel traffic by clicking New Zone and defining a Name for the new zone (for example, lsvpn-sat).
4. In the Virtual Router drop-down, select default.
5. (Optional) If you want to assign an IP address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 2.2.2.11/24.
6. To save the interface configuration, click OK.

Step 3: If you generated the portal server certificate using a root CA that is not trusted by the satellites (for example, if you used self-signed certificates), import the root CA certificate used to issue the portal server certificate.
The root CA certificate is required to enable the satellite to establish the initial connection with the portal to obtain the LSVPN configuration.
1. Download the CA certificate that was used to generate the portal server certificates. If you are using self-signed certificates, export the root CA certificate from the portal as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates.
   b. Select the CA certificate, and click Export.
   c. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (You do not need to export the private key; it stays on the portal.)
2. Import the root CA certificate you just exported onto each satellite as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
   b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
   c. Browse to the Certificate File you downloaded from the CA.
   d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
   e. Select the certificate you just imported on the Device Certificates tab to open it.
   f. Select Trusted Root CA and then click OK.

Step 4: Configure the IPSec tunnel configuration.
1. (text of this step is missing from the source)
2. On the General tab, enter a descriptive Name for the IPSec configuration.
3. Select the Tunnel Interface you created for the satellite.
4. Select GlobalProtect Satellite as the Type.
5. Enter the IP address or FQDN of the portal as the Portal Address.
6. Select the Layer 3 Interface you configured for the satellite.
7. Select the Local IP Address to use on the selected interface.

Step 5: (Optional) Configure the satellite to publish local routes to the gateway.
Pushing routes to the gateway enables traffic to the subnets local to the satellite via the gateway. However, you must also configure the gateway to accept the routes as detailed in Step 8 in Configure the Gateway.
1. To enable the satellite to push routes to the gateway, on the Advanced tab select Publish all static and connected routes to Gateway. If you select this check box, the firewall forwards all static and connected routes from the satellite to the gateway. However, to prevent the creation of routing loops, the firewall applies route filters that withhold the following routes:
   - Default routes
   - Routes within a virtual router other than the virtual router associated with the tunnel interface
   - Routes using the tunnel interface
   - Routes using the physical interface associated with the tunnel interface
2. (Optional) If you only want to push routes for specific subnets rather than all routes, click Add in the Subnet section and specify which subnet routes to publish.

Step 6: Save the satellite configuration.
1. Click OK to save the IPSec tunnel settings.
2. Click Commit.

Step 7: If required, provide the credentials to allow the satellite to authenticate to the portal.
This step is only required if the portal was unable to find a serial number match in its configuration or if the serial number didn't work. In this case, the satellite will not be able to establish the tunnel with the gateway(s) until it authenticates.
1. (text of this step is missing from the source)
2. (text of this step is missing from the source)
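The following is an added example, not code from this guide or from Palo Alto Networks. It models two routing behaviours described in this chapter: the loop-prevention filters the satellite applies when Publish all static and connected routes to Gateway is enabled (Step 5 above, including the optional Subnet restriction), and the static routes a satellite installs from routes its gateways publish, with metric = 10 x the gateway's Routing Priority (Step 3 of Create a GlobalProtect Satellite Configuration), so a backup gateway at priority 10 yields metric 100 against the primary's 10. The routes, interface names, gateway names and priorities below are constructed sample data.

```python
"""Offline model of LSVPN route publication filters and gateway-route metrics.
Added example; not PAN-OS code."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: str      # destination, e.g. "192.168.10.0/24"
    interface: str   # egress interface of the route
    vrouter: str     # virtual router the route belongs to
    kind: str        # "static" or "connected"


def publishable_routes(routes, tunnel_if, physical_if, tunnel_vr, subnets=None):
    """Routes the satellite pushes to the gateway, in input order.
    subnets: optional explicit prefixes from the Subnet section."""
    published = []
    for r in routes:
        if r.kind not in ("static", "connected"):
            continue                                    # only static/connected
        if ipaddress.ip_network(r.prefix).prefixlen == 0:
            continue                                    # default route withheld
        if r.vrouter != tunnel_vr:
            continue                                    # other virtual router withheld
        if r.interface in (tunnel_if, physical_if):
            continue                                    # via tunnel or its physical interface
        if subnets is not None and r.prefix not in subnets:
            continue                                    # not in the explicit Subnet list
        published.append(r)
    return published


def install_gateway_routes(published_by_gateway, routing_priority, tunnel_if):
    """Static routes a satellite installs as (prefix, gateway, interface, metric),
    sorted per prefix so the preferred (lowest metric) gateway comes first."""
    installed = []
    for gw, prefixes in published_by_gateway.items():
        prio = routing_priority[gw]
        if not 1 <= prio <= 25:                         # Routing Priority range 1-25
            raise ValueError(f"routing priority for {gw} out of range 1-25")
        for prefix in prefixes:
            installed.append((prefix, gw, tunnel_if, prio * 10))
    installed.sort(key=lambda r: (r[0], r[3]))
    return installed


# Constructed satellite routing table; tunnel.2 is bound to ethernet1/1.
SATELLITE_ROUTES = [
    Route("0.0.0.0/0", "ethernet1/1", "default", "static"),         # default: withheld
    Route("203.0.113.0/24", "ethernet1/1", "default", "connected"),  # physical if: withheld
    Route("10.99.0.0/16", "tunnel.2", "default", "static"),          # via tunnel: withheld
    Route("172.16.5.0/24", "ethernet1/3", "guest-vr", "connected"),  # other VR: withheld
    Route("192.168.10.0/24", "ethernet1/2", "default", "connected"),
    Route("192.168.20.0/24", "ethernet1/4", "default", "static"),
]
```

Compare `publishable_routes` output against what the gateway's Satellite Info page shows as accepted routes; a branch subnet missing from both is usually one of the four withheld classes.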
Verify the LSVPN Configuration

After configuring the portal, gateways, and satellites, verify that the satellites are able to connect to the portal and gateway and establish VPN tunnels with the gateway(s).

Step 1: Verify satellite connectivity with the portal.
From the firewall hosting the portal, verify that satellites are successfully connecting by selecting Network > GlobalProtect > Portal and clicking Satellite Info in the Info column of the portal configuration entry.

Step 2: Verify satellite connectivity with the gateway(s).
On each firewall hosting a gateway, verify that satellites are able to establish VPN tunnels by selecting Network > GlobalProtect > Gateways and clicking Satellite Info in the Info column of the gateway configuration entry. Satellites that have successfully established tunnels with the gateway are listed on the Active Satellites tab.

Step 3: Verify LSVPN tunnel status on the satellite.
On each firewall hosting a satellite, verify the tunnel status by selecting Network > IPSec Tunnels and confirming that the Status is active, as indicated by a green icon.
LSVPN Quick Configs

The following sections provide step-by-step instructions for configuring some common GlobalProtect LSVPN deployments:
- Basic LSVPN Configuration with Static Routing
- Advanced LSVPN Configuration with Dynamic Routing
Basic LSVPN Configuration with Static Routing

This quick config shows the fastest way to get up and running with LSVPN. In this example, a single firewall at the corporate headquarters site is configured as both a portal and a gateway. Satellites can be quickly and easily deployed with minimal configuration for optimized scalability.

The following workflow shows the steps for setting up this basic configuration:

Quick Config: Basic LSVPN with Static Routing

Step 1: Configure a Layer 3 interface.
In this example, the Layer 3 interface on the portal/gateway requires the following configuration:
- Interface: ethernet1/11
- Security Zone: lsvpn-unt
- IPv4: 203.0.113.11/24

Step 2: On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
To enable visibility into users and groups connecting over the VPN, enable User-ID in the zone where the VPN tunnels terminate.
In this example, the tunnel interface on the portal/gateway requires the following configuration:
- Interface: tunnel.1
- Security Zone: lsvpn-tun

Step 3: Create the security policy rule to enable traffic flow between the VPN zone where the tunnel terminates (lsvpn-tun) and the trust zone where the corporate applications reside (L3-Trust).

Step 4: Assign an SSL/TLS Service profile to the portal/gateway.
The profile must reference a self-signed server certificate. The certificate subject name must match the FQDN or IP address of the Layer 3 interface you create for the portal/gateway.
1. On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components. In this example, the root CA certificate, lsvpn-CA, will be used to issue the server certificate for the portal/gateway. In addition, the portal will use this root CA certificate to sign the CSRs from the satellites.
2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways. Because the portal and gateway are on the same interface in this example, they can share an SSL/TLS Service profile that uses the same server certificate. In this example, the profile is named lsvpn-server.

Step 5: Create a certificate profile.
In this example, the certificate profile lsvpn-profile references the root CA certificate lsvpn-CA. The gateway will use this certificate profile to authenticate satellites attempting to establish VPN tunnels.

Step 6: Configure an authentication profile for the portal to use if the satellite serial number is not available.
1. Create one type of server profile on the portal:
   - Configure a RADIUS Server Profile.
   - Configure a TACACS+ Server Profile.
   - Configure an LDAP Server Profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.
   - Configure a Kerberos Server Profile.
2. Configure an authentication profile. In this example, the profile lsvpn-sat is used to authenticate satellites.

Step 7: Configure the Gateway for LSVPN.

Step 8: Configure the Portal for LSVPN.

Step 9: Create a GlobalProtect Satellite Configuration.
On the Satellite tab in the portal configuration, Add a Satellite configuration and a Trusted Root CA, and specify the CA the portal will use to issue certificates for the satellites. In this example the required settings are as follows:
- Gateway: 203.0.113.11
- Issuing Certificate: lsvpn-CA
- Trusted Root CA: lsvpn-CA

Step 10: Prepare the Satellite to Join the LSVPN.
The satellite configuration in this example requires the following settings:
Interface Configuration
- Layer 3 interface: ethernet1/1, 203.0.113.13/24
- Tunnel interface: tunnel.2
- Zone: lsvpn-sat
Root CA Certificate from Portal
- lsvpn-CA
IPSec Tunnel Configuration
- Tunnel Interface: tunnel.2
- Portal Address: 203.0.113.11
- Interface: ethernet1/1
- Local IP Address: 203.0.113.13/24
- Publish all static and connected routes to Gateway: enabled
Advanced LSVPN Configuration with Dynamic Routing

In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations because access routes will update dynamically. The following example configuration shows how to extend the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.

Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the gateways and the satellites:
- Manual assignment of IP addresses to tunnel interfaces on all gateways and satellites.
- Configuration of OSPF point-to-multipoint (P2MP) on the virtual router on all gateways and satellites. In addition, as part of the OSPF configuration on each gateway, you must manually define the tunnel IP address of each satellite as an OSPF neighbor. Similarly, on each satellite, you must manually define the tunnel IP address of each gateway as an OSPF neighbor.

Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces the maintenance tasks associated with keeping routes up to date as topology changes occur on your network.

The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure OSPF as the dynamic routing protocol for the VPN.

For a basic setup of an LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can then complete the steps in the following workflow to extend the configuration to use dynamic routing rather than static routing.

Quick Config: LSVPN with Dynamic Routing

Step 1: Add an IP address to the tunnel interface configuration on each gateway and each satellite.
Complete the following steps on each gateway and each satellite:
1. Select Network > Interfaces > Tunnel and select the tunnel configuration you created for the LSVPN to open the Tunnel Interface dialog. If you have not yet created the tunnel interface, see Step 2 in Quick Config: Basic LSVPN with Static Routing.
2. On the IPv4 tab, click Add and then enter an IP address and subnet mask. For example, to add an IP address for the gateway tunnel interface you would enter 2.2.2.100/24.
3. Click OK to save the configuration.

Step 2: Configure the dynamic routing protocol on the gateway.
To configure OSPF on the gateway:
1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
3. If you are creating a new area, enter an Area ID on the Type tab.
4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
5. Select p2mp as the Link Type.
6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each satellite, for example 2.2.2.111.
7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
8. Repeat this step each time you add a new satellite to the LSVPN.

Step 3: Configure the dynamic routing protocol on the satellite.
To configure OSPF on the satellite:
1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
3. If you are creating a new area, enter an Area ID on the Type tab.
4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
5. Select p2mp as the Link Type.
6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each GlobalProtect gateway, for example 2.2.2.100.
7. Click OK twice to save the virtual router configuration and then Commit the changes on the satellite.
8. Repeat this step each time you add a new gateway.

Step 4: Verify that the gateways and satellites are able to form router adjacencies.
On each satellite and each gateway, confirm that peer adjacencies have formed and that routing table entries have been created for the peers (that is, the satellites have routes to the gateways and the gateways have routes to the satellites).
- Select Network > Virtual Router and click the More Runtime Stats link for the virtual router you are using for the LSVPN. On the Routing tab, verify that the LSVPN peer has a route.
- On the OSPF > Interface tab, verify that the Type is p2mp.
- On the OSPF > Neighbor tab, verify that the firewalls hosting your gateways have established router adjacencies with the firewalls hosting your satellites and vice versa. Also verify that the Status is Full, indicating that full adjacencies have been established.
Networking

All Palo Alto Networks next-generation firewalls provide a flexible networking architecture that includes support for dynamic routing, switching, and VPN connectivity, and enables you to deploy the firewall into nearly any networking environment. When configuring the Ethernet ports on your firewall, you can choose from virtual wire, Layer 2, or Layer 3 interface deployments. In addition, to allow you to integrate into a variety of network segments, you can configure different types of interfaces on different ports. The Interface Deployments section provides basic information on each type of deployment. For more detailed deployment information, refer to Designing Networks with Palo Alto Networks Firewalls.

The following topics describe networking concepts and how to integrate Palo Alto Networks next-generation firewalls into your network.
- Interface Deployments
- Configure an Aggregate Interface Group
- Use Interface Management Profiles to Restrict Access
- Virtual Routers
- Static Routes
- RIP
- OSPF
- BGP
- Session Settings and Timeouts
- DHCP
- NAT
- NPTv6
- ECMP
- LLDP
- BFD

For information on route distribution, refer to Understanding Route Redistribution and Filtering.
Interface Deployments

A Palo Alto Networks firewall can operate in multiple deployments at once because the deployments occur at the interface level. The following sections describe the supported deployments.
- Virtual Wire Deployments
- Layer 2 Deployments
- Layer 3 Deployments
- Tap Mode Deployments

Virtual Wire Deployments

In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together and should be used only when no switching or routing is needed.

A virtual wire deployment allows the following conveniences:
- Simplifies installation and configuration.
- Does not require any configuration changes to surrounding or adjacent network devices.

The virtual wire deployment shipped as the factory default configuration (default-vwire) binds together Ethernet ports 1 and 2 and allows all untagged traffic. You can, however, use a virtual wire to connect any two ports and configure it to block or allow traffic based on the virtual LAN (VLAN) tags; the VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones and then classify traffic according to a VLAN tag, or a combination of a VLAN tag with IP classifiers (address, range, or subnet), to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

Figure: Virtual Wire Deployment

Virtual Wire Subinterfaces

Virtual wire subinterfaces provide flexibility in enforcing distinct policies when you need to manage traffic from multiple customer networks. They allow you to separate and classify traffic into different zones (the zones can belong to separate virtual systems, if required) using the following criteria:
- VLAN tags: The example in Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) shows an Internet Service Provider (ISP) using virtual wire subinterfaces with VLAN tags to separate traffic for two different customers.
- VLAN tags in conjunction with IP classifiers (address, range, or subnet): The following example shows an ISP with two separate virtual systems on a firewall that manages traffic from two different customers. On each virtual system, the example illustrates how virtual wire subinterfaces with VLAN tags and IP classifiers are used to classify traffic into separate zones and apply relevant policy for customers from each network.

Virtual Wire Subinterface Workflow

Step 1: Configure two Ethernet interfaces as type virtual wire, and assign these interfaces to a virtual wire.

Step 2: Create subinterfaces on the parent Virtual Wire to separate Customer A and Customer B traffic. Make sure that the VLAN tags defined on each pair of subinterfaces that are configured as virtual wire(s) are identical. This is essential because a virtual wire does not switch VLAN tags.

Step 3: Create new subinterfaces and define IP classifiers. This task is optional and only required if you wish to add additional subinterfaces with IP classifiers for further managing traffic from a customer based on the combination of VLAN tags and a specific source IP address, range or subnet. You can also use IP classifiers for managing untagged traffic. To do so, you must create a subinterface with the VLAN tag 0, and define subinterface(s) with IP classifiers for managing untagged traffic.
IP classification may only be used on the subinterfaces associated with one side of the virtual wire. The subinterfaces defined on the corresponding side of the virtual wire must use the same VLAN tag, but must not include an IP classifier.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only)

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) depicts Customer A and Customer B connected to the firewall through one physical interface, ethernet1/1, configured as a Virtual Wire; it is the ingress interface. A second physical interface, ethernet1/2, is also part of the Virtual Wire; it is the egress interface that provides access to the Internet. For Customer A, you also have subinterfaces ethernet1/1.1 (ingress) and ethernet1/2.1 (egress). For Customer B, you have the subinterfaces ethernet1/1.2 (ingress) and ethernet1/2.2 (egress). When configuring the subinterfaces, you must assign the appropriate VLAN tag and zone in order to apply policies for each customer. In this example, the policies for Customer A are created between Zone1 and Zone2, and policies for Customer B are created between Zone3 and Zone4.

When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this example, a single subinterface matches the VLAN tag on the incoming packet, hence that subinterface is selected. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.

The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers) depicts Customer A and Customer B connected to one physical firewall that has two virtual systems (vsys), in addition to the default virtual system (vsys1). Each virtual system is an independent virtual firewall that is managed separately for each customer. Each vsys has attached interfaces/subinterfaces and security zones that are managed independently.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers)

Vsys1 is set up to use the physical interfaces ethernet1/1 and ethernet1/2 as a virtual wire; ethernet1/1 is the ingress interface and ethernet1/2 is the egress interface that provides access to the Internet. This virtual wire is configured to accept all tagged and untagged traffic with the exception of VLAN tags 100 and 200, which are assigned to the subinterfaces.

Customer A is managed on vsys2 and Customer B is managed on vsys3. On vsys2 and vsys3, the following vwire subinterfaces are created with the appropriate VLAN tags and zones to enforce policy measures.

Customer    Vsys    Vwire Subinterfaces    Zone     VLAN Tag    IP Classifier
Customer A  vsys2   e1/1.1 (ingress)       Zone3    100         None
                    e1/2.1 (egress)        Zone4    100
                    e1/1.2 (ingress)       Zone5    100         IP subnet 192.1.0.0/16
                    e1/2.2 (egress)        Zone6    100
                    e1/1.3 (ingress)       Zone7    100         IP subnet 192.2.0.0/16
                    e1/2.3 (egress)        Zone8    100
Customer B  vsys3   e1/1.4 (ingress)       Zone9    200         None
                    e1/2.4 (egress)        Zone10   200

When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this case, for Customer A, there are multiple subinterfaces that use the same VLAN tag. Hence, the firewall first narrows the classification to a subinterface based on the source IP address in the packet. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.

For return path traffic, the firewall compares the destination IP address against the IP classifier defined on the customer-facing subinterface and selects the appropriate virtual wire to route traffic through the correct subinterface.

The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
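The following is an added example, not code from this guide or from Palo Alto Networks. It models the subinterface selection described for the vsys2/vsys3 table above: a customer-side packet is matched on VLAN tag first, and when several subinterfaces share the tag (Customer A, tag 100) the source IP is matched against their IP classifiers, with the classifier-less subinterface taking whatever is left; return traffic is matched on destination IP. It also checks the rule that a tag on the parent wire's Tag Allowed list must not be assigned to a subinterface. Longest-prefix selection among overlapping classifiers is an assumption the guide does not state; the table rows are the guide's, the parent Tag Allowed list is constructed.

```python
"""Offline model of virtual wire subinterface classification (VLAN tag plus
IP classifier).  Added example; not PAN-OS code."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class VwireSubif:
    ingress: str                        # customer-facing subinterface
    egress: str                         # Internet-facing subinterface
    ingress_zone: str
    egress_zone: str
    vlan: int                           # 0 means untagged
    classifier: Optional[str] = None    # IP subnet, customer side only


# The guide's example rows (vsys2 = Customer A, vsys3 = Customer B).
SUBIFS = [
    VwireSubif("ethernet1/1.1", "ethernet1/2.1", "Zone3", "Zone4", 100),
    VwireSubif("ethernet1/1.2", "ethernet1/2.2", "Zone5", "Zone6", 100, "192.1.0.0/16"),
    VwireSubif("ethernet1/1.3", "ethernet1/2.3", "Zone7", "Zone8", 100, "192.2.0.0/16"),
    VwireSubif("ethernet1/1.4", "ethernet1/2.4", "Zone9", "Zone10", 200),
]


def _select(subifs, vlan, ip):
    candidates = [s for s in subifs if s.vlan == vlan]
    if not candidates:
        return None                     # tag not assigned to any subinterface
    if len(candidates) == 1:
        return candidates[0]            # tag alone decides
    addr = ipaddress.ip_address(ip)
    best = None
    for s in candidates:
        if s.classifier is None:
            continue
        net = ipaddress.ip_network(s.classifier)
        if addr in net and (best is None or
                            net.prefixlen > ipaddress.ip_network(best.classifier).prefixlen):
            best = s                    # assumed: longest prefix wins
    if best is not None:
        return best
    # no classifier matched: fall back to the subinterface without one
    return next((s for s in candidates if s.classifier is None), None)


def classify_ingress(subifs, vlan, src_ip):
    """Subinterface chosen for a packet arriving from the customer side."""
    return _select(subifs, vlan, src_ip)


def classify_return(subifs, vlan, dst_ip):
    """Subinterface chosen for return traffic, matched on destination IP."""
    return _select(subifs, vlan, dst_ip)


def check_tags(parent_tag_allowed, subifs):
    """Errors for tags present on both the parent wire's Tag Allowed list and
    a subinterface (the guide says this must not happen)."""
    clashes = sorted({s.vlan for s in subifs} & set(parent_tag_allowed))
    return [f"VLAN tag {tag} is on both the parent virtual wire and a subinterface"
            for tag in clashes]
```

Run `check_tags` with the parent's Tag Allowed list before committing a subinterface change; in the example above the parent must exclude 100 and 200.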
Layer 2 Deployments

In a Layer 2 deployment, the firewall provides switching between two or more networks. You must assign a group of interfaces to a VLAN object in order for the firewall to switch between them. The firewall performs VLAN tag switching when Layer 2 subinterfaces are attached to a common VLAN object. Choose this option when switching is required.

Figure: Layer 2 Deployment

In a Layer 2 deployment, the firewall rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards it out. The firewall rewrites such BPDUs on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only.

The Cisco switch must have loop guard disabled for the PVST+ or Rapid PVST+ BPDU rewrite to function properly on the firewall.

Layer 3 Deployments

In a Layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires that you assign an IP address to each interface and configure Virtual Routers to route the traffic. Choose this option when routing is required.

Figure: Layer 3 Deployment

The following Layer 3 interface deployments are also supported:
- Point-to-Point Protocol over Ethernet Support
- DHCP Client

Point-to-Point Protocol over Ethernet Support

You can configure the firewall to be a Point-to-Point Protocol over Ethernet (PPPoE) termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection.

You can choose the PPPoE option and configure the associated settings when an interface is defined as a Layer 3 interface.

PPPoE is not supported in HA active/active mode.

DHCP Client

You can configure the firewall interface to act as a DHCP client and receive a dynamically assigned IP address. The firewall also provides the capability to propagate settings received by the DHCP client interface into a DHCP server operating on the firewall. This is most commonly used to propagate DNS server settings from an Internet service provider to client machines operating on the network protected by the firewall.

DHCP client is not supported in HA active/active mode.

For more information, see DHCP.

Tap Mode Deployments

A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.

The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it to a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.

When deployed in tap mode, the firewall is not able to take action, such as block traffic or apply QoS traffic control.
ConfigureanAggregateInterfaceGroup
AnaggregateinterfacegroupusesIEEE802.1AXlinkaggregationtocombinemultipleEthernetinterfaces
intoasinglevirtualinterfacethatconnectsthefirewalltoanothernetworkdeviceoranotherfirewall.An
aggregategroupincreasesthebandwidthbetweenpeersbyloadbalancingtrafficacrossthecombined
interfaces.Italsoprovidesredundancy;whenoneinterfacefails,theremaininginterfacescontinue
supportingtraffic.
Bydefault,interfacefailuredetectionisautomaticonlyatthephysicallayerbetweendirectlyconnected
peers.However,ifyouenableLinkAggregationControlProtocol(LACP),failuredetectionisautomaticatthe
physicalanddatalinklayersregardlessofwhetherthepeersaredirectlyconnected.LACPalsoenables
automaticfailovertostandbyinterfacesifyouconfiguredhotspares.AllPaloAltoNetworksfirewallsexcept
thePA200andVMSeriesplatformssupportaggregategroups.Youcanadduptoeightaggregategroups
perfirewallandeachgroupcanhaveuptoeightinterfaces.
Beforeconfiguringanaggregategroup,youmustconfigureitsinterfaces.Alltheinterfacesinanaggregate
groupmustbethesamewithrespecttobandwidthandinterfacetype.Theoptionsare:
Bandwidth1Gbpsor10Gbps
InterfacetypeHA3,virtualwire,Layer2,orLayer3.YoucanaggregatetheHA3(packetforwarding)
interfacesinanactive/activehighavailability(HA)deploymentbutonlyforPA500,PA3000Series,
PA4000Series,andPA5000Seriesfirewalls.
ThisproceduredescribesconfigurationstepsonlyforthePaloAltoNetworksfirewall.Youmustalsoconfigure
theaggregategrouponthepeerdevice.Refertothedocumentationofthatdeviceforinstructions.
ConfigureanAggregateInterfaceGroup
Step1
Configurethegeneralinterfacegroup
parameters.
682 PANOS7.1AdministratorsGuide
1.
2.
InthefieldadjacenttothereadonlyInterface Name,entera
number(18)toidentifytheaggregategroup.
3.
4.
ConfiguretheremainingparametersfortheInterface Type
youselected.
PaloAltoNetworks,Inc.
Networking
Configure an Aggregate Interface Group (Continued)

Step 2: Configure the LACP settings.
Perform this step only if you want to enable LACP for the aggregate group. You cannot enable LACP for virtual wire interfaces.

1. Select the LACP tab and Enable LACP.
2. Set the Mode for LACP status queries to Passive (the firewall just responds; the default) or Active (the firewall queries peer devices).
   As a best practice, set one LACP peer to active and the other to passive. LACP cannot function if both peers are passive. The firewall cannot detect the mode of its peer device.
3. Set the Transmission Rate for LACP query and response exchanges to Slow (every 30 seconds; the default) or Fast (every second). Base your selection on how much LACP processing your network supports and how quickly LACP peers must detect and resolve interface failures.
4. Select Fast Failover if you want to enable failover to a standby interface in less than one second. By default, the option is disabled and the firewall uses the IEEE 802.1ax standard for failover processing, which takes at least three seconds.
   As a best practice, use Fast Failover in deployments where you might lose critical data during the standard failover interval.
5. Enter the Max Ports (number of interfaces) that are active (1-8) in the aggregate group. If the number of interfaces you assign to the group exceeds the Max Ports, the remaining interfaces will be in standby mode. The firewall uses the LACP Port Priority of each interface you assign (Step 3) to determine which interfaces are initially active and to determine the order in which standby interfaces become active upon failover. If the LACP peers have non-matching port priority values, the values of the peer with the lower System Priority number (default is 32,768; range is 1-65,535) will override the other peer.
6. (Optional) For active/passive firewalls only, select Enable in HA Passive State if you want to enable LACP pre-negotiation for the passive firewall. LACP pre-negotiation enables quicker failover to the passive firewall (for details, see LACP and LLDP Pre-Negotiation for Active/Passive HA).
   If you select this option, you cannot select Same System MAC Address for Active-Passive HA; pre-negotiation requires unique interface MAC addresses on each HA firewall.
7. (Optional) For active/passive firewalls only, select Same System MAC Address for Active-Passive HA and specify a single MAC Address for both HA firewalls. This option minimizes failover latency if the LACP peers are virtualized (appearing to the network as a single device). By default, the option is disabled: each firewall in an HA pair has a unique MAC address.
   If the LACP peers are not virtualized, use unique MAC addresses to minimize failover latency.
Step 3: Assign interfaces to the aggregate group.
Perform the following steps for each interface (1-8) that will be a member of the aggregate group.

1.
2.
3. Select the Aggregate Group you just defined.
4.
5.
6. Click OK.

Step 4: If the firewalls have an active/active configuration and you are aggregating HA3 interfaces, enable packet forwarding for the aggregate group.

1.
2. Select the aggregate group you configured for the HA3 Interface and click OK.

Step 5: Commit your changes and verify the aggregate group status.

1. Click Commit.
2.
3. Verify that the Link State column displays a green icon for the aggregate group, indicating that all member interfaces are up. If the icon is yellow, at least one member is down but not all. If the icon is red, all members are down.
4. If you configured LACP, verify that the Features column displays the LACP enabled icon for the aggregate group.
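The Max Ports, Port Priority and System Priority rules in Step 2-5 are easier to reason about with a small model. The following is an added example, not code from the guide or from PAN-OS: it assumes that both LACP peers describe the same links by the firewall's interface names, that the peer with the numerically lower System Priority (ties broken on system MAC) governs the ordering, and that a lower Port Priority value wins. Names, MAC addresses and priorities are constructed.

```python
"""Added example: which aggregate-group members LACP keeps active.

Assumptions (not from the guide): each peer is described by a System Priority
and a map of link name -> Port Priority; the peer with the lower System
Priority (tie-break on system MAC, modelled as a string compare) decides the
active/standby order, and lower Port Priority values are preferred.
"""
from dataclasses import dataclass, field


@dataclass
class LacpPeer:
    name: str
    system_priority: int = 32768          # PAN-OS default; range 1-65,535
    system_mac: str = "00:00:00:00:00:00"
    port_priority: dict = field(default_factory=dict)  # link -> priority


def deciding_peer(a: LacpPeer, b: LacpPeer) -> LacpPeer:
    """The peer whose Port Priority values override the other's."""
    key = lambda p: (p.system_priority, p.system_mac)
    return a if key(a) <= key(b) else b


def select_active_ports(local, peer, members, max_ports):
    """Split the member list into (active, standby) honouring Max Ports."""
    if not 1 <= max_ports <= 8:
        raise ValueError("Max Ports must be between 1 and 8")
    decider = deciding_peer(local, peer)
    # Unknown links get the default priority; the name breaks remaining ties.
    ordered = sorted(members,
                     key=lambda m: (decider.port_priority.get(m, 32768), m))
    return ordered[:max_ports], ordered[max_ports:]


def failover(active, standby, failed_link):
    """On a member failure, promote the highest-priority standby link."""
    active = [link for link in active if link != failed_link]
    if standby:
        active.append(standby[0])
        standby = standby[1:]
    return active, standby


if __name__ == "__main__":
    # Constructed sample: switch has the lower System Priority, so its values win.
    fw = LacpPeer("firewall", 32768, "00:1b:17:00:00:01",
                  {"ethernet1/1": 1, "ethernet1/2": 2,
                   "ethernet1/3": 3, "ethernet1/4": 4})
    sw = LacpPeer("switch", 4096, "00:aa:bb:00:00:01",
                  {"ethernet1/1": 4, "ethernet1/2": 3,
                   "ethernet1/3": 2, "ethernet1/4": 1})
    links = ["ethernet1/1", "ethernet1/2", "ethernet1/3", "ethernet1/4"]
    act, stby = select_active_ports(fw, sw, links, max_ports=2)
    print("active:", act, "standby:", stby)
    print("after ethernet1/4 fails:", failover(act, stby, "ethernet1/4"))
```

The point the model makes visible is that the firewall's own Port Priority settings only matter when the firewall has the lower System Priority; otherwise the peer decides which links carry traffic after a failover.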
Use Interface Management Profiles to Restrict Access

An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall interface permits for management traffic. For example, you might want to prevent users from accessing the firewall web interface over the ethernet1/1 interface but allow that interface to receive SNMP queries from your network monitoring system. In this case, you would enable SNMP and disable HTTP/HTTPS in an Interface Management profile and assign the profile to ethernet1/1.

You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). If you do not assign an Interface Management profile to an interface, it denies access for all IP addresses, protocols, and services by default.

The management (MGT) interface does not require an Interface Management profile. You restrict protocols, services, and IP addresses for the MGT interface when you Perform Initial Configuration of the firewall. In case the MGT interface goes down, allowing management access over another interface enables you to continue managing the firewall. However, as a best practice, use additional methods besides Interface Management profiles to prevent unauthorized access over that interface. These methods include role-based access control and access restrictions based on VLANs, virtual routers, or virtual systems.

Configure and Assign an Interface Management Profile

Step 1: Configure the Interface Management profile.

1.
2. Select the protocols that the interface permits for management traffic: Ping, Telnet, SSH, HTTP, HTTP OCSP, HTTPS, or SNMP.
3. Select the services that the interface permits for management traffic:
   Response Pages: Use to enable response pages for:
     Captive Portal: To serve Captive Portal response pages, the firewall leaves ports open on Layer 3 interfaces: port 6080 for NT LAN Manager (NTLM), 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode. For details, see Configure Captive Portal.
     URL Admin Override: For details, see Configure URL Admin Override.
   User-ID: Use to Configure Firewalls to Redistribute User Mapping Information.
   User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP: Use to Configure User-ID to Receive User Mappings from a Syslog Sender over SSL or UDP.
4. (Optional) Add the Permitted IP Addresses that can access the interface. If you don't add entries to the list, the interface has no IP address restrictions.
5. Click OK.

Step 2: Assign the Interface Management profile to an interface.

1.
2.
3. Click OK and Commit.
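The three rules the text states (no profile means deny everything, an empty Permitted IP Addresses list means no source restriction, otherwise both the protocol and the source address must match) can be checked against a planned profile before it is committed. The following is an added example, not PAN-OS code and not the firewall's actual evaluation logic: profile names, interface names and addresses are constructed, and the cleartext-protocol check is an added review aid.

```python
"""Added example: evaluating an Interface Management profile offline.

Models the rules stated in the text: an interface with no profile denies all
management access; a profile with an empty Permitted IP Addresses list imposes
no source-IP restriction; otherwise the protocol must be enabled and the source
must fall inside a permitted entry. Names and addresses are constructed.
"""
import ipaddress

# Protocol names as listed in Step 1-2 of the procedure.
PROTOCOLS = {"ping", "telnet", "ssh", "http", "http-ocsp", "https", "snmp"}
# Management protocols that carry credentials or sessions unencrypted.
CLEARTEXT = {"telnet", "http"}


class InterfaceMgmtProfile:
    def __init__(self, name, protocols=(), permitted_ips=()):
        unknown = set(protocols) - PROTOCOLS
        if unknown:
            raise ValueError(f"unknown protocols: {sorted(unknown)}")
        self.name = name
        self.protocols = set(protocols)
        # Entries may be hosts or prefixes; strict=False tolerates host bits.
        self.permitted = [ipaddress.ip_network(entry, strict=False)
                          for entry in permitted_ips]

    def allows(self, protocol, source_ip):
        if protocol not in self.protocols:
            return False
        if not self.permitted:              # empty list: no IP restriction
            return True
        src = ipaddress.ip_address(source_ip)
        return any(src in net for net in self.permitted)


def management_allowed(profiles_by_interface, interface, protocol, source_ip):
    """Decide a management request against the profile bound to an interface."""
    profile = profiles_by_interface.get(interface)
    if profile is None:                     # no profile assigned: deny all
        return False
    return profile.allows(protocol, source_ip)


def cleartext_protocols(profile):
    """Enabled protocols that expose credentials on the wire; worth a review."""
    return profile.protocols & CLEARTEXT


if __name__ == "__main__":
    # Constructed sample matching the text's scenario: SNMP from the NMS only.
    snmp_only = InterfaceMgmtProfile("snmp-only", ["snmp"], ["10.0.5.0/24"])
    table = {"ethernet1/1": snmp_only}
    for iface, proto, src in [("ethernet1/1", "snmp", "10.0.5.20"),
                              ("ethernet1/1", "https", "10.0.5.20"),
                              ("ethernet1/1", "snmp", "192.0.2.9"),
                              ("ethernet1/2", "ping", "10.0.5.20")]:
        print(iface, proto, src, "->", management_allowed(table, iface, proto, src))
```

Run the script to see the four decisions for the scenario in the text; the last one is denied only because ethernet1/2 has no profile at all.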
Virtual Routers

The firewall uses virtual routers to obtain routes to other subnets by manually defining a route (static routes) or through participation in Layer 3 routing protocols (dynamic routes). The best routes obtained through these methods are used to populate the firewall's IP route table. When a packet is destined for a different subnet, the virtual router obtains the best route from this IP route table and forwards the packet to the next hop router defined in the table.

The Ethernet interfaces and VLAN interfaces defined on the firewall receive and forward the Layer 3 traffic. The destination zone is derived from the outgoing interface based on the forwarding criteria, and policy rules are consulted to identify the security policies to be applied. In addition to routing to other network devices, virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to another virtual router.

You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.

Each Layer 3 interface, loopback interface, and VLAN interface defined on the firewall must be associated with a virtual router. While each interface can belong to only one virtual router, multiple routing protocols and static routes can be configured for a virtual router. Regardless of the static routes and dynamic routing protocols configured for a virtual router, a common general configuration is required. The firewall uses Ethernet switching to reach other devices on the same IP subnet.

The following Layer 3 routing protocols are supported from virtual routers:
RIP
OSPF
OSPFv3
BGP

Define a Virtual Router General Configuration

Step 1: Gather the required information from your network administrator.
Interfaces that you want to route
Administrative distances for static, OSPF internal, OSPF external, IBGP, EBGP and RIP

Step 2: Create the virtual router and name it.

1.
2. Click Add and enter a name for the virtual router.
3. Select interfaces to apply to the virtual router.
4. Click OK.

Step 3: Select interfaces to apply to the virtual router.

1. Click Add in the Interfaces box.
2. Select an already defined interface from the drop-down.
3. Repeat Step 2 for all interfaces that you want to add to the virtual router.

Step 4: Set Administrative Distances for static and dynamic routing.
Set Administrative Distances as required.
Static: Range is 10-240; default is 10.
OSPF Internal: Range is 10-240; default is 30.
OSPF External: Range is 10-240; default is 110.
IBGP: Range is 10-240; default is 200.
EBGP: Range is 10-240; default is 20.
RIP: Range is 10-240; default is 120.

Step 5: Save virtual router general settings.
Click OK to save your settings.

Step 6: Commit your changes.
Click Commit. The firewall can take up to 90 seconds to save your changes.
Static Routes

The following procedure shows how to integrate the firewall into the network using static routing.

Set Up Interfaces and Zones

Step 1: Configure a default route to your Internet router.

1.
2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination field (for example, 0.0.0.0/0).
3.
4. Click OK twice to save the virtual router configuration.

Step 2: Configure the external interface (the interface that connects to the Internet).

1.
2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the steps for Layer 3.
3. In the Virtual Router drop-down, select default.
4.
5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button. Click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 208.80.56.100/24.
6.
7. To save the interface configuration, click OK.

Step 3: Configure the interface that connects to your internal network.
In this example, the interface connects to a network segment that uses private IP addresses. Because private IP addresses cannot be routed externally, you will have to configure NAT. See Configure NAT for details.

1.
2. Select Layer3 from the Interface Type drop-down.
3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Trust, and then click OK.
4. Select the same Virtual Router you used in Step 2, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.4/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
7. To save the interface configuration, click OK.

Step 4: Configure the interface that connects to the DMZ.

1. Select the interface you want to configure.
2. Select Layer3 from the Interface Type drop-down. In this example, we are configuring Ethernet1/13 as the DMZ interface.
3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example DMZ, and then click OK.
4. Select the Virtual Router you used in Step 2, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.1.1.1/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
7. To save the interface configuration, click OK.

Step 5: Save the interface configuration.
Click Commit.

Step 6: Cable the firewall.
Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.

Step 7: Verify that the interfaces are active.
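The Virtual Routers section says the route table holds the best route from each source and that administrative distance (Step 4 there) decides between sources; the Static Routes procedure above adds a 0.0.0.0/0 default route to that table. The following added example, which is not PAN-OS code, models both: a longest-prefix-match lookup with the guide's default administrative distances as the tie-break and the route metric after that. The source names (static, ospf-int, ospf-ext, ibgp, ebgp, rip) and all routes are constructed for the example; only the 0.0.0.0/0 destination comes from the procedure.

```python
"""Added example: route selection in a virtual router.

Longest prefix match first; among equal prefixes the lowest administrative
distance (AD) wins, then the lowest metric. Default ADs are the ones listed in
Step 4 of Define a Virtual Router General Configuration (range 10-240).
Source names and sample routes are constructed, not PAN-OS identifiers.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_AD = {"static": 10, "ospf-int": 30, "ospf-ext": 110,
              "ibgp": 200, "ebgp": 20, "rip": 120}


@dataclass(frozen=True)
class Route:
    destination: str      # prefix in CIDR form, e.g. "0.0.0.0/0"
    next_hop: str
    source: str           # one of the DEFAULT_AD keys
    metric: int = 0

    def prefix(self):
        return ipaddress.ip_network(self.destination, strict=False)


class VirtualRouter:
    def __init__(self, name, admin_distance=None):
        self.name = name
        self.routes = []
        self.ad = dict(DEFAULT_AD)
        for source, value in (admin_distance or {}).items():
            if source not in self.ad:
                raise ValueError(f"unknown route source {source!r}")
            if not 10 <= value <= 240:
                raise ValueError("administrative distance range is 10-240")
            self.ad[source] = value

    def add_route(self, route):
        if route.source not in self.ad:
            raise ValueError(f"unknown route source {route.source!r}")
        self.routes.append(route)

    def lookup(self, destination_ip):
        """Best route for a destination, or None if nothing matches."""
        addr = ipaddress.ip_address(destination_ip)
        candidates = [r for r in self.routes if addr in r.prefix()]
        if not candidates:
            return None
        # Longest prefix, then lowest AD, then lowest metric.
        return min(candidates, key=lambda r: (-r.prefix().prefixlen,
                                              self.ad[r.source], r.metric))


if __name__ == "__main__":
    vr = VirtualRouter("default")
    vr.add_route(Route("0.0.0.0/0", "208.80.56.1", "static"))      # default route
    vr.add_route(Route("10.20.0.0/16", "10.1.1.2", "ospf-int", 20))
    vr.add_route(Route("10.20.0.0/16", "10.1.1.3", "rip", 2))
    vr.add_route(Route("10.20.30.0/24", "10.1.1.4", "ebgp"))
    for ip in ("10.20.30.5", "10.20.40.5", "8.8.8.8"):
        best = vr.lookup(ip)
        print(ip, "->", best.next_hop, "via", best.source)
```

In the sample, 10.20.40.5 goes to the OSPF next hop even though RIP reports a smaller metric, because metrics are only compared within one source and OSPF internal has the lower AD; raising RIP's AD above OSPF's, or lowering it below, is exactly what Step 4 of the virtual router procedure controls.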
RIP

Routing Information Protocol (RIP) is an interior gateway protocol (IGP) that was designed for small IP networks. RIP relies on hop count to determine routes; the best routes have the fewest number of hops. RIP is based on UDP and uses port 520 for route updates. By limiting routes to a maximum of 15 hops, the protocol helps prevent the development of routing loops, but also limits the supported network size. If more than 15 hops are required, traffic is not routed. RIP also can take longer to converge than OSPF and other routing protocols. The firewall supports RIPv2.

Perform the following procedure to configure RIP.

Configure RIP

Step 1: Configure general virtual router configuration settings.
See Virtual Routers for details.

Step 2: Configure general RIP configuration settings.

1. Select the RIP tab.
2. Select Enable to enable the RIP protocol.
3.
4.

Step 3: Configure interfaces for the RIP protocol.

1. On the Interfaces tab, select an interface from the drop-down in the Interface configuration section.
2. Select an already defined interface.
3. Select Enable.
4. Select Advertise to advertise a default route to RIP peers with the specified metric value.
5. (Optional) Select a profile from the Auth Profile drop-down. See Step 5 for details.
6. Select normal, passive or send-only from the Mode drop-down.
7. Click OK.

Step 4: Configure RIP timers.

1.
2. Specify the Update Intervals to define the number of intervals between route update announcements (range is 1-3600; default is 30).
3. Specify the Delete Intervals to define the number of intervals between the time that the route expires to its deletion (range is 1-3600; default is 180).
4.

Step 5: (Optional) Configure Auth Profiles.
By default, the firewall does not use RIP authentication for the exchange between RIP neighbors. Optionally, you can configure RIP authentication between RIP neighbors by either a simple password or using MD5 authentication.

Simple Password RIP authentication
1. Select Auth Profiles and click Add.
2. Enter a name for the authentication profile to authenticate RIP messages.
3.
4. Enter a simple password and then confirm.

MD5 RIP authentication
1.
2. Enter a name for the authentication profile to authenticate RIP messages.
3.
4. Click Add.
5. Enter one or more password entries, including:
   Key-ID (range is 0-255)
   Key
6. (Optional) Select Preferred status.
7. Click OK to specify the key to be used to authenticate outgoing messages.
8. Click OK again in the Virtual Router - RIP - Auth Profile dialog box.
OSPF

Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) that is most often used to dynamically manage network routes in large enterprise networks. It determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The information gathered from the LSAs is used to construct a topology map of the network. This topology map is shared across routers in the network and used to populate the IP routing table with available routes.

Changes in the network topology are detected dynamically and used to generate a new topology map within seconds. A shortest path tree is computed for each route. Metrics associated with each routing interface are used to calculate the best route. These can include distance, network throughput, link availability, etc. Additionally, these metrics can be configured statically to direct the outcome of the OSPF topology map.

The Palo Alto Networks implementation of OSPF fully supports the following RFCs:
RFC 2328 (for IPv4)
RFC 5340 (for IPv6)

The following topics provide more information about OSPF and procedures for configuring OSPF on the firewall:
OSPF Concepts
Configure OSPF
Configure OSPFv3
Configure OSPF Graceful Restart
Confirm OSPF Operation

Also refer to the How to Configure OSPF Tech Note.

OSPF Concepts

The following topics introduce the OSPF concepts you will need to understand in order to configure the firewall to participate in an OSPF network:
OSPFv3
OSPF Neighbors
OSPF Areas
OSPF Router Types

OSPFv3

OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. It retains most of the structure and functions in OSPFv2 (for IPv4) with some minor changes. The following are some of the additions and changes to OSPFv3:

Support for multiple instances per link: With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID.
Protocol processing per link: OSPFv3 operates per link instead of per IP subnet as on OSPFv2.
Changes to addressing: IPv6 addresses are not present in OSPFv3 packets, except for LSA payloads within link state update packets. Neighboring routers are identified by the Router ID.
Authentication changes: OSPFv3 doesn't include any authentication capabilities. Configuring OSPFv3 on a firewall requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH). The re-keying procedure specified in RFC 4552 is not supported in this release.
Support for multiple instances per link: Each instance corresponds to an instance ID contained in the OSPFv3 packet header.
New LSA types: OSPFv3 supports two new LSA types: Link LSA and Intra Area Prefix LSA.

All additional changes are described in detail in RFC 5340.

OSPF Neighbors

Two OSPF-enabled routers connected by a common network and in the same OSPF area that form a relationship are OSPF neighbors. The connection between these routers can be through a common broadcast domain or by a point-to-point connection. This connection is made through the exchange of hello OSPF protocol packets. These neighbor relationships are used to exchange routing updates between routers.

OSPF Areas

OSPF operates within a single autonomous system (AS). Networks within this single AS, however, can be divided into a number of areas. By default, Area 0 is created. Area 0 can either function alone or act as the OSPF backbone for a larger number of areas. Each OSPF area is named using a 32-bit identifier which in most cases is written in the same dotted decimal notation as an IPv4 address. For example, Area 0 is usually written as 0.0.0.0.

The topology of an area is maintained in its own link state database and is hidden from other areas, which reduces the amount of traffic routing required by OSPF. The topology is then shared in a summarized form between areas by a connecting router.

OSPF Area Type: Description

Backbone Area: The backbone area (Area 0) is the core of an OSPF network. All other areas are connected to it and all traffic between areas must traverse it. All routing between areas is distributed through the backbone area. While all other OSPF areas must connect to the backbone area, this connection doesn't need to be direct and can be made through a virtual link.

Normal OSPF Area: In a normal OSPF area there are no restrictions; the area can carry all types of routes.

Stub OSPF Area: A stub area does not receive routes from other autonomous systems. Routing from the stub area is performed through the default route to the backbone area.

NSSA Area: The Not So Stubby Area (NSSA) is a type of stub area that can import external routes, with some limited exceptions.

OSPF Router Types

Within an OSPF area, routers are divided into the following categories.

Internal Router: A router that has OSPF neighbor relationships only with devices in the same area.
Area Border Router (ABR): A router that has OSPF neighbor relationships with devices in multiple areas. ABRs gather topology information from their attached areas and distribute it to the backbone area.
Backbone Router: A backbone router is any OSPF router that is attached to the OSPF backbone. Since ABRs are always connected to the backbone, they are always classified as backbone routers.
Autonomous System Boundary Router (ASBR): An ASBR is a router that attaches to more than one routing protocol and exchanges routing information between them.
Configure OSPF

OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The router keeps information about the links between it and the destination and can make highly efficient routing decisions. A cost is assigned to each router interface, and the best routes are determined to be those with the lowest costs, when summed over all the encountered outbound router interfaces and the interface receiving the LSA.

Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs. Because OSPF dynamically processes a considerable amount of route information, it has greater processor and memory requirements than does RIP.

Configure OSPF

Step 1: Configure general virtual router configuration settings.
See Virtual Routers for details.

Step 2: Enable OSPF.

1. Select the OSPF tab.
2. Select Enable to enable the OSPF protocol.
3. (Optional) Enter the Router ID.
4.

Step 3: Configure Areas Type for the OSPF protocol.

1. On the Areas tab, click Add.
2. Enter an Area ID for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.
3. On the Type tab, select one of the following from the area Type drop-down:
   Normal: There are no restrictions; the area can carry all types of routes.
   Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
     Accept Summary: Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
     Advertise Default Route: Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
   NSSA (Not So Stubby Area): The firewall can leave the area only by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
     Type: Select either Ext 1 or Ext 2 route type to advertise the default LSA.
     Ext Ranges: Click Add in the section to enter ranges of external routes that you want to enable or suppress advertising for.
4.
   Priority: Enter the OSPF priority for this interface (0-255). This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
   Auth Profile: Select a previously defined authentication profile.
   Timing: It is recommended that you keep the default timing settings.
   Neighbors: For p2mp interfaces, enter the neighbor IP address for all neighbors that are reachable through this interface.
5. Select normal, passive or send-only as the Mode.
6. Click OK.

Step 4: Configure Areas Range for the OSPF protocol.

1. On the Range tab, click Add to aggregate LSA destination addresses in the area into subnets.
2. Advertise or Suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.

Step 5: Configure Areas Interfaces for the OSPF protocol.

1. On the Interface tab, click Add and enter the following information for each interface to be included in the area:
   Interface: Select an interface from the drop-down.
   Enable: Selecting this option causes the OSPF interface settings to take effect.
   Passive: Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
   Link type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
   Metric: Enter an OSPF metric for this interface (range is 0-65535; default is 10).
   Priority: Enter an OSPF priority for this interface. This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) (range is 0-255; default is 1). If zero is configured, the router will not be elected as a DR or BDR.
   Auth Profile: Select a previously defined authentication profile.
   Timing: The following OSPF timing settings can be set. Palo Alto Networks recommends that you retain the default timing settings.
     Hello Interval (sec): Interval (in seconds) at which the OSPF process sends hello packets to its directly connected neighbors (range is 0-3600; default is 10).
     Dead Counts: Number of times the hello interval can occur for a neighbor without OSPF receiving a hello packet from the neighbor, before OSPF considers that neighbor down (range is 3-20; default is 4). The Hello Interval multiplied by the Dead Counts equals the value of the dead timer.
     Retransmit Interval (sec): Length of time (in seconds) that OSPF waits to receive a link state advertisement (LSA) from a neighbor before OSPF retransmits the LSA (range is 0-3600; default is 10).
     Transit Delay (sec): Length of time (in seconds) that an LSA is delayed before it is sent out of an interface (range is 0-3600; default is 1).
     Graceful Restart Hello Delay (sec): Applies to an OSPF interface when Active/Passive High Availability is configured. Graceful Restart Hello Delay is the length of time (in seconds) during which the firewall sends Grace LSA packets at 1-second intervals (range is 1-10; default is 10). During this time, no hello packets are sent from the restarting firewall. During the restart, the dead timer (which is the Hello Interval multiplied by the Dead Counts) is also counting down. If the dead timer is too short, the adjacency will go down during the graceful restart because of the hello delay. Therefore, it is recommended that the dead timer be at least four times the value of the Graceful Restart Hello Delay. For example, a Hello Interval of 10 seconds and a Dead Counts of 4 yield a dead timer of 40 seconds. If the Graceful Restart Hello Delay is set to 10 seconds, that 10-second delay of hello packets is comfortably within the 40-second dead timer, so the adjacency will not time out during a graceful restart.
   If p2mp is selected for Link Type, enter the neighbor IP addresses for all neighbors that are reachable through this interface.
2. Click OK.

Step 6: Configure Areas Virtual Links.

1. On the Virtual Link tab, click Add and enter the following information for each virtual link to be included in the backbone area:
   Name: Enter a name for the virtual link.
   Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
   Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
   Enable: Select to enable the virtual link.
   Timing: It is recommended that you keep the default timing settings.
   Auth Profile: Select a previously defined authentication profile.
2. Click OK.

Step 7: (Optional) Configure Auth Profiles.
By default, the firewall does not use OSPF authentication for the exchange between OSPF neighbors. Optionally, you can configure OSPF authentication between OSPF neighbors by either a simple password or using MD5 authentication.

Simple Password OSPF authentication
1. On the Auth Profiles tab, click Add.
2. Enter a name for the authentication profile to authenticate OSPF messages.
3.
4. Enter a simple password and then confirm.

MD5 OSPF authentication
1.
2. Enter a name for the authentication profile to authenticate OSPF messages.
3.
4. Click Add.
5. Enter one or more password entries, including:
   Key-ID (range is 0-255)
   Key
   Select the Preferred option to specify that the key be used to authenticate outgoing messages.
6. Click OK.
7. Click OK again in the Virtual Router - OSPF - Auth Profile dialog box.

Step 8: Configure Advanced OSPF options.

1.
2.
3.
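Step 7 above (and Step 5 of Configure RIP) offers a choice between a simple password and MD5 keys with a Key-ID. The difference is visible at packet level, and the following added example shows it for OSPFv2 as RFC 2328 Appendix D specifies: with the simple-password option the password sits unencrypted in the 64-bit Authentication field of every packet, whereas the cryptographic option carries a Key-ID, a sequence number and an MD5 digest of the packet plus the 16-byte key, so a receiver can reject tampered or replayed packets and roll keys by Key-ID. This is not PAN-OS code and does not claim to match how the firewall builds packets; the hello body, keys and router IDs are constructed. RIPv2's MD5 scheme (RFC 2082) uses the same keyed-digest idea but a different packet layout and is not implemented here.

```python
"""Added example: OSPFv2 packet authentication per RFC 2328 Appendix D.

AuType 1 (simple password): password in cleartext in the header.
AuType 2 (cryptographic): Authentication field = 0, Key ID, Auth Data Len
(16), cryptographic sequence number; a 16-byte MD5 digest of (packet || key)
is appended after the packet and is not counted in the Length field.
All packet contents, keys and router IDs are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
TYPE_HELLO = 1
AUTH_SIMPLE, AUTH_CRYPTO = 1, 2
# version, type, length, router id, area id, checksum, autype, authentication
HEADER_FMT = "!BBH4s4sHH8s"
HEADER_LEN = 24


def _key16(key):
    """D.3: the key is used as 16 octets, zero padded or truncated."""
    return key.encode()[:16].ljust(16, b"\0")


def _header(ptype, router_id, area_id, autype, auth_field, body_len):
    # Checksum is 0: the cryptographic digest replaces it (D.4.3).
    return struct.pack(HEADER_FMT, OSPF_VERSION, ptype, HEADER_LEN + body_len,
                       ipaddress.IPv4Address(router_id).packed,
                       ipaddress.IPv4Address(area_id).packed,
                       0, autype, auth_field)


def simple_password_packet(body, password, router_id, area_id="0.0.0.0"):
    """AuType 1: up to 8 octets of password travel unencrypted in the header."""
    auth = password.encode()[:8].ljust(8, b"\0")
    return _header(TYPE_HELLO, router_id, area_id, AUTH_SIMPLE, auth,
                   len(body)) + body


def md5_authenticated_packet(body, key_id, key, seq, router_id,
                             area_id="0.0.0.0"):
    """AuType 2: digest of packet + padded key appended to the packet."""
    if not 0 <= key_id <= 255:
        raise ValueError("Key-ID range is 0-255")
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(TYPE_HELLO, router_id, area_id, AUTH_CRYPTO, auth,
                  len(body)) + body
    return pkt + hashlib.md5(pkt + _key16(key)).digest()


def verify_md5(packet, keys, last_seq):
    """Receiver-side check; keys maps Key-ID -> key so several keys can
    coexist during rollover. Returns (accepted, reason)."""
    if len(packet) < HEADER_LEN + 16:
        return False, "packet too short"
    pkt, digest = packet[:-16], packet[-16:]
    (_, _, length, _, _, _, autype,
     auth) = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if autype != AUTH_CRYPTO:
        return False, "not cryptographic authentication"
    if length != len(pkt):
        return False, "length mismatch"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != 16 or key_id not in keys:
        return False, "unknown Key-ID or bad auth data length"
    expected = hashlib.md5(pkt + _key16(keys[key_id])).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    if seq < last_seq:          # D.4.3: sequence number must not decrease
        return False, "sequence number regressed (possible replay)"
    return True, "ok"


if __name__ == "__main__":
    hello_body = bytes(20)      # constructed, all-zero Hello body
    sp = simple_password_packet(hello_body, "pa55word", "10.1.1.1")
    print("simple password visible on the wire:", b"pa55word" in sp)
    pkt = md5_authenticated_packet(hello_body, 1, "s3cret", 100, "10.1.1.1")
    print("good packet:", verify_md5(pkt, {1: "s3cret"}, 99))
    print("wrong key:  ", verify_md5(pkt, {1: "other"}, 99))
    print("replayed:   ", verify_md5(pkt, {1: "s3cret"}, 101))
```

The receiver checks in verify_md5 are the reason the MD5 option is the one to pick when a profile is configured at all: the simple-password variant gives a sniffer the password directly, while the keyed digest only proves knowledge of the key and the sequence number defeats straightforward replay.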
Configure OSPFv3

Step 1: Configure general virtual router configuration settings.
See Virtual Routers for details.

Step 2: Configure general OSPF configuration settings.

1. Select the OSPF tab.
2. Select Enable to enable the OSPF protocol.
3.
4.

Step 3: Configure general OSPFv3 configuration settings.

1. Select the OSPFv3 tab.
2. Select Enable to enable the OSPF protocol.
3. Select Reject Default Route if you do not want to learn any default routes through OSPFv3. This is the recommended default setting. Deselect Reject Default Route if you want to permit redistribution of default routes through OSPFv3.

Step 4: Configure Auth Profile for the OSPFv3 protocol.
While OSPFv3 doesn't include any authentication capabilities of its own, it relies entirely on IPsec to secure communications between neighbors. When configuring an authentication profile, you must use Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH).

ESP OSPFv3 authentication
1. On the Auth Profiles tab, click Add.
2. Enter a name for the authentication profile to authenticate OSPFv3 messages.
3. Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
4. Select ESP for Protocol.
5. Select a Crypto Algorithm from the drop-down. You can enter none or one of the following algorithms: SHA1, SHA256, SHA384, SHA512 or MD5.
6. If a Crypto Algorithm other than none was selected, enter a value for Key and then confirm.

AH OSPFv3 authentication
1. On the Auth Profiles tab, click Add.
2. Enter a name for the authentication profile to authenticate OSPFv3 messages.
3. Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
4. Select AH for Protocol.
5. Select a Crypto Algorithm from the drop-down. You must enter one of the following algorithms: SHA1, SHA256, SHA384, SHA512 or MD5.
6. Enter a value for Key and then confirm.
7. Click OK.
8. Click OK again in the Virtual Router - OSPF - Auth Profile dialog.

Step 5: Configure Areas Type for the OSPF protocol.

1. On the Areas tab, click Add.
2. Enter an Area ID. This is the identifier that each neighbor must accept to be part of the same area.
3. On the General tab, select one of the following from the area Type drop-down:
   Normal: There are no restrictions; the area can carry all types of routes.
   Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
     Accept Summary: Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
     Advertise Default Route: Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
   NSSA (Not So Stubby Area): The firewall can only leave the area by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
     Type: Select either Ext 1 or Ext 2 route type to advertise the default LSA.
     Ext Ranges: Click Add in the section to enter ranges of external routes that you want to enable or suppress advertising for.

Step 6: Associate an OSPFv3 authentication profile to an area or an interface.

To an Area
1. On the Areas tab, select an existing area from the table.
2. On the General tab, select a previously defined Authentication Profile from the Authentication drop-down.
3. Click OK.

To an Interface
1. On the Areas tab, select an existing area from the table.
2. Select the Interface tab and click Add.
3. Select the authentication profile you want to associate with the OSPF interface from the Auth Profile drop-down.

Step 7: (Optional) Configure Export Rules.

1. On the Export tab, click Add.
2.
3. Select the name of a redistribution profile. The value must be an IP subnet or valid redistribution profile name.
4.
5. Specify a New Tag for the matched route that has a 32-bit value.
6. Assign a metric for the new rule (range is 1-65535).
7. Click OK.

Step 8: Configure Advanced OSPFv3 options.

1.
2.
3.
4. (Optional) Configure OSPF Graceful Restart.
Configure OSPF Graceful Restart

OSPF Graceful Restart directs OSPF neighbors to continue using routes through a device during a short transition when it is out of service. This behavior increases network stability by reducing the frequency of routing table reconfiguration and the related route flapping that can occur during short periodic downtimes.

For a Palo Alto Networks firewall, OSPF Graceful Restart involves the following operations:

Firewall as a restarting device: In a situation where the firewall will be down for a short period of time or is unavailable for short intervals, it sends Grace LSAs to its OSPF neighbors. The neighbors must be configured to run in Graceful Restart Helper mode. In Helper Mode, the neighbors receive the Grace LSAs that inform them that the firewall will perform a graceful restart within a specified period of time defined as the Grace Period. During the grace period, the neighbor continues to forward routes through the firewall and to send LSAs that announce routes through the firewall. If the firewall resumes operation before expiration of the grace period, traffic forwarding will continue as before without network disruption. If the firewall does not resume operation after the grace period has expired, the neighbors will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the firewall.

Firewall as a Graceful Restart Helper: In a situation where neighboring routers may be down for short periods of time, the firewall can be configured to operate in Graceful Restart Helper mode. If configured in this mode, the firewall will be configured with a Max Neighbor Restart Time. When the firewall receives the Grace LSAs from its OSPF neighbor, it will continue to route traffic to the neighbor and advertise routes through the neighbor until either the grace period or max neighbor restart time expires. If neither expires before the neighbor returns to service, traffic forwarding continues as before without network disruption. If either period expires before the neighbor returns to service, the firewall will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the neighbor.

Configure OSPF Graceful Restart

1.
2.
3. Verify that the following are selected (they are enabled by default):
   Enable Graceful Restart
   Enable Helper Mode
   Enable Strict LSA checking
   These should remain selected unless required by your topology.
4. Configure a Grace Period in seconds.
5.
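The helper-side behaviour described above comes down to two timers and one switch: the neighbor's advertised Grace Period, the locally configured Max Neighbor Restart Time (the earlier expiry ends helping), and Strict LSA checking, which ends helping early when the topology changes during the restart. The following added example, which is not PAN-OS code, models that as a small state machine and also encodes the dead-timer rule given under Graceful Restart Hello Delay in the Configure OSPF procedure; all timer values are constructed.

```python
"""Added example: helper-side timers of OSPF Graceful Restart.

A helper that receives a Grace LSA keeps routes through the restarting
neighbor until the neighbor is back, or until the earlier of the neighbor's
grace period and the local Max Neighbor Restart Time expires. With Strict LSA
checking enabled, a topology change during the restart also ends helping.
Times are plain seconds and all values are constructed; not PAN-OS code.
"""


class GracefulRestartHelper:
    NORMAL, HELPING = "normal", "helping"

    def __init__(self, max_neighbor_restart_time, helper_mode=True,
                 strict_lsa_checking=True):
        self.max_neighbor_restart_time = max_neighbor_restart_time
        self.helper_mode = helper_mode
        self.strict_lsa_checking = strict_lsa_checking
        self.state = self.NORMAL
        self.deadline = None
        self.routes_kept = None     # set when a restart episode ends
        self.exit_reason = None

    def on_grace_lsa(self, now, grace_period):
        """Neighbor announces a restart lasting at most grace_period seconds."""
        if not self.helper_mode:
            return self.state
        self.state = self.HELPING
        self.deadline = now + min(grace_period, self.max_neighbor_restart_time)
        return self.state

    def on_tick(self, now):
        """Clock advance; the first expiring timer ends helping."""
        if self.state == self.HELPING and now >= self.deadline:
            self._stop(False, "grace period or Max Neighbor Restart Time expired")
        return self.state

    def on_lsa_change(self, now):
        """A topology change arrived while helping."""
        if self.state == self.HELPING and self.strict_lsa_checking:
            self._stop(False, "topology changed during restart (strict LSA checking)")
        return self.state

    def on_neighbor_restarted(self, now):
        """Neighbor is back before any timer fired: routes were never withdrawn."""
        if self.state == self.HELPING:
            self._stop(True, "neighbor returned before timers expired")
        return self.state

    def _stop(self, routes_kept, reason):
        self.state = self.NORMAL
        self.deadline = None
        self.routes_kept = routes_kept
        self.exit_reason = reason


def dead_timer_covers_hello_delay(hello_interval, dead_counts, gr_hello_delay):
    """Restarting-side rule from the guide: the dead timer (Hello Interval x
    Dead Counts) should be at least four times Graceful Restart Hello Delay."""
    return hello_interval * dead_counts >= 4 * gr_hello_delay


if __name__ == "__main__":
    helper = GracefulRestartHelper(max_neighbor_restart_time=60)
    helper.on_grace_lsa(now=0, grace_period=120)      # effective deadline: 60 s
    helper.on_tick(30)
    helper.on_neighbor_restarted(45)
    print(helper.state, helper.routes_kept, helper.exit_reason)
    print("10 s hello x 4 dead counts vs 10 s delay:",
          dead_timer_covers_hello_delay(10, 4, 10))
```

Note that the neighbor's advertised Grace Period of 120 seconds does not extend helping beyond the local Max Neighbor Restart Time of 60 seconds; the local setting is the cap a helper operator actually controls.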
Confirm OSPF Operation

Once an OSPF configuration has been committed, you can use any of the following operations to confirm that OSPF is operating:
View the Routing Table
Confirm OSPF Adjacencies
Confirm that OSPF Connections are Established

View the Routing Table

By viewing the routing table, you can see whether OSPF routes have been established. The routing table is accessible from either the web interface or the CLI. If you are using the CLI, use the following commands:

The following procedure describes how to use the web interface to view the routing table.

View the Routing Table
1.
2.

Confirm OSPF Adjacencies

By viewing the Neighbor tab as described in the following procedure, you can confirm that OSPF adjacencies have been established.

View the Neighbor Tab to Confirm OSPF Adjacencies
1.
2.

Confirm that OSPF Connections are Established

By viewing the system log, you can confirm that OSPF connections have been established, as described in the following procedure:

Examine the System Log
1.
2.
BGP
BGP
Border Gateway Protocol (BGP) is the primary Internet routing protocol. BGP determines network reachability based on IP prefixes that are available within autonomous systems (AS), where an AS is a set of IP prefixes that a network provider has designated to be part of a single routing policy.
In the routing process, connections are established between BGP peers (or neighbors). If a route is permitted by the policy, it is stored in the routing information base (RIB). Each time the local firewall RIB is updated, the firewall determines the optimal routes and sends an update to the external RIB, if export is enabled.
Conditional advertisement is used to control how BGP routes are advertised. The BGP routes must satisfy conditional advertisement rules before being advertised to peers.
BGP supports the specification of aggregates, which combine multiple routes into a single route. During the aggregation process, the first step is to find the corresponding aggregation rule by performing a longest match that compares the incoming route with the prefix values for other aggregation rules.
For more information on BGP, refer to How to Configure BGP TechNote.
The firewall provides a complete BGP implementation, which includes the following features:
Specification of one BGP routing instance per virtual router.
Routing policies based on route map to control import, export and advertisement, prefix-based filtering, and address aggregation.
Advanced BGP features that include route reflector, AS confederation, route flap dampening, and graceful restart.
IGP-BGP interaction to inject routes into BGP using redistribution profiles.
BGP configuration consists of the following elements:
Per-routing-instance settings, which include basic parameters such as local router ID and local AS and advanced options such as path selection, route reflector, AS confederation, route flap, and dampening profiles.
Authentication profiles, which specify the MD5 authentication key for BGP connections.
Peer group and neighbor settings, which include neighbor address and remote AS and advanced options such as neighbor attributes and connections.
Routing policy, which specifies rule sets that peer groups and peers use to implement imports, exports, conditional advertisements, and address aggregation controls.
Perform the following procedure to configure BGP.
Configure BGP
Step 1
Configure general virtual router configuration settings.
See Virtual Routers for details.
Step 2
Configure standard BGP configuration settings.
1. Select the BGP tab.
2. Select Enable to enable the BGP protocol.
3. For Router ID, assign an IP address to the virtual router.
4. For AS Number, enter the number of the AS to which the virtual router belongs, based on the router ID. Range is 1-4294967295.
Step 3
Configure general BGP configuration settings.
1. Select BGP > General.
2.
3.
4.
5.
6. Select one of the following values for the AS format for interoperability purposes:
   2 Byte (default value)
   4 Byte
7. Enable or disable each of the following values for Path Selection:
   Always Compare MED: Enable this comparison to choose paths from neighbors in different autonomous systems.
   Deterministic MED Comparison: Enable this comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same autonomous system).
8. Click Add to include a new authentication profile and configure the following settings:
   Profile Name: Enter a name to identify the profile.
   Secret/Confirm Secret: Enter and confirm a passphrase for BGP peer communications.
Step 4
(Optional) Configure BGP Advanced settings.
1.
2. Specify an IPv4 identifier to represent the reflector cluster in the Reflector Cluster ID box.
3. Specify the identifier for the AS confederation to be presented as a single AS to external BGP peers in the Confederation Member AS box.
4. Click Add and enter the following information for each Dampening Profile that you want to configure, select Enable, and click OK:
   Profile Name: Enter a name to identify the profile.
   Cutoff: Specify a route withdrawal threshold above which a route advertisement is suppressed (range is 0.0-1000.0; default is 1.25).
   Reuse: Specify a route withdrawal threshold below which a suppressed route is used again (range is 0.0-1000.0; default is 5).
   Max Hold Time (sec): Specify the maximum length of time in seconds that a route can be suppressed, regardless of how unstable it has been (range is 0-3600 seconds; default is 900).
   Decay Half Life Reachable (sec): Specify the length of time in seconds after which a route's stability metric is halved if the route is considered reachable (range is 0-3600 seconds; default is 300).
   Decay Half Life Unreachable (sec): Specify the length of time in seconds after which a route's stability metric is halved if the route is considered unreachable (range is 0-3600; default is 300).
5. Click OK.
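The Dampening Profile fields above are easier to reason about when the algorithm behind them is visible. The following is an added example, not PAN-OS code and not from the Palo Alto Networks guide: a textbook route-flap dampener in which every withdrawal adds a fixed penalty (one unit, an assumed scale the page does not state), the penalty decays exponentially with the reachable or unreachable half-life, suppression starts when the penalty exceeds Cutoff, and the route is released when the penalty drops below Reuse or Max Hold Time has elapsed, whichever comes first. Note that this standard algorithm needs Reuse below Cutoff, whereas the page's listed defaults are 1.25 and 5; the example therefore uses its own illustrative thresholds (cutoff 3.0, reuse 1.0) rather than those defaults. Prefixes and times are constructed sample data.

```python
"""Route-flap dampening simulation (added example; not PAN-OS code)."""
from dataclasses import dataclass
from typing import Dict, Optional

PENALTY_PER_WITHDRAWAL = 1.0   # assumed unit; the PAN-OS scale is not on the page


@dataclass
class DampeningProfile:
    cutoff: float = 3.0               # suppress once penalty exceeds this (illustrative)
    reuse: float = 1.0                # release once penalty drops below this (illustrative)
    max_hold_time: float = 900.0      # seconds; page default
    half_life_reachable: float = 300.0    # seconds; page default
    half_life_unreachable: float = 300.0  # seconds; page default


@dataclass
class RouteState:
    penalty: float = 0.0
    reachable: bool = True
    suppressed: bool = False
    last_update: float = 0.0
    suppressed_since: Optional[float] = None


class Dampener:
    def __init__(self, profile: DampeningProfile) -> None:
        self.profile = profile
        self.routes: Dict[str, RouteState] = {}

    def _state(self, prefix: str, now: float) -> RouteState:
        """Decay the penalty up to `now` and apply the release conditions."""
        st = self.routes.setdefault(prefix, RouteState(last_update=now))
        half = (self.profile.half_life_reachable if st.reachable
                else self.profile.half_life_unreachable)
        st.penalty *= 0.5 ** ((now - st.last_update) / half)
        st.last_update = now
        if st.suppressed and (
            st.penalty < self.profile.reuse
            or now - st.suppressed_since >= self.profile.max_hold_time
        ):
            st.suppressed = False          # decayed below Reuse, or held for Max Hold Time
            st.suppressed_since = None
        return st

    def withdraw(self, prefix: str, now: float) -> RouteState:
        st = self._state(prefix, now)
        st.reachable = False
        st.penalty += PENALTY_PER_WITHDRAWAL
        if not st.suppressed and st.penalty > self.profile.cutoff:
            st.suppressed = True           # crossed Cutoff: stop advertising
            st.suppressed_since = now
        return st

    def announce(self, prefix: str, now: float) -> RouteState:
        st = self._state(prefix, now)
        st.reachable = True                # re-announced, but stays suppressed if penalised
        return st

    def is_advertised(self, prefix: str, now: float) -> bool:
        st = self._state(prefix, now)
        return st.reachable and not st.suppressed


def flap(d: Dampener, prefix: str, count: int, start: float = 0.0, spacing: float = 1.0) -> None:
    """Withdraw and re-announce `count` times, half a spacing apart (constructed churn)."""
    for k in range(count):
        d.withdraw(prefix, start + k * spacing)
        d.announce(prefix, start + k * spacing + spacing / 2)
```

With these parameters a route needs four withdrawals in quick succession before it is suppressed, remains suppressed while it is re-announced, and comes back either when the penalty has decayed below Reuse or, for a route that flapped so much that decay alone would take hours, when Max Hold Time runs out.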
Step 5
Configure the BGP peer group.
1. Select the Peer Group tab and click Add.
2. Enter a Name for the peer group and select Enable.
3.
4.
5. Specify the type of peer or group from the Type drop-down and configure the associated settings (see below in this table for descriptions of Import Next Hop and Export Next Hop).
   IBGP: Export Next Hop: Specify Original or Use self.
   EBGP Confed: Export Next Hop: Specify Original or Use self.
   IBGP Confed: Export Next Hop: Specify Original or Use self.
   EBGP: Import Next Hop: Specify Original or Use self. Export Next Hop: Specify Resolve or Use self. Select Remove Private AS if you want to force BGP to remove private AS numbers.
6. Click OK to save.
Step 6
Configure Import and Export rules.
The import/export rules are used to import/export routes from/to other routers, for example, importing the default route from your Internet Service Provider.
1. Select the Import tab, click Add, enter a name in the Rules field, and select Enable.
2. Click Add and select the Peer Group from which the routes will be imported.
3. Click the Match tab and define the options used to filter routing information. You can also define the Multi-Exit Discriminator (MED) value and a next hop value to routers or subnets for route filtering. The MED option is an external metric that lets neighbors know about the preferred path into an AS. A lower value is preferred over a higher value.
4. Click the Action tab and define the action that should occur (allow/deny) based on the filtering options defined in the Match tab. If Deny is selected, no further options need to be defined. If the Allow action is selected, define the other attributes.
5. Click the Export tab and define export attributes, which are similar to the Import settings, but are used to control route information that is exported from the firewall to neighbors.
6. Click OK to save.
Step 7
Configure conditional advertising, which allows you to control what route to advertise in the event that a different route is not available in the local BGP routing table (Loc-RIB), indicating a peering or reachability failure.
This is useful in cases where you want to try to force routes to one AS over another, for example if you have links to the Internet through multiple ISPs and you want traffic to be routed to one provider instead of the other unless there is a loss of connectivity to the preferred provider.
1. Select the Conditional Adv tab, click Add and enter a name in the Policy field.
2. Select Enable.
3. Click Add and in the Used By section enter the peer group(s) that will use the conditional advertisement policy.
4.
5. Select the Advertise Filters tab and define the prefix(es) of the route in the Local RIB routing table that should be advertised in the event that the route in the Non-Exist filter is not available in the local routing table. If a prefix is going to be advertised and does not match a Non-Exist filter, the advertisement will occur.
Step 8
Configure aggregate options to summarize routes in the BGP configuration.
BGP route aggregation is used to control how BGP aggregates addresses. Each entry in the table results in one aggregate address being created. This results in an aggregate entry in the routing table when at least one more-specific route matching the address specified is learned.
1. Select the Aggregate tab, click Add and enter a name for the aggregate address.
2. In the Prefix field, enter the network prefix that will be the primary prefix for the aggregated prefixes.
3.
4.
Step 9
Configure redistribution rules.
This rule is used to redistribute host routes and unknown routes that are not in the local RIB to the peer routers.
1. Select the Redist Rules tab and click Add.
2. In the Name field, enter an IP subnet or select a redistribution profile. You can also configure a new redistribution profile from the drop-down if needed.
3. Click Enable to enable the rule.
4. In the Metric field, enter the route metric that will be used for the rule.
5. In the Set Origin drop-down, select incomplete, igp, or egp.
6. (Optional) Set MED, local preference, AS path limit and community values.
Session Settings and Timeouts
This section describes the global settings that affect TCP, UDP, and ICMPv6 sessions, in addition to IPv6, NAT64, NAT oversubscription, jumbo frame size, MTU, accelerated aging, and Captive Portal authentication. There is also a setting (Rematch Sessions) that allows you to apply newly configured security policies to sessions that are already in progress.
The first few topics below provide brief summaries of the Transport Layer of the OSI model, TCP, UDP, and ICMP. For more information about the protocols, refer to their respective RFCs. The remaining topics describe the session timeouts and settings.
Transport Layer Sessions
TCP
UDP
ICMP
Configure Session Timeouts
Configure Session Settings
Prevent TCP Split Handshake Session Establishment
Transport Layer Sessions
A network session is an exchange of messages that occurs between two or more communication devices, lasting for some period of time. A session is established and is torn down when the session ends. Different types of sessions occur at three layers of the OSI model: the Transport layer, the Session layer, and the Application layer.
The Transport Layer operates at Layer 4 of the OSI model, providing reliable or unreliable, end-to-end delivery and flow control of data. Internet protocols that implement sessions at the Transport layer include Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
TCP
Transmission Control Protocol (TCP) (RFC 793) is one of the main protocols in the Internet Protocol (IP) suite, and is so prevalent that it is frequently referenced together with IP as TCP/IP. TCP is considered a reliable transport protocol because it provides error checking while transmitting and receiving segments, acknowledges segments received, and reorders segments that arrive in the wrong order. TCP also requests and provides retransmission of segments that were dropped. TCP is stateful and connection-oriented, meaning a connection between the sender and receiver is established for the duration of the session. TCP provides flow control of packets, so it can handle congestion over networks.
TCP performs a handshake during session setup to initiate and acknowledge a session. After the data is transferred, the session is closed in an orderly manner, where each side transmits a FIN packet and acknowledges it with an ACK packet. The handshake that initiates the TCP session is often a three-way handshake (an exchange of three messages) between the initiator and the listener, or it could be a variation, such as a four-way or five-way split handshake or a simultaneous open. The TCP Split Handshake Drop topic explains how to Prevent TCP Split Handshake Session Establishment.
Applications that use TCP as their transport protocol include Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Secure Shell (SSH).
The following topics describe details of the PAN-OS implementation of TCP.
TCP Half Closed and TCP Time Wait Timers
Unverified RST Timer
TCP Split Handshake Drop
Maximum Segment Size (MSS)
TCP Half Closed and TCP Time Wait Timers
The TCP connection termination procedure uses a TCP Half Closed timer, which is triggered by the first FIN the firewall sees for a session. The timer is named TCP Half Closed because only one side of the connection has sent a FIN. A second timer, TCP Time Wait, is triggered by the second FIN or a RST.
If the firewall were to have only one timer triggered by the first FIN, a setting that was too short could prematurely close half-closed sessions. Conversely, a setting that was too long would make the session table grow too much and possibly use up all of the sessions. Two timers allow you to have a relatively long TCP Half Closed timer and a short TCP Time Wait timer, thereby quickly aging fully closed sessions and controlling the size of the session table.
The following figure illustrates when the firewall's two timers are triggered during the TCP connection termination procedure.
The TCP Time Wait timer should be set to a value less than the TCP Half Closed timer for the following reasons:
The longer time allowed after the first FIN is seen gives the opposite side of the connection time to fully close the session.
The shorter Time Wait time is because there is no need for the session to remain open for a long time after the second FIN or a RST is seen. A shorter Time Wait time frees up resources sooner, yet still allows time for the firewall to see the final ACK and possible retransmission of other datagrams.
If you configure a TCP Time Wait timer to a value greater than the TCP Half Closed timer, the commit will be accepted, but in practice the TCP Time Wait timer will not exceed the TCP Half Closed value.
The timers can be set globally or per application. The global settings are used for all applications by default. If you configure TCP wait timers at the application level, they override the global settings.
Unverified RST Timer
If the firewall receives a Reset (RST) packet that cannot be verified (because it has an unexpected sequence number within the TCP window or it is from an asymmetric path), the Unverified RST timer controls the aging out of the session. It defaults to 30 seconds; the range is 1-600 seconds. The Unverified RST timer provides an additional security measure, explained in the second bullet below.
A RST packet will have one of three possible outcomes:
A RST packet that falls outside the TCP window is dropped.
A RST packet that falls inside the TCP window but does not have the exact expected sequence number is unverified and subject to the Unverified RST timer setting. This behavior helps prevent denial of service (DoS) attacks where the attacker tries to disrupt existing sessions by sending random RST packets to the firewall.
A RST packet that falls within the TCP window and has the exact expected sequence number is subject to the TCP Time Wait timer setting.
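The teardown timers and the three RST outcomes above fit together as a small state machine. The following is an added example, not PAN-OS code and not from the Palo Alto Networks guide: it tracks one session through the close sequence using the page's default timer values (TCP Half Closed 120, TCP Time Wait 15, Unverified RST 30), classifies an RST by where its sequence number falls relative to the expected value and window (with 32-bit wraparound), and clamps a Time Wait value larger than Half Closed as the page says the firewall does. For simplicity the sequence check is shown for one direction of the connection only, an assumption noted in the code.

```python
"""TCP teardown timers and RST verification (added example; not PAN-OS code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Set

TCP_HALF_CLOSED = 120.0    # seconds, page default
TCP_TIME_WAIT = 15.0       # seconds, page default
UNVERIFIED_RST = 30.0      # seconds, page default
SEQ_MASK = 0xFFFFFFFF


class State(Enum):
    ESTABLISHED = "established"
    HALF_CLOSED = "half-closed"          # first FIN seen
    TIME_WAIT = "time-wait"              # second FIN or verified RST seen
    UNVERIFIED_RST = "unverified-rst"    # in-window RST with wrong sequence number


def rst_verdict(seq: int, expected_seq: int, window: int) -> str:
    """Classify an RST by its sequence number; modulo arithmetic handles wraparound."""
    offset = (seq - expected_seq) & SEQ_MASK
    if offset >= window:
        return "drop"          # outside the window: dropped, session untouched
    if offset == 0:
        return "verified"      # exact expected sequence number: Time Wait timer
    return "unverified"        # inside the window, wrong number: Unverified RST timer


def effective_time_wait(time_wait: float = TCP_TIME_WAIT,
                        half_closed: float = TCP_HALF_CLOSED) -> float:
    """A Time Wait larger than Half Closed commits, but the firewall never exceeds Half Closed."""
    return min(time_wait, half_closed)


@dataclass
class Session:
    expected_seq: int          # next sequence number expected from the tracked peer (assumption: one direction)
    window: int
    state: State = State.ESTABLISHED
    timer_started: float = 0.0
    timeout: float = 0.0       # 0.0 means no teardown timer is running

    def _start(self, state: State, timeout: float, now: float) -> None:
        self.state, self.timer_started, self.timeout = state, now, timeout

    def on_segment(self, flags: Set[str], seq: int, now: float) -> State:
        """Apply one observed segment and return the resulting session state."""
        if "RST" in flags:
            verdict = rst_verdict(seq, self.expected_seq, self.window)
            if verdict == "verified":
                self._start(State.TIME_WAIT, effective_time_wait(), now)
            elif verdict == "unverified":
                self._start(State.UNVERIFIED_RST, UNVERIFIED_RST, now)
            # "drop": the RST is discarded and the state is unchanged
        elif "FIN" in flags:
            if self.state == State.ESTABLISHED:
                self._start(State.HALF_CLOSED, TCP_HALF_CLOSED, now)   # first FIN
            elif self.state == State.HALF_CLOSED:
                self._start(State.TIME_WAIT, effective_time_wait(), now)   # second FIN
        return self.state

    def expires_at(self) -> float:
        return self.timer_started + self.timeout

    def expired(self, now: float) -> bool:
        """True once the running teardown timer has elapsed and the session can be aged out."""
        return self.timeout > 0 and now >= self.expires_at()
```

A forged RST that guesses the window but not the exact sequence number therefore does not tear the session down immediately; it only starts the 30-second Unverified RST timer, which is the DoS-resistance property the second bullet describes.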
TCP Split Handshake Drop
The Split Handshake option in a Zone Protection profile will prevent a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake, but instead uses a variation, such as a four-way or five-way split handshake or a simultaneous open.
The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without enabling the Split Handshake option. Nevertheless, the Split Handshake option (which causes a TCP split handshake drop) is made available. When the Split Handshake option is configured for a Zone Protection profile and that profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; variations are not allowed.
The Split Handshake option is disabled by default.
The following illustrates the standard three-way handshake used to establish a TCP session with a PAN-OS firewall between the initiator (typically a client) and the listener (typically a server).
The Split Handshake option is configured for a Zone Protection profile that is assigned to a zone. An interface that is a member of the zone drops any synchronization (SYN) packets sent from the server, preventing the following variations of handshakes. The letter A in the figure indicates the session initiator and B indicates the listener. Each numbered segment of the handshake has an arrow indicating the direction of the segment from the sender to the receiver, and each segment indicates the control bit(s) setting.
You can Prevent TCP Split Handshake Session Establishment.
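The handshake figures referenced above are not reproduced here, so the following added example (not PAN-OS code and not from the Palo Alto Networks guide) spells the variants out as segment sequences and models the one rule the text states for the Split Handshake option: a SYN sent by the listener without ACK is dropped, so only the standard three-way handshake can still complete. The host addresses are constructed sample data, and the completion rule is a simplification of the firewall's real state tracking (an assumption noted in the code).

```python
"""TCP handshake variants and the Split Handshake drop (added example; not PAN-OS code)."""
from typing import FrozenSet, List, Tuple

Segment = Tuple[str, FrozenSet[str]]    # (sender address, TCP control bits set)

# Setup exchanges as (role, shape), with I = initiator (A) and L = listener (B).
PATTERNS = {
    "three-way": [("I", "SYN"), ("L", "SYN+ACK"), ("I", "ACK")],
    "four-way split": [("I", "SYN"), ("L", "SYN"), ("I", "SYN+ACK"), ("L", "ACK")],
    "five-way split": [("I", "SYN"), ("L", "ACK"), ("L", "SYN"), ("I", "SYN+ACK"), ("L", "ACK")],
    "simultaneous open": [("I", "SYN"), ("L", "SYN"), ("I", "SYN+ACK"), ("L", "SYN+ACK")],
}


def _shape(bits: FrozenSet[str]) -> str:
    if "SYN" in bits and "ACK" in bits:
        return "SYN+ACK"
    if "SYN" in bits:
        return "SYN"
    if "ACK" in bits:
        return "ACK"
    return "other"


def normalise(segments: List[Segment]) -> List[Tuple[str, str]]:
    """Label each segment by role; the initiator is whoever sent the first SYN."""
    initiator = next(sender for sender, bits in segments if "SYN" in bits)
    return [("I" if sender == initiator else "L", _shape(bits)) for sender, bits in segments]


def classify(segments: List[Segment]) -> str:
    shape = normalise(segments)
    for name, pattern in PATTERNS.items():
        if shape == pattern:
            return name
    return "unknown"


def split_handshake_filter(segments: List[Segment]) -> Tuple[List[Segment], List[Segment]]:
    """Zone Protection with Split Handshake set: drop every listener SYN that carries no ACK."""
    forwarded: List[Segment] = []
    dropped: List[Segment] = []
    for seg, (role, shape) in zip(segments, normalise(segments)):
        (dropped if role == "L" and shape == "SYN" else forwarded).append(seg)
    return forwarded, dropped


def session_completes(segments: List[Segment], split_handshake_drop: bool) -> bool:
    """Without the option the firewall handles every known variant; with it, the
    session is treated as established only if what gets through is still a
    standard three-way handshake (simplified model, an assumption)."""
    if not split_handshake_drop:
        return classify(segments) != "unknown"
    forwarded, _ = split_handshake_filter(segments)
    return classify(forwarded) == "three-way"
```

The filter is deliberately direction-based rather than pattern-based: the firewall does not need to recognise a named variant, it only needs to refuse a bare SYN from the side that did not open the connection, and every variant on the page contains exactly such a segment.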
Maximum Segment Size (MSS)
The maximum transmission unit (MTU) is the largest number of bytes that can be transmitted in a single packet on a link. The MTU includes the length of headers, so the MTU minus the number of bytes in the headers equals the maximum segment size (MSS), which is the maximum number of data bytes that can be transmitted in a single packet.
A configurable MSS adjustment size (shown below) allows your firewall to pass traffic that has longer headers than the default setting allows. Encapsulation adds length to headers, so you would increase the MSS adjustment size to allow bytes, for example, to accommodate an MPLS header or tunneled traffic that has a VLAN tag.
If the DF (don't fragment) bit is set for a packet, it is especially helpful to have a larger MSS adjustment size and smaller MSS so that longer headers do not result in a packet length that exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets would be dropped.
The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.
If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between the two IP address formats, the proper MSS value corresponding to the IP type is used for TCP traffic.
For IPv4 and IPv6 addresses, the firewall accommodates larger-than-expected TCP header lengths. In the case where a TCP packet has a larger header length than you planned for, the firewall chooses as the MSS adjustment size the larger of the following two values:
The configured MSS adjustment size
The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN
This behavior means that the firewall overrides the configured MSS adjustment size if necessary. For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458 (the default MTU size minus the adjustment size [1500-42]). However, the TCP packet has 4 extra bytes of IP options in the header, so the MSS adjustment size (20+20+4) equals 44, which is larger than the configured MSS adjustment size of 42. The resulting MSS is 1500-44=1456 bytes, smaller than you expected.
To configure the MSS adjustment size, see Step 8 in Configure Session Settings.
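The worked 42-versus-44 case above generalises to any IP header length. The following added example (not PAN-OS code and not from the Palo Alto Networks guide) implements the rule, reads the IP header length from the first byte of the packet carrying the SYN (IHL times 4 for IPv4, a fixed 40 bytes for IPv6, ignoring IPv6 extension headers, which is an assumption), and builds constructed sample IPv4 and IPv6 headers to exercise it, including the IPv4-with-options case from the text.

```python
"""MSS adjustment as applied by the firewall (added example; not PAN-OS code)."""
import struct

TCP_HEADER_LEN = 20
IPV6_HEADER_LEN = 40     # base header only; extension headers ignored (assumption)
DEFAULT_MTU = 1500


def ip_header_len_from_syn(packet: bytes) -> int:
    """Return the IP header length in bytes of the packet that carries the SYN."""
    version = packet[0] >> 4
    if version == 4:
        ihl = packet[0] & 0x0F             # header length in 32-bit words
        if ihl < 5:
            raise ValueError("IPv4 IHL below the 20-byte minimum")
        return ihl * 4
    if version == 6:
        return IPV6_HEADER_LEN
    raise ValueError("not an IPv4 or IPv6 packet")


def applied_mss_adjustment(configured: int, ip_header_len: int) -> int:
    """The larger of the configured value and TCP header + IP header, as the page states."""
    return max(configured, TCP_HEADER_LEN + ip_header_len)


def resulting_mss(mtu: int, configured: int, syn_packet: bytes) -> int:
    """MSS the firewall ends up advertising for a SYN seen on an interface with this MTU."""
    return mtu - applied_mss_adjustment(configured, ip_header_len_from_syn(syn_packet))


def ipv4_header(options: bytes = b"") -> bytes:
    """Constructed IPv4 header for a TCP SYN: version 4, IHL = 5 + option words."""
    if len(options) % 4:
        raise ValueError("IPv4 options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s",
                       (4 << 4) | ihl,              # version / IHL
                       0,                           # DSCP / ECN
                       ihl * 4 + TCP_HEADER_LEN,    # total length (header + bare TCP SYN)
                       0x1234, 0x4000,              # identification, DF flag set
                       64, 6, 0,                    # TTL, protocol TCP, checksum (not computed)
                       bytes([10, 1, 1, 5]), bytes([203, 0, 113, 10])) + options


# Constructed IPv6 header: version 6, payload = bare TCP SYN, next header TCP, hop limit 64.
IPV6_HEADER = struct.pack("!IHBB16s16s", 6 << 28, TCP_HEADER_LEN, 6, 64,
                          bytes.fromhex("20010db8000000000000000000000005"),
                          bytes.fromhex("20010db800000000000000000000000a"))

NOP_OPTIONS = b"\x01\x01\x01\x01"   # four NOP option bytes: the "4 extra bytes" from the text
```

With the configured adjustment of 42, a plain IPv4 SYN yields an MSS of 1458, the same SYN carrying 4 bytes of options yields 1456 because 20+24 wins over 42, and an IPv6 SYN yields 1440 because the 40-byte header alone pushes the applied adjustment to 60.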
UDP
User Datagram Protocol (UDP) (RFC 768) is another main protocol of the IP suite, and is an alternative to TCP. UDP is stateless and connectionless in that there is no handshake to set up a session, and no connection between the sender and receiver; the packets may take different routes to get to a single destination. UDP is considered an unreliable protocol because it does not provide acknowledgments, error recovery, retransmission, or reordering of datagrams. Without the overhead required to provide those features, UDP has reduced latency and is faster than TCP. UDP is referred to as a best-effort protocol because there is no mechanism or guarantee to ensure that the data will arrive at its destination.
Although UDP carries a checksum for data integrity, it performs no error recovery; error handling is assumed to be unnecessary or is performed by the application rather than by UDP itself. UDP has no mechanism to handle flow control of packets.
UDP is often used for applications that require faster speeds and time-sensitive, real-time delivery, such as Voice over IP (VoIP), streaming audio and video, and online games. UDP is transaction-oriented, so it is also used for applications that respond to small queries from many clients, such as Domain Name System (DNS) and Trivial File Transfer Protocol (TFTP).
ICMP
Internet Control Message Protocol (ICMP) (RFC 792) is another one of the main protocols of the Internet Protocol suite; it operates at the Network layer of the OSI model. ICMP is used for diagnostic and control purposes, to send error messages about IP operations, or messages about requested services or the reachability of a host or router. Network utilities such as traceroute and ping are implemented by using various ICMP messages.
ICMP is a connectionless protocol that does not open or maintain actual sessions. However, the ICMP messages between two devices can be considered a session.
Palo Alto Networks firewalls support ICMPv4 and ICMPv6. ICMPv4 and ICMPv6 error packets can be controlled by configuring a security policy for a zone, and selecting the icmp or ipv6-icmp application in the policy. Additionally, the ICMPv6 error packet rate can be controlled through the session settings, as described in the section Configure Session Settings.
ICMPv6 Rate Limiting
ICMPv6 rate limiting is a throttling mechanism to prevent flooding and DDoS attempts. The implementation employs an error packet rate and a token bucket, which work together to enable throttling and ensure that ICMP packets do not flood the network segments protected by the firewall.
First, the global ICMPv6 error packet rate controls the rate at which ICMP error packets are allowed through the firewall; the default is 100 packets per second; the range is 10 to 65535 packets per second. If the firewall reaches the ICMP error packet rate, then the token bucket comes into play and throttling occurs, as follows.
The concept of a logical token bucket controls the rate at which ICMP messages can be transmitted. The number of tokens in the bucket is configurable, and each token represents an ICMP message that can be sent. The token count is decremented each time an ICMP message is sent; when the bucket reaches zero tokens, no more ICMP messages can be sent until another token is added to the bucket. The default size of the token bucket is 100 tokens (packets); the range is 10 to 65535 tokens.
To change the default token bucket size or error packet rate, see the section Configure Session Settings.
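The two controls above are the classic token bucket: the error packet rate is the refill rate and the bucket size is the burst allowance. The following added example (not PAN-OS code and not from the Palo Alto Networks guide) implements that bucket with the page's defaults and enforces the page's 10 to 65535 ranges on both parameters; how PAN-OS combines the two controls internally is not described on the page, so the textbook model is an assumption. The arrival timestamps fed to it are constructed sample data.

```python
"""ICMPv6 error-packet throttling with a token bucket (added example; not PAN-OS code)."""
from typing import Iterable, Tuple

RANGE_MIN, RANGE_MAX = 10, 65535      # page ranges for both the rate and the bucket size


def _check_range(name: str, value: int) -> None:
    if not RANGE_MIN <= value <= RANGE_MAX:
        raise ValueError("%s must be %d-%d, got %d" % (name, RANGE_MIN, RANGE_MAX, value))


class Icmpv6ErrorLimiter:
    def __init__(self, error_rate_pps: int = 100, bucket_size: int = 100, now: float = 0.0) -> None:
        _check_range("ICMPv6 error packet rate", error_rate_pps)
        _check_range("ICMPv6 token bucket size", bucket_size)
        self.rate = float(error_rate_pps)      # tokens added per second
        self.capacity = float(bucket_size)     # maximum burst
        self.tokens = self.capacity            # bucket starts full
        self.last = now

    def _refill(self, now: float) -> None:
        if now > self.last:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now

    def allow(self, now: float) -> bool:
        """Return True if an ICMPv6 error arriving at time `now` may be forwarded."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                           # bucket empty: dropped until refill adds a token


def replay(limiter: Icmpv6ErrorLimiter, arrivals: Iterable[float]) -> Tuple[int, int]:
    """Feed non-decreasing arrival timestamps (seconds); return (forwarded, dropped)."""
    forwarded = dropped = 0
    for t in arrivals:
        if limiter.allow(t):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped
```

A burst of 250 errors in the same instant gets exactly the bucket size (100) through and drops the rest; half a second later only 50 tokens have accumulated, so a second burst of 100 is cut in half; a steady stream at exactly the configured rate is never throttled.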
Configure Session Timeouts
A session timeout defines the duration of time for which PAN-OS maintains a session on the firewall after inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the session.
On the firewall, you can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. All of these timeouts are global, meaning they apply to all of the sessions of that type on the firewall.
In addition to the global settings, you have the flexibility to define timeouts for an individual application in the Objects > Applications tab. The firewall applies application timeouts to an application that is in established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.
Returning to the global settings, perform the optional tasks below if you need to change default values of the global session timeout settings for TCP, UDP, ICMP, Captive Portal authentication, or other types of sessions. All values are in seconds.
The defaults are optimal values. However, you can modify these according to your network needs. Setting a value too low could cause sensitivity to minor network delays and could result in a failure to establish connections with the firewall. Setting a value too high could delay failure detection.
Change Session Timeouts
Step 1
Access the Session Settings.
Step 2
(Optional) Change miscellaneous timeouts.
Default: Maximum length of time that a non-TCP/UDP or non-ICMP session can be open without a response (range is 1-15999999; default is 30).
Discard Default: Maximum length of time that a non-TCP/UDP session remains open after PAN-OS denies a session based on security policies configured on the firewall (range is 1-15999999; default is 60).
Scan: Maximum length of time that any session remains open after it is considered inactive; an application is regarded as inactive when it exceeds the application trickling threshold defined for the application (range is 5-30; default is 10).
Captive Portal: Authentication session timeout for the Captive Portal web form. To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated (range is 1-15999999; default is 30).
To define other Captive Portal timeouts, such as the idle timer and the expiration time before the user must be reauthenticated, select Device > User Identification > Captive Portal Settings. See Configure Captive Portal in User-ID.
Step 3
(Optional) Change TCP timeouts.
Discard TCP: Maximum length of time that a TCP session remains open after it is denied based on a security policy configured on the firewall. Default: 90. Range: 1-15999999.
TCP: Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete and/or data is being transmitted). Default: 3600. Range: 1-15999999.
TCP Handshake: Maximum length of time permitted between receiving the SYN-ACK and the subsequent ACK to fully establish the session. Default: 10. Range: 1-60.
TCP init: Maximum length of time permitted between receiving the SYN and the SYN-ACK prior to starting the TCP handshake timer. Default: 5. Range: 1-60.
TCP Half Closed: Maximum length of time between receiving the first FIN and receiving the second FIN or a RST. Default: 120. Range: 1-604800.
TCP Time Wait: Maximum length of time after receiving the second FIN or a RST. Default: 15. Range: 1-600.
Unverified RST: Maximum length of time after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path). Default: 30. Range: 1-600.
See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.
Step 4
(Optional) Change UDP timeouts.
Discard UDP: Maximum length of time that a UDP session remains open after it is denied based on a security policy configured on the firewall. Default: 60. Range: 1-15999999.
UDP: Maximum length of time that a UDP session remains open without a UDP response. Default: 30. Range: 1-15999999.
See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.
Step 5
(Optional) Change ICMP timeouts.
ICMP: Maximum length of time that an ICMP session can be open without an ICMP response. Default: 6. Range: 1-15999999.
See also the Discard Default and Scan timeouts in the section (Optional) Change miscellaneous timeouts.
Step 6
Commit the changes.
Click OK and Commit the changes.
Configure Session Settings
This topic describes various settings for sessions other than timeout values. Perform these tasks if you need to change the default settings.
Configure Session Settings
Step 1
Change the session settings.
Step 2
Specify whether to apply newly configured Security policy rules to sessions that are in progress.
Step 3
Configure IPv6 settings.
Step 4
Enable jumbo frames and set the MTU.
1.
2. Set the Global MTU, depending on whether or not you enabled jumbo frames:
   If you did not enable jumbo frames, the Global MTU defaults to 1500 bytes; the range is 576 to 1500 bytes.
   If you enabled jumbo frames, the Global MTU defaults to 9192 bytes; the range is 9192 to 9216 bytes.
   If you enable jumbo frames and you have interfaces where the MTU is not specifically configured, those interfaces automatically inherit the jumbo frame size. Therefore, before you enable jumbo frames, if you have any interface that you do not want to have jumbo frames, you must set the MTU for that interface to 1500 bytes or another value.
Step 5
Tune NAT session settings.
Step 6
Tune accelerated aging settings.
Click OK.
Step 7
Enable buffering of multicast route setup packets.
1.
2. If you enable buffering, you can also tune the Buffer Size, which specifies the buffer size per flow. The firewall can buffer a maximum of 5,000 packets.
   You can also tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends by configuring the multicast settings on the virtual router that handles your multicast traffic (set the Multicast Route Age Out Time (sec) on the Multicast > Advanced tab in the virtual router configuration).
Step 8
Tune the Maximum Segment Size (MSS) adjustment size settings for a Layer 3 interface.
1.
2.
3.
4.
5. Click OK.
Step 9
Save the changes.
Click Commit.
Prevent TCP Split Handshake Session Establishment
You can configure a TCP Split Handshake Drop in a Zone Protection profile to prevent TCP sessions from being established unless they use the standard three-way handshake. This task assumes that you assigned a security zone for the interface where you want to prevent TCP split handshakes from establishing a session.
Configure a Zone Protection Profile to Prevent TCP Split Handshake Sessions
Step 1
Configure a Zone Protection profile to prevent TCP sessions that use anything other than a three-way handshake to establish a session.
1.
2.
3.
4. Click OK.
Step 2
Apply the profile to one or more security zones.
1.
2.
3. Click OK.
4. (Optional) Repeat steps 1-3 to apply the profile to additional zones.
Step 3
Save the configuration.
Click OK and Commit.
DHCP
This section describes Dynamic Host Configuration Protocol (DHCP) and the tasks required to configure an interface on a Palo Alto Networks firewall to act as a DHCP server, client, or relay agent. By assigning these roles to different interfaces, the firewall can perform multiple roles.
DHCP Overview
Firewall as a DHCP Server and Client
DHCP Messages
DHCP Addressing
DHCP Options
Configure an Interface as a DHCP Server
Configure an Interface as a DHCP Client
Configure the Management Interface as a DHCP Client
Configure an Interface as a DHCP Relay Agent
Monitor and Troubleshoot DHCP
DHCP Overview
DHCP is a standardized protocol defined in RFC 2131, Dynamic Host Configuration Protocol. DHCP has two main purposes: to provide TCP/IP and link-layer configuration parameters and to provide network addresses to dynamically configured hosts on a TCP/IP network.
DHCP uses a client-server model of communication. This model consists of three roles that a device can fulfill: DHCP client, DHCP server, and DHCP relay agent.
A device acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client devices save configuration time and effort, and need not know the network's addressing plan or other resources and options they are inheriting from the DHCP server.
A device acting as a DHCP server can service clients. By using any of three DHCP Addressing mechanisms, the network administrator saves configuration time and has the benefit of reusing a limited number of IP addresses when a client no longer needs network connectivity. The server can deliver IP addressing and many DHCP options to many clients.
A device acting as a DHCP relay agent transmits DHCP messages between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.
An interface on a Palo Alto Networks firewall can perform the role of a DHCP server, client, or relay agent. The interface of a DHCP server or relay agent must be a Layer 3 Ethernet, Aggregated Ethernet, or Layer 3 VLAN interface. You configure the firewall's interfaces with the appropriate settings for any combination of roles. The behavior of each role is summarized in Firewall as a DHCP Server and Client.
The firewall supports DHCPv4 Server and DHCPv6 Relay. However, a single interface cannot support both DHCPv4 Server and DHCPv6 Relay.
The Palo Alto Networks implementations of DHCP server and DHCP client support IPv4 addresses only. Its DHCP relay implementation supports IPv4 and IPv6. DHCP client is not supported in High Availability active/active mode.
Firewall as a DHCP Server and Client
The firewall can function as a DHCP server and as a DHCP client. Dynamic Host Configuration Protocol, RFC 2131, defines DHCP for IPv4; DHCP for IPv6 (DHCPv6) is a separate protocol. The Palo Alto Networks implementation of DHCP server supports IPv4 addresses only.
The firewall DHCP server operates in the following manner:
When the DHCP server receives a DHCPDISCOVER message from a client, the server replies with a DHCPOFFER message containing all of the predefined and user-defined options in the order they appear in the configuration. The client selects the options it needs and responds with a DHCPREQUEST message.
When the server receives a DHCPREQUEST message from a client, the server replies with its DHCPACK message containing only the options specified in the request.
The firewall DHCP client operates in the following manner:
When the DHCP client receives a DHCPOFFER from the server, the client automatically caches all of the options offered for future use, regardless of which options it had sent in its DHCPREQUEST.
By default and to save memory, the client caches only the first value of each option code if it receives multiple values for a code.
There is no maximum length for DHCP messages unless the DHCP client specifies a maximum in option 57 in its DHCPDISCOVER or DHCPREQUEST messages.
DHCP Messages
DHCP uses eight standard message types, which are identified by an option type number in the DHCP message. For example, when a client wants to find a DHCP server, it broadcasts a DHCPDISCOVER message on its local physical subnetwork. If there is no DHCP server on its subnet and if DHCP Helper or DHCP Relay is configured properly, the message is forwarded to DHCP servers on a different physical subnet. Otherwise, the message goes no further than the subnet on which it originated. One or more DHCP servers respond with a DHCPOFFER message that contains an available network address and other configuration parameters.
When the client needs an IP address, it sends a DHCPREQUEST to one or more servers. Of course, if the client is requesting an IP address, it doesn't have one yet, so RFC 2131 requires that the broadcast message the client sends out have a source address of 0.0.0.0 in its IP header.
When a client requests configuration parameters from a server, it might receive responses from more than one server. Once a client has received its IP address, it is said that the client has at least an IP address and possibly other configuration parameters bound to it. DHCP servers manage such binding of configuration parameters to clients.
The following table lists the DHCP messages.
DHCP Message   Description
DHCPDISCOVER   Client broadcast to find available DHCP servers.
DHCPOFFER      Server response to client's DHCPDISCOVER, offering configuration parameters.
DHCPREQUEST    Client message to one or more servers to do any of the following:
               • Request parameters from one server and implicitly decline offers from other servers.
               • Confirm that a previously allocated address is correct after, for example, a system reboot.
               • Extend the lease of a network address.
DHCPACK        Server-to-client acknowledgment message containing configuration parameters, including a confirmed network address.
DHCPNAK        Server-to-client negative acknowledgment indicating the client's understanding of the network address is incorrect (for example, if the client has moved to a new subnet), or a client's lease has expired.
DHCPDECLINE    Client-to-server message indicating the network address is already being used.
DHCPRELEASE    Client-to-server message giving up the use of the network address and canceling the remaining time on the lease.
DHCPINFORM     Client-to-server message requesting only local configuration parameters; client has an externally configured network address.
DHCP Addressing
• DHCP Address Allocation Methods
• DHCP Leases
DHCP Address Allocation Methods
There are three ways that a DHCP server either assigns or sends an IP address to a client:
• Automatic allocation: The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent.
• Dynamic allocation: The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network. See the DHCP Leases section.
• Static allocation: The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client device. The DHCP assignment remains in place even if the client logs off, reboots, has a power outage, etc.
Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is if a client device is used for something crucial and must keep the same IP address, even if the device is turned off, unplugged, rebooted, or a power outage occurs, etc.
Keep these points in mind when configuring a Reserved Address:
• It is an address from the IP Pools. You may configure multiple reserved addresses.
• If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited).
• If you allocate all of the addresses in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address.
• You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any device. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.
DHCP Leases
A lease is defined as the time period for which a DHCP server allocates a network address to a client. The lease might be extended (renewed) upon subsequent requests. If the client no longer needs the address, it can release the address back to the server before the lease is up. The server is then free to assign that address to a different client if it has run out of unassigned addresses.
The lease period configured for a DHCP server applies to all of the addresses that a single DHCP server (interface) dynamically assigns to its clients. That is, all of that interface's addresses assigned dynamically are of Unlimited duration or have the same Timeout value. A different DHCP server configured on the firewall may have a different lease term for its clients. A Reserved Address is a static address allocation and is not subject to the lease terms.
Per the DHCP standard, RFC 2131, a DHCP client does not wait for its lease to expire, because it risks getting a new address assigned to it. Instead, when a DHCP client reaches the halfway point of its lease period, it attempts to extend its lease so that it retains the same IP address. Thus, the lease duration is like a sliding window.
Typically, if an IP address was assigned to a device, the device was subsequently taken off the network and its lease was not extended, the DHCP server will let that lease run out. Because the client is gone from the network and no longer needs the address, the lease duration in the server is reached and the lease is in Expired state.
The firewall has a hold timer that prevents the expired IP address from being reassigned immediately. This behavior temporarily reserves the address for the device in case it comes back onto the network. But if the address pool runs out of addresses, the server reallocates this expired address before the hold timer expires. Expired addresses are cleared automatically as the system needs more addresses or when the hold timer releases them.
In the CLI, use the show dhcp server lease operational command to view lease information about the allocated IP addresses. If you do not want to wait for expired leases to be released automatically, you can use the clear dhcp lease interface value expired-only command to clear expired leases, making those addresses available in the pool again. You can use the clear dhcp lease interface value ip ip command to release a particular IP address. Use the clear dhcp lease interface value mac mac_address command to release a particular MAC address.
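The allocation methods and lease behavior described above (automatic, dynamic and static allocation, renewal at the halfway point, the Expired state, the hold timer, reallocation of an expired address when the pool runs dry, and clearing expired leases) can be seen together in a small simulation. The following is an added example, not PAN-OS code; the pool, MAC addresses, Timeout and hold-timer length are constructed, and the hold-timer length in particular is an assumption of the simulation rather than a documented firewall value.

```python
# Added example (not PAN-OS code): a simulated DHCP server lease table that
# follows the allocation and lease behaviour described in the text. The pool,
# MAC addresses, timeout and hold-timer length are constructed for the example.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional


@dataclass
class Lease:
    ip: IPv4Address
    mac: str
    state: str      # "committed", "reserved" or "expired"
    duration: int   # seconds; 0 means an Unlimited lease
    start: int      # simulated clock value at assignment, renewal or expiry


class DhcpServer:
    def __init__(self, pool, timeout, hold_timer=60, reservations=None):
        self.pool = [IPv4Address(ip) for ip in pool]
        self.timeout = timeout          # 0 => Unlimited (automatic allocation)
        self.hold_timer = hold_timer    # assumption: seconds an expired address is held back
        self.leases: Dict[IPv4Address, Lease] = {}
        # static allocation: Reserved Address keyed by MAC Address
        self.reservations = {m.lower(): IPv4Address(ip)
                             for m, ip in (reservations or {}).items()}

    def state(self, ip) -> Optional[str]:
        lease = self.leases.get(IPv4Address(ip))
        return lease.state if lease else None

    def _free_ip(self, now) -> Optional[IPv4Address]:
        reserved = set(self.reservations.values())
        # 1. never-assigned, non-reserved pool addresses
        for ip in self.pool:
            if ip not in self.leases and ip not in reserved:
                return ip
        # 2. expired addresses whose hold timer has run out
        for ip in self.pool:
            lease = self.leases.get(ip)
            if lease and lease.state == "expired" and now - lease.start >= self.hold_timer:
                return ip
        # 3. pool exhausted: reuse an expired address before its hold timer ends
        for ip in self.pool:
            lease = self.leases.get(ip)
            if lease and lease.state == "expired":
                return ip
        return None

    def request(self, mac, now) -> Optional[IPv4Address]:
        """Handle a DHCPREQUEST: reserved address first, then renewal, then a free address."""
        mac = mac.lower()
        if mac in self.reservations:        # static allocation: no lease timer applies
            ip = self.reservations[mac]
            self.leases[ip] = Lease(ip, mac, "reserved", 0, now)
            return ip
        for lease in self.leases.values():
            if lease.mac == mac and lease.state in ("committed", "expired"):
                lease.state = "committed"   # renewal slides the lease window forward;
                lease.start = now           # a held expired address goes back to its owner
                return lease.ip
        ip = self._free_ip(now)
        if ip is None:
            return None                     # nothing available: no address offered
        self.leases[ip] = Lease(ip, mac, "committed", self.timeout, now)
        return ip

    def tick(self, now):
        """Move committed leases whose Timeout has elapsed into the Expired state."""
        for lease in self.leases.values():
            if lease.state == "committed" and lease.duration and now - lease.start >= lease.duration:
                lease.state = "expired"
                lease.start = now           # the hold timer counts from expiry

    def clear_expired_only(self):
        """Same effect as 'clear dhcp lease interface <value> expired-only'."""
        for ip in [ip for ip, l in self.leases.items() if l.state == "expired"]:
            del self.leases[ip]


def client_should_renew(lease_start, duration, now):
    """RFC 2131 client behaviour: try to renew at the halfway point of the lease."""
    return duration != 0 and now - lease_start >= duration / 2
```

Walking a client through request, renewal at half the Timeout, expiry, and a second client's request after the pool is exhausted shows why the hold timer only delays reuse rather than preventing it, and why a Reserved Address never appears with a duration.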
DHCP Options
The history of DHCP and DHCP options traces back to the Bootstrap Protocol (BOOTP). BOOTP was used by a host to configure itself dynamically during its booting procedure. A host could receive an IP address and a file from which to download a boot program from a server, along with the server's address and the address of an Internet gateway.
Included in the BOOTP packet was a vendor information field, which could contain a number of tagged fields containing various types of information, such as the subnet mask, the BOOTP file size, and many other values. RFC 1497 describes the BOOTP Vendor Information Extensions. DHCP replaces BOOTP; BOOTP is not supported on the firewall.
These extensions eventually expanded with the use of DHCP and DHCP host configuration parameters, also known as options. Similar to vendor extensions, DHCP options are tagged data items that provide information to a DHCP client. The options are sent in a variable-length field at the end of a DHCP message. For example, the DHCP Message Type is option 53, and a value of 1 indicates the DHCPDISCOVER message. DHCP options are defined in RFC 2132, DHCP Options and BOOTP Vendor Extensions.
A DHCP client can negotiate with the server, limiting the server to send only those options that the client requests.
• Predefined DHCP Options
• Multiple Values for a DHCP Option
• DHCP Options 43, 55, and 60 and Other Customized Options
Predefined DHCP Options
Palo Alto Networks firewalls support user-defined and predefined DHCP options in the DHCP server implementation. Such options are configured on the DHCP server and sent to the clients that sent a DHCPREQUEST to the server. The clients are said to inherit and implement the options that they are programmed to accept.
The firewall supports the following predefined options on its DHCP servers, shown in the order in which they appear on the DHCP Server configuration screen:
DHCP Option   DHCP Option Name
51            Lease duration
              Gateway
              IP Pool Subnet (mask)
              Domain Name System (DNS) server address (primary and secondary)
44            Windows Internet Name Service (WINS) server address (primary and secondary)
41            Network Information Service (NIS) server address (primary and secondary)
42            Network Time Protocol (NTP) server address (primary and secondary)
70            Post Office Protocol Version 3 (POP3) server address
69            Simple Mail Transfer Protocol (SMTP) server address
15            DNS suffix
As mentioned, you can also configure vendor-specific and customized options, which support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP address, ASCII, or hexadecimal format. With the firewall's enhanced DHCP option support, branch offices do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.
Multiple Values for a DHCP Option
You can enter multiple option values for an Option Code with the same Option Name, but all values for a particular code and name combination must be the same type (IP address, ASCII, or hexadecimal). If one type is inherited or entered, and later a different type is entered for the same code and name combination, the second type will overwrite the first type.
You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names. For example, if option CoastalServer (option code 6) is configured with IP address type, option ServerXYZ (option code 6) with ASCII type is also allowed.
The firewall sends multiple values for an option (strung together) to a client in order from top to bottom. Therefore, when entering multiple values for an option, enter the values in the order of preference, or else move the options to achieve your preferred order in the list. The order of options in the firewall configuration determines the order that the options appear in DHCPOFFER and DHCPACK messages.
You can enter an option code that already exists as a predefined option code, and the customized option code will override the predefined DHCP option; the firewall issues a warning.
DHCP Options 43, 55, and 60 and Other Customized Options
The following table describes the option behavior for several options described in RFC 2132.
Option Code 43, Vendor-Specific Information
    Sent from server to client. Vendor-specific information that the DHCP server has been configured to offer to the client. The information is sent to the client only if the server has a Vendor Class Identifier (VCI) in its table that matches the VCI in the client's DHCPREQUEST.
    An Option 43 packet can contain multiple vendor-specific pieces of information. It can also include encapsulated, vendor-specific extensions of data.
Option Code 55, Parameter Request List
    Sent from client to server. List of configuration parameters (option codes) that a DHCP client is requesting, possibly in order of the client's preference. The server tries to respond with options in the same order.
Option Code 60, Vendor Class Identifier (VCI)
    Sent from client to server. Vendor type and configuration of a DHCP client. The DHCP client sends option code 60 in a DHCPREQUEST to the DHCP server. When the server receives option 60, it sees the VCI, finds the matching VCI in its own table, and then it returns option 43 with the value (that corresponds to the VCI), thereby relaying vendor-specific information to the correct client. Both the client and server have knowledge of the VCI.
You can send custom, vendor-specific option codes that are not defined in RFC 2132. The option codes can be in the range 1-254 and of fixed or variable length.
Custom DHCP options are not validated by the DHCP Server; you must ensure that you enter correct values for the options you create.
For ASCII and hexadecimal DHCP option types, the option value can be a maximum of 255 octets.
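The option handling described in the DHCP Messages, DHCP Options, Multiple Values for a DHCP Option, and Options 43, 55 and 60 sections above amounts to one small encoder and decoder. The following is an added example, not PAN-OS code: it encodes a configured option list (multiple values strung together in order, the same code allowed under different names with different types, the 255-octet limit and the 1-254 code range enforced), parses the option field of a client message, honors the option 55 ordering, and answers a matching option 60 VCI with option 43. Option codes 53, 55, 60, 43, 0 and 255 and the magic cookie are from RFC 2132; the option names, values and VCI table are constructed.

```python
# Added example (not PAN-OS code): how a DHCP server turns its configured
# option list into the option field of a reply, following the behaviour the
# text describes. Option codes 53, 55, 60, 43, 0 and 255 and the magic cookie
# are from RFC 2132; the configured values, VCI table and names are constructed.
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: start of the option field


def encode_value(opt_type, value):
    """Encode one configured value in its Option Type: ip, ascii or hex."""
    if opt_type == "ip":
        return IPv4Address(value).packed
    if opt_type == "ascii":
        return value.encode("ascii")
    if opt_type == "hex":
        return bytes.fromhex(value)
    raise ValueError(f"unknown option type {opt_type!r}")


def encode_option(code, opt_type, values):
    """One option TLV; multiple values for a code are strung together top to bottom."""
    if not 1 <= code <= 254:
        raise ValueError("custom option code must be in the range 1-254")
    data = b"".join(encode_value(opt_type, v) for v in values)
    if len(data) > 255:
        raise ValueError("option value exceeds 255 octets")
    return bytes([code, len(data)]) + data


def decode_options(blob):
    """Parse an option field into {code: data}; like the firewall's client,
    keep only the first value seen for a code that appears more than once."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, out = 4, {}
    while i < len(blob):
        code = blob[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        length = blob[i + 1]
        out.setdefault(code, blob[i + 2:i + 2 + length])
        i += 2 + length
    return out


def build_reply_options(config, request_opts, vci_table, ack=False):
    """config: ordered list of (name, code, type, [values]) as entered on the
    server. A code may repeat under different names with different types;
    re-entering a code/name pair overwrites its earlier type and values.
    A DHCPOFFER carries every configured option, requested codes first in the
    client's option 55 order; a DHCPACK (ack=True) carries only the requested
    codes. Without option 55 the configured list is sent as-is."""
    entries = {}
    for name, code, opt_type, values in config:
        entries[(code, name)] = (opt_type, values)
    keys = list(entries)
    if 55 in request_opts:
        wanted = list(request_opts[55])            # one option code per byte
        first = [k for c in wanted for k in keys if k[0] == c]
        rest = [] if ack else [k for k in keys if k not in first]
        keys = first + rest
    reply = [encode_option(k[0], *entries[k]) for k in keys]
    # Option 60 (VCI) in the request selects the option 43 payload to send back
    vci = request_opts.get(60, b"").decode("ascii", "replace")
    if vci in vci_table:
        reply.append(encode_option(43, "hex", [vci_table[vci]]))
    return MAGIC_COOKIE + b"".join(reply) + b"\xff"
```

Because the server does not validate custom option contents, the only checks this code can make are structural (code range, octet limit, value type); whether a hex blob is meaningful to the device that asked for it is still up to whoever entered it.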
Configure an Interface as a DHCP Server
The prerequisites for this task are:
• Configure a Layer 3 Ethernet or Layer 3 VLAN interface.
• Assign the interface to a virtual router and a zone.
• Determine a valid pool of IP addresses from your network plan that you can designate to be assigned by your DHCP server to clients.
• Collect the DHCP options, values, and Vendor Class Identifiers you plan to configure.
Perform the following task to configure an interface on the firewall to act as a DHCP server. You can configure multiple DHCP servers.
Configure an Interface as a DHCP Server
Step 1: Select an interface to be a DHCP Server.
1.
2. Enter an Interface name or select one from the dropdown.
3. For Mode, select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is detected on the network. The disabled setting disables the server.
4.
Step 2: Configure the predefined DHCP Options that the server sends to its clients.
In the Options section, select a Lease type:
• Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them permanently to clients.
• Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally the number of Minutes.
Inheritance Source: Leave None or select a source DHCP client interface or PPPoE client interface to propagate various server settings into the DHCP server. If you specify an Inheritance Source, select one or more options below that you want inherited from this source.
Specifying an inheritance source allows the firewall to quickly add DHCP options from the upstream server received by the DHCP client. It also keeps the client options updated if the source changes an option. For example, if the source replaces its NTP server (which had been identified as the Primary NTP server), the client will automatically inherit the new address as its Primary NTP server.
When inheriting DHCP option(s) that contain multiple IP addresses, the firewall uses only the first IP address contained in the option to conserve cache memory. If you require multiple IP addresses for a single option, configure the DHCP options directly on that firewall rather than configure inheritance.
Check inheritance source status: If you selected an Inheritance Source, clicking this link opens the Dynamic IP Interface Status window, which displays the options that were inherited from the DHCP client.
Gateway: IP address of the network gateway (an interface on the firewall) that is used to reach any device not on the same LAN as this DHCP server.
Subnet Mask: Network mask used with the addresses in the IP Pools.
For the following fields, click the down arrow and select None, or inherited, or enter a remote server's IP address that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source.
• Primary DNS, Secondary DNS: IP address of the preferred and alternate Domain Name System (DNS) servers.
• Primary WINS, Secondary WINS: IP address of the preferred and alternate Windows Internet Naming Service (WINS) servers.
• Primary NIS, Secondary NIS: IP address of the preferred and alternate Network Information Service (NIS) servers.
• Primary NTP, Secondary NTP: IP address of the available Network Time Protocol servers.
• POP3 Server: IP address of a Post Office Protocol (POP3) server.
• SMTP Server: IP address of a Simple Mail Transfer Protocol (SMTP) server.
• DNS Suffix: Suffix for the client to use locally when an unqualified hostname is entered that it cannot resolve.
Step 3: (Optional) Configure a vendor-specific or custom DHCP option that the DHCP server sends to its clients.
1. In the Custom DHCP Options section, click Add and enter a descriptive Name to identify the DHCP option.
2. Enter the Option Code you want to configure the server to offer (range is 1-254). (See RFC 2132 for option codes.)
3.
4.
5.
6.
7. Enter the Option Value you want the DHCP server to offer for that Option Code. You can enter multiple values on separate lines.
8. Click OK.
Step 4: (Optional) Add another vendor-specific or custom DHCP option.
1. Repeat Step 3 to enter another custom DHCP Option.
   • You can enter multiple option values for an Option Code with the same Option Name, but all values for an Option Code must be the same type (IP Address, ASCII, or Hexadecimal). If one type is inherited or entered and a different type is entered for the same Option Code and the same Option Name, the second type will overwrite the first type.
   • When entering multiple values for an option, enter the values in the order of preference, or else move the Custom DHCP Options to achieve the preferred order in the list. Select an option and click Move Up or Move Down.
   • You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names.
2. Click OK.
Step 5: Identify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it to a DHCP client.
If you are not the network administrator for your network, ask the network administrator for a valid pool of IP addresses from the network plan that can be designated to be assigned by your DHCP server.
1. In the IP Pools field, click Add and enter the range of IP addresses from which this server assigns an address to a client. Enter an IP subnet and subnet mask (for example, 192.168.1.0/24) or a range of IP addresses (for example, 192.168.1.10-192.168.1.20).
   • An IP Pool or a Reserved Address is mandatory for dynamic IP address assignment.
   • An IP Pool is optional for static IP address assignment as long as the static IP addresses that you assign fall into the subnet that the firewall interface services.
2. (Optional) Repeat Step 1 to specify another IP address pool.
Step 6: (Optional) Specify an IP address from the IP pools that will not be assigned dynamically. If you also specify a MAC Address, the Reserved Address is assigned to that device when the device requests an IP address through DHCP.
See the DHCP Addressing section for an explanation of allocation of a Reserved Address.
1.
2. Enter an IP address from the IP Pools (format x.x.x.x) that you do not want to be assigned dynamically by the DHCP server.
3. (Optional) Specify the MAC Address (format xx:xx:xx:xx:xx:xx) of the device to which you want to permanently assign the IP address specified in Step 2.
4.
Step 7: Save the configuration.
Click OK and Commit the change.
Configure an Interface as a DHCP Client
Before configuring a firewall interface as a DHCP Client, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone. Perform this task if you need to use DHCP to request an IPv4 address for an interface on your firewall.
To configure the management interface as a DHCP client, see Configure the Management Interface as a DHCP Client.
Configure an Interface as a DHCP Client
Step 1: Configure an interface as a DHCP client.
1. Select Network > Interfaces.
2. On the Ethernet tab or the VLAN tab, click Add and enter an interface, or click a configured interface, that you want to be a DHCP client.
3. Click the IPv4 tab; for Type, select DHCP Client.
4. Select Enable.
5.
6.
7.
Step 2: Save the configuration.
Click OK and Commit the change. Now the Ethernet interface indicates Dynamic-DHCP Client in its IP Address field on the Ethernet tab.
Step 3: (Optional) See which interfaces on the firewall are configured as DHCP clients.
1.
2.
Configure the Management Interface as a DHCP Client
The management interface on the firewall supports DHCP client for IPv4, which allows the management interface to receive its IPv4 address from a DHCP server. The management interface also supports DHCP Option 12 and Option 61, which allow the firewall to send its hostname and client identifier, respectively, to DHCP servers.
By default, VM-Series firewalls deployed in AWS and Azure use the management interface as a DHCP client to obtain its IP address, rather than a static IP address, because cloud deployments require the automation this feature provides. DHCP on the management interface is turned off by default for the VM-Series firewall except for the VM-Series firewall in AWS and Azure. The management interfaces on WildFire and Panorama platforms do not support this DHCP functionality.
For hardware-based firewall platforms (not VM-Series), configure the management interface with a static IP address when possible.
If the firewall acquires a management interface address through DHCP, assign a MAC address reservation on the DHCP server that serves that firewall. The reservation ensures that the firewall retains its management IP address after a restart. If the DHCP server is a Palo Alto Networks firewall, see Step 6 of Configure an Interface as a DHCP Server for reserving an address.
If you configure the management interface as a DHCP client, the following two restrictions apply:
• You cannot use the management interface in an HA configuration for control link (HA1 or HA1 backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
• You cannot select MGT as the Source Interface when you customize service routes (Device > Setup > Services > Service Route Configuration > Customize). However, you can select Use default to route the packets via the management interface.
A prerequisite for this task is that the management interface must be able to reach a DHCP server.
Configure the Management Interface as a DHCP Client
Step 1: Configure the Management interface as a DHCP client so that it can receive its IP address (IPv4), netmask (IPv4), and default gateway from a DHCP server. Optionally, you can also send the hostname and client identifier of the management interface to the DHCP server if the orchestration system you use accepts this information.
1.
2.
3.
4.
Step 2: (Optional) Configure the firewall to accept the hostname and domain from the DHCP server.
1.
2.
3.
Step 3: Save the configuration.
Click Commit.
Step 4: View DHCP client information.
1.
2.
Step 5: (Optional) Renew the DHCP lease with the DHCP server, regardless of the lease term. This option is convenient if you are testing or troubleshooting network issues.
1.
2.
3.
Step 6
Configure an Interface as a DHCP Relay Agent
To enable a firewall interface to transmit DHCP messages between clients and servers, you must configure the firewall as a DHCP relay agent. The interface can forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP servers. A client DHCPDISCOVER message is sent to all configured servers, and the DHCPOFFER message of the first server that responds is relayed back to the requesting client. Before configuring a DHCP relay agent, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone.
Configure an Interface as a DHCP Relay Agent
Step 1: Select DHCP Relay.
Step 2: Specify the IP address of each DHCP server with which the DHCP relay agent will communicate.
1.
2.
3.
4.
5. (Optional) Repeat Steps 2-4 to enter a maximum of eight DHCP server addresses per IP address family.
Step 3: Save the configuration.
Click OK and Commit the change.
Monitor and Troubleshoot DHCP
You can view the status of dynamic address leases that your DHCP server has assigned or that your DHCP client has been assigned by issuing commands from the CLI. You can also clear leases before they time out and are released automatically.
• View DHCP Server Information
• Clear Leases Before They Expire Automatically
• View DHCP Client Information
• Gather Debug Output about DHCP
View DHCP Server Information
To view DHCP pool statistics, IP addresses the server has assigned, the corresponding MAC address, state and duration of the lease, and time the lease began, use the following command. If the address was configured as a Reserved Address, the state column indicates reserved and there is no duration or lease_time. If the lease was configured as Unlimited, the duration column displays a value of 0.
admin@PA-200> show dhcp server lease all
interface: "ethernet1/2"
Allocated IPs: 1, Total number of IPs in pool: 5. 20.0000% used
ip               mac                state       duration   lease_time
192.168.3.11     f0:2f:af:42:70:cf  committed   0          Wed Jul 2 08:10:56 2014
admin@PA-200>
To view the options that a DHCP server has assigned to clients, use the following command:
admin@PA-200> show dhcp server settings all
Interface     GW             DNS1           DNS2           DNS-Suffix     Inherit source
------------------------------------------------------------------------------------
ethernet1/2   192.168.3.1    10.43.2.10     10.44.2.10                    ethernet1/3
admin@PA-200>
Clear Leases Before They Expire Automatically
The following example shows how to release expired DHCP Leases of an interface (server) before the hold timer releases them automatically. Those addresses will be available in the IP pool again.
admin@PA-200> clear dhcp lease interface ethernet1/2 expired-only
The following example shows how to release the lease of a particular IP address:
admin@PA-200> clear dhcp lease interface ethernet1/2 ip 192.168.3.1
The following example shows how to release the lease of a particular MAC address:
admin@PA-200> clear dhcp lease interface ethernet1/2 mac f0:2c:ae:29:71:34
View DHCP Client Information
To view the status of IP address leases sent to the firewall when it is acting as a DHCP client, use the show dhcp client state interface_name command or the following command:
admin@PA-200> show dhcp client state all
Interface     State   IP             Gateway        Leased-until
--------------------------------------------------------------------------
ethernet1/1   Bound   10.43.14.80    10.43.14.1     70315
admin@PA-200>
Gather Debug Output about DHCP
To gather debug output about DHCP, use one of the following commands:
admin@PA-200> debug dhcpd
admin@PA-200> debug management-server dhcpd
NAT
This section describes Network Address Translation (NAT) and how to configure the firewall for NAT. NAT allows you to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses, thereby conserving an organization's routable IP addresses. NAT allows you to not disclose the real IP addresses of hosts that need access to public addresses and to manage traffic by performing port forwarding. You can use NAT to solve network design challenges, enabling networks with identical IP subnets to communicate with each other. The firewall supports NAT on Layer 3 and virtual wire interfaces.
The NAT64 option translates between IPv6 and IPv4 addresses, providing connectivity between networks using disparate IP addressing schemes, and therefore a migration path to IPv6 addressing. IPv6-to-IPv6 Network Prefix Translation (NPTv6) translates one IPv6 prefix to another IPv6 prefix. PAN-OS supports all of these functions.
If you use private IP addresses within your internal networks, you must use NAT to translate the private addresses to public addresses that can be routed on external networks. In PAN-OS, you create NAT policy rules that instruct the firewall which packet addresses and ports need translation and what the translated addresses and ports are.
• NAT Policy Rules
• Source NAT and Destination NAT
• NAT Rule Capacities
• Dynamic IP and Port NAT Oversubscription
• Dataplane NAT Memory Statistics
• Configure NAT
• NAT Configuration Examples
NAT Policy Rules
• NAT Policy Overview
• NAT Address Pools Identified as Address Objects
• Proxy ARP for NAT Address Pools
NAT Policy Overview
You configure a NAT rule to match a packet's source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet's destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall evaluates the rules in order from the top down. Once a packet matches the criteria of a single NAT rule, the packet is not subjected to additional NAT rules. Therefore, your list of NAT rules should be in order from most specific to least specific so that packets are subjected to the most specific rule you created for them.
Static NAT rules do not have precedence over other forms of NAT. Therefore, for static NAT to work, the static NAT rules must be above all other NAT rules in the list on the firewall.
NAT rules provide address translation, and are different from security policy rules, which allow or deny packets. It is important to understand the firewall's flow logic when it applies NAT rules and security policy rules so that you can determine what rules you need, based on the zones you have defined. You must configure security policy rules to allow the NAT traffic.
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
Keep in mind that the translation of the IP address and port does not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet's outgoing interface and zone, security policies are enforced on the post-NAT zone.
A SIP call sometimes experiences one-way audio when going through the firewall because the call manager sends a SIP message on behalf of the phone to set up the connection. When the message from the call manager reaches the firewall, the SIP ALG must put the IP address of the phone through NAT. If the call manager and the phones are not in the same security zone, the NAT lookup of the IP address of the phone is done using the call manager zone. The NAT policy should take this into consideration.
No-NAT rules are configured to allow exclusion of IP addresses defined within the range of NAT rules defined later in the NAT policy. To define a no-NAT policy, specify all of the match criteria and select No Source Translation in the source translation column.
You can verify the NAT rules processed by using the CLI test nat-policy-match command in operational mode. For example:
user@device1> test nat-policy-match ?
+ destination         Destination IP address
+ destination-port    Destination port
+ from                From zone
+ ha-device-id        HA Active/Active device ID
+ protocol            IP protocol value
+ source              Source IP address
+ source-port         Source port
+ to                  To Zone
+ to-interface        Egress interface to use
|                     Pipe through a command
<Enter>               Finish input
user@device1> test nat-policy-match from l3-untrust source 10.1.1.1 destination 66.151.149.20 destination-port 443 protocol 6
Destination-NAT: Rule matched: CA2-DEMO
66.151.149.20:443 => 192.168.100.15:443
NAT Address Pools Identified as Address Objects
When configuring a Dynamic IP or Dynamic IP and Port NAT address pool in a NAT policy rule, it is typical to configure the pool of translated addresses with address objects. Each address object can be a host IP address, IP address range, or IP subnet.
Because both NAT rules and security policy rules use address objects, it is a best practice to distinguish between them by naming an address object used for NAT with a prefix, such as NAT-name.
Proxy ARP for NAT Address Pools
NAT address pools are not bound to any interfaces. The following figure illustrates the behavior of the firewall when it is performing proxy ARP for an address in a NAT address pool.
The firewall performs source NAT for a client, translating the source address 1.1.1.1 to the address in the NAT pool, 2.2.2.2. The translated packet is sent on to a router.
For the return traffic, the router does not know how to reach 2.2.2.2 (because the IP address 2.2.2.2 is just an address in the NAT address pool), so it sends an ARP request packet to the firewall.
If the address pool (2.2.2.2) is in the same subnet as the egress/ingress interface IP address (2.2.2.3/24), the firewall can send a proxy ARP reply to the router, indicating the Layer 2 MAC address of the IP address, as shown in the figure above.
If the address pool (2.2.2.2) is not a subnet of an interface on the firewall, the firewall will not send a proxy ARP reply to the router. This means that the router must be configured with the necessary route to know where to send packets destined for 2.2.2.2, in order to ensure the return traffic is routed back to the firewall, as shown in the figure below.
Source NAT and Destination NAT
The firewall supports both source address and/or port translation and destination address and/or port translation.
Source NAT
Source NAT is typically used by internal users to access the Internet; the source address is translated and thereby kept private. There are three types of source NAT:
• Dynamic IP and Port (DIPP): Allows multiple hosts to have their source IP addresses translated to the same public IP address with different port numbers. The dynamic translation is to the next available address in the NAT address pool, which you configure as a Translated Address pool to be an IP address, range of addresses, a subnet, or a combination of these.
  As an alternative to using the next address in the NAT address pool, DIPP allows you to specify the address of the Interface itself. The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT).
  DIPP has a default NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. For more information, see Dynamic IP and Port NAT Oversubscription and Modify the Oversubscription Rate for DIPP NAT.
• Dynamic IP: Allows the one-to-one, dynamic translation of a source IP address only (no port number) to the next available address in the NAT address pool. The size of the NAT pool should be equal to the number of internal hosts that require address translations. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable use of DIPP addresses when necessary. In either event, as sessions terminate and the addresses in the pool become available, they can be allocated to translate new connections.
  Dynamic IP NAT supports the option for you to Reserve Dynamic IP NAT Addresses.
• Static IP: Allows the 1-to-1, static translation of a source IP address, but leaves the source port unchanged. A common scenario for a static IP translation is an internal server that must be available to the Internet.
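The difference between the Dynamic IP and Port and Dynamic IP types above, the Dynamic IP/Port Fallback option, and the oversubscription rate discussed later in this section come down to how a pool of translated addresses is handed out. The following is an added example, not PAN-OS code: two small allocators that model DIPP (a translated address and port pair reused up to the oversubscription rate, but only toward distinct destinations) and Dynamic IP (one address per internal host, connections dropped when the pool is empty unless a DIPP pool is supplied as the fallback). The pool addresses, port range and rates are constructed.

```python
# Added example (not PAN-OS code): translation-pool allocators that model the
# DIPP and Dynamic IP source-NAT types described in the text, the Dynamic
# IP/Port Fallback, and the DIPP oversubscription rate. Pool addresses, port
# range and rates are constructed.
from typing import Dict, List, Optional, Set, Tuple

Pair = Tuple[str, int]                   # translated (IP address, port)
Dest = Tuple[str, int]                   # destination (IP address, port)
Translation = Tuple[str, Optional[int]]  # port None = source port left unchanged


class DippPool:
    """Dynamic IP and Port: many hosts share a translated address; each
    (address, port) pair may be reused `rate` times, but only toward distinct
    destinations so every session stays uniquely identifiable."""

    def __init__(self, addresses: List[str], ports: range, rate: int = 1):
        if rate not in (1, 2, 4, 8):
            raise ValueError("oversubscription rate must be 8, 4, 2 or 1")
        self.pairs: List[Pair] = [(a, p) for a in addresses for p in ports]
        self.rate = rate
        self.in_use: Dict[Pair, Set[Dest]] = {}

    def capacity(self) -> int:
        return len(self.pairs) * self.rate

    def allocate(self, dest: Dest) -> Optional[Pair]:
        for pair in self.pairs:
            used = self.in_use.setdefault(pair, set())
            if dest not in used and len(used) < self.rate:
                used.add(dest)
                return pair
        return None                        # every pair exhausted for this destination

    def release(self, pair: Pair, dest: Dest) -> None:
        self.in_use.get(pair, set()).discard(dest)


class DynamicIpPool:
    """Dynamic IP: one-to-one translation of the source address only. When the
    pool is empty new connections are dropped unless Dynamic IP/Port Fallback
    hands them to a DIPP pool."""

    def __init__(self, addresses: List[str], fallback: Optional[DippPool] = None):
        self.free = list(addresses)
        self.bound: Dict[str, str] = {}    # internal host -> translated address
        self.fallback = fallback

    def allocate(self, host: str, dest: Dest) -> Optional[Translation]:
        if host in self.bound:
            return (self.bound[host], None)
        if self.free:
            ip = self.free.pop(0)
            self.bound[host] = ip
            return (ip, None)
        if self.fallback is not None:      # Advanced (Dynamic IP/Port Fallback)
            return self.fallback.allocate(dest)
        return None                        # default behaviour: connection dropped

    def release(self, host: str) -> None:
        ip = self.bound.pop(host, None)
        if ip is not None:
            self.free.append(ip)
```

The capacity() figure is what the rule-limit discussion later in this section refers to: one translated address with a given port range supports rate times as many concurrent sessions, and the allocator enforces the condition that makes this safe, namely that two sessions sharing a translated pair must go to different destinations.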
Destination NAT
Destination NAT is performed on incoming packets, when the firewall translates a public destination address to a private address. Destination NAT does not use address pools or ranges. It is a 1-to-1, static translation with the option to perform port forwarding or port translation.
• Static IP: Allows the 1-to-1, static translation of a destination IP address and optionally the port number. One common use of destination NAT is to configure several NAT rules that map a single public destination address to several private destination host addresses assigned to servers or services. In this case, the destination port numbers are used to identify the destination hosts. For example:
  • Port Forwarding: Can translate a public destination address and port number to a private destination address, but keeps the same port number.
- Port Translation: Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the real port number private. It is configured by entering a Translated Port on the Translated Packet tab in the NAT policy rule. See the Destination NAT with Port Translation Example.
NAT Rule Capacities
The number of NAT rules allowed is based on the firewall platform. Individual rule limits are set for static, Dynamic IP (DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number of rules used for these NAT types cannot exceed the total NAT rule capacity. For DIPP, the rule limit is based on the oversubscription setting (8, 4, 2, or 1) of the firewall and the assumption of one translated IP address per rule. To see platform-specific NAT rule limits and translated IP address limits, use the Compare Firewalls tool.
Consider the following when working with NAT rules:
- If you run out of pool resources, you cannot create more NAT rules, even if the platform's maximum rule count has not been reached.
- If you consolidate NAT rules, the logging and reporting will also be consolidated. The statistics are provided per the rule, not per all of the addresses within the rule. If you need granular logging and reporting, do not combine the rules.
Dynamic IP and Port NAT Oversubscription
Dynamic IP and Port (DIPP) NAT allows you to use each translated IP address and port pair multiple times (8, 4, or 2 times) in concurrent sessions. This reusability of an IP address and port (known as oversubscription) provides scalability for customers who have too few public IP addresses. The design is based on the assumption that hosts are connecting to different destinations, therefore sessions can be uniquely identified and collisions are unlikely. The oversubscription rate in effect multiplies the original size of the address/port pool to 8, 4, or 2 times the size. For example, the default limit of 64K concurrent sessions allowed, when multiplied by an oversubscription rate of 8, results in 512K concurrent sessions allowed.
The oversubscription rates that are allowed vary based on the platform. The oversubscription rate is global; it applies to the firewall. This oversubscription rate is set by default and consumes memory, even if you have enough public IP addresses available to make oversubscription unnecessary. You can reduce the rate from the default setting to a lower setting or even 1 (which means no oversubscription). By configuring a reduced rate, you decrease the number of source device translations possible, but increase the DIP and DIPP NAT rule capacities. To change the default rate, see Modify the Oversubscription Rate for DIPP NAT.
If you select Platform Default, your explicit configuration of oversubscription is turned off and the default oversubscription rate for the platform applies, as shown in the table below. The Platform Default setting allows for an upgrade or downgrade of a software release.
The following table lists the default (highest) oversubscription rate for each platform.
Platform        Default Oversubscription Rate
PA-200
PA-500
PA-2020
PA-2050
PA-3020
PA-3050
PA-3060
PA-4020
PA-4050
PA-4060
PA-5020
PA-5050
PA-5060
PA-7050
PA-7080
VM-100
VM-200
VM-300
VM-1000-HV
The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each platform supports a maximum number of translated IP addresses (for all NAT rules combined). If oversubscription causes the maximum translated addresses per rule (256) to be exceeded, the firewall will automatically reduce the oversubscription ratio in an effort to have the commit succeed. However, if your NAT rules result in translations that exceed the maximum translated addresses for the platform, the commit will fail.
Dataplane NAT Memory Statistics
The show running global-ippool command displays statistics related to NAT memory consumption for a pool. The Size column displays the number of bytes of memory that the resource pool is using. The Ratio column displays the oversubscription ratio (for DIPP pools only). The lines of pool and memory statistics are explained in the following sample output:
Configure NAT
Perform the following tasks to configure various aspects of NAT. In addition to the examples below, there are examples in the section NAT Configuration Examples.
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Modify the Oversubscription Rate for DIPP NAT
- Disable NAT for a Specific Host or Interface
- Reserve Dynamic IP NAT Addresses
The NAT example in this section is based on the following topology, which was also used in Getting Started for setting up interfaces and zones:
Based on the topology initially used in Getting Started to create the interfaces and zones, there are three NAT policies we need to create as follows:
- To enable the clients on the internal network to access resources on the Internet, the internal 192.168.1.0 addresses will need to be translated to publicly routable addresses. In this case, we will configure source NAT (the purple enclosure and arrow above), using the egress interface address, 203.0.113.100, as the source address in all packets that leave the firewall from the internal zone. See Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT) for instructions.
- To enable clients on the internal network to access the public web server in the DMZ zone, we must configure a NAT rule that redirects the packet from the external network, where the original routing table lookup will determine it should go based on the destination address of 203.0.113.11 within the packet, to the actual address of the web server on the DMZ network of 10.1.1.11. To do this you must create a NAT rule from the trust zone (where the source address in the packet is) to the untrust zone (where the original destination address is) to translate the destination address to an address in the DMZ zone. This type of destination NAT is called U-Turn NAT (the yellow enclosure and arrow above). See Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT) for instructions.
- To enable the web server, which has both a private IP address on the DMZ network and a public-facing address for access by external users, to both send and receive requests, the firewall must translate the incoming packets from the public IP address to the private IP address and the outgoing packets from the private IP address to the public IP address. On the firewall, you can accomplish this with a single bi-directional static source NAT policy (the green enclosure and arrow above). See Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT).
Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
When a client on your internal network sends a request, the source address in the packet contains the IP address for the client on your internal network. If you use private IP address ranges internally, the packets from the client will not be able to be routed on the Internet unless you translate the source IP address in the packets leaving the network into a publicly routable address.
On the firewall you can do this by configuring a source NAT policy that translates the source address (and optionally the port) into a public address. One way to do this is to translate the source address for all packets to the egress interface on your firewall, as shown in the following procedure.
Configure Source NAT
Step 1: Create an address object for the external IP address you plan to use.
3. Select IP Netmask from the Type drop-down and then enter the IP address of the external interface on the firewall, 203.0.113.100 in this example.
4. To save the address object, click OK.
Although you do not have to use address objects in your policies, it is a best practice because it simplifies administration by allowing you to make updates in one place rather than having to update every policy where the address is referenced.
Step 2: Create the NAT policy.
2. On the General tab, enter a descriptive Name for the policy.
3. (Optional) Enter a tag, which is a keyword or phrase that allows you to sort or filter policies.
4. For NAT Type, select ipv4 (default).
5. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
7. For Address Type, there are two choices. You could select Translated Address and then click Add. Select the address object you just created.
An alternative Address Type is Interface Address, in which case the translated address will be the IP address of the interface. For this choice, you would select an Interface and optionally an IP Address if the interface has more than one IP address.
8. Click OK to save the NAT policy.
Step 3: Save the configuration.
Click Commit.
Configure Source NAT (Continued)
Step 4: (Optional) Access the CLI to verify the translation.
3. If you configured Dynamic IP NAT, use the show counter global filter aspect session severity drop | match nat command to see if any sessions failed due to NAT IP allocation. If all of the addresses in the Dynamic IP NAT pool are allocated when a new connection is supposed to be translated, the packet will be dropped.
Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
When a user on the internal network sends a request for access to the corporate web server in the DMZ, the DNS server will resolve it to the public IP address. When processing the request, the firewall will use the original destination in the packet (the public IP address) and route the packet to the egress interface for the untrust zone. In order for the firewall to know that it must translate the public IP address of the web server to an address on the DMZ network when it receives requests from users on the trust zone, you must create a destination NAT rule that will enable the firewall to send the request to the egress interface for the DMZ zone as follows.
Configure U-Turn NAT
Step 1: Create an address object for the web server.
2. Enter a Name and optional Description for the object.
3. Select IP Netmask from the Type drop-down and enter the public IP address of the web server, 203.0.113.11 in this example.
4. Click OK.
Step 2: Create the NAT policy.
2. On the General tab, enter a descriptive Name for the NAT rule.
3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
4. In the Destination Address section, click Add and select the address object you created for your public web server.
6. Click OK to save the NAT policy.
Step 3: Save the configuration.
Click Commit.
Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. You create a static NAT rule to translate the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our example.
However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from Internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.
Configure Bi-Directional NAT
Step 1: Create an address object for the web server's internal IP address.
2. Enter a Name and optional Description for the object.
3. Select IP Netmask from the Type drop-down and enter the IP address of the web server on the DMZ network, 10.1.1.11 in this example.
4. Click OK.
If you did not already create an address object for the public address of your web server, you should create that object now.
Step 2: Create the NAT policy.
2. On the General tab, enter a descriptive Name for the NAT rule.
3. On the Original Packet tab, select the zone you created for your DMZ in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
4. In the Source Address section, click Add and select the address object you created for your internal web server address.
6. In the Bi-directional field, select Yes.
7. Click OK to save the NAT policy.
Step 3: Save the configuration.
Click Commit.
Modify the Oversubscription Rate for DIPP NAT
If you have enough public IP addresses that you do not need to use DIPP NAT oversubscription, you can reduce the oversubscription rate and thereby gain more DIP and DIPP NAT rules allowed.
Set NAT Oversubscription
Step 1: View the DIPP NAT oversubscription rate.
Step 2: Set the DIPP NAT oversubscription rate.
3. Click OK and Commit the change.
Disable NAT for a Specific Host or Interface
Both source NAT and destination NAT rules can be configured to disable address translation. You may have exceptions where you do not want NAT to occur for a certain host in a subnet or for traffic exiting a specific interface. The following procedure shows how to disable source NAT for a host.
Create a Source NAT Exemption
Step 1: Create the NAT policy.
2. Enter a descriptive Name for the policy.
3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
4. For Source Address, click Add and enter the host address. Click OK.
5. On the Translated Packet tab, select None from the Translation Type drop-down in the Source Address Translation section of the screen.
6. Click OK to save the NAT policy.
Step 2: Save the configuration.
Click Commit.
NAT rules are processed in order from the top to the bottom, so place the NAT exemption policy before other NAT policies to ensure it is processed before an address translation occurs for the sources you want to exempt.
Reserve Dynamic IP NAT Addresses
You can reserve Dynamic IP NAT addresses (for a configurable period of time) to prevent them from being allocated as translated addresses to a different source IP address that needs translation. When configured, the reservation applies to all of the translated Dynamic IP addresses in progress and any new translations.
For both translations in progress and new translations, when a source IP address is translated to an available translated IP address, that pairing is retained even after all sessions related to that specific source IP are expired. The reservation timer for each source IP address begins after all sessions that use that source IP address translation expire. Dynamic IP NAT is a one-to-one translation; one source IP address translates to one translated IP address that is chosen dynamically from those addresses available in the configured pool. Therefore, a translated IP address that is reserved is not available for any other source IP address until the reservation expires because a new session has not started. The timer is reset each time a new session for a source IP/translated IP mapping begins, after a period when no sessions were active.
By default, no addresses are reserved. You can reserve Dynamic IP NAT addresses for the firewall or for a virtual system.
Reserve Dynamic IP NAT Addresses for a Firewall
Step 1
Step 2
Reserve Dynamic IP NAT Addresses for a Virtual System
Step 1
Step 2
For example, suppose there is a Dynamic IP NAT pool of 30 addresses and there are 20 translations in progress when the nat reserve-time is set to 28800 seconds (8 hours). Those 20 translations are now reserved, so that when the last session (of any application) that uses each source IP/translated IP mapping expires, the translated IP address is reserved for only that source IP address for 8 hours, in case that source IP address needs translation again. Additionally, as the 10 remaining translated addresses are allocated, they each are reserved for their source IP address, each with a timer that begins when the last session for that source IP address expires.
In this manner, each source IP address can be repeatedly translated to its same NAT address from the pool; another host will not be assigned a reserved translated IP address from the pool, even if there are no active sessions for that translated address.
Suppose a source IP/translated IP mapping has all of its sessions expire, and the reservation timer of 8 hours begins. After a new session for that translation begins, the timer stops, and the sessions continue until they all end, at which point the reservation timer starts again, reserving the translated address.
The reservation timer remains in effect on the Dynamic IP NAT pool until you disable it by entering the set command or you change the nat reserve-time to a different value.
The CLI commands for reservations do not affect Dynamic IP and Port (DIPP) or Static IP NAT pools.
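The 30-address scenario above, run through a small model of a Dynamic IP pool with a reservation timer; this is an added Python example, not firewall code. The translated-address pool (198.51.100.x), the host addresses and the timestamps are constructed, and the Dynamic IP/Port fallback option is not modelled.

```python
# Constructed model of a Dynamic IP NAT pool with the reservation timer (not firewall code).
# Times are seconds; the pool hands out the first free address in list order.

class DynamicIpNatPool:
    def __init__(self, translated_addresses, reserve_time=0):
        self.free = list(translated_addresses)  # translated addresses mapped to no source
        self.mapping = {}          # source IP -> translated IP
        self.active = {}           # source IP -> number of active sessions
        self.reserved_until = {}   # source IP -> time at which its reservation expires
        self.reserve_time = reserve_time   # 0 = no reservation, the default

    def new_session(self, source, now):
        """Translate a new session from source; return the translated IP, or None if dropped."""
        self._expire_reservations(now)
        if source in self.mapping:
            # Same source, same translated address; a new session stops the reservation timer.
            self.active[source] += 1
            self.reserved_until.pop(source, None)
            return self.mapping[source]
        if not self.free:
            return None   # pool exhausted: the connection is dropped (DIPP fallback not modelled)
        translated = self.free.pop(0)
        self.mapping[source] = translated
        self.active[source] = 1
        return translated

    def end_session(self, source, now):
        """When the last session ends, release the address or start its reservation timer."""
        self.active[source] -= 1
        if self.active[source] > 0:
            return
        if self.reserve_time > 0:
            self.reserved_until[source] = now + self.reserve_time
        else:
            self._release(source)

    def _expire_reservations(self, now):
        for source, until in list(self.reserved_until.items()):
            if now >= until:
                self._release(source)

    def _release(self, source):
        self.free.append(self.mapping.pop(source))
        self.active.pop(source, None)
        self.reserved_until.pop(source, None)

    def reserved_count(self):
        return len(self.reserved_until)


def run_scenario(reserve_time):
    """The text's scenario: 30-address pool, 20 translations in progress, reserve-time in seconds."""
    pool = DynamicIpNatPool(["198.51.100.%d" % i for i in range(1, 31)], reserve_time)
    hosts = ["10.0.0.%d" % i for i in range(1, 32)]        # constructed source addresses
    for host in hosts[:20]:                                 # 20 translations in progress
        pool.new_session(host, 0)
    for host in hosts[:20]:                                 # their last sessions expire
        pool.end_session(host, 100)
    for host in hosts[20:30]:                               # the 10 remaining addresses are allocated
        pool.new_session(host, 200)
    dropped = pool.new_session(hosts[30], 300) is None      # a 31st host asks for translation
    reserved_at_300 = pool.reserved_count()
    repeat = pool.new_session(hosts[4], 400)                # host 5 returns before its timer runs out
    after_timer = pool.new_session(hosts[30], 100 + reserve_time + 1)   # retry after the timers ran out
    return {"dropped": dropped, "reserved_at_300": reserved_at_300, "repeat": repeat,
            "after_timer": after_timer, "reserved_after_expiry": pool.reserved_count()}


if __name__ == "__main__":
    print("reserve-time 28800:", run_scenario(28800))
    print("no reservation:    ", run_scenario(0))
```

With reserve-time 28800 the 31st host is dropped although 20 mappings have no active session, host 5 gets its previous address back, and the 31st host is served only once the timers run out; with reserve-time 0 the addresses return to the pool immediately and host 5 is not guaranteed its old address.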
NAT Configuration Examples
- Destination NAT Example: One-to-One Mapping
- Destination NAT with Port Translation Example
- Destination NAT Example: One-to-Many Mapping
- Source and Destination NAT Example
- Virtual Wire Source NAT Example
- Virtual Wire Static NAT Example
- Virtual Wire Destination NAT Example
Destination NAT Example: One-to-One Mapping
The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).
The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.
In the following example of a one-to-one destination NAT mapping, users from the zone named Untrust-L3 access the server 10.1.1.100 in the zone named DMZ using the IP address 1.1.1.100.
Before configuring the NAT rules, consider the sequence of events for this scenario.
- Host 1.1.1.250 sends an ARP request for the address 1.1.1.100 (the public address of the destination server).
- The firewall receives the ARP request packet for destination 1.1.1.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured.
- The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 1.1.1.100 to 10.1.1.100.
- After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ.
- The firewall performs a security policy lookup to see if the traffic is permitted from zone Untrust-L3 to DMZ.
  - The direction of the policy matches the ingress zone and the zone where the server is physically located.
  - The security policy refers to the IP address in the original packet, which has a destination address of 1.1.1.100.
- The firewall forwards the packet to the server out egress interface Ethernet1/2. The destination address is changed to 10.1.1.100 as the packet leaves the firewall.
For this example, address objects are configured for webserver-private (10.1.1.100) and Webserver-public (1.1.1.100). The configured NAT rule would look like this:
The direction of the NAT rules is based on the result of route lookup.
The configured security policy to provide access to the server from the Untrust-L3 zone would look like this:
Destination NAT with Port Translation Example
In this example, the web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 and TCP port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 and TCP port 8080. Address objects are configured for webserver-private (10.1.1.100) and Servers-public (1.1.1.100).
The following NAT and security rules must be configured on the firewall:
Destination NAT Example: One-to-Many Mapping
In this example, one IP address maps to two different internal hosts. The firewall uses the application to identify the internal host to which the firewall forwards the traffic.
All HTTP traffic is sent to host 10.1.1.100 and SSH traffic is sent to server 10.1.1.101. The following address objects are required:
- Address object for the one pre-translated IP address of the server
- Address object for the real IP address of the SSH server
- Address object for the real IP address of the web server
The corresponding address objects are created:
- Servers-public: 1.1.1.100
- SSH-server: 10.1.1.101
- webserver-private: 10.1.1.100
The NAT rules would look like this:
The security rules would look like this:
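The lookup order that the three destination NAT examples above depend on (NAT rule zone from a route lookup on the pre-NAT destination, security rule zone from a route lookup on the post-NAT destination, both rules referencing the pre-NAT address) can be made concrete with a small Python model. This is an added example, not PAN-OS code: the routes, zones, addresses, the port 80 to 8080 translation and the SSH one-to-many rule come from the examples, the rule names are invented, and matching on the destination port stands in for the service or application a real rule would reference.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model (not firewall code) of the order in which a new session is evaluated:
# route lookup -> NAT policy (top-down, first match) -> security policy (top-down,
# first match) -> forwarding with the translated destination.

@dataclass
class Route:
    prefix: str
    zone: str                      # zone of the egress interface for this prefix

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                   # zone from the route lookup on the PRE-NAT destination
    dst_addr: str                  # pre-NAT destination address, or "any"
    dst_port: Optional[int]        # original destination port; None matches any port
    translated_dst: str
    translated_port: Optional[int] = None   # None keeps the original port (port forwarding)

@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str                   # zone from the route lookup on the POST-NAT destination
    dst_addr: str                  # still the PRE-NAT address of the original packet
    dst_port: int                  # original destination port
    action: str

def lookup_zone(routes, ip):
    """Longest-prefix match; returns the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route.zone)
    return None if best is None else best[1]

def addr_matches(rule_addr, ip):
    if rule_addr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_addr, strict=False)

def process_session(routes, nat_rules, sec_rules, ingress_zone, dst, dst_port):
    """Describe how the firewall treats a new session to dst:dst_port arriving in ingress_zone."""
    # 1. NAT policy: the destination zone comes from routing the ORIGINAL destination.
    nat_zone = lookup_zone(routes, dst)
    fwd_dst, fwd_port, nat_hit = dst, dst_port, None
    for rule in nat_rules:
        if (rule.from_zone == ingress_zone and rule.to_zone == nat_zone
                and addr_matches(rule.dst_addr, dst)
                and rule.dst_port in (None, dst_port)):
            nat_hit = rule.name
            fwd_dst = rule.translated_dst
            fwd_port = rule.translated_port if rule.translated_port else dst_port
            break
    # 2. Security policy: the destination zone comes from routing the TRANSLATED destination,
    #    but the address and port compared are those of the original packet.
    sec_zone = lookup_zone(routes, fwd_dst)
    sec_hit, action = None, "deny"             # no match: implicit interzone deny
    for rule in sec_rules:
        if (rule.from_zone == ingress_zone and rule.to_zone == sec_zone
                and addr_matches(rule.dst_addr, dst) and rule.dst_port == dst_port):
            sec_hit, action = rule.name, rule.action
            break
    return {"nat_rule": nat_hit, "nat_zone": nat_zone, "security_rule": sec_hit,
            "security_zone": sec_zone, "action": action, "forwarded_to": (fwd_dst, fwd_port)}

# Topology of the examples: 1.1.1.0/24 on Ethernet1/1 (Untrust-L3), 10.1.1.0/24 on Ethernet1/2 (DMZ).
ROUTES = [Route("1.1.1.0/24", "Untrust-L3"), Route("10.1.1.0/24", "DMZ"),
          Route("0.0.0.0/0", "Untrust-L3")]
NAT_RULES = [   # one public address, two hosts: HTTP with port translation to 8080, SSH to .101
    NatRule("web-port-translation", "Untrust-L3", "Untrust-L3", "1.1.1.100", 80, "10.1.1.100", 8080),
    NatRule("ssh-server", "Untrust-L3", "Untrust-L3", "1.1.1.100", 22, "10.1.1.101"),
]
SECURITY_RULES = [   # destination zone DMZ, destination address still the pre-NAT 1.1.1.100
    SecurityRule("allow-web", "Untrust-L3", "DMZ", "1.1.1.100", 80, "allow"),
    SecurityRule("allow-ssh", "Untrust-L3", "DMZ", "1.1.1.100", 22, "allow"),
]
# The common mistake the text warns about: a security rule written with the post-NAT address.
WRONG_SECURITY_RULES = [SecurityRule("allow-web-wrong", "Untrust-L3", "DMZ", "10.1.1.100", 80, "allow")]

if __name__ == "__main__":
    for port in (80, 22):
        print(port, process_session(ROUTES, NAT_RULES, SECURITY_RULES, "Untrust-L3", "1.1.1.100", port))
    print("wrong", process_session(ROUTES, NAT_RULES, WRONG_SECURITY_RULES, "Untrust-L3", "1.1.1.100", 80))
```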
Source and Destination NAT Example
In this example, NAT rules translate both the source and destination IP address of packets between the clients and the server.
- Source NAT: The source addresses in the packets from the clients in the Trust-L3 zone to the server in the Untrust-L3 zone are translated from the private addresses in the network 192.168.1.0/24 to the IP address of the egress interface on the firewall (10.16.1.103). Dynamic IP and Port translation causes the port numbers to be translated also.
- Destination NAT: The destination addresses in the packets from the clients to the server are translated from the server's public address (80.80.80.80) to the server's private address (10.2.133.15).
The following address objects are created for destination NAT.
- Server-PreNAT: 80.80.80.80
- Server-postNAT: 10.2.133.15
The following screenshots illustrate how to configure the source and destination NAT policies for the example.
Virtual Wire Source NAT Example
Virtual wire deployment of a Palo Alto Networks firewall includes the benefit of providing security transparently to the end devices. It is possible to configure NAT for interfaces configured in a virtual wire. All of the NAT types are allowed: source NAT (Dynamic IP, Dynamic IP and Port, static) and destination NAT.
Because interfaces in a virtual wire do not have an IP address assigned, it is not possible to translate an IP address to an interface IP address. You must configure an IP address pool.
When performing NAT on virtual wire interfaces, it is recommended that you translate the source address to a different subnet than the one on which the neighboring devices are communicating. The firewall will not proxy ARP for NAT addresses. Proper routing must be configured on the upstream and downstream routers in order for the packets to be translated in virtual wire mode. Neighboring devices will only be able to resolve ARP requests for IP addresses that reside on the interface of the device on the other end of the virtual wire. See Proxy ARP for NAT Address Pools for more explanation about proxy ARP.
In the source NAT and static NAT examples below, security policies (not shown) are configured from the virtual wire zone named vw-trust to the zone named vw-untrust.
In the following topology, two routers are configured to provide connectivity between subnets 1.1.1.0/24 and 3.1.1.0/24. The link between the routers is configured in subnet 2.1.1.0/30. Static routing is configured on both routers to establish connectivity between the networks. Before the firewall is deployed in the environment, the topology and the routing table for each router look like this:
Route on R1:
Destination    Next Hop
3.1.1.0/24     2.1.1.2
Route on R2:
Destination    Next Hop
1.1.1.0/24     2.1.1.1
Now the firewall is deployed in virtual wire mode between the two Layer 3 devices. All communications from clients in network 1.1.1.0/24 accessing servers in network 3.1.1.0/24 are translated to an IP address in the range 2.1.1.9-2.1.1.14. A NAT IP address pool with range 2.1.1.9-2.1.1.14 is configured on the firewall.
All connections from the clients in subnet 1.1.1.0/24 will arrive at router R2 with a translated source address in the range 2.1.1.9-2.1.1.14. The response from servers will be directed to these addresses. In order for source NAT to work, you must configure proper routing on router R2, so that packets destined for other addresses are not dropped. The routing table below shows the modified routing table on router R2. The route ensures the traffic to the destinations 2.1.1.9-2.1.1.14 (that is, hosts on subnet 2.1.1.8/29) will be sent back through the firewall to router R1.
Route on R2:
Destination    Next Hop
2.1.1.8/29     2.1.1.1
Virtual Wire Static NAT Example
In this example, security policies are configured from the virtual wire zone named Trust to the virtual wire zone named Untrust. Host 1.1.1.100 is statically translated to address 2.1.1.100. With the Bi-directional option enabled, the firewall generates a NAT policy from the Untrust zone to the Trust zone. Clients on the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Any connections initiated by the server at 1.1.1.100 are translated to source IP address 2.1.1.100.
Route on R2:
Destination    Next Hop
2.1.1.100/32   2.1.1.1
Virtual Wire Destination NAT Example
Clients in the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Both the NAT and security policies must be configured from the Untrust zone to the Trust zone.
Route on R2:
Destination    Next Hop
2.1.1.100/32   2.1.1.1
NPTv6
IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). There are four primary benefits of NPTv6:
- You can prevent the asymmetrical routing problems that result from Provider Independent addresses being advertised from multiple data centers.
- NPTv6 allows more specific routes to be advertised so that return traffic arrives at the same firewall that transmitted the traffic.
- Private and public addresses are independent; you can change one without affecting the other.
- You have the ability to translate Unique Local Addresses to globally routable addresses.
This topic builds on a basic understanding of NAT. You should be sure you are familiar with NAT concepts before configuring NPTv6.
- NPTv6 Overview
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy
NPTv6 Overview
This section describes IPv6-to-IPv6 Network Prefix Translation (NPTv6) and how to configure it. NPTv6 is defined in RFC 6296. Palo Alto Networks does not implement all functionality defined in the RFC, but is compliant with the RFC in the functionality it has implemented.
NPTv6 performs stateless translation of one IPv6 prefix to another IPv6 prefix. It is stateless, meaning that it does not keep track of ports or sessions on the addresses translated. NPTv6 differs from NAT66, which is stateful. Palo Alto Networks supports NPTv6 RFC 6296 prefix translation; it does not support NAT66.
With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses.
For organizations using IPv6 addressing, there is no need to translate IPv6 addresses to IPv6 addresses due to the abundance of IPv6 addresses. However, there are Reasons to Use NPTv6 to translate IPv6 prefixes at the firewall.
NPTv6 translates the prefix portion of an IPv6 address but not the host portion or the application port numbers. The host portion is simply copied, and therefore remains the same on either side of the firewall. The host portion also remains visible within the packet header.
- NPTv6 Does Not Provide Security
- Platform Support for NPTv6
- Unique Local Addresses
- Reasons to Use NPTv6
NPTv6 Does Not Provide Security
It is important to understand that NPTv6 does not provide security. In general, stateless network address translation does not provide any security; it provides an address translation function. NPTv6 does not hide or translate port numbers. You must set up firewall security policies correctly in each direction to ensure that traffic is controlled as you intended.
Platform Support for NPTv6
NPTv6 is supported on the following platforms (NPTv6 with hardware lookup but packets go through the CPU): PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3050 firewall, and PA-2000 Series. Platforms supported with no ability to have hardware perform a session lookup: PA-3020 firewall, PA-500 firewall, PA-200 firewall, and VM-Series.
Unique Local Addresses
RFC 4193, Unique Local IPv6 Unicast Addresses, defines unique local addresses (ULAs), which are IPv6 unicast addresses. They can be considered IPv6 equivalents of the private IPv4 addresses identified in RFC 1918, Address Allocation for Private Internets, which cannot be routed globally.
A ULA is globally unique, but not expected to be globally routable. It is intended for local communications and to be routable in a limited area such as a site or among a small number of sites. Palo Alto Networks does not recommend that you assign ULAs, but a firewall configured with NPTv6 will translate prefixes sent to it, including ULAs.
Reasons to Use NPTv6
Although there is no shortage of public, globally routable IPv6 addresses, there are reasons you might want to translate IPv6 addresses. NPTv6:
- Prevents asymmetrical routing: Asymmetric routing can occur if a Provider Independent address space (/48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall where the source IP address was translated by the translator.
- Provides address independence: You need not change the IPv6 prefixes used inside your local network if the global prefixes are changed (for example, by an ISP or as a result of merging organizations). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the Internet. In either case, you update a NAT rule rather than reassign network addresses.
- Translates ULAs for routing: You can have Unique Local Addresses assigned within your private network, and have the firewall translate them to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.
- Reduces exposure to IPv6 prefixes: IPv6 prefixes are less exposed than if you didn't translate network prefixes; however, NPTv6 is not a security measure. The interface identifier portion of each IPv6 address is not translated; it remains the same on each side of the firewall and visible to anyone who can see the packet header. Additionally, the prefixes are not secure; they can be determined by others.
How NPTv6 Works
When you configure a policy for NPTv6, the Palo Alto Networks firewall performs a static, one-to-one IPv6 translation in both directions. The translation is based on the algorithm described in RFC 6296.
In one use case, the firewall performing NPTv6 is located between an internal network and an external network (such as the Internet) that uses globally routable prefixes. When datagrams are going in the outbound direction, the internal source prefix is replaced with the external prefix; this is known as source translation.
In another use case, when datagrams are going in the inbound direction, the destination prefix is replaced with the internal prefix (known as destination translation). The figure below illustrates destination translation and a characteristic of NPTv6: only the prefix portion of an IPv6 address is translated. The host portion of the address is not translated and remains the same on either side of the firewall. In the figure below, the host identifier is 111::55 on both sides of the firewall.
It is important to understand that NPTv6 does not provide security. While you are planning your NPTv6 NAT policies, remember also to configure security policies in each direction.
A NAT or NPTv6 policy rule cannot have both the Source Address and the Translated Address set to Any.
In an environment where you want IPv6 prefix translation, three firewall features work together: NPTv6 NAT policies, security policies, and NDP Proxy.
The firewall does not translate the following:
- Addresses that the firewall has in its Neighbor Discovery (ND) cache.
- The subnet 0xFFFF (in accordance with RFC 6296, Appendix B).
- IP multicast addresses.
- IPv6 addresses with a prefix length of /31 or shorter.
- Link-local addresses. If the firewall is operating in virtual wire mode, there are no IP addresses to translate, and the firewall does not translate link-local addresses.
- Addresses for TCP sessions that authenticate peers using the TCP Authentication Option (RFC 5925).
When using NPTv6, performance for fast path traffic is impacted because NPTv6 is performed in the slow path.
NPTv6 will work with IPSec IPv6 only if the firewall is originating and terminating the tunnel. Transit IPSec traffic would fail because the source and/or destination IPv6 address would be modified. A NAT traversal technique that encapsulates the packet would allow IPSec IPv6 to work with NPTv6.
- Checksum-Neutral Mapping
BiDirectionalTranslation
NPTv6AppliedtoaSpecificService
ChecksumNeutralMapping
The NPTv6 mapping translations that the firewall performs are checksum-neutral, meaning that "...they result in IP headers that will generate the same IPv6 pseudo-header checksum when the checksum is calculated using the standard Internet checksum algorithm [RFC 1071]." See RFC 6296, Section 2.6, for more information about checksum-neutral mapping.
If you are using NPTv6 to perform destination NAT, you can provide the internal IPv6 address and the external prefix/prefix length of the firewall interface in the syntax of the test nptv6 CLI command. The CLI responds with the checksum-neutral, public IPv6 address to use in your NPTv6 configuration to reach that destination.
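As an added example (not PAN-OS code and not the output of the test nptv6 command), the following Python implements the checksum-neutral prefix mapping of RFC 6296 for the /32 to /64 prefix lengths the policy accepts, using the FDD4:7A3E:: and 2001:DB8:: prefixes from the example later in this section taken as /32 prefixes; the adjustment word it computes is what makes the public address differ from a plain prefix swap.

```python
"""Checksum-neutral NPTv6 prefix translation, written from the RFC 6296 description.

Added example, not PAN-OS code. Assumes equal-length internal and external
prefixes of /32 to /64 (the range the NPTv6 policy accepts) and applies the
RFC 6296 adjustment so that the 16-bit one's complement sum of the address,
and therefore the IPv6 pseudo-header checksum, is unchanged by translation.
"""
import ipaddress


def ones_add(a: int, b: int) -> int:
    """One's complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words) -> int:
    """RFC 1071 one's complement sum of 16-bit words. A final 0xFFFF is
    folded to 0 because both values represent zero in one's complement."""
    s = 0
    for w in words:
        s = ones_add(s, w)
    return 0 if s == 0xFFFF else s


def to_words(addr: ipaddress.IPv6Address):
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    n = int(addr)
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]


def from_words(words) -> ipaddress.IPv6Address:
    n = 0
    for w in words:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)


def nptv6_translate(address: str, from_prefix: str, to_prefix: str) -> str:
    """Translate `address` from `from_prefix` to `to_prefix` ('xxxx:xxxx::/yy').

    Works in either direction (internal -> external or external -> internal).
    Raises ValueError where the firewall would not translate: prefix length
    outside /32../64, address not inside from_prefix, subnet 0xFFFF, or no
    16-bit word available to carry the checksum adjustment.
    """
    src = ipaddress.IPv6Network(from_prefix, strict=False)
    dst = ipaddress.IPv6Network(to_prefix, strict=False)
    plen = src.prefixlen
    if plen != dst.prefixlen or not 32 <= plen <= 64:
        raise ValueError("prefix lengths must match and lie in /32../64")
    addr = ipaddress.IPv6Address(address)
    if addr not in src:
        raise ValueError(f"{address} is not in {from_prefix}")

    original = to_words(addr)
    # Step 1: swap the prefix bits and keep every bit after the prefix.
    mask = ((1 << plen) - 1) << (128 - plen)
    swapped_int = (int(dst.network_address) & mask) | (int(addr) & ~mask & ((1 << 128) - 1))
    swapped = to_words(ipaddress.IPv6Address(swapped_int))

    # Step 2: adjustment = sum(original) - sum(swapped) in one's complement.
    delta = ones_add(ones_sum(original), (~ones_sum(swapped)) & 0xFFFF)

    # Step 3: choose the word that absorbs the adjustment (RFC 6296 Section 3).
    if plen <= 48:
        idx = 3                      # the subnet field, bits 48..63
        if swapped[idx] == 0xFFFF:   # subnet 0xFFFF is not translated
            raise ValueError("subnet 0xFFFF cannot be mapped unambiguously")
    else:
        # /49../64: the first interface-identifier word that is not 0xFFFF
        candidates = [i for i in range(4, 8) if swapped[i] != 0xFFFF]
        if not candidates:
            raise ValueError("no IID word available for the adjustment")
        idx = candidates[0]

    adjusted = ones_add(swapped[idx], delta)
    swapped[idx] = 0 if adjusted == 0xFFFF else adjusted  # 0xFFFF is zero in one's complement
    return str(from_words(swapped))


def checksum_neutral(a: str, b: str) -> bool:
    """True when two addresses contribute the same one's complement sum."""
    return ones_sum(to_words(ipaddress.IPv6Address(a))) == \
        ones_sum(to_words(ipaddress.IPv6Address(b)))


if __name__ == "__main__":
    # Constructed example: the internal prefix FDD4:7A3E:: mapped to 2001:DB8::,
    # both taken as /32 prefixes for this demonstration.
    public = nptv6_translate("fdd4:7a3e::100", "fdd4:7a3e::/32", "2001:db8::/32")
    print(public)                                                        # 2001:db8:0:4a5a::100
    print(nptv6_translate(public, "2001:db8::/32", "fdd4:7a3e::/32"))   # fdd4:7a3e::100
    print(checksum_neutral("fdd4:7a3e::100", public))                    # True
```

The public address that reaches FDD4:7A3E::100 carries the adjustment in its subnet word, which is why the guide tells you to take that address from the test nptv6 command rather than swapping the prefix by hand.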
Bi-Directional Translation
When you Create an NPTv6 Policy, the Bi-directional option in the Translated Packet tab provides a convenient way for you to have the firewall create a corresponding NAT or NPTv6 translation in the opposite direction of the translation you configured. By default, Bi-directional translation is disabled.
If you enable Bi-directional translation, it is very important to make sure you have security policies in place to control the traffic in both directions. Without such policies, the Bi-directional feature will allow packets to be automatically translated in both directions, which you might not want.
NPTv6 Applied to a Specific Service
The Palo Alto Networks implementation of NPTv6 offers the ability to filter packets to limit which packets are subject to translation. Keep in mind that NPTv6 does not perform port translation. There is no concept of Dynamic IP and Port (DIPP) translation because NPTv6 translates IPv6 prefixes only. However, you can specify that only packets for a certain service port undergo NPTv6 translation. To do so, Create an NPTv6 Policy that specifies a Service in the Original Packet.
NDP Proxy
Neighbor Discovery Protocol (NDP) for IPv6 performs functions similar to those provided by Address Resolution Protocol (ARP) for IPv4. RFC 4861 defines Neighbor Discovery for IP version 6 (IPv6). Hosts, routers, and firewalls use NDP to determine the link-layer addresses of neighbors on connected links, to keep track of which neighbors are reachable, and to update neighbors' link-layer addresses that have changed. Peers advertise their own MAC address and IPv6 address, and they also solicit addresses from peers.
NDP also supports the concept of proxy, when a node has a neighboring device that is able to forward packets on behalf of the node. The device (firewall) performs the role of NDP Proxy.
Palo Alto Networks firewalls support NDP and NDP Proxy on their interfaces. When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall. You can also configure addresses for which the firewall will not respond to proxy requests (negated addresses).
In fact, NDP is enabled by default, and you need to configure NDP Proxy when you configure NPTv6, for the following reasons:
The stateless nature of NPTv6 requires a way to instruct the firewall to respond to ND packets sent to specified NDP Proxy addresses, and to not respond to negated NDP Proxy addresses.
It is recommended that you negate your neighbors' addresses in the NDP Proxy configuration, because NDP Proxy indicates the firewall will reach those addresses behind the firewall, but the neighbors are not behind the firewall.
NDP causes the firewall to save the MAC addresses and IPv6 addresses of neighbors in its ND cache. (Refer to the figure in NPTv6 and NDP Proxy Example.) The firewall does not perform NPTv6 translation for addresses that it finds in its ND cache because doing so could introduce a conflict. If the host portion of an address in the cache happens to overlap with the host portion of a neighbor's address, and the prefix in the cache is translated to the same prefix as that of the neighbor (because the egress interface on the firewall belongs to the same subnet as the neighbor), then you would have a translated address that is exactly the same as the legitimate IPv6 address of the neighbor, and a conflict occurs. (If an attempt to perform NPTv6 translation occurs on an address in the ND cache, an informational syslog message logs the event: NPTv6 Translation Failed.)
When an interface with NDP Proxy enabled receives an ND solicitation requesting a MAC address for an IPv6 address, the following sequence occurs:
The firewall searches the ND cache to ensure the IPv6 address from the solicitation is not there. If the address is there, the firewall ignores the ND solicitation.
If the source IPv6 address is 0, that means the packet is a Duplicate Address Detection packet, and the firewall ignores the ND solicitation.
The firewall does a Longest Prefix Match search of the NDP Proxy addresses and finds the best match to the address in the solicitation. If the Negate field for the match is checked (in the NDP Proxy list), the firewall drops the ND solicitation.
Only if the Longest Prefix Match search matches, and that matched address is not negated, will the NDP Proxy respond to the ND solicitation. The firewall responds with an ND packet, providing its own MAC address as the MAC address of the next hop toward the queried destination.
In order to successfully support NDP, the firewall does not perform NDP Proxy for the following:
Duplicate Address Detection (DAD).
Addresses in the ND cache (because such addresses do not belong to the firewall; they belong to discovered neighbors).
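The decision sequence above, written out as an added Python example (not PAN-OS code); the ND cache contents and the NDP Proxy entries, including the negated neighbor and negated sub-range, are constructed for the example.

```python
"""NDP Proxy response decision for an incoming Neighbor Solicitation.

Added example, not PAN-OS code: it models the sequence described above
(ND cache check, Duplicate Address Detection check, Longest Prefix Match
over the NDP Proxy list with its Negate flag) and returns the action the
firewall takes. The ND cache and proxy entries below are constructed.
"""
import ipaddress
from typing import Iterable, Tuple

ProxyEntry = Tuple[str, bool]   # (address, range or prefix, Negate flag)


def ndp_proxy_decision(target: str, source: str,
                       nd_cache: Iterable[str],
                       proxy_list: Iterable[ProxyEntry]) -> str:
    """Return 'ignore', 'drop' or 'respond' for a Neighbor Solicitation.

    target: the IPv6 address whose MAC the solicitation asks for
    source: the solicitation's source IPv6 address ('::' means DAD)
    nd_cache: addresses of neighbors the firewall has already discovered
    proxy_list: (prefix, negate) entries from the NDP Proxy configuration
    """
    tgt = ipaddress.IPv6Address(target)

    # 1. Addresses in the ND cache belong to discovered neighbors, not to
    #    devices behind the firewall: never proxy for them.
    if tgt in {ipaddress.IPv6Address(a) for a in nd_cache}:
        return "ignore"

    # 2. An unspecified source (::) marks Duplicate Address Detection; answering
    #    would make the legitimate owner believe its address is already taken.
    if ipaddress.IPv6Address(source) == ipaddress.IPv6Address("::"):
        return "ignore"

    # 3. Longest Prefix Match over the NDP Proxy list.
    best = None
    for prefix, negate in proxy_list:
        net = ipaddress.IPv6Network(prefix, strict=False)
        if tgt in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negate)
    if best is None:
        return "ignore"          # no configured range covers the target
    if best[1]:
        return "drop"            # the best match is negated
    return "respond"             # the firewall answers with its own MAC


# Constructed scenario based on the example in this section: the firewall
# proxies 2001:db8::/64 but negates the neighbors it has learned about.
ND_CACHE = ["2001:db8::1", "2001:db8::2", "2001:db8::3"]
PROXY_LIST = [("2001:db8::/64", False),
              ("2001:db8::1/128", True),      # explicit negate for a neighbor
              ("2001:db8::ff00/120", True)]   # a negated sub-range

if __name__ == "__main__":
    for tgt, src in [("2001:db8::100", "2001:db8::1"),   # respond
                     ("2001:db8::2", "2001:db8::1"),     # ignore (in ND cache)
                     ("2001:db8::100", "::"),            # ignore (DAD)
                     ("2001:db8::ff10", "2001:db8::1")]: # drop (negated range)
        print(tgt, src, ndp_proxy_decision(tgt, src, ND_CACHE, PROXY_LIST))
```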
NPTv6 and NDP Proxy Example
The following figure and text illustrate how NPTv6 and NDP Proxy function together.
The ND Cache in NPTv6 Example
In the above example, multiple peers connect to the firewall through a switch, with ND occurring between the peers and the switch, between the switch and the firewall, and between the firewall and the devices on the trust side.
As the firewall learns of peers, it saves their addresses to its ND cache. Trusted peers FDDA:7A3E::1, FDDA:7A3E::2, and FDDA:7A3E::3 are connected to the firewall on the trust side. FDDA:7A3E::99 is the untranslated address of the firewall itself; its public-facing address is 2001:DB8::99. The addresses of the peers on the untrust side have been discovered and appear in the ND cache: 2001:DB8::1, 2001:DB8::2, and 2001:DB8::3.
The NDP Proxy in NPTv6 Example
In our scenario, we want the firewall to act as NDP Proxy for the prefixes on devices behind the firewall. When the firewall is NDP Proxy for a specified set of addresses/ranges/prefixes, and it sees an address from this range in an ND solicitation or advertisement, the firewall will respond as long as a device with that specific address doesn't respond first, the address is not negated in the NDP proxy configuration, and the address is not in the ND cache. The firewall does the prefix translation (described below) and sends the packet to the trust side, where that address might or might not be assigned to a device.
In this example, the ND Proxy table contains the network address 2001:DB8::0. When the interface sees an ND for 2001:DB8::100, no other devices on the L2 switch claim the packet, so the proxy range causes the firewall to claim it, and after translation to FDD4:7A3E::100, the firewall sends it out to the trust side.
The NPTv6 Translation in NPTv6 Example
In this example, the Original Packet is configured with a Source Address of FDD4:7A3E::0 and a Destination of Any. The Translated Packet is configured with the Translated Address of 2001:DB8::0.
Therefore, outgoing packets with a source of FDD4:7A3E::0 are translated to 2001:DB8::0. Incoming packets with a destination prefix in the network 2001:DB8::0 are translated to FDD4:7A3E::0.
Neighbors in the ND Cache are Not Translated
In our example, there are hosts behind the firewall with host identifiers :1, :2, and :3. If the prefixes of those hosts are translated to a prefix that exists beyond the firewall, and if those devices also have host identifiers :1, :2, and :3, because the host identifier portion of the address remains unchanged, the resulting translated address would belong to the existing device, and an addressing conflict would result. In order to avoid a conflict with overlapping host identifiers, NPTv6 does not translate addresses that it finds in its ND cache.
Create an NPTv6 Policy
Perform this task when you want to configure a NAT NPTv6 policy to translate one IPv6 prefix to another IPv6 prefix. The prerequisites for this task are:
Enable IPv6. Select Device > Setup > Session. Click Edit and select IPv6 Firewalling.
Configure a Layer 3 Ethernet interface with a valid IPv6 address and with IPv6 enabled. Select Network > Interfaces > Ethernet, select an interface, and on the IPv6 tab, select Enable IPv6 on the interface.
Create network security policies, because NPTv6 does not provide security.
Decide whether you want source translation, destination translation, or both.
Identify the zones to which you want to apply the NPTv6 policy.
Identify your original and translated IPv6 prefixes.
Configure an NPTv6 Policy
Step 1: Create a new NPTv6 policy.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a descriptive Name for the NPTv6 policy rule.
3. (Optional) Enter a Description and Tag.
4. For NAT Type, select NPTv6.
Step 2: Specify the match criteria for incoming packets; packets that match all of the criteria are subject to the NPTv6 translation. Zones are required for both types of translation.
1.
2. Enter the Destination Zone to which the policy applies.
3. (Optional) Select a Destination Interface.
4. (Optional) Select a Service to restrict what types of packets are translated.
5. If you are doing source translation, enter a Source Address or select Any. The address could be an address object. The following constraints apply to Source Address and Destination Address:
Prefixes of Source Address and Destination Address for the Original Packet and Translated Packet must be in the format xxxx:xxxx::/yy, although leading zeros in the prefix can be dropped.
The IPv6 address cannot have an interface identifier (host) portion defined.
The range of supported prefix lengths is /32 to /64.
The Source Address and Destination Address cannot both be set to Any.
6. If you are doing source translation, you can optionally enter a Destination Address. If you are doing destination translation, the Destination Address is required. See the constraints listed in the prior step.
Step 3: Specify the translated packet.
1. On the Translated Packet tab, if you want to do source translation, in the Source Address Translation section, for Translation Type, select Static IP. If you do not want to do source translation, select None.
2.
3. (Optional) Select Bi-directional if you want the firewall to create a corresponding NPTv6 translation in the opposite direction of the translation you configure.
If you enable Bi-directional translation, it is very important to make sure you have Security policy rules in place to control the traffic in both directions. Without such policy rules, Bi-directional translation allows packets to be automatically translated in both directions, which you might not want.
4. If you want to do destination translation, select Destination Address Translation. In the Translated Address field, choose an address object from the drop-down or enter your internal destination address.
5. Click OK.
Step 4: Configure NDP Proxy. When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall.
1.
2.
3.
4.
Step 5: Save the configuration.
Click OK and Commit.
ECMP
Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route.
Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
Load balance flows (sessions) to the same destination over multiple equal-cost links.
Efficiently use all available bandwidth on links to the same destination rather than leave some links unused.
Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than having to wait for the routing protocol or RIB table to elect an alternative path/route. This can help reduce downtime when links fail.
For information about ECMP path selection when an HA peer fails, see ECMP in Active/Active HA Mode.
The following sections describe ECMP and how to configure it.
ECMP Load Balancing Algorithms
ECMP Platform, Interface, and IP Routing Support
Configure ECMP on a Virtual Router
Enable ECMP for Multiple BGP Autonomous Systems
Verify ECMP
ECMP Load Balancing Algorithms
Let's suppose the Routing Information Base (RIB) of the firewall has multiple equal-cost paths to a single destination. The maximum number of equal-cost paths defaults to 2. ECMP chooses the best two equal-cost paths from the RIB to copy to the Forwarding Information Base (FIB). ECMP then determines, based on the load balancing method, which of the two paths in the FIB the firewall will use for the destination during this session.
ECMP load balancing is done at the session level, not at the packet level; the start of a new session is when the firewall (ECMP) chooses an equal-cost path. The equal-cost paths to a single destination are considered ECMP path members or ECMP group members. ECMP determines which one of the multiple paths to a destination in the FIB to use for an ECMP flow, based on which load balancing algorithm you set. A virtual router can use only one load balancing algorithm.
Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart the virtual router, which might cause existing sessions to be terminated.
The four algorithm choices emphasize different priorities, as follows:
Keep in mind that ECMP weights are assigned to interfaces to determine load balancing (to influence which equal-cost path is chosen), not for route selection (a route choice from routes that could have different costs).
ECMP Platform, Interface, and IP Routing Support
ECMP is supported on all Palo Alto Networks firewall platforms, with hardware forwarding support on the PA-7000 Series, PA-5000 Series, PA-3060 firewalls, and PA-3050 firewalls. PA-3020 firewalls, PA-500 firewalls, PA-200 firewalls, and VM-Series firewalls support ECMP through software only. Performance is affected for sessions that cannot be hardware offloaded.
ECMP is supported on Layer 3, Layer 3 subinterface, VLAN, tunnel, and Aggregated Ethernet interfaces.
ECMP can be configured for static routes and any of the dynamic routing protocols the firewall supports.
ECMP affects the route table capacity because the capacity is based on the number of paths, so an ECMP route with four paths will consume four entries of route table capacity. ECMP implementation might slightly decrease the route table capacity because more memory is being used by session-based tags to map traffic flows to particular interfaces.
ECMP has the following restrictions:
PA-2000 Series firewalls and PA-4000 Series firewalls with ECMP enabled might not be able to offload sessions to hardware for forwarding. Packets matching ECMP routes will be sent to software, while packets matching non-ECMP routes can still be forwarded by hardware.
For the PA-4000 Series firewalls, packets to be forwarded by ECMP routes will be sent to software for route lookup and forwarding, even though the session is in offloaded state.
Virtual router-to-virtual router routing using static routes does not support ECMP.
Configure ECMP on a Virtual Router
Use the following procedure to enable ECMP on a virtual router. The prerequisites are to:
Specify the interfaces that belong to a virtual router (Network > Virtual Routers > Router Settings > General).
Specify the IP routing protocol.
Enabling, disabling, or changing ECMP for an existing virtual router causes the system to restart the virtual router, which might cause sessions to be terminated.
Configure ECMP on a Virtual Router
Step 1: Enable ECMP for a virtual router.
1.
2.
Step 2: (Optional) Enable symmetric return of packets from server to client.
Step 3: Specify the maximum number of equal-cost paths (to a destination network) that can be copied from the Routing Information Base (RIB) to the Forwarding Information Base (FIB).
For Max Path allowed, enter 2, 3, or 4. Default: 2.
Step 4
Step 5
1. Create an ECMP group by clicking Add and selecting an Interface from the drop-down.
2. Add the other interfaces in the ECMP group.
3. Click on Weight and specify the relative weight for each interface (range is 1-255; default is 100).
Step 6
1. Click OK.
2. At the ECMP Configuration Change prompt, click Yes to restart the virtual router. Restarting the virtual router might cause existing sessions to be terminated.
This message displays only if you are modifying an existing virtual router with ECMP.
Step 7: Save the configuration.
Step 8: Save the configuration.
Commit the configuration.
Enable ECMP for Multiple BGP Autonomous Systems
Perform the following task if you have BGP configured, and you want to enable ECMP over multiple autonomous systems. This task presumes that BGP is already configured. In the following figure, two ECMP paths to a destination go through two firewalls belonging to a single ISP in a single BGP autonomous system.
In the following figure, two ECMP paths to a destination go through two firewalls belonging to two different ISPs in different BGP autonomous systems.
Enable ECMP for BGP Autonomous Systems
Step 1: Configure ECMP.
See Configure ECMP on a Virtual Router.
Step 2: For BGP routing, enable ECMP over multiple autonomous systems.
1.
2.
Step 3: Save the configuration.
Click OK and Commit the configuration.
Verify ECMP
A virtual router configured for ECMP indicates in the Forwarding Information Base (FIB) table which routes are ECMP routes. An ECMP flag (E) for a route indicates that it is participating in ECMP for the egress interface to the next hop for that route.
Confirm That Routes Are Equal-Cost Multiple Paths
Look at the FIB and confirm that some routes are equal-cost multiple paths.
1.
2.
3.
LLDP
Palo Alto Networks firewalls support Link Layer Discovery Protocol (LLDP), which functions at the link layer to discover neighboring devices and their capabilities. LLDP allows the firewall and other network devices to send and receive LLDP data units (LLDPDUs) to and from neighbors. The receiving device stores the information in a MIB, which the Simple Network Management Protocol (SNMP) can access. LLDP makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected by a ping or traceroute.
LLDP Overview
Supported TLVs in LLDP
LLDP Syslog Messages and SNMP Traps
Configure LLDP
View LLDP Settings and Status
Clear LLDP Statistics
LLDP Overview
LLDP operates at Layer 2 of the OSI model, using MAC addresses. An LLDPDU is a sequence of type-length-value (TLV) elements encapsulated in an Ethernet frame. The IEEE 802.1AB standard defines three MAC addresses for LLDPDUs: 01-80-C2-00-00-0E, 01-80-C2-00-00-03, and 01-80-C2-00-00-00.
The Palo Alto Networks firewall supports only one MAC address for transmitting and receiving LLDP data units: 01-80-C2-00-00-0E. When transmitting, the firewall uses 01-80-C2-00-00-0E as the destination MAC address. When receiving, the firewall processes datagrams with 01-80-C2-00-00-0E as the destination MAC address. If the firewall receives either of the other two MAC addresses for LLDPDUs on its interfaces, the firewall takes the same forwarding action it took prior to this feature, as follows:
If the interface type is vwire, the firewall forwards the datagram to the other port.
If the interface type is L2, the firewall floods the datagram to the rest of the VLAN.
If the interface type is L3, the firewall drops the datagrams.
The PA-2000 Series platform is not supported due to the hardware limitation of how Aggregated Ethernet interfaces function. Panorama, the GlobalProtect Mobile Security Manager, and the WildFire appliance are also not supported.
Interface types that do not support LLDP are TAP, high availability (HA), Decrypt Mirror, virtual wire/vlan/L3 subinterfaces, and PA-7000 Series Log Processing Card (LPC) interfaces.
An LLDP Ethernet frame has the following format:
Within the LLDP Ethernet frame, the TLV structure has the following format:
Supported TLVs in LLDP
LLDPDUs include mandatory and optional TLVs. The following table lists the mandatory TLVs that the firewall supports:
Mandatory TLVs
TLV Type: Description
Chassis ID TLV: Identifies the firewall chassis. Each firewall must have exactly one unique Chassis ID. The Chassis ID subtype is 4 (MAC address); on Palo Alto Networks platforms, the firewall will use the MAC address of Eth0 to ensure uniqueness.
Port ID TLV: Identifies the port from which the LLDPDU is sent. Each firewall uses one Port ID for each LLDPDU message transmitted. The Port ID subtype is 5 (interface name) and uniquely identifies the transmitting port. The firewall uses the interface's ifname as the Port ID.
Time-to-live (TTL) TLV: Specifies how long (in seconds) LLDPDU information received from the peer is retained as valid in the local firewall (range is 0-65535). The value is a multiple of the LLDP Hold Time Multiplier. When the TTL value is 0, the information associated with the device is no longer valid and the firewall removes that entry from the MIB.
End of LLDPDU TLV: Indicates the end of the TLVs in the LLDP Ethernet frame.
The following table lists the optional TLVs that the Palo Alto Networks firewall supports:
Optional TLVs
TLV Type: Purpose and Notes Regarding Firewall Implementation
Port Description TLV: Describes the port of the firewall in alphanumeric format. The ifAlias object is used.
System Name TLV: Configured name of the firewall in alphanumeric format. The sysName object is used.
System Description TLV: Describes the firewall in alphanumeric format. The sysDescr object is used.
System Capabilities: Describes the deployment mode of the interface, as follows:
An L3 interface is advertised with router (bit 6) capability and the other bit (bit 1).
An L2 interface is advertised with MAC Bridge (bit 3) capability and the other bit (bit 1).
A virtual wire interface is advertised with Repeater (bit 2) capability and the other bit (bit 1).
Management Address: One or more IP addresses used for firewall management, as follows:
IP address of the management (MGT) interface
IPv4 and/or IPv6 address of the interface
Loopback address
User-defined address entered in the management address field
If no management IP address is provided, the default is the MAC address of the transmitting interface.
Included is the interface number of the management address specified. Also included is the OID of the hardware interface with the management address specified (if applicable).
If more than one management address is specified, they will be sent in the order they are specified, starting at the top of the list. A maximum of four Management Addresses are supported.
This is an optional parameter and can be left disabled.
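As an added example (not PAN-OS code), the following Python builds an LLDPDU from the mandatory TLVs listed above and checks a received LLDPDU for the conditions the firewall counts as Errors (mandatory TLV missing, out of order, length error) and as Unrecognized (reserved TLV type) on its LLDP status page; the TLV header layout (7-bit type, 9-bit length) and the type numbers are taken from IEEE 802.1AB, not from this guide, and the chassis MAC and interface name are constructed.

```python
"""Encode and validate the TLVs of an LLDPDU (added example, not PAN-OS code).

Assumes the IEEE 802.1AB TLV header: 7-bit type, 9-bit length, then value.
Type numbers: 0 End of LLDPDU, 1 Chassis ID, 2 Port ID, 3 TTL,
4 Port Description, 5 System Name, 6 System Description,
7 System Capabilities, 8 Management Address, 127 organizationally specific;
9-126 are reserved, which the firewall's status page reports as Unrecognized.
"""
import struct

END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
KNOWN_TYPES = set(range(0, 9)) | {127}
CHASSIS_SUBTYPE_MAC = 4      # subtype the firewall advertises (MAC address)
PORT_SUBTYPE_IFNAME = 5      # subtype the firewall advertises (interface name)


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one TLV: 16-bit header = type << 9 | length, then the value."""
    if not 0 <= len(value) < 512:
        raise ValueError("TLV value must fit in 9 bits of length")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, ifname: str, ttl: int) -> bytes:
    """Minimal LLDPDU with only the mandatory TLVs, in the required order."""
    return (tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
            + tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + ifname.encode())
            + tlv(TTL, struct.pack("!H", ttl))
            + tlv(END, b""))


def parse_tlvs(data: bytes):
    """Yield (type, value) pairs; raise ValueError on a length error."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated TLV header")
        header = struct.unpack_from("!H", data, off)[0]
        t, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("TLV length exceeds frame")
        yield t, data[off:off + length]
        off += length
        if t == END:
            return


def validate_lldpdu(data: bytes) -> dict:
    """Classify a received LLDPDU the way the LLDP status counters do.

    Returns a dict with 'errors' and 'unrecognized' lists plus the decoded
    'chassis_id', 'port_id' and 'ttl' (None when absent or malformed).
    """
    result = {"errors": [], "unrecognized": [], "ttl": None,
              "chassis_id": None, "port_id": None}
    try:
        tlvs = list(parse_tlvs(data))
    except ValueError as exc:
        result["errors"].append(f"length error: {exc}")
        return result
    types = [t for t, _ in tlvs]
    # The three mandatory TLVs must be present and must lead, in order 1, 2, 3.
    for mandatory in (CHASSIS_ID, PORT_ID, TTL):
        if mandatory not in types:
            result["errors"].append(f"mandatory TLV {mandatory} missing")
    if not result["errors"] and types[:3] != [CHASSIS_ID, PORT_ID, TTL]:
        result["errors"].append("mandatory TLVs out of order")
    if not types or types[-1] != END:
        result["errors"].append("End of LLDPDU TLV missing")
    for t, value in tlvs:
        if t not in KNOWN_TYPES:
            result["unrecognized"].append(t)          # reserved TLV range
        elif t == CHASSIS_ID and len(value) > 1 and value[0] == CHASSIS_SUBTYPE_MAC:
            result["chassis_id"] = value[1:].hex(":")
        elif t == PORT_ID and len(value) > 1 and value[0] == PORT_SUBTYPE_IFNAME:
            result["port_id"] = value[1:].decode(errors="replace")
        elif t == TTL:
            if len(value) != 2:
                result["errors"].append("TTL length error")
            else:
                result["ttl"] = struct.unpack("!H", value)[0]
    return result


if __name__ == "__main__":
    # Constructed values: a locally administered MAC and an interface name.
    pdu = build_lldpdu(bytes.fromhex("020000000001"), "ethernet1/1", 120)
    print(validate_lldpdu(pdu))          # no errors, ttl 120, port_id ethernet1/1
    print(validate_lldpdu(pdu[:-3]))     # a length error: TLV runs past the frame
```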
LLDP Syslog Messages and SNMP Traps
The firewall stores LLDP information in MIBs, which an SNMP Manager can monitor. If you want the firewall to send SNMP trap notifications and syslog messages about LLDP events, you must enable SNMP Syslog Notification in an LLDP profile.
Per RFC 5424, The Syslog Protocol, and RFC 1157, A Simple Network Management Protocol, LLDP sends syslog and SNMP trap messages when MIB changes occur. These messages are rate-limited by the Notification Interval, an LLDP global setting that defaults to 5 seconds and is configurable.
Because the LLDP syslog and SNMP trap messages are rate-limited, some LLDP information provided to those processes might not match the current LLDP statistics seen when you View the LLDP status information. This is normal, expected behavior.
A maximum of 5 MIBs can be received per interface (Ethernet or AE). Each different source has one MIB. If this limit is exceeded, the error message tooManyNeighbors is triggered.
Configure LLDP
To configure LLDP, and create an LLDP profile, you must be a superuser or device administrator (deviceadmin). A firewall interface supports a maximum of five LLDP peers.
Configure LLDP
Step 1: Enable LLDP on the firewall.
Step 2: (Optional) Change LLDP global settings.
1.
2.
3.
4. For Notification Interval, specify the interval (in seconds) at which LLDP Syslog Messages and SNMP Traps are transmitted when MIB changes occur. Default: 5 seconds. Range: 1-3600 seconds.
5. Click OK.
Step 3: Create an LLDP profile. For descriptions of the optional TLVs, see Supported TLVs in LLDP.
1.
2. Enter a Name for the LLDP profile.
3. For Mode, select transmit-receive (default), transmit-only, or receive-only.
4.
5. For Optional TLVs, select the TLVs you want transmitted:
Port Description
System Name
System Description
System Capabilities
6. (Optional) Select Management Address to add one or more management addresses and Add a Name.
7. Select the Interface from which to obtain the management address. At least one management address is required if Management Address TLV is enabled. If no management IP address is configured, the system uses the MAC address of the transmitting interface as the management address TLV.
8. Select IPv4 or IPv6, and in the adjacent field, select an IP address from the drop-down (which lists the addresses configured on the selected interface), or enter an address.
9. Click OK.
10. Up to four management addresses are allowed. If you specify more than one Management Address, they will be sent in the order they are specified, starting at the top of the list. To change the order of the addresses, select an address and use the Move Up or Move Down buttons.
11. Click OK.
Step 4: Assign an LLDP profile to an interface.
1.
2.
3. Select Enable LLDP to assign an LLDP profile to the interface.
4. For Profile, select the profile you created. Selecting None enables LLDP with basic functionality: sends the three mandatory TLVs and enables transmit-receive mode.
If you want to create a new profile, click LLDP Profile and follow the instructions in Step 4.
5. Click OK.
Step 5: Save the configuration.
Click Commit.
View LLDP Settings and Status
Perform the following procedure to view LLDP settings and status.
View LLDP Settings and Status
Step 1: View LLDP global settings.
1.
Step 2: View the LLDP status information.
1. Select the Status tab.
2. (Optional) Enter a filter to restrict the information that is displayed.
Interface Information:
Interface: Name of the interfaces that have LLDP profiles assigned to them.
LLDP: LLDP status: enabled or disabled.
Mode: LLDP mode of the interface: Tx/Rx, Tx Only, or Rx Only.
Profile: Name of the profile assigned to the interface.
Transmission Information:
Total Transmitted: Count of LLDPDUs transmitted out the interface.
Dropped Transmit: Count of LLDPDUs that were not transmitted out the interface because of an error. For example, a length error when the system is constructing an LLDPDU for transmission.
Received Information:
Total Received: Count of LLDP frames received on the interface.
Dropped TLV: Count of LLDP frames discarded upon receipt.
Errors: Count of TLVs that were received on the interface and contained errors. Types of TLV errors include: one or more mandatory TLVs missing, out of order, containing out-of-range information, or length error.
Unrecognized: Count of TLVs received on the interface that are not recognized by the LLDP local agent. For example, the TLV type is in the reserved TLV range.
Aged Out: Count of items deleted from the Receive MIB due to proper TTL expiration.
Step 3: View summary LLDP information for each neighbor seen on an interface.
1. Select the Peers tab.
2. (Optional) Enter a filter to restrict the information being displayed.
Local Interface: Interface on the firewall that detected the neighboring device.
Remote Chassis ID: Chassis ID of the peer. The MAC address will be used.
Port ID: Port ID of the peer.
Name: Name of peer.
More info: Provides the following remote peer details, which are based on the Mandatory and Optional TLVs:
Chassis Type: MAC address.
MAC Address: MAC address of the peer.
System Name: Name of the peer.
System Description: Description of the peer.
Port Description: Port description of the peer.
Port Type: Interface name.
Port ID: The firewall uses the interface's ifname.
System Capabilities: Capabilities of the system. O=Other, P=Repeater, B=Bridge, W=Wireless LAN, R=Router, T=Telephone
Enabled Capabilities: Capabilities enabled on the peer.
Management Address: Management address of the peer.
Clear LLDP Statistics
You can clear LLDP statistics for specific interfaces.
Clear LLDP Statistics
Step 1: Clear LLDP statistics for specific interfaces.
1.
2.
BFD
The firewall supports Bidirectional Forwarding Detection (BFD), a protocol that recognizes a failure in the bidirectional path between two routing peers. BFD failure detection is extremely fast, providing for a faster failover than can be achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats. Mission-critical data centers and networks that require high availability and extremely fast failover need the extremely fast failure detection that BFD provides.
BFD Overview
Configure BFD
Reference: BFD Details
BFD Overview
When you enable BFD, BFD establishes a session from one endpoint (the firewall) to its BFD peer at the endpoint of a link using a three-way handshake. Control packets perform the handshake and negotiate the parameters configured in the BFD profile, including the minimum intervals at which the peers can send and receive control packets. BFD control packets for both IPv4 and IPv6 are transmitted over UDP port 3784. BFD control packets for multihop support are transmitted over UDP port 4784. BFD control packets transmitted over either port are encapsulated in the UDP packets.
After the BFD session is established, the Palo Alto Networks implementation of BFD operates in asynchronous mode, meaning both endpoints send each other control packets (which function like Hello packets) at the negotiated interval. If a peer does not receive a control packet within the detection time (calculated as the negotiated transmit interval multiplied by a Detection Time Multiplier), the peer considers the session down. (The firewall does not support demand mode, in which control packets are sent only if necessary rather than periodically.)
When you enable BFD for a static route and a BFD session between the firewall and the BFD peer fails, the firewall removes the failed route from the RIB and FIB tables and allows an alternate path with a lower priority to take over. When you enable BFD for a routing protocol, BFD notifies the routing protocol to switch to an alternate path to the peer. Thus, the firewall and BFD peer reconverge on a new path.
A BFD profile allows you to Configure BFD settings and apply them to one or more routing protocols or static routes on the firewall. If you enable BFD without configuring a profile, the firewall uses its default BFD profile (with all of the default settings). You cannot change the default BFD profile.
When an interface is running multiple protocols that use different BFD profiles, BFD uses the profile having the lowest Desired Minimum Tx Interval. See BFD for Dynamic Routing Protocols.
Active/passive HA peers synchronize BFD configurations and sessions; active/active HA peers do not.
BFD is standardized in RFC 5880. PAN-OS does not support all components of RFC 5880; see Non-Supported RFC Components of BFD.
PAN-OS also supports RFC 5881, Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop). In this case, BFD tracks a single hop between two systems that use IPv4 or IPv6, so the two systems are directly connected to each other. BFD also tracks multiple hops from peers connected by BGP. PAN-OS follows BFD encapsulation as described in RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths. However, PAN-OS does not support authentication.
BFD Platform, Interface, and Client Support
Non-Supported RFC Components of BFD
BFD for Static Routes
BFD for Dynamic Routing Protocols
BFD Platform, Interface, and Client Support
PAN-OS supports BFD on PA-3000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls. Each platform supports a maximum number of BFD sessions, as listed in the Product Selection tool.
BFD runs on physical Ethernet, Aggregated Ethernet (AE), VLAN, and tunnel interfaces (site-to-site VPN and LSVPN), and on Layer 3 subinterfaces.
Supported BFD clients are:
Static routes (IPv4 and IPv6) consisting of a single hop
OSPFv2 and OSPFv3 (interface types include broadcast, point-to-point, and point-to-multipoint)
BGP IPv4 (IBGP, EBGP) consisting of a single hop or multiple hops
RIP (single hop)
Non-Supported RFC Components of BFD
Demand mode
Authentication
Sending or receiving Echo packets; however, the firewall will pass Echo packets that arrive on a virtual wire or tap interface. (BFD Echo packets have the same IP address for the source and destination.)
Poll sequences
Congestion control
BFD for Static Routes
To use BFD on a static route, both the firewall and the peer at the opposite end of the static route must support BFD sessions. A static route can have a BFD profile only if the Next Hop type is IP Address.
If an interface is configured with more than one static route to a peer (the BFD session has the same source IP address and same destination IP address), a single BFD session automatically handles the multiple static routes. This behavior reduces BFD sessions. If the static routes have different BFD profiles, the profile with the smallest Desired Minimum Tx Interval takes effect.
In a deployment where you want to configure BFD for a static route on a DHCP or PPPoE client interface, you must perform two commits. Enabling BFD for a static route requires that the Next Hop type must be IP Address. But at the time of a DHCP or PPPoE interface commit, the interface IP address and next hop IP address (default gateway) are unknown.
You must first enable a DHCP or PPPoE client for the interface, perform a commit, and wait for the DHCP or PPPoE server to send the firewall the client IP address and default gateway IP address. Then you can configure the static route (using the default gateway address of the DHCP or PPPoE client as the next hop), enable BFD, and perform a second commit.
BFD for Dynamic Routing Protocols
In addition to BFD for static routes, the firewall supports BFD for the BGP, OSPF, and RIP routing protocols.
The Palo Alto Networks implementation of multihop BFD follows the encapsulation portion of RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths, but does not support authentication. A workaround is to configure BFD in a VPN tunnel for BGP. The VPN tunnel can provide authentication without the duplication of BFD authentication.
When you enable BFD for OSPFv2 or OSPFv3 broadcast interfaces, OSPF establishes a BFD session only with its Designated Router (DR) and Backup Designated Router (BDR). On point-to-point interfaces, OSPF establishes a BFD session with the direct neighbor. On point-to-multipoint interfaces, OSPF establishes a BFD session with each peer.
The firewall does not support BFD on an OSPF or OSPFv3 virtual link.
Each routing protocol can have independent BFD sessions on an interface. Alternatively, two or more routing protocols (BGP, OSPF, and RIP) can share a common BFD session for an interface.
When you enable BFD for multiple protocols on the same interface, and the source IP address and destination IP address for the protocols are also the same, the protocols share a single BFD session, thus reducing both dataplane overhead (CPU) and traffic load on the interface. If you configure different BFD profiles for these protocols, only one BFD profile is used: the one that has the lowest Desired Minimum Tx Interval. If the profiles have the same Desired Minimum Tx Interval, the profile used by the first created session takes effect. In the case where a static route and OSPF share the same session, because a static session is created right after a commit, while OSPF waits until an adjacency is up, the profile of the static route takes effect.
The benefit of using a single BFD session in these cases is that this behavior uses resources more efficiently. The firewall can use the saved resources to support more BFD sessions on different interfaces or support BFD for different source IP and destination IP address pairs.
IPv4 and IPv6 on the same interface always create different BFD sessions, even though they can use the same BFD profile.
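The session-sharing and profile-selection rules just described, modelled in an added Python example (this is not PAN-OS code). The interface and addresses come from the BFD Details reference later in this chapter; the IPv6 neighbour, the profile names and the relative creation order of BGP and RIP sessions are assumptions made for the illustration.

```python
"""Model of how a firewall following the rules above groups static-route and
routing-protocol BFD bindings into sessions and picks the effective profile.

Rules modelled (from the text):
  * bindings with the same interface, source IP and destination IP share one
    BFD session; IPv4 and IPv6 always get separate sessions;
  * of the profiles bound to a shared session, the one with the lowest
    Desired Minimum Tx Interval wins;
  * on a tie, the profile of the first-created session wins; a static route's
    session exists right after the commit, OSPF's only once an adjacency is up.
Added illustration, not PAN-OS code; the data structures are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Relative creation order assumed for the tie-break.  "static" before "ospf"
# is stated in the text; the positions of BGP and RIP are an assumption.
CREATION_ORDER = {"static": 0, "bgp": 1, "ospf": 2, "rip": 3}


@dataclass(frozen=True)
class BFDProfile:
    name: str
    desired_min_tx_ms: int   # Desired Minimum Tx Interval in milliseconds


@dataclass(frozen=True)
class Binding:
    protocol: str            # "static", "bgp", "ospf" or "rip"
    interface: str
    local_ip: str
    peer_ip: str
    profile: BFDProfile


def session_key(b: Binding) -> tuple:
    """Bindings sharing this key share one BFD session.  The address family
    is part of the key, so IPv4 and IPv6 never share a session."""
    family = ip_address(b.local_ip).version
    return (b.interface, family, b.local_ip, b.peer_ip)


def effective_profile(bindings: list) -> BFDProfile:
    """Lowest Desired Minimum Tx Interval wins; a tie goes to the binding
    whose session was created first."""
    winner = min(bindings,
                 key=lambda b: (b.profile.desired_min_tx_ms,
                                CREATION_ORDER[b.protocol]))
    return winner.profile


def plan_sessions(bindings: list) -> dict:
    """Group bindings into sessions; report each session's protocols and
    the profile that actually takes effect."""
    groups = {}
    for b in bindings:
        groups.setdefault(session_key(b), []).append(b)
    return {
        key: {
            "protocols": sorted({b.protocol for b in group}),
            "profile": effective_profile(group).name,
        }
        for key, group in groups.items()
    }


# Constructed sample, mirroring the BFD Details reference: a static route and
# OSPF on ethernet1/12 with different profiles (the default profile wins),
# plus an OSPFv3 neighbour that must land in its own session.
DEFAULT = BFDProfile("default", 1000)
OSPF_SLOW = BFDProfile("ospf-1500", 1500)
SAMPLE = [
    Binding("static", "ethernet1/12", "10.55.55.2", "10.55.55.1", DEFAULT),
    Binding("ospf", "ethernet1/12", "10.55.55.2", "10.55.55.1", OSPF_SLOW),
    Binding("ospf", "ethernet1/12", "2001:db8::2", "2001:db8::1", DEFAULT),
]

if __name__ == "__main__":
    for key, info in plan_sessions(SAMPLE).items():
        print(key, "->", info)
```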
Configure BFD
This task assumes you have performed the following prerequisites:
Configured a virtual router.
Configured one or more static routes if you are applying BFD to static routes.
Configured a routing protocol (BGP, OSPF, OSPFv3, or RIP) if you are applying BFD to a routing protocol.
The effectiveness of your BFD implementation depends on a variety of factors, such as traffic loads, network conditions, how aggressive your BFD settings are, and how busy the dataplane is.
Step 1  Create a BFD profile.
    If you change a setting in a BFD profile that an existing BFD session is using and you commit the change, before the firewall deletes that BFD session and recreates it with the new setting, the firewall sends a BFD packet with the local state set to admin down. The peer device may or may not flap the routing protocol or static route, depending on the peer's implementation of RFC 5882, Section 3.2.
    7. (Optional) For a BGP IPv4 implementation only, configure hop-related settings for the BFD profile:
       Select Multihop to enable BFD over BGP multihop.
       Enter the Minimum Rx TTL. This is the minimum Time-to-Live value (number of hops) BFD will accept (receive) in a BFD control packet when BGP supports multihop BFD. (Range is 1-254; there is no default.) The firewall drops the packet if it receives a smaller TTL than its configured Minimum Rx TTL. For example, if the peer is 5 hops away, and the peer transmits a BFD packet with a TTL of 100 to the firewall, and if the Minimum Rx TTL for the firewall is set to 96 or higher, the firewall drops the packet.
    8. Click OK.
Step 2  (Optional) Enable BFD for a static route.
    Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
    4. Select the static route where you want to apply BFD.
    5. Select an Interface (even if you are using a DHCP address). The Interface setting cannot be None.
    7. For BFD Profile, select one of the following:
       default: Uses only default settings.
       A BFD profile you configured: See Create a BFD profile.
       New BFD Profile: Allows you to Create a BFD profile.
       Selecting None (Disable BFD) disables BFD for this static route.
    8. Click OK.
    A BFD column on the IPv4 or IPv6 tab indicates the BFD profile configured for the static route.
Step 3  (Optional) Enable BFD for all BGP interfaces or for a single BGP peer.
    If you enable or disable BFD globally, all interfaces running BGP will be taken down and brought back up with the BFD function. This can disrupt all BGP traffic. When you enable BFD on the interface, the firewall stops the BGP connection to the peer to program BFD on the interface. The peer device sees the BGP connection drop, which can result in a reconvergence. Enable BFD for BGP interfaces during an off-peak time when a reconvergence will not impact production traffic.
    2. Select the BGP tab.
    3. (Optional) To apply BFD to all BGP interfaces on the virtual router, in the BFD drop-down, select one of the following and click OK:
       default: Uses only default settings.
       A BFD profile you configured: See Create a BFD profile.
       New BFD Profile: Allows you to Create a BFD profile.
       Selecting None (Disable BFD) disables BFD for all BGP interfaces on the virtual router; you cannot enable BFD for a single BGP interface.
    4. (Optional) To enable BFD for a single BGP peer interface (thereby overriding the BFD setting for BGP as long as it is not disabled), perform the following tasks:
       a. Select the Peer Group tab.
       b. Select a peer group.
       c. Select a peer.
       d. In the BFD drop-down, select one of the following:
          default: Uses only default settings.
          Inherit-vr-global-setting (default): The BGP peer inherits the BFD profile that you selected globally for BGP for the virtual router.
          A BFD profile you configured: See Create a BFD profile.
          Selecting Disable BFD disables BFD for the BGP peer.
       e. Click OK.
    5. Click OK.
    A BFD column on the BGP Peer Group/Peer list indicates the BFD profile configured for the interface.
Step 4  (Optional) Enable BFD for OSPF or OSPFv3 globally or for an OSPF interface.
    2. Select the OSPF or OSPFv3 tab.
    3. (Optional) In the BFD drop-down, select one of the following to enable BFD for all OSPF or OSPFv3 interfaces and click OK:
       default: Uses only default settings.
       A BFD profile you configured: See Create a BFD profile.
       New BFD Profile: Allows you to Create a BFD profile.
       Selecting None (Disable BFD) disables BFD for all OSPF interfaces on the virtual router; you cannot enable BFD for a single OSPF interface.
    4. (Optional) To enable BFD on a single OSPF peer interface (and thereby override the BFD setting for OSPF, as long as it is not disabled), perform the following tasks:
       a. Select the Areas tab and select an area.
       b. On the Interface tab, select an interface.
       c. In the BFD drop-down, select one of the following to configure BFD for the specified OSPF peer:
          default: Uses only default settings.
          Inherit-vr-global-setting (default): The OSPF peer inherits the BFD setting for OSPF or OSPFv3 for the virtual router.
          A BFD profile you configured: See Create a BFD profile.
          Selecting Disable BFD disables BFD for the OSPF or OSPFv3 interface.
       d. Click OK.
    5. Click OK.
    A BFD column on the OSPF Interface tab indicates the BFD profile configured for the interface.
Step 5  (Optional) Enable BFD for RIP globally or for a single RIP interface.
    2. Select the RIP tab.
    3. (Optional) In the BFD drop-down, select one of the following to enable BFD for all RIP interfaces on the virtual router and click OK:
       default: Uses only default settings.
       A BFD profile you configured: See Create a BFD profile.
       New BFD Profile: Allows you to Create a BFD profile.
       Selecting None (Disable BFD) disables BFD for all RIP interfaces on the virtual router; you cannot enable BFD for a single RIP interface.
    4. (Optional) To enable BFD for a single RIP interface (and thereby override the BFD setting for RIP, as long as it is not disabled), perform the following tasks:
       a. Select the Interfaces tab and select an interface.
       b. In the BFD drop-down, select one of the following:
          default: Uses only default settings.
          Inherit-vr-global-setting (default): The RIP interface inherits the BFD profile that you selected for RIP globally for the virtual router.
          A BFD profile you configured: See Create a BFD profile.
          Selecting None (Disable BFD) disables BFD for the RIP interface.
       c. Click OK.
    5. Click OK.
    The BFD column on the Interface tab indicates the BFD profile configured for the interface.
Step 6  Save the configuration.
    Click Commit.
Step 7  View BFD summary and details.
    3. (Optional) Select details in the row of the interface you are interested in to view Reference: BFD Details.
Step 8  Monitor BFD profiles referenced by a routing configuration; monitor BFD statistics, status, and state.
    Use the following CLI operational commands:
    show routing bfd active-profile [<name>]
    show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>]
Step 9  (Optional) Clear BFD transmit, receive, and drop counters.
Step 10  (Optional) Clear BFD sessions for debugging.
Reference: BFD Details
To see the following information for a virtual router, you can View BFD Summary and Details.
Name / Value (Example) / Description
Session ID
    Description: ID number of the BFD session.
Interface
    Value (Example): ethernet1/12
    Description: Interface you selected where BFD is running.
Protocol
    Value (Example): STATIC(IPV4) OSPF
    Description: Static route (IP address family of static route) and/or dynamic routing protocol that is running BFD on the interface.
Local IP Address
    Value (Example): 10.55.55.2
    Description: IP address of the interface.
Neighbor IP Address
    Value (Example): 10.55.55.1
    Description: IP address of the BFD neighbor.
BFD Profile
    Value (Example): default* (This BFD session has multiple BFD profiles. The lowest Desired Minimum Tx Interval (ms) is used to select the effective profile.)
    Description: Name of the BFD profile applied to the interface. Because the sample interface has both a static route and OSPF running BFD with different profiles, the firewall uses the profile with the lowest Desired Minimum Tx Interval. In this example, the profile used is the default profile.
State (local/remote)
    Value (Example): up/up
    Description: BFD states of the local and remote BFD peers. Possible states are admin down, down, init, and up.
Up Time
    Value (Example): 2h 36m 21s 419ms
    Description: Length of time BFD has been up (hours, minutes, seconds, and milliseconds).
Discriminator (local/remote)
    Value (Example): 1391591427 / 1
    Description: Discriminators for the local and remote BFD peers.
Mode
    Value (Example): Active
    Description: Mode in which BFD is configured on the interface: Active or Passive.
Demand Mode
    Value (Example): Disabled
    Description: PAN-OS does not support BFD Demand Mode, so it is always in the Disabled state.
Multihop
    Value (Example): Disabled
    Description: BFD multihop: Enabled or Disabled.
Multihop TTL
    Description: TTL of multihop; range is 1-254. The field is empty if Multihop is disabled.
Local Diag Code
    Value (Example): 0 (No Diagnostic)
    Description: Diagnostic code indicating the reason for the local system's last change in state:
    0  No Diagnostic
    1  Control Detection Time Expired
    2  Echo Function Failed
    3  Neighbor Signaled Session Down
    4  Forwarding Plane Reset
    5  Path Down
    6  Concatenated Path Down
    7  Administratively Down
    8  Reverse Concatenated Path Down
Last Received Remote Diag Code
    Value (Example): 0 (No Diagnostic)
    Description: Diagnostic code last received from the BFD peer.
Transmit Hold Time
    Value (Example): 0 ms
    Description: Hold time (in milliseconds) after a link comes up before BFD transmits BFD control packets. A hold time of 0 ms means to transmit immediately. Range is 0-120000 ms.
Received Min Rx Interval
    Value (Example): 1000 ms
    Description: Minimum Rx interval received from the peer; the interval at which the BFD peer can receive control packets. Maximum is 2000 ms.
Negotiated Transmit Interval
    Value (Example): 1000 ms
    Description: Transmit interval (in milliseconds) at which the BFD peers have agreed to send BFD control packets to each other. Maximum is 2000 ms.
Received Multiplier
    Description: Detection time multiplier value received from the BFD peer. The Transmit Time multiplied by the Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2-50.
Detect Time (exceeded)
    Value (Example): 3000 ms (0)
    Description: Calculated detection time (Negotiated Transmit Interval multiplied by Multiplier) and the number of milliseconds by which the detection time is exceeded.
Tx Control Packets (last)
    Value (Example): 9383 (420 ms ago)
    Description: Number of BFD control packets transmitted (and length of time since BFD transmitted the most recent control packet).
Rx Control Packets (last)
    Value (Example): 9384 (407 ms ago)
    Description: Number of BFD control packets received (and length of time since BFD received the most recent control packet).
Agent Data Plane
    Value (Example): Slot1 DP0
    Description: On PA-7000 Series firewalls, the dataplane CPU that is assigned to handle packets for this BFD session.
Errors
    Description: Number of BFD errors.
Last Packet Causing State Change
Version
    Description: BFD version.
Poll Bit
    Description: BFD poll bit; 0 indicates not set.
Desired Min Tx Interval
    Value (Example): 1000 ms
    Description: Desired minimum transmit interval of the last packet causing a state change.
Required Min Rx Interval
    Value (Example): 1000 ms
    Description: Required minimum receive interval of the last packet causing a state change.
Detect Multiplier
    Description: Detect Multiplier of the last packet causing a state change.
My Discriminator
    Description: Remote discriminator. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Your Discriminator
    Value (Example): 1391591427
    Description: Local discriminator. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Diagnostic Code
    Value (Example): 0 (No Diagnostic)
    Description: Diagnostic code of the last packet causing a state change.
Length
    Value (Example): 24
    Description: Length of the BFD control packet in bytes.
Demand Bit
    Description: PAN-OS does not support BFD Demand mode, so the Demand Bit is always set to 0 (disabled).
Final Bit
    Description: PAN-OS does not support the Poll Sequence, so the Final Bit is always set to 0 (disabled).
Multipoint Bit
    Description: This bit is reserved for future point-to-multipoint extensions to BFD. It must be zero on both transmit and receipt.
Control Plane Independent Bit
    Value (Example): 1
    Description: If set to 1, the transmitting system's BFD implementation does not share fate with its control plane (i.e., BFD is implemented in the forwarding plane and can continue to function through disruptions in the control plane). In PAN-OS, this bit is always set to 1. If set to 0, the transmitting system's BFD implementation shares fate with its control plane.
Authentication Present Bit
    Value (Example): 0
    Description: PAN-OS does not support BFD Authentication, so the Authentication Present Bit is always set to 0.
Required Min Echo Rx Interval
    Value (Example): 0 ms
    Description: PAN-OS does not support the BFD Echo function, so this will always be 0 ms.
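The fields listed under Last Packet Causing State Change are the header of the 24-byte BFD control packet defined in RFC 5880, Section 4.1. The following added example (not PAN-OS code) decodes such a packet and derives the detect time the way the table describes; the sample packet is constructed to match the example column (state up, multiplier 3, 1000 ms intervals, discriminators 1391591427 and 1), and the byte layout and reception checks follow RFC 5880 rather than any firewall internals.

```python
"""Decoder for the 24-byte BFD control packet (RFC 5880, Section 4.1).
Added illustration, not PAN-OS code.  On the wire the intervals are in
microseconds; the functions report milliseconds, like the table above."""
import struct

# Diagnostic codes exactly as listed under Local Diag Code.
DIAG_CODES = {
    0: "No Diagnostic", 1: "Control Detection Time Expired",
    2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
    4: "Forwarding Plane Reset", 5: "Path Down", 6: "Concatenated Path Down",
    7: "Administratively Down", 8: "Reverse Concatenated Path Down",
}
STATES = {0: "admin down", 1: "down", 2: "init", 3: "up"}
# Vers/Diag, Sta/flags, Detect Mult, Length, then five 32-bit fields.
HEADER = struct.Struct("!BBBBIIIII")


def parse_bfd_control(data: bytes) -> dict:
    """Decode one control packet; raise ValueError for anything RFC 5880
    Section 6.8.6 says a receiver must discard."""
    if len(data) < HEADER.size:
        raise ValueError("BFD control packet shorter than 24 bytes")
    b0, b1, mult, length, my_disc, your_disc, tx, rx, echo_rx = HEADER.unpack(data[:24])
    auth_present = bool(b1 & 0x04)
    min_len = 26 if auth_present else 24      # auth section adds at least 2 bytes
    if ((b0 >> 5) != 1 or length < min_len or length > len(data)
            or mult == 0 or my_disc == 0 or b1 & 0x01):
        raise ValueError("discard: bad version, length, Detect Mult, My Discriminator or M bit")
    return {
        "version": b0 >> 5,
        "diag": b0 & 0x1F,
        "diag_text": DIAG_CODES.get(b0 & 0x1F, "Reserved"),
        "state": STATES[b1 >> 6],
        "poll": bool(b1 & 0x20),
        "final": bool(b1 & 0x10),
        "control_plane_independent": bool(b1 & 0x08),
        "auth_present": auth_present,
        "demand": bool(b1 & 0x02),
        "detect_mult": mult,
        "length": length,
        "my_discriminator": my_disc,
        "your_discriminator": your_disc,
        "desired_min_tx_ms": tx / 1000,
        "required_min_rx_ms": rx / 1000,
        "required_min_echo_rx_ms": echo_rx / 1000,
    }


def detection_time_ms(pkt: dict, local_required_min_rx_ms: float) -> float:
    """Detect time as the receiving side computes it (RFC 5880, 6.8.4): the
    peer's Detect Mult times the negotiated transmit interval, which is the
    larger of our Required Min Rx Interval and the peer's Desired Min Tx."""
    negotiated = max(local_required_min_rx_ms, pkt["desired_min_tx_ms"])
    return pkt["detect_mult"] * negotiated


def build_bfd_control(state, detect_mult, my_disc, your_disc, tx_ms, rx_ms,
                      diag=0, poll=False, final=False, cpi=True, auth=False,
                      demand=False, echo_rx_ms=0) -> bytes:
    """Encode a control packet; used here only to construct sample input."""
    state_code = {v: k for k, v in STATES.items()}[state]
    b0 = (1 << 5) | diag                     # version 1, diagnostic code
    b1 = ((state_code << 6) | (poll << 5) | (final << 4) | (cpi << 3)
          | (auth << 2) | (demand << 1))     # M bit stays 0
    return HEADER.pack(b0, b1, detect_mult, HEADER.size, my_disc, your_disc,
                       int(tx_ms * 1000), int(rx_ms * 1000), int(echo_rx_ms * 1000))


# Constructed sample: the packet the firewall of the reference table would
# receive from its neighbour.  The peer's own discriminator (1) travels in
# My Discriminator; the firewall's (1391591427) comes back in Your Discriminator.
SAMPLE_PACKET = build_bfd_control("up", 3, 1, 1391591427, 1000, 1000)

if __name__ == "__main__":
    fields = parse_bfd_control(SAMPLE_PACKET)
    for name, value in fields.items():
        print(f"{name:28} {value}")
    print(f"{'detect time (ms)':28} {detection_time_ms(fields, 1000)}")
```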
Policy
Policies allow you to enforce rules and take action. The different types of policy rules that you can create on the firewall are: Security, NAT, Quality of Service (QoS), Policy Based Forwarding (PBF), Decryption, Application Override, Captive Portal, Denial of Service (DoS), and Zone Protection policies. All these different policies work together to allow, deny, prioritize, forward, encrypt, decrypt, make exceptions, authenticate access, and reset connections as needed to help secure your network. The following topics describe how to work with policy:
Policy Types
Security Policy
Policy Objects
Security Profiles
Best Practice Internet Gateway Security Policy
Enumeration of Rules Within a Rulebase
Move or Clone a Policy Rule or Object to a Different Virtual System
Use Tags to Group and Visually Distinguish Objects
Use an External Dynamic List in Policy
Register IP Addresses and Tags Dynamically
Monitor Changes in the Virtual Environment
CLI Commands for Dynamic IP Addresses and Tags
Identify Users Connected through a Proxy Server
Policy Based Forwarding
DoS Protection Against Flooding of New Sessions
Policy Types
The Palo Alto Networks next-generation firewall supports a variety of policy types that work together to safely enable applications on your network.
Policy Type / Description
Security
    Determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. For more details, see Security Policy.
NAT
    Instruct the firewall which packets need translation and how to do the translation. The firewall supports both source address and/or port translation and destination address and/or port translation. For more details, see NAT.
QoS
    Identify traffic requiring QoS treatment (either preferential treatment or bandwidth limiting) using a defined parameter or multiple parameters and assign it a class. For more details, see Quality of Service.
Policy Based Forwarding
    Identify traffic that should use a different egress interface than the one that would normally be used based on the routing table. For details, see Policy Based Forwarding.
Decryption
    Identify encrypted traffic that you want to inspect for visibility, control, and granular security. For more details, see Decryption.
Application Override
    Identify sessions that you do not want processed by the App-ID engine, which is a Layer 7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4. For more details, see Manage Custom or Unknown Applications.
Captive Portal
    Identify traffic that requires the user to be known. The captive portal policy is only triggered if other User-ID mechanisms did not identify a user to associate with the source IP address. For more details, see Captive Portal.
DoS Protection
    Identify potential denial-of-service (DoS) attacks and take protective action in response to rule matches. For more details, see DoS Protection Profiles.
Security Policy
Security policy protects network assets from threats and disruptions and aids in optimally allocating network resources for enhancing productivity and efficiency in business processes. On the Palo Alto Networks firewall, individual security policy rules determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.
All traffic passing through the firewall is matched against a session and each session is matched against a security policy. When a session match occurs, the security policy is applied to bidirectional traffic (client to server and server to client) in that session. For traffic that doesn't match any defined rules, the default rules apply. The default rules, displayed at the bottom of the security rulebase, are predefined to allow all intrazone (within the zone) traffic and deny all interzone (between zones) traffic. Although these rules are part of the predefined configuration and are read-only by default, you can override them and change a limited number of settings, including the tags, action (allow or block), log settings, and security profiles.
Security policies are evaluated left to right and from top to bottom. A packet is matched against the first rule that meets the defined criteria; after a match is triggered the subsequent rules are not evaluated. Therefore, the more specific rules must precede more generic ones in order to enforce the best match criteria. Traffic that matches a rule generates a log entry at the end of the session in the traffic log, if logging is enabled for that rule. The logging options are configurable for each rule, and can for example be configured to log at the start of a session instead of, or in addition to, logging at the end of a session.
Components of a Security Policy Rule
Security Policy Actions
Create a Security Policy Rule
Components of a Security Policy Rule
The security policy rule construct permits a combination of the required and optional fields as detailed in the following tables:
Required Fields
Optional Fields
Required Fields
Required Field / Description
Name
    A label that supports up to 31 characters, used to identify the rule.
Rule Type
    Specifies whether the rule applies to traffic within a zone, between zones, or both:
    universal (default): Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, and all traffic from zone A to zone B and all traffic from zone B to zone A.
    intrazone: Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B.
    interzone: Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not traffic within zones A, B, or C.
Source Zone
    The zone from which the traffic originates.
Destination Zone
    The zone at which the traffic terminates. If you use NAT, make sure to always reference the post-NAT zone.
Application
    The application which you wish to control. The firewall uses App-ID, the traffic classification technology, to identify traffic on your network. App-ID provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed.
Action
    Specifies an Allow or Block action for the traffic based on the criteria you define in the rule. When you configure the firewall to block traffic, it either resets the connection or silently drops packets. To provide a better user experience, you can configure granular options to block traffic instead of silently dropping packets, which can cause some applications to break and appear unresponsive to the user. For more details, see Security Policy Actions.
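An added model (not PAN-OS code) of the evaluation rules described in this section: rules are tried top to bottom and the first match wins, each Rule Type accepts only the zone pairs listed above, and the predefined intrazone-allow and interzone-deny rules catch whatever is left. The rule names, zone letters, addresses and applications are constructed for the illustration; only zones, addresses and application are matched.

```python
"""First-match security policy evaluation with Rule Type semantics and the
two predefined default rules.  Added illustration, not PAN-OS code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    from_zones: set          # Source Zone(s); {"any"} matches every zone
    to_zones: set            # Destination Zone(s); ignored for intrazone rules
    action: str              # "allow" or "deny"
    rule_type: str = "universal"
    applications: set = field(default_factory=lambda: {"any"})
    sources: list = field(default_factory=list)        # CIDR strings, [] = any
    destinations: list = field(default_factory=list)   # CIDR strings, [] = any


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    application: str


def _zone_pair_allowed(rule: Rule, flow: Flow) -> bool:
    """Rule Type semantics from the Required Fields table."""
    src_ok = "any" in rule.from_zones or flow.from_zone in rule.from_zones
    intrazone = flow.from_zone == flow.to_zone
    if rule.rule_type == "intrazone":
        return src_ok and intrazone        # destination zone cannot be set
    dst_ok = "any" in rule.to_zones or flow.to_zone in rule.to_zones
    if rule.rule_type == "interzone":
        return src_ok and dst_ok and not intrazone
    return src_ok and dst_ok               # universal: both kinds of traffic


def _addr_ok(cidrs: list, addr: str) -> bool:
    return not cidrs or any(ip_address(addr) in ip_network(c) for c in cidrs)


def matches(rule: Rule, flow: Flow) -> bool:
    return (_zone_pair_allowed(rule, flow)
            and _addr_ok(rule.sources, flow.src)
            and _addr_ok(rule.destinations, flow.dst)
            and ("any" in rule.applications or flow.application in rule.applications))


# The two predefined rules at the bottom of every security rulebase.
DEFAULT_RULES = [
    Rule("intrazone-default", {"any"}, {"any"}, "allow", "intrazone"),
    Rule("interzone-default", {"any"}, {"any"}, "deny", "interzone"),
]


def evaluate(rulebase: list, flow: Flow) -> tuple:
    """Top-to-bottom, first match wins; later rules are never consulted."""
    for rule in rulebase + DEFAULT_RULES:
        if matches(rule, flow):
            return rule.name, rule.action
    raise AssertionError("the default rules cover every flow")


# Constructed rulebase built from the zone examples in the Rule Type row.
# The specific DNS rule sits first, as the text requires for specific rules.
RULEBASE = [
    Rule("dns-to-servers", {"A"}, {"B"}, "allow", "interzone",
         applications={"dns"}, destinations=["10.0.2.0/24"]),
    Rule("within-a-and-b", {"A", "B"}, set(), "allow", "intrazone"),
    Rule("c-to-a-b", {"A", "B", "C"}, {"A", "B"}, "allow", "interzone"),
]

if __name__ == "__main__":
    for f in [Flow("A", "B", "10.0.1.5", "10.0.2.53", "dns"),
              Flow("A", "B", "10.0.1.5", "10.0.9.1", "dns"),
              Flow("C", "C", "10.0.3.1", "10.0.3.2", "ssh"),
              Flow("C", "D", "10.0.3.1", "10.0.4.1", "ssh")]:
        print(f, "->", evaluate(RULEBASE, f))
```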
Optional Fields
Optional Field / Description
Tag
    A keyword or phrase that allows you to filter security rules. This is handy when you have defined many rules and wish to then review those that are tagged with a keyword such as IT-sanctioned applications or High-risk applications.
Description
    A text field, up to 255 characters, used to describe the rule.
Source IP Address
    Define host IP or FQDN, subnet, named groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
Destination IP Address
    The location or destination for the traffic. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
User
    The user or group of users for whom the policy applies. You must have User-ID enabled on the zone. To enable User-ID, see User-ID Overview.
URL Category
    Using the URL Category as match criteria allows you to customize security profiles (Antivirus, Anti-Spyware, Vulnerability, File Blocking, Data Filtering, and DoS) on a per-URL-category basis. For example, you can prevent .exe file download/upload for URL categories that represent higher risk while allowing them for other categories. This functionality also allows you to attach schedules to specific URL categories (allow social-media websites during lunch & after hours), mark certain URL categories with QoS (financial, medical, and business), and select different log forwarding profiles on a per-URL-category basis.
    Although you can manually configure URL categories on your firewall, to take advantage of the dynamic URL categorization updates available on the Palo Alto Networks firewalls, you must purchase a URL filtering license.
    To block or allow traffic based on URL category, you must apply a URL Filtering profile to the security policy rules. Define the URL Category as Any and attach a URL Filtering profile to the security policy. See Define Basic Security Policy Rules for information on using the default profiles in your security policy and see Control Access to Web Content for more details.
Service
    Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application. For example, for applications with well-known port numbers such as DNS, the application-default option will match against DNS traffic only on TCP port 53. You can also add a custom application and define the ports that the application can use.
    For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the firewall still checks for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols.
Security Profiles
    Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are only evaluated for rules that have an allow action.
HIP Profile (for GlobalProtect)
    Allows you to identify clients with Host Information Profile (HIP) and then enforce access privileges.
Options
    Allow you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect.
Security Policy Actions
For traffic that matches the attributes defined in a security policy, you can apply the following actions:
Action / Description
Allow (default action)
    Allows the traffic.
Deny
    Blocks traffic and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications or check the application details in Applipedia.
Drop
    Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application.
    For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP Unreachable check box. When enabled, the firewall sends the ICMP code for "communication with the destination is administratively prohibited" (ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1).
Reset client
    Sends a TCP reset to the client-side device.
Reset server
    Sends a TCP reset to the server-side device.
Reset both
    Sends a TCP reset to both the client-side and server-side devices.
A reset is sent only after a session is formed. If the session is blocked before a 3-way handshake is completed, the firewall will not send the reset.
For a TCP session with a reset action, the firewall does not send an ICMP Unreachable response.
For a UDP session with a drop or reset action, if the ICMP Unreachable check box is selected, the firewall sends an ICMP message to the client.
Create a Security Policy Rule
Step 1  (Optional) Delete the default security policy rule.
    By default, the firewall includes a security rule named rule1 that allows all traffic from the Trust zone to the Untrust zone. You can either delete the rule or modify the rule to reflect your zone naming conventions.
Step 2  Add a rule.
    2. Enter a descriptive Name for the rule in the General tab.
    3. Select a Rule Type.
Step 3  Define the matching criteria for the source fields in the packet.
    1. In the Source tab, select a Source Zone.
    2. Specify a Source IP Address or leave the value set to any.
    3. Specify a Source User or leave the value set to any.
Step 4  Define the matching criteria for the destination fields in the packet.
    4. In the Destination tab, set the Destination Zone.
    5. Specify a Destination IP Address or leave the value set to any.
    As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
Step 5  Specify the application the rule will allow or block.
    As a best practice, always use application-based security policy rules instead of port-based rules and always set the Service to application-default unless you are using a more restrictive list of ports than the standard ports for an application.
    1. In the Applications tab, Add the Application to safely enable. You can select multiple applications, or use application groups or application filters.
    2. In the Service/URL Category tab, keep the Service set to application-default to ensure that any applications the rule allows are only allowed on their standard ports.
Step 6  (Optional) Specify a URL category as match criteria for the rule.
Step 7  Define what action you want the firewall to take for traffic that matches the rule.
    In the Actions tab, select an Action. See Security Policy Actions for a description of each action.
Step 8  Configure the log settings.
Step 9  Attach security profiles to enable the firewall to scan all allowed traffic for threats.
    See Create Best Practice Security Profiles to learn how to create security profiles that protect your network from both known and unknown threats.
    In the Actions tab, select Profiles from the Profile Type drop-down and then select the individual security profiles to attach to the rule. Alternatively, select Group from the Profile Type drop-down and select a security Group Profile to attach.
Step 10  Save the policy rule to the running configuration on the firewall.
    Click Commit.
Step 11  To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.
    To verify the policy rule that matches a flow, use the following CLI command:
    test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> protocol <protocol_number>
    The output displays the best rule that matches the source and destination IP address specified in the CLI command.
    For example, to verify the policy rule that will be applied for a server in the data center with the IP address 208.90.56.11 when it accesses the Microsoft update server:
    test security-policy-match source 208.80.56.11 destination 176.9.45.70 destination-port 80 protocol 6
    "Updates-DC to Internet" {
    from data_center_applications;
    source any;
    source-region any;
    to untrust;
    destination any;
    destination-region any;
    user any;
    category any;
    application/service[dns/tcp/any/53 dns/udp/any/53 dns/udp/any/5353 ms-update/tcp/any/80 ms-update/tcp/any/443];
    action allow;
    terminal yes;
Policy Objects
A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs, applications, or users. With policy objects that are a collective unit, you can reference the object in security policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you group objects that require similar permissions in policy. For example, if your organization uses a set of server IP addresses for authenticating users, you can group the set of server IP addresses as an address group policy object and reference the address group in the security policy. By grouping objects, you can significantly reduce the administrative overhead in creating policies.
You can create the following policy objects on the firewall:
Policy Object / Description
Address/Address Group, Region
    Allow you to group specific source or destination addresses that require the same policy enforcement. The address object can include an IPv4 or IPv6 address (single IP, range, subnet) or the FQDN. Alternatively, a region can be defined by the latitude and longitude coordinates or you can select a country and define an IP address or IP range. You can then group a collection of address objects to create an address group object.
    You can also use dynamic address groups to dynamically update IP addresses in environments where host IP addresses change frequently.
User/User Group
    Allow you to create a list of users from the local database or an external database and group them.
Application Group and Application Filter
    An Application Filter allows you to filter applications dynamically. It allows you to filter, and save a group of applications using the attributes defined in the application database on the firewall. For example, you can Create an Application Filter by one or more attributes: category, subcategory, technology, risk, characteristics. With an application filter, when a content update occurs, any new applications that match your filter criteria are automatically added to your saved application filter.
    An Application Group allows you to create a static group of specific applications that you want to group together for a group of users or for a particular service, or to achieve a particular policy goal. See Create an Application Group.
Service/Service Groups
    Allows you to specify the source and destination ports and protocol that a service can use. The firewall includes two predefined services, service-http and service-https, that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can, however, create any custom service on any TCP/UDP port of your choice to restrict application usage to specific ports on your network (in other words, you can define the default port for the application).
    To view the standard ports used by an application, in Objects > Applications search for the application and click the link. A succinct description displays.
Security Profiles
While security policy rules enable you to allow or block traffic on your network, security profiles help you define an allow-but-scan rule, which scans allowed applications for threats, such as viruses, malware, spyware, and DDoS attacks. When traffic matches the allow rule defined in the security policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering.
Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy.
The firewall provides default security profiles that you can use out of the box to begin protecting your network from threats. See Set Up a Basic Security Policy for information on using the default profiles in your security policy. As you get a better understanding about the security needs on your network, you can create custom profiles. See Scan Traffic for Threats for more information.
For recommendations on the best practice settings for security profiles, see Create Best Practice Security Profiles.
You can add security profiles that are commonly applied together to a Security Profile Group; this set of profiles can be treated as a unit and added to security policies in one step (or included in security policies by default, if you choose to set up a default security profile group).
The following topics provide more detailed information about each type of security profile and how to set up a security profile group:
Antivirus Profiles
Anti-Spyware Profiles
Vulnerability Protection Profiles
URL Filtering Profiles
Data Filtering Profiles
File Blocking Profiles
WildFire Analysis Profiles
DoS Protection Profiles
Zone Protection Profiles
Security Profile Group
Antivirus Profiles
Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses, including support for scanning inside compressed files and data encoding schemes. If you have enabled Decryption on the firewall, the profile also enables scanning of decrypted content.
The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols. You can configure the action for a decoder or Antivirus signature and specify how the firewall responds to a threat event:
Default: For each threat signature and Antivirus signature that is defined by Palo Alto Networks, a default action is specified internally. Typically, the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Antivirus signature.
Allow: Permits the application traffic.
Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop: Drops the application traffic.
Reset Client: For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server: For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both: For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
The Palo Alto Networks WildFire system also provides signatures for persistent threats that are more evasive and have not yet been discovered by other antivirus solutions. As threats are discovered by WildFire, signatures are quickly created and then integrated into the standard Antivirus signatures that can be downloaded by Threat Prevention subscribers on a daily basis (sub-hourly for WildFire subscribers).
Anti-Spyware Profiles
Anti-Spyware profiles block spyware on compromised hosts from trying to phone home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply various levels of protection between zones. For example, you may want to have custom Anti-Spyware profiles that minimize inspection between trusted zones, while maximizing inspection on traffic received from an untrusted zone, such as Internet-facing zones.
You can define your own custom Anti-Spyware profiles, or choose one of the following predefined profiles when applying Anti-Spyware to a Security policy rule:
Default: Uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
Strict: Overrides the default action of critical, high, and medium severity threats to the block action, regardless of the action defined in the signature file. This profile still uses the default action for medium and informational severity signatures.
When the firewall detects a threat event, you can configure the following actions in an Anti-Spyware profile:
Default: For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a default action is specified internally. Typically the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Antivirus signature.
Allow: Permits the application traffic.
Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop: Drops the application traffic.
Reset Client: For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server: For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both: For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
Block IP: This action blocks traffic from either a source or a source-destination pair. It is configurable for a specified period of time.
In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature helps to identify infected hosts on the protected network using DNS traffic. Infected hosts can then be easily identified in the traffic and threat logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
Anti-Spyware and Vulnerability Protection profiles are configured similarly.
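As an added example (not code from the guide or from PAN-OS), the following Python models the DNS sinkholing flow just described: a forged answer for a listed domain, then a scan of traffic records for hosts that went on to contact the sinkhole address. The sinkhole IP, the malicious domains and the log lines are all constructed for the example, and the log format is a simplified one, not the PAN-OS traffic log format.

```python
import re
from collections import defaultdict

# Constructed for this example (not values from the guide): the sinkhole
# address you would set in the Anti-Spyware profile, and a few domains
# standing in for the firewall's known-malicious-domain signatures.
SINKHOLE_IP = "192.0.2.100"
MALICIOUS_DOMAINS = {"c2.bad.example", "beacon.example.net"}


def is_malicious(name):
    """True if the queried name is a listed domain or one of its subdomains."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in MALICIOUS_DOMAINS)


def resolve(name, real_answer):
    """Model the firewall sitting in the DNS path.

    For a known-malicious domain the firewall forges the response so the
    name resolves to the sinkhole IP instead of the attacker's server; any
    other name gets the genuine answer. Returns (answer, forged).
    """
    if is_malicious(name):
        return SINKHOLE_IP, True
    return real_answer, False


# Constructed traffic records in a simple "time src dst dport action" form.
# The DNS queries themselves arrive from the internal resolver (10.0.0.53),
# so DNS records alone would not show which workstation asked for the bad
# name; the follow-on connection to the sinkhole address does.
TRAFFIC_LOG = """\
2016-05-19T10:00:01 10.0.0.53 198.51.100.9 53 allow
2016-05-19T10:00:02 10.0.1.25 192.0.2.100 443 allow
2016-05-19T10:00:05 10.0.1.40 203.0.113.7 443 allow
2016-05-19T10:00:09 10.0.1.25 192.0.2.100 80 allow
2016-05-19T10:01:13 10.0.2.77 192.0.2.100 8080 allow
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")


def find_sinkhole_clients(log_text, sinkhole_ip=SINKHOLE_IP):
    """Return {source_ip: [timestamps]} for every host that tried to reach
    the sinkhole address; these are the likely-infected hosts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed record
        ts, src, dst, _dport, _action = m.groups()
        if dst == sinkhole_ip:
            hits[src].append(ts)
    return dict(hits)


if __name__ == "__main__":
    print(resolve("www.c2.bad.example", "203.0.113.5"))
    for host, times in find_sinkhole_clients(TRAFFIC_LOG).items():
        print(f"{host}: {len(times)} sinkhole connection(s), first at {times[0]}")
```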
Vulnerability Protection Profiles
Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network, Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium severity threats. You can also create exceptions, which allow you to change the response to a specific signature.
To configure how the firewall responds to a threat, see Anti-Spyware Profiles for a list of supported actions.
URL Filtering Profiles
URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites. You can use the default profile in a security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL profile that will have all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed, which provides more granular control over URL categories.
Data Filtering Profiles
Data filtering profiles prevent sensitive information such as credit card or social security numbers from leaving a protected network. The data filtering profile also allows you to filter on keywords, such as a sensitive project name or the word confidential. It is important to focus your profile on the desired file types to reduce false positives. For example, you may only want to search Word documents or Excel spreadsheets. You may also only want to scan web-browsing traffic, or FTP.
You can use default profiles, or create custom data patterns. There are two default profiles:
CC# (Credit Card): Identifies credit card numbers using a hash algorithm. The content must match the hash algorithm in order for data to be detected as a credit card number. This method will reduce false positives.
SSN# (Social Security Number): Uses an algorithm to detect nine-digit numbers, regardless of format. There are two fields: SSN# and SSN# (no dash).
Weight and Threshold Values
It is important to understand how the weight of an object (SSN, CC#, pattern) is calculated in order to set the appropriate threshold for a condition you are trying to filter. Each occurrence multiplied by the weight value will be added together in order to reach an action threshold (alert or block).
Example: Filter for Social Security Numbers Only
For simplicity, if you only want to filter files with Social Security Numbers (SSN) and you define a weight of 3 for SSN#, you would use the following formula: each instance of an SSN x weight = threshold increment. In this case, if a Word document has 10 social security numbers you multiply that by the weight of 3, so 10 x 3 = 30. In order to take action for a file that contains 10 social security numbers you would set the threshold to 30. You may want to set an alert at 30 and then block at 60. You may also want to set a weight in the field SSN# (no dash) for Social Security Numbers that do not contain dashes. If multiple settings are used, they will accumulate to reach a given threshold.
Example: Filter for Social Security Numbers and a Custom Pattern
In this example, we will filter on files that contain Social Security Numbers and the custom pattern confidential. In other words, if a file has Social Security Numbers in addition to the word confidential and the combined instances of those items hit the threshold, the file will trigger an alert or block, depending on the action setting.
SSN# weight = 3
Custom Pattern confidential weight = 20
The custom pattern is case-sensitive.
If the file contains 20 Social Security Numbers and a weight of 3 is configured, that is 20 x 3 = 60. If the file also contains one instance of the term confidential and a weight of 20 is configured, that is 1 x 20 = 20, for a total of 80. If your threshold for block is set to 80, this scenario would block the file. The alert or block action will be triggered as soon as the threshold is hit.
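As an added example (not the firewall's own code), the following Python reproduces the weight and threshold arithmetic from both examples above: it counts matches for each configured object in a document, multiplies by the object's weight, sums the results, and returns alert, block, or no action. The two SSN regexes are assumed stand-ins for the SSN# and SSN# (no dash) detectors (the guide does not describe their real algorithm), and the sample documents are constructed.

```python
import re

# Constructed stand-ins for the firewall's SSN# and SSN# (no dash) detectors;
# the guide only says they find nine-digit numbers regardless of format.
SSN_DASHED = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
SSN_NODASH = re.compile(r"(?<!\d)\d{9}(?!\d)")

# Objects and weights from the guide's second example: SSN# weight 3 (applied
# to both SSN fields) and the custom pattern "confidential" at weight 20.
PATTERNS = {
    "SSN#": SSN_DASHED,
    "SSN# (no dash)": SSN_NODASH,
    "confidential": "confidential",   # literal custom pattern, case-sensitive
}
WEIGHTS = {"SSN#": 3, "SSN# (no dash)": 3, "confidential": 20}


def count_occurrences(text, patterns):
    """Count matches per object. Compiled regexes are searched; plain strings
    are counted literally and case-sensitively, as the guide notes for
    custom patterns."""
    counts = {}
    for name, pat in patterns.items():
        if isinstance(pat, str):
            counts[name] = text.count(pat)
        else:
            counts[name] = len(pat.findall(text))
    return counts


def score(counts, weights):
    """Sum (occurrences x weight) over every configured object, so hits on
    different objects accumulate toward the same threshold."""
    return sum(counts.get(name, 0) * weight for name, weight in weights.items())


def decide(total, alert_threshold=None, block_threshold=None):
    """Return "block", "alert" or None. Block wins once its threshold is met,
    so alert=30/block=60 yields alert for totals 30..59 and block from 60."""
    if block_threshold is not None and total >= block_threshold:
        return "block"
    if alert_threshold is not None and total >= alert_threshold:
        return "alert"
    return None


def evaluate(text, patterns, weights, alert_threshold=None, block_threshold=None):
    """Run the whole pipeline and return (counts, total, action)."""
    counts = count_occurrences(text, patterns)
    total = score(counts, weights)
    return counts, total, decide(total, alert_threshold, block_threshold)


def make_document(n_dashed, n_nodash=0, confidential=False):
    """Build a constructed document holding the requested number of SSNs."""
    lines = [f"Employee {i}: SSN {100 + i:03d}-45-{6000 + i:04d}" for i in range(n_dashed)]
    lines += [f"Employee {i}: SSN {100 + i:03d}45{6000 + i:04d}" for i in range(n_nodash)]
    if confidential:
        lines.append("This document is confidential.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # First example: 10 SSNs x 3 = 30 -> alert at 30, block only at 60.
    print(evaluate(make_document(10), PATTERNS, WEIGHTS, alert_threshold=30, block_threshold=60))
    # Second example: 20 SSNs x 3 + 1 "confidential" x 20 = 80 -> block at 80.
    print(evaluate(make_document(20, confidential=True), PATTERNS, WEIGHTS, block_threshold=80))
```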
File Blocking Profiles
The firewall uses file blocking profiles to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload and/or download and you can specify which applications will be subject to the file blocking profile. You can also configure custom block pages that will appear when a user attempts to download the specified file type. This allows the user to take a moment to consider whether or not they want to download a file.
Configure a file blocking profile with the following actions:
Alert: When the specified file type is detected, a log is generated in the data filtering log.
Block: When the specified file type is detected, the file is blocked and a customizable block page is presented to the user. A log is also generated in the data filtering log.
Continue: When the specified file type is detected, a customizable response page is presented to the user. The user can click through the page to download the file. A log is also generated in the data filtering log. Because this type of forwarding action requires user interaction, it is only applicable for web traffic.
WildFire Analysis Profiles
Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for WildFire analysis. Specify files to be forwarded for analysis based on application, file type, and transmission direction (upload or download). Files or email links matched to the profile rule are forwarded to either the WildFire public cloud or the WildFire private cloud (hosted with a WF-500 appliance), depending on the analysis location defined for the rule.
You can also use the WildFire analysis profiles to set up a WildFire hybrid cloud deployment. If you are using a WildFire appliance to analyze sensitive files locally (such as PDFs), you can specify for less sensitive file types (such as PE files) or file types that are not supported for WildFire appliance analysis (such as APKs) to be analyzed by the WildFire public cloud. Using both the WildFire appliance and the WildFire cloud for analysis allows you to benefit from a prompt verdict for files that have already been processed by the cloud, and for files that are not supported for appliance analysis, and frees up the appliance capacity to process sensitive content.
DoS Protection Profiles
DoS protection profiles provide detailed control for Denial of Service (DoS) protection policies. DoS policies allow you to control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. There are two DoS protection mechanisms that the Palo Alto Networks firewalls support.
Flood Protection: Detects and prevents attacks where the network is flooded with packets, resulting in too many half-open sessions and/or services being unable to respond to each request. In this case the source address of the attack is usually spoofed. See DoS Protection Against Flooding of New Sessions.
Resource Protection: Detects and prevents session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully established sessions as possible to consume all of a system's resources.
You can enable both types of protection mechanisms in a single DoS protection profile.
The DoS profile is used to specify the type of action to take and details on matching criteria for the DoS policy. The DoS profile defines settings for SYN, UDP, and ICMP floods, can enable resource protection, and defines the maximum number of concurrent connections. After you configure the DoS protection profile, you then attach it to a DoS policy.
When configuring DoS protection, it is important to analyze your environment in order to set the correct thresholds, and due to some of the complexities of defining DoS protection policies, this guide will not go into detailed examples. For more information, refer to the Threat Prevention Tech Note.
Zone Protection Profiles
Zone protection profiles provide additional protection between specific network zones in order to protect the zones against attack. The profile must be applied to the entire zone, so it is important to carefully test the profiles in order to prevent issues that may arise with the normal traffic traversing the zones. When defining packets per second (pps) threshold limits for zone protection profiles, the threshold is based on the packets per second that do not match a previously established session. For more information, refer to the Threat Prevention Tech Note.
Security Profile Group
A security profile group is a set of security profiles that can be treated as a unit and then easily added to security policies. Profiles that are often assigned together can be added to profile groups to simplify the creation of security policies. You can also set up a default security profile group; new security policies will use the settings defined in the default profile group to check and control traffic that matches the security policy. Name a security profile group default to allow the profiles in that group to be added to new security policies by default. This allows you to consistently include your organization's preferred profile settings in new policies automatically, without having to manually add security profiles each time you create new rules.
For recommendations on the best practice settings for security profiles, see Create Best Practice Security Profiles.
The following sections show how to create a security profile group and how to enable a profile group to be used by default in new security policies:
Create a Security Profile Group
Set Up or Override a Default Security Profile Group
Create a Security Profile Group
Use the following steps to create a security profile group and add it to a security policy.
Step 1: Create a security profile group.
If you name the group default, the firewall will automatically attach it to any new rules you create. This is a time-saver if you have a preferred set of security profiles that you want to make sure get attached to every new rule.
2. Give the profile group a descriptive Name, for example, Threats.
3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
4. Add existing profiles to the group.
5. Click OK to save the profile group.
Step 2: Add a security profile group to a security policy.
2. Select the Actions tab.
5. Click OK to save the policy and Commit your changes.
Step 3: Save your changes.
Click Commit.
Set Up or Override a Default Security Profile Group
Use the following options to set up a default security profile group to be used in new security policies, or to override an existing default group. When an administrator creates a new security policy, the default profile group will be automatically selected as the policy's profile settings, and traffic matching the policy will be checked according to the settings defined in the profile group (the administrator can choose to manually select different profile settings if desired).
If no default security profile exists, the profile settings for a new security policy are set to None by default.
Create a security profile group.
2. Give the profile group a descriptive Name, for example, Threats.
3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
4. Add existing profiles to the group. For details on creating profiles, see Security Profiles.
5. Click OK to save the profile group.
6. Add the security profile group to a security policy.
7. Add or modify a security policy rule and select the Actions tab.
Set up a default security profile group.
2. Name the security profile group default:
3. Click OK and Commit.
4. Confirm that the default security profile group is included in new security policies by default:
a. Select Policies > Security and Add a new security policy.
b. Select the Actions tab and view the Profile Setting fields: by default, the new security policy correctly shows the Profile Type set to Group and the default Group Profile is selected.
Override a default security profile group.
If you have an existing default security profile group, and you do not want that set of profiles to be attached to a new security policy, you can continue to modify the Profile Setting fields according to your preference. Begin by selecting a different Profile Type for your policy (Policies > Security > Security Policy Rule > Actions).
Best Practice Internet Gateway Security Policy
One of the cheapest and easiest ways for an attacker to gain access to your network is through users accessing the Internet. By successfully exploiting an endpoint, an attacker can take hold in your network and begin to move laterally towards the end goal, whether that is to steal your source code, exfiltrate your customer data, or take down your infrastructure. To protect your network from cyberattack and improve your overall security posture, implement a best practice Internet gateway security policy. A best practice policy allows you to safely enable applications, users, and content by classifying all traffic, across all ports, all the time.
The following topics describe the overall process for deploying a best practice Internet gateway security policy and provide detailed instructions for creating it.
What Is a Best Practice Internet Gateway Security Policy?
Why Do I Need a Best Practice Internet Gateway Security Policy?
How Do I Deploy a Best Practice Internet Gateway Security Policy?
Identify Whitelist Applications
Create User Groups for Access to Whitelist Applications
Decrypt Traffic for Full Visibility and Threat Inspection
Create Best Practice Security Profiles
Define the Initial Internet Gateway Security Policy
Monitor and Fine Tune the Policy Rulebase
Remove the Temporary Rules
Maintain the Rulebase
What Is a Best Practice Internet Gateway Security Policy?
A best practice Internet gateway security policy has two main security goals:
Minimize the chance of a successful intrusion: Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats.
Identify the presence of an attacker: A best practice Internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.
To achieve these goals, the best practice Internet gateway security policy uses application-based rules to allow access to whitelisted applications by user, while scanning all traffic to detect and block all known threats, and send unknown files to WildFire to identify new threats and generate signatures to block them:
The best practice policy is based on the following methodologies. The best practice methodologies ensure detection and prevention at multiple stages of the attack lifecycle.
Best Practice Methodology / Why is this important?
Inspect All Traffic for Visibility
Because you cannot protect against threats you cannot see, you must make sure you have full visibility into all traffic across all users and applications all the time. To accomplish this:
Deploy GlobalProtect to extend the next-generation security platform to users and devices no matter where they are located.
Enable SSL decryption so the firewall can inspect encrypted traffic (SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network today).
Enable User-ID to map application traffic and associated threats to users/devices.
The firewall can then inspect all traffic, inclusive of applications, threats, and content, and tie it to the user, regardless of location or device type, port, encryption, or evasive techniques employed, using the native App-ID, Content-ID, and User-ID technologies. Complete visibility into the applications, the content, and the users on your network is the first step toward informed policy control.
Reduce the Attack Surface
After you have context into the traffic on your network (applications, their associated content, and the users who are accessing them), create application-based Security policy rules to allow those applications that are critical to your business and additional rules to block all high-risk applications that have no legitimate use case. To further reduce your attack surface, attach File Blocking and URL Filtering profiles to all rules that allow application traffic to prevent users from visiting threat-prone websites and prevent them from uploading or downloading dangerous file types (either knowingly or unknowingly).
Prevent Known Threats
Enable the firewall to scan all allowed traffic for known threats by attaching security profiles to all allow rules to detect and block network and application-layer vulnerability exploits, buffer overflows, DoS attacks, and port scans, and known malware variants (including those hidden within compressed files or compressed HTTP/HTTPS traffic). To enable inspection of encrypted traffic, enable SSL decryption.
Detect Unknown Threats
Forward all unknown files to WildFire for analysis. WildFire identifies unknown or targeted malware (also called advanced persistent threats or APTs) hidden within files by directly observing and executing unknown files in a virtualized sandbox environment in the cloud or on the WF-500 appliance. WildFire monitors more than 250 malicious behaviors and, if malware is found, it automatically develops a signature and delivers it to you in as little as 5 minutes (and now that unknown threat is a known threat).
Why Do I Need a Best Practice Internet Gateway Security Policy?
Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy allows you to safely enable applications by classifying all traffic, across all ports, all the time, including encrypted traffic. By determining the business use case for each application, you can create security policy rules to allow and protect access to relevant applications. Simply put, a best practice security policy is a policy that leverages the next-generation technologies App-ID, Content-ID, and User-ID on the Palo Alto Networks enterprise security platform to:
Identify applications regardless of port, protocol, evasive tactic or encryption
Identify and control users regardless of IP address, location, or device
Protect against known and unknown application-borne threats
Provide fine-grained visibility and policy control over application access and functionality
A best practice security policy uses a layered approach to ensure that you not only safely enable sanctioned applications, but also block applications with no legitimate use case. To mitigate the risk of breaking applications when moving from port-based enforcement to application-based enforcement, the best practice rulebase provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network. These temporary best practice rules ensure that applications your users are counting on don't break, while allowing you to monitor application usage and craft appropriate rules. You may find that some of the applications that were being allowed through existing port-based policy rules are not necessarily applications that you want to continue to allow, or that you want to limit to a more granular set of users.
Unlike a port-based policy, a best practice security policy is easy to administer and maintain because each rule meets a specific goal of allowing an application or group of applications to a specific user group based on your business needs. Therefore, you can easily understand what traffic the rule enforces by looking at the match criteria. Additionally, a best practice security policy rulebase leverages tags and objects to make the rulebase more scannable and easier to keep synchronized with your changing environment.
How Do I Deploy a Best Practice Internet Gateway Security Policy?
Moving from a port-based security policy to an application-based security policy may seem like a daunting task. However, the security risks of sticking with a port-based policy far outweigh the effort required to implement an application-based policy. And, while legacy port-based security policies may have hundreds, if not thousands, of rules (many of which nobody in the organization knows the purpose of), a best practice policy has a streamlined set of rules that align with your business goals, simplifying administration and reducing the chance of error. Because the rules in an application-based policy align with your business goals and acceptable use policies, you can quickly scan the policy to understand the reason for each and every rule.
As with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases to make the transition as smooth as possible, with minimal impact to your end users. Generally, the workflow for implementing a best practice Internet gateway security policy is:
Assess your business and identify what you need to protect: The first step in deploying a security architecture is to assess your business and identify what your most valuable assets are as well as what the biggest threats to those assets are. For example, if you are a technology company, your intellectual property is your most valuable asset. In this case, one of your biggest threats would be source code theft.
Segment Your Network Using Interfaces and Zones: Traffic cannot flow between zones unless there is a security policy rule to allow it. One of the easiest defenses against lateral movement of an attacker that has made its way into your network is to define granular zones and only allow access to the specific user groups who need to access an application or resource in each zone. By segmenting your network into granular zones, you can prevent an attacker from establishing a communication channel within your network (either via malware or by exploiting legitimate applications), thereby reducing the likelihood of a successful attack on your network.
Identify Whitelist Applications: Before you can create an Internet gateway best practice security policy, you must have an inventory of the applications you want to allow on your network, and distinguish between those applications you administer and officially sanction and those that you simply want users to be able to use safely. After you identify the applications (including general types of applications) you want to allow, you can map them to specific best practice rules.
Create User Groups for Access to Whitelist Applications: After you identify the applications you plan to allow, you must identify the user groups that require access to each one. Because compromising an end user's system is one of the cheapest and easiest ways for an attacker to gain access to your network, you can greatly reduce your attack surface by only allowing access to applications to the user groups that have a legitimate business need.
Decrypt Traffic for Full Visibility and Threat Inspection: You can't inspect traffic for threats if you can't see it. And today SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network. This is precisely why encrypted traffic is a common way for attackers to deliver threats. For example, an attacker may use a web application such as Gmail, which uses SSL encryption, to email an exploit or malware to employees accessing that application on the corporate network. Or, an attacker may compromise a website that uses SSL encryption to silently download an exploit or malware to site visitors. If you are not decrypting traffic for visibility and threat inspection, you are leaving a very large surface open for attack.
Create Best Practice Security Profiles: Command-and-control traffic, CVEs, drive-by downloads of malicious content, and APTs are all delivered via legitimate applications. To protect against known and unknown threats, you must attach stringent security profiles to all Security policy allow rules.
Define the Initial Internet Gateway Security Policy: Using the application and user group inventory you conducted, you can define an initial policy that allows access to all of the applications you want to whitelist by user or user group. The initial policy rulebase you create must also include temporary rules
to prevent other applications you might not have known about from breaking and to identify policy gaps and security holes in your existing design.
Monitor and Fine Tune the Policy Rulebase: After the temporary rules are in place, you can begin monitoring traffic that matches them so that you can fine-tune your policy. Because the temporary rules are designed to uncover unexpected traffic on the network, such as traffic running on non-default ports or traffic from unknown users, you must assess the traffic matching these rules and adjust your application allow rules accordingly.
Remove the Temporary Rules: After a monitoring period of several months, you should see less and less traffic hitting the temporary rules. When you reach the point where traffic no longer hits the temporary rules, you can remove them to complete your best practice Internet Gateway Security policy.
Maintain the Rulebase: Due to the dynamic nature of applications, you must continually monitor your application whitelist and adapt your rules to accommodate new applications that you decide to sanction, as well as to determine how new or modified App-IDs impact your policy. Because the rules in a best practice rulebase align with your business goals and leverage policy objects for simplified administration, adding support for a new sanctioned application or a new or modified App-ID oftentimes is as simple as adding or removing an application from an application group or modifying an application filter.
Identify Whitelist Applications
The application whitelist includes not only the applications you provision and administer for business and infrastructure purposes, but also other applications that your users may need to use in order to get their jobs done, and applications you may choose to allow for personal use. Before you can begin creating your best practice Internet Gateway Security policy, you must create an inventory of the applications you want to whitelist.
Map Applications to Business Goals for a Simplified Rulebase
Use Temporary Rules to Tune the Whitelist
Application Whitelist Example
Map Applications to Business Goals for a Simplified Rulebase
As you inventory the applications on your network, consider your business goals and acceptable use policies and identify the applications that correspond to each. This will allow you to create a goal-driven rulebase. For example, one goal might be to allow all users on your network to access data center applications. Another goal might be to allow the sales and support groups access to your customer database. You can then create a whitelist rule that corresponds to each goal you identify and group all of the applications that align with the goal into a single rule. This approach allows you to create a rulebase with a smaller number of individual rules, each with a clear purpose.
In addition, because the individual rules you create align with your business goals, you can use application objects to group the whitelist to further simplify administration of the best practice rulebase:
Create application groups for sanctioned applications: Because you will know exactly what applications you require and sanction for official use, create application groups that explicitly include only those applications. Using application groups also simplifies the administration of your policy because it allows you to add and remove sanctioned applications without requiring you to modify individual policy rules. Generally, if the applications that map to the same goal have the same requirements for enabling access
(forexample,theyallhaveadestinationaddressthatpointstoyourdatacenteraddressgroup,theyall
allowaccesstoanyknownuser,andyouwanttoenablethemontheirdefaultportsonly)youwouldadd
themtothesameapplicationgroup.
CreateapplicationfilterstoallowgeneraltypesofapplicationsBesidestheapplicationsyouofficially
sanctioned,youwillalsoneedtodecidewhatadditionalapplicationsyouwillwanttoallowyourusersto
access.Applicationfiltersallowyoutosafelyenablecertaincategoriesofapplicationsusingapplication
filters(basedoncategory,subcategory,technology,riskfactor,orcharacteristic).Separatethedifferent
typesofapplicationsbasedonbusinessandpersonaluse.Createseparatefiltersforeachtypeof
applicationtomakeiteasiertounderstandeachpolicyruleataglance.
Use Temporary Rules to Tune the Whitelist

Although the end goal of a best practice application-based policy is to use positive enforcement to safely enable your whitelist applications, the initial rulebase requires some additional rules designed to give you full visibility into all applications in use on your network so that you can properly tune it. The initial rulebase you create has the following types of rules:

- Whitelist rules for the applications you officially sanction and deploy.
- Whitelist rules for safely enabling access to general types of applications you want to allow per your acceptable use policy.
- Blacklist rules that block applications that have no legitimate use case. You need these rules so that the temporary rules that catch applications not yet accounted for in your policy do not let anything bad onto your network.
- Temporary allow rules that give you visibility into all of the applications running on your network so that you can tune the rulebase.

The temporary rules are a very important part of the initial best practice rulebase. Not only will they give you visibility into applications you weren't aware were running on your network (and prevent legitimate applications you didn't know about from breaking), but they will also help you identify things such as unknown users and applications running on non-standard ports. Because attackers commonly run standard applications on non-standard ports as an evasion technique, allowing applications on any port opens the door for malicious content. Therefore, you must identify any legitimate applications running on non-standard ports (for example, internally developed applications) so that you can either move them to their standard ports or create custom applications that enable them on the ports they actually use.
Application Whitelist Example

Keep in mind that you do not need to capture every application that might be in use on your network in your initial inventory. Instead, focus here on the applications (and general types of applications) that you want to allow. The temporary rules in the best practice rulebase will catch any additional applications that may be in use on your network, so that you are not inundated with complaints about broken applications during your transition to application-based policy. The following is an example application whitelist for an enterprise gateway deployment.
Application Type: Sanctioned Applications
Best Practice for Securing:
These are the applications that your IT department administers specifically for business use within your organization or to provide infrastructure for your network and applications. For example, in an Internet gateway deployment these applications fall into the following categories:
- Infrastructure Applications: the applications that you must allow to enable networking and security, such as ping, NTP, SMTP, and DNS.
- IT-Sanctioned Applications: the applications that you provision and administer for your users. These fall into two categories:
  - IT-Sanctioned On-Premise Applications: the applications you install and host in your data center for business use. With IT-sanctioned on-premise applications, the application infrastructure and the data reside on enterprise-owned equipment. Examples include Microsoft Exchange and ActiveSync, as well as authentication services such as Kerberos and LDAP.
  - IT-Sanctioned SaaS Applications: applications where the software and infrastructure are owned and managed by the application service provider, but where you retain full control of the data, including who can create, access, share, and transfer it (for example, Salesforce, Box, and GitHub).
- Administrative Applications: applications that only a specific group of administrative users should be able to access in order to administer applications and support users (for example, remote desktop applications).

Application Type: General Types of Applications
Best Practice for Securing:
Besides the applications you officially sanction and deploy, you will also want to allow your users to safely use other types of applications:
- General Business Applications: for example, allow access to software updates and to web services such as WebEx, Adobe online services, and Evernote.
- Personal Applications: for example, you may want to allow your users to browse the web or safely use web-based mail, instant messaging, or social networking applications.
The recommended approach here is to begin with wide application filters so you can gain an understanding of what applications are in use on your network. You can then decide how much risk you are willing to assume and begin to pare down the application whitelist. For example, suppose you find that Box, Dropbox, and Office 365 file sharing applications are all in use on your network. Each of these applications has an inherent risk associated with it, from data leakage to the transfer of malware-infected files. The best approach is to officially sanction a single file sharing application and then phase out the others by transitioning from an allow policy to an alert policy and finally, after giving users ample warning, to a block policy for all file sharing applications except the one you choose to sanction. In this case, you might also choose to allow a small group of users to continue using an additional file sharing application as needed to perform job functions with partners.

Application Type: Custom Applications Specific to Your Environment
Best Practice for Securing:
If you have proprietary applications on your network, or applications that you run on non-standard ports, it is a best practice to create custom applications for them. This way you can allow the application as a sanctioned application and lock it down to its default port. Otherwise you would have to either open up additional ports (for applications running on non-standard ports) or allow unknown traffic (for proprietary applications), neither of which is recommended in a best practice Security policy.
Create User Groups for Access to Whitelist Applications

Safely enabling applications means not only defining the list of applications you want to allow, but also enabling access only for those users who have a legitimate business need. For example, some applications, such as SaaS applications that provide access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not. Limiting user access to applications removes potential openings for an attacker to gain access to and control over systems in your network.

To enable user-based access to applications:

- Enable User-ID in the zones from which your users initiate traffic.
- For each application whitelist rule you define, identify the user groups that have a legitimate business need for the applications allowed by the rule. Keep in mind that because the best practice approach is to map the application whitelist rules to your business goals (which includes considering which users have a business need for a particular type of application), you will have a much smaller number of rules to manage than if you were trying to map individual port-based rules to users.
- If you don't have a suitable existing group on your AD server, you can alternatively create custom LDAP groups to match the list of users who need access to a particular application.
Decrypt Traffic for Full Visibility and Threat Inspection

The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, Military, and Shopping.

Use decryption exceptions only where required, and be precise to ensure that you limit each exception to a specific application or user based on need only:

- If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
- If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.
- To ensure that certificates presented during SSL decryption are valid, configure the firewall to perform CRL/OCSP checks.

Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption policy rules:
Best Practice Decryption Profile

Configure the SSL Decryption > SSL Forward Proxy settings to block exceptions during SSL negotiation and to block sessions that can't be decrypted.

For traffic that you are not decrypting, configure the No Decryption settings to block encrypted sessions to sites with expired certificates or untrusted issuers.
Create Best Practice Security Profiles

Most malware sneaks onto the network inside legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security policy rules that allow traffic, so that you can detect both known and unknown threats in your network traffic. The following are the recommended best practice settings for each of the security profiles that you should attach to every Security policy rule.

Consider adding the best practice security profiles to a default security profile group so that the group is automatically attached to any new Security policy rules you create.
Security Profile: File Blocking
Best Practice Settings:
Create a File Blocking profile that blocks files that are commonly included in malware attack campaigns or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files, as well as Windows Portable Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon, and .pif files. You can allow download/upload of executables and archive files (.zip and .rar), but force users to click continue before transferring a file to give them pause. Finally, alert on all other file types for visibility into what other file transfers are happening, so that you can determine whether you need to make policy changes.

Why do I need this profile?
There are many ways for attackers to deliver malicious files: as attachments or links in corporate email or in webmail, as links or IMs in social media, through Exploit Kits, through file sharing applications (such as FTP, Google Drive, or Dropbox), or on USB drives. Attaching a File Blocking profile reduces your attack surface by blocking the network-borne variants of these attacks (files copied from removable media never cross the firewall and need endpoint controls instead).

What if I can't block all of the recommended file types?
If you cannot block all PE files per the recommendation, make sure you send all unknown files to WildFire for analysis. Additionally, set the Action to continue to prevent drive-by downloads. A drive-by download occurs when an end user downloads content that installs malicious files, such as Java applets or executables, without knowing they are doing it. Drive-by downloads can occur when users visit websites, view email messages, or click into pop-up windows meant to deceive them. Educate your users that if they are prompted to continue a file transfer they did not knowingly initiate, they may be the target of a malicious download.

Security Profile: Antivirus
Best Practice Settings:
Attach an Antivirus profile to all allowed traffic to detect and prevent viruses and malware from being transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. The best practice Antivirus profile uses the default action when it detects traffic that matches either an Antivirus signature or a WildFire signature. The default action differs for each protocol and follows the most up-to-date recommendation from Palo Alto Networks for how to best prevent malware in each type of protocol from propagating.

By default, the firewall alerts on viruses found in SMTP traffic. However, if you don't have a dedicated Antivirus gateway solution in place for your SMTP traffic, define a stricter action for this protocol to protect against infected email content. Use the reset-both action to return a 541 response to the sending SMTP server, which prevents it from resending the blocked message.

Why do I need this profile?
By attaching Antivirus profiles to all Security rules you can block known malicious files (malware, ransomware, bots, and viruses) as they come into the network. Common ways for users to receive malicious files include malicious attachments in email, links to download malicious files, or silent compromise by Exploit Kits that exploit a vulnerability and then automatically deliver malicious payloads to the end user.
Security Profile: Vulnerability Protection
Best Practice Settings:
Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. The best practice profile is a clone of the predefined Strict profile, with packet capture settings enabled to help you track down the source of any potential attacks.

Why do I need this profile?
Without strict vulnerability protection, attackers can leverage client- and server-side vulnerabilities to compromise end users. For example, an attacker could leverage a vulnerability to install malicious code on client systems, or use an Exploit Kit (Angler, Nuclear, Fiesta, KaiXin) to automatically deliver malicious payloads to the end user. Vulnerability Protection profiles also prevent an attacker from using vulnerabilities on internal hosts to move laterally within your network.

Security Profile: Anti-Spyware
Best Practice Settings:
Attach an Anti-Spyware profile to all allowed traffic to detect command-and-control (C2) traffic initiated from spyware installed on a server or endpoint, and to prevent compromised systems from establishing an outbound connection from your network. The best practice Anti-Spyware profile resets the connection when the firewall detects a medium, high, or critical severity threat, and blocks or sinkholes any DNS queries for known malicious domains.

To create this profile, clone the predefined strict profile and make sure to enable DNS sinkhole and packet capture to help you track down the endpoint that attempted to resolve the malicious domain. Sinkholing matters when clients resolve through an internal DNS server: without it, the firewall sees only the internal resolver as the source of the malicious query, whereas with it, the infected host reveals itself when it connects to the sinkhole address. For the best possible protection, enable passive DNS monitoring, which allows the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.
Security Profile: URL Filtering
Best Practice Settings:
As a best practice, use PAN-DB URL filtering to prevent access to web content that is at high risk of being malicious. Attach a URL Filtering profile to all rules that allow access to web-based applications to protect against URLs that have been observed hosting malware or exploitive content.

The best practice URL Filtering profile sets all known dangerous URL categories to block. These include malware, phishing, dynamic DNS, unknown, proxy avoidance and anonymizers, questionable, and parked. Failure to block these dangerous categories puts you at risk of exploit infiltration, malware download, command-and-control activity, and data exfiltration.

In addition to blocking known bad categories, you should also alert on all other categories so that you have visibility into the sites your users are visiting. If you need to phase in a block policy, set categories to continue and create a custom response page to educate users on your acceptable use policies and alert them to the fact that they are visiting a site that may pose a threat. This paves the way for you to block the categories outright after a monitoring period.

What if I can't block all of the recommended categories?
If you find that users need access to sites in the blocked categories, consider creating an allow list for just the specific sites, if you feel the risk is justified. Allowing traffic to a recommended block category poses the following risks:
- malware: Sites known to host malware or used for command-and-control (C2) traffic. May also host Exploit Kits.
- phishing: Sites known to host credential phishing pages or phishing for personal identification.
- dynamic-dns: Hosts and domain names for systems with dynamically assigned IP addresses, which are often used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
- unknown: Sites that have not yet been identified by PAN-DB, perhaps because they were just registered. However, oftentimes these are sites that are generated by domain generation algorithms and are later found to exhibit malicious behavior.
- proxy-avoidance-and-anonymizers: URLs and services often used to bypass content filtering products.
- questionable: Domains with illegal content, such as content that infringes on copyrights or that allows illegal download of software or other intellectual property.
- parked: Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity information. Or, they may be domains that an individual purchases the rights to in hopes that they may be valuable someday, such as panw.net.
Security Profile: WildFire Analysis
Best Practice Settings:
While the rest of the best practice security profiles significantly reduce the attack surface on your network by detecting and blocking known threats, the threat landscape is ever-changing and the risk of unknown threats lurking in the files we use daily (PDFs, Microsoft Office documents such as .doc and .xls files) is ever-growing. And, because these unknown threats are increasingly sophisticated and targeted, they often go undetected until long after a successful attack. To protect your network from unknown threats, configure the firewall to forward files to WildFire for analysis. Without this protection, attackers have free rein to infiltrate your network and exploit vulnerabilities in the applications your employees use every day. Because WildFire protects against unknown threats, it is your strongest defense against advanced persistent threats (APTs).

The best practice WildFire Analysis profile sends all files in both directions (upload and download) to WildFire for analysis. Specifically, make sure you are sending all PE files (if you're not blocking them per the file blocking best practice), Adobe Flash and Reader files (PDF, SWF), Microsoft Office files (PowerPoint, Excel, Word, RTF), Java files (Java, .CLASS), and Android files (.APK).
Define the Initial Internet Gateway Security Policy

The overall goal of a best practice Internet gateway security policy is to use positive enforcement of whitelist applications. However, it takes some time to identify exactly what applications are running on your network, which of these applications are critical to your business, and who the users are that need access to each one. The best way to accomplish the end goal of a policy rulebase that includes only application allow rules is to create an initial policy rulebase that liberally allows both the applications you officially provision for your users as well as other general business and, if appropriate, personal applications. This initial policy also includes additional rules that explicitly block bad applications, as well as some temporary allow rules that are designed to help you refine your policy and prevent applications your users may need from breaking while you transition to the best practices.

The following topics describe how to create the initial rulebase and explain why each rule is necessary and what the risks are of not following the best practice recommendation:

- Step 1: Create the Application Whitelist Rules
- Step 2: Create the Application Block Rules
- Step 3: Create the Temporary Tuning Rules
- Step 4: Enable Logging for Traffic that Doesn't Match Any Rules
Step 1: Create the Application Whitelist Rules

After you Identify Whitelist Applications you are ready to create the first part of the best practice Internet Gateway Security policy rulebase: the application whitelist rules. Every whitelist rule you create must allow traffic based on application (not port) and, with the exception of certain infrastructure applications that users need before the firewall can identify them, must only allow access to known users. Whenever possible, Create User Groups for Access to Whitelist Applications so that you can limit access to the specific users or user groups who have a business need for the application.

When creating the application whitelist rules, make sure to place more specific rules above more general rules. For example, the rules for all of your sanctioned and infrastructure applications come before the rules that allow general access to certain types of business and personal applications. This first part of the rulebase includes the allow rules for the applications you identified as part of your application whitelist:

- Sanctioned applications you provision and administer for business and infrastructure purposes
- General business applications that your users may need to use in order to get their jobs done
- General applications you may choose to allow for personal use

Every application whitelist rule also requires that you attach the best practice security profiles to ensure that you are scanning all allowed traffic for known and unknown threats. If you have not yet created these profiles, see Create Best Practice Security Profiles. And, because you can't inspect what you can't see, you must also make sure you have configured the firewall to Decrypt Traffic for Full Visibility and Threat Inspection.
Create the Application Whitelist Rules

Step 1: Allow access to your corporate DNS servers.

Why do I need this rule?
Access to DNS is required to provide network infrastructure services, but DNS is commonly exploited by attackers. Allowing access only to your internal DNS servers reduces your attack surface.

Rule Highlights
- Because this rule is very specific, place it at the top of the rulebase.
- Create an address object to use for the destination address, to ensure that users only access the DNS server in your data center.
- Because users will need access to this service before they are logged in, you must allow access to any user.

Step 2: Allow access to other required IT infrastructure resources.

Why do I need this rule?
Enable the applications that provide your network infrastructure and management functions, such as NTP, OCSP, STUN, and ping. While the DNS traffic allowed in the preceding rule is restricted to the destination address in the data center, these applications may not reside in your data center and therefore require a separate rule.

Rule Highlights
- Because these applications run on their default ports, allow access to any user (users may not yet be known users at the time these services are needed), and all have a destination address of any, contain them in a single application group and create a single rule to enable access to all of them.
- Users may not have logged in yet at the time they need access to the infrastructure applications, so make sure this rule allows access to any user.
Step 3: Allow access to IT-sanctioned SaaS applications.

Why do I need this rule?
With SaaS applications, your proprietary data is in the cloud. This rule ensures that only your known users have access to these applications (and the underlying data). Scan allowed SaaS traffic for threats.

Rule Highlights
- Group all sanctioned SaaS applications in an application group.
- SaaS applications should always run on the application-default port.
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 4: Allow access to IT-provisioned on-premise applications.

Why do I need this rule?
Business-critical data center applications are often leveraged in attacks, during the exfiltration stage (using applications such as FTP) or in the lateral movement stage (by exploiting application vulnerabilities). Many data center applications use multiple ports; setting the Service to application-default safely enables the applications on their standard ports. You should not allow applications on non-standard ports, because that is often associated with evasive behavior.

Rule Highlights
- Group all data center applications in an application group.
- Create an address group for your data center server addresses.
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 5: Allow access to applications your administrative users need.

Why do I need this rule?
To reduce your attack surface, Create User Groups for Access to Whitelist Applications. Because administrators often need access to sensitive account data and remote access to other systems (for example RDP), you can greatly reduce your attack surface by allowing access only to the administrators who have a business need.

Rule Highlights
- This rule restricts access to users in the IT_admins group.
- Create custom applications for internal applications or applications that run on non-standard ports so that you can enforce them on their default ports rather than opening additional ports on your network.
- If you have different user groups for different applications, create separate rules for granular control.
Step 6: Allow access to general business applications.

Why do I need this rule?
Beyond the applications you sanction for use and administer for your users, there are a variety of applications that users commonly use for business purposes, for example to interact with partners, such as WebEx, Adobe online services, or Evernote, but which you may not officially sanction. Because malware often sneaks in with legitimate web-based applications, this rule lets you safely allow these applications while still scanning for threats. See Create Best Practice Security Profiles.

Rule Highlights
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
- For visibility, create separate application filters for each type of application you want to allow.
- Attach the best practice security profiles to ensure that all traffic is free of known and unknown threats. See Create Best Practice Security Profiles.

Step 7: (Optional) Allow access to personal applications.

Why do I need this rule?
As the lines blur between work and personal devices, you want to ensure that all applications your users access are safely enabled and free of threats. By using application filters, you can safely enable access to personal applications when you create this initial rulebase. After you assess what applications are in use, you can use that information to decide whether to remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use policies.

Rule Highlights
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
- For visibility, create separate application filters for each type of application you want to allow.
- Scan all traffic for threats by attaching your best practice security profile group. See Create Best Practice Security Profiles.
Step 8: Allow general web browsing.

Why do I need this rule?
While the previous rule allowed access to personal applications (many of them browser-based), this rule allows general web browsing. General web browsing is more risk-prone than other types of application traffic. You must Create Best Practice Security Profiles and attach them to this rule in order to safely enable web browsing. Because threats often hide in encrypted traffic, you must Decrypt Traffic for Full Visibility and Threat Inspection if you want to safely enable web browsing.

Rule Highlights
- This rule uses the same best practice security profiles as the rest of the rules, except for the File Blocking profile, which is more stringent because general web browsing traffic is more exposed to threats.
- This rule allows only known users, to prevent devices with malware or embedded devices from reaching the Internet.
- Use application filters to allow access to general types of applications.
- Make sure you also explicitly allow SSL as an application here if you want to allow users to browse to HTTPS sites that are excluded from decryption.
Step 2: Create the Application Block Rules

Although the overall goal of your security policy is to safely enable applications using application whitelist rules (also known as positive enforcement), the initial best practice rulebase must also include rules to help you find gaps in your policy and identify possible attacks. Because these rules are designed to catch things you didn't know were running on your network, they allow traffic that could also pose security risks. Therefore, before you create the temporary rules, you must create rules that explicitly blacklist applications designed to evade or bypass security, or that are commonly exploited by attackers, such as public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file sharing applications.

Each of the tuning rules you will define in Step 3: Create the Temporary Tuning Rules is designed to identify a specific gap in your initial policy. Therefore some of these rules need to go above the application block rules and some need to go after.
Create the Application Block Rules

Step 1: Block applications that do not have a legitimate use case.

Why do I need this rule?
Block nefarious applications such as encrypted tunnels and peer-to-peer file sharing, as well as web-based file sharing applications that are not IT-sanctioned. Because the tuning rules that follow are designed to allow traffic with malicious intent, or legitimate traffic that is not matching your policy rules as expected, those rules could also allow risky or malicious traffic into your network. This rule prevents that by blocking traffic that has no legitimate use case and that could be used by an attacker or a negligent user.

Rule Highlights
- Use the Drop action to silently drop the traffic without sending a signal to the client or the server.
- Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
- Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.

Step 2: Block public DNS and SMTP applications.

Why do I need this rule?
Block public DNS/SMTP applications to prevent DNS tunneling, command-and-control traffic, and remote administration.

Rule Highlights
- Use the Reset both client and server action to send a TCP reset message to both the client-side and server-side devices.
- Enable logging for traffic matching this rule so that you can investigate a potential threat on your network.
- Because the whitelist rule that allows DNS to your data center servers sits above this rule, queries to your internal resolvers are still allowed; only DNS and SMTP that bypass your sanctioned servers reach this block.
Step 3: Create the Temporary Tuning Rules

The temporary tuning rules are explicitly designed to help you monitor the initial best practice rulebase for gaps and alert you to alarming behavior. For example, you will create temporary rules to identify traffic that is coming from unknown users or applications running on unexpected ports. By monitoring the traffic matching the temporary rules you can also gain a full understanding of all of the applications in use on your network (and prevent applications from breaking while you transition to a best practice rulebase). You can use this information to fine-tune your whitelist, either by adding new whitelist rules to allow applications you weren't aware were needed, or by narrowing your whitelist rules to remove application filters and instead allow only specific applications in a particular category. When traffic is no longer hitting these rules you can Remove the Temporary Rules.

Some of the temporary tuning rules must go above the rules that block bad applications and some must go after, to ensure that the targeted traffic hits the appropriate rule while bad traffic is still kept off your network.
Create Temporary Tuning Rules

Step 1: Allow web-browsing and SSL on non-standard ports for known users to determine whether there are any legitimate applications running on non-standard ports.

Why do I need this rule?
This rule helps you determine whether you have any gaps in your policy where users are unable to access legitimate applications because they are running on non-standard ports. You must monitor all traffic that matches this rule. For any traffic that is legitimate, tune the appropriate allow rule to include the application, creating a custom application where appropriate.

Rule Highlights
- Unlike the whitelist rules that allow applications on the default port only, this rule allows web-browsing and SSL traffic on any port so that you can find gaps in your whitelist.
- Because this rule is intended to find gaps in policy, limit it to known users on your network. See Create User Groups for Access to Whitelist Applications.
- Make sure you also explicitly allow SSL as an application here if you want to allow users to browse to HTTPS sites that aren't decrypted (such as financial services and healthcare sites).
- You must add this rule above the application block rules or no traffic will hit this rule.

Step 2: Allow web-browsing and SSL traffic on non-standard ports from unknown users to highlight all unknown users regardless of port.

Why do I need this rule?
This rule helps you determine whether you have gaps in your User-ID coverage. It also helps you identify compromised or embedded devices that are trying to reach the Internet. It is important to block non-standard port usage, even for web-browsing traffic, because it is usually an evasion technique.

Rule Highlights
- While the majority of the application whitelist rules apply to known users or specific user groups, this rule explicitly matches traffic from unknown users.
- Note that this rule must go above the application block rules or traffic will never hit it.
- Because it is an allow rule, you must attach the best practice security profiles to scan for threats.

Step 3: Allow all applications on the application-default port to identify unexpected applications.

Why do I need this rule?
This rule provides visibility into applications that you weren't aware were running on your network so that you can fine-tune your application whitelist. Monitor all traffic matching this rule to determine whether it represents a potential threat, or whether you need to modify your whitelist rules to allow the traffic.

Rule Highlights
- Because this rule allows all applications, you must add it after the application block rules to prevent bad applications from running on your network.
- If you are running PAN-OS 7.0.x or earlier, to appropriately identify unexpected applications you must use an application filter that includes all applications, instead of setting the rule to allow any application.
Step 4: Allow any application on any port to identify applications running where they shouldn't be.

Why do I need this rule?
This rule helps you identify legitimate, known applications running on unknown ports. It also helps you identify unknown applications for which you need to create a custom application to add to your application whitelist. Any traffic matching this rule is actionable and requires that you track down the source of the traffic and ensure that you are not allowing any unknown-tcp, unknown-udp, or non-syn-tcp traffic.

Rule Highlights
- Because this is a very general rule that allows any application from any user on any port, it must come at the end of your rulebase.
- Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network, or identify legitimate applications that require a custom application.
Step 4: Enable Logging for Traffic that Doesn't Match Any Rules
Traffic that does not match any of the rules you defined will match the predefined interzone-default rule at the bottom of the rulebase and be denied. For visibility into the traffic that is not matching any of the rules you created, enable logging on the interzone-default rule:
Enable Logging for Traffic That Doesn't Match Any Rules
Step 1
Select the interzone-default row in the rulebase and click Override to enable editing on this rule.
Step 2
Select the interzone-default rule name to open the rule for editing.
Step 3
Step 4
Create a custom report to monitor traffic that hits this rule.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the interzone-default rule:
(rule eq 'interzone-default')
Step 5
Commit the changes you made to the rulebase.
Monitor and Fine-Tune the Policy Rulebase
A best practice security policy is iterative. It is a tool for safely enabling applications, users, and content by classifying all traffic, across all ports, all the time. As soon as you Define the Initial Internet Gateway Security Policy, you must begin to monitor the traffic that matches the temporary rules designed to identify policy gaps and alarming behavior and tune your policy accordingly. By monitoring traffic hitting these rules, you can make appropriate adjustments to your rules to either make sure all traffic is hitting your whitelist application allow rules or assess whether particular applications should be allowed. As you tune your rulebase, you should see less and less traffic hitting these rules. When you no longer see traffic hitting these rules, it means that your positive enforcement whitelist rules are complete and you can Remove the Temporary Rules.
Because new App-IDs are added in weekly content releases, you should review the impact the changes in App-IDs have on your policy.
Identify Policy Gaps
Step 1
Create custom reports that let you monitor traffic that hits the rules designed to identify policy gaps.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name that indicates the particular policy gap you are investigating, such as Best Practice Policy Tuning.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the rules designed to find policy gaps and alarming behavior. You can create a single report that details traffic hitting any of the rules (using the or operator), or create individual reports to monitor each rule. Using the rule names defined in the example policy, you would enter the corresponding queries:
(rule eq 'Unexpected Port SSL and Web')
(rule eq 'Unknown User SSL and Web')
(rule eq 'Unexpected Traffic')
(rule eq 'Unexpected Port Usage')
Identify Policy Gaps (Continued)
Step 2
Review the report regularly to make sure you understand why traffic is hitting each of the best practice policy tuning rules and either update your policy to include legitimate applications and users, or use the information in the report to assess the risk of that application usage and implement policy reforms.
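The following Python script, an added example rather than anything from the guide, models what the custom report in Step 1 computes: it evaluates (rule eq '...') queries over a few Traffic Summary rows and aggregates Bytes and Sessions per Rule and Application, so the same function also produces the interzone-default report from the earlier logging procedure. The rows and the rule name IT Sanctioned Apps are constructed for the illustration; the filter grammar implemented here covers only eq terms joined by and/or, which is all the queries above use.

```python
"""Offline model of a PAN-OS Traffic Summary custom report: filter rows with a
query such as (rule eq 'Unexpected Traffic') or (rule eq 'Unexpected Port Usage'),
then group by Rule and Application and sum Bytes and Sessions. Added example;
the rows are constructed, not real firewall logs."""
import re
from collections import defaultdict

# One "(field eq 'value')" term; values may contain spaces, as the rule names do.
TERM_RE = re.compile(r"\(\s*(\w+)\s+eq\s+'([^']*)'\s*\)")
# The boolean operator between two terms: ") or (" / ") and (".
OP_RE = re.compile(r"\)\s*(and|or)\s*\(")


def parse_query(query):
    """Return ([(field, value), ...], operator). Only a flat list of eq terms
    joined by a single operator is supported; mixing and/or raises."""
    terms = TERM_RE.findall(query)
    if not terms:
        raise ValueError(f"no (field eq 'value') terms in: {query!r}")
    ops = set(OP_RE.findall(query))
    if len(ops) > 1:
        raise ValueError("mixed and/or operators are not supported by this model")
    return terms, (ops.pop() if ops else "or")


def matches(row, terms, op):
    """True when the row satisfies the terms under the given operator."""
    checks = (str(row.get(field)) == value for field, value in terms)
    return all(checks) if op == "and" else any(checks)


def traffic_summary(rows, query, group_by=("rule", "app")):
    """Aggregate matching rows like the report's Group By: returns a list of
    ((group key...), bytes, sessions) sorted by bytes descending."""
    terms, op = parse_query(query)
    totals = defaultdict(lambda: {"bytes": 0, "sessions": 0})
    for row in rows:
        if matches(row, terms, op):
            key = tuple(row[field] for field in group_by)
            totals[key]["bytes"] += row["bytes"]
            totals[key]["sessions"] += row["sessions"]
    return sorted(((key, t["bytes"], t["sessions"]) for key, t in totals.items()),
                  key=lambda item: item[1], reverse=True)


# Constructed Traffic Summary rows. "IT Sanctioned Apps" is a made-up whitelist
# rule name used to show that sanctioned traffic stays out of the tuning report.
SAMPLE_ROWS = [
    {"rule": "Unexpected Port Usage", "app": "ssh", "bytes": 120_000, "sessions": 4},
    {"rule": "Unexpected Port Usage", "app": "unknown-tcp", "bytes": 500_000, "sessions": 9},
    {"rule": "Unexpected Traffic", "app": "bittorrent", "bytes": 2_000_000, "sessions": 3},
    {"rule": "Unknown User SSL and Web", "app": "ssl", "bytes": 90_000, "sessions": 12},
    {"rule": "interzone-default", "app": "not-applicable", "bytes": 3_000, "sessions": 40},
    {"rule": "IT Sanctioned Apps", "app": "ms-office365", "bytes": 9_000_000, "sessions": 200},
]

# A single report covering all four tuning rules, joined with the or operator.
TUNING_QUERY = ("(rule eq 'Unexpected Port SSL and Web') or (rule eq 'Unknown User SSL and Web') "
                "or (rule eq 'Unexpected Traffic') or (rule eq 'Unexpected Port Usage')")
DEFAULT_RULE_QUERY = "(rule eq 'interzone-default')"

if __name__ == "__main__":
    for key, nbytes, sessions in traffic_summary(SAMPLE_ROWS, TUNING_QUERY):
        print(f"{key[0]:28} {key[1]:14} {nbytes:>10} {sessions:>5}")
    print(traffic_summary(SAMPLE_ROWS, DEFAULT_RULE_QUERY))
```

The row with the most bytes under a tuning rule is the one to investigate first; in the constructed data that is bittorrent under Unexpected Traffic, while the office traffic under the whitelist rule never appears in the report.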
Remove the Temporary Rules
After several months of monitoring your initial Internet Gateway best practice Security policy, you should see less and less traffic hitting the temporary rules as you make adjustments to the rulebase. When you no longer see any traffic hitting these rules, you have achieved your goal of transitioning to a fully application-based Security policy rulebase. At this point, you can finalize your policy rulebase by removing the temporary rules, which includes the rules you created to block bad applications and the rules you created for tuning the rulebase.
Remove the Temporary Rules
Step 1
Step 2
Select the rule and click Delete.
Alternatively, Disable the rules for a period of time before deleting them. This would allow you to Enable them again if traffic logs show traffic matching the interzone-default rule.
Step 3
Commit the changes.
Maintain the Rulebase
Because applications are always evolving, your application whitelist will need to evolve also. Each time you make a change in what applications you sanction, you must make a corresponding policy change. As you do this, instead of just adding a new rule like you would do with a port-based policy, identify and modify the rule that aligns with the business use case for the application. Because the best practice rules leverage policy objects for simplified administration, adding support for a new application or removing an application from your whitelist typically means modifying the corresponding application group or application filter accordingly.
Additionally, installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for applications with new or modified App-IDs. Therefore, before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing Security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policy rules and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.
Maintain the Best Practice Rulebase
Step 1
Before installing a new content release version, review the new App-IDs to determine if there is policy impact.
Step 2
Disable new App-IDs introduced in a content release, in order to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.
Step 3
Tune security policy rules to account for App-ID changes included in a content release or to add new sanctioned applications to or remove applications from your application whitelist rules.
Enumeration of Rules Within a Rulebase
Each rule within a rulebase is automatically numbered and the ordering adjusts as rules are moved or reordered. When filtering rules to find rules that match the specified filter(s), each rule is listed with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order.
On Panorama, pre-rules, post-rules, and default rules are independently numbered. When Panorama pushes rules to a firewall, the rule numbering reflects the hierarchy and evaluation order of shared rules, device group pre-rules, firewall rules, device group post-rules, and default rules. The Preview Rules option in Panorama displays an ordered list view of the total number of rules on a firewall.
View the Ordered List of Rules Within a Rulebase
View the numbered list of rules on the firewall.
Select Policies and any rulebase under it. For example, Policies > Security. The leftmost column in the table displays the rule number.
View the numbered list of rules on Panorama.
Select Policies and any rulebase under it. For example, Policies > Security > Pre-rules.
After you push the rules from Panorama, view the complete list of rules with numbers on the firewall.
From the web interface of the firewall, select Policies and pick any rulebase under it. For example, select Policies > Security and view the complete set of numbered rules that the firewall will evaluate.
Move or Clone a Policy Rule or Object to a Different Virtual System
On a firewall that has more than one virtual system (vsys), you can move or clone policy rules and objects to a different vsys or to the Shared location. Moving and cloning save you the effort of deleting, recreating, or renaming rules and objects. If the policy rule or object that you will move or clone from a vsys has references to objects in that vsys, move or clone the referenced objects also. If the references are to shared objects, you do not have to include those when moving or cloning. You can Use Global Find to Search the Firewall or Panorama Management Server for references.
Move or Clone a Policy Rule or Object to a Virtual System
Step 1
Step 2
Step 3
Perform one of the following steps:
Select Move > Move to other vsys (for policy rules).
Click Move (for objects).
Click Clone (for policy rules or objects).
Step 4
In the Destination drop-down, select the new virtual system or Shared. The default is the Virtual System selected in Step 2.
Step 5
(Policy rules only) Select the Rule order:
Move top (default): The rule will come before all other rules.
Move bottom: The rule will come after all other rules.
Before rule: In the adjacent drop-down, select the rule that comes after the Selected Rules.
After rule: In the adjacent drop-down, select the rule that comes before the Selected Rules.
Step 6
Step 7
Click OK to start the error validation. If the firewall displays errors, fix them and retry the move or clone operation. If the firewall doesn't find errors, the object is moved or cloned successfully. After the operation finishes, click Commit.
Use Tags to Group and Visually Distinguish Objects
You can tag objects to group related items and add color to the tag in order to visually distinguish them for easy scanning. You can create tags for the following objects: address objects, address groups, zones, service groups, and policy rules.
The firewall and Panorama support both static tags and dynamic tags. Dynamic tags are registered from a variety of sources and are not displayed with the static tags because dynamic tags are not part of the firewall/Panorama configuration. See Register IP Addresses and Tags Dynamically for information on registering tags dynamically. The tags discussed in this section are statically added and are part of the configuration.
You can apply one or more tags to objects and to policy rules, up to a maximum of 64 tags per object. Panorama supports a maximum of 10,000 tags, which you can apportion across Panorama (shared and device groups) and the managed firewalls (including firewalls with multiple virtual systems).
Create and Apply Tags
Modify Tags
Use the Tag Browser
Create and Apply Tags
Step 1
Create tags.
To tag a zone, you must create a tag with the same name as the zone. When the zone is attached in policy rules, the tag color automatically displays as the background color against the zone name.
1.
2.
3.
4.
5. (Optional) Assign one of the 17 predefined colors to the tag. By default, Color is None.
6. Click OK and Commit to save the changes.
Step 2
Apply tags to an address object, address group, service, or service group.
1. Create the object. For example, to create a service group, select Objects > Service Groups > Add.
2. Select a tag from the Tags drop-down or enter a name in the field to create a new tag.
To edit a tag or add color to the tag, see Modify Tags.
Step 3
Apply tags to policy.
1. Select Policies and any rulebase under it.
2. Click Add to create a policy rule and use the tagged objects you created in Step 1.
3. Verify that the tags are in use.
Modify Tags
Select Objects > Tags to perform any of the following operations with tags:
Click the link in the Name column to edit the properties of a tag.
Select a tag in the table, and click Delete to remove the tag from the firewall.
Click Clone to create a duplicate tag with the same properties. A numerical suffix is added to the tag name. For example, FTP-1.
For details on creating tags, see Create and Apply Tags. For information on working with tags, see Use the Tag Browser.
Use the Tag Browser
The tag browser provides a way to view all the tags used within a rulebase. In rulebases with a large number of rules, the tag browser simplifies the display by presenting the tags, the color code, and the rule numbers in which the tags are used.
It also allows you to group rules using the first tag applied to the rule. As a best practice, use the first tag to identify the primary purpose for a rule. For example, the first tag can identify a rule by a high-level function such as best practice, Internet access, IT-sanctioned applications, or high-risk applications. In the tag browser, when you Filter by first tag in rule, you can easily identify gaps in coverage and move rules or add new rules within the rulebase. All the changes are saved to the candidate configuration until you commit the changes on the firewall and make them a part of the running configuration.
For firewalls that are managed by Panorama, the tags applied to pre-rules and post-rules that have been pushed from Panorama display in a green background and are demarcated with green lines so that you can identify these tags from the local tags on the firewall.
Use the Tag Browser
Explore the tag browser.
1.
2. Tag (#): Displays the label and the rule number or range of numbers in which the tag is used contiguously. Hover over the label to see the location where the rule was defined; it can be inherited from a shared location, a device group, or a virtual system.
3. Rule: Lists the rule number or range of numbers associated with the tags.
4. Sort the tags.
Filter by first tag in rule: Sorts rules using the first tag applied to each rule in the rulebase. This view is particularly useful if you want to narrow the list and view related rules that might be spread around the rulebase. For example, if the first tag in each rule denotes its function (best practices, administration, web access, data center access, proxy), you can narrow the result and scan the rules based on function.
Rule Order: Sorts the tags in the order of appearance within the selected rulebase. When displayed in order of appearance, tags used in contiguous rules are grouped. The rule number with which the tag is associated is displayed along with the tag name.
Alphabetical: Sorts the tags in alphabetical order within the selected rulebase. The display lists the tag name and color (if a color is assigned) and the number of times it is used within the rulebase.
The label None represents rules without any tags; it does not display rule numbers for untagged rules. When you select None, the right pane is filtered to display rules that have no tags assigned to them.
5. Clear: Clears the filter on the currently selected tags in the search bar.
6. Search bar: To search for a tag, enter the term and click the green arrow icon to apply the filter. It also displays the total number of tags in the rulebase and the number of selected tags.
7. Expand or collapse the tag browser.
Use the Tag Browser (Continued)
Tag a rule.
1. Select a rule on the right pane.
2. Do one of the following:
Select a tag in the tag browser and select Apply the Tag to the Selection(s) from the drop-down.
Drag and drop tag(s) from the tag browser onto the Tags column of the rule. When you drop a tag, a confirmation dialog displays.
3. Commit the changes.
View rules that match the selected tags.
You can filter rules based on tags with an AND or an OR operator.
OR filter: To view rules that have specific tags, select one or more tags in the tag browser; the right pane only displays the rules that include any of the currently selected tags.
AND filter: To view rules that have all the selected tags, hover over the number associated with the tag in the Rule column of the tag browser and select Filter. Repeat to add more tags. Click the apply filter icon in the search bar on the right pane. The results are displayed using an AND operator.
View the currently selected tags.
To view the currently selected tags, hover over the Clear label in the tag browser.
Untag a rule.
Hover over the rule number associated with a tag in the Rule column of the tag browser and select Untag Rule(s). Confirm that you want to remove the selected tag from the rule. Commit the changes.
Reorder rules using tags.
Select one or more tags and hover over the rule number in the Rule column of the tag browser and select Move Rule(s).
Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down. Commit the changes.
Add a new rule that applies the selected tags.
Select one or more tags and hover over the rule number in the Rule column of the tag browser, and select Add New Rule. Define the rule and Commit the changes.
The numerical order of the new rule varies by whether you selected a rule on the right pane. If you did not select a rule on the right pane, the new rule will be added after the rule to which the selected tag(s) belongs. Otherwise, the new rule is added after the selected rule.
Search for a tag.
In the tag browser, enter the first few letters of the tag name you want to search for and click the Apply Filter icon. The tags that match your input will display.
Use an External Dynamic List in Policy
An external dynamic list (formerly called dynamic block list) is a text file that you host on an external web server so that the firewall can import objects (IP addresses, URLs, domains) to enforce policy on the entries in the list. As you update the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall.
External Dynamic List
Formatting Guidelines for an External Dynamic List
Enforce Policy on Entries in an External Dynamic List
View the List of Entries in an External Dynamic List
Retrieve an External Dynamic List from the Web Server
External Dynamic List
An External Dynamic List is a text file that is hosted on an external web server so that the firewall can import objects (IP addresses, URLs, domains) included in the list and enforce policy. To enforce policy on the entries included in the external dynamic list, you must reference the list in a supported policy rule or profile. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall. If the web server is unreachable, the firewall will use the last successfully retrieved list for enforcing policy until the connection is restored with the web server. To retrieve the external dynamic list, the firewall uses the interface attached to the service route that it uses to access the Palo Alto Updates service.
The firewall supports three types of external dynamic lists:
IP Address: The firewall typically enforces policy for a source or destination IP address that is defined as a static object on the firewall. If you need agility in enforcing policy for a list of source or destination IP addresses that emerge ad hoc, you can use an external dynamic list of type IP address as a source or destination address object in policy rules, and configure the firewall to deny or allow access to the IP addresses (IPv4 and IPv6 address, IP range and IP subnets) included in the list. The firewall treats an external dynamic list of type IP address as an address object; all the IP addresses included in a list are handled as one address object.
URL: An external dynamic list of type URL gives you the agility to protect your network from new sources of threat or malware. The firewall handles an external dynamic list with URLs like a custom URL category and you can use this list in two ways:
As a match criteria in Security policy rules, Decryption policy rules, and QoS policy rules to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the custom category.
In a URL Filtering profile where you can define more granular actions, such as continue, alert, or override, before you attach the profile to a Security policy rule.
Domain: An external dynamic list of type domain allows you to import custom domain names into the firewall to enforce policy using an Anti-Spyware profile. This capability is very useful if you subscribe to third-party threat intelligence and want to protect your network from new sources of threat or malware as soon as you learn of a malicious domain. For each domain you include in the external dynamic list, the firewall creates a custom DNS-based spyware signature so that you can enable DNS sinkholing. The DNS-based spyware signature is of type spyware with medium severity and each signature is named Custom Malicious DNS Query <domain name>. For details, see Configure DNS Sinkholing for a List of Custom Domains.
On each firewall platform, you can configure a maximum of 30 unique sources for external dynamic lists; these limits are not applicable to Panorama. When using Panorama to manage a firewall that is enabled for multiple virtual systems, if you exceed the limit for the firewall, a commit error displays on Panorama. A source is a URL that includes the IP address or hostname, the path, and the filename for the external dynamic list. The firewall matches the URL (complete string) to determine whether a source is unique.
While the firewall does not impose a limit on the number of lists of a specific type, the following limits are enforced:
IP address: The PA-5000 Series and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other platforms support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list. When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message.
URL and domain: A maximum of 50,000 URLs and 50,000 domains are supported on each platform, with no limits enforced on the number of entries per list.
When parsing the list, the firewall skips entries that do not match the list type, and ignores entries that exceed the maximum number supported for the platform.
Formatting Guidelines for an External Dynamic List
An external dynamic list of one type (IP address, URL or Domain) must include entries of that type only.
IP Address List
Domain List
URL List
IP Address List
The external dynamic list can include individual IP addresses, subnet addresses (address/mask), or range of IP addresses. In addition, the block list can include comments and special characters such as *, :, ;, #, or /. The syntax for each line in the list is [IP address, IP/Mask, or IP start range-IP end range] [space] [comment].
Enter each IP address/range/subnet in a new line; URLs or domains are not supported in this list. If you add comments, the comment must be on the same line as the IP address/range/subnet. The space at the end of the IP address is the delimiter that separates a comment from the IP address.
An example IP address list:
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
For an IP address that is blocked, you can display a notification page only if the protocol is HTTP.
Domain List
Enter each domain name in a new line; URLs or IP addresses are not supported in this list. Do not prefix the domain name with the protocol, http:// or https://. Wildcards are not supported.
An example list of domains:
www.example.com
baddomain.com
qqq.abcedfg.au
URL List
See Block and Allow Lists.
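As an added illustration of the formatting rules above (example code, not part of the PAN-OS documentation), the following Python script checks a type-IP list and a type-domain list before you publish them on the web server, applying the guidelines the way this section describes them: the first whitespace-delimited token on a line is the entry and anything after it is a comment, entries of the wrong type are skipped, and valid entries beyond the platform limit are ignored. The sample lists reuse the entries shown above plus a few constructed bad lines; the limits are the figures quoted in this section.

```python
"""Validate external dynamic list (EDL) files against the formatting guidelines
above. Added example, not Palo Alto Networks code. The limits are the figures
quoted in this section; the sample lists extend the page's examples with
constructed bad lines to show the skip/ignore behaviour."""
import ipaddress
import re

IP_LIMIT_DEFAULT = 50_000          # most platforms
IP_LIMIT_PA5000_PA7000 = 150_000   # PA-5000 and PA-7000 Series
DOMAIN_LIMIT = 50_000

# Bare hostname: labels of letters/digits/hyphens, no scheme, path or wildcard.
_DOMAIN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def parse_ip_entry(token):
    """Return the token if it is an IP address, address/mask or start-end range,
    else None. A range must be two addresses of the same family, in order."""
    if "-" in token:
        start, _, end = token.partition("-")
        try:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError:
            return None
        return token if lo.version == hi.version and lo <= hi else None
    try:
        if "/" in token:
            ipaddress.ip_network(token, strict=False)  # host bits may be set
        else:
            ipaddress.ip_address(token)
    except ValueError:
        return None
    return token


def parse_ip_list(text, limit=IP_LIMIT_DEFAULT):
    """Parse a type-IP list. The first whitespace-delimited token on a line is the
    entry and the rest is a comment. Returns (accepted, skipped, ignored):
    skipped holds lines that are not IP entries (domains, URLs, junk) and
    ignored holds valid entries beyond the platform limit."""
    accepted, skipped, ignored = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_ip_entry(line.split(None, 1)[0])
        if entry is None:
            skipped.append(line)
        elif len(accepted) >= limit:
            ignored.append(entry)
        else:
            accepted.append(entry)
    return accepted, skipped, ignored


def parse_domain_list(text, limit=DOMAIN_LIMIT):
    """Parse a type-domain list: one bare domain per line, no http:// or https://
    prefix, no wildcard, and no IP addresses or URLs."""
    accepted, skipped, ignored = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        has_scheme = line.lower().startswith(("http://", "https://"))
        if (has_scheme or "*" in line or "/" in line
                or parse_ip_entry(line) or not _DOMAIN_RE.match(line)):
            skipped.append(line)
        elif len(accepted) >= limit:
            ignored.append(line)
        else:
            accepted.append(line)
    return accepted, skipped, ignored


# The page's example IP list plus one constructed line of the wrong type.
SAMPLE_IP_LIST = """\
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
www.example.com stray domain entry (constructed)
"""

# The page's example domain list plus constructed lines that must be skipped.
SAMPLE_DOMAIN_LIST = """\
www.example.com
baddomain.com
qqq.abcedfg.au
http://bad.example
*.wild.example
10.0.0.1
"""

if __name__ == "__main__":
    print(parse_ip_list(SAMPLE_IP_LIST))
    print(parse_domain_list(SAMPLE_DOMAIN_LIST))
```

Running the checker with the limit for your platform (the 150,000 constant for PA-5000 and PA-7000 Series, the default otherwise) tells you in advance which lines the firewall would skip and which it would ignore, rather than discovering that from the CLI after the list is live.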
Enforce Policy on Entries in an External Dynamic List
Step 1
Create the external dynamic list and host it on a web server so that the firewall can retrieve the list for policy evaluation.
Create a text file and enter the URLs, domains, or IP addresses in the file.
To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries. See Formatting Guidelines for an External Dynamic List.
Step 2
Configure the firewall to access the external dynamic list.
1.
2. Click Add and enter a descriptive Name for the list.
3. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
4. (Panorama only) Select Disable override to ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.
5. In the Type drop-down, select the list type, for example, URL List.
Ensure that the list only includes entries for the list type. See Verify whether entries in the external dynamic list were ignored or skipped.
6. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
7.
8. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes.
The interval is relative to the last commit. So, for the five-minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
9. Click OK.
10. Use the external dynamic list in a security profile or directly in a policy rule, as supported. See the following:
Use an External Dynamic List in a URL Filtering Profile.
Configure DNS Sinkholing for a List of Custom Domains.
Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
Use an External Dynamic List of Type IP as a Source or Destination Address Object in a Security Policy Rule.
Enforce Policy on Entries in an External Dynamic List (Continued)
Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
You can also Use an External Dynamic List in a URL Filtering Profile.
1.
2. Click Add and enter a descriptive Name for the rule.
3. In the Source tab, select the Source Zone.
4. In the Destination tab, select the Destination Zone.
5. In the Service/URL Category tab, click Add to select the appropriate external dynamic list from the URL Category list.
6. In the Actions tab, set the Action Setting to Allow or Deny.
7. Click OK and Commit.
8. Verify whether entries in the external dynamic list were ignored or skipped.
Use the following CLI command on a firewall to review the details for a list:
request system external-list show type <domain | ip | url> name_of_list
For example:
request system external-list show type url EBL_ISAC_Alert_List
9. Test that the policy action is enforced.
a. Attempt to access a URL that is included in the external dynamic list.
b. Verify that the action you defined is enforced in the browser.
c. To monitor the activity on the firewall:
d. Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
e. Select Monitor > Logs > URL Filtering to access the detailed log view.
Use an External Dynamic List of Type IP as a Source or Destination Address Object in a Security Policy Rule.
This capability is useful if you deploy new servers and want to allow access to the newly deployed servers without requiring a firewall commit.
1.
2.
3.
4.
5.
6.
7. Leave all the other options at the default values.
8. Click OK to save the changes.
9. Commit the changes.
10. Test that the policy action is enforced.
a. Access an IP address that is included in the external dynamic list and verify that the action you defined is enforced.
b. Select Monitor > Logs > Traffic and view the log entry for the session.
c. To verify the policy rule that matches a flow, use the following CLI command:
test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> protocol <protocol_number>
View the List of Entries in an External Dynamic List
To view the list of entries that the firewall has retrieved from the web server, enter the following CLI command:
vsys1/DBL_2014:
Next update at: Wed Aug 27 16:00:00 2014
IPs:
1.1.1.1
1.2.2.2/20 #test China
192.168.255.0; test internal
192.168.254.0/24 test internal range
Retrieve an External Dynamic List from the Web Server
You can configure the firewall to retrieve the External Dynamic List from the web server on an hourly, daily, weekly, or monthly basis. If you have added or deleted IP addresses on the list and need to trigger an immediate refresh, use the following process:
Retrieve an External Dynamic List
1.
2. Select the list that you want to refresh, and click Import Now. The job to import the list will be added to the queue.
To view the status of the job in the Task Manager, see Manage and Monitor Administrative Tasks.
Register IP Addresses and Tags Dynamically
To mitigate the challenges of scale, lack of flexibility and performance, the architecture in networks today allows for clients, servers, and applications to be provisioned, changed, and deleted on demand. This agility poses a challenge for security administrators because they have limited visibility into the IP addresses of the dynamically provisioned clients and servers, and the plethora of applications that can be enabled on these virtual resources.
The firewall (hardware-based platforms and the VM-Series) supports the ability to register IP addresses and tags dynamically. The IP addresses and tags can be registered on the firewall directly or registered on the firewall through Panorama. This dynamic registration process can be enabled using any of the following options:
User-ID agent for Windows: In an environment where you've deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi and/or vCenter Servers. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.
VM Information Sources: Allows you to monitor VMware ESXi and vCenter Server, and the AWS-VPC to retrieve IP address changes when you provision or modify virtual machines on these sources. VM Information Sources polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.
VMware Service Manager (only available for the integrated NSX solution): The integrated NSX solution is designed for automated provisioning and distribution of Palo Alto Networks next-generation security services and the delivery of dynamic context-based security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.
XML API: The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.
For information on creating and using Dynamic Address Groups, see Use Dynamic Address Groups in Policy.
For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP Addresses and Tags.
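As an added example (not code from the guide or from Palo Alto Networks), the following Python script builds the uid-message document that the XML API option above accepts for registering and unregistering IP-address tags, parses it back to check it, and prepares the user-id API call without sending it. The element layout (uid-message, version 1.0, type update, and a payload with register/unregister entries) follows the PAN-OS XML API Usage Guide referenced above; treat the exact element names as an assumption to verify against that guide for your release. The firewall host, API key and IP/tag values are constructed placeholders.

```python
"""Build and check a PAN-OS XML API uid-message for dynamic IP/tag registration.
Added example; the element layout follows the PAN-OS XML API Usage Guide as the
example author understands it (assumption to verify), and every host, key and
IP/tag value below is a constructed placeholder. Nothing is sent over the network."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_uid_message(register=None, unregister=None):
    """register / unregister: {ip: [tag, ...]}. Returns the uid-message XML text.
    An action block is only emitted when it has at least one entry."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mapping in (("register", register or {}), ("unregister", unregister or {})):
        if not mapping:
            continue
        section = ET.SubElement(payload, action)
        for ip, tags in mapping.items():
            entry = ET.SubElement(section, "entry", ip=ip)
            tag_el = ET.SubElement(entry, "tag")
            for tag in tags:
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text):
    """Return {"register": {ip: [tags]}, "unregister": {ip: [tags]}} from a
    uid-message; raises ValueError if it is not a version-1.0 update message.
    Useful for checking a script's output before pointing it at a firewall."""
    root = ET.fromstring(xml_text)
    if (root.tag != "uid-message" or root.findtext("version") != "1.0"
            or root.findtext("type") != "update"):
        raise ValueError("not a uid-message update document")
    result = {"register": {}, "unregister": {}}
    for action in result:
        for entry in root.iterfind(f"payload/{action}/entry"):
            result[action][entry.get("ip")] = [m.text for m in entry.iterfind("tag/member")]
    return result


def user_id_request(firewall_host, api_key, uid_message_xml):
    """Return (url, form_body) for a POST to the user-id API endpoint. The key and
    the XML go in the form body rather than the query string so that the API key
    does not end up in proxy or web-server access logs."""
    url = f"https://{firewall_host}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": uid_message_xml})
    return url, body


# Constructed placeholders: a web tier coming online, an old host being retired.
REGISTER = {"10.1.1.5": ["web-server", "pci-scope"], "10.1.1.6": ["web-server"]}
UNREGISTER = {"10.1.1.9": ["web-server"]}

if __name__ == "__main__":
    message = build_uid_message(register=REGISTER, unregister=UNREGISTER)
    print(message)
    print(parse_uid_message(message))
    url, body = user_id_request("fw.example.internal", "EXAMPLE-API-KEY", message)
    print(url, len(body))
```

Once the parsed result matches what the provisioning system intended, the same body can be sent with cURL or any HTTP client, as the text notes; the tags then become available as match criteria for Dynamic Address Groups.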
Monitor Changes in the Virtual Environment
To secure applications and prevent threats in an environment where new users and servers are constantly emerging, your security policy must be nimble. To be nimble, the firewall must be able to learn about new or modified IP addresses and consistently apply policy without requiring configuration changes on the firewall. This capability is provided by the coordination between the VM Information Sources and Dynamic Address Groups features on the firewall. The firewall and Panorama provide an automated way to gather information on the virtual machine (or guest) inventory on each monitored source and create policy objects that stay in sync with the dynamic changes on the network.
Enable VM Monitoring to Track Changes on the Virtual Network
Attributes Monitored in the AWS and VMware Environments
Use Dynamic Address Groups in Policy
Enable VM Monitoring to Track Changes on the Virtual Network
VM information sources provide an automated way to gather information on the Virtual Machine (VM) inventory on each monitored source (host); the firewall can monitor the VMware ESXi and vCenter Server, and the AWS-VPC. As virtual machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags; these tags can then be used to define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and matched against in policy.
Up to 10 VM information sources can be configured on the firewall or pushed using Panorama templates. By default, the traffic between the firewall and the monitored sources uses the management (MGT) port on the firewall.
VM Information Sources offers easy configuration and enables you to monitor a predefined set of 16 metadata elements or attributes. See Attributes Monitored in the AWS and VMware Environments for the list.
When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. Up to a maximum of 32 tags (from vCenter server and NSX Manager) can be registered to an IP address.
Set up the VM Monitoring Agent
Step 1
Enable the VM Monitoring Agent.
You can configure up to 10 VM information sources for each firewall, or for each virtual system on a multiple virtual systems capable firewall.
If your firewalls are configured in a high availability configuration:
In an active/passive setup, only the active firewall monitors the VM sources.
In an active/active setup, only the firewall with the priority value of primary monitors the VM sources.
1.
2.
(Optional) Enter the interval in hours when the connection to the monitored source is closed, if the host does not respond. (default: 2 hours, range 2-10 hours)
To change the default value, select the check box to Enable timeout when the source is disconnected and specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall will close the connection to the source.
Click OK, and Commit the changes.
Verify that the connection Status displays as connected.
Set up the VM Monitoring Agent (Continued)

Step 2: Verify the connection status.

Verify that the connection Status displays as connected.

If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (Device > Setup > Services, click the Service Route Configuration link and modify the Source Interface for the VM Monitor service).
Attributes Monitored in the AWS and VMware Environments

Each VM on a monitored ESXi or vCenter server must have VMware Tools installed and running. VMware Tools provide the capability to glean the IP address(es) and other values assigned to each VM.

In order to collect the values assigned to the monitored VMs, the firewall monitors the following predefined set of attributes:

Attributes Monitored on a VMware Source
- UUID
- Name
- Guest OS
- VM State (the power state can be poweredOff, poweredOn, standBy, and unknown)
- Annotation
- Version
- Network (Virtual Switch Name, Port Group Name, and VLAN ID)
- Container Name (vCenter Name, Data Center Object Name, Resource Pool Name, Cluster Name, Host, Host IP address)

Attributes Monitored on the AWS VPC
- Architecture
- Guest OS
- Image ID
- Instance ID
- Instance State
- Instance Type
- Key Name
- Placement (Tenancy, Group Name, Availability Zone)
- Private DNS Name
- Public DNS Name
- Subnet ID
- Tag (key, value) (up to 5 tags supported per instance)
- VPC ID
Use Dynamic Address Groups in Policy

Dynamic address groups are used in policy. They allow you to create policy that automatically adapts to changes (adds, moves, or deletions of servers). They also give you the flexibility to apply different rules to the same server based on tags that define its role on the network, its operating system, or the different kinds of traffic it processes.

A dynamic address group uses tags as the filtering criteria to determine its members. The filter uses the logical and and or operators. All IP addresses or address groups that match the filtering criteria become members of the dynamic address group. Tags can be defined statically on the firewall and/or registered (dynamically) to the firewall. The difference between static and dynamic tags is that static tags are part of the configuration on the firewall, and dynamic tags are part of the runtime configuration. This implies that a commit is not required to update dynamic tags; the tags must however be used by Dynamic Address Groups that are referenced in policy, and the policy must be committed on the firewall.

To dynamically register tags, you can use the XML API or the VM Monitoring agent on the firewall or on the User-ID agent. Each tag is a metadata element or attribute-value pair that is registered on the firewall or Panorama. For example, IP1 {tag1, tag2, ..... tag32}, where the IP address and the associated tags are maintained as a list; each registered IP address can have up to 32 tags such as the operating system, the datacenter or the virtual switch to which it belongs. Within 60 seconds of the API call, the firewall registers the IP address and associated tags, and automatically updates the membership information for the dynamic address group(s).

The maximum number of IP addresses that can be registered differs for each platform. Use the following table for specifics on your platform:

Platform | Maximum number of dynamically registered IP addresses
PA-7000 Series, PA-5060, VM-1000-HV | 100,000
PA-5050 | 50,000
PA-5020 | 25,000
PA-4000 Series, PA-3000 Series | 5,000
PA-2000 Series, PA-500, PA-200, VM-300, VM-200, VM-100 | 1,000

The following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to:
- Enable the VM Monitoring agent on the firewall, to monitor the VMware ESX(i) host or vCenter Server and register VM IP addresses and the associated tags.
- Create dynamic address groups and define the tags to filter. In this example, two address groups are created: one that only filters for dynamic tags and another that filters for both static and dynamic tags to populate the members of the group.
- Validate that the members of the dynamic address group are populated on the firewall.
- Use dynamic address groups in policy. This example uses two different security policies:
  - A security policy for all Linux servers that are deployed as FTP servers; this rule matches on dynamically registered tags.
  - A security policy for all Linux servers that are deployed as web servers; this rule matches on a dynamic address group that uses static and dynamic tags.
- Validate that the members of the dynamic address groups are updated as new FTP or web servers are deployed. This ensures that the security rules are enforced on these new virtual machines too.

Use Dynamic Address Groups in Policy

Step 1: Enable VM Source Monitoring.
View the tutorial to see a big-picture view of the feature.
See Enable VM Monitoring to Track Changes on the Virtual Network.

Step 2: Create dynamic address groups on the firewall.
1. Log in to the web interface of the firewall.
2.
3. Click Add and enter a Name and a Description for the address group.
4. Select Type as Dynamic.
5. Define the match criteria. You can select dynamic and static tags as the match criteria to populate the members of the group. Click Add Match Criteria, select the And or Or operator, select the attributes that you would like to filter for or match against, and then click OK.
6. Click Commit.

The match criteria for each dynamic address group in this example are as follows:
- ftp_server: matches on the guest operating system Linux 64-bit and annotated as ftp ('guestos.Ubuntu Linux 64-bit' and 'annotation.ftp').
- web-servers: matches on two criteria: the tag black, or the guest operating system Linux 64-bit together with the server name Web_server_Corp ('guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp' or 'black').
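The following is an added example, not code from the PAN-OS guide, that models how a dynamic address group resolves its members from the IP1 {tag1, ..., tag32} lists described above. It assumes (my assumptions, not the product's) that registered tags are kept as a map of IP address to a set of tags, that a match expression uses quoted tags joined with and / or plus optional parentheses, and that and binds tighter than or, which is how the page reads its own web-servers example. The IP addresses and the 'black' static tag are constructed sample data.

```python
"""Added example (not from the PAN-OS guide): resolve dynamic address group
members from registered IP-to-tag lists using the page's match-criteria syntax.

Assumptions (mine): tags are stored as ip -> set(tags); match criteria look like
    'guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp' or 'black'
with 'and' binding tighter than 'or'; parentheses may group sub-expressions.
"""
import re
from typing import Dict, List, Set, Tuple

MAX_TAGS_PER_IP = 32   # limit stated on the page

# Constructed sample registrations, as a VM monitor or XML API call would push them.
REGISTERED: Dict[str, Set[str]] = {
    "10.1.22.100": {"guestos.Ubuntu Linux 64-bit", "annotation.ftp", "state.poweredOn"},
    "10.1.22.105": {"guestos.Microsoft Windows Server 2008 32-bit", "state.poweredOn"},
    "10.1.22.110": {"guestos.Ubuntu Linux 64-bit", "vmname.WebServer_Corp"},
    "10.1.22.120": {"black"},   # 'black' plays the static tag from the page's example
}

Token = Tuple[str, str]    # ("tag", text) or ("op", "and" | "or" | "(" | ")")
_TOKEN = re.compile(r"\s*(?:'([^']*)'|(\(|\)|and|or))")


def tokenize(expr: str) -> List[Token]:
    """Split match criteria into quoted tags and operators; reject anything else."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad match criteria near {expr[pos:pos + 20]!r}")
        tokens.append(("tag", m.group(1)) if m.group(1) is not None else ("op", m.group(2)))
        pos = m.end()
    return tokens


def parse(tokens: List[Token]):
    """Recursive-descent parser: or-expr := and-expr ('or' and-expr)*,
    and-expr := atom ('and' atom)*, atom := tag | '(' or-expr ')'."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def expr_or():
        node = expr_and()
        while peek() == ("op", "or"):
            take()
            node = ("or", node, expr_and())
        return node

    def expr_and():
        node = atom()
        while peek() == ("op", "and"):
            take()
            node = ("and", node, atom())
        return node

    def atom():
        tok = take()
        if tok == ("op", "("):
            node = expr_or()
            if take() != ("op", ")"):
                raise ValueError("missing ')'")
            return node
        if tok[0] == "tag":
            return ("tag", tok[1])
        raise ValueError(f"unexpected token {tok}")

    tree = expr_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in match criteria")
    return tree


def matches(node, tags: Set[str]) -> bool:
    """Evaluate a parsed criteria tree against one IP address's tag set."""
    kind = node[0]
    if kind == "tag":
        return node[1] in tags
    if kind == "and":
        return matches(node[1], tags) and matches(node[2], tags)
    return matches(node[1], tags) or matches(node[2], tags)


def register(ip: str, tags, registry: Dict[str, Set[str]] = REGISTERED) -> None:
    """Register tags for an IP address, enforcing the page's 32-tag limit."""
    merged = registry.get(ip, set()) | set(tags)
    if len(merged) > MAX_TAGS_PER_IP:
        raise ValueError(f"{ip}: more than {MAX_TAGS_PER_IP} tags")
    registry[ip] = merged


def members(criteria: str, registry: Dict[str, Set[str]] = REGISTERED) -> List[str]:
    """Return the sorted IP addresses that are members of the group."""
    tree = parse(tokenize(criteria))
    return sorted(ip for ip, tags in registry.items() if matches(tree, tags))


if __name__ == "__main__":
    print("ftp_server :", members("'guestos.Ubuntu Linux 64-bit' and 'annotation.ftp'"))
    print("web-servers:", members("'guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp' or 'black'"))
```

Because membership is recomputed from the registry rather than from configuration, a change pushed by the monitoring agent changes group membership without a commit, which is the behaviour the text describes; only the rule that references the group has to be committed.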
Use Dynamic Address Groups in Policy (Continued)

Step 3: Use dynamic address groups in policy.
View the tutorial.
1.
2. Click Add and enter a Name and a Description for the policy.
3.
4.
5. For the Destination Address, select the Dynamic address group you created in Step 2 above.
6. Specify the action (Allow or Deny) for the traffic, and optionally attach the default security profiles to the rule.
7. Repeat Steps 1 through 6 above to create another policy rule.
8. Click Commit.

This example shows how to create two policies: one for all access to FTP servers and the other for access to web servers.

Step 4: Validate that the members of the dynamic address group are populated on the firewall.
1.
2.
3. Click the more link and verify that the list of registered IP addresses is displayed.
   Policy will be enforced for all IP addresses that belong to this address group and are displayed here.
CLI Commands for Dynamic IP Addresses and Tags

The Command Line Interface on the firewall and Panorama gives you a detailed view into the different sources from which tags and IP addresses are dynamically registered. It also allows you to audit registered and unregistered tags. The following examples illustrate the capabilities in the CLI.

Example: View all registered IP addresses that match the tag state.poweredOn, or that are not tagged as vSwitch0.
CLI Command:
show log iptag tag_name equal state.poweredOn
show log iptag tag_name not-equal switch.vSwitch0

Example: View all dynamically registered IP addresses that were sourced by the VM Information Source with name vmware1 and tagged as poweredOn.
CLI Command:
show vm-monitor source source-name vmware1 tag state.poweredOn registered-ip all

registered IP                           Tags
-----------------------------           ----------------
fe80::20c:29ff:fe69:2f76                "state.poweredOn"
10.1.22.100                             "state.poweredOn"
2001:1890:12f2:11:20c:29ff:fe69:2f76    "state.poweredOn"
fe80::20c:29ff:fe69:2f80                "state.poweredOn"
192.168.1.102                           "state.poweredOn"
10.1.22.105                             "state.poweredOn"
2001:1890:12f2:11:2cf8:77a9:5435:c0d    "state.poweredOn"
fe80::2cf8:77a9:5435:c0d                "state.poweredOn"

Example: Clear all IP addresses and tags learned from a specific VM Monitoring source without disconnecting the source.

Example: Display IP addresses registered from all sources.
vlanId.4095
vswitch.vSwitch1
host-ip.10.1.5.22
portgroup.TOBEUSED
hostname.panserver22
portgroup.VM Network 2
datacenter.ha-datacenter
vlanId.0
state.poweredOn
vswitch.vSwitch0
vmname.Ubuntu22-100
vmname.win2k8-22-105
resource-pool.Resources
vswitch.vSwitch2
guestos.Ubuntu Linux 32-bit
guestos.Microsoft Windows Server 2008 32-bit
annotation.
version.vmx-08
portgroup.VM Network
vm-info-source.vmware1
uuid.564d362c-11cd-b27f-271f-c361604dfad7
uuid.564dd337-677a-eb8d-47db-293bd6692f76
Total: 22
Example: View all tags registered from a specific data source, for example from the VM Monitoring Agent on the firewall, the XML API, the Windows User-ID Agent or the CLI.
To view tags registered from the CLI:
Identify Users Connected through a Proxy Server

If you have a proxy server deployed between the users on your network and the firewall, in HTTP/HTTPS requests the firewall might see the proxy server IP address as the source IP address in the traffic that the proxy forwards, rather than the IP address of the client that requested the content. In many cases, the proxy server adds an X-Forwarded-For (XFF) header to the request that includes the actual IPv4 or IPv6 address of the client that requested the content or from whom the request originated. In such cases, you can configure the firewall to read the XFF header values and determine the IP addresses of the clients who requested the content. The firewall matches the XFF IP addresses with the usernames that your policy rules reference so that those rules can control access for the associated users and groups. The firewall also uses the XFF-derived usernames to populate the source user fields of logs so you can monitor user access to web services.

You can also configure the firewall to add XFF values to URL Filtering logs. In these logs, an XFF value can be the client IP address, the client username (if available), the IP address of the last proxy server traversed in a proxy chain, or any string of up to 128 characters that the XFF header stores.

XFF user identification applies only to HTTP or HTTPS traffic, and only if the proxy server supports the XFF header. If the header has an invalid IP address, the firewall uses that IP address as a username for group mapping references in policies. If the XFF header has multiple IP addresses, the firewall uses the first entry from the left.

Use XFF Values for Policies and Logging Source Users
Add XFF Values to URL Filtering Logs

Use XFF Values for Policies and Logging Source Users

You can configure the firewall to use XFF values in user-based policies and in the source user fields of logs. To use XFF values in policies, you must also Map IP Addresses to Users, Map Users to Groups (if you have group-based policies), and configure policies based on users or groups.

Logging XFF values doesn't populate the source IP address values of logs. When you view the logs, the source field displays the IP address of the proxy server if one is deployed between the user clients and the firewall. However, you can configure the firewall to Add XFF Values to URL Filtering Logs so that you can see user IP addresses in those logs.

To ensure that attackers can't read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.

These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policies and logs.
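The following is an added example, not code from the PAN-OS guide, showing the two XFF behaviours just described in the order the page gives them: read the leftmost XFF entry for user identification and logging first, then strip the header before the request leaves. It assumes (my assumptions) that headers are handled as a name-to-value dictionary, that an entry which is not a valid IP address is kept as an opaque string (the page says the firewall then treats it as a username), and that the URL Filtering log value is cut at 128 characters; the proxy and client addresses are constructed sample data.

```python
"""Added example (not from the PAN-OS guide): proxy-aware XFF handling on a
gateway, with identification and logging done before the header is stripped.

Assumptions (mine): headers are a dict of name -> value; the leftmost XFF
entry identifies the client (the page's rule); a non-IP entry is passed on as
an opaque string used as a username; log values are limited to 128 characters.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

XFF = "x-forwarded-for"
MAX_LOG_VALUE = 128   # page: URL Filtering logs store up to 128 XFF characters


def xff_entries(headers: Dict[str, str]) -> List[str]:
    """Split a comma-separated XFF header into entries (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == XFF:
            return [v.strip() for v in value.split(",") if v.strip()]
    return []


def client_identity(headers: Dict[str, str]) -> Tuple[Optional[str], bool]:
    """Return (identity, is_ip): the leftmost XFF entry and whether it parsed as an IP."""
    entries = xff_entries(headers)
    if not entries:
        return None, False
    first = entries[0]
    try:
        return str(ipaddress.ip_address(first)), True
    except ValueError:
        return first, False   # invalid IP: the page says it is used as a username


def xff_log_value(headers: Dict[str, str]) -> Optional[str]:
    """Value written to the URL Filtering log (assumption: truncated to 128 chars)."""
    entries = xff_entries(headers)
    if not entries:
        return None
    return ", ".join(entries)[:MAX_LOG_VALUE]


def strip_xff(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with every XFF header removed for egress."""
    return {k: v for k, v in headers.items() if k.lower() != XFF}


def process_request(headers: Dict[str, str], ip_user_map: Dict[str, str]):
    """Use the XFF value for policy and logging first, then strip it for the
    outbound request. Returns (log_record, outbound_headers)."""
    identity, is_ip = client_identity(headers)
    src_user = ip_user_map.get(identity) if is_ip else identity
    record = {"src_user": src_user, "xff": xff_log_value(headers)}
    return record, strip_xff(headers)


# Constructed sample: proxy 10.0.0.5 forwards a request from client 192.168.54.56,
# and the IP-to-user mapping (from User-ID) knows that client.
SAMPLE_HEADERS = {"Host": "www.example.com", "X-Forwarded-For": "192.168.54.56, 10.0.0.5"}
SAMPLE_IP_USERS = {"192.168.54.56": "acme\\jdoe"}

if __name__ == "__main__":
    rec, out = process_request(SAMPLE_HEADERS, SAMPLE_IP_USERS)
    print(rec)   # source user resolved from the leftmost XFF entry
    print(out)   # no X-Forwarded-For header leaves the gateway
```

The ordering in process_request is the point: the user lookup and the log record are built from the header before strip_xff runs, so stripping for outbound privacy never costs you the identity in policy or logs.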
Use XFF Values for Policies and Logging Source Users

Step 1: Enable the firewall to use XFF values in policies and in the source user fields of logs.
1.
2.
Use XFF Values for Policies and Logging Source Users (Continued)

Step 2: Remove XFF values from outgoing web requests.
1.
2. Click OK and Commit.

Step 3: Verify the firewall is populating the source user fields of logs.
1. Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
2. Verify that the Source User column displays the usernames of users who access the web.
Add XFF Values to URL Filtering Logs

You can configure the firewall to add the XFF values from web requests to URL Filtering logs. The XFF values that the logs display can be client IP addresses, usernames if available, or any values of up to 128 characters that the XFF fields store.

This method of logging XFF values doesn't add usernames to the source user fields in URL Filtering logs. To populate the source user fields, see Use XFF Values for Policies and Logging Source Users.

Add XFF Values to URL Filtering Logs

Step 1: Configure a URL Filtering profile.
1.
2. Select an existing profile or Add a new profile and enter a descriptive Name.
   You can't enable XFF logging in the default URL Filtering profile.
3. In the Categories tab, Define how to control access to web content.
4. Select the Settings tab and select the X-Forwarded-For check box.
5. Click OK to save the profile.

Step 2: Attach the URL Filtering profile to a policy rule.
1.
2. Select the Actions tab, set the Profile Type to Profiles, and select the URL Filtering profile you just created.
3. Click OK and Commit.

Step 3: Verify the firewall is logging XFF values.
1.
2.
Policy-Based Forwarding

Normally, the firewall uses the destination IP address in a packet to determine the outgoing interface. The firewall uses the routing table associated with the virtual router to which the interface is connected to perform the route lookup. Policy-Based Forwarding (PBF) allows you to override the routing table and specify the outgoing or egress interface based on specific parameters such as source or destination IP address, or type of traffic.

PBF
Create a Policy-Based Forwarding Rule
Use Case: PBF for Outbound Access with Dual ISPs
Use Case: PBF for Routing Traffic Through Virtual Systems

PBF

PBF rules allow traffic to take an alternative path from the next hop specified in the route table, and are typically used to specify an egress interface for security or performance reasons. Let's say your company has two links between the corporate office and the branch office: a cheaper Internet link and a more expensive leased line. The leased line is a high-bandwidth, low-latency link. For enhanced security, you can use PBF to send applications whose traffic isn't encrypted, such as FTP traffic, over the private leased line and all other traffic over the Internet link. Or, for performance, you can choose to route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link.

Egress Path and Symmetric Return

Using PBF, you can direct traffic to a specific interface on the firewall, drop the traffic, or direct traffic to another virtual system (on systems enabled for multiple virtual systems).

In networks with asymmetric routes, such as in a dual ISP environment, connectivity issues occur when traffic arrives at one interface on the firewall and leaves from another interface. If the route is asymmetrical, where the forward (SYN packet) and return (SYN/ACK) paths are different, the firewall is unable to track the state of the entire session and this causes a connection failure. To ensure that the traffic uses a symmetrical path, which means that the traffic arrives at and leaves from the same interface on which the session was created, you can enable the Symmetric Return option.

With symmetric return, the virtual router overrides a routing lookup for return traffic and instead directs the flow back to the MAC address from which it received the SYN packet (or first packet). However, if the destination IP address is on the same subnet as the ingress/egress interface's IP address, a route lookup is performed and symmetric return is not enforced. This behavior prevents traffic from being black-holed.
To determine the next hop for symmetric returns, the firewall uses an Address Resolution Protocol (ARP) table. The maximum number of entries that this ARP table supports is limited by the firewall model and the value is not user-configurable. To determine the limit for your model, use the CLI command: show pbf return-mac all.

Path Monitoring

Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct traffic through an alternate route when needed. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.

A monitoring profile allows you to specify the threshold number of heartbeats used to determine whether the IP address is reachable. When the monitored IP address is unreachable, you can either disable the PBF rule or specify a fail-over or wait-recover action. Disabling the PBF rule allows the virtual router to take over the routing decisions. When the fail-over or wait-recover action is taken, the monitoring profile continues to monitor whether the target IP address is reachable, and when it comes back up, the firewall reverts to using the original route.

The following table lists the difference in behavior for a path monitoring failure on a new session versus an established session.

Behavior of a session on a monitoring failure:

For an established session
- If the rule stays enabled when the monitored IP address is unreachable:
  wait-recover: Continue to use the egress interface specified in the PBF rule.
  fail-over: Use the path determined by the routing table (no PBF).
- If the rule is disabled when the monitored IP address is unreachable:
  wait-recover: Continue to use the egress interface specified in the PBF rule.
  fail-over: Use the path determined by the routing table (no PBF).

For a new session
- If the rule stays enabled when the monitored IP address is unreachable:
  wait-recover: Use the path determined by the routing table (no PBF).
  fail-over: Use the path determined by the routing table (no PBF).
- If the rule is disabled when the monitored IP address is unreachable:
  wait-recover: Check the remaining PBF rules. If no match, use the routing table.
  fail-over: Check the remaining PBF rules. If no match, use the routing table.
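The following is an added example, not code from the PAN-OS guide, that models path monitoring and the behavior table above as a small state machine: heartbeats drive a reachable/unreachable state, and the forwarding decision depends on whether the session is new or established, whether the rule is configured to be disabled on failure, and whether its action is wait-recover or fail-over. It assumes (my assumptions) that the monitoring profile reduces to a count of consecutive missed heartbeats, that the remaining PBF rules are passed in as the rules that would match the session in evaluation order, and that "routing-table" stands for a normal route lookup with no PBF. The interface names are constructed sample values.

```python
"""Added example (not from the PAN-OS guide): a model of PBF path monitoring
and of the new-vs-established session behaviour table.

Assumptions (mine): a monitoring profile is a threshold of consecutive missed
ICMP heartbeats; other_rules are the remaining PBF rules that would match the
session, in evaluation order; ROUTING_TABLE means a plain route lookup (no PBF).
"""
from dataclasses import dataclass
from typing import List, Sequence

ROUTING_TABLE = "routing-table"


@dataclass
class PbfRule:
    name: str
    egress: str                 # egress interface configured in the rule
    action: str                 # "wait-recover" or "fail-over"
    disable_on_failure: bool    # disable the rule when the target is unreachable
    threshold: int = 3          # missed heartbeats before "unreachable" (assumption)
    missed: int = 0
    unreachable: bool = False

    def heartbeat(self, reply: bool) -> bool:
        """Feed one ICMP heartbeat result; return True while the target is reachable."""
        if reply:
            self.missed = 0
            self.unreachable = False      # target is back: revert to the PBF path
        else:
            self.missed += 1
            if self.missed >= self.threshold:
                self.unreachable = True
        return not self.unreachable

    @property
    def enabled(self) -> bool:
        return not (self.unreachable and self.disable_on_failure)


def egress_for(rule: PbfRule, established: bool,
               other_rules: Sequence[PbfRule] = ()) -> str:
    """Decide the path a session takes, following the behaviour table."""
    if not rule.unreachable:
        return rule.egress
    if established:
        # Both columns of the table agree for an established session.
        return rule.egress if rule.action == "wait-recover" else ROUTING_TABLE
    if rule.enabled:
        # Rule stays enabled: a new session uses the routing table (no PBF).
        return ROUTING_TABLE
    # Rule disabled: check the remaining PBF rules, else the routing table.
    for other in other_rules:
        if other.enabled and not other.unreachable:
            return other.egress
    return ROUTING_TABLE


def simulate(rule: PbfRule, replies: Sequence[bool]) -> List[bool]:
    """Feed a sequence of heartbeat results; return reachability after each."""
    return [rule.heartbeat(r) for r in replies]


if __name__ == "__main__":
    primary = PbfRule("Use ISP-Pr", "ethernet1/1", "fail-over", disable_on_failure=True)
    backup = PbfRule("Use ISP-Bk", "ethernet1/3", "fail-over", disable_on_failure=True)
    print(simulate(primary, [True, False, False, False]))       # [True, True, True, False]
    print(egress_for(primary, established=True))                 # routing-table
    print(egress_for(primary, established=False, other_rules=[backup]))   # ethernet1/3
```

The model makes one consequence of the table visible: with wait-recover, existing sessions keep flowing out the monitored interface even after the target is declared unreachable, so a failure that only affects some destinations does not tear down healthy sessions, while new sessions are routed around it.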
Service Versus Applications in PBF

PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.

However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application, creates an entry in the App-ID cache, and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same as that of the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application can be forwarded based on the PBF rule.
Further, applications have dependencies, and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However, with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter.

PBF rules cannot be based on domain names; only IP addresses are valid. Also, you cannot use custom applications, application filters or application groups in PBF rules.
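The following is an added example, not code from the PAN-OS guide, that models the App-ID caching behaviour described above to show why an application-based PBF rule can route a session onto the wrong path while a service-based rule cannot. It assumes (my assumptions) that the application is unknown at the SYN and is learned only after later packets, and that the cache key is (destination IP, destination port, protocol) as the page states; the addresses, egress names and application names are constructed sample values.

```python
"""Added example (not from the PAN-OS guide): why application-based PBF rules
misroute, modelled on the App-ID cache keyed by (dst ip, dst port, protocol).

Assumptions (mine): at the SYN the application is unknown unless cached; the
true application becomes known after more packets and is then cached; PBF
cannot change the egress of a session once chosen.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CacheKey = Tuple[str, int, int]          # (destination ip, destination port, protocol)
ServiceKey = Tuple[int, int]             # (protocol, destination port)


@dataclass
class Session:
    dst_ip: str
    dst_port: int
    proto: int
    true_app: str                        # what App-ID eventually identifies
    chosen_egress: Optional[str] = None  # decided at the SYN, never revisited


class PbfEngine:
    def __init__(self, app_rules: Dict[str, str], service_rules: Dict[ServiceKey, str],
                 default: str = "routing-table"):
        self.app_rules = app_rules            # application -> egress (not recommended)
        self.service_rules = service_rules    # (proto, port) -> egress (recommended)
        self.default = default
        self.appid_cache: Dict[CacheKey, str] = {}

    def on_syn(self, s: Session) -> str:
        """PBF decision at the first packet: only a service match or a cached App-ID helps."""
        egress = self.service_rules.get((s.proto, s.dst_port))
        if egress is None:
            cached_app = self.appid_cache.get((s.dst_ip, s.dst_port, s.proto))
            egress = self.app_rules.get(cached_app, self.default)
        s.chosen_egress = egress
        return egress

    def on_app_identified(self, s: Session) -> None:
        """Later packets reveal the application: too late for this session's
        path, but the App-ID is cached for future sessions with the same key."""
        self.appid_cache[(s.dst_ip, s.dst_port, s.proto)] = s.true_app

    def intended_egress(self, s: Session) -> str:
        """The path the rules would pick if the application were known up front."""
        return (self.service_rules.get((s.proto, s.dst_port))
                or self.app_rules.get(s.true_app, self.default))


def misrouted_sessions(engine: PbfEngine, sessions: List[Session]) -> List[Session]:
    """Run sessions through the engine in order; return those that took the wrong path."""
    wrong = []
    for s in sessions:
        engine.on_syn(s)
        engine.on_app_identified(s)
        if s.chosen_egress != engine.intended_egress(s):
            wrong.append(s)
    return wrong


if __name__ == "__main__":
    # Constructed scenario: an app-based rule sends "ftp" over the leased line.
    eng = PbfEngine({"ftp": "leased-line"}, {})
    flows = [Session("203.0.113.10", 21, 6, "ftp"),
             Session("203.0.113.10", 21, 6, "ftp"),
             Session("203.0.113.10", 21, 6, "unknown-tcp")]
    print([s.chosen_egress for s in misrouted_sessions(eng, flows)])
```

Run as a script, the first ftp session goes to the routing table because nothing is cached yet, and the third session, a different application to the same destination and port, is sent over the leased line on the strength of the cached ftp entry; with a service rule for TCP/21 in place, all three are routed at the SYN and nothing is misrouted.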
Create a Policy-Based Forwarding Rule

Use a PBF rule to direct traffic to a specific egress interface on the firewall and override the default path for the traffic.

Create a PBF Rule

Step 1: Create a PBF rule.

When creating a PBF rule you must specify a name for the rule, a source zone or interface, and an egress interface. All other components are either optional or have a default value provided.

1.
2.
3.
4. In the Destination/Application/Service tab, select the following:
   a. Destination Address. By default the rule applies to Any IP address. Use the Negate option to exclude one or more destination IP addresses from the PBF rule.
   b. Select the Application(s) or Service(s) that you want to control using PBF.
      Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application. For more details, see Service Versus Applications in PBF.
5. In the Forwarding tab, select the following:
   a. Set the Action. The options are as follows:
      Forward: Directs the packet to a specific Egress Interface. Enter the Next Hop IP address for the packet.
      Forward To VSYS: (On a firewall enabled for multiple virtual systems) Select the virtual system to which to forward the packet.
      Discard: Drop the packet.
      No PBF: Exclude the packets that match the criteria for source/destination/application/service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
      To trigger the specified action at a daily, weekly or non-recurring frequency, create and attach a Schedule.
      (Optional) Enable Monitoring to verify connectivity to a target IP address or to the next hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action when the IP address is unreachable.
   b. (Optional, required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List.
      Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the Internet) is forwarded out through the same interface through which traffic ingresses from the Internet.

Step 2: Save the policies to the running configuration on the firewall.
Click Commit.
The PBF rule is in effect.
Use Case: PBF for Outbound Access with Dual ISPs

In this use case, the branch office has a dual ISP configuration and implements PBF for redundant Internet access. The backup ISP is the default route for traffic from the client to the web servers. In order to enable redundant Internet access without using an internetwork protocol such as BGP, we use PBF with destination-interface-based source NAT and static routes, and configure the firewall as follows:
- Enable a PBF rule that routes traffic through the primary ISP, and attach a monitoring profile to the rule. The monitoring profile triggers the firewall to use the default route through the backup ISP when the primary ISP is unavailable.
- Define Source NAT rules for both the primary and backup ISP that instruct the firewall to use the source IP address associated with the egress interface for the corresponding ISP. This ensures that the outbound traffic has the correct source IP address.
- Add a static route to the backup ISP, so that when the primary ISP is unavailable, the default route comes into effect and the traffic is directed through the backup ISP.
PBF for Outbound Access with Dual ISPs

Step 1: Configure the ingress and the egress interfaces on the firewall.
Egress interfaces can be in the same zone. In this example we assign the egress interfaces to different zones.
1.
2. To save the interface configuration, click OK.

PBF for Outbound Access with Dual ISPs (Continued)

Step 2: On the virtual router, add a static route to the backup ISP.
1.
2. Select the Static Routes tab and click Add. Enter a Name for the route and specify the Destination IP address for which you are defining the static route. In this example, we use 0.0.0.0/0 for all traffic.
3.
4. Specify a cost metric for the route. In this example, we use 10.
5. Click OK twice to save the virtual router configuration.
PBF for Outbound Access with Dual ISPs (Continued)

Step 3: Create a PBF rule that directs traffic to the interface that is connected to the primary ISP.
Make sure to exclude traffic destined to internal servers/IP addresses from PBF. Define a negate rule so that traffic destined to internal IP addresses is not routed through the egress interface defined in the PBF rule.
1.
2. Give the rule a descriptive Name in the General tab.
3.
4. In the Destination/Application/Service tab, set the following:
   a. In the Destination Address section, Add the IP addresses or address range for servers on the internal network, or create an address object for your internal servers. Select Negate to exclude the IP addresses or address object listed above from using this rule.
   b. In the Service section, Add the service-http and service-https services to allow HTTP and HTTPS traffic to use the default ports. For all other traffic that is allowed by security policy, the default route will be used.
      To forward all traffic using PBF, set the Service to Any.
5. In the Forwarding tab, specify the interface to which you want to forward traffic and enable path monitoring.
   a. To forward traffic, set the Action to Forward, select the Egress Interface and specify the Next Hop. In this example, the egress interface is ethernet1/1, and the next hop IP address is 1.1.1.1.
   b. Enable Monitor and attach the default monitoring profile to trigger a failover to the backup ISP. In this example, we do not specify a target IP address to monitor. The firewall will monitor the next hop IP address; if this IP address is unreachable, the firewall will direct traffic to the default route specified on the virtual router.
   c. (Required if you have asymmetric routes) Select Enforce Symmetric Return to ensure that return traffic from the Trust zone to the Internet is forwarded out on the same interface through which traffic ingressed from the Internet. NAT ensures that the traffic from the Internet is returned to the correct interface/IP address on the firewall.
   d. Click OK to save the changes.
Step 4: Create NAT rules based on the egress interface and ISP. These rules ensure that the correct source IP address is used for outbound connections.
1.
2.

PBF for Outbound Access with Dual ISPs (Continued)

Step 5: Create security policy to allow outbound access to the Internet.
To safely enable applications, create a simple rule that allows access to the Internet and attach the security profiles available on the firewall.
1.
2. Give the rule a descriptive Name in the General tab.
3.
4. In the Destination tab, set the Destination Zone to ISP-East and ISP-West.
5.
6. In the Actions tab, complete these tasks:
   a. Set the Action Setting to Allow.
   b. Attach the default profiles for Antivirus, Anti-Spyware, Vulnerability Protection and URL Filtering, under Profile Setting.
7. Under Options, verify that logging is enabled at the end of a session. Only traffic that matches a security rule is logged.

Step 6: Save the policies to the running configuration on the firewall.
Click Commit.
PBF for Outbound Access with Dual ISPs (Continued)

Step 7: Verify that the PBF rule is active and that the primary ISP is used for Internet access.
1. Launch a web browser and access a web server. On the firewall, check the traffic log for web-browsing activity.
2. From a client on the network, use the ping utility to verify connectivity to a web server on the Internet, and check the traffic log on the firewall.

C:\Users\pm-user1>ping 4.2.2.1
Pinging 4.2.2.1 with 32 bytes of data:
Reply from 4.2.2.1: bytes=32 time=34ms TTL=117
Reply from 4.2.2.1: bytes=32 time=13ms TTL=117
Reply from 4.2.2.1: bytes=32 time=25ms TTL=117
Reply from 4.2.2.1: bytes=32 time=3ms TTL=117
Ping statistics for 4.2.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 34ms, Average = 18ms

3. To confirm that the PBF rule is active, use the CLI command show pbf rule all.

admin@PA-NGFW> show pbf rule all
Rule       ID  Rule State Action  Egress IF/VSYS NextHop
========== === ========== ====== ============== =======
Use ISP-Pr 1   Active     Forward ethernet1/1    1.1.1.1
Step 8: Verify that the failover to the backup ISP occurs and that the Source NAT is correctly applied.
1. Unplug the connection to the primary ISP.
2. Confirm that the PBF rule is inactive with the CLI command show pbf rule all.

admin@PA-NGFW> show pbf rule all
Rule       ID  Rule State Action  Egress IF/VSYS NextHop
========== === ========== ====== ============== =======
Use ISP-Pr 1   Disabled   Forward ethernet1/1    1.1.1.1

3. Access a web server, and check the traffic log to verify that traffic is being forwarded through the backup ISP.

PBF for Outbound Access with Dual ISPs (Continued)

4. View the session details to confirm that the NAT rule is working properly.
admin@PA-NGFW> show session all
--------------------------------------------------------
ID      Application  State   Type  Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys    Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------
87212   ssl          ACTIVE  FLOW  NS    192.168.54.56[53236]/Trust/6 (2.2.2.2[12896])
vsys1   204.79.197.200[443]/ISP-East (204.79.197.200[443])

5. Obtain the session identification number from the output and view the session details. Note that the PBF rule is not used and hence is not listed in the output.
admin@PA-NGFW> show session id 87212
Session           87212
  c2s flow:
    source:      192.168.54.56 [Trust]
    dst:         204.79.197.200
    proto:       6
    sport:       53236           dport:      443
    state:       ACTIVE          type:       FLOW
    src user:    unknown
    dst user:    unknown
  s2c flow:
    source:      204.79.197.200 [ISP-East]
    dst:         2.2.2.2
    proto:       6
    sport:       443             dport:      12896
    state:       ACTIVE          type:       FLOW
    src user:    unknown
    dst user:    unknown
  start time                    : Wed Nov 5 11:16:10 2014
  timeout                       : 1800 sec
  time to live                  : 1757 sec
  total byte count(c2s)         : 1918
  total byte count(s2c)         : 4333
  layer7 packet count(c2s)      : 10
  layer7 packet count(s2c)      : 7
  vsys                          : vsys1
  application                   : ssl
  rule                          : Trust2ISP
  session to be logged at end   : True
  session in session ager       : True
  session synced from HA peer   : False
  address/port translation      : source
  nat-rule                      : NAT-Backup ISP(vsys1)
  layer7 processing             : enabled
  URL filtering enabled         : True
  URL category                  : search-engines
  session via syn-cookies       : False
  session terminated on host    : False
  session traverses tunnel      : False
  captive portal session        : False
  ingress interface             : ethernet1/2
  egress interface              : ethernet1/3
  session QoS rule              : N/A (class 4)
DoS Protection Against Flooding of New Sessions

The following topics describe how to configure DoS protection to better block IP addresses in order to handle high-volume attacks more efficiently.

DoS Protection Against Flooding of New Sessions
Configure DoS Protection Against Flooding of New Sessions
Use the CLI to End a Single Attacking Session
Identify Sessions That Use an Excessive Percentage of the Packet Buffer
Discard a Session Without a Commit

DoS Protection Against Flooding of New Sessions

DoS protection against flooding of new sessions is beneficial against high-volume single-session and multiple-session attacks. In a single-session attack, an attacker uses a single session to target a device behind the firewall. If a Security rule allows the traffic, the session is established and the attacker initiates an attack by sending packets at a very high rate with the same source IP address and port number, destination IP address and port number, and protocol, trying to overwhelm the target. In a multiple-session attack, an attacker uses multiple sessions (or connections per second [cps]) from a single host to launch a DoS attack.

This feature defends only against DoS attacks of new sessions, that is, traffic that has not been offloaded to hardware. An offloaded attack is not protected by this feature. However, this topic describes how you can create a Security policy rule to reset the client; the attacker reinitiates the attack with numerous connections per second and is blocked by the defenses illustrated in this topic.

Multiple-Session DoS Attack
Single-Session DoS Attack

Multiple-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions by configuring a DoS Protection policy rule, which determines the criteria that, when matched by incoming packets, trigger the protect action. The DoS Protection profile counts each new connection toward the Alarm Rate, Activate Rate, and Max Rate thresholds. When the incoming new connections per second exceed the Max Rate allowed, the firewall takes the action specified in the DoS Protection policy rule.

The following figure and table describe how the Security policy rules, DoS Protection policy rules and profile work together in an example.
Sequence of Events as Firewall Quarantines an IP Address

In this example, an attacker launches a DoS attack at a rate of 10,000 new connections per second to UDP port 53. The attacker also sends 10 new connections per second to HTTP port 80.

The new connections match criteria in the DoS Protection policy rule, such as a source zone or interface, source IP address, destination zone or interface, destination IP address, or a service, among other settings. In this example, the policy rule specifies UDP.

The DoS rule also specifies the Protect action and Classified, two settings that dynamically put the DoS Protection Profile settings into effect. The DoS Protection Profile specifies that a Max Rate of 3000 packets per second is allowed. When incoming packets match the DoS rule, new connections per second are counted toward the Alert, Activate, and Max Rate thresholds.

You can also use a Security policy rule to block all traffic from the source IP address if you deem that address to be malicious all the time.

The 10,000 new connections per second exceed the Max Rate threshold. When all of the following occur:
- the threshold is exceeded,
- a Block Duration is specified, and
- Classified is set to include the source IP address,
the firewall puts the offending source IP address on the block list.

An IP address on the block list is in quarantine, meaning all traffic from that IP address is blocked. The firewall blocks the offending source IP address before additional attack packets reach the Security policy.

The following figure describes in more detail what happens after an IP address that matches the DoS Protection policy rule is put on the block list. It also describes the Block Duration timer.
Every one second, the firewall allows the IP address to come off the Block List so that the firewall can test the traffic patterns and determine if the attack is ongoing. The firewall takes the following action:

During this one-second test period, the firewall allows packets that do not match the DoS Protection policy criteria (HTTP traffic in this example) through the DoS Protection policy rules to the Security policy for validation. Very few packets, if any, have time to get through because the first attack packet that the firewall receives after the IP address is let off the Block List will match the DoS Protection policy criteria, quickly causing the IP address to be placed back on the block list for another second. The firewall repeats this test each second until the attack stops.

The firewall blocks all attack traffic from going past the DoS Protection policy rules until the Block Duration expires.

When the attack stops, the firewall does not put the IP address back on the block list. The firewall allows non-attack traffic to proceed through the DoS Protection policy rules to the Security policy rules for validation. You must configure a Security policy rule because without one, an implicit deny rule denies all traffic.

The block list is based on a source zone and source address combination. This behavior allows duplicate IP addresses to exist as long as they are in different zones belonging to separate virtual routers.

The Block Duration setting in a DoS Protection profile specifies how long the firewall blocks the [offending] packets that exactly match a DoS Protection policy rule. The attack traffic remains blocked until the Block Duration expires, after which the attack traffic must again exceed the Max Rate threshold to be blocked again.
If the attacker uses multiple sessions or bots that initiate multiple attack sessions, the sessions count toward the thresholds in the DoS Protection profile without a Security policy deny rule in place. Hence, a single session attack requires a Security policy deny rule in order for each packet to count toward the thresholds; a multiple session attack does not.

Therefore, the DoS protection against flooding of new sessions allows the firewall to efficiently defend against a source IP address while attack traffic is ongoing and to permit non-attack traffic to pass as soon as the attack stops. Putting the offending IP address on the block list allows the DoS protection functionality to take advantage of the block list, which is designed to quarantine all activity. Quarantining the IP address from all activity protects against a modern attacker who attempts a rotating application attack, in which the attacker simply changes applications to start a new attack or uses a combination of different attacks in a hybrid DoS attack.

Beginning with PAN-OS 7.0.2, it is a change in behavior that the firewall places the attacking source IP address on the block list. When the attack stops, non-attack traffic is allowed to proceed to the Security policy rules. The attack traffic that matched the DoS Protection profile and DoS Protection policy rules remains blocked until the Block Duration expires.
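A simulation of the quarantine sequence just described, written as an added example rather than code from the guide or from Palo Alto Networks: it counts new connections per classified source IP against Max Rate, puts the source on the block list when a Block Duration is set, re-tests non-matching traffic each second, and lets the counter start over once the Block Duration expires. The attacker address, the packet timings, and the exact way the one-second test period is modelled are assumptions.

```python
"""Simulation of the Classified DoS Protection block-list sequence described
above (added example, not Palo Alto Networks code). Thresholds follow the
text: Max Rate 3000 new connections/s, Block Duration 300 s, Address =
source-ip-only. How the one-second test period interacts with Block Duration
is modelled from the description; all packets and timings are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class DoSProfile:
    max_rate: int = 3000       # new connections/s allowed per classified source
    block_duration: int = 300  # seconds; must be > 0 for block listing to happen


@dataclass
class Packet:
    t: float        # seconds since the start of the simulation
    src_ip: str
    protocol: str   # "udp" or "tcp"
    dport: int


class ClassifiedDoSRule:
    """DoS Protection policy rule: Action = Protect, Classified, source-ip-only."""

    def __init__(self, service, profile, security_allow):
        self.service = service                 # the rule's Service (UDP in the text)
        self.profile = profile
        self.security_allow = security_allow   # the Security policy, as a callable
        self.cps = defaultdict(int)            # (src_ip, second) -> new connections seen
        self.block_until = {}                  # src_ip -> time the Block Duration expires
        self.relisted = {}                     # src_ip -> second it was put back on the list

    def matches(self, pkt):
        return pkt.protocol == self.service

    def handle(self, pkt):
        """Return the verdict for one new-session packet."""
        second = int(pkt.t)
        expiry = self.block_until.get(pkt.src_ip)
        if expiry is not None and pkt.t < expiry:
            if self.matches(pkt):
                # Attack traffic never passes the DoS rule before Block Duration
                # expires, and it ends this second's test period for the IP.
                self.relisted[pkt.src_ip] = second
                return "drop: block list"
            if self.relisted.get(pkt.src_ip) == second:
                return "drop: quarantined"     # back on the list for the rest of the second
            return self.to_security(pkt)       # one-second test period: Security policy decides
        if expiry is not None:
            del self.block_until[pkt.src_ip]   # Block Duration expired; counting starts over
        if self.matches(pkt):
            self.cps[(pkt.src_ip, second)] += 1
            if self.cps[(pkt.src_ip, second)] > self.profile.max_rate:
                if self.profile.block_duration > 0:   # and Classified includes the source IP
                    self.block_until[pkt.src_ip] = pkt.t + self.profile.block_duration
                return "drop: max rate exceeded"
        return self.to_security(pkt)

    def to_security(self, pkt):
        return "allow" if self.security_allow(pkt) else "drop: security policy"


def run_example():
    """Replay the text's scenario: 10,000 UDP/53 cps plus some HTTP from one host."""
    attacker = "203.0.113.5"   # constructed attacker address
    rule = ClassifiedDoSRule("udp", DoSProfile(), security_allow=lambda p: True)
    r = {"second0": Counter()}
    # Second 0: 10,000 new UDP/53 sessions; the 3001st exceeds Max Rate.
    for i in range(10_000):
        r["second0"][rule.handle(Packet(i / 10_000, attacker, "udp", 53))] += 1
    r["http_in_attack_second"] = rule.handle(Packet(0.95, attacker, "tcp", 80))
    # Second 1: attack continues; HTTP sent before the first attack packet passes the test.
    r["http_test_period"] = rule.handle(Packet(1.10, attacker, "tcp", 80))
    r["udp_second_1"] = rule.handle(Packet(1.20, attacker, "udp", 53))
    r["http_after_relist"] = rule.handle(Packet(1.30, attacker, "tcp", 80))
    # Attack stops after second 1: non-attack traffic proceeds to the Security policy.
    r["http_attack_stopped"] = rule.handle(Packet(2.50, attacker, "tcp", 80))
    # A stray attack packet inside Block Duration is still dropped ...
    r["udp_within_block"] = rule.handle(Packet(100.0, attacker, "udp", 53))
    # ... but after it expires the rate must exceed Max Rate again to be blocked.
    r["udp_after_block"] = rule.handle(Packet(301.0, attacker, "udp", 53))
    return r
```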
Single Session DoS Attack

A single session DoS attack typically will not trigger Zone or DoS Protection profiles because they are attacks that are formed after the session is created. These attacks are allowed by the Security policy because a session is allowed to be created, and after the session is created, the attack drives up the packet volume and takes down the target device.

Configure DoS Protection Against Flooding of New Sessions to protect against flooding of new sessions (single session and multiple session flooding). In the event of a single session attack that is underway, additionally Use the CLI to End a Single Attacking Session.

Configure DoS Protection Against Flooding of New Sessions
Step 1: (Required for single session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple session attack mitigation) Configure Security policy rules to deny traffic from the attacker's IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address. See Components of a Security Policy Rule and Create a Security Policy Rule.
This step is one of the steps typically performed to stop an existing attack. See Use the CLI to End a Single Attacking Session.
Step 2: Configure a DoS Protection profile for flood protection.
Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
1.
2.
3.
4. (Optional) On each of the flood tabs, change the following thresholds to suit your environment:
Alarm Rate (packets/s): Specify the threshold rate (packets per second [pps]) above which a DoS alarm is generated. (Range is 0-2000000; default is 10000.)
Activate Rate (packets/s): Specify the threshold rate (pps) above which a DoS response is activated. The DoS response is configured in the Action field of the DoS policy where this profile is referenced. When the Activate Rate threshold is reached, Random Early Drop occurs. (Range is 0-2000000; default is 10000.)
Max Rate (packets/s): Specify the threshold rate of incoming packets per second that the firewall allows. When the threshold is exceeded, new packets that arrive are dropped and the Action specified in the DoS Policy rule is triggered. (Range is 2-2000000; default is 40000.)
The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.
5. On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21600; default is 300.)
Set a low Block Duration value if you are concerned that packets you incorrectly identified as attack traffic will be blocked unnecessarily.
Set a high Block Duration value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that are not part of an attack.
6. Click OK.
Step 3: Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
1.
2. On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s).
3. (Optional) For Source Address, select Any for any incoming IP address to match the rule or Add an address object such as a geographical region.
4. (Optional) For Source User, select any or specify a user.
5. (Optional) Select Negate to match any sources except those you specify.
6. (Optional) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect.
7. (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.
8. (Optional) On the Option/Protection tab, Add a Service. Select a service or click Service and enter a Name. Select TCP or UDP. Enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
9. On the Option/Protection tab, for Action, select Protect.
10. Select Classified.
11. For Profile, select the name of the DoS Protection profile you created.
12. For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic.
Specify source-ip-only if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack, source-ip-only is the typical setting for a wider examination.
Specify src-dest-ip-both if you want to protect only against DoS attacks on the server that has a specific destination address and also ensure that every source IP address will not surpass a specific connections per second threshold to that server.
13. Click OK.
Step 4: Save the configuration. Click Commit.
Use the CLI to End a Single Attacking Session

To mitigate a single session DoS attack, you would still Configure DoS Protection Against Flooding of New Sessions in advance. At some point after you configure the feature, a session might be established before you realize a DoS attack (from the IP address of that session) is underway. When you see a single session DoS attack, perform the following task to end the session, so that subsequent connection attempts from that IP address trigger the DoS protection against flooding of new sessions.

Step 1: Identify the source IP address that is causing the attack. For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, in PAN-OS 7.0 and later, you can use ACC to filter on destination address to view the activity to the target host being attacked.
Step 2: Create a DoS Protection policy rule that will block the attacker's IP address after the attack thresholds are exceeded.
Step 3: Create a Security policy rule to deny the source IP address and its attack traffic.
Step 4: After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Sequence of Events as Firewall Quarantines an IP Address.
Identify Sessions That Use an Excessive Percentage of the Packet Buffer

When a firewall exhibits signs of resource depletion, it might be experiencing an attack that is sending an overwhelming number of packets. In such events, the firewall starts buffering inbound packets. You can quickly identify the sessions that are using an excessive percentage of the packet buffer and mitigate their impact by discarding them.

Perform the following task on any hardware-based firewall platform (not a VM-Series firewall) to identify, for each slot and dataplane, the packet buffer percentage used, the top five sessions using more than two percent of the packet buffer, and the source IP addresses associated with those sessions. Having that information allows you to take appropriate action.

View Firewall Resource Usage, Top Sessions, and Session Details

Step 1: View firewall resource usage, top sessions, and session details. Execute the following operational command in the CLI (sample output from the command follows):
admin@PA-7050> show running resource-monitor ingress-backlogs

-- SLOT: s1, DP: dp1 --

USAGE - ATOMIC: 92% TOTAL: 93%

TOP SESSIONS:
SESS-ID  PCT  GRP-ID  COUNT
6        92%  1       156
              7       1732

SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided
The command displays a maximum of the top five sessions that each use 2% or more of the packet buffer. The sample output above indicates that Session 6 is using 92% of the packet buffer with TCP packets (protocol 6) coming from source IP address 192.168.2.35.
SESS-ID: Indicates the global session ID that is used in all other show session commands. The global session ID is unique within the firewall.
GRP-ID: Indicates an internal stage of processing packets.
COUNT: Indicates how many packets are in that GRP-ID for that session.
APP: Indicates the App-ID extracted from the Session information, which can help you determine whether the traffic is legitimate. For example, if packets use a common TCP or UDP port but the CLI output indicates an APP of undecided, the packets are possibly attack traffic. The APP is undecided when Application IP Decoders cannot get enough information to determine the application. An APP of unknown indicates that Application IP Decoders cannot determine the application; a session of unknown APP that uses a high percentage of the packet buffer is also suspicious.
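A parser for the output above that picks out sessions worth discarding, added here as an illustration and not part of the guide or of Palo Alto Networks' tooling: it reads the slot and dataplane usage, sums COUNT across the GRP-IDs of each top session, joins that with SESSION DETAILS, and flags sessions holding 2% or more of the buffer whose APP is undecided or unknown. The sample output it parses is constructed after the sample in the text, and the reason string in the generated discard command is an assumption.

```python
"""Parser for 'show running resource-monitor ingress-backlogs' output that
flags sessions to investigate (added example, not Palo Alto Networks code).
SAMPLE_OUTPUT is constructed after the sample in the text; real output can
differ in spacing, so parsing splits on whitespace rather than on columns."""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
-- SLOT: s1, DP: dp1 --

USAGE - ATOMIC: 92% TOTAL: 93%

TOP SESSIONS:
SESS-ID  PCT  GRP-ID  COUNT
6        92%  1       156
              7       1732

SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided
"""


@dataclass
class Session:
    sess_id: int
    proto: int
    szone: str
    src: str
    sport: int
    dst: str
    dport: int
    igr_if: str
    egr_if: str
    app: str
    pct: float = 0.0        # share of the packet buffer (from TOP SESSIONS)
    packets: int = 0        # COUNT summed over all GRP-IDs of the session


@dataclass
class Report:
    slot: str = ""
    dp: str = ""
    atomic_pct: int = 0
    total_pct: int = 0
    sessions: dict = field(default_factory=dict)   # sess_id -> Session


def parse_ingress_backlogs(text):
    """Build a Report from one slot/dataplane block of command output."""
    rep, section, last_id, pct, counts = Report(), None, None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"-- SLOT:\s*(\S+), DP:\s*(\S+)", line)
        if m:
            rep.slot, rep.dp = m.groups()
            continue
        m = re.match(r"USAGE - ATOMIC:\s*(\d+)% TOTAL:\s*(\d+)%", line)
        if m:
            rep.atomic_pct, rep.total_pct = map(int, m.groups())
            continue
        if line.startswith("TOP SESSIONS"):
            section = "top"
            continue
        if line.startswith("SESSION DETAILS"):
            section = "details"
            continue
        if line.startswith("SESS-ID"):
            continue                                   # column header row
        f = line.split()
        if section == "top":
            if len(f) == 4:                            # new session row
                last_id = int(f[0])
                pct[last_id] = float(f[1].rstrip("%"))
                counts[last_id] = int(f[3])
            elif len(f) == 2 and last_id is not None:  # extra GRP-ID of the same session
                counts[last_id] += int(f[1])
        elif section == "details" and len(f) == 10:
            sid = int(f[0])
            rep.sessions[sid] = Session(sid, int(f[1]), f[2], f[3], int(f[4]), f[5],
                                        int(f[6]), f[7], f[8], f[9],
                                        pct.get(sid, 0.0), counts.get(sid, 0))
    return rep


def suspicious_sessions(rep, min_pct=2.0, apps=("undecided", "unknown")):
    """Sessions holding at least min_pct of the buffer whose App-ID is undecided or unknown."""
    return [s for s in rep.sessions.values() if s.pct >= min_pct and s.app in apps]


def discard_command(session, timeout=3600, reason="packet-buffer"):
    """The CLI command from the text that discards a session without a commit
    (the reason string is an assumption)."""
    return f"request session discard timeout {timeout} reason {reason} id {session.sess_id}"
```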
To restrict the display output:
On a PA-7000 Series platform, you can limit output to a slot, a dataplane, or both. For example:
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 dp dp1
On a PA-5000 Series platform, you can limit output to a dataplane. For example:
admin@PA-5060> show running resource-monitor ingress-backlogs dp dp1
Step 2: Use the command output to determine whether the source at the source IP address using a high percentage of the packet buffer is sending legitimate or attack traffic.
In the sample output above, a single session attack is likely occurring. A single session (Session ID 6) is using 92% of the packet buffer for Slot 1, DP 1, and the application at that point is undecided.
If you determine a single user is sending an attack and the traffic is not offloaded, you can Use the CLI to End a Single Attacking Session. At a minimum, you can Configure DoS Protection Against Flooding of New Sessions.

On a hardware platform that has a field-programmable gate array (FPGA), the firewall offloads traffic to the FPGA when possible to increase performance. If the traffic is offloaded to hardware, clearing the session does not help because then it is the software that must handle the barrage of packets. You should instead Discard a Session Without a Commit.

To see whether a session is offloaded or not, use the show session id <session-id> operational command in the CLI as shown in the following example. The layer7 processing value indicates completed for sessions offloaded or enabled for sessions not offloaded.
Discard a Session Without a Commit

Perform this task to permanently discard a session, such as a session that is overloading the packet buffer. No commit is required; the session is discarded immediately after executing the command. The commands apply to both offloaded and non-offloaded sessions.

Step 1: In the CLI, execute the following operational command on any hardware platform:
admin@PA-7050> request session discard [timeout <seconds>] [reason <reason-string>] id <session-id>
The default timeout is 3600 seconds.
Step 2: Verify that sessions have been discarded.
admin@PA-7050> show session all filter state discard
Virtual Systems

This topic describes virtual systems, their benefits, typical use cases, and how to configure them. It also provides links to other topics where virtual systems are documented as they function with other features.
Virtual Systems Overview
Communication Between Virtual Systems
Shared Gateway
Configure Virtual Systems
Configure Inter-Virtual System Communication within the Firewall
Configure a Shared Gateway
Service Routes for Virtual Systems
Customize Service Routes for a Virtual System
DNS Resolution: Three Use Cases
Virtual System Functionality with Other Features

Virtual Systems Overview
Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately managed firewall with its traffic kept separate from the traffic of other virtual systems.

This topic includes the following:
Virtual System Components and Segmentation
Benefits of Virtual Systems
Use Cases for Virtual Systems
Platform Support and Licensing for Virtual Systems
Administrative Roles for Virtual Systems
Shared Objects for Virtual Systems

Virtual System Components and Segmentation

A virtual system is an object that creates an administrative boundary, as shown in the following figure.

A virtual system consists of a set of physical and logical interfaces and subinterfaces (including VLANs and virtual wires), virtual routers, and security zones. You choose the deployment mode(s) (any combination of virtual wire, Layer 2, or Layer 3) of each virtual system. By using virtual systems, you can segment any of the following:
Administrative access
The management of all policies (security, NAT, QoS, policy-based forwarding, decryption, application override, captive portal, and DoS protection)
All objects (such as address objects, application groups and filters, dynamic block lists, security profiles, decryption profiles, custom objects, etc.)
User-ID
Certificate management
Server profiles
Logging, reporting, and visibility functions

Virtual systems affect the security functions of the firewall, but virtual systems alone do not affect networking functions such as static and dynamic routing. You can segment routing for each virtual system by creating one or more virtual routers for each virtual system, as in the following use cases:
If you have virtual systems for departments of one organization, and the network traffic for all of the departments is within a common network, you can create a single virtual router for multiple virtual systems.
If you want routing segmentation and each virtual system's traffic must be isolated from other virtual systems, you can create one or more virtual routers for each virtual system.
Benefits of Virtual Systems

Virtual systems provide the same basic functions as a physical firewall, along with additional benefits:
Segmented administration: Different organizations (or customers or business units) can control (and monitor) a separate firewall instance, so that they have control over their own traffic without interfering with the traffic or policies of another firewall instance on the same physical firewall.
Scalability: After the physical firewall is configured, adding or removing customers or business units can be done efficiently. An ISP, managed security service provider, or enterprise can provide different security services to each customer.
Reduced capital and operational expenses: Virtual systems eliminate the need to have multiple physical firewalls at one location because virtual systems co-exist on one firewall. By not having to purchase multiple firewalls, an organization can save on the hardware expense, electric bills, and rack space, and can reduce maintenance and management expenses.

Use Cases for Virtual Systems

There are many ways to use virtual systems in a network. One common use case is for an ISP or a managed security service provider (MSSP) to deliver services to multiple customers with a single firewall. Customers can choose from a wide array of services that can be enabled or disabled easily. The firewall's role-based administration allows the ISP or MSSP to control each customer's access to functionality (such as logging and reporting) while hiding or offering read-only capabilities for other functions.

Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments. Like the above case, different groups can have different levels of access while IT manages the firewall itself. Services can be tracked and/or billed back to departments to thereby make separate financial accountability possible within an organization.
Platform Support and Licensing for Virtual Systems

Virtual systems are supported on the PA-2000, PA-3000, PA-4000, PA-5000, and PA-7000 Series firewalls. Each firewall series supports a base number of virtual systems; the number varies by platform. A Virtual Systems license is required in the following cases:
To support multiple virtual systems on PA-2000 or PA-3000 Series firewalls.
To create more than the base number of virtual systems supported on a platform.
For license information, see Activate Licenses and Subscriptions. For the base and maximum number of virtual systems supported, see the Compare Firewalls tool.

Multiple virtual systems are not supported on the PA-200, PA-500 or VM-Series firewalls.

Administrative Roles for Virtual Systems

A superuser administrator can create virtual systems and add a Device Administrator, vsysadmin, or vsysreader. A Device Administrator can access all virtual systems, but cannot add administrators. The two types of virtual system administrative roles are:
vsysadmin: Grants full access to a virtual system.
vsysreader: Grants read-only access to a virtual system.
A virtual system administrator can view logs of only the virtual systems assigned to that administrator. Someone with superuser or Device Admin permission can view all of the logs or select a virtual system to view. Persons with vsysadmin permission can commit configurations for only the virtual systems assigned to them.

Shared Objects for Virtual Systems

If your administrator account extends to multiple virtual systems, you can choose to configure objects (such as an address object) and policies for a specific virtual system or as shared objects, which apply to all of the virtual systems on the firewall. If you try to create a shared object with the same name and type as an existing object in a virtual system, the virtual system object is used.
Communication Between Virtual Systems

There are two typical scenarios where communication between virtual systems (inter-vsys traffic) is desirable. In a multi-tenancy environment, communication between virtual systems can occur by having traffic leave the firewall, go through the Internet, and re-enter the firewall. In a single organization environment, communication between virtual systems can remain within the firewall. This section discusses both scenarios.
Inter-VSYS Traffic That Must Leave the Firewall
Inter-VSYS Traffic That Remains Within the Firewall
Inter-VSYS Communication Uses Two Sessions

Inter-VSYS Traffic That Must Leave the Firewall

An ISP that has multiple customers on a firewall (known as multi-tenancy) can use a virtual system for each customer, and thereby give each customer control over its virtual system configuration. The ISP grants vsysadmin permission to customers. Each customer's traffic and management are isolated from the others. Each virtual system must be configured with its own IP address and one or more virtual routers in order to manage traffic and its own connection to the Internet.

If the virtual systems need to communicate with each other, that traffic goes out the firewall to another Layer 3 routing device and back to the firewall, even though the virtual systems exist on the same physical firewall, as shown in the following figure.
Inter-VSYS Traffic That Remains Within the Firewall

Unlike the preceding multi-tenancy scenario, virtual systems on a firewall can be under the control of a single organization. The organization wants to both isolate traffic between virtual systems and allow communications between virtual systems. This common use case arises when the organization wants to provide departmental separation and still have the departments be able to communicate with each other or connect to the same network(s). In this scenario, the inter-vsys traffic remains within the firewall, as described in the following topics:
External Zone
External Zones and Security Policies For Traffic Within a Firewall

External Zone

The communication desired in the use case above is achieved by configuring security policies that point to or from an external zone. An external zone is a security object that is associated with a specific virtual system that it can reach; the zone is external to the virtual system. A virtual system can have only one external zone, regardless of how many security zones the virtual system has within it. External zones are required to allow traffic between zones in different virtual systems, without the traffic leaving the firewall.

The virtual system administrator configures the security policies needed to allow traffic between two virtual systems. Unlike security zones, an external zone is not associated with an interface; it is associated with a virtual system. The security policy allows or denies traffic between the security (internal) zone and the external zone.

Because external zones do not have interfaces or IP addresses associated with them, some zone protection profiles are not supported on external zones.

Remember that each virtual system is a separate instance of a firewall, which means that each packet moving between virtual systems is inspected for security policy and App-ID evaluation.
External Zones and Security Policies For Traffic Within a Firewall

In the following example, an enterprise has two separate administrative groups: the department A and department B virtual systems. The following figure shows the external zone associated with each virtual system, and traffic flowing from one trust zone, out an external zone, into an external zone of another virtual system, and into its trust zone.

To create external zones, the firewall administrator must configure the virtual systems so that they are visible to each other. External zones do not have security policies between them because their virtual systems are visible to each other.

To communicate between virtual systems, the ingress and egress interfaces on the firewall are either assigned to a single virtual router or else they are connected using inter-virtual router static routes. The simpler of these two approaches is to assign all virtual systems that must communicate with each other to a single virtual router.

There might be a reason that the virtual systems need to have their own virtual router, for example, if the virtual systems use overlapping IP address ranges. Traffic can be routed between the virtual systems, but each virtual router must have static routes that point to the other virtual router(s) as the next hop.

Referring to the scenario in the figure above, we have an enterprise with two administrative groups: department A and department B. The department A group manages the local network and the DMZ resources. The department B group manages traffic in and out of the sales segment of the network. All traffic is on a local network, so a single virtual router is used. There are two external zones configured for communication between the two virtual systems. The department A virtual system has three zones used in security policies: deptA-DMZ, deptA-trust, and deptA-External. The department B virtual system also has three zones: deptB-DMZ, deptB-trust, and deptB-External. Both groups can control the traffic passing through their virtual systems.

In order to allow traffic from deptA-trust to deptB-trust, two security policies are required. In the following figure, the two vertical arrows indicate where the security policies (described below the figure) are controlling traffic.
Security Policy 1: In the preceding figure, traffic is destined for the deptB-trust zone. Traffic leaves the deptA-trust zone and goes to the deptA-External zone. A security policy must allow traffic from the source zone (deptA-trust) to the destination zone (deptA-External). A virtual system allows any policy type to be used for this traffic, including NAT.
No policy is needed between external zones because traffic sent to an external zone appears in and has automatic access to the other external zones that are visible to the original external zone.
Security Policy 2: In the preceding figure, the traffic from deptB-External is still destined to the deptB-trust zone, and a security policy must be configured to allow it. The policy must allow traffic from the source zone (deptB-External) to the destination zone (deptB-trust).

The department B virtual system could be configured to block traffic from the department A virtual system, and vice versa. Like traffic from any other zone, traffic from external zones must be explicitly allowed by policy to reach other zones in a virtual system.

In addition to external zones being required for inter-virtual system traffic that does not leave the firewall, external zones are also required if you configure a Shared Gateway, in which case the traffic is intended to leave the firewall.

Inter-VSYS Communication Uses Two Sessions

It is helpful to understand that communication between two virtual systems uses two sessions, unlike the one session used for a single virtual system. Let's compare the scenarios.
Scenario 1: Vsys1 has two zones: trust1 and untrust1. A host in the trust1 zone initiates traffic when it needs to communicate with a device in the untrust1 zone. The host sends traffic to the firewall, and the firewall creates a new session for source zone trust1 to destination zone untrust1. Only one session is needed for this traffic.
Scenario 2: A host from vsys1 needs to access a server on vsys2. A host in the trust1 zone initiates traffic to the firewall, and the firewall creates the first session: source zone trust1 to destination zone untrust1. Traffic is routed to vsys2, either internally or externally. Then the firewall creates a second session: source zone untrust2 to destination zone trust2. Two sessions are needed for this inter-vsys traffic.
Shared Gateway

This topic includes the following information about shared gateways:
External Zones and Shared Gateway
Networking Considerations for a Shared Gateway

External Zones and Shared Gateway

A shared gateway is an interface that multiple virtual systems share in order to communicate over the Internet. Each virtual system requires an External Zone, which acts as an intermediary, for configuring security policies that allow or deny traffic from the virtual system's internal zone to the shared gateway. The shared gateway uses a single virtual router to route traffic for all virtual systems. A shared gateway is used in cases when an interface does not need a full administrative boundary around it, or when multiple virtual systems must share a single Internet connection. This second case arises if an ISP provides an organization with only one IP address (interface), but multiple virtual systems need external communication.

Unlike the behavior between virtual systems, security policy and App-ID evaluations are not performed between a virtual system and a shared gateway. That is why using a shared gateway to access the Internet involves less overhead than creating another virtual system to do so.

In the following figure, three customers share a firewall, but there is only one interface accessible to the Internet. Creating another virtual system would add the overhead of App-ID and security policy evaluation for traffic being sent to the interface through the added virtual system. To avoid adding another virtual system, the solution is to configure a shared gateway, as shown in the following diagram.

The shared gateway has one globally routable IP address used to communicate with the outside world. Interfaces in the virtual systems have IP addresses too, but they can be private, non-routable IP addresses.

You will recall that an administrator must specify whether a virtual system is visible to other virtual systems. Unlike a virtual system, a shared gateway is always visible to all of the virtual systems on the firewall.
A shared gateway ID number appears as sg<ID> on the web interface. It is recommended that you name your shared gateway with a name that includes its ID number.

When you add objects such as zones or interfaces to a shared gateway, the shared gateway appears as an available virtual system in the vsys drop-down menu.

A shared gateway is a limited version of a virtual system; it supports NAT and policy-based forwarding (PBF), but does not support security, DoS policies, QoS, decryption, application override, or captive portal policies.

Networking Considerations for a Shared Gateway

Keep the following in mind while you are configuring a shared gateway.
The virtual systems in a shared gateway scenario access the Internet through the shared gateway's physical interface, using a single IP address. If the IP addresses of the virtual systems are not globally routable, configure source NAT to translate those addresses to globally routable IP addresses.
A virtual router routes the traffic for all of the virtual systems through the shared gateway.
The default route for the virtual systems should point to the shared gateway.
Security policies must be configured for each virtual system to allow the traffic between the internal zone and external zone, which is visible to the shared gateway.
A firewall administrator should control the virtual router, so that no member of a virtual system can affect the traffic of other virtual systems.
Within a Palo Alto Networks firewall, a packet may hop from one virtual system to another virtual system or a shared gateway. A packet may not traverse more than two virtual systems or shared gateways. For example, a packet cannot go from one virtual system to a shared gateway to a second virtual system within the firewall.

To save configuration time and effort, consider the following advantages of a shared gateway:
Rather than configure NAT for multiple virtual systems associated with a shared gateway, you can configure NAT for the shared gateway.
Rather than configure policy-based routing (PBR) for multiple virtual systems associated with a shared gateway, you can configure PBR for the shared gateway.
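A small checker for the rules in the External Zones and Security Policies, Inter-VSYS Communication Uses Two Sessions, and Shared Gateway sections above, added as an illustration and not code from the guide or from Palo Alto Networks: given the containers and zones a flow traverses, it lists the Security policy lookups (one per zone-to-zone move inside a virtual system), the legs that get no policy or App-ID evaluation (external zone to external zone, and virtual system to shared gateway), and enforces the two-hop limit. The vsys, zone and shared gateway names are constructed, and counting one session per virtual system traversed is an assumption that goes beyond the two-session statement above.

```python
"""Checker for the inter-vsys and shared-gateway rules described above
(added example, not Palo Alto Networks code): which Security policy lookups
a flow needs, where none is performed, and the two-hop limit. Names of the
virtual systems, zones and shared gateway are constructed."""
from dataclasses import dataclass, field


@dataclass
class Vsys:
    name: str
    zones: set                      # internal security zones
    external_zone: str              # the single external zone of this vsys
    visible_to: set = field(default_factory=set)   # vsys this one is configured to see


def evaluate_flow(hops, vsys, shared_gateways):
    """hops: ordered (container, zone) pairs a packet traverses; container is a
    vsys name or a shared gateway name (zone is None for a shared gateway).
    Returns the Security policy lookups performed, the legs with no policy or
    App-ID evaluation, and the session count; raises ValueError on an invalid path."""
    containers = list(dict.fromkeys(c for c, _ in hops))
    if len(containers) > 2:
        raise ValueError("a packet may not traverse more than two virtual systems or shared gateways")
    policies, free_legs = [], []
    for (c1, z1), (c2, z2) in zip(hops, hops[1:]):
        if c1 == c2:
            # Inside one vsys every zone-to-zone move is a Security policy lookup
            # (with App-ID); the external zone is treated like any other zone here.
            vs = vsys[c1]
            for z in (z1, z2):
                if z != vs.external_zone and z not in vs.zones:
                    raise ValueError(f"unknown zone {z} in {c1}")
            policies.append((c1, z1, z2))
        elif c1 in shared_gateways or c2 in shared_gateways:
            # vsys <-> shared gateway: no Security policy or App-ID evaluation,
            # but the vsys side must use its external zone.
            v, z = (c1, z1) if c2 in shared_gateways else (c2, z2)
            if z != vsys[v].external_zone:
                raise ValueError(f"{v} must reach the shared gateway via its external zone")
            free_legs.append((c1, c2))
        else:
            # external zone -> external zone of another vsys: no policy, but the
            # two vsys must be configured as visible to each other.
            a, b = vsys[c1], vsys[c2]
            if z1 != a.external_zone or z2 != b.external_zone:
                raise ValueError("inter-vsys traffic must pass between external zones")
            if c2 not in a.visible_to or c1 not in b.visible_to:
                raise ValueError(f"{c1} and {c2} are not visible to each other")
            free_legs.append((c1, c2))
    # One session per vsys traversed (two for inter-vsys traffic, as the text
    # states); a shared gateway is not counted, which is an assumption.
    sessions = sum(1 for c in containers if c in vsys)
    return {"policies": policies, "no_policy_legs": free_legs, "sessions": sessions}


def department_example():
    """The deptA-trust -> deptB-trust flow from the figure, plus a vsys -> shared gateway flow."""
    vsys = {
        "deptA": Vsys("deptA", {"deptA-trust", "deptA-DMZ"}, "deptA-External", {"deptB"}),
        "deptB": Vsys("deptB", {"deptB-trust", "deptB-DMZ"}, "deptB-External", {"deptA"}),
    }
    inter_vsys = evaluate_flow(
        [("deptA", "deptA-trust"), ("deptA", "deptA-External"),
         ("deptB", "deptB-External"), ("deptB", "deptB-trust")],
        vsys, shared_gateways={"sg1"})
    to_internet = evaluate_flow(
        [("deptA", "deptA-trust"), ("deptA", "deptA-External"), ("sg1", None)],
        vsys, shared_gateways={"sg1"})
    return inter_vsys, to_internet
```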
Service Routes for Virtual Systems
The firewall uses the MGT interface (by default) to access external services, such as DNS servers, software updates, and software licenses. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route. Service routes can be configured for the firewall or for individual virtual systems. Each service allows redirection of management services to the respective virtual system owner through one of the interfaces associated with that virtual system.

The ability to configure service routes per virtual system provides the flexibility to customize service routes for numerous tenants or departments on a single firewall. The service packets exit the firewall on a port that is assigned to a specific virtual system, and the server sends its response to the configured source interface and source IP address. Any virtual system that does not have a service route configured for a particular service inherits the interface and IP address that are set globally for that service.

- Use Cases for Service Routes for a Virtual System
- PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments

To configure service routes for a virtual system, see Customize Service Routes for a Virtual System.
Use Cases for Service Routes for a Virtual System

One use case for configuring service routes at the virtual system level is when a large customer (such as an ISP) needs to support multiple individual tenants on a single Palo Alto Networks firewall. The ISP has configured virtual systems on the firewall, and wants to have separate service routes for each virtual system, rather than service routes configured at the global level. Each tenant requires service route capabilities so that it can customize service route parameters for DNS, email, Kerberos, LDAP, NetFlow, RADIUS, SNMP trap, syslog, TACACS+, User-ID Agent, and VM Monitor.

Another use case is an IT organization that wants to provide full autonomy to groups that set up servers for services. Each group can have a virtual system and define its own service routes.

If Multi Virtual System Capability is enabled, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall.

An organization can have multiple virtual systems, but use a global service route for a service rather than different service routes for each virtual system. For example, the firewall can use a shared email server to originate email alerts to its virtual systems.

A firewall with multiple virtual systems must have interfaces and subinterfaces with non-overlapping IP addresses.

A per-virtual system service route for SNMP traps or for Kerberos is for IPv4 only.

You can select a virtual router for a service route in a virtual system; you cannot select the egress interface. After you select the virtual router and the firewall sends the packet from the virtual router, the firewall selects the egress interface based on the destination IP address. Therefore:

- If a virtual system has multiple virtual routers, packets to all of the servers for a service must egress out of only one virtual router.
- A packet with an interface source address may egress a different interface, but the return traffic would arrive on the interface that has the source IP address, creating asymmetric traffic.
PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers

For Traffic, HIP Match, Threat, and WildFire log types, the PA-7000 Series firewall does not use service routes for SNMP Trap, syslog and email services. Instead, the PA-7000 Series firewall Log Processing Card (LPC) supports virtual system-specific paths from LPC subinterfaces to an on-premise switch to the respective service on a server. For System and Config logs, the PA-7000 Series firewall uses global service routes, and not the LPC.

In other Palo Alto Networks platforms, the dataplane sends logging service route traffic to the management plane, which sends the traffic to logging servers. In the PA-7000 Series firewall, each LPC has only one interface, and dataplanes for multiple virtual systems send logging server traffic (types mentioned above) to the PA-7000 Series firewall LPC. The LPC is configured with multiple subinterfaces, over which the platform sends the logging service traffic out to a customer's switch, which can be connected to multiple logging servers.

Each LPC subinterface can be configured with a subinterface name and a dotted subinterface number. The subinterface is assigned to a virtual system, which is configured for logging services. The other service routes on a PA-7000 Series firewall function similarly to service routes on other Palo Alto Networks platforms.

To configure the LPC for per-virtual system logging services, see Configure a PA-7000 Series Firewall for Logging Per Virtual System. For information about the LPC itself, see the PA-7000 Series Hardware Reference Guide.
DNS Proxy Object

Domain Name System (DNS) servers perform the service of resolving a domain name to an IP address, and vice versa. DNS proxy is a role in which the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If the domain name is not found in the DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived), and forwards the query to a DNS server based on the match results. If no match is found, the default DNS servers are used.

A DNS proxy object is where you configure the settings that determine how the firewall functions as a DNS proxy. You can assign a DNS proxy object to a single virtual system or it can be shared among all virtual systems.

If the DNS proxy object is for a virtual system, you can specify a DNS Server Profile, which specifies the primary and secondary DNS server addresses, along with other information. The DNS server profile simplifies configuration.

If the DNS proxy object is shared, you must specify at least the primary address of a DNS server.

When configuring tenants with DNS services, each tenant should have its own DNS proxy defined, which keeps the tenant's DNS service separate from other tenants' services.

In the proxy object, you specify the interfaces for which the firewall is acting as DNS proxy. The DNS proxy for the interface does not use the service route; responses to the DNS requests are always sent to the interface assigned to the virtual router where the DNS request arrived.

You can supply the DNS proxy with static FQDN-to-address mappings. You can create DNS proxy rules that control to which DNS server the specified domain name queries are directed. A DNS proxy has other options; to configure a DNS proxy, see Configure a DNS Proxy Object. A maximum of 256 DNS proxy objects can be configured on a firewall.
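As an added example (not code from the PAN-OS guide or from Palo Alto Networks), the following Python model walks a query through the lookup order this section describes: the proxy cache first, then the entries of the DNS proxy object on the arrival interface, then the default servers. It also implements the wildcard rule that the configuration procedures state later, where * stands for one label so the token counts must match; placing static entries ahead of proxy rules, first-match rule selection, and all interface names and addresses are assumptions.

```python
# Added example, not part of the PAN-OS guide: a model of a DNS proxy object's
# lookup order (cache, then static entries, then proxy rules, then default
# servers). Interface names, rule names and addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ProxyRule:
    """One DNS proxy rule: domain patterns that steer queries to a server set."""
    name: str
    domains: List[str]            # each may contain '*' as a whole-label wildcard
    servers: Tuple[str, ...]      # primary, secondary (from a DNS server profile)


@dataclass
class DnsProxyObject:
    """The settings of one DNS proxy object bound to one interface."""
    interface: str
    default_servers: Tuple[str, ...]
    rules: List[ProxyRule] = field(default_factory=list)
    static_entries: Dict[str, str] = field(default_factory=dict)   # FQDN -> IP
    cache: Dict[str, str] = field(default_factory=dict)            # learned FQDN -> IP


def labels(name: str) -> List[str]:
    """Split an FQDN into its dot-separated tokens, ignoring case and a trailing dot."""
    return [t for t in name.lower().rstrip(".").split(".") if t]


def domain_matches(pattern: str, qname: str) -> bool:
    """'*' matches exactly one label, so token counts must be equal:
    '*.engineering.local' matches 'dev.engineering.local' (3 tokens) but
    not 'engineering.local' (2 tokens); both entries are needed for both."""
    p, q = labels(pattern), labels(qname)
    if len(p) != len(q):
        return False
    return all(pt == "*" or pt == qt for pt, qt in zip(p, q))


def resolve(proxy: DnsProxyObject, qname: str) -> Tuple[str, Optional[str]]:
    """Return (how the query was answered, the answer or the forwarding server).

    'cache' and 'static' are answered by the firewall itself; 'rule:<name>'
    forwards to the matching rule's primary server and 'default' to the
    proxy object's primary default server."""
    key = ".".join(labels(qname))
    if key in proxy.cache:
        return "cache", proxy.cache[key]
    if key in proxy.static_entries:           # assumed to precede rule matching
        return "static", proxy.static_entries[key]
    for rule in proxy.rules:                  # assumed: first matching rule wins
        if any(domain_matches(d, key) for d in rule.domains):
            return f"rule:{rule.name}", rule.servers[0]
    return "default", proxy.default_servers[0]


def example_proxy() -> DnsProxyObject:
    """Constructed sample: a tenant proxy on ethernet1/20 with one split-DNS rule."""
    return DnsProxyObject(
        interface="ethernet1/20",
        default_servers=("198.51.100.53", "198.51.100.54"),
        rules=[ProxyRule("corp-split",
                         ["*.engineering.local", "engineering.local"],
                         ("10.1.0.53", "10.1.0.54"))],
        static_entries={"intranet.engineering.local": "10.1.0.10"},
        cache={"www.example.com": "192.0.2.80"},
    )


if __name__ == "__main__":
    p = example_proxy()
    for q in ("www.example.com", "intranet.engineering.local",
              "build.engineering.local", "engineering.local",
              "a.b.engineering.local"):
        print(q, "->", resolve(p, q))
```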
DNS Server Profile

To simplify configuration for a virtual system, a DNS server profile allows you to specify the virtual system that is being configured, an inheritance source or the primary and secondary IP addresses for DNS servers, and a source interface and source address (service route) that will be used in packets sent to the DNS server.

The source interface determines the virtual router, which has a route table. The destination IP address is looked up in the routing table of the virtual router where the source interface is assigned. It is possible that the egress interface found for the destination IP differs from the source interface. The packet would egress out of the egress interface determined by the route table lookup, but the source IP address would be the address configured. The source address is used as the destination address in the reply from the DNS server.

The virtual system report and virtual system server profile send their queries to the DNS server specified for the virtual system, if there is one. (The DNS server used is defined in Device > Virtual Systems > General > DNS Proxy.) If there is no DNS server specified for the virtual system, the DNS server specified for the firewall is queried.

A DNS server profile is for a virtual system only; it is not for a global Shared location. To configure a DNS server profile, see Configure a DNS Server Profile.

For more information on DNS server profiles, see DNS Resolution: Three Use Cases.
Multi-Tenant DNS Deployments

There are three use cases for multi-tenant DNS deployments:

- Global Management DNS Resolution: The firewall needs DNS resolution for its own purposes, for example, when the request is coming from the management plane to resolve an FQDN in a security policy. The firewall uses the service route to get to a DNS server because there is no incoming virtual router. The DNS server is configured in Device > Setup > Services > Global, and Servers are configured by entering a primary and secondary DNS server.
- Policy and Report FQDN Resolution for a Virtual System: For DNS queries that need to be resolved from a security policy or a report, you can specify a set of DNS servers specific to the virtual system (tenant) or you can default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, the DNS server is configured in Device > Virtual Systems > General > DNS Proxy. The DNS proxy object is configured in Network > DNS Proxy. The resolution is specific to the virtual system to which the DNS proxy is assigned. If you don't have specific DNS servers applicable to this virtual system and want to use the global DNS setting, the global DNS servers take precedence.
- Dataplane DNS Resolution for a Virtual System: This method is also known as a Network Request for DNS Resolution. The tenant's virtual system can be configured so that specified domain names are resolved on the tenant's DNS server in its network. This method supports split DNS, meaning that the tenant can also use its own ISP DNS servers for the remaining DNS queries not resolved on its own server. DNS Proxy rules control the split DNS; the tenant's domain redirects DNS requests to its DNS servers, which are configured in a DNS server profile. The DNS server profile has primary and secondary DNS servers designated, and also DNS service routes for IPv4 and IPv6, which override the default DNS settings.

For more information on DNS deployments, see DNS Resolution: Three Use Cases.
Configure Virtual Systems

Creating a virtual system requires that you have the following:

- A superuser administrative role.
- An interface configured.
- A Virtual Systems license if you are configuring a PA-2000 or PA-3000 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. See Platform Support and Licensing for Virtual Systems.
Configure a Virtual System

Step 1: Enable virtual systems.
   1.
   2.

Step 2: Create a virtual system.
   1.
   2.
   3. Enter a descriptive Name for the virtual system. A maximum of 31 alphanumeric, space, and underscore characters is allowed.

Step 3: Assign interfaces to the virtual system.
   The virtual routers, vwires, or VLANs can either be configured already or you can configure them later, at which point you specify the virtual system associated with each. The procedure to configure a virtual router, for example, is in Step 6 below.
   1.
   2. In the Interfaces field, click Add to enter the interfaces or subinterfaces to assign to the virtual system. An interface can belong to only one virtual system.
   3. Do any of the following, based on the deployment type(s) you need in the virtual system:
      - In the VLANs field, click Add to enter the VLAN(s) to assign to the vsys.
      - In the Virtual Wires field, click Add to enter the virtual wire(s) to assign to the vsys.
      - In the Virtual Routers field, click Add to enter the virtual router(s) to assign to the vsys.
   4.
   5. Click OK.

Step 4: (Optional) Limit the resource allocations for sessions, rules, and VPN tunnels allowed for the virtual system. The flexibility of being able to allocate limits per virtual system allows you to effectively control firewall resources.
   1. On the Resource tab, optionally set limits for a virtual system. There are no default values.
      - Sessions Limit: Range is 1 to 262144.
      - Security Rules: Range is 0 to 2500.
      - NAT Rules: Range is 0 to 3000.
      - Decryption Rules: Range is 0 to 250.
      - QoS Rules: Range is 0 to 1000.
      - Application Override Rules: Range is 0 to 250.
      - Policy Based Forwarding Rules: Range is 0 to 500.
      - Captive Portal Rules: Range is 0 to 1000.
      - DoS Protection Rules: Range is 0 to 1000.
      - Site to Site VPN Tunnels: Range is 0 to 1024.
      - Concurrent SSL VPN Tunnels: Range is 0 to 1024.
   2. Click OK.

Step 5: Save the configuration.
   Click Commit and OK. The virtual system is now an object accessible from the Objects tab.

Step 6: Create at least one virtual router for the virtual system in order to make the virtual system capable of networking functions, such as static and dynamic routing.
   Alternatively, your virtual system might use a VLAN or a virtual wire, depending on your deployment.
   1. Select Network > Virtual Routers and Add a virtual router by Name.
   2. For Interfaces, click Add and from the drop-down, select the interfaces that belong to the virtual router.
   3. Click OK.

Step 7: Configure a security zone for each interface in the virtual system.
   For at least one interface, create a Layer 3 security zone. See Configure Interfaces and Zones.

Step 8: Configure the security policies allowing or denying traffic to and from the zones in the virtual system.
   See Set Up Basic Security Policies.

Step 9: Save the configuration.
   Click Commit and OK.
   After creating a virtual system, you can use the CLI to commit a configuration for only a specific virtual system:
   commit partial vsys vsys<id>

Step 10: (Optional) View the security policies configured for a virtual system.
   Open an SSH session to use the CLI. To view the security policies for a virtual system, in operational mode, use the following commands:
   set system setting target-vsys <vsys-id>
   show running security-policy
Configure Inter-Virtual System Communication within the Firewall

Perform this task if you have a use case, perhaps within a single enterprise, where you want the virtual systems to be able to communicate with each other within the firewall. Such a scenario is described in Inter-VSYS Traffic That Remains Within the Firewall. This task presumes:

- You completed the task, Configure Virtual Systems.
- When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate with each other to be visible to each other.

Configure Inter-Virtual System Communication within the Firewall

Step 1: Configure an external zone for each virtual system.
   1.
   2. For Location, select the virtual system for which you are creating an external zone.
   3. For Type, select External.
   4. For Virtual Systems, click Add and enter the virtual system that the external zone can reach.
   5.
   6. Log Setting: Optionally select a log forwarding profile for forwarding zone protection logs to an external system.
   7.
   8. Click OK.

Step 2: Configure the security policies allowing or denying traffic from the internal zones to the external zone of the virtual system, and vice versa.
   See Set Up Basic Security Policies.
   See Inter-VSYS Traffic That Remains Within the Firewall.

Step 3: Save the configuration.
   Click Commit.
Configure a Shared Gateway

Perform this task if you need multiple virtual systems to share an interface (a Shared Gateway) to the Internet. This task presumes:

- You configured an interface with a globally routable IP address, which will be the shared gateway.
- You completed the prior task, Configure Virtual Systems. For the interface, you chose the external-facing interface with the globally routable IP address.
- When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate to be visible to each other.

Configure a Shared Gateway

Step 1: Configure a Shared Gateway.
   1.
   2. Enter a helpful Name, preferably including the ID of the gateway.
   3.
   4. Add an Interface that connects to the outside world.
   5. Click OK.

Step 2: Configure the zone for the shared gateway.
   When adding objects such as zones or interfaces to a shared gateway, the shared gateway itself will be listed as an available vsys in the VSYS drop-down menu.
   1.
   2. For Location, select the shared gateway for which you are creating a zone.
   3. For Type, select Layer 3.
   4.
   5. Log Setting: Optionally select a log forwarding profile for forwarding zone protection logs to an external system.
   6.
   7. Click OK.

Step 3: Save the configuration.
   Click Commit.
Customize Service Routes for a Virtual System

- Customize Service Routes to Services for Virtual Systems
- Configure a PA-7000 Series Firewall for Logging Per Virtual System
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Configure Administrative Access Per Virtual System or Firewall

Customize Service Routes to Services for Virtual Systems

Prior to performing this task, in order to see the Global and Virtual Systems tabs, you must enable Multi Virtual System Capability.

In the following use case, you are configuring individual service routes for a firewall with multiple virtual systems.
Customize Service Routes to Services Per Virtual System

Step 1: Customize service routes for a virtual system.
   1.
   2.
   3. Select one of the radio buttons:
      - Inherit Global Service Route Configuration: Causes the virtual system to inherit the global service route settings relevant to a virtual system. If you choose this option, skip down to step 7.
      - Customize: Allows you to specify a source interface and source address for each service.
   4. If you chose Customize, select the IPv4 or IPv6 tab, depending on what type of addressing the server offering the service uses. You can specify both IPv4 and IPv6 addresses for a service. Click the checkbox(es) for the services for which you want to specify the same source information. (Only services that are relevant to a virtual system are available.) Click Set Selected Service Routes.
      - For Source Interface, select Any, Inherit Global Setting, or an interface from the drop-down to specify the source interface that will be used in packets sent to the external service(s). Hence, the server's response will be sent to that source interface. In our example deployment, you would set the source interface to be the subinterface of the tenant.
      - Source Address will indicate Inherited if you selected Inherit Global Setting for the Source Interface, or it will indicate the source address of the Source Interface you selected. If you selected Any for Source Interface, select an IP address from the drop-down, or enter an IP address (using the IPv4 or IPv6 format that matches the tab you chose) to specify the source address that will be used in packets sent to the external service.
      If you modify an address object and the IP family type (IPv4/IPv6) changes, a Commit is required to update the service route family to use.
   5. Click OK.
   6. Repeat steps 4 and 5 to configure source addresses for other external services.
   7. Click OK.

Step 2: Save the configuration.
   Click Commit and OK.
   If you are configuring per-virtual system service routes for logging services for a PA-7000 Series firewall, continue to the task Configure a PA-7000 Series Firewall for Logging Per Virtual System.
Configure a PA-7000 Series Firewall for Logging Per Virtual System

You must have enabled Multi Virtual System Capability (Device > Setup > Management) in order to access the LPC subinterface configuration.

Perform this task on your PA-7000 Series firewall to configure logging for different virtual systems. For more information, see PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers.

Configure a PA-7000 Series Firewall Subinterface for Service Routes per Virtual System

Step 1: Create a Log Card subinterface.
   1.
   2. Enter the Interface Name.
   3.
   4. Click OK.

Step 2: Add a subinterface for each tenant on the LPC's physical interface.
   1. Highlight the Ethernet interface that is a Log Card interface type and click Add Subinterface.
   2. For Interface Name, after the period, enter the subinterface assigned to the tenant's virtual system.
   3. For Tag, enter a VLAN tag value. Make the tag the same as the subinterface number for ease of use, but it could be a different number.
   4. (Optional) Enter a Comment.
   5.
   6. Click OK.

Step 3: Enter the addresses assigned to the subinterface, and configure the default gateway.
   1.
   2. Click OK.

Step 4: Save the configuration.

Step 5: If you haven't already done so, configure the remaining service routes for the virtual system.
   See Customize Service Routes for a Virtual System.
Configure a DNS Proxy Object

If your firewall is to act as a DNS proxy for a virtual system, perform this task to configure a DNS Proxy Object. The proxy object can either be shared among all virtual systems or applied to a specific virtual system.

Configure a DNS Proxy Object

Step 1: Configure the basic settings for a DNS Proxy object.
   1.
   2. Verify that Enable is selected.
   3. Enter a Name for the object.
   4. For Location, select the virtual system to which the object applies. If you select Shared, you must specify at least a Primary DNS server address, and optionally a Secondary address.
   5. If you selected a virtual system, for Server Profile, select a DNS Server profile or else click DNS Server Profile to configure a new profile. See Configure a DNS Server Profile.
   6. For Interface, click Add and specify the interfaces to which the DNS Proxy object applies.
      - If you use the DNS Proxy object for performing DNS lookups, an interface is required. The firewall will listen for DNS requests on this interface, and then proxy them.
      - If you use the DNS Proxy object for a service route, the interface is optional.

Step 2: (Optional) Specify DNS Proxy rules.
   1.
   2.
   3. For Domain Name, click Add and enter one or more domains, one entry per row. Each domain name can contain * as a wildcard. The number of tokens in a wildcard string must match the number of tokens in the requested domain. For example, *.engineering.local will not match engineering.local. Both entries must be specified if you want both.
   4. Depending on the Location you chose in item 4 of Step 1 above:
      - If you chose a virtual system, select a DNS Server profile here.
      - If you chose Shared, enter a Primary address here.
   5. Click OK.

Step 3: (Optional) Supply the DNS Proxy with static FQDN-to-address entries. Static DNS entries allow the firewall to resolve the FQDN to an IP address without going out to the DNS server.
   1. On the Static Entries tab, click Add and enter a Name.
   2. Enter the Fully Qualified Domain Name (FQDN).
   3. For Address, click Add and enter the IP address to which the FQDN should be mapped.
   4. Repeat items 1 through 3 to provide additional static entries.
   5. Click OK.

Step 4: (Optional) Enable caching and configure other advanced settings for the DNS Proxy.
   1. On the Advanced tab, click Cache to enable the firewall to cache FQDN-to-address mappings that the firewall learns.
      - Size: Enter the maximum number of entries the firewall can cache (range is 1024 to 10240; default is 1024).
      - Timeout: Enter the number of hours after which all cached entries are removed (range is 4 to 24; default is 4). DNS time-to-live values are used to remove cache entries when they have been stored for less than the configured timeout period. After a timeout, new DNS requests must be resolved and cached again.
   2. Select TCP Queries to enable DNS queries using TCP.
      - Max Pending Requests: Enter the maximum number of concurrent, pending TCP DNS requests that the firewall will support (range is 64 to 256; default is 64).
   3.

Step 5: Save the configuration.
   Click OK and Commit.
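As an added example (not the guide's or the vendor's code), this Python class models the Advanced-tab cache settings from Step 4: Size bounds the number of entries (range 1024 to 10240), Timeout bounds how long any entry stays cached, and a record's own DNS TTL removes it earlier when the TTL is shorter than the timeout. Treating Timeout as a per-entry lifetime cap and evicting the oldest entry when Size is reached are assumptions, as are the constructed names and addresses.

```python
# Added example, not part of the PAN-OS guide: a model of the DNS proxy cache
# with the Size and Timeout settings described in Step 4. Hostnames and
# addresses used in the demo are constructed.
from collections import OrderedDict
from typing import Optional, Tuple


class DnsProxyCache:
    SIZE_RANGE = (1024, 10240)          # Size: entries, default 1024
    TIMEOUT_HOURS_RANGE = (4, 24)       # Timeout: hours, default 4

    def __init__(self, size: int = 1024, timeout_hours: int = 4) -> None:
        lo, hi = self.SIZE_RANGE
        if not lo <= size <= hi:
            raise ValueError(f"Size must be between {lo} and {hi}")
        lo, hi = self.TIMEOUT_HOURS_RANGE
        if not lo <= timeout_hours <= hi:
            raise ValueError(f"Timeout must be between {lo} and {hi} hours")
        self.size = size
        self.timeout = timeout_hours * 3600          # seconds
        # fqdn -> (address, absolute expiry time); insertion order is kept so
        # the oldest entry can be dropped when Size is reached (assumption)
        self._entries: "OrderedDict[str, Tuple[str, float]]" = OrderedDict()

    @staticmethod
    def _key(fqdn: str) -> str:
        return fqdn.lower().rstrip(".")

    def _expiry(self, now: float, ttl: int) -> float:
        # The record's TTL can only shorten the lifetime; Timeout is the cap,
        # so an entry never outlives the configured number of hours.
        return now + min(ttl, self.timeout)

    def put(self, fqdn: str, address: str, ttl: int, now: float) -> None:
        """Cache a learned FQDN-to-address mapping with the record's TTL."""
        key = self._key(fqdn)
        if key in self._entries:
            self._entries.pop(key)                   # refresh: re-insert as newest
        elif len(self._entries) >= self.size:
            self._entries.popitem(last=False)        # assumed: evict the oldest
        self._entries[key] = (address, self._expiry(now, ttl))

    def get(self, fqdn: str, now: float) -> Optional[str]:
        """Answer from cache, or None when the entry is absent or has expired
        (an expired name must be resolved and cached again)."""
        key = self._key(fqdn)
        entry = self._entries.get(key)
        if entry is None:
            return None
        address, expiry = entry
        if now >= expiry:
            del self._entries[key]
            return None
        return address

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    cache = DnsProxyCache(size=1024, timeout_hours=4)
    cache.put("www.example.com", "192.0.2.10", ttl=300, now=0.0)
    cache.put("long.example.com", "192.0.2.11", ttl=86400, now=0.0)
    print(cache.get("www.example.com", now=299.0))       # 192.0.2.10
    print(cache.get("www.example.com", now=300.0))       # None: TTL expired
    print(cache.get("long.example.com", now=4 * 3600))   # None: Timeout cap
```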
Configure a DNS Server Profile

Perform this task to configure a DNS Server Profile, which simplifies configuration of a virtual system. The Primary DNS or Secondary DNS address is used to create the DNS request that the virtual system sends to the DNS server.

Configure a DNS Server Profile

Step 1: Name the DNS server profile, select the virtual system to which it applies, and specify the primary and secondary DNS server addresses.
   1.
   2.
   3.
   4. For Inheritance Source, from the drop-down, select None if the DNS server addresses are not inherited. Otherwise, specify the DNS server from which the profile should inherit settings. If you choose a DNS server, click Check inheritance source status to see that information.
   5. Specify the IP address of the Primary DNS server, or leave as inherited if you chose an Inheritance Source.
      Keep in mind that if you specify an FQDN instead of an IP address, the DNS for that FQDN is resolved in Device > Virtual Systems > DNS Proxy.
   6. Specify the IP address of the Secondary DNS server, or leave as inherited if you chose an Inheritance Source.

Step 2: Configure the service route that the firewall automatically uses, based on whether the target DNS Server has an IP address family type of IPv4 or IPv6.
   1.
   2. Specify the Source Interface to select the DNS server's source IP address that the service route will use. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
   3. Specify the IPv4 Source Address from which packets going to the DNS server are sourced.
   4.
   5. Specify the Source Interface to select the DNS server's source IP address that the service route will use. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
   6. Specify the IPv6 Source Address from which packets going to the DNS server are sourced.
   7. Click OK.

Step 3: Save the configuration.
   Click OK and Commit.
Configure Administrative Access Per Virtual System or Firewall

If you have a superuser administrative account, you now have the ability to create and configure more granular permissions for a vsysadmin or deviceadmin role.

Create an Admin Role Profile Per Virtual System or Firewall

Step 1: Create an Admin Role Profile that grants or disables permission to an Administrator to configure or read-only various areas of the web interface.
   1.
   2.
   3.
   4. On the Web UI tab for the Admin Role Profile, scroll down to Device, and leave the green check mark (Enable). Under Device, enable Setup. Under Setup, enable the areas to which this profile will grant configuration permission to the administrator, as shown below. (The Read Only lock icon appears in the Enable/Disable rotation if Read Only is allowed for that setting.)
      - Management: Allows an admin with this profile to configure settings on the Management tab.
      - Operations: Allows an admin with this profile to configure settings on the Operations tab.
      - Services: Allows an admin with this profile to configure settings on the Services tab. An admin must have Services enabled in order to access the Device > Setup > Services > Virtual Systems tab. If the Role was specified as Virtual System in the prior step, Services is the only setting that can be enabled under Device > Setup.
      - Content-ID: Allows an admin with this profile to configure settings on the Content-ID tab.
      - WildFire: Allows an admin with this profile to configure settings on the WildFire tab.
      - Session: Allows an admin with this profile to configure settings on the Session tab.
      - HSM: Allows an admin with this profile to configure settings on the HSM tab.
   5. Click OK.
   6. (Optional) Repeat the entire step to create another Admin Role profile with different permissions, as necessary.

Step 2: Apply the Admin role profile to an administrator.
   1.
   2. (Optional) Select an Authentication Profile.
   3.
   4. Enter a Password and Confirm Password.
   5.
   6.
   7. For Profile, select the profile that you just created.
   8. (Optional) Select a Password Profile.
   9. Click OK.

Step 3: Save the configuration.
   Click Commit and OK.
DNS Resolution: Three Use Cases

The firewall determines how to handle DNS requests based on where the request originated. This section illustrates three types of DNS resolution, which are listed in the following table. The binding location determines which DNS proxy object is used for the resolution. For illustration purposes, the use cases show how a service provider might configure DNS settings to provide DNS services for resolving DNS queries required on the firewall and for tenant (subscriber) virtual systems.

Resolution Type: Firewall DNS resolution performed by management plane
   Location: Shared. Binding: Global. Illustrated in Use Case 1.
   Location: Specific Vsys. N/A.

Resolution Type: Security profile, reporting, and server profile resolution performed by management plane
   Location: Shared. Binding: Global. Same behavior as Use Case 1.
   Location: Specific Vsys. Binding: Specific vsys. Illustrated in Use Case 2.

Resolution Type: DNS proxy resolution for DNS client hosts connected to an interface on the firewall, going through the firewall to a DNS Server, performed by dataplane
   Location: Shared or Specific Vsys. Binding: Interface. Service Route: Interface and IP address on which the DNS Request was received. Illustrated in Use Case 3.

- Use Case 1: Firewall Requires DNS Resolution for Management Purposes
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

Use Case 1: Firewall Requires DNS Resolution for Management Purposes

In this use case, the firewall is the client requesting DNS resolutions of FQDNs for management events such as software update services, dynamic software updates, or WildFire. The shared, global DNS services perform the DNS resolution for the management plane functions.
Configure DNS Services for the Firewall

Step 1: Configure the primary and secondary DNS servers you want the firewall to use for its management DNS resolutions.
   You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
   1.
   2.
   3.

Step 2: Alternatively, you can configure a DNS Proxy Object if you want to configure advanced DNS functions such as split DNS, DNS proxy overrides, DNS proxy rules, static entries, or DNS inheritance.
   1.
   2.
   3. To create a new proxy object, click Enable and enter a Name for the DNS proxy object.
   4. For Location, select Shared for global, firewall-wide DNS proxy services.
      Shared DNS proxy objects do not use DNS server profiles because they do not require a specific service route belonging to a tenant virtual system.
   5. For Primary, enter the primary DNS server IP address. Optionally enter a Secondary DNS server IP address. In the ISP example in the screenshot above, the DNS proxy defines the primary and secondary DNS servers that are used to resolve the firewall management services.
   6. Click OK and Commit.
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

In this use case, multiple tenants (ISP subscribers) are defined on the firewall and each tenant is allocated a separate virtual system (vsys) and virtual router in order to segment its services and administrative domains. The following figure illustrates several virtual systems within a firewall.

Each tenant has its own server profiles for Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks.

For the DNS resolutions initiated by these services, each virtual system is configured with its own DNS Proxy object to allow each tenant to customize how DNS resolution is handled within its virtual system. Any service with a Location will use the DNS Proxy object configured for the virtual system to determine the primary (or secondary) DNS server to resolve FQDNs, as illustrated in the following figure.

Configure a DNS Proxy for a Virtual System

Step 1: For each virtual system, specify the DNS Proxy to use.
   1.
   2.
   3. On the General tab, choose a DNS Proxy or create a new one. In this example, Corp1 DNS Proxy is selected as the proxy for Corp1 Corporation's virtual system. (If you need to create a new DNS Proxy, Step 2 below shows how to create a DNS Proxy and a Server Profile.)
   4. For Interfaces, click Add. In this example, Ethernet1/20 is dedicated to this tenant.
   5. For Virtual Routers, click Add. A virtual router named Corp1 VR is assigned to the virtual system in order to separate routing functions.
   6. Click OK to save the configuration.

Step 2: Configure a DNS Proxy and a server profile to support DNS resolution for a virtual system.
   1.
   2. Click Enable and enter a Name for the DNS Proxy.
   3. For Location, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6). (You could choose the Shared DNS Proxy resource instead.)
   4. For Server Profile, choose or create a profile to customize DNS servers to use for DNS resolutions for this tenant's security policy, reporting, and server profile services.
      If the profile is not already configured, in the Server Profile field, click DNS Server Profile to Configure a DNS Server Profile.
      The DNS server profile identifies the IP addresses of the primary and secondary DNS server to use for management DNS resolutions for this virtual system.
   5. Also for this server profile, optionally configure a Service Route IPv4 and/or a Service Route IPv6 to instruct the firewall which Source Interface to use in its DNS requests. If that interface has more than one IP address, configure the Source Address also.
   6. Click OK to save the DNS Server Profile.
   7.

If you use two separate DNS server profiles in the same DNS Proxy object, one for the DNS Proxy and one for the DNS proxy rule, the following behaviors occur:

- If a service route is defined in the DNS server profile used by the DNS Proxy, it takes precedence and is used.
- If a service route is defined in the DNS server profile used in the DNS proxy rules, it is not used. If the service route differs from the one defined in the DNS server profile used by the DNS Proxy, the following warning message is displayed during the Commit process:
  Warning: The DNS service route defined in the DNS proxy object is different from the DNS proxy rules service route. Using the DNS proxy objects service route.
- If no service route is defined in any DNS server profile, the global service route is used if needed.
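As an added example that is not part of the guide, the Python below models the service-route precedence just described for a virtual system's DNS proxy object: a route in the proxy's own DNS server profile wins, a different route in a proxy rule's profile is ignored and produces the commit warning quoted above, and with no profile route the firewall falls back to the virtual system's DNS service route, which inherits the global one unless customized. Routing the fallback through the per-virtual-system setting combines this section with Customize Service Routes to Services for Virtual Systems and is an assumption; the class names, interfaces and addresses are constructed.

```python
# Added example, not part of the PAN-OS guide: which service route carries a
# virtual system's DNS requests when DNS server profiles, a DNS proxy object
# and per-vsys service route settings all have a say. Names and addresses are
# constructed; the fallback to the per-vsys route is an assumption.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Commit warning quoted in the guide, raised when the two profiles disagree.
ROUTE_MISMATCH_WARNING = (
    "Warning: The DNS service route defined in the DNS proxy object is "
    "different from the DNS proxy rules service route. Using the DNS proxy "
    "objects service route."
)


@dataclass(frozen=True)
class ServiceRoute:
    source_interface: str     # "Any", "Inherit Global Setting" or an interface
    source_address: str       # address the DNS server sends its reply to


@dataclass
class DnsServerProfile:
    name: str
    primary: str
    secondary: Optional[str] = None
    service_route: Optional[ServiceRoute] = None   # Service Route IPv4, if set


@dataclass
class DnsProxyConfig:
    """The parts of a DNS proxy object that decide the route."""
    name: str
    vsys: str
    profile: DnsServerProfile                        # Server Profile of the proxy
    rule_profile: Optional[DnsServerProfile] = None  # profile of a DNS proxy rule


def vsys_dns_service_route(vsys_route: Optional[ServiceRoute],
                           global_route: ServiceRoute) -> ServiceRoute:
    """Inherit Global Service Route Configuration vs. Customize: a virtual
    system without its own DNS service route inherits the global one."""
    return vsys_route if vsys_route is not None else global_route


def effective_dns_route(proxy: DnsProxyConfig,
                        vsys_route: Optional[ServiceRoute],
                        global_route: ServiceRoute
                        ) -> Tuple[ServiceRoute, str, List[str]]:
    """Return (route used, origin label, commit warnings)."""
    warnings: List[str] = []
    proxy_route = proxy.profile.service_route
    rule_route = proxy.rule_profile.service_route if proxy.rule_profile else None
    if proxy_route is not None:
        # The proxy object's own profile takes precedence; a differing rule
        # route is ignored but flagged at commit time.
        if rule_route is not None and rule_route != proxy_route:
            warnings.append(ROUTE_MISMATCH_WARNING)
        return proxy_route, f"dns-proxy:{proxy.name}", warnings
    # A route present only in the rule profile is never used; fall back
    # (assumption: to the per-vsys DNS service route, inheriting global).
    route = vsys_dns_service_route(vsys_route, global_route)
    origin = "vsys-service-route" if vsys_route is not None else "global-service-route"
    return route, origin, warnings


if __name__ == "__main__":
    global_dns = ServiceRoute("Any", "203.0.113.1")
    tenant = ServiceRoute("ethernet1/20", "10.6.0.1")
    other = ServiceRoute("ethernet1/21", "10.7.0.1")
    cfg = DnsProxyConfig("Corp1 DNS Proxy", "vsys6",
                         DnsServerProfile("corp1-dns", "10.6.0.53", service_route=tenant),
                         DnsServerProfile("corp1-split", "10.6.1.53", service_route=other))
    route, origin, warns = effective_dns_route(cfg, None, global_dns)
    print(origin, route, *warns, sep="\n")
```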
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant's network connected to the firewall interface. In such a scenario, the firewall performs DNS resolution on its dataplane.
Configure a DNS Proxy and DNS Proxy Rules
Step 1 Configure a DNS Proxy and DNS proxy rules.
1.
2.
3. For Location, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6).
4. For Interface, select the interface that will receive the DNS requests from the tenant's hosts, in this example, Ethernet1/20.
5. Choose or create a Server Profile to customize the DNS servers that resolve DNS requests for this tenant.
6.
7.
8. Click Add and enter one or more Domain Name(s), one entry per row.
   Each domain name can contain * as a wildcard, and the wildcard stands for a whole dot-separated label. The number of labels in a wildcard entry must equal the number of labels in the requested domain for the entry to match. For example, *.engineering.local does not match engineering.local. Both domain names must be specified in order for both to be matched.
9.
10. Click OK to save the rule.
11. Click OK to save the DNS Proxy.
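The following is an added example, not PAN-OS code, that models the two behaviors described above: label-wise wildcard matching of DNS proxy rule domains (so that *.engineering.local does not match engineering.local) and the service-route precedence between the server profile attached to the DNS Proxy object and the one attached to a rule. It assumes, for the model only, that rules are evaluated top-down with the first match winning, that * stands for exactly one label, and that the case in which only the rule's profile carries a service route falls through to the global route (the guide says the rule's route is not used). All interface names, addresses and profile names are constructed.

```python
"""Model of PAN-OS DNS Proxy rule matching and service-route precedence.

Added example (not PAN-OS code). Assumptions: rules are checked top-down,
first match wins; '*' matches exactly one dot-separated label; interface
names, IP addresses and profile names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

GLOBAL_DNS_SERVICE_ROUTE = "global-service-route"  # constructed placeholder label


@dataclass
class DnsServerProfile:
    name: str
    primary: str
    secondary: Optional[str] = None
    service_route: Optional[str] = None  # source interface for upstream queries


@dataclass
class DnsProxyRule:
    name: str
    domains: list[str]
    profile: DnsServerProfile


@dataclass
class DnsProxy:
    name: str
    interface: str                # interface that receives client queries
    profile: DnsServerProfile     # profile attached to the DNS Proxy object
    rules: list[DnsProxyRule] = field(default_factory=list)


def _labels(name: str) -> list[str]:
    return name.rstrip(".").lower().split(".")


def domain_matches(pattern: str, qname: str) -> bool:
    """Label-wise match: label counts must be equal; '*' matches one whole label."""
    p, q = _labels(pattern), _labels(qname)
    if len(p) != len(q):
        return False  # *.engineering.local must not match engineering.local
    return all(pl == "*" or pl == ql for pl, ql in zip(p, q))


def select_rule(proxy: DnsProxy, qname: str) -> Optional[DnsProxyRule]:
    """First rule (top-down, assumption) with a domain entry matching qname."""
    for rule in proxy.rules:
        if any(domain_matches(d, qname) for d in rule.domains):
            return rule
    return None


def effective_service_route(proxy: DnsProxy,
                            rule: Optional[DnsProxyRule]) -> tuple[str, list[str]]:
    """Precedence stated in the guide: the route on the DNS Proxy object's
    profile always wins; a route on the rule's profile is never used (commit
    warns when it differs); otherwise the global service route applies."""
    warnings: list[str] = []
    object_route = proxy.profile.service_route
    rule_route = rule.profile.service_route if rule else None
    if object_route:
        if rule_route and rule_route != object_route:
            warnings.append("Warning: The DNS service route defined in the DNS proxy "
                            "object is different from the DNS proxy rule's service "
                            "route. Using the DNS proxy object's service route.")
        return object_route, warnings
    # A route on the rule profile alone is not used either (assumed fall-through).
    return GLOBAL_DNS_SERVICE_ROUTE, warnings


def resolve_plan(proxy: DnsProxy, qname: str) -> dict:
    """Which servers answer this query and from which source interface."""
    rule = select_rule(proxy, qname)
    profile = rule.profile if rule else proxy.profile
    route, warnings = effective_service_route(proxy, rule)
    return {"query": qname,
            "rule": rule.name if rule else None,
            "servers": [s for s in (profile.primary, profile.secondary) if s],
            "source": route,
            "warnings": warnings}


# Constructed sample configuration for the tenant in vsys6.
INTERNAL = DnsServerProfile("corp1-internal-dns", "10.6.0.53", "10.6.0.54",
                            service_route="ethernet1/21")
PUBLIC = DnsServerProfile("corp1-public-dns", "203.0.113.53",
                          service_route="ethernet1/22")
CORP1_PROXY = DnsProxy("Corp1-DNS-Proxy", "ethernet1/20", PUBLIC, rules=[
    DnsProxyRule("internal-zones",
                 ["*.engineering.local", "engineering.local"], INTERNAL),
])

if __name__ == "__main__":
    for q in ("build.engineering.local", "engineering.local", "www.example.com"):
        print(resolve_plan(CORP1_PROXY, q))
```

Running the module prints one plan per query: the two engineering.local names go to the internal servers, www.example.com falls back to the proxy object's profile, and every query is sourced from ethernet1/22 because that route is on the proxy object's profile, with the commit-style warning emitted only when a matching rule's profile carries a different route.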
Virtual System Functionality with Other Features
Many of the firewall's features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual systems are mentioned in other relevant locations in the documentation and that information is not repeated here. Some of the specific chapters are the following:
- If you are configuring Active/Passive HA, the two firewalls must have the same virtual system capability (single or multiple virtual system capability). See High Availability.
- To configure QoS for virtual systems, see Configure QoS for a Virtual System.
- For information about configuring a firewall with virtual systems in a virtual wire deployment that uses subinterfaces (and VLAN tags), see Virtual Wire Subinterfaces in Interface Deployments.
Certifications
The following topics describe how to configure the firewall to support the Common Criteria and the Federal Information Processing Standard 140-2 (FIPS 140-2), which are security certifications that ensure a standard set of security assurances and functionalities. These certifications are often required by civilian U.S. government agencies and government contractors.
- Enable FIPS and Common Criteria Support
- FIPS-CC Security Functions
Enable FIPS and Common Criteria Support
Use the following procedure to enable FIPS-CC mode on a software version that supports Common Criteria and the Federal Information Processing Standards 140-2 (FIPS 140-2). When you enable FIPS-CC mode, all FIPS and CC functionality is included.
When you enable FIPS-CC mode, the firewall will reset to the factory default settings; all configuration will be removed. Export and save a copy of the running configuration before you begin so that it can be reviewed and re-applied afterwards.
Enable FIPS-CC Mode
Step 1 Boot the firewall into maintenance mode as follows:
1. Establish a serial connection to the console port on the firewall.
2. Enter the following CLI command:
   debug system maintenance-mode
3. Press Enter to continue.
   You can also reboot the firewall and enter maint at the maintenance mode prompt.
Step 2
Step 3
Step 4 When prompted, select Reboot.
After successfully switching to FIPS-CC mode, the following status displays: FIPS-CC mode enabled successfully. In addition, the following changes will take place:
- FIPS-CC will display at all times in the status bar at the bottom of the web interface.
- The console port functions as a status output port only.
- The default admin login credentials change to admin/paloalto.
FIPS-CC Security Functions
When FIPS-CC mode is enabled, the following security functions are enforced:
- To log in to the firewall, the browser must be TLS 1.0 (or later) compatible. On a WF-500 appliance, you manage the appliance using the CLI only and you must connect using an SSHv2-compatible client application.
- All passwords on the firewall must be at least six characters. This is only the enforced floor; a longer minimum is advisable and can be required through the firewall's minimum password complexity settings.
- You must enforce a Failed Attempts and a Lockout Time (min) value that is greater than 0 in the authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
- You must enforce an Idle Timeout value greater than 0 in the authentication settings. If a login session is idle for more than the specified value, the account is automatically logged out.
- The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
- Sessions that use algorithms not approved for FIPS/CC are not decrypted; they are ignored by the decryption feature.
- When configuring an IPSec VPN, the administrator must select one of the cipher suite options presented during the IPSec setup.
- Self-generated and imported certificates must contain public keys that are either RSA 2048 bits (or more) or ECDSA 256 bits (or more), and you must use a digest of SHA-256 or greater.
- The serial console port is only available as a status output port when FIPS-CC mode is enabled.
- Telnet, TFTP, and HTTP management connections are unavailable.
- High availability (HA) port encryption is required.