Administrator's Guide
Version 7.1
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactus
About this Guide
This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall. For additional information, refer to the following resources:
For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.
For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and Panorama 7.1 release notes, go to https://www.paloaltonetworks.com/documentation/71/panos/panosreleasenotes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
2 PAN-OS 7.1 Administrator's Guide
Palo Alto Networks, Inc.
Table of Contents
Getting Started ..... 17
  Integrate the Firewall into Your Management Network ..... 18
    Determine Your Management Strategy ..... 18
    Perform Initial Configuration ..... 19
    Set Up Network Access for External Services ..... 23
  Register the Firewall ..... 28
  Activate Licenses and Subscriptions ..... 29
  Install Content and Software Updates ..... 31
  Segment Your Network Using Interfaces and Zones ..... 35
    Network Segmentation for a Reduced Attack Surface ..... 35
    Configure Interfaces and Zones ..... 36
  Set Up a Basic Security Policy ..... 39
  Assess Network Traffic ..... 43
  Enable Basic Threat Prevention Features ..... 45
    Enable Basic WildFire Forwarding ..... 45
    Scan Traffic for Threats ..... 47
    Control Access to Web Content ..... 51
    Enable AutoFocus Threat Intelligence ..... 54
  Best Practices for Completing the Firewall Deployment ..... 56
Firewall Administration ..... 57
  Management Interfaces ..... 58
  Use the Web Interface ..... 59
    Launch the Web Interface ..... 59
    Configure Banners, Message of the Day, and Logos ..... 60
    Use the Administrator Login Activity Indicators to Detect Account Misuse ..... 62
    Manage and Monitor Administrative Tasks ..... 64
    Commit, Validate, and Preview Firewall Configuration Changes ..... 64
    Use Global Find to Search the Firewall or Panorama Management Server ..... 66
    Manage Locks for Restricting Configuration Changes ..... 67
  Manage Configuration Backups ..... 69
    Back Up a Configuration ..... 69
    Restore a Configuration ..... 70
  Manage Firewall Administrators ..... 72
    Administrative Roles ..... 72
    Administrative Authentication ..... 73
    Configure Administrative Accounts and Authentication ..... 74
    Configure an Administrative Account ..... 74
    Configure Kerberos SSO and External or Local Authentication for Administrators ..... 75
    Configure Certificate-Based Administrator Authentication to the Web Interface ..... 76
    Configure SSH Key-Based Administrator Authentication to the CLI ..... 78
    Configure RADIUS Vendor-Specific Attributes for Administrator Authentication ..... 78
  Reference: Web Interface Administrator Access ..... 80
    Web Interface Access Privileges ..... 80
    Panorama Web Interface Access Privileges ..... 122
  Reference: Port Number Usage ..... 125
    Ports Used for Management Functions ..... 125
    Ports Used for HA ..... 126
    Ports Used for Panorama ..... 126
    Ports Used for GlobalProtect ..... 127
    Ports Used for User-ID ..... 128
  Reset the Firewall to Factory Default Settings ..... 130
  Bootstrap the Firewall ..... 131
    USB Flash Drive Support ..... 131
    Sample init-cfg.txt Files ..... 132
    Prepare a USB Flash Drive for Bootstrapping a Firewall ..... 133
    Bootstrap a Firewall Using a USB Flash Drive ..... 136
Authentication ..... 139
  Configure an Authentication Profile and Sequence ..... 140
  Configure Kerberos Single Sign-On ..... 143
  Configure Local Database Authentication ..... 144
  Configure External Authentication ..... 145
    Configure Authentication Server Profiles ..... 145
    Configure a RADIUS Server Profile ..... 145
    RADIUS Vendor-Specific Attributes Support ..... 146
    Configure a TACACS+ Server Profile ..... 147
    Configure an LDAP Server Profile ..... 148
    Configure a Kerberos Server Profile ..... 150
    Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers ..... 150
    Enable External Authentication for Users and Services ..... 151
  Test Authentication Server Connectivity ..... 152
    Run the Test Authentication Command ..... 152
    Test a Local Database Authentication Profile ..... 153
    Test a RADIUS Authentication Profile ..... 154
    Test a TACACS+ Authentication Profile ..... 156
    Test an LDAP Authentication Profile ..... 157
    Test a Kerberos Authentication Profile ..... 158
  Troubleshoot Authentication Issues ..... 160
Certificate Management ..... 161
  Keys and Certificates ..... 162
  Certificate Revocation ..... 164
    Certificate Revocation List (CRL) ..... 164
    Online Certificate Status Protocol (OCSP) ..... 165
  Certificate Deployment ..... 166
  Set Up Verification for Certificate Revocation Status ..... 167
    Configure an OCSP Responder ..... 167
    Configure Revocation Status Verification of Certificates ..... 168
    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption ..... 168
  Configure the Master Key ..... 170
  Obtain Certificates ..... 171
    Create a Self-Signed Root CA Certificate ..... 171
    Generate a Certificate ..... 172
    Import a Certificate and Private Key ..... 173
    Obtain a Certificate from an External CA ..... 174
  Export a Certificate and Private Key ..... 176
  Configure a Certificate Profile ..... 177
  Configure an SSL/TLS Service Profile ..... 179
  Replace the Certificate for Inbound Management Traffic ..... 180
  Configure the Key Size for SSL Forward Proxy Server Certificates ..... 181
  Revoke and Renew Certificates ..... 182
    Revoke a Certificate ..... 182
    Renew a Certificate ..... 182
  Secure Keys with a Hardware Security Module ..... 183
    Set up Connectivity with an HSM ..... 183
    Encrypt a Master Key Using an HSM ..... 188
    Store Private Keys on an HSM ..... 189
    Manage the HSM Deployment ..... 190
High Availability ..... 191
  HA Overview ..... 192
  HA Concepts ..... 193
    HA Modes ..... 193
    HA Links and Backup Links ..... 194
    Device Priority and Preemption ..... 197
    Failover ..... 197
    LACP and LLDP Pre-Negotiation for Active/Passive HA ..... 198
    Floating IP Address and Virtual MAC Address ..... 198
    ARP Load-Sharing ..... 200
    Route-Based Redundancy ..... 202
    HA Timers ..... 202
    Session Owner ..... 205
    Session Setup ..... 205
    NAT in Active/Active HA Mode ..... 207
    ECMP in Active/Active HA Mode ..... 208
  Set Up Active/Passive HA ..... 209
    Prerequisites for Active/Passive HA ..... 209
    Configuration Guidelines for Active/Passive HA ..... 210
    Configure Active/Passive HA ..... 212
    Define HA Failover Conditions ..... 217
    Verify Failover ..... 218
  Set Up Active/Active HA ..... 219
    Prerequisites for Active/Active HA ..... 219
    Configure Active/Active HA ..... 220
    Determine Your Active/Active Use Case ..... 225
    Use Case: Configure Active/Active HA with Route-Based Redundancy ..... 226
    Use Case: Configure Active/Active HA with Floating IP Addresses ..... 227
    Use Case: Configure Active/Active HA with ARP Load-Sharing ..... 228
    Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall ..... 229
    Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses ..... 233
    Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls ..... 236
    Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT ..... 237
    Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3 ..... 240
  HA Firewall States ..... 243
  Reference: HA Synchronization ..... 245
    What Settings Don't Sync in Active/Passive HA? ..... 245
    What Settings Don't Sync in Active/Active HA? ..... 247
    Synchronization of System Runtime Information ..... 249
    Take an Application Packet Capture ..... 291
    Take a Packet Capture on the Management Interface ..... 294
  Monitor Applications and Threats ..... 296
  Monitor and Manage Logs ..... 297
    Log Types and Severity Levels ..... 297
    Work with Logs ..... 301
    Configure Log Storage Quotas and Expiration Periods ..... 307
    Schedule Log Exports to an SCP or FTP Server ..... 307
  Manage Reporting ..... 309
    Report Types ..... 309
    View Reports ..... 310
    Configure the Report Expiration Period ..... 310
    Disable Predefined Reports ..... 311
    Custom Reports ..... 311
    Generate Custom Reports ..... 314
    Generate Botnet Reports ..... 316
    Generate the SaaS Application Usage Report ..... 318
    Manage PDF Summary Reports ..... 320
    Generate User/Group Activity Reports ..... 321
    Manage Report Groups ..... 323
    Schedule Reports for Email Delivery ..... 324
  Use External Services for Monitoring ..... 325
  Configure Log Forwarding ..... 326
  Configure Email Alerts ..... 329
  Use Syslog for Monitoring ..... 330
    Configure Syslog Monitoring ..... 330
    Syslog Field Descriptions ..... 332
  SNMP Monitoring and Traps ..... 348
    SNMP Support ..... 348
    Use an SNMP Manager to Explore MIBs and Objects ..... 349
    Enable SNMP Services for Firewall-Secured Network Elements ..... 353
    Monitor Statistics Using SNMP ..... 353
    Forward Traps to an SNMP Manager ..... 355
    Supported MIBs ..... 357
  NetFlow Monitoring ..... 364
    Configure NetFlow Exports ..... 364
    NetFlow Templates ..... 365
  Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors ..... 369
User-ID ..... 371
  User-ID Overview ..... 372
  User-ID Concepts ..... 374
    Group Mapping ..... 374
    User Mapping ..... 374
  Enable User-ID ..... 378
  Map Users to Groups ..... 382
  Map IP Addresses to Users ..... 385
    Create a Dedicated Service Account for the User-ID Agent ..... 386
    Configure User Mapping Using the Windows User-ID Agent ..... 389
    Configure User Mapping Using the PAN-OS Integrated User-ID Agent ..... 396
    Configure User-ID to Receive User Mappings from a Syslog Sender ..... 398
    Map IP Addresses to Usernames Using Captive Portal ..... 406
    Configure User Mapping for Terminal Server Users ..... 412
    Send User Mappings to User-ID Using the XML API ..... 419
  Enable User- and Group-Based Policy ..... 420
  Enable Policy for Users with Multiple Accounts ..... 421
  Verify the User-ID Configuration ..... 423
  Deploy User-ID in a Large-Scale Network ..... 425
    Deploy User-ID for Numerous Mapping Information Sources ..... 425
    Configure Firewalls to Redistribute User Mapping Information ..... 429
    Configure the Sinkhole IP Address to a Local Server on Your Network ..... 483
    Identify Infected Hosts ..... 487
  DoS Protection Against Flooding of New Sessions ..... 489
    Multiple-Session DoS Attack ..... 489
    Single-Session DoS Attack ..... 492
    Configure DoS Protection Against Flooding of New Sessions ..... 492
    Use the CLI to End a Single Attacking Session ..... 495
    Identify Sessions That Use an Excessive Percentage of the Packet Buffer ..... 495
    Discard a Session Without a Commit ..... 498
  Content Delivery Network Infrastructure for Dynamic Updates ..... 499
  Threat Prevention Resources ..... 501
Decryption ..... 503
  Decryption Overview ..... 504
  Decryption Concepts ..... 505
    Keys and Certificates for Decryption Policies ..... 505
    SSL Forward Proxy ..... 506
    SSL Inbound Inspection ..... 507
    SSH Proxy ..... 508
    Decryption Exceptions ..... 509
    Decryption Mirroring ..... 510
  Define Traffic to Decrypt ..... 511
    Create a Decryption Profile ..... 511
    Create a Decryption Policy Rule ..... 513
  Configure SSL Forward Proxy ..... 515
  Configure SSL Inbound Inspection ..... 519
  Configure SSH Proxy ..... 521
  Configure Decryption Exceptions ..... 522
    Exclude Traffic from Decryption ..... 522
    Exclude a Server from Decryption ..... 523
  Enable Users to Opt Out of SSL Decryption ..... 524
  Configure Decryption Port Mirroring ..... 526
  Temporarily Disable SSL Decryption ..... 528
URL Filtering ..... 529
  URL Filtering Overview ..... 530
    URL Filtering Vendors ..... 530
    Interaction Between App-ID and URL Categories ..... 531
    PAN-DB Private Cloud ..... 531
  URL Filtering Concepts ..... 534
    URL Categories ..... 534
    URL Filtering Profile ..... 536
    URL Filtering Profile Actions ..... 536
    Block and Allow Lists ..... 537
    External Dynamic List for URLs ..... 538
    Safe Search Enforcement ..... 538
    Container Pages ..... 540
    HTTP Header Logging ..... 540
    URL Filtering Response Pages ..... 540
    URL Category as Policy Match Criteria ..... 542
  PAN-DB Categorization ..... 544
    PAN-DB URL Categorization Components ..... 544
    PAN-DB URL Categorization Workflow ..... 545
  Enable a URL Filtering Vendor ..... 547
    Enable PAN-DB URL Filtering ..... 547
    Enable BrightCloud URL Filtering ..... 548
  Determine URL Filtering Policy Requirements ..... 551
  Use an External Dynamic List in a URL Filtering Profile ..... 553
  Monitor Web Activity ..... 555
    Monitor Web Activity of Network Users ..... 555
    View the User Activity Report ..... 557
    Configure Custom URL Filtering Reports ..... 559
  Configure URL Filtering ..... 560
  Customize the URL Filtering Response Pages ..... 562
  Configure URL Admin Override ..... 563
  Enable Safe Search Enforcement ..... 565
    Block Search Results that are not Using Strict Safe Search Settings ..... 565
    Enable Transparent Safe Search Enforcement ..... 568
  Set Up the PAN-DB Private Cloud ..... 572
    Configure the PAN-DB Private Cloud ..... 572
    Configure the Firewalls to Access the PAN-DB Private Cloud ..... 577
  URL Filtering Use Case Examples ..... 578
    Use Case: Control Web Access ..... 578
    Use Case: Use URL Categories for Policy Matching ..... 582
  Troubleshoot URL Filtering ..... 584
    Problems Activating PAN-DB ..... 584
    PAN-DB Cloud Connectivity Issues ..... 585
    URLs Classified as Not-Resolved ..... 586
    Incorrect Categorization ..... 586
    URL Database Out of Date ..... 587
VPNs ..... 615
  VPN Deployments ..... 616
  Site-to-Site VPN Overview ..... 617
  Site-to-Site VPN Concepts ..... 618
    IKE Gateway ..... 618
    Tunnel Interface ..... 618
    Tunnel Monitoring ..... 619
    Internet Key Exchange (IKE) for VPN ..... 620
    IKEv2 ..... 622
  Set Up Site-to-Site VPN ..... 626
    Set Up an IKE Gateway ..... 626
    Define Cryptographic Profiles ..... 632
    Set Up an IPSec Tunnel ..... 635
    Set Up Tunnel Monitoring ..... 638
    Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel ..... 639
    Test VPN Connectivity ..... 641
    Interpret VPN Error Messages ..... 642
  Site-to-Site VPN Quick Configs ..... 643
    Site-to-Site VPN with Static Routing ..... 643
    Site-to-Site VPN with OSPF ..... 647
    Site-to-Site VPN with Static and Dynamic Routing ..... 653
Large Scale VPN (LSVPN) ..... 659
  LSVPN Overview ..... 660
  Create Interfaces and Zones for the LSVPN ..... 661
  Enable SSL Between GlobalProtect LSVPN Components ..... 663
    About Certificate Deployment ..... 663
    Deploy Server Certificates to the GlobalProtect LSVPN Components ..... 663
    Deploy Client Certificates to the GlobalProtect Satellites Using SCEP ..... 666
  Configure the Portal to Authenticate Satellites ..... 669
  Configure GlobalProtect Gateways for LSVPN ..... 671
    Prerequisite Tasks ..... 671
    Configure the Gateway ..... 671
  Configure the GlobalProtect Portal for LSVPN ..... 674
    Prerequisite Tasks ..... 674
    Configure the Portal ..... 674
    Define the Satellite Configurations ..... 675
  Prepare the Satellite to Join the LSVPN ..... 679
  Verify the LSVPN Configuration ..... 681
  LSVPN Quick Configs ..... 682
    Basic LSVPN Configuration with Static Routing ..... 683
    Advanced LSVPN Configuration with Dynamic Routing ..... 686
    Advanced LSVPN Configuration with iBGP ..... 689
  NAT ..... 757
    NAT Policy Rules ..... 757
    Source NAT and Destination NAT ..... 760
    NAT Rule Capacities ..... 761
    Dynamic IP and Port NAT Oversubscription ..... 761
    Dataplane NAT Memory Statistics ..... 763
    Configure NAT ..... 764
    NAT Configuration Examples ..... 771
  NPTv6 ..... 779
    NPTv6 Overview ..... 779
    How NPTv6 Works ..... 781
    NDP Proxy ..... 782
    NPTv6 and NDP Proxy Example ..... 784
    Create an NPTv6 Policy ..... 785
  ECMP ..... 788
    ECMP Load-Balancing Algorithms ..... 788
    ECMP Platform, Interface, and IP Routing Support ..... 789
    Configure ECMP on a Virtual Router ..... 790
    Enable ECMP for Multiple BGP Autonomous Systems ..... 791
    Verify ECMP ..... 793
  LLDP ..... 794
    LLDP Overview ..... 794
    Supported TLVs in LLDP ..... 795
    LLDP Syslog Messages and SNMP Traps ..... 796
    Configure LLDP ..... 797
    View LLDP Settings and Status ..... 799
    Clear LLDP Statistics ..... 800
  BFD ..... 801
    BFD Overview ..... 801
    Configure BFD ..... 804
  Reference: BFD Details ..... 811
Policy ..... 815
  Policy Types ..... 816
  Security Policy ..... 817
    Components of a Security Policy Rule ..... 817
    Security Policy Actions ..... 820
    Create a Security Policy Rule ..... 820
  Policy Objects ..... 823
  Security Profiles ..... 824
    Antivirus Profiles ..... 825
    Anti-Spyware Profiles ..... 825
    Vulnerability Protection Profiles ..... 826
    URL Filtering Profiles ..... 826
    Data Filtering Profiles ..... 827
    File Blocking Profiles ..... 828
    WildFire Analysis Profiles ..... 828
    DoS Protection Profiles ..... 828
Zone Protection Profiles ... 829
Security Profile Group ... 829
Best Practice Internet Gateway Security Policy ... 833
What Is a Best Practice Internet Gateway Security Policy? ... 833
Why Do I Need a Best Practice Internet Gateway Security Policy? ... 835
How Do I Deploy a Best Practice Internet Gateway Security Policy? ... 836
Identify Whitelist Applications ... 837
Create User Groups for Access to Whitelist Applications ... 840
Decrypt Traffic for Full Visibility and Threat Inspection ... 840
Create Best Practice Security Profiles ... 842
Define the Initial Internet Gateway Security Policy ... 846
Monitor and Fine Tune the Policy Rulebase ... 854
Remove the Temporary Rules ... 855
Maintain the Rulebase ... 856
Enumeration of Rules Within a Rulebase ... 857
Move or Clone a Policy Rule or Object to a Different Virtual System ... 858
Use Tags to Group and Visually Distinguish Objects ... 859
Create and Apply Tags ... 859
Modify Tags ... 860
Use the Tag Browser ... 860
Use an External Dynamic List in Policy ... 865
External Dynamic List ... 865
Formatting Guidelines for an External Dynamic List ... 866
Enforce Policy on Entries in an External Dynamic List ... 867
View the List of Entries in an External Dynamic List ... 870
Retrieve an External Dynamic List from the Web Server ... 871
Register IP Addresses and Tags Dynamically ... 872
Monitor Changes in the Virtual Environment ... 873
Enable VM Monitoring to Track Changes on the Virtual Network ... 873
Attributes Monitored in the AWS and VMware Environments ... 875
Use Dynamic Address Groups in Policy ... 876
CLI Commands for Dynamic IP Addresses and Tags ... 879
Identify Users Connected through a Proxy Server ... 881
Use XFF Values for Policies and Logging Source Users ... 881
Add XFF Values to URL Filtering Logs ... 882
Policy-Based Forwarding ... 883
PBF ... 883
Create a Policy-Based Forwarding Rule ... 886
Use Case: PBF for Outbound Access with Dual ISPs ... 888
Virtual Systems ... 895
Virtual Systems Overview ... 896
Virtual System Components and Segmentation ... 896
Benefits of Virtual Systems ... 897
Use Cases for Virtual Systems ... 897
Platform Support and Licensing for Virtual Systems ... 898
Administrative Roles for Virtual Systems ... 898
Certifications ... 929
Enable FIPS and Common Criteria Support ... 930
FIPS-CC Security Functions ... 931
Getting Started
The following topics provide detailed steps to help you deploy a new Palo Alto Networks next-generation firewall. They provide details for integrating a new firewall into your network, registering the firewall, activating licenses and subscriptions, and configuring basic security policies and threat prevention features.
After you perform the basic configuration steps required to integrate the firewall into your network, you can use the rest of the topics in this guide to help you deploy the comprehensive security platform features as necessary to address your network security needs.
- Integrate the Firewall into Your Management Network
- Register the Firewall
- Activate Licenses and Subscriptions
- Install Content and Software Updates
- Segment Your Network Using Interfaces and Zones
- Set Up a Basic Security Policy
- Assess Network Traffic
- Enable Basic Threat Prevention Features
- Best Practices for Completing the Firewall Deployment
Integrate the Firewall into Your Management Network
All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to perform the firewall administration functions. By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance. When using the web interface, you must perform all initial configuration tasks from the MGT port even if you plan to use an in-band data port for managing your firewall going forward.
Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the Internet. If you do not want to enable external access to your MGT port, you will need to either set up an in-band data port to provide access to required external services (using service routes) or plan to manually upload updates regularly.
The following topics describe how to perform the initial configuration steps that are necessary to integrate a new firewall into the management network and deploy it in a basic security configuration.
- Determine Your Management Strategy
- Perform Initial Configuration
- Set Up Network Access for External Services
The following topics describe how to integrate a single Palo Alto Networks next-generation firewall into your network. However, for redundancy, consider deploying a pair of firewalls in a High Availability configuration.
- Reduce the complexity and administrative overhead in managing configuration, policies, software and dynamic content updates. Using device groups and templates on Panorama, you can effectively manage firewall-specific configuration locally on a firewall and enforce shared policies across all firewalls or device groups.
- Aggregate data from all managed firewalls and gain visibility across all the traffic on your network. The Application Command Center (ACC) on Panorama provides a single glass pane for unified reporting across all the firewalls, allowing you to centrally analyze, investigate and report on network traffic, security incidents and administrative modifications.
The procedures that follow describe how to manage the firewall using the local web interface. If you want to use Panorama for centralized management, first Perform Initial Configuration and verify that the firewall can establish a connection to Panorama. From that point on you can use Panorama to configure your firewall centrally.
Set Up Network Access to the Firewall
Step 1 Gather the required information from your network administrator.
- IP address for MGT port
- Netmask
- Default gateway
- DNS server address
Step 2 Connect your computer to the firewall.
You can connect to the firewall in one of the following ways:
- Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to complete; when the firewall is ready, the prompt changes to the name of the firewall, for example PA-500 login.
- Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall. From a browser, go to https://192.168.1.1. Note that you may need to change the IP address on your computer to an address in the 192.168.1.0/24 network, such as 192.168.1.2, in order to access this URL.
Step 3 When prompted, log in to the firewall.
You must log in using the default username and password (admin/admin). The firewall will begin to initialize.
Step 4 Configure the MGT interface.
1.
2. Configure the address settings for the MGT interface using one of the following methods:
- To configure static IP address settings for the MGT interface, set the IP Type to Static and enter the IP Address, Netmask, and Default Gateway.
- To dynamically configure the MGT interface address settings, set the IP Type to DHCP. To use this method, you must Configure the Management Interface as a DHCP Client.
To prevent unauthorized access to the management interface, it is a best practice to Add the Permitted IP Addresses from which an administrator can access the MGT interface.
3. Set the Speed to auto-negotiate.
4. Select which management services to allow on the interface.
Make sure Telnet and HTTP are not selected because these services use plaintext and are not as secure as the other services and could compromise administrator credentials.
5. Click OK.
Step 5 Configure DNS, update server, and proxy server settings.
You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
1.
2.
3. Click OK.
Step 6 Configure date and time (NTP) settings.
1.
2. On the NTP tab, to use the virtual cluster of time servers on the Internet, enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
3.
4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server:
- None (Default): Disables NTP authentication.
- Symmetric Key: Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
  - Key ID: Enter the Key ID (1-65534).
  - Algorithm: Select the algorithm to use in NTP authentication (MD5 or SHA1).
- Autokey: Firewall uses autokey (public key cryptography) to authenticate time updates.
5. Click OK.
Step 7 (Optional) Configure general firewall settings as needed.
1.
2. Enter a Hostname for the firewall and enter your network Domain name. The domain name is just a label; it will not be used to join the domain.
3. Enter Login Banner text that informs users who are about to log in that they require authorization to access the firewall management functions.
As a best practice, avoid using welcoming verbiage. Additionally, you should ask your legal department to review the banner message to ensure it adequately warns that unauthorized access is prohibited.
4.
5. Click OK.
Step 8 Set a secure password for the admin account.
1.
2. Select the admin role.
3. Enter the current default password and the new password.
4. Click OK to save your settings.
Step 9 Commit your changes.
Click Commit at the top right of the web interface. The firewall can take up to 90 seconds to save your changes.
When the configuration changes are saved, you lose connectivity to the web interface because the IP address has changed.
Step 10 Connect the firewall to your network.
1. Disconnect the firewall from your computer.
2. Connect the MGT port to a switch port on your management network using an RJ-45 Ethernet cable. Make sure that the switch port you cable the firewall to is configured for autonegotiation.
Step 11 Open an SSH management session to the firewall.
Using terminal emulation software, such as PuTTY, launch an SSH session to the firewall using the new IP address you assigned to it.
Step 12 Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
You can do this in one of the following ways:
- If you do not want to allow external network access to the MGT interface, you will need to set up a data port to retrieve required service updates. Continue to Set Up Network Access for External Services.
- If you do plan to allow external network access to the MGT interface, verify that you have connectivity and then proceed to Register the Firewall and Activate Licenses and Subscriptions.
1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.
admin@PA-200> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
After verifying DNS resolution, press Ctrl+C to stop the ping request.
2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
request support check
If you have connectivity, the update server will respond with the support status for your firewall. Because your firewall is not registered, the update server will return the following message:
Contact Us
https://www.paloaltonetworks.com/company/contact-us.html
Support Home
https://www.paloaltonetworks.com/support/tabs/overview.html
Device not found on this update server
Set Up a Data Port for Access to External Services
Step 1 Decide which port you want to use for access to external services and connect it to your switch or router port.
The interface you use must have a static IP address.
Step 2 Log in to the web interface.
Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>). You will see a certificate warning; that is okay. Continue to the web page.
Step 3 (Optional) The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and zones). If you do not plan to use this virtual wire configuration, you must manually delete the configuration to prevent it from interfering with other interface settings you define.
You must delete the configuration in the following order:
1. To delete the default security policy, select Policies > Security, select the rule, and click Delete.
2.
3. To delete the default trust and untrust zones, select Network > Zones, select each zone and click Delete.
4. To delete the interface configurations, select Network > Interfaces and then select each interface (ethernet1/1 and ethernet1/2) and click Delete.
5. Commit the changes.
Step 4 Configure the interface you plan to use for external access to management services.
1.
2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the steps for Layer3.
3. On the Config tab, expand the Security Zone drop-down and select New Zone.
4. In the Zone dialog, enter a Name for the new zone, for example Management, and then click OK.
5. Select the IPv4 tab, select the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.254/24. You must use a static IP address on this interface.
6.
7. Enter a Name for the profile, such as allow_ping, and then select the services you want to allow on the interface. For the purposes of allowing access to the external services, you probably only need to enable Ping and then click OK.
These services provide management access to the firewall, so only select the services that correspond to the management activities you want to allow on this interface. For example, if you plan to use the MGT interface for firewall configuration tasks through the web interface or CLI, you would not want to enable HTTP, HTTPS, SSH, or Telnet so that you could prevent unauthorized access through this interface (and if you did allow those services, you should limit access to a specific set of Permitted IP Addresses). For details, see Use Interface Management Profiles to Restrict Access.
8. To save the interface configuration, click OK.
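The advice in Step 4 of the initial configuration (no Telnet or HTTP on the MGT port, restrict Permitted IP Addresses) and in step 7 above (a data-port profile that only needs Ping, and permitted addresses for any admin service you do enable) can be checked mechanically before a commit. The following is an added example, not code from the guide or from PAN-OS; the service names and the settings dictionaries are assumptions constructed for the example.

```python
"""Audit management-access settings against the guide's advice (added example)."""
import ipaddress
from typing import Iterable, List

# Service names mirror the checkboxes the guide names; the exact strings are
# an assumption of this example, compared case-insensitively.
PLAINTEXT_SERVICES = {"telnet", "http"}          # credentials travel in plaintext
ADMIN_SERVICES = {"telnet", "http", "https", "ssh"}  # give configuration access


def check_permitted_ips(permitted: Iterable[str]) -> List[str]:
    """Findings about a Permitted IP Addresses list: empty means any source may
    connect; entries must be valid networks; a 0-bit prefix admits everyone."""
    findings = []
    entries = list(permitted)
    if not entries:
        findings.append("no Permitted IP Addresses: any source may reach the management service")
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"invalid permitted entry {entry!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"permitted entry {entry} allows every address")
    return findings


def audit_mgt_interface(services: Iterable[str], permitted: Iterable[str]) -> List[str]:
    """MGT port advice: leave Telnet and HTTP unselected, and add Permitted IP
    Addresses so only administrator hosts can reach the interface."""
    enabled = {s.lower() for s in services}
    findings = [f"plaintext service {s} enabled on MGT"
                for s in sorted(enabled & PLAINTEXT_SERVICES)]
    findings += check_permitted_ips(permitted)
    return findings


def audit_data_port_profile(services: Iterable[str], permitted: Iterable[str],
                            mgt_used_for_admin: bool = True) -> List[str]:
    """Interface Management Profile advice for a data port that only needs to
    reach external services: Ping is enough. If administration happens on MGT,
    no admin service belongs here; any admin service that is enabled anyway
    must be limited to a specific set of Permitted IP Addresses."""
    enabled = {s.lower() for s in services}
    findings = []
    admin_enabled = sorted(enabled & ADMIN_SERVICES)
    if admin_enabled and mgt_used_for_admin:
        findings.append("admin services on data port while MGT is used for administration: "
                        + ", ".join(admin_enabled))
    if admin_enabled:
        findings += check_permitted_ips(permitted)
    return findings


# Constructed sample settings (not from the guide): the weak configuration and
# the corrected one.
MGT_BEFORE = {"services": ["HTTPS", "SSH", "Telnet", "HTTP", "Ping"], "permitted": []}
MGT_AFTER = {"services": ["HTTPS", "SSH", "Ping"], "permitted": ["10.1.1.0/24", "10.2.2.5"]}

if __name__ == "__main__":
    for label, cfg in (("before", MGT_BEFORE), ("after", MGT_AFTER)):
        print(label, audit_mgt_interface(cfg["services"], cfg["permitted"]) or "clean")
    print("data port", audit_data_port_profile(["Ping"], []) or "clean")
```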
Step 5 Configure the service routes.
By default, the firewall uses the MGT interface to access the external services it requires. To change the interface the firewall uses to send requests to external services, you must edit the service routes.
This example shows how to set up global service routes. For information on setting up network access to external services on a virtual system basis rather than a global basis, see Per-Virtual-System Service Routes.
1.
For the purposes of activating your licenses and getting the most recent content and software updates, you will want to change the service route for DNS, Palo Alto Updates, URL Updates, WildFire, and AutoFocus.
2. Click the Customize radio button, and select one of the following:
- For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface you just configured.
If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
- To create a service route for a custom destination, select Destination, and click Add. Enter a Destination name and select a Source Interface. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
3. Click OK to save the settings.
4. Repeat steps 2-3 above for each service route you want to modify.
5. Commit your changes.
Step 6 Configure an external-facing interface and an associated zone and then create a security policy rule to allow the firewall to send service requests from the internal zone to the external zone.
1.
2. To set up a security rule that allows traffic from your internal network to the Palo Alto Networks update server, select Policies > Security and click Add.
As a best practice when creating Security policy rules, use application-based rules instead of port-based rules to ensure that you are accurately identifying the underlying application regardless of the port, protocol, evasive tactics, or encryption in use. Always leave the Service set to application-default. In this case, create a security policy rule that allows access to the update server (and other Palo Alto Networks services).
Step 7 Create a NAT policy rule.
1. If you are using a private IP address on the internal-facing interface, you will need to create a source NAT rule to translate the address to a publicly routable address. Select Policies > NAT and then click Add. At a minimum you must define a name for the rule (General tab), specify a source and destination zone, Management to Internet in this case (Original Packet tab), and define the source address translation settings (Translated Packet tab) and then click OK.
2. Commit your changes.
Step 8 Verify that you have connectivity from the data port to the external services, including the default gateway, and the Palo Alto Networks Update Server.
After you verify you have the required network connectivity, continue to Register the Firewall and Activate Licenses and Subscriptions.
1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.
admin@PA-200> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
After verifying DNS resolution, press Ctrl+C to stop the ping request.
2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
request support check
If you have connectivity, the update server will respond with the support status for your firewall. Because your firewall is not registered, the update server will return the following message:
Contact Us
https://www.paloaltonetworks.com/company/contact-us.html
Support Home
https://www.paloaltonetworks.com/support/tabs/overview.html
Device not found on this update server
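The connectivity check in Step 12 of the initial configuration and in Step 8 here has a pass condition that is easy to misread: the hostname must resolve even though the update server never answers the ping, and an unregistered firewall is expected to get "Device not found on this update server" back. The following added example (not code from the guide or from PAN-OS) parses the two CLI outputs quoted above and applies that reading; the sample outputs are constructed from the guide's text, and the unknown-host line is an assumed failure message.

```python
"""Read the PAN-OS ping / request support check output the way the guide says to (added example)."""
import re
from typing import Optional

# Constructed samples, laid out on one line per message as the CLI prints them.
PING_OUTPUT = """\
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
"""
NO_DNS_OUTPUT = "ping: unknown host updates.paloaltonetworks.com\n"  # assumed wording
SUPPORT_CHECK_OUTPUT = """\
Contact Us
https://www.paloaltonetworks.com/company/contact-us.html
Support Home
https://www.paloaltonetworks.com/support/tabs/overview.html
Device not found on this update server
"""

# "PING <host> (<ip>) ..." is only printed once the name has resolved.
_PING_HEADER = re.compile(r"^PING\s+(?P<host>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")
# A real echo reply looks like "64 bytes from <ip>: icmp_seq=1 ..."
_ECHO_REPLY = re.compile(r"^\d+ bytes from .*icmp_seq=\d+")


def resolved_address(ping_output: str) -> Optional[str]:
    """The address the update server name resolved to, or None if DNS failed."""
    for line in ping_output.splitlines():
        m = _PING_HEADER.match(line.strip())
        if m:
            return m.group("ip")
    return None


def classify_ping(ping_output: str) -> str:
    """'no-dns': the name never resolved, so DNS or the DNS service route is wrong.
    'no-reply': resolved, but only unreachable messages came back. This is the
    normal outcome, because the update server does not answer ping.
    'reply': an echo reply came back."""
    if resolved_address(ping_output) is None:
        return "no-dns"
    for line in ping_output.splitlines():
        if _ECHO_REPLY.match(line.strip()):
            return "reply"
    return "no-reply"


def classify_support_check(output: str) -> str:
    """'unregistered': the server answered with the 'Device not found' message
    the guide describes for a firewall that is not yet registered.
    'status-returned': some other support status came back.
    'no-response': nothing came back, i.e. the update server was not reached."""
    text = output.strip()
    if not text:
        return "no-response"
    if "Device not found on this update server" in text:
        return "unregistered"
    return "status-returned"


def management_path_ok(ping_output: str, support_output: str) -> bool:
    """Pass criteria from the guide: DNS resolved the update server name and
    request support check received an answer (registered or not)."""
    return (classify_ping(ping_output) != "no-dns"
            and classify_support_check(support_output) != "no-response")


if __name__ == "__main__":
    print("resolved to", resolved_address(PING_OUTPUT), "->", classify_ping(PING_OUTPUT))
    print("support check:", classify_support_check(SUPPORT_CHECK_OUTPUT))
    print("path ok:", management_path_ok(PING_OUTPUT, SUPPORT_CHECK_OUTPUT))
```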
Register the Firewall
Before you can activate support and other licenses and subscriptions, you must first register the firewall. If you are registering a VM-Series firewall, refer to the VM-Series Deployment Guide.
Register the Firewall
Step 1 Log in to the web interface.
Using a secure connection (https) from your web browser, log in using the new IP address and password you assigned during initial configuration (https://<IP address>).
Step 2
Step 3 Go to the Palo Alto Networks Customer Support portal and log in.
In a new browser tab or window, go to https://www.paloaltonetworks.com/support/tabs/overview.html.
Step 4 Register the firewall.
You must have a support account to register a firewall. If you do not yet have a support account, click the Register link on the support login page and follow the instructions to get your account set up and register the firewall.
If you already have a support account, log in and register the hardware-based firewall as follows:
1.
2.
3.
4. Enter the firewall Serial Number (you can copy and paste it from the firewall Dashboard).
5.
6. Provide information about where you plan to deploy the firewall including the City, Postal Code, and Country.
7. Read the end user license agreement (EULA) and then click Agree and Submit.
Activate Licenses and Subscriptions
Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for each of the services you purchased. Available licenses and subscriptions include the following:
- Threat Prevention: Provides antivirus, anti-spyware, and vulnerability protection.
- Decryption Mirroring: Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures such as NetWitness or Solera for archiving and analysis.
- URL Filtering: Allows you to create security policy to enforce web access based on dynamic URL categories. You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. For more information about URL filtering, see Control Access to Web Content.
- Virtual Systems: This license is required to enable support for multiple virtual systems on PA-2000 and PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-500, PA-200, and VM-Series firewalls do not support virtual systems.
- WildFire: Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to a WF-500 appliance.
- GlobalProtect: Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use HIP checks, you will also need gateway licenses (subscription) for each gateway.
- AutoFocus: Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.
Activate Licenses and Subscriptions
Step 1 Locate the activation codes for the licenses you purchased.
When you purchased your subscriptions you should have received an email from Palo Alto Networks customer service listing the activation code associated with each subscription. If you cannot locate this email, contact Customer Support to obtain your activation codes before you proceed.
Step 2 Activate your Support license.
You will not be able to update your PAN-OS software if you do not have a valid Support license.
1.
2.
3. Enter your Authorization Code and then click OK.
Step 3 Activate each license you purchased.
Step 4 Verify that the license was successfully activated.
Step 5 (WildFire subscriptions only) Perform a commit to complete WildFire subscription activation.
After activating a WildFire subscription, a commit is required for the firewall to begin forwarding advanced file types. You should either:
- Commit any pending changes.
- Check that the WildFire Analysis profile rules include the advanced file types that are now supported with the WildFire subscription. If no change to any of the rules is required, make a minor edit to a rule description and perform a commit.
Install Content and Software Updates
In order to stay ahead of the changing threat and application landscape, Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. By default, the firewalls use the management port to access the CDN infrastructure for application updates, threat and antivirus signature updates, BrightCloud and PAN-DB database updates and lookups, and access to the Palo Alto Networks WildFire cloud. To ensure that you are always protected from the latest threats (including those that have not yet been discovered), you must ensure that you keep your firewalls up to date with the latest content and software updates published by Palo Alto Networks.
The following content updates are available, depending on which subscriptions you have:
Although you can manually download and install content updates at any time, as a best practice you should Schedule each content update. Scheduled updates occur automatically.
- Antivirus: Includes new and updated antivirus signatures, including signatures discovered by the WildFire cloud service. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
- Applications: Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- Applications and Threats: Includes new and updated application and threat signatures. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New Applications and Threats updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
- GlobalProtect Data File: Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect gateway license and create an update schedule in order to receive these updates.
- BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as firewalls remain in sync with the servers automatically.
- WildFire: Provides near-real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the Applications and Threats update.
Install Content and Software Updates
Step 1 Ensure that the firewall has access to the update server.
1. By default, the firewall accesses the Update Server at updates.paloaltonetworks.com so that the firewall receives content updates from the server to which it is closest in the CDN infrastructure. If the firewall has restricted access to the Internet, set the update server address to use the hostname staticupdates.paloaltonetworks.com or the IP address 199.167.52.15 instead of dynamically selecting a server from the CDN infrastructure.
2.
3. (Optional) If the firewall needs to use a proxy server to reach Palo Alto Networks update services, in the Proxy Server window, enter:
- Server: IP address or hostname of the proxy server.
- Port: Port for the proxy server. Range: 1-65535.
- User: Username to access the server.
- Password: Password for the user to access the proxy server. Re-enter the password at Confirm Password.
Step 2 Check for the latest content updates.
You cannot download the antivirus update until you have installed the Application and Threats update.
- Upgrade: Indicates that a new version of the BrightCloud database is available. Click the link to begin the download and installation of the database. The database upgrade begins in the background; when completed a check mark displays in the Currently Installed column. Note that if you are using PAN-DB as your URL filtering database you will not see an upgrade link because the PAN-DB database on the firewall automatically synchronizes with the PAN-DB cloud.
To check the status of an action, click Tasks (on the lower right-hand corner of the window).
- Revert: Indicates that a previously installed version of the content or software version is available. You can choose to revert to the previously installed version.
Step 3 Install the content updates.
Click the Install link in the Action column. When the installation completes, a check mark displays in the Currently Installed column.
Installation can take up to 20 minutes on a PA-200, PA-500, or PA-2000 Series firewall and up to two minutes on a PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, or VM-Series firewall.
Step 4 Schedule each content update.
Repeat this step for each update you want to schedule.
Stagger the update schedules because the firewall can only download one update at a time. If you schedule the updates to download during the same time interval, only the first download will succeed.
1. Set the schedule of each update type by clicking the None link.
2. Specify how often you want the updates to occur by selecting a value from the Recurrence drop-down. The available values vary by content type (WildFire updates are available Every Minute, Every 15 Minutes, Every 30 minutes, or Every Hour whereas Applications and Threats updates can be scheduled for Daily or Weekly update and Antivirus updates can be scheduled for Hourly, Daily, or Weekly).
As new WildFire signatures are made available every five minutes, set the firewall to retrieve WildFire updates Every Minute to get the latest signatures within a minute of availability.
3. Specify the Time (or, in the case of WildFire, the minutes past the hour) and, if applicable for the Recurrence value you selected, the Day of the week on which you want the updates to occur.
4.
5. Enter how long after a release to wait before performing a content update in the Threshold (Hours) field. In rare instances, errors in content updates may be found. For this reason, you may want to delay installing new updates until they have been released for a certain number of hours.
6. Click OK to save the schedule settings.
7. Click Commit to save the settings to the running configuration.
Step 5 Update PAN-OS.
Always update content before updating PAN-OS. Every PAN-OS version has a minimum supported content release version.
1. Review the Release Notes.
2. Update the PAN-OS software.
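Because the firewall downloads one update at a time and only the first of two simultaneous downloads succeeds, it is worth checking a set of schedules for shared start times before committing them. The following added example (not code from the guide or from PAN-OS) models the Recurrence values the guide lists for each update type and reports every pair of schedules that starts in the same minute during a week; the schedule dictionaries are constructed for the example.

```python
"""Find content-update schedules that would start downloading at the same minute (added example)."""
from itertools import combinations
from typing import Dict, List, Set, Tuple

MINUTES_PER_WEEK = 7 * 24 * 60
DAYS = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]

# Period in minutes for each Recurrence value the guide lists (WildFire: every
# minute / 15 minutes / 30 minutes / hour; Antivirus: hourly / daily / weekly;
# Applications and Threats: daily / weekly). The key spellings are assumed.
RECURRENCE_PERIOD = {
    "every-minute": 1,
    "every-15-minutes": 15,
    "every-30-minutes": 30,
    "hourly": 60,
    "daily": 24 * 60,
    "weekly": MINUTES_PER_WEEK,
}


def start_minutes(recurrence: str, minute: int = 0, hour: int = 0,
                  day: str = "sunday") -> Set[int]:
    """Minute offsets within one week (0 = Sunday 00:00) at which a schedule
    starts a download. `minute` is the minutes-past-the-hour setting for
    sub-daily recurrences; `hour` and `day` are the Time and Day settings for
    daily and weekly recurrences."""
    period = RECURRENCE_PERIOD[recurrence]
    if period < 60:
        first = minute % period            # every-15-minutes at :05 -> :05, :20, :35, :50
    elif period == 60:
        first = minute
    elif period == 24 * 60:
        first = hour * 60 + minute
    else:
        first = DAYS.index(day) * 24 * 60 + hour * 60 + minute
    return set(range(first, MINUTES_PER_WEEK, period))


def find_collisions(schedules: Dict[str, dict]) -> List[Tuple[str, str, int]]:
    """(name_a, name_b, first_shared_minute) for every pair of schedules that
    start at the same minute at least once during the week; the second download
    of such a pair would fail."""
    fires = {name: start_minutes(**spec) for name, spec in schedules.items()}
    hits = []
    for a, b in combinations(sorted(fires), 2):
        shared = fires[a] & fires[b]
        if shared:
            hits.append((a, b, min(shared)))
    return hits


def describe_minute(m: int) -> str:
    """Human-readable 'day HH:MM' for a minute offset within the week."""
    day, rest = divmod(m, 24 * 60)
    hour, minute = divmod(rest, 60)
    return f"{DAYS[day]} {hour:02d}:{minute:02d}"


# Constructed sample schedules (not from the guide). In CLASHING the hourly
# antivirus download at :30 coincides with the daily Applications and Threats
# download at 01:30; STAGGERED moves the daily download to 01:45.
CLASHING = {
    "antivirus": {"recurrence": "hourly", "minute": 30},
    "applications-and-threats": {"recurrence": "daily", "hour": 1, "minute": 30},
    "wildfire": {"recurrence": "every-15-minutes", "minute": 5},
}
STAGGERED = {
    "antivirus": {"recurrence": "hourly", "minute": 30},
    "applications-and-threats": {"recurrence": "daily", "hour": 1, "minute": 45},
    "wildfire": {"recurrence": "every-15-minutes", "minute": 5},
}

if __name__ == "__main__":
    for name, sched in (("clashing", CLASHING), ("staggered", STAGGERED)):
        hits = find_collisions(sched)
        print(name, "->", [f"{a} / {b} at {describe_minute(m)}" for a, b, m in hits] or "no overlap")
```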
Segment Your Network Using Interfaces and Zones
Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall. Because traffic can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data and the more protection you have against malware moving laterally throughout your network. For example, you might want to segment access to the database servers that store your customer data into a zone called Customer Data. You can then define security policies that only permit certain users or groups of users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment.
- Network Segmentation for a Reduced Attack Surface
- Configure Interfaces and Zones
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 35
SegmentYourNetworkUsingInterfacesandZones
GettingStarted
Set Up Interfaces and Zones
Step 1
Configure a default route to your Internet router.
1.
2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination field (for example, 0.0.0.0/0).
3.
4. Click OK twice to save the virtual router configuration.
Step 2
Configure the external interface (the interface that connects to the Internet).
1.
2. Select the Interface Type. Although your choice here depends on interface topology, this example shows the steps for Layer 3.
3.
4. In the Virtual Router drop-down, select default.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.113.23/24.
6.
7. To save the interface configuration, click OK.
Set Up Interfaces and Zones (Continued)
Step 3
Configure the interface that connects to your internal network.
In this example, the interface connects to a network segment that uses private IP addresses. Because private IP addresses cannot be routed externally, you will have to configure NAT.
1.
2.
3.
4.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.4/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
7. To save the interface configuration, click OK.
Step 4
Configure the interface that connects to your data center applications.
Although this basic security policy example configuration depicts using a single zone for all of your data center applications, as a best practice you would want to define more granular zones to prevent unauthorized access to sensitive applications or data and eliminate the possibility of malware moving laterally within your data center.
1. Select the interface you want to configure.
2. Select Layer3 from the Interface Type drop-down. In this example, we are configuring Ethernet1/1 as the interface that provides access to your data center applications.
3. On the Config tab, expand the Security Zone drop-down and select New Zone. In the Zone dialog, define a Name for the new zone, for example Data Center Applications, and then click OK.
4. Select the Virtual Router you used in Step 2, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.1.1.1/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
7. To save the interface configuration, click OK.
Step 5
(Optional) Create tags for each zone.
Tags allow you to visually scan policy rules.
1.
2. Select a zone Name.
3. Select a tag Color and click OK.
Step 6
Save the interface configuration.
Click Commit.
Set Up Interfaces and Zones (Continued)
Step 7
Cable the firewall.
Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.
Step 8
Verify that the interfaces are active.
Select Dashboard and verify that the interfaces you configured show as green in the Interfaces widget.
Set Up a Basic Security Policy
Now that you have defined some zones and attached them to interfaces, you are ready to begin creating your Security Policy. The firewall will not allow any traffic to flow from one zone to another unless there is a Security policy rule to allow it. When a packet enters a firewall interface, the firewall matches the attributes in the packet against the Security policy rules to determine whether to block or allow the session based on attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. The firewall evaluates incoming traffic against the security policy rulebase from left to right and from top to bottom and then takes the action specified in the first security rule that matches (for example, whether to allow, deny, or drop the packet). This means that you must order the rules in your security policy rulebase so that more specific rules are at the top of the rulebase and more general rules are at the bottom to ensure that the firewall is enforcing policy as expected.
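As an added example (not code from the guide or from Palo Alto Networks), the following Python models the first-match, top-to-bottom evaluation just described on the zone, application and user attributes only, and adds a check for rules that a more general rule above them shadows. The rulebases, zone names and the "Guests" zone are constructed to mirror the examples in this chapter; the intrazone-default/interzone-default behaviour reflects the predefined PAN-OS rules.

```python
"""Added example: a model of zone-based security policy evaluation.

This is not code from the PAN-OS guide. It shows first-match, top-to-bottom
evaluation on the attributes the guide lists (zones, application, user) and
adds a check for rules that a more general rule above them shadows.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Session:
    """Attributes of a flow that the rulebase is matched against."""
    src_zone: str
    dst_zone: str
    application: str
    user: str = ANY


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    applications: frozenset
    users: frozenset
    action: str  # "allow", "deny" or "drop"

    def matches(self, s: Session) -> bool:
        return (_permits(self.from_zones, s.src_zone)
                and _permits(self.to_zones, s.dst_zone)
                and _permits(self.applications, s.application)
                and _permits(self.users, s.user))

    def covers(self, other: "Rule") -> bool:
        """True when every session `other` could match already matches self."""
        return (_subset(other.from_zones, self.from_zones)
                and _subset(other.to_zones, self.to_zones)
                and _subset(other.applications, self.applications)
                and _subset(other.users, self.users))


def _permits(allowed: frozenset, value: str) -> bool:
    return ANY in allowed or value in allowed


def _subset(narrow: frozenset, wide: frozenset) -> bool:
    # "any" on the wide side covers everything; "any" on the narrow side
    # is covered only by "any" on the wide side.
    if ANY in wide:
        return True
    return ANY not in narrow and narrow <= wide


def rule(name, src, dst, apps, action, users=(ANY,)) -> Rule:
    """Constructor that keeps the sample rulebases below readable."""
    return Rule(name, frozenset(src), frozenset(dst), frozenset(apps),
                frozenset(users), action)


# Predefined rules that sit below every PAN-OS rulebase: traffic within a
# zone is allowed, traffic between zones is denied unless a rule allows it.
INTRAZONE_DEFAULT = rule("intrazone-default", [ANY], [ANY], [ANY], "allow")
INTERZONE_DEFAULT = rule("interzone-default", [ANY], [ANY], [ANY], "deny")


def match(rulebase, session: Session) -> Rule:
    """Return the first rule, top to bottom, whose attributes all match."""
    for r in rulebase:
        if r.matches(session):
            return r
    if session.src_zone == session.dst_zone:
        return INTRAZONE_DEFAULT
    return INTERZONE_DEFAULT


def shadowed_rules(rulebase):
    """(rule, earlier rule) pairs where the earlier rule makes the later unreachable."""
    found = []
    for i, r in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if earlier.covers(r):
                found.append((r.name, earlier.name))
                break
    return found


# Constructed rulebase mirroring the guide's three basic rules; the two web
# application names stand in for the "general-internet" application filter.
BASIC_RULEBASE = [
    rule("Network Infrastructure", ["Users"], ["IT Infrastructure"],
         ["dns", "ntp", "ocsp", "ping", "smtp"], "allow"),
    rule("General Internet", ["Users"], ["Internet"],
         ["web-browsing", "ssl"], "allow"),
    rule("Data Center Applications", ["Users"], ["Data Center Applications"],
         ["activesync", "imap", "kerberos", "ldap", "ms-exchange", "ms-lync"],
         "allow"),
]

# Constructed mis-ordered rulebase: the broad allow sits above the specific
# deny, so the deny never fires and guests reach the Customer Data zone.
MISORDERED = [
    rule("Allow Customer Data", ["Users", "Guests"], ["Customer Data"],
         [ANY], "allow"),
    rule("Block Guests from Customer Data", ["Guests"], ["Customer Data"],
         [ANY], "deny"),
]
REORDERED = [MISORDERED[1], MISORDERED[0]]  # specific rule first
```

Running shadowed_rules over a rulebase before commit is the offline counterpart of the guide's later test security-policy-match check: it finds rules that can never be the first match.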
The following workflow shows how to set up a very basic Internet gateway security policy that enables access to the network infrastructure, to data center applications, and to the Internet. This will enable you to get the firewall up and running so that you can verify that you have successfully configured the firewall. This policy is not comprehensive enough to protect your network. After you verify that you have successfully configured the firewall and integrated it into your network, proceed to Policy to learn how to create a Best Practice Internet Gateway Security Policy that will safely enable application access while protecting your network from attack.
Define Basic Security Policy Rules
Step 1
(Optional) Delete the default security policy rule.
By default, the firewall includes a security rule named rule1 that allows all traffic from Trust zone to Untrust zone. You can either delete the rule or modify the rule to reflect your zone naming conventions.
Step 2
Create the File Blocking profiles you will need to prevent upload/download of malicious files and for drive-by download protection.
1. Configure a File Blocking profile for general use. You will attach this profile to most of your security profiles to block files known to carry threats or that have no real business use for upload/download.
2. Configure a File Blocking profile for risky traffic. You will attach this profile to security policy rules that allow general web access to prevent users from unknowingly downloading malicious files from the Internet.
Define Basic Security Policy Rules (Continued)
Step 3
Allow access to your network infrastructure resources.
1.
2. Enter a descriptive Name for the rule in the General tab.
3.
4. In the Destination tab, set the Destination Zone to IT Infrastructure.
As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select dns, ntp, ocsp, ping, smtp.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware and select the File Blocking profile you configured for general traffic.
9.
10. Click OK.
Define Basic Security Policy Rules (Continued)
Step 4
Enable access to general Internet applications.
This is a temporary rule that allows you to gather information about the traffic on your network. After you have more insight into what applications your users need access to, you can make informed decisions about what applications to allow and create more granular application-based rules for each user group.
1.
2. Enter a descriptive Name for the rule in the General tab.
3.
4. In the Destination tab, set the Destination Zone to Internet.
5. In the Applications tab, Add an Application Filter and enter a Name. To safely enable access to legitimate web-based applications, set the Category in the application filter to general-internet and then click OK. To enable access to encrypted sites, Add the ssl application.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware and select the File Blocking strict profile you configured for risky traffic.
9.
10. Click OK.
Step 5
Enable access to data center applications.
1.
2. Enter a descriptive Name for the rule in the General tab.
3.
4. In the Destination tab, set the Destination Zone to Data Center Applications.
5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select activesync, imap, kerberos, ldap, ms-exchange, and ms-lync.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Select Profiles as the Profile Type. Select the default profiles for Antivirus and URL Filtering and the strict profiles for Vulnerability Protection and Anti-Spyware and select the File Blocking profile you configured for general traffic.
9.
10. Click OK.
Define Basic Security Policy Rules (Continued)
Step 6
Save your policies to the running configuration on the firewall.
Click Commit.
Step 7
To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.
To verify the policy rule that matches a flow, use the following CLI command:
    test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> application <application_name> protocol <protocol_number>
The output displays the best rule that matches the source and destination IP address specified in the CLI command.
For example, to verify the policy rule that will be applied for a client in the user zone with the IP address 10.35.14.150 when it sends a DNS query to the DNS server in the data center:
    admin@PA-3050> test security-policy-match source 10.35.14.150 destination 10.43.2.2 application dns protocol 53
    "Network Infrastructure" {
    from Users;
    source any;
    source-region none;
    to Data_Center;
    destination any;
    destination-region none;
    user any;
    category any;
    application/service dns/any/any/any;
    action allow;
    icmp-unreachable: no
    terminal yes;
    }
Assess Network Traffic
Now that you have a basic security policy, you can review the statistics and data in the Application Command Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to identify where you need to create more granular security policy rules.
Monitor Network Traffic
Use the Application Command Center and the Automated Correlation Engine.
In the ACC, review the most used applications and the high-risk applications on your network. The ACC graphically summarizes the log information to highlight the applications traversing the network, who is using them (with User-ID enabled), and the potential security impact of the content to help you identify what is happening on the network in real time. You can then use this information to create appropriate security policy rules that block unwanted applications, while allowing and enabling applications in a secure manner.
The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network and the logs and match evidence that corroborates the events.
Determine what updates/modifications are required for your network security policy rules and implement the changes.
For example:
Evaluate whether to allow web content based on schedule, users, or groups.
Allow or control certain applications or functions within an application.
Decrypt and inspect content.
Allow but scan for threats and exploits.
For information on refining your security policies and for attaching custom security profiles, see Enable Basic Threat Prevention Features.
Work with Logs.
Monitor Network Traffic (Continued)
View AutoFocus Threat Data for Logs.
Review the AutoFocus intelligence summary for artifacts in your logs. An artifact is an item, property, activity, or behavior associated with logged events on the firewall. The intelligence summary reveals the number of sessions and samples in which WildFire detected the artifact. Use WildFire verdict information (benign, grayware, malware) and AutoFocus matching tags to look for potential risks in your network.
AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team, call attention to advanced, targeted campaigns and threats in your network.
From the AutoFocus intelligence summary, you can start an AutoFocus search for artifacts and assess their pervasiveness within global, industry, and network contexts.
Monitor Web Activity of Network Users.
Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue, override or block.
Enable Basic Threat Prevention Features
The Palo Alto Networks next-generation firewall has unique threat prevention capabilities that allow it to protect your network from attack despite the use of evasion, tunneling, or circumvention techniques. The threat prevention features on the firewall include the WildFire service, Security Profiles that support Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking and Data Filtering capabilities, the Denial of Service (DoS) and Zone protection functionality, and AutoFocus threat intelligence.
Threat Prevention contains more in-depth information on how to protect your network from threats. For details on how to scan encrypted (SSH or SSL) traffic for threats, see Decryption. Visit Applipedia and Threat Vault to learn more about the applications and threats that Palo Alto Networks products can identify, respectively.
Before you can apply threat prevention features, you must first configure zones to identify one or more source or destination interfaces and security policy rules. To configure interfaces, zones, and the policies that are needed to apply threat prevention features, see Configure Interfaces and Zones and Set Up a Basic Security Policy.
To begin protecting your network from threats, start here:
Enable Basic WildFire Forwarding
Scan Traffic for Threats
Control Access to Web Content
Enable AutoFocus Threat Intelligence
Get the latest WildFire signatures every five minutes.
Forward advanced file types and email links for analysis.
Use the WildFire API.
Use a WF-500 appliance to host a WildFire private cloud or a WildFire hybrid cloud.
If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:
Enable Basic WildFire Forwarding
Step 1
Confirm that your firewall is registered and that you have a valid support account as well as any subscriptions you require.
1. Go to the Palo Alto Networks Customer Support website, log in, and select My Devices.
2. Verify that the firewall is listed. If it is not listed, see Register the Firewall.
3. (Optional) If you have a Threat Prevention subscription, be sure to Activate Licenses and Subscriptions.
Step 2
Configure WildFire forwarding settings.
1.
2.
3.
4. Click OK to save your changes.
Step 3
Enable the firewall to forward PEs for analysis.
1.
2. Name the new profile rule.
3. Click Add to create a forwarding rule and enter a name.
4.
5. In the Analysis column, select public-cloud to forward PEs to the WildFire public cloud.
6. Click OK.
Step 4
Apply the new WildFire Analysis profile to traffic that the firewall allows.
1.
2. Select Actions and in the Profile Settings section, set the Profile Type to Profiles.
3.
4. Click OK.
Step 5
Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
Step 6
Review and implement WildFire best practices to ensure that you are getting the most of WildFire detection and prevention capabilities.
Step 7
Click Commit to save your configuration updates.
Step 8
Enable Basic WildFire Forwarding (Continued)
Step 9
(Threat Prevention subscription only) If you have a Threat Prevention subscription, but do not have a WildFire subscription, you can still receive WildFire signature updates every 24-48 hours.
1.
2.
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Set Up File Blocking
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Every Palo Alto Networks next-generation firewall comes with predefined Antivirus, Anti-Spyware, and Vulnerability Protection profiles that you can attach to security policies. There is one predefined Antivirus profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert on SMTP, IMAP, and POP3 traffic). There are two predefined Anti-Spyware and Vulnerability Protection profiles:
default: Applies the default action to all client and server critical, high, and medium severity spyware/vulnerability protection events. It does not detect low and informational events.
strict: Applies the block response to all client and server critical, high and medium severity spyware/vulnerability protection events and uses the default action for low and informational events.
To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your basic web access policies. As you monitor the traffic on your network and expand your policy rulebase, you can then design more granular profiles to address your specific security needs.
Set up Antivirus/Anti-Spyware/Vulnerability Protection
Step 1
Verify that you have a Threat Prevention license.
The Threat Prevention license bundles the Antivirus, Anti-Spyware, and the Vulnerability Protection features in one license.
Select Device > Licenses to verify that the Threat Prevention license is installed and valid (check the expiration date).
Step 2
Download the latest antivirus threat signatures.
1.
2. In the Actions column, click Download to install the latest Antivirus, and Applications and Threats signatures.
Set up Antivirus/Anti-Spyware/Vulnerability Protection (Continued)
Step 3
Schedule signature updates.
Perform a download-and-install on a daily basis for antivirus updates and weekly for applications and threats updates.
1.
2. Specify the frequency and timing for the updates and whether the update will be downloaded and installed or only downloaded. If you select Download Only, you would need to manually go in and click the Install link in the Action column to install the signature. When you click OK, the update is scheduled. No commit is required.
3. (Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age of a signature before a download will occur. For example, if you entered 10, the signature must be at least 10 hours old before it will be downloaded, regardless of the schedule.
4. In an HA configuration, you can also click the Sync To Peer option to synchronize the content update with the HA peer after download/install. This will not push the schedule settings to the peer firewall; you need to configure the schedule on each firewall.
Set up Antivirus/Anti-Spyware/Vulnerability Protection (Continued)
Step 4
Attach the security profiles to a security policy.
Attach a clone of a predefined security profile to your basic Security policy rules. That way, if you want to customize the profile you can do so without deleting the read-only predefined strict or default profile and attaching a customized profile.
1.
2.
Step 5
Save the configuration.
Click Commit.
Set Up File Blocking
File Blocking Profiles allow you to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive-by download protection, allow download/upload of executables and archive files (.zip and .rar), but force users to acknowledge that they are transferring a file so that they will notice that the browser is attempting to download something they were not aware of. For policy rules that allow general web browsing, be more strict with your file blocking because the risk of users unknowingly downloading malicious files is much higher. For this type of traffic you will want to attach a more strict file blocking profile that also blocks portable executable (PE) files.
Configure File Blocking
Step 6
Configure a File Blocking profile for general use.
1.
2. Enter a Name for the file blocking profile, for example general file blocking.
3. Optionally enter a Description, such as block risky apps. Click Add to define the profile settings.
4. Enter a Name, such as block risky.
5.
6. Leave the Direction set to both.
7. Set the Action to block.
8. Add a second rule and enter a Name, for example continue exe and archive.
9.
10. Leave the Direction set to both.
11. Set the Action to block.
12. Click OK to save the profile.
Step 7
Configure a File Blocking profile for risky traffic.
When users are web browsing it is much more likely that they will download a malicious file unintentionally. Therefore, it is important to attach a stricter file blocking policy than you would attach to Security policy rules that allow access to less risk-prone application traffic.
1.
2. Select the cloned profile and give it a new Name, such as strict block risky apps.
3. Click in the File Types section of the block rule and Add the PE file type.
4. Click in the File Types section of the continue rule, select PE and click Delete.
5. Click OK to save the profile.
Step 8
Attach the file blocking profile to the security policies that allow access to content.
1.
2. Click the Actions tab within the security policy.
3. In the Profile Settings section, click the drop-down and select the file blocking profile you created.
If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.
Configure File Blocking (Continued)
Step 9
Enable response pages in the management profile for each interface on which you are attaching a file blocking profile with a continue action.
1.
2.
3. Click OK to save the interface management profile.
4.
5.
6. Click OK to save the interface settings.
Step 10
Save the configuration.
1. Click Commit.
Step 11
Test the file blocking configuration.
From a client PC in the trust zone of the firewall, attempt to download an .exe file from a website in the Internet zone. Make sure the file is blocked as expected based on the action you defined in the file blocking profile:
If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
If you selected block as the action, the File Blocking Block Page response page should display.
If you selected the continue action, the File Blocking Continue Page response page should display. Click Continue to download the file. The following shows the default File Blocking Continue Page.
Configure URL Filtering
Step 1
Confirm license information for URL Filtering.
1. Obtain and install a URL Filtering license. See Activate Licenses and Subscriptions for details.
2.
Step 2
Download the seed database and activate the license.
1. To download the seed database, click Download next to Download Status in the PAN-DB URL Filtering section of the Licenses page.
2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
3. After the download completes, click Activate.
Step 3
Create a URL filtering profile.
Because the default URL filtering profile blocks risky and threat-prone content, clone this profile when creating a new profile in order to preserve the default settings.
1.
2.
3.
Configure URL Filtering (Continued)
Step 4
Define how to control access to web content.
If you are not sure what traffic you want to control, consider setting the categories (except for those blocked by default) to alert. You can then use the visibility tools on the firewall, such as the ACC and AppScope, to determine which web categories to restrict to specific groups or to block entirely. You can then go back and modify the profile to block and allow categories as desired.
You can also define specific sites to always allow or always block regardless of category and enable the safe search option to filter search results when defining the URL Filtering profile.
1. For each category that you want visibility into or control over, select a value from the Action column as follows:
If you do not care about traffic to a particular category (that is, you neither want to block it nor log it), select allow.
For visibility into traffic to sites in a category, select alert.
To present a response page to users attempting to access a particular category to alert them to the fact that the content they are accessing might not be work appropriate, select continue.
To prevent access to traffic that matches the associated policy, select block (this also generates a log entry).
2. Click OK to save the URL filtering profile.
Step 5
Attach the URL filtering profile to a security policy.
1.
2. Select the desired policy to modify it and then click the Actions tab.
3. If this is the first time you are defining a security profile, select Profiles from the Profile Type drop-down.
4. In the Profile Settings list, select the profile you just created from the URL Filtering drop-down. (If you don't see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.)
5. Click OK to save the profile.
6. Commit the configuration.
Configure URL Filtering (Continued)
Step 6
Enable response pages in the management profile for each interface on which you are filtering web traffic.
1.
2. Select Response Pages, as well as any other management services required on the interface.
3. Click OK to save the interface management profile.
4.
5.
6. Click OK to save the interface settings.
Step 7
Save the configuration.
Click Commit.
Step 8
Test the URL filtering configuration.
Access a client PC in the trust zone of the firewall and attempt to access a site in a blocked category. Make sure URL filtering is applied based on the action you defined in the URL filtering profile:
If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request.
If you selected the continue action, the URL Filtering Continue and Override Page response page should display. Continue to the site.
If you selected block as the action, the URL Filtering and Category Match Block Page response page should display as follows:
Ability to view an AutoFocus intelligence summary for session artifacts recorded in the firewall logs.
Ability to open an AutoFocus search for log artifacts from the firewall.
The AutoFocus intelligence summary reveals the prevalence of an artifact on your network and on a global scale. The WildFire verdicts and AutoFocus tags listed for the artifact indicate whether the artifact poses a security risk.
Enable AutoFocus Threat Intelligence on the Firewall
Step 1
Verify that the AutoFocus license is activated on the firewall.
1.
2. If the firewall doesn't detect the license, see Activate Licenses and Subscriptions.
Step 2
Connect the firewall to AutoFocus.
1.
2. Enter the AutoFocus URL: https://autofocus.paloaltonetworks.com:10443
3. Use the Query Timeout field to set the duration of time for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall closes the connection.
As a best practice, set the query timeout to the default value of 15 seconds. AutoFocus queries are optimized to complete within this duration.
4. Select Enabled to allow the firewall to connect to AutoFocus.
5. Click OK.
6. Commit your changes to retain the AutoFocus settings upon reboot.
Step 3
Connect AutoFocus to the firewall.
1. Log in to the AutoFocus portal: https://autofocus.paloaltonetworks.com
2. Select Settings.
3. Add new remote systems.
4. Enter a descriptive Name to identify the firewall.
5. Select PanOS as the System Type.
6. Enter the firewall IP Address.
7. Click Save changes to add the remote system.
8. Click Save changes again on the Settings page to ensure the firewall is successfully added.
Step 4
Test the connection between the firewall and AutoFocus.
1.
2. Verify that you can View AutoFocus Threat Data for Logs.
Best Practices for Completing the Firewall Deployment
Now that you have integrated the firewall into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:
Learn about the different Management Interfaces that are available to you and how to access and use them.
Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
Configure a best practice security policy rulebase to safely enable applications and protect your network from attack. See Best Practice Internet Gateway Security Policy for details.
Set up High Availability. High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration and session tables are synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up a two-firewall cluster provides redundancy and allows you to ensure business continuity.
Configure the Master Key. Every Palo Alto Networks firewall has a default master key that encrypts all private keys on the firewall used for cryptographic protocols. As a best practice to safeguard the keys, configure the master key on each firewall to be unique. However, if you use Panorama, you must use the same master key on Panorama and all managed firewalls. Otherwise, Panorama cannot push configurations to the firewalls.
Manage Firewall Administrators. Every Palo Alto Networks firewall and appliance is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.
Enable User Identification (User-ID). User-ID is a Palo Alto Networks next-generation firewall feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.
Enable Decryption. Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or tunneled traffic.
Enable Passive DNS Collection for Improved Threat Intelligence. Enable this opt-in feature to enable the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.
Follow the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.
Firewall Administration
Administrators can configure, manage, and monitor Palo Alto Networks firewalls using the web interface, CLI, and API management interface. You can customize role-based administrative access to the management interfaces to delegate specific tasks or permissions to certain administrators.
Management Interfaces
Use the Web Interface
Manage Configuration Backups
Manage Firewall Administrators
Reference: Web Interface Administrator Access
Reference: Port Number Usage
Reset the Firewall to Factory Default Settings
Bootstrap the Firewall
ManagementInterfaces
YoucanusethefollowinguserinterfacestomanagethePaloAltoNetworksfirewallandPanorama:
UsetheWebInterfacetocompleteadministrativetasksandgeneratereportsfromthewebinterface
withrelativeease.ThisgraphicalinterfaceallowsyoutoaccessthefirewallusingHTTPSanditisthebest
waytoperformadministrativetasks.
UsetheCommandLineInterface(CLI)toentercommandsinrapidsuccessiontocompleteaseriesof
tasks.TheCLIisanofrillsinterfacethatsupportstwocommandmodesandeachmodehasitsown
hierarchyofcommandsandstatements.Whenyoubecomefamiliarwiththenestingstructureandsyntax
ofthecommands,theCLIprovidesquickresponsetimesandadministrativeefficiency.
UsetheXMLAPItostreamlineyouroperationsandintegratewithexisting,internallydeveloped
applicationsandrepositories.TheXMLAPIisawebserviceimplementedusingHTTP/HTTPSrequests
andresponses.
58 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
Use the Web Interface

The following topics describe how to use the firewall web interface. For detailed information about specific tabs and fields in the web interface, refer to the Web Interface Reference Guide.

- Launch the Web Interface
- Configure Banners, Message of the Day, and Logos
- Use the Administrator Login Activity Indicators to Detect Account Misuse
- Manage and Monitor Administrative Tasks
- Commit, Validate, and Preview Firewall Configuration Changes
- Use Global Find to Search the Firewall or Panorama Management Server
- Manage Locks for Restricting Configuration Changes

Supported browsers:
- Internet Explorer 7+
- Firefox 3.6+
- Safari 5+
- Chrome 11+
Launch the Web Interface

Step 1  Launch an Internet browser and enter the IP address of the firewall in the URL field (https://<IP address>).
        By default, the management (MGT) interface allows only HTTPS access to the web interface. To enable other protocols, select Device > Setup > Management and edit the Management Interface Settings. Do not enable HTTP: it sends administrator credentials and session cookies in cleartext.
Step 2  Enter your user Name and Password. If this is your first login session, enter the default admin for both fields. Change this default password as soon as you are logged in; the default credentials are public knowledge.
Step 3  If the login dialog has a banner, read it. If the dialog requires you to acknowledge reading the banner, select I Accept and Acknowledge the Statement Below.
Step 4  Log in to the web interface.
Step 5  Read and Close the messages of the day.
        You can select Do not show again for messages you don't want to see in future login sessions.
        If you want to change the language that the web interface uses, click Language at the bottom of the web interface, select a Language from the drop-down, and click OK.
Configure Banners, Message of the Day, and Logos

Step 2  Configure the login banner.
        Enter the Login Banner (up to 3,200 characters) and click OK.
Step 3  Set the message of the day.
        (Optional) Enter a header Title for the message of the day dialog (default is Message of the Day).
Step 4  Configure the header and footer banners.
        A bright background color and contrasting text color can increase the likelihood that administrators will notice and read a banner. You can also use colors that correspond to classification levels in your organization.
        1. Enter the Header Banner (up to 3,200 characters).
        2. Enter the Footer Banner (up to 3,200 characters) if the header and footer banners differ.
        3. Click OK.
        Replace the logos on the login page and in the header. The maximum size for any logo image is 128 KB.
Step 5  Verify that the banners, message of the day, and logos display as expected.
        1. Enter your login credentials, review the banner, select I Accept and Acknowledge the Statement Below to enable the Login button, and then Login.
        2. A dialog displays the message of the day. Messages that Palo Alto Networks embedded display on separate pages in the same dialog. To navigate the pages, click the right or left arrows along the sides of the dialog or click a page selector at the bottom of the dialog.
        3. Close the message of the day dialog to access the web interface.
        4. Header and footer banners display in every web interface page with the text and colors that you configured. The new logo you selected for the web interface displays below the header banner.
Use the Administrator Login Activity Indicators to Detect Account Misuse

Step 1  View the login activity indicators to monitor recent activity on your account.
        1. Log in to the web interface on your firewall or Panorama management server.
        2. View the last login details located at the bottom left of the window and verify that the timestamp corresponds to your last login.
        3. Look for a caution symbol to the right of the last login time information for failed login attempts.
           The failed login indicator appears if one or more failed login attempts occurred using your account since the last successful login.
           a. If you see the caution symbol, hover over it to display the number of failed login attempts.
           b. Click the caution symbol to view the failed login attempts summary. Details include the admin account name, the reason for the login failure, the source IP address, and the date and time.
           After you successfully log in and then log out, the failed login counter resets to zero, so you will see new failed login details, if any, the next time you log in.
        4. Locate hosts that are continually attempting to log in to your firewall or Panorama management server.
           a. Click the failed login caution symbol to view the failed login attempts summary.
           b. Locate and record the source IP address of the host that attempted to log in. For example, the following figure shows multiple failed login attempts from the IP address 192.168.2.10.
           c. Work with your network administrator to locate the user and host that is using the IP address that you identified.
           If you cannot locate the system that is performing the brute-force attack, consider renaming the account to prevent future attacks.
Step 2  Take the following actions if you detect an account compromise.
        Revert the configuration to a known good configuration if you see that logs were deleted or if you have difficulty determining whether improper changes were made using your account.
        Before you commit to a previous configuration, review it to ensure that it contains the correct settings. For example, the configuration that you revert to may not contain recent changes, so apply those changes after you commit the backup configuration.

Use the following best practices to help prevent brute-force attacks on privileged accounts:
- Limit the number of failed attempts allowed before the firewall locks a privileged account by setting the number of Failed Attempts and the Lockout Time (min) in the authentication profile or in the Authentication Settings for the Management interface (Device > Setup > Management > Authentication Settings). Note that a lockout also lets anyone who knows the account name lock out the real administrator, so pair it with the access restrictions below rather than relying on it alone.
- Use Interface Management Profiles to Restrict Access.
- Enforce complex passwords for privileged accounts.
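The check that the steps above perform by eye can also be run over an exported system log. The following Python script is an added example, not code from this guide or from Palo Alto Networks: it parses constructed log lines in a simplified CSV shape (a real PAN-OS system log export has more fields, so adapt LOG_RE to the format you actually receive), reports failed attempts per source since the last successful login (the number behind the caution symbol), ranks sources by total failures, and replays the log under a Failed Attempts / Lockout Time (min) policy to show when the account would have locked and which attempts would have been rejected.

```python
"""Spot brute-force activity against firewall admin accounts from exported system logs.

Added example; it is not code from the PAN-OS guide or from Palo Alto Networks.
The log lines below are constructed in a simplified CSV shape (timestamp, event,
admin account, source IP); a real PAN-OS system-log export has more columns, so
adapt LOG_RE to the format you actually receive.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: five quick failures from one host, one stray failure
# from another host, a later successful login, then one more failure.
SAMPLE_LOG = """\
2016/05/10 09:00:01,auth-fail,admin,192.168.2.10
2016/05/10 09:00:03,auth-fail,admin,192.168.2.10
2016/05/10 09:00:05,auth-fail,admin,192.168.2.10
2016/05/10 09:00:07,auth-fail,admin,192.168.2.10
2016/05/10 09:00:09,auth-fail,admin,192.168.2.10
2016/05/10 09:01:00,auth-fail,admin,10.0.0.5
2016/05/10 09:20:00,auth-success,admin,10.0.0.5
2016/05/10 09:21:00,auth-fail,admin,192.168.2.10
2016/05/10 09:22:00,content update finished (not an auth event)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),"
    r"(?P<event>auth-fail|auth-success),"
    r"(?P<user>[^,]+),(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_events(text):
    """Return (timestamp, event, user, source_ip) tuples in time order; non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            events.append((ts, m["event"], m["user"], m["ip"]))
    return sorted(events)


def failed_since_last_success(events, user):
    """Failed attempts per source IP since the account's last successful login.

    This is the number the web interface shows behind the caution symbol next
    to the last-login time: it resets to zero on every successful login.
    """
    counts = Counter()
    for _, event, u, ip in events:
        if u != user:
            continue
        if event == "auth-success":
            counts.clear()
        else:
            counts[ip] += 1
    return dict(counts)


def failures_by_source(events):
    """Total failed attempts per source IP over the whole log, busiest first."""
    return Counter(ip for _, event, _, ip in events if event == "auth-fail").most_common()


def simulate_lockout(events, user, failed_attempts=5, lockout_min=15):
    """Replay the log under a Failed Attempts / Lockout Time (min) policy.

    Consecutive failures are counted until the threshold locks the account for
    lockout_min minutes; anything arriving while locked is rejected and does not
    count. A successful login resets the counter.
    """
    locks, rejected = [], []
    locked_until = None
    consecutive = 0
    for ts, event, u, ip in events:
        if u != user:
            continue
        if locked_until is not None and ts < locked_until:
            rejected.append((ts, ip))
            continue
        if event == "auth-success":
            consecutive = 0
            continue
        consecutive += 1
        if consecutive >= failed_attempts:
            locked_until = ts + timedelta(minutes=lockout_min)
            locks.append((ts, locked_until))
            consecutive = 0
    return {"locks": locks, "rejected_during_lockout": rejected}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("since last success:", failed_since_last_success(evs, "admin"))
    print("by source:", failures_by_source(evs))
    print("lockout replay:", simulate_lockout(evs, "admin"))
```

With the sample data, 192.168.2.10 is the host to chase (six failures in total), and a policy of five attempts with a fifteen-minute lockout would have locked the account at 09:00:09 and rejected the attempt from 10.0.0.5 at 09:01:00, which illustrates the side effect mentioned above: a lockout triggered by one host also blocks the legitimate administrator elsewhere.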
Manage and Monitor Administrative Tasks

Step 1  Click Tasks at the bottom of the web interface.
Step 2  Show only Running tasks (in progress) or All tasks (default). Optionally, filter the tasks by type:
        - Jobs: administrator-initiated commits, firewall-initiated commits, and software or content downloads and installations.
        - Reports: scheduled reports.
        - Log Requests: log queries that you trigger by accessing the Dashboard or a Monitor page.
Step 3  Perform any of the following actions:
        - Display or hide task details: by default, the Task Manager displays the Type, Status, Start Time, and Messages for each task. To see the End Time and Job ID for a task, you must manually configure the display to expose those columns. To display or hide a column, open the drop-down in any column header, select Columns, and select or deselect the column names as needed.
        - Investigate warnings or failures: read the entries in the Messages column for task details. If the column says Too many messages, click the corresponding entry in the Type column to see more information.
        - Display a commit description: if an administrator entered a description when configuring a commit, you can click Commit Description in the Messages column to display the description.
        - Check the position of a commit in the queue: the Messages column indicates the queue position of commits that are in progress.
        - Cancel pending commits: click Clear Commit Queue to cancel all pending commits (available only to predefined administrative roles). To cancel an individual commit, click x in the Action column for that commit (the commit remains in the queue until the firewall dequeues it). You cannot cancel commits that are in progress.
Commit, Validate, and Preview Firewall Configuration Changes

When you initiate a commit, the firewall checks the validity of the changes before activating them. The validation output displays conditions that either block the commit (errors) or that are important to know but that do not block the commit (warnings). For example, validation could indicate an invalid route destination that you need to fix for the commit to succeed. To identify and fix configuration errors before initiating a commit, you can validate changes without committing. A pre-commit validation displays the same errors and warnings as a commit, including reference errors, rule shadowing, and application dependency warnings. Pre-commit validations are useful if your organization allows commits only within certain time windows; you can find and fix errors to avoid failures that could cause you to miss a commit window.

Preview, Validate, or Commit Firewall Configuration Changes

Step 1  Configure the commit, validation, or preview options.
        1. Click Commit at the top of the web interface.
        2. (Optional) Exclude certain types of configuration changes. These options are included (enabled) by default:
           - Include Device and Network configuration
           - Include Policy and Object configuration (available only on firewalls for which multiple virtual systems capability is disabled)
           - Include Shared Object configuration (available only on firewalls with multiple virtual systems)
           - Include Virtual System configuration (available only on firewalls with multiple virtual systems). Select All virtual systems (default) or Select one or more virtual systems in the list.
           If dependencies between the configuration changes you included and excluded cause a validation error, perform the commit with all the changes included. For example, if your changes introduce a new Log Forwarding profile (an object) that references a new Syslog server profile (a device setting), the commit must include both the policy and object configuration and the device and network configuration.
        3. (Optional) Enter a Description for the commit. A brief summary of what changed in the configuration is useful to other administrators who want to know what changes were made without performing a configuration audit.
Step 2  (Optional) Preview the changes that the commit will activate. This can be useful if, for example, you don't remember all your changes and you're not sure you want to activate all of them. The firewall displays the changes in a new window that shows the running and candidate configurations side by side, using colors to highlight the differences line by line.
        1. Click Preview Changes.
        2. Select the Lines of Context, which is the number of lines from the compared configuration files to display before and after each highlighted difference. These additional lines help you correlate the preview output to settings in the web interface.
           Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.
        3. Close the preview window when you finish reviewing the changes.
Step 3  (Optional) Validate the changes before you commit to ensure the commit will succeed.
        1. Click Validate Changes. The results display all the errors and warnings that an actual commit would display.
        2. Resolve any errors that the validation results identify.
Step 4  Commit your configuration changes.
        Click Commit.
        To view details about commits that are pending (which you can still cancel), in progress, completed, or failed, see Manage and Monitor Administrative Tasks.
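The same validate, commit, and check-the-job cycle can be scripted through the XML API. The following Python code is an added example, not from this guide or from Palo Alto Networks: the request shapes (type=keygen, type=commit, and type=op with <validate> and <show><jobs>) follow the XML API, while the response documents are constructed for the example, so compare the field names with what your firewall returns before depending on them. It shows how to tell a pending job from a finished one, and a failed validation from a commit that succeeded with warnings such as rule shadowing.

```python
"""Run a pre-commit validation or a commit through the XML API and interpret the job.

Added example; not code from the PAN-OS guide or from Palo Alto Networks. The
request shapes (type=keygen, type=commit, type=op with <validate> and
<show><jobs>) follow the XML API; the XML responses below are constructed for
this example rather than captured from a firewall, so check them against your
own firewall's output before relying on the field names.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

API_PATH = "/api/"  # queries go to https://<firewall>/api/?<query>; never plain HTTP


def keygen_query(user, password):
    """Exchange a username/password for an API key (the key is a credential: do not log it)."""
    return urlencode({"type": "keygen", "user": user, "password": password})


def validate_query(api_key):
    """Same checks as a commit, without activating anything."""
    return urlencode({"type": "op", "cmd": "<validate><full></full></validate>", "key": api_key})


def commit_query(api_key, description=""):
    """Commit the candidate configuration, optionally with the description other admins see in Tasks."""
    desc = f"<description>{escape(description)}</description>" if description else ""
    return urlencode({"type": "commit", "cmd": f"<commit>{desc}</commit>", "key": api_key})


def job_query(api_key, job_id):
    """Poll one job by id (the id comes from the enqueue response)."""
    cmd = f"<show><jobs><id>{int(job_id)}</id></jobs></show>"
    return urlencode({"type": "op", "cmd": cmd, "key": api_key})


def api_error(xml_text):
    """Return the error message if the response status is not success, else None."""
    root = ET.fromstring(xml_text)
    if root.get("status") == "success":
        return None
    msg = root.find(".//msg")
    return (msg.text or "").strip() if msg is not None else f"status={root.get('status')}"


def parse_job_id(xml_text):
    """Job id from the enqueue response of a commit or validate request."""
    err = api_error(xml_text)
    if err:
        raise RuntimeError(err)
    return int(ET.fromstring(xml_text).findtext(".//job"))


def parse_job(xml_text):
    """Status, result, detail lines and warning lines of a <show><jobs> response."""
    err = api_error(xml_text)
    if err:
        raise RuntimeError(err)
    job = ET.fromstring(xml_text).find(".//job")
    return {
        "id": int(job.findtext("id")),
        "status": job.findtext("status"),   # PEND (queued), ACT (running), FIN (done)
        "result": job.findtext("result"),   # OK or FAIL once status is FIN
        "details": [ln.text for ln in job.findall("details/line") if ln.text],
        "warnings": [ln.text for ln in job.findall("warnings/line") if ln.text],
    }


def outcome(job):
    """Collapse a parsed job into pending / ok / failed; warnings never block a commit."""
    if job["status"] != "FIN":
        return "pending"
    return "ok" if job["result"] == "OK" else "failed"


# Constructed responses in the documented shape (not captured from a firewall).
ENQUEUE_XML = ('<response status="success" code="19"><result>'
               '<msg><line>Commit job enqueued with jobid 7</line></msg><job>7</job>'
               '</result></response>')
JOB_OK_XML = ('<response status="success"><result><job><id>7</id><type>Commit</type>'
              '<status>FIN</status><result>OK</result>'
              '<details><line>Configuration committed successfully</line></details>'
              '<warnings><line>Rule allow-web-2 is shadowed by rule allow-web</line></warnings>'
              '</job></result></response>')
JOB_FAIL_XML = ('<response status="success"><result><job><id>8</id><type>Validate</type>'
                '<status>FIN</status><result>FAIL</result>'
                '<details><line>Validation Error: rulebase -> security -> rules -> allow-db: '
                'zone dmz2 is not a valid reference</line></details></job></result></response>')
AUTH_ERR_XML = ('<response status="error" code="403"><result><msg>Invalid Credential</msg>'
                '</result></response>')

if __name__ == "__main__":
    print(commit_query("EXAMPLE-KEY", "add allow-web rule"))
    for doc in (JOB_OK_XML, JOB_FAIL_XML):
        job = parse_job(doc)
        print(job["id"], outcome(job), job["details"], job["warnings"])
```

Send the query strings to https://<firewall>/api/ over HTTPS only; the key returned by keygen is equivalent to the administrator's password and belongs in a secret store, not in scripts or logs. A validate job that finishes with result FAIL carries the same error lines a commit would, so a deployment pipeline can gate on outcome(job) == "ok" before it ever issues the commit.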
Use Global Find to Search the Firewall or Panorama Management Server

Launch Global Find by clicking the Search icon located on the upper right of the web interface.
To access Global Find from within a configuration area, click the drop-down next to an item and select Global Find.
For example, click Global Find on a zone named l3-vlan-trust to search the candidate configuration for each location where the zone is referenced. The following screen capture shows the search results for the zone l3-vlan-trust.

Search tips:
- If you initiate a search on a firewall that has multiple virtual systems enabled or if custom Administrative Roles are defined, Global Find will only return results for areas of the firewall in which the administrator has permissions. The same applies to Panorama device groups.
- Spaces in search terms are handled as AND operations. For example, if you search on corp policy, the search results include instances where corp and policy exist in the configuration.
- To find an exact phrase, enclose the phrase in quotation marks.
- To rerun a previous search, click Search (located on the upper right of the web interface) to see a list of the last 20 searches. Click an item in the list to rerun that search. Search history is unique to each administrator account.
Manage Locks for Restricting Configuration Changes

View details about current locks.
    For example, you can check whether other administrators have set locks and read comments they entered to explain the locks.
    Click the lock at the top of the web interface. An adjacent number indicates the number of current locks.
Lock a configuration.
    1. Click the lock at the top of the web interface. The lock image varies based on whether existing locks are or are not set.
    2. Take a Lock and select the lock Type:
       - Config: blocks other administrators from changing the candidate configuration.
       - Commit: blocks other administrators from changing the running configuration.
    3. (Firewall with multiple virtual systems only) Select a Location to lock the configuration for a specific virtual system or the Shared location.
    4. (Optional) As a best practice, enter a Comment so that other administrators will understand the reason for the lock.
    5. Click OK and Close.
Unlock a configuration.
    Only a superuser or the administrator who locked the configuration can manually unlock it. However, the firewall automatically removes a lock after completing the commit operation.
    1. Click the lock at the top of the web interface.
    2. Select the lock entry in the list.
    3. Click Remove Lock, OK, and Close.
Configure the firewall to automatically lock the running configuration when you change the candidate configuration. This setting applies to all administrators.
    1. Select Device > Setup > Management, edit the General Settings, and select Automatically Acquire Commit Lock.
    2. Click OK and Commit.
Manage Configuration Backups

The running configuration comprises all settings you have committed and that are therefore active, such as policy rules that currently block or allow various types of traffic in your network. The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the last commit. Backing up versions of the running or candidate configuration enables you to later restore those versions on the firewall. For example, if a commit validation shows that the current candidate configuration has more errors than you are able or have time to fix, then you can restore a previous candidate configuration or revert to the running configuration.
See Commit, Validate, and Preview Firewall Configuration Changes for related information.

- Back Up a Configuration
- Restore a Configuration

Back Up a Configuration

Creating configuration backups enables you to later Restore a Configuration. This is useful when you want to revert the firewall to all the settings of an earlier configuration because you can perform the restoration as a single operation instead of manually reconfiguring each setting in the current configuration. You can either save backups locally on the firewall or export backups to an external host.
When you commit changes, the firewall automatically saves a new version of the running configuration. If a system event or administrator action causes the firewall to reboot, it automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. However, the firewall does not automatically save a backup of the candidate configuration; you must manually save a backup of the candidate configuration as a snapshot file using either the default name (.snapshot.xml) or a custom name.
When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot. Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).
As a best practice, back up any important configuration to a host external to the firewall. An exported configuration contains sensitive material (administrator password hashes, pre-shared keys, and server profile credentials), so protect the backup host and restrict who can read the files as strictly as you protect the firewall itself.
Back Up a Configuration

Step 1  Save a local backup snapshot of the candidate configuration if it contains changes that you want to preserve in the event the firewall reboots. These are changes you are not ready to commit; for example, changes you cannot finish in the current login session.
        Perform one of the following tasks based on whether you want to overwrite the default snapshot (.snapshot.xml) or create a snapshot with a custom name:
        - Overwrite the default snapshot: click Save at the top of the web interface.
        - Create a custom-named snapshot:
          a. Select Device > Setup > Operations and Save named configuration snapshot.
          b. Enter a Name for the snapshot or select an existing snapshot to overwrite.
          c. Click OK and Close.
Step 2  Export a candidate configuration, a running configuration, or the firewall state information to a host external to the firewall.
        Select Device > Setup > Operations and use Export named configuration snapshot, Export configuration version, or Export device state; the browser downloads the file to the client system, from which you move it to your backup host.
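Before loading a snapshot into the candidate configuration, it helps to know exactly what it changes relative to running-config.xml. The following Python code is an added example, not from this guide or from Palo Alto Networks; its two configurations are constructed, heavily trimmed XML in the general shape of an exported configuration, and in practice you would read the files exported from Device > Setup > Operations. diff_configs() lists every leaf that differs, keyed by an xpath-like path so the output can be matched to the web interface, and permissive_rules() flags any security rule that allows any source, destination, application and service, which is the kind of change a reviewer wants surfaced before a commit.

```python
"""Compare a running configuration with a candidate snapshot before you commit it.

Added example; not code from the PAN-OS guide or from Palo Alto Networks. The two
configurations below are constructed, heavily trimmed XML in the general shape of
an exported running-config.xml; export real files from Device > Setup > Operations
and pass their contents to diff_configs() in the same way.
"""
import xml.etree.ElementTree as ET

RUNNING_XML = """<config version="7.1.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
<entry name="allow-web">
 <from><member>trust</member></from><to><member>untrust</member></to>
 <source><member>any</member></source><destination><member>any</member></destination>
 <application><member>web-browsing</member></application>
 <service><member>application-default</member></service>
 <action>allow</action><log-end>yes</log-end>
</entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

# Candidate: logging switched off on allow-web and a new any/any/any allow rule added.
CANDIDATE_XML = """<config version="7.1.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
<entry name="allow-web">
 <from><member>trust</member></from><to><member>untrust</member></to>
 <source><member>any</member></source><destination><member>any</member></destination>
 <application><member>web-browsing</member></application>
 <service><member>application-default</member></service>
 <action>allow</action><log-end>no</log-end>
</entry>
<entry name="temp-any">
 <from><member>any</member></from><to><member>any</member></to>
 <source><member>any</member></source><destination><member>any</member></destination>
 <application><member>any</member></application><service><member>any</member></service>
 <action>allow</action><log-end>yes</log-end>
</entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def flatten(elem, prefix=""):
    """Map every leaf to an xpath-like key; entries are keyed by name and members by value."""
    tag = elem.tag
    if tag == "entry" and "name" in elem.attrib:
        tag = f"entry[@name='{elem.attrib['name']}']"
    elif tag == "member":
        tag = f"member[.='{(elem.text or '').strip()}']"
    path = f"{prefix}/{tag}"
    children = list(elem)
    if not children:
        return {path: (elem.text or "").strip()}
    leaves = {}
    for child in children:
        leaves.update(flatten(child, path))
    return leaves


def diff_configs(running_xml, candidate_xml):
    """Return (path, running_value, candidate_value) for every leaf that differs; None means absent."""
    old = flatten(ET.fromstring(running_xml))
    new = flatten(ET.fromstring(candidate_xml))
    return [(p, old.get(p), new.get(p))
            for p in sorted(old.keys() | new.keys()) if old.get(p) != new.get(p)]


def permissive_rules(config_xml):
    """Names of security rules that allow any source, destination, application and service."""
    root = ET.fromstring(config_xml)
    hits = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        wide = all(
            [m.text for m in rule.findall(f"{field}/member")] == ["any"]
            for field in ("source", "destination", "application", "service")
        )
        if wide:
            hits.append(rule.get("name"))
    return hits


if __name__ == "__main__":
    for path, before, after in diff_configs(RUNNING_XML, CANDIDATE_XML):
        print(f"{path}: {before!r} -> {after!r}")
    print("permissive rules in candidate:", permissive_rules(CANDIDATE_XML))
```

The path keys use the same entry[@name='...'] form as the firewall's own XPath, so a line such as .../rules/entry[@name='allow-web']/log-end: 'yes' -> 'no' maps directly to the Log at Session End checkbox on that rule. Run the check against any snapshot or configuration version before you load it, and treat a new name in permissive_rules() as a reason to stop and ask who added it.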
Restore a Configuration

Restoring a firewall configuration overwrites the current candidate configuration with another configuration. This is useful when you want to revert all firewall settings used in an earlier configuration; you can perform this restoration as a single operation instead of manually reconfiguring each setting in the current configuration.
The firewall automatically saves a new version of the running configuration whenever you commit changes, and you can restore any of those versions. However, you must manually save a candidate configuration to later restore it (see Back Up a Configuration).

Restore the current running configuration.
    This operation undoes all the changes you made to the candidate configuration since the last commit.
    1. Select Device > Setup > Operations and click Revert to running configuration.
    2. Click Yes to confirm the operation.
Restore the default snapshot of the candidate configuration.
    This is the snapshot that you create or overwrite when you click Save at the top right of the web interface.
    1. Select Device > Setup > Operations and click Revert to last saved configuration.
    2. Click Yes to confirm the operation.
    3. (Optional) Click Commit to overwrite the running configuration with the snapshot.
Restore a previous version of the running configuration that is stored on the firewall.
    The firewall creates a version whenever you commit configuration changes.
    1. Select Device > Setup > Operations and click Load configuration version.
    2. Select a configuration Version and click OK.
    3. (Optional) Click Commit to overwrite the running configuration with the version you just restored.
Restore one of the following:
    - Current running configuration (named running-config.xml)
    - Custom-named version of the running configuration that you previously imported
    - Custom-named candidate configuration snapshot (instead of the default snapshot)
    1. Select Device > Setup > Operations and click Load named configuration snapshot.
    2. Select the Name of the configuration and click OK.
    3. (Optional) Click Commit to overwrite the running configuration with the snapshot.
Restore a running or candidate configuration that you previously exported to an external host.
    1. Select Device > Setup > Operations and click Import named configuration snapshot.
    2. Browse to the file and click OK, then Load named configuration snapshot and select the imported Name to make it the candidate configuration.
    3. (Optional) Click Commit to overwrite the running configuration with the snapshot you just imported.
Restore state information that you exported from a firewall.
    Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
    Import state information:
    1. Select Device > Setup > Operations, click Import device state, Browse to the state bundle, and click OK.
    2. (Optional) Click Commit to apply the imported state information to the running configuration.
Manage Firewall Administrators

Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall.
As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators.

- Administrative Roles
- Administrative Authentication
- Configure Administrative Accounts and Authentication

Administrative Roles

A role defines the type of access that an administrator has to the firewall.

- Administrative Role Types
- Configure an Admin Role Profile

Administrative Role Types

The role types are:

- Dynamic Roles: these are built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.

  Dynamic Role                        Privileges
  Superuser                           Full access to the firewall, including defining new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
  Superuser (read-only)               Read-only access to the firewall.
  Virtual system administrator        Full access to a selected virtual system (vsys) on the firewall.
  Device administrator                Full access to all firewall settings except for defining new accounts or virtual systems.
  Device administrator (read-only)    Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).

- Admin Role Profiles: custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a multi-vsys firewall, you can select whether the role defines access for all virtual systems or for a specific vsys. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.
Configure an Admin Role Profile

Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.
As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.

Step 1  Select Device > Admin Roles and click Add.
Step 2  Enter a Name to identify the role.
Step 3  For the scope of the Role, select Device or Virtual System.
Step 4  On the Web UI and XML API tabs, set each area to Enable, Read Only, or Disable as the role requires (see Reference: Web Interface Administrator Access).
Step 5  Select the Command Line tab and select a CLI access option. The Role scope controls the available options:
        - Device role: superuser, superreader, deviceadmin, devicereader, or None
        - Virtual System role: vsysadmin, vsysreader, or None
        Grant CLI access only where the role needs it: a superuser or deviceadmin CLI selection gives full configuration access regardless of how tightly you restricted the Web UI tab.
Step 6  Click OK to save the profile.
Step 7  Assign the role to an administrator. See Configure an Administrative Account.
Administrative Authentication

You can configure the following types of administrator authentication:

Account type: Local. Authentication method: Local (no database).
    The administrator account credentials and the authentication mechanisms are local to the firewall. You can further secure local accounts by setting global password complexity and expiration settings for all accounts or by creating a password profile that defines password expiration settings for specific accounts. For details, see Configure an Administrative Account.
Account type: Local. Authentication method: Local database.
    The firewall uses a local database to store the administrator account credentials and to perform authentication. If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
Account type: Local. Authentication method: SSL-based.
    The administrator accounts are local to the firewall, but authentication is based on SSH public keys (for CLI access) or client certificates (for web interface access). For details, see Configure SSH Key-Based Administrator Authentication to the CLI and Configure Certificate-Based Administrator Authentication to the Web Interface.
Account type: Local. Authentication method: External service.
    The administrator accounts are local to the firewall, but external services (LDAP, Kerberos, TACACS+, or RADIUS) handle the authentication functions. If your network supports Kerberos single sign-on (SSO), you can configure external authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
Account type: External. Authentication method: External service.
    An external RADIUS server handles account management and authentication. You must define Vendor-Specific Attributes (VSAs) on your RADIUS server that map to the administrator role, access domain, user group (if applicable), and virtual system (if applicable). For details, see Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.

- Configure an Administrative Account
- Configure Kerberos SSO and External or Local Authentication for Administrators
- Configure Certificate-Based Administrator Authentication to the Web Interface
- Configure SSH Key-Based Administrator Authentication to the CLI
- Configure RADIUS Vendor-Specific Attributes for Administrator Authentication
Configure an Administrative Account

Step 1  (Optional) Define password complexity and expiration settings for administrator accounts that are local to the firewall. These settings can help protect the firewall against unauthorized access by making it harder for attackers to guess passwords.
        You cannot configure these settings for local accounts that use a local database or external service for authentication.
        1. Define global password complexity and expiration settings for all local administrators.
           a. Select Device > Setup > Management and edit the Minimum Password Complexity settings.
           b. Select Enabled.
           c. Define the password settings and click OK.
        2. Define a Password Profile if you want certain local administrators to have password expiration settings that override the global settings.
           a. Select Device > Password Profiles and Add a profile.
           b. Enter a Name to identify the profile.
           c. Define the password expiration settings and click OK.
Step 2  Add an administrative account.
        1. Select Device > Administrators and click Add.
        2. Enter a user Name.
        3. Select an Authentication Profile or sequence if you configured either for the user. The default option (None) specifies that the firewall will locally manage and authenticate the account without a local database. In this case, you must enter and confirm a Password.
        4. Select the Administrator Type. If you configured a custom role for the user, select Role Based and select the Admin Role Profile. Otherwise, select Dynamic (default) and select a dynamic role. If the dynamic role is virtual system administrator, add one or more virtual systems that the virtual system administrator is allowed to manage.
        5. (Optional) Select a Password Profile for local administrators. This option is available only if you set the Authentication Profile to None.
        6. Click OK and Commit.
Configure Kerberos SSO and External or Local Authentication for Administrators

Step 1  Configure a Kerberos keytab for the firewall. Required for Kerberos SSO authentication.
        Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall. Treat the keytab as a credential: anyone who obtains it can impersonate the firewall's service principal, so transfer it only over a protected channel and delete copies once it is imported.
Step 2  Configure a local database or external server profile. Required for local database or external authentication.
        - Local database authentication: perform the following tasks:
          a. Configure the user account.
          b. (Optional) Configure a user group.
        - External authentication: perform one of the following tasks:
          - Configure a RADIUS Server Profile.
          - Configure a TACACS+ Server Profile.
          - Configure an LDAP Server Profile.
          - Configure a Kerberos Server Profile.
Step 3  Configure an authentication profile: Configure an Authentication Profile and Sequence.
        If your users are in multiple Kerberos realms, create an authentication profile for each realm and assign all the profiles to an authentication sequence. You can then assign the same authentication sequence to all user accounts (Step 4).
Step 4  Configure an administrator account: Configure an Administrative Account.
        - For local database authentication, specify the Name of the user you defined in Step 2.
        - Assign the Authentication Profile or sequence and the Admin Role Profile that you just created.
Configure Certificate-Based Administrator Authentication to the Web Interface

Step 1  Generate a certificate authority (CA) certificate on the firewall. You will use this CA certificate to sign the client certificate of each administrator.
        Create a Self-Signed Root CA Certificate. Alternatively, Import a Certificate and Private Key from your enterprise CA.
Step 2  Configure a certificate profile for securing access to the web interface.
        Configure a Certificate Profile. Set the Username Field to Subject. In the CA Certificates section, Add the CA Certificate you just created or imported.
        Add only the CA that issues administrator certificates. A profile that trusts a broader CA would let anyone holding a certificate from that CA attempt a login as whatever Subject the certificate carries.
Step 3  Configure the firewall to use the certificate profile for authenticating administrators.
        1. Select Device > Setup > Management and edit the Authentication Settings.
        2. Select the Certificate Profile you created for authenticating administrators and click OK.
Step 4  Configure the administrator accounts to use client certificate authentication.
        For each administrator who will access the firewall web interface, Configure an Administrative Account and select Use only client certificate authentication.
        If you have already deployed client certificates that your enterprise CA generated, skip to Step 8. Otherwise, go to Step 5.
Step 5  Generate a client certificate for each administrator.
        Generate a Certificate. In the Signed By drop-down, select a self-signed root CA certificate. Because the certificate profile takes the username from the Subject, the certificate's common name must match the administrator's user Name exactly.
Step 6  Export the client certificate.
        1. Export a Certificate and Private Key.
        2. Commit your changes. The firewall restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.
Step 7  Import the client certificate into the client system of each administrator who will access the web interface.
        Refer to your web browser documentation.
Step 8  Verify that administrators can access the web interface.
        1. Open the firewall IP address in a browser on the computer that has the client certificate.
        2. When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
        3. Add the certificate to the browser exception list.
        4. Click Login. The web interface should appear without prompting you for a username or password.
Configure SSH Key-Based Administrator Authentication to the CLI

Step 1  Use an SSH key generation tool to create an asymmetric key pair on the client system of the administrator.
        The supported key formats are IETF SECSH and OpenSSH. The supported algorithms are DSA (1,024 bits) and RSA (768-4,096 bits). Prefer RSA at 2,048 bits or more; 1,024-bit DSA and short RSA keys leave little margin against a well-resourced attacker.
        For the commands to generate the key pair, refer to your SSH client documentation.
        The public key and private key are separate files. Only the public key is imported into the firewall; keep the private key on the administrator's client system and never copy it to a shared location. For added security, enter a passphrase to encrypt the private key. The SSH client prompts the administrator for this passphrase when it uses the key during login.
Step 2  Configure the administrator account to use public key authentication.
        1. Configure an Administrative Account.
           - Configure the authentication method to use as a fallback if SSH key authentication fails. If you configured an Authentication Profile for the administrator, select it in the drop-down. If you select None, you must enter a Password and Confirm Password.
           - Select Use Public Key Authentication (SSH), then Import Key, Browse to the public key you just generated, and click OK.
        2. Commit your changes.
Step 3  Configure the SSH client to use the private key to authenticate to the firewall.
        Perform this task on the client system of the administrator. For the steps, refer to your SSH client documentation.
Step 4  Verify that the administrator can access the firewall CLI using SSH key authentication.
        1. From the client system of the administrator, open an SSH connection to the firewall IP address.
        2. Log in to the firewall CLI as the administrator. After entering a username, you will see output like the following (the key name is an example):
           Authenticating with public key dsa-key-20130415
        3. If prompted, enter the passphrase you defined when creating the keys.
Configure RADIUS Vendor-Specific Attributes for Administrator Authentication

The RADIUS server side of this configuration depends on the server product; refer to the following for your platform:
- For Windows 2003 Server, Windows 2008 (and later), and Cisco ACS 4.0: RADIUS Vendor-Specific Attributes (VSAs)
- For Cisco ACS 5.2: Configuring Cisco ACS 5.2 for use with Palo Alto VSA

Before starting this procedure, you must:
- Create the administrative accounts in the directory service that your network uses (for example, Active Directory).
- Set up a RADIUS server that can communicate with that directory service.

Use RADIUS Vendor-Specific Attributes for Account Authentication

Step 1  Configure the firewall.
        1. Configure an Admin Role Profile if the administrator will use a custom role.
        2. Configure an access domain if the firewall has more than one virtual system (vsys):
           a. Select Device > Access Domain, Add an access domain, and enter a Name to identify the access domain.
           b. Add each vsys that the administrator will access, and then click OK.
        3. Configure a RADIUS Server Profile.
        4. Configure an authentication profile. Set the authentication Type to RADIUS and assign the RADIUS Server Profile.
        5. Configure the firewall to use the authentication profile for administrator access: select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile.
        6. Click OK and Commit.
Step 2  Configure the RADIUS server.
        1. Add the firewall IP address or hostname as the RADIUS client.
        2. Define the VSAs for administrator authentication. You must specify the vendor code (25461 for Palo Alto Networks firewalls) and the VSA name, number, and value: see RADIUS Vendor-Specific Attributes Support.
        Because the VSAs decide which role an externally authenticated administrator receives, treat the RADIUS shared secret and the server's policy configuration as privileged: whoever controls them controls who becomes a superuser on the firewall.
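What the RADIUS server actually sends is a standard Vendor-Specific attribute (RFC 2865 type 26) wrapping the Palo Alto Networks vendor id 25461 and one or more vendor sub-attributes. The following Python code is an added example, not from this guide or from Palo Alto Networks, that encodes and decodes that structure; the sub-attribute numbers in PAN_VSA_NAMES are the vendor dictionary values as this example recalls them and must be confirmed against the RADIUS Vendor-Specific Attributes Support reference before you rely on them. decode_vsas() rejects malformed lengths rather than guessing, because these attributes decide which role an administrator receives.

```python
"""Build and parse RADIUS Vendor-Specific attributes carrying Palo Alto Networks VSAs.

Added example; not code from the PAN-OS guide or from Palo Alto Networks. The wire
format is the RFC 2865 Vendor-Specific attribute (type 26) with the Palo Alto
Networks vendor id 25461 stated in the guide. The sub-attribute numbers in
PAN_VSA_NAMES are the vendor dictionary values as this example recalls them;
confirm them against the RADIUS Vendor-Specific Attributes Support reference.
"""
import struct

VENDOR_SPECIFIC = 26
PAN_VENDOR_ID = 25461

# Assumed sub-attribute numbering (verify against the vendor dictionary before use).
PAN_VSA_NAMES = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
}


def encode_vsa(vendor_type, value, vendor_id=PAN_VENDOR_ID):
    """One Vendor-Specific attribute: 26 | len | vendor-id(4) | vtype | vlen | value."""
    if isinstance(value, str):
        value = value.encode()
    # 255 max attribute length minus 2 (outer header), 4 (vendor id), 2 (inner header).
    if not 0 < vendor_type < 256 or len(value) > 247:
        raise ValueError("vendor type or value out of range")
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(inner) + 6, vendor_id) + inner


def decode_vsas(attributes, vendor_id=PAN_VENDOR_ID):
    """Walk a RADIUS attribute list and return [(vendor_type, value)] for the given vendor.

    Attributes of other vendors and non-VSA attributes are skipped; malformed
    lengths raise instead of being silently interpreted.
    """
    found = []
    pos = 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("bad attribute length")
        body = attributes[pos + 2 : pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != vendor_id:
            continue
        sub = body[4:]
        while sub:
            if len(sub) < 2:
                raise ValueError("truncated vendor attribute")
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("bad vendor attribute length")
            found.append((vtype, bytes(sub[2:vlen])))
            sub = sub[vlen:]
    return found


def admin_profile(attributes):
    """Decoded PAN VSAs as a name -> value dict, e.g. {'PaloAlto-Admin-Role': 'superuser'}."""
    return {PAN_VSA_NAMES.get(t, f"vsa-{t}"): v.decode() for t, v in decode_vsas(attributes)}


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: User-Name (type 1) plus two PAN VSAs.
    attrs = bytes([1, 7]) + b"alice" + encode_vsa(1, "superuser") + encode_vsa(5, "netops")
    print(attrs.hex())
    print(admin_profile(attrs))
```

Encoding the role superuser for vendor type 1 yields the 17-byte attribute 1a 11 00 00 63 75 01 0b followed by the ASCII value, which is the exact byte layout you should see when you capture a RADIUS Access-Accept during troubleshooting. The role name in the value must match a dynamic role or an Admin Role profile on the firewall, and the access-domain value must match an access domain you created in Step 1; a mismatch here is the most common reason an externally authenticated administrator lands without the expected privileges.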
Reference:WebInterfaceAdministratorAccess
FirewallAdministration
Reference: Web Interface Administrator Access

You can configure privileges for an entire firewall or for one or more virtual systems (on platforms that support multiple virtual systems). Within that Device or Virtual System designation, you can configure privileges for custom administrator roles, which are more granular than the fixed privileges associated with a dynamic administrator role.

Configuring privileges at a granular level ensures that lower-level administrators cannot access certain information. You can create custom roles for firewall administrators (see Configure an Administrative Account), Panorama administrators, or Device Group and Template administrators (refer to the Panorama Administrator's Guide). You apply the admin role to a custom role-based administrator account, to which you can also assign one or more virtual systems. The following topics describe the privileges you can configure for custom administrator roles:

Web Interface Access Privileges
Panorama Web Interface Access Privileges
Define Access to the Web Interface Tabs
Provide Granular Access to the Monitor Tab
Provide Granular Access to the Policy Tab
Provide Granular Access to the Objects Tab
Provide Granular Access to the Network Tab
Provide Granular Access to the Device Tab
Define User Privacy Settings in the Admin Role Profile
Restrict Administrator Access to Commit and Validate Functions
Provide Granular Access to Global Settings
Define Access to the Web Interface Tabs

The following table describes the top-level access privileges you can assign to an admin role profile (Device > Admin Roles). You can enable, disable, or define read-only access privileges at the top-level tabs in the web interface.
Access Level | Description | Enable | Read Only | Disable
--- | --- | --- | --- | ---
Dashboard | Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets. | Yes | No | Yes
ACC | Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. If you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. | Yes | No | Yes
Monitor | Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports, or App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab. | Yes | No | Yes
Policies | Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see (for example, to enable access to a specific type of policy or to enable read-only access to policy information), leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab. | Yes | No | Yes
Objects | Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab. | Yes | No | Yes
Network | Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information, or to the network profiles. For more granular control over what configuration the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab. | Yes | No | Yes
Device | Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, high availability, server profile, or certificate configuration information. For more granular control over what the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab. You cannot enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab. | Yes | No | Yes
Provide Granular Access to the Monitor Tab

In some cases you might want to enable the administrator to view some but not all areas of the Monitor tab. For example, you might want to restrict operations administrators to the Config and System logs only, because they do not contain sensitive user data. Although this section of the administrator role definition specifies what areas of the Monitor tab the administrator can see, you can also couple privileges in this section with privacy privileges, such as disabling the ability to see user names in logs and reports. Keep in mind, however, that any system-generated reports will still show user names and IP addresses even if you disable that functionality in the role. For this reason, if you do not want the administrator to see any of the private user information, disable access to the specific reports as detailed in the following table.

The following table lists the Monitor tab access levels and the administrator roles for which they are available.

Device Group and Template roles can see log data only for the device groups that are within the access domains assigned to those roles.
Access Level | Description | Available to (Firewall / Panorama / Device Group and Template) | Enable | Read Only | Disable
--- | --- | --- | --- | --- | ---
Monitor | Enables or disables access to the Monitor tab. If disabled, the administrator will not see this tab or any of the associated logs or reports. | Yes / Yes / Yes | Yes | No | Yes
Logs | Enables or disables access to all log files. You can also leave this privilege enabled and then disable specific logs that you do not want the administrator to see. If you want to protect the privacy of your users while still providing access to one or more of the logs, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. | Yes / Yes / Yes | Yes | No | Yes
Traffic | Specifies whether the administrator can see the traffic logs. | Yes / Yes / Yes | Yes | No | Yes
Threat | Specifies whether the administrator can see the threat logs. | Yes / Yes / Yes | Yes | No | Yes
URL Filtering | Specifies whether the administrator can see the URL filtering logs. | Yes / Yes / Yes | Yes | No | Yes
WildFire Submissions | Specifies whether the administrator can see the WildFire logs. These logs are only available if you have a WildFire subscription. | Yes / Yes / Yes | Yes | No | Yes
Data Filtering | Specifies whether the administrator can see the data filtering logs. | Yes / Yes / Yes | Yes | No | Yes
HIP Match | Specifies whether the administrator can see the HIP Match logs. HIP Match logs are only available if you have a GlobalProtect portal license and gateway subscription. | Yes / Yes / Yes | Yes | No | Yes
Configuration | Specifies whether the administrator can see the configuration logs. | Yes / Yes / No | Yes | No | Yes
System | Specifies whether the administrator can see the system logs. | Yes / Yes / No | Yes | No | Yes
Alarms | Specifies whether the administrator can see system-generated alarms. | Yes / Yes / Yes | Yes | No | Yes
Automated Correlation Engine | Enables or disables access to the correlation objects and correlated event logs generated on the firewall. | Yes / Yes / Yes | Yes | No | Yes
Correlation Objects | Specifies whether the administrator can view and enable/disable the correlation objects. | Yes / Yes / Yes | Yes | No | Yes
Correlated Events | Specifies whether the administrator | Yes / Yes / Yes | Yes | No | Yes
Packet Capture | Specifies whether the administrator can see packet captures (pcaps) from the Monitor tab. Packet captures are raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privilege will not obfuscate the IP addresses in the pcap; disable the Packet Capture privilege if you are concerned about user privacy. | Yes / No / No | Yes | Yes | Yes
App Scope | Specifies whether the administrator can see the App Scope visibility and analysis tools. Enabling App Scope enables access to all of the App Scope charts. | Yes / Yes / Yes | Yes | No | Yes
Session Browser | Specifies whether the administrator can browse and filter currently running sessions on the firewall. The session browser shows raw flow data and as such may contain user IP addresses. Disabling the Show Full IP Addresses privilege will not obfuscate the IP addresses in the session browser; disable the Session Browser privilege if you are concerned about user privacy. | Yes / No / No | Yes | No | Yes
Botnet | Specifies whether the administrator can generate and view botnet analysis reports, or view botnet reports in read-only mode. Disabling the Show Full IP Addresses privilege will not obfuscate the IP addresses in scheduled botnet reports; disable the Botnet privilege if you are concerned about user privacy. | Yes / No / No | Yes | Yes | Yes
PDF Reports | Enables or disables access to all PDF reports. You can also leave this privilege enabled and then disable specific PDF reports that you do not want the administrator to see. If you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. | Yes / Yes / Yes | Yes | No | Yes
Manage PDF Summary | Specifies whether the administrator can view, add, or delete PDF summary report definitions. With read-only access, the administrator can see PDF summary report definitions, but not add or delete them. If you disable this option, the administrator can neither view the report definitions nor add or delete them. | Yes / Yes / Yes | Yes | Yes | Yes
PDF Summary Reports | Specifies whether the administrator can see the generated PDF Summary reports in Monitor > Reports. If you disable this option, the PDF Summary Reports category will not display in the Reports node. | Yes / Yes / Yes | Yes | No | Yes
User Activity Report | Specifies whether the administrator can view, add, or delete User Activity report definitions and download the reports. With read-only access, the administrator can see User Activity report definitions, but not add, delete, or download them. If you disable this option, the administrator cannot see this category of PDF report. | Yes / Yes / Yes | Yes | Yes | Yes
SaaS Application Usage Report | Specifies whether the administrator can view, add, or delete a SaaS application usage report. With read-only access, the administrator can see the SaaS application usage report definitions, but cannot add or delete them. If you disable this option, the administrator can neither view the report definitions nor add or delete them. | Yes / Yes / Yes | Yes | Yes | Yes
Report Groups | Specifies whether the administrator can view, add, or delete report group definitions. With read-only access, the administrator can see report group definitions, but not add or delete them. If you disable this option, the administrator cannot see this category of PDF report. | Yes / Yes / Yes | Yes | Yes | Yes
Email Scheduler | Specifies whether the administrator can schedule report groups for email. Because the generated reports that get emailed may contain sensitive user data that is not removed by disabling the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option, and because they may also show log data to which the administrator does not have access, you should disable the Email Scheduler option if you have user privacy requirements. | Yes / Yes / Yes | Yes | Yes | Yes
Manage Custom Reports | Enables or disables access to all custom report functionality. You can also leave this privilege enabled and then disable specific custom report categories that you do not want the administrator to be able to access. If you want to protect the privacy of your users while still providing access to one or more of the reports, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option. Reports that are scheduled to run rather than run on demand will show IP address and user information; in this case, be sure to restrict access to the corresponding report areas. In addition, the custom report feature does not restrict the ability to generate reports that contain data from logs that are excluded from the administrator role. | Yes / Yes / Yes | Yes | No | Yes
Application Statistics | Specifies whether the administrator can create a custom report that includes data from the application statistics database. | Yes / Yes / Yes | Yes | No | Yes
Threat Log | Specifies whether the administrator can create a custom report that includes data from the Threat logs. | Yes / Yes / Yes | Yes | No | Yes
Threat Summary | Specifies whether the administrator can create a custom report that includes data from the Threat Summary database. | Yes / Yes / Yes | Yes | No | Yes
Traffic Log | Specifies whether the administrator can create a custom report that includes data from the Traffic logs. | Yes / Yes / Yes | Yes | No | Yes
Traffic Summary | Specifies whether the administrator can create a custom report that includes data from the Traffic Summary database. | Yes / Yes / Yes | Yes | No | Yes
URL Log | Specifies whether the administrator can create a custom report that includes data from the URL Filtering logs. | Yes / Yes / Yes | Yes | No | Yes
Hipmatch | Specifies whether the administrator can create a custom report that includes data from the HIP Match logs. | Yes / Yes / Yes | Yes | No | Yes
WildFire Log | Specifies whether the administrator can create a custom report that includes data from the WildFire logs. | Yes / Yes / Yes | Yes | No | Yes
View Scheduled Custom Reports | Specifies whether the administrator can view a custom report that has been scheduled to generate. | Yes / Yes / Yes | Yes | No | Yes
View Predefined Application Reports | Specifies whether the administrator can view Application Reports. Privacy privileges do not impact reports available on the Monitor > Reports node, so disable access to the reports if you have user privacy requirements. | Yes / Yes / Yes | Yes | No | Yes
View Predefined Threat Reports | Specifies whether the administrator can view Threat Reports. Privacy privileges do not impact reports available on the Monitor > Reports node, so disable access to the reports if you have user privacy requirements. | Yes / Yes / Yes | Yes | No | Yes
View Predefined URL Filtering Reports | Specifies whether the administrator can view URL Filtering Reports. Privacy privileges do not impact reports available on the Monitor > Reports node, so disable access to the reports if you have user privacy requirements. | Yes / Yes / Yes | Yes | No | Yes
View Predefined Traffic Reports | Specifies whether the administrator can view Traffic Reports. Privacy privileges do not impact reports available on the Monitor > Reports node, so disable access to the reports if you have user privacy requirements. | Yes / Yes / Yes | Yes | No | Yes
Provide Granular Access to the Policy Tab

If you enable the Policy option in the Admin Role profile, you can then enable, disable, or provide read-only access to specific nodes within the tab as necessary for the role you are defining. By enabling access to a specific policy type, you enable the ability to view, add, or delete policy rules. By enabling read-only access to a specific policy, you enable the administrator to view the corresponding policy rulebase, but not add or delete rules. Disabling access to a specific type of policy prevents the administrator from seeing the policy rulebase.

Because policy that is based on specific users (by user name or IP address) must be explicitly defined, privacy settings that disable the ability to see full IP addresses or user names do not apply to the Policy tab. Therefore, you should only allow access to the Policy tab to administrators that are excluded from user privacy restrictions.
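As an added example (not code from this guide), the following Python script checks an Admin Role profile against the rules in the Monitor table above and in this Policy tab section: it flags settings the web interface does not offer (read-only on a node that has no read-only state, or Enable on Admin Roles/Administrators) and, when the role masks IP addresses or user names, lists the visible nodes whose data those privacy settings do not cover (packet captures, the session browser, botnet and emailed or scheduled reports, the predefined reports, and the whole Policy tab). The role is modelled as a flat dict keyed by slash-separated node paths that mirror the Access Level names in the tables; that naming convention and the sample role are assumptions made here, and the script does not read PAN-OS configuration XML.

```python
"""Lint an Admin Role profile against the access tables in this reference.

Added example, not code from the PAN-OS guide; it does not read PAN-OS XML. A role
is a flat dict: keys are slash-separated node paths mirroring the Access Level
names in the tables (a naming convention assumed here), values are "enable",
"read-only" or "disable"; "privacy/..." keys are booleans (True = shown).
Nodes absent from the dict count as disabled (allow-list model).
"""

VALID_STATES = {"enable", "read-only", "disable"}
TOP_LEVEL_TABS = {"dashboard", "acc", "monitor", "policies", "objects", "network", "device"}
# Monitor-tab nodes that offer a Read Only state; every other Monitor node is enable/disable only.
MONITOR_READ_ONLY_OK = {"packet-capture", "botnet", "manage-pdf-summary", "user-activity-report",
                        "saas-application-usage-report", "report-groups", "email-scheduler"}
# Nodes on other tabs without a Read Only state (group nodes, plus Config Audit).
NO_READ_ONLY = {"objects/globalprotect", "objects/custom-objects", "objects/security-profiles",
                "network/globalprotect", "network/network-profiles", "device/config-audit",
                "device/certificate-management", "device/log-settings", "device/server-profiles"}
# Nodes a role-based administrator can at most read.
READ_ONLY_AT_MOST = {"device/admin-roles", "device/administrators"}
# Nodes whose data the Privacy settings do NOT mask, with the tables' reasons.
UNMASKED = [
    ("monitor/packet-capture", "pcaps are raw flow data; Show Full IP Addresses does not obfuscate them"),
    ("monitor/session-browser", "the session browser shows raw flow data with user IP addresses"),
    ("monitor/botnet", "scheduled botnet reports show full IP addresses"),
    ("monitor/pdf-reports/email-scheduler", "emailed reports keep IPs and user names and may include logs the role cannot see"),
    ("monitor/view-scheduled-custom-reports", "scheduled custom reports show IP address and user information"),
    ("monitor/view-predefined-application-reports", "privacy privileges do not apply to Monitor > Reports"),
    ("monitor/view-predefined-threat-reports", "privacy privileges do not apply to Monitor > Reports"),
    ("monitor/view-predefined-url-filtering-reports", "privacy privileges do not apply to Monitor > Reports"),
    ("monitor/view-predefined-traffic-reports", "privacy privileges do not apply to Monitor > Reports"),
    ("policies", "policy rules name users and IP addresses explicitly; privacy settings do not apply to the Policy tab"),
]


def effective_state(role: dict, path: str) -> str:
    """State of a node after its ancestors: a disabled ancestor hides the whole subtree."""
    parts = path.split("/")
    state = "disable"
    for depth in range(1, len(parts) + 1):
        state = role.get("/".join(parts[:depth]), "disable")
        if state == "disable":
            return "disable"
    return state


def read_only_allowed(path: str) -> bool:
    """Whether the tables list a Read Only state for this node."""
    if path in TOP_LEVEL_TABS or path in NO_READ_ONLY:
        return False
    if path.startswith("monitor/"):
        return path.rsplit("/", 1)[1] in MONITOR_READ_ONLY_OK
    return True


def validate_states(role: dict) -> list:
    """Settings the web interface does not offer for a custom role."""
    problems = []
    for path, state in role.items():
        if path.startswith("privacy/"):
            continue
        if state not in VALID_STATES:
            problems.append(f"{path}: unknown state {state!r}")
        elif state == "read-only" and not read_only_allowed(path):
            problems.append(f"{path}: has no read-only state; use enable or disable")
        elif state == "enable" and path in READ_ONLY_AT_MOST:
            problems.append(f"{path}: cannot be enabled for a role-based administrator (read-only at most)")
    return problems


def privacy_gaps(role: dict) -> list:
    """If the role relies on privacy masking, the visible nodes that bypass it."""
    masking = (not role.get("privacy/show-full-ip-addresses", True)
               or not role.get("privacy/show-user-names-in-logs-and-reports", True))
    if not masking:
        return []
    gaps = []
    for prefix, reason in UNMASKED:
        for path in sorted(p for p in role if p == prefix or p.startswith(prefix + "/")):
            if effective_state(role, path) != "disable":
                gaps.append(f"{path}: {reason}")
    return gaps


def audit(role: dict) -> list:
    return validate_states(role) + privacy_gaps(role)


# Constructed sample: an operations role meant to see only the Config log with
# IPs and user names masked, but left with a few leaky or invalid privileges.
ROLE_OPS = {
    "privacy/show-full-ip-addresses": False,
    "privacy/show-user-names-in-logs-and-reports": False,
    "monitor": "enable",
    "monitor/logs": "enable",
    "monitor/logs/configuration": "enable",
    "monitor/packet-capture": "enable",                 # leaks raw IPs
    "monitor/session-browser": "enable",                # leaks raw IPs
    "monitor/pdf-reports": "disable",
    "monitor/pdf-reports/email-scheduler": "enable",    # harmless: parent is disabled
    "policies": "enable",
    "policies/security": "read-only",                   # privacy never applies here
    "device/config-audit": "read-only",                 # invalid: no read-only state
    "device/admin-roles": "enable",                     # invalid: read-only at most
}

if __name__ == "__main__":
    print("\n".join(audit(ROLE_OPS)))
```

Run it over a role definition you keep alongside the firewall configuration before you push the role; a clean result only covers the nodes named in these tables, so the firewall's own validation on commit still applies.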
Access Level | Description | Enable | Read Only | Disable
--- | --- | --- | --- | ---
Security | Enable this privilege to allow the administrator to view, add, and/or delete security rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the security rulebase, disable this privilege. | Yes | Yes | Yes
NAT | Enable this privilege to allow the administrator to view, add, and/or delete NAT rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the NAT rulebase, disable this privilege. | Yes | Yes | Yes
QoS | Enable this privilege to allow the administrator to view, add, and/or delete QoS rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the QoS rulebase, disable this privilege. | Yes | Yes | Yes
Policy Based Forwarding | Enable this privilege to allow the administrator to view, add, and/or delete Policy Based Forwarding (PBF) rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the PBF rulebase, disable this privilege. | Yes | Yes | Yes
Decryption | Enable this privilege to allow the administrator to view, add, and/or delete decryption rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the decryption rulebase, disable this privilege. | Yes | Yes | Yes
Application Override | Enable this privilege to allow the administrator to view, add, and/or delete application override policy rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the application override rulebase, disable this privilege. | Yes | Yes | Yes
Captive Portal | Enable this privilege to allow the administrator to view, add, and/or delete Captive Portal rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the Captive Portal rulebase, disable this privilege. | Yes | Yes | Yes
DoS Protection | Enable this privilege to allow the administrator to view, add, and/or delete DoS protection rules. Set the privilege to read-only if you want the administrator to be able to see the rules, but not modify them. To prevent the administrator from seeing the DoS protection rulebase, disable this privilege. | Yes | Yes | Yes
Provide Granular Access to the Objects Tab

An object is a container that groups specific policy filter values such as IP addresses, URLs, applications, or services for simplified rule definition. For example, an address object might contain specific IP address definitions for the web and application servers in your DMZ zone.

When deciding whether to allow access to the Objects tab as a whole, determine whether the administrator will have policy definition responsibilities. If not, the administrator probably does not need access to the tab. If, however, the administrator will need to create policy, you can enable access to the tab and then provide granular access privileges at the node level.

By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding object type. Giving read-only access allows the administrator to view the already defined objects, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
Access Level | Description | Enable | Read Only | Disable
--- | --- | --- | --- | ---
Addresses | Specifies whether the administrator can view, add, or delete address objects for use in security policy. | Yes | Yes | Yes
Address Groups | Specifies whether the administrator can view, add, or delete address group objects for use in security policy. | Yes | Yes | Yes
Regions | Specifies whether the administrator can view, add, or delete region objects for use in security, decryption, or DoS policy. | Yes | Yes | Yes
Applications | Specifies whether the administrator can view, add, or delete application objects for use in policy. | Yes | Yes | Yes
Application Groups | Specifies whether the administrator can view, add, or delete application group objects for use in policy. | Yes | Yes | Yes
Application Filters | Specifies whether the administrator can view, add, or delete application filters for simplification of repeated searches. | Yes | Yes | Yes
Services | Specifies whether the administrator can view, add, or delete service objects for use in creating policy rules that limit the port numbers an application can use. | Yes | Yes | Yes
Service Groups | Specifies whether the administrator can view, add, or delete service group objects for use in security policy. | Yes | Yes | Yes
Tags | Specifies whether the administrator can view, add, or delete tags that have been defined on the firewall. | Yes | Yes | Yes
GlobalProtect | Specifies whether the administrator can view, add, or delete HIP objects and profiles. You can restrict access to both types of objects at the GlobalProtect level, or provide more granular control by enabling the GlobalProtect privilege and restricting HIP Object or HIP Profile access. | Yes | No | Yes
HIP Objects | Specifies whether the administrator can view, add, or delete HIP objects, which are used to define HIP profiles. HIP objects also generate HIP Match logs. | Yes | Yes | Yes
HIP Profiles | Specifies whether the administrator can view, add, or delete HIP profiles for use in security policy and/or for generating HIP Match logs. | Yes | Yes | Yes
Dynamic Block Lists | Specifies whether the administrator can view, add, or delete dynamic block lists for use in security policy. | Yes | Yes | Yes
Custom Objects | Specifies whether the administrator can see the custom spyware and vulnerability signatures. You can enable or disable access to all custom signatures at this level, or provide more granular control by enabling the Custom Objects privilege and then restricting access to each type of signature. | Yes | No | Yes
Data Patterns | Specifies whether the administrator can view, add, or delete custom data pattern signatures for use in creating custom Data Filtering profiles. | Yes | Yes | Yes
Spyware | Specifies whether the administrator can view, add, or delete custom spyware signatures for use in creating custom Anti-Spyware profiles. | Yes | Yes | Yes
Vulnerability | Specifies whether the administrator can view, add, or delete custom vulnerability signatures for use in creating custom Vulnerability Protection profiles. | Yes | Yes | Yes
URL Category | Specifies whether the administrator can view, add, or delete custom URL categories for use in policy. | Yes | Yes | Yes
Security Profiles | Specifies whether the administrator can see security profiles. You can enable or disable access to all security profiles at this level, or provide more granular control by enabling the Security Profiles privilege and then restricting access to each type of profile. | Yes | No | Yes
Antivirus | Specifies whether the administrator can view, add, or delete antivirus profiles. | Yes | Yes | Yes
Anti-Spyware | Specifies whether the administrator can view, add, or delete Anti-Spyware profiles. | Yes | Yes | Yes
Vulnerability Protection | Specifies whether the administrator can view, add, or delete Vulnerability Protection profiles. | Yes | Yes | Yes
URL Filtering | Specifies wh ether the administrator can view, add, or delete URL filtering profiles. | Yes | Yes | Yes
File Blocking | Specifies whether the administrator can view, add, or delete file blocking profiles. | Yes | Yes | Yes
Data Filtering | Specifies whether the administrator can view, add, or delete data filtering profiles. | Yes | Yes | Yes
DoS Protection | Specifies whether the administrator can view, add, or delete DoS protection profiles. | Yes | Yes | Yes
Log Forwarding | Specifies whether the administrator can view, add, or delete log forwarding profiles. | Yes | Yes | Yes
Decryption Profile | Specifies whether the administrator can view, add, or delete decryption profiles. | Yes | Yes | Yes
Schedules | Specifies whether the administrator can view, add, or delete schedules for limiting a security policy to a specific date and/or time range. | Yes | Yes | Yes
Provide Granular Access to the Network Tab

When deciding whether to allow access to the Network tab as a whole, determine whether the administrator will have network administration responsibilities, including GlobalProtect administration. If not, the administrator probably does not need access to the tab.

You can also define access to the Network tab at the node level. By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding network configurations. Giving read-only access allows the administrator to view the already defined configuration, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
Access Level | Description | Enable | Read Only | Disable
--- | --- | --- | --- | ---
Interfaces | Specifies whether the administrator can view, add, or delete interface configurations. | Yes | Yes | Yes
Zones | Specifies whether the administrator can view, add, or delete zones. | Yes | Yes | Yes
VLANs | Specifies whether the administrator can view, add, or delete VLANs. | Yes | Yes | Yes
Virtual Wires | Specifies whether the administrator can view, add, or delete virtual wires. | Yes | Yes | Yes
Virtual Routers | Specifies whether the administrator can view, add, modify, or delete virtual routers. | Yes | Yes | Yes
IPSec Tunnels | Specifies whether the administrator can view, add, modify, or delete IPSec tunnel configurations. | Yes | Yes | Yes
DHCP | Specifies whether the administrator can view, add, modify, or delete DHCP server and DHCP relay configurations. | Yes | Yes | Yes
DNS Proxy | Specifies whether the administrator can view, add, modify, or delete DNS proxy configurations. | Yes | Yes | Yes
GlobalProtect | Specifies whether the administrator can view, add, or modify GlobalProtect portal and gateway configurations. You can disable access to the GlobalProtect functions entirely, or you can enable the GlobalProtect privilege and then restrict the role to either the portal or gateway configuration areas. | Yes | No | Yes
Portals | Specifies whether the administrator can view, add, modify, or delete GlobalProtect portal configurations. | Yes | Yes | Yes
Gateways | Specifies whether the administrator can view, add, modify, or delete GlobalProtect gateway configurations. | Yes | Yes | Yes
MDM | Specifies whether the administrator can view, add, modify, or delete GlobalProtect MDM server configurations. | Yes | Yes | Yes
Device Block List | Specifies whether the administrator can view, add, modify, or delete device block lists. | Yes | Yes | Yes
QoS | Specifies whether the administrator can view, add, modify, or delete QoS configurations. | Yes | Yes | Yes
LLDP | Specifies whether the administrator can view, add, modify, or delete LLDP configurations. | Yes | Yes | Yes
Network Profiles | Sets the default state to enable or disable for all of the Network settings described below. | Yes | No | Yes
IKE Gateways | | Yes | Yes | Yes
GlobalProtect IPSec Crypto | | Yes | Yes | Yes
IPSec Crypto | | Yes | Yes | Yes
IKE Crypto | Controls how devices exchange information to ensure secure communication. Specify the protocols and algorithms for identification, authentication, and encryption in VPN tunnels, used in the IKE SA negotiation (IKEv1 Phase 1). | Yes | Yes | Yes
Monitor | | Yes | Yes | Yes
Interface Mgmt | | Yes | Yes | Yes
Zone Protection | | Yes | Yes | Yes
QoS Profile | | Yes | Yes | Yes
LLDP Profile | | Yes | Yes | Yes
BFD Profile | | Yes | Yes | Yes
Provide Granular Access to the Device Tab

To define granular access privileges for the Device tab, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Device node on the Web UI tab.
Access Level | Description | Enable | Read Only | Disable
--- | --- | --- | --- | ---
Setup | Controls access to the Setup node. If you disable this privilege, the administrator will not see the Setup node or have access to firewall-wide setup configuration information, such as Management, Operations, Services, Content-ID, WildFire, or Session setup information. If the privilege state is set to read-only, the administrator can view the current configuration but cannot make any changes. | Yes | Yes | Yes
Management | Controls access to the Management node. If you disable this privilege, the administrator will not be able to configure settings such as the hostname, domain, time zone, authentication, logging and reporting, Panorama, management interface, banner, message, and password complexity settings, and more. If the privilege state is set to read-only, the administrator can view the current configuration but cannot make any changes. | Yes | Yes | Yes
Operations | Controls access to the Operations node. If you disable this privilege, the administrator will not be able to manage configuration files, or reboot or shut down the firewall, among other things. | Yes | Yes | Yes
Services | Controls access to the Services node. If you disable this privilege, the administrator will not be able to configure services for DNS servers, an update server, proxy server, or NTP servers, or set up service routes. If the privilege state is set to read-only, the administrator can view the current configuration but cannot make any changes. | Yes | Yes | Yes
Content-ID | | Yes | Yes | Yes
WildFire | Controls access to the WildFire node. If you disable this privilege, the administrator will not be able to configure WildFire settings. If the privilege state is set to read-only, the administrator can view the current configuration but cannot make any changes. | Yes | Yes | Yes
Session | Controls access to the Session node. If you disable this privilege, the administrator will not be able to configure session settings or timeouts for TCP, UDP, or ICMP, or configure decryption or VPN session settings. If the privilege state is set to read-only, the administrator can view the current configuration but cannot make any changes. | Yes | Yes | Yes
HSM | Controls access to the HSM node. If you disable this privilege, the administrator will not be able to configure a Hardware Security Module. If the privilege state is set to read-only, the administrator can view the current configuration but cannot make any changes. | Yes | Yes | Yes
Config Audit | | Yes | No | Yes
Admin Roles | Controls access to the Admin Roles node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Admin Roles node or have access to any firewall-wide information concerning Admin Role profile configuration. If you set this privilege to read-only, the administrator can view the configuration information for all administrator roles configured on the firewall. | No | Yes | Yes
Administrators | Controls access to the Administrators node. This function can only be allowed for read-only access. If you disable this privilege, the administrator will not see the Administrators node or have access to information about their own administrator account. If you set this privilege to read-only, the administrator can view the configuration information for their own administrator account; they will not see any information about other administrator accounts configured on the firewall. | No | Yes | Yes
Virtual Systems | | Yes | Yes | Yes
Shared Gateways | | Yes | Yes | Yes
User Identification | | Yes | Yes | Yes
High Availability | | Yes | Yes | Yes
Certificate Management | Sets the default state to enable or disable for all of the Certificate settings described below. | Yes | No | Yes
Certificates | Controls access to the Certificates node. If you disable this privilege, the administrator will not see the Certificates node or be able to configure or access information regarding Device Certificates or Default Trusted Certificate Authorities. If you set this privilege to read-only, the administrator can view certificate configuration information for the firewall but is not allowed to perform any configuration procedures. | Yes | Yes | Yes
Certificate Profile | | Yes | Yes | Yes
OCSP Responder | | Yes | Yes | Yes
SCEP | Controls access to the SCEP node. If you disable this privilege, the administrator will not see the node or be able to define a profile that specifies Simple Certificate Enrollment Protocol (SCEP) settings for issuing unique device certificates. If you set this privilege to read-only, the administrator can view existing SCEP profiles but cannot create or edit them. | Yes | Yes | Yes
Response Pages | | Yes | Yes | Yes
Log Settings | Sets the default state to enable or disable for all of the Log settings described below. | Yes | No | Yes
System | | Yes | Yes | Yes
Config | | Yes | Yes | Yes
HIP Match | | Yes | Yes | Yes
Alarms | | Yes | Yes | Yes
Manage Logs | | Yes | Yes | Yes
Server Profiles | Sets the default state to enable or disable for all of the Server Profiles settings described below. | Yes | No | Yes
SNMP Trap | | Yes | Yes | Yes
Syslog | | Yes | Yes | Yes
Netflow | | Yes | Yes | Yes
RADIUS | | Yes | Yes | Yes
Yes
TACACS+
Yes
ControlsaccesstotheServer Profiles > TACACS+
node.
Ifyoudisablethisprivilege,theadministratorwillnot
seethe nodeorconfiguresettingsfortheTACACS+
serversthatauthenticationprofilesreference.
Ifyousetthisprivilegetoreadonly,theadministrator
canviewexistingTACACS+serverprofilesbutcannot
addoreditthem.
Yes
Yes
LDAP
Yes
Yes
Kerberos
Yes
ControlsaccesstotheServer Profiles > Kerberos
node.Ifyoudisablethisprivilege,theadministrator
willnotseetheServer Profiles > Kerberos nodeor
configureaKerberosserverthatallowsusersto
authenticatenativelytoadomaincontroller.
Ifyousetthisprivilegetoreadonly,theadministrator
canviewtheServer Profiles > Kerberos information
butcannotconfiguresettingsforKerberosservers.
Yes
Yes
Setsthedefaultstatetoenableordisableforallofthe Yes
LocalUserDatabasesettingsdescribedbelow.
No
Yes
PaloAltoNetworks,Inc.
Enable
ReadOnly Disable
PANOS7.1AdministratorsGuide 101
Reference:WebInterfaceAdministratorAccess
FirewallAdministration
AccessLevel
Description
Users
Yes
Yes
User Groups
Yes
Yes
Authentication Profile
Yes
Yes
Authentication
Sequence
Yes
Yes
Access Domain
Yes
ControlsaccesstotheAccess Domainnode.Ifyou
disablethisprivilege,theadministratorwillnotseethe
Access Domainnodeorbeabletocreateoreditan
accessdomain.
Ifyousetthisprivilegetoreadonly,theadministrator
canviewtheAccess Domain informationbutcannot
createoreditanaccessdomain.
Yes
Yes
102 PANOS7.1AdministratorsGuide
Enable
ReadOnly Disable
PaloAltoNetworks,Inc.
FirewallAdministration
Reference:WebInterfaceAdministratorAccess
AccessLevel
Description
No
Yes
Software
Yes
Yes
GlobalProtect Client
ControlsaccesstotheGlobalProtectClientnode.If Yes
youdisablethisprivilege,theadministratorwillnot
seetheGlobalProtect Client nodeorviewavailable
GlobalProtectreleases,downloadthecodeoractivate
theGlobalProtectagent.
Ifyousetthisprivilegetoreadonly,theadministrator
canviewtheavailableGlobalProtect Client releases
butcannotdownloadorinstalltheagentsoftware.
Yes
Yes
Dynamic Updates
Yes
Yes
Licenses
Yes
Yes
PaloAltoNetworks,Inc.
Enable
ReadOnly Disable
PANOS7.1AdministratorsGuide 103
Reference:WebInterfaceAdministratorAccess
FirewallAdministration
AccessLevel
Description
Enable
ReadOnly Disable
Support
ControlsaccesstotheSupportnode.Ifyoudisable Yes
thisprivilege,theadministratorwillnotseethe
Supportnodeorbeabletoaccessproductand
securityalertsfromPaloAltoNetworksorgenerate
techsupportorstatsdumpfiles.
Ifyousetthisprivilegetoreadonly,theadministrator
canviewtheSupport nodeandaccessproductand
securityalertsbutcannotgeneratetechsupportor
statsdumpfiles.
Yes
Yes
Yes
Yes
Define User Privacy Settings in the Admin Role Profile

To define what private end user data an administrator has access to, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Privacy option on the WebUI tab.

Access Level | Description | Enable | Read Only | Disable

Privacy
  Description: Sets the default state to enable or disable for all of the privacy settings described below.
  Enable: Yes   Read Only: N/A   Disable: Yes

Show User Names In Logs And Reports
  Description: When disabled, user names obtained by traffic running through the Palo Alto Networks firewall are not shown in logs or reports. Columns where the user names would normally be displayed are empty. Scheduled reports that are displayed in the interface through Monitor > Reports, or reports that are sent via the email scheduler, will still display user names. Because of this exception, we recommend that the following settings within the Monitor tab be set to disable: Custom Reports, Application Reports, Threat Reports, URL Filtering Reports, Traffic Reports and Email Scheduler.
  Enable: Yes   Read Only: N/A   Disable: Yes

(packet capture setting; node name not recovered in this extraction)
  Description: When disabled, packet capture files that are normally available within the Traffic, Threat and Data Filtering logs are not displayed.
  Enable: Yes   Read Only: N/A   Disable: Yes
Restrict Administrator Access to Commit and Validate Functions

To restrict access to commit and validate functions when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Commit and Validate options on the WebUI tab.

Access Level | Description | Enable | Read Only | Disable

Commit
  Description: When disabled, an administrator cannot commit any changes to a configuration.
  Enable: Yes   Read Only: N/A   Disable: Yes

Validate
  Description: When disabled, an administrator cannot validate a configuration.
  Enable: Yes   Read Only: N/A   Disable: Yes
Provide Granular Access to Global Settings

To define what global settings an administrator has access to, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Global option on the WebUI tab.

Access Level | Description | Enable | Read Only | Disable

Global
  Description: Sets the default state to enable or disable for all of the global settings described below. In effect, this setting is only for System Alarms at this time.
  Enable: Yes   Read Only: N/A   Disable: Yes

System Alarms
  Description: When disabled, an administrator cannot view or acknowledge alarms that are generated.
  Enable: Yes   Read Only: N/A   Disable: Yes
Provide Granular Access to the Panorama Tab

The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which they are available. Firewall administrators cannot access any of these privileges.

Access Level | Description | Administrator Role Availability | Enable | Read Only | Disable

Setup
  Description: Specifies whether the administrator can view or edit Panorama setup information, such as Management, Operations, Services, WildFire, or HSM. If you set the privilege to read-only, the administrator can see the information but cannot edit it. If you disable this privilege, the administrator cannot see or edit the information.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Config Audit
  Description: Specifies whether the administrator can run Panorama configuration audits. If you disable this privilege, the administrator can't run Panorama configuration audits.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: No   Disable: Yes

Administrators
  Description: Specifies whether the administrator can view Panorama administrator account details. You can't enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete Panorama administrators.) With read-only access, the administrator can see information about his or her own account but no other Panorama administrator accounts. If you disable this privilege, the administrator can't see information about any Panorama administrator account, including his or her own.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: No   Read Only: Yes   Disable: Yes

Admin Roles
  Description: Specifies whether the administrator can view Panorama administrator roles. You can't enable full access to this function: just read-only access. (Only Panorama administrators with a dynamic role can add, edit, or delete custom Panorama roles.) With read-only access, the administrator can see Panorama administrator role configurations but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama administrator roles.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: No   Read Only: Yes   Disable: Yes

Access Domain
  Description: Specifies whether the administrator can view, add, edit, delete, or clone access domain configurations for Panorama administrators. (This privilege controls access only to the configuration of access domains, not access to the device groups, templates, and firewall contexts that are assigned to access domains.) If you set this privilege to read-only, the administrator can view Panorama access domain configurations but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama access domain configurations.
  Availability: Panorama: Yes; Device Group/Template: No. You assign access domains to Device Group and Template administrators so they can access the configuration and monitoring data within the device groups, templates, and firewall contexts that are assigned to those access domains.
  Enable: Yes   Read Only: Yes   Disable: Yes

Authentication Profile
  Description: Specifies whether the administrator can view, add, edit, delete, or clone authentication profiles for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama authentication profiles.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Authentication Sequence
  Description: Specifies whether the administrator can view, add, edit, delete, or clone authentication sequences for Panorama administrators. If you set this privilege to read-only, the administrator can view Panorama authentication sequences but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama authentication sequences.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Managed Devices
  Description: Specifies whether the administrator can view, add, edit, tag, or delete firewalls as managed devices, and install software or content updates on them. If you set this privilege to read-only, the administrator can see managed firewalls but can't add, delete, tag, or install updates on them. If you disable this privilege, the administrator can't view, add, edit, tag, delete, or install updates on managed firewalls.
  Note: This privilege applies only to the Panorama > Managed Devices page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed firewalls.
  Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes (No for Device Group and Template roles)   Read Only: Yes   Disable: Yes

Templates
  Description: Specifies whether the administrator can view, edit, add, or delete templates and template stacks. If you set the privilege to read-only, the administrator can see template and stack configurations but can't manage them. If you disable this privilege, the administrator can't see or manage template and stack configurations.
  Availability: Panorama: Yes; Device Group/Template: Yes. Device Group and Template administrators can see only the templates and stacks that are within the access domains assigned to those administrators.
  Enable: Yes (No for Device Group and Template admins)   Read Only: Yes   Disable: Yes

Device Groups
  Description: Specifies whether the administrator can view, edit, add, or delete device groups. If you set this privilege to read-only, the administrator can see device group configurations but can't manage them. If you disable this privilege, the administrator can't see or manage device group configurations.
  Availability: Panorama: Yes; Device Group/Template: Yes. Device Group and Template administrators can access only the device groups that are within the access domains assigned to those administrators.
  Enable: Yes   Read Only: Yes   Disable: Yes

Managed Collectors
  Description: Specifies whether the administrator can view, edit, add, or delete managed collectors. If you set this privilege to read-only, the administrator can see managed collector configurations but can't manage them. If you disable this privilege, the administrator can't view, edit, add, or delete managed collector configurations.
  Note: This privilege applies only to the Panorama > Managed Collectors page. An administrator with Device Deployment privileges can still use the Panorama > Device Deployment pages to install updates on managed collectors.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Collector Groups
  Description: Specifies whether the administrator can view, edit, add, or delete Collector Groups. If you set this privilege to read-only, the administrator can see Collector Groups but can't manage them. If you disable this privilege, the administrator can't see or manage Collector Groups.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes
Certificate Management
  Description: Sets the default state, enabled or disabled, for all of the Panorama certificate management privileges.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: No   Disable: Yes

Certificates
  Description: Specifies whether the administrator can view, edit, generate, delete, revoke, renew, or export certificates. This privilege also specifies whether the administrator can import or export HA keys. If you set this privilege to read-only, the administrator can see Panorama certificates but can't manage the certificates or HA keys. If you disable this privilege, the administrator can't see or manage Panorama certificates or HA keys.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Certificate Profile
  Description: Specifies whether the administrator can view, add, edit, delete or clone Panorama certificate profiles. If you set this privilege to read-only, the administrator can see Panorama certificate profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Panorama certificate profiles.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Log Settings
  Description: Sets the default state, enabled or disabled, for all the log setting privileges.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: No   Disable: Yes

System
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of System logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the System log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: On a Panorama M-Series appliance, this privilege pertains only to System logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to System logs that Panorama generates and to System logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of System logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of System logs directly from firewalls to external services (without aggregation on Panorama).
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Config
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Config logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Config log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: On a Panorama M-Series appliance, this privilege pertains only to Config logs that Panorama generates. On a Panorama virtual appliance, this privilege applies to Config logs that Panorama generates and to Config logs that Panorama collects from firewalls. The Panorama > Collector Groups page controls the forwarding of Config logs that an M-Series appliance collects from firewalls. The Device > Log Settings page controls the forwarding of Config logs directly from firewalls to external services (without aggregation on Panorama).
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

HIP Match
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of HIP Match logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of HIP Match logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: The Panorama > Collector Groups page controls the forwarding of HIP Match logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of HIP Match logs directly from firewalls to external services (without aggregation on Panorama).
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Correlation
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Correlation logs to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the Correlation log forwarding settings but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: The Panorama > Collector Groups page controls the forwarding of Correlation logs from a Panorama M-Series appliance. The Device > Log Settings page controls the forwarding of Correlation logs directly from firewalls to external services (without aggregation on Panorama).
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Traffic
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Traffic logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Traffic logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: The Panorama > Collector Groups page controls the forwarding of Traffic logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Traffic logs directly from firewalls to external services (without aggregation on Panorama).
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Threat
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of Threat logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of Threat logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: The Panorama > Collector Groups page controls the forwarding of Threat logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of Threat logs directly from firewalls to external services (without aggregation on Panorama).
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

WildFire
  Description: Specifies whether the administrator can see and configure the settings that control the forwarding of WildFire logs from a Panorama virtual appliance to external services (syslog, email, or SNMP trap servers). If you set this privilege to read-only, the administrator can see the forwarding settings of WildFire logs but can't manage them. If you disable this privilege, the administrator can't see or manage the settings.
  Note: The Panorama > Collector Groups page controls the forwarding of WildFire logs from a Panorama M-Series appliance. The Objects > Log Forwarding page controls the forwarding of WildFire logs directly from firewalls to external services (without aggregation on Panorama).
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Server Profiles
  Description: Sets the default state, enabled or disabled, for all the server profile privileges.
  Note: These privileges pertain only to the server profiles that are used for forwarding logs that Panorama generates or collects from firewalls and the server profiles that are used for authenticating Panorama administrators. The Device > Server Profiles pages control the server profiles that are used for forwarding logs directly from firewalls to external services (without aggregation on Panorama) and for authenticating firewall administrators.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: No   Disable: Yes

SNMP Trap
  Description: Specifies whether the administrator can see and configure SNMP trap server profiles. If you set this privilege to read-only, the administrator can see SNMP trap server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage SNMP trap server profiles.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Syslog
  Description: Specifies whether the administrator can see and configure Syslog server profiles. If you set this privilege to read-only, the administrator can see Syslog server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage Syslog server profiles.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Email
  Description: Specifies whether the administrator can see and configure email server profiles. If you set this privilege to read-only, the administrator can see email server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage email server profiles.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

RADIUS
  Description: Specifies whether the administrator can see and configure the RADIUS server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the RADIUS server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the RADIUS server profiles.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

TACACS+
  Description: Specifies whether the administrator can see and configure the TACACS+ server profiles that are used to authenticate Panorama administrators. If you disable this privilege, the administrator can't see the node or configure settings for the TACACS+ servers that authentication profiles reference. If you set this privilege to read-only, the administrator can view existing TACACS+ server profiles but can't add or edit them.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

LDAP
  Description: Specifies whether the administrator can see and configure the LDAP server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the LDAP server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the LDAP server profiles.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Kerberos
  Description: Specifies whether the administrator can see and configure the Kerberos server profiles that are used to authenticate Panorama administrators. If you set this privilege to read-only, the administrator can see the Kerberos server profiles but can't manage them. If you disable this privilege, the administrator can't see or manage the Kerberos server profiles.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Scheduled Config Export
  Description: Specifies whether the administrator can view, add, edit, delete, or clone scheduled Panorama configuration exports. If you set this privilege to read-only, the administrator can view the scheduled exports but can't manage them. If you disable this privilege, the administrator can't see or manage the scheduled exports.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: No   Disable: Yes

Software
  Description: Specifies whether the administrator can: view information about Panorama software updates; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama software updates and view the associated release notes but can't perform any related operations. If you disable this privilege, the administrator can't see Panorama software updates, see the associated release notes, or perform any related operations.
  Note: This privilege pertains only to software installed on a Panorama management server. The Panorama > Device Deployment > Software page controls access to PAN-OS software deployed on firewalls and Panorama software deployed on Dedicated Log Collectors.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Dynamic Updates
  Description: Specifies whether the administrator can: view information about Panorama content updates (for example, WildFire updates); download, upload, install, or revert the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can view information about Panorama content updates and view the associated release notes but can't perform any related operations. If you disable this privilege, the administrator can't see Panorama content updates, see the associated release notes, or perform any related operations.
  Note: This privilege pertains only to content updates installed on a Panorama management server. The Panorama > Device Deployment > Dynamic Updates page controls access to content updates deployed on firewalls and Dedicated Log Collectors.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Support
  Description: Specifies whether the administrator can: view Panorama support license information, product alerts, and security alerts; activate a support license; generate Tech Support files; and manage cases. If you set this privilege to read-only, the administrator can view Panorama support information, product alerts, and security alerts, but can't activate a support license, generate Tech Support files, or manage cases. If you disable this privilege, the administrator can't see Panorama support information, product alerts, or security alerts, or activate a support license, generate Tech Support files, or manage cases.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes

Device Deployment
  Description: Sets the default state, enabled or disabled, for all the device deployment privileges.
  Note: These privileges pertain only to software and content updates that Panorama administrators deploy on firewalls and Dedicated Log Collectors. The Panorama > Software and Panorama > Dynamic Updates pages control the software and content updates installed on a Panorama management server.
  Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes   Read Only: No   Disable: Yes

Software (Device Deployment)
  Description: Specifies whether the administrator can: view information about the software updates installed on firewalls and Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the software updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can't see information about the software updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
  Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes   Read Only: Yes   Disable: Yes

SSL VPN Client (Device Deployment)
  Description: Specifies whether the administrator can: view information about SSL VPN client software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about SSL VPN client software updates and view the associated release notes but can't activate the updates on firewalls. If you disable this privilege, the administrator can't see information about SSL VPN client software updates, see the associated release notes, or activate the updates on firewalls.
  Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes   Read Only: Yes   Disable: Yes

GlobalProtect Client (Device Deployment)
  Description: Specifies whether the administrator can: view information about GlobalProtect agent/app software updates on firewalls; download, upload, or activate the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about GlobalProtect agent/app software updates and view the associated release notes but can't activate the updates on firewalls. If you disable this privilege, the administrator can't see information about GlobalProtect agent/app software updates, see the associated release notes, or activate the updates on firewalls.
  Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes   Read Only: Yes   Disable: Yes

Dynamic Updates (Device Deployment)
  Description: Specifies whether the administrator can: view information about the content updates (for example, Applications updates) installed on firewalls and Dedicated Log Collectors; download, upload, or install the updates; and view the associated release notes. If you set this privilege to read-only, the administrator can see information about the content updates and view the associated release notes but can't deploy the updates to firewalls or Dedicated Log Collectors. If you disable this privilege, the administrator can't see information about the content updates, see the associated release notes, or deploy the updates to firewalls or Dedicated Log Collectors.
  Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes   Read Only: Yes   Disable: Yes

Licenses (Device Deployment)
  Description: Specifies whether the administrator can view, refresh, and activate firewall licenses. If you set this privilege to read-only, the administrator can view firewall licenses but can't refresh or activate those licenses. If you disable this privilege, the administrator can't view, refresh, or activate firewall licenses.
  Availability: Panorama: Yes; Device Group/Template: Yes
  Enable: Yes   Read Only: Yes   Disable: Yes

(master key configuration; node name not recovered in this extraction)
  Description: Specifies whether the administrator can view and configure a master key by which to encrypt private keys on Panorama. If you set this privilege to read-only, the administrator can view the Panorama master key configuration but can't change it. If you disable this privilege, the administrator can't see or edit the Panorama master key configuration.
  Availability: Panorama: Yes; Device Group/Template: No
  Enable: Yes   Read Only: Yes   Disable: Yes
Panorama Web Interface Access Privileges

The custom Panorama administrator roles allow you to define access to the options on Panorama and the ability to only allow access to Device Groups and Templates (Policies, Objects, Network, Device tabs). The administrator roles you can create are Panorama and Device Group and Template. You can't assign CLI access privileges to a Device Group and Template Admin Role profile. If you assign superuser privileges for the CLI to a Panorama Admin Role profile, administrators with that role can access all features regardless of the web interface privileges you assign.
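Three of the restrictions documented in this reference are easy to get wrong in bulk: disabling Show User Names In Logs And Reports without also disabling the Monitor tab report nodes (the scheduled-report exception in the Privacy table), leaving Commit enabled on a role that otherwise has nothing it may edit, and assigning CLI superuser to a Panorama role, which overrides every web interface privilege. The script below audits custom Admin Role profiles for all three. It is an added example and not code from this guide or from Palo Alto Networks; the XML element names it searches (role/device, role/panorama, webui/privacy/show-user-names-in-logs-and-reports, webui/monitor/<report node>, webui/commit, cli) and the embedded sample configuration are assumptions loosely modeled on an exported admin-role entry, so adjust the paths to match your own configuration export before relying on its output.

```python
"""Audit custom admin-role profiles for three gaps the PAN-OS 7.1 reference calls out.

Added example, NOT code from the guide. Element names are an ASSUMPTION loosely
modeled on an exported <admin-role> entry; adapt them to your own export.
"""
import xml.etree.ElementTree as ET

# Monitor-tab report nodes the guide says to disable whenever
# "Show User Names In Logs And Reports" is disabled (scheduled reports leak otherwise).
REPORT_NODES = (
    "custom-reports", "application-reports", "threat-reports",
    "url-filtering-reports", "traffic-reports", "email-scheduler",
)

# Tabs whose enabled nodes give a role something it could actually change.
CONFIG_TABS = ("device", "network", "policies", "objects", "panorama")

# Constructed sample configuration (assumed layout, not a real export).
SAMPLE_CONFIG = """\
<config><shared><admin-role>
  <entry name="soc-auditor">
    <role><device>
      <webui>
        <privacy><show-user-names-in-logs-and-reports>disable</show-user-names-in-logs-and-reports></privacy>
        <monitor>
          <logs>enable</logs>
          <custom-reports>enable</custom-reports>
          <traffic-reports>enable</traffic-reports>
          <email-scheduler>disable</email-scheduler>
        </monitor>
        <device><log-settings>read-only</log-settings></device>
        <commit>enable</commit>
        <validate>enable</validate>
      </webui>
      <cli>none</cli>
    </device></role>
  </entry>
  <entry name="pano-ops">
    <role><panorama>
      <webui>
        <panorama><setup>enable</setup><administrators>read-only</administrators></panorama>
        <commit>enable</commit>
      </webui>
      <cli>superuser</cli>
    </panorama></role>
  </entry>
  <entry name="clean-reader">
    <role><device>
      <webui>
        <privacy><show-user-names-in-logs-and-reports>disable</show-user-names-in-logs-and-reports></privacy>
        <monitor><logs>enable</logs><custom-reports>disable</custom-reports></monitor>
        <device><log-settings>read-only</log-settings></device>
        <commit>disable</commit>
      </webui>
      <cli>none</cli>
    </device></role>
  </entry>
</admin-role></shared></config>
"""


def _state(node, path):
    """Lower-cased text of a privilege leaf under node, or None if absent."""
    el = node.find(path)
    return el.text.strip().lower() if el is not None and el.text else None


def audit_role(entry):
    """Return the list of findings for one <admin-role><entry>."""
    findings = []
    for scope in ("device", "panorama"):
        role = entry.find(f"role/{scope}")
        if role is None:
            continue
        webui = role.find("webui")
        if webui is not None:
            # 1. Hiding user names does not cover scheduled reports, so every
            #    report node must be disabled too or the names still leak.
            if _state(webui, "privacy/show-user-names-in-logs-and-reports") == "disable":
                leaky = [n for n in REPORT_NODES if _state(webui, f"monitor/{n}") == "enable"]
                if leaky:
                    findings.append(f"{scope}: user names hidden but reports still enabled: "
                                    + ", ".join(leaky))
            # 2. A role with no editable configuration node should not be able to
            #    commit: it could push another administrator's pending candidate config.
            can_edit = any(
                (leaf.text or "").strip().lower() == "enable"
                for tab in CONFIG_TABS
                for tab_el in webui.findall(tab)
                for leaf in tab_el.iter()
                if len(leaf) == 0
            )
            if not can_edit and _state(webui, "commit") == "enable":
                findings.append(f"{scope}: commit enabled on a role with no editable configuration node")
        # 3. CLI superuser overrides every web interface restriction on the role.
        if _state(role, "cli") == "superuser":
            findings.append(f"{scope}: CLI access is superuser, which bypasses the web interface privileges")
    return findings


def audit_config(xml_text):
    """Map role name -> findings for every custom role that has at least one."""
    root = ET.fromstring(xml_text)
    results = {}
    for entry in root.findall("shared/admin-role/entry"):
        findings = audit_role(entry)
        if findings:
            results[entry.get("name")] = findings
    return results


if __name__ == "__main__":
    for role_name, role_findings in audit_config(SAMPLE_CONFIG).items():
        for finding in role_findings:
            print(f"{role_name}: {finding}")
```

Run it against a saved configuration export by reading the file into audit_config instead of SAMPLE_CONFIG. In the constructed sample, soc-auditor is flagged twice (report nodes left enabled, and Commit enabled on a role that can only read), pano-ops is flagged for CLI superuser, and clean-reader produces no findings.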
Access Level | Description | Enable | Read Only | Disable

Dashboard
  Description: Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.
  Enable: Yes   Read Only: No   Disable: Yes

ACC
  Description: Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the Privacy > Show Full IP Addresses option and/or the Show User Names In Logs And Reports option.
  Enable: Yes   Read Only: No   Disable: Yes

Monitor
  Description: Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.
  Enable: Yes   Read Only: No   Disable: Yes

Policies
  Description: Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.
  Enable: Yes   Read Only: No   Disable: Yes

Objects
  Description: Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.
  Enable: Yes   Read Only: No   Disable: Yes

Network
  Description: Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.
  Enable: Yes   Read Only: No   Disable: Yes

Device
  Description: Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, High Availability, server profile or certificate configuration
information.Formoregranularcontroloverwhat
objectstheadministratorcansee,leavetheDevice
optionenabledandthenenableordisablespecific
nodesonthetabasdescribedinProvideGranular
AccesstotheDeviceTab.
YoucantenableaccesstotheAdmin Rolesor
Administratorsnodesforarolebased
administratorevenifyouenablefullaccessto
theDevicetab.
No
Yes
Panorama
ControlsaccesstothePanoramatab.Ifyoudisable Yes
thisprivilege,theadministratorwillnotseethe
Panoramatabandwillnothaveaccesstoany
Panoramawideconfigurationinformation,suchas
ManagedDevices,ManagedCollectors,orCollector
Groups.
Formoregranularcontroloverwhatobjectsthe
administratorcansee,leavethePanoramaoption
enabledandthenenableordisablespecificnodeson
thetabasdescribedinProvideGranularAccesstothe
PanoramaTab.
No
Yes
Privacy
Controlsaccesstotheprivacysettingsdescribedin
DefineUserPrivacySettingsintheAdminRole
Profile.
Yes
No
Yes
Validate
Whendisabled,anadministratorcannotvalidatea
configuration.
Yes
No
Yes
Commit
Setsthedefaultstate(enabledordisabled)forallthe Yes
commitsettingsdescribedbelow(Panorama,Device
Groups,Templates,ForceTemplateValues,Collector
Groups).
No
Yes
Panorama
Whendisabled,anadministratorcannotcommit
changestothePanoramaconfiguration.
Yes
No
Yes
Device Groups
Whendisabled,anadministratorcannotcommit
changestodevicegroups.
Yes
No
Yes
PaloAltoNetworks,Inc.
Enable
ReadOnly Disable
PANOS7.1AdministratorsGuide 123
Reference:WebInterfaceAdministratorAccess
FirewallAdministration
AccessLevel
Description
Enable
ReadOnly Disable
Templates
Whendisabled,anadministratorcannotcommit
changestotemplates.
Yes
No
Yes
No
Yes
Collector Groups
Whendisabled,anadministratorcannotcommit
changestoCollectorGroups.
Yes
No
Yes
Global
Controlsaccesstotheglobalsettings(systemalarms) Yes
describedinProvideGranularAccesstoGlobal
Settings.
No
Yes
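As an added illustration, and not PAN-OS code, the following Python model shows how the settings in the table above combine when an administrator with a custom role reaches a node of the web interface: the CLI superuser bypass, the Admin Roles and Administrators exclusion, and the Read Only column that is "No" for every top-level privilege. It assumes that a node not listed in a role inherits its parent's setting and that the most restrictive setting along the path wins; node names such as "device/licenses" are constructed for the example.

```python
"""Constructed model of Panorama Admin Role privilege evaluation (not PAN-OS code)."""
from enum import Enum


class Access(Enum):
    ENABLE = "enable"
    READ_ONLY = "read-only"
    DISABLE = "disable"


# Top-level privileges from the Panorama table; each lists Read Only as "No",
# so a role that sets Read Only on one of them is not a valid role.
NO_READ_ONLY = {
    "dashboard", "acc", "monitor", "policies", "objects", "network",
    "device", "panorama", "privacy", "validate", "commit", "global",
}

# Nodes a role-based administrator can never reach, even with full Device access.
ALWAYS_DENIED = {"device/admin-roles", "device/administrators"}

# Ordering used to pick the most restrictive setting along a path.
STRICTNESS = {Access.ENABLE: 0, Access.READ_ONLY: 1, Access.DISABLE: 2}


def lint_role(role):
    """Return the settings in a role that the table does not allow."""
    problems = []
    for node, setting in role.get("web", {}).items():
        if node in NO_READ_ONLY and setting is Access.READ_ONLY:
            problems.append(f"{node}: Read Only is not available for this node")
    return problems


def effective_access(role, path):
    """Resolve what an administrator with this role gets at `path`.

    role: {"cli_superuser": bool, "web": {node: Access, ...}}
    path: slash-separated node path such as "device/licenses" (constructed names).
    Assumption: an unlisted node inherits its parent, and the most restrictive
    setting on the way down wins.
    """
    if role.get("cli_superuser"):
        return Access.ENABLE            # CLI superuser bypasses every web privilege
    web = role.get("web", {})
    parts = path.split("/")
    result = Access.ENABLE
    for depth in range(1, len(parts) + 1):
        node = "/".join(parts[:depth])
        if node in ALWAYS_DENIED:
            return Access.DISABLE       # cannot be granted to a role-based admin
        setting = web.get(node)
        if setting is not None and STRICTNESS[setting] > STRICTNESS[result]:
            result = setting
    return result
```

Running lint_role over a role definition before committing it catches the one combination the table rules out; effective_access is the question to ask when reviewing what a given role can actually see.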
Reference: Port Number Usage

The following tables list the ports that firewalls and Panorama use to communicate with each other, or with other services on the network.

Ports Used for Management Functions
Ports Used for HA
Ports Used for Panorama
Ports Used for GlobalProtect
Ports Used for User-ID

Ports Used for Management Functions

The firewall and Panorama use the following ports for management functions.

Destination Port / Protocol: Description

22 / TCP
  Used for communication from a client system to the firewall CLI interface.

80 / TCP
  The port the firewall listens on for Online Certificate Status Protocol (OCSP) updates when acting as an OCSP responder.

123 / UDP
  Port the firewall uses for NTP updates.

443 / TCP
  Used for communication from a client system to the firewall web interface. This is also the port the firewall and User-ID agent listen on for VM Information source updates.
  For monitoring an AWS environment, this is the only port that is used.
  For monitoring a VMware vCenter/ESXi environment, the listening port defaults to 443, but it is configurable.

162 / UDP
  Port the firewall, Panorama, or a Log Collector uses to Forward Traps to an SNMP Manager.
  This port doesn't need to be open on the Palo Alto Networks firewall. You must configure the Simple Network Management Protocol (SNMP) manager to listen on this port. For details, refer to the documentation of your SNMP management software.

161 / UDP
  Port the firewall listens on for polling requests (GET messages) from the SNMP manager.

514 / TCP, 514 / UDP, 6514 / SSL
  Port that the firewall, Panorama, or a Log Collector uses to send logs to a syslog server if you Configure Syslog Monitoring, and the ports that the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.

2055 / UDP
  Default port the firewall uses to send NetFlow records to a NetFlow collector if you Configure NetFlow Exports, but this is configurable.

5008 / TCP
  Port the GlobalProtect Mobile Security Manager listens on for HIP requests from the GlobalProtect gateways.
  If you are using a third-party MDM system, you can configure the gateway to use a different port as required by the MDM vendor.

6080 / TCP, 6081 / TCP, 6082 / TCP
  Ports used for Captive Portal: 6080 for NT LAN Manager (NTLM) authentication, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode.
Ports Used for HA

Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.

Destination Port / Protocol: Description

28769 / TCP, 28260 / TCP
  Used for the HA1 control link for cleartext communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.

28 / TCP
  Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.

28770 / TCP
  Listening port for HA1 backup links.

28771 / TCP
  Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.

99 / IP, 29281 / UDP
  Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
  The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
Ports Used for Panorama

Panorama uses the following ports.

Destination Port / Protocol: Description

22 / TCP
  Used for communication from a client system to the Panorama CLI interface.

443 / TCP
  Used for communication from a client system to the Panorama web interface.

3978 / TCP
  Used for communication between Panorama and managed firewalls or managed collectors, as well as for communication among managed collectors in a Collector Group:
  For communication between Panorama and firewalls, this is a bidirectional connection on which the firewalls forward logs to Panorama and Panorama pushes configuration changes to the firewalls. Context switching commands are sent over the same connection.
  Log Collectors use this destination port to forward logs to Panorama.
  For communication with the default Log Collector on an M-Series appliance in Panorama mode and with Dedicated Log Collectors (M-Series appliances in Log Collector mode).

TCP, TCP (port numbers missing from the extracted table)
  Used for the HA connectivity and synchronization between Panorama HA peers using cleartext communication. Communication can be initiated by either peer.

28 / TCP
  Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.

TCP (port number missing from the extracted table)
  Used for communication among Log Collectors in a Collector Group for log distribution.

TCP (port number missing from the extracted table)
  Used by the Panorama virtual appliance to write logs to the NFS datastore.
Ports Used for GlobalProtect

GlobalProtect uses the following ports.

Destination Port / Protocol: Description

443 / TCP
  Used for communication between GlobalProtect agents and portals, or GlobalProtect agents and gateways, and for SSL tunnel connections. GlobalProtect gateways also use this port to collect host information from GlobalProtect agents and perform host information profile (HIP) checks.

4501 / UDP
  Used for IPSec tunnel connections between GlobalProtect agents and gateways.

For tips on how to use a loopback interface to provide access to GlobalProtect on different ports and addresses, refer to Can GlobalProtect Portal Page be Configured to be Accessed on any Port?.
Ports Used for User-ID

User-ID is a feature that enables mapping of user IP addresses to usernames and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address-to-username mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.

Destination Port / Protocol: Description

389 / TCP
  Port the firewall uses to connect to an LDAP server (plaintext or Start Transport Layer Security (StartTLS)) to Map Users to Groups.

3268 / TCP
  Port the firewall uses to connect to an Active Directory global catalog server (plaintext or StartTLS) to Map Users to Groups.

636 / TCP
  Port the firewall uses for LDAP over SSL connections with an LDAP server to Map Users to Groups.

3269 / TCP
  Port the firewall uses for LDAP over SSL connections with an Active Directory global catalog server to Map Users to Groups.

514 / TCP, 514 / UDP, 6514 / SSL
  Port the PAN-OS integrated User-ID agent or Windows-based User-ID agent listens on for authentication syslog messages if you Configure User-ID to Receive User Mappings from a Syslog Sender.

5007 / TCP
  Port the firewall listens on for user mapping information from the User-ID or Terminal Services agent. The agent sends the IP address and username mapping along with a timestamp whenever it learns of a new or updated mapping. In addition, it connects to the firewall at regular intervals to refresh known mappings.

5006 / TCP
  Port the User-ID agent listens on for XML API requests. The source for this communication is typically the system running a script that invokes the API.

88 / UDP/TCP
  Port the User-ID agent uses to authenticate to a Kerberos server. The firewall tries UDP first and falls back to TCP.

1812 / UDP
  Port the User-ID agent uses to authenticate to a RADIUS server.

49 / TCP
  Port the User-ID agent uses to authenticate to a TACACS+ server.

135 / TCP
  Port the User-ID agent uses to establish TCP-based WMI connections with the Microsoft Remote Procedure Call (RPC) Endpoint Mapper. The Endpoint Mapper then assigns the agent a randomly assigned port in the 49152-65535 port range. The agent uses this connection to make RPC queries for Exchange Server or AD server security logs and session tables. This is also the port used to access Terminal Services.
  The User-ID agent also uses this port to connect to client systems to perform Windows Management Instrumentation (WMI) probing.

139 / TCP
  Port the User-ID agent uses to establish TCP-based NetBIOS connections to the AD server so that it can send RPC queries for security logs and session information.
  The User-ID agent also uses this port to connect to client systems for NetBIOS probing (supported on the Windows-based User-ID agent only).

445 / TCP
  Port the User-ID agent uses to connect to the Active Directory (AD) using TCP-based SMB connections to the AD server for access to user logon information (print spooler and NetLogon).
Reset the Firewall to Factory Default Settings

Resetting the firewall to factory defaults will result in the loss of all configuration settings and logs.

Reset the Firewall to Factory Default Settings

Step 1  Set up a console connection to the firewall.
  1. Connect a serial cable from your computer to the Console port and connect to the firewall using terminal emulation software (9600-8-N-1).
     If your computer does not have a 9-pin serial port, use a USB-to-serial port connector.
  2. Enter your login credentials.
  3. Enter the following CLI command:
       debug system maintenance-mode
     The firewall will reboot in the maintenance mode.

Step 2  Reset the system to factory default settings.
  1. When the firewall reboots, press Enter to continue to the maintenance mode menu.
  2. Select Factory Reset and press Enter.
  3. Select Factory Reset and press Enter again.
     The firewall will reboot without any configuration settings. The default username and password to log in to the firewall is admin/admin.
     To perform initial configuration on the firewall and to set up network connectivity, see Integrate the Firewall into Your Management Network.
Bootstrap the Firewall

Bootstrapping speeds up the process of configuring and licensing the firewall to make it operational on the network with or without Internet access. Bootstrapping allows you to choose whether to configure the firewall with a basic configuration file (init-cfg.txt) so that it can connect to Panorama and obtain the complete configuration, or to fully configure the firewall with the basic configuration and the optional bootstrap.xml file.

USB Flash Drive Support
Sample init-cfg.txt Files
Prepare a USB Flash Drive for Bootstrapping a Firewall
Bootstrap a Firewall Using a USB Flash Drive

USB Flash Drive Support

Supported file systems:
  File Allocation Table 32 (FAT32)
  Third Extended File System (ext3)

The firewall can bootstrap from the following flash drives with USB 2.0 or USB 3.0 connectivity:

USB Flash Drives Supported
  Kingston
    Kingston SE9 8GB (2.0)
    Kingston SE9 16GB (3.0)
    Kingston SE9 32GB (3.0)
  SanDisk
    SanDisk Cruzer Fit CZ33 8GB (2.0)
    SanDisk Cruzer Fit CZ33 16GB (2.0)
    SanDisk Cruzer CZ36 16GB (2.0)
    SanDisk Cruzer CZ36 32GB (2.0)
    SanDisk Extreme CZ80 32GB (3.0)
  Silicon Power
    Silicon Power Jewel 32GB (3.0)
    Silicon Power Blaze 16GB (3.0)
  PNY
    PNY Attache 16GB (2.0)
    PNY Turbo 32GB (3.0)
Sample init-cfg.txt Files

Sample init-cfg.txt (Static IP Address)

type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
ipv6-address=2001:400:f00::1/64
ipv6-default-gateway=2001:400:f00::2
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=multi-vsys,jumbo-frame
dhcp-send-hostname=no
dhcp-send-client-id=no
dhcp-accept-server-hostname=no
dhcp-accept-server-domain=no

Sample init-cfg.txt (DHCP Client)

type=dhcp-client
ip-address=
default-gateway=
netmask=
ipv6-address=
ipv6-default-gateway=
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=multi-vsys,jumbo-frame
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes
The following table describes the fields in the init-cfg.txt file. The type is required; if the type is static, the IP address, default gateway and netmask are required, or the IPv6 address and IPv6 default gateway are required.

Fields in the init-cfg.txt File

type
  (Required) Type of management IP address: static or dhcp-client.
ip-address
  (Required for IPv4 static management address) IPv4 address. The firewall ignores this field if the type is dhcp-client.
default-gateway
  (Required for IPv4 static management address) IPv4 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.
netmask
  (Required for IPv4 static management address) IPv4 netmask. The firewall ignores this field if the type is dhcp-client.
ipv6-address
  (Required for IPv6 static management address) IPv6 address and /prefix length of the management interface. The firewall ignores this field if the type is dhcp-client.
ipv6-default-gateway
  (Required for IPv6 static management address) IPv6 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.
hostname
  (Optional) Hostname for the firewall.
panorama-server
  (Recommended) IPv4 or IPv6 address of the primary Panorama server.
panorama-server-2
  (Optional) IPv4 or IPv6 address of the secondary Panorama server.
tplname
  (Recommended) Panorama template name.
dgname
  (Recommended) Panorama device group name.
dns-primary
  (Optional) IPv4 or IPv6 address of the primary DNS server.
dns-secondary
  (Optional) IPv4 or IPv6 address of the secondary DNS server.
vm-auth-key
  (VM-Series firewalls only) Virtual machine authentication key.
op-command-modes
  (Optional) Enter multi-vsys, jumbo-frame, or both separated by a comma only. Enables multiple virtual systems and jumbo frames while bootstrapping.
dhcp-send-hostname
  (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server.
dhcp-send-client-id
  (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server.
dhcp-accept-server-hostname
  (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server.
dhcp-accept-server-domain
  (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server.
Prepare a USB Flash Drive for Bootstrapping a Firewall

Step 1  Obtain serial numbers (S/Ns) and auth codes for support subscriptions from your order fulfillment email.

Step 2  Register S/Ns of new firewalls on the Customer Support portal.
  1. Go to support.paloaltonetworks.com, log in, and select Assets > Register New Device > Register device using Serial Number or Authorization Code.
  2. Follow the steps to Register the Firewall.
  3. Click Submit.

Step 3  Activate authorization codes on the Customer Support portal, which creates license keys.
  1. Go to support.paloaltonetworks.com, log in, and select the Assets tab.
  2. For each S/N you just registered, click the Action link.
  3. Select Activate Auth-Code.
  4.

Step 4  Add the S/Ns in Panorama.
  Complete Step 1 in Add a Firewall as a Managed Device in the Panorama Administrator's Guide.

Step 5  Create the init-cfg.txt file.
  Create the init-cfg.txt file, a mandatory file that provides bootstrap parameters. The fields are described in Sample init-cfg.txt Files.
  If the init-cfg.txt file is missing, the bootstrap process will fail and the firewall will boot up with the default configuration in the normal boot-up sequence.
  There are no spaces between the key and value in each field; do not add spaces because they cause failures during parsing on the management server side.
  You can have multiple init-cfg.txt files, one each for different remote sites, by prepending the S/N to the filename. For example:
    0008C200105-init-cfg.txt
    0008C200107-init-cfg.txt
  If no prepended filename is present, the firewall uses the init-cfg.txt file and proceeds with bootstrapping.
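Added here as a pre-flight checker, not Palo Alto Networks code: because a missing or mis-formatted init-cfg.txt makes the bootstrap fall back to the default configuration, it is worth validating the file before it goes onto the USB drive. The Python below parses the key=value format, rejects whitespace around "=", applies the required-field rules from the field table above for each type, sanity-checks the addresses with the standard library, and picks the S/N-prefixed file over the generic one as Step 5 describes. The field names, the <S/N>-init-cfg.txt naming and the sample values come from the page; the check that the IPv4 default gateway lies inside the management subnet is an extra sanity check of my own, not a PAN-OS rule.

```python
"""Constructed validator for a bootstrap init-cfg.txt file (not PAN-OS code)."""
import ipaddress

# Field names from the "Fields in the init-cfg.txt File" table.
KNOWN_KEYS = {
    "type", "ip-address", "default-gateway", "netmask", "ipv6-address",
    "ipv6-default-gateway", "hostname", "panorama-server", "panorama-server-2",
    "tplname", "dgname", "dns-primary", "dns-secondary", "vm-auth-key",
    "op-command-modes", "dhcp-send-hostname", "dhcp-send-client-id",
    "dhcp-accept-server-hostname", "dhcp-accept-server-domain",
}
DHCP_FLAGS = sorted(k for k in KNOWN_KEYS if k.startswith("dhcp-"))
OP_MODES = {"multi-vsys", "jumbo-frame"}


def parse_init_cfg(text):
    """Return (fields, errors). Whitespace around '=' is an error because it
    breaks parsing on the management server side."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if "=" not in raw:
            errors.append(f"line {lineno}: expected key=value")
            continue
        key, value = raw.split("=", 1)
        if key != key.strip() or value != value.strip():
            errors.append(f"line {lineno}: whitespace around '=' in {key.strip()!r}")
        key, value = key.strip(), value.strip()
        if key not in KNOWN_KEYS:
            errors.append(f"line {lineno}: unknown field {key!r}")
        fields[key] = value
    return fields, errors


def _addr(value, parser, field, errors):
    """Parse an address with `parser`, recording a problem instead of raising."""
    try:
        return parser(value)
    except ValueError:
        errors.append(f"{field}: {value!r} is not a valid address")
        return None


def validate(fields):
    """Apply the requirements from the field table; return a list of problems."""
    errors = []
    mgmt_type = fields.get("type")
    if mgmt_type not in ("static", "dhcp-client"):
        errors.append("type must be 'static' or 'dhcp-client'")
        return errors
    if mgmt_type == "static":
        have_v4 = all(fields.get(k) for k in ("ip-address", "default-gateway", "netmask"))
        have_v6 = all(fields.get(k) for k in ("ipv6-address", "ipv6-default-gateway"))
        if not (have_v4 or have_v6):
            errors.append("static type needs ip-address, default-gateway and netmask, "
                          "or ipv6-address and ipv6-default-gateway")
        if have_v4:
            net = _addr(f"{fields['ip-address']}/{fields['netmask']}",
                        lambda s: ipaddress.IPv4Network(s, strict=False),
                        "ip-address/netmask", errors)
            gw = _addr(fields["default-gateway"], ipaddress.IPv4Address, "default-gateway", errors)
            if net is not None and gw is not None and gw not in net:
                errors.append(f"default-gateway {gw} is outside {net}")   # extra sanity check
        if have_v6:
            _addr(fields["ipv6-address"], ipaddress.IPv6Interface, "ipv6-address", errors)
            _addr(fields["ipv6-default-gateway"], ipaddress.IPv6Address, "ipv6-default-gateway", errors)
    for key in ("panorama-server", "panorama-server-2", "dns-primary", "dns-secondary"):
        if fields.get(key):
            _addr(fields[key], ipaddress.ip_address, key, errors)
    for key in DHCP_FLAGS:
        if fields.get(key) and fields[key] not in ("yes", "no"):
            errors.append(f"{key}: expected yes or no")
    modes = fields.get("op-command-modes", "")
    if modes:
        bad = [m for m in modes.split(",") if m not in OP_MODES]   # comma only, no spaces
        if bad:
            errors.append(f"op-command-modes: unexpected value(s) {bad}")
    return errors


def select_init_cfg(filenames, serial):
    """Pick the file the firewall would use: <S/N>-init-cfg.txt if present, else init-cfg.txt."""
    preferred = f"{serial}-init-cfg.txt"
    if preferred in filenames:
        return preferred
    return "init-cfg.txt" if "init-cfg.txt" in filenames else None
```

Feed it the contents of each init-cfg.txt in the /config directory of the bundle; an empty error list from both parse_init_cfg and validate is the condition to require before running request system bootstrap-usb prepare.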
Step 6  (Optional) Create the bootstrap.xml file.
  The optional bootstrap.xml file is a complete firewall configuration that you can export from an existing production firewall.
  1.
  2. Select the Name of the saved or the running configuration.
  3. Click OK.
  4. Rename the file as bootstrap.xml.

Step 7  Create and download the bootstrap bundle from the Customer Support portal.
  For a physical firewall, the bootstrap bundle requires only the /license and /config directories.
  Use one of the following methods to create and download the bootstrap bundle:
    Use Method 1 to create a bootstrap bundle specific to a remote site (you have only one init-cfg.txt file).
    Use Method 2 to create one bootstrap bundle for multiple sites.

  Method 1
  1. On your local system, go to support.paloaltonetworks.com and log in.
  2. Select Assets.
  3. Select the S/N of the firewall you want to bootstrap.
  4. Select Bootstrap Container.
  5. Click Select.
  6. Upload and Open the init-cfg.txt file you created in Step 5.
  7. (Optional) Select the bootstrap.xml file you created in Step 6 and Upload Files.
     You must use a bootstrap.xml file from a firewall of the same model and PAN-OS version.
  8.

  Method 2
  Create a tar.gz file on your local system with two top-level directories: /license and /config. Include all licenses and all init-cfg.txt files with S/Ns prepended to the filenames as described in Step 5.
  The license key files you download from the Customer Support portal have the S/N in the license filename. PAN-OS checks the S/N in the filename against the firewall S/N while executing the bootstrap process.

Step 8  Import the tar.gz file (that you created in Step 7) to a PAN-OS 7.1 firewall using Secure Copy (SCP) or TFTP.
  Access the CLI and enter one of the following commands:
    tftp import bootstrap-bundle file <path and filename> from <host IP address>
  For example:
    tftp import bootstrap-bundle file /home/userx/bootstrap/devices/pa5000.tar.gz from 10.1.2.3

Step 9  Prepare the USB flash drive.
  1. Insert the USB flash drive into the firewall that you used in Step 8.
  2. Enter the following CLI operational command, using your tar.gz filename in place of pa5000.tar.gz. This command formats the USB flash drive, unzips the file, and validates the USB flash drive:
       request system bootstrap-usb prepare from pa5000.tar.gz
  3. Press y to continue. The following message displays when the USB drive is ready:
       USB prepare completed successfully.
  4. Remove the USB flash drive from the firewall.
  5. You can prepare as many USB flash drives as needed.

Step 10  Deliver the USB flash drive to your remote site.
  If you used Method 2 to create the bootstrap bundle, you can use the same USB flash drive content for bootstrapping firewalls at multiple remote sites. You can translate the content into multiple USB flash drives or a single USB flash drive used multiple times.
Bootstrap a Firewall Using a USB Flash Drive

Step 1  The firewall must be in a factory default state or must have all private data deleted.

Step 2  To ensure connectivity with your corporate headquarters, cable the firewall by connecting the management interface (MGT) using an Ethernet cable to one of the following:
  An upstream modem
  A port on the switch or router
  An Ethernet jack in the wall

Step 3  Insert the USB flash drive into the USB port on the firewall and power on the firewall. The factory-default firewall bootstraps itself from the USB flash drive.
  The firewall Status light turns from yellow to green when the firewall is configured; auto-commit is successful.

Step 4  Verify bootstrap completion. You can see basic status logs on the console during the bootstrap and you can verify that the process is complete.
  1. If you included Panorama values (panorama-server, tplname, and dgname) in your init-cfg.txt file, check Panorama managed devices, device group, and template name.
  2. Verify the general system settings and configuration by accessing the web interface and selecting Dashboard > Widgets > System or by using the CLI operational commands show system info and show config running.
  3. Verify the license installation by selecting Device > Licenses or by using the CLI operational command request license info.
  4. If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.
Authentication

Many of the services that Palo Alto Networks firewalls and Panorama provide require authentication, including administrator access to the web interface and end user access to Captive Portal, GlobalProtect portals, and GlobalProtect gateways. The authentication methods that you can configure vary by service, and can include Kerberos single sign-on (SSO), external authentication services, certificates and certificate profiles, local database accounts, RADIUS Vendor-Specific Attributes (VSAs), and NT LAN Manager (NTLM).

The following topics describe authentication methods that are common to most firewall and Panorama services, procedures to configure them, how to test authentication profiles, and how to troubleshoot authentication issues:

Configure an Authentication Profile and Sequence
Configure Kerberos Single Sign-On
Configure Local Database Authentication
Configure External Authentication
Test Authentication Server Connectivity
Troubleshoot Authentication Issues
Configure an Authentication Profile and Sequence

An authentication profile defines the authentication service that validates the login credentials of firewall or Panorama administrators and Captive Portal or GlobalProtect end users. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).

Some networks have multiple databases for different users and user groups (for example, TACACS+ and LDAP). To authenticate users in such cases, configure an authentication sequence, which is a ranked order of authentication profiles that the firewall or Panorama matches a user against during login. The firewall or Panorama checks against each profile in sequence until one successfully authenticates the user (the firewall always checks the local database first if the sequence includes one). A user is denied access only if authentication fails for all the profiles in the authentication sequence.

Configure an Authentication Profile and Sequence

Step 1  Create a Kerberos keytab.
  Required if the firewall or Panorama will use Kerberos SSO authentication.
  Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall or Panorama.

Step 2  Configure a local database (firewall only) or external server profile (firewall or Panorama).
  Required for local database or external authentication.
  Local database authentication: Perform the following tasks:
    a. Configure the user account.
    b. (Optional) Configure a user group.
  External authentication: Perform one of the following tasks:
    Configure a RADIUS Server Profile.
    Configure a TACACS+ Server Profile.
    Configure an LDAP Server Profile.
    Configure a Kerberos Server Profile.

Step 3  Configure an authentication profile.
  Define one or both of the following:
    Kerberos SSO: The firewall or Panorama first tries SSO authentication. If that fails, it falls back to the specified authentication Type.
    Local database or external authentication: The firewall or Panorama prompts the user to enter login credentials, and uses its local database (firewalls only) or an external service to authenticate the user.
  1.
  2. Enter a Name to identify the authentication profile.
  3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the profile is available.
  4. Select the authentication Type. If you select RADIUS, TACACS+, LDAP, or Kerberos, select the authentication Server Profile from the drop-down.
     If the Type is LDAP, define the Login Attribute. For Active Directory, enter sAMAccountName as the value.
  5.
  6. If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama.
  7. Select Advanced and Add the users and groups that can authenticate with this profile. You can select users and groups from the local database or, if you configured an LDAP server profile, from an LDAP-based directory service such as Active Directory. Selecting all allows every user to authenticate. By default, the list is empty, meaning no users can authenticate.
     You can also create and allow custom groups based on LDAP filters: see Map Users to Groups.
  8. Enter the number of Failed Attempts (0-10) to log in that the firewall or Panorama allows before locking out the user. The default value 0 means there is no limit.
  9. Enter the Lockout Time (0-60), which is the number of minutes for which the firewall or Panorama locks out the user after reaching the Failed Attempts limit. The default value 0 means the lockout applies until an administrator unlocks the user account.
  10. Click OK to save the authentication profile.

Step 4  Configure an authentication sequence.
  Required if you want the firewall or Panorama to try multiple authentication profiles to authenticate users. The firewall or Panorama evaluates the profiles in top-to-bottom order until one profile successfully authenticates the user.
  1.
  2.
  3.
  4. Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down.
  5. Click OK to save the authentication sequence.

Step 5  Assign the authentication profile or sequence.
  Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.

Test Authentication Server Connectivity to verify that an authentication profile can communicate with the back-end authentication server and that the authentication request succeeded.
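The following Python simulation, added here and not PAN-OS code, models the behaviour described in the section introduction and in Steps 3 and 4: a local database profile is tried before the others in a sequence regardless of its position, a profile with Kerberos SSO tries the presented ticket first and falls back to its Type, the allow list under Advanced defaults to nobody, and Failed Attempts and Lockout Time follow the 0-means-no-limit and 0-means-until-unlocked rules. The verify and sso callables, the user names and the passwords are constructed stand-ins for the real RADIUS, LDAP and Kerberos back ends; time is a minute counter rather than a wall clock.

```python
"""Constructed model of PAN-OS authentication profile and sequence evaluation.
Not PAN-OS code: verify/sso callables stand in for the real back ends."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

UNTIL_UNLOCKED = float("inf")   # Lockout Time 0: locked until an administrator unlocks


@dataclass
class AuthProfile:
    name: str
    auth_type: str                                # "local-database", "radius", "tacacs+", "ldap", "kerberos"
    verify: Callable[[str, str], bool]            # stand-in for the back-end credential check
    allow_list: Set[str] = field(default_factory=set)   # users/groups under Advanced; empty = nobody
    sso: Optional[Callable[[str], bool]] = None         # Kerberos SSO ticket check, when enabled
    failed_attempts: int = 0                      # 0-10; 0 means no limit
    lockout_time: int = 0                         # 0-60 minutes; 0 means until unlocked
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self):
        if not 0 <= self.failed_attempts <= 10 or not 0 <= self.lockout_time <= 60:
            raise ValueError("Failed Attempts must be 0-10 and Lockout Time 0-60")

    def authenticate(self, user: str, password: str, now: float,
                     ticket: Optional[str] = None) -> bool:
        """`now` is a minute counter; `ticket` is a Kerberos service ticket if one was presented."""
        if "all" not in self.allow_list and user not in self.allow_list:
            return False                          # not in the profile's allow list
        if now < self.locked_until.get(user, float("-inf")):
            return False                          # still locked out
        if self.sso is not None and ticket is not None and self.sso(ticket):
            self.failures[user] = 0
            return True                           # SSO succeeded; no credential prompt
        # SSO not configured, not presented, or failed: fall back to the profile Type.
        if self.verify(user, password):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failed_attempts and self.failures[user] >= self.failed_attempts:
            self.locked_until[user] = (now + self.lockout_time if self.lockout_time
                                       else UNTIL_UNLOCKED)
            self.failures[user] = 0
        return False

    def unlock(self, user: str) -> None:
        """What an administrator does for a Lockout Time of 0."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)


def authenticate_sequence(profiles: List[AuthProfile], user: str, password: str,
                          now: float, ticket: Optional[str] = None) -> Optional[str]:
    """Return the name of the first profile that authenticates the user, or None if all fail.
    A local database profile is always tried first, whatever its position in the sequence."""
    ordered = sorted(profiles, key=lambda p: p.auth_type != "local-database")  # stable sort
    for profile in ordered:
        if profile.authenticate(user, password, now, ticket):
            return profile.name
    return None
```

The point of the lockout counters is visible when you drive the model: a wrong password still counts against the user while a lockout is pending, and a Lockout Time of 0 never expires on its own.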
Configure Kerberos Single Sign-On

Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. A network that supports Kerberos SSO prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (for example, the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and external authentication services (for example, a RADIUS server), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external service for authentication.

To support Kerberos SSO, your network requires:
  A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
  A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.

Configure Kerberos Single Sign-On

Step 1  Create a Kerberos keytab.
  1. Log in to the KDC and open a command prompt.
  2. Enter the following command, where <principal_name>, <password>, and <algorithm> are variables. The Kerberos principal name and password are of the firewall or Panorama, not the user.
     If the firewall is in FIPS/CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. To use an Advanced Encryption Standard (AES) algorithm, the functional level of the KDC must be Windows Server 2008 or later and you must enable AES encryption for the firewall or Panorama account.
     The algorithm in the keytab must match the algorithm in the service ticket that the TGS issues to clients. Your Kerberos administrator determines which algorithms the service tickets use.

Step 2  Import the keytab into an authentication profile.
  Configure an Authentication Profile and Sequence:
  1. Enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase).
  2. Import the Kerberos Keytab that you created for the firewall or Panorama.

Step 3  Assign the authentication profile to the administrator account or to the Captive Portal settings.
  Configure an administrator account.
  Configure Captive Portal.
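As an added check for Step 1, not from the page or from Palo Alto Networks: before importing a keytab into the authentication profile, you can confirm that the encryption type it carries is one PAN-OS accepts and, in FIPS/CC mode, one of the two AES types named above. The Python below reads the MIT keytab file format (version 0x0502, big-endian) and reports each entry's principal, key version and enctype using the standard Kerberos enctype numbers (16 des3-cbc-sha1, 17 aes128-cts-hmac-sha1-96, 18 aes256-cts-hmac-sha1-96, 23 arcfour-hmac). build_keytab constructs sample keytabs for testing; the principal HTTP/fw.example.com@EXAMPLE.COM and the zero-filled keys are constructed values, and the key material is never printed.

```python
"""Constructed keytab inspector for the MIT keytab format (not PAN-OS code)."""
import struct

# Standard Kerberos enctype numbers for the algorithms the page names.
ENCTYPES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
PANOS_ALLOWED = {16, 17, 18, 23}      # accepted outside FIPS/CC mode
FIPS_CC_ALLOWED = {17, 18}            # the only two accepted in FIPS/CC mode


def build_keytab(entries):
    """Build version-2 keytab bytes from (principal, kvno, enctype, key) tuples.
    Constructed test data; a real keytab comes from the KDC."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray(struct.pack(">H", len(components)))
        for text in [realm] + components:
            raw = text.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">I", 1)                 # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                 # timestamp
        body += struct.pack(">B", kvno & 0xFF)       # 8-bit key version
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype} dicts; key material is skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 (0x0502) keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):                   # realm, then the name components
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + length].decode())
            pos += length
        realm, components = strings[0], strings[1:]
        pos += 4                                     # name type
        pos += 4                                     # timestamp
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                              # skip the key itself
        if end - pos >= 4:                           # optional 32-bit key version
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_keytab(data, fips_cc_mode=False):
    """List entries whose enctype the firewall would not accept in the given mode."""
    allowed = FIPS_CC_ALLOWED if fips_cc_mode else PANOS_ALLOWED
    problems = []
    for entry in parse_keytab(data):
        label = ENCTYPES.get(entry["enctype"], f"enctype {entry['enctype']}")
        if entry["enctype"] not in allowed:
            suffix = " in FIPS/CC mode" if fips_cc_mode else ""
            problems.append(f"{entry['principal']}: {label} not permitted{suffix}")
    return problems
```

Read the exported keytab as bytes, run check_keytab with the firewall's mode, and also compare the reported enctype with the one your Kerberos administrator says the service tickets use, since the page requires the two to match.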
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 143
ConfigureLocalDatabaseAuthentication
Authentication
ConfigureLocalDatabaseAuthentication
You can use a local firewall database instead of an external service to manage user account credentials and authentication. For example, you might create a local database of users and user groups for specialized purposes if you don't have permission to add them to the directory servers that your organization uses to manage regular accounts and groups. Local database authentication is available for firewall administrators and for Captive Portal and GlobalProtect end users.
If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
You can also Configure an Administrative Account to use local account management and authentication without a local database, but only for firewall administrators.
Configure Local Database Authentication

Step 1  Configure the user account.
  1.
  2. Enter a user Name for the administrator.
  3. Enter a Password and Confirm Password, or enter a Password Hash.
  4. Enable the account (enabled by default) and click OK.

Step 2  Configure a user group. Required if your users require group membership.
  1.
  2. Enter a Name to identify the group.
  3. Add each user who is a member of the group and click OK.

Step 3  Configure an authentication profile.
  Set the authentication Type to Local Database.

Step 4  Assign the authentication profile to an administrator account or firewall service.
  Administrators: Configure an Administrative Account:
  - Specify the Name of a user you defined in Step 1.
  - Assign the Authentication Profile that you configured for the account.
  End users: For all services, you must assign the Authentication Profile that you configured for the accounts:
  - Configure Captive Portal.
  - Configure the GlobalProtect portal.
  - Configure the GlobalProtect gateway.

Step 5  Verify that the firewall can communicate with the authentication server.
  Test a Local Database Authentication Profile.

Configure External Authentication
Palo Alto Networks firewalls and Panorama can use external servers for many services that require authentication, including administrator access to the web interface and end-user access to Captive Portal, GlobalProtect portals and GlobalProtect gateways. The server protocols that firewalls and Panorama support include Lightweight Directory Access Protocol (LDAP), Kerberos, Terminal Access Controller Access-Control System Plus (TACACS+), and Remote Authentication Dial-In User Service (RADIUS). If you enable both external authentication and Kerberos single sign-on (SSO), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external server for authentication. To configure external authentication, you create an authentication server profile, assign it to an authentication profile, and then enable authentication for an administrator account or firewall/Panorama service by assigning the authentication profile to it.
- Configure Authentication Server Profiles
- Enable External Authentication for Users and Services

Configure Authentication Server Profiles
- Configure a RADIUS Server Profile
- RADIUS Vendor-Specific Attributes Support
- Configure a TACACS+ Server Profile
- Configure an LDAP Server Profile
- Configure a Kerberos Server Profile
- Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers
Configure a RADIUS Server Profile
Step 1  Add a RADIUS server profile.
  1.
  2. Enter a Profile Name to identify the server profile.
  3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-30, default is 3).
  5. Enter the number of automatic Retries following a Timeout before the request fails (range is 1-5, default is 3).
  6. For each RADIUS server, click Add and enter a Name (to identify the server), server IP address or FQDN (RADIUS Server field), Secret/Confirm Secret (a key to encrypt passwords), and server Port for authentication requests (default is 1812).
  7. Click OK.

Step 2  Implement the RADIUS server profile.
  1. Assign the RADIUS server profile to an authentication profile or sequence.
  2. Test a RADIUS Authentication Profile to verify that the firewall or Panorama can connect to the RADIUS server.
  3. Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.
  4. Commit your changes.
Name / Number / Value
  (name not present on this page)
    A default (dynamic) administrative role name or a custom administrative role name on the firewall.
  PaloAlto-Admin-Access-Domain
    The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.
  PaloAlto-Panorama-Admin-Role
    A default (dynamic) administrative role name or a custom administrative role name on Panorama.
  PaloAlto-Panorama-Admin-Access-Domain / 4
    The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).
  PaloAlto-User-Group
    The name of a user group that an authentication profile references.
  PaloAlto-Client-Source-IP
  PaloAlto-Client-OS
  PaloAlto-Client-Hostname
  PaloAlto-GlobalProtect-Client-Version / 10
    Don't specify a value when you define these VSAs.
Configure a TACACS+ Server Profile

Step 1  Add a TACACS+ server profile.
  1.
  2. Enter a Profile Name to identify the server profile.
  3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-20, default is 3).
  5.
  6. For each TACACS+ server, click Add and enter a Name (to identify the server), server IP address or FQDN (TACACS+ Server field), Secret/Confirm Secret (a key to encrypt usernames and passwords), and server Port for authentication requests (default is 49).
  7. Click OK.

Step 2  Implement the TACACS+ server profile.
  1. Assign the TACACS+ server profile to an authentication profile or sequence.
  2. Test a TACACS+ Authentication Profile to verify that the firewall or Panorama can connect to the TACACS+ server.
  3. Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.
  4. Commit your changes.
Configure an LDAP Server Profile

- Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama.
- Define security rules based on user or user group. The LDAP server profile instructs the firewall how to connect and authenticate to the server and how to search the directory for user and group information. You must also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy rules.

Step 1  Add an LDAP server profile.
  1.
  2. Enter a Profile Name to identify the server profile.
  3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. For each LDAP server (up to four), click Add and enter a Name (to identify the server), server IP address (LDAP Server field), and server Port (default 389).
  5. Select the server Type from the drop-down: active-directory, e-directory, sun, or other.
  6. If you want the firewall or Panorama to use SSL or TLS for a more secure connection with the directory server, select the Require SSL/TLS secured connection check box (it is selected by default). The protocol that the firewall or Panorama uses depends on the server Port:
     - 389 (default): TLS (Specifically, the firewall or Panorama uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
     - 636: SSL
     - Any other port: The firewall or Panorama first tries to use TLS. If the directory server doesn't support TLS, the firewall or Panorama falls back to SSL.
  7. To improve security, you can select the Verify Server Certificate for SSL sessions check box (it is cleared by default) so that the firewall or Panorama verifies the certificate that the directory server presents for SSL/TLS connections. If the verification fails, the connection fails. To enable verification, you must also select the Require SSL/TLS secured connection check box. The firewall or Panorama verifies the certificate in two respects:
     - The certificate is trusted and valid. For the firewall or Panorama to trust the certificate, its root certificate authority (CA) and any intermediate certificates must be in the certificate store under Device > Certificate Management > Certificates > Device Certificates. Import the certificate if necessary: see Import a Certificate and Private Key.
     - The certificate name must match the hostname of the LDAP server. The firewall or Panorama first checks the certificate attribute SubjectAltName for matching, then tries the attribute SubjectDN. If the certificate uses the FQDN of the directory server, you must enter that FQDN in the LDAP Server field for the name matching to succeed.
  8. Click OK.

Step 2  Implement the LDAP server profile.
  1. Assign the LDAP server profile to an authentication profile or sequence.
  2. Test an LDAP Authentication Profile to verify that the firewall or Panorama can connect to the LDAP server.
  3. Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.
  4. Commit your changes.
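The port-to-protocol rule in step 6 and the two certificate checks in step 7, written as an added Python audit that is not part of the guide or of PAN-OS: it reports the transport a server entry would use and flags the settings that leave the bind unprotected or make verification fail. The entry dict keys, the sample certificate (in the shape ssl.getpeercert() returns) and the server names are constructed for this example; the guide does not say whether an IP address in the LDAP Server field can match an IP SAN, so the audit simply asks for the FQDN.

```python
import ipaddress


def ldap_transport(port, require_tls=True):
    """Transport the firewall or Panorama uses for one LDAP server entry:
    389 -> StartTLS upgrade, 636 -> SSL (LDAPS), any other port -> TLS first,
    then SSL if the server does not support TLS. With the Require SSL/TLS
    check box cleared the bind goes over plaintext."""
    if not require_tls:
        return "plaintext"
    if port == 389:
        return "starttls"
    if port == 636:
        return "ssl"
    return "tls-then-ssl"


def certificate_name_matches(cert, server_field):
    """Name check in the order the guide gives: SubjectAltName DNS entries
    first, then the Subject DN commonName, compared with the LDAP Server field.
    'cert' uses the dict shape that ssl.getpeercert() returns."""
    wanted = server_field.lower()
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return wanted in sans
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value.lower() == wanted
    return False


def audit_ldap_server(entry, server_cert):
    """Return (transport, findings) for one server entry of an LDAP server profile.
    entry keys (constructed for this example): server, port, require_tls,
    verify_cert, ca_in_device_certificates."""
    findings = []
    transport = ldap_transport(entry["port"], entry["require_tls"])
    if transport == "plaintext":
        findings.append("bind credentials cross the network in cleartext: "
                        "select Require SSL/TLS secured connection")
    if entry["verify_cert"] and not entry["require_tls"]:
        findings.append("Verify Server Certificate has no effect unless "
                        "Require SSL/TLS secured connection is also selected")
    if not entry["verify_cert"]:
        findings.append("the certificate the directory server presents is not "
                        "checked (Verify Server Certificate is cleared)")
        return transport, findings
    if not entry["ca_in_device_certificates"]:
        findings.append("issuing root/intermediate CA is not under Device Certificates: "
                        "verification fails and so does the connection")
    try:
        ipaddress.ip_address(entry["server"])
        findings.append("LDAP Server field holds an IP address: enter the FQDN from the "
                        "server certificate so the name check can succeed")
    except ValueError:
        if not certificate_name_matches(server_cert, entry["server"]):
            findings.append("certificate SubjectAltName/SubjectDN does not match the "
                            "LDAP Server field")
    return transport, findings


# Constructed sample certificate (shape of ssl.getpeercert()) and two profile
# entries: the weak one disables transport security and verification, the
# hardened one uses LDAPS with verification and the server's FQDN.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "dc1.example.com")),
}
WEAK_ENTRY = {"server": "10.0.0.5", "port": 389, "require_tls": False,
              "verify_cert": False, "ca_in_device_certificates": False}
HARDENED_ENTRY = {"server": "ldap.example.com", "port": 636, "require_tls": True,
                  "verify_cert": True, "ca_in_device_certificates": True}
```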
Configure a Kerberos Server Profile

Step 1  Add a Kerberos server profile.
  1.
  2. Enter a Profile Name to identify the server profile.
  3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. For each Kerberos server, click Add and enter a Name (to identify the server), server IPv4 address or FQDN (Kerberos Server field), and an optional Port number for communication with the server (default 88).
  5. Click OK.

Step 2  Implement the Kerberos server profile.
  1. Assign the Kerberos server profile to an authentication profile or sequence.
  2. Test a Kerberos Authentication Profile to verify that the firewall or Panorama can connect to the Kerberos server.
  3. Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.
  4. Commit your changes.
Authentication Protocol (PAP) if the server rejects the CHAP request. This will happen if, for example, the server doesn't support CHAP or isn't configured for CHAP. CHAP is the preferred protocol because it is more secure than PAP. After the firewall or Panorama falls back to PAP for a particular RADIUS or TACACS+ server, it uses only PAP in subsequent attempts to authenticate to that server. PAN-OS records a fallback to PAP as a medium-severity event in the System logs. If you modify any fields in the RADIUS or TACACS+ server profile and then commit the changes, the firewall or Panorama reverts to first trying CHAP for that server.
If you want the firewall or Panorama to always use a specific protocol for authenticating to the RADIUS or TACACS+ server, enter the following operational CLI command (the auto option reverts to the default automatic selection):
  set authentication radius-auth-type [ auto | chap | pap ]
When configuring a RADIUS or TACACS+ server for CHAP, you must define user accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.
Step 1  Configure an external server profile.

Step 2  Assign the server profile to an authentication profile. Optionally, you can assign multiple authentication profiles to an authentication sequence.
  1. Configure an Authentication Profile and Sequence.
  2. Test Authentication Server Connectivity.

Step 3  Assign the authentication profile or sequence to an administrator account or to a firewall service for end users.
  Administrators: Configure an Administrative Account.
  End-user services:
  - Configure Captive Portal.
  - Configure the GlobalProtect portal.
  - Configure the GlobalProtect gateway.

Test Authentication Server Connectivity
After you configure an authentication profile on a Palo Alto Networks firewall or Panorama, you can use the test authentication feature to determine if it can communicate with the back-end authentication server and if the authentication request succeeded. You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing.
Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.
The following topics describe how to use the test authentication command and provide examples:
- Run the Test Authentication Command
- Test a Local Database Authentication Profile
- Test a RADIUS Authentication Profile
- Test a TACACS+ Authentication Profile
- Test an LDAP Authentication Profile
- Test a Kerberos Authentication Profile
Run the Test Authentication Command

Step 1  On the PAN-OS firewall or Panorama server, Configure an authentication profile. You do not need to commit the authentication or server profile configuration prior to testing.
Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
  To define the target vsys:
  admin@PA-3060> set system setting target-vsys <vsysname>
  For example, if the user is defined in vsys2, run the following command:
  admin@PA-3060> set system setting target-vsys vsys2
  The target-vsys command is per login session, so the system clears the option when you log off.
Step 4  Test an authentication profile by entering the following command:
  admin@PA-3060> test authentication authentication-profile <authentication profile name> username <username> password
  For example, to test an authentication profile named myprofile for a user named bsimpson, run the following command:
  admin@PA-3060> test authentication authentication-profile myprofile username bsimpson password
  When entering authentication profile names and server profile names in the test command, the names are case-sensitive. Also, if the authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This will ensure that the correct credentials are sent to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the Authentication profile.
Step 5  View the output of the test results.
  If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration.
  For example use cases on the supported authentication profile types, see Test Authentication Server Connectivity.
  The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.
Local Database Authentication Profile Test Example

Step 1  On the PAN-OS firewall, ensure that you have an administrator configured with the type Local Database. For information on administrator accounts, refer to Manage Firewall Administrators.
Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
  To define the target vsys:
  admin@PA-3060> set system setting target-vsys <vsysname>
  For example, if the user is defined in vsys2, run the following command:
  admin@PA-3060> set system setting target-vsys vsys2
  The target-vsys command is per login session, so the system clears the option when you log off.
Step 4  Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile LocalDB-Profile username User1-LocalDB password
Step 5  When prompted, enter the password for the User1-LocalDB account. The following output shows that the test failed:
Allow list check error:
Do allow list check before sending out authentication request...
User User1-LocalDB is not allowed with authentication profile LocalDB-Profile
  In this case, the last line of the output shows that the user is not allowed, which indicates a configuration problem in the authentication profile.
Step 6  To resolve this issue, modify the authentication profile and add the user to the Allow List.
  1. On the firewall, select Device > Authentication Profile and modify the profile named LocalDB-Profile.
  2. Click the Advanced tab and add User1-LocalDB to the Allow List.
  3. Click OK to save the change.
Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User1-LocalDB" has an exact match in allow list
Authentication by Local User Database for user "User1-LocalDB"
Authentication succeeded for Local User Database user "User1-LocalDB"
RADIUS Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a RADIUS Server Profile and Configure an authentication profile. In the authentication profile, you select the new RADIUS server profile in the Server Profile drop-down.
Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
  To define the target vsys:
  admin@PA-3060> set system setting target-vsys <vsysname>
  For example, if the user is defined in vsys2, run the following command:
  admin@PA-3060> set system setting target-vsys vsys2
  The target-vsys command is per login session, so the system clears the option when you log off.
Step 4  Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile RADIUS-Profile username User2-RADIUS password
Step 5  When prompted, enter the password for the User2-RADIUS account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
  In this case, the output shows Bad MD5, which indicates that there may be an issue with the secret defined in the RADIUS server profile.
Step 6  To resolve this issue, modify the RADIUS server profile and ensure that the secret defined on the RADIUS server matches the secret in the server profile.
  1. On the firewall, select Device > Server Profiles > RADIUS and modify the profile named RADIUS-Profile.
  2. In the Servers section, locate the RADIUS server and modify the Secret field.
  3. Type in the correct secret and then retype to confirm.
  4. Click OK to save the change.
Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication type: PAP
Now send request to remote server ...
Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication succeeded for user "User2-RADIUS"
TACACS+ Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a TACACS+ Server Profile and Configure an authentication profile. In the authentication profile, you select the new TACACS+ server profile in the Server Profile drop-down.
Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
  To define the target vsys:
  admin@PA-3060> set system setting target-vsys <vsysname>
  For example, if the user is defined in vsys2, run the following command:
  admin@PA-3060> set system setting target-vsys vsys2
  The target-vsys command is per login session, so the system clears the option when you log off.
Step 4  Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile TACACS-Profile username User3-TACACS password
Step 5  When prompted, enter the password for the User3-TACACS account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
Failed to send CHAP authentication request: Network read timed out
Attempting PAP authentication ...
PAP authentication request is created
Failed to send PAP authentication request: Network read timed out
Returned status: -1
Authentication failed against TACACS+ server at 10.5.196.62:49 for user User2-TACACS
Authentication failed for user "User2-TACACS"
Step 6  To resolve this issue, modify the TACACS+ server profile and ensure that the secret defined on the TACACS+ server matches the secret in the server profile.
  1. On the firewall, select Device > Server Profiles > TACACS+ and modify the profile named TACACS-Profile.
  2. In the Servers section, locate the TACACS+ server and modify the Secret field.
  3. Type in the correct secret and then retype to confirm.
  4. Click OK to save the change.
Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
Authentication succeeded!
Authentication succeeded for user "User2-TACACS"
LDAP Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure an LDAP Server Profile and Configure an authentication profile. In the authentication profile, you select the new LDAP server profile in the Server Profile drop-down.
Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
  To define the target vsys:
  admin@PA-3060> set system setting target-vsys <vsysname>
  For example, if the user is defined in vsys2, run the following command:
  admin@PA-3060> set system setting target-vsys vsys2
  The target-vsys command is per login session, so the system clears the option when you log off.
Step 4  Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile LDAP-Profile username User4-LDAP password
Step 5  When prompted, enter the password for the User4-LDAP account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
parse error of dn and attributes for user "User4-LDAP"
Authentication failed against LDAP server at 10.5.104.99:389 for user "User4-LDAP"
Authentication failed for user "User4-LDAP"
Step 6  To resolve this issue, modify the LDAP server profile and ensure that the Bind DN DC value is correct by comparing the DC value with the DC value of the LDAP server.
  1. On the firewall, select Device > Server Profiles > LDAP and modify the profile named LDAP-Profile.
  2. In the Server settings section, enter the correct value for the DC in the Bind DN field. In this case, the correct value for the DC is MGMT-GROUP.
  3. Click OK to save the change.
Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=User4-LDAP,CN=Users,DC=MGMT-GROUP,DC=local
User expires in days: never
Authentication succeeded for user "User4-LDAP"
Kerberos Authentication Profile Test Example

Step 1  On the PAN-OS firewall, Configure a Kerberos Server Profile and Configure an authentication profile. In the authentication profile, you select the new Kerberos server profile in the Server Profile drop-down.
Step 2  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3  (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
  To define the target vsys:
  admin@PA-3060> set system setting target-vsys <vsysname>
  For example, if the user is defined in vsys2, run the following command:
  admin@PA-3060> set system setting target-vsys vsys2
  The target-vsys command is per login session, so the system clears the option when you log off.
Step 4  Run the following CLI command:
  admin@PA-3060> test authentication authentication-profile Kerberos-Profile username User5-Kerberos password
Step 5  When prompted, enter the password for the User5-Kerberos account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'Bad-MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
Authentication failed for user "User5-Kerberos"
Step 6  To resolve this issue, modify the Kerberos server profile and ensure that the Realm value is correct by comparing it with the realm name on the Kerberos server.
  1. On the firewall, select Device > Authentication Profiles and modify the profile named Kerberos-Profile.
  2. In the Kerberos Realm field, enter the correct value. In this case, the correct realm is mgmt-group.local.
  3. Click OK to save the change.
Step 7  Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "User5-Kerberos"
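The five test runs above, together with the CHAP-to-PAP fallback described under Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers, can be classified automatically from the CLI output. This added Python helper is not from the guide or from PAN-OS: it matches the error lines seen in the examples to a diagnosis and the fix the corresponding example applies, and flags a PAP fallback. The sample outputs are abridged copies of the guide's own test output, with no other values added.

```python
import re

# Line patterns taken from the test outputs in this guide, each mapped to a
# diagnosis and the fix that the matching example applies.
RULES = [
    (r"is not allowed with authentication profile", "allow-list",
     "add the user or group to the authentication profile's Allow List"),
    (r"Invalid RADIUS response received - Bad MD5", "radius-secret",
     "the secret in the RADIUS server profile does not match the server"),
    (r"Network read timed out", "unreachable-or-secret",
     "no usable reply: check server IP, port and secret in the server profile"),
    (r"parse error of dn and attributes", "ldap-bind-dn",
     "the Bind DN in the LDAP server profile is wrong (compare the DC values)"),
    (r"Wrong realm:", "kerberos-realm",
     "the Kerberos Realm in the authentication profile does not match the KDC"),
]
PAP_FALLBACK = "CHAP auth request is NOT accepted, try PAP next"
RESULT_RE = re.compile(r"^Authentication (succeeded|failed)\b")


def analyze_test_output(text):
    """Summarize one 'test authentication' run as a dict with the outcome
    ('succeeded', 'failed' or 'unknown'), a diagnosis and hint from RULES,
    and whether the firewall fell back from CHAP to PAP (PAN-OS also records
    that fallback as a medium-severity System log event)."""
    result = {"outcome": "unknown", "diagnosis": None, "hint": None,
              "pap_fallback": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line)
        if m:
            result["outcome"] = m.group(1)        # the last verdict line wins
        if PAP_FALLBACK in line:
            result["pap_fallback"] = True
        if result["diagnosis"] is None:
            for pattern, diagnosis, hint in RULES:
                if re.search(pattern, line):
                    result["diagnosis"], result["hint"] = diagnosis, hint
                    break
    if result["outcome"] == "unknown" and result["diagnosis"]:
        result["outcome"] = "failed"              # allow-list failures print no verdict line
    return result


# Sample outputs, abridged from the examples in this guide.
LOCALDB_FAIL = """\
Allow list check error:
Do allow list check before sending out authentication request...
User User1-LocalDB is not allowed with authentication profile LocalDB-Profile
"""
RADIUS_FAIL = """\
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
"""
RADIUS_OK = """\
Authentication type: CHAP
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication type: PAP
Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication succeeded for user "User2-RADIUS"
"""
KERBEROS_FAIL = """\
Sending authentication request to KDC...
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
Authentication failed for user "User5-Kerberos"
"""
```

A successful RADIUS run that still reports pap_fallback is worth a look: the server rejected CHAP, so that server will be authenticated with PAP only until the server profile is changed and committed.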
Troubleshoot Authentication Issues
When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the authentication process takes longer than expected, analyzing authentication-related information can help you determine whether the failure or delay resulted from:
- User behavior: For example, users are locked out after entering the wrong credentials or a high volume of users are simultaneously attempting access.
- System or network issues: For example, an authentication server is inaccessible.
- Configuration issues: For example, the Allow List of an authentication profile doesn't have all the users it should have.
The following CLI commands display information that can help you troubleshoot these issues:
Task
  Use the debug authentication command to troubleshoot authentication events.
  Use the show options to display authentication request statistics and the current debugging level:
  - show displays the current debugging level for the authentication service (authd).
  - show-active-requests displays the number of active checks for authentication requests, allow lists, and locked user accounts.
  - show-pending-requests displays the number of pending checks for authentication requests, allow lists, and locked user accounts.
  - connection-show displays authentication request and response statistics for all authentication servers or for a specific protocol type.
  Use the connection-debug options to enable or disable authentication debugging:
  - Use the on option to enable or the off option to disable debugging for authd.
  - Use the connection-debug-on option to enable or the connection-debug-off option to disable debugging for all authentication servers or for a specific protocol type.

Command
  debug authentication
  {
    on {debug | dump | error | info | warn} |
    show |
    show-active-requests |
    show-pending-requests |
    connection-show |
    {
      connection-id |
      protocol-type
      {
        Kerberos connection-id <value> |
        LDAP connection-id <value> |
        RADIUS connection-id <value> |
        TACACS+ connection-id <value> |
      }
    }
    connection-debug-on |
    {
      connection-id |
      debug-prefix |
      protocol-type
      {
        Kerberos connection-id <value> |
        LDAP connection-id <value> |
        RADIUS connection-id <value> |
        TACACS+ connection-id <value> |
      }
    }
    connection-debug-off |
    {
      connection-id |
      protocol-type
      {
        Kerberos connection-id <value> |
        LDAP connection-id <value> |
        RADIUS connection-id <value> |
        TACACS+ connection-id <value> |
      }
      connection-debug-on
    }
  }
Certificate Management
The following topics describe the different keys and certificates that Palo Alto Networks firewalls and Panorama use, and how to obtain and manage them:
- Keys and Certificates
- Certificate Revocation
- Certificate Deployment
- Set Up Verification for Certificate Revocation Status
- Configure the Master Key
- Obtain Certificates
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
- Revoke and Renew Certificates
- Secure Keys with a Hardware Security Module
Keys and Certificates
To ensure trust between parties in a secure communication session, Palo Alto Networks firewalls and Panorama use digital certificates. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies the issuer did not revoke the certificate (see Certificate Revocation).
Palo Alto Networks firewalls and Panorama use certificates in the following applications:
- User authentication for Captive Portal, GlobalProtect, Mobile Security Manager, and web interface access to a firewall or Panorama.
- Device authentication for GlobalProtect VPN (remote user-to-site or large scale).
- Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).
- Decrypting inbound and outbound SSL traffic.
  A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS connection to the destination server. To secure a connection between itself and the client, the firewall uses a signing certificate to automatically generate a copy of the destination server certificate.
The following table describes the keys and certificates that Palo Alto Networks firewalls and Panorama use. As a best practice, use different keys and certificates for each usage.
Table: Palo Alto Networks Device Keys/Certificates

Key/Certificate Usage, followed by its Description:

Administrative Access
    Secure access to firewall or Panorama administration interfaces (HTTPS access to the web interface) requires a server certificate for the MGT interface (or a designated interface on the dataplane if the firewall or Panorama does not use MGT) and, optionally, a certificate to authenticate the administrator.

Captive Portal
    In deployments where Captive Portal identifies users who access HTTPS resources, designate a server certificate for the Captive Portal interface. If you configure Captive Portal to use certificates (instead of, or in addition to, username/password credentials) for user identification, designate a user certificate also. For more information on Captive Portal, see Map IP Addresses to Usernames Using Captive Portal.

Forward Trust
    For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy of the destination server certificate to present to the client. Because clients trust this CA for any name it issues, its private key is the most sensitive key on the firewall. To set the private key size, see Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the key on a hardware security module (for details, see Secure Keys with a Hardware Security Module).

Forward Untrust
    For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA that signed the certificate of the destination server, the firewall uses the forward untrust CA certificate to generate a copy of the destination server certificate to present to the client. Do not deploy the forward untrust CA certificate to client trust stores; its purpose is to make the client raise the same warning it would have raised for the original, untrusted server certificate.

SSL Inbound Inspection
    The keys that decrypt inbound SSL/TLS traffic for inspection and policy enforcement. For this application, import onto the firewall a private key for each server that is subject to SSL/TLS inbound inspection. See Configure SSL Inbound Inspection.

SSL Exclude Certificate
    Certificates for servers to exclude from SSL/TLS decryption. For example, if you enable SSL decryption but your network includes servers for which the firewall should not decrypt traffic (for example, web services for your HR systems), import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Configure Decryption Exceptions.

GlobalProtect
    All interaction among GlobalProtect components occurs over SSL/TLS connections. Therefore, as part of the GlobalProtect deployment, deploy server certificates for all GlobalProtect portals, gateways, and Mobile Security Managers. Optionally, deploy certificates for authenticating users also.
    Note that the GlobalProtect Large Scale VPN (LSVPN) feature requires a CA signing certificate.

Site-to-Site VPN (IKE)
    In a site-to-site IPSec VPN deployment, peer devices use Internet Key Exchange (IKE) gateways to establish a secure channel. IKE gateways use certificates or preshared keys to authenticate the peers to each other. You configure and assign the certificates or keys when defining an IKE gateway on a firewall. See Site-to-Site VPN Overview.

Master Key
    The firewall uses a master key to encrypt all private keys and passwords. If your network requires a secure location for storing private keys, you can use an encryption (wrapping) key stored on a hardware security module (HSM) to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.

Secure Syslog
    The certificate to enable secure connections between the firewall and a syslog server. See Syslog Field Descriptions.

Trusted Root CA
    The designation for a root certificate issued by a CA that the firewall trusts. The firewall can use a self-signed root CA certificate to automatically issue certificates for other applications (for example, SSL Forward Proxy).
    Also, if a firewall must establish secure connections with other firewalls, the root CA that issues their certificates must be in the list of trusted root CAs on the firewall.
Certificate Revocation

Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust between parties in a secure communication session. Configuring a firewall or Panorama to check the revocation status of certificates provides additional security: a party that presents a revoked certificate is not trustworthy. When a certificate is part of a chain, the firewall or Panorama checks the status of every certificate in the chain except the root CA certificate, for which it cannot verify revocation status.

Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, a change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority that issued the certificate must revoke it.

The firewall and Panorama support the following methods for verifying certificate revocation status. If you configure both methods, the firewall or Panorama first tries the OCSP method; if the OCSP server is unavailable, it uses the CRL method.

Certificate Revocation List (CRL)
Online Certificate Status Protocol (OCSP)

In PAN-OS, certificate revocation status verification is an optional feature. It is a best practice to enable it for certificate profiles, which define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall or Panorama.
Certificate Revocation List (CRL)

Each certificate authority (CA) periodically issues a certificate revocation list (CRL) to a public repository. The CRL identifies revoked certificates by serial number. After the CA revokes a certificate, the next CRL update will include the serial number of that certificate.

The Palo Alto Networks firewall downloads and caches the last issued CRL for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the CRL for the issuing CA. Also, the cache only stores a CRL until it expires.

The firewall supports CRLs only in Distinguished Encoding Rules (DER) format. If the firewall downloads a CRL in any other format (for example, Privacy Enhanced Mail (PEM) format), any revocation verification process that uses that CRL will fail when a user performs an activity that triggers the process (for example, sending outbound SSL data). The firewall will generate a system log for the verification failure. If the verification was for an SSL certificate, the firewall will also display the SSL Certificate Errors Notify response page to the user. Before you rely on a CRL, confirm that the distribution point referenced in the certificates you validate actually serves DER.

To use CRLs for verifying the revocation status of certificates used for the decryption of inbound and outbound SSL/TLS traffic, see Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.

To use CRLs for verifying the revocation status of certificates that authenticate users and devices, configure a certificate profile and assign it to the interfaces that are specific to the application: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, or web interface access to Palo Alto Networks firewalls or Panorama. For details, see Configure Revocation Status Verification of Certificates.
Online Certificate Status Protocol (OCSP)

When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check the revocation status of the authentication certificate. The authenticating client sends a request identifying the certificate (its serial number together with hashes of the issuer's name and public key) to the OCSP responder (server). The responder searches the database of the certificate authority (CA) that issued the certificate and returns a response containing the status (good, revoked, or unknown) to the client. The advantage of the OCSP method is that it can verify status in real time, instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs.

The Palo Alto Networks firewall downloads and caches OCSP status information for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the OCSP information for the issuing CA. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall as an OCSP responder (see Configure an OCSP Responder).

To use OCSP for verifying the revocation status of certificates when the firewall functions as an SSL forward proxy, perform the steps under Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.

The following applications use certificates to authenticate users and/or devices: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP for verifying the revocation status of the certificates:

Configure an OCSP responder.
Enable the HTTP OCSP service on the firewall.
Create or obtain a certificate for each application.
Configure a certificate profile for each application.
Assign the certificate profile to the relevant application.

To cover situations where the OCSP responder is unavailable, configure CRL as a fallback method. For details, see Configure Revocation Status Verification of Certificates.
Certificate Deployment

The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are:

Obtain certificates from a trusted third-party CA. The benefit of obtaining a certificate from a trusted third-party certificate authority (CA) such as VeriSign or GoDaddy is that end clients will already trust the certificate because common browsers include root CA certificates from well-known CAs in their trusted root certificate stores. Therefore, for applications that require end clients to establish secure connections with the firewall or Panorama, purchase a certificate from a CA that the end clients trust to avoid having to pre-deploy root CA certificates to the end clients. (Some such applications are a GlobalProtect portal or GlobalProtect Mobile Security Manager.) However, note that most third-party CAs cannot issue signing certificates. Therefore, this type of certificate is not appropriate for applications (for example, SSL/TLS decryption and large scale VPN) that require the firewall to issue certificates. See Obtain a Certificate from an External CA.

Obtain certificates from an enterprise CA. Enterprises that have their own internal CA can use it to issue certificates for firewall applications and import them onto the firewall. The benefit is that end clients probably already trust the enterprise CA. You can either generate the needed certificates and import them onto the firewall, or generate a certificate signing request (CSR) on the firewall and send it to the enterprise CA for signing. The benefit of this method is that the private key does not leave the firewall. An enterprise CA can also issue a signing certificate, which the firewall uses to automatically generate certificates (for example, for GlobalProtect large scale VPN or sites requiring SSL/TLS decryption). See Import a Certificate and Private Key.

Generate self-signed certificates. You can Create a Self-Signed Root CA Certificate on the firewall and use it to automatically issue certificates for other firewall applications. Note that if you use this method to generate certificates for an application that requires an end client to trust the certificate, end users will see a certificate error because the root CA certificate is not in their trusted root certificate store. To prevent this, deploy the self-signed root CA certificate to all end user systems. You can deploy the certificates manually or use a centralized deployment method such as an Active Directory Group Policy Object (GPO).

Set Up Verification for Certificate Revocation Status

To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs). For details on these methods, see Certificate Revocation. If you configure both methods, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall to function as the OCSP responder.

The following topics describe how to configure the firewall to verify certificate revocation status:

Configure an OCSP Responder
Configure Revocation Status Verification of Certificates
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure an OCSP Responder

To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can be a third-party certificate authority (CA) or, if your enterprise has its own public key infrastructure (PKI), the firewall itself. For details on OCSP, see Certificate Revocation.

Configure an OCSP Responder

Step 1  Define an OCSP responder.
  1.
  2. Enter a Name to identify the responder (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
  3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the OCSP responder.
  4. In the Host Name field, enter the host name (recommended) or IP address of the OCSP responder. From this value, PAN-OS automatically derives a URL and adds it to the certificate being verified.
     If you configure the firewall itself as an OCSP responder, the host name must resolve to an IP address on the interface that the firewall uses for OCSP services (specified in Step 3).
  5. Click OK.

Step 2  Enable OCSP communication on the firewall.
  1.
  2. In the Management Interface Settings section, edit to select the HTTP OCSP checkbox, then click OK.

Step 3  (Optional) To configure the firewall itself as an OCSP responder, add an Interface Management Profile to the interface used for OCSP services.
  1.
  2.
  3.
  4.
  5.
  6. Click OK and Commit.

Configure Revocation Status Verification of Certificates

The firewall and Panorama use certificates to authenticate users and devices for such applications as Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. To improve security, it is a best practice to configure the firewall or Panorama to verify the revocation status of certificates that it uses for device/user authentication.

Configure Revocation Status Verification of Certificates

Step 1  Configure a Certificate Profile for each application.
  Assign one or more root CA certificates to the profile and select how the firewall verifies certificate revocation status. The common name (FQDN or IP address) of a certificate must match an interface to which you apply the profile in Step 2.
  For details on the certificates that various applications use, see Keys and Certificates.

Step 2  Assign the certificate profiles to the relevant applications.
  The steps to assign a certificate profile depend on the application that requires it.

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

The firewall decrypts inbound and outbound SSL/TLS traffic to apply security policy rules, then re-encrypts the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.) You can configure the firewall to verify the revocation status of certificates used for decryption as follows.

Enabling revocation status verification for SSL/TLS decryption certificates will add time to the process of establishing the session. The first attempt to access a site might fail if the verification does not finish before the session times out. For these reasons, verification is disabled by default.

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Step 1  Define the service-specific timeout intervals for revocation status requests.
  1.
  2. Perform one or both of the following steps, depending on whether the firewall will use Online Certificate Status Protocol (OCSP) or the Certificate Revocation List (CRL) method to verify the revocation status of certificates. If the firewall will use both, it first tries OCSP; if the OCSP responder is unavailable, the firewall then tries the CRL method.
     In the CRL section, select the Enable checkbox and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the CRL service.
     In the OCSP section, select the Enable checkbox and enter the Receive Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
     Depending on the Certificate Status Timeout value you specify in Step 2, the firewall might register a timeout before either or both of the Receive Timeout intervals pass.

Step 2  Define the total timeout interval for revocation status requests.

Step 3  Define the blocking behavior for unknown certificate status or a revocation status request timeout.
  If you want the firewall to block SSL/TLS sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block Session With Unknown Certificate Status checkbox. Otherwise, the firewall proceeds with the session.
  If you want the firewall to block SSL/TLS sessions after it registers a request timeout, select the Block Session On Certificate Status Check Timeout checkbox. Otherwise, the firewall proceeds with the session.
  With both checkboxes clear, an unreachable responder or an unknown status lets the session proceed; decide deliberately whether that fail-open behavior is acceptable for the traffic you decrypt.

Step 4  Save and apply your entries.
  Click OK and Commit.

Configure the Master Key

Every firewall and Panorama management server has a default master key that encrypts all the private keys and passwords in the configuration to secure them (such as the private key used for SSL Forward Proxy Decryption). For the best security posture, configure a new master key and change it periodically.

In a high availability (HA) configuration, you must use the same master key on both firewalls or Panorama servers in the pair. Otherwise, HA synchronization will not work properly.

Additionally, if you are using Panorama to manage your firewalls, you must use the same master key on Panorama and all managed firewalls so that Panorama can push configurations to the firewalls.

For added security, Encrypt a Master Key Using an HSM.

Be sure to store the master key in a safe location. You cannot recover the master key, and the only way to restore the default master key is to Reset the Firewall to Factory Default Settings.

Configure a Master Key

Step 1
Step 2
Step 3
Step 4  To specify the master key Life Time, enter the number of Days and/or Hours after which the key will expire.
  You must configure a new master key before the current key expires. If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.
Step 5
Step 6  (Optional) Select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
Step 7  Click OK and Commit.

Obtain Certificates

Create a Self-Signed Root CA Certificate
Generate a Certificate
Import a Certificate and Private Key
Obtain a Certificate from an External CA

Generate a Self-Signed Root CA Certificate

Step 1
Step 2  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3  Click Generate.
Step 4  Enter a Certificate Name, such as GlobalProtect_CA. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
Step 5  In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
Step 6  If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared checkbox.
Step 7  Leave the Signed By field blank to designate the certificate as self-signed.
Step 8  (Required) Select the Certificate Authority checkbox.
Step 9  Leave the OCSP Responder field blank; revocation status verification doesn't apply to root CA certificates.
Step 10 Click Generate and Commit.

Generate a Certificate

Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. Generate certificates for each usage; for details, see Keys and Certificates.

To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, Configure an OCSP Responder before generating the certificate.

Generate a Certificate

Step 1
Step 2  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3  Click Generate.
Step 4  Select Local (default) as the Certificate Type unless you want to deploy SCEP certificates to GlobalProtect clients.
Step 5  Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
Step 6  In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
Step 7  If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared checkbox.
Step 8  In the Signed By field, select the root CA certificate that will issue the certificate.
Step 9  (Optional) Select an OCSP Responder.

Generate a Certificate (Continued)

Step 16 Select the checkboxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog checkbox.
Step 17 Click OK and Commit.

Import a Certificate and Private Key

Step 1  From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it.
Step 2
Step 3  If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 4  Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
Step 5  To make the certificate available to all virtual systems, select the Shared checkbox. This checkbox appears only if the firewall supports multiple virtual systems.
Step 6  Enter the path and name of the Certificate File received from the CA, or Browse to find the file.
Step 7  Select a File Format:
  Encrypted Private Key and Certificate (PKCS12): This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module checkbox.
  Base64 Encoded Certificate (PEM): You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module checkbox and skip Step 8. Otherwise, select the Import Private Key checkbox, enter the Key File or Browse to it, then perform Step 8.
Step 8  Enter and re-enter (confirm) the Passphrase used to encrypt the private key.
Step 9  Click OK. The Device Certificates page displays the imported certificate.

Obtain a Certificate from an External CA

Step 1  Request the certificate from an external CA.
  1.
  2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
  3. Click Generate.
  4. Enter a Certificate Name. The name is case-sensitive and can have up to 31 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
  5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
  6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared checkbox.
  7.
  8. If applicable, select an OCSP Responder.
  9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.
     If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate. Current browsers match the requested host name against the Subject Alternative Name rather than the Common Name, so a certificate without a Host Name attribute fails host name validation even when the Common Name is correct.
  10. Click Generate. The Device Certificates tab displays the CSR with a Status of pending.

Step 2  Submit the CSR to the CA.
  1. Select the CSR and click Export to save the .csr file to a local computer.
  2. Upload the .csr file to the CA.

Step 3  Import the certificate.
  1. After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click Import.
  2. Enter the Certificate Name used to generate the CSR in Step 1, substep 4.
  3. Enter the path and name of the PEM Certificate File that the CA sent, or Browse to it.
  4. Click OK. The Device Certificates tab displays the certificate with a Status of valid.

Step 4  Configure the certificate.
  1. Click the certificate Name.
  2. Select the checkboxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog checkbox.
  3. Click OK and Commit.

Export a Certificate and Private Key

Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a certificate and private key in your organization. However, if necessary, you can also export a certificate and private key from the firewall or Panorama. An exported private key is a copy of a secret the firewall otherwise never releases: restrict which administrators can export, protect the file in transit, and delete it once it has been imported where it is needed. You can use an exported certificate and private key in the following cases:

Configure Certificate-Based Administrator Authentication to the Web Interface
GlobalProtect agent/app authentication to portals and gateways
SSL Forward Proxy decryption
Obtain a Certificate from an External CA

Export a Certificate and Private Key

Step 1
Step 2  If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.
Step 3  Select the certificate, click Export, and select a File Format:
  Base64 Encoded Certificate (PEM): This is the default format. It is the most common and has the broadest support on the Internet. If you want the exported file to include the private key, select the Export Private Key checkbox.
  Encrypted Private Key and Certificate (PKCS12): This format is more secure than PEM but is not as common or as broadly supported. The exported file will automatically include the private key.
  Binary Encoded Certificate (DER): More operating system types support this format than the others. You can export only the certificate, not the key: ignore the Export Private Key checkbox and passphrase fields.
Step 4
Step 5  Click OK and save the certificate/key file to your computer.

Configure a Certificate Profile

Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.

It is a best practice to enable Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) status verification for certificate profiles. For details on these methods, see Certificate Revocation.

Configure a Certificate Profile

Step 1  Obtain the certificate authority (CA) certificates you will assign.
  Perform one of the following steps to obtain the CA certificates you will assign to the profile. You must assign at least one.
  Generate a Certificate.
  Export a certificate from your enterprise CA and then import it onto the firewall (see Step 3).

Step 2  Identify the certificate profile.
  1.
  2. Enter a Name to identify the profile. The name is case-sensitive, must be unique and can use up to 31 characters that include only letters, numbers, spaces, hyphens, and underscores.
  3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the profile.

Step 3  Assign one or more certificates.
  Perform the following steps for each CA certificate:
  1. In the CA Certificates table, click Add.
  2. Select a CA Certificate. Alternatively, to import a certificate, click Import, enter a Certificate Name, Browse to the Certificate File you exported from your enterprise CA, and click OK.
  3. (Optional) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
     By default, the firewall uses the OCSP responder URL that you set in the procedure Configure an OCSP Responder. To override that setting, enter a Default OCSP URL (starting with http:// or https://).
     By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
  4. Click OK. The CA Certificates table displays the assigned certificate.

Step 4  Define the methods for verifying certificate revocation status and the associated blocking behavior.
  1.
  2. Depending on the verification method, enter the CRL Receive Timeout and/or OCSP Receive Timeout. These are the intervals (1-60 seconds) after which the firewall stops waiting for a response from the CRL/OCSP service.
  3.
  4. If you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select the Block session if certificate status is unknown checkbox. Otherwise, the firewall proceeds with the session.
  5. If you want the firewall to block sessions after it registers an OCSP or CRL request timeout, select the Block session if certificate status cannot be retrieved within timeout checkbox. Otherwise, the firewall proceeds with the session.

Step 5  Save and apply your entries.
  Click OK and Commit.

Configure an SSL/TLS Service Profile

Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama negotiates a supported version with the client (a client that supports only versions below the Min Version cannot connect).

In the client systems that request firewall services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting firewall services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.

Configure an SSL/TLS Service Profile

Step 1  For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
  Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
Step 2
Step 3  If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
Step 4  Click Add and enter a Name to identify the profile.
Step 5  Select the Certificate you just obtained.
Step 6  Define the range of protocols that the service can use:
  For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
  For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest available version). The default is Max.
Step 7  Click OK and Commit.

ReplacetheCertificateforInboundManagementTraffic
CertificateManagement
ReplacetheCertificateforInboundManagementTraffic
WhenyoufirstbootupthefirewallorPanorama,itautomaticallygeneratesadefaultcertificatethatenables
HTTPSaccesstothewebinterfaceandXMLAPIoverthemanagement(MGT)interfaceand(onthefirewall
only)overanyotherinterfacethatsupportsHTTPSmanagementtraffic(fordetails,seeUseInterface
ManagementProfilestoRestrictAccess).Toimprovethesecurityofinboundmanagementtraffic,replace
thedefaultcertificatewithanewcertificateissuedspecificallyforyourorganization.
Youcannotview,modify,ordeletethedefaultcertificate.
Securingmanagementtrafficalsoinvolvesconfiguringhowadministratorsauthenticatetothefirewallorto
Panorama.
Replace the Certificate for Inbound Management Traffic
Step 1
Obtain the certificate that will authenticate the firewall or Panorama to the client systems of administrators.
You can simplify your Certificate Deployment by using a certificate that the client systems already trust. Therefore, we recommend that you Import a Certificate and Private Key from your enterprise certificate authority (CA) or Obtain a Certificate from an External CA; the trusted root certificate store of the client systems is likely to already have the associated root CA certificate that ensures trust.
If you Generate a Certificate on the firewall or Panorama, administrators will see a certificate error because the root CA certificate is not in the trusted root certificate store of client systems. To prevent this, deploy the self-signed root CA certificate to all client systems.
Regardless of how you obtain the certificate, we recommend a Digest algorithm of sha256 or higher for enhanced security.
Step 2
Configure an SSL/TLS Service Profile. Select the Certificate you just obtained.
For enhanced security, we recommend that you set the Min Version (earliest allowed TLS version) to TLSv1.1 for inbound management traffic. We also recommend that you use a different SSL/TLS Service Profile for each firewall or Panorama service instead of reusing this profile for all services.
Step 3
Apply the SSL/TLS Service Profile to inbound management traffic.
1.
2.
3. Click OK and Commit.
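After the profile is applied and committed, an administrator will want to confirm from a workstation that the management endpoint really refuses every TLS version below the configured Min Version. The following script is an added example, not code from the PAN-OS guide; the management host name is a placeholder you replace with your own.

```python
"""Check that an inbound management endpoint really refuses old TLS versions.

Added example, not from the PAN-OS guide: after you apply an SSL/TLS Service
Profile with Min Version = TLSv1.1 (Step 2 above), run this from an admin
workstation to confirm that handshakes pinned to each version below the
minimum are rejected. The host name below is a placeholder for your
firewall's or Panorama's management address.
"""
import socket
import ssl

# Min/Max Version choices exactly as the SSL/TLS Service Profile names them.
PROFILE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "Max": ssl.TLSVersion.MAXIMUM_SUPPORTED,
}
# The explicit versions, oldest first; "Max" is never a probe target.
ORDERED_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]


def versions_below(min_version: str) -> list:
    """Profile version names that a profile with this Min Version must reject."""
    if min_version not in ORDERED_VERSIONS:
        raise ValueError(f"not a valid Min Version: {min_version!r}")
    return ORDERED_VERSIONS[: ORDERED_VERSIONS.index(min_version)]


def pinned_context(version: str) -> ssl.SSLContext:
    """Client context that negotiates exactly one TLS version and nothing else."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = PROFILE_VERSIONS[version]
    ctx.maximum_version = PROFILE_VERSIONS[version]
    # Chain validation is a separate check (Step 1 above); here only the
    # negotiated protocol version matters, so a self-signed certificate
    # must not mask the result.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def handshake_succeeds(host: str, port: int, version: str, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake pinned to `version`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        # Refused, reset, timed out or protocol rejected: all count as "not accepted".
        return False


def audit_min_version(host: str, port: int, min_version: str) -> dict:
    """Probe every version below the configured minimum.

    Returns {version: accepted}; any True value means the profile is not in
    effect on this endpoint (wrong profile applied, or change not committed).
    """
    return {v: handshake_succeeds(host, port, v) for v in versions_below(min_version)}


if __name__ == "__main__":
    MGMT_HOST = "firewall-mgmt.example.invalid"  # placeholder, not a real host
    for version, accepted in audit_min_version(MGMT_HOST, 443, "TLSv1.1").items():
        print(f"{version}: {'ACCEPTED - profile not in effect' if accepted else 'rejected'}")
```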
Configure the Key Size for SSL Forward Proxy Server Certificates
When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall generates certificates with the same key size as the certificate that the destination server presented. However, you can change the key size for the firewall-generated certificate as follows:
Configure the Key Size for SSL Forward Proxy Server Certificates
Step 1
Step 2
Select a Key Size:
- Defined by destination host: The firewall determines the key size for the certificates it generates to establish SSL proxy sessions with clients based on the key size of the destination server certificate. If the destination server uses a 1,024-bit RSA key, the firewall generates a certificate with that key size and an SHA1 hashing algorithm. If the destination server uses a key size larger than 1,024 bits (for example, 2,048 bits or 4,096 bits), the firewall generates a certificate that uses a 2,048-bit RSA key and SHA256 algorithm. This is the default setting.
- 1024-bit RSA: The firewall generates certificates that use a 1,024-bit RSA key and SHA1 hashing algorithm regardless of the key size of the destination server certificates. As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2,048 bits. In the future, depending on security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.
- 2048-bit RSA: The firewall generates certificates that use a 2,048-bit RSA key and SHA256 hashing algorithm regardless of the key size of the destination server certificates. Public CAs and popular browsers support 2,048-bit keys, which provide better security than the 1,024-bit keys.
Changing the key size setting clears the current certificate cache.
Step 3
Click OK and Commit.
Revoke and Renew Certificates
- Revoke a Certificate
- Renew a Certificate
Revoke a Certificate
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority (CA) that issued the certificate must revoke it. The following task describes how to revoke a certificate for which the firewall is the CA.
Revoke a Certificate
Step 1
Step 2
If the firewall supports multiple virtual systems, the tab displays a Location drop-down. Select the virtual system to which the certificate belongs.
Step 3
Select the certificate to revoke.
Step 4
Click Revoke. PAN-OS immediately sets the status of the certificate to revoked and adds the serial number to the Online Certificate Status Protocol (OCSP) responder cache or certificate revocation list (CRL). You need not perform a commit.
Renew a Certificate
If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status (see Configure an OCSP Responder). If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.
Renew a Certificate
Step 1
Step 2
If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3
Select a certificate to renew and click Renew.
Step 4
Step 5
Click OK and Commit.
Secure Keys with a Hardware Security Module
A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. It provides both logical and physical protection of these materials from non-authorized use and potential adversaries.
HSM clients integrated with Palo Alto Networks firewalls or Panorama enable enhanced security for the private keys used in SSL/TLS decryption (both SSL forward proxy and SSL inbound inspection). In addition, you can use the HSM to encrypt master keys.
The following topics describe how to integrate an HSM with your firewall or Panorama:
- Set up Connectivity with an HSM
- Encrypt a Master Key Using an HSM
- Store Private Keys on an HSM
- Manage the HSM Deployment
The following HSM client versions are supported:
- SafeNet Network 5.2.1 or later
- Thales nShield Connect 11.62 or later
The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.
The IP address on the HSM client firewall must be a static IP address, not a dynamic address assigned by DHCP. HSM authenticates the firewall using the IP address before the HSM connection comes up. Operations on HSM would stop working if the IP address were to change during runtime.
The following topics describe how to set up connectivity to one of the supported HSMs:
- Set Up Connectivity with a SafeNet Network HSM
- Set Up Connectivity with a Thales nShield Connect HSM
Set Up Connectivity with a SafeNet Network HSM
To set up connectivity between the Palo Alto Networks firewall and a SafeNet Network HSM, you must specify the address of the HSM server and the password for connecting to it in the firewall configuration. In addition, you must register the firewall with the HSM server. Before starting the configuration, make sure you have created a partition for the Palo Alto Networks firewalls on the HSM server.
HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
In Active/Passive HA deployments, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After this manual failover has been performed, user interaction is not required for the failover function.
Set up Connectivity with a SafeNet Network HSM
Step 1
Configure the firewall to communicate with the SafeNet Network HSM.
1.
2. Edit the Hardware Security Module Provider section and select Safenet Luna SA (SafeNet Network) as the Provider Configured.
3. Click Add and enter a Module Name. This can be any ASCII string up to 31 characters in length.
4.
5. (Optional) If configuring a high availability HSM configuration, select the High Availability check box and add the following: a value for Auto Recovery Retry and a High Availability Group Name.
If two HSM servers are configured, you should configure high availability. Otherwise the second HSM server is not used.
6. Click OK and Commit.
Step 2
(Optional) Configure a service route to enable the firewall to connect to the HSM.
By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
1.
2.
3. Select Customize from the Service Route Configuration area.
4. Select the IPv4 tab.
5. Select HSM from the Service column.
6. Select an interface to use for HSM from the Source Interface drop-down.
If you select a dataplane-connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
7. Click OK and Commit.
Step 3
Configure the firewall to authenticate to the HSM.
1.
2.
3. Select the HSM Server Name from the drop-down.
4.
5. Click OK.
The firewall attempts to perform an authentication with the HSM and displays a status message.
6. Click OK.
Step 4
Register the firewall (the HSM client) with the HSM and assign it to a partition on the HSM.
If the HSM already has a firewall with the same <cl-name> registered, you must remove the duplicate registration using the following command before registration will succeed:
client delete -client <cl-name>
where <cl-name> is the name of the client (firewall) registration you want to delete.
1. Log in to the HSM from a remote system.
2. Register the firewall using the following command:
client register -c <cl-name> -ip <fw-ip-addr>
where <cl-name> is a name that you assign to the firewall for use on the HSM and <fw-ip-addr> is the IP address of the firewall that is being configured as an HSM client. It must be a static IP address, not an address assigned by DHCP.
3. Assign a partition to the firewall using the following command:
client assignpartition -c <cl-name> -p <partition-name>
where <cl-name> is the name assigned to the firewall in the client register command and <partition-name> is the name of a previously configured partition that you want to assign to the firewall.
Step 5
Configure the firewall to connect to the HSM partition.
1.
2.
3.
4.
5. Click OK.
Step 6
(Optional) Configure an additional HSM for high availability (HA).
1.
2.
If you remove an HSM from your configuration, repeat Step 5. This will remove the deleted HSM from the HA group.
Step 7
Verify connectivity with the HSM.
1.
2. Check the Status of the HSM connection:
- Green: HSM is authenticated and connected.
- Red: HSM was not authenticated or network connectivity to the HSM is down.
3. View the following columns in the Hardware Security Module Status area to determine authentication status:
- Serial Number: The serial number of the HSM partition if the HSM was successfully authenticated.
- Partition: The partition name on the HSM that was assigned on the firewall.
- Module State: The current operating state of the HSM. It always has the value Authenticated if the HSM is displayed in this table.
Set Up Connectivity with a Thales nShield Connect HSM
The following workflow describes how to configure the firewall to communicate with a Thales nShield Connect HSM. This configuration requires that you set up a remote file system (RFS) to use as a hub to sync key data for all firewalls in your organization that are using the HSM.
HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
If the firewall is in an active/passive high availability configuration, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After you perform this initial manual failover, no further user interaction is required for failover function.
Set up Connectivity with a Thales nShield Connect HSM
Step 1
Configure the Thales nShield Connect server as the firewall's HSM provider.
1.
2.
3.
4. Enter the IPv4 address as the Server Address of the HSM module.
If you are configuring a high availability HSM configuration, enter module names and IP addresses for the additional HSM devices.
5.
6. Click OK and Commit.
Step 2
(Optional) Configure a service route to enable the firewall to connect to the HSM.
By default, the firewall uses the Management Interface to communicate with the HSM. To use a different interface, you must configure a service route.
1.
2.
3. Select Customize from the Service Route Configuration area.
4. Select the IPv4 tab.
5. Select HSM from the Service column.
6. Select an interface to use for HSM from the Source Interface drop-down.
If you select a dataplane-connected port for HSM, issuing the clear session all CLI command will clear all existing HSM sessions, causing all HSM states to be brought down and then up. During the several seconds required for HSM to recover, all SSL/TLS operations will fail.
7. Click OK and Commit.
Step 3
Register the firewall (the HSM client) with the HSM server.
This step briefly describes the procedure for using the front panel interface of the Thales nShield Connect HSM. For more details, consult the Thales documentation.
1. Log in to the front panel display of the Thales nShield Connect HSM unit.
2. On the unit front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.
3. Enter the IP address of the firewall. It must be a static IP address, not an address assigned by DHCP.
4. Select System > System configuration > Client config > Remote file system and enter the IP address of the client computer where you set up the remote file system.
Step 4
Set up the remote file system to accept connections from the firewall.
1. Log in to the remote file system (RFS) from a Linux client.
2. Obtain the electronic serial number (ESN) and the hash of the KNETI key. The KNETI key authenticates the module to clients:
anonkneti <ip-address>
where <ip-address> is the IP address of the HSM.
The following is an example:
anonkneti 192.0.2.1
B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
In this example, B1E2-2D4C-E6A2 is the ESN and 5a2e5107e70d525615a903f6391ad72b1c03352c is the hash of the KNETI key.
3. Use the following command from a superuser account to perform the remote file system setup:
rfs-setup --force <ip-address> <ESN> <hash-Kneti-key>
where <ip-address> is the IP address of the HSM, <ESN> is the electronic serial number (ESN) and <hash-Kneti-key> is the hash of the KNETI key.
The following example uses the values obtained in this procedure (substitute the values themselves; the angle brackets are placeholder markers and would be interpreted by the shell as redirections):
rfs-setup --force 192.0.2.1 B1E2-2D4C-E6A2 5a2e5107e70d525615a903f6391ad72b1c03352c
4. Use the following command to permit client submit on the Remote Filesystem:
rfs-setup --gang-client --write-noauth <FW-IPaddress>
where <FW-IPaddress> is the IP address of the firewall.
Step 5
Configure the firewall to authenticate to the HSM.
1.
2.
3. Click OK.
The firewall attempts to perform an authentication with the HSM and displays a status message.
4. Click OK.
Step 6
Synchronize the firewall with the remote file system.
1.
2.
Step 7
Verify that the firewall can connect to the HSM.
1.
2. Check the Status indicator to verify that the firewall is connected to the HSM:
- Green: HSM is authenticated and connected.
- Red: HSM was not authenticated or network connectivity to the HSM is down.
3. View the following columns in the Hardware Security Module Status section to determine authentication status.
- Name: The name of the HSM attempting to be authenticated.
- IP address: The IP address of the HSM that was assigned on the firewall.
- Module State: The current operating state of the HSM: Authenticated or Not Authenticated.
The following topics describe how to encrypt the master key initially and how to refresh the master key encryption:
- Encrypt the Master Key
- Refresh the Master Key Encryption
Encrypt the Master Key
If you have not previously encrypted the master key on a firewall, use the following procedure to encrypt it. Use this procedure for first-time encryption of a key, or if you define a new master key and you want to encrypt it. If you want to refresh the encryption on a previously encrypted key, see Refresh the Master Key Encryption.
Encrypt a Master Key Using an HSM
Step 1
Step 2
Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the Master Key field.
Step 3
If changing the master key, enter the new master key and confirm.
Step 4
Select the HSM check box.
- Life Time: The number of days and hours after which the master key expires (range 1-730 days).
- Time for Reminder: The number of days and hours before expiration when the user is notified of the impending expiration (range 1-365 days).
Step 5
Click OK.
Refresh the Master Key Encryption
As a best practice, periodically refresh the master key encryption by rotating the wrapping key that encrypts it. The frequency of the rotation depends on your application. The wrapping key resides on your HSM. The following command is the same for SafeNet Network and Thales nShield Connect HSMs.
Refresh the Master Key Encryption
Step 1
Use the following CLI command to rotate the wrapping key for the master key on an HSM:
> request hsm mkey-wrapping-key-rotation
If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and encrypt the master key with the new wrapping key.
If the master key is not encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM for future use.
The old wrapping key is not deleted by this command.
Store Private Keys on an HSM
- SSL Forward Proxy: The HSM can store the private key of the Forward Trust certificate that signs certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding the certificates to the client.
- SSL Inbound Inspection: The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.
Store Private Keys on an HSM
Step 1
On the HSM, import or generate the certificate and private key used in your decryption deployment.
For instructions on importing or generating a certificate and private key on the HSM, refer to your HSM documentation.
Step 2
(Thales nShield Connect only) Synchronize the key data from the Thales nShield remote file system to the firewall.
Synchronization with the SafeNet Network HSM is automatic.
1.
2.
Step 3
Import the certificate that corresponds to the HSM-stored key onto the firewall.
1.
2.
3. Browse to the Certificate File on the HSM.
4. Select a File Format.
5.
6. Click OK and Commit.
Step 4
(Forward Trust certificates only) Enable the certificate for use in SSL/TLS Forward Proxy.
1. Open the certificate you imported in Step 3 for editing.
2. Select Forward Trust Certificate.
3. Click OK and Commit.
Step 5
Verify that you successfully imported the certificate onto the firewall.
Locate the certificate you imported in Step 3 and check the icon in the Key column:
- Lock icon: The private key for the certificate is on the HSM.
- Error icon: The private key is not on the HSM or the HSM is not properly authenticated or connected.
Manage the HSM Deployment
- Display detailed HSM information.
- Export Support file.
- Reset HSM configuration.
High Availability
High availability (HA) is a deployment in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up two firewalls in an HA pair provides redundancy and allows you to ensure business continuity.
Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session and configuration synchronization with a few exceptions:
- The PA-200 firewall supports HA Lite only.
- The VM-Series firewall in AWS supports active/passive HA only; if it is deployed with Amazon Elastic Load Balancing (ELB), it does not support HA (in this case ELB provides the failover capabilities).
- The VM-Series firewall in Microsoft Azure does not support HA.
The following topics provide more information about high availability and how to configure it in your environment.
- HA Overview
- HA Concepts
- Set Up Active/Passive HA
- Set Up Active/Active HA
- HA Firewall States
- Reference: HA Synchronization
HA Overview
You can set up two Palo Alto Networks firewalls as an HA pair. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that the peer firewall fails. The firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data (network, object, and policy configurations) and to maintain state information. Firewall-specific configuration such as management interface IP address or administrator profiles, HA-specific configuration, log data, and the Application Command Center (ACC) information is not shared between peers. For a consolidated application and log view across the HA pair, you must use Panorama, the Palo Alto Networks centralized management system.
When a failure occurs on a firewall in an HA pair and the peer firewall takes over the task of securing traffic, the event is called a Failover. The conditions that trigger a failover are:
- One or more of the monitored interfaces fail. (Link Monitoring)
- One or more of the destinations specified on the firewall cannot be reached. (Path Monitoring)
- The firewall does not respond to heartbeat polls. (Heartbeat Polling and Hello messages)
- A critical chip or software component fails, known as packet path health monitoring.
You can use Panorama to manage HA firewalls. See Context Switch Firewall or Panorama in the Panorama Administrator's Guide.
After you understand the HA Concepts, proceed to Set Up Active/Passive HA or Set Up Active/Active HA.
HA Concepts
The following topics provide conceptual information about how HA works on a Palo Alto Networks firewall:
- HA Modes
- HA Links and Backup Links
- Device Priority and Preemption
- Failover
- LACP and LLDP Pre-Negotiation for Active/Passive HA
- Floating IP Address and Virtual MAC Address
- ARP Load-Sharing
- Route-Based Redundancy
- HA Timers
- Session Owner
- Session Setup
- NAT in Active/Active HA Mode
- ECMP in Active/Active HA Mode
HA Modes
You can set up the firewalls for HA in one of two modes:
- Active/Passive: One firewall actively manages traffic while the other is synchronized and ready to transition to the active state, should a failure occur. In this mode, both firewalls share the same configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs. When the active firewall fails, the passive firewall transitions to the active state and takes over seamlessly and enforces the same policies to maintain network security. Active/passive HA is supported in the virtual wire, Layer 2, and Layer 3 deployments.
The PA-200 firewall supports HA Lite only. HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPSec security associations. It does not support any session synchronization (HA2), and therefore does not offer stateful failover.
- Active/Active: Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each other. Active/active HA is supported in virtual wire and Layer 3 deployments.
In active/active HA mode, the firewall does not support DHCP client. Furthermore, only the active-primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast packets, it drops them.
An active/active configuration does not load-balance traffic. Although you can load share by sending traffic to the peer, no load balancing occurs. Ways to load share sessions to both firewalls include using ECMP, multiple ISPs, and load balancers.
When deciding whether to use active/passive or active/active mode, consider the following differences:
- Active/passive mode has simplicity of design; it is significantly easier to troubleshoot routing and traffic flow issues in active/passive mode. Active/passive mode supports a Layer 2 deployment; active/active mode does not.
- Active/active mode requires advanced design concepts that can result in more complex networks. Depending on how you implement active/active HA, it might require additional configuration such as activating networking protocols on both firewalls, replicating NAT pools, and deploying floating IP addresses to provide proper failover. Because both firewalls are actively processing traffic, the firewalls use additional concepts of session owner and session setup to perform Layer 7 content inspection. Active/active mode is recommended if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic.
In active/active mode, the HA pair can be used to temporarily process more traffic than what one firewall can normally handle. However, this should not be the norm because a failure of one firewall causes all traffic to be redirected to the remaining firewall in the HA pair.
Your design must allow the remaining firewall to process the maximum capacity of your traffic loads with content inspection enabled. If the design oversubscribes the capacity of the remaining firewall, high latency and/or application failure can occur.
For information on setting up your firewalls in active/passive mode, see Set Up Active/Passive HA. For information on setting up your firewalls in active/active mode, see Set Up Active/Active HA.
HA Links and Backup Links
Control Link
  Description: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, and User-ID information. The firewalls also use this link to synchronize configuration changes with its peer. The HA1 link is a Layer 3 link and requires an IP address.
  Ports used for HA1: TCP port 28769 and 28260 for clear text communication; port 28 for encrypted communication (SSH over TCP).
Data Link
  Description: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active or active-primary firewall to the passive or active-secondary firewall. The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
  Ports used for HA2: The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
Backup Links
  Description: Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. Consider the following guidelines when configuring backup HA links:
  - The IP addresses of the primary and backup HA links must not overlap each other.
  - HA backup links must be on a different subnet from the primary HA links.
  - HA1 backup and HA2 backup ports must be configured on separate physical ports. The HA1 backup link uses port 28770 and 28260.
  - Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links.
Packet-Forwarding Link
  Description: In addition to HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing or encryption. PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one. On PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls, you can configure aggregate interfaces as an HA3 link. The aggregate interfaces can also provide redundancy for the HA3 link; you cannot configure backup links for the HA3 link. On PA-7000 Series firewalls, the dedicated HSCI ports support the HA3 link. The firewall adds a proprietary packet header to packets traversing the HA3 link, so the MTU over this link must be greater than the maximum packet length forwarded.
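The port, protocol and ethertype values in the table above are what a defender needs when writing an ACL between HA peers or reviewing flow records from the HA links. The following classifier is an added example, not part of the PAN-OS guide; the flow records it runs over are constructed samples, and the interface names in them are placeholders.

```python
"""Classify flows seen between HA peers against the HA link table above.

Added example, not part of the PAN-OS guide: checks each flow record against
the documented HA1/HA2/heartbeat transports so that anything else crossing
the HA links stands out. The constants are the values listed in the table;
the flow records are constructed samples, not captured logs. HA3 carries
MAC-in-MAC frames with no Layer 3 addressing, so it cannot be matched here.
"""
from typing import Optional

HA1_PORT = 28769             # HA1 clear text (TCP)
HA1_BACKUP_PORT = 28770      # HA1 backup (TCP)
HA1_SHARED_PORT = 28260      # TCP port used by both HA1 and HA1 backup
HA1_ENCRYPTED_PORT = 28      # SSH over TCP when HA1 encryption is enabled
HEARTBEAT_BACKUP_PORT = 28771  # heartbeat backup on the MGT interface (table gives only the port)
HA2_IP_PROTOCOL = 99         # HA2 carried directly over IP
HA2_UDP_PORT = 29281         # HA2 carried over UDP (lets the data link span subnets)
HA2_ETHERTYPE = 0x7261       # HA2 as a Layer 2 link (default ethertype)


def classify_flow(flow: dict) -> Optional[str]:
    """Return the HA link a flow record belongs to, or None for non-HA traffic.

    A flow is a dict with any of: 'ethertype' (int), 'ip_proto' (int),
    'proto' ('tcp' or 'udp'), 'dst_port' (int), 'ingress_if' (str).
    """
    if flow.get("ethertype") == HA2_ETHERTYPE:
        return "HA2 (Layer 2, ethertype 0x7261)"
    if flow.get("ip_proto") == HA2_IP_PROTOCOL:
        return "HA2 (IP protocol 99)"
    proto, port = flow.get("proto"), flow.get("dst_port")
    if proto == "udp" and port == HA2_UDP_PORT:
        return "HA2 (UDP 29281)"
    if proto == "tcp":
        if port == HA1_PORT:
            return "HA1"
        if port == HA1_BACKUP_PORT:
            return "HA1 backup"
        if port == HA1_SHARED_PORT:
            return "HA1 or HA1 backup (TCP 28260)"
        if port == HA1_ENCRYPTED_PORT:
            return "HA1 encrypted (SSH)"
    if port == HEARTBEAT_BACKUP_PORT:
        # The guide places heartbeat backup on the MGT interface; seeing it on
        # any other interface is worth a look, so the interface is reported.
        return f"heartbeat backup (seen on {flow.get('ingress_if', 'unknown')}, expected MGT)"
    return None


def unexpected_flows(flows: list) -> list:
    """Flows on the HA links that the table does not account for."""
    return [f for f in flows if classify_flow(f) is None]


# Constructed sample flow records (not real logs); interface names are placeholders.
SAMPLE_FLOWS = [
    {"proto": "tcp", "dst_port": 28769, "ingress_if": "ethernet1/1"},
    {"proto": "tcp", "dst_port": 28260, "ingress_if": "ethernet1/1"},
    {"proto": "udp", "dst_port": 29281, "ingress_if": "ethernet1/2"},
    {"ethertype": 0x7261, "ingress_if": "ethernet1/2"},
    {"ip_proto": 99, "ingress_if": "ethernet1/2"},
    {"proto": "tcp", "dst_port": 22, "ingress_if": "ethernet1/1"},   # not an HA transport
    {"proto": "udp", "dst_port": 28771, "ingress_if": "mgt"},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", classify_flow(flow) or "UNEXPECTED")
```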
HA Ports on the PA-7000 Series Firewall
HA connectivity on the PA-7000 Series mandates the use of specific ports on the Switch Management Card (SMC) for certain functions; for other functions, you can use the ports on the Network Processing Card (NPC). PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.
The following table describes the SMC ports that are designed for HA connectivity:
Control Link
  Ports on the SMC: HA1-A (Speed: Ethernet 10/100/1000)
  Description: Used for HA control and synchronization in both HA Modes. Connect this port directly from the HA1-A port on the first firewall to the HA1-A on the second firewall in the pair, or connect them together through a switch or router. HA1 cannot be configured on NPC data ports or the MGT port.
Control Link Backup
  Ports on the SMC: HA1-B (Speed: Ethernet 10/100/1000 port)
  Description: Used for HA control and synchronization as a backup for HA1-A in both HA Modes. Connect this port directly from the HA1-B port on the first firewall to the HA1-B on the second firewall in the pair, or connect them together through a switch or router. HA1 Backup cannot be configured on NPC data ports or the MGT port.
Data Link and Data Link Backup
  Ports on the SMC: HSCI-A (Data Link) and HSCI-B (Data Link Backup)
  Description: The High Speed Chassis Interconnect (HSCI) ports are layer 1 Quad Port SFP+ (QSFP+) interfaces which are used to connect two PA-7000 Series firewalls in an HA configuration. Each port is comprised of four 10-gigabit channels multiplexed for a combined speed of 40 gigabits.
  The traffic carried on the HSCI ports is raw layer 1, which is not routable or switchable; therefore the HSCI ports must be connected directly to each other. The HSCI-A on the first chassis connects directly to HSCI-A on the second chassis and HSCI-B on the first chassis connects to HSCI-B on the second chassis. This will provide full 80-gigabit transfer rates. In software, both ports (HSCI-A and HSCI-B) are treated as one HA interface.
  Palo Alto Networks recommends using the dedicated HSCI ports for the HA2 link. The HA3 link, required for packet forwarding in an active/active deployment, must use the HSCI port; the HA3 traffic cannot be configured on data ports.
  If the firewalls are deployed in:
  - an active/active configuration, the HA3 link may use only the HSCI ports. The HA2 link and HA2 backup links can use the HSCI ports or data ports on the NPC.
  - an active/passive configuration, you can configure a data port on the NPC for the HA2 link or the HA2 backup link, if needed.
Failover
When a failure occurs on one firewall and the peer takes over the task of securing traffic, the event is called a failover. A failover is triggered, for example, when a monitored metric on a firewall in the HA pair fails. The metrics that are monitored for detecting a firewall failure are:
- Heartbeat Polling and Hello messages: The firewalls use hello messages and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. For details on the HA timers that trigger a failover, see HA Timers.
- Link Monitoring: The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is monitored. A link group can contain one or more physical interfaces. A firewall failure is triggered when any or all of the interfaces in the group fail. The default behavior is that failure of any one link in the link group will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
- Path Monitoring: Monitors the full path through the network to mission-critical IP addresses. ICMP pings are used to verify reachability of the IP address. The default interval for pings is 200 ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail, and a firewall failure is triggered when any or all of the IP addresses monitored become unreachable. The default behavior is that any one of the IP addresses becoming unreachable will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
In addition to the failover triggers listed above, a failover also occurs when the administrator suspends the firewall or when preemption occurs.
On the PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls, a failover can occur when an internal health check fails. This health check is not configurable and is enabled to monitor the critical components, such as the FPGA and CPUs. Additionally, general health checks occur on any platform causing failover.
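The link-monitoring and path-monitoring rules above (200 ms ping interval, 10 consecutive failed pings, the any/all failure condition, and the non-functional versus tentative target state) are easier to reason about when modelled. The following simulation is an added example, not code from the PAN-OS guide; the ping results and interface names it uses are constructed sample data.

```python
"""Simulate PAN-OS HA path and link monitoring failure conditions.

Added example, not from the PAN-OS guide: models the rules in the Failover
section (default 200 ms ping interval, 10 consecutive failed pings make an
address unreachable, a group fails on 'any' or 'all' of its members, and
the firewall then goes non-functional, or tentative in active/active mode)
so a monitoring design can be sanity-checked before it is deployed.
The ping rounds and interface names below are constructed, not captured.
"""
from dataclasses import dataclass, field

PING_INTERVAL_MS = 200    # default path-monitoring ping interval
FAILURE_THRESHOLD = 10    # default consecutive failed pings before "unreachable"


@dataclass
class PathTarget:
    """One monitored IP address with its consecutive-failure counter."""
    ip: str
    consecutive_failures: int = 0

    def record(self, ping_ok: bool) -> None:
        # A single successful reply resets the run of failures.
        self.consecutive_failures = 0 if ping_ok else self.consecutive_failures + 1

    @property
    def unreachable(self) -> bool:
        return self.consecutive_failures >= FAILURE_THRESHOLD


@dataclass
class MonitorGroup:
    """A link group or path group and its failure condition ('any' or 'all')."""
    name: str
    failure_condition: str = "any"            # PAN-OS default
    members: dict = field(default_factory=dict)  # member name -> failed (bool)

    def failed(self) -> bool:
        states = list(self.members.values())
        if not states:
            return False
        if self.failure_condition == "any":
            return any(states)
        if self.failure_condition == "all":
            return all(states)
        raise ValueError(f"unknown failure condition {self.failure_condition!r}")


def ha_state_after(groups, mode: str = "active/passive") -> str:
    """HA state the firewall moves to once any monitored group has failed."""
    if any(g.failed() for g in groups):
        return "tentative" if mode == "active/active" else "non-functional"
    return "active"


def time_to_unreachable_ms() -> int:
    """Minimum time before a dead path target is declared unreachable (defaults)."""
    return PING_INTERVAL_MS * FAILURE_THRESHOLD


def run_path_monitor(group: MonitorGroup, targets, ping_log, mode="active/passive") -> list:
    """Feed successive ping rounds and return the HA state after each round.

    ping_log is a list of dicts {ip: True/False}, one dict per ping round.
    """
    states = []
    for round_results in ping_log:
        for target in targets:
            target.record(round_results[target.ip])
            group.members[target.ip] = target.unreachable
        states.append(ha_state_after([group], mode))
    return states


if __name__ == "__main__":
    # Constructed scenario: 192.0.2.1 stops answering, 192.0.2.2 stays up.
    rounds = [{"192.0.2.1": False, "192.0.2.2": True}] * FAILURE_THRESHOLD
    for condition in ("any", "all"):
        targets = [PathTarget("192.0.2.1"), PathTarget("192.0.2.2")]
        states = run_path_monitor(MonitorGroup("dmz-paths", condition), targets, rounds)
        print(f"failure condition {condition}: final state {states[-1]} "
              f"after {time_to_unreachable_ms()} ms")
```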
- Active: The firewall has LACP or LLDP configured on the interface and actively participates in LACP or LLDP pre-negotiation, respectively.
- Passive: LACP or LLDP is not configured on the interface and the firewall does not participate in the protocol, but allows the peers on either side of the firewall to pre-negotiate LACP or LLDP, respectively.
Pre-negotiation is not supported on subinterfaces or tunnel interfaces.
To configure LACP or LLDP pre-negotiation, see Step 14 of Configure Active/Passive HA.
Each firewall in the HA pair creates a virtual MAC address for each of its interfaces that has a floating IP address or ARP Load-Sharing IP address.
The format of the virtual MAC address (on firewalls other than PA-7000 Series firewalls) is 00-1B-17-00-xx-yy, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), 00 is fixed, xx indicates the Device ID and Group ID as shown in the following figure, and yy is the Interface ID:
The format of the virtual MAC address on PA-7000 Series firewalls is 00-1B-17-xx-xx-xx, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), and the next 24 bits indicate the Device ID, Group ID and Interface ID as follows:
When a new active firewall takes over, it sends gratuitous ARPs from each of its connected interfaces to inform the connected Layer 2 switches of the new location of the virtual MAC address. To configure floating IP addresses, see Use Case: Configure Active/Active HA with Floating IP Addresses.
ARP Load-Sharing

In a Layer 3 interface deployment and active/active HA configuration, ARP load-sharing allows the firewalls to share an IP address and provide gateway services. Use ARP load-sharing only when no Layer 3 device exists between the firewall and end hosts, that is, when end hosts use the firewall as their default gateway.

In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm that controls which firewall will respond to the ARP request is configurable; it is determined by computing the hash or modulo of the source IP address of the ARP request.

After the end host receives the ARP response from the gateway, it caches the MAC address and all traffic from the host is routed via the firewall that responded with the virtual MAC address for the lifetime of the ARP cache. The lifetime of the ARP cache depends on the end host operating system.

If a link or firewall fails, the floating IP address and virtual MAC address move over to the functional firewall. The functional firewall sends gratuitous ARPs to update the MAC table of the connected switches to redirect traffic from the failed firewall to itself. See Use Case: Configure Active/Active HA with ARP Load-Sharing.

You can configure interfaces on the WAN side of the HA firewalls with floating IP addresses, and configure interfaces on the LAN side of the HA firewalls with a shared IP address for ARP load-sharing. For example, the figure below illustrates floating IP addresses for the upstream WAN edge routers and an ARP load-sharing address for the hosts on the LAN segment.
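The virtual MAC format and the gratuitous-ARP announcement described in the two passages above are what a switch-side or SOC observer can use to recognise an HA failover. The following added example (not part of the PAN-OS guide) decodes the 00-1B-17 vendor ID formats and flags a virtual MAC that appears on a new switch port; the observation records are constructed, the split of the xx octet into Device ID and Group ID is only given in the guide's figure and is therefore reported as a raw byte, and a PA-7000 address whose fourth octet happens to be 00 is assumed to follow the non-PA-7000 layout.

```python
"""Recognise Palo Alto Networks HA virtual MAC addresses and flag the switch-port
move that a new active firewall announces with gratuitous ARPs after a failover.

Added example, not PAN-OS code.  Assumptions: observation tuples are constructed;
the xx octet is reported raw because its Device ID / Group ID bit layout is only
shown in the guide's figure; a PA-7000 address with fourth octet 00 cannot be told
apart from the other format and is decoded as the non-PA-7000 layout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAN_VENDOR_ID = bytes.fromhex("001B17")  # vendor ID (OUI) of Palo Alto Networks


@dataclass(frozen=True)
class VirtualMac:
    pa7000_format: bool               # True: 00-1B-17-xx-xx-xx; False: 00-1B-17-00-xx-yy
    id_bits: int                      # low 24 bits (Device ID, Group ID, Interface ID)
    device_group_byte: Optional[int]  # xx (Device ID + Group ID), non-PA-7000 format only
    interface_id: Optional[int]       # yy (Interface ID), non-PA-7000 format only


def parse_mac(text: str) -> bytes:
    """Accept 00:1b:17:00:05:01, 00-1B-17-00-05-01 or 001b17000501."""
    digits = text.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def classify_virtual_mac(text: str) -> Optional[VirtualMac]:
    """Return the decoded HA-style address, or None if the vendor ID does not match.

    Physical PAN-OS interfaces share the vendor ID, so a match means
    'Palo Alto Networks address', not proof that a floating IP sits behind it.
    """
    mac = parse_mac(text)
    if mac[:3] != PAN_VENDOR_ID:
        return None
    id_bits = int.from_bytes(mac[3:], "big")
    if mac[3] == 0x00:
        # 00-1B-17-00-xx-yy: fixed 00, xx = Device ID + Group ID, yy = Interface ID
        return VirtualMac(False, id_bits, mac[4], mac[5])
    # PA-7000 Series: the whole 24 bits carry Device ID, Group ID and Interface ID
    return VirtualMac(True, id_bits, None, None)


@dataclass(frozen=True)
class VmacMove:
    when: int        # observation timestamp
    mac: str
    old_port: str
    new_port: str


def detect_vmac_moves(observations: List[Tuple[int, str, str]]) -> List[VmacMove]:
    """Scan (timestamp, switch_port, source_mac) observations, e.g. from a switch
    MAC table or captured gratuitous ARPs, and report each time a virtual MAC is
    seen on a different port than before.  A new active firewall sends gratuitous
    ARPs on every connected interface, so this is the event that marks a failover."""
    last_port: Dict[str, str] = {}
    moves: List[VmacMove] = []
    for when, port, mac in observations:
        if classify_virtual_mac(mac) is None:
            continue  # ordinary host MAC: a port move is normal roaming here
        mac = mac.lower()
        prev = last_port.get(mac)
        if prev is not None and prev != port:
            moves.append(VmacMove(when, mac, prev, port))
        last_port[mac] = port
    return moves


# Constructed observations: a vMAC (xx = 0x05, Interface ID 1) first learned on
# Gi1/0/1, then announced on Gi1/0/2 after the peer takes over.
SAMPLE_OBSERVATIONS = [
    (100, "Gi1/0/1", "00:1b:17:00:05:01"),
    (101, "Gi1/0/3", "00:50:56:aa:bb:cc"),   # VMware guest, not a PAN address
    (160, "Gi1/0/1", "00:1b:17:00:05:01"),
    (300, "Gi1/0/2", "00:1b:17:00:05:01"),   # gratuitous ARP from the new active peer
    (301, "Gi1/0/4", "00:50:56:aa:bb:cc"),   # host roamed; ignored
]

if __name__ == "__main__":
    for move in detect_vmac_moves(SAMPLE_OBSERVATIONS):
        print(f"t={move.when}: vMAC {move.mac} moved {move.old_port} -> {move.new_port}")
```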
Route-Based Redundancy

In a Layer 3 interface deployment and active/active HA configuration, the firewalls are connected to routers, not switches. The firewalls use dynamic routing protocols to determine the best path (asymmetric route) and to load share between the HA pair. In such a scenario, no floating IP addresses are necessary. If a link, monitored path, or firewall fails, or if Bidirectional Forwarding Detection (BFD) detects a link failure, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic to the functioning firewall. You configure each firewall interface with a unique IP address. The IP addresses remain local to the firewall where they are configured; they do not move between devices when a firewall fails. See Use Case: Configure Active/Active HA with Route-Based Redundancy.
HA Timers

High availability (HA) timers facilitate a firewall to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.

Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.

The following table describes each timer included in the profiles and the current preset values across the different hardware models; these values are for current reference only and can change in a subsequent release.
Preset values are given as Recommended/Aggressive. The table's platform columns are: PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3000 Series and Panorama M-Series; PA-2000 Series, PA-500, PA-200 and VM-Series; and Panorama Virtual Appliance. The values below are listed in the order in which they appear in the source table.

Timer: Preemption hold time
Description: Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.
Preset values: 1/1 | 1/1 | 1/1

Timer: Heartbeat interval
Description: Frequency at which the HA peers exchange heartbeat messages in the form of an ICMP (ping).
Preset values: 2000/1000 | 2000/1000 | 2000/500 | 2000/500

Timer: Monitor fail hold up time
Description: Interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices.
Preset values: 1000/1000 | 2000/1000 (only for VM-Series in AWS)

Timer: Additional master hold up time
Description: Time interval that is applied to the same event as Monitor Fail Hold Up Time (range 0-60000 ms, default 500 ms). The additional time interval is applied only to the active firewall in active/passive mode and to the active-primary firewall in active/active mode. This timer is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously.
Preset values: 500/500 | 500/500 | 7000/5000

Timer: Hello interval
Description: Interval in milliseconds between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The range is 8000-60000 ms with a default of 8000 ms for all platforms.
Preset values: 8000/8000 | 8000/8000 | 8000/8000

Timer: Maximum no. of flaps
Description: A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. This value indicates the maximum number of flaps that are permitted before the firewall is determined to be suspended and the passive firewall takes over (range 0-16; default 3).
Preset values: 3/3 | 3/3 | Not Applicable

Preset values whose timer name is not present in the source table: 0/0 | 0/0 | 0/0
Session Owner

In an HA active/active configuration, both firewalls are active simultaneously, which means packets can be distributed between them. Such distribution requires the firewalls to fulfill two functions: session ownership and session setup. Typically, each firewall of the pair performs one of these functions, thereby avoiding race conditions that can occur in asymmetrically routed environments.

You configure the session owner of sessions to be either the firewall that receives the First Packet of a new session from the end host or the firewall that is in active-primary state (the Primary device). If Primary device is configured, but the firewall that receives the first packet is not in active-primary state, the firewall forwards the packet to the peer firewall (the session owner) over the HA3 link.

The session owner performs all Layer 7 processing, such as App-ID, Content-ID, and threat scanning for the session. The session owner also generates all traffic logs for the session.

If the session owner fails, the peer firewall becomes the session owner. The existing sessions fail over to the functioning firewall and no Layer 7 processing is available for those sessions. When a firewall recovers from a failure, by default, all sessions it owned before the failure revert back to that original firewall; Layer 7 processing does not resume.

If you configure session ownership to be Primary device, the session setup defaults to Primary device also.

Palo Alto Networks recommends setting the Session Owner to First Packet and the Session Setup to IP Modulo unless otherwise indicated in a specific use case.

Setting Session Owner and Session Setup to Primary Device causes the active-primary firewall to perform all traffic processing. You might want to configure this for one of these reasons:

- You are troubleshooting and capturing logs and pcaps, so that packet processing is not split between the firewalls.
- You want to force the active/active HA pair to function like an active/passive HA pair. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.
Session Setup

The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up a new session. The session setup firewall also performs NAT using the NAT pool of the session owner. You determine the session setup firewall in an active/active configuration by selecting one of the following session setup load-sharing options.

Session Setup Option | Description
IP Modulo | The firewall distributes the session setup load based on parity of the source IP address. This is a deterministic method of sharing the session setup.
IP Hash | The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities.
Primary Device | The active-primary firewall always sets up the session; only one firewall performs all session setup responsibilities.
First Packet | The firewall that receives the first packet of a session performs session setup.
If you want to load share the session owner and session setup responsibilities, set session owner to First Packet and session setup to IP modulo. These are the recommended settings.

If you want to do troubleshooting or capture logs or pcaps, or if you want an active/active HA pair to function like an active/passive HA pair, set both the session owner and session setup to Primary device so that the active-primary device performs all traffic processing. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.

The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The following figure and text describe the path of a packet that firewall FW1 receives for a new session. The red dotted lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding the packet back to FW1 over the HA3 link.

1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
3. FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
4. FW1 uses the HA3 link to send the first packet to FW2.
5. FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
6. FW1 then forwards the packet out the egress interface to the destination.
The following figure and text describe the path of a packet that matches an existing session:

1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If the session matches an existing session, FW1 processes the packet and sends the packet out the egress interface to the destination.

You must bind each Dynamic IP (DIP) NAT rule and Dynamic IP and Port (DIPP) NAT rule to either Device ID 0 or Device ID 1.

You must bind each static NAT rule to either Device ID 0, Device ID 1, both Device IDs, or the firewall in active-primary state.

Thus, when one of the firewalls creates a new session, the Device ID 0 or Device ID 1 binding determines which NAT rules match the firewall. The device binding must include the session owner firewall to produce a match.

The session setup firewall performs the NAT policy match, but the NAT rules are evaluated based on the session owner. That is, the session is translated according to NAT rules that are bound to the session owner firewall. While performing NAT policy matching, a firewall skips all NAT rules that are not bound to the session owner firewall.

For example, suppose the firewall with Device ID 1 is the session owner and session setup firewall. When the firewall with Device ID 1 tries to match a session to a NAT rule, it skips all rules bound to Device ID 0. The firewall performs the NAT translation only if the session owner and the Device ID in the NAT rule match.

You will typically create device-specific NAT rules when the peer firewalls use different IP addresses for translation.

If one of the peer firewalls fails, the active firewall continues to process traffic for synchronized sessions from the failed firewall, including NAT traffic. In a source NAT configuration, when one firewall fails:
- The floating IP address that is used as the Translated IP address of the NAT rule transfers to the surviving firewall. Hence, the existing sessions that fail over will still use this IP address.
- All new sessions will use the device-specific NAT rules that the surviving firewall naturally owns. That is, the surviving firewall translates new sessions using only the NAT rules that match its Device ID; it ignores any NAT rules bound to the failed Device ID.

If you want the firewalls to perform dynamic NAT using the same IP address simultaneously, a best practice is to create a duplicate NAT rule that is bound to the peer firewall also. The result is two NAT rules with the same translation IP addresses, one bound to Device ID 0 and one bound to Device ID 1. Thus, the configuration allows the current firewall to perform new session setup and perform NAT policy matching for NAT rules that are bound to its Device ID. Without the duplicate NAT rule, the firewall will not find its own device-specific rules and will skip all NAT rules that are not bound to its Device ID when it attempts to match a NAT policy.

For examples of active/active HA with NAT, see:

- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
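The session owner and session setup options, the HA3 forwarding they imply, and the Device ID binding of NAT rules (including the duplicate-rule best practice and what a surviving peer can still match after a failover) can be checked against a small model. The following added example is not PAN-OS code: the IP Hash option is modelled with SHA-256 over the two addresses because the guide only says "a hash of the source and destination IP addresses", the flows and NAT rules are constructed, and rule matching considers only the device binding, not zones or addresses.

```python
"""Model of active/active session ownership, session setup load-sharing, HA3
forwarding and Device ID bound NAT rule matching as described in this section.

Added example, not PAN-OS code.  Assumptions: IP Hash uses SHA-256 over the two
addresses; flows and NAT rules are constructed; matching ignores zones/addresses.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Union

ACTIVE_PRIMARY = "active-primary"  # static rules may bind to whichever peer is active-primary
Binding = Union[FrozenSet[int], str]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    first_packet_device: int  # Device ID (0 or 1) whose interface received the first packet


@dataclass(frozen=True)
class NatRule:
    name: str
    kind: str            # "dynamic" (DIP or DIPP) or "static"
    bound_to: Binding    # frozenset({0}), frozenset({1}), frozenset({0, 1}) or ACTIVE_PRIMARY
    translated_ip: str


def validate_nat_rule(rule: NatRule) -> None:
    """DIP/DIPP rules bind to exactly one Device ID; static rules may bind to
    Device ID 0, Device ID 1, both, or the active-primary firewall."""
    if rule.kind == "dynamic":
        if rule.bound_to == ACTIVE_PRIMARY or len(rule.bound_to) != 1:
            raise ValueError(f"{rule.name}: DIP/DIPP rule must bind to Device ID 0 or 1")
    elif rule.kind == "static":
        ok = rule.bound_to == ACTIVE_PRIMARY or (
            isinstance(rule.bound_to, frozenset) and rule.bound_to and rule.bound_to <= {0, 1})
        if not ok:
            raise ValueError(f"{rule.name}: static rule binding {rule.bound_to!r} is invalid")
    else:
        raise ValueError(f"{rule.name}: unknown rule kind {rule.kind!r}")


def session_owner(flow: Flow, mode: str, active_primary: int) -> int:
    """Session Owner: 'first-packet' (the receiving peer) or 'primary-device'."""
    if mode == "first-packet":
        return flow.first_packet_device
    if mode == "primary-device":
        return active_primary
    raise ValueError(f"unknown session owner option {mode!r}")


def session_setup(flow: Flow, mode: str, active_primary: int) -> int:
    """Session Setup load-sharing options from the table in this section."""
    if mode == "ip-modulo":    # parity of the source IP address: deterministic
        return int(ipaddress.ip_address(flow.src)) & 1
    if mode == "ip-hash":      # hash of source and destination IPs (SHA-256 assumed)
        return hashlib.sha256(f"{flow.src}|{flow.dst}".encode()).digest()[0] & 1
    if mode == "primary-device":
        return active_primary
    if mode == "first-packet":
        return flow.first_packet_device
    raise ValueError(f"unknown session setup option {mode!r}")


def ha3_transfers(first_packet_device: int, owner: int, setup: int) -> int:
    """Times the first packet crosses HA3: receiver -> owner if they differ,
    then owner -> setup peer and back if those differ."""
    return int(first_packet_device != owner) + 2 * int(owner != setup)


def match_nat_rule(rules: List[NatRule], owner: int, active_primary: int) -> Optional[NatRule]:
    """The setup peer evaluates NAT policy but skips every rule whose device
    binding does not include the session owner."""
    for rule in rules:
        bound = frozenset({active_primary}) if rule.bound_to == ACTIVE_PRIMARY else rule.bound_to
        if owner in bound:
            return rule
    return None


def nat_rule_after_failover(rules: List[NatRule], survivor: int) -> Optional[NatRule]:
    """With one peer down the survivor is active-primary and owns every new
    session, so only rules bound to its own Device ID can match."""
    return match_nat_rule(rules, owner=survivor, active_primary=survivor)


# Constructed rule sets: separate pools per peer, a shared address duplicated per
# the best practice above, and the same shared address bound to one peer only.
SEPARATE_POOLS = [
    NatRule("snat-dev0", "dynamic", frozenset({0}), "203.0.113.10"),
    NatRule("snat-dev1", "dynamic", frozenset({1}), "203.0.113.11"),
]
SHARED_IP_DUPLICATED = [
    NatRule("snat-shared-dev0", "dynamic", frozenset({0}), "203.0.113.20"),
    NatRule("snat-shared-dev1", "dynamic", frozenset({1}), "203.0.113.20"),
]
SHARED_IP_SINGLE = [NatRule("snat-shared-dev1", "dynamic", frozenset({1}), "203.0.113.20")]

if __name__ == "__main__":
    flow = Flow("10.1.1.21", "192.0.2.5", first_packet_device=0)  # odd source IP
    owner = session_owner(flow, "first-packet", active_primary=0)
    setup = session_setup(flow, "ip-modulo", active_primary=0)
    print(f"owner={owner} setup={setup} HA3 transfers={ha3_transfers(0, owner, setup)}")
    print("shared IP, no duplicate rule, Device ID 1 failed:",
          nat_rule_after_failover(SHARED_IP_SINGLE, survivor=0))
```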
Set Up Active/Passive HA

- Prerequisites for Active/Passive HA
- Configuration Guidelines for Active/Passive HA
- Configure Active/Passive HA
- Define HA Failover Conditions
- Verify Failover

model.

The same PAN-OS version: Both the firewalls should be running the same PAN-OS version and must each be up to date on the application, URL, and threat databases.

The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.

The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.

- Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
- For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
- If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.

Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

As a best practice, if you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, Reset the Firewall to Factory Default Settings on the new firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean configuration.
create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses. When a new active firewall takes over, it sends Gratuitous ARP messages from each of its connected interfaces to inform the connected Layer 2 switches of the virtual MAC address new location.

- If you are using in-band ports as HA links, you must set the interfaces for the HA1 and HA2 links to type HA.
- Set the HA Mode to Active Passive on both firewalls.
- If required, enable preemption on both firewalls. The device priority value, however, must not be identical.
- If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
- Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether you should enable heartbeat backup:

HA functionality (HA1 and HA1 backup) is not supported on the management interface if it's configured for DHCP addressing (IP Type set to DHCP Client), except for AWS.

HA1 | HA1 Backup | Recommendation
Dedicated HA1 port | In-band port | Enable Heartbeat Backup
Dedicated HA1 port | Management port | Do not enable Heartbeat Backup
In-band port | In-band port | Enable Heartbeat Backup
Management port | In-band port | Do not enable Heartbeat Backup
The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings that are not automatically synchronized between peers.

Independent Configuration Settings | Peer A | Peer B

Control Link
  Peer A: IP address of the HA1 link configured on this firewall (Peer A).
  Peer B: IP address of the HA1 link configured on this firewall (Peer B).
  For firewalls without dedicated HA ports, use the management port IP address for the control link.

Data Link (the data link information is synchronized between the firewalls after HA is enabled and the control link is established between the firewalls)
  Peer A: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (Peer A).
  Peer B: By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (Peer B).

Device Priority (required, if preemption is enabled)
  Peer A: The firewall you plan to make active must have a lower numerical value than its peer. So, if Peer A is to function as the active firewall, keep the default value of 100 and increment the value on Peer B. If the firewalls have the same device priority value, they use the MAC address of their HA1 as the tiebreaker.
  Peer B: If Peer B is passive, set the device priority value to a number larger than the setting on Peer A. For example, set the value to 110.

Link Monitoring (monitor one or more physical interfaces that handle vital traffic on this firewall and define the failure condition)
  Peer A: Select the physical interfaces on the firewall that you would like to monitor and define the failure condition (all or any) to trigger a failover.
  Peer B: Pick a similar set of physical interfaces that you would like to monitor on this firewall and define the failure condition (all or any) to trigger a failover.

Path Monitoring (monitor one or more destination IP addresses that the firewall pings with ICMP to ascertain responsiveness)
  Peer A: Define the failure condition (all or any), ping interval and the ping count. This is particularly useful for monitoring the availability of other interconnected networking devices. For example, monitor the availability of a router that connects to a server, connectivity to the server itself, or some other vital device that is in the flow of traffic. Make sure that the node/device that you are monitoring is not likely to be unresponsive, especially when it comes under load, as this could cause a path monitoring failure and trigger a failover.
  Peer B: Pick a similar set of devices or destination IP addresses that can be monitored for determining the failover trigger for Peer B. Define the failure condition (all or any), ping interval and the ping count.
Configure Active/Passive HA

The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology.

To configure an active/passive HA pair, first complete the following workflow on the first firewall and then repeat the steps on the second firewall.

Connect and Configure the Firewalls

Step 1: Connect the HA ports to set up a physical connection between the firewalls.
- For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
- For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.

Step 2: Enable ping on the management port. Enabling ping allows the management port to exchange heartbeat backup information.
  2. Select Ping as a service that is permitted on the interface.

Step 3: If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For firewalls with dedicated HA ports continue to the next step.
  2. Confirm that the link is up on the ports that you want to use.
  3. Select the interface and set Interface Type to HA.
Step 4: Set the HA mode and group ID.
  2. Set a Group ID and optionally a Description for the pair. The Group ID uniquely identifies each HA pair on your network. If you have multiple HA pairs that share the same broadcast domain you must set a unique Group ID for each pair.
  3. Set the mode to Active Passive.

Step 5: Set up the control link connection. This example shows an in-band port that is set to interface type HA. For firewalls that use the management port as the control link, the IP address information is automatically prepopulated.

Step 6: (Optional) Enable encryption for the control link connection. This is typically used to secure the link if the two firewalls are not directly connected, that is if the ports are connected to a switch or a router.
  3. Select Encryption Enabled.

Step 7: Set up the backup control link connection.
  2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.
Step 8: Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
  2. Select the Port to use for the data link connection.
  3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
  4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.

Step 9: Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You do not need to enable heartbeat backup if you are using the management port for the control link.
Step 10: Set the device priority and enable preemption. This setting is only required if you wish to make sure that a specific firewall is the preferred active firewall. For information, see Device Priority and Preemption.

Step 11: (Optional) Modify the HA Timers. By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.

Step 12: (Optional, only configured on the passive firewall) Modify the link status of the HA ports on the passive firewall. The passive link state is shutdown, by default. After you enable HA, the link state for the HA ports on the active firewall will be green and those on the passive firewall will be down and display as red. Setting the link state to Auto allows for reducing the amount of time it takes for the passive firewall to take over when a failover occurs and it allows you to monitor the link state. To enable the link status on the passive firewall to stay up and reflect the cabling status on the physical interface:
Step 13: Enable HA.
  2. Select Enable HA.
  4. Enter the IP address assigned to the control link of the peer in Peer HA1 IP Address. For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link, enter the management port IP address of the peer.

Step 14: (Optional) Enable LACP and LLDP Pre-Negotiation for Active/Passive HA for faster failover if your network uses LACP or LLDP. Enable LACP and LLDP before configuring HA pre-negotiation for the protocol if you want pre-negotiation to function in active mode.
  1. Ensure that in Step 12 you set the link state to Auto.
  3. To enable LACP active pre-negotiation:
     a. Select an AE interface in a Layer 2 or Layer 3 deployment.
     b. Select the LACP tab.
     c. Select Enable in HA Passive State.
     d. Click OK.
     You cannot also select Same System MAC Address for Active-Passive HA because pre-negotiation requires unique interface MAC addresses on the active and passive firewalls.
  4. To enable LACP passive pre-negotiation:
     a. Select an Ethernet interface in a virtual wire deployment.
     b. Select the Advanced tab.
     c. Select the LACP tab.
     d. Select Enable in HA Passive State.
     e. Click OK.
  5. To enable LLDP active pre-negotiation:
     a. Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment.
     b. Select the Advanced tab.
     c. Select the LLDP tab.
     d. Select Enable in HA Passive State.
     e. Click OK.
     If you want to allow LLDP passive pre-negotiation for a virtual wire deployment, perform Step 5 but do not enable LLDP itself.

Step 15: Save your configuration changes. Click Commit.
Step 16: After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
  1. Access the Dashboard on both firewalls, and view the High Availability widget.
  2. On the active firewall, click the Sync to peer link.
  3. Confirm that the firewalls are paired and synced, as shown as follows:
     - On the passive firewall: the state of the local firewall should display passive and the Running Config should show as synchronized.
     - On the active firewall: the state of the local firewall should display active and the Running Config should show as synchronized.
Define HA Failover Conditions

Step 1: To configure link monitoring, define the interfaces you want to monitor. A change in the link state of these interfaces will trigger a failover.

Step 2: (Optional) Modify the failure condition for the Link Groups that you configured (in the preceding step) on the firewall. By default, the firewall will trigger a failover when any monitored link fails.
  1. Select the Link Monitoring section.
  2. Set the Failure Condition to All. The default setting is Any.

Step 3: To configure path monitoring, define the destination IP addresses that the firewall should ping to verify network connectivity.
  2. Select the appropriate item from the drop-down for the Name and Add the IP addresses (source and/or destination, as prompted) that you wish to monitor. Then select the Failure Condition for the group. The path group you define is added to the Path Group section.

Step 4: (Optional) Modify the failure condition for all Path Groups configured on the firewall. By default, the firewall will trigger a failover when any monitored path fails. Set the Failure Condition to All. The default setting is Any.

Step 5: Save your changes. Click Commit.
If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is unique to each firewall; the Engine ID is not synchronized between the HA pair and, therefore, allows you to independently monitor each firewall in the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager.

Because the Engine ID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique Engine ID for each firewall.
Verify Failover

To test that your HA configuration works properly, trigger a manual failover and verify that the firewalls transition states successfully.

Step 1: Suspend the active firewall.

Step 2: Verify that the passive firewall has taken over as active. On the Dashboard, verify that the state of the passive firewall changes to active in the High Availability widget.

Step 3: Restore the suspended firewall to a functional state. Wait for a couple of minutes, and then verify that preemption has occurred, if Preemptive is enabled.
Set Up Active/Active HA

- Prerequisites for Active/Active HA
- Configure Active/Active HA
- Determine Your Active/Active Use Case
up to date on the application, URL, and threat databases.

The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.

The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.

- The HA interfaces must be configured with static IP addresses only, not IP addresses obtained from DHCP (except AWS can use DHCP addresses). Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for the peers must be on the same subnet if they are directly connected or are connected to the same switch.
- For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
- If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
- Each firewall needs a dedicated interface for the HA3 link. PA-7000 Series firewalls use the HSCI port. On the remaining platforms, you can configure aggregate interfaces as the HA3 link for redundancy.

Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the new firewall. This will ensure that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean config. You will also have to configure local IP addresses.
Configure Active/Active HA

The following procedure describes the basic workflow for configuring your firewalls in an active/active configuration. However, before you begin, Determine Your Active/Active Use Case for configuration examples more tailored to your specific network environment.

To configure active/active, first complete the following steps on one peer and then complete them on the second peer, ensuring that you set the Device ID to different values (0 or 1) on each peer.

Configure Active/Active HA

Step 1: Connect the HA ports to set up a physical connection between the firewalls. For each use case, the firewalls could be any hardware platform; choose the HA3 step that corresponds with your platform.
- For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
- For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
- For HA3:
  - On PA-7000 Series firewalls, connect the High Speed Chassis Interconnect (HSCI-A) on the first chassis to the HSCI-A on the second chassis, and the HSCI-B on the first chassis to the HSCI-B on the second chassis.
  - On any other hardware platform, use dataplane interfaces for HA3.

Step 2: Enable ping on the management port. Enabling ping allows the management port to exchange heartbeat backup information.
  2. Select Ping as a service that is permitted on the interface.

Step 3: If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For firewalls with dedicated HA ports continue to the next step.
  2. Confirm that the link is up on the ports that you want to use.
  3. Select the interface and set Interface Type to HA.

Step 4: Enable active/active HA and set the group ID.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
Step 5: Set the Device ID, enable synchronization, and identify the control link on the peer firewall.
  6. Click OK.

Step 6: Determine whether or not the firewall with the lower Device ID preempts the active-primary firewall upon recovery from a failure.
  2. Select Preemptive to cause the firewall with the lower Device ID to automatically resume active-primary operation after either firewall recovers from a failure. Both firewalls must have Preemptive selected for preemption to occur. Leave Preemptive unselected if you want the active-primary role to remain with the current firewall until you manually make the recovered firewall the active-primary firewall.

Step 7: Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You need not enable heartbeat backup if you are using the management port for the control link.
  2. Select Heartbeat Backup. To allow the heartbeats to be transmitted between the firewalls, you must verify that the management port across both peers can route to each other.
  Enabling heartbeat backup allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes the other is down and attempts to start services that are running, thereby causing a split brain. Enabling heartbeat backup prevents split brain because redundant heartbeats and hello messages are transmitted over the management port.

Step 8: (Optional) Modify the HA Timers. By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.
  2. Select Aggressive to trigger faster failover. Select Advanced to define custom values for triggering failover in your setup.
  To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.
Step 9: Set up the control link connection. This example uses an in-band port that is set to interface type HA. For firewalls that use the management port as the control link, the IP address information is automatically prepopulated.

Step 10: (Optional) Enable encryption for the control link connection. This is typically used to secure the link if the two firewalls are not directly connected, that is if the ports are connected to a switch or a router.
  1. Export the HA key from one firewall and import it into the peer firewall.
     a. Select Device > Certificate Management > Certificates.
     b. Select Export HA key. Save the HA key to a network location that the peer can access.
     c. On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location that you saved the key and import it into the peer.
  3. Select Encryption Enabled.

Step 11: Set up the backup control link connection.
  2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.

Step 12: Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
  2. Select the Port to use for the data link connection.
  3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
  4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
  8. Click OK.
Step 13  Configure the HA3 link for packet forwarding.
  2. For HA3 Interface, select the interface you want to use to forward packets between active/active HA peers. It must be a dedicated interface capable of Layer 2 transport and set to Interface Type HA.
  4. Select QoS Sync to synchronize the QoS profile selection on all physical interfaces. Select when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.

Step 14  (Optional) Modify the Tentative Hold time.

Step 15  Configure Session Owner and Session Setup.
  3. For Session Setup, select one of the following:
     IP Modulo: Distributes session setup load based on parity of the source IP address (recommended setting).
     Primary Device: The active-primary firewall sets up all sessions.
     First Packet: The firewall that receives the first packet of a new session performs session setup.
     IP Hash: The firewall uses a hash of either the source IP address or a combination of the source and destination IP addresses to distribute session setup responsibilities.
  4. Click OK.
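The four Session Setup options above decide which peer performs session setup for every new flow. The following model, added here as an illustration and not code from the PAN-OS guide or from Palo Alto Networks, shows how each option assigns a Device ID and how evenly IP Modulo and IP Hash spread setup work across a subnet. It assumes Device IDs 0 and 1, that "parity of the source IP address" means the parity of the address read as an integer, and that SHA-256 stands in for the firewall's unpublished hash function; the method names are also assumptions.

```python
"""Session Setup distribution model for a PAN-OS active/active HA pair.

Added illustration, not code from the PAN-OS guide or from Palo Alto Networks.
Assumptions: Device IDs are 0 and 1, IP Modulo maps address parity directly to
a Device ID, and SHA-256 stands in for the firewall's undocumented hash.
"""
import hashlib
import ipaddress
from typing import Dict, Optional

DEVICE_IDS = (0, 1)  # an active/active pair always has Device ID 0 and Device ID 1


def _addr_int(addr: str) -> int:
    """Integer value of an IPv4 or IPv6 address string."""
    return int(ipaddress.ip_address(addr))


def ip_modulo(src_ip: str) -> int:
    """IP Modulo: even source address -> Device ID 0, odd -> Device ID 1."""
    return _addr_int(src_ip) % 2


def ip_hash(src_ip: str, dst_ip: Optional[str] = None) -> int:
    """IP Hash: hash of the source IP, or of source + destination IP when a
    destination is supplied. SHA-256 is a stand-in for the real hash."""
    data = ipaddress.ip_address(src_ip).packed
    if dst_ip is not None:
        data += ipaddress.ip_address(dst_ip).packed
    return hashlib.sha256(data).digest()[-1] % 2


def session_setup_device(method: str, src_ip: str, dst_ip: Optional[str] = None,
                         active_primary: int = 0,
                         receiving_device: Optional[int] = None) -> int:
    """Return the Device ID that sets up a new session under the given option."""
    if method == "ip-modulo":
        return ip_modulo(src_ip)
    if method == "ip-hash":
        return ip_hash(src_ip, dst_ip)
    if method == "primary-device":
        return active_primary  # the active-primary firewall sets up all sessions
    if method == "first-packet":
        # the firewall that received the first packet of the session sets it up
        if receiving_device not in DEVICE_IDS:
            raise ValueError("first-packet needs the Device ID that saw the packet")
        return receiving_device
    raise ValueError(f"unknown Session Setup method: {method}")


def setup_load_share(method: str, network: str,
                     dst_ip: str = "198.51.100.10") -> Dict[int, int]:
    """Count how many hosts in `network` (constructed input: every host address
    in the subnet used as a source) would be set up by each Device ID."""
    counts = {0: 0, 1: 0}
    for host in ipaddress.ip_network(network).hosts():
        counts[session_setup_device(method, str(host), dst_ip)] += 1
    return counts


if __name__ == "__main__":
    for method in ("ip-modulo", "ip-hash"):
        print(method, setup_load_share(method, "10.1.1.0/24"))
```

IP Modulo gives a perfectly even split for any subnet because consecutive addresses alternate parity; IP Hash is only statistically even, which is one reason the guide recommends IP Modulo.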
Step 16  Configure an HA virtual address. You need a virtual address to use a Floating IP Address and Virtual MAC Address or ARP Load Sharing.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.
  5. For Type:
     Select Floating to configure the virtual IP address to be a floating IP address.
     Select ARP Load Sharing to configure the virtual IP address to be a shared IP address and proceed to Step 18.

Step 17  Configure the floating IP address.
  4. Click OK.

Step 18  Configure ARP Load Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  2. Click OK.

Step 19  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Switch ports that connect the HA3 link must support jumbo frames to handle the overhead associated with the MAC-in-MAC encapsulation on the HA3 link. The jumbo frame packet size on the firewall must match the setting on the switch.
  3. Click OK.
  4. Repeat on any intermediary networking devices.

Step 20  Define HA Failover Conditions.

Step 21  Save the configuration. Click Commit.

Step 22  Reboot the firewall after changing the jumbo frame configuration.
  2. Click Reboot Device.

Use Case: Configure Active/Active HA with Route-Based Redundancy
Use Case: Configure Active/Active HA with Floating IP Addresses
Use Case: Configure Active/Active HA with ARP Load Sharing
If you want a Layer 3 active/active HA deployment that behaves like an active/passive deployment, select the following procedure:
Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
If you are configuring NAT in Active/Active HA Mode, see the following procedures:
Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
Configure Active/Active HA with Route-Based Redundancy
Step 1  Configure Active/Active HA.
Step 2  Configure OSPF. See OSPF.
Step 3  Define HA failover conditions. Define HA Failover Conditions.
Step 4  Save the configuration. Click Commit.
Step 5  Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Configure Active/Active HA with Floating IP Addresses
Step 1  Configure Active/Active HA.
Step 2  Configure an HA virtual address. You need a virtual address to use a Floating IP Address and Virtual MAC Address.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.
  5. For Type, select Floating to configure the virtual IP address to be a floating IP address.
Step 3  Configure the floating IP address.
  4. Click OK.
Step 4  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.
Step 5  Define HA failover conditions. Define HA Failover Conditions.
Step 6  Save the configuration. Click Commit.
Step 7  Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

Configure Active/Active HA with ARP Load Sharing
Step 1
Step 2  Configure an HA virtual address. The virtual address is the shared IP address that allows ARP Load Sharing.
  2. Enter or select an Interface.
  3. Select the IPv4 or IPv6 tab and click Add.
Step 3  Configure ARP Load Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  2. Click OK.
Step 4  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.
Step 5  Define HA failover conditions. Define HA Failover Conditions.
Step 6  Save the configuration. Click Commit.
Step 7  Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
The following topology illustrates the floating IP address bound to the active-primary firewall, which is initially Peer A, the firewall on the left.
Upon a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B (shown in the following figure). Peer B remains the active-primary firewall and traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary firewall. You decide if and when to make Peer A the active-primary firewall again.
Binding the floating IP address to the active-primary firewall provides you with more control over how the firewalls determine floating IP address ownership as they move between various HA Firewall States. The following advantages result:
You can have an active/active HA configuration for path monitoring out of both firewalls, but have the firewalls function like an active/passive HA configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
When you disable preemption on both firewalls, you have the following additional benefits:
The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
You can review the functionality of the recovered firewall and the adjacent components before manually directing traffic to it again, which you can do at a convenient downtime.
You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.
We strongly recommend you configure HA link monitoring on the interface(s) that support the floating IP address(es) to allow each HA peer to quickly detect a link failure and fail over to its peer. Both HA peers must have link monitoring for it to function.
We strongly recommend you configure HA path monitoring to notify each HA peer when a path has failed so a firewall can fail over to its peer. Because the floating IP address is always bound to the active-primary firewall, the firewall cannot automatically fail over to the peer when a path goes down and path monitoring is not enabled.
You cannot configure NAT for a floating IP address that is bound to an active-primary firewall.
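The interaction between Preemptive (Step 8 of Configure Active/Active HA) and a floating IP address bound to the active-primary firewall is easiest to see as a small state model. The following is an added illustration, not code from the PAN-OS guide or from Palo Alto Networks: it replays the Peer A / Peer B sequence described above and the flapping-secondary case. Its assumptions are that the lower Device ID wins the initial election, that a failed peer is simply reported as "down" rather than in one of the guide's transitional HA states, and that the class, method and event names are inventions for the model.

```python
"""Active-primary election, preemption and a floating IP bound to the
active-primary firewall in a PAN-OS active/active pair.

Added illustration, not code from the PAN-OS guide or from Palo Alto Networks.
Assumptions: lower Device ID wins the initial election; a failed peer is shown
as "down" instead of the guide's transitional states; names are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Peer:
    device_id: int
    preemptive: bool  # the Preemptive checkbox on this peer
    up: bool = True


@dataclass
class BoundFloatingIpPair:
    peers: Dict[int, Peer]
    floating_ip: str
    active_primary: Optional[int] = None
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active_primary = min(self._up_ids())  # assumption: lower ID wins

    def _up_ids(self) -> List[int]:
        return sorted(d for d, p in self.peers.items() if p.up)

    @property
    def preemption_enabled(self) -> bool:
        # Both firewalls must have Preemptive selected for preemption to occur.
        return all(p.preemptive for p in self.peers.values())

    @property
    def floating_ip_owner(self) -> Optional[int]:
        # Bound floating IP: always owned by whichever peer is active-primary.
        return self.active_primary

    def state(self, device_id: int) -> str:
        if not self.peers[device_id].up:
            return "down"
        return "active-primary" if device_id == self.active_primary else "active-secondary"

    def fail(self, device_id: int) -> None:
        self.peers[device_id].up = False
        if self.active_primary == device_id:
            remaining = self._up_ids()
            self.active_primary = remaining[0] if remaining else None
            self.events.append(
                f"device {device_id} failed; {self.floating_ip} moves to device {self.active_primary}")
        else:
            self.events.append(f"device {device_id} failed; {self.floating_ip} stays on "
                               f"device {self.active_primary}")

    def recover(self, device_id: int) -> None:
        self.peers[device_id].up = True
        if self.active_primary is None:
            self.active_primary = device_id
        elif self.preemption_enabled and device_id < self.active_primary:
            # Lower Device ID automatically resumes active-primary operation.
            self.active_primary = device_id
        self.events.append(f"device {device_id} recovered; active-primary is device "
                           f"{self.active_primary}")

    def promote(self, device_id: int) -> None:
        """Manual takeover, the step the administrator performs when preemption is off."""
        if not self.peers[device_id].up:
            raise ValueError("cannot promote a peer that is down")
        self.active_primary = device_id
        self.events.append(f"device {device_id} manually made active-primary")


def demo() -> List[str]:
    """Peer A = Device ID 0, Peer B = Device ID 1, preemption disabled on both.
    Constructed example address 10.1.1.100 as the bound floating IP."""
    pair = BoundFloatingIpPair(peers={0: Peer(0, False), 1: Peer(1, False)},
                               floating_ip="10.1.1.100")
    pair.fail(0)      # Peer A goes down: IP moves to Peer B
    pair.recover(0)   # Peer A recovers: stays active-secondary, IP stays on B
    pair.promote(0)   # administrator decides when Peer A takes over again
    return pair.events


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run `demo()` to see the sequence from the description above; change both peers to `preemptive=True` and the recovery step alone moves the floating IP back to Device ID 0, while a single peer with Preemptive selected is not enough.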
Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
Step 1
Step 2  (Optional) Disable preemption. Disabling preemption allows you full control over when the recovered firewall becomes the active-primary firewall.
Step 3
Step 4  Configure Session Owner and Session Setup.
  4. Click OK.
Step 5  Configure an HA virtual address.
  2. Enter or select an Interface.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
  5. Click OK.
Step 6  Bind the floating IP address to the active-primary firewall.
  3. Click OK.
Step 7  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.
Step 8  Save the configuration. Click Commit.
Step 9  Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
This Layer 3 interface example uses source NAT in Active/Active HA Mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.
PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet 1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.

Configure Active/Active HA with Source DIPP NAT Using Floating IP Address
Step 1  On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.
Step 2  Enable active/active HA.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. For Mode, select Active Active.
  5. Select Device ID 1.
  9. Click OK.
Step 3
Step 4  Configure Session Owner and Session Setup.
  4. Click OK.
Step 5  Configure an HA virtual address.
  2. Select Interface eth1/1.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
Step 6  Configure the floating IP address.
  3. Click OK.
Step 7  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.
Step 8  Define HA failover conditions. Define HA Failover Conditions.
Step 9  Save the configuration. Click Commit.
Step 10  Configure the peer firewall, PA-3050-1, with the same settings, except for the following changes:
  Select Device ID 0.
  Configure an HA virtual address of 10.1.1.100.
  For Device 1 Priority, enter 255. For Device 0 Priority, enter 0. In this example, Device ID 0 has a lower priority value, so a higher priority; therefore, the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.
Step 11  Still on PA-3050-1, create the source NAT rule for Device ID 0.
  2. Enter a Name for the rule that in this example identifies it as a source NAT rule for Device ID 0.
  3. For NAT Type, select ipv4 (default).
  5. For Destination Zone, select the zone you created for the external network.
  9. On the Active/Active HA Binding tab, for Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
  10. Click OK.
Step 12  Create the source NAT rule for Device ID 1.
  2. Enter a Name for the policy rule that in this example helps identify it as a source NAT rule for Device ID 1.
  3. For NAT Type, select ipv4 (default).
  8. On the Active/Active HA Binding tab, for the Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
  9. Click OK.
Step 13  Save the configuration. Click Commit.

Create Address Objects for IP Address Pools for Source NAT in an Active/Active HA Configuration
Step 1  On one HA firewall, create address objects.
  2. For Type, select IP Range and enter the range 10.1.1.140-10.1.1.150.
  3. Click OK.
  4. Repeat this step to configure another address object named DynIPPool-dev1 with the IP Range of 10.1.1.160-10.1.1.170.
Step 2  Create the source NAT rule for Device ID 0.
  3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
  5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 0: DynIPPool-dev0.
  6. For Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
  7. Click OK.
Step 3  Create the source NAT rule for Device ID 1.
  3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
  5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 1: DynIPPool-dev1.
  6. For Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
  7. Click OK.
Step 4  Save the configuration. Select Commit.
Configure Active/Active HA for ARP Load Sharing with Destination NAT
Step 1  On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.
Step 2  Enable active/active HA.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  10. Click OK.
Step 3
Step 4  Configure an HA virtual address.
  2. Select Interface eth1/1.
Step 5  Configure ARP Load Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.
Step 7  Define HA failover conditions. Define HA Failover Conditions.
Step 8  Save the configuration. Click Commit.
Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.
Step 10  Still on PA-3050-1 (Device ID 0), create the destination NAT rule so that the active-primary firewall responds to ARP requests.
  5. For Destination Zone, select the Untrust zone you created for the external network.
  7. For Destination Address, specify 10.1.1.200.
  8. For the Translated Packet, Source Address Translation remains None.
  Click Commit.
Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
Step 1  On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.
Step 2  Enable active/active HA.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  10. Click OK.
Step 3
Step 4  Configure an HA virtual address.
  2. Select Interface eth1/2.
Step 5  Configure ARP Load Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls. Perform Step 19 of Configure Active/Active HA.
Step 7  Define HA failover conditions. Define HA Failover Conditions.
Step 8  Save the configuration. Click Commit.
Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.
Step 10  Still on PA-3050-1 (Device ID 0), create the destination NAT rule for both Device ID 0 and Device ID 1.
  5. For Destination Zone, select the Untrust zone you created for the external network.
  7. For Destination Address, specify 10.1.1.200.
  8. For the Translated Packet, Source Address Translation remains None.
  Click Commit.
HA Firewall States
An HA firewall can be in one of the following states:

HA Firewall State (Occurs In): Description

Initial (A/P or A/A)
  Transient state of a firewall when it joins the HA pair. The firewall remains in this state after boot-up until it discovers a peer and negotiations begin. After a timeout, the firewall becomes active if HA negotiation has not started.

Active (A/P)
  State of the active firewall in an active/passive configuration.

Passive (A/P)
  State of the passive firewall in an active/passive configuration. The passive firewall is ready to become the active firewall with no disruption to the network. Although the passive firewall is not processing other traffic:
  If passive link state auto is configured, the passive firewall is running routing protocols, monitoring link and path state, and the passive firewall will pre-negotiate LACP and LLDP if LACP and LLDP pre-negotiation are configured, respectively.
  The passive firewall is synchronizing flow state, runtime objects, and configuration.
  The passive firewall is monitoring the status of the active firewall using the hello protocol.

Active-Primary (A/A)
  In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. A firewall in this state can own sessions and set up sessions.

Active-Secondary (A/A)
  In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. A firewall in active-secondary state does not support DHCP relay. A firewall in this state can own sessions and set up sessions.

Tentative (A/A)
  State of a firewall (in an active/active configuration) caused by one of the following:
  Failure of a firewall.
  Failure of a monitored object (a link or path).
  The firewall leaves suspended or non-functional state.
  A firewall in tentative state synchronizes sessions and configurations from the peer.
  In a virtual wire deployment, when a firewall enters tentative state due to a path failure and receives a packet to forward, it sends the packet to the peer firewall over the HA3 link for processing. The peer firewall processes the packet and sends it back over the HA3 link to the firewall to be sent out the egress interface. This behavior preserves the forwarding path in a virtual wire deployment.
  In a Layer 3 deployment, when a firewall in tentative state receives a packet, it sends that packet over the HA3 link for the peer firewall to own or set up the session. Depending on the network topology, this firewall either sends the packet out to the destination or sends it back to the peer in tentative state for forwarding.
  After the failed path or link clears or as a failed firewall transitions from tentative state to active-secondary state, the Tentative Hold Time is triggered and routing convergence occurs. The firewall attempts to build routing adjacencies and populate its route table before processing any packets. Without this timer, the recovering firewall would enter active-secondary state immediately and would black hole packets because it would not have the necessary routes.
  When a firewall leaves suspended state, it goes into tentative state for the Tentative Hold Time after links are up and able to process incoming packets.
  Tentative Hold Time range (sec) can be disabled (which is 0 seconds) or in the range 10-600; default is 60.

Non-functional (A/P or A/A)
  Error state due to a dataplane failure or a configuration mismatch, such as only one firewall configured for packet forwarding, VR sync, or QoS sync.
  In active/passive mode, all of the causes listed for Tentative state cause non-functional state.

Suspended (A/P or A/A)
  Administratively disabled state. In this state, an HA firewall cannot participate in the HA election process.
Reference: HA Synchronization
If you have enabled configuration synchronization on both peers in an HA pair, most of the configuration settings you configure on one peer will automatically sync to the other peer upon commit. To avoid configuration conflicts, always make configuration changes on the active (active/passive) or active-primary (active/active) peer and wait for the changes to sync to the peer before making any additional configuration changes.
Only committed configurations synchronize between HA peers. Any configuration in the commit queue at the time of an HA sync will not be synchronized.
The following topics identify which configuration settings you must configure on each firewall independently (these settings are not synchronized from the HA peer).
What Settings Don't Sync in Active/Passive HA?
What Settings Don't Sync in Active/Active HA?
Synchronization of System Runtime Information

What Settings Don't Sync in Active/Passive HA?
You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Passive?

Management Interface Settings
  All management configuration settings must be configured individually on each firewall, including:
  Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
  The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  Device > Setup > Management > Management Interface Settings: IP Type, IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)

Multi-vsys Capability
  To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair.
  You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings
  You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings
SNMP
Statistics Collection
Services
Data Protection

Jumbo Frames
  Device > Setup > Session > Session Settings > Enable Jumbo Frame

Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

Device > Setup > HSM > Hardware Security Module Provider > Master Key Secured by HSM

Software Updates
  With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Software

GlobalProtect Agent Package
  With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer.
  Device > GlobalProtect Client

Content Updates
  With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Dynamic Updates

Licenses/Subscriptions
Support Subscription

Master Key
  The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics).
  Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync checkbox) and then re-enable it after you change the keys.

Log data, reports, and Dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

HA settings
What Settings Don't Sync in Active/Active HA?
You must configure the following settings on each firewall in an HA pair in an active/active deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Active?

Management Interface Settings
  You must configure all management settings individually on each firewall, including:
  Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
  The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  Device > Setup > Management > Management Interface Settings: IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)

Multi-vsys Capability
  To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair.
  You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings
  You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Panorama Settings
SNMP
Statistics Collection
Services
Data Protection

Jumbo Frames
  Device > Setup > Session > Session Settings > Enable Jumbo Frame

Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

HSM Configuration

Software Updates
  With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Software

GlobalProtect Agent Package
  With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer.
  Device > GlobalProtect Client

Content Updates
  With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Dynamic Updates

Licenses/Subscriptions
Support Subscription

Ethernet Interface IP Addresses
  All Ethernet interface configuration settings sync except for the IP address (Network > Interface > Ethernet).

Loopback Interface IP Addresses
  All Loopback interface configuration settings sync except for the IP address (Network > Interface > Loopback).

Tunnel Interface IP Addresses
  All Tunnel interface configuration settings sync except for the IP address (Network > Interface > Tunnel).

Each peer must have a unique LACP System ID in an active/active deployment (Network > Interface > Ethernet > Add Aggregate Group > System Priority).

Virtual router configuration synchronizes only if you have enabled VR Sync (Device > High Availability > Active/Active Config > Packet Forwarding). Whether or not to do this depends on your network design, including whether you have asymmetric routing.

IPSec Tunnels
  IPSec tunnel configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Device > High Availability > Active/Active Config > Virtual Address). If you have configured a floating IP address, these settings sync automatically. Otherwise, you must configure these settings independently on each peer.

GlobalProtect Portal Configuration
  GlobalProtect portal configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Portals). If you have configured a floating IP address, the GlobalProtect portal configuration settings sync automatically. Otherwise, you must configure the portal settings independently on each peer.

GlobalProtect Gateway Configuration
  GlobalProtect gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Gateways). If you have configured a floating IP address, the GlobalProtect gateway configuration settings sync automatically. Otherwise, you must configure the gateway settings independently on each peer.

QoS

LLDP
  No LLDP state or individual firewall data is synchronized in an active/active configuration (Network > Network Profiles > LLDP).

BFD
  No BFD configuration or BFD session data is synchronized in an active/active configuration (Network > Network Profiles > BFD Profile).

IKE Gateways
  IKE gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use floating IP addresses (Network > IKE Gateways). If you have configured a floating IP address, the IKE gateway configuration settings sync automatically. Otherwise, you must configure the IKE gateway settings independently on each peer.

Master Key
  The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics).
  Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync checkbox) and then re-enable it after you change the keys.

Log data, reports, and dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.

HA settings
Synchronization of System Runtime Information

The following table summarizes what system runtime information is synchronized between HA peers.

Runtime Information | Synced in A/P | Synced in A/A | HA Link | Details

Management Plane
 | Yes | Yes | HA1 |
 | Yes | Yes | HA1 |
DNS Cache | No | No | N/A |
FQDN Refresh | No | No | N/A |
 | Yes | Yes | HA1 |
 | No | | N/A |
 | No | No | N/A | This feature is disabled by default and must be enabled separately on each HA peer.
 | No | No | N/A | This feature is disabled by default and must be enabled separately on each HA peer.
 | Yes | No | HA1 | This is synchronized upon database backup to disk (every eight hours, when the URL database version updates), or when the firewall reboots.
 | Yes | Yes | HA1 |
 | Yes | Yes | HA1 |
 | Yes | Yes | HA1 |
 | Yes | Yes | HA1 |
 | Yes | | HA1 |

Dataplane
Session Table | Yes | Yes | HA2 | Active/passive peers do not sync ICMP or host session information. Active/active peers do not sync host session, multicast session, or BFD session information.
ARP Table | Yes | No | HA2 | Upon upgrade to PAN-OS 7.1, the ARP table capacity automatically increases. To avoid a mismatch, upgrade both peers within a short period of time. As a best practice, clear the ARP cache (clear arp) on both peers prior to upgrading to PAN-OS 7.1.
 | Yes | No | HA2 |
MAC Table | Yes | No | HA2 |
 | Yes | Yes | HA2 |
DoS Protection | Yes | Yes | HA2 |
User to IP Address Mappings | Yes | Yes | HA2 |
Virtual MAC | Yes | Yes | HA2 |
Monitoring

In order to forestall potential issues, and accelerate incident response when needed, the firewall provides intelligence on traffic and user patterns and customizable and informative reports. The dashboard, Application Command Center (ACC), reports, and logs on the firewall allow you to monitor activity on your network. You can monitor the logs and filter the information to generate reports with predefined or customized views. You can, for example, use the predefined templates to generate reports on user activities, or analyze the reports and logs to interpret unusual behavior on your network and generate a custom report on the traffic pattern. For a visually engaging presentation of network activity, the dashboard and the ACC include widgets, charts, and tables that you can interact with to find information that you care about. In addition, you can configure the firewall to forward monitored information as email notifications, syslog messages, SNMP traps, and NetFlow records to external services.

Use the Dashboard
Use the Application Command Center
App Scope
Use the Automated Correlation Engine
Take Packet Captures
Monitor Applications and Threats
Monitor and Manage Logs
Manage Reporting
Use External Services for Monitoring
Configure Log Forwarding
Configure Email Alerts
Use Syslog for Monitoring
SNMP Monitoring and Traps
NetFlow Monitoring
Use the Dashboard

The Dashboard tab widgets show general firewall information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. All of the available widgets are displayed by default, but each administrator can remove and add individual widgets, as needed. Click the refresh icon to update the dashboard or an individual widget. To change the automatic refresh interval, select an interval from the drop-down (1 min, 2 mins, 5 mins, or Manual). To add a widget to the dashboard, click the widget drop-down, select a category and then the widget name. To delete a widget, click the icon in the title bar. The following table describes the dashboard widgets.

Dashboard Charts | Descriptions

Top Applications
Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk from green (lowest) to red (highest). Click an application to view its application profile.

Displays the firewall name, model, PAN-OS software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.

Interface Status
Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

Threat Logs
Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or URL that violates the URL filtering profile.

Config Logs
Displays the administrator user name, client (Web or CLI), and date and time for the last 10 entries in the Configuration log.

Data Filtering Logs
Displays the description and date and time for the last 60 minutes in the Data Filtering log.

URL Filtering Logs
Displays the description and date and time for the last 60 minutes in the URL Filtering log.

System Logs
Displays the description and date and time for the last 10 entries in the System log. A Config installed entry indicates configuration changes were committed successfully.

System Resources
Displays the Management CPU usage, Data Plane usage, and the Session Count, which displays the number of sessions established through the firewall.

Logged In Admins
Displays the source IP address, session type (Web or CLI), and session start time for each administrator who is currently logged in.

Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher values indicate higher risk.

High Availability
If high availability (HA) is enabled, indicates the HA status of the local and peer firewall: green (active), yellow (passive), or black (other). For more information about HA, see High Availability.

Locks
Shows configuration locks taken by administrators.
Use the Application Command Center

The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic patterns and actionable information on threats. The ACC layout includes a tabbed view of network activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better visualization of network traffic. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, so that you can uncover anomalies or find ways to enhance your network security rules. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.

ACC First Look
ACC Tabs
ACC Widgets (Widget Descriptions)
ACC Filters
Interact with the ACC
Use Case: ACC Path of Information Discovery
ACC First Look

Take a quick tour of the ACC.

Tabs
The ACC includes three predefined tabs that provide visibility into network traffic, threat activity, and blocked activity. For information on each tab, see ACC Tabs.

Widgets
Each tab includes a default set of widgets that best represent the events/trends associated with the tab. The widgets allow you to survey the data using the following filters:
bytes (in and out)
sessions
content (files and data)
URL categories
threats (and count)
For information on each widget, see ACC Widgets.

Time
The charts or graphs in each widget provide a summary and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days. The selected time period applies across all tabs in the ACC.
The time period used to render data, by default, is the Last Hour, updated in 15-minute intervals. The date and time interval are displayed on screen; for example, at 11:40 the time range is 01/12 10:30:00 to 01/12 11:29:59.

Global Filters
The Global Filters allow you to set the filter across all widgets and all tabs. The charts/graphs apply the selected filters before rendering the data. For information on using the filters, see ACC Filters.

Risk Factor
The risk factor (1 = lowest to 5 = highest) indicates the relative risk based on the applications used on your network. The risk factor uses a variety of factors to assess the associated risk levels, such as whether the application can share files, is prone to misuse, or tries to evade firewalls; it also factors in the threat activity and malware as seen through the number of blocked threats, compromised hosts, or traffic to malware hosts/domains.

Source
The data segment used for the display. The options vary on the firewall and on Panorama.
On the firewall, if enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include all virtual systems or just a selected virtual system.
On Panorama, you can select the Device Group drop-down to change the ACC display to include all device groups or just a selected device group.
Additionally, on Panorama, you can change the Data Source to Panorama data or Remote Device Data. Remote Device Data is only available when all the managed firewalls are on PAN-OS 7.0.0 or later. When you filter the display for a specific device group, Panorama data is used as the data source.

Export
You can export the widgets displayed in the currently selected tab as a PDF. The PDF is downloaded and saved to the downloads folder associated with your web browser, on your computer.
ACC Tabs

The ACC includes the following predefined tabs for viewing network activity, threat activity, and blocked activity.

Tab | Description

Network Activity
Displays an overview of traffic and user activity on your network including:
Top applications in use
Top users who generate traffic (with a drill down into the bytes, content, threats or URLs accessed by the user)
Most used security rules against which traffic matches occur
In addition, you can also view network activity by source or destination zone, region, or IP address, ingress or egress interfaces, and GlobalProtect host information such as the operating systems of the devices most commonly used on the network.
Threat Activity
Displays an overview of the threats on the network, focusing on the top threats: vulnerabilities, spyware, viruses, hosts visiting malicious domains or URLs, top WildFire submissions by file type and application, and applications that use non-standard ports. The Compromised Hosts widget in this tab (the widget is supported on some platforms only) supplements detection with better visualization techniques; it uses the information from the correlated events tab (Automated Correlation Engine > Correlated Events) to present an aggregated view of compromised hosts on your network by source users/IP addresses, sorted by severity.

Blocked Activity
Focuses on traffic that was prevented from coming into the network. The widgets in this tab allow you to view activity denied by application name, user name, threat name, and blocked content (files and data that were blocked by a file blocking profile). It also lists the top security rules that were matched on to block threats, content, and URLs.

You can also Interact with the ACC to create customized tabs with custom layout and widgets that meet your network monitoring needs.

ACC Widgets

The widgets on each tab are interactive; you can set the ACC Filters and drill down into the details for each table or graph, or customize the widgets included in the tab to focus on the information you need. For details on what each widget displays, see Widget Descriptions.
Widgets

View
You can sort the data by bytes, sessions, threats, count, content, URLs, malicious, benign, files, data, profiles, objects. The available options vary by widget.

Graph
The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked bar graph, and map. The available options vary by widget; the interaction experience also varies with each graph type. For example, the widget for Applications using Non-Standard Ports allows you to choose between a treemap and a line graph.
To drill down into the display, click into the graph. The area you click into becomes a filter and allows you to zoom in to the selection and view more granular information on the selection.

Table
The detailed view of the data used to render the graph is provided in a table below the graph. You can interact with the table in several ways:
Click and set a local filter for an attribute in the table. The graph is updated and the table is sorted using the local filter. The information displayed in the graph and the table are always synchronized.
Hover over the attribute in the table and use the options available in the drop-down.

Actions
Maximize view: Allows you to enlarge the widget and view the table in a larger screen space and with more viewable information.
Set up local filters: Allows you to add ACC Filters to refine the display within the widget. Use these filters to customize the widgets; these customizations are retained between logins.
Jump to logs: Allows you to directly navigate to the logs (Monitor > Logs > Log type tab). The logs are filtered using the time period for which the graph is rendered. If you have set local and global filters, the log query concatenates the time period and the filters and only displays logs that match the combined filter set.
Export: Allows you to export the graph as a PDF. The PDF is downloaded and saved on your computer. It is saved in the Downloads folder associated with your web browser.
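The two behaviours described above, the Last Hour range being cut on 15-minute boundaries (so at 11:40 the range is 10:30:00 to 11:29:59) and Jump to logs concatenating that range with the active global and widget filters, can be made concrete in code. The following Python is an added example written for this page, not code from the PAN-OS product or its documentation. The query term syntax ( field op 'value' ) and the field names receive_time, user.src and app are assumptions modelled on the PAN-OS log filter grammar, and the clock times are constructed sample values.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

BUCKET_MINUTES = 15                 # ACC refresh interval
WINDOW = timedelta(hours=1)         # default "Last Hour" range
CLOCK_FMT = "%Y/%m/%d %H:%M"        # format of the constructed clock times below
LOG_FMT = "%Y/%m/%d %H:%M:%S"       # timestamp format used in the query terms


def acc_last_hour_window(now: datetime) -> Tuple[datetime, datetime]:
    """Return (start, end) of the Last Hour range at clock time `now`.

    The range is not the trailing 60 minutes: it is the last four complete
    15-minute buckets, so at 11:40 it runs from 10:30:00 to 11:29:59.
    """
    floored = now.replace(second=0, microsecond=0)
    floored -= timedelta(minutes=floored.minute % BUCKET_MINUTES)
    end = floored - timedelta(seconds=1)    # last second of the previous bucket
    start = floored - WINDOW                # four buckets back
    return start, end


def last_hour_window_text(now_text: str) -> Tuple[str, str]:
    """Same as above, taking and returning text timestamps."""
    start, end = acc_last_hour_window(datetime.strptime(now_text, CLOCK_FMT))
    return start.strftime(LOG_FMT), end.strftime(LOG_FMT)


def jump_to_logs_query(now_text: str, filters: List[Tuple[str, str, bool]]) -> str:
    """Build the log query Jump to logs would hand to Monitor > Logs.

    `filters` holds (field, value, negated) triples: the ACC global and widget
    filters, with negated=True for a filter applied with the negate icon.
    The time range is always part of the query; the filters are ANDed to it.
    The term syntax and field names are assumptions, not taken from the page.
    """
    start, end = last_hour_window_text(now_text)
    terms = [f"( receive_time geq '{start}' )", f"( receive_time leq '{end}' )"]
    for field, value, negated in filters:
        terms.append(f"( {field} {'neq' if negated else 'eq'} '{value}' )")
    return " and ".join(terms)


if __name__ == "__main__":
    # Constructed example: the page's 11:40 case with a user and an application filter.
    print(jump_to_logs_query("2016/01/12 11:40",
                             [("user.src", "marsha", False), ("app", "rapidshare", False)]))
```

Note that a clock time exactly on a boundary (11:30:00) yields the same range as 11:40, and a window that starts shortly after midnight correctly reaches back into the previous day.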
Widget Descriptions

Each tab on the ACC includes a different set of widgets.

Widget | Description
Application Usage
The table displays the top ten applications used on your network; all the remaining applications used on the network are aggregated and displayed as other. The graph displays all applications by application category, subcategory, and application. Use this widget to scan for applications being used on the network; it informs you about the predominant applications using bandwidth, session count, file transfers, triggering the most threats, and accessing URLs.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, area, column, line (the charts vary by the sort-by attribute selected)

User Activity
Displays the top ten most active users on the network who have generated the largest volume of traffic and consumed network resources to obtain content. Use this widget to monitor top users on usage sorted on bytes, sessions, threats, content (files and patterns), and URLs visited.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source IP Activity
Displays the top ten IP addresses or host names of the devices that have initiated activity on the network. All other devices are aggregated and displayed as other.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Destination IP Activity
Displays the IP addresses or host names of the top ten destinations that were accessed by users on the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: area, column, line (the charts vary by the sort-by attribute selected)

Source Regions
Displays the top ten regions (built-in or custom-defined regions) around the world from where users initiated activity on your network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: map, bar

Destination Regions
Displays the top ten destination regions (built-in or custom-defined regions) on the world map from where content is being accessed by users on the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: map, bar

GlobalProtect Host Information
Displays information on the state of the hosts on which the GlobalProtect agent is running; the host system is a GlobalProtect client. This information is sourced from entries in the HIP match log that are generated when the data submitted by the GlobalProtect agent matches a HIP object or a HIP profile you have defined on the firewall. If you do not have HIP Match logs, this widget is blank. To learn how to create HIP objects and HIP profiles and use them as policy match criteria, see Configure HIP-Based Policy Enforcement.
Sort attributes: profiles, objects, operating systems
Charts available: bar

Rule Usage
Displays the top ten rules that have allowed the most traffic on the network. Use this widget to view the most commonly used rules, monitor the usage patterns, and to assess whether the rules are effective in securing your network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line
Ingress Interfaces
Displays the firewall interfaces that are most used for allowing traffic into the network.
Sort attributes: bytes, bytes sent, bytes received
Charts available: line

Egress Interfaces
Displays the firewall interfaces that are most used by traffic exiting the network.
Sort attributes: bytes, bytes sent, bytes received
Charts available: line

Source Zones
Displays the zones that are most used for allowing traffic into the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line

Destination Zones
Displays the zones that are most used by traffic going outside the network.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: line

Compromised Hosts
Displays the hosts that are likely compromised on your network. This widget summarizes the events from the correlation logs. For each source user/IP address, it includes the correlation object that triggered the match and the match count, which is aggregated from the match evidence collated in the correlated events logs. For details see Use the Automated Correlation Engine.
Available on the PA-3000 Series, PA-5000 Series, PA-7000 Series, and Panorama.
Sort attributes: severity (by default)

Displays the frequency with which hosts (IP address/host names) on your network have accessed malicious URLs. These URLs are known to be malware based on categorization in PAN-DB.
Sort attributes: count
Charts available: line

Threat Activity
Displays the threats seen on your network. This information is based on signature matches in Antivirus, Anti-Spyware, and Vulnerability Protection profiles and viruses reported by WildFire.
Sort attributes: threats
Charts available: bar, area, column

WildFire Activity by Application
Displays the applications that generated the most WildFire submissions. This widget uses the malicious and benign verdict from the WildFire Submissions log.
Sort attributes: malicious, benign
Charts available: bar, line
Displays the threat vector by file type. This widget displays the file types that generated the most WildFire submissions and uses the malicious and benign verdict from the WildFire Submissions log. If this data is unavailable, the widget is empty.
Sort attributes: malicious, benign
Charts available: bar, line

Applications Using Non-Standard Ports
Displays the applications that are entering your network on non-standard ports. If you have migrated your firewall rules from a port-based firewall, use this information to craft policy rules that allow traffic only on the default port for the application. Where needed, make an exception to allow traffic on a non-standard port or create a custom application.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line

Rules Allowing Applications On Non-Standard Ports
Displays the security policy rules that allow applications on non-default ports. The graph displays all the rules, while the table displays the top ten rules and aggregates the data from the remaining rules as other.
This information helps you identify gaps in network security by allowing you to assess whether an application is hopping ports or sneaking into your network. For example, you can validate whether you have a rule that allows traffic on any port except the default port for the application. Say, for example, you have a rule that allows DNS traffic on its application-default port (port 53 is the standard port for DNS). This widget will display any rule that allows DNS traffic into your network on any port except port 53.
Sort attributes: bytes, sessions, threats, content, URLs
Charts available: treemap, line

Blocked Activity: Focuses on traffic that was prevented from coming into the network.

Blocked Application Activity
Displays the applications that were denied on your network, and allows you to view the threats, content, and URLs that you kept out of your network.
Sort attributes: threats, content, URLs
Charts available: treemap, area, column

Displays user requests that were blocked by a match on an Antivirus, Anti-Spyware, File Blocking or URL Filtering profile attached to a Security policy rule.
Sort attributes: threats, content, URLs
Charts available: bar, area, column

Blocked Threats
Displays the threats that were successfully denied on your network. These threats were matched on antivirus signatures, vulnerability signatures, and DNS signatures available through the dynamic content updates on the firewall.
Sort attributes: threats
Charts available: bar, area, column

Blocked Content
Displays the files and data that were blocked from entering the network. The content was blocked because security policy denied access based on criteria defined in a File Blocking security profile or a Data Filtering security profile.
Sort attributes: files, data
Charts available: bar, area, column
ACC Filters

The graphs and tables on the ACC widgets allow you to use filters to narrow the scope of data that is displayed, so that you can isolate specific attributes and analyze information you want to view in greater detail. The ACC supports the simultaneous use of widget and global filters.

Widget Filters: Apply a widget filter, which is a filter that is local to a specific widget. A widget filter allows you to interact with the graph and customize the display so that you can drill down into the details and access the information you want to monitor on a specific widget. To create a widget filter that is persistent across reboots, you must use the Set Local Filter option.

Global filters: Apply global filters across all the tabs in the ACC. A global filter allows you to pivot the display around the details you care about right now and exclude the unrelated information from the current display. For example, to view all events relating to a specific user and application, you can apply the user name and the application as a global filter and view only information pertaining to the user and the application through all the tabs and widgets on the ACC. Global filters are not persistent.
You can apply global filters in three ways:
Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
Add a widget filter to a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget, and apply the attribute globally to update the display across all the tabs on the ACC.
Define a global filter: Define a filter using the Global Filters pane on the ACC.
See Interact with the ACC for details on using these filters.
Work with the Tabs and Widgets

Add a new tab.
1. Select the icon along the list of tabs.
2. Add a View Name. This name will be used as the name for the tab. You can add up to five tabs.

Edit a tab.
Select the tab, and click the pencil icon next to the tab name, to edit the tab. Editing a tab allows you to add or delete or reset the widgets that are displayed in the tab. You can also change the widget layout in the tab.

See what widgets are included in a tab.
1. Select the tab, and click on the pencil icon to edit it.
Work with the Tabs and Widgets (Continued)
Add a widget or a widget group.
1. Add a new tab or edit a predefined tab.
2. Select Add Widget, and then select the checkbox that corresponds to the widget you want to add. You can select up to a maximum of 12 widgets.
3. (Optional) To create a 2-column layout, select Add Widget Group. You can drag and drop widgets into the 2-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget. You cannot name a widget group.

Delete a tab or a widget group/widget.
1. To delete a custom tab, select the tab and click the X icon. You cannot delete a predefined tab.
2. To delete a widget group/widget, edit the tab and in the workspace section, click the [X] icon on the right. You cannot undo a deletion.

Reset the default widgets in a tab.
On a predefined tab, such as the Blocked Activity tab, you can delete one or more widgets. If you want to reset the layout to include the default set of widgets for the tab, edit the tab and click Reset View.

Zoom in on the details in an area, column, or line graph.
Click and drag an area in the graph to zoom in. For example, when you zoom into a line graph, it triggers a re-query and the firewall fetches the data for the selected time period. It is not a mere magnification.
Watch how the zoom in capability works.

Use the table drop-down to find more information on an attribute.
1. Hover over an attribute in a table to see the drop-down.
2. Click into the drop-down to view the available options.
Global Find: Use Global Find to search the firewall or Panorama management server for references to the attribute (user name/IP address, object name, policy rule name, threat ID, or application name) anywhere in the candidate configuration.
Value: Displays the details of the threat ID, or application name, or address object.
Who Is: Performs a domain name (WHOIS) lookup for the IP address. The lookup queries databases that store the registered users or assignees of an Internet resource.
Search HIP Report: Uses the user name or IP address to find matches in a HIP Match report.

Set a widget filter.
1. Select a widget and click the icon.
2. Click the icon to add the filters you want to apply.
3. Click Apply. These filters are persistent across reboots.
The active widget filters are indicated next to the widget name.
You can also click an attribute in the table (below the graph) to apply it as a widget filter.
Work with the Tabs and Widgets (Continued)
Negate a widget filter.
1. Click the icon to display the Set up Local Filters dialog.
2. Add a filter, and then click the negate icon.

Set a global filter from a table.
Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute.

Set a global filter using the Global Filters pane.
1. Locate the Global Filters pane on the left side of the ACC.
2. Click the icon to view the list of filters you can apply.
Watch global filters in action.

Promote a widget filter to a global filter.
1. On any table in a widget, click the link for an attribute. This sets the attribute as a widget filter.
2. To promote the filter to be a global filter, select the arrow to the right of the filter.

Remove a filter.
Click the icon to remove a filter.
For global filters: It is located in the Global Filters pane.
For widget filters: Click the icon to display the Set up Local Filters dialog, then select the filter, and click the icon.

Clear all filters.
For global filters: Click the Clear All button under Global Filters.
For widget filters: Select a widget and click the icon. Then click the Clear All button in the Set up Local Filters dialog.
Work with the Tabs and Widgets (Continued)
See what filters are in use.
For global filters: The number of global filters applied is displayed on the left pane under Global Filters.
For widget filters: The number of widget filters applied on a widget is displayed next to the widget name. To view the filters, click the icon.

Reset the display on a widget.
If you set a widget filter or drill into a graph, click the Home link to reset the display in the widget.
Use Case: ACC Path of Information Discovery

Because Marsha has transferred a large volume of data, apply her user name as a global filter (ACC Filters) and pivot all the views in the ACC to Marsha's traffic activity.

The Application Usage tab now shows that the top application that Marsha used was rapidshare, a Swiss-owned file hosting site that belongs to the file-sharing URL category. For further investigation, add rapidshare as a global filter, and view Marsha's activity in the context of rapidshare.

Consider whether you want to sanction rapidshare for company use. Should you allow uploads to this site and do you need a QoS policy to limit bandwidth?

To view which IP addresses Marsha has communicated with, check the Destination IP Activity widget, and view the data by bytes and by URLs.
To find out which countries Marsha communicated with, sort on sessions in the Destination Regions widget. From this data, you can confirm that Marsha, a user on your network, has established sessions in Korea and the European Union, and she logged 19 threats in her sessions within the United States.

To look at Marsha's activity from a threat perspective, remove the global filter for rapidshare. In the Threat Activity widget on the Threat Activity tab, view the threats. The widget displays that her activity had triggered a match for 26 vulnerabilities in the overflow, DoS and code execution threat category. Several of these vulnerabilities are of critical severity.
To further drill down into each vulnerability, click into the graph and narrow the scope of your investigation. Each click automatically applies a local filter on the widget.
Notice that this Microsoft code execution vulnerability was triggered over email, by the imap application. You can now establish that Marsha has IE vulnerabilities and email attachment vulnerabilities, and perhaps her computer needs to be patched. You can now either navigate to the Blocked Threats widget in the Blocked Activity tab to check how many of these vulnerabilities were blocked, or check the Rule Usage widget on the Network Activity tab to discover how many vulnerabilities made it into your network and which security rule allowed this traffic, and navigate directly to the security rule using the Global Find capability.

Then, drill into why imap used a non-standard port 43206 instead of port 143, which is the default port for the application. Consider modifying the security policy rule to allow applications to only use the default port for the application, or assess whether this port should be an exception on your network.

To review if any threats were logged over imap, check Marsha's activity in the WildFire Activity by Application widget in the Threat Activity tab. You can confirm that Marsha had no malicious activity, but to verify that no other user was compromised by the imap application, negate Marsha as a global filter and look for other users who triggered threats over imap.
Click into the bar for imap in the graph and drill into the inbound threats associated with the application. To find out who an IP address is registered to, hover over the attacker IP address and select the Who Is link in the drop-down.

Click the icon to jump to the logs; the query is generated automatically and only the relevant logs are displayed on screen (for example in Monitor > Logs > Threat Logs).
You have now used the ACC to review network data/trends to find which applications or users are generating the most traffic, and which applications are responsible for the threats seen on the network. You were able to identify which application(s) and user(s) generated the traffic, determine whether the application was on the default port and which policy rule(s) allowed the traffic into the network, and determine whether the threat is spreading laterally on the network. You also identified the destination IP addresses and geolocations with which hosts on the network are communicating. Use the conclusions from your investigation to craft goal-oriented policies that can secure users and your network.
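The path of discovery walked through above (top user by bytes, pivot on that user, her top application and destination regions, applications on non-standard ports, then negate the user and check whether anyone else triggered threats over the same application) is a sequence of filter-and-aggregate steps over log records, and it can be reproduced offline. The Python below is an added example written for this page, not PAN-OS code. The traffic and threat records, user names, addresses and byte counts are constructed, and the application-default port map is a small hand-written subset: only DNS on port 53 and IMAP on port 143 come from the text.

```python
from collections import Counter

# Application-default ports. DNS (53) and IMAP (143) are stated on the page;
# the other entries are constructed for this example, not taken from App-ID.
APP_DEFAULT_PORTS = {
    "dns": {53}, "imap": {143}, "rapidshare": {80, 443}, "web-browsing": {80},
}

# Constructed traffic-log records carrying the fields the ACC widgets pivot on.
TRAFFIC_LOG = [
    {"user": "marsha", "app": "rapidshare",   "dst": "203.0.113.10", "dport": 443,   "bytes": 900_000_000, "region": "EU"},
    {"user": "marsha", "app": "imap",         "dst": "198.51.100.5", "dport": 43206, "bytes": 5_000_000,   "region": "US"},
    {"user": "marsha", "app": "web-browsing", "dst": "203.0.113.20", "dport": 80,    "bytes": 20_000_000,  "region": "KR"},
    {"user": "bob",    "app": "imap",         "dst": "198.51.100.5", "dport": 143,   "bytes": 3_000_000,   "region": "US"},
    {"user": "bob",    "app": "web-browsing", "dst": "203.0.113.30", "dport": 80,    "bytes": 50_000_000,  "region": "US"},
    {"user": "alice",  "app": "dns",          "dst": "192.0.2.53",   "dport": 5353,  "bytes": 100_000,     "region": "US"},
]

# Constructed threat-log records for the same users.
THREAT_LOG = [
    {"user": "marsha", "app": "imap",         "severity": "critical", "category": "code-execution"},
    {"user": "marsha", "app": "imap",         "severity": "high",     "category": "overflow"},
    {"user": "bob",    "app": "imap",         "severity": "critical", "category": "code-execution"},
    {"user": "alice",  "app": "web-browsing", "severity": "low",      "category": "info-leak"},
]


def apply_filters(records, include=None, exclude=None):
    """Keep records matching every `include` filter and no `exclude` filter.

    `include` plays the role of the ACC global filters; `exclude` is the same
    filter after the negate icon is applied (for example user=marsha negated).
    """
    include, exclude = include or {}, exclude or {}
    return [r for r in records
            if all(r.get(k) == v for k, v in include.items())
            and not any(r.get(k) == v for k, v in exclude.items())]


def top_by(records, field, measure="bytes", n=10):
    """Aggregate per value of `field` and return the top n (value, total) pairs,
    the way a widget table does. measure=None counts sessions instead of bytes."""
    totals = Counter()
    for r in records:
        totals[r[field]] += r[measure] if measure else 1
    return totals.most_common(n)


def nonstandard_port_sessions(records):
    """Sessions whose destination port is not an application-default port."""
    return [r for r in records
            if r["app"] in APP_DEFAULT_PORTS and r["dport"] not in APP_DEFAULT_PORTS[r["app"]]]


def investigate(traffic, threats):
    """Walk the page's path of discovery and return what each pivot found."""
    top_user = top_by(traffic, "user")[0][0]                       # User Activity, sorted by bytes
    her_traffic = apply_filters(traffic, include={"user": top_user})   # global filter on the user
    top_app = top_by(her_traffic, "app")[0][0]                     # Application Usage under that filter
    regions = dict(top_by(her_traffic, "region", measure=None))    # Destination Regions, by sessions
    odd_port = nonstandard_port_sessions(her_traffic)              # Applications Using Non-Standard Ports
    others = {}
    for app in sorted({r["app"] for r in odd_port}):
        # Negate the user and look for anyone else with threats over the same app.
        hits = apply_filters(threats, include={"app": app}, exclude={"user": top_user})
        others[app] = dict(top_by(hits, "user", measure=None))
    return {"top_user": top_user, "top_app": top_app, "regions": regions,
            "nonstandard_ports": [(r["app"], r["dport"]) for r in odd_port],
            "others_with_threats": others}


if __name__ == "__main__":
    for key, value in investigate(TRAFFIC_LOG, THREAT_LOG).items():
        print(f"{key}: {value}")
```

On the constructed data the walk ends where the page's does: the top talker is marsha, her top application is rapidshare, imap reached a non-standard port, and after negating her a second user (bob) shows threats over imap, which is the lateral-spread question the use case asks.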
App Scope

The App Scope reports provide visibility and analysis tools to help pinpoint problematic behavior, helping you understand changes in application usage and user activity, users and applications that take up most of the network bandwidth, and identify network threats.

With the App Scope reports, you can quickly see if any behavior is unusual or unexpected. Each report provides a dynamic, user-customizable window into the network; hovering the mouse over and clicking either the lines or bars on the charts opens detailed information about the specific application, application category, user, or source on the ACC. The App Scope charts on Monitor > App Scope give you the ability to:

Toggle the attributes in the legend to only view chart details that you want to review. The ability to include or exclude data from the chart allows you to change the scale and review details more closely.
Click into an attribute in a bar chart and drill down to the related sessions in the ACC. Click into an Application name, Application Category, Threat Name, Threat Category, Source IP address or Destination IP address on any bar chart to filter on the attribute and view the related sessions in the ACC.
Export a chart or map to PDF or as an image. For portability and offline viewing, you can Export charts and maps as PDFs or PNG images.

The following App Scope reports are available:
Summary Report
Change Monitor Report
Threat Monitor Report
Threat Map Report
Network Monitor Report
Traffic Map Report
Summary Report

The App Scope Summary report (Monitor > App Scope > Summary) displays charts for the top five gainers, losers, and bandwidth consuming applications, application categories, users, and sources.
Change Monitor Report

The Change Monitor Report contains the following buttons and options.

Button | Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Gainers: Displays measurements of items that have increased over the measured period.
Losers: Displays measurements of items that have decreased over the measured period.
New: Displays measurements of items that were added over the measured period.
Dropped: Displays measurements of items that were discontinued over the measured period.
Filter: Applies a filter to display only the selected item. None displays all entries.
Determines whether to display session or byte information.
Sort: Determines whether to sort entries by percentage or raw growth.
Export: Exports the graph as a .png image or as a PDF.
Compare: Specifies the period over which the change measurements are taken.
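The Gainers, Losers, New and Dropped views, the Top 10 cut-off, the Filter option and the Sort choice between percentage and raw growth are all one comparison of the current period against the Compare period. The Python below is an added example written for this page, not the firewall's own report code; the two per-application byte maps are constructed values, and the handling of an item that grows from a zero measurement (no finite percentage, so it is ranked first) is this example's choice, not something the page states.

```python
# Constructed per-application byte counts for the Compare period and the
# current period (hypothetical values; sessions would work the same way).
PREVIOUS_PERIOD = {"web-browsing": 1000, "ssl": 500, "ftp": 200, "dns": 100, "rapidshare": 50}
CURRENT_PERIOD = {"web-browsing": 1600, "ssl": 250, "dns": 300, "rapidshare": 500, "bittorrent": 800}


def change_monitor(previous, current, top=10, sort="percent", item_filter=None):
    """Compute the four Change Monitor views from two item -> measurement maps.

    previous: measurements over the Compare period; current: the current period.
    top:         the Top 10 style cut-off applied to every view.
    sort:        "percent" ranks by percentage growth, "raw" by absolute growth.
    item_filter: restrict the report to one item; None displays all entries.
    Each returned entry holds item, before, after, raw (after - before) and
    percent (None for New and Dropped, which have no pair of values to compare).
    """
    if sort not in ("percent", "raw"):
        raise ValueError("sort must be 'percent' or 'raw'")
    items = set(previous) | set(current)
    if item_filter is not None:
        items &= {item_filter}

    gainers, losers, new, dropped = [], [], [], []
    for item in items:
        before, after = previous.get(item), current.get(item)
        if before is None:                 # appeared during the current period
            new.append({"item": item, "before": None, "after": after, "raw": after, "percent": None})
        elif after is None:                # seen in the Compare period, absent now
            dropped.append({"item": item, "before": before, "after": None, "raw": -before, "percent": None})
        else:
            raw = after - before
            if raw == 0:
                continue                   # unchanged items appear in neither view
            # Growth from a zero measurement has no finite percentage; rank it first.
            percent = raw / before * 100 if before else float("inf")
            entry = {"item": item, "before": before, "after": after, "raw": raw, "percent": percent}
            (gainers if raw > 0 else losers).append(entry)

    # Rank on the chosen growth measure; ties break on the item name so the
    # output does not depend on set iteration order.
    gainers.sort(key=lambda e: (-e[sort], e["item"]))
    losers.sort(key=lambda e: (e[sort], e["item"]))        # largest decrease first
    new.sort(key=lambda e: (-e["after"], e["item"]))
    dropped.sort(key=lambda e: (-e["before"], e["item"]))
    return {"gainers": gainers[:top], "losers": losers[:top],
            "new": new[:top], "dropped": dropped[:top]}


if __name__ == "__main__":
    report = change_monitor(PREVIOUS_PERIOD, CURRENT_PERIOD, top=5)
    for view, entries in report.items():
        print(view, [(e["item"], e["raw"], e["percent"]) for e in entries])
```

With the constructed data the Sort choice visibly changes the ranking: by percentage rapidshare leads the gainers (50 to 500 bytes), by raw growth web-browsing does (1000 to 1600), which is why the report offers both.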
Threat Monitor Report

Each threat type is color-coded as indicated in the legend below the chart. The Threat Monitor report contains the following buttons and options.

Button | Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Threats: Determines the type of item measured: Threat, Threat Category, Source, or Destination.
Filter: Applies a filter to display only the selected type of items.
Determines whether the information is presented in a stacked column chart or a stacked area chart.
Export: Exports the graph as a .png image or as a PDF.
Specifies the period over which the measurements are taken.
Threat Map Report

The Threat Map report contains the following buttons and options.

Button | Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Incoming threats: Displays incoming threats.
Outgoing threats: Displays outgoing threats.
Filter: Applies a filter to display only the selected type of items.
Zoom in and zoom out of the map.
Export: Exports the graph as a .png image or as a PDF.
Indicates the period over which the measurements are taken.
The Network Monitor report contains the following buttons and options.

Button        Description
Top 10        Determines the number of records with the highest measurement included in the chart.
Application   Determines the type of item reported: Application, Application Category, Source, or Destination.
Filter        Applies a filter to display only the selected item. None displays all entries.
(icon)        Determines whether to display session or byte information.
Export        Exports the graph as a .png image or as a PDF.
(icon)        Determines whether the information is presented in a stacked column chart or a stacked area chart.
(icon)        Indicates the period over which the change measurements are taken.
Each traffic type is color-coded as indicated in the legend below the chart. The Traffic Map report contains the following buttons and options.

Button            Description
Top 10            Determines the number of records with the highest measurement included in the chart.
Incoming threats  Displays incoming threats.
Outgoing threats  Displays outgoing threats.
(icon)            Determines whether to display session or byte information.
(icon)            Zoom in and zoom out of the map.
Export            Exports the graph as a .png image or as a PDF.
(icon)            Indicates the period over which the change measurements are taken.
Use the Automated Correlation Engine
The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on your network. The engine correlates a series of related threat events that, when combined, indicate a likely compromised host on your network or some other higher-level conclusion. It pinpoints areas of risk, such as compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns and, when a match occurs, it generates a correlated event.
The automated correlation engine is supported on the following platforms:
Panorama M-Series appliance and the virtual appliance
PA-7000 Series firewall
PA-5000 Series firewall
PA-3000 Series firewall
Automated Correlation Engine Concepts
View the Correlated Objects
Interpret Correlated Events
Use the Compromised Hosts Widget in the ACC
Correlation Object
Correlated Events
Correlation Object
A correlation object is a definition file that specifies the patterns to match against, the data sources to use for the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity. When the match conditions are met, a correlated event is logged.
A correlation object can connect isolated network events and look for patterns that indicate a more significant event. These objects identify suspicious traffic patterns and network anomalies, including suspicious IP activity, known command-and-control activity, known vulnerability exploits, or botnet activity that, when correlated, indicate with a high probability that a host on the network has been compromised.
Correlation objects are defined and developed by the Palo Alto Networks Threat Research team, and are delivered with the weekly dynamic updates to the firewall and Panorama. To obtain new correlation objects, the firewall must have a Threat Prevention license. Panorama requires a support license to get the updates.
The patterns defined in a correlation object can be static or dynamic. Correlation objects that include patterns observed in WildFire are dynamic, and can correlate malware patterns detected by WildFire with command-and-control activity initiated by a host that was targeted with the malware on your network. For example, when a host submits a file to the WildFire cloud and the verdict is malicious, the correlation object looks for other hosts or clients on the network that exhibit the same behavior seen in the cloud. If the malware sample had performed a DNS query and browsed to a malware domain, the correlation object will parse the logs for a similar event. When the activity on a host matches the analysis in the cloud, a high-severity correlated event is logged.
Correlated Events
A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. To Interpret Correlated Events and to view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
View the Correlation Objects Available on the Firewall
Step 2
View the details on each correlation object. Each object provides the following information:
Name and Title: The name and title indicate the type of activity that the correlation object detects. The name column is hidden from view by default. To view the definition of the object, unhide the column and click the name link.
ID: A unique number that identifies the correlation object; this column is also hidden by default. The IDs are in the 6000 series.
Category: A classification of the kind of threat or harm posed to the network, user, or host. For now, all the objects identify compromised hosts on the network.
State: Indicates whether the correlation object is enabled (active) or disabled (inactive). All the objects in the list are enabled by default, and are hence active. Because these objects are based on threat intelligence data and are defined by the Palo Alto Networks Threat Research team, keep the objects active in order to track and detect malicious activity on your network.
Description: Specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the sequence of conditions that are matched to identify acceleration or escalation of malicious activity or suspicious host behavior. For example, the Compromise Lifecycle object detects a host involved in a complete attack lifecycle in a three-step escalation that starts with scanning or probing activity, progressing to exploitation, and concluding with network contact to a known malicious domain.
For more information, see Automated Correlation Engine Concepts and Use the Automated Correlation Engine.
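The correlation behaviour described above (patterns as boolean conditions over log data sources, a per-pattern threshold, a time window, and a severity on the resulting event) can be illustrated with a small engine. The following is an added example written for this page, not Palo Alto Networks code; the log field names, the object ID 6001 and the log entries are constructed, and attributing all three stages to the same source host is a simplification.

```python
"""Toy correlation engine illustrating the concepts above (added example,
not Palo Alto Networks code).  A correlation object is an ordered list of
stages; each stage is a predicate over log entries plus a threshold (matches
required before the stage completes), and the whole object has a time window
and a severity.  The three-step Compromise Lifecycle pattern from the text is
encoded: scanning/probing, then exploitation, then contact with a known
malicious domain, all attributed to the same source host (a simplification).
Log field names, the object ID and the log entries are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable


@dataclass
class Stage:
    name: str
    matches: Callable[[dict], bool]   # predicate over one log entry
    threshold: int = 1                # matches needed before the stage is done


@dataclass
class CorrelationObject:
    object_id: int
    name: str
    severity: str
    window: timedelta                 # every stage must complete within this span
    stages: list


@dataclass
class CorrelatedEvent:
    match_time: datetime              # time of the first piece of evidence
    update_time: datetime             # time of the latest piece of evidence
    object_name: str
    source_address: str
    severity: str
    summary: str
    evidence: list = field(default_factory=list)


def correlate(obj, logs):
    """Run one correlation object over log entries, tracked per source host.

    Returns one CorrelatedEvent for each host that completes every stage in
    order within obj.window; partial progress (or progress whose window has
    expired) produces no event, which is what keeps the output actionable."""
    progress = {}                     # src -> (stage index, start, evidence, count)
    events = []
    for entry in sorted(logs, key=lambda e: e["time"]):
        src = entry["src"]
        idx, start, evidence, count = progress.get(src, (0, None, [], 0))
        if start is not None and entry["time"] - start > obj.window:
            idx, start, evidence, count = 0, None, [], 0   # window expired: restart
        if obj.stages[idx].matches(entry):
            start = start or entry["time"]
            evidence = evidence + [entry]
            count += 1
            if count >= obj.stages[idx].threshold:
                idx, count = idx + 1, 0
            if idx == len(obj.stages):                     # escalation complete
                summary = f"{src}: " + " -> ".join(s.name for s in obj.stages)
                events.append(CorrelatedEvent(start, entry["time"], obj.name, src,
                                              obj.severity, summary, evidence))
                idx, start, evidence, count = 0, None, [], 0
        progress[src] = (idx, start, evidence, count)
    return events


COMPROMISE_LIFECYCLE = CorrelationObject(
    object_id=6001,                   # constructed; real IDs are in the 6000 series
    name="Compromise Lifecycle",
    severity="high",
    window=timedelta(hours=24),
    stages=[
        Stage("scan", lambda e: e["log"] == "threat" and e.get("subtype") == "scan",
              threshold=3),           # one probe is noise; three within the window is not
        Stage("exploit", lambda e: e["log"] == "threat" and e.get("subtype") == "vulnerability"),
        Stage("malicious-domain", lambda e: e["log"] == "url" and e.get("category") == "malware"),
    ],
)

T0 = datetime(2016, 3, 1, 9, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


# Constructed log entries with simplified Threat and URL Filtering log fields.
# 192.168.2.10 walks the whole lifecycle; 192.168.2.20 probes once and later
# visits a malicious URL, which is not an escalation and yields no event.
SAMPLE_LOGS = [
    {"time": at(0), "log": "threat", "subtype": "scan", "src": "192.168.2.10", "dst": "10.43.14.55"},
    {"time": at(1), "log": "threat", "subtype": "scan", "src": "192.168.2.10", "dst": "10.43.14.56"},
    {"time": at(2), "log": "threat", "subtype": "scan", "src": "192.168.2.10", "dst": "10.43.14.57"},
    {"time": at(3), "log": "threat", "subtype": "scan", "src": "192.168.2.20", "dst": "10.43.14.55"},
    {"time": at(30), "log": "threat", "subtype": "vulnerability", "src": "192.168.2.10", "dst": "10.43.14.55"},
    {"time": at(31), "log": "url", "category": "malware", "src": "192.168.2.20", "url": "bad.example"},
    {"time": at(45), "log": "url", "category": "malware", "src": "192.168.2.10", "url": "bad.example"},
]

if __name__ == "__main__":
    for ev in correlate(COMPROMISE_LIFECYCLE, SAMPLE_LOGS):
        print(ev.match_time, ev.update_time, ev.severity, ev.summary, len(ev.evidence), "log entries")
```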
Correlated Events include the following details:

Field            Description
Match Time       The time the correlation object triggered a match.
Update Time      The time when the event was last updated with evidence on the match. As the firewall collects evidence on the pattern or sequence of events defined in a correlation object, the timestamp on the correlated event log is updated.
Object Name      The name of the correlation object that triggered the match.
Source Address   The IP address of the user/device on your network from which the traffic originated.
Source User      The user and user group information from the directory server, if User-ID is enabled.
Severity         A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network and the severity implies the following:
                 Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
                 High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity generated by a particular host.
                 Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs, which suggests scripted command-and-control activity.
                 Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
                 Informational: Detects an event that may be useful in aggregate for identifying suspicious activity, but the event is not necessarily significant on its own.
                 To configure the firewall or Panorama to send alerts using email, SNMP, or syslog messages for a desired severity level, see Use External Services for Monitoring.
Summary          A description that summarizes the evidence gathered on the correlated event.

Click the icon to see the detailed log view, which includes all the evidence on a match:
Tab                Description
Match Information  Object Details: Presents information on the Correlation Object that triggered the match.
                   Match Details: A summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.
Match Evidence     Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.
For more details, see Use the Automated Correlation Engine and Use the Application Command Center.
Take Packet Captures
All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the management interface and network interfaces on the firewall. When taking packet captures on the dataplane, you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.
Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure you turn it off after you have collected the required packets.
Types of Packet Captures
Disable Hardware Offload
Take a Custom Packet Capture
Take a Threat Packet Capture
Take an Application Packet Capture
Take a Packet Capture on the Management Interface
Custom Packet Capture: The firewall captures packets for all traffic or for specific traffic based on filters that you define. For example, you can configure the firewall to only capture packets to and from a specific source and destination IP address or port. You then use the packet captures for troubleshooting network-related issues or for gathering application attributes to enable you to write custom application signatures or to request an application signature from Palo Alto Networks. See Take a Custom Packet Capture.
Threat Packet Capture: The firewall captures packets when it detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. A link to view or export the packet captures will appear in the second column of the Threat log. These packet captures provide context around a threat to help you determine if an attack is successful or to learn more about the methods used by an attacker. You can also submit this type of pcap to Palo Alto Networks to have a threat reanalyzed if you feel it's a false positive or false negative. See Take a Threat Packet Capture.
Application Packet Capture: The firewall captures packets based on a specific application and filters that you define. A link to view or export the packet captures will appear in the second column of the Traffic logs for traffic that matches the packet capture rule. See Take an Application Packet Capture.
Management Interface Packet Capture: The firewall captures packets on the management interface (MGT). The packet captures are useful when troubleshooting services that traverse the interface, such as firewall management authentication to external servers (LDAP and RADIUS, for example), software and content updates, log forwarding, communication with SNMP servers, and authentication requests for GlobalProtect and Captive Portal. See Take a Packet Capture on the Management Interface.
Disabling hardware offload increases the dataplane CPU usage. If dataplane CPU usage is already high, you may want to schedule a maintenance window before disabling hardware offload.
Enable/Disable Hardware Offload
Step 1
Disable hardware offload by running the following CLI command:
admin@PA-7050> set session offload no
Step 2
After the firewall captures the required traffic, enable hardware offload by running the following CLI command:
admin@PA-7050> set session offload yes
Before you start a packet capture, identify the attributes of the traffic that you want to capture.
For example, to determine the source IP address, source NAT IP address, and the destination IP address for traffic between two systems, perform a ping from the source system to the destination system. After the ping is complete, go to Monitor > Traffic and locate the traffic log for the two systems. Click the Detailed Log View icon located in the first column of the log and note the source address, source NAT IP, and the destination address.
The following example shows how to use a packet capture to troubleshoot a Telnet connectivity issue from a user in the Trust zone to a server in the DMZ zone.
Take a Custom Packet Capture (Continued)
Step 2
Set packet capture filters, so the firewall only captures traffic you are interested in.
Using filters makes it easier for you to locate the information you need in the packet capture and will reduce the processing power required by the firewall to take the packet capture. To capture all traffic, do not define filters and leave the filter option off.
For example, if you configured NAT on the firewall, you will need to apply two filters. The first one filters on the pre-NAT source IP address to the destination IP address and the second one filters traffic from the destination server to the source NAT IP address.
1. Select Monitor > Packet Capture.
2. Click Clear All Settings at the bottom of the window to clear any existing capture settings.
3. Click Manage Filters and click Add.
4. Select Id 1 and in the Source field enter the source IP address you are interested in and in the Destination field enter a destination IP address.
For example, enter the source IP address 192.168.2.10 and the destination IP address 10.43.14.55. To further filter the capture, set Non-IP to exclude non-IP traffic, such as broadcast traffic.
5. Add the second filter and select Id 2.
For example, in the Source field enter 10.43.14.55 and in the Destination field enter 10.43.14.25. In the Non-IP drop-down menu select exclude.
6. Click OK.
Step 3
Set Filtering to On.
Take a Custom Packet Capture (Continued)
Step 4
Specify the traffic stage(s) that trigger the packet capture and the filename(s) to use to store the captured content. For a definition of each stage, click the Help icon on the packet capture page.
For example, to configure all packet capture stages and define a filename for each stage, perform the following procedure:
1. Add a Stage to the packet capture configuration and define a Filename for the resulting packet capture. For example, select receive as the Stage and set the Filename to telnet-test-received.
2. Continue to Add each Stage you want to capture (receive, firewall, transmit, and drop) and set a unique Filename for each stage.
Step 5
Set Packet Capture to ON.
Note the warning that system performance can be degraded and then click OK. If you define filters, the packet capture should have little impact on performance, but you should always turn Off packet capture after the firewall captures the data that you want to analyze.
Step 6
Generate traffic that matches the filters that you defined.
For this example, generate traffic from the source system to the Telnet-enabled server by running the following command from the source system (192.168.2.10):
telnet 10.43.14.55
Take a Custom Packet Capture (Continued)
Step 7
Turn packet capture OFF and then click the refresh icon to see the packet capture files.
Notice that in this case, there were no dropped packets, so the firewall did not create a file for the drop stage.
Step 8
Download the packet captures by clicking the file name in the File Name column.
Step 9
View the packet capture files using a network packet analyzer.
In this example, the received.pcap packet capture shows a failed Telnet session from the source system at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. The source system sent the Telnet request to the server, but the server did not respond. In this example, the server may not have Telnet enabled, so check the server.
Step 10
Enable the Telnet service on the destination server (10.43.14.55) and turn on packet capture to take a new packet capture.
Step 11
Generate traffic that will trigger the packet capture.
Run the Telnet session again from the source system to the Telnet-enabled server:
telnet 10.43.14.55
Step 12
Download and open the received.pcap file and view it using a network packet analyzer.
The following packet capture now shows a successful Telnet session from the host user at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. Note that you also see the NAT address 10.43.14.25. When the server responds, it does so to the NAT address. You can see the session is successful as indicated by the three-way handshake between the host and the server and then you see Telnet data.
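A packet analyzer is the usual way to read received.pcap, but the check made in Step 9 and Step 12 (a Telnet request with no reply versus a completed three-way handshake, with the server replying to the NAT address 10.43.14.25) can also be automated. The following is an added example, not part of the PAN-OS guide: a pure-Python pcap reader that classifies the session; the two captures it reads are constructed inline as stand-ins for the firewall's received.pcap files.

```python
"""Classify the Telnet session in a 'receive'-stage packet capture.

Added example, not part of the PAN-OS guide: a pure-Python pcap reader that
reports 'established' when the three-way handshake (SYN, SYN-ACK, ACK) is
present and 'no response' when the client's SYN was never answered, the two
outcomes described in Step 9 and Step 12.  Because the firewall applies
source NAT, the server replies to the NAT address (10.43.14.25) rather than
the original source (192.168.2.10), so the client side of the conversation is
identified by a set of addresses.  The two captures below are constructed
stand-ins for the received.pcap files, not real firewall output."""
import socket
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08    # TCP flag bits used here
PCAP_MAGIC = 0xA1B2C3D4             # classic pcap magic (microsecond timestamps)


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums are left zero because the reader
    below never verifies them (a real capture has them filled in)."""
    ether = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return ether + ipv4 + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_456_822_800 + i, 0, len(frame), len(frame))
        out += frame
    return out


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, tcp_flags) for each TCP/IPv4 packet."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">"   # handle byte-swapped files too
    offset = 24                                     # skip the global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 14:
            continue                                # not TCP, or truncated header
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[13]


def telnet_session_state(pcap_bytes, client_ips, server_ip, port=23):
    """Return 'established', 'no response' (SYN never answered) or 'no syn'
    (no connection attempt to server_ip:port at all).  client_ips must hold
    both the pre-NAT and the NAT address, otherwise the SYN-ACK is not
    recognised as part of the conversation."""
    saw_syn = saw_synack = saw_ack = False
    for src, dst, sport, dport, flags in parse_pcap(pcap_bytes):
        to_server = src in client_ips and dst == server_ip and dport == port
        from_server = src == server_ip and dst in client_ips and sport == port
        if to_server and flags & SYN and not flags & ACK:
            saw_syn = True
        elif from_server and flags & SYN and flags & ACK:
            saw_synack = saw_syn
        elif to_server and saw_synack and flags & ACK:
            saw_ack = True
    if saw_syn and saw_synack and saw_ack:
        return "established"
    return "no response" if saw_syn else "no syn"


CLIENT, NAT_IP, SERVER = "192.168.2.10", "10.43.14.25", "10.43.14.55"

# Constructed stand-in for the first received.pcap: the request goes out
# (and is retransmitted) but the server never answers.
FAILED_CAPTURE = build_pcap([
    build_frame(CLIENT, SERVER, 40001, 23, SYN),
    build_frame(CLIENT, SERVER, 40001, 23, SYN),
])

# Constructed stand-in for the second received.pcap: full handshake, the
# server replying to the NAT address, followed by a Telnet option negotiation.
SUCCESS_CAPTURE = build_pcap([
    build_frame(CLIENT, SERVER, 40002, 23, SYN),
    build_frame(SERVER, NAT_IP, 23, 40002, SYN | ACK),
    build_frame(CLIENT, SERVER, 40002, 23, ACK),
    build_frame(SERVER, NAT_IP, 23, 40002, PSH | ACK, b"\xff\xfd\x18"),  # IAC DO TERMINAL-TYPE
])

if __name__ == "__main__":
    for name, capture in (("first capture", FAILED_CAPTURE), ("second capture", SUCCESS_CAPTURE)):
        print(name, "->", telnet_session_state(capture, {CLIENT, NAT_IP}, SERVER))
```

If only the pre-NAT address is passed as the client, the server's reply to 10.43.14.25 is not recognised and the successful capture is reported as unanswered, which is exactly why Step 2 needs the second filter.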
Step 1
Enable the packet capture option in the security profile.
Some security profiles allow you to define a single packet capture, or extended capture. If you choose extended capture, define the capture length. This will allow the firewall to capture more packets to provide additional context related to the threat.
The firewall can only capture packets if the action for a given threat is set to allow or alert.
Step 2
Add the security profile (with packet capture enabled) to a Security Policy rule.
Take a Threat Packet Capture (Continued)
Step 3
View/export the packet capture from the Threat logs.
1. Select Monitor > Logs > Threat.
2. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system.
Take a Packet Capture for Unknown Applications
Take a Custom Application Packet Capture
Take a Packet Capture for Unknown Applications
Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application that the firewall cannot identify. Typically, the only applications that are classified as unknown traffic (tcp, udp, or non-syn-tcp) are commercially available applications that do not yet have App-ID signatures, internal or custom applications on your network, or potential threats. You can use these packet captures to gather more context related to the unknown application or use the information to analyze the traffic for potential threats. You can also Manage Custom or Unknown Applications by controlling them through security policy or by writing a custom application signature and creating a security rule based on the custom signature. If the application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an App-ID signature created.
Identify Unknown Applications in Traffic Logs and View Packet Captures
Step 1
Verify that unknown application packet capture is enabled. This option is on by default.
1. To view the unknown application capture setting, run the following CLI command:
admin@PA-200> show running application setting | match Unknown capture
2. If the unknown capture setting option is off, enable it:
admin@PA-200> set application dump-unknown yes
Identify Unknown Applications in Traffic Logs and View Packet Captures (Continued)
Step 2
Locate unknown applications by filtering the traffic logs.
1. Select Monitor > Logs > Traffic.
2. Click Add Filter and select the filters as shown in the following example.
3. Click Add and Apply Filter.
Step 3
Click the packet capture icon to view the packet capture or Export it to your local system.
Take a Custom Application Packet Capture
You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in Objects > Applications.
Take a Custom Application Packet Capture
Step 1
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 2
Turn on the application packet capture and define filters.
admin@PA-200> set application dump on application <application-name> rule <rule-name>
For example, to capture packets for the facebook-base application that matches the security rule named rule1, run the following CLI command:
admin@PA-200> set application dump on application facebook-base rule rule1
You can also apply other filters, such as source IP address and destination IP address.
Step 3
View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after enabling the packet capture.
In the following output, you see that application filtering is now on based on the facebook-base application for traffic that matches rule1.
Application setting:
Application cache               : yes
Supernode                       : yes
Heuristics                      : yes
Cache Threshold                 : 16
Bypass when exceeds queue limit : no
Traceroute appid                : yes
Traceroute TTL threshold        : 30
Use cache for appid             : no
Unknown capture                 : on
Max. unknown sessions           : 5000
Current unknown sessions        : 0
Application capture             : on
Max. application sessions       : 5000
Current application sessions    : 0
Application filter setting:
Rule                            : rule1
From                            : any
To                              : any
Source                          : any
Destination                     : any
Protocol                        : any
Source Port                     : any
Dest. Port                      : any
Application                     : facebook-base
Current APPID Signature
Signature Usage                 : 21 MB (Max. 32 MB)
TCP 1 C2S                       : 15503 states
TCP 1 S2C                       : 5070 states
TCP 2 C2S                       : 2426 states
TCP 2 S2C                       : 702 states
UDP 1 C2S                       : 11379 states
UDP 1 S2C                       : 2967 states
UDP 2 C2S                       : 755 states
UDP 2 S2C                       : 224 states
Step 4
Access Facebook.com from a web browser to generate Facebook traffic and then turn off application packet capture by running the following CLI command:
admin@PA-200> set application dump off
Take a Custom Application Packet Capture (Continued)
Step 5
View/export the packet capture.
1. Log in to the web interface on the firewall and select Monitor > Logs > Traffic.
2. In the log entry that you are interested in, click the green packet capture icon in the second column.
3. View the packet capture directly or Export it to your computer. The following screen capture shows the facebook-base packet capture.
Take a Management Interface Packet Capture
Step 1
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 2
To start a packet capture on the MGT interface, run the following command:
admin@PA-200> tcpdump filter <filter-option> <IP-address> snaplen length
For example, to capture the traffic that is generated when an administrator authenticates to the firewall using RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
admin@PA-200> tcpdump filter dst 10.5.104.99 snaplen 0
You can also filter on src (source IP address), host, net, and you can exclude content. For example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22), run the following command:
admin@PA-200> tcpdump filter net 10.5.104.0/24 and not port 22 snaplen 0
Each time tcpdump takes a packet capture, it stores the content in a file named mgmt.pcap. This file is overwritten each time you run tcpdump.
Step 3
After the traffic you are interested in has traversed the MGT interface, press Ctrl+C to stop the capture.
Take a Management Interface Packet Capture (Continued)
Step 4
View the packet capture by running the following command:
admin@PA-200> view-pcap mgmt-pcap mgmt.pcap
The following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):
09:55:29.139394 0x00 length: 89
09:55:29.144354
09:55:29.379290 0x00 length: 70
09:55:34.379262
Step 5
(Optional) Export the packet capture from the firewall using SCP (or TFTP). For example, to export the packet capture using SCP, run the following command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to <username@host:path>
For example, to export the pcap to an SCP-enabled server at 10.5.5.20 to a temp folder named temp-SCP, run the following CLI command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to admin@10.5.5.20:c:/temp-SCP
Enter the login name and password for the account on the SCP server to enable the firewall to copy the packet capture to the c:\temp-SCP folder on the SCP-enabled server.
Step 6
You can now view the packet capture files using a network packet analyzer, such as Wireshark.
Monitor Applications and Threats
All Palo Alto Networks next-generation firewalls come equipped with the App-ID technology, which identifies the applications traversing your network, irrespective of protocol, encryption, or evasive tactic. You can then Use the Application Command Center to monitor the applications. The ACC graphically summarizes the data from a variety of log databases to highlight the applications traversing your network, who is using them, and their potential security impact. ACC is dynamically updated, using the continuous traffic classification that App-ID performs; if an application changes ports or behavior, App-ID continues to see the traffic, displaying the results in ACC. Additional visibility into URL categories, threats, and data provides a complete and well-rounded picture of network activity. With ACC, you can very quickly learn more about the traffic traversing the network and then translate that information into a more informed security policy.
You can also Use the Dashboard to monitor the network.
View AutoFocus Threat Data for Logs to check whether logged events on the firewall pose a security risk. The AutoFocus intelligence summary shows the prevalence of properties, activities, or behaviors associated with logs in your network and on a global scale, as well as the WildFire verdict and AutoFocus tags linked to them. With an active AutoFocus subscription, you can use this information to create customized AutoFocus Alerts that track specific threats on your network.
Monitor and Manage Logs
A log is an automatically generated, time-stamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, the firewall generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature or a DoS attack that matches the thresholds configured for a port scan or host sweep activity on the firewall.
Log Types and Severity Levels
Work with Logs
Configure Log Storage Quotas and Expiration Periods
Schedule Log Exports to an SCP or FTP Server
Traffic Logs
Threat Logs
URL Filtering Logs
WildFire Submissions Logs
Data Filtering Logs
Correlation Logs
Config Logs
System Logs
HIP Match Logs
Alarms Logs
Unified Logs
Traffic Logs
Traffic logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones, addresses and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
The Type column indicates whether the entry is for the start or end of the session. The Action column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates the security rule that blocked the traffic specified any application, while a deny indicates the rule identified a specific application. If the firewall drops traffic before identifying the application, such as when a rule drops all traffic for a specific service, the Application column displays not-applicable.
Click the icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).
Threat Logs
Threat logs display entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, and ports; application name; alarm action (such as allow or block); and severity level.
To see more details on individual Threat log entries:
Click the icon beside a threat entry to view details such as whether the entry aggregates multiple threats of the same type between the same source and destination (in which case the Count column value is greater than one).
If you configured the firewall to Take Packet Captures, click the icon beside an entry to access the captured packets.
The following table summarizes the Threat severity levels:

Severity       Description
Critical       Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and the exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims and the target does not need to be manipulated into performing any special functions.
High           Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
Medium         Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. In addition, WildFire Submissions log entries with a malware verdict are logged as Medium.
Low            Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged as Low.
Informational  Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist. URL Filtering log entries and WildFire Submissions log entries with a benign verdict are logged as Informational.
URL Filtering Logs
URL Filtering logs display entries for traffic that matches URL Filtering Profiles attached to security rules. For example, the firewall generates a log if a rule blocks access to specific websites and website categories or if you configured a rule to generate an alert when a user accesses a website.
WildFire Submissions Logs
The firewall forwards samples (files and email links) to the WildFire cloud for analysis based on WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). The firewall generates WildFire Submissions log entries for each sample it forwards after WildFire completes static and dynamic analysis of the sample. WildFire Submissions log entries include the WildFire verdict for the submitted sample.
The following table summarizes the WildFire verdicts:

Severity   Description
Benign     Indicates that the entry received a WildFire analysis verdict of benign. Files categorized as benign are safe and do not exhibit malicious behavior.
Grayware   Indicates that the entry received a WildFire analysis verdict of grayware. Files categorized as grayware do not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware can include adware, spyware, and Browser Helper Objects (BHOs).
Malicious  Indicates that the entry received a WildFire analysis verdict of malicious. Samples categorized as malicious can pose a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For samples that are identified as malware, the WildFire cloud generates and distributes a signature to prevent against future exposure.
Data Filtering Logs
Data Filtering logs display entries for the security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects. See Set Up Data Filtering for information on defining Data Filtering profiles.
This log type also shows information for File Blocking Profiles. For example, if a rule blocks .exe files, the log shows the blocked files.
Correlation Logs
The firewall logs a correlated event when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network. To Interpret Correlated Events and view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
The following table summarizes the Correlation log severity levels:

Severity       Description
Critical       Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High           Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host.
Medium
Indicatesthatahostislikelycompromisedbasedonthedetectionofoneormultiplesuspiciousevents,
suchasrepeatedvisitstoknownmaliciousURLsthatsuggestsascriptedcommandandcontrol
activity.
Low
Indicatesthatahostispossiblycompromisedbasedonthedetectionofoneormultiplesuspicious
events,suchasavisittoamaliciousURLoradynamicDNSdomain.
Informational Detectsaneventthatmaybeusefulinaggregateforidentifyingsuspiciousactivity;eacheventisnot
necessarilysignificantonitsown.
Config Logs
Config logs display entries for changes to the firewall configuration. Each entry includes the date and time,
the administrator username, the IP address from where the administrator made the change, the type of client
(Web, CLI, or Panorama), the type of command executed, the command status (succeeded or failed), the
configuration path, and the values before and after the change.
System Logs
System logs display entries for each system event on the firewall. Each entry includes the date and time,
event severity, and event description. The following table summarizes the System log severity levels. For a
partial list of System log messages and their corresponding severity levels, refer to System Log Events.
Severity
Description
Critical
Hardware failures, including high availability (HA) failover and link failures.
High
Serious issues, including dropped connections with external devices, such as LDAP and RADIUS
servers.
Medium
Mid-level notifications, such as antivirus package upgrades.
Low
Minor severity notifications, such as user password changes.
Informational
Login/logoff, administrator name or password change, any configuration change, and all other events
not covered by the other severity levels.
HIP Match Logs
The GlobalProtect Host Information Profile (HIP) matching enables you to collect information about the
security status of the end devices accessing your network (such as whether they have disk encryption
enabled). The firewall can allow or deny access to a specific host based on adherence to the HIP-based
security rules you define. HIP Match logs display traffic flows that match a HIP Object or HIP Profile that
you configured for the rules.
Alarms Logs
An alarm is a firewall-generated message indicating that the number of events of a particular type (for
example, encryption and decryption failures) has exceeded the threshold configured for that event type. To
enable alarms and configure alarm thresholds, select Device > Log Settings and edit the Alarm Settings.
When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display
the alarm. After you Close the dialog, you can reopen it any time by clicking Alarms at the bottom of the
web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select the
alarm in the Unacknowledged Alarms list and Acknowledge the alarm.
Unified Logs
Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs
displayed in a single view. Unified log view enables you to investigate and filter the latest entries from
different log types in one place, instead of searching through each log type separately. Click Effective
Queries in the filter area to select which log types will display entries in Unified log view.
The Unified log view displays only entries from logs that you have permission to see. For example, an
administrator who does not have permission to view WildFire Submissions logs will not see WildFire
Submissions log entries when viewing Unified logs. Administrative Roles define these permissions.
When you Set Up Remote Search in AutoFocus to perform a targeted search on the firewall, the search results
are displayed in Unified log view.
View Logs
Filter Logs
Export Logs
View AutoFocus Threat Data for Logs
View Logs
You can view the different log types on the firewall in a tabular format. The firewall locally stores all log files
and automatically generates Configuration and System logs by default. To learn more about the security
rules that trigger the creation of entries for the other types of logs, see Log Types and Severity Levels.
To configure the firewall to forward logs as syslog messages, email notifications, or Simple Network
Management Protocol (SNMP) traps, Use External Services for Monitoring.
View Logs
Step 1
Select a log type to view.
Select a log type from the list.
The firewall displays only the logs you have permission to see. For example, if your administrative account
does not have permission to view WildFire Submissions logs, the firewall does not display that log type when
you access the logs pages. Administrative Roles define the permissions.
Step 2
(Optional) Customize the log column display.
1. Click the arrow to the right of any column header, and select Columns.
2. Select columns to display from the list. The log updates automatically to match your selections.
Step 3
View additional details about log entries.
Click the spyglass for a specific log entry. The Detailed Log View has more information about the source and
destination of the session, as well as a list of sessions related to the log entry.
(Threat log only) Click the icon next to an entry to access local packet captures of the threat. To enable local
packet captures, see Take Packet Captures.
Next Steps...
Filter Logs.
Export Logs.
View AutoFocus Threat Data for Logs.
Configure Log Storage Quotas and Expiration Periods.
Filter Logs
Each log has a filter area that allows you to set criteria for which log entries to display. The ability to filter
logs is useful for focusing on events on your firewall that possess particular properties or attributes. Filter
logs by artifacts that are associated with individual log entries.
Filter Logs
Step 1
(Unified logs only) Select the log types to include in the Unified log display.
1. Click Effective Queries.
2. Select one or more log types from the list (traffic, threat, url, data, and wildfire).
3. Click OK. The Unified log updates to show only entries from the log types you have selected.
Step 2
Add a filter to the filter field.
Click one or more artifacts (such as the application type associated with traffic and the IP address of an
attacker) in a log entry. For example, click the Source 10.0.0.25 and Application web-browsing of a log entry
to display only entries that contain both artifacts in the log (AND search).
To specify artifacts to add to the filter field, click Add Filter.
To add a previously saved filter, click Load Filter.
If the value of the artifact matches the operator (such as has or in), enclose the value in quotation marks to
avoid a syntax error. For example, if you filter by destination country and use IN as a value to specify INDIA,
enter the filter as ( dstloc eq "IN" ).
Step 3
Apply the filter to the log.
Click Apply Filter. The log will refresh to display only log entries that match the current filter.
Step 4
(Optional) Save frequently used filters.
1. Click Save Filter.
2. Enter a Name for the filter.
3. Click OK. You can view your saved filters by clicking Load Filter.
Next Steps...
View Logs.
Export Logs.
View AutoFocus Threat Data for Logs.
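As an added illustration of the filter syntax this procedure describes (this is not code from the PAN-OS guide or from Palo Alto Networks), the following Python evaluates expressions such as ( dstloc eq "IN" ), the AND search of two artifacts, and the not (addr.src in 10.0.1.35) form used later for the botnet report, over a handful of constructed log entries. The operator semantics (eq as exact match, has as substring match, in as IP address or network membership), the field names used as dictionary keys, and the sample entries are assumptions made for this example and do not describe the firewall's own parser; the example does reproduce the syntax error the note above warns about when an operator keyword such as IN is used as an unquoted value.

```python
"""Evaluate PAN-OS-style log filter expressions over constructed log entries.

Added illustration of the filter syntax on this page, not the firewall's own
parser. Operator semantics are assumptions for the example:
eq = exact match, has = substring match, in = IP address/network membership.
"""
import ipaddress
import re

TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()"]+')
KEYWORDS = {"eq", "in", "has", "and", "or", "not"}

# Constructed sample log entries keyed by filter field name.
SAMPLE_LOGS = [
    {"addr.src": "10.0.0.25", "app": "web-browsing", "dstloc": "IN", "url": "example.in/login"},
    {"addr.src": "10.0.1.35", "app": "ssl", "dstloc": "US", "url": "example.com"},
    {"addr.src": "10.3.3.15", "app": "web-browsing", "dstloc": "IN", "url": "example.in/"},
    {"addr.src": "192.0.2.44", "app": "dns", "dstloc": "DE", "url": ""},
]


class FilterParser:
    """Recursive-descent parser: or < and < not < ( ... ) / field op value."""

    def __init__(self, text):
        self.tokens = TOKEN_RE.findall(text)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        tree = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected token {self.peek()!r}")
        return tree

    def parse_or(self):
        tree = self.parse_and()
        while (self.peek() or "").lower() == "or":
            self.take()
            tree = ("or", tree, self.parse_and())
        return tree

    def parse_and(self):
        tree = self.parse_not()
        while (self.peek() or "").lower() == "and":
            self.take()
            tree = ("and", tree, self.parse_not())
        return tree

    def parse_not(self):
        tok = self.peek()
        if tok is None:
            raise SyntaxError("unexpected end of filter")
        if tok.lower() == "not":
            self.take()
            return ("not", self.parse_not())
        if tok == "(":
            self.take()
            tree = self.parse_or()
            if self.take() != ")":
                raise SyntaxError("missing closing parenthesis")
            return tree
        field, op, value = self.take(), self.take(), self.take()
        if op is None or value in (None, "(", ")") or op.lower() not in ("eq", "in", "has"):
            raise SyntaxError(f"bad comparison near {field!r}")
        # A bare value that is also a keyword (e.g. the country code IN)
        # is the syntax error the guide warns about; it must be quoted.
        if value.lower() in KEYWORDS and not value.startswith('"'):
            raise SyntaxError(f"value {value!r} must be quoted")
        return ("cmp", field, op.lower(), value.strip('"'))


def matches(tree, entry):
    """Evaluate a parsed filter tree against one log entry (a dict)."""
    kind = tree[0]
    if kind == "and":
        return matches(tree[1], entry) and matches(tree[2], entry)
    if kind == "or":
        return matches(tree[1], entry) or matches(tree[2], entry)
    if kind == "not":
        return not matches(tree[1], entry)
    _, field, op, value = tree
    actual = str(entry.get(field, ""))
    if op == "eq":
        return actual.lower() == value.lower()
    if op == "has":
        return value.lower() in actual.lower()
    try:  # "in": address membership, e.g. addr.src in 10.0.0.0/16
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    except ValueError:
        return actual.lower() == value.lower()


def filter_logs(expression, entries=SAMPLE_LOGS):
    """Return the entries that satisfy the filter expression."""
    tree = FilterParser(expression).parse()
    return [e for e in entries if matches(tree, e)]


def is_valid_filter(expression):
    """True if the expression parses; False on the syntax errors shown above."""
    try:
        FilterParser(expression).parse()
        return True
    except SyntaxError:
        return False
```

Calling filter_logs('( addr.src eq 10.0.0.25 ) and ( app eq web-browsing )') returns only the first sample entry, which is the AND search described in Step 2; is_valid_filter('( dstloc eq IN )') is False while the quoted form parses.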
Export Logs
You can export the contents of a log type to a comma-separated value (CSV) formatted report. By default,
the report contains up to 2,000 rows of log entries.
Export Logs
Step 1
Set the number of rows to display in the report.
1.
2.
3.
4. Click OK.
Step 2
Download the log.
1. Click Export to CSV. A progress bar showing the status of the download appears.
2. When the download is complete, click Download file to save a copy of the log to your local folder. For
descriptions of the column headers in a downloaded log, refer to Syslog Field Descriptions.
Next Step...
Schedule Log Exports to an SCP or FTP Server.
View AutoFocus Threat Data for Logs
Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs include AutoFocus
threat intelligence data to provide context for the following artifacts found in the log entries:
IP address
URL
User agent
Threat name
Filename
SHA256 hash
You can also open an AutoFocus search for log artifacts.
View AutoFocus Threat Data for Logs
Step 1
Connect the firewall to AutoFocus to Enable AutoFocus Threat Intelligence.
Enable AutoFocus in Panorama to view AutoFocus threat data for all Panorama log entries, including
those from firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier
release versions (Panorama > Setup > Management > AutoFocus).
Step 2
Select a log type to view.
1.
2. Select one of the following log types: Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering,
or Unified.
Step 3
Open the AutoFocus Intelligence Summary for an artifact.
1. Click the drop-down for an IP address, URL, user agent, threat name, filename, or SHA256 hash in any log
entry.
2. Click AutoFocus.
Step 4
Review the logs and statistics in the AutoFocus Intelligence Summary to assess the pervasiveness and risk of
the artifact:
View recent passive DNS history for IP address, domain, and URL artifacts.
Review the matching tags for the artifact. AutoFocus Tags indicate whether an artifact is linked to malware or
targeted attacks.
Create AutoFocus Alerts for tags issued by Unit 42, the Palo Alto Networks threat research team. Alerts for
Unit 42 tags help you detect advanced security threats and campaigns as they occur on your network.
View the number of sessions logged in your firewall(s) where samples associated with the artifact were detected.
Compare the WildFire verdicts (benign, malware, grayware) for global and private samples that contain the
artifact. Global refers to samples from all WildFire submissions, while private refers to only samples submitted to
WildFire by your organization.
View the latest private samples with which WildFire found the artifact. Artifacts found with the samples include
SHA256 hash, the file type, the date that the sample was first analyzed by WildFire, the WildFire verdict for the
sample, and the date that the WildFire verdict was updated (if applicable).
Step 5
Add artifacts from the firewall to an AutoFocus Search.
Click the link for the log artifact. The AutoFocus search editor opens in a new browser tab, with the log
artifact added as a search condition.
Click any linked artifact in the tables or charts to add it as a search condition to an AutoFocus search.
Next Step...
Learn more about AutoFocus Search.
Configure Log Storage Quotas and Expiration Periods
Step 1
Step 2
Step 3
Enter the Max Days (expiration period) for each log type (range is 1-2,000). The fields are blank by default,
which means the logs never expire.
The firewall synchronizes expiration periods across high availability (HA) pairs. Because only the active
HA peer generates logs, the passive peer has no logs to delete unless failover occurs and it starts
generating logs.
Step 4
Click OK and Commit.
Schedule Log Exports to an SCP or FTP Server
Step 1
Step 2
Enter a Name for the scheduled log export and Enable it.
Step 3
Select the Log Type to export.
Step 4
Step 5
Select the Protocol to export the logs: SCP (secure) or FTP.
Step 6
Enter the Hostname or IP address of the server.
Step 7
Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.
Step 8
Enter the Path or directory in which to save the exported logs.
Step 9
Enter the Username and, if necessary, the Password (and Confirm Password) to access the server.
Manage Reporting
The reporting capabilities on the firewall allow you to keep a pulse on your network, validate your policies,
and focus your efforts on maintaining network security for keeping your users safe and productive.
Report Types
View Reports
Configure the Report Expiration Period
Disable Predefined Reports
Custom Reports
Generate Custom Reports
Generate Botnet Reports
Generate the SaaS Application Usage Report
Manage PDF Summary Reports
Generate User/Group Activity Reports
Manage Report Groups
Schedule Reports for Email Delivery
Report Types
The firewall includes predefined reports that you can use as is, or you can build custom reports that meet
your needs for specific data and actionable tasks, or you can combine predefined and custom reports to
compile the information you need. The firewall provides the following types of reports:
Predefined Reports: Allow you to view a quick summary of the traffic on your network. A suite of
predefined reports is available in four categories: Applications, Traffic, Threat, and URL Filtering. See
View Reports.
User or Group Activity Reports: Allow you to schedule or create an on-demand report on the
application use and URL activity for a specific user or for a user group. The report includes the URL
categories and an estimated browse time calculation for individual users. See Generate User/Group
Activity Reports.
Custom Reports: Create and schedule custom reports that show exactly the information you want to see
by filtering on conditions and columns to include. You can also include query builders for more specific
drill down on report data. See Generate Custom Reports.
PDF Summary Reports: Aggregate up to 18 predefined or custom reports/graphs from Threat,
Application, Trend, Traffic, and URL Filtering categories into one PDF document. See Manage PDF
Summary Reports.
Botnet Reports: Allow you to use behavior-based mechanisms to identify potential botnet-infected
hosts in the network. See Generate Botnet Reports.
Report Groups: Combine custom and predefined reports into report groups and compile a single PDF
that is emailed to one or more recipients. See Manage Report Groups.
Reports can be generated on demand, on a recurring schedule, and can be scheduled for email delivery.
View Reports
The firewall provides an assortment of over 40 predefined reports that it generates every day. You can view
these reports directly on the firewall. You can also view custom reports and summary reports.
About 200 MB of storage is allocated for saving reports on the firewall. You can't configure this limit, but you
can Configure the Report Expiration Period: the firewall will automatically delete reports that exceed the
period. Keep in mind that when the firewall reaches its storage limit, it automatically deletes older reports to
create space even if you don't set an expiration period. Another way to conserve system resources on the
firewall is to Disable Predefined Reports. For long-term retention of reports, you can export the reports (as
described below) or Schedule Reports for Email Delivery.
Unlike other reports, you can't save User/Group Activity reports on the firewall. You must
Generate User/Group Activity Reports on demand or schedule them for email delivery.
View Reports
Step 1
Step 2
Select a report to view. The reports page then displays the report for the previous day.
To view reports for other days, select a date in the calendar at the bottom right of the page and select a report.
If you select a report in another section, the date selection resets to the current date.
Step 3
To view a report offline, you can export the report to PDF, CSV, or XML format. Click Export to PDF,
Export to CSV, or Export to XML at the bottom of the page, then print or save the file.
Configure the Report Expiration Period
Step 2
Step 3
Click OK and Commit.
Disable Predefined Reports
Step 2
Select the Pre-Defined Reports tab and clear the check box for each report you want to disable. To disable
all predefined reports, click Deselect All.
Step 3
Click OK and Commit.
Custom Reports
In order to create purposeful custom reports, you must consider the attributes or key pieces of information
that you want to retrieve and analyze. This consideration guides you in making the following selections in a
custom report:
Selection
Description
Data Source
The data file that is used to generate the report. The firewall offers two types of data
sources: Summary databases and Detailed logs.
Summary databases are available for traffic, threat, and application statistics. The
firewall aggregates the detailed logs on traffic, application, and threat at 15-minute
intervals. The data is condensed: duplicate sessions are grouped together and
incremented with a repeat counter, and some attributes (or columns) are not included
in the summary to allow faster response time when generating reports.
Detailed logs are itemized and are a complete listing of all the attributes (or columns)
that pertain to the log entry. Reports based on detailed logs take much longer to run
and are not recommended unless absolutely necessary.
Attributes
The columns that you want to use as the match criteria. The attributes are the columns
that are available for selection in a report. From the list of Available Columns, you can add
the selection criteria for matching data and for aggregating the details (the Selected
Columns).
Sort By/Group By
The following example illustrates how the Selected Columns and Sort By/Group By
criteria work together when generating reports:
The columns circled in red (above) depict the columns selected, which are the attributes
that you match against for generating the report. Each log entry from the data source is
parsed and these columns are matched on. If multiple sessions have the same values for
the selected columns, the sessions are aggregated and the repeat count (or sessions) is
incremented.
The column circled in blue indicates the chosen sort order. When the sort order (Sort By)
is specified, the data is sorted (and aggregated) by the selected attribute.
The column circled in green indicates the Group By selection, which serves as an anchor
for the report. The Group By column is used as a match criterion to filter for the top N
groups. Then, for each of the top N groups, the report enumerates the values for all the
other selected columns.
For example, if a report has the following selections:
The output will display as follows:
The report is anchored by Day and sorted by Sessions. It lists the 5 days (5 Groups) with
maximum traffic in the Last 7 Days time frame. The data is enumerated by the Top 5
sessions for each day for the selected columns App Category, App Subcategory and
Risk.
Time Period
The date range for which you want to analyze data. You can define a custom range or
select a time period ranging from the last 15 minutes to the last 30 days. The reports can be
run on demand or scheduled to run at a daily or weekly cadence.
Query Builder
The query builder allows you to define specific queries to further refine the selected
attributes. It allows you to see just what you want in your report using and and or operators
and a match criteria, and then include or exclude data that matches or negates the query
in the report. Queries enable you to generate a more focused collation of information in a
report.
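The following Python is an added worked example (not the firewall's code) of the report mechanics the table above describes: detailed rows with identical values in the Selected Columns collapse into summary rows carrying a sessions repeat counter, a 15-minute bucketing helper shows how interval summaries are keyed, and top_n_report applies the Group By anchor, the Sort By metric and the two top-N limits (groups, then rows within each group). The column names, the sample traffic rows and the helper functions are constructed for this example.

```python
"""Summary-database aggregation and Sort By/Group By top-N enumeration.

Added illustration of the custom-report mechanics described on this page. It
is not PAN-OS code: the row layout, the 15-minute bucketing helper and the
sample rows are constructed for the example.
"""
from collections import OrderedDict
from datetime import datetime


def bucket_15min(ts):
    """Floor a timestamp to the start of its 15-minute summary interval."""
    return ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)


def interval_of(iso_ts):
    """Text form of the 15-minute interval an ISO timestamp string falls in."""
    return bucket_15min(datetime.fromisoformat(iso_ts)).strftime("%Y-%m-%d %H:%M")


def summarize(rows, columns):
    """Collapse detailed rows with identical values in `columns` into one
    summary row, counting sessions (the repeat counter) and summing bytes."""
    acc = OrderedDict()
    for row in rows:
        key = tuple(row[c] for c in columns)
        metrics = acc.setdefault(key, {"sessions": 0, "bytes": 0})
        metrics["sessions"] += 1
        metrics["bytes"] += row.get("bytes", 0)
    return [dict(zip(columns, key), **m) for key, m in acc.items()]


def top_n_report(rows, columns, group_by, sort_by, n_groups, n_rows):
    """Group By anchors the report: rank groups by the sort_by metric, keep the
    top n_groups, then list the top n_rows summary rows inside each group."""
    summary = summarize(rows, columns)
    totals = {}
    for r in summary:
        totals[r[group_by]] = totals.get(r[group_by], 0) + r[sort_by]
    top_groups = sorted(totals, key=lambda g: totals[g], reverse=True)[:n_groups]
    report = OrderedDict()
    for g in top_groups:
        members = sorted((r for r in summary if r[group_by] == g),
                         key=lambda r: r[sort_by], reverse=True)
        report[g] = [{k: v for k, v in r.items() if k != group_by} for r in members[:n_rows]]
    return report


def _detailed_row(ts, category, subcategory, risk, nbytes):
    # Constructed detailed traffic-log row; "day" is what Group By anchors on.
    return {"day": ts.strftime("%Y-%m-%d"), "interval": bucket_15min(ts),
            "app_category": category, "app_subcategory": subcategory,
            "risk": risk, "bytes": nbytes}


SAMPLE_ROWS = [
    _detailed_row(datetime(2016, 5, 2, 10, 37), "general-internet", "internet-utility", 4, 1200),
    _detailed_row(datetime(2016, 5, 2, 10, 41), "general-internet", "internet-utility", 4, 800),
    _detailed_row(datetime(2016, 5, 2, 11, 5), "general-internet", "internet-utility", 4, 5000),
    _detailed_row(datetime(2016, 5, 2, 11, 9), "networking", "encrypted-tunnel", 4, 90000),
    _detailed_row(datetime(2016, 5, 3, 9, 0), "general-internet", "internet-utility", 4, 300),
    _detailed_row(datetime(2016, 5, 3, 9, 14), "general-internet", "internet-utility", 4, 400),
    _detailed_row(datetime(2016, 5, 4, 16, 30), "collaboration", "email", 3, 2500),
]

# The Selected Columns of the page's example: Day, App Category, App Subcategory, Risk.
SELECTED = ["day", "app_category", "app_subcategory", "risk"]

if __name__ == "__main__":
    for day, rows in top_n_report(SAMPLE_ROWS, SELECTED, "day", "sessions", 5, 5).items():
        print(day)
        for r in rows:
            print("   ", r)
```

Switching sort_by to "bytes" reorders both the groups and the rows within them, which is the difference between a report anchored by Day and sorted by Sessions and one sorted by Bytes.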
Generate Custom Reports
Step 2
Click Add and then enter a Name for the report.
To base a report on a predefined template, click Load Template and choose the template. You can
then edit the template and save it as a custom report.
Step 3
Select the Database to use for the report.
Each time you create a custom report, a log view report is automatically created. This report shows the
logs that were used to build the custom report. The log view report uses the same name as the custom
report, but appends the phrase (Log View) to the report name.
When creating a report group, you can include the log view report with the custom report. For more
information, see Manage Report Groups.
Step 4
Select the Scheduled check box to run the report each night. The report is then available for viewing in the
Reports column on the side.
Step 5
Step 6
(Optional) Select the Query Builder attributes if you want to further refine the selection criteria. To build a
report query, specify the following and click Add. Repeat as needed to construct the full query.
Connector: Choose the connector (and/or) to precede the expression you are adding.
Negate: Select the check box to interpret the query as a negation. If, for example, you choose to match
entries in the last 24 hours and/or are originating from the untrust zone, the negate option causes a match
on entries that are not in the past 24 hours and/or are not from the untrust zone.
Attribute: Choose a data element. The available options depend on the choice of database.
Operator: Choose the criterion to determine whether the attribute applies (such as =). The available
options depend on the choice of database.
Value: Specify the attribute value to match.
For example, the following figure (based on the Traffic Log database) shows a query that matches if the
Traffic log entry was received in the past 24 hours and is from the untrust zone.
Step 7
To test the report settings, select Run Now. Modify the settings as required to change the information that is
displayed in the report.
Step 8
Click OK to save the custom report.
Examples of Custom Reports
If you want to set up a simple report in which you use the traffic summary database from the last 30 days,
sort the data by the top 10 sessions, and group these sessions into 5 groups by day of the week, you would
set up the custom report to look like this:
And the PDF output for the report would look as follows:
Now, if you want to use the query builder to generate a custom report that represents the top consumers of network
resources within a user group, you would set up the report to look like this:
The report would display the top users in the product management user group sorted by bytes.
Generate Botnet Reports
Configure a Botnet Report
Interpret Botnet Report Output
Configure a Botnet Report
You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet reports every
24 hours because behavior-based detection requires correlating traffic across multiple logs over that
time frame.
Configure a Botnet Report
Step 1
Define the types of traffic that indicate possible botnet activity.
1.
2. Enable and define the Count for each type of HTTP Traffic that the report will include.
The Count values represent the minimum number of events of each traffic type that must occur for the
report to list the associated host with a higher confidence score (higher likelihood of botnet infection). If
the number of events is less than the Count, the report will display a lower confidence score or (for
certain traffic types) won't display an entry for the host. For example, if you set the Count to three for
Malware URL visit, then hosts that visit three or more known malware URLs will have higher scores than
hosts that visit fewer than three. For details, see Interpret Botnet Report Output.
3. Define the thresholds that determine whether the report will include hosts associated with traffic
involving Unknown TCP or Unknown UDP applications.
4. Select the IRC check box to include traffic involving IRC servers.
5. Click OK to save the report configuration.
Step 2
Schedule the report or run it on demand.
1. Click Report Setting on the right side of the page.
2.
3. Select the No. of Rows to include in the report.
4. (Optional) Add queries to the Query Builder to filter the report output by attributes such as
source/destination IP addresses, users, or zones.
For example, if you know in advance that traffic initiated from the IP address 10.3.3.15 contains no
potential botnet activity, add not (addr.src in 10.0.1.35) as a query to exclude that host from the
report output. For details, see Interpret Botnet Report Output.
5. Select Scheduled to run the report daily or click Run Now to run the report immediately.
6. Click OK and Commit.
Interpret Botnet Report Output
The botnet report displays a line for each host that is associated with traffic you defined as suspicious when
configuring the report. For each host, the report displays a confidence score of 1 to 5 to indicate the
likelihood of botnet infection, where 5 indicates the highest likelihood. The scores correspond to threat
severity levels: 1 is informational, 2 is low, 3 is medium, 4 is high, and 5 is critical. The firewall bases the scores
on:
Traffic type: Certain HTTP traffic types are more likely to involve botnet activity. For example, the report
assigns a higher confidence to hosts that visit known malware URLs than to hosts that browse to IP
domains instead of URLs, assuming you defined both those activities as suspicious.
Number of events: Hosts that are associated with a higher number of suspicious events will have higher
confidence scores based on the thresholds (Count values) you define when you Configure a Botnet
Report.
Executable downloads: The report assigns a higher confidence to hosts that download executable files.
Executable files are a part of many infections and, when combined with the other types of suspicious
traffic, can help you prioritize your investigations of compromised hosts.
When reviewing the report output, you might find that the sources the firewall uses to evaluate botnet
activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find that these sources
identify traffic that you consider safe. To compensate in both cases, you can add query filters when you
Configure a Botnet Report.
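To make the scoring described above concrete, here is an added example (not PAN-OS code; the real report's scoring internals are not documented on this page): each host's events are counted per traffic type, compared with the configured Count values, turned into a 1 to 5 confidence score that favors malware URL visits over IP-domain browsing and adds weight for executable downloads, mapped to the severity names above, and hosts matched by an exclusion such as not (addr.src in 10.0.1.35) are dropped from the output. The Count values, the relative weights, the traffic type names and the sample events are constructed assumptions for this example.

```python
"""Confidence scoring of the kind the botnet report performs.

Added illustration, not PAN-OS code: the Count thresholds, the relative
weights per traffic type and the sample events are constructed assumptions;
the real report's scoring internals are not documented on this page.
"""
import ipaddress
from collections import Counter, defaultdict

# Count values as configured in the report (constructed for this example).
COUNTS = {"malware_url_visit": 3, "browse_to_ip_domain": 10, "executable_download": 5}

# Assumed relative weight once a host reaches the Count for a traffic type:
# visits to known malware URLs count as stronger evidence than browsing to
# IP domains, and executable downloads add to whatever else was seen.
WEIGHTS = {"malware_url_visit": 3, "browse_to_ip_domain": 1, "executable_download": 1}

# Traffic types that produce no report entry at all while below their Count
# (the "for certain traffic types" case in the configuration step).
DROP_BELOW_COUNT = {"browse_to_ip_domain"}

SEVERITY = {1: "informational", 2: "low", 3: "medium", 4: "high", 5: "critical"}


def confidence_score(type_counts):
    """Map a host's per-type event counts to 0 (not listed) or a 1-5 score."""
    score = 0
    for ttype, n in type_counts.items():
        if ttype not in COUNTS or n == 0:
            continue
        if n >= COUNTS[ttype]:
            score += WEIGHTS[ttype]
        elif ttype not in DROP_BELOW_COUNT:
            score += 1  # below Count: lower confidence, but still listed
    return min(score, 5)


def host_excluded(host, exclusions):
    """Apply query filters of the form 'not (addr.src in <address or network>)'."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(x, strict=False) for x in exclusions)


def botnet_report(events, exclusions=()):
    """events: iterable of (source host, traffic type). Returns rows sorted by
    descending confidence, omitting excluded hosts and hosts scoring 0."""
    per_host = defaultdict(Counter)
    for host, ttype in events:
        per_host[host][ttype] += 1
    rows = []
    for host, type_counts in per_host.items():
        if host_excluded(host, exclusions):
            continue
        score = confidence_score(type_counts)
        if score:
            rows.append({"host": host, "confidence": score, "severity": SEVERITY[score]})
    return sorted(rows, key=lambda r: (-r["confidence"], r["host"]))


# Constructed sample events (source host, traffic type).
SAMPLE_EVENTS = (
    [("10.0.0.25", "malware_url_visit")] * 4 + [("10.0.0.25", "executable_download")]
    + [("10.0.0.26", "malware_url_visit")] * 2
    + [("10.0.0.27", "browse_to_ip_domain")] * 12
    + [("10.0.0.28", "browse_to_ip_domain")] * 4
    + [("10.0.1.35", "malware_url_visit")] * 9
    + [("10.0.0.29", "malware_url_visit")] * 5
    + [("10.0.0.29", "executable_download")] * 6
    + [("10.0.0.29", "browse_to_ip_domain")] * 12
)

if __name__ == "__main__":
    for row in botnet_report(SAMPLE_EVENTS, exclusions=["10.0.1.35"]):
        print(row)
```

With the exclusion in place the host 10.0.1.35 never appears even though it would otherwise score medium, which is exactly the effect of the query filter from the configuration step; 10.0.0.28 is absent for a different reason, its IP-domain browsing stayed below the Count.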
Generate the SaaS Application Usage Report
The first part of the report (8 pages) focuses on the SaaS applications used on your network during the
reporting period. It presents a comparison of sanctioned versus unsanctioned SaaS applications by total
number of applications used on your network, bandwidth consumed by these applications, and the
number of users using these applications. This first part of the report also highlights the top SaaS
application subcategories listed in order by maximum number of applications used, the number of users,
and the amount of data (bytes) transferred in each application subcategory.
The second part of the report focuses on the detailed browsing information for SaaS and non-SaaS
applications for each application subcategory listed in the first part of the report. For each application in
a subcategory, it also includes information about the top users who transferred data, the top blocked or
alerted file types, and the top threats for each application. In addition, this section of the report tallies
samples for each application that the firewall submitted for WildFire analysis, and the number of samples
determined to be benign and malicious.
Use the insights from this report to consolidate the list of business-critical and approved SaaS applications
and to enforce policies for controlling unsanctioned applications that pose an unnecessary risk for malware
propagation and data leaks.
The predefined SaaS application usage report introduced in PAN-OS 7.0 is still available as a daily report that lists the
top 100 SaaS applications (with the SaaS application characteristic, SaaS=yes) running on your network on a given day.
Generate the SaaS Application Usage Report
Step 1
Tag applications that you approve for use on your network as Sanctioned.
1.
2.
3.
4. Click OK and Close to exit all open dialogs.
The accuracy of the report depends on whether you have tagged an application as Sanctioned. You can tag
both SaaS and non-SaaS applications as Sanctioned; the detailed browsing section of the SaaS Application
Usage report displays whether the application is SaaS and whether it is sanctioned.
Step 2
Configure the SaaS Application Usage report.
1.
2. Click Add, enter a Name, and select a Time Period for the report (default is Last 7 Days).
By default, the report includes detailed information on the top SaaS and non-SaaS application
subcategories, which can make the report large by page count and file size. Clear the Include detailed
application category information in report check box if you want to reduce the file size and restrict the
page count to eight pages.
3. To generate the report on demand, click Run Now. Make sure that the pop-up blocker is disabled on your
browser because the report opens in a new tab.
4. Click OK to save your changes.
Step 3
Schedule Reports for Email Delivery.
On the PA-200, PA-500, and PA-2000 Series firewalls, the SaaS Application Usage report is not sent as a
PDF attachment in the email. Instead, the email includes a link that you must click to open the report in a
web browser.
Generate PDF Summary Reports
Step 1
1.
2. Click Add and then enter a Name for the report.
3. Use the drop-down for each report group and select one or more of the elements to design the PDF
Summary Report. You can include a maximum of 18 report elements.
To remove an element from the report, click the x icon or clear the selection from the drop-down for the
appropriate report group.
To rearrange the reports, drag and drop the element icons to another area of the report.
4. Click OK to save the report.
5. Commit the changes.
Step 2
View the report.
To download and view the PDF Summary Report, see View Reports.
Generate User/Group Activity Reports
Step 1
Configure the browse times and number of logs for User/Group Activity reports.
Required only if you want to change the default values.
1.
2.
3.
4.
5. Click OK to save your changes.
Step 2
Generate the User/Group Activity report.
1.
2. Click Add and then enter a Name for the report.
3. Create the report:
User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user.
Group Activity Report: Select Group and select the Group Name of the user group.
4. Select the Time Period for the report.
5.
6. To run the report on demand, click Run Now.
7. To save the report configuration, click OK. You can't save the output of User/Group Activity reports on the
firewall. To schedule the report for email delivery, see Schedule Reports for Email Delivery.
Manage Report Groups
Set up report groups.
You must set up a Report Group to email report(s).
1. Create an Email server profile.
2. Define the Report Group. A report group can compile predefined reports, PDF Summary reports, custom
reports, and Log View reports into a single PDF.
a. Select Monitor > Report Group.
b. Click Add and then enter a Name for the report group.
c. (Optional) Select Title Page and add a Title for the PDF output.
d. Select reports from the left column and click Add to move each report to the report group on the right.
The Log View report is a report type that is automatically created each time you create a custom report
and uses the same name as the custom report. This report will show the logs that were used to build the
contents of the custom report.
To include the log view data when creating a report group, add your custom report under the Custom
Reports list and then add the log view report by selecting the matching report name from the Log View
list. The report will include the custom report data and the log data that was used to create the custom
report.
e. Click OK to save the settings.
f. To use the report group, see Schedule Reports for Email Delivery.
Schedule Reports for Email Delivery
Step 2
Enter a Name to identify the schedule.
Step 3
Select the Report Group for email delivery. To set up a report group, see Manage Report Groups.
Step 4
Step 5
Select the frequency at which to generate and send the report in Recurrence.
Step 6
Step 7
Click OK and Commit.
Use External Services for Monitoring
Using an external service to monitor the firewall enables you to receive alerts for important events, archive
monitored information on systems with dedicated long-term storage, and integrate with third-party security
monitoring tools. The following are some common scenarios for using external services:
For immediate notification about important system events or threats, you can Monitor Statistics Using
SNMP, Forward Traps to an SNMP Manager, or Configure Email Alerts.
For long-term log storage and centralized firewall monitoring, you can Configure Syslog Monitoring to
send log data to a syslog server. This enables integration with third-party security monitoring tools such
as Splunk or ArcSight.
For monitoring statistics on the IP traffic that traverses firewall interfaces, you can Configure NetFlow
Exports to view the statistics in a NetFlow collector.
You can Configure Log Forwarding from the firewalls directly to external services or from the firewalls to
Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for
the factors to consider when deciding where to forward logs.
You can't aggregate NetFlow records on Panorama; you must send them directly from the
firewalls to a NetFlow collector.
Configure Log Forwarding
To use Panorama or Use External Services for Monitoring the firewall, you must configure the firewall to
forward its logs. Before forwarding to external services, the firewall automatically converts the logs to the
necessary format: syslog messages, SNMP traps, or email notifications. Before starting this procedure,
ensure that Panorama or the external server that will receive the log data is already set up.
The PA-7000 Series firewall can't forward logs to Panorama, only to external services. However,
when you use Panorama to monitor logs or generate reports for a device group that includes a
PA-7000 Series firewall, Panorama queries the PA-7000 Series firewall in real time to display its
log data.
You can forward logs from the firewalls directly to external services or from the firewalls to
Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding
Options for the factors to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an
SCP server and import it to another firewall. Because the log database is too large for an export
or import to be practical on the PA-7000 Series firewall, it does not support these options. You
can also use the web interface on all platforms to Manage Reporting, but only on a per-log-type
basis, not the entire log database.
ConfigureLogForwarding
Step1
Configureaserverprofileforeach
CreateanEmailserverprofile.
externalservicethatwillreceivelog
ConfigureanSNMPTrapserverprofile.ToenabletheSNMP
data.
manager(trapserver)tointerpretfirewalltraps,youmustload
thePaloAltoNetworksSupportedMIBsintotheSNMPmanager
Youcanuseseparateprofilesto
and,ifnecessary,compilethem.Fordetails,refertoyourSNMP
sendeachlogtypetoadifferent
managementsoftwaredocumentation.
server.Toincreaseavailability,
definemultipleserversinasingle ConfigureaSyslogserverprofile.Ifthesyslogserverrequires
profile.
clientauthentication,youmustalsoCreateacertificatetosecure
syslogcommunicationoverSSL.
Step2
Createalogforwardingprofile.
1.
Theprofiledefinesthedestinationsfor 2.
Traffic,Threat,andWildFireSubmission
logs.(ThreatlogsincludeURLFiltering
andDataFilteringlogs.)
3.
Step 3: Assign the log forwarding profile to security rules.
To trigger log generation and forwarding, the rules require certain Security Profiles according to log type:
  - Traffic logs: No security profile is necessary; the traffic only needs to match a specific security rule.
  - Threat logs: The traffic must match any security profile assigned to a security rule.
  - WildFire logs: The traffic must match a WildFire Analysis profile assigned to a security rule.
Perform the following steps for each rule that will trigger log forwarding:
  1.
  2. Select the Actions tab and select the Log Forwarding profile you just created.
  3. In the Profile Type drop-down, select Profiles or Group, and then select the security profiles or Group Profile required to trigger log generation and forwarding.
  4.

Step 4: Configure the destinations for System, Config, HIP Match, and Correlation logs.
  1.
  2.

Step 5: (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.
  1.
  2.
  3.
  4.
  5.
  6. Click OK to save your changes.
Step 6: Commit and verify your changes.
  1. Click Commit to complete the log forwarding configuration.
  2. Verify the log destinations you configured are receiving firewall logs:
     - Panorama: If the firewall forwards logs to an M-Series appliance, you must configure a Collector Group before Panorama will receive the logs. You can then verify log forwarding.
     - Email server: Verify that the specified recipients are receiving logs as email notifications.
     - Syslog server: Refer to the documentation for your syslog server to verify it is receiving logs as syslog messages.
     - SNMP manager: Use an SNMP Manager to Explore MIBs and Objects to verify it is receiving logs as SNMP traps.
Configure Email Alerts

You can configure email alerts for System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs.
Step 1: Create an Email server profile.
You can use separate profiles to send email notifications for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
  1.
  2. Click Add and then enter a Name for the profile.
  3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  4. For each Simple Mail Transport Protocol (SMTP) server (email server), click Add and define the following information:
     - Name: Name to identify the SMTP server (1-31 characters). This field is just a label and doesn't have to be the hostname of an existing email server.
     - Email Display Name: The name to show in the From field of the email.
     - From: The email address from which the firewall sends emails.
     - To: The email address to which the firewall sends emails.
     - Additional Recipient: If you want to send emails to a second account, enter the address here. You can add only one additional recipient. For multiple recipients, add the email address of a distribution list.
     - Email Gateway: The IP address or hostname of the SMTP gateway to use for sending emails.
  5.
  6. Click OK to save the Email server profile.

Step 2: Configure email alerts for Traffic, Threat, and WildFire Submission logs.
  1. Create a log forwarding profile.
     a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
     b. For each log type and each severity level or WildFire verdict, select the Email server profile and click OK.
  2. Assign the log forwarding profile to security rules.

Step 3: Configure email alerts for System, Config, HIP Match, and Correlation logs.
  1. Select Device > Log Settings.
  2. For System and Correlation logs, click each Severity level, select the Email server profile, and click OK.
  3. For Config and HIP Match logs, edit the section, select the Email server profile, and click OK.
  4. Click Commit.
Use Syslog for Monitoring

Syslog is a standard log transport mechanism that enables the aggregation of log data from different network devices such as routers, firewalls, and printers from different vendors into a central repository for archiving, analysis, and reporting. Palo Alto Networks firewalls can forward every type of log they generate to an external syslog server. You can use TCP or SSL for reliable and secure log forwarding, or UDP for non-secure forwarding.
  - Configure Syslog Monitoring
  - Syslog Field Descriptions

Configure Syslog Monitoring

Step 1: Configure a Syslog server profile.
You can use separate profiles to send syslogs for each log type to a different server. To increase availability, define multiple servers (up to four) in a single profile.
  1.
  2. Click Add and enter a Name for the profile.
  3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
  4. For each syslog server, click Add and enter the information that the firewall requires to connect to it:
     - Name: Unique name for the server profile.
     - Syslog Server: IP address or fully qualified domain name (FQDN) of the syslog server.
     - Transport: Select TCP, UDP, or SSL as the method of communication with the syslog server.
     - Port: The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
     - Format: Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL.
     - Facility: Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
  5. (Optional) To customize the format of the syslog messages that the firewall sends, select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
  6. Click OK to save the server profile.
Step 2: Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.
  1. Create a log forwarding profile.
     a. Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
     b. For each log type and each severity level or WildFire verdict, select the Syslog server profile and click OK.
  2. Assign the log forwarding profile to security rules.

Step 3: Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.
  1. Select Device > Log Settings.
  2. For System and Correlation logs, click each Severity level, select the Syslog server profile, and click OK.
  3. For Config, HIP Match, and Correlation logs, edit the section, select the Syslog server profile, and click OK.

Step 4: (Optional) Configure the header format of syslog messages.
The log data includes the unique identifier of the firewall that generated the log. Choosing the header format provides more flexibility in filtering and reporting on the log data for some Security Information and Event Management (SIEM) servers. This is a global setting and applies to all syslog server profiles configured on the firewall.
  1.
  2.
  3.
Step 5: Create a certificate to secure syslog communication over SSL.
Required only if the syslog server uses client authentication. The syslog server uses the certificate to verify that the firewall is authorized to communicate with the syslog server.
Ensure the following conditions are met:
  - The private key must be available on the sending firewall; the keys can't reside on a Hardware Security Module (HSM).
  - The subject and the issuer for the certificate must not be identical.
  - The syslog server and the sending firewall must have certificates that the same trusted certificate authority (CA) signed. Alternatively, you can generate a self-signed certificate on the firewall, export the certificate from the firewall, and import it into the syslog server.
  1.
  2. Enter a Name for the certificate.
  3. In the Common Name field, enter the IP address of the firewall sending logs to the syslog server.
  4. In Signed by, select the trusted CA or the self-signed CA that the syslog server and the sending firewall both trust.
     The certificate can't be a Certificate Authority nor an External Authority (certificate signing request [CSR]).
  5. Click Generate. The firewall generates the certificate and key pair.
  6. Click the certificate Name to edit it, select the Certificate for Secure Syslog check box, and click OK.

Step 6: Commit your changes and review the logs on the syslog server.
  1. Click Commit.
  2. To review the logs, refer to the documentation of your syslog management software. You can also review the Syslog Field Descriptions.
Syslog Field Descriptions
  - Traffic Log Fields
  - Threat Log Fields
  - HIP Match Log Fields
  - Config Log Fields
  - System Log Fields
  - Correlated Events Log Fields
  - Custom Log/Event Format
  - Escape Sequences
Traffic Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane.
Serial Number (serial): Serial number of the firewall that generated the log.
Type (type): Specifies type of log; values are traffic, threat, config, system and hip-match.
Subtype (subtype): Subtype of traffic log; values are start, end, drop, and deny.
  - start: session started
  - end: session ended
  - drop: session dropped before the application is identified and there is no rule that allows the session.
  - deny: session dropped after the application is identified and there is a rule to block or no rule that allows the session.
Generated Time (time_generated): Time the log was generated on the dataplane.
Source IP (src): Original session source IP address.
Destination IP (dst): Original session destination IP address.
NAT Source IP (natsrc): If Source NAT performed, the post-NAT Source IP address.
NAT Destination IP (natdst): If Destination NAT performed, the post-NAT Destination IP address.
Rule Name (rule): Name of the rule that the session matched.
Source User (srcuser): Username of the user who initiated the session.
Destination User (dstuser): Username of the user to which the session was destined.
Application (app): Application associated with the session.
Virtual System (vsys): Virtual System associated with the session.
Source Zone (from): Zone the session was sourced from.
Destination Zone (to): Zone the session was destined to.
Ingress Interface (inbound_if): Interface that the session was sourced from.
Egress Interface (outbound_if): Interface that the session was destined to.
Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session.
Session ID (sessionid): An internal numerical identifier applied to each session.
Repeat Count (repeatcnt): Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Source Port (sport): Source port utilized by the session.
Destination Port (dport): Destination port utilized by the session.
NAT Source Port (natsport): Post-NAT source port.
NAT Destination Port (natdport): Post-NAT destination port.
Flags (flags): 32-bit field that provides details on the session; this field can be decoded by ANDing the values with the logged value:
  - 0x80000000: session has a packet capture (PCAP)
  - 0x02000000: IPv6 session
  - 0x01000000: SSL session was decrypted (SSL Proxy)
  - 0x00800000: session was denied via URL filtering
  - 0x00400000: session has a NAT translation performed (NAT)
  - 0x00200000: user information for the session was captured via the captive portal (Captive Portal)
  - 0x00080000: X-Forwarded-For value from a proxy is in the source user field
  - 0x00040000: log corresponds to a transaction within a http proxy session (Proxy Transaction)
  - 0x00008000: session is a container page access (Container Page)
  - 0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
  - 0x00000800: symmetric return was used to forward traffic for this session
Protocol (proto): IP protocol associated with the session.
Action (action): Action taken for the session; possible values are:
  - allow: session was allowed by policy
  - deny: session was denied by policy
  - drop: session was dropped silently
  - drop-icmp: session was silently dropped with an ICMP unreachable message to the host or application
  - reset-both: session was terminated and a TCP reset is sent to both the sides of the connection
  - reset-client: session was terminated and a TCP reset is sent to the client
  - reset-server: session was terminated and a TCP reset is sent to the server
Bytes (bytes): Number of total bytes (transmit and receive) for the session.
Bytes Sent (bytes_sent): Number of bytes in the client-to-server direction of the session. Available on all models except the PA-4000 Series.
Bytes Received (bytes_received): Number of bytes in the server-to-client direction of the session. Available on all models except the PA-4000 Series.
Packets (packets): Number of total packets (transmit and receive) for the session.
Start Time (start): Time of session start.
Elapsed Time (elapsed): Elapsed time of the session.
Category (category): URL category associated with the session (if applicable).
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.
Source Location (srcloc): Source country or Internal region for private addresses; maximum length is 32 bytes.
Destination Location (dstloc): Destination country or Internal region for private addresses; maximum length is 32 bytes.
Packets Sent (pkts_sent): Number of client-to-server packets for the session. Available on all models except the PA-4000 Series.
Packets Received (pkts_received): Number of server-to-client packets for the session. Available on all models except the PA-4000 Series.
Session End Reason (session_end_reason): The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
  - threat: The firewall detected a threat associated with a reset, drop, or block (IP address) action.
  - policy-deny: The session matched a security rule with a deny or drop action.
  - decrypt-cert-validation: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
  - decrypt-unsupport-param: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
  - decrypt-error: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
  - tcp-rst-from-client: The client sent a TCP reset to the server.
  - tcp-rst-from-server: The server sent a TCP reset to the client.
  - resources-unavailable: The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
  - tcp-fin: One host or both hosts in the connection sent a TCP FIN message to close the session.
  - tcp-reuse: A session is reused and the firewall closes the previous session.
  - decoder: The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
  - aged-out: The session aged out.
  - unknown: This value applies in the following situations:
    - Session terminations that the preceding reasons do not cover (for example, a clear session all command).
    - For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
    - In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.
  - n/a: This value applies when the traffic log type is not end.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
  - CLI command in configure mode: show readonly dg-meta-data
  - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
Action Source (action_source): Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
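The following is an added example, not code from the PAN-OS guide, showing the receiving side of what the Facility setting in the Syslog server profile (Step 1 of Configure Syslog Monitoring) and the Traffic Log Fields table describe: it strips a BSD-format syslog header, recovers facility and severity from the PRI value (PRI = facility * 8 + severity, so LOG_USER is facility 1), maps the comma-separated payload onto the documented column order, ANDs the Flags field against the documented bit values, reads the device group hierarchy, and checks the byte and packet totals against their per-direction counters. The header layout, the sample hostname, addresses, serial number and the fwd-to-siem profile name are constructed for the example; the field order, flag bits and syslog keys are those listed in the table.

```python
import csv
import re
from typing import Dict, List

# Added example, not code from the PAN-OS guide: receiver-side handling of a
# BSD-format syslog message that carries a PAN-OS 7.1 Traffic log.

# RFC 3164 layout "<PRI>Mmm dd hh:mm:ss HOST payload". The exact header the
# firewall emits is not given in the guide; this pattern is an assumption.
BSD_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<payload>.*)$"
)
LOG_USER = 1  # facility code of LOG_USER, the guide's default Facility setting

# Traffic log column order from the guide's Format line, named with the
# syslog keys from the field table; FUTURE_USE columns are dropped on parse.
TRAFFIC_FIELDS: List[str] = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype", "FUTURE_USE",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "FUTURE_USE", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "bytes", "bytes_sent",
    "bytes_received", "packets", "start", "elapsed", "category", "FUTURE_USE",
    "seqno", "actionflags", "srcloc", "dstloc", "FUTURE_USE", "pkts_sent",
    "pkts_received", "session_end_reason", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name",
    "action_source",
]

# Bit values of the Flags field, from the guide's table.
TRAFFIC_FLAG_BITS: Dict[int, str] = {
    0x80000000: "pcap", 0x02000000: "ipv6", 0x01000000: "ssl-decrypted",
    0x00800000: "url-denied", 0x00400000: "nat", 0x00200000: "captive-portal",
    0x00080000: "x-forwarded-for", 0x00040000: "proxy-transaction",
    0x00008000: "container-page", 0x00002000: "temporary-rule-match",
    0x00000800: "symmetric-return",
}


def parse_bsd_header(line: str) -> Dict[str, object]:
    # PRI = facility * 8 + severity, so a shift and a mask recover both.
    m = BSD_HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD-format syslog line")
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 0x7, "timestamp": m.group("ts"),
            "hostname": m.group("host"), "payload": m.group("payload")}


def parse_traffic_payload(payload: str) -> Dict[str, str]:
    # csv keeps a double-quoted value that contains commas in one column.
    values = next(csv.reader([payload]))
    if len(values) < len(TRAFFIC_FIELDS):
        raise ValueError(f"expected {len(TRAFFIC_FIELDS)} columns, got {len(values)}")
    if values[3] != "TRAFFIC":
        raise ValueError(f"not a Traffic log, Type is {values[3]!r}")
    return {k: v for k, v in zip(TRAFFIC_FIELDS, values) if k != "FUTURE_USE"}


def decode_flags(flags_field: str) -> List[str]:
    # AND each documented bit against the logged 32-bit value, e.g. "0x400000".
    raw = int(flags_field, 16)
    return [name for bit, name in sorted(TRAFFIC_FLAG_BITS.items(), reverse=True) if raw & bit]


def device_group_chain(record: Dict[str, str]) -> List[int]:
    # Ancestry root first; unused levels are logged as 0 and dropped.
    return [lvl for lvl in (int(record[f"dg_hier_level_{i}"]) for i in range(1, 5)) if lvl]


def counters_consistent(record: Dict[str, str]) -> bool:
    # Per the table, bytes and packets are the two per-direction counters summed.
    return (int(record["bytes"]) == int(record["bytes_sent"]) + int(record["bytes_received"])
            and int(record["packets"]) == int(record["pkts_sent"]) + int(record["pkts_received"]))


def parse_firewall_syslog(line: str) -> Dict[str, object]:
    header = parse_bsd_header(line)
    return {"header": header, "fields": parse_traffic_payload(str(header["payload"]))}


# Constructed sample: PRI 14 = LOG_USER (1) * 8 + informational (6); the payload
# has the 54 columns of the Format line. Hostname, addresses and names are made up.
SAMPLE_LINE = (
    "<14>Jan 20 10:15:02 PA-FW-LAB "
    "1,2016/01/20 10:15:02,001801000001,TRAFFIC,end,1,2016/01/20 10:15:02,"
    "10.1.1.25,203.0.113.10,192.0.2.1,203.0.113.10,allow-web,acme\\jdoe,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,1,"
    "62143,1,51022,443,41870,443,0x400000,tcp,allow,18432,4096,14336,40,"
    "2016/01/20 10:14:40,22,computer-and-internet-info,0,7781234,0x0,"
    "10.0.0.0-10.255.255.255,US,0,16,24,tcp-fin,12,34,45,0,vsys1,PA-FW-LAB,from-policy"
)
```

Call parse_firewall_syslog(SAMPLE_LINE) to get the header and the named fields; a facility other than the one configured in the server profile, or a counters_consistent result of False, points at a sender or a column mapping that is not the one expected.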
Threat Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_id, File digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane.
Serial Number (serial): Serial number of the firewall that generated the log.
Type (type): Specifies type of log; values are traffic, threat, config, system and hip-match.
Subtype (subtype): Subtype of threat log. Values include the following:
  - data: Data pattern matching a Data Filtering profile.
  - file: File type matching a File Blocking profile.
  - flood: Flood detected via a Zone Protection profile.
  - packet: Packet-based attack protection triggered by a Zone Protection profile.
  - scan: Scan detected via a Zone Protection profile.
  - spyware: Spyware detected via an Anti-Spyware profile.
  - url: URL filtering log.
  - virus: Virus detected via an Antivirus profile.
  - vulnerability: Vulnerability exploit detected via a Vulnerability Protection profile.
  - wildfire: A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malicious, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
  - wildfire-virus: Virus detected via an Antivirus profile.
Generated Time (time_generated): Time the log was generated on the dataplane.
Source IP (src): Original session source IP address.
Destination IP (dst): Original session destination IP address.
NAT Source IP (natsrc): If source NAT performed, the post-NAT source IP address.
NAT Destination IP (natdst): If destination NAT performed, the post-NAT destination IP address.
Rule Name (rule): Name of the rule that the session matched.
Source User (srcuser): Username of the user who initiated the session.
Destination User (dstuser): Username of the user to which the session was destined.
Application (app): Application associated with the session.
Virtual System (vsys): Virtual System associated with the session.
Source Zone (from): Zone the session was sourced from.
Destination Zone (to): Zone the session was destined to.
Ingress Interface (inbound_if): Interface that the session was sourced from.
Egress Interface (outbound_if): Interface that the session was destined to.
Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session.
Session ID (sessionid): An internal numerical identifier applied to each session.
Repeat Count (repeatcnt): Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Source Port (sport): Source port utilized by the session.
Destination Port (dport): Destination port utilized by the session.
NAT Source Port (natsport): Post-NAT source port.
NAT Destination Port (natdport): Post-NAT destination port.
Flags (flags): 32-bit field that provides details on the session; this field can be decoded by ANDing the values with the logged value:
  - 0x80000000: session has a packet capture (PCAP)
  - 0x02000000: IPv6 session
  - 0x01000000: SSL session was decrypted (SSL Proxy)
  - 0x00800000: session was denied via URL filtering
  - 0x00400000: session has a NAT translation performed (NAT)
  - 0x00200000: user information for the session was captured via the captive portal (Captive Portal)
  - 0x00080000: X-Forwarded-For value from a proxy is in the source user field
  - 0x00040000: log corresponds to a transaction within a http proxy session (Proxy Transaction)
  - 0x00008000: session is a container page access (Container Page)
  - 0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
  - 0x00000800: symmetric return was used to forward traffic for this session
Protocol (proto): IP protocol associated with the session.
Action (action): Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
  - alert: threat or URL detected but not blocked
  - allow: flood detection alert
  - deny: flood detection mechanism activated and deny traffic based on configuration
  - drop: threat detected and associated session was dropped
  - drop-all-packets: threat detected and session remains, but drops all packets
  - reset-client: threat detected and a TCP RST is sent to the client
  - reset-server: threat detected and a TCP RST is sent to the server
  - reset-both: threat detected and a TCP RST is sent to both the client and the server
  - block-url: URL request was blocked because it matched a URL category that was set to be blocked
Miscellaneous (misc): Field with variable length with a maximum of 1023 characters.
  - The actual URI when the subtype is URL
  - File name or file type when the subtype is file
  - File name when the subtype is virus
  - File name when the subtype is WildFire
Threat ID (threatid): Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes:
  - 8000-8099: scan detection
  - 8500-8599: flood detection
  - 9999: URL filtering log
  - 10000-19999: spyware phone home detection
  - 20000-29999: spyware download detection
  - 30000-44999: vulnerability exploit detection
  - 52000-52999: file type detection
  - 60000-69999: data filtering detection
  - 100000-2999999: virus detection
  - 3000000-3999999: WildFire signature feed
  - 4000000-4999999: DNS Botnet signatures
Category (category): For URL Subtype, it is the URL Category; for WildFire subtype, it is the verdict on the file and is either malicious, grayware, or benign; for other subtypes, the value is any.
Severity (severity): Severity associated with the threat; values are informational, low, medium, high, critical.
Direction (direction): Indicates the direction of the attack, client-to-server or server-to-client:
  - 0: direction of the threat is client to server
  - 1: direction of the threat is server to client
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.
Source Location (srcloc): Source country or Internal region for private addresses. Maximum length is 32 bytes.
Destination Location (dstloc): Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Content Type (contenttype): Applicable only when Subtype is URL. Content type of the HTTP response data. Maximum length 32 bytes.
PCAP ID (pcap_id): The packet capture (pcap) ID is a 64-bit unsigned integral denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file.
File Digest (filedigest): Only for WildFire subtype; all other types do not use this field. The file digest string shows the binary hash of the file sent to be analyzed by the WildFire service.
Cloud (cloud): Only for WildFire subtype; all other types do not use this field. The cloud string displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis.
URL Index (url_idx): Used in URL Filtering and WildFire subtypes. When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session. For example, to learn the URL of a file that the firewall forwarded to WildFire for analysis, locate the session ID and the url_idx from the WildFire Submissions log and search for the same session ID and url_idx in your URL filtering logs. The log entry that matches the session ID and url_idx will contain the URL of the file that was forwarded to WildFire.
User Agent (user_agent): Only for the URL Filtering subtype; all other types do not use this field. The User Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer. This information is sent in the HTTP request to the server.
File Type (filetype): Only for WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.
X-Forwarded-For (xff): Only for the URL Filtering subtype; all other types do not use this field. The X-Forwarded-For field in the HTTP header contains the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is useful particularly if you have a proxy server on your network that replaces the user IP address with its own address in the source IP address field of the packet header.
Referer (referer): Only for the URL Filtering subtype; all other types do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.
Sender (sender): Only for WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Subject (subject): Only for WildFire subtype; all other types do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Recipient (recipient): Only for WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Report ID (reportid): Only for WildFire subtype; all other types do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
  - CLI command in configure mode: show readonly dg-meta-data
  - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
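An added example, not code from the PAN-OS guide, that applies the Threat Log Fields table: it maps a payload onto the documented column order, classifies the numeric part of Threat ID into the documented ranges, decodes Direction, and performs the session ID plus url_idx correlation described under URL Index to recover the URL of a file the firewall submitted to WildFire. The two sample entries, their serial number, file digest, cloud FQDN, addresses and profile name are constructed; the column order, ranges and syslog keys are those in the table.

```python
import csv
import re
from typing import Dict, List, Optional

# Added example, not code from the PAN-OS guide: interpreting Threat log fields.

# Threat log column order from the guide's Format line, named with the syslog keys.
THREAT_FIELDS: List[str] = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype", "FUTURE_USE",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "FUTURE_USE", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "misc", "threatid",
    "category", "severity", "direction", "seqno", "actionflags", "srcloc",
    "dstloc", "FUTURE_USE", "contenttype", "pcap_id", "filedigest", "cloud",
    "url_idx", "user_agent", "filetype", "xff", "referer", "sender", "subject",
    "recipient", "reportid", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name", "FUTURE_USE",
]

# Numeric Threat ID ranges and their meaning, from the guide's Threat ID row.
THREAT_ID_RANGES = [
    (8000, 8099, "scan detection"), (8500, 8599, "flood detection"),
    (9999, 9999, "URL filtering log"), (10000, 19999, "spyware phone home detection"),
    (20000, 29999, "spyware download detection"),
    (30000, 44999, "vulnerability exploit detection"),
    (52000, 52999, "file type detection"), (60000, 69999, "data filtering detection"),
    (100000, 2999999, "virus detection"), (3000000, 3999999, "WildFire signature feed"),
    (4000000, 4999999, "DNS Botnet signatures"),
]
THREAT_ID_NUM_RE = re.compile(r"\((\d+)\)\s*$")  # the trailing "(12345)" of a Threat ID


def parse_threat_payload(payload: str) -> Dict[str, str]:
    values = next(csv.reader([payload]))  # a double-quoted value may contain commas
    if len(values) < len(THREAT_FIELDS) or values[3] != "THREAT":
        raise ValueError("not a complete THREAT log payload")
    return {k: v for k, v in zip(THREAT_FIELDS, values) if k != "FUTURE_USE"}


def threat_id_number(threatid: str) -> Optional[int]:
    m = THREAT_ID_NUM_RE.search(threatid)
    return int(m.group(1)) if m else None


def classify_threat_id(threatid: str) -> str:
    num = threat_id_number(threatid)
    if num is None:
        return "no numeric id"
    return next((label for lo, hi, label in THREAT_ID_RANGES if lo <= num <= hi), "unlisted range")


def decode_direction(direction: str) -> str:
    # 0 and 1 are the values the Direction row documents.
    return {"0": "client-to-server", "1": "server-to-client"}.get(direction, "unknown")


def correlate_wildfire_urls(records: List[Dict[str, str]]) -> Dict[str, str]:
    # Per the URL Index row: the WildFire Submissions entry and the URL Filtering
    # entry for the same fetch share sessionid and url_idx, and the URL entry's
    # misc field carries the URI. Returns file digest -> URL.
    urls = {(r["sessionid"], r["url_idx"]): r["misc"] for r in records if r["subtype"] == "url"}
    return {r["filedigest"]: urls[(r["sessionid"], r["url_idx"])]
            for r in records
            if r["subtype"] == "wildfire" and (r["sessionid"], r["url_idx"]) in urls}


# Constructed samples (61 columns each): a URL Filtering entry and the WildFire
# Submissions entry for the same session and url_idx. Hosts, serial number,
# digest and cloud FQDN are made up.
_COMMON = ("1,{ts},001801000001,THREAT,{sub},1,{ts},10.1.1.25,198.51.100.7,192.0.2.1,"
           "198.51.100.7,allow-web,acme\\jdoe,,web-browsing,vsys1,trust,untrust,"
           "ethernet1/2,ethernet1/1,fwd-to-siem,1,62150,1,51100,80,41900,80,0x400000,tcp,")
_TAIL = "12,34,45,0,vsys1,PA-FW-LAB,0"
SAMPLE_DIGEST = "deadbeef" * 8  # constructed stand-in for a SHA-256 hex digest
SAMPLE_THREAT_LINES = [
    _COMMON.format(ts="2016/01/20 10:16:05", sub="url")
    + 'alert,"example.invalid/downloads/setup.exe",(9999),unknown,informational,0,'
    + "7781250,0x0,10.0.0.0-10.255.255.255,US,0,application/octet-stream,0,,,3,"
    + "Mozilla/5.0,,,,,,,," + _TAIL,
    _COMMON.format(ts="2016/01/20 10:16:07", sub="wildfire")
    + "allow,setup.exe,Windows Executable (EXE)(52020),malicious,informational,0,"
    + "7781251,0x0,10.0.0.0-10.255.255.255,US,0,,0," + SAMPLE_DIGEST
    + ",wf-appliance.example.invalid,3,,Windows Executable (EXE),,,,,,," + _TAIL,
]
```

Parsing both sample lines and calling correlate_wildfire_urls on the result yields the digest-to-URL pairing the URL Index row describes; an entry with a digest but no URL match means the URL Filtering record for that session either was not logged or has not arrived yet.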
HIP Match Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source User, Virtual System, Machine name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane.
Serial Number (serial): Serial number of the firewall that generated the log.
Type (type): Type of log; values are traffic, threat, config, system and hip-match.
Subtype (subtype): Subtype of HIP match log; unused.
Generated Time (time_generated): Time the log was generated on the dataplane.
Source User (srcuser): Username of the user who initiated the session.
Virtual System (vsys): Virtual System associated with the HIP match log.
Machine Name (machinename): Name of the user's machine.
OS: The operating system installed on the user's machine or device (or on the client system).
Source Address (src): IP address of the source user.
HIP (matchname): Name of the HIP object or profile.
Repeat Count (repeatcnt): Number of times the HIP profile matched.
HIP Type (matchtype): Whether the hip field represents a HIP object or a HIP profile.
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
  - CLI command in configure mode: show readonly dg-meta-data
  - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
Config Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail, After Change Detail, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Field Name (syslog key): Description

Receive Time (receive_time): Time the log was received at the management plane.
Serial Number (serial): Serial number of the device that generated the log.
Type (type): Type of log; values are traffic, threat, config, system and hip-match.
Subtype (subtype): Subtype of configuration log; unused.
Generated Time (time_generated): Time the log was generated on the dataplane.
Host (host): Hostname or IP address of the client machine.
Virtual System (vsys): Virtual System associated with the configuration log.
Command (cmd): Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.
Admin (admin): Username of the Administrator performing the configuration.
Client (client): Client used by the Administrator; values are Web and CLI.
Result (result): Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized.
Configuration Path (path): The path of the configuration command issued; up to 512 bytes in length.
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.
Before Change Detail (before_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.
After Change Detail (after_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
  - CLI command in configure mode: show readonly dg-meta-data
  - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
System Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
Field Name (key): Description
Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the firewall that generated the log
Type (type): Type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype): Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, globalprotect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn
Generated Time (time_generated): Time the log was generated on the dataplane
Virtual System (vsys): Virtual system associated with the system log
Event ID (eventid): String showing the name of the event
Object (object): Name of the object associated with the system event
Module (module): This field is valid only when the value of the Subtype field is general. It provides additional information about the subsystem generating the log; values are general, management, auth, ha, upgrade, chassis
Severity (severity): Severity associated with the event; values are informational, low, medium, high, critical
Description (opaque): Detailed description of the event, up to a maximum of 512 bytes
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
CLI command in configure mode: show readonly dg-meta-data
API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
Correlated Events Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
Field Name (key): Description
Log ID (logid)
ID (id)
Match OID (match_oid)
Object ID (objectid): Name of the object associated with the event
Version (version): The version of the Correlation objects content update, as pushed by Palo Alto Networks.
Virtual System (vsys): Virtual system associated with the correlated event log
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
CLI command in configure mode: show readonly dg-meta-data
API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Window (window)
Source User (srcuser): Username of the user who initiated the event.
Source (src): IP address of the user who initiated the event.
Last Update Time (last_update_time): The last time the events in the correlated event were updated with more information.
Severity (severity): Severity associated with the event; values are informational, low, medium, high, critical
Match Time (match_time): The time that the event match was recorded.
Object Name (objectname): Name of the correlation object that was matched on
Summary (summary): A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times).
Syslog Severity
The syslog severity is set based on the log type and contents.
Log Type / Severity            Syslog Severity
Traffic                        Info
Config                         Info
Threat/System Informational    Info
Threat/System Low              Notice
Threat/System Medium           Warning
Threat/System High             Error
Threat/System Critical         Critical
Custom Log/Event Format
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key:Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.
To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.
Escape Sequences
Any field that contains a comma or a double quote is enclosed in double quotes. Furthermore, if a double quote appears inside a field it is escaped by preceding it with another double quote. To maintain backward compatibility, the Misc field in threat log is always enclosed in double quotes.
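The following Python script is an added example; it is not part of the PAN-OS guide or of any Palo Alto Networks software. It splits a forwarded Config log line according to the escape rules just described, maps the fields to the names in the Config Log Fields table, decodes the Device Group Hierarchy values (12, 34, 45, 0 means device group 45 with ancestors 34 and 12), and applies the Syslog Severity table. The two log lines are constructed for the example, the names given to the FUTURE_USE columns are arbitrary, and is_security_policy_failure is an illustrative detection rule, not something the firewall provides.

```python
"""Parse PAN-OS CSV syslog messages using the quoting rules from the guide.

Added example (not code from the PAN-OS guide): the field order comes from the
Config Log "Format" line, the quoting rules from "Escape Sequences" and the
severity mapping from the "Syslog Severity" table.  The log lines below are
constructed for this example, not captured from a firewall.
"""
import csv
import io
from typing import Dict, List, Optional, Tuple

# Config log field order, taken from the Format line in the guide.  The names
# future_use_1/2 for the two FUTURE_USE columns are our own.
CONFIG_LOG_FIELDS: List[str] = [
    "future_use_1", "receive_time", "serial", "type", "subtype", "future_use_2",
    "time_generated", "host", "vsys", "cmd", "admin", "client", "result", "path",
    "seqno", "actionflags", "before_change_detail", "after_change_detail",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "device_name",
]

# Constructed sample lines.  The second one has a rule name containing a comma
# and double quotes, so the firewall quotes the field and doubles the quotes.
SAMPLE_CONFIG_LOGS: List[str] = [
    '1,2016/05/10 12:00:05,001606000117,CONFIG,0,0,2016/05/10 12:00:05,10.0.0.5,'
    'vsys1,edit,admin,Web,Succeeded,"/config/devices/entry[@name=\'localhost.localdomain\']'
    '/vsys/entry[@name=\'vsys1\']/rulebase/security/rules/entry[@name=\'allow-snmp\']",'
    '1234,0x0,,,12,34,45,0,vsys1,fw-edge-01',
    '1,2016/05/10 12:01:10,001606000117,CONFIG,0,0,2016/05/10 12:01:10,10.0.0.9,'
    'vsys1,set,auditor,CLI,Unauthorized,"/config/devices/entry[@name=\'localhost.localdomain\']'
    '/vsys/entry[@name=\'vsys1\']/rulebase/security/rules/entry[@name=\'rule ""a"", b\']",'
    '1235,0x0,,,12,34,45,0,vsys1,fw-edge-01',
]


def split_fields(line: str) -> List[str]:
    """Split one log line into raw fields.

    The firewall quotes any field containing a comma or a double quote and
    doubles an embedded double quote.  That is exactly the csv module's default
    dialect, so we reuse it instead of hand-rolling a splitter.
    """
    return next(csv.reader(io.StringIO(line), delimiter=",", quotechar='"', doublequote=True))


def parse_config_log(line: str) -> Dict[str, str]:
    """Map a Config log line onto the field names used in the guide."""
    values = split_fields(line)
    if len(values) != len(CONFIG_LOG_FIELDS):
        raise ValueError(f"expected {len(CONFIG_LOG_FIELDS)} fields, got {len(values)}")
    return dict(zip(CONFIG_LOG_FIELDS, values))


def device_group_chain(rec: Dict[str, str]) -> Tuple[Optional[int], List[int]]:
    """Return (device group, ancestors nearest-first) from dg_hier_level_1..4.

    The levels are listed root-first and padded with 0, so 12,34,45,0 means the
    firewall belongs to device group 45 whose ancestors are 34 and then 12.
    """
    levels = [int(rec[f"dg_hier_level_{i}"] or 0) for i in range(1, 5)]
    chain = [lvl for lvl in levels if lvl != 0]
    if not chain:
        return None, []  # not managed through a Panorama device group
    return chain[-1], list(reversed(chain[:-1]))


def syslog_severity(log_type: str, severity: str = "") -> str:
    """Syslog severity the firewall assigns, per the Syslog Severity table."""
    if log_type.lower() in {"traffic", "config"}:
        return "info"
    return {"informational": "info", "low": "notice", "medium": "warning",
            "high": "error", "critical": "critical"}[severity.lower()]


def is_security_policy_failure(rec: Dict[str, str]) -> bool:
    """Illustrative detection rule: a Failed or Unauthorized change to the
    security rulebase.  Unauthorized shows an administrator acting outside
    their role, which is worth an alert even though nothing was applied."""
    return (rec["type"].lower() == "config"
            and rec["result"] in {"Failed", "Unauthorized"}
            and "/rulebase/security/" in rec["path"])
```

The same split_fields works for every log type on this page; only the field list changes, so a collector can keep one list per Type value and dispatch on the fourth field. Note that csv handles the doubled quote inside the quoted path, which a naive split(",") would break on.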
SNMP Monitoring and Traps
The following topics describe how Palo Alto Networks firewalls, Panorama, and WF-500 appliances implement Simple Network Management Protocol (SNMP), and the procedures to configure SNMP monitoring and trap delivery.
SNMP Support
Use an SNMP Manager to Explore MIBs and Objects
Enable SNMP Services for Firewall-Secured Network Elements
Monitor Statistics Using SNMP
Forward Traps to an SNMP Manager
Supported MIBs
SNMP Support
You can use a Simple Network Management Protocol (SNMP) manager to monitor event-driven alerts and operational statistics for the firewall, Panorama, or WF-500 appliance and for the traffic they process. The statistics and traps can help you identify resource limitations, system changes or failures, and malware attacks. You configure alerts by forwarding log data as traps, and enable the delivery of statistics in response to GET messages (requests) from your SNMP manager. Each trap and statistic has an object identifier (OID). Related OIDs are organized hierarchically within the Management Information Bases (MIBs) that you load into the SNMP manager to enable monitoring.
When an event triggers SNMP trap generation (for example, an interface goes down), the firewall, Panorama virtual appliance, M-Series appliance, and WF-500 appliance respond by updating the corresponding SNMP object (for example, the interfaces MIB) instead of waiting for the periodic update of all objects that occurs every ten seconds. This ensures that your SNMP manager displays the latest information when polling an object to confirm an event.
The firewall, Panorama, and WF-500 appliance support SNMP Version 2c and Version 3. Decide which to use based on the version that other devices in your network support and on your network security requirements. SNMPv3 is more secure and enables more granular access control for system statistics than SNMPv2c. Because the SNMPv2c community string is the only credential and travels in cleartext, anyone who can observe or guess it can read every MIB the device exposes; use SNMPv3 with both authentication and privacy wherever your manager supports it. The following table summarizes the security features of each version. You select the version and configure the security features when you Monitor Statistics Using SNMP and Forward Traps to an SNMP Manager.
SNMP Version | Authentication | Message Privacy | Message Integrity | MIB Access Granularity
SNMPv2c | Community string | No (cleartext) | No | SNMP community access for all MIBs on a device
SNMPv3 | EngineID, username, and authentication password (SHA hashing for the password) | Privacy password for AES-128 encryption of SNMP messages | Yes | User access based on views that include or exclude specific OIDs
Figure: SNMP Implementation illustrates a deployment in which firewalls forward traps to an SNMP manager while also forwarding logs to Log Collectors. Alternatively, you could configure the Log Collectors to forward the firewall traps to the SNMP manager. For details on these deployments, refer to Log Forwarding Options. In all deployments, the SNMP manager gets statistics directly from the firewall, Panorama, or WF-500 appliance. In this example, a single SNMP manager collects both traps and statistics, though you can use separate managers for these functions if that better suits your network.
Figure: SNMP Implementation
Use an SNMP Manager to Explore MIBs and Objects
Identify a MIB Containing a Known OID
Walk a MIB
Identify the OID for a System Statistic or Trap
Identify a MIB Containing a Known OID
If you already know the OID for a particular SNMP object (statistic or trap) and want to know the OIDs of similar objects so you can monitor them, you can explore the MIB that contains the known OID.
Identify a MIB Containing a Known OID
Step 1: Load all the Supported MIBs into your SNMP manager.
Step 2: Search the entire MIB tree for the known OID. The search result displays the MIB path for the OID, as well as information about the OID (for example, name, status, and description). You can then select other OIDs in the same MIB to see information about them.
Step 3: Optionally, Walk a MIB to display all its objects.
Walk a MIB
If you want to see which SNMP objects (system statistics and traps) are available for monitoring, displaying all the objects of a particular MIB can be useful. To do this, load the Supported MIBs into your SNMP manager and perform a walk on the desired MIB. To list the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, walk the panCommonEventEventsV2 MIB. In the following example, walking the PAN-COMMON-MIB.my displays the following list of OIDs and their values for certain statistics:
Identify the OID for a System Statistic or Trap
To use an SNMP manager for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must know the OIDs of the system statistics and traps you want to monitor.
Identify the OID for a Statistic or Trap
Step 1: Review the Supported MIBs to determine which one contains the type of statistic you want. For example, the PAN-COMMON-MIB.my contains hardware version information. The panCommonEventEventsV2 MIB contains all the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support.
Step 2: Open the MIB in a text editor and perform a keyword search. For example, using Hardware version as a search string in PAN-COMMON-MIB identifies the panSysHwVersion object:
    panSysHwVersion OBJECT-TYPE
        SYNTAX      DisplayString (SIZE(0..128))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION "Hardware version of the unit."
        ::= { panSys 2 }
Step 3: In a MIB browser, search the MIB tree for the identified object name to display its OID. For example, the panSysHwVersion object has an OID of 1.3.6.1.4.1.25461.2.1.2.1.2.
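What the MIB browser does in Step 3 is mechanical: it follows each "::= { parent arc }" assignment up to a well-known root and concatenates the arcs. The Python script below is an added example, not code from the PAN-OS guide or the vendor MIB files, that does the same resolution and also performs the Step 2 keyword search. The panSysHwVersion definition is the one quoted above; the other node names and arcs in MIB_EXCERPT are assumptions chosen so that the result reproduces the two OIDs this guide states (1.3.6.1.4.1.25461.2.1.2.1.2 for panSysHwVersion and 1.3.6.1.4.1.25461.2.1.2.3.1.0 for session utilization), so verify them against the real PAN-COMMON-MIB.my before relying on them.

```python
"""Resolve MIB object names to numeric OIDs, the way a MIB browser does.

Added example (not code from the PAN-OS guide or the vendor MIBs): it parses
the "::= { parent arc }" assignments of a MIB file and walks them up to a known
root.  MIB_EXCERPT is constructed for this example: the panSysHwVersion entry is
the one quoted in the guide; the intermediate node names and arcs are
assumptions that reproduce the OIDs the guide states.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt: SNMPv2-SMI prefix plus assumed Palo Alto Networks nodes.
MIB_EXCERPT = """
org                 OBJECT IDENTIFIER ::= { iso 3 }
dod                 OBJECT IDENTIFIER ::= { org 6 }
internet            OBJECT IDENTIFIER ::= { dod 1 }
private             OBJECT IDENTIFIER ::= { internet 4 }
enterprises         OBJECT IDENTIFIER ::= { private 1 }
panRoot             OBJECT IDENTIFIER ::= { enterprises 25461 }
panModules          OBJECT IDENTIFIER ::= { panRoot 2 }
panCommonMib        OBJECT IDENTIFIER ::= { panModules 1 }
panCommonObjs       OBJECT IDENTIFIER ::= { panCommonMib 2 }
panSys              OBJECT IDENTIFIER ::= { panCommonObjs 1 }
panSession          OBJECT IDENTIFIER ::= { panCommonObjs 3 }

panSysHwVersion OBJECT-TYPE
    SYNTAX      DisplayString (SIZE(0..128))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Hardware version of the unit."
    ::= { panSys 2 }

panSessionUtilization OBJECT-TYPE
    SYNTAX      Gauge32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Session table utilization percentage (assumed wording)."
    ::= { panSession 1 }
"""

# The walk stops at a root whose numeric prefix we already know.
WELL_KNOWN_ROOTS = {"iso": "1"}

# name KEYWORD [body] ::= { parent arc }
ASSIGN_RE = re.compile(
    r"^[ \t]*([A-Za-z][\w-]*)[ \t]+"
    r"(?:OBJECT IDENTIFIER|OBJECT-TYPE|MODULE-IDENTITY|NOTIFICATION-TYPE)"
    r".*?::=[ \t]*\{[ \t]*([A-Za-z][\w-]*)[ \t]+(\d+)[ \t]*\}",
    re.DOTALL | re.MULTILINE,
)
# name OBJECT-TYPE ... DESCRIPTION "text"
DESCR_RE = re.compile(
    r"^[ \t]*([A-Za-z][\w-]*)[ \t]+OBJECT-TYPE.*?DESCRIPTION\s*\"([^\"]*)\"",
    re.DOTALL | re.MULTILINE,
)


def parse_assignments(mib_text: str) -> Dict[str, Tuple[str, int]]:
    """Map each defined name to its (parent name, arc)."""
    return {m.group(1): (m.group(2), int(m.group(3))) for m in ASSIGN_RE.finditer(mib_text)}


def resolve_oid(name: str, assigns: Dict[str, Tuple[str, int]]) -> str:
    """Walk parent links up to a well-known root and emit the dotted OID."""
    arcs: List[int] = []
    seen = set()
    while name not in WELL_KNOWN_ROOTS:
        if name in seen or name not in assigns:
            raise KeyError(f"cannot resolve {name!r}: parent chain is incomplete or cyclic")
        seen.add(name)
        name, arc = assigns[name]  # step to the parent, remember this arc
        arcs.append(arc)
    return ".".join([WELL_KNOWN_ROOTS[name], *map(str, reversed(arcs))])


def scalar_instance_oid(name: str, assigns: Dict[str, Tuple[str, int]]) -> str:
    """A scalar is polled as <oid>.0, which is the form you enter in a manager."""
    return resolve_oid(name, assigns) + ".0"


def find_by_keyword(mib_text: str, keyword: str) -> List[str]:
    """Step 2 of the procedure: object names whose DESCRIPTION mentions keyword."""
    needle = keyword.lower()
    return [m.group(1) for m in DESCR_RE.finditer(mib_text) if needle in m.group(2).lower()]
```

Run against the full set of Supported MIBs, parse_assignments needs every file that defines a parent in the chain (PAN-GLOBAL-REG-MIB.my supplies panRoot and panModules for the enterprise MIBs), which is also why a MIB browser asks you to load them all in Step 1.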
Enable SNMP Services for Firewall-Secured Network Elements
Step 1: Create an application group.
1. Select Objects > Application Groups and click Add.
2. Enter a Name to identify the application group.
3. Click Add, type snmp, and select snmp and snmp-trap from the drop-down.
4. Click OK to save the application group.
Step 2: Create a security rule to allow SNMP services.
1. Select Policies > Security and click Add.
2. In the General tab, enter a Name for the rule.
3. In the Source and Destination tabs, click Add and enter a Source Zone and a Destination Zone for the traffic. Restrict the Source Address to the SNMP manager's address rather than the whole zone, so the rule does not expose SNMP on every monitored element to every host in the source zone.
4. In the Applications tab, click Add, type the name of the application group you just created, and select it from the drop-down.
5. In the Actions tab, verify that the Action is set to Allow, and then click OK and Commit.
Monitor Statistics Using SNMP
Step 1: Configure the SNMP manager to get statistics from firewalls.
The following steps provide an overview of the tasks you perform on the SNMP manager. For the specific steps, refer to the documentation of your SNMP manager.
1. To enable the SNMP manager to interpret firewall statistics, load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them.
2. For each firewall that the SNMP manager will monitor, define the connection settings (IP address and port) and authentication settings (SNMPv2c community string or SNMPv3 EngineID/username/password) for the firewall. Note that all Palo Alto Networks firewalls use port 161. The SNMP manager can use the same or different connection and authentication settings for multiple firewalls. The settings must match those you define when you configure SNMP on the firewall (see Step 3). For example, if you use SNMPv2c, the community string you define when configuring the firewall must match the community string you define in the SNMP manager for that firewall.
3. Determine the object identifiers (OIDs) of the statistics you want to monitor. For example, to monitor the session utilization percentage of a firewall, a MIB browser shows that this statistic corresponds to OID 1.3.6.1.4.1.25461.2.1.2.3.1.0 in PAN-COMMON-MIB.my. For details, see Use an SNMP Manager to Explore MIBs and Objects.
4. Configure the SNMP manager to monitor the desired OIDs.
Step 2: Enable SNMP traffic on a firewall interface. This is the interface that will receive statistics requests from the SNMP manager. Perform this step in the firewall web interface.
To enable SNMP traffic on the MGT interface, select Device > Setup > Management, edit the Management Interface Settings, select SNMP, and then click OK and Commit.
To enable SNMP traffic on any other interface, create an interface management profile for SNMP services and assign the profile to the interface that will receive the SNMP requests. The interface type must be Layer 3 Ethernet.
PAN-OS doesn't synchronize management (MGT) interface settings for firewalls in a high availability (HA) configuration. You must configure the interface for each HA peer.
Step 3: Configure the firewall to respond to statistics requests from an SNMP manager.
PAN-OS doesn't synchronize SNMP response settings for firewalls in a high availability (HA) configuration. You must configure these settings for each HA peer.
Step 4: Monitor the firewall statistics in an SNMP manager. Refer to the documentation of your SNMP manager for details.
When monitoring statistics related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
Forward Firewall Traps to an SNMP Manager
Step 1: Enable the SNMP manager to interpret the traps it receives.
Load the Supported MIBs for Palo Alto Networks firewalls and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.
Step 2: Configure an SNMP Trap server profile. The profile defines how the firewall accesses the SNMP managers (trap servers). You can define up to four SNMP managers for each profile.
Optionally, configure separate SNMP Trap server profiles for different log types, severity levels, and WildFire verdicts.
1. Log in to the firewall web interface.
2. Select Device > Server Profiles > SNMP Trap.
3. Click Add and enter a Name for the profile.
4. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
5. Select the SNMP Version and configure the authentication values as follows. For version details, see SNMP Support.
V2c: For each server, click Add and enter the server Name, IP address (SNMP Manager), and Community String. The community string identifies a community of SNMP managers and monitored devices, and serves as a password to authenticate the community members to each other. As a best practice, don't use the default community string public; it's well known and therefore not secure.
V3: For each server, click Add and enter the server Name, IP address (SNMP Manager), SNMP User account (this must match a username defined in the SNMP manager), EngineID used to uniquely identify the firewall (you can leave the field blank to use the firewall serial number), authentication password (Auth Password) used to authenticate to the server, and privacy password (Priv Password) used to encrypt SNMP messages to the server.
6. Click OK to save the server profile.
Step 3: Configure log forwarding.
1. Configure the destinations of Traffic, Threat, and WildFire traps:
a. Create a log forwarding profile. For each log type and each severity level or WildFire verdict, select the SNMP Trap server profile.
b. Assign the log forwarding profile to security rules. The rules will trigger trap generation and forwarding.
2. Configure the destinations for System, Config, HIP Match, and Correlation logs. For each log (trap) type and severity level, select the SNMP Trap server profile.
3. Click Commit.
Step 4: Monitor the traps in an SNMP manager. Refer to the documentation of your SNMP manager.
When monitoring traps related to firewall interfaces, you must match the interface indexes in the SNMP manager with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
Supported MIBs
The following table lists the Simple Network Management Protocol (SNMP) management information bases (MIBs) that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support. You must load these MIBs into your SNMP manager to monitor the objects (system statistics and traps) that are defined in the MIBs. For details, see Use an SNMP Manager to Explore MIBs and Objects.
MIB Type: Supported MIBs
Standard (the Internet Engineering Task Force (IETF) maintains most standard MIBs; you can download the MIBs from the IETF website. Palo Alto Networks firewalls, Panorama, and WF-500 appliances don't support every object (OID) in every one of these MIBs; see the Supported MIBs links for an overview of the supported OIDs):
MIB-II
IF-MIB
HOST-RESOURCES-MIB
ENTITY-MIB
ENTITY-SENSOR-MIB
ENTITY-STATE-MIB
IEEE 802.3 LAG MIB
LLDP-V2-MIB.my
BFD-STD-MIB
Enterprise (you can download the enterprise MIBs from the Palo Alto Networks Technical Documentation portal):
PAN-COMMON-MIB.my
PAN-GLOBAL-REG-MIB.my
PAN-GLOBAL-TC-MIB.my
PAN-LC-MIB.my
PAN-PRODUCT-MIB.my
PAN-ENTITY-EXT-MIB.my
PAN-TRAPS.my
MIB-II
MIB-II provides object identifiers (OIDs) for network management protocols in TCP/IP-based networks. Use this MIB to monitor general information about systems and interfaces. For example, you can analyze trends in bandwidth usage by interface type (ifType object) to determine if the firewall needs more interfaces of that type to accommodate spikes in traffic volume.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the following object groups:
Object Group: Description
system: Provides system information such as the hardware model, system uptime, FQDN, and physical location.
interfaces: Provides statistics for physical and logical interfaces such as type, current bandwidth (speed), operational status (for example, up or down), and discarded packets. Logical interface support includes VPN tunnels, aggregate groups, Layer 2 subinterfaces, Layer 3 subinterfaces, loopback interfaces, and VLAN interfaces.
RFC 1213 defines this MIB.
IF-MIB
IF-MIB supports interface types (physical and logical) and 64-bit counters beyond the 32-bit counters defined in MIB-II. Use this MIB to monitor interface statistics in addition to those that MIB-II provides. For example, to monitor the current bandwidth of high-speed interfaces (faster than the 32-bit ifSpeed object can express, about 4.29 Gbps) such as the 10G interfaces of the PA-5000 Series firewalls, you must check the ifHighSpeed object in IF-MIB instead of the ifSpeed object in MIB-II. IF-MIB statistics can be useful when evaluating the capacity of your network.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the ifXTable in IF-MIB, which provides interface information such as the number of multicast and broadcast packets transmitted and received, whether an interface is in promiscuous mode, and whether an interface has a physical connector.
RFC 2863 defines this MIB.
HOST-RESOURCES-MIB
HOST-RESOURCES-MIB provides information for host computer resources. Use this MIB to monitor CPU and memory usage statistics. For example, checking the current CPU load (hrProcessorLoad object) can help you troubleshoot performance issues on the firewall.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support portions of the following object groups:
Object Group: Description
hrDevice: Provides information such as CPU load, storage capacity, and partition size. The hrProcessorLoad OIDs provide an average of the cores that process packets. For the PA-5060 firewall, which has multiple dataplanes (DPs), the average is of the cores across all three DPs that process packets.
hrSystem: Provides information such as system uptime, number of current user sessions, and number of current processes.
hrStorage: Provides information such as the amount of used storage.
RFC 2790 defines this MIB.
ENTITY-MIB
ENTITY-MIB provides OIDs for multiple logical and physical components. Use this MIB to determine what physical components are loaded on a system (for example, fans and temperature sensors) and see related information such as models and serial numbers. You can also use the index numbers for these components to determine their operational status in the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhysicalTable group:
Object: Description
entPhysicalIndex: A single namespace that includes disk slots and disk drives.
entPhysicalDescr: The component description.
entPhysicalVendorType: The sysObjectID (see PAN-PRODUCT-MIB.my) when it is available (chassis and module objects).
entPhysicalContainedIn: The value of entPhysicalIndex for the component that contains this component.
entPhysicalClass: chassis (3), container (5) for a slot, powerSupply (6), fan (7), sensor (8) for each temperature or other environmental sensor, and module (9) for each line card.
entPhysicalParentRelPos: The relative position of this child component among its sibling components. Sibling components are defined as entPhysicalEntry components that share the same instance values of each of the entPhysicalContainedIn and entPhysicalClass objects.
entPhysicalName: Supported only if the management (MGT) interface allows for naming the line card.
entPhysicalHardwareRev: The vendor-specific hardware revision of the component.
entPhysicalFirmwareRev: The vendor-specific firmware revision of the component.
entPhysicalSoftwareRev: The vendor-specific software revision of the component.
entPhysicalSerialNum: The vendor-specific serial number of the component.
entPhysicalMfgName: The name of the manufacturer of the component.
entPhysicalMfgDate: The date when the component was manufactured.
entPhysicalModelName: The disk model number.
entPhysicalAlias: An alias that the network manager specified for the component.
entPhysicalAssetID: A user-assigned asset tracking identifier that the network manager specified for the component.
entPhysicalIsFRU: Indicates whether the component is a field-replaceable unit (FRU).
entPhysicalUris: The Common Language Equipment Identifier (CLEI) number of the component (for example, URN:CLEI:CNME120ARA).
RFC 4133 defines this MIB.
ENTITY-SENSOR-MIB
ENTITY-SENSOR-MIB adds support for physical sensors of networking equipment beyond what ENTITY-MIB defines. Use this MIB in tandem with the ENTITY-MIB to monitor the operational status of the physical components of a system (for example, fans and temperature sensors). For example, to troubleshoot issues that might result from environmental conditions, you can map the entity indexes from the ENTITY-MIB (entPhysicalDescr object) to operational status values (entPhySensorOperStatus object) in the ENTITY-SENSOR-MIB. In the following example, all the fans and temperature sensors for a PA-3020 firewall are working:
The same OID might refer to different sensors on different platforms. Use the ENTITY-MIB for the targeted platform to match the value to the description.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhySensorTable group. The supported portions vary by platform and include only thermal (temperature in Celsius) and fan (in RPM) sensors.
RFC 3433 defines the ENTITY-SENSOR-MIB.
ENTITY-STATE-MIB
ENTITY-STATE-MIB provides information about the state of physical components beyond what ENTITY-MIB defines, including the administrative and operational state of components in chassis-based platforms. Use this MIB in tandem with the ENTITY-MIB to monitor the operational state of the components of a PA-7000 Series firewall (for example, line cards, fan trays, and power supplies). For example, to troubleshoot log forwarding issues for Threat logs, you can map the log processing card (LPC) indexes from the ENTITY-MIB (entPhysicalDescr object) to operational state values (entStateOper object) in the ENTITY-STATE-MIB. The operational state values use numbers to indicate state: 1 for unknown, 2 for disabled, 3 for enabled, and 4 for testing. The PA-7000 Series firewall is the only Palo Alto Networks firewall that supports this MIB.
RFC 4268 defines the ENTITY-STATE-MIB.
IEEE 802.3 LAG MIB
Use the IEEE 802.3 LAG MIB to monitor the status of aggregate groups that have Link Aggregation Control Protocol (LACP) enabled. When the firewall logs LACP events, it also generates traps that are useful for troubleshooting. For example, the traps can tell you whether traffic interruptions between the firewall and an LACP peer resulted from lost connectivity or from mismatched interface speed and duplex values.
PAN-OS implements the following SNMP tables for LACP. Note that the dot3adTablesLastChanged object indicates the time of the most recent change to dot3adAggTable, dot3adAggPortListTable, and dot3adAggPortTable.
Table: Description
Aggregator Configuration Table (dot3adAggTable): This table contains information about every aggregate group that is associated with a firewall. Each aggregate group has one entry. Some table objects have restrictions, which the dot3adAggIndex object describes. This index is the unique identifier that the local system assigns to the aggregate group. It identifies an aggregate group instance among the subordinate managed objects of the containing object. The identifier is read-only. The ifTable MIB (a list of interface entries) does not support logical interfaces and therefore does not have an entry for the aggregate group.
Aggregation Port List Table (dot3adAggPortListTable): This table lists the ports associated with each aggregate group in a firewall. Each aggregate group has one entry. The dot3adAggPortListPorts attribute lists the complete set of ports associated with an aggregate group. Each bit set in the list represents a port member. For non-chassis platforms, this is a 64-bit value. For chassis platforms, the value is an array of eight 64-bit entries.
Aggregation Port Table (dot3adAggPortTable): This table contains LACP configuration information about every port associated with an aggregate group in a firewall. Each port has one entry. The table has no entries for ports that are not associated with an aggregate group.
The IEEE 802.3 LAG MIB includes the following LACP-related traps:
Trap Name: Description
panLACPLostConnectivityTrap: The peer lost connectivity to the firewall.
panLACPUnresponsiveTrap: The peer does not respond to the firewall.
panLACPNegoFailTrap: LACP negotiation with the peer failed.
panLACPSpeedDuplexTrap: The link speed and duplex settings on the firewall and peer do not match.
panLACPLinkDownTrap: An interface in the aggregate group is down.
panLACPLacpDownTrap: An interface was removed from the aggregate group.
panLACPLacpUpTrap: An interface was added to the aggregate group.
For the MIB definitions, refer to IEEE 802.3 LAG MIB.
LLDP-V2-MIB.my
Use the LLDP-V2-MIB to monitor Link Layer Discovery Protocol (LLDP) events. For example, you can check the lldpV2StatsRxPortFramesDiscardedTotal object to see the number of LLDP frames that were discarded for any reason. The Palo Alto Networks firewall uses LLDP to discover neighboring devices and their capabilities. LLDP makes troubleshooting easier, especially for virtual wire deployments where the ping or traceroute utilities won't detect the firewall.
Palo Alto Networks firewalls support all the LLDP-V2-MIB objects except:
The following lldpV2Statistics objects:
lldpV2StatsRemTablesLastChangeTime
lldpV2StatsRemTablesInserts
lldpV2StatsRemTablesDeletes
lldpV2StatsRemTablesDrops
lldpV2StatsRemTablesAgeouts
The following lldpV2RemoteSystemsData objects:
The lldpV2RemOrgDefInfoTable table
In the lldpV2RemTable table: lldpV2RemTimeMark
IEEE Std 802.1AB-2009 (the LLDP standard) defines this MIB.
BFD-STD-MIB
Use the Bidirectional Forwarding Detection (BFD) MIB to monitor and receive failure alerts for the bidirectional path between two forwarding engines, such as interfaces, data links, or the actual engines. For example, you can check the bfdSessState object to see the state of a BFD session between forwarding engines. In the Palo Alto Networks implementation, one of the forwarding engines is a firewall interface and the other is an adjacent configured BFD peer.
RFC 7331 defines this MIB.
PAN-COMMON-MIB.my
Use the PAN-COMMON-MIB to monitor the following information for Palo Alto Networks firewalls, Panorama, and WF-500 appliances:
Object Group: Description
panSys: Contains such objects as system software/hardware versions, dynamic content versions, serial number, HA mode/state, and global counters. The global counters include those related to Denial of Service (DoS), IP fragmentation, TCP state, and dropped packets. Tracking these counters enables you to monitor traffic irregularities that result from DoS attacks, system or connection faults, or resource limitations. PAN-COMMON-MIB supports global counters for firewalls but not for Panorama.
panChassis: Chassis type and M-Series appliance mode (Panorama or Log Collector).
panSession: Session utilization information. For example, the total number of active sessions on the firewall or a specific virtual system.
panMgmt: Status of the connection from the firewall to the Panorama management server.
panGlobalProtect: GlobalProtect gateway utilization as a percentage, maximum tunnels allowed, and number of active tunnels.
panLogCollector: Log Collector information such as the logging rate, log database storage duration (in days), and RAID disk usage.
PAN-GLOBAL-REG-MIB.my
PAN-GLOBAL-REG-MIB.my contains global, top-level OID definitions for various subtrees of Palo Alto Networks enterprise MIB modules. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.
PAN-GLOBAL-TC-MIB.my
PAN-GLOBAL-TC-MIB.my defines conventions (for example, character length and allowed characters) for the text values of objects in Palo Alto Networks enterprise MIB modules. All Palo Alto Networks products use these conventions. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.
PAN-LC-MIB.my
PAN-LC-MIB.my contains definitions of managed objects that Log Collectors (M-Series appliances in Log Collector mode) implement. Use this MIB to monitor the logging rate, log database storage duration (in days), and disk usage (in MB) of each logical disk (up to four) on a Log Collector. For example, you can use this information to determine whether you should add more Log Collectors or forward logs to an external server (for example, a syslog server) for arch iving.
PAN-PRODUCT-MIB.my
PAN-PRODUCT-MIB.my defines sysObjectID OIDs for all Palo Alto Networks products. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.
PAN-ENTITY-EXT-MIB.my
Use PAN-ENTITY-EXT-MIB.my in tandem with the ENTITY-MIB to monitor power usage for the physical components of a PA-7000 Series firewall (for example, fan trays and power supplies), which is the only Palo Alto Networks firewall that supports this MIB. For example, when troubleshooting log forwarding issues, you might want to check the power usage of the log processing cards (LPCs): you can map the LPC indexes from the ENTITY-MIB (entPhysicalDescr object) to values in the PAN-ENTITY-EXT-MIB (panEntryFRUModelPowerUsed object).
PAN-TRAPS.my
Use PAN-TRAPS.my to see a complete listing of all the generated traps and information about them (for example, a description). For a list of traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, refer to the PAN-COMMON-MIB.my > panCommonEvents > panCommonEventsEvents > panCommonEventEventsV2 object.
NetFlow Monitoring

NetFlow is an industry-standard protocol that the firewall can use to export statistics about the IP traffic that traverses its interfaces. The firewall exports the statistics as NetFlow fields to a NetFlow collector. The NetFlow collector is a server you use to analyze network traffic for security, administration, accounting and troubleshooting. All Palo Alto Networks firewalls support NetFlow (Version 9) except the PA-4000 Series and PA-7000 Series firewalls. The firewalls support only unidirectional NetFlow, not bidirectional. You can enable NetFlow exports on all interface types except HA, log card, or decrypt mirror. To identify firewall interfaces in a NetFlow collector, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors. The firewall supports standard and enterprise (PAN-OS specific) NetFlow templates.

  Configure NetFlow Exports
  NetFlow Templates
Configure NetFlow Exports

Step 1  Create a NetFlow server profile.
    1.
    2. Enter a Name for the profile.
    3. Specify the frequency at which the firewall refreshes NetFlow Templates in Minutes (default is 30) or Packets (default is 20), according to the requirements of your NetFlow collector.
    4. For the Active Timeout, specify the frequency in minutes at which the firewall exports records (default is 5).
    5.
    6. For each NetFlow collector (up to two per profile) that will receive fields, click Add and enter an identifying server Name, hostname or IP address (NetFlow Server), and access Port (default is 2055).
    7. Click OK to save the profile.

Step 2  Assign the NetFlow server profile to the interfaces that carry the traffic you want to analyze. In this example, you assign the profile to an existing Ethernet interface.
    1.
    2.
    3.

Step 3  Monitor the firewall traffic in a NetFlow collector.
    Refer to the documentation for your NetFlow collector.
    When monitoring statistics, you must match the interface indexes in the NetFlow collector with interface names in the firewall web interface. For details, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
NetFlow Templates

NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall selects a template based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate which one to use (in case the type of exported data changes) and to apply any changes to the fields in the selected template. When you Configure NetFlow Exports, you set the refresh frequency according to the requirements of your NetFlow collector.

The Palo Alto Networks firewall supports the following NetFlow templates:

Template                    ID
IPv4 Standard               256
IPv4 Enterprise             257
IPv6 Standard               258
IPv6 Enterprise             259
IPv4 with NAT Standard      260
IPv4 with NAT Enterprise    261
IPv6 with NAT Standard      262
IPv6 with NAT Enterprise    263

The following table lists the NetFlow fields that the firewall can send, along with the templates that define them:
Value   Field   Description   Templates

1       IN_BYTES
        Incoming counter with length N*8 bits for the number of bytes associated with an IP flow. By default, N is 4.
        Templates: All templates

2       IN_PKTS
        Incoming counter with length N*8 bits for the number of packets associated with an IP flow. By default, N is 4.
        Templates: All templates

4       PROTOCOL
        IP protocol byte.
        Templates: All templates

5       TOS
        Type of Service byte setting when entering the ingress interface.
        Templates: All templates

6       TCP_FLAGS
        Total of all the TCP flags in this flow.
        Templates: All templates

7       L4_SRC_PORT
        TCP/UDP source port number (for example, FTP, Telnet, or equivalent).
        Templates: All templates

8       IPV4_SRC_ADDR
        IPv4 source address.
        Templates: IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise

10      INPUT_SNMP
        Input interface index. The value length is 2 bytes by default, but higher values are possible. For details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
        Templates: All templates

11      L4_DST_PORT
        TCP/UDP destination port number (for example, FTP, Telnet, or equivalent).
        Templates: All templates

12      IPV4_DST_ADDR
        IPv4 destination address.
        Templates: IPv4 standard, IPv4 enterprise, IPv4 with NAT standard, IPv4 with NAT enterprise

14      OUTPUT_SNMP
        Output interface index. The value length is 2 bytes by default, but higher values are possible. For details on how Palo Alto Networks firewalls generate interface indexes, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors.
        Templates: All templates

21      LAST_SWITCHED
        System uptime in milliseconds when the last packet of this flow was switched.
        Templates: All templates

22      FIRST_SWITCHED
        System uptime in milliseconds when the first packet of this flow was switched.
        Templates: All templates

27      IPV6_SRC_ADDR
        IPv6 source address.
        Templates: IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise

28      IPV6_DST_ADDR
        IPv6 destination address.
        Templates: IPv6 standard, IPv6 enterprise, IPv6 with NAT standard, IPv6 with NAT enterprise

32      ICMP_TYPE
        Internet Control Message Protocol (ICMP) packet type. This is reported as: ICMP Type * 256 + ICMP code.
        Templates: All templates

61      DIRECTION
        Flow direction: 0 = ingress, 1 = egress.
        Templates: All templates

148     flowId
        An identifier of a flow that is unique within an observation domain. You can use this information element to distinguish between different flows if flow keys such as IP addresses and port numbers are not reported or are reported in separate records. The flow ID corresponds to the session ID field in Traffic and Threat logs.
        Templates: All templates

233     firewallEvent
        Indicates a firewall event: 0 = Ignore (invalid), 1 = Flow created, 2 = Flow deleted, 3 = Flow denied, 4 = Flow alert, 5 = Flow update (the session state changed from active to deny).
        Templates: All templates

225     postNATSourceIPv4Address
        The definition of this information element is identical to that of sourceIPv4Address, except that it reports a modified value that the firewall produced during network address translation after the packet traversed the interface.
        Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

226     postNATDestinationIPv4Address
        The definition of this information element is identical to that of destinationIPv4Address, except that it reports a modified value that the firewall produced during network address translation after the packet traversed the interface.
        Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

227     postNAPTSourceTransportPort
        The definition of this information element is identical to that of sourceTransportPort, except that it reports a modified value that the firewall produced during network address port translation after the packet traversed the interface.
        Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

228     postNAPTDestinationTransportPort
        The definition of this information element is identical to that of destinationTransportPort, except that it reports a modified value that the firewall produced during network address port translation after the packet traversed the interface.
        Templates: IPv4 with NAT standard, IPv4 with NAT enterprise

281     postNATSourceIPv6Address
        The definition of this information element is identical to the definition of information element sourceIPv6Address, except that it reports a modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 for the definition of the source address field in the IPv6 header. See RFC 6146 for the NAT64 specification.
        Templates: IPv6 with NAT standard, IPv6 with NAT enterprise

282     postNATDestinationIPv6Address
        The definition of this information element is identical to the definition of information element destinationIPv6Address, except that it reports a modified value that the firewall produced during NAT64 network address translation after the packet traversed the interface. See RFC 2460 for the definition of the destination address field in the IPv6 header. See RFC 6146 for the NAT64 specification.
        Templates: IPv6 with NAT standard, IPv6 with NAT enterprise

346     privateEnterpriseNumber
        This is a unique private enterprise number that identifies Palo Alto Networks: 25461.
        Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

56701   App-ID
        The name of an application that App-ID identified. The name can be up to 32 bytes.
        Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise

56702   User-ID
        A username that User-ID identified. The name can be up to 64 bytes.
        Templates: IPv4 enterprise, IPv4 with NAT enterprise, IPv6 enterprise, IPv6 with NAT enterprise
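As an added example (not code from the guide), the following Python decodes a NetFlow v9 export the way a collector must: it caches the template flowset that the firewall sends, then uses it to decode data records, including the ICMP_TYPE type/code packing, the firewallEvent values, and the PAN-OS enterprise App-ID and User-ID fields listed above. The packet is constructed here to match template 257 (IPv4 Enterprise); the addresses, names, and per-field lengths in it are assumptions.

```python
"""Decode a NetFlow v9 export carrying the PAN-OS fields (RFC 3954 layout).

Added example: the packet is constructed below, not captured from a firewall.
"""
import ipaddress
import struct

# Field type -> name from the table above; 56701/56702 are the PAN-OS
# enterprise fields App-ID and User-ID.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED",
    22: "FIRST_SWITCHED", 27: "IPV6_SRC_ADDR", 28: "IPV6_DST_ADDR",
    32: "ICMP_TYPE", 61: "DIRECTION", 148: "flowId",
    225: "postNATSourceIPv4Address", 226: "postNATDestinationIPv4Address",
    227: "postNAPTSourceTransportPort", 228: "postNAPTDestinationTransportPort",
    233: "firewallEvent", 281: "postNATSourceIPv6Address",
    282: "postNATDestinationIPv6Address", 346: "privateEnterpriseNumber",
    56701: "AppID", 56702: "UserID",
}
PAN_TEMPLATES = {
    256: "IPv4 Standard", 257: "IPv4 Enterprise", 258: "IPv6 Standard",
    259: "IPv6 Enterprise", 260: "IPv4 with NAT Standard",
    261: "IPv4 with NAT Enterprise", 262: "IPv6 with NAT Standard",
    263: "IPv6 with NAT Enterprise",
}
FIREWALL_EVENTS = {0: "Ignore (invalid)", 1: "Flow created", 2: "Flow deleted",
                   3: "Flow denied", 4: "Flow alert", 5: "Flow update"}
IPV4_FIELDS, IPV6_FIELDS = {8, 12, 225, 226}, {27, 28, 281, 282}


def decode_field(ftype, raw):
    """Turn the raw bytes of one field into a readable value."""
    if ftype in IPV4_FIELDS:
        return str(ipaddress.IPv4Address(raw))
    if ftype in IPV6_FIELDS:
        return str(ipaddress.IPv6Address(raw))
    if ftype in (56701, 56702):          # App-ID / User-ID: NUL-padded text
        return raw.rstrip(b"\x00").decode("utf-8", "replace")
    value = int.from_bytes(raw, "big")
    if ftype == 32:                      # ICMP_TYPE = ICMP type * 256 + ICMP code
        return {"type": value // 256, "code": value % 256}
    if ftype == 233:
        return FIREWALL_EVENTS.get(value, "unknown (%d)" % value)
    if ftype == 61:
        return "ingress" if value == 0 else "egress"
    return value


def parse_netflow_v9(packet, templates=None):
    """Return decoded data records; `templates` caches templates per source ID."""
    templates = {} if templates is None else templates
    version, _, _, _, _, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4:
            break                        # malformed length: stop instead of looping
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:              # template flowset: id, count, (type, len)...
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                    for i in range(nfields)]
                pos += 4 * nfields
        elif flowset_id >= 256:          # data flowset, keyed by template ID
            fields = templates.get((source_id, flowset_id))
            if fields:                   # no template yet: records cannot be decoded
                rec_len, pos = sum(flen for _, flen in fields), 0
                while pos + rec_len <= len(body):   # leftover bytes are 32-bit padding
                    rec = {"template": PAN_TEMPLATES.get(flowset_id, flowset_id)}
                    for ftype, flen in fields:
                        name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                        rec[name] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        offset += length
    return records


def build_sample_packet():
    """Constructed packet: template 257 (IPv4 Enterprise) plus one data record."""
    fields = [(1, 4), (2, 4), (4, 1), (7, 2), (8, 4), (10, 2), (11, 2), (12, 4),
              (14, 2), (32, 2), (61, 1), (148, 4), (233, 1), (346, 4),
              (56701, 32), (56702, 64)]
    tmpl = struct.pack("!HH", 257, len(fields))
    tmpl += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    record = (struct.pack("!IIBH", 1500, 3, 1, 0)       # bytes, packets, ICMP, src port
              + ipaddress.IPv4Address("10.1.1.25").packed
              + struct.pack("!HH", 6, 0)                 # INPUT_SNMP 6 (PA-5000 Eth1/4)
              + ipaddress.IPv4Address("192.0.2.10").packed
              + struct.pack("!HHB", 3, 8 * 256 + 0, 0)   # OUTPUT_SNMP, echo request, ingress
              + struct.pack("!IBI", 4711, 3, 25461)      # flowId, Flow denied, PAN PEN
              + b"ping".ljust(32, b"\x00") + b"acme\\jsmith".ljust(64, b"\x00"))
    record += b"\x00" * (-len(record) % 4)               # pad flowset to 32 bits
    data_flowset = struct.pack("!HH", 257, 4 + len(record)) + record
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)
    return header + tmpl_flowset + data_flowset


if __name__ == "__main__":
    for rec in parse_netflow_v9(build_sample_packet()):
        print(rec)
```

Because template IDs are only meaningful per exporting source ID, pass the same `templates` dictionary to every call so a data flowset that arrives before its template is skipped rather than mis-decoded.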
Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

When you use a NetFlow collector (see NetFlow Monitoring) or SNMP manager (see SNMP Monitoring and Traps) to monitor the Palo Alto Networks firewall, an interface index (SNMP ifIndex object) identifies the interface that carried a particular flow (see Figure: Interface Indexes in an SNMP Manager). In contrast, the firewall web interface uses interface names as identifiers (for example, ethernet1/1), not indexes. To understand which statistics that you see in a NetFlow collector or SNMP manager apply to which firewall interface, you must be able to match the interface indexes with interface names.

Figure: Interface Indexes in an SNMP Manager

You can match the indexes with names by understanding the formulas that the firewall uses to calculate indexes. The formulas vary by platform and interface type: physical or logical.
Physical interface indexes have a range of 1-9999, which the firewall calculates as follows:

Firewall Platform: Non-chassis based: VM-Series, PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series. (The PA-4000 Series platform supports SNMP but not NetFlow.)
    Calculation: MGT port + physical port offset
        MGT port: This is a constant that depends on the platform: 2 for hardware-based firewalls (for example, the PA-5000 Series firewall); 1 for the VM-Series firewall.
        Physical port offset: This is the physical port number.
    Example Interface Index: PA-5000 Series firewall, Eth1/4 = 2 (MGT port) + 4 (physical port) = 6

Firewall Platform: Chassis based: PA-7000 Series firewalls. (This platform supports SNMP but not NetFlow.)
    Calculation: (Max. ports * slot) + physical port offset + MGT port
        Maximum ports: This is a constant of 64.
        Slot: This is the chassis slot number of the network interface card.
        Physical port offset: This is the physical port number.
        MGT port: This is a constant of 5 for PA-7000 Series firewalls.
    Example Interface Index: PA-7000 Series firewall, Eth3/9 = [64 (max. ports) * 3 (slot)] + 9 (physical port) + 5 (MGT port) = 206
Logical interface indexes for all platforms are nine-digit numbers that the firewall calculates as follows. Digit 9 is the most significant digit, so the slot occupies the millions position (digits 7-8), the port the ten-thousands position (digits 5-6), and the suffix the last four digits (digits 1-4):

Interface Type: Layer 3 subinterface
    Range: 101010001-199999999
    Digit 9: Type: 1
    Digits 7-8: Interface slot: 1-9 (01-09)
    Digits 5-6: Interface port: 1-9 (01-09)
    Digits 1-4: Subinterface suffix: 1-9999 (0001-9999)
    Example Interface Index: Eth1/5.22 = 100000000 (type) + 1000000 (slot) + 50000 (port) + 22 (suffix) = 101050022

Interface Type: Layer 2 subinterface
    Range: 101010001-199999999
    Digit 9: Type: 1
    Digits 7-8: Interface slot: 1-9 (01-09)
    Digits 5-6: Interface port: 1-9 (01-09)
    Digits 1-4: Subinterface suffix: 1-9999 (0001-9999)
    Example Interface Index: Eth2/3.6 = 100000000 (type) + 2000000 (slot) + 30000 (port) + 6 (suffix) = 102030006

Interface Type: Vwire subinterface
    Range: 101010001-199999999
    Digit 9: Type: 1
    Digits 7-8: Interface slot: 1-9 (01-09)
    Digits 5-6: Interface port: 1-9 (01-09)
    Digits 1-4: Subinterface suffix: 1-9999 (0001-9999)
    Example Interface Index: Eth4/2.312 = 100000000 (type) + 4000000 (slot) + 20000 (port) + 312 (suffix) = 104020312

Interface Type: VLAN
    Range: 200000001-200009999
    Digit 9: Type: 2
    Digits 7-8: 00
    Digits 5-6: 00
    Digits 1-4: VLAN suffix: 1-9999 (0001-9999)
    Example Interface Index: VLAN.55 = 200000000 (type) + 55 (suffix) = 200000055

Interface Type: Loopback
    Range: 300000001-300009999
    Digit 9: Type: 3
    Digits 7-8: 00
    Digits 5-6: 00
    Digits 1-4: Loopback suffix: 1-9999 (0001-9999)
    Example Interface Index: Loopback.55 = 300000000 (type) + 55 (suffix) = 300000055

Interface Type: Tunnel
    Range: 400000001-400009999
    Digit 9: Type: 4
    Digits 7-8: 00
    Digits 5-6: 00
    Digits 1-4: Tunnel suffix: 1-9999 (0001-9999)
    Example Interface Index: Tunnel.55 = 400000000 (type) + 55 (suffix) = 400000055

Interface Type: Aggregate group
    Range: 500010001-500089999
    Digit 9: Type: 5
    Digits 7-8: 00
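An added example (not from the guide) that turns the formulas above into code: it computes the index for a physical or logical interface name as the firewall would, and decodes an index back to a name, which is what you need to line up NetFlow or SNMP statistics with the web interface. The platform labels (hardware, vm-series, pa-7000) are names chosen here, and the aggregate group type is left out.

```python
"""Compute and decode PAN-OS interface indexes (ifIndex / INPUT_SNMP values).

Added example, not from the guide. Names follow the web interface form
(ethernet1/5.22, vlan.55, loopback.55, tunnel.55); the guide's "Eth1/4"
spelling is accepted too.
"""
import re

MGT_PORT = {"hardware": 2, "vm-series": 1, "pa-7000": 5}   # constants from the table
MAX_PORTS_PER_SLOT = 64                                   # PA-7000 Series only
LOGICAL_TYPE = {"subinterface": 1, "vlan": 2, "loopback": 3, "tunnel": 4}
TYPE_NAME = {v: k for k, v in LOGICAL_TYPE.items()}

PHYSICAL_RE = re.compile(r"^eth(?:ernet)?(\d+)/(\d+)$")
SUBIF_RE = re.compile(r"^eth(?:ernet)?(\d+)/(\d+)\.(\d+)$")
LOGICAL_RE = re.compile(r"^(vlan|loopback|tunnel)\.(\d+)$")


def physical_ifindex(slot, port, platform):
    """Physical index (1-9999): MGT port + port offset, plus 64 * slot on a PA-7000."""
    if platform == "pa-7000":
        return MAX_PORTS_PER_SLOT * slot + port + MGT_PORT[platform]
    if slot != 1:
        raise ValueError("non-chassis platforms have a single slot")
    return MGT_PORT[platform] + port


def logical_ifindex(kind, suffix, slot=0, port=0):
    """Nine-digit index: type (digit 9), slot (7-8), port (5-6), suffix (1-4)."""
    if not 1 <= suffix <= 9999 or not 0 <= slot <= 9 or not 0 <= port <= 9:
        raise ValueError("suffix must be 1-9999; slot and port 0-9")
    return LOGICAL_TYPE[kind] * 100_000_000 + slot * 1_000_000 + port * 10_000 + suffix


def ifindex_from_name(name, platform="hardware"):
    """Map a web-interface name to the index an SNMP manager or NetFlow collector shows."""
    name = name.lower()
    m = SUBIF_RE.match(name)
    if m:
        slot, port, suffix = (int(g) for g in m.groups())
        return logical_ifindex("subinterface", suffix, slot, port)
    m = LOGICAL_RE.match(name)
    if m:
        return logical_ifindex(m.group(1), int(m.group(2)))
    m = PHYSICAL_RE.match(name)
    if m:
        return physical_ifindex(int(m.group(1)), int(m.group(2)), platform)
    raise ValueError("unrecognised interface name: %s" % name)


def name_from_ifindex(index, platform="hardware"):
    """Reverse mapping; the platform matters only for physical (four-digit) indexes."""
    if index < 10_000:
        base = index - MGT_PORT[platform]
        if platform == "pa-7000":
            return "ethernet%d/%d" % divmod(base, MAX_PORTS_PER_SLOT)
        return "ethernet1/%d" % base
    kind = TYPE_NAME[index // 100_000_000]
    slot, rest = divmod(index % 100_000_000, 1_000_000)
    port, suffix = divmod(rest, 10_000)
    if kind == "subinterface":
        return "ethernet%d/%d.%d" % (slot, port, suffix)
    return "%s.%d" % (kind, suffix)


if __name__ == "__main__":
    for name, platform in [("Eth1/4", "hardware"), ("Eth3/9", "pa-7000"),
                           ("ethernet1/5.22", "hardware"), ("vlan.55", "hardware")]:
        idx = ifindex_from_name(name, platform)
        print(name, "->", idx, "->", name_from_ifindex(idx, platform))
```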
User-ID

The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen security policies and reduce incident response times. User-ID, a standard feature on the Palo Alto Networks firewall, enables you to leverage user information stored in a wide range of repositories. The following topics provide more details about User-ID and how to configure it:
  User-ID Overview
  User-ID Concepts
  Enable User-ID
  Map Users to Groups
  Map IP Addresses to Users
  Enable User- and Group-Based Policy
  Enable Policy for Users with Multiple Accounts
  Verify the User-ID Configuration
  Deploy User-ID in a Large-Scale Network
User-ID Overview

User-ID enables you to identify all users on your network using a variety of techniques to ensure that you can identify users in all locations using a variety of access methods and operating systems, including Microsoft Windows, Apple iOS, Mac OS, Android, and Linux/UNIX. Knowing who your users are instead of just their IP addresses enables:

  Visibility: Improved visibility into application usage based on users gives you a more relevant picture of network activity. The power of User-ID becomes evident when you notice a strange or unfamiliar application on your network. Using either ACC or the log viewer, your security team can discern what the application is, who the user is, the bandwidth and session consumption, along with the source and destination of the application traffic, as well as any associated threats.

  Policy control: Tying user information to Security policy rules improves safe enablement of applications traversing the network and ensures that only those users who have a business need for an application have access. For example, some applications, such as SaaS applications that enable access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not.

  Logging, reporting, forensics: If a security incident occurs, forensics analysis and reporting based on user information rather than just IP addresses provides a more complete picture of the incident. For example, you can use the predefined User/Group Activity report to see a summary of the web activity of individual users or user groups, or the SaaS Application Usage report to see which users are transferring the most data over unsanctioned SaaS applications.

To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets it receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For example, the User-ID agent monitors server logs for login events and listens for syslog messages from authenticating services. To identify mappings for IP addresses that the agent didn't map, you can configure the firewall to redirect HTTP requests to a Captive Portal login. You can tailor the user mapping mechanisms to suit your environment, and even use different mechanisms at different sites to ensure that you are safely enabling access to applications for all users, in all locations, all the time.

Figure: User-ID
To enable user- and group-based policy enforcement, the firewall requires a list of all available users and their corresponding group memberships so that you can select groups when defining your policy rules. The firewall collects Group Mapping information by connecting directly to your LDAP directory server, or using XML API integration with your directory server.

See User-ID Concepts for information on how User-ID works and Enable User-ID for instructions on setting up User-ID.

User-ID does not work in environments where the source IP addresses of users are subject to NAT translation before the firewall maps the IP addresses to usernames.
User-ID Concepts

  Group Mapping
  User Mapping

Group Mapping

To define policy rules based on user or group, first you create an LDAP server profile that defines how the firewall connects and authenticates to your directory server. The firewall supports a variety of directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The server profile also defines how the firewall searches the directory to retrieve the list of groups and the corresponding list of members. If you are using a directory server that is not natively supported by the firewall, you can integrate the group mapping function using the XML API. You can then create a group mapping configuration to Map Users to Groups and Enable User- and Group-Based Policy.

Defining policy rules based on group membership rather than on individual users simplifies administration because you don't have to update the rules whenever new users are added to a group. When configuring group mapping, you can limit which groups will be available in policy rules. You can specify groups that already exist in your directory service or define custom groups based on LDAP filters. Defining custom groups can be quicker than creating new groups or changing existing ones on an LDAP server, and doesn't require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match the filter to the custom group. For example, you might want a security policy that allows contractors in the Marketing Department to access social networking sites. If no Active Directory group exists for that department, you can configure an LDAP filter that matches users for whom the LDAP attribute Department is set to Marketing. Log queries and reports that are based on user groups will include custom groups.

User Mapping

Knowing user and group names is only one piece of the puzzle. The firewall also needs to know which IP addresses map to which users so that security rules can be enforced appropriately. Figure: User-ID illustrates the different methods that are used to identify users and groups on your network and shows how user mapping and group mapping work together to enable user- and group-based security enforcement and visibility. The following topics describe the different methods of user mapping:
  Server Monitoring
  Port Mapping
  Syslog
  XFF Headers
  Captive Portal
  GlobalProtect
  XML API
  Client Probing
Server Monitoring

With server monitoring, a User-ID agent (either a Windows-based agent running on a domain server in your network, or the integrated PAN-OS User-ID agent running on the firewall) monitors the security event logs for specified Microsoft Exchange Servers, Domain Controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. Note that for these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.

Port Mapping

In environments with multi-user systems, such as Microsoft Terminal Server or Citrix environments, many users share the same IP address. In this case, the user-to-IP-address mapping process requires knowledge of the source port of each client. To perform this type of mapping, you must install the Palo Alto Networks Terminal Services Agent on the Windows/Citrix terminal server itself to intermediate the assignment of source ports to the various user processes. For terminal servers that do not support the Terminal Services agent, such as Linux terminal servers, you can use the XML API to send user mapping information from login and logout events to User-ID. See Configure User Mapping for Terminal Server Users for configuration details.

XFF Headers

User-ID can read the IPv4 or IPv6 addresses of users from the X-Forwarded-For (XFF) header in HTTP client requests when the firewall is deployed between the Internet and a proxy server that would otherwise hide the user IP addresses. User-ID matches the true user IP addresses with usernames. See Configure the firewall to obtain the user IP address from the X-Forwarded-For (XFF) header.

Captive Portal

If the firewall or the User-ID agent can't map an IP address to a username (for example, if the user isn't logged in or uses an operating system such as Linux that your domain servers don't support), you can configure Captive Portal. Any web traffic (HTTP or HTTPS) that matches a Captive Portal policy rule requires user authentication. You can base the authentication on a transparent browser challenge (Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication), web form (for RADIUS, TACACS+, LDAP, Kerberos, or local database authentication), or client certificates. For details, see Map IP Addresses to Usernames Using Captive Portal.
Syslog

In environments with existing network services that authenticate users (such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms), the firewall User-ID agent (either the Windows agent or the PAN-OS integrated agent on the firewall) can listen for authentication syslog messages from those services. Syslog filters, which are provided by a content update (integrated User-ID agent only) or configured manually, allow the User-ID agent to parse and extract usernames and IP addresses from authentication syslog events generated by the external service, and add the information to the User-ID IP-address-to-username mappings maintained by the firewall. See Configure User-ID to Receive User Mappings from a Syslog Sender for configuration details.

Figure: User-ID Integration with Syslog

GlobalProtect

For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user to enter login credentials for VPN access to the firewall. This login information is then added to the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because GlobalProtect users must authenticate to gain access to the network, the IP-address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. For more information on setting up GlobalProtect, refer to the GlobalProtect Administrator's Guide.
XML API

Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to an 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent. See Send User Mappings to User-ID Using the XML API for details.

Client Probing

In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using Windows Management Instrumentation (WMI) and/or NetBIOS probing at regular intervals to verify that an existing user mapping is still valid or to obtain the username for an IP address that is not yet mapped. NetBIOS probing is only supported on the Windows-based User-ID agent; it is not supported on the PAN-OS integrated User-ID agent.

Client probing was designed for legacy networks where most users were on Windows workstations on the internal network, but is not ideal for today's more modern networks that support a roaming and mobile user base on a variety of devices and operating systems. Additionally, client probing can generate a large amount of network traffic (based on the total number of mapped IP addresses) and can pose a security threat when misconfigured. Therefore, client probing is no longer a recommended method for user mapping. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which allow you to safely capture user mapping information from any device type or operating system. If you have sensitive applications that require you to know exactly who a user is, configure Captive Portal to ensure that you are only allowing access to authorized users.

Because WMI probing trusts data reported back from the endpoint, it is not a recommended method of obtaining User-ID information in a high-security network. If you are using the User-ID agent to parse AD security event logs, syslog messages, or the XML API to obtain User-ID mappings, Palo Alto Networks recommends disabling WMI probing.

If you do choose to use WMI probing, do not enable it on external, untrusted interfaces, as this would cause the agent to send WMI probes containing sensitive information such as the username, domain name, and password hash of the User-ID agent service account outside of your network. This information could potentially be exploited by an attacker to penetrate the network to gain further access.

If you do choose to enable probing in your trusted zones, the agent will probe each learned IP address periodically (every 20 minutes by default, but this is configurable) to verify that the same user is still logged in. In addition, when the firewall encounters an IP address for which it has no user mapping, it will send the address to the agent for an immediate probe.

See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.
Enable User-ID

The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen your security policy and reduce incident response times. User-ID enables you to leverage user information stored in a wide range of repositories for visibility, user- and group-based policy control, and improved logging, reporting, and forensics.

On PA-5060 and PA-7000 Series firewalls that have the multiple virtual systems capability disabled, you can base policies on up to 3,200 distinct user groups. If these platforms have multiple virtual systems, the limit is 640 groups. All other firewall platforms support up to 640 groups per virtual system or per firewall (if it doesn't have multiple virtual systems).

Use the following workflow to configure User-ID.

Configure User-ID

Step 1  Enable User-ID on the source zones that contain the users who will send requests that require user-based access controls.
    1.
    2.
    Enable User-ID on trusted zones only. If you enable User-ID and client probing on an external untrusted zone (such as the internet), probes could be sent outside your protected network, resulting in an information disclosure of the User-ID agent service account name, domain name, and encrypted password hash, which could allow an attacker to gain unauthorized access to protected resources.

Step 2  Create a Dedicated Service Account for the User-ID Agent.
    This is required if you plan to use the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to monitor domain controllers, Exchange servers, or Windows clients for user login and logout events.
    Create a service account with the minimum set of permissions required to support the User-ID options you enable to reduce your attack surface in the event that the service account is compromised.

Step 3  Map Users to Groups.
    This enables the firewall to connect to your LDAP directory and retrieve Group Mapping information so that you will be able to select usernames and group names when creating policy.
Step 4  Map IP Addresses to Users.
    The way you do this depends on where your users are located and what types of systems they are using, and what systems on your network are collecting login and logout events for your users. You must configure one or more User-ID agents to enable User Mapping:
      Configure User Mapping Using the Windows User-ID Agent.
      Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
      Configure User-ID to Receive User Mappings from a Syslog Sender.
      Configure User Mapping for Terminal Server Users.
      Send User Mappings to User-ID Using the XML API.
    As a best practice, do not enable client probing as a user mapping method on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.

Step 5  Specify the networks to include and exclude from user mapping.
    Configure each agent that you configured for user mapping as follows:
      Specify the subnetworks the Windows User-ID agent should include in or exclude from User-ID.
      Specify the subnetworks the PAN-OS integrated User-ID agent should include in or exclude from user mapping.
    As a best practice, always specify which networks to include and exclude from User-ID. This allows you to ensure that only your trusted assets are probed and that unwanted user mappings are not created unexpectedly.

Step 6  Enable user- and group-based policy enforcement.
    After configuring User-ID, you will be able to choose a username or group name when defining the source or destination of a security rule:
    1.
    2. Select the User tab and specify which users and groups to match in the rule in one of the following ways:
       If you want to select specific users/groups as matching criteria, click the Add button in the Source User section to display a list of users and groups discovered by the firewall group mapping function. Select the users and/or groups to add to the rule.
       If you want to match any user who has or has not authenticated and you don't need to know the specific user or group name, select known-user or unknown from the drop-down above the Source User list.
    3. Configure the rest of the rule as appropriate and then click OK to save it. For details on other fields in the security rule, see Set Up a Basic Security Policy.
    Create rules based on group rather than user whenever possible. This prevents you from having to continually update your rules (which requires a commit) whenever your user base changes.
Step 7  Create the Security policy rules to safely enable User-ID within your trusted zones and prevent User-ID traffic from egressing your network.
    Follow the Best Practice Internet Gateway Security Policy to ensure that the User-ID application (paloalto-userid-agent) is only allowed in the zones where your agents (both your Windows agents and your PAN-OS integrated agents) are monitoring services and distributing mappings to firewalls. Specifically:
      Allow the paloalto-userid-agent application between the zones where your agents reside and the zones where the monitored servers reside (or even better, between the specific systems that host the agent and the monitored servers).
      Allow the paloalto-userid-agent application between the agents and the firewalls that need the user mappings and between firewalls that are redistributing user mappings and the firewalls they are redistributing the information to.
      Deny the paloalto-userid-agent application to any external zone, such as your internet zone.

Step 8  Configure Captive Portal.
    Because Captive Portal authenticates users rather than relying on user mappings, it is useful for ensuring that you know exactly who is accessing your most sensitive applications and data. You can configure Captive Portal as the fallback to identify users who have not yet been identified using another user mapping method before allowing access.
    1.
    2. Add a Name for the rule.
    3. Define the matching criteria for the rule by completing the Source, Destination, and Service/URL Category tabs as appropriate to match the traffic you want to authenticate. The matching criteria on these tabs are the same as the criteria you define when creating a Security policy rule. See Set Up a Basic Security Policy for details.
    4. Define the Action to take on traffic that matches the rule:
       no-captive-portal: Allow traffic to pass without presenting a Captive Portal page for authentication.
       web-form: Present a Captive Portal page for the user to explicitly enter authentication credentials or use client certificate authentication.
       browser-challenge: Transparently obtain user authentication credentials. If you select this action, you must enable Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication when you Configure Captive Portal. If Kerber;os SSO authentication fails, the firewall falls back to NTLM authentication. If you didn't configure NTLM, or NTLM authentication fails, the firewall falls back to web-form authentication.
    5. Click OK and Commit.
    As a best practice, choose Kerberos transparent authentication over NTLM authentication when configuring Captive Portal. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.
Step 9  Configure the firewall to obtain the user IP address from the X-Forwarded-For (XFF) header.
    When the firewall is between the Internet and a proxy server, the IP address in the packet the firewall sees is for the proxy server rather than the user. To enable visibility of the user IP address instead, configure the firewall to use the XFF header for user mapping. With this option enabled, the firewall matches the IP addresses with usernames referenced in policy to enable control and visibility for the associated users and groups. For details, see Identify Users Connected through a Proxy Server.
    1.
    2.
    3.

Step 10  Verify the User-ID Configuration.
    After you configure user mapping and group mapping, verify that it is working properly and that you can safely enable and monitor user and group access to the applications, resources, and services.
MapUserstoGroups
Definingpolicyrulesbasedonusergroupmembershipratherthanindividualuserssimplifiesadministration
becauseyoudonthavetoupdatetheruleswhenevergroupmembershipchanges.Usethefollowing
proceduretoenablethefirewalltoconnecttoyourLDAPdirectoryandretrieveGroupMapping
information.YoucanthenEnableUserandGroupBasedPolicy.
ThefollowingarebestpracticesforgroupmappinginanActiveDirectory(AD)environment:
Ifyouhaveasingledomain,youneedonlyoneLDAPserverprofilethatconnectsthefirewalltothe
domaincontrollerwiththebestconnectivity.Youcanaddadditionaldomaincontrollersforfault
tolerance.
Ifyouhavemultipledomainsand/ormultipleforests,youmustcreateaserverprofiletoconnecttoa
domainserverineachdomain/forest.Takestepstoensureuniqueusernamesinseparateforests.
IfyouhaveUniversalGroups,createaserverprofiletoconnecttotheGlobalCatalogserver.
MapUserstoGroups
Step1
AddanLDAPserverprofile.
Theprofiledefineshowthefirewall
connectstothedirectoryserversfrom
whichitcollectsgroupmapping
information.Youcanadduptofour
serverstotheprofilebuttheymustbe
thesameType.
Configure an LDAP Server Profile:
1.
2. For each LDAP server, click Add and enter the server Name, IP address (LDAP Server), and Port (default is 389).
3. Based on your Type selection (for example, active-directory), the firewall automatically populates the correct LDAP attributes in the group mapping settings. However, if you customized your LDAP schema, you might need to modify the default settings.
4. In the Base DN field, enter the Distinguished Name (DN) of the LDAP tree location where you want the firewall to begin its search for user and group information.
5. Enter the authentication credentials for binding to the LDAP tree in the Bind DN, Password, and Confirm Password fields. The Bind DN can be a fully qualified LDAP name (for example, cn=administrator,cn=users,dc=acme,dc=local) or a user principal name (for example, administrator@acme.local).
6. Click OK to save the profile.
Map Users to Groups (Continued)
Step 2
Configure the server settings in a group mapping configuration.
1.
2.
3.
4. Select the LDAP Server Profile you just created.
5. (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
6. (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects section, enter a Search Filter (LDAP query), Object Class (group definition), Group Name, and Group Member.
7. (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section, enter a Search Filter (LDAP query), Object Class (user definition), and User Name.
8. (Optional) To match User-ID information with email header information identified in the links and attachments of emails forwarded to WildFire, enter the list of email domains in your organization in the Mail Domains section, Domain List field. Use commas to separate multiple domains (up to 256 characters). After you click OK, PAN-OS automatically populates the Mail Attributes field based on your LDAP server type (Sun/RFC, Active Directory, or Novell). When a match occurs, the username in the WildFire log email header section will contain a link that opens the ACC tab, filtered by user or user group.
9. Make sure the Enabled check box is selected.
Map Users to Groups (Continued)
Step 3
Limit which groups will be available in policy rules.
Required only if you want to limit policy rules to specific groups. By default, if you don't specify groups, all groups are available in policy rules.
Any custom groups you create will also be available in the Allow List of authentication profiles.
1. Add existing groups from the directory service:
   a. Select the Group Include List tab.
   b. In the Available Groups list, select the groups you want to appear in policy rules and click the Add icon.
2. If you want to base policy rules on user attributes that don't match existing user groups, create custom groups based on LDAP filters:
   a. Select the Custom Group tab and click Add.
   b. Enter a group Name that is unique in the group mapping configuration for the current firewall or virtual system. If the Name has the same value as the Distinguished Name (DN) of an existing AD group domain, the firewall uses the custom group in all references to that name (for example, in policies and logs).
   c. Specify an LDAP Filter of up to 2,048 UTF-8 characters and click OK. The firewall doesn't validate LDAP filters, so it's up to you to ensure they are accurate.
   To minimize the performance impact on the LDAP directory server, use only indexed attributes in the filter.
3. Click OK and Commit. A commit is necessary before custom groups will be available in policies and objects.
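Because the firewall does not validate the LDAP Filter of a custom group (Step 3, item 2c), a malformed filter only shows up later as an empty group, and a policy rule that references an empty group silently matches nobody. The following added example (not PAN-OS code) is an offline syntax check for RFC 4515 filter strings that you can run before pasting a filter into the Custom Group dialog; it is stricter than the RFC in one respect, namely that it requires at least one sub-filter inside & and |. It also enforces the 2,048-character limit stated for the field.

```python
"""Added example, not PAN-OS code: syntax check for an LDAP search filter
(RFC 4515) before it is used as a User-ID custom group definition."""
import re

MAX_FILTER_LEN = 2048   # limit stated for the Custom Group LDAP Filter field

# attribute description: name or OID, optionally followed by ";option" parts
_ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)(;[A-Za-z0-9-]+)*$")
_HEX_ESCAPE = re.compile(r"\\[0-9A-Fa-f]{2}")
_ITEM = re.compile(r"([^=~<>()]*)(~=|>=|<=|=)")   # attribute followed by operator


class FilterError(ValueError):
    """Raised with the offset and reason of the first syntax problem."""


def _check_value(value: str, pos: int) -> None:
    """Values may not contain raw ( ) or NUL; a backslash must start a \\xx hex escape."""
    i = 0
    while i < len(value):
        c = value[i]
        if c in "()\x00":
            raise FilterError(f"unescaped {c!r} in value at offset {pos + i}")
        if c == "\\":
            if not _HEX_ESCAPE.match(value, i):
                raise FilterError(f"bad escape at offset {pos + i}: use \\xx with two hex digits")
            i += 3
            continue
        i += 1


def _parse(s: str, i: int) -> int:
    """Parse one parenthesised filter starting at s[i]; return the index after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter")
    if s[i] in "&|":                      # and / or: one or more sub-filters follow
        op = s[i]
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            count += 1
        if count == 0:
            raise FilterError(f"'{op}' at offset {i - 1} needs at least one sub-filter")
    elif s[i] == "!":                     # not: exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                 # simple item: attr op value
        m = _ITEM.match(s, i)
        if not m:
            raise FilterError(f"expected attribute=value at offset {i}")
        attr, op = m.group(1), m.group(2)
        if not _ATTR.match(attr):
            raise FilterError(f"invalid attribute name {attr!r} at offset {i}")
        i = m.end()
        end = s.find(")", i)              # a literal ')' inside a value must be \29
        if end == -1:
            raise FilterError(f"missing ')' for the item at offset {i}")
        value = s[i:end]
        if op != "=" and "*" in value:
            raise FilterError(f"'*' is only valid with '=' (offset {i})")
        _check_value(value, i)
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


def validate_ldap_filter(flt: str):
    """Return (True, 'ok') or (False, reason)."""
    if len(flt) > MAX_FILTER_LEN:
        return False, f"filter is {len(flt)} characters; the field allows {MAX_FILTER_LEN}"
    try:
        end = _parse(flt, 0)
    except FilterError as exc:
        return False, str(exc)
    if end != len(flt):
        return False, f"unexpected text after offset {end}"
    return True, "ok"


if __name__ == "__main__":
    # constructed filters: the second one is missing its closing parenthesis
    for f in ("(&(objectClass=user)(memberOf=cn=it-admins,ou=groups,dc=acme,dc=local))",
              "(&(objectClass=user)(memberOf=cn=it-admins,ou=groups,dc=acme,dc=local)"):
        print(f, "->", validate_ldap_filter(f))
```

A syntactically valid filter can still be wrong (a misspelled attribute or DN returns no members), so after the commit also confirm that the group resolves to the expected users; the check above only removes the class of errors that the firewall would otherwise accept silently.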
Map IP Addresses to Users
User-ID provides many different methods for mapping IP addresses to usernames. Before you begin configuring user mapping, consider where your users are logging in from, what services they are accessing, and what applications and data you need to control access to. This will inform which types of agents or integrations would best allow you to identify your users. For guidance, refer to Architecting User Identification Deployments.
Once you have your plan, you can begin configuring user mapping using one or more of the following methods as needed to enable user-based access and visibility to applications and resources:
- To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients you must configure a User-ID agent:
  Configure User Mapping Using the PAN-OS Integrated User-ID Agent
  Configure User Mapping Using the Windows User-ID Agent
- If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Services Agent for User Mapping. For a multi-user system that doesn't run on Windows, you can Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API.
- To obtain user mappings from existing network services that authenticate users, such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms, Configure User-ID to Receive User Mappings from a Syslog Sender.
  While you can configure either the Windows agent or the PAN-OS integrated User-ID agent on the firewall to listen for authentication syslog messages from the network services, because only the PAN-OS integrated agent supports syslog listening over TLS, it is the preferred configuration.
- If you have users with client systems that aren't logged into your domain servers (for example, users running Linux clients that don't log in to the domain), you can Map IP Addresses to Usernames Using Captive Portal.
- For other clients that you can't map using the other methods, you can Send User Mappings to User-ID Using the XML API.
A large-scale network can have hundreds of information sources that firewalls query for user and group mapping and can have numerous firewalls that enforce policies based on the mapping information. You can simplify User-ID administration for such a network by aggregating the mapping information before the User-ID agents collect it. You can also reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to redistribute the mapping information. For details, see Deploy User-ID in a Large-Scale Network.
Configure an Active Directory account for the User-ID Agent
Step 1
Create an AD account for the User-ID agent.
You must create a service account in each domain the agent will monitor.
1. Log in to the domain controller.
2. Right-click the Windows icon, Search for Active Directory Users and Computers, and launch the application.
3. In the navigation pane, open the domain tree, right-click Managed Service Accounts and select New > User.
4.
5. Enter the Password and Confirm Password, and then click Next and Finish.
Configure an Active Directory account for the User-ID Agent (Continued)
Step 2
Add the account to the Built-in groups that have privileges for accessing the services and hosts the User-ID agent will monitor.
1. Right-click the service account you just added and Add to a group.
2. Enter the object names to select as follows to assign the account to groups. Separate each entry with a semicolon.
   - Event Log Readers or a custom group that has privileges for reading Security log events. These privileges are required if the User-ID agent will collect mapping information by monitoring Security logs.
   - (PAN-OS integrated agent only) Distributed COM Users group, which has privileges for launching, activating, and using Distributed Component Object Model (DCOM) objects.
   - (Not recommended) Server Operators group, which has privileges for opening sessions. The agent only requires these privileges if you plan to configure it to refresh existing mapping information by monitoring user sessions.
     Because this group also has privileges for shutting down and restarting servers, assign the account to it only if monitoring user sessions is very important.
   - (PAN-OS integrated agent only) If you plan to configure NTLM authentication for Captive Portal, the firewall where you've configured the agent will need to join the domain. To enable this, enter the name of a group that has administrative privileges to join the domain, write to the validated service principal name, and create a computer object within the computers organization unit (ou=computers).
     The PAN-OS integrated agent requires privileged operations to join the domain, which poses a security threat if the account is compromised. Consider configuring Kerberos authentication for Captive Portal instead of NTLM. Kerberos is a stronger, more secure authentication method and it does not require the firewall to join the domain.
     For a firewall with multiple virtual systems, only vsys1 can join the domain because of AD restrictions on virtual systems running on the same host.
3. Check Names to validate your entries and click OK twice.
Configure an Active Directory account for the User-ID Agent (Continued)
Step 3
If you plan to use WMI probing, enable the account to read the CIMV2 namespace on the client systems.
By default, accounts in the Server Operators group have this permission.
Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which have the added benefit of allowing you to safely capture user mapping information from any device type or operating system, instead of just Windows clients.
Perform this task on each client system that the User-ID agent will probe for user mapping information:
1. Right-click the Windows icon, Search for wmimgmt.msc, and launch the WMI Management Console.
2. In the console tree, right-click WMI Control and select Properties.
3.
4. Add the name of the service account you created, Check Names to verify your entry, and click OK.
   You might have to change the Locations or click Advanced to query for account names. See the dialog help for details.
5. In the Permissions for <Username> section, Allow the Enable Account and Read Security permissions.
6. Click OK twice.
Step 4
Turn off account privileges that are not necessary.
By ensuring that the User-ID service account has the minimum set of account privileges, you can reduce the attack surface should the account be compromised.
To ensure that the User-ID account has the minimum privileges necessary, deny the following privileges on the account:
- Deny interactive logon for the User-ID service account. While the User-ID service account does need permission to read and parse Active Directory security event logs, it does not require the ability to log on to servers or domain systems interactively. You can restrict this privilege using Group Policies or by using a Managed Service account (refer to Microsoft TechNet for more information).
- Deny remote access for the User-ID service account. This prevents an attacker from using the account to access your network from outside the network.
Step 5
Next steps...
You are now ready to:
- Configure User Mapping Using the Windows User-ID Agent.
- Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
Install the User-ID Agent
Configure the User-ID Agent for User Mapping
Install the User-ID Agent
The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer will automatically remove the older version; however, it is a good idea to back up the config.xml file before running the installer.
For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
Install the Windows User-ID Agent
Step 1
Create a dedicated Active Directory service account for the User-ID agent to access the services and hosts it will monitor to collect user mappings.
Create a Dedicated Service Account for the User-ID Agent.
Step 2
Decide where to install the User-ID agent.
The User-ID agent queries the Domain Controller and Exchange server logs using Microsoft Remote Procedure Calls (MSRPCs), which require a complete transfer of the entire log at each query. Therefore, always install one or more User-ID agents at each site that has servers to be monitored.
For more detailed information on where to install User-ID agents, refer to Architecting User Identification (User-ID) Deployments.
- You must install the User-ID agent on a system running one of the supported OS versions: see Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
- Make sure the system that will host the User-ID agent is a member of the same domain as the servers it will monitor.
- As a best practice, install the User-ID agent close to the servers it will be monitoring (there is more traffic between the User-ID agent and the monitored servers than there is between the User-ID agent and the firewall, so locating the agent close to the monitored servers optimizes bandwidth usage).
- To ensure the most comprehensive mapping of users, you must monitor all servers that contain user login information. You might need to install multiple User-ID agents to efficiently monitor all of your resources.
Install the Windows User-ID Agent (Continued)
Step 3
Download the User-ID agent installer.
Install the User-ID agent version that is the same as the PAN-OS version running on the firewalls. If there is not a User-ID agent version that matches the PAN-OS version, install the latest version that is closest to the PAN-OS version. For example, if you are running PAN-OS 7.1 on your firewalls, install User-ID agent version 7.0.
1. Log in to the Palo Alto Networks Customer Support website.
2. Select Software Updates from the Manage Devices section.
3. Scroll to the User Identification Agent section of the screen and Download the version of the User-ID agent you want to install.
4. Save the UaInstall-x.x.x-xx.msi file on the system(s) where you plan to install the agent.
Step 4
Run the installer as an administrator.
1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
   C:\Users\administrator.acme>cd Desktop
   C:\Users\administrator.acme\Desktop>UaInstall-6.0.0-1.msi
3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\User-ID Agent folder, but you can Browse to a different location.
4. When the installation completes, Close the setup window.
Step 5
Launch the User-ID Agent application.
Open the Windows Start menu and select User-ID Agent.
Step 6
(Optional) Change the service account that the User-ID agent uses to log in.
By default, the agent uses the administrator account used to install the .msi file. However, you may want to switch this to a restricted account as follows:
1.
2. Select the Authentication tab and enter the service account name that you want the User-ID agent to use in the User name for Active Directory field.
3. Enter the Password for the specified account.
Install the Windows User-ID Agent (Continued)
Step 7
(Optional) Assign account permissions to the installation folder.
You only need to perform this step if the service account you configured for the User-ID agent is not a member of the administrators group for the domain or a member of both the Server Operators and the Event Log Readers groups.
1. Give the service account permissions to the installation folder:
   a. From the Windows Explorer, navigate to C:\Program Files\Palo Alto Networks and right-click the folder and select Properties.
   b. On the Security tab, Add the User-ID agent service account and assign it permissions to Modify, Read & execute, List folder contents, and Read and then click OK to save the account settings.
2. Give the service account permissions to the User-ID Agent registry subtree:
   a. Run regedit32 and navigate to the Palo Alto Networks subtree in one of the following locations:
      32-bit systems: HKEY_LOCAL_MACHINE\Software\Palo Alto Networks
      64-bit systems: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Palo Alto Networks
   b. Right-click the Palo Alto Networks node and select Permissions.
   c. Assign the User-ID service account Full Control and then click OK to save the setting.
3. On the domain controller, add the service account to the built-in groups to enable privileges to read the security log events (Event Log Reader group) and open sessions (Server Operator group):
   a. Run the MMC and Launch the Active Directory Users and Computers snap-in.
   b. Navigate to the Builtin folder for the domain and then right-click each group you need to edit (Event Log Reader and Server Operator) and select Add to Group to open the properties dialog.
   c. Click Add and enter the name of the service account that you configured the User-ID service to use and then click Check Names to validate that you have the proper object name.
   d. Click OK twice to save the settings.
Configure the User-ID Agent for User Mapping
The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network (for example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers) and monitors the logs for login events. The agent uses this information to map IP addresses to usernames. Palo Alto Networks firewalls connect to the User-ID agent to retrieve this user mapping information, enabling visibility into user activity by username rather than IP address and enabling user- and group-based security enforcement.
For information about the server OS versions supported by the User-ID agent, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
Map IP Addresses to Users Using the Windows-based User-ID Agent
Step 1
Define the servers the User-ID agent will monitor to collect IP address-to-user mapping information.
The User-ID agent can monitor up to 100 servers, of which up to 50 can be syslog senders.
To collect all of the required mappings, the User-ID agent must connect to all servers that your users log in to in order to monitor the security log files on all servers that contain login events.
1. Open the Windows Start menu and select User-ID Agent.
2.
3. In the Servers section of the screen, click Add.
4. Enter a Name and Server Address for the server to be monitored. The network address can be a FQDN or an IP address.
5.
6. (Optional) To enable the firewall to automatically discover domain controllers on your network using DNS lookups, click Auto Discover.
   Auto-discovery locates domain controllers in the local domain only; you must manually add Exchange servers, eDirectory servers, and syslog senders.
7. (Optional) To tune the frequency at which the firewall polls configured servers for mapping information, select User Identification > Setup and Edit the Setup section. On the Server Monitor tab, modify the value in the Server Log Monitor Frequency (seconds) field. Increase the value in this field to 5 seconds in environments with older Domain Controllers or high-latency links.
   Ensure that the Enable Server Session Read setting is not selected. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, use a Syslog or XML API integration to monitor sources that capture login and logout (XML API only) events for all device types and operating systems (instead of just Windows), such as wireless controllers and Network Access Controllers (NACs).
8. Click OK to save the settings.
Map IP Addresses to Users Using the Windows-based User-ID Agent (Continued)
Step 2
Specify the subnetworks the Windows User-ID agent should include in or exclude from User-ID.
By default, User-ID maps all users accessing the servers you are monitoring.
As a best practice, always specify which networks to include and exclude from User-ID to ensure that the agent is only communicating with internal resources and to prevent unauthorized users from being mapped. You should only enable User-ID on the subnetworks where users internal to your organization are logging in.
1.
2.
3.
4.
Step 3
(Optional) If you configured the agent to connect to a Novell eDirectory server, you must specify how the agent should search the directory.
1.
2.
Map IP Addresses to Users Using the Windows-based User-ID Agent (Continued)
Step 4
(Optional, not recommended) Configure client probing.
Do not enable client probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.
1.
2.
Step 5
Save the configuration.
Click OK to save the User-ID agent setup settings and then click Commit to restart the User-ID agent and load the new settings.
Step 6
(Optional) Define the set of users for which you do not need to provide IP address-to-username mappings, such as kiosk accounts.
You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive Portal.
Create an ignore_user_list.txt file and save it to the User-ID Agent folder on the domain server where the agent is installed. List the user accounts to ignore; there is no limit to the number of accounts you can add to the list. Each user account name must be on a separate line. For example:
SPAdmin
SPInstall
TFSReport
You can use an asterisk as a wildcard character to match multiple usernames, but only as the last character in the entry. For example, corpdomain\it-admin* would match all administrators in the corpdomain domain whose usernames start with the string it-admin.
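The ignore-user list is worth testing before it goes on the agent, because an entry that the agent cannot interpret (a wildcard anywhere but the end) leaves a service or kiosk account mapped, and that account's sessions then inherit whatever user-based rules match it. The following added example (not the User-ID agent's code) models the matching rules Step 6 describes, one account per line with an asterisk allowed only as the last character, and reports any line that breaks that rule. The file contents are constructed from the three names above plus the wildcard entry; case-insensitive comparison is an assumption made here because Windows account names are compared that way.

```python
"""Added example, not the User-ID agent's code: the matching semantics of
ignore_user_list.txt (one account per line, '*' only as a trailing wildcard)."""

# Constructed file contents: the example names from the guide plus the wildcard entry.
IGNORE_LIST_TXT = """SPAdmin
SPInstall
TFSReport
corpdomain\\it-admin*
"""


def load_ignore_list(text: str):
    """Parse the file; return (entries, rejected).

    An entry is rejected when it uses '*' anywhere but as the last character,
    because only a trailing wildcard is supported.  Entries are lower-cased
    (assumption: account names are compared case-insensitively).
    """
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        name = raw.strip()
        if not name:
            continue                       # blank line
        if "*" in name[:-1]:
            rejected.append((lineno, name))
            continue
        entries.append(name.lower())
    return entries, rejected


def is_ignored(username: str, entries) -> bool:
    """True if mappings for this user should be dropped."""
    u = username.lower()
    for entry in entries:
        if entry.endswith("*"):
            if u.startswith(entry[:-1]):   # prefix match, wildcard at the end only
                return True
        elif u == entry:                   # exact match
            return True
    return False


def filter_mappings(mappings: dict, entries) -> dict:
    """Drop ignored users from an {ip: user} table before it is handed to the firewall."""
    return {ip: user for ip, user in mappings.items() if not is_ignored(user, entries)}


DEFAULT_ENTRIES, DEFAULT_REJECTED = load_ignore_list(IGNORE_LIST_TXT)

if __name__ == "__main__":
    # constructed mapping table: the kiosk account should disappear, the user stays
    print(filter_mappings({"10.0.0.1": "TFSReport", "10.0.0.2": "corpdomain\\jdoe"},
                          DEFAULT_ENTRIES))
    print("rejected lines:", load_ignore_list("*admin\n")[1])
```

Note that the wildcard entry carries its domain prefix, so `corpdomain\it-admin*` does not ignore `otherdomain\it-admin-jane`; write one entry per domain if the same pattern is needed in several.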
Step 7
Configure the firewalls to connect to the User-ID agent.
Complete the following steps on each firewall you want to connect to the User-ID agent to receive user mappings:
1.
2. Enter a Name for the User-ID agent.
3. Enter the IP address of the Windows Host on which the User-ID Agent is installed.
4. Enter the Port number (1-65535) on which the agent will listen for user mapping requests. This value must match the value configured on the User-ID agent. By default, the port is set to 5007 on the firewall and on newer versions of the User-ID agent. However, some older User-ID agent versions use port 2010 as the default.
5. Make sure that the configuration is Enabled, then click OK.
6. Commit the changes.
7. Verify that the Connected status displays as connected (a green light).
Map IP Addresses to Users Using the Windows-based User-ID Agent (Continued)
Step 8
Verify that the User-ID agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
1. Launch the User-ID agent and select User Identification.
2. Verify that the agent status shows Agent is running. If the Agent is not running, click Start.
3. To verify that the User-ID agent can connect to monitored servers, make sure the Status for each Server is Connected.
4. To verify that the firewalls can connect to the User-ID agent, make sure the Status for each of the Connected Devices is Connected.
5. To verify that the User-ID agent is mapping IP addresses to usernames, select Monitoring and make sure that the mapping table is populated. You can also Search for specific users, or Delete user mappings from the list.
Map IP Addresses to Users Using the Integrated User-ID Agent
Step 1
Create an Active Directory service account for the User-ID agent to access the services and hosts it will monitor for collecting user mapping information.
Create a Dedicated Service Account for the User-ID Agent.
Step 2
Define the servers that the firewall will monitor to collect user mapping information.
Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
To collect all the required mappings, the firewall must connect to all servers that your users log in to so it can monitor the Security log files on all servers that contain login events.
1.
2. Click Add in the Server Monitoring section.
3. Enter a Name to identify the server.
4. Select the Type of server.
5. Enter the Network Address (an FQDN or IP address) of the server.
6. Make sure the server profile is Enabled and click OK.
7. (Optional) Click Discover if you want the firewall to automatically discover domain controllers on your network using DNS lookups.
   The auto-discovery feature is for domain controllers only; you must manually add any Exchange servers or eDirectory servers you want to monitor.
8. (Optional) Specify the frequency at which the firewall polls Windows servers for mapping information. This is the interval between the end of the last query and the start of the next query.
   If the query load is high, the observed delay between queries might significantly exceed the specified frequency.
   a. Edit the Palo Alto Networks User-ID Agent Setup.
   b. Select the Server Monitor tab and specify the Server Log Monitor Frequency in seconds (default is 2, range is 1-3600). Increase the value in this field to 5 seconds in environments with older domain controllers or high-latency links.
   Ensure that the Enable Session setting is not selected. This setting requires that the User-ID agent have an Active Directory account with Server Operator privileges so that it can read all user sessions. Instead, use a Syslog or XML API integration to monitor sources that capture login and logout events for all device types and operating systems (instead of just Windows), such as wireless controllers and NACs.
   c. Click OK to save the changes.
Map IP Addresses to Users Using the Integrated User-ID Agent (Continued)
Step 3
Specify the subnetworks the PAN-OS integrated User-ID agent should include in or exclude from user mapping.
By default, User-ID maps all users accessing the servers you are monitoring.
As a best practice, always specify which networks to include and, optionally, to exclude from User-ID to ensure that the agent is only communicating with internal resources and to prevent unauthorized users from being mapped. You should only enable user mapping on the subnetworks where users internal to your organization are logging in.
1.
2.
3.
4.
Step 4
Set the domain credentials for the account the firewall will use to access Windows resources. This is required for monitoring Exchange servers and domain controllers as well as for WMI probing.
1.
2.
Step 5
(Optional, not recommended) Configure WMI probing (the PAN-OS integrated User-ID agent does not support NetBIOS probing).
Do not enable WMI probing on high-security networks. Client probing can generate a large amount of network traffic and can pose a security threat when misconfigured.
1.
2.
3. Click OK.
4. Make sure the Windows firewall will allow client probing by adding a remote administration exception to the Windows firewall for each probed client.
Map IP Addresses to Users Using the Integrated User-ID Agent (Continued)
Step 6
(Optional) Define the set of users for which you don't require IP address-to-username mappings, such as kiosk accounts.
You can also use the ignore-user list to identify users whom you want to force to authenticate using Captive Portal.
Step 7
Activate your configuration changes.
Click OK and Commit.
Step 8
Verify the configuration.
1. Access the firewall CLI.
2. Enter the following operational command:
   > show user server-monitor state all
3.
Configure the Integrated User-ID Agent as a Syslog Listener
Configure the Windows User-ID Agent as a Syslog Listener
Configure the Integrated User-ID Agent as a Syslog Listener
The following workflow describes how to configure the PAN-OS integrated User-ID agent to receive syslog messages from authenticating services.
The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.
Collect User Mappings from Syslog Senders
Step 1
Determine whether there is a predefined syslog filter for your particular syslog senders.
Palo Alto Networks provides several predefined syslog filters, which are delivered as Application content updates and are therefore updated dynamically as new filters are developed. The predefined filters are global to the firewall, whereas custom filters apply to a single virtual system only.
Any new syslog filters in a given content release will be documented in the corresponding release note along with the specific regex used to define the filter.
1. Verify that your Applications or Applications and Threats database is up to date:
   a. Select Device > Dynamic Updates and click Check Now to check for the latest updates.
   b. Download and Install any new update.
2. Determine which predefined filters are available:
   a. Select Device > User Identification > User Mapping and Add an entry to the Server Monitoring section.
   b. Select Syslog Sender as the server Type.
   c. Select the Filter drop-down and check to see if there is a filter for the manufacturer and product you plan to forward syslogs from. If the filter you need is available, skip to Step 5 to define the servers. Otherwise, continue to Step 2.
Step 2
Define custom syslog filters to extract IP address-to-username mapping information from syslog messages.
For the User-ID agent to parse syslog messages, they must meet the following criteria:
- Each message must be a single-line text string. A newline (\n) or a carriage return plus a newline (\r\n) are the delimiters for line breaks.
- The maximum size for individual messages is 2,048 bytes.
- Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets.
- A single packet might contain multiple messages.
1. Review the syslog messages that the authenticating service generates to identify the login event syntax. This enables you to define the matching patterns by which the firewall identifies and extracts authentication events from the messages.
   While reviewing syslog messages, also determine whether log entries include the domain name. If they don't, consider defining a default domain name when adding the syslog sender to the monitored servers list in Step 5.
2.
3. Select the Syslog Filters tab and Add a Syslog Parse profile.
4.
5. Specify the Type of parsing to extract user mapping information:
   - Regex Identifier: Step 3 describes how to specify regular expressions that describe search patterns to identify and extract user mapping information from syslog messages.
   - Field Identifier: Step 4 describes how to specify a string to match the authentication event, and prefix and delimiter strings to identify user mapping information in syslog messages.
Collect User Mappings from Syslog Senders (Continued)
Step 3
If you selected Regex Identifier as the parsing Type, define regex matching patterns to identify authentication events and extract user mapping information.
This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.
1. In the Event Regex field, enter the regex to match successful authentication events in syslog messages. For the sample message, the following regex instructs the firewall to extract the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character: (authentication\ success){1}.
2. In the Username Regex field, enter the regex to identify the start of the username in authentication success messages. In the sample message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and extracts johndoe1 as the username.
   If the syslog messages do not contain domain information and you require domain names in your user mappings, enter the Default Domain Name when defining the monitored server entry in Step 5.
3. In the Address Regex field, enter the regex to identify the IP address portion of authentication success messages. In the sample message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.3.212.
4. Click OK to save the profile.
Step 4
If you selected Field Identifier as the parsing Type, define string matching patterns to identify authentication events and extract user mapping information.
This example shows how to configure a Syslog Parse profile that matches syslog messages with the following format:
1. In the Event String field, enter a matching string to identify successful authentication events in syslog messages. In the sample message, the string authentication success identifies authentication events.
2. In the Username Prefix field, enter a matching string to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the sample message, User: identifies the start of the username field.
3. Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
4. In the Address Prefix field, enter a matching string to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the sample message, Source: identifies the start of the address field.
5. Enter the Address Delimiter that indicates the end of the IP address field in syslog messages. For example, enter \n to indicate the delimiter is a line break.
6. Click OK to save the profile.
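The two profile types in Steps 3 and 4 extract the same two fields by different means, and the message rules in Step 2 decide which messages are parsed at all. The following added example (not PAN-OS code) applies both profiles, using exactly the expressions and strings the steps above give, to a few constructed syslog lines; the line format is an assumption, since the guide only shows the fragments authentication success, User:johndoe1 and Source:192.168.3.212. It also splits a received stream on \n or \r\n and drops messages over 2,048 bytes, and it shows that a failed login produces no mapping.

```python
"""Added example, not PAN-OS code: the Regex Identifier and Field Identifier
parsing of Steps 3 and 4 run over constructed syslog lines, with the
single-line and 2,048-byte rules of Step 2 applied first."""
import re

MAX_MESSAGE_BYTES = 2048   # per-message limit stated in Step 2

# Regex Identifier profile: the three expressions from Step 3.
REGEX_PROFILE = {
    "event_regex": r"(authentication\ success){1}",
    "username_regex": r"User:([a-zA-Z0-9\\\._]+)",
    "address_regex": r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",
}

# Field Identifier profile: the strings from Step 4 (\s = space, \n = line break).
FIELD_PROFILE = {
    "event_string": "authentication success",
    "username_prefix": "User:",
    "username_delimiter": "\\s",
    "address_prefix": "Source:",
    "address_delimiter": "\\n",
}

# Constructed sample stream (the line format is an assumption); one failed login,
# two successful ones, the second with a domain-qualified name.
SAMPLE_LOG = (
    "Jan 10 10:00:01 nac01 authd: authentication success User:johndoe1 Source:192.168.3.212\n"
    "Jan 10 10:00:02 nac01 authd: authentication failure User:mallory Source:192.168.3.99\r\n"
    "Jan 10 10:00:03 nac01 authd: authentication success User:acme\\jsmith Source:10.1.2.3\n"
)


def _delim(spec: str) -> str:
    """Translate the \\s, \\t and \\n notation of the Field Identifier profile."""
    return {"\\s": " ", "\\t": "\t", "\\n": "\n"}.get(spec, spec)


def split_messages(stream: str):
    """Split a received stream into single-line messages, dropping oversized ones."""
    out = []
    for line in re.split(r"\r\n|\n", stream):
        if not line:
            continue
        if len(line.encode("utf-8")) > MAX_MESSAGE_BYTES:
            continue                      # cannot be parsed, so it yields no mapping
        out.append(line)
    return out


def parse_regex(message: str, profile=REGEX_PROFILE):
    """Regex Identifier: return (user, ip) for a successful login, else None."""
    if not re.search(profile["event_regex"], message):
        return None
    user = re.search(profile["username_regex"], message)
    addr = re.search(profile["address_regex"], message)
    if not (user and addr):
        return None                       # login event without both fields: no mapping
    return user.group(1), addr.group(1)


def parse_field(message: str, profile=FIELD_PROFILE):
    """Field Identifier: same result using prefix/delimiter matching instead of regex."""
    if profile["event_string"] not in message:
        return None
    fields = []
    for prefix, delim in ((profile["username_prefix"], profile["username_delimiter"]),
                          (profile["address_prefix"], profile["address_delimiter"])):
        start = message.find(prefix)
        if start == -1:
            return None
        start += len(prefix)
        end = message.find(_delim(delim), start)
        fields.append(message[start:] if end == -1 else message[start:end])
    return tuple(fields)


def collect_mappings(stream: str, parser=parse_regex):
    """Run the chosen parser over every message; returns {ip: user} for successful logins."""
    mappings = {}
    for msg in split_messages(stream):
        hit = parser(msg)
        if hit:
            user, ip = hit
            mappings[ip] = user           # a later login from the same IP replaces the earlier one
    return mappings


if __name__ == "__main__":
    print(collect_mappings(SAMPLE_LOG, parse_regex))
    print(collect_mappings(SAMPLE_LOG, parse_field))
```

Both parsers yield the same table for this stream. The difference that matters operationally is what happens on a format change: the regex profile still matches if extra fields appear between the tokens, while the field profile's delimiter search will silently swallow trailing text into a field, so re-run this kind of check whenever the sending product is upgraded.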
UserID
MapIPAddressestoUsers
CollectUserMappingsfromSyslogSenders(Continued)
Step 5  Define the servers that will send syslog messages to the firewall for user mapping purposes.
Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
The firewall will discard any syslog messages received from servers that are not on this list.
2. Enter a Name to identify the server.
3. Make sure the server profile is Enabled (default).
4. Select Syslog Sender as the server Type.
5. Enter the Network Address of the syslog server (IP address or FQDN).
6. Select the Syslog Parse profile you configured as a Filter.
7. Select UDP or SSL (default) as the Connection Type.
   Use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages when using agentless User Mapping on a firewall. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.
   A syslog server using SSL to connect will show a Status of Connected only when there is an active SSL connection. Syslog servers using UDP will not show a Status value.
8. (Optional) If the syslogs that the authenticating firewall sends do not include domain information in the login event logs, enter the Default Domain Name to append to the user mappings.
9. Click OK to save the settings.
Step 6  Enable syslog listener services in the management profile associated with the interface used for user mapping.
3. Click OK to save the interface management profile.
   Even after enabling the User-ID Syslog Listener service on the interface, the interface will only accept syslog connections from servers that have a corresponding entry in the User-ID monitored servers configuration. The firewall discards connections or messages from servers that are not on the list.
4. If you created a new Interface Management profile, assign it to the interface used for user mapping:
   a. Select Network > Interfaces and edit the interface.
   b. Select Advanced > Other info, select the Interface Management Profile you just added, and click OK.

Step 7  Save the configuration.
Click Commit to save the configuration.
Step 8  Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:

To see how many log messages came in from syslog senders and how many entries were successfully mapped:

admin@PA-5050> show user server-monitor statistics

Directory Servers:
Name                 TYPE        Host                 Vsys     Status
----------------------------------------------------------------------------
AD                   AD          10.2.204.43          vsys1    Connected

Syslog Servers:
Name                 Connection  Host                 Vsys     Status
----------------------------------------------------------------------------
Syslog1              UDP         10.5.204.40          vsys1    N/A
Syslog2              SSL         10.5.204.41          vsys1    Not connected

To see how many user mappings were discovered through syslog senders:

admin@PA-5050> show user ip-user-mapping all type SYSLOG

IP               Vsys     From     User                 IdleTimeout(s)  MaxTimeout(s)
-------------------------------------------------------------------------------------
192.168.3.8                                                               476
192.168.5.39     vsys1    SYSLOG   acme\jdonaldson      2480            480
192.168.2.147    vsys1    SYSLOG   acme\ccrisp          2476            476
192.168.2.175    vsys1    SYSLOG   acme\jjaso           2476            476
192.168.4.196    vsys1    SYSLOG   acme\jblevins        2480            480
192.168.4.103    vsys1    SYSLOG   acme\bmoss           2480            480
192.168.2.193    vsys1    SYSLOG   acme\esogard         2476            476
192.168.2.119    vsys1    SYSLOG   acme\acallaspo       2476            476
192.168.3.176    vsys1    SYSLOG   acme\jlowrie         2478            478
Total: 9 users
Configure the Windows User-ID Agent as a Syslog Listener

The following workflow describes how to configure a Windows-based User-ID agent to listen for syslog messages from authenticating services.

The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, use TCP instead of UDP. In either case, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.
Configure the Windows User-ID Agent to Collect User Mappings from Syslog Senders

Step 1  Define custom syslog filters to extract IP address to username mapping information from syslog messages.
For the User-ID agent to parse syslog messages, they must meet the following criteria:
- Each message must be a single-line text string. A newline (\n) or a carriage return plus a newline (\r\n) are the delimiters for line breaks.
- The maximum size for individual messages is 2,048 bytes.
- Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets.
- A single packet might contain multiple messages.
1. Open the Windows Start menu and select User-ID Agent.
2. Review the syslog messages that the authenticating service generates to identify the login event syntax. This enables you to define the matching patterns by which the firewall identifies and extracts authentication events from the messages.
   While reviewing syslog messages, also determine whether log entries include the domain name. If they don't, consider defining a default domain name when adding the syslog sender to the monitored servers list.
4. Select Syslog and Add a Syslog Parse profile.
5. Enter a Profile Name and Description.
6. Specify the Type of parsing to extract user mapping information:
   - Regex: Uses regular expressions that describe search patterns to identify and extract user mapping information from syslog messages.
   - Field: Uses a string to match the authentication event, and prefix and delimiter strings to identify user mapping information in syslog messages.
Step 2  If you selected Regex as the parsing Type, define regex matching patterns to identify authentication events and extract user mapping information.
This example shows how to configure a Syslog Parse profile for matching syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
   If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.
1. In the Event Regex field, enter the regex to match successful authentication events in syslog messages. For the sample message, the following regex instructs the firewall to extract the first {1} instance of the string authentication success. The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character: (authentication\ success){1}.
2. In the Username Regex field, enter the regex to identify the start of the username in authentication success messages. In the sample message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and extracts johndoe1 as the username.
   If the syslog messages do not contain domain information and you require domain names in your user mappings, enter the Default Domain Name when defining the monitored server entry.
3. In the Address Regex field, enter the regex to identify the IP address portion of authentication success messages. In the sample message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address Source:192.168.3.212.
4. Click OK to save the profile.
Step 3  If you selected Field as the parsing Type, define string matching patterns to identify authentication events and extract user mapping information.
This example shows how to configure a Syslog Parse profile that matches syslog messages with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
1. In the Event String field, enter a matching string to identify successful authentication events in syslog messages. In the sample message, the string authentication success identifies authentication events.
2. In the Username Prefix field, enter a matching string to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the sample message, User: identifies the start of the username field.
3. Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
4. In the Address Prefix field, enter a matching string to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the sample message, Source: identifies the start of the address field.
5. Enter the Address Delimiter that indicates the end of the IP address field in syslog messages. For example, enter \n to indicate the delimiter is a line break.
6. Click OK to save the profile.

Step 4  Enable the syslog listening service on the agent.
   As a best practice, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.

Step 5  Define the servers that will send syslog messages to the User-ID agent.
Within the total maximum of 100 servers of all types that the User-ID agent can monitor, up to 50 can be syslog senders.
The User-ID agent will discard any syslog messages received from servers that are not on this list.
2. Add an entry to the Servers section.
3. Enter a server Name and Server Address.
5. Select a Filter you defined in Step 1.
6. (Optional) If the syslog messages that the authenticating firewall sends do not include domain information in the login event logs, enter the Default Domain Name to append to the user mappings.
7. Click OK to save the settings.

Step 6  Save the configuration.
Click Commit to save the configuration.
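The Regex and Field parsing that the Syslog Parse profile steps above (and the equivalent firewall-side steps earlier in this chapter) describe, as an added Python example that is not the guide's code or the agent's implementation. The three regexes and the prefix/delimiter values are the ones from the steps; the sample messages are constructed from the guide's example, and the single-line and 2,048-byte criteria are the ones the guide lists.

```python
import re

# Constructed sample in the format the guide's profile examples target.
SAMPLE = ("[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success "
          "User:johndoe1 Source:192.168.3.212")

# Regex-type profile: the three expressions from the procedure, verbatim.
REGEX_PROFILE = {
    "event": r"(authentication\ success){1}",
    "user": r"User:([a-zA-Z0-9\\\._]+)",
    "address": r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",
}

# Field-type profile: literal event string plus prefix/delimiter pairs.
FIELD_PROFILE = {
    "event": "authentication success",
    "user_prefix": "User:", "user_delim": r"\s",
    "addr_prefix": "Source:", "addr_delim": r"\n",
}

# Delimiter tokens the profile accepts and the characters they stand for.
_DELIMS = {r"\s": " ", r"\t": "\t", r"\n": "\n"}

MAX_MESSAGE_BYTES = 2048


def _cut_field(msg, prefix, delim):
    """Text between prefix and the next delimiter (or the end of the message)."""
    start = msg.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = msg.find(_DELIMS.get(delim, delim), start)
    value = msg[start:] if end < 0 else msg[start:end]
    return value or None


def parse_regex(msg, profile=REGEX_PROFILE):
    """Return (ip, username) when msg is an authentication success event."""
    if not re.search(profile["event"], msg):
        return None
    user = re.search(profile["user"], msg)
    addr = re.search(profile["address"], msg)
    if not (user and addr):
        return None
    return addr.group(1), user.group(1)


def parse_field(msg, profile=FIELD_PROFILE):
    """Same result as parse_regex, using the Field identifier method."""
    if profile["event"] not in msg:
        return None
    user = _cut_field(msg, profile["user_prefix"], profile["user_delim"])
    addr = _cut_field(msg, profile["addr_prefix"], profile["addr_delim"])
    if not (user and addr):
        return None
    return addr, user


def map_messages(messages, parser, default_domain=None):
    """Build {ip: user} from raw syslog text the way the listener would:
    one event per line, oversize lines dropped, non-matching lines discarded,
    and default_domain prepended when the username carries no domain."""
    mappings = {}
    for msg in messages:
        for line in msg.replace("\r\n", "\n").split("\n"):
            if len(line.encode()) > MAX_MESSAGE_BYTES:
                continue
            result = parser(line)
            if result is None:
                continue
            ip, user = result
            if default_domain and "\\" not in user:
                user = f"{default_domain}\\{user}"
            mappings[ip] = user
    return mappings
```

Running both parsers over the same sample shows that the two profile types yield the same mapping; a failed-login line and an oversize line are discarded rather than mapped.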
Step 7  Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:

To see how many log messages came in from syslog senders and how many entries were successfully mapped:

admin@PA-5050> show user server-monitor statistics

Directory Servers:
Name                 TYPE        Host                 Vsys     Status
----------------------------------------------------------------------------
AD                   AD          10.2.204.43          vsys1    Connected

Syslog Servers:
Name                 Connection  Host                 Vsys     Status
----------------------------------------------------------------------------
Syslog1              UDP         10.5.204.40          vsys1    N/A
Syslog2              SSL         10.5.204.41          vsys1    Not connected

To see how many user mappings were discovered through syslog senders:

admin@PA-5050> show user ip-user-mapping all type SYSLOG

IP               Vsys     From     User                 IdleTimeout(s)  MaxTimeout(s)
-------------------------------------------------------------------------------------
192.168.3.8                                                               476
192.168.5.39     vsys1    SYSLOG   acme\jdonaldson      2480            480
192.168.2.147    vsys1    SYSLOG   acme\ccrisp          2476            476
192.168.2.175    vsys1    SYSLOG   acme\jjaso           2476            476
192.168.4.196    vsys1    SYSLOG   acme\jblevins        2480            480
192.168.4.103    vsys1    SYSLOG   acme\bmoss           2480            480
192.168.2.193    vsys1    SYSLOG   acme\esogard         2476            476
192.168.2.119    vsys1    SYSLOG   acme\acallaspo       2476            476
192.168.3.176    vsys1    SYSLOG   acme\jlowrie         2478            478
Total: 9 users
Captive Portal Authentication Methods
Captive Portal Modes
Configure Captive Portal
Captive Portal Authentication Methods

Captive Portal uses the following methods to obtain user information from the client when a web request matches a Captive Portal rule:

Authentication Method: Kerberos SSO
Description: The firewall uses Kerberos Single Sign-On (SSO) to transparently obtain user credentials. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account, including a principal name and password.
   As a best practice, choose Kerberos transparent authentication over NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.
If Kerberos SSO authentication fails, the firewall falls back to NT LAN Manager (NTLM) authentication. If you don't configure NTLM, or NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.

Authentication Method: NTLM
Description: The firewall uses an encrypted challenge-response mechanism to obtain the user credentials from the browser. When configured properly, the browser will transparently provide the credentials to the firewall without prompting the user, but will prompt for credentials if necessary.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent.
If you configure Kerberos SSO authentication, the firewall tries that method first before falling back to NTLM authentication. If the browser can't perform NTLM or if NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.
Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google Chrome to also use NTLM but you can't use NTLM to authenticate non-Windows clients.

Authentication Method: Web Form
Description: The firewall redirects web requests to a web form for authentication. You can configure Captive Portal to use a local user database, RADIUS server, TACACS+ server, LDAP server, or Kerberos server to authenticate users (or an authentication sequence). Although the firewall always prompts users for credentials, this method works with all browsers and operating systems.

Authentication Method: Client Certificate
Description: The firewall prompts the browser to present a valid client certificate to authenticate the user. To use this method, you must provision client certificates on each user system and install the trusted certificate authority (CA) certificate used to issue those certificates on the firewall.
Captive Portal Modes

The Captive Portal mode defines how the firewall captures web requests for authentication:

Mode: Transparent
Description: The firewall intercepts the browser traffic per the Captive Portal rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, you should only use this mode when absolutely necessary, such as in Layer 2 or virtual wire deployments.

Mode: Redirect
Description: The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of the Redirect mode is that it provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring remapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they won't need to re-authenticate when the IP address changes as long as the session stays open.
If you use Kerberos SSO or NTLM authentication, you must use Redirect mode because the browser will provide credentials only to trusted sites.
Configure Captive Portal

The following procedure shows how to configure Captive Portal using the PAN-OS integrated User-ID agent to redirect web requests that match a Captive Portal rule to a redirect host. A redirect host is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which the firewall will redirect requests.

If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don't need to configure a User-ID agent.
Configure Captive Portal Using the PAN-OS Integrated User-ID Agent

Step 1  Configure the interfaces that the firewall will use for redirecting web requests, authenticating users, and communicating with directory servers to map usernames to IP addresses.
The firewall uses the management (MGT) interface for all these functions by default, but you can configure other interfaces. In redirect mode, you must use a Layer 3 interface for redirecting requests.
4. (Redirect mode only) Create a DNS address (A) record that maps the IP address on the Layer 3 interface to the redirect host. If you will use Kerberos SSO, you must also add a DNS pointer (PTR) record that performs the same mapping.
   If your network doesn't support access to the directory servers from any firewall interface, you must Configure User Mapping Using the Windows User-ID Agent.

Step 2  Make sure Domain Name System (DNS) is configured to resolve your domain controller addresses.
To verify proper resolution, ping the server FQDN. For example:
admin@PA-200> ping host dc1.acme.com

Step 3  Create a Kerberos keytab for the redirect host.
Required for Kerberos SSO authentication.
Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the redirect host (the firewall).
To support Kerberos SSO, your network must have a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service.
Step 4  Configure clients to trust Captive Portal certificates.
Required for redirect mode to transparently redirect users without displaying certificate errors. You can generate a self-signed certificate or import a certificate that an external certificate authority (CA) signed.
To use a self-signed certificate, create a root CA certificate and use it to sign the certificate you will use for Captive Portal:
2. Create a Self-Signed Root CA Certificate or import a CA certificate (see Import a Certificate and Private Key).
3. Generate a Certificate to use for Captive Portal. Be sure to configure the following fields:
   - Common Name: Enter the DNS name of the intranet host for the Layer 3 interface.
   - Signed By: Select the CA certificate you just created or imported.
   - Certificate Attributes: Click Add, for the Type select IP and, for the Value, enter the IP address of the Layer 3 interface to which the firewall will redirect requests.
4. Configure an SSL/TLS Service Profile. Assign the Captive Portal certificate you just created to the profile.
5. Configure clients to trust the certificate:
   a. Export the CA certificate you created or imported.
   b. Import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory (AD) Group Policy Object (GPO).

Step 5  Configure an authentication server profile.
Required for external authentication. If you enable Kerberos SSO or NTLM authentication, the firewall uses the external service only if those methods fail.
   As a best practice, choose Kerberos transparent authentication over NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.
- Configure a RADIUS Server Profile.
- Configure a TACACS+ Server Profile.
- Configure an LDAP Server Profile.
- Configure a Kerberos Server Profile.
   The PAN-OS web server timeout (default is 3 seconds) must be the same as or greater than the server profile timeout multiplied by the number of servers in the profile. For RADIUS and TACACS+, the default server profile Timeout is 3 seconds. For LDAP, the timeout is the total of the Bind Timeout (default is 30 seconds) and Search Timeout (default is 30 seconds) for each server. For Kerberos, the non-configurable timeout can take up to 17 seconds for each server. Also, the Captive Portal session timeout (default is 30 seconds) must be greater than the web server timeout.
   To change the web server timeout, enter the following firewall CLI command, where <value> is 3-30 seconds: set deviceconfig setting l3-service timeout <value>.
   To change the Captive Portal session timeout, select Device > Setup > Session, edit the Session Timeouts, and enter a new Captive Portal value in seconds (range is 1-1,599,999).
   Keep in mind that the more you raise the web server and Captive Portal session timeouts, the slower Captive Portal will respond to users.
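The timeout rules in the note above, as an added Python check that is not part of the guide: given the server profile type, the number of servers, and the web server and Captive Portal session timeouts you intend to set, it reports every rule that would be violated. The per-server defaults, the 3-30 second l3-service range and the 1-1,599,999 second Captive Portal range are the values the note states; the function names are my own.

```python
# Default per-server timeouts stated in the guide, in seconds.
PROFILE_TIMEOUTS = {
    "radius": 3,        # default server profile Timeout
    "tacacs+": 3,       # default server profile Timeout
    "ldap": 30 + 30,    # Bind Timeout + Search Timeout, per server
    "kerberos": 17,     # non-configurable, up to 17 s per server
}
WEB_SERVER_TIMEOUT_RANGE = (3, 30)         # set deviceconfig setting l3-service timeout <value>
CP_SESSION_TIMEOUT_RANGE = (1, 1_599_999)  # Device > Setup > Session > Captive Portal


def required_web_server_timeout(profile_type, server_count, per_server_timeout=None):
    """Minimum web server timeout: the server profile timeout multiplied by the
    number of servers in the profile. per_server_timeout overrides the default
    when the profile's timeouts were changed (for example shorter LDAP bind and
    search timeouts)."""
    if server_count < 1:
        raise ValueError("a server profile needs at least one server")
    per_server = (PROFILE_TIMEOUTS[profile_type.lower()]
                  if per_server_timeout is None else per_server_timeout)
    return per_server * server_count


def check_timeouts(profile_type, server_count, web_server_timeout=3,
                   cp_session_timeout=30, per_server_timeout=None):
    """Return the list of timeout rules the settings violate (empty means the
    settings are consistent with the guide's constraints)."""
    problems = []
    need = required_web_server_timeout(profile_type, server_count, per_server_timeout)

    lo, hi = WEB_SERVER_TIMEOUT_RANGE
    if not lo <= web_server_timeout <= hi:
        problems.append(f"web server timeout {web_server_timeout}s is outside {lo}-{hi}s")
    if web_server_timeout < need:
        problems.append(f"web server timeout {web_server_timeout}s is below the {need}s "
                        f"required by {server_count} {profile_type} server(s)")
    if need > hi:
        # No l3-service timeout value can satisfy this profile: shorten the
        # per-server timeouts or reduce the number of servers instead.
        problems.append(f"required {need}s exceeds the configurable maximum of {hi}s")

    lo, hi = CP_SESSION_TIMEOUT_RANGE
    if not lo <= cp_session_timeout <= hi:
        problems.append(f"Captive Portal session timeout {cp_session_timeout}s is outside {lo}-{hi}s")
    if cp_session_timeout <= web_server_timeout:
        problems.append("Captive Portal session timeout must be greater than the web server timeout")
    return problems
```

With the defaults, a single RADIUS server passes, while an LDAP profile at its default 60-second per-server timeout cannot be satisfied by any allowed web server timeout until the bind and search timeouts are lowered.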
Step 6  Add an authentication profile.
The profile defines the authentication methods to use (Kerberos SSO, external service, or local database) when a Captive Portal rule invokes Web Form authentication. Even if you enable NTLM, you must define a secondary authentication method in case NTLM authentication fails or the User-ID agent doesn't support NTLM.
   If you set the authentication Type to RADIUS, specify a RADIUS User Domain in case users don't enter the domain at login.
Configure an authentication profile:
1. If the authentication Type is an external service (RADIUS, TACACS+, LDAP, or Kerberos), select the authentication Server Profile you created.
2. If you use Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is uppercase), and import the Kerberos Keytab you created.
3. Select Advanced and Add the users and user groups that can authenticate using this profile. If the authentication Type is Local Database, add the Captive Portal users or user groups you created. You can select all to allow every user to authenticate. After completing the Allow List, click OK.
   If your users are in multiple domains or Kerberos realms, you can create an authentication profile for each domain or realm, assign all the profiles to the authentication sequence, and assign the sequence to the Captive Portal configuration.

Step 7  (Optional) Configure Client Certificate Authentication.
You don't need an authentication profile or sequence for client certificate authentication. If you configure both an authentication profile/sequence and certificate authentication, users must authenticate using both.
1. Use a root CA certificate to generate a client certificate for each user who will authenticate to Captive Portal. The CA in this case is usually your enterprise CA, not the firewall.
2. Export the CA certificate in PEM format to a system that the firewall can access.
3. Import the CA certificate onto the firewall: see Import a Certificate and Private Key. After the import, click the imported certificate, select Trusted Root CA, and click OK.
4. Configure a Certificate Profile.
   - In the Username Field drop-down, select the certificate field that contains the user identity information.
   - In the CA Certificates list, click Add and select the CA certificate you just imported.

Step 8  (Optional) Enable NT LAN Manager (NTLM) authentication.
   As a best practice, choose Kerberos transparent authentication over NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain. If you do configure NTLM, the PAN-OS integrated User-ID agent must be able to successfully resolve the DNS name of your domain controller to join the domain.
1. If you haven't already done so, Create a Dedicated Service Account for the User-ID Agent.
4. Enter the NTLM Domain against which the User-ID agent on the firewall will check NTLM credentials.
6. Click OK.
Step 9  Configure the Captive Portal settings.
4. Select the Mode (in this example, Redirect).
5. (Redirect mode only) Specify the Redirect Host name that resolves to the IP address of the Layer 3 interface for redirected requests.
6. Select the authentication method to use if NTLM fails (or if you don't use NTLM):
   - To use Kerberos SSO, an external server, or the local database, select the Authentication Profile or authentication sequence you created.
   - To use client certificate authentication, select the Certificate Profile you created.
7. Click OK and Commit to save the Captive Portal configuration.
Configure the Palo Alto Networks Terminal Services Agent for User Mapping
Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Use the following procedure to install and configure the TS agent on the terminal server. To map all your users, you must install the TS agent on all terminal servers that your users log in to.

For information about the terminal servers supported by the TS Agent, refer to Operating System (OS) Compatibility TS Agent in the Terminal Services Agent Release Notes.
Configure the Palo Alto Networks Terminal Services Agent for User Mapping

Step 1  Download the TS agent installer.
1. Log in to the Palo Alto Networks Customer Support website.
2. Select Software Updates from the Manage Devices section.
4. Save the TaInstall64.x64-x.x.x-xx.msi or TaInstall-x.x.x-xx.msi file (be sure to select the appropriate version based on whether the Windows system is running a 32-bit OS or a 64-bit OS) on the systems where you plan to install the agent.

Step 2  Run the installer as an administrator.
1. Open the Windows Start menu, right-click the Command Prompt program, and select Run as administrator.
2. From the command line, run the .msi file you downloaded. For example, if you saved the .msi file to the Desktop you would enter the following:
   C:\Users\administrator.acme>cd Desktop
   C:\Users\administrator.acme\Desktop>TaInstall-6.0.0-1.msi
3. Follow the setup prompts to install the agent using the default settings. By default, the agent gets installed to the C:\Program Files (x86)\Palo Alto Networks\Terminal Server Agent folder, but you can Browse to a different location.
4. When the installation completes, Close the setup window.
   If you are upgrading to a TS Agent version that has a newer driver than the existing installation, the installation wizard prompts you to reboot the system after upgrading in order to use the new driver.
Step 3  Define the range of ports for the TS Agent to allocate to end users.
   The System Source Port Allocation Range and System Reserved Source Ports fields specify the range of ports that will be allocated to non-user sessions. Make sure the values specified in these fields do not overlap with the ports you designate for user traffic. These values can only be changed by editing the corresponding Windows registry settings.
1. Open the Windows Start menu and select Terminal Server Agent to launch the Terminal Services agent application.
2. Select Configure in the side menu.
4. (Optional) If there are ports/port ranges within the source port allocation that you do not want the TS Agent to allocate to user sessions, specify them as Reserved Source Ports. To include multiple ranges, use commas with no spaces, for example: 2000-3000,3500,4000-5000.
5. Specify the number of ports to allocate to each individual user upon login to the terminal server in the Port Allocation Start Size Per User field (default 200).
7. Specify whether to continue processing traffic from the user if the user runs out of allocated ports. By default, the Fail port binding when available ports are used up is selected, which indicates that the application will fail to send traffic when all ports are used. To enable users to continue using applications when they run out of ports, clear this check box. Keep in mind that this traffic may not be identified with User-ID.

Step 4  Configure the firewalls to connect to the Terminal Services agent.
Complete the following steps on each firewall you want to connect to the Terminal Services agent to receive user mappings:
2. Enter a Name for the Terminal Services agent.
3. Enter the IP address of the Windows Host on which the Terminal Services agent is installed.
4. Enter the Port number on which the agent will listen for user mapping requests. This value must match the value configured on the Terminal Services agent. By default, the port is set to 5009 on the firewall and on the agent. If you change it here, you must also change the Listening Port field on the Terminal Services agent Configure screen.
5. Make sure that the configuration is Enabled and then click OK.
6. Commit the changes.
7. Verify that the Connected status displays as connected (a green light).
Step 5  Verify that the Terminal Services agent is successfully mapping IP addresses to usernames and that the firewalls can connect to the agent.
1. Open the Windows Start menu and select Terminal Server Agent.
2. Verify that the firewalls can connect by making sure the Connection Status of each firewall in the Connection List is Connected.
3. Verify that the Terminal Services agent is successfully mapping port ranges to usernames by selecting Monitor in the side menu and making sure that the mapping table is populated.

Step 6  (Windows 2012 R2 servers only) Disable Enhanced Protected Mode in Microsoft Internet Explorer for each user who uses that browser.
This task is not necessary for other browsers such as Google Chrome or Mozilla Firefox.
   To disable Enhanced Protected Mode for all users, use Local Security Policy.
Perform these steps on the Windows Server:
1. Start Internet Explorer.
4. Click OK.
   In Internet Explorer, Palo Alto Networks recommends that you do not disable Protected Mode, which differs from Enhanced Protected Mode.
Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports RESTful services.

To enable a non-Windows terminal server to send user mapping information directly to the firewall, create scripts that extract the user login and logout events and use them for input to the PAN-OS XML API request format. Then define the mechanisms for submitting the XML API request(s) to the firewall using cURL or wget and providing the firewall's API key for secure communication. Creating user mappings from multi-user systems such as terminal servers requires use of the following API messages:

- <multiusersystem>: Sets up the configuration for an XML API Multi-user System on the firewall. This message allows for definition of the terminal server IP address (this will be the source address for all users on that terminal server). In addition, the <multiusersystem> setup message specifies the range of source port numbers to allocate for user mapping and the number of ports to allocate to each individual user upon login (called the block size). If you want to use the default source port allocation range (1025-65534) and block size (200), you do not need to send a <multiusersystem> setup event to the firewall. Instead, the firewall will automatically generate the XML API Multi-user System configuration with the default settings upon receipt of the first user login event message.

- <blockstart>: Used with the <login> and <logout> messages to indicate the starting source port number allocated to the user. The firewall then uses the block size to determine the actual range of port numbers to map to the IP address and username in the login message. For example, if the <blockstart> value is 13200 and the block size configured for the multi-user system is 300, the actual source port range allocated to the user is 13200 through 13499. Each connection initiated by the user should use a unique source port number within the allocated range, enabling the firewall to identify the user based on its IP address-port-user mappings for enforcement of user- and group-based security rules. When a user exhausts all the ports allocated, the terminal server must send a new <login> message allocating a new port range for the user so that the firewall can update the IP address-port-user mapping. In addition, a single username can have multiple blocks of ports mapped simultaneously. When the firewall receives a <logout> message that includes a <blockstart> parameter, it removes the corresponding IP address-port-user mapping from its mapping table. When the firewall receives a <logout> message with a username and IP address, but no <blockstart>, it removes the user from its table. And, if the firewall receives a <logout> message with an IP address only, it removes the multi-user system and all mappings associated with it.

The XML files that the terminal server sends to the firewall can contain multiple message types and the messages do not need to be in any particular order within the file. However, upon receiving an XML file that contains multiple message types, the firewall will process them in the following order: multiusersystem requests first, followed by logins, then logouts.
The following workflow provides an example of how to use the PAN-OS XML API to send user mappings from a non-Windows terminal server to the firewall.

Use the PAN-OS XML API to Map Non-Windows Terminal Services Users

Step 1  Generate the API key that will be used to authenticate the API communication between the firewall and the terminal server. To generate the key you must provide login credentials for an administrative account; the API is available to all administrators (including role-based administrators with XML API privileges enabled).
   Any special characters in the password must be URL/percent-encoded.
From a browser, log in to the firewall. Then, to generate the API key for the firewall, open a new browser window and enter the following URL:
https://<Firewall-IPaddress>/api/?type=keygen&user=<username>&password=<password>
Where <Firewall-IPaddress> is the IP address or FQDN of the firewall and <username> and <password> are the credentials for the administrative user account on the firewall. For example:
https://10.1.2.5/api/?type=keygen&user=admin&password=admin
The firewall responds with a message containing the key, for example:
<response status="success">
<result>
<key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
</result>
</response>
Step 2: (Optional) Generate a setup message that the terminal server will send to specify the port range and block size of ports per user that your terminal services agent uses. If the terminal services agent does not send a setup message, the firewall will automatically create a Terminal Services agent configuration using the following default settings upon receipt of the first login message:
- Default port range: 1025 to 65534
- Per-user block size: 200
- Maximum number of multiuser systems: 1,000

The following shows a sample setup message:

<uid-message>
  <payload>
    <multiusersystem>
      <entry ip="10.1.1.23" startport="20000" endport="39999" blocksize="100"/>
    </multiusersystem>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>

where entry ip specifies the IP address assigned to terminal server users, startport and endport specify the port range to use when assigning ports to individual users, and blocksize specifies the number of ports to assign to each user. The maximum block size is 4000 and each multiuser system can allocate a maximum of 1,000 blocks.

If you define a custom block size and/or port range, keep in mind that you must configure the values such that every port in the range gets allocated and that there are no gaps or unused ports. For example, if you set the port range to 1000-1499, you could set the block size to 100, but not to 200. This is because if you set it to 200, there would be unused ports at the end of the range.

Step 3: Create a script that will extract the login events and create the XML input file to send to the firewall.

Make sure the script enforces assignment of port number ranges at fixed boundaries with no port overlaps. For example, if the port range is 1000-1999 and the block size is 200, acceptable blockstart values would be 1000, 1200, 1400, 1600, or 1800. Blockstart values of 1001, 1300, or 1850 would be unacceptable because some of the port numbers in the range would be left unused.

The login event payload that the terminal server sends to the firewall can contain multiple login events.

The following shows the input file format for a PAN-OS XML login event:

<uid-message>
  <payload>
    <login>
      <entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
      <entry name="acme\jparker" ip="10.1.1.23" blockstart="20100"/>
      <entry name="acme\ccrisp" ip="10.1.1.23" blockstart="21000"/>
    </login>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>

The firewall uses this information to populate its user mapping table. Based on the mappings extracted from the example above, if the firewall received a packet with a source address and port of 10.1.1.23:20101, it would map the request to user jparker for policy enforcement.
Step 4: Create a script that will extract the logout events and create the XML input file to send to the firewall.

Upon receipt of a logout event message with a blockstart parameter, the firewall removes the corresponding IP address-port-user mapping. If the logout message contains a username and IP address, but no blockstart parameter, the firewall removes all mappings for the user. If the logout message contains an IP address only, the firewall removes the multiuser system and all associated mappings.

The following shows the input file format for a PAN-OS XML logout event:

<uid-message>
  <payload>
    <logout>
      <entry name="acme\jjaso" ip="10.1.1.23" blockstart="20000"/>
      <entry name="acme\ccrisp" ip="10.1.1.23"/>
      <entry ip="10.2.5.4"/>
    </logout>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>

You can also clear the multiuser system entry from the firewall using the following CLI command: clear xml-api multiusersystem

Step 5: Make sure that the scripts you create include a way to dynamically enforce that the port block range allocated using the XML API matches the actual source port assigned to the user on the terminal server, and that the mapping is removed when the user logs out or the port allocation changes.

One way to do this would be to use netfilter NAT rules to hide user sessions behind the specific port ranges allocated via the XML API, based on the uid. For example, to ensure that a user with the user ID jjaso is mapped to a source network address translation (SNAT) value of 10.1.1.23:20000-20099, the script you create should add an iptables SNAT rule that translates that user's sessions to exactly that address and port block.

Similarly, the scripts you create should also ensure that the iptables NAT configuration dynamically removes the SNAT mapping when the user logs out or the port allocation changes:

[root@ts1 ~]# iptables -t nat -D POSTROUTING 1

Note that deleting by rule number (1 here) removes whichever rule currently occupies that position in the POSTROUTING chain; a script that manages rules for several users should delete by the exact rule specification instead.

Step 6: Define how to package the XML input files containing the setup, login, and logout events into wget or cURL messages for transmission to the firewall. Quote the URL so that the shell does not treat the & separators as job control.

To apply the files to the firewall using wget, for example to send an input file named login.xml to the firewall at 10.2.5.11 using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg:

> wget --post-file=login.xml "https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&file-name=login.xml&client=wget&vsys=vsys1"

To apply the file to the firewall using cURL:

> curl --form file=@<filename> "https://<Firewall-IPaddress>/api/?type=user-id&key=<key>&vsys=<VSYS_name>"

For example, the syntax for sending an input file named login.xml to the firewall at 10.2.5.11 using key k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg using cURL would look as follows:

> curl --form file=@login.xml "https://10.2.5.11/api/?type=user-id&key=k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg&vsys=vsys1"
Step 7: Verify that the firewall is successfully receiving login events from the terminal servers.

Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands.

To verify if the terminal server is connecting to the firewall over XML:

admin@PA-5050> show user xml-api multiusersystem
Host            Vsys    Users   Blocks
---------------------------------------
10.5.204.43     vsys1

To verify that the firewall is receiving mappings from a terminal server over XML:

admin@PA-5050> show user ip-port-user-mapping all
Global max host index 1, host hash count 1
XML API Multi-user System 10.5.204.43
    Vsys 1, Flag 3
    Port range: 20000 - 39999
    Port size: start 200; max 2000
    Block count 100, port count 20000
    20000-20199: acme\administrator
Total host: 1
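The following script is an added example and is not Palo Alto Networks code or part of the guide. It builds the setup, login and logout messages from Steps 2 to 4 with the standard library, rejects port plans that would leave ports unused or blockstart values that are off a block boundary (Step 3), models the firewall's mapping table so you can check which user a given source ip:port resolves to, and renders the per-user netfilter SNAT add/delete commands that Step 5 calls for. The element and attribute names come from the guide; the iptables syntax in snat_rules(), the local Unix username, and the sample users and addresses are assumptions for illustration.

```python
"""Added example, not Palo Alto Networks code: build, validate and replay the
User-ID XML API messages a non-Windows terminal server sends. Standard library
only; element and attribute names follow the guide. The netfilter command
syntax in snat_rules() and the sample users/addresses are assumptions."""
import xml.etree.ElementTree as ET

MAX_BLOCKSIZE, MAX_BLOCKS = 4000, 1000   # limits stated in the guide
DEFAULT_PLAN = (1025, 65534, 200)        # firewall defaults when no setup message is sent


def block_count(startport, endport, blocksize):
    """Blocks the plan yields, or 0 if ports would be left unused or a limit is exceeded."""
    span = endport - startport + 1
    if not 0 < blocksize <= MAX_BLOCKSIZE or span <= 0 or span % blocksize:
        return 0
    return span // blocksize if span // blocksize <= MAX_BLOCKS else 0


def is_aligned(startport, endport, blocksize, blockstart):
    """True when blockstart sits on a fixed block boundary inside the range."""
    return startport <= blockstart <= endport and (blockstart - startport) % blocksize == 0


def build_message(system=None, logins=(), logouts=()):
    """Serialise one <uid-message>: system=(ip, startport, endport, blocksize),
    logins=[(name, ip, blockstart)], logouts=[{"ip": .., "name": ?, "blockstart": ?}]."""
    root = ET.Element("uid-message")
    payload = ET.SubElement(root, "payload")
    if system:
        ip, sp, ep, bs = system
        if not block_count(sp, ep, bs):
            raise ValueError("port range %d-%d with block size %d leaves ports unused" % (sp, ep, bs))
        mus = ET.SubElement(payload, "multiusersystem")
        ET.SubElement(mus, "entry", ip=ip, startport=str(sp), endport=str(ep), blocksize=str(bs))
    if logins:
        login = ET.SubElement(payload, "login")
        for name, ip, bs in logins:
            ET.SubElement(login, "entry", name=name, ip=ip, blockstart=str(bs))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for entry in logouts:
            ET.SubElement(logout, "entry", **{k: str(v) for k, v in entry.items()})
    ET.SubElement(root, "type").text = "update"
    ET.SubElement(root, "version").text = "1.0"
    return ET.tostring(root, encoding="unicode")


class MappingTable:
    """Model of the firewall's IP-address-port-user table; apply() uses the guide's
    processing order (multiusersystem, then login, then logout) whatever the file order."""
    def __init__(self):
        self.systems = {}   # ip -> (startport, endport, blocksize)
        self.blocks = {}    # (ip, blockstart) -> username

    def apply(self, xml_text):
        root = ET.fromstring(xml_text)
        for e in root.findall("./payload/multiusersystem/entry"):
            plan = tuple(int(e.get(k)) for k in ("startport", "endport", "blocksize"))
            if not block_count(*plan):
                raise ValueError("invalid port plan for %s" % e.get("ip"))
            self.systems[e.get("ip")] = plan
        for e in root.findall("./payload/login/entry"):
            ip, bs = e.get("ip"), int(e.get("blockstart"))
            plan = self.systems.setdefault(ip, DEFAULT_PLAN)   # auto-created on first login
            if not is_aligned(*plan, bs):
                raise ValueError("blockstart %d is not on a block boundary for %s" % (bs, ip))
            self.blocks[(ip, bs)] = e.get("name")
        for e in root.findall("./payload/logout/entry"):
            ip, name, bs = e.get("ip"), e.get("name"), e.get("blockstart")
            if bs is not None:                 # one block of one user
                self.blocks.pop((ip, int(bs)), None)
            elif name is not None:             # every block of that user on that host
                self.blocks = {k: u for k, u in self.blocks.items() if not (k[0] == ip and u == name)}
            else:                              # the whole multiuser system
                self.systems.pop(ip, None)
                self.blocks = {k: u for k, u in self.blocks.items() if k[0] != ip}

    def lookup(self, ip, port):
        """Username the firewall would apply to a packet from ip:port, or None."""
        if ip not in self.systems:
            return None
        sp, ep, bs = self.systems[ip]
        return self.blocks.get((ip, sp + (port - sp) // bs * bs)) if sp <= port <= ep else None


def snat_rules(local_user, ip, blockstart, blocksize):
    """iptables add/delete commands (assumed syntax) pinning a local user's TCP sessions
    to the port block announced over the XML API; deleting by full specification rather
    than by rule number removes exactly this rule even after other users' rules exist."""
    rule = ("POSTROUTING -m owner --uid-owner %s -p tcp -j SNAT --to-source %s:%d-%d"
            % (local_user, ip, blockstart, blockstart + blocksize - 1))
    return "iptables -t nat -A " + rule, "iptables -t nat -D " + rule


def replay_guide_example():
    """Setup, the guide's three logins, then two of its logouts; returns four lookups."""
    t = MappingTable()
    t.apply(build_message(system=("10.1.1.23", 20000, 39999, 100)))
    t.apply(build_message(logins=[("acme\\jjaso", "10.1.1.23", 20000), ("acme\\jparker", "10.1.1.23", 20100),
                                  ("acme\\ccrisp", "10.1.1.23", 21000)]))
    before = t.lookup("10.1.1.23", 20101)   # acme\jparker, as in the guide
    t.apply(build_message(logouts=[{"name": "acme\\jjaso", "ip": "10.1.1.23", "blockstart": 20000},
                                   {"name": "acme\\ccrisp", "ip": "10.1.1.23"}]))
    return before, t.lookup("10.1.1.23", 20000), t.lookup("10.1.1.23", 21050), t.lookup("10.1.1.23", 20150)
```

In a real agent the output of build_message() is what you would write to login.xml and post with the wget or cURL command from Step 6, and the add command from snat_rules() would run at login, with its delete counterpart run at logout alongside the <logout> message. Keep the blockstart given to the firewall and the port range given to iptables derived from one variable, so the two can never drift apart.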
Enable User- and Group-Based Policy

After you Enable User-ID, you will be able to configure Security Policy that applies to specific users and groups. User-based policy controls can also include application information (including which category and subcategory it belongs in, its underlying technology, or what the application characteristics are). You can define policy rules to safely enable applications based on users or groups of users, in either outbound or inbound directions.

Examples of user-based policies include:
- Enable only the IT department to use tools such as SSH, telnet, and FTP on standard ports.
- Allow the Help Desk Services group to use Slack.
- Allow all users to read Facebook, but block the use of Facebook apps, and restrict posting to employees in marketing.
Enable Policy for Users with Multiple Accounts

If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with distinct privileges for accessing a particular set of services, but with all the usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map any one IP address (or IP address and port range for terminal server users) to only one username for enforcing policy, and you can't predict which username the agent will map. To control access for all the usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.

For example, say the firewall has a rule that allows username corp_user to access email and a rule that allows username admin_user to access a MySQL server. The user logs in with either username from the same client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall always identifies the user as admin_user regardless of login and allows access to the MySQL server but not email. The following steps describe how to enforce both rules in this example.

Enable Policy for a User with Multiple Accounts

Step 1: Configure a user group for each service that requires distinct access privileges.

In this example, each group is for a single service (email or MySQL server). However, it is common to configure each group for a set of services that require the same privileges (for example, one group for all basic user services and one group for all administrative services).

If your organization already has user groups that can access the services that the user requires, simply add the username that is used for less restricted services to those groups. In this example, the email server requires less restricted access than the MySQL server, and corp_user is the username for accessing email. Therefore, you add corp_user to a group that can access email (corp_employees) and to a group that can access the MySQL server (network_services).

If adding a username to a particular existing group would violate your organizational practices, you can create a custom group based on an LDAP filter. For this example, say network_services is a custom group, which you configure as follows:
1.
2. Select an LDAP Server Profile and ensure the Enabled check box is enabled.
3. Select the Custom Group tab and Add a custom group with network_services as a Name.
4. Specify an LDAP Filter that matches an LDAP attribute of corp_user and click OK.
5. Click OK and Commit.

Later, if other users that are in the group for less restricted services are given additional usernames that access more restricted services, you can add those usernames to the group for more restricted services. This scenario is more common than the inverse; a user with access to more restricted services usually already has access to less restricted services.
Step 2: Configure the rules that control user access based on the groups you just configured.

Enable User and Group Based Policy:
1. Configure a security rule that allows the corp_employees group to access email.
2. Configure a security rule that allows the network_services group to access the MySQL server.

Step 3: Configure the ignore list of the User-ID agent.

This ensures that the User-ID agent maps the client IP address only to the username that is a member of the groups assigned to the rules you just configured. The ignore list must contain all the usernames of the user that are not members of those groups.

In this example, you add admin_user to the ignore list of the Windows-based User-ID agent to ensure that it maps the client IP address to corp_user. This guarantees that, whether the user logs in as corp_user or admin_user, the firewall identifies the user as corp_user and applies both rules that you configured, because corp_user is a member of the groups that the rules reference.
1. Create an ignore_user_list.txt file.
2. Open the file and add admin_user. If you later add more usernames, each must be on a separate line.
3. Save the file to the User-ID agent folder on the domain server where the agent is installed.

If you use the PAN-OS integrated User-ID agent, see Configure User Mapping Using the PAN-OS Integrated User-ID Agent for instructions on how to configure the ignore list.

Step 4: Configure endpoint authentication for the restricted services.

This enables the endpoint to verify the credentials of the user and preserves the ability to enable access for users with multiple usernames.

In this example, you have configured a firewall rule that allows corp_user, as a member of the network_services group, to send a service request to the MySQL server. You must now configure the MySQL server to respond to any unauthorized username (such as corp_user) by prompting the user to enter the login credentials of an authorized username (admin_user). The firewall rule only admits the connection to the server; the server's own authentication is what keeps the less privileged identity from using the restricted service.

If the user logs in to the network as admin_user, the user can then access the MySQL server without it prompting for the admin_user credentials again.

In this example, both corp_user and admin_user have email accounts, so the email server won't prompt for additional credentials regardless of which username the user entered when logging in to the network.

The firewall is now ready to enforce rules for a user with multiple usernames.
Verify the User-ID Configuration

After you configure group mapping and user mapping and enable User-ID on your security rules and Captive Portal rules, you should verify that it is working properly.

Step 1: Verify that group mapping is working.

From the CLI, enter the following operational command:

> show user group-mapping statistics

Step 2: Verify that user mapping is working.

If you are using the PAN-OS integrated User-ID agent, you can verify this from the CLI using the following command:

> show user ip-user-mapping-mp all
IP               Vsys   From  User                 Timeout (sec)
-----------------------------------------------------------------
192.168.201.1    vsys1  UIA   acme\george          210
192.168.201.11   vsys1  UIA   acme\duane           210
192.168.201.50   vsys1  UIA   acme\betsy           210
192.168.201.10   vsys1  UIA   acme\administrator   210
192.168.201.100  vsys1  AD    acme\administrator   748
Total: 5 users
*: WMI probe succeeded

Step 3: Test your security rule.

From a machine in the zone where User-ID is enabled, attempt to access sites and applications to test the rules you defined in your policy and ensure that traffic is allowed and denied as expected.

You can also use the test security-policy-match operational command to determine whether the policy is configured correctly. For example, suppose you have a rule that blocks user duane from playing World of Warcraft; you could test the policy as follows:

> test security-policy-match application worldofwarcraft source-user acme\duane source any destination any destination-port any protocol 6
"deny worldofwarcraft" {
        from corporate;
        source any;
        source-region any;
        to internet;
        destination any;
        destination-region any;
        user acme\duane;
        category any;
        application/service worldofwarcraft;
        action deny;
        terminal no;
}
Step 4: Test your Captive Portal configuration.
1. From the same zone, go to a machine that is not a member of your directory, such as a Mac OS system, and try to ping a system external to the zone. The ping should work without requiring authentication.
2. From the same machine, open a browser and navigate to a website in a destination zone that matches a Captive Portal rule you defined. The Captive Portal web form should display and prompt you for login credentials.
3. Log in using the correct credentials and confirm that you are redirected to the requested page.
4. You can also test your Captive Portal policy using the test cp-policy-match operational command as follows:

> test cp-policy-match from corporate to internet source 192.168.201.10 destination 8.8.8.8
Matched rule: 'captive portal' action: web-form

Step 5: Verify that the log files display usernames.

Step 6: Verify that reports display usernames.
1.
2. Select a report type that includes usernames. For example, the Denied Applications report, Source User column, should display a list of the users who attempted to access the applications.
Deploy User-ID in a Large-Scale Network

A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and to map usernames to user groups. You can simplify User-ID administration for such a network by aggregating the user mapping and group mapping information before the User-ID agents collect it, thereby reducing the number of required agents.

A large-scale network can also have numerous firewalls that use the mapping information to enforce policies. You can reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (for example, regional directory services) but need access to remote resources (for example, global data center applications).

- Deploy User-ID for Numerous Mapping Information Sources
- Configure Firewalls to Redistribute User Mapping Information
- Windows Log Forwarding and Global Catalog Servers
- Plan a Large-Scale User-ID Deployment
- Configure Windows Log Forwarding
- Configure User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Because each User-ID agent can monitor up to 100 servers, the firewall needs multiple User-ID agents to monitor a network with hundreds of AD domain controllers or Exchange servers. Creating and managing numerous User-ID agents involves considerable administrative overhead, especially in expanding networks where tracking new domain controllers is difficult. Windows Log Forwarding enables you to minimize the administrative overhead by reducing the number of servers to monitor and thereby reducing the number of User-ID agents to manage. When you configure Windows Log Forwarding, multiple domain controllers export their login events to a single domain member from which a User-ID agent collects the user mapping information.

You can configure Windows Log Forwarding for Windows Server versions 2003, 2008, 2008 R2, 2012, and 2012 R2. Windows Log Forwarding is not available for non-Microsoft servers.

To collect group mapping information in a large-scale network, you can configure the firewall to query a Global Catalog server that receives account information from the domain controllers.

The following figure illustrates user mapping and group mapping for a large-scale network in which the firewall uses a Windows-based User-ID agent. See Plan a Large-Scale User-ID Deployment to determine if this deployment suits your network.

Plan a Large-Scale User-ID Deployment

When deciding whether to use Windows Log Forwarding and Global Catalog servers for your User-ID implementation, consult your system administrator to determine:
- Bandwidth required for domain controllers to forward login events to member servers. The bandwidth is a multiple of the login rate (number of logins per minute) of the domain controllers and the byte size of each login event.
  Note that domain controllers won't forward their entire security logs; they forward only the events that the user mapping process requires per login: three events for Windows Server 2003 or four events for Windows Server 2008/2012 and MS Exchange.
- Whether the following network elements support the required bandwidth:
  - Domain controllers: Must support the processing load associated with forwarding the events.
  - Member servers: Must support the processing load associated with receiving the events.
  - Connections: The geographic distribution (local or remote) of the domain controllers, member servers, and Global Catalog servers is a factor. Generally, a remote distribution supports less bandwidth.
Configure Windows Log Forwarding

To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on every member server that will collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.

Step 1: On every member server that will collect security events, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
- Windows Server 2003: The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
- Windows Server 2008/2012 (including R2) or MS Exchange: The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).

You must forward events to the security logs location on the member servers, not to the default forwarded logs location.

To forward events as quickly as possible, select the Minimize Latency option when configuring the subscription.

Step 2: Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.

Step 3: Configure a group policy to enable Windows Event Forwarding on the domain controllers.
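The following script is an added example and is not Palo Alto Networks code or part of the guide. It renders the subscription filter that selects only the event IDs listed in Step 1 for each domain controller platform, and then shows the selection logic a collector-side consumer applies to forwarded records to turn them into IP-address-to-username mappings: unneeded event IDs, computer accounts and local or loopback client addresses are dropped. The event records are constructed for the example, and their field names (EventID, Domain, AccountName, ClientAddress) are assumptions standing in for the corresponding fields of the real Windows events.

```python
"""Added example, not Palo Alto Networks code: select the per-platform logon
events User-ID needs from forwarded Windows security logs and derive
IP-address-to-username mappings from them. The records below are constructed;
their field names (EventID, Domain, AccountName, ClientAddress) are assumptions
standing in for the fields of the real events."""
import ipaddress

# Event IDs the guide lists per domain controller platform.
REQUIRED_EVENTS = {
    "2003": {672: "Authentication Ticket Granted", 673: "Service Ticket Granted",
             674: "Ticket Granted Renewed"},
    "2008/2012": {4768: "Authentication Ticket Granted", 4769: "Service Ticket Granted",
                  4770: "Ticket Granted Renewed", 4624: "Logon Success"},
}


def subscription_query(platform):
    """XPath filter for the collector's subscription: only the required IDs leave the DC."""
    ids = " or ".join("EventID=%d" % i for i in sorted(REQUIRED_EVENTS[platform]))
    return "*[System[(%s)]]" % ids


def is_required(event_id):
    """True for an event ID that any supported platform needs for user mapping."""
    return any(event_id in ids for ids in REQUIRED_EVENTS.values())


def client_ip(addr):
    """Normalise the client address; None for anything that maps no workstation.
    Kerberos events record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    if not addr:
        return None
    if addr.startswith("::ffff:"):
        addr = addr[7:]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return None if ip.is_loopback or ip.is_unspecified else str(ip)


def map_events(records):
    """{client_ip: 'DOMAIN\\user'} from forwarded records: required event IDs only,
    user (not computer$ or built-in) accounts, routable clients; later records win."""
    mapping = {}
    for rec in records:
        user = rec.get("AccountName", "")
        if not is_required(rec["EventID"]) or not user or user.endswith("$"):
            continue
        if user.upper() in ("ANONYMOUS LOGON", "SYSTEM"):
            continue
        ip = client_ip(rec.get("ClientAddress"))
        if ip:
            mapping[ip] = "%s\\%s" % (rec["Domain"], user)
    return mapping


# Constructed sample of what a subscription might deliver (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4768, "Domain": "acme", "AccountName": "george", "ClientAddress": "::ffff:192.168.201.1"},
    {"EventID": 4624, "Domain": "acme", "AccountName": "DC01$", "ClientAddress": "192.168.201.250"},
    {"EventID": 4672, "Domain": "acme", "AccountName": "administrator", "ClientAddress": "192.168.201.10"},
    {"EventID": 4769, "Domain": "acme", "AccountName": "duane", "ClientAddress": "127.0.0.1"},
    {"EventID": 673, "Domain": "acme", "AccountName": "betsy", "ClientAddress": "192.168.201.50"},
    {"EventID": 4624, "Domain": "acme", "AccountName": "george", "ClientAddress": "192.168.201.11"},
]
```

The subscription filter is the part that keeps the bandwidth estimate from Plan a Large-Scale User-ID Deployment honest: with it in place a domain controller forwards three or four events per login rather than its whole security log. The 4672 record in the sample is dropped for that reason, and the DC01$ and 127.0.0.1 records are dropped because a computer account or a logon from the domain controller itself identifies no workstation.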
Configure User-ID for Numerous Mapping Information Sources

Step 1: Configure Windows Log Forwarding on the member servers that will collect login events. See Configure Windows Log Forwarding. This step requires administrative privileges for configuring group policies on Windows servers.

Step 2: Install the Windows-based User-ID agent.

Install the User-ID Agent on a Windows server that can access the member servers. The Windows server can be inside or outside the Active Directory forest; it doesn't need to be a member server itself.

Step 3: Configure the User-ID agent to collect user mapping information from the member servers.
1. Start the Windows-based User-ID agent.
2.
3. Configure the remaining User-ID agent settings: see Configure the User-ID Agent for User Mapping.

Step 4: Configure an LDAP server profile to specify how the firewall connects to the Global Catalog servers (up to four) for group mapping information.

To improve availability, use at least two Global Catalog servers for redundancy.

You can collect group mapping information only for universal groups, not local domain groups (subdomains).
1.
2.
3.
4. For the Type, select active-directory.
5. Configure the remaining fields as necessary: see Add an LDAP server profile.

Step 5: Configure an LDAP server profile to specify how the firewall connects to the servers (up to four) that contain domain mapping information.

User-ID uses this information to map DNS domain names to NetBIOS domain names. This mapping ensures consistent domain/username references in policy rules.

To improve availability, use at least two servers for redundancy.

The steps are the same as for the LDAP server profile you created for Global Catalogs in Step 4, except for the following fields:
- LDAP Server: Enter the IP address of the domain controller that contains the domain mapping information.
- Port: For a plaintext or StartTLS connection, use Port 389. For an LDAP over SSL connection, use Port 636. If the connection will use StartTLS or LDAP over SSL, select the Require SSL/TLS secured connection check box. Prefer one of the two protected options, because a plaintext bind sends the firewall's directory credentials in the clear.
- Base DN: Select the DN of the point in the domain controller where the firewall will start searching for domain mapping information. The value must start with the string cn=partitions,cn=configuration (for example, cn=partitions,cn=configuration,DC=acbdomain,DC=com).

Step 6: Create a group mapping configuration for each LDAP server profile you created.
1.
2. Click Add and enter a Name to identify the group mapping configuration.
3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
4. Configure the remaining fields as necessary: see Map Users to Groups.
   If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
5. Click OK and Commit.
Configure Firewalls to Redistribute User Mapping Information

- Firewall Deployment for User-ID Redistribution
- Configure User-ID Redistribution

Firewall Deployment for User-ID Redistribution

You can organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers perform the IP-address-to-username mapping. Each higher layer has firewalls that receive the mapping information from up to 100 User-ID agents in the layer beneath it. The top-layer firewalls aggregate the mapping information from all layers. This deployment provides the option to configure global policies for all users (in top-layer firewalls) and region- or function-specific policies for a subset of users in the corresponding domains (in lower-layer firewalls).

Figure: User-ID Redistribution shows a deployment with three layers of firewalls that redistribute mapping information from local information sources (directory servers, in this example) to regional offices and then to a global data center. The data center firewall that aggregates all the mapping information shares it with other data center firewalls so that they can all enforce global policy. Only the bottom-layer firewalls use PAN-OS integrated User-ID agents and Windows-based User-ID agents to query the directory servers.

The information sources from which User-ID agents collect mapping information do not count towards the maximum of ten hops in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate mapping information in one data center firewall and the second to share the information with other data center firewalls.
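The following script is an added example and is not Palo Alto Networks code or part of the guide. It encodes the counting rules stated above and in the configuration steps that follow (information sources do not count as hops, Windows-based agents and each virtual system do, at most ten hops per sequence, at most 100 agents feeding one firewall, and Terminal Services mappings never redistributed) so that a planned topology can be checked before any firewall is touched. The topology itself is constructed to resemble the figure; every node name is made up, and a multi-vsys firewall would be entered as one node per vsys.

```python
"""Added example, not Palo Alto Networks code: check a planned User-ID
redistribution topology against the limits the guide states (at most 100
agents feeding one firewall, at most ten hops per sequence, Windows agents and
virtual systems counting as hops, information sources not counting, and
Terminal Services mappings never redistributed). Node names are made up."""
from collections import defaultdict

MAX_HOPS, MAX_AGENTS_PER_FIREWALL = 10, 100

# Constructed topology modelled on the guide's figure; a multi-vsys firewall
# would appear here as one node per vsys. KIND gives each node's role and
# FEEDS lists where each node forwards mapping information.
KIND = {"ad-eu": "source", "ad-na": "source", "win-agent-na": "windows_agent",
        "fw-eu": "firewall", "fw-na": "firewall", "fw-regional": "firewall",
        "fw-dc-1": "firewall", "fw-dc-2": "firewall", "fw-dc-3": "firewall"}
FEEDS = {"ad-eu": ["fw-eu"], "ad-na": ["win-agent-na"], "win-agent-na": ["fw-na"],
         "fw-eu": ["fw-regional"], "fw-na": ["fw-regional"],
         "fw-regional": ["fw-dc-1"], "fw-dc-1": ["fw-dc-2", "fw-dc-3"]}


def paths_from(feeds, start):
    """Every forwarding path from start to a node that forwards nowhere."""
    paths = []

    def walk(node, path):
        if not feeds.get(node):
            paths.append(path)
            return
        for nxt in feeds[node]:
            if nxt in path:
                raise ValueError("redistribution loop at " + nxt)
            walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def hop_count(kind, path):
    """A hop is an edge whose origin is not an information source."""
    return sum(1 for node in path[:-1] if kind[node] != "source")


def check_topology(kind, feeds):
    """Return a list of findings; an empty list means the plan fits the limits."""
    findings = []
    fan_in = defaultdict(int)
    for src, dsts in feeds.items():
        for dst in dsts:
            fan_in[dst] += 1
    for node, n in fan_in.items():
        if kind[node] == "firewall" and n > MAX_AGENTS_PER_FIREWALL:
            findings.append("%s receives from %d agents (max %d)" % (node, n, MAX_AGENTS_PER_FIREWALL))
    for start in [n for n, k in kind.items() if k == "source"]:
        for path in paths_from(feeds, start):
            hops = hop_count(kind, path)
            if hops > MAX_HOPS:
                findings.append("%s: %d hops (max %d)" % (" > ".join(path), hops, MAX_HOPS))
    for src, dsts in feeds.items():
        if kind[src] == "ts_agent":
            for dst in dsts:
                if feeds.get(dst):
                    findings.append("TS agent mappings from %s stop at %s; they are not redistributed onward" % (src, dst))
    return findings
```

Run against the constructed topology, hop_count() gives the three hops for the European path and four for the North American one that the text above describes, and check_topology() returns no findings; extend FEEDS with an eleventh firewall in a chain, or with a ts_agent feeding a firewall that forwards onward, to see the corresponding finding.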
Figure: User-ID Redistribution

Configure User-ID Redistribution

Step 1: Plan the redistribution architecture.
- Decide which User-ID agents and methods to use for mapping IP addresses to usernames. You can redistribute user mapping information collected through any method except Terminal Services (TS) agents. You cannot redistribute Group Mapping or HIP match information.
- Determine the most efficient Firewall Deployment for User-ID Redistribution. Some factors to consider are:
  - Which firewalls will enforce global policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
  - How many hops does the redistribution sequence require to aggregate mapping information for firewalls in different functional or regional layers to enforce policy?
  - How can you minimize the number of firewalls that query the information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.
Step 2: Configure the User-ID agents to perform the user mapping.
- Configure User Mapping Using the PAN-OS Integrated User-ID Agent.
- Configure User Mapping Using the Windows User-ID Agent.

Step 3: Enable each bottom-layer firewall to forward mapping information to firewalls in the layer above.
1. Configure the firewall to function as a User-ID agent.
   a. Select Device > User Identification > User Mapping.
   b. (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system.
      You can redistribute mapping information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
   c. Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
   d. Enter a Collector Name to identify this firewall as a User-ID agent.
   e. Enter and confirm a Pre-Shared Key to secure communication between this firewall and the higher-layer firewalls. On a multi-vsys firewall, each vsys requires a unique pre-shared key.
   f. Click OK.
2. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface you want the firewall to use when responding to mapping information queries from firewalls in the layer above. Enable the service only on that interface, so the collector is not reachable from networks that have no need to query it.
3. (Optional) Configure policies that are specific to the user accounts for which you want this firewall to collect mapping information.
4. Commit your changes.
Step 4: Enable each middle-layer firewall to receive mapping information from the layer below and forward it to the layer above.

You must also perform this task for any firewall that redistributes mapping information to other firewalls in the same layer. For example, Figure: User-ID Redistribution shows one data center firewall that redistributes to other data center firewalls.

Each firewall can receive mapping information from up to 100 User-ID agents.

Figure: User-ID Redistribution shows only one middle layer of firewalls, but you can deploy as many layers as the redistribution limit of ten hops allows.

1. Configure the firewall to receive mapping information from firewalls acting as User-ID agents in the layer below.
   a. Select Device > User Identification > User-ID Agents and click Add.
   b. Enter a Name to identify the lower-layer firewall.
   c. Enter the Host name or IP address of the interface that you configured on the lower-layer firewall to respond to mapping information queries.
   d. Enter the Port number (default is 5007) on which the lower-layer firewall will listen for User-ID queries.
   e. Enter the Collector Name you specified when configuring the lower-layer firewall to act as a User-ID agent.
   f. Enter and confirm the Collector Pre-Shared Key you specified on the lower-layer firewall.
   g. Ensure the configuration is Enabled (default) and click OK.
   h. Check the Connected column to confirm the firewall you just added as a User-ID agent is connected.
2. Configure a service route for the firewall to use for sending mapping information queries to firewalls in the layer below.
   a. Select Device > Setup > Services.
   b. (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route). For details, refer to Customize Service Routes to Services for Virtual Systems.
   c. Click Service Route Configuration, select Customize, and select IPv4 or IPv6 depending on your network protocols. Configure the service route for both protocols if your network uses both.
   d. Select UID Agent and then select the Source Interface and Source Address.
   e. Click OK twice to save the service route.
3. Enable the firewall to forward the mapping information to firewalls in the layer above.
   a. Configure the firewall to function as a User-ID agent.
   b. Configure an Interface Management profile with the User-ID service enabled and assign the profile to the interface you want the firewall to use when responding to mapping information queries from firewalls in the layer above.
4. (Optional) Configure policies specific to user accounts for which you want this firewall to aggregate mapping information from lower layers.
5. Commit your changes.
Step 5: Enable each top-layer firewall to receive mapping information from all other layers.

You must also perform this task for any firewall that is an endpoint in the redistribution sequence within a layer. In the example of Figure: User-ID Redistribution, you would perform this task for the two data center firewalls that receive mapping information from another data center firewall.

1. Configure the firewall to receive mapping information from firewalls acting as User-ID agents in the layer below.
2. Configure a service route for the firewall to use for sending mapping information queries to firewalls in the layer below.
3. (Optional) Configure policies that are global to all user accounts.
4. Commit your changes.

Step 6: Verify that the top-layer firewalls are aggregating mapping information from all other layers.

This step samples a single user mapping that is collected in a bottom-layer firewall and forwarded to a top-layer firewall. Repeat the step for several user mappings and several firewalls to ensure your configuration is successful.

1. Access the CLI of a bottom-layer firewall and run the following operational command:

   > show user ip-user-mapping all

2. Record the IP address associated with any username.
3. Access the CLI of a top-layer firewall and run the following command, where <address> is the IP address you recorded in the previous step:

   > show user ip-user-mapping ip <address>

   If the firewall successfully received the user mapping from the bottom-layer firewall, it displays output similar to the following and displays the same username as you recorded in the bottom-layer firewall.

   IP address:    192.0.2.0 (vsys1)
   User:          corpdomain\username1
   From:          AD
   Idle Timeout:  2643s
   Max. TTL:      2643s
AppID
Tosafelyenableapplicationsonyournetwork,thePaloAltoNetworksnextgenerationfirewallsprovide
bothanapplicationandwebperspectiveAppIDandURLFilteringtoprotectagainstafullspectrumof
legal,regulatory,productivity,andresourceutilizationrisks.
AppIDenablesvisibilityintotheapplicationsonthenetwork,soyoucanlearnhowtheyworkand
understandtheirbehavioralcharacteristicsandtheirrelativerisk.Thisapplicationknowledgeallowsyouto
createandenforcesecuritypolicyrulestoenable,inspect,andshapedesiredapplicationsandblock
unwantedapplications.Whenyoudefinepolicyrulestoallowtraffic,AppIDbeginstoclassifytraffic
withoutanyadditionalconfiguration.
AppIDOverview
ManageCustomorUnknownApplications
ManageNewAppIDsIntroducedinContentReleases
UseApplicationObjectsinPolicy
ApplicationswithImplicitSupport
ApplicationLevelGateways
DisabletheSIPApplicationlevelGateway(ALG)
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 435
App-ID Overview
App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. It applies multiple classification mechanisms (application signatures, application protocol decoding, and heuristics) to your network traffic stream to accurately identify applications.
Here's how App-ID identifies applications traversing your network:
- Traffic is matched against policy to check whether it is allowed on the network.
- Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines whether the application is being used on its default port or on a non-standard port. If the traffic is allowed by policy, it is then scanned for threats and further analyzed to identify the application more granularly.
- If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
- Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
- For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
When the application is identified, the policy check determines how to treat the application: for example, block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.
Manage Custom or Unknown Applications
Palo Alto Networks provides weekly application updates to identify new App-ID signatures. By default, App-ID is always enabled on the firewall, and you don't need to enable a series of signatures to identify well-known applications. Typically, the only applications that are classified as unknown traffic (unknown-tcp, unknown-udp, or non-syn-tcp) in the ACC and the Traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.
On occasion, the firewall may report an application as unknown for the following reasons:
- Incomplete data: a handshake took place, but no data packets were sent prior to the timeout.
- Insufficient data: a handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.
The following choices are available to handle unknown applications:
- Create security policies to control unknown applications by unknown-tcp, unknown-udp, or by a combination of source zone, destination zone, and IP addresses.
- Request an App-ID from Palo Alto Networks. If you would like to inspect and control the applications that traverse your network, for any unknown traffic you can record a packet capture. If the packet capture reveals that the application is a commercial application, you can submit this packet capture to Palo Alto Networks for App-ID development. If it is an internal application, you can create a custom App-ID and/or define an application override policy.
- Create a custom application with a signature and attach it to a security policy, or create a custom application and define an application override policy. A custom application allows you to customize the definition of the internal application (its characteristics, category and subcategory, risk, port, timeout) and exercise granular policy control in order to minimize the range of unidentified traffic on your network. Creating a custom application also allows you to correctly identify the application in the ACC and Traffic logs and is useful in auditing/reporting on the applications on your network. For a custom application you can specify a signature and a pattern that uniquely identifies the application and attach it to a security policy that allows or denies the application.
Alternatively, if you would like the firewall to process the custom application using fast path (Layer 4 inspection instead of using App-ID for Layer 7 inspection), you can reference the custom application in an application override policy rule. An application override with a custom application prevents the session from being processed by the App-ID engine, which is a Layer 7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4, and thereby saves application processing time.
For example, if you build a custom application that triggers on a host header www.mywebsite.com, the packets are first identified as web-browsing and then are matched as your custom application (whose parent application is web-browsing). Because the parent application is web-browsing, the custom application is inspected at Layer 7 and scanned for content and vulnerabilities.
If you define an application override, the firewall stops processing at Layer 4. The custom application name is assigned to the session to help identify it in the logs, but the traffic is not scanned for threats. Use an application override only where the performance gain outweighs the loss of content inspection for that traffic.
Manage New App-IDs Introduced in Content Releases
Installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for the now uniquely identified application. Before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policies and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.
The following options enable you to assess the impact of new App-IDs on existing policy enforcement, disable (and enable) App-IDs, and seamlessly update policy rules to secure and enforce newly identified applications:
Review New App-IDs
  Review New App-IDs Since Last Content Version
  Review New App-ID Impact on Existing Policy Rules
Disable or Enable App-IDs
Prepare Policy Updates for Pending App-IDs
Review New App-IDs Since Last Content Version
Review New App-IDs Available Since the Last Installed Content Release Version
Step 1
Select Device > Dynamic Updates.
Step 2
Download the latest Applications and Threats content update. When the content update is downloaded, an Apps link appears in the Features column for that content update.
Step 3
Click the Apps link in the Features column to view details on newly identified applications:
- A list of App-IDs shows all new App-IDs introduced from the content version installed on the firewall to the selected Content Version.
- App-ID details that you can use to assess possible impact to policy enforcement include:
  Depends on: lists the application signatures that this App-ID relies on to uniquely identify the application. If one of the application signatures listed in the Depends On field is disabled, the dependent App-ID is also disabled.
  Previously Identified As: lists the App-IDs that matched the application before the new App-ID was installed to uniquely identify the application.
  App-ID Enabled: all App-IDs display as enabled when a content release is downloaded, unless you choose to manually disable the App-ID signature before installing the content update (see Disable or Enable App-IDs).
Multi-vsys firewalls display App-ID status as vsys-specific. This is because the status is not applied across virtual systems and must be individually enabled or disabled for each virtual system. To view the App-ID status for a specific virtual system, select Objects > Applications, select a Virtual System, and select the App-ID.
Next Steps...
Disable or Enable App-IDs.
Prepare Policy Updates for Pending App-IDs.
Review New App-ID Impact on Existing Policy Rules
Review the Impact of New App-ID Signatures on Existing Policy Rules
Step 1
Select Device > Dynamic Updates.
Step 2
You can review the policy impact of new content release versions that are downloaded to the firewall. Download a new content release version, and click Review Policies in the Action column. The Policy review based on candidate configuration dialog allows you to filter by Content Version and view App-IDs introduced in a specific release (you can also filter the policy impact of new App-IDs according to Rulebase and Virtual System).
Step 3
Select a new App-ID from the Application drop-down to view policy rules that currently enforce the application. The rules displayed are based on the application signatures that match the application before the new App-ID is installed (view application details to see the list of application signatures that an application was Previously Identified As before the new App-ID).
Step 4
Use the detail provided in the policy review to plan policy rule updates to take effect when the App-ID is installed and enabled to uniquely identify the application.
You can continue to Prepare Policy Updates for Pending App-IDs, or you can directly add the new App-ID to the policy rules that the application was previously matched to by continuing to use the policy review dialog.
In the following example, the new App-ID adobe-cloud is introduced in a content release. Adobe-cloud traffic is currently identified as SSL and web-browsing traffic. Policy rules configured to enforce SSL or web-browsing traffic are listed to show which policy rules will be affected when the new App-ID is installed. In this example, the rule Allow-SSL-App currently enforces SSL traffic.
Click Add to add the new App-ID to existing policy rules, so that the application traffic continues to be enforced according to your existing security requirements when the App-ID is installed. In this example, to continue to allow adobe-cloud traffic when it is uniquely identified by the new App-ID, and no longer identified as SSL traffic, add the new App-ID to the security policy rule Allow-SSL-App. Until you do, the installed App-ID would cause adobe-cloud sessions to fall past Allow-SSL-App to whatever rule matches next.
The policy rule updates take effect only when the application updates are installed.
Next Steps...
Disable or Enable App-IDs.
Prepare Policy Updates for Pending App-IDs.
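The added example below (not PAN-OS code, not from the guide) models the review just described: given a rulebase and the "Previously Identified As" list of a pending App-ID, it lists the impacted rules, shows which rule the application's traffic hits before and after the content install, and stages the new App-ID into the impacted allow rules. The App-ID adobe-cloud, its previous identification as ssl and web-browsing, and the rule Allow-SSL-App are taken from the guide's example; the other rules are constructed.

```python
"""Model the policy-impact review for a new App-ID before the content release is installed.

Added example, not PAN-OS code. The App-ID name adobe-cloud, its "Previously Identified As"
list (ssl, web-browsing) and the rule Allow-SSL-App come from the guide's example; the rest of
the rulebase is constructed. Rules are evaluated top-down and the first match wins, as in the
firewall's security rulebase.
"""

RULES = [
    {"name": "Allow-SSL-App", "apps": {"ssl"}, "action": "allow"},
    {"name": "Allow-Web", "apps": {"web-browsing"}, "action": "allow"},
    {"name": "Allow-Mail", "apps": {"smtp", "imap"}, "action": "allow"},
    {"name": "Deny-Everything-Else", "apps": {"any"}, "action": "deny"},
]

# What the downloaded (not yet installed) content release reports for the new App-ID
NEW_APPID = {"name": "adobe-cloud", "previously_identified_as": {"ssl", "web-browsing"}}


def first_match(rules, app):
    """Name of the first rule whose application list matches `app`, or None if none does."""
    for rule in rules:
        if "any" in rule["apps"] or app in rule["apps"]:
            return rule["name"]
    return None


def impacted_rules(rules, new_appid):
    """Rules that enforce one of the signatures the application matched before the new App-ID.

    This is the list the Policy review dialog shows for the selected Application; a rule
    matching "any" is not listed because its behaviour does not change.
    """
    prev = new_appid["previously_identified_as"]
    return [r["name"] for r in rules if r["apps"] & prev]


def enforcement_shift(rules, new_appid):
    """How the application's traffic is treated before and after the App-ID is installed."""
    before = {sig: first_match(rules, sig) for sig in sorted(new_appid["previously_identified_as"])}
    return {"before": before, "after": first_match(rules, new_appid["name"])}


def stage_update(rules, new_appid):
    """Copy of the rulebase with the new App-ID added to every impacted allow rule.

    Deny rules are left alone on purpose: a rule that denied ssl or web-browsing may not be
    meant to deny the now uniquely identified application, so that is a manual decision.
    """
    staged = []
    for rule in rules:
        apps = set(rule["apps"])
        if rule["action"] == "allow" and apps & new_appid["previously_identified_as"]:
            apps.add(new_appid["name"])
        staged.append({**rule, "apps": apps})
    return staged


if __name__ == "__main__":
    print("impacted:", impacted_rules(RULES, NEW_APPID))
    print("before staging:", enforcement_shift(RULES, NEW_APPID))
    print("after staging: ", enforcement_shift(stage_update(RULES, NEW_APPID), NEW_APPID))
```

Running it shows the shift the guide warns about: before staging, adobe-cloud traffic is admitted by Allow-SSL-App (as ssl) and Allow-Web (as web-browsing); once the App-ID is installed the same traffic matches only Deny-Everything-Else until the staged rules are committed.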
Disable or Enable App-IDs
Disable all App-IDs in a content release or for scheduled content updates.
To disable all new App-IDs introduced in a content release, select Device > Dynamic Updates and Install an Applications and Threats content release. When prompted, select Disable new apps in content update. Selecting the check box disables the apps and continues installing the content update; this allows you to be protected against threats, and gives you the option to enable the apps at a later time.
For scheduled updates, on the Device > Dynamic Updates page select Schedule and choose Disable new apps in content update for downloads and installations of content releases.
Disable App-IDs for one application or multiple applications at a single time.
To quickly disable a single application or multiple applications at the same time, select Objects > Applications, select one or more application check boxes, and click Disable.
To review details for a single application and then disable the App-ID for that application, select Objects > Applications, open the application, and click Disable App-ID. You can use this step to disable both pending App-IDs (where the content release including the App-ID is downloaded to the firewall but not installed) and installed App-IDs.
Enable App-IDs.
Enable App-IDs that you previously disabled by selecting Objects > Applications. Select one or more application check boxes and click Enable, or open the details for a specific application and click Enable App-ID.
(Figure: a disabled App-ID included in a security policy rule.)
App-IDs that are included in a downloaded content release version might have an App-ID status of enabled, but App-IDs are not enforced until the corresponding content release version is installed.
Prepare Policy Updates for Pending App-IDs
Perform Seamless Policy Updates for New App-IDs
To install the content release version now and then update policies (do this to benefit from new threat signatures immediately, while you review new application signatures and update your policies):
1. Download the latest content release version.
2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
3. Install the latest content release version. Before the content release is installed, you are prompted to Disable new apps in content update. Select the check box and continue to install the content release. Threat signatures included in the content release will be installed and effective, while new or updated App-IDs are disabled.
4. Select Policies and update Security, QoS, and Policy Based Forwarding rules to match to and enforce the now uniquely identified application traffic, using the pending App-IDs.
5. Enable the new App-IDs (see Disable or Enable App-IDs).
6. Commit your changes to seamlessly update policy enforcement for new App-IDs.
To update policies now and then install the content release version:
1. Download the latest content release version.
2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
3. While reviewing the policy impact for new App-IDs, you can use the Policy Review based on candidate configuration dialog to add a new App-ID to existing policy rules: click Add. The new App-ID is added to the existing rules as a disabled App-ID.
4. Continue to review the policy impact for all App-IDs included in the latest content release version by selecting App-IDs in the Applications drop-down. Add the new App-IDs to existing policies as needed. Click OK to save your changes.
5. Install the latest content release version.
6. Commit your changes to seamlessly update policy enforcement for new App-IDs.
Use Application Objects in Policy
Create an Application Group
Create an Application Filter
Create a Custom Application
Create an Application Group
Step 2
Add a group and give it a descriptive Name.
Step 3
(Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
Step 4
Add the applications you want in the group and then click OK.
Step 5
Commit the configuration.
Create an Application Filter
Step 2
Add a filter and give it a descriptive Name.
Step 3
(Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
Step 4
Define the filter by selecting attribute values from the Category, Subcategory, Technology, Risk, and Characteristic sections. As you select values, notice that the list of matching applications at the bottom of the dialog narrows. When you have adjusted the filter attributes to match the types of applications you want to safely enable, click OK. Because a filter matches on attributes rather than on a fixed list of applications, applications added in later content releases that share those attributes are automatically included in any rule that uses the filter; review the matching list after content updates if the rule allows traffic.
Step 5
Commit the configuration.
Create a Custom Application
To ensure that your internal custom applications do not show up as unknown traffic, create a custom application. You can then exercise granular policy control over these applications in order to minimize the range of unidentified traffic on your network, thereby reducing the attack surface. Creating a custom application also allows you to correctly identify the application in the ACC and Traffic logs, which enables you to audit/report on the applications on your network.
To create a custom application, you must define the application attributes: its characteristics, category and subcategory, risk, port, timeout. In addition, you must define patterns or values that the firewall can use to match to the traffic flows themselves (the signature). Finally, you can attach the custom application to a security policy that allows or denies the application (or add it to an application group or match it to an application filter). You can also create custom applications to identify ephemeral applications with topical interest, such as ESPN3 Video for World Cup soccer or March Madness.
In order to collect the right data to create a custom application signature, you'll need a good understanding of packet captures and how datagrams are formed. If the signature is created too broadly, you might inadvertently include other similar traffic; if it is defined too narrowly, the traffic will evade detection if it does not strictly match the pattern.
Custom applications are stored in a separate database on the firewall and this database is not impacted by the weekly App-ID updates.
The supported application protocol decoders that enable the firewall to detect applications that may be tunneling inside of the protocol include the following as of content release version 609: FTP, HTTP, IMAP, POP3, SMB, and SMTP.
The following is a basic example of how to create a custom application.
Create a Custom Application
Step 1
Gather information about the application that you will be able to use to write custom signatures. To do this, you must have an understanding of the application and how you want to control access to it. For example, you may want to limit what operations users can perform within the application (such as uploading, downloading, or live streaming). Or you may want to allow the application, but enforce QoS policing.
Capture application packets so that you can find unique characteristics about the application on which to base your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the client system to capture the packets between the client and the server. Perform different actions in the application, such as uploading and downloading, so that you will be able to locate each type of session in the resulting packet captures (PCAPs).
Because the firewall by default takes packet captures for all unknown traffic, if the firewall is between the client and the server you can view the packet capture for the unknown traffic directly from the Traffic log.
Use the packet captures to find patterns or values in the packet contexts that you can use to create signatures that will uniquely match the application traffic. For example, look for string patterns in HTTP response or request headers, URI paths, or hostnames. For information on the different string contexts you can use to create application signatures and where you can find the corresponding values in the packet, refer to Creating Custom Threat Signatures.
Step 2
Add the custom application.
1. Select Objects > Applications and click Add.
2. On the Configuration tab, enter a Name and a Description for the custom application that will help other administrators understand why you created the application.
3. (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
4. Define the application Properties and Characteristics.
Step 3
Define details about the application, such as the underlying protocol, the port number the application runs on, the timeout values, and any types of scanning you want to be able to perform on the traffic.
On the Advanced tab, define settings that will allow the firewall to identify the application protocol:
- Specify the default ports or protocol that the application uses.
- Specify the session timeout values. If you don't specify timeout values, the default timeout values will be used.
- Indicate any type of additional scanning you plan to perform on the application traffic.
For example, to create a custom TCP-based application that runs over SSL but uses port 4443 (instead of the default SSL port, 443), you would specify port 4443 as the application's default port. Because the firewall then knows the application's default port, you can write policy rules whose service is the application's default port rather than opening additional ports on the firewall, and a rule restricted to the default port also stops the same application from being accepted on arbitrary ports. This improves your security posture.
Step 4
Define the criteria that the firewall will use to match the traffic to the new application. You will use the information you gathered from the packet captures to specify unique string context values that the firewall can use to match patterns in the application traffic.
1. On the Signatures tab, click Add and define a Signature Name and optionally a Comment to provide information about how you intend to use this signature.
2. Specify the Scope of the signature: whether it matches to a full Session or a single Transaction.
3. Specify conditions to define signatures by clicking Add And Condition or Add Or Condition.
4. Select an Operator to define the type of match conditions you will use: Pattern Match or Equal To.
   - If you selected Pattern Match, select the Context and then use a regular expression to define the Pattern to match the selected context. Optionally, click Add to define a qualifier/value pair. The Qualifier list is specific to the Context you chose.
   - If you selected Equal To, select the Context and then select the Position of the bytes in the packet header to match against the selected context: first-4bytes or second-4bytes. Define the 4-byte hex value for the Mask (for example, 0xffffff00) and Value (for example, 0xaabbccdd). The bytes at that position are ANDed with the Mask and compared with the Value, so a mask of 0xffffff00 ignores the fourth byte.
   For example, if you are creating a custom application for one of your internal applications, you could use the ssl-rsp-certificate Context to define a pattern match for the certificate response message of an SSL negotiation from the server, and create a Pattern that matches the commonName of the server in the message.
5. Repeat steps 3 and 4 for each matching condition.
6. If the order in which the firewall attempts to match the signature definitions is important, make sure the Ordered Condition Match check box is selected and then order the conditions so that they are evaluated in the appropriate order. Select a condition or a group and click Move Up or Move Down. You cannot move conditions from one group to another.
7. Click OK to save the signature definition.
Step 5
Save the application.
1. Click OK to save the custom application definition.
2. Click Commit.
Step 6
Validate that traffic matches the custom application as expected: generate the application traffic and confirm that the Traffic log and the ACC report the custom application name rather than unknown-tcp, unknown-udp, or the parent application.
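To make the matching semantics of Step 4 concrete, and to show the too-broad/too-narrow trade-off mentioned in the introduction, here is an added example evaluator (not PAN-OS code and not from the guide). It models a signature as the Signatures tab describes it: a Scope of Transaction or Session, And/Or condition groups, Ordered Condition Match, Pattern Match on a string context, and Equal To on a 4-byte header position with Mask and Value. The context names used (http-req-host-header, http-req-uri-path, ssl-rsp-certificate, unknown-req-tcp-payload), the application names and all sample observations are constructed for this example.

```python
"""Evaluate custom-application signatures, as defined on the Signatures tab, against traffic.

Added example, not PAN-OS code. It mimics the semantics described in Step 4: a Scope of
Transaction or Session, And/Or conditions, Ordered Condition Match, Pattern Match on a string
context and Equal To on a 4-byte position with Mask and Value. The context names
(http-req-host-header, http-req-uri-path, ssl-rsp-certificate, unknown-req-tcp-payload), the
application names and all sample observations are constructed for this example.
"""
import re


def _cond_matches(cond, value):
    """Apply a single condition to one observed value."""
    if cond["operator"] == "pattern-match":
        return isinstance(value, str) and re.search(cond["pattern"], value) is not None
    if cond["operator"] == "equal-to":
        if not isinstance(value, (bytes, bytearray)):
            return False
        start = {"first-4bytes": 0, "second-4bytes": 4}[cond["position"]]
        chunk = bytes(value[start:start + 4])
        if len(chunk) < 4:
            return False
        # the bytes at that position are ANDed with Mask and compared with Value
        return (int.from_bytes(chunk, "big") & cond["mask"]) == cond["value"]
    raise ValueError("unsupported operator: %s" % cond["operator"])


def _find(cond, observations, start):
    """Index of the first observation at or after `start` satisfying `cond`, else -1.
    A condition of the form {"or": [...]} is an Or Condition group."""
    alternatives = cond["or"] if "or" in cond else [cond]
    for i in range(start, len(observations)):
        ctx, value = observations[i]
        if any(c["context"] == ctx and _cond_matches(c, value) for c in alternatives):
            return i
    return -1


def signature_matches(sig, observations):
    """Every top-level condition must match (And). With Ordered Condition Match they must be
    seen in the listed order; otherwise each may appear anywhere in the observations."""
    cursor = 0
    for cond in sig["conditions"]:
        idx = _find(cond, observations, cursor if sig["ordered"] else 0)
        if idx < 0:
            return False
        cursor = idx + 1
    return True


def classify(signatures, session):
    """Return the first custom application whose signature matches, or None.

    `session` is a list of transactions, each an ordered list of (context, value)
    observations. Scope "transaction" requires one transaction to satisfy the whole
    signature; scope "session" lets the conditions be met across the whole session.
    """
    for sig in signatures:
        if sig["scope"] == "session":
            if signature_matches(sig, [obs for txn in session for obs in txn]):
                return sig["app"]
        elif any(signature_matches(sig, txn) for txn in session):
            return sig["app"]
    return None


HOST = {"operator": "pattern-match", "context": "http-req-host-header",
        "pattern": r"^app\.example\.internal$"}
CERT = {"operator": "pattern-match", "context": "ssl-rsp-certificate",
        "pattern": r"CN=app\.example\.internal(,|$)"}
UPLOAD = {"operator": "pattern-match", "context": "http-req-uri-path", "pattern": r"^/api/v1/upload"}
MAGIC = {"operator": "equal-to", "context": "unknown-req-tcp-payload", "position": "first-4bytes",
         "mask": 0xFFFFFF00, "value": 0x4D594100}   # payload starts "MYA" + any version byte

SIGNATURES = [   # most specific first; the first matching signature wins
    {"app": "myapp-upload", "scope": "transaction", "ordered": True, "conditions": [HOST, UPLOAD]},
    {"app": "myapp-tls-upload", "scope": "session", "ordered": True, "conditions": [CERT, UPLOAD]},
    {"app": "myapp", "scope": "transaction", "ordered": False, "conditions": [{"or": [HOST, CERT]}]},
    {"app": "mybinproto", "scope": "transaction", "ordered": False, "conditions": [MAGIC]},
]

# Constructed observations in wire order
HTTP_TXN = [("http-req-host-header", "app.example.internal"), ("http-req-uri-path", "/api/v1/upload")]
TLS_TXN = [("ssl-rsp-certificate", "CN=app.example.internal,O=Example Corp")]
PATH_ONLY_TXN = [("http-req-uri-path", "/api/v1/upload")]
OTHER_TXN = [("http-req-host-header", "www.example.com"), ("http-req-uri-path", "/api/v1/upload")]
BIN_TXN = [("unknown-req-tcp-payload", b"MYA\x02\x00\x00\x00\x10")]

if __name__ == "__main__":
    for label, session in [("http", [HTTP_TXN]), ("tls", [TLS_TXN]), ("tls+path", [TLS_TXN, PATH_ONLY_TXN]),
                           ("other host", [OTHER_TXN]), ("binary", [BIN_TXN])]:
        print("%-10s -> %s" % (label, classify(SIGNATURES, session)))
```

Two points the sample data brings out: the URI path alone would be too broad a signature (OTHER_TXN carries the same path on a different host and stays unmatched because the And condition on the host header is required), and a cleartext request without a Host header only matches when the certificate seen earlier in the same session is allowed to count, which is what Session scope provides.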
Applications with Implicit Support
When creating a policy to allow specific applications, you must also be sure that you are allowing any other applications on which the application depends. In many cases, you do not have to explicitly allow access to the dependent applications in order for the traffic to flow because the firewall is able to determine the dependencies and allow them implicitly. This implicit support also applies to custom applications that are based on HTTP, SSL, MSRPC, or RTSP. Applications for which the firewall cannot determine the dependent applications in time will require that you explicitly allow the dependent applications when defining your policies. You can determine application dependencies in Applipedia.
The following table lists the applications for which the firewall has implicit support (as of Content Update 595).
Table: Applications with Implicit Support
Application                 Implicitly Supports
360-safeguard-update        http
apple-update                http
apt-get                     http
as2                         http
avg-update                  http
avira-antivir-update        http, ssl
blokus                      rtmp
bugzilla                    http
clubcooee                   http
corba                       http
cubby                       http, ssl
dropbox                     ssl
esignal                     http
evernote                    http, ssl
ezhelp                      http
facebook-chat               jabber
facebook-social-plugin      http
fastviewer                  http, ssl
forticlient-update          http
good-for-enterprise         http, ssl
google-cloud-print
google-desktop              http
google-talk                 jabber
google-update               http
gotomypc-desktop-sharing    citrix-jedi
gotomypc-file-transfer      citrix-jedi
gotomypc-printing           citrix-jedi
hipchat                     http
iheartradio                 http
infront                     http, ssl
issuu                       http, ssl
java-update                 http
jepptech-updates            http
kerberos                    rpc
kik                         http, ssl
lastpass                    http, ssl
logmein                     http, ssl
mcafee-update               http
megaupload                  http
metatrader                  http
mocha-rdp                   t_120
mount                       rpc
ms-frs                      msrpc
ms-rdp                      t_120
ms-scheduler                msrpc
ms-service-controller       msrpc
nfs                         rpc
oovoo                       http, ssl
paloalto-updates            ssl
panos-global-protect        http
panos-web-interface         http
pastebin                    http
pastebin-posting            http
portmapper                  rpc
prezi                       http, ssl
rdp2tcp                     t_120
renren-im                   jabber
roboform                    http, ssl
salesforce                  http
stumbleupon                 http
supremo                     http
symantec-av-update          http
trendmicro                  http
trillian                    http, ssl
xm-radio                    rtsp
Application Level Gateways
The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the application based on its unique properties and transaction characteristics using the App-ID technology. Some applications, however, require the firewall to dynamically open pinholes to establish the connection, determine the parameters for the session and negotiate the ports that will be used for the transfer of data; these applications use the application layer payload to communicate the dynamic TCP or UDP ports on which the application opens data connections. For such applications, the firewall serves as an Application Level Gateway (ALG), and it opens a pinhole for a limited time and exclusively for transferring data or control traffic. The firewall also performs a NAT rewrite of the payload when necessary.
As of Content Release version 504, the Palo Alto Networks firewall provides NAT ALG support for the following protocols: FTP, H.225, H.248, MGCP, MySQL, Oracle/SQLNet/TNS, RPC, RTSP, SCCP, SIP, and UNIStim.
When the firewall serves as an ALG for the Session Initiation Protocol (SIP), by default it performs NAT on the payload and opens dynamic pinholes for media ports. In some cases, depending on the SIP applications in use in your environment, the SIP endpoints have NAT intelligence embedded in their clients. In such cases, you might need to disable the SIP ALG functionality to prevent the firewall from modifying the signaling sessions. When SIP ALG is disabled, if App-ID determines that a session is SIP, the payload is not translated and dynamic pinholes are not opened; the media sessions must then either be handled by the endpoints' own NAT traversal or be permitted by explicit policy. See Disable the SIP Application-level Gateway (ALG).
The firewall provides IPv6-to-IPv6 Network Prefix Translation (NPTv6) ALG support for the following protocols: FTP, Oracle, and RTSP. The SIP ALG is not supported for NPTv6 or NAT64.
Disable the SIP Application-level Gateway (ALG)
The Palo Alto Networks firewall uses the Session Initiation Protocol (SIP) application-level gateway (ALG) to open dynamic pinholes in the firewall where NAT is enabled. However, some applications such as VoIP have NAT intelligence embedded in the client application. In these cases, the SIP ALG on the firewall can interfere with the signaling sessions and cause the client application to stop working.
One solution to this problem is to define an Application Override Policy for SIP, but using this approach disables the App-ID and threat detection functionality. A better approach is to disable the SIP ALG, which does not disable App-ID or threat detection.
The following procedure describes how to disable the SIP ALG.
Disable the SIP ALG
Step 1
Select Objects > Applications.
Step 2
Select the sip application. You can type sip in the Search box to help find the sip application.
Step 3
Select Customize... for ALG in the Options section of the Application dialog box.
Step 4
Select the Disable ALG check box in the Application sip dialog box and click OK.
Step 5
Close the Application dialog box and Commit the change.
Threat Prevention
The Palo Alto Networks next-generation firewall protects and defends your network from commodity threats and advanced persistent threats (APTs). The firewall's multi-pronged detection mechanisms include a signature-based (IPS/Command and Control/Antivirus) approach, a heuristics-based (bot detection) approach, a sandbox-based (WildFire) approach, and a Layer 7 protocol analysis-based (App-ID) approach.
Commodity threats are exploits that are less sophisticated and more easily detected and prevented using a combination of the antivirus, anti-spyware, vulnerability protection and the URL filtering/application identification capabilities on the firewall.
Advanced threats are perpetrated by organized cybercriminals or malicious groups that use sophisticated attack vectors to target your network, most commonly for intellectual property theft and financial data theft. These threats are more evasive and require intelligent monitoring mechanisms for detailed host and network forensics on malware. The Palo Alto Networks next-generation firewall in conjunction with WildFire and Panorama provides a comprehensive solution that intercepts and breaks the attack chain and provides visibility to prevent security infringement on your network, including mobile and virtualized infrastructure.
Set Up Security Profiles and Policies
Prevent Brute Force Attacks
Customize the Action and Trigger Conditions for a Brute Force Signature
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
Enable DNS Proxy
Enable Passive DNS Collection for Improved Threat Intelligence
Use DNS Queries to Identify Infected Hosts on the Network
DoS Protection Against Flooding of New Sessions
Content Delivery Network Infrastructure for Dynamic Updates
Threat Prevention Resources
Set Up Security Profiles and Policies
The following sections provide basic threat prevention configuration examples:
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Set Up Data Filtering
Set Up File Blocking
For information on controlling web access as part of your threat prevention strategy, see URL Filtering.
Set up Antivirus/Anti-Spyware/Vulnerability Protection
Step 1
Verify that you have a Threat Prevention license. The Threat Prevention subscription bundles the antivirus, anti-spyware, and vulnerability protection features in one license. To verify that you have an active Threat Prevention subscription, select Device > Licenses, verify that the Threat Prevention license is installed, and check the expiration date.
Step 2
Download the latest antivirus threat signatures.
1. Select Device > Dynamic Updates.
2. In the Actions column, click Download for the latest Antivirus and Applications and Threats content, then click Install.
Step 3
Schedule signature updates.
1. On the Device > Dynamic Updates page, select Schedule.
2. Specify the frequency and timing for the updates and whether the update will be downloaded and installed or only downloaded. If you select Download Only, you need to manually click the Install link in the Action column to install the signature. When you click OK, the update is scheduled. No commit is required.
3. (Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age of a signature before a download will occur. For example, if you entered 10, the signature must be at least 10 hours old before it will be downloaded, regardless of the schedule. This delay gives Palo Alto Networks time to withdraw a content release that turns out to cause problems before your firewalls install it.
4. In an HA configuration, you can also click the Sync To Peer option to synchronize the content update with the HA peer after download/install. This will not push the schedule settings to the peer firewall; you need to configure the schedule on each firewall.
Step 4
Step 5
Attach the security profiles to a Security policy rule.
1.
2. In Profile Settings, click the drop-down next to each security profile you would like to enable. In this example we choose default for Antivirus, Vulnerability Protection, and Anti-Spyware. The default Anti-Spyware rule enables DNS Sinkholing.
If no security profiles have been previously defined, select Profiles from the Profile Type drop-down. You will then see the list of options to select the security profiles.
Save the configuration: click Commit.
ThreatPrevention
SetUpSecurityProfilesandPolicies
Step2
CreateaDataFilteringsecurityprofile.
1.
2.
EnteraNameandaDescriptionfortheprofile.Inthisexample
thenameisDF_Profile1withthedescriptionDetectSocial
SecurityNumbers.
3.
(Optional)Ifyouwanttocollectdatathatisblockedbythe
filter,selecttheData Capturecheckbox.
YoumustsetapasswordasdescribedinStep 2ifyou
areusingthedatacapturefeature.
1.
(Optional)Secureaccesstothedata
filteringlogstopreventother
2.
administratorsfromviewingsensitive
data.
3.
Whenyouenablethisoption,youwillbe
promptedforthepasswordwhenyou
viewlogsinMonitor > Logs > Data
Filtering.
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 461
Threat Prevention

Data Filtering Configuration Example (Continued)

Step 3: Define the data pattern that will be used in the Data Filtering Profile.
In this example, we will use the keyword confidential and will set the option to search for SSN numbers with dashes (Example 9876544320).
It is helpful to set the appropriate thresholds and define keywords within documents to reduce false positives.
1. From the Data Filtering Profile page click Add and select New from the Data Pattern drop-down. You can also configure data patterns from Objects > Custom Signatures > Data Patterns.
2. For this example, name the Data Pattern signature Detect SS Numbers and add the description Data Pattern to detect Social Security numbers.
3. In the Weight section for SSN# enter 3. See Weight and Threshold Values for more details.
4. (Optional) You can also set Custom Patterns that will be subject to this profile. In this case, you specify a pattern in the custom patterns Regex field and set a weight. You can add multiple match expressions to the same data pattern profile. In this example, we will create a Custom Pattern named SSN_Custom with a custom pattern of confidential (the pattern is case sensitive) and use a weight of 20. The reason we use the term confidential in this example is because we know that our social security Word docs contain this term, so we define that specifically.

Step 4: Specify which applications to filter and set the file types.
1. Set Applications to Any. This will detect any supported application such as: web-browsing, FTP, or SMTP. If you want to narrow down the application, you can select it from the list.
   For applications such as Microsoft Outlook Web App that use SSL, you will need to enable decryption. Also make sure you understand the naming for each application. For example, Outlook Web App, which is the Microsoft name for this application, is identified as the application outlook-web in the PAN-OS list of applications. You can check the logs for a given application to identify the name defined in PAN-OS.
2. Set File Types to doc and docx to only scan doc and docx files.
Data Filtering Configuration Example (Continued)

Step 5: Specify the direction of traffic to filter and the threshold values.
1. Set the Direction to Both. Files that are uploaded or downloaded will be scanned.
2.
3. Set the Block Threshold to 50. The file will be blocked if the threshold of 50 instances of a SSN and/or the term confidential exists in the file. In this case, if the doc contained 1 instance of the word confidential with a weight of 20, that equals 20 toward the threshold, and the doc has 15 Social Security Numbers with a weight of 3, that equals 45. Add 20 and 45 and you have 65, which will exceed the block threshold of 50.

Step 6: Attach the Data Filtering profile to the security rule.
1.
2. Click the security policy rule to modify it and then click the Actions tab. In the Data Filtering drop-down, select the new data filtering profile you created and then click OK to save. In this example, the data filtering rule name is DF_Profile1.

Step 7: Commit the configuration.
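The weighted arithmetic in Step 5 (20 for one occurrence of the custom pattern, 3 per Social Security Number, block at 50) can be reproduced offline to sanity-check a profile before the test in Step 8. The following Python script is an added example and is not code from this guide or from PAN-OS. It models the SSN# and SSN_Custom patterns with the weights used in this example, counts each distinct SSN only once (the test note says each number must be unique), treats the custom pattern as case sensitive, and assumes an alert threshold of 20 and that a score equal to a threshold reaches it. The SSN regex, the sample document text and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Added example (not PAN-OS code): model of the weighted data-pattern scoring
# used in this configuration example. Pattern names, weights and the block
# threshold follow the text; the alert threshold of 20 and the ">= threshold"
# comparison are assumptions.

# Assumed regex for "SSN numbers with dashes".
SSN_WITH_DASHES = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass(frozen=True)
class Pattern:
    name: str
    regex: re.Pattern
    weight: int
    unique_only: bool  # count each distinct match once (the guide: SSNs must be unique)


# DF_Profile1 from the example: SSN# weight 3, custom pattern "confidential" weight 20.
PROFILE_PATTERNS = [
    Pattern("SSN#", SSN_WITH_DASHES, 3, unique_only=True),
    Pattern("SSN_Custom", re.compile(r"confidential"), 20, unique_only=False),  # case sensitive
]


def score_document(text: str, patterns: list) -> tuple:
    """Return (total weighted score, {pattern name: match count})."""
    total, counts = 0, {}
    for p in patterns:
        matches = p.regex.findall(text)
        n = len(set(matches)) if p.unique_only else len(matches)
        counts[p.name] = n
        total += n * p.weight
    return total, counts


def decide(score: int, alert_threshold: int, block_threshold: int) -> str:
    """Map a score to the profile action; block takes precedence over alert."""
    if score >= block_threshold:
        return "block"
    if score >= alert_threshold:
        return "alert"
    return "allow"


def evaluate(text: str, alert_threshold: int = 20, block_threshold: int = 50) -> tuple:
    """Score a document against DF_Profile1 and return (action, score, counts)."""
    score, counts = score_document(text, PROFILE_PATTERNS)
    return decide(score, alert_threshold, block_threshold), score, counts


def make_test_doc(n_ssns: int, keyword: str = "confidential", repeat_same: bool = False) -> str:
    """Constructed stand-in for the Word document of the test step: one keyword
    line followed by n_ssns dashed SSNs (all distinct unless repeat_same)."""
    if repeat_same:
        ssns = ["123-45-6789"] * n_ssns
    else:
        ssns = [f"{100 + i:03d}-{10 + i:02d}-{1000 + i:04d}" for i in range(n_ssns)]
    return f"Employee records ({keyword})\n" + "\n".join(ssns) + "\n"


if __name__ == "__main__":
    # 1 x "confidential" (20) + 15 unique SSNs (45) = 65, above the block threshold of 50.
    print(evaluate(make_test_doc(15)))
    # The same SSN repeated 15 times counts once: 20 + 3 = 23, alert only.
    print(evaluate(make_test_doc(15, repeat_same=True)))
```

The repeated-SSN case and the capitalised "Confidential" case show the two ways a test document falls short of the threshold that the troubleshooting note in Step 8 warns about.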
Data Filtering Configuration Example (Continued)

Step 8: Test the data filtering configuration.
If you have problems getting Data Filtering to work, you can check the Data Filtering log or the Traffic log to verify the application that you are testing with and make sure your test document has the appropriate number of unique Social Security Number instances. For example, an application such as Microsoft Outlook Web App may seem to be identified as web-browsing, but if you look at the logs, the application is outlook-web. Also increase the number of SSNs, or your custom pattern, to make sure you are hitting the thresholds.
When testing, you must use real Social Security Numbers and each number must be unique. Also, when defining Custom Patterns as we did in this example with the word confidential, the pattern is case sensitive. To keep your test simple, you may want to just test using a data pattern first, then test the SSNs.
1. Access a client PC in the trust zone of the firewall and send an HTTP request to upload a .doc or .docx file that contains the exact information you defined for filtering.
2. Create a Microsoft Word document with one instance of the term confidential and five Social Security numbers with dashes.
3. Upload the file to a website. Use an HTTP site unless you have decryption configured, in which case you can use HTTPS.
4.
5. Locate the log that corresponds to the file you just uploaded. To help filter the logs, use the source of your client PC and the destination of the web server. The action column in the log will show reset-both. You can now increase the number of Social Security Numbers in the document to test the block threshold.

Configure File Blocking

Step 1: Create the file blocking profile.
1.
2. Enter a Name for the file blocking profile, for example Block_EXE. Optionally enter a Description, such as Block users from downloading exe files from websites.

Step 2: Configure the file blocking options.
1. Click Add to define the profile settings.
2. Enter a Name, such as BlockEXE.
3. Set the Applications for filtering, for example web-browsing.
4.
5. Set the Direction to download.
6. Set the Action to continue. By choosing the continue option, users will be prompted with a response page prompting them to click continue before the file will be downloaded.
7. Click OK to save the profile.
1.
2.
EnteraNameforthefileblockingprofile,forexample
Block_EXE.OptionallyenteraDescription,suchasBlockusers
fromdownloadingexefilesfromwebsites.
1.
ClickAddtodefinetheprofilesettings.
2.
EnteraName,suchasBlockEXE.
3.
SettheApplicationsforfiltering,forexamplewebbrowsing.
4.
5.
SettheDirectiontodownload.
6.
SettheActiontocontinue.Bychoosingthecontinueoption,
userswillbepromptedwitharesponsepagepromptingthem
toclickcontinuebeforethefilewillbedownloaded.
7.
ClickOKtosavetheprofile.
Configure File Blocking (Continued)

Step 3: Apply the file blocking profile to a security policy.
1.
2. Click the Actions tab within the policy rule.
3. In the Profile Settings section, click the drop-down and select the file blocking profile you configured. In this case, the profile name is Block_EXE.
   If no security profiles have been previously defined, select the Profile Type drop-down and select Profiles. You will then see the list of options to select the security profiles.
4. Commit the configuration.

Step 4: To test your file blocking configuration, access a client PC in the trust zone of the firewall and attempt to download an .exe file from a website in the untrust zone. A response page should display. Click Continue to download the file. You can also set other actions, such as alert or block, which will not provide a continue page to the user. The following shows the default response page for File Blocking:

Step 5
Prevent Brute Force Attacks

A brute force attack uses a large volume of requests/responses from the same source or destination IP address to break into a system. The attacker employs a trial and error method to guess the response to a challenge or a request.

The Vulnerability Protection profile on the firewall includes signatures to protect you from brute force attacks. Each signature has an ID, Threat Name, and Severity and is triggered when a pattern is recorded. The pattern specifies the conditions and interval at which the traffic is identified as a brute force attack; some signatures are associated with another child signature that is of a lower severity and specifies the pattern to match against. When a pattern matches against the signature or child signature, it triggers the default action for the signature.

To enforce protection:
- Attach the vulnerability profile to a security rule. See Set Up Antivirus, Anti-Spyware, and Vulnerability Protection.
- Install content updates that include new signatures to protect against emerging threats. See Install Content and Software Updates.
Customize the Action and Trigger Conditions for a Brute Force Signature

The firewall includes two types of predefined brute force signatures: parent signature and child signature. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events occur within a time interval and match the traffic pattern defined in the child signature.

Typically, a child signature has a default action of allow because a single event is not indicative of an attack. In most cases, the action for a child signature is set to allow so that legitimate traffic is not blocked and threat logs are not generated for non-noteworthy events. Therefore, Palo Alto Networks recommends that you only change the default action after careful consideration.

In most cases, the brute force signature is a noteworthy event because of its recurrent pattern. If you would like to customize the action for a brute force signature, you can do one of the following:
- Create a rule to modify the default action for all signatures in the brute force category. You can define the action to allow, alert, block, reset, or drop the traffic.
- Define an exception for a specific signature. For example, you can search for a CVE and define an exception for it.

For a parent signature, you can modify both the trigger conditions and the action; for a child signature you can modify the action only.

To effectively mitigate an attack, the block-ip address action is recommended over the drop or reset action for most brute force signatures.

Customize the Threshold and Action for a Signature

Step 1: Create a new Vulnerability Protection profile.
1.
2. Click Add and enter a Name for the Vulnerability Protection profile.

Step 2: Create a rule that defines the action for all signatures in a category.
1. Select Rules, click Add and enter a Name for the rule.
2. Set the Action. In this example, it is set to Block IP.
3. Set Category to brute-force.
4. (Optional) If blocking, specify whether to block based on Host Type: server or client; the default is any.
5. See Step 3 to customize the action for a specific signature.
6. See Step 4 to customize the trigger threshold for a parent signature.
7. Click OK to save the rule and the profile.

Step 3: (Optional) Customize the action for a specific signature.
1.
2. To edit a specific signature, click the predefined default action in the Action column.
3. Set the action to allow, alert or block-ip.
4. If you select block-ip, complete these additional tasks:
   a. Specify the Time period (in seconds) after which to trigger the action.
   b. In the Track By field, define whether to block the IP address by IP source or by IP source and destination.
5. Click OK.
6. For each modified signature, select the check box in the Enable column.
7. Click OK.

Step 4: Customize the trigger conditions for a parent signature.
A parent signature that can be edited is marked with an edit icon.
In this example, the search criteria were the brute-force category and CVE-2008-1447.
1. Click the edit icon to edit the time attribute and the aggregation criteria for the signature.
2. To modify the trigger threshold, specify the Number of Hits per x seconds.
3. Specify whether to aggregate the number of hits by source, destination or by source and destination.
4. Click OK.

Step 5: Attach this new profile to a security rule.
1.
2.
3. Select Actions.
4. In the Profile Setting section, set the Profile Type to Profiles.
5. Select the newly created Vulnerability Protection profile.
6. Click OK to save changes to the security policy rule.

Step 6: Save your changes.
1. Click Commit.
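The parent/child relationship and the Step 4 trigger conditions (Number of Hits per x seconds, aggregated by source, destination or source and destination) are easiest to understand as a sliding-window counter over child-signature hits. The following Python code is an added example and is not PAN-OS code or a description of its internals: it counts constructed child hits (for instance failed logins) per aggregation key and reports when a key reaches the hit threshold inside the window. The event format, the sample timestamps and addresses, and the rule that the counter resets after each trigger are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Added example (not PAN-OS code): a parent brute-force signature modelled as a
# sliding-window counter over child-signature hits. "hits" and "window_seconds"
# stand for the "Number of Hits per x seconds" trigger, and track_by for the
# source / destination / source-and-destination aggregation choice. Events are
# assumed to arrive in time order.


@dataclass(frozen=True)
class ChildHit:
    ts: float   # seconds (constructed timestamps)
    src: str
    dst: str


class ParentSignature:
    TRACK_BY = ("source", "destination", "source-and-destination")

    def __init__(self, hits: int, window_seconds: float, track_by: str):
        if track_by not in self.TRACK_BY:
            raise ValueError(f"track_by must be one of {self.TRACK_BY}")
        self.hits = hits
        self.window = window_seconds
        self.track_by = track_by
        self._recent = defaultdict(deque)  # aggregation key -> timestamps inside the window

    def key(self, h: ChildHit) -> tuple:
        if self.track_by == "source":
            return (h.src,)
        if self.track_by == "destination":
            return (h.dst,)
        return (h.src, h.dst)

    def observe(self, h: ChildHit) -> bool:
        """Record one child hit; return True when it completes the threshold for its key."""
        q = self._recent[self.key(h)]
        q.append(h.ts)
        while q and h.ts - q[0] > self.window:   # forget hits older than the window
            q.popleft()
        if len(q) >= self.hits:
            q.clear()                             # one trigger per burst, then count again
            return True
        return False


def evaluate(events, hits: int, window_seconds: float, track_by: str) -> list:
    """Run a parent signature over child hits and return the keys that triggered it."""
    sig = ParentSignature(hits, window_seconds, track_by)
    return [sig.key(h) for h in events if sig.observe(h)]


# Constructed child hits: 10 rapid hits from one source, 2 from another source,
# and 4 slow hits from the first source spread over 90 s.
SAMPLE_HITS = sorted(
    [ChildHit(100.0 + 2 * i, "203.0.113.5", "198.51.100.10") for i in range(10)]
    + [ChildHit(105.0, "203.0.113.6", "198.51.100.10"),
       ChildHit(107.0, "203.0.113.6", "198.51.100.10")]
    + [ChildHit(500.0 + 30 * i, "203.0.113.5", "198.51.100.10") for i in range(4)],
    key=lambda h: h.ts,
)
# Constructed spray: one source alternating between two servers, 10 hits in 10 s.
SPRAY_HITS = [
    ChildHit(200.0 + i, "203.0.113.7", "198.51.100.10" if i % 2 else "198.51.100.11")
    for i in range(10)
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_HITS, hits=10, window_seconds=60, track_by="source"))
    print(evaluate(SPRAY_HITS, hits=10, window_seconds=60, track_by="source"))
    print(evaluate(SPRAY_HITS, hits=10, window_seconds=60, track_by="source-and-destination"))
```

The spray case shows why the aggregation choice matters: ten hits from one source spread over two servers trigger a source-aggregated signature but never reach the threshold when hits are counted per source-and-destination pair.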
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions

To monitor and protect your network from most Layer 4 and Layer 7 attacks, here are a few recommendations.

- Upgrade to the most current PAN-OS software version and content release version to ensure that you have the latest security updates. For evasion prevention, upgrade to PAN-OS 7.1.1 and Applications and Threats content release version 579. See Install Content and Software Updates.

- Set up the firewall to act as a DNS proxy and enable evasion signatures:
  - Enable DNS Proxy. When acting as a DNS proxy, the firewall resolves DNS requests and caches hostname-to-IP-address mappings in order to quickly and efficiently resolve future DNS queries.
  - Enable evasion signatures. Evasion signatures that detect crafted HTTP or TLS requests can alert when a client connects to a domain other than the domain specified in the original DNS request. Make sure that DNS proxy is configured if you choose to enable evasion signatures. Without DNS proxy enabled, evasion signatures can trigger when a DNS server in a DNS load balancing configuration returns different IP addresses (for servers hosting identical resources) to the firewall and client in response to the same DNS request.

- For servers, create Security policy rules to only allow the application(s) that you sanction on each server. Verify that the standard port for the application matches the listening port on the server. For example, to ensure that only SMTP traffic is allowed to your email server, set the Application to smtp and set the Service to application-default. If your server uses only a subset of the standard ports (for example, if your SMTP server uses only port 587 while the SMTP application has standard ports defined as 25 and 587), you should create a new custom service that only includes port 587 and use that new service in your security policy rule instead of using application-default. Additionally, make sure to restrict access to specific source and destination zones and sets of IP addresses.

- Attach the following security profiles to your Security policy rules to provide signature-based protection.
  - Create a Vulnerability Protection profile to block all vulnerabilities with severity low and higher.
  - Create an Anti-Spyware profile to block all spyware with severity low and higher.
  - Create an Antivirus profile to block all content that matches an antivirus signature.

- Block all unknown applications/traffic using Security policy. Typically, the only applications that are classified as unknown traffic are internal or custom applications on your network, or potential threats. Because unknown traffic can be a non-compliant application or protocol that is anomalous or abnormal, or a known application that is using non-standard ports, unknown traffic should be blocked. See Manage Custom or Unknown Applications.

- Create a File Blocking profile that blocks Portable Executable (PE) file types for Internet-based SMB (Server Message Block) traffic from traversing the trust to untrust zones (ms-ds-smb applications).

- Create a Zone Protection profile that is configured to protect against packet-based attacks (Network > Network Profiles > Zone Protection):
  - Remove TCP timestamps on SYN packets before the firewall forwards the packet. When you select the Remove TCP Timestamp option in a SYN packet, the TCP stack on both ends of the TCP connection will not support TCP timestamps. Therefore, by disabling the TCP timestamp for a SYN packet, you can prevent an attack that uses different timestamps on multiple packets for the same sequence number. (Packet Based Attack Protection > TCP Drop).
  - Select the option to drop Mismatched overlapping TCP segment. By deliberately constructing connections with overlapping but different data in them, attackers can attempt to cause misinterpretation of the intent of the connection. This can be used to deliberately induce false positives or false negatives. An attacker can use IP spoofing and sequence number prediction to intercept a user's connection and inject his/her own data into the connection. Selecting this option causes PAN-OS to discard such frames with mismatched and overlapping data. The scenarios where the received segment will be discarded are when the segment received is contained within another segment, the segment received overlaps with part of another segment, or the segment completely contains another segment.

- Verify that support for IPv6 is enabled, if you have configured IPv6 addresses on your network hosts (Network > Interfaces > Ethernet > IPv6). This allows access to IPv6 hosts and filters IPv6 packets that are encapsulated in IPv4 packets. Enabling support for IPv6 prevents IPv6-over-IPv4 multicast addresses from being leveraged for network reconnaissance.

- Enable support for multicast traffic so that the firewall can enforce policy on multicast traffic (Network > Virtual Router > Multicast).

- Many hosts use the urgent data flag in the TCP header to promote a packet for immediate processing, removing it from the processing queue and expediting it through the TCP/IP stack. This process is called out-of-band processing. However, the implementation of the urgent data flag varies from host to host. Configuring the firewall to clear this flag eliminates ambiguity in how the packet is processed on the firewall and the host, allowing the firewall to see the same stream in the protocol stack as the host for which the packet is destined. When the firewall clears this flag, it includes the data in the payload and prevents the packet from being processed urgently.

- Enable the Drop segments without flag option (Device > Setup > Session > TCP Settings). Illegal TCP segments without any flags set can be used to evade content inspection. When you enable this option, the firewall will drop packets that have no flags set in the TCP header.

- Enable the Drop segments with null timestamp option (Device > Setup > Session > TCP Settings). The TCP timestamp records when the segment was sent and allows the firewall to verify that the timestamp is valid for that session, preventing TCP sequence number wrapping. The TCP timestamp is also used to calculate round trip time. When a TCP Timestamp is set to 0 (null) it could confuse either end of the connection, resulting in an evasion. The firewall drops packets with null timestamps with this setting enabled.

- Disable the Forward segments exceeding TCP out-of-order queue option (Device > Setup > Session > TCP Settings). By default, the firewall forwards segments that exceed the TCP out-of-order queue limit of 64 per session. By disabling this option, the firewall instead drops segments that exceed the out-of-order queue limit.

- Disable the Forward segments exceeding TCP App-ID inspection queue option (Device > Setup > Content-ID > Content-ID Settings). By default, when the App-ID inspection queue is full the firewall skips App-ID inspection, classifying the application as unknown-tcp, and forwards the segments. By disabling this option, the firewall instead drops segments when the App-ID inspection queue is full.

- Disable the Forward datagrams exceeding UDP content inspection queue and Forward segments exceeding TCP content inspection queue options (Device > Setup > Content-ID > Content-ID Settings). By default, when the TCP or UDP content inspection queue is full the firewall skips Content-ID inspection for TCP segments or UDP datagrams that exceed the queue limit of 64. By disabling these options, the firewall instead drops TCP segments and UDP datagrams when the corresponding TCP or UDP content inspection queue is full.

- Disable the Allow HTTP Header Range Option (Device > Setup > Content-ID > Content-ID Settings). The HTTP Range option allows a client to fetch part of a file only. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with a RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again due to the lack of context into the initial session, while at the same time allowing the web browser to reassemble the file and deliver the malicious content. Disabling this option prevents this from happening.
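The three discard scenarios listed under Mismatched overlapping TCP segment (a segment contained within one already held, a segment overlapping part of another, and a segment that completely contains another) can be expressed as a small classifier over sequence-number ranges. The Python code below is an added example and not PAN-OS code: it classifies an arriving segment against the segments held for reassembly and drops it only when the overlapping byte ranges carry different data, on the assumption that a faithful retransmission (same bytes) is accepted. The segment type, the held HTTP request and the arriving segments are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Added example (not PAN-OS code): classify an arriving TCP segment against
# segments already held for reassembly, using the three overlap cases the
# text lists, and drop it only when the overlapping bytes differ (a faithful
# retransmission carries the same bytes and is assumed to be accepted).


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes

    @property
    def end(self) -> int:
        return self.seq + len(self.payload)   # one past the last sequence number


def overlap_kind(new: Segment, held: Segment) -> Optional[str]:
    """Return 'contained-within', 'contains', 'partial-overlap' or None (no overlap)."""
    if new.end <= held.seq or held.end <= new.seq:
        return None
    if held.seq <= new.seq and new.end <= held.end:
        return "contained-within"      # also covers an exact duplicate
    if new.seq <= held.seq and held.end <= new.end:
        return "contains"
    return "partial-overlap"


def data_mismatch(new: Segment, held: Segment) -> bool:
    """True when the two segments carry different bytes for the same sequence numbers."""
    lo, hi = max(new.seq, held.seq), min(new.end, held.end)
    return new.payload[lo - new.seq:hi - new.seq] != held.payload[lo - held.seq:hi - held.seq]


def decide(new: Segment, reassembly_buffer: list) -> tuple:
    """Verdict for an arriving segment: ('drop', kind) for a mismatched overlap,
    otherwise ('accept', kind-or-None)."""
    verdict = ("accept", None)
    for held in reassembly_buffer:
        kind = overlap_kind(new, held)
        if kind is None:
            continue
        if data_mismatch(new, held):
            return ("drop", kind)
        verdict = ("accept", kind)
    return verdict


# Constructed reassembly state: one segment of an HTTP request already seen.
HELD = [Segment(1000, b"GET /index.html")]

if __name__ == "__main__":
    for s in (Segment(1000, b"GET /index.html"),        # faithful retransmission
              Segment(1004, b"/evil"),                  # rewrites bytes inside the held segment
              Segment(995, b"XXXXXGET /admin.htmlYY"),  # fully covers it with different data
              Segment(1010, b"ZZZZZZZZ"),               # overlaps its tail
              Segment(1015, b" HTTP/1.1")):             # adjacent, no overlap
        print(s.seq, decide(s, HELD))
```

Without the mismatch test every retransmission would be dropped; with it, only the segments that could make the firewall and the end host reassemble different streams are discarded, which is the ambiguity the option exists to remove.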
Enable DNS Proxy

Domain name system (DNS) servers translate user-friendly domains to the associated IP addresses which locate and identify the corresponding resources. A Palo Alto Networks firewall intermediate to clients and servers can act as a DNS proxy to resolve domain name queries.

The DNS proxy feature enables the firewall to:
- Quickly, efficiently, and locally resolve domain name queries based on static and cached DNS entries.
- Reach out to specific DNS servers to resolve certain types of DNS requests (for example, the firewall can resolve corporate domains based on a corporate DNS server's hostname-to-IP-address mappings, and resolve other domains using a public or ISP DNS server).

Enable the Firewall to Act as a DNS Proxy

Step 1: Specify the interfaces on which you want the firewall to listen for DNS requests.
1.
2. Verify that Enable is selected and Name the object.
3. Add one or more Interface on which the firewall listens for DNS requests.
4. (Virtual Systems Only) Allow the DNS proxy object to be shared across all virtual systems, or set the Location to apply the DNS proxy object settings to a specific virtual system.

Step 2: Define the DNS server with which the firewall should communicate to resolve DNS requests.
If you are enabling DNS proxy on a virtual system, you must select New in the Server Profile drop-down first, and then continue with either of the following options.
Specify DNS Servers
1.
2. Enter the Primary DNS server IP address or address object.
3. Enter the Secondary DNS server IP address or address object.

Enable the Firewall to Act as a DNS Proxy (Continued)

Step 3: Enable the firewall to reach out to certain DNS servers to resolve specific domains.
For example, the firewall can forward corporate domains to a corporate DNS server for domain name resolution.
1.
2.
3. Add one or more Domain Name.
4. Enter the IP addresses or address objects for the Primary and Secondary DNS servers. The firewall communicates with these servers to resolve DNS requests for the listed domain names.
   If you are enabling DNS proxy on a virtual system, you can instead configure a DNS Server Profile to define DNS settings for the virtual system, including the primary and secondary DNS server.

Step 4: Set up static FQDN-to-IP address entries that the firewall can resolve locally, without having to reach out to a DNS server.
1. Select Static Entries.
2. Add and Name a new static mapping entry.
3. Enter the FQDN that you want the firewall to resolve.
4. Add one or more IP Address to map to the domain you entered in the last step.

Step 5: Enable caching for resolved hostname-to-IP-address mappings, and customize additional DNS settings.
Select Advanced and configure settings to:
- Store recently resolved hostname-to-IP-address mappings. Select Cache and continue to specify the number of entries for the cache to hold and the number of hours after which all cached DNS entries are removed.
- Enable DNS queries using TCP.
- Specify settings for UDP query retries.

Enable the Firewall to Act as a DNS Proxy (Continued)

Step 6: Enable evasion signatures.
When DNS proxy is enabled, evasion signatures that detect crafted HTTP or TLS requests can alert to instances where a client connects to a domain other than the domain specified in the original DNS query.
1. Install the Applications and Threats content version 579 or later:
   a. Select Device > Dynamic Updates.
   b. Check Now to get the latest Applications and Threats content update.
   c. Download and Install Applications and Threats content version 579.
2. Define how traffic matched to evasion signatures should be enforced:
   a. Select Objects > Security Profiles > Anti-Spyware and Add or modify an Anti-Spyware profile.
   b. Select Exceptions and select Show all signatures.
   c. Filter signatures based on the keyword evasion.
   d. For all evasion signatures, set the Action to any setting other than allow or the default action (the default action for evasion signatures is allow). For example, set the action to alert or block.
   e. Click OK to save the updated Anti-Spyware profile.
   f. Attach the Anti-Spyware profile to a security policy rule: Select Policies > Security, select the desired policy to modify and then click the Actions tab. In Profile Settings, click the drop-down next to Anti-Spyware and select the Anti-Spyware profile you just modified to enforce evasion signatures.

Step 7: Commit your changes.

Learn more about DNS features...
- Use DNS queries to identify infected hosts on the network.
- Enable passive DNS collection for better threat intelligence.
- To work with DNS features and virtual systems, see these DNS use cases for virtual systems and learn how to configure a DNS proxy object and DNS server profiles for virtual systems.
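Steps 2 through 5 configure four sources of answers for one DNS proxy object: static entries, the cache, per-domain forwarders and the default primary/secondary servers. The following Python model is an added example and not PAN-OS code: it resolves a name by consulting those sources in that order, fails over from the primary to the secondary server, and expires cache entries after the configured number of hours. The resolution order, the longest-matching-domain rule, the failover behaviour and the cache eviction policy are assumptions drawn from the procedure above, not a description of how PAN-OS implements the feature; the server addresses, zone data and the `fake_upstream` function are constructed so the model runs offline.

```python
from dataclasses import dataclass, field

# Added example (not PAN-OS code): a model of the resolution order a DNS proxy
# object gives the firewall: static entries first, then the cache, then the
# forwarders configured for a matching domain, and otherwise the default
# primary/secondary servers. The order and the failover rule are assumptions
# drawn from the procedure above, not a statement of PAN-OS internals.


class UpstreamUnreachable(Exception):
    pass


@dataclass
class DnsProxyObject:
    primary: str
    secondary: str
    static_entries: dict = field(default_factory=dict)   # fqdn -> [ip, ...]             (Step 4)
    domain_rules: list = field(default_factory=list)     # (domain, primary, secondary)  (Step 3)
    cache_ttl: float = 4 * 3600                          # seconds; hours after which entries expire (Step 5)
    cache_size: int = 1024                               # number of entries the cache holds (Step 5)
    _cache: dict = field(default_factory=dict)           # fqdn -> (expires_at, answers)

    def _servers_for(self, fqdn: str) -> tuple:
        """Longest matching domain rule wins; otherwise the default servers."""
        best = None
        for domain, p, s in self.domain_rules:
            if fqdn == domain or fqdn.endswith("." + domain):
                if best is None or len(domain) > len(best[0]):
                    best = (domain, p, s)
        return (best[1], best[2]) if best else (self.primary, self.secondary)

    def resolve(self, fqdn: str, upstream, now: float) -> tuple:
        """Return (answers, source); source is 'static', 'cache' or 'forwarder:<ip>'.
        upstream(server, name) performs the query and raises UpstreamUnreachable on failure."""
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in self.static_entries:
            return list(self.static_entries[fqdn]), "static"
        hit = self._cache.get(fqdn)
        if hit and hit[0] > now:
            return list(hit[1]), "cache"
        for server in self._servers_for(fqdn):
            try:
                answers = upstream(server, fqdn)
            except UpstreamUnreachable:
                continue                       # fail over to the next server
            if len(self._cache) >= self.cache_size:   # evict the entry closest to expiry
                del self._cache[min(self._cache, key=lambda k: self._cache[k][0])]
            self._cache[fqdn] = (now + self.cache_ttl, list(answers))
            return list(answers), f"forwarder:{server}"
        raise UpstreamUnreachable(f"no configured server answered for {fqdn}")


# Constructed upstream servers: a corporate DNS server (10.0.0.53) and two
# public resolvers, the primary of which is down.
ZONE_DATA = {
    ("10.0.0.53", "mail.corp.example"): ["10.0.1.25"],
    ("192.0.2.53", "www.example.org"): ["203.0.113.80"],
    ("192.0.2.54", "www.example.org"): ["203.0.113.80"],
}
DOWN_SERVERS = {"192.0.2.53"}


def fake_upstream(server: str, name: str) -> list:
    if server in DOWN_SERVERS:
        raise UpstreamUnreachable(server)
    return ZONE_DATA.get((server, name), [])   # [] stands in for an empty answer


def build_example_proxy() -> DnsProxyObject:
    """The proxy object of this procedure, with constructed addresses."""
    return DnsProxyObject(
        primary="192.0.2.53", secondary="192.0.2.54",
        static_entries={"intranet.corp.example": ["10.0.0.5"]},
        domain_rules=[("corp.example", "10.0.0.53", "10.0.0.54")],
    )


if __name__ == "__main__":
    proxy = build_example_proxy()
    for name, now in (("intranet.corp.example", 0), ("mail.corp.example", 0),
                      ("mail.corp.example", 60), ("www.example.org", 0)):
        print(name, proxy.resolve(name, fake_upstream, now))
```

Running the model shows the static entry answered without any upstream query, the corporate domain sent to the corporate server, the second lookup of the same name served from the cache, and the public name answered by the secondary server because the primary is unreachable.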
Enable Passive DNS Collection for Improved Threat Intelligence

Passive DNS is an opt-in feature that enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities. The data collected includes non-recursive (i.e. originating from the local recursive resolver, not individual clients) DNS query and response packet payloads. Data submitted via the Passive DNS Monitoring feature consists solely of mappings of domain names to IP addresses. Palo Alto Networks retains no record of the source of this data and does not have the ability to associate it with the submitter at a future date.

The Palo Alto Networks threat research team uses this information to gain insight into malware propagation and evasion techniques that abuse the DNS system. Information gathered through this data collection is used to improve accuracy and malware detection abilities within PAN-DB URL filtering, DNS-based command-and-control signatures, and WildFire.

DNS responses are only forwarded to Palo Alto Networks when the following requirements are met:
- DNS response bit is set
- DNS truncated bit is not set
- DNS recursive bit is not set
- DNS response code is 0 or 3 (NX)
- DNS question count is bigger than 0
- DNS Answer RR count is bigger than 0, or if it is 0, the flags need to be 3 (NX)
- DNS query record type is A, NS, CNAME, AAAA, or MX

Passive DNS monitoring is disabled by default, but it is recommended that you enable it to facilitate enhanced threat intelligence. Use the following procedure to enable Passive DNS:

Enable Passive DNS

Step 1:
Step 2: Select an existing profile to modify it or configure a new profile.
The Anti-Spyware profile must be attached to a security policy that governs your DNS server's external DNS traffic.
Step 3:
Step 4: Click OK and then Commit.
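The seven forwarding requirements above are all decidable from the DNS header and the first question, which makes them a useful exercise in reading the wire format. The following Python code is an added example and not PAN-OS code: it parses the 12-byte header and the question section of a DNS message and reports the first requirement a message fails. It reads the guide's "DNS recursive bit" as the RD (recursion desired) flag, which is an assumption; the `build_dns` helper constructs sample messages (header and question only, with the answer count set in the header) so the checks can be run offline.

```python
import struct

# Added example (not PAN-OS code): check whether a DNS message meets the
# forwarding requirements listed above, by parsing the 12-byte header and the
# first question. "DNS recursive bit" is read here as the RD flag (assumption).
# Only uncompressed question names are handled.

QTYPES_OF_INTEREST = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}


def parse_dns(packet: bytes) -> dict:
    """Return header flags/counts and the first question's name and type."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    qname = qtype = None
    if qdcount:
        labels, pos = [], 12
        while True:
            if pos >= len(packet):
                raise ValueError("truncated question section")
            length = packet[pos]
            if length & 0xC0:
                raise ValueError("compressed name in question not supported")
            pos += 1
            if length == 0:
                break
            labels.append(packet[pos:pos + length].decode("ascii"))
            pos += length
        qname = ".".join(labels)
        qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return {
        "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF, "qdcount": qdcount, "ancount": ancount,
        "qname": qname, "qtype": qtype,
    }


def passive_dns_eligible(packet: bytes) -> tuple:
    """Return (True, 'eligible') or (False, first failed requirement)."""
    h = parse_dns(packet)
    checks = [
        (h["qr"] == 1, "response bit (QR) not set"),
        (h["tc"] == 0, "truncated bit (TC) set"),
        (h["rd"] == 0, "recursion bit (RD) set"),
        (h["rcode"] in (0, 3), f"rcode {h['rcode']} is not 0 or 3"),
        (h["qdcount"] > 0, "question count is 0"),
        (h["ancount"] > 0 or h["rcode"] == 3, "no answer RRs and rcode is not 3 (NX)"),
        (h["qtype"] in QTYPES_OF_INTEREST, f"qtype {h['qtype']} not in A/NS/CNAME/AAAA/MX"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "eligible"


def build_dns(qr: int, tc: int, rd: int, rcode: int, qname: str, qtype: int, ancount: int) -> bytes:
    """Constructed DNS message: header plus one question. The answer section is not
    written out, since only the header counts matter to the checks above."""
    flags = (qr << 15) | (tc << 9) | (rd << 8) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)   # qclass IN


if __name__ == "__main__":
    print(passive_dns_eligible(build_dns(1, 0, 0, 0, "www.example.com", 1, 1)))   # eligible
    print(passive_dns_eligible(build_dns(1, 0, 1, 0, "www.example.com", 1, 1)))   # RD set: skipped
    print(passive_dns_eligible(build_dns(1, 0, 0, 3, "nx.example.com", 28, 0)))   # NXDOMAIN: eligible
```

The RD check is what restricts collection to resolver-to-authoritative traffic: a client's query to its local resolver asks for recursion, while the resolver's own upstream queries (and their responses) do not.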
Use DNS Queries to Identify Infected Hosts on the Network

The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to a DNS query for a known malicious domain or to a custom domain so that you can identify hosts on your network that have been infected with malware. By default, DNS queries to any domain included in the Palo Alto Networks DNS signatures list are sinkholed to a Palo Alto Networks server IP address. The following topics provide details on how to enable DNS sinkholing for custom domains and how to identify infected hosts.
- DNS Sinkholing
- Configure DNS Sinkholing for a List of Custom Domains
- Configure the Sinkhole IP Address to a Local Server on Your Network
- Identify Infected Hosts

DNS Sinkholing

DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command and control, for example) will instead attempt to connect to a default Palo Alto Networks sinkhole IP address, or to a user-defined IP address as illustrated in Configure DNS Sinkholing for a List of Custom Domains. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.

If you want to enable DNS sinkholing for Palo Alto Networks DNS signatures, attach the default Anti-Spyware profile to a security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signatures will be resolved to the default Palo Alto Networks sinkhole IP address. The IP addresses currently are IPv4 71.19.152.112 and a loopback address, IPv6 address ::1. These addresses are subject to change and can be updated with content updates.

Figure: DNS Sinkholing Example
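The visibility problem described above (the threat log names the local resolver, the traffic log names the host that actually contacted the sinkhole) is simplest to see with the two logs side by side. The following Python code is an added example and not PAN-OS code or its log format: it reads constructed, simplified comma-separated threat and traffic log lines, reproduces what the (action eq sinkhole) threat filter would show, and then lists the hosts that opened sessions to a sinkhole address, which is what the custom report later in this section is built from. The resolver address 10.0.0.222, the client 192.168.2.10 and the sinkhole 10.15.0.20 are the values used in this section's examples; the other addresses and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict

# Added example (not PAN-OS code): correlate a sinkholed DNS query with the
# session that follows it. The log lines are constructed for this example in a
# simplified comma-separated form (time,type,src,dst,action,detail), not the
# firewall's own log format.

# With the firewall north of the local resolver (10.0.0.222), the threat log
# shows the resolver, not the infected client, as the source of the query.
THREAT_LOG = """\
2015-05-21 10:15:01,threat,10.0.0.222,203.0.113.53,sinkhole,Suspicious DNS Query (track.bidtrk.com)
2015-05-21 10:15:02,threat,10.0.0.222,203.0.113.53,sinkhole,Suspicious DNS Query (baddomain.com)
2015-05-21 10:16:00,threat,10.0.0.222,203.0.113.53,alert,Suspicious DNS Query (qqq.abcedfg.com)
"""

# The traffic log records who actually connected to the forged answer.
TRAFFIC_LOG = """\
2015-05-21 10:15:03,traffic,192.168.2.10,10.15.0.20,allow,tcp/443
2015-05-21 10:15:04,traffic,192.168.2.10,10.15.0.20,allow,tcp/80
2015-05-21 10:15:09,traffic,192.168.2.44,10.15.0.20,allow,tcp/443
2015-05-21 10:15:11,traffic,192.168.2.10,198.51.100.7,allow,tcp/443
2015-05-21 10:15:12,traffic,10.0.0.222,203.0.113.53,allow,udp/53
"""

# Sinkhole addresses from this section: the local server of the example and
# the default Palo Alto Networks IPv4 sinkhole.
SINKHOLE_IPS = {"10.15.0.20", "71.19.152.112"}
FIELDS = ["time", "type", "src", "dst", "action", "detail"]


def parse_log(text: str) -> list:
    """Parse the constructed log format into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def sinkholed_queries(threat_rows: list) -> list:
    """What the Threat log filter (action eq sinkhole) shows: the query sources."""
    return sorted({r["src"] for r in threat_rows if r["action"] == "sinkhole"})


def infected_hosts(traffic_rows: list, sinkhole_ips: set) -> dict:
    """Hosts that opened sessions to a sinkhole address, with session counts:
    the basis for the custom report and for alerting."""
    hits = defaultdict(int)
    for r in traffic_rows:
        if r["dst"] in sinkhole_ips:
            hits[r["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print("threat log sources:", sinkholed_queries(parse_log(THREAT_LOG)))   # only the resolver
    print("hosts talking to sinkhole:", infected_hosts(parse_log(TRAFFIC_LOG), SINKHOLE_IPS))
```

The threat log alone would point every sinkholed query at 10.0.0.222; the traffic log to the sinkhole address names 192.168.2.10 and 192.168.2.44, which is why the procedure that follows routes client traffic into a dedicated sinkhole zone so that those sessions are logged.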
Configure DNS Sinkholing for a Custom List of Domains

Step 1: Enable DNS sinkholing for the custom list of domains in an external dynamic list.
1.
2. Modify an existing profile, or select one of the existing default profiles and clone it.
3. Name the profile and select the DNS Signatures tab.
4.
5. Configure access to the External Dynamic List.
   a. Enter a descriptive Name for the list.
   b. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
   c. Populate the list with domain names. See Formatting Guidelines for an External Dynamic List.
   d. Click Test Source URL to verify that the firewall can connect to the list on the web server.
      If the web server is unreachable after the connection is established, the firewall or Panorama uses the last successfully retrieved list for enforcing policy until the connection is restored with the web server.
   e. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the list is retrieved once every hour.
   f. Click OK.
6. (Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended-capture to set between 1-50 packets. You can then use the packet captures for further analysis.

Configure DNS Sinkholing for a Custom List of Domains (Continued)

Step 2: Verify the sinkholing settings on the Anti-Spyware profile.
7.
8. In the Sinkhole section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
   If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
9. Click OK to save the Anti-Spyware profile.

Step 3: Attach the Anti-Spyware profile to a Security policy rule.
1.
2.
3. In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down, select the new profile.
4. Click OK to save the policy rule.

Step 4: Test that the policy action is enforced.
1. Access a domain in the external dynamic list.
2. To monitor the activity on the firewall:
   a. Select ACC and add a URL Domain as a global filter to view the Threat Activity and Blocked Activity for the domain you accessed.
   b. Select Monitor > Logs > Threat and filter by (action eq sinkhole) to view logs on sinkholed domains.
Configure DNS Sinkholing for a Custom List of Domains (Continued)

Step 5: Verify whether entries in the external dynamic list are ignored or skipped.
In a list of type URL, the firewall skips entries that are not URLs as invalid and ignores entries that exceed the maximum limit for the platform.
Use the following CLI command on the firewall to review the details about the list.

request system external-list show type domain name <list_name>

For example:

request system external-list show type domain name My_List_of_Domains_2015
vsys1/EBLDomain:
        Next update at    : Thu May 21 10:15:39 2015
        Source            : https://1.2.3.4/My_List_of_Domains_2015
        Referenced        : Yes
        Valid             : Yes
        Number of entries : 3
        domains:
                www.example.com
                baddomain.com
                qqq.abcedfg.com

Step 6: (Optional) Retrieve the external dynamic list on demand.
To force the firewall to retrieve the updated list on demand instead of at the next refresh interval (the Repeat frequency you defined for the external dynamic list), use the following CLI command:

request system external-list refresh type domain name <list_name>
Configure Sinkholing to a Local Server on Your Network

Step 1: Configure the sinkhole interface and zone.
Traffic from the zone where the client hosts reside must route to the zone where the sinkhole IP address is defined, so traffic will be logged.
Use a dedicated zone for sinkhole traffic, because the infected host will be sending traffic to this zone.
1.
2. In the Interface Type drop-down, select Layer3.
3. To add an IPv4 address, select the IPv4 tab and select Static and then click Add. In this example, add 10.15.0.20 as the IPv4 DNS sinkhole address.
4. Select the IPv6 tab and click Static and then click Add and enter an IPv6 address and subnet mask. In this example, enter fd97:3dec:4d27:e37c::/64 as the IPv6 sinkhole address.
5. Click OK to save.
6.
7. Enter a zone Name.
8. In the Type drop-down select Layer3.
9. In the Interfaces section, click Add and add the interface you just configured.
10. Click OK.

Step 2: Enable DNS sinkholing.
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures. To change the sinkhole address to your local server, see step 8 in Configure DNS Sinkholing for a List of Custom Domains.

Step 3: Edit the security policy rule that allows traffic from client hosts in the trust zone to the untrust zone to include the sinkhole zone as a destination and attach the Anti-Spyware profile.
Editing the security rule(s) that allow traffic from client hosts in the trust zone to the untrust zone ensures that you are identifying traffic from infected hosts. By adding the sinkhole zone as a destination on the rule, you enable infected clients to send bogus DNS queries to the DNS sinkhole.
1.
2. Select an existing rule that allows traffic from the client host zone to the untrust zone.
3. On the Destination tab, Add the Sinkhole zone. This allows client host traffic to flow to the sinkhole zone.
4.
5. In the Profile Setting section, select the Anti-Spyware profile in which you enabled DNS sinkholing.
6. Click OK to save the security rule and then Commit.
Configure Sinkholing to a Local Server on Your Network (Continued)

Step 4: To confirm that you will be able to identify infected hosts, verify that traffic going from the client host in the Trust zone to the new Sinkhole zone is being logged.
In this example, the infected client host is 192.168.2.10 and the Sinkhole IPv4 address is 10.15.0.20.
1. From a client host in the trust zone, open a command prompt and run the following command:

   C:\>ping <sinkhole address>

   The following example output shows the ping request to the DNS sinkhole address at 10.15.0.20 and the result, which is Request timed out because in this example the sinkhole IP address is not assigned to a physical host:

   C:\>ping 10.15.0.20
   Pinging 10.15.0.20 with 32 bytes of data:
   Request timed out.
   Request timed out.
   Ping statistics for 10.15.0.20:
       Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
2.
UseDNSQueriestoIdentifyInfectedHostsontheNetwork
ThreatPrevention
ConfigureSinkholingtoaLocalServeronYourNetwork
Step 5
Test that DNS sinkholing is configured properly.
You are simulating the action that an infected client host would perform when a malicious application attempts to call home.
1. Find a malicious domain that is included in the firewall's current Antivirus signature database to test sinkholing.
a. Select Device > Dynamic Updates and in the Antivirus section click the Release Notes link for the currently installed antivirus database. You can also find the antivirus release notes that list the incremental signature updates under Dynamic Updates on the Palo Alto Networks support site.
b. In the second column of the release note, locate a line item with a domain extension (for example, .com, .edu, or .net). The left column will display the domain name. For example, Antivirus release 1117-1560 includes an item in the left column named "tbsbana" and the right column lists "net". The following shows the content in the release note for this line item:
conficker:tbsbana1 variants: net
2. From the client host, open a command prompt.
3. Perform an NSLOOKUP to a URL that you identified as a known malicious domain.
For example, using the URL track.bidtrk.com:
C:\>nslookup track.bidtrk.com
Server: my-local-dns.local
Address: 10.0.0.222
Non-authoritative answer:
Name: track.bidtrk.com.org
Addresses: fd97:3dec:4d27:e37c:5:5:5:5
10.15.0.20
In the output, note that the NSLOOKUP to the malicious domain has been forged using the sinkhole IP addresses that we configured (10.15.0.20). Because the domain matched a malicious DNS signature, the sinkhole action was performed.
5. Perform a ping to track.bidtrk.com, which will generate network traffic to the sinkhole address.
2. Click the Show spyware button along the top of the display page.
3. Select a time range.
The following screenshot shows three instances of Suspicious DNS queries, which were generated when the test client host performed an NSLOOKUP on a known malicious domain. Click the graph to see more details about the event.
DNS Sinkhole Verification and Reporting (Continued)
Configure a custom report to identify all client hosts that have sent traffic to the sinkhole IP address, which is 10.15.0.20 in this example.
Forward to an SNMP manager, Syslog server and/or Panorama to enable alerts on these events.
In this example, the infected client host performed an NSLOOKUP to a known malicious domain that is listed in the Palo Alto Networks DNS Signature database. When this occurred, the query was sent to the local DNS server, which then forwarded the request through the firewall to an external DNS server. The firewall security policy with the Anti-Spyware profile configured matched the query to the DNS Signature database, which then forged the reply using the sinkhole address of 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5. The client attempts to start a session and the traffic log records the activity with the source host and the destination address, which is now directed to the forged sinkhole address.
Viewing the traffic log on the firewall allows you to identify any client host that is sending traffic to the sinkhole address. In this example, the logs show that the source address 192.168.2.10 sent the malicious DNS query. The host can then be found and cleaned. Without the DNS sinkhole option, the administrator would only see the local DNS server as the system that performed the query and would not see the client host that is infected. If you attempted to run a report on the threat log using the action Sinkhole, the log would show the local DNS server, not the infected host.
5. Click Run Now to run the report. The report will show all client hosts that have sent traffic to the sinkhole address, which indicates that they are most likely infected. You can now track down the hosts and check them for spyware.
To view scheduled reports that have run, select Monitor > Reports.
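The contrast the explanation above draws, namely that the threat log attributes a sinkholed query to the local DNS server while the traffic log exposes the client that later connects to the sinkhole address, is shown below in an added Python example. It is not code from the PAN-OS guide or from Palo Alto Networks; the CSV log layout and the log entries are constructed for the example (they are not the real PAN-OS log format), using the addresses from this section (192.168.2.10, 10.0.0.222, 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5).

```python
# Added example, not PAN-OS code: what the threat log and the traffic log each reveal
# about a sinkholed DNS query. The CSV layout below is a constructed simplification.
import csv
import ipaddress
from io import StringIO

# Sinkhole addresses configured in the guide's example.
SINKHOLE_ADDRESSES = {"10.15.0.20", "fd97:3dec:4d27:e37c:5:5:5:5"}

# Constructed threat log: the firewall saw the query after the local DNS server
# (10.0.0.222) forwarded it, so the DNS server is the source of the sinkhole event.
THREAT_LOG = """\
receive_time,type,src,dst,app,threatid,action
2016/05/02 10:01:13,threat,10.0.0.222,198.51.100.53,dns,Suspicious DNS Query,sinkhole
2016/05/02 10:01:14,threat,10.0.0.222,198.51.100.53,dns,Suspicious DNS Query,sinkhole
"""

# Constructed traffic log: the follow-on connections to the forged answer carry the
# real client address, so the infected host (192.168.2.10) is visible here.
TRAFFIC_LOG = """\
receive_time,type,src,dst,dport,app,from_zone,to_zone,action
2016/05/02 10:01:15,traffic,192.168.2.10,10.15.0.20,80,web-browsing,trust,sinkhole,allow
2016/05/02 10:01:15,traffic,192.168.2.10,fd97:3dec:4d27:e37c:5:5:5:5,443,ssl,trust,sinkhole,allow
2016/05/02 10:02:40,traffic,192.168.2.11,10.15.0.20,0,ping,trust,sinkhole,allow
2016/05/02 10:03:02,traffic,192.168.2.50,198.51.100.80,443,ssl,trust,untrust,allow
"""


def sources_with_sinkhole_action(threat_log: str) -> set[str]:
    """Source addresses of threat-log entries whose action was 'sinkhole'."""
    return {row["src"] for row in csv.DictReader(StringIO(threat_log))
            if row["action"] == "sinkhole"}


def infected_hosts_from_traffic_log(traffic_log: str,
                                    sinkhole_addresses=SINKHOLE_ADDRESSES) -> dict[str, list[str]]:
    """Map each client that sent traffic to a sinkhole address to the addresses it contacted."""
    targets = {ipaddress.ip_address(a) for a in sinkhole_addresses}
    hits: dict[str, set[str]] = {}
    for row in csv.DictReader(StringIO(traffic_log)):
        if ipaddress.ip_address(row["dst"]) in targets:
            hits.setdefault(row["src"], set()).add(row["dst"])
    return {src: sorted(dsts) for src, dsts in sorted(hits.items())}


if __name__ == "__main__":
    # The threat log names only the DNS server; the traffic log names the infected clients.
    print("threat log, action=sinkhole:", sources_with_sinkhole_action(THREAT_LOG))
    print("traffic log, dst=sinkhole:  ", infected_hosts_from_traffic_log(TRAFFIC_LOG))
```

Filtering the traffic log on the sinkhole destination (rather than the threat log on the Sinkhole action) is what a custom report or a SIEM rule should do to name the host that needs cleaning.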
DoS Protection Against Flooding of New Sessions
DoS protection against flooding of new sessions is beneficial against high-volume single-session and multiple-session attacks. In a single-session attack, an attacker uses a single session to target a device behind the firewall. If a Security rule allows the traffic, the session is established and the attacker initiates an attack by sending packets at a very high rate with the same source IP address and port number, destination IP address and port number, and protocol, trying to overwhelm the target. In a multiple-session attack, an attacker uses multiple sessions (or connections per second [cps]) from a single host to launch a DoS attack.
This feature defends only against DoS attacks of new sessions, that is, traffic that has not been offloaded to hardware. An offloaded attack is not protected by this feature. However, this topic describes how you can create a Security policy rule to reset the client; the attacker re-initiates the attack with numerous connections per second and is blocked by the defenses illustrated in this topic.
Multiple Session DoS Attack
Single Session DoS Attack
Configure DoS Protection Against Flooding of New Sessions
Use the CLI to End a Single Attacking Session
Identify Sessions That Use an Excessive Percentage of the Packet Buffer
Discard a Session Without a Commit
Sequence of Events as Firewall Quarantines an IP Address
In this example, an attacker launches a DoS attack at a rate of 10,000 new connections per second to UDP port 53. The attacker also sends 10 new connections per second to HTTP port 80.
The new connections match criteria in the DoS Protection policy rule, such as a source zone or interface, source IP address, destination zone or interface, destination IP address, or a service, among other settings. In this example, the policy rule specifies UDP.
The DoS rule also specifies the Protect action and Classified, two settings that dynamically put the DoS Protection Profile settings into effect. The DoS Protection Profile specifies that a Max Rate of 3000 packets per second is allowed. When incoming packets match the DoS rule, new connections per second are counted toward the Alert, Activate, and Max Rate thresholds.
You can also use a Security policy rule to block all traffic from the source IP address if you deem that address to be malicious all the time.
The 10,000 new connections per second exceed the Max Rate threshold. When all of the following occur:
the threshold is exceeded,
a Block Duration is specified, and
Classified is set to include source IP address,
the firewall puts the offending source IP address on the block list.
An IP address on the block list is in quarantine, meaning all traffic from that IP address is blocked. The firewall blocks the offending source IP address before additional attack packets reach the Security policy.
The following figure describes in more detail what happens after an IP address that matches the DoS Protection policy rule is put on the block list. It also describes the Block Duration timer.
Every one second, the firewall allows the IP address to come off the Block List so that the firewall can test the traffic patterns and determine if the attack is ongoing. The firewall takes the following action:
During this one-second test period, the firewall allows packets that do not match the DoS Protection policy criteria (HTTP traffic in this example) through the DoS Protection policy rules to the Security policy for validation. Very few packets, if any, have time to get through because the first attack packet that the firewall receives after the IP address is let off the Block List will match the DoS Protection policy criteria, quickly causing the IP address to be placed back on the block list for another second. The firewall repeats this test each second until the attack stops.
The firewall blocks all attack traffic from going past the DoS Protection policy rules until the Block Duration expires.
When the attack stops, the firewall does not put the IP address back on the block list. The firewall allows non-attack traffic to proceed through the DoS Protection policy rules to the Security policy rules for validation. You must configure a Security policy rule because without one, an implicit deny rule denies all traffic.
The block list is based on a source zone and source address combination. This behavior allows duplicate IP addresses to exist as long as they are in different zones belonging to separate virtual routers.
The Block Duration setting in a DoS Protection profile specifies how long the firewall blocks the [offending] packets that exactly match a DoS Protection policy rule. The attack traffic remains blocked until the Block Duration expires, after which the attack traffic must again exceed the Max Rate threshold to be blocked again.
If the attacker uses multiple sessions or bots that initiate multiple attack sessions, the sessions count toward the thresholds in the DoS Protection profile without a Security policy deny rule in place. Hence, a single-session attack requires a Security policy deny rule in order for each packet to count toward the thresholds; a multiple-session attack does not.
Therefore, the DoS protection against flooding of new sessions allows the firewall to efficiently defend against a source IP address while attack traffic is ongoing and to permit non-attack traffic to pass as soon as the attack stops. Putting the offending IP address on the block list allows the DoS protection functionality to take advantage of the block list, which is designed to quarantine all activity. Quarantining the IP address from all activity protects against a modern attacker who attempts a rotating application attack, in which the attacker simply changes applications to start a new attack or uses a combination of different attacks in a hybrid DoS attack.
Beginning with PAN-OS 7.0.2, it is a change in behavior that the firewall places the attacking source IP address on the block list. When the attack stops, non-attack traffic is allowed to proceed to the Security policy rules. The attack traffic that matched the DoS Protection profile and DoS Protection policy rules remains blocked until the Block Duration expires.
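The quarantine sequence described above (Max Rate exceeded, the Block Duration timer, the per-second re-test, and the zone-plus-address key of the block list) can be followed with the simplified Python model below. It is an added example, not PAN-OS code, and it assumes a single DoS Protection rule matching UDP with Classified set to the source IP address; the Max Rate of 3000 and the 10,000 and 10 connections per second come from this section's example, while the source address, zones and Block Duration are constructed.

```python
# Added example, not PAN-OS code: a simplified model of the block list described above.
# One DoS Protection rule matches UDP; Classified keys the block list on (zone, source IP).
from dataclasses import dataclass, field


@dataclass
class DosProfile:
    max_rate: int          # new connections per second allowed before the source is blocked
    block_duration: int    # seconds the source stays on the block list


@dataclass
class Observation:
    second: int            # one-second time slot
    zone: str              # source zone (part of the block-list key)
    src_ip: str
    service: str           # "udp/53" or "tcp/80" in the guide's example
    cps: int               # new connections per second seen in this slot


@dataclass
class BlockList:
    profile: DosProfile
    rule_protocol: str                          # protocol the DoS Protection rule matches
    expiry: dict = field(default_factory=dict)  # (zone, src_ip) -> second the block ends

    def matches_rule(self, obs: Observation) -> bool:
        return obs.service.startswith(self.rule_protocol + "/")

    def decide(self, obs: Observation, attack_ongoing: bool) -> str:
        key = (obs.zone, obs.src_ip)
        until = self.expiry.get(key)
        if until is not None and obs.second < until:
            # In quarantine. The per-second re-test lets non-matching traffic through
            # only when no attack packet (rule-matching traffic) arrives in this slot.
            if attack_ongoing:
                return "blocked"
            return "blocked" if self.matches_rule(obs) else "allowed"
        # Not on the list, or Block Duration expired: the rate must exceed Max Rate again.
        if (self.matches_rule(obs) and obs.cps > self.profile.max_rate
                and self.profile.block_duration > 0):
            self.expiry[key] = obs.second + self.profile.block_duration
            return "blocked"
        return "allowed"


def simulate(observations, profile, rule_protocol="udp"):
    """Return a list of (second, zone, service, decision) tuples, one per observation."""
    bl = BlockList(profile, rule_protocol)
    by_second = {}
    for obs in observations:
        by_second.setdefault(obs.second, []).append(obs)
    results = []
    for sec in sorted(by_second):
        # Evaluate rule-matching traffic first so a fresh block applies to the whole slot.
        slot = sorted(by_second[sec], key=lambda o: not bl.matches_rule(o))
        # Sources that sent any rule-matching traffic in this slot are still attacking.
        attacking = {(o.zone, o.src_ip) for o in slot if bl.matches_rule(o) and o.cps > 0}
        for o in slot:
            results.append((sec, o.zone, o.service,
                            bl.decide(o, (o.zone, o.src_ip) in attacking)))
    return results


if __name__ == "__main__":
    profile = DosProfile(max_rate=3000, block_duration=5)   # Max Rate from the guide's example
    attacker = "203.0.113.7"                                # constructed source address
    timeline = []
    for sec in range(3):                                    # 10,000 cps UDP/53 plus 10 cps HTTP
        timeline += [Observation(sec, "untrust", attacker, "udp/53", 10000),
                     Observation(sec, "untrust", attacker, "tcp/80", 10)]
    timeline += [Observation(3, "untrust", attacker, "tcp/80", 10),    # attack has stopped
                 Observation(6, "untrust", attacker, "udp/53", 100)]   # after Block Duration
    for row in simulate(timeline, profile):
        print(row)
```

In the run above the HTTP connections are blocked while the UDP flood continues, pass as soon as the flood stops even though the Block Duration has not expired, and the 100 cps of UDP seen after expiry is allowed because it no longer exceeds Max Rate.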
Configure DoS Protection Against Flooding of New Sessions
(Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation) Configure Security policy rules to deny traffic from the attacker's IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address.
Components of a Security Policy Rule
Create a Security Policy Rule
This step is one of the steps typically performed to stop an existing attack. See Use the CLI to End a Single Attacking Session.
Configure DoS Protection Against Flooding of New Sessions (Continued)
Step 2
Configure a DoS Protection profile for flood protection.
Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile.
4. When you enable SYN Flood, select the Action that occurs when the Activate Rate threshold is exceeded: Random Early Drop or SYN Cookies.
5. (Optional) On each of the flood tabs, change the following thresholds to suit your environment:
Alarm Rate (packets/s): Specify the threshold rate (packets per second [pps]) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.)
Activate Rate (packets/s): Specify the threshold rate (pps) above which a DoS response is activated. When the Activate Rate threshold is reached, Random Early Drop occurs. (Range is 0-2,000,000; default is 10,000.)
Max Rate (packets/s): Specify the threshold rate of incoming packets per second that the firewall allows. When the threshold is exceeded, new packets that arrive are dropped. (Range is 2-2,000,000; default is 40,000.)
The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values.
6. On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.)
Set a low Block Duration value if you are concerned that packets you incorrectly identified as attack traffic will be blocked unnecessarily.
Set a high Block Duration value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that are not part of an attack.
7. Click OK.
Step 3
Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic.
2. On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s).
3. (Optional) For Source Address, select Any for any incoming IP address to match the rule or Add an address object such as a geographical region.
4. (Optional) For Source User, select any or specify a user.
5. (Optional) Select Negate to match any sources except those you specify.
6. (Optional) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect.
7. (Optional) For Destination Address, select Any or enter the IP address of the device you want to protect.
8. (Optional) On the Option/Protection tab, Add a Service. Select a service or click Service and enter a Name. Select TCP or UDP. Enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port.
9. On the Option/Protection tab, for Action, select Protect.
10. Select Classified.
11. For Profile, select the name of the DoS Protection profile you created.
12. For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic.
Specify source-ip-only if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack, source-ip-only is the typical setting for a wider examination.
Specify src-dest-ip-both if you want to protect only against DoS attacks on the server that has a specific destination address and also ensure that every source IP address will not surpass a specific connections-per-second threshold to that server.
13. Click OK.
Step 4
Save the configuration.
Click Commit.
Identify the source IP address that is causing the attack.
For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, in PAN-OS 7.0 and later, you can use ACC to filter on destination address to view the activity to the target host being attacked.
Step 2
Create a DoS Protection policy rule that will block the attacker's IP address after the attack thresholds are exceeded.
Step 3
Create a Security policy rule to deny the source IP address and its attack traffic.
Step 4
After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Sequence of Events as Firewall Quarantines an IP Address.
View Firewall Resource Usage, Top Sessions, and Session Details
Step 1
View firewall resource usage, top sessions, and session details. Execute the following operational command in the CLI (sample output from the command follows):
admin@PA-7050> show running resource-monitor ingress-backlogs
-- SLOT: s1, DP: dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%
TOP SESSIONS:
SESS-ID  PCT  GRP-ID  COUNT
6        92%  1       156
              7       1732
SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided
The command displays a maximum of the top five sessions that each use 2% or more of the packet buffer. The sample output above indicates that Session 6 is using 92% of the packet buffer with TCP packets (protocol 6) coming from source IP address 192.168.2.35.
SESS-ID: Indicates the global session ID that is used in all other show session commands. The global session ID is unique within the firewall.
GRP-ID: Indicates an internal stage of processing packets.
COUNT: Indicates how many packets are in that GRP-ID for that session.
APP: Indicates the App-ID extracted from the Session information, which can help you determine whether the traffic is legitimate. For example, if packets use a common TCP or UDP port but the CLI output indicates an APP of undecided, the packets are possibly attack traffic. The APP is undecided when Application IP Decoders cannot get enough information to determine the application. An APP of unknown indicates that Application IP Decoders cannot determine the application; a session of unknown APP that uses a high percentage of the packet buffer is also suspicious.
To restrict the display output:
On a PA-7000 Series platform, you can limit output to a slot, a dataplane, or both. For example:
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 dp dp1
On a PA-5000 Series platform, you can limit output to a dataplane. For example:
admin@PA-5060> show running resource-monitor ingress-backlogs dp dp1
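The following added Python parser (not part of the PAN-OS guide or its tooling) reads output shaped like the sample above and flags sessions that hold a large share of the packet buffer while their App-ID is undecided or unknown, which is the judgement Step 2 below asks you to make by eye. The embedded sample output is constructed to match the layout shown in this section, with the values from the guide's example; column alignment in real output may differ, so the parser splits on whitespace rather than on fixed columns.

```python
# Added example, not PAN-OS code: parse "show running resource-monitor ingress-backlogs"
# output (constructed sample below, shaped like the guide's) and flag suspicious sessions.
import re

# IANA protocol numbers for the PROTO column.
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

SAMPLE_OUTPUT = """\
admin@PA-7050> show running resource-monitor ingress-backlogs
-- SLOT: s1, DP: dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%
TOP SESSIONS:
SESS-ID  PCT  GRP-ID  COUNT
6        92%  1       156
              7       1732
SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided
"""


def parse_ingress_backlogs(text: str) -> dict:
    """Return {"usage": {...}, "sessions": {sess_id: {"pct", "groups", "details"}}}."""
    report = {"usage": {}, "sessions": {}}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("admin@") or line.startswith("--"):
            continue                                  # prompt line or slot/DP banner
        m = re.match(r"USAGE - ATOMIC: (\d+)% TOTAL: (\d+)%", line)
        if m:
            report["usage"] = {"atomic": int(m.group(1)), "total": int(m.group(2))}
            continue
        if line.startswith("TOP SESSIONS"):
            section = "top"
            continue
        if line.startswith("SESSION DETAILS"):
            section = "details"
            continue
        if line.startswith("SESS-ID"):
            continue                                  # column header row
        tokens = line.split()
        if section == "top":
            if len(tokens) == 4:                      # SESS-ID PCT GRP-ID COUNT
                current = int(tokens[0])
                sess = report["sessions"].setdefault(current, {"groups": []})
                sess["pct"] = int(tokens[1].rstrip("%"))
                sess["groups"].append((int(tokens[2]), int(tokens[3])))
            elif len(tokens) == 2 and current is not None:   # extra GRP-ID row, same session
                report["sessions"][current]["groups"].append((int(tokens[0]), int(tokens[1])))
        elif section == "details" and len(tokens) == 10:
            sid = int(tokens[0])
            sess = report["sessions"].setdefault(sid, {"groups": [], "pct": 0})
            sess["details"] = {
                "proto": PROTO_NAMES.get(tokens[1], tokens[1]),
                "szone": tokens[2], "src": tokens[3], "sport": int(tokens[4]),
                "dst": tokens[5], "dport": int(tokens[6]),
                "igr_if": tokens[7], "egr_if": tokens[8], "app": tokens[9],
            }
    return report


def suspicious_sessions(report: dict, min_pct: int = 50) -> list[int]:
    """Session IDs holding at least min_pct of the buffer with an undecided/unknown App-ID."""
    return sorted(sid for sid, s in report["sessions"].items()
                  if s.get("pct", 0) >= min_pct
                  and s.get("details", {}).get("app") in {"undecided", "unknown"})


if __name__ == "__main__":
    parsed = parse_ingress_backlogs(SAMPLE_OUTPUT)
    for sid in suspicious_sessions(parsed):
        d = parsed["sessions"][sid]["details"]
        print(f"session {sid}: {parsed['sessions'][sid]['pct']}% of buffer, "
              f"{d['proto']} {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']}, app={d['app']}")
```

The flagged session ID is the value you would pass to show session id or request session-discard in the steps that follow; the source address is what a Security policy deny rule would match.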
Step 2
Use the command output to determine whether the source at the source IP address using a high percentage of the packet buffer is sending legitimate or attack traffic.
In the sample output above, a single-session attack is likely occurring. A single session (Session ID 6) is using 92% of the packet buffer for Slot 1, DP 1, and the application at that point is undecided.
If you determine a single user is sending an attack and the traffic is not offloaded, you can Use the CLI to End a Single Attacking Session. At a minimum, you can Configure DoS Protection Against Flooding of New Sessions.
On a hardware platform that has a field-programmable gate array (FPGA), the firewall offloads traffic to the FPGA when possible to increase performance. If the traffic is offloaded to hardware, clearing the session does not help because then it is the software that must handle the barrage of packets. You should instead Discard a Session Without a Commit.
To see whether a session is offloaded or not, use the show session id <session-id> operational command in the CLI as shown in the following example. The layer7 processing value indicates completed for sessions offloaded or enabled for sessions not offloaded.
In the CLI, execute the following operational command on any hardware platform:
admin@PA-7050> request session-discard [timeout <seconds>] [reason <reason-string>] id <session-id>
The default timeout is 3600 seconds.
Step 2
Verify that sessions have been discarded.
admin@PA-7050> show session all filter state discard
Content Delivery Network Infrastructure for Dynamic Updates
Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. For enabling and scheduling the content updates, see Install Content and Software Updates.
The following table lists the web resources that the firewall accesses for a feature or application. Each entry gives the Resource, the URL, and the Static Addresses (if a static server is required).
Resource: Application Database
URL: updates.paloaltonetworks.com:443
Static Addresses: staticupdates.paloaltonetworks.com or the IP address 199.167.52.15
Resource: Threat/Antivirus Database
URL: updates.paloaltonetworks.com:443; downloads.paloaltonetworks.com:443
Static Addresses: staticupdates.paloaltonetworks.com or the IP address 199.167.52.15
As a best practice, set the update server to updates.paloaltonetworks.com. This allows the Palo Alto Networks firewall to receive content updates from the server closest to it in the CDN infrastructure.
Resource: PAN-DB URL Filtering
URL: *.urlcloud.paloaltonetworks.com. Resolves to the primary URL s0000.urlcloud.paloaltonetworks.com and is then redirected to the regional server that is closest:
s0100.urlcloud.paloaltonetworks.com
s0200.urlcloud.paloaltonetworks.com
s0300.urlcloud.paloaltonetworks.com
s0500.urlcloud.paloaltonetworks.com
Static Addresses: Static IP addresses are not available. However, you can manually resolve a URL to an IP address and allow access to the regional server IP address.
Resource: BrightCloud URL Filtering
URL: database.brightcloud.com:443/80; service.brightcloud.com:80
Static Addresses: Contact BrightCloud Customer Support.
Resource: WildFire
URL:
beta.wildfire.paloaltonetworks.com:443/80
betas1.wildfire.paloaltonetworks.com:443/80
(Beta sites are only accessed by a firewall running a Beta release version.)
mail.wildfire.paloaltonetworks.com:25
wildfire.paloaltonetworks.com:443/80
Static Addresses:
mail.wildfire.paloaltonetworks.com:25 or the IP address 54.241.16.83
wildfire.paloaltonetworks.com:443/80 or 54.241.8.199
The Palo Alto Networks update server delivers WildFire content updates to the firewall: staticupdates.paloaltonetworks.com or the IP address 199.167.52.15
The regional URL/IP addresses for WildFire submission queues are as follows:
cas1.wildfire.paloaltonetworks.com:44 or 54.241.34.71
vas1.wildfire.paloaltonetworks.com:443 or 174.129.24.252
eus1.wildfire.paloaltonetworks.com:443 or 54.246.95.247
sgs1.wildfire.paloaltonetworks.com:443 or 54.251.33.241
jps1.wildfire.paloaltonetworks.com:443 or 54.238.53.161
portal3.wildfire.paloaltonetworks.com:443/80 or 54.241.8.199
cas3.wildfire.paloaltonetworks.com:443 or 54.241.34.71
vas3.wildfire.paloaltonetworks.com:443 or 23.21.208.35
eus3.wildfire.paloaltonetworks.com:443 or 54.246.95.247
sgs3.wildfire.paloaltonetworks.com:443 or 54.251.33.241
jps3.wildfire.paloaltonetworks.com:443 or 54.238.53.161
wildfire.paloaltonetworks.com.jp:443/80 or 180.37.183.53
wf1.wildfire.paloaltonetworks.jp:443 or 180.37.180.37
wf2.wildfire.paloaltonetworks.jp:443 or 180.37.181.18
portal3.wildfire.paloaltonetworks.jp:443/80 or 180.37.183.53
Threat Prevention Resources
For more information on Threat Prevention, refer to the following sources:
Creating Custom Threat Signatures
Threat Prevention Deployment
Understanding DoS Protection
To view a list of Threats and Applications that Palo Alto Networks products can identify, use the following links:
Applipedia: Provides details on the applications that Palo Alto Networks can identify.
Threat Vault: Lists threats that Palo Alto Networks products can identify. You can search by Vulnerability, Spyware, or Virus. Click the Details icon next to the ID number for more information about a threat.
Decryption
Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce security policies on encrypted traffic, where otherwise the encrypted traffic might not be blocked and shaped according to your configured security settings. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted traffic. Enabling decryption on a Palo Alto Networks firewall can include preparing the keys and certificates required for decryption, creating a decryption policy, and configuring decryption port mirroring. See the following topics to learn about and configure decryption:
Decryption Overview
Decryption Concepts
Define Traffic to Decrypt
Configure SSL Forward Proxy
Configure SSL Inbound Inspection
Configure SSH Proxy
Configure Decryption Exceptions
Enable Users to Opt Out of SSL Decryption
Configure Decryption Port Mirroring
Temporarily Disable SSL Decryption
Decryption Overview
Secure Sockets Layer (SSL) and Secure Shell (SSH) are encryption protocols used to secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to entities other than the client and server with the keys to decode the data and the certificates to affirm trust between the devices. Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these protocols are being used for the intended purposes only, and not to conceal unwanted activity or malicious content.
Palo Alto Networks firewalls decrypt encrypted traffic by using keys to transform strings (passwords and shared secrets) from ciphertext to plaintext (decryption) and from plaintext back to ciphertext (re-encrypting traffic as it exits the firewall). Certificates are used to establish the firewall as a trusted third party and to create a secure connection. SSL decryption (both forward proxy and inbound inspection) requires certificates to establish trust between two entities in order to secure an SSL/TLS connection. Certificates can also be used when excluding servers from SSL decryption. You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for the private keys used in SSL forward proxy and SSL inbound inspection decryption. To learn more about storing and generating keys using an HSM and integrating an HSM with your firewall, see Secure Keys with a Hardware Security Module. SSH decryption does not require certificates.
Palo Alto Networks firewall decryption is policy-based, and can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Decryption policies allow you to specify traffic for decryption according to destination, source, or URL category and in order to block or restrict the specified traffic according to your security settings. The firewall uses certificates and keys to decrypt the traffic specified by the policy to plaintext, and then enforces App-ID and security settings on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire Submissions, and File Blocking profiles. After traffic is decrypted and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the firewall to ensure privacy and security. Use policy-based decryption on the firewall to:
Prevent malware concealed as encrypted traffic from being introduced into a corporate network.
Prevent sensitive corporate information from moving outside the corporate network.
Ensure the appropriate applications are running on a secure network.
Selectively decrypt traffic; for example, exclude traffic for financial or healthcare sites from decryption by configuring a decryption exception.
The three decryption policies offered on the firewall, SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy, all provide methods to specifically target and inspect SSL outbound traffic, SSL inbound traffic, and SSH traffic, respectively. The decryption policies provide the settings for you to specify what traffic to decrypt and you can attach a decryption profile to a policy rule to apply more granular security settings to decrypted traffic, such as checks for server certificates, unsupported modes, and failures. This policy-based decryption on the firewall gives you visibility into and control of SSL and SSH encrypted traffic according to configurable parameters.
You can also choose to extend a decryption configuration on the firewall to include Decryption Mirroring, which allows for decrypted traffic to be forwarded as plaintext to a third-party solution for additional analysis and archiving.
Decryption Concepts
To learn about keys and certificates for decryption, decryption policies, and decryption port mirroring, see the following topics:
Keys and Certificates for Decryption Policies
SSL Forward Proxy
SSL Inbound Inspection
SSH Proxy
Decryption Exceptions
Decryption Mirroring
Table: Palo Alto Networks Firewall Keys and Certificates describes the different keys and certificates used by Palo Alto Networks firewalls for decryption. As a best practice, use different keys and certificates for each usage.
Table: Palo Alto Networks Firewall Keys and Certificates
Key/Certificate Usage: Forward Trust
Description: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall trusts. To configure a Forward Trust certificate on the firewall, see Step 2 in the Configure SSL Forward Proxy task. By default, the firewall determines the key size to use for the client certificate based on the key size of the destination server. However, you can also set a specific key size for the firewall to use. See Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the forward trust certificate on a Hardware Security Module (HSM); see Store Private Keys on an HSM.
Key/Certificate Usage: Forward Untrust
Description: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall does not trust. To configure a Forward Untrust certificate on the firewall, see Step 4 in the Configure SSL Forward Proxy task.
Key/Certificate Usage: SSL Exclude Certificate
Description: Certificates for servers that you want to exclude from SSL decryption. For example, if you have SSL decryption enabled, but have certain servers that you do not want included in SSL decryption, such as the web services for your HR systems, you would import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Exclude a Server from Decryption.
Key/Certificate Usage: SSL Inbound Inspection
Description: The certificate used to decrypt inbound SSL traffic for inspection and policy enforcement. For this application, you would import the server certificate for the servers for which you are performing SSL inbound inspection, or store them on an HSM (see Store Private Keys on an HSM).
Figure: SSL Forward Proxy
See Configure SSL Forward Proxy for details on configuring SSL Forward Proxy.
Figure: SSL Inbound Inspection
See Configure SSL Inbound Inspection for details on configuring SSL Inbound Inspection.
SSH Proxy
SSH Proxy provides the capability for the firewall to decrypt inbound and outbound SSH connections passing through the firewall, in order to ensure that SSH is not being used to tunnel unwanted applications and content. SSH decryption does not require any certificates and the key used for SSH decryption is automatically generated when the firewall boots up. During the boot-up process, the firewall checks to see if there is an existing key. If not, a key is generated. This key is used for decrypting SSH sessions for all virtual systems configured on the firewall. The same key is also used for decrypting all SSHv2 sessions.
In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards the SSH request to the server. The firewall then intercepts the server response and forwards the response to the client, establishing an SSH tunnel between the firewall and the client and an SSH tunnel between the firewall and the server, with the firewall functioning as a proxy. As traffic flows between the client and the server, the firewall is able to distinguish whether the SSH traffic is being routed normally or if it is using SSH tunneling (port forwarding). Content and threat inspections are not performed on SSH tunnels; however, if SSH tunnels are identified by the firewall, the SSH tunneled traffic is blocked and restricted according to configured security policies. Figure: SSH Proxy Decryption shows this process in detail.
Figure: SSH Proxy Decryption
See Configure SSH Proxy for details on configuring an SSH Proxy policy.
Decryption Exceptions
Applications that do not function properly when the firewall decrypts them are automatically excluded from SSL decryption. For a current list of applications the firewall excludes from SSL decryption by default, see List of Applications Excluded from SSL Decryption.
You can also Configure Decryption Exceptions to exclude applications, URL categories, and targeted server traffic from decryption:
Exclude certain URL categories or applications that either do not work properly with decryption enabled or for any other reason, including for legal or privacy purposes. You can use a decryption policy to exclude traffic from decryption based on source, destination, URL category, service (port or protocol), and TCP port numbers. For example, with SSL decryption enabled, you can choose URL categories to exclude traffic that is categorized as financial or health-related from decryption.
Exclude server traffic from SSL decryption based on the Common Name (CN) in the server certificate. For example, if you have SSL decryption enabled but have certain servers for which you do not want to decrypt traffic, such as the web services for your HR systems, exclude those servers from decryption by importing the server certificate onto the firewall and modifying the certificate to be an SSL Exclude Certificate.
Decryption Mirroring
The decryption mirroring feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality. Decryption mirroring is available on PA-7000 Series, PA-5000 Series and PA-3000 Series platforms only and requires that a free license be installed to enable this feature.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries and user consent might be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
Figure: Decryption Port Mirroring shows the process for mirroring decrypted traffic and the section Configure Decryption Port Mirroring describes how to license and enable this feature.
Figure: Decryption Port Mirroring
Define Traffic to Decrypt
A decryption policy rule allows you to define traffic that you want the firewall to decrypt, or to define traffic that you want the firewall to exclude from decryption. You can attach a decryption profile rule to a decryption policy rule to more granularly control matching traffic.
• Create a Decryption Profile
• Create a Decryption Policy Rule

Create a Decryption Profile
• Block sessions using unsupported protocols, cipher suites, or sessions that require client authentication.
• Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can't be retrieved during a configured timeout period.
• Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.

Configure a Decryption Profile Rule
Step 1
Step 2
Step 3
(Decryption Mirroring Only) To Configure Decryption Port Mirroring, enable an Ethernet Interface for the firewall to use to copy and forward decrypted traffic.
Decryption mirroring requires a decryption port mirror license.
Select SSL Decryption:
• Select SSL Forward Proxy to configure settings to verify certificates, enforce protocol versions and cipher suites, and perform failure checks on SSL decrypted traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Forward Proxy decryption.
• Select SSL Inbound Inspection to configure settings to enforce protocol versions and cipher suites and to perform failure checks on inbound SSL traffic. These settings are active only when this profile is attached to a decryption policy rule that is set to perform SSL Inbound Inspection.
• Select SSL Protocol Settings to configure minimum and maximum protocol versions and key exchange, encryption, and authentication algorithms to enforce for SSL traffic. These settings are active when this profile is attached to decryption policy rules that are set to perform either SSL Forward Proxy decryption or SSL Inbound Inspection.
Step 4
(Optional) Block and control SSL tunneled and/or inbound traffic undergoing SSL Forward Proxy decryption or SSL Inbound Inspection.
Step 5
Step 6
Step 7
Add the decryption profile rule to a decryption policy rule. Traffic that the policy rule matches is enforced based on the additional profile rule settings.
1.
2.
3.
Step 8
Commit the configuration.
Step 2
Give the policy rule a descriptive Name.
Step 3
Configure the decryption rule to match to traffic based on network and policy objects:
• Firewall security zones: Select Source and/or Destination and match to traffic based on the Source Zone and/or the Destination Zone.
• IP addresses, address objects, and/or address groups: Select Source and/or Destination to match to traffic based on Source Address and/or the Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
• Users: Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
• Ports and protocols: Select Service/URL Category to set the rule to match to traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match to applications only on the application default ports.
The application-default setting is useful to Configure Decryption Exceptions. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
• URLs and URL categories: Select Service/URL Category and decrypt traffic based on:
  - An externally hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists).
  - Custom URL categories (see Objects > Custom Objects > URL Category).
  - Palo Alto Networks URL categories.
This option is useful to Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or healthcare related sites from decryption based on the Palo Alto Networks URL categories.
Step 4
Set the action the policy rule enforces on matching traffic: the rule can either decrypt matching traffic or exclude matching traffic from decryption.
Select Options and set the policy rule Action:
Decrypt matching traffic:
1. Select Decrypt.
2. Set the Type of decryption for the firewall to perform on matching traffic:
   • SSL Forward Proxy
   • SSH Proxy
   • SSL Inbound Inspection. If you want to enable SSL Inbound Inspection, also select the Certificate for the destination internal server for the inbound SSL traffic.
Exclude matching traffic from decryption:
Select No Decrypt.
Step 5
(Optional) Select a Decryption Profile to apply the profile settings to decrypted traffic. (To Create a Decryption Profile, select Objects > Decryption Profile).
ConfigureaDecryptionPolicyRule
Step6
ClickOKtosavethepolicy.
Step7
Chooseyournextstep...
514 PANOS7.1AdministratorsGuide
Fullyenablethefirewalltodecrypttraffic:
ConfigureSSLForwardProxy
ConfigureSSLInboundInspection
ConfigureSSHProxy
ConfigureDecryptionExceptions
Configure SSL Forward Proxy
To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall as a trusted third party to the session between the client and the server. The firewall can use self-signed certificates or certificates signed by an enterprise certificate authority (CA) as forward trust certificates to authenticate the SSL session with the client.
• (Recommended) Enterprise CA-signed Certificates
An enterprise CA can issue a signing certificate which the firewall can use to sign the certificates for sites requiring SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can then send a copy of the destination server certificate to the client signed by the enterprise CA.
• Self-signed Certificates
When a client connects to a server with a certificate that is signed by a CA that the firewall trusts, the firewall can sign a copy of the server certificate to present to the client and establish the SSL session. You can use self-signed certificates for SSL Forward Proxy decryption if your organization does not have an enterprise CA or if you intend to only perform decryption for a limited number of clients.
Additionally, set up a forward untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.
After setting up the forward trust and forward untrust certificates required for SSL Forward Proxy decryption, add a decryption policy rule to define the traffic you want the firewall to decrypt. SSL tunneled traffic matched to the decryption policy rule is decrypted to clear text traffic. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and the firewall security policy. Traffic is re-encrypted as it exits the firewall.

Configure SSL Forward Proxy
Step 1
Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
Step 2
Configure the forward trust certificate for the firewall to present to clients when the server certificate is signed by a trusted CA:
• (Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
• Use a self-signed certificate as the forward trust certificate.
(Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
1. Generate a Certificate Signing Request (CSR) for the enterprise CA to sign and validate:
   a. Select Device > Certificate Management > Certificates and click Generate.
   b. Enter a Certificate Name, such as myfwdproxy.
   c. In the Signed By drop-down, select External Authority (CSR).
   d. (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall details, such as Country or Department.
   e. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
2. Export the CSR:
   a. Select the pending certificate displayed on the Device Certificates tab.
   b. Click Export to download and save the certificate file. Leave Export private key unselected in order to ensure that the private key remains securely on the firewall.
   c. Click OK.
3. Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate from your enterprise CA, save the enterprise CA-signed certificate for import onto the firewall.
4. Import the enterprise CA-signed certificate onto the firewall:
   a. Select Device > Certificate Management > Certificates and click Import.
   b. Enter the pending Certificate Name exactly (in this case, myfwdtrust). The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated.
   c. Select the signed Certificate File that you received from your enterprise CA.
   d. Click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
5. Select the validated certificate, in this case, myfwdproxy, to enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption.
6. Click OK to save the enterprise CA-signed forward trust certificate.
Use a self-signed certificate as the forward trust certificate.
1. Generate a new certificate:
   a. Select Device > Certificate Management > Certificates.
   b. Click Generate at the bottom of the window.
   c. Enter a Certificate Name, such as myfwdtrust.
   d. Enter a Common Name, such as 192.168.2.1. This should be the IP or FQDN that will appear in the certificate. In this case, we are using the IP of the trust interface. Avoid using spaces in this field.
   e. Leave the Signed By field blank.
   f. Click the Certificate Authority check box to enable the firewall to issue the certificate. Selecting this check box creates a certificate authority (CA) on the firewall that is imported to the client browsers, so clients trust the firewall as a CA.
   g. Generate the certificate.
2. Click the new certificate myfwdtrust to modify it and enable the certificate to be a Forward Trust Certificate.
3. Click OK to save the self-signed forward trust certificate.
Step 3
Distribute the forward trust certificate to client system certificate stores.
If you do not install the forward trust certificate on client systems, users will see certificate warnings for each SSL site they visit.
If you are using an enterprise CA-signed certificate as the forward trust certificate for SSL Forward Proxy decryption, and the client systems already have the enterprise CA added to the local trusted root CA list, you can skip this step.
With GlobalProtect:
1.
2. Select Agent and then select an existing agent configuration or Add a new one.
3. Add the SSL Forward Proxy forward trust certificate to the Trusted Root CA section.
4.
5. Click OK twice.
Without GlobalProtect:
Export the forward trust certificate for import into client systems by highlighting the certificate and clicking Export at the bottom of the window. Choose PEM format, and do not select the Export private key option. Import it into the browser trusted root CA list on the client systems in order for the clients to trust it. When importing to the client browser, ensure the certificate is added to the Trusted Root Certification Authorities certificate store. On Windows systems, the default import location is the Personal certificate store. You can also simplify this process by using a centralized deployment, such as an Active Directory Group Policy Object (GPO).
Step 4
Configure the forward untrust certificate.
1. Click Generate at the bottom of the certificates page.
2. Enter a Certificate Name, such as myfwduntrust.
3. Set the Common Name, for example 192.168.2.1. Leave Signed By blank.
4. Click the Certificate Authority check box to enable the firewall to issue the certificate.
5. Click Generate to generate the certificate.
6. Click OK to save.
7. Click the new mysslfwuntrust certificate to modify it and enable the Forward Untrust Certificate option.
Do not export the forward untrust certificate for import into client systems. If the forward untrust certificate is imported on client systems, the users will not see certificate warnings for SSL sites with untrusted certificates.
8. Click OK to save.
Step 5
(Optional) Set the key size of the SSL Forward Proxy certificates that the firewall presents to clients. By default, the firewall determines the key size to use based on the key size of the destination server certificate.
Configure the Key Size for SSL Forward Proxy Server Certificates.
Step 6
Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1.
2. Select Options and:
   • Set the rule Action to Decrypt matching traffic.
   • Set the rule Type to SSL Forward Proxy.
   • (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to perform certificate checks and enforce strong cipher suites and protocol versions).
3. Click OK to save.
Step 7
Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
This option requires an active WildFire license and is a WildFire best practice.
Step 8
Commit the configuration.
Step 9
Choose your next step...
• Enable Users to Opt Out of SSL Decryption.
• Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you have the server certificate). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to clear text traffic and inspected. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and any configured Antivirus, Vulnerability, Anti-Spyware, URL Filtering and File Blocking profiles. You can also enable the firewall to forward decrypted SSL traffic for WildFire analysis and signature generation. Traffic is re-encrypted as it exits the firewall.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall and creating an SSL Inbound Inspection decryption policy.

Configure SSL Inbound Inspection
Step 1
Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
Step 2
Ensure that the targeted server certificate is installed on the firewall.
1. On the Device Certificates tab, select Import.
2.
3. Browse for and select the targeted server Certificate File.
4. Click OK.
Step 3
Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1.
2. Select Options and:
   • Set the rule Action to Decrypt matching traffic.
   • Set the rule Type to SSL Inbound Inspection.
   • Select the Certificate for the internal server that is the destination of the inbound SSL traffic.
   • (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
3. Click OK to save.
Step 4
Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
This option requires an active WildFire license and is a WildFire best practice.
Step 5
Commit the configuration.
Step 6
Choose your next step...
• Enable Users to Opt Out of SSL Decryption.
• Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure SSH Proxy
Configuring SSH Proxy does not require certificates and the key used to decrypt SSH sessions is generated automatically on the firewall during boot up.
With SSH decryption enabled, all SSH traffic identified by the policy is decrypted and identified as either regular SSH traffic or as SSH tunneled traffic. SSH tunneled traffic is blocked and restricted according to the profiles configured on the firewall. Traffic is re-encrypted as it exits the firewall.

Configure SSH Proxy Decryption
Step 1
Ensure that the appropriate interfaces are configured as either virtual wire, Layer 2, or Layer 3 interfaces.
Decryption can only be performed on virtual wire, Layer 2, or Layer 3 interfaces.
Step 2
Create a Decryption Policy Rule to define traffic for the firewall to decrypt.
1.
2. Select Options and:
   • Set the rule Action to Decrypt matching traffic.
   • Set the rule Type to SSH Proxy.
   • (Optional) Select a Decryption Profile to block and control various aspects of the decrypted traffic (for example, Create a Decryption Profile to terminate sessions if system resources are not available to process decryption).
3. Click OK to save.
Step 3
Commit the configuration.
Step 4
(Optional) Continue to Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure Decryption Exceptions
You can purposefully exclude traffic from decryption based on source, destination, URL category, and service (ports and protocols). You can also exclude a specific server from decryption. See the following topics to configure Decryption Exceptions:
• Exclude Traffic from Decryption
• Exclude a Server from Decryption

Exclude Traffic from Decryption
To exclude traffic from decryption, create a decryption policy rule and set the policy action to No Decrypt. Exclude traffic from decryption based on application, source, destination, URL category, and service (ports and protocols). Because policy rules are compared against incoming traffic in sequence, make sure that a decryption exclusion rule is listed first in your decryption policy.

Exclude Traffic from a Decryption Policy
Step 1
Step 2
Exclude traffic from decryption based on match criteria.
This example shows how to exclude traffic categorized as financial or health related from SSL Forward Proxy decryption.
1.
2. Define the traffic that you want to exclude from decryption. In this example:
   a. Give the rule a descriptive Name, such as NoDecryptFinanceHealth.
   b. Set the Source and Destination to Any to apply the NoDecryptFinanceHealth rule to all SSL traffic destined for an external server.
   c. Select URL Category and Add the URL categories financial-services and health-and-medicine.
3. Select Options and set the rule to No Decrypt.
4. (Optional) You can still use a decryption profile to validate certificates for sessions the firewall does not decrypt. Attach a decryption profile to the rule that is set to Block sessions with expired certificates and/or Block sessions with untrusted issuers.
5. Click OK to save the NoDecryptFinanceHealth decryption rule.
Step 3
Commit the configuration.
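Added example, not Palo Alto Networks code: a first-match model of the decryption policy described in Create a Decryption Policy Rule and in the exclusion procedure above, including the SSL Exclude Certificate, with a check that flags a No Decrypt rule listed below a Decrypt rule that can match the same sessions. Rule names, zone names and hostnames are constructed for the example.

```python
"""First-match evaluation of a PAN-OS style decryption policy.

Added example, not Palo Alto Networks code. Models the match criteria used above
(source and destination zone, URL category, service, the Decrypt / No Decrypt
action with a decryption Type) plus the SSL Exclude Certificate, and checks the
ordering rule: an exception listed after an overlapping Decrypt rule is skipped.
Field names, zone names and hostnames are assumptions constructed for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = frozenset({"any"})


@dataclass(frozen=True)
class DecryptionRule:
    name: str
    action: str                          # "decrypt" or "no-decrypt"
    decrypt_type: Optional[str] = None   # "ssl-forward-proxy", "ssl-inbound-inspection", "ssh-proxy"
    source_zones: FrozenSet[str] = ANY
    dest_zones: FrozenSet[str] = ANY
    url_categories: FrozenSet[str] = ANY
    services: FrozenSet[str] = ANY       # e.g. {"tcp/443"}; "any" covers all TCP and UDP ports


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    url_category: str
    service: str                         # "tcp/443"
    server_cn: str = ""                  # Common Name from the server certificate


def _matches(allowed: FrozenSet[str], value: str) -> bool:
    return "any" in allowed or value in allowed


def rule_matches(rule: DecryptionRule, s: Session) -> bool:
    return (_matches(rule.source_zones, s.src_zone)
            and _matches(rule.dest_zones, s.dst_zone)
            and _matches(rule.url_categories, s.url_category)
            and _matches(rule.services, s.service))


def evaluate(rules: List[DecryptionRule], s: Session,
             ssl_exclude_cns: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Return (matched_by, decision): "decrypt:<type>", "no-decrypt" or "not-matched".
    A server whose certificate is marked SSL Exclude Certificate is modelled as
    excluded before the policy is consulted (an assumption of this model)."""
    if s.server_cn and s.server_cn in ssl_exclude_cns:
        return "ssl-exclude-certificate", "no-decrypt"
    for rule in rules:                   # rules are compared in sequence; first match wins
        if rule_matches(rule, s):
            if rule.action == "decrypt":
                return rule.name, f"decrypt:{rule.decrypt_type}"
            return rule.name, "no-decrypt"
    return "none", "not-matched"


def _overlaps(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    return "any" in a or "any" in b or bool(a & b)


def misordered_exceptions(rules: List[DecryptionRule]) -> List[Tuple[str, str]]:
    """(exception_rule, earlier_decrypt_rule) pairs where a Decrypt rule listed above
    a No Decrypt rule can take some of the sessions the exception was meant for."""
    found = []
    for i, exc in enumerate(rules):
        if exc.action != "no-decrypt":
            continue
        for earlier in rules[:i]:
            if (earlier.action == "decrypt"
                    and _overlaps(earlier.source_zones, exc.source_zones)
                    and _overlaps(earlier.dest_zones, exc.dest_zones)
                    and _overlaps(earlier.url_categories, exc.url_categories)
                    and _overlaps(earlier.services, exc.services)):
                found.append((exc.name, earlier.name))
    return found


# Constructed rules: the NoDecryptFinanceHealth exception from this section and an
# SSL Forward Proxy rule for outbound HTTPS from a "trust" zone (assumed zone names).
NO_DECRYPT_FINANCE_HEALTH = DecryptionRule(
    name="NoDecryptFinanceHealth", action="no-decrypt",
    url_categories=frozenset({"financial-services", "health-and-medicine"}))
DECRYPT_OUTBOUND = DecryptionRule(
    name="DecryptOutbound", action="decrypt", decrypt_type="ssl-forward-proxy",
    source_zones=frozenset({"trust"}), dest_zones=frozenset({"untrust"}),
    services=frozenset({"tcp/443"}))
CORRECT_ORDER = [NO_DECRYPT_FINANCE_HEALTH, DECRYPT_OUTBOUND]
WRONG_ORDER = [DECRYPT_OUTBOUND, NO_DECRYPT_FINANCE_HEALTH]

# Constructed sessions; the HR server stands for a certificate marked SSL Exclude.
BANK_SESSION = Session("trust", "untrust", "financial-services", "tcp/443", "online.bank.example")
HR_SESSION = Session("trust", "untrust", "business-and-economy", "tcp/443", "hr.corp.example")
SSL_EXCLUDE_CNS = frozenset({"hr.corp.example"})

if __name__ == "__main__":
    for label, policy in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, evaluate(policy, BANK_SESSION), misordered_exceptions(policy))
    print("hr server", evaluate(CORRECT_ORDER, HR_SESSION, SSL_EXCLUDE_CNS))
```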
Exclude a Server from Decryption
You can exclude server traffic from SSL decryption based on the common name (CN) in the server certificate. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems.

Exclude a Server from Decryption
Step 1
Import the targeted server certificate onto the firewall:
1. On the Device > Certificate Management > Certificates > Device Certificates tab, select Import.
2. Enter a descriptive Certificate Name.
3. Browse for and select the targeted server Certificate File.
4. Click OK.
Step 2
Enable Users to Opt Out of SSL Decryption
In some cases, you might need to alert your users to the fact that the firewall is decrypting certain web traffic and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a user attempts to browse to an HTTPS site or application that matches your decryption policy, the firewall displays a response page notifying the user that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that users try to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the users attempt to access an HTTPS site.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images.

Enable Users to Opt Out of SSL Decryption
Step 1
(Optional) Customize the SSL Decryption Opt-out Page.
1.
2.
3. Select the Predefined page and click Export.
4. Using the HTML text editor of your choice, edit the page.
5. If you want to add an image, host the image on a web server that is accessible from your end user systems.
6. Add a line to the HTML to point to the image. For example:
   <img src="http://cdn.slidesharecdn.com/Acme-logo-96x96.jpg?1382722588"/>
7. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding.
8.
9.
10. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
11. (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
12. Click OK to import the file.
13. Select the response page you just imported and click Close.
Step 2
Enable SSL Decryption Opt Out.
1.
2.
3. Commit the changes.
Step 3
Verify that the Opt Out page displays when you attempt to browse to a site.
• From a browser, go to an encrypted site that matches your decryption policy.
• Verify that the SSL Decryption Opt-out response page displays.
Configure Decryption Port Mirroring
Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.

Configure Decryption Port Mirroring
Step 1
Request a license for each firewall on which you want to enable decryption port mirroring.
1. Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.
2. Select the entry for the firewall you want to license and select Actions.
3.
4. If you are clear about the potential legal implications and requirements, click I understand and wish to proceed.
5. Click Activate.
Step 2
Install the Decryption Port Mirror license on the firewall.
1.
2.
3. Verify that the license has been activated on the firewall.
4.
Step 3
Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.
On a firewall with a single virtual system:
1. Select Device > Setup > Content-ID.
2. Select the Allow forwarding of decrypted content check box.
3. Click OK to save.
On a firewall with multiple virtual systems:
1.
2. Select a Virtual System to edit or create a new Virtual System by selecting Add.
3.
4. Click OK to save.
Step 4
Enable an Ethernet interface to be used for decryption mirroring.
1.
2.
3.
4. Click OK to save.
Step 5
Enable mirroring of decrypted traffic.
1.
2. Select an Interface to be used for Decryption Mirroring. The Interface drop-down contains all Ethernet interfaces that have been defined as the type: Decrypt Mirror.
3. Specify whether to mirror decrypted traffic before or after policy enforcement.
   By default, the firewall will mirror all decrypted traffic to the interface before security policies lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action. If you want to only mirror decrypted traffic after security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
4. Click OK to save the decryption profile.
Step 6
Attach the decryption profile rule (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
1.
2. Click Add to configure a decryption policy or select an existing decryption policy to edit.
3. In the Options tab, select Decrypt and the Decryption Profile created in Step 4.
4. Click OK to save the policy.
Step 7
Save the configuration.
Click Commit.
Temporarily Disable SSL Decryption
In some cases you may want to temporarily disable SSL decryption. For example, if your users are having problems accessing an encrypted site or application, you may want to disable SSL decryption in order to troubleshoot the issue. Although you could disable the associated decryption policies, modifying the policies is a configuration change that requires a Commit. Instead, use the following command to temporarily disable SSL decryption and then re-enable it after you finish troubleshooting. This command does not require a commit and it does not persist in your configuration after a reboot.

Temporarily Disable SSL Decryption
Disable SSL Decryption
Re-enable SSL Decryption
URL Filtering
The Palo Alto Networks URL filtering solution allows you to monitor and control how users access the web over HTTP and HTTPS.
• URL Filtering Overview
• URL Filtering Concepts
• PAN-DB Categorization
• Enable a URL Filtering Vendor
• Determine URL Filtering Policy Requirements
• Use an External Dynamic List in a URL Filtering Profile
• Monitor Web Activity
• Configure URL Filtering
• Customize the URL Filtering Response Pages
• Configure URL Admin Override
• Enable Safe Search Enforcement
• Set Up the PAN-DB Private Cloud
• URL Filtering Use Case Examples
• Troubleshoot URL Filtering
URL Filtering Overview
The Palo Alto Networks URL filtering solution complements App-ID by enabling you to configure the firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect your network from attack. With URL Filtering enabled, all web traffic is compared against the URL filtering database, which contains a listing of millions of websites that have been categorized into approximately 60-80 categories. You can use these URL categories as match criteria in policies (Captive Portal, Decryption, Security, and QoS) or attach them as URL filtering profiles in security policy, to safely enable web access and control the traffic that traverses your network.
Although the Palo Alto Networks URL filtering solution supports both BrightCloud and PAN-DB, only the PAN-DB URL filtering solution allows you to choose between the PAN-DB Public Cloud and the PAN-DB Private Cloud. Use the public cloud solution if the Palo Alto Networks next-generation firewalls on your network can directly access the Internet. If the network security requirements in your enterprise prohibit the firewalls from directly accessing the Internet, you can deploy a PAN-DB private cloud on one or more M-500 appliances that function as PAN-DB servers within your network.
• URL Filtering Vendors
• Interaction Between App-ID and URL Categories
• PAN-DB Private Cloud

URL Filtering Vendors
• PAN-DB: A Palo Alto Networks developed URL filtering database that is tightly integrated into PAN-OS and the Palo Alto Networks threat intelligence cloud. PAN-DB provides high-performance local caching for maximum inline performance on URL lookups, and offers coverage against malicious URLs and IP addresses. As WildFire, which is a part of the Palo Alto Networks threat intelligence cloud, identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs), the PAN-DB database is updated with information on malicious URLs so that you can block malware downloads, and disable Command and Control (C2) communications to protect your network from cyber threats.
To view a list of PAN-DB URL filtering categories, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
• BrightCloud: A third-party URL database that is owned by Webroot, Inc. that is integrated into PAN-OS firewalls. For information on the BrightCloud URL database, visit http://brightcloud.com.
For instructions on configuring the firewall to use one of the supported URL Filtering vendors, see Enable a URL Filtering Vendor.
PAN-DB Private Cloud
When you Set Up the PAN-DB Private Cloud, you can either configure the M-500 appliance(s) to have direct internet access or keep it completely offline. Because the M-500 appliance requires database and content updates to perform URL lookups, if the appliance does not have an active internet connection, you must manually download the updates to a server on your network and then import the updates using SCP into each M-500 appliance in the PAN-DB private cloud. In addition, the appliances must be able to obtain the seed database and any other regular or critical content updates for the firewalls that it services.
To authenticate the firewalls that connect to the PAN-DB private cloud, a set of default server certificates are packaged with the appliance; you cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls.
• M-500 Appliance for PAN-DB Private Cloud
• Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

M-500 Appliance for PAN-DB Private Cloud
To deploy a PAN-DB private cloud, you need one or more M-500 appliances. The M-500 appliance ships in Panorama mode, and to be deployed as PAN-DB private cloud you must set it up to operate in PAN-URL-DB mode. In the PAN-URL-DB mode, the appliance provides URL categorization services for enterprises that do not want to use the PAN-DB public cloud.
The M-500 appliance when deployed as a PAN-DB private cloud uses two ports: MGT (Eth0) and Eth1; Eth2 is not available for use. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud or from a server on your network. For communication between the PAN-DB private cloud and the firewalls on the network, you can use the MGT port or Eth1.
The M-100 appliance cannot be deployed as a PAN-DB private cloud.
The M-500 appliance in PAN-URL-DB mode:
• Does not have a web interface; it only supports a command line interface (CLI).
• Cannot be managed by Panorama.
• Cannot be deployed in a high availability pair.
• Does not require a URL Filtering license. The firewalls must have a valid PAN-DB URL Filtering license to connect with and query the PAN-DB private cloud.
• Ships with a set of default server certificates that are used to authenticate the firewalls that connect to the PAN-DB private cloud. You cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls that it services.
• Can be reset to Panorama mode only. If you want to deploy the appliance as a dedicated Log Collector, switch to Panorama mode and then set it in log collector mode.

Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud
Content and Database Updates
  PAN-DB Public Cloud: Content (regular and critical) updates and full database updates are published multiple times during the day. The firewall checks for critical updates whenever it queries the cloud servers for URL lookups.
  PAN-DB Private Cloud: Content updates and full URL database updates are available once a day during the work week.
URL Categorization Requests
  PAN-DB Public Cloud: Submit URL categorization change requests using the following options: the Palo Alto Networks Test A Site website; the URL filtering profile setup page on the firewall; the URL filtering log on the firewall.
  PAN-DB Private Cloud: Submit URL categorization change requests only using the Palo Alto Networks Test A Site website.
Unresolved URL Queries
  PAN-DB Public Cloud: If the firewall cannot resolve a URL query, the request is sent to the servers in the public cloud.
  PAN-DB Private Cloud: If the firewall cannot resolve a query, the request is sent to the M-500 appliance(s) in the PAN-DB private cloud. If there is no match for the URL, the PAN-DB private cloud sends a category unknown response to the firewall; the request is not sent to the public cloud unless you have configured the M-500 appliance to access the PAN-DB public cloud.
  If the M-500 appliance(s) that constitute your PAN-DB private cloud is configured to be completely offline, it does not send any data or analytics to the public cloud.
URLFilteringConcepts
URLCategories
URLFilteringProfile
URLFilteringProfileActions
BlockandAllowLists
ExternalDynamicListforURLs
SafeSearchEnforcement
ContainerPages
HTTPHeaderLogging
URLFilteringResponsePages
URLCategoryasPolicyMatchCriteria
URL Categories
Each website defined in the URL filtering database is assigned one of approximately 60 different URL categories. There are two ways to make use of URL categorization on the firewall:
Block or allow traffic based on URL category: You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy is then subject to the URL filtering settings in the profile. For example, to block all gaming websites, set the block action for the URL category games in the URL Filtering profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more information.
Match traffic based on URL category for policy enforcement: If you want a specific policy rule to apply only to web traffic to sites in a specific category, add the category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more information.
Grouping websites into categories makes it easy to define actions based on certain types of websites. In addition to the standard URL categories, there are three additional categories:
Category: not-resolved
Description: Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL; if no match is found, it checks the management plane cache, and if no match is found there, it queries the URL database in the cloud. In the case of the PAN-DB private cloud, the firewall queries the M-500 appliance(s) in the private cloud instead of the public cloud URL database.
Setting the action to block for traffic that is categorized as not-resolved may be very disruptive to users. You could set the action to continue instead, so that you can notify users that they are accessing a site that is blocked by company policy and give them the option to read the disclaimer and continue to the website.
For more information on troubleshooting lookup issues, see Troubleshoot URL Filtering.

Category: private-ip-addresses
Description: Indicates that the website is a single domain (no subdomains), the IP address is in the private IP range, or the URL root domain is unknown to the cloud.

Category: unknown
Description: The website has not yet been categorized, so it does not exist in the URL filtering database on the firewall or in the URL cloud database.
When deciding what action to take for traffic categorized as unknown, be aware that setting the action to block may be very disruptive to users, because there could be many valid sites that are not in the URL database yet. If you do want a very strict policy, you can block this category so that websites that do not exist in the URL database cannot be accessed.
Palo Alto Networks collects the list of URLs from the unknown category and processes them to determine the URL category. These URLs are processed automatically, every day, provided the website has machine-readable content that is in a supported format and language. Upon categorization, the updated category information is made available to all PAN-DB customers.
See Configure URL Filtering.
You can submit URL categorization change requests using the Palo Alto Networks dedicated web portal (Test A Site), the URL Filtering profile setup page on the firewall, or the URL filtering log on the firewall. Each change request is automatically processed every day, provided the website provides machine-readable content that is in a supported format and language. Sometimes the categorization change requires a member of the Palo Alto Networks engineering staff to perform a manual review; in such cases, the process may take a little longer.
URL Filtering Profile Actions
Action: alert
Description: The website is allowed and a log entry is generated in the URL filtering log.

Action: allow
Description: The website is allowed and no log entry is generated.

Action: block
Description: The website is blocked; the user sees a response page and cannot continue to the website. A log entry is generated in the URL filtering log.

Action: continue
Description: The user is prompted with a response page indicating that the site has been blocked due to company policy, but is given the option to continue to the website. The continue action is typically used for categories that are considered benign; it improves the user experience by giving users the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log.
Note: The Continue page does not display properly on client systems configured to use a proxy server.

Action: override
Description: The user sees a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or help desk person provides a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log. See Configure URL Admin Override.
Note: The Override page does not display properly on client systems configured to use a proxy server.

Action: none
Description: The none action only applies to custom URL categories. Select none to ensure that, if multiple URL Filtering profiles exist, the custom category has no impact on other profiles. For example, if you have two URL Filtering profiles and the custom URL category is set to block in one profile, and you do not want the block action to apply in the other profile, you must set the action to none in that other profile.
Also, in order to delete a custom URL category, it must be set to none in any profile where it is used.
Block and Allow Lists
Do not include HTTP and HTTPS when defining the allow or block list entries. For example, enter www.paloaltonetworks.com or paloaltonetworks.com instead of https://www.paloaltonetworks.com.
Entries in the block list must be an exact match and are case-insensitive.
For example, to prevent a user from accessing any website within the paloaltonetworks.com domain, add *.paloaltonetworks.com to the block list. This blocks all paloaltonetworks.com URLs, even if the address includes a domain prefix (http://, www) or a subdomain prefix (mail.paloaltonetworks.com). The same applies to the subdomain suffix. For example, if you want to block paloaltonetworks.com/en/US, you would add paloaltonetworks.com/* to the block list as well.
Further, to block access to a domain suffix such as paloaltonetworks.com.au, you must add an entry with a slash (/) at the end. In this example, you would add *.paloaltonetworks.com/ to the block list.
The block and allow lists support wildcard patterns. The following characters are considered separators:
.
/
?
&
=
;
+
Every substring separated by a character listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or an asterisk (*). For example, the following patterns are valid:
*.yahoo.com (tokens are: "*", "yahoo" and "com")
www.*.com (tokens are: "www", "*" and "com")
www.yahoo.com/search=* (tokens are: "www", "yahoo", "com", "search", "*")
The following patterns are invalid because the asterisk (*) is not the only character in the token:
ww*.yahoo.com
www.y*.com
Safe Search Enforcement
Block Search Results that are not Using Strict Safe Search Settings: When an end user attempts to perform a search without first enabling the strictest safe search settings, the firewall blocks the search query results and displays the URL Filtering Safe Search Block Page. By default, this page provides a URL to the search provider settings for configuring safe search.
Enable Transparent Safe Search Enforcement: When an end user attempts to perform a search without first enabling the strict safe search settings, the firewall blocks the search results with an HTTP 503 status code and redirects the search query to a URL that includes the safe search parameters. You enable this functionality by importing a new URL Filtering Safe Search Block Page containing the JavaScript for rewriting the search URL to include the strict safe search parameters. In this configuration, users do not see the block page, but are instead automatically redirected to a search query that enforces the strictest safe search options. This safe search enforcement method requires content release version 475 or later and is only supported for Google, Yahoo, and Bing searches.
Also, because most search providers now use SSL to return search results, you must also configure a Decryption policy rule for the search traffic to enable the firewall to inspect the search traffic and enforce safe search.
Safe search enforcement enhancements and support for new search providers are periodically added in content releases. This information is detailed in the Applications and Threats Content Release Notes. Judging whether sites are safe or unsafe is performed by each search provider, not by Palo Alto Networks.
Safe search settings differ by search provider as detailed in Table: Search Provider Safe Search Settings.
Table: Search Provider Safe Search Settings

Search Provider: Google/YouTube
Safe Search Setting Description: Offers safe search on individual computers or network-wide through Google's safe search virtual IP address:
Safe Search Enforcement for Google Searches on Individual Computers: In the Google Search Settings, the Filter explicit results setting enables safe search functionality. When enabled, the setting is stored in a browser cookie as FF= and passed to the server each time the user performs a Google search. Appending safe=active to a Google search query URL also enables the strictest safe search settings.
Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address: Google provides servers that Lock SafeSearch (forcesafesearch.google.com) settings in every Google and YouTube search. By adding a DNS entry for www.google.com and www.youtube.com (and other relevant Google and YouTube country subdomains) that includes a CNAME record pointing to forcesafesearch.google.com to your DNS server configuration, you can ensure that all users on your network are using strict safe search settings every time they perform a Google or YouTube search. Keep in mind, however, that this solution is not compatible with Safe Search Enforcement on the firewall. Therefore, if you are using this option to force safe search on Google, the best practice is to block access to other search engines on the firewall by creating custom URL categories and adding them to the block list in the URL Filtering profile.
Note: If you plan to use the Google Lock SafeSearch solution, consider configuring DNS Proxy (Network > DNS Proxy) and setting the inheritance source as the Layer 3 interface on which the firewall receives DNS settings from the service provider via DHCP. You would configure the DNS proxy with Static Entries for www.google.com and www.youtube.com, using the local IP address of the forcesafesearch.google.com server.

Search Provider: Yahoo
Safe Search Setting Description: Offers safe search on individual computers only. The Yahoo Search Preferences include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as vm= and passed to the server each time the user performs a Yahoo search. Appending vm=r to a Yahoo search query URL also enables the strictest safe search settings.
Note: When performing a search on Yahoo Japan (yahoo.co.jp) while logged into a Yahoo account, end users must also enable the SafeSearch Lock option.

Search Provider: Bing
Safe Search Setting Description: Offers safe search on individual computers or through the Bing in the Classroom program. The Bing Settings include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as adlt= and passed to the server each time the user performs a Bing search. Appending adlt=strict to a Bing search query URL also enables the strictest safe search settings.
The Bing SSL search engine does not enforce the safe search URL parameters, so you should consider blocking Bing over SSL for full safe search enforcement.
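The transparent enforcement method described above rewrites the search URL in the JavaScript of the imported Safe Search Block Page. The following Python function is an added example, not code from this guide or from PAN-OS: it applies the strict query parameters listed in the table (safe=active, vm=r, adlt=strict) to a request URL so you can see which URLs would be rewritten and how. Detecting the provider from a hostname label and limiting the check to /search paths are assumptions made for the example; the firewall's own detection logic is defined by content releases.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Strictest safe-search query parameter per provider, taken from the table above.
STRICT_PARAMS = {
    "google": ("safe", "active"),
    "yahoo": ("vm", "r"),
    "bing": ("adlt", "strict"),
}


def identify_provider(host):
    """Return the provider whose name appears as a label of the hostname
    (assumption for this example: www.google.co.uk, search.yahoo.com and
    www.bing.com all qualify), or None for any other site."""
    labels = host.lower().split(".")
    for provider in STRICT_PARAMS:
        if provider in labels:
            return provider
    return None


def enforce_safe_search(url):
    """Return (url, rewritten). A /search request to a supported provider that
    lacks the strict parameter is rewritten to carry it; any weaker value for
    the same parameter (for example adlt=moderate) is replaced. Everything
    else is returned unchanged."""
    parts = urlsplit(url)
    provider = identify_provider(parts.hostname or "")
    if provider is None or not parts.path.startswith("/search"):
        return url, False
    name, strict_value = STRICT_PARAMS[provider]
    params = parse_qsl(parts.query, keep_blank_values=True)
    if any(k == name and v == strict_value for k, v in params):
        return url, False          # already strict: nothing to do
    params = [(k, v) for k, v in params if k != name] + [(name, strict_value)]
    return urlunsplit(parts._replace(query=urlencode(params))), True


if __name__ == "__main__":
    for sample in ("https://www.google.com/search?q=cats",
                   "https://www.bing.com/search?q=cats&adlt=moderate",
                   "https://search.yahoo.com/search?p=cats&vm=r",
                   "https://www.example.com/search?q=cats"):
        print(sample, "->", enforce_safe_search(sample))
```

In the firewall's deployment the same rewrite runs in the browser after the 503 response, so the user lands directly on the strict result page; a Decryption rule is still required for the firewall to see the query in the first place.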
Container Pages
A container page is the main page that a user accesses when visiting a website, but additional websites may be loaded within the main page. If the Log Container page only option is enabled in the URL Filtering profile, only the main container page is logged, not subsequent pages that may be loaded within the container page. Because URL filtering can potentially generate a lot of log entries, you may want to turn on this option so that log entries only contain those URIs where the requested page file name matches specific MIME types. The default set includes the following MIME types:
application/pdf
application/soap+xml
application/xhtml+xml
text/html
text/plain
text/xml
Note: If you have enabled the Log container page only option, there may not always be a correlated URL log entry for threats detected by antivirus or vulnerability protection.
HTTP Header Logging
Header: User-Agent
Description: The web browser that the user used to access the URL, for example, Internet Explorer. This information is sent in the HTTP request to the server.
Header: Referer
Description: The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.
Header: X-Forwarded-For (XFF)
Description: The option in the HTTP request header field that preserves the IP address of the user who requested the web page. If you have a proxy server on your network, the XFF allows you to identify the IP address of the user who requested the content, instead of only recording the proxy server's IP address as the source IP address that requested the web page.
All three headers are set by the client or by an upstream proxy, so treat their logged values as untrusted input when you use them for attribution.
URL Filtering Response Pages
URL Filtering and Category Match Block Page: Access blocked by a URL Filtering profile or because the URL category is blocked by a security policy.
URL Filtering Continue and Override Page: Page with an initial block policy that allows users to bypass the block by clicking Continue. With URL Admin Override enabled (Configure URL Admin Override), after clicking Continue, the user must supply a password to override the policy that blocks the URL.
URL Filtering Safe Search Block Page: Access blocked by a security policy with a URL Filtering profile that has the Safe Search Enforcement option enabled (see Enable Safe Search Enforcement). The user sees this page if a search is performed using Google, Bing, Yahoo, or Yandex and their browser or search engine account setting for Safe Search is not set to strict.
You can either use the predefined pages, or you can Customize the URL Filtering Response Pages to communicate your specific acceptable use policies and/or corporate branding. In addition, you can use the URL Filtering Response Page Variables for substitution at the time of the block event, or add one of the supported Response Page References to external images, sounds, or style sheets.
URL Filtering Response Page Variables
Variable: <user/>
Usage: The firewall replaces the variable with the user name (if available via User-ID) or IP address of the user when displaying the response page.
Variable: <url/>
Usage: The firewall replaces the variable with the requested URL when displaying the response page.
Variable: <category/>
Usage: The firewall replaces the variable with the URL filtering category of the blocked request.
Variable: <pan_form/>
Usage: HTML code for displaying the Continue button on the URL Filtering Continue and Override page.
You can also add code that triggers the firewall to display different messages depending on what URL category the user is attempting to access. For example, the following code snippet from a response page displays Message 1 if the URL category is games, Message 2 if the category is travel, or Message 3 if the category is kids:
// The firewall substitutes the blocked request's category for <category/> before serving the page.
var cat = "<category/>";
switch(cat)
{
case 'games':
document.getElementById("warningText").innerHTML = "Message 1";
break;
case 'travel':
document.getElementById("warningText").innerHTML = "Message 2";
break;
case 'kids':
document.getElementById("warningText").innerHTML = "Message 3";
break;
}
Only a single HTML page can be loaded into each virtual system for each type of block page. However, other resources such as images, sounds, and cascading style sheets (CSS files) can be loaded from other servers at the time the response page is displayed in the browser. All references must include a fully qualified URL.
Response Page References
Reference Type: Image
Example HTML Code: <img src="http://virginiadot.org/images/Stop-Sign-gif.gif">
Reference Type: Sound
Example HTML Code: <embed src="http://simplythebest.net/sounds/WAV/WAV_files/movie_WAV_files/do_not_go.wav" volume="100" hidden="true" autostart="true">
Reference Type: Style Sheet
Reference Type: Hyperlink
Example HTML Code: <a href="http://en.wikipedia.org/wiki/Acceptable_use_policy">View Corporate Policy</a>
URL Category as Policy Match Criteria
that matches those categories and set the action to no-decrypt. By placing this rule above the rule that decrypts all traffic, you ensure that web traffic in the URL categories matched by the no-decrypt rule is left encrypted, while all other traffic matches the subsequent rule.
The following table describes the policy types that accept URL category as match criteria:
Policy Type: Captive Portal
Description: To ensure that users authenticate before being allowed access to a specific category, you can attach a URL category as a match criterion for the Captive Portal policy.
Policy Type: Decryption
Description: Decryption policies can use URL categories as match criteria to determine whether specified websites should be decrypted or not. For example, if you have a decryption policy with the action decrypt for all traffic between two zones, there may be specific website categories, such as financial-services and/or health-and-medicine, that should not be decrypted. In this case, you would create a new decryption policy with the action no-decrypt that precedes the decrypt policy and defines a list of URL categories as match criteria for the policy. By doing this, each URL category that is part of the no-decrypt policy is not decrypted. You could also configure a custom URL category to define your own list of URLs that can then be used in the no-decrypt policy.
Policy Type: QoS
Description: QoS policies can use URL categories to allocate throughput levels for specific website categories. For example, you may want to allow the streaming-media category but limit its throughput by adding the URL category as match criteria to the QoS policy.
Policy Type: Security
Description: In security policies you can use URL categories both as match criteria in the Service/URL Category tab, and in URL Filtering profiles that are attached in the Actions tab.
If, for example, the IT security group in your company needs access to the hacking category, while all other users are denied access to the category, you must create the following rules:
A security rule that allows the IT Security group to access content categorized as hacking. The security rule references the hacking category in the Service/URL Category tab and the IT Security group in the Users tab.
Another security rule that allows general web access for all users. To this rule you attach a URL Filtering profile that blocks the hacking category.
The rule that allows access to hacking must be listed before the rule that blocks hacking. This is because security policy rules are evaluated top-down: when a user who is part of the IT Security group attempts to access a hacking site, the rule that allows access is evaluated first and allows the user access to the hacking sites. Users from all other groups are evaluated against the general web access rule, which blocks access to the hacking sites.
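A first-match evaluator for the rule ordering described above, as an added example rather than PAN-OS code. Rules are plain dicts carrying only the fields this example needs (name, user groups, URL categories, action and an optional URL Filtering profile); the rule names and the shadowed_rules lint are assumptions made for the example, and real rules match on many more fields. The same evaluator also covers the Decryption row, where the no-decrypt rule must precede the decrypt-all rule.

```python
def evaluate(rules, user_groups, category):
    """Top-down, first-match evaluation. Returns (rule_name, effective_action).
    A matching allow rule that carries a URL Filtering profile applies the
    profile's per-category action; categories absent from the profile are allowed."""
    for rule in rules:
        if rule["groups"] != "any" and not set(rule["groups"]) & set(user_groups):
            continue
        if rule["categories"] != "any" and category not in rule["categories"]:
            continue
        if rule["action"] != "allow":
            return rule["name"], rule["action"]
        profile = rule.get("profile", {})
        return rule["name"], profile.get(category, "allow")
    return "implicit-deny", "deny"


def covers(broad, narrow):
    """True when every value accepted by `narrow` is also accepted by `broad`."""
    return broad == "any" or (narrow != "any" and set(narrow) <= set(broad))


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule accepts
    every (group, category) combination they accept (a lint for this example)."""
    names = []
    for index, rule in enumerate(rules):
        for earlier in rules[:index]:
            if covers(earlier["groups"], rule["groups"]) and covers(earlier["categories"], rule["categories"]):
                names.append(rule["name"])
                break
    return names


# Constructed rule base modelled on the hacking-category example above.
IT_SECURITY_HACKING = {
    "name": "it-security-hacking",
    "groups": ["it-security"],      # Users tab
    "categories": ["hacking"],      # Service/URL Category tab
    "action": "allow",
}
GENERAL_WEB = {
    "name": "general-web",
    "groups": "any",
    "categories": "any",
    "action": "allow",
    "profile": {"hacking": "block", "malware": "block"},   # URL Filtering profile, Actions tab
}
CORRECT_ORDER = [IT_SECURITY_HACKING, GENERAL_WEB]
SHADOWED_ORDER = [GENERAL_WEB, IT_SECURITY_HACKING]     # the general rule hides the exception

# Decryption example: categories that must stay encrypted, ahead of decrypt-all.
DECRYPTION_RULES = [
    {"name": "no-decrypt-sensitive", "groups": "any",
     "categories": ["financial-services", "health-and-medicine"], "action": "no-decrypt"},
    {"name": "decrypt-all", "groups": "any", "categories": "any", "action": "decrypt"},
]

if __name__ == "__main__":
    print(evaluate(CORRECT_ORDER, ["it-security"], "hacking"))
    print(evaluate(SHADOWED_ORDER, ["it-security"], "hacking"))
    print("shadowed:", shadowed_rules(SHADOWED_ORDER))
    print(evaluate(DECRYPTION_RULES, ["finance"], "financial-services"))
```

Swapping the two security rules is enough to silently revoke the IT Security exception, which is why a shadowing check of this kind is worth running whenever rules are reordered.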
PAN-DB Categorization
PAN-DB URL Categorization Components
PAN-DB URL Categorization Workflow
PAN-DB URL Categorization Components
The following table describes the PAN-DB components in detail. The BrightCloud system works similarly, but does not use an initial seed database.
Component: URL Filtering Seed Database
Description: The initial seed database downloaded to the firewall is a small subset of the database that is maintained on the Palo Alto Networks URL cloud servers. This is done because the full database contains millions of URLs, many of which may never be accessed by your users. When downloading the initial seed database, you select a region (North America, Europe, APAC, Japan). Each region contains a subset of the URLs most accessed for the given region. This allows the firewall to store a much smaller URL database for better URL lookup performance. If a user accesses a website that is not in the local URL database, the firewall queries the full cloud database and then adds the new URL to the local database. In this way the local database on the firewall is continually populated and customized based on actual user activity.
Note that re-downloading the PAN-DB seed database or switching the URL database vendor from PAN-DB to BrightCloud clears the local database.
Component: Cloud Service (see Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud for information on the private cloud)
Description: The PAN-DB cloud service is implemented using Amazon Web Services (AWS). AWS provides a distributed, high-performance, and stable environment for seed database downloads and URL lookups for Palo Alto Networks firewalls, and communication is performed over SSL. The AWS cloud systems hold the entire PAN-DB, which is updated as new URLs are identified. The PAN-DB cloud service supports an automated mechanism to update the local URL database on the firewall if the version does not match. Each time the firewall queries the cloud servers for URL lookups, it also checks for critical updates. If there have been no queries to the cloud servers for more than 30 minutes, the firewall checks for updates on the cloud systems.
The cloud system also provides a mechanism to submit URL category change requests. This is performed through the Test A Site service and is available directly from the firewall (URL Filtering profile setup) and from the Palo Alto Networks Test A Site website. You can also submit a URL categorization change request directly from the URL filtering log on the firewall, in the log details section.
Component: Management Plane (MP) URL Cache
Description: When you activate PAN-DB on the firewall, the firewall downloads a seed database from one of the PAN-DB cloud servers to initially populate the local cache for improved lookup performance. Each regional seed database contains the top URLs for the region, and the size of the seed database (number of URL entries) also depends on the platform. The URL MP cache is automatically written to the local drive on the firewall every eight hours, before the firewall is rebooted, or when the cloud upgrades the URL database version on the firewall. After rebooting the firewall, the file that was saved to the local drive is loaded into the MP cache. A least recently used (LRU) mechanism is also implemented in the URL MP cache in case the cache is full: if the cache becomes full, the URLs that have been accessed the least are replaced by the newer URLs.
Component: Dataplane (DP) URL Cache
Description: This is a subset of the MP cache and is a customized, dynamic URL database that is stored in the dataplane (DP) and is used to improve URL lookup performance. The URL DP cache is cleared at each firewall reboot. The number of URLs that are stored in the URL DP cache varies by hardware platform and by the current URLs stored in the TRIE (data structure). A least recently used (LRU) mechanism is implemented in the DP cache in case the cache is full: if the cache becomes full, the URLs that have been accessed the least are replaced by the newer URLs. Entries in the URL DP cache expire after a specified period of time; this expiration period is not configurable.
If a requested URL matches an expired entry in the dataplane (DP) URL cache, the cache responds with the expired category but also sends a URL categorization query to the management plane (MP) cache. This prevents unnecessary delays in the DP, on the assumption that categories change infrequently. Similarly, in the MP URL cache, if a URL query from the DP cache matches an expired entry in the MP cache, the MP responds to the DP with the expired category and also sends a URL categorization request to the PAN-DB cloud database. Upon getting the response from the cloud, the firewall sends the updated category to the DP.
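The lookup order and stale-while-refresh behaviour described above, as an added simulation that is not PAN-OS code: a DP cache in front of an MP cache in front of a constructed stand-in for the cloud database, where each cache is a fixed-size LRU whose entries expire but are served stale while a refresh runs. The capacities, the TTL and the logical clock passed to each call are assumptions chosen so that eviction and expiry are easy to observe; the real expiry period is not published.

```python
from collections import OrderedDict


class LruTtlCache:
    """Fixed-capacity LRU cache whose entries expire after `ttl` ticks but are
    kept and served stale until replaced, as the DP and MP caches do."""

    def __init__(self, capacity, ttl):
        self.capacity = capacity
        self.ttl = ttl
        self._entries = OrderedDict()   # url -> (category, stored_at)

    def get(self, url, now):
        """Return (category, expired) or None; a hit becomes most recently used."""
        if url not in self._entries:
            return None
        category, stored_at = self._entries[url]
        self._entries.move_to_end(url)
        return category, (now - stored_at) >= self.ttl

    def put(self, url, category, now):
        self._entries[url] = (category, now)
        self._entries.move_to_end(url)
        if len(self._entries) > self.capacity:
            self._entries.popitem(last=False)   # evict the least recently used entry


class UrlCategoryResolver:
    """DP cache -> MP cache -> cloud, answering stale and refreshing afterwards."""

    def __init__(self, cloud_db, cloud_online=True, dp_capacity=2, mp_capacity=4, ttl=10):
        self.cloud_db = cloud_db            # constructed stand-in for the PAN-DB cloud
        self.cloud_online = cloud_online
        self.dp = LruTtlCache(dp_capacity, ttl)
        self.mp = LruTtlCache(mp_capacity, ttl)
        self.cloud_queries = 0

    def _query_cloud(self, url):
        if not self.cloud_online:
            return "not-resolved"           # cloud unreachable: nothing is cached
        self.cloud_queries += 1
        return self.cloud_db.get(url, "unknown")   # no match in the database

    def _refresh(self, url, now):
        """Refresh after a stale answer: a fresh MP entry is pushed down to the DP;
        otherwise the cloud is asked and both caches receive the new category."""
        hit = self.mp.get(url, now)
        if hit and not hit[1]:
            self.dp.put(url, hit[0], now)
            return
        category = self._query_cloud(url)
        if category != "not-resolved":
            self.mp.put(url, category, now)
            self.dp.put(url, category, now)

    def lookup(self, url, now):
        """Return (category, source); source records which tier answered."""
        hit = self.dp.get(url, now)
        if hit:
            category, expired = hit
            if expired:
                self._refresh(url, now)     # stale answer now, fresh entry next time
                return category, "dp-stale"
            return category, "dp"
        hit = self.mp.get(url, now)
        if hit:
            category, expired = hit
            if expired:
                self._refresh(url, now)
                return category, "mp-stale"
            self.dp.put(url, category, now)
            return category, "mp"
        category = self._query_cloud(url)
        if category == "not-resolved":
            return category, "unreachable"
        self.mp.put(url, category, now)
        self.dp.put(url, category, now)
        return category, "cloud"


if __name__ == "__main__":
    resolver = UrlCategoryResolver({"a.test": "games", "b.test": "travel"})
    for tick in (0, 1, 11, 12):
        print(tick, resolver.lookup("a.test", tick))
    print("cloud queries:", resolver.cloud_queries)
```

The simulation makes the trade-off visible: a stale category is returned once and the cloud is consulted in the background, which is exactly why a recategorization takes one expiry period to reach the dataplane.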
As new URLs and categories are defined, or if critical updates are needed, the cloud database is updated. Each time the firewall queries the cloud for a URL lookup, or if no cloud lookups have occurred for 30 minutes, the database versions on the firewall and in the cloud are compared, and if they do not match, an incremental update is performed.
Enable a URL Filtering Vendor
To enable URL filtering on a firewall, you must purchase and activate a URL Filtering license for one of the supported URL Filtering vendors and then install the database for the vendor you selected.
Note: Starting with PAN-OS 6.0, firewalls managed by Panorama do not need to be running the same URL filtering vendor that is configured on Panorama. For firewalls running PAN-OS 6.0 or later, when a mismatch is detected between the vendor enabled on the firewalls and what is enabled on Panorama, the firewalls can automatically migrate URL categories and/or URL Filtering profiles to (one or more) categories that align with those of the vendor enabled on the firewall. For guidance on how to configure URL Filtering on Panorama if you are managing firewalls running different PAN-OS versions, refer to the Panorama Administrator's Guide.
If you have valid licenses for both PAN-DB and BrightCloud, activating the PAN-DB license automatically deactivates the BrightCloud license (and vice versa). Only one URL filtering license can be active on a firewall at a time.
Enable PAN-DB URL Filtering
Enable BrightCloud URL Filtering

Enable PAN-DB URL Filtering
Step 1: Obtain and install a PAN-DB URL filtering license and confirm that it is installed.
Note: If the license expires, PAN-DB URL Filtering continues to work based on the URL category information that exists in the dataplane and management plane caches. However, URL cloud lookups and other cloud-based updates will not function until you install a valid license.
Enable PAN-DB URL Filtering (Continued)
Step 2: Download the initial seed database and activate PAN-DB URL Filtering.
Note: The firewall must have Internet access; you cannot manually upload the PAN-DB seed database.
1. In the PAN-DB URL Filtering section, Download Status field, click Download Now.
2. Choose a region (North America, Europe, APAC, Japan) and then click OK to start the download.
3. After the download completes, click Activate.
Note: If PAN-DB is already the active URL filtering vendor and you click Re-Download, this reactivates PAN-DB by clearing the dataplane and management plane caches and replacing them with the contents of the new seed database. Avoid doing this unless it is necessary, because you will lose your cache, which is customized based on the web traffic that has previously passed through the firewall.
Step 3: Schedule the firewall to download dynamic updates for Applications and Threats.
Note: A Threat Prevention license is required to receive content updates, which cover Antivirus and Applications and Threats.
1. Select Device > Dynamic Updates.
2. In the Schedule field in the Applications and Threats section, click the None link to schedule periodic updates.
Note: You can only schedule dynamic updates if the firewall has direct Internet access. If updates are already scheduled in a section, the link text displays the schedule settings.
The Applications and Threats updates sometimes contain updates for URL filtering related to the Safe Search Enforcement option in the URL Filtering profile (Objects > Security Profiles > URL Filtering). For example, if Palo Alto Networks adds support for a new search provider or if the method used to detect the Safe Search setting for an existing provider changes, the Applications and Threats updates include that change.
Enable BrightCloud URL Filtering
Step 1: Obtain and install a BrightCloud URL filtering license and confirm that it is installed.
Note: BrightCloud has an option in the URL Filtering profile (Objects > Security Profiles > URL Filtering) to either allow all categories or block all categories if the license expires.
Enable BrightCloud URL Filtering (Continued)
Step 2: Install the BrightCloud database. The way you do this depends on whether or not the firewall has direct Internet access.
Firewall with Direct Internet Access
Select Device > Licenses and, in the BrightCloud URL Filtering section, Active field, click the Activate link to install the BrightCloud database. This operation automatically initiates a system reset.
Firewall without Direct Internet Access
1. Download the BrightCloud database to a host that has Internet access. The firewall must have access to the host:
a. On a host with Internet access, go to the Palo Alto Networks Customer Support website, www.paloaltonetworks.com/support/tabs/overview.html, and log in.
b. In the Resources section, click Dynamic Updates.
c. In the BrightCloud Database section, click Download and save the file to the host.
2. Upload the database to the firewall:
a. Log in to the firewall, select Device > Dynamic Updates and click Upload.
b. For the Type, select URL Filtering.
c. Enter the path to the File on the host or click Browse to find it, then click OK. When the Status is Completed, click Close.
3. Install the database:
a. Select Device > Dynamic Updates and click Install From File.
b. For the Type, select URL Filtering. The firewall automatically selects the file you just uploaded.
c. Click OK and, when the Result is Succeeded, click Close.
Step 3: Enable cloud lookups for dynamically categorizing a URL if the category is not available in the local BrightCloud database.
1. Access the PAN-OS CLI.
2. Enter the following commands to enable dynamic URL filtering:
configure
set deviceconfig setting url dynamic-url yes
commit
Enable BrightCloud URL Filtering (Continued)
Step 4: Schedule the firewall to download dynamic updates for Applications and Threats signatures and URL filtering. You can only schedule dynamic updates if the firewall has direct Internet access.
The Applications and Threats updates might contain updates for URL filtering related to the Safe Search Enforcement option in the URL Filtering profile. For example, if Palo Alto Networks adds support for a new search provider or if the method used to detect the Safe Search setting for an existing provider changes, the Applications and Threats updates include that change.
BrightCloud updates include a database of approximately 20 million websites that are stored locally on the firewall. You must schedule URL filtering updates to receive BrightCloud database updates.
Note: A Threat Prevention license is required to receive Antivirus and Applications and Threats updates.
Determine URL Filtering Policy Requirements
The recommended practice for deploying URL filtering in your organization is to start with a passive URL Filtering profile that alerts on most categories. After setting the alert action, monitor user web activity for a few days to determine patterns in web traffic. You can then make decisions on the websites and website categories that should be controlled.
In the procedure that follows, threat-prone sites are set to block and the other categories are set to alert, which causes all website traffic to be logged. This may potentially create a large amount of log data, so it is best to do this for initial monitoring purposes only, to determine the types of websites your users are accessing. After determining the categories that your company approves of, set those categories to allow, which does not generate logs. You can also reduce URL filtering logs by enabling the Log container page only option in the URL Filtering profile, so that only the main page that matches the category is logged, not subsequent pages/categories that may be loaded within the container page.
If you subscribe to third-party URL feeds and want to secure your users from emerging threats, see Use an External Dynamic List in a URL Filtering Profile.
Configure and Apply a Passive URL Filtering Profile
Step 1: Create a new URL Filtering profile.
2. Select the default profile and then click Clone. The new profile is named default-1.
3. Select the default-1 profile and rename it. For example, rename it to URL-Monitoring.
Step 2: Configure the action for all categories to alert, except for threat-prone categories, which should remain blocked.
Tip: To select all items in the category list from a Windows system, click the first category, then hold down the shift key and click the last category; this selects all categories. Hold the control key (ctrl) down and click items that should be deselected. On a Mac, do the same using the shift and command keys. You could also just set all categories to alert and manually change the recommended categories back to block.
1. In the section that lists all URL categories, select all categories.
2. To the right of the Action column heading, mouse over and select the down arrow, then select Set Selected Actions and choose alert.
3. To ensure that you block access to threat-prone sites, select the following categories and then set the action to block: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, weapons.
4. Click OK to save the profile.
Step 3: Apply the URL Filtering profile to the security policy rule(s) that allow web traffic for users.
2. Select the Actions tab and, in the Profile Setting section, click the drop-down for URL Filtering and select the new profile.
3. Click OK to save.
Configure and Apply a Passive URL Filtering Profile (Continued)
Step 4: Save the configuration. Click Commit.
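After the passive profile above has run for a few days, the alert entries are what you review. The following script is an added example, not code from this guide or from PAN-OS: it aggregates a constructed sample of URL filtering log lines by category (hits, distinct users, top domains) and turns the review into draft profile actions, keeping the threat-prone categories from the procedure on block. The five-column line format and the sample lines are assumptions made for the example, not the real PAN-OS log schema.

```python
import csv
import io
from collections import Counter, defaultdict

# Threat-prone categories that the procedure above leaves on block.
THREAT_PRONE = {"abused-drugs", "adult", "gambling", "hacking", "malware",
                "phishing", "questionable", "weapons"}

# Constructed sample export (assumed columns: time, user, category, URL, action).
SAMPLE_URL_LOG = """\
2016-05-02 09:01:12,acme\\alice,business-and-economy,news.example.test/markets,alert
2016-05-02 09:02:40,acme\\bob,streaming-media,video.example.test/watch?v=1,alert
2016-05-02 09:03:05,acme\\alice,streaming-media,video.example.test/watch?v=2,alert
2016-05-02 09:04:17,acme\\carol,hacking,exploits.example.test/,block
2016-05-02 09:05:00,acme\\bob,unknown,new-site.example.test/,alert
2016-05-02 09:06:30,acme\\dave,streaming-media,music.example.test/,alert
2016-05-02 09:07:10,acme\\carol,business-and-economy,news.example.test/quotes,alert
"""


def summarize(log_text):
    """Aggregate hits, distinct users and domain counts per URL category."""
    summary = defaultdict(lambda: {"hits": 0, "users": set(), "domains": Counter()})
    for _time, user, category, url, _action in csv.reader(io.StringIO(log_text)):
        entry = summary[category]
        entry["hits"] += 1
        entry["users"].add(user)
        entry["domains"][url.split("/")[0]] += 1
    return dict(summary)


def review_order(summary):
    """(category, hits, distinct users) ordered by volume, highest first."""
    rows = ((cat, s["hits"], len(s["users"])) for cat, s in summary.items())
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def draft_actions(summary, approved):
    """Turn the review into profile actions: threat-prone categories stay on
    block, approved categories move to allow (no log entry), and everything
    else stays on alert so it keeps being logged."""
    actions = {}
    for category in set(summary) | THREAT_PRONE:
        if category in THREAT_PRONE:
            actions[category] = "block"
        elif category in approved:
            actions[category] = "allow"
        else:
            actions[category] = "alert"
    return actions


if __name__ == "__main__":
    summary = summarize(SAMPLE_URL_LOG)
    for category, hits, users in review_order(summary):
        top = summary[category]["domains"].most_common(1)[0][0]
        print(f"{category:24} hits={hits} users={users} top={top}")
    print(draft_actions(summary, approved={"business-and-economy"}))
```

The draft keeps unknown on alert rather than allow, which matches the guidance under URL Categories: moving a high-volume category to allow reduces log volume, but doing that for unknown would hide exactly the sites that have not been categorized yet.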
Use an External Dynamic List in a URL Filtering Profile
An External Dynamic List is a text file that is hosted on an external web server. You can use this list to import URLs and enforce policy on these URLs. When you update the list on the web server, the firewall retrieves the changes and applies policy to the modified list without requiring a commit on the firewall. Because changes to the file take effect without a commit, control who can write to the file on the web server.
For more information, see External Dynamic List and Enforce Policy on Entries in an External Dynamic List.
Use an External Dynamic List with URLs in a URL Filtering Profile
Step 1: Create the external dynamic list for URLs and host it on a web server.
Create a text file and enter the URLs in the file; each URL must be on a separate line. For example:
financialtimes.co.in
www.wallaby.au/joey
www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
*.example.com/*
abc?*/abc.com
*&*.net
See Block and Allow Lists for formatting guidelines.
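The Block and Allow Lists formatting rules and the URL list above follow the same token rules, so one added example serves both passages (it is not code from this guide or from PAN-OS): it strips a leading scheme, tokenizes on the separator characters, rejects any token that mixes an asterisk with other characters, and reports bare IP addresses as the kind of non-URL entry the firewall skips. Treating a bare IP address as the non-URL case, and the sample list itself, are assumptions made for the example.

```python
import ipaddress

SEPARATORS = set("./?&=;+")   # the separator characters listed under Block and Allow Lists

# Constructed sample list mixing valid, scheme-prefixed, invalid and non-URL entries.
SAMPLE_LIST = """\
financialtimes.co.in
https://www.paloaltonetworks.com
*.example.com/*
abc?*/abc.com
*&*.net
*.paloaltonetworks.com/
ww*.yahoo.com
www.y*.com
192.0.2.10
"""


def strip_scheme(entry):
    """Entries must not carry http:// or https://; return (entry, stripped)."""
    lowered = entry.lower()
    for scheme in ("http://", "https://"):
        if lowered.startswith(scheme):
            return entry[len(scheme):], True
    return entry, False


def tokenize(pattern):
    """Split on the separator characters. Every substring between separators is
    a token, including an empty one after a trailing slash."""
    tokens, current = [], []
    for ch in pattern:
        if ch in SEPARATORS:
            tokens.append("".join(current))
            current = []
        else:
            current.append(ch)
    tokens.append("".join(current))
    return tokens


def is_valid_pattern(pattern):
    """A token is any run of ASCII characters without separators; an asterisk
    must be the only character in its token, so 'ww*' and 'y*' are invalid."""
    if not pattern or not pattern.isascii():
        return False
    return all(tok == "*" or "*" not in tok for tok in tokenize(pattern))


def is_ip_address(entry):
    """Assumption for the example: a bare IP address is a non-URL entry."""
    try:
        ipaddress.ip_address(entry.split("/")[0])
        return True
    except ValueError:
        return False


def validate_list(text):
    """Return (entry, status, normalized) for each non-blank line, where status
    is one of ok, scheme-stripped, invalid-wildcard or skipped-ip."""
    report = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        normalized, stripped = strip_scheme(entry)
        if is_ip_address(normalized):
            report.append((entry, "skipped-ip", normalized))
        elif not is_valid_pattern(normalized):
            report.append((entry, "invalid-wildcard", normalized))
        else:
            report.append((entry, "scheme-stripped" if stripped else "ok", normalized))
    return report


if __name__ == "__main__":
    for entry, status, normalized in validate_list(SAMPLE_LIST):
        print(f"{status:16} {entry} -> {normalized} tokens={tokenize(normalized)}")
```

Running a check like this before publishing the file catches the two failure modes the guide warns about, a stray scheme and an asterisk glued to other characters, before the firewall silently skips the entry.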
Step 2: Configure the firewall to access the external dynamic list.
2. Click Add and enter a descriptive Name for the list.
3. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
4. In the Type drop-down, select URL List. Ensure that the list does not include IP addresses or domain names; the firewall skips non-URL entries.
5. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2016.
7. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour.
8. Click OK.
PANOS7.1AdministratorsGuide 553
UseanExternalDynamicListinaURLFilteringProfile
URLFiltering
UseanExternalDynamicListwithURLsinaURLFilteringProfile(Continued)
Step3
Step4
Step5
UsetheexternaldynamiclistinaURL
Filteringprofile.
Testthatthepolicyactionisenforced.
Verifywhetherentriesintheexternal
dynamiclistwereignoredorskipped.
InalistoftypeURL,thefirewallskips
nonURLentriesasinvalidandignores
entriesthatexceedthemaximumlimit
fortheplatform.
554 PANOS7.1AdministratorsGuide
1.
2.
AddormodifyanexistingURLFilteringprofile.
3.
Nametheprofileand,intheCategoriestab,selectthe
externaldynamiclistfromtheCategorylist.
4.
ClickActiontoselectamoregranularactionfortheURLsin
theexternaldynamiclist.
IfaURLthatisincludedinanexternaldynamiclistis
alsoincludedinacustomURLcategory,orBlockand
AllowLists,theactionspecifiedinthecustomcategory
ortheblockandallowlistwilltakeprecedenceover
theexternaldynamiclist.
5.
ClickOK.
6.
AttachtheURLFilteringprofiletoaSecuritypolicyrule.
a. SelectPolicies > Security.
b. SelecttheActionstaband,intheProfileSettingsection,
selectthenewprofileintheURL Filteringdropdown.
c. ClickOKandCommit.
1.
AttempttoaccessaURLthatisincludedintheexternal
dynamiclist.
2.
Verifythattheactionyoudefinedisenforcedinthebrowser.
3.
Tomonitortheactivityonthefirewall:
a. SelectACCandaddaURLDomainasaglobalfiltertoview
theNetworkActivityandBlockedActivityfortheURLyou
accessed.
b. SelectMonitor > Logs > URL Filtering toaccessthe
detailedlogview.
UsethefollowingCLIcommandonafirewalltoreviewthedetails
foralist.
request system external-list show type url <list_name>
Forexample:
request system external-list show type url
EBL_ISAC_Alert_List
PaloAltoNetworks,Inc.
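As an added example (not from the guide or from Palo Alto Networks), the following Python checker classifies the lines of a URL-type list the way Step 5 describes: non-URL entries (here, bare IP addresses or CIDR blocks) are skipped, and valid entries past the platform limit are ignored. The platform limit, the sample list contents, and applying the limit only to entries that were not skipped are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# The guide gives no number for the per-platform URL entry limit, so this is
# an assumed placeholder value chosen to make the demonstration visible.
ASSUMED_MAX_URL_ENTRIES = 5

# Constructed sample list contents (not the guide's own example list): one
# entry per line, with a blank line, stray whitespace and two IP entries.
SAMPLE_EDL = """\
financialtimes.co.in
www.wallaby.au/joey

10.0.0.5
*.example.com/*
   www.example.org/docs/index.html
192.0.2.0/24
example.net/a
example.net/b
example.net/c
"""


@dataclass
class EdlReport:
    loaded: list = field(default_factory=list)   # entries that would be enforced
    skipped: list = field(default_factory=list)  # non-URL entries (IP or CIDR)
    ignored: list = field(default_factory=list)  # valid entries beyond the limit


def is_ip_entry(entry: str) -> bool:
    """True for a bare IPv4/IPv6 address or CIDR block, which a URL list skips."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        # Hostnames, wildcard patterns and URLs with a path do not parse as an
        # IP network, so they are treated as URL entries.
        return False


def check_url_edl(text: str, max_entries: int = ASSUMED_MAX_URL_ENTRIES) -> EdlReport:
    """Assumed model of how a URL-type list is loaded: skip non-URL entries,
    load the rest in file order, ignore everything past the platform limit."""
    report = EdlReport()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue  # blank line, nothing to enforce
        if is_ip_entry(entry):
            report.skipped.append(entry)
            continue
        if len(report.loaded) >= max_entries:
            report.ignored.append(entry)
            continue
        report.loaded.append(entry)
    return report


def summarize(report: EdlReport) -> str:
    """One-line summary of what an operator would check after
    'request system external-list show type url <list_name>'."""
    return (f"loaded={len(report.loaded)} skipped={len(report.skipped)} "
            f"ignored={len(report.ignored)}")


if __name__ == "__main__":
    rep = check_url_edl(SAMPLE_EDL)
    print(summarize(rep))
    for label, entries in (("skipped", rep.skipped), ("ignored", rep.ignored)):
        for e in entries:
            print(f"  {label}: {e}")
```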
Monitor Web Activity
The ACC, URL filtering logs and reports show all user web activity for URL categories that are set to alert, block, continue, or override. By monitoring the logs, you can gain a better understanding of the web activity of your user base to determine a web access policy.
The following topics describe how to monitor web activity:
  Monitor Web Activity of Network Users
  View the User Activity Report
  Configure Custom URL Filtering Reports
Monitor Web Activity of Network Users
From the ACC, you can directly Jump to the Logs or you can navigate to Monitor > Logs > URL filtering to view the URL filtering logs. The following bullet points show examples of the URL filtering logs.
  Alert log: In this log, the category is shopping and the action is alert.
  Block log: In this log, the category malware was set to block, so the action is block-url and the user will see a response page indicating that the website was blocked.
  Alert log on encrypted website: In this example, the category is social-networking and the application is facebook-base, which is required to access the Facebook website and other Facebook applications. Because facebook.com is always encrypted using SSL, the traffic was decrypted by the firewall, which allows the website to be recognized and controlled if needed.
You can also add several other columns to your URL Filtering log view, such as: to and from zone, content type, and whether or not a packet capture was performed. To modify what columns to display, click the down arrow in any column and select the attribute to display.
To view the complete log details and/or request a category change for the given URL that was accessed, click the log details icon in the first column of the log.
To generate predefined URL filtering reports on URL categories, URL users, Websites accessed, Blocked categories, and more, select Monitor > Reports and under the URL Filtering Reports section, select one of the reports. The reports are based on a 24-hour period and the day is selected by choosing a day in the calendar section. You can also export the report to PDF, CSV, or XML.
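As an added example (not from the guide), the Python below runs over a few constructed URL Filtering log records in a simplified CSV layout (not the firewall's actual export format) and produces the per-category action breakdown and the per-user block-url counts that an analyst would otherwise read from the ACC or the predefined reports. The field names, sample values and the review threshold are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample records (not real firewall output) in an assumed CSV layout.
SAMPLE_URL_LOG = """\
receive_time,src_ip,src_user,url,category,action,app
2016/04/05 10:01:02,10.1.1.20,corp\\alice,www.example-shop.test/,shopping,alert,web-browsing
2016/04/05 10:01:09,10.1.1.20,corp\\alice,bad.example.test/payload,malware,block-url,web-browsing
2016/04/05 10:02:30,10.1.1.31,corp\\bob,www.facebook.com/,social-networking,alert,facebook-base
2016/04/05 10:03:11,10.1.1.31,corp\\bob,bad.example.test/login,phishing,block-url,web-browsing
2016/04/05 10:03:40,10.1.1.31,corp\\bob,other.example.test/x,malware,block-url,web-browsing
2016/04/05 10:04:05,10.1.1.42,corp\\carol,news.example.test/,news,alert,web-browsing
2016/04/05 10:05:00,10.1.1.42,corp\\carol,gamble.example.test/,gambling,continue,web-browsing
"""

# Actions described in the guide: alert (allowed and logged), block-url (blocked
# with a response page), continue and override (user is prompted).
BLOCKED_ACTIONS = {"block-url"}


def parse_url_log(text):
    """Parse the CSV text into dicts, dropping rows that miss a required field."""
    required = ("src_user", "url", "category", "action")
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if all(row.get(k) for k in required):
            rows.append(row)
    return rows


def category_action_matrix(rows):
    """category -> Counter of actions, the same view the category reports give."""
    matrix = defaultdict(Counter)
    for r in rows:
        matrix[r["category"]][r["action"]] += 1
    return dict(matrix)


def blocked_by_user(rows):
    """Number of blocked requests per source user."""
    counts = Counter()
    for r in rows:
        if r["action"] in BLOCKED_ACTIONS:
            counts[r["src_user"]] += 1
    return counts


def users_over_threshold(rows, threshold):
    """Users whose blocked-request count reaches the (assumed) threshold and
    deserve a closer look in the ACC with a user filter applied."""
    return sorted(u for u, n in blocked_by_user(rows).items() if n >= threshold)


def blocked_hosts(rows):
    """Distinct destination hosts that were blocked (path stripped), useful as
    a starting point for a URL Domain global filter in the ACC."""
    return sorted({r["url"].split("/", 1)[0]
                   for r in rows if r["action"] in BLOCKED_ACTIONS})


if __name__ == "__main__":
    records = parse_url_log(SAMPLE_URL_LOG)
    for category, actions in sorted(category_action_matrix(records).items()):
        print(category, dict(actions))
    print("users at or above 2 blocks:", users_over_threshold(records, 2))
    print("blocked hosts:", blocked_hosts(records))
```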
View the User Activity Report
Generate a User Activity Report
Step 1  Configure a User Activity Report.
  1.
  2. Enter a report Name and select the report type. Select User to generate a report for one person, or select Group for a group of users.
     You must Enable User-ID in order to be able to select user or group names. If User-ID is not configured, you can select the type User and enter the IP address of the user's computer.
  3. Enter the Username/IP address for a user report or enter the group name for a user group report.
  4. Select the time period. You can select an existing time period, or select Custom.
  5.
Step 2  Run the user activity report and then download the report.
  1. Click Run Now.
  2.
  3. After the report is downloaded, click Cancel and then click OK to save the report.
Step 3  View the user activity report by opening the PDF file that was downloaded. The top of the report will contain a table of contents similar to the following:
Step 4
Configure Custom URL Filtering Reports
Step 1  Add a new custom report.
  1.
  2. Enter a report Name, for example, My URL Custom Report.
  3. From the Database drop-down, select URL Log.
Step 2  Configure report options.
  1. Select the Time Frame drop-down and select a range.
  2. (Optional) To customize how the report is sorted and grouped, select Sort By and choose the number of items to display (top 25, for example) and then select Group By and select an option such as Category, and then select how many groups will be defined.
  3. In the Available Columns list, select the fields to include in the report. The following columns are typically used for a URL report:
     Action
     Category
     Destination Country
     Source User
     URL
Step 3  Run the report to check the results. If the results are satisfactory, set a schedule to run the report automatically.
  1. Click the Run Now icon to immediately generate the report that will appear in a new tab.
  2. (Optional) Click the Schedule check box to run the report once per day. This will generate a daily report that details web activity over the last 24 hours. To access the report, select Monitor > Report and then expand Custom Reports on the right column and select the report.
Step 4  Save the configuration.
  Click Commit.
Configure URL Filtering
After you Determine URL Filtering Policy Requirements, you should have a basic understanding of what types of websites and website categories your users are accessing. With this information, you are now ready to create custom URL filtering profiles and attach them to the security policy rule(s) that allow web access.
Configure Website Controls
Step 1  Create a URL Filtering profile or select an existing one.
  Because the default URL filtering profile blocks risky and threat-prone content, it is a best practice to clone this profile to preserve these default settings, rather than creating a new profile.
  1.
  2.
Step 2  Define how to control access to web content.
  In the Categories tab, for each category that you want visibility into or control over, select a value from the Action column as follows:
    If you do not care about traffic to a particular category (that is, you neither want to block it nor log it), select allow.
    For visibility into traffic to sites in a category, select alert.
    To deny access to traffic that matches the category and to enable logging of the blocked traffic, select block.
    To require users to click Continue to proceed to a questionable site, select continue.
    To only allow access if users provide a configured password, select override. For more details on this setting, see Configure URL Admin Override.
Step 3  Define websites that should always be blocked or allowed.
  For example, to reduce URL filtering logs, you may want to add your corporate websites to the allow list, so no logs will be generated for those sites. Or, if there is a website that is being overly used and is not work-related in any way, you can add it to the block list.
  Items in the block list will always be blocked regardless of the action for the associated category, and URLs in the allow list will always be allowed.
  For more information on the proper format and wildcard usage, see Block and Allow Lists.
  1. In the URL filtering profile, enter URLs or IP addresses in the Block List and select an action:
     block: Block the URL.
     continue: Prompt users to click Continue to proceed to the web page.
     override: The user will be prompted for a password to continue to the website.
     alert: Allow the user to access the website and add an alert log entry in the URL log.
  2. For the Allow list, enter IP addresses or URLs that should always be allowed. Each row must be separated by a new line.
  3. (Optional) Enable Safe Search Enforcement.
Step 4  Modify the setting to log Container Pages only.
Step 5  Enable HTTP Header Logging for one or more of the supported HTTP header fields.
  To log an HTTP header field, select one or more of the following fields to log:
    User-Agent
    Referer
    X-Forwarded-For
Step 6  Save the URL filtering profile.
  1. Click OK.
  2. (Optional) Customize the URL Filtering Response Pages.
  3. Click Commit.
  To test the URL filtering configuration, simply access a website in a category that is set to block or continue to see if the appropriate action is performed.
Customize the URL Filtering Response Pages
The firewall provides three predefined URL Filtering Response Pages that display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering Profile (block, continue, or override) or when Safe Search Enforcement blocks a search attempt. However, you can create your own custom response pages with your corporate branding, acceptable use policies, and links to your internal resources as follows:
Customize the URL Filtering Response Pages
Step 1  Export the default response page(s).
  1.
  2. Select the link for the URL filtering response page you want to modify.
  3. Click the response page (predefined or shared) and then click the Export link and save the file to your desktop.
Step 2  Edit the exported page.
  1. Using the HTML text editor of your choice, edit the page:
     If you want the response page to display custom information about the specific user, URL, or category that was blocked, add one or more of the supported URL Filtering Response Page Variables.
     If you want to include custom images (such as your corporate logo), a sound, or style sheet, or link to another URL, for example to a document detailing your acceptable web use policy, include one or more of the supported Response Page References.
  2. Save the edited page with a new filename. Make sure that the page retains its UTF-8 encoding. For example, in Notepad you would select UTF-8 from the Encoding drop-down in the Save As dialog.
Step 3  Import the customized response page.
  1.
  2. Select the link that corresponds to the URL Filtering response page you edited.
  3. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
  4. (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
  5. Click OK to import the file.
Step 4  Save the new response page(s).
  Commit the changes.
Step 5  Verify that the new response page displays.
  From a browser, go to the URL that will trigger the response page. For example, to see a modified URL Filtering and Category Match response page, browse to a URL that your URL filtering policy is set to block.
Configure URL Admin Override
In some cases there may be URL categories that you want to block, but allow certain individuals to browse to on occasion. In this case, you would set the category action to override and define a URL admin override password in the firewall Content-ID configuration. When users attempt to browse to the category, they will be required to provide the override password before they are allowed access to the site. Use the following procedure to configure URL admin override:
Configure URL Admin Override
Step 1  Set the URL admin override password.
  1.
  2.
  3. In the Location field, select the virtual system to which this password applies.
  4. Enter the Password and Confirm Password.
  5.
  6. Select the Mode for prompting the user for the password:
     Transparent: The firewall intercepts the browser traffic destined for a site in a URL category you have set to override and impersonates the original destination URL, issuing an HTTP 401 to prompt for the password. Note that the client browser will display certificate errors if it does not trust the certificate.
     Redirect: The firewall intercepts HTTP or HTTPS traffic to a URL category set to override and redirects the request to a Layer 3 interface on the firewall using an HTTP 302 redirect in order to prompt for the override password. If you select this option, you must provide the Address (IP address or DNS hostname) to which to redirect the traffic.
  7. Click OK.
Step 2  (Optional) Set a custom override period.
  1. Edit the URL Filtering section.
  2. To change the amount of time users can browse to a site in a category for which they have successfully entered the override password, enter a new value in the URL Admin Override Timeout field. By default, users can access sites within the category for 15 minutes without re-entering the password.
  3. To change the amount of time users are blocked from accessing a site set to override after three failed attempts to enter the override password, enter a new value in the URL Admin Lockout Timeout field. By default, users are blocked for 30 minutes.
  4. Click OK.
Step 3  (Redirect mode only) Create a Layer 3 interface to which to redirect web requests to sites in a category configured for override.
  1. Create a management profile to enable the interface to display the URL Filtering Continue and Override Page response page:
     a. Select Network > Interface Mgmt and click Add.
     b. Enter a Name for the profile, select Response Pages, and then click OK.
  2. Create the Layer 3 interface. Be sure to attach the management profile you just created (on the Advanced > Other Info tab of the Ethernet Interface dialog).
Step 4  (Redirect mode only) To transparently redirect users without displaying certificate errors, install a certificate that matches the IP address of the interface to which you are redirecting web requests to a site in a URL category configured for override. You can either generate a self-signed certificate or import a certificate that is signed by an external CA.
  To use a self-signed certificate, you must first create a root CA certificate and then use that CA to sign the certificate you will use for URL admin override as follows:
  1.
  2. To create the certificate to use for URL admin override, click Generate. Enter a Certificate Name and enter the DNS hostname or IP address of the interface as the Common Name. In the Signed By field, select the CA you created in the previous step. Add an IP address attribute and specify the IP address of the Layer 3 interface to which you will be redirecting web requests to URL categories that have the override action.
  3. Generate the certificate.
  4. To configure clients to trust the certificate, select the CA certificate on the Device Certificates tab and click Export. You must then import the certificate as a trusted root CA into all client browsers, either by manually configuring the browser or by adding the certificate to the trusted roots in an Active Directory Group Policy Object (GPO).
Step 5  Specify which URL categories require an override password to enable access.
  1.
  2. On the Categories tab, set the Action to override for each category that requires a password.
  3. Complete any remaining sections on the URL filtering profile and then click OK to save the profile.
Step 6  Apply the URL Filtering profile to the security policy rule(s) that allows access to the sites requiring password override for access.
  1.
  2. Select the Actions tab and in the Profile Setting section, click the drop-down for URL Filtering and select the profile.
  3. Click OK to save.
Step 7  Save the configuration.
  Click Commit.
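As an added example (not the firewall's own code), the Python below is an illustrative model of the override behaviour described above: a correct password grants access to the category for the override timeout (15 minutes by default), three failed attempts lock the source out for the lockout timeout (30 minutes by default), and the challenge issued before access is granted depends on the Mode. Tracking state per source IP and the simulated clock in minutes are assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Defaults stated in the procedure, in minutes.
DEFAULT_OVERRIDE_TIMEOUT = 15
DEFAULT_LOCKOUT_TIMEOUT = 30
MAX_FAILED_ATTEMPTS = 3


@dataclass
class _SourceState:
    failed_attempts: int = 0
    locked_until: float = 0.0                           # clock minute; 0 = not locked
    granted_until: dict = field(default_factory=dict)   # category -> expiry minute


class UrlAdminOverride:
    """Assumed model of the URL admin override check, timeout and lockout
    (illustrative only, not the firewall's implementation)."""

    def __init__(self, password, mode="transparent", redirect_address=None,
                 override_timeout=DEFAULT_OVERRIDE_TIMEOUT,
                 lockout_timeout=DEFAULT_LOCKOUT_TIMEOUT):
        if mode not in ("transparent", "redirect"):
            raise ValueError("mode must be 'transparent' or 'redirect'")
        if mode == "redirect" and not redirect_address:
            raise ValueError("redirect mode requires an Address to redirect to")
        self._password = password.encode()
        self.mode = mode
        self.redirect_address = redirect_address
        self.override_timeout = override_timeout
        self.lockout_timeout = lockout_timeout
        self._sources = {}   # assumption: attempts and grants are tracked per source IP

    def _state(self, src_ip):
        return self._sources.setdefault(src_ip, _SourceState())

    def challenge(self):
        """Prompt issued while access is not granted: HTTP 401 in transparent
        mode, HTTP 302 to the configured Address in redirect mode."""
        if self.mode == "transparent":
            return "HTTP 401"
        return f"HTTP 302 to {self.redirect_address}"

    def is_allowed(self, src_ip, category, now):
        """True while a successful override for this category is within the timeout."""
        st = self._sources.get(src_ip)
        return st is not None and st.granted_until.get(category, 0.0) > now

    def submit_password(self, src_ip, category, supplied, now):
        """Evaluate a password submitted at clock minute `now`.
        Returns 'granted', 'denied' or 'locked'."""
        st = self._state(src_ip)
        if st.locked_until > now:
            return "locked"
        # Constant-time comparison of the password value.
        if not hmac.compare_digest(self._password, supplied.encode()):
            st.failed_attempts += 1
            if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
                st.failed_attempts = 0
                st.locked_until = now + self.lockout_timeout
                return "locked"
            return "denied"
        st.failed_attempts = 0
        st.granted_until[category] = now + self.override_timeout
        return "granted"


if __name__ == "__main__":
    ov = UrlAdminOverride("example-password", mode="redirect",
                          redirect_address="override.example.test")
    print(ov.challenge())
    for minute, pw in ((0, "bad"), (1, "bad"), (2, "bad"), (10, "example-password"),
                       (33, "example-password")):
        print(minute, ov.submit_password("10.1.1.5", "gambling", pw, now=minute))
    print("allowed at 40:", ov.is_allowed("10.1.1.5", "gambling", now=40))
```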
Enable Safe Search Enforcement
Many search engines have a safe search setting that filters out adult images and videos for search query return traffic. You can configure Safe Search Enforcement on the Palo Alto Networks next-generation firewall to prevent search requests that do not have the strictest safe search settings enabled.
The Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address is not compatible with Safe Search Enforcement on the firewall.
There are two ways to enforce Safe Search on the firewall:
  Block Search Results that are not Using Strict Safe Search Settings
  Enable Transparent Safe Search Enforcement
Block Search Results that are not Using Strict Safe Search Settings
By default, when you enable safe search enforcement, when a user attempts to perform a search without using the strictest safe search settings, the firewall will block the search query results and display the URL Filtering Safe Search Block Page. This page provides a link to the search settings page for the corresponding search provider so that the end user can enable the safe search settings. If you plan to use this default method for enforcing safe search, you should communicate the policy to your end users prior to deploying the policy. See Table: Search Provider Safe Search Settings for details on how each search provider implements safe search. The default URL Filtering Safe Search Block Page provides a link to the search settings for the corresponding search provider. You can optionally Customize the URL Filtering Response Pages.
Alternatively, to enable safe search enforcement so that it is transparent to your end users, configure the firewall to Enable Transparent Safe Search Enforcement.
Enable Safe Search Enforcement
Step 1  Enable Safe Search Enforcement in the URL Filtering profile.
  1.
  2. Select an existing profile to modify, or clone the default profile to create a new profile.
  3.
  4. (Optional) Restrict users to specific search engines:
     a. On the Categories tab, set the search-engines category to block.
     b. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
        www.google.com
        www.bing.com
  5. Configure other settings as necessary to:
     Define how to control access to web content.
     Define websites that should always be blocked or allowed.
  6. Click OK to save the profile.
Step 2  Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
  1.
  2. On the Actions tab, select the URL Filtering profile.
  3. Click OK to save the security policy rule.
Step 3  Enable SSL Forward Proxy decryption.
  Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
  1. Add a custom URL category for the search sites:
     a. Select Objects > Custom Objects > URL Category and Add a custom category.
     b. Enter a Name for the category, such as SearchEngineDecryption.
     c. Add the following to the Sites list:
        www.bing.*
        www.google.*
        search.yahoo.*
     d. Click OK to save the custom URL category object.
  2. Follow the steps to Configure SSL Forward Proxy.
  3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.
Step 4  (Optional, but recommended) Block Bing search traffic running over SSL.
  Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement, you must deny all Bing sessions that run over SSL.
  1. Add a custom URL category for Bing:
     a. Select Objects > Custom Objects > URL Category and Add a custom category.
     b. Enter a Name for the category, such as EnableBingSafeSearch.
     c. Add the following to the Sites list:
        www.bing.com/images/*
        www.bing.com/videos/*
     d. Click OK to save the custom URL category object.
  2. Create another URL filtering profile to block the custom category you just created:
     a. Select Objects > Security Profiles > URL Filtering.
     b. Add a new profile and give it a descriptive Name.
     c. Locate the custom category in the Category list and set it to block.
     d. Click OK to save the URL filtering profile.
  3. Add a security policy rule to block Bing SSL traffic:
     a. Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
     b. On the Actions tab, attach the URL filtering profile you just created to block the custom Bing category.
     c. On the Service/URL Category tab Add a New Service and give it a descriptive Name, such as bingssl.
     d. Select TCP as the Protocol and set the Destination Port to 443.
     e. Click OK to save the rule.
     f. Use the Move options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.
Step 5  Save the configuration.
  Click Commit.
Step 6  Verify the Safe Search Enforcement configuration.
  This verification step only works if you are using block pages to enforce safe search. If you are using transparent safe search enforcement, the firewall block page will invoke a URL rewrite with the safe search parameters in the query string.
  1. From a computer that is behind the firewall, disable the strict search settings for one of the supported search providers. For example, on bing.com, click the Preferences icon on the Bing menu bar.
  2. Set the SafeSearch option to Moderate or Off and click Save.
  3. Perform a Bing search and verify that the URL Filtering Safe Search Block page displays instead of the search results.
  4. Use the link in the block page to go to the search settings for the search provider and set the safe search setting back to the strictest setting (Strict in the case of Bing) and then click Save.
  5. Perform a search again from Bing and verify that the filtered search results display instead of the block page.
Enable Transparent Safe Search Enforcement
Step 1  Make sure the firewall is running Content Release version 475 or later.
  1.
  2.
  3. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
  4. Locate the required update and click Download.
  5. After the download completes, click Install.
Step 2  Enable Safe Search Enforcement in the URL Filtering profile.
  1.
  2. Select an existing profile to modify, or clone the default profile to create a new one.
  3.
  4. (Optional) Allow access to specific search engines only:
     a. On the Categories tab, set the search-engines category to block.
     b. For each search engine that you want end users to be able to access, enter the web address in the Allow List text box. For example, to allow users access to Google and Bing searches only, you would enter the following:
        www.google.com
        www.bing.com
  5. Configure other settings as necessary to:
     Define how to control access to web content.
     Define websites that should always be blocked or allowed.
  6. Click OK to save the profile.
Step 3  Add the URL Filtering profile to the security policy rule that allows traffic from clients in the trust zone to the Internet.
  1.
  2. On the Actions tab, select the URL Filtering profile.
  3. Click OK to save the security policy rule.
Step 4  (Optional, but recommended) Block Bing search traffic running over SSL.
  Because the Bing SSL search engine does not adhere to the safe search settings, for full safe search enforcement, you must deny all Bing sessions that run over SSL.
  1. Add a custom URL category for Bing:
     a. Select Objects > Custom Objects > URL Category and Add a custom category.
     b. Enter a Name for the category, such as EnableBingSafeSearch.
     c. Add the following to the Sites list:
        www.bing.com/images/*
        www.bing.com/videos/*
     d. Click OK to save the custom URL category object.
  2. Create another URL filtering profile to block the custom category you just created:
     a. Select Objects > Security Profiles > URL Filtering.
     b. Add a new profile and give it a descriptive Name.
     c. Locate the custom category you just created in the Category list and set it to block.
     d. Click OK to save the URL filtering profile.
  3. Add a security policy rule to block Bing SSL traffic:
     a. Select Policies > Security and Add a policy rule that allows traffic from your trust zone to the Internet.
     b. On the Actions tab, attach the URL filtering profile you just created to block the custom Bing category.
     c. On the Service/URL Category tab Add a New Service and give it a descriptive Name, such as bingssl.
     d. Select TCP as the Protocol, set the Destination Port to 443.
     e. Click OK to save the rule.
     f. Use the Move options to ensure that this rule is below the rule that has the URL filtering profile with safe search enforcement enabled.
Step 5  Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently.
  1.
  2. Select Predefined and then click Export to save the file locally.
  3. Use an HTML editor and replace all of the existing block page text with the text here and then save the file.
     Copy the transparent safe search script and paste it into the HTML editor, replacing the entire block page.
Step 6  Import the edited URL Filtering Safe Search Block page onto the firewall.
  1.
  2. Click Import and then enter the path and filename in the Import File field or Browse to locate the file.
  3. (Optional) Select the virtual system on which this login page will be used from the Destination drop-down or select shared to make it available to all virtual systems.
  4. Click OK to import the file.
Step 7  Enable SSL Forward Proxy decryption.
  Because most search engines encrypt their search results, you must enable SSL forward proxy decryption so that the firewall can inspect the search traffic and detect the safe search settings.
  1. Add a custom URL category for the search sites:
     a. Select Objects > Custom Objects > URL Category and Add a custom category.
     b. Enter a Name for the category, such as SearchEngineDecryption.
     c. Add the following to the Sites list:
        www.bing.*
        www.google.*
        search.yahoo.*
     d. Click OK to save the custom URL category object.
  2. Follow the steps to Configure SSL Forward Proxy.
  3. On the Service/URL Category tab in the Decryption policy rule, Add the custom URL category you just created and then click OK.
Step 8  Save the configuration.
  Click Commit.
Set Up the PAN-DB Private Cloud
To deploy one or more M-500 appliances as a PAN-DB private cloud within your network or data center, you must complete the following tasks:
  Configure the PAN-DB Private Cloud
  Configure the Firewalls to Access the PAN-DB Private Cloud
Configure the PAN-DB Private Cloud
Set up the PAN-DB Private Cloud
Step 1  Rack mount the M-500 appliance.
  Refer to the M-500 Hardware Reference Guide for instructions.
Step 2  Register the M-500 appliance.
  For instructions on registering the M-500 appliance, see Register the Firewall.
Step 3  Perform Initial Configuration of the M-500 Appliance.
  The M-500 appliance in PAN-DB mode uses two ports, MGT (Eth0) and Eth1; Eth2 is not used in PAN-DB mode. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud. For communication between the appliance (PAN-DB server) and the firewalls on the network, you can use the MGT port or Eth1.
  1. Connect to the M-500 appliance in one of the following ways:
     Attach a serial cable from a computer to the Console port on the M-500 appliance and connect using terminal emulation software (9600-8-N-1).
     Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-500 appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, 192.168.1.2).
  2. When prompted, log in to the appliance. Log in using the default username and password (admin/admin). The appliance will begin to initialize.
  3. Configure the network access settings including the IP address for the MGT interface:
       set deviceconfig system ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
     where <server-IP> is the IP address you want to assign to the management interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the primary DNS server.
  4. Configure the network access settings including the IP address for the Eth1 interface:
       set deviceconfig system eth1 ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
     where <server-IP> is the IP address you want to assign to the data interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
  5. Save your changes to the PAN-DB server.
       commit
Step 4  Switch to PAN-DB private cloud mode.
  1. To switch to PAN-DB mode, use the CLI command:
       request system system-mode pan-url-db
     You can switch from Panorama mode to PAN-DB mode and back, and from Panorama mode to Log Collector mode and back. Switching directly from PAN-DB mode to Log Collector mode or vice versa is not supported. When switching operational mode, a data reset is triggered. With the exception of management access settings, all existing configuration and logs will be deleted on restart.
  2. Use the following command to verify that the mode is changed:
       show pan-url-cloud-status
       hostname: M-500
       ip-address: 1.2.3.4
       netmask: 255.255.255.0
       default-gateway: 1.2.3.1
       ipv6-address: unknown
       ipv6-link-local-address: fe80:00/64
       ipv6-default-gateway:
       mac-address: 00:56:90:e7:f6:8e
       time: Mon Apr 27 13:43:59 2015
       uptime: 10 days, 1:51:28
       family: m
       model: M-500
       serial: 0073010000xxx
       sw-version: 7.0.0
       app-version: 492-2638
       app-release-date: 2015/03/19 20:05:33
       av-version: 0
       av-release-date: unknown
       wf-private-version: 0
       wf-private-release-date: unknown
       logdb-version: 7.0.9
       platform-family: m
       pan-url-db: 20150417-220
       system-mode: Pan-URL-DB
       operational-mode: normal
  3. Use the following command to check the version of the cloud database on the appliance:
       show pan-url-cloud-status
       Cloud status: Up
       URL database version: 20150417-220
Step 5  Install content and database updates.
  The appliance only stores the currently running version of the content and one earlier version.
  Pick one of the following methods of installing the content and database updates:
  If the PAN-DB server has direct Internet access, use the following commands:
    a. To check whether a new version is published, use:
         request pan-url-db upgrade check
    b. To check the version that is currently installed on your server, use:
         request pan-url-db upgrade info
    c. To download and install the latest version:
         request pan-url-db upgrade download latest
         request pan-url-db upgrade install <version latest | file>
    d. To schedule the M-500 appliance to automatically check for updates:
         set deviceconfig system update-schedule pan-url-db recurring weekly action download-and-install day-of-week <day of week> at <hr:min>
  If the PAN-DB server is offline, access the Palo Alto Networks Customer Support website to download and save the content updates to an SCP server on your network. You can then import and install the updates using the following commands:
       scp import pan-url-db remote-port <port-number> from username@host:path
       request pan-url-db upgrade install file <filename>
Step 6  Set up administrative access to the PAN-DB private cloud.
  The appliance has a default admin account. Any additional administrative users that you create can either be superusers (with full access) or superusers with read-only access.
  PAN-DB private cloud does not support the use of RADIUS VSAs. If the VSAs used on the firewall or Panorama are used for enabling access to the PAN-DB private cloud, an authentication failure will occur.
  To set up a local administrative user on the PAN-DB server:
    a. configure
    b. set mgt-config users <username> permissions role-based <superreader | superuser> yes
    c. set mgt-config users <username> password
    d. Enter password: xxxxx
    e. Confirm password: xxxxx
    f. commit
  To set up an administrative user with RADIUS authentication:
    a. Create a RADIUS server profile.
         set shared server-profile radius <server_profile_name> server <server_name> ip-address <ip_address> port <port_no> secret <shared_password>
    b. Create an authentication profile.
         set shared authentication-profile <auth_profile_name> user-domain <domain_name_for_authentication> allow-list <all> method radius server-profile <server_profile_name>
    c. Attach the authentication profile to the user.
         set mgt-config users <username> authentication-profile <auth_profile_name>
    d. Commit the changes.
         commit
  To view the list of users:
       show mgt-config users
       users {
         admin {
           phash fnRL/G5lXVMug;
           permissions {
             role-based {
               superuser yes;
             }
           }
         }
         admin_user_2 {
           permissions {
             role-based {
               superreader yes;
             }
           }
           authentication-profile RADIUS;
         }
       }
Step 7  Configure the Firewalls to Access the PAN-DB Private Cloud.
URLFiltering
SetUpthePANDBPrivateCloud
Configure the Firewalls to Access the PAN-DB Private Cloud
When using the PAN-DB public cloud, each firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect for URL lookups. With the PAN-DB private cloud, you must configure the firewalls with a (static) list of your PAN-DB private cloud servers that will be used for URL lookups. The list can contain up to 20 entries; IPv4 addresses, IPv6 addresses, and FQDNs are supported. Each entry on the list (IP address or FQDN) must be assigned to the management port and/or eth1 of the PAN-DB server.

Configure the Firewalls to Access the PAN-DB Private Cloud
Step 1
Pick one of the following options based on the PAN-OS version on the firewall.
For firewalls running PAN-OS 7.0, access the PAN-OS CLI or the web interface on the firewall. Use the following CLI command to configure access to the private cloud:
set deviceconfig setting pan-url-db cloud-static-list <IP addresses> enable
To delete the entries for the private PAN-DB servers, and allow the firewalls to connect to the PAN-DB public cloud, use the command:
set deviceconfig setting pan-url-db cloud-static-list <IP addresses> disable
When you delete the list of private PAN-DB servers, a reelection process is triggered on the firewall. The firewall first checks for the list of PAN-DB private cloud servers and, when it cannot find one, the firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect.
Step 2
Commit your changes.
Step 3
To verify that the change is effective, use the following CLI command on the firewall:
show url-cloud-status
Cloud status:          Up
URL database version:  20150417-220
URL Filtering Use Case Examples
The following use cases show how to use App-ID to control a specific set of web-based applications and how to use URL categories as match criteria in a policy. When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App-ID facebook-base is required to access the Facebook website and to control other Facebook applications. So, to configure the firewall to control Facebook email, you would have to allow the App-IDs facebook-base and facebook-mail. As another example, if you search Applipedia (the App-ID database) for LinkedIn, you will see that in order to control LinkedIn mail, you need to apply the same action to both App-IDs: linkedin-base and linkedin-mail. To determine application dependencies for App-ID signatures, visit Applipedia, search for the given application, and then click the application for details.
Use Case: Control Web Access
Use Case: Use URL Categories for Policy Matching
These use cases rely on User-ID to implement policies based on users and groups and on Decryption to identify and control websites that are encrypted using SSL/TLS.
Control Web Access
Step 1
Confirm that URL filtering is licensed.
1.
2.
If a valid license is not installed, see Enable PAN-DB URL Filtering.
Step 2
Confirm that User-ID is working. User-ID is required to create policies based on users and groups.
1.
2. To check User Mapping from the CLI, enter the following command:
   show user ip-user-mapping-mp all
   To check Group Mapping from the CLI, enter the following command:
   show user group-mapping statistics
3. If statistics do not appear and/or IP address-to-user mapping information is not displayed, see User-ID.
Step 3
Set up a URL filtering profile by cloning the default profile.
1.
2. Click the Clone icon. A new profile should appear named default-1.
3. Select the new profile and rename it.
Step 4
Configure the URL filtering profile to block social networking and allow Facebook.
1. Modify the new URL filtering profile and, in the Category list, scroll to social-networking; in the Action column click on allow and change the action to block.
2. In the Allow List, enter facebook.com, press Enter to start a new line and then type *.facebook.com. Both of these formats are required so that all URL variants a user may use will be identified, such as facebook.com, www.facebook.com, and https://facebook.com.
3. Click OK to save the profile.
Step 5
Apply the new URL filtering profile to the security policy rule that allows web access from the user network to the Internet.
1.
2.
3. Click OK to save.
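The Allow List step above says that both facebook.com and *.facebook.com are needed. The following is an added illustration (not Palo Alto Networks code, and not the firewall's actual URL-matching engine) of the simplified rule that explains why: an exact-host entry covers only that hostname, and a wildcard entry covers only labels below it, so each entry alone leaves a variant uncovered. The sample URLs and the suffix-check against a look-alike host are constructed for the example.

```python
"""Simplified model of URL-filtering Allow List matching (added example).

Models only the behaviour the use case describes: "facebook.com" matches
that exact host, "*.facebook.com" matches hosts below it. Real PAN-OS
matching has more rules (paths, ports, case folding) than this.
"""
from urllib.parse import urlsplit

# Allow List entries from the use case.
ALLOW_LIST = ["facebook.com", "*.facebook.com"]


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL given with or without a scheme."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to locate the host
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def entry_matches(entry: str, host: str) -> bool:
    """One Allow List entry against one hostname.

    "example.com"   matches only example.com itself.
    "*.example.com" matches any label(s) below example.com, not example.com.
    The leading dot in the suffix keeps "example.com.evil.test" from matching.
    """
    entry = entry.lower()
    if entry.startswith("*."):
        suffix = entry[1:]             # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def allowed(url: str, allow_list=ALLOW_LIST) -> bool:
    """True if any Allow List entry covers the URL's hostname."""
    host = hostname_of(url)
    return any(entry_matches(e, host) for e in allow_list)


def coverage(urls, allow_list) -> dict:
    """Map each URL to whether a given Allow List covers it (compare lists side by side)."""
    return {u: allowed(u, allow_list) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs: the three variants named in the guide plus two extras.
    samples = ["facebook.com", "www.facebook.com", "https://facebook.com",
               "https://m.facebook.com/", "facebook.com.evil.test"]
    for lst in (["facebook.com"], ["*.facebook.com"], ALLOW_LIST):
        print(lst, coverage(samples, lst))
```

Running the block shows that the single-entry lists each miss one of the guide's three variants, while the two-entry list covers all of them and still rejects the look-alike host.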
Step 6
Create the security policy rule that will allow marketing access to the Facebook website and all Facebook applications.
This rule must precede other rules because:
- It is a specific rule. More specific rules must precede other rules.
- An allow rule will terminate rule processing when a traffic match occurs.
1.
2. Enter a Name and optionally a Description and Tag(s).
3. On the Source tab, add the zone where the users are connected.
4. On the User tab, in the Source User section, click Add.
5. Select the directory group that contains your marketing users.
6. On the Destination tab, select the zone that is connected to the Internet.
7. On the Applications tab, click Add and add the facebook App-ID signature.
8. On the Actions tab, add the default profiles for Antivirus, Vulnerability Protection, and Anti-Spyware.
9. Click OK to save the security profile.
The facebook App-ID signature used in this policy rule encompasses all Facebook applications, such as facebook-base, facebook-chat, and facebook-mail, so this is the only App-ID signature required in this rule.
With this rule in place, when a marketing employee attempts to access the Facebook website or any Facebook application, the rule matches based on the user being part of the marketing group. For traffic from any user outside of marketing, the rule will be skipped because there would not be a traffic match and rule processing would continue.
Step 7
Configure the security policy to block all other users from using any Facebook applications other than simple web browsing. The easiest way to do this is to clone the marketing allow policy and then modify it.
1.
2.
3.
4. On the Applications tab, click the facebook App-ID signature and delete it.
5. Click Add and add the following App-ID signatures:
   facebook-apps
   facebook-chat
   facebook-file-sharing
   facebook-mail
   facebook-posting
   facebook-social-plugin
6. On the Actions tab, in the Action Setting section, select Deny. The profile settings should already be correct because this rule was cloned.
7. Click OK to save the security profile.
8. Ensure that this new deny rule is listed after the marketing allow rule, so that rule processing occurs in the correct order: first allow marketing users, then deny/limit all other users.
9. Click Commit to save the configuration.
With these security policy rules in place, any user who is part of the marketing group will have full access to all Facebook applications, and any user that is not part of the marketing group will only have read-only access to the Facebook website and will not be able to use Facebook applications such as post, chat, email, and file sharing.
Configure a Decryption Policy Based on URL Category
Step 1
Create the no-decrypt rule that will be listed first in the decryption policies list. This will prevent any website that is in the financial-services or health-and-medicine URL categories from being decrypted.
1.
2. Enter a Name and optionally enter a Description and Tag(s).
3. On the Source tab, add the zone where the users are connected.
4. On the Destination tab, enter the zone that is connected to the Internet.
5. On the URL Category tab, click Add and select the financial-services and health-and-medicine URL categories.
6. On the Options tab, set the action to No Decrypt.
7. (Optional) Although the firewall does not decrypt and inspect the traffic for the session, you can attach a Decryption profile if you want to enforce the server certificates used during the session. The decryption profile allows you to configure the firewall to terminate the SSL connection either when the server certificates are expired or when the server certificates are issued by an untrusted issuer.
8. Click OK to save the policy rule.
Step 2
Create the decryption policy rule that will decrypt all other traffic.
1. Select the no-decrypt policy you created previously and then click Clone.
2. Enter a Name and optionally enter a Description and Tag(s).
3. On the URL Category tab, select financial-services and health-and-medicine and then click the Delete icon.
4. On the Options tab, set the action to Decrypt and the Type to SSL Forward Proxy.
5. (Optional) Attach a Decryption profile to specify the server certificate verification, unsupported mode checks and failure checks for the SSL traffic. See Configure SSL Forward Proxy for more details.
6. Ensure that this new decryption rule is listed after the no-decrypt rule so that rule processing occurs in the correct order and websites in the financial-services and health-and-medicine categories are not decrypted.
7. Click OK to save the policy rule.
Step 3
(BrightCloud only) Enable cloud lookups for dynamically categorizing a URL when the category is not available in the local database on the firewall.
1. Access the CLI on the firewall.
2. Enter the following commands to enable Dynamic URL Filtering:
   a. configure
   b. set deviceconfig setting url dynamic-url yes
   c. commit
Step 4
Save the configuration.
Click Commit.
With these two decrypt policies in place, any traffic destined for the financial-services or health-and-medicine URL categories will not be decrypted. All other traffic will be decrypted.
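Both use cases depend on rule order: the marketing allow rule must sit above the Facebook deny rule, and the no-decrypt rule must sit above the decrypt-all rule, because the first matching rule ends evaluation. The following is an added example (not PAN-OS code) of that first-match semantics over rulebases constructed to mirror the two use cases; the rule names, the "allow-web" rule standing in for the existing web-access rule of Step 5, the user group names and the App-ID container mapping are assumptions for the example, not values from the guide.

```python
"""First-match rulebase evaluation for the two use cases above (added example)."""
from dataclasses import dataclass, field

ANY = {"any"}

# The facebook container App-ID covers the individual Facebook App-IDs named in
# the use case (a constructed subset of Applipedia, not a complete listing).
APP_CONTAINERS = {
    "facebook": {"facebook-base", "facebook-apps", "facebook-chat", "facebook-file-sharing",
                 "facebook-mail", "facebook-posting", "facebook-social-plugin"},
}


@dataclass
class Rule:
    name: str
    action: str
    users: set = field(default_factory=lambda: set(ANY))            # user groups
    apps: set = field(default_factory=lambda: set(ANY))             # App-IDs
    url_categories: set = field(default_factory=lambda: set(ANY))   # URL categories


# Security rulebase mirroring Steps 5-7: marketing allow first, deny second,
# then the pre-existing web-access rule (assumed name "allow-web").
SECURITY_RULES = [
    Rule("allow-marketing-facebook", "allow", users={"marketing"}, apps={"facebook"}),
    Rule("deny-facebook-apps", "deny",
         apps={"facebook-apps", "facebook-chat", "facebook-file-sharing",
               "facebook-mail", "facebook-posting", "facebook-social-plugin"}),
    Rule("allow-web", "allow", apps={"web-browsing", "facebook-base"}),
]

# Decryption rulebase mirroring Steps 1-2: no-decrypt for the two categories, then decrypt all.
DECRYPTION_RULES = [
    Rule("no-decrypt-sensitive", "no-decrypt",
         url_categories={"financial-services", "health-and-medicine"}),
    Rule("decrypt-all", "decrypt"),
]


def app_matches(rule_apps: set, app: str) -> bool:
    """An App-ID matches directly or via a container App-ID such as facebook."""
    if ANY <= rule_apps or app in rule_apps:
        return True
    return any(app in APP_CONTAINERS.get(a, ()) for a in rule_apps)


def rule_matches(rule: Rule, sess: dict) -> bool:
    users_ok = ANY <= rule.users or bool(rule.users & sess["user_groups"])
    cats_ok = ANY <= rule.url_categories or sess["url_category"] in rule.url_categories
    return users_ok and app_matches(rule.apps, sess["app"]) and cats_ok


def evaluate(rules, sess: dict):
    """First match decides; later rules are never consulted for this session."""
    for rule in rules:
        if rule_matches(rule, sess):
            return rule.name, rule.action
    return None, None


def session(user_groups, app, url_category) -> dict:
    """Constructed session record: the attributes the rules above match on."""
    return {"user_groups": set(user_groups), "app": app, "url_category": url_category}


def order_matters():
    """Same marketing facebook-mail session, allow-first vs. deny-first ordering."""
    s = session({"marketing"}, "facebook-mail", "social-networking")
    allow_first = evaluate(SECURITY_RULES, s)[1]
    swapped = [SECURITY_RULES[1], SECURITY_RULES[0], SECURITY_RULES[2]]
    return allow_first, evaluate(swapped, s)[1]


if __name__ == "__main__":
    print(evaluate(SECURITY_RULES, session({"marketing"}, "facebook-mail", "social-networking")))
    print(evaluate(SECURITY_RULES, session({"engineering"}, "facebook-mail", "social-networking")))
    print(evaluate(SECURITY_RULES, session({"engineering"}, "facebook-base", "social-networking")))
    print(evaluate(DECRYPTION_RULES, session({"any"}, "web-browsing", "financial-services")))
    print(evaluate(DECRYPTION_RULES, session({"any"}, "web-browsing", "social-networking")))
    print("allow-first vs deny-first:", order_matters())
```

The non-marketing facebook-base session falls through the deny rule to the web-access rule, which is the read-only Facebook browsing the use case describes; swapping the first two rules turns the marketing session from allow into deny, which is why Step 7 item 8 insists on the order.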
Now that you have a basic understanding of the powerful features of URL filtering, App-ID, and User-ID, you can apply similar policies to your firewall to control any application in the Palo Alto Networks App-ID signature database and control any website contained in the URL filtering database.
For help in troubleshooting URL filtering issues, see Troubleshoot URL Filtering.
Troubleshoot URL Filtering
The following topics provide troubleshooting guidelines for diagnosing and resolving common URL filtering problems.
Problems Activating PAN-DB
PAN-DB Cloud Connectivity Issues
URLs Classified as Not-Resolved
Incorrect Categorization
URL Database Out of Date

Problems Activating PAN-DB
Use the following workflow to troubleshoot PAN-DB activation issues.
Troubleshoot PAN-DB Activation Issues
Step 1
Access the PAN-OS CLI.
Step 2
Verify whether PAN-DB has been activated by running the following command:
show system setting url-database
If the response is paloaltonetworks, PAN-DB is the active vendor.
Step 3
Verify that the firewall has a valid PAN-DB license by running the following command:
request license info
Step 4
After installing the license, download a new PAN-DB seed database by running the following command:
request url-filtering download paloaltonetworks region <region>
Step 5
Check the download status by running the following command:
request url-filtering download status vendor paloaltonetworks
1. If the message is different from PAN-DB download: Finished successfully, stop here; there may be a problem connecting to the cloud. Attempt to solve the connectivity issue by performing basic network troubleshooting between the firewall and the Internet. For more information, see PAN-DB Cloud Connectivity Issues.
2. If the message is PAN-DB download: Finished successfully, the firewall successfully downloaded the URL seed database. Try to enable PAN-DB again by running the following command:
   admin@PA-200> set system setting url-database paloaltonetworks
3. If the problem persists, contact Palo Alto Networks Customer Support.
PAN-DB Cloud Connectivity Issues
To check connectivity between the firewall and the PAN-DB cloud:
show url-cloud status
If the cloud is accessible, the expected response is similar to the following:
show url-cloud status
PAN-DB URL Filtering
  License :                         valid
  Current cloud server :            s0000.urlcloud.paloaltonetworks.com
  Cloud connection :                connected
  URL database version - device :   2013.11.18.000
  URL database version - cloud :    2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
  URL database status :             good
  URL protocol version - device :   pan/0.0.2
  URL protocol version - cloud :    pan/0.0.2
  Protocol compatibility status :   compatible
If the cloud is not accessible, the expected response is similar to the following:
show url-cloud status
PAN-DB URL Filtering
  License :                         valid
  Cloud connection :                not connected
  URL database version - device :   2013.11.18.000
  URL database version - cloud :    2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
  URL database status :             good
  URL protocol version - device :   pan/0.0.2
  URL protocol version - cloud :    pan/0.0.2
  Protocol compatibility status :   compatible
Use the following checklist to identify and resolve connectivity issues:
- Does the PAN-DB URL Filtering License field show as invalid? Obtain and install a valid PAN-DB license.
- Does the URL database status show as out of date? Download a new seed database by running the following command:
  request url-filtering download paloaltonetworks region <region>
- Does the URL protocol version show as not compatible? Upgrade PAN-OS to the latest version.
- Can you ping the PAN-DB cloud server from the firewall? Run the following command to check:
  ping source <ip-address> host s0000.urlcloud.paloaltonetworks.com
  For example, if your management interface IP address is 10.1.1.5, run the following command:
  ping source 10.1.1.5 host s0000.urlcloud.paloaltonetworks.com
- Is the firewall in an HA configuration? Verify that the HA state of the firewalls is active, active-primary, or active-secondary. Access to the PAN-DB cloud will be blocked if the firewall is in a different state. Run the following command on each firewall in the pair to see the state:
  show high-availability state
If you still have problems with connectivity between the firewall and the PAN-DB cloud, contact Palo Alto Networks support.
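The checklist above is a fixed set of tests against fields of the show url-cloud status output, which makes it a natural candidate for a scripted health check run from a monitoring host. The following is an added example (not Palo Alto Networks code) that parses output captured from the command and reports which checklist items fail. The connected sample is the one shown above; the degraded sample is constructed so that every checklist item fires, and the "name : value" line layout is an assumption of the parser.

```python
"""Parse `show url-cloud status` output and apply the connectivity checklist (added example)."""
import re

# Sample output reproduced from the guide (cloud reachable).
CONNECTED_OUTPUT = """\
PAN-DB URL Filtering
  License :                         valid
  Current cloud server :            s0000.urlcloud.paloaltonetworks.com
  Cloud connection :                connected
  URL database version - device :   2013.11.18.000
  URL database version - cloud :    2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
  URL database status :             good
  URL protocol version - device :   pan/0.0.2
  URL protocol version - cloud :    pan/0.0.2
  Protocol compatibility status :   compatible
"""

# Constructed sample: lapsed license, stale database, old protocol and no connection,
# so that every checklist item is exercised. Not output from a real firewall.
DEGRADED_OUTPUT = """\
PAN-DB URL Filtering
  License :                         invalid
  Cloud connection :                not connected
  URL database version - device :   2013.08.01.000
  URL database version - cloud :    2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
  URL database status :             out of date
  URL protocol version - device :   pan/0.0.1
  URL protocol version - cloud :    pan/0.0.2
  Protocol compatibility status :   not compatible
"""

# "<field name> : <value>"; the lazy group stops at the first colon, so values that
# themselves contain colons (the last-update timestamp) stay intact.
FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_status(output: str) -> dict:
    """Turn the status lines into {field: value}; the title line has no colon and is skipped."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def connectivity_findings(fields: dict) -> list:
    """Apply the guide's checklist; returns (check, remediation) for each failed item."""
    findings = []
    if fields.get("License", "").lower() != "valid":
        findings.append(("license", "Obtain and install a valid PAN-DB license."))
    if fields.get("URL database status", "").lower() != "good":
        findings.append(("database",
                         "request url-filtering download paloaltonetworks region <region>"))
    if fields.get("Protocol compatibility status", "").lower() != "compatible":
        findings.append(("protocol", "Upgrade PAN-OS to the latest version."))
    if fields.get("Cloud connection", "").lower() != "connected":
        server = fields.get("Current cloud server", "s0000.urlcloud.paloaltonetworks.com")
        findings.append(("connection",
                         f"ping source <ip-address> host {server}; "
                         "check HA state with: show high-availability state"))
    return findings


def is_healthy(output: str) -> bool:
    return not connectivity_findings(parse_status(output))


if __name__ == "__main__":
    for label, out in (("connected", CONNECTED_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        print(label, "healthy" if is_healthy(out) else connectivity_findings(parse_status(out)))
```

The checks compare against the exact "good" values rather than looking for specific bad strings, so an unexpected value (or a missing field) is reported rather than silently passed.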
URLs Classified as Not-Resolved
Use the following workflow to troubleshoot why some or all of the URLs being identified by PAN-DB are classified as not-resolved:
Troubleshoot URLs Classified as Not-Resolved
Step 1
Check the PAN-DB cloud connection by running the following command:
show url-cloud status
The Cloud connection: field should show connected. If you see anything other than connected, any URL that does not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB Cloud Connectivity Issues.
Step 2
If the cloud connection status shows connected, check the current utilization of the firewall. If firewall utilization is spiking, URL requests may be dropped (they may not reach the management plane) and will be categorized as not-resolved.
To view system resources, run the following command and view the %CPU and %MEM columns:
show system resources
You can also view system resources on the System Resources widget on the Dashboard in the web interface.
Step 3
If the problem persists, contact Palo Alto Networks support.

Incorrect Categorization
Sometimes you may come across a URL that you believe is categorized incorrectly. Use the following workflow to determine the URL categorization for a site and request a category change, if appropriate.
Troubleshoot Incorrect Categorization Issues
Step 1
Verify the category in the dataplane by running the following command:
show running url <URL>
For example, to view the category for the Palo Alto Networks website, run the following command:
show running url paloaltonetworks.com
If the URL stored in the dataplane cache has the correct category (computer-and-internet-info in this example), then the categorization is correct and no further action is required. If the category is not correct, continue to the next step.
Step 2
Verify the category in the management plane by running the command:
test url-info-host <URL>
For example:
test url-info-host paloaltonetworks.com
If the URL stored in the management plane cache has the correct category, remove the URL from the dataplane cache by running the following command:
clear url-cache url <URL>
The next time the firewall requests the category for this URL, the request will be forwarded to the management plane. This will resolve the issue and no further action is required. If this does not solve the issue, go to the next step to check the URL category on the cloud systems.
Step 3
Verify the category in the cloud by running the following command:
test url-info-cloud <URL>
Step 4
If the URL stored in the cloud has the correct category, remove the URL from the dataplane and the management plane caches.
Run the following command to delete a URL from the dataplane cache:
clear url-cache url <URL>
Run the following command to delete a URL from the management plane cache:
delete url-database url <URL>
The next time the firewall queries for the category of the given URL, the request will be forwarded to the management plane and then to the cloud. This should resolve the category lookup issue. If problems persist, see the next step to submit a categorization change request.
Step 5
To submit a change request from the web interface, go to the URL log and select the log entry for the URL you would like to have changed.
Step 6
Click the Request Categorization change link and follow the instructions. You can also request a category change from the Palo Alto Networks Test A Site website by searching for the URL and then clicking the Request Change icon. To view a list of all available categories with descriptions of each category, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
If your change request is approved, you will receive an email notification. You then have two options to ensure that the URL category is updated on the firewall:
- Wait until the URL in the cache expires; the next time the URL is accessed by a user, the new categorization will be put in the cache.
- Run the following command to force an update of the cache:
  request url-filtering update url <URL>

URL Database Out of Date
If you have observed through the syslog or the CLI that PAN-DB is out of date, it means that the connection from the firewall to the PAN-DB cloud is blocked. This usually occurs when the URL database on the firewall is too old (the version difference is more than three months) and the cloud cannot update the firewall automatically. In order to resolve this issue, you must re-download an initial seed database (this operation is not blocked). This will result in an automatic reactivation of PAN-DB.
To manually update the database, perform one of the following steps:
Quality of Service
Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to dependably run high-priority applications and traffic under limited network capacity. QoS technologies accomplish this by providing differentiated handling and capacity allocation to specific flows in network traffic. This enables the network administrator to assign the order in which traffic is handled, and the amount of bandwidth afforded to traffic.
Palo Alto Networks Application Quality of Service (QoS) provides basic QoS applied to networks and extends it to provide QoS to applications and users.
Use the following topics to learn about and configure Palo Alto Networks application-based QoS:
QoS Overview
QoS Concepts
Configure QoS
Configure QoS for a Virtual System
Enforce QoS Based on DSCP Classification
QoS Use Cases
Use the Palo Alto Networks product comparison tool to view the QoS features supported on your firewall platform. Select two or more product platforms and click Compare Now to view QoS feature support for each platform (for example, you can check if your firewall platform supports QoS on subinterfaces and, if so, the maximum number of subinterfaces on which QoS can be enabled).
QoS on Aggregate Ethernet (AE) interfaces is supported on PA-7000 Series, PA-5000 Series, PA-3000 Series, and PA-2000 Series firewalls running PAN-OS 7.0 or later release versions.
QoS Overview
Use QoS to prioritize and adjust quality aspects of network traffic. You can assign the order in which packets are handled and allot bandwidth, ensuring preferred treatment and optimal levels of performance are afforded to selected traffic, applications, and users.
Service quality measurements subject to a QoS implementation are bandwidth (maximum rate of transfer), throughput (actual rate of transfer), latency (delay), and jitter (variance in latency). The capability to shape and control these service quality measurements makes QoS of particular importance to high-bandwidth, real-time traffic such as voice over IP (VoIP), video conferencing, and video-on-demand that has a high sensitivity to latency and jitter. Additionally, use QoS to achieve outcomes such as the following:
- Prioritize network and application traffic, guaranteeing high priority to important traffic or limiting nonessential traffic.
- Achieve equal bandwidth sharing among different subnets, classes, or users in a network.
- Allocate bandwidth externally or internally or both, applying QoS to both upload and download traffic or to only upload or download traffic.
- Ensure low latency for customer and revenue-generating traffic in an enterprise environment.
- Perform traffic profiling of applications to ensure bandwidth usage.
QoS implementation on a Palo Alto Networks firewall begins with three primary configuration components that support a full QoS solution: a QoS Profile, a QoS Policy, and setting up the QoS Egress Interface. Each of these options in the QoS configuration task facilitates a broader process that optimizes and prioritizes the traffic flow and allocates and ensures bandwidth according to configurable parameters.
The figure QoS Traffic Flow shows traffic as it flows from the source, is shaped by the firewall with QoS enabled, and is ultimately prioritized and delivered to its destination.
QoS Traffic Flow
The QoS configuration options allow you to control the traffic flow and define it at different points in the flow. The QoS Traffic Flow indicates where the configurable options define the traffic flow. A QoS policy rule allows you to define traffic you want to receive QoS treatment and assign that traffic a QoS class. The matching traffic is then shaped based on the QoS profile class settings as it exits the physical interface.
Each of the QoS configuration components influences the others, and the QoS configuration options can be used to create a full and granular QoS implementation or can be used sparingly with minimal administrator action.
Each firewall model supports a maximum number of ports that can be configured with QoS. Refer to the spec sheet for your firewall model or use the product comparison tool to view QoS feature support for two or more firewalls on a single page.
QoS Concepts
Use the following topics to learn about the different components and mechanisms of a QoS configuration on a Palo Alto Networks firewall:
QoS for Applications and Users
QoS Policy
QoS Profile
QoS Classes
QoS Priority Queuing
QoS Bandwidth Management
QoS Egress Interface
QoS for Clear Text and Tunneled Traffic

QoS Policy
Use a QoS policy rule to define traffic to receive QoS treatment (either preferential treatment or bandwidth limiting) and assign such traffic a QoS class of service.
Define a QoS policy rule to match traffic based on:
- Applications and application groups.
- Source zones, source addresses, and source users.
- Destination zones and destination addresses.
- Services and service groups limited to specific TCP and/or UDP port numbers.
- URL categories, including custom URL categories.
- Differentiated Services Code Point (DSCP) and Type of Service (ToS) values, which are used to indicate the level of service requested for traffic, such as high priority or best-effort delivery.
Set up multiple QoS policy rules (Policies > QoS) to associate different types of traffic with different QoS classes of service.

QoS Profile
Use a QoS profile rule to define values of up to eight QoS classes contained within that single profile rule. With a QoS profile rule, you can define QoS Priority Queuing and QoS Bandwidth Management for QoS classes. Each QoS profile rule allows you to configure individual bandwidth and priority settings for up to eight QoS classes, as well as the total bandwidth allotted for the eight classes combined. Attach the QoS profile rule (or multiple QoS profile rules) to a physical interface to apply the defined priority and bandwidth settings to the traffic exiting that interface.
A default QoS profile rule is available on the firewall. The default profile rule and the classes defined in the profile do not have predefined maximum or guaranteed bandwidth limits.
To define priority and bandwidth settings for QoS classes, Add a QoS profile rule.

QoS Classes
A QoS class determines the priority and bandwidth for traffic matching a QoS Policy rule. You can use a QoS Profile rule to define QoS classes. There are up to eight definable QoS classes in a single QoS profile. Unless otherwise configured, traffic that does not match a QoS class is assigned a class of 4.
QoS Priority Queuing and QoS Bandwidth Management, the fundamental mechanisms of a QoS configuration, are configured within the QoS class definition (see Step 4). For each QoS class, you can set a priority (real-time, high, medium, and low) and the maximum and guaranteed bandwidth for matching traffic. QoS priority queuing and bandwidth management determine the order of traffic and how traffic is handled upon entering or leaving a network.

Egress Guaranteed: The amount of bandwidth guaranteed for matching traffic. When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis. Bandwidth that is guaranteed but is unused continues to remain available for all traffic. Depending on your QoS configuration, you can guarantee bandwidth for a single QoS class, for all or some clear text traffic, and for all or some tunneled traffic.
Example:
Class 1 traffic has 5 Gbps of egress guaranteed bandwidth, which means that 5 Gbps is available but is not reserved for class 1 traffic. If Class 1 traffic does not use or only partially uses the guaranteed bandwidth, the remaining bandwidth can be used by other classes of traffic. However, during high traffic periods, 5 Gbps of bandwidth is absolutely available for class 1 traffic. During these periods of congestion, any Class 1 traffic that exceeds 5 Gbps is best effort.
Egress Max: The overall bandwidth allocation for matching traffic. The firewall drops traffic that exceeds the egress max limit that you set. Depending on your QoS configuration, you can set a maximum bandwidth limit for a QoS class, for all or some clear text traffic, for all or some tunneled traffic, and for all traffic exiting the QoS interface.
The cumulative guaranteed bandwidth for the QoS profile rules attached to the interface must not exceed the total bandwidth allocated to the interface.
To define bandwidth settings for QoS classes, Add a QoS profile rule. To then apply those bandwidth settings to clear text and tunneled traffic, and to set the overall bandwidth limit for a QoS interface, Enable QoS on a physical interface.
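The Egress Guaranteed and Egress Max semantics above (an unused guarantee stays available to other classes, traffic above the guarantee is best effort, traffic above the max is dropped, and the sum of guarantees must fit within the interface) can be made concrete with a small allocation model. The following is an added example, not Palo Alto Networks code and not the firewall's actual scheduler: it is a simplified three-pass model whose priority order follows the QoS Classes section. The interface rate, class settings and demand figures are constructed around the guide's "Class 1 has 5 Gbps guaranteed" example.

```python
"""Simplified model of Egress Guaranteed / Egress Max allocation (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Priority queuing order from the QoS Classes section: real-time is served first.
PRIORITY_ORDER = {"real-time": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class QosClass:
    name: str
    priority: str
    egress_guaranteed: float = 0.0        # Gbps; 0 means no guarantee
    egress_max: Optional[float] = None    # Gbps; None means no per-class cap


def guarantees_fit(classes: List[QosClass], interface_egress_max: float) -> bool:
    """The guide's constraint: cumulative guarantees must not exceed the interface allocation."""
    return sum(c.egress_guaranteed for c in classes) <= interface_egress_max


def allocate(classes: List[QosClass], demands: Dict[str, float],
             interface_egress_max: float) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Return (served, dropped) in Gbps per class for one interval of offered load.

    Three passes (this example's own model, not the firewall's algorithm):
      1. demand above a class's Egress Max is dropped outright;
      2. each class is served up to its Egress Guaranteed;
      3. leftover interface capacity, which includes any unused guarantees, is handed
         to the remaining demand highest priority first: the best-effort portion.
    """
    if not guarantees_fit(classes, interface_egress_max):
        raise ValueError("cumulative Egress Guaranteed exceeds the interface Egress Max")
    offered, dropped, served = {}, {}, {}
    for c in classes:
        demand = demands.get(c.name, 0.0)
        capped = demand if c.egress_max is None else min(demand, c.egress_max)
        offered[c.name], dropped[c.name] = capped, demand - capped
        served[c.name] = min(capped, c.egress_guaranteed)
    remaining = interface_egress_max - sum(served.values())
    for c in sorted(classes, key=lambda k: PRIORITY_ORDER[k.priority]):
        grant = min(offered[c.name] - served[c.name], remaining)
        served[c.name] += grant
        remaining -= grant
    return served, dropped


# Constructed scenario: 10 Gbps interface; class1 mirrors the guide's 5 Gbps guarantee,
# class2 has a 6 Gbps cap, class4 is the default class with no guarantee.
INTERFACE_EGRESS_MAX = 10.0
CLASSES = [
    QosClass("class1", "high", egress_guaranteed=5.0),
    QosClass("class2", "medium", egress_guaranteed=2.0, egress_max=6.0),
    QosClass("class4", "low"),
]
QUIET_DEMAND = {"class1": 1.0, "class2": 3.0, "class4": 2.0}        # below capacity
CONGESTED_DEMAND = {"class1": 7.0, "class2": 5.0, "class4": 6.0}    # 18 Gbps offered
OVER_MAX_DEMAND = {"class1": 1.0, "class2": 8.0, "class4": 0.0}     # class2 above its cap

if __name__ == "__main__":
    for label, d in (("quiet", QUIET_DEMAND), ("congested", CONGESTED_DEMAND),
                     ("over-max", OVER_MAX_DEMAND)):
        print(label, allocate(CLASSES, d, INTERFACE_EGRESS_MAX))
```

In the quiet scenario class1 uses only 1 Gbps of its 5 Gbps guarantee and the rest is available to class2 and class4, as the guide describes. Under congestion class1 still receives its full 5 Gbps plus whatever best-effort capacity its priority wins, class2 receives its 2 Gbps guarantee plus a little, and the unguaranteed class4 receives nothing; in the over-max scenario the 2 Gbps of class2 demand above its 6 Gbps cap is dropped regardless of free capacity.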
See Step 3 to learn how to Identify the egress interface for applications that you want to receive QoS treatment.
Configure QoS
Follow these steps to configure Quality of Service (QoS), which includes creating a QoS profile, creating a QoS policy, and enabling QoS on an interface.
Configure QoS
Step 1
Identify the traffic you want to manage with QoS.
This example shows how to use QoS to limit web-browsing.
Step 2
Identify the egress interface for applications that you want to receive QoS treatment.
The egress interface for traffic depends on the traffic flow. If you are shaping incoming traffic, the egress interface is the internal-facing interface. If you are shaping outgoing traffic, the egress interface is the external-facing interface.
Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface listed in the Destination section:
Step 3
Add a QoS policy rule.
A QoS policy rule defines the traffic to receive QoS treatment. The firewall assigns a QoS class of service to the traffic matched to the policy rule.
1.
2. On the General tab, give the QoS Policy Rule a descriptive Name.
3. Specify traffic to receive QoS treatment based on Source, Destination, Application, Service/URL Category, and DSCP/ToS values (the DSCP/ToS settings allow you to Enforce QoS Based on DSCP Classification).
   For example, select the Application, click Add, and select web-browsing to apply QoS to web-browsing traffic.
4. (Optional) Continue to define additional parameters. For example, select Source and Add a source user to provide QoS for a specific user's web traffic.
5.
6. Click OK.
Step 4
Add a QoS profile rule.
A QoS profile rule allows you to define the eight classes of service that traffic can receive, including priority, and enables QoS Bandwidth Management.
You can edit any existing QoS profile, including the default, by clicking the QoS profile name.
1.
2.
3.
4.
5. Click OK.
In the following example, the QoS profile rule Limit Web Browsing limits Class 2 traffic to a maximum bandwidth of 50 Mbps and a guaranteed bandwidth of 2 Mbps.
Step 5
Enable QoS on a physical interface.
Part of this step includes the option to select clear text and tunneled traffic for unique QoS treatment.
Check if the platform you're using supports enabling QoS on a subinterface by reviewing a summary of the Product Specifications.
1.
2.
3.
4.
5. In the Default Profile section, select a QoS profile rule to apply to all Clear Text traffic exiting the physical interface.
6. (Optional) Select a default QoS profile rule to apply to all tunneled traffic exiting the interface.
   For example, enable QoS on ethernet1/1 and apply the bandwidth and priority settings you defined for the QoS profile rule Limit Web Browsing (Step 4) to be used as the default settings for clear text egress traffic.
7. (Optional) Continue to define more granular settings to provide QoS for Clear Text and Tunneled Traffic. Settings configured on the Clear Text Traffic tab and the Tunneled Traffic tab automatically override the default profile settings for clear text and tunneled traffic on the Physical Interface tab.
   Select Clear Text Traffic and:
   - Set the Egress Guaranteed and Egress Max bandwidths for clear text traffic.
   - Click Add and apply a QoS profile rule to enforce clear text traffic based on source interface and source subnet.
   Select Tunneled Traffic and:
   - Set the Egress Guaranteed and Egress Max bandwidths for tunneled traffic.
   - Click Add and attach a QoS profile rule to a single tunnel interface.
8. Click OK.
Step 6
Commit the configuration.
Step 7
Verify a QoS configuration.
Class 2 traffic is limited to 2 Mbps of guaranteed bandwidth and a maximum bandwidth of 50 Mbps.
Continue to click the tabs to display further information regarding applications, source users, destination users, security rules and QoS rules.
Bandwidth limits shown on the QoS Statistics window include a hardware adjustment factor.
QualityofService
ConfigureQoSforaVirtualSystem
ConfigureQoSforaVirtualSystem
QoScanbeconfiguredforasingleorseveralvirtualsystemsconfiguredonaPaloAltoNetworksfirewall.
Becauseavirtualsystemisanindependentfirewall,QoSmustbeconfiguredindependentlyforasingle
virtualsystem.
ConfiguringQoSforavirtualsystemissimilartoconfiguringQoSonaphysicalfirewall,withtheexception
thatconfiguringQoSforavirtualsystemrequiresspecifyingthesourceanddestinationoftraffic.Because
avirtualsystemexistswithoutsetphysicalboundariesandbecausetrafficinavirtualenvironmentspans
morethanonevirtualsystem,specifyingsourceanddestinationzonesandinterfacesfortrafficisnecessary
tocontrolandshapetrafficforasinglevirtualsystem.
Theexamplebelowshowstwovirtualsystemsconfiguredonfirewall.VSYS1(purple)andVSYS2(red)each
haveQoSconfiguredtoprioritizeorlimittwodistincttrafficflows,indicatedbytheircorrespondingpurple
(VSYS1)andred(VSYS2)lines.TheQoSnodesindicatethepointsattrafficismatchedtoaQoSpolicyand
assignedaQoSclassofservice,andthenlaterindicatethepointatwhichtrafficisshapedasitegressesthe
firewall.
RefertoVirtualSystemsforinformationonVirtualSystemsandhowtoconfigurethem.
ConfigureQoSinaVirtualSystemEnvironment
Step1
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 601
ConfigureQoSforaVirtualSystem
QualityofService
ConfigureQoSinaVirtualSystemEnvironment
Step2
IdentifytraffictoapplyQoSto.
Clickanyapplicationnametodisplaydetailedapplication
information.
Step3
Identifytheegressinterfacefor
applicationsthatyouidentifiedas
needingQoStreatment.
Inavirtualsystemenvironment,QoSis
appliedtotrafficonthetrafficsegress
pointonthevirtualsystem.Depending
theconfigurationandQoSpolicyfora
virtualsystem,theegresspointofQoS
trafficcouldbeassociatedwitha
physicalinterfaceorcouldbeazone.
Thisexampleshowshowtolimit
webbrowsingtrafficonvsys1.
Clickthespyglassicontotheleftofanyentrytodisplaya
detailedlogthatincludestheapplicationsegressinterface,as
wellassourceanddestinationzones,intheSourceand
Destinationsections:
Forexample,forwebbrowsingtrafficfromVSYS1,theingress
interfaceisethernet1/2,theegressinterfaceisethernet1/1,the
sourcezoneistrustandthedestinationzoneisuntrust.
602 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
QualityofService
ConfigureQoSforaVirtualSystem
ConfigureQoSinaVirtualSystemEnvironment
Step 4
Create a QoS Profile.
You can edit any existing QoS Profile, including the default, by clicking the profile name.
1.
2. Enter a descriptive Profile Name.
3. Enter an Egress Max to set the overall bandwidth allocation for the QoS profile.
4.
5. In the Classes section of the QoS Profile, specify how to treat up to eight individual QoS classes:
a. Click Add to add a class to the QoS Profile.
b. Select the Priority for the class.
c. Enter an Egress Max for a class to set the overall bandwidth limit for that individual class.
d. Enter an Egress Guaranteed for the class to set the guaranteed bandwidth for that individual class.
6. Click OK to save the QoS profile.
Step 5
Create a QoS policy.
In an environment with multiple virtual systems, traffic spans more than one virtual system. Because of this, when you are enabling QoS for a virtual system, you must define traffic to receive QoS treatment based on source and destination zones. This ensures that the traffic is prioritized and shaped only for that virtual system (and not for other virtual systems through which the traffic might flow).
1.
2.
3.
4. Select Source and Add the source zone of vsys1 web-browsing traffic.
5. Select Destination and Add the destination zone of vsys1 web-browsing traffic.
6.
7. Click OK to save the QoS policy rule.
Step 6
Enable the QoS Profile on a physical interface.
It is a best practice to always define the Egress Max value for a QoS interface.
1.
2.
3. On the Physical Interface tab, select the default QoS profile to apply to all Clear Text traffic. (Optional) Use the Tunnel Interface field to apply a default QoS profile to all tunneled traffic.
4.
5.
6. Click OK to save changes.
7. Commit the changes.
Step 7
Verify QoS configuration.
Enforce QoS Based on DSCP Classification
A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request (for example) high priority or best effort delivery for traffic. Session-Based DSCP Classification allows you both to honor DSCP values for incoming traffic and to mark a session with a DSCP value as session traffic exits the firewall. This enables all inbound and outbound traffic for a session to receive continuous QoS treatment as it flows through your network. For example, inbound return traffic from an external server can now be treated with the same QoS priority that the firewall initially enforced for the outbound flow, based on the DSCP value the firewall detected at the beginning of the session. Network devices between the firewall and the end user will also then enforce the same priority for the return traffic (and any other outbound or inbound traffic for the session).
Different types of DSCP markings indicate different levels of service:
Apply QoS Based on DSCP/ToS Marking
Step 1
Perform the preliminary steps to Configure QoS.
Step 2
Define the traffic to receive QoS treatment based on DSCP value.
1.
2.
3. Add the DSCP/ToS codepoints for which you want to enforce QoS.
4. Select the Type of DSCP/ToS marking for the QoS rule to match to traffic:
It is a best practice to use a single DSCP type to manage and prioritize your network traffic.
5. Match the QoS policy to traffic on a more granular scale by specifying the Codepoint value. For example, with Assured Forwarding (AF) selected as the Type of DSCP value for the policy to match, further specify an AF Codepoint value such as AF11.
When Expedited Forwarding (EF) is selected as the Type of DSCP marking, a granular Codepoint value cannot be specified. The QoS policy rule matches to traffic marked with any EF codepoint value.
6.
7. Click OK to save the QoS rule.
Step 3
Define the QoS priority for traffic to receive when it is matched to a QoS rule based on the DSCP marking detected at the beginning of a session.
1.
2.
3. Select a Priority for the class of traffic, such as high.
4. Click OK to save the QoS Profile.
Step 4
Enable QoS on an interface.
Step 5
Enable DSCP Marking.
Mark return traffic with a DSCP value, enabling the inbound flow for a session to be marked with the same DSCP value detected for the outbound flow.
1. Select Policies > Security and Add or modify a security policy.
2. Select Actions and in the QoS Marking drop-down, choose Follow-Client-to-Server-Flow.
3. Click OK to save your changes.
Completing this step enables the firewall to mark traffic with the same DSCP value that was detected at the beginning of a session (in this example, the firewall would mark return traffic with the DSCP AF11 value). While configuring QoS allows you to shape traffic as it egresses the firewall, enabling this option in a security rule allows the other network devices intermediate to the firewall and the client to continue to enforce priority for DSCP-marked traffic.
Step 6
Save the configuration.
Commit your changes.
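The DSCP field and the Follow-Client-to-Server-Flow behaviour described in the procedure above, modelled in Python as an added example; this is not code from the PAN-OS guide or from the product. The Packet class and the session table are constructed stand-ins and an assumption about how the marking is tracked; the DSCP bit layout itself (six bits above the two ECN bits, AFxy with the class in the top three bits and the drop precedence in the next two, EF equal to 46) is the standard one, so AF11 from the procedure decodes to DSCP 10, ToS byte 0x28.

```python
"""DSCP decoding and session-based DSCP re-marking (added illustration)."""
from dataclasses import dataclass

# DSCP is the upper six bits of the IPv4 ToS / IPv6 Traffic Class byte;
# the lowest two bits carry ECN and are preserved when a packet is re-marked.
EF_CODEPOINT = 46  # 101110b


def dscp_from_tos(tos: int) -> int:
    """Extract the 6-bit DSCP field from a ToS / Traffic Class byte."""
    return (tos >> 2) & 0x3F


def dscp_name(dscp: int) -> str:
    """Return the per-hop-behaviour name (AFxy, EF, CSx, default) of a DSCP value."""
    if dscp == 0:
        return "default"
    if dscp == EF_CODEPOINT:
        return "EF"
    if dscp & 0b111 == 0:                      # class selector: xxx000
        return f"CS{dscp >> 3}"
    af_class, drop_prec = dscp >> 3, (dscp >> 1) & 0b11
    if 1 <= af_class <= 4 and 1 <= drop_prec <= 3 and dscp & 1 == 0:
        return f"AF{af_class}{drop_prec}"   # AF11 = 001010b = 10
    return f"unassigned({dscp})"


@dataclass(frozen=True)
class Packet:
    """Constructed packet stand-in: only the fields needed for session matching."""
    src: str
    dst: str
    sport: int
    dport: int
    tos: int


class SessionDscpMarker:
    """Remembers the DSCP of each session's first client-to-server packet and
    re-marks server-to-client packets with it. This models the guide's
    Follow-Client-to-Server-Flow action; the table layout is an assumption."""

    def __init__(self) -> None:
        self._sessions = {}   # (src, dst, sport, dport) of the c2s direction -> DSCP

    def process(self, pkt: Packet) -> int:
        """Return the ToS byte the packet should carry when it leaves the firewall."""
        c2s = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        s2c = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if c2s in self._sessions:                 # later client-to-server packet
            return pkt.tos
        if s2c in self._sessions:                 # return packet: follow c2s marking
            return (self._sessions[s2c] << 2) | (pkt.tos & 0b11)
        self._sessions[c2s] = dscp_from_tos(pkt.tos)   # first packet opens the session
        return pkt.tos


if __name__ == "__main__":
    marker = SessionDscpMarker()
    # Constructed flow: the client sends AF11 (DSCP 10, ToS 0x28); the server replies unmarked.
    request = Packet("10.0.0.5", "203.0.113.10", 50000, 443, 0x28)
    reply = Packet("203.0.113.10", "10.0.0.5", 443, 50000, 0x00)
    print(dscp_name(dscp_from_tos(marker.process(request))))   # AF11
    print(hex(marker.process(reply)))                           # 0x28
```

The return packet leaves with the same DSCP the client used, which is what lets the devices between the firewall and the client apply the same priority to both directions of the session.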
QoS Use Cases
The following use cases demonstrate how to use QoS in common scenarios:
Use Case: QoS for a Single User
Use Case: QoS for Voice and Video Applications
Apply QoS to a Single User
Step 1
The admin creates the QoS profile CEO_traffic to define how traffic originating from the CEO will be treated and shaped as it flows out of the company network:
The admin assigns a guaranteed bandwidth (Egress Guaranteed) of 50 Mbps to ensure that the CEO will have that amount of bandwidth guaranteed to her at all times (more than she would need to use), regardless of network congestion.
The admin continues by designating Class 1 traffic as high priority and sets the profile's maximum bandwidth usage (Egress Max) to 1000 Mbps, the same maximum bandwidth as the interface that the admin will enable QoS on. The admin is choosing not to restrict the CEO's bandwidth usage in any way.
It is a best practice to populate the Egress Max field for a QoS profile, even if the max bandwidth of the profile matches the max bandwidth of the interface. The QoS profile's max bandwidth should never exceed the max bandwidth of the interface you are planning to enable QoS on.
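A consistency check for QoS profiles such as the one built in Step 4 of the virtual-system procedure and the CEO_traffic profile above, written in Python as an added example; it is not code from the guide or from PAN-OS. The rules that a profile holds up to eight classes, that each class has a priority, an Egress Max and an Egress Guaranteed, and that the profile's Egress Max should be set and never exceed the interface maximum come from the text. The data model, the priority names, and the check that the guaranteed bandwidth across classes stays within the profile's Egress Max are assumptions.

```python
"""Pre-commit sanity checks for a QoS profile (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

PRIORITIES = ("real-time", "high", "medium", "low")   # assumed priority names


@dataclass
class QosClass:
    number: int                                 # class 1 .. class 8
    priority: str
    egress_max_mbps: Optional[float] = None     # bandwidth limit for this class
    egress_guaranteed_mbps: float = 0.0         # bandwidth reserved for this class


@dataclass
class QosProfile:
    name: str
    egress_max_mbps: Optional[float]            # overall allocation for the profile
    classes: List[QosClass] = field(default_factory=list)


def validate_profile(profile: QosProfile, interface_max_mbps: float) -> List[str]:
    """Return a list of problems; an empty list means the profile is consistent."""
    problems: List[str] = []
    cap = profile.egress_max_mbps

    if cap is None:
        problems.append(f"{profile.name}: Egress Max is not set (set it even when it equals the interface maximum)")
    elif cap > interface_max_mbps:
        problems.append(f"{profile.name}: Egress Max {cap} Mbps exceeds interface maximum {interface_max_mbps} Mbps")

    if len(profile.classes) > 8:
        problems.append(f"{profile.name}: {len(profile.classes)} classes defined, maximum is 8")

    seen = set()
    total_guaranteed = 0.0
    for cls in profile.classes:
        tag = f"{profile.name}/class{cls.number}"
        if cls.number in seen:
            problems.append(f"{tag}: class number used more than once")
        seen.add(cls.number)
        if not 1 <= cls.number <= 8:
            problems.append(f"{tag}: class number must be 1-8")
        if cls.priority not in PRIORITIES:
            problems.append(f"{tag}: unknown priority {cls.priority!r}")
        if cap is not None and cls.egress_max_mbps is not None and cls.egress_max_mbps > cap:
            problems.append(f"{tag}: class Egress Max {cls.egress_max_mbps} Mbps exceeds profile Egress Max {cap} Mbps")
        if cls.egress_max_mbps is not None and cls.egress_guaranteed_mbps > cls.egress_max_mbps:
            problems.append(f"{tag}: Egress Guaranteed {cls.egress_guaranteed_mbps} Mbps exceeds class Egress Max {cls.egress_max_mbps} Mbps")
        total_guaranteed += cls.egress_guaranteed_mbps

    # Assumption: reservations across classes should not add up to more than the profile allows.
    if cap is not None and total_guaranteed > cap:
        problems.append(f"{profile.name}: guaranteed bandwidth across classes ({total_guaranteed} Mbps) exceeds profile Egress Max {cap} Mbps")
    return problems


# The two profiles from this chapter's use cases, on a 1000 Mbps interface.
CEO_TRAFFIC = QosProfile("CEO_traffic", 1000, [QosClass(1, "high", None, 50)])
VOIP_VIDEO = QosProfile("ensure-voip-video-traffic", 1000, [QosClass(2, "real-time", None, 250)])

# A constructed profile that breaks the rules: larger than the link, over-reserved, duplicate class.
OVERSUBSCRIBED = QosProfile("bad", 1500, [QosClass(1, "high", 800, 900),
                                          QosClass(1, "urgent", None, 700)])

if __name__ == "__main__":
    for p in (CEO_TRAFFIC, VOIP_VIDEO, OVERSUBSCRIBED):
        print(p.name, validate_profile(p, 1000) or "ok")
```

Running the check with the interface maximum as its second argument catches the case the best-practice note warns about (a profile Egress Max larger than the interface) before the profile is attached to an interface.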
Step 2
The admin creates a QoS policy to identify the CEO's traffic (Policies > QoS) and assigns it the class that he defined in the QoS profile (see Step 1). Because User-ID is configured, the admin uses the Source tab in the QoS policy to singularly identify the CEO's traffic by her company network username. (If User-ID is not configured, the administrator could Add the CEO's IP address under Source Address. See User-ID.):
Step 3
Because the admin wants to ensure that all traffic originating from the CEO is guaranteed by the QoS profile and associated QoS policy he created, he selects the CEO_traffic profile to apply to Clear Text traffic flowing from ethernet1/2.
Step 4
He clicks Statistics to view how traffic originating with the CEO (Class 1) is being shaped as it flows from ethernet1/2:
This case demonstrates how to apply QoS to traffic originating from a single source user. However, if you also wanted to guarantee or shape traffic to a destination user, you could configure a similar QoS setup. Instead of, or in addition to, this workflow, create a QoS policy that specifies the user's IP address as the Destination Address on the Policies > QoS page (instead of specifying the user's source information) and then enable QoS on the network's internal-facing interface on the Network > QoS page (instead of the external-facing interface).
In this example, employees at a company branch office are experiencing difficulties and unreliability in using video conferencing and Voice over IP (VoIP) technologies to conduct business communications with other branch offices, with partners, and with customers. An IT admin intends to implement QoS in order to address these issues and ensure effective and reliable business communication for the branch employees. Because the admin wants to guarantee QoS for both incoming and outgoing network traffic, he will enable QoS on both the firewall's internal- and external-facing interfaces.
Ensure Quality for Voice and Video Applications
Step 1
The admin creates a QoS profile, defining Class 2 so that Class 2 traffic receives real-time priority and, on an interface with a maximum bandwidth of 1000 Mbps, is guaranteed a bandwidth of 250 Mbps at all times, including peak periods of network usage.
Real-time priority is typically recommended for applications affected by latency, and is particularly useful in guaranteeing performance and quality of voice and video applications.
On the firewall web interface, the admin selects the Network > Network Profiles > QoS Profile page, clicks Add, enters the Profile Name ensure-voip-video-traffic and defines Class 2 traffic.
Step 2
The admin creates a QoS policy to identify voice and video traffic. Because the company does not have one standard voice and video application, the admin wants to ensure QoS is applied to a few applications that are widely and regularly used by employees to communicate with other offices, with partners, and with customers.
On the Policies > QoS > QoS Policy Rule > Applications tab, the admin clicks Add and opens the Application Filter window. The admin continues by selecting criteria to filter the applications he wants to apply QoS to, choosing the Subcategory voip-video, and narrowing that down by specifying only voip-video applications that are both low risk and widely used.
The application filter is a dynamic tool that, when used to filter applications in the QoS policy, allows QoS to be applied to all applications that meet the criteria of voip-video, low risk, and widely used at any given time.
The admin names the Application Filter voip-video-low-risk and includes it in the QoS policy:
The admin names the QoS policy VoiceVideo and selects Other Settings to assign all traffic matched to the policy Class 2. He is going to use the VoiceVideo QoS policy for both incoming and outgoing QoS traffic, so he sets Source and Destination information to Any:
Step 3
Because the admin wants to ensure QoS for both incoming and outgoing voice and video communications, he enables QoS on the network's external-facing interface (to apply QoS to outgoing communications) and on the internal-facing interface (to apply QoS to incoming communications).
The admin begins by enabling the QoS profile he created, ensure-voip-video-traffic (Class 2 in this profile is associated with the policy VoiceVideo), on the external-facing interface, in this case ethernet1/2.
He then enables the same QoS profile, ensure-voip-video-traffic, on a second interface, the internal-facing interface (in this case, ethernet1/1).
Step 4
The admin has successfully enabled QoS on both the network's internal- and external-facing interfaces. Real-time priority is now ensured for voice and video application traffic as it flows both into and out of the network, ensuring that these communications, which are particularly sensitive to latency and jitter, can be used reliably and effectively to perform both internal and external business communications.
VPNs
Virtual private networks (VPNs) create tunnels that allow users/systems to connect securely over a public network, as if they were connecting over a local area network (LAN). To set up a VPN tunnel, you need a pair of devices that can authenticate each other and encrypt the flow of information between them. The devices can be a pair of Palo Alto Networks firewalls, or a Palo Alto Networks firewall along with a VPN-capable device from another vendor.
VPN Deployments
Site-to-Site VPN Overview
Site-to-Site VPN Concepts
Set Up Site-to-Site VPN
Site-to-Site VPN Quick Configs
VPN Deployments
The Palo Alto Networks firewall supports the following VPN deployments:
Site-to-Site VPN: A simple VPN that connects a central site and a remote site, or a hub-and-spoke VPN that connects a central site with multiple remote sites. The firewall uses the IP Security (IPSec) set of protocols to set up a secure tunnel for the traffic between the two sites. See Site-to-Site VPN Overview.
Remote User-to-Site VPN: A solution that uses the GlobalProtect agent to allow a remote user to establish a secure connection through the firewall. This solution uses SSL and IPSec to establish a secure connection between the user and the site. Refer to the GlobalProtect Administrator's Guide.
Large Scale VPN: The Palo Alto Networks GlobalProtect Large Scale VPN (LSVPN) provides a simplified mechanism to roll out a scalable hub-and-spoke VPN with up to 1,024 satellite offices. The solution requires Palo Alto Networks firewalls to be deployed at the hub and at every spoke. It uses certificates for device authentication, SSL for securing communication between all components, and IPSec to secure data. See Large Scale VPN (LSVPN).
Figure: VPN Deployments
Site-to-Site VPN Overview
A VPN connection that allows you to connect two Local Area Networks (LANs) is called a site-to-site VPN. You can configure route-based VPNs to connect Palo Alto Networks firewalls located at two sites or to connect a Palo Alto Networks firewall with a third-party security device at another location. The firewall can also interoperate with third-party policy-based VPN devices; the Palo Alto Networks firewall supports route-based VPN.
The Palo Alto Networks firewall sets up a route-based VPN, where the firewall makes a routing decision based on the destination IP address. If traffic is routed to a specific destination through a VPN tunnel, then it is handled as VPN traffic.
The IP Security (IPSec) set of protocols is used to set up a secure tunnel for the VPN traffic, and the information in the TCP/IP packet is secured (and encrypted if the tunnel type is ESP). The IP packet (header and payload) is embedded in another IP payload, and a new header is applied and then sent through the IPSec tunnel. The source IP address in the new header is that of the local VPN peer and the destination IP address is that of the VPN peer on the far end of the tunnel. When the packet reaches the remote VPN peer (the firewall at the far end of the tunnel), the outer header is removed and the original packet is sent to its destination.
In order to set up the VPN tunnel, first the peers need to be authenticated. After successful authentication, the peers negotiate the encryption mechanism and algorithms to secure the communication. The Internet Key Exchange (IKE) process is used to authenticate the VPN peers, and IPSec Security Associations (SAs) are defined at each end of the tunnel to secure the VPN communication. IKE uses digital certificates or preshared keys, and the Diffie-Hellman keys, to set up the SAs for the IPSec tunnel. The SAs specify all of the parameters that are required for secure transmission, including the security parameter index (SPI), security protocol, cryptographic keys, and the destination IP address, as well as encryption, data authentication, data integrity, and endpoint authentication.
The following figure shows a VPN tunnel between two sites. When a client that is secured by VPN Peer A needs content from a server located at the other site, VPN Peer A initiates a connection request to VPN Peer B. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure connection and authenticate VPN Peer B. Then, VPN Peer A establishes the VPN tunnel using the IPSec Crypto profile, which defines the IKE phase 2 parameters to allow the secure transfer of data between the two sites.
Figure: Site-to-Site VPN
Site-to-Site VPN Concepts
A VPN connection provides secure access to information between two or more sites. In order to provide secure access to resources and reliable connectivity, a VPN connection needs the following components:
IKE Gateway
Tunnel Interface
Tunnel Monitoring
Internet Key Exchange (IKE) for VPN
IKEv2
IKE Gateway
The Palo Alto Networks firewalls, or a firewall and another security device, that initiate and terminate VPN connections across the two networks are called the IKE Gateways. To set up the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP address (static or dynamic) or FQDN. The VPN peers use preshared keys or certificates to mutually authenticate each other.
The peers must also negotiate the mode (main or aggressive) for setting up the VPN tunnel and the SA lifetime in IKE Phase 1. Main mode protects the identity of the peers and is more secure because more packets are exchanged when setting up the tunnel. Main mode is the recommended mode for IKE negotiation if both peers support it. Aggressive mode uses fewer packets to set up the VPN tunnel and is hence faster but a less secure option for setting up the VPN tunnel.
See Set Up an IKE Gateway for configuration details.
Tunnel Interface
To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical (virtual) interface that is used to deliver traffic between two endpoints. If you configure any proxy IDs, the proxy ID is counted toward any IPSec tunnel capacity.
The tunnel interface must belong to a security zone to apply policy, and it must be assigned to a virtual router in order to use the existing routing infrastructure. Ensure that the tunnel interface and the physical interface are assigned to the same virtual router so that the firewall can perform a route lookup and determine the appropriate tunnel to use.
Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an external zone, for example the untrust zone. While the tunnel interface can be in the same security zone as the physical interface, for added security and better visibility you can create a separate zone for the tunnel interface. If you create a separate zone for the tunnel interface, say a VPN zone, you will need to create security policies to enable traffic to flow between the VPN zone and the trust zone.
To route traffic between the sites, a tunnel interface does not require an IP address. An IP address is only required if you want to enable tunnel monitoring or if you are using a dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next-hop IP address for routing traffic to the VPN tunnel.
If you are configuring the Palo Alto Networks firewall with a VPN peer that performs policy-based VPN, you must configure a local and remote Proxy ID when setting up the IPSec tunnel. Each peer compares the Proxy IDs configured on it with what is actually received in the packet in order to allow a successful IKE phase 2 negotiation. If multiple tunnels are required, configure unique Proxy IDs for each tunnel interface; a tunnel interface can have a maximum of 250 Proxy IDs. Each Proxy ID counts towards the IPSec VPN tunnel capacity of the firewall, and the tunnel capacity varies by the firewall model.
See Set Up an IPSec Tunnel for configuration details.
Tunnel Monitoring
For a VPN tunnel, you can check connectivity to a destination IP address across the tunnel. The network monitoring profile on the firewall allows you to verify connectivity (using ICMP) to a destination IP address or a next hop at a specified polling interval, and to specify an action on failure to access the monitored IP address.
If the destination IP is unreachable, you either configure the firewall to wait for the tunnel to recover or configure automatic failover to another tunnel. In either case, the firewall generates a system log that alerts you to a tunnel failure and renegotiates the IPSec keys to accelerate recovery.
See Set Up Tunnel Monitoring for configuration details.
Internet Key Exchange (IKE) for VPN
The IKE process allows the VPN peers at both ends of the tunnel to encrypt and decrypt packets using mutually agreed-upon keys or certificates and method of encryption. The IKE process occurs in two phases: IKE Phase 1 and IKE Phase 2. Each of these phases uses keys and encryption algorithms that are defined using cryptographic profiles (the IKE crypto profile and the IPSec crypto profile), and the result of the IKE negotiation is a Security Association (SA). An SA is a set of mutually agreed-upon keys and algorithms that are used by both VPN peers to allow the flow of data across the VPN tunnel. The following illustration depicts the key exchange process for setting up the VPN tunnel:
IKE Phase 1
In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports the use of preshared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Preshared keys are a simple solution for securing smaller networks because they do not require the support of a PKI infrastructure. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.
When using certificates, make sure that the CA issuing the certificate is trusted by both gateway peers and that the maximum length of certificates in the certificate chain is 5 or less. With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to 5 certificates in the certificate chain and successfully establish a VPN tunnel.
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
Diffie-Hellman (DH) group for generating symmetrical keys for IKE.
The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share. The DH groups supported on the firewall are: Group 1 (768 bits), Group 2 (1024 bits, default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group).
Authentication algorithms: sha1, sha256, sha384, sha512, or md5
Encryption algorithms: 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des
IKE Phase 2
After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.
IPSec uses the following protocols to enable secure communication:
Encapsulating Security Payload (ESP): Allows you to encrypt the entire IP packet, and authenticate the source and verify integrity of the data. While ESP requires that you encrypt and authenticate the packet, you can choose to only encrypt or only authenticate by setting the encryption option to Null; using encryption without authentication is discouraged.
Authentication Header (AH): Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.
Algorithms Supported for IPSec Authentication and Encryption
DH Group:
Group 1 (768 bits)
Group 2 (1024 bits, the default)
Group 5 (1536 bits)
Group 14 (2048 bits)
Group 19 (256-bit elliptic curve group)
Group 20 (384-bit elliptic curve group)
no-pfs: By default, perfect forward secrecy (PFS) is enabled, which means a new DH key is generated in IKE phase 2 using one of the groups listed above. This key is independent of the keys exchanged in IKE phase 1 and provides better data transfer security. If you select no-pfs, the DH key created at phase 1 is not renewed and a single key is used for the IPSec SA negotiations. Both VPN peers must be enabled or disabled for PFS.
Encryption (ESP only):
3des: Triple Data Encryption Standard (3DES) with a security strength of 112 bits
aes-128-cbc: Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
aes-192-cbc: AES using CBC with a security strength of 192 bits
aes-256-cbc: AES using CBC with a security strength of 256 bits
aes-128-ccm: AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
aes-128-gcm: AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
aes-256-gcm: AES using GCM with a security strength of 256 bits
des: Data Encryption Standard (DES) with a security strength of 56 bits
Authentication:
ESP: md5, sha1, sha256, sha384, sha512
AH: sha1, sha256, sha384, sha512
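The algorithm lists for the IKE Crypto profile (above, under IKE Phase 1) and the IPSec table here can be audited for the choices a reviewer would flag before a tunnel is built. The following Python block is an added example, not code from the guide or from PAN-OS. The hyphenated algorithm names (aes-256-gcm, group14) follow the CLI spelling and are an assumption, as is treating md5 and sha1 as deprecated; the remaining facts it relies on are the ones this section states: DES has a 56-bit security strength, 3DES 112 bits, Group 1 and Group 2 are 768- and 1024-bit groups, no-pfs reuses the Phase 1 key, and encryption without authentication is discouraged.

```python
"""Audit IKE and IPSec crypto profile settings for weak choices (added example)."""
from dataclasses import dataclass, field
from typing import List

# Names are spelled as the PAN-OS CLI writes them (assumption); findings quote the guide.
WEAK_ENCRYPTION = {
    "des": "DES has a security strength of only 56 bits",
    "3des": "3DES has a security strength of only 112 bits",
    "null": "null encryption provides no confidentiality",
}
WEAK_AUTH = {
    "md5": "MD5 is collision-broken and deprecated",
    "sha1": "SHA-1 is deprecated; prefer sha256 or stronger",
}
WEAK_DH = {
    "group1": "768-bit MODP group, far below current minimums",
    "group2": "1024-bit MODP group (the default) is too small for new deployments",
}
AEAD = {"aes-128-gcm", "aes-256-gcm", "aes-128-ccm"}   # these carry their own integrity check


@dataclass
class CryptoProfile:
    name: str
    kind: str                                       # "ike" or "ipsec"
    dh_groups: List[str] = field(default_factory=list)
    encryption: List[str] = field(default_factory=list)
    authentication: List[str] = field(default_factory=list)
    pfs: bool = True                                # IPSec profiles only; False means no-pfs


def audit_profile(p: CryptoProfile) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for g in p.dh_groups:
        if g in WEAK_DH:
            findings.append(f"{p.name}: DH {g}: {WEAK_DH[g]}")
    for e in p.encryption:
        if e in WEAK_ENCRYPTION:
            findings.append(f"{p.name}: encryption {e}: {WEAK_ENCRYPTION[e]}")
    for a in p.authentication:
        if a in WEAK_AUTH:
            findings.append(f"{p.name}: authentication {a}: {WEAK_AUTH[a]}")
    # ESP with a non-AEAD cipher and no authentication algorithm is the
    # "encryption without authentication" configuration the guide discourages.
    non_aead = [e for e in p.encryption if e not in AEAD and e != "null"]
    if p.kind == "ipsec" and non_aead and not p.authentication:
        findings.append(f"{p.name}: {', '.join(non_aead)} configured without an authentication algorithm")
    if p.kind == "ipsec" and not p.pfs:
        findings.append(f"{p.name}: no-pfs reuses the Phase 1 DH key for every IPSec SA")
    return findings


# Constructed profiles: a legacy IPSec profile, an older IKE profile, and a modern IPSec profile.
LEGACY = CryptoProfile("legacy-ipsec", "ipsec", ["group2"], ["3des"], [], pfs=False)
IKE_OLD = CryptoProfile("ike-old", "ike", ["group2"], ["aes-128-cbc"], ["sha1"])
MODERN = CryptoProfile("modern-ipsec", "ipsec", ["group14", "group19"], ["aes-256-gcm"], [])

if __name__ == "__main__":
    for profile in (LEGACY, IKE_OLD, MODERN):
        for line in audit_profile(profile) or [f"{profile.name}: no findings"]:
            print(line)
```

An AEAD cipher such as aes-256-gcm needs no separate authentication algorithm, so the modern profile is not flagged for an empty authentication list; a CBC cipher with an empty list is.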
Methods of Securing IPSec VPN Tunnels (IKE Phase 2)
IPSec VPN tunnels can be secured using manual keys or auto keys. In addition, IPSec configuration options include the Diffie-Hellman Group for key agreement, and/or an encryption algorithm and a hash for message authentication.
Manual Key: Manual key is typically used if the Palo Alto Networks firewall is establishing a VPN tunnel with a legacy device, or if you want to reduce the overhead of generating session keys. If using manual keys, the same key must be configured on both peers.
Manual keys are not recommended for establishing a VPN tunnel because the session keys can be compromised when relaying the key information between the peers; if the keys are compromised, the data transfer is no longer secure.
Auto Key: Auto Key allows you to automatically generate keys for setting up and maintaining the IPSec tunnel based on the algorithms defined in the IPSec Crypto profile.
IKEv2
An IPSec VPN gateway uses IKEv1 or IKEv2 to negotiate the IKE security association (SA) and IPSec tunnel. IKEv2 is defined in RFC 5996.
Unlike IKEv1, which uses a Phase 1 SA and a Phase 2 SA, IKEv2 uses a child SA for Encapsulating Security Payload (ESP) or Authentication Header (AH), which is set up with an IKE SA.
NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device.
IKEv2 provides the following benefits over IKEv1:
Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either nine messages (in main mode) or six messages (in aggressive mode).
Built-in NAT-T functionality improves compatibility between vendors.
Built-in health check automatically re-establishes a tunnel if it goes down. The liveness check replaces the Dead Peer Detection used in IKEv1.
Supports traffic selectors (one per exchange). The traffic selectors are used in IKE negotiations to control what traffic can access the tunnel.
Supports Hash and URL certificate exchange to reduce fragmentation.
Resiliency against DoS attacks with improved peer validation. An excessive number of half-open SAs can trigger cookie validation.
Before configuring IKEv2, you should be familiar with the following concepts:
Liveness Check
Cookie Activation Threshold and Strict Cookie Validation
Traffic Selectors
Hash and URL Certificate Exchange
SA Key Lifetime and Re-Authentication Interval
After you Set Up an IKE Gateway, if you chose IKEv2, perform the following optional tasks related to IKEv2 as required by your environment:
Export a Certificate for a Peer to Access Using Hash and URL
Import a Certificate for IKEv2 Gateway Authentication
Change the Key Lifetime or Authentication Interval for IKEv2
Change the Cookie Activation Threshold for IKEv2
Configure IKEv2 Traffic Selectors
Liveness Check
The liveness check for IKEv2 is similar to Dead Peer Detection (DPD), which IKEv1 uses as the way to determine whether a peer is still available.
In IKEv2, the liveness check is achieved by any IKEv2 packet transmission or an empty informational message that the gateway sends to the peer at a configurable interval, five seconds by default. If necessary, the sender attempts the retransmission up to ten times. If it doesn't get a response, the sender closes and deletes the IKE_SA and corresponding CHILD_SAs. The sender will start over by sending out another IKE_SA_INIT message.
Cookie Activation Threshold and Strict Cookie Validation
Cookie validation is always enabled for IKEv2; it helps protect against half-SA DoS attacks. You can configure the global threshold number of half-open SAs that will trigger cookie validation. You can also configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA.
Traffic Selectors
In IKEv1, a firewall that has a route-based VPN needs to use a local and remote Proxy ID in order to set up an IPSec tunnel. Each peer compares its Proxy IDs with what it received in the packet in order to successfully negotiate IKE Phase 2. IKE Phase 2 is about negotiating the SAs to set up an IPSec tunnel. (For more information on Proxy IDs, see Tunnel Interface.)
In IKEv2, you can Configure IKEv2 Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; otherwise, one side narrows its address range to reach agreement. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented.
The IPv4 and IPv6 traffic selectors are:
Source IP address: A network prefix, address range, specific host, or wildcard.
Destination IP address: A network prefix, address range, specific host, or wildcard.
Protocol: A transport protocol, such as TCP or UDP.
Source port: The port where the packet originated.
Destination port: The port the packet is destined for.
During IKE negotiation, there can be multiple traffic selectors for different networks and protocols. For example, the Initiator might indicate that it wants to send TCP packets from 172.168.0.0/16 through the tunnel to its peer, destined for 198.5.0.0/16. It also wants to send UDP packets from 172.17.0.0/16 through the same tunnel to the same gateway, destined for 0.0.0.0 (any network). The peer gateway must agree to these traffic selectors so that it knows what to expect.
It is possible that one gateway will start negotiation using a traffic selector that is a more specific IP address than the IP address of the other gateway.
For example, gateway A offers a source IP address of 172.16.0.0/16 and a destination IP address of 192.16.0.0/16. But gateway B is configured with 0.0.0.0 (any source) as the source IP address and 0.0.0.0 (any destination) as the destination IP address. Therefore, gateway B narrows down its source IP address to 192.16.0.0/16 and its destination address to 172.16.0.0/16. Thus, the narrowing down accommodates the addresses of gateway A, and the traffic selectors of the two gateways are in agreement.
If gateway B (configured with source IP address 0.0.0.0) is the Initiator instead of the Responder, gateway A will respond with its more specific IP addresses, and gateway B will narrow down its addresses to reach agreement.
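The narrowing rule from the gateway A / gateway B example, implemented with Python's ipaddress module as an added example; this is not PAN-OS code. A selector is written from one gateway's point of view (local network, remote network, protocol), so the responder's local side is compared with the initiator's remote side and vice versa. Port ranges are left out to keep the model small (an assumption), and returning None for disjoint proposals stands in for the TS_UNACCEPTABLE notification IKEv2 uses when no overlap exists.

```python
"""IKEv2 traffic selector narrowing (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class TrafficSelector:
    local_net: str       # network behind this gateway
    remote_net: str      # network behind the peer
    protocol: int = 0    # 0 = any, 6 = TCP, 17 = UDP

    def mirrored(self) -> "TrafficSelector":
        """The same agreement as the peer sees it (local and remote swapped)."""
        return TrafficSelector(self.remote_net, self.local_net, self.protocol)


def _narrow_net(a: str, b: str):
    """Return the more specific of two overlapping prefixes, or None if they are disjoint."""
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    if na.subnet_of(nb):
        return na
    if nb.subnet_of(na):
        return nb
    return None


def _narrow_proto(a: int, b: int) -> Optional[int]:
    """'Any' (0) yields to the specific protocol; two different specific protocols do not overlap."""
    if a == 0:
        return b
    if b == 0:
        return a
    return a if a == b else None


def negotiate(initiator: TrafficSelector,
              responder: TrafficSelector) -> Optional[Tuple[TrafficSelector, TrafficSelector]]:
    """Return (initiator_view, responder_view) of the agreed selector, or None when
    the proposals do not overlap (the responder would answer TS_UNACCEPTABLE)."""
    local = _narrow_net(responder.local_net, initiator.remote_net)
    remote = _narrow_net(responder.remote_net, initiator.local_net)
    proto = _narrow_proto(responder.protocol, initiator.protocol)
    if local is None or remote is None or proto is None:
        return None
    agreed = TrafficSelector(str(local), str(remote), proto)
    return agreed.mirrored(), agreed


# The guide's example: gateway A is specific, gateway B is configured with any/any.
GATEWAY_A = TrafficSelector("172.16.0.0/16", "192.16.0.0/16")
GATEWAY_B = TrafficSelector(ANY, ANY)

if __name__ == "__main__":
    a_view, b_view = negotiate(GATEWAY_A, GATEWAY_B)
    print("B narrows to:", b_view)                       # local 192.16.0.0/16, remote 172.16.0.0/16
    print("B as initiator:", negotiate(GATEWAY_B, GATEWAY_A)[0])
    print(negotiate(TrafficSelector("10.1.0.0/16", "10.2.0.0/16"), GATEWAY_A))   # None
```

Whichever side initiates, the agreed selector is the same: gateway B ends up with 192.16.0.0/16 as its local side and 172.16.0.0/16 as its remote side, which is gateway A's configuration seen from the other end of the tunnel.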
Hash and URL Certificate Exchange
IKEv2 supports Hash and URL Certificate Exchange, which is used during an IKEv2 negotiation of an SA. You store the certificate on an HTTP server, which is specified by a URL. The peer fetches the certificate from the server based on receiving the URL to the server. The hash is used to check whether the content of the certificate is valid or not. Thus, the two peers exchange certificates with the HTTP CA rather than with each other.
The hash part of Hash and URL reduces the message size, and thus Hash and URL is a way to reduce the likelihood of packet fragmentation during IKE negotiation. The peer receives the certificate and hash that it expects, and thus IKE Phase 1 has validated the peer. Reducing fragmentation occurrences helps protect against DoS attacks.
You can enable the Hash and URL certificate exchange when configuring an IKE gateway by selecting HTTP Certificate Exchange and entering the Certificate URL. The peer must also use Hash and URL certificate exchange in order for the exchange to be successful. If the peer cannot use Hash and URL, X.509 certificates are exchanged similarly to how they are exchanged in IKEv1.
If you enable the Hash and URL certificate exchange, you must export your certificate to the certificate server if it is not already there. When you export the certificate, the file format should be Binary Encoded Certificate (DER). See Export a Certificate for a Peer to Access Using Hash and URL.
SA Key Lifetime and Re-Authentication Interval
In IKEv2, two IKE crypto profile values, Key Lifetime and IKEv2 Authentication Multiple, control the establishment of IKEv2 IKE SAs. The key lifetime is the length of time that a negotiated IKE SA key is effective. Before the key lifetime expires, the SA must be rekeyed; otherwise, upon expiration, the SA must begin a new IKEv2 IKE SA rekey. The default value is 8 hours.
The re-authentication interval is derived by multiplying the Key Lifetime by the IKEv2 Authentication Multiple. The authentication multiple defaults to 0, which disables the re-authentication feature.
The range of the authentication multiple is 0-50. So, if you were to configure an authentication multiple of 20, for example, the system would perform re-authentication every 20 rekeys, which is every 160 hours. That means the gateway could perform Child SA creation for 160 hours before the gateway must re-authenticate with IKE to recreate the IKE SA from scratch.
In IKEv2, the Initiator and Responder gateways have their own key lifetime value, and the gateway with the shorter key lifetime is the one that will request that the SA be rekeyed.
SetUpSitetoSiteVPN
To set up site-to-site VPN:

- Make sure that your Ethernet interfaces, virtual routers, and zones are configured properly. For more information, see Configure Interfaces and Zones.
- Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate zone, so that tunneled traffic can use different policies.
- Set up static routes or assign routing protocols to redirect traffic to the VPN tunnels. To support dynamic routing (OSPF, BGP, and RIP are supported), you must assign an IP address to the tunnel interface.
- Define IKE gateways for establishing communication between the peers across each end of the VPN tunnel; also define the cryptographic profile that specifies the protocols and algorithms for identification, authentication, and encryption to be used for setting up VPN tunnels in IKEv1 Phase 1. See Set Up an IKE Gateway and Define IKE Crypto Profiles.
- Configure the parameters that are needed to establish the IPSec connection for transfer of data across the VPN tunnel; see Set Up an IPSec Tunnel. For IKEv1 Phase 2, see Define IPSec Crypto Profiles.
- (Optional) Specify how the firewall will monitor the IPSec tunnels. See Set Up Tunnel Monitoring.
- Define security policies to filter and inspect the traffic.
  If there is a deny rule at the end of the security rulebase, intrazone traffic is blocked unless otherwise allowed. Rules to allow the IKE and IPSec applications must be explicitly included above the deny rule.

When these tasks are complete, the tunnel is ready for use. Traffic destined for the zones/addresses defined in policy is automatically routed properly based on the destination route in the routing table, and handled as VPN traffic. For a few examples on site-to-site VPN, see Site-to-Site VPN Quick Configs.
For troubleshooting purposes, you can Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel.
Set Up an IKE Gateway

Step 1  Define the IKE Gateway.
  1. Select Network > IKE Gateways and click Add.
  2. Enter a Name for the gateway.

Step 2  Establish the local endpoint of the tunnel (gateway).
  1. For Address Type, click IPv4 or IPv6.
  2. Select the physical, outgoing Interface on the firewall where the local gateway resides.
  3. From the Local IP Address drop-down, select the IP address that will be used as the endpoint for the VPN connection. This is the external-facing interface with a publicly routable IP address on the firewall.

Step 3  Establish the peer at the far end of the tunnel (gateway).
  1. Select the Peer IP Type to be a Static or Dynamic address assignment.
  2. If the Peer IP Address is static, enter the IP address of the peer.

Step 4  Specify how the peer is authenticated.
  Select the Authentication method: Pre-Shared Key or Certificate.
  If you choose Pre-Shared Key, proceed to the next step. If you choose Certificate, skip to Configure certificate-based authentication (Step 6).

Step 5  Configure a pre-shared key.
  1. Enter a Pre-shared Key, which is the security key to use for authentication across the tunnel. Re-enter the value to Confirm Pre-shared Key. Use a maximum of 255 ASCII or non-ASCII characters.
     Generate a key that is difficult to crack with dictionary attacks; use a pre-shared key generator, if necessary. Use a long, randomly generated key and do not reuse the same key across gateway pairs.
  2. For Local Identification, choose from the following types and enter a value that you determine: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). Local identification defines the format and identification of the local gateway. If no value is specified, the local IP address will be used as the local identification value.
  3. For Peer Identification, choose from the following types and enter the value: FQDN (hostname), IP address, KEYID (binary format ID string in HEX), User FQDN (email address). Peer identification defines the format and identification of the peer gateway. If no value is specified, the peer IP address will be used as the peer identification value.
  4. Proceed to Step 7 and continue from there.

Step 6  Configure certificate-based authentication.
  Perform the remaining steps in this procedure if you selected Certificate as the method of authenticating the peer gateway at the opposite end of the tunnel.
  1. Select a Local Certificate that is already on the firewall from the drop-down, or Import a certificate, or Generate to create a new certificate.
     If you want to Import a certificate, see Import a Certificate for IKEv2 Gateway Authentication and then return to this task.
     If you want to Generate a new certificate, generate a certificate on the firewall and then return to this task.
  2. Select the Local Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, User FQDN (email address), and enter the value. Local identification defines the format and identification of the local gateway.
  3. Select the Peer Identification type from the following: Distinguished Name (Subject), FQDN (hostname), IP address, User FQDN (email address), and enter the value. Peer identification defines the format and identification of the peer gateway.
  4. Select one type of Peer ID Check:
     Exact: Check this to ensure that the local setting and the peer IKE ID payload match exactly.
     Wildcard: Check this to allow the peer identification to match as long as every character before the wildcard (*) matches. The characters after the wildcard need not match.
     Exact is the safer choice; use Wildcard only when the peer's identity legitimately varies, because a wildcard widens the set of identities the gateway will accept.
  5. Choose a Certificate Profile from the drop-down. A certificate profile contains information about how to authenticate the peer gateway.

Step 7  Configure advanced options for the gateway.
  1. Select the Advanced Options tab.
  2. Select the IKE Crypto Profile to attach to this gateway (see Define IKE Crypto Profiles).

Step 8  Save the changes.
  Click OK and Commit.
Export a Certificate for a Peer to Access Using Hash-and-URL

IKEv2 supports Hash-and-URL Certificate Exchange as a method of having the peer at the remote end of the tunnel fetch the certificate from a server where you have exported the certificate. Perform this task to export your certificate to that server. You must have already created a certificate using Device > Certificate Management.

Export a Certificate for Hash-and-URL

Step 1  Select Device > Certificate Management > Certificates.
Step 2  On the Device Certificates tab, select the certificate to Export to the server.
        The status of the certificate should be valid, not expired. The firewall will not stop you from exporting an invalid certificate, so check the status yourself before you export it.
Step 5  Click OK.

Import a Certificate for IKEv2 Gateway Authentication

Perform this task if you are authenticating a peer for an IKEv2 gateway and you did not use a local certificate already on the firewall; you want to import a certificate from elsewhere.
This task presumes that you selected Network > IKE Gateways, added a gateway, and for Local Certificate, you clicked Import.
Import a Certificate for IKEv2 Gateway Authentication

Step 1  Import a certificate.
  1. In the Import Certificate window, enter a Certificate Name for the certificate you are importing.
  2. Select Shared if this certificate is to be shared among multiple virtual systems.
  3. For Certificate File, Browse to the certificate file. Click on the file name and click Open, which populates the Certificate File field.
  4. For File Format, select one of the following:
     Base64 Encoded Certificate (PEM): Contains the certificate, but not the key. It is clear text.
     Encrypted Private Key and Certificate (PKCS12): Contains both the certificate and the key. Because this file carries the gateway's private key, treat the file and its passphrase as secrets and remove the copy once the import succeeds.
  5. Click OK.

Step 2  Return to Configure certificate-based authentication (Step 6 of Set Up an IKE Gateway) and continue from there.
Change the Key Lifetime or Authentication Interval for IKEv2

This task is optional; the default setting of the IKEv2 IKE SA rekey lifetime is 8 hours. The default setting of the IKEv2 Authentication Multiple is 0, meaning the reauthentication feature is disabled. For more information, see SA Key Lifetime and Re-Authentication Interval.
To change the default values, perform the following task. A prerequisite is that an IKE crypto profile already exists.

Change the SA Key Lifetime or Authentication Interval

Step 1  Change the SA key lifetime or authentication interval for an IKE Crypto profile.
  1. Open the existing IKE Crypto profile.
  2. In the Key Lifetime fields, specify the period for which the key is valid (range is 3 minutes to 365 days; default is 8 hours).
  3. Set the IKEv2 Authentication Multiple (range is 0-50; 0 disables reauthentication). The reauthentication interval is the Key Lifetime multiplied by this value.

Step 2  Save the configuration.
  Click OK and Commit.
Change the Cookie Activation Threshold for IKEv2

Perform the following task if you want a firewall to have a threshold different from the default setting of 500 half-opened SA sessions before cookie validation is required. For more information about cookie validation, see Cookie Activation Threshold and Strict Cookie Validation. A lower threshold makes the firewall demand a cookie (and therefore an extra round trip from each initiator) sooner under a flood of IKE_SA_INIT requests; a higher threshold tolerates more half-open SAs before that protection kicks in.

Change the Cookie Activation Threshold

Step 1  Change the Cookie Activation Threshold.
  1. Enter the number of half-opened SA sessions after which the firewall requires cookie validation.
  2. Click OK.

Step 2  Save the configuration.
  Click OK and Commit.
Configure IKEv2 Traffic Selectors

In IKEv2, you can configure Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; if the proposals do not match exactly, the responder narrows its address range to the overlap so that the peers reach agreement, and if there is no overlap the CHILD_SA is not created. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented. Use the following workflow to configure traffic selectors.

Configure Traffic Selectors for IKEv2

Step 1  Select Network > IPSec Tunnels, open the tunnel, and select the Proxy IDs tab.
Step 2  Select the IPv4 or IPv6 tab.
Step 3  Click Add and enter the Name in the Proxy ID field.
Step 4  In the Local field, enter the Source IP Address.
Step 5  In the Remote field, enter the Destination IP Address.
Step 6  In the Protocol field, select the transport protocol (TCP or UDP) from the drop-down.
Step 7  Click OK.
Define IKE Crypto Profiles

The IKE crypto profile is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and the lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.

All IKE gateways configured on the same interface or local IP address must use the same crypto profile.

Define an IKE Crypto Profile

Step 1  Create a new IKE profile.
  1. Add a new IKE Crypto profile.
  2. Enter a Name for the new profile.

Step 2  Specify the DH Group (Diffie-Hellman group) for key exchange, and the Authentication and Encryption algorithms.
  Click Add in the corresponding sections (DH Group, Authentication, and Encryption) and select from the drop-downs.
  If you are not certain of what the VPN peers support, add multiple groups or algorithms in the order of most to least secure as follows; the peers negotiate the strongest supported group or algorithm to establish the tunnel:
    DH Group: group20, group19, group14, group5, group2, and group1.
    Authentication: sha512, sha384, sha256, sha1, md5.
    Encryption: aes-256-cbc, aes-192-cbc, aes-128-cbc, 3des, des.
  DES is available to provide backward compatibility with legacy devices that do not support stronger encryption, but as a best practice always use a stronger encryption algorithm, such as 3DES or AES, if the peer can support it.
  Note that every algorithm you leave in the list is one a peer can negotiate down to: 3DES, md5, sha1 and DH groups 1, 2 and 5 are weak by current standards, so offer only what your peers actually require rather than the full list.

Step 3  Specify the duration for which the key is valid and the reauthentication interval. For details, see SA Key Lifetime and Re-Authentication Interval.
  1. In the Key Lifetime fields, specify the period (in seconds, minutes, hours, or days) for which the key is valid. (Range is 3 minutes to 365 days; default is 8 hours.) When the key expires, the firewall renegotiates a new key. A lifetime is the period between each renegotiation.
  2. For IKEv2, set the IKEv2 Authentication Multiple (range is 0-50; default is 0, which disables reauthentication). The reauthentication interval is the Key Lifetime multiplied by this value.

Step 4  Save your IKE Crypto profile.
  Click OK and click Commit.

Step 5  Attach the IKE Crypto profile to the IKE Gateway configuration.
  See Configure advanced options for the gateway.
Define IPSec Crypto Profiles

The IPSec crypto profile is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IPSec SAs.

Define the IPSec Crypto Profile

Step 1  Create a new IPSec profile.
  1. Add a new IPSec Crypto profile.
  2. Enter a Name for the new profile.
  3. Select the IPSec Protocol, ESP or AH, that you want to apply to secure the data as it traverses across the tunnel. AH authenticates the packet but does not encrypt the payload; use ESP unless integrity without confidentiality is really all you need.
  4. Click Add and select the Authentication and Encryption algorithms for ESP, and the Authentication algorithms for AH, so that the IKE peers can negotiate the keys for the secure transfer of data across the tunnel.
     If you are not certain of what the IKE peers support, add multiple algorithms in the order of most to least secure as follows; the peers negotiate the strongest supported algorithm to establish the tunnel:
       Encryption: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall doesn't support this option), aes-128-cbc, 3des, des.
       DES is available to provide backward compatibility with legacy devices that do not support stronger encryption, but as a best practice always use a stronger encryption algorithm, such as 3DES or AES, if the peer can support it. As with the IKE profile, 3DES, md5 and sha1 are weak by current standards; list them only if a peer requires them.
       Authentication: sha512, sha384, sha256, sha1, md5.

Step 2  Select the DH Group to use for Perfect Forward Secrecy (PFS), or choose no PFS. Both peers must agree on whether PFS is enabled and must have at least one DH group in common (see Interpret VPN Error Messages).

Step 3  Specify the duration of the key time and volume of traffic. Rekeying on both a time limit and a traffic-volume limit bounds how much data any single key protects.
  Select the Lifetime, the time period for which the key is valid, in seconds, minutes, hours, or days (range is 3 minutes to 365 days). When the specified time expires, the firewall will renegotiate a new set of keys.
  Select the Lifesize, the volume of data after which the keys must be renegotiated.

Step 4  Save your IPSec profile.
  Click OK and click Commit.

Step 5  Attach the IPSec Profile to an IPSec tunnel configuration.
  See Set up key exchange.
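The two profile sections above describe three things a practitioner usually wants to check mechanically: that the proposal lists really are ordered strongest-first, that nothing weaker than the peer needs is offered, and what the "strongest common" negotiation will actually pick against a given peer. The following is an added example (not code from the PAN-OS guide or the firewall) that models an IKE or IPSec crypto profile as plain data and does those checks, plus the Key Lifetime x Authentication Multiple calculation from the SA Key Lifetime section. The profile name, the dict layout and the peer capability sets are constructed; the algorithm lists and ranges are the guide's, the "weak" tags are the editor's judgement rather than the guide's.

```python
"""Audit IKE/IPSec crypto profiles and simulate proposal selection.

Added example, not code from the PAN-OS guide. The CryptoProfile layout, the
profile name and the peer capability set are constructed for illustration;
the algorithm lists and ranges come from the guide, the "weak" tags do not.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Most-to-least secure order, as the guide lists it per section.
STRENGTH = {
    "dh_group": ["group20", "group19", "group14", "group5", "group2", "group1"],
    "authentication": ["sha512", "sha384", "sha256", "sha1", "md5"],
    "encryption": ["aes-256-gcm", "aes-256-cbc", "aes-192-cbc", "aes-128-gcm",
                   "aes-128-ccm", "aes-128-cbc", "3des", "des"],
}

# Offered-but-weak by current standards; a practitioner's judgement, not the guide's.
WEAK = {
    "dh_group": {"group1", "group2", "group5"},
    "authentication": {"md5", "sha1"},
    "encryption": {"des", "3des"},
}

MIN_LIFETIME_S = 3 * 60              # guide: 3 minutes
MAX_LIFETIME_S = 365 * 24 * 3600     # guide: 365 days


@dataclass
class CryptoProfile:
    name: str
    proposals: Dict[str, List[str]]   # section -> ordered proposals, strongest first
    key_lifetime_s: int = 8 * 3600    # guide default: 8 hours
    auth_multiple: int = 0            # IKEv2 Authentication Multiple, 0 = disabled


def reauth_interval_s(profile: CryptoProfile) -> Optional[int]:
    """Key Lifetime x Authentication Multiple; None when reauthentication is off."""
    if not 0 <= profile.auth_multiple <= 50:
        raise ValueError("IKEv2 Authentication Multiple must be 0-50")
    if profile.auth_multiple == 0:
        return None
    return profile.key_lifetime_s * profile.auth_multiple


def audit(profile: CryptoProfile) -> List[str]:
    """Flag weak proposals, lists not ordered strongest-first, and bad lifetimes."""
    findings = []
    for section, offered in profile.proposals.items():
        for alg in offered:
            if alg in WEAK.get(section, set()):
                findings.append(f"{profile.name}: weak {section} offered: {alg}")
        order = STRENGTH.get(section, [])
        ranks = [order.index(a) for a in offered if a in order]
        if ranks != sorted(ranks):
            findings.append(f"{profile.name}: {section} list is not ordered strongest-first")
    if not MIN_LIFETIME_S <= profile.key_lifetime_s <= MAX_LIFETIME_S:
        findings.append(f"{profile.name}: key lifetime outside 3 minutes to 365 days")
    return findings


def negotiate(local: CryptoProfile, peer_supports: Dict[str, Set[str]]) -> Dict[str, Optional[str]]:
    """Per section, pick the first (strongest) local proposal the peer also supports.

    None for a section is the "no proposal chosen" failure in the guide's error table.
    """
    return {
        section: next((a for a in offered if a in peer_supports.get(section, set())), None)
        for section, offered in local.proposals.items()
    }


if __name__ == "__main__":
    ike = CryptoProfile("ike-site-b",
                        {"dh_group": ["group20", "group14", "group2"],
                         "authentication": ["sha256", "sha1"],
                         "encryption": ["aes-256-cbc", "3des"]},
                        auth_multiple=20)
    print("reauth every", reauth_interval_s(ike) // 3600, "hours")   # 160 with the 8h default
    for line in audit(ike):
        print(line)
    # Constructed legacy peer that only speaks SHA-1 and AES-128.
    peer = {"dh_group": {"group14", "group2"}, "authentication": {"sha1"},
            "encryption": {"aes-128-cbc"}}
    print(negotiate(ike, peer))   # encryption: None -> no proposal chosen
```

The `negotiate` function mirrors the guide's statement that the peers settle on the strongest supported proposal: it walks the local list in order and stops at the first entry the peer supports, so a list that is out of order silently negotiates something weaker than intended, which is exactly what `audit` warns about.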
Set Up an IPSec Tunnel

Step 2  On the General tab, enter a Name for the new tunnel.

Step 3  Select the Tunnel interface that will be used to set up the IPSec tunnel.
  To create a new tunnel interface:
  1. Select Tunnel Interface > New Tunnel Interface. (You can also select Network > Interfaces > Tunnel and click Add.)
  2. In the Interface Name field, specify a numeric suffix, such as .2.
  3. On the Config tab, select the Security Zone drop-down to define the zone as follows:
     To use your trust zone as the termination point for the tunnel, select the zone from the drop-down. Associating the tunnel interface with the same zone (and virtual router) as the external-facing interface on which the packets enter the firewall mitigates the need to create inter-zone routing.
     (Recommended) To create a separate zone for VPN tunnel termination, select New Zone. Define a Name for the new zone (for example vpn-corp), and click OK.
  4. In the Virtual Router drop-down, select default.
  5. (Optional) If you want to assign an IPv4 address to the tunnel interface, select the IPv4 tab, and Add the IP address and network mask, for example 10.31.32.1/32.
  6. To save the interface configuration, click OK.

Step 4  (Optional) Enable IPv6 on the tunnel interface.
  1. On the IPv6 tab, enable IPv6 on the interface.
  2. Enter the 64-bit extended unique Interface ID in hexadecimal format, for example, 00:26:08:FF:FE:DE:4E:29. By default, the firewall will use the EUI-64 generated from the physical interface's MAC address.
  3. To assign an IPv6 Address to the tunnel interface, Add the IPv6 address and prefix length, for example 2001:400:f00::1/64. If Prefix is not selected, the IPv6 address assigned to the interface will be wholly specified in the address text box.
     a. Select Use interface ID as host portion to assign an IPv6 address to the interface that will use the interface ID as the host portion of the address.
     b. Select Anycast to include routing through the nearest node.

Step 5  Set up key exchange.
  Configure one of the following types of key exchange:

  Set up Auto Key exchange
  1. Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway.
  2. (Optional) Select the default IPSec Crypto Profile. To create a new IPSec Profile, see Define IPSec Crypto Profiles.

  Set up Manual Key exchange
  Manual keys are never rekeyed and provide no forward secrecy; prefer Auto Key unless the peer cannot run IKE.
  1. Specify the SPI for the local firewall. The SPI is a 32-bit hexadecimal index that is added to the header for IPSec tunneling to assist in differentiating between IPSec traffic flows; it is used to create the SA required for establishing a VPN tunnel.
  2. Select the Interface that will be the tunnel endpoint, and optionally select the IP address for the local interface that is the endpoint of the tunnel.
  3. Select the protocol to be used: AH or ESP.
  4. For AH, select the Authentication method from the drop-down and enter a Key and then Confirm Key.
  5. For ESP, select the Authentication method from the drop-down and enter a Key and then Confirm Key. Then, select the Encryption method and enter a Key and then Confirm Key, if needed.
  6. Specify the SPI for the remote peer.
  7. Enter the Remote Address, the IP address of the remote peer.

Step 8  Enable Tunnel Monitoring.
  You must assign an IP address to the tunnel interface for monitoring.
  To alert the device administrator to tunnel failures and to provide automatic failover to another tunnel interface:
  1. Specify a Destination IP address on the other side of the tunnel to determine if the tunnel is working properly.
  2. Select a Profile to determine the action on tunnel failure. To create a new profile, see Define a Tunnel Monitoring Profile.

Step 9  Create a Proxy ID to identify the VPN peers.
  This step is required only if the VPN peer uses policy-based VPN.
  1. Select Network > IPSec Tunnels and click Add.
  2. Select the Proxy IDs tab.
  3. Select the IPv4 or IPv6 tab.
  4. Click Add and enter the Proxy ID name.
  5. Enter the Local IP address or subnet for the VPN gateway.
  6. Enter the Remote address for the VPN gateway.
  7. Select the Protocol from the drop-down:
     Number: Specify the protocol number (used for interoperability with third-party devices).
     Any: Allows TCP and/or UDP traffic.
     TCP: Specify the Local Port and Remote Port numbers.
     UDP: Specify the Local Port and Remote Port numbers.
  8. Click OK.

Step 10  Save your changes.
  Click OK and Commit.
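Both Configure IKEv2 Traffic Selectors and Step 9 above (Create a Proxy ID) come down to the same rule: the initiator's Local must overlap the responder's Remote and vice versa, the responder narrows to that overlap, and a non-overlapping proxy ID means the Phase 2 SA is never built. The following added example (not code from the PAN-OS guide or the firewall) models a selector as an address range plus IP protocol and port range, intersects the two sides the way IKEv2 narrowing does, and shows the mismatch case. All the selector values are constructed; the `ProxyID`/`Selector` names are the example's own.

```python
"""IKEv2 traffic selector (proxy ID) agreement.

Added example, not from the PAN-OS guide. It models what the guide describes:
each peer proposes a local/remote address range plus protocol and port range,
the responder narrows to the intersection, and proxy IDs that are not mirrored
yield no CHILD_SA. All selector values below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network, summarize_address_range
from typing import Optional, Tuple

ANY_PROTO = 0                 # IKEv2 uses protocol 0 for "any"
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Selector:
    """One traffic selector: address range, IP protocol number, port range."""
    start: IPv4Address
    end: IPv4Address
    proto: int = ANY_PROTO
    ports: Tuple[int, int] = ANY_PORTS

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = ANY_PROTO, ports: Tuple[int, int] = ANY_PORTS):
        net = ip_network(cidr, strict=False)
        return cls(net[0], net[-1], proto, ports)

    def cidr(self) -> str:
        """Render the address range as CIDR (comma-joined if it is not one block)."""
        return ",".join(str(n) for n in summarize_address_range(self.start, self.end))


def narrow(a: Selector, b: Selector) -> Optional[Selector]:
    """Intersect two selectors; None means no overlap, so no agreement."""
    if ANY_PROTO not in (a.proto, b.proto) and a.proto != b.proto:
        return None
    proto = b.proto if a.proto == ANY_PROTO else a.proto
    start, end = max(a.start, b.start), min(a.end, b.end)
    if start > end:
        return None
    lo, hi = max(a.ports[0], b.ports[0]), min(a.ports[1], b.ports[1])
    if lo > hi:
        return None
    return Selector(start, end, proto, (lo, hi))


@dataclass(frozen=True)
class ProxyID:
    """A PAN-OS style proxy ID: Local and Remote selectors as one peer sees them."""
    local: Selector
    remote: Selector


def negotiate_child_sa(initiator: ProxyID, responder: ProxyID) -> Optional[ProxyID]:
    """Narrowed proxy ID from the initiator's point of view, or None on mismatch.

    The initiator's Local must overlap the responder's Remote and vice versa,
    which is why the two gateways must configure mirrored proxy IDs.
    """
    local = narrow(initiator.local, responder.remote)
    remote = narrow(initiator.remote, responder.local)
    if local is None or remote is None:
        return None
    return ProxyID(local, remote)


if __name__ == "__main__":
    site_a = ProxyID(Selector.from_cidr("172.19.9.0/24"), Selector.from_cidr("192.168.69.0/24"))
    # Responder with a broader policy: agreement narrows to site A's /24s.
    site_b = ProxyID(Selector.from_cidr("192.168.0.0/16"), Selector.from_cidr("172.16.0.0/12"))
    agreed = negotiate_child_sa(site_a, site_b)
    print(agreed.local.cidr(), "<->", agreed.remote.cidr())
    # Not mirrored: site B protects 10.0.0.0/8, site A expects 192.168.69.0/24.
    wrong = ProxyID(Selector.from_cidr("10.0.0.0/8"), Selector.from_cidr("172.19.9.0/24"))
    print("mismatch ->", negotiate_child_sa(site_a, wrong))
```

When one side is a policy-based VPN device, its "policy" is effectively the responder proxy ID here; the Palo Alto Networks firewall's Proxy ID must be the mirror image of it, or `negotiate_child_sa` returns `None`, which on the firewall shows up as a Phase 2 failure rather than a Phase 1 one.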
Define a Tunnel Monitoring Profile

A tunnel monitoring profile allows you to verify connectivity between the VPN peers; you can configure the tunnel interface to ping a destination IP address at a specified interval and specify the action if the communication across the tunnel is broken.

Define a Tunnel Monitoring Profile

Step 1  Select Network > Network Profiles > Monitor.
Step 2  Click Add, and enter a Name for the profile.
Step 3  Select the Action if the destination IP address is unreachable.
  Wait Recover: the firewall waits for the tunnel to recover. It continues to use the tunnel interface in routing decisions as if the tunnel were still active, so traffic for those destinations is dropped until the tunnel comes back.
  Fail Over: forces traffic to a backup path if one is available. The firewall disables the tunnel interface, and thereby disables any routes in the routing table that use the interface.
  In either case, the firewall attempts to accelerate the recovery by negotiating new IPSec keys. Choose Fail Over whenever a backup path exists.
Step 4  Specify the Interval and Threshold to trigger the specified action.
  The Threshold specifies the number of heartbeats to wait before taking the specified action. The range is 2-100 and the default is 5.
  The Interval measures the time between heartbeats. The range is 2-10 and the default is 3 seconds.
Step 5  Attach the monitoring profile to the IPSec Tunnel configuration. See Enable Tunnel Monitoring.
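The Interval and Threshold settings above combine into a detection time, and the Action decides whether routes keep pointing at a dead tunnel. The following added example (not the firewall's code and not from the PAN-OS guide) models a monitor profile with the guide's ranges and defaults, feeds it a sequence of heartbeat results, and reports when the action fires and whether the routing table still uses the tunnel. The `TunnelMonitor` class, its field names and the heartbeat sequences are constructed for illustration.

```python
"""Tunnel monitor semantics from the PAN-OS guide, as an added example (not the
firewall's code). A MonitorProfile carries the guide's interval/threshold/action
settings; TunnelMonitor is fed heartbeat results and reports when the action
fires and whether routes via the tunnel interface are still active.
"""
from dataclasses import dataclass, field
from typing import List

WAIT_RECOVER = "wait-recover"
FAIL_OVER = "fail-over"


@dataclass
class MonitorProfile:
    interval_s: int = 3         # guide: range 2-10, default 3 seconds
    threshold: int = 5          # guide: range 2-100, default 5 heartbeats
    action: str = WAIT_RECOVER

    def __post_init__(self):
        if not 2 <= self.interval_s <= 10:
            raise ValueError("interval must be 2-10 seconds")
        if not 2 <= self.threshold <= 100:
            raise ValueError("threshold must be 2-100 heartbeats")
        if self.action not in (WAIT_RECOVER, FAIL_OVER):
            raise ValueError("action must be wait-recover or fail-over")

    def detection_time_s(self) -> int:
        """Seconds of silence before the action fires: threshold missed heartbeats."""
        return self.interval_s * self.threshold


@dataclass
class TunnelMonitor:
    profile: MonitorProfile
    interface: str
    missed: int = 0
    tunnel_up: bool = True
    interface_enabled: bool = True    # Fail Over disables the interface (and its routes)
    rekeys_triggered: int = 0
    log: List[str] = field(default_factory=list)

    def heartbeat(self, reply_received: bool) -> None:
        """Feed one monitor ping result; call once per interval."""
        if reply_received:
            if not self.tunnel_up:
                self.log.append(f"{self.interface}: tunnel recovered")
            self.missed, self.tunnel_up, self.interface_enabled = 0, True, True
            return
        self.missed += 1
        if self.tunnel_up and self.missed >= self.profile.threshold:
            self.tunnel_up = False
            self.rekeys_triggered += 1    # both actions renegotiate IPSec keys
            if self.profile.action == FAIL_OVER:
                self.interface_enabled = False
                self.log.append(f"{self.interface}: failover, interface disabled")
            else:
                self.log.append(f"{self.interface}: waiting for recovery")

    def routes_via_tunnel_active(self) -> bool:
        """Wait Recover keeps routing into the tunnel; Fail Over withdraws it."""
        return self.interface_enabled


def run(profile: MonitorProfile, interface: str, replies: List[bool]) -> TunnelMonitor:
    """Replay a constructed sequence of heartbeat results against a profile."""
    mon = TunnelMonitor(profile, interface)
    for reply in replies:
        mon.heartbeat(reply)
    return mon


if __name__ == "__main__":
    default = MonitorProfile()
    print("default detection time:", default.detection_time_s(), "s")   # 15
    # Five missed heartbeats with the default threshold, Fail Over action.
    m = run(MonitorProfile(action=FAIL_OVER), "tunnel.11", [False] * 5)
    print(m.log[-1], "| routes active:", m.routes_via_tunnel_active())
    # Same outage with Wait Recover: routes still point into the dead tunnel.
    m = run(MonitorProfile(action=WAIT_RECOVER), "tunnel.11", [False] * 5)
    print(m.log[-1], "| routes active:", m.routes_via_tunnel_active())
```

The replay makes the trade-off in Step 3 concrete: with Wait Recover the route stays installed and packets are black-holed for at least `detection_time_s()` seconds plus however long recovery takes, while Fail Over pulls the route as soon as the threshold is reached.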
View the Status of the Tunnels

The status of the tunnel informs you about whether or not valid IKE phase 1 and phase 2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it cannot indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or fail over. When a failover occurs, the existing tunnel is torn down and routing changes are triggered to set up a new tunnel and redirect traffic.

View Tunnel Status

Step 1  Select Network > IPSec Tunnels.
Step 2  View the Tunnel Status.
  Green indicates a valid IPSec SA tunnel.
  Red indicates that the IPSec SA is not available or has expired.

To troubleshoot a VPN tunnel that is not yet up, see Interpret VPN Error Messages.
Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel

You can enable, disable, refresh or restart an IKE gateway or VPN tunnel to make troubleshooting easier.
- Enable or Disable an IKE Gateway or IPSec Tunnel
- Refresh and Restart Behaviors
- Refresh or Restart an IKE Gateway or IPSec Tunnel

Enable or Disable an IKE Gateway or IPSec Tunnel

Enable or disable an IKE gateway.
  1. Select Network > IKE Gateways and select the gateway.
  2. At the bottom of the screen, click Enable or Disable.

Enable or disable an IPSec tunnel.
  1. Select Network > IPSec Tunnels and select the tunnel.
  2. At the bottom of the screen, click Enable or Disable.

Refresh and Restart Behaviors

The refresh and restart behaviors for an IKE gateway and IPSec tunnel are as follows:

IKE Gateway (IKE Phase 1)
  Refresh: Updates the on-screen statistics for the selected IKE gateway. Equivalent to issuing a second show command in the CLI (after an initial show command).
  Restart: Restarts the selected IKE gateway.
    IKEv2: also restarts any associated child IPSec security associations (SAs).
    IKEv1: does not restart the associated IPSec SAs.
    A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI.

IPSec Tunnel (IKE Phase 2)
  Refresh: Updates the on-screen statistics for the selected IPSec tunnel. Equivalent to issuing a second show command in the CLI (after an initial show command).
  Restart: Restarts the IPSec tunnel. A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI.

Refresh or Restart an IKE Gateway or IPSec Tunnel

Restarting an IKEv2 gateway has a different result from restarting an IKEv1 gateway (see Refresh and Restart Behaviors).

Refresh or restart an IKE gateway.
  1. Select Network > IPSec Tunnels.
  2. In the row for that tunnel, under the Status column, click IKE Info.
  3. At the bottom of the IKE Info screen, click the action you want:
     Refresh: Updates the statistics on the screen.
     Restart: Clears the SAs, so traffic is dropped until the IKE negotiation starts over and the tunnel is recreated.

Refresh or restart an IPSec tunnel.
  You might determine that the tunnel needs to be refreshed or restarted because you use the tunnel monitor to monitor the tunnel status, or you use an external network monitor to monitor network connectivity through the IPSec tunnel.
  1. Select Network > IPSec Tunnels.
  2. In the row for that tunnel, under the Status column, open the tunnel status information.
  3. At the bottom of the screen, click Refresh or Restart.
Test VPN Connectivity

Step 1  Initiate IKE phase 1 by either pinging a host across the tunnel or using the following CLI command:
        test vpn ike-sa gateway <gateway_name>

Step 2  Enter the following command to test if IKE phase 1 is set up:
        show vpn ike-sa gateway <gateway_name>
        In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.

Step 3  Initiate IKE phase 2 by either pinging a host from across the tunnel or using the following CLI command:
        test vpn ipsec-sa tunnel <tunnel_name>

Step 4  Enter the following command to test if IKE phase 2 is set up:
        show vpn ipsec-sa tunnel <tunnel_name>
        In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.

Step 5  To view the VPN traffic flow information, use the following command:
        show vpn-flow

        total tunnels configured:
        name            id   state    local-ip    peer-ip     tunnel-i/f
        -----------------------------------------------------------------
        vpn-to-siteB         active   100.1.1.1   200.1.1.1   tunnel.41
Interpret VPN Error Messages

Error message:
  IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP x.x.x.x[1929]
Try this:
  Verify that the public IP address for each VPN peer is accurate in the IKE Gateway configuration.
  Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure.

Error message:
  Received unencrypted notify payload (no proposal chosen) from IP x.x.x.x[500] to y.y.y.y[500], ignored...
  or
  IKE phase-1 negotiation is failed. Unable to process peer's SA payload.
Try this:
  Check the IKE Crypto profile configuration to verify that the proposals on both sides have a common encryption, authentication, and DH Group proposal.

Error message:
  pfs group mismatched: my: 2 peer: 0
Try this:
  Check the IPSec Crypto profile configuration to verify that:
  - pfs is either enabled or disabled on both VPN peers
  - the DH Groups proposed by each peer have at least one DH Group in common

Phase 2 fails although phase 1 succeeds:
  The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto Networks firewall. See Create a Proxy ID to identify the VPN peers.
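The Test VPN Connectivity steps and the error table above are the kind of thing an operator ends up scripting: pull `show vpn-flow`, find tunnels that are not `active`, then grep the system log for the known failure messages and print the matching remedy. The following added example (not code from the PAN-OS guide) does both over constructed input. The `show vpn-flow` sample is laid out in the shape the guide prints (the second tunnel, its id values and the `init` state are invented to give the parser something to flag), and the log lines are the guide's messages with placeholder addresses filled in; the exact wording and column widths on a real firewall may differ, so treat the patterns as a starting point.

```python
"""VPN troubleshooting helpers: parse `show vpn-flow` output and map IKE failure
messages from the system log to the remedies in the guide's error table.

Added example, not PAN-OS code. The sample CLI output and log lines are
constructed to match the formats quoted in the guide; a real firewall's
column widths and log wording may differ.
"""
import re
from typing import Dict, List, Optional

# (pattern over the system log message, remedy), in the order the guide lists them.
REMEDIES = [
    (re.compile(r"Couldn'?t find configuration for IKE phase-?1 request for peer IP (\S+)"),
     "Verify the peer's public IP in the IKE Gateway configuration and that it is reachable"),
    (re.compile(r"no proposal chosen|Unable to process peer'?s SA payload"),
     "IKE Crypto profile mismatch: align encryption, authentication and DH group proposals"),
    (re.compile(r"pfs group mismatched: ?my: ?(\d+) ?peer: ?(\d+)"),
     "IPSec Crypto profile mismatch: PFS on/off and DH group must agree on both peers"),
]


def classify(log_line: str) -> Optional[Dict[str, str]]:
    """Return {'match': ..., 'remedy': ...} for a known IKE failure, else None."""
    for pattern, remedy in REMEDIES:
        m = pattern.search(log_line)
        if m:
            return {"match": m.group(0), "remedy": remedy}
    return None


def parse_vpn_flow(output: str) -> List[Dict[str, str]]:
    """Parse the tunnel table printed by `show vpn-flow` into a list of dicts."""
    rows: List[Dict[str, str]] = []
    header: Optional[List[str]] = None
    for line in output.splitlines():
        if line.startswith("name"):
            header = line.split()            # name id state local-ip peer-ip tunnel-i/f
        elif header and line.strip() and not line.startswith(("-", "total")):
            parts = line.split()
            if len(parts) == len(header):
                rows.append(dict(zip(header, parts)))
    return rows


def tunnels_not_active(output: str) -> List[str]:
    """Names of configured tunnels whose state is anything other than active."""
    return [r["name"] for r in parse_vpn_flow(output) if r["state"] != "active"]


# Constructed sample in the shape the guide shows for `show vpn-flow`.
SAMPLE_VPN_FLOW = """\
total tunnels configured:                                        2
name           id   state    local-ip    peer-ip      tunnel-i/f
-----------------------------------------------------------------
vpn-to-siteB   1    active   100.1.1.1   200.1.1.1    tunnel.41
vpn-to-siteC   2    init     100.1.1.1   203.0.113.9  tunnel.42
"""

# Constructed system log lines built from the messages quoted in the guide.
SAMPLE_LOG = [
    "IKE phase-1 negotiation is failed. Couldn't find configuration for IKE phase-1 request for peer IP 203.0.113.9[1929]",
    "Received unencrypted notify payload (no proposal chosen) from IP 203.0.113.9[500] to 100.1.1.1[500], ignored...",
    "pfs group mismatched: my: 2 peer: 0",
    "IKE phase-1 SA established",
]

if __name__ == "__main__":
    print("not active:", tunnels_not_active(SAMPLE_VPN_FLOW))     # ['vpn-to-siteC']
    for line in SAMPLE_LOG:
        hit = classify(line)
        print(f"{hit['remedy'] if hit else 'no known remedy'}  <-  {line[:60]}")
```

The `pfs group mismatched` pattern accepts both the spaced form and the squashed `my: 2peer: 0` form that appears when the log is copied out of a PDF or terminal, which is the form a ticket usually arrives in.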
Site-to-Site VPN Quick Configs

The following sections provide instructions for configuring some common VPN deployments:
- Site-to-Site VPN with Static Routing
- Site-to-Site VPN with OSPF
- Site-to-Site VPN with Static and Dynamic Routing
Quick Config: Site-to-Site VPN with Static Routing

Step 1  Configure a Layer 3 interface. This interface is used for the IKE phase 1 tunnel.
  1. Select Network > Interfaces and select the interface.
  2. Set the Interface Type to Layer3.
  3. On the Config tab, select the Security Zone to which the interface belongs:
     The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
     If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
  4. Select the Virtual Router to use.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
  6. To save the interface configuration, click OK.
  In this example, the configuration for VPN Peer A is:
    Interface: ethernet1/7
    Security Zone: untrust
    Virtual Router: default
    IPv4: 192.168.210.26/24
  The configuration for VPN Peer B is:
    Interface: ethernet1/11
    Security Zone: untrust
    Virtual Router: default
    IPv4: 192.168.210.120/24

Step 2  Create a tunnel interface and attach it to a virtual router and security zone.
  1. Select Network > Interfaces > Tunnel and click Add.
  2. In the Interface Name field, specify a numeric suffix, such as .11.
  3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
     To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
     (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn_tun), and then click OK.
  4. Select the Virtual Router.
  5. (Optional) Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface.
     With static routes, the tunnel interface does not require an IP address. For traffic that is destined to a specified subnet/IP address, the tunnel interface will automatically become the next hop. Consider adding an IP address if you want to enable tunnel monitoring.
  6. To save the interface configuration, click OK.
  In this example, the configuration for VPN Peer A is:
    Interface: tunnel.11
    Security Zone: vpn_tun
    Virtual Router: default
    IPv4: 172.19.9.2/24
  The configuration for VPN Peer B is:
    Interface: tunnel.12
    Security Zone: vpn_tun
    Virtual Router: default
    IPv4: 192.168.69.2/24

Step 3  Configure a static route, on the virtual router, to the destination subnet.
  1. Select Network > Virtual Routers and select the router.
  2. Select Static Route, click Add, and enter a new route to access the subnet that is at the other end of the tunnel.
  In this example, the configuration for VPN Peer A is:
    Destination: 192.168.69.0/24
    Interface: tunnel.11
  The configuration for VPN Peer B is:
    Destination: 172.19.9.0/24
    Interface: tunnel.12

Step 4  Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
  Complete this task on both peers and make sure to set identical values.
  1. See Define IKE Crypto Profiles.
  2. See Define IPSec Crypto Profiles.

Step 5  Set up the IKE Gateway.
  See Set Up an IKE Gateway. On each peer, the Peer IP Address is the other peer's Layer 3 interface address from Step 1.

Step 6  Set up the IPSec Tunnel.
  See Set Up an IPSec Tunnel, selecting the tunnel interface from Step 2 and the IKE gateway from Step 5.
  (Optional) To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 7  Create policies to allow traffic between the sites (subnets).
  1. Create security policy rules that allow traffic between the zone of the tunnel interface (vpn_tun) and the zones of the local subnets.
  2. Make sure that the IKE and IPSec applications are allowed between the untrust zones of the two peers, above any final deny rule.

Step 8  Save any pending configuration changes.
  Click Commit.

Step 9  Test VPN connectivity.
  See View the Status of the Tunnels.
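Most failures in a quick config like the one above are symmetry mistakes: the IKE gateway on one side points at the wrong peer address, a static route names the wrong tunnel interface, the two peers' crypto profiles drift apart, or the tunnel interface ends up in the same zone as the outside interface so policy cannot tell tunneled traffic apart. The following added example (not PAN-OS code and not from the guide) captures the quick config's values for Peer A and Peer B in plain dataclasses and checks the pair against those rules. The `PeerConfig` fields are the example's own model of the settings the quick config touches; the crypto proposal tuples are constructed, everything else is taken from the steps above.

```python
"""Consistency check for a two-peer site-to-site VPN, using the static-routing
quick config's example values. Added example, not PAN-OS code: PeerConfig
models only the fields the quick config sets, and check_pair encodes the
symmetry the guide requires (mirrored peer IPs, identical crypto profiles,
a route to the other side's subnet via the tunnel interface, and the tunnel
interface in its own zone).
"""
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network
from typing import List, Tuple


@dataclass
class PeerConfig:
    name: str
    outside_if: str                         # Layer 3 interface used for IKE phase 1
    outside_zone: str
    outside_ip: str                         # e.g. 192.168.210.26/24
    tunnel_if: str                          # e.g. tunnel.11
    tunnel_zone: str
    local_subnet: str                       # protected subnet behind this peer
    ike_peer_ip: str                        # Peer IP Address in the IKE Gateway
    static_routes: List[Tuple[str, str]]    # (destination, interface)
    ike_crypto: Tuple[str, ...]             # proposals; must match on both peers
    ipsec_crypto: Tuple[str, ...]


def check_pair(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Return findings; an empty list means the two configs are mutually consistent."""
    findings: List[str] = []
    for me, other in ((a, b), (b, a)):
        other_addr = str(ip_interface(other.outside_ip).ip)
        if me.ike_peer_ip != other_addr:
            findings.append(f"{me.name}: IKE peer IP {me.ike_peer_ip} is not "
                            f"{other.name}'s outside address {other_addr}")
        routed = {(str(ip_network(dst)), iface) for dst, iface in me.static_routes}
        wanted = (str(ip_network(other.local_subnet)), me.tunnel_if)
        if wanted not in routed:
            findings.append(f"{me.name}: no static route to {other.local_subnet} via {me.tunnel_if}")
        if me.tunnel_zone == me.outside_zone:
            findings.append(f"{me.name}: tunnel interface {me.tunnel_if} shares zone "
                            f"{me.outside_zone} with the outside interface; put it in a "
                            f"separate zone so tunneled traffic can use different policies")
    if a.ike_crypto != b.ike_crypto:
        findings.append("IKE Crypto profiles differ between peers")
    if a.ipsec_crypto != b.ipsec_crypto:
        findings.append("IPSec Crypto profiles differ between peers")
    return findings


# Values from the quick config; the crypto proposal tuples are constructed.
PEER_A = PeerConfig("PeerA", "ethernet1/7", "untrust", "192.168.210.26/24",
                    "tunnel.11", "vpn_tun", "172.19.9.0/24", "192.168.210.120",
                    [("192.168.69.0/24", "tunnel.11")],
                    ("aes-256-cbc", "sha256", "group14"), ("aes-256-gcm", "group14"))
PEER_B = PeerConfig("PeerB", "ethernet1/11", "untrust", "192.168.210.120/24",
                    "tunnel.12", "vpn_tun", "192.168.69.0/24", "192.168.210.26",
                    [("172.19.9.0/24", "tunnel.12")],
                    ("aes-256-cbc", "sha256", "group14"), ("aes-256-gcm", "group14"))

if __name__ == "__main__":
    print("quick config as written:", check_pair(PEER_A, PEER_B) or "consistent")
    # A typo'd peer address on B, the classic "Couldn't find configuration" case.
    typo = PeerConfig(**{**PEER_B.__dict__, "ike_peer_ip": "192.168.210.27"})
    for finding in check_pair(PEER_A, typo):
        print("finding:", finding)
```

Run against the values from Steps 1 to 3 the check comes back empty; change one peer's address, route interface or proposal list and the corresponding finding names which of the earlier steps to revisit, which is quicker than reading it off the IKE system log after the commit.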
Quick Config: Site-to-Site VPN with Dynamic Routing using OSPF

Step 1  Configure the Layer 3 interfaces on each firewall.
  1. Select Network > Interfaces and select the interface.
  2. Set the Interface Type to Layer3.
  3. On the Config tab, select the Security Zone to which the interface belongs:
     The interface must be accessible from a zone outside of your trust network. Consider creating a dedicated VPN zone for visibility and control over your VPN traffic.
     If you have not yet created the zone, select New Zone from the Security Zone drop-down, define a Name for the new zone and then click OK.
  4. Select the Virtual Router to use.
  5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.210.26/24.
  6. To save the interface configuration, click OK.
  In this example, the configuration for VPN Peer A is:
    Interface: ethernet1/7
    Security Zone: untrust
    Virtual Router: default
    IPv4: 100.1.1.1/24
  The configuration for VPN Peer B is:
    Interface: ethernet1/11
    Security Zone: untrust
    Virtual Router: default
    IPv4: 200.1.1.1/24

Step 2  Create a tunnel interface and attach it to a virtual router and security zone.
  1. Select Network > Interfaces > Tunnel and click Add.
  2. In the Interface Name field, specify a numeric suffix, such as .41.
  3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
     To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
     (Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn_tun), and then click OK.
  4. Select the Virtual Router.
  5. Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
     This IP address will be used as the next hop IP address to route traffic to the tunnel and can also be used to monitor the status of the tunnel.
  6. To save the interface configuration, click OK.
  In this example, the configuration for VPN Peer A is:
    Interface: tunnel.41
    Security Zone: vpn_tun
    Virtual Router: default
    IPv4: 2.1.1.141/24
  The configuration for VPN Peer B is:
    Interface: tunnel.40
    Security Zone: vpn_tun
    Virtual Router: default
    IPv4: 2.1.1.140/24

Step 3  Set up the Crypto profiles (IKE Crypto profile for phase 1 and IPSec Crypto profile for phase 2).
  Complete this task on both peers and make sure to set identical values.
  1. See Define IKE Crypto Profiles.
  2. See Define IPSec Crypto Profiles.

Step 4  Set up the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
  For more information on the OSPF options that are available on the firewall, see Configure OSPF.
  Use Broadcast as the link type when there are more than two OSPF routers that need to exchange routing information.
  1. Select the virtual router and enable OSPF.
  2. Define the OSPF areas.
  3. Attach the tunnel interface and the internal interfaces to the appropriate areas.

Step 5  Set up the IKE Gateway.
  This example uses static IP addresses for both VPN peers. Typically, the corporate office uses a statically configured IP address, and the branch side can be a dynamic IP address; dynamic IP addresses are not best suited for configuring stable services such as VPN.
  See Set Up an IKE Gateway. On each peer, the Peer IP Address is the other peer's Layer 3 interface address from Step 1.

Step 6  Set up the IPSec Tunnel.
  See Set Up an IPSec Tunnel, selecting the tunnel interface from Step 2 and the IKE gateway from Step 5.
  To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.

Step 7  Create policies to allow traffic between the sites (subnets).
  1. Create security policy rules that allow traffic between the zone of the tunnel interface (vpn_tun) and the zones of the local subnets.
  2. Make sure that the IKE and IPSec applications are allowed between the untrust zones of the two peers, above any final deny rule.

Step 8  Verify OSPF adjacencies and routes from the CLI.
  Verify that both the firewalls can see each other as neighbors with full status. Also confirm the IP address of the VPN peer's tunnel interface and its OSPF Router ID. Use the following CLI command on each VPN peer:
  show routing protocol ospf neighbor

Step 9  Test VPN connectivity.
  See Set Up Tunnel Monitoring and View the Status of the Tunnels.
QuickConfig:SitetoSiteVPNwithStaticandDynamicRouting
Step1
Step2
ConfiguretheLayer3interfacesoneach 1.
firewall.
SetuptheCryptoprofiles(IKECrypto
profileforphase1andIPSecCrypto
profileforphase2).
Completethistaskonbothpeersand
makesuretosetidenticalvalues.
654 PANOS7.1AdministratorsGuide
2.
3.
OntheConfigtab,selecttheSecurity Zonetowhichthe
interfacebelongs:
Theinterfacemustbeaccessiblefromazoneoutsideof
yourtrustnetwork.ConsidercreatingadedicatedVPNzone
forvisibilityandcontroloveryourVPNtraffic.
Ifyouhavenotyetcreatedthezone,selectNew Zonefrom
theSecurity Zonedropdown,defineaNameforthenew
zoneandthenclickOK.
4.
SelecttheVirtual Routertouse.
5.
ToassignanIPaddresstotheinterface,selecttheIPv4tab,
clickAddintheIPsection,andentertheIPaddressand
networkmasktoassigntotheinterface,forexample
192.168.210.26/24.
6.
Tosavetheinterfaceconfiguration,clickOK.
Inthisexample,theconfigurationforVPNPeerAis:
Interfaceethernet1/7
Security Zoneuntrust
Virtual Routerdefault
IPv4100.1.1.1/24
TheconfigurationforVPNPeerBis:
Interfaceethernet1/11
Security Zoneuntrust
Virtual Routerdefault
IPv4200.1.1.1/24
1.
2.
PaloAltoNetworks,Inc.
VPNs
SitetoSiteVPNQuickConfigs
QuickConfig:SitetoSiteVPNwithStaticandDynamicRouting(Continued)
Step3
SetuptheIKEGateway.
1.
Withpresharedkeys,toadd
2.
authenticationscrutinywhensettingup
theIKEphase1tunnel,youcansetup
LocalandPeerIdentificationattributes
andacorrespondingvaluethatis
matchedintheIKEnegotiationprocess.
3.
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 655
Step 4 Create a tunnel interface and attach it to a virtual router and security zone.
2. In the Interface Name field, specify a numeric suffix, say, .41.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
(Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example vpn-tun), and then click OK.
4. Select the Virtual Router.
5. Assign an IP address to the tunnel interface: select the IPv4 or IPv6 tab, click Add in the IP section, and enter the IP address and network mask/prefix to assign to the interface, for example, 172.19.9.2/24.
This IP address will be used to route traffic to the tunnel and to monitor the status of the tunnel.
6. To save the interface configuration, click OK.
In this example, the configuration for VPN Peer A is:
Interface: tunnel.41
Security Zone: vpn_tun
Virtual Router: default
IPv4: 2.1.1.141/24
The configuration for VPN Peer B is:
Interface: tunnel.42
Security Zone: vpn_tun
Virtual Router: default
IPv4: 2.1.1.140/24
Step 5 Specify the interface to route traffic to a destination on the 192.168.x.x network.
1. On VPN Peer A, select the virtual router.
2. Select Static Routes, and Add tunnel.41 as the Interface for routing traffic with a Destination in the 192.168.x.x network.
Step 6 Set up the static route and the OSPF configuration on the virtual router and attach the OSPF areas with the appropriate interfaces on the firewall.
In this example, the OSPF configuration for VPN Peer B is:
Router ID: 192.168.100.140
Area ID 0.0.0.0 is assigned to the interface Ethernet1/12, Link Type: Broadcast
Area ID 0.0.0.10 is assigned to the interface Ethernet1/1, Link Type: Broadcast
Area ID 0.0.0.20 is assigned to the interface Ethernet1/15, Link Type: Broadcast
Step 7 Create a redistribution profile to inject the static routes into the OSPF autonomous system.
1. Create a redistribution profile on VPN Peer B.
a. Select Network > Virtual Routers, and select the router you used above.
b. Select Redistribution Profiles, and click Add.
c. Enter a Name for the profile, select Redist, and assign a Priority value. If you have configured multiple profiles, the profile with the lowest priority value is matched first.
d. Set Source Type as static, and click OK. The static route defined in Step 6-2 will be used for the redistribution.
2. Inject the static routes into the OSPF system.
a. Select OSPF > Export Rules (for IPv4) or OSPFv3 > Export Rules (for IPv6).
b. Click Add, and select the redistribution profile that you just created.
c. Select how the external routes are brought into the OSPF system. The default option, Ext 2, calculates the total cost of the route using only the external metrics. To use both internal and external OSPF metrics, use Ext 1.
d. Assign a Metric (cost value) for the routes injected into the OSPF system. This option allows you to change the metric for the injected route as it comes into the OSPF system.
e. Click OK to save the changes.
Step 8 Set up the IPSec Tunnel.
To define the action on failure to establish connectivity, see Define a Tunnel Monitoring Profile.
Step 9 Create policies to allow traffic between the sites (subnets).
Step 10 Verify OSPF adjacencies and routes from the CLI.
Verify that both firewalls can see each other as neighbors with full status. Also confirm the IP address of the VPN peer's tunnel interface and the OSPF Router ID. Use the following CLI commands on each VPN peer.
show routing protocol ospf neighbor
show routing route
The following is an example of the output on each VPN peer.
Step 11 Test VPN connectivity.
See Set Up Tunnel Monitoring and View the Status of the Tunnels.
Large Scale VPN (LSVPN)
The GlobalProtect Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation firewall simplifies the deployment of traditional hub-and-spoke VPNs, enabling you to quickly deploy enterprise networks with several branch offices with a minimum amount of configuration required on the remote satellites. This solution uses certificates for firewall authentication and IPSec to secure data.
LSVPN enables site-to-site VPNs between Palo Alto Networks firewalls. To set up a site-to-site VPN between a Palo Alto Networks firewall and another device, see VPNs.
The following topics describe the LSVPN components and how to set them up to enable site-to-site VPN services between Palo Alto Networks firewalls:
LSVPN Overview
Create Interfaces and Zones for the LSVPN
Enable SSL Between GlobalProtect LSVPN Components
Configure the Portal to Authenticate Satellites
Configure GlobalProtect Gateways for LSVPN
Configure the GlobalProtect Portal for LSVPN
Prepare the Satellite to Join the LSVPN
Verify the LSVPN Configuration
LSVPN Quick Configs
LSVPN Overview
GlobalProtect provides a complete infrastructure for managing secure access to corporate resources from your remote sites. This infrastructure includes the following components:
GlobalProtect Portal: Provides the management functions for your GlobalProtect LSVPN infrastructure. Every satellite that participates in the GlobalProtect LSVPN receives configuration information from the portal, including configuration information to enable the satellites (the spokes) to connect to the gateways (the hubs). You configure the portal on an interface on any Palo Alto Networks next-generation firewall.
GlobalProtect Gateways: A Palo Alto Networks firewall that provides the tunnel endpoint for satellite connections. The resources that the satellites access are protected by security policy on the gateway. It is not required to have a separate portal and gateway; a single firewall can function both as portal and gateway.
GlobalProtect Satellite: A Palo Alto Networks firewall at a remote site that establishes IPSec tunnels with the gateway(s) at your corporate office(s) for secure access to centralized resources. Configuration on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN as you add new sites.
The following diagram illustrates how the GlobalProtect LSVPN components work together.
Create Interfaces and Zones for the LSVPN
You must configure the following interfaces and zones for your LSVPN infrastructure:
GlobalProtect portal: Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from your branch offices.
GlobalProtect gateways: Requires three interfaces: a Layer 3 interface in the zone that is reachable by the remote satellites, an internal interface in the trust zone that connects to the protected resources, and a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site VPN solutions, the GlobalProtect gateway only requires a single tunnel interface, which it will use for tunnel connections with all of your remote satellites (point-to-multipoint). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface.
GlobalProtect satellites: Requires a single tunnel interface for establishing a VPN with the remote gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface.
For more information about portals, gateways, and satellites see LSVPN Overview.
Set Up Interfaces and Zones for the GlobalProtect LSVPN
Step 1 Configure a Layer 3 interface.
The portal and each gateway and satellite all require a Layer 3 interface to enable traffic to be routed between sites.
If the gateway and portal are on the same firewall, you can use a single interface for both components.
IPv6 addresses are not supported with LSVPN.
4. Select the Virtual Router to use.
5. To assign an IP address to the interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.11.100/24.
6. To save the interface configuration, click OK.
Step 2 On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
Make sure to enable User-ID in the zone where the VPN tunnels terminate.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone drop-down to define the zone as follows:
To use your trust zone as the termination point for the tunnel, select the zone from the drop-down.
(Recommended) To create a separate zone for VPN tunnel termination, click New Zone. In the Zone dialog, define a Name for the new zone (for example lsvpn-tun), select the Enable User Identification check box, and then click OK.
4. Select the Virtual Router.
5. (Optional) If you want to assign an IP address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 203.0.11.33/24.
6. To save the interface configuration, click OK.
Step 3 If you created a separate zone for tunnel termination of VPN connections, create a security policy to enable traffic flow between the VPN zone and your trust zone.
For example, a policy rule enables traffic between the lsvpn-tun zone and the L3-Trust zone.
Step 4 Save the configuration.
Click Commit.
Enable SSL Between GlobalProtect LSVPN Components
All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) and/or certificate profiles in the configurations for each component. The following sections describe the supported methods of certificate deployment, descriptions and best practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and deploying the required certificates:
About Certificate Deployment
Deploy Server Certificates to the GlobalProtect LSVPN Components
Deploy Client Certificates to the GlobalProtect Satellites Using SCEP
About Certificate Deployment
There are two basic approaches to deploying certificates for GlobalProtect LSVPN:
Enterprise Certificate Authority: If you already have your own enterprise certificate authority, you can use this internal CA to issue an intermediate CA certificate for the GlobalProtect portal to enable it to issue certificates to the GlobalProtect gateways and satellites. You can also configure the GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to issue client certificates to GlobalProtect satellites.
Self-Signed Certificates: You can generate a self-signed root CA certificate on the firewall and use it to issue server certificates for the portal, gateway(s), and satellite(s). As a best practice, create a self-signed root CA certificate on the portal and use it to issue server certificates for the gateways and satellites. This way, the private key used for certificate signing stays on the portal.
Deploy Server Certificates to the GlobalProtect LSVPN Components
The GlobalProtect LSVPN components use SSL/TLS to mutually authenticate. Before deploying the LSVPN, you must assign an SSL/TLS service profile to each portal and gateway. The profile specifies the server certificate and allowed TLS versions for communication with satellites. You don't need to create SSL/TLS service profiles for the satellites because the portal will issue a server certificate for each satellite during the first connection as part of the satellite registration process.
In addition, you must import the root certificate authority (CA) certificate used to issue the server certificates onto each firewall that you plan to host as a gateway or satellite. Finally, on each gateway and satellite participating in the LSVPN, you must configure a certificate profile that will enable them to establish an SSL/TLS connection using mutual authentication.
The following workflow shows the best practice steps for deploying SSL certificates to the GlobalProtect LSVPN components:
Deploy SSL Server Certificates to the GlobalProtect Components
Step 1 On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components.
Create a Self-Signed Root CA Certificate:
1. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
2. Enter a Certificate Name, such as LSVPN_CA.
3. Do not select a value in the Signed By field (this is what indicates that it is self-signed).
4. Select the Certificate Authority check box and then click OK to generate the certificate.
Step 2 Create SSL/TLS service profiles for the GlobalProtect portal and gateways.
For the portal and each gateway, you must assign an SSL/TLS service profile that references a unique self-signed server certificate.
The best practice is to issue all of the required certificates on the portal, so that the signing certificate (with the private key) doesn't have to be exported.
If the GlobalProtect portal and gateway are on the same firewall interface, you can use the same server certificate for both components.
1. Use the root CA on the portal to Generate a Certificate for each gateway you will deploy:
a. Select Device > Certificate Management > Certificates > Device Certificates and click Generate.
b. Enter a Certificate Name.
c. Enter the FQDN (recommended) or IP address of the interface where you plan to configure the gateway in the Common Name field.
d. In the Signed By field, select the LSVPN_CA certificate you just created.
e. In the Certificate Attributes section, click Add and define the attributes to uniquely identify the gateway. If you add a Host Name attribute (which populates the SAN field of the certificate), it must exactly match the value you defined for the Common Name.
f. Generate the certificate.
2. Configure an SSL/TLS Service Profile for the portal and each gateway:
a. Select Device > Certificate Management > SSL/TLS Service Profile and click Add.
b. Enter a Name to identify the profile and select the server Certificate you just created for the portal or gateway.
c. Define the range of TLS versions (Min Version to Max Version) allowed for communicating with satellites and click OK.
Step 3 Deploy the self-signed server certificates to the gateways.
Best Practices:
Export the self-signed server certificates issued by the root CA from the portal and import them onto the gateways.
Be sure to issue a unique server certificate for each gateway.
The Common Name (CN) and, if applicable, the Subject Alternative Name (SAN) fields of the certificate must match the IP address or fully qualified domain name (FQDN) of the interface where you configure the gateway.
3. Enter (and re-enter) a Passphrase to encrypt the private key associated with the certificate and then click OK to download the PKCS12 file to your computer.
5. Enter a Certificate Name.
6. Enter the path and name to the Certificate File you just downloaded from the portal, or Browse to find the file.
8. Enter the path and name to the PKCS12 file in the Key File field or Browse to find it.
9. Enter and re-enter the Passphrase you used to encrypt the private key when you exported it from the portal and then click OK to import the certificate and key.
Step 4 Import the root CA certificate used to issue server certificates for the LSVPN components.
You must import the root CA certificate onto all gateways and satellites. For security reasons, make sure you export the certificate only, and not the associated private key.
1. Download the root CA certificate from the portal.
a. Select Device > Certificate Management > Certificates > Device Certificates.
b. Select the root CA certificate used to issue certificates for the LSVPN components and click Export.
c. Select Base64 Encoded Certificate (PEM) from the File Format drop-down and click OK to download the certificate. (Do not export the private key.)
2. On the firewalls hosting the gateways and satellites, import the root CA certificate.
a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
c. Browse to the Certificate File you downloaded from the CA.
d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
e. Select the certificate you just imported on the Device Certificates tab to open it.
f. Select Trusted Root CA and then click OK.
g. Commit the changes.
Step 5 Create a certificate profile.
The GlobalProtect LSVPN portal and each gateway require a certificate profile that specifies which certificate to use to authenticate the satellites.
4. (Optional, but recommended) Enable use of CRL and/or OCSP to enable certificate status verification.
5. Click OK to save the profile.
Step 6 Save the configuration.
Click Commit.
Deploy Client Certificates to the GlobalProtect Satellites Using SCEP
As an alternative method for deploying client certificates to satellites, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI. SCEP operation is dynamic in that the enterprise PKI generates a certificate when the portal requests it and sends the certificate to the portal.
When the satellite device requests a connection to the portal or gateway, it also includes its serial number with the connection request. The portal submits a CSR to the SCEP server using the settings in the SCEP profile and automatically includes the serial number of the device in the subject of the client certificate. After receiving the client certificate from the enterprise PKI, the portal transparently deploys the client certificate to the satellite device. The satellite device then presents the client certificate to the portal or gateway for authentication.
Deploy Server Certificates to the GlobalProtect Components Using SCEP
Step 1 Create a SCEP profile.
2. Enter a Name to identify the SCEP profile.
3. If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
Step 2 (Optional) To make the SCEP-based certificate generation more secure, configure a SCEP challenge-response mechanism between the PKI and portal for each certificate request.
After you configure this mechanism, its operation is invisible, and no further input from you is necessary.
To comply with the U.S. Federal Information Processing Standard (FIPS), use a Dynamic SCEP challenge and specify a Server URL that uses HTTPS (see Step 7).
Select one of the following options:
None (Default): The SCEP server does not challenge the portal before it issues a certificate.
Fixed: Obtain the enrollment challenge password from the SCEP server (for example, http://10.200.101.1/CertSrv/mscep_admin/) in the PKI infrastructure and then copy or enter the password into the Password field.
Dynamic: Enter the SCEP Server URL where the portal client submits these credentials (for example, http://10.200.101.1/CertSrv/mscep_admin/), and a username and OTP of your choice. The username and password can be the credentials of the PKI administrator.
Step 3 Specify the settings for the connection between the SCEP server and the portal to enable the portal to request and receive client certificates.
To identify the satellite, the portal automatically includes the device serial number in the CSR request to the SCEP server. Because the SCEP profile requires a value in the Subject field, you can leave the default $USERNAME token even though the value is not used in client certificates for LSVPN.
1. Configure the Server URL that the portal uses to reach the SCEP server in the PKI (for example, http://10.200.101.1/certsrv/mscep/).
2. Enter a string (up to 255 characters in length) in the CA-IDENT Name field to identify the SCEP server.
3. Select the Subject Alternative Name Type:
RFC 822 Name: Enter the email name in a certificate's subject or Subject Alternative Name extension.
DNS Name: Enter the DNS name used to evaluate certificates.
Uniform Resource Identifier: Enter the name of the resource from which the client will obtain the certificate.
None: Do not specify attributes for the certificate.
Step 4 (Optional) Configure cryptographic settings for the certificate.
Select the key length (Number of Bits) for the certificate. If the firewall is in FIPS-CC mode and the key generation algorithm is RSA, the RSA keys must be 2048 bits or larger.
Select the Digest for CSR, which indicates the digest algorithm for the certificate signing request (CSR): SHA1, SHA256, SHA384, or SHA512.
Step 5 (Optional) To ensure that the portal is connecting to the correct SCEP server, enter the CA Certificate Fingerprint. Obtain this fingerprint from the SCEP server interface in the Thumbprint field.
1. Enter the URL for the SCEP server's administrative UI (for example, http://<hostname or IP>/CertSrv/mscep_admin/).
2. Copy the thumbprint and enter it in the CA Certificate Fingerprint field.
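Two of the checks above are easy to get wrong by hand: Step 4 of the server-certificate workflow requires that the exported root CA file carries the certificate only and never the private key, and Step 5 here compares a thumbprint copied from the SCEP server's UI against the CA certificate. The following Python is an added example, not part of the PAN-OS guide or any Palo Alto Networks tool; it parses a PEM file, reports whether it is safe to distribute to gateways and satellites, and compares a thumbprint with the certificate's fingerprint regardless of the colon, space or case conventions different UIs use. The certificate bytes it embeds are constructed placeholders, not a real DER certificate.

```python
"""Checks for certificate material exchanged between LSVPN components.

Added example (not from the PAN-OS guide):
  * export_is_certificate_only(): the root CA export must contain only
    CERTIFICATE blocks, never a PRIVATE KEY block.
  * thumbprint_matches(): compare the thumbprint shown by the SCEP server's
    admin UI with the fingerprint of the downloaded CA certificate.
The DER bytes below are constructed placeholders, not a real certificate.
"""
import base64
import hashlib
import re

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def parse_pem(text):
    """Return a list of (label, der_bytes) for every PEM block in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def export_is_certificate_only(text):
    """True when the file holds at least one certificate and no key material."""
    labels = {label for label, _ in parse_pem(text)}
    has_cert = "CERTIFICATE" in labels
    has_key = any("PRIVATE KEY" in label for label in labels)
    return has_cert and not has_key


def certificate_fingerprint(text, algorithm="sha1"):
    """Fingerprint of the first CERTIFICATE block as colon-separated hex.

    SHA-1 is the default because that is what the Thumbprint field of the
    SCEP server UI shows; pass algorithm="sha256" for a SHA-256 fingerprint.
    """
    for label, der in parse_pem(text):
        if label == "CERTIFICATE":
            digest = hashlib.new(algorithm, der).hexdigest().upper()
            return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    raise ValueError("no CERTIFICATE block found")


def thumbprint_matches(text, expected, algorithm="sha1"):
    """Compare a copied thumbprint with the certificate, ignoring separators and case."""
    def normalize(value):
        return re.sub(r"[^0-9a-f]", "", value.lower())
    return normalize(certificate_fingerprint(text, algorithm)) == normalize(expected)


def _pem(label, der):
    """Wrap raw bytes in a PEM envelope (used only to build the samples)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed placeholder bytes; a real export carries DER-encoded ASN.1.
_FAKE_CA_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_FAKE_KEY_DER = b"\x30\x82\x00\x20" + bytes(32)

CA_CERT_ONLY_PEM = _pem("CERTIFICATE", _FAKE_CA_DER)
CA_WITH_KEY_PEM = CA_CERT_ONLY_PEM + _pem("RSA PRIVATE KEY", _FAKE_KEY_DER)

if __name__ == "__main__":
    print("certificate-only export:", export_is_certificate_only(CA_CERT_ONLY_PEM))
    print("export that leaks a key:", export_is_certificate_only(CA_WITH_KEY_PEM))
    print("SHA-1 fingerprint:", certificate_fingerprint(CA_CERT_ONLY_PEM))
```

Run the file against the PEM you downloaded from the portal before importing it onto a gateway or satellite; a False from export_is_certificate_only means the private key left the portal and the export should be redone with the certificate-only option.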
Step7
SelecttheSCEPserversrootCA Certificate.Optionally,youcan
EnablemutualSSLauthentication
enablemutualSSLauthenticationbetweentheSCEPserverand
betweentheSCEPserverandthe
GlobalProtectportal.Thisisrequiredto theGlobalProtectportalbyselectingaClient Certificate.
complywiththeU.S.FederalInformation
ProcessingStandard(FIPS).
FIPSCCoperationisindicated
onthefirewallloginpageandin
itsstatusbar.
Step8
Saveandcommittheconfiguration.
1.
ClickOKtosavethesettingsandclosetheSCEPconfiguration.
2. Committheconfiguration.
TheportalattemptstorequestaCAcertificateusingthesettingsin
theSCEPprofileandsavesittothefirewallhostingtheportal.If
successful,theCAcertificateisshowninDevice > Certificate
Management > Certificates.
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 667
EnableSSLBetweenGlobalProtectLSVPNComponents
LargeScaleVPN(LSVPN)
DeployServerCertificatestotheGlobalProtectComponentsUsingSCEP(Continued)
Step9
1.
(Optional)IfaftersavingtheSCEP
profile,theportalfailstoobtainthe
certificate,youcanmanuallygeneratea 2.
certificatesigningrequest(CSR)fromthe
3.
portal.
4.
668 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
Configure the Portal to Authenticate Satellites
In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal will issue a server certificate for the satellite and push the LSVPN configuration specifying the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.
There are two ways that the satellite can authenticate to the portal during its initial connection:
Serial number: You can configure the portal with the serial number of the satellite firewalls that are authorized to join the LSVPN. During the initial satellite connection to the portal, the satellite presents its serial number to the portal and if the portal has the serial number in its configuration, the satellite will be successfully authenticated. You add the serial numbers of authorized satellites when you configure the portal. See Configure the Portal.
Username and password: If you would rather provision your satellites without manually entering the serial numbers of the satellites into the portal configuration, you can instead require the satellite administrator to authenticate when establishing the initial connection to the portal. Although the portal will always look for the serial number in the initial request from the satellite, if it cannot identify the serial number, the satellite administrator must provide a username and password to authenticate to the portal. Because the portal will always fall back to this form of authentication, you must create an authentication profile in order to commit the portal configuration. This requires that you set up an authentication profile for the portal LSVPN configuration even if you plan to authenticate satellites using the serial number.
The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service. GlobalProtect LSVPN supports external authentication using a local database, LDAP (including Active Directory), Kerberos, TACACS+, or RADIUS.
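The order the portal applies matters for what an unlisted satellite experiences: its serial number does not cause a rejection, it causes a fallback to the authentication profile, so the credentials behind that profile effectively gate enrollment even in serial-number deployments. The following Python is an added model of that admission order, not PAN-OS code; the PortalConfig, SatelliteRequest and make_local_database names, the serial numbers and the local credential store are all constructed for the example.

```python
"""Admission order the portal applies to a connecting satellite.

Added example, not PAN-OS code: a model of the two authentication paths the
guide describes. The portal first checks the received serial number against
the serial numbers configured for authorized satellites; if the serial is
absent or unknown it falls back to the authentication profile, which is why
that profile must exist even in serial-number deployments.
All names, serial numbers and accounts below are constructed values.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SatelliteRequest:
    serial: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None


@dataclass(frozen=True)
class PortalConfig:
    authorized_serials: frozenset
    # Stand-in for the authentication profile: a callable that validates the
    # satellite administrator's credentials (local DB, LDAP, RADIUS, ...).
    authentication_profile: Optional[Callable[[str, str], bool]] = None


def admit_satellite(config, request):
    """Return (admitted, reason) following the portal's fallback order."""
    if config.authentication_profile is None:
        # The guide states the portal configuration cannot be committed
        # without an authentication profile, so treat this as a config error.
        raise ValueError("portal requires an authentication profile")
    if request.serial is not None and request.serial in config.authorized_serials:
        return True, "serial number is in the portal configuration"
    if request.username is None or request.password is None:
        # An unknown serial does not reject the satellite outright: the
        # administrator is prompted for credentials instead.
        return False, "serial unknown; satellite administrator credentials required"
    if config.authentication_profile(request.username, request.password):
        return True, "authenticated through the authentication profile"
    return False, "authentication profile rejected the credentials"


def make_local_database(users):
    """Constructed local-database profile: username -> password mapping."""
    def check(username, password):
        stored = users.get(username)
        # Constant-time comparison so a wrong password is not distinguishable
        # by timing from a wrong username.
        return stored is not None and hmac.compare_digest(stored, password)
    return check


# Constructed sample values (not real serial numbers or accounts).
SAMPLE_PORTAL = PortalConfig(
    authorized_serials=frozenset({"0001A2B3C4D5E6F7", "0009F8E7D6C5B4A3"}),
    authentication_profile=make_local_database({"lsvpn-admin": "example-only"}),
)

if __name__ == "__main__":
    for req in (
        SatelliteRequest(serial="0001A2B3C4D5E6F7"),
        SatelliteRequest(serial="UNKNOWN-SERIAL"),
        SatelliteRequest(serial="UNKNOWN-SERIAL", username="lsvpn-admin", password="example-only"),
    ):
        print(req, "->", admit_satellite(SAMPLE_PORTAL, req))
```

The point the model makes explicit is the second case: a satellite whose serial number is not configured is not refused, it is asked for credentials, so the authentication profile's user population and password policy are part of the LSVPN's trust boundary.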
Set Up Satellite Authentication
Step 1 (External authentication only) Create a server profile on the portal.
The server profile defines how the firewall connects to an external authentication service to validate the authentication credentials that the satellite administrator enters.
If you use local authentication, skip this step and instead add a local user for the satellite administrator: see Configure the user account.
Configure a server profile for the authentication service type:
Configure a RADIUS Server Profile.
Configure a TACACS+ Server Profile.
Configure an LDAP Server Profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.
Configure a Kerberos Server Profile.
Step 2 Configure an authentication profile.
The authentication profile defines which server profile to use to authenticate satellites.
Configure GlobalProtect Gateways for LSVPN
Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect to, it is a good idea to configure the gateways before configuring the portal.
Prerequisite Tasks
Configure the Gateway
Prerequisite Tasks
Before you can configure the GlobalProtect gateway, you must complete the following tasks:
Create Interfaces and Zones for the LSVPN on the interface where you will configure each gateway. You must configure both the physical interface and the virtual tunnel interface.
Enable SSL Between GlobalProtect LSVPN Components by configuring the gateway server certificates, SSL/TLS service profiles, and certificate profile required to establish a mutual SSL/TLS connection from the GlobalProtect satellites to the gateway.
Configure the Gateway
After you have completed the Prerequisite Tasks, configure each GlobalProtect gateway to participate in the LSVPN as follows:
Configure the Gateway for LSVPN
Step 1 Add a gateway.
2. In the General screen, enter a Name for the gateway. The gateway name should have no spaces and, as a best practice, should include the location or other descriptive information to help users and administrators identify the gateway.
3. (Optional) Select the virtual system to which this gateway belongs from the Location field.
Step 2 Specify the network information that enables satellite devices to connect to the gateway.
If you haven't created the network interface for the gateway, see Create Interfaces and Zones for the LSVPN for instructions.
1. Select the Interface that satellites will use for ingress access to the gateway.
2. Select the IP Address for gateway access.
3. Click OK to save changes.
Step 3 Specify how the gateway authenticates satellites attempting to establish tunnels.
If you haven't yet created an SSL/TLS Service profile for the gateway, see Deploy Server Certificates to the GlobalProtect LSVPN Components.
If you haven't set up the authentication profiles or certificate profiles, see Configure the Portal to Authenticate Satellites for instructions.
If you have not yet set up the certificate profile, see Enable SSL Between GlobalProtect LSVPN Components for instructions.
On the GlobalProtect Gateway Configuration dialog, select Authentication and then configure any of the following:
To secure communication between the gateway and the satellites, select the SSL/TLS Service Profile for the gateway.
To specify the authentication profile to use to authenticate satellites, Add a Client Authentication. Then, enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate the satellite. You can also select a Certificate Profile for the gateway to use to authenticate satellite devices attempting to establish tunnels.
Step 4 Configure the tunnel parameters and enable tunneling.
1. On the GlobalProtect Gateway Configuration dialog, select Satellite > Tunnel Settings.
2. Select the Tunnel Configuration check box to enable tunneling.
3. Select the Tunnel Interface you defined to terminate VPN tunnels established by the GlobalProtect satellites when you performed the task to Create Interfaces and Zones for the LSVPN.
4. (Optional) If you want to preserve the Type of Service (ToS) information in the encapsulated packets, select Copy TOS.
If there are multiple sessions inside the tunnel (each with a different TOS value), copying the TOS header can cause the IPSec packets to arrive out of order.
Step 5 (Optional) Enable tunnel monitoring.
Tunnel monitoring enables satellites to monitor their gateway tunnel connection, allowing them to fail over to a backup gateway if the connection fails. Failover to another gateway is the only type of tunnel monitoring profile supported with LSVPN.
1. Select the Tunnel Monitoring check box.
2. Specify the Destination IP address the satellites should use to determine if the gateway is active. Alternatively, if you configured an IP address for the tunnel interface, you can leave this field blank and the tunnel monitor will instead use the tunnel interface to determine if the connection is active.
3. Select Failover from the Tunnel Monitor Profile drop-down (this is the only supported tunnel monitor profile for LSVPN).
Step 6 Select the IPSec Crypto profile to use when establishing tunnel connections.
The profile specifies the type of IPSec encryption and the authentication method for securing the data that will traverse the tunnel. Because both tunnel endpoints in an LSVPN are trusted firewalls within your organization, you can typically use the default (predefined) profile, which uses ESP as the IPSec protocol, group2 for the DH group, AES-128-CBC for encryption, and SHA1 for authentication.
Step 7 Configure the network settings to assign the satellites during establishment of the IPSec tunnel.
You can also configure the satellite to push the DNS settings to its local clients by configuring a DHCP server on the firewall hosting the satellite. In this configuration, the satellite will push DNS settings it learns from the gateway to the DHCP clients.
1. On the GlobalProtect Gateway Configuration dialog, select Satellite > Network Settings.
2. (Optional) If clients local to the satellite need to resolve FQDNs on the corporate network, configure the gateway to push DNS settings to the satellites in one of the following ways:
If the gateway has an interface that is configured as a DHCP client, you can set the Inheritance Source to that interface and assign the same settings received by the DHCP client to GlobalProtect satellites. You can also inherit the DNS suffix from the same source.
Manually define the Primary DNS, Secondary DNS, and DNS Suffix settings to push to the satellites.
3. To specify the IP Pool of addresses to assign the tunnel interface on the satellites when the VPN is established, click Add and then specify the IP address range(s) to use.
4. To define what destination subnets to route through the tunnel, click Add in the Access Route area and then enter the routes as follows:
If you want to route all traffic from the satellites through the tunnel, leave this field blank. Note that in this case, all traffic except traffic destined for the local subnet will be tunneled to the gateway.
To route only some traffic through the gateway (called split tunneling), specify the destination subnets that must be tunneled. In this case, the satellite will route traffic that is not destined for a specified access route using its own routing table. For example, you may choose to only tunnel traffic destined for your corporate network, and use the local satellite to safely enable Internet access.
If you want to enable routing between satellites, enter the summary route for the network protected by each satellite.
Step 8 (Optional) Define what routes, if any, the gateway will accept from satellites.
By default, the gateway will not add any routes satellites advertise to its routing table. If you do not want the gateway to accept routes from satellites, you do not need to complete this step.
1. To enable the gateway to accept routes advertised by satellites, select Satellite > Route Filter.
2. Select the Accept published routes check box.
3. To filter which of the routes advertised by the satellites to add to the gateway routing table, click Add and then define the subnets to include. For example, if all the satellites are configured with subnet 192.168.x.0/24 on the LAN side, configure a permitted route of 192.168.0.0/16 so that the gateway accepts a route from a satellite only if it lies within the 192.168.0.0/16 subnet.
Step 9 Save the gateway configuration.
1. Click OK to save the settings and close the GlobalProtect Gateway Configuration dialog.
2. Commit the configuration.
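The Access Route rules in Step 7 and the Route Filter in Step 8 are easiest to reason about as two small decision functions, one on the satellite side and one on the gateway side. The following Python is an added example, not PAN-OS code, that reproduces those rules with the standard ipaddress module; the sample prefixes are constructed, and it assumes (not stated on the page) that with Accept published routes selected and no filter entries defined, every advertised route is accepted.

```python
"""Routing decisions on the two ends of an LSVPN tunnel.

Added example, not PAN-OS code. Two pure functions reproduce the rules the
guide states for Access Routes (split tunneling on the satellite) and for the
gateway's Route Filter (Accept published routes). Sample prefixes are
constructed; the behaviour of an empty filter list is an assumption.
"""
import ipaddress


def tunnel_destination(dst, access_routes, local_subnet):
    """Decide whether a packet to dst leaves the satellite through the tunnel.

    access_routes empty -> everything except the local subnet is tunneled.
    access_routes set   -> only destinations inside one of them are tunneled;
                           the rest follow the satellite's own routing table.
    """
    dst = ipaddress.ip_address(dst)
    if dst in ipaddress.ip_network(local_subnet):
        return False
    if not access_routes:
        return True
    return any(dst in ipaddress.ip_network(route) for route in access_routes)


def accept_published_routes(advertised, permitted, accept_published=True):
    """Return the satellite routes the gateway installs in its routing table.

    accept_published False (the default on the gateway) ignores everything.
    With no permitted prefixes every advertised route is accepted (assumed);
    otherwise a route is installed only if it lies within a permitted prefix,
    e.g. 192.168.41.0/24 is inside 192.168.0.0/16, 10.99.0.0/16 is not.
    """
    if not accept_published:
        return []
    permitted_nets = [ipaddress.ip_network(p) for p in permitted]
    accepted = []
    for route in advertised:
        net = ipaddress.ip_network(route)
        if not permitted_nets or any(net.subnet_of(p) for p in permitted_nets):
            accepted.append(str(net))
    return accepted


if __name__ == "__main__":
    # Constructed satellite: LAN 192.168.41.0/24, corporate network 10.0.0.0/8.
    for dst in ("10.1.2.3", "192.168.41.7", "8.8.8.8"):
        print(dst, "full tunnel:", tunnel_destination(dst, [], "192.168.41.0/24"),
              "split:", tunnel_destination(dst, ["10.0.0.0/8"], "192.168.41.0/24"))
    print(accept_published_routes(["192.168.41.0/24", "10.99.0.0/16"], ["192.168.0.0/16"]))
```

The route filter matters because a satellite that advertises a prefix outside its own LAN (10.99.0.0/16 in the sample) would otherwise pull that traffic from the hub to the branch; the permitted prefix keeps the gateway's routing table limited to what each site is expected to own.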
PANOS7.1AdministratorsGuide 673
ConfiguretheGlobalProtectPortalforLSVPN
LargeScaleVPN(LSVPN)
ConfiguretheGlobalProtectPortalforLSVPN
TheGlobalProtectportalprovidesthemanagementfunctionsforyourGlobalProtectLSVPN.Everysatellite
systemthatparticipatesintheLSVPNreceivesconfigurationinformationfromtheportal,including
informationaboutavailablegatewaysaswellasthecertificateitneedsinordertoconnecttothegateways.
Thefollowingsectionsprovideproceduresforsettinguptheportal:
PrerequisiteTasks
ConfigurethePortal
DefinetheSatelliteConfigurations
PrerequisiteTasks
BeforeconfiguringtheGlobalProtectportal,youmustcompletethefollowingtasks:
CreateInterfacesandZonesfortheLSVPNontheinterfacewhereyouwillconfiguretheportal.
EnableSSLBetweenGlobalProtectLSVPNComponentsbycreatinganSSL/TLSserviceprofileforthe
portalservercertificate,issuinggatewayservercertificates,andconfiguringtheportaltoissueserver
certificatesfortheGlobalProtectsatellites.
ConfigurethePortaltoAuthenticateSatellitesbydefiningtheauthenticationprofilethattheportalwill
usetoauthenticatesatellitesiftheserialnumberisnotavailable.
ConfigureGlobalProtectGatewaysforLSVPN.
ConfigurethePortal
AfteryouhavecompletedthePrerequisiteTasks,configuretheGlobalProtectportalasfollows:
ConfigurethePortalforLSVPN
Step 1. Add the portal.
1. Select Network > GlobalProtect > Portals and click Add.
2. On the General tab, enter a Name for the portal. The portal name should not contain any spaces.
3. (Optional) Select the virtual system to which this portal belongs from the Location field.

Step 2. Specify the network information to enable satellites to connect to the portal.
If you haven't yet created the network interface for the portal, see Create Interfaces and Zones for the LSVPN for instructions.
1. Select the Interface that satellites will use for ingress access to the portal.
2. Select the IP Address for satellite access to the portal.

Step 3. Specify an SSL/TLS Service profile to use to enable the satellite to establish an SSL/TLS connection to the portal.
If you haven't yet created an SSL/TLS service profile for the portal and issued gateway certificates, see Deploy Server Certificates to the GlobalProtect LSVPN Components.
1. On the GlobalProtect Portal Configuration dialog, select Authentication.
2. Select the SSL/TLS Service Profile.

Step 4. Specify an authentication profile and optional certificate profile for authenticating satellites.
If the portal can't validate the serial numbers of connecting satellites, it will fall back to the authentication profile. Therefore, before you can save the portal configuration (by clicking OK), you must Configure an authentication profile.
Add a Client Authentication, and then enter a Name to identify the configuration, select OS: Satellite to apply the configuration to all satellites, and specify the Authentication Profile to use to authenticate satellite devices. You can also specify a Certificate Profile for the portal to use to authenticate satellite devices.

Step 5. Continue with defining the configurations to push to the satellites or, if you have already created the satellite configurations, save the portal configuration.
Click OK to save the portal configuration or continue to Define the Satellite Configurations.
Define the Satellite Configurations

When a GlobalProtect satellite connects and successfully authenticates to the GlobalProtect portal, the portal delivers a satellite configuration, which specifies what gateways the satellite can connect to. If all your satellites will use the same gateway and certificate configurations, you can create a single satellite configuration to deliver to all satellites upon successful authentication. However, if you require different satellite configurations (for example, if you want one group of satellites to connect to one gateway and another group of satellites to connect to a different gateway), you can create a separate satellite configuration for each. The portal will then use the enrollment username/group name or the serial number of the satellite to determine which satellite configuration to deploy. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the satellite.

For example, the following figure shows a network in which some branch offices require VPN access to the corporate applications protected by your perimeter firewalls and another site needs VPN access to the data center.

Use the following procedure to create one or more satellite configurations.
Create a GlobalProtect Satellite Configuration

Step 1. Add a satellite configuration.
The satellite configuration specifies the GlobalProtect LSVPN configuration settings to deploy to the connecting satellites. You must define at least one satellite configuration.
1. In the portal configuration, select the Satellite tab.
2. In the Satellite section, click Add.
3. Enter a Name for the configuration. If you plan to create multiple configurations, make sure the name you define for each is descriptive enough to allow you to distinguish them.
4. To change how often a satellite should check the portal for configuration updates, specify a value in the Configuration Refresh Interval (hours) field (range is 1-48; default is 24).

Step 2. Specify the satellites to which to deploy this configuration.
The portal uses the Enrollment User/User Group settings and/or Devices serial numbers to match a satellite to a configuration. Therefore, if you have multiple configurations, be sure to order them properly. As soon as the portal finds a match, it will deliver the configuration. Therefore, more specific configurations must precede more general ones. See Step 5 for instructions on ordering the list of satellite configurations.
Specify the match criteria for the satellite configuration as follows:
- To restrict this configuration to satellites with specific serial numbers, select the Devices tab, click Add, and enter the serial number (you do not need to enter the satellite hostname; it will be automatically added when the satellite connects). Repeat this step for each satellite you want to receive this configuration.
- Select the Enrollment User/User Group tab, click Add, and then select the user or group you want to receive this configuration. Satellites that do not match on serial number will be required to authenticate as a user specified here (either an individual user or group member).
  Before you can restrict the configuration to specific groups, you must Map Users to Groups.

Step 3. Specify the gateways that satellites with this configuration can establish VPN tunnels with.
Routes published by the gateway are installed on the satellite as static routes. The metric for the static route is 10x the routing priority. If you have more than one gateway, make sure to also set the routing priority to ensure that routes advertised by backup gateways have higher metrics compared to the same routes advertised by primary gateways. For example, if you set the routing priority for the primary gateway and backup gateway to 1 and 10 respectively, the satellite will use 10 as the metric for the primary gateway and 100 as the metric for the backup gateway.
1. On the Gateways tab, click Add.
2. Enter a descriptive Name for the gateway. The name you enter here should match the name you defined when you configured the gateway and should be descriptive enough to identify the location of the gateway.
3. Enter the FQDN or IP address of the interface where the gateway is configured in the Gateways field. The address you specify must exactly match the Common Name (CN) in the gateway server certificate.
4. (Optional) If you are adding two or more gateways to the configuration, the Routing Priority helps the satellite pick the preferred gateway. Enter a value in the range of 1-25, with lower numbers having the higher priority (that is, the gateway the satellite will connect to if all gateways are available). The satellite will multiply the routing priority by 10 to determine the routing metric.

Step 4. Save the satellite configuration.
1. Click OK to save the satellite configuration.
2. If you want to add another satellite configuration, repeat the previous steps.

Step 5. Arrange the satellite configurations so that the proper configuration is deployed to each satellite.
- To move a satellite configuration up on the list of configurations, select the configuration and click Move Up.
- To move a satellite configuration down on the list of configurations, select the configuration and click Move Down.

Step 6. Specify the certificates required to enable satellites to participate in the LSVPN.
Select the method of Client Certificate distribution:
- To store the client certificates on the portal, select Local and select the Root CA certificate that the portal will use to issue client certificates to satellites upon successfully authenticating them from the Issuing Certificate dropdown.
  If the root CA certificate used to issue your gateway server certificates is not on the portal, you can Import it now. See Enable SSL Between GlobalProtect LSVPN Components for details on how to import a root CA certificate.
- To enable the portal to act as a SCEP client to dynamically request and issue client certificates, select SCEP and then select the SCEP profile used to generate CSRs to your SCEP server.
  If you have not yet set up the portal to act as a SCEP client, you can add a New SCEP profile now. See Deploy Client Certificates to the GlobalProtect Satellites Using SCEP for details.

Step 7. Save the portal configuration.
1. Click OK to save the settings and close the GlobalProtect Portal Configuration dialog.
2. Commit your changes.
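The first-match rule in Step 2 above (more specific satellite configurations must precede general ones, and the portal stops at the first match) is the part of this procedure that is most often misordered. The following Python model is an added example, not PAN-OS code and not from Palo Alto Networks. It assumes a simplified matcher in which a configuration with no Devices entries and no Enrollment User/User Group entries is a catch-all that matches any satellite; the configuration names, serial numbers, users and gateways are constructed sample values. It returns the configuration the portal would deliver and lists configurations that can never be reached because a catch-all sits above them.

```python
"""Model of the portal's first-match satellite configuration lookup.

Added example, not PAN-OS code. Assumption: a configuration with no
Devices (serial numbers) and no Enrollment User/User Group entries is a
catch-all that matches every satellite. All names and serials are
constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class SatelliteConfig:
    name: str
    serials: frozenset = frozenset()   # Devices tab: satellite serial numbers
    users: frozenset = frozenset()     # Enrollment User/User Group tab
    gateways: tuple = ()               # Gateways tab: (name, routing priority)

    def is_catch_all(self):
        return not self.serials and not self.users

    def matches(self, serial, user=None, groups=()):
        """Serial number match first; otherwise the satellite must have
        authenticated as one of the listed users or group members."""
        if self.is_catch_all():
            return True
        if serial in self.serials:
            return True
        if user is not None:
            if user in self.users or self.users.intersection(groups):
                return True
        return False


def select_config(configs, serial, user=None, groups=()):
    """Walk the ordered list top to bottom and return the first match
    (None if nothing matches, in which case no configuration is delivered)."""
    for cfg in configs:
        if cfg.matches(serial, user, groups):
            return cfg
    return None


def unreachable_configs(configs):
    """Names of configurations that follow a catch-all in the list: the portal
    stops at the first match, so these can never be delivered."""
    names = []
    seen_catch_all = False
    for cfg in configs:
        if seen_catch_all:
            names.append(cfg.name)
        elif cfg.is_catch_all():
            seen_catch_all = True
    return names


# Constructed ordering: specific configurations before the general one.
CONFIGS = [
    SatelliteConfig("dc-sites", serials=frozenset({"SN-DC-001"}),
                    gateways=(("dc-gw", 1),)),
    SatelliteConfig("west-region", users=frozenset({"west-admins"}),
                    gateways=(("west-gw", 1), ("hq-gw", 10))),
    SatelliteConfig("all-branches", gateways=(("hq-gw", 1),)),
]

if __name__ == "__main__":
    print(select_config(CONFIGS, "SN-DC-001").name)
    print(unreachable_configs(list(reversed(CONFIGS))))
```

Reversing the list puts the catch-all first, and `unreachable_configs` then reports both specific configurations as dead entries, which is exactly the condition Step 5's Move Up / Move Down controls exist to fix.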
Prepare the Satellite to Join the LSVPN

To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is minimal, you can preconfigure the satellites before shipping them to your branch offices for installation.

Prepare the Satellite to Join the GlobalProtect LSVPN

Step 1. Configure a Layer 3 interface.
This is the physical interface the satellite will use to connect to the portal and the gateway. This interface must be in a zone that allows access outside of the local trust network. As a best practice, create a dedicated zone for VPN connections for visibility and control over traffic destined for the corporate gateways.

Step 2. Configure the logical tunnel interface for the tunnel to use to establish VPN tunnels with the GlobalProtect gateways.
IP addresses are not required on the tunnel interface unless you plan to use dynamic routing. However, assigning an IP address to the tunnel interface can be useful for troubleshooting connectivity issues.
1. Select Network > Interfaces > Tunnel and click Add.
2. In the Interface Name field, specify a numeric suffix, such as .2.
3. On the Config tab, expand the Security Zone dropdown and select an existing zone or create a separate zone for VPN tunnel traffic by clicking New Zone and defining a Name for the new zone (for example lsvpnsat).
4. In the Virtual Router dropdown, select default.
5. (Optional) If you want to assign an IP address to the tunnel interface, select the IPv4 tab, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 2.2.2.11/24.
6. To save the interface configuration, click OK.

Step 3. If you generated the portal server certificate using a Root CA that is not trusted by the satellites (for example, if you used self-signed certificates), import the root CA certificate used to issue the portal server certificate.
The root CA certificate is required to enable the satellite to establish the initial connection with the portal to obtain the LSVPN configuration.
1. Download the CA certificate that was used to generate the portal server certificates. If you are using self-signed certificates, export the root CA certificate from the portal as follows:
   a. Select Device > Certificate Management > Certificates > Device Certificates.
   b. Select the CA certificate, and click Export.
   c. Select Base64 Encoded Certificate (PEM) from the File Format dropdown and click OK to download the certificate. (You do not need to export the private key.)
2. Import the root CA certificate you just exported onto each satellite as follows.
   a. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
   b. Enter a Certificate Name that identifies the certificate as your client CA certificate.
   c. Browse to the Certificate File you downloaded from the CA.
   d. Select Base64 Encoded Certificate (PEM) as the File Format and then click OK.
   e. Select the certificate you just imported on the Device Certificates tab to open it.
   f. Select Trusted Root CA and then click OK.

Step 4. Configure the IPSec tunnel configuration.
1. Select Network > IPSec Tunnels and click Add.
2. On the General tab, enter a descriptive Name for the IPSec configuration.
3. Select the Tunnel Interface you created for the satellite.
4. Select GlobalProtect Satellite as the Type.
5. Enter the IP address or FQDN of the portal as the Portal Address.
6. Select the Layer 3 Interface you configured for the satellite.
7. Select the Local IP Address to use on the selected interface.

Step 5. (Optional) Configure the satellite to publish local routes to the gateway.
Pushing routes to the gateway enables traffic to the subnets local to the satellite via the gateway. However, you must also configure the gateway to accept the routes as detailed in Configure the Gateway.
1. To enable the satellite to push routes to the gateway, on the Advanced tab select Publish all static and connected routes to Gateway.
   If you select this check box, the firewall will forward all static and connected routes from the satellite to the gateway. However, to prevent the creation of routing loops, the firewall will apply some route filters, such as the following:
   - Default routes
   - Routes within a virtual router other than the virtual router associated with the tunnel interface
   - Routes using the tunnel interface
   - Routes using the physical interface associated with the tunnel interface
2. (Optional) If you only want to push routes for specific subnets rather than all routes, click Add in the Subnet section and specify which subnet routes to publish.

Step 6. Save the satellite configuration.
1. Click OK to save the IPSec tunnel settings.
2. Click Commit.

Step 7. If required, provide the credentials to allow the satellite to authenticate to the portal.
This step is only required if the portal was unable to find a serial number match in its configuration or if the serial number didn't work. In this case, the satellite will not be able to establish the tunnel with the gateway(s).
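Two routing behaviours on this page interact once a satellite has more than one gateway: the loop-prevention filters applied when the satellite publishes its static and connected routes (Step 5 above), and the metric of 10 x routing priority that the satellite assigns to routes it learns from each gateway (Step 3 of Create a GlobalProtect Satellite Configuration). The following Python block is an added example, not PAN-OS code and not from Palo Alto Networks; the route table, interface and virtual router names, prefixes and gateway priorities are constructed sample data, and the filter list is the one given above rather than the firewall's complete logic. It also shows which routes remain on the satellite when the primary gateway's advertisements are withdrawn.

```python
"""Satellite route publishing filters and gateway route installation.

Added example, not PAN-OS code. Models the behaviour described on this
page with constructed sample data: interface and virtual router names,
prefixes and routing priorities are invented for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str       # destination, e.g. "192.168.10.0/24"
    interface: str    # egress interface, e.g. "ethernet1/2" or "tunnel.2"
    vrouter: str      # virtual router the route belongs to
    kind: str         # "static" or "connected"


def publishable_routes(routes, tunnel_if, tunnel_physical_if, tunnel_vr, subnets=None):
    """Routes a satellite would publish to the gateway.

    Applies the loop-prevention filters listed in Step 5: drop default routes,
    routes in a virtual router other than the tunnel's, routes via the tunnel
    interface, and routes via the physical interface that carries the tunnel.
    `subnets`, when given, limits publishing to the listed prefixes (the
    Subnet section of the Advanced tab).
    """
    kept = []
    for r in routes:
        if r.kind not in ("static", "connected"):
            continue
        net = ipaddress.ip_network(r.prefix, strict=False)
        if net.prefixlen == 0:                            # default route
            continue
        if r.vrouter != tunnel_vr:                        # other virtual router
            continue
        if r.interface in (tunnel_if, tunnel_physical_if):
            continue
        if subnets is not None and str(net) not in subnets:
            continue
        kept.append(str(net))
    return kept


def install_gateway_routes(advertised):
    """Install routes learned from gateways as static routes on the satellite.

    `advertised` maps gateway name -> (routing priority 1-25, list of prefixes).
    The metric is 10 x the routing priority, so for the same prefix the
    gateway with the lower priority value (the primary) wins. Returns
    {prefix: (gateway, metric)}.
    """
    rib = {}
    for gw, (priority, prefixes) in advertised.items():
        if not 1 <= priority <= 25:
            raise ValueError(f"routing priority for {gw} must be 1-25, got {priority}")
        metric = 10 * priority
        for p in prefixes:
            if p not in rib or metric < rib[p][1]:
                rib[p] = (gw, metric)
    return rib


def after_gateway_failure(advertised, failed_gateway):
    """Routes left on the satellite once a gateway's advertisements are gone:
    prefixes the backup also advertised fall back to its higher metric."""
    remaining = {gw: adv for gw, adv in advertised.items() if gw != failed_gateway}
    return install_gateway_routes(remaining)


# Constructed satellite route table; tunnel.2 rides on ethernet1/1 in VR "default".
SATELLITE_ROUTES = [
    Route("0.0.0.0/0", "ethernet1/1", "default", "static"),
    Route("192.168.10.0/24", "ethernet1/2", "default", "connected"),
    Route("192.168.20.0/24", "ethernet1/2", "default", "static"),
    Route("203.0.113.0/24", "ethernet1/1", "default", "connected"),
    Route("10.99.0.0/16", "tunnel.2", "default", "static"),
    Route("172.16.0.0/16", "ethernet1/3", "vr-guest", "connected"),
]

# Constructed gateway advertisements: primary priority 1, backup priority 10.
ADVERTISED = {
    "hq-primary": (1, ["10.0.0.0/8", "10.10.0.0/16"]),
    "dr-backup": (10, ["10.0.0.0/8"]),
}

if __name__ == "__main__":
    print(publishable_routes(SATELLITE_ROUTES, "tunnel.2", "ethernet1/1", "default"))
    print(install_gateway_routes(ADVERTISED))
    print(after_gateway_failure(ADVERTISED, "hq-primary"))
```

With these inputs only the two LAN prefixes behind ethernet1/2 are published; the default route, the route through the tunnel, the route on the tunnel's physical interface and the route in the other virtual router are all dropped. The installed routes carry metric 10 from the primary and, after the primary disappears, 10.0.0.0/8 is re-installed from the backup with metric 100 while 10.10.0.0/16 is gone because only the primary advertised it.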
Verify the LSVPN Configuration

After configuring the portal, gateways, and satellites, verify that the satellites are able to connect to the portal and gateway and establish VPN tunnels with the gateway(s).

Verify the LSVPN Configuration

Step 1. Verify satellite connectivity with portal.
From the firewall hosting the portal, verify that satellites are successfully connecting by selecting Network > GlobalProtect > Portal and clicking Satellite Info in the Info column of the portal configuration entry.

Step 2. Verify satellite connectivity with the gateway(s).
On each firewall hosting a gateway, verify that satellites are able to establish VPN tunnels by selecting Network > GlobalProtect > Gateways and clicking Satellite Info in the Info column of the gateway configuration entry. Satellites that have successfully established tunnels with the gateway will display on the Active Satellites tab.

Step 3. Verify LSVPN tunnel status on the satellite.
On each firewall hosting a satellite, verify the tunnel status by selecting Network > IPSec Tunnels and verifying that the Status is active, as indicated by a green icon.
LSVPN Quick Configs

The following sections provide step-by-step instructions for configuring some common GlobalProtect LSVPN deployments:
- Basic LSVPN Configuration with Static Routing
- Advanced LSVPN Configuration with Dynamic Routing
- Advanced LSVPN Configuration with iBGP
Basic LSVPN Configuration with Static Routing

This quick config shows the fastest way to get up and running with LSVPN. In this example, a single firewall at the corporate headquarters site is configured as both a portal and a gateway. Satellites can be quickly and easily deployed with minimal configuration for optimized scalability.

The following workflow shows the steps for setting up this basic configuration:

Quick Config: Basic LSVPN with Static Routing

Step 1. Configure a Layer 3 interface.
In this example, the Layer 3 interface on the portal/gateway requires the following configuration:
- Interface: ethernet1/11
- Security Zone: lsvpnunt
- IPv4: 203.0.113.11/24

Step 2. On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
To enable visibility into users and groups connecting over the VPN, enable User-ID in the zone where the VPN tunnels terminate.
In this example, the Tunnel interface on the portal/gateway requires the following configuration:
- Interface: tunnel.1
- Security Zone: lsvpntun

Step 3. Create the Security policy rule to enable traffic flow between the VPN zone where the tunnel terminates (lsvpntun) and the trust zone where the corporate applications reside (L3Trust).
See Create a Security Policy Rule.

Step 4. Assign an SSL/TLS Service profile to the portal/gateway. The profile must reference a self-signed server certificate. The certificate subject name must match the FQDN or IP address of the Layer 3 interface you create for the portal/gateway.
1. On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components. In this example, the root CA certificate, lsvpn-CA, will be used to issue the server certificate for the portal/gateway. In addition, the portal will use this root CA certificate to sign the CSRs from the satellites.
2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways. Because the portal and gateway are on the same interface in this example, they can share an SSL/TLS Service profile that uses the same server certificate. In this example, the profile is named lsvpnserver.

Step 5. Create a certificate profile.
In this example, the certificate profile lsvpn-profile references the root CA certificate lsvpn-CA. The gateway will use this certificate profile to authenticate satellites attempting to establish VPN tunnels.

Step 6. Configure an authentication profile for the portal to use if the satellite serial number is not available.
1. Create one type of server profile on the portal:
   - Configure a RADIUS Server Profile.
   - Configure a TACACS+ Server Profile.
   - Configure an LDAP Server Profile. If you use LDAP to connect to Active Directory (AD), create a separate LDAP server profile for every AD domain.
   - Configure a Kerberos Server Profile.
2. Configure an authentication profile. In this example, the profile lsvpn-sat is used to authenticate satellites.

Step 7. Configure the Gateway for LSVPN.

Step 8. Configure the Portal for LSVPN.

Step 9. Create a GlobalProtect Satellite Configuration.
On the Satellite tab in the portal configuration, Add a Satellite configuration and a Trusted Root CA and specify the CA the portal will use to issue certificates for the satellites. In this example the required settings are as follows:
- Gateway: 203.0.113.11
- Issuing Certificate: lsvpn-CA
- Trusted Root CA: lsvpn-CA

Step 10. Prepare the Satellite to Join the LSVPN.
The satellite configuration in this example requires the following settings:
- Interface Configuration:
  - Layer 3 interface: ethernet1/1, 203.0.113.13/24
  - Tunnel interface: tunnel.2
  - Zone: lsvpnsat
- Root CA Certificate from Portal: lsvpn-CA
- IPSec Tunnel Configuration:
  - Tunnel Interface: tunnel.2
  - Portal Address: 203.0.113.11
  - Interface: ethernet1/1
  - Local IP Address: 203.0.113.13/24
  - Publish all static and connected routes to Gateway: enabled
Advanced LSVPN Configuration with Dynamic Routing

In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations because access routes will update dynamically. The following example configuration shows how to extend the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.

Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the gateways and the satellites:
- Manual assignment of IP addresses to tunnel interfaces on all gateways and satellites.
- Configuration of OSPF point-to-multipoint (P2MP) on the virtual router on all gateways and satellites. In addition, as part of the OSPF configuration on each gateway, you must manually define the tunnel IP address of each satellite as an OSPF neighbor. Similarly, on each satellite, you must manually define the tunnel IP address of each gateway as an OSPF neighbor.

Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces the maintenance tasks associated with keeping routes up to date as topology changes occur on your network.

The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure OSPF as the dynamic routing protocol for the VPN.

For a basic setup of an LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can then complete the steps in the following workflow to extend the configuration to use dynamic routing rather than static routing.

Quick Config: LSVPN with Dynamic Routing

Step 1. Add an IP address to the tunnel interface configuration on each gateway and each satellite.
Complete the following steps on each gateway and each satellite:
1. Select Network > Interfaces > Tunnel and select the tunnel configuration you created for the LSVPN to open the Tunnel Interface dialog. If you have not yet created the tunnel interface, see Step 2 in Quick Config: Basic LSVPN with Static Routing.
2. On the IPv4 tab, click Add and then enter an IP address and subnet mask. For example, to add an IP address for the gateway tunnel interface you would enter 2.2.2.100/24.
3. Click OK to save the configuration.

Step 2. Configure the dynamic routing protocol on the gateway.
To configure OSPF on the gateway:
1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
3. If you are creating a new area, enter an Area ID on the Type tab.
4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
5. Select p2mp as the Link Type.
6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each satellite, for example 2.2.2.111.
7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
8. Repeat this step each time you add a new satellite to the LSVPN.

Step 3. Configure the dynamic routing protocol on the satellite.
To configure OSPF on the satellite:
1. Select Network > Virtual Routers and select the virtual router associated with your VPN interfaces.
2. On the Areas tab, click Add to create the backbone area, or, if it is already configured, click on the area ID to edit it.
3. If you are creating a new area, enter an Area ID on the Type tab.
4. On the Interface tab, click Add and select the tunnel Interface you created for the LSVPN.
5. Select p2mp as the Link Type.
6. Click Add in the Neighbors section and enter the IP address of the tunnel interface of each GlobalProtect gateway, for example 2.2.2.100.
7. Click OK twice to save the virtual router configuration and then Commit the changes on the gateway.
8. Repeat this step each time you add a new gateway.

Step 4. Verify that the gateways and satellites are able to form router adjacencies.
On each satellite and each gateway, confirm that peer adjacencies have formed and that routing table entries have been created for the peers (that is, the satellites have routes to the gateways and the gateways have routes to the satellites).
- Select Network > Virtual Router and click the More Runtime Stats link for the virtual router you are using for the LSVPN. On the Routing tab, verify that the LSVPN peer has a route.
- On the OSPF > Interface tab, verify that the Type is p2mp.
- On the OSPF > Neighbor tab, verify that the firewalls hosting your gateways have established router adjacencies with the firewalls hosting your satellites and vice versa. Also verify that the Status is Full, indicating that full adjacencies have been established.
Advanced LSVPN Configuration with iBGP

This use case illustrates how GlobalProtect LSVPN securely connects distributed office locations with primary and disaster recovery data centers that house critical applications for users and how internal border gateway protocol (iBGP) eases deployment and upkeep. Using this method, you can extend up to 500 satellite offices connecting to a single gateway.

BGP is a highly scalable, dynamic routing protocol that is ideal for hub and spoke deployments such as LSVPN. As a dynamic routing protocol, it eliminates much of the overhead associated with access routes (static routes) by making it relatively easy to deploy additional satellite firewalls. Due to its route filtering capabilities and features such as multiple tunable timers, route dampening, and route refresh, BGP scales to a much higher number of routing prefixes with greater stability than other routing protocols like RIP and OSPF. In the case of iBGP, a peer group, which includes all the satellites and gateways in the LSVPN deployment, establishes adjacencies over the tunnel endpoints. The protocol then implicitly takes control of route advertisements, updates, and convergence.

In this example configuration, an active/passive HA pair of PA-5050 firewalls is deployed in the primary (active) data center and acts as the portal and primary gateway. The disaster recovery data center also has two PA-5050s in an active/passive HA pair acting as the backup LSVPN gateway. The portal and gateways serve 500 PA-200s deployed as LSVPN satellites in branch offices.

Both data center sites advertise routes but with different metrics. As a result, the satellites prefer and install the active data center's routes. However, the backup routes also exist in the local routing information base (RIB). If the active data center fails, the routes advertised by that data center are removed and replaced with routes from the disaster recovery data center. The failover time depends on the selection of iBGP timers and the routing convergence associated with iBGP.

The following workflow shows the steps for configuring this deployment:

Configure LSVPN with iBGP

Step 1. Create Interfaces and Zones for the LSVPN.

Step 2. On the firewall(s) hosting GlobalProtect gateway(s), configure the logical tunnel interface that will terminate VPN tunnels established by the GlobalProtect satellites.
Primary gateway:
- Interface: tunnel.5
- IPv4: 10.11.15.254/22
- Zone: LSVPNTunnelPrimary
Backup gateway:
- Interface: tunnel.1
- IPv4: 10.11.15.245/22
- Zone: LSVPNTunnelBackup

Step 3. Enable SSL Between GlobalProtect LSVPN Components.
The gateway uses the self-signed root certificate authority (CA) to issue certificates for the satellites in a GlobalProtect LSVPN. Because one firewall houses the portal and primary gateway, a single certificate is used for authenticating to the satellites. The same CA is used to generate a certificate for the backup gateway. The CA generates certificates that are pushed to the satellites from the portal and then used by the satellites to authenticate to the gateways.
You must also generate a certificate from the same CA for the backup gateway, allowing it to authenticate with the satellites.
1. On the firewall hosting the GlobalProtect portal, create the root CA certificate for signing the certificates of the GlobalProtect components. In this example, the root CA certificate is called CAcert.
2. Create SSL/TLS service profiles for the GlobalProtect portal and gateways. Because the GlobalProtect portal and primary gateway are the same firewall interface, you can use the same server certificate for both components.
   - Root CA Certificate: CACert
   - Certificate Name: LSVPNScale
3. Deploy the self-signed server certificates to the gateways.
4. Import the root CA certificate used to issue server certificates for the LSVPN components.
5. Create a certificate profile.
6. Repeat steps 2 through 5 on the backup gateway with the following settings:
   - Root CA Certificate: CAcert
   - Certificate Name: LSVPNbackGWcert

Step 4. Configure GlobalProtect Gateways for LSVPN.
1. Select Network > GlobalProtect > Gateways and click Add.
2. On the General tab, name the primary gateway LSVPN-Scale.
3. Under Network Settings, select ethernet1/21 as the primary gateway interface and enter 172.16.22.1/24 as the IP address.
4. On the Authentication tab, select the LSVPNScale certificate created in Step 3.
5.
6.
7. Repeat steps 1 through 5 on the backup gateway with the following settings:
   - Name: LSVPNbackup
   - Gateway interface: ethernet1/5
   - Gateway IP: 172.16.22.25/24
   - Server cert: LSVPNbackupGWcert
   - Tunnel interface: tunnel.1

Step 5. Configure iBGP on the primary and backup gateways and add a redistribution profile to allow the satellites to inject local routes back to the gateways.
Each satellite office manages its own network and firewall, so the redistribution profile called ToAllSat is configured to redistribute local routes back to the GlobalProtect gateway.
1. Select Network > Virtual Routers and Add a virtual router.
2. On Router Settings, add the Name and Interface for the virtual router.
3. On Redistribution Profile, select Add.
   a. Name the redistribution profile ToAllSat and set the Priority to 1.
   b. Set Redistribute to Redist.
   c. Add ethernet1/23 from the Interface dropdown.
   d. Click OK.
4. Select BGP on the Virtual Router to configure BGP.
   a. On BGP > General, select Enable.
   b. Enter the gateway IP address as the Router ID (172.16.22.1) and 1000 as the AS Number.
   c. In the Options section, select Install Route.
   d. On BGP > Peer Group, click Add to add a peer group with all the satellites that will connect to the gateway.
   e. On BGP > Redist Rules, Add the ToAllSat redistribution profile you created previously.
5. Click OK.
6. Repeat steps 1 through 5 on the backup gateway using ethernet1/6 for the redistribution profile.

Step 6. Prepare the Satellite to Join the LSVPN.
The configuration shown is a sample of a single satellite. Repeat this configuration each time you add a new satellite to the LSVPN deployment.
1. Configure a tunnel interface as the tunnel endpoint for the VPN connection to the gateways.
2. Set the IPSec tunnel type to GlobalProtect Satellite and enter the IP address of the GlobalProtect Portal.
3. Select Network > Virtual Routers and Add a virtual router.
4. On Router Settings, add the Name and Interface for the virtual router.
5.
6.
7. Click OK.

Step 7. Configure the GlobalProtect Portal for LSVPN.
Both data centers advertise their routes but with different routing priorities to ensure that the active data center is the preferred gateway.
1. Select Network > GlobalProtect > Portals and click Add.
2. On General, enter LSVPN-Portal as the portal name.
3. On Network Settings, select ethernet1/21 as the Interface and select 172.16.22.1/24 as the IP Address.
4. On the Authentication tab, select the previously created primary gateway SSL/TLS Profile LSVPN-Scale from the SSL/TLS Service Profile dropdown menu.
5. On the Satellite tab, Add a satellite and Name it sat-config-1.
6.
7.
8.

Step 8. Verify the LSVPN Configuration.

Step 9. (Optional) Add a new site to the LSVPN deployment.
1.
2. Configure the IPSec tunnel on the satellite with the GlobalProtect Portal IP address.
3.
4.
Networking

All Palo Alto Networks next-generation firewalls provide a flexible networking architecture that includes support for dynamic routing, switching, and VPN connectivity, and enables you to deploy the firewall into nearly any networking environment. When configuring the Ethernet ports on your firewall, you can choose from virtual wire, Layer 2, or Layer 3 interface deployments. In addition, to allow you to integrate into a variety of network segments, you can configure different types of interfaces on different ports. The Interface Deployments section provides basic information on each type of deployment. For more detailed deployment information, refer to Designing Networks with Palo Alto Networks Firewalls.

The following topics describe networking concepts and how to integrate Palo Alto Networks next-generation firewalls into your network.
- Interface Deployments
- Configure an Aggregate Interface Group
- Use Interface Management Profiles to Restrict Access
- Virtual Routers
- Static Routes
- RIP
- OSPF
- BGP
- Session Settings and Timeouts
- DHCP
- NAT
- NPTv6
- ECMP
- LLDP
- BFD

For information on route distribution, refer to Understanding Route Redistribution and Filtering.
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 695
InterfaceDeployments
Networking
InterfaceDeployments
APaloAltoNetworksfirewallcanoperateinmultipledeploymentsatoncebecausethedeploymentsoccur
attheinterfacelevel.Thefollowingsectionsdescribethesupporteddeployments.
VirtualWireDeployments
Layer2Deployments
Layer3Deployments
TapModeDeployments
Simplifiesinstallationandconfiguration.
Doesnotrequireanyconfigurationchangestosurroundingoradjacentnetworkdevices.
Thevirtualwiredeploymentshippedasthefactorydefaultconfiguration(defaultvwire)bindstogether
Ethernetports1and2andallowsalluntaggedtraffic.Youcan,however,useavirtualwiretoconnectany
twoportsandconfigureittoblockorallowtrafficbasedonthevirtualLAN(VLAN)tags;theVLANtag0
indicatesuntaggedtraffic.Youcanalsocreatemultiplesubinterfaces,addthemintodifferentzonesandthen
classifytrafficaccordingtoaVLANtag,oracombinationofaVLANtagwithIPclassifiers(address,range,
orsubnet)toapplygranularpolicycontrolforspecificVLANtagsorforVLANtagsfromaspecificsourceIP
address,range,orsubnet.
Figure:VirtualWireDeployment
VirtualWireSubinterfaces
Virtualwiresubinterfacesprovideflexibilityinenforcingdistinctpolicieswhenyouneedtomanagetraffic
frommultiplecustomernetworks.Itallowsyoutoseparateandclassifytrafficintodifferentzones(thezones
canbelongtoseparatevirtualsystems,ifrequired)usingthefollowingcriteria:
VLANtagsTheexampleinFigure:VirtualWireDeploymentwithSubinterfaces(VLANTagsonly),
showsanInternetServiceProvider(ISP)usingvirtualwiresubinterfaceswithVLANtagstoseparate
trafficfortwodifferentcustomers.
696 PANOS7.1AdministratorsGuide
PaloAltoNetworks,Inc.
Networking
InterfaceDeployments
VLANtagsinconjunctionwithIPclassifiers(address,range,orsubnet)Thefollowingexampleshows
anISPwithtwoseparatevirtualsystemsonafirewallthatmanagestrafficfromtwodifferentcustomers.
Oneachvirtualsystem,theexampleillustrateshowvirtualwiresubinterfaceswithVLANtagsandIP
classifiersareusedtoclassifytrafficintoseparatezonesandapplyrelevantpolicyforcustomersfrom
eachnetwork.
Virtual Wire Subinterface Workflow
Configure two Ethernet interfaces as type virtual wire, and assign these interfaces to a virtual wire.
Create subinterfaces on the parent virtual wire to separate Customer A and Customer B traffic. Make sure that the VLAN tags defined on each pair of subinterfaces that are configured as virtual wire(s) are identical. This is essential because a virtual wire does not switch VLAN tags.
Create new subinterfaces and define IP classifiers. This task is optional and only required if you wish to add additional subinterfaces with IP classifiers for further managing traffic from a customer based on the combination of VLAN tags and a specific source IP address, range or subnet.
You can also use IP classifiers for managing untagged traffic. To do so, you must create a subinterface with the VLAN tag 0, and then define subinterface(s) with IP classifiers for managing that untagged traffic.
IP classification may only be used on the subinterfaces associated with one side of the virtual wire. The subinterfaces defined on the corresponding side of the virtual wire must use the same VLAN tag, but must not include an IP classifier.
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only)
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) depicts Customer A and Customer B connected to the firewall through one physical interface, ethernet1/1, configured as a virtual wire; it is the ingress interface. A second physical interface, ethernet1/2, is also part of the virtual wire; it is the egress interface that provides access to the Internet. For Customer A, you also have subinterfaces ethernet1/1.1 (ingress) and ethernet1/2.1 (egress). For Customer B, you have the subinterfaces ethernet1/1.2 (ingress) and ethernet1/2.2 (egress). When configuring the subinterfaces, you must assign the appropriate VLAN tag and zone in order to apply policies for each customer. In this example, the policies for Customer A are created between Zone1 and Zone2, and policies for Customer B are created between Zone3 and Zone4.
When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this example, a single subinterface matches the VLAN tag on the incoming packet, hence that subinterface is selected. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.
The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers) depicts Customer A and Customer B connected to one physical firewall that has two virtual systems (vsys), in addition to the default virtual system (vsys1). Each virtual system is an independent virtual firewall that is managed separately for each customer. Each vsys has attached interfaces/subinterfaces and security zones that are managed independently.
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers)
Vsys1 is set up to use the physical interfaces ethernet1/1 and ethernet1/2 as a virtual wire; ethernet1/1 is the ingress interface and ethernet1/2 is the egress interface that provides access to the Internet. This virtual wire is configured to accept all tagged and untagged traffic with the exception of VLAN tags 100 and 200 that are assigned to the subinterfaces.
Customer A is managed on vsys2 and Customer B is managed on vsys3. On vsys2 and vsys3, the following vwire subinterfaces are created with the appropriate VLAN tags and zones to enforce policy measures.
Customer   | Vsys  | Vwire Subinterfaces               | Zone          | VLAN Tag | IP Classifier
Customer A | vsys2 | e1/1.1 (ingress), e1/2.1 (egress) | Zone3, Zone4  | 100, 100 | None
Customer A | vsys2 | e1/1.2 (ingress), e1/2.2 (egress) | Zone5, Zone6  | 100, 100 | IP subnet 192.1.0.0/16
Customer A | vsys2 | e1/1.3 (ingress), e1/2.3 (egress) | Zone7, Zone8  | 100, 100 | IP subnet 192.2.0.0/16
Customer B | vsys3 | e1/1.4 (ingress), e1/2.4 (egress) | Zone9, Zone10 | 200, 200 | None
When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this case, for Customer A, there are multiple subinterfaces that use the same VLAN tag. Hence, the firewall then narrows the classification to a subinterface based on the source IP address in the packet. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.
For return-path traffic, the firewall compares the destination IP address against the IP classifier defined on the customer-facing subinterface and selects the appropriate virtual wire to route traffic through the correct subinterface.
The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
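The classification rules above (tag first, then source IP against the classifiers, destination IP on the return path) and the two configuration constraints the guide repeats can be checked offline. The following Python model is an added example, not code from the PAN-OS guide or from Palo Alto Networks; it uses the subinterfaces, zones, tags and classifiers from the table above, and models the parent wire's Tag Allowed list as every tag except 100 and 200, as the text states. The "most specific classifier wins" ordering is an assumption of the model where the guide only says the firewall narrows by source IP.

```python
"""Virtual wire subinterface classification, modeled in Python.

Added example, not code from the PAN-OS guide. The VLAN tag on an arriving
packet is matched against the ingress subinterfaces first; when several share
that tag, the source IP is matched against their IP classifiers (most specific
classifier wins; a subinterface without a classifier is the fallback). Return
traffic is matched on the destination IP instead. validate() enforces the two
rules the guide calls out: a subinterface tag must not also be on the parent's
Tag Allowed list, and no tag may have two classifier-less subinterfaces.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

UNTAGGED = 0  # the guide: VLAN tag 0 means untagged traffic


@dataclass(frozen=True)
class Subinterface:
    ingress: str            # customer-facing subinterface, e.g. "ethernet1/1.2"
    egress: str             # Internet-facing peer, e.g. "ethernet1/2.2"
    ingress_zone: str
    egress_zone: str
    vlan_tag: int
    classifier: Optional[str] = None   # IP classifier as a subnet, or None


@dataclass
class VirtualWire:
    tag_allowed: set        # Tag Allowed list of the parent virtual wire
    subinterfaces: list

    def validate(self) -> None:
        for s in self.subinterfaces:
            if s.vlan_tag in self.tag_allowed:
                raise ValueError(f"VLAN {s.vlan_tag} is on both {s.ingress} and "
                                 "the parent Tag Allowed list")
        plain = [s.vlan_tag for s in self.subinterfaces if s.classifier is None]
        dup = {t for t in plain if plain.count(t) > 1}
        if dup:
            raise ValueError(f"VLAN tags {sorted(dup)} have more than one "
                             "subinterface without an IP classifier")

    def _select(self, vlan_tag: int, addr: str) -> Optional[Subinterface]:
        """Tag match first, then narrow by address against the classifiers."""
        ip = ip_address(addr)
        best, best_len = None, -2
        for s in self.subinterfaces:
            if s.vlan_tag != vlan_tag:
                continue
            if s.classifier is None:
                plen = -1                       # tag-only match: the fallback
            else:
                net = ip_network(s.classifier)
                if ip not in net:
                    continue
                plen = net.prefixlen            # longer prefix is more specific
            if plen > best_len:
                best, best_len = s, plen
        return best

    def classify_ingress(self, vlan_tag: int, src_ip: str):
        """(interface, zone) chosen for a packet entering from the customer side."""
        s = self._select(vlan_tag, src_ip)
        if s is not None:
            return s.ingress, s.ingress_zone
        if vlan_tag in self.tag_allowed:
            return "parent-vwire", None         # handled by the parent virtual wire
        return "drop", None

    def classify_return(self, vlan_tag: int, dst_ip: str):
        """(interface, zone) chosen for return traffic, matched on the destination."""
        s = self._select(vlan_tag, dst_ip)
        if s is not None:
            return s.egress, s.egress_zone
        if vlan_tag in self.tag_allowed:
            return "parent-vwire", None
        return "drop", None


def is_valid(vw: VirtualWire) -> bool:
    try:
        vw.validate()
        return True
    except ValueError:
        return False


def isp_example() -> VirtualWire:
    """The deployment from the table: Customer A (vsys2) on tag 100, Customer B
    (vsys3) on tag 200; the parent wire carries every other tag, untagged included."""
    vw = VirtualWire(
        tag_allowed=set(range(0, 4095)) - {100, 200},
        subinterfaces=[
            Subinterface("ethernet1/1.1", "ethernet1/2.1", "Zone3", "Zone4", 100),
            Subinterface("ethernet1/1.2", "ethernet1/2.2", "Zone5", "Zone6", 100, "192.1.0.0/16"),
            Subinterface("ethernet1/1.3", "ethernet1/2.3", "Zone7", "Zone8", 100, "192.2.0.0/16"),
            Subinterface("ethernet1/1.4", "ethernet1/2.4", "Zone9", "Zone10", 200),
        ],
    )
    vw.validate()
    return vw


if __name__ == "__main__":
    vw = isp_example()
    for tag, src in [(100, "192.1.5.5"), (100, "10.0.0.1"), (200, "192.1.5.5"), (300, "203.0.113.7")]:
        print(tag, src, "->", vw.classify_ingress(tag, src))
```

Note the tag 200 case: a source inside 192.1.0.0/16 still lands on ethernet1/1.4, because the IP classifier is only consulted among subinterfaces that already matched the tag.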
Layer 2 Deployments
In a Layer 2 deployment, the firewall provides switching between two or more networks. You must assign a group of interfaces to a VLAN object in order for the firewall to switch between them. The firewall performs VLAN tag switching when Layer 2 subinterfaces are attached to a common VLAN object. Choose this option when switching is required.
Figure: Layer 2 Deployment
In a Layer 2 deployment, the firewall rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards it out. The firewall rewrites such BPDUs on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only.
A Cisco switch must have loop guard disabled for the PVST+ or Rapid PVST+ BPDU rewrite to function properly on the firewall.
Layer 3 Deployments
In a Layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires that you assign an IP address to each interface and configure virtual routers to route the traffic. Choose this option when routing is required.
Figure: Layer 3 Deployment
The following Layer 3 interface deployments are also supported:
Point-to-Point Protocol over Ethernet Support
DHCP Client
Point-to-Point Protocol over Ethernet Support
You can configure the firewall to be a Point-to-Point Protocol over Ethernet (PPPoE) termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection.
You can choose the PPPoE option and configure the associated settings when an interface is defined as a Layer 3 interface.
PPPoE is not supported in HA active/active mode.
DHCP Client
You can configure the firewall interface to act as a DHCP client and receive a dynamically assigned IP address. The firewall also provides the capability to propagate settings received by the DHCP client interface into a DHCP server operating on the firewall. This is most commonly used to propagate DNS server settings from an Internet service provider to client machines operating on the network protected by the firewall.
DHCP client is not supported in HA active/active mode.
For more information, see DHCP.
Tap Mode Deployments
The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.
When deployed in tap mode, the firewall is not able to take action, such as block traffic or apply QoS traffic control.
Configure an Aggregate Interface Group
An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue supporting traffic.
By default, interface failure detection is automatic only at the physical layer between directly connected peers. However, if you enable Link Aggregation Control Protocol (LACP), failure detection is automatic at the physical and data link layers regardless of whether the peers are directly connected. LACP also enables automatic failover to standby interfaces if you configured hot spares. All Palo Alto Networks firewalls except the PA-200 and VM-Series platforms support aggregate groups. You can add up to eight aggregate groups per firewall and each group can have up to eight interfaces.
Before configuring an aggregate group, you must configure its interfaces. All the interfaces in an aggregate group must be the same with respect to bandwidth and interface type. The options are:
Bandwidth: 1Gbps or 10Gbps
Interface type: HA3, virtual wire, Layer 2, or Layer 3. You can aggregate the HA3 (packet forwarding) interfaces in an active/active high availability (HA) deployment but only for PA-500, PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls.
This procedure describes configuration steps only for the Palo Alto Networks firewall. You must also configure the aggregate group on the peer device. Refer to the documentation of that device for instructions.
Configure an Aggregate Interface Group
Step 1 Configure the general interface group parameters.
1.
2. In the field adjacent to the read-only Interface Name, enter a number (1-8) to identify the aggregate group.
3.
4. Configure the remaining parameters for the Interface Type you selected.
Step 2 Configure the LACP settings.
Perform this step only if you want to enable LACP for the aggregate group.
You cannot enable LACP for virtual wire interfaces.
1. Select the LACP tab and Enable LACP.
2. Set the Mode for LACP status queries to Passive (the firewall just responds; the default) or Active (the firewall queries peer devices).
As a best practice, set one LACP peer to active and the other to passive. LACP cannot function if both peers are passive. The firewall cannot detect the mode of its peer device.
3. Set the Transmission Rate for LACP query and response exchanges to Slow (every 30 seconds; the default) or Fast (every second). Base your selection on how much LACP processing your network supports and how quickly LACP peers must detect and resolve interface failures.
4. Select Fast Failover if you want to enable failover to a standby interface in less than one second. By default, the option is disabled and the firewall uses the IEEE 802.1ax standard for failover processing, which takes at least three seconds.
As a best practice, use Fast Failover in deployments where you might lose critical data during the standard failover interval.
5. Enter the Max Ports (number of interfaces) that are active (1-8) in the aggregate group. If the number of interfaces you assign to the group exceeds the Max Ports, the remaining interfaces will be in standby mode. The firewall uses the LACP Port Priority of each interface you assign (Step 3) to determine which interfaces are initially active and to determine the order in which standby interfaces become active upon failover. If the LACP peers have non-matching port priority values, the values of the peer with the lower System Priority number (default is 32,768; range is 1-65,535) will override the other peer.
6. (Optional) For active/passive firewalls only, select Enable in HA Passive State if you want to enable LACP pre-negotiation for the passive firewall. LACP pre-negotiation enables quicker failover to the passive firewall (for details, see LACP and LLDP Pre-Negotiation for Active/Passive HA).
If you select this option, you cannot select Same System MAC Address for Active-Passive HA; pre-negotiation requires unique interface MAC addresses on each HA firewall.
7. (Optional) For active/passive firewalls only, select Same System MAC Address for Active-Passive HA and specify a single MAC Address for both HA firewalls. This option minimizes failover latency if the LACP peers are virtualized (appearing to the network as a single device). By default, the option is disabled: each firewall in an HA pair has a unique MAC address.
If the LACP peers are not virtualized, use unique MAC addresses to minimize failover latency.
Step 3 Assign interfaces to the aggregate group. Perform the following steps for each interface (1-8) that will be a member of the aggregate group.
1.
2.
3. Select the Aggregate Group you just defined.
4.
5.
6. Click OK.
Step 4 If the firewalls have an active/active configuration and you are aggregating HA3 interfaces, enable packet forwarding for the aggregate group.
1.
2. Select the aggregate group you configured for the HA3 Interface and click OK.
Step 5 Commit your changes and verify the aggregate group status.
1. Click Commit.
2.
3. Verify that the Link State column displays a green icon for the aggregate group, indicating that all member interfaces are up. If the icon is yellow, at least one member is down but not all. If the icon is red, all members are down.
4. If you configured LACP, verify that the Features column displays the LACP enabled icon for the aggregate group.
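The interaction between Max Ports, LACP Port Priority and the peer's System Priority (Step 2, item 5) is easy to get wrong when the two sides are configured by different teams. The following Python model is an added example, not code from the PAN-OS guide or from Palo Alto Networks; the interface names, priority values and the failure scenario are constructed, and the tie rule (on equal System Priority the local port priorities are used; IEEE 802.1AX breaks that tie on system MAC address, which the model does not carry) is an assumption.

```python
"""Active/standby member selection for an LACP aggregate group, modeled in Python.

Added example, not PAN-OS code. It applies the rules from Step 2 and Step 5:
at most Max Ports members carry traffic; LACP Port Priority orders them
(lower value wins, as in IEEE 802.1AX); when the two peers advertise
different port priorities, the peer with the lower System Priority decides;
a standby member takes over when an active one fails; and the Link State
colour follows the green/yellow/red rule from Step 5.
"""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768   # PAN-OS default System Priority; reused for port priorities here


@dataclass
class Member:
    name: str
    local_priority: int = DEFAULT_PRIORITY   # LACP Port Priority set on this firewall
    peer_priority: int = DEFAULT_PRIORITY    # port priority the peer advertises for the link
    up: bool = True


@dataclass
class AggregateGroup:
    name: str
    max_ports: int
    local_system_priority: int = DEFAULT_PRIORITY
    peer_system_priority: int = DEFAULT_PRIORITY
    members: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.max_ports <= 8:
            raise ValueError("Max Ports range is 1-8")
        for p in (self.local_system_priority, self.peer_system_priority):
            if not 1 <= p <= 65535:
                raise ValueError("System Priority range is 1-65,535")

    def add(self, member: Member) -> None:
        if len(self.members) >= 8:
            raise ValueError("an aggregate group holds at most eight interfaces")
        self.members.append(member)

    def effective_priority(self, m: Member) -> int:
        """Port priority both sides act on: the lower System Priority number wins.
        Assumption: on a tie the local values are used."""
        if self.local_system_priority <= self.peer_system_priority:
            return m.local_priority
        return m.peer_priority

    def _ordered_up(self) -> list:
        up = [m for m in self.members if m.up]
        return sorted(up, key=lambda m: (self.effective_priority(m), m.name))

    def active(self) -> list:
        return [m.name for m in self._ordered_up()[: self.max_ports]]

    def standby(self) -> list:
        return [m.name for m in self._ordered_up()[self.max_ports:]]

    def link_state(self) -> str:
        """Step 5: green = all members up, yellow = some down, red = all down."""
        up = sum(1 for m in self.members if m.up)
        if up == len(self.members):
            return "green"
        return "red" if up == 0 else "yellow"

    def fail(self, name: str) -> None:
        for m in self.members:
            if m.name == name:
                m.up = False


def example_group(peer_system_priority: int = DEFAULT_PRIORITY) -> AggregateGroup:
    """ae1 with four members, two of them active; the peer prefers the opposite order."""
    ae1 = AggregateGroup("ae1", max_ports=2, peer_system_priority=peer_system_priority)
    ae1.add(Member("ethernet1/1", local_priority=100, peer_priority=400))
    ae1.add(Member("ethernet1/2", local_priority=200, peer_priority=300))
    ae1.add(Member("ethernet1/3", local_priority=300, peer_priority=200))
    ae1.add(Member("ethernet1/4", local_priority=400, peer_priority=100))
    return ae1


if __name__ == "__main__":
    g = example_group()
    print("active:", g.active(), "standby:", g.standby(), g.link_state())
    g.fail("ethernet1/1")
    print("after failure:", g.active(), g.standby(), g.link_state())
```

Run it once with the default System Priority on both sides and once with the peer set lower (example_group(100)): the same four links end up with the opposite two active, which is why the guide tells you to look at the peer's System Priority before trusting your own Port Priority values.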
Use Interface Management Profiles to Restrict Access
An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall interface permits for management traffic. For example, you might want to prevent users from accessing the firewall web interface over the ethernet1/1 interface but allow that interface to receive SNMP queries from your network monitoring system. In this case, you would enable SNMP and disable HTTP/HTTPS in an Interface Management profile and assign the profile to ethernet1/1.
You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). If you do not assign an Interface Management profile to an interface, it denies access for all IP addresses, protocols, and services by default.
The management (MGT) interface does not require an Interface Management profile. You restrict protocols, services, and IP addresses for the MGT interface when you Perform Initial Configuration of the firewall. In case the MGT interface goes down, allowing management access over another interface enables you to continue managing the firewall. However, as a best practice, use additional methods besides Interface Management profiles to prevent unauthorized access over that interface. These methods include role-based access control and access restrictions based on VLANs, virtual routers, or virtual systems.
Configure and Assign an Interface Management Profile
Step 1 Configure the Interface Management profile.
1.
2. Select the protocols that the interface permits for management traffic: Ping, Telnet, SSH, HTTP, HTTP OCSP, HTTPS, or SNMP.
3. Select the services that the interface permits for management traffic:
Response Pages: Use to enable response pages for:
Captive Portal: To serve Captive Portal response pages, the firewall leaves ports open on Layer 3 interfaces: port 6080 for NT LAN Manager (NTLM), 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode. For details, see Configure Captive Portal.
URL Admin Override: For details, see Configure URL Admin Override.
User-ID: Use to Configure Firewalls to Redistribute User Mapping Information.
User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP: Use to Configure User-ID to Receive User Mappings from a Syslog Sender over SSL or UDP.
4. (Optional) Add the Permitted IP Addresses that can access the interface. If you don't add entries to the list, the interface has no IP address restrictions.
5. Click OK.
Step 2 Assign the Interface Management profile to an interface.
1.
2.
3. Click OK and Commit.
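Two details in this procedure decide whether a data-plane interface is safely manageable: an interface with no profile denies everything, and a profile with an empty Permitted IP Addresses list restricts nothing. The following Python model is an added example, not code from the PAN-OS guide or from Palo Alto Networks; it evaluates a request against a profile exactly as the text describes and audits a set of assignments for the two findings a reviewer raises first. The interface-to-profile assignments, the profile names, the monitoring host 10.20.30.5 and the service name "response-pages" are constructed for the example.

```python
"""Evaluating management-plane access through an Interface Management profile.

Added example, not PAN-OS code. Rules encoded from this section: an
interface with no profile assigned denies every protocol from every address;
a profile permits only the protocols it lists; an empty Permitted IP
Addresses list means no source restriction at all. audit() flags interactive
management (SSH/HTTPS/Telnet/HTTP) open to any source, and cleartext
protocols (Telnet/HTTP) enabled at all.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# protocols selectable in Step 1, item 2
PROTOCOLS = {"ping", "telnet", "ssh", "http", "http-ocsp", "https", "snmp"}
INTERACTIVE = {"telnet", "ssh", "http", "https"}
CLEARTEXT = {"telnet", "http"}
# ports the guide says stay open on Layer 3 interfaces once Response Pages is enabled
RESPONSE_PAGE_PORTS = {6080: "NTLM", 6081: "Captive Portal transparent", 6082: "Captive Portal redirect"}


@dataclass
class InterfaceMgmtProfile:
    name: str
    protocols: set = field(default_factory=set)
    services: set = field(default_factory=set)          # e.g. {"response-pages"} (constructed name)
    permitted_ips: list = field(default_factory=list)   # addresses or subnets; empty = unrestricted

    def __post_init__(self):
        unknown = self.protocols - PROTOCOLS
        if unknown:
            raise ValueError(f"unknown management protocols: {sorted(unknown)}")

    def source_permitted(self, src_ip: str) -> bool:
        if not self.permitted_ips:
            return True                        # Step 1, item 4: no entries = no IP restriction
        src = ip_address(src_ip)
        return any(src in ip_network(p, strict=False) for p in self.permitted_ips)

    def allows(self, protocol: str, src_ip: str) -> bool:
        return protocol in self.protocols and self.source_permitted(src_ip)

    def open_ports(self) -> dict:
        """Extra listening ports implied by enabling the Response Pages service."""
        return dict(RESPONSE_PAGE_PORTS) if "response-pages" in self.services else {}


def management_access(assignments: dict, interface: str, protocol: str, src_ip: str) -> bool:
    """assignments maps interface name -> profile, or None when no profile is assigned."""
    profile = assignments.get(interface)
    if profile is None:
        return False                           # default: deny all IPs, protocols and services
    return profile.allows(protocol, src_ip)


def audit(assignments: dict) -> list:
    findings = []
    for iface, profile in sorted(assignments.items()):
        if profile is None:
            continue
        exposed = profile.protocols & INTERACTIVE
        if exposed and not profile.permitted_ips:
            findings.append(f"{iface}: {sorted(exposed)} reachable from any source; "
                            "add Permitted IP Addresses")
        clear = profile.protocols & CLEARTEXT
        if clear:
            findings.append(f"{iface}: cleartext management {sorted(clear)} enabled; "
                            "use SSH/HTTPS instead")
    return findings


def example_assignments() -> dict:
    """The section's own scenario on ethernet1/1 (SNMP from the NMS only), plus a
    permissive profile on ethernet1/2 and no profile at all on ethernet1/3."""
    snmp_only = InterfaceMgmtProfile("nms-snmp", {"snmp", "ping"}, permitted_ips=["10.20.30.5"])
    too_open = InterfaceMgmtProfile("allow-mgmt", {"ping", "ssh", "https", "http"},
                                    services={"response-pages"})
    return {"ethernet1/1": snmp_only, "ethernet1/2": too_open, "ethernet1/3": None}


if __name__ == "__main__":
    a = example_assignments()
    print("snmp from NMS on ethernet1/1:", management_access(a, "ethernet1/1", "snmp", "10.20.30.5"))
    for f in audit(a):
        print("finding:", f)
```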
Virtual Routers
The firewall uses virtual routers to obtain routes to other subnets by manually defining a route (static routes) or through participation in Layer 3 routing protocols (dynamic routes). The best routes obtained through these methods are used to populate the firewall's IP route table. When a packet is destined for a different subnet, the virtual router obtains the best route from this IP route table and forwards the packet to the next hop router defined in the table.
The Ethernet interfaces and VLAN interfaces defined on the firewall receive and forward the Layer 3 traffic. The destination zone is derived from the outgoing interface based on the forwarding criteria, and policy rules are consulted to identify the security policies to be applied. In addition to routing to other network devices, virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to another virtual router.
You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
Each Layer 3 interface, loopback interface, and VLAN interface defined on the firewall must be associated with a virtual router. While each interface can belong to only one virtual router, multiple routing protocols and static routes can be configured for a virtual router. Regardless of the static routes and dynamic routing protocols configured for a virtual router, a common general configuration is required. The firewall uses Ethernet switching to reach other devices on the same IP subnet.
The virtual router on the firewall supports the following Layer 3 routing protocols:
RIP
OSPF
OSPFv3
BGP
Define a Virtual Router General Configuration
Step 1 Gather the required information from your network administrator.
Interfaces that you want to route
Administrative distances for static, OSPF internal, OSPF external, IBGP, EBGP and RIP
Step 2 Create the virtual router and name it.
1.
2. Click Add and enter a name for the virtual router.
3. Select interfaces to apply to the virtual router.
4. Click OK.
Step 3 Select interfaces to apply to the virtual router.
1. Click Add in the Interfaces box.
2. Select an already defined interface from the dropdown. Repeat this step for all interfaces that you want to add to the virtual router.
Step 4 Set Administrative Distances for static and dynamic routing.
Set Administrative Distances as required.
Static: Range is 10-240; default is 10.
OSPF Internal: Range is 10-240; default is 30.
OSPF External: Range is 10-240; default is 110.
IBGP: Range is 10-240; default is 200.
EBGP: Range is 10-240; default is 20.
RIP: Range is 10-240; default is 120.
Step 5 Save virtual router general settings.
Click OK to save your settings.
Step 6 Commit your changes.
Click Commit. The firewall can take up to 90 seconds to save your changes.
Static Routes
The following procedure shows how to integrate the firewall into the network using static routing.
Set Up Interfaces and Zones
Step 1 Configure a default route to your Internet router.
1.
2. Select the Static Routes tab and click Add. Enter a Name for the route and enter the route in the Destination field (for example, 0.0.0.0/0).
3.
4. Click OK twice to save the virtual router configuration.
Step 2 Configure the external interface (the interface that connects to the Internet).
1.
2. Select the Interface Type. Although your choice here depends on your network topology, this example shows the steps for Layer 3.
3. In the Virtual Router dropdown, select default.
4.
5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button. Click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 208.80.56.100/24.
6.
7. To save the interface configuration, click OK.
Step 3 Configure the interface that connects to your internal network.
In this example, the interface connects to a network segment that uses private IP addresses. Because private IP addresses cannot be routed externally, you will have to configure NAT. See Configure NAT for details.
1.
2. Select Layer3 from the Interface Type dropdown.
3. On the Config tab, expand the Security Zone dropdown and select New Zone. In the Zone dialog, define a Name for the new zone, for example Trust, and then click OK.
4. Select the same Virtual Router you used in the previous step, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 192.168.1.4/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
7. To save the interface configuration, click OK.
Step 4 Configure the interface that connects to the DMZ.
1. Select the interface you want to configure.
2. Select Layer3 from the Interface Type dropdown. In this example, we are configuring Ethernet1/13 as the DMZ interface.
3. On the Config tab, expand the Security Zone dropdown and select New Zone. In the Zone dialog, define a Name for the new zone, for example DMZ, and then click OK.
4. Select the Virtual Router you used in Step 2, default in this example.
5. To assign an IP address to the interface, select the IPv4 tab and the Static radio button, click Add in the IP section, and enter the IP address and network mask to assign to the interface, for example 10.1.1.1/24.
6. To enable you to ping the interface, select the management profile that you created in Step 2-6.
7. To save the interface configuration, click OK.
Step 5 Save the interface configuration.
Click Commit.
Step 6 Cable the firewall.
Attach straight-through cables from the interfaces you configured to the corresponding switch or router on each network segment.
Step 7 Verify that the interfaces are active.
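How the routes configured in this procedure end up in the IP route table, and how the Administrative Distances from Step 4 of Define a Virtual Router General Configuration arbitrate between a prefix learned from several sources, is shown by the following Python model. It is an added example, not code from the PAN-OS guide or from Palo Alto Networks. It uses the addresses from the procedure above (208.80.56.100/24, 192.168.1.4/24, 10.1.1.1/24, the 0.0.0.0/0 default route and the Ethernet1/13 DMZ interface); the interface numbers for the Internet-facing and internal interfaces (ethernet1/3 and ethernet1/4), the ISP next hop 208.80.56.1 and the dynamically learned routes are assumptions for the example.

```python
"""Route selection in a virtual router: administrative distance, then longest prefix.

Added example, not PAN-OS code. Connected interfaces, static routes and
dynamic routes compete for a slot in the route table per prefix using the
Administrative Distance defaults from Step 4 (lower wins; range 10-240);
forwarding is then a longest-prefix lookup, and the destination zone comes
from the outgoing interface, as the Virtual Routers section describes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# PAN-OS 7.1 defaults from Step 4; each may be set anywhere in 10-240
DEFAULT_DISTANCE = {"static": 10, "ospf-int": 30, "ospf-ext": 110,
                    "ibgp": 200, "ebgp": 20, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: Optional[str]    # None for a directly connected subnet
    interface: str
    source: str                # "connected" or a key of DEFAULT_DISTANCE
    metric: int = 0


class VirtualRouter:
    def __init__(self, name: str, distances: Optional[dict] = None):
        self.name = name
        self.distances = dict(DEFAULT_DISTANCE, **(distances or {}))
        for proto, d in self.distances.items():
            if not 10 <= d <= 240:
                raise ValueError(f"{proto}: administrative distance range is 10-240")
        self.candidates = []
        self.zones = {}            # interface -> security zone

    def add_interface(self, iface: str, addr: str, zone: str) -> None:
        """A Layer 3 interface with a static address contributes a connected route."""
        net = ip_network(addr, strict=False)
        self.zones[iface] = zone
        self.candidates.append(Route(str(net), None, iface, "connected"))

    def add_route(self, prefix: str, next_hop: str, iface: str, source: str, metric: int = 0) -> None:
        if source not in self.distances:
            raise ValueError(f"unknown route source {source}")
        self.candidates.append(Route(str(ip_network(prefix)), next_hop, iface, source, metric))

    def distance(self, r: Route) -> int:
        return 0 if r.source == "connected" else self.distances[r.source]

    def route_table(self) -> dict:
        """Best route per prefix: lowest administrative distance, then lowest metric."""
        best = {}
        for r in self.candidates:
            cur = best.get(r.prefix)
            if cur is None or (self.distance(r), r.metric) < (self.distance(cur), cur.metric):
                best[r.prefix] = r
        return best

    def lookup(self, dst: str) -> Optional[Route]:
        """Forwarding decision: longest matching prefix in the route table."""
        ip = ip_address(dst)
        matches = [r for r in self.route_table().values() if ip in ip_network(r.prefix)]
        return max(matches, key=lambda r: ip_network(r.prefix).prefixlen, default=None)

    def forward(self, dst: str) -> Optional[tuple]:
        """(egress interface, destination zone, next hop) or None if unroutable."""
        r = self.lookup(dst)
        if r is None:
            return None
        return r.interface, self.zones.get(r.interface), r.next_hop or dst


def example_router(distances: Optional[dict] = None) -> VirtualRouter:
    vr = VirtualRouter("default", distances)
    vr.add_interface("ethernet1/3", "208.80.56.100/24", "Untrust")   # Step 2 (interface number assumed)
    vr.add_interface("ethernet1/4", "192.168.1.4/24", "Trust")       # Step 3 (interface number assumed)
    vr.add_interface("ethernet1/13", "10.1.1.1/24", "DMZ")           # Step 4
    vr.add_route("0.0.0.0/0", "208.80.56.1", "ethernet1/3", "static")   # Step 1 default route
    # the same prefix learned twice: EBGP (20) beats OSPF external (110) regardless of metric
    vr.add_route("172.16.0.0/12", "208.80.56.2", "ethernet1/3", "ospf-ext", metric=20)
    vr.add_route("172.16.0.0/12", "10.1.1.2", "ethernet1/13", "ebgp", metric=0)
    # RIP (120) also offers the DMZ subnet; the connected route always wins
    vr.add_route("10.1.1.0/24", "192.168.1.9", "ethernet1/4", "rip", metric=2)
    return vr


if __name__ == "__main__":
    vr = example_router()
    for dst in ("8.8.8.8", "192.168.1.77", "10.1.1.50", "172.16.5.5"):
        print(dst, "->", vr.forward(dst))
```

Raising the EBGP distance above OSPF external (example_router({"ebgp": 150})) flips the 172.16.0.0/12 decision, which is the effect Step 4 is there to control.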
RIP
Routing Information Protocol (RIP) is an interior gateway protocol (IGP) that was designed for small IP networks. RIP relies on hop count to determine routes; the best routes have the fewest number of hops. RIP is based on UDP and uses port 520 for route updates. By limiting routes to a maximum of 15 hops, the protocol helps prevent the development of routing loops, but also limits the supported network size. If more than 15 hops are required, traffic is not routed. RIP also can take longer to converge than OSPF and other routing protocols. The firewall supports RIPv2.
Perform the following procedure to configure RIP.
Configure RIP
Step 1 Configure general virtual router configuration settings.
See Virtual Routers for details.
Step 2 Configure general RIP configuration settings.
1. Select the RIP tab.
2. Select Enable to enable the RIP protocol.
3.
4.
Step 3 Configure interfaces for the RIP protocol.
1. On the Interfaces tab, select an interface from the dropdown in the Interface configuration section.
2. Select an already defined interface.
3. Select Enable.
4. Select Advertise to advertise a default route to RIP peers with the specified metric value.
5. (Optional) Select a profile from the Auth Profile dropdown.
6. Select normal, passive or send-only from the Mode dropdown.
7. Click OK.
Step 4 Configure RIP timers.
1.
2. Specify the Update Intervals to define the number of intervals between route update announcements (range is 1-3600; default is 30).
3. Specify the Delete Intervals to define the number of intervals between the time that the route expires to its deletion (range is 1-3600; default is 180).
4.
Step 5 (Optional) Configure Auth Profiles.
By default, the firewall does not use RIP authentication for the exchange between RIP neighbors. Optionally, you can configure RIP authentication between RIP neighbors by either a simple password or MD5 authentication. MD5 authentication is recommended; it is more secure than a simple password.
Simple Password RIP authentication
1. Select Auth Profiles and click Add.
2. Enter a name for the authentication profile to authenticate RIP messages.
3.
4. Enter a simple password and then confirm.
MD5 RIP authentication
1.
2. Enter a name for the authentication profile to authenticate RIP messages.
3.
4. Click Add.
5. Enter one or more password entries, including:
Key-ID (range is 0-255)
Key
6. (Optional) Select Preferred status.
7. Click OK to specify the key to be used to authenticate outgoing messages.
8. Click OK again in the Virtual Router RIP Auth Profile dialog box.
OSPF
Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) that is most often used to dynamically manage network routes in large enterprise networks. It determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The information gathered from the LSAs is used to construct a topology map of the network. This topology map is shared across routers in the network and used to populate the IP routing table with available routes.
Changes in the network topology are detected dynamically and used to generate a new topology map within seconds. A shortest path tree is computed for each route. Metrics associated with each routing interface are used to calculate the best route. These can include distance, network throughput, link availability, etc. Additionally, these metrics can be configured statically to direct the outcome of the OSPF topology map.
The Palo Alto Networks implementation of OSPF fully supports the following RFCs:
RFC 2328 (for IPv4)
RFC 5340 (for IPv6)
The following topics provide more information about OSPF and procedures for configuring OSPF on the firewall:
OSPF Concepts
Configure OSPF
Configure OSPFv3
Configure OSPF Graceful Restart
Confirm OSPF Operation
OSPF Concepts
The following topics introduce the OSPF concepts you will need to understand in order to configure the firewall to participate in an OSPF network:
OSPFv3
OSPF Neighbors
OSPF Areas
OSPF Router Types
OSPFv3
OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. It retains most of the structure and functions in OSPFv2 (for IPv4) with some minor changes. The following are some of the additions and changes to OSPFv3:
Support for multiple instances per link: With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number; each instance corresponds to an instance ID contained in the OSPFv3 packet header. An interface that is assigned to an instance ID drops packets that contain a different ID.
Protocol processing per link: OSPFv3 operates per link instead of per IP subnet as on OSPFv2.
Changes to addressing: IPv6 addresses are not present in OSPFv3 packets, except for LSA payloads within link state update packets. Neighboring routers are identified by the Router ID.
Authentication changes: OSPFv3 doesn't include any authentication capabilities of its own. Configuring OSPFv3 on a firewall requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH). The rekeying procedure specified in RFC 4552 is not supported in this release.
New LSA types: OSPFv3 supports two new LSA types: Link LSA and Intra-Area Prefix LSA.
All additional changes are described in detail in RFC 5340.
OSPF Neighbors
Two OSPF-enabled routers connected by a common network and in the same OSPF area that form a relationship are OSPF neighbors. The connection between these routers can be through a common broadcast domain or by a point-to-point connection. This connection is made through the exchange of hello OSPF protocol packets. These neighbor relationships are used to exchange routing updates between routers.
OSPF Areas
OSPF operates within a single autonomous system (AS). Networks within this single AS, however, can be divided into a number of areas. By default, Area 0 is created. Area 0 can either function alone or act as the OSPF backbone for a larger number of areas. Each OSPF area is named using a 32-bit identifier which in most cases is written in the same dotted decimal notation as an IPv4 address. For example, Area 0 is usually written as 0.0.0.0.
The topology of an area is maintained in its own link state database and is hidden from other areas, which reduces the amount of routing traffic required by OSPF. The topology is then shared in a summarized form between areas by a connecting router.
OSPF Area Type | Description
Backbone Area | The backbone area (Area 0) is the core of an OSPF network. All other areas are connected to it and all traffic between areas must traverse it. All routing between areas is distributed through the backbone area. While all other OSPF areas must connect to the backbone area, this connection doesn't need to be direct and can be made through a virtual link.
Normal Area | In a normal OSPF area there are no restrictions; the area can carry all types of routes.
Stub Area | A stub area does not receive routes from other autonomous systems. Routing from the stub area is performed through the default route to the backbone area.
NSSA Area | The Not-So-Stubby Area (NSSA) is a type of stub area that can import external routes, with some limited exceptions.
OSPF Router Types
Within an OSPF area, routers are divided into the following categories.
Internal Router: A router that has OSPF neighbor relationships only with devices in the same area.
Area Border Router (ABR): A router that has OSPF neighbor relationships with devices in multiple areas. ABRs gather topology information from their attached areas and distribute it to the backbone area.
Backbone Router: A backbone router is any OSPF router that is attached to the OSPF backbone. Since ABRs are always connected to the backbone, they are always classified as backbone routers.
Autonomous System Boundary Router (ASBR): An ASBR is a router that attaches to more than one routing protocol and exchanges routing information between them.
Configure OSPF
OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The router keeps information about the links between it and the destination and can make highly efficient routing decisions. A cost is assigned to each router interface, and the best routes are determined to be those with the lowest costs, when summed over all the encountered outbound router interfaces and the interface receiving the LSA.
Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs. Because OSPF dynamically processes a considerable amount of route information, it has greater processor and memory requirements than does RIP.
Configure OSPF
Step 1 Configure general virtual router configuration settings.
See Virtual Routers for details.
Step 2 Enable OSPF.
1. Select the OSPF tab.
2. Select Enable to enable the OSPF protocol.
3. (Optional) Enter the Router ID.
4.
Step 3 Configure Areas Type for the OSPF protocol.
1. On the Areas tab, click Add.
2. Enter an Area ID for the area in x.x.x.x format. This is the identifier that each neighbor must accept to be part of the same area.
3. On the Type tab, select one of the following from the area Type dropdown:
Normal: There are no restrictions; the area can carry all types of routes.
Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
Accept Summary: Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
Advertise Default Route: Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
NSSA (Not-So-Stubby Area): The firewall can leave the area only by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
Type: Select either Ext 1 or Ext 2 route type to advertise the default LSA.
Ext Ranges: Click Add in the section to enter ranges of external routes that you want to enable or suppress advertising for.
4. Priority: Enter the OSPF priority for this interface (0-255). This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) according to the OSPF protocol. When the value is zero, the router will not be elected as a DR or BDR.
Auth Profile: Select a previously defined authentication profile.
Timing: It is recommended that you keep the default timing settings.
Neighbors: For p2mp interfaces, enter the neighbor IP address for all neighbors that are reachable through this interface.
5. Select normal, passive or send-only as the Mode.
6. Click OK.
Step 4 Configure Areas Range for the OSPF protocol.
1. On the Range tab, click Add to aggregate LSA destination addresses in the area into subnets.
2. Advertise or Suppress advertising LSAs that match the subnet, and click OK. Repeat to add additional ranges.
Step 5 Configure Areas Interfaces for the OSPF protocol.
1. On the Interface tab, click Add and enter the following information for each interface to be included in the area:
Interface: Select an interface from the dropdown.
Enable: Selecting this option causes the OSPF interface settings to take effect.
Passive: Select if you do not want the OSPF interface to send or receive OSPF packets. Although OSPF packets are not sent or received if you choose this option, the interface is included in the LSA database.
Link type: Choose Broadcast if you want all neighbors that are accessible through the interface to be discovered automatically by multicasting OSPF hello messages, such as an Ethernet interface. Choose p2p (point-to-point) to automatically discover the neighbor. Choose p2mp (point-to-multipoint) when neighbors must be defined manually. Defining neighbors manually is allowed only for p2mp mode.
Metric: Enter an OSPF metric for this interface (range is 0-65535; default is 10).
Priority: Enter an OSPF priority for this interface. This is the priority for the router to be elected as a designated router (DR) or as a backup DR (BDR) (range is 0-255; default is 1). If zero is configured, the router will not be elected as a DR or BDR.
Auth Profile: Select a previously defined authentication profile.
Timing: Modify the timing settings if desired (not recommended). For details on these settings, refer to the online help.
If p2mp is selected for Link Type, enter the neighbor IP addresses for all neighbors that are reachable through this interface.
2. Click OK.
Step 6 Configure Areas Virtual Links.
1. On the Virtual Link tab, click Add and enter the following information for each virtual link to be included in the backbone area:
Name: Enter a name for the virtual link.
Neighbor ID: Enter the router ID of the router (neighbor) on the other side of the virtual link.
Transit Area: Enter the area ID of the transit area that physically contains the virtual link.
Enable: Select to enable the virtual link.
Timing: It is recommended that you keep the default timing settings.
Auth Profile: Select a previously defined authentication profile.
2. Click OK.
Step 7: (Optional) Configure Auth Profiles.
By default, the firewall does not use OSPF authentication for the exchange between OSPF neighbors. Optionally, you can configure OSPF authentication between OSPF neighbors by either a simple password or using MD5 authentication. MD5 authentication is recommended; it is more secure than a simple password.

Simple Password OSPF authentication
1. On the Auth Profiles tab, click Add.
2. Enter a name for the authentication profile to authenticate OSPF messages.
3.
4. Enter a simple password and then confirm.

MD5 OSPF authentication
1.
2. Enter a name for the authentication profile to authenticate OSPF messages.
3.
4. Click Add.
5. Enter one or more password entries, including:
   Key ID (range is 0-255)
   Key
   Select the Preferred option to specify that the key be used to authenticate outgoing messages.
6. Click OK.
7. Click OK again in the Virtual Router OSPF Auth Profile dialog box.

Step 8: Configure Advanced OSPF options.
1.
2.
3.
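The Key ID, Key and Preferred settings above map onto OSPFv2 cryptographic authentication (RFC 2328, Appendix D). The following is an added illustration of that scheme and is not PAN-OS code: outgoing packets are signed with the key marked Preferred, incoming packets are checked against whichever configured key matches their Key ID, and the per-neighbor cryptographic sequence number must not go backwards. The packet fields, key values and neighbor names are constructed samples.

```python
import hashlib
import hmac
import struct
from typing import Dict

AUTH_TYPE_CRYPTO = 2      # OSPF AuType for cryptographic authentication
MD5_LEN = 16              # Auth Data Len carried in the OSPF header


class OspfMd5Profile:
    """Auth profile as configured above: Key ID (0-255) -> key, one key Preferred."""

    def __init__(self, keys: Dict[int, bytes], preferred: int) -> None:
        for key_id in keys:
            if not 0 <= key_id <= 255:
                raise ValueError("Key ID out of range 0-255")
        if preferred not in keys:
            raise ValueError("the Preferred key must be one of the configured keys")
        self.keys = keys
        self.preferred = preferred
        self.last_seq: Dict[str, int] = {}   # neighbor -> last accepted sequence number

    @staticmethod
    def _digest(packet: bytes, key: bytes) -> bytes:
        # RFC 2328 D.4.3: MD5 over the OSPF packet followed by the key,
        # zero-padded (or truncated) to 16 bytes.
        return hashlib.md5(packet + key.ljust(MD5_LEN, b"\x00")[:MD5_LEN]).digest()

    def sign(self, body: bytes, seq: int) -> bytes:
        """Build an OSPFv2 packet signed with the Preferred key (outgoing direction)."""
        length = 24 + len(body)          # the 16-byte digest is not counted in the length
        header = struct.pack("!BBH4s4sHH", 2, 1, length,
                             b"\x0a\x00\x00\x01",   # router ID 10.0.0.1 (constructed)
                             b"\x00\x00\x00\x00",   # area ID 0.0.0.0
                             0, AUTH_TYPE_CRYPTO)   # checksum is 0 with crypto auth
        auth = struct.pack("!HBBI", 0, self.preferred, MD5_LEN, seq)
        packet = header + auth + body
        return packet + self._digest(packet, self.keys[self.preferred])

    def verify(self, neighbor: str, wire: bytes) -> bool:
        """Accept only if the Key ID is known, the digest matches and seq does not go back."""
        if len(wire) < 24 + MD5_LEN:
            return False
        length = struct.unpack("!H", wire[2:4])[0]
        autype = struct.unpack("!H", wire[14:16])[0]
        if autype != AUTH_TYPE_CRYPTO or len(wire) != length + MD5_LEN:
            return False
        _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
        key = self.keys.get(key_id)
        if key is None or auth_len != MD5_LEN:
            return False                 # the incoming Key ID selects the key; unknown -> reject
        packet, digest = wire[:length], wire[length:]
        if not hmac.compare_digest(digest, self._digest(packet, key)):
            return False
        if seq < self.last_seq.get(neighbor, 0):
            return False                 # replayed or stale cryptographic sequence number
        self.last_seq[neighbor] = seq
        return True
```

A receiver that still has only the old Key ID cannot verify packets signed with the new Preferred key, which is why both keys are kept in the profile during a key rollover.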
Configure OSPFv3
OSPFv3 supports both IPv4 and IPv6. You must use OSPFv3 if you are using IPv6.

Step 1: Configure general virtual router configuration settings.
See Virtual Routers for details.

Step 2: Configure general OSPF configuration settings.
1. Select the OSPF tab.
2. Select Enable to enable the OSPF protocol.
3.
4.

Step 3: Configure general OSPFv3 configuration settings.
1. Select the OSPFv3 tab.
2. Select Enable to enable the OSPF protocol.
3. Select Reject Default Route if you do not want to learn any default routes through OSPFv3. This is the recommended default setting.
   Clear Reject Default Route if you want to permit redistribution of default routes through OSPFv3.
Configure OSPFv3 (Continued)

Step 4: Configure Auth Profile for the OSPFv3 protocol.
OSPFv3 doesn't include any authentication capabilities of its own; it relies entirely on IPsec to secure communications between neighbors.
When configuring an authentication profile, you must use Encapsulating Security Payload (ESP) (which is recommended) or IPv6 Authentication Header (AH).

ESP OSPFv3 authentication
1. On the Auth Profiles tab, click Add.
2. Enter a name for the authentication profile to authenticate OSPFv3 messages.
3. Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
4. Select ESP for Protocol.
5. Select a Crypto Algorithm from the drop-down. You can enter none or one of the following algorithms: SHA1, SHA256, SHA384, SHA512 or MD5.
6. If a Crypto Algorithm other than none was selected, enter a value for Key and then confirm.

AH OSPFv3 authentication
1. On the Auth Profiles tab, click Add.
2. Enter a name for the authentication profile to authenticate OSPFv3 messages.
3. Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
4. Select AH for Protocol.
5. Select a Crypto Algorithm from the drop-down. You must enter one of the following algorithms: SHA1, SHA256, SHA384, SHA512 or MD5.
6. Enter a value for Key and then confirm.
7. Click OK.
8. Click OK again in the Virtual Router OSPF Auth Profile dialog.
Step 5: Configure Areas Type for the OSPF protocol.
1. On the Areas tab, click Add.
2. Enter an Area ID. This is the identifier that each neighbor must accept to be part of the same area.
3. On the General tab, select one of the following from the area Type drop-down:
   Normal: There are no restrictions; the area can carry all types of routes.
   Stub: There is no outlet from the area. To reach a destination outside of the area, it is necessary to go through the border, which connects to other areas. If you select this option, configure the following:
      Accept Summary: Link state advertisements (LSA) are accepted from other areas. If this option on a stub area Area Border Router (ABR) interface is disabled, the OSPF area will behave as a Totally Stubby Area (TSA) and the ABR will not propagate any summary LSAs.
      Advertise Default Route: Default route LSAs will be included in advertisements to the stub area along with a configured metric value in the configured range 1-255.
   NSSA (Not-So-Stubby Area): The firewall can only leave the area by routes other than OSPF routes. If selected, configure Accept Summary and Advertise Default Route as described for Stub. If you select this option, configure the following:
      Type: Select either Ext 1 or Ext 2 route type to advertise the default LSA.
      Ext Ranges: Click Add in the section to enter ranges of external routes that you want to enable or suppress advertising for.

Step 6: Associate an OSPFv3 authentication profile to an area or an interface.
To an Area
1. On the Areas tab, select an existing area from the table.
2. On the General tab, select a previously defined Authentication Profile from the Authentication drop-down.
3. Click OK.
To an Interface
1. On the Areas tab, select an existing area from the table.
2. Select the Interface tab and click Add.
3. Select the authentication profile you want to associate with the OSPF interface from the Auth Profile drop-down.
Step 7: (Optional) Configure Export Rules.
1. On the Export tab, click Add.
2.
3. Select the name of a redistribution profile. The value must be an IP subnet or valid redistribution profile name.
4.
5. Specify a New Tag for the matched route that has a 32-bit value.
6. Assign a metric for the new rule (range is 1-65535).
7. Click OK.

Step 8: Configure Advanced OSPFv3 options.
1.
2.
3.
4.
(Optional) Configure OSPF Graceful Restart.

Configure OSPF Graceful Restart
OSPF Graceful Restart directs OSPF neighbors to continue using routes through a device during a short transition when it is out of service. This behavior increases network stability by reducing the frequency of routing table reconfiguration and the related route flapping that can occur during short periodic downtimes.
For a Palo Alto Networks firewall, OSPF Graceful Restart involves the following operations:
- Firewall as a restarting device: In a situation where the firewall will be down for a short period of time or is unavailable for short intervals, it sends Grace LSAs to its OSPF neighbors. The neighbors must be configured to run in Graceful Restart Helper mode. In Helper Mode, the neighbors receive the Grace LSAs that inform them that the firewall will perform a graceful restart within a specified period of time defined as the Grace Period. During the grace period, the neighbor continues to forward routes through the firewall and to send LSAs that announce routes through the firewall. If the firewall resumes operation before expiration of the grace period, traffic forwarding will continue as before without network disruption. If the firewall does not resume operation after the grace period has expired, the neighbors will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the firewall.
- Firewall as a Graceful Restart Helper: In a situation where neighboring routers may be down for short periods of time, the firewall can be configured to operate in Graceful Restart Helper mode. If configured in this mode, the firewall will be configured with a Max Neighbor Restart Time. When the firewall receives the Grace LSAs from its OSPF neighbor, it will continue to route traffic to the neighbor and advertise routes through the neighbor until either the grace period or max neighbor restart time expires. If neither expires before the neighbor returns to service, traffic forwarding continues as before without network disruption. If either period expires before the neighbor returns to service, the firewall will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the neighbor.

Configure OSPF Graceful Restart
Step 1
Step 2
Step 3: Verify that the following are selected (they are enabled by default):
   Enable Graceful Restart
   Enable Helper Mode
   Enable Strict LSA checking
   These should remain selected unless required by your topology.
Step 4: Configure a Grace Period in seconds.
Step 5
Confirm OSPF Operation
Once an OSPF configuration has been committed, you can use any of the following operations to confirm that OSPF is operating:
- View the Routing Table
- Confirm OSPF Adjacencies
- Confirm that OSPF Connections are Established

View the Routing Table
By viewing the routing table, you can see whether OSPF routes have been established. The routing table is accessible from either the web interface or the CLI. If you are using the CLI, use the following commands:
If you are using the web interface to view the routing table, use the following workflow:

View the Routing Table
1.
2.

Confirm OSPF Adjacencies
Use the following workflow to confirm that OSPF adjacencies have been established:
View the Neighbor Tab to Confirm OSPF Adjacencies
1.
2.

Confirm that OSPF Connections are Established
View the System log to confirm that the firewall has established OSPF connections.
Examine the System Log
1.
2.
BGP
Border Gateway Protocol (BGP) is the primary Internet routing protocol. BGP determines network reachability based on IP prefixes that are available within autonomous systems (AS), where an AS is a set of IP prefixes that a network provider has designated to be part of a single routing policy.
In the routing process, connections are established between BGP peers (or neighbors). If a route is permitted by the policy, it is stored in the routing information base (RIB). Each time the local firewall RIB is updated, the firewall determines the optimal routes and sends an update to the external RIB, if export is enabled.
Conditional advertisement is used to control how BGP routes are advertised. The BGP routes must satisfy conditional advertisement rules before being advertised to peers.
BGP supports the specification of aggregates, which combine multiple routes into a single route. During the aggregation process, the first step is to find the corresponding aggregation rule by performing a longest match that compares the incoming route with the prefix values for other aggregation rules.
For more information on BGP, refer to the How to Configure BGP Tech Note.
The firewall provides a complete BGP implementation, which includes the following features:
- Specification of one BGP routing instance per virtual router.
- Routing policies based on route map to control import, export and advertisement, prefix-based filtering, and address aggregation.
- Advanced BGP features that include route reflector, AS confederation, route flap dampening, and graceful restart.
- IGP-BGP interaction to inject routes to BGP using redistribution profiles.
BGP configuration consists of the following elements:
- Per-routing-instance settings, which include basic parameters such as local route ID and local AS and advanced options such as path selection, route reflector, AS confederation, route flap, and dampening profiles.
- Authentication profiles, which specify the MD5 authentication key for BGP connections. Authentication helps prevent route leaking and successful DoS attacks.
- Peer group and neighbor settings, which include neighbor address and remote AS and advanced options such as neighbor attributes and connections.
- Routing policy, which specifies rule sets that peer groups and peers use to implement imports, exports, conditional advertisements, and address aggregation controls.
Perform the following procedure to configure BGP.
Configure BGP

Step 1: Configure general virtual router configuration settings.
See Virtual Routers for details.

Step 2: Configure standard BGP configuration settings.
1. Select the BGP tab.
2. Select Enable to enable the BGP protocol.
3. For Router ID, assign an IP address to the virtual router.
4. For AS Number, enter the number of the AS to which the virtual router belongs, based on the router ID. Range is 1-4294967295.

Step 3: Configure general BGP configuration settings.
1. Select BGP > General.
2.
3.
4.
5.
6. Select one of the following values for the AS format for interoperability purposes:
   2 Byte (default value)
   4 Byte
7. Enable or disable each of the following values for Path Selection:
   Always Compare MED: Enable this comparison to choose paths from neighbors in different autonomous systems.
   Deterministic MED Comparison: Enable this comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same autonomous system).
8. Click Add to include a new authentication profile and configure the following settings:
   Profile Name: Enter a name to identify the profile.
   Secret/Confirm Secret: Enter and confirm a passphrase for BGP peer communications. The Secret is used as a key in MD5 authentication.
Step 4: (Optional) Configure BGP Advanced settings.
1.
2. Specify an IPv4 identifier to represent the reflector cluster in the Reflector Cluster ID box.
3. Specify the identifier for the AS confederation to be presented as a single AS to external BGP peers in the Confederation Member AS box.
4. Click Add and enter the following information for each Dampening Profile that you want to configure, select Enable, and click OK:
   Profile Name: Enter a name to identify the profile.
   Cutoff: Specify a route withdrawal threshold above which a route advertisement is suppressed (range is 0.0-1000.0; default is 1.25).
   Reuse: Specify a route withdrawal threshold below which a suppressed route is used again (range is 0.0-1000.0; default is 5).
   Max Hold Time (sec): Specify the maximum length of time in seconds that a route can be suppressed, regardless of how unstable it has been (range is 0-3600 seconds; default is 900).
   Decay Half Life Reachable (sec): Specify the length of time in seconds after which a route's stability metric is halved if the route is considered reachable (range is 0-3600 seconds; default is 300).
   Decay Half Life Unreachable (sec): Specify the length of time in seconds after which a route's stability metric is halved if the route is considered unreachable (range is 0-3600; default is 300).
5. Click OK.
Step 5: Configure the BGP peer group.
1. Select the Peer Group tab and click Add.
2. Enter a Name for the peer group and select Enable.
3.
4.
5. Specify the type of peer or group from the Type drop-down and configure the associated settings (see below in this table for descriptions of Import Next Hop and Export Next Hop).
   IBGP: Export Next Hop: Specify Original or Use self
   EBGP Confed: Export Next Hop: Specify Original or Use self
   EBGP: Import Next Hop: Specify Original or Use self. Export Next Hop: Specify Resolve or Use self. Select Remove Private AS if you want to force BGP to remove private AS numbers.
6. Click OK to save.

Step 6: Configure Import and Export rules.
The import/export rules are used to import/export routes from/to other routers, for example, importing the default route from your Internet Service Provider.
1. Select the Import tab, then click Add, enter a name in the Rules field and select Enable.
2. Click Add and select the Peer Group from which the routes will be imported.
3. Click the Match tab and define the options used to filter routing information. You can also define the Multi-Exit Discriminator (MED) value and a next hop value to routers or subnets for route filtering. The MED option is an external metric that lets neighbors know about the preferred path into an AS. A lower value is preferred over a higher value.
4. Click the Action tab and define the action that should occur (allow/deny) based on the filtering options defined in the Match tab. If Deny is selected, no further options need to be defined. If the Allow action is selected, define the other attributes.
5. Click the Export tab and define export attributes, which are similar to the Import settings, but are used to control route information that is exported from the firewall to neighbors.
6. Click OK to save.
Step 7: Configure conditional advertising, which allows you to control what route to advertise in the event that a different route is not available in the local BGP routing table (LocRIB), indicating a peering or reachability failure.
This is useful in cases where you want to try to force routes to one AS over another, for example if you have links to the Internet through multiple ISPs and you want traffic to be routed to one provider instead of the other unless there is a loss of connectivity to the preferred provider.
1. Select the Conditional Adv tab, click Add and enter a name in the Policy field.
2. Select Enable.
3. Click Add and in the Used By section enter the peer group(s) that will use the conditional advertisement policy.
4.
5. Select the Advertise Filters tab and define the prefix(es) of the route in the Local RIB routing table that should be advertised in the event that the route in the non-exist filter is not available in the local routing table. If a prefix is going to be advertised and does not match a Non Exist filter, the advertisement will occur.

Step 8: Configure aggregate options to summarize routes in the BGP configuration.
BGP route aggregation is used to control how BGP aggregates addresses. Each entry in the table results in one aggregate address being created. This will result in an aggregate entry in the routing table when at least one or more specific route matching the address specified is learned.
1. Select the Aggregate tab, click Add and enter a name for the aggregate address.
2. In the Prefix field, enter the network prefix that will be the primary prefix for the aggregated prefixes.
3.
4.

Step 9: Configure redistribution rules.
This rule is used to redistribute host routes and unknown routes that are not on the local RIB to the peer routers.
1. Select the Redist Rules tab and click Add.
2. In the Name field, enter an IP subnet or select a redistribution profile. You can also configure a new redistribution profile from the drop-down if needed.
3. Click Enable to enable the rule.
4. In the Metric field, enter the route metric that will be used for the rule.
5. In the Set Origin drop-down, select incomplete, igp, or egp.
6. (Optional) Set MED, local preference, AS path limit and community values.
Session Settings and Timeouts
This section describes the global settings that affect TCP, UDP, and ICMPv6 sessions, in addition to IPv6, NAT64, NAT oversubscription, jumbo frame size, MTU, accelerated aging, and captive portal authentication. There is also a setting (Rematch Sessions) that allows you to apply newly configured security policies to sessions that are already in progress.
The first few topics below provide brief summaries of the Transport Layer of the OSI model, TCP, UDP, and ICMP. For more information about the protocols, refer to their respective RFCs. The remaining topics describe the session timeouts and settings.
- Transport Layer Sessions
- TCP
- UDP
- ICMP
- Configure Session Timeouts
- Configure Session Settings
- Prevent TCP Split Handshake Session Establishment
TCP
Transmission Control Protocol (TCP) (RFC 793) is one of the main protocols in the Internet Protocol (IP) suite, and is so prevalent that it is frequently referenced together with IP as TCP/IP. TCP is considered a reliable transport protocol because it provides error checking while transmitting and receiving segments, acknowledges segments received, and reorders segments that arrive in the wrong order. TCP also requests and provides retransmission of segments that were dropped. TCP is stateful and connection-oriented, meaning a connection between the sender and receiver is established for the duration of the session. TCP provides flow control of packets, so it can handle congestion over networks.
TCP performs a handshake during session setup to initiate and acknowledge a session. After the data is transferred, the session is closed in an orderly manner, where each side transmits a FIN packet and acknowledges it with an ACK packet. The handshake that initiates the TCP session is often a three-way handshake (an exchange of three messages) between the initiator and the listener, or it could be a variation, such as a four-way or five-way split handshake or a simultaneous open. The TCP Split Handshake Drop topic explains how to Prevent TCP Split Handshake Session Establishment.
Applications that use TCP as their transport protocol include Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Secure Shell (SSH).
The following topics describe details of the PAN-OS implementation of TCP.
- TCP Half Closed and TCP Time Wait Timers
- Unverified RST Timer
- TCP Split Handshake Drop
- Maximum Segment Size (MSS)
TCP Half Closed and TCP Time Wait Timers
The TCP connection termination procedure uses a TCP Half Closed timer, which is triggered by the first FIN the firewall sees for a session. The timer is named TCP Half Closed because only one side of the connection has sent a FIN. A second timer, TCP Time Wait, is triggered by the second FIN or a RST.
If the firewall were to have only one timer triggered by the first FIN, a setting that was too short could prematurely close the half-closed sessions. Conversely, a setting that was too long would make the session table grow too much and possibly use up all of the sessions. Two timers allow you to have a relatively long TCP Half Closed timer and a short TCP Time Wait timer, thereby quickly aging fully closed sessions and controlling the size of the session table.
The following figure illustrates when the firewall's two timers are triggered during the TCP connection termination procedure.
The TCP Time Wait timer should be set to a value less than the TCP Half Closed timer for the following reasons:
- The longer time allowed after the first FIN is seen gives the opposite side of the connection time to fully close the session.
- The shorter Time Wait time is because there is no need for the session to remain open for a long time after the second FIN or a RST is seen. A shorter Time Wait time frees up resources sooner, yet still allows time for the firewall to see the final ACK and possible retransmission of other datagrams.
If you configure a TCP Time Wait timer to a value greater than the TCP Half Closed timer, the commit will be accepted, but in practice the TCP Time Wait timer will not exceed the TCP Half Closed value.
The timers can be set globally or per application. The global settings are used for all applications by default. If you configure TCP wait timers at the application level, they override the global settings.
Unverified RST Timer
If the firewall receives a Reset (RST) packet that cannot be verified (because it has an unexpected sequence number within the TCP window or it is from an asymmetric path), the Unverified RST timer controls the aging out of the session. It defaults to 30 seconds; the range is 1-600 seconds. The Unverified RST timer provides an additional security measure, explained in the second bullet below.
A RST packet will have one of three possible outcomes:
- A RST packet that falls outside the TCP window is dropped.
- A RST packet that falls inside the TCP window but does not have the exact expected sequence number is unverified and subject to the Unverified RST timer setting. This behavior helps prevent denial-of-service (DoS) attacks where the attack tries to disrupt existing sessions by sending random RST packets to the firewall.
- A RST packet that falls within the TCP window and has the exact expected sequence number is subject to the TCP Time Wait timer setting.
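The following is an added model (not PAN-OS code) of the session aging rules in the two preceding topics: the TCP Half Closed timer starts on the first FIN, the TCP Time Wait timer on the second FIN or a verified RST, an in-window RST with the wrong sequence number falls under the Unverified RST timer, and an out-of-window RST is dropped. Timer values are this page's defaults; the session state names, the per-sender expected sequence numbers and windows, and the segment traces are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MOD32 = 1 << 32

# Default timer values stated in this guide (seconds).
TCP_HALF_CLOSED_DEFAULT = 120
TCP_TIME_WAIT_DEFAULT = 15
UNVERIFIED_RST_DEFAULT = 30


def in_window(seq: int, expected: int, window: int) -> bool:
    """True if seq lies in [expected, expected + window) modulo 2**32."""
    return (seq - expected) % MOD32 < window


def classify_rst(seq: int, expected: int, window: int) -> str:
    """The three RST outcomes listed above: dropped, unverified or verified."""
    if not in_window(seq, expected, window):
        return "dropped"
    return "verified" if seq == expected else "unverified"


@dataclass
class SessionTimers:
    half_closed: int = TCP_HALF_CLOSED_DEFAULT
    time_wait: int = TCP_TIME_WAIT_DEFAULT
    unverified_rst: int = UNVERIFIED_RST_DEFAULT

    def effective_time_wait(self) -> int:
        # A larger Time Wait value is accepted at commit, but in practice it
        # never exceeds the Half Closed value.
        return min(self.time_wait, self.half_closed)


@dataclass
class Session:
    """Assumed per-session tracker: next expected seq and window per sender."""
    expected_seq: Dict[str, int]
    window: Dict[str, int]
    timers: SessionTimers = field(default_factory=SessionTimers)
    fins_seen: int = 0
    state: str = "ESTABLISHED"
    aging_timeout: Optional[int] = None

    def _age(self, state: str, timeout: int, action: str) -> str:
        self.state, self.aging_timeout = state, timeout
        return action

    def on_segment(self, sender: str, flags: Set[str], seq: int) -> str:
        """Apply one segment and return the aging action taken."""
        if "RST" in flags:
            verdict = classify_rst(seq, self.expected_seq[sender], self.window[sender])
            if verdict == "dropped":
                return "drop"                       # outside the window: ignored
            if verdict == "unverified":
                return self._age("UNVERIFIED_RST", self.timers.unverified_rst,
                                 "age:unverified-rst")
            return self._age("TIME_WAIT", self.timers.effective_time_wait(), "age:time-wait")
        if "FIN" in flags:
            self.fins_seen += 1
            if self.fins_seen == 1:                 # first FIN: one side has closed
                return self._age("HALF_CLOSED", self.timers.half_closed, "age:half-closed")
            return self._age("TIME_WAIT", self.timers.effective_time_wait(), "age:time-wait")
        return "forward"


def new_session() -> Session:
    """Constructed session: client expects seq 1000 from the server, server expects 5000."""
    return Session(expected_seq={"client": 1000, "server": 5000},
                   window={"client": 65535, "server": 65535})


def demo() -> List[str]:
    """Constructed traces: an orderly close, then three RSTs with different seq numbers."""
    orderly = new_session()
    actions = [orderly.on_segment("client", {"FIN", "ACK"}, 1000),
               orderly.on_segment("server", {"FIN", "ACK"}, 5000)]
    resets = new_session()
    actions += [resets.on_segment("server", {"RST"}, 5000 + 70000),   # outside window
                resets.on_segment("server", {"RST"}, 5000 + 1234),    # in window, wrong seq
                resets.on_segment("server", {"RST"}, 5000)]           # exact seq
    return actions
```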
TCP Split Handshake Drop
The Split Handshake option in a Zone Protection profile will prevent a TCP session from being established if the session establishment procedure does not use the well-known three-way handshake, but instead uses a variation, such as a four-way or five-way split handshake or a simultaneous open.
The Palo Alto Networks next-generation firewall correctly handles sessions and all Layer 7 processes for split handshake and simultaneous open session establishment without enabling the Split Handshake option. Nevertheless, the Split Handshake option (which causes a TCP split handshake drop) is made available. When the Split Handshake option is configured for a Zone Protection profile and that profile is applied to a zone, TCP sessions for interfaces in that zone must be established using the standard three-way handshake; variations are not allowed.
The Split Handshake option is disabled by default.
The following illustrates the standard three-way handshake used to establish a TCP session with a PAN-OS firewall between the initiator (typically a client) and the listener (typically a server).
The Split Handshake option is configured for a Zone Protection profile that is assigned to a zone. An interface that is a member of the zone drops any synchronization (SYN) packets sent from the server, preventing the following variations of handshakes. The letter A in the figure indicates the session initiator and B indicates the listener. Each numbered segment of the handshake has an arrow indicating the direction of the segment from the sender to the receiver, and each segment indicates the control bit(s) setting.
You can Prevent TCP Split Handshake Session Establishment.
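An added model of the enforcement rule described above (not PAN-OS code): the first SYN seen for a flow fixes the initiator A, and with the option enabled any later bare SYN from the listener B is dropped, which is what defeats the split-handshake and simultaneous-open variations. The flow key, the packet representation and the three handshake traces are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


def _canonical(flow: Flow) -> Flow:
    """Order the 4-tuple so both directions of a connection share one entry."""
    src, sp, dst, dp = flow
    return flow if (src, sp) <= (dst, dp) else (dst, dp, src, sp)


class SplitHandshakeFilter:
    """Zone-level Split Handshake check; disabled by default like the option."""

    def __init__(self, enabled: bool = False) -> None:
        self.enabled = enabled
        self.initiator: Dict[Flow, Tuple[str, int]] = {}

    def process(self, flow: Flow, flags: Set[str]) -> str:
        """Return 'allow' or 'drop' for one packet."""
        key = _canonical(flow)
        sender = (flow[0], flow[1])
        if "SYN" in flags and "ACK" not in flags:        # a bare SYN, not a SYN/ACK
            if key not in self.initiator:
                self.initiator[key] = sender             # first SYN defines initiator A
                return "allow"
            if self.enabled and sender != self.initiator[key]:
                return "drop"                            # SYN sent by the listener B
        return "allow"


def run(enabled: bool, packets: List[Tuple[Flow, Set[str]]]) -> List[str]:
    """Feed a packet trace through a fresh filter and collect the verdicts."""
    f = SplitHandshakeFilter(enabled)
    return [f.process(flow, flags) for flow, flags in packets]


# Constructed traces. A = 10.0.0.10:40000 (initiator), B = 10.0.0.20:80 (listener).
AB: Flow = ("10.0.0.10", 40000, "10.0.0.20", 80)
BA: Flow = ("10.0.0.20", 80, "10.0.0.10", 40000)

THREE_WAY = [(AB, {"SYN"}), (BA, {"SYN", "ACK"}), (AB, {"ACK"})]
# Four-way split: B answers with a bare SYN instead of a SYN/ACK.
SPLIT_4WAY = [(AB, {"SYN"}), (BA, {"SYN"}), (AB, {"SYN", "ACK"}), (BA, {"ACK"})]
# Simultaneous open: both sides send a SYN before either answers.
SIMULTANEOUS = [(AB, {"SYN"}), (BA, {"SYN"}), (AB, {"SYN", "ACK"}), (BA, {"SYN", "ACK"})]
```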
Maximum Segment Size (MSS)
The maximum transmission unit (MTU) is a value indicating the largest number of bytes that can be transmitted in a single TCP packet. The MTU includes the length of headers, so the MTU minus the number of bytes in the headers equals the maximum segment size (MSS), which is the maximum number of data bytes that can be transmitted in a single packet.
A configurable MSS adjustment size (shown below) allows your firewall to pass traffic that has longer headers than the default setting allows. Encapsulation adds length to headers, so you would increase the MSS adjustment size to allow bytes, for example, to accommodate an MPLS header or tunneled traffic that has a VLAN tag.
If the DF (don't fragment) bit is set for a packet, it is especially helpful to have a larger MSS adjustment size and smaller MSS so that longer headers do not result in a packet length that exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets would be dropped.
The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.
If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between the two IP address formats, the proper MSS value corresponding to the IP type is used for TCP traffic.
For IPv4 and IPv6 addresses, the firewall accommodates larger than expected TCP header lengths. In the case where a TCP packet has a larger header length than you planned for, the firewall chooses as the MSS adjustment size the larger of the following two values:
- The configured MSS adjustment size
- The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN
This behavior means that the firewall overrides the configured MSS adjustment size if necessary. For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458 (the default MTU size minus the adjustment size [1500-42]). However, the TCP packet has 4 extra bytes of IP options in the header, so the MSS adjustment size (20+20+4) equals 44, which is larger than the configured MSS adjustment size of 42. The resulting MSS is 1500-44 = 1456 bytes, smaller than you expected.
To configure the MSS adjustment size, see Step 8 in Configure Session Settings.
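The override rule above, carried through as an added worked example (not PAN-OS code): the adjustment actually used is the larger of the configured MSS adjustment size and 20 (TCP header) plus the IP header length read from the SYN, and the MSS is the MTU minus that adjustment. It reproduces the 42 versus 44 case from the text and also covers an IPv6 SYN (fixed 40-byte header); the IPv4/IPv6 header bytes are constructed samples.

```python
import struct
from typing import Dict, Tuple

TCP_HEADER_LEN = 20   # the fixed TCP header length the guide uses in its sum


def ip_header_len(packet: bytes) -> int:
    """IP header length in bytes, read from the first byte of the SYN packet."""
    version = packet[0] >> 4
    if version == 4:
        ihl = packet[0] & 0x0F            # IHL field, in 32-bit words
        if ihl < 5:
            raise ValueError("invalid IPv4 IHL")
        return ihl * 4                    # 20 bytes plus any IP options
    if version == 6:
        return 40                         # IPv6 base header is fixed-size
    raise ValueError("not an IPv4 or IPv6 packet")


def effective_mss(mtu: int, configured_adjust: int, syn_packet: bytes) -> Tuple[int, int]:
    """Return (adjustment actually used, resulting MSS) for one SYN."""
    header_based = TCP_HEADER_LEN + ip_header_len(syn_packet)
    adjust = max(configured_adjust, header_based)   # the larger of the two values
    return adjust, mtu - adjust


def ipv4_header(options: bytes = b"") -> bytes:
    """Build a constructed IPv4 header (checksum left at 0) with optional IP options."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + TCP_HEADER_LEN
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, total_len, 0, 0x4000,   # DF bit set
                        64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options


IPV6_SYN = bytes([0x60]) + bytes(39)   # constructed: version 6, remainder zeroed


def demo() -> Dict[str, Tuple[int, int]]:
    """The guide's example (MTU 1500, configured adjustment 42) for three SYN shapes."""
    return {
        "plain_ipv4": effective_mss(1500, 42, ipv4_header()),
        "ipv4_4byte_options": effective_mss(1500, 42, ipv4_header(b"\x01\x01\x01\x01")),
        "ipv6": effective_mss(1500, 42, IPV6_SYN),
    }
```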
UDP
User Datagram Protocol (UDP) (RFC 768) is another main protocol of the IP suite, and is an alternative to TCP. UDP is stateless and connectionless in that there is no handshake to set up a session, and no connection between the sender and receiver; the packets may take different routes to get to a single destination. UDP is considered an unreliable protocol because it does not provide acknowledgments, error checking, retransmission, or reordering of datagrams. Without the overhead required to provide those features, UDP has reduced latency and is faster than TCP. UDP is referred to as a best-effort protocol because there is no mechanism or guarantee to ensure that the data will arrive at its destination.
Although UDP uses a checksum for data integrity, it performs no error checking at the network interface level. Error checking is assumed to be unnecessary or is performed by the application rather than UDP itself. UDP has no mechanism to handle flow control of packets.
UDP is often used for applications that require faster speeds and time-sensitive, real-time delivery, such as Voice over IP (VoIP), streaming audio and video, and online games. UDP is transaction-oriented, so it is also used for applications that respond to small queries from many clients, such as Domain Name System (DNS) and Trivial File Transfer Protocol (TFTP).
ICMP
Internet Control Message Protocol (ICMP) (RFC 792) is another one of the main protocols of the Internet Protocol suite; it operates at the Network layer of the OSI model. ICMP is used for diagnostic and control purposes, to send error messages about IP operations, or messages about requested services or the reachability of a host or router. Network utilities such as traceroute and ping are implemented by using various ICMP messages.
ICMP is a connectionless protocol that does not open or maintain actual sessions. However, the ICMP messages between two devices can be considered a session.
Palo Alto Networks firewalls support ICMPv4 and ICMPv6. ICMPv4 and ICMPv6 error packets can be controlled by configuring a security policy for a zone, and selecting the icmp or ipv6-icmp application in the policy. Additionally, the ICMPv6 error packet rate can be controlled through the session settings, as described in the section Configure Session Settings.

ICMPv6 Rate Limiting
ICMPv6 rate limiting is a throttling mechanism to prevent flooding and DDoS attempts. The implementation employs an error packet rate and a token bucket, which work together to enable throttling and ensure that ICMP packets do not flood the network segments protected by the firewall.
First, the global ICMPv6 error packet rate controls the rate at which ICMP error packets are allowed through the firewall; the default is 100 packets per second; the range is 10 to 65535 packets per second. If the firewall reaches the ICMP error packet rate, then the token bucket comes into play and throttling occurs, as follows.
The concept of a logical token bucket controls the rate at which ICMP messages can be transmitted. The number of tokens in the bucket is configurable, and each token represents an ICMP message that can be sent. The token count is decremented each time an ICMP message is sent; when the bucket reaches zero tokens, no more ICMP messages can be sent until another token is added to the bucket. The default size of the token bucket is 100 tokens (packets); the range is 10 to 65535 tokens.
To change the default token bucket size or error packet rate, see the section Configure Session Settings.
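An added simulation (not PAN-OS code) of the two-stage mechanism just described: packets pass freely while the per-second count stays under the ICMPv6 error packet rate, and once the rate is reached each further packet must take a token from the bucket, with the packet throttled when the bucket is empty. Defaults and ranges are those stated above; the refill policy (tokens accrue at the error packet rate, bucket starts full) and the burst timings are assumptions made for the example.

```python
from dataclasses import dataclass


def in_documented_range(value: int) -> bool:
    """Both settings accept 10 to 65535 (packets per second, or tokens)."""
    return 10 <= value <= 65535


@dataclass
class Icmpv6Throttle:
    error_rate_pps: int = 100      # global ICMPv6 error packet rate, default 100 pps
    bucket_size: int = 100         # token bucket size, default 100 tokens
    tokens: float = 0.0
    last_refill: float = 0.0
    window_start: float = 0.0
    sent_in_window: int = 0

    def __post_init__(self) -> None:
        for value in (self.error_rate_pps, self.bucket_size):
            if not in_documented_range(value):
                raise ValueError("setting outside the documented range 10-65535")
        self.tokens = float(self.bucket_size)   # bucket starts full (assumption)

    def _refill(self, now: float) -> None:
        # Assumed refill policy: tokens accrue at the error packet rate,
        # capped at the bucket size.
        elapsed = now - self.last_refill
        self.tokens = min(float(self.bucket_size),
                          self.tokens + elapsed * self.error_rate_pps)
        self.last_refill = now

    def allow(self, now: float) -> bool:
        """Decide whether one ICMPv6 error packet may leave the firewall at time `now`."""
        if now - self.window_start >= 1.0:          # start a new one-second rate window
            self.window_start, self.sent_in_window = now, 0
        self._refill(now)
        if self.sent_in_window < self.error_rate_pps:
            self.sent_in_window += 1                # still under the error packet rate
            return True
        if self.tokens >= 1.0:                      # rate reached: the bucket decides
            self.tokens -= 1.0
            return True
        return False                                # bucket empty: packet is throttled


def burst(throttle: Icmpv6Throttle, count: int, now: float) -> int:
    """Offer `count` error packets at the same instant; return how many pass."""
    return sum(1 for _ in range(count) if throttle.allow(now))
```

With the defaults, a burst of 300 packets at t=0 lets 200 through (100 under the rate, 100 from the bucket) and throttles the rest; half a second later only the 50 refilled tokens are available.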
Change Session Timeouts

Step 1: Access the Session Settings.

Step 2: (Optional) Change miscellaneous timeouts.
   Default: Maximum length of time that a non-TCP/UDP or non-ICMP session can be open without a response (range is 1-15999999; default is 30).
   Discard Default: Maximum length of time that a non-TCP/UDP session remains open after PAN-OS denies a session based on security policies configured on the firewall (range is 1-15999999; default is 60).
   Scan: Maximum length of time that any session remains open after it is considered inactive; an application is regarded as inactive when it exceeds the application trickling threshold defined for the application (range is 5-30; default is 10).
   Captive Portal: Authentication session timeout for the Captive Portal web form. To access the requested content, the user must enter the authentication credentials in this form and be successfully authenticated (range is 1-15999999; default is 30).
   To define other Captive Portal timeouts, such as the idle timer and the expiration time before the user must be re-authenticated, select Device > User Identification > Captive Portal Settings. See Configure Captive Portal in User-ID.

Step 3: (Optional) Change TCP timeouts.
   Discard TCP: Maximum length of time that a TCP session remains open after it is denied based on a security policy configured on the firewall. Default: 90. Range: 1-15999999.
   TCP: Maximum length of time that a TCP session remains open without a response, after a TCP session is in the Established state (after the handshake is complete and/or data is being transmitted). Default: 3600. Range: 1-15999999.
   TCP Handshake: Maximum length of time permitted between receiving the SYN-ACK and the subsequent ACK to fully establish the session. Default: 10. Range: 1-60.
   TCP init: Maximum length of time permitted between receiving the SYN and SYN-ACK prior to starting the TCP handshake timer. Default: 5. Range: 1-60.
   TCP Half Closed: Maximum length of time between receiving the first FIN and receiving the second FIN or a RST. Default: 120. Range: 1-604800.
   TCP Time Wait: Maximum length of time after receiving the second FIN or a RST. Default: 15. Range: 1-600.
   Unverified RST: Maximum length of time after receiving a RST that cannot be verified (the RST is within the TCP window but has an unexpected sequence number, or the RST is from an asymmetric path). Default: 30. Range: 1-600.
   See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.

Step 4: (Optional) Change UDP timeouts.
   Discard UDP: Maximum length of time that a UDP session remains open after it is denied based on a security policy configured on the firewall. Default: 60. Range: 1-15999999.
   UDP: Maximum length of time that a UDP session remains open without a UDP response. Default: 30. Range: 1-15999999.
   See also the Scan timeout in the section (Optional) Change miscellaneous timeouts.

Step 5: (Optional) Change ICMP timeouts.
   ICMP: Maximum length of time that an ICMP session can be open without an ICMP response. Default: 6. Range: 1-15999999.
   See also the Discard Default and Scan timeouts in the section (Optional) Change miscellaneous timeouts.

Step 6: Commit the changes.
Click OK and Commit the changes.
Configure Session Settings

Step 1. Change the session settings.

Step 2. Specify whether to apply newly configured Security policy rules to sessions that are in progress.

Step 3. Configure IPv6 settings.

Step 4. Enable jumbo frames and set the MTU.
2. Set the Global MTU, depending on whether or not you enabled jumbo frames:
- If you did not enable jumbo frames, the Global MTU defaults to 1500 bytes; the range is 576 to 1500 bytes.
- If you enabled jumbo frames, the Global MTU defaults to 9192 bytes; the range is 9192 to 9216 bytes.
If you enable jumbo frames and you have interfaces where the MTU is not specifically configured, those interfaces will automatically inherit the jumbo frame size. Therefore, before you enable jumbo frames, if you have any interface that you do not want to have jumbo frames, you must set the MTU for that interface to 1500 bytes or another value.
Step 5. Tune NAT session settings.

Step 6. Tune accelerated aging settings.
Click OK.
Step 7. Enable buffering of multicast route setup packets.
If you enable buffering, you can also tune the Buffer Size, which specifies the buffer size per flow. The firewall can buffer a maximum of 5,000 packets.
You can also tune the duration, in seconds, for which a multicast route remains in the routing table on the firewall after the session ends by configuring the multicast settings on the virtual router that handles your multicast traffic (set the Multicast Route Age Out Time (sec) on the Multicast > Advanced tab in the virtual router configuration).

Step 8. Tune the Maximum Segment Size (MSS) adjustment size settings for a Layer 3 interface.

Step 9. Save the changes.
1. Click OK.
2. Click Commit.

Step 10. Reboot the firewall after changing the jumbo frame configuration.
Click Reboot Device.
Configure a Zone Protection Profile to Prevent TCP Split Handshake Sessions

Step 1. Configure a Zone Protection profile to prevent TCP sessions that use anything other than a three-way handshake to establish a session.
4. Click OK.

Step 2. Apply the profile to one or more security zones.
3. Click OK.
4. (Optional) Repeat steps 1-3 to apply the profile to additional zones.

Step 3. Save the configuration.
Click OK and Commit.
DHCP
This section describes Dynamic Host Configuration Protocol (DHCP) and the tasks required to configure an interface on a Palo Alto Networks firewall to act as a DHCP server, client, or relay agent. By assigning these roles to different interfaces, the firewall can perform multiple roles.
- DHCP Overview
- Firewall as a DHCP Server and Client
- DHCP Messages
- DHCP Addressing
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCP Client
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP
DHCP Overview
DHCP is a standardized protocol defined in RFC 2131, Dynamic Host Configuration Protocol. DHCP has two main purposes: to provide TCP/IP and link-layer configuration parameters and to provide network addresses to dynamically configured hosts on a TCP/IP network.
DHCP uses a client-server model of communication. This model consists of three roles that the device can fulfill: DHCP client, DHCP server, and DHCP relay agent.
- A device acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client devices save configuration time and effort, and need not know the network's addressing plan or other resources and options they are inheriting from the DHCP server.
- A device acting as a DHCP server can service clients. By using any of three DHCP Addressing mechanisms, the network administrator saves configuration time and has the benefit of reusing a limited number of IP addresses when a client no longer needs network connectivity. The server can deliver IP addressing and many DHCP options to many clients.
- A device acting as a DHCP relay agent transmits DHCP messages between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.
An interface on a Palo Alto Networks firewall can perform the role of a DHCP server, client, or relay agent. The interface of a DHCP server or relay agent must be a Layer 3 Ethernet, Aggregated Ethernet, or Layer 3 VLAN interface. You configure the firewall interfaces with the appropriate settings for any combination of roles. The behavior of each role is summarized in Firewall as a DHCP Server and Client.
The firewall supports DHCPv4 Server and DHCPv6 Relay. However, a single interface cannot support both DHCPv4 Server and DHCPv6 Relay.
The Palo Alto Networks implementations of DHCP server and DHCP client support IPv4 addresses only. Its DHCP relay implementation supports IPv4 and IPv6. DHCP client is not supported in High Availability active/active mode.
When the DHCP server receives a DHCPDISCOVER message from a client, the server replies with a DHCPOFFER message containing all of the predefined and user-defined options in the order they appear in the configuration. The client selects the options it needs and responds with a DHCPREQUEST message.
When the server receives a DHCPREQUEST message from a client, the server replies with its DHCPACK message containing only the options specified in the request.
The firewall DHCP Client operates in the following manner:
- When the DHCP client receives a DHCPOFFER from the server, the client automatically caches all of the options offered for future use, regardless of which options it had sent in its DHCPREQUEST.
- By default and to save memory consumption, the client caches only the first value of each option code if it receives multiple values for a code.
- There is no maximum length for DHCP messages unless the DHCP client specifies a maximum in option 57 in its DHCPDISCOVER or DHCPREQUEST messages.
DHCP Messages
DHCP uses eight standard message types, which are identified by an option type number in the DHCP message. For example, when a client wants to find a DHCP server, it broadcasts a DHCPDISCOVER message on its local physical subnetwork. If there is no DHCP server on its subnet and if DHCP Helper or DHCP Relay is configured properly, the message is forwarded to DHCP servers on a different physical subnet. Otherwise, the message will go no further than the subnet on which it originated. One or more DHCP servers will respond with a DHCPOFFER message that contains an available network address and other configuration parameters.
When the client needs an IP address, it sends a DHCPREQUEST to one or more servers. Of course if the client is requesting an IP address, it doesn't have one yet, so RFC 2131 requires that the broadcast message the client sends out have a source address of 0 in its IP header.
When a client requests configuration parameters from a server, it might receive responses from more than one server. Once a client has received its IP address, it is said that the client has at least an IP address and possibly other configuration parameters bound to it. DHCP servers manage such binding of configuration parameters to clients.
The following table lists the DHCP messages.
DHCP Message   Description
DHCPDISCOVER   Client broadcast to find available DHCP servers.
DHCPOFFER      Server response to client's DHCPDISCOVER, offering configuration parameters.
DHCPREQUEST    Client message to one or more servers to do any of the following:
               - Request parameters from one server and implicitly decline offers from other servers.
               - Confirm that a previously allocated address is correct after, for example, a system reboot.
               - Extend the lease of a network address.
DHCPACK        Server-to-client acknowledgment message containing configuration parameters, including a confirmed network address.
DHCPNAK        Server-to-client negative acknowledgment indicating the client's understanding of the network address is incorrect (for example, if the client has moved to a new subnet), or a client's lease has expired.
DHCPDECLINE    Client-to-server message indicating the network address is already being used.
DHCPRELEASE    Client-to-server message giving up the use of the network address and canceling the remaining time on the lease.
DHCPINFORM     Client-to-server message requesting only local configuration parameters; client has an externally configured network address.
DHCP Addressing
- DHCP Address Allocation Methods
- DHCP Leases

DHCP Address Allocation Methods
There are three ways that a DHCP server either assigns or sends an IP address to a client:
- Automatic allocation: The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent.
- Dynamic allocation: The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network. See the DHCP Leases section.
- Static allocation: The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client device. The DHCP assignment remains in place even if the client logs off, reboots, has a power outage, etc.
Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is if a client device is used for something crucial and must keep the same IP address, even if the device is turned off, unplugged, rebooted, or a power outage occurs, etc.
Keep these points in mind when configuring a Reserved Address:
- It is an address from the IP Pools. You may configure multiple reserved addresses.
- If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited).
- If you allocate all of the addresses in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address.
- You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any device. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.

DHCP Leases
A lease is defined as the time period for which a DHCP server allocates a network address to a client. The lease might be extended (renewed) upon subsequent requests. If the client no longer needs the address, it can release the address back to the server before the lease is up. The server is then free to assign that address to a different client if it has run out of unassigned addresses.
The lease period configured for a DHCP server applies to all of the addresses that a single DHCP server (interface) dynamically assigns to its clients. That is, all of that interface's addresses assigned dynamically are of Unlimited duration or have the same Timeout value. A different DHCP server configured on the firewall may have a different lease term for its clients. A Reserved Address is a static address allocation and is not subject to the lease terms.
Per the DHCP standard, RFC 2131, a DHCP client does not wait for its lease to expire, because it risks getting a new address assigned to it. Instead, when a DHCP client reaches the halfway point of its lease period, it attempts to extend its lease so that it retains the same IP address. Thus, the lease duration is like a sliding window.
Typically if an IP address was assigned to a device, the device was subsequently taken off the network and its lease was not extended, the DHCP server will let that lease run out. Because the client is gone from the network and no longer needs the address, the lease duration in the server is reached and the lease is in Expired state.
The firewall has a hold timer that prevents the expired IP address from being reassigned immediately. This behavior temporarily reserves the address for the device in case it comes back onto the network. But if the address pool runs out of addresses, the server reallocates this expired address before the hold timer expires. Expired addresses are cleared automatically as the system needs more addresses or when the hold timer releases them.
In the CLI, use the show dhcp server lease operational command to view lease information about the allocated IP addresses. If you do not want to wait for expired leases to be released automatically, you can use the clear dhcp lease interface <interface> expired-only command to clear expired leases, making those addresses available in the pool again. You can use the clear dhcp lease interface <interface> ip <ip_address> command to release a particular IP address. Use the clear dhcp lease interface <interface> mac <mac_address> command to release a particular MAC address.
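The lease behaviour described in DHCP Addressing and DHCP Leases, modelled as an added example (not firewall code): one lease term per server interface, Unlimited leases, Reserved Addresses outside the lease terms, client renewal at the halfway point, the Expired state with a hold timer, reallocation of an expired address when the pool is exhausted, and an expired-only clear like the CLI command above. The pool, lease and hold values and the MAC addresses are constructed; time is plain seconds.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Lease:
    ip: IPv4Address
    mac: str
    state: str                     # "committed", "reserved" or "expired"
    start: float = 0.0             # when the current term began (a renewal resets it)
    expired_at: Optional[float] = None


class DhcpServerInterface:
    """One DHCP server (interface): a single lease term for every dynamic address it hands out."""

    def __init__(self, pool, lease_seconds, hold_seconds, reserved=None):
        self.pool = [IPv4Address(a) for a in pool]
        self.lease_seconds = lease_seconds          # None means Unlimited
        self.hold_seconds = hold_seconds            # hold timer that follows expiry
        # Reserved Address -> MAC: static allocation, not subject to the lease term
        self.reserved = {IPv4Address(ip): mac for ip, mac in (reserved or {}).items()}
        self.leases = {}                            # IPv4Address -> Lease

    def age(self, now):
        """Expire leases whose term ran out; release expired ones once the hold timer passes."""
        for ip, lease in list(self.leases.items()):
            if (lease.state == "committed" and self.lease_seconds is not None
                    and now >= lease.start + self.lease_seconds):
                lease.state, lease.expired_at = "expired", now
            if lease.state == "expired" and now - lease.expired_at >= self.hold_seconds:
                del self.leases[ip]

    def request(self, mac, now):
        """Allocate or renew an address for mac; returns the IPv4Address, or None if exhausted."""
        self.age(now)
        for ip, owner in self.reserved.items():          # static allocation wins
            if owner == mac:
                self.leases[ip] = Lease(ip, mac, "reserved")
                return ip
        for lease in self.leases.values():               # renewal keeps the same address
            if lease.mac == mac and lease.state == "committed":
                lease.start = now
                return lease.ip
        free = [ip for ip in self.pool if ip not in self.reserved and ip not in self.leases]
        if not free:
            # Pool exhausted: reallocate an expired address before its hold timer
            # ends, oldest expiry first.
            held = sorted((l for l in self.leases.values() if l.state == "expired"),
                          key=lambda l: l.expired_at)
            free = [l.ip for l in held]
        if not free:
            return None
        self.leases[free[0]] = Lease(free[0], mac, "committed", start=now)
        return free[0]

    def should_renew(self, ip, now):
        """RFC 2131 client behaviour: try to extend the lease at its halfway point."""
        lease = self.leases[ip]
        if self.lease_seconds is None or lease.state != "committed":
            return False
        return now >= lease.start + self.lease_seconds / 2

    def clear_expired_only(self):
        """Like 'clear dhcp lease interface <interface> expired-only': free expired addresses now."""
        expired = [ip for ip, l in self.leases.items() if l.state == "expired"]
        for ip in expired:
            del self.leases[ip]
        return expired

    def release(self, ip):
        """DHCPRELEASE: the client gives the address back before the lease is up."""
        self.leases.pop(IPv4Address(ip), None)
```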
DHCP Options
The history of DHCP and DHCP options traces back to the Bootstrap Protocol (BOOTP). BOOTP was used by a host to configure itself dynamically during its booting procedure. A host could receive an IP address and a file from which to download a boot program from a server, along with the server's address and the address of an Internet gateway.
Included in the BOOTP packet was a vendor information field, which could contain a number of tagged fields containing various types of information, such as the subnet mask, the BOOTP file size, and many other values. RFC 1497 describes the BOOTP Vendor Information Extensions. DHCP replaces BOOTP; BOOTP is not supported on the firewall.
These extensions eventually expanded with the use of DHCP and DHCP host configuration parameters, also known as options. Similar to vendor extensions, DHCP options are tagged data items that provide information to a DHCP client. The options are sent in a variable-length field at the end of a DHCP message. For example, the DHCP Message Type is option 53, and a value of 1 indicates the DHCPDISCOVER message. DHCP options are defined in RFC 2132, DHCP Options and BOOTP Vendor Extensions.
A DHCP client can negotiate with the server, limiting the server to send only those options that the client requests.
- Predefined DHCP Options
- Multiple Values for a DHCP Option
- DHCP Options 43, 55, and 60 and Other Customized Options

Predefined DHCP Options
Palo Alto Networks firewalls support user-defined and predefined DHCP options in the DHCP server implementation. Such options are configured on the DHCP server and sent to the clients that sent a DHCPREQUEST to the server. The clients are said to inherit and implement the options that they are programmed to accept.
The firewall supports the following predefined options on its DHCP servers, shown in the order in which they appear on the DHCP Server configuration screen:

DHCP Option   DHCP Option Name
51            Lease duration
              Gateway
              IP Pool Subnet (mask)
              Domain Name System (DNS) server address (primary and secondary)
44            Windows Internet Name Service (WINS) server address (primary and secondary)
41            Network Information Service (NIS) server address (primary and secondary)
42            Network Time Protocol (NTP) server address (primary and secondary)
70            Post Office Protocol Version 3 (POP3) server address
69            Simple Mail Transfer Protocol (SMTP) server address
15            DNS suffix
As mentioned, you can also configure vendor-specific and customized options, which support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP address, ASCII, or hexadecimal format. With the firewall's enhanced DHCP option support, branch offices do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.

Multiple Values for a DHCP Option
You can enter multiple option values for an Option Code with the same Option Name, but all values for a particular code and name combination must be the same type (IP address, ASCII, or hexadecimal). If one type is inherited or entered, and later a different type is entered for the same code and name combination, the second type will overwrite the first type.
You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names. For example, if option CoastalServer (option code 6) is configured with IP address type, option ServerXYZ (option code 6) with ASCII type is also allowed.
The firewall sends multiple values for an option (strung together) to a client in order from top to bottom. Therefore, when entering multiple values for an option, enter the values in the order of preference, or else move the options to achieve your preferred order in the list. The order of options in the firewall configuration determines the order that the options appear in DHCPOFFER and DHCPACK messages.
You can enter an option code that already exists as a predefined option code, and the customized option code will override the predefined DHCP option; the firewall issues a warning.

DHCP Options 43, 55, and 60 and Other Customized Options
The following table describes the option behavior for several options described in RFC 2132.

Option Code: 43
Option Name: Vendor-Specific Information
Option Description/Behavior: Sent from server to client. Vendor-specific information that the DHCP server has been configured to offer to the client. The information is sent to the client only if the server has a Vendor Class Identifier (VCI) in its table that matches the VCI in the client's DHCPREQUEST. An Option 43 packet can contain multiple vendor-specific pieces of information. It can also include encapsulated, vendor-specific extensions of data.

Option Code: 55
Option Name: Parameter Request List
Option Description/Behavior: Sent from client to server. List of configuration parameters (option codes) that a DHCP client is requesting, possibly in order of the client's preference. The server tries to respond with options in the same order.
Option Code: 60
Option Name: Vendor Class Identifier (VCI)
Option Description/Behavior: Sent from client to server. Vendor type and configuration of a DHCP client. The DHCP client sends option code 60 in a DHCPREQUEST to the DHCP server. When the server receives option 60, it sees the VCI, finds the matching VCI in its own table, and then it returns option 43 with the value (that corresponds to the VCI), thereby relaying vendor-specific information to the correct client. Both the client and server have knowledge of the VCI.

You can send custom, vendor-specific option codes that are not defined in RFC 2132. The option codes can be in the range 1-254 and of fixed or variable length.
Custom DHCP options are not validated by the DHCP Server; you must ensure that you enter correct values for the options you create.
For ASCII and hexadecimal DHCP option types, the option value can be a maximum of 255 octets.
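The option exchange described in Firewall as a DHCP Server and Client and in the table above, modelled as an added example (not Palo Alto Networks code): DHCPOFFER carries every configured option in configuration order, DHCPACK carries only the options listed in the client's option 55, in the client's order, and option 43 is returned only when option 60 matches a VCI in the server's table; the encoder enforces the 1-254 code range and the 255-octet value cap. The server's option set, the VCI string and the option 43 payload are constructed.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2131: marks the start of the options field
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_DNS_SUFFIX = 1, 3, 6, 15
OPT_VENDOR_INFO, OPT_LEASE, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_VCI = 43, 51, 53, 55, 60


def ip4(addr):
    return IPv4Address(addr).packed


# Constructed server configuration, in the order the options would appear on the
# DHCP Server screen. The two DNS addresses are "strung together" in one
# option 6 value, as the guide describes for multi-value options.
SERVER_OPTIONS = [
    (OPT_LEASE, struct.pack("!I", 86400)),
    (OPT_ROUTER, ip4("192.168.3.1")),
    (OPT_SUBNET, ip4("255.255.255.0")),
    (OPT_DNS, ip4("10.43.2.10") + ip4("10.44.2.10")),
    (OPT_DNS_SUFFIX, b"example.test"),
]
# Constructed VCI table: option 60 value -> option 43 payload (opaque bytes for the
# client; here a made-up encapsulated sub-option pointing at 10.43.2.30).
VCI_TABLE = {b"AcmePhone/1.0": b"\x01\x04" + ip4("10.43.2.30")}


def encode_options(options):
    """Serialise (code, value) pairs as RFC 2132 TLVs, keeping order and duplicates."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if not 1 <= code <= 254:
            raise ValueError(f"option code {code} outside the range 1-254")
        if len(value) > 255:            # one-octet length field: the 255-octet cap
            raise ValueError(f"option {code} value longer than 255 octets")
        out += bytes((code, len(value))) + value
    out.append(255)                     # End option
    return bytes(out)


def decode_options(data):
    """Parse an options field back into (code, value) pairs; rejects truncated TLVs."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = [], 4
    while i < len(data):
        code = data[i]
        if code == 0:                   # Pad option has no length octet
            i += 1
            continue
        if code == 255:                 # End option
            return options
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"option {code} runs past the end of the message")
        length = data[i + 1]
        options.append((code, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    raise ValueError("options field has no End option")


def message_type(options):
    return next(v[0] for c, v in options if c == OPT_MSG_TYPE)


def server_reply(client_options):
    """Option list of the server's reply to a decoded DHCPDISCOVER or DHCPREQUEST."""
    kind = message_type(client_options)
    if kind == DHCPDISCOVER:
        # DHCPOFFER: all predefined and custom options, in configuration order.
        return [(OPT_MSG_TYPE, bytes([DHCPOFFER]))] + SERVER_OPTIONS
    if kind != DHCPREQUEST:
        raise ValueError(f"unsupported message type {kind}")
    # DHCPACK: only what option 55 asked for, in the client's order; a requested
    # option the server has no value for is simply left out.
    requested = next((v for c, v in client_options if c == OPT_PARAM_LIST), b"")
    configured = dict(SERVER_OPTIONS)
    reply = [(OPT_MSG_TYPE, bytes([DHCPACK]))]
    reply += [(code, configured[code]) for code in requested if code in configured]
    # Option 43 goes back only when option 60 carries a VCI that is in the table.
    vci = next((v for c, v in client_options if c == OPT_VCI), None)
    if vci in VCI_TABLE:
        reply.append((OPT_VENDOR_INFO, VCI_TABLE[vci]))
    return reply


def exchange(client_options):
    """Round-trip client and server options through the wire format; returns reply codes."""
    wire = encode_options(server_reply(decode_options(encode_options(client_options))))
    return [code for code, _ in decode_options(wire)]
```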
- your DHCP server to clients.
- Collect the DHCP options, values, and Vendor Class Identifiers you plan to configure.
Perform the following task to configure an interface on the firewall to act as a DHCP server. You can configure multiple DHCP servers.
Configure an Interface as a DHCP Server

Step 1. Select an interface to be a DHCP Server.
2. Enter an Interface name or select one from the drop-down.
3. For Mode, select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is detected on the network. The disabled setting disables the server.
Step 2. Configure the predefined DHCP Options that the server sends to its clients.
In the Options section, select a Lease type:
- Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them permanently to clients.
- Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally the number of Minutes.
Inheritance Source: Leave None or select a source DHCP client interface or PPPoE client interface to propagate various server settings into the DHCP server. If you specify an Inheritance Source, select one or more options below that you want inherited from this source.
Specifying an inheritance source allows the firewall to quickly add DHCP options from the upstream server received by the DHCP client. It also keeps the client options updated if the source changes an option. For example, if the source replaces its NTP server (which had been identified as the Primary NTP server), the client will automatically inherit the new address as its Primary NTP server.
When inheriting DHCP option(s) that contain multiple IP addresses, the firewall uses only the first IP address contained in the option to conserve cache memory. If you require multiple IP addresses for a single option, configure the DHCP options directly on that firewall rather than configure inheritance.
Check inheritance source status: If you selected an Inheritance Source, clicking this link opens the Dynamic IP Interface Status window, which displays the options that were inherited from the DHCP client.
Gateway: IP address of the network gateway (an interface on the firewall) that is used to reach any device not on the same LAN as this DHCP server.
Subnet Mask: Network mask used with the addresses in the IP Pools.
For the following fields, click the down arrow and select None, or inherited, or enter a remote server's IP address that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source.
- Primary DNS, Secondary DNS: IP address of the preferred and alternate Domain Name System (DNS) servers.
- Primary WINS, Secondary WINS: IP address of the preferred and alternate Windows Internet Naming Service (WINS) servers.
- Primary NIS, Secondary NIS: IP address of the preferred and alternate Network Information Service (NIS) servers.
- Primary NTP, Secondary NTP: IP address of the available Network Time Protocol servers.
- POP3 Server: IP address of a Post Office Protocol (POP3) server.
- SMTP Server: IP address of a Simple Mail Transfer Protocol (SMTP) server.
- DNS Suffix: Suffix for the client to use locally when an unqualified hostname is entered that it cannot resolve.

Step 3. (Optional) Configure a vendor-specific or custom DHCP option that the DHCP server sends to its clients.
1. In the Custom DHCP Options section, click Add and enter a descriptive Name to identify the DHCP option.
2. Enter the Option Code you want to configure the server to offer (range is 1-254). (See RFC 2132 for option codes.)
7. Enter the Option Value you want the DHCP server to offer for that Option Code. You can enter multiple values on separate lines.
8. Click OK.
Step 4. (Optional) Add another vendor-specific or custom DHCP option.
1. Repeat Step 3 to enter another custom DHCP Option.
   You can enter multiple option values for an Option Code with the same Option Name, but all values for an Option Code must be the same type (IP Address, ASCII, or Hexadecimal). If one type is inherited or entered and a different type is entered for the same Option Code and the same Option Name, the second type will overwrite the first type.
   When entering multiple values for an option, enter the values in the order of preference, or else move the Custom DHCP Options to achieve the preferred order in the list. Select an option and click Move Up or Move Down.
   You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names.
2. Click OK.

Step 5. Identify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it to a DHCP client.
   If you are not the network administrator for your network, ask the network administrator for a valid pool of IP addresses from the network plan that can be designated to be assigned by your DHCP server.
1. In the IP Pools field, click Add and enter the range of IP addresses from which this server assigns an address to a client. Enter an IP subnet and subnet mask (for example, 192.168.1.0/24) or a range of IP addresses (for example, 192.168.1.10-192.168.1.20).
   An IP Pool or a Reserved Address is mandatory for dynamic IP address assignment.
   An IP Pool is optional for static IP address assignment as long as the static IP addresses that you assign fall into the subnet that the firewall interface services.
2. (Optional) Repeat Step 1 to specify another IP address pool.

Step 6. (Optional) Specify an IP address from the IP pools that will not be assigned dynamically. If you also specify a MAC Address, the Reserved Address is assigned to that device when the device requests an IP address through DHCP.
   See the DHCP Addressing section for an explanation of allocation of a Reserved Address.
2. Enter an IP address from the IP Pools (format x.x.x.x) that you do not want to be assigned dynamically by the DHCP server.
3. (Optional) Specify the MAC Address (format xx:xx:xx:xx:xx:xx) of the device to which you want to permanently assign the IP address specified in Step 2.

Step 7. Save the configuration.
Click OK and Commit the change.
You can also Configure the Management Interface as a DHCP Client.

Configure an Interface as a DHCP Client

Step 1. Configure an interface as a DHCP client.
1. Select Network > Interfaces.
2. On the Ethernet tab or the VLAN tab, click Add and enter an interface, or click a configured interface, that you want to be a DHCP client.
3. Click the IPv4 tab; for Type, select DHCP Client.
4. Select Enable.

Step 2. Save the configuration.
Click OK and Commit the change.
Now the Ethernet interface indicates Dynamic-DHCP Client in its IP Address field on the Ethernet tab.

Step 3. (Optional) See which interfaces on the firewall are configured as DHCP clients.
If you configure the management interface as a DHCP client, the following restrictions apply:
- You cannot use the management interface in an HA configuration for control link (HA1 or HA1 backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
- You cannot select MGT as the Source Interface when you customize service routes (Device > Setup > Services > Service Route Configuration > Customize). However, you can select Use default to route the packets via the management interface.
- You cannot use the dynamic IP address of the management interface to connect to a Hardware Security Module (HSM). The IP address on the HSM client firewall must be a static IP address because HSM authenticates the firewall using the IP address, and operations on HSM would stop working if the IP address were to change during runtime.
A prerequisite for this task is that the management interface must be able to reach a DHCP server.

Configure the Management Interface as a DHCP Client

Step 1. Configure the Management interface as a DHCP client so that it can receive its IP address (IPv4), netmask (IPv4), and default gateway from a DHCP server. Optionally, you can also send the hostname and client identifier of the management interface to the DHCP server if the orchestration system you use accepts this information.
Step 2. (Optional) Configure the firewall to accept the hostname and domain from the DHCP server.

Step 3. Save the configuration.
Click Commit.

Step 4. View DHCP client information.

Step 5. (Optional) Renew the DHCP lease with the DHCP server, regardless of the lease term. This option is convenient if you are testing or troubleshooting network issues.

Step 6.
Configure an Interface as a DHCP Relay Agent

Select DHCP Relay.

Step 2. Specify the IP address of each DHCP server with which the DHCP relay agent will communicate.
5. (Optional) Repeat Steps 2-4 to enter a maximum of eight DHCP server addresses per IP address family.

Step 3. Save the configuration.
Click OK and Commit the change.

Monitor and Troubleshoot DHCP
- View DHCP Server Information
- Clear Leases Before They Expire Automatically
- View DHCP Client Information
- Gather Debug Output about DHCP

View DHCP Server Information
To view DHCP pool statistics, IP addresses the DHCP server has assigned, the corresponding MAC address, state and duration of the lease, and time the lease began, use the following command. If the address was configured as a Reserved Address, the state column indicates reserved and there is no duration or lease_time. If the lease was configured as Unlimited, the duration column displays a value of 0.
admin@PA-200> show dhcp server lease all
interface: "ethernet1/2"
Allocated IPs: 1, Total number of IPs in pool: 5. 20.0000% used
ip              mac                state      duration   lease_time
192.168.3.11    f0:2f:af:42:70:cf  committed  0          Wed Jul 2 08:10:56 2014
admin@PA-200>
To view the options that a DHCP server has assigned to clients, use the following command:
admin@PA-200> show dhcp server settings all
Interface     GW             DNS1          DNS2          DNS-Suffix    Inherit source
------------------------------------------------------------------------------------
ethernet1/2   192.168.3.1    10.43.2.10    10.44.2.10
ethernet1/3
admin@PA-200>

Clear Leases Before They Expire Automatically
The following example shows how to release expired DHCP Leases of an interface (server) before the hold timer releases them automatically. Those addresses will be available in the IP pool again.
admin@PA-200> clear dhcp lease interface ethernet1/2 expired-only
The following example shows how to release the lease of a particular IP address:
admin@PA-200> clear dhcp lease interface ethernet1/2 ip 192.168.3.1
The following example shows how to release the lease of a particular MAC address:
admin@PA-200> clear dhcp lease interface ethernet1/2 mac f0:2c:ae:29:71:34

View DHCP Client Information
To view the status of IP address leases sent to the firewall when it is acting as a DHCP client, use the show dhcp client state <interface_name> command or the following command:

Gather Debug Output about DHCP
To gather debug output about DHCP, use one of the following commands:
admin@PA-200> debug dhcpd
admin@PA-200> debug management-server dhcpd
NAT
This section describes Network Address Translation (NAT) and how to configure the firewall for NAT. NAT allows you to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses, thereby conserving an organization's routable IP addresses. NAT allows you to not disclose the real IP addresses of hosts that need access to public addresses and to manage traffic by performing port forwarding. You can use NAT to solve network design challenges, enabling networks with identical IP subnets to communicate with each other. The firewall supports NAT on Layer 3 and virtual wire interfaces.
The NAT64 option translates between IPv6 and IPv4 addresses, providing connectivity between networks using disparate IP addressing schemes, and therefore a migration path to IPv6 addressing. IPv6-to-IPv6 Network Prefix Translation (NPTv6) translates one IPv6 prefix to another IPv6 prefix. PAN-OS supports all of these functions.
If you use private IP addresses within your internal networks, you must use NAT to translate the private addresses to public addresses that can be routed on external networks. In PAN-OS, you create NAT policy rules that instruct the firewall which packet addresses and ports need translation and what the translated addresses and ports are.
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples

NAT Policy Rules
- NAT Policy Overview
- NAT Address Pools Identified as Address Objects
- Proxy ARP for NAT Address Pools

NAT Policy Overview
You configure a NAT rule to match a packet's source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet's destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall evaluates the rules in order from the top down. Once a packet matches the criteria of a single NAT rule, the packet is not subjected to additional NAT rules. Therefore, your list of NAT rules should be in order from most specific to least specific so that packets are subjected to the most specific rule you created for them.
Static NAT rules do not have precedence over other forms of NAT. Therefore, for static NAT to work, the static NAT rules must be above all other NAT rules in the list on the firewall.
NAT rules provide address translation, and are different from security policy rules, which allow or deny packets. It is important to understand the firewall's flow logic when it applies NAT rules and security policy rules so that you can determine what rules you need, based on the zones you have defined. You must configure security policy rules to allow the NAT traffic.

Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.

Keep in mind that the translation of the IP address and port does not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.

Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet's outgoing interface and zone, security policies are enforced on the post-NAT zone.

A SIP call sometimes experiences one-way audio when going through the firewall because the call manager sends a SIP message on behalf of the phone to set up the connection. When the message from the call manager reaches the firewall, the SIP ALG must put the IP address of the phone through NAT. If the call manager and the phones are not in the same security zone, the NAT lookup of the IP address of the phone is done using the call manager zone. The NAT policy should take this into consideration.

No-NAT rules are configured to allow exclusion of IP addresses defined within the range of NAT rules defined later in the NAT policy. To define a no-NAT policy, specify all of the match criteria and select No Source Translation in the source translation column. Because NAT rules are evaluated from the top down and the first match wins, the no-NAT rule must be placed above the broader rule it carves the exception out of.
You can verify the NAT rules processed by using the CLI test nat-policy-match command in operational mode. For example:

    user@device1> test nat-policy-match ?
    + destination        Destination IP address
    + destination-port   Destination port
    + from               From zone
    + ha-device-id       HA Active/Active device ID
    + protocol           IP protocol value
    + source             Source IP address
    + source-port        Source port
    + to                 To Zone
    + to-interface       Egress interface to use
    |                    Pipe through a command
    <Enter>              Finish input

    user@device1> test nat-policy-match from l3-untrust source 10.1.1.1 destination 66.151.149.20 destination-port 443 protocol 6
    Destination-NAT: Rule matched: CA2-DEMO
    66.151.149.20:443 => 192.168.100.15:443
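The evaluation order just described (route lookup on the original destination, first-match NAT rule selection on pre-NAT zones, security policy matched on pre-NAT addresses but post-NAT zones, translation applied only at egress) is where most NAT rulebases go wrong. The following Python model is an added example, not code from the guide or from PAN-OS. It walks one packet through that order for the chapter's example topology (trust 192.168.1.0/24, DMZ 10.1.1.0/24, untrust 203.0.113.0/24) and reports the same kind of answer that test nat-policy-match gives; the routing table, zone names, rule names, addresses and the DIPP port handling are assumptions.

```python
"""Model of the NAT and security policy evaluation order described in this chapter.

Added example, not PAN-OS code. The routes, zones, addresses and rule names are
constructed for the chapter's example topology (trust 192.168.1.0/24, dmz 10.1.1.0/24,
untrust 203.0.113.0/24) and are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed routing table: prefix -> zone of the egress interface.
ROUTES = {
    "192.168.1.0/24": "trust",
    "10.1.1.0/24": "dmz",
    "203.0.113.0/24": "untrust",
    "0.0.0.0/0": "untrust",
}


def route_zone(ip: str) -> str:
    """Longest-prefix match: the zone a packet addressed to `ip` leaves through."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n) for n in ROUTES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def _in(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


@dataclass
class Packet:
    src_zone: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                      # zone from the route lookup of the ORIGINAL destination
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None       # service match on the original packet
    src_xlate: Optional[str] = None   # no translation fields at all = "No Source Translation" exemption
    dst_xlate: Optional[str] = None
    dst_xlate_port: Optional[int] = None

    def matches(self, pkt: Packet, pre_nat_dst_zone: str) -> bool:
        return (self.from_zone == pkt.src_zone and self.to_zone == pre_nat_dst_zone
                and _in(pkt.src, self.src) and _in(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str                      # zone where the end host really sits (post-NAT)
    dst: str = "0.0.0.0/0"            # compared with the PRE-NAT destination address
    action: str = "allow"


def evaluate(pkt: Packet, nat_rules, sec_rules) -> dict:
    """Return the matching NAT rule, security rule, verdict and the packet as it egresses."""
    pre_zone = route_zone(pkt.dst)                                        # 1. route lookup on original dst
    nat = next((r for r in nat_rules if r.matches(pkt, pre_zone)), None)   # 2. first NAT match, top down
    post_dst = nat.dst_xlate if nat and nat.dst_xlate else pkt.dst
    post_zone = route_zone(post_dst)                                      # 3. zone of the translated dst
    sec = next((r for r in sec_rules
                if r.from_zone == pkt.src_zone and r.to_zone == post_zone
                and _in(pkt.dst, r.dst)), None)                           # pre-NAT address, post-NAT zone
    result = {"nat_rule": nat.name if nat else None,
              "security_rule": sec.name if sec else None,
              "action": sec.action if sec else "deny"}
    if result["action"] == "allow":                                       # 4. translate only at egress
        result["egress"] = (
            nat.src_xlate if nat and nat.src_xlate else pkt.src,
            pkt.sport,      # DIPP port selection is not modelled here (assumption)
            post_dst,
            nat.dst_xlate_port if nat and nat.dst_xlate_port else pkt.dport,
            post_zone)
    return result


# Constructed rulebase. Order matters: the U-turn rule must precede the catch-all DIPP rule,
# and the exemption must precede the rule it carves a host out of.
NAT_RULES = [
    NatRule("Uturn-web", "trust", "untrust", dst="203.0.113.11/32", dst_xlate="10.1.1.11"),
    NatRule("NoNAT-monitor", "trust", "untrust", src="192.168.1.50/32"),
    NatRule("Outbound-DIPP", "trust", "untrust", src="192.168.1.0/24", src_xlate="203.0.113.100"),
    NatRule("Inbound-web", "untrust", "untrust", dst="203.0.113.11/32", dport=80,
            dst_xlate="10.1.1.11", dst_xlate_port=8080),
    NatRule("Inbound-ssh", "untrust", "untrust", dst="203.0.113.11/32", dport=22,
            dst_xlate="10.1.1.12"),
]
SEC_RULES = [
    SecRule("trust-to-internet", "trust", "untrust"),
    SecRule("trust-to-dmz-web", "trust", "dmz", dst="203.0.113.11/32"),
    SecRule("internet-to-dmz-web", "untrust", "dmz", dst="203.0.113.11/32"),
]
# The classic mistake: a security rule written with the post-NAT address never matches.
WRONG_SEC_RULES = [SecRule("wrong-post-nat-address", "untrust", "dmz", dst="10.1.1.11/32")]
```

Running evaluate() on an inbound packet to 203.0.113.11:80 against WRONG_SEC_RULES returns a deny even though the NAT rule matched, which is exactly the symptom seen on a real firewall when the security rule names the DMZ server's private address instead of its public one.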
NAT Address Pools Identified as Address Objects

When configuring a Dynamic IP or Dynamic IP and Port NAT address pool in a NAT policy rule, it is typical to configure the pool of translated addresses with address objects. Each address object can be a host IP address, IP address range, or IP subnet.

Because both NAT rules and security policy rules use address objects, it is a best practice to distinguish between them by naming an address object used for NAT with a prefix, such as NAT-name.

Proxy ARP for NAT Address Pools

NAT address pools are not bound to any interfaces. The following figure illustrates the behavior of the firewall when it is performing proxy ARP for an address in a NAT address pool.

The firewall performs source NAT for a client, translating the source address 1.1.1.1 to the address in the NAT pool, 2.2.2.2. The translated packet is sent on to a router.

For the return traffic, the router does not know how to reach 2.2.2.2 (because the IP address 2.2.2.2 is just an address in the NAT address pool), so it sends an ARP request packet to the firewall.

If the address pool (2.2.2.2) is in the same subnet as the egress/ingress interface IP address (2.2.2.3/24), the firewall can send a proxy ARP reply to the router, indicating the Layer 2 MAC address of the IP address, as shown in the figure above.

If the address pool (2.2.2.2) is not in a subnet of an interface on the firewall, the firewall will not send a proxy ARP reply to the router. This means that the router must be configured with the necessary route to know where to send packets destined for 2.2.2.2, in order to ensure the return traffic is routed back to the firewall, as shown in the figure below.
Source NAT
Destination NAT

Source NAT
Source NAT is typically used by internal users to access the Internet; the source address is translated and thereby kept private. There are three types of source NAT:

Dynamic IP and Port (DIPP): Allows multiple hosts to have their source IP addresses translated to the same public IP address with different port numbers. The dynamic translation is to the next available address in the NAT address pool, which you configure as a Translated Address pool that can be an IP address, a range of addresses, a subnet, or a combination of these.

As an alternative to using the next address in the NAT address pool, DIPP allows you to specify the address of the interface itself. The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT).

DIPP has a default NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. For more information, see Dynamic IP and Port NAT Oversubscription and Modify the Oversubscription Rate for DIPP NAT.

Dynamic IP: Allows the one-to-one, dynamic translation of a source IP address only (no port number) to the next available address in the NAT address pool. The size of the NAT pool should be equal to the number of internal hosts that require address translations. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable use of DIPP addresses when necessary. In either event, as sessions terminate and the addresses in the pool become available, they can be allocated to translate new connections.

Dynamic IP NAT supports the option for you to Reserve Dynamic IP NAT Addresses.

Static IP: Allows the 1-to-1, static translation of a source IP address, but leaves the source port unchanged. A common scenario for a static IP translation is an internal server that must be available to the Internet.
Destination NAT

Destination NAT is performed on incoming packets, when the firewall translates a public destination address to a private address. Destination NAT does not use address pools or ranges. It is a 1-to-1, static translation with the option to perform port forwarding or port translation.

Static IP: Allows the 1-to-1, static translation of a destination IP address and optionally the port number. One common use of destination NAT is to configure several NAT rules that map a single public destination address to several private destination host addresses assigned to servers or services. In this case, the destination port numbers are used to identify the destination hosts. For example:

Port Forwarding: Can translate a public destination address and port number to a private destination address, but keeps the same port number.

Port Translation: Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the real port number private. It is configured by entering a Translated Port on the Translated Packet tab in the NAT policy rule. See the Destination NAT with Port Translation Example.

If you run out of pool resources, you cannot create more NAT rules, even if the platform's maximum rule count has not been reached.

If you consolidate NAT rules, the logging and reporting will also be consolidated. The statistics are provided per the rule, not per all of the addresses within the rule. If you need granular logging and reporting, do not combine the rules.
Platform       | Default Oversubscription Rate
PA-200         |
PA-500         |
PA-2020        |
PA-2050        |
PA-3020        |
PA-3050        |
PA-3060        |
PA-4020        |
PA-4050        |
PA-4060        |
PA-5020        |
PA-5050        |
PA-5060        |
PA-7050        |
PA-7080        |
VM-100         |
VM-200         |
VM-300         |
VM-1000-HV     |

The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each platform supports a maximum number of translated IP addresses (for all NAT rules combined). If oversubscription causes the maximum translated addresses per rule (256) to be exceeded, the firewall will automatically reduce the oversubscription ratio in an effort to have the commit succeed. However, if your NAT rules result in translations that exceed the maximum translated addresses for the platform, the commit will fail.
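Dynamic IP and Port translation, its oversubscription ratio, and the proxy ARP rule for pool addresses described earlier in this chapter are easier to reason about with a small model. The following Python code is an added example and not PAN-OS code. It implements a DIPP pool that hands out (translated IP, port) pairs, reuses a pair up to the oversubscription ratio, drops a new session when nothing is left, and reports whether a pool address would receive a proxy ARP reply or instead needs a route on the next-hop router. The port range and addresses are constructed, and the rule that an oversubscribed pair is only reused for sessions to a different destination (which is what keeps reply traffic unambiguous) is an assumption about how the ratio is applied.

```python
"""Dynamic IP and Port (DIPP) source NAT pool with oversubscription, plus the proxy ARP check.

Added example, not PAN-OS code. PORT_RANGE is constructed (tiny, so exhaustion shows up in a
few allocations); the reuse-only-for-a-different-destination rule is an assumption.
"""
import ipaddress
from collections import defaultdict

PORT_RANGE = range(1024, 1034)   # constructed: ten translated ports


class DippPool:
    def __init__(self, addresses, oversubscription=1, ports=PORT_RANGE):
        # Every (translated IP, translated port) pair the rule may hand out.
        self.pairs = [(str(ipaddress.ip_address(a)), p) for a in addresses for p in ports]
        self.ratio = oversubscription
        self.in_use = defaultdict(set)   # pair -> destinations (ip, port) currently using it
        self.sessions = {}               # (src, sport, dst, dport) -> pair

    def capacity(self) -> int:
        """Concurrent sessions the rule can carry: pairs times the oversubscription ratio."""
        return len(self.pairs) * self.ratio

    def allocate(self, src, sport, dst, dport):
        """Translated (ip, port) for a new session, or None when the firewall must drop it."""
        key = (src, sport, dst, dport)
        if key in self.sessions:
            return self.sessions[key]
        for pair in self.pairs:
            users = self.in_use[pair]
            # Oversubscription: the same pair is reused up to `ratio` times, but only for
            # sessions to different destinations, so returning packets stay distinguishable.
            if len(users) < self.ratio and (dst, dport) not in users:
                users.add((dst, dport))
                self.sessions[key] = pair
                return pair
        return None

    def release(self, src, sport, dst, dport) -> None:
        """Session ended: the pair becomes usable again."""
        pair = self.sessions.pop((src, sport, dst, dport))
        self.in_use[pair].discard((dst, dport))


def needs_upstream_route(pool_address: str, interface_cidr: str) -> bool:
    """True when the firewall will not proxy-ARP for the pool address because it lies outside
    the egress interface's subnet; the next-hop router then needs a route back to the firewall."""
    iface_net = ipaddress.ip_network(interface_cidr, strict=False)
    return ipaddress.ip_address(pool_address) not in iface_net
```

With one translated address, ten ports and a ratio of 2, the pool carries 20 sessions, but an eleventh host talking to the same destination as the first ten is dropped: every pair already carries that destination, and the oversubscribed slot is only usable for a different one.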
Configure NAT

Perform the following tasks to configure various aspects of NAT. In addition to the examples below, there are examples in the section NAT Configuration Examples.

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
Modify the Oversubscription Rate for DIPP NAT
Disable NAT for a Specific Host or Interface
Reserve Dynamic IP NAT Addresses

The NAT example in this section is based on the following topology:
Based on this topology, there are three NAT policies we need to create, as follows:

To enable the clients on the internal network to access resources on the Internet, the internal 192.168.1.0 addresses will need to be translated to publicly routable addresses. In this case, we will configure source NAT (the purple enclosure and arrow above), using the egress interface address, 203.0.113.100, as the source address in all packets that leave the firewall from the internal zone. See Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT) for instructions.

To enable clients on the internal network to access the public web server in the DMZ zone, we must configure a NAT rule that redirects the packet from the external network, where the original routing table lookup will determine it should go based on the destination address of 203.0.113.11 within the packet, to the actual address of the web server on the DMZ network of 10.1.1.11. To do this you must create a NAT rule from the trust zone (where the source address in the packet is) to the untrust zone (where the original destination address is) to translate the destination address to an address in the DMZ zone. This type of destination NAT is called U-Turn NAT (the yellow enclosure and arrow above). See Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT) for instructions.

To enable the web server, which has both a private IP address on the DMZ network and a public-facing address for access by external users, to both send and receive requests, the firewall must translate the incoming packets from the public IP address to the private IP address and the outgoing packets from the private IP address to the public IP address. On the firewall, you can accomplish this with a single bi-directional static source NAT policy (the green enclosure and arrow above). See Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT).
Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

When a client on your internal network sends a request, the source address in the packet contains the IP address for the client on your internal network. If you use private IP address ranges internally, the packets from the client will not be able to be routed on the Internet unless you translate the source IP address in the packets leaving the network into a publicly routable address.

On the firewall you can do this by configuring a source NAT policy that translates the source address (and optionally the port) into a public address. One way to do this is to translate the source address for all packets to the egress interface on your firewall, as shown in the following procedure.

Configure Source NAT

Step 1: Create an address object for the external IP address you plan to use.
    3. Select IP Netmask from the Type drop-down and then enter the IP address of the external interface on the firewall, 203.0.113.100 in this example.
    4. To save the address object, click OK.
    Although you do not have to use address objects in your policies, it is a best practice because it simplifies administration by allowing you to make updates in one place rather than having to update every policy where the address is referenced.

Step 2: Create the NAT policy.
    2. On the General tab, enter a descriptive Name for the policy.
    3. (Optional) Enter a tag, which is a keyword or phrase that allows you to sort or filter policies.
    4. For NAT Type, select ipv4 (default).
    5. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
    7. For Address Type, there are two choices. You could select Translated Address and then click Add. Select the address object you just created. An alternative Address Type is Interface Address, in which case the translated address will be the IP address of the interface. For this choice, you would select an Interface and optionally an IP Address if the interface has more than one IP address.
    8. Click OK to save the NAT policy.

Step 3: Save the configuration. Click Commit.
Configure Source NAT (Continued)

Step 4: (Optional) Access the CLI to verify the translation.
    3. If you configured Dynamic IP NAT, use the show counter global filter aspect session severity drop | match nat command to see if any sessions failed due to NAT IP allocation. If all of the addresses in the Dynamic IP NAT pool are allocated when a new connection is supposed to be translated, the packet will be dropped.
Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

When a user on the internal network sends a request for access to the corporate web server in the DMZ, the DNS server will resolve it to the public IP address. When processing the request, the firewall will use the original destination in the packet (the public IP address) and route the packet to the egress interface for the untrust zone. In order for the firewall to know that it must translate the public IP address of the web server to an address on the DMZ network when it receives requests from users on the trust zone, you must create a destination NAT rule that will enable the firewall to send the request to the egress interface for the DMZ zone as follows. Remember that the matching security policy rule is written from the trust zone to the DMZ zone (the post-NAT zone) with the public address 203.0.113.11 as the destination (the pre-NAT address), as described in the flow logic at the start of this chapter.

Configure U-Turn NAT

Step 1: Create an address object for the web server.
    2. Enter a Name and optional Description for the object.
    3. Select IP Netmask from the Type drop-down and enter the public IP address of the web server, 203.0.113.11 in this example.
    4. Click OK.

Step 2: Create the NAT policy.
    2. On the General tab, enter a descriptive Name for the NAT rule.
    3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
    4. In the Destination Address section, click Add and select the address object you created for your public web server.
    6. Click OK to save the NAT policy.

Step 3: Save the configuration. Click Commit.
Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. You create a static NAT rule to translate the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our example.

However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from Internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.

Configure Bi-Directional NAT

Step 1: Create an address object for the web server's internal IP address.
    2. Enter a Name and optional Description for the object.
    3. Select IP Netmask from the Type drop-down and enter the IP address of the web server on the DMZ network, 10.1.1.11 in this example.
    4. Click OK.
    If you did not already create an address object for the public address of your web server, you should create that object now.

Step 2: Create the NAT policy.
    2. On the General tab, enter a descriptive Name for the NAT rule.
    3. On the Original Packet tab, select the zone you created for your DMZ in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
    4. In the Source Address section, click Add and select the address object you created for your internal web server address.
    6. In the Bi-directional field, select Yes.
    7. Click OK to save the NAT policy.

Step 3: Save the configuration. Click Commit.
Modify the Oversubscription Rate for DIPP NAT

If you have enough public IP addresses that you do not need to use DIPP NAT oversubscription, you can reduce the oversubscription rate and thereby gain more DIP and DIPP NAT rules allowed.

Set NAT Oversubscription

Step 1: View the DIPP NAT oversubscription rate.

Step 2: Set the DIPP NAT oversubscription rate.
    3. Click OK and Commit the change.
Disable NAT for a Specific Host or Interface

Both source NAT and destination NAT rules can be configured to disable address translation. You may have exceptions where you do not want NAT to occur for a certain host in a subnet or for traffic exiting a specific interface. The following procedure shows how to disable source NAT for a host.

Create a Source NAT Exemption

Step 1: Create the NAT policy.
    2. Enter a descriptive Name for the policy.
    3. On the Original Packet tab, select the zone you created for your internal network in the Source Zone section (click Add and then select the zone) and the zone you created for the external network from the Destination Zone drop-down.
    4. For Source Address, click Add and enter the host address. Click OK.
    5. On the Translated Packet tab, select None from the Translation Type drop-down in the Source Address Translation section of the screen.
    6. Click OK to save the NAT policy.

Step 2: Save the configuration. Click Commit.

NAT rules are processed in order from the top to the bottom, so place the NAT exemption policy before other NAT policies to ensure it is processed before an address translation occurs for the sources you want to exempt.
Reserve Dynamic IP NAT Addresses

You can reserve Dynamic IP NAT addresses (for a configurable period of time) to prevent them from being allocated as translated addresses to a different source IP address that needs translation. When configured, the reservation applies to all of the translated Dynamic IP addresses in progress and any new translations.

For both translations in progress and new translations, when a source IP address is translated to an available translated IP address, that pairing is retained even after all sessions related to that specific source IP are expired. The reservation timer for each source IP address begins after all sessions that use that source IP address translation expire. Dynamic IP NAT is a one-to-one translation; one source IP address translates to one translated IP address that is chosen dynamically from those addresses available in the configured pool. Therefore, a translated IP address that is reserved is not available for any other source IP address until the reservation expires, which happens only if no new session from that source IP address starts within the reservation period. The timer is reset each time a new session for a source IP/translated IP mapping begins, after a period when no sessions were active.

By default, no addresses are reserved. You can reserve Dynamic IP NAT addresses for the firewall or for a virtual system.

Reserve Dynamic IP NAT Addresses

Reserve dynamic IP NAT addresses for a firewall. Enter the following commands:

Reserve dynamic IP NAT addresses for a virtual system. Enter the following commands:

For example, suppose there is a Dynamic IP NAT pool of 30 addresses and there are 20 translations in progress when the nat reserve-time is set to 28800 seconds (8 hours). Those 20 translations are now reserved, so that when the last session (of any application) that uses each source IP/translated IP mapping expires, the translated IP address is reserved for only that source IP address for 8 hours, in case that source IP address needs translation again. Additionally, as the 10 remaining translated addresses are allocated, they each are reserved for their source IP address, each with a timer that begins when the last session for that source IP address expires.

In this manner, each source IP address can be repeatedly translated to its same NAT address from the pool; another host will not be assigned a reserved translated IP address from the pool, even if there are no active sessions for that translated address.

Suppose a source IP/translated IP mapping has all of its sessions expire, and the reservation timer of 8 hours begins. After a new session for that translation begins, the timer stops, and the sessions continue until they all end, at which point the reservation timer starts again, reserving the translated address.

The reservation timer remains in effect on the Dynamic IP NAT pool until you disable it by entering the corresponding set command or you change the nat reserve-time to a different value.

The CLI commands for reservations do not affect Dynamic IP and Port (DIPP) or Static IP NAT pools.
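The reservation semantics above (one-to-one mapping, timer started only when the last session for a source address expires, timer stopped and restarted by a new session, reserved addresses withheld from other hosts, and new sessions dropped when the pool is exhausted) can be reproduced exactly. The following Python class is an added example and not PAN-OS code; time is passed in as an explicit number of seconds so that the behaviour is deterministic, the addresses are constructed, and the pool of 30 with a 28800-second reserve time follows the guide's worked example.

```python
"""Dynamic IP (one-to-one, address only) source NAT pool with the reservation timer.

Added example, not PAN-OS code. Time is an explicit integer number of seconds passed by
the caller; the addresses are constructed.
"""
import ipaddress


class DynamicIpPool:
    def __init__(self, first: str, last: str, reserve_time: int = 0):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.reserve_time = reserve_time      # 0 = no reservation (the default)
        self.mapping = {}                     # source ip -> translated ip, active or reserved
        self.active = {}                      # source ip -> number of live sessions
        self.reserved_until = {}              # source ip -> time at which the reservation lapses

    def set_reserve_time(self, seconds: int) -> None:
        """Applies to translations already in progress as well as new ones."""
        self.reserve_time = seconds

    def _expire(self, now: int) -> None:
        for src, until in list(self.reserved_until.items()):
            if now >= until:                  # reservation lapsed: the address returns to the pool
                del self.reserved_until[src]
                self.free.append(self.mapping.pop(src))

    def new_session(self, src: str, now: int):
        """Translated address for a new session from `src`, or None if the pool is exhausted
        (the firewall drops the session unless Dynamic IP/Port Fallback is enabled)."""
        self._expire(now)
        if src in self.mapping:
            self.reserved_until.pop(src, None)    # the timer stops as soon as a session starts again
        elif self.free:
            self.mapping[src] = self.free.pop(0)  # next available address, one-to-one
        else:
            return None
        self.active[src] = self.active.get(src, 0) + 1
        return self.mapping[src]

    def end_session(self, src: str, now: int) -> None:
        self.active[src] -= 1
        if self.active[src]:
            return
        del self.active[src]
        if self.reserve_time > 0:
            # The timer starts only when the LAST session for this source address expires.
            self.reserved_until[src] = now + self.reserve_time
        else:
            self.free.append(self.mapping.pop(src))

    def translated(self, src: str):
        """Current translated address for `src` (active or reserved), or None."""
        return self.mapping.get(src)
```

The second half of the test below is the guide's scenario: 20 of 30 addresses are in use when the reserve time is set, the first host's sessions end, the remaining 10 addresses are handed out, and a 31st host is dropped even though the first host has no active sessions, because its address is reserved for it until 8 hours after its last session ended.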
Destination NAT Example: One-to-One Mapping
Destination NAT with Port Translation Example
Destination NAT Example: One-to-Many Mapping
Source and Destination NAT Example
Virtual Wire Source NAT Example
Virtual Wire Static NAT Example
Virtual Wire Destination NAT Example

Destination NAT Example: One-to-One Mapping

The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).

The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.

In the following example of a one-to-one destination NAT mapping, users from the zone named Untrust-L3 access the server 10.1.1.100 in the zone named DMZ using the IP address 1.1.1.100.

Before configuring the NAT rules, consider the sequence of events for this scenario.

- Host 1.1.1.250 sends an ARP request for the address 1.1.1.100 (the public address of the destination server).
- The firewall receives the ARP request packet for destination 1.1.1.100 on the Ethernet 1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured.
- The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 1.1.1.100 to 10.1.1.100.
- After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet 1/2 in zone DMZ.
- The firewall performs a security policy lookup to see if the traffic is permitted from zone Untrust-L3 to DMZ.
    - The direction of the policy matches the ingress zone and the zone where the server is physically located.
    - The security policy refers to the IP address in the original packet, which has a destination address of 1.1.1.100.
- The firewall forwards the packet to the server out egress interface Ethernet 1/2. The destination address is changed to 10.1.1.100 as the packet leaves the firewall.

For this example, address objects are configured for webserver-private (10.1.1.100) and Webserver-public (1.1.1.100). The configured NAT rule would look like this:

The direction of the NAT rules is based on the result of the route lookup.

The configured security policy to provide access to the server from the Untrust-L3 zone would look like this:
Destination NAT with Port Translation Example

In this example, the web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 and TCP port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 and TCP port 8080. Address objects are configured for webserver-private (10.1.1.100) and Servers-public (1.1.1.100).

The following NAT and security rules must be configured on the firewall:
Destination NAT Example: One-to-Many Mapping

In this example, one IP address maps to two different internal hosts. The firewall uses the application to identify the internal host to which the firewall forwards the traffic.

All HTTP traffic is sent to host 10.1.1.100 and SSH traffic is sent to server 10.1.1.101. The following address objects are required:

- Address object for the one pre-translated IP address of the server
- Address object for the real IP address of the SSH server
- Address object for the real IP address of the web server

The corresponding address objects are created:

- Servers-public: 1.1.1.100
- SSH-server: 10.1.1.101
- webserver-private: 10.1.1.100

The NAT rules would look like this:

The security rules would look like this:
Source and Destination NAT Example

In this example, NAT rules translate both the source and destination IP address of packets between the clients and the server.

Source NAT: The source addresses in the packets from the clients in the Trust-L3 zone to the server in the Untrust-L3 zone are translated from the private addresses in the network 192.168.1.0/24 to the IP address of the egress interface on the firewall (10.16.1.103). Dynamic IP and Port translation causes the port numbers to be translated also.

Destination NAT: The destination addresses in the packets from the clients to the server are translated from the server's public address (80.80.80.80) to the server's private address (10.2.133.15).

The following address objects are created for destination NAT:

- Server-PreNAT: 80.80.80.80
- Server-postNAT: 10.2.133.15

The following screenshots illustrate how to configure the source and destination NAT policies for the example.
Virtual Wire Source NAT Example

Virtual wire deployment of a Palo Alto Networks firewall includes the benefit of providing security transparently to the end devices. It is possible to configure NAT for interfaces configured in a virtual wire. All of the NAT types are allowed: source NAT (Dynamic IP, Dynamic IP and Port, static) and destination NAT.

Because interfaces in a virtual wire do not have an IP address assigned, it is not possible to translate an IP address to an interface IP address. You must configure an IP address pool.

When performing NAT on virtual wire interfaces, it is recommended that you translate the source address to a different subnet than the one on which the neighboring devices are communicating. The firewall will not proxy ARP for NAT addresses. Proper routing must be configured on the upstream and downstream routers in order for the packets to be translated in virtual wire mode. Neighboring devices will only be able to resolve ARP requests for IP addresses that reside on the interface of the device on the other end of the virtual wire. See Proxy ARP for NAT Address Pools for more explanation about proxy ARP.

In the source NAT and static NAT examples below, security policies (not shown) are configured from the virtual wire zone named vw-trust to the zone named vw-untrust.

In the following topology, two routers are configured to provide connectivity between subnets 1.1.1.0/24 and 3.1.1.0/24. The link between the routers is configured in subnet 2.1.1.0/30. Static routing is configured on both routers to establish connectivity between the networks. Before the firewall is deployed in the environment, the topology and the routing table for each router look like this:

Route on R1:
    Destination    Next Hop
    3.1.1.0/24     2.1.1.2
Route on R2:
    Destination    Next Hop
    1.1.1.0/24     2.1.1.1

Now the firewall is deployed in virtual wire mode between the two Layer 3 devices. All communications from clients in network 1.1.1.0/24 accessing servers in network 3.1.1.0/24 are translated to an IP address in the range 2.1.1.9 to 2.1.1.14. A NAT IP address pool with the range 2.1.1.9 to 2.1.1.14 is configured on the firewall.

All connections from the clients in subnet 1.1.1.0/24 will arrive at router R2 with a translated source address in the range 2.1.1.9 to 2.1.1.14. The response from servers will be directed to these addresses. In order for source NAT to work, you must configure proper routing on router R2, so that packets destined for these addresses are not dropped. The routing table below shows the modified routing table on router R2. The route ensures that traffic to the destinations 2.1.1.9 to 2.1.1.14 (that is, hosts on subnet 2.1.1.8/29) will be sent back through the firewall to router R1.

Route on R2:
    Destination    Next Hop
    2.1.1.8/29     2.1.1.1

Virtual Wire Static NAT Example

In this example, security policies are configured from the virtual wire zone named Trust to the virtual wire zone named Untrust. Host 1.1.1.100 is statically translated to address 2.1.1.100. With the Bi-directional option enabled, the firewall generates a NAT policy from the Untrust zone to the Trust zone. Clients on the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Any connections initiated by the server at 1.1.1.100 are translated to source IP address 2.1.1.100.

Route on R2:
    Destination    Next Hop
    2.1.1.100/32   2.1.1.1
Virtual Wire Destination NAT Example

Clients in the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Both the NAT and security policies must be configured from the Untrust zone to the Trust zone.

Route on R2:
    Destination    Next Hop
    2.1.1.100/32   2.1.1.1
NPTv6

IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). There are four primary benefits of NPTv6:

- You can prevent the asymmetrical routing problems that result from Provider Independent addresses being advertised from multiple data centers.
- NPTv6 allows more specific routes to be advertised so that return traffic arrives at the same firewall that transmitted the traffic.
- Private and public addresses are independent; you can change one without affecting the other.
- You have the ability to translate Unique Local Addresses to globally routable addresses.

This topic builds on a basic understanding of NAT. You should be sure you are familiar with NAT concepts before configuring NPTv6.

NPTv6 Overview
How NPTv6 Works
NDP Proxy
NPTv6 and NDP Proxy Example
Create an NPTv6 Policy

NPTv6 Overview

This section describes IPv6-to-IPv6 Network Prefix Translation (NPTv6) and how to configure it. NPTv6 is defined in RFC 6296. Palo Alto Networks does not implement all functionality defined in the RFC, but is compliant with the RFC in the functionality it has implemented.

NPTv6 performs stateless translation of one IPv6 prefix to another IPv6 prefix. It is stateless, meaning that it does not keep track of ports or sessions on the addresses translated. NPTv6 differs from NAT66, which is stateful. Palo Alto Networks supports NPTv6 RFC 6296 prefix translation; it does not support NAT66.

With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses.

For organizations using IPv6 addressing, there is no need to translate IPv6 addresses to IPv6 addresses due to the abundance of IPv6 addresses. However, there are Reasons to Use NPTv6 to translate IPv6 prefixes at the firewall.

NPTv6 translates the prefix portion of an IPv6 address but not the host portion or the application port numbers. The host portion is simply copied, and therefore remains the same on either side of the firewall. The host portion also remains visible within the packet header.

NPTv6 Does Not Provide Security
Platform Support for NPTv6
Unique Local Addresses
Reasons to Use NPTv6
NPTv6 Does Not Provide Security

It is important to understand that NPTv6 does not provide security. In general, stateless network address translation does not provide any security; it provides an address translation function. NPTv6 does not hide or translate port numbers. You must set up firewall security policies correctly in each direction to ensure that traffic is controlled as you intended.

Platform Support for NPTv6

NPTv6 is supported on the following platforms (NPTv6 with hardware lookup, but packets go through the CPU): PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3060 firewall, PA-3050 firewall, and PA-2000 Series. Platforms supported with no ability to have hardware perform a session lookup: PA-3020 firewall, PA-500 firewall, PA-200 firewall, and VM-Series.

Unique Local Addresses

RFC 4193, Unique Local IPv6 Unicast Addresses, defines unique local addresses (ULAs), which are IPv6 unicast addresses. They can be considered IPv6 equivalents of the private IPv4 addresses identified in RFC 1918, Address Allocation for Private Internets, which cannot be routed globally.

A ULA is globally unique, but not expected to be globally routable. It is intended for local communications and to be routable in a limited area such as a site or among a small number of sites. Palo Alto Networks does not recommend that you assign ULAs, but a firewall configured with NPTv6 will translate prefixes sent to it, including ULAs.

Reasons to Use NPTv6

Although there is no shortage of public, globally routable IPv6 addresses, there are reasons you might want to translate IPv6 addresses. NPTv6:

- Prevents asymmetrical routing: Asymmetric routing can occur if a Provider Independent address space (/48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall where the source IP address was translated by the translator.
- Provides address independence: You need not change the IPv6 prefixes used inside your local network if the global prefixes are changed (for example, by an ISP or as a result of merging organizations). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the Internet. In either case, you update a NAT rule rather than reassign network addresses.
- Translates ULAs for routing: You can have Unique Local Addresses assigned within your private network, and have the firewall translate them to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.
- Reduces exposure to IPv6 prefixes: IPv6 prefixes are less exposed than if you didn't translate network prefixes; however, NPTv6 is not a security measure. The interface identifier portion of each IPv6 address is not translated; it remains the same on each side of the firewall and visible to anyone who can see the packet header. Additionally, the prefixes are not secure; they can be determined by others.
It is important to understand that NPTv6 does not provide security. While you are planning your NPTv6 NAT policies, remember also to configure security policies in each direction.

A NAT or NPTv6 policy rule cannot have both the Source Address and the Translated Address set to Any.

In an environment where you want IPv6 prefix translation, three firewall features work together: NPTv6 NAT policies, security policies, and NDP Proxy.

The firewall does not translate the following:

- Addresses that the firewall has in its Neighbor Discovery (ND) cache.
- The subnet 0xFFFF (in accordance with RFC 6296, Appendix B).
- IP multicast addresses.
- IPv6 addresses with a prefix length of /31 or shorter.
- Link-local addresses. If the firewall is operating in virtual wire mode, there are no IP addresses to translate, and the firewall does not translate link-local addresses.
- Addresses for TCP sessions that authenticate peers using the TCP Authentication Option (RFC 5925).

When using NPTv6, performance for fast-path traffic is impacted because NPTv6 is performed in the slow path.

NPTv6 will work with IPSec IPv6 only if the firewall is originating and terminating the tunnel. Transit IPSec traffic would fail because the source and/or destination IPv6 address would be modified. A NAT traversal technique that encapsulates the packet would allow IPSec IPv6 to work with NPTv6.

Checksum-Neutral Mapping
PaloAltoNetworks,Inc.
PANOS7.1AdministratorsGuide 781
NPTv6
Networking
BiDirectionalTranslation
NPTv6AppliedtoaSpecificService
ChecksumNeutralMapping
The NPTv6 mapping translations that the firewall performs are checksum-neutral, meaning that "...they result in IP headers that will generate the same IPv6 pseudo-header checksum when the checksum is calculated using the standard Internet checksum algorithm [RFC 1071]." See RFC 6296, Section 2.6, for more information about checksum-neutral mapping.
If you are using NPTv6 to perform destination NAT, you can provide the internal IPv6 address and the external prefix/prefix length of the firewall interface in the syntax of the test nptv6 CLI command. The CLI responds with the checksum-neutral, public IPv6 address to use in your NPTv6 configuration to reach that destination.
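To make concrete what checksum-neutral means, the following added example (illustration code, not Palo Alto Networks code and not the implementation behind the test nptv6 command) applies the RFC 6296 algorithm to the prefixes used in the NPTv6 example in this section, FDD4:7A3E::/48 inside and 2001:DB8::/48 outside; the /48 length and the sample addresses are assumptions. It computes the constant "adjustment" (the one's complement sum of the internal prefix words minus that of the external prefix words), writes it into the subnet field (bits 48 to 63) for prefixes of /48 or shorter, or into the first interface-identifier word that is not 0xFFFF for longer prefixes, and refuses subnet 0xFFFF, which is why the firewall does not translate it: 0xFFFF and 0x0000 are the same value in one's complement, so the two subnets would map onto the same external address.

```python
"""Worked example of RFC 6296 checksum-neutral prefix mapping (NPTv6).

Added illustration, not Palo Alto Networks code and not the implementation
behind the test nptv6 command. Prefix lengths and sample addresses are
assumptions built on the example in this section.
"""
import ipaddress


def ones_complement_sum(words):
    """16-bit one's complement sum of the words (RFC 1071 checksum arithmetic)."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_add(a, b):
    """Add two 16-bit words in one's complement. A result of 0xFFFF is written as
    0x0000 (RFC 6296 Section 3.1); the two are the same value in that arithmetic."""
    total = ones_complement_sum([a, b])
    return 0 if total == 0xFFFF else total


def ones_complement_neg(a):
    """Negate a 16-bit word in one's complement (bitwise complement)."""
    return (~a) & 0xFFFF


def words16(addr):
    """Split an IPv6 address into its eight 16-bit words, most significant first."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words16(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def is_checksum_neutral(addr_a, addr_b):
    """True if both addresses contribute the same one's complement sum to the
    IPv6 pseudo-header checksum (0x0000 and 0xFFFF both count as zero)."""
    return (ones_complement_sum(words16(addr_a)) % 0xFFFF
            == ones_complement_sum(words16(addr_b)) % 0xFFFF)


class NPTv6Translator:
    """Stateless, checksum-neutral translator for one internal/external prefix pair."""

    def __init__(self, internal_prefix, external_prefix):
        self.internal = ipaddress.IPv6Network(internal_prefix)
        self.external = ipaddress.IPv6Network(external_prefix)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("internal and external prefixes must have the same length")
        if not 32 <= self.internal.prefixlen <= 64:   # the supported range stated in the guide
            raise ValueError("prefix length must be between /32 and /64")
        self.plen = self.internal.prefixlen
        # Adjustment = sum(internal prefix words) - sum(external prefix words) in one's
        # complement; constant for the life of the rule (RFC 6296 Section 3.1).
        self.adjustment = ones_complement_add(
            ones_complement_sum(words16(self.internal.network_address)),
            ones_complement_neg(ones_complement_sum(words16(self.external.network_address))))

    def _adjust_index(self, words):
        """Index of the 16-bit word that absorbs the adjustment, or None if untranslatable."""
        if self.plen <= 48:
            # Subnet field, bits 48..63. Subnet 0xFFFF is excluded (RFC 6296 Appendix B):
            # it would map to the same external address as subnet 0x0000.
            return None if words[3] == 0xFFFF else 3
        for idx in range(4, 8):   # longer prefixes: first IID word that is not 0xFFFF (Section 3.2)
            if words[idx] != 0xFFFF:
                return idx
        return None

    def _translate(self, addr, from_net, to_net, adjustment):
        addr = ipaddress.IPv6Address(addr)
        if addr not in from_net:
            raise ValueError(f"{addr} is not within {from_net}")
        # Swap the prefix bits; everything after the prefix is carried over unchanged.
        mask = ((1 << self.plen) - 1) << (128 - self.plen)
        swapped = (int(addr) & ~mask & ((1 << 128) - 1)) | (int(to_net.network_address) & mask)
        words = words16(ipaddress.IPv6Address(swapped))
        idx = self._adjust_index(words)
        if idx is None:
            raise ValueError(f"{addr} cannot be translated under NPTv6")
        words[idx] = ones_complement_add(words[idx], adjustment)
        return from_words16(words)

    def outbound(self, addr):
        """Internal to external (source translation on egress)."""
        return self._translate(addr, self.internal, self.external, self.adjustment)

    def inbound(self, addr):
        """External to internal (destination translation on ingress)."""
        return self._translate(addr, self.external, self.internal,
                               ones_complement_neg(self.adjustment))

    def can_translate(self, addr):
        try:
            self.outbound(addr)
            return True
        except ValueError:
            return False


if __name__ == "__main__":
    # Prefixes from the NPTv6 example in this section; /48 is an assumption.
    nat = NPTv6Translator("FDD4:7A3E::/48", "2001:DB8::/48")
    inside = "FDD4:7A3E::100"
    outside = nat.outbound(inside)
    print(f"adjustment 0x{nat.adjustment:04X}: {inside} -> {outside} -> {nat.inbound(outside)}")
    print("checksum neutral:", is_checksum_neutral(inside, outside))
```

Running it shows that FDD4:7A3E::100 leaves the firewall as 2001:DB8:0:4A5A::100 rather than 2001:DB8::100: the subnet word absorbs the difference between the two prefixes so that the transport checksum already in the packet stays valid, and translating the result back recovers the original address. That subnet-adjusted form is the kind of value the test nptv6 command reports for destination NAT; a rule or an upstream ACL written on the assumption that the translated address keeps a zero subnet field will not match the traffic.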
Bi-Directional Translation
When you Create an NPTv6 Policy, the Bi-directional option in the Translated Packet tab provides a convenient way for you to have the firewall create a corresponding NAT or NPTv6 translation in the opposite direction of the translation you configured. By default, Bi-directional translation is disabled.
If you enable Bi-directional translation, it is very important to make sure you have security policies in place to control the traffic in both directions. Without such policies, the Bi-directional feature will allow packets to be automatically translated in both directions, which you might not want.

NPTv6 Applied to a Specific Service
The Palo Alto Networks implementation of NPTv6 offers the ability to filter packets to limit which packets are subject to translation. Keep in mind that NPTv6 does not perform port translation. There is no concept of Dynamic IP and Port (DIPP) translation because NPTv6 translates IPv6 prefixes only. However, you can specify that only packets for a certain service port undergo NPTv6 translation. To do so, Create an NPTv6 Policy that specifies a Service in the Original Packet.
NDP Proxy
Neighbor Discovery Protocol (NDP) for IPv6 performs functions similar to those provided by Address Resolution Protocol (ARP) for IPv4. RFC 4861 defines Neighbor Discovery for IP version 6 (IPv6). Hosts, routers, and firewalls use NDP to determine the link-layer addresses of neighbors on connected links, to keep track of which neighbors are reachable, and to update neighbors' link-layer addresses that have changed. Peers advertise their own MAC address and IPv6 address, and they also solicit addresses from peers.
NDP also supports the concept of proxy, when a node has a neighboring device that is able to forward packets on behalf of the node. The device (firewall) performs the role of NDP Proxy.
Palo Alto Networks firewalls support NDP and NDP Proxy on their interfaces. When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall. You can also configure addresses for which the firewall will not respond to proxy requests (negated addresses).
In fact, NDP is enabled by default, and you need to configure NDP Proxy when you configure NPTv6, for the following reasons:
• The stateless nature of NPTv6 requires a way to instruct the firewall to respond to ND packets sent to specified NDP Proxy addresses, and to not respond to negated NDP Proxy addresses.
  It is recommended that you negate your neighbors' addresses in the NDP Proxy configuration, because NDP Proxy indicates the firewall will reach those addresses behind the firewall, but the neighbors are not behind the firewall.
• NDP causes the firewall to save the MAC addresses and IPv6 addresses of neighbors in its ND cache. (Refer to the figure in NPTv6 and NDP Proxy Example.) The firewall does not perform NPTv6 translation for addresses that it finds in its ND cache because doing so could introduce a conflict. If the host portion of an address in the cache happens to overlap with the host portion of a neighbor's address, and the prefix in the cache is translated to the same prefix as that of the neighbor (because the egress interface on the firewall belongs to the same subnet as the neighbor), then you would have a translated address that is exactly the same as the legitimate IPv6 address of the neighbor, and a conflict occurs. (If an attempt to perform NPTv6 translation occurs on an address in the ND cache, an informational syslog message logs the event: NPTv6 Translation Failed.)
When an interface with NDP Proxy enabled receives an ND solicitation requesting a MAC address for an IPv6 address, the following sequence occurs:
1. The firewall searches the ND cache to ensure the IPv6 address from the solicitation is not there. If the address is there, the firewall ignores the ND solicitation.
2. If the source IPv6 address is 0, that means the packet is a Duplicate Address Detection packet, and the firewall ignores the ND solicitation.
3. The firewall does a Longest Prefix Match search of the NDP Proxy addresses and finds the best match to the address in the solicitation. If the Negate field for the match is checked (in the NDP Proxy list), the firewall drops the ND solicitation.
4. Only if the Longest Prefix Match search matches, and that matched address is not negated, will the NDP Proxy respond to the ND solicitation. The firewall responds with an ND packet, providing its own MAC address as the MAC address of the next hop toward the queried destination.
In order to successfully support NDP, the firewall does not perform NDP Proxy for the following:
• Duplicate Address Detection (DAD).
• Addresses in the ND cache (because such addresses do not belong to the firewall; they belong to discovered neighbors).
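The lookup sequence above, as an added example that is not part of the guide or of PAN-OS: a small Python model of the decision an NDP Proxy interface makes for one Neighbor Solicitation, returning the action taken so that each branch can be checked. The ND cache contents and the proxy list are constructed from the NPTv6 and NDP Proxy example in this section; the /64 length of the proxied prefix, the /128 negated entries for the untrust-side neighbors, and the 2001:DB8::200 host are assumptions.

```python
"""Model of the NDP Proxy lookup sequence described for the firewall.

Added illustration, not PAN-OS code. Prefix lengths and the sample hosts are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

UNSPECIFIED = ipaddress.IPv6Address("::")  # source of a Duplicate Address Detection solicitation


@dataclass(frozen=True)
class ProxyEntry:
    """One row of the NDP Proxy list: an address/prefix and its Negate checkbox."""
    prefix: ipaddress.IPv6Network
    negate: bool = False


def longest_prefix_match(target, entries):
    """Return the most specific proxy entry containing target, or None."""
    matches = [e for e in entries if target in e.prefix]
    return max(matches, key=lambda e: e.prefix.prefixlen) if matches else None


def ndp_proxy_decision(source, target, nd_cache, entries):
    """Apply the lookup sequence to one Neighbor Solicitation.

    Returns one of "ignore-cached", "ignore-dad", "drop-negated", "no-match"
    or "respond"; only "respond" makes the firewall answer with its own MAC
    address as the next hop toward target.
    """
    source = ipaddress.IPv6Address(source)
    target = ipaddress.IPv6Address(target)
    # 1. Never answer for an address already learned from a real neighbor.
    if target in nd_cache:
        return "ignore-cached"
    # 2. A DAD probe has the unspecified source; answering it would break DAD on the link.
    if source == UNSPECIFIED:
        return "ignore-dad"
    # 3. Longest Prefix Match; a negated best match drops the solicitation.
    best = longest_prefix_match(target, entries)
    if best is None:
        return "no-match"
    if best.negate:
        return "drop-negated"
    # 4. Matched and not negated: proxy the address.
    return "respond"


def example_topology():
    """ND cache and proxy list built from the NPTv6 and NDP Proxy example (constructed)."""
    nd_cache = {ipaddress.IPv6Address(a) for a in (
        "FDDA:7A3E::1", "FDDA:7A3E::2", "FDDA:7A3E::3",   # trust side
        "2001:DB8::1", "2001:DB8::2", "2001:DB8::3")}     # untrust side
    entries = [
        ProxyEntry(ipaddress.IPv6Network("2001:DB8::/64")),   # prefix the firewall proxies (/64 assumed)
        # Recommended: negate the neighbors; they sit beside the firewall, not behind it.
        ProxyEntry(ipaddress.IPv6Network("2001:DB8::1/128"), negate=True),
        ProxyEntry(ipaddress.IPv6Network("2001:DB8::2/128"), negate=True),
        ProxyEntry(ipaddress.IPv6Network("2001:DB8::3/128"), negate=True),
        # Constructed: a host the proxy must never claim, even though it is inside the /64.
        ProxyEntry(ipaddress.IPv6Network("2001:DB8::200/128"), negate=True),
    ]
    return nd_cache, entries


if __name__ == "__main__":
    cache, table = example_topology()
    for src, tgt in [("2001:DB8::1", "2001:DB8::100"), ("2001:DB8::1", "2001:DB8::2"),
                     ("::", "2001:DB8::100"), ("2001:DB8::1", "2001:DB8::200"),
                     ("2001:DB8::1", "2001:DB9::1")]:
        print(f"NS from {src} for {tgt}: {ndp_proxy_decision(src, tgt, cache, table)}")
```

The order of the checks matters for the recommendation to negate neighbors: an address that is already in the ND cache is ignored before the proxy list is consulted, so the negated entries only take effect for neighbors the firewall has not yet learned, which is exactly the window in which a proxied /64 would otherwise let the firewall claim a real neighbor's address.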
• The ND Cache in NPTv6 Example
• The NDP Proxy in NPTv6 Example
• The NPTv6 Translation in NPTv6 Example
• Neighbors in the ND Cache are Not Translated

The ND Cache in NPTv6 Example
In the above example, multiple peers connect to the firewall through a switch, with ND occurring between the peers and the switch, between the switch and the firewall, and between the firewall and the devices on the trust side.
As the firewall learns of peers, it saves their addresses to its ND cache. Trusted peers FDDA:7A3E::1, FDDA:7A3E::2, and FDDA:7A3E::3 are connected to the firewall on the trust side. FDDA:7A3E::99 is the untranslated address of the firewall itself; its public-facing address is 2001:DB8::99. The addresses of the peers on the untrust side have been discovered and appear in the ND cache: 2001:DB8::1, 2001:DB8::2, and 2001:DB8::3.

The NDP Proxy in NPTv6 Example
In our scenario, we want the firewall to act as NDP Proxy for the prefixes on devices behind the firewall. When the firewall is NDP Proxy for a specified set of addresses/ranges/prefixes, and it sees an address from this range in an ND solicitation or advertisement, the firewall will respond as long as a device with that specific address doesn't respond first, the address is not negated in the NDP proxy configuration, and the address is not in the ND cache. The firewall does the prefix translation (described below) and sends the packet to the trust side, where that address might or might not be assigned to a device.
In this example, the ND Proxy table contains the network address 2001:DB8::0. When the interface sees an ND for 2001:DB8::100, no other devices on the L2 switch claim the packet, so the proxy range causes the firewall to claim it, and after translation to FDD4:7A3E::100, the firewall sends it out to the trust side.

The NPTv6 Translation in NPTv6 Example
In this example, the Original Packet is configured with a Source Address of FDD4:7A3E::0 and a Destination of Any. The Translated Packet is configured with the Translated Address of 2001:DB8::0.
Therefore, outgoing packets with a source of FDD4:7A3E::0 are translated to 2001:DB8::0. Incoming packets with a destination prefix in the network 2001:DB8::0 are translated to FDD4:7A3E::0.

Neighbors in the ND Cache are Not Translated
In our example, there are hosts behind the firewall with host identifiers :1, :2, and :3. If the prefixes of those hosts are translated to a prefix that exists beyond the firewall, and if those devices also have host identifiers :1, :2, and :3, because the host identifier portion of the address remains unchanged, the resulting translated address would belong to the existing device, and an addressing conflict would result. In order to avoid a conflict with overlapping host identifiers, NPTv6 does not translate addresses that it finds in its ND cache.
Step 1  Create a new NPTv6 policy.
1. Select Policies > NAT and click Add.
2. On the General tab, enter a descriptive Name for the NPTv6 policy rule.
3. (Optional) Enter a Description and Tag.
4. For NAT Type, select NPTv6.

Configure an NPTv6 Policy (Continued)
Step 2  Specify the match criteria for incoming packets; packets that match all of the criteria are subject to the NPTv6 translation. Zones are required for both types of translation.
1.
2. Enter the Destination Zone to which the policy applies.
3. (Optional) Select a Destination Interface.
4. (Optional) Select a Service to restrict what type of packets are translated.
5. If you are doing source translation, enter a Source Address or select Any. The address could be an address object. The following constraints apply to Source Address and Destination Address:
   • Prefixes of Source Address and Destination Address for the Original Packet and Translated Packet must be in the format xxxx:xxxx::/yy, although leading zeros in the prefix can be dropped.
   • The IPv6 address cannot have an interface identifier (host) portion defined.
   • The range of supported prefix lengths is /32 to /64.
   • The Source Address and Destination Address cannot both be set to Any.
6. If you are doing source translation, you can optionally enter a Destination Address. If you are doing destination translation, the Destination Address is required. See the constraints listed in the prior step.
Step 3  Specify the translated packet.
1. On the Translated Packet tab, if you want to do source translation, in the Source Address Translation section, for Translation Type, select Static IP. If you do not want to do source translation, select None.
2.
3. (Optional) Select Bi-directional if you want the firewall to create a corresponding NPTv6 translation in the opposite direction of the translation you configure.
   If you enable Bi-directional translation, it is very important to make sure you have Security policy rules in place to control the traffic in both directions. Without such policy rules, Bi-directional translation allows packets to be automatically translated in both directions, which you might not want.
4. If you want to do destination translation, select Destination Address Translation. In the Translated Address field, choose an address object from the drop-down or enter your internal destination address.
5. Click OK.

Configure an NPTv6 Policy (Continued)
Step 4  Configure NDP Proxy. When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall.
1.
2.
3.
4.
Step 5  Save the configuration.
Click OK and Commit.
ECMP
Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route. Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
• Load balance flows (sessions) to the same destination over multiple equal-cost links.
• Efficiently use all available bandwidth on links to the same destination rather than leave some links unused.
• Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than having to wait for the routing protocol or RIB table to elect an alternative path/route. This can help reduce downtime when links fail.
For information about ECMP path selection when an HA peer fails, see ECMP in Active/Active HA Mode.
The following sections describe ECMP and how to configure it.
• ECMP Load Balancing Algorithms
• ECMP Platform, Interface, and IP Routing Support
• Configure ECMP on a Virtual Router
• Enable ECMP for Multiple BGP Autonomous Systems
• Verify ECMP
The four algorithm choices emphasize different priorities, as follows:
ECMP has the following restrictions:
• PA-2000 Series firewalls and PA-4000 Series firewalls with ECMP enabled might not be able to offload sessions to hardware for forwarding. Packets matching ECMP routes will be sent to software, while packets matching non-ECMP routes can still be forwarded by hardware.
• For the PA-4000 Series firewalls, packets to be forwarded by ECMP routes will be sent to software for route lookup and forwarding, even though the session is in offloaded state.
• Virtual router-to-virtual router routing using static routes does not support ECMP.
Enabling, disabling, or changing ECMP for an existing virtual router causes the system to restart the virtual router, which might cause sessions to be terminated.
Configure ECMP on a Virtual Router
Step 1  Enable ECMP for a virtual router.
1.
2.
Step 2  (Optional) Enable symmetric return of packets from server to client.
Step 3  Specify the maximum number of equal-cost paths (to a destination network) that can be copied from the Routing Information Base (RIB) to the Forwarding Information Base (FIB).
For Max Path allowed, enter 2, 3, or 4. Default: 2.
Step 4

Configure ECMP on a Virtual Router (Continued)
Step 5
Step 6
1.
2.
Step 7
Step 8
Save the configuration.
Save the configuration.
1. Create an ECMP group by clicking Add and selecting an Interface from the drop-down.
2. Add the other interfaces in the ECMP group.
3. Click on Weight and specify the relative weight for each interface (range is 1-255; default is 100).
1. Click OK.
2. At the ECMP Configuration Change prompt, click Yes to restart the virtual router. Restarting the virtual router might cause existing sessions to be terminated.
   This message displays only if you are modifying an existing virtual router with ECMP.
Commit the configuration.
In the following figure, two ECMP paths to a destination go through two firewalls belonging to two different ISPs in different BGP autonomous systems.

Enable ECMP for BGP Autonomous Systems
Step 1  Configure ECMP.
See Configure ECMP on a Virtual Router.

Enable ECMP for BGP Autonomous Systems (Continued)
Step 2  For BGP routing, enable ECMP over multiple autonomous systems.
1.
2. Click OK and Commit the configuration.
Step 3  Save the configuration.

Verify ECMP
A virtual router configured for ECMP indicates in the Forwarding Information Base (FIB) table which routes are ECMP routes. An ECMP flag (E) for a route indicates that it is participating in ECMP for the egress interface to the next hop for that route. To verify ECMP, use the following procedure to look at the FIB and confirm that some routes are equal-cost multiple paths.

Confirm That Routes Are Equal-Cost Multiple Paths
Step 1
Step 2
Step 3  Select Routing > Forwarding Table to see the FIB. In the table, note that multiple routes to the same Destination (out a different Interface) have the E flag. An asterisk (*) denotes the preferred path for the ECMP group.
LLDP
Palo Alto Networks firewalls support Link Layer Discovery Protocol (LLDP), which functions at the link layer to discover neighboring devices and their capabilities. LLDP allows the firewall and other network devices to send and receive LLDP data units (LLDPDUs) to and from neighbors. The receiving device stores the information in a MIB, which the Simple Network Management Protocol (SNMP) can access. LLDP makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected by a ping or traceroute.
• LLDP Overview
• Supported TLVs in LLDP
• LLDP Syslog Messages and SNMP Traps
• Configure LLDP
• View LLDP Settings and Status
• Clear LLDP Statistics

LLDP Overview
LLDP operates at Layer 2 of the OSI model, using MAC addresses. An LLDPDU is a sequence of type-length-value (TLV) elements encapsulated in an Ethernet frame. The IEEE 802.1AB standard defines three MAC addresses for LLDPDUs: 01-80-C2-00-00-0E, 01-80-C2-00-00-03, and 01-80-C2-00-00-00.
The Palo Alto Networks firewall supports only one MAC address for transmitting and receiving LLDP data units: 01-80-C2-00-00-0E. When transmitting, the firewall uses 01-80-C2-00-00-0E as the destination MAC address. When receiving, the firewall processes datagrams with 01-80-C2-00-00-0E as the destination MAC address. If the firewall receives either of the other two MAC addresses for LLDPDUs on its interfaces, the firewall takes the same forwarding action it took prior to this feature, as follows:
• If the interface type is vwire, the firewall forwards the datagram to the other port.
• If the interface type is L2, the firewall floods the datagram to the rest of the VLAN.
• If the interface type is L3, the firewall drops the datagrams.
The PA-2000 Series platform is not supported due to the hardware limitation of how Aggregated Ethernet interfaces function. Panorama, the GlobalProtect Mobile Security Manager, and the WildFire appliance are also not supported.
Interface types that do not support LLDP are TAP, high availability (HA), Decrypt Mirror, virtual wire/vlan/L3 subinterfaces, and PA-7000 Series Log Processing Card (LPC) interfaces.
An LLDP Ethernet frame has the following format:
Within the LLDP Ethernet frame, the TLV structure has the following format:
TLV Type                 Description
Chassis ID TLV           Identifies the firewall chassis. Each firewall must have exactly one unique Chassis ID. The Chassis ID subtype is 4 (MAC address); Palo Alto Networks platforms use the MAC address of Eth0 to ensure uniqueness.
Port ID TLV              Identifies the port from which the LLDPDU is sent. Each firewall uses one Port ID for each LLDPDU message transmitted. The Port ID subtype is 5 (interface name) and uniquely identifies the transmitting port. The firewall uses the interface's ifname as the Port ID.
Time-to-live (TTL) TLV   Specifies how long (in seconds) LLDPDU information received from the peer is retained as valid in the local firewall (range is 0-65535). The value is a multiple of the LLDP Hold Time Multiplier. When the TTL value is 0, the information associated with the device is no longer valid and the firewall removes that entry from the MIB.
End of LLDPDU TLV        Indicates the end of the TLVs in the LLDP Ethernet frame.
The following table lists the optional TLVs that the Palo Alto Networks firewall supports:

Optional TLVs
TLV Type                 Purpose and Notes Regarding Firewall Implementation
Port Description TLV     Describes the port of the firewall in alphanumeric format. The ifAlias object is used.
System Name TLV          Configured name of the firewall in alphanumeric format. The sysName object is used.
System Description TLV   Describes the firewall in alphanumeric format. The sysDescr object is used.
System Capabilities      Describes the deployment mode of the interface, as follows:
                         • An L3 interface is advertised with router (bit 6) capability and the other bit (bit 1).
                         • An L2 interface is advertised with MAC Bridge (bit 3) capability and the other bit (bit 1).
                         • A virtual wire interface is advertised with Repeater (bit 2) capability and the other bit (bit 1).
Management Address       One or more IP addresses used for firewall management, as follows:
                         • IP address of the management (MGT) interface
                         • IPv4 and/or IPv6 address of the interface
                         • Loopback address
                         • User-defined address entered in the management address field
                         If no management IP address is provided, the default is the MAC address of the transmitting interface.
                         Included is the interface number of the management address specified. Also included is the OID of the hardware interface with the management address specified (if applicable).
                         If more than one management address is specified, they will be sent in the order they are specified, starting at the top of the list. A maximum of four Management Addresses are supported.
                         This is an optional parameter and can be left disabled.
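As an added example, not part of the guide or of PAN-OS, the following Python code builds and parses an LLDP frame with the structure described above: the 01-80-C2-00-00-0E destination, EtherType 0x88CC, then TLVs carrying a 7-bit type and 9-bit length, with the three mandatory TLVs first (Chassis ID with subtype 4, Port ID with subtype 5, TTL) and End of LLDPDU last. The TLV type numbers and the system capability bit values follow IEEE 802.1AB; the chassis MAC, interface names, TTL and hostname in the sample frames are constructed. The parser also reports the conditions that the firewall's Status tab counts separately: a length error, mandatory TLVs missing or out of order, and TLV types in the reserved range, which it counts as unrecognized rather than as errors.

```python
"""Build and parse LLDP Ethernet frames (IEEE 802.1AB TLV layout).

Added illustration, not PAN-OS code. Sample MAC addresses, interface names
and the hostname are constructed.
"""
import struct

LLDP_DST_MAC = bytes.fromhex("0180C200000E")   # the one LLDP multicast MAC the firewall processes
ETHERTYPE_LLDP = 0x88CC
CHASSIS_SUBTYPE_MAC = 4                         # Chassis ID subtype the firewall uses (MAC of Eth0)
PORT_SUBTYPE_IFNAME = 5                         # Port ID subtype the firewall uses (ifname)
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP = 4, 5, 6, 7
TEXT_TLVS = {TLV_PORT_DESC: "port_description", TLV_SYS_NAME: "system_name",
             TLV_SYS_DESC: "system_description"}
# System capability bitmap, labelled with the letters the firewall's Peers tab shows.
CAPABILITY_BITS = [(0x0001, "O"), (0x0002, "P"), (0x0004, "B"),
                   (0x0008, "W"), (0x0010, "R"), (0x0020, "T")]


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value too long for the 9-bit length field")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_frame(src_mac, tlvs):
    """Ethernet header (dst, src, EtherType) followed by the LLDPDU."""
    return LLDP_DST_MAC + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + b"".join(tlvs)


def decode_capabilities(word):
    return [name for bit, name in CAPABILITY_BITS if word & bit]


def parse_lldp_frame(frame):
    """Parse one received frame.

    Returns None when the destination MAC or EtherType is not the LLDP frame the
    firewall processes (it forwards or drops such frames instead); otherwise a
    dict of decoded fields plus an `errors` list and an `unrecognized` count.
    """
    if (len(frame) < 14 or frame[:6] != LLDP_DST_MAC
            or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP):
        return None
    info = {"errors": [], "unrecognized": 0, "ended": False}
    offset, index = 14, 0
    while offset + 2 <= len(frame) and not info["ended"]:
        header = struct.unpack("!H", frame[offset:offset + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[offset + 2:offset + 2 + length]
        if len(value) != length:
            info["errors"].append(f"length error in TLV type {tlv_type}")
            break
        offset += 2 + length
        # The first three TLVs must be Chassis ID, Port ID and TTL, in that order.
        if index < 3 and tlv_type != index + 1:
            info["errors"].append(f"TLV {index + 1} has type {tlv_type}, expected {index + 1}")
        if tlv_type == TLV_END:
            info["ended"] = True
        elif tlv_type == TLV_CHASSIS and value:
            info["chassis_id"] = value[1:].hex(":") if value[0] == CHASSIS_SUBTYPE_MAC else value[1:]
        elif tlv_type == TLV_PORT and value:
            info["port_id"] = value[1:].decode("ascii", "replace") if value[0] == PORT_SUBTYPE_IFNAME else value[1:]
        elif tlv_type == TLV_TTL:
            if length != 2:
                info["errors"].append("TTL TLV length error")
            else:
                info["ttl"] = struct.unpack("!H", value)[0]   # 0 means: remove this peer from the MIB
        elif tlv_type in TEXT_TLVS:
            info[TEXT_TLVS[tlv_type]] = value.decode("ascii", "replace")
        elif tlv_type == TLV_SYS_CAP:
            if length != 4:
                info["errors"].append("System Capabilities TLV length error")
            else:
                supported, enabled = struct.unpack("!HH", value)
                info["capabilities"] = decode_capabilities(supported)
                info["enabled_capabilities"] = decode_capabilities(enabled)
        elif 9 <= tlv_type <= 126:
            info["unrecognized"] += 1      # reserved TLV type range
        index += 1
    if index < 3:
        info["errors"].append("one or more mandatory TLVs missing")
    if not info["ended"]:
        info["errors"].append("End of LLDPDU TLV missing")
    return info


def sample_frame():
    """A well-formed LLDPDU as an L3 firewall interface would send it (constructed values)."""
    chassis_mac = bytes.fromhex("001B1700AA01")
    return build_frame(chassis_mac, [
        tlv(TLV_CHASSIS, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac),
        tlv(TLV_PORT, bytes([PORT_SUBTYPE_IFNAME]) + b"ethernet1/1"),
        tlv(TLV_TTL, struct.pack("!H", 120)),
        tlv(TLV_SYS_NAME, b"fw-edge-1"),
        tlv(TLV_SYS_CAP, struct.pack("!HH", 0x0011, 0x0011)),   # Router + Other, both enabled
        tlv(TLV_END, b""),
    ])


def sample_bad_frame():
    """Port ID before Chassis ID, a reserved TLV type, and no End TLV (constructed)."""
    chassis_mac = bytes.fromhex("001B1700AA02")
    return build_frame(chassis_mac, [
        tlv(TLV_PORT, bytes([PORT_SUBTYPE_IFNAME]) + b"ethernet1/2"),
        tlv(TLV_CHASSIS, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac),
        tlv(TLV_TTL, struct.pack("!H", 120)),
        tlv(42, b"\x00"),
    ])
```

A frame addressed to 01-80-C2-00-00-03 or 01-80-C2-00-00-00 is returned as None, mirroring the firewall's behaviour of not processing those LLDPDUs; the malformed sample produces two out-of-order errors, one unrecognized TLV and a missing End TLV, which is the kind of breakdown the Errors and Unrecognized counters on the Status tab give you when a neighbor's LLDP agent misbehaves.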
Configure LLDP
To configure LLDP, and create an LLDP profile, you must be a superuser or device administrator (deviceadmin). A firewall interface supports a maximum of five LLDP peers.

Configure LLDP
Step 1  Enable LLDP on the firewall.
Step 2  (Optional) Change LLDP global settings.
1.
2.
3.
4. For Notification Interval, specify the interval (in seconds) at which LLDP Syslog Messages and SNMP Traps are transmitted when MIB changes occur. Default: 5 seconds. Range: 1-3600 seconds.
5. Click OK.
Configure LLDP (Continued)
Step 3  Create an LLDP profile. For descriptions of the optional TLVs, see Supported TLVs in LLDP.
1.
2. Enter a Name for the LLDP profile.
3. For Mode, select transmit-receive (default), transmit-only, or receive-only.
4.
5. For Optional TLVs, select the TLVs you want transmitted:
   • Port Description
   • System Name
   • System Description
   • System Capabilities
6. (Optional) Select Management Address to add one or more management addresses and Add a Name.
7. Select the Interface from which to obtain the management address. At least one management address is required if Management Address TLV is enabled. If no management IP address is configured, the system uses the MAC address of the transmitting interface as the management address TLV.
8. Select IPv4 or IPv6, and in the adjacent field, select an IP address from the drop-down (which lists the addresses configured on the selected interface), or enter an address.
9. Click OK.
10. Up to four management addresses are allowed. If you specify more than one Management Address, they will be sent in the order they are specified, starting at the top of the list. To change the order of the addresses, select an address and use the Move Up or Move Down buttons.
11. Click OK.
Step 4  Assign an LLDP profile to an interface.
1.
2.
3. Select Enable LLDP to assign an LLDP profile to the interface.
4. For Profile, select the profile you created. Selecting None enables LLDP with basic functionality: it sends the three mandatory TLVs and enables transmit-receive mode.
   If you want to create a new profile, click LLDP Profile and follow the steps above.
5. Click OK.
Step 5  Save the configuration.
Click Commit.
View LLDP Settings and Status
Step 1  View LLDP global settings.
1.
Step 2  View the LLDP status information.
1. Select the Status tab.
2. (Optional) Enter a filter to restrict the information that is displayed.
Interface Information:
• Interface: Name of the interfaces that have LLDP profiles assigned to them.
• LLDP: LLDP status: enabled or disabled.
• Mode: LLDP mode of the interface: Tx/Rx, Tx Only, or Rx Only.
• Profile: Name of the profile assigned to the interface.
Transmission Information:
• Total Transmitted: Count of LLDPDUs transmitted out the interface.
• Dropped Transmit: Count of LLDPDUs that were not transmitted out the interface because of an error. For example, a length error when the system is constructing an LLDPDU for transmission.
Received Information:
• Total Received: Count of LLDP frames received on the interface.
• Dropped TLV: Count of LLDP frames discarded upon receipt.
• Errors: Count of TLVs that were received on the interface and contained errors. Types of TLV errors include: one or more mandatory TLVs missing, out of order, containing out-of-range information, or length error.
• Unrecognized: Count of TLVs received on the interface that are not recognized by the LLDP local agent. For example, the TLV type is in the reserved TLV range.
• Aged Out: Count of items deleted from the Receive MIB due to proper TTL expiration.

View LLDP Settings and Status (Continued)
Step 3  View summary LLDP information for each neighbor seen on an interface.
1. Select the Peers tab.
2. (Optional) Enter a filter to restrict the information being displayed.
• Local Interface: Interface on the firewall that detected the neighboring device.
• Remote Chassis ID: Chassis ID of the peer. The MAC address will be used.
• Port ID: Port ID of the peer.
• Name: Name of peer.
• More info: Provides the following remote peer details, which are based on the Mandatory and Optional TLVs:
  • Chassis Type: MAC address.
  • MAC Address: MAC address of the peer.
  • System Name: Name of the peer.
  • System Description: Description of the peer.
  • Port Description: Port description of the peer.
  • Port Type: Interface name.
  • Port ID: The firewall uses the interface's ifname.
  • System Capabilities: Capabilities of the system. O=Other, P=Repeater, B=Bridge, W=Wireless LAN, R=Router, T=Telephone
  • Enabled Capabilities: Capabilities enabled on the peer.
  • Management Address: Management address of the peer.

Clear LLDP statistics for specific interfaces.
1.
2.
BFD
The firewall supports Bidirectional Forwarding Detection (BFD), a protocol that recognizes a failure in the bidirectional path between two routing peers. BFD failure detection is extremely fast, providing for a faster failover than can be achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats. Mission-critical data centers and networks that require high availability and extremely fast failover need the extremely fast failure detection that BFD provides.
• BFD Overview
• Configure BFD
• Reference: BFD Details

BFD Overview
When you enable BFD, BFD establishes a session from one endpoint (the firewall) to its BFD peer at the endpoint of a link using a three-way handshake. Control packets perform the handshake and negotiate the parameters configured in the BFD profile, including the minimum intervals at which the peers can send and receive control packets. BFD control packets for both IPv4 and IPv6 are transmitted over UDP port 3784. BFD control packets for multihop support are transmitted over UDP port 4784. BFD control packets transmitted over either port are encapsulated in the UDP packets.
After the BFD session is established, the Palo Alto Networks implementation of BFD operates in asynchronous mode, meaning both endpoints send each other control packets (which function like Hello packets) at the negotiated interval. If a peer does not receive a control packet within the detection time (calculated as the negotiated transmit interval multiplied by a Detection Time Multiplier), the peer considers the session down. (The firewall does not support demand mode, in which control packets are sent only if necessary rather than periodically.)
When you enable BFD for a static route and a BFD session between the firewall and the BFD peer fails, the firewall removes the failed route from the RIB and FIB tables and allows an alternate path with a lower priority to take over. When you enable BFD for a routing protocol, BFD notifies the routing protocol to switch to an alternate path to the peer. Thus, the firewall and BFD peer reconverge on a new path.
A BFD profile allows you to Configure BFD settings and apply them to one or more routing protocols or static routes on the firewall. If you enable BFD without configuring a profile, the firewall uses its default BFD profile (with all of the default settings). You cannot change the default BFD profile.
When an interface is running multiple protocols that use different BFD profiles, BFD uses the profile having the lowest Desired Minimum Tx Interval. See BFD for Dynamic Routing Protocols.
Active/passive HA peers synchronize BFD configurations and sessions; active/active HA peers do not.
BFD is standardized in RFC 5880. PAN-OS does not support all components of RFC 5880; see Non-Supported RFC Components of BFD.
PAN-OS also supports RFC 5881, Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop). In this case, BFD tracks a single hop between two systems that use IPv4 or IPv6, so the two systems are directly connected to each other. BFD also tracks multiple hops from peers connected by BGP. PAN-OS follows BFD encapsulation as described in RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths. However, PAN-OS does not support authentication.
• BFD Platform, Interface, and Client Support
• Non-Supported RFC Components of BFD
• BFD for Static Routes
• BFD for Dynamic Routing Protocols

BFD Platform, Interface, and Client Support
PAN-OS supports BFD on PA-3000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls. Each platform supports a maximum number of BFD sessions, as listed in the Product Selection tool.
BFD runs on physical Ethernet, Aggregated Ethernet (AE), VLAN, and tunnel interfaces (site-to-site VPN and LSVPN), and on Layer 3 subinterfaces.
Supported BFD clients are:
• Static routes (IPv4 and IPv6) consisting of a single hop
• OSPFv2 and OSPFv3 (interface types include broadcast, point-to-point, and point-to-multipoint)
• BGP IPv4 (IBGP, EBGP) consisting of a single hop or multiple hops
• RIP (single hop)

Non-Supported RFC Components of BFD
• Demand mode
• Authentication
• Sending or receiving Echo packets; however, the firewall will pass Echo packets that arrive on a virtual wire or tap interface. (BFD Echo packets have the same IP address for the source and destination.)
• Poll sequences
• Congestion control

BFD for Static Routes
To use BFD on a static route, both the firewall and the peer at the opposite end of the static route must support BFD sessions. A static route can have a BFD profile only if the Next Hop type is IP Address.
If an interface is configured with more than one static route to a peer (the BFD session has the same source IP address and same destination IP address), a single BFD session automatically handles the multiple static routes. This behavior reduces BFD sessions. If the static routes have different BFD profiles, the profile with the smallest Desired Minimum Tx Interval takes effect.
In a deployment where you want to configure BFD for a static route on a DHCP or PPPoE client interface, you must perform two commits. Enabling BFD for a static route requires that the Next Hop type must be IP Address. But at the time of a DHCP or PPPoE interface commit, the interface IP address and next hop IP address (default gateway) are unknown.
You must first enable a DHCP or PPPoE client for the interface, perform a commit, and wait for the DHCP or PPPoE server to send the firewall the client IP address and default gateway IP address. Then you can configure the static route (using the default gateway address of the DHCP or PPPoE client as the next hop), enable BFD, and perform a second commit.
BFD for Dynamic Routing Protocols
In addition to BFD for static routes, the firewall supports BFD for the BGP, OSPF, and RIP routing protocols.
The Palo Alto Networks implementation of multihop BFD follows the encapsulation portion of RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths, but does not support authentication. A workaround is to configure BFD in a VPN tunnel for BGP. The VPN tunnel can provide authentication without the duplication of BFD authentication.
When you enable BFD for OSPFv2 or OSPFv3 broadcast interfaces, OSPF establishes a BFD session only with its Designated Router (DR) and Backup Designated Router (BDR). On point-to-point interfaces, OSPF establishes a BFD session with the direct neighbor. On point-to-multipoint interfaces, OSPF establishes a BFD session with each peer.
The firewall does not support BFD on an OSPF or OSPFv3 virtual link.
Each routing protocol can have independent BFD sessions on an interface. Alternatively, two or more routing protocols (BGP, OSPF, and RIP) can share a common BFD session for an interface.
When you enable BFD for multiple protocols on the same interface, and the source IP address and destination IP address for the protocols are also the same, the protocols share a single BFD session, thus reducing both dataplane overhead (CPU) and traffic load on the interface. If you configure different BFD profiles for these protocols, only one BFD profile is used: the one that has the lowest Desired Minimum Tx Interval. If the profiles have the same Desired Minimum Tx Interval, the profile used by the first created session takes effect. In the case where a static route and OSPF share the same session, because a static session is created right after a commit, while OSPF waits until an adjacency is up, the profile of the static route takes effect.
The benefit of using a single BFD session in these cases is that this behavior uses resources more efficiently. The firewall can use the saved resources to support more BFD sessions on different interfaces or support BFD for different source IP and destination IP address pairs.
IPv4 and IPv6 on the same interface always create different BFD sessions, even though they can use the same BFD profile.
Configure BFD
This task assumes you have performed the following prerequisites:
• Configured a virtual router.
• Configured one or more static routes if you are applying BFD to static routes.
• Configured a routing protocol (BGP, OSPF, OSPFv3, or RIP) if you are applying BFD to a routing protocol.
The effectiveness of your BFD implementation depends on a variety of factors, such as traffic loads, network conditions, how aggressive your BFD settings are, and how busy the dataplane is.
Configure BFD
Step 1  Create a BFD profile.
If you change a setting in a BFD profile that an existing BFD session is using and you commit the change, before the firewall deletes that BFD session and recreates it with the new setting, the firewall sends a BFD packet with the local state set to admin down. The peer device may or may not flap the routing protocol or static route, depending on the peer's implementation of RFC 5882, Section 3.2.
1.
2.
3.
4.
5.

Configure BFD (Continued)
6.
7. (Optional) For a BGP IPv4 implementation only, configure hop-related settings for the BFD profile:
   • Select Multihop to enable BFD over BGP multihop.
   • Enter the Minimum Rx TTL. This is the minimum Time-to-Live value (number of hops) BFD will accept (receive) in a BFD control packet when BGP supports multihop BFD. (Range is 1-254; there is no default).
     The firewall drops the packet if it receives a smaller TTL than its configured Minimum Rx TTL. For example, if the peer is 5 hops away, and the peer transmits a BFD packet with a TTL of 100 to the firewall, and if the Minimum Rx TTL for the firewall is set to 96 or higher, the firewall drops the packet.
8. Click OK.
Step 2  (Optional) Enable BFD for a static route. Both the firewall and the peer at the opposite end of the static route must support BFD sessions.
1.
2.
3.
4. Select the static route where you want to apply BFD.
5. Select an Interface (even if you are using a DHCP address). The Interface setting cannot be None.
6.
7. For BFD Profile, select one of the following:
   • default: Uses only default settings.
   • A BFD profile you configured: See Create a BFD profile.
   • New BFD Profile: Allows you to Create a BFD profile.
   Selecting None (Disable BFD) disables BFD for this static route.
8. Click OK.
A BFD column on the IPv4 or IPv6 tab indicates the BFD profile configured for the static route.
Step 3: (Optional) Enable BFD for all BGP interfaces or for a single BGP peer.

If you enable or disable BFD globally, all interfaces running BGP will be taken down and brought back up with the BFD function. This can disrupt all BGP traffic. When you enable BFD on the interface, the firewall stops the BGP connection to the peer to program BFD on the interface. The peer device sees the BGP connection drop, which can result in a reconvergence. Enable BFD for BGP interfaces during an off-peak time when a reconvergence will not impact production traffic.

2. Select the BGP tab.
3. (Optional) To apply BFD to all BGP interfaces on the virtual router, in the BFD drop-down, select one of the following and click OK:
   - default: Uses only default settings.
   - A BFD profile you configured: See Create a BFD profile.
   - New BFD Profile: Allows you to Create a BFD profile.
   Selecting None (Disable BFD) disables BFD for all BGP interfaces on the virtual router; you cannot enable BFD for a single BGP interface.
4. (Optional) To enable BFD for a single BGP peer interface (thereby overriding the BFD setting for BGP as long as it is not disabled), perform the following tasks:
   a. Select the Peer Group tab.
   b. Select a peer group.
   c. Select a peer.
   d. In the BFD drop-down, select one of the following:
      - default: Uses only default settings.
      - Inherit-vr-global-setting (default): The BGP peer inherits the BFD profile that you selected globally for BGP for the virtual router.
      - A BFD profile you configured: See Create a BFD profile.
      Selecting Disable BFD disables BFD for the BGP peer.
   e. Click OK.
5. Click OK.

A BFD column on the BGP Peer Group/Peer list indicates the BFD profile configured for the interface.
Step 4: (Optional) Enable BFD for OSPF or OSPFv3 globally or for an OSPF interface.

2. Select the OSPF or OSPFv3 tab.
3. (Optional) In the BFD drop-down, select one of the following to enable BFD for all OSPF or OSPFv3 interfaces and click OK:
   - default: Uses only default settings.
   - A BFD profile you configured: See Create a BFD profile.
   - New BFD Profile: Allows you to Create a BFD profile.
   Selecting None (Disable BFD) disables BFD for all OSPF interfaces on the virtual router; you cannot enable BFD for a single OSPF interface.
4. (Optional) To enable BFD on a single OSPF peer interface (and thereby override the BFD setting for OSPF, as long as it is not disabled), perform the following tasks:
   a. Select the Areas tab and select an area.
   b. On the Interface tab, select an interface.
   c. In the BFD drop-down, select one of the following to configure BFD for the specified OSPF peer:
      - default: Uses only default settings.
      - Inherit-vr-global-setting (default): The OSPF peer inherits the BFD setting for OSPF or OSPFv3 for the virtual router.
      - A BFD profile you configured: See Create a BFD profile.
      Selecting Disable BFD disables BFD for the OSPF or OSPFv3 interface.
   d. Click OK.
5. Click OK.

A BFD column on the OSPF Interface tab indicates the BFD profile configured for the interface.
Step 5: (Optional) Enable BFD for RIP globally or for a single RIP interface.

2. Select the RIP tab.
3. (Optional) In the BFD drop-down, select one of the following to enable BFD for all RIP interfaces on the virtual router and click OK:
   - default: Uses only default settings.
   - A BFD profile you configured: See Create a BFD profile.
   - New BFD Profile: Allows you to Create a BFD profile.
   Selecting None (Disable BFD) disables BFD for all RIP interfaces on the virtual router; you cannot enable BFD for a single RIP interface.
4. (Optional) To enable BFD for a single RIP interface (and thereby override the BFD setting for RIP, as long as it is not disabled), perform the following tasks:
   a. Select the Interfaces tab and select an interface.
   b. In the BFD drop-down, select one of the following:
      - default: Uses only default settings.
      - Inherit-vr-global-setting (default): The RIP interface inherits the BFD profile that you selected for RIP globally for the virtual router.
      - A BFD profile you configured: See Create a BFD profile.
      Selecting None (Disable BFD) disables BFD for the RIP interface.
   c. Click OK.
5. Click OK.

The BFD column on the Interface tab indicates the BFD profile configured for the interface.
Step 6: Save the configuration.

Click Commit.

Step 7: View BFD summary and details.

3. (Optional) Select details in the row of the interface you are interested in to view Reference: BFD Details.

Step 8: Monitor BFD profiles referenced by a routing configuration; monitor BFD statistics, status, and state.

Use the following CLI operational commands:

show routing bfd active-profile [<name>]
show routing bfd details [interface <name>] [local-ip <ip>] [multihop] [peer-ip <ip>] [session-id] [virtual-router <name>]

Step 9: (Optional) Clear BFD transmit, receive, and drop counters.
Step 10: (Optional) Clear BFD sessions for debugging.
Reference: BFD Details

To see the following information for a virtual router, you can View BFD summary and details.

Name | Value (Example) | Description
--- | --- | ---
Session ID | | ID number of the BFD session.
Interface | ethernet1/12 | Interface you selected where BFD is running.
Protocol | STATIC(IPV4) OSPF | Static route (IP address family of static route) and/or dynamic routing protocol that is running BFD on the interface.
Local IP Address | 10.55.55.2 | IP address of the interface.
Neighbor IP Address | 10.55.55.1 | IP address of the BFD neighbor.
BFD Profile | default* (This BFD session has multiple BFD profiles. The lowest Desired Minimum Tx Interval (ms) is used to select the effective profile.) | Name of the BFD profile applied to the interface. Because the sample interface has both a static route and OSPF running BFD with different profiles, the firewall uses the profile with the lowest Desired Minimum Tx Interval. In this example, the profile used is the default profile.
State (local/remote) | up/up | BFD states of the local and remote BFD peers. Possible states are admin down, down, init, and up.
Up Time | 2h 36m 21s 419ms | Length of time BFD has been up (hours, minutes, seconds, and milliseconds).
Discriminator (local/remote) | 1391591427/1 | Discriminators for the local and remote BFD peers.
Mode | Active | Mode in which BFD is configured on the interface: Active or Passive.
Demand Mode | Disabled | PAN-OS does not support BFD Demand Mode, so it is always in the Disabled state.
Multihop | Disabled | BFD multihop: Enabled or Disabled.
Multihop TTL | | TTL of multihop; range is 1-254. The field is empty if Multihop is disabled.
Local Diag Code | 0 (No Diagnostic) | Diagnostic code indicating the reason for the local system's last change in state: 0 No Diagnostic; 1 Control Detection Time Expired; 2 Echo Function Failed; 3 Neighbor Signaled Session Down; 4 Forwarding Plane Reset; 5 Path Down; 6 Concatenated Path Down; 7 Administratively Down; 8 Reverse Concatenated Path Down.
Last Received Remote Diag Code | 0 (No Diagnostic) | Diagnostic code last received from the BFD peer.
Transmit Hold Time | 0 ms | Hold time (in milliseconds) after a link comes up before BFD transmits BFD control packets. A hold time of 0 ms means to transmit immediately. Range is 0-120000 ms.
Received Min Rx Interval | 1000 ms | Minimum Rx interval received from the peer; the interval at which the BFD peer can receive control packets. Maximum is 2000 ms.
Negotiated Transmit Interval | 1000 ms | Transmit interval (in milliseconds) at which the BFD peers have agreed to send BFD control packets to each other. Maximum is 2000 ms.
Received Multiplier | | Detection time multiplier value received from the BFD peer. The Transmit Time multiplied by the Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2-50.
Detect Time (exceeded) | 3000 ms (0) | Calculated detection time (Negotiated Transmit Interval multiplied by Multiplier) and the number of milliseconds by which the detection time is exceeded.
Tx Control Packets (last) | 9383 (420 ms ago) | Number of BFD control packets transmitted (and length of time since BFD transmitted the most recent control packet).
Rx Control Packets (last) | 9384 (407 ms ago) | Number of BFD control packets received (and length of time since BFD received the most recent control packet).
Agent Data Plane | Slot1 DP0 | On PA-7000 Series firewalls, the dataplane CPU that is assigned to handle packets for this BFD session.
Errors | | Number of BFD errors.
Version | | BFD version.
Poll Bit | | BFD poll bit; 0 indicates not set.
Desired Min Tx Interval | 1000 ms | Desired minimum transmit interval of the last packet causing a state change.
Required Min Rx Interval | 1000 ms | Required minimum receive interval of the last packet causing a state change.
Detect Multiplier | | Detect Multiplier of the last packet causing a state change.
My Discriminator | | Remote discriminator. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Your Discriminator | 1391591427 | Local discriminator. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Diagnostic Code | 0 (No Diagnostic) | Diagnostic code of the last packet causing a state change.
Length | 24 | Length of the BFD control packet in bytes.
Demand Bit | | PAN-OS does not support BFD Demand mode, so the Demand Bit is always set to 0 (disabled).
Final Bit | | PAN-OS does not support the Poll Sequence, so the Final Bit is always set to 0 (disabled).
Multipoint Bit | | This bit is reserved for future point-to-multipoint extensions to BFD. It must be zero on both transmit and receipt.
Control Plane Independent Bit | 1 | If set to 1, the transmitting system's BFD implementation does not share fate with its control plane (i.e., BFD is implemented in the forwarding plane and can continue to function through disruptions in the control plane). In PAN-OS, this bit is always set to 1. If set to 0, the transmitting system's BFD implementation shares fate with its control plane.
Authentication Present Bit | 0 | PAN-OS does not support BFD Authentication, so the Authentication Present Bit is always set to 0.
Required Min Echo Rx Interval | 0 ms | PAN-OS does not support the BFD Echo function, so this will always be 0 ms.
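The session arithmetic the table describes (negotiated transmit interval, Detect Time and its "(exceeded)" figure, selection of the effective profile by lowest Desired Minimum Tx Interval) together with the Minimum Rx TTL check from Configure BFD, Step 1, as an added Python model that is not part of the guide or of PAN-OS. The timer rules follow RFC 5880 (asynchronous mode); every profile value below is constructed.

```python
"""Added example, not PAN-OS code: a model of the session parameters in the
Reference: BFD Details table. Timer arithmetic follows RFC 5880 (asynchronous
mode); the Minimum Rx TTL check follows the multihop description in Configure
BFD, Step 1. Every profile value here is constructed."""
from dataclasses import dataclass

MIN_RX_TTL_RANGE = range(1, 255)   # Minimum Rx TTL: 1-254, no default
DETECT_MULT_RANGE = range(2, 51)   # Detect Multiplier: 2-50


@dataclass(frozen=True)
class BfdProfile:
    """Timer values one side advertises in its BFD control packets."""
    name: str
    desired_min_tx_ms: int   # Desired Min Tx Interval
    required_min_rx_ms: int  # Required Min Rx Interval
    detect_mult: int         # Detect Multiplier

    def __post_init__(self):
        if self.detect_mult not in DETECT_MULT_RANGE:
            raise ValueError(f"detect multiplier {self.detect_mult} outside 2-50")


def effective_profile(profiles):
    """A static route and a routing protocol may both run BFD on one interface
    with different profiles; the firewall then uses the profile with the lowest
    Desired Minimum Tx Interval (BFD Profile row of the table)."""
    return min(profiles, key=lambda p: p.desired_min_tx_ms)


def negotiated_tx_interval_ms(sender, receiver):
    """Interval at which `sender` actually transmits: no faster than its own
    Desired Min Tx, and no faster than `receiver` is willing to accept
    (RFC 5880, section 6.8.7)."""
    return max(sender.desired_min_tx_ms, receiver.required_min_rx_ms)


def detection_time_ms(local, remote):
    """Detect Time as the table defines it: the peer's negotiated transmit
    interval multiplied by the multiplier received from the peer
    (RFC 5880, section 6.8.4)."""
    return remote.detect_mult * negotiated_tx_interval_ms(remote, local)


def detect_time_exceeded_ms(ms_since_last_rx, detect_time):
    """The '(exceeded)' figure: milliseconds past the detection time since the
    last control packet arrived; 0 means the session is within its window."""
    return max(0, ms_since_last_rx - detect_time)


def session_failed(ms_since_last_rx, detect_time):
    """A failure has occurred once no control packet arrives before Detect Time expires."""
    return ms_since_last_rx >= detect_time


def accept_multihop_packet(sent_ttl, hops, minimum_rx_ttl):
    """Minimum Rx TTL check for BFD over BGP multihop. Each router on the path
    decrements the IP TTL by one; the firewall drops a control packet whose
    remaining TTL is smaller than the configured Minimum Rx TTL."""
    if minimum_rx_ttl not in MIN_RX_TTL_RANGE:
        raise ValueError(f"Minimum Rx TTL {minimum_rx_ttl} outside 1-254")
    return sent_ttl - hops >= minimum_rx_ttl


def session_summary(local, remote, ms_since_last_rx):
    """Rows of the details table that derive from the two profiles."""
    detect = detection_time_ms(local, remote)
    return {
        "Negotiated Transmit Interval": negotiated_tx_interval_ms(local, remote),
        "Received Min Rx Interval": remote.required_min_rx_ms,
        "Received Multiplier": remote.detect_mult,
        "Detect Time": detect,
        "Detect Time exceeded": detect_time_exceeded_ms(ms_since_last_rx, detect),
        "Session failed": session_failed(ms_since_last_rx, detect),
    }


# Constructed profiles: the table's example (1000 ms / 1000 ms / multiplier 3)
# and a more aggressive profile applied to a static route on the same interface.
DEFAULT = BfdProfile("default", 1000, 1000, 3)
FAST = BfdProfile("static-route-fast", 300, 300, 3)

if __name__ == "__main__":
    print("effective profile:", effective_profile([DEFAULT, FAST]).name)
    print(session_summary(DEFAULT, DEFAULT, ms_since_last_rx=407))
    # The guide's worked TTL example: a peer 5 hops away sends TTL 100.
    for min_ttl in (95, 96):
        verdict = "accept" if accept_multihop_packet(100, 5, min_ttl) else "drop"
        print(f"Minimum Rx TTL {min_ttl}: {verdict}")
```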
Policy

Policies allow you to enforce rules and take action. The different types of policy rules that you can create on the firewall are: Security, NAT, Quality of Service (QoS), Policy-Based Forwarding (PBF), Decryption, Application Override, Captive Portal, Denial of Service (DoS), and Zone protection policies. All these different policies work together to allow, deny, prioritize, forward, encrypt, decrypt, make exceptions, authenticate access, and reset connections as needed to help secure your network. The following topics describe how to work with policy:
- Policy Types
- Security Policy
- Policy Objects
- Security Profiles
- Best Practice Internet Gateway Security Policy
- Enumeration of Rules Within a Rulebase
- Move or Clone a Policy Rule or Object to a Different Virtual System
- Use Tags to Group and Visually Distinguish Objects
- Use an External Dynamic List in Policy
- Register IP Addresses and Tags Dynamically
- Monitor Changes in the Virtual Environment
- CLI Commands for Dynamic IP Addresses and Tags
- Identify Users Connected through a Proxy Server
- Policy-Based Forwarding
Policy Types

The Palo Alto Networks next-generation firewall supports a variety of policy types that work together to safely enable applications on your network.

Policy Type | Description
--- | ---
Security | Determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. For more details, see Security Policy.
NAT | Instruct the firewall which packets need translation and how to do the translation. The firewall supports both source address and/or port translation and destination address and/or port translation. For more details, see NAT.
QoS | Identify traffic requiring QoS treatment (either preferential treatment or bandwidth limiting) using a defined parameter or multiple parameters and assign it a class. For more details, see Quality of Service.
Policy-Based Forwarding | Identify traffic that should use a different egress interface than the one that would normally be used based on the routing table. For details, see Policy-Based Forwarding.
Decryption | Identify encrypted traffic that you want to inspect for visibility, control, and granular security. For more details, see Decryption.
Application Override | Identify sessions that you do not want processed by the App-ID engine, which is a Layer 7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4. For more details, see Manage Custom or Unknown Applications.
Captive Portal | Identify traffic that requires the user to be known. The captive portal policy is only triggered if other User-ID mechanisms did not identify a user to associate with the source IP address. For more details, see Captive Portal.
DoS Protection | Identify potential denial-of-service (DoS) attacks and take protective action in response to rule matches. For more details, see DoS Protection Profiles.
Security Policy

Security policy protects network assets from threats and disruptions and aids in optimally allocating network resources for enhancing productivity and efficiency in business processes. On the Palo Alto Networks firewall, individual security policy rules determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.

All traffic passing through the firewall is matched against a session and each session is matched against a security policy. When a session match occurs, the security policy is applied to bidirectional traffic (client to server and server to client) in that session. For traffic that doesn't match any defined rules, the default rules apply. The default rules, displayed at the bottom of the security rulebase, are predefined to allow all intrazone (within the zone) traffic and deny all interzone (between zones) traffic. Although these rules are part of the predefined configuration and are read-only by default, you can override them and change a limited number of settings, including the tags, action (allow or block), log settings, and security profiles.

Security policies are evaluated left to right and from top to bottom. A packet is matched against the first rule that meets the defined criteria; after a match is triggered the subsequent rules are not evaluated. Therefore, the more specific rules must precede more generic ones in order to enforce the best match criteria. Traffic that matches a rule generates a log entry at the end of the session in the traffic log, if logging is enabled for that rule. The logging options are configurable for each rule, and can for example be configured to log at the start of a session instead of, or in addition to, logging at the end of a session.

- Components of a Security Policy Rule
  - Required Fields
  - Optional Fields
- Security Policy Actions
- Create a Security Policy Rule
Required Fields

Required Field | Description
--- | ---
Name | A label that supports up to 31 characters, used to identify the rule.
Rule Type | Specifies whether the rule applies to traffic within a zone, between zones, or both. universal (default): Applies the rule to all matching interzone and intrazone traffic in the specified source and destination zones. For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, and all traffic from zone A to zone B and all traffic from zone B to zone A. intrazone: Applies the rule to all matching traffic within the specified source zones (you cannot specify a destination zone for intrazone rules). For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and all traffic within zone B, but not to traffic between zones A and B. interzone: Applies the rule to all matching traffic between the specified source and destination zones. For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from zone A to zone B, from zone B to zone A, from zone C to zone A, and from zone C to zone B, but not traffic within zones A, B, or C.
Source Zone | The zone from which the traffic originates.
Destination Zone | The zone at which the traffic terminates. If you use NAT, make sure to always reference the post-NAT zone.
Application | The application which you wish to control. The firewall uses App-ID, the traffic classification technology, to identify traffic on your network. App-ID provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed.
Action | Specifies an Allow or Block action for the traffic based on the criteria you define in the rule. When you configure the firewall to block traffic, it either resets the connection or silently drops packets. To provide a better user experience, you can configure granular options to block traffic instead of silently dropping packets, which can cause some applications to break and appear unresponsive to the user. For more details, see Security Policy Actions.
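The Rule Type semantics in the table above and the top-to-bottom, first-match evaluation described under Security Policy (including the predefined intrazone-allow and interzone-deny default rules), as an added Python model that is not part of the guide or of PAN-OS. Rule names, zones, addresses and applications in it are constructed.

```python
"""Added model (not PAN-OS code) of security policy rule selection: top to
bottom, first match wins; the rule type decides the zone pairs a rule covers;
the predefined default rules allow intrazone and deny interzone traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
RULE_TYPES = ("universal", "intrazone", "interzone")

@dataclass
class Rule:
    name: str
    rule_type: str
    from_zones: frozenset
    to_zones: frozenset = frozenset({ANY})
    sources: tuple = (ANY,)        # IP networks as strings, or "any"
    destinations: tuple = (ANY,)
    applications: frozenset = frozenset({ANY})
    action: str = "allow"

    def __post_init__(self):
        if self.rule_type not in RULE_TYPES:
            raise ValueError(f"unknown rule type {self.rule_type!r}")
        # The guide: you cannot specify a destination zone for intrazone rules.
        if self.rule_type == "intrazone" and self.to_zones != frozenset({ANY}):
            raise ValueError("intrazone rules cannot specify a destination zone")

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    application: str

def zone_pair_matches(rule, src_zone, dst_zone):
    """Rule-type semantics from the Required Fields table."""
    src_ok = ANY in rule.from_zones or src_zone in rule.from_zones
    if rule.rule_type == "intrazone":
        return src_ok and src_zone == dst_zone
    dst_ok = ANY in rule.to_zones or dst_zone in rule.to_zones
    if rule.rule_type == "interzone":
        return src_ok and dst_ok and src_zone != dst_zone
    return src_ok and dst_ok  # universal: intrazone and interzone alike

def address_matches(candidates, addr):
    if ANY in candidates:
        return True
    return any(ip_address(addr) in ip_network(c, strict=False) for c in candidates)

def rule_matches(rule, flow):
    return (zone_pair_matches(rule, flow.src_zone, flow.dst_zone)
            and address_matches(rule.sources, flow.src_ip)
            and address_matches(rule.destinations, flow.dst_ip)
            and (ANY in rule.applications or flow.application in rule.applications))

# Predefined rules at the bottom of every rulebase.
DEFAULT_RULES = (
    Rule("intrazone-default", "intrazone", frozenset({ANY}), action="allow"),
    Rule("interzone-default", "interzone", frozenset({ANY}), frozenset({ANY}), action="deny"),
)

def match_security_policy(rulebase, flow):
    """First rule, top to bottom, whose criteria the flow meets; the rest are skipped."""
    for rule in (*rulebase, *DEFAULT_RULES):
        if rule_matches(rule, flow):
            return rule
    raise RuntimeError("unreachable: the default rules cover every zone pair")

def shadowed_rules(rulebase, flows):
    """Rules that never win for the given flows: a generic rule placed above a
    more specific one makes the specific rule unreachable."""
    winners = {match_security_policy(rulebase, f).name for f in flows}
    return [r.name for r in rulebase if r.name not in winners]

# Constructed rulebase: the specific allow is placed above the generic deny.
SAMPLE_RULEBASE = [
    Rule("Updates-DC to Internet", "universal", frozenset({"data_center"}),
         frozenset({"untrust"}), sources=("208.80.56.0/24",),
         applications=frozenset({"ms-update", "dns"})),
    Rule("Deny-DC to Internet", "interzone", frozenset({"data_center"}),
         frozenset({"untrust"}), action="deny"),
    Rule("Allow-within-A-and-B", "intrazone", frozenset({"A", "B"})),
]
SAMPLE_FLOWS = [
    Flow("data_center", "untrust", "208.80.56.11", "176.9.45.70", "ms-update"),
    Flow("data_center", "untrust", "208.80.56.11", "176.9.45.70", "ssh"),
    Flow("A", "A", "10.1.1.10", "10.1.1.20", "smb"),
    Flow("A", "B", "10.1.1.10", "10.2.2.20", "smb"),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        rule = match_security_policy(SAMPLE_RULEBASE, flow)
        print(f"{flow.src_zone}->{flow.dst_zone} {flow.application}: {rule.name} ({rule.action})")
    print("shadowed with the deny on top:", shadowed_rules(SAMPLE_RULEBASE[::-1], SAMPLE_FLOWS))
```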
Optional Fields

Optional Field | Description
--- | ---
Tag | A keyword or phrase that allows you to filter security rules. This is handy when you have defined many rules and wish to then review those that are tagged with a keyword such as IT-sanctioned applications or High-risk applications.
Description | A text field, up to 255 characters, used to describe the rule.
Source IP Address | Define host IP or FQDN, subnet, named groups, or country-based enforcement. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
Destination IP Address | The location or destination for the traffic. If you use NAT, make sure to always refer to the original IP addresses in the packet (i.e. the pre-NAT IP address).
User | The user or group of users for whom the policy applies. You must have User-ID enabled on the zone. To enable User-ID, see User-ID Overview.
URL Category | Using the URL Category as match criteria allows you to customize security profiles (Antivirus, Anti-Spyware, Vulnerability, File Blocking, Data Filtering, and DoS) on a per-URL-category basis. For example, you can prevent .exe file download/upload for URL categories that represent higher risk while allowing them for other categories. This functionality also allows you to attach schedules to specific URL categories (allow social media websites during lunch and after hours), mark certain URL categories with QoS (financial, medical, and business), and select different log forwarding profiles on a per-URL-category basis. Although you can manually configure URL categories on your firewall, to take advantage of the dynamic URL categorization updates available on the Palo Alto Networks firewalls, you must purchase a URL filtering license. To block or allow traffic based on URL category, you must apply a URL Filtering profile to the security policy rules. Define the URL Category as Any and attach a URL Filtering profile to the security policy. See Define Basic Security Policy Rules for information on using the default profiles in your security policy and see Control Access to Web Content for more details.
Service | Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application. For example, for applications with well-known port numbers such as DNS, the application-default option will match against DNS traffic only on TCP port 53. You can also add a custom application and define the ports that the application can use. For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the firewall still checks for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols.
Security Profiles | Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are only evaluated for rules that have an allow action.
HIP Profile (for GlobalProtect) | Allows you to identify clients with Host Information Profile (HIP) and then enforce access privileges.
Options | Allow you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect.
Security Policy Actions

Action | Description
--- | ---
Allow | Allows the traffic.
Deny | Blocks traffic and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications or check the application details in Applipedia.
Drop | Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application. For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP Unreachable check box. When enabled, the firewall sends the ICMP code for "communication with the destination is administratively prohibited" (ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1).
Reset client | Sends a TCP reset to the client-side device.
Reset server | Sends a TCP reset to the server-side device.
Reset both | Sends a TCP reset to both the client-side and server-side devices.

A reset is sent only after a session is formed. If the session is blocked before a 3-way handshake is completed, the firewall will not send the reset. For a TCP session with a reset action, the firewall does not send an ICMP Unreachable response. For a UDP session with a drop or reset action, if the ICMP Unreachable check box is selected, the firewall sends an ICMP message to the client.
Create a Security Policy Rule

Step 1: (Optional) Delete the default security policy rule.

By default, the firewall includes a security rule named rule1 that allows all traffic from the Trust zone to the Untrust zone. You can either delete the rule or modify the rule to reflect your zone naming conventions.

Step 2: Add a rule.

2. Enter a descriptive Name for the rule in the General tab.
3. Select a Rule Type.

Step 3: Define the matching criteria for the source fields in the packet.

1. In the Source tab, select a Source Zone.
2. Specify a Source IP Address or leave the value set to any.
3. Specify a Source User or leave the value set to any.
Step 4: Define the matching criteria for the destination fields in the packet.

4. In the Destination tab, set the Destination Zone.
5. Specify a Destination IP Address or leave the value set to any.

As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.

Step 5: Specify the application the rule will allow or block.

As a best practice, always use application-based security policy rules instead of port-based rules and always set the Service to application-default unless you are using a more restrictive list of ports than the standard ports for an application.

1. In the Applications tab, Add the Application to safely enable. You can select multiple applications, or use application groups or application filters.
2. In the Service/URL Category tab, keep the Service set to application-default to ensure that any applications the rule allows are only allowed on their standard ports.

Step 6: (Optional) Specify a URL category as match criteria for the rule.

Step 7: Define what action you want the firewall to take for traffic that matches the rule.

In the Actions tab, select an Action. See Security Policy Actions for a description of each action.

Step 8: Configure the log settings.

Step 9: Attach security profiles to enable the firewall to scan all allowed traffic for threats.

See Create Best Practice Security Profiles to learn how to create security profiles that protect your network from both known and unknown threats.

In the Actions tab, select Profiles from the Profile Type drop-down and then select the individual security profiles to attach to the rule. Alternatively, select Group from the Profile Type drop-down and select a security Group Profile to attach.

Step 10: Save the policy rule to the running configuration on the firewall.

Click Commit.
Step 11: To verify that you have set up your basic policies effectively, test whether your security policy rules are being evaluated and determine which security policy rule applies to a traffic flow.

To verify the policy rule that matches a flow, use the following CLI command:

test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> protocol <protocol_number>

The output displays the best rule that matches the source and destination IP address specified in the CLI command.

For example, to verify the policy rule that will be applied for a server in the data center with the IP address 208.90.56.11 when it accesses the Microsoft update server:

test security-policy-match source 208.80.56.11 destination 176.9.45.70 destination-port 80 protocol 6
"Updates-DC to Internet" {
    from data_center_applications;
    source any;
    source-region any;
    to untrust;
    destination any;
    destination-region any;
    user any;
    category any;
    application/service[dns/tcp/any/53 dns/udp/any/53 dns/udp/any/5353 ms-update/tcp/any/80 ms-update/tcp/any/443];
    action allow;
    terminal yes;
Policy Objects
A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs, applications, or users. With policy objects that are a collective unit, you can reference the object in security policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you group objects that require similar permissions in policy. For example, if your organization uses a set of server IP addresses for authenticating users, you can group the set of server IP addresses as an address group policy object and reference the address group in the security policy. By grouping objects, you can significantly reduce the administrative overhead in creating policies.

You can create the following policy objects on the firewall:

Policy Object | Description
--- | ---
Address/Address Group, Region | Allow you to group specific source or destination addresses that require the same policy enforcement. The address object can include an IPv4 or IPv6 address (single IP, range, subnet) or the FQDN. Alternatively, a region can be defined by the latitude and longitude coordinates or you can select a country and define an IP address or IP range. You can then group a collection of address objects to create an address group object. You can also use dynamic address groups to dynamically update IP addresses in environments where host IP addresses change frequently.
User/User Group | Allow you to create a list of users from the local database or an external database and group them.
Application Filter, Application Group | An Application Filter allows you to filter applications dynamically. It allows you to filter, and save a group of applications using the attributes defined in the application database on the firewall. For example, you can Create an Application Filter by one or more attributes: category, subcategory, technology, risk, characteristics. With an application filter, when a content update occurs, any new applications that match your filter criteria are automatically added to your saved application filter. An Application Group allows you to create a static group of specific applications that you want to group together for a group of users or for a particular service, or to achieve a particular policy goal. See Create an Application Group.
Service/Service Groups | Allows you to specify the source and destination ports and protocol that a service can use. The firewall includes two predefined services, service-http and service-https, that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can, however, create any custom service on any TCP/UDP port of your choice to restrict application usage to specific ports on your network (in other words, you can define the default port for the application).

To view the standard ports used by an application, in Objects > Applications search for the application and click the link. A succinct description displays.
Security Profiles

While security policy rules enable you to allow or block traffic on your network, security profiles help you define an allow-but-scan rule, which scans allowed applications for threats, such as viruses, malware, spyware, and DDoS attacks. When traffic matches the allow rule defined in the security policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering.

Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy.

The firewall provides default security profiles that you can use out of the box to begin protecting your network from threats. See Set Up a Basic Security Policy for information on using the default profiles in your security policy. As you get a better understanding about the security needs on your network, you can create custom profiles. See Scan Traffic for Threats for more information.

For recommendations on the best practice settings for security profiles, see Create Best Practice Security Profiles.

You can add security profiles that are commonly applied together to a Security Profile Group; this set of profiles can be treated as a unit and added to security policies in one step (or included in security policies by default, if you choose to set up a default security profile group).

The following topics provide more detailed information about each type of security profile and how to set up a security profile group:
- Antivirus Profiles
- Anti-Spyware Profiles
- Vulnerability Protection Profiles
- URL Filtering Profiles
- Data Filtering Profiles
- File Blocking Profiles
- WildFire Analysis Profiles
- DoS Protection Profiles
- Zone Protection Profiles
- Security Profile Group
Antivirus Profiles

Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses, including support for scanning inside compressed files and data encoding schemes. If you have enabled Decryption on the firewall, the profile also enables scanning of decrypted content.

The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP, IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols. You can configure the action for a decoder or Antivirus signature and specify how the firewall responds to a threat event:

Action | Description
--- | ---
Default | For each threat signature and Antivirus signature that is defined by Palo Alto Networks, a default action is specified internally. Typically, the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Antivirus signature.
Allow | Permits the application traffic.
Alert | Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop | Drops the application traffic.
Reset Client | For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server | For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both | For TCP, resets the connection on both client and server ends. For UDP, drops the connection.

Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the internet, as well as the traffic sent to highly sensitive destinations, such as server farms.

The Palo Alto Networks WildFire system also provides signatures for persistent threats that are more evasive and have not yet been discovered by other antivirus solutions. As threats are discovered by WildFire, signatures are quickly created and then integrated into the standard Antivirus signatures that can be downloaded by Threat Prevention subscribers on a daily basis (sub-hourly for WildFire subscribers).

Anti-Spyware Profiles

Anti-Spyware profiles block spyware on compromised hosts from trying to phone home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply various levels of protection between zones. For example, you may want to have custom Anti-Spyware profiles that minimize inspection between trusted zones, while maximizing inspection on traffic received from an untrusted zone, such as internet-facing zones.

You can define your own custom Anti-Spyware profiles, or choose one of the following predefined profiles when applying Anti-Spyware to a Security policy rule:
- Default: Uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
SecurityProfiles
Policy
Strict: Overrides the default action of critical, high, and medium severity threats to the block action, regardless of the action defined in the signature file. This profile still uses the default action for medium and informational severity signatures.
When the firewall detects a threat event, you can configure the following actions in an Anti-Spyware profile:
Default: For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a default action is specified internally. Typically the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Antivirus signature.
Allow: Permits the application traffic.
Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop: Drops the application traffic.
Reset Client: For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server: For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both: For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
Block IP: This action blocks traffic from either a source or a source-destination pair. It is configurable for a specified period of time.
In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature helps to identify infected hosts on the protected network using DNS traffic. Infected hosts can then be easily identified in the traffic and threat logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
Anti-Spyware and Vulnerability Protection profiles are configured similarly.
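The log check described above, as an added example that is not part of the guide: it walks a constructed, simplified traffic-log excerpt (not the real PAN-OS log format, and with a made-up sinkhole address from the RFC 5737 test range) and reports every internal host that tried to connect to the sinkhole IP, which is the indicator of an infected client.

```python
import csv
from io import StringIO

# Address configured as the sinkhole in the Anti-Spyware profile (constructed; RFC 5737 test range).
SINKHOLE_IP = "192.0.2.1"

# Column layout of the constructed log excerpt below. This is NOT the real PAN-OS traffic log
# format, which carries many more fields; only the columns needed for the check are kept.
FIELDS = ["receive_time", "src", "dst", "dport", "app", "action"]

# Constructed traffic-log excerpt. 10.1.1.25 and 10.1.1.40 resolved a sinkholed domain and then
# tried to reach the forged address; 10.1.1.7 only talks to a legitimate server.
SAMPLE_TRAFFIC_LOG = """\
2016/05/02 10:01:12,10.1.1.25,198.51.100.53,53,dns,allow
2016/05/02 10:01:13,10.1.1.25,192.0.2.1,443,ssl,allow
2016/05/02 10:01:14,10.1.1.40,198.51.100.20,443,ssl,allow
2016/05/02 10:02:01,10.1.1.40,192.0.2.1,80,web-browsing,allow
2016/05/02 10:02:05,10.1.1.7,198.51.100.20,443,ssl,allow
2016/05/02 10:03:30,10.1.1.25,192.0.2.1,443,ssl,deny
"""


def find_sinkholed_hosts(log_text: str, sinkhole_ip: str = SINKHOLE_IP) -> dict:
    """Map each source IP that tried to reach the sinkhole address to a summary of its attempts.

    Any connection attempt to the sinkhole IP is evidence of an infected host: the only way a
    client learns that address is through a forged DNS answer for a known malicious domain.
    The security policy action (allow/deny) does not matter for the check, only the destination.
    """
    hosts = {}
    for row in csv.DictReader(StringIO(log_text), fieldnames=FIELDS):
        if row["dst"] != sinkhole_ip:
            continue
        entry = hosts.setdefault(row["src"], {"attempts": 0,
                                              "first_seen": row["receive_time"],
                                              "ports": set()})
        entry["attempts"] += 1
        entry["ports"].add(int(row["dport"]))
    for entry in hosts.values():
        entry["ports"] = sorted(entry["ports"])
    return hosts


if __name__ == "__main__":
    for src, info in sorted(find_sinkholed_hosts(SAMPLE_TRAFFIC_LOG).items()):
        print(f"{src}: {info['attempts']} attempt(s) to the sinkhole, "
              f"first seen {info['first_seen']}, ports {info['ports']}")
```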
CC# (Credit Card): Identifies credit card numbers using a hash algorithm. The content must match the hash algorithm in order for data to be detected as a credit card number. This method will reduce false positives.
SSN# (Social Security Number): Uses an algorithm to detect nine-digit numbers, regardless of format. There are two fields: SSN# and SSN# (no dash).
Weight and Threshold Values
It is important to understand how the weight of an object (SSN, CC#, pattern) is calculated in order to set the appropriate threshold for a condition you are trying to filter. Each occurrence multiplied by the weight value will be added together in order to reach an action threshold (alert or block).
Example: Filter for Social Security Numbers Only
For simplicity, if you only want to filter files with Social Security Numbers (SSN) and you define a weight of 3 for SSN#, you would use the following formula: each instance of a SSN x weight = threshold increment. In this case, if a Word document has 10 social security numbers you multiply that by the weight of 3, so 10 x 3 = 30. In order to take action for a file that contains 10 social security numbers you would set the threshold to 30. You may want to set an alert at 30 and then block at 60. You may also want to set a weight in the field SSN# (no dash) for Social Security Numbers that do not contain dashes. If multiple settings are used, they will accumulate to reach a given threshold.
Example: Filter for Social Security Numbers and a Custom Pattern
In this example, we will filter on files that contain Social Security Numbers and the custom pattern confidential. In other words, if a file has Social Security Numbers in addition to the word confidential and the combined instances of those items hit the threshold, the file will trigger an alert or block, depending on the action setting.
SSN# weight = 3
Custom Pattern confidential weight = 20
The custom pattern is case sensitive.
If the file contains 20 Social Security Numbers and a weight of 3 is configured, that is 20 x 3 = 60. If the file also contains one instance of the term confidential and a weight of 20 is configured, that is 1 x 20 = 20 for a total of 80. If your threshold for block is set to 80, this scenario would block the file. The alert or block action will be triggered as soon as the threshold is hit.
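The weight and threshold arithmetic from both examples above, carried through in code as an added illustration (not the firewall's own implementation): the SSN detectors are simple regexes standing in for the firewall's unpublished nine-digit algorithm, the sample documents and the alert threshold of 40 in the second profile are assumptions, and the custom pattern is matched case-sensitively as the text states.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the firewall's SSN# and SSN# (no dash) objects. The firewall's own
# nine-digit detection algorithm is not described on the page; these regexes are an assumption
# that is good enough to show how per-object weights accumulate toward a threshold.
SSN_DASH_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSN_NODASH_RE = re.compile(r"\b\d{9}\b")


@dataclass
class DataPatternProfile:
    """Weights and thresholds as configured in a Data Filtering profile (constructed)."""
    weights: dict           # object name -> weight, e.g. {"SSN#": 3, "confidential": 20}
    alert_threshold: int
    block_threshold: int


def count_matches(name: str, text: str) -> int:
    """Count occurrences of one data object in the file content."""
    if name == "SSN#":
        return len(SSN_DASH_RE.findall(text))
    if name == "SSN# (no dash)":
        return len(SSN_NODASH_RE.findall(text))
    # Any other name is a custom pattern; the page states these are case sensitive.
    return text.count(name)


def score_file(text: str, profile: DataPatternProfile):
    """Return (total, breakdown): each occurrence x weight, summed across all objects."""
    breakdown = {name: count_matches(name, text) * weight
                 for name, weight in profile.weights.items()}
    return sum(breakdown.values()), breakdown


def decide(total: int, profile: DataPatternProfile) -> str:
    """Action is taken as soon as the total reaches a threshold; block takes precedence."""
    if total >= profile.block_threshold:
        return "block"
    if total >= profile.alert_threshold:
        return "alert"
    return "allow"


# Constructed sample documents (fictional numbers, not real SSNs).
TEN_SSNS = " ".join(f"{100 + i:03d}-45-6789" for i in range(10))
TWENTY_SSNS_CONFIDENTIAL = (" ".join(f"{200 + i:03d}-45-6789" for i in range(20))
                            + " This document is confidential.")

# Example 1 from the page: SSN# weight 3, alert at 30, block at 60.
SSN_ONLY = DataPatternProfile({"SSN#": 3}, alert_threshold=30, block_threshold=60)
# Example 2 from the page: SSN# weight 3, custom pattern "confidential" weight 20, block at 80.
# The page gives no alert threshold for this example; 40 is an assumption.
SSN_AND_PATTERN = DataPatternProfile({"SSN#": 3, "confidential": 20},
                                     alert_threshold=40, block_threshold=80)

if __name__ == "__main__":
    for doc, profile in ((TEN_SSNS, SSN_ONLY), (TWENTY_SSNS_CONFIDENTIAL, SSN_AND_PATTERN)):
        total, breakdown = score_file(doc, profile)
        print(f"{breakdown} -> total {total} -> {decide(total, profile)}")
```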
Alert: When the specified file type is detected, a log is generated in the data filtering log.
Block: When the specified file type is detected, the file is blocked and a customizable block page is presented to the user. A log is also generated in the data filtering log.
Continue: When the specified file type is detected, a customizable response page is presented to the user. The user can click through the page to download the file. A log is also generated in the data filtering log. Because this type of forwarding action requires user interaction, it is only applicable for web traffic.
Flood Protection: Detects and prevents attacks where the network is flooded with packets resulting in too many half-open sessions and/or services being unable to respond to each request. In this case the source address of the attack is usually spoofed. See DoS Protection Against Flooding of New Sessions.
Resource Protection: Detects and prevents session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully established sessions as possible to consume all of a system's resources.
You can enable both types of protection mechanisms in a single DoS protection profile.
The DoS profile is used to specify the type of action to take and details on matching criteria for the DoS policy. The DoS profile defines settings for SYN, UDP, and ICMP floods, can enable resource protection, and defines the maximum number of concurrent connections. After you configure the DoS protection profile, you then attach it to a DoS policy.
When configuring DoS protection, it is important to analyze your environment in order to set the correct thresholds. Due to some of the complexities of defining DoS protection policies, this guide will not go into detailed examples. For more information, refer to the Threat Prevention Tech Note.
The following sections show how to create a security profile group and how to enable a profile group to be used by default in new security policies:
Create a Security Profile Group
Set Up or Override a Default Security Profile Group
Create a Security Profile Group
Use the following steps to create a security profile group and add it to a security policy.
Create a Security Profile Group
Step 1: Create a security profile group.
If you name the group default, the firewall will automatically attach it to any new rules you create. This is a time saver if you have a preferred set of security profiles that you want to make sure get attached to every new rule.
1.
2. Give the profile group a descriptive Name, for example, Threats.
3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
4. Add existing profiles to the group.
5. Click OK to save the profile group.
Step 2: Add a security profile group to a security policy.
1.
2. Select the Actions tab.
3.
4.
5. Click OK to save the policy and Commit your changes.
Step 3: Save your changes.
Click Commit.
Set Up or Override a Default Security Profile Group
Use the following options to set up a default security profile group to be used in new security policies, or to override an existing default group. When an administrator creates a new security policy, the default profile group will be automatically selected as the policy's profile settings, and traffic matching the policy will be checked according to the settings defined in the profile group (the administrator can choose to manually select different profile settings if desired). Use the following options to set up a default security profile group or to override your default settings.
If no default security profile exists, the profile settings for a new security policy are set to None by default.
Set Up or Override a Default Security Profile Group
Create a security profile group.
1.
2. Give the profile group a descriptive Name, for example, Threats.
3. If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
4. Add existing profiles to the group. For details on creating profiles, see Security Profiles.
5. Click OK to save the profile group.
6. Add the security profile group to a security policy.
7. Add or modify a security policy rule and select the Actions tab.
8.
9.
Set Up or Override a Default Security Profile Group
Set up a default security profile group.
1.
2. Name the security profile group default:
3. Click OK and Commit.
4. Confirm that the default security profile group is included in new security policies by default:
a. Select Policies > Security and Add a new security policy.
b. Select the Actions tab and view the Profile Setting fields:
By default, the new security policy correctly shows the Profile Type set to Group and the default Group Profile is selected.
Override a default security profile group.
If you have an existing default security profile group, and you do not want that set of profiles to be attached to a new security policy, you can continue to modify the Profile Setting fields according to your preference. Begin by selecting a different Profile Type for your policy (Policies > Security > Security Policy Rule > Actions).
Best Practice Internet Gateway Security Policy
One of the cheapest and easiest ways for an attacker to gain access to your network is through users accessing the internet. By successfully exploiting an endpoint, an attacker can take hold in your network and begin to move laterally towards the end goal, whether that is to steal your source code, exfiltrate your customer data, or take down your infrastructure. To protect your network from cyber attack and improve your overall security posture, implement a best practice internet gateway security policy. A best practice policy allows you to safely enable applications, users, and content by classifying all traffic, across all ports, all the time.
The following topics describe the overall process for deploying a best practice internet gateway security policy and provide detailed instructions for creating it.
What Is a Best Practice Internet Gateway Security Policy?
Why Do I Need a Best Practice Internet Gateway Security Policy?
How Do I Deploy a Best Practice Internet Gateway Security Policy?
Identify Whitelist Applications
Create User Groups for Access to Whitelist Applications
Decrypt Traffic for Full Visibility and Threat Inspection
Create Best Practice Security Profiles
Define the Initial Internet Gateway Security Policy
Monitor and Fine Tune the Policy Rulebase
Remove the Temporary Rules
Maintain the Rulebase
Minimize the chance of a successful intrusion: Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats.
Identify the presence of an attacker: A best practice internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.
To achieve these goals, the best practice internet gateway security policy uses application-based rules to allow access to whitelisted applications by user, while scanning all traffic to detect and block all known threats, and send unknown files to WildFire to identify new threats and generate signatures to block them:
The best practice policy is based on the following methodologies. The best practice methodologies ensure detection and prevention at multiple stages of the attack lifecycle.
Best Practice Methodology
Why is this important?
Because you cannot protect against threats you cannot see, you must make sure you have full visibility into all traffic across all users and applications all the time. To accomplish this:
Deploy GlobalProtect to extend the next-generation security platform to users and devices no matter where they are located.
Enable SSL decryption so the firewall can inspect encrypted traffic (SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network today).
Enable User-ID to map application traffic and associated threats to users/devices.
The firewall can then inspect all traffic, inclusive of applications, threats, and content, and tie it to the user, regardless of location or device type, port, encryption, or evasive techniques employed, using the native App-ID, Content-ID, and User-ID technologies.
Complete visibility into the applications, the content, and the users on your network is the first step toward informed policy control.
After you have context into the traffic on your network (applications, their associated content, and the users who are accessing them), create application-based Security policy rules to allow those applications that are critical to your business and additional rules to block all high-risk applications that have no legitimate use case.
To further reduce your attack surface, attach File Blocking and URL Filtering profiles to all rules that allow application traffic to prevent users from visiting threat-prone websites and prevent them from uploading or downloading dangerous file types (either knowingly or unknowingly).
Enable the firewall to scan all allowed traffic for known threats by attaching security profiles to all allow rules to detect and block network- and application-layer vulnerability exploits, buffer overflows, DoS attacks, and port scans, and known malware variants (including those hidden within compressed files or compressed HTTP/HTTPS traffic). To enable inspection of encrypted traffic, enable SSL decryption.
Forward all unknown files to WildFire for analysis. WildFire identifies unknown or targeted malware (also called advanced persistent threats or APTs) hidden within files by directly observing and executing unknown files in a virtualized sandbox environment in the cloud or on the WF-500 appliance. WildFire monitors more than 250 malicious behaviors and, if it finds malware, it automatically develops a signature and delivers it to you in as little as five minutes (and now that unknown threat is a known threat).
Identify applications regardless of port, protocol, evasive tactic or encryption
Identify and control users regardless of IP address, location, or device
Protect against known and unknown application-borne threats
Provide fine-grained visibility and policy control over application access and functionality
A best practice security policy uses a layered approach to ensure that you not only safely enable sanctioned applications, but also block applications with no legitimate use case. To mitigate the risk of breaking applications when moving from a port-based enforcement to an application-based enforcement, the best practice rulebase provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network. These temporary best practice rules ensure that applications your users are counting on don't break, while allowing you to monitor application usage and craft appropriate rules. You may find that some of the applications that were being allowed through existing port-based policy rules are not necessarily applications that you want to continue to allow or that you want to limit to a more granular set of users.
Unlike a port-based policy, a best practice security policy is easy to administer and maintain because each rule meets a specific goal of allowing an application or group of applications to a specific user group based on your business needs. Therefore, you can easily understand what traffic the rule enforces by looking at the match criteria. Additionally, a best practice security policy rulebase leverages tags and objects to make the rulebase more scannable and easier to keep synchronized with your changing environment.
architecture is to assess your business and identify what your most valuable assets are as well as what the biggest threats to those assets are. For example, if you are a technology company, your intellectual property is your most valuable asset. In this case, one of your biggest threats would be source code theft.
Segment Your Network Using Interfaces and Zones: Traffic cannot flow between zones unless there is a security policy rule to allow it. One of the easiest defenses against lateral movement of an attacker that has made its way into your network is to define granular zones and only allow access to the specific user groups who need to access an application or resource in each zone. By segmenting your network into granular zones, you can prevent an attacker from establishing a communication channel within your network (either via malware or by exploiting legitimate applications), thereby reducing the likelihood of a successful attack on your network.
Identify Whitelist Applications: Before you can create an internet gateway best practice security policy, you must have an inventory of the applications you want to allow on your network, and distinguish between those applications you administer and officially sanction and those that you simply want users to be able to use safely. After you identify the applications (including general types of applications) you want to allow, you can map them to specific best practice rules.
Create User Groups for Access to Whitelist Applications: After you identify the applications you plan to allow, you must identify the user groups that require access to each one. Because compromising an end user's system is one of the cheapest and easiest ways for an attacker to gain access to your network, you can greatly reduce your attack surface by only allowing access to applications to the user groups that have a legitimate business need.
Decrypt Traffic for Full Visibility and Threat Inspection: You can't inspect traffic for threats if you can't see it. And today SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network. This is precisely why encrypted traffic is a common way for attackers to deliver threats. For example, an attacker may use a web application such as Gmail, which uses SSL encryption, to email an exploit or malware to employees accessing that application on the corporate network. Or, an attacker may compromise a website that uses SSL encryption to silently download an exploit or malware to site visitors. If you are not decrypting traffic for visibility and threat inspection, you are leaving a very large surface open for attack.
Create Best Practice Security Profiles: Command-and-control traffic, CVEs, drive-by downloads of malicious content, and APTs are all delivered via legitimate applications. To protect against known and unknown threats, you must attach stringent security profiles to all Security policy allow rules.
Define the Initial Internet Gateway Security Policy: Using the application and user group inventory you conducted, you can define an initial policy that allows access to all of the applications you want to whitelist by user or user group. The initial policy rulebase you create must also include temporary rules
to prevent other applications you might not have known about from breaking and to identify policy gaps and security holes in your existing design.
Monitor and Fine Tune the Policy Rulebase: After the temporary rules are in place, you can begin monitoring traffic that matches to them so that you can fine tune your policy. Because the temporary rules are designed to uncover unexpected traffic on the network, such as traffic running on non-default ports or traffic from unknown users, you must assess the traffic matching these rules and adjust your application allow rules accordingly.
Remove the Temporary Rules: After a monitoring period of several months, you should see less and less traffic hitting the temporary rules. When you reach the point where traffic no longer hits the temporary rules, you can remove them to complete your best practice internet gateway security policy.
Maintain the Rulebase: Due to the dynamic nature of applications, you must continually monitor your application whitelist and adapt your rules to accommodate new applications that you decide to sanction as well as to determine how new or modified App-IDs impact your policy. Because the rules in a best practice rulebase align with your business goals and leverage policy objects for simplified administration, adding support for a new sanctioned application or new or modified App-ID oftentimes is as simple as adding or removing an application from an application group or modifying an application filter.
Map Applications to Business Goals for a Simplified Rulebase
Use Temporary Rules to Tune the Whitelist
Application Whitelist Example
Map Applications to Business Goals for a Simplified Rulebase
As you inventory the applications on your network, consider your business goals and acceptable use policies and identify the applications that correspond to each. This will allow you to create a goal-driven rulebase. For example, one goal might be to allow all users on your network to access data center applications. Another goal might be to allow the sales and support groups access to your customer database. You can then create a whitelist rule that corresponds to each goal you identify and group all of the applications that align with the goal into a single rule. This approach allows you to create a rulebase with a smaller number of individual rules, each with a clear purpose.
In addition, because the individual rules you create align with your business goals, you can use application objects to group the whitelist to further simplify administration of the best practice rulebase:
Create application groups for sanctioned applications: Because you will know exactly what applications you require and sanction for official use, create application groups that explicitly include only those applications. Using application groups also simplifies the administration of your policy because it allows you to add and remove sanctioned applications without requiring you to modify individual policy rules. Generally, if the applications that map to the same goal have the same requirements for enabling access
(for example, they all have a destination address that points to your data center address group, they all allow access to any known user, and you want to enable them on their default ports only) you would add them to the same application group.
Create application filters to allow general types of applications: Besides the applications you officially sanction, you will also need to decide what additional applications you will want to allow your users to access. Application filters allow you to safely enable certain categories of applications (based on category, subcategory, technology, risk factor, or characteristic). Separate the different types of applications based on business and personal use. Create separate filters for each type of application to make it easier to understand each policy rule at a glance.
Use Temporary Rules to Tune the Whitelist
Although the end goal of a best practice application-based policy is to use positive enforcement to safely enable your whitelist applications, the initial rulebase requires some additional rules designed to ensure that you have full visibility into all the applications in use on your network so that you can properly tune it. The initial rulebase you create will have the following types of rules:
Whitelist rules for the applications you officially sanction and deploy.
Whitelist rules for safely enabling access to general types of applications you want to allow per your acceptable use policy.
Blacklist rules that block applications that have no legitimate use case. You need these rules so that the temporary rules that catch applications that haven't yet been accounted for in your policy don't let anything bad onto your network.
Temporary allow rules to give you visibility into all of the applications running on your network so that you can tune the rulebase.
The temporary rules are a very important part of the initial best practice rulebase. Not only will they give you visibility into applications you weren't aware were running on your network (and prevent legitimate applications you didn't know about from breaking), but they will also help you identify things such as unknown users and applications running on non-standard ports. Because attackers commonly use standard applications on non-standard ports as an evasion technique, allowing applications on any port opens the door for malicious content. Therefore, you must identify any legitimate applications running on non-standard ports (for example, internally developed applications) so that you can either modify what ports are used or create custom applications to enable them.
Application Whitelist Example
Keep in mind that you do not need to capture every application that might be in use on your network in your initial inventory. Instead you should focus here on the applications (and general types of applications) that you want to allow. Temporary rules in the best practice rulebase will catch any additional applications that may be in use on your network so that you are not inundated with complaints of broken applications during your transition to application-based policy. The following is an example application whitelist for an enterprise gateway deployment.
Application Type
Best Practice for Securing
Sanctioned Applications
These are the applications that your IT department administers specifically for business use within your organization or to provide infrastructure for your network and applications. For example, in an internet gateway deployment these applications fall into the following categories:
Infrastructure Applications: These are the applications that you must allow to enable networking and security, such as ping, NTP, SMTP, and DNS.
IT Sanctioned Applications: These are the applications that you provision and administer for your users. These fall into two categories:
IT Sanctioned On-Premise Applications: These are the applications you install and host in your data center for business use. With IT sanctioned on-premise applications, the application infrastructure and the data reside on enterprise-owned equipment. Examples include Microsoft Exchange and ActiveSync, as well as authentication tools such as Kerberos and LDAP.
IT Sanctioned SaaS Applications: SaaS applications are those where the software and infrastructure are owned and managed by the application service provider, but where you retain full control of the data, including who can create, access, share, and transfer it (for example, Salesforce, Box, and GitHub).
Administrative Applications: These are applications that only a specific group of administrative users should have access to in order to administer applications and support users (for example, remote desktop applications).
General Types of Applications
Besides the applications you officially sanction and deploy, you will also want to allow your users to safely use other types of applications:
General Business Applications: For example, allow access to software updates, and web services, such as WebEx, Adobe online services, and Evernote.
Personal Applications: For example, you may want to allow your users to browse the web or safely use web-based mail, instant messaging, or social networking applications.
The recommended approach here is to begin with wide application filters so you can gain an understanding of what applications are in use on your network. You can then decide how much risk you are willing to assume and begin to pare down the application whitelist. For example, suppose you find that Box, Dropbox, and Office 365 file sharing applications are all in use on your network. Each of these applications has an inherent risk associated with it, from data leakage to risks associated with transfer of malware-infected files. The best approach would be to officially sanction a single file sharing application and then begin to phase out the others by slowly transitioning from an allow policy to an alert policy, and finally, after giving users ample warning, a block policy for all file sharing applications except the one you choose to sanction. In this case, you might also choose to enable a small group of users to continue using an additional file sharing application as needed to perform job functions with partners.
Custom Applications Specific to Your Environment
If you have proprietary applications on your network or applications that you run on non-standard ports, it is a best practice to create custom applications for them. This way you can allow the application as a sanctioned application and lock it down to its default port. Otherwise you would either have to open up additional ports (for applications running on non-standard ports), or allow unknown traffic (for proprietary applications), neither of which is recommended in a best practice Security policy.
need for the applications allowed by the rule. Keep in mind that because the best practice approach is to map the application whitelist rules to your business goals (which includes considering which users have a business need for a particular type of application), you will have a much smaller number of rules to manage than if you were trying to map individual port-based rules to users.
If you don't have an existing group on your AD server, you can alternatively create custom LDAP groups to match the list of users who need access to a particular application.
If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.
To ensure that certificates presented during SSL decryption are valid, configure the firewall to perform CRL/OCSP checks.
Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption policy rules:
Best Practice Decryption Profile
Step 1
Step 2
Step 3
Security Profile
Best Practice Settings
File Blocking
Create a File Blocking profile that blocks files that are commonly included in malware attack campaigns or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files as well as Windows Portable Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon, and .pif files. You can allow download/upload of executables and archive files (.zip and .rar), but force users to click continue before transferring a file to give them pause. Finally, alert on all other file types for visibility into what other file transfers are happening so that you can determine if you need to make policy changes.
Antivirus
Attach an Antivirus profile to all allowed traffic to detect and prevent viruses and malware from being transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. The best practice Antivirus profile uses the default action when it detects traffic that matches either an Antivirus signature or a WildFire signature. The default action differs for each protocol and follows the most up-to-date recommendation from Palo Alto Networks for how to best prevent malware in each type of protocol from propagating.
By default, the firewall alerts on viruses found in SMTP traffic. However, if you don't have a dedicated Antivirus gateway solution in place for your SMTP traffic, define a stricter action for this protocol to protect against infected email content. Use the reset-both action to return a 541 response to the sending SMTP server to prevent it from resending the blocked message.
Vulnerability Protection
Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. The best practice profile is a clone of the predefined Strict profile, with packet capture settings enabled to help you track down the source of any potential attacks.
Anti-Spyware
Attach an Anti-Spyware profile to all allowed traffic to detect command-and-control (C2) traffic initiated from spyware installed on a server or endpoint and prevent compromised systems from establishing an outbound connection from your network. The best practice Anti-Spyware profile resets the connection when the firewall detects a medium, high, or critical severity threat and blocks or sinkholes any DNS queries for known malicious domains.
To create this profile, clone the predefined strict profile and make sure to enable DNS sinkhole and packet capture to help you track down the endpoint that attempted to resolve the malicious domain. For the best possible protection, enable passive DNS monitoring, which enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.
URL Filtering
As a best practice, use PAN-DB URL filtering to prevent access to web content that is at high risk for being malicious. Attach a URL Filtering profile to all rules that allow access to web-based applications to protect against URLs that have been observed hosting malware or exploitive content.
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include malware, phishing, dynamic DNS, unknown, proxy avoidance and anonymizers, questionable, extremism, copyright infringement, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command-and-control activity, and data exfiltration.
In addition to blocking known bad categories, you should also alert on all other categories so that you have visibility into the sites your users are visiting. If you need to phase in a block policy, set categories to continue and create a custom response page to educate users on your acceptable use policies and alert them to the fact that they are visiting a site that may pose a threat. This will pave the way for you to outright block the categories after a monitoring period.
WildFire
Analysis
Whiletherestofthebestpracticesecurityprofilessignificantlyreducetheattacksurfaceon
yournetworkbydetectingandblockingknownthreats,thethreatlandscapeiseverchanging
andtheriskofunknownthreatslurkinginthefilesweusedailyPDFs,MicrosoftOffice
documents(.docand.xlsfiles)isevergrowing.And,becausetheseunknownthreatsare
increasinglysophisticatedandtargeted,theyoftengoundetecteduntillongafterasuccessful
attack.Toprotectyournetworkfromunknownthreats,youmustconfigurethefirewallto
forwardfilestoWildFireforanalysis.Withoutthisprotection,attackershavefreereignto
infiltrateyournetworkandexploitvulnerabilitiesintheapplicationsyouremployeesuse
everyday.BecauseWildFireprotectsagainstunknownthreats,itisyourgreatestdefense
againstadvancedpersistentthreats(APTs).
ThebestpracticeWildFireAnalysisprofilesendsallfilesinbothdirections(uploadand
download)toWildFireforanalysis.Specifically,makesureyouaresendingallPEfiles(ifyoure
notblockingthemperthefileblockingbestpractice),AdobeFlashandReaderfiles(PDF,SWF),
MicrosoftOfficefiles(PowerPoint,Excel,Word,RTF),Javafiles(Java,.CLASS),andAndroidfiles
(.APK).
Step 1: Create the Application Whitelist Rules
Step 2: Create the Application Block Rules
Step 3: Create the Temporary Tuning Rules
Step 4: Enable Logging for Traffic that Doesn't Match Any Rules
Step 1: Create the Application Whitelist Rules

After you Identify Whitelist Applications you are ready to create the first part of the best practice internet gateway security policy rulebase: the application whitelist rules. Every whitelist rule you create must allow traffic based on application (not port) and, with the exception of certain infrastructure applications that require user access before the firewall can identify the user, must only allow access to known users. Whenever possible, Create User Groups for Access to Whitelist Applications so that you can limit user access to the specific users or user groups who have a business need to access the application.

When creating the application whitelist rules, make sure to place more specific rules above more general rules. For example, the rules for all of your sanctioned and infrastructure applications would come before the rules that allow general access to certain types of business and personal applications. This first part of the rulebase includes the allow rules for the applications you identified as part of your application whitelist:
- Sanctioned applications you provision and administer for business and infrastructure purposes
- General business applications that your users may need to use in order to get their jobs done
- General applications you may choose to allow for personal use

Every application whitelist rule also requires that you attach the best practice security profiles to ensure that you are scanning all allowed traffic for known and unknown threats. If you have not yet created these profiles, see Create Best Practice Security Profiles. And, because you can't inspect what you can't see, you must also make sure you have configured the firewall to Decrypt Traffic for Full Visibility and Threat Inspection.
Create the Application Whitelist Rules

Step 1: Allow access to your corporate DNS servers.

Step 2: Allow access to other required IT infrastructure resources.

Why do I need this rule? Enable the applications that provide your network infrastructure and management functions, such as NTP, OCSP, STUN, and ping. While DNS traffic allowed in the preceding rule is restricted to the destination address in the data center, these applications may not reside in your data center and therefore require a separate rule.

Rule Highlights:
- Because these applications all run on the default port, allow access to any user (users may not yet be known users at the time these services are needed), and all have a destination address of any, contain them in a single application group and create a single rule to enable access to all of them.
- Users may not have logged in yet at the time they need access to the infrastructure applications, so make sure this rule allows access to any user.
Step 3: Allow access to IT-sanctioned SaaS applications.

Rule Highlights:
- Group all sanctioned SaaS applications in an application group.
- SaaS applications should always run on the application-default port.
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 4: Allow access to IT-provisioned on-premise applications.

Rule Highlights:
- Group all data center applications in an application group.
- Create an address group for your data center server addresses.
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 5: Allow access to applications your administrative users need.

Rule Highlights:
- This rule restricts access to users in the IT_admins group.
- Create custom applications for internal applications or applications that run on nonstandard ports so that you can enforce them on their default ports rather than opening additional ports on your network.
- If you have different user groups for different applications, create separate rules for granular control.
Step 6: Allow access to general business applications.

Rule Highlights:
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
- For visibility, create separate application filters for each type of application you want to allow.
- Attach the best practice security profiles to ensure that all traffic is free of known and unknown threats. See Create Best Practice Security Profiles.

Step 7: (Optional) Allow access to personal applications.

Rule Highlights:
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
- For visibility, create separate application filters for each type of application you want to allow.
- Scan all traffic for threats by attaching your best practice security profile group. See Create Best Practice Security Profiles.
Step 8: Allow general web browsing.

Rule Highlights:
- This rule uses the same best practice security profiles as the rest of the rules, except for the File Blocking profile, which is more stringent because general web browsing traffic is more vulnerable to threats.
- This rule allows only known users, to prevent devices with malware or embedded devices from reaching the internet.
- Use application filters to allow access to general types of applications.
- Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to browse to HTTPS sites that are excluded from decryption.
Step 2: Create the Application Block Rules

Although the overall goal of your security policy is to safely enable applications using application whitelist rules (also known as positive enforcement), the initial best practice rulebase must also include rules to help you find gaps in your policy and identify possible attacks. Because these rules are designed to catch things you didn't know were running on your network, they allow traffic that could also pose security risks on your network. Therefore, before you can create the temporary rules, you must create rules that explicitly blacklist applications designed to evade or bypass security or that are commonly exploited by attackers, such as public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file sharing applications.

Each of the tuning rules you will define in Step 3: Create the Temporary Tuning Rules is designed to identify a specific gap in your initial policy. Therefore some of these rules will need to go above the application block rules and some will need to go after.
Create the Application Block Rules

Step 1: Block applications that do not have a legitimate use case.

Rule Highlights:
- Use the Drop action to silently drop the traffic without sending a signal to the client or the server.
- Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
- Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.

Step 2: Block public DNS and SMTP applications.
Step 3: Create the Temporary Tuning Rules

The temporary tuning rules are explicitly designed to help you monitor the initial best practice rulebase for gaps and alert you to alarming behavior. For example, you will create temporary rules to identify traffic that is coming from unknown users or from applications running on unexpected ports. By monitoring the traffic matching the temporary rules you can also gain a full understanding of all of the applications in use on your network (and prevent applications from breaking while you transition to a best practice rulebase). You can use this information to help you fine-tune your whitelist, either by adding new whitelist rules to allow applications you weren't aware were needed, or by narrowing your whitelist rules to remove application filters and instead allow only specific applications in a particular category. When traffic is no longer hitting these rules you can Remove the Temporary Rules.

Some of the temporary tuning rules must go above the rules to block bad applications and some must go after, to ensure that targeted traffic hits the appropriate rule while still ensuring that bad traffic is not allowed onto your network.
Create Temporary Tuning Rules

Step 1: Allow web-browsing and SSL on nonstandard ports for known users to determine if there are any legitimate applications running on nonstandard ports.

Rule Highlights:
- Unlike the whitelist rules that allow applications on the default port only, this rule allows web-browsing and SSL traffic on any port so that you can find gaps in your whitelist.
- Because this rule is intended to find gaps in policy, limit it to known users on your network. See Create User Groups for Access to Whitelist Applications.
- Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to browse to HTTPS sites that aren't decrypted (such as financial services and healthcare sites).
- You must add this rule above the application block rules or no traffic will hit this rule.

Step 2: Allow web-browsing and SSL traffic on nonstandard ports from unknown users to highlight all unknown users regardless of port.

Rule Highlights:
- While the majority of the application whitelist rules apply to known users or specific user groups, this rule explicitly matches traffic from unknown users.
- Note that this rule must go above the application block rules or traffic will never hit it.
- Because it is an allow rule, you must attach the best practice security profiles to scan for threats.

Step 3: Allow all applications on the application-default port to identify unexpected applications.

Why do I need this rule? This rule provides visibility into applications that you weren't aware were running on your network so that you can fine-tune your application whitelist. Monitor all traffic matching this rule to determine whether it represents a potential threat, or whether you need to modify your whitelist rules to allow the traffic.

Rule Highlights:
- Because this rule allows all applications, you must add it after the application block rules to prevent bad applications from running on your network.
- If you are running PAN-OS 7.0.x or earlier, to appropriately identify unexpected applications, you must use an application filter that includes all applications, instead of setting the rule to allow any application.

Step 4: Allow any application on any port to identify applications running where they shouldn't be.
Step 4: Enable Logging for Traffic that Doesn't Match Any Rules

Traffic that does not match any of the rules you defined will match the predefined interzone-default rule at the bottom of the rulebase and be denied. For visibility into the traffic that is not matching any of the rules you created, enable logging on the interzone-default rule:

Enable Logging for Traffic That Doesn't Match Any Rules

Step 1: Select the interzone-default row in the rulebase and click Override to enable editing on this rule.

Step 2: Select the interzone-default rule name to open the rule for editing.

Step 3

Step 4: Create a custom report to monitor traffic that hits this rule.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the interzone-default rule:
   (rule eq 'interzone-default')

Step 5: Commit the changes you made to the rulebase.
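The ordering and matching constraints spread across Steps 1 through 4 above are easy to violate while editing a live rulebase. The following is an added example, not code from this guide or from PAN-OS: it models a rulebase as plain Python data and lints it against those constraints. Whitelist rules must allow named applications on application-default and only for known users (infrastructure applications excepted); block rules must drop and log any user on any port; the web-browsing/SSL tuning rules must sit above the block rules while the allow-any-application tuning rules must sit below them; a more general whitelist rule must not shadow a more specific one placed under it; and the interzone-default rule must log. The Rule model is a simplified stand-in for the PAN-OS rule fields, not the configuration schema or API, and the App-ID, application-group and user-group names are illustrative.

```python
"""Added example: lint a model of the best-practice internet gateway rulebase.

The Rule model is a simplified stand-in for the PAN-OS security rule fields
discussed on this page (application, service, source user, action, logging,
security profiles). It is not the PAN-OS schema or API. App-ID, group and
filter names are illustrative; rule names follow the guide's example policy.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Union

ANY = "any"
WEB = frozenset({"web-browsing", "ssl"})


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str                         # whitelist | block | tuning | default
    apps: Union[FrozenSet[str], str]  # frozenset of App-IDs, or ANY
    service: str                      # "application-default" or ANY
    users: str                        # group name, "known-user", "unknown", or ANY
    action: str                       # allow | deny | drop
    log: bool = True                  # log at session end
    profiles: bool = False            # best-practice security profile group attached
    infra: bool = False               # needed before User-ID can identify the user


def _covers(general: Rule, specific: Rule) -> bool:
    """True when every session matching `specific` also matches `general`,
    so `general` placed above `specific` shadows it completely."""
    apps_ok = general.apps == ANY or (specific.apps != ANY and general.apps >= specific.apps)
    svc_ok = general.service == ANY or general.service == specific.service
    users_ok = (general.users == ANY or general.users == specific.users
                or (general.users == "known-user" and specific.users not in (ANY, "unknown")))
    return apps_ok and svc_ok and users_ok


def lint(rules: List[Rule]) -> List[str]:
    """Return one finding per violated best-practice constraint (empty list = clean)."""
    findings: List[str] = []
    blocks = [i for i, r in enumerate(rules) if r.kind == "block"]
    first_block, last_block = (min(blocks), max(blocks)) if blocks else (len(rules), -1)
    for i, r in enumerate(rules):
        if r.kind == "whitelist":
            if r.action != "allow" or r.apps == ANY or r.service != "application-default":
                findings.append(f"{r.name}: whitelist rules allow named apps on application-default only")
            if r.users == ANY and not r.infra:
                findings.append(f"{r.name}: open to any user; only infrastructure apps may be")
            if not r.profiles:
                findings.append(f"{r.name}: allow rule without best-practice security profiles")
            if i > first_block:
                findings.append(f"{r.name}: whitelist rule placed below the application block rules")
            for earlier in rules[:i]:  # specific rules must sit above general ones
                if earlier.kind == "whitelist" and _covers(earlier, r):
                    findings.append(f"{r.name}: shadowed by more general rule '{earlier.name}' above it")
        elif r.kind == "block":
            if r.action != "drop" or not r.log or r.users != ANY or r.service != ANY:
                findings.append(f"{r.name}: block rules should drop, log, and match any user on any port")
        elif r.kind == "tuning":
            if not (r.profiles and r.log):
                findings.append(f"{r.name}: tuning rule must log and carry security profiles")
            if r.apps == ANY and i < last_block:  # Unexpected Traffic / Unexpected Port Usage
                findings.append(f"{r.name}: allows any application, so it must sit below the block rules")
            elif r.apps != ANY and r.apps <= WEB and r.service == ANY and i > first_block:
                findings.append(f"{r.name}: web/SSL-on-any-port tuning rule must sit above the block rules")
        elif r.kind == "default" and not r.log:
            findings.append(f"{r.name}: enable logging to see traffic that matches no rule")
    return findings


# Constructed rulebase following Steps 1 through 4 of this page. Group and filter
# names ("saas-app-group", "business-systems-filter", ...) are stand-ins.
GOOD_RULEBASE: List[Rule] = [
    Rule("Corporate DNS", "whitelist", frozenset({"dns"}), "application-default", ANY, "allow", profiles=True, infra=True),
    Rule("IT Infrastructure", "whitelist", frozenset({"ntp", "ocsp", "stun", "ping"}), "application-default", ANY, "allow", profiles=True, infra=True),
    Rule("Sanctioned SaaS", "whitelist", frozenset({"saas-app-group"}), "application-default", "known-user", "allow", profiles=True),
    Rule("Data Center Apps", "whitelist", frozenset({"dc-app-group"}), "application-default", "known-user", "allow", profiles=True),
    Rule("IT Admin Tools", "whitelist", frozenset({"ssh", "ms-rdp"}), "application-default", "IT_admins", "allow", profiles=True),
    Rule("General Business Apps", "whitelist", frozenset({"business-systems-filter"}), "application-default", "known-user", "allow", profiles=True),
    Rule("General Web Browsing", "whitelist", WEB, "application-default", "known-user", "allow", profiles=True),
    Rule("Unexpected Port SSL and Web", "tuning", WEB, ANY, "known-user", "allow", profiles=True),
    Rule("Unknown User SSL and Web", "tuning", WEB, ANY, "unknown", "allow", profiles=True),
    Rule("Block Bad Apps", "block", frozenset({"tor", "bittorrent"}), ANY, ANY, "drop"),
    Rule("Block Public DNS and SMTP", "block", frozenset({"dns", "smtp"}), ANY, ANY, "drop"),
    Rule("Unexpected Traffic", "tuning", ANY, "application-default", "known-user", "allow", profiles=True),
    Rule("Unexpected Port Usage", "tuning", ANY, ANY, "known-user", "allow", profiles=True),
    Rule("interzone-default", "default", ANY, ANY, ANY, "deny"),
]

# The same rules with two mistakes: the allow-any-application tuning rule moved
# above the block rules, and logging left off on interzone-default.
BAD_RULEBASE: List[Rule] = (
    GOOD_RULEBASE[:9] + [GOOD_RULEBASE[11]] + GOOD_RULEBASE[9:11]
    + [GOOD_RULEBASE[12], replace(GOOD_RULEBASE[13], log=False)]
)

if __name__ == "__main__":
    for label, rulebase in (("good", GOOD_RULEBASE), ("bad", BAD_RULEBASE)):
        print(f"{label}: {lint(rulebase) or ['no findings']}")
```

Run against the constructed rulebase the lint is silent; against the broken copy it reports that Unexpected Traffic sits above the block rules and that interzone-default does not log. Extending the model with source and destination zones or addresses would let the shadowing check also catch the corporate-DNS versus public-DNS overlap, which this page resolves through the destination address rather than the application.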
Identify Policy Gaps

Step 1: Create custom reports that let you monitor traffic that hits the rules designed to identify policy gaps.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name that indicates the particular policy gap you are investigating, such as Best Practice Policy Tuning.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the rules designed to find policy gaps and alarming behavior. You can create a single report that details traffic hitting any of the rules (using the or operator), or create individual reports to monitor each rule. Using the rule names defined in the example policy, you would enter the corresponding queries:
   (rule eq 'Unexpected Port SSL and Web')
   (rule eq 'Unknown User SSL and Web')
   (rule eq 'Unexpected Traffic')
   (rule eq 'Unexpected Port Usage')
Step 2: Review the report regularly to make sure you understand why traffic is hitting each of the best practice policy tuning rules and either update your policy to include legitimate applications and users, or use the information in the report to assess the risk of that application usage and implement policy reforms.

Remove the Temporary Rules (Continued)

Step 2: Select the rule and click Delete.
Alternatively, Disable the rules for a period of time before deleting them. This would allow you to Enable them again if traffic logs show traffic matching the interzone-default rule.

Step 3: Commit the changes.
Step 1: Before installing a new content release version, review the new App-IDs to determine if there is policy impact.

Step 2: Disable new App-IDs introduced in a content release, in order to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing the necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.

Step 3: Tune security policy rules to account for App-ID changes included in a content release, or to add new sanctioned applications to or remove applications from your application whitelist rules.
Enumeration of Rules Within a Rulebase

Each rule within a rulebase is automatically numbered and the ordering adjusts as rules are moved or reordered. When filtering rules to find rules that match the specified filter(s), each rule is listed with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order.

On Panorama, pre-rules, post-rules, and default rules are independently numbered. When Panorama pushes rules to a firewall, the rule numbering reflects the hierarchy and evaluation order of shared rules, device group pre-rules, firewall rules, device group post-rules, and default rules. The Preview Rules option in Panorama displays an ordered list view of the total number of rules on a firewall.

View the Ordered List of Rules Within a Rulebase

View the numbered list of rules on the firewall.
Select Policies and any rulebase under it. For example, Policies > Security. The leftmost column in the table displays the rule number.

View the numbered list of rules on Panorama.
Select Policies and any rulebase under it. For example, Policies > Security > Pre-rules.

After you push the rules from Panorama, view the complete list of rules with numbers on the firewall.
From the web interface of the firewall, select Policies and pick any rulebase under it. For example, select Policies > Security and view the complete set of numbered rules that the firewall will evaluate.
Move or Clone a Policy Rule or Object to a Different Virtual System

On a firewall that has more than one virtual system (vsys), you can move or clone policy rules and objects to a different vsys or to the Shared location. Moving and cloning save you the effort of deleting, recreating, or renaming rules and objects. If the policy rule or object that you will move or clone from a vsys has references to objects in that vsys, move or clone the referenced objects also. If the references are to shared objects, you do not have to include those when moving or cloning. You can Use Global Find to Search the Firewall or Panorama Management Server for references.

Move or Clone a Policy Rule or Object to a Virtual System

Step 1

Step 2: Select the Virtual System and select one or more policy rules or objects.

Step 3: Perform one of the following steps:
- Select Move > Move to other vsys (for policy rules).
- Click Move (for objects).
- Click Clone (for policy rules or objects).

Step 4: In the Destination drop-down, select the new virtual system or Shared.

Step 5: (Policy rules only) Select the Rule order:
- Move top (default): The rule will come before all other rules.
- Move bottom: The rule will come after all other rules.
- Before rule: In the adjacent drop-down, select the rule that comes after the Selected Rules.
- After rule: In the adjacent drop-down, select the rule that comes before the Selected Rules.

Step 6

Step 7: Click OK to start the error validation. If the firewall displays errors, fix them and retry the move or clone operation. If the firewall doesn't find errors, the object is moved or cloned successfully. After the operation finishes, click Commit.
Use Tags to Group and Visually Distinguish Objects

You can tag objects to group related items and add color to the tag in order to visually distinguish them for easy scanning. You can create tags for the following objects: address objects, address groups, zones, service groups, and policy rules.

The firewall and Panorama support both static tags and dynamic tags. Dynamic tags are registered from a variety of sources and are not displayed with the static tags because dynamic tags are not part of the firewall/Panorama configuration. See Register IP Addresses and Tags Dynamically for information on registering tags dynamically. The tags discussed in this section are statically added and are part of the configuration.

You can apply one or more tags to objects and to policy rules, up to a maximum of 64 tags per object. Panorama supports a maximum of 10,000 tags, which you can apportion across Panorama (shared and device groups) and the managed firewalls (including firewalls with multiple virtual systems).

- Create and Apply Tags
- Modify Tags
- Use the Tag Browser
Create and Apply Tags

Step 1: Create tags.
To tag a zone, you must create a tag with the same name as the zone. When the zone is attached in policy rules, the tag color automatically displays as the background color against the zone name.
1.
2.
3.
4.
5. (Optional) Assign one of the 17 predefined colors to the tag. By default, Color is None.
6. Click OK and Commit to save the changes.
Step 2: Apply tags to an address object, address group, service, or service group.
1. Create the object. For example, to create a service group, select Objects > Service Groups > Add.
2. Select a tag from the Tags drop-down or enter a name in the field to create a new tag. To edit a tag or add color to the tag, see Modify Tags.

Step 3: Apply tags to policy.
1. Select Policies and any rulebase under it.
2. Click Add to create a policy rule and use the tagged objects you created in Step 1.
3. Verify that the tags are in use.
Modify Tags

Select Objects > Tags to perform any of the following operations with tags:
- Click the link in the Name column to edit the properties of a tag.
- Select a tag in the table, and click Delete to remove the tag from the firewall.
- Click Clone to create a duplicate tag with the same properties. A numerical suffix is added to the tag name. For example, FTP-1.

For details on creating tags, see Create and Apply Tags. For information on working with tags, see Use the Tag Browser.

Use the Tag Browser

Explore the tag browser.
1. Access the Tag Browser on the left pane of the Policies tab. The tag browser displays the tags that have been used in the rules for the selected rulebase, for example Policies > Security.
2. Tag (#): Displays the label and the rule number or range of numbers in which the tag is used contiguously. Hover over the label to see the location where the rule was defined; it can be inherited from a shared location, a device group, or a virtual system.
3. Rule: Lists the rule number or range of numbers associated with the tags.
4. Sort the tags.
   - Filter by first tag in rule: Sorts rules using the first tag applied to each rule in the rulebase. This view is particularly useful if you want to narrow the list and view related rules that might be spread around the rulebase. For example, if the first tag in each rule denotes its function (best practices, administration, web access, data center access, proxy) you can narrow the result and scan the rules based on function.
   - Rule Order: Sorts the tags in the order of appearance within the selected rulebase. When displayed in order of appearance, tags used in contiguous rules are grouped. The rule number with which the tag is associated is displayed along with the tag name.
   - Alphabetical: Sorts the tags in alphabetical order within the selected rulebase. The display lists the tag name and color (if a color is assigned) and the number of times it is used within the rulebase.
   The label None represents rules without any tags; it does not display rule numbers for untagged rules. When you select None, the right pane is filtered to display rules that have no tags assigned to them.
5. Clear: Clears the filter on the currently selected tags in the search bar.
6. Search bar: To search for a tag, enter the term and click the green arrow icon to apply the filter. It also displays the total number of tags in the rulebase and the number of selected tags.
7. Expand or collapse the tag browser.
Tag a rule.
1. Select a rule on the right pane.
2. Do one of the following:
   - Select a tag in the tag browser and select Apply the Tag to the Selection(s) from the drop-down.
   - Drag and drop tag(s) from the tag browser onto the Tags column of the rule. When you drop a tag, a confirmation dialog displays.
3. Commit the changes.

View rules that match the selected tags.
You can filter rules based on tags with an AND or an OR operator.
- OR filter: To view rules that have specific tags, select one or more tags in the tag browser; the right pane only displays the rules that include any of the currently selected tags.
- AND filter: To view rules that have all the selected tags, hover over the number associated with the tag in the Rule column of the tag browser and select Filter. Repeat to add more tags. Click the apply filter icon in the search bar on the right pane. The results are displayed using an AND operator.

View the currently selected tags.
To view the currently selected tags, hover over the Clear label in the tag browser.

Untag a rule.
Hover over the rule number associated with a tag in the Rule column of the tag browser and select Untag Rule(s). Confirm that you want to remove the selected tag from the rule. Commit the changes.
Reorder rules using tags.
Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Move Rule(s). Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down. Commit the changes.

Add a new rule that applies the selected tags.
Select one or more tags, hover over the rule number in the Rule column of the tag browser, and select Add New Rule. Define the rule and Commit the changes.
The numerical order of the new rule varies by whether you selected a rule on the right pane. If you did not select a rule on the right pane, the new rule will be added after the rule to which the selected tag(s) belongs. Otherwise, the new rule is added after the selected rule.

Search for a tag.
In the tag browser, enter the first few letters of the tag name you want to search for and click the Apply Filter icon. The tags that match your input will display.
Use an External Dynamic List in Policy

An external dynamic list (formerly called dynamic block list) is a text file that you host on an external web server so that the firewall can import objects (IP addresses, URLs, domains) to enforce policy on the entries in the list. As you update the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall.

- External Dynamic List
- Formatting Guidelines for an External Dynamic List
- Enforce Policy on Entries in an External Dynamic List
- View the List of Entries in an External Dynamic List
- Retrieve an External Dynamic List from the Web Server

External Dynamic List

- IP Address: The firewall typically enforces policy for a source or destination IP address that is defined as a static object on the firewall. If you need agility in enforcing policy for a list of source or destination IP addresses that emerge ad hoc, you can use an external dynamic list of type IP address as a source or destination address object in policy rules, and configure the firewall to deny or allow access to the IP addresses (IPv4 and IPv6 addresses, IP ranges and IP subnets) included in the list. The firewall treats an external dynamic list of type IP address as an address object; all the IP addresses included in a list are handled as one address object.
- URL: An external dynamic list of type URL gives you the agility to protect your network from new sources of threat or malware. The firewall handles an external dynamic list with URLs like a custom URL category and you can use this list in two ways:
  - As match criteria in Security policy rules, Decryption policy rules, and QoS policy rules to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the custom category.
  - In a URL Filtering profile where you can define more granular actions, such as continue, alert, or override, before you attach the profile to a Security policy rule.
- Domain: An external dynamic list of type domain allows you to import custom domain names into the firewall to enforce policy using an Anti-Spyware profile. This capability is very useful if you subscribe to third-party threat intelligence and want to protect your network from new sources of threat or malware as soon as you learn of a malicious domain. For each domain you include in the external dynamic list, the firewall creates a custom DNS-based spyware signature so that you can enable DNS sinkholing. The DNS-based spyware signature is of type spyware with medium severity and each signature is named Custom Malicious DNS Query <domain name>. For details, see Configure DNS Sinkholing for a List of Custom Domains.

On each firewall platform, you can configure a maximum of 30 unique sources for external dynamic lists; these limits are not applicable to Panorama. When using Panorama to manage a firewall that is enabled for multiple virtual systems, if you exceed the limit for the firewall, a commit error displays on Panorama. A source is a URL that includes the IP address or hostname, the path, and the filename for the external dynamic list. The firewall matches the URL (complete string) to determine whether a source is unique.

While the firewall does not impose a limit on the number of lists of a specific type, the following limits are enforced:
- IP address: The PA-5000 Series and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other platforms support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list. When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message.
- URL and domain: A maximum of 50,000 URLs and 50,000 domains are supported on each platform, with no limits enforced on the number of entries per list.

When parsing the list, the firewall skips entries that do not match the list type, and ignores entries that exceed the maximum number supported for the platform.

Formatting Guidelines for an External Dynamic List

- IP Address List
- Domain List
- URL List
IP Address List

The external dynamic list can include individual IP addresses, subnet addresses (address/mask), or ranges of IP addresses. In addition, the block list can include comments and special characters such as *, :, ;, #, or /. The syntax for each line in the list is:
[IP address, IP/Mask, or IP start range-IP end range] [space] [comment]

Enter each IP address/range/subnet on a new line; URLs or domains are not supported in this list. A subnet or an IP address range, such as 192.168.20.0/24 or 192.168.20.40-192.168.20.50, counts as one IP address entry and not as multiple IP addresses. If you add comments, the comment must be on the same line as the IP address/range/subnet. The space at the end of the IP address is the delimiter that separates a comment from the IP address.

An example IP address list:
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
For an IP address that is blocked, you can display a notification page only if the protocol is HTTP.

Domain List

Enter each domain name on a new line; URLs or IP addresses are not supported in this list. Do not prefix the domain name with the protocol, http:// or https://. Wildcards are not supported.

An example list of domains:
www.example.com
baddomain.com
qqq.abcedfg.au

URL List

See Block and Allow Lists.
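The formatting rules above (one entry per line, a space-delimited comment on IP lines, no http:// or https:// prefix, no wildcards in a domain list) and the firewall behaviour described earlier (entries that do not match the list type are skipped, entries past the platform maximum are ignored) are worth checking before a list is published, because a malformed entry silently drops out of enforcement. The following is an added example, not code from this guide or from PAN-OS: a small Python validator that applies those rules to the text of an IP address or domain list and reports what the firewall would accept, skip, or ignore. The DNS label syntax used for hostnames and the tolerance for a semicolon glued directly to an IP entry (as in the CLI output shown later on this page) are the example's own assumptions.

```python
"""Added example: validate an external dynamic list file before hosting it.

Applies this page's formatting rules for IP address and domain lists and the
firewall's skip/ignore behaviour. Not PAN-OS code; the hostname label syntax
is the example's own assumption.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Totals from this page: 50,000 IPs (150,000 on PA-5000/PA-7000), 50,000 domains.
PLATFORM_MAX = {"ip": 50_000, "domain": 50_000}
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # assumption: DNS label syntax
Skipped = Tuple[int, str, str]  # (line number, raw line, reason)


def _parse_ip_entry(token: str) -> str:
    """Normalise an IP, IP/mask, or start-end range; ValueError if it is none of these."""
    if "-" in token:
        lo, hi = (ipaddress.ip_address(p) for p in token.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("malformed IP range")
        return f"{lo}-{hi}"
    if "/" in token:
        return str(ipaddress.ip_network(token, strict=False))
    return str(ipaddress.ip_address(token))


def _parse_domain(entry: str) -> str:
    """Accept a bare hostname only: no scheme, no wildcard, no path, not an IP."""
    if entry.lower().startswith(("http://", "https://")):
        raise ValueError("scheme prefix not allowed")
    if "*" in entry:
        raise ValueError("wildcards not supported")
    if "/" in entry or any(ch.isspace() for ch in entry):
        raise ValueError("URLs are not domains")
    try:
        ipaddress.ip_address(entry)
    except ValueError:
        pass
    else:
        raise ValueError("IP addresses are not domains")
    labels = entry.rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a hostname")
    return entry.lower()


def parse_edl(text: str, list_type: str, max_entries: Optional[int] = None) -> Tuple[List[str], List[Skipped]]:
    """Return (accepted entries, skipped lines with reasons). Like the firewall, entries
    that do not match the list type are skipped and entries past the cap are ignored."""
    if list_type not in PLATFORM_MAX:
        raise ValueError(f"unsupported list type {list_type!r}")
    cap = PLATFORM_MAX[list_type] if max_entries is None else max_entries
    accepted: List[str] = []
    skipped: List[Skipped] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            if list_type == "ip":
                # The first space ends the address. A ';' glued to the address (as in
                # the CLI output later on this page) is tolerated: an assumption.
                entry = _parse_ip_entry(line.split(None, 1)[0].rstrip(";"))
            else:
                entry = _parse_domain(line)
        except ValueError as exc:
            skipped.append((lineno, raw, str(exc)))
            continue
        if len(accepted) >= cap:
            skipped.append((lineno, raw, "exceeds platform maximum, ignored"))
            continue
        accepted.append(entry)
    return accepted, skipped


# Constructed samples: the page's IP example plus one wrong-type line, and a
# domain list carrying the three mistakes the page warns against.
SAMPLE_IP_LIST = """192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
www.example.com a domain does not belong in an IP list
"""
SAMPLE_DOMAIN_LIST = "www.example.com\nbaddomain.com\nhttp://evil.example\n*.wild.example\n192.0.2.7\n"

if __name__ == "__main__":
    for kind, text in (("ip", SAMPLE_IP_LIST), ("domain", SAMPLE_DOMAIN_LIST)):
        ok, bad = parse_edl(text, kind)
        print(f"{kind}: {len(ok)} accepted; skipped: {[(n, why) for n, _, why in bad]}")
```

Passing max_entries with a small value shows the second behaviour: once the cap is reached every further valid line is reported as ignored rather than accepted, which is exactly the entry that would be missing from enforcement on a firewall that has hit its platform limit. Run the check in the publishing pipeline for the list and refuse to publish when the skipped list is non-empty.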
Enforce Policy on Entries in an External Dynamic List

Step 1: Create the external dynamic list and host it on a web server so that the firewall can retrieve the list for policy evaluation.
Create a text file and enter the URLs, domains, or IP addresses in the file.
To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries. See Formatting Guidelines for an External Dynamic List.
Step 2: Configure the firewall to access the external dynamic list.
1.
2. Click Add and enter a descriptive Name for the list.
3. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
4. (Panorama only) Select Disable override to ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.
5. In the Type drop-down, select the list type, for example, URL List. Ensure that the list only includes entries for the list type. See Verify whether entries in the external dynamic list were ignored or skipped.
6. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
7.
8. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes.
   The interval is relative to the last commit. So, for the five minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
9. Click OK.
10. Use the external dynamic list in a security profile or directly in a policy rule, as supported. See the following:
   - Use an External Dynamic List in a URL Filtering Profile.
   - Configure DNS Sinkholing for a List of Custom Domains.
   - Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
   - Use an External Dynamic List of Type IP as a Source or Destination Address Object in a Security Policy Rule.
Step 3: Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
You can also Use an External Dynamic List in a URL Filtering Profile.
1.
2. Click Add and enter a descriptive Name for the rule.
3. In the Source tab, select the Source Zone.
4. In the Destination tab, select the Destination Zone.
5. In the Service/URL Category tab, click Add to select the appropriate external dynamic list from the URL Category list.
6. In the Actions tab, set the Action Setting to Allow or Deny.
7. Click OK and Commit.
8. Verify whether entries in the external dynamic list were ignored or skipped. Use the following CLI command on a firewall to review the details for a list:
   request system external-list show type <domain | ip | url> name_of_list
   For example:
   request system external-list show type url EBL_ISAC_Alert_List
9. Test that the policy action is enforced.
   a. Attempt to access a URL that is included in the external dynamic list.
   b. Verify that the action you defined is enforced in the browser.
   c. To monitor the activity on the firewall:
      - Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
      - Select Monitor > Logs > URL Filtering to access the detailed log view.
Step4
UseanExternalDynamicListofTypeIP
asaSourceorDestinationAddress
ObjectinaSecurityPolicyRule.
Thiscapabilityisusefulifyoudeploy
newserversandwanttoallowaccessto
thenewlydeployedserverswithout
requiringafirewallcommit.
1.
2.
ClickAdd andgivetheruleadescriptivenameintheGeneral
tab.
3.
4.
5.
6.
7.
Leavealltheotheroptionsatthedefaultvalues.
8.
ClickOKtosavethechanges.
9.
Committhechanges.
10. Testthatthepolicyactionisenforced.
a. AccessaIPaddressthatisincludedintheexternaldynamic
listandverifythatactionyoudefinedisenforced.
b. SelectMonitor > Logs > Trafficandviewthelogentryfor
thesession.
c. Toverifythepolicyrulethatmatchesaflow,usethe
followingCLIcommand:
test security-policy-match source <IP_address>
destination <IP_address> destination port
<port_number> protocol <protocol_number>
Step 1
Log in to the CLI on the firewall.
Step 2
Enter the following command to view the list of entries that the firewall has retrieved from the web server:
request system external-list show name <name>
For example, for a list named DBL_2014 of type IP address, the output is:
vsys1/DBL_2014:
Next update at: Wed Aug 27 16:00:00 2014
IPs:
1.1.1.1
1.2.2.2/20 #test China
192.168.255.0; test internal
192.168.254.0/24 test internal range
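As an added example (not code from the guide or from Palo Alto Networks), the Python script below pre-checks an IP-type list file before the web server publishes it, so that entries the firewall would ignore or skip (step 8 above) are caught first. The comment rules it applies are an assumption, and the sample list is constructed.

```python
"""Pre-flight check for an external dynamic list (EDL) of type IP.

Added example, not from the guide. It mirrors step 8's concern: entries the
firewall cannot parse are ignored or skipped. Assumptions: text after '#' or ';'
is a comment, and only the first whitespace-separated token of a line is the
entry (the guide's sample output shows all three forms). The sample list is
constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class EdlReport:
    accepted: List[Tuple[int, object]] = field(default_factory=list)   # (line no, network)
    skipped: List[Tuple[int, str, str]] = field(default_factory=list)  # (line no, raw, reason)


def _entry_token(line: str) -> str:
    """Drop comments and trailing text; return the candidate entry or ''."""
    for marker in ("#", ";"):
        line = line.split(marker, 1)[0]
    parts = line.split()
    return parts[0] if parts else ""


def validate_ip_edl(text: str) -> EdlReport:
    report = EdlReport()
    seen = set()
    for no, raw in enumerate(text.splitlines(), start=1):
        token = _entry_token(raw)
        if not token:
            continue  # blank or comment-only line
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError as exc:
            report.skipped.append((no, raw.rstrip(), str(exc)))
            continue
        if net in seen:
            report.skipped.append((no, raw.rstrip(), "duplicate entry"))
            continue
        seen.add(net)
        report.accepted.append((no, net))
    return report


def normalized_entries(report: EdlReport) -> List[str]:
    """Canonical CIDR strings, e.g. '1.2.2.2/20' becomes '1.2.0.0/20'."""
    return [str(net) for _, net in report.accepted]


# Constructed sample: the four forms from the guide's output plus three bad lines.
SAMPLE_EDL = """\
1.1.1.1
1.2.2.2/20 #test China
192.168.255.0; test internal
192.168.254.0/24 test internal range
not-an-address
10.0.0.0/33
1.1.1.1   ; repeated on purpose
"""

if __name__ == "__main__":
    rep = validate_ip_edl(SAMPLE_EDL)
    print("accepted:", normalized_entries(rep))
    for no, raw, reason in rep.skipped:
        print(f"line {no} skipped: {raw!r} ({reason})")
```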
Step 2
Select the list that you want to refresh, and click Import Now. The job to import the list will be added to the queue.
Step 3
To view the status of the job in the Task Manager, see Manage and Monitor Administrative Tasks.
Register IP Addresses and Tags Dynamically
To mitigate the challenges of scale, lack of flexibility, and performance, the architecture in networks today allows for clients, servers, and applications to be provisioned, changed, and deleted on demand. This agility poses a challenge for security administrators because they have limited visibility into the IP addresses of the dynamically provisioned clients and servers, and the plethora of applications that can be enabled on these virtual resources.
The firewall (hardware-based platforms and the VM-Series) supports the ability to register IP addresses and tags dynamically. The IP addresses and tags can be registered on the firewall directly or registered on the firewall through Panorama. This dynamic registration process can be enabled using any of the following options:
- User-ID agent for Windows: In an environment where you've deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi and/or vCenter Servers. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.
- VM Information Sources: Allows you to monitor VMware ESXi and vCenter Server, and the AWS-VPC to retrieve IP address changes when you provision or modify virtual machines on these sources. VM Information Sources polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.
- VMware Service Manager (only available for the integrated NSX solution): The integrated NSX solution is designed for automated provisioning and distribution of Palo Alto Networks next-generation security services and the delivery of dynamic context-based security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.
- XML API: The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.
For information on creating and using Dynamic Address Groups, see Use Dynamic Address Groups in Policy.
For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP Addresses and Tags.
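As an added example (not the guide's or Palo Alto Networks' code), the script below builds and inspects the uid-message XML that the XML API register/unregister call carries; the message layout is the one I know from the PAN-OS XML API Usage Guide the text cites, and the firewall host, API key and IP/tag pairs are placeholders.

```python
"""Build and check a PAN-OS XML API uid-message that registers IP-tag pairs.

Added example, not the guide's own code. The <uid-message> layout
(version / type=update / payload / register|unregister) is the format
I know from the PAN-OS XML API Usage Guide; verify it against that guide.
Host, key and IP/tag values are placeholders.
"""
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional


def _add_entries(parent: ET.Element, ip_tags: Dict[str, Iterable[str]]) -> None:
    # Reject malformed addresses up front instead of pushing them to the firewall,
    # where a bad registration would be skipped or misapplied silently.
    for ip, tags in ip_tags.items():
        ipaddress.ip_address(ip)  # raises ValueError on bad input
        entry = ET.SubElement(parent, "entry", ip=ip)
        tag_el = ET.SubElement(entry, "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag


def build_uid_message(register: Optional[Dict[str, Iterable[str]]] = None,
                      unregister: Optional[Dict[str, Iterable[str]]] = None) -> str:
    """Serialize one update message carrying register and/or unregister sections."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if register:
        _add_entries(ET.SubElement(payload, "register"), register)
    if unregister:
        _add_entries(ET.SubElement(payload, "unregister"), unregister)
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text: str) -> Dict[str, Dict[str, list]]:
    """Invert build_uid_message: {'register': {ip: [tags]}, 'unregister': {...}}."""
    root = ET.fromstring(xml_text)
    result = {"register": {}, "unregister": {}}
    for section in result:
        for entry in root.findall(f"./payload/{section}/entry"):
            result[section][entry.get("ip")] = [m.text for m in entry.findall("./tag/member")]
    return result


def api_request(firewall_host: str, api_key: str, uid_xml: str) -> urllib.request.Request:
    """Build (do not send) the POST to /api/ with type=user-id and the message as cmd."""
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    return urllib.request.Request(f"https://{firewall_host}/api/", data=body, method="POST")


# Constructed sample: tags of the kind a VM monitor would register for a guest.
SAMPLE_REGISTER = {
    "10.1.1.5": ["guestos.Ubuntu Linux 64-bit", "annotation.ftp"],
    "10.1.1.6": ["guestos.Ubuntu Linux 64-bit", "vmname.WebServer_Corp"],
}

if __name__ == "__main__":
    xml_text = build_uid_message(register=SAMPLE_REGISTER)
    print(xml_text)
    req = api_request("FIREWALL_HOST_PLACEHOLDER", "API_KEY_PLACEHOLDER", xml_text)
    print(req.full_url, len(req.data), "bytes")
```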
Monitor Changes in the Virtual Environment
To secure applications and prevent threats in an environment where new users and servers are constantly emerging, your security policy must be nimble. To be nimble, the firewall must be able to learn about new or modified IP addresses and consistently apply policy without requiring configuration changes on the firewall. This capability is provided by the coordination between the VM Information Sources and Dynamic Address Groups features on the firewall. The firewall and Panorama provide an automated way to gather information on the virtual machine (or guest) inventory on each monitored source and create policy objects that stay in sync with the dynamic changes on the network.
- Enable VM Monitoring to Track Changes on the Virtual Network
- Attributes Monitored in the AWS and VMware Environments
- Use Dynamic Address Groups in Policy
Set up the VM Monitoring Agent
Step 1
Enable the VM Monitoring Agent.
You can configure up to 10 VM information sources for each firewall, or for each virtual system on a multiple virtual systems capable firewall.
If your firewalls are configured in a high availability configuration:
- In an active/passive setup, only the active firewall monitors the VM sources.
- In an active/active setup, only the firewall with the priority value of primary monitors the VM sources.
1.
2.
(Optional) Enter the interval in hours when the connection to the monitored source is closed, if the host does not respond. (default: 2 hours, range 2-10 hours)
To change the default value, select the check box to Enable timeout when the source is disconnected and specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall will close the connection to the source.
Click OK, and Commit the changes.
Verify that the connection Status displays as connected.
Set up the VM Monitoring Agent (Continued)
Step 2
Verify the connection status.
Verify that the connection Status displays as connected.
If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (Device > Setup > Services, click the Service Route Configuration link and modify the Source Interface for the VM Monitor service).
Attributes Monitored on a VMware Source
- UUID
- Name
- Guest OS
- VM State: the power state can be poweredOff, poweredOn, standBy, and unknown.
- Annotation
- Version
- Network: Virtual Switch Name, Port Group Name, and VLAN ID
- Container Name: vCenter Name, Data Center Object Name, Resource Pool Name, Cluster Name, Host, Host IP address.
Attributes Monitored on the AWS-VPC
- Architecture
- Guest OS
- Image ID
- Instance ID
- Instance State
- Instance Type
- Key Name
- Placement: Tenancy, Group Name, Availability Zone
- Private DNS Name
- Public DNS Name
- Subnet ID
- Tag (key, value) (up to 5 tags supported per instance)
- VPC ID
Maximum number of dynamically registered IP addresses
PA-7000 Series, PA-5060, VM-300, VM-1000-HV: 100,000
PA-5050: 50,000
PA-5020: 25,000
PA-4000 Series, PA-3000 Series: 5,000
PA-2000 Series, PA-500, PA-200, VM-200, VM-100: 2,500
The following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to:
- Enable the VM Monitoring agent on the firewall, to monitor the VMware ESX(i) host or vCenter Server and register VM IP addresses and the associated tags.
- Create dynamic address groups and define the tags to filter. In this example, two address groups are created: one that only filters for dynamic tags and another that filters for both static and dynamic tags to populate the members of the group.
- Validate that the members of the dynamic address group are populated on the firewall.
- Use dynamic address groups in policy. This example uses two different security policies:
  - A security policy for all Linux servers that are deployed as FTP servers; this rule matches on dynamically registered tags.
  - A security policy for all Linux servers that are deployed as web servers; this rule matches on a dynamic address group that uses static and dynamic tags.
- Validate that the members of the dynamic address groups are updated as new FTP or web servers are deployed. This ensures that the security rules are enforced on these new virtual machines too.
Use Dynamic Address Groups in Policy
Step 1
Enable VM Source Monitoring.
See Enable VM Monitoring to Track Changes on the Virtual Network.
Step 2
Create dynamic address groups on the firewall.
View the tutorial to see a big picture view of the feature.
1. Log in to the web interface of the firewall.
2.
3. Click Add and enter a Name and a Description for the address group.
4. Select Type as Dynamic.
5. Define the match criteria. You can select dynamic and static tags as the match criteria to populate the members of the group. Click Add Match Criteria, select the And or Or operator, select the attributes that you would like to filter for or match against, and then click OK.
6. Click Commit.
The match criteria for each dynamic address group in this example is as follows:
- ftp_server: matches on the guest operating system Linux 64-bit and annotated as ftp ('guestos.Ubuntu Linux 64-bit' and 'annotation.ftp').
- web-servers: matches on two criteria: the tag black, or if the guest operating system is Linux 64-bit and the name of the server is Web_server_Corp (('guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp') or 'black').
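As an added example (not from the guide or the firewall's implementation), the evaluator below computes dynamic address group membership from match criteria written the way they appear above; the registry of IP-to-tag pairs is constructed, and the rule that 'and' binds tighter than 'or' is an assumption.

```python
"""Evaluate dynamic address group (DAG) match criteria against registered tags.

Added example, not the guide's own code or the firewall's implementation.
It takes criteria written the way this page shows them, for example
('guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp') or 'black',
and computes which registered IP addresses become group members.
Assumption: 'and' binds tighter than 'or', as in conventional boolean logic.
The registry below is a constructed sample.
"""
import re
from typing import Dict, List, Set, Tuple

Token = Tuple[str, str]
_TOKEN = re.compile(r"\s*(?:'(?P<tag>[^']*)'|(?P<paren>[()])|(?P<op>and|or)\b)")


def _tokenize(criteria: str) -> List[Token]:
    tokens, pos = [], 0
    while pos < len(criteria):
        m = _TOKEN.match(criteria, pos)
        if not m:
            if criteria[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ValueError(f"unexpected text in criteria at offset {pos}")
        pos = m.end()
        if m.group("tag") is not None:
            tokens.append(("tag", m.group("tag")))
        elif m.group("paren"):
            tokens.append(("paren", m.group("paren")))
        else:
            tokens.append(("op", m.group("op")))
    return tokens


class _Parser:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*."""

    def __init__(self, tokens: List[Token]) -> None:
        self.tokens, self.i = tokens, 0

    def _peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def _take(self) -> Token:
        tok = self.tokens[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self._expr()
        if self._peek() is not None:
            raise ValueError("trailing tokens in criteria")
        return node

    def _expr(self):
        node = self._term()
        while self._peek() == ("op", "or"):
            self._take()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == ("op", "and"):
            self._take()
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("criteria ended unexpectedly")
        if tok == ("paren", "("):
            self._take()
            node = self._expr()
            if self._peek() != ("paren", ")"):
                raise ValueError("missing ')'")
            self._take()
            return node
        if tok[0] == "tag":
            return ("tag", self._take()[1])
        raise ValueError(f"unexpected token {tok}")


def _matches(node, tags: Set[str]) -> bool:
    if node[0] == "tag":
        return node[1] in tags
    left, right = _matches(node[1], tags), _matches(node[2], tags)
    return (left and right) if node[0] == "and" else (left or right)


def dag_members(registry: Dict[str, Set[str]], criteria: str) -> List[str]:
    """IPs whose registered tag set satisfies the criteria, sorted for stable output."""
    tree = _Parser(_tokenize(criteria)).parse()
    return sorted(ip for ip, tags in registry.items() if _matches(tree, tags))


# Constructed registry: ip -> tags, as VM monitoring or the XML API would register them.
REGISTRY = {
    "10.1.1.5": {"guestos.Ubuntu Linux 64-bit", "annotation.ftp"},
    "10.1.1.6": {"guestos.Ubuntu Linux 64-bit", "vmname.WebServer_Corp"},
    "10.1.1.7": {"black"},                                   # static tag only
    "10.1.1.8": {"guestos.Windows 2012", "annotation.ftp"},  # ftp, but not Linux
}
FTP_CRITERIA = "'guestos.Ubuntu Linux 64-bit' and 'annotation.ftp'"
WEB_CRITERIA = "('guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp') or 'black'"

if __name__ == "__main__":
    print("ftp_server :", dag_members(REGISTRY, FTP_CRITERIA))
    print("web-servers:", dag_members(REGISTRY, WEB_CRITERIA))
```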
Use Dynamic Address Groups in Policy (Continued)
Step 3
Use dynamic address groups in policy.
View the tutorial.
1.
2. Click Add and enter a Name and a Description for the policy.
3.
4. Add the Destination Zone at which the traffic is terminating.
5. For the Destination Address, select the Dynamic address group you just created.
6. Specify the action Allow or Deny for the traffic, and optionally attach the default security profiles to the rule.
7. Repeat Steps 1 through 6 to create another policy rule.
8. Click Commit.
This example shows how to create two policies: one for all access to FTP servers and the other for access to web servers.
Step 4
Validate that the members of the dynamic address group are populated on the firewall.
1.
2.
3. Click the more link and verify that the list of registered IP addresses is displayed.
Policy will be enforced for all IP addresses that belong to this address group, and are displayed here.
CLI Commands for Dynamic IP Addresses and Tags
The Command Line Interface on the firewall and Panorama gives you a detailed view into the different sources from which tags and IP addresses are dynamically registered. It also allows you to audit registered and unregistered tags. The following examples illustrate the capabilities in the CLI.
Example: View all registered IP addresses that match the tag state.poweredOn or that are not tagged as vSwitch0.
Example: Clear all IP addresses and tags learned from a specific VM Monitoring source without disconnecting the source.
Example: Display IP addresses registered from all sources.
Example: View all tags registered from a specific data source, for example from the VM Monitoring Agent on the firewall, the XML API, the Windows User-ID Agent, or the CLI.
CLI Command:
To view tags registered from the CLI:
show log iptag datasource_type equal unknown
To view tags registered from the XML API:
show log iptag datasource_type equal xml-api
To view tags registered from VM Information sources:
show log iptag datasource_type equal vm-monitor
To view tags registered from the Windows User-ID agent:
show log iptag datasource_type equal xml-api datasource_subtype equal user-id-agent
Example: View all tags that are registered for a specific IP address (across all sources).
Identify Users Connected through a Proxy Server
If you have a proxy server deployed between the users on your network and the firewall, in HTTP/HTTPS requests the firewall might see the proxy server IP address as the source IP address in the traffic that the proxy forwards rather than the IP address of the client that requested the content. In many cases, the proxy server adds an X-Forwarded-For (XFF) header to traffic packets that includes the actual IPv4 or IPv6 address of the client that requested the content or from whom the request originated. In such cases, you can configure the firewall to read the XFF header values and determine the IP addresses of the clients who requested the content. The firewall matches the XFF IP addresses with usernames that your policy rules reference so that those rules can control access for the associated users and groups. The firewall also uses the XFF-derived usernames to populate the source user fields of logs so you can monitor user access to web services.
You can also configure the firewall to add XFF values to URL Filtering logs. In these logs, an XFF value can be the client IP address, client username (if available), the IP address of the last proxy server traversed in a proxy chain, or any string of up to 128 characters that the XFF header stores.
XFF user identification applies only to HTTP or HTTPS traffic, and only if the proxy server supports the XFF header. If the header has an invalid IP address, the firewall uses that IP address as a username for group mapping references in policies. If the XFF header has multiple IP addresses, the firewall uses the first entry from the left.
- Use XFF Values for Policies and Logging Source Users
- Add XFF Values to URL Filtering Logs
Use XFF Values for Policies and Logging Source Users
You can configure the firewall to use XFF values in user-based policies and in the source user fields of logs. To use XFF values in policies, you must also Enable User-ID.
Logging XFF values doesn't populate the source IP address values of logs. When you view the logs, the source field displays the IP address of the proxy server if one is deployed between the user clients and the firewall. However, you can configure the firewall to Add XFF Values to URL Filtering Logs so that you can see user IP addresses in those logs.
To ensure that attackers can't read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.
These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policies and logs.
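As an added example (not from the guide or the firewall's implementation), the Python below models the XFF handling this section describes: the leftmost entry as the client address, a 128-character log field, and stripping the header only after it has been used. Header values and addresses are constructed samples.

```python
"""Model of the XFF handling this section describes, for HTTP request headers.

Added example, not the guide's own code or the firewall's logic. It applies the
rules stated in the text: use the leftmost XFF entry as the client address, keep
at most 128 characters of the raw value for the URL Filtering log, and strip the
header from the outgoing request only after the value has been consumed.
Header dictionaries and addresses below are constructed samples.
"""
import ipaddress
from typing import Dict, Optional, Tuple

XFF_HEADER = "x-forwarded-for"
XFF_LOG_MAX = 128  # characters the guide says the log field stores


def _get_xff(headers: Dict[str, str]) -> Optional[str]:
    # Header names are case-insensitive; a proxy may emit any casing.
    for name, value in headers.items():
        if name.lower() == XFF_HEADER:
            return value
    return None


def xff_client_ip(headers: Dict[str, str]) -> Optional[str]:
    """Leftmost XFF entry, or None when absent or not a valid IPv4/IPv6 address."""
    raw = _get_xff(headers)
    if raw is None:
        return None
    first = raw.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        # The text says the firewall treats such a value as a username;
        # here it is surfaced as "no client IP" so a reviewer can see it.
        return None


def url_log_record(proxy_src_ip: str, headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Source stays the proxy address (as the guide notes); XFF is logged alongside."""
    raw = _get_xff(headers)
    return {
        "src": proxy_src_ip,
        "xff": None if raw is None else raw[:XFF_LOG_MAX],
        "client_ip": xff_client_ip(headers),
    }


def outbound_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Strip XFF so the origin server never sees internal client addresses."""
    return {k: v for k, v in headers.items() if k.lower() != XFF_HEADER}


def process(proxy_src_ip: str, headers: Dict[str, str]) -> Tuple[dict, Dict[str, str]]:
    """Log first, then strip: mirrors 'zeroes out XFF values only after using them'."""
    record = url_log_record(proxy_src_ip, headers)
    return record, outbound_headers(headers)


# Constructed sample: a request relayed through two proxies.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "X-Forwarded-For": "192.0.2.10, 198.51.100.5",
    "User-Agent": "sample-client/1.0",
}

if __name__ == "__main__":
    rec, out = process("198.51.100.5", SAMPLE_HEADERS)
    print(rec)
    print(out)
```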
Use XFF Values for Policies and Logging Source Users
Step 1
Enable the firewall to use XFF values in policies and in the source user fields of logs.
1.
2.
Step 2
Remove XFF values from outgoing web requests.
1.
2.
Use XFF Values for Policies and Logging Source Users (Continued)
Step 3
Verify the firewall is populating the source user fields of logs.
1. Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
2. Verify that the Source User column displays the usernames of users who access the web.
Add XFF Values to URL Filtering Logs
You can configure the firewall to add the XFF values from web requests to URL Filtering logs. The XFF values that the logs display can be client IP addresses, usernames if available, or any values of up to 128 characters that the XFF fields store.
This method of logging XFF values doesn't add usernames to the source user fields in URL Filtering logs. To populate the source user fields, see Use XFF Values for Policies and Logging Source Users.
Add XFF Values to URL Filtering Logs
Step 1
Configure a URL Filtering profile.
1.
2. Select an existing profile or Add a new profile and enter a descriptive Name.
   You can't enable XFF logging in the default URL Filtering profile.
3. In the Categories tab, Define how to control access to web content.
4. Select the Settings tab and select X-Forwarded-For.
5. Click OK to save the profile.
Step 2
Attach the URL Filtering profile to a policy rule.
1.
2. Select the Actions tab, set the Profile Type to Profiles, and select the URL Filtering profile you just created.
3. Click OK and Commit.
Step 3
Verify the firewall is logging XFF values.
1.
2.
Policy-Based Forwarding
Normally, the firewall uses the destination IP address in a packet to determine the outgoing interface. The firewall uses the routing table associated with the virtual router to which the interface is connected to perform the route lookup. Policy-Based Forwarding (PBF) allows you to override the routing table, and specify the outgoing or egress interface based on specific parameters such as source or destination IP address, or type of traffic.
- PBF
- Create a Policy-Based Forwarding Rule
- Use Case: PBF for Outbound Access with Dual ISPs
PBF
PBF rules allow traffic to take an alternative path from the next hop specified in the route table, and are typically used to specify an egress interface for security or performance reasons. Let's say your company has two links between the corporate office and the branch office: a cheaper internet link and a more expensive leased line. The leased line is a high-bandwidth, low-latency link. For enhanced security, you can use PBF to send applications that aren't encrypted traffic, such as FTP traffic, over the private leased line and all other traffic over the internet link. Or, for performance, you can choose to route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link.
- Egress Path and Symmetric Return
- Path Monitoring for PBF
- Service Versus Applications in PBF
Egress Path and Symmetric Return
Using PBF, you can direct traffic to a specific interface on the firewall, drop the traffic, or direct traffic to another virtual system (on systems enabled for multiple virtual systems).
In networks with asymmetric routes, such as in a dual ISP environment, connectivity issues occur when traffic arrives at one interface on the firewall and leaves from another interface. If the route is asymmetrical, where the forward (SYN packet) and return (SYN/ACK) paths are different, the firewall is unable to track the state of the entire session and this causes a connection failure. To ensure that the traffic uses a symmetrical path, which means that the traffic arrives at and leaves from the same interface on which the session was created, you can enable the Symmetric Return option.
With symmetric return, the virtual router overrides a routing lookup for return traffic and instead directs the flow back to the MAC address from which it received the SYN packet (or first packet). However, if the destination IP address is on the same subnet as the ingress/egress interface's IP address, a route lookup is performed and symmetric return is not enforced. This behavior prevents traffic from being black-holed.
To determine the next hop for symmetric returns, the firewall uses an Address Resolution Protocol (ARP) table. The maximum number of entries that this ARP table supports is limited by the firewall model and the value is not user-configurable. To determine the limit for your model, use the CLI command: show pbf return-mac all.
Path Monitoring for PBF
Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct traffic through an alternate route, when needed. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.
A monitoring profile allows you to specify the threshold number of heartbeats to determine whether the IP address is reachable. When the monitored IP address is unreachable, you can either disable the PBF rule or specify a fail-over or wait-recover action. Disabling the PBF rule allows the virtual router to take over the routing decisions. When the fail-over or wait-recover action is taken, the monitoring profile continues to monitor whether the target IP address is reachable, and when it comes back up, the firewall reverts back to using the original route.
The following table lists the difference in behavior for a path monitoring failure on a new session versus an established session.
Behavior of a session on a monitoring failure | If the rule stays enabled when the monitored IP address is unreachable | If the rule is disabled when the monitored IP address is unreachable
Established session | wait-recover: Continue to use the egress interface specified in the PBF rule. fail-over: Use the path determined by the routing table (no PBF). | wait-recover: Continue to use the egress interface specified in the PBF rule. fail-over: Use the path determined by the routing table (no PBF).
New session | wait-recover: Use the path determined by the routing table (no PBF). fail-over: Use the path determined by the routing table (no PBF). | wait-recover: Check the remaining PBF rules. If no match, use the routing table. fail-over: Check the remaining PBF rules. If no match, use the routing table.
Service Versus Applications in PBF
PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.
However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application can be forwarded based on the PBF rule.
Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However, with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter.
You cannot use custom applications, application filters or application groups in PBF rules.
Create a PBF Rule
Step 1
Create a PBF rule.
When creating a PBF rule you must specify a name for the rule, a source zone or interface, and an egress interface. All other components are either optional or have a default value provided.
You can specify the source and destination addresses using an IP address, an address object, or a FQDN. For the next hop, however, you must specify an IP address.
1.
2.
3.
4.
Create a PBF Rule (Continued)
Step 2
Specify how to forward traffic that matches the rule.
If you are configuring PBF in a multi-VSYS environment, you must create separate PBF rules for each virtual system (and create the appropriate Security policy rules to enable the traffic).
1. In the Forwarding tab, select the following:
   a. Set the Action. The options are as follows:
      - Forward: Directs the packet to a specific Egress Interface. Enter the Next Hop IP address for the packet (you cannot use a domain name for the next hop).
      - Forward To VSYS: (On a firewall enabled for multiple virtual systems) Select the virtual system to which to forward the packet.
      - Discard: Drop the packet.
      - No PBF: Exclude the packets that match the criteria for source/destination/application/service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
      To trigger the specified action at a daily, weekly or non-recurring frequency, create and attach a Schedule.
      (Optional) Enable Monitoring to verify connectivity to a target IP address or to the next hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action when the IP address is unreachable.
   b. (Optional, required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List (you cannot use an FQDN as the next hop). You can add up to 8 next hop IP addresses; tunnel and PPPoE interfaces are not available as a next hop IP address.
      Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the internet) is forwarded out through the same interface through which traffic ingresses from the internet.
Step 3
Save the policies to the running configuration on the firewall.
Click Commit.
The PBF rule is in effect.
- Enable a PBF rule that routes traffic through the primary ISP, and attach a monitoring profile to the rule. The monitoring profile triggers the firewall to use the default route through the backup ISP when the primary ISP is unavailable.
- Define Source NAT rules for both the primary and backup ISP that instruct the firewall to use the source IP address associated with the egress interface for the corresponding ISP. This ensures that the outbound traffic has the correct source IP address.
- Add a static route to the backup ISP, so that when the primary ISP is unavailable, the default route comes into effect and the traffic is directed through the backup ISP.
PBF for Outbound Access with Dual ISPs
Step 1
Configure the ingress and the egress interfaces on the firewall.
Egress interfaces can be in the same zone. In this example we assign the egress interfaces to different zones.
1.
2. To save the interface configuration, click OK.
Step 2
On the virtual router, add a static route to the backup ISP.
1.
2. Select the Static Routes tab and click Add. Enter a Name for the route and specify the Destination IP address for which you are defining the static route. In this example, we use 0.0.0.0/0 for all traffic.
3.
4. Specify a cost metric for the route. In this example, we use 10.
5. Click OK twice to save the virtual router configuration.
PBF for Outbound Access with Dual ISPs (Continued)
Step 3
Create a PBF rule that directs traffic to the interface that is connected to the primary ISP.
Make sure to exclude traffic destined to internal servers/IP addresses from PBF. Define a negate rule so that traffic destined to internal IP addresses is not routed through the egress interface defined in the PBF rule.
1.
2. Give the rule a descriptive Name in the General tab.
3. In the Source tab, set the Source Zone to Trust.
4. In the Destination/Application/Service tab, set the following:
   a. In the Destination Address section, Add the IP addresses or address range for servers on the internal network or create an address object for your internal servers. Select Negate to exclude the IP addresses or address object listed above from using this rule.
   b. In the Service section, Add the service-http and service-https services to allow HTTP and HTTPS traffic to use the default ports. For all other traffic that is allowed by security policy, the default route will be used.
      To forward all traffic using PBF, set the Service to Any.
5. In the Forwarding tab, specify the interface to which you want to forward traffic and enable path monitoring.
   a. To forward traffic, set the Action to Forward, and select the Egress Interface and specify the Next Hop. In this example, the egress interface is ethernet1/1, and the next hop IP address is 1.1.1.1 (you cannot use a FQDN for the next hop).
PBF for Outbound Access with Dual ISPs (Continued)
   b. Enable Monitor and attach the default monitoring profile, to trigger a failover to the backup ISP. In this example, we do not specify a target IP address to monitor. The firewall will monitor the next hop IP address; if this IP address is unreachable the firewall will direct traffic to the default route specified on the virtual router.
   c. (Required if you have asymmetric routes.) Select Enforce Symmetric Return to ensure that return traffic from the trust zone to the internet is forwarded out on the same interface through which traffic ingressed from the internet. NAT ensures that the traffic from the internet is returned to the correct interface/IP address on the firewall.
   d. Click OK to save the changes.
Step 4
Create NAT rules based on the egress interface and ISP. These rules ensure that the correct source IP address is used for outbound connections.
1.
2.
PBF for Outbound Access with Dual ISPs (Continued)
Step 5
Create security policy to allow outbound access to the internet.
To safely enable applications, create a simple rule that allows access to the internet and attach the security profiles available on the firewall.
1.
2. Give the rule a descriptive Name in the General tab.
3. In the Source tab, set the Source Zone to trust.
4. In the Destination tab, set the Destination Zone to ISP-East and ISP-West.
5.
6. In the Actions tab, complete these tasks:
   a. Set the Action Setting to Allow.
   b. Attach the default profiles for Antivirus, Anti-Spyware, Vulnerability Protection and URL Filtering, under Profile Setting.
7. Under Options, verify that logging is enabled at the end of a session. Only traffic that matches a security rule is logged.
Step 6
Save the policies to the running configuration on the firewall.
Click Commit.
PBF for Outbound Access with Dual ISPs (Continued)
Step 7
Verify that the PBF rule is active and that the primary ISP is used for internet access.
1. Launch a web browser and access a web server. On the firewall, check the traffic log for web-browsing activity.
2. From a client on the network, use the ping utility to verify connectivity to a web server on the internet, and check the traffic log on the firewall.
C:\Users\pm-user1>ping 4.2.2.1
Pinging 4.2.2.1 with 32 bytes of data:
Reply from 4.2.2.1: bytes=32 time=34ms TTL=117
Reply from 4.2.2.1: bytes=32 time=13ms TTL=117
Reply from 4.2.2.1: bytes=32 time=25ms TTL=117
Reply from 4.2.2.1: bytes=32 time=3ms TTL=117
Ping statistics for 4.2.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 34ms, Average = 18ms
3. To confirm that the PBF rule is active, use the following CLI command:
admin@PA-NGFW> show pbf rule all
Rule       ID  Rule State Action  Egress IF/VSYS NextHop
========== === ========== ======= ============== ==============
Use ISP-Pr 1   Active     Forward ethernet1/1    1.1.1.1
Step 8
Verify that the failover to the backup ISP occurs and that the Source NAT is correctly applied.
1. Unplug the connection to the primary ISP.
2. Confirm that the PBF rule is inactive with the following CLI command:
admin@PA-NGFW> show pbf rule all
Rule       ID  Rule State Action  Egress IF/VSYS NextHop
========== === ========== ======= ============== ==============
Use ISP-Pr 1   Disabled   Forward ethernet1/1    1.1.1.1
3. Access a web server, and check the traffic log to verify that traffic is being forwarded through the backup ISP.
4. View the session details to confirm that the NAT rule is working properly.
admin@PA-NGFW> show session all
--------------------------------------------------------
ID     Application State  Type Flag Src[Sport]/Zone/Proto (translated IP[Port])   Vsys   Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------
87212  ssl         ACTIVE FLOW NS   192.168.54.56[53236]/Trust/6 (2.2.2.2[12896])  vsys1  204.79.197.200[443]/ISP-East (204.79.197.200[443])
5. Obtain the session identification number from the output and view the session details. Note that the PBF rule is not used and hence is not listed in the output.
admin@PA-NGFW> show session id 87212
Session           87212
        c2s flow:
                source:      192.168.54.56 [Trust]
                dst:         204.79.197.200
                proto:       6
                sport:       53236           dport:      443
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      204.79.197.200 [ISP-East]
                dst:         2.2.2.2
                proto:       6
                sport:       443             dport:      12896
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                     : Wed Nov  5 11:16:10 2014
        timeout                        : 1800 sec
        time to live                   : 1757 sec
        total byte count(c2s)          : 1918
        total byte count(s2c)          : 4333
        layer7 packet count(c2s)       : 10
        layer7 packet count(s2c)       : 7
        vsys                           : vsys1
        application                    : ssl
        rule                           : Trust2ISP
        session to be logged at end    : True
        session in session ager        : True
        session synced from HA peer    : False
        address/port translation       : source
        nat-rule                       : NAT-Backup ISP(vsys1)
        layer7 processing              : enabled
        URL filtering enabled          : True
        URL category                   : search-engines
        session via syn-cookies        : False
        session terminated on host     : False
        session traverses tunnel       : False
        captive portal session         : False
        ingress interface              : ethernet1/2
        egress interface               : ethernet1/3
        session QoS rule               : N/A (class 4)
Virtual Systems
This topic describes virtual systems, their benefits, typical use cases, and how to configure them. It also provides links to other topics where virtual systems are documented as they function with other features.
- Virtual Systems Overview
- Communication Between Virtual Systems
- Shared Gateway
- Configure Virtual Systems
- Configure Inter-Virtual System Communication within the Firewall
- Configure a Shared Gateway
- Service Routes for Virtual Systems
- Customize Service Routes for a Virtual System
- DNS Resolution: Three Use Cases
- Virtual System Functionality with Other Features
Virtual Systems Overview
Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately managed firewall with its traffic kept separate from the traffic of other virtual systems.
This topic includes the following:
- Virtual System Components and Segmentation
- Benefits of Virtual Systems
- Use Cases for Virtual Systems
- Platform Support and Licensing for Virtual Systems
- Administrative Roles for Virtual Systems
- Shared Objects for Virtual Systems
Virtual System Components and Segmentation
A virtual system is an object that creates an administrative boundary, as shown in the following figure.
A virtual system consists of a set of physical and logical interfaces and subinterfaces (including VLANs and virtual wires), virtual routers, and security zones. You choose the deployment mode(s) (any combination of virtual wire, Layer 2, or Layer 3) of each virtual system. By using virtual systems, you can segment any of the following:
- Administrative access
- The management of all policies (security, NAT, QoS, policy-based forwarding, decryption, application override, captive portal, and DoS protection)
- All objects (such as address objects, application groups and filters, dynamic block lists, security profiles, decryption profiles, custom objects, etc.)
- User-ID
- Certificate management
- Server profiles
- Logging, reporting, and visibility functions
Virtual systems affect the security functions of the firewall, but virtual systems alone do not affect networking functions such as static and dynamic routing. You can segment routing for each virtual system by creating one or more virtual routers for each virtual system, as in the following use cases:
- If you have virtual systems for departments of one organization, and the network traffic for all of the departments is within a common network, you can create a single virtual router for multiple virtual systems.
- If you want routing segmentation and each virtual system's traffic must be isolated from other virtual systems, you can create one or more virtual routers for each virtual system.
Benefits of Virtual Systems

Virtual systems provide the same basic functions as a physical firewall, along with additional benefits:
- Segmented administration: Different organizations (or customers or business units) can control (and monitor) a separate firewall instance, so that they have control over their own traffic without interfering with the traffic or policies of another firewall instance on the same physical firewall.
- Scalability: After the physical firewall is configured, adding or removing customers or business units can be done efficiently. An ISP, managed security service provider, or enterprise can provide different security services to each customer.
- Reduced capital and operational expenses: Virtual systems eliminate the need to have multiple physical firewalls at one location because virtual systems coexist on one firewall. By not having to purchase multiple firewalls, an organization can save on the hardware expense, electric bills, and rack space, and can reduce maintenance and management expenses.
Use Cases for Virtual Systems

There are many ways to use virtual systems in a network. One common use case is for an ISP or a managed security service provider (MSSP) to deliver services to multiple customers with a single firewall. Customers can choose from a wide array of services that can be enabled or disabled easily. The firewall's role-based administration allows the ISP or MSSP to control each customer's access to functionality (such as logging and reporting) while hiding or offering read-only capabilities for other functions.

Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments. Like the above case, different groups can have different levels of access while IT manages the firewall itself. Services can be tracked and/or billed back to departments, thereby making separate financial accountability possible within an organization.
Platform Support and Licensing for Virtual Systems

Virtual systems are supported on the PA-2000, PA-3000, PA-4000, PA-5000, and PA-7000 Series firewalls. Each firewall series supports a base number of virtual systems; the number varies by platform. A Virtual Systems license is required in the following cases:
- To support multiple virtual systems on PA-2000 or PA-3000 Series firewalls.
- To create more than the base number of virtual systems supported on a platform.

For license information, see Activate Licenses and Subscriptions. For the base and maximum number of virtual systems supported, see the Compare Firewalls tool.

Multiple virtual systems are not supported on the PA-200, PA-500, or VM-Series firewalls.
Administrative Roles for Virtual Systems

A superuser administrator can create virtual systems and add a Device Administrator, vsysadmin, or vsysreader. A Device Administrator can access all virtual systems, but cannot add administrators. The two types of virtual system administrative roles are:
- vsysadmin: Grants full access to a virtual system.
- vsysreader: Grants read-only access to a virtual system.

A virtual system administrator can view logs of only the virtual systems assigned to that administrator. Someone with superuser or Device Admin permission can view all of the logs or select a virtual system to view. Persons with vsysadmin permission can commit configurations for only the virtual systems assigned to them.
Shared Objects for Virtual Systems

If your administrator account extends to multiple virtual systems, you can choose to configure objects (such as an address object) and policies for a specific virtual system or as shared objects, which apply to all of the virtual systems on the firewall. If you try to create a shared object with the same name and type as an existing object in a virtual system, the virtual system object is used.
Communication Between Virtual Systems

There are two typical scenarios where communication between virtual systems (inter-vsys traffic) is desirable. In a multi-tenancy environment, communication between virtual systems can occur by having traffic leave the firewall, go through the Internet, and re-enter the firewall. In a single-organization environment, communication between virtual systems can remain within the firewall. This section discusses both scenarios:
- Inter-VSYS Traffic That Must Leave the Firewall
- Inter-VSYS Traffic That Remains Within the Firewall
- Inter-VSYS Communication Uses Two Sessions
- External Zone
- External Zones and Security Policies For Traffic Within a Firewall

External Zone
The communication desired in the use case above is achieved by configuring security policies that point to or from an external zone. An external zone is a security object that is associated with a specific virtual system that it can reach; the zone is external to the virtual system. A virtual system can have only one external zone, regardless of how many security zones the virtual system has within it. External zones are required to allow traffic between zones in different virtual systems without the traffic leaving the firewall.

The virtual system administrator configures the security policies needed to allow traffic between two virtual systems. Unlike security zones, an external zone is not associated with an interface; it is associated with a virtual system. The security policy allows or denies traffic between the security (internal) zone and the external zone.

Because external zones do not have interfaces or IP addresses associated with them, some zone protection profiles are not supported on external zones.

Remember that each virtual system is a separate instance of a firewall, which means that each packet moving between virtual systems is inspected for security policy and App-ID evaluation.
External Zones and Security Policies For Traffic Within a Firewall

In the following example, an enterprise has two separate administrative groups: the department A and department B virtual systems. The following figure shows the external zone associated with each virtual system, and traffic flowing from one trust zone, out an external zone, into an external zone of another virtual system, and into its trust zone.

To create external zones, the firewall administrator must configure the virtual systems so that they are visible to each other. External zones do not have security policies between them because their virtual systems are visible to each other.

To communicate between virtual systems, the ingress and egress interfaces on the firewall are either assigned to a single virtual router or else they are connected using inter-virtual router static routes. The simpler of these two approaches is to assign all virtual systems that must communicate with each other to a single virtual router.

There might be a reason that the virtual systems need to have their own virtual router, for example, if the virtual systems use overlapping IP address ranges. Traffic can be routed between the virtual systems, but each virtual router must have static routes that point to the other virtual router(s) as the next hop.

Referring to the scenario in the figure above, we have an enterprise with two administrative groups: department A and department B. The department A group manages the local network and the DMZ resources. The department B group manages traffic in and out of the sales segment of the network. All traffic is on a local network, so a single virtual router is used. There are two external zones configured for communication between the two virtual systems. The department A virtual system has three zones used in security policies: deptA-DMZ, deptA-trust, and deptA-External. The department B virtual system also has three zones: deptB-DMZ, deptB-trust, and deptB-External. Both groups can control the traffic passing through their virtual systems.

In order to allow traffic from deptA-trust to deptB-trust, two security policies are required. In the following figure, the two vertical arrows indicate where the security policies (described below the figure) are controlling traffic.
- Security Policy 1: In the preceding figure, traffic is destined for the deptB-trust zone. Traffic leaves the deptA-trust zone and goes to the deptA-External zone. A security policy must allow traffic from the source zone (deptA-trust) to the destination zone (deptA-External). A virtual system allows any policy type to be used for this traffic, including NAT.
- No policy is needed between external zones because traffic sent to an external zone appears in, and has automatic access to, the other external zones that are visible to the original external zone.
- Security Policy 2: In the preceding figure, the traffic from deptB-External is still destined to the deptB-trust zone, and a security policy must be configured to allow it. The policy must allow traffic from the source zone (deptB-External) to the destination zone (deptB-trust).

The department B virtual system could be configured to block traffic from the department A virtual system, and vice versa. Like traffic from any other zone, traffic from external zones must be explicitly allowed by policy to reach other zones in a virtual system.

In addition to external zones being required for inter-virtual system traffic that does not leave the firewall, external zones are also required if you configure a Shared Gateway, in which case the traffic is intended to leave the firewall.
Shared Gateway

This topic includes the following information about shared gateways:
- External Zones and Shared Gateway
- Networking Considerations for a Shared Gateway

External Zones and Shared Gateway

A shared gateway is an interface that multiple virtual systems share in order to communicate over the Internet. Each virtual system requires an External Zone, which acts as an intermediary, for configuring security policies that allow or deny traffic from the virtual system's internal zone to the shared gateway. The shared gateway uses a single virtual router to route traffic for all virtual systems. A shared gateway is used in cases when an interface does not need a full administrative boundary around it, or when multiple virtual systems must share a single Internet connection. This second case arises if an ISP provides an organization with only one IP address (interface), but multiple virtual systems need external communication.

Unlike the behavior between virtual systems, security policy and App-ID evaluations are not performed between a virtual system and a shared gateway. That is why using a shared gateway to access the Internet involves less overhead than creating another virtual system to do so.

In the following figure, three customers share a firewall, but there is only one interface accessible to the Internet. Creating another virtual system would add the overhead of App-ID and security policy evaluation for traffic being sent to the interface through the added virtual system. To avoid adding another virtual system, the solution is to configure a shared gateway, as shown in the following diagram.

The shared gateway has one globally routable IP address used to communicate with the outside world. Interfaces in the virtual systems have IP addresses too, but they can be private, non-routable IP addresses.

You will recall that an administrator must specify whether a virtual system is visible to other virtual systems. Unlike a virtual system, a shared gateway is always visible to all of the virtual systems on the firewall.
A shared gateway ID number appears as sg<ID> on the web interface. It is recommended that you name your shared gateway with a name that includes its ID number.

When you add objects such as zones or interfaces to a shared gateway, the shared gateway appears as an available virtual system in the vsys drop-down menu.

A shared gateway is a limited version of a virtual system; it supports NAT and policy-based forwarding (PBF), but does not support security, DoS protection, QoS, decryption, application override, or captive portal policies. Because no security policy is evaluated between a virtual system and the shared gateway, the security policy from each virtual system's internal zone to its external zone is the only control on what reaches the shared interface.

Networking Considerations for a Shared Gateway

Keep the following in mind while you are configuring a shared gateway.
- The virtual systems in a shared gateway scenario access the Internet through the shared gateway's physical interface, using a single IP address. If the IP addresses of the virtual systems are not globally routable, configure source NAT to translate those addresses to globally routable IP addresses.
- A virtual router routes the traffic for all of the virtual systems through the shared gateway.
- The default route for the virtual systems should point to the shared gateway.
- Security policies must be configured for each virtual system to allow the traffic between the internal zone and external zone, which is visible to the shared gateway.
- A firewall administrator should control the virtual router, so that no member of a virtual system can affect the traffic of other virtual systems.
- Within a Palo Alto Networks firewall, a packet may hop from one virtual system to another virtual system or a shared gateway. A packet may not traverse more than two virtual systems or shared gateways. For example, a packet cannot go from one virtual system to a shared gateway to a second virtual system within the firewall.

To save configuration time and effort, consider the following advantages of a shared gateway:
- Rather than configure NAT for multiple virtual systems associated with a shared gateway, you can configure NAT for the shared gateway.
- Rather than configure policy-based forwarding (PBF) for multiple virtual systems associated with a shared gateway, you can configure PBF for the shared gateway.
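The following Python model is an added example, not code from the guide or from Palo Alto Networks; it encodes the forwarding rules stated in External Zones and Security Policies For Traffic Within a Firewall and in this Shared Gateway topic so that you can check a proposed rule set before committing it. It models one session per virtual system crossed, an explicit rule from the internal zone to the source vsys's external zone and from the destination vsys's external zone to its internal zone, no policy between external zones or between a vsys and a shared gateway, mutual visibility as a precondition, and the two-hop limit. The zone names follow the department A / department B figure; the vsys, gateway and rule names are constructed.

```python
"""Added example: a model of PAN-OS inter-vsys forwarding as the guide
describes it (not Palo Alto Networks code). Zone names follow the
department A / department B figure; everything else is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str  # "allow" or "deny"


@dataclass
class Vsys:
    name: str
    zones: set                                  # interface-backed security zones
    external_zone: Optional[str] = None         # at most one external zone per vsys
    visible: set = field(default_factory=set)   # vsys ticked under Visible Virtual System
    rules: list = field(default_factory=list)

    def lookup(self, from_zone, to_zone):
        """First matching rule wins; inter-zone traffic with no match is denied."""
        for r in self.rules:
            if r.from_zone == from_zone and r.to_zone == to_zone:
                return r.name, r.action
        return "interzone-default", "deny"


@dataclass
class SharedGateway:
    name: str
    zone: str   # Layer 3 zone on the shared interface; no security policy is evaluated here


class Firewall:
    MAX_HOPS = 2   # a packet may traverse at most two vsys / shared gateways

    def __init__(self):
        self.vsys = {}
        self.gateways = {}

    def add_vsys(self, v):
        self.vsys[v.name] = v

    def add_gateway(self, g):
        self.gateways[g.name] = g

    def forward(self, path, src_zone, dst_zone):
        """path: vsys / shared-gateway names the packet crosses, in order.
        Returns (verdict, sessions); sessions holds one
        (vsys, rule, action) tuple per security-policy evaluation."""
        if len(path) > self.MAX_HOPS:
            return "drop", []             # e.g. vsys -> shared gateway -> vsys
        src = self.vsys[path[0]]           # traffic always originates in a vsys
        if len(path) == 1:                 # intra-vsys: one session, one lookup
            rule, action = src.lookup(src_zone, dst_zone)
            return action, [(src.name, rule, action)]
        if src.external_zone is None:
            return "drop", []
        # Session 1: internal zone -> the source vsys's own external zone
        rule, action = src.lookup(src_zone, src.external_zone)
        sessions = [(src.name, rule, action)]
        if action != "allow":
            return "deny", sessions
        nxt = path[1]
        if nxt in self.gateways:
            # A shared gateway is visible to every vsys, and no security policy
            # or App-ID evaluation happens between the vsys and the gateway.
            return "allow", sessions
        dst = self.vsys[nxt]
        # External zones need no policy between them, but the vsys must be
        # visible to each other and the destination needs an external zone.
        if nxt not in src.visible or src.name not in dst.visible or dst.external_zone is None:
            return "drop", sessions
        # Session 2: destination vsys's external zone -> its internal zone
        rule, action = dst.lookup(dst.external_zone, dst_zone)
        sessions.append((dst.name, rule, action))
        return action, sessions


def build_example():
    """The two-vsys enterprise from the figure plus one shared gateway."""
    fw = Firewall()
    fw.add_vsys(Vsys("deptA", {"deptA-trust", "deptA-DMZ"}, "deptA-External", {"deptB"},
                     [Rule("A-trust-to-External", "deptA-trust", "deptA-External", "allow")]))
    fw.add_vsys(Vsys("deptB", {"deptB-trust", "deptB-DMZ"}, "deptB-External", {"deptA"},
                     [Rule("External-to-B-trust", "deptB-External", "deptB-trust", "allow")]))
    fw.add_gateway(SharedGateway("sg1", "sg1-untrust"))
    return fw


if __name__ == "__main__":
    fw = build_example()
    print(fw.forward(["deptA", "deptB"], "deptA-trust", "deptB-trust"))   # allowed, two sessions
    print(fw.forward(["deptB", "deptA"], "deptB-trust", "deptA-trust"))   # denied in deptB
    print(fw.forward(["deptA", "sg1", "deptB"], "deptA-trust", "deptB-trust"))  # too many hops
```

The reverse direction (deptB-trust to deptA-trust) is denied because department B never wrote a rule from deptB-trust to deptB-External; this is the point of the text above that each side must explicitly allow its half of the flow. Traffic to the shared gateway is allowed after only one rule lookup, which is why source NAT and the virtual router on the shared gateway should be under the firewall administrator's control rather than a tenant's.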
Service Routes for Virtual Systems

The firewall uses the MGT interface (by default) to access external services, such as DNS servers, software updates, and software licenses. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route. Service routes can be configured for the firewall or for individual virtual systems. Each service allows redirection of management services to the respective virtual system owner through one of the interfaces associated with that virtual system.

The ability to configure service routes per virtual system provides the flexibility to customize service routes for numerous tenants or departments on a single firewall. The service packets exit the firewall on a port that is assigned to a specific virtual system, and the server sends its response to the configured source interface and source IP address. Any virtual system that does not have a service route configured for a particular service inherits the interface and IP address that are set globally for that service.

This topic includes the following:
- Use Cases for Service Routes for a Virtual System
- PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments

To configure service routes for a virtual system, see Customize Service Routes for a Virtual System.
Keep the following in mind when configuring service routes and DNS proxy objects for a virtual system:
- If a virtual system has multiple virtual routers, packets to all of the servers for a service must egress out of only one virtual router.
- A packet with an interface source address may egress a different interface, but the return traffic would be on the interface that has the source IP address, creating asymmetric traffic.
- If the DNS proxy object is for a virtual system, you can specify a DNS Server Profile, which specifies the primary and secondary DNS server addresses, along with other information. The DNS server profile simplifies configuration.
- If the DNS proxy object is shared, you must specify at least the primary address of a DNS server.

When configuring tenants with DNS services, each tenant should have its own DNS proxy defined, which keeps the tenant's DNS service separate from other tenants' services.
In the proxy object, you specify the interfaces for which the firewall is acting as DNS proxy. The DNS proxy for the interface does not use the service route; responses to the DNS requests are always sent to the interface assigned to the virtual router where the DNS request arrived.

You can supply the DNS proxy with static FQDN-to-address mappings. You can create DNS proxy rules that control to which DNS server the specified domain name queries are directed. A DNS proxy has other options; to configure a DNS proxy, see Configure a DNS Proxy Object. A maximum of 256 DNS proxy objects can be configured on a firewall.

The firewall resolves DNS names in three ways:
- Global Management DNS Resolution: The firewall needs DNS resolution for its own purposes, for example, when the request is coming from the management plane to resolve an FQDN in a security policy. The firewall uses the service route to get to a DNS server because there is no incoming virtual router. The DNS server is configured in Device > Setup > Services > Global, and Servers are configured by entering a primary and secondary DNS server.
- Policy and Report FQDN Resolution for a Virtual System: For DNS queries that need to be resolved from a security policy or a report, you can specify a set of DNS servers specific to the virtual system (tenant) or you can default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, the DNS server is configured in Device > Virtual Systems > General > DNS Proxy. The DNS proxy object is configured in Network > DNS Proxy. The resolution is specific to the virtual system to which the DNS proxy is assigned. If you don't have specific DNS servers applicable to this virtual system and want to use the global DNS setting, the global DNS servers take precedence.
- Dataplane DNS Resolution for a Virtual System: This method is also known as a Network Request for DNS Resolution. The tenant's virtual system can be configured so that specified domain names are resolved on the tenant's DNS server in its network. This method supports split DNS, meaning that the tenant can also use its own ISP DNS servers for the remaining DNS queries not resolved on its own server. DNS Proxy rules control the split DNS; the tenant's domain redirects DNS requests to its DNS servers, which are configured in a DNS server profile. The DNS server profile has primary and secondary DNS servers designated, and also DNS service routes for IPv4 and IPv6, which override the default DNS settings.

For more information on DNS deployments, see DNS Resolution: Three Use Cases.
Configure Virtual Systems

Creating a virtual system requires that you have the following:
- A superuser administrative role.
- An interface configured.
- A Virtual Systems license if you are configuring a PA-2000 or PA-3000 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. See Platform Support and Licensing for Virtual Systems.
Configure a Virtual System

Step 1: Enable virtual systems. Enable Multi Virtual System Capability (Device > Setup > Management).

Step 2: Create a virtual system.
  3. Enter a descriptive Name for the virtual system. A maximum of 31 alphanumeric, space, and underscore characters is allowed.

Step 3: Assign interfaces to the virtual system. The virtual routers, vwires, or VLANs can either be configured already or you can configure them later, at which point you specify the virtual system associated with each. The procedure to configure a virtual router, for example, is in Step 6 below.
  1. In the Interfaces field, click Add to enter the interfaces or subinterfaces to assign to the virtual system. An interface can belong to only one virtual system.
  2. Do any of the following, based on the deployment type(s) you need in the virtual system:
     - In the VLANs field, click Add to enter the VLAN(s) to assign to the vsys.
     - In the Virtual Wires field, click Add to enter the virtual wire(s) to assign to the vsys.
     - In the Virtual Routers field, click Add to enter the virtual router(s) to assign to the vsys.
  5. Click OK.

Step 4: (Optional) Limit the resource allocations for sessions, rules, and VPN tunnels allowed for the virtual system. The flexibility of being able to allocate limits per virtual system allows you to effectively control firewall resources.
  1. On the Resource tab, optionally set limits for a virtual system. There are no default values.
     - Sessions Limit: range is 1-262144.
     - Security Rules: range is 0-2500.
     - NAT Rules: range is 0-3000.
     - Decryption Rules: range is 0-250.
     - QoS Rules: range is 0-1000.
     - Application Override Rules: range is 0-250.
     - Policy Based Forwarding Rules: range is 0-500.
     - Captive Portal Rules: range is 0-1000.
     - DoS Protection Rules: range is 0-1000.
     - Site to Site VPN Tunnels: range is 0-1024.
     - Concurrent SSL VPN Tunnels: range is 0-1024.
  2. Click OK.

Step 5: Save the configuration. Click Commit and OK. The virtual system is now an object accessible from the Objects tab.

Step 6: Create at least one virtual router for the virtual system in order to make the virtual system capable of networking functions, such as static and dynamic routing. Alternatively, your virtual system might use a VLAN or a virtual wire, depending on your deployment.
  1. Select Network > Virtual Routers and Add a virtual router by Name.
  2. For Interfaces, click Add and from the drop-down, select the interfaces that belong to the virtual router.
  3. Click OK.

Step 7: Configure a security zone for each interface in the virtual system. For at least one interface, create a Layer 3 security zone. See Configure Interfaces and Zones.

Step 8: Configure the security policies allowing or denying traffic to and from the zones in the virtual system. See Set Up Basic Security Policies.

Step 9: Save the configuration. Click Commit and OK. After creating a virtual system, you can use the CLI to commit a configuration for only a specific virtual system:
  commit partial vsys vsys<id>

Step 10: (Optional) View the security policies configured for a virtual system. Open an SSH session to use the CLI. To view the security policies for a virtual system, in operational mode, use the following commands:
  set system setting target-vsys <vsys-id>
  show running security-policy
Configure Inter-Virtual System Communication within the Firewall

Perform this task if you have a use case, perhaps within a single enterprise, where you want the virtual systems to be able to communicate with each other within the firewall. Such a scenario is described in Inter-VSYS Traffic That Remains Within the Firewall. This task presumes:
- You completed the task, Configure Virtual Systems.
- When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate with each other to be visible to each other.

Step 1: Configure an external zone for each virtual system.
  2. For Location, select the virtual system for which you are creating an external zone.
  3. For Type, select External.
  4. For Virtual Systems, click Add and enter the virtual system that the external zone can reach.
  6. Log Setting: Optionally select a log forwarding profile for forwarding zone protection logs to an external system.
  8. Click OK.

Step 2: Configure the security policies allowing or denying traffic from the internal zones to the external zone of the virtual system, and vice versa. See Set Up Basic Security Policies and Inter-VSYS Traffic That Remains Within the Firewall. Traffic between an internal zone and the external zone is denied unless a rule explicitly allows it, so each virtual system that takes part in the flow needs its own rule.

Step 3: Save the configuration. Click Commit.
Configure a Shared Gateway

Perform this task if you need multiple virtual systems to share an interface (a Shared Gateway) to the Internet. This task presumes:
- You configured an interface with a globally routable IP address, which will be the shared gateway.
- You completed the prior task, Configure Virtual Systems. For the interface, you chose the external-facing interface with the globally routable IP address.
- When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate to be visible to each other.

Step 1: Configure a Shared Gateway.
  2. Enter a helpful Name, preferably including the ID of the gateway.
  4. Add an Interface that connects to the outside world.
  5. Click OK.

Step 2: Configure the zone for the shared gateway. When adding objects such as zones or interfaces to a shared gateway, the shared gateway itself will be listed as an available vsys in the VSYS drop-down menu.
  2. For Location, select the shared gateway for which you are creating a zone.
  3. For Type, select Layer3.
  5. Log Setting: Optionally select a log forwarding profile for forwarding zone protection logs to an external system.
  7. Click OK.

Step 3: Save the configuration. Click Commit.
Customize Service Routes for a Virtual System

This topic includes the following:
- Customize Service Routes to Services for Virtual Systems
- Configure a PA-7000 Series Firewall for Logging Per Virtual System
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Configure Administrative Access Per Virtual System or Firewall

Customize Service Routes to Services for Virtual Systems

Prior to performing this task, in order to see the Global and Virtual Systems tabs, you must enable Multi Virtual System Capability.

In the following use case, you are configuring individual service routes for a firewall with multiple virtual systems.
Customize Service Routes to Services Per Virtual System

Step 1: Customize service routes for a virtual system.
  3. Select one of the radio buttons:
     - Inherit Global Service Route Configuration: Causes the virtual system to inherit the global service route settings relevant to a virtual system. If you choose this option, skip down to step 7.
     - Customize: Allows you to specify a source interface and source address for each service.
  4. If you chose Customize, select the IPv4 or IPv6 tab, depending on what type of addressing the server offering the service uses. You can specify both IPv4 and IPv6 addresses for a service. Click the check box(es) for the services for which you want to specify the same source information. (Only services that are relevant to a virtual system are available.) Click Set Selected Service Routes.
     - For Source Interface, select Any, Inherit Global Setting, or an interface from the drop-down to specify the source interface that will be used in packets sent to the external service(s). Hence, the server's response will be sent to that source interface. In our example deployment, you would set the source interface to be the subinterface of the tenant.
     - Source Address will indicate Inherited if you selected Inherit Global Setting for the Source Interface, or it will indicate the source address of the Source Interface you selected. If you selected Any for Source Interface, select an IP address from the drop-down, or enter an IP address (using the IPv4 or IPv6 format that matches the tab you chose) to specify the source address that will be used in packets sent to the external service.
     If you modify an address object and the IP family type (IPv4/IPv6) changes, a Commit is required to update the service route family to use.
  5. Click OK.
  6. Repeat steps 4 and 5 to configure source addresses for other external services.
  7. Click OK.

Step 2: Save the configuration. Click Commit and OK.

If you are configuring per-virtual system service routes for logging services for a PA-7000 Series firewall, continue to the task Configure a PA-7000 Series Firewall for Logging Per Virtual System.
Configure a PA-7000 Series Firewall for Logging Per Virtual System

You must have enabled Multi Virtual System Capability (Device > Setup > Management) in order to access the LPC subinterface configuration.

Perform this task on your PA-7000 Series firewall to configure logging for different virtual systems. For more information, see PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers.

Configure a PA-7000 Series Firewall Subinterface for Service Routes per Virtual System

Step 1: Create a Log Card subinterface.
  2. Enter the Interface Name.
  4. Click OK.

Step 2: Add a subinterface for each tenant on the LPC's physical interface.
  1. Highlight the Ethernet interface that is a Log Card interface type and click Add Subinterface.
  2. For Interface Name, after the period, enter the subinterface assigned to the tenant's virtual system.
  3. For Tag, enter a VLAN tag value. Make the tag the same as the subinterface number for ease of use, but it could be a different number.
  4. (Optional) Enter a Comment.
  6. Click OK.

Step 3: Enter the addresses assigned to the subinterface, and configure the default gateway. Click OK.

Step 4: Save the configuration.

Step 5: If you haven't already done so, configure the remaining service routes for the virtual system. See Customize Service Routes for a Virtual System.
Configure a DNS Proxy Object

If your firewall is to act as a DNS proxy for a virtual system, perform this task to configure a DNS Proxy Object. The proxy object can either be shared among all virtual systems or applied to a specific virtual system.

Step 1: Configure the basic settings for a DNS Proxy object.
  2. Verify that Enable is selected.
  3. Enter a Name for the object.
  4. For Location, select the virtual system to which the object applies. If you select Shared, you must specify at least a Primary DNS server address, and optionally a Secondary address.
  5. If you selected a virtual system, for Server Profile, select a DNS Server profile or else click DNS Server Profile to configure a new profile. See Configure a DNS Server Profile.
  6. For Interface, click Add and specify the interfaces to which the DNS Proxy object applies.
     - If you use the DNS Proxy object for performing DNS lookups, an interface is required. The firewall will listen for DNS requests on this interface, and then proxy them.
     - If you use the DNS Proxy object for a service route, the interface is optional.

Step 2: (Optional) Specify DNS Proxy rules.
  3. For Domain Name, click Add and enter one or more domains, one entry per row. Each domain name can contain * as a wildcard. The number of tokens in a wildcard string must match the number of tokens in the requested domain. For example, *.engineering.local will not match engineering.local. Both entries must be specified if you want both.
  4. Depending on the Location you chose in substep 4 of Step 1:
     - If you chose a virtual system, select a DNS Server profile here.
     - If you chose Shared, enter a Primary address here.
  5. Click OK.

Step 3: (Optional) Supply the DNS Proxy with static FQDN-to-address entries. Static DNS entries allow the firewall to resolve the FQDN to an IP address without going out to the DNS server.
  1. On the Static Entries tab, click Add and enter a Name.
  2. Enter the Fully Qualified Domain Name (FQDN).
  3. For Address, click Add and enter the IP address to which the FQDN should be mapped.
  4. Repeat steps 1-3 to provide additional static entries.
  5. Click OK.
Step 4: (Optional) Enable caching and configure other advanced settings for the DNS Proxy.
  1. On the Advanced tab, click Cache to enable the firewall to cache FQDN-to-address mappings that the firewall learns.
     - Size: Enter the maximum number of entries the firewall can cache (range is 1024-10240; default is 1024).
     - Timeout: Enter the number of hours after which all cached entries are removed (range is 4-24; default is 4). DNS time-to-live values are used to remove cache entries when they have been stored for less than the configured timeout period. After a timeout, new DNS requests must be resolved and cached again.
  2. Select TCP Queries to enable DNS queries using TCP.
     - Max Pending Requests: Enter the maximum number of concurrent, pending TCP DNS requests that the firewall will support (range is 64-256; default is 64).

Step 5: Save the configuration. Click OK and Commit.
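The Python model below is an added example, not code from the guide or from Palo Alto Networks; it implements the resolution behaviour this task configures so that a tenant's split-DNS rule set can be checked offline: static entries are answered without leaving the firewall, proxy rules use the token-wise wildcard match described in Step 2 (so *.engineering.local does not cover engineering.local) and send matching queries to the DNS server profile's primary, then secondary, server, anything else goes to the proxy object's default servers, and answers are cached subject to the Size and Timeout settings of Step 4. The profile name, addresses and the stand-in upstream answers are constructed for the example.

```python
"""Added example: a model of DNS proxy object resolution as the guide
describes it (not Palo Alto Networks code). Addresses, names and the
upstream answers below are constructed for the example."""
import time


def domain_matches(pattern, name):
    """Token-wise wildcard match. '*' stands for exactly one label, so the
    label counts must be equal: '*.engineering.local' does not match
    'engineering.local' (nor 'a.b.engineering.local')."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    return len(p) == len(n) and all(a == "*" or a == b for a, b in zip(p, n))


class DnsProxy:
    def __init__(self, primary, secondary=None, cache_size=1024, timeout_hours=4):
        # A Shared proxy object needs at least a Primary server.
        self.default_servers = [s for s in (primary, secondary) if s]
        self.static = {}        # fqdn -> [addresses], answered without leaving the firewall
        self.profiles = {}      # DNS server profile name -> [primary, secondary]
        self.rules = []         # ([domain patterns], profile name), in order
        self.cache = {}         # fqdn -> (addresses, time learned)
        self.cache_size = cache_size
        self.timeout = timeout_hours * 3600

    def add_static_entry(self, fqdn, addresses):
        self.static[fqdn.lower().rstrip(".")] = list(addresses)

    def add_server_profile(self, name, primary, secondary=None):
        self.profiles[name] = [s for s in (primary, secondary) if s]

    def add_rule(self, domains, profile):
        if profile not in self.profiles:
            raise ValueError(f"unknown DNS server profile {profile}")
        self.rules.append((list(domains), profile))

    def select(self, fqdn):
        """Where a query for fqdn goes: ('static', addresses),
        ('profile:<name>', servers) or ('default', servers)."""
        key = fqdn.lower().rstrip(".")
        if key in self.static:
            return "static", self.static[key]
        for domains, profile in self.rules:
            if any(domain_matches(d, key) for d in domains):
                return "profile:" + profile, self.profiles[profile]
        return "default", self.default_servers

    def resolve(self, fqdn, query, now=None):
        """query(server, fqdn) -> list of addresses or None (stands in for the
        network). Returns (source, addresses); source names the cache, a static
        entry, or the rule/default path plus the server that answered."""
        now = time.time() if now is None else now
        key = fqdn.lower().rstrip(".")
        hit = self.cache.get(key)
        if hit is not None and now - hit[1] < self.timeout:
            return "cache", hit[0]
        source, target = self.select(key)
        if source == "static":
            return source, target
        for server in target:              # primary first, then secondary
            addrs = query(server, key)
            if addrs:
                if len(self.cache) >= self.cache_size:   # evict the oldest entry
                    del self.cache[min(self.cache, key=lambda k: self.cache[k][1])]
                self.cache[key] = (list(addrs), now)
                return f"{source}@{server}", list(addrs)
        return source, []


def build_example():
    """A shared proxy with one tenant rule, as in the split-DNS use case."""
    proxy = DnsProxy("192.0.2.53", "192.0.2.54")
    proxy.add_server_profile("tenantA-dns", "10.1.1.53", "10.1.1.54")
    proxy.add_rule(["*.engineering.local", "engineering.local"], "tenantA-dns")
    proxy.add_static_entry("portal.engineering.local", ["10.1.2.10"])
    return proxy


# Constructed stand-in for the upstream servers: (server, name) -> answer.
UPSTREAM = {
    ("10.1.1.53", "build.engineering.local"): ["10.1.3.7"],
    ("10.1.1.54", "ci.engineering.local"): ["10.1.3.8"],    # only the secondary answers
    ("192.0.2.53", "www.example.com"): ["203.0.113.10"],
}


def fake_query(server, fqdn):
    return UPSTREAM.get((server, fqdn))


if __name__ == "__main__":
    p = build_example()
    for name in ("portal.engineering.local", "build.engineering.local",
                 "ci.engineering.local", "www.example.com"):
        print(name, p.resolve(name, fake_query, now=0))
```

Both the bare domain and the wildcard form appear in the rule, as the text requires; drop either one and queries for that form silently fall through to the default servers, which in a multi-tenant deployment means another party's resolver sees the tenant's internal names.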
Configure a DNS Server Profile

Perform this task to configure a DNS Server Profile, which simplifies configuration of a virtual system. The Primary DNS or Secondary DNS address is used to create the DNS request that the virtual system sends to the DNS server.

Step 1: Name the DNS server profile, select the virtual system to which it applies, and specify the primary and secondary DNS server addresses.
  4. For Inheritance Source, from the drop-down, select None if the DNS server addresses are not inherited. Otherwise, specify the DNS server from which the profile should inherit settings. If you choose a DNS server, click Check inheritance source status to see that information.
  5. Specify the IP address of the Primary DNS server, or leave as inherited if you chose an Inheritance Source. Keep in mind that if you specify an FQDN instead of an IP address, the DNS for that FQDN is resolved in Device > Virtual Systems > DNS Proxy.
  6. Specify the IP address of the Secondary DNS server, or leave as inherited if you chose an Inheritance Source.

Step 2: Configure the service route that the firewall automatically uses, based on whether the target DNS Server has an IP address family type of IPv4 or IPv6.
  2. For IPv4, specify the Source Interface to select the source IP address that the service route will use toward the DNS server. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
  3. Specify the IPv4 Source Address from which packets going to the DNS server are sourced.
  5. For IPv6, specify the Source Interface to select the source IP address that the service route will use toward the DNS server. The firewall determines which virtual router is assigned that interface, and then does a route lookup in the virtual router routing table to reach the destination network (based on the Primary DNS address).
  6. Specify the IPv6 Source Address from which packets going to the DNS server are sourced.
  7. Click OK.

Step 3: Save the configuration. Click OK and Commit.
Configure Administrative Access Per Virtual System or Firewall
If you have a superuser administrative account, you now have the ability to create and configure more granular permissions for a vsys admin or device admin role.

Create an Admin Role Profile Per Virtual System or Firewall
Step 1 Create an Admin Role Profile that grants or disables permission to an Administrator to configure or read only various areas of the web interface.
1.
2.
3.
4. On the Web UI tab for the Admin Role Profile, scroll down to Device, and leave the green check mark (Enable). Under Device, enable Setup. Under Setup, enable the areas to which this profile will grant configuration permission to the administrator, as shown below. (The Read Only lock icon appears in the Enable/Disable rotation if Read Only is allowed for that setting.)
- Management: Allows an admin with this profile to configure settings on the Management tab.
- Operations: Allows an admin with this profile to configure settings on the Operations tab.
- Services: Allows an admin with this profile to configure settings on the Services tab. An admin must have Services enabled in order to access the Device > Setup > Services > Virtual Systems tab. If the Role was specified as Virtual System in the prior step, Services is the only setting that can be enabled under Device > Setup.
- Content-ID: Allows an admin with this profile to configure settings on the Content-ID tab.
- WildFire: Allows an admin with this profile to configure settings on the WildFire tab.
- Session: Allows an admin with this profile to configure settings on the Session tab.
- HSM: Allows an admin with this profile to configure settings on the HSM tab.
5. Click OK.
6. (Optional) Repeat the entire step to create another Admin Role profile with different permissions, as necessary.
Step 2 Apply the Admin role profile to an administrator.
1.
2. (Optional) Select an Authentication Profile.
3.
4. Enter a Password and Confirm Password.
5.
6.
7. For Profile, select the profile that you just created.
8. (Optional) Select a Password Profile.
9. Click OK.
Step 3 Save the configuration.
Click Commit and OK.
DNS Resolution: Three Use Cases
The firewall determines how to handle DNS requests based on where the request originated. This section illustrates three types of DNS resolution, which are listed in the following table. The binding location determines which DNS proxy object is used for the resolution. For illustration purposes, the use cases show how a service provider might configure DNS settings to provide DNS services for resolving DNS queries required on the firewall and for tenant (subscriber) virtual systems.

Resolution Type: Firewall DNS resolution performed by management plane
  Location Shared: Binding: Global. Illustrated in Use Case 1.
  Location Specific Vsys: N/A

Resolution Type: Security profile, reporting, and server profile resolution performed by management plane
  Location Shared: Binding: Global. Same behavior as Use Case 1.
  Location Specific Vsys: Binding: Specific vsys. Illustrated in Use Case 2.

Resolution Type: DNS proxy resolution for DNS client hosts connected to an interface on the firewall, going through the firewall to a DNS Server, performed by dataplane
  Binding: Interface. Service Route: Interface and IP address on which the DNS request was received. Illustrated in Use Case 3.

Use Case 1: Firewall Requires DNS Resolution for Management Purposes
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
Use Case 1: Firewall Requires DNS Resolution for Management Purposes
In this use case, the firewall is the client requesting DNS resolutions of FQDNs for management events such as software update services, dynamic software updates, or WildFire. The shared, global DNS services perform the DNS resolution for the management plane functions.

Configure DNS Services for the Firewall
Step 1 Configure the primary and secondary DNS servers you want the firewall to use for its management DNS resolutions.
1.
2.
3.
You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
Step 2 Alternatively, you can configure a DNS Proxy Object if you want to configure advanced DNS functions such as split DNS, DNS proxy overrides, DNS proxy rules, static entries, or DNS inheritance.
1.
2.
3. To create a new proxy object, click Enable and enter a Name for the DNS proxy object.
4. For Location, select Shared for global, firewall-wide DNS proxy services.
Shared DNS proxy objects do not use DNS server profiles because they do not require a specific service route belonging to a tenant virtual system.
5. For Primary, enter the primary DNS server IP address. Optionally enter a Secondary DNS server IP address. In the ISP example in the screenshot above, the DNS proxy defines the primary and secondary DNS servers that are used to resolve the firewall management services.
6. Click OK and Commit.
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
In this use case, multiple tenants (ISP subscribers) are defined on the firewall and each tenant is allocated a separate virtual system (vsys) and virtual router in order to segment its services and administrative domains. The following figure illustrates several virtual systems within a firewall.

Each tenant has its own server profiles for Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks.

For the DNS resolutions initiated by these services, each virtual system is configured with its own DNS Proxy object to allow each tenant to customize how DNS resolution is handled within its virtual system. Any service with a Location will use the DNS Proxy object configured for the virtual system to determine the primary (or secondary) DNS server to resolve FQDNs, as illustrated in the following figure.

Configure a DNS Proxy for a Virtual System
Step 1 For each virtual system, specify the DNS Proxy to use.
1.
2.
3. On the General tab, choose a DNS Proxy or create a new one. In this example, Corp1 DNS Proxy is selected as the proxy for Corp1 Corporation's virtual system.
(If you need to create a new DNS Proxy, Step 2 below shows how to create a DNS Proxy and a Server Profile.)
4. For Interfaces, click Add. In this example, Ethernet1/20 is dedicated to this tenant.
5. For Virtual Routers, click Add. A virtual router named Corp1 VR is assigned to the virtual system in order to separate routing functions.
6. Click OK to save the configuration.
Step 2 Configure a DNS Proxy and a server profile to support DNS resolution for a virtual system.
1.
2. Click Enable and enter a Name for the DNS Proxy.
3. For Location, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6). (You could choose the Shared DNS Proxy resource instead.)
4. For Server Profile, choose or create a profile to customize DNS servers to use for DNS resolutions for this tenant's security policy, reporting, and server profile services.
If the profile is not already configured, in the Server Profile field, click DNS Server Profile to Configure a DNS Server Profile.
The DNS server profile identifies the IP addresses of the primary and secondary DNS server to use for management DNS resolutions for this virtual system.
5. Also for this server profile, optionally configure a Service Route IPv4 and/or a Service Route IPv6 to instruct the firewall which Source Interface to use in its DNS requests. If that interface has more than one IP address, configure the Source Address also.
6. Click OK to save the DNS Server Profile.
7.

If you use two separate DNS server profiles in the same DNS Proxy object, one for the DNS Proxy and one for the DNS proxy rule, the following behaviors occur:
- If a service route is defined in the DNS server profile used by the DNS Proxy, it takes precedence and is used.
- If a service route is defined in the DNS server profile used in the DNS proxy rules, it is not used. If the service route differs from the one defined in the DNS server profile used by the DNS Proxy, the following warning message is displayed during the Commit process:
Warning: The DNS service route defined in the DNS proxy object is different from the DNS proxy rules service route. Using the DNS proxy objects service route.
- If no service route is defined in any DNS server profile, the global service route is used if needed.
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant's network connected to the firewall interface. In such a scenario, the firewall performs DNS resolution on its dataplane.

Configure a DNS Proxy and DNS Proxy Rules
Step 1 Configure a DNS Proxy and DNS proxy rules.
1.
2.
3. For Location, select the virtual system of the tenant, in this example, Corp1 Corporation (vsys6).
4. For Interface, select the interface that will receive the DNS requests from the tenant's hosts, in this example, Ethernet1/20.
5. Choose or create a Server Profile to customize DNS servers to resolve DNS requests for this tenant.
6.
7.
8. Click Add and enter one or more Domain Name(s), one entry per row.
Each domain name can contain * as a wildcard. The number of characters in a wildcard string must equal the number of characters in the requested domain to match. For example, *.engineering.local does not match engineering.local. Both domain names must be specified in order for both to be matched.
9.
10. Click OK to save the rule.
11. Click OK to save the DNS Proxy.
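The following is an added illustration of how DNS proxy rule matching selects the servers a query is forwarded to (Use Case 3); it is not PAN-OS code. It assumes the wildcard * stands for exactly one DNS label, which reproduces the page's example that *.engineering.local does not match engineering.local, and uses constructed placeholder server addresses.

```python
# Added illustration of DNS proxy rule matching; not PAN-OS code.
# Assumption: "*" matches exactly one label, so the pattern and the queried
# name must have the same number of labels, as the page's example requires.
from dataclasses import dataclass, field


@dataclass
class ProxyRule:
    name: str
    domains: list   # patterns such as "*.engineering.local"
    servers: list   # DNS servers from the rule's server profile


@dataclass
class DnsProxy:
    """Constructed model of a per-vsys DNS Proxy object with its rules."""
    primary: str
    secondary: str
    rules: list = field(default_factory=list)


def labels(name: str) -> list:
    return name.rstrip(".").lower().split(".")


def domain_matches(pattern: str, query: str) -> bool:
    """Label-by-label comparison; '*' stands for exactly one label."""
    p, q = labels(pattern), labels(query)
    if len(p) != len(q):
        return False
    return all(pl == "*" or pl == ql for pl, ql in zip(p, q))


def select_servers(proxy: DnsProxy, query: str) -> tuple:
    """Return (matching rule name or None, servers the query goes to)."""
    for rule in proxy.rules:
        if any(domain_matches(d, query) for d in rule.domains):
            return rule.name, rule.servers
    # No proxy rule matched: fall back to the proxy object's own servers.
    return None, [proxy.primary, proxy.secondary]


# Constructed example for a tenant vsys (addresses are placeholders).
CORP1_PROXY = DnsProxy(
    primary="198.51.100.53",
    secondary="198.51.100.54",
    rules=[ProxyRule("internal",
                     ["engineering.local", "*.engineering.local"],
                     ["10.0.0.53"])],
)

if __name__ == "__main__":
    for q in ("engineering.local", "build.engineering.local", "www.example.com"):
        print(q, "->", select_servers(CORP1_PROXY, q))
```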
Virtual System Functionality with Other Features
Many of the firewall's features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual systems are mentioned in other relevant locations in the documentation and that information is not repeated here. Some of the specific chapters are the following:
- If you are configuring Active/Passive HA, the two firewalls must have the same virtual system capability (single or multiple virtual system capability). See High Availability.
- To configure QoS for virtual systems, see Configure QoS for a Virtual System.
- For information about configuring a firewall with virtual systems in a virtual wire deployment that uses subinterfaces (and VLAN tags), see the Virtual Wire Subinterfaces in Interface Deployments.
Certifications
The following topics describe how to configure the firewall to support the Common Criteria and the Federal Information Processing Standard 140-2 (FIPS 140-2), which are security certifications that ensure a standard set of security assurances and functionalities. These certifications are often required by civilian U.S. government agencies and government contractors.
Enable FIPS and Common Criteria Support
FIPS-CC Security Functions
Enable FIPS and Common Criteria Support
Use the following procedure to enable FIPS-CC mode on a software version that supports Common Criteria and the Federal Information Processing Standards 140-2 (FIPS 140-2). When you enable FIPS-CC mode, all FIPS and CC functionality is included.

When you enable FIPS-CC mode, the firewall will reset to the factory default settings; all configuration will be removed.

Enable FIPS-CC Mode
Step 1 Boot the firewall into maintenance mode as follows:
1. Establish a serial connection to the console port on the firewall.
2. Enter the following CLI command:
debug system maintenance-mode
3. Press Enter to continue.
You can also reboot the firewall and enter maint at the maintenance mode prompt.
Step 2
Step 3
Step 4 When prompted, select Reboot.
After successfully switching to FIPS-CC mode, the following status displays: FIPS-CC mode enabled successfully. In addition, the following changes will take place:
- FIPS-CC will display at all times in the status bar at the bottom of the web interface.
- The console port functions as a status output port only.
- The default admin login credentials change to admin/paloalto.
FIPS-CC Security Functions
When FIPS-CC mode is enabled, the following security functions are enforced:
- To log in to the firewall, the browser must be TLS 1.0 (or later) compatible. On a WF-500 appliance, you manage the appliance using the CLI only and you must connect using an SSHv2-compatible client application.
- All passwords on the firewall must be at least six characters.
- You must enforce a Failed Attempts and Lockout Time (min) value that is greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
- You must enforce an Idle Timeout value greater than 0 in authentication settings. If a login session is idle for more than the specified value, the account is automatically logged out.
- The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
- Unapproved FIPS/CC algorithms are not decrypted and are thus ignored during decryption.
- When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
- Self-generated and imported certificates must contain public keys that are either RSA 2048 bits (or more) or ECDSA 256 bits (or more), and you must use a digest of SHA256 or greater.
- The serial console port is only available as a status output port when FIPS-CC mode is enabled.
- Telnet, TFTP, and HTTP management connections are unavailable.
- High availability (HA) port encryption is required.