PAN-OS 8.0 Administrator's Guide
Version 8.0

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us

About this Guide
This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall. For additional information, refer to the following resources:
For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.
For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and Panorama 8.0 release notes, go to https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: March 30, 2017

PAN-OS 8.0 Administrator's Guide, Palo Alto Networks, Inc.
Table of Contents

Getting Started ... 19
  Integrate the Firewall into Your Management Network ... 20
    Determine Your Management Strategy ... 20
    Perform Initial Configuration ... 21
    Set Up Network Access for External Services ... 25
  Register the Firewall ... 29
  Activate Licenses and Subscriptions ... 30
  Install Content and Software Updates ... 32
  Segment Your Network Using Interfaces and Zones ... 36
    Network Segmentation for a Reduced Attack Surface ... 36
    Configure Interfaces and Zones ... 37
  Set Up a Basic Security Policy ... 40
  Assess Network Traffic ... 45
  Enable Basic WildFire Forwarding ... 47
  Control Access to Web Content ... 49
  Enable AutoFocus Threat Intelligence ... 52
  Best Practices for Completing the Firewall Deployment ... 54

Firewall Administration ... 55
  Management Interfaces ... 56
  Use the Web Interface ... 57
    Launch the Web Interface ... 57
    Configure Banners, Message of the Day, and Logos ... 58
    Use the Administrator Login Activity Indicators to Detect Account Misuse ... 60
    Manage and Monitor Administrative Tasks ... 62
    Commit, Validate, and Preview Firewall Configuration Changes ... 62
    Use Global Find to Search the Firewall or Panorama Management Server ... 64
    Manage Locks for Restricting Configuration Changes ... 66
  Manage Configuration Backups ... 67
    Save and Export Firewall Configurations ... 67
    Revert Firewall Configuration Changes ... 69
  Manage Firewall Administrators ... 71
    Administrative Roles ... 71
    Administrative Authentication ... 72
    Configure Administrative Accounts and Authentication ... 73
    Configure a Firewall Administrator Account ... 74
    Configure Local or External Authentication for Firewall Administrators ... 74
    Configure Certificate-Based Administrator Authentication to the Web Interface ... 76
    Configure SSH Key-Based Administrator Authentication to the CLI ... 78
  Reference: Web Interface Administrator Access ... 79
    Web Interface Access Privileges ... 79
    Panorama Web Interface Access Privileges ... 123
  Reference: Port Number Usage ... 126
    Ports Used for Management Functions ... 126
    Ports Used for HA ... 127
    Ports Used for Panorama ... 127
    Ports Used for GlobalProtect ... 128
    Ports Used for User-ID ... 129
  Reset the Firewall to Factory Default Settings ... 131
  Bootstrap the Firewall ... 132
    USB Flash Drive Support ... 132
    Sample init-cfg.txt Files ... 133
    Prepare a USB Flash Drive for Bootstrapping a Firewall ... 134
    Bootstrap a Firewall Using a USB Flash Drive ... 137

Authentication ... 139
  Authentication Types ... 140
    External Authentication Services ... 140
    Multi-Factor Authentication ... 140
    SAML ... 141
    Kerberos ... 142
    TACACS+ ... 143
    RADIUS ... 144
    LDAP ... 145
    Local Authentication ... 145
  Plan Your Authentication Deployment ... 147
  Configure Multi-Factor Authentication ... 148
  Configure SAML Authentication ... 152
  Configure Kerberos Single Sign-On ... 157
  Configure Kerberos Server Authentication ... 158
  Configure TACACS+ Authentication ... 159
  Configure RADIUS Authentication ... 161
  Configure LDAP Authentication ... 164
  Configure Local Database Authentication ... 165
  Configure an Authentication Profile and Sequence ... 166
  Test Authentication Server Connectivity ... 169
  Authentication Policy ... 170
    Authentication Timestamps ... 170
    Configure Authentication Policy ... 171
  Troubleshoot Authentication Issues ... 174

Certificate Management ... 177
  Keys and Certificates ... 178
  Certificate Revocation ... 180
    Certificate Revocation List (CRL) ... 180
    Online Certificate Status Protocol (OCSP) ... 181
  Certificate Deployment ... 182
  Set Up Verification for Certificate Revocation Status ... 183
    Configure an OCSP Responder ... 183
    Configure Revocation Status Verification of Certificates ... 184
    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption ... 184
  Configure the Master Key ... 186
  Obtain Certificates ... 187
    Create a Self-Signed Root CA Certificate ... 187
    Generate a Certificate ... 188
    Import a Certificate and Private Key ... 189
    Obtain a Certificate from an External CA ... 190
  Export a Certificate and Private Key ... 192
  Configure a Certificate Profile ... 193
  Configure an SSL/TLS Service Profile ... 195
  Replace the Certificate for Inbound Management Traffic ... 196
  Configure the Key Size for SSL Forward Proxy Server Certificates ... 197
  Revoke and Renew Certificates ... 198
    Revoke a Certificate ... 198
    Renew a Certificate ... 198
  Secure Keys with a Hardware Security Module ... 199
    Set Up Connectivity with an HSM ... 199
    Encrypt a Master Key Using an HSM ... 204
    Store Private Keys on an HSM ... 205
    Manage the HSM Deployment ... 206

High Availability ... 207
  HA Overview ... 208
  HA Concepts ... 209
    HA Modes ... 209
    HA Links and Backup Links ... 210
    Device Priority and Preemption ... 213
    Failover ... 213
    LACP and LLDP Pre-Negotiation for Active/Passive HA ... 214
    Floating IP Address and Virtual MAC Address ... 214
    ARP Load-Sharing ... 216
    Route-Based Redundancy ... 218
    HA Timers ... 218
    Session Owner ... 221
    Session Setup ... 221
    NAT in Active/Active HA Mode ... 223
    ECMP in Active/Active HA Mode ... 224
  Set Up Active/Passive HA ... 225
    Prerequisites for Active/Passive HA ... 225
    Configuration Guidelines for Active/Passive HA ... 226
    Configure Active/Passive HA ... 228
    Define HA Failover Conditions ... 233
    Verify Failover ... 233
  Set Up Active/Active HA ... 235
    Prerequisites for Active/Active HA ... 235
    Configure Active/Active HA ... 236
    Determine Your Active/Active Use Case ... 241
    Use Case: Configure Active/Active HA with Route-Based Redundancy ... 242
    Use Case: Configure Active/Active HA with Floating IP Addresses ... 243
    Use Case: Configure Active/Active HA with ARP Load-Sharing ... 244
    Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall ... 245
    Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses ... 249
    Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls ... 252
    Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT ... 253
    Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3 ... 256
  HA Firewall States ... 259
  Reference: HA Synchronization ... 261
    What Settings Don't Sync in Active/Passive HA? ... 261
    What Settings Don't Sync in Active/Active HA? ... 263
    Synchronization of System Runtime Information ... 265
    Disable Hardware Offload ... 303
    Take a Custom Packet Capture ... 304
    Take a Threat Packet Capture ... 308
    Take an Application Packet Capture ... 309
    Take a Packet Capture on the Management Interface ... 312
  Monitor Applications and Threats ... 314
  View and Manage Logs ... 315
    Log Types and Severity Levels ... 315
    View Logs ... 320
    Filter Logs ... 321
    Export Logs ... 322
    Configure Log Storage Quotas and Expiration Periods ... 323
    Schedule Log Exports to an SCP or FTP Server ... 323
  Monitor Block List ... 325
  View and Manage Reports ... 326
    Report Types ... 326
    View Reports ... 327
    Configure the Expiration Period and Run Time for Reports ... 327
    Disable Predefined Reports ... 328
    Custom Reports ... 328
    Generate Custom Reports ... 331
    Generate Botnet Reports ... 333
    Generate the SaaS Application Usage Report ... 335
    Manage PDF Summary Reports ... 338
    Generate User/Group Activity Reports ... 340
    Manage Report Groups ... 341
    Schedule Reports for Email Delivery ... 342
  Use External Services for Monitoring ... 344
  Configure Log Forwarding ... 345
  Configure Email Alerts ... 348
  Use Syslog for Monitoring ... 349
    Configure Syslog Monitoring ... 349
    Syslog Field Descriptions ... 351
  SNMP Monitoring and Traps ... 376
    SNMP Support ... 376
    Use an SNMP Manager to Explore MIBs and Objects ... 377
    Enable SNMP Services for Firewall-Secured Network Elements ... 381
    Monitor Statistics Using SNMP ... 381
    Forward Traps to an SNMP Manager ... 383
    Supported MIBs ... 385
  Forward Logs to an HTTP(S) Destination ... 393
  NetFlow Monitoring ... 397
    Configure NetFlow Exports ... 397
    NetFlow Templates ... 398
  Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors ... 403

User-ID ... 405
  User-ID Overview ... 406
  User-ID Concepts ... 408
    Group Mapping ... 408
    User Mapping ... 408
  Enable User-ID ... 413
  Map Users to Groups ... 417
  Map IP Addresses to Users ... 420
    Create a Dedicated Service Account for the User-ID Agent ... 421
    Configure User Mapping Using the Windows User-ID Agent ... 424
    Configure User Mapping Using the PAN-OS Integrated User-ID Agent ... 432
    Configure User-ID to Monitor Syslog Senders for User Mapping ... 434
    Map IP Addresses to Usernames Using Captive Portal ... 444
    Configure User Mapping for Terminal Server Users ... 451
    Send User Mappings to User-ID Using the XML API ... 459
  Enable User- and Group-Based Policy ... 460
  Enable Policy for Users with Multiple Accounts ... 461
  Verify the User-ID Configuration ... 463
  Deploy User-ID in a Large-Scale Network ... 465
    Deploy User-ID for Numerous Mapping Information Sources ... 465
    Redistribute User Mappings and Authentication Timestamps ... 469
Decryption ... 555
  Decryption Overview ... 556
  Decryption Concepts ... 557
    Keys and Certificates for Decryption Policies ... 557
    SSL Forward Proxy ... 558
    SSL Inbound Inspection ... 560
    SSH Proxy ... 561
    Decryption Mirroring ... 562
    SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates ... 562
    Perfect Forward Secrecy (PFS) Support for SSL Decryption ... 563
  Define Traffic to Decrypt ... 564
    Create a Decryption Profile ... 564
    Create a Decryption Policy Rule ... 566
  Configure SSL Forward Proxy ... 568
  Configure SSL Inbound Inspection ... 572
  Configure SSH Proxy ... 574
  Decryption Exclusions ... 575
    Palo Alto Networks Predefined Decryption Exclusions ... 575
    Exclude a Server from Decryption ... 576
    Create a Policy-Based Decryption Exclusion ... 576
  Enable Users to Opt Out of SSL Decryption ... 578
  Configure Decryption Port Mirroring ... 580
  Temporarily Disable SSL Decryption ... 582
    URL Database Out of Date ... 645

Quality of Service ... 647
  QoS Overview ... 648
  QoS Concepts ... 650
    QoS for Applications and Users ... 650
    QoS Policy ... 650
    QoS Profile ... 651
    QoS Classes ... 651
    QoS Priority Queuing ... 652
    QoS Bandwidth Management ... 652
    QoS Egress Interface ... 653
    QoS for Clear Text and Tunneled Traffic ... 653
  Configure QoS ... 654
  Configure QoS for a Virtual System ... 659
  Enforce QoS Based on DSCP Classification ... 664
  QoS Use Cases ... 667
    Use Case: QoS for a Single User ... 667
    Use Case: QoS for Voice and Video Applications ... 669

VPNs ... 673
  VPN Deployments ... 674
  Site-to-Site VPN Overview ... 675
  Site-to-Site VPN Concepts ... 676
    IKE Gateway ... 676
    Tunnel Interface ... 676
    Tunnel Monitoring ... 677
    Internet Key Exchange (IKE) for VPN ... 678
    IKEv2 ... 680
  Set Up Site-to-Site VPN ... 684
    Set Up an IKE Gateway ... 684
    Define Cryptographic Profiles ... 690
    Set Up an IPSec Tunnel ... 693
    Set Up Tunnel Monitoring ... 696
    Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel ... 697
    Test VPN Connectivity ... 699
    Interpret VPN Error Messages ... 700
  Site-to-Site VPN Quick Configs ... 701
    Site-to-Site VPN with Static Routing ... 701
    Site-to-Site VPN with OSPF ... 705
    Site-to-Site VPN with Static and Dynamic Routing ... 711

Large Scale VPN (LSVPN) ... 717
  LSVPN Overview ... 718
  Create Interfaces and Zones for the LSVPN ... 719
  Enable SSL Between GlobalProtect LSVPN Components ... 721
    About Certificate Deployment ... 721
    Deploy Server Certificates to the GlobalProtect LSVPN Components ... 721
    Deploy Client Certificates to the GlobalProtect Satellites Using SCEP ... 724
  Configure the Portal to Authenticate Satellites ... 727
  Configure GlobalProtect Gateways for LSVPN ... 729
  Configure the GlobalProtect Portal for LSVPN ... 732
    GlobalProtect Portal for LSVPN Prerequisite Tasks ... 732
    Configure the Portal ... 732
    Define the Satellite Configurations ... 733
  Prepare the Satellite to Join the LSVPN ... 737
  Verify the LSVPN Configuration ... 740
  LSVPN Quick Configs ... 741
  Basic LSVPN Configuration with Static Routing ... 742
  Advanced LSVPN Configuration with Dynamic Routing ... 745
  Advanced LSVPN Configuration with iBGP ... 748
    Configure a BGP Peer with MP-BGP for IPv4 Multicast ... 813
  Route Redistribution ... 815
  DHCP ... 818
    DHCP Overview ... 818
    Firewall as a DHCP Server and Client ... 819
    DHCP Messages ... 819
    DHCP Addressing ... 820
    DHCP Options ... 822
    Configure an Interface as a DHCP Server ... 824
    Configure an Interface as a DHCP Client ... 828
    Configure the Management Interface as a DHCP Client ... 829
    Configure an Interface as a DHCP Relay Agent ... 831
    Monitor and Troubleshoot DHCP ... 831
  DNS ... 833
    DNS Overview ... 833
    DNS Proxy Object ... 834
    DNS Server Profile ... 835
    Multi-Tenant DNS Deployments ... 835
    Configure a DNS Proxy Object ... 836
    Configure a DNS Server Profile ... 838
    Use Case 1: Firewall Requires DNS Resolution for Management Purposes ... 839
    Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System ... 841
    Use Case 3: Firewall Acts as DNS Proxy Between Client and Server ... 843
    Reference: DNS Proxy Rule and FQDN Matching ... 844
  NAT ... 848
    NAT Policy Rules ... 848
    Source NAT and Destination NAT ... 851
    NAT Rule Capacities ... 852
    Dynamic IP and Port NAT Oversubscription ... 852
    Dataplane NAT Memory Statistics ... 854
    Configure NAT ... 855
    NAT Configuration Examples ... 862
  NPTv6 ... 870
    NPTv6 Overview ... 870
    How NPTv6 Works ... 872
    NDP Proxy ... 873
    NPTv6 and NDP Proxy Example ... 875
    Create an NPTv6 Policy ... 876
  NAT64 ... 879
    NAT64 Overview ... 879
    IPv4-Embedded IPv6 Address ... 880
    DNS64 Server ... 880
    Path MTU Discovery ... 881
    IPv6-Initiated Communication ... 881
    Configure NAT64 for IPv6-Initiated Communication ... 883
    Configure NAT64 for IPv4-Initiated Communication ... 885
    Configure NAT64 for IPv4-Initiated Communication with Port Translation ... 887
  ECMP ... 891
    ECMP Load-Balancing Algorithms ... 891
    ECMP Model, Interface, and IP Routing Support ... 892
    Configure ECMP on a Virtual Router ... 893
    Enable ECMP for Multiple BGP Autonomous Systems ... 894
    Verify ECMP ... 896
  LLDP ... 897
    LLDP Overview ... 897
    Supported TLVs in LLDP ... 898
    LLDP Syslog Messages and SNMP Traps ... 899
    Configure LLDP ... 900
    View LLDP Settings and Status ... 902
    Clear LLDP Statistics ... 903
  BFD ... 904
    BFD Overview ... 904
    Configure BFD ... 907
  Session Settings and Timeouts ... 914
    Transport Layer Sessions ... 914
    TCP ... 914
    UDP ... 919
    ICMP ... 919
    Control Specific ICMP or ICMPv6 Types and Codes ... 921
    Configure Session Timeouts ... 922
    Configure Session Settings ... 923
    Prevent TCP Split Handshake Session Establishment ... 926
  Tunnel Content Inspection ... 928
    Tunnel Content Inspection Overview ... 928
    Configure Tunnel Content Inspection ... 931
    View Inspected Tunnel Activity ... 937
    View Tunnel Information in Logs ... 938
    Create a Custom Report Based on Tagged Tunnel Traffic ... 939
  Reference: BFD Details ... 940

Policy ... 943
  Policy Types ... 944
  Security Policy ... 945
    Components of a Security Policy Rule ... 945
    Security Policy Actions ... 948
    Create a Security Policy Rule ... 948
  Policy Objects ... 951
  Security Profiles ... 952
    Antivirus Profiles ... 953
    Anti-Spyware Profiles ... 953
    Vulnerability Protection Profiles ... 954
    URL Filtering Profiles ... 954
    Data Filtering Profiles ... 955
    File Blocking Profiles ... 955
    WildFire Analysis Profiles ... 956
    DoS Protection Profiles ... 956
Getting Started

The following topics provide detailed steps to help you deploy a new Palo Alto Networks next-generation firewall. They provide details for integrating a new firewall into your network, registering the firewall, activating licenses and subscriptions, and configuring basic security policies and threat prevention features.

After you perform the basic configuration steps required to integrate the firewall into your network, you can use the rest of the topics in this guide to help you deploy the comprehensive security platform features as necessary to address your network security needs.

Integrate the Firewall into Your Management Network
Register the Firewall
Activate Licenses and Subscriptions
Install Content and Software Updates
Segment Your Network Using Interfaces and Zones
Set Up a Basic Security Policy
Assess Network Traffic
Enable Basic WildFire Forwarding
Control Access to Web Content
Enable AutoFocus Threat Intelligence
Best Practices for Completing the Firewall Deployment
Integrate the Firewall into Your Management Network

All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to perform the firewall administration functions. By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance. When using the web interface, you must perform all initial configuration tasks from the MGT port even if you plan to use an in-band data port for managing your firewall going forward.

Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the Internet. If you do not want to enable external access to your MGT port, you will need to either set up an in-band data port to provide access to required external services (using service routes) or plan to manually upload updates regularly.

The following topics describe how to perform the initial configuration steps that are necessary to integrate a new firewall into the management network and deploy it in a basic security configuration.

Determine Your Management Strategy
Perform Initial Configuration
Set Up Network Access for External Services

The following topics describe how to integrate a single Palo Alto Networks next-generation firewall into your network. However, for redundancy, consider deploying a pair of firewalls in a High Availability configuration.
Determine Your Management Strategy

The Palo Alto Networks firewall can be configured and managed locally or it can be managed centrally using Panorama, the Palo Alto Networks centralized security management system. If you have six or more firewalls deployed in your network, use Panorama to achieve the following benefits:

Reduce the complexity and administrative overhead in managing configuration, policies, software and dynamic content updates. Using device groups and templates on Panorama, you can effectively manage firewall-specific configuration locally on a firewall and enforce shared policies across all firewalls or device groups.

Aggregate data from all managed firewalls and gain visibility across all the traffic on your network. The Application Command Center (ACC) on Panorama provides a single glass pane for unified reporting across all the firewalls, allowing you to centrally analyze, investigate and report on network traffic, security incidents and administrative modifications.

The procedures that follow describe how to manage the firewall using the local web interface. If you want to use Panorama for centralized management, first Perform Initial Configuration and verify that the firewall can establish a connection to Panorama. From that point on you can use Panorama to configure your firewall centrally.
Perform Initial Configuration

By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other firewall configuration tasks. You must perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this interface for your firewall management, or using a direct serial connection to the console port on the firewall.

Set Up Network Access to the Firewall
Set Up Network Access for External Services

By default, the firewall uses the MGT interface to access remote services, such as DNS servers, content updates, and license retrieval. If you do not want to enable external network access to your management network, you must set up an in-band data port to provide access to required external services and set up service routes to instruct the firewall what port to use to access the external services.

This task requires familiarity with firewall interfaces, zones, and policies. For more information on these topics, see Configure Interfaces and Zones and Set Up a Basic Security Policy.

Set Up a Data Port for Access to External Services
Register the Firewall

Before you can activate support and other licenses and subscriptions, you must first register the firewall.

If you are registering a VM-Series firewall, refer to the VM-Series Deployment Guide.

Register the Firewall
Activate Licenses and Subscriptions

Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for each of the services you purchased. Available licenses and subscriptions include the following:

Threat Prevention: Provides antivirus, anti-spyware, and vulnerability protection.

Decryption Mirroring: Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis.

URL Filtering: Provides the ability to create security policy that allows or blocks access to the web based on dynamic URL categories. You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. For more information about URL filtering, see Control Access to Web Content.

Virtual Systems: This license is required to enable support for multiple virtual systems on PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-800 Series, PA-500, PA-200, PA-220, and VM-Series firewalls do not support virtual systems.

WildFire: Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to an on-premise WF-500 appliance.

GlobalProtect: Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use advanced GlobalProtect features (HIP checks and related content updates, the GlobalProtect Mobile App, IPv6 connections, or a GlobalProtect Clientless VPN) you will need a GlobalProtect license (subscription) for each gateway.

AutoFocus: Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.

Activate Licenses and Subscriptions
Install Content and Software Updates

In order to stay ahead of the changing threat and application landscape, Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. By default, the firewalls use the management port to access the CDN infrastructure for application updates, threat and antivirus signature updates, BrightCloud and PAN-DB database updates and lookups, and access to the Palo Alto Networks WildFire cloud. To ensure that you are always protected from the latest threats (including those that have not yet been discovered), you must ensure that you keep your firewalls up to date with the latest content and software updates published by Palo Alto Networks.

The following content updates are available, depending on which subscriptions you have:

Although you can manually download and install content updates at any time, as a best practice you should Schedule each content update. Scheduled updates occur automatically.

Antivirus: Includes new and updated antivirus signatures, including WildFire signatures and automatically generated command-and-control (C2) signatures. WildFire signatures detect malware first seen by firewalls from around the world. Automatically generated C2 signatures detect certain patterns in C2 traffic (instead of the C2 server sending malicious commands to a compromised system); these signatures enable the firewall to detect C2 activity even when the C2 host is unknown or changes rapidly. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.

Applications: Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.

Applications and Threats: Includes new and updated application and threat signatures, including those that detect spyware and vulnerabilities. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New Applications and Threats updates are published weekly, and the firewall can retrieve the latest update within 30 minutes of availability. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.

GlobalProtect Data File: Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect license (subscription) and create an update schedule in order to receive these updates.

GlobalProtect Clientless VPN: Contains new and updated application signatures to enable Clientless VPN access to common web applications from the GlobalProtect portal. You must have a GlobalProtect license (subscription) and create an update schedule in order to receive these updates and enable Clientless VPN to function.

BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as firewalls remain in sync with the servers automatically.

WildFire: Provides near-real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the antivirus update.

WF-Private: Provides malware signatures generated by an on-premise WildFire appliance.
Install Content and Software Updates
NOTE: You cannot download the antivirus update until you have installed the Application and Threats update.

Upgrade: Indicates that a new version of the BrightCloud database is available. Click the link to begin the download and installation of the database. The database upgrade begins in the background; when completed, a check mark displays in the Currently Installed column. Note that if you are using PAN-DB as your URL filtering database you will not see an upgrade link because the PAN-DB database on the firewall automatically synchronizes with the PAN-DB cloud.

To check the status of an action, click Tasks (on the lower right-hand corner of the window).

Revert: Indicates that a previously installed version of the content or software version is available. You can choose to revert to the previously installed version.
Segment Your Network Using Interfaces and Zones

Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall. Because traffic can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data and the more protection you have against malware moving laterally throughout your network. For example, you might want to segment access to the database servers that store your customer data into a zone called Customer Data. You can then define security policies that only permit certain users or groups of users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment.

Network Segmentation for a Reduced Attack Surface
Configure Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

The following diagram shows a very basic example of Network Segmentation Using Zones. The more granular you make your zones (and the corresponding security policy rules that allow traffic between zones), the more you reduce the attack surface on your network. This is because traffic can flow freely within a zone (intrazone traffic), but traffic cannot flow between zones (interzone traffic) until you define a Security policy rule that allows it. Additionally, an interface cannot process traffic until you have assigned it to a zone. Therefore, by segmenting your network into granular zones you have more control over access to sensitive applications or data and you can prevent malicious traffic from establishing a communication channel within your network, thereby reducing the likelihood of a successful attack on your network.
Configure Interfaces and Zones

After you identify how you want to segment your network and the zones you will need to create to achieve the segmentation (as well as the interfaces to map to each zone), you can begin configuring the interfaces and zones on the firewall. Configure Interfaces on the firewall to support the topology of each part of the network you are connecting to. The following workflow shows how to configure Layer 3 interfaces and assign them to zones. For details on integrating the firewall using a different type of interface deployment (for example as Virtual Wire Interfaces or as Layer 2 Interfaces), see Networking.

The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and virtual router). If you do not plan to use the default virtual wire, you must manually delete the configuration and commit the change before proceeding to prevent it from interfering with other settings you define. For instructions on how to delete the default virtual wire and its associated security policy and zones, see Step 3 in Set Up a Data Port for Access to External Services.

Set Up Interfaces and Zones
Set Up a Basic Security Policy

Now that you have defined some zones and attached them to interfaces, you are ready to begin creating your Security Policy. The firewall will not allow any traffic to flow from one zone to another unless there is a Security policy rule to allow it. When a packet enters a firewall interface, the firewall matches the attributes in the packet against the Security policy rules to determine whether to block or allow the session based on attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. The firewall evaluates incoming traffic against the security policy rulebase from left to right and from top to bottom and then takes the action specified in the first security rule that matches (for example, whether to allow, deny, or drop the packet). This means that you must order the rules in your security policy rulebase so that more specific rules are at the top of the rulebase and more general rules are at the bottom to ensure that the firewall is enforcing policy as expected.

Even though a security policy rule allows a packet, this does not mean that the traffic is free of threats. To enable the firewall to scan the traffic that it allows based on a security policy rule, you must also attach Security Profiles, including URL Filtering, Antivirus, Anti-Spyware, File Blocking, and WildFire Analysis, to each rule (note that the profiles you can use depend on what subscriptions you have purchased). When creating your basic security policy, use the predefined security profiles to ensure that the traffic you allow into your network is being scanned for threats. You can customize these profiles later as needed for your environment.

Use the following workflow to set up a very basic security policy that enables access to the network infrastructure, to data center applications, and to the Internet. This will enable you to get the firewall up and running so that you can verify that you have successfully configured the firewall. This policy is not comprehensive enough to protect your network. After you verify that you have successfully configured the firewall and integrated it into your network, proceed with creating a Best Practice Internet Gateway Security Policy that will safely enable application access while protecting your network from attack.

Define Basic Security Policy Rules
Step 1  Allow access to your network infrastructure resources.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to IT Infrastructure.
   As a best practice, consider using address objects in the Destination Address field to enable access to specific servers or groups of servers only, particularly for services such as DNS and SMTP that are commonly exploited. By restricting users to specific destination server addresses you can prevent data exfiltration and command-and-control traffic from establishing communication through techniques such as DNS tunneling.
5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select dns, ntp, ocsp, ping, smtp.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:
   For Antivirus select default
   For Vulnerability Protection select strict
   For Anti-Spyware select strict
   For URL Filtering select default
   For File Blocking select basic file blocking
   For WildFire Analysis select default
9. Verify that Log at Session End is enabled. Only traffic that matches a security policy rule will be logged.
10. Click OK.
Step 2  Enable access to general Internet applications.
   This is a temporary rule that allows you to gather information about the traffic on your network. After you have more insight into what applications your users need access to, you can make informed decisions about what applications to allow and create more granular application-based rules for each user group.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to Internet.
5. In the Applications tab, Add an Application Filter and enter a Name. To safely enable access to legitimate web-based applications, set the Category in the application filter to general-internet and then click OK. To enable access to encrypted sites, Add the ssl application.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:
   For Antivirus select default
   For Vulnerability Protection select strict
   For Anti-Spyware select strict
   For URL Filtering select default
   For File Blocking select strict file blocking
   For WildFire Analysis select default
9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
10. Click OK.
Step 3  Enable access to data center applications.
1. Select Policies > Security and click Add.
2. Enter a descriptive Name for the rule in the General tab.
3. In the Source tab, set the Source Zone to Users.
4. In the Destination tab, set the Destination Zone to Data Center Applications.
5. In the Applications tab, Add the applications that correspond to the network services you want to safely enable. For example, select activesync, imap, kerberos, ldap, ms-exchange, and ms-lync.
6. In the Service/URL Category tab, keep the Service set to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Set Profile Type to Profiles and select the following security profiles to attach to the policy rule:
   For Antivirus select default
   For Vulnerability Protection select strict
   For Anti-Spyware select strict
   For URL Filtering select default
   For File Blocking select basic file blocking
   For WildFire Analysis select default
9. Verify that Log at Session End is enabled. Only traffic that matches a security rule will be logged.
10. Click OK.
    "Network Infrastructure" {
        from Users;
        source any;
        source-region none;
        to Data_Center;
        destination any;
        destination-region none;
        user any;
        category any;
        application/service dns/any/any/any;
        action allow;
        icmp-unreachable: no
        terminal yes;
    }
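As an added example (not the guide's own code), the following Python model evaluates the three rules from Steps 1 through 3 the way the text describes: top to bottom, first match wins, service kept at application-default, and the implicit intrazone-allow / interzone-deny behaviour described under Segment Your Network Using Interfaces and Zones. The zone names, the App-ID category and port table, the profile names, and the sample sessions are constructed assumptions for illustration.

```python
"""Added example (not from the PAN-OS guide): a model of how the firewall
walks a zone-based Security policy rulebase top to bottom and applies the
first matching rule, built from the three rules in Steps 1-3 above. The
App-ID table, zone names and sample sessions are constructed for
illustration, not PAN-OS data."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed stand-in for App-ID metadata (real data comes from the
# Applications content update): app -> (category, standard destination ports).
# An empty port set means the app has no L4 port (ICMP ping).
APPS: Dict[str, Tuple[str, FrozenSet[int]]] = {
    "dns": ("networking", frozenset({53})),
    "ntp": ("networking", frozenset({123})),
    "ocsp": ("networking", frozenset({80})),
    "ping": ("networking", frozenset()),
    "smtp": ("collaboration", frozenset({25, 587})),
    "ssl": ("networking", frozenset({443})),
    "web-browsing": ("general-internet", frozenset({80})),
    "bittorrent": ("general-internet", frozenset({6881})),
    "activesync": ("collaboration", frozenset({80, 443})),
    "imap": ("collaboration", frozenset({143, 993})),
    "kerberos": ("networking", frozenset({88})),
    "ldap": ("networking", frozenset({389, 636})),
    "ms-exchange": ("collaboration", frozenset({135})),
    "ms-lync": ("collaboration", frozenset({5061})),
    "ssh": ("networking", frozenset({22})),
}

@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str              # App-ID the firewall identified for the session
    port: Optional[int]   # destination port; None for port-less apps (ping)

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: FrozenSet[str] = frozenset()   # explicit App-IDs (Steps 1 and 3)
    app_category: Optional[str] = None   # application filter by category (Step 2)
    service: str = "application-default"
    action: str = "allow"
    profiles: Dict[str, str] = field(default_factory=dict)

    def matches(self, s: Session) -> bool:
        if (self.src_zone, self.dst_zone) != (s.src_zone, s.dst_zone):
            return False
        category, ports = APPS.get(s.app, ("unknown", frozenset()))
        if s.app not in self.apps and category != self.app_category:
            return False
        if self.service != "application-default":
            return True   # service 'any': the port is not checked
        # application-default: the app must arrive on its standard port(s);
        # a port-less app (ping) matches only a port-less session.
        return (s.port is None) if not ports else (s.port in ports)

def evaluate(rulebase: List[Rule], s: Session) -> Tuple[str, str, Dict[str, str]]:
    """Return (action, rule name, attached profiles) from the first matching
    rule. No match falls to the implicit defaults: intrazone allow, interzone deny."""
    for rule in rulebase:
        if rule.matches(s):
            return rule.action, rule.name, dict(rule.profiles)
    if s.src_zone == s.dst_zone:
        return "allow", "intrazone-default", {}
    return "deny", "interzone-default", {}

# Profile sets from Step 8 of each rule.
BASIC_PROFILES = {"antivirus": "default", "vulnerability-protection": "strict",
                  "anti-spyware": "strict", "url-filtering": "default",
                  "file-blocking": "basic file blocking", "wildfire-analysis": "default"}
STRICT_PROFILES = {**BASIC_PROFILES, "file-blocking": "strict file blocking"}

RULEBASE: List[Rule] = [
    Rule("Allow IT infrastructure", "Users", "IT Infrastructure",
         apps=frozenset({"dns", "ntp", "ocsp", "ping", "smtp"}), profiles=BASIC_PROFILES),
    Rule("Allow general internet", "Users", "Internet", apps=frozenset({"ssl"}),
         app_category="general-internet", profiles=STRICT_PROFILES),
    Rule("Allow data center apps", "Users", "Data Center Applications",
         apps=frozenset({"activesync", "imap", "kerberos", "ldap",
                         "ms-exchange", "ms-lync"}), profiles=BASIC_PROFILES),
]

# Ordering matters: this specific deny takes effect only if it sits above the
# broad general-internet rule; appended below it, it is never reached.
BLOCK_FILE_SHARING = Rule("Block file sharing", "Users", "Internet",
                          apps=frozenset({"bittorrent"}), service="any", action="deny")

if __name__ == "__main__":
    for s in [  # constructed sessions
        Session("Users", "IT Infrastructure", "dns", 8053),  # dns on a non-standard port
        Session("Users", "Internet", "bittorrent", 6881),    # why Step 2 is temporary
        Session("Internet", "Users", "web-browsing", 80),    # zone direction matters
        Session("Users", "Users", "ssh", 22),                # intrazone traffic
    ]:
        action, rule, _ = evaluate(RULEBASE, s)
        print(f"{s.src_zone} -> {s.dst_zone} {s.app}: {action} ({rule})")
```

The dns-on-port-8053 and bittorrent sessions show the two sides of the workflow: application-default drops a known app on a non-standard port even though the rule allows it, while the broad general-internet filter permits file sharing until a more specific rule is placed above it.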
Assess Network Traffic

Now that you have a basic security policy, you can review the statistics and data in the Application Command Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to identify where you need to create more granular security policy rules.

Monitor Network Traffic
Use the Application Command Center and Use the Automated Correlation Engine.
   In the ACC, review the most used applications and the high-risk applications on your network. The ACC graphically summarizes the log information to highlight the applications traversing the network, who is using them (with User-ID enabled), and the potential security impact of the content to help you identify what is happening on the network in real time. You can then use this information to create appropriate security policy rules that block unwanted applications, while allowing and enabling applications in a secure manner.
   The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network and the logs and match evidence that corroborates the events.

Determine what updates/modifications are required for your network security policy rules and implement the changes.
   For example:
   Evaluate whether to allow web content based on schedule, users, or groups.
   Allow or control certain applications or functions within an application.
   Decrypt and inspect content.
   Allow but scan for threats and exploits.
   For information on refining your security policies and for attaching custom security profiles, see Create a Security Policy Rule and Security Profiles.
Configure Log Storage Quotas and Expiration Periods.
   Review the AutoFocus intelligence summary for artifacts in your logs. An artifact is an item, property, activity, or behavior associated with logged events on the firewall. The intelligence summary reveals the number of sessions and samples in which WildFire detected the artifact. Use WildFire verdict information (benign, grayware, malware) and AutoFocus matching tags to look for potential risks in your network.
   AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team, call attention to advanced, targeted campaigns and threats in your network.
   From the AutoFocus intelligence summary, you can start an AutoFocus search for artifacts and assess their pervasiveness within global, industry, and network contexts.

Monitor Web Activity of Network Users.
   Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue, override or block.
Enable Basic WildFire Forwarding

WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to be malicious, phishing, grayware, or benign. With WildFire enabled, a Palo Alto Networks firewall can forward unknown samples to WildFire for analysis. For newly discovered malware, WildFire generates a signature to detect the malware and distributes it to all firewalls with active WildFire subscriptions within minutes. This enables all Palo Alto next-generation firewalls worldwide to detect and prevent malware found by a single firewall. When you enable WildFire forwarding, the firewall also forwards files that were blocked by Antivirus signatures, in addition to unknown samples. Malware signatures often match multiple variants of the same malware family, and as such, block new malware variants that the firewall has never seen before. The Palo Alto Networks threat research team uses the threat intelligence gathered from malware variants to block malicious IP addresses, domains, and URLs.

A basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, you can enable the firewall to forward portable executable (PE) files. Additionally, if you do not have a WildFire subscription, but you do have a Threat Prevention subscription, you can receive signatures for malware WildFire identifies every 24 to 48 hours (as part of the Antivirus updates).

Beyond the basic WildFire service, a WildFire subscription is required for the firewall to:
Get the latest WildFire signatures every five minutes.
Forward advanced file types and email links for analysis.
Use the WildFire API.
Use a WF-500 appliance to host a WildFire private cloud or a WildFire hybrid cloud.

If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:

Enable Basic WildFire Forwarding
Step 5  Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
Step 6  Review and implement WildFire best practices to ensure that you are getting the most of WildFire detection and prevention capabilities.
Step 7  Commit your configuration updates.
Control Access to Web Content

URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more URL categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. Together with User-ID, you can also use URL Filtering to Prevent Credential Phishing based on URL category.

The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to Security policy rules to enforce a basic URL filtering policy.

Configure URL Filtering
Step 6  Commit the configuration.
Enable AutoFocus Threat Intelligence

With a valid AutoFocus subscription, you can compare the activity on your network with the latest threat data available on the AutoFocus portal. Connecting your firewall and AutoFocus unlocks the following features:
Ability to view an AutoFocus intelligence summary for session artifacts recorded in the firewall logs.
Ability to open an AutoFocus search for log artifacts from the firewall.

The AutoFocus intelligence summary reveals the prevalence of an artifact on your network and on a global scale. The WildFire verdicts and AutoFocus tags listed for the artifact indicate whether the artifact poses a security risk.

Enable AutoFocus Threat Intelligence on the Firewall
Best Practices for Completing the Firewall Deployment

Now that you have integrated the firewall into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:

Learn about the different Management Interfaces that are available to you and how to access and use them.

Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.

Configure a best practice security policy rulebase to safely enable applications and protect your network from attack. See Best Practice Internet Gateway Security Policy for details.

Set up High Availability: High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration and session tables are synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up a two-firewall cluster provides redundancy and allows you to ensure business continuity.

Configure the Master Key: Every Palo Alto Networks firewall has a default master key that encrypts all private keys on the firewall used for cryptographic protocols. As a best practice to safeguard the keys, configure the master key on each firewall to be unique. However, if you use Panorama, you must use the same master key on Panorama and all managed firewalls. Otherwise, Panorama cannot push configurations to the firewalls.

Manage Firewall Administrators: Every Palo Alto Networks firewall and appliance is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.

Enable User Identification (User-ID): User-ID is a Palo Alto Networks next-generation firewall feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.

Enable Decryption: Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or
tunneledtraffic.
FollowtheBestPracticesforSecuringYourNetworkfromLayer4andLayer7Evasions.
ShareThreatIntelligencewithPaloAltoNetworksPermitthefirewalltoperiodicallycollectandsend
informationaboutapplications,threats,anddevicehealthtoPaloAltoNetworks.Telemetryincludes
optionstoenablepassiveDNSmonitoringandtoallowexperimentaltestsignaturestoruninthe
backgroundwithnoimpacttoyoursecuritypolicyrules,firewalllogs,orfirewallperformance.AllPalo
AltoNetworkscustomersbenefitfromtheintelligencegatheredfromtelemetry,whichPaloAlto
Networksusestoimprovethethreatpreventioncapabilitiesofthefirewall.
54 PANOS8.0AdministratorsGuide PaloAltoNetworks,Inc.
Firewall Administration
Administrators can configure, manage, and monitor Palo Alto Networks firewalls using the web interface, CLI, and API management interface. You can customize role-based administrative access to the management interfaces to delegate specific tasks or permissions to certain administrators.
• Management Interfaces
• Use the Web Interface
• Manage Configuration Backups
• Manage Firewall Administrators
• Reference: Web Interface Administrator Access
• Reference: Port Number Usage
• Reset the Firewall to Factory Default Settings
• Bootstrap the Firewall
Management Interfaces
You can use the following user interfaces to manage the Palo Alto Networks firewall:
• Use the Web Interface to perform configuration and monitoring tasks with relative ease. This graphical interface allows you to access the firewall using HTTPS (recommended) or HTTP and it is the best way to perform administrative tasks.
• Use the Command Line Interface (CLI) to perform a series of tasks by entering commands in rapid succession over SSH (recommended), Telnet, or the console port. The CLI is a no-frills interface that supports two command modes, operational and configure, each with a distinct hierarchy of commands and statements. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency.
• Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is a web service implemented using HTTP/HTTPS requests and responses.
• Use Panorama to perform web-based management, reporting, and log collection for multiple firewalls. The Panorama web interface resembles the firewall web interface but with additional functions for centralized management.
HTTP and Telnet carry administrator credentials and session content in cleartext. Leave them disabled on every interface that accepts management traffic and use only HTTPS, SSH, or the console port.
Use the Web Interface
The following topics describe how to use the firewall web interface. For detailed information about specific tabs and fields in the web interface, refer to the Web Interface Reference Guide.
• Launch the Web Interface
• Configure Banners, Message of the Day, and Logos
• Use the Administrator Login Activity Indicators to Detect Account Misuse
• Manage and Monitor Administrative Tasks
• Commit, Validate, and Preview Firewall Configuration Changes
• Use Global Find to Search the Firewall or Panorama Management Server
• Manage Locks for Restricting Configuration Changes
Launch the Web Interface
The following web browsers are supported for access to the web interface:
• Internet Explorer 7+
• Firefox 3.6+
• Safari 5+
• Chrome 11+
Step 1 Launch an Internet browser and enter the IP address of the firewall in the URL field (https://<IP address>).
By default, the management (MGT) interface allows only HTTPS access to the web interface. To enable other protocols, select Device > Setup > Interfaces and edit the Management interface. Leave HTTP disabled unless you have a specific need for it; it sends administrator credentials in cleartext.
Step 2 Log in to the firewall according to the type of authentication used for your account. If logging in to the firewall for the first time, use the default value admin for your username and password. This default is the same on every firewall, so change the admin password before the management interface is reachable from anything other than your management network.
• SAML: Click Use Single Sign-On (SSO). If the firewall performs authorization (role assignment) for administrators, enter your Username and Continue. If the SAML identity provider (IdP) performs authorization, Continue without entering a Username. In both cases, the firewall redirects you to the IdP, which prompts you to enter a username and password. After you authenticate to the IdP, the firewall web interface displays.
• Any other type of authentication: Enter your user Name and Password. Read the login banner and select I Accept and Acknowledge the Statement Below if the login page has the banner and checkbox. Then click Login.
Step 3 Read and Close the messages of the day.
Configure Banners, Message of the Day, and Logos
A login banner is optional text that you can add to the login page so that administrators will see information they must know before they log in. For example, you could add a message to notify users of restrictions on unauthorized use of the firewall.
You can add colored bands that highlight overlaid text across the top (header banner) and bottom (footer banner) of the web interface to ensure administrators see critical information, such as the classification level for firewall administration.
A message of the day dialog automatically displays after you log in. The dialog displays messages that Palo Alto Networks embeds to highlight important information associated with a software or content release. You can also add one custom message to ensure administrators see information, such as an impending system restart, that might affect their tasks.
You can replace the default logos that appear on the login page and in the header of the web interface with the logos of your organization.
Use the Administrator Login Activity Indicators to Detect Account Misuse
The last login time and failed login attempts indicators provide a visual way to detect misuse of your administrator account on a Palo Alto Networks firewall or Panorama management server. Use the last login information to determine if someone else logged in using your credentials and use the failed login attempts indicator to determine if your account is being targeted in a brute-force attack.
Use the Login Activity Indicators to Detect Account Misuse
3. Look for a caution symbol to the right of the last login time information for failed login attempts. The failed login indicator appears if one or more failed login attempts occurred using your account since the last successful login.
   a. If you see the caution symbol, hover over it to display the number of failed login attempts.
   b. Click the caution symbol to view the failed login attempts summary. Details include the admin account name, the reason for the login failure, the source IP address, and the date and time.
   NOTE: After you successfully log in and then log out, the failed login counter resets to zero so you will see new failed login details, if any, the next time you log in. Record the source addresses and times before you log out; the underlying authentication events remain available in the System log.
3. Work with your network administrator to locate the user and host that is using the IP address that you identified. If you cannot locate the system that is performing the brute-force attack, consider renaming the account to prevent future attacks.
Use the following best practices to help prevent brute-force attacks on privileged accounts.
• Limit the number of failed attempts allowed before the firewall locks a privileged account by setting the number of Failed Attempts and the Lockout Time (min) in the authentication profile or in the Authentication Settings for the Management interface (Device > Setup > Management > Authentication Settings).
• Use Interface Management Profiles to Restrict Access.
• Enforce complex passwords for privileged accounts.
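The login-activity indicators show one administrator what happened to their own account. Across a fleet, the same check can be run over the System log, which records every failed and successful administrator authentication. The following Python script is an added example, not Palo Alto Networks code: it counts failed authentications per account and source address inside a sliding window, flags sources that reach the Failed Attempts threshold you would configure under Device > Setup > Management > Authentication Settings, and notes when a successful login from that same source followed the burst (the case the last-login indicator is meant to reveal). The log lines are constructed for the example; their "timestamp,severity,description" layout and the description wording are simplified approximations of PAN-OS System log entries, not a captured export.

```python
"""Added example: detect administrator brute-force attempts in PAN-OS System log
lines (not Palo Alto Networks code). The "timestamp,severity,description" layout
and the description wording are constructed approximations of the System log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FAILED_RE = re.compile(rf"failed authentication for user '(?P<user>[^']+)'.*?From: (?P<src>{IPV4})")
SUCCESS_RE = re.compile(rf"User (?P<user>\S+) logged in via (?P<via>\w+) from (?P<src>{IPV4})")


def parse_event(line):
    """Return {'when', 'kind', 'user', 'src'} for an authentication event, else None."""
    parts = line.split(",", 2)
    if len(parts) != 3:
        return None
    when = datetime.strptime(parts[0].strip(), "%Y/%m/%d %H:%M:%S")
    desc = parts[2]
    m = FAILED_RE.search(desc)
    if m:
        return {"when": when, "kind": "fail", "user": m["user"], "src": m["src"]}
    m = SUCCESS_RE.search(desc)
    if m:
        return {"when": when, "kind": "success", "user": m["user"], "src": m["src"]}
    return None


def detect_bruteforce(lines, failed_attempts=5, window_seconds=600):
    """Flag (user, source) pairs with >= failed_attempts failures inside the window.

    failed_attempts mirrors the Failed Attempts lockout setting. success_after is
    set when a login from the same source succeeds after the burst, which means
    the credentials may now be in someone else's hands."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    findings = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["kind"] == "fail":
            q = recent[key]
            q.append(ev["when"])
            while q and ev["when"] - q[0] > window:
                q.popleft()          # drop failures that fell out of the sliding window
            if len(q) >= failed_attempts:
                f = findings.setdefault(key, {"user": ev["user"], "src": ev["src"],
                                              "failures": 0, "first": q[0],
                                              "last": ev["when"], "success_after": False})
                f["failures"] = max(f["failures"], len(q))
                f["last"] = ev["when"]
        elif key in findings and ev["when"] >= findings[key]["last"]:
            findings[key]["success_after"] = True
    return list(findings.values())


# Constructed sample: one password-guessing burst against 'admin' that then
# succeeds, plus a single typo by ops-jane that must not be flagged.
SAMPLE_LOG = [
    "2017/03/30 09:00:02,informational,User ops-jane logged in via Web from 10.1.20.14 using https",
] + [
    f"2017/03/30 09:01:{10 + 3 * i:02d},informational,failed authentication for user 'admin'. "
    "Reason: Invalid username/password From: 203.0.113.7."
    for i in range(6)
] + [
    "2017/03/30 09:01:40,informational,failed authentication for user 'ops-jane'. "
    "Reason: Invalid username/password From: 10.1.20.14.",
    "2017/03/30 09:02:05,informational,User admin logged in via Web from 203.0.113.7 using https",
    "2017/03/30 09:30:00,informational,Commit job succeeded for user admin",
]

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

Feed it the System log forwarded to your log collector rather than the firewall's own display, and set failed_attempts to the same value as the lockout threshold so the script flags exactly the bursts that would have triggered a lockout.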
Manage and Monitor Administrative Tasks
The Task Manager displays details about all the operations that you and other administrators initiated (such as manual commits) or that the firewall initiated (such as scheduled report generation) since the last firewall reboot. You can use the Task Manager to troubleshoot failed operations, investigate warnings associated with completed commits, view details about queued commits, or cancel pending commits.
You can also view System Logs to monitor system events on the firewall or view Config Logs to monitor firewall configuration changes.
Step 1 Click Tasks at the bottom of the web interface.
Step 2 Show only Running tasks (in progress) or All tasks (default). Optionally, filter the tasks by type:
• Jobs: Administrator-initiated commits, firewall-initiated commits, and software or content downloads and installations.
• Reports: Scheduled reports.
• Log Requests: Log queries that you trigger by accessing the Dashboard or a Monitor page.
Step 3 Perform any of the following actions:
• Display or hide task details: By default, the Task Manager displays the Type, Status, Start Time, and Messages for each task. To see the End Time and Job ID for a task, you must manually configure the display to expose those columns. To display or hide a column, open the drop-down in any column header, select Columns, and select or deselect the column names as needed.
• Investigate warnings or failures: Read the entries in the Messages column for task details. If the column says Too many messages, click the corresponding entry in the Type column to see more information.
• Display a commit description: If an administrator entered a description when configuring a commit, you can click Commit Description in the Messages column to display the description.
• Check the position of a commit in the queue: The Messages column indicates the queue position of commits that are in progress.
• Cancel pending commits: Click Clear Commit Queue to cancel all pending commits (available only to predefined administrative roles). To cancel an individual commit, click x in the Action column for that commit (the commit remains in the queue until the firewall dequeues it). You cannot cancel commits that are in progress.
Commit, Validate, and Preview Firewall Configuration Changes
A commit is the process of activating pending changes to the firewall configuration. You can filter pending changes by administrator or location and then preview, validate, or commit only those changes. The locations can be specific virtual systems, shared policies and objects, or shared device and network settings.
The firewall queues commit requests so that you can initiate a new commit while a previous commit is in progress. The firewall performs the commits in the order they are initiated but prioritizes auto-commits that are initiated by the firewall (such as FQDN refreshes). However, if the queue already has the maximum number of administrator-initiated commits, you must wait for the firewall to finish processing a pending commit before initiating a new one. To cancel pending commits or view details about commits of any status, see Manage and Monitor Administrative Tasks.
When you initiate a commit, the firewall checks the validity of the changes before activating them. The validation output displays conditions that either block the commit (errors) or that are important to know (warnings). For example, validation could indicate an invalid route destination that you need to fix for the commit to succeed. The validation process enables you to find and fix errors before you commit (it makes no changes to the running configuration). This is useful if you have a fixed commit window and want to be sure the commit will succeed without errors.
The commit, validate, preview, save, and revert operations apply only to changes made after the last commit. To restore configurations to the state they were in before the last commit, you must load a previously backed-up configuration.
To prevent multiple administrators from making configuration changes during concurrent sessions, see Manage Locks for Restricting Configuration Changes.
Preview, Validate, or Commit Firewall Configuration Changes
Use Global Find to Search the Firewall or Panorama Management Server
Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular string, such as an IP address, object name, policy rule name, threat ID, or application name. In addition to searching for configuration objects and settings, you can search by job ID or job type for manual commits that administrators performed or auto-commits that the firewall or Panorama performed. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can easily find all of the places where the string is referenced. The search results also help you identify other objects that depend on or make reference to the search term or string. For example, when deprecating a security profile, enter the profile name in Global Find to locate all instances of the profile and then click each instance to navigate to the configuration page and make the necessary change. After all references are removed, you can then delete the profile. You can do this for any configuration item that has dependencies.
Global Find will not search dynamic content (such as logs, address ranges, or allocated DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS entry, but you cannot search for individual addresses allocated to users. Global Find also does not search for individual user or group names identified by User-ID unless the user/group is defined in a policy. In general, you can only search content that the firewall writes to the configuration.
Use Global Find
• Launch Global Find by clicking the Search icon located on the upper right of the web interface.
• To access Global Find from within a configuration area, click the drop-down next to an item and select Global Find. For example, click Global Find on a zone named l3-vlan-trust to search the candidate configuration for each location where the zone is referenced.
[Screen capture: Global Find results for the zone l3-vlan-trust]
Search tips:
• If you initiate a search on a firewall that has multiple virtual systems enabled or if custom Administrative Roles are defined, Global Find will only return results for areas of the firewall in which the administrator has permissions. The same applies to Panorama device groups.
• Spaces in search terms are handled as AND operations. For example, if you search on corp policy, the search results include instances where corp and policy exist in the configuration.
• To find an exact phrase, enclose the phrase in quotation marks.
• To rerun a previous search, click Search (located on the upper right of the web interface) to see a list of the last 20 searches. Click an item in the list to rerun that search. Search history is unique to each administrator account.
Manage Locks for Restricting Configuration Changes
You can use configuration locks to prevent other administrators from changing the candidate configuration or from committing configuration changes until you manually remove the lock or the firewall automatically removes it (after a commit). Locks ensure that administrators don't make conflicting changes to the same settings or interdependent settings during concurrent login sessions.
The firewall queues commit requests and performs them in the order that administrators initiate the commits. For details, see Commit, Validate, and Preview Firewall Configuration Changes. To view the status of queued commits, see Manage and Monitor Administrative Tasks.
Lock a configuration.
1. Click the lock at the top of the web interface. NOTE: The lock image varies based on whether existing locks are or are not set.
2. Take a Lock and select the lock Type:
   • Config: Blocks other administrators from changing the candidate configuration.
   • Commit: Blocks other administrators from committing changes made to the candidate configuration.
3. (Firewall with multiple virtual systems only) Select a Location to lock the configuration for a specific virtual system or the Shared location.
4. (Optional) As a best practice, enter a Comment so that other administrators will understand the reason for the lock.
5. Click OK and Close.
Unlock a configuration. Only a superuser or the administrator who locked the configuration can manually unlock it. However, the firewall automatically removes a lock after completing the commit operation.
1. Click the lock at the top of the web interface.
2. Select the lock entry in the list.
3. Click Remove Lock, OK, and Close.
Manage Configuration Backups
The running configuration on the firewall comprises all settings you have committed and that are therefore active, such as policy rules that currently block or allow various types of traffic in your network. The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the last commit. Saving backup versions of the running or candidate configuration enables you to later restore those versions. For example, if a commit validation shows that the current candidate configuration has more errors than you want to fix, you can restore a previous candidate configuration. You can also revert to the current running configuration without saving a backup first.
See Commit, Validate, and Preview Firewall Configuration Changes for details about commit operations.
• Save and Export Firewall Configurations
• Revert Firewall Configuration Changes
Save and Export Firewall Configurations
Saving a backup of the candidate configuration to persistent storage on the firewall enables you to later revert to that backup (see Revert Firewall Configuration Changes). This is useful for preserving changes that would otherwise be lost if a system event or administrator action causes the firewall to reboot. After rebooting, PAN-OS automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. Saving backups is also useful if you want to revert to a firewall configuration that is earlier than the current running configuration. The firewall does not automatically save the candidate configuration to persistent storage. You must manually save the candidate configuration as a default snapshot file (.snapshot.xml) or as a custom-named snapshot file. The firewall stores the snapshot file locally but you can export it to an external host.
You don't have to save a configuration backup to revert the changes made since the last commit or reboot; just select Config > Revert Changes (see Revert Firewall Configuration Changes).
When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot.
Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).
Palo Alto Networks recommends that you back up any important configuration to a host external to the firewall. An exported configuration contains administrator password hashes and the firewall's private keys (encrypted with the master key), so store and transmit the exported file with the same care as the firewall itself.
Revert Firewall Configuration Changes
Revert operations replace settings in the current candidate configuration with settings from another configuration. Reverting changes is useful when you want to undo changes to multiple settings as a single operation instead of manually reconfiguring each setting.
You can revert pending changes that were made to the firewall configuration since the last commit. The firewall provides the option to filter the pending changes by administrator or location. The locations can be specific virtual systems, shared policies and objects, or shared device and network settings. If you saved a snapshot file for a candidate configuration that is earlier than the current running configuration (see Save and Export Firewall Configurations), you can also revert to that snapshot. Reverting to a snapshot enables you to restore a candidate configuration that existed before the last commit. The firewall automatically saves a new version of the running configuration whenever you commit changes, and you can restore any of those versions.
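Before you revert to a snapshot or load an exported running-config.xml, it pays to know exactly which settings the operation will change, because a revert replaces settings wholesale. The following Python script is an added example, not Palo Alto Networks code: it flattens two configuration XML documents into leaf paths, reports what was added, removed, or changed, and separately flags security rules whose action was loosened, which are the changes to read most carefully before committing. The two embedded documents are constructed, heavily abbreviated fragments in the shape of a PAN-OS configuration (one standing for the running configuration, one for a candidate snapshot); they are not exports from a real firewall, and the rule and zone names in them are invented.

```python
"""Added example: diff two PAN-OS configuration XML documents (for instance the
exported running-config.xml and a saved snapshot) and flag loosened security
rules. Not Palo Alto Networks code; the embedded XML is constructed."""
import xml.etree.ElementTree as ET

LOOSE = {"allow"}
STRICT = {"deny", "drop", "reset-client", "reset-server", "reset-both"}


def leaf_map(root):
    """Flatten an element tree into {path: text} for every leaf element.

    <entry name="x"> becomes entry[@name='x']; repeated unnamed siblings such as
    <member> lists get a 1-based index so they do not collide."""
    out = {}

    def walk(elem, path):
        children = list(elem)
        if not children:
            out[path] = (elem.text or "").strip()
            return
        seen, counts = {}, {}
        for child in children:
            seen[child.tag] = seen.get(child.tag, 0) + 1
        for child in children:
            seg = child.tag
            if child.get("name") is not None:
                seg += f"[@name='{child.get('name')}']"
            elif seen[child.tag] > 1:
                counts[child.tag] = counts.get(child.tag, 0) + 1
                seg += f"[{counts[child.tag]}]"
            walk(child, f"{path}/{seg}")

    walk(root, f"/{root.tag}")
    return out


def diff_configs(old_xml, new_xml):
    """Return added/removed/changed leaf settings between two config documents."""
    old = leaf_map(ET.fromstring(old_xml))
    new = leaf_map(ET.fromstring(new_xml))
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
    }


def loosened_rules(diff):
    """Security rules whose action moved from a blocking action to allow, or that
    were newly added with action allow: review these before any commit or revert."""
    rules = []
    for path, (before, after) in diff["changed"].items():
        if path.endswith("/action") and before in STRICT and after in LOOSE:
            rules.append(path.rsplit("/", 1)[0])
    for path, value in diff["added"].items():
        if path.endswith("/action") and "/rulebase/security/" in path and value in LOOSE:
            rules.append(path.rsplit("/", 1)[0])
    return sorted(rules)


def _skeleton(rules_xml):
    """Wrap rule XML in the constructed skeleton of a PAN-OS configuration."""
    return ('<config version="8.0.0"><devices><entry name="localhost.localdomain">'
            '<vsys><entry name="vsys1"><rulebase><security><rules>'
            f"{rules_xml}"
            "</rules></security></rulebase></entry></vsys></entry></devices></config>")


ALLOW_WEB = ('<entry name="allow-web"><from><member>trust</member></from>'
             '<to><member>untrust</member></to><application><member>web-browsing</member>'
             '<member>ssl</member></application><action>allow</action></entry>')
BLOCK_TELNET = ('<entry name="block-telnet"><from><member>trust</member></from>'
                '<to><member>untrust</member></to><application><member>telnet</member>'
                '</application><action>{action}</action></entry>')
TEMP_ANY = ('<entry name="temp-any"><from><member>any</member></from><to><member>any</member></to>'
            '<application><member>any</member></application><action>allow</action></entry>')

# Constructed: the committed running configuration, and a candidate snapshot in
# which block-telnet was loosened and a catch-all rule was added.
RUNNING_XML = _skeleton(ALLOW_WEB + BLOCK_TELNET.format(action="deny"))
CANDIDATE_XML = _skeleton(ALLOW_WEB + BLOCK_TELNET.format(action="allow") + TEMP_ANY)
RULES_PATH = ("/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
              "/rulebase/security/rules")

if __name__ == "__main__":
    diff = diff_configs(RUNNING_XML, CANDIDATE_XML)
    for path, (before, after) in sorted(diff["changed"].items()):
        print(f"changed {path}: {before} -> {after}")
    for rule in loosened_rules(diff):
        print("loosened:", rule)
```

Run it with the exported running-config.xml as the first argument and the snapshot you intend to load as the second; anything it lists under loosened is worth a second pair of eyes, and an empty changed/added/removed set confirms that a revert would be a no-op.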
Revert to the current running configuration (file named running-config.xml). This operation undoes changes you made to the candidate configuration since the last commit.
To revert all the changes that all administrators made, perform one of the following steps:
• Select Device > Setup > Operations, Revert to running configuration, and click Yes to confirm the operation.
• Log in to the firewall with an administrative account that is assigned the Superuser role or an Admin Role profile with the Commit For Other Admins privilege enabled. Then select Config > Revert Changes at the top of the web interface, select Revert All Changes and Revert.
To revert only specific changes to the candidate configuration:
a. Log in to the firewall with an administrative account that has the role privileges required to revert the desired changes. NOTE: The privileges that control commit operations also control revert operations.
b. Select Config > Revert Changes at the top of the web interface.
c. Select Revert Changes Made By.
d. To filter the Revert Scope by administrator, click <administrator-name>, select the administrators, and click OK.
e. To filter the Revert Scope by location, clear any locations that you want to exclude.
f. Revert the changes.
Restore state information that you exported from a firewall. Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
Import state information:
1. Select Device > Setup > Operations, click Import device state, Browse to the state bundle, and click OK.
2. (Optional) Click Commit to apply the imported state information to the running configuration.
Manage Firewall Administrators
Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall.
As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators.
• Administrative Roles
• Administrative Authentication
• Configure Administrative Accounts and Authentication
Administrative Roles
A role defines the type of access that an administrator has to the firewall.
• Administrative Role Types
• Configure an Admin Role Profile
Administrative Role Types
The role types are:
• Admin Role Profiles: Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a firewall with multiple virtual systems, you can select whether the role defines access for all virtual systems or specific virtual systems. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.
• Dynamic Roles: These are built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.
• Superuser: Full access to the firewall, including defining new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
• Superuser (read-only): Read-only access to the firewall.
• Virtual system administrator: Full access to a selected virtual system (vsys) on the firewall.
• Virtual system administrator (read-only): Read-only access to a selected vsys on the firewall.
• Device administrator: Full access to all firewall settings except for defining new accounts or virtual systems.
• Device administrator (read-only): Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
Configure an Admin Role Profile
Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.
As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.
Step 2 Enter a Name to identify the role.
Step 6 Click OK to save the profile.
Step 7 Assign the role to an administrator. See Configure a Firewall Administrator Account.
Administrative Authentication
You can configure the following types of authentication and authorization (role and access domain assignment) for firewall administrators:
Configure Administrative Accounts and Authentication
If you have already configured an authentication profile (see Configure an Authentication Profile and Sequence) or you don't require one to authenticate administrators, you are ready to Configure a Firewall Administrator Account. Otherwise, perform one of the other procedures listed below to configure administrative accounts for specific types of authentication.
• Configure a Firewall Administrator Account
• Configure Local or External Authentication for Firewall Administrators
• Configure Certificate-Based Administrator Authentication to the Web Interface
• Configure SSH Key-Based Administrator Authentication to the CLI
Configure a Firewall Administrator Account
Administrative accounts specify roles and authentication methods for firewall administrators. The service that you use to assign roles and perform authentication determines whether you add the accounts on the firewall, on an external server, or both (see Administrative Authentication). If the authentication method relies on a local firewall database or an external service, you must configure an authentication profile before adding an administrative account (see Configure Administrative Accounts and Authentication). If you already configured the authentication profile or you will use Local Authentication without a firewall database, perform the following steps to add an administrative account on the firewall.
Step 2 Enter a user Name. If the firewall uses a local user database to authenticate the account, enter the name that you specified for the account in the database (see Add the user account to the local database).
Step 6 Click OK and Commit.
Configure Local or External Authentication for Firewall Administrators
You can use Local Authentication or External Authentication Services to authenticate administrators who access the firewall. These authentication methods prompt administrators to respond to one or more authentication challenges, such as a login page for entering a username and password.
If you use an external service to manage both authentication and authorization (role and access domain assignments), see:
• Configure SAML Authentication
• Configure TACACS+ Authentication
• Configure RADIUS Authentication
To authenticate administrators without a challenge-response mechanism, you can Configure Certificate-Based Administrator Authentication to the Web Interface and Configure SSH Key-Based Administrator Authentication to the CLI.
Configure Certificate-Based Administrator Authentication to the Web Interface
As a more secure alternative to password-based authentication to the firewall web interface, you can configure certificate-based authentication for administrator accounts that are local to the firewall. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on the firewall; administrators thereafter require the certificate to log in. Before you enable it, make sure every administrator who needs web interface access already has a client certificate installed, or you will lock those administrators out of the web interface.
Configure SSH Key-Based Administrator Authentication to the CLI
For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of brute-force attacks, allow the private key to be protected with a passphrase (adding something you know to something you have, although the passphrase is enforced by the client, not by the firewall), and don't send passwords over the network. SSH keys also enable automated scripts to access the CLI; protect the private keys those scripts use as you would any other privileged credential.
Reference: Web Interface Administrator Access
You can configure privileges for an entire firewall or for one or more virtual systems (on platforms that support multiple virtual systems). Within that Device or Virtual System designation, you can configure privileges for custom administrator roles, which are more granular than the fixed privileges associated with a dynamic administrator role.
Configuring privileges at a granular level ensures that lower-level administrators cannot access certain information. You can create custom roles for firewall administrators (see Configure a Firewall Administrator Account), Panorama administrators, or Device Group and Template administrators (refer to the Panorama Administrator's Guide). You apply the admin role to a custom role-based administrator account, where you can assign one or more virtual systems. The following topics describe the privileges you can configure for custom administrator roles.
• Web Interface Access Privileges
• Panorama Web Interface Access Privileges
Web Interface Access Privileges
If you want to prevent a role-based administrator from accessing specific tabs on the web interface, you can disable the tab and the administrator will not even see it when logging in using the associated role-based administrative account. For example, you could create an Admin Role Profile for your operations staff that provides access to the Device and Network tabs only, and a separate profile for your security administrators that provides access to the Object, Policy, and Monitor tabs.
An admin role can apply at the Device level or Virtual System level as defined by the Device or Virtual System radio button. If you select Virtual System, the admin assigned this profile is restricted to the virtual system(s) he or she is assigned to. Furthermore, only the Device > Setup > Services > Virtual Systems tab is available to that admin, not the Global tab.
The following topics describe how to set admin role privileges to the different parts of the web interface:
• Define Access to the Web Interface Tabs
• Provide Granular Access to the Monitor Tab
• Provide Granular Access to the Policy Tab
• Provide Granular Access to the Objects Tab
• Provide Granular Access to the Network Tab
• Provide Granular Access to the Device Tab
• Define User Privacy Settings in the Admin Role Profile
• Restrict Administrator Access to Commit and Validate Functions
• Provide Granular Access to Global Settings
Define Access to the Web Interface Tabs
The following table describes the top-level access privileges you can assign to an admin role profile (Device > Admin Roles). You can enable, disable, or define read-only access privileges at the top-level tabs in the web interface.
Provide Granular Access to the Monitor Tab
In some cases you might want to enable the administrator to view some but not all areas of the Monitor tab. For example, you might want to restrict operations administrators to the Config and System logs only, because they do not contain sensitive user data. Although this section of the administrator role definition specifies what areas of the Monitor tab the administrator can see, you can also couple privileges in this section with privacy privileges, such as disabling the ability to see user names in logs and reports. One thing to keep in mind, however, is that any system-generated reports will still show user names and IP addresses even if you disable that functionality in the role. For this reason, if you do not want the administrator to see any of the private user information, disable access to the specific reports as detailed in the following table.
The following table lists the Monitor tab access levels and the administrator roles for which they are available.
Device Group and Template roles can see log data only for the device groups that are within the access domains assigned to those roles.
Provide Granular Access to the Policy Tab
If you enable the Policy option in the Admin Role profile, you can then enable, disable, or provide read-only access to specific nodes within the tab as necessary for the role you are defining. By enabling access to a specific policy type, you enable the ability to view, add, or delete policy rules. By enabling read-only access to a specific policy, you enable the administrator to view the corresponding policy rulebase, but not add or delete rules. Disabling access to a specific type of policy prevents the administrator from seeing the policy rulebase.
Because policy that is based on specific users (by user name or IP address) must be explicitly defined, privacy settings that disable the ability to see full IP addresses or user names do not apply to the Policy tab. Therefore, you should only allow access to the Policy tab to administrators that are excluded from user privacy restrictions.
Provide Granular Access to the Objects Tab
An object is a container that groups specific policy filter values such as IP addresses, URLs, applications, or services for simplified rule definition. For example, an address object might contain specific IP address definitions for the web and application servers in your DMZ zone.
When deciding whether to allow access to the Objects tab as a whole, determine whether the administrator will have policy definition responsibilities. If not, the administrator probably does not need access to the tab. If, however, the administrator will need to create policy, you can enable access to the tab and then provide granular access privileges at the node level.
By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding object type. Giving read-only access allows the administrator to view the already-defined objects, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
Provide Granular Access to the Network Tab
When deciding whether to allow access to the Network tab as a whole, determine whether the administrator will have network administration responsibilities, including GlobalProtect administration. If not, the administrator probably does not need access to the tab.
You can also define access to the Network tab at the node level. By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding network configurations. Giving read-only access allows the administrator to view the already-defined configuration, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
Provide Granular Access to the Device Tab
To define granular access privileges for the Device tab, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Device node on the WebUI tab.
Define User Privacy Settings in the Admin Role Profile
To define what private end-user data an administrator has access to, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Privacy option on the WebUI tab.
Restrict Administrator Access to Commit and Validate Functions
To restrict access to commit (and revert), save, and validate functions when creating or editing an Admin Role profile (Device > Admin Roles), scroll down to the Commit, Save, and Validate options on the WebUI tab.
Provide Granular Access to Global Settings
To define what global settings an administrator has access to, when creating or editing an admin role profile (Device > Admin Roles), scroll down to the Global option on the WebUI tab.
Provide Granular Access to the Panorama Tab
The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which they are available. Firewall administrators cannot access any of these privileges.
Panorama Web Interface Access Privileges
The custom Panorama administrator roles allow you to define access to the options on Panorama and the ability to only allow access to Device Groups and Templates (Policies, Objects, Network, Device tabs). The administrator roles you can create are Panorama and Device Group and Template. You can't assign CLI access privileges to a Device Group and Template Admin Role profile. If you assign superuser privileges for the CLI to a Panorama Admin Role profile, administrators with that role can access all features regardless of the web interface privileges you assign.
Reference: Port Number Usage
The following tables list the ports that firewalls and Panorama use to communicate with each other, or with other services on the network.
• Ports Used for Management Functions
• Ports Used for HA
• Ports Used for Panorama
• Ports Used for GlobalProtect
• Ports Used for User-ID
Ports Used for Management Functions
The firewall and Panorama use the following ports for management functions.
Port   Protocol   Description
22     TCP        Used for communication from a client system to the firewall CLI interface.
80     TCP        The port the firewall listens on for Online Certificate Status Protocol (OCSP) updates when acting as an OCSP responder.
Ports Used for HA
Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.
Port          Protocol   Description
28            TCP        Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.
99 / 29281    IP / UDP   Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default. The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
Ports Used for Panorama
Panorama uses the following ports.
Port                      Protocol   Description
22                        TCP        Used for communication from a client system to the Panorama CLI interface.
49160 (5.0 and earlier)   TCP
28                        TCP        Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.
Ports Used for GlobalProtect
GlobalProtect uses the following ports.
For tips on how to use a loopback interface to provide access to GlobalProtect on different ports and addresses, refer to Can GlobalProtect Portal Page be Configured to be Accessed on any Port?.
Ports Used for User-ID
User-ID is a feature that enables mapping of user IP addresses to user names and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address-to-user name mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.
Port   Protocol   Description
88     UDP/TCP    Port the User-ID agent uses to authenticate to a Kerberos server. The firewall tries UDP first and falls back to TCP.
49     TCP        Port the User-ID agent uses to authenticate to a TACACS+ server.
Reset the Firewall to Factory Default Settings
Resetting the firewall to factory defaults will result in the loss of all configuration settings and logs.
Bootstrap the Firewall
Bootstrapping speeds up the process of configuring and licensing the firewall to make it operational on the network with or without Internet access. Bootstrapping allows you to choose whether to configure the firewall with a basic configuration file (init-cfg.txt) so that it can connect to Panorama and obtain the complete configuration, or to fully configure the firewall with the basic configuration and the optional bootstrap.xml file.
• USB Flash Drive Support
• Sample init-cfg.txt Files
• Prepare a USB Flash Drive for Bootstrapping a Firewall
• Bootstrap a Firewall Using a USB Flash Drive
USB Flash Drive Support
The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the following:
• File Allocation Table 32 (FAT32)
• Third Extended File System (ext3)
The firewall can bootstrap from the following flash drives with USB 2.0 or USB 3.0 connectivity:
USB Flash Drives Supported
Kingston        Kingston SE9 8GB (2.0)
                Kingston SE9 16GB (3.0)
                Kingston SE9 32GB (3.0)
SanDisk         SanDisk Cruzer Fit CZ33 8GB (2.0)
                SanDisk Cruzer Fit CZ33 16GB (2.0)
                SanDisk Cruzer CZ36 16GB (2.0)
                SanDisk Cruzer CZ36 32GB (2.0)
                SanDisk Extreme CZ80 32GB (3.0)
Silicon Power   Silicon Power Jewel 32GB (3.0)
                Silicon Power Blaze 16GB (3.0)
PNY             PNY Attache 16GB (2.0)
                PNY Turbo 32GB (3.0)
Sample init-cfg.txt Files
An init-cfg.txt file is required for the bootstrap process; this file is a basic configuration file that you create using a text editor. You create this file in Step 5 in Prepare a USB Flash Drive for Bootstrapping a Firewall. The following sample init-cfg.txt files show the parameters that are supported in the file; the parameters that you must provide are the ones marked (Required) in the field table that follows.
Sample init-cfg.txt (Static IP Address)
  type=static
  ip-address=10.5.107.19
  default-gateway=10.5.107.1
  netmask=255.255.255.0
  ipv6-address=2001:400:f00::1/64
  ipv6-default-gateway=2001:400:f00::2
  hostname=Ca-FW-DC1
  panorama-server=10.5.107.20
  panorama-server-2=10.5.107.21
  tplname=FINANCE_TG4
  dgname=finance_dg
  dns-primary=10.5.6.6
  dns-secondary=10.5.6.7
  op-command-modes=multi-vsys,jumbo-frame
  dhcp-send-hostname=no
  dhcp-send-client-id=no
  dhcp-accept-server-hostname=no
  dhcp-accept-server-domain=no
Sample init-cfg.txt (DHCP Client)
  type=dhcp-client
  ip-address=
  default-gateway=
  netmask=
  ipv6-address=
  ipv6-default-gateway=
  hostname=Ca-FW-DC1
  panorama-server=10.5.107.20
  panorama-server-2=10.5.107.21
  tplname=FINANCE_TG4
  dgname=finance_dg
  dns-primary=10.5.6.6
  dns-secondary=10.5.6.7
  op-command-modes=multi-vsys,jumbo-frame
  dhcp-send-hostname=yes
  dhcp-send-client-id=yes
  dhcp-accept-server-hostname=yes
  dhcp-accept-server-domain=yes
The following table describes the fields in the init-cfg.txt file. The type is required; if the type is static, the IP address, default gateway and netmask are required, or the IPv6 address and IPv6 default gateway are required.
Fields in the init-cfg.txt File
Field                         Description
type                          (Required) Type of management IP address: static or dhcp-client.
ip-address                    (Required for IPv4 static management address) IPv4 address. The firewall ignores this field if the type is dhcp-client.
default-gateway               (Required for IPv4 static management address) IPv4 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.
netmask                       (Required for IPv4 static management address) IPv4 netmask. The firewall ignores this field if the type is dhcp-client.
ipv6-address                  (Required for IPv6 static management address) IPv6 address and /prefix length of the management interface. The firewall ignores this field if the type is dhcp-client.
ipv6-default-gateway          (Required for IPv6 static management address) IPv6 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.
hostname                      (Optional) Hostname for the firewall.
panorama-server               (Recommended) IPv4 or IPv6 address of the primary Panorama server.
panorama-server-2             (Optional) IPv4 or IPv6 address of the secondary Panorama server.
tplname                       (Recommended) Panorama template name.
dgname                        (Recommended) Panorama device group name.
dns-primary                   (Optional) IPv4 or IPv6 address of the primary DNS server.
dns-secondary                 (Optional) IPv4 or IPv6 address of the secondary DNS server.
vm-auth-key                   (VM-Series firewalls only) Virtual machine authentication key.
op-command-modes              (Optional) Enter multi-vsys, jumbo-frame, or both separated by a comma only. Enables multiple virtual systems and jumbo frames while bootstrapping.
dhcp-send-hostname            (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server.
dhcp-send-client-id           (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server.
dhcp-accept-server-hostname   (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server.
dhcp-accept-server-domain     (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server.
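Because a bootstrap file is consumed unattended on a factory-default device, checking it before it goes onto the USB drive avoids a firewall that boots with no management address or no Panorama connection. The following Python is an added example, not Palo Alto Networks code: it parses a key=value init-cfg.txt and applies the rules from the table above (type must be static or dhcp-client; static needs the IPv4 trio or the IPv6 pair; op-command-modes takes only multi-vsys and jumbo-frame; dhcp-* flags take yes or no; server fields must be IP addresses). One assumption is labelled in the code: unknown keys are only warned about, since the page does not say how the firewall treats them. The sample input is constructed from the static example.

```python
"""Parser and validator for a PAN-OS style init-cfg.txt bootstrap file.

Added example, not Palo Alto Networks code. Field rules follow the table
above. Assumption: unknown keys produce a warning, not an error, because
the page does not describe how the firewall handles them.
"""
import ipaddress

KNOWN_KEYS = {
    "type", "ip-address", "default-gateway", "netmask", "ipv6-address",
    "ipv6-default-gateway", "hostname", "panorama-server", "panorama-server-2",
    "tplname", "dgname", "dns-primary", "dns-secondary", "vm-auth-key",
    "op-command-modes", "dhcp-send-hostname", "dhcp-send-client-id",
    "dhcp-accept-server-hostname", "dhcp-accept-server-domain",
}
DHCP_FLAGS = {k for k in KNOWN_KEYS if k.startswith("dhcp-")}
OP_MODES = {"multi-vsys", "jumbo-frame"}
IPV4_KEYS = ("ip-address", "default-gateway", "netmask")
IPV6_KEYS = ("ipv6-address", "ipv6-default-gateway")
SERVER_KEYS = ("panorama-server", "panorama-server-2", "dns-primary", "dns-secondary")


def parse_init_cfg(text):
    """Return {key: value} from key=value lines; blank and # lines are skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def _is_ip(value, version=None):
    """True if value parses as an IP address (optionally of one version)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return version is None or addr.version == version


def validate_init_cfg(cfg):
    """Return (errors, warnings); an empty errors list means the file is usable."""
    errors, warnings = [], []
    warnings += [f"unknown key {k!r}" for k in cfg if k not in KNOWN_KEYS]
    typ = cfg.get("type", "")
    if typ not in ("static", "dhcp-client"):
        errors.append("type is required and must be static or dhcp-client")
        return errors, warnings
    if typ == "static":
        v4 = [cfg.get(k, "") for k in IPV4_KEYS]
        v6 = [cfg.get(k, "") for k in IPV6_KEYS]
        if all(v4) and not all(_is_ip(v, 4) for v in v4):
            errors.append("ip-address, default-gateway and netmask must be IPv4")
        if all(v6):
            try:
                ipaddress.IPv6Interface(v6[0])        # address[/prefix]
            except ValueError:
                errors.append("ipv6-address must be a valid IPv6 address/prefix")
            if not _is_ip(v6[1], 6):
                errors.append("ipv6-default-gateway must be an IPv6 address")
        if not (all(v4) or all(v6)):
            errors.append("static type needs ip-address, default-gateway and "
                          "netmask, or ipv6-address and ipv6-default-gateway")
    else:
        # The firewall ignores the static address fields for dhcp-client;
        # only the yes/no flags are checked here.
        for flag in sorted(DHCP_FLAGS & set(cfg)):
            if cfg[flag] not in ("yes", "no"):
                errors.append(f"{flag} must be yes or no")
    for key in SERVER_KEYS:
        if cfg.get(key) and not _is_ip(cfg[key]):
            errors.append(f"{key} must be an IPv4 or IPv6 address")
    modes = cfg.get("op-command-modes", "")
    bad_modes = set(modes.split(",")) - OP_MODES if modes else set()
    if bad_modes:
        errors.append(f"op-command-modes: unsupported {sorted(bad_modes)}")
    if not cfg.get("panorama-server"):
        warnings.append("panorama-server is recommended")
    return errors, warnings


# Constructed sample input, mirroring the static example above.
SAMPLE_STATIC = """\
type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
ipv6-address=2001:400:f00::1/64
ipv6-default-gateway=2001:400:f00::2
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
tplname=FINANCE_TG4
dgname=finance_dg
op-command-modes=multi-vsys,jumbo-frame
"""

if __name__ == "__main__":
    print(validate_init_cfg(parse_init_cfg(SAMPLE_STATIC)))   # ([], [])
```

Run it against the file you are about to copy to the USB drive; a non-empty errors list is a file the firewall would not be able to use as described in the table, and the panorama-server warning flags a bootstrap that will come up without the Panorama connection the page recommends.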
Prepare a USB Flash Drive for Bootstrapping a Firewall
You can use a USB flash drive to bootstrap a physical firewall. However, to do so you must upgrade to PAN-OS 7.1 and Reset the Firewall to Factory Default Settings. For security reasons, you can bootstrap a firewall only when it is in factory default state or has all private data deleted.
Step 1  Obtain serial numbers (S/Ns) and auth codes for support subscriptions from your order fulfillment email.
Bootstrap a Firewall Using a USB Flash Drive
After you receive a new Palo Alto Networks firewall and a USB flash drive loaded with bootstrap files, you can bootstrap the firewall.
Microsoft Windows and Apple Mac operating systems are unable to read the bootstrap USB flash drive because the drive is formatted using an ext4 file system. You must install third-party software or use a Linux system to read the USB drive.
Step 1  The firewall must be in a factory default state or must have all private data deleted.
Step 2  To ensure connectivity with your corporate headquarters, cable the firewall by connecting the management interface (MGT) using an Ethernet cable to one of the following:
        • An upstream modem
        • A port on the switch or router
        • An Ethernet jack in the wall
Step 3  Insert the USB flash drive into the USB port on the firewall and power on the firewall. The factory default firewall bootstraps itself from the USB flash drive.
        The firewall Status light turns from yellow to green when the firewall is configured; autocommit is successful.
Step 4  Verify bootstrap completion. You can see basic status logs on the console during the bootstrap and you can verify that the process is complete.
        1. If you included Panorama values (panorama-server, tplname, and dgname) in your init-cfg.txt file, check Panorama managed devices, device group, and template name.
        2. Verify the general system settings and configuration by accessing the web interface and selecting Dashboard > Widgets > System or by using the CLI operational commands show system info and show config running.
        3. Verify the license installation by selecting Device > Licenses or by using the CLI operational command request license info.
        4. If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.
Authentication Types
• External Authentication Services
• Multi-Factor Authentication
• SAML
• Kerberos
• TACACS+
• RADIUS
• LDAP
• Local Authentication
External Authentication Services
The firewall and Panorama can use external servers to control administrative access to the web interface and end-user access to services or applications through Captive Portal and GlobalProtect. In this context, any authentication service that is not local to the firewall or Panorama is considered external, regardless of whether the service is internal (such as Kerberos) or external (such as a SAML identity provider) relative to your network. The server types that the firewall and Panorama can integrate with include Multi-Factor Authentication (MFA), SAML, Kerberos, TACACS+, RADIUS, and LDAP. Although you can also use the Local Authentication services that the firewall and Panorama support, usually external services are preferable because they provide:
• Central management of all user accounts in an external identity store. All the supported external services provide this option for end users and administrators.
• Central management of account authorization (role and access domain assignments). SAML, TACACS+, and RADIUS support this option for administrators.
• Single sign-on (SSO), which enables users to authenticate only once for access to multiple services and applications. SAML and Kerberos support SSO.
• Multiple authentication challenges of different types (factors) to protect your most sensitive services and applications. MFA services support this option.
Authentication through an external service requires a server profile that defines how the firewall connects to the service. You assign the server profile to authentication profiles, which define settings that you customize for each application and set of users. For example, you can configure one authentication profile for administrators who access the web interface and another profile for end users who access a GlobalProtect portal. For details, see Configure an Authentication Profile and Sequence.
Multi-Factor Authentication
You can Configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing highly sensitive services and applications. For example, you can force users to enter a login password and then enter a verification code that they receive by phone before allowing access to important financial documents. This approach helps to prevent attackers from accessing every service and application in your network just by stealing passwords. Of course, not every service and application requires the same degree of protection, and MFA might not be necessary for less sensitive services and applications that users access frequently. To accommodate a variety of security needs, you can Configure Authentication Policy rules that trigger MFA or a single authentication factor (such as login credentials or certificates) based on specific services, applications, and end users.
When choosing how many and which types of authentication factors to enforce, it's important to understand how policy evaluation affects the user experience. When a user requests a service or application, the firewall first evaluates Authentication policy. If the request matches an Authentication policy rule with MFA enabled, the firewall displays a Captive Portal web form so that users can authenticate for the first factor. If authentication succeeds, the firewall displays an MFA login page for each additional factor. Some MFA services prompt the user to choose one factor out of two to four, which is useful when some factors are unavailable. If authentication succeeds for all factors, the firewall evaluates Security policy for the requested service or application.
To reduce the frequency of authentication challenges that interrupt the user workflow, you can configure the first factor to use Kerberos or SAML single sign-on (SSO) but not NT LAN Manager (NTLM) authentication.
To implement MFA for GlobalProtect, refer to Configure GlobalProtect to Display Multi-Factor Authentication Notifications.
You cannot use MFA authentication profiles in authentication sequences.
The firewall makes it easy to implement MFA in your network by integrating directly with several MFA platforms (Duo v2, Okta Adaptive, and PingID) and integrating through RADIUS with all other MFA platforms. The firewall supports the following MFA factors:
Factor                        Description
Push                          An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication.
Short message service (SMS)   An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.
Voice                         An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.
One-time password (OTP)       An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.
SAML
You can use Security Assertion Markup Language (SAML) 2.0 to authenticate administrators who access the firewall or Panorama web interface and end users who access web applications that are internal or external to your organization. In environments where each user accesses many applications and authenticating for each one would impede user productivity, you can configure SAML single sign-on (SSO) to enable one login to access multiple applications. Likewise, SAML single logout (SLO) enables a user to end sessions for multiple applications by logging out of just one session. SSO is available to administrators who access the web interface and to end users who access applications through GlobalProtect or Captive Portal. SLO is available to administrators and GlobalProtect end users, but not to Captive Portal end users. When you configure SAML authentication on the firewall or on Panorama, you can specify SAML attributes for administrator authorization. SAML attributes enable you to quickly change the roles, access domains, and user groups of administrators through your directory service, which is often easier than reconfiguring settings on the firewall or Panorama.
Administrators cannot use SAML to authenticate to the firewall or Panorama CLI.
You cannot use SAML authentication profiles in authentication sequences.
SAML authentication requires a service provider (the firewall or Panorama), which controls access to applications, and an identity provider (IdP) such as PingFederate, which authenticates users. When a user requests a service or application, the firewall or Panorama intercepts the request and redirects the user to the IdP for authentication. The IdP then authenticates the user and returns a SAML assertion, which indicates authentication succeeded or failed. Figure: SAML Authentication for Captive Portal End Users illustrates SAML authentication for an end user who accesses applications through Captive Portal.
Figure: SAML Authentication for Captive Portal End Users
Kerberos
Kerberos is an authentication protocol that enables a secure exchange of information between parties over an insecure network using unique keys (called tickets) to identify the parties. The firewall and Panorama support two types of Kerberos authentication for administrators and end users:
• Kerberos server authentication: A Kerberos server profile enables users to natively authenticate to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords. For the configuration steps, see Configure Kerberos Server Authentication.
• Kerberos single sign-on (SSO): A network that supports Kerberos V5 SSO prompts a user to log in only for initial access to the network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (such as the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and another external authentication service (such as a TACACS+ server), the firewall first tries SSO and, only if that fails, falls back to the external service for authentication. To support Kerberos SSO, your network requires:
  • A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
  • A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.
  For the configuration steps, see Configure Kerberos Single Sign-On.
Kerberos SSO is available only for services and applications that are internal to your Kerberos environment. To enable SSO for external services and applications, use SAML.
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+) is a family of protocols that enable authentication and authorization through a centralized server. TACACS+ encrypts usernames and passwords, making it more secure than RADIUS, which encrypts only passwords. TACACS+ is also more reliable because it uses TCP, whereas RADIUS uses UDP. You can configure TACACS+ authentication for end users or administrators on the firewall and for administrators on Panorama. Optionally, you can use TACACS+ Vendor-Specific Attributes (VSAs) to manage administrator authorization. TACACS+ VSAs enable you to quickly change the roles, access domains, and user groups of administrators through your directory service instead of reconfiguring settings on the firewall and Panorama.
If you use TACACS+ to manage administrator authorization, you cannot have administrative accounts that are local to the firewall or Panorama; you must define the accounts only on the TACACS+ server.
The firewall and Panorama support the following TACACS+ attributes and VSAs. Refer to your TACACS+ server documentation for the steps to define these VSAs on the TACACS+ server.
Name                                    Value
service                                 This attribute is required to identify the VSAs as specific to Palo Alto Networks. You must set the value to paloalto.
protocol                                This attribute is required to identify the VSAs as specific to Palo Alto Networks devices. You must set the value to firewall.
PaloAlto-Admin-Role                     A default (dynamic) administrative role name or a custom administrative role name on the firewall.
PaloAlto-Admin-Access-Domain            The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.
PaloAlto-Panorama-Admin-Role            A default (dynamic) administrative role name or a custom administrative role name on Panorama.
PaloAlto-Panorama-Admin-Access-Domain   The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).
PaloAlto-User-Group                     The name of a user group in the Allow List of an authentication profile.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a broadly supported networking protocol that provides centralized authentication and authorization. You can configure RADIUS authentication for end users or administrators on the firewall and for administrators on Panorama. Optionally, you can use RADIUS Vendor-Specific Attributes (VSAs) to manage administrator authorization. RADIUS VSAs enable you to quickly change the roles, access domains, and user groups of administrators through your directory service instead of reconfiguring settings on the firewall and Panorama. You can also configure the firewall to use a RADIUS server for:
• Collecting VSAs from GlobalProtect clients.
• Implementing Multi-Factor Authentication.
When sending authentication requests to a RADIUS server, the firewall and Panorama use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence for the service (such as administrative access to the web interface) that initiates the authentication process.
The firewall and Panorama support the following RADIUS VSAs. To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama) and the VSA name and number. Some VSAs also require a value. Refer to your RADIUS server documentation for the steps to define these VSAs.
If you use RADIUS to manage administrator authorization, you cannot have administrative accounts that are local to the firewall or Panorama; you must define the accounts only on the RADIUS server.
When configuring the advanced vendor options on a Cisco Secure Access Control Server (ACS), you must set both the Vendor Length Field Size and Vendor Type Field Size to 1. Otherwise, authentication will fail.
Name                                    Number   Value
PaloAlto-Admin-Role                     1        A default (dynamic) administrative role name or a custom administrative role name on the firewall.
PaloAlto-Admin-Access-Domain            2        The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.
PaloAlto-Panorama-Admin-Role            3        A default (dynamic) administrative role name or a custom administrative role name on Panorama.
PaloAlto-Panorama-Admin-Access-Domain   4        The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).
PaloAlto-User-Group                     5        The name of a user group that an authentication profile references.
PaloAlto-User-Domain                    6        Don't specify a value when you define these VSAs.
PaloAlto-Client-Source-IP               7
PaloAlto-Client-OS                      8
PaloAlto-Client-Hostname                9
PaloAlto-GlobalProtect-Client-Version   10
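The VSAs in this table travel inside the RADIUS Vendor-Specific attribute (attribute type 26, RFC 2865 section 5.26), whose recommended layout is a 4-byte Vendor-Id followed by a 1-byte Vendor-Type and a 1-byte Vendor-Length; that layout is what the Cisco ACS field-size note above refers to. The following Python is an added example, not Palo Alto Networks code or any RADIUS server's: it encodes the authorization VSAs an Access-Accept for a firewall administrator would carry, using vendor code 25461 and the VSA numbers from the table, and decodes them back while rejecting inconsistent lengths instead of reading past them. The role and access domain values are constructed samples, and only the attribute list is built, not the full RADIUS packet with its authenticator.

```python
"""Encode and decode RADIUS Vendor-Specific attributes (RFC 2865 section 5.26)
carrying the Palo Alto Networks VSAs listed above.

Added example, not Palo Alto Networks or any RADIUS server's code. Vendor
code 25461 and the VSA numbers come from the table; the 1-byte
Vendor-Type / Vendor-Length layout is the RFC's recommended one. Sample
values are constructed.
"""
import struct

VENDOR_PALOALTO = 25461          # vendor code from the table above
ATTR_VENDOR_SPECIFIC = 26        # RADIUS attribute type for VSAs

VSA_NAMES = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
    6: "PaloAlto-User-Domain",
    7: "PaloAlto-Client-Source-IP",
    8: "PaloAlto-Client-OS",
    9: "PaloAlto-Client-Hostname",
    10: "PaloAlto-GlobalProtect-Client-Version",
}
VSA_NUMBERS = {name: num for num, name in VSA_NAMES.items()}


def encode_vsa(name, value, vendor_id=VENDOR_PALOALTO):
    """Build one Vendor-Specific attribute (type 26) as bytes.

    Layout: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value.
    """
    data = value.encode("utf-8")
    vtype = VSA_NUMBERS[name]
    vlen = 2 + len(data)                  # vendor-type + vendor-length + value
    if vlen > 255 - 6:                    # whole attribute must fit in one byte
        raise ValueError("VSA value too long for a single attribute")
    body = struct.pack("!IBB", vendor_id, vtype, vlen) + data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(buf):
    """Return [(name, value), ...] for Palo Alto VSAs in a RADIUS attribute list.

    Other attribute types and other vendors are skipped; a length field that
    does not match the data raises ValueError rather than being read past.
    """
    found = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        payload = buf[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(payload) < 6:
            continue
        vendor_id, vtype, vlen = struct.unpack("!IBB", payload[:6])
        if vendor_id != VENDOR_PALOALTO:
            continue
        if vlen != len(payload) - 4:      # vendor-length covers everything after Vendor-Id
            raise ValueError("vendor-length disagrees with attribute length")
        value = payload[6:].decode("utf-8", errors="replace")
        found.append((VSA_NAMES.get(vtype, f"PaloAlto-VSA-{vtype}"), value))
    return found


def build_admin_accept(role, access_domain=None):
    """Attribute list an Access-Accept for a firewall admin would carry (constructed)."""
    attrs = encode_vsa("PaloAlto-Admin-Role", role)
    if access_domain:
        attrs += encode_vsa("PaloAlto-Admin-Access-Domain", access_domain)
    return attrs


if __name__ == "__main__":
    packet_attrs = build_admin_accept("superreader", "vsys1-domain")
    print(packet_attrs.hex())
    print(decode_attributes(packet_attrs))
```

If a server is configured with 2-byte vendor type or length fields, the bytes after the Vendor-Id no longer line up with this layout and the decoder's vendor-length check fails, which is the same mismatch the ACS note describes from the firewall's side.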
LDAP
Lightweight Directory Access Protocol (LDAP) is a standard protocol for accessing information directories. You can Configure LDAP Authentication for end users and for firewall and Panorama administrators. Configuring the firewall to connect to an LDAP server also enables you to define policy rules based on users and user groups instead of just IP addresses. For the steps, see Map Users to Groups and Enable User- and Group-Based Policy.
Local Authentication
Although the firewall and Panorama provide local authentication for administrators and end users, External Authentication Services are preferable in most cases because they provide central account management. However, you might require special user accounts that you don't manage through the directory servers that your organization reserves for regular accounts. For example, you might define a superuser account that is local to the firewall so that you can access the firewall even if the directory server is down. In such cases, you can use the following local authentication methods:
• (Firewall only) Local database authentication: To Configure Local Database Authentication, you create a database that runs locally on the firewall and contains user accounts (usernames and passwords or hashed passwords) and user groups. This type of authentication is useful for creating user accounts that reuse the credentials of existing Unix accounts in cases where you know only the hashed passwords, not the plaintext passwords. Because local database authentication is associated with authentication profiles, you can accommodate deployments where different sets of users require different authentication settings, such as Kerberos single sign-on (SSO) or Multi-Factor Authentication (MFA). (For details, see Configure an Authentication Profile and Sequence.) For accounts that use plaintext passwords, you can also (Local authentication only) Define password complexity and expiration settings. This authentication method is available to administrators who access the firewall (but not Panorama) and end users who access services and applications through Captive Portal or GlobalProtect.
• Local authentication without a database: You can configure firewall administrative accounts or Panorama administrative accounts without creating a database of users and user groups that runs locally on the firewall or Panorama. Because this method is not associated with authentication profiles, you cannot combine it with Kerberos SSO or MFA. However, this is the only authentication method that allows password profiles, which enable you to associate individual accounts with password expiration settings that differ from the global settings. (For details, see (Local authentication only) Define password complexity and expiration settings.)
Plan Your Authentication Deployment
The following are key questions to consider before you implement an authentication solution for administrators who access the firewall and end users who access services and applications through Captive Portal.
For both end users and administrators, consider:
• How can you leverage your existing security infrastructure? Usually, integrating the firewall with an existing infrastructure is faster and cheaper than setting up a new, separate solution just for firewall services. The firewall can integrate with Multi-Factor Authentication, SAML, Kerberos, TACACS+, RADIUS, and LDAP servers. If your users access services and applications that are external to your network, you can use SAML to integrate the firewall with an identity provider (IdP) that controls access to both external and internal services and applications.
• How can you optimize the user experience? If you don't want users to authenticate manually and you have a public key infrastructure, you can implement certificate authentication. Another option is to implement Kerberos or SAML single sign-on (SSO) so that users can access multiple services and applications after logging in to just one. If your network requires additional security, you can combine certificate authentication with interactive (challenge-response) authentication.
• Do you require special user accounts that you don't manage through the directory servers that your organization reserves for regular accounts? For example, you might define a superuser account that is local to the firewall so that you can access the firewall even if the directory server is down. You can configure Local Authentication for these special-purpose accounts.
External Authentication Services are usually preferable to local authentication because they provide central account management.
For end users only, consider:
• Which services and applications are more sensitive than others? For example, you might want stronger authentication for key financial documents than for search engines. To protect your most sensitive services and applications, you can configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing those services and applications. To accommodate a variety of security needs, Configure Authentication Policy rules that trigger MFA or single-factor authentication (such as login credentials or certificates) based on specific services, applications, and end users. Other ways to reduce your attack surface include network segmentation and user groups that whitelist applications.
For administrators only, consider:
• Do you use an external server to centrally manage authorization for all administrative accounts? By defining Vendor-Specific Attributes (VSAs) on the external server, you can quickly change administrative role assignments through your directory service instead of reconfiguring settings on the firewall. VSAs also enable you to specify access domains for administrators of firewalls with multiple virtual systems. SAML, TACACS+, and RADIUS support external authorization.
If you use RADIUS or TACACS+ to manage administrator authorization, you cannot have administrative accounts that are local to the firewall; you must define the accounts only on the RADIUS or TACACS+ server. SAML authorization allows both local and external accounts.
Configure Multi-Factor Authentication
To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs. After evaluating Authentication policy, the firewall evaluates Security policy, so you must configure rules for both policy types.
Palo Alto Networks provides support for MFA vendors through Applications content updates. This means that if you use Panorama to push device group configurations to firewalls, you must install the same Applications updates on the firewalls as on Panorama to avoid mismatches in vendor support.
Step 3 Add an MFA server profile.
The profile defines how the firewall connects to the MFA server. Add a separate profile for each authentication factor after the first factor. The firewall integrates with these MFA servers through vendor APIs. You can specify up to three additional factors. Each MFA vendor provides one factor, though some vendors let users choose one factor out of several.
1. Select Device > Server Profiles > Multi Factor Authentication and Add a profile.
2. Enter a Name to identify the MFA server.
3. Select the Certificate Profile that the firewall will use to validate the MFA server certificate when establishing a secure connection to the MFA server.
4. Set the Type to the MFA vendor you deployed.
5. Configure the Value of each vendor attribute. The attributes define how the firewall connects to the MFA server. Each vendor Type requires different attributes and values; refer to your vendor documentation for details.
6. Click OK to save the profile.
3. Enter your user credentials for the first authentication challenge.
The firewall then displays an MFA login page for the next authentication factor. For example, the MFA service might prompt you to select the Voice, SMS, push, or PIN code (OTP) authentication method. If you select push, your phone prompts you to approve the authentication.
4. Authenticate for the next factor.
The firewall displays an authentication success or failure message. If authentication succeeded, the firewall displays an MFA login page for the next authentication factor, if any.
Repeat this step for each MFA factor. After you authenticate for all the factors, the firewall evaluates Security policy to determine whether to allow access to the service or application.
5. End the session for the service or application you just accessed.
6. Start a new session for the same service or application. Be sure to perform this step within the Timeout period you configured in the Authentication rule.
The firewall allows access without reauthenticating.
7. Wait until the Timeout period expires and request the same service or application.
The firewall prompts you to reauthenticate.
Configure SAML Authentication
To configure SAML single sign-on (SSO) and single logout (SLO), you must register the firewall and the IdP with each other to enable communication between them. If the IdP provides a metadata file containing registration information, you can import it onto the firewall to register the IdP and to create an IdP server profile. The server profile defines how to connect to the IdP and specifies the certificate that the IdP uses to sign SAML messages. You can also use a certificate for the firewall to sign SAML messages. Using certificates is optional but recommended to secure communications between the firewall and the IdP: the IdP signing certificate is what lets the firewall verify that the SAML messages it receives really came from the registered IdP.
The following procedure describes how to configure SAML authentication for end users and firewall administrators. You can also configure SAML authentication for Panorama administrators.
SSO is available to administrators and to GlobalProtect and Captive Portal end users. SLO is available to administrators and GlobalProtect end users, but not to Captive Portal end users.
Administrators can use SAML to authenticate to the firewall web interface, but not to the CLI.
5. Log in using your SSO username and password.
After you successfully authenticate on the IdP, it redirects you back to the firewall, which displays the web interface.
6. Use your firewall administrator account to request access to another SSO application.
Successful access indicates SAML SSO authentication succeeded.
Configure Kerberos Single Sign-On
Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. With Kerberos SSO enabled, the user needs to log in only for initial access to your network (such as logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (such as the firewall web interface) without having to log in again until the SSO session expires.
Configure Kerberos Server Authentication
You can use Kerberos to natively authenticate end users and firewall or Panorama administrators to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter usernames and passwords.
To use a Kerberos server for authentication, the server must be accessible over an IPv4 address. IPv6 addresses are not supported.
Configure Kerberos Authentication
Configure TACACS+ Authentication
You can configure TACACS+ authentication for end users and firewall or Panorama administrators. You can also use a TACACS+ server to manage administrator authorization (role and access domain assignments) by defining Vendor-Specific Attributes (VSAs). For all users, you must configure a TACACS+ server profile that defines how the firewall or Panorama connects to the server (Step 1 below). You then assign the server profile to an authentication profile for each set of users who require common authentication settings (Step 2 below). What you do with the authentication profile depends on which users the TACACS+ server authenticates:
• End users: Assign the authentication profile to an authentication enforcement object and assign the object to Authentication policy rules. For the full procedure, see Configure Authentication Policy.
• Administrative accounts with authorization managed locally on the firewall or Panorama: Assign the authentication profile to firewall administrator or Panorama administrator accounts.
• Administrative accounts with authorization managed on the TACACS+ server: The following procedure describes how to configure TACACS+ authentication and authorization for firewall administrators. For Panorama administrators, refer to Configure TACACS+ Authentication for Panorama Administrators.
Configure TACACS+ Authentication and Authorization for Administrators
Configure RADIUS Authentication
You can configure RADIUS authentication for end users and firewall or Panorama administrators. For administrators, you can use RADIUS to manage authorization (role and access domain assignments) by defining Vendor-Specific Attributes (VSAs). You can also use RADIUS to implement Multi-Factor Authentication (MFA) for administrators and end users. To enable RADIUS authentication, you must configure a RADIUS server profile that defines how the firewall or Panorama connects to the server (Step 1 below). You then assign the server profile to an authentication profile for each set of users who require common authentication settings (Step 2 below). What you do with the authentication profile depends on which users the RADIUS server authenticates:
• End users: Assign the authentication profile to an authentication enforcement object and assign the object to Authentication policy rules. For the full procedure, see Configure Authentication Policy.
You can also configure client systems to send RADIUS Vendor-Specific Attributes (VSAs) to the RADIUS server by assigning the authentication profile to a GlobalProtect portal or gateway. RADIUS administrators can then perform administrative tasks based on those VSAs.
• Administrative accounts with authorization managed locally on the firewall or Panorama: Assign the authentication profile to firewall administrator or Panorama administrator accounts.
• Administrative accounts with authorization managed on the RADIUS server: The following procedure describes how to configure RADIUS authentication and authorization for firewall administrators. For Panorama administrators, refer to Configure RADIUS Authentication for Panorama Administrators.
Configure RADIUS Authentication and Authorization for Administrators
Configure LDAP Authentication
You can use LDAP to authenticate end users who access applications or services through Captive Portal and authenticate firewall or Panorama administrators who access the web interface.
You can also connect to an LDAP server to define policy rules based on user groups. For details, see Map Users to Groups.
Configure Local Database Authentication
You can configure a user database that is local to the firewall to authenticate administrators who access the firewall web interface and to authenticate end users who access applications through Captive Portal or GlobalProtect. Perform the following steps to configure Local Authentication with a local database.
External Authentication Services are usually preferable to local authentication because they provide the benefit of central account management.
You can also configure local authentication without a database, but only for firewall or Panorama administrators.
Step 2 Add the user group to the local database.
Required if your users require group membership.
1. Select Device > Local User Database > User Groups and click Add.
2. Enter a Name to identify the group.
3. Add each user who is a member of the group and click OK.
Configure an Authentication Profile and Sequence
An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web interface and end users who access applications through Captive Portal or GlobalProtect. The service can be Local Authentication that the firewall provides or External Authentication Services. The authentication profile also defines options such as Kerberos single sign-on (SSO).
Some networks have multiple databases (such as TACACS+ and LDAP) for different users and user groups. To authenticate users in such cases, configure an authentication sequence: a ranked order of authentication profiles that the firewall matches a user against during login. The firewall checks against each profile in sequence until one successfully authenticates the user. If the sequence includes an authentication profile that specifies local database authentication, the firewall always checks that profile first regardless of the order in the sequence. A user is denied access only if authentication fails for all the profiles in the sequence; a wrong password is therefore presented to every server in the sequence before the user is denied, which matters if those servers enforce lockout thresholds. The sequence can specify authentication profiles that are based on any authentication service that the firewall supports except Multi-Factor Authentication (MFA) and SAML.
Test Authentication Server Connectivity
The test authentication feature enables you to verify whether the firewall or Panorama can communicate with the authentication server specified in an authentication profile and whether an authentication request succeeds for a specific user. You can test authentication profiles that authenticate administrators who access the web interface or that authenticate end users who access applications through GlobalProtect or Captive Portal. You can perform authentication tests on the candidate configuration to verify the configuration is correct before committing.
Step 1 Configure an authentication profile. You do not need to commit the authentication profile or server profile configuration before testing.
Step 2 Log in to the firewall CLI.
Step 3 (Firewalls with multiple virtual systems) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems so that the test authentication command can locate the user you will test.
Define the target virtual system by entering:
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, enter:
admin@PA-3060> set system setting target-vsys vsys2
NOTE: The target-vsys option is per login session; the firewall clears the option when you log off.
Step 4 Test the authentication profile by entering the following command:
admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password
For example, to test an authentication profile named my-profile for a user named bsimpson, enter:
admin@PA-3060> test authentication authentication-profile my-profile username bsimpson password
The command prompts for the password after you press Enter, so the password is not typed on the command line itself.
NOTE: When running the test command, the names of authentication profiles and server profiles are case-sensitive. Also, if an authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This ensures that the firewall sends the correct credentials to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the authentication profile.
Step 5 View the test output.
If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration.
NOTE: The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.
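The following model, an added illustration rather than code from this guide or from Palo Alto Networks, encodes the sequence rules described under Configure an Authentication Profile and Sequence together with the username-modifier behavior that the test command note above describes: profiles are tried in order, a local database profile is always tried first, MFA and SAML profiles cannot be members of a sequence, access is denied only after every profile fails, and %USERINPUT%@%USERDOMAIN% is expanded before the name is sent to a server. The profile names, the users and the salted-hash credential stores are constructed stand-ins for real servers, not PAN-OS internals.

```python
"""Model of PAN-OS authentication-sequence evaluation and username modifiers.

Added illustration, not code from the PAN-OS Administrator's Guide or from
Palo Alto Networks. Credential stores below are constructed stand-ins for the
real LDAP server and local database.
"""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional

# Services the guide excludes from authentication sequences.
SEQUENCE_EXCLUDED = {"mfa", "saml"}


@dataclass
class AuthProfile:
    name: str
    service: str                                  # "local-db", "ldap", "radius", "tacacs+", "kerberos", "saml", "mfa"
    users: dict = field(default_factory=dict)     # constructed: username -> (salt, sha256 hex)
    username_modifier: str = "%USERINPUT%"        # the default modifier sends the name unchanged
    user_domain: str = ""                         # value of the profile's User Domain field
    allow_list: Optional[set] = None              # None means every user is allowed


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted SHA-256 stand-in for a server's own password storage (illustration only)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest


def verify_password(stored, password: str) -> bool:
    salt, digest = stored
    return hash_password(password, salt)[1] == digest


def apply_username_modifier(profile: AuthProfile, user_input: str) -> str:
    """Expand %USERINPUT% and %USERDOMAIN% as the guide's bsimpson@mydomain.com example describes."""
    return (profile.username_modifier
            .replace("%USERINPUT%", user_input)
            .replace("%USERDOMAIN%", profile.user_domain))


def build_sequence(profiles):
    """Reject excluded services and return the evaluation order: local database first."""
    for p in profiles:
        if p.service in SEQUENCE_EXCLUDED:
            raise ValueError(f"{p.name}: {p.service} profiles cannot be members of a sequence")
    local = [p for p in profiles if p.service == "local-db"]
    external = [p for p in profiles if p.service != "local-db"]
    return local + external


def authenticate(profiles, user_input: str, password: str):
    """Return (succeeded, name of the profile that succeeded or None, per-profile trace)."""
    trace = []
    for p in build_sequence(profiles):
        name = apply_username_modifier(p, user_input)
        if p.allow_list is not None and name not in p.allow_list:
            trace.append((p.name, "not in allow list"))
            continue
        stored = p.users.get(name)
        if stored is not None and verify_password(stored, password):
            trace.append((p.name, "succeeded"))
            return True, p.name, trace
        trace.append((p.name, "failed"))          # this server saw a failed attempt
    return False, None, trace                     # every profile failed: access denied


# Constructed credential stores (not real servers); the local profile is listed last on purpose.
LDAP = AuthProfile("corp-ldap", "ldap",
                   users={"bsimpson@mydomain.com": hash_password("d0h!")},
                   username_modifier="%USERINPUT%@%USERDOMAIN%", user_domain="mydomain.com")
LOCAL = AuthProfile("break-glass-local", "local-db",
                    users={"admin": hash_password("local-secret")}, allow_list={"admin"})
SEQUENCE = [LDAP, LOCAL]

if __name__ == "__main__":
    print(authenticate(SEQUENCE, "bsimpson", "d0h!"))
    print(authenticate(SEQUENCE, "admin", "local-secret"))
    print(authenticate(SEQUENCE, "bsimpson", "wrong"))
```

The trace returned for a failed login shows every server that received the bad password, which is the detail to keep in mind when an external server enforces its own lockout threshold.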
Authentication Policy
Authentication policy enables you to authenticate end users before they can access services and applications. Whenever a user requests a service or application (such as by visiting a web page), the firewall evaluates Authentication policy. Based on the matching Authentication policy rule, the firewall then prompts the user to authenticate using one or more methods (factors), such as login and password, Voice, SMS, Push, or One-Time Password (OTP) authentication. For the first factor, users authenticate through a Captive Portal web form. For any additional factors, users authenticate through a Multi-Factor Authentication (MFA) login page.
To implement Authentication policy for GlobalProtect, refer to Authentication Policy and Multi-Factor Authentication for GlobalProtect.
After the user authenticates for all factors, the firewall evaluates Security Policy to determine whether to allow access to the service or application.
To reduce the frequency of authentication challenges that interrupt the user workflow, you can specify a timeout period during which a user authenticates only for initial access to services and applications, not for subsequent access. Authentication policy integrates with Captive Portal to record the timestamps used to evaluate the timeout and to enable user-based policies and reports.
Based on user information that the firewall collects during authentication, User-ID creates a new IP-address-to-username mapping or updates the existing mapping for that user (if the mapping information has changed). The firewall generates User-ID logs to record the additions and updates. The firewall also generates an Authentication log for each request that matches an Authentication rule. If you favor centralized monitoring, you can configure reports based on User-ID or Authentication logs and forward the logs to Panorama or external services as you would for any other log types.
• Authentication Timestamps
• Configure Authentication Policy
Authentication Timestamps
When configuring an Authentication policy rule, you can specify a timeout period during which a user authenticates only for initial access to services and applications, not for subsequent access. Your goal is to specify a timeout that strikes a balance between the need to secure services and applications and the need to minimize interruptions to the user workflow. When a user authenticates, the firewall records a timestamp for the first authentication challenge (factor) and a timestamp for any additional Multi-Factor Authentication (MFA) factors. When the user subsequently requests services and applications that match an Authentication rule, the firewall evaluates the timeout specified in the rule relative to each timestamp. This means the firewall reissues authentication challenges on a per-factor basis when timeouts expire. If you Redistribute User Mappings and Authentication Timestamps, all your firewalls will enforce Authentication policy timeouts consistently for all users.
The firewall records a separate timestamp for each MFA vendor. For example, if you use Duo v2 and PingID servers to issue challenges for MFA factors, the firewall records one timestamp for the response to the Duo factor and one timestamp for the response to the PingID factor.
Within the timeout period, a user who successfully authenticates for one Authentication rule can access services or applications that other rules protect. However, this portability applies only to rules that trigger the same authentication factors. For example, a user who successfully authenticates for a rule that triggers TACACS+ authentication must authenticate again for a rule that triggers SAML authentication, even if the access requests are within the timeout period for both rules.
When evaluating the timeout in each Authentication rule and the global timer defined in the Captive Portal settings (see Configure Captive Portal), the firewall prompts the user to reauthenticate for whichever setting expires first. Upon reauthenticating, the firewall records new authentication timestamps for the rules and resets the time count for the Captive Portal timer. Therefore, to enable different timeout periods for different Authentication rules, set the Captive Portal timer to a value that is the same as or higher than the timeout in any rule.
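The interaction between per-factor timestamps, rule timeouts and the Captive Portal timer is easier to see when replayed on a clock. The following model is an added illustration, not code from this guide or from Palo Alto Networks; it encodes only what the text above states (one timestamp per factor, each rule's timeout evaluated against each timestamp, portability between rules that use the same factors, and reauthentication for whichever of the rule timeout or the global Captive Portal timer expires first). The rule names, factor names, timeouts and the minute-based clock are constructed for the walkthrough.

```python
"""Model of Authentication policy timeout evaluation against per-factor timestamps.

Added illustration, not code from the PAN-OS Administrator's Guide or from
Palo Alto Networks. Times are minutes on a constructed clock; rule names,
factor names and timeouts are made up for the walkthrough.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthRule:
    name: str
    factors: Tuple[str, ...]   # first factor is the Captive Portal form, the rest are MFA vendors
    timeout: int               # Timeout configured in the Authentication rule, in minutes


class TimestampStore:
    """Per-user state the firewall keeps: one timestamp per factor plus the Captive Portal timer."""

    def __init__(self, portal_timer: int):
        self.portal_timer = portal_timer                   # global Captive Portal timer (minutes)
        self.factor_ts: Dict[Tuple[str, str], int] = {}    # (user, factor) -> time of last success
        self.portal_ts: Dict[str, int] = {}                # user -> time the portal timer last (re)started

    def record(self, user: str, factors, now: int) -> None:
        """Successful (re)authentication: new timestamps for these factors, portal timer reset."""
        for f in factors:
            self.factor_ts[(user, f)] = now
        self.portal_ts[user] = now

    def challenges_due(self, user: str, rule: AuthRule, now: int) -> List[str]:
        """Factors the user must authenticate for before this rule allows access.

        Returns [] while the cached timestamps are still valid. An expired Captive
        Portal timer forces every factor of the rule; otherwise each factor is
        challenged individually once the rule timeout has passed since its timestamp.
        """
        started = self.portal_ts.get(user)
        if started is None or now - started >= self.portal_timer:
            return list(rule.factors)
        due = []
        for f in rule.factors:
            ts = self.factor_ts.get((user, f))
            if ts is None or now - ts >= rule.timeout:
                due.append(f)
        return due

    def request(self, user: str, rule: AuthRule, now: int) -> List[str]:
        """Simulate one request: challenge what is due, assume success, report what was asked."""
        due = self.challenges_due(user, rule, now)
        if due:
            self.record(user, due, now)
        return due


# Constructed rules: finance and HR trigger the same factors, the partner portal uses SAML only.
FINANCE = AuthRule("finance-docs", ("ldap", "duo-v2"), timeout=30)
HR = AuthRule("hr-portal", ("ldap", "duo-v2"), timeout=10)
PARTNER = AuthRule("partner-portal", ("saml",), timeout=30)


def walkthrough() -> List[Tuple[int, str, List[str]]]:
    """Replay a sequence of requests and return (time, rule, factors challenged) per request."""
    store = TimestampStore(portal_timer=60)   # portal timer >= every rule timeout, as the guide advises
    log = []
    for t, rule in [(0, FINANCE), (5, HR), (15, HR), (15, PARTNER),
                    (40, FINANCE), (50, FINANCE), (110, PARTNER)]:
        log.append((t, rule.name, store.request("bsimpson", rule, t)))
    return log


if __name__ == "__main__":
    for entry in walkthrough():
        print(entry)
```

In the replay, the HR request at minute 15 re-challenges both factors because HR's shorter timeout has expired, and that reauthentication also refreshes the timestamps the finance rule reads, so the finance request at minute 40 passes without a prompt. The SAML rule never benefits from the LDAP and Duo timestamps, and the request at minute 110 is challenged because the 60-minute Captive Portal timer, not the rule timeout, expired first.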
Configure Authentication Policy
Perform the following steps to configure Authentication policy for end users who access services through Captive Portal. Before starting, ensure that your Security Policy allows users to access the services and URL categories that require authentication.
NOTE: If you configured the firewall to use one or more MFA services, authenticate for the additional authentication factors.
3. End the session for the service or URL you just accessed.
4. Start a new session for the same service or application. Be sure to perform this step within the Timeout period you configured in the Authentication rule.
The firewall allows access without reauthenticating.
5. Wait until the Timeout period expires and request the same service or application.
The firewall prompts you to reauthenticate.
Troubleshoot Authentication Issues
When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the Authentication process takes longer than expected, analyzing authentication-related information can help you determine whether the failure or delay resulted from:
• User behavior: For example, users are locked out after entering the wrong credentials or a high volume of users are simultaneously attempting access.
• System or network issues: For example, an authentication server is inaccessible.
• Configuration issues: For example, the Allow List of an authentication profile doesn't have all the users it should have.
The following CLI commands display information that can help you troubleshoot these issues:
Task | Command
Keys and Certificates
To ensure trust between parties in a secure communication session, Palo Alto Networks firewalls and Panorama use digital certificates. Each certificate contains a public key; the matching private key, which only the certificate holder should possess, decrypts what that public key encrypts and produces the signatures that the public key verifies. Each certificate also carries the digital signature of its issuer, which binds the public key to the subject's identity. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies the issuer did not revoke the certificate (see Certificate Revocation).
Palo Alto Networks firewalls and Panorama use certificates in the following applications:
• User authentication for Captive Portal, GlobalProtect, Mobile Security Manager, and web interface access to a firewall or Panorama.
• Device authentication for GlobalProtect VPN (remote user-to-site or large scale).
• Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).
• Decrypting inbound and outbound SSL traffic.
A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS connection to the destination server. To secure a connection between itself and the client, the firewall uses a signing certificate to automatically generate a copy of the destination server certificate.
The following table describes the keys and certificates that Palo Alto Networks firewalls and Panorama use. As a best practice, use different keys and certificates for each usage.
Table: Palo Alto Networks Device Keys/Certificates
Key/Certificate Usage | Description
Administrative Access | Secure access to firewall or Panorama administration interfaces (HTTPS access to the web interface) requires a server certificate for the MGT interface (or a designated interface on the dataplane if the firewall or Panorama does not use MGT) and, optionally, a certificate to authenticate the administrator.
Captive Portal | In deployments where Authentication policy identifies users who access HTTPS resources, designate a server certificate for the Captive Portal interface. If you configure Captive Portal to use certificates for identifying users (instead of, or in addition to, interactive authentication), deploy client certificates also. For more information on Captive Portal, see Map IP Addresses to Usernames Using Captive Portal.
Forward Trust | For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy of the destination server certificate to present to the client. To set the private key size, see Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the key on a hardware security module (for details, see Secure Keys with a Hardware Security Module).
Forward Untrust | For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA that signed the certificate of the destination server, the firewall uses the forward untrust CA certificate to generate a copy of the destination server certificate to present to the client. Do not distribute the forward untrust CA certificate to client trust stores: its purpose is that the client sees a certificate warning for a destination the firewall could not validate, instead of a silently trusted copy.
SSL Inbound Inspection | The keys that decrypt inbound SSL/TLS traffic for inspection and policy enforcement. For this application, import onto the firewall a private key for each server that is subject to SSL/TLS inbound inspection. See Configure SSL Inbound Inspection.
SSL Exclude Certificate | Certificates for servers to exclude from SSL/TLS decryption. For example, if you enable SSL decryption but your network includes servers for which the firewall should not decrypt traffic (for example, web services for your HR systems), import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Decryption Exclusions.
GlobalProtect | All interaction among GlobalProtect components occurs over SSL/TLS connections. Therefore, as part of the GlobalProtect deployment, deploy server certificates for all GlobalProtect portals, gateways, and Mobile Security Managers. Optionally, deploy certificates for authenticating users also. Note that the GlobalProtect Large Scale VPN (LSVPN) feature requires a CA signing certificate.
Site-to-Site VPNs (IKE) | In a site-to-site IPSec VPN deployment, peer devices use Internet Key Exchange (IKE) gateways to establish a secure channel. IKE gateways use certificates or preshared keys to authenticate the peers to each other. You configure and assign the certificates or keys when defining an IKE gateway on a firewall. See Site-to-Site VPN Overview.
Master Key | The firewall uses a master key to encrypt all private keys and passwords. If your network requires a secure location for storing private keys, you can use an encryption (wrapping) key stored on a hardware security module (HSM) to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
Secure Syslog | The certificate to enable secure connections between the firewall and a syslog server. See Syslog Field Descriptions.
Trusted Root CA | The designation for a root certificate issued by a CA that the firewall trusts. The firewall can use a self-signed root CA certificate to automatically issue certificates for other applications (for example, SSL Forward Proxy). Also, if a firewall must establish secure connections with other firewalls, the root CA that issues their certificates must be in the list of trusted root CAs on the firewall.
Inter-Device Communication | By default, Panorama, firewalls, and Log Collectors use a set of predefined certificates for the SSL/TLS connections used for management and log forwarding. However, you can enhance these connections by deploying custom certificates to the devices in your deployment. These certificates can also be used to secure the SSL/TLS connection between Panorama HA peers.
Certificate Revocation
Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust between parties in a secure communication session. Configuring a firewall or Panorama to check the revocation status of certificates provides additional security. A party that presents a revoked certificate is not trustworthy. When a certificate is part of a chain, the firewall or Panorama checks the status of every certificate in the chain except the root CA certificate, for which it cannot verify revocation status.
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority that issued the certificate must revoke it.
The firewall and Panorama support the following methods for verifying certificate revocation status. If you configure both methods, the firewall or Panorama first tries the OCSP method; if the OCSP server is unavailable, it uses the CRL method.
• Certificate Revocation List (CRL)
• Online Certificate Status Protocol (OCSP)
In PAN-OS, certificate revocation status verification is an optional feature. It is a best practice to enable it for certificate profiles, which define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall or Panorama.
Certificate Revocation List (CRL)
Each certificate authority (CA) periodically issues a certificate revocation list (CRL) to a public repository. The CRL identifies revoked certificates by serial number. After the CA revokes a certificate, the next CRL update will include the serial number of that certificate. Until that update is published and downloaded, a firewall that relies on CRLs alone still accepts the revoked certificate.
The Palo Alto Networks firewall downloads and caches the last-issued CRL for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the CRL for the issuing CA. Also, the cache only stores a CRL until it expires.
The firewall supports CRLs only in Distinguished Encoding Rules (DER) format. If the firewall downloads a CRL in any other format (for example, Privacy Enhanced Mail (PEM) format), any revocation verification process that uses that CRL will fail when a user performs an activity that triggers the process (for example, sending outbound SSL data). The firewall will generate a system log for the verification failure. If the verification was for an SSL certificate, the firewall will also display the SSL Certificate Errors Notify response page to the user.
To use CRLs for verifying the revocation status of certificates used for the decryption of inbound and outbound SSL/TLS traffic, see Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.
To use CRLs for verifying the revocation status of certificates that authenticate users and devices, configure a certificate profile and assign it to the interfaces that are specific to the application: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, or web interface access to Palo Alto Networks firewalls or Panorama. For details, see Configure Revocation Status Verification of Certificates.
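Because a PEM-encoded CRL silently turns every dependent revocation check into a failure, it is worth checking what a CA's CRL distribution point actually serves before pointing the firewall at it. The following script is an added illustration, not code from this guide or from Palo Alto Networks: it tells DER from PEM by inspecting the outer ASN.1 SEQUENCE tag and length (every X.509 CRL is a single DER SEQUENCE) and converts a PEM CRL to the DER form the firewall accepts. The sample bytes are a constructed minimal SEQUENCE, not a real CRL; the functions work unchanged on a real CRL file because they only look at the outer encoding.

```python
"""Detect whether a CRL is DER or PEM encoded and convert PEM to DER.

Added illustration, not code from the PAN-OS Administrator's Guide or from
Palo Alto Networks. SAMPLE_DER is a constructed minimal ASN.1 SEQUENCE, not a
real CRL; the checks below rely only on the outer DER tag/length and the PEM
armour, so they apply to real CRL files as well.
"""
import base64
import re
from typing import Optional

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def der_outer_length(data: bytes) -> Optional[int]:
    """Return the total encoded length if data is exactly one well-formed DER SEQUENCE, else None.

    Tag 0x30 is SEQUENCE. The length is one byte when < 128; otherwise the first
    length byte is 0x80 | n and the next n bytes hold the length big-endian.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return None
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    total = header + length
    return total if total == len(data) else None   # trailing or missing bytes: not a clean DER object


def detect_format(data: bytes) -> str:
    """Classify downloaded CRL bytes as "DER", "PEM" or "UNKNOWN"."""
    if PEM_RE.search(data):
        return "PEM"
    if der_outer_length(data) is not None:
        return "DER"
    return "UNKNOWN"


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a CRL supplied as DER or PEM; raise for anything else."""
    fmt = detect_format(data)
    if fmt == "DER":
        return data
    if fmt == "PEM":
        der = base64.b64decode(PEM_RE.search(data).group(1))
        if der_outer_length(der) is None:
            raise ValueError("PEM body does not decode to a single DER SEQUENCE")
        return der
    raise ValueError("input is neither a DER nor a PEM CRL")


# Constructed stand-in: SEQUENCE { INTEGER 5, INTEGER 7 }, 8 bytes; not a real CRL.
SAMPLE_DER = bytes.fromhex("3006020105020107")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")

if __name__ == "__main__":
    print(detect_format(SAMPLE_PEM), detect_format(SAMPLE_DER))
    print(to_der(SAMPLE_PEM) == SAMPLE_DER)
```

If a distribution point serves PEM, the fix is on the PKI side (publish DER, or republish the converted file at a URL the firewall can reach); the firewall itself will not convert the file, and a truncated download fails the same length check.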
Online Certificate Status Protocol (OCSP)
When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check the revocation status of the authentication certificate. The authenticating client sends a request containing the serial number of the certificate to the OCSP responder (server). The responder searches the database of the certificate authority (CA) that issued the certificate and returns a response containing the status (good, revoked, or unknown) to the client. The advantage of the OCSP method is that it can verify status in real time, instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs.
The Palo Alto Networks firewall downloads and caches OCSP status information for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the OCSP information for the issuing CA. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall as an OCSP responder (see Configure an OCSP Responder).
To use OCSP for verifying the revocation status of certificates when the firewall functions as an SSL forward proxy, perform the steps under Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.
The following applications use certificates to authenticate users and/or devices: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP for verifying the revocation status of the certificates:
• Configure an OCSP responder.
• Enable the HTTP OCSP service on the firewall.
• Create or obtain a certificate for each application.
• Configure a certificate profile for each application.
• Assign the certificate profile to the relevant application.
To cover situations where the OCSP responder is unavailable, configure CRL as a fallback method. For details, see Configure Revocation Status Verification of Certificates.
Certificate Deployment
The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are:
Obtain certificates from a trusted third-party CA: The benefit of obtaining a certificate from a trusted third-party certificate authority (CA) such as VeriSign or GoDaddy is that end clients will already trust the certificate because common browsers include root CA certificates from well-known CAs in their trusted root certificate stores. Therefore, for applications that require end clients to establish secure connections with the firewall or Panorama, purchase a certificate from a CA that the end clients trust to avoid having to pre-deploy root CA certificates to the end clients. (Some such applications are a GlobalProtect portal or GlobalProtect Mobile Security Manager.) However, note that most third-party CAs cannot issue signing certificates. Therefore, this type of certificate is not appropriate for applications (for example, SSL/TLS decryption and large-scale VPN) that require the firewall to issue certificates. See Obtain a Certificate from an External CA.
Obtain certificates from an enterprise CA: Enterprises that have their own internal CA can use it to issue certificates for firewall applications and import them onto the firewall. The benefit is that end clients probably already trust the enterprise CA. You can either generate the needed certificates and import them onto the firewall, or generate a certificate signing request (CSR) on the firewall and send it to the enterprise CA for signing. The benefit of this method is that the private key does not leave the firewall. An enterprise CA can also issue a signing certificate, which the firewall uses to automatically generate certificates (for example, for GlobalProtect large-scale VPN or sites requiring SSL/TLS decryption). See Import a Certificate and Private Key.
Generate self-signed certificates: You can Create a Self-Signed Root CA Certificate on the firewall and use it to automatically issue certificates for other firewall applications. Note that if you use this method to generate certificates for an application that requires an end client to trust the certificate, end users will see a certificate error because the root CA certificate is not in their trusted root certificate store. To prevent this, deploy the self-signed root CA certificate to all end user systems. You can deploy the certificates manually or use a centralized deployment method such as an Active Directory Group Policy Object (GPO).
Set Up Verification for Certificate Revocation Status
To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs). For details on these methods, see Certificate Revocation. If you configure both methods, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall to function as the OCSP responder.
The following topics describe how to configure the firewall to verify certificate revocation status:
Configure an OCSP Responder
Configure Revocation Status Verification of Certificates
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
Configure an OCSP Responder
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can be a third-party certificate authority (CA) or, if your enterprise has its own public key infrastructure (PKI), the firewall itself. For details on OCSP, see Certificate Revocation.
Configure Revocation Status Verification of Certificates
The firewall and Panorama use certificates to authenticate users and devices for such applications as Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. To improve security, it is a best practice to configure the firewall or Panorama to verify the revocation status of certificates that it uses for device/user authentication.
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
The firewall decrypts inbound and outbound SSL/TLS traffic to apply security rules, then re-encrypts the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.) You can configure the firewall to verify the revocation status of certificates used for decryption as follows.
Enabling revocation status verification for SSL/TLS decryption certificates will add time to the process of establishing the session. The first attempt to access a site might fail if the verification does not finish before the session times out. For these reasons, verification is disabled by default.
Configure the Master Key
Every firewall and Panorama management server has a default master key that encrypts all the private keys and passwords in the configuration to secure them (such as the private key used for SSL Forward Proxy Decryption). For the best security posture, configure a new master key and change it periodically.
In a high availability (HA) configuration, you must use the same master key on both firewalls or Panorama in the pair. Otherwise, HA synchronization will not work properly.
Additionally, if you are using Panorama to manage your firewalls, you must use the same master key on Panorama and all managed firewalls so that Panorama can push configurations to the firewalls.
For added security, Encrypt a Master Key Using an HSM.
Be sure to store the master key in a safe location. You cannot recover the master key and the only way to restore the default master key is to Reset the Firewall to Factory Default Settings.
Configure a Master Key
Step 6 (Optional) Select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
Step 7 Click OK and Commit.
Obtain Certificates
Create a Self-Signed Root CA Certificate
Generate a Certificate
Import a Certificate and Private Key
Obtain a Certificate from an External CA
Create a Self-Signed Root CA Certificate
A self-signed root certificate authority (CA) certificate is the topmost certificate in a certificate chain. A firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall issues certificates for SSL/TLS decryption and for satellites in a GlobalProtect large-scale VPN.
When establishing a secure connection with the firewall, the remote client must trust the root CA that issued the certificate. Otherwise, the client browser will display a warning that the certificate is invalid and might (depending on security settings) block the connection. To prevent this, after generating the self-signed root CA certificate, import it into the client systems.
On a Palo Alto Networks firewall or Panorama, you can generate self-signed certificates only if they are CA certificates.
Generate a Self-Signed Root CA Certificate
Step 1 Select Device > Certificate Management > Certificates > Device Certificates.
Step 2 If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3 Click Generate.
Step 6 If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
Step 10 Click Generate and Commit.
Generate a Certificate
Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. Generate certificates for each usage; for details, see Keys and Certificates.
To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, Configure an OCSP Responder before generating the certificate.
Generate a Certificate
Step 1 Select Device > Certificate Management > Certificates > Device Certificates.
Step 2 If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3 Click Generate.
Step 7 If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
Step 12 Select the Digest algorithm. From most to least secure, the options are: sha512, sha384, sha256 (default), sha1, and md5.
Client certificates that are used when requesting firewall services that rely on TLSv1.2 (such as administrator access to the web interface) cannot have sha512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as sha384) or you must limit the Max Version to TLSv1.1 when you Configure an SSL/TLS Service Profile for the firewall services.
Step 13 For the Expiration, enter the number of days (default is 365) for which the certificate is valid.
Step 15 Click Generate and, in the Device Certificates page, click the certificate Name.
NOTE: Regardless of the time zone on the firewall, it always displays the corresponding Greenwich Mean Time (GMT) for certificate validity and expiration dates/times.
Step 16 Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
Step 17 Click OK and Commit.
Import a Certificate and Private Key
If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.
On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.
Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.
If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.
Import a Certificate and Private Key
Step 1 From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it.
Step 2 Select Device > Certificate Management > Certificates > Device Certificates.
Step 3 If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 5 To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.
Step 8 Enter and re-enter (confirm) the Passphrase used to encrypt the private key.
Step 9 Click OK. The Device Certificates page displays the imported certificate.
Obtain a Certificate from an External CA
The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR) and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall. The CA can be a well-known, public CA or an enterprise CA.
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, Configure an OCSP Responder before generating the CSR.
Export a Certificate and Private Key
Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a certificate and private key in your organization. However, if necessary, you can also export a certificate and private key from the firewall or Panorama. You can use an exported certificate and private key in the following cases:
Configure Certificate-Based Administrator Authentication to the Web Interface
GlobalProtect agent/app authentication to portals and gateways
SSL Forward Proxy decryption
Export a Certificate and Private Key
Step 1 Select Device > Certificate Management > Certificates > Device Certificates.
Step 2 If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.
Step 5 Click OK and save the certificate/key file to your computer.
Configure a Certificate Profile
Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.
It is a best practice to enable Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) status verification for certificate profiles. For details on these methods, see Certificate Revocation.
Configure an SSL/TLS Service Profile
Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama downgrades or upgrades the connection to a supported version.
In the client systems that request firewall services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting firewall services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.
Configure an SSL/TLS Service Profile
Step 1 For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
Step 3 If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
Step 4 Click Add and enter a Name to identify the profile.
Step 5 Select the Certificate you just obtained.
Step 6 Define the range of protocols that the service can use:
For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest available version). The default is Max.
Client certificates that are used when requesting firewall services that rely on TLSv1.2 cannot have SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as SHA384) or you must limit the Max Version to TLSv1.1 for the firewall services.
Step 7 Click OK and Commit.
Replace the Certificate for Inbound Management Traffic
When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
You cannot view, modify, or delete the default certificate.
To secure management traffic, you must also Configure Administrative Accounts and Authentication.
Configure the Key Size for SSL Forward Proxy Server Certificates
When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall generates certificates with the same key size as the certificate that the destination server presented. However, you can change the key size for the firewall-generated certificate as follows:
Configure the Key Size for SSL Forward Proxy Server Certificates
Step 3 Click OK and Commit.
Revoke and Renew Certificates
Revoke a Certificate
Renew a Certificate
Revoke a Certificate
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority (CA) that issued the certificate must revoke it. The following task describes how to revoke a certificate for which the firewall is the CA.
Revoke a Certificate
Step 1 Select Device > Certificate Management > Certificates > Device Certificates.
Step 2 If the firewall supports multiple virtual systems, the tab displays a Location drop-down. Select the virtual system to which the certificate belongs.
Step 3 Select the certificate to revoke.
Step 4 Click Revoke. PAN-OS immediately sets the status of the certificate to revoked and adds the serial number to the Online Certificate Status Protocol (OCSP) responder cache or certificate revocation list (CRL). You need not perform a commit.
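The following Go program is an added illustration, not PAN-OS code, of the chain this guide walks through in the web interface: create a self-signed root CA with the default sha256 digest, issue a certificate with a serial number and an expiration in days, revoke it by adding its serial to a CA-signed CRL, and check status the way Set Up Verification for Certificate Revocation Status describes (OCSP first, CRL only when the responder is unavailable). The P-256 keys, the names, and the stub responder type are assumptions; a real check would query the responder over HTTP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Status mirrors the three answers the guide lists for an OCSP response.
type Status string
const Good, Revoked, Unknown Status = "good", "revoked", "unknown"

// signCert generates a P-256 key for tmpl and has parent sign it (nil parent means
// self-signed), using the sha256 digest that is the guide's default.
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	tmpl.SignatureAlgorithm, tmpl.NotBefore = x509.ECDSAWithSHA256, time.Now().Add(-time.Minute)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewSelfSignedRootCA creates the topmost certificate of a chain (valid for the given
// days) and the private key the firewall-as-CA would keep for it.
func NewSelfSignedRootCA(name string, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return signCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotAfter: time.Now().AddDate(0, 0, days), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is needed to revoke
	}, nil, nil)
}

// Issue has the CA sign a leaf with the given serial and Expiration in days (guide default 365).
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, serial int64, days int) (*x509.Certificate, error) {
	cert, _, err := signCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotAfter: time.Now().AddDate(0, 0, days), KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, caKey)
	return cert, err
}

// RevokeToCRL publishes a CA-signed CRL listing the revoked serial numbers.
func RevokeToCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials []int64, crlNumber int64) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(crlNumber), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// CRLStatus verifies the CRL signature and freshness before trusting its contents.
func CRLStatus(cert, issuer *x509.Certificate, crlDER []byte) (Status, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return Unknown, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return Unknown, err
	}
	if time.Now().After(crl.NextUpdate) {
		return Unknown, errors.New("CRL is past its NextUpdate time")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return Revoked, nil
		}
	}
	return Good, nil
}

// Responder models an OCSP responder; reachable=false means it could not be contacted.
type Responder func(serial string) (st Status, reachable bool)

// CheckRevocation applies the guide's order: OCSP first, CRL only if the responder is down.
func CheckRevocation(cert, issuer *x509.Certificate, ocsp Responder, crlDER []byte) (Status, string, error) {
	if ocsp != nil {
		if st, ok := ocsp(cert.SerialNumber.String()); ok {
			return st, "ocsp", nil
		}
	}
	st, err := CRLStatus(cert, issuer, crlDER)
	return st, "crl", err
}
```

The CRL path refuses a list that is unsigned by the expected issuer or past its NextUpdate, which is the check a firewall needs before it trusts a downloaded list over a live responder answer.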
Renew a Certificate
If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status (see Configure an OCSP Responder). If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.
Renew a Certificate
Step 1 Select Device > Certificate Management > Certificates > Device Certificates.
Step 2 If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3 Select a certificate to renew and click Renew.
Step 5 Click OK and Commit.
Secure Keys with a Hardware Security Module
A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. It provides both logical and physical protection of these materials from non-authorized use and potential adversaries.
HSM clients integrated with Palo Alto Networks firewalls or Panorama enable enhanced security for the private keys used in SSL/TLS decryption (both SSL forward proxy and SSL inbound inspection). In addition, you can use the HSM to encrypt master keys.
The following topics describe how to integrate an HSM with your firewall or Panorama:
Set up Connectivity with an HSM
Encrypt a Master Key Using an HSM
Store Private Keys on an HSM
Manage the HSM Deployment
Set up Connectivity with an HSM
HSM clients are integrated with PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls and on Panorama (virtual appliance and M-Series appliance) for use with the following HSMs:
SafeNet Network 5.2.1
Thales nShield Connect 11.62 or later
The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.
The IP address on the HSM client firewall must be a static IP address, not a dynamic address assigned by DHCP. The HSM authenticates the firewall using the IP address before the HSM connection comes up. Operations on the HSM would stop working if the IP address were to change during runtime.
The following topics describe how to set up connectivity to one of the supported HSMs:
Set Up Connectivity with a SafeNet Network HSM
Set Up Connectivity with a Thales nShield Connect HSM
Set Up Connectivity with a SafeNet Network HSM
To set up connectivity between the Palo Alto Networks firewall and a SafeNet Network HSM, you must specify the address of the HSM server and the password for connecting to it in the firewall configuration. In addition, you must register the firewall with the HSM server. Before starting the configuration, make sure you have created a partition for the Palo Alto Networks firewalls on the HSM server.
HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
In Active-Passive HA deployments, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After this manual failover has been performed, user interaction is not required for the failover function.
Set Up Connectivity with a Thales nShield Connect HSM
The following workflow describes how to configure the firewall to communicate with a Thales nShield Connect HSM. This configuration requires that you set up a remote file system (RFS) to use as a hub to sync key data for all firewalls in your organization that are using the HSM.
HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
If the firewall is in an active/passive high availability configuration, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After you perform this initial manual failover, no further user interaction is required for failover function.
Encrypt a Master Key Using an HSM
A master key encrypts all private keys and passwords on the firewall and Panorama. If you have security requirements to store your private keys in a secure location, you can encrypt the master key using an encryption key that is stored on an HSM. The firewall or Panorama then requests the HSM to decrypt the master key whenever it is required to decrypt a password or private key on the firewall. Typically, the HSM is in a highly secure location that is separate from the firewall or Panorama for greater security.
The HSM encrypts the master key using a wrapping key. To maintain security, you must occasionally change (refresh) this wrapping key.
Firewalls configured in FIPS/CC mode do not support master key encryption using an HSM.
The following topics describe how to encrypt the master key initially and how to refresh the master key encryption:
Encrypt the Master Key
Refresh the Master Key Encryption
Encrypt the Master Key
If you have not previously encrypted the master key on a firewall, use the following procedure to encrypt it. Use this procedure for first-time encryption of a key, or if you define a new master key and you want to encrypt it. If you want to refresh the encryption on a previously encrypted key, see Refresh the Master Key Encryption.
Encrypt a Master Key Using an HSM
Step 2 Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the Master Key field.
Step 3 If changing the master key, enter the new master key and confirm.
Step 4 Select the HSM check box.
Life Time: The number of days and hours after which the master key expires (range 1-730 days).
Time for Reminder: The number of days and hours before expiration when the user is notified of the impending expiration (range 1-365 days).
Step 5 Click OK.
Refresh the Master Key Encryption
As a best practice, periodically refresh the master key encryption by rotating the wrapping key that encrypts it. The frequency of the rotation depends on your application. The wrapping key resides on your HSM. The following command is the same for SafeNet Network and Thales nShield Connect HSMs.
Refresh the Master Key Encryption
Step 1 Log in to the firewall CLI.
Step 2 Use the following CLI command to rotate the wrapping key for the master key on an HSM:
> request hsm mkey-wrapping-key-rotation
If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and encrypt the master key with the new wrapping key.
If the master key is not encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM for future use.
The old wrapping key is not deleted by this command.
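To make the key hierarchy concrete, here is an added Go model, not PAN-OS code, of what the two sections above describe: a master key protects the private keys and passwords in the configuration, the HSM wraps the master key, and rotation re-wraps the master key under a new wrapping key without touching the secrets and without deleting the old wrapping key. AES-256-GCM, the in-memory HSM stand-in, and all names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key fails authentication instead of yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// HSM is a hypothetical stand-in for the hardware module: wrapping keys are
// generated inside it, kept by version, and never exported.
type HSM struct{ wrappingKeys [][]byte }

// WrappedMasterKey is what the firewall stores: the master key encrypted under
// wrapping key number Version on the HSM.
type WrappedMasterKey struct {
	Version int
	Blob    []byte
}

// Wrap encrypts a master key under a newly generated 256-bit wrapping key.
func (h *HSM) Wrap(master []byte) (WrappedMasterKey, error) {
	wk := make([]byte, 32)
	if _, err := rand.Read(wk); err != nil {
		return WrappedMasterKey{}, err
	}
	h.wrappingKeys = append(h.wrappingKeys, wk)
	blob, err := seal(wk, master)
	return WrappedMasterKey{Version: len(h.wrappingKeys) - 1, Blob: blob}, err
}

// Unwrap is the request the firewall makes whenever it must decrypt a private key or password.
func (h *HSM) Unwrap(w WrappedMasterKey) ([]byte, error) {
	if w.Version < 0 || w.Version >= len(h.wrappingKeys) {
		return nil, errors.New("unknown wrapping key version")
	}
	return open(h.wrappingKeys[w.Version], w.Blob)
}

// Rotate models `request hsm mkey-wrapping-key-rotation`: a new wrapping key is generated
// and the master key re-encrypted under it; secrets stay untouched and the old key is kept.
func (h *HSM) Rotate(w WrappedMasterKey) (WrappedMasterKey, error) {
	master, err := h.Unwrap(w)
	if err != nil {
		return WrappedMasterKey{}, err
	}
	return h.Wrap(master)
}

// EncryptSecret protects a private key or password under the master key, which
// the HSM unwraps on demand; the result is what lands in the configuration.
func EncryptSecret(h *HSM, w WrappedMasterKey, plain []byte) ([]byte, error) {
	master, err := h.Unwrap(w)
	if err != nil {
		return nil, err
	}
	return seal(master, plain)
}

// DecryptSecret recovers a configuration secret via the HSM-unwrapped master key.
func DecryptSecret(h *HSM, w WrappedMasterKey, sealed []byte) ([]byte, error) {
	master, err := h.Unwrap(w)
	if err != nil {
		return nil, err
	}
	return open(master, sealed)
}
```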
Store Private Keys on an HSM
For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:
SSL Forward Proxy: The HSM can store the private key of the Forward Trust certificate that signs certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding the certificates to the client.
SSL Inbound Inspection: The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.
If you use the DHE or ECDHE key exchange algorithms to enable Perfect Forward Secrecy (PFS) Support for SSL Decryption, you cannot use an HSM to store the private keys for SSL Inbound Inspection. You also cannot use an HSM to store ECDSA keys used for Forward Proxy or Inbound Inspection decryption.
Store Private Keys on an HSM
Step 3 Import the certificate that corresponds to the HSM-stored key onto the firewall.
1. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
2. Enter the Certificate Name.
3. Browse to the Certificate File on the HSM.
4. Select a File Format.
5. Select Private Key resides on Hardware Security Module.
6. Click OK and Commit.
Manage the HSM Deployment
HA Overview
You can set up two Palo Alto Networks firewalls as an HA pair. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that the peer firewall fails. The firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data (network, object, and policy configurations) and to maintain state information. Firewall-specific configuration such as management interface IP address or administrator profiles, HA-specific configuration, log data, and the Application Command Center (ACC) information is not shared between peers. For a consolidated application and log view across the HA pair, you must use Panorama, the Palo Alto Networks centralized management system.
When a failure occurs on a firewall in an HA pair and the peer firewall takes over the task of securing traffic, the event is called a Failover. The conditions that trigger a failover are:
One or more of the monitored interfaces fail. (Link Monitoring)
One or more of the destinations specified on the firewall cannot be reached. (Path Monitoring)
The firewall does not respond to heartbeat polls. (Heartbeat Polling and Hello messages)
A critical chip or software component fails, known as packet path health monitoring.
You can use Panorama to manage HA firewalls. See Context Switch: Firewall or Panorama in the Panorama Administrator's Guide.
After you understand the HA Concepts, proceed to Set Up Active/Passive HA or Set Up Active/Active HA.
HA Concepts
The following topics provide conceptual information about how HA works on a Palo Alto Networks firewall:
HA Modes
HA Links and Backup Links
Device Priority and Preemption
Failover
LACP and LLDP Pre-Negotiation for Active/Passive HA
Floating IP Address and Virtual MAC Address
ARP Load-Sharing
Route-Based Redundancy
HA Timers
Session Owner
Session Setup
NAT in Active/Active HA Mode
ECMP in Active/Active HA Mode
HA Modes
You can set up the firewalls for HA in one of two modes:
Active/Passive: One firewall actively manages traffic while the other is synchronized and ready to transition to the active state, should a failure occur. In this mode, both firewalls share the same configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs. When the active firewall fails, the passive firewall transitions to the active state and takes over seamlessly and enforces the same policies to maintain network security. Active/passive HA is supported in the virtual wire, Layer 2, and Layer 3 deployments.
The PA-200 firewall supports HA Lite only.
HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPSec security associations. It does not support any session synchronization (HA2), and therefore does not offer stateful failover.
Active/Active: Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each other. Active/active HA is supported in virtual wire and Layer 3 deployments.
In active/active HA mode, the firewall does not support DHCP client. Furthermore, only the active-primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast packets, it drops them.
An active/active configuration does not load-balance traffic. Although you can load share by sending traffic to the peer, no load balancing occurs. Ways to load share sessions to both firewalls include using ECMP, multiple ISPs, and load balancers.
When deciding whether to use active/passive or active/active mode, consider the following differences:
Active/passive mode has simplicity of design; it is significantly easier to troubleshoot routing and traffic flow issues in active/passive mode. Active/passive mode supports a Layer 2 deployment; active/active mode does not.
Active/active mode requires advanced design concepts that can result in more complex networks. Depending on how you implement active/active HA, it might require additional configuration such as activating networking protocols on both firewalls, replicating NAT pools, and deploying floating IP addresses to provide proper failover. Because both firewalls are actively processing traffic, the firewalls use additional concepts of session owner and session setup to perform Layer 7 content inspection. Active/active mode is recommended if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic.
In active/active mode, the HA pair can be used to temporarily process more traffic than what one firewall can normally handle. However, this should not be the norm because a failure of one firewall causes all traffic to be redirected to the remaining firewall in the HA pair. Your design must allow the remaining firewall to process the maximum capacity of your traffic loads with content inspection enabled. If the design oversubscribes the capacity of the remaining firewall, high latency and/or application failure can occur.
For information on setting up your firewalls in active/passive mode, see Set Up Active/Passive HA. For information on setting up your firewalls in active/active mode, see Set Up Active/Active HA.
HA Links and Backup Links
The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports (Control link (HA1) and Data link (HA2)), while others require you to use the in-band ports as HA links.
On firewalls with dedicated HA ports such as the PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls (see HA Ports on the PA-7000 Series Firewall), use the dedicated HA ports to manage communication and synchronization between the firewalls.
For firewalls without dedicated HA ports such as the PA-200, PA-220, and PA-500 firewalls, as a best practice use the dataplane port for the HA port, and use the management port as the HA1 backup.
The HA1 and HA2 links provide synchronization for functions that reside on the management plane. Using the dedicated HA interfaces on the management plane is more efficient than using the in-band ports as this eliminates the need to pass the synchronization packets over the dataplane.
HA Links and Backup Links | Description
Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing and User-ID information. The firewalls also use this link to synchronize configuration changes with its peer. The HA1 link is a Layer 3 link and requires an IP address.
Ports used for HA1: TCP port 28769 and 28260 for clear text communication; port 28 for encrypted communication (SSH over TCP).
Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active or active-primary firewall to the passive or active-secondary firewall. The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
Ports used for HA2: The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
Backup Links: Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. Consider the following guidelines when configuring backup HA links:
The IP addresses of the primary and backup HA links must not overlap each other.
HA backup links must be on a different subnet from the primary HA links.
HA1 backup and HA2 backup ports must be configured on separate physical ports. The HA1 backup link uses port 28770 and 28260.
Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links.
Packet Forwarding Link: In addition to HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing or encryption. PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one. On PA-800 Series, PA-3000 Series, PA-5000 Series, and PA-5200 Series firewalls, you can configure aggregate interfaces as an HA3 link. The aggregate interfaces can also provide redundancy for the HA3 link; you cannot configure backup links for the HA3 link. On PA-5200 and PA-7000 Series firewalls, the dedicated HSCI ports support the HA3 link. The firewall adds a proprietary packet header to packets traversing the HA3 link, so the MTU over this link must be greater than the maximum packet length forwarded.
HA Ports on the PA-7000 Series Firewall
HA connectivity on the PA-7000 Series mandates the use of specific ports on the Switch Management Card (SMC) for certain functions; for other functions, you can use the ports on the Network Processing Card (NPC). PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.
The following table describes the SMC ports that are designed for HA connectivity:
Device Priority and Preemption
The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active or active-primary role. If you need to use a specific firewall in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each firewall. The firewall with the lower numerical value, and therefore higher priority, is designated as active or active-primary. The other firewall is the active-secondary or passive firewall.
By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active or active-primary after it recovers from a failure. When preemption occurs, the event is logged in the system logs.
Failover
When a failure occurs on one firewall and the peer takes over the task of securing traffic, the event is called a failover. A failover is triggered, for example, when a monitored metric on a firewall in the HA pair fails. The metrics that are monitored for detecting a firewall failure are:
Heartbeat Polling and Hello messages
The firewalls use hello messages and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is 1000 milliseconds. A ping is sent every 1000 milliseconds and if there are three consecutive heartbeat losses, a failover occurs. For details on the HA timers that trigger a failover, see HA Timers.
Link Monitoring
The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is monitored. A link group can contain one or more physical interfaces. A firewall failure is triggered when any or all of the interfaces in the group fail. The default behavior is that failure of any one link in the link group will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
Path Monitoring
Monitors the full path through the network to mission-critical IP addresses. ICMP pings are used to verify reachability of the IP address. The default interval for pings is 200 ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail, and a firewall failure is triggered when any or all of the IP addresses monitored become unreachable. The default behavior is that any one of the IP addresses becoming unreachable will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
In addition to the failover triggers listed above, a failover also occurs when the administrator suspends the firewall or when preemption occurs.
On the PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls, a failover can occur when an internal health check fails. This health check is not configurable and is enabled to monitor the critical components, such as the FPGA and CPUs. Additionally, general health checks occur on any platform, causing failover.
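The failover triggers above (heartbeat loss, link groups, path monitoring) and the device priority and preemption rules from the previous section, modelled as an added example. This is constructed illustration code, not PAN-OS code: the thresholds are the defaults the guide states (1000 ms heartbeat with three consecutive losses, 200 ms path pings with ten consecutive failures, "any" as the default failure condition), while the data structures, function names, peer names and sample interface and address values are assumptions.

```python
"""Model of PAN-OS HA failure detection and preemption (constructed example)."""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL_MS = 1000      # default heartbeat (ICMP ping) interval
HEARTBEAT_LOSS_THRESHOLD = 3      # consecutive losses that trigger failover
PATH_PING_INTERVAL_MS = 200       # default path-monitoring ping interval
PATH_PING_FAIL_THRESHOLD = 10     # consecutive failures => IP unreachable


def heartbeat_failed(replies):
    """True once the peer misses HEARTBEAT_LOSS_THRESHOLD heartbeats in a row.
    `replies` is the per-interval result sequence (True = ping answered)."""
    run = 0
    for answered in replies:
        run = 0 if answered else run + 1
        if run >= HEARTBEAT_LOSS_THRESHOLD:
            return True
    return False


@dataclass
class MonitorGroup:
    """A link group (interfaces) or path group (monitored IP addresses).
    `condition` is the group's failure condition: 'any' (default) or 'all'."""
    members: dict            # name -> True if link up / address reachable
    condition: str = "any"

    def failed(self):
        down = [not up for up in self.members.values()]
        if not down:
            return False
        return any(down) if self.condition == "any" else all(down)


@dataclass
class PathMonitor:
    """Consecutive lost pings per monitored IP address."""
    losses: dict = field(default_factory=dict)

    def record(self, ip, answered):
        self.losses[ip] = 0 if answered else self.losses.get(ip, 0) + 1

    def unreachable(self, ip):
        return self.losses.get(ip, 0) >= PATH_PING_FAIL_THRESHOLD

    def as_group(self, condition="any"):
        return MonitorGroup({ip: not self.unreachable(ip) for ip in self.losses}, condition)


def path_monitor_from(ip, results):
    """Build a PathMonitor from a sequence of ping results for one address."""
    monitor = PathMonitor()
    for answered in results:
        monitor.record(ip, answered)
    return monitor


def failover_trigger(heartbeat_replies, link_group, path_group):
    """Name of the first trigger that fired, or None if the firewall is healthy."""
    if heartbeat_failed(heartbeat_replies):
        return "heartbeat"
    if link_group.failed():
        return "link"
    if path_group.failed():
        return "path"
    return None


def failed_state(ha_mode):
    """State entered when a monitored object fails: non-functional in
    active/passive, tentative in active/active."""
    return "tentative" if ha_mode == "active/active" else "non-functional"


def active_after_recovery(current_active, recovered, priority, preemptive):
    """Which peer holds the active (or active-primary) role once `recovered`
    comes back online. Preemption must be enabled on both peers and the
    lower numeric priority wins; otherwise the current active peer keeps it."""
    if (preemptive[current_active] and preemptive[recovered]
            and priority[recovered] < priority[current_active]):
        return recovered
    return current_active


def detection_time_ms(trigger):
    """Worst-case detection time for a trigger with the default timers."""
    if trigger == "heartbeat":
        return HEARTBEAT_INTERVAL_MS * HEARTBEAT_LOSS_THRESHOLD
    if trigger == "path":
        return PATH_PING_INTERVAL_MS * PATH_PING_FAIL_THRESHOLD
    raise ValueError(f"unknown trigger: {trigger}")
```

With the default timers a dead peer is noticed after 3000 ms of lost heartbeats and an unreachable monitored address after 2000 ms of lost pings; the `condition` field shows why the default "any" makes a single failed member enough to move the firewall to non-functional (or tentative in active/active).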
LACP and LLDP Pre-Negotiation for Active/Passive HA
If a firewall uses LACP or LLDP, negotiation of those protocols upon failover prevents sub-second failover. However, you can enable an interface on a passive firewall to negotiate LACP and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA state can communicate with neighboring devices using LACP or LLDP. Such pre-negotiation speeds up failover.
The PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls support a pre-negotiation configuration depending on whether the Ethernet or AE interface is in a Layer 2, Layer 3, or virtual wire deployment. An HA passive firewall handles LACP and LLDP packets in one of two ways:
- Active: The firewall has LACP or LLDP configured on the interface and actively participates in LACP or LLDP pre-negotiation, respectively.
- Passive: LACP or LLDP is not configured on the interface and the firewall does not participate in the protocol, but allows the peers on either side of the firewall to pre-negotiate LACP or LLDP, respectively.
Pre-negotiation is not supported on subinterfaces or tunnel interfaces.
To configure LACP or LLDP pre-negotiation, see Step 14 of Configure Active/Passive HA.
Floating IP Address and Virtual MAC Address
In a Layer 3 deployment of HA active/active mode, you can assign floating IP addresses, which move from one HA firewall to the other if a link or firewall fails. The interface on the firewall that owns the floating IP address responds to ARP requests with a virtual MAC address.
Floating IP addresses are recommended when you need functionality such as Virtual Router Redundancy Protocol (VRRP). Floating IP addresses can also be used to implement VPNs and source NAT, allowing for persistent connections when a firewall offering those services fails.
As shown in the figure below, each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as their default gateway, allowing you to load balance traffic to the two HA peers. You can also use external load balancers to load balance traffic.
If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure below, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.
After the failed firewall recovers, by default the floating IP address and virtual MAC address move back to the firewall with the Device ID [0 or 1] to which the floating IP address is bound. More specifically, after the failed firewall recovers, it comes online. The currently active firewall determines that the firewall is back online and checks whether the floating IP address it is handling belongs natively to itself or the other firewall. If the floating IP address was originally bound to the other Device ID, the firewall automatically gives it back. (For an alternative to this default behavior, see Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.)
Each firewall in the HA pair creates a virtual MAC address for each of its interfaces that has a floating IP address or ARP Load Sharing IP address.
The format of the virtual MAC address (on firewalls other than PA-7000 Series firewalls) is 00:1B:17:00:xx:yy, where 00:1B:17 is the vendor ID (of Palo Alto Networks in this case), 00 is fixed, xx indicates the Device ID and Group ID as shown in the following figure, and yy is the Interface ID:
The format of the virtual MAC address on PA-7000 Series firewalls is 00:1B:17:xx:xx:xx, where 00:1B:17 is the vendor ID (of Palo Alto Networks in this case), and the next 24 bits indicate the Device ID, Group ID and Interface ID as follows:
When a new active firewall takes over, it sends gratuitous ARPs from each of its connected interfaces to inform the connected Layer 2 switches of the new location of the virtual MAC address. To configure floating IP addresses, see Use Case: Configure Active/Active HA with Floating IP Addresses.
ARP Load Sharing
In a Layer 3 interface deployment and active/active HA configuration, ARP load sharing allows the firewalls to share an IP address and provide gateway services. Use ARP load sharing only when no Layer 3 device exists between the firewall and end hosts, that is, when end hosts use the firewall as their default gateway.
In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm that controls which firewall will respond to the ARP request is configurable; it is determined by computing the hash or modulo of the source IP address of the ARP request.
After the end host receives the ARP response from the gateway, it caches the MAC address and all traffic from the host is routed via the firewall that responded with the virtual MAC address for the lifetime of the ARP cache. The lifetime of the ARP cache depends on the end host operating system.
If a link or firewall fails, the floating IP address and virtual MAC address move over to the functional firewall. The functional firewall sends gratuitous ARPs to update the MAC table of the connected switches to redirect traffic from the failed firewall to itself. See Use Case: Configure Active/Active HA with ARP Load Sharing.
You can configure interfaces on the WAN side of the HA firewalls with floating IP addresses, and configure interfaces on the LAN side of the HA firewalls with a shared IP address for ARP load sharing. For example, the figure below illustrates floating IP addresses for the upstream WAN edge routers and an ARP load-sharing address for the hosts on the LAN segment.
Route-Based Redundancy
In a Layer 3 interface deployment and active/active HA configuration, the firewalls are connected to routers, not switches. The firewalls use dynamic routing protocols to determine the best path (asymmetric route) and to load share between the HA pair. In such a scenario, no floating IP addresses are necessary. If a link, monitored path, or firewall fails, or if Bidirectional Forwarding Detection (BFD) detects a link failure, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic to the functioning firewall. You configure each firewall interface with a unique IP address. The IP addresses remain local to the firewall where they are configured; they do not move between devices when a firewall fails. See Use Case: Configure Active/Active HA with Route-Based Redundancy.
HA Timers
High availability (HA) timers enable a firewall to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.
Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.
The following table describes each timer included in the profiles and the current preset values (Recommended/Aggressive) across the different hardware models; these values are for current reference only and can change in a subsequent release.
[HA timer table not reproduced in this extraction; its columns cover the hardware models, including PA-3000 Series, PA-200 and VM-Series.]
Session Owner
In an HA active/active configuration, both firewalls are active simultaneously, which means packets can be distributed between them. Such distribution requires the firewalls to fulfill two functions: session ownership and session setup. Typically, each firewall of the pair performs one of these functions, thereby avoiding race conditions that can occur in asymmetrically routed environments.
You configure the session owner of sessions to be either the firewall that receives the First Packet of a new session from the end host or the firewall that is in active-primary state (the Primary device). If Primary device is configured, but the firewall that receives the first packet is not in active-primary state, the firewall forwards the packet to the peer firewall (the session owner) over the HA3 link.
The session owner performs all Layer 7 processing, such as App-ID, Content-ID, and threat scanning for the session. The session owner also generates all traffic logs for the session.
If the session owner fails, the peer firewall becomes the session owner. The existing sessions fail over to the functioning firewall and no Layer 7 processing is available for those sessions. When a firewall recovers from a failure, by default, all sessions it owned before the failure revert back to that original firewall; Layer 7 processing does not resume.
If you configure session ownership to be Primary device, the session setup defaults to Primary device also.
Palo Alto Networks recommends setting the Session Owner to First Packet and the Session Setup to IP Modulo unless otherwise indicated in a specific use case.
Setting Session Owner and Session Setup to Primary Device causes the active-primary firewall to perform all traffic processing. You might want to configure this for one of these reasons:
- You are troubleshooting and capturing logs and pcaps, so that packet processing is not split between the firewalls.
- You want to force the active/active HA pair to function like an active/passive HA pair. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.
Session Setup
The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up a new session. The session setup firewall also performs NAT using the NAT pool of the session owner. You determine the session setup firewall in an active/active configuration by selecting one of the following session setup load-sharing options.
Session Setup Option: Description
IP Modulo: The firewall distributes the session setup load based on parity of the source IP address. This is a deterministic method of sharing the session setup.
IP Hash: The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities.
If you want to load share the session owner and session setup responsibilities, set session owner to First Packet and session setup to IP modulo. These are the recommended settings.
If you want to do troubleshooting or capture logs or pcaps, or if you want an active/active HA pair to function like an active/passive HA pair, set both the session owner and session setup to Primary device so that the active-primary device performs all traffic processing. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.
The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The following figure and text describe the path of a packet that firewall FW1 receives for a new session. The red dotted lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding the packet back to FW1 over the HA3 link.
1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
3. FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
4. FW1 uses the HA3 link to send the first packet to FW2.
5. FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
6. FW1 then forwards the packet out the egress interface to the destination.
The following figure and text describe the path of a packet that matches an existing session:
1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If the session matches an existing session, FW1 processes the packet and sends the packet out the egress interface to the destination.
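The selection rules from the ARP Load Sharing section and the Session Owner and Session Setup sections above, modelled together as an added example (not code from this guide or from PAN-OS). The parity rule for IP Modulo and the source-IP modulo for ARP load sharing are taken from the text; the guide does not specify the hash function behind IP Hash, so CRC32 stands in for it here by assumption. The mapping of Device ID 0 and 1 to FW1 and FW2, the gateway and host addresses, and the virtual MAC values are constructed.

```python
"""Active/active load-sharing selectors and the first-packet path over HA3
(constructed model, not PAN-OS code)."""
import ipaddress
import zlib

PEER_NAME = {0: "FW1", 1: "FW2"}          # assumed Device ID -> firewall mapping
# Constructed virtual MAC placeholders (vendor prefix from the guide, rest arbitrary).
SAMPLE_VMAC = {0: "00:1b:17:00:aa:01", 1: "00:1b:17:00:bb:01"}


def ip_modulo(src_ip):
    """IP Modulo: parity of the source address selects Device ID 0 or 1."""
    return int(ipaddress.ip_address(src_ip)) % 2


def ip_hash(src_ip, dst_ip):
    """IP Hash: a hash of source and destination addresses selects the Device ID.
    CRC32 is an assumption standing in for the firewall's unspecified hash."""
    data = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return zlib.crc32(data) % 2


class ArpLoadSharingGateway:
    """Both peers share one gateway IP; each answers ARP with its own virtual MAC."""

    def __init__(self, shared_ip, vmac_by_device, algorithm="modulo"):
        self.shared_ip = shared_ip
        self.vmac = vmac_by_device           # Device ID -> virtual MAC
        self.algorithm = algorithm           # "modulo" or "hash" of the source IP
        self.online = {0: True, 1: True}

    def mark_failed(self, device):
        self.online[device] = False
        return self

    def select(self, src_ip):
        if self.algorithm == "modulo":
            return ip_modulo(src_ip)
        return zlib.crc32(ipaddress.ip_address(src_ip).packed) % 2   # assumed hash

    def answer_arp(self, src_ip, target_ip):
        """(Device ID, virtual MAC) of the peer that answers the ARP request,
        or None when the request is not for the shared gateway address."""
        if target_ip != self.shared_ip:
            return None
        device = self.select(src_ip)
        if not self.online[device]:
            device = 1 - device              # surviving peer takes over the shared IP
        return device, self.vmac[device]


def session_setup_device(option, src_ip, dst_ip):
    """Device ID that performs Layer 2 through Layer 4 setup of a new session."""
    if option == "ip-modulo":
        return ip_modulo(src_ip)
    if option == "ip-hash":
        return ip_hash(src_ip, dst_ip)
    raise ValueError(f"unknown session setup option: {option}")


def first_packet_path(receiving_device, src_ip, dst_ip, setup_option="ip-modulo",
                      owner_option="first-packet", active_primary=0):
    """Hops a new session's first packet takes, following the numbered steps above.
    First Packet: the receiving firewall owns the session. Primary Device: the
    active-primary owns it and (per the guide) also performs session setup."""
    if owner_option == "primary-device":
        owner = setup = active_primary
    else:
        owner = receiving_device
        setup = session_setup_device(setup_option, src_ip, dst_ip)
    hops = [f"{PEER_NAME[receiving_device]} receives packet"]
    if owner != receiving_device:
        hops.append(f"HA3 -> {PEER_NAME[owner]} (session owner)")
    if setup != owner:
        hops.append(f"HA3 -> {PEER_NAME[setup]} (session setup)")
        hops.append(f"HA3 -> {PEER_NAME[owner]} (Layer 7 processing)")
    hops.append(f"{PEER_NAME[owner]} forwards out egress interface")
    return hops
```

Running `first_packet_path(0, "10.1.1.21", "203.0.113.5")` reproduces the six-step path in the text: the odd source address sends setup to FW2 over HA3 and the packet returns to FW1 for Layer 7 processing, whereas an even source keeps both functions on FW1 and never touches HA3.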
NAT in Active/Active HA Mode
In an active/active HA configuration:
- You must bind each Dynamic IP (DIP) NAT rule and Dynamic IP and Port (DIPP) NAT rule to either Device ID 0 or Device ID 1.
- You must bind each static NAT rule to either Device ID 0, Device ID 1, both Device IDs, or the firewall in active-primary state.
Thus, when one of the firewalls creates a new session, the Device ID 0 or Device ID 1 binding determines which NAT rules match the firewall. The device binding must include the session owner firewall to produce a match.
The session setup firewall performs the NAT policy match, but the NAT rules are evaluated based on the session owner. That is, the session is translated according to NAT rules that are bound to the session owner firewall. While performing NAT policy matching, a firewall skips all NAT rules that are not bound to the session owner firewall.
For example, suppose the firewall with Device ID 1 is the session owner and session setup firewall. When the firewall with Device ID 1 tries to match a session to a NAT rule, it skips all rules bound to Device ID 0. The firewall performs the NAT translation only if the session owner and the Device ID in the NAT rule match.
You will typically create device-specific NAT rules when the peer firewalls use different IP addresses for translation.
If one of the peer firewalls fails, the active firewall continues to process traffic for synchronized sessions from the failed firewall, including NAT traffic. In a source NAT configuration, when one firewall fails:
- The floating IP address that is used as the Translated IP address of the NAT rule transfers to the surviving firewall. Hence, the existing sessions that fail over will still use this IP address.
- All new sessions will use the device-specific NAT rules that the surviving firewall naturally owns. That is, the surviving firewall translates new sessions using only the NAT rules that match its Device ID; it ignores any NAT rules bound to the failed Device ID.
If you want the firewalls to perform dynamic NAT using the same IP address simultaneously, a best practice is to create a duplicate NAT rule that is bound to the peer firewall also. The result is two NAT rules with the same translation IP addresses, one bound to Device ID 0 and one bound to Device ID 1. Thus, the configuration allows the current firewall to perform new session setup and perform NAT policy matching for NAT rules that are bound to its Device ID. Without the duplicate NAT rule, the firewall will not find its own device-specific rules and will skip all NAT rules that are not bound to its Device ID when it attempts to match a NAT policy.
For examples of active/active HA with NAT, see:
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
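The device-binding rules of the NAT section above, including the duplicate-rule best practice, as an added example (constructed model, not PAN-OS code or configuration). The binding constraints (DIP/DIPP rules to one Device ID; static rules to 0, 1, both, or the active-primary firewall) and the "skip rules not bound to the session owner" behaviour are from the text; the rule names, zones and translated addresses are assumptions.

```python
"""NAT rule device binding in active/active HA (constructed model)."""
from dataclasses import dataclass

ACTIVE_PRIMARY = "active-primary"


@dataclass(frozen=True)
class NatRule:
    name: str
    kind: str                 # "static", "dip" (Dynamic IP) or "dipp" (Dynamic IP and Port)
    from_zone: str
    to_zone: str
    translated_ip: str
    bound_to: frozenset       # {0}, {1}, {0, 1} or {ACTIVE_PRIMARY}


def validate_binding(rule):
    """DIP/DIPP rules must bind to exactly one Device ID; static rules may bind
    to Device ID 0, 1, both, or the firewall in active-primary state."""
    if rule.kind in ("dip", "dipp"):
        return rule.bound_to in (frozenset({0}), frozenset({1}))
    return rule.bound_to in (frozenset({0}), frozenset({1}), frozenset({0, 1}),
                             frozenset({ACTIVE_PRIMARY}))


def rule_applies(rule, session_owner, active_primary):
    """A rule is a candidate only if its binding includes the session owner."""
    if ACTIVE_PRIMARY in rule.bound_to:
        return session_owner == active_primary
    return session_owner in rule.bound_to


def match_nat(rules, from_zone, to_zone, session_owner, active_primary):
    """First matching rule as evaluated by the session setup firewall on behalf
    of the session owner. Rules bound to the other Device ID are skipped;
    None means no rule matched and the session is not translated."""
    for rule in rules:
        if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
            continue
        if rule_applies(rule, session_owner, active_primary):
            return rule
    return None


# Constructed rule set: the duplicate-rule best practice (same translated
# address, one copy per Device ID) plus a static rule bound to both peers.
RULES = (
    NatRule("src-nat-dev0", "dipp", "trust", "untrust", "10.1.1.100", frozenset({0})),
    NatRule("src-nat-dev1", "dipp", "trust", "untrust", "10.1.1.100", frozenset({1})),
    NatRule("dst-nat-web", "static", "untrust", "dmz", "10.2.2.10", frozenset({0, 1})),
)
# A static rule that follows the active-primary role rather than a Device ID.
PRIMARY_RULE = NatRule("static-primary", "static", "dmz", "untrust", "10.2.2.11",
                       frozenset({ACTIVE_PRIMARY}))


def surviving_rule_names(rules, failed_device):
    """Rules the surviving peer still considers after `failed_device` fails."""
    return [r.name for r in rules if r.bound_to != frozenset({failed_device})]
```

`match_nat(RULES[:1], "trust", "untrust", 1, 0)` returns None: with only the Device ID 0 copy configured, a session owned by Device ID 1 skips it and is left untranslated, which is exactly the gap the duplicate rule closes.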
ECMP in Active/Active HA Mode
When an active/active HA peer fails, its sessions transfer to the new active-primary firewall, which tries to use the same egress interface that the failed firewall was using. If the firewall finds that interface among the ECMP paths, the transferred sessions will take the same egress interface and path. This behavior occurs regardless of the ECMP algorithm in use; using the same interface is desirable.
Only if no ECMP path matches the original egress interface will the active-primary firewall select a new ECMP path.
If you did not configure the same interfaces on the active/active peers, upon failover the active-primary firewall selects the next best path from the FIB table. Consequently, the existing sessions might not be distributed according to the ECMP algorithm.
Set Up Active/Passive HA
- Prerequisites for Active/Passive HA
- Configuration Guidelines for Active/Passive HA
- Configure Active/Passive HA
- Define HA Failover Conditions
- Verify Failover
Prerequisites for Active/Passive HA
To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:
- The same model: Both the firewalls in the pair must be of the same hardware model or virtual machine model.
- The same PAN-OS version: Both the firewalls should be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases.
- The same multi-virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
  - For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.
As a best practice, if you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, Reset the Firewall to Factory Default Settings on the new firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean configuration.
Configuration Guidelines for Active/Passive HA
To set up an active (PeerA) passive (PeerB) pair in HA, you must configure some options identically on both firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized between the firewalls. For details on what is/is not synchronized, see Reference: HA Synchronization.
The following checklist details the settings that you must configure identically on both firewalls:
- You must enable HA on both firewalls.
- You must configure the same Group ID value on both firewalls. The firewall uses the Group ID value to create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses. When a new active firewall takes over, it sends Gratuitous ARP messages from each of its connected interfaces to inform the connected Layer 2 switches of the virtual MAC address's new location.
- If you are using in-band ports as HA links, you must set the interfaces for the HA1 and HA2 links to type HA.
- Set the HA Mode to Active Passive on both firewalls.
- If required, enable preemption on both firewalls. The device priority value, however, must not be identical.
- If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
- Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether you should enable heartbeat backup:
HA functionality (HA1 and HA1 backup) is not supported on the management interface if it's configured for DHCP addressing (IP Type set to DHCP Client), except for AWS.
HA1: Dedicated HA1 port; HA1 Backup: In-band port; Recommendation: Enable Heartbeat Backup
HA1: Dedicated HA1 port; HA1 Backup: Management port; Recommendation: Do not enable Heartbeat Backup
HA1: In-band port; HA1 Backup: In-band port; Recommendation: Enable Heartbeat Backup
HA1: Management port; HA1 Backup: In-band port; Recommendation: Do not enable Heartbeat Backup
The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings that are not automatically synchronized between peers.
For firewalls without dedicated HA ports, use the management port IP address for the control link.
Configure Active/Passive HA
The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology.
To configure an active/passive HA pair, first complete the following workflow on the first firewall and then repeat the steps on the second firewall.
Connect and Configure the Firewalls
Define HA Failover Conditions
Configure the Failover Triggers
Step 1: To configure link monitoring, define the interfaces you want to monitor. A change in the link state of these interfaces will trigger a failover.
1. Select Device > High Availability > Link and Path Monitoring and Add a Link Group.
2. Name the Link Group, Add the interfaces to monitor, and select the Failure Condition for the group. The Link group you define is added to the Link Group section.
If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is unique to each firewall; the Engine ID is not synchronized between the HA pair and, therefore, allows you to independently monitor each firewall in the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager.
Because the Engine ID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique Engine ID for each firewall.
Verify Failover
To test that your HA configuration works properly, trigger a manual failover and verify that the firewalls transition states successfully.
Set Up Active/Active HA
- Prerequisites for Active/Active HA
- Configure Active/Active HA
- Determine Your Active/Active Use Case
Prerequisites for Active/Active HA
To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following requirements:
- The same model: The firewalls in the pair must be of the same hardware model.
- The same PAN-OS version: The firewalls must be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases.
- The same multi-virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - The HA interfaces must be configured with static IP addresses only, not IP addresses obtained from DHCP (except AWS can use DHCP addresses). Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for the peers must be on the same subnet if they are directly connected or are connected to the same switch.
  - For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
  - Each firewall needs a dedicated interface for the HA3 link. The PA-5200 Series and PA-7000 Series firewalls use the HSCI port for HA3. On the remaining platforms, you can configure aggregate interfaces as the HA3 link for redundancy.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.
If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the new firewall. This will ensure that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean config. You will also have to configure local IP addresses.
Configure Active/Active HA
The following procedure describes the basic workflow for configuring your firewalls in an active/active configuration. However, before you begin, Determine Your Active/Active Use Case for configuration examples more tailored to your specific network environment.
To configure active/active, first complete the following steps on one peer and then complete them on the second peer, ensuring that you set the Device ID to different values (0 or 1) on each peer.
Configure Active/Active HA
Step 20: Define HA Failover Conditions.
Determine Your Active/Active Use Case
Determine which type of use case you have and then select the corresponding procedure to configure active/active HA.
If you are using Route-Based Redundancy, Floating IP Address and Virtual MAC Address, or ARP Load Sharing, select the corresponding procedure:
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load Sharing
If you want a Layer 3 active/active HA deployment that behaves like an active/passive deployment, select the following procedure:
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
If you are configuring NAT in Active/Active HA Mode, see the following procedures:
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
Use Case: Configure Active/Active HA with Route-Based Redundancy
The following Layer 3 topology illustrates two PA-7050 firewalls in an active/active HA environment that use Route-Based Redundancy. The firewalls belong to an OSPF area. When a link or firewall fails, OSPF handles the redundancy by redirecting traffic to the functioning firewall.
Configure Active/Active HA with Route-Based Redundancy
Step 5: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Floating IP Addresses
In this Layer 3 interface example, the HA firewalls connect to switches and use floating IP addresses to handle link or firewall failures. The end hosts are each configured with a gateway, which is the floating IP address of one of the HA firewalls. See Floating IP Address and Virtual MAC Address.
Configure Active/Active HA with Floating IP Addresses
Step 7: Configure the peer firewall in the same way, except selecting a different Device ID. For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with ARP Load Sharing
In this example, hosts in a Layer 3 deployment need gateway services from the HA firewalls. The firewalls are configured with a single shared IP address, which allows ARP Load Sharing. The end hosts are configured with the same gateway, which is the shared IP address of the HA firewalls.
Configure Active/Active HA with ARP Load Sharing
Step 2: Configure an HA virtual address. The virtual address is the shared IP address that allows ARP Load Sharing.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Enter or select an Interface.
3. Select the IPv4 or IPv6 tab and click Add.
4. Enter an IPv4 Address or IPv6 Address.
5. For Type, select ARP Load Sharing, which allows both peers to use the virtual IP address for ARP Load Sharing.
Step 7: Configure the peer firewall in the same way, except selecting a different Device ID. For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
In mission-critical data centers, you may want both Layer 3 HA firewalls to participate in path monitoring so that they can detect path failures upstream from both firewalls. Additionally, you prefer to control if and when the floating IP address returns to the recovered firewall after it comes back up, rather than the floating IP address returning to the device ID to which it is bound. (That default behavior is described in Floating IP Address and Virtual MAC Address.)
In this use case, you control when the floating IP address and therefore the active-primary role move back to a recovered HA peer. The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.
In this use case, Cisco Nexus 7010 switches with virtual Port Channels (vPCs) operating in Layer 3 connect to the firewalls. You must configure the Layer 3 switches (router peers) north and south of the firewalls with a route preference to the floating IP address. That is, you must design your network so the route tables of the router peers have the best path to the floating IP address. This example uses static routes with the proper metrics so that the route to the floating IP address uses a lower metric (the route to the floating IP address is preferred) and receives the traffic. An alternative to using static routes would be to design the network to redistribute the floating IP address into the OSPF routing protocol (if you are using OSPF).
The following topology illustrates the floating IP address bound to the active-primary firewall, which is initially Peer A, the firewall on the left.
Upon a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B (shown in the following figure). Peer B remains the active-primary firewall and traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary firewall. You decide if and when to make Peer A the active-primary firewall again.
Binding the floating IP address to the active-primary firewall provides you with more control over how the firewalls determine floating IP address ownership as they move between various HA Firewall States. The following advantages result:
- You can have an active/active HA configuration for path monitoring out of both firewalls, but have the firewalls function like an active/passive HA configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
- When you disable preemption on both firewalls, you have the following additional benefits:
  - The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
  - You can review the functionality of the recovered firewall and the adjacent components before manually directing traffic to it again, which you can do at a convenient downtime.
  - You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.
We strongly recommend that you configure HA link monitoring on the interface(s) that support the floating IP address(es) to allow each HA peer to quickly detect a link failure and fail over to its peer. Both HA peers must have link monitoring for it to function.
We strongly recommend that you configure HA path monitoring to notify each HA peer when a path has failed so a firewall can fail over to its peer. Because the floating IP address is always bound to the active-primary firewall, the firewall cannot automatically fail over to the peer when a path goes down and path monitoring is not enabled.
You cannot configure NAT for a floating IP address that is bound to an active-primary firewall.
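The two ownership rules contrasted in this use case, modelled as an added example (constructed code, not PAN-OS): the default from Floating IP Address and Virtual MAC Address, where the address returns to the firewall with the Device ID it is bound to once that firewall recovers, and this use case's binding to whichever peer is active-primary. The peer names, the Device ID assignment (Peer A is 0, Peer B is 1), and the failure/recovery timeline with preemption disabled are assumptions.

```python
"""Floating IP ownership in active/active HA (constructed model)."""
DEVICE_ID = {"PeerA": 0, "PeerB": 1}                 # assumed assignment
FUNCTIONAL = {"active-primary", "active-secondary"}


def floating_ip_owner(binding, states):
    """Peer that owns the floating IP address.
    binding: 0 or 1 (default: bound to that Device ID) or "active-primary".
    states: HA state per peer, e.g. {"PeerA": "active-primary", "PeerB": ...}."""
    if binding == "active-primary":
        return next((p for p, s in states.items() if s == "active-primary"), None)
    bound_peer = next(p for p, d in DEVICE_ID.items() if d == binding)
    if states[bound_peer] in FUNCTIONAL:
        return bound_peer           # the bound peer is up: address stays or returns here
    return next((p for p, s in states.items() if s in FUNCTIONAL), None)


def replay(binding, timeline):
    """For each event return (event, owner, gratuitous_arp). A gratuitous ARP
    is sent whenever ownership moves, so the switches learn where the
    virtual MAC address now lives."""
    result, previous = [], None
    for event, states in timeline:
        owner = floating_ip_owner(binding, states)
        result.append((event, owner, previous is not None and owner != previous))
        previous = owner
    return result


# Constructed timeline with preemption disabled on both peers: Peer A fails,
# Peer B takes over as active-primary, Peer A recovers as active-secondary.
TIMELINE = [
    ("steady state", {"PeerA": "active-primary", "PeerB": "active-secondary"}),
    ("PeerA fails", {"PeerA": "non-functional", "PeerB": "active-primary"}),
    ("PeerA recovers", {"PeerA": "active-secondary", "PeerB": "active-primary"}),
]


def owners(binding, timeline=TIMELINE):
    """Ownership sequence across the timeline for a given binding."""
    return [owner for _, owner, _ in replay(binding, timeline)]


def gratuitous_arps(binding, timeline=TIMELINE):
    """Which events cause a gratuitous ARP (an ownership move)."""
    return [event for event, _, moved in replay(binding, timeline) if moved]
```

With the default Device ID binding the address bounces back to Peer A the moment it recovers (two ownership moves, two gratuitous ARPs); bound to the active-primary firewall it stays on Peer B until you choose to change the roles, which is the behaviour this use case is designed to give you.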
Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
Step 5: Configure an HA virtual address.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Enter or select an Interface.
3. Select the IPv4 or IPv6 tab and Add an IPv4 Address or IPv6 Address.
4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
5. Click OK.
Step 9: Configure the peer firewall in the same way, except selecting a different Device ID. For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

This Layer 3 interface example uses source NAT in Active/Active HA Mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.

PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.

Configure Active/Active HA with Source DIPP NAT Using Floating IP Address

Step 1  On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.

Step 5  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/1.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.101.
  4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.

Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Define HA Failover Conditions.

Step 8  Configure the peer firewall, PA-3050-1, with the same settings, except for the following changes:
  • Select Device ID 0.
  • Configure an HA virtual address of 10.1.1.100.
  • For Device 1 Priority, enter 255. For Device 0 Priority, enter 0.
    In this example, Device ID 0 has the lower priority value and therefore the higher priority, so the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.
Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

If you want to use IP address pools for source NAT in Active/Active HA Mode, each firewall must have its own pool, which you then bind to a Device ID in a NAT rule.

Address objects and NAT rules are synchronized (in both active/passive and active/active mode), so they need to be configured on only one of the firewalls in the HA pair.

This example configures an address object named DynIPPool-dev0 containing the IP address pool 10.1.1.140-10.1.1.150. It also configures an address object named DynIPPool-dev1 containing the IP address pool 10.1.1.160-10.1.1.170. The first address object is bound to Device ID 0; the second address object is bound to Device ID 1.

Create Address Objects for IP Address Pools for Source NAT in an Active/Active HA Configuration
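The two source NAT use cases above share one invariant: each DIPP rule is bound to exactly one Device ID, the pool (or floating IP) it translates to belongs to that device, and pools bound to different devices never overlap, since otherwise both peers could hand out the same translated address and port. The following added example checks those invariants over a constructed rule set and prints the PAN-OS `set` commands that would create the objects. It is not Palo Alto Networks code: the pools, rules and floating-IP ownership are taken from the use cases, and the exact keywords of `set rulebase nat rules ...` (in particular `active-active-device-binding`) are an assumption to confirm with `?` on the firewall CLI before use.

```python
"""Consistency check for active/active source-NAT rules bound to Device IDs,
plus the 'set' commands that would create them.  Added example, not PAN-OS
code; the data below is constructed and the CLI keyword names are assumed."""

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Set


@dataclass(frozen=True)
class AddressPool:
    name: str
    first: str
    last: str

    def addresses(self) -> Set[IPv4Address]:
        lo, hi = IPv4Address(self.first), IPv4Address(self.last)
        if lo > hi:
            raise ValueError(f"{self.name}: range start is after range end")
        return {IPv4Address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)}


@dataclass(frozen=True)
class SourceNatRule:
    name: str
    device_binding: str   # "0", "1", "both" or "primary"
    translated: str       # address-object (pool) name or a floating IP literal


def check_source_nat(rules: List[SourceNatRule], pools: Dict[str, AddressPool],
                     floating_ip_owner: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the rule set is consistent."""
    problems: List[str] = []
    used: Dict[str, Set[IPv4Address]] = {}   # Device ID -> addresses it translates to
    for rule in rules:
        if rule.device_binding not in ("0", "1"):
            problems.append(f"{rule.name}: DIPP source NAT must be bound to a single Device ID")
            continue
        if rule.translated in pools:
            addrs = pools[rule.translated].addresses()
        elif rule.translated in floating_ip_owner:
            owner = floating_ip_owner[rule.translated]
            if owner != rule.device_binding:
                problems.append(f"{rule.name}: bound to Device ID {rule.device_binding} but "
                                f"floating IP {rule.translated} is owned by Device ID {owner}")
            addrs = {IPv4Address(rule.translated)}
        else:
            problems.append(f"{rule.name}: {rule.translated} is neither a pool nor a floating IP")
            continue
        # Pools bound to different Device IDs must be disjoint.
        for other, other_addrs in used.items():
            if other != rule.device_binding and addrs & other_addrs:
                problems.append(f"{rule.name}: translated addresses overlap with Device ID {other}")
        used.setdefault(rule.device_binding, set()).update(addrs)
    return problems


def set_commands(rules: List[SourceNatRule], pools: Dict[str, AddressPool],
                 from_zone: str = "trust", to_zone: str = "untrust") -> List[str]:
    """CLI lines for the pools and rules (keyword names assumed; verify on the firewall)."""
    lines = [f"set address {p.name} ip-range {p.first}-{p.last}" for p in pools.values()]
    for r in rules:
        lines.append(f"set rulebase nat rules {r.name} from {from_zone} to {to_zone} "
                     f"source any destination any service any source-translation "
                     f"dynamic-ip-and-port translated-address {r.translated} "
                     f"active-active-device-binding {r.device_binding}")
    return lines


# Constructed from the use cases: two pools, and the floating IPs whose Device 0/1
# Priority values give 10.1.1.100 to Device ID 0 and 10.1.1.101 to Device ID 1.
POOLS = {p.name: p for p in (AddressPool("DynIPPool-dev0", "10.1.1.140", "10.1.1.150"),
                             AddressPool("DynIPPool-dev1", "10.1.1.160", "10.1.1.170"))}
FLOATING_OWNER = {"10.1.1.100": "0", "10.1.1.101": "1"}
RULES_OK = [SourceNatRule("src-nat-dev0", "0", "DynIPPool-dev0"),
            SourceNatRule("src-nat-dev1", "1", "DynIPPool-dev1")]
RULES_BAD = [SourceNatRule("src-nat-dev0", "0", "DynIPPool-dev0"),
             SourceNatRule("src-nat-dev1", "1", "DynIPPool-dev0"),   # same pool on both peers
             SourceNatRule("float-dev1", "1", "10.1.1.100")]          # other peer's floating IP

if __name__ == "__main__":
    print("\n".join(set_commands(RULES_OK, POOLS)))
    for problem in check_source_nat(RULES_BAD, POOLS, FLOATING_OWNER):
        print("PROBLEM:", problem)
```

Because address objects and NAT rules synchronize between the peers, a check like this only has to run against the configuration of the firewall you commit on.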
Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load-Sharing with destination NAT. Both HA firewalls respond to an ARP request for the destination NAT address with the ingress interface MAC address. Destination NAT translates the public, shared IP address (in this example, 10.1.1.200) to the private IP address of the server (in this example, 192.168.2.200).

When the HA firewalls receive traffic for the destination 10.1.1.200, both firewalls could possibly respond to the ARP request, which could cause network instability. To avoid the potential issue, configure the firewall that is in active-primary state to respond to the ARP request by binding the destination NAT rule to the active-primary firewall.

Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Step 1  On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.

Step 4  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/1.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
  4. For Type, select ARP Load Sharing, which configures the virtual IP address for both peers to use for ARP Load-Sharing.

Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Step 7  Define HA Failover Conditions.

Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.
Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load-Sharing. PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1.

In this use case, both of the HA firewalls must respond to an ARP request for the destination NAT address. Traffic can arrive at either firewall from either WAN router in the untrust zone. Destination NAT translates the public-facing, shared IP address to the private IP address of the server. The configuration requires one destination NAT rule bound to both Device IDs so that both firewalls can respond to ARP requests.

Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

Step 1  On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.

Step 2  Enable active/active HA.
  1. Select Device > High Availability > General > Setup and edit.
  2. Select Enable HA.
  3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  4. (Optional) Enter a Description.
  5. For Mode, select Active Active.
  6. Select Device ID to be 1.
  7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  10. Click OK.

Step 4  Configure an HA virtual address.
  1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  2. Select Interface eth1/2.
  3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
  4. For Type, select ARP Load Sharing, which configures the virtual IP address for both peers to use for ARP Load-Sharing.

Step 6  Enable jumbo frames on firewalls other than PA-7000 Series firewalls.

Step 7  Define HA Failover Conditions.

Step 9  Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except set the Device ID to 0 instead of 1.
HA Firewall States

An HA firewall can be in one of the following states:

Reference: HA Synchronization

If you have enabled configuration synchronization on both peers in an HA pair, most of the configuration settings you configure on one peer will automatically sync to the other peer upon commit. To avoid configuration conflicts, always make configuration changes on the active (active/passive) or active-primary (active/active) peer and wait for the changes to sync to the peer before making any additional configuration changes.

Only committed configurations synchronize between HA peers. Any configuration in the commit queue at the time of an HA sync will not be synchronized.

The following topics identify which configuration settings you must configure on each firewall independently (these settings are not synchronized from the HA peer):
• What Settings Don't Sync in Active/Passive HA?
• What Settings Don't Sync in Active/Active HA?
• Synchronization of System Runtime Information
What Settings Don't Sync in Active/Passive HA?

You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Passive?

Management Interface Settings
  All management configuration settings must be configured individually on each firewall, including:
  • Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    NOTE: The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  • Device > Setup > Management > Management Interface Settings: IP Type, IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP).

Multi-vsys Capability
  You must activate the Virtual Systems license on each firewall in the pair to increase the number of virtual systems beyond the base number provided by default on PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls. You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings
  You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Global Service Routes
  Device > Setup > Services > Service Route Configuration

Data Protection
  Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames
  Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings
  Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

Master Key Secured by HSM
  Device > Setup > HSM > Hardware Security Module Provider > Master Key Secured by HSM

Software Updates
  With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. (Device > Software)

GlobalProtect Agent Package
  With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer. (Device > GlobalProtect Client)

Content Updates
  With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. (Device > Dynamic Updates)

Master Key
  The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics). Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, Logs, and Dashboard Settings
  Log data, reports, and Dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.
What Settings Don't Sync in Active/Active HA?

You must configure the following settings on each firewall in an HA pair in an active/active deployment. These settings do not sync from one peer to another.

Configuration Item: What Doesn't Sync in Active/Active?

Management Interface Settings
  You must configure all management settings individually on each firewall, including:
  • Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    NOTE: The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  • Device > Setup > Management > Management Interface Settings: IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP).

Multi-vsys Capability
  You must activate the Virtual Systems license on each firewall in the pair to increase the number of virtual systems beyond the base number provided by default on PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls. You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).

Administrator Authentication Settings
  You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).

Global Service Routes
  Device > Setup > Services > Service Route Configuration

Data Protection
  Device > Setup > Content-ID > Manage Data Protection

Jumbo Frames
  Device > Setup > Session > Session Settings > Enable Jumbo Frame

Forward Proxy Server Certificate Settings
  Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings

Software Updates
  With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. (Device > Software)

GlobalProtect Agent Package
  With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer. (Device > GlobalProtect Client)

Content Updates
  With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. (Device > Dynamic Updates)

Ethernet Interface IP Addresses
  All Ethernet interface configuration settings sync except for the IP address (Network > Interface > Ethernet).

Loopback Interface IP Addresses
  All Loopback interface configuration settings sync except for the IP address (Network > Interface > Loopback).

LACP System Priority
  Each peer must have a unique LACP System ID in an active/active deployment (Network > Interface > Ethernet > Add Aggregate Group > System Priority).

IPSec Tunnels
  IPSec tunnel configuration synchronization depends on whether you have configured the Virtual Addresses to use Floating IP addresses (Device > High Availability > Active/Active Config > Virtual Address). If you have configured a floating IP address, these settings sync automatically. Otherwise, you must configure these settings independently on each peer.

GlobalProtect Portal Configuration
  GlobalProtect portal configuration synchronization depends on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Portals). If you have configured a floating IP address, the GlobalProtect portal configuration settings sync automatically. Otherwise, you must configure the portal settings independently on each peer.

GlobalProtect Gateway Configuration
  GlobalProtect gateway configuration synchronization depends on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Gateways). If you have configured a floating IP address, the GlobalProtect gateway configuration settings sync automatically. Otherwise, you must configure the gateway settings independently on each peer.

LLDP
  No LLDP state or individual firewall data is synchronized in an active/active configuration (Network > Network Profiles > LLDP).

BFD
  No BFD configuration or BFD session data is synchronized in an active/active configuration (Network > Network Profiles > BFD Profile).

IKE Gateways
  IKE gateway configuration synchronization depends on whether you have configured the Virtual Addresses to use floating IP addresses (Network > IKE Gateways). If you have configured a floating IP address, the IKE gateway configuration settings sync automatically. Otherwise, you must configure the IKE gateway settings independently on each peer.

Master Key
  The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics). Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.

Reports, Logs, and Dashboard Settings
  Log data, reports, and dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.
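A practical use of the two tables above is a drift check: pull the running configuration from both peers, ignore the subtrees the tables say are per-firewall, and report any other difference, since that is a change that was committed on one peer while sync was off or queued. The following added example does that over two constructed device-entry snippets; it is not Palo Alto Networks code, and the XPath prefixes it ignores (`deviceconfig/system/hostname`, `network/interface/ethernet/entry/layer3/ip` and so on) are an approximation of the PAN-OS configuration tree that you should adjust after inspecting a real `show config running` output. Note how the same pair of configs yields different findings depending on the HA mode.

```python
"""Drift check between the configs of two HA peers, ignoring the settings the
tables above list as configured per firewall.  Added example (not PAN-OS
code); the snippets are constructed and the tag paths are an approximation."""

import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Tag paths relative to the device entry (entry names stripped) that are expected
# to differ between peers.  Assumed to mirror the PAN-OS tree; adjust as needed.
PER_FIREWALL_PATHS: Dict[str, Tuple[str, ...]] = {
    "active/passive": (
        "deviceconfig/system/hostname",
        "deviceconfig/system/domain",
        "deviceconfig/system/ip-address",
        "deviceconfig/system/netmask",
        "deviceconfig/system/default-gateway",
        "deviceconfig/system/timezone",
        "deviceconfig/system/service",          # management interface services
        "deviceconfig/system/route",            # service routes
        "deviceconfig/setting/jumbo-frame",
        "deviceconfig/high-availability",
    ),
}
# Active/active additionally keeps interface IPs, LLDP and BFD per firewall.
PER_FIREWALL_PATHS["active/active"] = PER_FIREWALL_PATHS["active/passive"] + (
    "network/interface/ethernet/entry/layer3/ip",
    "network/interface/loopback/units/entry/ip",
    "network/lldp",
    "network/profiles/bfd-profile",
)


def flatten(root: ET.Element) -> Dict[str, Tuple[str, str]]:
    """Map each leaf to (tag path, text).  Keys keep entry names, e.g.
    'network/interface/ethernet/entry[ethernet1/1]/layer3/mtu'; tag paths drop them."""
    leaves: Dict[str, Tuple[str, str]] = {}

    def walk(node: ET.Element, tag_path: str, key: str) -> None:
        for child in node:
            tp = f"{tag_path}/{child.tag}" if tag_path else child.tag
            k = f"{key}/{child.tag}" if key else child.tag
            if child.get("name") is not None:
                k += f"[{child.get('name')}]"
            if len(child) == 0:
                leaves[k] = (tp, (child.text or "").strip())
            else:
                walk(child, tp, k)

    walk(root, "", "")
    return leaves


def ha_config_drift(peer_a_xml: str, peer_b_xml: str, mode: str) -> List[str]:
    """Return leaves that differ between the peers and are not expected to."""
    ignore = PER_FIREWALL_PATHS[mode]
    a, b = flatten(ET.fromstring(peer_a_xml)), flatten(ET.fromstring(peer_b_xml))
    drift: List[str] = []
    for key in sorted(set(a) | set(b)):
        tag_path = (a.get(key) or b.get(key))[0]
        if tag_path.startswith(ignore):
            continue  # documented as per-firewall, so a difference is expected
        va = a.get(key, (tag_path, "<missing>"))[1]
        vb = b.get(key, (tag_path, "<missing>"))[1]
        if va != vb:
            drift.append(f"{key}: {va!r} vs {vb!r}")
    return drift


# Constructed device entries shaped like the <entry name="localhost.localdomain">
# subtree of a PAN-OS config.  Peer B carries a security-rule change that never synced.
PEER_A = """<entry name="localhost.localdomain">
  <deviceconfig>
    <system><hostname>PA-3050-1</hostname><ip-address>192.0.2.11</ip-address>
      <service><disable-telnet>yes</disable-telnet></service></system>
    <setting><jumbo-frame><mtu>9192</mtu></jumbo-frame></setting>
  </deviceconfig>
  <network><interface><ethernet><entry name="ethernet1/1"><layer3>
    <ip><entry name="10.1.1.1/24"/></ip></layer3></entry></ethernet></interface></network>
  <vsys><entry name="vsys1"><rulebase><security><rules>
    <entry name="allow-web"><action>allow</action></entry>
  </rules></security></rulebase></entry></vsys>
</entry>"""
PEER_B = (PEER_A.replace("PA-3050-1", "PA-3050-2").replace("192.0.2.11", "192.0.2.12")
          .replace("10.1.1.1/24", "10.1.1.2/24").replace("<action>allow", "<action>deny"))

if __name__ == "__main__":
    for mode in PER_FIREWALL_PATHS:
        print(mode, ha_config_drift(PEER_A, PEER_B, mode))
```

In active/active mode only the security-rule action is reported, because differing interface IPs are expected there; in active/passive mode the interface IP difference is reported too, because Ethernet interface settings sync in that mode and a mismatch means the peers have diverged.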
Synchronization of System Runtime Information

The following summarizes which system runtime information is synchronized between HA peers in active/passive (A/P) and active/active (A/A) mode.

Management Plane
  DNS Cache: A/P No; A/A No; N/A
  FQDN Refresh: A/P No; A/A No; N/A
  BrightCloud URL Database: A/P No; A/A No; N/A

Dataplane
  DoS Block List Entries: A/P No; A/A No; N/A
Use the Dashboard

The Dashboard tab widgets show general firewall information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. All of the available widgets are displayed by default, but each administrator can remove and add individual widgets, as needed. Click the refresh icon to update the dashboard or an individual widget. To change the automatic refresh interval, select an interval from the drop-down (1 min, 2 mins, 5 mins, or Manual). To add a widget to the dashboard, click the widget drop-down, select a category and then the widget name. To delete a widget, click the X icon in its title bar. The following table describes the dashboard widgets.

Dashboard Charts: Descriptions

Top Applications
  Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk, from green (lowest) to red (highest). Click an application to view its application profile.

Top High Risk Applications
  Similar to Top Applications, except that it displays the highest-risk applications with the most sessions.

General Information
  Displays the firewall name, model, PAN-OS software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.

Interface Status
  Indicates whether each interface is up (green), down (red), or in an unknown state (gray).

Threat Logs
  Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or a URL that violates the URL filtering profile.

Config Logs
  Displays the administrator username, client (Web or CLI), and date and time for the last 10 entries in the Configuration log.

Data Filtering Logs
  Displays the description and date and time for the last 60 minutes in the Data Filtering log.

URL Filtering Logs
  Displays the description and date and time for the last 60 minutes in the URL Filtering log.

System Logs
  Displays the description and date and time for the last 10 entries in the System log. A "Config installed" entry indicates configuration changes were committed successfully.

System Resources
  Displays the Management CPU usage, Data Plane usage, and the Session Count, which displays the number of sessions established through the firewall.

Logged In Admins
  Displays the source IP address, session type (Web or CLI), and session start time for each administrator who is currently logged in.

ACC Risk Factor
  Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher values indicate higher risk.

High Availability
  If high availability (HA) is enabled, indicates the HA status of the local and peer firewall: green (active), yellow (passive), or black (other). For more information about HA, see High Availability.

Locks
  Shows configuration locks taken by administrators.
Use the Application Command Center

The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic patterns and actionable information on threats. The ACC layout includes a tabbed view of network activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better visualization of network traffic. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, so that you can uncover anomalies or find ways to enhance your network security rules. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.
• ACC First Look
• ACC Tabs
• ACC Widgets (Widget Descriptions)
• ACC Filters
• Interact with the ACC
• Use Case: ACC Path of Information Discovery

ACC First Look

Take a quick tour of the ACC.

Tabs
  The ACC includes three predefined tabs that provide visibility into network traffic, threat activity, and blocked activity. For information on each tab, see ACC Tabs.

Widgets
  Each tab includes a default set of widgets that best represent the events/trends associated with the tab. The widgets allow you to survey the data using the following filters:
  • bytes (in and out)
  • sessions
  • content (files and data)
  • URL categories
  • threats (and count)
  For information on each widget, see ACC Widgets.

Time
  The charts or graphs in each widget provide a summary and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days. The selected time period applies across all tabs in the ACC.
  The time period used to render data, by default, is the Last Hour, updated in 15-minute intervals. The date and time interval are displayed on screen; for example, at 11:40 the time range is 01/12 10:30:00-01/12 11:29:59.

Source
  The data used for the ACC display. The options vary on the firewall and on Panorama.
  On the firewall, if enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include data from all virtual systems or just a selected virtual system.
  On Panorama, you can select the Device Group drop-down to change the ACC display to include data from all device groups or just a selected device group. Additionally, on Panorama, you can change the Data Source to Panorama data or Remote Device Data. Remote Device Data is only available when all the managed firewalls are on PAN-OS 7.0.0 or later. When you filter the display for a specific device group, Panorama data is used as the data source.

Export
  You can export the widgets displayed in the currently selected tab as a PDF. The PDF is downloaded and saved to the downloads folder associated with your web browser, on your computer.

ACC Tabs

The ACC includes the following predefined tabs for viewing network activity, threat activity, and blocked activity.

You can also Interact with the ACC to create customized tabs with a custom layout and widgets that meet your network monitoring needs, and export the tab and share it with another administrator.
ACC Widgets

The widgets on each tab are interactive; you can set the ACC Filters and drill down into the details for each table or graph, or customize the widgets included in the tab to focus on the information you need. For details on what each widget displays, see Widget Descriptions.

Widgets

View
  You can sort the data by bytes, sessions, threats, count, content, URLs, malicious, benign, files, applications, data, profiles, objects, users. The available options vary by widget.

Graph
  The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked bar graph, and map. The available options vary by widget; the interaction experience also varies with each graph type. For example, the widget for Applications using Non Standard Ports allows you to choose between a treemap and a line graph.
  To drill down into the display, click into the graph. The area you click into becomes a filter and allows you to zoom in to the selection and view more granular information on the selection.

Table
  The detailed view of the data used to render the graph is provided in a table below the graph. You can interact with the table in several ways:
  • Click and set a local filter for an attribute in the table. The graph is updated and the table is sorted using the local filter. The information displayed in the graph and the table is always synchronized.
  • Hover over the attribute in the table and use the options available in the drop-down.

Actions
  • Maximize view: Allows you to enlarge the widget and view the table in a larger screen space and with more viewable information.
  • Set up local filters: Allows you to add ACC Filters to refine the display within the widget. Use these filters to customize the widgets; these customizations are retained between logins.
  • Jump to logs: Allows you to directly navigate to the logs (Monitor > Logs > <log-type> tab). The logs are filtered using the time period for which the graph is rendered. If you have set local and global filters, the log query concatenates the time period and the filters and only displays logs that match the combined filter set.
  • Export: Allows you to export the graph as a PDF. The PDF is downloaded and saved on your computer, in the Downloads folder associated with your web browser.
Widget Descriptions

Each tab on the ACC includes a different set of widgets.

Network Activity
  Displays an overview of traffic and user activity on your network.

Threat Activity
  Displays an overview of the threats on the network.

Blocked Activity
  Focuses on traffic that was prevented from coming into the network.
ACC Filters

The graphs and tables on the ACC widgets allow you to use filters to narrow the scope of data that is displayed, so that you can isolate specific attributes and analyze information you want to view in greater detail. The ACC supports the simultaneous use of widget and global filters.
• Widget Filters: Apply a widget filter, which is a filter that is local to a specific widget. A widget filter allows you to interact with the graph and customize the display so that you can drill down into the details and access the information you want to monitor on a specific widget. To create a widget filter that is persistent across reboots, you must use the Set Local Filter option.
• Global filters: Apply global filters across all the tabs in the ACC. A global filter allows you to pivot the display around the details you care about right now and exclude the unrelated information from the current display. For example, to view all events relating to a specific user and application, you can apply the username and the application as a global filter and view only information pertaining to the user and the application through all the tabs and widgets on the ACC. Global filters are not persistent.

You can apply global filters in three ways:
• Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
• Add a widget filter to a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget and apply the attribute globally to update the display across all the tabs on the ACC.
• Define a global filter: Define a filter using the Global Filters pane on the ACC.

See Interact with the ACC for details on using these filters.
Interact with the ACC

To customize and refine the ACC display, you can add, delete, export and import tabs, add and delete widgets, set local and global filters, and interact with the widgets.

Work with the Tabs and Widgets

Edit a tab.
  Select the tab, and click the pencil icon next to the tab name, to edit the tab. Editing a tab allows you to add, delete, or reset the widgets that are displayed in the tab. You can also change the widget layout in the tab. To save the tab as the default tab, select the default-tab icon.

Export and import tabs.
  1. Select the tab, and click the pencil icon next to the tab name, to edit the tab.
  2. Select the export icon to export the current tab as a .txt file. You can share this .txt file with another administrator.
  3. To import the tab as a new tab on another firewall, select the import icon along the list of tabs, add a name, click the import icon, and browse to select the .txt file.

See what widgets are included in a tab.
  1. Select the tab, and click the pencil icon to edit it.
  2. Select the Add Widget drop-down and verify the widgets that have their check boxes selected.

Add a widget or a widget group.
  1. Add a new tab or edit a predefined tab.
  2. Select Add Widget, and then select the check box that corresponds to the widget you want to add. You can select up to a maximum of 12 widgets.
  3. (Optional) To create a 2-column layout, select Add Widget Group. You can drag and drop widgets into the 2-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget. You cannot name a widget group.

Delete a tab or a widget group/widget.
  1. To delete a custom tab, select the tab and click the X icon. You cannot delete a predefined tab.
  2. To delete a widget group/widget, edit the tab and, in the workspace section, click the [X] icon on the right. You cannot undo a deletion.

Zoom in on the details in an area, column, or line graph.
  Click and drag an area in the graph to zoom in. For example, when you zoom in to a line graph, it triggers a re-query and the firewall fetches the data for the selected time period. It is not a mere magnification.

Use the table drop-down to find more information on an attribute.
  1. Hover over an attribute in a table to see the drop-down.
  2. Click into the drop-down to view the available options:
     • Global Find: Use Global Find to search the firewall or Panorama management server for references to the attribute (username/IP address, object name, policy rule name, threat ID, or application name) anywhere in the candidate configuration.
     • Value: Displays the details of the threat ID, application name, or address object.
     • Who Is: Performs a domain name (WHOIS) lookup for the IP address. The lookup queries databases that store the registered users or assignees of an Internet resource.
     • Search HIP Report: Uses the username or IP address to find matches in a HIP Match report.

Set a global filter from a table.
  1. Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute.
  2. Click the icon that appears to view the list of filters you can apply.

Promote a widget filter to a global filter.
  1. On any table in a widget, click the link for an attribute. This sets the attribute as a widget filter.
  2. To promote the filter to a global filter, select the arrow to the right of the filter.

See what filters are in use.
  For global filters: The number of global filters applied is displayed on the left pane under Global Filters.
  For widget filters: The number of widget filters applied on a widget is displayed next to the widget name. To view the filters, click the filter icon.

Reset the display on a widget.
  If you set a widget filter or drill into a graph, click the Home link to reset the display in the widget.
Use Case: ACC Path of Information Discovery

The ACC has a wealth of information that you can use as a starting point for analyzing network traffic. Let's look at an example of using the ACC to uncover events of interest. This example illustrates how you can use the ACC to ensure that legitimate users can be held accountable for their actions, detect and track unauthorized activity, and detect and diagnose compromised hosts and vulnerable systems on your network.

The widgets and filters in the ACC give you the capability to analyze the data and filter the views based on events of interest or concern. You can trace events that pique your interest, directly export a PDF of a tab, access the raw logs, and save a personalized view of the activity that you want to track. These capabilities make it possible for you to monitor activity and develop policies and countermeasures for fortifying your network against malicious activity. In this section, you will Interact with the ACC widgets across different tabs, drill down using widget filters, pivot the ACC views using global filters, and export a PDF for sharing with incident response or IT teams.

At first glance, you see the Application Usage and User Activity widgets in the ACC > Network Activity tab. The User Activity widget shows that user Marsha Wirth has transferred 718 Megabytes of data during the last hour. This volume is nearly six times more than any other user on the network. To see the trend over the past few hours, expand the Time period to the Last 6 Hrs; now Marsha's activity has been 6.5 Gigabytes over 891 sessions and has triggered 38 threat signatures.

Because Marsha has transferred a large volume of data, apply her username as a global filter (ACC Filters) and pivot all the views in the ACC to Marsha's traffic activity.

The Application Usage tab now shows that the top application that Marsha used was rapidshare, a Swiss-owned file hosting site that belongs to the file-sharing URL category. For further investigation, add rapidshare as a global filter, and view Marsha's activity in the context of rapidshare.

Consider whether you want to sanction rapidshare for company use. Should you allow uploads to this site, and do you need a QoS policy to limit bandwidth?

To view which IP addresses Marsha has communicated with, check the Destination IP Activity widget, and view the data by bytes and by URLs.

To find out which countries Marsha communicated with, sort on sessions in the Destination Regions widget. From this data, you can confirm that Marsha, a user on your network, has established sessions in Korea and the European Union, and she logged 19 threats in her sessions within the United States.

To look at Marsha's activity from a threat perspective, remove the global filter for rapidshare. In the Threat Activity widget on the Threat Activity tab, view the threats. The widget displays that her activity had triggered a match for 26 vulnerabilities in the overflow, DoS and code-execution threat category. Several of these vulnerabilities are of critical severity.

To further drill down into each vulnerability, click into the graph and narrow the scope of your investigation. Each click automatically applies a local filter on the widget.

Notice that this Microsoft code execution vulnerability was triggered over email, by the imap application. You can now establish that Marsha has IE vulnerabilities and email attachment vulnerabilities, and perhaps her computer needs to be patched. You can now either navigate to the Blocked Threats widget in the Blocked Activity tab to check how many of these vulnerabilities were blocked, or check the Rule Usage widget on the Network Activity tab to discover how many vulnerabilities made it into your network and which security rule allowed this traffic, and navigate directly to the security rule using the Global Find capability.

Then, drill into why imap used a non-standard port, 43206, instead of port 143, which is the default port for the application. Consider modifying the security policy rule to allow applications to only use the default port for the application, or assess whether this port should be an exception on your network.

To review if any threats were logged over imap, check Marsha's activity in the WildFire Activity by Application widget in the Threat Activity tab. You can confirm that Marsha had no malicious activity, but to verify that no other user was compromised by the imap application, negate Marsha as a global filter and look for other users who triggered threats over imap.

Click into the bar for imap in the graph and drill into the inbound threats associated with the application. To find out who an IP address is registered to, hover over the attacker IP address and select the Who Is link in the drop-down.

You have now used the ACC to review network data/trends to find which applications or users are generating the most traffic, and how many applications are responsible for the threats seen on the network. You were able to identify which application(s) and user(s) generated the traffic, determine whether the application was on the default port and which policy rule(s) allowed the traffic into the network, and determine whether the threat is spreading laterally on the network. You also identified the destination IP addresses and geolocations with which hosts on the network are communicating. Use the conclusions from your investigation to craft goal-oriented policies that can secure users and your network.
Use the App Scope Reports
The App Scope reports provide visibility and analysis tools to help pinpoint problematic behavior, helping you understand changes in application usage and user activity, users and applications that take up most of the network bandwidth, and identify network threats.
With the App Scope reports, you can quickly see if any behavior is unusual or unexpected. Each report provides a dynamic, user-customizable window into the network; hovering the mouse over and clicking either the lines or bars on the charts opens detailed information about the specific application, application category, user, or source on the ACC. The App Scope charts on Monitor > App Scope give you the ability to:
Toggle the attributes in the legend to only view chart details that you want to review. The ability to include or exclude data from the chart allows you to change the scale and review details more closely.
Click into an attribute in a bar chart and drill down to the related sessions in the ACC. Click into an Application name, Application Category, Threat Name, Threat Category, Source IP address or Destination IP address on any bar chart to filter on the attribute and view the related sessions in the ACC.
Export a chart or map to PDF or as an image. For portability and offline viewing, you can Export charts and maps as PDFs or PNG images.
The following App Scope reports are available:
Summary Report
Change Monitor Report
Threat Monitor Report
Threat Map Report
Network Monitor Report
Traffic Map Report
Summary Report
Change Monitor Report
The Change Monitor Report contains the following buttons and options.
Button         Description
Top 10         Determines the number of records with the highest measurement included in the chart.
Application    Determines the type of item reported: Application, Application Category, Source, or Destination.
Gainers        Displays measurements of items that have increased over the measured period.
Losers         Displays measurements of items that have decreased over the measured period.
New            Displays measurements of items that were added over the measured period.
Dropped        Displays measurements of items that were discontinued over the measured period.
Filter         Applies a filter to display only the selected item. None displays all entries.
(icon button)  Determines whether to display session or byte information.
Sort           Determines whether to sort entries by percentage or raw growth.
Export         Exports the graph as a .png image or as a PDF.
Compare        Specifies the period over which the change measurements are taken.
Threat Monitor Report
Each threat type is color-coded as indicated in the legend below the chart. The Threat Monitor report contains the following buttons and options.
Button         Description
Top 10         Determines the number of records with the highest measurement included in the chart.
Threats        Determines the type of item measured: Threat, Threat Category, Source, or Destination.
Filter         Applies a filter to display only the selected type of items.
(icon button)  Determines whether the information is presented in a stacked column chart or a stacked area chart.
Export         Exports the graph as a .png image or as a PDF.
(icon button)  Specifies the period over which the measurements are taken.
Threat Map Report
The Threat Map report contains the following buttons and options.
Button         Description
Top 10         Determines the number of records with the highest measurement included in the chart.
Filter         Applies a filter to display only the selected type of items.
Export         Exports the graph as a .png image or as a PDF.
(icon button)  Indicates the period over which the measurements are taken.
Network Monitor Report
The Network Monitor report contains the following buttons and options.
Button         Description
Top 10         Determines the number of records with the highest measurement included in the chart.
Application    Determines the type of item reported: Application, Application Category, Source, or Destination.
Filter         Applies a filter to display only the selected item. None displays all entries.
(icon button)  Determines whether to display session or byte information.
Export         Exports the graph as a .png image or as a PDF.
(icon button)  Determines whether the information is presented in a stacked column chart or a stacked area chart.
(icon button)  Indicates the period over which the change measurements are taken.
Traffic Map Report
Each traffic type is color-coded as indicated in the legend below the chart. The Traffic Map report contains the following buttons and options.
Button         Description
Top 10         Determines the number of records with the highest measurement included in the chart.
(icon button)  Determines whether to display session or byte information.
Export         Exports the graph as a .png image or as a PDF.
(icon button)  Indicates the period over which the change measurements are taken.
Use the Automated Correlation Engine
The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on your network. The engine correlates a series of related threat events that, when combined, indicate a likely compromised host on your network or some other higher-level conclusion. It pinpoints areas of risk, such as compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns and, when a match occurs, it generates a correlated event.
The following models support the automated correlation engine:
Panorama M-Series appliances and virtual appliances
PA-7000 Series firewalls
PA-5200 Series firewalls
PA-5000 Series firewalls
PA-3000 Series firewalls
Automated Correlation Engine Concepts
View the Correlated Objects
Interpret Correlated Events
Use the Compromised Hosts Widget in the ACC
Automated Correlation Engine Concepts
The automated correlation engine uses correlation objects to analyze the logs for patterns and, when a match occurs, it generates a correlated event.
Correlation Object
Correlated Events
Correlation Object
A correlation object is a definition file that specifies patterns to match against, the data sources to use for the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity. When the match conditions are met, a correlated event is logged.
A correlation object can connect isolated network events and look for patterns that indicate a more significant event. These objects identify suspicious traffic patterns and network anomalies, including suspicious IP activity, known command-and-control activity, known vulnerability exploits, or botnet activity that, when correlated, indicate with a high probability that a host on the network has been compromised.
Correlation objects are defined and developed by the Palo Alto Networks Threat Research team, and are delivered with the weekly dynamic updates to the firewall and Panorama. To obtain new correlation objects, the firewall must have a Threat Prevention license. Panorama requires a support license to get the updates.
The patterns defined in a correlation object can be static or dynamic. Correlation objects that include patterns observed in WildFire are dynamic, and can correlate malware patterns detected by WildFire with command-and-control activity initiated by a host that was targeted with the malware on your network, or with activity seen by a Traps-protected endpoint on Panorama. For example, when a host submits a file to the WildFire cloud and the verdict is malicious, the correlation object looks for other hosts or clients on the network that exhibit the same behavior seen in the cloud. If the malware sample had performed a DNS query and browsed to a malware domain, the correlation object will parse the logs for a similar event. When the activity on a host matches the analysis in the cloud, a high-severity correlated event is logged.
Correlated Events
A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. To Interpret Correlated Events and to view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
View the Correlated Objects
View the Correlation Objects Available on the Firewall
Step 2  View the details on each correlation object. Each object provides the following information:
Name and Title: The name and title indicate the type of activity that the correlation object detects. The name column is hidden from view by default. To view the definition of the object, unhide the column and click the name link.
ID: A unique number that identifies the correlation object; this column is also hidden by default. The IDs are in the 6000 series.
Category: A classification of the kind of threat or harm posed to the network, user, or host. For now, all the objects identify compromised hosts on the network.
State: Indicates whether the correlation object is enabled (active) or disabled (inactive). All the objects in the list are enabled by default, and are hence active. Because these objects are based on threat intelligence data and are defined by the Palo Alto Networks Threat Research team, keep the objects active in order to track and detect malicious activity on your network.
Description: Specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the sequence of conditions that are matched on to identify acceleration or escalation of malicious activity or suspicious host behavior. For example, the Compromise Lifecycle object detects a host involved in a complete attack lifecycle in a three-step escalation that starts with scanning or probing activity, progressing to exploitation, and concluding with network contact to a known malicious domain.
For more information, see Automated Correlation Engine Concepts and Use the Automated Correlation Engine.
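To make the concepts concrete, here is a toy correlation engine written for this guide as an added illustration; it is not the PAN-OS engine, and the Compromise Lifecycle object below is a constructed stand-in (placeholder object ID, constructed log entries) for the three-step escalation just described: a pattern per stage with its own log source, condition and threshold, evaluated per source host inside one time window.

```python
"""Toy correlation engine (added illustration, not the PAN-OS engine). A
correlation object is an ordered list of patterns (the escalation sequence),
each with a log source, a match condition and a threshold, plus the time window
within which the whole sequence must occur. Log entries are constructed dicts."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

LogEntry = Dict[str, object]

@dataclass
class Pattern:
    name: str                          # stage name
    source: str                        # log database queried: threat, url, ...
    match: Callable[[LogEntry], bool]  # condition evaluated against one entry
    threshold: int = 1                 # matches needed before the stage counts

@dataclass
class CorrelationObject:
    object_id: int
    title: str
    severity: str                      # severity of the correlated event produced
    window: timedelta                  # all stages must fall within this period
    patterns: List[Pattern]            # stages, in escalation order

@dataclass
class CorrelatedEvent:
    object_id: int
    severity: str
    host: str
    match_time: datetime               # time of the last piece of evidence
    evidence: List[LogEntry]           # every log entry that contributed

def _match_sequence(obj: CorrelationObject, entries: List[LogEntry]) -> Optional[List[LogEntry]]:
    """Return the evidence if the time-ordered entries of one host pass through every
    stage of obj in order within obj.window, else None. The window is anchored at the
    first matching entry, a simplification of the real engine."""
    evidence: List[LogEntry] = []
    start: Optional[datetime] = None
    pos = 0
    for pattern in obj.patterns:
        hits = 0
        while pos < len(entries) and hits < pattern.threshold:
            entry = entries[pos]
            pos += 1
            if entry["source"] != pattern.source or not pattern.match(entry):
                continue
            if start is None:
                start = entry["time"]
            elif entry["time"] - start > obj.window:
                return None            # sequence stalled outside the window
            evidence.append(entry)
            hits += 1
        if hits < pattern.threshold:
            return None                # this stage never completed
    return evidence

def correlate(obj: CorrelationObject, logs: List[LogEntry]) -> List[CorrelatedEvent]:
    """Run one correlation object over a batch of logs: one correlated event per
    source host whose activity matches the full escalation sequence."""
    by_host: Dict[str, List[LogEntry]] = {}
    for entry in sorted(logs, key=lambda e: e["time"]):
        by_host.setdefault(str(entry["src"]), []).append(entry)
    events = []
    for host, entries in by_host.items():
        evidence = _match_sequence(obj, entries)
        if evidence:
            events.append(CorrelatedEvent(obj.object_id, obj.severity, host,
                                          evidence[-1]["time"], evidence))
    return events

# Constructed stand-in for the Compromise Lifecycle object: scanning or probing,
# then exploitation, then contact with a known malicious domain. The object ID
# is a placeholder in the 6000 series, not the real one.
COMPROMISE_LIFECYCLE = CorrelationObject(
    object_id=6000, title="Compromise Lifecycle (constructed)", severity="high",
    window=timedelta(hours=24),
    patterns=[
        Pattern("scan", "threat", lambda e: e["category"] == "scan", threshold=3),
        Pattern("exploit", "threat", lambda e: e["category"] == "vulnerability"
                and e["severity"] in ("high", "critical")),
        Pattern("malicious-domain", "url", lambda e: e["category"] == "malware"),
    ],
)

def _log(minutes: float, source: str, src: str, category: str, severity: str = "low") -> LogEntry:
    """Build a constructed log entry, offset in minutes from a fixed start time."""
    return {"time": datetime(2017, 3, 30, 9, 0) + timedelta(minutes=minutes),
            "source": source, "src": src, "category": category, "severity": severity}

# Constructed sample logs (not real firewall logs) for three hosts.
SAMPLE_LOGS = (
    [_log(m, "threat", "192.168.2.10", "scan") for m in (0, 1, 2)]     # .10: full lifecycle in 2 h
    + [_log(30, "threat", "192.168.2.10", "vulnerability", "critical"),
       _log(120, "url", "192.168.2.10", "malware", "informational")]
    + [_log(m, "threat", "192.168.2.11", "scan") for m in (0, 1, 2)]   # .11: malicious domain 30 h later
    + [_log(60, "threat", "192.168.2.11", "vulnerability", "high"),
       _log(30 * 60, "url", "192.168.2.11", "malware", "informational")]
    + [_log(5, "threat", "192.168.2.12", "scan")]                      # .12: one scan only
)
```

Running `correlate(COMPROMISE_LIFECYCLE, SAMPLE_LOGS)` yields exactly one event, for 192.168.2.10; the second host stalls outside the 24-hour window and the third never reaches the scan threshold.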
Interpret Correlated Events
Correlated Events include the following details:
Field     Description
Severity  A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network and the severity implies the following:
          Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
          High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity generated by a particular host.
          Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs, which suggests a scripted command-and-control activity.
          Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
          Informational: Detects an event that may be useful in aggregate for identifying suspicious activity, but the event is not necessarily significant on its own.
          To configure the firewall or Panorama to send alerts using email, SNMP or syslog messages for a desired severity level, see Use External Services for Monitoring.
Summary   A description that summarizes the evidence gathered on the correlated event.
Click the icon to see the detailed log view, which includes all the evidence on a match:
Tab                Description
Match Information  Object Details: Presents information on the Correlation Object that triggered the match.
                   Match Details: A summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.
Match Evidence     Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.
Use the Compromised Hosts Widget in the ACC
For more details, see Use the Automated Correlation Engine and Use the Application Command Center.
Take Packet Captures
All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the management interface and network interfaces on the firewall. When taking packet captures on the dataplane, you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.
Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure you turn it off after you have collected the required packets.
Types of Packet Captures
Disable Hardware Offload
Take a Custom Packet Capture
Take a Threat Packet Capture
Take an Application Packet Capture
Take a Packet Capture on the Management Interface
Types of Packet Captures
There are four different types of packet captures you can enable, depending on what you need to do:
Custom Packet Capture: The firewall captures packets for all traffic or for specific traffic based on filters that you define. For example, you can configure the firewall to only capture packets to and from a specific source and destination IP address or port. You then use the packet captures for troubleshooting network-related issues or for gathering application attributes to enable you to write custom application signatures or to request an application signature from Palo Alto Networks. See Take a Custom Packet Capture.
Threat Packet Capture: The firewall captures packets when it detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. A link to view or export the packet captures will appear in the second column of the Threat log. These packet captures provide context around a threat to help you determine if an attack is successful or to learn more about the methods used by an attacker. You can also submit this type of pcap to Palo Alto Networks to have a threat re-analyzed if you feel it's a false positive or false negative. See Take a Threat Packet Capture.
Application Packet Capture: The firewall captures packets based on a specific application and filters that you define. A link to view or export the packet captures will appear in the second column of the Traffic logs for traffic that matches the packet capture rule. See Take an Application Packet Capture.
Management Interface Packet Capture: The firewall captures packets on the management interface (MGT). The packet captures are useful when troubleshooting services that traverse the interface, such as firewall management authentication to External Authentication Services, software and content updates, log forwarding, communication with SNMP servers, and authentication requests for GlobalProtect and Captive Portal. See Take a Packet Capture on the Management Interface.
Disable Hardware Offload
Packet captures on a Palo Alto Networks firewall are performed in the dataplane CPU, unless you configure the firewall to Take a Packet Capture on the Management Interface, in which case the packet capture is performed on the management plane. When a packet capture is performed on the dataplane, during the ingress stage, the firewall performs packet parsing checks and discards any packets that do not match the packet capture filter. Any traffic that is offloaded to the field-programmable gate array (FPGA) offload processor is also excluded, unless you turn off hardware offload. For example, encrypted traffic (SSL/SSH), network protocols (OSPF, BGP, RIP), application overrides, and terminating applications can be offloaded to the FPGA and therefore are excluded from packet captures by default. Some types of sessions will never be offloaded, such as ARP, all non-IP traffic, IPSec, VPN sessions, SYN, FIN, and RST packets.
Hardware offload is supported on the following firewalls: PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.
Disabling hardware offload increases the dataplane CPU usage. If dataplane CPU usage is already high, you may want to schedule a maintenance window before disabling hardware offload.
Enable/Disable Hardware Offload
Step 1  Disable hardware offload by running the following CLI command:
admin@PA-7050> set session offload no
Step 2  After the firewall captures the required traffic, enable hardware offload by running the following CLI command:
admin@PA-7050> set session offload yes
Take a Custom Packet Capture
Custom packet captures allow you to define the traffic that the firewall will capture. To ensure that you capture all traffic, you may need to Disable Hardware Offload.
Take a Custom Packet Capture
Step 1  Before you start a packet capture, identify the attributes of the traffic that you want to capture.
For example, to determine the source IP address, source NAT IP address, and the destination IP address for traffic between two systems, perform a ping from the source system to the destination system. After the ping is complete, go to Monitor > Traffic and locate the traffic log for the two systems. Click the Detailed Log View icon located in the first column of the log and note the source address, source NAT IP, and the destination address.
The following example shows how to use a packet capture to troubleshoot a Telnet connectivity issue from a user in the Trust zone to a server in the DMZ zone.
Step 2  Set packet capture filters, so the firewall only captures traffic you are interested in.
Using filters makes it easier for you to locate the information you need in the packet capture and will reduce the processing power required by the firewall to take the packet capture. To capture all traffic, do not define filters and leave the filter option off.
For example, if you configured NAT on the firewall, you will need to apply two filters. The first one filters on the pre-NAT source IP address to the destination IP address and the second one filters traffic from the destination server to the source NAT IP address.
1. Select Monitor > Packet Capture.
2. Click Clear All Settings at the bottom of the window to clear any existing capture settings.
3. Click Manage Filters and click Add.
4. Select Id 1 and in the Source field enter the source IP address you are interested in and in the Destination field enter a destination IP address.
For example, enter the source IP address 192.168.2.10 and the destination IP address 10.43.14.55. To further filter the capture, set Non-IP to exclude non-IP traffic, such as broadcast traffic.
5. Add the second filter and select Id 2.
For example, in the Source field enter 10.43.14.55 and in the Destination field enter 10.43.14.25. In the Non-IP drop-down menu select exclude.
6. Click OK.
Step 3  Set Filtering to On.
Step 4  Specify the traffic stage(s) that trigger the packet capture and the filename(s) to use to store the captured content. For a definition of each stage, click the Help icon on the packet capture page.
For example, to configure all packet capture stages and define a filename for each stage, perform the following procedure:
1. Add a Stage to the packet capture configuration and define a Filename for the resulting packet capture. For example, select receive as the Stage and set the Filename to telnet-test-received.
2. Continue to Add each Stage you want to capture (receive, firewall, transmit, and drop) and set a unique Filename for each stage.
Step 6  Generate traffic that matches the filters that you defined.
For this example, generate traffic from the source system to the Telnet-enabled server by running the following command from the source system (192.168.2.10):
telnet 10.43.14.55
Step 7  Turn packet capture OFF and then click the refresh icon to see the packet capture files.
Notice that in this case, there were no dropped packets, so the firewall did not create a file for the drop stage.
Step 8  Download the packet captures by clicking the file name in the File Name column.
Step 9  View the packet capture files using a network packet analyzer.
In this example, the received.pcap packet capture shows a failed Telnet session from the source system at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. The source system sent the Telnet request to the server, but the server did not respond. In this example, the server may not have Telnet enabled, so check the server.
Step 10  Enable the Telnet service on the destination server (10.43.14.55) and turn on packet capture to take a new packet capture.
Step 11  Generate traffic that will trigger the packet capture.
Run the Telnet session again from the source system to the Telnet-enabled server:
telnet 10.43.14.55
Step 12  Download and open the received.pcap file and view it using a network packet analyzer.
The following packet capture now shows a successful Telnet session from the host user at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. Note that you also see the NAT address 10.43.14.25. When the server responds, it does so to the NAT address. You can see the session is successful as indicated by the three-way handshake between the host and the server and then you see Telnet data.
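The check a packet analyzer lets you do by eye in Steps 9 and 12 can also be scripted. The following Python script is an added example, not part of the guide or of PAN-OS: it includes a minimal libpcap/Ethernet/IPv4/TCP reader, constructs the "before" and "after" received.pcap captures inline from the procedure's addresses (192.168.2.10, NAT address 10.43.14.25, server 10.43.14.55), and reports whether the three-way handshake to the Telnet server completed.

```python
"""Added example (not PAN-OS code): read a libpcap capture such as received.pcap
from the Telnet troubleshooting above and report whether the TCP three-way
handshake to the server completed. A minimal pcap/Ethernet/IPv4/TCP reader is
included, and both captures are constructed inline with the procedure's
addresses so the script runs offline."""
import struct
from dataclasses import dataclass
from typing import Dict, List

SYN, ACK, PSH = 0x02, 0x10, 0x08
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6

@dataclass
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

def parse_pcap(data: bytes) -> List[TcpPacket]:
    """Return the TCP packets of a little-endian libpcap file with Ethernet frames.
    Non-IPv4 frames (such as ARP) and non-TCP packets are skipped."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic number")
    offset, packets = 24, []                       # 24-byte global header
    while offset + 16 <= len(data):                # 16-byte record header
        incl_len = struct.unpack_from("<IIII", data, offset)[2]
        frame = data[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        if frame[23] != IPPROTO_TCP:               # IPv4 protocol field
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4          # Ethernet header + IHL
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        flags = struct.unpack_from("!H", frame, tcp + 12)[0] & 0x01FF
        packets.append(TcpPacket(".".join(map(str, frame[26:30])),
                                 ".".join(map(str, frame[30:34])), sport, dport, flags))
    return packets

def handshake_state(packets: List[TcpPacket], server: str, port: int = 23) -> Dict[str, object]:
    """Walk the capture in order and record which handshake steps reached the
    server. The client address is deliberately not checked: at the receive stage
    the server's SYN-ACK is addressed to the source-NAT IP, not the original client."""
    state: Dict[str, object] = {"syn": None, "syn_ack": None, "ack": None}
    for p in packets:
        to_server = p.dst == server and p.dport == port
        from_server = p.src == server and p.sport == port
        if to_server and p.flags == SYN and state["syn"] is None:
            state["syn"] = p.src                   # who opened the connection
        elif from_server and p.flags == SYN | ACK and state["syn"] and state["syn_ack"] is None:
            state["syn_ack"] = p.dst               # address the server replied to (NAT IP)
        elif to_server and p.flags == ACK and state["syn_ack"] and state["ack"] is None:
            state["ack"] = p.src
    if state["syn"] is None:
        state["verdict"] = "no SYN to server"
    elif state["syn_ack"] is None:
        state["verdict"] = "no response from server"
    elif state["ack"] is None:
        state["verdict"] = "handshake incomplete"
    else:
        state["verdict"] = "handshake complete"
    return state

def _tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left zero)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64,
                     IPPROTO_TCP, 0, addr(src), addr(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1490860800 + i, 0, len(frame), len(frame)) + frame
    return out

CLIENT, NAT_CLIENT, SERVER = "192.168.2.10", "10.43.14.25", "10.43.14.55"
# Constructed captures mirroring the two received.pcap files from the procedure.
FAILED_CAPTURE = build_pcap([_tcp_frame(CLIENT, SERVER, 40001, 23, SYN)] * 3)   # SYN retries only
GOOD_CAPTURE = build_pcap([
    _tcp_frame(CLIENT, SERVER, 40002, 23, SYN),
    _tcp_frame(SERVER, NAT_CLIENT, 23, 40002, SYN | ACK),   # reply goes to the NAT address
    _tcp_frame(CLIENT, SERVER, 40002, 23, ACK),
    _tcp_frame(CLIENT, SERVER, 40002, 23, PSH | ACK),       # first Telnet data
])

if __name__ == "__main__":
    for name, capture in (("before fix", FAILED_CAPTURE), ("after fix", GOOD_CAPTURE)):
        print(name, handshake_state(parse_pcap(capture), SERVER)["verdict"])
```

To run it against a real capture, replace the constructed bytes with `open("received.pcap", "rb").read()`; pcapng files and non-Ethernet link types are outside what this reader handles.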
Take a Threat Packet Capture
To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
Take a Threat Packet Capture
Step 3  View/export the packet capture from the Threat logs.
1. Select Monitor > Logs > Threat.
2. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system.
Take an Application Packet Capture
The following topics describe two ways that you can configure the firewall to take application packet captures:
Take a Packet Capture for Unknown Applications
Take a Custom Application Packet Capture
Take a Packet Capture for Unknown Applications
Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application that the firewall cannot identify. Typically, the only applications that are classified as unknown traffic (tcp, udp or non-syn tcp) are commercially available applications that do not yet have App-ID signatures, internal or custom applications on your network, or potential threats. You can use these packet captures to gather more context related to the unknown application or use the information to analyze the traffic for potential threats. You can also Manage Custom or Unknown Applications by controlling them through security policy or by writing a custom application signature and creating a security rule based on the custom signature. If the application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an App-ID signature created.
Identify Unknown Applications in Traffic Logs and View Packet Captures
Step 1  Verify that unknown application packet capture is enabled. This option is on by default.
1. To view the unknown application capture setting, run the following CLI command:
admin@PA-200> show running application setting | match Unknown capture
2. If the unknown capture setting option is off, enable it:
admin@PA-200> set application dump-unknown yes
Step 2  Locate unknown applications by filtering the traffic logs.
1. Select Monitor > Logs > Traffic.
2. Click Add Filter and select the filters as shown in the following example.
3. Click Add and Apply Filter.
Take a Custom Application Packet Capture
You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in Objects > Applications.
Take a Custom Application Packet Capture
Step 1  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 2  Turn on the application packet capture and define filters.
admin@PA-200> set application dump on application <application-name> rule <rule-name>
For example, to capture packets for the facebook-base application that matches the security rule named rule1, run the following CLI command:
admin@PA-200> set application dump on application facebook-base rule rule1
You can also apply other filters, such as source IP address and destination IP address.
Step 3  View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after enabling the packet capture.
In the following output, you see that application filtering is now on based on the facebook-base application for traffic that matches rule1.
Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: no
Traceroute appid : yes
Traceroute TTL threshold : 30
Use cache for appid : no
Unknown capture : on
Max. unknown sessions : 5000
Current unknown sessions : 0
Application capture : on
Max. application sessions : 5000
Current application sessions : 0
Application filter setting:
Rule : rule1
From : any
To : any
Source : any
Destination : any
Protocol : any
Source Port : any
Dest. Port : any
Application : facebook-base
Current APPID Signature
Signature Usage : 21 MB (Max. 32 MB)
TCP 1 C2S : 15503 states
TCP 1 S2C : 5070 states
TCP 2 C2S : 2426 states
TCP 2 S2C : 702 states
UDP 1 C2S : 11379 states
UDP 1 S2C : 2967 states
UDP 2 C2S : 755 states
UDP 2 S2C : 224 states
Step 4  Access Facebook.com from a web browser to generate Facebook traffic and then turn off application packet capture by running the following CLI command:
admin@PA-200> set application dump off
Step 5  View/export the packet capture.
1. Log in to the web interface on the firewall and select Monitor > Logs > Traffic.
2. In the log entry that you are interested in, click the green packet capture icon in the second column.
3. View the packet capture directly or Export it to your computer. The following screen capture shows the facebook-base packet capture.
Take a Packet Capture on the Management Interface
The tcpdump CLI command enables you to capture packets that traverse the management interface (MGT) on a Palo Alto Networks firewall.
Each platform has a default number of bytes that tcpdump captures. The PA-200 and PA-500 firewalls capture 68 bytes of data from each packet and anything over that is truncated. The PA-3000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls capture 96 bytes of data from each packet. To define the number of bytes that tcpdump captures from each packet, use the snaplen (snap length) option (range 0-65535). Setting the snaplen to 0 will cause the firewall to use the maximum length required to capture whole packets.
Take a Management Interface Packet Capture
Step 1  Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 2  To start a packet capture on the MGT interface, run the following command:
admin@PA-200> tcpdump filter <filter-option> <IP-address> snaplen length
For example, to capture the traffic that is generated when an administrator authenticates to the firewall using RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
admin@PA-200> tcpdump filter dst 10.5.104.99 snaplen 0
You can also filter on src (source IP address), host, and net, and you can exclude content. For example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22), run the following command:
admin@PA-200> tcpdump filter net 10.5.104.0/24 and not port 22 snaplen 0
Each time tcpdump takes a packet capture, it stores the content in a file named mgmt.pcap. This file is overwritten each time you run tcpdump.
Step 3  After the traffic you are interested in has traversed the MGT interface, press Ctrl+C to stop the capture.
Step 4  View the packet capture by running the following command:
admin@PA-200> view-pcap mgmt-pcap mgmt.pcap
The following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id:
0x00 length: 89
09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id:
0x00 length: 70
09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98
Step 5  (Optional) Export the packet capture from the firewall using SCP (or TFTP). For example, to export the packet capture using SCP, run the following command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to <username@host:path>
For example, to export the pcap to an SCP-enabled server at 10.5.5.20, into a temp folder named temp-SCP, run the following CLI command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to admin@10.5.5.20:c:/temp-SCP
Enter the login name and password for the account on the SCP server to enable the firewall to copy the packet capture to the c:\temp-SCP folder on the SCP-enabled server.
Step 6  You can now view the packet capture files using a network packet analyzer, such as Wireshark.
Monitor Applications and Threats
All Palo Alto Networks next-generation firewalls come equipped with the App-ID technology, which identifies the applications traversing your network, irrespective of protocol, encryption, or evasive tactic. You can then Use the Application Command Center to monitor the applications. The ACC graphically summarizes the data from a variety of log databases to highlight the applications traversing your network, who is using them, and their potential security impact. ACC is dynamically updated, using the continuous traffic classification that App-ID performs; if an application changes ports or behavior, App-ID continues to see the traffic, displaying the results in ACC. Additional visibility into URL categories, threats, and data provides a complete and well-rounded picture of network activity. With ACC, you can very quickly learn more about the traffic traversing the network and then translate that information into a more informed security policy.
You can also Use the Dashboard to monitor the network.
Content Delivery Network Infrastructure for Dynamic Updates to check whether logged events on the firewall pose a security risk. The AutoFocus intelligence summary shows the prevalence of properties, activities, or behaviors associated with logs in your network and on a global scale, as well as the WildFire verdict and AutoFocus tags linked to them. With an active AutoFocus subscription, you can use this information to create customized AutoFocus Alerts that track specific threats on your network.
View and Manage Logs
A log is an automatically generated, time-stamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, the firewall generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature or a DoS attack that matches the thresholds configured for a port scan or host sweep activity on the firewall.
Log Types and Severity Levels
View Logs
Filter Logs
Export Logs
Configure Log Storage Quotas and Expiration Periods
Schedule Log Exports to an SCP or FTP Server
Log Types and Severity Levels
Traffic Logs
Traffic logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones, addresses and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
The Type column indicates whether the entry is for the start or end of the session. The Action column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates the security rule that blocked the traffic specified any application, while a deny indicates the rule identified a specific application. If the firewall drops traffic before identifying the application, such as when a rule drops all traffic for a specific service, the Application column displays not-applicable.
Click the icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).
Threat Logs
Threat logs display entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, and ports; application name; alarm action (such as allow or block); and severity level.
To see more details on individual Threat log entries:
Click the icon beside a threat entry to view details such as whether the entry aggregates multiple threats of the same type between the same source and destination (in which case the Count column value is greater than one).
If you configured the firewall to Take Packet Captures, click the icon beside an entry to access the captured packets.
The following table summarizes the Threat severity levels:
Severity       Description
Critical       Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and the exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims and the target does not need to be manipulated into performing any special functions.
High           Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
Medium         Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. In addition, WildFire Submissions log entries with a malware verdict are logged as Medium.
Low            Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged as Low.
Informational  Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist. URL Filtering log entries and WildFire Submissions log entries with a benign verdict are logged as Informational.
URL Filtering Logs
URL Filtering logs display entries for traffic that matches URL Filtering Profiles attached to security rules. For example, the firewall generates a log if a rule blocks access to specific web sites and web site categories, or if you configured a rule to generate an alert when a user accesses a web site.
WildFire Submissions Logs
The firewall forwards samples (files and email links) to the WildFire cloud for analysis based on WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). The firewall generates a WildFire Submissions log entry for each sample it forwards after WildFire completes static and dynamic analysis of the sample. WildFire Submissions log entries include the firewall Action for the sample (allow or block) and the WildFire verdict for the submitted sample.

The following table summarizes the WildFire verdicts:

Benign: Indicates that the entry received a WildFire analysis verdict of benign. Files categorized as benign are safe and do not exhibit malicious behavior.
Grayware: Indicates that the entry received a WildFire analysis verdict of grayware. Files categorized as grayware do not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware can include adware, spyware, and Browser Helper Objects (BHOs).
Phishing: Indicates that WildFire assigned a link an analysis verdict of phishing. A phishing verdict indicates that the site to which the link directs users displayed credential phishing activity.
Malicious: Indicates that the entry received a WildFire analysis verdict of malicious. Samples categorized as malicious can pose a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For samples that are identified as malware, the WildFire cloud generates and distributes a signature to protect against future exposure.
Data Filtering Logs
Data Filtering logs display entries for the security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects. See Set Up Data Filtering for information on defining Data Filtering profiles.

This log type also shows information for File Blocking Profiles. For example, if a rule blocks .exe files, the log shows the blocked files.
Correlation Logs
The firewall logs a correlated event when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network. To Interpret Correlated Events and view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.

The following table summarizes the Correlation log severity levels:

Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host.
Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs that suggest scripted command-and-control activity.
Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational: Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own.
Tunnel Inspection Logs
Tunnel inspection logs are like traffic logs for tunnel sessions; they display entries for non-encrypted tunnel sessions. To prevent double counting, the firewall saves only the inner flows in traffic logs and sends tunnel sessions to the tunnel inspection logs. Tunnel inspection log entries include Receive Time (date and time the log was received), the tunnel ID, monitor tag, session ID, the Security rule applied to the tunnel session, number of bytes in the session, parent session ID (session ID for the tunnel session), source address, source user and source zone, destination address, destination user, and destination zone.

Click the Detailed Log view to see details for an entry, such as the tunnel protocol used and the flag indicating whether the tunnel content was inspected or not. Only a session that has a parent session will have the Tunnel Inspected flag set, which means the session is in a tunnel-in-tunnel (two levels of encapsulation). The first (outer) header of a tunnel will not have the Tunnel Inspected flag set.
Config Logs
Config logs display entries for changes to the firewall configuration. Each entry includes the date and time, the administrator username, the IP address from where the administrator made the change, the type of client (Web, CLI, or Panorama), the type of command executed, the command status (succeeded or failed), the configuration path, and the values before and after the change.
System Logs
System logs display entries for each system event on the firewall. Each entry includes the date and time, event severity, and event description. The following table summarizes the System log severity levels. For a partial list of System log messages and their corresponding severity levels, refer to System Log Events.

Critical: Hardware failures, including high availability (HA) failover and link failures.
High: Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.
Medium: Mid-level notifications, such as antivirus package upgrades.
Low: Minor severity notifications, such as user password changes.
Informational: Login/logoff, administrator name or password change, any configuration change, and all other events not covered by the other severity levels.
HIP Match Logs
GlobalProtect Host Information Profile (HIP) matching enables you to collect information about the security status of the end devices accessing your network (such as whether they have disk encryption enabled). The firewall can allow or deny access to a specific host based on adherence to the HIP-based security rules you define. HIP Match logs display traffic flows that match a HIP Object or HIP Profile that you configured for the rules.
User-ID Logs
User-ID logs display information about IP address-to-username mappings and Authentication Timestamps, such as the sources of the mapping information and the times when users authenticated. You can use this information to help troubleshoot User-ID and authentication issues. For example, if the firewall is applying the wrong policy rule for a user, you can view the logs to verify whether that user is mapped to the correct IP address and whether the group associations are correct.
Alarms Logs
An alarm is a firewall-generated message indicating that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type. To enable alarms and configure alarm thresholds, select Device > Log Settings and edit the Alarm Settings.

When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After you Close the dialog, you can reopen it at any time by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select the alarm in the Unacknowledged Alarms list and Acknowledge the alarm.
Authentication Logs
Authentication logs display information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication Policy rules. You can use this information to help troubleshoot access issues and to adjust your Authentication policy as needed. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network, such as brute force attacks.

Optionally, you can configure Authentication rules to log timeout events. These timeouts relate to the period during which a user needs to authenticate for a resource only once but can access it repeatedly. Seeing information about the timeouts helps you decide if and how to adjust them (for details, see Authentication Timestamps).

System logs record authentication events relating to GlobalProtect and to administrator access to the web interface.
Unified Logs
Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs displayed in a single view. Unified log view enables you to investigate and filter the latest entries from different log types in one place, instead of searching through each log type separately. Click Effective Queries in the filter area to select which log types will display entries in Unified log view.

The Unified log view displays only entries from logs that you have permission to see. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. Administrative Roles define these permissions.

When you Set Up Remote Search in AutoFocus to perform a targeted search on the firewall, the search results are displayed in Unified log view.
View Logs
You can view the different log types on the firewall in a tabular format. The firewall locally stores all log files and automatically generates Configuration and System logs by default. To learn more about the security rules that trigger the creation of entries for the other types of logs, see Log Types and Severity Levels.

To configure the firewall to forward logs as syslog messages, email notifications, or Simple Network Management Protocol (SNMP) traps, Use External Services for Monitoring.

Next Steps: Filter Logs; Export Logs; Configure Log Storage Quotas and Expiration Periods.
Filter Logs
Each log has a filter area that allows you to set the criteria for which log entries to display. The ability to filter logs is useful for focusing on events on your firewall that possess particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.

Next Steps: View Logs; Export Logs.
Export Logs
You can export the contents of a log type to a comma-separated value (CSV) formatted report. By default, the report contains up to 2,000 rows of log entries.

Next Step: Schedule Log Exports to an SCP or FTP Server.
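The Threat severity table, the Filter Logs section and the CSV export described above come together in practice when an analyst triages an exported log offline. The following added example (not code from this guide or from Palo Alto Networks) parses a CSV export of Threat log entries, evaluates a filter written in the parenthesized `(field op value)` style of the web interface filter bar, and counts threats per source using the Count column. The CSV header is a constructed subset of the Threat log columns the guide lists (a real export has many more columns), the rows are made-up sample data with documentation addresses, and only the subset of the filter grammar shown in the docstring is supported.

```python
"""Filter and triage Threat log entries exported from a PAN-OS firewall as CSV.

Added example: not code from the PAN-OS Administrator's Guide or from Palo Alto
Networks. Supported filter grammar (explicit parentheses, no precedence):
    (field op value) [and|or (field op value)] ...
Fields: severity, action, app, subtype, name, addr.src, addr.dst.
Operators: eq, neq; geq/leq on severity; in/notin on addresses (host or CIDR).
"""
import csv
import io
import ipaddress
import re
from collections import Counter

# Ranks taken from the guide's Threat severity table so geq/leq work on severity.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample export: a subset of the real columns, invented rows.
SAMPLE_CSV = """\
Receive Time,Type,Severity,Name,Source,Destination,Application,Action,Count
2017/03/30 09:01:12,vulnerability,critical,HTTP Overflow Attempt,203.0.113.7,10.1.20.5,web-browsing,reset-both,1
2017/03/30 09:02:40,virus,medium,Trojan/Win32.generic,10.1.30.44,198.51.100.9,smtp,alert,3
2017/03/30 09:03:05,spyware,high,Suspicious DNS Query,10.1.30.44,10.1.1.53,dns,alert,1
2017/03/30 09:04:10,url,informational,malware,10.1.30.61,198.51.100.22,web-browsing,block-url,1
2017/03/30 09:05:55,wildfire,medium,invoice.exe,10.1.30.44,203.0.113.88,web-browsing,allow,1
2017/03/30 09:06:02,vulnerability,critical,SMB Remote Code Execution,203.0.113.7,10.1.20.6,ms-ds-smb,drop,2
"""

# Filter field names (as typed in the filter bar) -> CSV column headers.
FIELD_TO_COLUMN = {
    "severity": "Severity", "action": "Action", "app": "Application",
    "subtype": "Type", "name": "Name", "addr.src": "Source", "addr.dst": "Destination",
}
TOKEN_RE = re.compile(r"\(|\)|'[^']*'|[^\s()]+")


def parse_log_csv(text):
    """Return the exported rows as dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def _match(entry, field, op, value):
    """Evaluate one (field op value) atom against a log entry."""
    actual = entry[FIELD_TO_COLUMN[field]]
    if field.startswith("addr."):
        hit = ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
        return hit if op == "in" else not hit
    if field == "severity" and op in ("geq", "leq"):
        rank, bound = SEVERITY_RANK[actual.lower()], SEVERITY_RANK[value.lower()]
        return rank >= bound if op == "geq" else rank <= bound
    if op in ("eq", "neq"):
        return (actual.lower() == value.lower()) == (op == "eq")
    raise ValueError(f"unsupported operator {op!r} for field {field!r}")


def compile_filter(expression):
    """Turn a filter string into a predicate over log entries (recursive descent)."""
    tokens = TOKEN_RE.findall(expression)
    pos = 0

    def parse_expr():
        nonlocal pos
        node = parse_term()
        while pos < len(tokens) and tokens[pos] in ("and", "or"):
            op = tokens[pos]
            pos += 1
            node = (op, node, parse_term())   # left-associative; parenthesize to mix and/or
        return node

    def parse_term():
        nonlocal pos
        if tokens[pos] == "(":
            pos += 1
            node = parse_expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in filter")
            pos += 1
            return node
        if pos + 3 > len(tokens):
            raise ValueError("incomplete (field op value) term")
        field, op, value = tokens[pos:pos + 3]
        pos += 3
        if field not in FIELD_TO_COLUMN:
            raise ValueError(f"unknown filter field {field!r}")
        return ("atom", field, op, value.strip("'"))

    tree = parse_expr()
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens in filter")

    def evaluate(node, entry):
        if node[0] == "atom":
            return _match(entry, *node[1:])
        op, lhs, rhs = node
        left, right = evaluate(lhs, entry), evaluate(rhs, entry)
        return (left and right) if op == "and" else (left or right)

    return lambda entry: evaluate(tree, entry)


def filter_logs(entries, expression):
    """Return the entries matching the filter, in export order."""
    predicate = compile_filter(expression)
    return [e for e in entries if predicate(e)]


def threats_per_source(entries):
    """Threats per source IP, weighting each row by Count: an aggregated
    entry with Count > 1 stands for several threats of the same type."""
    totals = Counter()
    for e in entries:
        totals[e["Source"]] += int(e["Count"])
    return totals


if __name__ == "__main__":
    logs = parse_log_csv(SAMPLE_CSV)
    hits = filter_logs(logs, "(severity geq high) and (addr.dst in 10.1.0.0/16)")
    for e in hits:
        print(e["Receive Time"], e["Severity"], e["Source"], "->", e["Destination"], e["Name"])
    print(threats_per_source(hits))
```

The per-source count uses the Count column deliberately: an aggregated entry with Count greater than one represents several threats, so counting rows alone under-reports the most active sources.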
Configure Log Storage Quotas and Expiration Periods
The firewall automatically deletes logs that exceed the expiration period. When the firewall reaches the storage quota for a log type, it automatically deletes older logs of that type to create space even if you don't set an expiration period.
Schedule Log Exports to an SCP or FTP Server
You can schedule exports of Traffic, Threat, URL Filtering, Data Filtering, HIP Match, and WildFire Submissions logs to a Secure Copy (SCP) server or File Transfer Protocol (FTP) server. Perform this task for each log type you want to export.

You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the following platforms, they do not support these options: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).

Step 2: Enter a Name for the scheduled log export and Enable it.
Step 5: Select the Protocol to export the logs: SCP (secure) or FTP. FTP transfers both the server credentials and the exported log contents in cleartext, so use SCP unless the export path is otherwise protected.
Step 6: Enter the Hostname or IP address of the server.
Step 7: Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.
Step 8: Enter the Path or directory in which to save the exported logs.
Step 12: Click OK and Commit.
Monitor Block List
There are two ways you can cause the firewall to place an IP address on the block list:
- Configure a Vulnerability Protection profile with a rule to Block IP connections and apply the profile to a Security policy rule, which you apply to a zone.
- Configure a DoS Protection policy rule with the Protect action and a Classified DoS Protection profile, which specifies a maximum rate of connections per second allowed. When incoming packets match the DoS Protection policy and exceed the Max Rate, and if you specified a Block Duration and a Classified policy rule to include source IP address, the firewall puts the offending source IP address on the block list.

In the cases described above, the firewall automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. If attack traffic exceeds the blocking capacity of the hardware, the firewall uses IP blocking mechanisms in software to block the traffic.

The firewall automatically creates a hardware block list entry based on your Vulnerability Protection profile or DoS Protection policy rule; the source address from the rule is the source IP address in the hardware block list.

Entries on the block list indicate in the Type column whether they were blocked by hardware (hw) or software (sw). The bottom of the screen displays:
- Count of Total Blocked IPs out of the number of blocked IP addresses the firewall supports.
- Percentage of the block list that the firewall has used.

To view details about an address on the block list, hover over a Source IP address and click the down arrow link. Click the Who Is link, which displays the Network Solutions Who Is feature, providing information about the address.

For information on configuring a Vulnerability Protection profile, see Customize the Action and Trigger Conditions for a Brute Force Signature. For more information on the block list and DoS Protection profiles, see DoS Protection Against Flooding of New Sessions.
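The Classified DoS Protection path onto the block list described above (Max Rate, Block Duration, per-source classification) is easier to reason about when modeled end to end. The following added example is not PAN-OS code and does not describe the firewall's internals (in particular the hardware/software split is not modeled); it is a per-source new-session rate limiter with an expiring block list, written to show what Max Rate and Block Duration do to a flooding source versus a source that stays under the rate. The timestamps and addresses in the demo are constructed.

```python
"""Per-source connection-rate limiting with an expiring block list, modeling
a Classified DoS Protection profile's Max Rate and Block Duration.

Added example; not PAN-OS code. A source that opens more than `max_rate`
new sessions within any one-second window is placed on the block list for
`block_duration` seconds; while listed, its new sessions are blocked without
further evaluation. Other sources are unaffected (the profile is classified
by source IP).
"""
from collections import defaultdict, deque


class ClassifiedDoSProtection:
    def __init__(self, max_rate, block_duration):
        self.max_rate = max_rate                # allowed new sessions per second, per source
        self.block_duration = block_duration    # seconds a source stays on the block list
        self._windows = defaultdict(deque)      # source -> timestamps of recent new sessions
        self.block_list = {}                    # source -> time at which the block expires

    def _expire(self, now):
        for src in [s for s, until in self.block_list.items() if until <= now]:
            del self.block_list[src]

    def new_session(self, now, src):
        """Return 'allow' or 'block' for a new session from src at time now."""
        self._expire(now)
        if src in self.block_list:
            return "block"                      # listed: dropped before any policy lookup
        window = self._windows[src]
        window.append(now)
        while window[0] <= now - 1.0:           # keep only the last second of attempts
            window.popleft()
        if len(window) > self.max_rate:         # Max Rate exceeded: add to block list
            self.block_list[src] = now + self.block_duration
            window.clear()
            return "block"
        return "allow"

    def blocked_sources(self, now):
        """Sources currently on the block list (expired entries removed)."""
        self._expire(now)
        return sorted(self.block_list)


def simulate(profile, packets):
    """Feed (time, source) pairs in order and return the verdict for each."""
    return [profile.new_session(t, src) for t, src in packets]


if __name__ == "__main__":
    dos = ClassifiedDoSProtection(max_rate=5, block_duration=10)
    flood = [(0.1 * i, "203.0.113.7") for i in range(8)]     # constructed: 8 new sessions in 0.8 s
    normal = [(0.25 * i, "10.1.1.5") for i in range(40)]     # constructed: 4 new sessions per second
    print(simulate(dos, flood))
    print(set(simulate(dos, normal)))
    print(dos.blocked_sources(5.0), dos.blocked_sources(11.0))
```

Note that the block is applied at the sixth attempt within the second and persists for the full Block Duration even though the source stops sending; a real attacker who keeps sending simply keeps hitting the block list entry, which is exactly the work the hardware entry saves the CPU from doing.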
View and Manage Reports
The reporting capabilities on the firewall allow you to keep a pulse on your network, validate your policies, and focus your efforts on maintaining network security for keeping your users safe and productive.
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate Botnet Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery
Report Types
The firewall includes predefined reports that you can use as-is, or you can build custom reports that meet your needs for specific data and actionable tasks, or you can combine predefined and custom reports to compile the information you need. The firewall provides the following types of reports:
- Predefined Reports: Allow you to view a quick summary of the traffic on your network. A suite of predefined reports is available in four categories: Applications, Traffic, Threat, and URL Filtering. See View Reports.
- User or Group Activity Reports: Allow you to schedule or create an on-demand report on the application use and URL activity for a specific user or for a user group. The report includes the URL categories and an estimated browse time calculation for individual users. See Generate User/Group Activity Reports.
- Custom Reports: Create and schedule custom reports that show exactly the information you want to see by filtering on conditions and columns to include. You can also include query builders for more specific drill-down on report data. See Generate Custom Reports.
- PDF Summary Reports: Aggregate up to 18 predefined or custom reports/graphs from the Threat, Application, Trend, Traffic, and URL Filtering categories into one PDF document. See Manage PDF Summary Reports.
- Botnet Reports: Allow you to use behavior-based mechanisms to identify potential botnet-infected hosts in the network. See Generate Botnet Reports.
- Report Groups: Combine custom and predefined reports into report groups and compile a single PDF that is emailed to one or more recipients. See Manage Report Groups.

Reports can be generated on demand or on a recurring schedule, and can be scheduled for email delivery.
View Reports
The firewall provides an assortment of over 40 predefined reports that it generates every day. You can view these reports directly on the firewall. You can also view custom reports and summary reports.

About 200 MB of storage is allocated for saving reports on the firewall. You can't configure this limit, but you can Configure the Expiration Period and Run Time for Reports to allow the firewall to delete reports that exceed the period. Keep in mind that when the firewall reaches its storage limit, it automatically deletes older reports to create space even if you don't set an expiration period. Another way to conserve system resources on the firewall is to Disable Predefined Reports. For long-term retention of reports, you can export the reports (as described below) or Schedule Reports for Email Delivery.

Unlike other reports, you can't save User/Group Activity reports on the firewall. You must Generate User/Group Activity Reports on demand or schedule them for email delivery.

Step 2: Select a report to view. The reports page then displays the report for the previous day.
To view reports for other days, select a date in the calendar at the bottom right of the page and select a report. If you select a report in another section, the date selection resets to the current date.
Configure the Expiration Period and Run Time for Reports
The expiration period and run time are global settings that apply to all Report Types. After running new reports, the firewall automatically deletes reports that exceed the expiration period.
Disable Predefined Reports
The firewall includes about 40 predefined reports that it automatically generates daily. If you do not use some or all of these, you can disable selected reports to conserve system resources on the firewall.

Make sure that no report group or PDF summary report includes the predefined reports you will disable. Otherwise, the firewall will render the PDF summary report or report group without any data.
Custom Reports
In order to create purposeful custom reports, you must consider the attributes or key pieces of information that you want to retrieve and analyze. This consideration guides you in making the following selections in a custom report:

Database: You can base the report on one of the following database types:
- Summary databases: These databases are available for Application Statistics, Traffic, Threat, URL Filtering, and Tunnel Inspection logs. The firewall aggregates the detailed logs at 15-minute intervals. To enable faster response time when generating reports, the firewall condenses the data: duplicate sessions are grouped and incremented with a repeat counter, and some attributes (columns) are excluded from the summary.
- Detailed logs: These databases itemize the logs and list all the attributes (columns) for each log entry.
Reports based on detailed logs take much longer to run and are not recommended unless absolutely necessary.

Attributes: The columns that you want to use as the match criteria. The attributes are the columns that are available for selection in a report. From the list of Available Columns, you add the selection criteria for matching data and for aggregating the details (the Selected Columns).
The Selected Columns are the attributes that you match against for generating the report. Each log entry from the data source is parsed and these columns are matched on. If multiple sessions have the same values for the selected columns, the sessions are aggregated and the repeat count (or sessions) is incremented.
The Sort By column indicates the chosen sort order. When the sort order is specified, the data is sorted (and aggregated) by the selected attribute.
The Group By column serves as an anchor for the report. The Group By column is used as a match criterion to filter for the top N groups. Then, for each of the top N groups, the report enumerates the values for all the other selected columns.
For example, consider a report with the selected columns App Category, App Subcategory, and Risk, a Time Frame of Last 7 Days, Group By set to Day with 5 Groups, and Sort By set to Sessions with Top 5. The report is anchored by Day and sorted by Sessions. It lists the 5 days (5 Groups) with maximum traffic in the Last 7 Days time frame, and the data is enumerated by the Top 5 sessions for each day for the selected columns App Category, App Subcategory, and Risk.

Time Frame: The date range for which you want to analyze data. You can define a custom range or select a time period ranging from the last 15 minutes to the last 30 days. The reports can be run on demand or scheduled to run at a daily or weekly cadence.

Query Builder: The query builder allows you to define specific queries to further refine the selected attributes. It lets you see just what you want in your report using and/or operators and match criteria, and then include or exclude data that matches or negates the query in the report. Queries enable you to generate a more focused collation of information in a report.
Generate Custom Reports
Step 2: Click Add and then enter a Name for the report.
To base a report on a predefined template, click Load Template and choose the template. You can then edit the template and save it as a custom report.
Step 3: Select the Database to use for the report.
Each time you create a custom report, a log view report is automatically created. This report shows the logs that were used to build the custom report. The log view report uses the same name as the custom report, but appends the phrase (Log View) to the report name.
When creating a report group, you can include the log view report with the custom report. For more information, see Manage Report Groups.
Step 4: Select the Scheduled check box to run the report each night. The report is then available for viewing in the Reports column on the side.
Step 8: Click OK to save the custom report.

Examples of Custom Reports
For a simple report that uses the traffic summary database for the last 30 days, sorts the data by the top 10 sessions, and groups those sessions into 5 groups by day of the week, you would set the Database to the traffic summary database, the Time Frame to Last 30 Days, Sort By to Sessions with Top 10, and Group By to Day with 5 Groups.
[Figure: custom report settings for the day-of-week example]
[Figure: PDF output for the day-of-week example]

To use the query builder to generate a custom report that represents the top consumers of network resources within a user group, you would set up the report with a query that restricts the source user to that group and sort by bytes.
[Figure: custom report settings with a query builder expression for one user group]
The report would display the top users in the product management user group sorted by bytes.
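The Database, Attributes, Sort By and Group By selections described in the Custom Reports table, and the day-of-week example above, are reproduced here as an added example in Python. It is not code from this guide or from Palo Alto Networks; it models the behaviour the text describes in words: identical sessions in a summary database collapse into one row with a repeat counter, a custom report ranks the Group By values by their total of the Sort By measure, keeps the top N groups, and within each group lists the top N aggregated rows of the other selected columns. The session records are constructed sample data, and Day stands in for the 15-minute bucket the firewall actually summarizes on.

```python
"""Model of how a custom report is built from a summary database:
Selected Columns, Sort By, Group By and top-N.

Added example, not code from the PAN-OS Administrator's Guide or from Palo
Alto Networks. The session rows below are constructed sample data.
"""
from collections import defaultdict


def _session(day, category, subcategory, risk, nbytes):
    return {"day": day, "app_category": category,
            "app_subcategory": subcategory, "risk": risk, "bytes": nbytes}


# Constructed detailed traffic log rows, one per session.
RAW_SESSIONS = [
    _session("Mon", "networking", "infrastructure", 2, 1200),
    _session("Mon", "networking", "infrastructure", 2, 800),
    _session("Mon", "networking", "infrastructure", 2, 500),
    _session("Mon", "collaboration", "email", 4, 5000),
    _session("Tue", "media", "audio-streaming", 3, 9000),
    _session("Tue", "media", "audio-streaming", 3, 9500),
    _session("Tue", "media", "audio-streaming", 3, 7000),
    _session("Wed", "general-internet", "file-sharing", 5, 20000),
    _session("Wed", "general-internet", "file-sharing", 5, 15000),
    _session("Wed", "networking", "infrastructure", 2, 300),
    _session("Thu", "business-systems", "database", 1, 2500),
    _session("Fri", "collaboration", "email", 4, 4200),
    _session("Fri", "collaboration", "email", 4, 4100),
    _session("Fri", "media", "audio-streaming", 3, 6000),
    _session("Sat", "general-internet", "internet-utility", 3, 700),
]


def summarize(rows, columns):
    """Collapse rows with identical values in `columns` into one row carrying a
    repeat counter ('sessions') and summed bytes. Attributes not in `columns`
    are dropped, as the summary database drops some columns."""
    buckets = {}
    for row in rows:
        key = tuple(row[c] for c in columns)
        measures = buckets.setdefault(key, {"sessions": 0, "bytes": 0})
        measures["sessions"] += 1
        measures["bytes"] += row["bytes"]
    return [dict(zip(columns, key), **m) for key, m in buckets.items()]


def custom_report(rows, selected_columns, group_by, sort_by, groups, top):
    """Aggregate on Group By plus the selected columns, rank Group By values by
    their total of the Sort By measure, keep the top `groups`, and within each
    group list the top `top` aggregated rows."""
    columns = [group_by] + [c for c in selected_columns if c != group_by]
    summary = summarize(rows, columns)
    group_totals = defaultdict(int)
    for row in summary:
        group_totals[row[group_by]] += row[sort_by]
    ranked = sorted(group_totals, key=group_totals.__getitem__, reverse=True)[:groups]
    report = {}
    for group in ranked:
        members = [r for r in summary if r[group_by] == group]
        members.sort(key=lambda r: r[sort_by], reverse=True)
        report[group] = members[:top]
    return report


def render(report, group_by):
    """Plain-text rendering in the spirit of the PDF output."""
    lines = []
    for group, members in report.items():
        lines.append(f"{group_by}={group}")
        for r in members:
            attrs = ", ".join(f"{k}={v}" for k, v in r.items()
                              if k not in (group_by, "sessions", "bytes"))
            lines.append(f"  {attrs}  sessions={r['sessions']} bytes={r['bytes']}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = custom_report(RAW_SESSIONS, ["app_category", "app_subcategory", "risk"],
                        group_by="day", sort_by="bytes", groups=3, top=2)
    print(render(rep, "day"))
```

Switching `sort_by` between `"sessions"` and `"bytes"` changes which days make the top groups, which is the practical point of the Sort By selection: a day with many small sessions ranks first by sessions and may not appear at all by bytes.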
Generate Botnet Reports
The botnet report enables you to use heuristic and behavior-based mechanisms to identify potential malware- or botnet-infected hosts in your network. To evaluate botnet activity and infected hosts, the firewall correlates user and network activity data in Threat, URL, and Data Filtering logs with the list of malware URLs in PAN-DB, known dynamic DNS domain providers, and domains registered within the last 30 days. You can configure the report to identify hosts that visited those sites, as well as hosts that communicated with Internet Relay Chat (IRC) servers or that used unknown applications. Malware often uses dynamic DNS to avoid IP blacklisting, while IRC servers often use bots for automated functions.

The firewall requires Threat Prevention and URL Filtering licenses to use the botnet report.

You can Use the Automated Correlation Engine to monitor suspicious activities based on additional indicators besides those that the botnet report uses. However, the botnet report is the only tool that uses newly registered domains as an indicator.

- Configure a Botnet Report
- Interpret Botnet Report Output

Configure a Botnet Report
You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet reports every 24 hours because behavior-based detection requires correlating traffic across multiple logs over that time frame.

Interpret Botnet Report Output
The botnet report displays a line for each host that is associated with traffic you defined as suspicious when configuring the report. For each host, the report displays a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. The scores correspond to threat severity levels: 1 is informational, 2 is low, 3 is medium, 4 is high, and 5 is critical. The firewall bases the scores on:
- Traffic type: Certain HTTP traffic types are more likely to involve botnet activity. For example, the report assigns a higher confidence to hosts that visit known malware URLs than to hosts that browse to IP domains instead of URLs, assuming you defined both those activities as suspicious.
- Number of events: Hosts that are associated with a higher number of suspicious events will have higher confidence scores based on the thresholds (Count values) you define when you Configure a Botnet Report.
- Executable downloads: The report assigns a higher confidence to hosts that download executable files. Executable files are a part of many infections and, when combined with the other types of suspicious traffic, can help you prioritize your investigations of compromised hosts.

When reviewing the report output, you might find that the sources the firewall uses to evaluate botnet activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find that these sources identify traffic that you consider safe. To compensate in both cases, you can add query filters when you Configure a Botnet Report.
Generate the SaaS Application Usage Report
The SaaS Application Usage PDF report is a two-part report that is based on the notion of sanctioned and unsanctioned applications. A sanctioned application is an application that you formally approve for use on your network. A SaaS application is an application that has the characteristic SaaS=yes in the application details page in Objects > Applications; all other applications are considered non-SaaS. To indicate that you have sanctioned a SaaS or non-SaaS application, you must tag it with the new predefined tag named Sanctioned. The firewall and Panorama consider any application without this predefined tag as unsanctioned for use on the network.

- The first part of the report (10 pages) focuses on the SaaS applications used on your network during the reporting period. It presents a comparison of sanctioned versus unsanctioned SaaS applications by total number of applications used on your network, bandwidth consumed by these applications, the number of users using these applications, top user groups that use the largest number of SaaS applications, and the top user groups that transfer the largest volume of data through sanctioned and unsanctioned SaaS applications. This first part of the report also highlights the top SaaS application subcategories listed in order by maximum number of applications used, the number of users, and the amount of data (bytes) transferred in each application subcategory.
- The second part of the report focuses on the detailed browsing information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. For each application in a subcategory, it also includes information about the top users who transferred data, the top blocked or alerted file types, and the top threats for each application. In addition, this section of the report tallies samples for each application that the firewall submitted for WildFire analysis, and the number of samples determined to be benign and malicious.

Use the insights from this report to consolidate the list of business-critical and approved SaaS applications and to enforce policies for controlling unsanctioned applications that pose an unnecessary risk for malware propagation and data leaks.

The predefined SaaS application usage report introduced in PAN-OS 7.0 is still available as a daily report that lists the top 100 SaaS applications (with the SaaS application characteristic SaaS=yes) running on your network on a given day.

Step 2: Configure the SaaS Application Usage report.
1. Select Monitor > PDF Reports > SaaS Application Usage.
2. Click Add, enter a Name, and select a Time Period for the report (default is Last 7 Days).
By default, the report includes detailed information on the top SaaS and non-SaaS application subcategories, which can make the report large by page count and file size. Clear the Include detailed application category information in report check box if you want to reduce the file size and restrict the page count to 10 pages.
3. Select whether you want the report to Include logs from:
- All User Groups and Zones: The report includes data on all security zones and user groups available in the logs. If you want to include specific user groups in the report, select Include user group information in the report and click the manage groups link to select the groups you want to include. You must add between one and a maximum of 25 user groups so that the firewall or Panorama can filter the logs for the selected user groups. If you do select groups to include, the report aggregates all other user groups into one group called Others.
- Selected Zone: The report filters data for the specified security zone, and includes data on that zone only. If you want to include specific user groups in the report, select Include user group information in the report and click the manage groups for selected zone link to select the user groups within this zone that you want to include in the report. You must add between one and a maximum of 25 user groups so that the firewall or Panorama can filter the logs for the selected user groups within the security zone. If you do select groups to include, the report aggregates all other user groups into one group called Others.
- Selected User Group: The report filters data for the specified user group only, and includes SaaS application usage information for the selected user group only.
4. Select whether you want to include all the application subcategories in the report (the default) or Limit the max subcategories in the report to the top 10, 15, 20, or 25 subcategories.
5. Click Run Now to generate the report on demand for the last 7 days and the last 30 days time periods. Make sure that the pop-up blocker is disabled on your browser because the report opens in a new tab.
6. Click OK to save your changes.
Manage PDF Summary Reports
PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each category (instead of top 50). They also contain trend charts that are not available in other reports.

Generate PDF Summary Reports
Step 1: Set up a PDF Summary Report.
1. Select Monitor > PDF Reports > Manage PDF Summary.
2. Click Add and then enter a Name for the report.
3. Use the drop-down for each report group and select one or more of the elements to design the PDF Summary Report. You can include a maximum of 18 report elements.
To remove an element from the report, click the x icon or clear the selection from the drop-down for the appropriate report group.
To rearrange the reports, drag and drop the element icons to another area of the report.
4. Click OK to save the report.
5. Commit the changes.
Generate User/Group Activity Reports
User/Group Activity reports summarize the web activity of individual users or user groups. Both reports include the same information except for the Browsing Summary by URL Category and Browse time calculations, which only the User Activity report includes.

You must configure User-ID on the firewall to access the list of users and user groups.

Step 2: Generate the User/Group Activity report.
1. Select Monitor > PDF Reports > User Activity Report.
2. Click Add and then enter a Name for the report.
3. Create the report:
- User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user.
- Group Activity Report: Select Group and select the Group Name of the user group.
4. Select the Time Period for the report.
5. (Optional) Select the Include Detailed Browsing check box (default is cleared) to include detailed URL logs in the report. The detailed browsing information can include a large volume of logs (thousands of logs) for the selected user or user group and can make the report very large.
6. To run the report on demand, click Run Now.
7. To save the report configuration, click OK. You can't save the output of User/Group Activity reports on the firewall. To schedule the report for email delivery, see Schedule Reports for Email Delivery.
Manage Report Groups
Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included.

Set up Report Groups
The Log View report is a report type that is automatically created each time you create a custom report and uses the same name as the custom report. This report will show the logs that were used to build the contents of the custom report.
To include the log view data when creating a report group, add your custom report under the Custom Reports list and then add the log view report by selecting the matching report name from the Log View list. The report will include the custom report data and the log data that was used to create the custom report.
e. Click OK to save the settings.
f. To use the report group, see Schedule Reports for Email Delivery.
Schedule Reports for Email Delivery
Reports can be scheduled for daily delivery or delivered weekly on a specified day. Scheduled reports are executed starting at 2:00 AM, and email delivery starts after all scheduled reports have been generated.

Step 2: Enter a Name to identify the schedule.
Step 5: Select the frequency at which to generate and send the report in Recurrence.
Step 7: Click OK and Commit.
Use External Services for Monitoring
Using an external service to monitor the firewall enables you to receive alerts for important events, archive monitored information on systems with dedicated long-term storage, and integrate with third-party security monitoring tools. The following are some common scenarios for using external services:
- For immediate notification about important system events or threats, you can Monitor Statistics Using SNMP, Forward Traps to an SNMP Manager, or Configure Email Alerts.
- To send an HTTP-based API request directly to any third-party service that exposes an API, in order to automate a workflow or an action. You can, for example, forward logs that match defined criteria to create an incident ticket on ServiceNow instead of relying on an external system to convert syslog messages or SNMP traps to an HTTP request. You can modify the URL, HTTP header, parameters, and the payload in the HTTP request to trigger an action based on the attributes in a firewall log. See Forward Logs to an HTTP(S) Destination.
- For long-term log storage and centralized firewall monitoring, you can Configure Syslog Monitoring to send log data to a syslog server. This enables integration with third-party security monitoring tools such as Splunk or ArcSight.
- For monitoring statistics on the IP traffic that traverses firewall interfaces, you can Configure NetFlow Exports to view the statistics in a NetFlow collector.

You can Configure Log Forwarding from the firewalls directly to external services, or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.

You can't aggregate NetFlow records on Panorama; you must send them directly from the firewalls to a NetFlow collector.
Configure Log Forwarding
In an environment where you use multiple firewalls to control and analyze network traffic, any single firewall can display logs and reports only for the traffic it monitors. Because logging in to multiple firewalls makes monitoring cumbersome, you can more efficiently achieve global visibility into network activity by forwarding the logs from all firewalls to Panorama or to external services. If you Use External Services for Monitoring, the firewall automatically converts the logs to the necessary format: syslog messages, SNMP traps, email notifications, or an HTTP payload that sends the log details to an HTTP(S) server. Where some teams in your organization can work more efficiently by monitoring only the logs that are relevant to their operations, you can create forwarding filters based on any log attributes (such as threat type or source user). For example, a security operations analyst who investigates malware attacks might be interested only in Threat logs with the subtype attribute set to wildfire-virus.
You can forward logs from the firewalls directly to external services, or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the PA-7000 Series firewall, that platform does not support these options. You can also use the web interface on all platforms to View and Manage Reports, but only on a per-log-type basis, not for the entire log database.
Configure Email Alerts
You can configure email alerts for System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs.
Use Syslog for Monitoring
Syslog is a standard log transport mechanism that enables the aggregation of log data from network devices of different kinds (routers, firewalls, printers) and from different vendors into a central repository for archiving, analysis, and reporting. Palo Alto Networks firewalls can forward every type of log they generate to an external syslog server. You can use TCP or SSL for reliable and secure log forwarding, or UDP for non-secure forwarding. UDP delivery is neither acknowledged nor encrypted, so messages can be lost silently and can be read or spoofed on the wire; prefer SSL when log traffic crosses a network you do not fully trust.
- Configure Syslog Monitoring
- Syslog Field Descriptions
Configure Syslog Monitoring
To Use Syslog for Monitoring a Palo Alto Networks firewall, create a Syslog server profile and assign it to the log settings for each log type. Optionally, you can configure the header format used in syslog messages and enable client authentication for syslog over SSL, in which case the firewall presents a certificate to the syslog server.
Syslog Field Descriptions
The following topics list the standard fields of each log type that Palo Alto Networks firewalls can forward to an external server, as well as the severity levels, custom formats, and escape sequences. To facilitate parsing, the delimiter is a comma: each field is a comma-separated value (CSV) string. Parse the payload with a CSV parser that honors quoting rather than splitting on commas, because values such as URLs or rule names can themselves contain commas. The FUTURE_USE tag applies to fields that the firewalls do not currently implement.
WildFire Submissions logs are a subtype of Threat log and use the same syslog format.
- Traffic Log Fields
- Threat Log Fields
- HIP Match Log Fields
- User-ID Log Fields
- Tunnel Inspection Log Fields
- Config Log Fields
- Authentication Log Fields
- System Log Fields
- Correlated Events Log Fields
- Custom Log/Event Format
- Escape Sequences
Traffic Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type
Field Name: Description
Receive Time: Time the log was received at the management plane.
Serial Number (Serial #): Serial number of the firewall that generated the log.
Type: Specifies type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type: Subtype of traffic log; values are start, end, drop, and deny.
  - start: session started
  - end: session ended
  - drop: session dropped before the application is identified and there is no rule that allows the session.
  - deny: session dropped after the application is identified and there is a rule to block or no rule that allows the session.
Generated Time (Generate Time): Time the log was generated on the dataplane.
Source Address: Original session source IP address.
Destination Address: Original session destination IP address.
NAT Source IP: If source NAT was performed, the post-NAT source IP address.
NAT Destination IP: If destination NAT was performed, the post-NAT destination IP address.
Rule Name (Rule): Name of the rule that the session matched.
Source User: Username of the user who initiated the session.
Destination User: Username of the user to which the session was destined.
Application: Application associated with the session.
Virtual System: Virtual System associated with the session.
Source Zone: Zone the session was sourced from.
Destination Zone: Zone the session was destined to.
Inbound Interface: Interface that the session was sourced from.
Outbound Interface: Interface that the session was destined to.
Log Action: Log Forwarding Profile that was applied to the session.
Session ID: An internal numerical identifier applied to each session.
Repeat Count: Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Source Port: Source port utilized by the session.
Destination Port: Destination port utilized by the session.
NAT Source Port: Post-NAT source port.
NAT Destination Port: Post-NAT destination port.
Flags: 32-bit field that provides details on the session; this field can be decoded by ANDing the values below with the logged value:
  - 0x80000000: session has a packet capture (PCAP)
  - 0x02000000: IPv6 session
  - 0x01000000: SSL session was decrypted (SSL Proxy)
  - 0x00800000: session was denied via URL filtering
  - 0x00400000: session has a NAT translation performed (NAT)
  - 0x00200000: user information for the session was captured through Captive Portal
  - 0x00080000: X-Forwarded-For value from a proxy is in the source user field
  - 0x00040000: log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  - 0x00008000: session is a container page access (Container Page)
  - 0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
  - 0x00000800: symmetric return was used to forward traffic for this session
IP Protocol: IP protocol associated with the session.
Action: Action taken for the session; possible values are:
  - allow: session was allowed by policy
  - deny: session was denied by policy
  - drop: session was dropped silently
  - drop-icmp: session was silently dropped with an ICMP unreachable message to the host or application
  - reset-both: session was terminated and a TCP reset is sent to both sides of the connection
  - reset-client: session was terminated and a TCP reset is sent to the client
  - reset-server: session was terminated and a TCP reset is sent to the server
Bytes: Number of total bytes (transmit and receive) for the session.
Bytes Sent: Number of bytes in the client-to-server direction of the session. Available on all models except the PA-4000 Series.
Bytes Received: Number of bytes in the server-to-client direction of the session. Available on all models except the PA-4000 Series.
Packets: Number of total packets (transmit and receive) for the session.
Start Time: Time of session start.
Elapsed Time (sec): Elapsed time of the session.
Category: URL category associated with the session (if applicable).
Sequence Number: A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags: A bit field indicating if the log was forwarded to Panorama.
Source Country: Source country or Internal region for private addresses; maximum length is 32 bytes.
Destination Country: Destination country or Internal region for private addresses; maximum length is 32 bytes.
Packets Sent (pkts_sent): Number of client-to-server packets for the session. Available on all models except the PA-4000 Series.
Packets Received (pkts_received): Number of server-to-client packets for the session. Available on all models except the PA-4000 Series.
Session End Reason (session_end_reason): The reason a session terminated. If the termination had multiple causes, this field displays only the highest-priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
  - threat: The firewall detected a threat associated with a reset, drop, or block (IP address) action.
  - policy-deny: The session matched a security rule with a deny or drop action.
  - decrypt-cert-validation: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification timeout. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
  - decrypt-unsupport-param: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
  - decrypt-error: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
  - tcp-rst-from-client: The client sent a TCP reset to the server.
  - tcp-rst-from-server: The server sent a TCP reset to the client.
  - resources-unavailable: The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
  - tcp-fin: One host or both hosts in the connection sent a TCP FIN message to close the session.
  - tcp-reuse: A session is reused and the firewall closes the previous session.
  - decoder: The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
  - aged-out: The session aged out.
  - unknown: This value applies in the following situations:
    - Session terminations that the preceding reasons do not cover (for example, a clear session all command).
    - For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
    - In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.
  - n/a: This value applies when the traffic log type is not end.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  - CLI command in configure mode: show readonly dg-meta-data
  - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name: The hostname of the firewall on which the session was logged.
Action Source (action_source): Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
Source VM UUID: Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
Destination VM UUID: Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
Tunnel ID/IMSI: ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Monitor Tag/IMEI: Monitor name you configured for the Tunnel Inspection policy rule or the International Mobile Equipment Identity (IMEI) ID of the mobile device.
Parent Session ID: ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only.
Parent Start Time (parent_start_time): Year/month/day hours:minutes:seconds that the parent tunnel session began.
Tunnel Type (Tunnel): Type of tunnel, such as GRE or IPSec.
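As an added example (not part of this guide and not Palo Alto Networks code), the following Python parser consumes Traffic log lines in the format documented above: it strips an assumed BSD-style syslog header, splits the CSV payload into the 61 positions listed in the Format line, decodes the Flags bit field with the values from the table, and ranks Session End Reason values in the documented priority order. The sample line, its hostname PA-3020-DC1, serial number, addresses, users and rule names are all constructed for illustration.

```python
import csv
import re

# Field order of the PAN-OS 8.0 Traffic log syslog format, as listed in the Format line
# above (61 positions; FUTURE_USE slots are kept so the indexes stay aligned).
TRAFFIC_FIELDS = [
    "future_use_1", "receive_time", "serial", "type", "subtype", "future_use_2",
    "generated_time", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "future_use_3", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "bytes", "bytes_sent",
    "bytes_received", "packets", "start", "elapsed", "category", "future_use_4",
    "seqno", "actionflags", "srcloc", "dstloc", "future_use_5", "pkts_sent",
    "pkts_received", "session_end_reason", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name",
    "action_source", "src_uuid", "dst_uuid", "tunnelid_imsi", "monitortag_imei",
    "parent_session_id", "parent_start_time", "tunnel",
]

# Flags bit values and their meaning, from the Flags field description above.
FLAG_BITS = {
    0x80000000: "pcap",
    0x02000000: "ipv6",
    0x01000000: "ssl_decrypted",
    0x00800000: "url_denied",
    0x00400000: "nat",
    0x00200000: "captive_portal",
    0x00080000: "x_forwarded_for",
    0x00040000: "proxy_transaction",
    0x00008000: "container_page",
    0x00002000: "temporary_rule_match",
    0x00000800: "symmetric_return",
}

# Session End Reason values in the priority order documented above (first is highest).
SESSION_END_PRIORITY = [
    "threat", "policy-deny", "decrypt-cert-validation", "decrypt-unsupport-param",
    "decrypt-error", "tcp-rst-from-client", "tcp-rst-from-server",
    "resources-unavailable", "tcp-fin", "tcp-reuse", "decoder", "aged-out",
    "unknown", "n/a",
]

# Assumption: the syslog transport prepends a BSD-style header
# ("<PRI>Mon dd hh:mm:ss hostname ") before the CSV payload; strip it if present.
SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s")


def decode_flags(value):
    """Return the set of flag names whose bit is set in the (hex) Flags field."""
    bits = int(value, 16) if value.lower().startswith("0x") else int(value)
    return {name for bit, name in FLAG_BITS.items() if bits & bit}


def highest_priority_reason(reasons):
    """Of several candidate end reasons, return the one the firewall would log."""
    def rank(reason):
        return (SESSION_END_PRIORITY.index(reason)
                if reason in SESSION_END_PRIORITY else len(SESSION_END_PRIORITY))
    ranked = sorted(reasons, key=rank)
    return ranked[0] if ranked else None


def parse_traffic_log(line):
    """Parse one Traffic log line (CSV payload, optional syslog header) into a dict."""
    payload = SYSLOG_HEADER.sub("", line.strip(), count=1)
    # A CSV reader honors quoting, so values that themselves contain commas survive.
    fields = next(csv.reader([payload]))
    if len(fields) < len(TRAFFIC_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(TRAFFIC_FIELDS), len(fields)))
    rec = dict(zip(TRAFFIC_FIELDS, fields))
    if rec["type"].lower() != "traffic":
        raise ValueError("not a Traffic log: type=%r" % rec["type"])
    rec["flag_names"] = decode_flags(rec["flags"])
    for key in ("bytes", "bytes_sent", "bytes_received", "packets",
                "pkts_sent", "pkts_received"):
        rec[key] = int(rec[key])
    return rec


# Constructed sample (hostname, serial, addresses, user and rule names are made up):
# an allowed, source-NATed web session that ended with a TCP FIN.
SAMPLE_TRAFFIC = (
    "<14>Mar 30 10:15:01 PA-3020-DC1 "
    "1,2017/03/30 10:15:01,001606001116,TRAFFIC,end,1,2017/03/30 10:15:01,"
    "10.1.1.25,93.184.216.34,203.0.113.7,93.184.216.34,allow-web,acme\\jdoe,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,forward-to-siem,"
    "2017/03/30 10:15:01,51234,1,50321,443,31337,443,0x400053,tcp,allow,"
    "8721,1423,7298,24,2017/03/30 10:14:40,19,computer-and-internet-info,0,"
    "99812,0x0,10.0.0.0-10.255.255.255,United States,0,12,12,tcp-fin,"
    "12,34,45,0,vsys1,PA-3020-DC1,from-policy,,,0,,0,2017/03/30 10:14:40,N/A"
)

if __name__ == "__main__":
    rec = parse_traffic_log(SAMPLE_TRAFFIC)
    print(rec["src"], "->", rec["dst"], rec["action"], sorted(rec["flag_names"]),
          rec["session_end_reason"], "bytes=%d" % rec["bytes"])
```

The field list is positional, so a line with fewer fields than expected (for example one produced by a different PAN-OS release or truncated by a relay) is rejected rather than silently mis-mapped; that check is the one most often missing from ad-hoc SIEM parsers.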
Threat Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID, File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID, HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category, Content Version, FUTURE_USE
Field Name: Description
Receive Time: Time the log was received at the management plane.
Serial Number (serial #): Serial number of the firewall that generated the log.
Type: Specifies type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type: Subtype of threat log. Values include the following:
  - data: Data pattern matching a Data Filtering profile.
  - file: File type matching a File Blocking profile.
  - flood: Flood detected via a Zone Protection profile.
  - packet: Packet-based attack protection triggered by a Zone Protection profile.
  - scan: Scan detected via a Zone Protection profile.
  - spyware: Spyware detected via an Anti-Spyware profile.
  - url: URL filtering log.
  - virus: Virus detected via an Antivirus profile.
  - vulnerability: Vulnerability exploit detected via a Vulnerability Protection profile.
  - wildfire: A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malicious, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
  - wildfire-virus: Virus detected via an Antivirus profile.
Generated Time (Generate Time): Time the log was generated on the dataplane.
Source Address: Original session source IP address.
Destination Address: Original session destination IP address.
NAT Source IP: If source NAT was performed, the post-NAT source IP address.
NAT Destination IP: If destination NAT was performed, the post-NAT destination IP address.
Rule Name (rule): Name of the rule that the session matched.
Source User: Username of the user who initiated the session.
Destination User: Username of the user to which the session was destined.
Application: Application associated with the session.
Virtual System: Virtual System associated with the session.
Source Zone: Zone the session was sourced from.
Destination Zone: Zone the session was destined to.
Inbound Interface: Interface that the session was sourced from.
Outbound Interface: Interface that the session was destined to.
Log Action: Log Forwarding Profile that was applied to the session.
Session ID: An internal numerical identifier applied to each session.
Repeat Count: Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen within 5 seconds; used for ICMP only.
Source Port: Source port utilized by the session.
Destination Port: Destination port utilized by the session.
NAT Source Port: Post-NAT source port.
NAT Destination Port: Post-NAT destination port.
Flags: 32-bit field that provides details on the session; this field can be decoded by ANDing the values below with the logged value:
  - 0x80000000: session has a packet capture (PCAP)
  - 0x02000000: IPv6 session
  - 0x01000000: SSL session was decrypted (SSL Proxy)
  - 0x00800000: session was denied via URL filtering
  - 0x00400000: session has a NAT translation performed (NAT)
  - 0x00200000: user information for the session was captured through Captive Portal
  - 0x00080000: X-Forwarded-For value from a proxy is in the source user field
  - 0x00040000: log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  - 0x00008000: session is a container page access (Container Page)
  - 0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
  - 0x00000800: symmetric return was used to forward traffic for this session
IP Protocol: IP protocol associated with the session.
Action: Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
  - alert: threat or URL detected but not blocked
  - allow: flood detection alert
  - deny: flood detection mechanism activated and denied traffic based on configuration
  - drop: threat detected and associated session was dropped
  - drop-all-packets: threat detected and session remains, but all packets are dropped
  - reset-client: threat detected and a TCP RST is sent to the client
  - reset-server: threat detected and a TCP RST is sent to the server
  - reset-both: threat detected and a TCP RST is sent to both the client and the server
  - block-url: URL request was blocked because it matched a URL category that was set to be blocked
URL/Filename: Field with variable length and a maximum of 1023 characters.
  - The actual URI when the subtype is url
  - File name or file type when the subtype is file
  - File name when the subtype is virus
  - File name when the subtype is wildfire
Threat/Content Name: Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some subtypes:
  - 8000 to 8099: scan detection
  - 8500 to 8599: flood detection
  - 9999: URL filtering log
  - 10000 to 19999: spyware phone-home detection
  - 20000 to 29999: spyware download detection
  - 30000 to 44999: vulnerability exploit detection
  - 52000 to 52999: file type detection
  - 60000 to 69999: data filtering detection
  - 1000000 to 2999999: virus detection
  - 3000000 to 3999999: WildFire signature feed
  - 4000000 to 4999999: DNS botnet signatures
Category: For the url subtype, it is the URL category; for the wildfire subtype, it is the verdict on the file and is either malicious, phishing, grayware, or benign; for other subtypes, the value is any.
Severity: Severity associated with the threat; values are informational, low, medium, high, critical.
Direction: Indicates the direction of the attack, client-to-server or server-to-client:
  - 0: direction of the threat is client to server
  - 1: direction of the threat is server to client
Sequence Number: A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags: A bit field indicating if the log was forwarded to Panorama.
Source Country: Source country or Internal region for private addresses. Maximum length is 32 bytes.
Destination Country: Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Content Type (contenttype): Applicable only when the subtype is url. Content type of the HTTP response data. Maximum length 32 bytes.
PCAP ID (pcap_id): The packet capture (pcap) ID is a 64-bit unsigned integer denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap) or an ID referencing the extended pcap file.
File Digest (filedigest): Only for the wildfire subtype; all other types do not use this field. The file digest string shows the binary hash of the file sent to be analyzed by the WildFire service.
Cloud (cloud): Only for the wildfire subtype; all other types do not use this field. The cloud string displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis.
URL Index (url_idx): Used in URL Filtering and WildFire subtypes. When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session. For example, to learn the URL of a file that the firewall forwarded to WildFire for analysis, locate the session ID and the url_idx from the WildFire Submissions log and search for the same session ID and url_idx in your URL filtering logs. The log entry that matches the session ID and url_idx will contain the URL of the file that was forwarded to WildFire.
User Agent (user_agent): Only for the URL Filtering subtype; all other types do not use this field. The User Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer. This information is sent in the HTTP request to the server.
File Type (filetype): Only for the wildfire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.
X-Forwarded-For (xff): Only for the URL Filtering subtype; all other types do not use this field. The X-Forwarded-For field in the HTTP header contains the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is particularly useful if you have a proxy server on your network that replaces the user IP address with its own address in the source IP address field of the packet header.
Referer (referer): Only for the URL Filtering subtype; all other types do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.
Sender (sender): Only for the wildfire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Subject (subject): Only for the wildfire subtype; all other types do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Recipient (recipient): Only for the wildfire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Report ID (reportid): Only for the wildfire subtype; all other types do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  - CLI command in configure mode: show readonly dg-meta-data
  - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
Source VM UUID: Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
Destination VM UUID: Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
HTTP Method: Only in URL filtering logs. Describes the HTTP method used in the web request. Only the following methods are logged: Connect, Delete, Get, Head, Options, Post, Put.
Tunnel ID/IMSI: ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Monitor Tag/IMEI: The user-defined value that groups similar traffic together for logging and reporting. This value is globally defined.
Parent Session ID: ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only.
Parent Start Time (parent_start_time): Year/month/day hours:minutes:seconds that the parent tunnel session began.
Tunnel Type (Tunnel): Type of tunnel, such as GRE or IPSec.
Threat Category (thr_category): Describes threat categories used to classify different types of threat signatures.
Content Version (contentver): Applications and Threats version on your firewall when the log was generated.
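As an added example (not part of this guide and not Palo Alto Networks code), the following Python code parses Threat log lines in the format above, extracts the numeric identifier from the Threat/Content Name field and classifies it with the ranges listed in that row, and then applies the kind of forwarding filter described under Configure Log Forwarding (keep only Threat logs whose subtype is wildfire-virus). The BSD-style syslog header, the sample lines, the threat names and numbers, the hostname PA-3020-DC1, the serial number, addresses and rule names are all assumptions constructed for illustration.

```python
import csv
import re

# Field order of the PAN-OS 8.0 Threat log syslog format, as listed in the Format line
# above (72 positions; FUTURE_USE slots are kept so the indexes stay aligned).
THREAT_FIELDS = [
    "future_use_1", "receive_time", "serial", "type", "subtype", "future_use_2",
    "generated_time", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "future_use_3", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "misc", "threatid",
    "category", "severity", "direction", "seqno", "actionflags", "srcloc",
    "dstloc", "future_use_4", "contenttype", "pcap_id", "filedigest", "cloud",
    "url_idx", "user_agent", "filetype", "xff", "referer", "sender", "subject",
    "recipient", "reportid", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name",
    "future_use_5", "src_uuid", "dst_uuid", "http_method", "tunnelid_imsi",
    "monitortag_imei", "parent_session_id", "parent_start_time", "tunnel",
    "thr_category", "contentver", "future_use_6",
]

# Threat ID number ranges and what they denote, from the Threat/Content Name row above.
THREAT_ID_RANGES = [
    ((8000, 8099), "scan"),
    ((8500, 8599), "flood"),
    ((9999, 9999), "url-filtering"),
    ((10000, 19999), "spyware-phone-home"),
    ((20000, 29999), "spyware-download"),
    ((30000, 44999), "vulnerability-exploit"),
    ((52000, 52999), "file-type"),
    ((60000, 69999), "data-filtering"),
    ((1000000, 2999999), "virus"),
    ((3000000, 3999999), "wildfire-signature"),
    ((4000000, 4999999), "dns-botnet"),
]

# Assumption: a BSD-style syslog header ("<PRI>Mon dd hh:mm:ss hostname ") precedes the CSV.
SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s")
# "description(NNNN)": the trailing parenthesised number is the numeric threat ID.
THREAT_ID_NUMBER = re.compile(r"\((\d+)\)\s*$")


def threat_id_number(threatid):
    """Return the numeric identifier from a 'description(NNNN)' value, or None."""
    match = THREAT_ID_NUMBER.search(threatid)
    return int(match.group(1)) if match else None


def threat_id_class(number):
    """Map a numeric threat ID to the detection class its range denotes."""
    for (low, high), name in THREAT_ID_RANGES:
        if low <= number <= high:
            return name
    return "unknown"


def parse_threat_log(line):
    """Parse one Threat log line (CSV payload, optional syslog header) into a dict."""
    payload = SYSLOG_HEADER.sub("", line.strip(), count=1)
    fields = next(csv.reader([payload]))  # honors quoting: URLs may contain commas
    if len(fields) < len(THREAT_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(THREAT_FIELDS), len(fields)))
    rec = dict(zip(THREAT_FIELDS, fields))
    if rec["type"].lower() != "threat":
        raise ValueError("not a Threat log: type=%r" % rec["type"])
    number = threat_id_number(rec["threatid"])
    rec["threatid_number"] = number
    rec["threatid_class"] = threat_id_class(number) if number is not None else "unknown"
    return rec


def should_forward(rec, subtypes=frozenset({"wildfire-virus"})):
    """Forwarding filter from the Configure Log Forwarding example: keep only the
    Threat subtypes a given team cares about (default: wildfire-virus)."""
    return rec["subtype"].lower() in subtypes


def filtered_for_forwarding(lines, subtypes=frozenset({"wildfire-virus"})):
    """Parse raw lines and return only the records the filter would forward."""
    return [rec for rec in map(parse_threat_log, lines) if should_forward(rec, subtypes)]


# Constructed sample: an inbound exploit attempt that was reset; the URL in the
# Miscellaneous field is quoted because it contains a comma.
SAMPLE_THREAT = (
    "<14>Mar 30 10:16:12 PA-3020-DC1 "
    "1,2017/03/30 10:16:12,001606001116,THREAT,vulnerability,1,2017/03/30 10:16:12,"
    "198.51.100.23,10.1.1.40,198.51.100.23,203.0.113.10,inbound-web,,,"
    "web-browsing,vsys1,untrust,dmz,ethernet1/1,ethernet1/2,forward-to-siem,"
    "2017/03/30 10:16:12,51299,1,44312,80,44312,8080,0x400000,tcp,reset-both,"
    "\"/cgi-bin/test.cgi?id=1,2\",Example HTTP Exploit Attempt(31234),any,high,0,"
    "100417,0x0,United States,10.0.0.0-10.255.255.255,0,,0,,,0,,,,,,,,0,"
    "12,34,45,0,vsys1,PA-3020-DC1,,,,,0,,0,,N/A,code-execution,0,0"
)
# Second constructed sample for the filter: the same line with the subtype and the
# threat name/number changed to a wildfire-virus detection.
SAMPLE_WILDFIRE_VIRUS = SAMPLE_THREAT.replace(",vulnerability,", ",wildfire-virus,", 1).replace(
    "Example HTTP Exploit Attempt(31234)", "Example Dropper Variant(3000123)", 1)

if __name__ == "__main__":
    for rec in filtered_for_forwarding([SAMPLE_THREAT, SAMPLE_WILDFIRE_VIRUS]):
        print(rec["subtype"], rec["threatid"], rec["threatid_class"], rec["action"])
```

Keying the filter on the subtype field rather than on the free-text threat name keeps it stable across content updates, and classifying by the numeric range gives a coarse category even for signatures whose names you have never seen before.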
HIP Match Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source User, Virtual System, Machine Name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, IPv6 Source Address
Field Name: Description
Receive Time: Time the log was received at the management plane.
Serial Number (Serial #): Serial number of the firewall that generated the log.
Type: Type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type: Subtype of HIP match log; unused.
Generated Time (Generate Time): Time the log was generated on the dataplane.
Source User: Username of the user who initiated the session.
Virtual System: Virtual System associated with the HIP match log.
Machine Name (machinename): Name of the user's machine.
OS: The operating system installed on the user's machine or device (or on the client system).
Source Address: IP address of the source user.
HIP (matchname): Name of the HIP object or profile.
Repeat Count: Number of times the HIP profile matched.
HIP Type (matchtype): Whether the HIP field represents a HIP object or a HIP profile.
Sequence Number: A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags: A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  - CLI command in configure mode: show readonly dg-meta-data
  - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name: The hostname of the firewall on which the session was logged.
Virtual System ID: A unique identifier for a virtual system on a Palo Alto Networks firewall.
IPv6 Source Address: IPv6 address of the user's machine or device.
User-ID Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Sequence Number, Action Flags, Type, Threat/Content Type, FUTURE_USE, Generated Time, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, Virtual System, Source IP, User, Data Source Name, Event ID, Repeat Count, Time Out Threshold, Source Port, Destination Port, Data Source, Data Source Type, FUTURE_USE, FUTURE_USE, Factor Type, Factor Completion Time, Factor Number
Field Name: Description
Receive Time (receive_time): Time the log was received at the management plane.
Serial Number (Serial #): Serial number of the firewall that generated the log.
Sequence Number: A 64-bit log entry identifier incremented sequentially; each log type has a unique number space.
Action Flags: A bit field indicating if the log was forwarded to Panorama.
Type (type): Specifies type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type: Subtype of the log. The values documented here are the Traffic log subtypes: start, end, drop, and deny.
  - start: session started
  - end: session ended
  - drop: session dropped before the application is identified and there is no rule that allows the session.
  - deny: session dropped after the application is identified and there is a rule to block or no rule that allows the session.
Generated Time (Generate Time): The time the log was generated on the dataplane.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  - CLI command in configure mode: show readonly dg-meta-data
  - API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name: The hostname of the firewall on which the session was logged.
Virtual System ID: A unique identifier for a virtual system on a Palo Alto Networks firewall.
Virtual System: Virtual System associated with the log.
Source IP: Original session source IP address.
User: Identifies the end user.
Data Source Name: User-ID source that sends the IP (Port) User Mapping.
Event ID: String showing the name of the event.
Repeat Count: Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Time Out (timeout): Timeout after which the IP/User mappings are cleared.
Source Port (beginport): Source port utilized by the session.
Destination Port (endport): Destination port utilized by the session.
Data Source: Source from which mapping information is collected.
Data Source Type: Mechanism used to identify the IP/User mappings within a data source.
Factor Type: Vendor used to authenticate a user when multi-factor authentication is present.
Factor Completion Time: Time the authentication was completed.
Factor Number: Indicates the use of primary authentication (1) or additional factors (2, 3).
Tunnel Inspection Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Severity, Sequence Number, Action Flags, Source Location, Destination Location, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel, Bytes, Bytes Sent, Bytes Received, Packets, Packets Sent, Maximum Encapsulation, Unknown Protocol, Strict Check, Tunnel Fragment, Sessions Created, Sessions Closed, Session End Reason, Action Source, Start Time, Elapsed Time
Field Name: Description
Receive Time: Month, day, and time the log was received at the management plane.
Serial Number (Serial #): Serial number of the firewall that generated the log.
Type: Type of log as it pertains to the session: start or end.
Subtype: Subtype of the log; values are start, end, drop, and deny.
  - start: session started
  - end: session ended
  - drop: session dropped before the application is identified and there is no rule that allows the session.
  - deny: session dropped after the application is identified and there is a rule to block or no rule that allows the session.
Generated Time (Generate Time): Time the log was generated on the dataplane.
Source Address: Source IP address of packets in the session.
Destination Address: Destination IP address of packets in the session.
NAT Source IP: If source NAT was performed, the post-NAT source IP address.
NAT Destination IP: If destination NAT was performed, the post-NAT destination IP address.
Rule Name (Rule): Name of the Security policy rule in effect on the session.
Source User: Source User-ID of packets in the session.
Destination User: Destination User-ID of packets in the session.
Application: Tunneling protocol used in the session.
Virtual System: Virtual System associated with the session.
Source Zone: Source zone of packets in the session.
Destination Zone: Destination zone of packets in the session.
Inbound Interface: Interface that the session was sourced from.
Outbound Interface: Interface that the session was destined to.
Log Action: Log Forwarding Profile that was applied to the session.
Session ID: Session ID of the session being logged.
Repeat Count: Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Source Port: Source port utilized by the session.
Destination Port: Destination port utilized by the session.
NAT Source Port: Post-NAT source port.
NAT Destination Port: Post-NAT destination port.
FieldName Description
Flags 32bitfieldthatprovidesdetailsonsession;thisfieldcanbedecodedbyANDingthe
valueswiththeloggedvalue:
0x80000000sessionhasapacketcapture(PCAP)
0x02000000IPv6session
0x01000000SSLsessionwasdecrypted(SSLProxy)
0x00800000sessionwasdeniedviaURLfiltering
0x00400000sessionhasaNATtranslationperformed(NAT)
0x00200000userinformationforthesessionwascapturedviathecaptiveportal
(CaptivePortal)
0x00080000XForwardedForvaluefromaproxyisinthesourceuserfield
0x00040000logcorrespondstoatransactionwithinahttpproxysession(Proxy
Transaction)
0x00008000sessionisacontainerpageaccess(ContainerPage)
0x00002000sessionhasatemporarymatchonaruleforimplicitapplication
dependencyhandling.AvailableinPANOS5.0.0andabove.
0x00000800symmetricreturnwasusedtoforwardtrafficforthissession
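The bit values listed for the Flags field, decoded the way the description says (AND each documented bit with the logged value). This is an added example, not code from the PAN-OS guide; the short flag names are my own labels, and it assumes the logged value is hexadecimal with or without a 0x prefix.

```python
"""Decode the 32-bit Flags field of a PAN-OS traffic/tunnel log line.

Added example, not code from the PAN-OS guide. Bit values and meanings are
the ones listed for the Flags field; the flag names are my own labels.
Assumes the logged value is hexadecimal, with or without a 0x prefix.
"""
from typing import List, Tuple

FLAG_BITS: Tuple[Tuple[int, str], ...] = (
    (0x80000000, "pcap"),                    # session has a packet capture
    (0x02000000, "ipv6"),                    # IPv6 session
    (0x01000000, "ssl-decrypted"),           # SSL session was decrypted (SSL Proxy)
    (0x00800000, "url-filtering-denied"),    # session was denied via URL filtering
    (0x00400000, "nat"),                     # NAT translation performed
    (0x00200000, "captive-portal"),          # user captured via the captive portal
    (0x00080000, "x-forwarded-for"),         # XFF value sits in the source user field
    (0x00040000, "proxy-transaction"),       # transaction within an HTTP proxy session
    (0x00008000, "container-page"),          # container page access
    (0x00002000, "implicit-app-dependency"), # temporary rule match for app dependency
    (0x00000800, "symmetric-return"),        # symmetric return used for this session
)

# The documented bits are disjoint, so summing them equals ORing them.
KNOWN_MASK = sum(bit for bit, _ in FLAG_BITS)


def flags_value(raw: str) -> int:
    """Parse the logged Flags text into an int and enforce the 32-bit width."""
    value = int(raw.strip(), 16)  # int(..., 16) accepts an optional 0x prefix
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"flags value out of 32-bit range: {raw!r}")
    return value


def decode_flags(raw: str) -> List[str]:
    """Return the names of all documented bits set in the logged value.

    Any set bit that the guide does not document is reported as a single
    'undocumented:0x........' entry so it is never silently dropped.
    """
    value = flags_value(raw)
    names = [name for bit, name in FLAG_BITS if value & bit]
    undocumented = value & ~KNOWN_MASK
    if undocumented:
        names.append(f"undocumented:0x{undocumented:08x}")
    return names


def has_flag(raw: str, name: str) -> bool:
    """True if the named flag (see FLAG_BITS) is set in the logged value."""
    return name in decode_flags(raw)


if __name__ == "__main__":
    # Constructed sample values, not captured from a real firewall.
    for sample in ("0x01400000", "0x400053", "80000000", "0x0"):
        print(sample, decode_flags(sample))
```

Bits that are set but not in the documented list are kept visible as "undocumented:0x..." rather than discarded, which matters when triaging logs from a PAN-OS release newer than this guide.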
Protocol (IP Protocol) - IP protocol associated with the session.
Action - Action taken for the session; possible values are:
- allow: session was allowed by policy
- deny: session was denied by policy
- drop: session was dropped silently
- drop-ICMP: session was silently dropped with an ICMP unreachable message to the host or application
- reset-both: session was terminated and a TCP reset is sent to both sides of the connection
- reset-client: session was terminated and a TCP reset is sent to the client
- reset-server: session was terminated and a TCP reset is sent to the server
Severity - Severity associated with the event; values are informational, low, medium, high, critical.
Sequence Number - A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags - A bit field indicating if the log was forwarded to Panorama.
Source Location (source country) - Source country or Internal region for private addresses; maximum length is 32 bytes.
Destination Location (destination country) - Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) - A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
- CLI command in configure mode: show readonly dg-meta-data
- API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name - The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name - The hostname of the firewall on which the session was logged.
Tunnel ID/IMSI - ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Monitor Tag/IMEI - Monitor name you configured for the Tunnel Inspection policy rule or the International Mobile Equipment Identity (IMEI) ID of the mobile device.
Parent Session ID - ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only.
Parent Start Time (parent_start_time) - Year/month/day hours:minutes:seconds that the parent tunnel session began.
Tunnel Type (Tunnel) - Type of tunnel, such as GRE or IPSec.
Bytes - Number of bytes in the session.
Bytes Sent - Number of bytes in the client-to-server direction of the session.
Bytes Received - Number of bytes in the server-to-client direction of the session.
Packets - Number of total packets (transmit and receive) for the session.
Packets Sent (pkts_sent) - Number of client-to-server packets for the session. Available on all models except the PA-4000 Series.
Packets Received (pkts_received) - Number of server-to-client packets for the session. Available on all models except the PA-4000 Series.
Maximum Encapsulation (max_encap) - Number of packets the firewall dropped because the packet exceeded the maximum number of encapsulation levels configured in the Tunnel Inspection policy rule (Drop packet if over maximum tunnel inspection level).
Unknown Protocol (unknown_proto) - Number of packets the firewall dropped because the packet contains an unknown protocol, as enabled in the Tunnel Inspection policy rule (Drop packet if unknown protocol inside tunnel).
Strict Checking (strict_check) - Number of packets the firewall dropped because the tunnel protocol header in the packet failed to comply with the RFC for the tunnel protocol, as enabled in the Tunnel Inspection policy rule (Drop packet if tunnel protocol fails strict header check).
Tunnel Fragment (tunnel_fragment) - Number of packets the firewall dropped because of fragmentation errors.
Sessions Created (sessions_created) - Number of inner sessions created.
Sessions Closed (sessions_closed) - Number of completed/closed sessions created.
Session End Reason (session_end_reason) - The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
- threat: The firewall detected a threat associated with a reset, drop, or block (IP address) action.
- policy-deny: The session matched a security rule with a deny or drop action.
- decrypt-cert-validation: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
- decrypt-unsupport-param: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
- decrypt-error: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
- tcp-rst-from-client: The client sent a TCP reset to the server.
- tcp-rst-from-server: The server sent a TCP reset to the client.
- resources-unavailable: The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
- tcp-fin: One host or both hosts in the connection sent a TCP FIN message to close the session.
- tcp-reuse: A session is reused and the firewall closes the previous session.
- decoder: The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
- aged-out: The session aged out.
- unknown: This value applies in the following situations:
  - Session terminations that the preceding reasons do not cover (for example, a clear session all command).
  - For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
  - In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.
- n/a: This value applies when the traffic log type is not end.
Action Source (action_source) - Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
Start Time (start) - Year/month/day hours:minutes:seconds that the session began.
Elapsed Time (sec) - Elapsed time of the session.
Authentication Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Source IP, User, Normalize User, Object, Authentication Policy, Repeat Count, Authentication ID, Vendor, Log Action, Server Profile, desc, Client Type, Event Type, Factor Number, Action Flags, Device Group Hierarchy 1, Device Group Hierarchy 2, Device Group Hierarchy 3, Device Group Hierarchy 4, Virtual System Name, Device Name
Field Name - Description
Receive Time - Time the log was received at the management plane.
Serial Number (Serial #) - Serial number of the device that generated the log.
Type - Type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type - Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (Generate Time) - Time the log was generated on the dataplane.
Virtual System - Virtual System associated with the session.
Source IP - Original session source IP address.
User - End user being authenticated.
Normalize User - Normalized version of the username being authenticated (such as appending a domain name to the username).
Object - Name of the object associated with the system event.
Authentication Policy - Policy invoked for authentication before allowing access to a protected resource.
Repeat Count - Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Authentication ID - Unique ID given across primary authentication and additional (multi-factor) authentication.
Vendor - Vendor providing additional factor authentication.
Log Action - Log Forwarding Profile that was applied to the session.
Server Profile (serverprofile) - Authentication server used for authentication.
Description (desc) - Additional authentication information.
Client Type - Type of client used to complete authentication (such as authentication portal).
Event Type - Result of the authentication attempt.
Factor Number - Indicates the use of primary authentication (1) or additional factors (2, 3).
Sequence Number - A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags - A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) - A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
- CLI command in configure mode: show readonly dg-meta-data
- API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name - The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name - The hostname of the firewall on which the session was logged.
Config Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail, After Change Detail, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
Field Name - Description
Receive Time - Time the log was received at the management plane.
Serial Number (Serial #) - Serial number of the device that generated the log.
Type - Type of log; values are traffic, threat, config, system and hip-match.
Content/Threat Type - Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (Generate Time) - Time the log was generated on the dataplane.
Host - Hostname or IP address of the client machine.
Virtual System - Virtual System associated with the configuration log.
Command (cmd) - Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.
Admin (admin) - Username of the Administrator performing the configuration.
Client (client) - Client used by the Administrator; values are Web and CLI.
Result (result) - Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized.
Configuration Path (path) - The path of the configuration command issued; up to 512 bytes in length.
Before Change Detail (before_change_detail) - This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.
After Change Detail (after_change_detail) - This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.
Sequence Number (seqno) - A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags) - A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) - A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
- CLI command in configure mode: show readonly dg-meta-data
- API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name - The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name - The hostname of the firewall on which the session was logged.
System Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
Field Name - Description
Receive Time - Time the log was received at the management plane.
Serial Number (Serial #) - Serial number of the firewall that generated the log.
Type - Type of log; values are traffic, threat, config, system and hip-match.
Content/Threat Type - Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (Generate Time) - Time the log was generated on the dataplane.
Virtual System - Virtual System associated with the configuration log.
Event ID - String showing the name of the event.
Object - Name of the object associated with the system event.
Module (module) - This field is valid only when the value of the Subtype field is general. It provides additional information about the subsystem generating the log; values are general, management, auth, ha, upgrade, chassis.
Severity - Severity associated with the event; values are informational, low, medium, high, critical.
Description - Detailed description of the event, up to a maximum of 512 bytes.
Sequence Number - A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags - A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) - A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
- CLI command in configure mode: show readonly dg-meta-data
- API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name - The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name - The hostname of the firewall on which the session was logged.
Correlated Events Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Source Address, Source User, Virtual System, Category, Severity, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, Object Name, Object ID, Evidence
Field Name - Description
Receive Time - Time the log was received at the management plane.
Serial Number (Serial #) - Serial number of the device that generated the log.
Type - Type of log; values are traffic, threat, config, system and hip-match.
Content/Threat Type - Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (Generate Time) - Time the log was generated on the dataplane.
Source Address - IP address of the user who initiated the event.
Source User - Username of the user who initiated the event.
Virtual System - Virtual System associated with the configuration log.
Category - A summary of the kind of threat or harm posed to the network, user, or host.
Severity - Severity associated with the event; values are informational, low, medium, high, critical.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) - A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
- CLI command in configure mode: show readonly dg-meta-data
- API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name - The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name - The hostname of the firewall on which the session was logged.
Virtual System ID - A unique identifier for a virtual system on a Palo Alto Networks firewall.
Object Name (objectname) - Name of the correlation object that was matched on.
Object ID - Name of the object associated with the system event.
Evidence - A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times).
Syslog Severity
The syslog severity is set based on the log type and contents.
Log Type / Severity - Syslog Severity
Traffic - Info
Config - Info
Threat/System Informational - Info
Threat/System Low - Notice
Threat/System Medium - Warning
Threat/System High - Error
Threat/System Critical - Critical
Custom Log/Event Format
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key:Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.
To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.
Escape Sequences
Any field that contains a comma or a double quote is enclosed in double quotes. Furthermore, if a double quote appears inside a field it is escaped by preceding it with another double quote. To maintain backward compatibility, the Misc field in threat logs is always enclosed in double quotes.
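A parser for Config log lines in the default format that applies the escape rule just described, maps positions to the field names from the Config Log Fields Format line, unpacks the dg_hier_level_1 to dg_hier_level_4 values into an ancestor chain, and flags results a reviewer would want to see (Unauthorized or Failed changes, and changes from outside the management network). This is an added example, not code from the PAN-OS guide; the sample lines, serial number, addresses, admin names and management subnet are constructed.

```python
"""Parse PAN-OS Config log lines (default syslog format) and flag risky ones.

Added example, not code from the PAN-OS guide. Field order is taken from the
Config Log Fields "Format:" line; the quoting rule is the one described under
"Escape Sequences". Sample lines, serial number, host addresses, admin names
and the management subnet are constructed for illustration.
"""
import csv
import io
import ipaddress
from typing import Dict, List

# Field order copied from the Config Log Fields "Format:" line.
CONFIG_LOG_FIELDS = [
    "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Content/Threat Type",
    "FUTURE_USE", "Generated Time", "Host", "Virtual System", "Command", "Admin",
    "Client", "Result", "Configuration Path", "Sequence Number", "Action Flags",
    "Before Change Detail", "After Change Detail",
    "Device Group Hierarchy Level 1", "Device Group Hierarchy Level 2",
    "Device Group Hierarchy Level 3", "Device Group Hierarchy Level 4",
    "Virtual System Name", "Device Name",
]


def split_fields(line: str) -> List[str]:
    """Split one line with the PAN-OS escape rule.

    A field containing a comma or double quote is enclosed in double quotes and
    an embedded double quote is doubled; csv's default dialect does exactly that.
    """
    return next(csv.reader(io.StringIO(line), delimiter=",",
                           quotechar='"', doublequote=True))


def parse_config_log(line: str) -> Dict[str, str]:
    """Map a Config log line onto its named fields (FUTURE_USE positions dropped)."""
    values = split_fields(line)
    if len(values) != len(CONFIG_LOG_FIELDS):
        raise ValueError(f"expected {len(CONFIG_LOG_FIELDS)} fields, got {len(values)}")
    return {name: value for name, value in zip(CONFIG_LOG_FIELDS, values)
            if name != "FUTURE_USE"}


def device_group_chain(record: Dict[str, str]) -> List[int]:
    """Return the device groups leaf first, e.g. 12,34,45,0 -> [45, 34, 12].

    Level 1 is the top-most ancestor; a 0 means that level is unused, and the
    shared group (level 0) never appears in the log.
    """
    levels = [int(record[f"Device Group Hierarchy Level {i}"] or 0) for i in range(1, 5)]
    return [dg for dg in reversed(levels) if dg != 0]


def review_config_logs(lines: List[str], mgmt_nets: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line whose Result or originating Host needs review."""
    allowed = [ipaddress.ip_network(net) for net in mgmt_nets]
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_config_log(line)
        reasons: List[str] = []
        if rec["Result"] in ("Unauthorized", "Failed"):
            reasons.append(rec["Result"].lower())
        try:  # Host may be a hostname; the subnet check only applies to IP addresses
            host = ipaddress.ip_address(rec["Host"])
            if not any(host in net for net in allowed):
                reasons.append("host-outside-management-network")
        except ValueError:
            pass
        if reasons:
            findings.append({"Admin": rec["Admin"], "Host": rec["Host"],
                             "Command": rec["Command"], "Path": rec["Configuration Path"],
                             "DeviceGroups": device_group_chain(rec), "reasons": reasons})
    return findings


# Constructed sample lines; the first shows a quoted path with an embedded
# comma and doubled double quotes, the second an Unauthorized CLI change.
SAMPLE_LINES = [
    '1,2017/03/30 10:15:02,007200001234,CONFIG,0,0,2017/03/30 10:15:02,10.1.1.25,vsys1,'
    'set,admin,Web,Succeeded,"config shared address ""web-1, prod""",12345,0x0,,,'
    '12,34,45,0,,PA-FW-01',
    '1,2017/03/30 10:16:40,007200001234,CONFIG,0,0,2017/03/30 10:16:40,203.0.113.7,vsys1,'
    'set,jdoe,CLI,Unauthorized,deviceconfig system,12346,0x0,,,12,34,45,0,,PA-FW-01',
]

if __name__ == "__main__":
    for finding in review_config_logs(SAMPLE_LINES, ["10.1.1.0/24"]):
        print(finding)
```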
SNMP Monitoring and Traps
The following topics describe how Palo Alto Networks firewalls, Panorama, and WF-500 appliances implement SNMP, and the procedures to configure SNMP monitoring and trap delivery.
- SNMP Support
- Use an SNMP Manager to Explore MIBs and Objects
- Enable SNMP Services for Firewall-Secured Network Elements
- Monitor Statistics Using SNMP
- Forward Traps to an SNMP Manager
- Supported MIBs
SNMP Support
You can use an SNMP manager to monitor event-driven alerts and operational statistics for the firewall, Panorama, or WF-500 appliance and for the traffic they process. The statistics and traps can help you identify resource limitations, system changes or failures, and malware attacks. You configure alerts by forwarding log data as traps, and enable the delivery of statistics in response to GET messages (requests) from your SNMP manager. Each trap and statistic has an object identifier (OID). Related OIDs are organized hierarchically within the Management Information Bases (MIBs) that you load into the SNMP manager to enable monitoring.
When an event triggers SNMP trap generation (for example, an interface goes down), the firewall, Panorama virtual appliance, M-Series appliance, and WF-500 appliance respond by updating the corresponding SNMP object (for example, the interfaces MIB) instead of waiting for the periodic update of all objects that occurs every ten seconds. This ensures that your SNMP manager displays the latest information when polling an object to confirm an event.
The firewall, Panorama, and WF-500 appliance support SNMP Version 2c and Version 3. Decide which to use based on the version that other devices in your network support and on your network security requirements. SNMPv3 is more secure and enables more granular access control for system statistics than SNMPv2c. The following table summarizes the security features of each version. You select the version and configure the security features when you Monitor Statistics Using SNMP and Forward Traps to an SNMP Manager.
Figure: SNMP Implementation illustrates a deployment in which firewalls forward traps to an SNMP manager while also forwarding logs to Log Collectors. Alternatively, you could configure the Log Collectors to forward the firewall traps to the SNMP manager. For details on these deployments, refer to Log Forwarding Options. In all deployments, the SNMP manager gets statistics directly from the firewall, Panorama, or WF-500 appliance. In this example, a single SNMP manager collects both traps and statistics, though you can use separate managers for these functions if that better suits your network.
Figure: SNMP Implementation
Use an SNMP Manager to Explore MIBs and Objects
To use SNMP for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must first load the Supported MIBs into your SNMP manager and determine which object identifiers (OIDs) correspond to the system statistics and traps you want to monitor. The following topics provide an overview of how to find OIDs and MIBs in an SNMP manager. For the specific steps to perform these tasks, refer to your SNMP management software.
- Identify a MIB Containing a Known OID
- Walk a MIB
- Identify the OID for a System Statistic or Trap
Identify a MIB Containing a Known OID
If you already know the OID for a particular SNMP object (statistic or trap) and want to know the OIDs of similar objects so you can monitor them, you can explore the MIB that contains the known OID.
Identify a MIB Containing a Known OID
Step 1 Load all the Supported MIBs into your SNMP manager.
Step 2 Search the entire MIB tree for the known OID. The search result displays the MIB path for the OID, as well as information about the OID (for example, name, status, and description). You can then select other OIDs in the same MIB to see information about them.
Step 3 (Optional) Walk a MIB to display all its objects.
Walk a MIB
If you want to see which SNMP objects (system statistics and traps) are available for monitoring, displaying all the objects of a particular MIB can be useful. To do this, load the Supported MIBs into your SNMP manager and perform a walk on the desired MIB. To list the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, walk the panCommonEventEventsV2 MIB. In the following example, walking the PAN-COMMON-MIB.my displays the following list of OIDs and their values for certain statistics:
Identify the OID for a System Statistic or Trap
To use an SNMP manager for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must know the OIDs of the system statistics and traps you want to monitor.
Identify the OID for a Statistic or Trap
Step 1 Review the Supported MIBs to determine which one contains the type of statistic you want. For example, the PAN-COMMON-MIB.my contains hardware version information. The panCommonEventEventsV2 MIB contains all the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support.
Step 3 In a MIB browser, search the MIB tree for the identified object name to display its OID. For example, the panSysHwVersion object has an OID of 1.3.6.1.4.1.25461.2.1.2.1.2.
Enable SNMP Services for Firewall-Secured Network Elements
If you will use Simple Network Management Protocol (SNMP) to monitor or manage network elements (for example, switches and routers) that are within the security zones of Palo Alto Networks firewalls, you must create a security rule that allows SNMP services for those elements.
You don't need a security rule to enable SNMP monitoring of Palo Alto Networks firewalls, Panorama, or WF-500 appliances. For details, see Monitor Statistics Using SNMP.
Enable SNMP Services for Firewall-Secured Network Elements
Monitor Statistics Using SNMP
The statistics that a Simple Network Management Protocol (SNMP) manager collects from Palo Alto Networks firewalls can help you gauge the health of your network (systems and connections), identify resource limitations, and monitor traffic or processing loads. The statistics include information such as interface states (up or down), active user sessions, concurrent sessions, session utilization, temperature, and system uptime.
You can't configure an SNMP manager to control Palo Alto Networks firewalls (using SET messages), only to collect statistics from them (using GET messages).
For details on how SNMP is implemented for Palo Alto Networks firewalls, see SNMP Support.
Monitor Statistics Using SNMP
Forward Traps to an SNMP Manager
Simple Network Management Protocol (SNMP) traps can alert you to system events (failures or changes in hardware or software of Palo Alto Networks firewalls) or to threats (traffic that matches a firewall security rule) that require immediate attention.
To see the list of traps that Palo Alto Networks firewalls support, use your SNMP Manager to access the panCommonEventEventsV2 MIB. For details, see Use an SNMP Manager to Explore MIBs and Objects.
For details on how Palo Alto Networks firewalls implement SNMP, see SNMP Support.
Forward Firewall Traps to an SNMP Manager
Supported MIBs
The following table lists the Simple Network Management Protocol (SNMP) management information bases (MIBs) that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support. You must load these MIBs into your SNMP manager to monitor the objects (system statistics and traps) that are defined in the MIBs. For details, see Use an SNMP Manager to Explore MIBs and Objects.
MIB Type - Supported MIBs
Standard - The Internet Engineering Task Force (IETF) maintains most standard MIBs. You can download the MIBs from the IETF website. Palo Alto Networks firewalls, Panorama, and WF-500 appliances don't support every object (OID) in every one of these MIBs. See the Supported MIBs links for an overview of the supported OIDs.
- MIB-II
- IF-MIB
- HOST-RESOURCES-MIB
- ENTITY-MIB
- ENTITY-SENSOR-MIB
- ENTITY-STATE-MIB
- IEEE 802.3 LAG MIB
- LLDP-V2-MIB.my
- BFD-STD-MIB
Enterprise - You can download the enterprise MIBs from the Palo Alto Networks Technical Documentation portal.
- PAN-COMMON-MIB.my
- PAN-GLOBAL-REG-MIB.my
- PAN-GLOBAL-TC-MIB.my
- PAN-LC-MIB.my
- PAN-PRODUCT-MIB.my
- PAN-ENTITY-EXT-MIB.my
- PAN-TRAPS.my
MIB-II
MIB-II provides object identifiers (OIDs) for network management protocols in TCP/IP-based networks. Use this MIB to monitor general information about systems and interfaces. For example, you can analyze trends in bandwidth usage by interface type (ifType object) to determine if the firewall needs more interfaces of that type to accommodate spikes in traffic volume.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the following object groups:
Object Group - Description
system - Provides system information such as the hardware model, system uptime, FQDN, and physical location.
interfaces - Provides statistics for physical and logical interfaces such as type, current bandwidth (speed), operational status (for example, up or down), and discarded packets. Logical interface support includes VPN tunnels, aggregate groups, Layer 2 subinterfaces, Layer 3 subinterfaces, loopback interfaces, and VLAN interfaces.
RFC 1213 defines this MIB.
IF-MIB
IF-MIB supports interface types (physical and logical) and larger counters (64K) beyond those defined in MIB-II. Use this MIB to monitor interface statistics in addition to those that MIB-II provides. For example, to monitor the current bandwidth of high-speed interfaces (greater than 2.2 Gbps) such as the 10G interfaces of the PA-5000 Series firewalls, you must check the ifHighSpeed object in IF-MIB instead of the ifSpeed object in MIB-II. IF-MIB statistics can be useful when evaluating the capacity of your network.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the ifXTable in IF-MIB, which provides interface information such as the number of multicast and broadcast packets transmitted and received, whether an interface is in promiscuous mode, and whether an interface has a physical connector.
RFC 2863 defines this MIB.
HOST-RESOURCES-MIB
HOST-RESOURCES-MIB provides information for host computer resources. Use this MIB to monitor CPU and memory usage statistics. For example, checking the current CPU load (hrProcessorLoad object) can help you troubleshoot performance issues on the firewall.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support portions of the following object groups:
Object Group - Description
hrDevice - Provides information such as CPU load, storage capacity, and partition size. The hrProcessorLoad OIDs provide an average of the cores that process packets. For the PA-5060 firewall, which has multiple dataplanes (DPs), the average is of the cores across all three DPs that process packets.
hrSystem - Provides information such as system uptime, number of current user sessions, and number of current processes.
hrStorage - Provides information such as the amount of used storage.
RFC 2790 defines this MIB.
ENTITY-MIB
ENTITY-MIB provides OIDs for multiple logical and physical components. Use this MIB to determine what physical components are loaded on a system (for example, fans and temperature sensors) and see related information such as models and serial numbers. You can also use the index numbers for these components to determine their operational status in the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhysicalTable group:
Object - Description
entPhysicalIndex - A single namespace that includes disk slots and disk drives.
entPhysicalDescr - The component description.
entPhysicalVendorType - The sysObjectID (see PAN-PRODUCT-MIB.my) when it is available (chassis and module objects).
entPhysicalContainedIn - The value of entPhysicalIndex for the component that contains this component.
entPhysicalClass - Chassis (3), container (5) for a slot, power supply (6), fan (7), sensor (8) for each temperature or other environmental sensor, and module (9) for each line card.
entPhysicalParentRelPos - The relative position of this child component among its sibling components. Sibling components are defined as entPhysicalEntry components that share the same instance values of each of the entPhysicalContainedIn and entPhysicalClass objects.
entPhysicalName - Supported only if the management (MGT) interface allows for naming the line card.
entPhysicalHardwareRev - The vendor-specific hardware revision of the component.
entPhysicalFirmwareRev - The vendor-specific firmware revision of the component.
entPhysicalSoftwareRev - The vendor-specific software revision of the component.
entPhysicalSerialNum - The vendor-specific serial number of the component.
entPhysicalMfgName - The name of the manufacturer of the component.
entPhysicalMfgDate - The date when the component was manufactured.
entPhysicalModelName - The disk model number.
entPhysicalAlias - An alias that the network manager specified for the component.
entPhysicalAssetID - A user-assigned asset tracking identifier that the network manager specified for the component.
entPhysicalIsFRU - Indicates whether the component is a field replaceable unit (FRU).
entPhysicalUris - The Common Language Equipment Identifier (CLEI) number of the component (for example, URN:CLEI:CNME120ARA).
RFC 4133 defines this MIB.
ENTITY-SENSOR-MIB
ENTITY-SENSOR-MIB adds support for physical sensors of networking equipment beyond what ENTITY-MIB defines. Use this MIB in tandem with the ENTITY-MIB to monitor the operational status of the physical components of a system (for example, fans and temperature sensors). For example, to troubleshoot issues that might result from environmental conditions, you can map the entity indexes from the ENTITY-MIB (entPhysicalDescr object) to operational status values (entPhySensorOperStatus object) in the ENTITY-SENSOR-MIB. In the following example, all the fans and temperature sensors for a PA-3020 firewall are working:
The same OID might refer to different sensors on different platforms. Use the ENTITY-MIB for the targeted platform to match the value to the description.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhySensorTable group. The supported portions vary by platform and include only thermal (temperature in Celsius) and fan (in RPM) sensors.
RFC 3433 defines the ENTITY-SENSOR-MIB.
ENTITY-STATE-MIB
ENTITY-STATE-MIB provides information about the state of physical components beyond what ENTITY-MIB defines, including the administrative and operational state of components in chassis-based platforms. Use this MIB in tandem with the ENTITY-MIB to monitor the operational state of the components of a PA-7000 Series firewall (for example, line cards, fan trays, and power supplies). For example, to troubleshoot log forwarding issues for Threat logs, you can map the log processing card (LPC) indexes from the ENTITY-MIB (entPhysicalDescr object) to operational state values (entStateOper object) in the ENTITY-STATE-MIB. The operational state values use numbers to indicate state: 1 for unknown, 2 for disabled, 3 for enabled, and 4 for testing. The PA-7000 Series firewall is the only Palo Alto Networks firewall that supports this MIB.
RFC 4268 defines the ENTITY-STATE-MIB.
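The "use in tandem" step that the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB sections describe is a join on entPhysicalIndex: the instance suffix of entPhysicalDescr is the same index that entPhySensorOperStatus and entStateOper use. The following Python script is an added example (not from the PAN-OS guide) that performs that join over snmpwalk-style output. The walk lines are constructed, not captured from a firewall; the OIDs are the standard column OIDs from RFC 4133, RFC 3433 and RFC 4268, and the numeric status meanings are the ones those RFCs define (the same 1 to 4 entStateOper values the text lists).

```python
"""Join ENTITY-MIB descriptions with ENTITY-SENSOR-MIB and ENTITY-STATE-MIB
values on entPhysicalIndex, from snmpwalk-style "OID = TYPE: value" lines.
Added example; the walk output below is constructed, not captured from a
firewall. OIDs are the standard RFC 4133 / 3433 / 4268 column OIDs."""
import re

ENT_PHYSICAL_DESCR = "1.3.6.1.2.1.47.1.1.1.1.2"         # ENTITY-MIB::entPhysicalDescr
ENT_PHY_SENSOR_OPER_STATUS = "1.3.6.1.2.1.99.1.1.1.5"   # ENTITY-SENSOR-MIB::entPhySensorOperStatus
ENT_STATE_OPER = "1.3.6.1.2.1.131.1.1.1.3"              # ENTITY-STATE-MIB::entStateOper

SENSOR_STATUS = {1: "ok", 2: "unavailable", 3: "nonoperational"}        # RFC 3433
STATE_OPER = {1: "unknown", 2: "disabled", 3: "enabled", 4: "testing"}  # RFC 4268

# "<oid> = <TYPE>: <value>" as printed by snmpwalk with numeric OIDs.
LINE_RE = re.compile(r"^(?P<oid>[\d.]+)\s*=\s*(?:[A-Za-z-]+:\s*)?(?P<value>.*)$")

# Constructed sample: a chassis with one failed fan and one log processing
# card whose operational state is disabled.
SAMPLE_WALK = """
1.3.6.1.2.1.47.1.1.1.1.2.1 = STRING: "Chassis"
1.3.6.1.2.1.47.1.1.1.1.2.11 = STRING: "Fan #1"
1.3.6.1.2.1.47.1.1.1.1.2.12 = STRING: "Fan #2"
1.3.6.1.2.1.47.1.1.1.1.2.21 = STRING: "Temperature @ CPU"
1.3.6.1.2.1.47.1.1.1.1.2.31 = STRING: "Log Processing Card, Slot 8"
1.3.6.1.2.1.99.1.1.1.5.11 = INTEGER: 1
1.3.6.1.2.1.99.1.1.1.5.12 = INTEGER: 3
1.3.6.1.2.1.99.1.1.1.5.21 = INTEGER: 1
1.3.6.1.2.1.131.1.1.1.3.31 = INTEGER: 2
"""


def parse_walk(text):
    """Map numeric OID -> value string, dropping the type token and quotes."""
    walk = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            walk[m.group("oid")] = m.group("value").strip().strip('"')
    return walk


def column(walk, base_oid):
    """Return {entPhysicalIndex: value} for every instance of one table column."""
    prefix = base_oid + "."
    return {int(oid[len(prefix):]): val for oid, val in walk.items()
            if oid.startswith(prefix) and oid[len(prefix):].isdigit()}


def join_sensor_status(walk):
    """(index, entPhysicalDescr, sensor status name) for every sensor row."""
    descr = column(walk, ENT_PHYSICAL_DESCR)
    return [(idx, descr.get(idx, "?"), SENSOR_STATUS.get(int(v), f"unknown({v})"))
            for idx, v in sorted(column(walk, ENT_PHY_SENSOR_OPER_STATUS).items())]


def join_oper_state(walk):
    """(index, entPhysicalDescr, entStateOper name) for every state row."""
    descr = column(walk, ENT_PHYSICAL_DESCR)
    return [(idx, descr.get(idx, "?"), STATE_OPER.get(int(v), f"unknown({v})"))
            for idx, v in sorted(column(walk, ENT_STATE_OPER).items())]


def unhealthy(walk):
    """Components to alert on: sensors not 'ok' and components not 'enabled'."""
    bad = [(i, d, "sensor " + s) for i, d, s in join_sensor_status(walk) if s != "ok"]
    bad += [(i, d, "state " + s) for i, d, s in join_oper_state(walk) if s != "enabled"]
    return bad


if __name__ == "__main__":
    for row in unhealthy(parse_walk(SAMPLE_WALK)):
        print(row)
```

Feed it the output of a real walk of the three columns (for example `snmpwalk -On ... 1.3.6.1.2.1.47.1.1.1.1.2`) to get the same join; as the note above says, always take entPhysicalDescr from the same platform the sensor values came from, because an index that is a fan on one model can be a different sensor on another.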
IEEE 802.3 LAG MIB
Use the IEEE 802.3 LAG MIB to monitor the status of aggregate groups that have Link Aggregation Control Protocol (LACP) enabled. When the firewall logs LACP events, it also generates traps that are useful for troubleshooting. For example, the traps can tell you whether traffic interruptions between the firewall and an LACP peer resulted from lost connectivity or from mismatched interface speed and duplex values.
PAN-OS implements the following SNMP tables for LACP. Note that the dot3adTablesLastChanged object indicates the time of the most recent change to dot3adAggTable, dot3adAggPortListTable, and dot3adAggPortTable.
Aggregator Configuration Table (dot3adAggTable): This table contains information about every aggregate group that is associated with a firewall. Each aggregate group has one entry. Some table objects have restrictions, which the dot3adAggIndex object describes. This index is the unique identifier that the local system assigns to the aggregate group. It identifies an aggregate group instance among the subordinate managed objects of the containing object. The identifier is read-only. The ifTable MIB (a list of interface entries) does not support logical interfaces and therefore does not have an entry for the aggregate group.
Aggregation Port List Table (dot3adAggPortListTable): This table lists the ports associated with each aggregate group in a firewall. Each aggregate group has one entry. The dot3adAggPortListPorts attribute lists the complete set of ports associated with an aggregate group. Each bit set in the list represents a port member. For non-chassis platforms, this is a 64-bit value. For chassis platforms, the value is an array of eight 64-bit entries.
Aggregation Port Table (dot3adAggPortTable): This table contains LACP configuration information about every port associated with an aggregate group in a firewall. Each port has one entry. The table has no entries for ports that are not associated with an aggregate group.
LACP Statistics Table (dot3adAggPortStatsTable): This table contains link aggregation information about every port associated with an aggregate group in a firewall. Each port has one row. The table has no entries for ports that are not associated with an aggregate group.
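dot3adAggPortListPorts is a bitmap, so a monitoring script has to decode bit positions into port numbers before it can compare two polls. The following Python script is an added example (not from the PAN-OS guide) that decodes and encodes the 64-bit (non-chassis) and eight-by-64-bit (chassis) values the text describes and diffs two polls to find members that joined or left. One assumption is labelled in the code: the octet-string bit order is the PortList convention used by the 802.3 LAG MIB (first octet covers ports 1 to 8, most significant bit is the lowest-numbered port). Mapping a port number to a slot or interface name is platform-specific and is not modelled here.

```python
"""Decode dot3adAggPortListPorts (IEEE 802.3 LAG MIB) into member port numbers.

Added example. Assumption: the value follows the PortList convention of the
LAG MIB, where each octet covers eight ports, the first octet ports 1-8, and
the most significant bit of an octet is the lowest-numbered port. The hex
strings below are constructed, not captured from a firewall.
"""

NON_CHASSIS_OCTETS = 8   # one 64-bit value (non-chassis platforms)
CHASSIS_OCTETS = 64      # array of eight 64-bit entries (chassis platforms)


def decode_port_list(hex_string):
    """Return the 1-based port numbers whose bit is set, in ascending order."""
    octets = bytes.fromhex(hex_string.replace(" ", "").replace(":", ""))
    if len(octets) not in (NON_CHASSIS_OCTETS, CHASSIS_OCTETS):
        raise ValueError(f"expected {NON_CHASSIS_OCTETS} or {CHASSIS_OCTETS} octets, got {len(octets)}")
    ports = []
    for i, octet in enumerate(octets):
        for bit in range(8):             # bit 0 is the MSB, i.e. the lowest port in this octet
            if octet & (0x80 >> bit):
                ports.append(i * 8 + bit + 1)
    return ports


def encode_port_list(ports, chassis=False):
    """Inverse of decode_port_list; returns the snmpwalk-style 'Hex-STRING' body."""
    size = CHASSIS_OCTETS if chassis else NON_CHASSIS_OCTETS
    buf = bytearray(size)
    for p in ports:
        if not 1 <= p <= size * 8:
            raise ValueError(f"port {p} out of range for a {size}-octet list")
        buf[(p - 1) // 8] |= 0x80 >> ((p - 1) % 8)
    return " ".join(f"{b:02X}" for b in buf)


def membership_change(before_hex, after_hex):
    """(joined, left) between two polls of the same aggregate group; a port
    that leaves corresponds to the condition panLACPLacpDownTrap reports."""
    before, after = set(decode_port_list(before_hex)), set(decode_port_list(after_hex))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    # Constructed: ae1 had members 1 and 2, then member 2 dropped out.
    print(decode_port_list("C0 00 00 00 00 00 00 00"))
    print(membership_change("C0 00 00 00 00 00 00 00", "80 00 00 00 00 00 00 00"))
```

Poll dot3adTablesLastChanged first and only re-walk dot3adAggPortListTable when it moves; that keeps the comparison cheap and avoids racing a table rebuild.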
The IEEE 802.3 LAG MIB includes the following LACP-related traps:
panLACPLostConnectivityTrap: The peer lost connectivity to the firewall.
panLACPUnresponsiveTrap: The peer does not respond to the firewall.
panLACPNegoFailTrap: LACP negotiation with the peer failed.
panLACPSpeedDuplexTrap: The link speed and duplex settings on the firewall and peer do not match.
panLACPLinkDownTrap: An interface in the aggregate group is down.
panLACPLacpDownTrap: An interface was removed from the aggregate group.
panLACPLacpUpTrap: An interface was added to the aggregate group.
For the MIB definitions, refer to IEEE 802.3 LAG MIB.
LLDP-V2-MIB.my
Use the LLDP-V2-MIB to monitor Link Layer Discovery Protocol (LLDP) events. For example, you can check the lldpV2StatsRxPortFramesDiscardedTotal object to see the number of LLDP frames that were discarded for any reason. The Palo Alto Networks firewall uses LLDP to discover neighboring devices and their capabilities. LLDP makes troubleshooting easier, especially for virtual wire deployments where the ping or traceroute utilities won't detect the firewall.
Palo Alto Networks firewalls support all the LLDP-V2-MIB objects except:
The following lldpV2Statistics objects: lldpV2StatsRemTablesLastChangeTime, lldpV2StatsRemTablesInserts, lldpV2StatsRemTablesDeletes, lldpV2StatsRemTablesDrops, and lldpV2StatsRemTablesAgeouts.
The following lldpV2RemoteSystemsData objects: the lldpV2RemOrgDefInfoTable table, and in the lldpV2RemTable table, lldpV2RemTimeMark.
RFC 4957 defines this MIB.
BFD-STD-MIB
Use the Bidirectional Forwarding Detection (BFD) MIB to monitor and receive failure alerts for the bidirectional path between two forwarding engines, such as interfaces, data links, or the actual engines. For example, you can check the bfdSessState object to see the state of a BFD session between forwarding engines. In the Palo Alto Networks implementation, one of the forwarding engines is a firewall interface and the other is an adjacent configured BFD peer.
RFC 7331 defines this MIB.
PAN-COMMON-MIB.my
Use the PAN-COMMON-MIB to monitor the following information for Palo Alto Networks firewalls, Panorama, and WF-500 appliances:
panSys: Contains such objects as system software/hardware versions, dynamic content versions, serial number, HA mode/state, and global counters. The global counters include those related to Denial of Service (DoS), IP fragmentation, TCP state, and dropped packets. Tracking these counters enables you to monitor traffic irregularities that result from DoS attacks, system or connection faults, or resource limitations. PAN-COMMON-MIB supports global counters for firewalls but not for Panorama.
panChassis: Chassis type and M-Series appliance mode (Panorama or Log Collector).
panSession: Session utilization information. For example, the total number of active sessions on the firewall or a specific virtual system.
panMgmt: Status of the connection from the firewall to the Panorama management server.
panGlobalProtect: GlobalProtect gateway utilization as a percentage, maximum tunnels allowed, and number of active tunnels.
panLogCollector: Logging statistics for each Log Collector, including logging rate, log quotas, disk usage, retention periods, log redundancy (enabled or disabled), the forwarding status from firewalls to Log Collectors, the forwarding status from Log Collectors to external services, and the status of firewall-to-Log Collector connections.
panDeviceLogging: Logging statistics for each firewall, including logging rate, disk usage, retention periods, the forwarding status from individual firewalls to Panorama and external servers, and the status of firewall-to-Log Collector connections.
PAN-GLOBAL-REG-MIB.my
PAN-GLOBAL-REG-MIB.my contains global, top-level OID definitions for various sub-trees of Palo Alto Networks enterprise MIB modules. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.
PAN-GLOBAL-TC-MIB.my
PAN-GLOBAL-TC-MIB.my defines conventions (for example, character length and allowed characters) for the text values of objects in Palo Alto Networks enterprise MIB modules. All Palo Alto Networks products use these conventions. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.
PAN-LC-MIB.my
PAN-LC-MIB.my contains definitions of managed objects that Log Collectors (M-Series appliances in Log Collector mode) implement. Use this MIB to monitor the logging rate, log database storage duration (in days), and disk usage (in MB) of each logical disk (up to four) on a Log Collector. For example, you can use this information to determine whether you should add more Log Collectors or forward logs to an external server (for example, a syslog server) for archiving.
PAN-PRODUCT-MIB.my
PAN-PRODUCT-MIB.my defines sysObjectID OIDs for all Palo Alto Networks products. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.
PAN-ENTITY-EXT-MIB.my
Use PAN-ENTITY-EXT-MIB.my in tandem with the ENTITY-MIB to monitor power usage for the physical components of a PA-7000 Series firewall (for example, fan trays and power supplies), which is the only Palo Alto Networks firewall that supports this MIB. For example, when troubleshooting log forwarding issues, you might want to check the power usage of the log processing cards (LPCs): you can map the LPC indexes from the ENTITY-MIB (entPhysicalDescr object) to values in the PAN-ENTITY-EXT-MIB (panEntryFRUModelPowerUsed object).
PAN-TRAPS.my
Use PAN-TRAPS.my to see a complete listing of all the generated traps and information about them (for example, a description). For a list of traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, refer to the PAN-COMMON-MIB.my > panCommonEvents > panCommonEventsEvents > panCommonEventEventsV2 object.
Forward Logs to an HTTP(S) Destination
The firewall and Panorama can forward logs to an HTTP server. You can choose to forward all logs or selectively forward logs to trigger an action on an external HTTP-based service when an event occurs. When forwarding logs to an HTTP server, you can choose the following options:
Configure the firewall to send an HTTP-based API request directly to a third-party service to trigger an action based on the attributes in a firewall log. You can configure the firewall to work with any HTTP-based service that exposes an API, and modify the URL, HTTP header, parameters, and the payload in the HTTP request to meet your integration needs.
Tag the source or destination IP address in a log entry automatically and register the IP address and tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent, so that you can respond to an event and dynamically enforce security policy. To enforce policy, you must Use Dynamic Address Groups in Policy.
Forward Logs to an HTTP Destination and Enable Tagging
Step 1: Create an HTTP server profile to forward logs to an HTTP(S) destination.
The HTTP server profile allows you to specify how to access the server and define the format in which to forward logs to the HTTP(S) destination. By default, the firewall uses the management port to forward these logs. You can, however, assign a different source interface and IP address in Device > Setup > Services > Service Route Configuration.
1. Select Device > Server Profiles > HTTP, add a Name for the server profile, and select the Location. The profile can be Shared across all virtual systems or can belong to a specific virtual system.
2. Click Add to provide the details for each server. Each profile can have a maximum of 4 servers.
3. Enter a Name and IP Address.
4. Select the Protocol (HTTP or HTTPS). The default Port is 80 or 443 respectively; you can modify the port number to match the port on which your HTTP server listens.
5. Select the HTTP Method that the third-party service supports: PUT, POST (default), GET, or DELETE.
6. Enter the Username and Password for authenticating to the server, if needed. Click OK.
7. Select Test Server Connection to verify network connectivity between the firewall and the HTTP(S) server.
Step 3: Define the match criteria for when the firewall will forward logs to the HTTP server, and attach the HTTP server profile to use.
1. Select the log types for which you want to trigger a workflow:
Add a Log Forwarding Profile (Objects > Log Forwarding Profile) for logs that pertain to user activity, for example, Traffic, Threat, or Authentication logs.
Select Device > Log Settings for logs that pertain to system events, such as Configuration or System logs.
2. Select the Log Type and use the new Filter Builder to define the match criteria.
3. Add the HTTP server profile for forwarding logs to the HTTP destination.
4. Add a tag to the source or destination IP address in the log entry. This capability allows you to use dynamic address groups and security policy rules to limit network access or isolate the IP address until you can triage the affected user device. Select Add in the Built-in Actions section and select the Target, Action: Add Tag, and Registration to register the tag to the local User-ID on a firewall or to the Panorama that is managing the firewall. If you want to register the tag to a remote User-ID agent, see Step 4.
Step 4: Register or unregister a tag on a source or destination IP address in a log entry to a remote User-ID agent.
1. Select Device > Server Profiles > HTTP, add a Name for the server profile, and select the Location. The profile can be Shared across all virtual systems or can belong to a specific virtual system.
2. Select Tag Registration to enable the firewall to register the IP address and tag mapping with the User-ID agent on a remote firewall. With tag registration enabled, you cannot specify the payload format.
3. Add the connection details to access the remote User-ID agent.
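The procedure above configures the sending side. The receiving service has two jobs the text implies but does not spell out: check the Username and Password from the server profile before trusting anything in the request, and turn the forwarded log into an action (here, a quarantine tag for the source address of a high-severity Threat log). The following Python script is an added example of such a receiver; it is not PAN-OS code and not a Palo Alto Networks integration. The credential values, the JSON field names in the payload (which you would define in the profile's custom payload format) and the quarantine rule are all assumptions. A production receiver would sit behind TLS, matching the HTTPS option in Step 1.

```python
"""Receiver side of PAN-OS HTTP log forwarding: verify the credentials
configured in the HTTP server profile, then act on the forwarded log.
Added example, not PAN-OS code; credentials, payload field names and the
quarantine rule are assumptions."""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_USER = "panos-forwarder"       # assumed: Username from the server profile
EXPECTED_PASSWORD = "change-me"         # assumed: Password from the server profile

# Constructed payload with hypothetical field names the firewall would fill
# from the log entry via its custom payload format.
SAMPLE_BODY = json.dumps({"log_type": "THREAT", "severity": "critical",
                          "src": "10.1.2.3", "dst": "203.0.113.9",
                          "threat": "Example.Trojan"}).encode()


def check_basic_auth(authorization, user, password):
    """True only if the Authorization header carries exactly user:password."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    given_user, sep, given_pw = decoded.partition(":")
    if not sep:
        return False
    # constant-time comparisons so response timing does not leak the secret
    return (hmac.compare_digest(given_user.encode(), user.encode())
            and hmac.compare_digest(given_pw.encode(), password.encode()))


def decide_action(event):
    """(ip, tag) to apply, or None when the event does not warrant an action."""
    if (event.get("log_type") == "THREAT" and event.get("severity") in ("critical", "high")
            and event.get("src")):
        return (event["src"], "quarantine")
    return None


def handle_forwarded_log(authorization, body, user=EXPECTED_USER, password=EXPECTED_PASSWORD):
    """Return (http_status, result): 'unauthorized', 'bad payload', an action tuple, or 'no action'."""
    if not check_basic_auth(authorization, user, password):
        return 401, "unauthorized"          # never parse the body of an unauthenticated request
    try:
        event = json.loads(body)
        if not isinstance(event, dict):
            raise ValueError("payload is not an object")
    except (ValueError, UnicodeDecodeError):
        return 400, "bad payload"
    action = decide_action(event)
    return 200, action if action else "no action"


def basic_header(user, password):
    """Build the Authorization header value the firewall sends for Step 1.6."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):                      # POST is the profile's default HTTP Method
        length = int(self.headers.get("Content-Length", 0))
        status, result = handle_forwarded_log(self.headers.get("Authorization"),
                                              self.rfile.read(length))
        self.send_response(status)
        self.end_headers()
        self.wfile.write(json.dumps({"result": result}).encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Point a server profile at the listener (Protocol HTTP, Port 8080, Method POST, the assumed username and password) and use Test Server Connection from Step 1.7 to confirm reachability; an unauthenticated or malformed request is rejected before any tagging decision is made.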
NetFlow Monitoring
NetFlow is an industry-standard protocol that the firewall can use to export statistics about the IP traffic on its interfaces. The firewall exports the statistics as NetFlow fields to a NetFlow collector. The NetFlow collector is a server you use to analyze network traffic for security, administration, accounting, and troubleshooting. All Palo Alto Networks firewalls support NetFlow Version 9. The firewalls support only unidirectional NetFlow, not bidirectional. The firewalls perform NetFlow processing on all IP packets on the interfaces and do not support sampled NetFlow. You can export NetFlow records for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. For aggregate Ethernet interfaces, you can export records for the aggregate group but not for individual interfaces within the group. To identify firewall interfaces in a NetFlow collector, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors. The firewalls support standard and enterprise (PAN-OS specific) NetFlow Templates, which NetFlow collectors use to decipher the NetFlow fields.
Configure NetFlow Exports
NetFlow Templates
Configure NetFlow Exports
To use a NetFlow collector for analyzing the network traffic on firewall interfaces, perform the following steps to configure NetFlow record exports.
NetFlow Templates
NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall selects a template based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate which one to use (in case the type of exported data changes) and to apply any changes to the fields in the selected template. When you Configure NetFlow Exports, set the refresh rate based on a time interval and a number of exported records according to the requirements of your NetFlow collector. The firewall refreshes the templates after either threshold is passed.
The Palo Alto Networks firewall supports the following NetFlow templates (template name: template ID):
IPv4 Standard: 256
IPv4 Enterprise: 257
IPv6 Standard: 258
IPv6 Enterprise: 259
IPv4 with NAT Standard: 260
IPv4 with NAT Enterprise: 261
IPv6 with NAT Standard: 262
IPv6 with NAT Enterprise: 263
The following table lists the NetFlow fields that the firewall can send, along with the templates that define them:
Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
When you use a NetFlow collector (see NetFlow Monitoring) or SNMP manager (see SNMP Monitoring and Traps) to monitor the Palo Alto Networks firewall, an interface index (SNMP ifIndex object) identifies the interface that carried a particular flow (see Figure: Interface Indexes in an SNMP Manager). In contrast, the firewall web interface uses interface names as identifiers (for example, ethernet1/1), not indexes. To understand which statistics that you see in a NetFlow collector or SNMP manager apply to which firewall interface, you must be able to match the interface indexes with interface names.
Figure: Interface Indexes in an SNMP Manager
You can match the indexes with names by understanding the formulas that the firewall uses to calculate indexes. The formulas vary by platform and interface type: physical or logical.
Physical interface indexes have a range of 1 to 9999, which the firewall calculates as follows:
Logical interface indexes for all platforms are nine-digit numbers that the firewall calculates as follows:
User-ID Overview
User-ID enables you to identify all users on your network using a variety of techniques to ensure that you can identify users in all locations using a variety of access methods and operating systems, including Microsoft Windows, Apple iOS, Mac OS, Android, and Linux/UNIX. Knowing who your users are instead of just their IP addresses enables:
Visibility: Improved visibility into application usage based on users gives you a more relevant picture of network activity. The power of User-ID becomes evident when you notice a strange or unfamiliar application on your network. Using either ACC or the log viewer, your security team can discern what the application is, who the user is, the bandwidth and session consumption, along with the source and destination of the application traffic, as well as any associated threats.
Policy control: Tying user information to Security policy rules improves safe enablement of applications traversing the network and ensures that only those users who have a business need for an application have access. For example, some applications, such as SaaS applications that enable access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not.
Logging, reporting, forensics: If a security incident occurs, forensics analysis and reporting based on user information rather than just IP addresses provides a more complete picture of the incident. For example, you can use the predefined User/Group Activity report to see a summary of the web activity of individual users or user groups, or the SaaS Application Usage report to see which users are transferring the most data over unsanctioned SaaS applications.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets it receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For example, the User-ID agent monitors server logs for login events and listens for syslog messages from authenticating services. To identify mappings for IP addresses that the agent didn't map, you can configure Authentication Policy to redirect HTTP requests to a Captive Portal login. You can tailor the user mapping mechanisms to suit your environment, and even use different mechanisms at different sites to ensure that you are safely enabling access to applications for all users, in all locations, all the time.
Figure: User-ID
To enable user- and group-based policy enforcement, the firewall requires a list of all available users and their corresponding group memberships so that you can select groups when defining your policy rules. The firewall collects Group Mapping information by connecting directly to your LDAP directory server, or using XML API integration with your directory server.
See User-ID Concepts for information on how User-ID works and Enable User-ID for instructions on setting up User-ID.
User-ID does not work in environments where the source IP addresses of users are subject to NAT translation before the firewall maps the IP addresses to usernames.
User-ID Concepts
Group Mapping
User Mapping
Group Mapping
To define policy rules based on user or group, first you create an LDAP server profile that defines how the firewall connects and authenticates to your directory server. The firewall supports a variety of directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The server profile also defines how the firewall searches the directory to retrieve the list of groups and the corresponding list of members. If you are using a directory server that is not natively supported by the firewall, you can integrate the group mapping function using the XML API. You can then create a group mapping configuration to Map Users to Groups and Enable User- and Group-Based Policy.
Defining policy rules based on group membership rather than on individual users simplifies administration because you don't have to update the rules whenever new users are added to a group. When configuring group mapping, you can limit which groups will be available in policy rules. You can specify groups that already exist in your directory service or define custom groups based on LDAP filters. Defining custom groups can be quicker than creating new groups or changing existing ones on an LDAP server, and doesn't require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match the filter to the custom group. For example, you might want a security policy that allows contractors in the Marketing Department to access social networking sites. If no Active Directory group exists for that department, you can configure an LDAP filter that matches users for whom the LDAP attribute Department is set to Marketing. Log queries and reports that are based on user groups will include custom groups.
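Because a custom group is defined entirely by its LDAP filter, the practical question before committing it is "which users will this filter actually match?" The following Python script is an added example (not from the PAN-OS guide and not the firewall's own group-mapping code) that evaluates an RFC 4515-style search filter against directory entries so you can preview a custom group offline. It supports the and, or, not and equality items with `*` wildcards, treats attribute names and values as case-insensitive, and does not handle escaped values. The directory entries are constructed; the example goes beyond the page's Department=Marketing case by also showing the objectClass and employeeType restrictions a contractor filter would normally add.

```python
"""Evaluate an LDAP search filter (RFC 4515 subset) against directory entries to
preview which users a custom User-ID group would contain. Added example, not
firewall code; the directory entries below are constructed."""
import re


def parse_filter(text):
    """Parse (&...), (|...), (!...) and (attr=value) with '*' wildcards. Escapes are not handled."""
    text = text.strip()
    end, node = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                               # n-ary and / or
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            i, kid = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return i + 1, (op, kids)
    if s[i] == "!":                                # unary not
        i, kid = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated not filter")
        return i + 1, ("!", [kid])
    end = s.find(")", i)                           # simple item: attr=value
    if end < 0:
        raise ValueError("unterminated item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad item {s[i:end]!r}")
    return end + 1, ("=", attr.lower(), value)


def matches(node, entry):
    """entry: {lowercase attribute: [values]} as produced by normalize()."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                             # presence test
        return bool(values)
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def normalize(entry):
    """LDAP attribute names are case-insensitive; single values become lists."""
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in entry.items()}


def custom_group_members(directory, filter_text):
    """DNs of the entries the filter would map into the custom group."""
    node = parse_filter(filter_text)
    return sorted((dn for dn, e in directory.items() if matches(node, normalize(e))), key=str.lower)


# Constructed sample directory; note bob's department is stored in lower case.
ALICE = "CN=alice,OU=Users,DC=example,DC=com"
BOB = "CN=bob,OU=Users,DC=example,DC=com"
CAROL = "CN=carol,OU=Users,DC=example,DC=com"
MKT_GROUP = "CN=Marketing Team,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    ALICE: {"objectClass": ["top", "person", "user"], "sAMAccountName": "alice",
            "department": "Marketing", "employeeType": "Employee"},
    BOB: {"objectClass": ["top", "person", "user"], "sAMAccountName": "bob",
          "department": "marketing", "employeeType": "Contractor"},
    CAROL: {"objectClass": ["top", "person", "user"], "sAMAccountName": "carol",
            "department": "Engineering", "employeeType": "Employee"},
    MKT_GROUP: {"objectClass": ["top", "group"], "member": [ALICE, BOB]},
}

if __name__ == "__main__":
    print(custom_group_members(DIRECTORY, "(department=Marketing)"))
    print(custom_group_members(DIRECTORY, "(&(objectClass=user)(department=Marketing)(employeeType=Contractor))"))
```

The second filter is the one to use for the page's "contractors in Marketing" policy: restricting on objectClass=user keeps group and computer objects out of the custom group, and the employeeType term narrows it to contractors. Run the same filter with an LDAP tool against the real directory before enabling the group mapping configuration, since the firewall's Search Filter fields take the same syntax.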
User Mapping
Knowing user and group names is only one piece of the puzzle. The firewall also needs to know which IP addresses map to which users so that security rules can be enforced appropriately. Figure: User-ID illustrates the different methods that are used to identify users and groups on your network and shows how user mapping and group mapping work together to enable user- and group-based security enforcement and visibility. The following topics describe the different methods of user mapping:
Server Monitoring
Port Mapping
Syslog
XFF Headers
Authentication Policy and Captive Portal
GlobalProtect
XML API
Client Probing
Server Monitoring
With server monitoring, a User-ID agent (either a Windows-based agent running on a domain server in your network, or the integrated PAN-OS User-ID agent running on the firewall) monitors the security event logs for specified Microsoft Exchange Servers, Domain Controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. Note that for these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.
Port Mapping
In environments with multi-user systems, such as Microsoft Terminal Server or Citrix environments, many users share the same IP address. In this case, the user-to-IP address mapping process requires knowledge of the source port of each client. To perform this type of mapping, you must install the Palo Alto Networks Terminal Services Agent on the Windows/Citrix terminal server itself to intermediate the assignment of source ports to the various user processes. For terminal servers that do not support the Terminal Services agent, such as Linux terminal servers, you can use the XML API to send user mapping information from login and logout events to User-ID. See Configure User Mapping for Terminal Server Users for configuration details.
XFF Headers
User-ID can read the IPv4 or IPv6 addresses of users from the X-Forwarded-For (XFF) header in HTTP client requests when the firewall is deployed between the Internet and a proxy server that would otherwise hide the user IP addresses. User-ID matches the true user IP addresses with usernames. See Configure the firewall to obtain user IP addresses from X-Forwarded-For (XFF) headers.
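The security caveat with XFF is that the header is just text the client can pre-populate: only the entry appended by your own proxy is trustworthy, and only when the request actually arrived from that proxy. The following Python function is an added example (not PAN-OS code) of extracting the "true" user address the way a careful implementation must: it refuses the header unless the immediate sender is a trusted proxy, then walks the list from the right, skipping trusted proxy addresses, and takes the first address that is not one of yours. The addresses and proxy ranges are constructed.

```python
"""Pick the user IP from an X-Forwarded-For header without trusting
client-supplied entries. Added example, not PAN-OS code; the proxy ranges
and sample headers are constructed."""
import ipaddress


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip_from_xff(xff_header, peer_ip, trusted_proxies):
    """Return the user's IP as a string, or None when it cannot be trusted.

    peer_ip: the address the firewall actually received the request from.
    trusted_proxies: addresses or CIDR ranges of your proxy servers.
    """
    networks = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    # A header that did not come via your proxy is entirely attacker-controlled.
    if not _in_any(ipaddress.ip_address(peer_ip), networks):
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by your proxies,
    # anything left of the first untrusted address was supplied by the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None        # malformed entry: do not guess, do not map
        if not _in_any(addr, networks):
            return str(addr)
    return None                # only proxy addresses present: no user address


if __name__ == "__main__":
    # Constructed: the client injected 1.2.3.4; proxies 192.168.1.20/21 appended the real hops.
    print(client_ip_from_xff("1.2.3.4, 10.1.2.3, 192.168.1.21", "192.168.1.20", ["192.168.1.0/24"]))
```

Enabling XFF-based User-ID on a zone that can receive traffic from anything other than the proxy lets an attacker choose whose username their traffic is attributed to; the peer check above is the same control you should apply by only enabling the feature for the interface and zone facing the proxy.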
Authentication Policy and Captive Portal
In some cases, the User-ID agent can't map an IP address to a username using server monitoring or other methods, for example, if the user isn't logged in or uses an operating system such as Linux that your domain servers don't support. In other cases, you might want users to authenticate when accessing sensitive applications regardless of which methods the User-ID agent uses to perform user mapping. For all these cases, you can Configure Authentication Policy and Map IP Addresses to Usernames Using Captive Portal. Any web traffic (HTTP or HTTPS) that matches an Authentication policy rule prompts the user to authenticate through Captive Portal. You can use the following Captive Portal Authentication Methods:
Browser challenge: Use Kerberos single sign-on (recommended) or NT LAN Manager (NTLM) authentication if you want to reduce the number of login prompts that users must respond to.
Web form: Use Multi-Factor Authentication, SAML single sign-on, Kerberos, TACACS+, RADIUS, LDAP, or Local Authentication.
Client Certificate Authentication.
Syslog
Your environment might have existing network services that authenticate users. These services include wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, and other Network Access Control (NAC) mechanisms. You can configure these services to send syslog messages that contain information about login and logout events and configure the User-ID agent to parse those messages. The User-ID agent parses for login events to map IP addresses to usernames and parses for logout events to delete outdated mappings. Deleting outdated mappings is particularly useful in environments where IP address assignments change often.
Both the PAN-OS integrated User-ID agent and Windows-based User-ID agent use Syslog Parse profiles to parse syslog messages. In environments where services send the messages in different formats, you can create a custom profile for each format and associate multiple profiles with each syslog sender. If you use the PAN-OS integrated User-ID agent, you can also use predefined Syslog Parse profiles that Palo Alto Networks provides through Applications content updates.
Syslog messages must meet the following criteria for a User-ID agent to parse them:
Each message must be a single-line text string. The allowed delimiters for line breaks are a newline (\n) or a carriage return plus a newline (\r\n).
The maximum size for individual messages is 2,048 bytes.
Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets. A single packet might contain multiple messages.
See Configure User-ID to Monitor Syslog Senders for User Mapping for configuration details.
Figure: User-ID Integration with Syslog
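The following Python script is an added example (not the User-ID agent's code) that simulates what the text describes: a datagram is split into messages on \n or \r\n, each message is checked against the single-line and 2,048-byte limits, a parse profile classifies it as a login or logout event and extracts the username and address, and the mapping table is updated, with a logout deleting the stale mapping and a later login on the same address replacing the old user. The profile fields (event, username and address patterns) follow the idea of a Syslog Parse profile, but the regexes and the wireless-controller message format are assumptions, and the syslog lines are constructed.

```python
"""Simulate how a User-ID agent turns syslog login/logout events into
IP-to-username mappings. Added example, not the agent's code. The profile
fields mirror the idea of a Syslog Parse profile, but the regexes and the
wireless-controller message format are assumed; sample lines are constructed."""
import re
from dataclasses import dataclass

MAX_MESSAGE_BYTES = 2048          # per-message limit stated in the text


@dataclass
class SyslogParseProfile:
    name: str
    login_event: str              # regex that marks a login event
    logout_event: str             # regex that marks a logout event
    username: str                 # regex whose group 1 is the username
    address: str                  # regex whose group 1 is the IP address

    def classify(self, msg):
        if re.search(self.login_event, msg):
            return "login"
        if re.search(self.logout_event, msg):
            return "logout"
        return None


class UserMappingTable:
    def __init__(self, profiles):
        self.profiles = list(profiles)
        self.table = {}           # ip -> username

    def ingest_datagram(self, datagram):
        """One UDP packet may carry several messages, delimited by \\n or \\r\\n."""
        return [self.ingest_message(m) for m in re.split(rb"\r?\n", datagram) if m]

    def ingest_message(self, raw):
        """Return a tuple describing what happened; update self.table on login/logout."""
        if len(raw) > MAX_MESSAGE_BYTES:
            return ("rejected", "exceeds 2048 bytes")
        if b"\r" in raw or b"\n" in raw:
            return ("rejected", "not a single line")
        msg = raw.decode("utf-8", errors="replace")
        for profile in self.profiles:          # several profiles per sender are allowed
            kind = profile.classify(msg)
            if kind is None:
                continue
            user = re.search(profile.username, msg)
            addr = re.search(profile.address, msg)
            if not (user and addr):
                return ("ignored", profile.name)   # event matched but fields missing
            username, ip = user.group(1), addr.group(1)
            if kind == "login":
                self.table[ip] = username          # new mapping, or address re-assigned
            else:
                self.table.pop(ip, None)           # logout deletes the outdated mapping
            return (kind, ip, username)
        return ("unmatched", None)


# Assumed message format of a hypothetical wireless controller "wlc01".
WLC_PROFILE = SyslogParseProfile(
    name="wlc", login_event=r"logged in", logout_event=r"logged out",
    username=r"User (\S+) logged", address=r"from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed datagram carrying two messages with both allowed delimiters.
SAMPLE_DATAGRAM = (b"<14>Jan 10 12:00:01 wlc01 auth: User alice@example.com logged in from 10.1.2.3\r\n"
                   b"<14>Jan 10 12:05:00 wlc01 auth: User bob logged in from 10.1.2.7\n")

if __name__ == "__main__":
    mappings = UserMappingTable([WLC_PROFILE])
    print(mappings.ingest_datagram(SAMPLE_DATAGRAM))
    print(mappings.table)
```

The logout handling is the part worth testing against your own sender: if its logout messages do not carry the address (some only log the username), mappings never expire through syslog and you are left relying on the agent's timeout, which is exactly the stale-mapping problem the text warns about in environments with frequent address reassignment.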
GlobalProtect
For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user to enter login credentials for VPN access to the firewall. This login information is then added to the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. For more information on setting up GlobalProtect, refer to the GlobalProtect Administrator's Guide.
XML API
Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to an 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the PAN-OS integrated User-ID agent. See Send User Mappings to User-ID Using the XML API for details.
Client Probing
In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using Windows Management Instrumentation (WMI) and/or NetBIOS probing at regular intervals to verify that an existing user mapping is still valid or to obtain the username for an IP address that is not yet mapped. NetBIOS probing is only supported on the Windows-based User-ID agent; it is not supported on the PAN-OS integrated User-ID agent.
Client probing was designed for legacy networks where most users were on Windows workstations on the internal network, but is not ideal for today's more modern networks that support a roaming and mobile user base on a variety of devices and operating systems. Additionally, client probing can generate a large amount of network traffic (based on the total number of mapped IP addresses) and can pose a security threat when misconfigured. Therefore, client probing is no longer a recommended method for user mapping. Instead, collect user mapping information from more isolated and trusted sources, such as domain controllers and through integrations with Syslog or the XML API, which allow you to safely capture user mapping information from any device type or operating system. If you have sensitive applications that require you to know exactly who a user is, configure Authentication Policy and Captive Portal to ensure that you are only allowing access to authorized users.
Because WMI probing trusts data reported back from the endpoint, it is not a recommended method of obtaining User-ID information in a high-security network. If you are using the User-ID agent to parse AD security event logs, syslog messages, or the XML API to obtain User-ID mappings, Palo Alto Networks recommends disabling WMI probing.
If you do choose to use WMI probing, do not enable it on external, untrusted interfaces, as this would cause the agent to send WMI probes containing sensitive information such as the username, domain name, and password hash of the User-ID agent service account outside of your network. This information could potentially be exploited by an attacker to penetrate the network to gain further access.
If you do choose to enable probing in your trusted zones, the agent will probe each learned IP address periodically (every 20 minutes by default, but this is configurable) to verify that the same user is still logged in. In addition, when the firewall encounters an IP address for which it has no user mapping, it will send the address to the agent for an immediate probe.
See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.
Enable User-ID
The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen your security policy and reduce incident response times. User-ID enables you to leverage user information stored in a wide range of repositories for visibility, user- and group-based policy control, and improved logging, reporting, and forensics:
Configure User-ID
Map Users to Groups
Defining policy rules based on user group membership rather than individual users simplifies administration because you don't have to update the rules whenever group membership changes. The number of distinct user groups that each firewall or Panorama can reference across all policies varies by model:
VM-50, VM-100, VM-300, PA-200, PA-220, PA-500, PA-800 Series, PA-3020, and PA-3050 firewalls: 1,000 groups.
VM-500, VM-700, PA-5020, PA-5050, PA-5060, PA-5200 Series, and PA-7000 Series firewalls, and all Panorama models: 10,000 groups.
Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve Group Mapping information. You can then Enable User- and Group-Based Policy.
The following are best practices for group mapping in an Active Directory (AD) environment:
If you have a single domain, you need only one LDAP server profile that connects the firewall to the domain controller with the best connectivity. You can add additional domain controllers for fault tolerance.
If you have multiple domains and/or multiple forests, you must create a server profile to connect to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
If you have Universal Groups, create a server profile to connect to the Global Catalog server.
Step 2: Configure the server settings in a group mapping configuration.
1. Select Device > User Identification > Group Mapping Settings.
2. Add the group mapping configuration.
3. Enter a unique Name to identify the group mapping configuration.
4. Select the LDAP Server Profile you just created.
5. (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
6. (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects section, enter a Search Filter (LDAP query), Object Class (group definition), Group Name, and Group Member.
7. (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section, enter a Search Filter (LDAP query), Object Class (user definition), and User Name.
8. (Optional) To match User-ID information with email header information identified in the links and attachments of emails forwarded to WildFire, enter the list of email domains (Domain List) in your organization. Use commas to separate multiple domains (up to 256 characters). After you click OK (later in this procedure), PAN-OS automatically populates the Mail Attributes based on the type of LDAP server specified in the Server Profile. When a match occurs, the username in the WildFire log email header section will contain a link that opens the ACC tab, filtered by user or user group.
9. Make sure the group mapping configuration is Enabled (default is enabled).
Map IP Addresses to Users
User-ID provides many different methods for mapping IP addresses to usernames. Before you begin configuring user mapping, consider where your users are logging in from, what services they are accessing, and what applications and data you need to control access to. This will inform which types of agents or integrations would best allow you to identify your users. For guidance, refer to Architecting User Identification Deployments.
Once you have your plan, you can begin configuring user mapping using one or more of the following methods as needed to enable user-based access and visibility to applications and resources:
To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must configure a User-ID agent: Configure User Mapping Using the PAN-OS Integrated User-ID Agent, or Configure User Mapping Using the Windows User-ID Agent.
If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Services Agent for User Mapping. For a multi-user system that doesn't run on Windows, you can Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API.
To obtain user mappings from existing network services that authenticate users, such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms, Configure User-ID to Monitor Syslog Senders for User Mapping.
While you can configure either the Windows agent or the PAN-OS integrated User-ID agent on the firewall to listen for authentication syslog messages from the network services, because only the PAN-OS integrated agent supports syslog listening over TLS, it is the preferred configuration.
If you have users with client systems that aren't logged in to your domain servers, for example, users running Linux clients that don't log in to the domain, you can Map IP Addresses to Usernames Using Captive Portal. Using Captive Portal in conjunction with Authentication Policy also ensures that all users authenticate to access your most sensitive applications and data.
For other clients that you can't map using the other methods, you can Send User Mappings to User-ID Using the XML API.
A large-scale network can have hundreds of information sources that firewalls query for user and group mapping and can have numerous firewalls that enforce policies based on the mapping information. You can simplify User-ID administration for such a network by aggregating the mapping information before the User-ID agents collect it. You can also reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to redistribute the mapping information. For details, see Deploy User-ID in a Large-Scale Network.
Create a Dedicated Service Account for the User-ID Agent
If you plan to use either the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must create a dedicated service account for the User-ID agent on a domain controller in each domain that the agent will monitor.
The required permissions for the service account depend on what user mapping methods and settings you plan to use. To reduce the risk associated with compromise of the User-ID service account, always configure the account with the minimum set of permissions necessary for the agent to function properly.
User-ID provides many methods for safely collecting user mapping information. Some of the legacy features, which were designed for environments that only required mapping of users on Windows desktops attached to the local network, require privileged service accounts. In the event that the privileged service account is compromised, this would open your network to attack. As a best practice, avoid using these legacy features (such as client probing, NTLM authentication, and session monitoring) that require privileges that would pose a threat if compromised. The following workflow details all privileges required and provides guidance as to which User-ID features require privileges that could pose a threat, so that you can decide how to best identify users without compromising your overall security posture.
Configure an Active Directory account for the User-ID Agent
Configure User Mapping Using the Windows User-ID Agent
In most cases, the majority of your network users will have logins to your monitored domain services. For these users, the Palo Alto Networks User-ID agent monitors the servers for login events and performs the IP address-to-username mapping. The way you configure the User-ID agent depends on the size of your environment and the location of your domain servers. As a best practice, locate your User-ID agents near the servers they will monitor (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a small amount of traffic (the delta of user mappings since the last update) from the agent to the firewall.
The following topics describe how to install and configure the User-ID Agent and how to configure the firewall to retrieve user mapping information from the agent:
Install the Windows-Based User-ID Agent
Configure the Windows-Based User-ID Agent for User Mapping
Install the Windows-Based User-ID Agent
The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer will automatically remove the older version; however, it is a good idea to back up the config.xml file before running the installer.
For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to the Palo Alto Networks Compatibility Matrix.
Install the Windows User-ID Agent
Step 9 Configure Credential Detection with the Windows-based User-ID Agent.
To use the Windows-based User-ID agent to detect credential submissions and Prevent Credential Phishing, you must install the User-ID credential service on the Windows-based User-ID agent. You can only install this add-on on a read-only domain controller (RODC).
Configure the Windows-Based User-ID Agent for User Mapping
The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network (for example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers) and monitors the logs for login events. The agent uses this information to map IP addresses to usernames. Palo Alto Networks firewalls connect to the User-ID agent to retrieve this user mapping information, enabling visibility into user activity by username rather than IP address and enabling user- and group-based security enforcement.
For information about the server OS versions supported by the User-ID agent, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
MAP IP ADDRESSES TO USERS USING THE WINDOWS-BASED USER-ID AGENT
Configure User Mapping Using the PAN-OS Integrated User-ID Agent
The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).
Map IP Addresses to Users Using the Integrated User-ID Agent
Configure User-ID to Monitor Syslog Senders for User Mapping
To obtain IP address-to-username mappings from existing network services that authenticate users, you can configure the PAN-OS integrated User-ID agent or Windows-based User-ID agent to parse Syslog messages from those services. To keep user mappings up to date, you can also configure the User-ID agent to parse syslog messages for logout events so that the firewall automatically deletes outdated mappings.
Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener
Configure the Windows User-ID Agent as a Syslog Listener
Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener
To configure the PAN-OS Integrated User-ID agent to create new user mappings and remove outdated mappings through syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the profiles to find login and logout events in syslog messages. In environments where syslog senders (the network services that authenticate users) deliver syslog messages in different formats, configure a profile for each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see Syslog). This procedure uses examples with the following formats:
Login events: [Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
After configuring the Syslog Parse profiles, you specify syslog senders for the User-ID agent to monitor.
The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if you must use UDP, make sure that the syslog sender and client are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.
Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener
4. Click OK twice to save the profile.
6. Click OK twice to save the profile.
Configure the Windows User-ID Agent as a Syslog Listener
To configure the Windows-based User-ID agent to create new user mappings and remove outdated mappings through syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the profiles to find login and logout events in syslog messages. In environments where syslog senders (the network services that authenticate users) deliver syslog messages in different formats, configure a profile for each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see Syslog). This procedure uses examples with the following formats:
Login events: [Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
After configuring the Syslog Parse profiles, you specify the syslog senders that the User-ID agent monitors.
The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, use TCP instead of UDP. In either case, make sure that the syslog sender and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.
Configure the Windows-Based User-ID Agent to Collect User Mappings from Syslog Senders
4. Click OK twice to save the profile.
6. Click OK twice to save the profile.
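The following is an added example (not Palo Alto Networks code) that models what the Syslog Parse profiles in the two procedures above do: match a login or logout event, extract the username and source address, and add or delete the mapping. It uses the login line quoted in the text; the profile field names, the logout line format and the extra sample lines are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Added example, not Palo Alto Networks code. A profile holds one regex to
# recognise the event and two to pull out the username and source address;
# those field names are an assumption, as is the logout message format.


@dataclass(frozen=True)
class SyslogParseProfile:
    name: str
    event_regex: re.Pattern      # which lines are events of this type
    username_regex: re.Pattern   # group 1 = username
    address_regex: re.Pattern    # group 1 = source IP address
    logout: bool = False         # True: delete the mapping instead of adding it


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

PROFILES = [
    # Login format quoted in the procedure text.
    SyslogParseProfile("example-login",
                       re.compile(r"authentication success"),
                       re.compile(r"User:(\S+)"),
                       re.compile(r"Source:" + IPV4)),
    # Logout format is a constructed assumption for the same sender.
    SyslogParseProfile("example-logout",
                       re.compile(r"session ended"),
                       re.compile(r"User:(\S+)"),
                       re.compile(r"Source:" + IPV4),
                       logout=True),
]


@dataclass
class UserMappingTable:
    ip_to_user: dict = field(default_factory=dict)

    def apply(self, line, profiles=PROFILES):
        """Apply the first matching profile; return (action, user, ip) or None."""
        for p in profiles:
            if not p.event_regex.search(line):
                continue
            u, a = p.username_regex.search(line), p.address_regex.search(line)
            if not (u and a):
                return None        # event matched but a field is missing: ignore
            user, ip = u.group(1), a.group(1)
            try:
                ipaddress.ip_address(ip)   # reject "999.1.1.1" and similar junk
            except ValueError:
                return None
            if p.logout:
                # Design choice here: only delete if the mapping still belongs to
                # this user, so a late logout cannot remove a newer user's mapping.
                if self.ip_to_user.get(ip) == user:
                    del self.ip_to_user[ip]
                return ("logout", user, ip)
            self.ip_to_user[ip] = user
            return ("login", user, ip)
        return None


# Constructed sample: the first line is the format from the text, the rest are made up.
SAMPLE_LINES = [
    "[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212",
    "[Tue Jul 5 13:16:40 2016 CDT] Administrator authentication success User:asmith Source:192.168.3.77",
    "[Tue Jul 5 13:20:11 2016 CDT] Administrator authentication failure User:mallory Source:192.168.3.212",
    "[Tue Jul 5 13:45:00 2016 CDT] Administrator session ended User:johndoe1 Source:192.168.3.212",
    "[Tue Jul 5 13:50:00 2016 CDT] Administrator session ended User:asmith Source:999.168.3.77",
]


def process(lines):
    """Return (events, final mapping) after feeding every line through the profiles."""
    table = UserMappingTable()
    events = [e for e in (table.apply(l) for l in lines) if e]
    return events, table.ip_to_user
```

The failure line and the line with an invalid address produce no event, so only asmith's mapping survives after johndoe1's logout.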
Map IP Addresses to Usernames Using Captive Portal
When a user initiates web traffic (HTTP or HTTPS) that matches an Authentication Policy rule, the firewall prompts the user to authenticate through Captive Portal. This ensures that you know exactly who is accessing your most sensitive applications and data. Based on user information collected during authentication, the firewall creates a new IP address-to-username mapping or updates the existing mapping for that user. This method of user mapping is useful in environments where the firewall cannot learn mappings through other methods such as monitoring servers. For example, you might have users who are not logged in to your monitored domain servers, such as users on Linux clients.
Captive Portal Authentication Methods
Captive Portal Modes
Configure Captive Portal
Captive Portal Authentication Methods
Captive Portal uses the following methods to authenticate users whose web requests match Authentication Policy rules:
Authentication Method: Description
Kerberos SSO: The firewall uses Kerberos single sign-on (SSO) to transparently obtain user credentials from the browser. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account.
If Kerberos SSO authentication fails, the firewall falls back to NT LAN Manager (NTLM) authentication. If you don't configure NTLM, or NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Authentication policy and Captive Portal configuration.
Kerberos SSO is preferable to NTLM authentication. Kerberos is a stronger, more robust authentication method than NTLM and it does not require the firewall to have an administrative account to join the domain.
NT LAN Manager (NTLM): The firewall uses an encrypted challenge-response mechanism to obtain the user credentials from the browser. When configured properly, the browser will transparently provide the credentials to the firewall without prompting the user, but will prompt for credentials if necessary.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent.
If you configure Kerberos SSO authentication, the firewall tries that method first before falling back to NTLM authentication. If the browser can't perform NTLM or if NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Authentication policy and Captive Portal configuration.
Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google Chrome to also use NTLM, but you can't use NTLM to authenticate non-Windows clients.
Web Form: The firewall redirects web requests to a web form for authentication. For this method, you can configure Authentication policy to use Multi-Factor Authentication (MFA), SAML, Kerberos, TACACS+, RADIUS, or LDAP authentication. Although users have to manually enter their login credentials, this method works with all browsers and operating systems.
Client Certificate Authentication: The firewall prompts the browser to present a valid client certificate to authenticate the user. To use this method, you must provision client certificates on each user system and install the trusted certificate authority (CA) certificate used to issue those certificates on the firewall.
Captive Portal Modes
The Captive Portal mode defines how the firewall captures web requests for authentication:
Mode: Description
Transparent: The firewall intercepts the browser traffic per the Authentication policy rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, use this mode only when absolutely necessary, such as in Layer 2 or virtual wire deployments.
Redirect: The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of the Redirect mode is that it provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring remapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they won't need to re-authenticate when the IP address changes as long as the session stays open.
If you use Kerberos SSO or NTLM authentication, you must use Redirect mode because the browser will provide credentials only to trusted sites. Redirect mode is also required if you use Multi-Factor Authentication to authenticate Captive Portal users.
Configure Captive Portal
The following procedure shows how to set up Captive Portal authentication by configuring the PAN-OS integrated User-ID agent to redirect web requests that match an Authentication Policy rule to a firewall interface (redirect host). Based on their sensitivity, the applications that users access through Captive Portal require different authentication methods and settings. To accommodate all authentication requirements, you can use default and custom authentication enforcement objects. Each object associates an Authentication rule with an authentication profile and a Captive Portal authentication method.
Default authentication enforcement objects: Use the default objects if you want to associate multiple Authentication rules with the same global authentication profile. You must configure this authentication profile before configuring Captive Portal, and then assign it in the Captive Portal Settings. For Authentication rules that require Multi-Factor Authentication (MFA), you cannot use default authentication enforcement objects.
Custom authentication enforcement objects: Use a custom object for each Authentication rule that requires an authentication profile that differs from the global profile. Custom objects are mandatory for Authentication rules that require MFA. To use custom objects, create authentication profiles and assign them to the objects after configuring Captive Portal, when you Configure Authentication Policy.
Keep in mind that authentication profiles are necessary only if users authenticate through a Captive Portal Web Form, Kerberos SSO, or NT LAN Manager (NTLM). Alternatively, or in addition to these methods, the following procedure also describes how to implement Client Certificate Authentication.
If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don't need to configure a User-ID agent.
Configure Captive Portal Using the PAN-OS Integrated User-ID Agent
Step 6 Configure the Captive Portal settings.
1. Select Device > User Identification > Captive Portal Settings and edit the settings.
2. Enable Captive Portal (default is enabled).
3. Specify the Timer, which is the maximum time in minutes that the firewall retains an IP address-to-username mapping for a user after that user authenticates through Captive Portal (default is 60; range is 1 to 1,440). After the Timer expires, the firewall removes the mapping and any associated Authentication Timestamps used to evaluate the Timeout in Authentication policy rules.
When evaluating the Captive Portal Timer and the Timeout value in each Authentication policy rule, the firewall prompts the user to re-authenticate for whichever setting expires first. Upon re-authenticating, the firewall resets the time count for the Captive Portal Timer and records new authentication timestamps for the user. Therefore, to enable different Timeout periods for different Authentication rules, set the Captive Portal Timer to a value the same as or higher than any rule Timeout.
4. Select the SSL/TLS Service Profile you created for redirect requests over TLS. See Configure an SSL/TLS Service Profile.
5. Select the Mode (in this example, Redirect).
6. (Redirect mode only) Specify the Redirect Host, which is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which web requests are redirected.
7. Select the authentication method to use if NTLM fails (or if you don't use NTLM):
To use client certificate authentication, select the Certificate Profile you created.
To use global settings for interactive or SSO authentication, select the Authentication Profile you configured.
To use Authentication policy rule-specific settings for interactive or SSO authentication, assign authentication profiles to authentication enforcement objects when you Configure Authentication Policy.
8. Click OK and Commit the Captive Portal configuration.
Configure User Mapping for Terminal Server Users
Individual terminal server users appear to have the same IP address, and therefore an IP address-to-username mapping is not sufficient to identify a specific user. To enable identification of specific users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. It then notifies every connected firewall about the allocated port range, which allows the firewall to create an IP address-port-user mapping table and enable user- and group-based security policy enforcement. For non-Windows terminal servers, you can configure the PAN-OS XML API to extract user mapping information.
The following sections describe how to configure user mapping for terminal server users:
Configure the Palo Alto Networks Terminal Services Agent for User Mapping
Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API
Configure the Palo Alto Networks Terminal Services Agent for User Mapping
Use the following procedure to install and configure the TS agent on the terminal server. To map all your users, you must install the TS agent on all terminal servers that your users log in to.
For information about the terminal servers supported by the TS Agent, refer to the Palo Alto Networks Compatibility Matrix.
Configure the Palo Alto Networks Terminal Services Agent for User Mapping
Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API
The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports RESTful services.
To enable a non-Windows terminal server to send user mapping information directly to the firewall, create scripts that extract the user login and logout events and use them for input to the PAN-OS XML API request format. Then define the mechanisms for submitting the XML API request(s) to the firewall using cURL or wget and providing the firewall's API key for secure communication. Creating user mappings from multi-user systems such as terminal servers requires use of the following API messages:
<multiusersystem>: Sets up the configuration for an XML API Multi-user System on the firewall. This message allows for definition of the terminal server IP address (this will be the source address for all users on that terminal server). In addition, the <multiusersystem> setup message specifies the range of source port numbers to allocate for user mapping and the number of ports to allocate to each individual user upon login (called the block size). If you want to use the default source port allocation range (1025-65534) and block size (200), you do not need to send a <multiusersystem> setup event to the firewall. Instead, the firewall will automatically generate the XML API Multi-user System configuration with the default settings upon receipt of the first user login event message.
<blockstart>: Used with the <login> and <logout> messages to indicate the starting source port number allocated to the user. The firewall then uses the block size to determine the actual range of port numbers to map to the IP address and username in the login message. For example, if the <blockstart> value is 13200 and the block size configured for the multi-user system is 300, the actual source port range allocated to the user is 13200 through 13499. Each connection initiated by the user should use a unique source port number within the allocated range, enabling the firewall to identify the user based on its IP address-port-user mappings for enforcement of user- and group-based security rules. When a user exhausts all the ports allocated, the terminal server must send a new <login> message allocating a new port range for the user so that the firewall can update the IP address-port-user mapping. In addition, a single username can have multiple blocks of ports mapped simultaneously. When the firewall receives a <logout> message that includes a <blockstart> parameter, it removes the corresponding IP address-port-user mapping from its mapping table. When the firewall receives a <logout> message with a username and IP address, but no <blockstart>, it removes the user from its table. And, if the firewall receives a <logout> message with an IP address only, it removes the multi-user system and all mappings associated with it.
The XML files that the terminal server sends to the firewall can contain multiple message types and the messages do not need to be in any particular order within the file. However, upon receiving an XML file that contains multiple message types, the firewall will process them in the following order: multiusersystem requests first, followed by logins, then logouts.
The following workflow provides an example of how to use the PAN-OS XML API to send user mappings from a non-Windows terminal server to the firewall.
Use the PAN-OS XML API to Map Non-Windows Terminal Services Users
API is available to all administrators (including role-based administrators with XML API privileges enabled). NOTE: Any special characters in the password must be URL/percent-encoded.
The firewall responds with a message containing the key, for example:
<response status="success">
<result>
<key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
</result>
</response>
terminal server and that the mapping is removed when the user logs out or the port allocation changes.
Similarly, the scripts you create should also ensure that the IP table routing configuration dynamically removes the SNAT mapping when the user logs out or the port allocation changes:
[root@ts1 ~]# iptables -t nat -D POSTROUTING 1
Total host: 1
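The following added example (not Palo Alto Networks code) models the IP address-port-user mapping table described above for XML API multi-user systems: the default port range and block size, the block arithmetic (blockstart 13200 with block size 300 covers 13200 through 13499), the three <logout> variants, and the multiusersystem-then-login-then-logout processing order. Only the message names <multiusersystem>, <login>, <logout> and <blockstart> come from the text; the <uid-message>/<payload>/<entry> layout, the attribute names (ip, startport, endport, blocksize, name, blockstart) and the sample message are assumptions.

```python
import xml.etree.ElementTree as ET

# Added example, not Palo Alto Networks code. Element and attribute names below
# are assumed for illustration; see the lead-in.

DEFAULT_START, DEFAULT_END, DEFAULT_BLOCKSIZE = 1025, 65534, 200  # defaults from the text


class MultiUserSystem:
    """One terminal server: its source-port range, block size and allocated blocks."""

    def __init__(self, ip, startport=DEFAULT_START, endport=DEFAULT_END,
                 blocksize=DEFAULT_BLOCKSIZE):
        if not (0 < startport <= endport <= 65535) or blocksize <= 0:
            raise ValueError("invalid port range or block size")
        self.ip, self.startport, self.endport, self.blocksize = ip, startport, endport, blocksize
        self.blocks = {}  # blockstart -> username

    def block_range(self, blockstart):
        """Ports covered by a block, e.g. blockstart 13200 / size 300 -> 13200..13499."""
        return blockstart, blockstart + self.blocksize - 1

    def allocate(self, user, blockstart):
        lo, hi = self.block_range(blockstart)
        if lo < self.startport or hi > self.endport:
            raise ValueError(f"block {lo}-{hi} outside {self.startport}-{self.endport}")
        self.blocks[blockstart] = user  # one user may hold several blocks at once

    def user_for_port(self, port):
        for blockstart, user in self.blocks.items():
            lo, hi = self.block_range(blockstart)
            if lo <= port <= hi:
                return user
        return None


class PortUserMappingTable:
    def __init__(self):
        self.systems = {}  # terminal server IP -> MultiUserSystem

    def setup(self, ip, startport, endport, blocksize):
        self.systems[ip] = MultiUserSystem(ip, startport, endport, blocksize)

    def login(self, user, ip, blockstart):
        # No <multiusersystem> message seen yet: create the system with the defaults.
        system = self.systems.setdefault(ip, MultiUserSystem(ip))
        system.allocate(user, blockstart)

    def logout(self, ip, user=None, blockstart=None):
        system = self.systems.get(ip)
        if system is None:
            return
        if blockstart is not None:        # <blockstart> given: remove just that block
            system.blocks.pop(blockstart, None)
        elif user is not None:            # user + IP only: remove every block of the user
            system.blocks = {b: u for b, u in system.blocks.items() if u != user}
        else:                             # IP only: drop the system and all its mappings
            del self.systems[ip]

    def lookup(self, ip, port):
        system = self.systems.get(ip)
        return system.user_for_port(port) if system else None

    def apply_uid_message(self, xml_text):
        """Process one XML API file: multiusersystem first, then logins, then logouts."""
        payload = ET.fromstring(xml_text).find("payload")
        for entry in (e for m in payload.findall("multiusersystem") for e in m.findall("entry")):
            self.setup(entry.get("ip"), int(entry.get("startport")),
                       int(entry.get("endport")), int(entry.get("blocksize")))
        for entry in (e for m in payload.findall("login") for e in m.findall("entry")):
            self.login(entry.get("name"), entry.get("ip"), int(entry.get("blockstart")))
        for entry in (e for m in payload.findall("logout") for e in m.findall("entry")):
            bs = entry.get("blockstart")
            self.logout(entry.get("ip"), entry.get("name"), int(bs) if bs else None)


# Constructed sample file with the message types deliberately out of order.
SAMPLE_MESSAGE = """<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <logout>
      <entry name="corp\\bbrown" ip="10.1.1.23" blockstart="13500"/>
    </logout>
    <login>
      <entry name="corp\\jdoe" ip="10.1.1.23" blockstart="13200"/>
      <entry name="corp\\bbrown" ip="10.1.1.23" blockstart="13500"/>
      <entry name="corp\\jdoe" ip="10.1.1.23" blockstart="13800"/>
    </login>
    <multiusersystem>
      <entry ip="10.1.1.23" startport="13000" endport="19999" blocksize="300"/>
    </multiusersystem>
  </payload>
</uid-message>"""


def demo():
    """Apply the sample file and return the resulting table."""
    table = PortUserMappingTable()
    table.apply_uid_message(SAMPLE_MESSAGE)
    return table
```

Because logouts are processed last, bbrown's block 13500-13799 is allocated and then released within the same file, while jdoe ends up holding two blocks at once.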
Send User Mappings to User-ID Using the XML API
User-ID provides many out-of-the-box methods for obtaining user mapping information. However, you might have applications or devices that capture user information but cannot natively integrate with User-ID. For example, you might have a custom, internally developed application or a device that no standard user mapping method supports. In such cases, you can use the PAN-OS XML API to create custom scripts that send the information to the PAN-OS integrated User-ID agent or directly to the firewall. The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports POST and GET requests.
To enable an external system to send user mapping information to the PAN-OS integrated User-ID agent, create scripts that extract user login and logout events and use the events as input to the PAN-OS XML API request. Then define the mechanisms for submitting the XML API requests to the firewall (using cURL, for example) and use the API key of the firewall for secure communication. For more details, refer to the PAN-OS XML API Usage Guide.
Enable User- and Group-Based Policy
After you Enable User-ID, you will be able to configure Security Policy that applies to specific users and groups. User-based policy controls can also include application information (including which category and subcategory it belongs in, its underlying technology, or what the application characteristics are). You can define policy rules to safely enable applications based on users or groups of users, in either outbound or inbound directions.
Examples of user-based policies include:
Enable only the IT department to use tools such as SSH, telnet, and FTP on standard ports.
Allow the Help Desk Services group to use Slack.
Allow all users to read Facebook, but block the use of Facebook apps, and restrict posting to employees in marketing.
Enable Policy for Users with Multiple Accounts
If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with distinct privileges for accessing a particular set of services, but with all the usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map any one IP address (or IP address and port range for terminal server users) to only one username for enforcing policy, and you can't predict which username the agent will map. To control access for all the usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.
For example, say the firewall has a rule that allows username corp_user to access email and a rule that allows username admin_user to access a MySQL server. The user logs in with either username from the same client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall always identifies the user as admin_user regardless of login and allows access to the MySQL server but not email. The following steps describe how to enforce both rules in this example.
Enable Policy for a User with Multiple Accounts
Verify the User-ID Configuration
After you configure user and group mapping, enable User-ID in your Security policy, and configure Authentication policy, you should verify that User-ID works properly.
Verify the User-ID Configuration
Step 1 Access the firewall CLI.
Deploy User-ID in a Large-Scale Network
A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and to map usernames to user groups. You can simplify User-ID administration for such a network by aggregating the user mapping and group mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
A large-scale network can also have numerous firewalls that use the mapping information to enforce policies. You can reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (such as regional directory services) but need access to remote services and applications (such as global data center applications).
If you Configure Authentication Policy, your firewalls must also redistribute the Authentication Timestamps associated with user responses to authentication challenges. Firewalls use the timestamps to evaluate the timeouts for Authentication policy rules. The timeouts allow a user who successfully authenticates to later request services and applications without authenticating again within the timeout periods. Redistributing timestamps enables you to enforce consistent timeouts for each user even if the firewall that initially grants a user access is not the same firewall that later controls access for that user.
Deploy User-ID for Numerous Mapping Information Sources
Redistribute User Mappings and Authentication Timestamps
Deploy User-ID for Numerous Mapping Information Sources
You can use Windows Log Forwarding and Global Catalog servers to simplify user mapping and group mapping in a large-scale network of Microsoft Active Directory (AD) domain controllers or Exchange servers. These methods simplify User-ID administration by aggregating the mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
Windows Log Forwarding and Global Catalog Servers
Plan a Large-Scale User-ID Deployment
Configure Windows Log Forwarding
Configure User-ID for Numerous Mapping Information Sources
Windows Log Forwarding and Global Catalog Servers
Because each User-ID agent can monitor up to 100 servers, the firewall needs multiple User-ID agents to monitor a network with hundreds of AD domain controllers or Exchange servers. Creating and managing numerous User-ID agents involves considerable administrative overhead, especially in expanding networks where tracking new domain controllers is difficult. Windows Log Forwarding enables you to minimize the administrative overhead by reducing the number of servers to monitor and thereby reducing the number of User-ID agents to manage. When you configure Windows Log Forwarding, multiple domain controllers export their login events to a single domain member from which a User-ID agent collects the user mapping information.
You can configure Windows Log Forwarding for Windows Server versions 2003, 2008, 2008 R2, 2012, and 2012 R2. Windows Log Forwarding is not available for non-Microsoft servers.
To collect group mapping information in a large-scale network, you can configure the firewall to query a Global Catalog server that receives account information from the domain controllers.
The following figure illustrates user mapping and group mapping for a large-scale network in which the firewall uses a Windows-based User-ID agent. See Plan a Large-Scale User-ID Deployment to determine if this deployment suits your network.
Plan a Large-Scale User-ID Deployment
When deciding whether to use Windows Log Forwarding and Global Catalog servers for your User-ID implementation, consult your system administrator to determine:
Bandwidth required for domain controllers to forward login events to member servers. The bandwidth is a multiple of the login rate (number of logins per minute) of the domain controllers and the byte size of each login event.
Note that domain controllers won't forward their entire security logs; they forward only the events that the user mapping process requires per login: three events for Windows Server 2003 or four events for Windows Server 2008/2012 and MS Exchange.
Whether the following network elements support the required bandwidth:
Domain controllers: Must support the processing load associated with forwarding the events.
Member Servers: Must support the processing load associated with receiving the events.
Connections: The geographic distribution (local or remote) of the domain controllers, member servers, and Global Catalog servers is a factor. Generally, a remote distribution supports less bandwidth.
Configure Windows Log Forwarding
To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on every member server that will collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.
Configure Windows Log Forwarding
Step 1 On every member server that will collect security events, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
Windows Server 2003: The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
Windows Server 2008/2012 (including R2) or MS Exchange: The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).
You must forward events to the security logs location on the member servers, not to the default forwarded logs location.
To forward events as quickly as possible, select the Minimize Latency option when configuring the subscription.
Step 2 Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.
Step 3 Configure a group policy to enable Windows Event Forwarding on the domain controllers.
Configure User-ID for Numerous Mapping Information Sources
Step 6 Create a group mapping configuration for each LDAP server profile you created.
1. Select Device > User Identification > Group Mapping Settings.
2. Click Add and enter a Name to identify the group mapping configuration.
3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
4. Configure the remaining fields as necessary: see Map Users to Groups.
If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
5. Click OK and Commit.
Redistribute User Mappings and Authentication Timestamps

Every firewall that enforces user-based policy requires user mapping information. In a large-scale network, instead of configuring all your firewalls to directly query the mapping information sources, you can streamline resource usage by configuring some firewalls to collect mapping information through redistribution. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (such as regional directory services) but need access to remote services and applications (such as global data center applications).

You can redistribute user mapping information collected through any method except Terminal Services (TS) agents. You cannot redistribute group mapping or HIP match information.

If you use Panorama and Dedicated Log Collectors to manage firewalls and aggregate firewall logs, you can use Panorama to manage User-ID redistribution. Leveraging Panorama and your distributed log collection infrastructure is a simpler solution than creating extra connections between firewalls to redistribute User-ID information.

If you Configure Authentication Policy, your firewalls must also redistribute the authentication timestamps that are generated when users authenticate to access applications and services. Firewalls use the timestamps to evaluate the timeouts for Authentication policy rules. The timeouts allow a user who successfully authenticates to later request services and applications without authenticating again within the timeout periods. Redistributing timestamps enables you to enforce consistent timeouts across all the firewalls in your network.

Firewalls share user mappings and authentication timestamps as part of the same redistribution flow; you don't have to configure redistribution for each information type separately.
- Firewall Deployment for User-ID Redistribution
- Configure User-ID Redistribution
Firewall Deployment for User-ID Redistribution

To aggregate User-ID information, organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers map IP addresses to usernames. Each higher layer has firewalls that receive the mapping information and authentication timestamps from up to 100 redistribution points in the layer beneath it. The top-layer firewalls aggregate the mappings and timestamps from all layers. This deployment provides the option to configure policies for all users in top-layer firewalls and region- or function-specific policies for a subset of users in the corresponding domains served by lower-layer firewalls.

Figure: User-ID and Timestamp Redistribution shows a deployment with three layers of firewalls that redistribute mappings and timestamps from local offices to regional offices and then to a global data center. The data center firewall that aggregates all the information shares it with other data center firewalls so that they can all enforce policy and generate reports for users across your entire network. Only the bottom-layer firewalls use User-ID agents to query the directory servers.

The information sources that the User-ID agents query do not count towards the maximum of ten hops in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate information in one data center firewall and the second to share the information with other data center firewalls.

Figure: User-ID and Timestamp Redistribution
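The hop arithmetic in the figure (three hops from Europe, four from North America, because the Windows-based agent counts and the directory query does not) is easy to get wrong once a topology has more than a few layers. The following planning helper, added here as an example and not part of PAN-OS, records a redistribution topology as "who receives from whom", computes the hop count from each directory source to each top-layer firewall, flags anything over the ten-hop limit, and lists the points that query directories directly (the set you want to keep small). The hostnames are invented and follow the figure.

```python
"""Check a planned User-ID redistribution topology against the ten-hop limit.

Added planning helper; not PAN-OS code, hostnames invented to mirror the
figure in the text.  Node kinds: "directory" (an information source a
User-ID agent queries), "agent" (a Windows-based User-ID agent), or
"firewall".  The query to a directory is free; every agent or firewall a
mapping passes through on its way costs one hop."""

MAX_HOPS = 10


def hops_between(src, dst, receives_from, kind, _path=()):
    """Longest chain from src to dst in hops, or None if dst never hears from src."""
    if src == dst:
        return 0
    if src in _path:
        raise ValueError(f"redistribution loop through {src}")
    best = None
    for node, senders in receives_from.items():
        if src not in senders:
            continue
        rest = hops_between(node, dst, receives_from, kind, _path + (src,))
        if rest is not None:
            cost = 0 if kind[src] == "directory" else 1
            best = max(best if best is not None else 0, cost + rest)
    return best


def querying_points(receives_from, kind):
    """Agents and firewalls that query a directory directly: keep this set small."""
    return sorted(node for node, senders in receives_from.items()
                  if any(kind[s] == "directory" for s in senders))


def audit(receives_from, kind, top_layer):
    """Hop count from every directory to every top-layer firewall, plus violations."""
    report, violations = {}, []
    for src in (n for n, k in kind.items() if k == "directory"):
        for fw in top_layer:
            hops = hops_between(src, fw, receives_from, kind)
            report[(src, fw)] = hops
            if hops is not None and hops > MAX_HOPS:
                violations.append(f"{src} -> {fw}: {hops} hops exceeds {MAX_HOPS}")
    return report, violations


# Constructed topology: Europe uses a PAN-OS integrated agent (queries AD
# directly), North America a Windows-based agent (which counts as a hop).
KIND = {
    "eu-ad": "directory", "eu-local-fw": "firewall", "eu-regional-fw": "firewall",
    "na-ad": "directory", "na-agent": "agent", "na-local-fw": "firewall",
    "na-regional-fw": "firewall", "dc-fw1": "firewall", "dc-fw2": "firewall",
}
RECEIVES_FROM = {
    "eu-local-fw": ["eu-ad"],
    "eu-regional-fw": ["eu-local-fw"],
    "na-agent": ["na-ad"],
    "na-local-fw": ["na-agent"],
    "na-regional-fw": ["na-local-fw"],
    "dc-fw1": ["eu-regional-fw", "na-regional-fw"],  # aggregates all regions
    "dc-fw2": ["dc-fw1"],                            # second top-layer hop
}

if __name__ == "__main__":
    report, violations = audit(RECEIVES_FROM, KIND, ["dc-fw2"])
    for (src, fw), hops in report.items():
        print(f"{src} -> {fw}: {hops} hops")
    print("querying points:", querying_points(RECEIVES_FROM, KIND))
    print("violations:", violations or "none")
```

A loop in the "receives from" relation raises an error rather than counting forever, which is the right outcome: two firewalls redistributing to each other is a configuration mistake, not a topology.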
Configure User-ID Redistribution

Before you configure User-ID redistribution:
- Plan the redistribution architecture. Some factors to consider are:
  - Which firewalls will enforce policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
  - How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
  - How can you minimize the number of firewalls that query the user mapping information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.
- Configure user mapping using PAN-OS integrated User-ID agents or Windows-based User-ID agents.
- Configure Authentication Policy.

Perform the following steps on the firewalls in the User-ID redistribution sequence.
App-ID Overview

App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. It applies multiple classification mechanisms (application signatures, application protocol decoding, and heuristics) to your network traffic stream to accurately identify applications.

Here's how App-ID identifies applications traversing your network:
- Traffic is matched against policy to check whether it is allowed on the network.
- Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines if the application is being used on its default port or is using a non-standard port. If the traffic is allowed by policy, the traffic is then scanned for threats and further analyzed to identify the application more granularly.
- If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
- Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
- For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
- When the application is identified, the policy check determines how to treat the application, for example block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.
Manage Custom or Unknown Applications

Palo Alto Networks provides weekly application updates to identify new App-ID signatures. By default, App-ID is always enabled on the firewall, and you don't need to enable a series of signatures to identify well-known applications. Typically, the only applications that are classified as unknown traffic (unknown-tcp, unknown-udp or non-syn-tcp) in the ACC and the Traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.

On occasion, the firewall may report an application as unknown for the following reasons:
- Incomplete data: A handshake took place, but no data packets were sent prior to the timeout.
- Insufficient data: A handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.

The following choices are available to handle unknown applications:
- Create security policies to control unknown applications by unknown-tcp, unknown-udp or by a combination of source zone, destination zone, and IP addresses.
- Request an App-ID from Palo Alto Networks: If you would like to inspect and control the applications that traverse your network, for any unknown traffic, you can record a packet capture. If the packet capture reveals that the application is a commercial application, you can submit this packet capture to Palo Alto Networks for App-ID development. If it is an internal application, you can create a custom App-ID and/or define an application override policy.
- Create a Custom Application with a signature and attach it to a security policy, or create a custom application and define an application override policy: A custom application allows you to customize the definition of the internal application (its characteristics, category and subcategory, risk, port, timeout) and exercise granular policy control in order to minimize the range of unidentified traffic on your network. Creating a custom application also allows you to correctly identify the application in the ACC and Traffic logs and is useful in auditing/reporting on the applications on your network. For a custom application you can specify a signature and a pattern that uniquely identifies the application and attach it to a security policy that allows or denies the application.
  Alternatively, if you would like the firewall to process the custom application using fast path (Layer 4 inspection instead of using App-ID for Layer 7 inspection), you can reference the custom application in an application override policy rule. An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer 7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4, and thereby saves application processing time.
  For example, if you build a custom application that triggers on a host header www.mywebsite.com, the packets are first identified as web-browsing and then are matched as your custom application (whose parent application is web-browsing). Because the parent application is web-browsing, the custom application is inspected at Layer 7 and scanned for content and vulnerabilities.
  If you define an application override, the firewall stops processing at Layer 4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.
Manage New App-IDs Introduced in Content Releases

Installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for the now uniquely identified application. Before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policies and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.

The following options enable you to assess the impact of new App-IDs on existing policy enforcement, disable (and enable) App-IDs, and seamlessly update policy rules to secure and enforce newly identified applications:
- Review New App-IDs
- Disable or Enable App-IDs
- Prepare Policy Updates for Pending App-IDs
Review New App-IDs

Review new App-ID signatures introduced in an Applications and/or Threats content update. For each new application signature introduced, you can preview the App-ID details, including a description of the application identified by the App-ID, other existing App-IDs that the new signature is dependent on (such as SSL or HTTP), and the category the application traffic received before the introduction of the new App-ID (for example, an application might be classified as web-browsing traffic before an App-ID signature is introduced that uniquely identifies the traffic). After reviewing the description and details for a new App-ID signature, review the App-ID signature impact on existing policy enforcement. When new application signatures are introduced, the newly identified application traffic might no longer match to policies that previously enforced the application. Reviewing the policy impact for new application signatures enables you to identify the policies that will no longer enforce the application when the new App-ID is installed.

After downloading a new content release version, review the new App-IDs included in the content version and assess the impact of the new App-IDs on existing policy rules:
- Review New App-IDs Since Last Content Version
- Review New App-ID Impact on Existing Policy Rules
Review New App-IDs Since Last Content Version

Review New App-IDs Available Since the Last Installed Content Release Version

Step 2: Download the latest Applications and Threats content update. When the content update is downloaded, an Apps link will appear in the Features column for that content update.
A list of App-IDs shows all new App-IDs introduced from the content version installed on the firewall to the selected Content Version.
App-ID details that you can use to assess possible impact to policy enforcement include:
- Depends On: Lists the application signatures that this App-ID relies on to uniquely identify the application. If one of the application signatures listed in the Depends On field is disabled, the dependent App-ID is also disabled.
- Previously Identified As: Lists the App-IDs that matched to the application before the new App-ID was installed to uniquely identify the application.
- App-ID Enabled: All App-IDs display as enabled when a content release is downloaded, unless you choose to manually disable the App-ID signature before installing the content update (see Disable or Enable App-IDs).
  Multi-vsys firewalls display App-ID status as vsys-specific. This is because the status is not applied across virtual systems and must be individually enabled or disabled for each virtual system. To view the App-ID status for a specific virtual system, select Objects > Applications, select a Virtual System, and select the App-ID.
Next Steps...
- Disable or Enable App-IDs.
- Prepare Policy Updates for Pending App-IDs.
Review New App-ID Impact on Existing Policy Rules

Review the Impact of New App-ID Signatures on Existing Policy Rules

Step 2: You can review the policy impact of new content release versions that are downloaded to the firewall. Download a new content release version, and click Review Policies in the Action column. The Policy review based on candidate configuration dialog allows you to filter by Content Version and view App-IDs introduced in a specific release (you can also filter the policy impact of new App-IDs according to Rulebase and Virtual System).
Step 4: Use the detail provided in the policy review to plan policy rule updates to take effect when the App-ID is installed and enabled to uniquely identify the application.
You can continue to Prepare Policy Updates for Pending App-IDs, or you can directly add the new App-ID to policy rules that the application was previously matched to by continuing to use the policy review dialog.
In the following example, the new App-ID adobe-cloud is introduced in a content release. Adobe Cloud traffic is currently identified as SSL and web-browsing traffic. Policy rules configured to enforce SSL or web-browsing traffic are listed to show what policy rules will be affected when the new App-ID is installed. In this example, the rule AllowSSLApp currently enforces SSL traffic.
Add the new App-ID to existing policy rules, to allow the application traffic to continue to be enforced according to your existing security requirements when the App-ID is installed. In this example, to continue to allow adobe-cloud traffic when it is uniquely identified by the new App-ID, and no longer identified as SSL traffic, add the new App-ID to the security policy rule AllowSSLApp.
The policy rule updates take effect only when the application updates are installed.
Next Steps...
- Disable or Enable App-IDs.
- Prepare Policy Updates for Pending App-IDs.
Disable or Enable App-IDs

Disable new App-IDs included in a content release to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.

Policy rules referencing App-IDs only match to and enforce traffic based on enabled App-IDs.

Certain App-IDs cannot be disabled and only allow a status of enabled. App-IDs that cannot be disabled include some application signatures implicitly used by other App-IDs (such as unknown-tcp). Disabling a base App-ID could cause App-IDs which depend on the base App-ID to also be disabled. For example, disabling facebook-base will disable all other Facebook App-IDs.

Disable and Enable App-IDs

Disable all App-IDs in a content release or for scheduled content updates:
- To disable all new App-IDs introduced in a content release, select Device > Dynamic Updates and Install an Applications and Threats content release. When prompted, select Disable new apps in content update. Select the check box to disable apps and continue installing the content update; this allows you to be protected against threats, and gives you the option to enable the apps at a later time.
- On the Device > Dynamic Updates page, select Schedule. Choose to Disable new apps in content update for downloads and installations of content releases.

Disable App-IDs for one application or multiple applications at a single time:
- To quickly disable a single application or multiple applications at the same time, click Objects > Applications. Select one or more application check boxes and click Disable.
- To review details for a single application, and then disable the App-ID for that application, select Objects > Applications and Disable App-ID. You can use this step to disable both pending App-IDs (where the content release including the App-ID is downloaded to the firewall but not installed) or installed App-IDs.
Prepare Policy Updates for Pending App-IDs

You can now stage seamless policy updates for new App-IDs. Release versions prior to PAN-OS 7.0 required you to install new App-IDs (as part of a content release) and then make necessary policy updates. This allowed for a period during which the newly identified application traffic was not enforced, either by existing rules (that the traffic had matched to before being uniquely identified) or by rules that had yet to be created or modified to use the new App-ID.

Pending App-IDs can now be added to policy rules to prevent gaps in policy enforcement that could occur during the period between installing a content release and updating security policy. Pending App-IDs include App-IDs that have been manually disabled, or App-IDs that are downloaded to the firewall but not installed. Pending App-IDs can be used to update policies both before and after installing a new content release. Though they can be added to policy rules, pending App-IDs are not enforced until the App-IDs are both installed and enabled on the firewall.

The names of App-IDs that have been manually disabled display as gray and italicized, to indicate the disabled status:
Figure: Disabled App-ID listed on the Objects > Applications page
Figure: Disabled App-ID included in a security policy rule

App-IDs that are included in a downloaded content release version might have an App-ID status of enabled, but App-IDs are not enforced until the corresponding content release version is installed.
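The enforcement gap that pending App-IDs close is easiest to see by replaying the adobe-cloud case from Review New App-ID Impact on Existing Policy Rules step by step. The model below is an added example, not PAN-OS code: it encodes the three facts the text gives (an App-ID enforces only when installed, enabled and its Depends On bases are enabled; a pending App-ID's traffic is still reported as what it was previously identified as; a rule matches only enabled App-IDs) and then shows that installing the content release without staging leaves adobe-cloud traffic matching no rule, while staging the pending App-ID into AllowSSLApp keeps it allowed. The rule names come from the text; the dependency lists and the AllowWeb/AllowFacebookChat rules are constructed.

```python
"""How a new App-ID changes policy matching, and how staging the pending
App-ID in the affected rules closes the gap.  Added example, not PAN-OS
code; dependency lists and extra rule names are constructed."""
from dataclasses import dataclass


@dataclass
class AppID:
    name: str
    depends_on: tuple = ()                 # "Depends On" column
    previously_identified_as: tuple = ()   # "Previously Identified As" column
    installed: bool = True                 # content release containing it is installed
    enabled: bool = True                   # not manually disabled


@dataclass
class Rule:
    name: str
    apps: list
    action: str = "allow"


def is_effective(apps, name):
    """An App-ID enforces only if installed, enabled, and all its bases are effective
    (disabling facebook-base disables every App-ID that depends on it)."""
    app = apps[name]
    return (app.installed and app.enabled
            and all(is_effective(apps, dep) for dep in app.depends_on))


def identify(apps, true_app):
    """What a flow of `true_app` is reported as: itself if its signature is
    effective, else the first effective App-ID it was previously identified as."""
    if is_effective(apps, true_app):
        return true_app
    for fallback in apps[true_app].previously_identified_as:
        if is_effective(apps, fallback):
            return fallback
    return "unknown-tcp"


def first_match(rules, identified):
    """First rule whose application list contains the identified App-ID."""
    return next((r for r in rules if identified in r.apps), None)


def policy_impact(rules, new_app):
    """Rules that enforce the application today and stop matching it once the
    new App-ID is installed: the 'Review Policies' list."""
    previous = set(new_app.previously_identified_as)
    return [r.name for r in rules if previous & set(r.apps)]


def stage_pending_app(rules, new_app):
    """Add the pending App-ID to every affected rule so enforcement is seamless."""
    for r in rules:
        if r.name in policy_impact(rules, new_app) and new_app.name not in r.apps:
            r.apps.append(new_app.name)
    return rules


# Constructed catalogue: adobe-cloud is downloaded but not yet installed.
APPS = {
    "ssl": AppID("ssl"),
    "web-browsing": AppID("web-browsing"),
    "adobe-cloud": AppID("adobe-cloud", depends_on=("ssl", "web-browsing"),
                         previously_identified_as=("ssl", "web-browsing"),
                         installed=False),
    "facebook-base": AppID("facebook-base"),
    "facebook-chat": AppID("facebook-chat", depends_on=("facebook-base",)),
}
RULES = [Rule("AllowSSLApp", ["ssl"]), Rule("AllowWeb", ["web-browsing"]),
         Rule("AllowFacebookChat", ["facebook-chat"])]


def walk_through():
    """Replay: before install, install without staging (gap), then staged."""
    apps = {k: AppID(**vars(v)) for k, v in APPS.items()}       # fresh copies
    rules = [Rule(r.name, list(r.apps), r.action) for r in RULES]
    steps = {}
    steps["before"] = first_match(rules, identify(apps, "adobe-cloud")).name
    steps["impact"] = policy_impact(rules, apps["adobe-cloud"])
    apps["adobe-cloud"].installed = True
    steps["after_install_unstaged"] = first_match(rules, identify(apps, "adobe-cloud"))
    stage_pending_app(rules, apps["adobe-cloud"])
    steps["after_install_staged"] = first_match(rules, identify(apps, "adobe-cloud")).name
    apps["facebook-base"].enabled = False
    steps["facebook_chat_effective"] = is_effective(apps, "facebook-chat")
    return steps


if __name__ == "__main__":
    for step, result in walk_through().items():
        print(f"{step}: {result}")
```

In practice you stage first and install second; the replay installs first only to make the unenforced window visible. Note also that a rule may carry the pending name before install without side effects: until the App-ID is effective, the flow is still reported as ssl and still matches AllowSSLApp on that entry.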
Perform Seamless Policy Updates for New App-IDs

Use Application Objects in Policy
- Create an Application Group
- Create an Application Filter
- Create a Custom Application
Create an Application Group

An application group is an object that contains applications that you want to treat similarly in policy. Application groups are useful for enabling access to applications that you explicitly sanction for use within your organization. Grouping sanctioned applications simplifies administration of your rulebases. Instead of having to update individual policy rules when there is a change in the applications you support, you can update only the affected application groups.

When deciding how to group applications, consider how you plan to enforce access to your sanctioned applications and create an application group that aligns with each of your policy goals. For example, you might have some applications that you will only allow your IT administrators to access, and other applications that you want to make available for any known user in your organization. In this case, you would create separate application groups for each of these policy goals. Although you generally want to enable access to applications on the default port only, you may want to group applications that are an exception to this and enforce access to those applications in a separate rule.

Create an Application Group
Step 2: Add a group and give it a descriptive Name.
Step 3: (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
Step 4: Add the applications you want in the group and then click OK.
Step 5: Commit the configuration.
Create an Application Filter

An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to access. For example, you may want to enable employees to choose their own office programs (such as Evernote, Google Docs, or Microsoft Office 365) for business use. To safely enable these types of applications, you could create an application filter that matches on the Category business-systems and the Subcategory office-programs. As new office-program applications emerge and new App-IDs get created, these new applications will automatically match the filter you defined; you will not have to make any additional changes to your policy rulebase to safely enable any application that matches the attributes you defined for the filter.

Create an Application Filter
Step 2: Add a filter and give it a descriptive Name.
Step 3: (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
Step 4: Define the filter by selecting attribute values from the Category, Subcategory, Technology, Risk, and Characteristic sections. As you select values, notice that the list of matching applications at the bottom of the dialog narrows. When you have adjusted the filter attributes to match the types of applications you want to safely enable, click OK.
Step 5: Commit the configuration.
Create a Custom Application

To safely enable applications you must classify all traffic, across all ports, all the time. With App-ID, the only applications that are typically classified as unknown traffic (unknown-tcp, unknown-udp or non-syn-tcp) in the ACC and the Traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.

If you are seeing unknown traffic for a commercial application that does not yet have an App-ID, you can submit a request for a new App-ID here: http://researchcenter.paloaltonetworks.com/submitanapplication/.

To ensure that your internal custom applications do not show up as unknown traffic, create a custom application. You can then exercise granular policy control over these applications in order to minimize the range of unidentified traffic on your network, thereby reducing the attack surface. Creating a custom application also allows you to correctly identify the application in the ACC and Traffic logs, which enables you to audit/report on the applications on your network.

To create a custom application, you must define the application attributes: its characteristics, category and subcategory, risk, port, timeout. In addition, you must define patterns or values that the firewall can use to match to the traffic flows themselves (the signature). Finally, you can attach the custom application to a security policy that allows or denies the application (or add it to an application group or match it to an application filter). You can also create custom applications to identify ephemeral applications with topical interest, such as ESPN3 Video for World Cup soccer or March Madness.

In order to collect the right data to create a custom application signature, you'll need a good understanding of packet captures and how datagrams are formed. If the signature is created too broadly, you might inadvertently include other similar traffic; if it is defined too narrowly, the traffic will evade detection if it does not strictly match the pattern.

Custom applications are stored in a separate database on the firewall and this database is not impacted by the weekly App-ID updates.

The supported application protocol decoders that enable the firewall to detect applications that may be tunneling inside of the protocol include the following as of content release version 609: FTP, HTTP, IMAP, POP3, SMB, and SMTP.

The following is a basic example of how to create a custom application.

Create a Custom Application
5. Repeat steps 3 and 4 for each matching condition.
6. If the order in which the firewall attempts to match the signature definitions is important, make sure the Ordered Condition Match check box is selected and then order the conditions so that they are evaluated in the appropriate order. Select a condition or a group and click Move Up or Move Down. You cannot move conditions from one group to another.
7. Click OK to save the signature definition.
Applications with Implicit Support

When creating a policy to allow specific applications, you must also be sure that you are allowing any other applications on which the application depends. In many cases, you do not have to explicitly allow access to the dependent applications in order for the traffic to flow because the firewall is able to determine the dependencies and allow them implicitly. This implicit support also applies to custom applications that are based on HTTP, SSL, MS-RPC, or RTSP. Applications for which the firewall cannot determine dependent applications in time will require that you explicitly allow the dependent applications when defining your policies. You can determine application dependencies in Applipedia.

The following table lists the applications for which the firewall has implicit support (as of Content Update 595).

Table: Applications with Implicit Support
Application                  Implicitly Supports
360-safeguard-update         http
apple-update                 http
apt-get                      http
as2                          http
avg-update                   http
avira-antivir-update         http, ssl
blokus                       rtmp
bugzilla                     http
club-cooee                   http
corba                        http
cubby                        http, ssl
dropbox                      ssl
esignal                      http
evernote                     http, ssl
ezhelp                       http
facebook                     http, ssl
facebook-chat                jabber
facebook-social-plugin       http
fastviewer                   http, ssl
forticlient-update           http
good-for-enterprise          http, ssl
google-cloud-print           http, ssl, jabber
google-desktop               http
google-talk                  jabber
google-update                http
gotomypc-desktop-sharing     citrix-jedi
gotomypc-file-transfer       citrix-jedi
gotomypc-printing            citrix-jedi
hipchat                      http
iheartradio                  ssl, http, rtmp
infront                      http
instagram                    http, ssl
issuu                        http, ssl
java-update                  http
jepptech-updates             http
kerberos                     rpc
kik                          http, ssl
lastpass                     http, ssl
logmein                      http, ssl
mcafee-update                http
megaupload                   http
metatrader                   http
mocha-rdp                    t_120
mount                        rpc
ms-frs                       msrpc
ms-rdp                       t_120
ms-scheduler                 msrpc
ms-service-controller        msrpc
nfs                          rpc
oovoo                        http, ssl
paloalto-updates             ssl
panos-global-protect         http
panos-web-interface          http
pastebin                     http
pastebin-posting             http
pinterest                    http, ssl
portmapper                   rpc
prezi                        http, ssl
rdp2tcp                      t_120
renren-im                    jabber
roboform                     http, ssl
salesforce                   http
stumbleupon                  http
supremo                      http
symantec-av-update           http
trendmicro                   http
trillian                     http, ssl
twitter                      http
whatsapp                     http, ssl
xm-radio                     rtsp
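A rulebase audit for the situation this section describes (an application whose dependency is not in the implicit-support table, so the dependency must be listed in the rule itself) is small enough to script. The helper below is an added example and not PAN-OS code. IMPLICIT_SUPPORT carries a few rows copied from the table above; DEPENDENCIES stands in for what you would look up in Applipedia, and the entries marked illustrative, including the made-up hypothetical-erp application, exist only so that a non-implicit case appears.

```python
"""Audit Security rules for application dependencies that the firewall will
not allow implicitly.  Added example, not PAN-OS code.  IMPLICIT_SUPPORT is a
subset of the guide's table; DEPENDENCIES is illustrative (real values come
from Applipedia) and hypothetical-erp is a made-up internal application."""

IMPLICIT_SUPPORT = {
    "dropbox": {"ssl"},
    "facebook": {"http", "ssl"},
    "facebook-chat": {"jabber"},
    "google-cloud-print": {"http", "ssl", "jabber"},
    "kerberos": {"rpc"},
    "nfs": {"rpc"},
    "ms-rdp": {"t_120"},
}

DEPENDENCIES = {
    "dropbox": {"ssl"},
    "facebook": {"http", "ssl"},
    "facebook-chat": {"jabber", "facebook"},  # illustrative
    "nfs": {"rpc", "portmapper"},             # illustrative
    "hypothetical-erp": {"ssl", "ldap"},      # made-up internal application
}


def missing_explicit_apps(rule_apps, deps=DEPENDENCIES, implicit=IMPLICIT_SUPPORT):
    """Dependencies the rule must list itself for its applications to work.

    Walks each application's dependency chain.  A dependency is covered when
    the rule already allows it or the firewall adds it implicitly for the
    application that needs it; anything else is reported.  Chains are
    followed so a dependency's own requirements are checked as well."""
    allowed, missing, seen = set(rule_apps), set(), set()

    def walk(parent):
        for dep in deps.get(parent, ()):
            if dep not in allowed and dep not in implicit.get(parent, set()):
                missing.add(dep)
            if dep not in seen:          # guards against dependency cycles
                seen.add(dep)
                walk(dep)

    for app in rule_apps:
        walk(app)
    return sorted(missing)


def audit_rulebase(rules, deps=DEPENDENCIES, implicit=IMPLICIT_SUPPORT):
    """{rule name: missing dependencies} for every rule that has a gap."""
    result = {}
    for name, apps in rules.items():
        gap = missing_explicit_apps(apps, deps, implicit)
        if gap:
            result[name] = gap
    return result


if __name__ == "__main__":
    rules = {
        "AllowStorage": ["dropbox", "nfs"],
        "AllowSocial": ["facebook-chat"],
        "AllowERP": ["hypothetical-erp", "ssl"],
    }
    for rule, gap in audit_rulebase(rules).items():
        print(f"{rule}: add {', '.join(gap)}")
```

Adding the reported applications to the rule (rather than broadening it to any) keeps the rule as tight as the dependency actually requires.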
Application Level Gateways

The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the application based on its unique properties and transaction characteristics using the App-ID technology. Some applications, however, require the firewall to dynamically open pinholes to establish the connection, determine the parameters for the session and negotiate the ports that will be used for the transfer of data; these applications use the application layer payload to communicate the dynamic TCP or UDP ports on which the application opens data connections. For such applications, the firewall serves as an Application Level Gateway (ALG), and it opens a pinhole for a limited time and for exclusively transferring data or control traffic. The firewall also performs a NAT rewrite of the payload when necessary.

H.323 (H.225 and H.248) ALG is not supported in gatekeeper routed mode.

When the firewall serves as an ALG for the Session Initiation Protocol (SIP), by default it performs NAT on the payload and opens dynamic pinholes for media ports. In some cases, depending on the SIP applications in use in your environment, the SIP endpoints have NAT intelligence embedded in their clients. In such cases, you might need to disable the SIP ALG functionality to prevent the firewall from modifying the signaling sessions. When SIP ALG is disabled, if App-ID determines that a session is SIP, the payload is not translated and dynamic pinholes are not opened. See Disable the SIP Application-level Gateway (ALG).

The following table lists the IPv4, NAT, IPv6, NPTv6 and NAT64 ALGs and indicates with a check mark whether the ALG supports each protocol (such as SIP).

Table: ALG support by protocol. Protocols covered: SIP, SCCP, MGCP, FTP, RTSP, MySQL, Oracle/SQLNet/TNS, RPC, RSH, UNIStim, H.225, H.248 (the check-mark columns for IPv4, NAT, IPv6, NPTv6 and NAT64 are not reproduced here).
Disable the SIP Application-level Gateway (ALG)

The Palo Alto Networks firewall uses the Session Initiation Protocol (SIP) application-level gateway (ALG) to open dynamic pinholes in the firewall where NAT is enabled. However, some applications such as VoIP have NAT intelligence embedded in the client application. In these cases, the SIP ALG on the firewall can interfere with the signaling sessions and cause the client application to stop working.

One solution to this problem is to define an Application Override Policy for SIP, but using this approach disables the App-ID and threat detection functionality. A better approach is to disable the SIP ALG, which does not disable App-ID or threat detection.

The following procedure describes how to disable the SIP ALG.

Disable the SIP ALG
Step 2: Select the sip application. You can type sip in the Search box to help find the sip application.
Step 3: Select Customize... for ALG in the Options section of the Application dialog box.
Step 5: Close the Application dialog box and Commit the change.
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Every Palo Alto Networks next-generation firewall comes with predefined Antivirus, Anti-Spyware, and Vulnerability Protection profiles that you can attach to Security policy rules. There is one predefined Antivirus profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert on SMTP, IMAP, and POP3 traffic). There are two predefined Anti-Spyware and Vulnerability Protection profiles:
- default: Applies the default action to all client and server critical, high, and medium severity spyware/vulnerability protection events. It does not detect low and informational events.
- strict: Applies the block response to all client and server critical, high and medium severity spyware/vulnerability protection events and uses the default action for low and informational events.

To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your basic web access policies. As you monitor the traffic on your network and expand your policy rulebase, you can then design more granular profiles to address your specific security needs.

Use the following workflow to set up the default Antivirus, Anti-Spyware, and Vulnerability Protection Security Profiles.

Palo Alto Networks defines a default action for all anti-spyware and vulnerability protection signatures. To see the default action, select Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then select a profile. Click the Exceptions tab and then click Show all signatures to view the list of the signatures and the corresponding default Action. To change the default action, create a new profile and specify an Action, and/or add individual signature exceptions to Exceptions in the profile.

Set up Antivirus/Anti-Spyware/Vulnerability Protection
Step 6: Commit your changes.
Create Threat Exceptions

Palo Alto Networks defines a recommended default action (such as block or alert) for threat signatures. You can use a threat ID to exclude a threat signature from enforcement or modify the action the firewall enforces for that threat signature. For example, you can modify the action for threat signatures that are triggering false positives on your network.

Configure threat exceptions for antivirus, vulnerability, spyware, and DNS signatures to Change Firewall Enforcement for a Threat. However, before you begin, make sure the firewall is detecting and enforcing threats based on the default signature settings:
- Get the latest Antivirus, Threats and Applications, and WildFire signature updates.
- Set Up Antivirus, Anti-Spyware, and Vulnerability Protection and apply these security profiles to your security policy.

Change Firewall Enforcement for a Threat
4. Click OK to save the Antivirus profile.
For signatures that you want to exclude from enforcement because they trigger false positives, set the Action to Allow.
5. Click OK to save your new or modified Anti-Spyware or Vulnerability Protection profile.
4. Click OK to save your new or modified Anti-Spyware profile.
Set Up Data Filtering

Use Data Filtering Profiles to prevent sensitive, confidential, and proprietary information from leaving your network. First, create a data pattern to define the information types for which you want the firewall to filter. Predefined patterns and built-in settings make it easy for you to create custom patterns for filtering on social security and credit card numbers or on file properties, such as a document title or author. Continue to add one or more data patterns to a Data Filtering profile and then attach the profile to a Security policy rule to enable data filtering.

If you're using a third-party, endpoint data loss prevention (DLP) solution that populates file properties to indicate sensitive content, then data filtering enables the firewall to enforce your DLP policy. To secure this confidential data, create a custom data pattern to identify the file properties and values tagged by your DLP solution and then log or block the files that your Data Filtering profile detects based on that pattern.
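The two kinds of data pattern described above (content patterns for numbers such as credit cards and SSNs, and file-property patterns for the metadata a DLP tool stamps on a file) behave differently when you tune them, and the difference is worth seeing on real input. The following is an added example, not PAN-OS code: it matches a credit card pattern with a Luhn check so that random sixteen-digit strings are not reported, an SSN pattern with the obviously invalid prefixes excluded, and a file-property pattern, then applies alert and block thresholds the way a profile would log or block the file. The thresholds, the sample document text and its properties are constructed for the example.

```python
"""Data pattern matching in the style of a Data Filtering profile.
Added example, not PAN-OS code; thresholds, sample text and file
properties are constructed."""
import re
from collections import Counter


def luhn_ok(digits):
    """Luhn check-digit validation for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Content patterns: a regex plus a validator that rejects false positives.
CONTENT_PATTERNS = {
    "credit-card": (
        re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),        # 13 to 19 digits
        lambda m: luhn_ok(re.sub(r"[ -]", "", m)),
    ),
    "ssn": (
        re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
        lambda m: True,
    ),
}


def scan_content(text):
    """(pattern name, matched text) for every validated hit in `text`."""
    hits = []
    for name, (regex, valid) in CONTENT_PATTERNS.items():
        hits += [(name, m.group(0)) for m in regex.finditer(text) if valid(m.group(0))]
    return hits


def file_property_match(properties, required):
    """True when every required property is present and matches its regex."""
    return all(re.search(rx, properties.get(key, ""), re.IGNORECASE)
               for key, rx in required.items())


def evaluate(profile, text, properties):
    """Return (action, counts): the decision a profile would make for one file."""
    counts = Counter(name for name, _ in scan_content(text))
    if profile.get("file_properties") and file_property_match(properties, profile["file_properties"]):
        counts["dlp-tag"] += 1
    total = sum(counts.values())
    if total >= profile["block_threshold"]:
        return "block", dict(counts)
    if total >= profile["alert_threshold"]:
        return "alert", dict(counts)
    return "allow", dict(counts)


# Constructed inputs: one valid card number, one that fails Luhn, one SSN,
# one phone number that must not be mistaken for an SSN, and a DLP tag.
PROFILE = {"alert_threshold": 1, "block_threshold": 3,
           "file_properties": {"Sensitivity": r"^confidential$"}}
SAMPLE_TEXT = ("Card on file: 4111 1111 1111 1111 (expires 12/28).\n"
               "Typo in old record: 4111 1111 1111 1112.\n"
               "Employee SSN 123-45-6789, desk phone 555-123-4567.")
SAMPLE_PROPERTIES = {"Title": "Q3 payroll export", "Author": "finance",
                     "Sensitivity": "Confidential"}

if __name__ == "__main__":
    print(scan_content(SAMPLE_TEXT))
    print(evaluate(PROFILE, SAMPLE_TEXT, SAMPLE_PROPERTIES))
```

The validator step is what keeps the pattern from being "too broad" in the sense the Create a Custom Application section warns about: without the Luhn check the mistyped number would count as a second hit and the file would be blocked on noise rather than on data.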
Enable Data Filtering
Set Up File Blocking
File Blocking profiles allow you to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive-by download protection, allow download/upload of executables and archive files (.zip and .rar), but force users to acknowledge that they are transferring a file so that they will notice that the browser is attempting to download something they were not aware of. For policy rules that allow general web browsing, be more strict with your file blocking because the risk of users unknowingly downloading malicious files is much higher. For this type of traffic you will want to attach a more strict file blocking profile that also blocks portable executable (PE) files.
You can define your own custom File Blocking profiles, or choose one of the following predefined profiles when applying file blocking to a Security policy rule. The predefined profiles, which are available with content release version 653 and later, allow you to quickly enable best practice file blocking settings:
- basic file blocking: Attach this profile to the Security policy rules that allow traffic to and from less sensitive applications to block files that are commonly included in malware attack campaigns or that have no real use case for upload/download. This profile blocks upload and download of PE files (.scr, .cpl, .dll, .ocx, .pif, .exe), Java files (.class, .jar), Help files (.chm, .hlp) and other potentially malicious file types, including .vbe, .hta, .wsf, .torrent, .7z, .rar, .bat. Additionally, it prompts users to acknowledge when they attempt to download encrypted rar or encrypted zip files. This rule alerts on all other file types to give you complete visibility into all file types coming in and out of your network.
- strict file blocking: Use this stricter profile on the Security policy rules that allow access to your most sensitive applications. This profile blocks the same file types as the other profile, and additionally blocks flash, .tar, multi-level encoding, .cab, .msi, encrypted rar, and encrypted zip files.
These predefined profiles are designed to provide the most secure posture for your network. However, if you have business-critical applications that rely on some of the file types that are blocked in these default profiles, you can clone the profiles and modify them as necessary. Make sure that you only use the modified profiles for those users who need to upload and/or download a risky file type. Additionally, to reduce your attack surface, make sure you are using other security measures to ensure that the files your users are uploading and downloading do not pose a threat to your organization. For example, if you must allow download of PE files, make sure you are sending all unknown PE files to WildFire for analysis. Additionally, maintain a strict URL filtering policy to ensure that users cannot download content from websites that have been known to host malicious content.
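The point of identifying file types by content rather than by name is that a renamed executable is still an executable. The following Python is an added example, not Palo Alto Networks code: it classifies a file from its leading bytes (the magic-byte table and the type names are my own heuristics; PAN-OS uses its own decoders and can also recognise types such as .bat, .torrent and multi-level encoding that have no magic bytes), reads the encryption flag from a zip local file header, and maps the result onto the block / continue / alert behaviour that the basic and strict profiles above describe.

```python
import struct

# Magic-byte signatures for the file types the predefined profiles mention.
# These heuristics are my own; PAN-OS identifies types with its own decoders.
MAGIC = [
    (b"MZ", "pe"),
    (b"\xca\xfe\xba\xbe", "java-class"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"MSCF", "cab"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "msi"),
    (b"FWS", "flash"),
    (b"CWS", "flash"),
    (b"ITSF", "chm"),
]

# Action sets reconstructed from the profile descriptions above.
BLOCK_BASIC = {"pe", "java-class", "chm", "rar", "7z", "bat", "torrent"}
CONTINUE_BASIC = {"encrypted-zip", "encrypted-rar"}
BLOCK_STRICT = BLOCK_BASIC | CONTINUE_BASIC | {"flash", "tar", "cab", "msi"}


def classify(data: bytes) -> str:
    """Identify a file type from its leading bytes, ignoring the file name."""
    if data.startswith(b"PK\x03\x04") and len(data) >= 8:
        # Zip local file header: bytes 6-7 are the general-purpose flags; bit 0 = encrypted.
        flags = struct.unpack("<H", data[6:8])[0]
        return "encrypted-zip" if flags & 0x0001 else "zip"
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if len(data) > 262 and data[257:262] == b"ustar":   # POSIX tar magic sits at offset 257
        return "tar"
    return "unknown"


def file_blocking_action(profile: str, file_type: str) -> str:
    """Map a file type to block / continue / alert for the basic or strict profile."""
    if profile == "strict":
        return "block" if file_type in BLOCK_STRICT else "alert"
    if file_type in BLOCK_BASIC:
        return "block"
    if file_type in CONTINUE_BASIC:
        return "continue"
    return "alert"


def decide(profile: str, filename: str, data: bytes) -> dict:
    """Classify the content and return the action the chosen profile would take."""
    ftype = classify(data)
    return {"name": filename, "type": ftype, "action": file_blocking_action(profile, ftype)}


# Constructed samples (not real files): a PE header under a .pdf name,
# an encrypted zip local header, and a plain zip local header.
RENAMED_PE = b"MZ\x90\x00" + b"\x00" * 60
ENCRYPTED_ZIP = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0001) + b"\x00" * 22
PLAIN_ZIP = b"PK\x03\x04" + struct.pack("<HH", 20, 0x0000) + b"\x00" * 22

if __name__ == "__main__":
    for profile in ("basic", "strict"):
        print(decide(profile, "report.pdf", RENAMED_PE))
        print(decide(profile, "archive.zip", ENCRYPTED_ZIP))
```

The renamed PE is blocked under both profiles regardless of its .pdf name; the encrypted zip gets the continue page under the basic profile and is blocked under the strict one, which is exactly the difference between the two predefined profiles.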
Configure File Blocking
Step 4 To test your file blocking configuration, access an endpoint PC in the trust zone of the firewall and attempt to download an executable file from a website in the untrust zone; a response page should display. Click Continue to confirm that you can download the file. You can also set other actions, such as alert or block, which do not provide an option for the user to continue the download. The following shows the default response page for File Blocking:
Prevent Brute Force Attacks
A brute force attack uses a large volume of requests/responses from the same source or destination IP address to break into a system. The attacker employs a trial-and-error method to guess the response to a challenge or a request.
The Vulnerability Protection profile on the firewall includes signatures to protect you from brute force attacks. Each signature has an ID, Threat Name, and Severity and is triggered when a pattern is recorded. The pattern specifies the conditions and interval at which the traffic is identified as a brute force attack; some signatures are associated with another child signature that is of a lower severity and specifies the pattern to match against. When a pattern matches against the signature or child signature, it triggers the default action for the signature.
To enforce protection:
- Attach the Vulnerability Protection profile to a Security policy rule. See Set Up Antivirus, Anti-Spyware, and Vulnerability Protection.
- Install content updates that include new signatures to protect against emerging threats. See Install Content and Software Updates.
Customize the Action and Trigger Conditions for a Brute Force Signature
The firewall includes two types of predefined brute force signatures: parent signatures and child signatures. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events that match the traffic pattern defined in the child signature occur within a specified time interval.
Typically, the default action for a child signature is allow because a single event is not indicative of an attack. This ensures that legitimate traffic is not blocked and avoids generating threat logs for non-noteworthy events. Palo Alto Networks recommends that you do not change the default action without careful consideration.
In most cases, the brute force signature is a noteworthy event due to its recurrent pattern. If needed, you can do one of the following to customize the action for a brute force signature:
- Create a rule to modify the default action for all signatures in the brute force category. You can choose to allow, alert, block, reset, or drop the traffic.
- Define an exception for a specific signature. For example, you can search for and define an exception for a CVE.
For a parent signature, you can modify both the trigger conditions and the action; for a child signature, you can modify only the action.
To effectively mitigate an attack, specify the block-ip address action instead of the drop or reset action for most brute force signatures.
Customize the Threshold and Action for a Signature
8. Click OK to save the rule and the profile.
3. Set the action: Allow, Alert, Block Ip, or Drop. If you select Block Ip, complete these additional tasks:
a. Specify the Time period (in seconds) after which to trigger the action.
b. Specify whether to Track By and block the IP address using the IP source or the IP source and destination.
4. Click OK.
5. For each modified signature, select the check box in the Enable column.
6. Click OK.
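To make the parent/child relationship and the threshold, time interval, action and Track By settings concrete, here is an added Python model of a brute force signature pair. It is example code for this guide, not the firewall's implementation: every observed event is one child-signature match (default action allow), and the parent fires when `threshold` matches from the same tracked key (source, or source and destination) arrive within `interval` seconds; with the block-ip action the key stays blocked for `block_time` seconds. The event tuples are constructed sample data.

```python
from collections import defaultdict, deque


class BruteForceSignature:
    """Toy model of a parent/child brute-force signature pair (added example)."""

    def __init__(self, threshold, interval, action="alert", block_time=0, track_by="source"):
        self.threshold = threshold    # number of child matches that trigger the parent
        self.interval = interval      # seconds in which those matches must occur
        self.action = action          # allow, alert, drop, reset, or block-ip
        self.block_time = block_time  # seconds an IP stays blocked after block-ip
        self.track_by = track_by      # "source" or "source-and-destination"
        self.events = defaultdict(deque)
        self.blocked_until = {}

    def _key(self, src, dst):
        return src if self.track_by == "source" else (src, dst)

    def observe(self, src, dst, ts):
        """Record a child-signature match at time ts; return the resulting action."""
        key = self._key(src, dst)
        if self.blocked_until.get(key, -1) > ts:
            return "block-ip"                      # still inside the block window
        window = self.events[key]
        window.append(ts)
        while window and ts - window[0] > self.interval:
            window.popleft()                       # discard matches older than interval
        if len(window) >= self.threshold:
            window.clear()                         # parent signature fires; start over
            if self.action == "block-ip":
                self.blocked_until[key] = ts + self.block_time
            return self.action
        return "allow"                             # single event: child default action


def replay(signature, events):
    """Feed (src, dst, timestamp) tuples through the signature; return the actions."""
    return [signature.observe(src, dst, ts) for src, dst, ts in events]


# Constructed login-failure events (src, dst, seconds): one fast source, one other client,
# then the fast source again after it has been blocked.
EVENTS = [("10.0.0.5", "10.1.0.9", t) for t in (0, 10, 20, 30, 40)] + \
         [("10.0.0.6", "10.1.0.9", 45), ("10.0.0.5", "10.1.0.9", 100)]

# Same number of failures, but spread out beyond the interval: never a parent match.
SLOW_EVENTS = [("10.0.0.7", "10.1.0.9", t) for t in (0, 100, 200, 300, 400)]

if __name__ == "__main__":
    sig = BruteForceSignature(threshold=5, interval=60, action="block-ip", block_time=300)
    print(replay(sig, EVENTS))
    print(replay(BruteForceSignature(5, 60), SLOW_EVENTS))
```

The fifth failure inside 60 seconds triggers block-ip, the unrelated client is untouched because tracking is by source, and the blocked source is still blocked at t=100 because the block window is 300 seconds; the slow source never accumulates five matches inside one interval and is only ever matched by the child signature.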
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
To monitor and protect your network from most Layer 4 and Layer 7 attacks, here are a few recommendations.
- Upgrade to the most current PAN-OS software version and content release version to ensure that you have the latest security updates. See Install Content and Software Updates.
- Set up the firewall to act as a DNS proxy and enable evasion signatures:
  - Configure a DNS Proxy Object. When acting as a DNS proxy, the firewall resolves DNS requests and caches hostname-to-IP-address mappings to quickly and efficiently resolve future DNS queries.
  - Enable Evasion Signatures. Evasion signatures that detect crafted HTTP or TLS requests can send alerts when clients connect to a domain other than the domain specified in the original DNS request. Make sure to configure DNS proxy before you enable evasion signatures. Without DNS proxy, evasion signatures can trigger alerts when a DNS server in the DNS load balancing configuration returns different IP addresses for servers hosting identical resources to the firewall and client in response to the same DNS request.
- For servers, create Security policy rules to allow only the application(s) that you sanction on each server. Verify that the standard port for the application matches the listening port on the server. For example, to ensure that only SMTP traffic is allowed to your email server, set the Application to smtp and set the Service to application-default. If your server uses only a subset of the standard ports (for example, if your SMTP server uses only port 587 while the SMTP application has standard ports defined as 25 and 587), create a new custom service that includes only port 587 and use that new service in your security policy rule instead of application-default. Additionally, make sure you restrict access to specific source and destination zones and sets of IP addresses.
- Attach the following security profiles to your Security policy rules to provide signature-based protection:
  - A Vulnerability Protection profile to block all vulnerabilities with low and higher severity.
  - An Anti-Spyware profile to block all spyware with severity low and higher.
  - An Antivirus profile to block all content that matches an antivirus signature.
- Block all unknown applications and traffic using the Security policy. Typically, the only applications classified as unknown traffic are internal or custom applications on your network and potential threats. Unknown traffic can be either non-compliant applications or protocols that are anomalous or abnormal, or it can be known applications that are using non-standard ports, both of which should be blocked. See Manage Custom or Unknown Applications.
- Set Up File Blocking to block Portable Executable (PE) file types for internet-based SMB (Server Message Block) traffic from traversing trust to untrust zones (ms-ds-smb applications).
- Create a Zone Protection profile that is configured to protect against packet-based attacks (Network > Network Profiles > Zone Protection):
  - Select the option to drop Malformed IP packets (Packet Based Attack Protection > IP Drop).
- If you configure IPv6 addresses on your network hosts, be sure to enable support for IPv6 if not already enabled (Network > Interfaces > Ethernet > IPv6). Enabling support for IPv6 allows access to IPv6 hosts and also filters IPv6 packets encapsulated in IPv4 packets, which prevents IPv6 over IPv4 multicast addresses from being leveraged for network reconnaissance.
- Enable support for multicast traffic so that the firewall can enforce policy on multicast traffic (Network > Virtual Router > Multicast).
Enable Evasion Signatures
Palo Alto Networks evasion signatures detect crafted HTTP or TLS requests, and can alert to instances where a client connects to a domain other than the domain specified in a DNS query. Evasion signatures are effective only when the firewall is also enabled to act as a DNS proxy and resolve domain name queries. As a best practice, take the following steps to enable evasion signatures.
Prevent Credential Phishing
Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click the link and enter credentials to set a breach into motion. You can detect and prevent in-progress phishing attacks by controlling sites to which users can submit corporate credentials based on the site's URL category. This allows you to block users from submitting credentials to untrusted sites while allowing users to continue to submit credentials to corporate and sanctioned sites.
Credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. You can choose what websites you want to either allow or block corporate credential submissions to based on the URL category of the website. When the firewall detects a user attempting to submit credentials to a site in a category you have restricted, it either displays a block response page that prevents the user from submitting credentials, or presents a continue page that warns users against submitting credentials to sites classified in certain URL categories, but still allows them to continue with the credential submission. You can customize these block pages to educate users against reusing corporate credentials, even on legitimate, non-phishing sites.
To enable credential phishing prevention you must configure both User-ID to detect when users submit valid corporate credentials to a site (as opposed to personal credentials) and URL Filtering to specify the URL categories in which you want to prevent users from entering their corporate credentials. The following topics describe the different methods you can use to detect credential submissions and provide instructions for configuring credential phishing protection.
- Methods to Check for Corporate Credential Submissions
- Configure Credential Detection with the Windows-based User-ID Agent
- Set Up Credential Phishing Prevention
Methods to Check for Corporate Credential Submissions
Before you Set Up Credential Phishing Prevention, decide which method you want the firewall to use to check if credentials submitted to a web page are valid, corporate credentials.
Configure Credential Detection with the Windows-based User-ID Agent
Domain Credential Filter detection enables the firewall to detect passwords submitted to web pages. This credential detection method requires the Windows-based User-ID agent and the User-ID credential service, an add-on to the User-ID agent, to be installed on a read-only domain controller (RODC).
An RODC is a Microsoft Windows server that maintains a read-only copy of an Active Directory database that a domain controller hosts. When the domain controller is located at a corporate headquarters, for example, RODCs can be deployed in remote network locations to provide local authentication services. Installing the User-ID agent on an RODC can be useful for a few reasons: access to the domain controller directory is not required to enable credential detection, and you can support credential detection for a limited or targeted set of users. Because the directory the RODC hosts is read-only, the directory contents remain secure on the domain controller.
After you install the User-ID agent on an RODC, the User-ID credential service runs in the background and scans the directory for the usernames and password hashes of group members that are listed in the RODC password replication policy (PRP); you can define who you want to be on this list. The User-ID credential service then takes the collected usernames and password hashes and deconstructs the data into a type of bitmask called a bloom filter. Bloom filters are compact data structures that provide a secure method to check if an element (a username or a password hash) is a member of a set of elements (the sets of credentials you have approved for replication to the RODC). The User-ID credential service forwards the bloom filter to the User-ID agent; the firewall retrieves the latest bloom filter from the User-ID agent at regular intervals and uses it to detect username and password hash submissions. Depending on your settings, the firewall then blocks, alerts, or allows on valid password submissions to web pages, or displays a response page to users warning them of the dangers of phishing, but allowing them to continue with the submission.
Throughout this process, the User-ID agent does not store or expose any password hashes, nor does it forward password hashes to the firewall. Once the password hashes are deconstructed into a bloom filter, there is no way to recover them.
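To show why a bloom filter lets the firewall test a submitted credential without ever holding the hashes themselves, here is an added Python example. It is my own illustration, not the User-ID credential service's format: usernames and password hashes are each inserted as elements, membership is tested by checking k bit positions, and the filter contains only those bits, so nothing in it can be reversed into a hash. SHA-256 stands in for whatever hash the directory stores (an assumption; Active Directory uses its own password hash format) and the directory entries are constructed sample data.

```python
import hashlib
from typing import Iterable


class BloomFilter:
    """Bloom filter over byte strings (added example; not the credential service's format)."""

    def __init__(self, size_bits: int = 8192, hashes: int = 4):
        self.size = size_bits
        self.k = hashes
        self.bits = bytearray(size_bits // 8)   # this bitmask is all the firewall ever sees

    def _positions(self, item: bytes):
        # k positions derived from SHA-256 with a one-byte salt per hash function.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: bytes) -> bool:
        # All k bits set means "probably a member"; any clear bit means "definitely not".
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


def password_hash(password: str) -> bytes:
    """Stand-in for the stored directory hash (assumption: SHA-256 of the UTF-8 password)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_credential_filter(credentials: Iterable[tuple]) -> BloomFilter:
    """Build the filter from (username, stored_hash) pairs the PRP allows to replicate."""
    bf = BloomFilter()
    for username, stored_hash in credentials:
        bf.add(b"u:" + username.lower().encode("utf-8"))
        bf.add(b"h:" + stored_hash)
    return bf


def submission_matches(bf: BloomFilter, username: str, password: str) -> bool:
    """What the firewall checks on a web form: is this a corporate username and password?"""
    return (b"u:" + username.lower().encode("utf-8")) in bf and (b"h:" + password_hash(password)) in bf


# Constructed directory contents (sample accounts, not real ones).
DIRECTORY = [
    ("alice", password_hash("Winter2017!")),
    ("bob", password_hash("correct horse battery staple")),
]
CORPORATE = build_credential_filter(DIRECTORY)

if __name__ == "__main__":
    print(submission_matches(CORPORATE, "alice", "Winter2017!"))   # corporate credential
    print(submission_matches(CORPORATE, "alice", "hunter2"))       # personal password: no match
    print(sum(bin(b).count("1") for b in CORPORATE.bits), "bits set of", CORPORATE.size)
```

A true result is a probabilistic match (a bloom filter can report false positives but never false negatives), which is why the firewall acts on it with block, alert or a continue page rather than treating it as proof; a false result is definitive, so a user's personal password never triggers the policy.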
Set Up Credential Detection with a User-ID Agent on an RODC
Step 2 Enable the User-ID agent and the User Agent Credential service (which runs in the background to scan permitted credentials) to share information.
1. On the RODC server, launch the User-ID Agent.
2. Select Setup and edit the Setup section.
3. Select the Credentials tab. This tab only displays if you have already installed the User-ID Agent Credential Service.
Step 4 Continue to Set Up Credential Phishing Prevention on the firewall.
Set Up Credential Phishing Prevention
After you have decided which of the Methods to Check for Corporate Credential Submissions you want to use, take the following steps to enable the firewall to detect when users submit corporate credentials to web pages and either alert on this action, block the credential submission, or require users to acknowledge the dangers of phishing before continuing with credential submission.
Enable Credential Phishing Prevention
Step 6 Commit the configuration.
(To display this column, hover over any column header and click the arrow to select the columns you'd like to display.)
Log entry details also indicate credential submissions:
Share Threat Intelligence with Palo Alto Networks
Telemetry is the process of collecting and transmitting data for analysis. When you enable telemetry on the firewall, the firewall periodically collects and sends information that includes applications, threats, and device health to Palo Alto Networks. Sharing threat intelligence provides the following benefits:
- Enhanced vulnerability and spyware signatures delivered to you and other customers worldwide. For example, when a threat event triggers vulnerability or spyware signatures, the firewall shares the URLs associated with the threat with the Palo Alto Networks threat research team, so they can properly classify the URLs as malicious.
- Rapid testing and evaluation of experimental threat signatures with no impact to your network, so that critical threat prevention signatures can be released to all Palo Alto Networks customers faster.
- Improved accuracy and malware detection abilities within PAN-DB URL filtering, DNS-based command-and-control (C2) signatures, and WildFire.
Palo Alto Networks uses the threat intelligence extracted from telemetry to deliver these benefits to you and other Palo Alto Networks users. All Palo Alto Networks users benefit from the telemetry data shared by each user, making telemetry a community-driven approach to threat prevention. Palo Alto Networks does not share your telemetry data with other customers or third-party organizations.
- What Telemetry Data Does the Firewall Collect?
- Passive DNS Monitoring
- Enable Telemetry
What Telemetry Data Does the Firewall Collect?
The firewall collects and forwards different sets of telemetry data to Palo Alto Networks based on the Telemetry settings you enable. The firewall collects the data from fields in your log entries (see Log Types and Severity Levels); the log type and combination of fields vary based on the setting. Review the following table before you Enable Telemetry.
Setting: Application Reports
Description: The number and size of known applications by destination port, unknown applications by destination port, and unknown applications by destination IP address. The firewall generates these reports from Traffic logs and forwards them every 4 hours.
Setting: Threat Prevention Reports
Description: Attacker information, the number of threats for each source country and destination port, and the correlation objects that threat events triggered. The firewall generates these reports from Threat logs and forwards them every 4 hours.
Setting: URL Reports
Description: URLs with the following PAN-DB URL categories: malware, phishing, dynamic DNS, proxy avoidance, questionable, parked, and unknown (URLs that PAN-DB has not yet categorized). The firewall generates these reports from URL Filtering logs. URL Reports also include PAN-DB statistics such as the version of the URL filtering database on the firewall and on the PAN-DB cloud, the number of URLs in those databases, and the number of URLs that the firewall categorized. These statistics are based on the time that the firewall forwarded the URL Reports. The firewall forwards URL Reports every 4 hours.
Setting: File Type Identification Reports
Description: Information about files that the firewall has blocked or allowed based on data filtering and file blocking settings. The firewall generates these reports from Data Filtering logs and forwards them every 4 hours.
Setting: Threat Prevention Data
Description: Log data from threat events that triggered signatures that Palo Alto Networks is evaluating for efficacy. Threat Prevention Data provides Palo Alto Networks more visibility into your network traffic than other telemetry settings. When enabled, the firewall may collect information such as source or victim IP addresses. Enabling Threat Prevention Data also allows unreleased signatures that Palo Alto Networks is currently testing to run in the background. These signatures do not affect your security policy rules and firewall logs, and have no impact to your firewall performance. The firewall forwards Threat Prevention Data every 5 minutes.
Setting: Threat Prevention Packet Captures
Description: Packet captures (if you have enabled your firewall to Take a Threat Packet Capture) of threat events that triggered signatures that Palo Alto Networks is evaluating for efficacy. Threat Prevention Packet Captures provide Palo Alto Networks more visibility into your network traffic than other telemetry settings. When enabled, the firewall may collect information such as source or victim IP addresses. The firewall forwards Threat Prevention Packet Captures every 5 minutes.
Setting: Product Usage Statistics
Description: Backtraces of firewall processes that have failed, as well as information about the firewall status. Backtraces outline the execution history of the failed processes. These reports include details about the firewall model and the PAN-OS and content release versions installed on your firewall. The firewall forwards Product Usage Statistics every 5 minutes.
Setting: Passive DNS Monitoring
Description: Domain-to-IP address mappings based on firewall traffic. When you enable Passive DNS Monitoring, the firewall acts as a passive DNS sensor and sends DNS information to Palo Alto Networks for analysis. The firewall forwards data from Passive DNS Monitoring in 1 MB batches.
Passive DNS Monitoring
Passive DNS monitoring enables the firewall to act as a passive DNS sensor and send DNS information to Palo Alto Networks for analysis to improve threat intelligence and threat prevention capabilities. The data collected includes non-recursive DNS query (that is, the web browser sends a query to a DNS server to translate a domain to an IP address, and the server returns a response without querying other DNS servers) and response packet payloads. See DNS Overview for more background information about DNS.
The threat intelligence that the firewall collects from passive DNS monitoring consists solely of domain-to-IP address mappings. Palo Alto Networks retains no record of the source of this data and does not have the ability to associate it with the submitter at a future date. The Palo Alto Networks threat research team uses passive DNS information to gain insight into malware propagation and evasion techniques that abuse the DNS system. Information gathered through this data collection is used to improve PAN-DB URL category and DNS-based C2 signature accuracy and WildFire malware detection.
The firewall forwards DNS responses only when the following requirements are met:
- DNS response bit is set
- DNS truncated bit is not set
- DNS recursive bit is not set
- DNS response code is 0 or 3 (NX)
- DNS question count is bigger than 0
- DNS Answer RR count is bigger than 0, or if it is 0, the response code needs to be 3 (NX)
- DNS query record type is A, NS, CNAME, AAAA, or MX
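The requirements above map directly onto header fields of a DNS message (RFC 1035 section 4.1.1). The following Python is an added example, not Palo Alto Networks code: it decodes the header and first question of a DNS packet and applies each forwarding requirement in turn, returning the decision and the reason. It reads the "recursive bit" as the RD (recursion desired) flag, which is my interpretation of the list; the sample packets are constructed with the `build_response` helper, not captured traffic.

```python
import struct

# Record types the list above says may be forwarded.
FORWARDED_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(pkt) < 12:
        raise ValueError("packet too short for a DNS header")
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    return {
        "qr": bool(flags & 0x8000),   # response bit
        "tc": bool(flags & 0x0200),   # truncated bit
        "rd": bool(flags & 0x0100),   # recursion desired (assumed to be the "recursive bit")
        "rcode": flags & 0x000F,      # 0 = NOERROR, 3 = NXDOMAIN
        "qdcount": qd,
        "ancount": an,
    }


def parse_question(pkt: bytes):
    """Return (qname, qtype) of the first question; question names are never compressed."""
    off, labels = 12, []
    while True:
        length = pkt[off]
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return ".".join(labels), qtype


def should_forward(pkt: bytes):
    """Apply the passive DNS forwarding requirements; return (decision, reason)."""
    h = parse_header(pkt)
    if not h["qr"]:
        return False, "not a response"
    if h["tc"]:
        return False, "truncated"
    if h["rd"]:
        return False, "recursive"
    if h["rcode"] not in (0, 3):
        return False, "rcode %d" % h["rcode"]
    if h["qdcount"] == 0:
        return False, "no question"
    if h["ancount"] == 0 and h["rcode"] != 3:
        return False, "no answers"
    name, qtype = parse_question(pkt)
    if qtype not in FORWARDED_QTYPES:
        return False, "qtype %d" % qtype
    return True, "%s %s" % (FORWARDED_QTYPES[qtype], name)


def build_response(flags: int, qname: str, qtype: int, answers: int) -> bytes:
    """Construct a minimal DNS response for testing (sample data, not a capture)."""
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", qtype, 1)
    # One A record pointing back at the question name (0xc00c) with a documentation address.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    header = struct.pack("!6H", 0x1234, flags, 1, answers, 0, 0)
    return header + question + rr * answers


if __name__ == "__main__":
    for flags, qtype, answers in ((0x8000, 1, 1), (0x8200, 1, 1), (0x8100, 1, 1),
                                  (0x8003, 1, 0), (0x8000, 1, 0), (0x8000, 16, 1)):
        print(hex(flags), qtype, answers, should_forward(build_response(flags, "example.com", qtype, answers)))
```

Of the sample packets only the clean A response and the NXDOMAIN response with no answers pass; the truncated, recursive, empty-answer and TXT responses are each rejected with the requirement they fail.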
Enable Telemetry
When you enable telemetry, you define what data the firewall collects and shares with Palo Alto Networks. For some telemetry settings, you can preview what the data that your firewall sends will look like before committing. The firewall uses the Palo Alto Networks Services service route to send the data you share from telemetry to Palo Alto Networks.
Enable Telemetry
Step 2 Select the telemetry data you want to share with Palo Alto Networks. For more specific descriptions of this data, see What Telemetry Data Does the Firewall Collect? By default, all telemetry settings are disabled. To enable Threat Prevention Packet Captures, you must also enable Threat Prevention Data.
Application Reports, Threat Prevention Reports, URL Reports, and File Type Identification Reports each consist of multiple reports. In the report sample, Type describes the name of a report. Aggregate lists the log fields that the firewall collects for the report (refer to Syslog Field Descriptions to determine the name of the fields as they appear in the firewall logs). Values indicates the units of measure used in the report (for example, the value count for the Attackers (threat) report refers to the number of times the firewall detected a threat associated with a particular threat ID).
Step 4 View the type of data that the firewall collects for Product Usage Statistics. Enter the following operational CLI command: show system info
Step 5 Click OK and Commit your changes.
Step 6 If you enabled Threat Prevention Data and Threat Prevention Packet Captures, view the data that the firewall collected.
1. Edit the Telemetry settings.
2. Click Download Threat Prevention Data to download a tarball file (.tar.gz) with the most recent 100 folders of data that the firewall collected for Threat Prevention Data and Threat Prevention Packet Captures. If you never enabled these settings or if you enabled them but no threat events have matched the conditions for these settings, the firewall does not generate a file and instead returns an error message.
There is currently no way to view the DNS information that the firewall collects through passive DNS monitoring.
Use DNS Queries to Identify Infected Hosts on the Network
The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to a DNS query for a known malicious domain or to a custom domain so that you can identify hosts on your network that have been infected with malware. By default, DNS queries to any domain included in the Palo Alto Networks DNS signatures list are sinkholed to a Palo Alto Networks server IP address. The following topics provide details on how to enable DNS sinkholing for custom domains and how to identify infected hosts.
- DNS Sinkholing
- Configure DNS Sinkholing for a List of Custom Domains
- Configure the Sinkhole IP Address to a Local Server on Your Network
- Identify Infected Hosts
DNS Sinkholing
DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command and control, for example) will instead attempt to connect to a default Palo Alto Networks sinkhole IP address, or to a user-defined IP address as illustrated in Configure DNS Sinkholing for a List of Custom Domains. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
If you want to enable DNS sinkholing for Palo Alto Networks DNS signatures, attach the default Anti-Spyware profile to a security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signatures will be resolved to the default Palo Alto Networks sinkhole IP address. The IP addresses currently are IPv4 71.19.152.112 and the IPv6 loopback address ::1. These addresses are subject to change and can be updated with content updates.
Figure: DNS Sinkholing Example
Configure DNS Sinkholing for a List of Custom Domains
To enable DNS sinkholing for a custom list of domains, you must create an External Dynamic List that includes the domains, enable the sinkhole action in an Anti-Spyware profile and attach the profile to a security policy rule. When a client attempts to access a malicious domain in the list, the firewall forges the destination IP address in the packet to the default Palo Alto Networks server or to a user-defined IP address for sinkholing.
For each custom domain included in the external dynamic list, the firewall generates DNS-based spyware signatures. The signature is named Custom Malicious DNS Query <domain name>, and is of type spyware with medium severity; each signature is a 24-byte hash of the domain name.
Each firewall model supports a maximum of 50,000 domain names total in one or more external dynamic lists, but no maximum limit is enforced for any one list.
Configure DNS Sinkholing for a Custom List of Domains
3. Click OK to save the Anti-Spyware profile.
Configure the Sinkhole IP Address to a Local Server on Your Network
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and the sinkhole IP address is set to access a Palo Alto Networks server. Use the instructions in this section if you want to set the sinkhole IP address to a local server on your network.
You must obtain both an IPv4 and IPv6 address to use as the sinkhole IP addresses because malicious software may perform DNS queries using one or both of these protocols. The DNS sinkhole address must be in a different zone than the client hosts to ensure that when an infected host attempts to start a session with the sinkhole IP address, it will be routed through the firewall.
The sinkhole addresses must be reserved for this purpose and do not need to be assigned to a physical host. You can optionally use a honeypot server as a physical host to further analyze the malicious traffic.
The configuration steps that follow use the following example DNS sinkhole addresses:
- IPv4 DNS sinkhole address: 10.15.0.20
- IPv6 DNS sinkhole address: fd97:3dec:4d27:e37c:5:5:5:5
Configure Sinkholing to a Local Server on Your Network
Identify Infected Hosts
After you have configured DNS sinkholing and verified that traffic to a malicious domain goes to the sinkhole address, you should regularly monitor traffic to the sinkhole address, so that you can track down the infected hosts and eliminate the threat.
DNS Sinkhole Verification and Reporting
5. To view scheduled reports that have run, select Monitor > Reports.
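The monitoring described in Identify Infected Hosts amounts to one question against the traffic log: which internal sources opened sessions to the sinkhole address? The following Python is an added example, not Palo Alto Networks code, that answers it over a constructed CSV export (the column names time,src,dst,dport,app are my own, not the firewall's export format) using the two example sinkhole addresses from this section. Because the infected host, not the local resolver, is the one that connects to the sinkhole, the sources it reports are the hosts to investigate.

```python
import csv
import ipaddress
from collections import Counter
from io import StringIO

# The example sinkhole addresses used in this section.
SINKHOLE_IPS = {ipaddress.ip_address("10.15.0.20"),
                ipaddress.ip_address("fd97:3dec:4d27:e37c:5:5:5:5")}


def find_sinkhole_clients(log_text: str, sinkholes=SINKHOLE_IPS) -> dict:
    """Count sessions per source host whose destination is a sinkhole address.

    Input is a constructed CSV export with the columns time,src,dst,dport,app.
    """
    hits = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        try:
            dst = ipaddress.ip_address(row["dst"].strip())   # normalises IPv6 case too
        except ValueError:
            continue                                          # skip malformed dst fields
        if dst in sinkholes:
            hits[row["src"].strip()] += 1
    return dict(hits)


def rank_infected_hosts(log_text: str) -> list:
    """Sources ordered by number of sinkhole sessions, most active first."""
    counts = find_sinkhole_clients(log_text)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed traffic-log export (sample data, not a real capture). 192.168.1.10 is the
# local resolver talking to its upstream on port 53 and must not be reported.
SAMPLE_LOG = """time,src,dst,dport,app
2017/03/30 10:01:02,192.168.1.50,10.15.0.20,443,ssl
2017/03/30 10:01:05,192.168.1.50,93.184.216.34,80,web-browsing
2017/03/30 10:02:10,192.168.1.77,FD97:3DEC:4D27:E37C:5:5:5:5,80,web-browsing
2017/03/30 10:03:00,192.168.1.50,10.15.0.20,80,web-browsing
2017/03/30 10:04:00,192.168.1.10,10.15.0.53,53,dns
2017/03/30 10:05:00,192.168.1.12,not-an-ip,80,unknown-tcp
"""

if __name__ == "__main__":
    for src, count in rank_infected_hosts(SAMPLE_LOG):
        print("%s: %d sinkhole session(s)" % (src, count))
```

Comparing addresses as `ipaddress` objects rather than strings is what makes the upper-case IPv6 destination match; a plain string comparison would miss it.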
Monitor Blocked IP Addresses
The firewall maintains a block list of source IP addresses that it's blocking. When the firewall blocks a source IP address, such as when you configure either of the following policy rules, the firewall blocks that traffic in hardware before those packets use CPU or packet buffer resources:
- A classified DoS Protection policy rule with the action to Protect (a classified DoS Protection policy specifies that incoming connections match a source IP address, destination IP address, or source and destination IP address pair, and is associated with a Classified DoS Protection profile, as described in DoS Protection Against Flooding of New Sessions)
- A Security policy rule that uses a Vulnerability Protection profile
Hardware IP address blocking is supported on PA-3060 firewalls, PA-3050 firewalls, and PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.
You can view the block list, get detailed information about an IP address on the block list, or view counts of addresses that hardware and software are blocking. You can delete an IP address from the list if you think it shouldn't be blocked. You can change the source of detailed information about addresses on the list. You can also change how long hardware blocks IP addresses.
Monitor IP Address Blocking
View block list entries.
1. Select Monitor > Block IP List. Entries on the block list indicate in the Type column whether they were blocked by hardware (hw) or software (sw).
2. View at the bottom of the screen:
- Count of Total Blocked IPs out of the number of blocked IP addresses the firewall supports.
- Percentage of the block list the firewall has used.
3. To filter the entries displayed, select a value in a column (which creates a filter in the Filters field) and Apply Filter. Otherwise, the firewall displays the first 1,000 entries.
4. Enter a Page number or click the arrows at the bottom of the screen to advance through pages of entries.
5. To view details about an address on the block list, hover over a Source IP address and click the down arrow link. Click the Who Is link, which displays Network Solutions WhoIs information about the address.
View counts of source IP addresses blocked by hardware and software, for example to see the rate of an attack.
- View the total sum of IP address entries on the hardware block table and block list (blocked by hardware and software):
  > show counter global name flow_dos_blk_num_entries
- View the count of IP address entries on the hardware block table that were blocked by hardware:
  > show counter global name flow_dos_blk_hw_entries
- View the count of IP address entries on the block list that were blocked by software:
  > show counter global name flow_dos_blk_sw_entries
Learn More About and Assess Threats
Features of Threat Vault and AutoFocus are integrated into the firewall to provide visibility into the nature of the threats the firewall detects and to give a more complete picture of how an artifact fits into your organization's network traffic (an artifact is a property, activity, or behavior associated with a file, email link, or session). These features dually allow you to get immediate, contextual information about a threat or to seamlessly shift your threat investigation from the firewall to the Threat Vault and AutoFocus. Additionally, you can use threat categories, which classify types of threat events, to narrow your view into a certain type of threat activity or to build custom reports.
- Assess Firewall Artifacts with AutoFocus
- Learn More About Threat Signatures
- Monitor Activity and Create Custom Reports Based on Threat Categories
Assess Firewall Artifacts with AutoFocus
Use the AutoFocus Intelligence Summary for an artifact to assess its pervasiveness in your network and the threats associated with it.
- AutoFocus Intelligence Summary
- View and Act on AutoFocus Intelligence Summary Data
AutoFocus Intelligence Summary
The AutoFocus Intelligence Summary offers a centralized view of information about an artifact that AutoFocus has extracted from threat intelligence gathered from other AutoFocus users, WildFire, the PAN-DB URL filtering database, Unit 42, and open-source intelligence.
Analysis Information: The Analysis Information tab displays the following information:
- Sessions: The number of sessions logged in your firewall(s) in which the firewall detected samples associated with the artifact.
- Samples: A comparison of organization and global samples associated with the artifact and grouped by WildFire verdict (benign, malware, or grayware). Global refers to samples from all WildFire submissions, while organization refers only to samples submitted to WildFire by your organization.
- Matching Tags: The AutoFocus tags matched to the artifact. AutoFocus tags indicate whether an artifact is linked to malware or targeted attacks.
Passive DNS: The Passive DNS tab displays passive DNS history that includes the artifact. This passive DNS history is based on global DNS intelligence in AutoFocus; it is not limited to the DNS activity in your network. Passive DNS history consists of:
- The domain request
- The DNS request type
- The IP address or domain to which the DNS request resolved (private IP addresses are not displayed)
- The number of times the request was made
- The date and time the request was first seen and last seen
Matching Hashes: The Matching Hashes tab displays the 5 most recently detected matching samples. Sample information includes:
- The SHA256 hash of the sample
- The sample file type
- The date and time that WildFire analyzed a sample and assigned a WildFire verdict to it
- The WildFire verdict for the sample
- The date and time that WildFire updated the WildFire verdict for the sample (if applicable)
View and Act on AutoFocus Intelligence Summary Data
Interact with the AutoFocus Intelligence Summary to display more information about an artifact or extend your artifact research to AutoFocus. AutoFocus tags reveal if the artifact is associated with certain types of malware or malicious behavior.
Step 3 Hover over an artifact to open the drop-down, and click AutoFocus. The AutoFocus Intelligence Summary is only available for the following types of artifacts:
- IP address
- URL
- Domain
- User agent
- Threat name (only for threats of the subtypes virus and wildfire-virus)
- Filename
- SHA256 hash
Learn More About Threat Signatures
Firewall Threat logs record all threats the firewall detects based on threat signatures (Set Up Antivirus, Anti-Spyware, and Vulnerability Protection) and the ACC displays an overview of the top threats on your network. Each event the firewall records includes an ID that identifies the associated threat signature.
You can use the threat ID found with a Threat log or ACC entry to:
- Easily check if a threat signature is configured as an exception to your security policy (Create Threat Exceptions).
- Find the latest Threat Vault information about a specific threat. Because the Threat Vault is integrated with the firewall, you can view threat details directly in the firewall context or launch a Threat Vault search in a new browser window for a threat the firewall logged.
Find Details for Detected Threats
Step 2: Find the threat ID for threats the firewall detects.
- To see each threat event the firewall detects based on threat signatures, select Monitor > Logs > Threat. You can find the ID for a threat entry listed in the ID column, or select the log entry to view log details, including the Threat ID.
- To see an overview of top threats on the network, select ACC > Threat Activity and take a look at the Threat Activity widget. The ID column displays the threat ID for each threat displayed.
- To see details for threats that you can configure as threat exceptions (meaning, the firewall enforces the threat differently than the default action defined for the threat signature), select Objects > Security Profiles > Anti-Spyware/Vulnerability Protection. Add or modify a profile and click the Exceptions tab to view configured exceptions. If no exceptions are configured, you can filter for threat signatures or select Show all signatures.
Monitor Activity and Create Custom Reports Based on Threat Categories
Threat categories classify different types of threat signatures to help you understand and draw connections between events threat signatures detect. Threat categories are subsets of the broader threat signature types: spyware, vulnerability, antivirus, and DNS signatures. Threat log entries display the Threat Category for each recorded event.
3. To filter based on Threat Category:
- Use the log query builder to add a filter with the Attribute Threat Category and, in the Value field, enter a Threat Category.
- Select the Threat Category of any log entry to add that category to the filter.
2. Select the Threat Category to filter all ACC tabs.
Content Delivery Network Infrastructure for Dynamic Updates
Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. For enabling and scheduling the content updates, see Install Content and Software Updates.
The following table lists the web resources that the firewall accesses for a feature or application:
The regional URL/IP addresses for WildFire submission queues are as follows:
- cas1.wildfire.paloaltonetworks.com:44 or 54.241.34.71
- vas1.wildfire.paloaltonetworks.com:443 or 174.129.24.252
- eus1.wildfire.paloaltonetworks.com:443 or 54.246.95.247
- sgs1.wildfire.paloaltonetworks.com:443 or 54.251.33.241
- jps1.wildfire.paloaltonetworks.com:443 or 54.238.53.161
- portal3.wildfire.paloaltonetworks.com:443/80 or 54.241.8.199
- cas3.wildfire.paloaltonetworks.com:443 or 54.241.34.71
- vas3.wildfire.paloaltonetworks.com:443 or 23.21.208.35
- eus3.wildfire.paloaltonetworks.com:443 or 54.246.95.247
- sgs3.wildfire.paloaltonetworks.com:443 or 54.251.33.241
- jps3.wildfire.paloaltonetworks.com:443 or 54.238.53.161
- wildfire.paloaltonetworks.com.jp:443/80 or 180.37.183.53
- wf1.wildfire.paloaltonetworks.jp:443 or 180.37.180.37
- wf2.wildfire.paloaltonetworks.jp:443 or 180.37.181.18
- portal3.wildfire.paloaltonetworks.jp:443/80 or 180.37.183.53
Threat Prevention Resources
For more information on Threat Prevention, refer to the following sources:
- Creating Custom Threat Signatures
- Threat Prevention Deployment
- Understanding DoS Protection
To view a list of threats and applications that Palo Alto Networks products can identify, use the following links:
- Applipedia: Provides details on the applications that Palo Alto Networks can identify.
- Threat Vault: Lists threats that Palo Alto Networks products can identify. You can search by Vulnerability, Spyware, or Virus. Click the Details icon next to the ID number for more information about a threat.
Decryption Overview
Secure Sockets Layer (SSL) and Secure Shell (SSH) are encryption protocols used to secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to entities other than the client and server with the keys to decode the data and the certificates to affirm trust between the devices. Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these protocols are being used for the intended purposes only, and not to conceal unwanted activity or malicious content.
Palo Alto Networks firewalls decrypt encrypted traffic by using keys to transform strings (passwords and shared secrets) from ciphertext to plaintext (decryption) and from plaintext back to ciphertext (re-encrypting traffic as it exits the firewall). Certificates are used to establish the firewall as a trusted third party and to create a secure connection. SSL decryption (both forward proxy and inbound inspection) requires certificates to establish trust between two entities in order to secure an SSL/TLS connection. Certificates can also be used when excluding servers from SSL decryption. You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for the private keys used in SSL forward proxy and SSL inbound inspection decryption. To learn more about storing and generating keys using an HSM and integrating an HSM with your firewall, see Secure Keys with a Hardware Security Module. SSH decryption does not require certificates.
Palo Alto Networks firewall decryption is policy-based, and can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Decryption policies allow you to specify traffic for decryption according to destination, source, or URL category and in order to block or restrict the specified traffic according to your security settings. The firewall uses certificates and keys to decrypt the traffic specified by the policy to plaintext, and then enforces App-ID and security settings on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire Submissions, and File Blocking profiles. After traffic is decrypted and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the firewall to ensure privacy and security. Use policy-based decryption on the firewall to:
- Prevent malware concealed as encrypted traffic from being introduced into a corporate network.
- Prevent sensitive corporate information from moving outside the corporate network.
- Ensure the appropriate applications are running on a secure network.
- Selectively decrypt traffic; for example, exclude traffic for financial or health care sites from decryption by configuring a decryption exception.
The three decryption policies offered on the firewall, SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy, all provide methods to specifically target and inspect SSL outbound traffic, SSL inbound traffic, and SSH traffic, respectively. The decryption policies provide the settings for you to specify what traffic to decrypt, and you can attach a decryption profile to a policy rule to apply more granular security settings to decrypted traffic, such as checks for server certificates, unsupported modes, and failures. This policy-based decryption on the firewall gives you visibility into and control of SSL and SSH encrypted traffic according to configurable parameters.
You can also choose to extend a decryption configuration on the firewall to include Decryption Mirroring, which allows for decrypted traffic to be forwarded as plaintext to a third-party solution for additional analysis and archiving.
Decryption Concepts
To learn about keys and certificates for decryption, decryption policies, and decryption port mirroring, see the following topics:
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Inbound Inspection
- SSH Proxy
- Decryption Mirroring
- SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
- Perfect Forward Secrecy (PFS) Support for SSL Decryption
Keys and Certificates for Decryption Policies
Keys are strings of numbers that are typically generated using a mathematical operation involving random numbers and large primes. Keys are used to transform other strings such as passwords and shared secrets from plaintext to ciphertext (called encryption) and from ciphertext to plaintext (called decryption). Keys can be symmetric (the same key is used to encrypt and decrypt) or asymmetric (one key is used for encryption and a mathematically related key is used for decryption). Any system can generate a key.
X.509 certificates are used to establish trust between a client and a server in order to establish an SSL connection. A client attempting to authenticate a server (or a server authenticating a client) knows the structure of the X.509 certificate and therefore knows how to extract identifying information about the server from fields within the certificate, such as its FQDN or IP address (called a common name or CN within the certificate) or the name of the organization, department, or user to which the certificate was issued. All certificates must be issued by a certificate authority (CA). After the CA verifies a client or server, the CA issues the certificate and signs it with a private key.
With a decryption policy configured, a session between the client and the server is established only if the firewall trusts the CA that signed the server certificate. In order to establish trust, the firewall must have the server root CA certificate in its certificate trust list (CTL) and use the public key contained in that root CA certificate to verify the signature. The firewall then presents a copy of the server certificate signed by the Forward Trust certificate for the client to authenticate. You can also configure the firewall to use an enterprise CA as a forward trust certificate for SSL Forward Proxy. If the firewall does not have the server root CA certificate in its CTL, the firewall will present a copy of the server certificate signed by the Forward Untrust certificate to the client. The Forward Untrust certificate ensures that clients are prompted with a certificate warning when attempting to access sites hosted by a server with untrusted certificates.
For detailed information on certificates, see Certificate Management.
Table: Palo Alto Networks Firewall Keys and Certificates describes the different keys and certificates used by Palo Alto Networks firewalls for decryption. As a best practice, use different keys and certificates for each usage.
Table: Palo Alto Networks Firewall Keys and Certificates
Key/Certificate Usage and Description:
- Forward Trust: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall trusts. To configure a Forward Trust certificate on the firewall, see Step 2 in the Configure SSL Forward Proxy task. By default, the firewall determines the key size to use for the client certificate based on the key size of the destination server. However, you can also set a specific key size for the firewall to use. See Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the private key associated with the forward trust certificate on a hardware security module (see Store Private Keys on an HSM).
- Forward Untrust: The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall does not trust. To configure a Forward Untrust certificate on the firewall, see Step 4 in the Configure SSL Forward Proxy task.
- SSL Exclude Certificate: Certificates for servers that you want to exclude from SSL decryption. For example, if you have SSL decryption enabled, but have certain servers that you do not want included in SSL decryption, such as the web services for your HR systems, you would import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Exclude a Server from Decryption.
- SSL Inbound Inspection: The certificate used to decrypt inbound SSL traffic for inspection and policy enforcement. For this application, you would import the server certificates and private keys for the servers for which you are performing SSL inbound inspection. For added security, store the private keys on an HSM (see Store Private Keys on an HSM).
SSL Forward Proxy
Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy decryption prevents malware concealed as SSL-encrypted traffic from being introduced to your corporate network.
With SSL Forward Proxy decryption, the firewall resides between the internal client and outside server. The firewall uses certificates to establish itself as a trusted third party to the session between the client and the server (for details on certificates, see Keys and Certificates for Decryption Policies). When the client initiates an SSL session with the server, the firewall intercepts the client SSL request and forwards the SSL request to the server. The server returns a certificate intended for the client that is intercepted by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate, signs it with the firewall Forward Trust certificate, and sends the certificate to the client. If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate, signs it with the Forward Untrust certificate, and sends it to the client. In this case, the client sees a block page warning that the site they're attempting to connect to is not trusted and the client can choose to proceed or terminate the session. When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing.
As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the SSL traffic into clear text traffic and applies decryption and security profiles to the traffic. The traffic is then re-encrypted on the firewall and the firewall forwards the encrypted traffic to the client.
Figure: SSL Forward Proxy shows this process in detail.
Figure: SSL Forward Proxy
See Configure SSL Forward Proxy for details on configuring SSL Forward Proxy.
SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server (any server you have the certificate for and can import it onto the firewall). For example, if an employee is remotely connected to a web server hosted on the company network and is attempting to add restricted internal documents to his Dropbox folder (which uses SSL for data transmission), SSL Inbound Inspection can be used to ensure that the sensitive data does not move outside the secure company network by blocking or restricting the session.
Configuring SSL Inbound Inspection includes importing the targeted server certificate and private key onto the firewall. Because the targeted server certificate and key are imported on the firewall, in most cases the firewall is able to access the SSL session between the server and the client and decrypt and inspect traffic transparently, rather than functioning as a proxy (in the case where the negotiated cipher includes a Perfect Forward Secrecy (PFS) key exchange algorithm, the firewall will function as a transparent proxy). The firewall is able to apply security policies to the decrypted traffic, detecting malicious content and controlling applications running over this secure channel.
See Configure SSL Inbound Inspection for details on configuring SSL Inbound Inspection.
SSH Proxy
SSH Proxy provides the capability for the firewall to decrypt inbound and outbound SSH connections passing through the firewall, in order to ensure that SSH is not being used to tunnel unwanted applications and content. SSH decryption does not require any certificates and the key used for SSH decryption is automatically generated when the firewall boots up. During the boot-up process, the firewall checks to see if there is an existing key. If not, a key is generated. This key is used for decrypting SSH sessions for all virtual systems configured on the firewall. The same key is also used for decrypting all SSHv2 sessions.
In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards the SSH request to the server. The firewall then intercepts the server response and forwards the response to the client, establishing an SSH tunnel between the firewall and the client and an SSH tunnel between the firewall and the server, with the firewall functioning as a proxy. As traffic flows between the client and the server, the firewall is able to distinguish whether the SSH traffic is being routed normally or if it is using SSH tunneling (port forwarding). Content and threat inspections are not performed on SSH tunnels; however, if SSH tunnels are identified by the firewall, the SSH tunneled traffic is blocked and restricted according to configured security policies.
Figure: SSH Proxy Decryption shows this process in detail.
Figure: SSH Proxy Decryption
See Configure SSH Proxy for details on configuring an SSH Proxy policy.
Decryption Mirroring
The decryption mirroring feature provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality. Decryption mirroring is available on PA-7000 Series, PA-5200 Series, PA-5000 Series and PA-3000 Series platforms only and requires that a free license be installed to enable this feature.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries and user consent might be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
Figure: Decryption Port Mirroring shows the process for mirroring decrypted traffic and the section Configure Decryption Port Mirroring describes how to license and enable this feature.
Figure: Decryption Port Mirroring
SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
The firewall automatically decrypts SSL traffic from websites and applications using ECC certificates, including Elliptical Curve Digital Signature Algorithm (ECDSA) certificates. As organizations transition to using ECC certificates to benefit from the strong keys and small certificate size, you can continue to maintain visibility into and safely enable ECC-secured application and website traffic.
Decryption for websites and applications using ECC certificates is not supported for traffic that is mirrored to the firewall; encrypted traffic using ECC certificates must pass through the firewall directly for the firewall to decrypt it.
You cannot use a hardware security module (HSM) to store private ECDSA keys used for SSL Forward Proxy or Inbound Inspection decryption.
Perfect Forward Secrecy (PFS) Support for SSL Decryption
PFS is a secure communication protocol that prevents the compromise of one encrypted session from leading to the compromise of multiple encrypted sessions. With PFS, a server generates unique private keys for each secure session it establishes with a client. If a server private key is compromised, only the single session established with that key is vulnerable; an attacker cannot retrieve data from past and future sessions because the server establishes each connection with a uniquely generated key. The firewall decrypts SSL sessions established with PFS key exchange algorithms, and preserves PFS protection for past and future sessions.
Support for Diffie-Hellman (DHE)-based PFS and elliptical curve Diffie-Hellman (ECDHE)-based PFS is enabled by default (Objects > Decryption Profile > SSL Decryption > SSL Protocol Settings).
If you use the DHE or ECDHE key exchange algorithms to enable PFS, you cannot use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.
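The property described above, that with PFS a compromised server key exposes at most one session, can be seen directly by contrasting a server that reuses one Diffie-Hellman private value with one that generates a fresh value per session (DHE). The following is an added illustration, not code from the guide or from PAN-OS, using a deliberately tiny toy group (p = 2^127 - 1, g = 3, constructed for the example and unsuitable for real use) so the arithmetic runs instantly. It also shows why an HSM cannot hold the keys for PFS inbound inspection: with DHE there is no long-lived key-exchange secret to store.

```python
import secrets
from hashlib import sha256

# Toy Diffie-Hellman parameters, constructed for illustration only: p = 2^127 - 1 is
# prime but far too small for real use, and g = 3 has not been checked as a generator.
P = 2 ** 127 - 1
G = 3


def dh_public(private):
    return pow(G, private, P)


def session_key(private, peer_public):
    """Both sides derive the same symmetric key from their own secret and the peer's public value."""
    shared = pow(peer_public, private, P)
    return sha256(shared.to_bytes(16, "big")).hexdigest()


class StaticDHServer:
    """No PFS: one long-lived private value is reused for every session."""

    def __init__(self):
        self.long_term_private = secrets.randbelow(P - 2) + 1

    def handshake(self, client_public):
        return dh_public(self.long_term_private), session_key(self.long_term_private, client_public)


class EphemeralDHServer:
    """PFS (DHE): a fresh private value per session, forgotten once the key is derived."""

    def handshake(self, client_public):
        ephemeral_private = secrets.randbelow(P - 2) + 1
        server_public = dh_public(ephemeral_private)
        key = session_key(ephemeral_private, client_public)
        del ephemeral_private  # nothing long-lived remains to be compromised later
        return server_public, key


def run_sessions(server, n):
    """Simulate n client sessions. Returns the handshake transcripts an eavesdropper could
    record (client public, server public) and the keys the two sides actually agreed on."""
    transcripts, keys = [], []
    for _ in range(n):
        client_private = secrets.randbelow(P - 2) + 1
        client_public = dh_public(client_private)
        server_public, key = server.handshake(client_public)
        assert session_key(client_private, server_public) == key  # both sides agree
        transcripts.append((client_public, server_public))
        keys.append(key)
    return transcripts, keys


def recover_with_stolen_key(stolen_private, transcripts):
    """What someone holding a server private value can recompute from recorded handshakes:
    the session key wherever that value produced the recorded server public value, else None."""
    recovered = []
    for client_public, server_public in transcripts:
        if dh_public(stolen_private) == server_public:
            recovered.append(session_key(stolen_private, client_public))
        else:
            recovered.append(None)
    return recovered


def compare(n=3):
    """(all static sessions recovered?, any ephemeral session recovered?) for n recorded sessions each."""
    static = StaticDHServer()
    transcripts, keys = run_sessions(static, n)
    static_all = recover_with_stolen_key(static.long_term_private, transcripts) == keys
    ephemeral = EphemeralDHServer()
    transcripts, keys = run_sessions(ephemeral, n)
    # The ephemeral server keeps no private value at all, so only a blind guess is possible.
    guess = secrets.randbelow(P - 2) + 1
    ephemeral_any = any(k is not None for k in recover_with_stolen_key(guess, transcripts))
    return static_all, ephemeral_any
```

`compare()` returns `(True, False)`: every recorded static-key session is recoverable once the one long-term value leaks, while no ephemeral session is. In real TLS the server's long-term key only signs the ephemeral values, which is why the firewall can preserve PFS for decrypted sessions: it takes part in each handshake rather than deriving keys from a stored secret.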
Define Traffic to Decrypt
A decryption policy rule allows you to define traffic that you want the firewall to decrypt, or to define traffic that you want the firewall to exclude from decryption. You can attach a decryption profile rule to a decryption policy rule to more granularly control matching traffic.
- Create a Decryption Profile
- Create a Decryption Policy Rule
Create a Decryption Profile
A decryption profile allows you to perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
- Block sessions using unsupported protocols, cipher suites, or sessions that require client authentication.
- Block sessions based on certificate status, where the certificate is expired, is signed by an untrusted CA, has extensions restricting the certificate use, has an unknown certificate status, or the certificate status can't be retrieved during a configured timeout period.
- Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, you can attach it to a decryption policy rule; the firewall then enforces the decryption profile settings on traffic matched to the decryption policy rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.
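The two decisions described in Keys and Certificates for Decryption Policies and in the profile checks above (which signing certificate the firewall presents, and whether the session is blocked) can be modelled together. The following is an added example, not code from the guide or from PAN-OS: the class and field names are constructed and do not correspond to PAN-OS settings, the certificate trust list is a plain set of issuer names, and certificate status values are sample labels.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ServerCert:
    subject_cn: str
    issuer: str                     # name of the CA that signed the certificate
    not_after: str                  # ISO date/time of expiry
    status: str = "good"            # "good", "revoked", "unknown" or "timeout" (constructed labels)
    usage_restricted: bool = False  # True when extensions restrict the certificate's use


@dataclass
class TlsSession:
    cert: ServerCert
    protocol: str                   # e.g. "TLSv1.2"
    key_exchange: str               # e.g. "ECDHE", "DHE", "RSA"
    client_auth_required: bool = False


@dataclass
class DecryptionProfile:
    """Constructed model of the checks the guide lists; field names are not PAN-OS settings."""
    block_expired: bool = True
    block_untrusted_issuer: bool = True
    block_unknown_status: bool = False
    block_status_timeout: bool = False
    block_restricted_usage: bool = True
    block_client_auth: bool = True
    block_unsupported: bool = True
    allowed_protocols: frozenset = frozenset({"TLSv1.1", "TLSv1.2"})
    allowed_key_exchange: frozenset = frozenset({"ECDHE", "DHE", "RSA"})
    block_when_resources_unavailable: bool = True


def select_forward_cert(cert, ctl):
    """Forward Trust re-signs the server certificate copy when its issuer is in the firewall's
    certificate trust list; otherwise Forward Untrust is used so the client sees a warning."""
    return "forward-trust" if cert.issuer in ctl else "forward-untrust"


def evaluate_session(session, profile, ctl, now, resources_available=True):
    """Apply the profile's checks to a session. Returns ("allow" | "block", [reasons])."""
    reasons = []
    cert = session.cert
    if profile.block_expired and datetime.fromisoformat(cert.not_after) < datetime.fromisoformat(now):
        reasons.append("expired certificate")
    if profile.block_untrusted_issuer and cert.issuer not in ctl:
        reasons.append("untrusted issuer")
    if profile.block_unknown_status and cert.status == "unknown":
        reasons.append("unknown certificate status")
    if profile.block_status_timeout and cert.status == "timeout":
        reasons.append("certificate status check timed out")
    if profile.block_restricted_usage and cert.usage_restricted:
        reasons.append("certificate extensions restrict its use")
    if profile.block_client_auth and session.client_auth_required:
        reasons.append("client authentication required")
    if profile.block_unsupported:
        if session.protocol not in profile.allowed_protocols:
            reasons.append("unsupported protocol " + session.protocol)
        if session.key_exchange not in profile.allowed_key_exchange:
            reasons.append("unsupported key exchange " + session.key_exchange)
    if profile.block_when_resources_unavailable and not resources_available:
        reasons.append("decryption resources unavailable")
    return ("block" if reasons else "allow"), reasons
```

Note that the two decisions are independent: an untrusted issuer with `block_untrusted_issuer` left off still reaches the client, but signed by the Forward Untrust certificate, so the browser warning is the only control left. Keeping the block on, as the default profile does, is what stops users from clicking through.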
Configure a Decryption Profile Rule
Step 8: Commit the configuration.
Create a Decryption Policy Rule
Create a decryption policy rule to define traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a decryption policy rule to define Decryption Mirroring.
Configure a Decryption Policy Rule
Step 2: Give the policy rule a descriptive Name.
Step 3: Configure the decryption rule to match to traffic based on network and policy objects:
- Firewall security zones: Select Source and/or Destination and match to traffic based on the Source Zone and/or the Destination Zone.
- IP addresses, address objects, and/or address groups: Select Source and/or Destination to match to traffic based on Source Address and/or the Destination Address. Alternatively, select Negate to exclude the source address list from decryption.
- Users: Select Source and set the Source User for whom to decrypt traffic. You can decrypt specific user or group traffic, or decrypt traffic for certain types of users, such as unknown users or pre-logon users (users that are connected to GlobalProtect but are not yet logged in).
- Ports and protocols: Select Service/URL Category to set the rule to match to traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match to applications only on the application default ports.
  The application-default setting is useful for Decryption Exclusions. You can exclude applications running on their default ports from decryption, while continuing to decrypt the same applications when they are detected on non-standard ports.
- URLs and URL categories: Select Service/URL Category and decrypt traffic based on:
  - An externally hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists).
  - Custom URL categories (see Objects > Custom Objects > URL Category).
  - Palo Alto Networks URL categories. This option is useful for Decryption Exclusions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial- or health care-related sites from decryption based on the Palo Alto Networks URL categories.
Step 6: Click OK to save the policy.
Configure SSL Forward Proxy
To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall as a trusted third party to the session between the client and the server. The firewall can use self-signed certificates or certificates signed by an enterprise certificate authority (CA) as forward trust certificates to authenticate the SSL session with the client.
(Recommended) Enterprise CA-signed Certificates
An enterprise CA can issue a signing certificate which the firewall can use to sign the certificates for sites requiring SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can then send a copy of the destination server certificate to the client signed by the enterprise CA.
Self-signed Certificates
When a client connects to a server with a certificate that is signed by a CA that the firewall trusts, the firewall can sign a copy of the server certificate to present to the client and establish the SSL session. You can use self-signed certificates for SSL Forward Proxy decryption if your organization does not have an enterprise CA or if you intend to only perform decryption for a limited number of clients.
Additionally, set up a forward untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates.
After setting up the forward trust and forward untrust certificates required for SSL Forward Proxy decryption, add a decryption policy rule to define the traffic you want the firewall to decrypt. SSL tunneled traffic matched to the decryption policy rule is decrypted to clear text traffic. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and the firewall security policy. Traffic is re-encrypted as it exits the firewall.
Configure SSL Forward Proxy
Step 2: Configure the forward trust certificate for the firewall to present to clients when the server certificate is signed by a trusted CA:
- (Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
- Use a self-signed certificate as the forward trust certificate.
(Recommended) Use an enterprise CA-signed certificate as the forward trust certificate.
1. Generate a Certificate Signing Request (CSR) for the enterprise CA to sign and validate:
   a. Select Device > Certificate Management > Certificates and click Generate.
   b. Enter a Certificate Name, such as my-fwd-proxy.
   c. In the Signed By drop-down, select External Authority (CSR).
   d. (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall details, such as Country or Department.
   e. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
2. Export the CSR:
   a. Select the pending certificate displayed on the Device Certificates tab.
   b. Click Export to download and save the certificate file.
      NOTE: Leave Export private key unselected in order to ensure that the private key remains securely on the firewall.
   c. Click OK.
3. Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate from your enterprise CA, save the enterprise CA-signed certificate for import onto the firewall.
4. Import the enterprise CA-signed certificate onto the firewall:
   a. Select Device > Certificate Management > Certificates and click Import.
   b. Enter the pending Certificate Name exactly (in this case, my-fwd-trust). The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated.
   c. Select the signed Certificate File that you received from your enterprise CA.
   d. Click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
5. Select the validated certificate, in this case, my-fwd-proxy, to enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption.
6. Click OK to save the enterprise CA-signed forward trust certificate.
Use a self-signed certificate as the forward trust certificate.
1. Generate a new certificate:
   a. Select Device > Certificate Management > Certificates.
   b. Click Generate at the bottom of the window.
   c. Enter a Certificate Name, such as my-fwd-trust.
   d. Enter a Common Name, such as 192.168.2.1. This should be the IP or FQDN that will appear in the certificate. In this case, we are using the IP of the trust interface. Avoid using spaces in this field.
   e. Leave the Signed By field blank.
   f. Click the Certificate Authority check box to enable the firewall to issue the certificate. Selecting this check box creates a certificate authority (CA) on the firewall that is imported to the client browsers, so clients trust the firewall as a CA.
   g. Generate the certificate.
2. Click the new certificate my-fwd-trust to modify it and enable the certificate to be a Forward Trust Certificate.
3. Click OK to save the self-signed forward trust certificate.
Step 7: Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
This option requires an active WildFire license and is a WildFire best practice.
Step 8: Commit the configuration.
Configure SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you have the server certificate). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to clear text traffic and inspected. The clear text traffic is blocked and restricted based on the decryption profile attached to the policy and any configured Antivirus, Vulnerability, Anti-Spyware, URL Filtering and File Blocking profiles. You can also enable the firewall to forward decrypted SSL traffic for WildFire analysis and signature generation.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall and creating an SSL Inbound Inspection decryption policy.
Configure SSL Inbound Inspection
Step 4: Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
This option requires an active WildFire license and is a WildFire best practice.
Step 5: Commit the configuration.
Configure SSH Proxy
Configuring SSH Proxy does not require certificates and the key used to decrypt SSH sessions is generated automatically on the firewall during boot up.
With SSH decryption enabled, all SSH traffic identified by the policy is decrypted and identified as either regular SSH traffic or as SSH tunneled traffic. SSH tunneled traffic is blocked and restricted according to the profiles configured on the firewall. Traffic is re-encrypted as it exits the firewall.
Configure SSH Proxy Decryption
Step 3: Commit the configuration.
Step 4: (Optional) Continue to Decryption Exclusions to disable decryption for certain types of traffic.
Decryption Exclusions
Palo Alto Networks excludes certain applications and services from SSL decryption by default, and you can also choose to exclude a targeted server from decryption or exclude certain traffic from decryption based on source, destination, URL category, and service. The predefined decryption exclusions automatically exclude applications and services from decryption that do not function correctly when the firewall decrypts them, and custom decryption exclusions allow you to exclude traffic from decryption for legal or privacy reasons.
- Palo Alto Networks Predefined Decryption Exclusions
- Exclude a Server from Decryption
- Create a Policy-Based Decryption Exclusion
Palo Alto Networks Predefined Decryption Exclusions
Palo Alto Networks defines decryption exclusions to identify applications and services that do not function correctly when the firewall decrypts them. Palo Alto Networks delivers new and updated predefined decryption exclusions to the firewall as part of the Applications and Threats content update (or the Applications content update, if you do not have a Threat Prevention license). Predefined decryption exclusions are enabled by default: the firewall does not decrypt traffic matching a predefined exclusion and allows the encrypted traffic based on your security policy. Because the traffic remains encrypted, the firewall does not inspect or further enforce the traffic. You can also choose to disable a predefined exclusion; in this case, encrypted applications or services that the firewall cannot decrypt are not supported (you might choose to disable predefined exclusions in order to enforce a strict security policy that allows only applications and services that the firewall can inspect and enforce).
You can view and manage all Palo Alto Networks predefined decryption exclusions directly on the firewall (Device > Certificate Management > Decryption Exclusions):
The firewall automatically removes enabled predefined decryption exclusions from the list when they become obsolete (when an application that decryption previously caused to break is now supported with decryption). Show Obsoletes to check if there are disabled, predefined exclusions remaining on the list that are no longer needed, as the firewall does not remove disabled predefined decryption exclusions automatically.
Beyond the predefined decryption exclusions, you can also create custom decryption exclusions: Exclude a Server from Decryption to exclude traffic from decryption based on server certificates, or Create a Policy-Based Decryption Exclusion to exclude traffic from decryption based on application, source, destination, URL category, and service.
Exclude a Server from Decryption
You can exclude targeted server traffic from SSL decryption. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems. This type of decryption exclusion is based on the hostname that identifies the server to other network devices. The server hostname that you use to define the decryption exclusion is compared against the common name (CN) in the certificate a server presents or, in the case where a single server is hosting multiple websites using different certificates, the hostname is compared against the server name indication (SNI) that the client presents to indicate the server to which it wants to connect.
ExcludeaServerfromDecryption
Step2 Addanewdecryptionexclusion,orselectanexistingcustomentrytomodifyit.
Step3 Enterthehostnameofthewebsiteorapplicationyouwanttoexcludefromdecryption.
Toexcludeallhostnamesassociatedwithacertaindomainfromdecryption,youcanuseawildcardasterisk
(*).Inthiscase,allsessionswheretheserverpresentsaCNthatcontainsthedomainareexcludedfrom
decryption.
Makesurethatthehostnamefieldisuniqueforeachcustomentry.Ifapredefinedexclusionmatchesa
customentry,thecustomentrytakesprecedence.
Step5 Excludetheapplicationfromdecryption.Alternatively,ifyouaremodifyinganexistingdecryptionexclusion,
youcanclearthischeckboxtostartdecryptinganentrythatwaspreviouslyexcludedfromdecryption.
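The following is an added example, not PAN-OS code, that models how a hostname-based exclusion like the one described above is matched against the certificate CN or the client's SNI, and how a custom entry takes precedence over a predefined one. The hostnames are constructed, and the matching details that the page does not spell out are assumptions: a "*." prefix matches every subdomain and the bare domain, the SNI is used when the client sends one and the CN otherwise, and comparison is case-insensitive.

```python
"""Added example, not PAN-OS code: matching a hostname-based decryption
exclusion against the certificate CN or the client's SNI.
Assumptions not in the page: '*.' matches any subdomain and the apex, the
SNI is preferred when present, matching is case-insensitive, and a custom
entry replaces a predefined entry with the same hostname."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Exclusion:
    hostname: str           # e.g. "hr.corp.example" or "*.corp.example"
    predefined: bool        # True for a Palo Alto Networks predefined entry
    enabled: bool = True    # cleared to resume decrypting the server


def _host_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*.' covers every subdomain and the apex."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        apex = pattern[2:]
        return host == apex or host.endswith("." + apex)
    return host == pattern


def effective_exclusions(entries: Iterable[Exclusion]) -> List[Exclusion]:
    """A custom entry takes precedence over a predefined one for the same hostname."""
    by_host = {}
    for entry in entries:
        key = entry.hostname.lower()
        current = by_host.get(key)
        if current is None or (current.predefined and not entry.predefined):
            by_host[key] = entry
    return list(by_host.values())


def should_decrypt(entries: Iterable[Exclusion], cert_cn: str,
                   sni: Optional[str] = None) -> Tuple[bool, Optional[Exclusion]]:
    """Return (decrypt, matched_exclusion). The SNI is preferred because one
    server may present a different certificate per site. Any client can send
    any SNI value, so an SNI match reflects the client's claim, not the
    server's identity."""
    target = sni or cert_cn
    for entry in effective_exclusions(entries):
        if entry.enabled and _host_matches(entry.hostname, target):
            return False, entry
    return True, None


# Constructed sample list with hypothetical hostnames.
SAMPLE = [
    Exclusion("hr.corp.example", predefined=False),
    Exclusion("*.bank.example", predefined=True),
    Exclusion("shared.example", predefined=True, enabled=False),  # obsolete, disabled
    Exclusion("shared.example", predefined=False),                # custom entry wins
]

if __name__ == "__main__":
    for cn, sni in [("hr.corp.example", None), ("www.example", None),
                    ("multi.example", "login.bank.example")]:
        print(cn, sni, should_decrypt(SAMPLE, cn, sni))
```

The disabled predefined entry for shared.example stays on the list until you remove it (the firewall only auto-removes enabled obsolete entries), but it has no effect because the custom entry for the same hostname wins.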
Create a Policy-Based Decryption Exclusion
Exclude certain traffic from decryption based on application, source, destination, URL category, and/or service. For example, leverage URL categories to exclude traffic that is financial or health related from decryption, as that traffic is likely to be personal to users.
Because policy rules are compared against incoming traffic in sequence, make sure that a decryption exclusion rule is listed before the decrypt rules it must take precedence over in your decryption policy.
Enable Users to Opt Out of SSL Decryption
In some cases, you might need to alert your users to the fact that the firewall is decrypting certain web traffic and allow them to terminate sessions that they do not want inspected. With SSL Opt-Out enabled, the first time a user attempts to browse to an HTTPS site or application that matches your decryption policy, the firewall displays a response page notifying the user that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site, or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that the user tries to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the user attempts to access an HTTPS site.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images.
Configure Decryption Port Mirroring
Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring. Because the mirrored copy of the session is cleartext, connect the mirror interface only to a dedicated, access-controlled collection tool.
Temporarily Disable SSL Decryption
In some cases you may want to temporarily disable SSL decryption. For example, if your users are having problems accessing an encrypted site or application, you may want to disable SSL decryption in order to troubleshoot the issue. Although you could disable the associated decryption policies, modifying the policies is a configuration change that requires a Commit. Instead, use the following command to temporarily disable SSL decryption and then re-enable it after you finish troubleshooting. This command does not require a commit and it does not persist in your configuration after a reboot.
URL Filtering Overview
The Palo Alto Networks URL filtering solution complements App-ID by enabling you to configure the firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect your network from attack. With URL Filtering enabled, all web traffic is compared against the URL filtering database, which contains a listing of millions of websites that have been assigned to categories. You can use these URL categories as match criteria to enforce security policy, to safely enable web access, and to control the traffic that traverses your network. You can also use URL filtering to enforce safe search settings for your users and to Prevent Credential Phishing based on URL category.
Although the Palo Alto Networks URL filtering solution supports both BrightCloud and PAN-DB, only the PAN-DB URL filtering solution allows you to choose between the PAN-DB Public Cloud and the PAN-DB Private Cloud. Use the public cloud solution if the Palo Alto Networks next-generation firewalls on your network can directly access the Internet. If the network security requirements in your enterprise prohibit the firewalls from directly accessing the Internet, you can deploy a PAN-DB private cloud on one or more M-500 appliances that function as PAN-DB servers within your network.
• URL Filtering Vendors
• Interaction Between App-ID and URL Categories
• PAN-DB Private Cloud
URL Filtering Vendors
Palo Alto Networks firewalls support two URL filtering vendors:
• PAN-DB: A Palo Alto Networks-developed URL filtering database that is tightly integrated into PAN-OS and the Palo Alto Networks threat intelligence cloud. PAN-DB provides high-performance local caching for maximum inline performance on URL lookups, and offers coverage against malicious URLs and IP addresses. As WildFire, which is a part of the Palo Alto Networks threat intelligence cloud, identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs), the PAN-DB database is updated with information on malicious URLs so that you can block malware downloads and disable Command and Control (C2) communications to protect your network from cyber threats. The URL categories malware and phishing are updated every five minutes to ensure that you can manage access to these sites within minutes of categorization.
To view a list of PAN-DB URL filtering categories, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
• BrightCloud: A third-party URL database that is owned by Webroot, Inc. and is integrated into PAN-OS firewalls. For information on the BrightCloud URL database, visit http://brightcloud.com.
For instructions on configuring the firewall to use one of the supported URL Filtering vendors, see Enable a URL Filtering Vendor.
Interaction Between App-ID and URL Categories
The Palo Alto Networks URL filtering solution, in combination with App-ID, provides protection against a full spectrum of cyber attacks and against legal, regulatory, productivity, and resource-utilization risks. While App-ID gives you control over what applications users can access, URL filtering provides control over related web activity. When combined with User-ID, you can enforce controls based on users and groups.
With today's application landscape and the way many applications use HTTP and HTTPS, you will need to use App-ID, URL filtering, or both in order to define comprehensive web access policies. App-ID signatures are granular and allow you to identify shifts from one web-based application to another; URL filtering allows you to enforce actions based on a specific website or URL category. For example, while you can use URL filtering to control access to Facebook and/or LinkedIn, URL filtering cannot block the use of related applications such as email, chat, or any new applications that are introduced after you implement policy. When combined with App-ID, you can control the use of related applications, because the granular application signatures identify each application and let you, for example, allow access to Facebook while blocking access to Facebook chat when so defined in policy.
You can also use URL categories as match criteria in policies. Instead of creating policies limited to allow-all or block-all behavior, URL category as a match criterion permits exception-based behavior and gives you more granular policy enforcement capabilities. For example, deny access to malware and hacking sites for all users, but allow access to users that belong to the IT security group.
For some examples, see URL Filtering Use Cases.
PAN-DB Private Cloud
The PAN-DB private cloud is an on-premises solution that is suitable for organizations that prohibit or restrict the use of the PAN-DB public cloud service. With this on-premises solution, you can deploy one or more M-500 appliances as PAN-DB servers within your network or data center. The firewalls query the PAN-DB private cloud to perform URL lookups, instead of accessing the PAN-DB public cloud.
The process for performing URL lookups in both the private and the public cloud is the same for the firewalls on the network. By default, the firewall is configured to access the public PAN-DB cloud. If you deploy a PAN-DB private cloud, you must configure the firewalls with a list of IP addresses or FQDNs to access the server(s) in the private cloud.
Firewalls running PAN-OS 5.0 or later versions can communicate with the PAN-DB private cloud.
When you Set Up the PAN-DB Private Cloud, you can either configure the M-500 appliance(s) to have direct internet access or keep them completely offline. Because the M-500 appliance requires database and content updates to perform URL lookups, if the appliance does not have an active internet connection, you must manually download the updates to a server on your network and then import the updates using SCP into each M-500 appliance in the PAN-DB private cloud. In addition, the appliances must be able to obtain the seed database and any other regular or critical content updates for the firewalls that they service.
To authenticate the firewalls that connect to the PAN-DB private cloud, a set of default server certificates is packaged with the appliance; you cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls, so verify that the firewalls still reach the private cloud after a hostname change.
• M-500 Appliance for PAN-DB Private Cloud
• Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud
M-500 Appliance for PAN-DB Private Cloud
To deploy a PAN-DB private cloud, you need one or more M-500 appliances. The M-500 appliance ships in Panorama mode, and to be deployed as a PAN-DB private cloud it must be set up to operate in PAN-URL-DB mode. In PAN-URL-DB mode, the appliance provides URL categorization services for enterprises that do not want to use the PAN-DB public cloud.
The M-500 appliance, when deployed as a PAN-DB private cloud, uses two ports: MGT (Eth0) and Eth1; Eth2 is not available for use. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud or from a server on your network. For communication between the PAN-DB private cloud and the firewalls on the network, you can use the MGT port or Eth1.
The M-100 appliance cannot be deployed as a PAN-DB private cloud.
The M-500 appliance in PAN-URL-DB mode:
• Does not have a web interface; it only supports a command line interface (CLI).
• Cannot be managed by Panorama.
• Cannot be deployed in a high availability pair.
• Does not require a URL Filtering license. The firewalls, however, must have a valid PAN-DB URL Filtering license to connect with and query the PAN-DB private cloud.
• Ships with a set of default server certificates that are used to authenticate the firewalls that connect to the PAN-DB private cloud. You cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls that it services.
• Can be reset to Panorama mode only. If you want to deploy the appliance as a dedicated Log Collector, switch to Panorama mode and then set it in log collector mode.
Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud
URL Filtering Concepts
• URL Categories
• URL Filtering Profile
• URL Filtering Profile Actions
• Block and Allow Lists
• External Dynamic List for URLs
• Container Pages
• HTTP Header Logging
• URL Filtering Response Pages
• URL Category as Policy Match Criteria
URL Categories
Each website defined in the URL filtering database is assigned a URL category. Here are a few ways to leverage URL categories:
• Block or allow traffic based on URL category: You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy. Traffic that matches the policy is then subject to the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more information.
• Enforce policy based on URL category: If you want a specific policy rule to apply only to web traffic to sites in a specific category, use the site's URL category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more information.
• Block or allow corporate credential submissions based on URL category: Prevent Credential Phishing by enabling the firewall to detect corporate credential submissions to sites, and then block or allow those submissions based on URL category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or against reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate and sanctioned sites.
Grouping websites into categories makes it easy to define actions based on certain types of websites.
In addition to the standard URL categories, there are three additional categories:
Category: Description
not-resolved: Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL; if no match is found, it checks the management plane cache, and if no match is found there, it queries the URL database in the cloud. In the case of the PAN-DB private cloud, the URL database in the public cloud is not used for queries.
Because not-resolved reflects a failed lookup rather than the content of the site, setting the action to block for traffic that is categorized as not-resolved may be very disruptive to users, and a sudden rise in not-resolved traffic usually points to lost cloud connectivity rather than to user behavior. You could set the action to continue, so that you can notify users that they are accessing a site that is blocked by company policy and provide the option to read the disclaimer and continue to the website.
For more information on troubleshooting lookup issues, see Troubleshoot URL Filtering.
private-ip-addresses: Indicates that the website is a single domain (no subdomains), the IP address is in the private IP range, or the URL root domain is unknown to the cloud.
unknown: The website has not yet been categorized, so it does not exist in the URL filtering database on the firewall or in the URL cloud database.
When deciding what action to take for traffic categorized as unknown, be aware that setting the action to block may be very disruptive to users because there could be a lot of valid sites that are not in the URL database yet. If you do want a very strict policy, you could block this category, so websites that do not exist in the URL database cannot be accessed. At a minimum, set the action to alert so that visits to uncategorized sites are logged, since allow generates no log entry.
Palo Alto Networks collects the list of URLs from the unknown category and processes them to determine the URL category. These URLs are processed automatically, every day, provided the websites have machine-readable content that is in a supported format and language. Upon categorization, the updated category information is made available to all PAN-DB customers.
See Configure URL Filtering.
You can submit URL categorization change requests using the Palo Alto Networks dedicated web portal (Test A Site), the URL filtering profile setup page on the firewall, or the URL filtering log on the firewall. Each change request is automatically processed every day, provided the website provides machine-readable content that is in a supported format and language. Sometimes the categorization change requires a member of the Palo Alto Networks engineering staff to perform a manual review. In such cases, the process may take a little longer.
URL Filtering Profile
A URL filtering profile is a collection of URL filtering controls that you can apply to individual security policy rules to enforce your web access policy. The firewall comes with a default profile that is configured to block threat-prone categories, such as malware, phishing, and adult. You can use the default profile in a security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL filtering profile. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed. For example, you may want to block social networking sites, but allow some websites that are part of the social networking category.
Configure a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.
URL Filtering Profile Actions
The URL Filtering profile specifies web access and credential submission permissions for each URL category. By default, site access for all URL categories is set to allow when you Create a new URL Filtering profile. This means that users will be able to browse to all sites freely and the traffic will not be logged. You can customize the URL Filtering profile with custom Site Access settings for each category, or use the predefined default URL filtering profile on the firewall to allow access to all URL categories except the following threat-prone categories, which it blocks: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, and weapons.
For each URL category, select the User Credential Submissions setting to allow or disallow users from submitting valid corporate credentials to a URL in that category in order to Prevent Credential Phishing. Managing the sites to which users can submit credentials requires User-ID, and you must first Set Up Credential Phishing Prevention. URL categories with Site Access set to block are automatically set to also block user credential submissions.
Learn more about configuring a best practice URL Filtering profile to ensure protection against URLs that have been observed hosting malware or exploitive content.
Site Access
Action: Description
alert: The website is allowed and a log entry is generated in the URL filtering log.
allow: The website is allowed and no log entry is generated.
block: The website is blocked; the user sees a response page and cannot continue to the website. A log entry is generated in the URL filtering log.
Blocking site access for a URL category also sets User Credential Submissions for that URL category to block.
continue: The user is prompted with a response page indicating that the site has been blocked due to company policy, but with the option to continue to the website. The continue action is typically used for categories that are considered benign and improves the user experience by giving users the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL filtering log.
NOTE: The Continue page doesn't display properly on client systems configured to use a proxy server.
override: The user sees a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or help desk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL filtering log. See Allow Password Access to Certain Sites.
NOTE: The Override page doesn't display properly on client systems configured to use a proxy server.
none: The none action only applies to custom URL categories. Select none to ensure that, if multiple URL profiles exist, the custom category has no impact on other profiles. For example, if you have two URL profiles and the custom URL category is set to block in one profile, and you do not want the block action to apply to the other profile, you must set the action to none in that profile.
Also, in order to delete a custom URL category, it must be set to none in any profile where it is used.
User Credential Submissions
NOTE: These settings require you to first Set Up Credential Phishing Prevention.
alert: Allow users to submit corporate credentials to sites in this URL category, but generate a URL Filtering alert log each time this occurs.
allow (default): Allow users to submit corporate credentials to websites in this URL category.
block: Block users from submitting corporate credentials to websites in this category. A default anti-phishing response page is displayed to users when they access sites to which corporate credential submissions are blocked. You can choose to create a custom block page to display.
continue: Display a response page to users that prompts them to select Continue to access the site. By default, the Anti Phishing Continue Page is shown to users when they access sites to which credential submissions are discouraged. You can also choose to create a custom response page to display, for example, if you want to warn users against phishing attempts or against reusing their credentials on other websites.
Block and Allow Lists
In some cases you might want to block a category but allow a few specific sites in that category. Alternatively, you might want to allow some categories but block individual sites in the category. You do this by adding the IP addresses or URLs of these sites in the Block List and Allow List sections of the URL Filtering profile to Define Block and Allow Lists that specify websites that should always be blocked or allowed, regardless of URL category.
When entering URLs in the Block List, the Allow List, or an External Dynamic List for URLs, enter each URL or IP address on a new row separated by a newline. When using wildcards in the URLs, follow these rules:
• Do not include HTTP and HTTPS when defining the allow or block list entries. For example, enter www.paloaltonetworks.com or paloaltonetworks.com instead of https://www.paloaltonetworks.com.
• Entries in the block list are matched exactly, token by token (unless a wildcard token is used), and are case-insensitive.
For example, to prevent a user from accessing any website within the paloaltonetworks.com domain, add *.paloaltonetworks.com to the block list. This blocks all paloaltonetworks.com URLs, even if the address includes a domain prefix (http://, www) or a subdomain prefix (mail.paloaltonetworks.com). The same applies to the path that follows the domain. For example, if you want to block paloaltonetworks.com/en/US, you would add paloaltonetworks.com/* to the block list as well.
Further, to block access to a domain suffix such as paloaltonetworks.com.au, you must add an entry with a slash (/) at the end. In this example, you would add *.paloaltonetworks.com/ to the block list.
• The block and allow lists support wildcard patterns. The following characters are considered separators: . / ? & = ; +
Every substring separated by a character listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or an asterisk (*). For example, the following patterns are valid:
*.yahoo.com (tokens are: "*", "yahoo" and "com")
www.*.com (tokens are: "www", "*" and "com")
www.yahoo.com/search=* (tokens are: "www", "yahoo", "com", "search", "*")
The following patterns are invalid because the asterisk (*) is not the only character in the token:
ww*.yahoo.com
www.y*.com
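The tokenization rules above are easy to get wrong when building lists by hand or from a feed, so the following added example (not PAN-OS code) validates entries with those rules and matches them against requested URLs. The separators, the whole-token rule for "*", the dropped scheme and case-insensitivity come from the page; two details the page does not define are assumptions: a "*" token matches zero or more consecutive URL tokens, and a block-list hit is checked before an allow-list hit.

```python
"""Added example, not PAN-OS code: validating block/allow list entries with
the page's tokenization rules and matching them against URLs.
From the page: separators . / ? & = ; + , '*' only as a whole token, no
scheme in entries, case-insensitive matching.
Assumptions not in the page: '*' matches zero or more consecutive tokens,
and a block-list match wins over an allow-list match."""
import re
from typing import Iterable, List, Optional

SEPARATORS = "./?&=;+"
_SPLIT = re.compile("[" + re.escape(SEPARATORS) + "]")
_SCHEME = re.compile(r"^https?://", re.IGNORECASE)


def normalize(text: str) -> str:
    """Lower-case and drop a scheme, which the page says must not be in an entry."""
    return _SCHEME.sub("", text.strip().lower())


def tokenize(text: str) -> List[str]:
    return _SPLIT.split(normalize(text))


def is_valid_entry(entry: str) -> bool:
    """Reject entries such as 'ww*.yahoo.com', where '*' shares a token with
    other characters, and any non-ASCII entry."""
    entry = normalize(entry)
    if not entry or not entry.isascii():
        return False
    return all(tok == "*" or "*" not in tok for tok in _SPLIT.split(entry))


def _match_tokens(pattern: List[str], url: List[str]) -> bool:
    """Glob over token lists: a '*' token consumes zero or more URL tokens."""
    if not pattern:
        return not url
    if pattern[0] == "*":
        return any(_match_tokens(pattern[1:], url[i:]) for i in range(len(url) + 1))
    return bool(url) and pattern[0] == url[0] and _match_tokens(pattern[1:], url[1:])


def matches(entry: str, url: str) -> bool:
    if not is_valid_entry(entry):
        raise ValueError("invalid list entry: %r" % entry)
    return _match_tokens(tokenize(entry), tokenize(url))


def list_decision(block_list: Iterable[str], allow_list: Iterable[str],
                  url: str) -> Optional[str]:
    """'block' or 'allow' when a list entry matches, else None so the caller
    falls back to the URL category action."""
    if any(matches(entry, url) for entry in block_list):
        return "block"
    if any(matches(entry, url) for entry in allow_list):
        return "allow"
    return None


if __name__ == "__main__":
    for entry in ["*.yahoo.com", "www.*.com", "www.yahoo.com/search=*",
                  "ww*.yahoo.com", "www.y*.com"]:
        print(entry, "valid" if is_valid_entry(entry) else "invalid", tokenize(entry))
    print(list_decision(["*.paloaltonetworks.com", "paloaltonetworks.com/*"], [],
                        "https://mail.paloaltonetworks.com"))
```

Under these assumptions a subdomain with a path (mail.paloaltonetworks.com/en/US) is matched by neither *.paloaltonetworks.com nor paloaltonetworks.com/*; verify on your own firewall which form it expects before relying on a single entry for a whole domain.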
External Dynamic List for URLs
To protect your network from new sources of threats or malware, you can use an External Dynamic List in URL Filtering profiles to block or allow, or to define granular actions such as continue, alert, or override for URLs, before you attach the profile to a Security policy rule. Unlike the allow list, block list, or a custom URL category on the firewall, an external dynamic list gives you the ability to update the list without a configuration change or commit on the firewall. The firewall dynamically imports the list at the configured interval and enforces policy for the URLs in the list (IP addresses or domains in the list are ignored). Because anyone who can change the list contents changes enforcement without a commit, host the list on a server you control and restrict who can write to it. For URL formatting guidelines, see Block and Allow Lists.
Container Pages
A container page is the main page that a user accesses when visiting a website, but additional pages may be loaded within the main page. If the Log Container page only option is enabled in the URL filtering profile, only the main container page is logged, not subsequent pages that may be loaded within the container page. Because URL filtering can potentially generate a lot of log entries, you may want to turn on this option, so that log entries only contain those URIs where the requested page's content matches one of the specified MIME types. Weigh the reduced log volume against the loss of visibility into embedded resources, such as scripts or frames loaded from third-party sites, which will no longer appear in the URL Filtering log. The default set includes the following MIME types:
application/pdf
application/soap+xml
application/xhtml+xml
text/html
text/plain
text/xml
HTTP Header Logging
URL filtering provides visibility and control over web traffic on your network. For improved visibility into web content, you can configure the URL Filtering profile to log HTTP header attributes included in a web request. When a client requests a web page, the HTTP header includes the User-Agent, Referer, and X-Forwarded-For fields as attribute-value pairs and forwards them to the web server. When enabled for logging HTTP headers, the firewall logs the following attribute-value pairs in the URL Filtering logs:
Attribute: Description
User-Agent: The web browser that the user used to access the URL, for example, Internet Explorer. This information is sent in the HTTP request to the server.
Referer: The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.
X-Forwarded-For (XFF): The option in the HTTP request header field that preserves the IP address of the user who requested the web page. If you have a proxy server on your network, the XFF allows you to identify the IP address of the user who requested the content, instead of only recording the proxy server's IP address as the source IP address that requested the web page.
All three values are set by the client (or by an intermediate proxy) and can be forged, so treat them as investigative context rather than as proof of identity.
URL Filtering Response Pages
The firewall provides the following predefined response pages, which display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering Profile (block, continue, or override), or when a credential submission to the site is blocked or discouraged:
• URL Filtering and Category Match Block Page: Access blocked by a URL Filtering Profile or because the URL category is blocked by a Security policy rule.
• URL Filtering Continue and Override Page: Page with initial block policy that allows users to bypass the block by clicking Continue. With URL Admin Override enabled (Allow Password Access to Certain Sites), after clicking Continue, the user must supply a password to override the policy that blocks the URL.
• URL Filtering Safe Search Block Page: Access blocked by a Security policy rule with a URL Filtering profile that has the Safe Search Enforcement option enabled (see Safe Search Enforcement). The user sees this page if a search is performed using Google, Bing, Yahoo, or Yandex and their browser or search engine account setting for Safe Search is not set to strict.
• Anti Phishing Block Page: This page displays to users when they attempt to enter corporate credentials (usernames or passwords) on a web page in a category for which credential submissions are blocked. The user can continue to access the site but remains unable to submit valid corporate credentials to any associated web forms. To control the sites to which users can submit corporate credentials, the firewall must be configured with User-ID and enabled to Prevent Credential Phishing based on URL category.
• Anti Phishing Continue Page: This page warns users against submitting credentials (usernames and passwords) to a website. Warning users against submitting credentials can help to discourage them from reusing corporate credentials and to educate them about possible phishing attempts. They must select Continue to proceed to submit credentials on the site. To control the sites to which users can submit corporate credentials, the firewall must be configured with User-ID and enabled to Prevent Credential Phishing based on URL category.
You can either use the predefined pages, or you can Customize the URL Filtering Response Pages to communicate your specific acceptable use policies and/or corporate branding. In addition, you can use the Table: URL Filtering Response Page Variables for substitution at the time of the block event, or add one of the supported Table: Response Page References to external images, sounds, or style sheets.
Table: URL Filtering Response Page Variables
Variable: Usage
<user/>: The firewall replaces the variable with the username (if available via User-ID) or IP address of the user when displaying the response page.
<url/>: The firewall replaces the variable with the requested URL when displaying the response page.
<category/>: The firewall replaces the variable with the URL filtering category of the blocked request.
<pan_form/>: HTML code for displaying the Continue button on the URL Filtering Continue and Override page.
When you write custom page markup, remember that the substituted values, <url/> in particular, originate from the user's request: place them in text content rather than inside script or attribute contexts.
You can also add code that triggers the firewall to display different messages depending on what URL category the user is attempting to access. For example, the following code snippet from a response page displays Message 1 if the URL category is games, Message 2 if the category is travel, or Message 3 if the category is kids:
var cat = "<category/>";
switch(cat)
{
case 'games':
document.getElementById("warningText").innerHTML = "Message 1";
break;
case 'travel':
document.getElementById("warningText").innerHTML = "Message 2";
break;
case 'kids':
document.getElementById("warningText").innerHTML = "Message 3";
break;
}
Only a single HTML page can be loaded into each virtual system for each type of block page. However, other resources such as images, sounds, and cascading style sheets (CSS files) can be loaded from other servers at the time the response page is displayed in the browser. All references must include a fully qualified URL.
Table: Response Page References
Reference Type: Example HTML Code
URL Category as Policy Match Criteria
Use URL categories as match criteria in a policy rule for more granular enforcement. For example, suppose you have configured Decryption but you want to exclude traffic to certain types of websites (for example, healthcare or financial services) from being decrypted. In this case you could create a decryption policy rule that matches those categories and set the action to no-decrypt. By placing this rule above the rule that decrypts all traffic, you ensure that web traffic whose URL category matches the no-decrypt rule is left encrypted, while all other traffic matches the subsequent rule.
The following table describes the policy types that accept URL category as match criteria:
Policy Type: Description
Authentication: To ensure that users authenticate before being allowed access to a specific category, you can attach a URL category as a match criterion for Authentication policy rules.
Decryption: Decryption policies can use URL categories as match criteria to determine whether specified websites should be decrypted or not. For example, if you have a decryption policy with the action decrypt for all traffic between two zones, there may be specific website categories, such as financial-services and/or health-and-medicine, that should not be decrypted. In this case, you would create a new decryption policy with the action no-decrypt that precedes the decrypt policy and defines a list of URL categories as match criteria for the policy. By doing this, each URL category that is part of the no-decrypt policy is not decrypted. You could also configure a custom URL category to define your own list of URLs that can then be used in the no-decrypt policy.
QoS: QoS policies can use URL categories to allocate throughput levels for specific website categories. For example, you may want to allow the streaming-media category but limit its throughput by adding the URL category as match criteria to the QoS policy.
Security: In security policies you can use URL categories both as match criteria in the Service/URL Category tab and in URL filtering profiles that are attached in the Actions tab.
If, for example, the IT security group in your company needs access to the hacking category, while all other users are denied access to the category, you must create the following rules:
• A Security policy rule that allows the IT Security group to access content categorized as hacking. The Security policy rule references the hacking category in the Service/URL Category tab and the IT Security group in the Users tab.
• Another Security policy rule that allows general web access for all users. To this rule you attach a URL filtering profile that blocks the hacking category.
The policy that allows access to hacking must be listed before the policy that blocks hacking. This is because security policy rules are evaluated top-down, so when a user who is part of the IT security group attempts to access a hacking site, the policy rule that allows access is evaluated first and allows the user access to the hacking site. Users from all other groups are evaluated against the general web access rule, which blocks access to hacking sites.
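The following added example (not PAN-OS code) models the two-rule arrangement just described together with the Site Access actions from URL Filtering Profile Actions above: rules are evaluated top-down, the first match wins, and a matching allow rule defers to its URL Filtering profile, whose actions map to a verdict and a log decision (allow = no log, alert = allow and log, block/continue/override = response page and log). Rule names, group names and the implicit final deny are hypothetical.

```python
"""Added example, not PAN-OS code: first-match evaluation of Security rules
that use URL category as match criteria and carry a URL Filtering profile.
Rule and group names and the implicit final deny are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

THREAT_PRONE = ["abused-drugs", "adult", "gambling", "hacking", "malware",
                "phishing", "questionable", "weapons"]


@dataclass
class URLFilteringProfile:
    name: str
    site_access: Dict[str, str]     # category -> alert|allow|block|continue|override
    default_action: str = "allow"   # a newly created profile allows every category

    def action_for(self, category: str) -> str:
        return self.site_access.get(category, self.default_action)


@dataclass
class SecurityRule:
    name: str
    action: str                                  # allow | deny
    users: Optional[Set[str]] = None             # None = any user (Users tab)
    url_categories: Optional[Set[str]] = None    # Service/URL Category tab
    profile: Optional[URLFilteringProfile] = None  # Actions tab

    def matches(self, user_groups: Set[str], category: str) -> bool:
        if self.users is not None and not (self.users & user_groups):
            return False
        if self.url_categories is not None and category not in self.url_categories:
            return False
        return True


def evaluate(rules: List[SecurityRule], user_groups: Set[str],
             category: str) -> Tuple[Optional[str], str, bool]:
    """Top-down, first match wins. Returns (rule name, verdict, logged)."""
    for rule in rules:
        if not rule.matches(user_groups, category):
            continue
        if rule.action != "allow":
            return rule.name, "deny", True
        if rule.profile is None:
            return rule.name, "allow", False
        action = rule.profile.action_for(category)
        verdict = "allow" if action == "alert" else action
        return rule.name, verdict, action != "allow"
    return None, "deny", True    # nothing matched: implicit deny (assumption)


# The default profile the page describes: allow all but the threat-prone categories.
DEFAULT_PROFILE = URLFilteringProfile("default", {c: "block" for c in THREAT_PRONE})

# Correct order: the IT-security exception precedes the general web-access rule.
RULES = [
    SecurityRule("it-security-hacking", "allow",
                 users={"it-security"}, url_categories={"hacking"}),
    SecurityRule("general-web-access", "allow", profile=DEFAULT_PROFILE),
]

if __name__ == "__main__":
    print(evaluate(RULES, {"it-security"}, "hacking"))
    print(evaluate(RULES, {"sales"}, "hacking"))
    print(evaluate(list(reversed(RULES)), {"it-security"}, "hacking"))
```

Reversing the two rules reproduces the misconfiguration the text warns about: the general rule matches the IT-security user first and its profile blocks the hacking category, so the exception rule is never reached.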
PANDBCategorization
WhenauserrequestsaURLthefirewalldeterminestheURLcategorybycomparingtheURLwiththe
followingcomponents(inorder)untilitfindsamatch:
IfarequestedURLmatchesanexpiredentryinthedataplane(DP)URLcache,thecacherespondswiththe
expiredcategory,butalsosendsaURLcategorizationquerytothemanagementplane(MP)cache.This
preventsunnecessarydelaysintheDP,assumingthatthefrequencyofcategorychangeislow.Similarly,in
theMPURLcache,ifaURLqueryfromtheDPcachematchesanexpiredentryintheMPcache,theMP
respondstotheDPwiththeexpiredcategoryandwillalsosendaURLcategorizationrequesttothePANDB
clouddatabase.Upongettingtheresponsefromthecloud,thefirewallsendstheupdatedcategorytothe
DP.
AsnewURLsandcategoriesaredefinedorifcriticalupdatesareneeded,theclouddatabaseisupdated.Each
timethefirewallqueriesthecloudforaURLlookuporifnocloudlookupshaveoccurredfor30minutes,the
databaseversionsonthefirewallbecomparedandiftheydonotmatch,anincrementalupdatewillbe
performed.
ThefollowingtabledescribesthePANDBcomponentsindetail.TheBrightCloudsystemworkssimilarly,
butdoesnotuseaninitialseeddatabase.
Component Description
URLFilteringSeed Theinitialseeddatabasedownloadedtothefirewallisasmallsubsetofthedatabase
Database thatismaintainedonthePaloAltoNetworksURLcloudservers.Thereasonthisis
doneisbecausethefulldatabasecontainsmillionsofURLsandmanyoftheseURLs
mayneverbeaccessedbyyourusers.Whendownloadingtheinitialseeddatabase,
youselectaregion(NorthAmerica,Europe,APAC,Japan).Eachregioncontainsa
subsetofURLsmostaccessedforthegivenregion.Thisallowsthefirewalltostorea
muchsmallerURLdatabaseforbetterURLlookupperformance.Ifauseraccessesa
websitethatisnotinthelocalURLdatabase,thefirewallqueriesthefullcloud
databaseandthenaddsthenewURLtothelocaldatabase.Thiswaythelocal
databaseonthefirewalliscontinuallypopulated/customizedbasedonactualuser
activity.
NotethatredownloadingthePANDBseeddatabaseorswitchingtheURLdatabase
vendorfromPANDBtoBrightCloudwillclearthelocaldatabase.
Component: Cloud Service (see Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud for information on the private cloud)
Description: The PAN-DB cloud service is implemented using Amazon Web Services (AWS). AWS provides a distributed, high-performance, and stable environment for seed database downloads and URL lookups for Palo Alto Networks firewalls, and communication is performed over SSL. The AWS cloud systems hold the entire PAN-DB, which is updated as new URLs are identified. The PAN-DB cloud service supports an automated mechanism to update the local URL database on the firewall if the version does not match. Each time the firewall queries the cloud servers for URL lookups, it will also check for critical updates. If there have been no queries to the cloud servers for more than 30 minutes, the firewall will check for updates on the cloud systems.
The cloud system also provides a mechanism to submit URL category change requests. This is performed through the Test A Site service and is available directly from the firewall (URL filtering profile setup) and from the Palo Alto Networks Test A Site website. You can also submit a URL categorization change request directly from the URL filtering log on the firewall in the log details section.
Component: Management Plane (MP) URL Cache
Description: When you activate PAN-DB on the firewall, the firewall downloads a seed database from one of the PAN-DB cloud servers to initially populate the local cache for improved lookup performance. Each regional seed database contains the top URLs for the region, and the size of the seed database (number of URL entries) also depends on the platform. The URL MP cache is automatically written to the local drive on the firewall every eight hours, before the firewall is rebooted, or when the cloud upgrades the URL database version on the firewall. After rebooting the firewall, the file that was saved to the local drive will be loaded to the MP cache. A least recently used (LRU) mechanism is also implemented in the URL MP cache in case the cache is full. If the cache becomes full, the URLs that have been accessed the least will be replaced by the newer URLs.
Component: Dataplane (DP) URL Cache
Description: This is a subset of the MP cache and is a customized, dynamic URL database that is stored in the dataplane (DP) and is used to improve URL lookup performance. The URL DP cache is cleared at each firewall reboot. The number of URLs that are stored in the URL DP cache varies by hardware platform and the current URLs stored in the TRIE (data structure). A least recently used (LRU) mechanism is implemented in the DP cache in case the cache is full. If the cache becomes full, the URLs that have been accessed the least will be replaced by the newer URLs. Entries in the URL DP cache expire after a specified period of time; this expiration period is not configurable.
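The lookup path described above (DP cache, then MP cache, then the cloud, with LRU eviction in both caches and expiry in the DP cache) as an added illustrative model; this is not Palo Alto Networks code. Capacities, the DP expiry time, the cloud dictionary and the "unknown" category for a cloud miss are constructed assumptions chosen to make the behaviour observable.

```python
"""Added example, not Palo Alto Networks code: a small model of the
dataplane (DP) / management plane (MP) / cloud URL lookup path described
in the guide. Capacities, the DP expiry time and the 'cloud' dict are
constructed stand-ins so eviction and expiry can be exercised offline."""
from collections import OrderedDict


class UrlLookup:
    def __init__(self, cloud, mp_capacity, dp_capacity, dp_ttl):
        self.cloud = cloud            # url -> category; stands in for the PAN-DB cloud
        self.cloud_connected = True   # set False to simulate a lost cloud connection
        self.cloud_queries = 0
        self.mp = OrderedDict()       # MP cache: url -> category, oldest first (LRU)
        self.dp = OrderedDict()       # DP cache: url -> (category, expires_at), LRU
        self.mp_capacity = mp_capacity
        self.dp_capacity = dp_capacity
        self.dp_ttl = dp_ttl          # fixed expiry period for DP entries

    def seed(self, entries):
        """Load a seed database into the MP cache. As the guide notes, a
        (re-)download clears both caches before the new seed is loaded."""
        self.mp.clear()
        self.dp.clear()
        for url, category in entries:
            self._mp_put(url, category)

    def _mp_put(self, url, category):
        self.mp[url] = category
        self.mp.move_to_end(url)
        if len(self.mp) > self.mp_capacity:
            self.mp.popitem(last=False)       # evict the least recently used entry

    def _dp_put(self, url, category, now):
        self.dp[url] = (category, now + self.dp_ttl)
        self.dp.move_to_end(url)
        if len(self.dp) > self.dp_capacity:
            self.dp.popitem(last=False)       # evict the least recently used entry

    def lookup(self, url, now):
        """Return (category, source) with source 'dp', 'mp' or 'cloud'.
        A URL missing from both caches while the cloud is unreachable is
        reported as 'not-resolved', as in the troubleshooting section."""
        entry = self.dp.get(url)
        if entry is not None and entry[1] > now:
            self.dp.move_to_end(url)          # a hit refreshes the LRU position
            return entry[0], "dp"
        if entry is not None:
            del self.dp[url]                  # expired DP entry
        if url in self.mp:
            category = self.mp[url]
            self.mp.move_to_end(url)
            self._dp_put(url, category, now)  # the DP cache is filled from the MP cache
            return category, "mp"
        if not self.cloud_connected:
            return "not-resolved", "none"
        self.cloud_queries += 1
        category = self.cloud.get(url, "unknown")  # assumption: cloud miss -> "unknown"
        self._mp_put(url, category)
        self._dp_put(url, category, now)
        return category, "cloud"

    def reboot(self):
        """The DP cache is cleared at reboot; the MP cache survives through
        the copy written to the local drive (modelled here as simply kept)."""
        self.dp.clear()
```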
Enable a URL Filtering Vendor
To enable URL filtering on a firewall, you must purchase and activate a URL Filtering license for one of the supported URL Filtering vendors and then install the database for the vendor you selected.
Starting with PAN-OS 6.0, firewalls managed by Panorama do not need to be running the same URL filtering vendor that is configured on Panorama. For firewalls running PAN-OS 6.0 or later, when a mismatch is detected between the vendor enabled on the firewalls and what is enabled on Panorama, the firewalls can automatically migrate URL categories and/or URL profiles to (one or more) categories that align with that of the vendor enabled on it. For guidance on how to configure URL Filtering on Panorama if you are managing firewalls running different PAN-OS versions, refer to the Panorama Administrator's Guide.
If you have valid licenses for both PAN-DB and BrightCloud, activating the PAN-DB license automatically deactivates the BrightCloud license (and vice versa). Only one URL filtering license can be active on a firewall at a time.
Enable PAN-DB URL Filtering
Enable BrightCloud URL Filtering
Enable PAN-DB URL Filtering
NOTE: If PAN-DB is already the active URL filtering vendor, clicking Re-Download clears the dataplane and management plane caches and replaces them with a new seed database. You should avoid doing this unless it is necessary, as you will lose your cache, which is customized based on your users' web traffic.
Enable BrightCloud URL Filtering
Determine URL Filtering Policy Requirements
The recommended practice for deploying URL filtering in your organization is to first start with a passive URL filtering profile that will alert on most categories. After setting the alert action, you can then monitor user web activity for a few days to determine patterns in web traffic. After doing so, you can then make decisions on the websites and website categories that should be controlled.
In the procedure that follows, threat-prone sites will be set to block and the other categories will be set to alert, which will cause all website traffic to be logged. This may potentially create a large amount of log files, so it is best to do this for initial monitoring purposes to determine the types of websites your users are accessing. After determining the categories that your company approves of, those categories should then be set to allow, which will not generate logs. You can also reduce URL filtering logs by enabling the Log container page only option in the URL Filtering profile, so only the main page that matches the category will be logged, not subsequent pages/categories that may be loaded within the container page.
If you subscribe to third-party URL feeds and want to secure your users from emerging threats, see Use an External Dynamic List in a URL Filtering Profile.
Configure and Apply a Passive URL Filtering Profile
Configure URL Filtering
After you Determine URL Filtering Policy Requirements, you should have a basic understanding of what types of websites and website categories your users are accessing. With this information, you are now ready to create custom URL filtering profiles and attach them to the security policy rule(s) that allow web access.
In addition to managing web access with a URL Filtering profile, and if you have User-ID configured, you can also manage the sites to which users can submit corporate credentials.
Configure Website Access and Credential Submission Permissions
Configure Website Access and Credential Submission Permissions
Step 6 Enable Safe Search Enforcement.
Use an External Dynamic List in a URL Filtering Profile
An External Dynamic List is a text file that is hosted on an external web server. You can use this list to import URLs and enforce policy on these URLs. When the list is updated on the web server, the firewall retrieves the changes and applies policy to the modified list without requiring a commit on the firewall.
For more information, see External Dynamic List.
Use an External Dynamic List with URLs in a URL Filtering Profile
Customize the URL Filtering Response Pages
The firewall provides predefined URL Filtering Response Pages that display by default when:
A user attempts to browse to a site in a category with restricted access.
A user submits valid corporate credentials to a site for which credential detection is enabled (Prevent Credential Phishing based on URL category).
Container Pages blocks a search attempt.
However, you can create your own custom response pages with your corporate branding, acceptable use policies, and links to your internal resources.
Customize the URL Filtering Response Pages
Allow Password Access to Certain Sites
In some cases there may be URL categories that you want to block, but allow certain individuals to browse to on occasion. In this case, you would set the category action to override and define a URL admin override password in the firewall Content-ID configuration. When users attempt to browse to the category, they will be required to provide the override password before they are allowed access to the site. Use the following procedure to configure URL admin override:
Configure URL Admin Override
Safe Search Enforcement
Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. You can enable the firewall to block search results if the end user is not using the strictest safe search settings, and you can also transparently enable safe search for your users. The firewall supports safe search enforcement for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube.
Consider that safe search is a best-effort setting and service providers do not guarantee that it works with every website, and search providers classify sites as safe or unsafe (not Palo Alto Networks).
To use this feature you must enable the Safe Search Enforcement option in a URL filtering profile and attach it to a security policy rule. The firewall then blocks any matching search query return traffic that is not using the strictest safe search settings. There are two methods to enforce safe search:
Block Search Results when Strict Safe Search is not Enabled: When an end user attempts to perform a search without first enabling the strictest safe search settings, the firewall blocks the search query results and displays the URL Filtering Safe Search Block Page. By default, this page will provide a URL to the search provider settings for configuring safe search.
Transparently Enable Safe Search for Users: When an end user attempts to perform a search without first enabling the strict safe search settings, the firewall blocks the search results with an HTTP 503 status code and redirects the search query to a URL that includes the safe search parameters. You enable this functionality by importing a new URL Filtering Safe Search Block Page containing the JavaScript for rewriting the search URL to include the strict safe search parameters. In this configuration, users will not see the block page, but will instead be automatically redirected to a search query that enforces the strictest safe search options. This safe search enforcement method requires content release version 475 or later and is only supported for Google, Yahoo, and Bing searches.
As safe search settings differ by search provider, get started by reviewing the different safe search implementations. There are then two ways you can enforce safe search: you can block search results when safe search is disabled, or you can transparently enable safe search for your users:
Safe Search Settings for Search Providers
Block Search Results when Strict Safe Search is not Enabled
Transparently Enable Safe Search for Users
Safe Search Settings for Search Providers
Safe search settings differ for each search provider; review the following settings to learn more.
Search Provider: Google/YouTube
Safe Search Setting Description: Offers safe search on individual computers or network-wide through Google's safe search virtual IP address:
Safe Search Enforcement for Google Searches on Individual Computers
In the Google Search Settings, the Filter explicit results setting enables safe search functionality. When enabled, the setting is stored in a browser cookie as FF= and passed to the server each time the user performs a Google search.
Appending safe=active to a Google search query URL also enables the strictest safe search settings.
Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address
Google provides servers that Lock SafeSearch (forcesafesearch.google.com) settings in every Google and YouTube search. By adding a DNS entry for www.google.com and www.youtube.com (and other relevant Google and YouTube country subdomains) that includes a CNAME record pointing to forcesafesearch.google.com to your DNS server configuration, you can ensure that all users on your network are using strict safe search settings every time they perform a Google or YouTube search. Keep in mind, however, that this solution is not compatible with Safe Search Enforcement on the firewall. Therefore, if you are using this option to force safe search on Google, the best practice is to block access to other search engines on the firewall by creating custom URL categories and adding them to the block list in the URL filtering profile.
If you plan to use the Google Lock SafeSearch solution, consider configuring DNS Proxy (Network > DNS Proxy) and setting the inheritance source as the Layer 3 interface on which the firewall receives DNS settings from the service provider via DHCP. You would configure the DNS proxy with Static Entries for www.google.com and www.youtube.com, using the local IP address for the forcesafesearch.google.com server.
Search Provider: Yahoo
Safe Search Setting Description: Offers safe search on individual computers only. The Yahoo Search Preferences include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as vm= and passed to the server each time the user performs a Yahoo search.
Appending vm=r to a Yahoo search query URL also enables the strictest safe search settings.
NOTE: When performing a search on Yahoo Japan (yahoo.co.jp) while logged in to a Yahoo account, end users must also enable the SafeSearch Lock option.
Search Provider: Bing
Safe Search Setting Description: Offers safe search on individual computers or through their Bing in the Classroom program. The Bing Settings include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as adlt= and passed to the server each time the user performs a Bing search.
Appending adlt=strict to a Bing search query URL also enables the strictest safe search settings.
The Bing SSL search engine does not enforce the safe search URL parameters and you should therefore consider blocking Bing over SSL for full safe search enforcement.
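The transparent enforcement method (HTTP 503 plus a redirect to a query carrying the strict parameter) and the per-provider parameters in the table above, as an added example; this is not the firewall's block-page JavaScript nor any Palo Alto Networks code. The provider detection by hostname label, the 503/allow decision tuple and the sample URLs are constructed assumptions for the illustration.

```python
"""Added example, not Palo Alto Networks code: the strict safe search URL
rewrite described in the guide, expressed in Python so the per-provider
parameter logic (safe=active, vm=r, adlt=strict) can be tested offline.
Provider detection by hostname label is a simplifying assumption."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Strictest safe search query parameter per provider, as listed in the guide.
STRICT_PARAMS = {
    "google": ("safe", "active"),
    "yahoo": ("vm", "r"),
    "bing": ("adlt", "strict"),
}


def provider_for(host):
    """Map a search hostname to a provider name, or None if unsupported.
    Assumption: the provider name appears as one DNS label (www.google.co.uk,
    search.yahoo.co.jp, www.bing.com)."""
    labels = host.lower().split(".")
    for name in STRICT_PARAMS:
        if name in labels:
            return name
    return None


def is_strict(url):
    """True when the query already carries the provider's strictest setting.
    URLs for unsupported providers are reported strict: nothing to enforce."""
    parts = urlsplit(url)
    provider = provider_for(parts.netloc)
    if provider is None:
        return True
    key, value = STRICT_PARAMS[provider]
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    return query.get(key) == value


def enforce_strict(url):
    """Return the search URL with the strict parameter set, replacing any
    weaker value (vm=p, adlt=moderate ...) already present."""
    parts = urlsplit(url)
    provider = provider_for(parts.netloc)
    if provider is None or is_strict(url):
        return url
    key, value = STRICT_PARAMS[provider]
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != key]
    query.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def enforcement_decision(url):
    """Model of the transparent method: a strict query is allowed through;
    anything else is answered with HTTP 503 and redirected to the rewritten
    query. Note the guide's caveat that Bing over SSL ignores the parameter."""
    if is_strict(url):
        return ("allow", url)
    return (503, enforce_strict(url))
```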
Block Search Results when Strict Safe Search is not Enabled
By default, when you enable safe search enforcement and a user attempts to perform a search without using the strictest safe search settings, the firewall will block the search query results and display the URL Filtering Safe Search Block Page. This page provides a link to the search settings page for the corresponding search provider so that the end user can enable the safe search settings. If you plan to use this default method for enforcing safe search, you should communicate the policy to your end users prior to deploying the policy. See Safe Search Settings for Search Providers for details on how each search provider implements safe search. The default URL Filtering Safe Search Block Page provides a link to the search settings for the corresponding search provider. You can optionally Customize the URL Filtering Response Pages.
Alternatively, to enable safe search enforcement so that it is transparent to your end users, configure the firewall to Transparently Enable Safe Search for Users.
Enable Safe Search Enforcement
4. Use the link in the block page to go to the search settings for the search provider and set the safe search setting back to the strictest setting (Strict in the case of Bing) and then click Save.
5. Perform a search again from Bing and verify that the filtered search results display instead of the block page.
Transparently Enable Safe Search for Users
If you want to enforce filtering of search query results with the strictest safe search filters, but you don't want your end users to have to manually configure the settings, you can enable transparent safe search enforcement as follows. This functionality is supported on Google, Yahoo, and Bing search engines only and requires Content Release version 475 or later.
Enable Transparent Safe Search Enforcement
Step 5 Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently.
1. Select Device > Response Pages > URL Filtering Safe Search Block Page.
2. Select Predefined and then click Export to save the file locally.
3. Use an HTML editor and replace all of the existing block page text with the text here and then save the file.
Copy the transparent safe search script and paste it into the HTML editor, replacing the entire block page.
Monitor Web Activity
The ACC, URL filtering logs and reports show all user web activity for URL categories that are set to alert, block, continue, or override. By monitoring the logs, you can gain a better understanding of the web activity of your user base to determine a web access policy.
The following topics describe how to monitor web activity:
Monitor Web Activity of Network Users
View the User Activity Report
Configure Custom URL Filtering Reports
Monitor Web Activity of Network Users
You can use the ACC, and the URL filtering reports and logs that are generated on the firewall, to track user activity.
For a quick view of the most common categories users access in your environment, check the ACC widgets. Most Network Activity widgets allow you to sort on URLs. For example, in the Application Usage widget, you can see that the networking category is the most accessed category, followed by encrypted-tunnel and ssl.
You can also view the list of Threat Activity and Blocked Activity sorted on URLs.
Block log: In this example, the insufficient-content category is set to continue. If the category had been set to block instead, the log Action would be block-url.
Alert log on encrypted website: In this example, the category is private-ip-addresses and the application is web-browsing. This log also indicates that the firewall decrypted this traffic.
You can also add several other columns to your URL Filtering log view, such as: to and from zone, content type, and whether or not a packet capture was performed. To modify what columns to display, click the down arrow in any column and select the attribute to display.
To view the complete log details and/or request a category change for the given URL that was accessed, click the log details icon in the first column of the log.
To generate a predefined URL filtering report on URL categories, URL users, websites accessed, blocked categories, and more, select Monitor > Reports and under the URL Filtering Reports section, select one of the reports. The reports cover the 24-hour period of the date you select on the calendar. You can also export the report to PDF, CSV, or XML.
View the User Activity Report
This report provides a quick method of viewing user or group activity and also provides an option to view browse time activity.
Generate a User Activity Report
Step 1 Configure a User Activity Report.
1. Select Monitor > PDF Reports > User Activity Report.
2. Add a report and enter a Name for it.
3. Select the report Type:
Select User to generate a report for one person.
Select Group for a group of users.
NOTE: You must Enable User-ID in order to be able to select user or group names. If User-ID is not configured, you can select the type User and enter the IP address of the user's computer.
4. Enter the Username/IP Address for a user report or enter the group name for a user group report.
5. Select the time period. You can select an existing time period, or select Custom.
6. Select the Include Detailed Browsing check box, so browsing information is included in the report.
3. After downloading the report, click Cancel.
4. If you want to save the user activity report settings so you can run the same report again later, click OK; otherwise click Cancel.
Step 3 View the user activity report by opening the file that you downloaded. The PDF version of the report shows the user or group on which you based the report, the report time frame, and a table of contents:
Configure Custom URL Filtering Reports
To generate a detailed report that you can schedule to run regularly, configure a custom URL Filtering report. You can choose any combination of URL Filtering log fields on which to base the report.
Configure a Custom URL Filtering Report
3. If the firewall is enabled to Prevent Credential Phishing, select the Attribute Flags, the Operator has and the Value Credential Detected to also include events in the report that record when a user submitted a valid corporate credential to a site.
4. (Optional) Select a Sort By option to set the attribute to use to aggregate the report details. If you do not select an attribute to sort by, the report will return the first N number of results without any aggregation. Select a Group By attribute to use as an anchor for grouping data. The following example shows a report with Group By set to App Category and Sort By set to a Count of Top 5.
Step 4 Commit the configuration.
Set Up the PAN-DB Private Cloud
To deploy one or more M-500 appliances as a PAN-DB private cloud within your network or data center, you must complete the following tasks:
Configure the PAN-DB Private Cloud
Configure the Firewalls to Access the PAN-DB Private Cloud
Configure the PAN-DB Private Cloud
Set up the PAN-DB Private Cloud
3. Use the following command to check the version of the cloud database on the appliance:
show pan-url-cloud-status
Cloud status: Up
URL database version: 20150417-220
Step 7 Configure the Firewalls to Access the PAN-DB Private Cloud.
Configure the Firewalls to Access the PAN-DB Private Cloud
When using the PAN-DB public cloud, each firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect for URL lookups. With the PAN-DB private cloud, you must configure the firewalls with a (static) list of your PAN-DB private cloud servers that will be used for URL lookups. The list can contain up to 20 entries; IPv4 addresses, IPv6 addresses, and FQDNs are supported. Each entry on the list (IP address or FQDN) must be assigned to the management port and/or eth1 of the PAN-DB server.
Configure the Firewalls to Access the PAN-DB Private Cloud
Step 1 Pick one of the following options based on the PAN-OS version on the firewall.
For firewalls running PAN-OS 7.0, access the PAN-OS CLI or the web interface on the firewall.
Use the following CLI command to configure access to the private cloud:
set deviceconfig setting pan-url-db cloud-static-list <IP addresses> enable
Or, in the web interface for each firewall, select Device > Setup > Content-ID, edit the URL Filtering section and enter the PAN-DB Server IP address(es) or FQDN(s). The list must be comma-separated.
For firewalls running PAN-OS 5.0, 6.0, or 6.1, use the following CLI command to configure access to the private cloud:
debug device-server pan-url-db cloud-static-list-enable <IP addresses> enable
NOTE: To delete the entries for the private PAN-DB servers, and allow the firewalls to connect to the PAN-DB public cloud, use the command:
set deviceconfig setting pan-url-db cloud-static-list <IP addresses> disable
When you delete the list of private PAN-DB servers, a re-election process is triggered on the firewall. The firewall first checks for the list of PAN-DB private cloud servers and when it cannot find one, the firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect.
Step 2 Commit your changes.
Step 3 To verify that the change is effective, use the following CLI command on the firewall:
show url-cloud-status
Cloud status: Up
URL database version: 20150417-220
URL Filtering Use Cases
The following use cases show how to use App-ID to control a specific set of web-based applications and how to use URL categories as match criteria in a policy. When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App-ID facebook-base is required to access the Facebook website and to control other Facebook applications. For example, to configure the firewall to control Facebook email, you would have to allow the App-IDs facebook-base and facebook-mail. As another example, if you search Applipedia (the App-ID database) for LinkedIn, you will see that in order to control LinkedIn mail, you need to apply the same action to both App-IDs: linkedin-base and linkedin-mail. To determine application dependencies for App-ID signatures, visit Applipedia, search for the given application, and then click the application for details.
Use Case: Control Web Access
Use Case: Use URL Categories for Policy Matching
These use cases rely on User-ID to implement policies based on users and groups, and on Decryption to identify and control websites that are encrypted using SSL/TLS.
Use Case: Control Web Access
When using URL filtering to control user website access, there may be instances where granular control is required for a given website. In this use case, a URL filtering profile is applied to the security policy that allows web access for your users and the social-networking URL category is set to block, but the allow list in the URL profile is configured to allow the social networking site Facebook. To further control Facebook, the company policy also states that only marketing has full access to Facebook and all other users within the company can only read Facebook posts and cannot use any other Facebook applications, such as email, posting, chat, and file sharing. To accomplish this requirement, App-ID must be used to provide granular control over Facebook.
The first Security policy rule will allow marketing to access the Facebook website as well as all Facebook applications. Because this allow rule will also allow access to the Internet, threat prevention profiles are applied to the rule, so traffic that matches the policy will be scanned for threats. This is important because the allow rule is terminal and will not continue to check other rules if there is a traffic match.
Control Web Access
3. Click OK to save the profile.
3. Click OK to save.
7. Click OK to save the security profile.
8. Ensure that this new deny rule is listed after the marketing allow rule, to ensure that rule processing occurs in the correct order to allow marketing users and then to deny/limit all other users.
9. Click Commit to save the configuration.
With these security policy rules in place, any user who is part of the marketing group will have full access to all Facebook applications and any user that is not part of the marketing group will only have read-only access to the Facebook website and will not be able to use Facebook applications such as post, chat, email, and file sharing.
Use Case: Use URL Categories for Policy Matching
You can also use URL categories as match criteria in the following policy types: Authentication, Decryption, Security, and QoS. In this use case, Decryption policy rules match on URL categories to control which web categories to decrypt or not decrypt. The first rule is a no-decrypt rule instructing the firewall not to decrypt outbound user traffic to financial-services or health-and-medicine sites and the second rule instructs the firewall to decrypt all other traffic.
Configure a Decryption Policy Based on URL Category
8. Click OK to save the policy rule.
certificate verification, unsupported mode checks and failure checks for the SSL traffic. See Configure SSL Forward Proxy for more details.
6. Ensure that this new decryption rule is listed after the no-decrypt rule to ensure that rule processing occurs in the correct order, so websites in the financial-services and health-and-medicine categories are not decrypted.
7. Click OK to save the policy rule.
With these two decrypt policies in place, any traffic destined for the financial-services or health-and-medicine URL categories will not be decrypted. All other traffic will be decrypted.
Now that you have a basic understanding of the powerful features of URL filtering, App-ID, and User-ID, you can apply similar policies to your firewall to control any application in the Palo Alto Networks App-ID signature database and control any website contained in the URL filtering database.
For help in troubleshooting URL filtering issues, see Troubleshoot URL Filtering.
Troubleshoot URL Filtering
The following topics provide troubleshooting guidelines for diagnosing and resolving common URL filtering problems.
Problems Activating PAN-DB
PAN-DB Cloud Connectivity Issues
URLs Classified as Not-Resolved
Incorrect Categorization
URL Database Out of Date
Problems Activating PAN-DB
Use the following workflow to troubleshoot PAN-DB activation issues.
Troubleshoot PAN-DB Activation Issues
Step 1 Access the PAN-OS CLI.
Step 2 Verify whether PAN-DB has been activated by running the following command:
show system setting url-database
If the response is paloaltonetworks, PAN-DB is the active vendor.
Step 3 Verify that the firewall has a valid PAN-DB license by running the following command:
request license info
You should see the license entry Feature: PAN_DB URL Filtering. If the license is not installed, you will need to obtain and install a license. See Configure URL Filtering.
Step 4 After installing the license, download a new PAN-DB seed database by running the following command:
request url-filtering download paloaltonetworks region <region>
Step 5 Check the download status by running the following command:
request url-filtering download status vendor paloaltonetworks
If the message is different from PAN-DB download: Finished successfully, stop here; there may be a problem connecting to the cloud. Attempt to solve the connectivity issue by performing basic network troubleshooting between the firewall and the Internet. For more information, see PAN-DB Cloud Connectivity Issues.
If the message is PAN-DB download: Finished successfully, the firewall successfully downloaded the URL seed database. Try to enable PAN-DB again by running the following command:
admin@PA-200> set system setting url-database paloaltonetworks
3. If the problems persist, contact Palo Alto Networks Customer Support.
PAN-DB Cloud Connectivity Issues
To check connectivity between the firewall and the PAN-DB cloud:
show url-cloud status
If the cloud is accessible, the expected response is similar to the following:
show url-cloud status
PAN-DB URL Filtering
License : valid
Current cloud server : s0000.urlcloud.paloaltonetworks.com
Cloud connection : connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19
13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
If the cloud is not accessible, the expected response is similar to the following:
show url-cloud status
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19
13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
Use the following checklist to identify and resolve connectivity issues:
Does the PAN-DB URL Filtering license field show as invalid? Obtain and install a valid PAN-DB license.
Does the URL database status show as out of date? Download a new seed database by running the following command:
request url-filtering download paloaltonetworks region <region>
Does the URL protocol version show as not compatible? Upgrade PAN-OS to the latest version.
Can you ping the PAN-DB cloud server from the firewall? Run the following command to check:
ping source <ip-address> host s0000.urlcloud.paloaltonetworks.com
For example, if your management interface IP address is 10.1.1.5, run the following command:
ping source 10.1.1.5 host s0000.urlcloud.paloaltonetworks.com
Is the firewall in an HA configuration? Verify that the HA state of the firewalls is in the active, active-primary, or active-secondary state. Access to the PAN-DB cloud will be blocked if the firewall is in a different state. Run the following command on each firewall in the pair to see the state:
show high-availability state
If you still have problems with connectivity between the firewall and the PAN-DB cloud, contact Palo Alto Networks support.
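The connectivity checklist above, applied automatically to the two `show url-cloud status` outputs quoted in this section, as an added example that is not Palo Alto Networks code. The parser assumes the `key : value` layout shown in the quoted output; the exact status strings for a failing license, database or protocol are assumptions (anything other than the healthy values shown is flagged), and a device/cloud version mismatch is reported only as a hint.

```python
"""Added example, not Palo Alto Networks code: parse the output of the
PAN-OS `show url-cloud status` command and run the guide's connectivity
checklist over it. Both samples are the outputs quoted in the guide."""

# Constructed from the guide's "cloud is accessible" sample.
CONNECTED_SAMPLE = """\
PAN-DB URL Filtering
License : valid
Current cloud server : s0000.urlcloud.paloaltonetworks.com
Cloud connection : connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19
13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
"""

# Constructed from the guide's "cloud is not accessible" sample.
DISCONNECTED_SAMPLE = """\
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19
13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
"""


def parse_url_cloud_status(text):
    """Turn 'key : value' lines into a dict. A line without ' : ' (such as the
    wrapped '13:20:51 )' fragment) is joined onto the previous value."""
    fields = {}
    last_key = None
    for line in text.splitlines():
        if " : " in line:
            key, _, value = line.partition(" : ")
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key is not None and line.strip():
            fields[last_key] += " " + line.strip()
    return fields


def checklist(fields):
    """Return (problem, remedy) pairs following the guide's checklist.
    Assumption: any value other than the healthy one seen in the sample
    output is treated as a problem, since the failing strings are not quoted."""
    findings = []
    if fields.get("License") != "valid":
        findings.append(("license invalid",
                         "Obtain and install a valid PAN-DB license."))
    if fields.get("Cloud connection") != "connected":
        findings.append(("cloud not connected",
                         "Check reachability (ping source <ip-address> host "
                         "s0000.urlcloud.paloaltonetworks.com) and the HA state "
                         "(show high-availability state)."))
    if fields.get("URL database status") != "good":
        findings.append(("database out of date",
                         "request url-filtering download paloaltonetworks region <region>"))
    if fields.get("Protocol compatibility status") != "compatible":
        findings.append(("protocol not compatible",
                         "Upgrade PAN-OS to the latest version."))
    device = fields.get("URL database version - device", "")
    cloud = fields.get("URL database version - cloud", "").split(" (")[0]
    if device and cloud and device != cloud:
        findings.append(("database version mismatch",
                         "The cloud normally updates the firewall automatically; "
                         "see URL Database Out of Date if the gap persists."))
    return findings
```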
URLs Classified as Not-Resolved
Use the following workflow to troubleshoot why some or all of the URLs being identified by PAN-DB are classified as not-resolved:
Troubleshoot URLs Classified as Not-Resolved
Step 1 Check the PAN-DB cloud connection by running the following command:
show url-cloud status
The Cloud connection: field should show connected. If you see anything other than connected, any URL that does not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB Cloud Connectivity Issues.
Step 2 If the cloud connection status shows connected, check the current utilization of the firewall. If firewall utilization is spiking, URL requests may be dropped (may not reach the management plane), and will be categorized as not-resolved.
To view system resources, run the following command and view the %CPU and %MEM columns:
show system resources
You can also view system resources on the System Resources widget on the Dashboard in the web interface.
Step 3 If the problem persists, contact Palo Alto Networks support.
Incorrect Categorization
Sometimes you may come across a URL that you believe is categorized incorrectly. Use the following workflow to determine the URL categorization for a site and request a category change, if appropriate.
Troubleshoot Incorrect Categorization Issues
Step 1 Verify the category in the dataplane by running the following command:
show running url <URL>
For example, to view the category for the Palo Alto Networks website, run the following command:
show running url paloaltonetworks.com
If the URL stored in the dataplane cache has the correct category (computer-and-internet-info in this example), then the categorization is correct and no further action is required. If the category is not correct, continue to the next step.
Step 2 Verify the category in the management plane by running the command:
test url-info-host <URL>
For example:
test url-info-host paloaltonetworks.com
If the URL stored in the management plane cache has the correct category, remove the URL from the dataplane cache by running the following command:
clear url-cache url <URL>
The next time the firewall requests the category for this URL, the request will be forwarded to the management plane. This will resolve the issue and no further action is required. If this does not solve the issue, go to the next step to check the URL category on the cloud systems.
Step 3 Verify the category in the cloud by running the following command:
test url-info-cloud <URL>
Step 4 If the URL stored in the cloud has the correct category, remove the URL from the dataplane and the management plane caches.
Run the following command to delete a URL from the dataplane cache:
clear url-cache url <URL>
Run the following command to delete a URL from the management plane cache:
delete url-database url <URL>
The next time the firewall queries for the category of the given URL, the request will be forwarded to the management plane and then to the cloud. This should resolve the category lookup issue. If problems persist, see the next step to submit a categorization change request.
Step 5 To submit a change request from the web interface, go to the URL log and select the log entry for the URL you would like to have changed.
URL Database Out of Date
If you have observed through the syslog or the CLI that PAN-DB is out of date, it means that the connection from the firewall to the PAN-DB cloud is blocked. This usually occurs when the URL database on the firewall is too old (version difference is more than three months) and the cloud cannot update the firewall automatically. In order to resolve this issue, you must re-download an initial seed database (this operation is not blocked). This will result in an automatic reactivation of PAN-DB.
To manually update the database, perform one of the following steps:
From the web interface, select Device > Licenses and in the PAN-DB URL Filtering section click the Re-Download link.
From the CLI, run the following command:
request url-filtering download paloaltonetworks region <region_name>
Re-downloading the seed database causes the URL cache in the management plane and dataplane to be purged. The management plane cache will then be repopulated with the contents of the new seed database.
Use the Palo Alto Networks product comparison tool to view the QoS features supported on your firewall platform. Select two or more product platforms and click Compare Now to view QoS feature support for each platform (for example, you can check if your firewall platform supports QoS on subinterfaces and if so, the maximum number of subinterfaces on which QoS can be enabled).
QoS on Aggregate Ethernet (AE) interfaces is supported on PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls running PAN-OS 7.0 or later release versions.
QoS Overview
Use QoS to prioritize and adjust quality aspects of network traffic. You can assign the order in which packets are handled and allot bandwidth, ensuring that preferred treatment and optimal levels of performance are afforded to selected traffic, applications, and users.
Service quality measurements subject to a QoS implementation are bandwidth (maximum rate of transfer), throughput (actual rate of transfer), latency (delay), and jitter (variance in latency). The capability to shape and control these service quality measurements makes QoS of particular importance to high-bandwidth, real-time traffic such as voice over IP (VoIP), video conferencing, and video on demand, which has a high sensitivity to latency and jitter. Additionally, use QoS to achieve outcomes such as the following:
- Prioritize network and application traffic, guaranteeing high priority to important traffic or limiting non-essential traffic.
- Achieve equal bandwidth sharing among different subnets, classes, or users in a network.
- Allocate bandwidth externally or internally or both, applying QoS to both upload and download traffic or to only upload or download traffic.
- Ensure low latency for customer and revenue-generating traffic in an enterprise environment.
- Perform traffic profiling of applications to ensure bandwidth usage.
QoS implementation on a Palo Alto Networks firewall begins with three primary configuration components that support a full QoS solution: a QoS Profile, a QoS Policy, and setting up the QoS Egress Interface. Each of these options in the QoS configuration task facilitates a broader process that optimizes and prioritizes the traffic flow and allocates and ensures bandwidth according to configurable parameters.
Figure: QoS Traffic Flow shows traffic as it flows from the source, is shaped by the firewall with QoS enabled, and is ultimately prioritized and delivered to its destination.
Figure: QoS Traffic Flow
The QoS configuration options allow you to control the traffic flow and define it at different points in the flow. Figure: QoS Traffic Flow indicates where the configurable options define the traffic flow. A QoS policy rule allows you to define the traffic you want to receive QoS treatment and assign that traffic a QoS class. The matching traffic is then shaped based on the QoS profile class settings as it exits the physical interface. Each of the QoS configuration components influences the others, and the QoS configuration options can be used to create a full and granular QoS implementation or can be used sparingly with minimal administrator action.
Each firewall model supports a maximum number of ports that can be configured with QoS. Refer to the spec sheet for your firewall model or use the product comparison tool to view QoS feature support for two or more firewalls on a single page.
QoS Concepts
Use the following topics to learn about the different components and mechanisms of a QoS configuration on a Palo Alto Networks firewall:
- QoS for Applications and Users
- QoS Policy
- QoS Profile
- QoS Classes
- QoS Priority Queuing
- QoS Bandwidth Management
- QoS Egress Interface
- QoS for Clear Text and Tunneled Traffic
QoS for Applications and Users
A Palo Alto Networks firewall provides basic QoS, controlling traffic leaving the firewall according to network or subnet, and extends the power of QoS to also classify and shape traffic according to application and user. The Palo Alto Networks firewall provides this capability by integrating the App-ID and User-ID features with the QoS configuration. App-ID and User-ID entries that exist to identify specific applications and users in your network are available in the QoS configuration so that you can easily specify applications and users for which you want to manage and/or guarantee bandwidth.
QoS Policy
Use a QoS policy rule to define traffic to receive QoS treatment (either preferential treatment or bandwidth limiting) and to assign such traffic a QoS class of service.
Define a QoS policy rule to match traffic based on:
- Applications and application groups.
- Source zones, source addresses, and source users.
- Destination zones and destination addresses.
- Services and service groups limited to specific TCP and/or UDP port numbers.
- URL categories, including custom URL categories.
- Differentiated Services Code Point (DSCP) and Type of Service (ToS) values, which are used to indicate the level of service requested for traffic, such as high priority or best effort delivery.
Set up multiple QoS policy rules (Policies > QoS) to associate different types of traffic with different QoS classes of service.
QoS Profile
Use a QoS profile rule to define values of up to eight QoS Classes contained within that single profile rule. With a QoS profile rule, you can define QoS Priority Queuing and QoS Bandwidth Management for QoS classes. Each QoS profile rule allows you to configure individual bandwidth and priority settings for up to eight QoS classes, as well as the total bandwidth allotted for the eight classes combined. Attach the QoS profile rule (or multiple QoS profile rules) to a physical interface to apply the defined priority and bandwidth settings to the traffic exiting that interface.
A default QoS profile rule is available on the firewall. The default profile rule and the classes defined in the profile do not have predefined maximum or guaranteed bandwidth limits.
To define priority and bandwidth settings for QoS classes, Add a QoS profile rule.
QoS Classes
A QoS class determines the priority and bandwidth for traffic matching a QoS Policy rule. You can use a QoS Profile rule to define QoS classes. There are up to eight definable QoS classes in a single QoS profile. Unless otherwise configured, traffic that does not match a QoS class is assigned a class of 4.
QoS Priority Queuing and QoS Bandwidth Management, the fundamental mechanisms of a QoS configuration, are configured within the QoS class definition (see Step 4). For each QoS class, you can set a priority (real-time, high, medium, and low) and the maximum and guaranteed bandwidth for matching traffic. QoS priority queuing and bandwidth management determine the order of traffic and how traffic is handled upon entering or leaving a network.
QoS Priority Queuing
One of four priorities can be enforced for a QoS class: real-time, high, medium, and low. Traffic matching a QoS policy rule is assigned the QoS class associated with that rule, and the firewall treats the matching traffic based on the QoS class priority. Packets in the outgoing traffic flow are queued based on their priority until the network is ready to process the packets. Priority queuing allows you to ensure that important traffic, applications, and users take precedence. Real-time priority is typically used for applications that are particularly sensitive to latency, such as voice and video applications.
QoS Bandwidth Management
QoS bandwidth management allows you to control traffic flows on a network so that traffic does not exceed network capacity (resulting in network congestion) and also allows you to allocate bandwidth for certain types of traffic and for applications and users. With QoS, you can enforce bandwidth for traffic on a narrow or a broad scale. A QoS profile rule allows you to set bandwidth limits for individual QoS classes and the total combined bandwidth for all eight QoS classes. As part of the steps to Configure QoS, you can attach the QoS profile rule to a physical interface to enforce bandwidth settings on the traffic exiting that interface: the individual QoS class settings are enforced for traffic matching that QoS class (QoS classes are assigned to traffic matching QoS Policy rules), and the overall bandwidth limit for the profile can be applied to all clear text traffic, specific clear text traffic originating from source interfaces and source subnets, all tunneled traffic, and individual tunnel interfaces. You can add multiple profile rules to a single QoS interface to apply varying bandwidth settings to the traffic exiting that interface.
The following fields support QoS bandwidth settings:
Egress Guaranteed: The amount of bandwidth guaranteed for matching traffic. When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best effort basis. Bandwidth that is guaranteed but is unused continues to remain available for all traffic. Depending on your QoS configuration, you can guarantee bandwidth for a single QoS class, for all or some clear text traffic, and for all or some tunneled traffic.
Example:
Class 1 traffic has 5 Gbps of egress guaranteed bandwidth, which means that 5 Gbps is available but is not reserved for Class 1 traffic. If Class 1 traffic does not use or only partially uses the guaranteed bandwidth, the remaining bandwidth can be used by other classes of traffic. However, during high traffic periods, 5 Gbps of bandwidth is absolutely available for Class 1 traffic. During these periods of congestion, any Class 1 traffic that exceeds 5 Gbps is best effort.
Egress Max: The overall bandwidth allocation for matching traffic. The firewall drops traffic that exceeds the egress max limit that you set. Depending on your QoS configuration, you can set a maximum bandwidth limit for a QoS class, for all or some clear text traffic, for all or some tunneled traffic, and for all traffic exiting the QoS interface.
The cumulative guaranteed bandwidth for the QoS profile rules attached to the interface must not exceed the total bandwidth allocated to the interface.
To define bandwidth settings for QoS classes, Add a QoS profile rule. To then apply those bandwidth settings to clear text and tunneled traffic, and to set the overall bandwidth limit for a QoS interface, Enable QoS on a physical interface.
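To make the Egress Guaranteed and Egress Max semantics concrete, the following is an added Python model (not Palo Alto Networks code) of how a congested interface splits bandwidth across the classes of one profile: guaranteed bandwidth is served first, the remainder goes out by priority up to each class's Egress Max, and anything beyond the max is not forwarded. The class numbers, rates and offered loads are constructed, and the validation mirrors the rule that cumulative guaranteed bandwidth must not exceed the interface bandwidth.

```python
"""Added model of PAN-OS QoS Egress Guaranteed / Egress Max behaviour.
Illustrative code, not Palo Alto Networks code; the firewall's scheduler is
more elaborate than this two-pass allocation."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIORITY_RANK = {"real-time": 0, "high": 1, "medium": 2, "low": 3}
DEFAULT_CLASS = 4  # traffic that matches no QoS class is treated as class 4


@dataclass(frozen=True)
class QosClass:
    number: int               # 1..8, as in a QoS profile
    priority: str             # one of PRIORITY_RANK
    egress_guaranteed: float  # Mbps; 0 means nothing guaranteed
    egress_max: float = 0.0   # Mbps; 0 means no per-class cap


def validate_profile(interface_max: float, classes: List[QosClass]) -> List[str]:
    """Return the configuration problems to flag before committing a profile."""
    problems = []
    if not 1 <= len(classes) <= 8:
        problems.append("a QoS profile holds between one and eight classes")
    if len({c.number for c in classes}) != len(classes):
        problems.append("class numbers must be unique within a profile")
    for c in classes:
        if c.priority not in PRIORITY_RANK:
            problems.append(f"class {c.number}: unknown priority {c.priority!r}")
        if c.egress_max and c.egress_max > interface_max:
            problems.append(f"class {c.number}: Egress Max exceeds the interface bandwidth")
        if c.egress_max and c.egress_guaranteed > c.egress_max:
            problems.append(f"class {c.number}: Egress Guaranteed exceeds Egress Max")
    if sum(c.egress_guaranteed for c in classes) > interface_max:
        problems.append("cumulative Egress Guaranteed exceeds the interface bandwidth")
    return problems


def allocate(interface_max: float, classes: List[QosClass],
             offered: Dict[Optional[int], float]) -> Dict[int, float]:
    """Split interface_max Mbps across classes given the offered load per class.

    offered maps a class number (None = traffic that matched no QoS policy
    rule, which falls to DEFAULT_CLASS) to the Mbps that class tries to send.
    Pass 1 serves each class's guaranteed share; pass 2 hands out what is left
    in priority order (real-time first), bounded by each class's Egress Max.
    The result is what is forwarded; the rest is queued or dropped.
    """
    by_number = {c.number: c for c in classes}
    demand: Dict[int, float] = {}
    for key, mbps in offered.items():
        n = DEFAULT_CLASS if key is None else key
        demand[n] = demand.get(n, 0.0) + mbps
    unknown = set(demand) - set(by_number)
    if unknown:
        raise ValueError(f"no class definition for {sorted(unknown)}")

    # Pass 1: guaranteed bandwidth is always available during congestion.
    sent = {n: min(demand[n], by_number[n].egress_guaranteed) for n in demand}
    remaining = interface_max - sum(sent.values())

    # Pass 2: leftover capacity by priority, capped by each class's Egress Max.
    order = sorted(demand, key=lambda n: (PRIORITY_RANK[by_number[n].priority], n))
    for n in order:
        cap = by_number[n].egress_max or interface_max
        extra = min(demand[n] - sent[n], cap - sent[n], remaining)
        if extra > 0:
            sent[n] += extra
            remaining -= extra
    return sent


# Constructed profile: a high-priority class 1, a real-time class 2 (as in the
# voice/video use case), the default class 4, and a capped low-priority class 7.
EXAMPLE_CLASSES = [
    QosClass(1, "high", egress_guaranteed=50, egress_max=1000),
    QosClass(2, "real-time", egress_guaranteed=250),
    QosClass(4, "medium", egress_guaranteed=0),
    QosClass(7, "low", egress_guaranteed=0, egress_max=100),
]
INTERFACE_MAX_MBPS = 1000  # constructed interface bandwidth


def congested_example() -> Dict[int, float]:
    """1280 Mbps offered on a 1000 Mbps interface: class 7 is starved."""
    return allocate(INTERFACE_MAX_MBPS, EXAMPLE_CLASSES,
                    {1: 80, 2: 300, None: 700, 7: 200})


def uncongested_example() -> Dict[int, float]:
    """Plenty of headroom: only class 7's Egress Max of 100 Mbps bites."""
    return allocate(INTERFACE_MAX_MBPS, EXAMPLE_CLASSES,
                    {1: 80, 2: 100, 4: 200, 7: 200})


if __name__ == "__main__":
    print(validate_profile(INTERFACE_MAX_MBPS, EXAMPLE_CLASSES))  # []
    print(congested_example())    # {1: 80, 2: 300, 4: 620, 7: 0}
    print(uncongested_example())  # {1: 80, 2: 100, 4: 200, 7: 100}
```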
QoS Egress Interface
Enabling a QoS profile rule on the egress interface of the traffic identified for QoS treatment completes a QoS configuration. The ingress interface for QoS traffic is the interface on which the traffic enters the firewall. The egress interface for QoS traffic is the interface that traffic leaves the firewall from. QoS is always enabled and enforced on the egress interface for a traffic flow. The egress interface in a QoS configuration can either be the external- or internal-facing interface of the firewall, depending on the flow of the traffic receiving QoS treatment.
For example, in an enterprise network, if you are limiting employees' download traffic from a specific website, the egress interface in the QoS configuration is the firewall's internal interface, as the traffic flow is from the Internet, through the firewall, and to your company network. Alternatively, when limiting employees' upload traffic to the same website, the egress interface in the QoS configuration is the firewall's external interface, as the traffic you are limiting flows from your company network, through the firewall, and then to the Internet.
See Step 3 to learn how to identify the egress interface for applications that you want to receive QoS treatment.
QoS for Clear Text and Tunneled Traffic
At a minimum, enabling a QoS interface requires you to select a default QoS profile rule that defines bandwidth and priority settings for clear text traffic egressing the interface. However, when setting up or modifying a QoS interface, you can apply granular QoS settings to outgoing clear text traffic and tunneled traffic. QoS preferential treatment and bandwidth limiting can be enforced for tunneled traffic, for individual tunnel interfaces, and/or for clear text traffic originating from different source interfaces and source subnets. On Palo Alto Networks firewalls, tunneled traffic refers to tunnel interface traffic, specifically IPSec traffic in tunnel mode.
Configure QoS
Follow these steps to configure Quality of Service (QoS), which includes creating a QoS profile, creating a QoS policy, and enabling QoS on an interface.
Configure QoS
Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface listed in the Destination section:
Step 4: Add a QoS profile rule.
A QoS profile rule allows you to define the eight classes of service that traffic can receive, including priority, and enables QoS Bandwidth Management. You can edit any existing QoS profile, including the default, by clicking the QoS profile name.
1. Select Network > Network Profiles > QoS Profile and Add a new profile.
2. Enter a descriptive Profile Name.
3. Set the overall bandwidth limits for the QoS profile rule:
   - Enter an Egress Max value to set the overall bandwidth allocation for the QoS profile rule.
   - Enter an Egress Guaranteed value to set the guaranteed bandwidth for the QoS Profile.
   NOTE: Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed. Bandwidth that is guaranteed but is unused continues to remain available for all traffic.
4. In the Classes section, specify how to treat up to eight individual QoS classes:
   a. Add a class to the QoS Profile.
   b. Select the Priority for the class: real-time, high, medium, and low.
   c. Enter the Egress Max and Egress Guaranteed bandwidth for traffic assigned to each QoS class.
5. Click OK.
In the following example, the QoS profile rule LimitWebBrowsing limits Class 2 traffic to a maximum bandwidth of 50 Mbps and a guaranteed bandwidth of 2 Mbps.
7. (Optional) Continue to define more granular settings to provide QoS for Clear Text and Tunneled Traffic. Settings configured on the Clear Text Traffic tab and the Tunneled Traffic tab automatically override the default profile settings for clear text and tunneled traffic on the Physical Interface tab.
   Select Clear Text Traffic and:
   - Set the Egress Guaranteed and Egress Max bandwidths for clear text traffic.
   - Click Add and apply a QoS profile rule to enforce clear text traffic based on source interface and source subnet.
   Select Tunneled Traffic and:
   - Set the Egress Guaranteed and Egress Max bandwidths for tunneled traffic.
   - Click Add and attach a QoS profile rule to a single tunnel interface.
8. Click OK.
Step 6: Commit the configuration.
Class 2 traffic limited to 2 Mbps of guaranteed bandwidth and a maximum bandwidth of 50 Mbps.
Continue to click the tabs to display further information regarding applications, source users, destination users, security rules, and QoS rules.
NOTE: Bandwidth limits shown on the QoS Statistics window include a hardware adjustment factor.
Configure QoS for a Virtual System
QoS can be configured for a single virtual system or for several virtual systems configured on a Palo Alto Networks firewall. Because a virtual system is an independent firewall, QoS must be configured independently for each virtual system.
Configuring QoS for a virtual system is similar to configuring QoS on a physical firewall, with the exception that configuring QoS for a virtual system requires specifying the source and destination of traffic. Because a virtual system exists without set physical boundaries and because traffic in a virtual environment spans more than one virtual system, specifying source and destination zones and interfaces for traffic is necessary to control and shape traffic for a single virtual system.
The example below shows two virtual systems configured on a firewall. VSYS1 (purple) and VSYS2 (red) each have QoS configured to prioritize or limit two distinct traffic flows, indicated by their corresponding purple (VSYS1) and red (VSYS2) lines. The QoS nodes indicate the points at which traffic is matched to a QoS policy and assigned a QoS class of service, and then later indicate the point at which traffic is shaped as it egresses the firewall.
Refer to Virtual Systems for information on Virtual Systems and how to configure them.
Configure QoS in a Virtual System Environment
Click any application name to display detailed application information.
Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface, as well as source and destination zones, in the Source and Destination sections:
For example, for web-browsing traffic from VSYS1, the ingress interface is ethernet1/2, the egress interface is ethernet1/1, the source zone is trust and the destination zone is untrust.
Step 4: Create a QoS Profile.
You can edit any existing QoS Profile, including the default, by clicking the profile name.
1. Select Network > Network Profiles > QoS Profile and click Add to open the QoS Profile dialog.
2. Enter a descriptive Profile Name.
3. Enter an Egress Max to set the overall bandwidth allocation for the QoS profile.
4. Enter an Egress Guaranteed to set the guaranteed bandwidth for the QoS profile.
   NOTE: Any traffic that exceeds the QoS profile's egress guaranteed limit is best effort but is not guaranteed.
5. In the Classes section of the QoS Profile, specify how to treat up to eight individual QoS classes:
   a. Click Add to add a class to the QoS Profile.
   b. Select the Priority for the class.
   c. Enter an Egress Max for a class to set the overall bandwidth limit for that individual class.
   d. Enter an Egress Guaranteed for the class to set the guaranteed bandwidth for that individual class.
6. Click OK to save the QoS profile.
4. Select Source and Add the source zone of vsys1 web-browsing traffic.
5. Select Destination and Add the destination zone of vsys1 web-browsing traffic.
7. Click OK to save the QoS policy rule.
Enforce QoS Based on DSCP Classification
A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request (for example) high priority or best effort delivery for traffic. Session-Based DSCP Classification allows you to both honor DSCP values for incoming traffic and to mark a session with a DSCP value as session traffic exits the firewall. This enables all inbound and outbound traffic for a session to receive continuous QoS treatment as it flows through your network. For example, inbound return traffic from an external server can now be treated with the same QoS priority that the firewall initially enforced for the outbound flow, based on the DSCP value the firewall detected at the beginning of the session. Network devices between the firewall and end user will also then enforce the same priority for the return traffic (and any other outbound or inbound traffic for the session).
Different types of DSCP markings indicate different levels of service:
- Expedited Forwarding (EF): Can be used to request low loss, low latency and guaranteed bandwidth for traffic. Packets with EF codepoint values are typically guaranteed highest priority delivery.
- Assured Forwarding (AF): Can be used to provide reliable delivery for applications. Packets with an AF codepoint indicate a request for the traffic to receive higher priority treatment than best effort service provides (though packets with an EF codepoint will continue to take precedence over those with an AF codepoint).
- Class Selector (CS): Can be used to provide backward compatibility with network devices that use the IP precedence field to mark priority traffic.
- IP Precedence (ToS): Can be used by legacy network devices to mark priority traffic (the IP Precedence header field was used to indicate the priority for a packet before the introduction of the DSCP classification).
- Custom Codepoint: Create a custom codepoint to match to traffic by entering a Codepoint Name and Binary Value.
For example, select Assured Forwarding (AF) to ensure that traffic marked with an AF codepoint value has higher priority for reliable delivery over applications marked to receive lower priority. Use the following steps to enable Session-Based DSCP Classification. Start by configuring QoS based on the DSCP marking detected at the beginning of a session. You can then continue to enable the firewall to mark the return flow for a session with the same DSCP value used to enforce QoS for the initial outbound flow.
Completing this step enables the firewall to mark traffic with the same DSCP value that was detected at the beginning of a session (in this example, the firewall would mark return traffic with the DSCP AF11 value). While configuring QoS allows you to shape traffic as it egresses the firewall, enabling this option in a security rule allows the other network devices intermediate to the firewall and the client to continue to enforce priority for DSCP-marked traffic.
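As an added illustration (not Palo Alto Networks code) of the codepoint families listed above and of session-based return marking, the Python below decodes the six-bit DSCP from a ToS byte, names it as EF, AFxy, CSx, best effort or custom, and re-marks a session's reply packets with the DSCP seen on its first packet. The addresses, ports and ToS bytes are constructed; standard codepoint values such as AF11 = 10 and EF = 46 come from the DiffServ RFCs.

```python
"""Added example: DSCP decoding and session-based return-flow marking.
Illustrative code, not Palo Alto Networks code; packet tuples are constructed."""
from typing import Dict, Optional, Tuple

EF = 46  # Expedited Forwarding codepoint (RFC 3246)


def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper six bits of the IPv4 ToS / IPv6 Traffic Class byte."""
    return (tos >> 2) & 0x3F


def ip_precedence(dscp: int) -> int:
    """The legacy 3-bit IP Precedence value that the CS codepoints preserve."""
    return dscp >> 3


def classify_dscp(dscp: int) -> str:
    """Name a six-bit codepoint the way a QoS rule's DSCP/ToS match would."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a six-bit value")
    if dscp == EF:
        return "EF"
    cls, low = dscp >> 3, dscp & 7
    if low == 0:                               # CSx = 8x; CS0 is best effort
        return "BE" if cls == 0 else f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):     # AFxy = 8x + 2y (RFC 2597)
        return f"AF{cls}{low // 2}"
    return "custom"  # only a Custom Codepoint entry with this binary value matches


class SessionDscpMarker:
    """Remembers the DSCP on a session's first packet and re-marks the return
    flow with it, which is what Session-Based DSCP Classification does."""

    def __init__(self) -> None:
        self._sessions: Dict[Tuple, int] = {}

    @staticmethod
    def _key(src: str, sport: int, dst: str, dport: int, proto: int) -> Tuple:
        # Direction-independent key so the reply maps to the same session.
        a, b = (src, sport), (dst, dport)
        return (proto,) + (a + b if a <= b else b + a)

    def first_packet(self, src: str, sport: int, dst: str, dport: int,
                     proto: int, tos: int) -> str:
        """Honor the codepoint on the session-opening packet; returns its class."""
        dscp = dscp_from_tos(tos)
        self._sessions.setdefault(self._key(src, sport, dst, dport, proto), dscp)
        return classify_dscp(dscp)

    def mark_return(self, src: str, sport: int, dst: str, dport: int,
                    proto: int, tos: int) -> Optional[int]:
        """Rewrite a reply packet's ToS byte to carry the session's DSCP; the
        two ECN bits are left as they were. Returns None for an unknown session."""
        dscp = self._sessions.get(self._key(src, sport, dst, dport, proto))
        if dscp is None:
            return None
        return (dscp << 2) | (tos & 0x3)


def demo() -> Tuple[str, Optional[int]]:
    """A client opens an AF11-marked HTTPS session (constructed addresses);
    the server's unmarked reply is re-marked AF11 while keeping its ECN bits."""
    m = SessionDscpMarker()
    cls = m.first_packet("10.1.1.20", 51000, "203.0.113.10", 443, 6, tos=0x28)
    tos_out = m.mark_return("203.0.113.10", 443, "10.1.1.20", 51000, 6, tos=0x02)
    return cls, tos_out  # ("AF11", 0x2A)
```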
Apply QoS Based on DSCP/ToS Marking
Step 1: Perform the preliminary steps to Configure QoS.
Step 3: Define the QoS priority for traffic to receive when it is matched to a QoS rule based on the DSCP marking detected at the beginning of a session.
1. Select Network > Network Profiles > QoS Profile and Add or modify an existing QoS profile. For details on profile options to set priority and bandwidth for traffic, see QoS Concepts and Configure QoS.
2. Add or modify a profile class. For example, because Step 2 showed steps to classify AF11 traffic as Class 1 traffic, you could add or modify a class 1 entry.
3. Select a Priority for the class of traffic, such as high.
4. Click OK to save the QoS Profile.
QoS Use Cases
The following use cases demonstrate how to use QoS in common scenarios:
- Use Case: QoS for a Single User
- Use Case: QoS for Voice and Video Applications
Use Case: QoS for a Single User
A CEO finds that during periods of high network usage, she is unable to access enterprise applications to respond effectively to critical business communications. The IT admin wants to ensure that all traffic to and from the CEO receives preferential treatment over other employee traffic so that she is guaranteed not only access to, but high performance of, critical network resources.
Apply QoS to a Single User
Step 1: The admin creates the QoS profile CEO_traffic to define how traffic originating from the CEO will be treated and shaped as it flows out of the company network:
The admin assigns a guaranteed bandwidth (Egress Guaranteed) of 50 Mbps to ensure that the CEO will have that amount of bandwidth guaranteed to her at all times (more than she would need to use), regardless of network congestion.
The admin continues by designating Class 1 traffic as high priority and sets the profile's maximum bandwidth usage (Egress Max) to 1000 Mbps, the same maximum bandwidth as the interface that the admin will enable QoS on. The admin is choosing not to restrict the CEO's bandwidth usage in any way.
It is a best practice to populate the Egress Max field for a QoS profile, even if the max bandwidth of the profile matches the max bandwidth of the interface. The QoS profile's max bandwidth should never exceed the max bandwidth of the interface you are planning to enable QoS on.
Step 2: The admin creates a QoS policy to identify the CEO's traffic (Policies > QoS) and assigns it the class that he defined in the QoS profile (see Step 1). Because User-ID is configured, the admin uses the Source tab in the QoS policy to singularly identify the CEO's traffic by her company network username. (If User-ID is not configured, the administrator could Add the CEO's IP address under Source Address. See User-ID.):
Because the admin wants to ensure that all traffic originating from the CEO is guaranteed by the QoS profile and associated QoS policy he created, he selects CEO_traffic to apply to Clear Text traffic flowing from ethernet1/2.
He clicks Statistics to view how traffic originating with the CEO (Class 1) is being shaped as it flows from ethernet1/2:
This case demonstrates how to apply QoS to traffic originating from a single source user. However, if you also wanted to guarantee or shape traffic to a destination user, you could configure a similar QoS setup. Instead of, or in addition to, this workflow, create a QoS policy that specifies the user's IP address as the Destination Address on the Policies > QoS page (instead of specifying the user's source information) and then enable QoS on the network's internal-facing interface on the Network > QoS page (instead of the external-facing interface).
Use Case: QoS for Voice and Video Applications
Voice and video traffic is particularly sensitive to the measurements that the QoS feature shapes and controls, especially latency and jitter. For voice and video transmissions to be audible and clear, voice and video packets cannot be dropped, delayed, or delivered inconsistently. A best practice for voice and video applications, in addition to guaranteeing bandwidth, is to guarantee priority to voice and video traffic.
In this example, employees at a company branch office are experiencing difficulties and unreliability in using video conferencing and Voice over IP (VoIP) technologies to conduct business communications with other branch offices, with partners, and with customers. An IT admin intends to implement QoS in order to address these issues and ensure effective and reliable business communication for the branch employees. Because the admin wants to guarantee QoS to both incoming and outgoing network traffic, he will enable QoS on both the firewall's internal- and external-facing interfaces.
Ensure Quality for Voice and Video Applications
Step 1: The admin creates a QoS profile, defining Class 2 so that Class 2 traffic receives real-time priority and, on an interface with a maximum bandwidth of 1000 Mbps, is guaranteed a bandwidth of 250 Mbps at all times, including peak periods of network usage.
Real-time priority is typically recommended for applications affected by latency, and is particularly useful in guaranteeing performance and quality of voice and video applications.
On the firewall web interface, the admin selects the Network > Network Profiles > QoS Profile page, clicks Add, enters the Profile Name ensurevoipvideotraffic and defines Class 2 traffic.
Step 2: The admin creates a QoS policy to identify voice and video traffic. Because the company does not have one standard voice and video application, the admin wants to ensure QoS is applied to a few applications that are widely and regularly used by employees to communicate with other offices, with partners, and with customers.
On the Policies > QoS > QoS Policy Rule > Applications tab, the admin clicks Add and opens the Application Filter window. The admin continues by selecting criteria to filter the applications he wants to apply QoS to, choosing the Subcategory voip-video, and narrowing that down by specifying only voip-video applications that are both low risk and widely used.
The application filter is a dynamic tool that, when used to filter applications in the QoS policy, allows QoS to be applied to all applications that meet the criteria of voip-video, low risk, and widely used at any given time.
The admin names the Application Filter voipvideolowrisk and includes it in the QoS policy:
The admin names the QoS policy VoiceVideo and selects Other Settings to assign all traffic matched to the policy Class 2. He is going to use the VoiceVideo QoS policy for both incoming and outgoing QoS traffic, so he sets Source and Destination information to Any:
Step 3: Because the admin wants to ensure QoS for both incoming and outgoing voice and video communications, he enables QoS on the network's external-facing interface (to apply QoS to outgoing communications) and on the internal-facing interface (to apply QoS to incoming communications).
The admin begins by enabling the QoS profile he created, ensurevoicevideotraffic (Class 2 in this profile is associated with the policy VoiceVideo), on the external-facing interface, in this case, ethernet1/2.
He then enables the same QoS profile, ensurevoipvideotraffic, on a second interface, the internal-facing interface (in this case, ethernet1/1).
The admin has successfully enabled QoS on both the network's internal- and external-facing interfaces. Real-time priority is now ensured for voice and video application traffic as it flows both into and out of the network, ensuring that these communications, which are particularly sensitive to latency and jitter, can be used reliably and effectively to perform both internal and external business communications.
VPN Deployments
The Palo Alto Networks firewall supports the following VPN deployments:
- Site-to-Site VPN: A simple VPN that connects a central site and a remote site, or a hub and spoke VPN that connects a central site with multiple remote sites. The firewall uses the IP Security (IPSec) set of protocols to set up a secure tunnel for the traffic between the two sites. See Site-to-Site VPN Overview.
- Remote User-to-Site VPN: A solution that uses the GlobalProtect agent to allow a remote user to establish a secure connection through the firewall. This solution uses SSL and IPSec to establish a secure connection between the user and the site. Refer to the GlobalProtect Administrator's Guide.
- Large Scale VPN: The Palo Alto Networks GlobalProtect Large Scale VPN (LSVPN) provides a simplified mechanism to roll out a scalable hub and spoke VPN with up to 1,024 satellite offices. The solution requires Palo Alto Networks firewalls to be deployed at the hub and at every spoke. It uses certificates for device authentication, SSL for securing communication between all components, and IPSec to secure data. See Large Scale VPN (LSVPN).
Figure: VPN Deployments
Site-to-Site VPN Overview
A VPN connection that allows you to connect two Local Area Networks (LANs) is called a site-to-site VPN. You can configure route-based VPNs to connect Palo Alto Networks firewalls located at two sites or to connect a Palo Alto Networks firewall with a third-party security device at another location. The firewall can also interoperate with third-party policy-based VPN devices; the Palo Alto Networks firewall supports route-based VPN.
The Palo Alto Networks firewall sets up a route-based VPN, where the firewall makes a routing decision based on the destination IP address. If traffic is routed to a specific destination through a VPN tunnel, then it is handled as VPN traffic.
The IP Security (IPSec) set of protocols is used to set up a secure tunnel for the VPN traffic, and the information in the TCP/IP packet is secured (and encrypted if the tunnel type is ESP). The IP packet (header and payload) is embedded in another IP payload, and a new header is applied and then sent through the IPSec tunnel. The source IP address in the new header is that of the local VPN peer and the destination IP address is that of the VPN peer on the far end of the tunnel. When the packet reaches the remote VPN peer (the firewall at the far end of the tunnel), the outer header is removed and the original packet is sent to its destination.
In order to set up the VPN tunnel, first the peers need to be authenticated. After successful authentication, the peers negotiate the encryption mechanism and algorithms to secure the communication. The Internet Key Exchange (IKE) process is used to authenticate the VPN peers, and IPSec Security Associations (SAs) are defined at each end of the tunnel to secure the VPN communication. IKE uses digital certificates or preshared keys, and the Diffie-Hellman keys, to set up the SAs for the IPSec tunnel. The SAs specify all of the parameters that are required for secure transmission, including the security parameter index (SPI), security protocol, cryptographic keys, and the destination IP address, for encryption, data authentication, data integrity, and endpoint authentication.
The following figure shows a VPN tunnel between two sites. When a client that is secured by VPN Peer A needs content from a server located at the other site, VPN Peer A initiates a connection request to VPN Peer B. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure connection and authenticate VPN Peer B. Then, VPN Peer A establishes the VPN tunnel using the IPSec Crypto profile, which defines the IKE phase 2 parameters to allow the secure transfer of data between the two sites.
Figure: Site-to-Site VPN
Site-to-Site VPN Concepts
A VPN connection provides secure access to information between two or more sites. In order to provide secure access to resources and reliable connectivity, a VPN connection needs the following components:
- IKE Gateway
- Tunnel Interface
- Tunnel Monitoring
- Internet Key Exchange (IKE) for VPN
- IKEv2
IKE Gateway
The Palo Alto Networks firewalls, or a firewall and another security device, that initiate and terminate VPN connections across the two networks are called the IKE Gateways. To set up the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP address (static or dynamic) or FQDN. The VPN peers use preshared keys or certificates to mutually authenticate each other.
The peers must also negotiate the mode (main or aggressive) for setting up the VPN tunnel and the SA lifetime in IKE Phase 1. Main mode protects the identity of the peers and is more secure because more packets are exchanged when setting up the tunnel. Main mode is the recommended mode for IKE negotiation if both peers support it. Aggressive mode uses fewer packets to set up the VPN tunnel and is hence faster, but a less secure option for setting up the VPN tunnel.
See Set Up an IKE Gateway for configuration details.
Tunnel Interface
To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical (virtual) interface that is used to deliver traffic between two endpoints. If you configure any proxy IDs, the proxy ID is counted toward any IPSec tunnel capacity.
The tunnel interface must belong to a security zone to apply policy, and it must be assigned to a virtual router in order to use the existing routing infrastructure. Ensure that the tunnel interface and the physical interface are assigned to the same virtual router so that the firewall can perform a route lookup and determine the appropriate tunnel to use.
Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an external zone, for example the untrust zone. While the tunnel interface can be in the same security zone as the physical interface, for added security and better visibility, you can create a separate zone for the tunnel interface. If you create a separate zone for the tunnel interface, say a VPN zone, you will need to create security policies to enable traffic to flow between the VPN zone and the trust zone.
To route traffic between the sites, a tunnel interface does not require an IP address. An IP address is only required if you want to enable tunnel monitoring or if you are using a dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next-hop IP address for routing traffic to the VPN tunnel.
If you are configuring the Palo Alto Networks firewall with a VPN peer that performs policy-based VPN, you must configure a local and remote Proxy ID when setting up the IPSec tunnel. Each peer compares the Proxy IDs configured on it with what is actually received in the packet in order to allow a successful IKE phase 2 negotiation. If multiple tunnels are required, configure unique Proxy IDs for each tunnel interface; a tunnel interface can have a maximum of 250 Proxy IDs. Each Proxy ID counts towards the IPSec VPN tunnel capacity of the firewall, and the tunnel capacity varies by the firewall model.
See Set Up an IPSec Tunnel for configuration details.
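The Proxy ID comparison described above, as an added Python illustration (not Palo Alto Networks code): the selectors a policy-based peer proposes in IKE phase 2 must match a configured local/remote Proxy ID exactly, otherwise no tunnel interface is selected and phase 2 fails; the capacity check applies the 250-per-tunnel limit from the page, while the per-model tunnel capacity is a constructed placeholder. Tunnel names and subnets are constructed.

```python
"""Added example: matching configured Proxy IDs against the traffic selectors a
policy-based IPSec peer proposes, plus the capacity checks the page describes.
Illustrative code, not Palo Alto Networks code."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional

MAX_PROXY_IDS_PER_TUNNEL = 250  # per tunnel interface, as stated on the page


@dataclass(frozen=True)
class ProxyId:
    local: str              # local subnet, e.g. "10.1.0.0/16"
    remote: str             # remote subnet
    protocol: str = "any"   # "any", "tcp", "udp", or a protocol number as text
    local_port: int = 0     # 0 = any port
    remote_port: int = 0


def _net(cidr: str):
    # Normalise "10.1.0.1/16" and "10.1.0.0/16" to the same network object.
    return ip_network(cidr, strict=False)


def proxy_id_matches(configured: ProxyId, proposed: ProxyId) -> bool:
    """Exact comparison: a narrower or wider subnet, or a different protocol or
    port, is a phase 2 mismatch rather than a partial match."""
    return (_net(configured.local) == _net(proposed.local)
            and _net(configured.remote) == _net(proposed.remote)
            and configured.protocol == proposed.protocol
            and configured.local_port == proposed.local_port
            and configured.remote_port == proposed.remote_port)


def select_tunnel(tunnels: Dict[str, List[ProxyId]], proposed: ProxyId) -> Optional[str]:
    """Return the tunnel interface whose Proxy ID matches the proposal, or None."""
    for name, proxy_ids in tunnels.items():
        if any(proxy_id_matches(p, proposed) for p in proxy_ids):
            return name
    return None


def check_capacity(tunnels: Dict[str, List[ProxyId]], model_tunnel_capacity: int) -> List[str]:
    """Flag tunnels over the 250 Proxy ID limit, Proxy IDs reused across tunnel
    interfaces, and a total that exceeds the model's IPSec tunnel capacity."""
    problems: List[str] = []
    seen: Dict[ProxyId, str] = {}
    for name, ids in tunnels.items():
        if len(ids) > MAX_PROXY_IDS_PER_TUNNEL:
            problems.append(f"{name}: {len(ids)} Proxy IDs exceed the limit of "
                            f"{MAX_PROXY_IDS_PER_TUNNEL}")
        for p in ids:
            if p in seen:
                problems.append(f"{name}: Proxy ID already used on {seen[p]}")
            seen[p] = name
    total = sum(len(ids) for ids in tunnels.values())
    if total > model_tunnel_capacity:
        problems.append(f"{total} Proxy IDs exceed the tunnel capacity of "
                        f"{model_tunnel_capacity}")
    return problems


# Constructed configuration: two tunnel interfaces to two policy-based peers.
TUNNELS: Dict[str, List[ProxyId]] = {
    "tunnel.1": [ProxyId("10.1.0.0/16", "192.168.10.0/24")],
    "tunnel.2": [ProxyId("10.2.0.0/16", "192.168.20.0/24", protocol="tcp", remote_port=443)],
}


def demo():
    """An exact proposal selects tunnel.1; a narrower subnet and a proposal
    lacking tunnel.2's protocol/port qualifiers both fail to match."""
    hit = select_tunnel(TUNNELS, ProxyId("10.1.0.0/16", "192.168.10.0/24"))
    narrower = select_tunnel(TUNNELS, ProxyId("10.1.5.0/24", "192.168.10.0/24"))
    wrong_proto = select_tunnel(TUNNELS, ProxyId("10.2.0.0/16", "192.168.20.0/24"))
    return hit, narrower, wrong_proto  # ("tunnel.1", None, None)
```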
TunnelMonitoring
ForaVPNtunnel,youcancheckconnectivitytoadestinationIPaddressacrossthetunnel.Thenetwork
monitoringprofileonthefirewallallowsyoutoverifyconnectivity(usingICMP)toadestinationIPaddress
oranexthopataspecifiedpollinginterval,andtospecifyanactiononfailuretoaccessthemonitoredIP
address.
IfthedestinationIPisunreachable,youeitherconfigurethefirewalltowaitforthetunneltorecoveror
configureautomaticfailovertoanothertunnel.Ineithercase,thefirewallgeneratesasystemlogthatalerts
youtoatunnelfailureandrenegotiatestheIPSeckeystoacceleraterecovery.
SeeSetUpTunnelMonitoringforconfigurationdetails.
InternetKeyExchange(IKE)forVPN
TheIKEprocessallowstheVPNpeersatbothendsofthetunneltoencryptanddecryptpacketsusing
mutuallyagreeduponkeysorcertificateandmethodofencryption.TheIKEprocessoccursintwophases:
IKEPhase1andIKEPhase2.Eachofthesephasesusekeysandencryptionalgorithmsthataredefinedusing
cryptographicprofilesIKEcryptoprofileandIPSeccryptoprofileandtheresultoftheIKEnegotiationis
aSecurityAssociation(SA).AnSAisasetofmutuallyagreeduponkeysandalgorithmsthatareusedbyboth
VPNpeerstoallowtheflowofdataacrosstheVPNtunnel.Thefollowingillustrationdepictsthekey
exchangeprocessforsettinguptheVPNtunnel:
IKE Phase 1
In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports the use of preshared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Preshared keys are a simple solution for securing smaller networks because they do not require the support of a PKI infrastructure. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.
When using certificates, make sure that the CA issuing the certificate is trusted by both gateway peers and that the maximum length of certificates in the certificate chain is 5 or less. With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to 5 certificates in the certificate chain and successfully establish a VPN tunnel.
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
Diffie-Hellman (DH) group for generating symmetrical keys for IKE.
The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share. The DH groups supported on the firewall are: Group 1 (768 bits), Group 2 (1024 bits, default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group).
Authentication algorithms: sha1, sha256, sha384, sha512, or md5
Encryption algorithms: 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des
IKE Phase 2
After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.
IPSec uses the following protocols to enable secure communication:
Encapsulating Security Payload (ESP): Allows you to encrypt the entire IP packet, and authenticate the source and verify integrity of the data. While ESP requires that you encrypt and authenticate the packet, you can choose to only encrypt or only authenticate by setting the encryption option to Null; using encryption without authentication is discouraged.
Authentication Header (AH): Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.
Table: Algorithms Supported for IPSec Authentication and Encryption

Diffie-Hellman (DH) exchange options supported (ESP and AH):
Group 1: 768 bits
Group 2: 1024 bits (the default)
Group 5: 1536 bits
Group 14: 2048 bits
Group 19: 256-bit elliptic curve group
Group 20: 384-bit elliptic curve group
no-pfs: By default, perfect forward secrecy (PFS) is enabled, which means a new DH key is generated in IKE phase 2 using one of the groups listed above. This key is independent of the keys exchanged in IKE phase 1 and provides better data transfer security. If you select no-pfs, the DH key created at phase 1 is not renewed and a single key is used for the IPSec SA negotiations. Both VPN peers must be enabled or disabled for PFS.

Encryption algorithms supported (ESP only; AH does not encrypt):
3des          Triple Data Encryption Standard (3DES) with a security strength of 112 bits
aes-128-cbc   Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
aes-192-cbc   AES using CBC with a security strength of 192 bits
aes-256-cbc   AES using CBC with a security strength of 256 bits
aes-128-ccm   AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
aes-128-gcm   AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
aes-256-gcm   AES using GCM with a security strength of 256 bits
des           Data Encryption Standard (DES) with a security strength of 56 bits

Authentication algorithms supported (ESP and AH):
md5
sha1
sha256
sha384
sha512
Methods of Securing IPSec VPN Tunnels (IKE Phase 2)
IPSec VPN tunnels can be secured using manual keys or auto keys. In addition, IPSec configuration options include Diffie-Hellman Group for key agreement, and/or an encryption algorithm and a hash for message authentication.
Manual Key: Manual key is typically used if the Palo Alto Networks firewall is establishing a VPN tunnel with a legacy device, or if you want to reduce the overhead of generating session keys. If using manual keys, the same key must be configured on both peers.
Manual keys are not recommended for establishing a VPN tunnel because the session keys can be compromised when relaying the key information between the peers; if the keys are compromised, the data transfer is no longer secure.
Auto Key: Auto Key allows you to automatically generate keys for setting up and maintaining the IPSec tunnel based on the algorithms defined in the IPSec Crypto profile.
IKEv2
An IPSec VPN gateway uses IKEv1 or IKEv2 to negotiate the IKE security association (SA) and IPSec tunnel. IKEv2 is defined in RFC 5996.
Unlike IKEv1, which uses a Phase 1 SA and a Phase 2 SA, IKEv2 uses a child SA for Encapsulating Security Payload (ESP) or Authentication Header (AH), which is set up with an IKE SA.
NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device.
IKEv2 provides the following benefits over IKEv1:
Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either nine messages (in main mode) or six messages (in aggressive mode).
Built-in NAT-T functionality improves compatibility between vendors.
Built-in health check automatically re-establishes a tunnel if it goes down. The liveness check replaces the Dead Peer Detection used in IKEv1.
Supports traffic selectors (one per exchange). The traffic selectors are used in IKE negotiations to control what traffic can access the tunnel.
Supports Hash and URL certificate exchange to reduce fragmentation.
Resiliency against DoS attacks with improved peer validation. An excessive number of half-open SAs can trigger cookie validation.
Before configuring IKEv2, you should be familiar with the following concepts:
Liveness Check
Cookie Activation Threshold and Strict Cookie Validation
Traffic Selectors
Hash and URL Certificate Exchange
SA Key Lifetime and Re-Authentication Interval
After you Set Up an IKE Gateway, if you chose IKEv2, perform the following optional tasks related to IKEv2 as required by your environment:
Export a Certificate for a Peer to Access Using Hash and URL
Import a Certificate for IKEv2 Gateway Authentication
Change the Key Lifetime or Authentication Interval for IKEv2
Change the Cookie Activation Threshold for IKEv2
Configure IKEv2 Traffic Selectors
Liveness Check
The liveness check for IKEv2 is similar to Dead Peer Detection (DPD), which IKEv1 uses as the way to determine whether a peer is still available.
In IKEv2, the liveness check is achieved by any IKEv2 packet transmission or an empty informational message that the gateway sends to the peer at a configurable interval, five seconds by default. If necessary, the sender attempts the retransmission up to ten times. If it doesn't get a response, the sender closes and deletes the IKE_SA and corresponding CHILD_SAs. The sender will start over by sending out another IKE_SA_INIT message.
Cookie Activation Threshold and Strict Cookie Validation
Cookie validation is always enabled for IKEv2; it helps protect against half-open SA DoS attacks. You can configure the global threshold number of half-open SAs that will trigger cookie validation. You can also configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA.
The Cookie Activation Threshold is a global VPN session setting that limits the number of simultaneous half-opened IKE SAs (default is 500). When the number of half-opened IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie to validate the connection. If the cookie validation is successful, another SA can be initiated. A value of 0 means that cookie validation is always on.
The Responder does not maintain a state of the Initiator, nor does it perform a Diffie-Hellman key exchange, until the Initiator returns the cookie. IKEv2 cookie validation mitigates a DoS attack that would try to leave numerous connections half open.
The Cookie Activation Threshold must be lower than the Maximum Half Opened SA setting. If you Change the Cookie Activation Threshold for IKEv2 to a very high number (for example, 65534) and the Maximum Half Opened SA setting remained at the default value of 65535, cookie validation is essentially disabled.
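The responder-side behaviour described above (no state and no DH work until a valid cookie comes back, triggered once the half-open count exceeds the threshold, or always when the threshold is 0 or strict validation is set), as an added illustration that is not PAN-OS code: the cookie construction follows the shape RFC 5996 suggests with an HMAC-SHA256 standing in for the hash, and the secret, SPIs, nonces and addresses are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set

# Page defaults: Cookie Activation Threshold 500, Maximum Half Opened SA 65535.
DEFAULT_THRESHOLD = 500
DEFAULT_MAX_HALF_OPEN = 65535


def make_cookie(secret: bytes, spi_i: bytes, nonce_i: bytes, ip_i: str) -> bytes:
    """Stateless cookie in the shape RFC 5996 suggests:
    <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>).
    Constructed: a one-byte secret version followed by an HMAC-SHA256."""
    mac = hmac.new(secret, nonce_i + ip_i.encode() + spi_i, hashlib.sha256).digest()
    return b"\x01" + mac


def cookies_can_trigger(threshold: int, max_half_open: int) -> bool:
    """The caveat from the text: the threshold must be lower than the Maximum Half
    Opened SA setting, otherwise the SA table fills before a cookie is ever requested."""
    return threshold < max_half_open


@dataclass
class Responder:
    secret: bytes
    threshold: int = DEFAULT_THRESHOLD          # global Cookie Activation Threshold
    max_half_open: int = DEFAULT_MAX_HALF_OPEN  # Maximum Half Opened SA
    strict: bool = False                        # per-gateway strict cookie validation
    half_open: Set[bytes] = field(default_factory=set)  # SPIi values awaiting IKE_AUTH

    def cookie_required(self) -> bool:
        # 0 means always on; strict validation demands a cookie for every new SA;
        # otherwise only once the half-open count exceeds the threshold.
        if self.strict or self.threshold == 0:
            return True
        return len(self.half_open) > self.threshold

    def handle_ike_sa_init(self, spi_i: bytes, nonce_i: bytes, ip_i: str,
                           cookie: Optional[bytes] = None) -> str:
        """Return the responder's decision for one IKE_SA_INIT request."""
        if len(self.half_open) >= self.max_half_open:
            return "DROP: half-open SA table full"
        if self.cookie_required():
            expected = make_cookie(self.secret, spi_i, nonce_i, ip_i)
            if cookie is None:
                # No state is kept and no DH exponentiation is done: the responder
                # only answers with a COOKIE notification and forgets the request.
                return "COOKIE"
            if not hmac.compare_digest(cookie, expected):
                return "DROP: bad cookie"
        # Only a request that passed (or did not need) cookie validation costs state.
        self.half_open.add(spi_i)
        return "SA_INIT_RESPONSE"

    def complete(self, spi_i: bytes) -> None:
        """IKE_AUTH finished (or the SA timed out): the SA is no longer half open."""
        self.half_open.discard(spi_i)


def flood(responder: Responder, count: int) -> int:
    """Constructed flood of distinct IKE_SA_INITs that never return a cookie; returns
    how many were accepted (threshold + 1, since the text says 'exceeds')."""
    accepted = 0
    for i in range(count):
        spi = i.to_bytes(8, "big")
        ip = "203.0.113.%d" % (i % 250)
        if responder.handle_ike_sa_init(spi, b"nonce", ip) == "SA_INIT_RESPONSE":
            accepted += 1
    return accepted
```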
Traffic Selectors
In IKEv1, a firewall that has a route-based VPN needs to use a local and remote Proxy ID in order to set up an IPSec tunnel. Each peer compares its Proxy IDs with what it received in the packet in order to successfully negotiate IKE Phase 2. IKE Phase 2 is about negotiating the SAs to set up an IPSec tunnel. (For more information on Proxy IDs, see Tunnel Interface.)
In IKEv2, you can Configure IKEv2 Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; otherwise, one side narrows its address range to reach agreement. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented.
The IPv4 and IPv6 traffic selectors are:
Source IP address: A network prefix, address range, specific host, or wildcard.
Destination IP address: A network prefix, address range, specific host, or wildcard.
Protocol: A transport protocol, such as TCP or UDP.
Source port: The port where the packet originated.
Destination port: The port the packet is destined for.
During IKE negotiation, there can be multiple traffic selectors for different networks and protocols. For example, the Initiator might indicate that it wants to send TCP packets from 172.168.0.0/16 through the tunnel to its peer, destined for 198.5.0.0/16. It also wants to send UDP packets from 172.17.0.0/16 through the same tunnel to the same gateway, destined for 0.0.0.0 (any network). The peer gateway must agree to these traffic selectors so that it knows what to expect.
It is possible that one gateway will start negotiation using a traffic selector that is a more specific IP address than the IP address of the other gateway.
For example, gateway A offers a source IP address of 172.16.0.0/16 and a destination IP address of 192.16.0.0/16. But gateway B is configured with 0.0.0.0 (any source) as the source IP address and 0.0.0.0 (any destination) as the destination IP address. Therefore, gateway B narrows down its source IP address to 192.16.0.0/16 and its destination address to 172.16.0.0/16. Thus, the narrowing down accommodates the addresses of gateway A and the traffic selectors of the two gateways are in agreement.
If gateway B (configured with source IP address 0.0.0.0) is the Initiator instead of the Responder, gateway A will respond with its more specific IP addresses, and gateway B will narrow down its addresses to reach agreement.
Hash and URL Certificate Exchange
IKEv2 supports Hash and URL Certificate Exchange, which is used during an IKEv2 negotiation of an SA. You store the certificate on an HTTP server, which is specified by a URL. The peer fetches the certificate from the server based on receiving the URL to the server. The hash is used to check whether the content of the certificate is valid or not. Thus, the two peers exchange certificates with the HTTP CA rather than with each other.
The hash part of Hash and URL reduces the message size, and thus Hash and URL is a way to reduce the likelihood of packet fragmentation during IKE negotiation. The peer receives the certificate and hash that it expects, and thus IKE Phase 1 has validated the peer. Reducing fragmentation occurrences helps protect against DoS attacks.
You can enable the Hash and URL certificate exchange when configuring an IKE gateway by selecting HTTP Certificate Exchange and entering the Certificate URL. The peer must also use Hash and URL certificate exchange in order for the exchange to be successful. If the peer cannot use Hash and URL, X.509 certificates are exchanged similarly to how they are exchanged in IKEv1.
If you enable the Hash and URL certificate exchange, you must export your certificate to the certificate server if it is not already there. When you export the certificate, the file format should be Binary Encoded Certificate (DER). See Export a Certificate for a Peer to Access Using Hash and URL.
SA Key Lifetime and Re-Authentication Interval
Set Up Site-to-Site VPN
To set up site-to-site VPN:
Make sure that your Ethernet interfaces, virtual routers, and zones are configured properly. For more information, see Configure Interfaces and Zones.
Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate zone, so that tunneled traffic can use different policies.
Set up static routes or assign routing protocols to redirect traffic to the VPN tunnels. To support dynamic routing (OSPF, BGP, RIP are supported), you must assign an IP address to the tunnel interface.
Define IKE gateways for establishing communication between the peers across each end of the VPN tunnel; also define the cryptographic profile that specifies the protocols and algorithms for identification, authentication, and encryption to be used for setting up VPN tunnels in IKEv1 Phase 1. See Set Up an IKE Gateway and Define IKE Crypto Profiles.
Configure the parameters that are needed to establish the IPSec connection for transfer of data across the VPN tunnel; see Set Up an IPSec Tunnel. For IKEv1 Phase 2, see Define IPSec Crypto Profiles.
(Optional) Specify how the firewall will monitor the IPSec tunnels. See Set Up Tunnel Monitoring.
Define security policies to filter and inspect the traffic.
If there is a deny rule at the end of the security rulebase, intra-zone traffic is blocked unless otherwise allowed. Rules to allow IKE and IPSec applications must be explicitly included above the deny rule.
When these tasks are complete, the tunnel is ready for use. Traffic destined for the zones/addresses defined in policy is automatically routed properly based on the destination route in the routing table, and handled as VPN traffic. For a few examples on site-to-site VPN, see Site-to-Site VPN Quick Configs.
For troubleshooting purposes, you can Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel.
Set Up an IKE Gateway
To set up a VPN tunnel, the VPN peers or gateways must authenticate each other using preshared keys or digital certificates and establish a secure channel in which to negotiate the IPSec security association (SA) that will be used to secure traffic between the hosts on each side.
Set Up an IKE Gateway
Export a Certificate for a Peer to Access Using Hash and URL
IKEv2 supports Hash and URL Certificate Exchange as a method of having the peer at the remote end of the tunnel fetch the certificate from a server where you have exported the certificate. Perform this task to export your certificate to that server. You must have already created a certificate using Device > Certificate Management.
Export a Certificate for Hash and URL
Import a Certificate for IKEv2 Gateway Authentication
Perform this task if you are authenticating a peer for an IKEv2 gateway and you did not use a local certificate already on the firewall; you want to import a certificate from elsewhere.
This task presumes that you selected Network > IKE Gateways, added a gateway, and for Local Certificate, you clicked Import.
Import a Certificate for IKEv2 Gateway Authentication
Step 2 Configure certificate-based authentication.
Change the Key Lifetime or Authentication Interval for IKEv2
This task is optional; the default setting of the IKEv2 IKE SA rekey lifetime is 8 hours. The default setting of the IKEv2 Authentication Multiple is 0, meaning the re-authentication feature is disabled. For more information, see SA Key Lifetime and Re-Authentication Interval.
To change the default values, perform the following task. A prerequisite is that an IKE crypto profile already exists.
Change the SA Key Lifetime or Authentication Interval
Change the Cookie Activation Threshold for IKEv2
Perform the following task if you want a firewall to have a threshold different from the default setting of 500 half-opened SA sessions before cookie validation is required. For more information about cookie validation, see Cookie Activation Threshold and Strict Cookie Validation.
Change the Cookie Activation Threshold
Configure IKEv2 Traffic Selectors
In IKEv2, you can configure Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; otherwise, one side narrows its address range to reach agreement. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented. Use the following workflow to configure traffic selectors.
Configure Traffic Selectors for IKEv2
Step 2 Select the IPv4 or IPv6 tab.
Step 6 In the Protocol field, select the transport protocol (TCP or UDP) from the drop-down.
Step 7 Click OK.
Define Cryptographic Profiles
A cryptographic profile specifies the ciphers used for authentication and/or encryption between two IKE peers, and the lifetime of the key. The time period between each renegotiation is known as the lifetime; when the specified time expires, the firewall renegotiates a new set of keys.
For securing communication across the VPN tunnel, the firewall requires IKE and IPSec cryptographic profiles for completing IKE phase 1 and phase 2 negotiations, respectively. The firewall includes a default IKE crypto profile and a default IPSec crypto profile that are ready for use.
Define IKE Crypto Profiles
Define IPSec Crypto Profiles
Define IKE Crypto Profiles
The IKE crypto profile is used to set up the encryption and authentication algorithms used for the key exchange process in IKE Phase 1, and the lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.
All IKE gateways configured on the same interface or local IP address must use the same crypto profile.
Define an IKE Crypto Profile
Define IPSec Crypto Profiles
The IPSec crypto profile is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when Auto Key IKE is used to automatically generate keys for the IKE SAs.
Define the IPSec Crypto Profile
Set Up an IPSec Tunnel
The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.
If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy ID so that the setting on both peers is identical. If the Proxy ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy ID are source ip: 0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any; and when these values are exchanged with the peer, it results in a failure to set up the VPN connection.
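The two phase 2 agreement rules the guide describes, IKEv2 traffic selector narrowing (the gateway A / gateway B example under Traffic Selectors) and the exact Proxy ID match that IKEv1 quick mode requires (the paragraph above), as an added example that is not PAN-OS code: a selector is modelled as an IPv4 network, protocol number and port range, with 0 and 0-65535 meaning "any"; the 10.1.0.0/16 and 10.2.0.0/16 policy-based peer prefixes are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed model of one selector: (IPv4 network, IP protocol number, port range).
# Protocol 0 and port range (0, 65535) mean "any", which is also what the PAN-OS
# default Proxy ID of 0.0.0.0/0 / any described in the text amounts to.
Selector = Tuple[ipaddress.IPv4Network, int, Tuple[int, int]]
ANY_PORTS = (0, 65535)


def sel(prefix: str, proto: int = 0, ports: Tuple[int, int] = ANY_PORTS) -> Selector:
    return (ipaddress.ip_network(prefix), proto, ports)


def narrow(offered: Selector, configured: Selector) -> Optional[Selector]:
    """Intersect two single selectors (IKEv2 narrowing); None means no agreement."""
    net_a, proto_a, ports_a = offered
    net_b, proto_b, ports_b = configured
    if net_a.subnet_of(net_b):
        net = net_a                      # the more specific prefix wins
    elif net_b.subnet_of(net_a):
        net = net_b
    else:
        return None                      # disjoint address ranges
    if proto_a and proto_b and proto_a != proto_b:
        return None
    proto = proto_a or proto_b
    lo, hi = max(ports_a[0], ports_b[0]), min(ports_a[1], ports_b[1])
    if lo > hi:
        return None
    return (net, proto, (lo, hi))


def ikev2_child_sa(init_tsi: Selector, init_tsr: Selector,
                   resp_local: Selector, resp_remote: Selector
                   ) -> Optional[Tuple[Selector, Selector]]:
    """The responder's view of a CHILD_SA proposal. The initiator's TSi (its own
    source) must fit the responder's remote selector and the initiator's TSr (its
    destination) must fit the responder's local selector; each side is narrowed."""
    tsi = narrow(init_tsi, resp_remote)
    tsr = narrow(init_tsr, resp_local)
    if tsi is None or tsr is None:
        return None
    return tsi, tsr


def responder_view(result: Tuple[Selector, Selector]) -> Tuple[str, str]:
    """Express a CHILD_SA result as the responder (gateway B) sees it: B's source
    is what A sends to (TSr) and B's destination is where A sends from (TSi)."""
    tsi, tsr = result
    return str(tsr[0]), str(tsi[0])


def ikev1_proxy_ids_match(local_src: Selector, local_dst: Selector,
                          peer_src: Selector, peer_dst: Selector) -> bool:
    """IKEv1 quick mode has no narrowing: the peer's Proxy ID must be the exact
    mirror image of ours (our source is its destination and vice versa)."""
    return local_src == peer_dst and local_dst == peer_src
```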
Set Up an IPSec Tunnel
Step 2 On the General tab, enter a Name for the new tunnel.
Set Up Tunnel Monitoring
To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the firewall. You can also monitor the status of the tunnel. These monitoring tasks are described in the following sections:
Define a Tunnel Monitoring Profile
View the Status of the Tunnels
Define a Tunnel Monitoring Profile
A tunnel monitoring profile allows you to verify connectivity between the VPN peers; you can configure the tunnel interface to ping a destination IP address at a specified interval and specify the action if the communication across the tunnel is broken.
Define a Tunnel Monitoring Profile
Step 2 Click Add, and enter a Name for the profile.
Step 3 Select the Action if the destination IP address is unreachable.
Wait Recover: the firewall waits for the tunnel to recover. It continues to use the tunnel interface in routing decisions as if the tunnel were still active.
Fail Over: forces traffic to a backup path if one is available. The firewall disables the tunnel interface, and thereby disables any routes in the routing table that use the interface.
In either case, the firewall attempts to accelerate the recovery by negotiating new IPSec keys.
Step 4 Specify the Interval and Threshold to trigger the specified action.
The Threshold specifies the number of heartbeats to wait before taking the specified action. The range is 2-100 and the default is 5.
The Interval measures the time between heartbeats. The range is 2-10 and the default is 3 seconds.
Step 5 Attach the monitoring profile to the IPSec Tunnel configuration. See Enable Tunnel Monitoring.
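How the Interval, Threshold and Action settings above combine, as an added simulation that is not PAN-OS code: a sequence of constructed heartbeat results is fed through a profile, the action fires when the threshold of consecutive misses is reached, and the two actions differ only in whether the tunnel interface (and so its routes) stays in service; the worst-case detection time is Interval × Threshold.

```python
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class MonitorProfile:
    action: str            # "wait-recover" or "fail-over"
    interval: int = 3      # seconds between heartbeats, range 2-10 (page default 3)
    threshold: int = 5     # missed heartbeats before acting, range 2-100 (page default 5)

    def __post_init__(self) -> None:
        if self.action not in ("wait-recover", "fail-over"):
            raise ValueError("unknown action")
        if not 2 <= self.interval <= 10:
            raise ValueError("interval out of range 2-10")
        if not 2 <= self.threshold <= 100:
            raise ValueError("threshold out of range 2-100")

    def detection_time(self) -> int:
        """Worst-case seconds from the first lost heartbeat until the action fires."""
        return self.interval * self.threshold


@dataclass
class TunnelState:
    interface_up: bool = True       # tunnel interface still used in routing decisions
    rekey_requested: bool = False   # the firewall renegotiates IPSec keys on failure
    system_log: List[str] = field(default_factory=list)


def run_monitor(profile: MonitorProfile, probe_results: Iterable[bool]) -> TunnelState:
    """Feed per-heartbeat results (True = the monitored IP replied) through the
    profile and return the resulting tunnel state."""
    state = TunnelState()
    missed = 0
    for tick, reachable in enumerate(probe_results, start=1):
        if reachable:
            missed = 0               # any reply resets the consecutive-miss counter
            continue
        missed += 1
        if missed != profile.threshold:
            continue                 # act once, exactly when the threshold is reached
        elapsed = tick * profile.interval
        state.rekey_requested = True     # both actions renegotiate IPSec keys
        if profile.action == "fail-over":
            state.interface_up = False   # routes via the interface are withdrawn
            state.system_log.append(f"t={elapsed}s tunnel monitor failed: fail over")
        else:
            state.system_log.append(f"t={elapsed}s tunnel monitor failed: wait for recovery")
    return state
```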
View the Status of the Tunnels
The status of the tunnel informs you about whether or not valid IKE phase 1 and phase 2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it cannot indicate a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or fail over. When a failover occurs, the existing tunnel is torn down and routing changes are triggered to set up a new tunnel and redirect traffic.
View Tunnel Status
To troubleshoot a VPN tunnel that is not yet up, see Interpret VPN Error Messages.
Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel
You can enable, disable, refresh or restart an IKE gateway or VPN tunnel to make troubleshooting easier.
Enable or Disable an IKE Gateway or IPSec Tunnel
Refresh and Restart Behaviors
Refresh or Restart an IKE Gateway or IPSec Tunnel
Enable or Disable an IKE Gateway or IPSec Tunnel
Enable or Disable an IKE Gateway or IPSec Tunnel
Refresh and Restart Behaviors
The refresh and restart behaviors for an IKE gateway and IPSec tunnel are as follows:
Refresh or Restart an IKE Gateway or IPSec Tunnel
Restarting an IKEv2 gateway has a result different from restarting an IKEv1 gateway.
Refresh or Restart an IKE Gateway or IPSec Tunnel
Test VPN Connectivity
Test VPN Connectivity
Step 1 Initiate IKE phase 1 by either pinging a host across the tunnel or using the following CLI command:
test vpn ike-sa gateway <gateway_name>
Step 2 Enter the following command to test if IKE phase 1 is set up:
show vpn ike-sa gateway <gateway_name>
In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.
Step 3 Initiate IKE phase 2 by either pinging a host from across the tunnel or using the following CLI command:
test vpn ipsec-sa tunnel <tunnel_name>
Step 4 Enter the following command to test if IKE phase 2 is set up:
show vpn ipsec-sa tunnel <tunnel_name>
In the output, check if the Security Association displays. If it does not, review the system log messages to interpret the reason for failure.
Step 5 To view the VPN traffic flow information, use the following command:
show vpn-flow
total tunnels configured: 1
filter - type IPSec, state any
Interpret VPN Error Messages
The following table lists some of the common VPN error messages that are logged in the system log.
Table: Syslog Error Messages for VPN Issues
If error is this:    Try this:
Site-to-Site VPN Quick Configs
The following sections provide instructions for configuring some common VPN deployments:
Site-to-Site VPN with Static Routing
Site-to-Site VPN with OSPF
Site-to-Site VPN with Static and Dynamic Routing
Site-to-Site VPN with Static Routing
The following example shows a VPN connection between two sites that use static routes. Without dynamic routing, the tunnel interfaces on VPN Peer A and VPN Peer B do not require an IP address because the firewall automatically uses the tunnel interface as the next hop for routing traffic across the sites. However, to enable tunnel monitoring, a static IP address has been assigned to each tunnel interface.
Quick Config: Site-to-Site VPN with Static Routing
Site-to-Site VPN with OSPF
In this example, each site uses OSPF for dynamic routing of traffic. The tunnel IP address on each VPN peer is statically assigned and serves as the next hop for routing traffic between the two sites.
Quick Config: Site-to-Site VPN with Dynamic Routing using OSPF
Site-to-Site VPN with Static and Dynamic Routing
In this example, one site uses static routes and the other site uses OSPF. When the routing protocol is not the same between the locations, the tunnel interface on each firewall must be configured with a static IP address. Then, to allow the exchange of routing information, the firewall that participates in both the static and dynamic routing process must be configured with a Redistribution profile. Configuring the redistribution profile enables the virtual router to redistribute and filter routes between protocols (static routes, connected routes, and hosts) from the static autonomous system to the OSPF autonomous system. Without this redistribution profile, each protocol functions on its own and does not exchange any route information with other protocols running on the same virtual router.
In this example, the satellite office has static routes and all traffic destined to the 192.168.x.x network is routed to tunnel.41. The virtual router on VPN Peer B participates in both the static and the dynamic routing process and is configured with a redistribution profile in order to propagate (export) the static routes to the OSPF autonomous system.
Quick Config: Site-to-Site VPN with Static and Dynamic Routing
show routing route
The following is an example of the output on each VPN peer.
LSVPN enables site-to-site VPNs between Palo Alto Networks firewalls. To set up a site-to-site VPN between a Palo Alto Networks firewall and another device, see VPNs.
The following topics describe the LSVPN components and how to set them up to enable site-to-site VPN services between Palo Alto Networks firewalls:
LSVPN Overview
Create Interfaces and Zones for the LSVPN
Enable SSL Between GlobalProtect LSVPN Components
Configure the Portal to Authenticate Satellites
Configure GlobalProtect Gateways for LSVPN
Configure the GlobalProtect Portal for LSVPN
Prepare the Satellite to Join the LSVPN
Verify the LSVPN Configuration
LSVPN Quick Configs
LSVPN Overview
GlobalProtect provides a complete infrastructure for managing secure access to corporate resources from your remote sites. This infrastructure includes the following components:
GlobalProtect Portal: Provides the management functions for your GlobalProtect LSVPN infrastructure. Every satellite that participates in the GlobalProtect LSVPN receives configuration information from the portal, including configuration information to enable the satellites (the spokes) to connect to the gateways (the hubs). You configure the portal on an interface on any Palo Alto Networks next-generation firewall.
GlobalProtect Gateways: A Palo Alto Networks firewall that provides the tunnel endpoint for satellite connections. The resources that the satellites access are protected by security policy on the gateway. It is not required to have a separate portal and gateway; a single firewall can function both as portal and gateway.
GlobalProtect Satellite: A Palo Alto Networks firewall at a remote site that establishes IPSec tunnels with the gateway(s) at your corporate office(s) for secure access to centralized resources. Configuration on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN as you add new sites.
The following diagram illustrates how the GlobalProtect LSVPN components work together.
Create Interfaces and Zones for the LSVPN
You must configure the following interfaces and zones for your LSVPN infrastructure:
GlobalProtect portal: Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that is accessible from your branch offices.
GlobalProtect gateways: Requires three interfaces: a Layer 3 interface in the zone that is reachable by the remote satellites, an internal interface in the trust zone that connects to the protected resources, and a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site VPN solutions, the GlobalProtect gateway only requires a single tunnel interface, which it will use for tunnel connections with all of your remote satellites (point-to-multipoint). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.
GlobalProtect satellites: Requires a single tunnel interface for establishing a VPN with the remote gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP address to the tunnel interface. GlobalProtect supports both IPv6 and IPv4 addressing for the tunnel interface.
For more information about portals, gateways, and satellites, see LSVPN Overview.
Set Up Interfaces and Zones for the GlobalProtect LSVPN
Enable SSL Between GlobalProtect LSVPN Components
All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required certificates before configuring each component so that you can reference the appropriate certificate(s) and/or certificate profiles in the configurations for each component. The following sections describe the supported methods of certificate deployment, descriptions and best practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and deploying the required certificates:
About Certificate Deployment
Deploy Server Certificates to the GlobalProtect LSVPN Components
Deploy Client Certificates to the GlobalProtect Satellites Using SCEP
About Certificate Deployment
There are two basic approaches to deploying certificates for GlobalProtect LSVPN:
Enterprise Certificate Authority: If you already have your own enterprise certificate authority, you can use this internal CA to issue an intermediate CA certificate for the GlobalProtect portal to enable it to issue certificates to the GlobalProtect gateways and satellites. You can also configure the GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to issue client certificates to GlobalProtect satellites.
Self-Signed Certificates: You can generate a self-signed root CA certificate on the firewall and use it to issue server certificates for the portal, gateway(s), and satellite(s). As a best practice, create a self-signed root CA certificate on the portal and use it to issue server certificates for the gateways and satellites. This way, the private key used for certificate signing stays on the portal.
Deploy Server Certificates to the GlobalProtect LSVPN Components
The GlobalProtect LSVPN components use SSL/TLS to mutually authenticate. Before deploying the LSVPN, you must assign an SSL/TLS service profile to each portal and gateway. The profile specifies the server certificate and allowed TLS versions for communication with satellites. You don't need to create SSL/TLS service profiles for the satellites because the portal will issue a server certificate for each satellite during the first connection as part of the satellite registration process.
In addition, you must import the root certificate authority (CA) certificate used to issue the server certificates onto each firewall that you plan to host as a gateway or satellite. Finally, on each gateway and satellite participating in the LSVPN, you must configure a certificate profile that will enable them to establish an SSL/TLS connection using mutual authentication.
The following workflow shows the best practice steps for deploying SSL certificates to the GlobalProtect LSVPN components:
Deploy SSL Server Certificates to the GlobalProtect Components
Deploy Client Certificates to the GlobalProtect Satellites Using SCEP
As an alternative method for deploying client certificates to satellites, you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI. SCEP operation is dynamic in that the enterprise PKI generates a certificate when the portal requests it and sends the certificate to the portal.
When the satellite device requests a connection to the portal or gateway, it also includes its serial number with the connection request. The portal submits a CSR to the SCEP server using the settings in the SCEP profile and automatically includes the serial number of the device in the subject of the client certificate. After receiving the client certificate from the enterprise PKI, the portal transparently deploys the client certificate to the satellite device. The satellite device then presents the client certificate to the portal or gateway for authentication.
Deploy Server Certificates to the GlobalProtect Components Using SCEP
Configure the Portal to Authenticate Satellites
In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal. After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join the LSVPN. After successfully authenticating the satellite, the portal will issue a server certificate for the satellite and push the LSVPN configuration specifying the gateways to which the satellite can connect and the root CA certificate required to establish an SSL connection with the gateways.
There are two ways that the satellite can authenticate to the portal during its initial connection:
- Serial number: You can configure the portal with the serial numbers of the satellite firewalls that are authorized to join the LSVPN. During the initial satellite connection to the portal, the satellite presents its serial number to the portal and, if the portal has the serial number in its configuration, the satellite will be successfully authenticated. You add the serial numbers of authorized satellites when you configure the portal. See Configure the Portal.
- Username and password: If you would rather provision your satellites without manually entering the serial numbers of the satellites into the portal configuration, you can instead require the satellite administrator to authenticate when establishing the initial connection to the portal. Although the portal will always look for the serial number in the initial request from the satellite, if it cannot identify the serial number, the satellite administrator must provide a username and password to authenticate to the portal. Because the portal will always fall back to this form of authentication, you must create an authentication profile in order to commit the portal configuration. This requires that you set up an authentication profile for the portal LSVPN configuration even if you plan to authenticate satellites using the serial number.
The following workflow describes how to set up the portal to authenticate satellites against an existing authentication service. GlobalProtect LSVPN supports external authentication using a local database, LDAP (including Active Directory), Kerberos, TACACS+, or RADIUS.
Set Up Satellite Authentication
Configure GlobalProtect Gateways for LSVPN
Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect to, it is a good idea to configure the gateways before configuring the portal.
Before you can configure the GlobalProtect gateway, you must complete the following tasks:
- Create Interfaces and Zones for the LSVPN on the interface where you will configure each gateway. You must configure both the physical interface and the virtual tunnel interface.
- Enable SSL Between GlobalProtect LSVPN Components by configuring the gateway server certificates, SSL/TLS service profiles, and certificate profile required to establish a mutual SSL/TLS connection from the GlobalProtect satellites to the gateway.
Configure each GlobalProtect gateway to participate in the LSVPN as follows:
Configure the Gateway for LSVPN
Configure the GlobalProtect Portal for LSVPN
The GlobalProtect portal provides the management functions for your GlobalProtect LSVPN. Every satellite system that participates in the LSVPN receives configuration information from the portal, including information about available gateways as well as the certificate it needs in order to connect to the gateways.
The following sections provide procedures for setting up the portal:
- GlobalProtect Portal for LSVPN Prerequisite Tasks
- Configure the Portal
- Define the Satellite Configurations
GlobalProtect Portal for LSVPN Prerequisite Tasks
Before configuring the GlobalProtect portal, you must complete the following tasks:
- Create Interfaces and Zones for the LSVPN on the interface where you will configure the portal.
- Enable SSL Between GlobalProtect LSVPN Components by creating an SSL/TLS service profile for the portal server certificate, issuing gateway server certificates, and configuring the portal to issue server certificates for the GlobalProtect satellites.
- Configure the Portal to Authenticate Satellites by defining the authentication profile that the portal will use to authenticate satellites if the serial number is not available.
- Configure GlobalProtect Gateways for LSVPN.
Configure the Portal
After you have completed the GlobalProtect Portal for LSVPN Prerequisite Tasks, configure the GlobalProtect portal as follows:
Configure the Portal for LSVPN
Define the Satellite Configurations
When a GlobalProtect satellite connects and successfully authenticates to the GlobalProtect portal, the portal delivers a satellite configuration, which specifies what gateways the satellite can connect to. If all your satellites will use the same gateway and certificate configurations, you can create a single satellite configuration to deliver to all satellites upon successful authentication. However, if you require different satellite configurations (for example, if you want one group of satellites to connect to one gateway and another group of satellites to connect to a different gateway), you can create a separate satellite configuration for each. The portal will then use the enrollment username/group name or the serial number of the satellite to determine which satellite configuration to deploy. As with security rule evaluation, the portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding configuration to the satellite.
For example, the following figure shows a network in which some branch offices require VPN access to the corporate applications protected by your perimeter firewalls and another site needs VPN access to the data center.
Use the following procedure to create one or more satellite configurations.
Create a GlobalProtect Satellite Configuration
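To make the two portal decisions described above concrete (check the serial number first, fall back to the authentication profile when the serial is absent or unknown, then pick the satellite configuration by top-down first match), here is an added Python model of that logic. It is example code written for this page, not PAN-OS code; the Portal and SatelliteConfig classes, the local-database credential check, and the serial numbers, usernames and gateway names are all constructed assumptions. The constructor refuses a portal without an authentication profile, mirroring the commit requirement stated above.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed local-database credentials: username -> SHA-256 of the password.
# Placeholder values for this example only; nothing here comes from the guide.
LOCAL_DB = {
    "branch-admin": hashlib.sha256(b"example-only").hexdigest(),
}


def local_db_auth(username, password):
    """Stand-in for the authentication profile (a local database here)."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    expected = LOCAL_DB.get(username)
    return expected is not None and hmac.compare_digest(digest, expected)


@dataclass
class SatelliteConfig:
    name: str
    gateways: list                              # gateways the satellite may connect to
    serials: set = field(default_factory=set)   # match by satellite serial number
    users: set = field(default_factory=set)     # match by enrollment user/group name
    any_satellite: bool = False                 # catch-all entry at the end of the list


class Portal:
    def __init__(self, authorized_serials, auth_profile, configs):
        # The portal always falls back to the authentication profile, so the
        # configuration cannot be committed without one.
        if auth_profile is None:
            raise ValueError("commit failed: an authentication profile is required")
        self.authorized_serials = set(authorized_serials)
        self.auth_profile = auth_profile
        self.configs = list(configs)  # ordered; evaluated from the top

    def authenticate(self, serial=None, username=None, password=None):
        """Return ('serial', s) or ('user', u) on success, None on failure."""
        # The serial number is always checked first...
        if serial is not None and serial in self.authorized_serials:
            return ("serial", serial)
        # ...and only if it is absent or unknown does the satellite administrator
        # authenticate with a username and password.
        if username is not None and password is not None and self.auth_profile(username, password):
            return ("user", username)
        return None

    def select_config(self, identity):
        """First match from the top of the list, as with security rule evaluation."""
        kind, value = identity
        for cfg in self.configs:
            if cfg.any_satellite:
                return cfg
            if kind == "serial" and value in cfg.serials:
                return cfg
            if kind == "user" and value in cfg.users:
                return cfg
        return None

    def enroll(self, serial=None, username=None, password=None):
        """Full flow: authenticate, then name the configuration that gets pushed."""
        identity = self.authenticate(serial, username, password)
        if identity is None:
            return None
        cfg = self.select_config(identity)
        return None if cfg is None else cfg.name


def commit_requires_auth_profile():
    """True when a portal without an authentication profile is rejected."""
    try:
        Portal([], None, [])
    except ValueError:
        return True
    return False


# Constructed sample portal: two satellite configurations, evaluated in order.
PORTAL = Portal(
    authorized_serials={"0123456789"},
    auth_profile=local_db_auth,
    configs=[
        SatelliteConfig("branch-offices", ["gw-perimeter"], serials={"0123456789"}),
        SatelliteConfig("datacenter-site", ["gw-datacenter"], users={"branch-admin"}),
    ],
)
```

A satellite presenting the authorized serial gets the first configuration; one with an unknown serial is only admitted after a valid username and password and is matched on the username instead.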
Prepare the Satellite to Join the LSVPN
To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is minimal, you can preconfigure the satellites before shipping them to your branch offices for installation.
Prepare the Satellite to Join the GlobalProtect LSVPN
Verify the LSVPN Configuration
After configuring the portal, gateways, and satellites, verify that the satellites are able to connect to the portal and gateway and establish VPN tunnels with the gateway(s).
Verify the LSVPN Configuration
LSVPN Quick Configs
The following sections provide step-by-step instructions for configuring some common GlobalProtect LSVPN deployments:
- Basic LSVPN Configuration with Static Routing
- Advanced LSVPN Configuration with Dynamic Routing
- Advanced LSVPN Configuration with iBGP
Basic LSVPN Configuration with Static Routing
This quick config shows the fastest way to get up and running with LSVPN. In this example, a single firewall at the corporate headquarters site is configured as both a portal and a gateway. Satellites can be quickly and easily deployed with minimal configuration for optimized scalability.
The following workflow shows the steps for setting up this basic configuration:
Quick Config: Basic LSVPN with Static Routing
Advanced LSVPN Configuration with Dynamic Routing
In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations because access routes will update dynamically. The following example configuration shows how to extend the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.
Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the gateways and the satellites:
- Manual assignment of IP addresses to tunnel interfaces on all gateways and satellites.
- Configuration of OSPF point-to-multipoint (P2MP) on the virtual router on all gateways and satellites. In addition, as part of the OSPF configuration on each gateway, you must manually define the tunnel IP address of each satellite as an OSPF neighbor. Similarly, on each satellite, you must manually define the tunnel IP address of each gateway as an OSPF neighbor.
Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces the maintenance tasks associated with keeping routes up to date as topology changes occur on your network.
The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure OSPF as the dynamic routing protocol for the VPN.
For a basic setup of an LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can then complete the steps in the following workflow to extend the configuration to use dynamic routing rather than static routing.
Quick Config: LSVPN with Dynamic Routing
Advanced LSVPN Configuration with iBGP
This use case illustrates how GlobalProtect LSVPN securely connects distributed office locations with primary and disaster recovery data centers that house critical applications for users, and how internal Border Gateway Protocol (iBGP) eases deployment and upkeep. Using this method, you can extend up to 500 satellite offices connecting to a single gateway.
BGP is a highly scalable, dynamic routing protocol that is ideal for hub-and-spoke deployments such as LSVPN. As a dynamic routing protocol, it eliminates much of the overhead associated with access routes (static routes) by making it relatively easy to deploy additional satellite firewalls. Due to its route filtering capabilities and features such as multiple tunable timers, route dampening, and route refresh, BGP scales to a much higher number of routing prefixes with greater stability than other routing protocols like RIP and OSPF. In the case of iBGP, a peer group, which includes all the satellites and gateways in the LSVPN deployment, establishes adjacencies over the tunnel endpoints. The protocol then implicitly takes control of route advertisements, updates, and convergence.
In this example configuration, an active/passive HA pair of PA-5050 firewalls is deployed in the primary (active) data center and acts as the portal and primary gateway. The disaster recovery data center also has two PA-5050s in an active/passive HA pair acting as the backup LSVPN gateway. The portal and gateways serve 500 PA-200s deployed as LSVPN satellites in branch offices.
Both data center sites advertise routes but with different metrics. As a result, the satellites prefer and install the active data center's routes. However, the backup routes also exist in the local routing information base (RIB). If the active data center fails, the routes advertised by that data center are removed and replaced with the routes from the disaster recovery data center. The failover time depends on the selection of iBGP timers and the routing convergence associated with iBGP.
The following workflow shows the steps for configuring this deployment:
Configure LSVPN with iBGP
Step 8: Verify the LSVPN Configuration.
Configure Interfaces
A Palo Alto Networks next-generation firewall can operate in multiple deployments at once because the deployments occur at the interface level. For example, you can configure some interfaces as Layer 3 interfaces to integrate the firewall into your dynamic routing environment, while configuring other interfaces to integrate into your Layer 2 switching network. The following topics describe each type of interface deployment and how to configure the corresponding interface types:
- Tap Interfaces
- Virtual Wire Interfaces
- Layer 2 Interfaces
- Layer 3 Interfaces
- Configure an Aggregate Interface Group
- Use Interface Management Profiles to Restrict Access
Tap Interfaces
A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.
The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.
When deployed in tap mode, the firewall is not able to take action, such as block traffic or apply QoS traffic control.
Virtual Wire Interfaces
Virtual Wire Deployments can use virtual wire subinterfaces to separate traffic into zones. In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together and should be used only when no switching or routing is needed.
A virtual wire deployment:
- Simplifies installation and configuration.
- Does not require any configuration changes to surrounding or adjacent network devices.
The virtual wire deployment shipped as the factory default configuration (default-vwire) binds together Ethernet ports 1 and 2 and allows all untagged traffic. You can, however, use a virtual wire to connect any two ports and configure it to block or allow traffic based on the virtual LAN (VLAN) tags; the VLAN tag 0 indicates untagged traffic. You can also create multiple subinterfaces, add them into different zones and then classify traffic according to a VLAN tag, or a combination of a VLAN tag with IP classifiers (address, range, or subnet), to apply granular policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.
Figure: Virtual Wire Deployment
- Virtual Wire Subinterfaces
- Configure Virtual Wires
Virtual Wire Subinterfaces
Virtual wire subinterfaces provide flexibility in enforcing distinct policies when you need to manage traffic from multiple customer networks. They allow you to separate and classify traffic into different zones (the zones can belong to separate virtual systems, if required) using the following criteria:
- VLAN tags: The example in Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) shows an Internet Service Provider (ISP) using virtual wire subinterfaces with VLAN tags to separate traffic for two different customers.
- VLAN tags in conjunction with IP classifiers (address, range, or subnet): The following example shows an ISP with two separate virtual systems on a firewall that manages traffic from two different customers. On each virtual system, the example illustrates how virtual wire subinterfaces with VLAN tags and IP classifiers are used to classify traffic into separate zones and apply relevant policy for customers from each network.
Virtual Wire Subinterface Workflow
1. Configure two Ethernet interfaces as type virtual wire, and assign these interfaces to a virtual wire.
2. Create subinterfaces on the parent Virtual Wire to separate Customer A and Customer B traffic. Make sure that the VLAN tags defined on each pair of subinterfaces that are configured as virtual wire(s) are identical. This is essential because a virtual wire does not switch VLAN tags.
3. Create new subinterfaces and define IP classifiers. This task is optional and only required if you wish to add additional subinterfaces with IP classifiers for further managing traffic from a customer based on the combination of VLAN tags and a specific source IP address, range or subnet.
You can also use IP classifiers for managing untagged traffic. To do so, you must create a subinterface with the VLAN tag 0, and define subinterface(s) with IP classifiers for managing untagged traffic using IP classifiers.
IP classification may only be used on the subinterfaces associated with one side of the virtual wire. The subinterfaces defined on the corresponding side of the virtual wire must use the same VLAN tag, but must not include an IP classifier.
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only)
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) depicts Customer A and Customer B connected to the firewall through one physical interface, ethernet1/1, configured as a Virtual Wire; it is the ingress interface. A second physical interface, ethernet1/2, is also part of the Virtual Wire; it is the egress interface that provides access to the Internet. For Customer A, you also have subinterfaces ethernet1/1.1 (ingress) and ethernet1/2.1 (egress). For Customer B, you have the subinterface ethernet1/1.2 (ingress) and ethernet1/2.2 (egress). When configuring the subinterfaces, you must assign the appropriate VLAN tag and zone in order to apply policies for each customer. In this example, the policies for Customer A are created between Zone1 and Zone2, and policies for Customer B are created between Zone3 and Zone4.
When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this example, a single subinterface matches the VLAN tag on the incoming packet, hence that subinterface is selected. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.
The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers) depicts Customer A and Customer B connected to one physical firewall that has two virtual systems (vsys), in addition to the default virtual system (vsys1). Each virtual system is an independent virtual firewall that is managed separately for each customer. Each vsys has attached interfaces/subinterfaces and security zones that are managed independently.
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers)
Vsys1 is set up to use the physical interfaces ethernet1/1 and ethernet1/2 as a virtual wire; ethernet1/1 is the ingress interface and ethernet1/2 is the egress interface that provides access to the Internet. This virtual wire is configured to accept all tagged and untagged traffic with the exception of VLAN tags 100 and 200 that are assigned to the subinterfaces.
Customer A is managed on vsys2 and Customer B is managed on vsys3. On vsys2 and vsys3, the following vwire subinterfaces are created with the appropriate VLAN tags and zones to enforce policy measures.
When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this case, for Customer A, there are multiple subinterfaces that use the same VLAN tag. Hence, the firewall first narrows the classification to a subinterface based on the source IP address in the packet. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.
For return path traffic, the firewall compares the destination IP address against the IP classifier defined on the customer-facing subinterface and selects the appropriate virtual wire to route traffic through the correct subinterface.
The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
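The two-stage classification just described (match the VLAN tag first, then narrow by IP classifier when several subinterfaces share a tag) and the three configuration checks this section asks you to verify are shown below as an added Python example. This is illustrative code written for this page, not PAN-OS code; the Subinterface class, the classify and validate_vwire functions, and the subinterface names, VLAN tags, zones and address ranges are constructed assumptions modelled loosely on the figure with VLAN tags and IP classifiers. The example goes slightly beyond the text in that it accepts all three classifier forms the guide names (single address, range, subnet).

```python
import ipaddress


def parse_classifier(text):
    """An IP classifier as the guide describes it: a single address, a range
    written 'a-b', or a subnet in CIDR form. Returned as an inclusive integer span."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return int(lo), int(hi)
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.ip_address(text))
    return addr, addr


class Subinterface:
    def __init__(self, name, vlan_tag, zone, classifiers=()):
        self.name, self.vlan_tag, self.zone = name, vlan_tag, zone
        self.classifiers = [parse_classifier(c) for c in classifiers]

    def matches_ip(self, ip):
        n = int(ipaddress.ip_address(ip))
        return any(lo <= n <= hi for lo, hi in self.classifiers)


def classify(subinterfaces, vlan_tag, ip):
    """Select the subinterface for a packet. Step 1: match the VLAN tag.
    Step 2: if several subinterfaces share the tag, narrow by IP classifier.
    Use the source IP for ingress traffic and the destination IP on the
    return path, as the text describes."""
    candidates = [s for s in subinterfaces if s.vlan_tag == vlan_tag]
    if not candidates:
        return None
    if len(candidates) == 1:
        return candidates[0]
    for s in candidates:
        if s.matches_ip(ip):
            return s
    # No classifier matched: fall back to a tag-only subinterface, if there is one.
    return next((s for s in candidates if not s.classifiers), None)


def validate_vwire(parent_tag_allowed, ingress, egress):
    """Configuration checks from this section: a tag on the parent's Tag Allowed
    list must not reappear on a subinterface, each ingress/egress pair must carry
    the same VLAN tag (a vwire does not switch tags), and IP classifiers may be
    used on one side of the wire only."""
    problems = []
    for s in ingress + egress:
        if s.vlan_tag in parent_tag_allowed:
            problems.append(f"{s.name}: VLAN {s.vlan_tag} is also on the parent Tag Allowed list")
    for a, b in zip(ingress, egress):
        if a.vlan_tag != b.vlan_tag:
            problems.append(f"{a.name}/{b.name}: VLAN tags differ")
        if a.classifiers and b.classifiers:
            problems.append(f"{a.name}/{b.name}: IP classifiers on both sides of the wire")
    return problems


# Constructed sample: Customer A has two subinterfaces that share VLAN 100 and
# are told apart by source address; Customer B uses VLAN 200 with no classifier.
INGRESS = [
    Subinterface("ethernet1/1.1", 100, "zone1", ["192.168.10.0/24"]),
    Subinterface("ethernet1/1.2", 100, "zone3", ["192.168.20.1-192.168.20.50"]),
    Subinterface("ethernet1/1.3", 200, "zone5"),
]
EGRESS = [
    Subinterface("ethernet1/2.1", 100, "zone2"),
    Subinterface("ethernet1/2.2", 100, "zone4"),
    Subinterface("ethernet1/2.3", 200, "zone6"),
]
```

With the parent Tag Allowed list holding only tag 0 (untagged), validate_vwire reports nothing; putting 100 on that list flags all four subinterfaces that use it, which is exactly the misconfiguration the note above warns about.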
Configure Virtual Wires
The following task shows how to configure a pair of virtual wire interfaces.
Configure Virtual Wires
Layer 2 Interfaces
In a Layer 2 deployment, the firewall provides switching between two or more networks. Devices are connected to a Layer 2 segment; the firewall forwards the frames to the proper port, which is associated with the MAC address identified in the frame. Configure a Layer 2 Interface when switching is required.
Figure: Layer 2 Deployment
In a Layer 2 deployment, the firewall rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards it out. The firewall rewrites such BPDUs on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only.
A Cisco switch must have the loopguard disabled for the PVST+ or Rapid PVST+ BPDU rewrite to function properly on the firewall.
The following topics describe the different types of Layer 2 interfaces you can configure for each type of deployment you need, including details on using virtual LANs (VLANs) for traffic and policy separation among groups.
- Layer 2 Interfaces with No VLANs
- Layer 2 Interfaces with VLANs
- Configure a Layer 2 Interface
- Configure a Layer 2 Interface, Subinterface, and VLAN
Layer 2 Interfaces with No VLANs
Configure a Layer 2 Interface on the firewall so it can act as a switch in your Layer 2 network (not at the edge of the network). The Layer 2 hosts are probably geographically close to each other and belong to a single broadcast domain. The firewall provides security between the Layer 2 hosts when you assign the interfaces to security zones and apply security rules to the zones.
The hosts communicate with the firewall and each other at Layer 2 of the OSI model by exchanging frames. A frame contains an Ethernet header that includes a source and destination Media Access Control (MAC) address, which is a physical hardware address. MAC addresses are 48-bit hexadecimal numbers formatted as six octets separated by a colon or hyphen (for example, 00-85-7E-46-F1-B2).
The following figure has a firewall with three Layer 2 interfaces that each connect to a Layer 2 host in a one-to-one mapping.
The firewall begins with an empty MAC table. When the host with source address 0A-76-F2-60-EA-83 sends a frame to the firewall, the firewall doesn't have destination address 0B-68-2D-05-12-76 in its MAC table, so it doesn't know which interface to forward the frame to; it broadcasts the frame to all of its Layer 2 interfaces. The firewall puts source address 0A-76-F2-60-EA-83 and the associated interface Eth1/1 into its MAC table.
The host at 0C-71-D4-E6-13-44 receives the broadcast, but the destination MAC address is not its own MAC address, so it drops the frame.
The receiving interface Ethernet1/2 forwards the frame to its host. When host 0B-68-2D-05-12-76 responds, it uses the destination address 0A-76-F2-60-EA-83, and the firewall adds to its MAC table Ethernet1/2 as the interface to reach 0B-68-2D-05-12-76.
Layer 2 Interfaces with VLANs
When your organization wants to divide a LAN into separate virtual LANs (VLANs) to keep traffic and policies for different departments separate, you can logically group Layer 2 hosts into VLANs and thus divide a Layer 2 network segment into broadcast domains. For example, you can create VLANs for the Finance and Engineering departments. To do so, Configure a Layer 2 Interface, Subinterface, and VLAN.
The firewall acts as a switch to forward a frame with an Ethernet header containing a VLAN ID, and the destination interface must have a subinterface with that VLAN ID in order to receive that frame and forward it to the host. You configure a Layer 2 interface on the firewall and configure one or more logical subinterfaces for the interface, each with a VLAN tag (ID).
In the following figure, the firewall has four Layer 2 interfaces that connect to Layer 2 hosts belonging to different departments within an organization. Ethernet interface 1/3 is configured with subinterface .1 (tagged with VLAN 10) and subinterface .2 (tagged with VLAN 20), thus there are two broadcast domains on that segment. Hosts in VLAN 10 belong to Finance; hosts in VLAN 20 belong to Engineering.
In this example, the host at MAC address 0A-76-F2-60-EA-83 sends a frame with VLAN ID 10 to the firewall, which the firewall broadcasts to its other L2 interfaces. Ethernet interface 1/3 accepts the frame because it's connected to the host with destination 0C-71-D4-E6-13-44 and its subinterface .1 is assigned VLAN 10. Ethernet interface 1/3 forwards the frame to the Finance host.
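The MAC learning and flooding behaviour walked through in the two sections above (empty MAC table, flood on unknown destination, learn the source, then unicast the reply, and with VLANs flood only within the broadcast domain) is modelled here as an added Python example. This is illustrative code written for this page, not PAN-OS code; the Layer2Switch class and its interface-to-VLAN map are assumptions, and the MAC addresses and interface names are taken from the walkthrough above.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"


class Layer2Switch:
    """Learning switch. `interfaces` maps an interface or subinterface name to
    the set of VLAN IDs it carries; None stands for untagged frames. A
    subinterface such as 'ethernet1/3.1' is just an entry keyed by its VLAN tag."""

    def __init__(self, interfaces):
        self.interfaces = interfaces
        # One MAC table per broadcast domain: (vlan, mac) -> interface
        self.mac_table = {}

    def forward(self, ingress, src_mac, dst_mac, vlan=None):
        """Return the list of interfaces the frame is sent out of."""
        if vlan not in self.interfaces[ingress]:
            return []  # the ingress interface does not carry this VLAN: drop
        # Learn: the source MAC is reachable through the ingress interface.
        self.mac_table[(vlan, src_mac)] = ingress
        known = self.mac_table.get((vlan, dst_mac))
        if known is not None and dst_mac != BROADCAST:
            return [known] if known != ingress else []
        # Unknown destination or broadcast: flood to every other interface in the VLAN.
        return [name for name, vlans in self.interfaces.items()
                if name != ingress and vlan in vlans]


def walk_flat_example():
    """The 'no VLANs' walkthrough: three interfaces, one host each."""
    sw = Layer2Switch({"ethernet1/1": {None}, "ethernet1/2": {None}, "ethernet1/3": {None}})
    a, b = "0A-76-F2-60-EA-83", "0B-68-2D-05-12-76"
    first = sw.forward("ethernet1/1", a, b)   # b unknown: flooded to 1/2 and 1/3
    reply = sw.forward("ethernet1/2", b, a)   # a already learned: unicast to 1/1
    return first, reply, dict(sw.mac_table)


def walk_vlan_example():
    """The VLAN walkthrough: ethernet1/3 has subinterfaces .1 (VLAN 10) and .2 (VLAN 20).
    Constructed VLAN membership for the other interfaces."""
    sw = Layer2Switch({
        "ethernet1/1": {10}, "ethernet1/2": {20},
        "ethernet1/3.1": {10}, "ethernet1/3.2": {20}, "ethernet1/4": {20},
    })
    a, c = "0A-76-F2-60-EA-83", "0C-71-D4-E6-13-44"
    in_vlan_10 = sw.forward("ethernet1/1", a, c, vlan=10)  # floods only within VLAN 10
    wrong_vlan = sw.forward("ethernet1/1", a, c, vlan=20)  # 1/1 does not carry VLAN 20
    return in_vlan_10, wrong_vlan
```

Keeping the MAC table keyed by VLAN as well as MAC is what makes the two subinterfaces on ethernet1/3 separate broadcast domains: a frame tagged 10 never reaches ethernet1/3.2 even though it arrives on the same physical port.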
Configure a Layer 2 Interface
Configure Layer 2 Interfaces with No VLANs when you want Layer 2 switching and you don't need to separate traffic among VLANs.
Configure a Layer 2 Interface
Configure a Layer 2 Interface, Subinterface, and VLAN
Configure Layer 2 Interfaces with VLANs when you want Layer 2 switching and traffic separation among VLANs. You can optionally control non-IP protocols between security zones on a Layer 2 interface or between interfaces within a single zone on a Layer 2 VLAN.
Configure a Layer 2 Interface and Subinterface and Assign a VLAN ID
Layer 3 Interfaces
In a Layer 3 deployment, the firewall routes traffic between multiple ports. Before you can Configure Layer 3 Interfaces, you must configure the Virtual Routers that you want the firewall to use to route the traffic for each Layer 3 interface.
Figure: Layer 3 Deployment
The following topics describe how to configure Layer 3 interfaces. This topic explains Router Advertisements (RAs) that the firewall can send containing DNS Options to configure your IPv6 hosts. This topic describes Neighbor Discovery Protocol (NDP) monitoring, which you can use to view the IPv6 addresses of devices on the link-local network and quickly locate devices.
- Configure Layer 3 Interfaces
- Manage IPv6 Hosts Using NDP
Configure Layer 3 Interfaces
The following procedure is required to configure Layer 3 Interfaces (Ethernet, VLAN, loopback, and tunnel interfaces) with IPv4 or IPv6 addresses so that the firewall can perform routing on these interfaces. If a tunnel is used for routing or if tunnel monitoring is turned on, the tunnel needs an IP address. Before performing the following task, define one or more Virtual Routers.
You would typically use the following procedure to configure an external interface that connects to the internet and an interface for your internal network. You can configure both IPv4 and IPv6 addresses on a single interface.
PAN-OS firewall models support a maximum of 16,000 IP addresses assigned to physical or virtual Layer 3 interfaces; this maximum includes both IPv4 and IPv6 addresses.
If you're using IPv6 routes, you can configure the firewall to provide IPv6 Router Advertisements for DNS Configuration. The firewall provisions IPv6 DNS clients with Recursive DNS Server (RDNS) addresses and a DNS Search List so that the client can resolve its IPv6 DNS requests. Thus the firewall is acting like a DHCPv6 server for you.
Set Up a Layer 3 Interface and Zone
Step 13: Configure a Static Route to configure a default route.
Manage IPv6 Hosts Using NDP
This topic describes how the firewall uses NDP to provision IPv6 hosts and monitor IPv6 addresses.
- IPv6 Router Advertisements for DNS Configuration
- NDP Monitoring
- Enable NDP Monitoring
IPv6 Router Advertisements for DNS Configuration
The firewall implementation of Neighbor Discovery (ND) is enhanced so that you can provision IPv6 hosts with the Recursive DNS Server (RDNSS) Option and DNS Search List (DNSSL) Option per RFC 6106, IPv6 Router Advertisement Options for DNS Configuration. When you Configure Layer 3 Interfaces, you configure these DNS options on the firewall so the firewall can provision your IPv6 hosts; therefore you don't need a separate DHCPv6 server to provision the hosts. The firewall sends IPv6 Router Advertisements (RAs) containing these options to IPv6 hosts as part of their DNS configuration to fully provision them to reach internet services. Thus, your IPv6 hosts are configured with:
- The addresses of RDNS servers that can resolve DNS queries.
- A list of domain names (suffixes) that the DNS client appends (one at a time) to an unqualified domain name before entering the domain name into a DNS query.
IPv6 Router Advertisement for DNS configuration is supported for Ethernet interfaces, subinterfaces, Aggregated Ethernet interfaces, and Layer 3 VLAN interfaces on all PAN-OS platforms.
The capability of the firewall to send IPv6 RAs for DNS configuration allows the firewall to perform a role similar to DHCP, and is unrelated to the firewall being a DNS proxy, DNS client or DNS server.
After you configure the firewall with the addresses of RDNS servers, the firewall provisions an IPv6 host (the DNS client) with those addresses. The IPv6 host uses one or more of those addresses to reach an RDNS server. Recursive DNS refers to a series of DNS requests by an RDNS Server, as shown with three pairs of queries and responses in the following figure. For example, when a user tries to access www.paloaltonetworks.com, the local browser sees that it does not have the IP address for that domain name in its cache, nor does the client's operating system have it. The client's operating system launches a DNS query to a Recursive DNS Server belonging to the local ISP.
An IPv6 Router Advertisement can contain multiple DNS Recursive Server Address options, each with the same or different lifetimes. A single DNS Recursive DNS Server Address option can contain multiple Recursive DNS Server addresses as long as the addresses have the same lifetime.
A DNS Search List is a list of domain names (suffixes) that the firewall advertises to a DNS client. The firewall thus provisions the DNS client to use the suffixes in its unqualified DNS queries. The DNS client appends the suffixes, one at a time, to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name (FQDN) in the DNS query. For example, if a user (of the DNS client being configured) tries to submit a DNS query for the name quality without a suffix, the client appends a period and the first DNS suffix from the DNS Search List to the name and transmits a DNS query. If the first DNS suffix on the list is company.com, the resulting DNS query from the client is for the FQDN quality.company.com.
If the DNS query fails, the client appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The client uses the DNS suffixes in order until a DNS lookup succeeds (ignoring the remaining suffixes) or the client has tried all of the suffixes on the list.
You configure the firewall with the suffixes that you want to provide to the DNS client in an ND DNSSL option; the DNS client receiving the DNS Search List option is provisioned to use the suffixes in its unqualified DNS queries.
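To show what the RDNSS and DNSSL options from RFC 6106 look like on the wire, and how a client walks the search list the way the preceding paragraphs describe, here is an added Python example. It is illustrative code written for this page, not PAN-OS code. The option type codes 25 (RDNSS) and 31 (DNSSL) and the layout (type, length in 8-octet units, reserved, lifetime, then addresses or DNS-wire-format names padded to an 8-octet boundary) are as RFC 6106 specifies; the encode/decode/resolve functions, the search list, the server addresses and the lookup table are constructed assumptions.

```python
import ipaddress
import struct

RDNSS_TYPE, DNSSL_TYPE = 25, 31   # option type codes from RFC 6106


def encode_rdnss(addresses, lifetime):
    """RDNSS option: header (8 octets) followed by 16-octet IPv6 addresses."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    length = 1 + 2 * len(addresses)  # in units of 8 octets
    return struct.pack("!BBHI", RDNSS_TYPE, length, 0, lifetime) + body


def _encode_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def encode_dnssl(suffixes, lifetime):
    """DNSSL option: header, then the suffixes in wire format, zero-padded to 8 octets."""
    names = b"".join(_encode_name(s) for s in suffixes)
    names += b"\x00" * ((-len(names)) % 8)
    length = (8 + len(names)) // 8
    return struct.pack("!BBHI", DNSSL_TYPE, length, 0, lifetime) + names


def decode_option(data):
    """Parse one RA option; returns (type, lifetime, addresses-or-suffixes)."""
    otype, length = data[0], data[1]
    if len(data) != length * 8:
        raise ValueError("length field does not match option size")
    lifetime = struct.unpack("!I", data[4:8])[0]
    body = data[8:]
    if otype == RDNSS_TYPE:
        addrs = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, len(body), 16)]
        return otype, lifetime, addrs
    if otype == DNSSL_TYPE:
        names, pos = [], 0
        while pos < len(body) and body[pos] != 0:   # a zero here is padding
            labels = []
            while body[pos] != 0:
                n = body[pos]
                labels.append(body[pos + 1:pos + 1 + n].decode("ascii"))
                pos += 1 + n
            pos += 1                                 # skip the root label
            names.append(".".join(labels))
        return otype, lifetime, names
    raise ValueError(f"unsupported option type {otype}")


def resolve_with_search_list(name, search_list, lookup):
    """Client behaviour for an unqualified name: append each suffix in order and
    stop at the first lookup that succeeds. A name ending in '.' is tried as-is.
    Returns (fqdn, answer, names_tried); fqdn and answer are None on failure."""
    if name.endswith("."):
        candidates = [name.rstrip(".")]
    else:
        candidates = [f"{name}.{suffix}" for suffix in search_list]
    tried = []
    for fqdn in candidates:
        tried.append(fqdn)
        answer = lookup(fqdn)
        if answer is not None:
            return fqdn, answer, tried
    return None, None, tried


# Constructed sample data: the search list the firewall would advertise and a
# stand-in for the recursive resolver's answers.
SEARCH_LIST = ["company.com", "lab.company.com"]
ANSWERS = {"quality.lab.company.com": "2001:db8::7", "www.example.net": "2001:db8::10"}
sample_lookup = ANSWERS.get
```

Encoding two suffixes yields a 40-octet DNSSL option (length field 5), and decoding it returns the same two names, so the padding is correctly ignored on the way back. The resolver walk for the unqualified name quality tries quality.company.com first and succeeds only on the second suffix, matching the order of attempts the text describes.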
Configure RDNS Servers and DNS Search List
NDP Monitoring
Neighbor Discovery Protocol (NDP) for IPv6 (RFC 4861) performs functions similar to ARP functions for IPv4. The firewall by default runs NDP, which uses ICMPv6 packets to discover and track the link-layer addresses and status of neighbors on connected links.
Enable NDP Monitoring so you can view the IPv6 addresses of devices on the link-local network, their MAC address, associated username from User-ID (if the user of that device used the directory service to log in), reachability Status of the address, and Last Reported date and time the NDP monitor received a Router Advertisement from this IPv6 address. The username is on a best-case basis; there can be many IPv6 devices on a network with no username, such as printers, fax machines, servers, etc.
If you want to quickly track a device and user who has violated a security rule, it is very useful to have the IPv6 address, MAC address and username displayed all in one place. You need the MAC address that corresponds to the IPv6 address in order to trace the MAC address back to a physical switch or Access Point.
NDP monitoring is not guaranteed to discover all devices because there could be other networking devices between the firewall and the client that filter out NDP or Duplicate Address Detection (DAD) messages. The firewall can monitor only the devices that it learns about on the interface.
NDP monitoring also monitors Duplicate Address Detection (DAD) packets from clients and neighbors. You can also monitor IPv6 ND logs to make troubleshooting easier.
NDP monitoring is supported for Ethernet interfaces, subinterfaces, Aggregated Ethernet interfaces, and VLAN interfaces on all PAN-OS models.
Enable NDP Monitoring
Perform this task to enable NDP Monitoring for an interface.
Enable NDP Monitoring
The NDP Monitoring summary for the interface displays the list of IPv6 Prefixes that this interface will send in the Router Advertisement (RA) if RA is enabled (they are the IPv6 prefixes of the interface itself).
The summary also indicates whether DAD, Router Advertisement, and DNS Support are enabled; IP addresses of any Recursive DNS Servers configured; and any DNS suffixes configured on the DNS Search List.
3. Click on the NDP Monitoring icon to display detailed information.
Each row of the detailed NDP Monitoring table for the interface displays the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address, corresponding User-ID (on a best-case basis), reachability Status of the address, and Last Reported date and time this NDP Monitor received an RA from this IP address. A User-ID will not display for printers or other non-user-based hosts. If the status of the IP address is Stale, the neighbor is not known to be reachable, per RFC 4861.
At the bottom right is the count of Total Devices Detected on the link-local network.
- Enter an IPv6 address in the filter field to search for an address to display.
- Select the check boxes to display or not display IPv6 addresses.
- Click the numbers, the right or left arrow, or the vertical scroll bar to advance through many entries.
- Click Clear All NDP Entries to clear the entire table.
Configure an Aggregate Interface Group
An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue supporting traffic.
By default, interface failure detection is automatic only at the physical layer between directly connected peers. However, if you enable Link Aggregation Control Protocol (LACP), failure detection is automatic at the physical and data link layers regardless of whether the peers are directly connected. LACP also enables automatic failover to standby interfaces if you configured hot spares. All Palo Alto Networks firewalls except the PA-200 and VM-Series models support aggregate groups. You can add up to eight aggregate groups per firewall and each group can have up to eight interfaces.
PAN-OS firewall models support a maximum of 16,000 IP addresses assigned to physical or virtual Layer 3 interfaces; this maximum includes both IPv4 and IPv6 addresses.
Before configuring an aggregate group, you must configure its interfaces. All the interfaces in an aggregate group must be the same with respect to bandwidth and interface type. The options are:
- Bandwidth: 1Gbps or 10Gbps
- Interface type: HA3, virtual wire, Layer 2, or Layer 3. You can aggregate the HA3 (packet-forwarding) interfaces in an active/active high availability (HA) deployment but only for PA-500, PA-3000 Series, and PA-5000 Series firewalls.
This procedure describes configuration steps only for the Palo Alto Networks firewall. You must also configure the aggregate group on the peer device. Refer to the documentation of that device for instructions.
Configure an Aggregate Interface Group
Use Interface Management Profiles to Restrict Access
An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall interface permits for management traffic. For example, you might want to prevent users from accessing the firewall web interface over the ethernet1/1 interface but allow that interface to receive SNMP queries from your network monitoring system. In this case, you would enable SNMP and disable HTTP/HTTPS in an Interface Management profile and assign the profile to ethernet1/1.
You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). If you do not assign an Interface Management profile to an interface, it denies access for all IP addresses, protocols, and services by default.
The management (MGT) interface does not require an Interface Management profile. You restrict protocols, services, and IP addresses for the MGT interface when you Perform Initial Configuration of the firewall. In case the MGT interface goes down, allowing management access over another interface enables you to continue managing the firewall. However, as a best practice, use additional methods besides Interface Management profiles to prevent unauthorized access over that interface. These methods include role-based access control and access restrictions based on VLANs, virtual routers, or virtual systems.
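The decision an Interface Management profile encodes (which service, from which source addresses, on which interface; deny everything when no profile is assigned) is modelled below as an added Python example, together with a small audit that flags data-plane interfaces exposing interactive management to any source. This is illustrative code written for this page, not PAN-OS code; the InterfaceMgmtProfile class, the service-to-port mapping, the profile names, the interface assignments and the monitoring subnet are constructed assumptions. The ethernet1/1 SNMP-only case mirrors the example in the text above.

```python
import ipaddress
from dataclasses import dataclass, field

# Management services a profile can permit, keyed by transport and port.
# Assumed mapping for this example (the guide does not list ports here).
SERVICES = {
    ("tcp", 443): "https", ("tcp", 80): "http", ("tcp", 22): "ssh",
    ("udp", 161): "snmp", ("icmp", 0): "ping",
}


@dataclass
class InterfaceMgmtProfile:
    name: str
    services: set                                        # permitted services, e.g. {"snmp"}
    permitted_ips: list = field(default_factory=list)    # source networks; empty = any


def management_allowed(profile, proto, port, src_ip):
    """Decide whether management traffic arriving on an interface is accepted.
    No profile assigned means the interface denies all management access."""
    if profile is None:
        return False
    service = SERVICES.get((proto, port))
    if service is None or service not in profile.services:
        return False
    if profile.permitted_ips:
        src = ipaddress.ip_address(src_ip)
        if not any(src in ipaddress.ip_network(n, strict=False) for n in profile.permitted_ips):
            return False
    return True


def audit_exposure(assignments):
    """Report interfaces whose profile permits interactive management
    (HTTP, HTTPS or SSH) from any source address."""
    findings = []
    for iface, profile in assignments.items():
        if profile is None:
            continue
        interactive = profile.services & {"http", "https", "ssh"}
        if interactive and not profile.permitted_ips:
            findings.append((iface, sorted(interactive)))
    return findings


# Constructed deployment: SNMP only, from the monitoring subnet, on ethernet1/1;
# no profile on ethernet1/2; an over-permissive profile on ethernet1/3.
MONITOR_ONLY = InterfaceMgmtProfile("monitor-only", {"snmp"}, ["10.10.5.0/24"])
ADMIN_ANY = InterfaceMgmtProfile("admin-any", {"https", "ssh"})
ASSIGNMENTS = {"ethernet1/1": MONITOR_ONLY, "ethernet1/2": None, "ethernet1/3": ADMIN_ANY}


def check(iface, proto, port, src_ip):
    """Evaluate a management request against the profile bound to `iface`."""
    return management_allowed(ASSIGNMENTS.get(iface), proto, port, src_ip)
```

Running audit_exposure over the sample assignments reports only ethernet1/3, which is the kind of interface the best-practice note above says to protect with additional controls rather than leave open.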
Configure and Assign an Interface Management Profile
Virtual Routers
The firewall uses virtual routers to obtain routes to other subnets by manually defining static routes or through participation in one or more Layer 3 routing protocols (dynamic routes). The routes that the firewall obtains through these methods populate the firewall's IP routing information base (RIB). When a packet is destined for a different subnet than the one it arrived on, the virtual router obtains the best route from the RIB, places it in the forwarding information base (FIB), and forwards the packet to the next hop router defined in the FIB. The firewall uses Ethernet switching to reach other devices on the same IP subnet. (An exception to one best route going in the FIB occurs if you are using ECMP, in which case all equal-cost routes go in the FIB.)
The Ethernet, VLAN, and tunnel interfaces defined on the firewall receive and forward Layer 3 packets. The destination zone is derived from the outgoing interface based on the forwarding criteria, and the firewall consults policy rules to identify the security policies that it applies to each packet. In addition to routing to other network devices, virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to another virtual router.
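The RIB-to-FIB selection described above (every learned route stays in the RIB, only the best route per prefix goes into the FIB, all equal-cost routes with ECMP, and forwarding picks the longest matching prefix) is modelled here as an added Python example. It is illustrative code written for this page, not PAN-OS code; a single metric stands in for the firewall's route preference, and the VirtualRouter class, prefixes and next-hop addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network in CIDR form
    next_hop: str    # next-hop router address, or 'connected'
    metric: int      # lower is preferred (simplified stand-in for route preference)
    source: str      # 'static', 'ospf', 'bgp', 'connected', ...


class VirtualRouter:
    def __init__(self, ecmp=False):
        self.rib = []        # every route learned, from every source
        self.ecmp = ecmp

    def add(self, prefix, next_hop, metric=10, source="static"):
        net = ipaddress.ip_network(prefix, strict=False)
        self.rib.append(Route(str(net), next_hop, metric, source))

    def fib(self):
        """Best route per prefix goes into the FIB (lowest metric); with ECMP
        every equal-cost next hop is kept, otherwise only the first."""
        by_prefix = defaultdict(list)
        for r in self.rib:
            by_prefix[r.prefix].append(r)
        table = {}
        for prefix, routes in by_prefix.items():
            best = min(r.metric for r in routes)
            hops = [r.next_hop for r in routes if r.metric == best]
            table[prefix] = hops if self.ecmp else hops[:1]
        return table

    def lookup(self, dst):
        """Longest-prefix match over the FIB; None when no route covers dst."""
        addr = ipaddress.ip_address(dst)
        best_net, best_hops = None, None
        for prefix, hops in self.fib().items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_hops = net, hops
        return best_hops


def build_sample_vr(ecmp):
    """Constructed routing table: a connected subnet, a static summary, the same
    OSPF prefix learned twice with different metrics, and two default routes."""
    vr = VirtualRouter(ecmp=ecmp)
    vr.add("10.1.1.0/24", "connected", metric=0, source="connected")
    vr.add("10.0.0.0/8", "10.1.1.254", metric=10, source="static")
    vr.add("10.5.0.0/16", "10.1.1.253", metric=30, source="ospf")
    vr.add("10.5.0.0/16", "10.1.1.254", metric=50, source="ospf")
    vr.add("0.0.0.0/0", "203.0.113.1", metric=10, source="static")
    vr.add("0.0.0.0/0", "203.0.113.2", metric=10, source="static")
    return vr
```

Both 10.5.0.0/16 routes remain in the RIB but only the lower-metric one is installed in the FIB; a destination inside 10.5.0.0/16 follows it rather than the shorter 10.0.0.0/8 summary, and the two equal-cost default routes are both installed only when ECMP is enabled.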
YoucanconfigureLayer3interfacesonavirtualroutertoparticipatewithdynamicroutingprotocols(BGP,
OSPF,OSPFv3,orRIP)aswellasaddstaticroutes.Youcanalsocreatemultiplevirtualrouters,each
maintainingaseparatesetofroutesthatarentsharedbetweenvirtualrouters,enablingyoutoconfigure
differentroutingbehaviorsfordifferentinterfaces.
EachLayer3Ethernet,loopback,VLAN,andtunnelinterfacedefinedonthefirewallmustbeassociatedwith
avirtualrouter.Whileeachinterfacecanbelongtoonlyonevirtualrouter,youcanconfiguremultiplerouting
protocolsandstaticroutesforavirtualrouter.Regardlessofthestaticroutesanddynamicroutingprotocols
youconfigureforavirtualrouter,onegeneralconfigurationisrequired:
Define a Virtual Router
Step 5 Configure Layer 3 Interfaces (Ethernet, VLAN, loopback, or tunnel interfaces).
Service Routes

The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, and Palo Alto Networks services such as software, URL updates, licenses, and AutoFocus. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route. The service packets exit the firewall on the port assigned for the external service and the server sends its response to the configured source interface and source IP address.

You can configure service routes globally for the firewall or Customize Service Routes for a Virtual System on a firewall enabled for multiple virtual systems so that you have the flexibility to use interfaces associated with a virtual system. Any virtual system that does not have a service route configured for a particular service inherits the interface and IP address that are set globally for that service.

The following procedure enables you to change the interface the firewall uses to send requests to external services.
Configure Service Routes on the Firewall

2. Click the Customize radio button, and select one of the following:
- For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface. You can specify both IPv4 and IPv6 addresses for a service. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
- To create a service route for a custom destination, select Destination, and click Add. Enter a Destination name and select a Source Interface. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
3. Click OK to save the settings.
4. Repeat steps 2-3 above for each service route you want to modify.
NOTE: To use the same source interface and source address for multiple services, select the check box for the services and click Set Selected Service Routes to easily update the selected service routes.
5. Commit your changes.
Static Routes

Static routes are typically used in conjunction with dynamic routing protocols. You might configure a static route for a location that a dynamic routing protocol can't reach. Static routes require manual configuration on every router in the network, rather than the firewall entering dynamic routes in its route tables; even though static routes require that configuration on all routers, they may be desirable in small networks rather than configuring a routing protocol.

Static Route Overview
Static Route Removal Based on Path Monitoring
Configure a Static Route
Configure Path Monitoring for a Static Route

Static Route Overview

If you decide that you want specific Layer 3 traffic to take a certain route without participating in IP routing protocols, you can Configure a Static Route using IPv4 and IPv6 routes.

A default route is a specific static route. If you don't use dynamic routing to obtain a default route for your virtual router, you must configure a static default route. When the virtual router has an incoming packet and finds no match for the packet's destination in its route table, the virtual router sends the packet to the default route. The default IPv4 route is 0.0.0.0/0; the default IPv6 route is ::/0. You can configure both an IPv4 and an IPv6 default route.

Static routes themselves don't change or adjust to changes in network environments, so traffic typically isn't rerouted if a failure occurs along the route to a statically defined endpoint. However, you have options to back up static routes in the event of a problem:
- You can configure a static route with a Bidirectional Forwarding Detection (BFD) profile so that if a BFD session between the firewall and the BFD peer fails, the firewall removes the failed static route from the RIB and FIB tables and uses an alternate path with a lower priority.
- You can Configure Path Monitoring for a Static Route so that the firewall can use an alternative route.

By default, static routes have an administrative distance of 10. When the firewall has two or more routes to the same destination, it uses the route with the lowest administrative distance. By increasing the administrative distance of a static route to a value higher than a dynamic route, you can use the static route as a backup route if the dynamic route is unavailable.

While you're configuring a static route, you can specify whether the firewall installs an IPv4 static route in the unicast or multicast route table (RIB), or both tables, or doesn't install the route at all. For example, you could install an IPv4 static route in the multicast route table only, because you want only multicast traffic to use that route. This option gives you more control over which route the traffic takes. You can specify whether the firewall installs an IPv6 static route in the unicast route table or not.
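The RIB-to-FIB selection described under Virtual Routers, together with the administrative-distance backup and default-route behavior described here, as an added Python model. This is not PAN-OS code; the route entries, next hops, and the administrative distance of 30 assigned to the dynamic route are constructed sample values.

```python
"""Added example, not PAN-OS code: a minimal model of how a virtual router
picks routes from its RIB for the FIB and then forwards by longest-prefix
match, falling back to the default route 0.0.0.0/0.

Selection rule modeled from the text above: for routes to the same prefix,
the lowest administrative distance wins (static routes default to 10);
ties go to the lowest metric; with ECMP enabled all equal-cost routes stay
in the FIB. All addresses and distances below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str                # destination, e.g. "10.1.0.0/16"
    next_hop: str
    admin_distance: int = 10   # firewall default for static routes
    metric: int = 10
    source: str = "static"     # "static", "ospf", ... (informational only)


def build_fib(rib, ecmp=False):
    """Return {prefix: [Route, ...]} holding the best route(s) per prefix.

    Without ECMP a single route is kept (the first in RIB order among exact
    ties); with ECMP every route tying on (admin_distance, metric) is kept."""
    by_prefix = {}
    for route in rib:
        by_prefix.setdefault(route.prefix, []).append(route)
    fib = {}
    for prefix, routes in by_prefix.items():
        best_key = min((r.admin_distance, r.metric) for r in routes)
        best = [r for r in routes if (r.admin_distance, r.metric) == best_key]
        fib[prefix] = best if ecmp else best[:1]
    return fib


def lookup(fib, destination):
    """Longest-prefix match of destination against the FIB.

    Returns the list of next hops for the matching prefix (one entry unless
    ECMP kept several), or None when nothing matches, not even a default."""
    addr = ip_address(destination)
    matches = [(ip_network(p).prefixlen, p) for p in fib if addr in ip_network(p)]
    if not matches:
        return None
    _, prefix = max(matches)
    return [r.next_hop for r in fib[prefix]]


def sample_rib():
    """Constructed RIB: a static default, an OSPF-learned route, a static
    backup to the same destination with a deliberately higher distance, and
    two equal-cost OSPF routes for the ECMP case."""
    return [
        Route("0.0.0.0/0", "192.0.2.10"),                                       # static default, AD 10
        Route("10.1.0.0/16", "10.0.0.2", admin_distance=30, metric=20, source="ospf"),
        Route("10.1.0.0/16", "10.0.0.3", admin_distance=40, source="static"),   # backup only
        Route("10.2.0.0/16", "10.0.0.5", admin_distance=30, metric=5, source="ospf"),
        Route("10.2.0.0/16", "10.0.0.6", admin_distance=30, metric=5, source="ospf"),
    ]
```

Withdrawing the OSPF route for 10.1.0.0/16 from the RIB and rebuilding the FIB makes the static backup (distance 40) take over, which is the backup behavior the paragraph on administrative distance describes.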
Static Route Removal Based on Path Monitoring

When you Configure Path Monitoring for a Static Route, the firewall uses path monitoring to detect when the path to one or more monitored destinations has gone down. The firewall can then reroute traffic using an alternative route. The firewall uses path monitoring for static routes much like path monitoring for HA or policy-based forwarding (PBF), as follows:
- The firewall sends ICMP ping messages (heartbeat messages) to one or more monitored destinations that you determine are robust and reflect the availability of the static route.
- If pings to any or all of the monitored destinations fail, the firewall considers the static route down too and removes it from the Routing Information Base (RIB) and Forwarding Information Base (FIB). The RIB is the table of static routes the firewall is configured with and dynamic routes it has learned from routing protocols. The FIB is the forwarding table of routes the firewall uses for forwarding packets. The firewall selects an alternative static route to the same destination (based on the route with the lowest metric) from the RIB and places it in the FIB.
- The firewall continues to monitor the failed route. When the route comes back up, and (based on the Any or All failure condition) the path monitor returns to Up state, the preemptive hold timer begins. The path monitor must remain up for the duration of the hold timer; then the firewall considers the static route stable and reinstates it into the RIB. The firewall then compares metrics of routes to the same destination to decide which route goes in the FIB.

Path monitoring is a desirable mechanism to avoid blackholing traffic for:
- A static or default route.
- A static or default route redistributed into a routing protocol.
- A static or default route between two virtual routers in case one router has a problem (Bidirectional Forwarding Detection [BFD] doesn't function between virtual routers).
- A static or default route when one peer does not support BFD. (The best practice is not to enable both BFD and path monitoring on a single interface.)
- A static or default route instead of using PBF path monitoring, which doesn't remove a failed static route from the RIB, FIB, or redistribution policy.

In the following figure, the firewall is connected to two ISPs for route redundancy to the internet. The primary default route 0.0.0.0 (metric 10) uses Next Hop 192.0.2.10; the secondary default route 0.0.0.0 (metric 50) uses Next Hop 198.51.100.1. The customer premises equipment (CPE) for ISP A keeps the primary physical link active, even after internet connectivity goes down. With the link artificially active, the firewall can't detect that the link is down and that it should replace the failed route with the secondary route in its RIB.

To avoid blackholing traffic to a failed link, configure path monitoring of 192.0.2.20, 192.0.2.30, and 192.0.2.40, and if all (or any) of the paths to these destinations fail, the firewall presumes the path to Next Hop 192.0.2.10 is also down, removes the static route 0.0.0.0 (that uses Next Hop 192.0.2.10) from its RIB, and replaces it with the secondary route to the same destination 0.0.0.0 (that uses Next Hop 198.51.100.1), which also accesses the internet.

When you Configure a Static Route, one of the required fields is the Next Hop toward that destination. The type of next hop you configure determines the action the firewall takes during path monitoring, as follows:

If Next Hop Type in Static Route is: / Firewall Action for ICMP Ping
IP Address: The firewall uses the source IP address and egress interface of the static route as the source address and egress interface in the ICMP ping. It uses the configured Destination IP address of the monitored destination as the ping's destination address. It uses the static route's next hop address as the ping's next hop address.
Next VR: The firewall uses the source IP address of the static route as the source address in the ICMP ping. The egress interface is based on the lookup result from the next hop's virtual router. The configured Destination IP address of the monitored destination is the ping's destination address.
None: The firewall uses the destination IP address of the path monitor as the next hop and sends the ICMP ping to the interface specified in the static route.

When path monitoring for a static or default route fails, the firewall logs a critical event (path monitor failure). When the static or default route recovers, the firewall logs another critical event (path monitor recovery).

Firewalls synchronize path monitoring configurations for an active/passive HA deployment, but the firewall blocks egress ICMP ping packets on a passive HA peer because it is not actively processing traffic. The firewall doesn't synchronize path monitoring configurations for active/active HA deployments.
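The Any/All failure condition, preemptive hold timer, and metric comparison described above, as an added Python simulation. This is not PAN-OS code: ping results are supplied by the caller (no ICMP is sent) and the hold timer is counted in abstract ticks, both assumptions made so the example runs offline. The next hops, metrics, and monitored destinations are the ones from the two-ISP figure.

```python
"""Added example, not PAN-OS code: a simulation of Static Route Removal
Based on Path Monitoring. Ping results are supplied by the caller and the
preemptive hold timer is counted in ticks (assumptions for offline use).
Next hops, metrics and monitored destinations follow the two-ISP figure."""
from dataclasses import dataclass, field


@dataclass
class StaticRoute:
    destination: str
    next_hop: str
    metric: int
    in_rib: bool = True     # False while path monitoring has removed it


@dataclass
class PathMonitor:
    route: StaticRoute
    destinations: list               # monitored destination IPs
    failure_condition: str = "any"   # "any": one failed ping suffices; "all": every ping must fail
    hold_time: int = 2               # preemptive hold timer, in ticks
    up: bool = True
    hold_remaining: int = 0
    events: list = field(default_factory=list)   # stands in for the critical system-log events

    def evaluate(self, ping_ok):
        """Apply one round of results: {destination: True if the ping succeeded}."""
        failed = [d for d in self.destinations if not ping_ok.get(d, False)]
        if self.failure_condition == "all":
            monitor_down = len(failed) == len(self.destinations)
        else:
            monitor_down = len(failed) > 0
        if monitor_down:
            if self.up:
                self.events.append("path monitor failure")
            self.up = False
            self.hold_remaining = 0
            self.route.in_rib = False        # removed from RIB and FIB
        elif not self.up:
            self.up = True                   # monitor back up: hold timer starts
            self.hold_remaining = self.hold_time

    def tick(self):
        """One hold-timer interval elapses with the monitor still up."""
        if self.up and not self.route.in_rib:
            self.hold_remaining -= 1
            if self.hold_remaining <= 0:
                self.route.in_rib = True     # considered stable, reinstated into the RIB
                self.events.append("path monitor recovery")


def fib_next_hop(routes):
    """Of the RIB routes to one destination, the lowest metric goes into the FIB."""
    live = [r for r in routes if r.in_rib]
    return min(live, key=lambda r: r.metric).next_hop if live else None


def two_isp_scenario(failure_condition="all"):
    """Constructed scenario from the figure: primary and secondary default routes."""
    primary = StaticRoute("0.0.0.0/0", "192.0.2.10", metric=10)
    secondary = StaticRoute("0.0.0.0/0", "198.51.100.1", metric=50)
    monitor = PathMonitor(primary, ["192.0.2.20", "192.0.2.30", "192.0.2.40"],
                          failure_condition, hold_time=2)
    return primary, secondary, monitor
```

With the "all" condition a single failed destination leaves the primary route in place; once every monitored destination fails, the FIB switches to the metric-50 route, and after the pings recover the primary is only reinstated when the hold timer has run out.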
Configure a Static Route

Perform the following task to configure a static route or default route for a virtual router on the firewall.
Configure Path Monitoring for a Static Route

Use the following procedure to configure Static Route Removal Based on Path Monitoring.
RIP

Routing Information Protocol (RIP) is an interior gateway protocol (IGP) that was designed for small IP networks. RIP relies on hop count to determine routes; the best routes have the fewest number of hops. RIP is based on UDP and uses port 520 for route updates. By limiting routes to a maximum of 15 hops, the protocol helps prevent the development of routing loops, but also limits the supported network size. If more than 15 hops are required, traffic is not routed. RIP also can take longer to converge than OSPF and other routing protocols. The firewall supports RIPv2.

Perform the following procedure to configure RIP.

Configure RIP
OSPF

Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) that is most often used to dynamically manage network routes in large enterprise networks. It determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The information gathered from the LSAs is used to construct a topology map of the network. This topology map is shared across routers in the network and used to populate the IP routing table with available routes.

Changes in the network topology are detected dynamically and used to generate a new topology map within seconds. A shortest path tree is computed for each route. Metrics associated with each routing interface are used to calculate the best route. These can include distance, network throughput, link availability, etc. Additionally, these metrics can be configured statically to direct the outcome of the OSPF topology map.
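The shortest-path computation that OSPF runs over its link-state database, as an added Python example. This is not the firewall's OSPF implementation; the link-state database, router names, and interface costs are constructed samples, and with_cost stands in for an administrator statically changing a link metric to steer the result, as the paragraph above describes.

```python
"""Added example, not the firewall's OSPF implementation: the shortest path
first (SPF) computation OSPF runs over its link-state database, here a
Dijkstra search over a constructed topology. Each router is a node and each
link carries the outbound interface cost; the result is what the router
would install: for every destination, the summed cost and the next hop."""
import heapq

# Constructed link-state database: router -> {neighbor: cost of the outbound interface}.
LSDB = {
    "R1": {"R2": 10, "R3": 5},
    "R2": {"R1": 10, "R4": 1},
    "R3": {"R1": 5, "R4": 10},
    "R4": {"R2": 1, "R3": 10},
}


def spf(lsdb, root):
    """Return {destination: (total_cost, next_hop)} from root's point of view."""
    dist = {root: 0}
    next_hop = {}
    visited = set()
    heap = [(0, root, "")]            # (cost so far, router, first hop from root)
    while heap:
        cost, node, via = heapq.heappop(heap)
        if node in visited:
            continue                   # a cheaper path to node was already settled
        visited.add(node)
        if via:
            next_hop[node] = via
        for neighbor, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            if new_cost < dist.get(neighbor, float("inf")):
                dist[neighbor] = new_cost
                first_hop = neighbor if node == root else via
                heapq.heappush(heap, (new_cost, neighbor, first_hop))
    return {d: (dist[d], next_hop[d]) for d in dist if d != root}


def with_cost(lsdb, a, b, cost):
    """Copy of lsdb with the cost of the link a<->b changed, as an
    administrator would do statically to steer the SPF result."""
    copy = {router: dict(links) for router, links in lsdb.items()}
    copy[a][b] = cost
    copy[b][a] = cost
    return copy
```

From R1 the cheapest path to R4 runs through R2 (cost 11); raising the R2-R4 link cost to 20 moves that route to R3 (cost 15), which is the static-metric steering the text mentions.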
Palo Alto Networks' implementation of OSPF fully supports the following RFCs:
- RFC 2328 (for IPv4)
- RFC 5340 (for IPv6)

The following topics provide more information about OSPF and procedures for configuring OSPF on the firewall:
OSPF Concepts
Configure OSPF
Configure OSPFv3
Configure OSPF Graceful Restart
Confirm OSPF Operation

OSPF Concepts

The following topics introduce the OSPF concepts you will need to understand in order to configure the firewall to participate in an OSPF network:
OSPFv3
OSPF Neighbors
OSPF Areas
OSPF Router Types
OSPFv3

OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. It retains most of the structure and functions in OSPFv2 (for IPv4) with some minor changes. The following are some of the additions and changes to OSPFv3:
- Support for multiple instances per link: With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID.
- Protocol processing per link: OSPFv3 operates per link instead of per IP subnet as on OSPFv2.
- Changes to addressing: IPv6 addresses are not present in OSPFv3 packets, except for LSA payloads within link state update packets. Neighboring routers are identified by the Router ID.
- Authentication changes: OSPFv3 doesn't include any authentication capabilities. Configuring OSPFv3 on a firewall requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH). The re-keying procedure specified in RFC 4552 is not supported in this release.
- Support for multiple instances per link: Each instance corresponds to an instance ID contained in the OSPFv3 packet header.
- New LSA types: OSPFv3 supports two new LSA types: Link LSA and Intra Area Prefix LSA.

All additional changes are described in detail in RFC 5340.
OSPF Neighbors

Two OSPF-enabled routers connected by a common network and in the same OSPF area that form a relationship are OSPF neighbors. The connection between these routers can be through a common broadcast domain or by a point-to-point connection. This connection is made through the exchange of hello OSPF protocol packets. These neighbor relationships are used to exchange routing updates between routers.

OSPF Areas

OSPF operates within a single autonomous system (AS). Networks within this single AS, however, can be divided into a number of areas. By default, Area 0 is created. Area 0 can either function alone or act as the OSPF backbone for a larger number of areas. Each OSPF area is named using a 32-bit identifier which in most cases is written in the same dotted decimal notation as an IPv4 address. For example, Area 0 is usually written as 0.0.0.0.

The topology of an area is maintained in its own link state database and is hidden from other areas, which reduces the amount of traffic routing required by OSPF. The topology is then shared in a summarized form between areas by a connecting router.
OSPF Area Type / Description
Backbone Area: The backbone area (Area 0) is the core of an OSPF network. All other areas are connected to it and all traffic between areas must traverse it. All routing between areas is distributed through the backbone area. While all other OSPF areas must connect to the backbone area, this connection doesn't need to be direct and can be made through a virtual link.
Normal OSPF Area: In a normal OSPF area there are no restrictions; the area can carry all types of routes.
Stub OSPF Area: A stub area does not receive routes from other autonomous systems. Routing from the stub area is performed through the default route to the backbone area.
NSSA Area: The Not-So-Stubby Area (NSSA) is a type of stub area that can import external routes, with some limited exceptions.
OSPF Router Types

Within an OSPF area, routers are divided into the following categories:
- Internal Router: A router that has OSPF neighbor relationships only with devices in the same area.
- Area Border Router (ABR): A router that has OSPF neighbor relationships with devices in multiple areas. ABRs gather topology information from their attached areas and distribute it to the backbone area.
- Backbone Router: A backbone router is any OSPF router that is attached to the OSPF backbone. Since ABRs are always connected to the backbone, they are always classified as backbone routers.
- Autonomous System Boundary Router (ASBR): An ASBR is a router that attaches to more than one routing protocol and exchanges routing information between them.
Configure OSPF

OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The router keeps information about the links between it and the destination and can make highly efficient routing decisions. A cost is assigned to each router interface, and the best routes are determined to be those with the lowest costs, when summed over all the encountered outbound router interfaces and the interface receiving the LSA.

Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs. Because OSPF dynamically processes a considerable amount of route information, it has greater processor and memory requirements than does RIP.
Configure OSPFv3

OSPFv3 supports both IPv4 and IPv6. You must use OSPFv3 if you are using IPv6.
Configure OSPF Graceful Restart

OSPF Graceful Restart directs OSPF neighbors to continue using routes through a device during a short transition when it is out of service. This behavior increases network stability by reducing the frequency of routing table reconfiguration and the related route flapping that can occur during short periodic downtimes.

For a Palo Alto Networks firewall, OSPF Graceful Restart involves the following operations:
- Firewall as a restarting device: In a situation where the firewall will be down for a short period of time or is unavailable for short intervals, it sends Grace LSAs to its OSPF neighbors. The neighbors must be configured to run in Graceful Restart Helper mode. In Helper mode, the neighbors receive the Grace LSAs that inform them that the firewall will perform a graceful restart within a specified period of time defined as the Grace Period. During the grace period, the neighbor continues to forward routes through the firewall and to send LSAs that announce routes through the firewall. If the firewall resumes operation before expiration of the grace period, traffic forwarding will continue as before without network disruption. If the firewall does not resume operation after the grace period has expired, the neighbors will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the firewall.
- Firewall as a Graceful Restart Helper: In a situation where neighboring routers may be down for short periods of time, the firewall can be configured to operate in Graceful Restart Helper mode. If configured in this mode, the firewall will be configured with a Max Neighbor Restart Time. When the firewall receives the Grace LSAs from its OSPF neighbor, it will continue to route traffic to the neighbor and advertise routes through the neighbor until either the grace period or max neighbor restart time expires. If neither expires before the neighbor returns to service, traffic forwarding continues as before without network disruption. If either period expires before the neighbor returns to service, the firewall will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the neighbor.
Step 3 Verify that the following are selected (they are enabled by default):
- Enable Graceful Restart
- Enable Helper Mode
- Enable Strict LSA checking
These should remain selected unless required by your topology.
Confirm OSPF Operation

Once an OSPF configuration has been committed, you can use any of the following operations to confirm that OSPF is operating:
View the Routing Table
Confirm OSPF Adjacencies
Confirm that OSPF Connections are Established

View the Routing Table

By viewing the routing table, you can see whether OSPF routes have been established. The routing table is accessible from either the web interface or the CLI. If you are using the CLI, use the following commands:
show routing route
show routing fib

If you are using the web interface to view the routing table, use the following workflow:

View the Routing Table

Confirm OSPF Adjacencies

Use the following workflow to confirm that OSPF adjacencies have been established:

View the Neighbor Tab to Confirm OSPF Adjacencies

Confirm that OSPF Connections are Established

View the System log to confirm that the firewall has established OSPF connections.

Examine the System Log
BGP

Border Gateway Protocol (BGP) is the primary Internet routing protocol. BGP determines network reachability based on IP prefixes that are available within autonomous systems (AS), where an AS is a set of IP prefixes that a network provider has designated to be part of a single routing policy.

BGP Overview
MP-BGP
Configure BGP
Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
Configure a BGP Peer with MP-BGP for IPv4 Multicast

BGP Overview

BGP functions between autonomous systems (exterior BGP or eBGP) or within an AS (interior BGP or iBGP) to exchange routing and reachability information with BGP speakers. The firewall provides a complete BGP implementation, which includes the following features:
- Specification of one BGP routing instance per virtual router.
- BGP settings per virtual router, which include basic parameters such as local route ID and local AS, and advanced options such as path selection, route reflector, AS confederation, route flap dampening, and graceful restart.
- Peer group and neighbor settings, which include neighbor address and remote AS, and advanced options such as neighbor attributes and connections.
- Route policies to control route import, export and advertisement; prefix-based filtering; and address aggregation.
- IGP-BGP interaction to inject routes to BGP using redistribution profiles.
- Authentication profiles, which specify the MD5 authentication key for BGP connections. Authentication helps prevent route leaking and successful DoS attacks.
- Multiprotocol BGP (MP-BGP) to allow BGP peers to carry IPv6 unicast routes and IPv4 multicast routes in Update packets, and to allow the firewall and a BGP peer to communicate with each other using IPv6 addresses.
MP-BGP

BGP supports IPv4 unicast prefixes, but a BGP network that uses IPv4 multicast routes or IPv6 unicast prefixes needs multiprotocol BGP (MP-BGP) in order to exchange routes of address types other than IPv4 unicast. MP-BGP allows BGP peers to carry IPv4 multicast routes and IPv6 unicast routes in Update packets, in addition to the IPv4 unicast routes that BGP peers can carry without MP-BGP enabled.

In this way, MP-BGP provides IPv6 connectivity to your BGP networks that use either native IPv6 or dual stack IPv4 and IPv6. Service providers can offer IPv6 service to their customers, and enterprises can use IPv6 service from service providers. The firewall and a BGP peer can communicate with each other using IPv6 addresses.

In order for BGP to support multiple network layer protocols (other than BGP for IPv4), Multiprotocol Extensions for BGP-4 (RFC 4760) use Network Layer Reachability Information (NLRI) in a Multiprotocol Reachable NLRI attribute that the firewall sends and receives in BGP Update packets. That attribute contains information about the destination prefix, including these two identifiers:
- The Address Family Identifier (AFI), as defined by the IANA in Address Family Numbers, indicates that the destination prefix is an IPv4 or IPv6 address. (PAN-OS supports IPv4 and IPv6 AFIs.)
- The Subsequent Address Family Identifier (SAFI) in PAN-OS indicates that the destination prefix is a unicast or multicast address (if the AFI is IPv4), or that the destination prefix is a unicast address (if the AFI is IPv6). PAN-OS does not support IPv6 multicast.
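The AFI and SAFI identifiers described above, as carried in the MP_REACH_NLRI attribute of RFC 4760, as an added Python encoder and parser. This is not PAN-OS code; the SUPPORTED set only restates the address-family combinations the text says PAN-OS accepts, and the next hops and prefixes are constructed samples.

```python
"""Added example, not PAN-OS code: encode and decode the value of the
MP_REACH_NLRI path attribute (RFC 4760) that MP-BGP peers exchange in Update
messages. Layout: AFI (2 bytes), SAFI (1), next-hop length (1), next hop,
one reserved byte, then NLRI entries of prefix length (bits) + prefix bytes.
Addresses below are constructed samples."""
import struct
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network

AFI_IPV4, AFI_IPV6 = 1, 2
SAFI_UNICAST, SAFI_MULTICAST = 1, 2
AFI_NAMES = {AFI_IPV4: "IPv4", AFI_IPV6: "IPv6"}
SAFI_NAMES = {SAFI_UNICAST: "unicast", SAFI_MULTICAST: "multicast"}
# Combinations the text above says PAN-OS supports (no IPv6 multicast).
SUPPORTED = {(AFI_IPV4, SAFI_UNICAST), (AFI_IPV4, SAFI_MULTICAST), (AFI_IPV6, SAFI_UNICAST)}


def build_mp_reach_nlri(afi, safi, next_hop, prefixes):
    """Serialize an MP_REACH_NLRI value for one next hop and a list of prefixes."""
    nh = ip_address(next_hop).packed
    out = struct.pack("!HBB", afi, safi, len(nh)) + nh + b"\x00"
    for text in prefixes:
        net = ip_network(text)
        nbytes = (net.prefixlen + 7) // 8          # only the significant bytes are sent
        out += bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    return out


def parse_mp_reach_nlri(data):
    """Decode an MP_REACH_NLRI value; raises ValueError on malformed input."""
    if len(data) < 5:
        raise ValueError("attribute too short")
    afi, safi, nh_len = struct.unpack_from("!HBB", data, 0)
    off = 4
    nh_bytes = data[off:off + nh_len]
    if len(nh_bytes) != nh_len:
        raise ValueError("truncated next hop")
    off += nh_len
    if afi == AFI_IPV4 and nh_len == 4:
        next_hop = str(IPv4Address(nh_bytes))
    elif afi == AFI_IPV6 and nh_len in (16, 32):
        next_hop = str(IPv6Address(nh_bytes[:16]))   # a second 16 bytes would be a link-local next hop
    else:
        raise ValueError("next hop length %d does not fit AFI %d" % (nh_len, afi))
    if off >= len(data):
        raise ValueError("missing reserved byte")
    off += 1                                       # reserved byte, ignored on receipt
    addr_len = 4 if afi == AFI_IPV4 else 16
    prefixes = []
    while off < len(data):
        plen = data[off]
        off += 1
        if plen > addr_len * 8:
            raise ValueError("prefix length %d too large" % plen)
        nbytes = (plen + 7) // 8
        raw = data[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated NLRI entry")
        off += nbytes
        raw = raw.ljust(addr_len, b"\x00")        # restore the omitted trailing bytes
        addr = IPv4Address(raw) if afi == AFI_IPV4 else IPv6Address(raw)
        prefixes.append("%s/%d" % (addr, plen))
    return {
        "afi": AFI_NAMES.get(afi, afi),
        "safi": SAFI_NAMES.get(safi, safi),
        "next_hop": next_hop,
        "prefixes": prefixes,
        "supported": (afi, safi) in SUPPORTED,
    }


# Constructed sample: AFI 1 (IPv4), SAFI 1 (unicast), next hop 198.51.100.4,
# one NLRI entry 192.168.10.0/24 (24 bits, so only 3 prefix bytes are carried).
SAMPLE_IPV4_UNICAST = bytes.fromhex("00010104c63364040018c0a80a")
```

The length checks matter on a router: an NLRI entry whose declared prefix length exceeds what remains in the attribute is malformed and must be rejected rather than read past the end of the buffer.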
If you enable MP-BGP for IPv4 multicast or if you configure a multicast static route, the firewall supports separate unicast and multicast route tables for static routes. You might want to separate the unicast and multicast traffic going to the same destination. The multicast traffic can take a different path from unicast traffic because, for example, your multicast traffic is critical, so you need it to be more efficient by having it take fewer hops or undergo less latency.

You can also exercise more control over how BGP functions by configuring BGP to use routes from only the unicast or multicast route table (or both) when BGP imports or exports routes, sends conditional advertisements, or performs route redistribution or route aggregation.

You can decide to use a dedicated multicast RIB (route table) by enabling MP-BGP and selecting the Address Family of IPv4 and Subsequent Address Family of multicast or by installing an IPv4 static route in the multicast route table. After you do either of those methods to use the multicast RIB, the firewall uses the multicast RIB for all multicast routing and reverse path forwarding (RPF). If you prefer to use the unicast RIB for all routing (unicast and multicast), you should not enable the multicast RIB by either method.

In the following figure, a static route to 192.168.10.0/24 is installed in the unicast route table, and its next hop is 198.51.100.2. However, multicast traffic can take a different path to a private MPLS cloud; the same static route is installed in the multicast route table with a different next hop (198.51.100.4) so that its path is different.

Using separate unicast and multicast route tables gives you more flexibility and control when you configure these BGP functions:
- Install an IPv4 static route into the unicast or multicast route table, or both, as described in the preceding example. (You can install an IPv6 static route into the unicast route table only.)
- Create an Import rule so that any prefixes that match the criteria are imported into the unicast or multicast route table, or both.
- Create an Export rule so that prefixes that match the criteria are exported (sent to a peer) from the unicast or multicast route table, or both.
- Configure a conditional advertisement with a Non Exist filter so that the firewall searches the unicast or multicast route table (or both) to ensure the route doesn't exist in that table, and so the firewall advertises a different route.
- Configure a conditional advertisement with an Advertise filter so that the firewall advertises routes matching the criteria from the unicast or multicast route table, or both.
- Redistribute a route that appears in the unicast or multicast route table, or both.
- Configure route aggregation with an advertise filter so that aggregated routes to be advertised come from the unicast or multicast route table, or both.
- Conversely, configure route aggregation with a suppress filter so that aggregated routes that should be suppressed (not advertised) come from the unicast or multicast route table, or both.

When you configure a peer with MP-BGP using an Address Family of IPv6, you can use IPv6 addresses in the Address Prefix and Next Hop fields of an Import rule, Export rule, Conditional Advertisement (Advertise Filter and Non Exist Filter), and Aggregate rule (Advertise Filter, Suppress Filter, and Aggregate Route Attribute).
Configure BGP

Perform the following task to configure BGP.
Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast

After you Configure BGP, configure a BGP peer with MP-BGP for IPv4 or IPv6 unicast for either of the following reasons:
- To have your BGP peer carry IPv6 unicast routes, configure MP-BGP with the Address Family Type of IPv6 and Subsequent Address Family of Unicast so that the peer can send BGP updates that include IPv6 unicast routes. BGP peering (Local Address and Peer Address) can still both be IPv4 addresses, or they can both be IPv6 addresses.
- To perform BGP peering over IPv6 addresses (Local Address and Peer Address use IPv6 addresses).

The following task shows how to enable a BGP peer with MP-BGP so it can carry IPv6 unicast routes, and so it can peer using IPv6 addresses.

The task also shows how to view the unicast or multicast route tables, and how to view the forwarding table, the BGP local RIB, and BGP RIB Out (routes sent to neighbors) to see routes from the unicast or multicast route table or a specific address family (IPv4 or IPv6).
Configure a BGP Peer with MP-BGP for IPv4 Multicast

After you Configure BGP, configure a BGP peer with MP-BGP for IPv4 multicast if you want your BGP peer to be able to learn and pass IPv4 multicast routes in BGP updates. You'll be able to separate unicast from multicast traffic, or employ the features listed in MP-BGP to use only routes from the unicast or multicast route table, or routes from both tables.

If you want to support multicast traffic only, you must use a filter to eliminate unicast traffic.

The firewall doesn't support ECMP for multicast traffic.
Step 5 To view the Forwarding table, BGP Local RIB, or BGP RIB Out table, see Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast.
Route Redistribution

Route redistribution on the firewall is the process of making routes that the firewall learned from one routing protocol (or a static or connected route) available to a different routing protocol, thereby increasing accessibility of network traffic. Without route redistribution, a router or virtual router advertises and shares routes only with other routers that run the same routing protocol. You can redistribute IPv6 BGP, connected, or static routes into the OSPF RIB and redistribute OSPFv3, connected, or static routes into the BGP RIB.

This means, for example, you can make specific networks that were once available only by manual static route configuration on specific routers available to BGP autonomous systems or OSPF areas. You can also advertise locally connected routes, such as routes to a private lab network, into BGP autonomous systems or OSPF areas.

You might want to give users on your internal OSPFv3 network access to BGP so they can access devices on the internet. In this case you would redistribute BGP routes into the OSPFv3 RIB.

Conversely, you might want to give your external users access to some parts of your internal network, so you make internal OSPFv3 networks available through BGP by redistributing OSPFv3 routes into the BGP RIB.
Redistribute IPv6 Routes
7. (Optional) For Interface, Add one or more egress interfaces of associated routes to match for redistribution. To remove an entry, click Delete.
8. (Optional) For Destination, Add one or more IPv6 destinations of routes to match for redistribution. To remove an entry, click Delete.
9. (Optional) For Next Hop, Add one or more next hop IPv6 addresses of routes to match for redistribution. To remove an entry, click Delete.
10. Click OK.
DHCP

This section describes Dynamic Host Configuration Protocol (DHCP) and the tasks required to configure an interface on a Palo Alto Networks firewall to act as a DHCP server, client, or relay agent. By assigning these roles to different interfaces, the firewall can perform multiple roles.

DHCP Overview
Firewall as a DHCP Server and Client
DHCP Messages
DHCP Addressing
DHCP Options
Configure an Interface as a DHCP Server
Configure an Interface as a DHCP Client
Configure the Management Interface as a DHCP Client
Configure an Interface as a DHCP Relay Agent
Monitor and Troubleshoot DHCP

DHCP Overview

DHCP is a standardized protocol defined in RFC 2131, Dynamic Host Configuration Protocol. DHCP has two main purposes: to provide TCP/IP and link-layer configuration parameters and to provide network addresses to dynamically configured hosts on a TCP/IP network.

DHCP uses a client-server model of communication. This model consists of three roles that the device can fulfill: DHCP client, DHCP server, and DHCP relay agent.
- A device acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client devices save configuration time and effort, and need not know the network's addressing plan or other resources and options they are inheriting from the DHCP server.
- A device acting as a DHCP server can service clients. By using any of three DHCP Addressing mechanisms, the network administrator saves configuration time and has the benefit of reusing a limited number of IP addresses when a client no longer needs network connectivity. The server can deliver IP addressing and many DHCP options to many clients.
- A device acting as a DHCP relay agent transmits DHCP messages between DHCP clients and servers.

DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.

An interface on a Palo Alto Networks firewall can perform the role of a DHCP server, client, or relay agent. The interface of a DHCP server or relay agent must be a Layer 3 Ethernet, Aggregated Ethernet, or Layer 3 VLAN interface. You configure the firewall interfaces with the appropriate settings for any combination of roles. The behavior of each role is summarized in Firewall as a DHCP Server and Client.

The firewall supports DHCPv4 Server and DHCPv6 Relay. However, a single interface cannot support both DHCPv4 Server and DHCPv6 Relay.

The Palo Alto Networks implementations of DHCP server and DHCP client support IPv4 addresses only. Its DHCP relay implementation supports IPv4 and IPv6. DHCP client is not supported in High Availability active/active mode.
Firewall as a DHCP Server and Client

The firewall can function as a DHCP server and as a DHCP client. Dynamic Host Configuration Protocol, RFC 2131, is designed to support IPv4 and IPv6 addresses. The Palo Alto Networks implementation of DHCP server supports IPv4 addresses only.

The firewall DHCP server operates in the following manner:
- When the DHCP server receives a DHCPDISCOVER message from a client, the server replies with a DHCPOFFER message containing all of the predefined and user-defined options in the order they appear in the configuration. The client selects the options it needs and responds with a DHCPREQUEST message.
- When the server receives a DHCPREQUEST message from a client, the server replies with its DHCPACK message containing only the options specified in the request.

The firewall DHCP client operates in the following manner:
- When the DHCP client receives a DHCPOFFER from the server, the client automatically caches all of the options offered for future use, regardless of which options it had sent in its DHCPREQUEST.
- By default and to save memory consumption, the client caches only the first value of each option code if it receives multiple values for a code.
- There is no maximum length for DHCP messages unless the DHCP client specifies a maximum in option 57 in its DHCPDISCOVER or DHCPREQUEST messages.
DHCP Messages
DHCP uses eight standard message types, which are identified by the DHCP Message Type option (option 53) carried in the DHCP message. For example, when a client wants to find a DHCP server, it broadcasts a DHCPDISCOVER message on its local physical subnetwork. If there is no DHCP server on its subnet and if DHCP Helper or DHCP Relay is configured properly, the message is forwarded to DHCP servers on a different physical subnet. Otherwise, the message will go no further than the subnet on which it originated. One or more DHCP servers will respond with a DHCPOFFER message that contains an available network address and other configuration parameters.
When the client needs an IP address, it sends a DHCPREQUEST to one or more servers. Of course, if the client is requesting an IP address, it doesn't have one yet, so RFC 2131 requires that the broadcast message the client sends out have a source address of 0.0.0.0 in its IP header.
When a client requests configuration parameters from a server, it might receive responses from more than one server. Once a client has received its IP address, the client is said to have at least an IP address, and possibly other configuration parameters, bound to it. DHCP servers manage such binding of configuration parameters to clients.
The following table lists the DHCP messages.
DHCP Message    Description
DHCPDISCOVER    Client broadcast to find available DHCP servers.
DHCPOFFER       Server response to a client's DHCPDISCOVER, offering configuration parameters.
DHCPREQUEST     Client message to one or more servers to do any of the following:
                - Request parameters from one server and implicitly decline offers from other servers.
                - Confirm that a previously allocated address is correct after, for example, a system reboot.
                - Extend the lease of a network address.
DHCPACK         Server-to-client acknowledgment message containing configuration parameters, including a confirmed network address.
DHCPNAK         Server-to-client negative acknowledgment indicating that the client's understanding of the network address is incorrect (for example, if the client has moved to a new subnet), or that a client's lease has expired.
DHCPDECLINE     Client-to-server message indicating that the network address is already being used.
DHCPRELEASE     Client-to-server message giving up the use of the network address and canceling the remaining time on the lease.
DHCPINFORM      Client-to-server message requesting only local configuration parameters; the client has an externally configured network address.
DHCP Addressing
- DHCP Address Allocation Methods
- DHCP Leases
DHCP Address Allocation Methods
There are three ways that a DHCP server either assigns or sends an IP address to a client:
- Automatic allocation: The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent.
- Dynamic allocation: The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network. See the DHCP Leases section.
- Static allocation: The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client device. The DHCP assignment remains in place even if the client logs off, reboots, has a power outage, etc.
Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is a client device that is used for something crucial and must keep the same IP address even if the device is turned off, unplugged, or rebooted, or a power outage occurs.
Keep these points in mind when configuring a Reserved Address:
- It is an address from the IP Pools. You may configure multiple reserved addresses.
- If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited).
- If you allocate all of the addresses in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address.
- You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any device. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.
DHCP Leases
A lease is defined as the time period for which a DHCP server allocates a network address to a client. The lease might be extended (renewed) upon subsequent requests. If the client no longer needs the address, it can release the address back to the server before the lease is up. The server is then free to assign that address to a different client if it has run out of unassigned addresses.
The lease period configured for a DHCP server applies to all of the addresses that a single DHCP server (interface) dynamically assigns to its clients. That is, all of that interface's dynamically assigned addresses are of Unlimited duration or have the same Timeout value. A different DHCP server configured on the firewall may have a different lease term for its clients. A Reserved Address is a static address allocation and is not subject to the lease terms.
Per the DHCP standard, RFC 2131, a DHCP client does not wait for its lease to expire, because it risks getting a new address assigned to it. Instead, when a DHCP client reaches the halfway point of its lease period, it attempts to extend its lease so that it retains the same IP address. Thus, the lease duration is like a sliding window.
Typically, if an IP address was assigned to a device, the device was subsequently taken off the network, and its lease was not extended, the DHCP server will let that lease run out. Because the client is gone from the network and no longer needs the address, the lease duration in the server is reached and the lease is in the Expired state.
The firewall has a hold timer that prevents the expired IP address from being reassigned immediately. This behavior temporarily reserves the address for the device in case it comes back onto the network. But if the address pool runs out of addresses, the server reallocates this expired address before the hold timer expires. Expired addresses are cleared automatically as the system needs more addresses or when the hold timer releases them.
In the CLI, use the show dhcp server lease operational command to view lease information about the allocated IP addresses. If you do not want to wait for expired leases to be released automatically, you can use the clear dhcp lease interface <interface> expired-only command to clear expired leases, making those addresses available in the pool again. You can use the clear dhcp lease interface <interface> ip <ip_address> command to release a particular IP address. Use the clear dhcp lease interface <interface> mac <mac_address> command to release the lease held by a particular MAC address.
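The following is an added example, not PAN-OS code: a small model of the lease behavior described above, so that the interplay of Reserved Addresses, the single Timeout per DHCP server interface, client renewal at the halfway point, and the hold timer that parks expired addresses until the pool runs dry can be exercised with concrete numbers. Times are plain seconds, and the hold-timer length is a parameter because the page gives no value for it.

```python
"""Added example, not PAN-OS code: a model of the lease behaviour described
above (Reserved Addresses, one Timeout per DHCP server interface, client
renewal at the half-way point, and the hold timer that parks expired
addresses until the pool runs dry).  Times are seconds; the hold-timer
length is a parameter because the page gives no value for it."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class Lease:
    ip: IPv4Address
    mac: str
    state: str                  # "committed", "expired" or "reserved"
    start: float
    duration: Optional[float]   # None models a Lease of Unlimited duration
    expired_at: Optional[float] = None

    def expires_at(self) -> Optional[float]:
        return None if self.duration is None else self.start + self.duration

    def renew_at(self) -> Optional[float]:
        # RFC 2131 clients try to renew at the half-way point of the lease
        return None if self.duration is None else self.start + self.duration / 2


class DhcpServerInterface:
    """One DHCP server: one interface, one IP pool, one lease term."""

    def __init__(self, pool: List[str], lease_timeout: Optional[float], hold_timer: float):
        self.pool = [IPv4Address(a) for a in pool]
        self.lease_timeout = lease_timeout    # same Timeout for every dynamic address
        self.hold_timer = hold_timer          # seconds an expired address stays parked
        self.reserved: Dict[IPv4Address, Optional[str]] = {}   # ip -> MAC, or None
        self.leases: Dict[IPv4Address, Lease] = {}

    def reserve(self, ip: str, mac: Optional[str] = None) -> None:
        addr = IPv4Address(ip)
        if addr not in self.pool:
            raise ValueError("a Reserved Address must come from the IP Pools")
        self.reserved[addr] = mac.lower() if mac else None   # None: never handed out

    def _age(self, now: float) -> None:
        for lease in self.leases.values():
            exp = lease.expires_at()
            if lease.state == "committed" and exp is not None and now >= exp:
                lease.state, lease.expired_at = "expired", exp

    def _bind(self, ip: IPv4Address, mac: str, now: float, state: str = "committed") -> IPv4Address:
        duration = None if state == "reserved" else self.lease_timeout
        self.leases[ip] = Lease(ip, mac, state, now, duration)
        return ip

    def allocate(self, mac: str, now: float) -> Optional[IPv4Address]:
        """Answer a DHCPDISCOVER/DHCPREQUEST from `mac`: the address to offer, or None."""
        mac = mac.lower()
        self._age(now)
        # 1. Static allocation: a Reserved Address bound to this MAC always wins.
        for ip, rmac in self.reserved.items():
            if rmac == mac:
                return self._bind(ip, mac, now, "reserved")
        # 2. A renewing client, or one returning during its hold time, keeps its address.
        for lease in self.leases.values():
            if lease.mac == mac and lease.state != "reserved":
                lease.state, lease.start, lease.expired_at = "committed", now, None
                lease.duration = self.lease_timeout
                return lease.ip
        # 3. Dynamic addresses that have never been handed out come first.
        for ip in self.pool:
            if ip not in self.reserved and ip not in self.leases:
                return self._bind(ip, mac, now)
        # 4. Expired addresses whose hold timer has run out are free again ...
        expired = sorted((l for l in self.leases.values() if l.state == "expired"),
                         key=lambda l: l.expired_at)
        released = [l for l in expired if now - l.expired_at >= self.hold_timer]
        # 5. ... and when the pool is exhausted the oldest expired address is reused early.
        victim = released[0] if released else (expired[0] if expired else None)
        return None if victim is None else self._bind(victim.ip, mac, now)

    def clear(self, expired_only: bool = True, ip: Optional[str] = None,
              mac: Optional[str] = None) -> int:
        """Counterpart of clear dhcp lease interface <if> expired-only | ip <ip> | mac <mac>."""
        doomed = [l for l in self.leases.values()
                  if (ip and str(l.ip) == ip) or (mac and l.mac == mac.lower())
                  or (not ip and not mac and (l.state == "expired" or not expired_only))]
        for lease in doomed:
            del self.leases[lease.ip]
        return len(doomed)

    def lease_for(self, ip: str) -> Optional[Lease]:
        return self.leases.get(IPv4Address(ip))

    def show(self) -> List[tuple]:
        """Rows in the spirit of show dhcp server lease; duration 0 marks an Unlimited lease."""
        return [(str(l.ip), l.mac, l.state, 0 if l.duration is None else l.duration)
                for l in self.leases.values()]
```

The order of the five steps in allocate() is the point: a reservation beats everything, a client that comes back within its hold time gets its old address, and an expired address is handed to someone else before its hold timer ends only when nothing else is left, which is the behavior a monitoring script should expect when it sees `expired` entries disappear from `show dhcp server lease` without anyone running `clear dhcp lease`.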
DHCP Options
The history of DHCP and DHCP options traces back to the Bootstrap Protocol (BOOTP). BOOTP was used by a host to configure itself dynamically during its booting procedure. A host could receive an IP address and a file from which to download a boot program from a server, along with the server's address and the address of an Internet gateway.
Included in the BOOTP packet was a vendor information field, which could contain a number of tagged fields containing various types of information, such as the subnet mask, the BOOTP file size, and many other values. RFC 1497 describes the BOOTP Vendor Information Extensions. DHCP replaces BOOTP; BOOTP is not supported on the firewall.
These extensions eventually expanded with the use of DHCP and DHCP host configuration parameters, also known as options. Similar to vendor extensions, DHCP options are tagged data items that provide information to a DHCP client. The options are sent in a variable-length field at the end of a DHCP message. For example, the DHCP Message Type is option 53, and a value of 1 indicates the DHCPDISCOVER message. DHCP options are defined in RFC 2132, DHCP Options and BOOTP Vendor Extensions.
A DHCP client can negotiate with the server, limiting the server to send only those options that the client requests.
- Predefined DHCP Options
- Multiple Values for a DHCP Option
- DHCP Options 43, 55, and 60 and Other Customized Options
Predefined DHCP Options
Palo Alto Networks firewalls support user-defined and predefined DHCP options in the DHCP server implementation. Such options are configured on the DHCP server and sent to the clients that sent a DHCPREQUEST to the server. The clients are said to inherit and implement the options that they are programmed to accept.
The firewall supports the following predefined options on its DHCP servers, shown in the order in which they appear on the DHCP Server configuration screen:
DHCP Option    DHCP Option Name
51             Lease duration
3              Gateway
1              IP Pool Subnet (mask)
6              Domain Name System (DNS) server address (primary and secondary)
44             Windows Internet Name Service (WINS) server address (primary and secondary)
41             Network Information Service (NIS) server address (primary and secondary)
42             Network Time Protocol (NTP) server address (primary and secondary)
70             Post Office Protocol Version 3 (POP3) server address
69             Simple Mail Transfer Protocol (SMTP) server address
15             DNS suffix
As mentioned, you can also configure vendor-specific and customized options, which support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be in IP address, ASCII, or hexadecimal format. With the firewall's enhanced DHCP option support, branch offices do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.
Multiple Values for a DHCP Option
DHCP Options 43, 55, and 60 and Other Customized Options
The following table describes the option behavior for several options described in RFC 2132.
Option   Name                            Behavior
43       Vendor-Specific Information     Sent from server to client. Vendor-specific information that the DHCP server has been configured to offer to the client. The information is sent to the client only if the server has a Vendor Class Identifier (VCI) in its table that matches the VCI in the client's DHCPREQUEST.
                                         An Option 43 packet can contain multiple vendor-specific pieces of information. It can also include encapsulated, vendor-specific extensions of data.
55       Parameter Request List          Sent from client to server. List of configuration parameters (option codes) that a DHCP client is requesting, possibly in order of the client's preference. The server tries to respond with options in the same order.
60       Vendor Class Identifier (VCI)   Sent from client to server. Vendor type and configuration of a DHCP client. The DHCP client sends option code 60 in a DHCPREQUEST to the DHCP server. When the server receives option 60, it sees the VCI, finds the matching VCI in its own table, and then returns option 43 with the value that corresponds to the VCI, thereby relaying vendor-specific information to the correct client. Both the client and server have knowledge of the VCI.
You can send custom, vendor-specific option codes that are not defined in RFC 2132. The option codes can be in the range 1-254 and of fixed or variable length.
Custom DHCP options are not validated by the DHCP Server; you must ensure that you enter correct values for the options you create.
For ASCII and hexadecimal DHCP option types, the option value can be a maximum of 255 octets.
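The following is an added example, not PAN-OS code, covering both the server behavior described under Firewall as a DHCP Server and Client and the option handling in the table above: RFC 2132 code/length/value encoding with the 1-254 code range and 255-octet value limit, a DHCPOFFER that carries every configured option in configuration order, a DHCPACK that carries only the codes listed in the client's option 55 in the order requested, and option 43 attached only when the client's option 60 matches an entry in the server's VCI table. The server option values, the VCI table contents and the sub-option layout inside option 43 are constructed sample data; they do not come from the page.

```python
"""Added example, not PAN-OS code: RFC 2132 option encoding and the server-side
option selection described above.  SERVER_OPTIONS and VCI_TABLE are constructed
sample data, not values from the page."""
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

MAGIC = bytes([99, 130, 83, 99])          # RFC 2132 magic cookie that starts the options field
END, PAD = 255, 0
MSG_DISCOVER, MSG_OFFER, MSG_REQUEST, MSG_ACK = 1, 2, 3, 5

Option = Tuple[int, bytes]


def tlv(options: List[Option]) -> bytes:
    """Encode code/length/value triples; also used for the sub-options inside option 43."""
    out = bytearray()
    for code, value in options:
        if not 1 <= code <= 254:
            raise ValueError(f"option code {code} outside 1-254")
        if len(value) > 255:                       # the length field is a single octet
            raise ValueError(f"option {code}: value longer than 255 octets")
        out += bytes([code, len(value)]) + value
    return bytes(out)


def encode_options(options: List[Option]) -> bytes:
    return MAGIC + tlv(options) + bytes([END])


def decode_tlv(buf: bytes) -> Tuple[List[Option], bool]:
    """Parse code/length/value triples in order; returns (options, saw End option)."""
    out, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == END:
            return out, True
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"option {code} truncated")
        length = buf[i + 1]
        out.append((code, bytes(buf[i + 2:i + 2 + length])))
        i += 2 + length
    return out, False


def decode_options(buf: bytes) -> List[Option]:
    if buf[:4] != MAGIC:
        raise ValueError("options field does not start with the magic cookie")
    opts, saw_end = decode_tlv(buf[4:])
    if not saw_end:
        raise ValueError("options field lacks the End option")
    return opts


def ips(*addrs: str) -> bytes:
    return b"".join(IPv4Address(a).packed for a in addrs)


# Server configuration in the order the options are configured (constructed sample).
SERVER_OPTIONS: List[Option] = [
    (51, (3600).to_bytes(4, "big")),             # lease duration, seconds
    (3, ips("192.168.3.1")),                     # gateway
    (1, ips("255.255.255.0")),                   # IP pool subnet mask
    (6, ips("10.43.2.10", "10.44.2.10")),        # primary and secondary DNS
    (15, b"example.internal"),                   # DNS suffix
]
# Vendor Class Identifier -> option 43 payload; sub-options use the same TLV layout.
VCI_TABLE: Dict[bytes, bytes] = {
    b"ExamplePhone": tlv([(1, b"tftp://10.43.2.50/phone.cfg"), (2, b"\x00\x01")]),
}


def build_reply(client_options: bytes) -> List[Option]:
    """Select the options a DHCPOFFER or DHCPACK carries for this client message."""
    opts: Dict[int, bytes] = {}
    for code, value in decode_options(client_options):
        opts.setdefault(code, value)               # keep the first value of a repeated code
    if 53 not in opts:
        raise ValueError("client message has no DHCP Message Type (option 53)")
    msg_type = opts[53][0]
    configured = dict(SERVER_OPTIONS)
    if msg_type == MSG_DISCOVER:                   # OFFER: every option, configuration order
        reply_type, chosen = MSG_OFFER, list(SERVER_OPTIONS)
    elif msg_type == MSG_REQUEST:                  # ACK: only option 55 codes, requested order
        reply_type = MSG_ACK
        chosen = [(c, configured[c]) for c in opts.get(55, b"") if c in configured]
    else:
        raise ValueError(f"unsupported message type {msg_type}")
    reply = [(53, bytes([reply_type]))] + chosen
    vendor = VCI_TABLE.get(opts.get(60, b""))
    if vendor is not None:                         # VCI match: attach the vendor-specific blob
        reply.append((43, vendor))
    return reply
```

Because custom options are not validated by the firewall, the two ValueError checks in tlv() are the ones worth copying into any provisioning script that generates option values: a code outside 1-254 or a value over 255 octets cannot be encoded, and a silently truncated value is what a client would otherwise receive.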
Configure an Interface as a DHCP Server
The prerequisites for this task are:
- Configure a Layer 3 Ethernet or Layer 3 VLAN interface.
- Assign the interface to a virtual router and a zone.
- Determine a valid pool of IP addresses from your network plan that you can designate to be assigned by your DHCP server to clients.
- Collect the DHCP options, values, and Vendor Class Identifiers you plan to configure.
Perform the following task to configure an interface on the firewall to act as a DHCP server. You can configure multiple DHCP servers.
Configure an Interface as a DHCP Server
For the following fields, click the down arrow and select None or inherited, or enter a remote server's IP address that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source.
- Primary DNS, Secondary DNS: IP address of the preferred and alternate Domain Name System (DNS) servers.
- Primary WINS, Secondary WINS: IP address of the preferred and alternate Windows Internet Naming Service (WINS) servers.
- Primary NIS, Secondary NIS: IP address of the preferred and alternate Network Information Service (NIS) servers.
- Primary NTP, Secondary NTP: IP address of the available Network Time Protocol servers.
- POP3 Server: IP address of a Post Office Protocol (POP3) server.
- SMTP Server: IP address of a Simple Mail Transfer Protocol (SMTP) server.
- DNS Suffix: Suffix for the client to use locally when an unqualified hostname is entered that it cannot resolve.
Configure an Interface as a DHCP Client
Before configuring a firewall interface as a DHCP client, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone. Perform this task if you need to use DHCP to request an IPv4 address for an interface on your firewall.
You can also Configure the Management Interface as a DHCP Client.
Configure an Interface as a DHCP Client
Configure the Management Interface as a DHCP Client
The management interface on the firewall supports DHCP client for IPv4, which allows the management interface to receive its IPv4 address from a DHCP server. The management interface also supports DHCP Option 12 and Option 61, which allow the firewall to send its hostname and client identifier, respectively, to DHCP servers.
By default, VM-Series firewalls deployed in AWS and Azure use the management interface as a DHCP client to obtain its IP address, rather than a static IP address, because cloud deployments require the automation this feature provides. DHCP on the management interface is turned off by default for the VM-Series firewall except for the VM-Series firewall in AWS and Azure. The management interfaces on WildFire and Panorama models do not support this DHCP functionality.
For hardware-based firewall models (not VM-Series), configure the management interface with a static IP address when possible.
If the firewall acquires a management interface address through DHCP, assign a MAC address reservation on the DHCP server that serves that firewall. The reservation ensures that the firewall retains its management IP address after a restart. If the DHCP server is a Palo Alto Networks firewall, see Step 6 of Configure an Interface as a DHCP Server for reserving an address.
If you configure the management interface as a DHCP client, the following restrictions apply:
- You cannot use the management interface in an HA configuration for control link (HA1 or HA1 backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
- You cannot select MGT as the Source Interface when you customize service routes (Device > Setup > Services > Service Route Configuration > Customize). However, you can select Use default to route the packets via the management interface.
- You cannot use the dynamic IP address of the management interface to connect to a Hardware Security Module (HSM). The IP address on the HSM client firewall must be a static IP address because the HSM authenticates the firewall using the IP address, and operations on the HSM would stop working if the IP address were to change during runtime.
A prerequisite for this task is that the management interface must be able to reach a DHCP server.
Configure the Management Interface as a DHCP Client
Configure an Interface as a DHCP Relay Agent
To enable a firewall interface to transmit DHCP messages between clients and servers, you must configure the firewall as a DHCP relay agent. The interface can forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP servers. A client DHCPDISCOVER message is sent to all configured servers, and the DHCPOFFER message of the first server that responds is relayed back to the requesting client. Before configuring a DHCP relay agent, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone.
Configure an Interface as a DHCP Relay Agent
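The following is an added example, not PAN-OS code: a model of the IPv4 relay behavior described above, with dictionaries standing in for DHCP packets. The relay stamps the giaddr field with the address of the interface the client's broadcast arrived on (the RFC 2131 relay mechanism), forwards the DHCPDISCOVER to every configured server (at most eight), and relays only the first DHCPOFFER for a transaction back to the client. DHCPv6 relay is not modelled. The server addresses, client MAC and hop-limit value are constructed sample data and assumptions, not values from the page.

```python
"""Added example, not PAN-OS code: IPv4 DHCP relay behaviour with dict-based
packets.  MAX_HOPS is this example's choice; server addresses and MACs in the
usage are constructed sample data."""
from ipaddress import ip_address
from typing import Callable, Dict, List

MAX_SERVERS = 8      # the page's limit of eight external IPv4 DHCP servers per interface
MAX_HOPS = 16        # assumption: discard packets that have already crossed this many relays

Packet = Dict[str, object]
Sender = Callable[[str, Packet], None]   # (destination, packet) -> None


class DhcpRelayInterface:
    """A Layer 3 interface configured as a DHCP relay agent for IPv4."""

    def __init__(self, interface_ip: str, servers: List[str]):
        if ip_address(interface_ip).version != 4:
            raise ValueError("this model relays IPv4 only")
        if len(servers) > MAX_SERVERS:
            raise ValueError("at most eight IPv4 DHCP servers per relay interface")
        self.interface_ip = interface_ip
        self.servers = [s for s in servers if ip_address(s).version == 4]
        self.offered: Dict[object, bool] = {}   # xid -> an offer was already relayed

    def from_client(self, pkt: Packet, send: Sender) -> int:
        """Forward a client broadcast to every configured server; returns copies sent."""
        hops = int(pkt.get("hops", 0))
        if hops >= MAX_HOPS:
            return 0                               # relay loop or forged packet: drop
        fwd = dict(pkt, hops=hops + 1)
        if fwd.get("giaddr") in (None, "", "0.0.0.0"):
            fwd["giaddr"] = self.interface_ip      # first relay stamps its own address
        self.offered[pkt["xid"]] = False           # new round: accept the first offer
        for server in self.servers:
            send(server, fwd)                      # unicast to each server
        return len(self.servers)

    def from_server(self, pkt: Packet, send: Sender) -> bool:
        """Relay a server reply to the client; only the first DHCPOFFER per xid gets through."""
        xid = pkt["xid"]
        if pkt.get("giaddr") != self.interface_ip or xid not in self.offered:
            return False                           # not addressed to this relay / unknown xid
        if pkt.get("type") == "DHCPOFFER":
            if self.offered[xid]:
                return False                       # a later server's offer: discarded
            self.offered[xid] = True
        send("broadcast:" + str(pkt["chaddr"]), pkt)   # back onto the client's subnet
        return True
```

The giaddr check in from_server() is the security-relevant line: a reply whose giaddr is not this interface's address was not solicited through this relay, and passing it on would let a host on the server side inject offers onto the client subnet.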
Monitor and Troubleshoot DHCP
You can view the status of dynamic address leases that your DHCP server has assigned or that your DHCP client has been assigned by issuing commands from the CLI. You can also clear leases before they time out and are released automatically.
- View DHCP Server Information
- Clear Leases Before They Expire Automatically
- View DHCP Client Information
- Gather Debug Output about DHCP
View DHCP Server Information
To view DHCP pool statistics, the IP addresses the DHCP server has assigned, the corresponding MAC address, the state and duration of the lease, and the time the lease began, use the following command. If the address was configured as a Reserved Address, the state column indicates reserved and there is no duration or lease_time. If the lease was configured as Unlimited, the duration column displays a value of 0.
admin@PA-200> show dhcp server lease all
interface: "ethernet1/2"
Allocated IPs: 1, Total number of IPs in pool: 5. 20.0000% used
ip              mac                 state       duration    lease_time
192.168.3.11    f0:2f:af:42:70:cf   committed   0           Wed Jul  2 08:10:56 2014
admin@PA-200>
To view the options that a DHCP server has assigned to clients, use the following command:
admin@PA-200> show dhcp server settings all
Interface      GW             DNS1           DNS2           DNS-Suffix    Inherit source
-------------------------------------------------------------------------------------
ethernet1/2    192.168.3.1    10.43.2.10     10.44.2.10                   ethernet1/3
admin@PA-200>
Clear Leases Before They Expire Automatically
The following example shows how to release the expired DHCP leases of an interface (server) before the hold timer releases them automatically. Those addresses will be available in the IP pool again.
admin@PA-200> clear dhcp lease interface ethernet1/2 expired-only
The following example shows how to release the lease of a particular IP address:
admin@PA-200> clear dhcp lease interface ethernet1/2 ip 192.168.3.1
The following example shows how to release the lease of a particular MAC address:
admin@PA-200> clear dhcp lease interface ethernet1/2 mac f0:2c:ae:29:71:34
View DHCP Client Information
To view the status of IP address leases sent to the firewall when it is acting as a DHCP client, use the show dhcp client state <interface_name> command or the following command:
admin@PA-200> show dhcp client state all
Interface      State    IP              Gateway        Leased-until
---------------------------------------------------------------------------
ethernet1/1    Bound    10.43.14.80     10.43.14.1     70315
admin@PA-200>
Gather Debug Output about DHCP
To gather debug output about DHCP, use one of the following commands:
admin@PA-200> debug dhcpd
admin@PA-200> debug management-server dhcpd
DNS
Domain Name System (DNS) is a protocol that translates (resolves) a user-friendly domain name, such as www.paloaltonetworks.com, to an IP address so that users can access computers, websites, services, or other resources on the internet or private networks.
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution for Management Purposes
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- Reference: DNS Proxy Rule and FQDN Matching
DNS Overview
DNS performs a crucial role in enabling user access to network resources so that users need not remember IP addresses and individual computers need not store a huge volume of domain names mapped to IP addresses. DNS employs a client/server model; a DNS server resolves a query for a DNS client by looking up the domain in its cache and, if necessary, sending queries to other servers until it can respond to the client with the corresponding IP address.
The DNS structure of domain names is hierarchical; the top-level domain (TLD) in a domain name can be a generic TLD (gTLD): com, edu, gov, int, mil, net, or org (gov and mil are for the United States only), or a country code (ccTLD), such as au (Australia) or us (United States). ccTLDs are generally reserved for countries and dependent territories.
A fully qualified domain name (FQDN) includes at a minimum a hostname, a second-level domain, and a TLD to completely specify the location of the host in the DNS structure. For example, www.paloaltonetworks.com is an FQDN.
Wherever a Palo Alto Networks firewall uses an FQDN in the user interface or CLI, the firewall must resolve that FQDN using DNS. Depending on where the FQDN query originates, the firewall determines which DNS settings to use to resolve the query. The following firewall tasks are related to DNS:
- Configure your firewall with at least one DNS server so it can resolve hostnames. Configure primary and secondary DNS servers or a DNS Proxy object that specifies such servers, as shown in Use Case 1: Firewall Requires DNS Resolution for Management Purposes.
- Customize how the firewall handles DNS resolution initiated by Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) for each virtual system, as shown in Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System.
- Configure the firewall to act as a DNS server for a client, as shown in Use Case 3: Firewall Acts as DNS Proxy Between Client and Server.
- Configure an Anti-Spyware profile to Use DNS Queries to Identify Infected Hosts on the Network.
- Enable Passive DNS Monitoring, which allows the firewall to automatically share domain-to-IP address mappings based on your network traffic with Palo Alto Networks. The Palo Alto Networks threat research team uses this information to gain insight into malware propagation and evasion techniques that abuse the DNS system.
- Enable Evasion Signatures and then enable evasion signatures for threat prevention.
- Configure an Interface as a DHCP Server. This enables the firewall to act as a DHCP Server and send DNS information to its DHCP clients so the provisioned DHCP clients can reach their respective DNS servers.
DNS Proxy Object
When configured as a DNS proxy, the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If it doesn't find the domain name in its DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived). The firewall forwards the query to the appropriate DNS server based on the match results. If no match is found, the firewall uses default DNS servers.
A DNS proxy object is where you configure the settings that determine how the firewall functions as a DNS proxy. You can assign a DNS proxy object to a single virtual system or it can be shared among all virtual systems.
If the DNS proxy object is for a virtual system, you can specify a DNS Server Profile, which specifies the primary and secondary DNS server addresses, along with other information. The DNS server profile simplifies configuration.
If the DNS proxy object is shared, you must specify at least the primary address of a DNS server.
When configuring multiple tenants (ISP subscribers) with DNS services, each tenant should have its own DNS proxy defined, which keeps the tenant's DNS service separate from other tenants' services.
In the proxy object, you specify the interfaces for which the firewall is acting as DNS proxy. The DNS proxy for the interface does not use the service route; responses to the DNS requests are always sent to the interface assigned to the virtual router where the DNS request arrived.
When you Configure a DNS Proxy Object, you can supply the DNS proxy with static FQDN-to-address mappings. You can also create DNS proxy rules that control to which DNS server the domain name queries (that match the proxy rules) are directed. You can configure a maximum of 256 DNS proxy objects on a firewall.
When the firewall receives an FQDN query (and the domain name is not in the DNS proxy cache), the firewall compares the domain name from the FQDN query to the domain names in the DNS Proxy rules of the DNS Proxy object. If you specify multiple domain names in a single DNS Proxy rule, a query that matches any one of the domain names in the rule matches the rule. Reference: DNS Proxy Rule and FQDN Matching describes how the firewall determines whether an FQDN matches a domain name in a DNS proxy rule. A DNS query that matches a rule is sent to the primary DNS server configured for the proxy object to be resolved.
DNS Server Profile
To simplify configuration for a virtual system, a DNS server profile allows you to specify the virtual system that is being configured, an inheritance source or the primary and secondary IP addresses for DNS servers, and a source interface and source address (service route) that will be used in packets sent to the DNS server.
The source interface determines the virtual router, which has a route table. The destination IP address is looked up in the route table of the virtual router where the source interface is assigned. It is possible that the egress interface resulting from the destination IP lookup differs from the source interface. The packet would egress out of the egress interface determined by the route table lookup, but the source IP address would be the address configured. The source address is used as the destination address in the reply from the DNS server.
The virtual system report and virtual system server profile send their queries to the DNS server specified for the virtual system, if there is one. (The DNS server used is defined in Device > Virtual Systems > General > DNS Proxy.) If there is no DNS server specified for the virtual system, the DNS server specified for the firewall is queried.
You Configure a DNS Server Profile for a virtual system only; it is not for a global Shared location.
Multi-Tenant DNS Deployments
The firewall determines how to handle DNS requests based on where the request originated. An environment where an ISP has multiple tenants on a firewall is known as multi-tenancy. There are three use cases for multi-tenant DNS deployments:
- Global Management DNS Resolution: The firewall needs DNS resolution for its own purposes; for example, the request comes from the management plane to resolve an FQDN for a management event such as a software update service. The firewall uses the service route to get to a DNS server because the DNS request isn't coming in on a specific virtual router.
- Policy and Report FQDN Resolution for a Virtual System: For DNS queries from a security policy, a report, or a service, you can specify a set of DNS servers specific to the virtual system (tenant) or you can default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, you must configure a DNS Proxy Object. The resolution is specific to the virtual system to which the DNS proxy is assigned. If you don't have specific DNS servers applicable to this virtual system, the firewall uses the global DNS settings.
- Dataplane DNS Resolution for a Virtual System: This method is also known as a Network Request for DNS Resolution. The tenant's virtual system can be configured so that specified domain names are resolved on the tenant's DNS server in its network. This method supports split DNS, meaning that the tenant can also use its own ISP DNS servers for the remaining DNS queries not resolved on its own server. DNS Proxy Object rules control the split DNS; the tenant's domain redirects DNS requests to its DNS servers, which are configured in a DNS server profile. The DNS server profile has primary and secondary DNS servers designated, and also DNS service routes for IPv4 and IPv6, which override the default DNS settings.
The following table summarizes the DNS resolution types. The binding location determines which DNS proxy object is used for the resolution. For illustration purposes, the use cases show how a service provider might configure DNS settings to provide DNS services for resolving DNS queries required on the firewall and for tenant (subscriber) virtual systems.
Resolution type: DNS proxy resolution for DNS client hosts connected to an interface on the firewall, going through the firewall to a DNS server, performed by the dataplane
  Binding: Interface
  Service Route: Interface and IP address on which the DNS request was received
  Illustrated in Use Case 3
- Use Case 1: Firewall Requires DNS Resolution for Management Purposes
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
Configure a DNS Proxy Object
If your firewall is to act as a DNS proxy, perform this task to configure a DNS Proxy Object. The proxy object can either be shared among all virtual systems or applied to a specific virtual system.
When the firewall is enabled to act as a DNS proxy, evasion signatures that detect crafted HTTP or TLS requests can alert to instances where a client connects to a domain other than the domains specified in the original DNS query. As a best practice, Enable Evasion Signatures after configuring DNS proxy.
Configure a DNS Proxy Object
Configure a DNS Server Profile
Configure a DNS Server Profile, which simplifies configuration of a virtual system. The Primary DNS or Secondary DNS address is used to create the DNS request that the virtual system sends to the DNS server.
Configure a DNS Server Profile
Use Case 1: Firewall Requires DNS Resolution for Management Purposes
In this use case, the firewall is the client requesting DNS resolution of FQDNs for management events such as software update services, dynamic software updates, or WildFire. The shared, global DNS services perform the DNS resolution for the management plane functions.
Configure DNS Services for the Firewall
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
In this use case, multiple tenants (ISP subscribers) are defined on the firewall and each tenant is allocated a separate virtual system (vsys) and virtual router in order to segment its services and administrative domains. The following figure illustrates several virtual systems within a firewall.
Each tenant has its own server profiles for Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks.
For the DNS resolutions initiated by these services, each virtual system is configured with its own DNS Proxy Object to allow each tenant to customize how DNS resolution is handled within its virtual system. Any service with a Location will use the DNS Proxy object configured for the virtual system to determine the primary (or secondary) DNS server to resolve FQDNs, as illustrated in the following figure.
Configure a DNS Proxy for a Virtual System
If you use two separate DNS server profiles in the same DNS Proxy object, one for the DNS Proxy and one for the DNS proxy rule, the following behaviors occur:
- If a service route is defined in the DNS server profile used by the DNS Proxy, it takes precedence and is used.
- If a service route is defined in the DNS server profile used in the DNS proxy rules, it is not used. If the service route differs from the one defined in the DNS server profile used by the DNS Proxy, the following warning message is displayed during the Commit process:
  Warning: The DNS service route defined in the DNS proxy object is different from the DNS proxy rule's service route. Using the DNS proxy object's service route.
- If no service route is defined in any DNS server profile, the global service route is used if needed.
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant's network connected to the firewall interface. In such a scenario, the firewall performs DNS resolution on its dataplane.
This scenario uses split DNS, a configuration where DNS Proxy rules are configured to redirect DNS requests to a set of DNS servers based on a domain name match. If there is no match, the server profile determines the DNS servers to which to send the request; hence the two, split DNS resolution methods.
For dataplane DNS resolutions, the source IP address from the DNS proxy in PAN-OS to the outside DNS server is the address of the proxy (the destination IP of the original request). Any service routes defined in the DNS Server Profile are not used. For example, if the request is from host 1.1.1.1 to the DNS proxy at 2.2.2.2, then the request to the DNS server (at 3.3.3.3) would use a source of 2.2.2.2 and a destination of 3.3.3.3.
Configure a DNS Proxy and DNS Proxy Rules
Reference: DNS Proxy Rule and FQDN Matching
When you configure the firewall with a DNS Proxy Object that uses DNS proxy rules, the firewall compares an FQDN from a DNS query to the domain name of a DNS proxy rule. The firewall comparison works as follows:
FQDN Comparison to DNS Proxy Rule
- The firewall first tokenizes the FQDNs and the domain names in the DNS proxy rules. In a domain name, a string delimited by a period (.) is a token.
  For example: *.boat.fish.com consists of four tokens: [*][boat][fish][com]
- A wildcard (*) matches one or more tokens.
  For example:
  Rule: www.boat.*
  FQDN: www.boat.com - Match
  FQDN: www.boat.fish.com - Match
- When wildcards are used in consecutive tokens, the first * matches one or more tokens; the second * matches one token. This means a rule consisting of only *.* matches any FQDN with two or more tokens.
  For example:
  Consecutive wildcards preceding tokens:
  Rule: *.*.boat.com
  FQDN: www.blue.boat.com - Match
  FQDN: www.blue.sail.boat.com - Match
  Consecutive wildcards between tokens:
  Rule: www.*.*.boat.com
  FQDN: www.blue.sail.boat.com - Match
  FQDN: www.big.blue.sail.boat.com - Match
  Consecutive wildcards trailing tokens:
  Rule: www.boat.*.*
  FQDN: www.boat.fish.com - Match
  FQDN: www.boat.fish.ocean.com - Match
  Consecutive wildcards only:
  Rule: *.*
  FQDN: boat - Not a Match
  FQDN: boat.com - Match
  FQDN: www.boat.com - Match
- A * must have at least one token to match, and a rule with more literal tokens than the FQDN does not match.
  For example:
  FQDN: fish.com
  Rule 1: *.fish.com - Not a Match
  Rule 2: *.com - Match
  Rule 3: boat.fish.com - Not a Match
  The FQDN does not match Rule 1 because the * does not have a token to match.
- When an FQDN matches more than one rule, the firewall uses the most specific rule (the tie breaker).
  For example:
  FQDN: blue.boat.fish.com
  Rule 1: *.fish.com - Match and Tie Breaker
  Rule 2: *.com - Match
  Rule 3: boat.fish.com - Not a Match
  The FQDN matches Rule 1 and Rule 2 (because the * matches one or more tokens). The firewall uses Rule 1 because it is the most specific.
- When working with wildcards (*) and Implicit tail match rules, there can be cases when the FQDN matches more than one rule and the tie-breaking algorithm weighs the rules equally. To avoid ambiguity, if rules with an Implicit tail match or a wildcard (*) can overlap, replace an Implicit tail match rule by specifying the tail token.
  For example, replace this:
  Rule: www.boat
  with this:
  Rule: www.boat.com
When creating DNS proxy rules, the following best practices will help you avoid ambiguity and unexpected results:
Best Practices for Creating DNS Proxy Rules
- Avoid invoking an Implicit tail match by including a top-level domain in the domain name.
  For example: boat.com
- If you use a wildcard (*), use it only as the leftmost token. This practice follows the common understanding of wildcard DNS records and the hierarchical nature of DNS.
  For example: *.boat.com
- Use no more than one * in a rule.
- Use the * to establish a base rule associated with a DNS server, and use rules with more tokens to build exceptions to the rule, which you associate with different servers. The tie-breaking algorithm will select the most specific match, based on the number of matched tokens.
  For example:
  Rule: *.corporation.com - DNS server A
  Rule: www.corporation.com - DNS server B
  Rule: *.internal.corporation.com - DNS server C
  Rule: www.internal.corporation.com - DNS server D
  FQDN: mail.internal.corporation.com matches DNS server C
  FQDN: mail.corporation.com matches DNS server A
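The following is an added example, not PAN-OS code: an implementation of the tokenized comparison and the most-specific-match tie breaker described in the table above, together with a linter for the best practices listed. Rules are compared right-aligned against the FQDN exactly as the wildcard examples show; the Implicit tail match behavior is not modelled, because the page does not define it beyond the advice to avoid it. The server names and the small set of known TLDs (the gTLDs listed in the DNS Overview) are this example's assumptions, not values from the page.

```python
"""Added example, not PAN-OS code: DNS proxy rule matching as described on the
page (right-aligned token comparison, * = one or more tokens, a second
consecutive * = exactly one token, most literal tokens wins) plus a
best-practices linter.  KNOWN_TLDS is a stand-in for a real TLD list."""
from typing import List, Optional, Tuple

KNOWN_TLDS = frozenset({"com", "edu", "gov", "int", "mil", "net", "org"})  # gTLDs named on the page


def tokens(name: str) -> List[str]:
    """A domain name's tokens: the strings delimited by periods."""
    return name.strip(".").lower().split(".")


def match_score(rule: List[str], fqdn: List[str]) -> Optional[int]:
    """Number of literal tokens matched, or None if the rule does not match.
    Tokens are consumed from the right.  A * matches one or more tokens, except
    that a * directly preceded by another * matches exactly one token, which is
    why '*.*' needs an FQDN of two or more tokens."""
    if not rule:
        return 0 if not fqdn else None
    tok = rule[-1]
    if tok != "*":
        if fqdn and fqdn[-1] == tok:
            rest = match_score(rule[:-1], fqdn[:-1])
            return None if rest is None else rest + 1
        return None
    if len(rule) >= 2 and rule[-2] == "*":          # second of two consecutive wildcards
        return match_score(rule[:-1], fqdn[:-1]) if fqdn else None
    for k in range(1, len(fqdn) + 1):               # ordinary wildcard: one or more tokens
        rest = match_score(rule[:-1], fqdn[:-k])
        if rest is not None:
            return rest
    return None


def matches(rule: str, fqdn: str) -> bool:
    return match_score(tokens(rule), tokens(fqdn)) is not None


def select_server(rules: List[Tuple[str, str]], fqdn: str, default: str) -> str:
    """rules: (domain name, DNS server) pairs.  The rule matching the most literal
    tokens wins; with no match the query goes to the proxy object's default server."""
    best: Tuple[int, str] = (-1, default)
    for domain, server in rules:
        score = match_score(tokens(domain), tokens(fqdn))
        if score is not None and score > best[0]:
            best = (score, server)
    return best[1]


def lint_rule(rule: str, known_tlds=KNOWN_TLDS) -> List[str]:
    """Flag the patterns the best-practices table warns about."""
    toks = tokens(rule)
    problems = []
    if toks.count("*") > 1:
        problems.append("more than one * in the rule")
    if "*" in toks[1:]:
        problems.append("* is not the leftmost token")
    if toks[-1] not in known_tlds:
        problems.append("no top-level domain: relies on an Implicit tail match")
    return problems
```

select_server() is the part to reuse when auditing a proxy object: feed it the configured rules and the FQDNs that matter (internal names, update servers) and confirm each one lands on the server you intended, since an overly broad base rule silently routes everything under its suffix to one resolver.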
NAT
This section describes Network Address Translation (NAT) and how to configure the firewall for NAT. NAT allows you to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses, thereby conserving an organization's routable IP addresses. NAT allows you to avoid disclosing the real IP addresses of hosts that need access to public addresses and to manage traffic by performing port forwarding. You can use NAT to solve network design challenges, enabling networks with identical IP subnets to communicate with each other. The firewall supports NAT on Layer 3 and virtual wire interfaces.
The NAT64 option translates between IPv6 and IPv4 addresses, providing connectivity between networks using disparate IP addressing schemes, and therefore a migration path to IPv6 addressing. IPv6-to-IPv6 Network Prefix Translation (NPTv6) translates one IPv6 prefix to another IPv6 prefix. PAN-OS supports all of these functions.
If you use private IP addresses within your internal networks, you must use NAT to translate the private addresses to public addresses that can be routed on external networks. In PAN-OS, you create NAT policy rules that instruct the firewall which packet addresses and ports need translation and what the translated addresses and ports are.
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples
NAT Policy Rules
- NAT Policy Overview
- NAT Address Pools Identified as Address Objects
- Proxy ARP for NAT Address Pools
NAT Policy Overview
You configure a NAT rule to match a packet's source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet's destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall evaluates the rules in order from the top down. Once a packet matches the criteria of a single NAT rule, the packet is not subjected to additional NAT rules. Therefore, your list of NAT rules should be in order from most specific to least specific so that packets are subjected to the most specific rule you created for them.
Static NAT rules do not have precedence over other forms of NAT. Therefore, for static NAT to work, the static NAT rules must be above all other NAT rules in the list on the firewall.
NAT rules provide address translation, and are different from security policy rules, which allow or deny packets. It is important to understand the firewall's flow logic when it applies NAT rules and security policy rules so that you can determine what rules you need, based on the zones you have defined. You must configure security policy rules to allow the NAT traffic.
Uponingress,thefirewallinspectsthepacketanddoesaroutelookuptodeterminetheegressinterfaceand
zone.ThenthefirewalldeterminesifthepacketmatchesoneoftheNATrulesthathavebeendefined,based
onsourceand/ordestinationzone.Itthenevaluatesandappliesanysecuritypoliciesthatmatchthepacket
basedontheoriginal(preNAT)sourceanddestinationaddresses,butthepostNATzones.Finally,upon
egress,foramatchingNATrule,thefirewalltranslatesthesourceand/ordestinationaddressandport
numbers.
KeepinmindthatthetranslationoftheIPaddressandportdonotoccuruntilthepacketleavesthefirewall.
TheNATrulesandsecuritypoliciesapplytotheoriginalIPaddress(thepreNATaddress).ANATruleis
configuredbasedonthezoneassociatedwithapreNATIPaddress.
SecuritypoliciesdifferfromNATrulesbecausesecuritypoliciesexaminepostNATzonestodetermine
whetherthepacketisallowedornot.BecausetheverynatureofNATistomodifysourceordestinationIP
addresses,whichcanresultinmodifyingthepacketsoutgoinginterfaceandzone,securitypoliciesare
enforcedonthepostNATzone.
ASIPcallsometimesexperiencesonewayaudiowhengoingthroughthefirewallbecausethecallmanagersends
aSIPmessageonbehalfofthephonetosetuptheconnection.Whenthemessagefromthecallmanagerreaches
thefirewall,theSIPALGmustputtheIPaddressofthephonethroughNAT.Ifthecallmanagerandthephones
arenotinthesamesecurityzone,theNATlookupoftheIPaddressofthephoneisdoneusingthecallmanager
zone.TheNATpolicyshouldtakethisintoconsideration.
NoNATrulesareconfiguredtoallowexclusionofIPaddressesdefinedwithintherangeofNATrules
definedlaterintheNATpolicy.TodefineanoNATpolicy,specifyallofthematchcriteriaandselectNo
SourceTranslationinthesourcetranslationcolumn.
YoucanverifytheNATrulesprocessedbyusingtheCLItest nat-policy-matchcommandin
operationalmode.Forexample:
user@device1> test nat-policy-match ?
+ destination Destination IP address
+ destination-port Destination port
+ from From zone
+ ha-device-id HA Active/Active device ID
+ protocol IP protocol value
+ source Source IP address
+ source-port Source port
+ to To Zone
+ to-interface Egress interface to use
| Pipe through a command
<Enter> Finish input
user@device1> test nat-policy-match from l3-untrust source 10.1.1.1 destination
66.151.149.20 destination-port 443 protocol 6
Destination-NAT: Rule matched: CA2-DEMO
66.151.149.20:443 => 192.168.100.15:443
NAT Address Pools Identified as Address Objects
Because both NAT rules and security policy rules use address objects, it is a best practice to distinguish between them by naming an address object used for NAT with a prefix, such as NAT-name.
Proxy ARP for NAT Address Pools
NAT address pools are not bound to any interfaces. The following figure illustrates the behavior of the firewall when it is performing proxy ARP for an address in a NAT address pool.
The firewall performs source NAT for a client, translating the source address 1.1.1.1 to the address in the NAT pool, 2.2.2.2. The translated packet is sent on to a router.
For the return traffic, the router does not know how to reach 2.2.2.2 (because the IP address 2.2.2.2 is just an address in the NAT address pool), so it sends an ARP request packet to the firewall.
If the address pool (2.2.2.2) is in the same subnet as the egress/ingress interface IP address (2.2.2.3/24), the firewall can send a proxy ARP reply to the router, indicating the Layer 2 MAC address of the IP address, as shown in the figure above.
If the address pool (2.2.2.2) is not a subnet of an interface on the firewall, the firewall will not send a proxy ARP reply to the router. This means that the router must be configured with the necessary route to know where to send packets destined for 2.2.2.2, in order to ensure the return traffic is routed back to the firewall, as shown in the figure below.
Source NAT and Destination NAT
The firewall supports both source address and/or port translation and destination address and/or port translation.
- Source NAT
- Destination NAT
Source NAT
Source NAT is typically used by internal users to access the Internet; the source address is translated and thereby kept private. There are three types of source NAT:
- Dynamic IP and Port (DIPP) - Allows multiple hosts to have their source IP addresses translated to the same public IP address with different port numbers. The dynamic translation is to the next available address in the NAT address pool, which you configure as a Translated Address pool that can be an IP address, a range of addresses, a subnet, or a combination of these.
  As an alternative to using the next address in the NAT address pool, DIPP allows you to specify the address of the Interface itself. The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT).
  DIPP has a default NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. For more information, see Dynamic IP and Port NAT Oversubscription and Modify the Oversubscription Rate for DIPP NAT.
- Dynamic IP - Allows the one-to-one, dynamic translation of a source IP address only (no port number) to the next available address in the NAT address pool. The size of the NAT pool should be equal to the number of internal hosts that require address translations. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable use of DIPP addresses when necessary. In either event, as sessions terminate and the addresses in the pool become available, they can be allocated to translate new connections.
  Dynamic IP NAT supports the option for you to Reserve Dynamic IP NAT Addresses.
- Static IP - Allows the 1-to-1, static translation of a source IP address, but leaves the source port unchanged. A common scenario for a static IP translation is an internal server that must be available to the Internet.
Destination NAT
Destination NAT is performed on incoming packets, when the firewall translates a public destination address to a private address. Destination NAT does not use address pools or ranges. It is a 1-to-1, static translation with the option to perform port forwarding or port translation.
- Static IP - Allows the 1-to-1, static translation of a destination IP address and optionally the port number. One common use of destination NAT is to configure several NAT rules that map a single public destination address to several private destination host addresses assigned to servers or services. In this case, the destination port numbers are used to identify the destination hosts. For example:
- Port Forwarding - Can translate a public destination address and port number to a private destination address, but keeps the same port number.
- Port Translation - Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the real port number private. It is configured by entering a Translated Port on the Translated Packet tab in the NAT policy rule. See the Destination NAT with Port Translation Example.
NAT Rule Capacities
The number of NAT rules allowed is based on the firewall model. Individual rule limits are set for static, Dynamic IP (DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number of rules used for these NAT types cannot exceed the total NAT rule capacity. For DIPP, the rule limit is based on the oversubscription setting (8, 4, 2, or 1) of the firewall and the assumption of one translated IP address per rule. To see model-specific NAT rule limits and translated IP address limits, use the Compare Firewalls tool.
Consider the following when working with NAT rules:
- If you run out of pool resources, you cannot create more NAT rules, even if the model's maximum rule count has not been reached.
- If you consolidate NAT rules, the logging and reporting will also be consolidated. The statistics are provided per the rule, not per all of the addresses within the rule. If you need granular logging and reporting, do not combine the rules.
Dynamic IP and Port NAT Oversubscription
Dynamic IP and Port (DIPP) NAT allows you to use each translated IP address and port pair multiple times (8, 4, or 2 times) in concurrent sessions. This reusability of an IP address and port (known as oversubscription) provides scalability for customers who have too few public IP addresses. The design is based on the assumption that hosts are connecting to different destinations, therefore sessions can be uniquely identified and collisions are unlikely. The oversubscription rate in effect multiplies the original size of the address/port pool to 8, 4, or 2 times the size. For example, the default limit of 64K concurrent sessions allowed, when multiplied by an oversubscription rate of 8, results in 512K concurrent sessions allowed.
The oversubscription rates that are allowed vary based on the model. The oversubscription rate is global; it applies to the firewall. This oversubscription rate is set by default and consumes memory, even if you have enough public IP addresses available to make oversubscription unnecessary. You can reduce the rate from the default setting to a lower setting or even 1 (which means no oversubscription). By configuring a reduced rate, you decrease the number of source device translations possible, but increase the DIP and DIPP NAT rule capacities. To change the default rate, see Modify the Oversubscription Rate for DIPP NAT.
If you select Platform Default, your explicit configuration of oversubscription is turned off and the default oversubscription rate for the model applies, as shown in the table below. The Platform Default setting allows for an upgrade or downgrade of a software release.
The following table lists the default (highest) oversubscription rate for each model.
Model         Default Oversubscription Rate
PA-200        2
PA-220        2
PA-500        2
PA-820        2
PA-850        2
PA-3020       2
PA-3050       2
PA-3060       2
PA-5020       4
PA-5050       8
PA-5060       8
PA-5220       4
PA-5250       8
PA-5260       8
PA-7050       8
PA-7080       8
VM-50         2
VM-100        1
VM-200        1
VM-300        2
VM-500        8
VM-700        8
VM-1000-HV    2
The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each model supports a maximum number of translated IP addresses (for all NAT rules combined). If oversubscription causes the maximum translated addresses per rule (256) to be exceeded, the firewall will automatically reduce the oversubscription ratio in an effort to have the commit succeed. However, if your NAT rules result in translations that exceed the maximum translated addresses for the model, the commit will fail.
Dataplane NAT Memory Statistics
Configure NAT
Perform the following tasks to configure various aspects of NAT. In addition to the examples below, there are examples in the section NAT Configuration Examples.
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Modify the Oversubscription Rate for DIPP NAT
- Disable NAT for a Specific Host or Interface
- Reserve Dynamic IP NAT Addresses
The NAT example in this section is based on the following topology:
Based on this topology, there are three NAT policies we need to create as follows:
- To enable the clients on the internal network to access resources on the Internet, the internal 192.168.1.0 addresses will need to be translated to publicly routable addresses. In this case, we will configure source NAT (the purple enclosure and arrow above), using the egress interface address, 203.0.113.100, as the source address in all packets that leave the firewall from the internal zone. See Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT) for instructions.
- To enable clients on the internal network to access the public web server in the DMZ zone, we must configure a NAT rule that redirects the packet from the external network, where the original routing table lookup will determine it should go based on the destination address of 203.0.113.11 within the packet, to the actual address of the web server on the DMZ network of 10.1.1.11. To do this you must create a NAT rule from the trust zone (where the source address in the packet is) to the untrust zone (where the original destination address is) to translate the destination address to an address in the DMZ zone. This type of destination NAT is called U-Turn NAT (the yellow enclosure and arrow above). See Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT) for instructions.
- To enable the web server, which has both a private IP address on the DMZ network and a public-facing address for access by external users, to both send and receive requests, the firewall must translate the incoming packets from the public IP address to the private IP address and the outgoing packets from the private IP address to the public IP address. On the firewall, you can accomplish this with a single bi-directional static source NAT policy (the green enclosure and arrow above). See Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT).
Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
When a client on your internal network sends a request, the source address in the packet contains the IP address for the client on your internal network. If you use private IP address ranges internally, the packets from the client will not be able to be routed on the Internet unless you translate the source IP address in the packets leaving the network into a publicly routable address.
On the firewall you can do this by configuring a source NAT policy that translates the source address (and optionally the port) into a public address. One way to do this is to translate the source address for all packets to the egress interface on your firewall, as shown in the following procedure.
Configure Source NAT
Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
When a user on the internal network sends a request for access to the corporate web server in the DMZ, the DNS server will resolve it to the public IP address. When processing the request, the firewall will use the original destination in the packet (the public IP address) and route the packet to the egress interface for the untrust zone. In order for the firewall to know that it must translate the public IP address of the web server to an address on the DMZ network when it receives requests from users on the trust zone, you must create a destination NAT rule that will enable the firewall to send the request to the egress interface for the DMZ zone as follows.
Configure U-Turn NAT
Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. You create a static NAT rule to translate the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our example.
However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from Internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.
Configure Bi-Directional NAT
Modify the Oversubscription Rate for DIPP NAT
If you have enough public IP addresses that you do not need to use DIPP NAT oversubscription, you can reduce the oversubscription rate and thereby gain more DIP and DIPP NAT rules allowed.
Set NAT Oversubscription
Step 1   View the DIPP NAT oversubscription rate.   1. Select Device > Setup > Session > Session Settings. View the NAT Oversubscription Rate setting.
Disable NAT for a Specific Host or Interface
Both source NAT and destination NAT rules can be configured to disable address translation. You may have exceptions where you do not want NAT to occur for a certain host in a subnet or for traffic exiting a specific interface. The following procedure shows how to disable source NAT for a host.
Create a Source NAT Exemption
NAT rules are processed in order from the top to the bottom, so place the NAT exemption policy before other NAT policies to ensure it is processed before an address translation occurs for the sources you want to exempt.
Reserve Dynamic IP NAT Addresses
You can reserve Dynamic IP NAT addresses (for a configurable period of time) to prevent them from being allocated as translated addresses to a different source IP address that needs translation. When configured, the reservation applies to all of the translated Dynamic IP addresses in progress and any new translations.
For both translations in progress and new translations, when a source IP address is translated to an available translated IP address, that pairing is retained even after all sessions related to that specific source IP are expired. The reservation timer for each source IP address begins after all sessions that use that source IP address translation expire. Dynamic IP NAT is a one-to-one translation; one source IP address translates to one translated IP address that is chosen dynamically from those addresses available in the configured pool. Therefore, a translated IP address that is reserved is not available for any other source IP address until the reservation expires because a new session has not started. The timer is reset each time a new session for a source IP/translated IP mapping begins, after a period when no sessions were active.
By default, no addresses are reserved. You can reserve Dynamic IP NAT addresses for the firewall or for a virtual system.
Reserve Dynamic IP NAT Addresses
Reserve dynamic IP NAT addresses for a firewall.   Enter the following commands:
admin@PA-3020# set setting nat reserve-ip yes
admin@PA-3020# set setting nat reserve-time <1-604800 secs>
Reserve dynamic IP NAT addresses for a virtual system.   Enter the following commands:
admin@PA-3020# set vsys <vsysid> setting nat reserve-ip yes
admin@PA-3020# set vsys <vsysid> setting nat reserve-time <1-604800 secs>
For example, suppose there is a Dynamic IP NAT pool of 30 addresses and there are 20 translations in progress when the nat reserve-time is set to 28800 seconds (8 hours). Those 20 translations are now reserved, so that when the last session (of any application) that uses each source IP/translated IP mapping expires, the translated IP address is reserved for only that source IP address for 8 hours, in case that source IP address needs translation again. Additionally, as the 10 remaining translated addresses are allocated, they each are reserved for their source IP address, each with a timer that begins when the last session for that source IP address expires.
In this manner, each source IP address can be repeatedly translated to its same NAT address from the pool; another host will not be assigned a reserved translated IP address from the pool, even if there are no active sessions for that translated address.
Suppose a source IP/translated IP mapping has all of its sessions expire, and the reservation timer of 8 hours begins. After a new session for that translation begins, the timer stops, and the sessions continue until they all end, at which point the reservation timer starts again, reserving the translated address.
The reservation timer remains in effect on the Dynamic IP NAT pool until you disable it by entering the set setting nat reserve-ip no command or you change the nat reserve-time to a different value.
The CLI commands for reservations do not affect Dynamic IP and Port (DIPP) or Static IP NAT pools.
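The following model is an added illustration of the Dynamic IP pool behaviour described in this section (one-to-one allocation, drop on exhaustion, and the reserve-time timer that starts when the last session ends and stops when a new one begins); it is not PAN-OS code. Times are plain integer seconds, and Dynamic IP/Port Fallback is assumed to be off.

```python
"""Model of Dynamic IP NAT allocation with the reserve-ip / reserve-time behaviour.

Constructed example, not PAN-OS code. reserve_time=0 models the default
(reserve-ip no): the translated address returns to the pool as soon as the
last session of its source IP expires. DIPP fallback is not modelled, so an
exhausted pool drops new translations.
"""


class DynamicIpNatPool:
    def __init__(self, addresses, reserve_time=0):
        self.free = list(addresses)   # translated addresses not mapped to any source
        self.reserve_time = reserve_time
        self.mapping = {}             # source IP -> translated IP
        self.sessions = {}            # source IP -> number of active sessions
        self.reserved_until = {}      # source IP -> time at which its reservation expires

    def _expire_reservations(self, now):
        """Release every mapping whose reservation timer has run out."""
        for src, until in list(self.reserved_until.items()):
            if now >= until:
                del self.reserved_until[src]
                self.free.append(self.mapping.pop(src))

    def open_session(self, src, now):
        """Return the translated address for src, or None if the pool is exhausted."""
        self._expire_reservations(now)
        if src in self.mapping:
            # Existing pairing is reused and any running reservation timer stops.
            self.reserved_until.pop(src, None)
        else:
            if not self.free:
                return None           # new connection needing translation is dropped
            self.mapping[src] = self.free.pop(0)
        self.sessions[src] = self.sessions.get(src, 0) + 1
        return self.mapping[src]

    def close_session(self, src, now):
        """End one session; when the last one ends, start the reservation timer (or free)."""
        self.sessions[src] -= 1
        if self.sessions[src] == 0:
            if self.reserve_time > 0:
                self.reserved_until[src] = now + self.reserve_time
            else:
                self.free.append(self.mapping.pop(src))

    def translation(self, src):
        """Current translated address for src, or None if it has no mapping."""
        return self.mapping.get(src)


if __name__ == "__main__":
    # Constructed two-address pool with the 8-hour reservation from the text.
    pool = DynamicIpNatPool(["203.0.113.10", "203.0.113.11"], reserve_time=28800)
    print(pool.open_session("10.0.0.1", now=0))    # 203.0.113.10
    pool.close_session("10.0.0.1", now=100)        # reserved for 10.0.0.1 until t=28900
    print(pool.open_session("10.0.0.2", now=200))  # 203.0.113.11
    print(pool.open_session("10.0.0.3", now=300))  # None: pool exhausted by the reservation
```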
NAT Configuration Examples
- Destination NAT Example - One-to-One Mapping
- Destination NAT with Port Translation Example
- Destination NAT Example - One-to-Many Mapping
- Source and Destination NAT Example
- Virtual Wire Source NAT Example
- Virtual Wire Static NAT Example
- Virtual Wire Destination NAT Example
Destination NAT Example - One-to-One Mapping
The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).
The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.
In the following example of a one-to-one destination NAT mapping, users from the zone named Untrust-L3 access the server 10.1.1.100 in the zone named DMZ using the IP address 1.1.1.100.
Before configuring the NAT rules, consider the sequence of events for this scenario.
- Host 1.1.1.250 sends an ARP request for the address 1.1.1.100 (the public address of the destination server).
- The firewall receives the ARP request packet for destination 1.1.1.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured.
- The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 1.1.1.100 to 10.1.1.100.
- After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ.
- The firewall performs a security policy lookup to see if the traffic is permitted from zone Untrust-L3 to DMZ.
  The direction of the policy matches the ingress zone and the zone where the server is physically located.
  The security policy refers to the IP address in the original packet, which has a destination address of 1.1.1.100.
- The firewall forwards the packet to the server out egress interface Ethernet1/2. The destination address is changed to 10.1.1.100 as the packet leaves the firewall.
For this example, address objects are configured for webserver-private (10.1.1.100) and Webserver-public (1.1.1.100). The configured NAT rule would look like this:
The direction of the NAT rules is based on the result of route lookup.
The configured security policy to provide access to the server from the Untrust-L3 zone would look like this:
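The following model is an added illustration of the evaluation order described in NAT Policy Overview and in this example (route lookup on the pre-NAT destination, first-match NAT rule, route lookup on the translated destination, then security policy on pre-NAT addresses but the post-NAT zone); it is not Palo Alto Networks code. It models destination address matching only (no source, service or port criteria), treats a missing security rule match as deny, and also covers the U-Turn NAT topology from Configure NAT.

```python
"""Packet-flow model of NAT and security policy evaluation on a PAN-OS firewall.

Constructed example, not Palo Alto Networks code. Route tables, rule names and
addresses are taken from the examples in this guide or constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    prefix: str
    zone: str


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str        # zone of the pre-NAT destination (first route lookup)
    destination: str    # pre-NAT (original) destination address or network
    translated_dst: str


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str        # post-NAT zone: where the end host is physically connected
    destination: str    # still the pre-NAT destination address
    action: str         # "allow" or "deny"


class Firewall:
    def __init__(self, routes, nat_rules, security_rules):
        self.routes = [(ip_network(r.prefix), r.zone) for r in routes]
        self.nat_rules = list(nat_rules)            # evaluated top-down, first match wins
        self.security_rules = list(security_rules)

    def route_lookup(self, addr):
        """Longest-prefix match; returns the zone of the egress interface."""
        ip = ip_address(addr)
        candidates = [(net, zone) for net, zone in self.routes if ip in net]
        net, zone = max(candidates, key=lambda entry: entry[0].prefixlen)
        return zone

    def process(self, src_zone, src_ip, dst_ip):
        # 1. Route lookup on the original destination gives the NAT rule's destination zone.
        pre_nat_zone = self.route_lookup(dst_ip)
        # 2. First NAT rule matching pre-NAT zones and pre-NAT destination address.
        nat = next((r for r in self.nat_rules
                    if r.from_zone == src_zone and r.to_zone == pre_nat_zone
                    and ip_address(dst_ip) in ip_network(r.destination)), None)
        translated_dst = nat.translated_dst if nat else dst_ip
        # 3. Route lookup on the translated destination gives the post-NAT (egress) zone.
        post_nat_zone = self.route_lookup(translated_dst)
        # 4. Security policy: post-NAT zone, but the pre-NAT destination address.
        sec = next((r for r in self.security_rules
                    if r.from_zone == src_zone and r.to_zone == post_nat_zone
                    and ip_address(dst_ip) in ip_network(r.destination)), None)
        return {
            "source": src_ip,
            "nat_rule": nat.name if nat else None,
            "translated_dst": translated_dst,
            "egress_zone": post_nat_zone,
            "security_rule": sec.name if sec else None,
            "action": sec.action if sec else "deny",   # assumption: no match means deny
        }


# Constructed topology for the one-to-one example above.
ROUTES = [Route("1.1.1.0/24", "Untrust-L3"), Route("10.1.1.0/24", "DMZ"), Route("0.0.0.0/0", "Untrust-L3")]
NAT_RULES = [NatRule("dnat-webserver", "Untrust-L3", "Untrust-L3", "1.1.1.100", "10.1.1.100")]
# Correct: the security rule references the pre-NAT address and the post-NAT zone.
SECURITY_OK = [SecurityRule("allow-web", "Untrust-L3", "DMZ", "1.1.1.100", "allow")]
# Common mistake: referencing the post-NAT (private) address in the security rule.
SECURITY_WRONG = [SecurityRule("allow-web", "Untrust-L3", "DMZ", "10.1.1.100", "allow")]

if __name__ == "__main__":
    for rules in (SECURITY_OK, SECURITY_WRONG):
        print(Firewall(ROUTES, NAT_RULES, rules).process("Untrust-L3", "1.1.1.250", "1.1.1.100"))
```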
Destination NAT with Port Translation Example
In this example, the web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 and TCP port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 and TCP port 8080. Address objects are configured for webserver-private (10.1.1.100) and Servers-public (1.1.1.100).
The following NAT and security rules must be configured on the firewall:
Destination NAT Example - One-to-Many Mapping
In this example, one IP address maps to two different internal hosts. The firewall uses the application to identify the internal host to which the firewall forwards the traffic.
All HTTP traffic is sent to host 10.1.1.100 and SSH traffic is sent to server 10.1.1.101. The following address objects are required:
- Address object for the one pre-translated IP address of the server
- Address object for the real IP address of the SSH server
- Address object for the real IP address of the web server
The corresponding address objects are created:
- Servers-public: 1.1.1.100
- SSH-server: 10.1.1.101
- webserver-private: 10.1.1.100
The NAT rules would look like this:
The security rules would look like this:
Source and Destination NAT Example
In this example, NAT rules translate both the source and destination IP address of packets between the clients and the server.
- Source NAT - The source addresses in the packets from the clients in the Trust-L3 zone to the server in the Untrust-L3 zone are translated from the private addresses in the network 192.168.1.0/24 to the IP address of the egress interface on the firewall (10.16.1.103). Dynamic IP and Port translation causes the port numbers to be translated also.
- Destination NAT - The destination addresses in the packets from the clients to the server are translated from the server's public address (80.80.80.80) to the server's private address (10.2.133.15).
The following address objects are created for destination NAT.
- Server-PreNAT: 80.80.80.80
- Server-postNAT: 10.2.133.15
The following screenshots illustrate how to configure the source and destination NAT policies for the example.
Virtual Wire Source NAT Example
Virtual wire deployment of a Palo Alto Networks firewall includes the benefit of providing security transparently to the end devices. It is possible to configure NAT for interfaces configured in a virtual wire. All of the NAT types are allowed: source NAT (Dynamic IP, Dynamic IP and Port, static) and destination NAT.
Because interfaces in a virtual wire do not have an IP address assigned, it is not possible to translate an IP address to an interface IP address. You must configure an IP address pool.
When performing NAT on virtual wire interfaces, it is recommended that you translate the source address to a different subnet than the one on which the neighboring devices are communicating. The firewall will not proxy ARP for NAT addresses. Proper routing must be configured on the upstream and downstream routers in order for the packets to be translated in virtual wire mode. Neighboring devices will only be able to resolve ARP requests for IP addresses that reside on the interface of the device on the other end of the virtual wire. See Proxy ARP for NAT Address Pools for more explanation about proxy ARP.
In the source NAT and static NAT examples below, security policies (not shown) are configured from the virtual wire zone named vw-trust to the zone named vw-untrust.
In the following topology, two routers are configured to provide connectivity between subnets 1.1.1.0/24 and 3.1.1.0/24. The link between the routers is configured in subnet 2.1.1.0/30. Static routing is configured on both routers to establish connectivity between the networks. Before the firewall is deployed in the environment, the topology and the routing table for each router look like this:
Route on R1:
Destination   Next Hop
3.1.1.0/24    2.1.1.2
Route on R2:
Destination   Next Hop
1.1.1.0/24    2.1.1.1
Now the firewall is deployed in virtual wire mode between the two Layer 3 devices. All communications from clients in network 1.1.1.0/24 accessing servers in network 3.1.1.0/24 are translated to an IP address in the range 2.1.1.9-2.1.1.14. A NAT IP address pool with range 2.1.1.9-2.1.1.14 is configured on the firewall.
All connections from the clients in subnet 1.1.1.0/24 will arrive at router R2 with a translated source address in the range 2.1.1.9-2.1.1.14. The response from servers will be directed to these addresses. In order for source NAT to work, you must configure proper routing on router R2, so that packets destined for other addresses are not dropped. The routing table below shows the modified routing table on router R2. The route ensures the traffic to the destinations 2.1.1.9-2.1.1.14 (that is, hosts on subnet 2.1.1.8/29) will be sent back through the firewall to router R1.
Route on R2:
Destination   Next Hop
2.1.1.8/29    2.1.1.1
Virtual Wire Static NAT Example
In this example, security policies are configured from the virtual wire zone named Trust to the virtual wire zone named Untrust. Host 1.1.1.100 is statically translated to address 2.1.1.100. With the Bi-directional option enabled, the firewall generates a NAT policy from the Untrust zone to the Trust zone. Clients on the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Any connections initiated by the server at 1.1.1.100 are translated to source IP address 2.1.1.100.
Route on R2:
Destination   Next Hop
2.1.1.100/32  2.1.1.1
Virtual Wire Destination NAT Example
Clients in the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Both the NAT and security policies must be configured from the Untrust zone to the Trust zone.
Route on R2:
Destination   Next Hop
2.1.1.100/32  2.1.1.1
NPTv6
IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). There are four primary benefits of NPTv6:
- You can prevent the asymmetrical routing problems that result from Provider Independent addresses being advertised from multiple data centers.
- NPTv6 allows more specific routes to be advertised so that return traffic arrives at the same firewall that transmitted the traffic.
- Private and public addresses are independent; you can change one without affecting the other.
- You have the ability to translate Unique Local Addresses to globally routable addresses.
This topic builds on a basic understanding of NAT. You should be sure you are familiar with NAT concepts before configuring NPTv6.
- NPTv6 Overview
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy
NPTv6 Overview
This section describes IPv6-to-IPv6 Network Prefix Translation (NPTv6) and how to configure it. NPTv6 is defined in RFC 6296. Palo Alto Networks does not implement all functionality defined in the RFC, but is compliant with the RFC in the functionality it has implemented.
NPTv6 performs stateless translation of one IPv6 prefix to another IPv6 prefix. It is stateless, meaning that it does not keep track of ports or sessions on the addresses translated. NPTv6 differs from NAT66, which is stateful. Palo Alto Networks supports NPTv6 RFC 6296 prefix translation; it does not support NAT66.
With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses.
For organizations using IPv6 addressing, there is no need to translate IPv6 addresses to IPv6 addresses due to the abundance of IPv6 addresses. However, there are Reasons to Use NPTv6 to translate IPv6 prefixes at the firewall.
NPTv6 translates the prefix portion of an IPv6 address but not the host portion or the application port numbers. The host portion is simply copied, and therefore remains the same on either side of the firewall. The host portion also remains visible within the packet header.
- NPTv6 Does Not Provide Security
- Model Support for NPTv6
- Unique Local Addresses
- Reasons to Use NPTv6
NPTv6 Does Not Provide Security
It is important to understand that NPTv6 does not provide security. In general, stateless network address translation does not provide any security; it provides an address translation function. NPTv6 does not hide or translate port numbers. You must set up firewall security policies correctly in each direction to ensure that traffic is controlled as you intended.
Model Support for NPTv6
NPTv6 is supported on the following models (NPTv6 with hardware lookup, but packets go through the CPU): PA-7000 Series, PA-5200 Series, PA-5000 Series, PA-3060 firewall, PA-3050 firewall, PA-800 firewall, and PA-220 firewall. Models supported with no ability to have hardware perform a session lookup: PA-3020 firewall, PA-500 firewall, PA-200 firewall, and VM-Series.
Unique Local Addresses
RFC 4193, Unique Local IPv6 Unicast Addresses, defines unique local addresses (ULAs), which are IPv6 unicast addresses. They can be considered IPv6 equivalents of the private IPv4 addresses identified in RFC 1918, Address Allocation for Private Internets, which cannot be routed globally.
A ULA is globally unique, but not expected to be globally routable. It is intended for local communications and to be routable in a limited area such as a site or among a small number of sites. Palo Alto Networks does not recommend that you assign ULAs, but a firewall configured with NPTv6 will translate prefixes sent to it, including ULAs.
Reasons to Use NPTv6
Although there is no shortage of public, globally routable IPv6 addresses, there are reasons you might want to translate IPv6 addresses. NPTv6:
- Prevents asymmetrical routing - Asymmetric routing can occur if a Provider Independent address space (/48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall where the source IP address was translated by the translator.
- Provides address independence - You need not change the IPv6 prefixes used inside your local network if the global prefixes are changed (for example, by an ISP or as a result of merging organizations). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the Internet. In either case, you update a NAT rule rather than reassign network addresses.
- Translates ULAs for routing - You can have Unique Local Addresses assigned within your private network, and have the firewall translate them to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.
- Reduces exposure to IPv6 prefixes - IPv6 prefixes are less exposed than if you did not translate network prefixes; however, NPTv6 is not a security measure. The interface identifier portion of each IPv6 address is not translated; it remains the same on each side of the firewall and visible to anyone who can see the packet header. Additionally, the prefixes are not secure; they can be determined by others.
How NPTv6 Works
When you configure a policy for NPTv6, the Palo Alto Networks firewall performs a static, one-to-one IPv6 translation in both directions. The translation is based on the algorithm described in RFC 6296.
In one use case, the firewall performing NPTv6 is located between an internal network and an external network (such as the Internet) that uses globally routable prefixes. When datagrams are going in the outbound direction, the internal source prefix is replaced with the external prefix; this is known as source translation.
In another use case, when datagrams are going in the inbound direction, the destination prefix is replaced with the internal prefix (known as destination translation). The figure below illustrates destination translation and a characteristic of NPTv6: only the prefix portion of an IPv6 address is translated. The host portion of the address is not translated and remains the same on either side of the firewall. In the figure below, the host identifier is 111::55 on both sides of the firewall.
It is important to understand that NPTv6 does not provide security. While you are planning your NPTv6 NAT policies, remember also to configure security policies in each direction.
A NAT or NPTv6 policy rule cannot have both the Source Address and the Translated Address set to Any.
In an environment where you want IPv6 prefix translation, three firewall features work together: NPTv6 NAT policies, security policies, and NDP Proxy.
The firewall does not translate the following:
- Addresses that the firewall has in its Neighbor Discovery (ND) cache.
- The subnet 0xFFFF (in accordance with RFC 6296, Appendix B).
- IP multicast addresses.
- IPv6 addresses with a prefix length of /31 or shorter.
- Link-local addresses. If the firewall is operating in virtual wire mode, there are no IP addresses to translate, and the firewall does not translate link-local addresses.
- Addresses for TCP sessions that authenticate peers using the TCP Authentication Option (RFC 5925).
When using NPTv6, performance for fastpath traffic is impacted because NPTv6 is performed in the slow path.
NPTv6 will work with IPSec IPv6 only if the firewall is originating and terminating the tunnel. Transit IPSec traffic would fail because the source and/or destination IPv6 address would be modified. A NAT traversal technique that encapsulates the packet would allow IPSec IPv6 to work with NPTv6.
ChecksumNeutralMapping
BiDirectionalTranslation
NPTv6AppliedtoaSpecificService
Checksum-Neutral Mapping
The NPTv6 mapping translations that the firewall performs are checksum-neutral, meaning that "...they result in IP headers that will generate the same IPv6 pseudo-header checksum when the checksum is calculated using the standard Internet checksum algorithm [RFC 1071]." See RFC 6296, Section 2.6, for more information about checksum-neutral mapping.
If you are using NPTv6 to perform destination NAT, you can provide the internal IPv6 address and the external prefix/prefix length of the firewall interface in the syntax of the test nptv6 CLI command. The CLI responds with the checksum-neutral, public IPv6 address to use in your NPTv6 configuration to reach that destination.
Bi-Directional Translation
When you Create an NPTv6 Policy, the Bi-directional option in the Translated Packet tab provides a convenient way for you to have the firewall create a corresponding NAT or NPTv6 translation in the opposite direction of the translation you configured. By default, Bi-directional translation is disabled.
If you enable Bi-directional translation, it is very important to make sure you have security policies in place to control the traffic in both directions. Without such policies, the Bi-directional feature will allow packets to be automatically translated in both directions, which you might not want.
NPTv6 Applied to a Specific Service
The Palo Alto Networks implementation of NPTv6 offers the ability to filter packets to limit which packets are subject to translation. Keep in mind that NPTv6 does not perform port translation. There is no concept of Dynamic IP and Port (DIPP) translation because NPTv6 translates IPv6 prefixes only. However, you can specify that only packets for a certain service port undergo NPTv6 translation. To do so, Create an NPTv6 Policy that specifies a Service in the Original Packet.
NDP Proxy
Neighbor Discovery Protocol (NDP) for IPv6 performs functions similar to those provided by Address Resolution Protocol (ARP) for IPv4. RFC 4861 defines Neighbor Discovery for IP version 6 (IPv6). Hosts, routers, and firewalls use NDP to determine the link-layer addresses of neighbors on connected links, to keep track of which neighbors are reachable, and to update neighbors' link-layer addresses that have changed. Peers advertise their own MAC address and IPv6 address, and they also solicit addresses from peers.
NDP also supports the concept of proxy, when a node has a neighboring device that is able to forward packets on behalf of the node. The device (firewall) performs the role of NDP Proxy.
Palo Alto Networks firewalls support NDP and NDP Proxy on their interfaces. When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall. You can also configure addresses for which the firewall will not respond to proxy requests (negated addresses).
In fact, NDP is enabled by default, and you need to configure NDP Proxy when you configure NPTv6, for the following reasons:
• The stateless nature of NPTv6 requires a way to instruct the firewall to respond to ND packets sent to specified NDP Proxy addresses, and to not respond to negated NDP Proxy addresses. It is recommended that you negate your neighbors' addresses in the NDP Proxy configuration, because NDP Proxy indicates the firewall will reach those addresses behind the firewall, but the neighbors are not behind the firewall.
• NDP causes the firewall to save the MAC addresses and IPv6 addresses of neighbors in its ND cache. (Refer to the figure in NPTv6 and NDP Proxy Example.) The firewall does not perform NPTv6 translation for addresses that it finds in its ND cache because doing so could introduce a conflict. If the host portion of an address in the cache happens to overlap with the host portion of a neighbor's address, and the prefix in the cache is translated to the same prefix as that of the neighbor (because the egress interface on the firewall belongs to the same subnet as the neighbor), then you would have a translated address that is exactly the same as the legitimate IPv6 address of the neighbor, and a conflict occurs. (If an attempt to perform NPTv6 translation occurs on an address in the ND cache, an informational syslog message logs the event: NPTv6 Translation Failed.)
When an interface with NDP Proxy enabled receives an ND solicitation requesting a MAC address for an IPv6 address, the following sequence occurs:
1. The firewall searches the ND cache to ensure the IPv6 address from the solicitation is not there. If the address is there, the firewall ignores the ND solicitation.
2. If the source IPv6 address is :: (the unspecified address), the packet is a Duplicate Address Detection packet, and the firewall ignores the ND solicitation.
3. The firewall does a Longest Prefix Match search of the NDP Proxy addresses and finds the best match to the address in the solicitation. If the Negate field for the match is checked (in the NDP Proxy list), the firewall drops the ND solicitation.
4. Only if the Longest Prefix Match search matches, and that matched address is not negated, will the NDP Proxy respond to the ND solicitation. The firewall responds with an ND packet, providing its own MAC address as the MAC address of the next hop toward the queried destination.
In order to successfully support NDP, the firewall does not perform NDP Proxy for the following:
• Duplicate Address Detection (DAD).
• Addresses in the ND cache (because such addresses do not belong to the firewall; they belong to discovered neighbors).
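The decision sequence above, written out as an added example (not Palo Alto Networks code), so you can trace what the untrust interface does with each Neighbor Solicitation. It uses the addresses from this page's NPTv6 and NDP Proxy example; the /64 length of the 2001:DB8:: proxy entry, the extra negated range 2001:DB8::FF00/120, and the firewall MAC are assumptions.

```python
"""NDP Proxy decision for one firewall interface, following the sequence on this page.

Added example, not Palo Alto Networks code. Prefix lengths and the MAC are assumed."""
import ipaddress
from dataclasses import dataclass, field

UNSPECIFIED = ipaddress.IPv6Address("::")


@dataclass
class ProxyEntry:
    prefix: ipaddress.IPv6Network
    negate: bool = False          # Negate checked: the firewall must not claim this range


@dataclass
class Interface:
    mac: str
    nd_cache: set = field(default_factory=set)       # neighbors NDP has discovered
    proxy_table: list = field(default_factory=list)  # ProxyEntry objects, any order


def learn_neighbor(iface, address):
    """NDP saves discovered neighbors; cached addresses are never proxied or translated."""
    iface.nd_cache.add(ipaddress.IPv6Address(address))


def handle_neighbor_solicitation(iface, source, target):
    """Return (action, reason) for a Neighbor Solicitation asking who has `target`."""
    src, tgt = ipaddress.IPv6Address(source), ipaddress.IPv6Address(target)
    if tgt in iface.nd_cache:                    # 1. a real neighbor owns the address
        return "ignore", "target is in the ND cache"
    if src == UNSPECIFIED:                       # 2. source :: is Duplicate Address Detection
        return "ignore", "DAD probe"
    matches = [e for e in iface.proxy_table if tgt in e.prefix]
    if not matches:                              # 3. no proxy entry covers it
        return "ignore", "no NDP Proxy entry matches"
    best = max(matches, key=lambda e: e.prefix.prefixlen)   # longest prefix match
    if best.negate:
        return "drop", f"longest match {best.prefix} is negated"
    return "respond", f"advertise own MAC {iface.mac} for {tgt}"   # 4. claim it


def nptv6_may_translate(iface, address):
    """NPTv6 refuses ND-cache addresses (syslog: NPTv6 Translation Failed)."""
    return ipaddress.IPv6Address(address) not in iface.nd_cache


def example_interface():
    """The untrust interface from the page's example, configured as the page recommends."""
    iface = Interface(mac="02:00:00:00:00:0e")   # constructed MAC
    for neighbor in ("2001:db8::1", "2001:db8::2", "2001:db8::3"):
        learn_neighbor(iface, neighbor)
        # Negate the neighbors: they are beside the firewall, not behind it.
        iface.proxy_table.append(ProxyEntry(ipaddress.IPv6Network(neighbor + "/128"), negate=True))
    iface.proxy_table.append(ProxyEntry(ipaddress.IPv6Network("2001:db8::/64")))          # assumed /64
    iface.proxy_table.append(ProxyEntry(ipaddress.IPv6Network("2001:db8::ff00/120"), negate=True))  # assumed
    return iface


if __name__ == "__main__":
    fw = example_interface()
    for src, tgt in (("2001:db8::7", "2001:db8::100"), ("2001:db8::7", "2001:db8::1"),
                     ("::", "2001:db8::100"), ("2001:db8::7", "2001:db8::ff01")):
        print(tgt, handle_neighbor_solicitation(fw, src, tgt))
```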
NPTv6 and NDP Proxy Example
The following figure illustrates how NPTv6 and NDP Proxy function together.
The ND Cache in NPTv6 Example
The NDP Proxy in NPTv6 Example
The NPTv6 Translation in NPTv6 Example
Neighbors in the ND Cache are Not Translated
The ND Cache in NPTv6 Example
In the above example, multiple peers connect to the firewall through a switch, with ND occurring between the peers and the switch, between the switch and the firewall, and between the firewall and the devices on the trust side.
As the firewall learns of peers, it saves their addresses to its ND cache. Trusted peers FDDA:7A3E::1, FDDA:7A3E::2, and FDDA:7A3E::3 are connected to the firewall on the trust side. FDDA:7A3E::99 is the untranslated address of the firewall itself; its public-facing address is 2001:DB8::99. The addresses of the peers on the untrust side have been discovered and appear in the ND cache: 2001:DB8::1, 2001:DB8::2, and 2001:DB8::3.
The NDP Proxy in NPTv6 Example
In our scenario, we want the firewall to act as NDP Proxy for the prefixes on devices behind the firewall. When the firewall is NDP Proxy for a specified set of addresses/ranges/prefixes, and it sees an address from this range in an ND solicitation or advertisement, the firewall will respond as long as a device with that specific address doesn't respond first, the address is not negated in the NDP Proxy configuration, and the address is not in the ND cache. The firewall does the prefix translation (described below) and sends the packet to the trust side, where that address might or might not be assigned to a device.
In this example, the NDP Proxy table contains the network address 2001:DB8::0. When the interface sees an ND for 2001:DB8::100, no other devices on the L2 switch claim the packet, so the proxy range causes the firewall to claim it, and after translation to FDDA:7A3E::100, the firewall sends it out to the trust side.
The NPTv6 Translation in NPTv6 Example
Neighbors in the ND Cache are Not Translated
In our example, there are hosts behind the firewall with host identifiers :1, :2, and :3. If the prefixes of those hosts are translated to a prefix that exists beyond the firewall, and if those devices also have host identifiers :1, :2, and :3, then because the host identifier portion of the address remains unchanged, the resulting translated address would belong to the existing device, and an addressing conflict would result. In order to avoid a conflict with overlapping host identifiers, NPTv6 does not translate addresses that it finds in its ND cache.
Create an NPTv6 Policy
Perform this task when you want to configure a NAT NPTv6 policy to translate one IPv6 prefix to another IPv6 prefix. The prerequisites for this task are:
• Enable IPv6. Select Device > Setup > Session. Click Edit and select IPv6 Firewalling.
• Configure a Layer 3 Ethernet interface with a valid IPv6 address and with IPv6 enabled. Select Network > Interfaces > Ethernet, select an interface, and on the IPv6 tab, select Enable IPv6 on the interface.
• Create network security policies, because NPTv6 does not provide security.
• Decide whether you want source translation, destination translation, or both.
• Identify the zones to which you want to apply the NPTv6 policy.
• Identify your original and translated IPv6 prefixes.
Configure an NPTv6 Policy
NAT64
NAT64 provides a way to transition to IPv6 while you still need to communicate with IPv4 networks. When you need to communicate from an IPv6-only network to an IPv4 network, you use NAT64 to translate source and destination addresses from IPv6 to IPv4 and vice versa. NAT64 allows IPv6 clients to access IPv4 servers and allows IPv4 clients to access IPv6 servers. You should understand NAT before configuring NAT64.
NAT64 Overview
IPv4-Embedded IPv6 Address
DNS64 Server
Path MTU Discovery
IPv6-Initiated Communication
Configure NAT64 for IPv6-Initiated Communication
Configure NAT64 for IPv4-Initiated Communication
Configure NAT64 for IPv4-Initiated Communication with Port Translation
NAT64 Overview
You can configure two types of NAT64 translation on a Palo Alto Networks firewall; each one does a bidirectional translation between the two IP address families:
• The firewall supports stateful NAT64 for IPv6-Initiated Communication, which maps multiple IPv6 addresses to one IPv4 address, thus preserving IPv4 addresses. (It does not support stateless NAT64, which maps one IPv6 address to one IPv4 address and therefore does not preserve IPv4 addresses.) Configure NAT64 for IPv6-Initiated Communication.
• Palo Alto Networks also supports IPv4-initiated communication with a static binding that maps an IPv4 address and port number to an IPv6 address. Configure NAT64 for IPv4-Initiated Communication. It also supports port rewrite, which preserves even more IPv4 addresses by translating an IPv4 address and port number to an IPv6 address with multiple port numbers. Configure NAT64 for IPv4-Initiated Communication with Port Translation.
A single IPv4 address can be used for NAT44 and NAT64; you don't reserve a pool of IPv4 addresses for NAT64 only.
NAT64 operates on Layer 3 interfaces, subinterfaces, and tunnel interfaces. To use NAT64 on a Palo Alto Networks firewall for IPv6-initiated communication, you must have a third-party DNS64 Server or a solution in place to separate the DNS query function from the NAT function. The DNS64 server translates between your IPv6 host and an IPv4 DNS server by encoding the IPv4 address it receives from a public DNS server into an IPv6 address for the IPv6 host.
Palo Alto Networks supports the following NAT64 features:
• Hairpinning (NAT U-Turn); additionally, NAT64 prevents hairpinning loop attacks by dropping all incoming IPv6 packets that have a source prefix of 64::/n.
• Translation of TCP/UDP/ICMP packets per RFC 6146, and the firewall makes a best effort to translate other protocols that don't use an application-level gateway (ALG). For example, the firewall can translate a GRE packet. This translation has the same limitation as NAT44: if you don't have an ALG for a protocol that can use a separate control and data channel, the firewall might not understand the return traffic flow.
• Translation between IPv4 and IPv6 of the ICMP length attribute of the original datagram field, per RFC 4884.
IPv4-Embedded IPv6 Address
NAT64 uses an IPv4-embedded IPv6 address as described in RFC 6052, IPv6 Addressing of IPv4/IPv6 Translators. An IPv4-embedded IPv6 address is an IPv6 address in which 32 bits have an IPv4 address encoded in them. The IPv6 prefix length (PL in the figure) determines where in the IPv6 address the IPv4 address is encoded, as follows: with a /32 prefix the IPv4 address occupies bits 32-63; with /40, /48 and /56 prefixes the first 24, 16 or 8 bits of the IPv4 address fill the space up to bit 63 and the remainder follows bit 71; with a /64 prefix the IPv4 address occupies bits 72-103; and with a /96 prefix it is the last 32 bits. In every case b
its 64-71 (the u octet) are reserved and set to zero, and any remaining bits form a zero suffix.
The firewall supports translation for /32, /40, /48, /56, /64, and /96 subnets using these prefixes. A single firewall supports multiple prefixes; each NAT64 rule uses one prefix. The prefix can be the Well-Known Prefix (64:FF9B::/96) or a Network-Specific Prefix (NSP) that is unique to the organization that controls the address translator (the DNS64 device). An NSP is usually a network within the organization's IPv6 prefix. The DNS64 device typically sets the u field and suffix to zeros; the firewall ignores those fields.
DNS64 Server
If you want to perform NAT64 translation using IPv6-Initiated Communication, you must use a third-party DNS64 server or other DNS64 solution that is set up with the Well-Known Prefix or your NSP. When an IPv6 host attempts to access an IPv4 host or domain on the internet, the DNS64 server queries an authoritative DNS server for the IPv4 address mapped to that hostname. The DNS server returns an Address record (A record) to the DNS64 server containing the IPv4 address for the hostname.
The DNS64 server in turn converts the IPv4 address to hexadecimal and encodes it into the appropriate octets of the IPv6 prefix it is set up to use (the Well-Known Prefix or your NSP) based on the prefix length, which results in an IPv4-Embedded IPv6 Address. The DNS64 server sends an AAAA record to the IPv6 host that maps the IPv4-embedded IPv6 address to the IPv4 hostname.
Path MTU Discovery
IPv6 routers do not fragment packets in transit, so the firewall uses two methods to reduce the need to fragment packets:
• When the firewall is translating IPv4 packets in which the DF (don't fragment) bit is zero, that indicates the sender expects the firewall to fragment packets that are too large, but the firewall doesn't fragment packets for the IPv6 network (after translation) because IPv6 doesn't fragment in transit. Instead, you can configure the minimum size into which the firewall will fragment IPv4 packets before translating them. The NAT64 IPv6 Minimum Network MTU value is this setting, which complies with RFC 6145, IP/ICMP Translation Algorithm. You can set the NAT64 IPv6 Minimum Network MTU to its maximum value (Device > Setup > Session), which causes the firewall to fragment IPv4 packets to the IPv6 minimum size before translating them to IPv6. (The NAT64 IPv6 Minimum Network MTU does not change the interface MTU.)
• The other method the firewall uses to reduce fragmentation is Path MTU Discovery (PMTUD). In an IPv4-initiated communication, if an IPv4 packet to be translated has the DF bit set and the MTU for the egress interface is smaller than the packet, the firewall drops the packet and returns an ICMP Destination Unreachable (fragmentation needed) message to the source. The source lowers the path MTU for that destination and resends the packet until successive reductions in the path MTU allow packet delivery.
IPv6-Initiated Communication
IPv6-initiated communication to the firewall is similar to source NAT for an IPv4 topology. Configure NAT64 for IPv6-Initiated Communication when your IPv6 host needs to communicate with an IPv4 server.
In the NAT64 policy rule, configure the original source to be an IPv6 host address or Any. Configure the destination IPv6 address as either the Well-Known Prefix or the NSP that the DNS64 server uses. (You do not configure the full IPv6 destination address in the rule.)
As shown in the example topology below, IPv6-initiated communication requires a DNS64 Server. The DNS64 server must be set up to use the Well-Known Prefix 64:FF9B::/96 or your Network-Specific Prefix, which must comply with RFC 6052 (/32, /40, /48, /56, /64, or /96).
On the translated side of the firewall, the translation type must be Dynamic IP and Port in order to implement stateful NAT64. You configure the source translated address to be the IPv4 address of the egress interface on the firewall. You do not configure the destination translation field; the firewall translates the address by first finding the prefix length in the original destination address of the rule and then, based on the prefix, extracting the encoded IPv4 address from the original destination IPv6 address in the incoming packet.
Before the firewall looks at the NAT64 rule, the firewall must do a route lookup to find the destination security zone for an incoming packet. You must ensure that the NAT64 prefix is reachable through a destination zone assignment, because the NAT64 prefix is not otherwise routable by the firewall: with no route for it, the firewall would either send traffic for the NAT64 prefix to the default route or drop it, and it would not find a destination zone because the prefix is not in its routing table, associated with an egress interface and zone.
You must also configure a tunnel interface (with no termination point). You apply the NAT64 prefix to the tunnel and apply the appropriate zone to ensure that IPv6 traffic with the NAT64 prefix is assigned to the proper destination zone. The tunnel also has the advantage of dropping IPv6 traffic with the NAT64 prefix if the traffic does not match the NAT64 rule. Your configured routing protocol on the firewall looks up the IPv6 prefix in its routing table to find the destination zone and then looks at the NAT64 rule.
The figure below illustrates the role of the DNS64 server in the name resolution process. In this example, the DNS64 server is configured to use Well-Known Prefix 64:FF9B::/96.
1. A user at the IPv6 host enters the URL www.abc.com, which generates a name server lookup (nslookup) to the DNS64 server.
2. The DNS64 server sends an nslookup to the public DNS server for www.abc.com, requesting its IPv4 address.
3. The DNS server returns an A record that provides the IPv4 address to the DNS64 server.
4. The DNS64 server sends an AAAA record to the IPv6 user, converting the IPv4 dotted-decimal address 198.51.100.1 into C633:6401 hexadecimal and embedding it into its own IPv6 prefix, 64:FF9B::/96. [198 = C6 hex; 51 = 33 hex; 100 = 64 hex; 1 = 01 hex.] The result is IPv4-Embedded IPv6 Address 64:FF9B::C633:6401.
Keep in mind that in a /96 prefix, the IPv4 address is the last four octets encoded in the IPv6 address. If the DNS64 server uses a /32, /40, /48, /56 or /64 prefix, the IPv4 address is encoded as shown in RFC 6052.
Upon the transparent name resolution, the IPv6 host sends a packet to the firewall containing its IPv6 source address and destination IPv6 address 64:FF9B::C633:6401 as determined by the DNS64 server. The firewall performs the NAT64 translation based on your NAT64 rule.
Configure NAT64 for IPv6-Initiated Communication
This configuration task and its addresses correspond to the figures in IPv6-Initiated Communication.
Configure NAT64 for IPv4-Initiated Communication
IPv4-initiated communication to an IPv6 server is similar to destination NAT in an IPv4 topology. The destination IPv4 address maps to the destination IPv6 address through a one-to-one, static IP translation (not a many-to-one translation).
The firewall encodes the source IPv4 address into Well-Known Prefix 64:FF9B::/96 as defined in RFC 6052. The translated destination address is the actual IPv6 address. The use case for IPv4-initiated communication is typically when an organization is providing access from the public, untrust zone to an IPv6 server in the organization's DMZ zone. This topology does not use a DNS64 server.
Configure NAT64 for IPv4-Initiated Communication with Port Translation
This task builds on the task to Configure NAT64 for IPv4-Initiated Communication, but the organization controlling the IPv6 network prefers to translate the public destination port number to an internal destination port number and thereby keep it private from users on the IPv4 untrust side of the firewall. In this example, port 8080 is translated to port 80. To do that, in the Original Packet of the NAT64 policy rule, create a new Service that specifies the destination port is 8080. For the Translated Packet, the translated port is 80. Hiding the internal port number is not an access control; the security policy for the untrust-to-DMZ traffic still decides who can reach the server.
ECMP
Equal-Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route.
Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
• Load-balance flows (sessions) to the same destination over multiple equal-cost links.
• Efficiently use all available bandwidth on links to the same destination rather than leave some links unused.
• Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than having to wait for the routing protocol or RIB table to elect an alternative path/route. This can help reduce downtime when links fail.
For information about ECMP path selection when an HA peer fails, see ECMP in Active/Active HA Mode.
The following sections describe ECMP and how to configure it.
ECMP Load-Balancing Algorithms
ECMP Model, Interface, and IP Routing Support
Configure ECMP on a Virtual Router
Enable ECMP for Multiple BGP Autonomous Systems
Verify ECMP
ECMP Load-Balancing Algorithms
Let's suppose the Routing Information Base (RIB) of the firewall has multiple equal-cost paths to a single destination. The maximum number of equal-cost paths defaults to 2. ECMP chooses the best two equal-cost paths from the RIB to copy to the Forwarding Information Base (FIB). ECMP then determines, based on the load-balancing method, which of the two paths in the FIB the firewall will use for the destination during this session.
ECMP load balancing is done at the session level, not at the packet level: the start of a new session is when the firewall (ECMP) chooses an equal-cost path. The equal-cost paths to a single destination are considered ECMP path members or ECMP group members. ECMP determines which one of the multiple paths to a destination in the FIB to use for an ECMP flow, based on which load-balancing algorithm you set. A virtual router can use only one load-balancing algorithm.
Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart the virtual router, which might cause existing sessions to be terminated.
The four algorithm choices emphasize different priorities, as follows:
• Hash-based algorithms prioritize session stickiness. The IP Modulo and IP Hash algorithms use hashes based on information in the packet header, such as source and destination address. Because the header of each flow in a given session contains the same source and destination information, these options
Assign lower-speed or lower-capacity links a lower weight. Assign higher-speed or higher-capacity links a higher weight. In this manner, the firewall can distribute sessions based on these ratios, rather than overdrive a low-capacity link that is one of the equal-cost paths.
ECMP Model, Interface, and IP Routing Support
ECMP is supported on all Palo Alto Networks firewall models, with hardware forwarding support on the PA-7000 Series, PA-5000 Series, PA-3060 firewalls, and PA-3050 firewalls. PA-3020 firewalls, PA-500 firewalls, PA-200 firewalls, and VM-Series firewalls support ECMP through software only. Performance is affected for sessions that cannot be hardware-offloaded.
ECMP is supported on Layer 3, Layer 3 subinterface, VLAN, tunnel, and Aggregated Ethernet interfaces. ECMP can be configured for static routes and any of the dynamic routing protocols the firewall supports.
ECMP affects the route table capacity because the capacity is based on the number of paths, so an ECMP route with four paths will consume four entries of route table capacity. ECMP implementation might slightly decrease the route table capacity because more memory is being used by session-based tags to map traffic flows to particular interfaces.
Virtual router-to-virtual router routing using static routes does not support ECMP.
Configure ECMP on a Virtual Router
Use the following procedure to enable ECMP on a virtual router. The prerequisites are to:
• Specify the interfaces that belong to a virtual router (Network > Virtual Routers > Router Settings > General).
• Specify the IP routing protocol.
Enabling, disabling, or changing ECMP for an existing virtual router causes the system to restart the virtual router, which might cause sessions to be terminated.
Enable ECMP for Multiple BGP Autonomous Systems
Perform the following task if you have BGP configured, and you want to enable ECMP over multiple autonomous systems. This task presumes that BGP is already configured. In the first figure, two ECMP paths to a destination go through two firewalls belonging to a single ISP in a single BGP autonomous system. In the second figure, two ECMP paths to a destination go through two firewalls belonging to two different ISPs in different BGP autonomous systems.
Verify ECMP
A virtual router configured for ECMP indicates in the Forwarding Information Base (FIB) table which routes are ECMP routes. An ECMP flag (E) for a route indicates that it is participating in ECMP for the egress interface to the next hop for that route. To verify ECMP, use the following procedure to look at the FIB and confirm that some routes are equal-cost multiple paths.
Confirm That Routes Are Equal-Cost Multiple Paths
LLDP
Palo Alto Networks firewalls support Link Layer Discovery Protocol (LLDP), which functions at the link layer to discover neighboring devices and their capabilities. LLDP allows the firewall and other network devices to send and receive LLDP data units (LLDPDUs) to and from neighbors. The receiving device stores the information in a MIB, which the Simple Network Management Protocol (SNMP) can access. LLDP makes troubleshooting easier, especially for virtual wire deployments where the firewall would typically go undetected by a ping or traceroute.
LLDP Overview
Supported TLVs in LLDP
LLDP Syslog Messages and SNMP Traps
Configure LLDP
View LLDP Settings and Status
Clear LLDP Statistics
LLDP Overview
LLDP operates at Layer 2 of the OSI model, using MAC addresses. An LLDPDU is a sequence of type-length-value (TLV) elements encapsulated in an Ethernet frame. The IEEE 802.1AB standard defines three MAC addresses for LLDPDUs: 01-80-C2-00-00-0E, 01-80-C2-00-00-03, and 01-80-C2-00-00-00.
The Palo Alto Networks firewall supports only one MAC address for transmitting and receiving LLDP data units: 01-80-C2-00-00-0E. When transmitting, the firewall uses 01-80-C2-00-00-0E as the destination MAC address. When receiving, the firewall processes datagrams with 01-80-C2-00-00-0E as the destination MAC address. If the firewall receives either of the other two MAC addresses for LLDPDUs on its interfaces, the firewall takes the same forwarding action it took prior to this feature, as follows:
• If the interface type is vwire, the firewall forwards the datagram to the other port.
• If the interface type is L2, the firewall floods the datagram to the rest of the VLAN.
• If the interface type is L3, the firewall drops the datagrams.
Panorama, the GlobalProtect Mobile Security Manager, and the WildFire appliance are not supported.
Interface types that do not support LLDP are TAP, high availability (HA), Decrypt Mirror, virtual wire/VLAN/L3 subinterfaces, and PA-7000 Series Log Processing Card (LPC) interfaces.
An LLDP Ethernet frame has the following format: destination MAC address (6 octets), source MAC address (6 octets), EtherType 0x88CC (2 octets), the LLDPDU, and the frame check sequence.
Within the LLDP Ethernet frame, the TLV structure has the following format: a 7-bit TLV type, a 9-bit TLV information string length, and the TLV information string of 0 to 511 octets.
Supported TLVs in LLDP
LLDPDUs include mandatory and optional TLVs. The following table lists the mandatory TLVs that the firewall supports:
TLV | Type | Description
Chassis ID TLV | 1 | Identifies the firewall chassis. Each firewall must have exactly one unique Chassis ID. The Chassis ID subtype is 4 (MAC address); Palo Alto Networks models use the MAC address of Eth0 to ensure uniqueness.
Port ID TLV | 2 | Identifies the port from which the LLDPDU is sent. Each firewall uses one Port ID for each LLDPDU message transmitted. The Port ID subtype is 5 (interface name) and uniquely identifies the transmitting port. The firewall uses the interface's ifname as the Port ID.
Time-to-live (TTL) TLV | 3 | Specifies how long (in seconds) LLDPDU information received from the peer is retained as valid in the local firewall (range is 0-65535). The value is a multiple of the LLDP Hold Time Multiplier. When the TTL value is 0, the information associated with the device is no longer valid and the firewall removes that entry from the MIB.
End of LLDPDU TLV | 0 | Indicates the end of the TLVs in the LLDP Ethernet frame.
The following table lists the optional TLVs that the Palo Alto Networks firewall supports:
TLV | Type | Description
Port Description TLV | 4 | Describes the port of the firewall in alphanumeric format. The ifAlias object is used.
System Name TLV | 5 | Configured name of the firewall in alphanumeric format. The sysName object is used.
System Description TLV | 6 | Describes the firewall in alphanumeric format. The sysDescr object is used.
System Capabilities TLV | 7 | Describes the deployment mode of the interface, as follows:
  • An L3 interface is advertised with router (bit 6) capability and the other bit (bit 1).
  • An L2 interface is advertised with MAC Bridge (bit 3) capability and the other bit (bit 1).
  • A virtual wire interface is advertised with Repeater (bit 2) capability and the other bit (bit 1).
Management Address TLV | 8 | One or more IP addresses used for firewall management, as follows:
  • IP address of the management (MGT) interface
  • IPv4 and/or IPv6 address of the interface
  • Loopback address
  • User-defined address entered in the management address field
  If no management IP address is provided, the default is the MAC address of the transmitting interface.
  Included is the interface number of the management address specified. Also included is the OID of the hardware interface with the management address specified (if applicable).
  If more than one management address is specified, they will be sent in the order they are specified, starting at the top of the list. A maximum of four Management Addresses are supported.
  This is an optional parameter and can be left disabled.
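To make the frame format, the TLV header layout and the tables above concrete, here is an added example (not Palo Alto Networks code) that builds an LLDPDU with the mandatory TLVs in their required order, parses it back, applies the page's rule that only 01-80-C2-00-00-0E is processed while the other two group addresses are forwarded, flooded or dropped by interface type, and applies the TTL-0 removal rule. The MAC address, interface name and system name are constructed values; the firewall's real frames are not reproduced.

```python
"""Build and parse LLDPDUs as the TLV tables on this page describe them.

Added example, not Palo Alto Networks code. MAC addresses and names are constructed."""
import struct

LLDP_DEST_MAC = bytes.fromhex("0180c200000e")    # the only group address the firewall uses
OTHER_LLDP_MACS = {bytes.fromhex("0180c2000003"), bytes.fromhex("0180c2000000")}
LLDP_ETHERTYPE = 0x88CC

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESCR, TLV_SYSTEM_NAME = 4, 5
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5     # the subtypes the firewall uses


def tlv(tlv_type, value):
    """TLV header: 7-bit type and 9-bit length in one big-endian 16-bit word, then the value."""
    if not 0 <= len(value) <= 511:
        raise ValueError("TLV information string must be 0..511 octets")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, ifname, ttl, system_name=None, port_description=None):
    """Mandatory TLVs in fixed order (1, 2, 3), optional TLVs, then End of LLDPDU (0)."""
    pdu = tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    pdu += tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + ifname.encode())
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))
    if port_description is not None:
        pdu += tlv(TLV_PORT_DESCR, port_description.encode())
    if system_name is not None:
        pdu += tlv(TLV_SYSTEM_NAME, system_name.encode())
    return pdu + tlv(TLV_END, b"")


def build_frame(src_mac, lldpdu, dst_mac=LLDP_DEST_MAC):
    """Ethernet frame without FCS: destination, source, EtherType 0x88CC, LLDPDU."""
    return dst_mac + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def firewall_action(frame, interface_type):
    """Per the page: process 01-80-C2-00-00-0E; forward (vwire), flood (l2) or drop (l3) the others."""
    dst = frame[:6]
    if dst == LLDP_DEST_MAC:
        return "process"
    if dst in OTHER_LLDP_MACS:
        return {"vwire": "forward", "l2": "flood", "l3": "drop"}[interface_type]
    return "not-lldp"


def parse_lldpdu(data):
    """Walk the TLV chain, enforce the mandatory order and the End TLV, decode known TLVs."""
    fields, order, offset = {}, [], 0
    while offset + 2 <= len(data):
        header = struct.unpack("!H", data[offset:offset + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        offset += 2 + length
        order.append(tlv_type)
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_CHASSIS_ID and value and value[0] == CHASSIS_SUBTYPE_MAC:
            fields["chassis_id"] = value[1:].hex(":")
        elif tlv_type == TLV_PORT_ID and value and value[0] == PORT_SUBTYPE_IFNAME:
            fields["port_id"] = value[1:].decode()
        elif tlv_type == TLV_TTL:
            fields["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_PORT_DESCR:
            fields["port_description"] = value.decode()
        elif tlv_type == TLV_SYSTEM_NAME:
            fields["system_name"] = value.decode()
        else:
            fields.setdefault("unparsed_types", []).append(tlv_type)
    if order[:3] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL] or not order or order[-1] != TLV_END:
        raise ValueError(f"malformed LLDPDU, TLV order {order}")
    return fields


def update_neighbor_table(table, fields):
    """TTL 0 removes the neighbor; any other TTL (re)stores it, keyed by chassis and port."""
    key = (fields["chassis_id"], fields["port_id"])
    if fields["ttl"] == 0:
        table.pop(key, None)
    else:
        table[key] = fields
    return table


if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")            # constructed, locally administered
    frame = build_frame(mac, build_lldpdu(mac, "ethernet1/1", 120, system_name="fw-example"))
    print(firewall_action(frame, "l3"), parse_lldpdu(frame[14:]))
```

The parser rejects any LLDPDU whose first three TLVs are not Chassis ID, Port ID and TTL in that order; a neighbor that sends them out of order or omits the End TLV would not populate the MIB on a conformant receiver either.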
LLDP Syslog Messages and SNMP Traps
The firewall stores LLDP information in MIBs, which an SNMP Manager can monitor. If you want the firewall to send SNMP trap notifications and syslog messages about LLDP events, you must enable SNMP Syslog Notification in an LLDP profile.
Per RFC 5424, The Syslog Protocol, and RFC 1157, A Simple Network Management Protocol, LLDP sends syslog and SNMP trap messages when MIB changes occur. These messages are rate-limited by the Notification Interval, an LLDP global setting that defaults to 5 seconds and is configurable.
Because the LLDP syslog and SNMP trap messages are rate-limited, some LLDP information provided to those processes might not match the current LLDP statistics seen when you View LLDP Settings and Status. This is normal, expected behavior.
A maximum of 5 MIBs can be received per interface (Ethernet or AE). Each different source has one MIB. If this limit is exceeded, the error message tooManyNeighbors is triggered.
Configure LLDP
To configure LLDP and create an LLDP profile, you must be a superuser or device administrator (deviceadmin). A firewall interface supports a maximum of five LLDP peers.
Step 3: Create an LLDP profile. (For descriptions of the optional TLVs, see Supported TLVs in LLDP.)
1. Select Network > Network Profiles > LLDP Profile and Add a Name for the LLDP profile.
2. For Mode, select transmit-receive (default), transmit-only, or receive-only.
3. Select SNMP Syslog Notification to enable SNMP notifications and syslog messages. If enabled, the global Notification Interval is used. The firewall will send both an SNMP trap and a syslog event as configured in Device > Log Settings > System > SNMP Trap Profile and Syslog Profile.
4. For Optional TLVs, select the TLVs you want transmitted: Port Description, System Name, System Description, System Capabilities.
5. (Optional) Select Management Address to add one or more management addresses and Add a Name.
6. Select the Interface from which to obtain the management address. At least one management address is required if the Management Address TLV is enabled. If no management IP address is configured, the system uses the MAC address of the transmitting interface as the management address TLV.
7. Select IPv4 or IPv6, and in the adjacent field, select an IP address from the drop-down (which lists the addresses configured on the selected interface), or enter an address.
8. Click OK.
9. Up to four management addresses are allowed. If you specify more than one Management Address, they will be sent in the order they are specified, starting at the top of the list. To change the order of the addresses, select an address and use the Move Up or Move Down buttons.
10. Click OK.
View LLDP Settings and Status
Perform the following procedure to view LLDP settings and status.
Clear LLDP Statistics
You can clear LLDP statistics for specific interfaces.
BFD
The firewall supports Bidirectional Forwarding Detection (BFD), a protocol that recognizes a failure in the bidirectional path between two routing peers. BFD failure detection is extremely fast, providing for a faster failover than can be achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats. Mission-critical data centers and networks that require high availability and extremely fast failover need the extremely fast failure detection that BFD provides.
- BFD Overview
- Configure BFD
- Reference: BFD Details
BFD Overview
When you enable BFD, BFD establishes a session from one endpoint (the firewall) to its BFD peer at the endpoint of a link using a three-way handshake. Control packets perform the handshake and negotiate the parameters configured in the BFD profile, including the minimum intervals at which the peers can send and receive control packets. BFD control packets for both IPv4 and IPv6 are transmitted over UDP port 3784. BFD control packets for multihop support are transmitted over UDP port 4784. BFD control packets transmitted over either port are encapsulated in the UDP packets.
After the BFD session is established, the Palo Alto Networks implementation of BFD operates in asynchronous mode, meaning both endpoints send each other control packets (which function like Hello packets) at the negotiated interval. If a peer does not receive a control packet within the detection time (calculated as the negotiated transmit interval multiplied by a Detection Time Multiplier), the peer considers the session down. (The firewall does not support demand mode, in which control packets are sent only if necessary rather than periodically.)
When you enable BFD for a static route and a BFD session between the firewall and the BFD peer fails, the firewall removes the failed route from the RIB and FIB tables and allows an alternate path with a lower priority to take over. When you enable BFD for a routing protocol, BFD notifies the routing protocol to switch to an alternate path to the peer. Thus, the firewall and BFD peer reconverge on a new path.
A BFD profile allows you to Configure BFD settings and apply them to one or more routing protocols or static routes on the firewall. If you enable BFD without configuring a profile, the firewall uses its default BFD profile (with all of the default settings). You cannot change the default BFD profile.
When an interface is running multiple protocols that use different BFD profiles, BFD uses the profile having the lowest Desired Minimum Tx Interval. See BFD for Dynamic Routing Protocols.
Active/passive HA peers synchronize BFD configurations and sessions; active/active HA peers do not.
BFD is standardized in RFC 5880. PAN-OS does not support all components of RFC 5880; see Non-Supported RFC Components of BFD.
PAN-OS also supports RFC 5881, Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop). In this case, BFD tracks a single hop between two systems that use IPv4 or IPv6, so the two systems are directly connected to each other. BFD also tracks multiple hops from peers connected by BGP. PAN-OS follows BFD encapsulation as described in RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths. However, PAN-OS does not support authentication.
- BFD Model, Interface, and Client Support
- Non-Supported RFC Components of BFD
- BFD for Static Routes
- BFD for Dynamic Routing Protocols
BFD Model, Interface, and Client Support
PAN-OS supports BFD on PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM-Series firewalls. Each model supports a maximum number of BFD sessions, as listed in the Product Selection tool.
BFD runs on physical Ethernet, Aggregated Ethernet (AE), VLAN, and tunnel interfaces (site-to-site VPN and LSVPN), and on Layer 3 subinterfaces.
Supported BFD clients are:
- Static routes (IPv4 and IPv6) consisting of a single hop
- OSPFv2 and OSPFv3 (interface types include broadcast, point-to-point, and point-to-multipoint)
- BGP IPv4 (IBGP, EBGP) consisting of a single hop or multiple hops
- RIP (single hop)
Non-Supported RFC Components of BFD
- Demand mode
- Authentication
- Sending or receiving Echo packets; however, the firewall will pass Echo packets that arrive on a virtual wire or tap interface. (BFD Echo packets have the same IP address for the source and destination.)
- Poll sequences
- Congestion control
BFD for Static Routes
To use BFD on a static route, both the firewall and the peer at the opposite end of the static route must support BFD sessions. A static route can have a BFD profile only if the Next Hop type is IP Address.
If an interface is configured with more than one static route to a peer (the BFD session has the same source IP address and same destination IP address), a single BFD session automatically handles the multiple static routes. This behavior reduces BFD sessions. If the static routes have different BFD profiles, the profile with the smallest Desired Minimum Tx Interval takes effect.
In a deployment where you want to configure BFD for a static route on a DHCP or PPPoE client interface, you must perform two commits. Enabling BFD for a static route requires that the Next Hop type must be IP Address. But at the time of a DHCP or PPPoE interface commit, the interface IP address and next hop IP address (default gateway) are unknown.
You must first enable a DHCP or PPPoE client for the interface, perform a commit, and wait for the DHCP or PPPoE server to send the firewall the client IP address and default gateway IP address. Then you can configure the static route (using the default gateway address of the DHCP or PPPoE client as the next hop), enable BFD, and perform a second commit.
BFD for Dynamic Routing Protocols
In addition to BFD for static routes, the firewall supports BFD for the BGP, OSPF, and RIP routing protocols.
The Palo Alto Networks implementation of multihop BFD follows the encapsulation portion of RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths, but does not support authentication. A workaround is to configure BFD in a VPN tunnel for BGP. The VPN tunnel can provide authentication without the duplication of BFD authentication.
When you enable BFD for OSPFv2 or OSPFv3 broadcast interfaces, OSPF establishes a BFD session only with its Designated Router (DR) and Backup Designated Router (BDR). On point-to-point interfaces, OSPF establishes a BFD session with the direct neighbor. On point-to-multipoint interfaces, OSPF establishes a BFD session with each peer.
The firewall does not support BFD on an OSPF or OSPFv3 virtual link.
Each routing protocol can have independent BFD sessions on an interface. Alternatively, two or more routing protocols (BGP, OSPF, and RIP) can share a common BFD session for an interface.
When you enable BFD for multiple protocols on the same interface, and the source IP address and destination IP address for the protocols are also the same, the protocols share a single BFD session, thus reducing both dataplane overhead (CPU) and traffic load on the interface. If you configure different BFD profiles for these protocols, only one BFD profile is used: the one that has the lowest Desired Minimum Tx Interval. If the profiles have the same Desired Minimum Tx Interval, the profile used by the first created session takes effect. In the case where a static route and OSPF share the same session, because a static session is created right after a commit, while OSPF waits until an adjacency is up, the profile of the static route takes effect.
The benefit of using a single BFD session in these cases is that this behavior uses resources more efficiently. The firewall can use the saved resources to support more BFD sessions on different interfaces or support BFD for different source IP and destination IP address pairs.
IPv4 and IPv6 on the same interface always create different BFD sessions, even though they can use the same BFD profile.
If you implement both BFD for BGP and HA path monitoring, Palo Alto Networks recommends you not implement BGP Graceful Restart. When the BFD peer's interface fails and path monitoring fails, BFD can remove the affected routes from the routing table and synchronize this change to the passive HA firewall before Graceful Restart can take effect. If you decide to implement BFD for BGP, Graceful Restart for BGP, and HA path monitoring, you should configure BFD with a larger Desired Minimum Tx Interval and larger Detection Time Multiplier than the default values.
Configure BFD
This task assumes you have performed the following prerequisites:
- Configured one or more Virtual Routers.
- Configured one or more Static Routes if you are applying BFD to static routes.
- Configured a routing protocol (BGP, OSPF, OSPFv3, or RIP) if you are applying BFD to a routing protocol.
The effectiveness of your BFD implementation depends on a variety of factors, such as traffic loads, network conditions, how aggressive your BFD settings are, and how busy the dataplane is.
Configure BFD
Step 1: Create a BFD profile.
NOTE: If you change a setting in a BFD profile that an existing BFD session is using and you commit the change, before the firewall deletes that BFD session and recreates it with the new setting, the firewall sends a BFD packet with the local state set to admin down. The peer device may or may not flap the routing protocol or static route, depending on the peer's implementation of RFC 5882, Section 3.2.
1. Select Network > Network Profiles > BFD Profile and Add a Name for the BFD profile. The name is case-sensitive and must be unique on the firewall. Use only letters, numbers, spaces, hyphens, and underscores.
2. Select the Mode in which BFD operates:
- Active: BFD initiates sending control packets to the peer (default). At least one of the BFD peers must be Active; both can be Active.
- Passive: BFD waits for the peer to send control packets and responds as required.
3. Enter the Desired Minimum Tx Interval (ms). This is the minimum interval, in milliseconds, at which you want the BFD protocol (referred to as BFD) to send BFD control packets; you are thus negotiating the transmit interval with the peer. Minimum on PA-7000, PA-5200 Series, and PA-5000 Series firewalls is 50; minimum on PA-3000 Series firewall is 100; minimum on VM-Series firewall is 200. Maximum is 2000; default is 1000.
If you have multiple routing protocols that use different BFD profiles on the same interface, configure the BFD profiles with the same Desired Minimum Tx Interval.
4. Enter the Required Minimum Rx Interval (ms). This is the minimum interval, in milliseconds, at which BFD can receive BFD control packets. Minimum on PA-7000, PA-5200 Series, and PA-5000 Series firewalls is 50; minimum on PA-3000 Series firewall is 100; minimum on VM-Series firewall is 200. Maximum is 2000; default is 1000.
5. Enter the Detection Time Multiplier. The transmit interval (negotiated from the Desired Minimum Tx Interval) multiplied by the Detection Time Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2-50; default is 3.
For example, a transmit interval of 300 ms x 3 (Detection Time Multiplier) = 900 ms detection time.
When configuring a BFD profile, take into consideration that the firewall is a session-based device typically at the edge of a network or data center and may have slower links than a dedicated router. Therefore, the firewall likely needs a longer interval and a higher multiplier than the fastest settings allowed. A detection time that is too short can cause false failure detections when the issue is really just traffic congestion.
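The following Python is an added illustration (not Palo Alto Networks code) of the profile limits in steps 3 to 5, the detection-time calculation, and the lowest-Desired-Minimum-Tx-Interval selection that BFD for Dynamic Routing Protocols describes for protocols sharing one session. The negotiation rule it uses (each side transmits at the larger of its own Desired Minimum Tx Interval and the peer's Required Minimum Rx Interval) comes from RFC 5880, section 6.8.7, which the guide references but does not spell out; the profile values are constructed.

```python
"""Model of PAN-OS 8.0 BFD profile validation, timer negotiation (RFC 5880
section 6.8.7) and shared-session profile selection. Added example; the
profile values used below are constructed, not taken from a real firewall."""
from dataclasses import dataclass
from typing import Iterable

# Lowest allowed Desired Minimum Tx / Required Minimum Rx Interval (ms) per
# model, as stated in Configure BFD steps 3 and 4.
MODEL_MIN_INTERVAL_MS = {
    "PA-7000": 50, "PA-5200": 50, "PA-5000": 50,
    "PA-3000": 100,
    "VM-Series": 200,
}
MAX_INTERVAL_MS = 2000          # maximum for both intervals
MULT_MIN, MULT_MAX = 2, 50      # Detection Time Multiplier range


@dataclass(frozen=True)
class BFDProfile:
    name: str
    desired_min_tx_ms: int = 1000   # defaults from the profile steps
    required_min_rx_ms: int = 1000
    detect_mult: int = 3


def validate_profile(profile: BFDProfile, model: str) -> None:
    """Reject values the profile editor would not accept for the given model."""
    floor = MODEL_MIN_INTERVAL_MS[model]
    for label, value in (("Desired Minimum Tx Interval", profile.desired_min_tx_ms),
                         ("Required Minimum Rx Interval", profile.required_min_rx_ms)):
        if not floor <= value <= MAX_INTERVAL_MS:
            raise ValueError(f"{label} {value} ms is outside {floor}-{MAX_INTERVAL_MS} ms on {model}")
    if not MULT_MIN <= profile.detect_mult <= MULT_MAX:
        raise ValueError(f"Detection Time Multiplier {profile.detect_mult} is outside {MULT_MIN}-{MULT_MAX}")


def negotiated_tx_interval_ms(sender: BFDProfile, receiver: BFDProfile) -> int:
    """Interval at which `sender` actually transmits control packets: the larger
    of its own Desired Minimum Tx Interval and the receiver's Required Minimum
    Rx Interval (RFC 5880 section 6.8.7)."""
    return max(sender.desired_min_tx_ms, receiver.required_min_rx_ms)


def detection_time_ms(local: BFDProfile, peer: BFDProfile) -> int:
    """Time after which `local` declares the session down when it hears nothing:
    the peer's negotiated transmit interval times the peer's Detection Time
    Multiplier (asynchronous mode; the firewall does not support demand mode)."""
    return peer.detect_mult * negotiated_tx_interval_ms(peer, local)


def shared_session_profile(profiles_in_creation_order: Iterable[BFDProfile]) -> BFDProfile:
    """Protocols with the same source/destination share one BFD session. The
    profile with the lowest Desired Minimum Tx Interval wins; on a tie, the
    profile of the first-created session (a static route's session is created
    at commit, before OSPF has an adjacency). min() keeps the first of equal
    keys, which is exactly that tie-break."""
    return min(profiles_in_creation_order, key=lambda p: p.desired_min_tx_ms)


if __name__ == "__main__":
    fw = BFDProfile("fw-fast", desired_min_tx_ms=300, required_min_rx_ms=300, detect_mult=3)
    peer = BFDProfile("router", desired_min_tx_ms=300, required_min_rx_ms=300, detect_mult=3)
    validate_profile(fw, "PA-5200")
    print("detection time:", detection_time_ms(fw, peer), "ms")  # 900, the guide's example
```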
Session Settings and Timeouts
This section describes the global settings that affect TCP, UDP, and ICMPv6 sessions, in addition to IPv6, NAT64, NAT oversubscription, jumbo frame size, MTU, accelerated aging, and Captive Portal authentication. There is also a setting (Rematch Sessions) that allows you to apply newly configured security policies to sessions that are already in progress.
The first few topics below provide brief summaries of the Transport Layer of the OSI model, TCP, UDP, and ICMP. For more information about the protocols, refer to their respective RFCs. The remaining topics describe the session timeouts and settings.
- Transport Layer Sessions
- TCP
- UDP
- ICMP
- Configure Session Timeouts
- Configure Session Settings
- Prevent TCP Split Handshake Session Establishment
Transport Layer Sessions
A network session is an exchange of messages that occurs between two or more communication devices, lasting for some period of time. A session is established and is torn down when the session ends. Different types of sessions occur at three layers of the OSI model: the Transport layer, the Session layer, and the Application layer.
The Transport Layer operates at Layer 4 of the OSI model, providing reliable or unreliable, end-to-end delivery and flow control of data. Internet protocols that implement sessions at the Transport layer include Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
TCP
Transmission Control Protocol (TCP) (RFC 793) is one of the main protocols in the Internet Protocol (IP) suite, and is so prevalent that it is frequently referenced together with IP as TCP/IP. TCP is considered a reliable transport protocol because it provides error checking while transmitting and receiving segments, acknowledges segments received, and reorders segments that arrive in the wrong order. TCP also requests and provides retransmission of segments that were dropped. TCP is stateful and connection-oriented, meaning a connection between the sender and receiver is established for the duration of the session. TCP provides flow control of packets, so it can handle congestion over networks.
TCP performs a handshake during session setup to initiate and acknowledge a session. After the data is transferred, the session is closed in an orderly manner, where each side transmits a FIN packet and acknowledges it with an ACK packet. The handshake that initiates the TCP session is often a three-way handshake (an exchange of three messages) between the initiator and the listener, or it could be a variation, such as a four-way or five-way split handshake or a simultaneous open. The TCP Split Handshake Drop explains how to Prevent TCP Split Handshake Session Establishment.
Applications that use TCP as their transport protocol include Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Secure Shell (SSH).
The following topics describe details of the PAN-OS implementation of TCP.
- TCP Half Closed and TCP Time Wait Timers
- Unverified RST Timer
- TCP Split Handshake Drop
- Maximum Segment Size (MSS)
You can use Zone Protection Profiles on the firewall to configure packet-based attack protection and thereby drop IP, TCP, and IPv6 packets with undesirable characteristics or strip undesirable options from packets before allowing them into the zone. You can also configure flood protection, specifying the rate of SYN connections per second (not matching an existing session) that trigger an alarm, cause the firewall to randomly drop SYN packets or use SYN cookies, and cause the firewall to drop SYN packets that exceed the maximum rate.
TCP Half Closed and TCP Time Wait Timers
The TCP connection termination procedure uses a TCP Half Closed timer, which is triggered by the first FIN the firewall sees for a session. The timer is named TCP Half Closed because only one side of the connection has sent a FIN. A second timer, TCP Time Wait, is triggered by the second FIN or a RST.
If the firewall were to have only one timer triggered by the first FIN, a setting that was too short could prematurely close the half-closed sessions. Conversely, a setting that was too long would make the session table grow too much and possibly use up all of the sessions. Two timers allow you to have a relatively long TCP Half Closed timer and a short TCP Time Wait timer, thereby quickly aging fully closed sessions and controlling the size of the session table.
The following figure illustrates when the firewall's two timers are triggered during the TCP connection termination procedure.
The TCP Time Wait timer should be set to a value less than the TCP Half Closed timer for the following reasons:
- The longer time allowed after the first FIN is seen gives the opposite side of the connection time to fully close the session.
- The shorter Time Wait time is because there is no need for the session to remain open for a long time after the second FIN or a RST is seen. A shorter Time Wait time frees up resources sooner, yet still allows time for the firewall to see the final ACK and possible retransmission of other datagrams.
If you configure a TCP Time Wait timer to a value greater than the TCP Half Closed timer, the commit will be accepted, but in practice the TCP Time Wait timer will not exceed the TCP Half Closed value.
The timers can be set globally or per application. The global settings are used for all applications by default. If you configure TCP wait timers at the application level, they override the global settings.
Unverified RST Timer
If the firewall receives a Reset (RST) packet that cannot be verified (because it has an unexpected sequence number within the TCP window or it is from an asymmetric path), the Unverified RST timer controls the aging out of the session. It defaults to 30 seconds; the range is 1-600 seconds. The Unverified RST timer provides an additional security measure, explained in the second bullet below.
A RST packet will have one of three possible outcomes:
- A RST packet that falls outside the TCP window is dropped.
- A RST packet that falls inside the TCP window but does not have the exact expected sequence number is unverified and subject to the Unverified RST timer setting. This behavior helps prevent denial-of-service (DoS) attacks where the attack tries to disrupt existing sessions by sending random RST packets to the firewall.
- A RST packet that falls within the TCP window and has the exact expected sequence number is subject to the TCP Time Wait timer setting.
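As an added illustration (not Palo Alto Networks code), the following Python classifies a RST by the three outcomes above and reports which aging timer the session then sits on, including the rule from the previous topic that a TCP Time Wait value never exceeds the TCP Half Closed value. Only the 30-second Unverified RST default and its 1-600 range are from the guide; the Half Closed and Time Wait defaults in the dataclass are constructed for the example.

```python
"""RST classification and session aging timers as described for PAN-OS 8.0.
Added example, not Palo Alto Networks code. The tcp_half_closed_s and
tcp_time_wait_s defaults below are constructed values for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

SEQ_MOD = 1 << 32   # TCP sequence numbers wrap at 2^32


class RstOutcome(Enum):
    DROPPED = "dropped: sequence number outside the TCP window"
    UNVERIFIED = "unverified: inside the window, not the expected sequence number"
    VERIFIED = "verified: exact expected sequence number"


@dataclass
class SessionTimers:
    tcp_half_closed_s: int = 120   # constructed default for the example
    tcp_time_wait_s: int = 15      # constructed default for the example
    unverified_rst_s: int = 30     # default stated in the guide, range 1-600

    def __post_init__(self) -> None:
        if not 1 <= self.unverified_rst_s <= 600:
            raise ValueError("Unverified RST timer must be 1-600 seconds")

    def effective_time_wait_s(self) -> int:
        """The commit accepts a Time Wait larger than Half Closed, but in
        practice the Time Wait timer never exceeds the Half Closed value."""
        return min(self.tcp_time_wait_s, self.tcp_half_closed_s)


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True when seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) under 32-bit wraparound."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def classify_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> RstOutcome:
    """Apply the three outcomes from the guide to a RST carrying sequence `seq`,
    given the expected next sequence number and receive window of the session."""
    if not seq_in_window(seq, rcv_nxt, rcv_wnd):
        return RstOutcome.DROPPED
    if seq == rcv_nxt:
        return RstOutcome.VERIFIED
    # A blind RST that merely guessed a value inside the window lands here and
    # only shortens the session's life to the Unverified RST timer.
    return RstOutcome.UNVERIFIED


def aging_timer_for_rst(outcome: RstOutcome, timers: SessionTimers) -> Optional[Tuple[str, int]]:
    """Timer (name, seconds) the session is placed on, or None when the RST is dropped."""
    if outcome is RstOutcome.DROPPED:
        return None
    if outcome is RstOutcome.VERIFIED:
        return ("TCP Time Wait", timers.effective_time_wait_s())
    return ("Unverified RST", timers.unverified_rst_s)
```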
TCP Split Handshake Drop
The Split Handshake option is configured for a Zone Protection profile that is assigned to a zone. An interface that is a member of the zone drops any synchronization (SYN) packets sent from the server, preventing the following variations of handshakes. The letter A in the figure indicates the session initiator and B indicates the listener. Each numbered segment of the handshake has an arrow indicating the direction of the segment from the sender to the receiver, and each segment indicates the control bit(s) setting.
You can Prevent TCP Split Handshake Session Establishment.
Maximum Segment Size (MSS)
The maximum transmission unit (MTU) is a value indicating the largest number of bytes that can be transmitted in a single TCP packet. The MTU includes the length of headers, so the MTU minus the number of bytes in the headers equals the maximum segment size (MSS), which is the maximum number of data bytes that can be transmitted in a single packet.
A configurable MSS adjustment size (shown below) allows your firewall to pass traffic that has longer headers than the default setting allows. Encapsulation adds length to headers, so you would increase the MSS adjustment size to allow bytes, for example, to accommodate an MPLS header or tunneled traffic that has a VLAN tag.
If the DF (don't fragment) bit is set for a packet, it is especially helpful to have a larger MSS adjustment size and smaller MSS so that longer headers do not result in a packet length that exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets would be dropped.
The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.
If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between the two IP address formats, the proper MSS value corresponding to the IP type is used for TCP traffic.
For IPv4 and IPv6 addresses, the firewall accommodates larger than expected TCP header lengths. In the case where a TCP packet has a larger header length than you planned for, the firewall chooses as the MSS adjustment size the larger of the following two values:
- The configured MSS adjustment size
- The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN
This behavior means that the firewall overrides the configured MSS adjustment size if necessary. For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458 (the default MTU size minus the adjustment size [1500-42]). However, the TCP packet has 4 extra bytes of IP options in the header, so the MSS adjustment size (20+20+4) equals 44, which is larger than the configured MSS adjustment size of 42. The resulting MSS is 1500-44=1456 bytes, smaller than you expected.
To configure the MSS adjustment size, see Step 10 in Configure Session Settings.
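The override rule above, worked in Python as an added example (not Palo Alto Networks code): the IP header length is read from a constructed SYN (the IHL nibble for IPv4, the fixed 40-byte base header for IPv6, extension headers not modelled), and the larger of the configured adjustment and 20 + that length is subtracted from the MTU. It reproduces the guide's 42-versus-44 case and also shows why the same 42-byte setting yields a 1440-byte MSS for IPv6.

```python
"""MSS adjustment as PAN-OS 8.0 applies it: the firewall uses the larger of the
configured MSS adjustment size and (20-byte TCP header + IP header length seen
in the SYN), then subtracts it from the interface MTU. Added example; the SYN
headers built here are constructed, not captured traffic."""
import struct

TCP_HEADER_LEN = 20    # fixed TCP header length used by the guide's formula
IPV6_HEADER_LEN = 40   # IPv6 base header (extension headers not modelled)


def ip_header_len(packet: bytes) -> int:
    """IP header length in bytes, from the first byte of an IPv4/IPv6 packet.
    IPv4 carries it in the IHL nibble (32-bit words, at least 5); IPv6 is fixed."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        ihl = packet[0] & 0x0F
        if ihl < 5:
            raise ValueError(f"invalid IPv4 IHL {ihl}")
        return ihl * 4
    if version == 6:
        return IPV6_HEADER_LEN
    raise ValueError(f"unknown IP version {version}")


def effective_mss_adjustment(configured: int, syn: bytes) -> int:
    """Larger of the configured adjustment and 20 + IP header length in the SYN."""
    return max(configured, TCP_HEADER_LEN + ip_header_len(syn))


def effective_mss(mtu: int, configured: int, syn: bytes) -> int:
    """MSS the firewall will enforce for this flow."""
    return mtu - effective_mss_adjustment(configured, syn)


def ipv4_syn(options_len: int = 0) -> bytes:
    """Constructed IPv4 header with `options_len` bytes of (zeroed) options;
    the TCP SYN payload is omitted because only the IP header length matters here."""
    if options_len % 4:
        raise ValueError("IPv4 options are padded to 32-bit words")
    ihl = 5 + options_len // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, 20 + options_len, 0, 0,
                        64, 6, 0, bytes(4), bytes(4))   # TTL 64, protocol 6 = TCP
    return fixed + bytes(options_len)


def ipv6_syn() -> bytes:
    """Constructed IPv6 base header (next header 6 = TCP, hop limit 64)."""
    return struct.pack("!IHBB16s16s", 6 << 28, 20, 6, 64, bytes(16), bytes(16))


if __name__ == "__main__":
    for label, syn in (("IPv4, no options", ipv4_syn()),
                       ("IPv4, 4 bytes of options", ipv4_syn(4)),
                       ("IPv6", ipv6_syn())):
        print(f"{label}: adjustment {effective_mss_adjustment(42, syn)}, "
              f"MSS {effective_mss(1500, 42, syn)}")
```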
UDP
User Datagram Protocol (UDP) (RFC 768) is another main protocol of the IP suite, and is an alternative to TCP. UDP is stateless and connectionless in that there is no handshake to set up a session, and no connection between the sender and receiver; the packets may take different routes to get to a single destination. UDP is considered an unreliable protocol because it does not provide acknowledgments, error checking, retransmission, or reordering of datagrams. Without the overhead required to provide those features, UDP has reduced latency and is faster than TCP. UDP is referred to as a best-effort protocol because there is no mechanism or guarantee to ensure that the data will arrive at its destination.
A UDP datagram is encapsulated in an IP packet. Although UDP uses a checksum for data integrity, it performs no error checking at the network interface level. Error checking is assumed to be unnecessary or is performed by the application rather than UDP itself. UDP has no mechanism to handle flow control of packets.
UDP is often used for applications that require faster speeds and time-sensitive, real-time delivery, such as Voice over IP (VoIP), streaming audio and video, and online games. UDP is transaction-oriented, so it is also used for applications that respond to small queries from many clients, such as Domain Name System (DNS) and Trivial File Transfer Protocol (TFTP).
You can use Zone Protection Profiles on the firewall to configure flood protection and thereby specify the rate of UDP connections per second (not matching an existing session) that trigger an alarm, trigger the firewall to randomly drop UDP packets, and cause the firewall to drop UDP packets that exceed the maximum rate. (Although UDP is connectionless, the firewall tracks UDP datagrams in IP packets on a session basis; therefore if the UDP packet doesn't match an existing session, it is considered a new session and it counts as a connection toward the thresholds.)
ICMP
Internet Control Message Protocol (ICMP) (RFC 792) is another one of the main protocols of the Internet Protocol suite; it operates at the Network layer of the OSI model. ICMP is used for diagnostic and control purposes, to send error messages about IP operations, or messages about requested services or the reachability of a host or router. Network utilities such as traceroute and ping are implemented by using various ICMP messages.
ICMP is a connectionless protocol that does not open or maintain actual sessions. However, the ICMP messages between two devices can be considered a session.
Palo Alto Networks firewalls support ICMPv4 and ICMPv6. You can control ICMPv4 and ICMPv6 packets in several ways:
- Create Security Policy Rules Based on ICMP and ICMPv6 Packets and select the icmp or ipv6-icmp application in the rule.
- Control ICMPv6 Rate Limiting when you Configure Session Settings.
- Use Zone Protection Profiles to configure flood protection, specifying the rate of ICMP or ICMPv6 connections per second (not matching an existing session) that trigger an alarm, trigger the firewall to randomly drop ICMP or ICMPv6 packets, and cause the firewall to drop ICMP or ICMPv6 packets that exceed the maximum rate.
- Use Zone Protection Profiles to configure packet-based attack protection:
  - For ICMP, you can drop certain types of packets or suppress the sending of certain packets.
  - For ICMPv6 packets (Types 1, 2, 3, 4, and 137), you can specify that the firewall use the ICMP session key to match a security policy rule, which determines whether the ICMPv6 packet is allowed or not. (The firewall uses the security policy rule, overriding the default behavior of using the embedded packet to determine a session match.) When the firewall drops ICMPv6 packets that match a security policy rule, the firewall logs the details in Traffic logs.
Security Policy Rules Based on ICMP and ICMPv6 Packets
The firewall forwards ICMP or ICMPv6 packets only if a security policy rule allows the session (as the firewall does for other packet types). The firewall determines a session match in one of two ways, depending on whether the packet is an ICMP or ICMPv6 error packet or redirect packet as opposed to an ICMP or ICMPv6 informational packet:
- ICMP Types 3, 5, 11, and 12 and ICMPv6 Types 1, 2, 3, 4, and 137: The firewall by default looks up the embedded IP packet bytes of information from the original datagram that caused the error (the invoking packet). If the embedded packet matches an existing session, the firewall forwards or drops the ICMP or ICMPv6 packet according to the action specified in the security policy rule that matches that same session. (You can use Zone Protection Profiles with packet-based attack protection to override this default behavior for the ICMPv6 types.)
- Remaining ICMP or ICMPv6 Packet Types: The firewall treats the ICMP or ICMPv6 packet as if it belongs to a new session. If a security policy rule matches the packet (which the firewall recognizes as an icmp or ipv6-icmp session), the firewall forwards or drops the packet based on the security policy rule action. Security policy counters and traffic logs reflect the actions.
If no security policy rule matches the packet, the firewall applies its default security policy rules, which allow intrazone traffic and block interzone traffic (logging is disabled by default for these rules).
Although you can override the default rules to enable logging or change the default action, we don't recommend you change the default behavior for a specific case because it will impact all traffic that those default rules affect. Instead, create security policy rules to control and log ICMP or ICMPv6 packets explicitly.
There are two ways to create explicit security policy rules to handle ICMP or ICMPv6 packets that are not error or redirect packets:
- Create a security policy rule to allow (or deny) all ICMP or ICMPv6 packets: In the security policy rule, specify the application icmp or ipv6-icmp; the firewall allows (or denies) all IP packets matching the ICMP protocol number (1) or ICMPv6 protocol number (58), respectively, through the firewall.
- Create a custom application and a security policy rule to allow (or deny) packets from or to that application: This more granular approach allows you to Control Specific ICMP or ICMPv6 Types and Codes.
ICMPv6 Rate Limiting
ICMPv6 rate limiting is a throttling mechanism to prevent flooding and DDoS attempts. The implementation employs an error packet rate and a token bucket, which work together to enable throttling and ensure that ICMP packets don't flood the network segments protected by the firewall.
First the global ICMPv6 Error Packet Rate (per sec) controls the rate at which ICMPv6 error packets are allowed through the firewall; the default is 100 packets per second; the range is 10 to 65535 packets per second. If the firewall reaches the ICMPv6 error packet rate, then the token bucket comes into play and throttling occurs, as follows.
The concept of a logical token bucket controls the rate at which ICMP messages can be transmitted. The number of tokens in the bucket is configurable, and each token represents an ICMPv6 message that can be sent. The token count is decremented each time an ICMPv6 message is sent; when the bucket reaches zero tokens, no more ICMPv6 messages can be sent until another token is added to the bucket. The default size of the token bucket is 100 tokens (packets); the range is 10 to 65535 tokens.
To change the default token bucket size or error packet rate, see the section Configure Session Settings.
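A token-bucket model of the mechanism above, added as an example (not Palo Alto Networks code). The guide gives the two settings and their defaults and ranges but does not state how tokens are replenished, so this assumes the standard model in which the bucket refills at the configured error packet rate and is capped at the bucket size; the arrival times fed to it are constructed.

```python
"""Token-bucket model of PAN-OS 8.0 ICMPv6 rate limiting: an error packet rate
(default 100/s) feeding a bucket (default 100 tokens), both settable 10-65535.
Added illustration, not Palo Alto Networks code. Assumption: the bucket refills
at the error packet rate and never holds more than its configured size."""
from typing import Iterable, Tuple


class ICMPv6RateLimiter:
    def __init__(self, error_packet_rate_pps: int = 100, token_bucket_size: int = 100):
        for label, value in (("ICMPv6 Error Packet Rate", error_packet_rate_pps),
                             ("ICMPv6 Token Bucket Size", token_bucket_size)):
            if not 10 <= value <= 65535:
                raise ValueError(f"{label} {value} is outside 10-65535")
        self.rate = error_packet_rate_pps
        self.capacity = token_bucket_size
        self.tokens = float(token_bucket_size)   # bucket starts full
        self.last_refill = 0.0
        self.forwarded = 0
        self.throttled = 0

    def _refill(self, now: float) -> None:
        """Add rate * elapsed tokens, capped at the bucket size (assumed model)."""
        elapsed = now - self.last_refill
        if elapsed < 0:
            raise ValueError("arrival times must be non-decreasing")
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.rate)
        self.last_refill = now

    def allow(self, now: float) -> bool:
        """True if an ICMPv6 error packet arriving at `now` (seconds) is forwarded;
        once the bucket is empty, packets are throttled until a token is added."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            self.forwarded += 1
            return True
        self.throttled += 1
        return False


def simulate(arrivals: Iterable[float], **settings) -> Tuple[int, int]:
    """Feed constructed arrival times (seconds) through a fresh limiter and
    return (forwarded, throttled) counts."""
    limiter = ICMPv6RateLimiter(**settings)
    for t in sorted(arrivals):
        limiter.allow(t)
    return limiter.forwarded, limiter.throttled


if __name__ == "__main__":
    # A burst of 150 error packets at once: the 100-token bucket absorbs 100.
    print("burst of 150 at t=0:", simulate([0.0] * 150))
    # Steady 100/s never drains the bucket.
    print("steady 100/s for 5 s:", simulate([i / 100 for i in range(500)]))
```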
Control Specific ICMP or ICMPv6 Types and Codes
Use this task to create a custom ICMP or ICMPv6 application and then create a security policy rule to allow or deny that application.
Configure Session Timeouts
A session timeout defines the duration of time for which PAN-OS maintains a session on the firewall after inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the session.
On the firewall, you can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. All of these timeouts are global, meaning they apply to all of the sessions of that type on the firewall.
In addition to the global settings, you have the flexibility to define timeouts for an individual application in the Objects > Applications tab. The firewall applies application timeouts to an application that is in established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.
Returning to the global settings, perform the optional tasks below if you need to change default values of the global session timeout settings for TCP, UDP, ICMP, Captive Portal authentication, or other types of sessions. All values are in seconds.
The defaults are optimal values. However, you can modify these according to your network needs. Setting a value too low could cause sensitivity to minor network delays and could result in a failure to establish connections with the firewall. Setting a value too high could delay failure detection.
Change Session Timeouts
Configure Session Settings
This topic describes various settings for sessions other than timeout values. Perform these tasks if you need to change the default settings.
Prevent TCP Split Handshake Session Establishment
You can configure a TCP Split Handshake Drop in a Zone Protection profile to prevent TCP sessions from being established unless they use the standard three-way handshake. This task assumes that you assigned a security zone for the interface where you want to prevent TCP split handshakes from establishing a session.
Configure a Zone Protection Profile to Prevent TCP Split Handshake Sessions
Tunnel Content Inspection
The firewall can inspect the traffic content of cleartext tunnel protocols:
- Generic Routing Encapsulation (GRE) (RFC 2784)
- Non-encrypted IPSec traffic [NULL Encryption Algorithm for IPSec (RFC 2410) and transport mode AH IPSec]
- General Packet Radio Service (GPRS) Tunneling Protocol for User Data (GTP-U)
You can use tunnel content inspection to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and traffic nested within another cleartext tunnel (for example, a Null Encrypted IPSec tunnel inside a GRE tunnel). You can view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with your corporate security and usage policies.
All firewall models support tunnel content inspection of GRE and non-encrypted IPSec. Tunnel content inspection of GTP-U is supported only on the PA-5200 Series and VM-Series firewalls. The firewalls don't terminate GRE, non-encrypted IPSec, or GTP-U tunnels.
Tunnel content inspection is for cleartext tunnels, not for VPN or LSVPN tunnels, which carry encrypted traffic.
- Tunnel Content Inspection Overview
- Configure Tunnel Content Inspection
- View Inspected Tunnel Activity
- View Tunnel Information in Logs
- Create a Custom Report Based on Tagged Tunnel Traffic
Tunnel Content Inspection Overview
Your firewall can inspect tunnel content anywhere on the network where you do not have the opportunity to terminate the tunnel first. As long as the firewall is in the path of a GRE, non-encrypted IPSec, or GTP-U tunnel, the firewall can inspect the tunnel content.
- Enterprise customers who want tunnel content inspection can have some or all of the traffic on the firewall tunneled using GRE or non-encrypted IPSec. For security, QoS, and reporting reasons, you want to inspect the traffic inside the tunnel.
- Service Provider customers use GTP-U to tunnel data traffic from mobile devices. You want to inspect the inner content without terminating the tunnel protocol, and you want to record user data from your users.
The firewall supports tunnel content inspection on Ethernet interfaces and subinterfaces, AE interfaces, VLAN interfaces, and VPN and LSVPN tunnel interfaces. (The cleartext tunnel that the firewall inspects can be inside a VPN or LSVPN tunnel that terminates at the firewall, hence a VPN or LSVPN tunnel interface. In other words, when the firewall is a VPN or LSVPN endpoint, the firewall can inspect the traffic of any non-encrypted tunnel protocols that tunnel content inspection supports.)
Tunnel content inspection is supported in Layer 3, Layer 2, virtual wire, and tap deployments. Tunnel content inspection works on shared gateways and on virtual system-to-virtual system communications.
The preceding figure illustrates the two levels of tunnel inspection the firewall can perform. When a firewall configured with Tunnel Inspection policy rules receives a packet:
- The firewall first performs a Security policy check to determine whether the tunnel protocol (Application) in the packet is permitted or denied. (IPv4 and IPv6 packets are supported protocols inside the tunnel.)
- If the Security policy allows the packet, the firewall matches the packet to a Tunnel Inspection policy rule based on source zone, source address, source user, destination zone, and destination address. The Tunnel Inspection policy rule determines the tunnel protocols that the firewall inspects, the maximum level of encapsulation allowed (a single tunnel or a tunnel within a tunnel), whether to allow packets containing a tunnel protocol that doesn't pass strict header inspection per RFC 2780, and whether to allow packets containing unknown protocols.
- If the packet passes the Tunnel Inspection policy rule's match criteria, the firewall inspects the inner content, which is subject to your Security policy (required) and optional policies you can specify. (The supported policy types for the original session are listed in the following table.)
- If the firewall instead finds another tunnel, the firewall recursively parses the packet for the second header and is now at level two of encapsulation, so the second tunnel inspection policy rule, which matches a tunnel zone, must allow a maximum tunnel inspection level of two levels for the firewall to continue processing the packet.
  - If your rule allows two levels of inspection, the firewall performs a Security policy check on this inner tunnel and then the Tunnel Inspection policy check. The tunnel protocol you use in an inner tunnel can differ from the tunnel protocol you use in the outer tunnel.
  - If your rule doesn't allow two levels of inspection, the firewall bases its action on whether you configured it to drop packets that have more levels of encapsulation than the maximum tunnel inspection level you configured.
By default, the content encapsulated in a tunnel belongs to the same security zone as the tunnel, and is subject to the Security policy rules that protect that zone. However, you can configure a tunnel zone, which gives you the flexibility to configure Security policy rules for inside content that differ from the Security policy rules for the tunnel. If you use a different tunnel inspection policy for the tunnel zone, it must always have a maximum tunnel inspection level of two levels because by definition the firewall is looking at the second level of encapsulation.
Although tunnel content inspection works on shared gateways and on virtual system-to-virtual system communications, you can't assign tunnel zones to shared gateways or virtual system-to-virtual system communications; they are subject to the same Security policy rules as the zones to which they belong.
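The encapsulation-level walk described above, reduced to its decision logic as an added example (not Palo Alto Networks code). A packet is modelled as its protocol stack, outermost first, and a single constructed rule carries the three settings the guide names (inspected protocols, maximum tunnel inspection level, and the drop choices for over-deep and unknown protocols); zone, address and user matching and the per-level Security policy checks are left out.

```python
"""Decision walk for PAN-OS 8.0 tunnel content inspection. Added example, not
Palo Alto Networks code. The rule dataclass and the protocol stacks fed to
inspect() are constructed for this illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Cleartext tunnel protocols the guide lists as inspectable, and the payload
# protocols that may appear inside a tunnel.
TUNNEL_PROTOCOLS = frozenset({"GRE", "IPSec-NULL", "GTP-U"})
PAYLOAD_PROTOCOLS = frozenset({"IPv4", "IPv6"})


@dataclass(frozen=True)
class TunnelInspectionRule:
    name: str
    protocols: FrozenSet[str]            # tunnel protocols this rule inspects
    max_levels: int = 1                  # 1 = single tunnel, 2 = tunnel within a tunnel
    drop_over_max_levels: bool = True    # drop packets encapsulated deeper than max_levels
    drop_unknown_protocol: bool = True   # drop packets carrying an unrecognized protocol

    def __post_init__(self) -> None:
        if self.max_levels not in (1, 2):
            raise ValueError("maximum tunnel inspection level is 1 or 2")
        if not self.protocols <= TUNNEL_PROTOCOLS:
            raise ValueError(f"unsupported tunnel protocol(s): {set(self.protocols) - TUNNEL_PROTOCOLS}")


def inspect(stack: List[str], rule: TunnelInspectionRule) -> Tuple[str, str]:
    """Walk the encapsulation stack (outermost first) and return (verdict, detail).
    Verdicts: 'inspect' (inner content reaches Security policy), 'drop', or
    'pass' (packet forwarded on the outer session without inner inspection)."""
    level = 0
    for proto in stack:
        if proto in PAYLOAD_PROTOCOLS:
            if level == 0:
                return ("pass", "not a tunnel; ordinary Security policy applies")
            return ("inspect", f"inner content at encapsulation level {level}")
        if proto in TUNNEL_PROTOCOLS:
            if proto not in rule.protocols:
                return ("pass", f"{proto} is not inspected by rule {rule.name}")
            level += 1
            if level > rule.max_levels:
                if rule.drop_over_max_levels:
                    return ("drop", f"level {level} exceeds maximum of {rule.max_levels}")
                return ("pass", f"level {level} exceeds maximum; forwarded uninspected")
            continue   # recurse into the next header
        # Anything else is an unknown protocol inside the tunnel.
        if rule.drop_unknown_protocol:
            return ("drop", f"unknown protocol {proto} at level {level}")
        return ("pass", f"unknown protocol {proto} allowed by rule {rule.name}")
    return ("drop", "tunnel header with no inner content")


if __name__ == "__main__":
    rule = TunnelInspectionRule("two-level", frozenset({"GRE", "IPSec-NULL"}), max_levels=2)
    for stack in (["GRE", "IPv4"], ["GRE", "IPSec-NULL", "IPv6"], ["GRE", "GRE", "GRE", "IPv4"]):
        print(stack, "->", inspect(stack, rule))
```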
Thefollowingtableindicateswithacheckmarkwhichtypesofpolicyyoucanapplytoanoutertunnel
session,aninnertunnelsession,andtheinside,originalsession:
AppOverride
DoSProtection
NAT
PolicyBasedForwarding(PBF)
andSymmetricReturn
QoS
Security(required)
UserID
ZoneProtection
Theinnertunnelsessionsandoutertunnelsessionscounttowardthemaximumsessioncapacityforthe
firewallmodel.
WhenyouenableoreditaTunnelInspectionpolicy(toaddaprotocol,increasemaximumlevelsof
inspection,orenablesecurityoptions),youaffectexistingtunnelsessions.ThefirewalltreatsexistingTCP
sessionsinsidethetunnelasnonSYNTCPflows.Topreventthefirewallfromdroppingallexistingsessions
whenyouenableoreditaTunnelInspectionpolicy,youcancreateaZoneProtectionprofilethatdisables
Reject Non-SYN TCPandapplytheprofiletothezonesthatcontrolyourtunnelssecuritypolicies.Thetaskto
ConfigureTunnelContentInspectionincludesthesesteps.
The firewall doesn't support a Tunnel Inspection policy rule that matches traffic for a tunnel that terminates on the firewall; the firewall discards packets that match the inner tunnel session. For example, when an IPSec tunnel terminates on the firewall, don't create a Tunnel Inspection policy rule that matches the tunnel you terminate. The firewall already inspects the inner tunnel traffic, so no Tunnel Inspection policy rule is necessary.
You can View Inspected Tunnel Activity on the ACC or View Tunnel Information in Logs. To facilitate quick viewing, configure a Monitor tag so you can monitor tunnel activity and filter log results by that tag.
The ACC tunnel activity provides data in various views. For Tunnel ID Usage, Tunnel Monitor Tag, and Tunnel Application Usage, the data for bytes, sessions, threats, content, and URLs come from the Traffic Summary database. For Tunnel User, Tunneled Source IP, and Tunneled Destination IP Activity, data for bytes and sessions come from the Traffic Summary database, data for threats come from the Threat Summary, data for URLs come from the URL Summary, and data for content come from the Data database, which is a subset of the Threat logs.
If you enable NetFlow on the interface, NetFlow captures statistics for the outer tunnel only, to avoid double counting (counting the bytes of both the outer and the inner flows).
For the Tunnel Inspection policy rule and tunnel zone capacities for your firewall model, see the Product Selection tool.
The following figure illustrates a corporation that runs multiple divisions and uses different Security policies and a Tunnel Inspection policy. A Central IT team provides connectivity between regions. A tunnel connects Site A to Site C; another tunnel connects Site A to Site D. Central IT places a firewall in the path of each tunnel; the firewall in the tunnel between Sites A and C performs tunnel inspection; the firewall in the tunnel between Sites A and D has no tunnel inspection policy because the traffic is very sensitive.
Configure Tunnel Content Inspection
Perform this task to configure tunnel content inspection for a tunnel protocol that you allow in a tunnel.
Configure Tunnel Content Inspection
View Inspected Tunnel Activity
Perform the following task to view the activity of inspected tunnels.
View Inspected Tunnel Activity
View Tunnel Information in Logs
You can view Tunnel Inspection logs themselves or view tunnel inspection information in other types of logs.
View Tunnel Information in Logs
Create a Custom Report Based on Tagged Tunnel Traffic
You can create a report to gather information based on the tag you applied to tunnel traffic.
Create a Custom Report Based on Tagged Tunnel Traffic
Reference: BFD Details
To see the following BFD information for a virtual router, you can View BFD Summary and Details.
Session ID (example: 1): ID number of the BFD session.
Multihop TTL: TTL of multihop; range is 1-254. Field is empty if Multihop is disabled.
Received Multiplier (example: 3): Detection time multiplier value received from the BFD peer. The Transmit Time multiplied by the Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2-50.
Errors (example: 0): Number of BFD errors.
Last Packet Causing State Change: the fields of the last BFD control packet from the peer that changed the session state:
Version (example: 1): BFD version.
Poll Bit (example: 0): BFD poll bit; 0 indicates not set.
Detect Multiplier (example: 3): Detect Multiplier of the last packet causing a state change.
My Discriminator (example: 1): Remote discriminator, as carried in the My Discriminator field of the packet the peer sent. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Length (example: 24): Length of the BFD control packet in bytes.
Demand Bit (example: 0): PAN-OS does not support BFD Demand mode, so the Demand Bit is always set to 0 (disabled).
Final Bit (example: 0): PAN-OS does not support the Poll Sequence, so the Final Bit is always set to 0 (disabled).
Multipoint Bit (example: 0): This bit is reserved for future point-to-multipoint extensions to BFD. It must be zero on both transmit and receipt.
Control Plane Independent Bit (example: 1): If set to 1, the transmitting system's BFD implementation does not share fate with its control plane (i.e., BFD is implemented in the forwarding plane and can continue to function through disruptions in the control plane). In PAN-OS, this bit is always set to 1. If set to 0, the transmitting system's BFD implementation shares fate with its control plane.
Authentication Present Bit (example: 0): PAN-OS does not support BFD Authentication, so the Authentication Present Bit is always set to 0. Because the session cannot be authenticated, the integrity of a BFD session depends on the peering link itself being trusted; a forged control packet injected on that segment can change the session state.
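The bits described in this reference, as an added example (editor's code, not from the PAN-OS guide): a decoder for the 24-byte RFC 5880 mandatory section of a BFD control packet that extracts the Version, Poll, Final, Control Plane Independent, Authentication Present, Demand and Multipoint bits, the Detect Multiplier, Length and discriminators, computes the detection time from the received multiplier, and flags the peer settings this reference says PAN-OS does not support. The sample packet is constructed to match the example values in the table; the byte layout is the RFC's, not something the guide states.

```python
"""Decode a BFD control packet (RFC 5880 mandatory section, 24 bytes).

Added example for the reference table above; not PAN-OS code. The
sample packet is constructed so its fields match the example values in
the table (Version 1, Detect Multiplier 3, My Discriminator 1,
Length 24, C bit set, P/F/A/D/M bits clear).
"""
import struct
from dataclasses import dataclass
from typing import List

# Byte 0: Vers(3) | Diag(5); byte 1: Sta(2) | P | F | C | A | D | M;
# then Detect Mult, Length, My Discr, Your Discr, Desired Min TX,
# Required Min RX, Required Min Echo RX (all network byte order).
_BFD_FMT = "!BBBBIIIII"
_P, _F, _C, _A, _D, _M = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01


@dataclass(frozen=True)
class BfdControl:
    version: int
    diag: int
    state: int                      # 0 AdminDown, 1 Down, 2 Init, 3 Up
    poll: bool
    final: bool
    control_plane_independent: bool
    auth_present: bool
    demand: bool
    multipoint: bool
    detect_mult: int
    length: int
    my_discriminator: int
    your_discriminator: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int

    def detection_time_us(self, peer_tx_interval_us: int) -> int:
        """Detection time = the peer's transmit interval times the
        multiplier it sent (the Received Multiplier row above)."""
        return self.detect_mult * peer_tx_interval_us


def build_bfd(version: int = 1, diag: int = 0, state: int = 3, flags: int = _C,
              detect_mult: int = 3, my_discr: int = 1, your_discr: int = 2,
              tx_us: int = 1_000_000, rx_us: int = 1_000_000, echo_us: int = 0) -> bytes:
    """Construct a 24-byte control packet (no authentication section)."""
    return struct.pack(_BFD_FMT, (version << 5) | (diag & 0x1F),
                       (state << 6) | (flags & 0x3F), detect_mult, 24,
                       my_discr, your_discr, tx_us, rx_us, echo_us)


def parse_bfd(data: bytes) -> BfdControl:
    """Decode the mandatory section and apply the RFC 5880 receive checks
    that hold for any peer (version, length, nonzero multiplier and
    discriminator, Multipoint bit clear)."""
    if len(data) < 24:
        raise ValueError("BFD control packet shorter than the 24-byte mandatory section")
    b0, b1, mult, length, my_d, your_d, tx, rx, echo = struct.unpack(_BFD_FMT, data[:24])
    pkt = BfdControl(
        version=b0 >> 5, diag=b0 & 0x1F, state=b1 >> 6,
        poll=bool(b1 & _P), final=bool(b1 & _F),
        control_plane_independent=bool(b1 & _C), auth_present=bool(b1 & _A),
        demand=bool(b1 & _D), multipoint=bool(b1 & _M),
        detect_mult=mult, length=length,
        my_discriminator=my_d, your_discriminator=your_d,
        desired_min_tx_us=tx, required_min_rx_us=rx, required_min_echo_rx_us=echo,
    )
    if pkt.version != 1:
        raise ValueError(f"unsupported BFD version {pkt.version}")
    if pkt.length < 24 or pkt.length > len(data):
        raise ValueError(f"bad Length field {pkt.length} for {len(data)} bytes")
    if pkt.detect_mult == 0 or pkt.my_discriminator == 0:
        raise ValueError("Detect Multiplier and My Discriminator must be nonzero")
    if pkt.multipoint:
        raise ValueError("Multipoint bit must be zero")
    return pkt


def panos_compatibility_issues(pkt: BfdControl) -> List[str]:
    """Peer settings the reference says PAN-OS does not support; a peer
    that sets them will not get the behaviour it asked for."""
    issues = []
    if pkt.demand:
        issues.append("Demand bit set: PAN-OS does not support Demand mode")
    if pkt.auth_present:
        issues.append("Authentication Present bit set: PAN-OS does not support BFD authentication")
    if pkt.poll:
        issues.append("Poll bit set: PAN-OS does not support the Poll Sequence (Final is never sent)")
    return issues


# Constructed sample matching the reference's example values.
SAMPLE_PACKET = build_bfd()

if __name__ == "__main__":
    p = parse_bfd(SAMPLE_PACKET)
    print(p)
    print("detection time (us) at 1 s peer TX:", p.detection_time_us(1_000_000))
    print("issues:", panos_compatibility_issues(p))
```

With the peer transmitting every second and a received multiplier of 3, the detection time is 3 seconds; a peer that sets the Demand or Authentication Present bits is flagged because PAN-OS will neither enter Demand mode nor validate an authentication section.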
Policy Types
The Palo Alto Networks next-generation firewall supports a variety of policy types that work together to safely enable applications on your network.
Policy Type: Description
Security: Determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. For more details, see Security Policy.
NAT: Instruct the firewall which packets need translation and how to do the translation. The firewall supports both source address and/or port translation and destination address and/or port translation. For more details, see NAT.
QoS: Identify traffic requiring QoS treatment (either preferential treatment or bandwidth limiting) using a defined parameter or multiple parameters and assign it a class. For more details, see Quality of Service.
Policy Based Forwarding: Identify traffic that should use a different egress interface than the one that would normally be used based on the routing table. For details, see Policy Based Forwarding.
Decryption: Identify encrypted traffic that you want to inspect for visibility, control, and granular security. For more details, see Decryption.
Application Override: Identify sessions that you do not want processed by the App-ID engine, which is a Layer 7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4. For more details, see Manage Custom or Unknown Applications.
Authentication: Identify traffic that requires users to authenticate. For more details, see Authentication Policy.
DoS Protection: Identify potential denial-of-service (DoS) attacks and take protective action in response to rule matches. For more details, see DoS Protection Profiles.
Security Policy
Security policy protects network assets from threats and disruptions and aids in optimally allocating network resources for enhancing productivity and efficiency in business processes. On the Palo Alto Networks firewall, individual Security policy rules determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.
To ensure that end users authenticate when they try to access your network resources, the firewall evaluates Authentication policy before Security policy.
All traffic passing through the firewall is matched against a session, and each session is matched against a Security policy rule. When a session match occurs, the firewall applies the matching Security policy rule to bidirectional traffic (client to server and server to client) in that session. For traffic that doesn't match any defined rules, the default rules apply. The default rules, displayed at the bottom of the security rulebase, are predefined to allow all intrazone (within the zone) traffic and deny all interzone (between zones) traffic. Although these rules are part of the predefined configuration and are read-only by default, you can override them and change a limited number of settings, including the tags, action (allow or block), log settings, and security profiles. Overriding the interzone-default rule to enable logging is the usual way to see what falls through the rulebase, because the predefined default rules do not log by default.
Security policy rules are evaluated left to right and from top to bottom. A packet is matched against the first rule that meets the defined criteria; after a match is triggered, the subsequent rules are not evaluated. Therefore, the more specific rules must precede more generic ones in order to enforce the best match criteria. Traffic that matches a rule generates a log entry at the end of the session in the traffic log, if logging is enabled for that rule. The logging options are configurable for each rule, and can for example be configured to log at the start of a session instead of, or in addition to, logging at the end of a session.
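The evaluation order just described, as an added example (editor's code, not from the guide or from PAN-OS): a small first-match evaluator over a constructed rulebase, with the predefined intrazone-allow and interzone-deny defaults applied to anything that falls through, and the application-default service check that refuses a known application on a non-standard port. The rule names, zone names, user names and the port table are constructed for illustration.

```python
"""First-match evaluation of a Security rulebase with the predefined
default rules. Added example; not PAN-OS code. The rulebase, zones,
users and the application-default port table are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Standard ports per App-ID (a constructed subset); "application-default"
# in a rule means "only on these ports".
APP_DEFAULT_PORTS: Dict[str, Set[Tuple[str, int]]] = {
    "dns": {("udp", 53), ("tcp", 53), ("udp", 5353)},
    "ms-update": {("tcp", 80), ("tcp", 443)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
}


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: str
    app: str
    proto: str
    dport: int


def _any() -> Set[str]:
    return {"any"}


@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    from_zones: Set[str] = field(default_factory=_any)
    to_zones: Set[str] = field(default_factory=_any)
    users: Set[str] = field(default_factory=_any)
    apps: Set[str] = field(default_factory=_any)
    service: str = "application-default"  # or "any" or "<proto>/<port>"

    def matches(self, s: Session) -> bool:
        def hit(allowed: Set[str], value: str) -> bool:
            return "any" in allowed or value in allowed
        if not (hit(self.from_zones, s.src_zone) and hit(self.to_zones, s.dst_zone)
                and hit(self.users, s.user) and hit(self.apps, s.app)):
            return False
        if self.service == "any":
            return True
        if self.service == "application-default":
            # The app is recognised regardless of port, but only allowed on its standard ports.
            return (s.proto, s.dport) in APP_DEFAULT_PORTS.get(s.app, set())
        proto, port = self.service.split("/")
        return s.proto == proto and s.dport == int(port)


# The predefined rules at the bottom of every rulebase.
INTRAZONE_DEFAULT = Rule("intrazone-default", "allow", service="any")
INTERZONE_DEFAULT = Rule("interzone-default", "deny", service="any")


def evaluate(rulebase: List[Rule], s: Session) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, top to bottom.
    Rules after the first match are never evaluated; a session that
    matches no rule falls through to the default rule for its zone pair."""
    for rule in rulebase:
        if rule.matches(s):
            return rule.name, rule.action
    default = INTRAZONE_DEFAULT if s.src_zone == s.dst_zone else INTERZONE_DEFAULT
    return default.name, default.action


def unreached_rules(rulebase: List[Rule], samples: List[Session]) -> List[str]:
    """Rules that none of the sample sessions reached: a quick check for
    rules placed below a broader rule that always wins."""
    reached = {evaluate(rulebase, s)[0] for s in samples}
    return [r.name for r in rulebase if r.name not in reached]


# Constructed rulebase: the specific deny sits above the broader allow.
RULEBASE: List[Rule] = [
    Rule("block-ssh-to-dmz", "deny", to_zones={"dmz"}, apps={"ssh"}, service="any"),
    Rule("staff-web", "allow", from_zones={"trust"}, to_zones={"untrust"},
         users={"staff"}, apps={"web-browsing", "ssl", "dns"}),
]

if __name__ == "__main__":
    s = Session("trust", "untrust", "10.0.0.5", "203.0.113.10", "staff", "ssl", "tcp", 8443)
    print(evaluate(RULEBASE, s))   # ssl on a non-standard port falls to interzone-default
```

Run the evaluator over a handful of representative sessions before committing a rulebase change: a rule that no sample session ever reaches is either redundant or shadowed by a rule above it.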
Components of a Security Policy Rule
Security Policy Actions
Create a Security Policy Rule
Components of a Security Policy Rule
The Security policy rule construct permits a combination of the required and optional fields as detailed in the following tables:
Required Fields
Optional Fields
Required Fields
Required Field: Description
Name: A label that supports up to 31 characters, used to identify the rule.
Application: The application which you wish to control. The firewall uses App-ID, the traffic classification technology, to identify traffic on your network. App-ID provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed.
Action: Specifies an Allow or Block action for the traffic based on the criteria you define in the rule. When you configure the firewall to block traffic, it either resets the connection or silently drops packets. To provide a better user experience, you can configure granular options to block traffic instead of silently dropping packets, which can cause some applications to break and appear unresponsive to the user. For more details, see Security Policy Actions.
Optional Fields
Optional Field: Description
Tag: A keyword or phrase that allows you to filter security rules. This is handy when you have defined many rules and wish to then review those that are tagged with a keyword such as IT-sanctioned applications or High-risk applications.
Description: A text field, up to 255 characters, used to describe the rule.
User: The user or group of users for whom the policy applies. You must have User-ID enabled on the zone. To enable User-ID, see User-ID Overview.
Service: Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application. For example, for applications with well-known port numbers such as DNS, the application-default option will match DNS traffic only on its standard ports (UDP and TCP port 53, and UDP port 5353), not on an arbitrary port where the same application might be found. You can also add a custom application and define the ports that the application can use.
NOTE: For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the firewall still checks for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols.
Options: Allow you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect.
Security Policy Actions
For traffic that matches the attributes defined in a security policy, you can apply the following actions:
Action: Description
Allow (default action): Allows the traffic.
Deny: Blocks traffic and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications or check the application details in Applipedia.
Drop: Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application. For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP Unreachable check box. When enabled, the firewall sends the ICMP code for "communication with the destination is administratively prohibited" (ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1).
Reset client: Sends a TCP reset to the client-side device.
NOTE: A reset is sent only after a session is formed. If the session is blocked before a 3-way handshake is completed, the firewall will not send the reset.
For a TCP session with a reset action, the firewall does not send an ICMP Unreachable response.
For a UDP session with a drop or reset action, if the ICMP Unreachable check box is selected, the firewall sends an ICMP message to the client.
Create a Security Policy Rule
Create a Security Policy Rule
The completed rule as the firewall displays it in the CLI (show running security-policy), with the application-default service expanded into the standard ports of each application:
"Updates-DC to Internet" {
        from data_center_applications;
        source any;
        source-region any;
        to untrust;
        destination any;
        destination-region any;
        user any;
        category any;
        application/service [dns/tcp/any/53 dns/udp/any/53
                             dns/udp/any/5353 ms-update/tcp/any/80
                             ms-update/tcp/any/443];
        action allow;
        terminal yes;
}
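Creating the same rule through the XML API instead of the web interface, as an added example (editor's code, not from the guide or from Palo Alto Networks): it builds the rule element and the configuration xpath for a type=config, action=set request and returns the URL and encoded body without sending anything. The hostname, vsys name and API key are placeholders; the 31-character name and 255-character description limits are the ones stated in the field tables above.

```python
"""Build a PAN-OS XML API 'set' request for a Security policy rule.

Added example; not PAN-OS or Palo Alto Networks code. Nothing is sent:
the functions return the request pieces so they can be inspected.
Hostname, vsys name and API key used below are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlencode

RULEBASE_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                  "/vsys/entry[@name='{vsys}']/rulebase/security/rules")
VALID_ACTIONS = {"allow", "deny", "drop", "reset-client", "reset-server", "reset-both"}


def _members(parent: ET.Element, tag: str, values: Iterable[str]) -> None:
    node = ET.SubElement(parent, tag)
    for v in values:
        ET.SubElement(node, "member").text = v


def build_security_rule(name: str, from_zones: Iterable[str], to_zones: Iterable[str],
                        applications: Iterable[str], *,
                        sources: Iterable[str] = ("any",),
                        destinations: Iterable[str] = ("any",),
                        users: Iterable[str] = ("any",),
                        categories: Iterable[str] = ("any",),
                        services: Iterable[str] = ("application-default",),
                        action: str = "allow",
                        description: Optional[str] = None,
                        tags: Iterable[str] = ()) -> str:
    """Return the <entry> element for one rule as an XML string."""
    if not name or len(name) > 31:
        raise ValueError("rule name must be 1-31 characters")
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if description is not None and len(description) > 255:
        raise ValueError("description is limited to 255 characters")
    entry = ET.Element("entry", name=name)
    _members(entry, "from", from_zones)
    _members(entry, "to", to_zones)
    _members(entry, "source", sources)
    _members(entry, "destination", destinations)
    _members(entry, "source-user", users)
    _members(entry, "category", categories)
    _members(entry, "application", applications)
    _members(entry, "service", services)
    ET.SubElement(entry, "action").text = action
    if description:
        ET.SubElement(entry, "description").text = description
    if tags:
        _members(entry, "tag", tags)
    return ET.tostring(entry, encoding="unicode")


def set_request(host: str, api_key: str, vsys: str, rule_xml: str) -> Tuple[str, str]:
    """URL and form-encoded body for type=config&action=set. Send it with
    POST so the key and element are not written to proxy or web logs."""
    params = {"type": "config", "action": "set", "key": api_key,
              "xpath": RULEBASE_XPATH.format(vsys=vsys), "element": rule_xml}
    return f"https://{host}/api/", urlencode(params)


def rule_summary(rule_xml: str) -> Dict[str, object]:
    """Parse a rule element back into the fields the CLI output above shows."""
    root = ET.fromstring(rule_xml)

    def members(tag: str):
        return [m.text for m in root.find(tag)]

    return {"name": root.get("name"), "from": members("from"), "to": members("to"),
            "application": members("application"), "service": members("service"),
            "action": root.findtext("action")}


if __name__ == "__main__":
    xml = build_security_rule("Updates-DC to Internet", ["data_center_applications"],
                              ["untrust"], ["dns", "ms-update"])
    url, body = set_request("firewall.example.test", "<api-key>", "vsys1", xml)
    print(url)
    print(body)
    print(rule_summary(xml))
```

A set request changes only the candidate configuration; a separate commit (type=commit through the API, or Commit in the web interface) is still needed before the rule takes effect, and the order the rule lands in the rulebase should be checked afterwards, since a rule appended below a broader allow rule is never reached.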
Policy Objects
A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs, applications, or users. With policy objects that are a collective unit, you can reference the object in security policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object, you group objects that require similar permissions in policy. For example, if your organization uses a set of server IP addresses for authenticating users, you can group the set of server IP addresses as an address group policy object and reference the address group in the security policy. By grouping objects, you can significantly reduce the administrative overhead in creating policies.
You can create the following policy objects on the firewall:
Policy Object: Description
Address/Address Group, Region: Allow you to group specific source or destination addresses that require the same policy enforcement. The address object can include an IPv4 or IPv6 address (single IP, range, subnet) or the FQDN. Alternatively, a region can be defined by the latitude and longitude coordinates, or you can select a country and define an IP address or IP range. You can then group a collection of address objects to create an address group object. You can also use dynamic address groups to dynamically update IP addresses in environments where host IP addresses change frequently.
User/User Group: Allow you to create a list of users from the local database or an external database and group them.
Application Group and Application Filter: An Application Filter allows you to filter applications dynamically. It allows you to filter, and save, a group of applications using the attributes defined in the application database on the firewall. For example, you can Create an Application Filter by one or more attributes: category, subcategory, technology, risk, characteristics. With an application filter, when a content update occurs, any new applications that match your filter criteria are automatically added to your saved application filter. Because a filter used in an allow rule therefore widens on its own, review what it matches after content updates. An Application Group allows you to create a static group of specific applications that you want to group together for a group of users or for a particular service, or to achieve a particular policy goal. See Create an Application Group.
Service/Service Groups: Allows you to specify the source and destination ports and protocol that a service can use. The firewall includes two predefined services, service-http and service-https, that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can, however, create any custom service on any TCP/UDP port of your choice to restrict application usage to specific ports on your network (in other words, you can define the default port for the application).
NOTE: To view the standard ports used by an application, in Objects > Applications search for the application and click the link. A succinct description displays.
Security Profiles
While security policy rules enable you to allow or block traffic on your network, security profiles help you define an allow-but-scan rule, which scans allowed applications for threats such as viruses, malware, spyware, and DDoS attacks. When traffic matches the allow rule defined in the security policy, the security profile(s) that are attached to the rule are applied for further content inspection rules such as antivirus checks and data filtering.
Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy.
The firewall provides default security profiles that you can use out of the box to begin protecting your network from threats. See Set Up a Basic Security Policy for information on using the default profiles in your security policy. As you get a better understanding about the security needs on your network, you can create custom profiles. See Security Profiles for more information.
For recommendations on the best-practice settings for security profiles, see Create Best Practice Security Profiles.
You can add security profiles that are commonly applied together to a Security Profile Group; this set of profiles can be treated as a unit and added to security policies in one step (or included in security policies by default, if you choose to set up a default security profile group).
The following topics provide more detailed information about each type of security profile and how to set up a security profile group:
Antivirus Profiles
Anti-Spyware Profiles
Vulnerability Protection Profiles
URL Filtering Profiles
Data Filtering Profiles
File Blocking Profiles
WildFire Analysis Profiles
DoS Protection Profiles
Zone Protection Profiles
Security Profile Group
Antivirus Profiles
Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript viruses, including support for scanning inside compressed files and data encoding schemes. If you have enabled Decryption on the firewall, the profile also enables scanning of decrypted content.
The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for the SMTP, IMAP, and POP3 protocols while blocking for the FTP, HTTP, and SMB protocols. With the default profile, malware carried over SMTP, IMAP, or POP3 is therefore logged but not blocked; use a custom profile if mail traffic should be blocked as well. You can configure the action for a decoder or Antivirus signature and specify how the firewall responds to a threat event:
Action: Description
Default: For each threat signature and Antivirus signature that is defined by Palo Alto Networks, a default action is specified internally. Typically, the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Antivirus signature.
Allow: Permits the application traffic.
Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop: Drops the application traffic.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
The Palo Alto Networks WildFire system also provides signatures for persistent threats that are more evasive and have not yet been discovered by other antivirus solutions. As threats are discovered by WildFire, signatures are quickly created and then integrated into the standard Antivirus signatures that can be downloaded by Threat Prevention subscribers on a daily basis (sub-hourly for WildFire subscribers).
Anti-Spyware Profiles
Anti-Spyware profiles block spyware on compromised hosts from trying to phone home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply various levels of protection between zones. For example, you may want to have custom Anti-Spyware profiles that minimize inspection between trusted zones, while maximizing inspection on traffic received from an untrusted zone, such as internet-facing zones.
You can define your own custom Anti-Spyware profiles, or choose one of the following predefined profiles when applying Anti-Spyware to a Security policy rule:
Default: Uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
Strict: Overrides the default action of critical, high, and medium severity threats to the block action, regardless of the action defined in the signature file. This profile still uses the default action for low and informational severity signatures.
When the firewall detects a threat event, you can configure the following actions in an Anti-Spyware profile:
Default: For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a default action is specified internally. Typically the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Anti-Spyware signature.
Allow: Permits the application traffic.
Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop: Drops the application traffic.
Reset Client: For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server: For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both: For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
Block IP: This action blocks traffic from either a source or a source-destination pair. It is configurable for a specified period of time.
In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature helps to identify infected hosts on the protected network using DNS traffic. Infected hosts can then be easily identified in the traffic and threat logs, because any host that attempts to connect to the sinkhole IP address is most likely infected with malware. (When clients query through an internal recursive resolver, the query reaches the firewall with the resolver's address as its source, so the query alone cannot identify the infected client; the client's later connection to the sinkhole address can.)
Anti-Spyware and Vulnerability Protection profiles are configured similarly.
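Reading the sinkhole evidence out of the logs, as an added example (editor's code, not from the guide): the threat log shows the sinkholed query with the internal resolver as its source, while the traffic log shows which clients then connected to the sinkhole address. The sample log records, the field subset, the addresses and the sinkhole IP are constructed, and the threat-log action value "sinkhole" is assumed here as the marker for this action.

```python
"""Find infected hosts from DNS sinkhole evidence in traffic and threat logs.

Added example; not PAN-OS code. The log records are constructed (a
subset of fields, CSV), as are all addresses. SINKHOLE_IP stands for
the address configured in the Anti-Spyware profile.
"""
import csv
import io
from collections import Counter
from typing import Dict, List

SINKHOLE_IP = "198.51.100.1"          # placeholder for the configured sinkhole address
INTERNAL_RESOLVER = "10.0.0.53"       # placeholder; clients send their DNS queries here

# Constructed threat log: the sinkholed query is seen coming from the resolver,
# because that is the host that forwarded it towards the internet.
THREAT_LOG = """time,src,dst,app,threat,action
2017-03-30 10:00:01,10.0.0.53,203.0.113.53,dns,Suspicious DNS Query (generic:bad.example),sinkhole
2017-03-30 10:00:07,10.0.0.53,203.0.113.53,dns,Suspicious DNS Query (generic:bad.example),sinkhole
"""

# Constructed traffic log: the clients that resolved the domain now try to
# reach the sinkhole address, which exposes them individually.
TRAFFIC_LOG = """time,src,dst,dport,proto,app
2017-03-30 10:00:02,10.1.1.20,198.51.100.1,443,tcp,ssl
2017-03-30 10:00:03,10.1.1.20,198.51.100.1,80,tcp,web-browsing
2017-03-30 10:00:08,10.1.1.31,198.51.100.1,8080,tcp,unknown-tcp
2017-03-30 10:00:09,10.1.1.40,203.0.113.5,443,tcp,ssl
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def sinkholed_query_sources(threat_rows: List[Dict[str, str]]) -> List[str]:
    """Sources of sinkholed queries in the threat log. With an internal
    resolver in the path this is the resolver, not the infected client."""
    return sorted({r["src"] for r in threat_rows if r["action"] == "sinkhole"})


def sinkhole_contacts(traffic_rows: List[Dict[str, str]], sinkhole_ip: str) -> Dict[str, int]:
    """Hosts that connected to the sinkhole address, with a hit count.
    Any such host is most likely infected."""
    hits = Counter(r["src"] for r in traffic_rows if r["dst"] == sinkhole_ip)
    return dict(hits)


def infected_hosts(traffic_rows: List[Dict[str, str]], sinkhole_ip: str,
                   resolver: str) -> List[str]:
    """Clients to investigate: sinkhole contacts, excluding the resolver
    itself, which only forwarded the queries."""
    return sorted(h for h in sinkhole_contacts(traffic_rows, sinkhole_ip) if h != resolver)


if __name__ == "__main__":
    threats, traffic = parse_log(THREAT_LOG), parse_log(TRAFFIC_LOG)
    print("query sources in threat log:", sinkholed_query_sources(threats))
    print("sinkhole contacts:", sinkhole_contacts(traffic, SINKHOLE_IP))
    print("investigate:", infected_hosts(traffic, SINKHOLE_IP, INTERNAL_RESOLVER))
```

On the constructed records the threat log names only the resolver, while the traffic log names the two clients that followed the forged answer; the two sets do not overlap, which is exactly why the traffic-log view is the one to hunt in.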
Vulnerability Protection Profiles
Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network, Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium severity threats. You can also create exceptions, which allow you to change the response to a specific signature.
To configure how the firewall responds to a threat, see Anti-Spyware Profiles for a list of supported actions.
URL Filtering Profiles
URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites. You can use the default profile in a security policy, clone it to be used as a starting point for new URL filtering profiles, or add a new URL profile that will have all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed, which provides more granular control over URL categories.
Data Filtering Profiles
Data filtering profiles prevent sensitive information such as credit card or social security numbers from leaving a protected network. The data filtering profile also allows you to filter on keywords, such as a sensitive project name or the word "confidential". It is important to focus your profile on the desired file types to reduce false positives. For example, you may only want to search Word documents or Excel spreadsheets. You may also only want to scan web-browsing traffic, or FTP.
You can create custom data pattern objects and attach them to a Data Filtering profile to define the type of information on which you want to filter. Create data pattern objects based on:
Predefined Patterns: Filter for credit card and social security numbers (with or without dashes) using predefined patterns.
Regular Expressions: Filter for a string of characters.
File Properties: Filter for file properties and values based on file type. If you're using a third-party endpoint data loss prevention (DLP) solution to populate file properties to indicate sensitive content, this option enables the firewall to enforce your DLP policy.
To get started, Set Up Data Filtering.
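What a data pattern actually has to do, as an added example (editor's code, not the firewall's predefined patterns): regular expressions for credit card and social security numbers with or without dashes, a Luhn checksum on the card candidates to cut false positives (an added refinement the guide does not describe), and the file-type scoping the text recommends. The sample text and the set of in-scope file types are constructed.

```python
"""Scan text for credit card and SSN patterns, scoped by file type.

Added example; not the firewall's predefined patterns. The Luhn check is
an added refinement to reduce false positives. Sample input is constructed.
"""
import re
from typing import Dict, List, NamedTuple

# 16-digit card number, digits grouped by four with optional dash or space.
CREDIT_CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")
# US SSN with or without dashes; excludes area 000, 666, 9xx and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")

# File types worth scanning for this profile (the guide recommends scoping).
IN_SCOPE_FILE_TYPES = {"docx", "xlsx", "pdf", "txt", "csv"}


class Match(NamedTuple):
    kind: str          # "credit-card" or "ssn"
    value: str
    plausible: bool    # Luhn-valid for cards; True for SSN pattern matches


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of digits (card numbers only)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Match]:
    found: List[Match] = []
    for m in CREDIT_CARD_RE.finditer(text):
        raw = re.sub(r"[- ]", "", m.group())
        found.append(Match("credit-card", m.group(), luhn_ok(raw)))
    for m in SSN_RE.finditer(text):
        found.append(Match("ssn", m.group(), True))
    return found


def scan_file(text: str, file_type: str) -> List[Match]:
    """Apply the patterns only to file types in scope; everything else is skipped."""
    if file_type.lower() not in IN_SCOPE_FILE_TYPES:
        return []
    return scan_text(text)


def summarize(matches: List[Match]) -> Dict[str, int]:
    """Counts of plausible hits per kind, the number you would compare against a threshold."""
    counts: Dict[str, int] = {}
    for m in matches:
        if m.plausible:
            counts[m.kind] = counts.get(m.kind, 0) + 1
    return counts


# Constructed sample document text.
SAMPLE_TEXT = (
    "Customer 123-45-6789 paid with 4111-1111-1111-1111 on file; "
    "reference 1234 5678 9012 3456 is an order id, not a card. "
    "Invoice total 1024.50 USD, confidential."
)

if __name__ == "__main__":
    for m in scan_file(SAMPLE_TEXT, "docx"):
        print(m)
    print(summarize(scan_file(SAMPLE_TEXT, "docx")))
```

The order-id string has the shape of a card number but fails the checksum, so it is reported as a match but not counted; the same text in an image file type is not scanned at all.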
File Blocking Profiles
The firewall uses file blocking profiles to block specified file types over specified applications and in the specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload and/or download, and you can specify which applications will be subject to the file blocking profile. You can also configure custom block pages that will appear when a user attempts to download the specified file type. This allows the user to take a moment to consider whether or not they want to download a file.
You can define your own custom File Blocking profiles, or choose one of the following predefined profiles when applying file blocking to a Security policy rule. The predefined profiles, which are available with content release version 653 and later, allow you to quickly enable best-practice file blocking settings:
basic file blocking: Attach this profile to the Security policy rules that allow traffic to and from less sensitive applications to block files that are commonly included in malware attack campaigns or that have no real use case for upload/download. This profile blocks upload and download of PE files (.scr, .cpl, .dll, .ocx, .pif, .exe), Java files (.class, .jar), Help files (.chm, .hlp) and other potentially malicious file types, including .vbe, .hta, .wsf, .torrent, .7z, .rar, .bat. Additionally, it prompts users to acknowledge when they attempt to download encrypted-rar or encrypted-zip files. This rule alerts on all other file types to give you complete visibility into all file types coming in and out of your network.
strict file blocking: Use this stricter profile on the Security policy rules that allow access to your most sensitive applications. This profile blocks the same file types as the other profile, and additionally blocks flash, .tar, multi-level encoding, .cab, .msi, encrypted-rar, and encrypted-zip files.
Configure a file blocking profile with the following actions:
Alert: When the specified file type is detected, a log is generated in the data filtering log.
Block: When the specified file type is detected, the file is blocked and a customizable block page is presented to the user. A log is also generated in the data filtering log.
Continue: When the specified file type is detected, a customizable response page is presented to the user. The user can click through the page to download the file. A log is also generated in the data filtering log. Because this type of forwarding action requires user interaction, it is only applicable for web traffic.
To get started, Set Up File Blocking.
WildFire Analysis Profiles
Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for WildFire analysis. Specify files to be forwarded for analysis based on application, file type, and transmission direction (upload or download). Files or email links matched to the profile rule are forwarded either to the WildFire public cloud or to the WildFire private cloud (hosted with a WF-500 appliance), depending on the analysis location defined for the rule. If a profile rule is set to forward files to the WildFire public cloud, the firewall also forwards files that match existing antivirus signatures, in addition to unknown files.
You can also use WildFire analysis profiles to set up a WildFire hybrid cloud deployment. If you are using a WildFire appliance to analyze sensitive files locally (such as PDFs), you can specify for less sensitive file types (such as PE files) or file types that are not supported for WildFire appliance analysis (such as APKs) to be analyzed by the WildFire public cloud. Using both the WildFire appliance and the WildFire cloud for analysis allows you to benefit from a prompt verdict for files that have already been processed by the cloud, and for files that are not supported for appliance analysis, and frees up the appliance capacity to process sensitive content.
DoS Protection Profiles
DoS protection profiles provide detailed control for Denial of Service (DoS) protection policies. DoS policies allow you to control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. There are two DoS protection mechanisms that the Palo Alto Networks firewalls support:
Flood Protection: Detects and prevents attacks where the network is flooded with packets, resulting in too many half-open sessions and/or services being unable to respond to each request. In this case the source address of the attack is usually spoofed. See DoS Protection Against Flooding of New Sessions.
Resource Protection: Detects and prevents session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully established sessions as possible to consume all of a system's resources.
You can enable both types of protection mechanisms in a single DoS protection profile.
The DoS profile is used to specify the type of action to take and details on matching criteria for the DoS policy. The DoS profile defines settings for SYN, UDP, and ICMP floods, can enable resource protection, and defines the maximum number of concurrent connections. After you configure the DoS protection profile, you then attach it to a DoS policy.
When configuring DoS protection, it is important to analyze your environment in order to set the correct thresholds, and because of the complexities of defining DoS protection policies, this guide will not go into detailed examples.
Zone Protection Profiles
Zone Protection profiles provide additional protection between specific network zones in order to protect the zones against attack. The profile must be applied to the entire zone, so it is important to carefully test the profiles in order to prevent issues that may arise with the normal traffic traversing the zones. When defining packets-per-second (pps) threshold limits for zone protection profiles, the threshold is based on the packets per second that do not match a previously established session.
Security Profile Group
A security profile group is a set of security profiles that can be treated as a unit and then easily added to security policies. Profiles that are often assigned together can be added to profile groups to simplify the creation of security policies. You can also set up a default security profile group: new security policies will use the settings defined in the default profile group to check and control traffic that matches the security policy. Name a security profile group "default" to allow the profiles in that group to be added to new security policies by default. This allows you to consistently include your organization's preferred profile settings in new policies automatically, without having to manually add security profiles each time you create new rules.
For recommendations on the best-practice settings for security profiles, see Create Best Practice Security Profiles.
The following sections show how to create a security profile group and how to enable a profile group to be used by default in new security policies:
Create a Security Profile Group
Set Up or Override a Default Security Profile Group
Create a Security Profile Group
Use the following steps to create a security profile group and add it to a security policy.
Create a Security Profile Group
5. Click OK to save the profile group.
5. Click OK to save the policy and Commit your changes.
Set Up or Override a Default Security Profile Group
Use the following options to set up a default security profile group to be used in new security policies, or to override an existing default group. When an administrator creates a new security policy, the default profile group will be automatically selected as the policy's profile settings, and traffic matching the policy will be checked according to the settings defined in the profile group (the administrator can choose to manually select different profile settings if desired). Use the following options to set up a default security profile group or to override your default settings.
If no default security profile group exists, the profile settings for a new security policy are set to None by default.
Set Up or Override a Default Security Profile Group
5. Click OK to save the profile group.
6. Add the security profile group to a security policy.
7. Add or modify a security policy rule and select the Actions tab.
8. Select Group for the Profile Type.
9. In the Group Profile drop-down, select the group you created (for example, select the Threats group).
3. Click OK and Commit.
4. Confirm that the default security profile group is included in new security policies by default:
a. Select Policies > Security and Add a new security policy.
b. Select the Actions tab and view the Profile Setting fields: by default, the new security policy correctly shows the Profile Type set to Group and the default Group Profile selected.
Override a default security profile group: If you have an existing default security profile group, and you do not want that set of profiles to be attached to a new security policy, you can continue to modify the Profile Setting fields according to your preference. Begin by selecting a different Profile Type for your policy (Policies > Security > Security Policy Rule > Actions).
Best Practice Internet Gateway Security Policy
One of the cheapest and easiest ways for an attacker to gain access to your network is through users accessing the internet. By successfully exploiting an endpoint, an attacker can take hold in your network and begin to move laterally towards the end goal, whether that is to steal your source code, exfiltrate your customer data, or take down your infrastructure. To protect your network from cyberattack and improve your overall security posture, implement a best-practice internet gateway security policy. A best-practice policy allows you to safely enable applications, users, and content by classifying all traffic, across all ports, all the time.
The following topics describe the overall process for deploying a best-practice internet gateway security policy and provide detailed instructions for creating it.
What Is a Best Practice Internet Gateway Security Policy?
Why Do I Need a Best Practice Internet Gateway Security Policy?
How Do I Deploy a Best Practice Internet Gateway Security Policy?
Identify Whitelist Applications
Create User Groups for Access to Whitelist Applications
Decrypt Traffic for Full Visibility and Threat Inspection
Create Best Practice Security Profiles
Define the Initial Internet Gateway Security Policy
Monitor and Fine-Tune the Policy Rulebase
Remove the Temporary Rules
Maintain the Rulebase
What Is a Best Practice Internet Gateway Security Policy?
A best-practice internet gateway security policy has two main security goals:
Minimize the chance of a successful intrusion: Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best-practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats.
Identify the presence of an attacker: A best-practice internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.
To achieve these goals, the best-practice internet gateway security policy uses application-based rules to allow access to whitelisted applications by user, while scanning all traffic to detect and block all known threats, and sending unknown files to WildFire to identify new threats and generate signatures to block them.
The best-practice policy is based on the following methodologies. The best-practice methodologies ensure detection and prevention at multiple stages of the attack lifecycle.
Best Practice Methodology: Why is this important?
Inspect All Traffic for Visibility: Because you cannot protect against threats you cannot see, you must make sure you have full visibility into all traffic across all users and applications all the time. To accomplish this:
Deploy GlobalProtect to extend the next-generation security platform to users and devices no matter where they are located.
Enable SSL decryption so the firewall can inspect encrypted traffic (SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network today).
Enable User-ID to map application traffic and associated threats to users/devices.
The firewall can then inspect all traffic, inclusive of applications, threats, and content, and tie it to the user, regardless of location or device type, port, encryption, or evasive techniques employed, using the native App-ID, Content-ID, and User-ID technologies.
Complete visibility into the applications, the content, and the users on your network is the first step toward informed policy control.
BestPracticeMethodology Whyisthisimportant?
ReducetheAttackSurface Afteryouhavecontextintothetrafficonyournetworkapplications,their
associatedcontent,andtheuserswhoareaccessingthemcreateapplicationbased
Securitypolicyrulestoallowthoseapplicationsthatarecriticaltoyourbusinessand
additionalrulestoblockallhighriskapplicationsthathavenolegitimateusecase.
Tofurtherreduceyourattacksurface,enableattachFileBlockingandURLFiltering
profilestoallrulesthatallowapplicationtraffictopreventusersfromvisiting
threatpronewebsitesandpreventthemfromuploadingordownloadingdangerous
filetypes(eitherknowinglyorunknowingly).Topreventattackersfromexecuting
successfulphishingattacks(thecheapestandeasiestwayforthemtomaketheirway
intoyournetwork),configurecredentialphishingprevention.
PreventKnownThreats Enablethefirewalltoscanallallowedtrafficforknownthreatsbyattachingsecurity
profilestoallallowrulestodetectandblocknetworkandapplicationlayer
vulnerabilityexploits,bufferoverflows,DoSattacks,andportscans,knownmalware
variants,(includingthosehiddenwithincompressedfilesorcompressed
HTTP/HTTPStraffic).Toenableinspectionofencryptedtraffic,enableSSL
decryption.
InadditiontoapplicationbasedSecuritypolicyrules,createrulesforblockingknown
maliciousIPaddressesbasedonthreatintelligencefromPaloAltoNetworksand
reputablethirdpartyfeeds.
DetectUnknownThreats ForwardallunknownfilestoWildFireforanalysis.WildFireidentifiesunknownor
targetedmalware(alsocalledadvancedpersistentthreatsorAPTs)hiddenwithin
filesbydirectlyobservingandexecutingunknownfilesinavirtualizedsandbox
environmentinthecloudorontheWildFireappliance.WildFiremonitorsmorethan
250maliciousbehaviorsand,ifitfindsmalware,itautomaticallydevelopsasignature
anddeliversittoyouinaslittleasfiveminutes(andnowthatunknownthreatisa
knownthreat).
Why Do I Need a Best Practice Internet Gateway Security Policy?

Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy allows you to safely enable applications by classifying all traffic, across all ports, all the time, including encrypted traffic. By determining the business use case for each application, you can create security policy rules to allow and protect access to relevant applications. Simply put, a best practice security policy is a policy that leverages the next-generation technologies App-ID, Content-ID, and User-ID on the Palo Alto Networks enterprise security platform to:

- Identify applications regardless of port, protocol, evasive tactic, or encryption
- Identify and control users regardless of IP address, location, or device
- Protect against known and unknown application-borne threats
- Provide fine-grained visibility and policy control over application access and functionality

A best practice security policy uses a layered approach to ensure that you not only safely enable sanctioned applications, but also block applications with no legitimate use case. To mitigate the risk of breaking applications when moving from port-based enforcement to application-based enforcement, the best practice rulebase provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network. These temporary best practice rules ensure that applications your users are counting on don't break, while allowing you to monitor application usage and craft appropriate rules. You may find that some of the applications that were being allowed through existing port-based policy rules are not necessarily applications that you want to continue to allow, or that you want to limit to a more granular set of users.

Unlike a port-based policy, a best practice security policy is easy to administer and maintain because each rule meets a specific goal of allowing an application or group of applications to a specific user group based on your business needs. Therefore, you can easily understand what traffic the rule enforces by looking at the match criteria. Additionally, a best practice security policy rulebase leverages tags and objects to make the rulebase more scannable and easier to keep synchronized with your changing environment.
How Do I Deploy a Best Practice Internet Gateway Security Policy?

Moving from a port-based security policy to an application-based security policy may seem like a daunting task. However, the security risks of sticking with a port-based policy far outweigh the effort required to implement an application-based policy. And, while legacy port-based security policies may have hundreds, if not thousands, of rules (many of which serve a purpose nobody in the organization knows), a best practice policy has a streamlined set of rules that align with your business goals, simplifying administration and reducing the chance of error. Because the rules in an application-based policy align with your business goals and acceptable use policies, you can quickly scan the policy to understand the reason for each and every rule.

As with any technology, there is usually a gradual approach to a complete implementation, consisting of carefully planned deployment phases to make the transition as smooth as possible, with minimal impact to your end users. Generally, the workflow for implementing a best practice internet gateway security policy is:

- Assess your business and identify what you need to protect. The first step in deploying a security architecture is to assess your business and identify what your most valuable assets are as well as what the biggest threats to those assets are. For example, if you are a technology company, your intellectual property is your most valuable asset. In this case, one of your biggest threats would be source code theft.
- Segment Your Network Using Interfaces and Zones. Traffic cannot flow between zones unless there is a security policy rule to allow it. One of the easiest defenses against lateral movement of an attacker that has made its way into your network is to define granular zones and only allow access to the specific user groups who need to access an application or resource in each zone. By segmenting your network into granular zones, you can prevent an attacker from establishing a communication channel within your network (either via malware or by exploiting legitimate applications), thereby reducing the likelihood of a successful attack on your network.
- Identify Whitelist Applications. Before you can create an internet gateway best practice security policy, you must have an inventory of the applications you want to allow on your network, and distinguish between those applications you administer and officially sanction and those that you simply want users to be able to use safely. After you identify the applications (including general types of applications) you want to allow, you can map them to specific best practice rules.
- Create User Groups for Access to Whitelist Applications. After you identify the applications you plan to allow, you must identify the user groups that require access to each one. Because compromising an end user's system is one of the cheapest and easiest ways for an attacker to gain access to your network, you can greatly reduce your attack surface by only allowing access to applications to the user groups that have a legitimate business need.
- Decrypt Traffic for Full Visibility and Threat Inspection. You can't inspect traffic for threats if you can't see it. And today SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network. This is precisely why encrypted traffic is a common way for attackers to deliver threats. For example, an attacker may use a web application such as Gmail, which uses SSL encryption, to email an exploit or malware to employees accessing that application on the corporate network. Or, an attacker may compromise a website that uses SSL encryption to silently download an exploit or malware to site visitors. If you are not decrypting traffic for visibility and threat inspection, you are leaving a very large surface open for attack.
- Create Best Practice Security Profiles. Command and control traffic, CVEs, drive-by downloads of malicious content, phishing attacks, and APTs are all delivered via legitimate applications. To protect against known and unknown threats, you must attach stringent security profiles to all Security policy allow rules.
- Define the Initial Internet Gateway Security Policy. Using the application and user group inventory you conducted, you can define an initial policy that allows access to all of the applications you want to whitelist by user or user group. The initial policy rulebase you create must also include rules for blocking known malicious IP addresses, as well as temporary rules to prevent other applications you might not have known about from breaking and to identify policy gaps and security holes in your existing design.
- Monitor and Fine-Tune the Policy Rulebase. After the temporary rules are in place, you can begin monitoring traffic that matches them so that you can fine-tune your policy. Because the temporary rules are designed to uncover unexpected traffic on the network, such as traffic running on non-default ports or traffic from unknown users, you must assess the traffic matching these rules and adjust your application allow rules accordingly.
- Remove the Temporary Rules. After a monitoring period of several months, you should see less and less traffic hitting the temporary rules. When you reach the point where traffic no longer hits the temporary rules, you can remove them to complete your best practice internet gateway security policy.
- Maintain the Rulebase. Due to the dynamic nature of applications, you must continually monitor your application whitelist and adapt your rules to accommodate new applications that you decide to sanction, as well as to determine how new or modified App-IDs impact your policy. Because the rules in a best practice rulebase align with your business goals and leverage policy objects for simplified administration, adding support for a new sanctioned application or a new or modified App-ID is oftentimes as simple as adding or removing an application from an application group or modifying an application filter.
Identify Whitelist Applications

The application whitelist includes not only the applications you provision and administer for business and infrastructure purposes, but also other applications that your users may need to use in order to get their jobs done, and applications you may choose to allow for personal use. Before you can begin creating your best practice internet gateway security policy, you must create an inventory of the applications you want to whitelist.

- Map Applications to Business Goals for a Simplified Rulebase
- Use Temporary Rules to Tune the Whitelist
- Application Whitelist Example

Map Applications to Business Goals for a Simplified Rulebase

As you inventory the applications on your network, consider your business goals and acceptable use policies and identify the applications that correspond to each. This will allow you to create a goal-driven rulebase. For example, one goal might be to allow all users on your network to access data center applications. Another goal might be to allow the sales and support groups access to your customer database. You can then create a whitelist rule that corresponds to each goal you identify and group all of the applications that align with the goal into a single rule. This approach allows you to create a rulebase with a smaller number of individual rules, each with a clear purpose.

In addition, because the individual rules you create align with your business goals, you can use application objects to group the whitelist to further simplify administration of the best practice rulebase:

- Create application groups for sanctioned applications. Because you will know exactly what applications you require and sanction for official use, create application groups that explicitly include only those applications. Using application groups also simplifies the administration of your policy because it allows you to add and remove sanctioned applications without requiring you to modify individual policy rules. Generally, if the applications that map to the same goal have the same requirements for enabling access (for example, they all have a destination address that points to your data center address group, they all allow access to any known user, and you want to enable them on their default ports only), you would add them to the same application group.
- Create application filters to allow general types of applications. Besides the applications you officially sanction, you will also need to decide what additional applications you will want to allow your users to access. Application filters allow you to safely enable certain categories of applications (based on category, subcategory, technology, risk factor, or characteristic). Separate the different types of applications based on business and personal use. Create separate filters for each type of application to make it easier to understand each policy rule at a glance.
Use Temporary Rules to Tune the Whitelist

Although the end goal of a best practice application-based policy is to use positive enforcement to safely enable your whitelist applications, the initial rulebase requires some additional rules designed to ensure that you have full visibility into all the applications in use on your network so that you can properly tune it. The initial rulebase you create will have the following types of rules:

- Whitelist rules for the applications you officially sanction and deploy.
- Whitelist rules for safely enabling access to general types of applications you want to allow per your acceptable use policy.
- Blacklist rules that block applications that have no legitimate use case. You need these rules so that the temporary rules that catch applications that haven't yet been accounted for in your policy don't let anything bad onto your network.
- Temporary allow rules to give you visibility into all of the applications running on your network so that you can tune the rulebase.

The temporary rules are a very important part of the initial best practice rulebase. Not only will they give you visibility into applications you weren't aware were running on your network (and prevent legitimate applications you didn't know about from breaking), but they will also help you identify things such as unknown users and applications running on non-standard ports. Because attackers commonly use standard applications on non-standard ports as an evasion technique, allowing applications on any port opens the door for malicious content. Therefore, you must identify any legitimate applications running on non-standard ports (for example, internally developed applications) so that you can either modify what ports are used or create a custom application to enable them.
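To make the tuning process concrete, the following Python script is an added example (not part of this guide and not Palo Alto Networks code) that classifies constructed application sessions against a rulebase made of the four rule types just listed. The application catalogue, the group and filter definitions, and the session records are assumptions of the example; only the order of evaluation (sanctioned application groups, then the general-use application filter, then the block rule, then the temporary rule) follows the description above. The report it produces shows which temporary-rule hits you would review: unknown applications, unknown users, and sanctioned applications seen on non-standard ports.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed application catalogue (not the real App-ID database):
# name -> (category, set of default ports, risk 1-5)
APP_CATALOG = {
    "dns":          ("networking",    {53},   3),
    "ntp":          ("networking",    {123},  2),
    "ms-exchange":  ("business",      {443},  2),
    "salesforce":   ("saas",          {443},  2),
    "webex":        ("collaboration", {443},  2),
    "web-browsing": ("general",       {80},   4),
    "dropbox":      ("file-sharing",  {443},  4),
    "bittorrent":   ("file-sharing",  {6881}, 5),
    "tor":          ("proxy",         {9001}, 5),
}

# Goal-driven objects (constructed): one application group per sanctioned goal,
# one application filter for general-use categories, one blacklist group.
SANCTIONED_GROUPS = {
    "infrastructure-apps": {"dns", "ntp"},
    "it-sanctioned-apps":  {"ms-exchange", "salesforce"},
}
GENERAL_USE_FILTER = {"categories": {"collaboration", "general"}, "max_risk": 4}
BLACKLIST = {"tor", "bittorrent"}


@dataclass(frozen=True)
class Session:
    app: str              # App-ID name as it appears in the Traffic log
    port: int             # destination port
    user: Optional[str]   # None when User-ID could not map the session to a user


def on_default_port(s: Session) -> bool:
    return s.app in APP_CATALOG and s.port in APP_CATALOG[s.app][1]


def classify(s: Session) -> Tuple[str, str]:
    """Return (rule, note) for the first rule the session would match.

    Whitelist rules require a known user and the application's default port.
    The block rule comes before the temporary rule so that the catch-all
    never admits an application with no legitimate use case.
    """
    known_user = s.user is not None
    # 1. Whitelist rules for sanctioned application groups
    for group, apps in SANCTIONED_GROUPS.items():
        if s.app in apps and known_user and on_default_port(s):
            return ("allow:" + group, "")
    # 2. Whitelist rule built from an application filter
    if s.app in APP_CATALOG:
        category, _, risk = APP_CATALOG[s.app]
        if (category in GENERAL_USE_FILTER["categories"]
                and risk <= GENERAL_USE_FILTER["max_risk"]
                and known_user and on_default_port(s)):
            return ("allow:general-use-filter", "")
    # 3. Block rule for applications with no legitimate use case
    if s.app in BLACKLIST:
        return ("block:blacklist", "")
    # 4. Temporary tuning rule: allow and log, but record why it was hit
    if s.app not in APP_CATALOG:
        note = "unknown application"
    elif not known_user:
        note = "unknown user"
    elif not on_default_port(s):
        note = "non-standard port"
    else:
        note = "application not in whitelist"
    return ("allow:temporary", note)


def tuning_report(sessions) -> dict:
    """Summarise temporary-rule hits so the whitelist can be adjusted."""
    reasons = Counter()
    to_review = {}
    for s in sessions:
        rule, note = classify(s)
        if rule == "allow:temporary":
            reasons[note] += 1
            to_review.setdefault(note, set()).add(s.app)
    return {"hits": dict(reasons),
            "apps": {k: sorted(v) for k, v in to_review.items()}}


# Constructed sample sessions
SAMPLE = [
    Session("dns", 53, "alice"),
    Session("salesforce", 443, "bob"),
    Session("webex", 443, "carol"),
    Session("dropbox", 443, "dave"),        # known app, not in any whitelist rule
    Session("ms-exchange", 8443, "erin"),   # sanctioned app on a non-standard port
    Session("web-browsing", 80, None),      # user not mapped by User-ID
    Session("tor", 9001, "frank"),
    Session("unknown-tcp", 5555, "grace"),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.app, s.port, s.user, "->", classify(s))
    print(tuning_report(SAMPLE))
```

The report groups hits by reason rather than by application, which mirrors the decisions you make while tuning: a sanctioned application on a non-standard port calls for a custom application or a port change, an unknown user calls for a User-ID mapping fix, and an unaccounted application calls for either a whitelist entry or a block rule.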
Application Whitelist Example

Keep in mind that you do not need to capture every application that might be in use on your network in your initial inventory. Instead you should focus here on the applications (and general types of applications) that you want to allow. Temporary rules in the best practice rulebase will catch any additional applications that may be in use on your network so that you are not inundated with complaints of broken applications during your transition to application-based policy. The following is an example application whitelist for an enterprise gateway deployment.

Application Type / Best Practice for Securing

Sanctioned Applications
These are the applications that your IT department administers specifically for business use within your organization or to provide infrastructure for your network and applications. For example, in an internet gateway deployment these applications fall into the following categories:
- Infrastructure Applications: These are the applications that you must allow to enable networking and security, such as ping, NTP, SMTP, and DNS.
- IT Sanctioned Applications: These are the applications that you provision and administer for your users. These fall into two categories:
  - IT Sanctioned On-Premise Applications: These are the applications you install and host in your data center for business use. With IT sanctioned on-premise applications, the application infrastructure and the data reside on enterprise-owned equipment. Examples include Microsoft Exchange and ActiveSync, as well as authentication tools such as Kerberos and LDAP.
  - IT Sanctioned SaaS Applications: SaaS applications are those where the software and infrastructure are owned and managed by the application service provider, but where you retain full control of the data, including who can create, access, share, and transfer it (for example, Salesforce, Box, and GitHub).
- Administrative Applications: These are applications that only a specific group of administrative users should have access to in order to administer applications and support users (for example, remote desktop applications).

General Types of Applications
Besides the applications you officially sanction and deploy, you will also want to allow your users to safely use other types of applications:
- General Business Applications: For example, allow access to software updates and web services, such as WebEx, Adobe online services, and Evernote.
- Personal Applications: For example, you may want to allow your users to browse the web or safely use web-based mail, instant messaging, or social networking applications.
The recommended approach here is to begin with wide application filters so you can gain an understanding of what applications are in use on your network. You can then decide how much risk you are willing to assume and begin to pare down the application whitelist. For example, suppose you find that Box, Dropbox, and Office 365 file sharing applications are all in use on your network. Each of these applications has an inherent risk associated with it, from data leakage to risks associated with transfer of malware-infected files. The best approach would be to officially sanction a single file sharing application and then begin to phase out the others by slowly transitioning from an allow policy to an alert policy, and finally, after giving users ample warning, a block policy for all file sharing applications except the one you choose to sanction. In this case, you might also choose to enable a small group of users to continue using an additional file sharing application as needed to perform job functions with partners.

Custom Applications Specific to Your Environment
If you have proprietary applications on your network or applications that you run on non-standard ports, it is a best practice to create custom applications for them. This way you can allow the application as a sanctioned application and lock it down to its default port. Otherwise you would either have to open up additional ports (for applications running on non-standard ports), or allow unknown traffic (for proprietary applications), neither of which is recommended in a best practice Security policy.
Create User Groups for Access to Whitelist Applications

Safely enabling applications means not only defining the list of applications you want to allow, but also enabling access only for those users who have a legitimate business need. For example, some applications, such as SaaS applications that enable access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not. Limiting user access to applications prevents potential security holes for an attacker to gain access to and control over systems in your network.

To enable user-based access to applications:

- Enable User-ID in zones from which your users initiate traffic.
- For each application whitelist rule you define, identify the user groups that have a legitimate business need for the applications allowed by the rule. Keep in mind that because the best practice approach is to map the application whitelist rules to your business goals (which includes considering which users have a business need for a particular type of application), you will have a much smaller number of rules to manage than if you were trying to map individual port-based rules to users.
- If you don't have an existing group on your AD server, you can alternatively create custom LDAP groups to match the list of users who need access to a particular application.

It just takes one end user to click on a phishing link and supply their credentials to enable an attacker to gain access to your network. To defend against this very simple and effective attack technique, Set Up Credential Phishing Prevention on all of your Security policy rules that allow user access to the internet. Configure Credential Detection with the Windows-based User-ID Agent to ensure that you can detect when your users are submitting their corporate credentials to a site in an unauthorized category.
Decrypt Traffic for Full Visibility and Threat Inspection

The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, Military, and Shopping.

Use decryption exceptions only where required, and be precise to ensure that you are limiting the exception to a specific application or user based on need only:

- If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
- If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.

To ensure that certificates presented during SSL decryption are valid, configure the firewall to perform CRL/OCSP checks.

Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption policy rules:

Best Practice Decryption Profile (settings table not captured in this text)
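As an added example (not PAN-OS code or configuration from this guide), the following Python function models the decryption decision described above: sensitive categories are never decrypted, precise exceptions for a user, a common name, or an address are honored, and everything else is decrypted. The session fields, the exception values, and the choice to block a session whose server certificate fails the CRL/OCSP check are assumptions of the example; the `audit_exceptions` helper flags exceptions that are broader than a single application or user, which is the imprecision the text warns against.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Sensitive URL categories that the best practice excludes from decryption
SENSITIVE_CATEGORIES = {"health", "finance", "government", "military", "shopping"}


@dataclass(frozen=True)
class Session:
    dst_ip: str                          # destination IP address
    server_name: str                     # SNI / certificate common name
    url_category: str                    # category of the destination (constructed values)
    user: Optional[str]                  # User-ID mapped user, None if unknown
    cert_revoked: Optional[bool] = None  # CRL/OCSP result; None means not checked


@dataclass
class DecryptionExceptions:
    """Exceptions scoped to one address, one domain/common name, or one user."""
    addresses: set = field(default_factory=set)  # IPs or CIDRs of apps that break
    names: set = field(default_factory=set)      # exact domain / common name matches
    users: set = field(default_factory=set)      # users excluded for legal reasons


def audit_exceptions(exc: DecryptionExceptions) -> list:
    """Flag exceptions that are wider than a single application or user."""
    findings = []
    for a in exc.addresses:
        net = ipaddress.ip_network(a, strict=False)
        if net.prefixlen < 24:
            findings.append(f"address exception {a} is wider than a /24")
    for n in exc.names:
        if n == "" or n.startswith("*"):
            findings.append(f"name exception {n!r} is a wildcard")
    return findings


def address_matches(ip: str, addresses) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in addresses)


def decide(s: Session, exc: DecryptionExceptions) -> Tuple[str, str]:
    """Return (action, reason); action is 'decrypt', 'no-decrypt' or 'block'.

    Sensitive categories and the precise exceptions are evaluated first and
    everything else is decrypted. Blocking a session whose server certificate
    failed the CRL/OCSP check is this example's assumption about what the
    strict Decryption Profile should do with an invalid certificate.
    """
    if s.url_category in SENSITIVE_CATEGORIES:
        return ("no-decrypt", f"sensitive category: {s.url_category}")
    if s.user is not None and s.user in exc.users:
        return ("no-decrypt", f"user exception: {s.user}")
    if s.server_name in exc.names:
        return ("no-decrypt", f"name exception: {s.server_name}")
    if address_matches(s.dst_ip, exc.addresses):
        return ("no-decrypt", f"address exception: {s.dst_ip}")
    if s.cert_revoked:
        return ("block", "server certificate revoked (CRL/OCSP)")
    return ("decrypt", "default: decrypt")


# Constructed exceptions and sessions for illustration
EXCEPTIONS = DecryptionExceptions(
    addresses={"203.0.113.10"},            # one application that breaks under decryption
    names={"legacy-app.example.com"},
    users={"hr-auditor"},                  # excluded for regulatory reasons
)
SAMPLE = [
    Session("198.51.100.20", "bank.example", "finance", "alice"),
    Session("198.51.100.21", "news.example", "news", "alice"),
    Session("203.0.113.10", "legacy-app.example.com", "business", "bob"),
    Session("198.51.100.22", "mail.example", "web-based-email", "hr-auditor"),
    Session("198.51.100.23", "bad.example", "unknown", "carol", cert_revoked=True),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.server_name, "->", decide(s, EXCEPTIONS))
    broad = DecryptionExceptions(addresses={"10.0.0.0/8"}, names={"*.example"})
    for f in audit_exceptions(broad):
        print("warning:", f)
```

Running the audit against an exception set that names an entire /8 or a wildcard host name produces a warning for each, while the narrowly scoped `EXCEPTIONS` set produces none.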
Create Best Practice Security Profiles

Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security policy rules that allow traffic so that you can detect threats, both known and unknown, in your network traffic. The following are the recommended best practice settings for each of the security profiles that you should attach to every Security policy rule.

Consider adding the best practice security profiles to a default security profile group so that it will automatically attach to any new Security policy rules you create.

Security Profile / Best Practice Settings

File Blocking
Use the predefined strict file blocking profile to block files that are commonly included in malware attack campaigns or that have no real use case for upload/download. The predefined strict profile blocks batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files as well as Windows Portable Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon, and .pif files. This profile allows download/upload of executables and archive files (.zip and .rar), but forces users to click continue before transferring a file to give them pause. The predefined profile alerts on all other file types for visibility into what other file transfers are happening so that you can determine if you need to make policy changes.
Why do I need this profile?
There are many ways for attackers to deliver malicious files: as attachments or links in corporate email or in webmail, links or IMs in social media, Exploit Kits, through file sharing applications (such as FTP, Google Drive, or Dropbox), or on USB drives. Attaching the strict file blocking profile reduces your attack surface by preventing these types of attacks.
What if I can't block all of the file types covered in the predefined strict profile?
If you have mission-critical applications that prevent you from blocking all of the file types included in the predefined strict profile, you can clone the profile and modify it for those users who must transfer a file type covered by the predefined profile. If you choose not to block all PE files per the recommendation, make sure you send all unknown files to WildFire for analysis. Additionally, set the Action to continue to prevent drive-by downloads, which is when an end user downloads content that installs malicious files, such as Java applets or executables, without knowing they are doing it. Drive-by downloads can occur when users visit websites, view email messages, or click into pop-up windows meant to deceive them. Educate your users that if they are prompted to continue with a file transfer they didn't knowingly initiate, they may be subject to a malicious download. In addition, using file blocking in conjunction with URL filtering to limit the categories in which users can transfer files is another good way to reduce the attack surface when you find it necessary to allow file types that may carry threats.
Antivirus
Attach an Antivirus profile to all allowed traffic to detect and prevent viruses and malware from being transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. The best practice Antivirus profile uses the default action when it detects traffic that matches either an Antivirus signature or a WildFire signature. The default action differs for each protocol and follows the most up-to-date recommendation from Palo Alto Networks for how to best prevent malware in each type of protocol from propagating.
By default, the firewall alerts on viruses found in SMTP traffic. However, if you don't have a dedicated Antivirus gateway solution in place for your SMTP traffic, define a stricter action for this protocol to protect against infected email content. Use the reset-both action to return a 541 response to the sending SMTP server to prevent it from resending the blocked message.
Why do I need this profile?
By attaching Antivirus profiles to all Security rules you can block known malicious files (malware, ransomware bots, and viruses) as they are coming into the network. Common ways for users to receive malicious files include malicious attachments in email, links to download malicious files, or silent compromise with Exploit Kits that exploit a vulnerability and then automatically deliver malicious payloads to the end user.

Vulnerability Protection
Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. The best practice profile is a clone of the predefined Strict profile, with packet capture settings enabled to help you track down the source of any potential attacks.
Why do I need this profile?
Without strict vulnerability protection, attackers can leverage client- and server-side vulnerabilities to compromise end users. For example, an attacker could leverage a vulnerability to install malicious code on client systems or use an Exploit Kit (Angler, Nuclear, Fiesta, KaiXin) to automatically deliver malicious payloads to the end user. Vulnerability Protection profiles also prevent an attacker from using vulnerabilities on internal hosts to move laterally within your network.

Anti-Spyware
Attach an Anti-Spyware profile to all allowed traffic to detect command and control (C2) traffic initiated from spyware installed on a server or endpoint and prevent compromised systems from establishing an outbound connection from your network. The best practice Anti-Spyware profile resets the connection when the firewall detects a medium, high, or critical severity threat and blocks or sinkholes any DNS queries for known malicious domains.
To create this profile, clone the predefined strict profile and make sure to enable DNS sinkhole and packet capture to help you track down the endpoint that attempted to resolve the malicious domain.
URL Filtering
As a best practice, use PAN-DB URL filtering to prevent access to web content that is at high risk for being malicious. Attach a URL Filtering profile to all rules that allow access to web-based applications to protect against URLs that have been observed hosting malware or exploitive content.
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include malware, phishing, dynamic DNS, unknown, proxy avoidance and anonymizers, questionable, extremism, copyright infringement, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command and control activity, and data exfiltration.
In addition to blocking known bad categories, you should also alert on all other categories so that you have visibility into the sites your users are visiting. If you need to phase in a block policy, set categories to continue and create a custom response page to educate users on your acceptable use policies and alert them to the fact that they are visiting a site that may pose a threat. This will pave the way for you to outright block the categories after a monitoring period.
What if I can't block all of the recommended categories?
If you find that users need access to sites in the blocked categories, consider creating an allow list for just the specific sites, if you feel the risk is justified. On categories you decide to allow, make sure you Set Up Credential Phishing Prevention to ensure that users aren't submitting their corporate credentials to a site that may be hosting a phishing attack.
Allowing traffic to a recommended block category poses the following risks:
- malware: Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
- phishing: Known to host credential phishing pages or phishing for personal identification.
- dynamic-dns: Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
- unknown: Sites that have not yet been identified by PAN-DB, perhaps because they were just registered. However, oftentimes these are sites that are generated by domain generation algorithms and are later found to exhibit malicious behavior.
- proxy-avoidance-and-questionable: URLs and services often used to bypass content filtering products.
- questionable: Domains with illegal content, such as content that allows illegal download of software or other intellectual property.
- parked: Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
WildFire Analysis
While the rest of the best practice security profiles significantly reduce the attack surface on your network by detecting and blocking known threats, the threat landscape is ever changing and the risk of unknown threats lurking in the files we use daily (PDFs, Microsoft Office documents such as .doc and .xls files) is ever growing. And, because these unknown threats are increasingly sophisticated and targeted, they often go undetected until long after a successful attack. To protect your network from unknown threats, you must configure the firewall to forward files to WildFire for analysis. Without this protection, attackers have free rein to infiltrate your network and exploit vulnerabilities in the applications your employees use every day. Because WildFire protects against unknown threats, it is your greatest defense against advanced persistent threats (APTs).
The best practice WildFire Analysis profile sends all files in both directions (upload and download) to WildFire for analysis. Specifically, make sure you are sending all PE files (if you're not blocking them per the file blocking best practice), Adobe Flash and Reader files (PDF, SWF), Microsoft Office files (PowerPoint, Excel, Word, RTF), Java files (Java, .CLASS), and Android files (.APK).
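The following Python script is an added example (not PAN-OS configuration, API output, or code from this guide) that audits a constructed model of a Security policy rulebase against the profile settings in the table above: every allow rule must carry all six profile types, PE files may be allowed only if they are forwarded to WildFire, the File Blocking profile must use the continue action for archives, the URL Filtering profile must block the listed dangerous categories, DNS sinkhole and packet capture must be enabled, and WildFire analysis must cover both directions. The rule and profile objects are constructed dictionaries whose keys are the example's own naming, and the `smtp_av_gateway` flag is the example's way of expressing whether a dedicated SMTP antivirus gateway exists.

```python
from typing import Dict, List

# Profile types that every Security policy allow rule must carry
REQUIRED_PROFILES = ("file-blocking", "antivirus", "vulnerability-protection",
                     "anti-spyware", "url-filtering", "wildfire-analysis")

# URL categories the best practice URL Filtering profile sets to block
DANGEROUS_URL_CATEGORIES = {
    "malware", "phishing", "dynamic-dns", "unknown",
    "proxy-avoidance-and-anonymizers", "questionable", "extremism",
    "copyright-infringement", "parked",
}

# Windows PE file types the predefined strict File Blocking profile blocks
PE_FILE_TYPES = {"exe", "cpl", "dll", "ocx", "sys", "scr", "drv", "efi", "fon", "pif"}

# File types the WildFire Analysis profile should forward (constructed labels)
WILDFIRE_FILE_TYPES = {"pe", "pdf", "flash", "ms-office", "jar", "class", "apk"}


def audit_rule(rule: Dict, smtp_av_gateway: bool = False) -> List[str]:
    """Return the findings for one rule; an empty list means it is compliant.

    `rule` is a constructed dict: {"name", "action", "profiles": {type: settings}}.
    Profiles only matter on allow rules, so deny rules always pass.
    """
    findings = []
    if rule["action"] != "allow":
        return findings
    profiles = rule.get("profiles", {})
    for ptype in REQUIRED_PROFILES:
        if ptype not in profiles:
            findings.append(f"missing {ptype} profile")

    fb = profiles.get("file-blocking")
    wf = profiles.get("wildfire-analysis")
    if fb is not None:
        unblocked_pe = PE_FILE_TYPES - fb.get("block", set())
        # Allowing PE files is acceptable only if they are sent to WildFire
        if unblocked_pe and not (wf and "pe" in wf.get("forward", set())):
            findings.append(f"PE types {sorted(unblocked_pe)} allowed without WildFire forwarding")
        if fb.get("archives_action") != "continue":
            findings.append("archives (.zip/.rar) should use the continue action")

    av = profiles.get("antivirus")
    if av is not None and av.get("smtp_action") == "alert" and not smtp_av_gateway:
        findings.append("SMTP action is alert but no dedicated antivirus gateway exists")

    vp = profiles.get("vulnerability-protection")
    if vp is not None and not vp.get("packet_capture"):
        findings.append("vulnerability protection packet capture is disabled")

    asw = profiles.get("anti-spyware")
    if asw is not None:
        if not asw.get("dns_sinkhole"):
            findings.append("DNS sinkhole is disabled")
        if not asw.get("packet_capture"):
            findings.append("anti-spyware packet capture is disabled")

    uf = profiles.get("url-filtering")
    if uf is not None:
        not_blocked = DANGEROUS_URL_CATEGORIES - uf.get("block", set())
        if not_blocked:
            findings.append(f"dangerous URL categories not blocked: {sorted(not_blocked)}")

    if wf is not None:
        if wf.get("direction") != "both":
            findings.append("WildFire analysis should cover both upload and download")
        missing = WILDFIRE_FILE_TYPES - wf.get("forward", set())
        if missing:
            findings.append(f"file types not forwarded to WildFire: {sorted(missing)}")
    return findings


def audit_rulebase(rules, smtp_av_gateway: bool = False) -> Dict[str, List[str]]:
    return {r["name"]: audit_rule(r, smtp_av_gateway) for r in rules}


# Constructed profile sets: one following the table above, one that does not
BEST_PRACTICE_PROFILES = {
    "file-blocking": {"block": PE_FILE_TYPES | {"bat", "class", "hlp", "lnk", "torrent"},
                      "archives_action": "continue"},
    "antivirus": {"smtp_action": "reset-both"},
    "vulnerability-protection": {"packet_capture": True},
    "anti-spyware": {"dns_sinkhole": True, "packet_capture": True},
    "url-filtering": {"block": set(DANGEROUS_URL_CATEGORIES), "alert": {"all-others"}},
    "wildfire-analysis": {"direction": "both", "forward": set(WILDFIRE_FILE_TYPES)},
}
WEAK_PROFILES = {
    "file-blocking": {"block": {"bat", "lnk"}, "archives_action": "alert"},
    "antivirus": {"smtp_action": "alert"},
    "url-filtering": {"block": {"malware", "phishing"}},
}
SAMPLE_RULEBASE = [
    {"name": "allow-sanctioned-saas", "action": "allow", "profiles": BEST_PRACTICE_PROFILES},
    {"name": "allow-general-web", "action": "allow", "profiles": WEAK_PROFILES},
    {"name": "block-bad-apps", "action": "deny", "profiles": {}},
]

if __name__ == "__main__":
    for name, findings in audit_rulebase(SAMPLE_RULEBASE).items():
        print(name, "->", findings or "compliant")
```

The weak rule produces seven findings (three missing profiles, PE files allowed with no WildFire forwarding, archives not set to continue, the SMTP alert action, and the unblocked URL categories); passing `smtp_av_gateway=True` removes only the SMTP finding, which is how the environment-specific exception in the Antivirus row is expressed.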
Define the Initial Internet Gateway Security Policy

The overall goal of a best practice internet gateway security policy is to use positive enforcement of whitelist applications. However, it takes some time to identify exactly what applications are running on your network, which of these applications are critical to your business, and who the users are that need access to each one. The best way to accomplish the end goal of a policy rulebase that includes only application allow rules is to create an initial policy rulebase that liberally allows both the applications you officially provision for your users as well as other general business and, if appropriate, personal applications. This initial policy also includes additional rules that explicitly block known malicious IP addresses and bad applications, as well as some temporary allow rules that are designed to help you refine your policy and prevent applications your users may need from breaking while you transition to the best practices.

The following topics describe how to create the initial rulebase and describe why each rule is necessary and what the risks are of not following the best practice recommendation:

- Step 1: Create Rules Based on Trusted Threat Intelligence Sources
- Step 2: Create the Application Whitelist Rules
- Step 3: Create the Application Block Rules
- Step 4: Create the Temporary Tuning Rules
- Step 5: Enable Logging for Traffic that Doesn't Match Any Rules
Step 1: Create Rules Based on Trusted Threat Intelligence Sources

Before you allow and block traffic by application, it is advisable to block traffic from IP addresses that Palo Alto Networks and trusted third-party sources have proven to be malicious. The rules below ensure that your network is always protected against the IP addresses from the Palo Alto Networks Malicious IP Address Feeds and other feeds, which are compiled and dynamically updated based on the latest threat intelligence.

Create Rules Based on Trusted Threat Intelligence Sources

Step 1  Block traffic to and from IP addresses that Palo Alto Networks has identified as malicious.
Why do I need these rules?
These rules protect you against IP addresses that Palo Alto Networks has proven to be used almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
Rule Highlights
• One rule blocks outbound traffic to known malicious IP addresses, while another rule blocks inbound traffic from those addresses.
• Set the external dynamic list Palo Alto Networks - Known malicious IP addresses as the Destination address for the outbound traffic rule, and as the Source address for the inbound traffic rule.
• Deny traffic that matches these rules.
• Enable logging for traffic matching these rules so that you can investigate potential threats on your network.
• Because these rules are intended to catch malicious traffic, they match traffic from any user running on any port.

Step 2  Log traffic to and from high-risk IP addresses from trusted threat advisories.
Why do I need these rules?
Although Palo Alto Networks has no direct evidence of the maliciousness of the IP addresses in the high-risk IP address feed, you should monitor these IP addresses since threat advisories have linked them to malicious behavior.
You can use these rules to filter your Traffic logs and decide whether to block high-risk IP addresses based on the log activity.
Rule Highlights
• One rule logs outbound traffic to high-risk IP addresses, while another rule logs inbound traffic from those addresses.
• Set the external dynamic list Palo Alto Networks - High risk IP addresses as the Destination address for the outbound traffic rule, and as the Source address for the inbound traffic rule.
• Allow access for traffic matching these rules, but enable logging so that you can investigate a potential threat on your network.
• Because these rules are intended to catch malicious traffic, they match traffic from any user running on any port.
Step 3  (MineMeld users only) Block inbound traffic from IP addresses that trusted third-party feeds have identified as malicious.
Why do I need this rule?
Block traffic from malicious IP addresses based on block lists compiled by Spamhaus and the Internet Storm Center, a branch of the SANS Institute. The lists contain IP addresses that attackers use to spread malware, Trojans, and botnets, and to carry out large-scale infrastructure attacks.
Rule Highlights
• To enforce this rule:
  a. Use MineMeld to forward the IP addresses from the following sources (known as miners in MineMeld), spamhaus.DROP, spamhaus.EDROP, and dshield.block, to an external dynamic list.
  b. Configure the Firewall to Access an External Dynamic List, using the URL that MineMeld provides for the list.
  c. Set the external dynamic list as the Source address for the rule.
• Use the Drop Action to silently drop the traffic without sending a signal to the client or the server.
• Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
• Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.
Step 2: Create the Application Whitelist Rules

After you Identify Whitelist Applications you are ready to create the next part of the best practice internet gateway security policy rulebase: the application whitelist rules. Every whitelist rule you create must allow traffic based on application (not port) and, with the exception of certain infrastructure applications that require user access before the firewall can identify the user, must only allow access to known users. Whenever possible, Create User Groups for Access to Whitelist Applications so that you can limit user access to the specific users or user groups who have a business need to access the application.

When creating the application whitelist rules, make sure to place more specific rules above more general rules. For example, the rules for all of your sanctioned and infrastructure applications would come before the rules that allow general access to certain types of business and personal applications. This first part of the rulebase includes the allow rules for the applications you identified as part of your application whitelist:
• Sanctioned applications you provision and administer for business and infrastructure purposes
• General business applications that your users may need to use in order to get their jobs done
• General applications you may choose to allow for personal use

Every application whitelist rule also requires that you attach the best practice security profiles to ensure that you are scanning all allowed traffic for known and unknown threats. If you have not yet created these profiles, see Create Best Practice Security Profiles. And, because you can't inspect what you can't see, you must also make sure you have configured the firewall to Decrypt Traffic for Full Visibility and Threat Inspection.

Create the Application Whitelist Rules

Step 1  Allow access to your corporate DNS servers.
Why do I need this rule?
Access to DNS is required to provide network infrastructure services, but it is commonly exploited by attackers. Allowing access only on your internal DNS server reduces your attack surface.
Rule Highlights
• Because this rule is very specific, place it at the top of the rulebase.
• Create an address object to use for the destination address to ensure that users only access the DNS server in your data center.
• Because users will need access to these services before they are logged in, you must allow access to any user.

Step 2  Allow access to other required IT infrastructure resources.
Why do I need this rule?
Enable the applications that provide your network infrastructure and management functions, such as NTP, OCSP, STUN, and ping.
While DNS traffic allowed in the preceding rule is restricted to the destination address in the data center, these applications may not reside in your data center and therefore require a separate rule.
Rule Highlights
• Because these applications run on the default port, allow access to any user (users may not yet be a known user because of when these services are needed), and all have a destination address of any, contain them in a single application group and create a single rule to enable access to all of them.
• Users may not have logged in yet at the time they need access to the infrastructure applications, so make sure this rule allows access to any user.

Step 3  Allow access to IT-sanctioned SaaS applications.
Why do I need this rule?
With SaaS applications, your proprietary data is in the cloud. This rule ensures that only your known users have access to these applications (and the underlying data). Scan allowed SaaS traffic for threats.
Rule Highlights
• Group all sanctioned SaaS applications in an application group.
• SaaS applications should always run on the application-default port.
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 4  Allow access to IT-provisioned on-premise applications.
Why do I need this rule?
Business-critical data center applications are often leveraged in attacks during the exfiltration stage, using applications such as FTP, or in the lateral movement stage by exploiting application vulnerabilities.
Many data center applications use multiple ports; setting the Service to application-default safely enables the applications on their standard ports. You should not allow applications on non-standard ports because it is often associated with evasive behavior.
Rule Highlights
• Group all data center applications in an application group.
• Create an address group for your data center server addresses.
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.

Step 5  Allow access to applications your administrative users need.
Why do I need this rule?
To reduce your attack surface, Create User Groups for Access to Whitelist Applications. Because administrators often need access to sensitive account data and remote access to other systems (for example RDP), you can greatly reduce your attack surface by only allowing access to the administrators who have a business need.
Rule Highlights
• This rule restricts access to users in the IT_admins group.
• Create custom applications for internal applications or applications that run on non-standard ports so that you can enforce them on their default ports rather than opening additional ports on your network.
• If you have different user groups for different applications, create separate rules for granular control.

Step 6  Allow access to general business applications.
Why do I need this rule?
Beyond the applications you sanction for use and administer for your users, there are a variety of applications that users may commonly use for business purposes, for example to interact with partners, such as WebEx, Adobe online services, or Evernote, but which you may not officially sanction.
Because malware often sneaks in with legitimate web-based applications, this rule allows you to safely allow web browsing while still scanning for threats. See Create Best Practice Security Profiles.
Rule Highlights
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
• For visibility, create separate application filters for each type of application you want to allow.
• Attach the best practice security profiles to ensure that all traffic is free of known and unknown threats. See Create Best Practice Security Profiles.
Step 7  (Optional) Allow access to personal applications.
Why do I need this rule?
As the lines blur between work and personal devices, you want to ensure that all applications your users access are safely enabled and free of threats.
By using application filters, you can safely enable access to personal applications when you create this initial rulebase. After you assess what applications are in use, you can use the information to decide whether to remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use policies.
Rule Highlights
• Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
• For visibility, create separate application filters for each type of application you want to allow.
• Scan all traffic for threats by attaching your best practice security profile group. See Create Best Practice Security Profiles.

Step 8  Allow general web browsing.
Why do I need this rule?
While the previous rule allowed access to personal applications (many of them browser-based), this rule allows general web browsing.
General web browsing is more risk-prone than other types of application traffic. You must Create Best Practice Security Profiles and attach them to this rule in order to safely enable web browsing.
Because threats often hide in encrypted traffic, you must Decrypt Traffic for Full Visibility and Threat Inspection if you want to safely enable web browsing.
Rule Highlights
• This rule uses the same best practice security profiles as the rest of the rules, except for the File Blocking profile, which is more stringent because general web browsing traffic is more vulnerable to threats.
• This rule allows only known users to prevent devices with malware or embedded devices from reaching the internet.
• Use application filters to allow access to general types of applications.
• Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to browse to HTTPS sites that are excluded from decryption.
Step 3: Create the Application Block Rules

Although the overall goal of your security policy is to safely enable applications using application whitelist rules (also known as positive enforcement), the initial best practice rulebase must also include rules to help you find gaps in your policy and identify possible attacks. Because these rules are designed to catch things you didn't know were running on your network, they allow traffic that could also pose security risks on your network. Therefore, before you can create the temporary rules, you must create rules that explicitly blacklist applications designed to evade or bypass security or that are commonly exploited by attackers, such as public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file sharing applications.

Each of the tuning rules you will define in Step 4: Create the Temporary Tuning Rules is designed to identify a specific gap in your initial policy. Therefore some of these rules will need to go above the application block rules and some will need to go after.

Create the Application Block Rules

Step 1  Block applications that do not have a legitimate use case.
Why do I need this rule?
Block nefarious applications such as encrypted tunnels and peer-to-peer file sharing, as well as web-based file sharing applications that are not IT-sanctioned.
Because the tuning rules that follow are designed to allow traffic with malicious intent or legitimate traffic that is not matching your policy rules as expected, these rules could also allow risky or malicious traffic into your network. This rule prevents that by blocking traffic that has no legitimate use case and that could be used by an attacker or a negligent user.
Rule Highlights
• Use the Drop Action to silently drop the traffic without sending a signal to the client or the server.
• Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
• Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.

Step 2  Block public DNS and SMTP applications.
Why do I need this rule?
Block public DNS/SMTP applications to avoid DNS tunneling, command-and-control traffic, and remote administration.
Rule Highlights
• Use the Reset both client and server Action to send a TCP reset message to both the client-side and server-side devices.
• Enable logging for traffic matching this rule so that you can investigate a potential threat on your network.

Step 4: Create the Temporary Tuning Rules

The temporary tuning rules are explicitly designed to help you monitor the initial best practice rulebase for gaps and alert you to alarming behavior. For example, you will create temporary rules to identify traffic that is coming from unknown users or applications running on unexpected ports. By monitoring the traffic matching on the temporary rules you can also gain a full understanding of all of the applications in use on your network (and prevent applications from breaking while you transition to a best practice rulebase). You can use this information to help you fine-tune your whitelist, either by adding new whitelist rules to allow applications you weren't aware were needed or by narrowing your whitelist rules to remove application filters and instead allow only specific applications in a particular category. When traffic is no longer hitting these rules you can Remove the Temporary Rules.

Some of the temporary tuning rules must go above the rules to block bad applications and some must go after, to ensure that targeted traffic hits the appropriate rule while still ensuring that bad traffic is not allowed onto your network.

Create Temporary Tuning Rules

Step 1  Allow web browsing and SSL on non-standard ports for known users to determine if there are any legitimate applications running on non-standard ports.
Why do I need this rule?
This rule helps you determine if you have any gaps in your policy where users are unable to access legitimate applications because they are running on non-standard ports.
You must monitor all traffic that matches this rule. For any traffic that is legitimate, you should tune the appropriate allow rule to include the application, perhaps creating a custom application where appropriate.
Rule Highlights
• Unlike the whitelist rules that allow applications on the default port only, this rule allows web browsing and SSL traffic on any port so that you can find gaps in your whitelist.
• Because this rule is intended to find gaps in policy, limit it to known users on your network. See Create User Groups for Access to Whitelist Applications.
• Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to browse to HTTPS sites that aren't decrypted (such as financial services and healthcare sites).
• You must add this rule above the application block rules or no traffic will hit this rule.
Step 2  Allow web browsing and SSL traffic on non-standard ports from unknown users to highlight all unknown users regardless of port.
Why do I need this rule?
This rule helps you determine whether you have gaps in your User-ID coverage.
This rule also helps you identify compromised or embedded devices that are trying to reach the internet.
It is important to block non-standard port usage, even for web browsing traffic, because it is usually an evasion technique.
Rule Highlights
• While the majority of the application whitelist rules apply to known users or specific user groups, this rule explicitly matches traffic from unknown users.
• Note that this rule must go above the application block rules or traffic will never hit it.
• Because it is an allow rule, you must attach the best practice security profiles to scan for threats.

Step 3  Allow all applications on the application-default port to identify unexpected applications.
Why do I need this rule?
This rule provides visibility into applications that you weren't aware were running on your network so that you can fine-tune your application whitelist.
Monitor all traffic matching this rule to determine whether it represents a potential threat, or whether you need to modify your whitelist rules to allow the traffic.
Rule Highlights
• Because this rule allows all applications, you must add it after the application block rules to prevent bad applications from running on your network.
• If you are running PAN-OS 7.0.x or earlier, to appropriately identify unexpected applications, you must use an application filter that includes all applications, instead of setting the rule to allow any application.

Step 4  Allow any application on any port to identify applications running where they shouldn't be.
Why do I need this rule?
This rule helps you identify legitimate, known applications running on unknown ports.
This rule also helps you identify unknown applications for which you need to create a custom application to add to your application whitelist.
Any traffic matching this rule is actionable and requires that you track down the source of the traffic and ensure that you are not allowing any unknown-tcp, unknown-udp or non-syn-tcp traffic.
Rule Highlights
• Because this is a very general rule that allows any application from any user on any port, it must come at the end of your rulebase.
• Enable logging for traffic matching this rule so that you can investigate for misuse of applications and potential threats on your network or identify legitimate applications that require a custom application.
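To make the ordering argument of Steps 3 and 4 concrete, here is an added example (not from the guide or Palo Alto Networks) that models first-match evaluation of a rulebase laid out as described: whitelist rules, the two tuning rules that must sit above the block rules, the block rules, then the two catch-all tuning rules. The tuning rule names are the guide's; the whitelist and block rule names, the application names and the group membership are assumptions, and destination-address matching is omitted.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # allow, deny, drop or reset-both
    apps: frozenset                       # application names, or {"any"}
    users: str = ANY                      # "any", "known-user", "unknown" or a group name
    service: str = "application-default"  # or "any" to match the app on any port

@dataclass(frozen=True)
class Session:
    app: str
    user: str            # a user name, or "unknown" when User-ID has no mapping
    default_port: bool   # True when the app is seen on its application-default port

# Constructed group membership; a real firewall learns this through User-ID.
GROUPS = {"IT_admins": {"alice"}}

def user_matches(selector, user):
    if selector == ANY:
        return True
    if selector == "unknown":
        return user == "unknown"
    if selector == "known-user":
        return user != "unknown"
    return user in GROUPS.get(selector, set())

def rule_matches(rule, s):
    if ANY not in rule.apps and s.app not in rule.apps:
        return False
    if not user_matches(rule.users, s.user):
        return False
    if rule.service == "application-default" and not s.default_port:
        return False
    return True

def evaluate(rulebase, session):
    """First-match evaluation: the first rule whose criteria match decides the
    session; anything unmatched falls to the predefined interzone-default rule."""
    for rule in rulebase:
        if rule_matches(rule, session):
            return rule.name, rule.action
    return "interzone-default", "deny"

WEB = frozenset({"web-browsing", "ssl"})

# Whitelist rules (names assumed), most specific first.
WHITELIST = [
    Rule("Corporate DNS", "allow", frozenset({"dns"})),
    Rule("Sanctioned SaaS", "allow", frozenset({"office365"}), users="known-user"),
    Rule("Admin Apps", "allow", frozenset({"ms-rdp"}), users="IT_admins"),
    Rule("General Web Browsing", "allow", WEB, users="known-user"),
]
# Tuning rules 1 and 2 (names from the guide): must sit above the block rules.
TUNING_ABOVE = [
    Rule("Unexpected Port SSL and Web", "allow", WEB, users="known-user", service=ANY),
    Rule("Unknown User SSL and Web", "allow", WEB, users="unknown", service=ANY),
]
# Application block rule (name and application list assumed).
BLOCK = [
    Rule("Block Bad Apps", "drop", frozenset({"bittorrent", "tor"}), service=ANY),
]
# Tuning rules 3 and 4 (names from the guide): must come after the block rules.
TUNING_BELOW = [
    Rule("Unexpected Traffic", "allow", frozenset({ANY})),
    Rule("Unexpected Port Usage", "allow", frozenset({ANY}), service=ANY),
]

BEST_PRACTICE = WHITELIST + TUNING_ABOVE + BLOCK + TUNING_BELOW
# The same rules with the block rule below the catch-alls: the mistake the guide warns about.
MISORDERED = WHITELIST + TUNING_ABOVE + TUNING_BELOW + BLOCK
# The rulebase after tuning is finished and the temporary rules have been removed.
FINAL = WHITELIST

if __name__ == "__main__":
    p2p = Session("bittorrent", "bob", True)
    print(evaluate(BEST_PRACTICE, p2p))   # ('Block Bad Apps', 'drop')
    print(evaluate(MISORDERED, p2p))      # ('Unexpected Traffic', 'allow')
    print(evaluate(FINAL, Session("unknown-tcp", "bob", False)))  # ('interzone-default', 'deny')
```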
Step 5: Enable Logging for Traffic that Doesn't Match Any Rules

Traffic that does not match any of the rules you defined will match the predefined interzone-default rule at the bottom of the rulebase and be denied. For visibility into the traffic that is not matching any of the rules you created, enable logging on the interzone-default rule:

Enable Logging for Traffic That Doesn't Match Any Rules

Step 1  Select the interzone-default row in the rulebase and click Override to enable editing on this rule.
Step 2  Select the interzone-default rule name to open the rule for editing.
Step 4  Create a custom report to monitor traffic that hits this rule.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the interzone-default rule:
   (rule eq 'interzone-default')
Step 5  Commit the changes you made to the rulebase.
Monitor and Fine-Tune the Policy Rulebase

A best practice security policy is iterative. It is a tool for safely enabling applications, users, and content by classifying all traffic, across all ports, all the time. As soon as you Define the Initial Internet Gateway Security Policy, you must begin to monitor the traffic that matches the temporary rules designed to identify policy gaps and alarming behavior and tune your policy accordingly. By monitoring traffic hitting these rules, you can make appropriate adjustments to your rules to either make sure all traffic is hitting your whitelist application allow rules or assess whether particular applications should be allowed. As you tune your rulebase, you should see less and less traffic hitting these rules. When you no longer see traffic hitting these rules, it means that your positive enforcement whitelist rules are complete and you can Remove the Temporary Rules.

Because new App-IDs are added in weekly content releases, you should review the impact the changes in App-IDs have on your policy.

Identify Policy Gaps

Step 1  Create custom reports that let you monitor traffic that hits the rules designed to identify policy gaps.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name that indicates the particular policy gap you are investigating, such as Best Practice Policy Tuning.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the rules designed to find policy gaps and alarming behavior. You can create a single report that details traffic hitting any of the rules (using the or operator), or create individual reports to monitor each rule. Using the rule names defined in the example policy, you would enter the corresponding queries:
   (rule eq 'Unexpected Port SSL and Web')
   (rule eq 'Unknown User SSL and Web')
   (rule eq 'Unexpected Traffic')
   (rule eq 'Unexpected Port Usage')
Step 2  Review the report regularly to make sure you understand why traffic is hitting each of the best practice policy tuning rules and either update your policy to include legitimate applications and users, or use the information in the report to assess the risk of that application usage and implement policy reforms.

Remove the Temporary Rules

After several months of monitoring your initial internet gateway best practice security policy, you should see less and less traffic hitting the temporary rules as you make adjustments to the rulebase. When you no longer see any traffic hitting these rules, you have achieved your goal of transitioning to a fully application-based Security policy rulebase. At this point, you can finalize your policy rulebase by removing the temporary rules, which includes the rules you created to block bad applications and the rules you created for tuning the rulebase.

Remove the Temporary Rules

Step 2  Select the rule and click Delete.
Alternatively, Disable the rules for a period of time before deleting them. This would allow you to Enable them again if traffic logs show traffic matching the interzone-default rule.
Step 3  Commit the changes.
Maintain the Rulebase

Because applications are always evolving, your application whitelist will need to evolve also. Each time you make a change in what applications you sanction, you must make a corresponding policy change. As you do this, instead of just adding a new rule like you would do with a port-based policy, identify and modify the rule that aligns with the business use case for the application. Because the best practice rules leverage policy objects for simplified administration, adding support for a new application or removing an application from your whitelist typically means modifying the corresponding application group or application filter accordingly.

Additionally, installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for applications with new or modified App-IDs. Therefore, before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing Security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policy rules and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.

Maintain the Best Practice Rulebase

Step 1  Before installing a new content release version, review the new App-IDs to determine if there is policy impact.
Step 2  Disable new App-IDs introduced in a content release, in order to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.
Step 3  Tune security policy rules to account for App-ID changes included in a content release or to add new sanctioned applications to or remove applications from your application whitelist rules.
Enumeration of Rules Within a Rulebase

Each rule within a rulebase is automatically numbered and the ordering adjusts as rules are moved or reordered. When filtering rules to find rules that match the specified filter(s), each rule is listed with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order.

On Panorama, pre-rules, post-rules, and default rules are independently numbered. When Panorama pushes rules to a firewall, the rule numbering reflects the hierarchy and evaluation order of shared rules, device group pre-rules, firewall rules, device group post-rules, and default rules. The Preview Rules option in Panorama displays an ordered list view of the total number of rules on a firewall.

View the Ordered List of Rules Within a Rulebase

• View the numbered list of rules on the firewall.
  Select Policies and any rulebase under it. For example, Policies > Security. The leftmost column in the table displays the rule number.
• View the numbered list of rules on Panorama.
  Select Policies and any rulebase under it. For example, Policies > Security > Pre-rules.
• After you push the rules from Panorama, view the complete list of rules with numbers on the firewall.
  From the web interface of the firewall, select Policies and pick any rulebase under it. For example, select Policies > Security and view the complete set of numbered rules that the firewall will evaluate.
Move or Clone a Policy Rule or Object to a Different Virtual System

On a firewall that has more than one virtual system (vsys), you can move or clone policy rules and objects to a different vsys or to the Shared location. Moving and cloning save you the effort of deleting, recreating, or renaming rules and objects. If the policy rule or object that you will move or clone from a vsys has references to objects in that vsys, move or clone the referenced objects also. If the references are to shared objects, you do not have to include those when moving or cloning. You can Use Global Find to Search the Firewall or Panorama Management Server for references.

Move or Clone a Policy Rule or Object to a Virtual System

Step 3  Perform one of the following steps:
• Select Move > Move to other vsys (for policy rules).
• Click Move (for objects).
• Click Clone (for policy rules or objects).
Step 4  In the Destination drop-down, select the new virtual system or Shared.
Step 7  Click OK to start the error validation. If the firewall displays errors, fix them and retry the move or clone operation. If the firewall doesn't find errors, the object is moved or cloned successfully. After the operation finishes, click Commit.
Use Tags to Group and Visually Distinguish Objects

You can tag objects to group related items and add color to the tag in order to visually distinguish them for easy scanning. You can create tags for the following objects: address objects, address groups, zones, service groups, and policy rules.

The firewall and Panorama support both static tags and dynamic tags. Dynamic tags are registered from a variety of sources and are not displayed with the static tags because dynamic tags are not part of the firewall/Panorama configuration. See Register IP Addresses and Tags Dynamically for information on registering tags dynamically. The tags discussed in this section are statically added and are part of the configuration.

You can apply one or more tags to objects and to policy rules, up to a maximum of 64 tags per object. Panorama supports a maximum of 10,000 tags, which you can apportion across Panorama (shared and device groups) and the managed firewalls (including firewalls with multiple virtual systems).
• Create and Apply Tags
• Modify Tags
• Use the Tag Browser

Create and Apply Tags
6. Click OK and Commit to save the changes.
Modify Tags
For details on creating tags, see Create and Apply Tags. For information on working with tags, see Use the Tag Browser.

Use the Tag Browser

The tag browser provides a way to view all the tags used within a rulebase. In rulebases with a large number of rules, the tag browser simplifies the display by presenting the tags, the color code, and the rule numbers in which the tags are used.

It also allows you to group rules using the first tag applied to the rule. As a best practice, use the first tag to identify the primary purpose for a rule. For example, the first tag can identify a rule by a high-level function such as best practice, or internet access or IT-sanctioned applications or high-risk applications. In the tag browser, when you Filter by first tag in rule, you can easily identify gaps in coverage and move rules or add new rules within the rulebase. All the changes are saved to the candidate configuration until you commit the changes on the firewall and make them a part of the running configuration.

For firewalls that are managed by Panorama, the tags applied to pre-rules and post-rules that have been pushed from Panorama display in a green background and are demarcated with green lines so that you can identify these tags from the local tags on the firewall.

Use the Tag Browser

6. Search bar: To search for a tag, enter the term and click the green arrow icon to apply the filter. It also displays the total number of tags in the rulebase and the number of selected tags.
7. Expand or collapse the tag browser.
Tag a rule.
1. Select a rule on the right pane.
2. Do one of the following:
   • Select a tag in the tag browser and select Apply the Tag to the Selection(s) from the drop-down.
   • Drag and drop tag(s) from the tag browser onto the Tags column of the rule. When you drop a tag, a confirmation dialog displays.
3. Commit the changes.

View rules that match the selected tags.
You can filter rules based on tags with an AND or an OR operator.
• OR filter: To view rules that have specific tags, select one or more tags in the tag browser; the right pane only displays the rules that include any of the currently selected tags.
• AND filter: To view rules that have all the selected tags, hover over the number associated with the tag in the Rule column of the tag browser and select Filter. Repeat to add more tags. Click the apply filter icon in the search bar on the right pane. The results are displayed using an AND operator.

View the currently selected tags.
To view the currently selected tags, hover over the Clear label in the tag browser.

Untag a rule.
Hover over the rule number associated with a tag in the Rule column of the tag browser and select Untag Rule(s). Confirm that you want to remove the selected tag from the rule. Commit the changes.
Reorder rules using tags.
Select one or more tags and hover over the rule number in the Rule column of the tag browser and select Move Rule(s). Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down. Commit the changes.

Add a new rule that applies the selected tags.
Select one or more tags and hover over the rule number in the Rule column of the tag browser, and select Add New Rule. Define the rule and Commit the changes.
The numerical order of the new rule varies by whether you selected a rule on the right pane. If you did not select a rule on the right pane, the new rule will be added after the rule to which the selected tag(s) belongs. Otherwise, the new rule is added after the selected rule.

Search for a tag.
In the tag browser, enter the first few letters of the tag name you want to search for and click the Apply Filter icon. The tags that match your input will display.
Use an External Dynamic List in Policy

An external dynamic list (formerly called dynamic block list) is a text file that you or another source hosts on an external web server so that the firewall can import objects (IP addresses, URLs, domains) to enforce policy on the entries in the list. As the list is updated, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall.
• External Dynamic List
• Formatting Guidelines for an External Dynamic List
• Palo Alto Networks Malicious IP Address Feeds
• Configure the Firewall to Access an External Dynamic List
• Retrieve an External Dynamic List from the Web Server
• View External Dynamic List Entries
• Exclude Entries from an External Dynamic List
• Enforce Policy on an External Dynamic List
• Find External Dynamic Lists That Failed Authentication
• Disable Authentication for an External Dynamic List

External Dynamic List

An External Dynamic List is a text file that is hosted on an external web server so that the firewall can import objects (IP addresses, URLs, domains) included in the list and enforce policy. To enforce policy on the entries included in the external dynamic list, you must reference the list in a supported policy rule or profile. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall. If the web server is unreachable, the firewall will use the last successfully retrieved list for enforcing policy until the connection is restored with the web server, but only if the list is not secured with SSL. To retrieve the external dynamic list, the firewall uses the interface configured with the Palo Alto Networks Services service route.

The firewall supports four types of external dynamic lists:
• IP Address: The firewall typically enforces policy for a source or destination IP address that is defined as a static object on the firewall (see Use an External Dynamic List of Type IP or Predefined IP as a Source or Destination Address Object in a Security Policy Rule). If you need agility in enforcing policy for a list of source or destination IP addresses that emerge ad hoc, you can use an external dynamic list of type IP address as a source or destination address object in policy rules, and configure the firewall to deny or allow access to the IP addresses (IPv4 and IPv6 addresses, IP ranges and IP subnets) included in the list. The firewall treats an external dynamic list of type IP address as an address object; all the IP addresses included in a list are handled as one address object.
• Predefined IP Address: A predefined IP address list is a type of IP address list that refers to either of the two Palo Alto Networks Malicious IP Address Feeds, which have fixed or predefined contents. These feeds are automatically added to your firewall if you have an active Threat Prevention license. A predefined IP address list can also refer to any external dynamic list you create that uses a Palo Alto Networks IP address feed as a source.
• URL: An external dynamic list of type URL gives you the agility to protect your network from new sources of threat or malware. The firewall handles an external dynamic list with URLs like a custom URL category and you can use this list in two ways:
  • As a match criterion in Security policy rules, Decryption policy rules, and QoS policy rules to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the custom category.
  • In a URL Filtering profile where you can define more granular actions, such as continue, alert, or override, before you attach the profile to a Security policy rule (see Use an External Dynamic List in a URL Filtering Profile).
• Domain: An external dynamic list of type domain allows you to import custom domain names into the firewall to enforce policy using an Anti-Spyware profile. This capability is very useful if you subscribe to third-party threat intelligence feeds and want to protect your network from new sources of threat or malware as soon as you learn of a malicious domain. For each domain you include in the external dynamic list, the firewall creates a custom DNS-based spyware signature so that you can enable DNS sinkholing. The DNS-based spyware signature is of type spyware with medium severity and each signature is named Custom Malicious DNS Query <domain name>. For details, see Configure DNS Sinkholing for a List of Custom Domains.

On each firewall model, you can use a maximum of 30 external dynamic lists with unique sources to enforce policy; predefined IP address feeds do not count toward this limit. The external dynamic list limit is not applicable to Panorama. When using Panorama to manage a firewall that is enabled for multiple virtual systems, if you exceed the limit for the firewall, a commit error displays on Panorama. A source is a URL that includes the IP address or hostname, the path, and the filename for the external dynamic list. The firewall matches the URL (complete string) to determine whether a source is unique.

While the firewall does not impose a limit on the number of lists of a specific type, the following limits are enforced:
• IP address: The PA-5000 Series, PA-5200 Series, and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other models support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list. When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message. The IP addresses in predefined IP address lists do not count toward the limit.
• URL and domain: A maximum of 50,000 URLs and 50,000 domains are supported on each model, with no limits enforced on the number of entries per list.
List entries only count toward the firewall limits if they belong to an external dynamic list that is referenced in policy.

When parsing the list, the firewall skips entries that do not match the list type, and ignores entries that exceed the maximum number supported for the model. To ensure that the entries do not exceed the limit, check the number of entries currently used in policy. Select Objects > External Dynamic Lists and click List Capacities.
Formatting Guidelines for an External Dynamic List
An external dynamic list of one type (IP address, URL or Domain) must include entries of that type only. The entries in a predefined IP address list comply with the formatting guidelines for IP address lists.
- IP Address List
- Domain List
- URL List
IP Address List
The external dynamic list can include individual IP addresses, subnet addresses (address/mask), or ranges of IP addresses. In addition, the block list can include comments and special characters such as *, :, ;, #, or /. The syntax for each line in the list is [IP address, IP/Mask, or IP start range-IP end range] [space] [comment].
Enter each IP address/range/subnet in a new line; URLs or domains are not supported in this list. A subnet or an IP address range, such as 92.168.20.0/24 or 192.168.20.40-192.168.20.50, counts as one IP address entry and not as multiple IP addresses. If you add comments, the comment must be on the same line as the IP address/range/subnet. The space at the end of the IP address is the delimiter that separates a comment from the IP address.
An example IP address list:
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
For an IP address that is blocked, you can display a notification page only if the protocol is HTTP.
Domain List
Enter each domain name in a new line; URLs or IP addresses are not supported in this list. Do not prefix the domain name with the protocol, http:// or https://. Wildcards are not supported.
An example list of domains:
www.example.com
baddomain.com
qqq.abcedfg.au
URL List
See Block and Allow Lists.
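As an added example (not from the guide), the following Python parser applies the IP-list and domain-list rules above the way the guide says the firewall does: the first space ends an entry, off-type entries are skipped, and entries beyond the model's capacity are ignored. The sample lists, the hostname regular expression, and the way a range is validated are assumptions of this example.

```python
import ipaddress
import re

# Caps stated in the guide: 50,000 IP addresses on most models (150,000 on the
# PA-5000, PA-5200 and PA-7000 Series) and 50,000 domains on every model.
IP_LIMIT_DEFAULT = 50_000
IP_LIMIT_HIGH_END = 150_000
DOMAIN_LIMIT = 50_000

# Assumed hostname shape: dot-separated labels of letters, digits and hyphens.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def parse_ip_entry(line):
    """Return the IP entry from one IP-list line, or None if it is not an IP entry.

    Per the guide, the first space ends the entry; whatever follows is a comment,
    so ';', '#', '*' and the like are tolerated there but never inside the entry.
    """
    token = line.strip().split(" ", 1)[0]
    if not token:
        return None
    if "-" in token:  # start-end range; both ends must share an IP version
        start, _, end = token.partition("-")
        try:
            a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError:
            return None
        return token if a.version == b.version and a <= b else None
    try:
        ipaddress.ip_network(token, strict=False)  # single IP or address/mask
    except ValueError:
        return None
    return token


def parse_domain_entry(line):
    """Return the domain from one domain-list line, or None if it is not a domain.

    The guide rules out scheme prefixes, wildcards, URLs and IP addresses.
    """
    token = line.strip().split(" ", 1)[0]
    if not token or "*" in token or token.lower().startswith(("http://", "https://")):
        return None
    try:
        ipaddress.ip_address(token)
        return None  # IP addresses belong in an IP list, not a domain list
    except ValueError:
        pass
    return token if _DOMAIN_RE.match(token) else None


def parse_edl(text, list_type, limit):
    """Mimic the firewall's parse of a fetched list.

    Entries that do not match the list type are skipped; entries beyond the
    model's capacity are ignored. Returns (accepted, skipped, ignored_over_limit).
    """
    parser = {"ip": parse_ip_entry, "domain": parse_domain_entry}[list_type]
    accepted, skipped, over_limit = [], [], 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parser(raw)
        if entry is None:
            skipped.append(raw)
        elif len(accepted) >= limit:
            over_limit += 1
        else:
            accepted.append(entry)
    return accepted, skipped, over_limit


# Constructed sample lists: the guide's example entries plus a few lines of the
# wrong type, to show what the firewall would skip.
SAMPLE_IP_LIST = """192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
www.example.com
www.example.com/path
192.168.20.60-192.168.20.55
"""

SAMPLE_DOMAIN_LIST = """www.example.com
baddomain.com
qqq.abcedfg.au
http://www.example.com
*.example.com
192.168.20.10
"""
```

Calling parse_edl(SAMPLE_IP_LIST, "ip", 2) shows the capacity behaviour: two entries are accepted and the remaining three valid ones are counted as ignored rather than skipped.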
Palo Alto Networks Malicious IP Address Feeds
With an active Threat Prevention license, Palo Alto Networks provides two feeds with malicious IP addresses that you can use to secure your network against malicious hosts.
- Palo Alto Networks Known Malicious IP Addresses: Contains IP addresses that are verified malicious based on WildFire analysis, Unit 42 research, and data gathered from telemetry (Share Threat Intelligence with Palo Alto Networks). Attackers use these IP addresses almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
- Palo Alto Networks High-Risk IP Addresses: Contains malicious IP addresses from threat advisories issued by trusted third-party organizations. Palo Alto Networks compiles the list of threat advisories, but does not have direct evidence of the maliciousness of the IP addresses.
The firewall receives updates for these feeds through daily antivirus content updates, allowing you to enforce security policy on the firewall based on the latest threat intelligence from Palo Alto Networks. The Palo Alto Networks IP address feeds are predefined, which means that you cannot modify their contents. You can use them as is (see Enforce Policy on an External Dynamic List), or create a custom external dynamic list that uses either feed as a source (see Configure the Firewall to Access an External Dynamic List) and exclude entries from the list as needed.
Configure the Firewall to Access an External Dynamic List
You must establish the connection between the firewall and the source that hosts the external dynamic list before you can Enforce Policy on an External Dynamic List.
Configure the Firewall to Access an External Dynamic List
Step 1 (Optional) Customize the service route that the firewall uses to retrieve external dynamic lists.
Select Device > Setup > Services > Service Route Configuration > Customize and modify the External Dynamic Lists service route.
NOTE: The firewall does not use the External Dynamic Lists service route to retrieve the Palo Alto Networks Malicious IP Address Feeds; it dynamically receives updates to these feeds through daily antivirus content updates (active Threat Prevention license required).
Step 2 Find an external dynamic list to use with the firewall.
- Create an external dynamic list and host it on a web server. Enter IP addresses, domains, or URLs in a blank text file. Each list entry must be on a separate line. For example:
  financialtimes.co.in
  www.wallaby.au/joey
  www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
  *.example.com/*
  abc?*/abc.com
  *&*.net
  See the Formatting Guidelines for an External Dynamic List to ensure that the firewall does not skip list entries. To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries.
- Use an external dynamic list hosted by another source and verify that it follows the Formatting Guidelines for an External Dynamic List.
Step 4 Click Add and enter a descriptive Name for the list.
Step 5 (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
Step 8 Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
If you are creating a list of type Predefined IP, select a Palo Alto Networks malicious IP address feed to use as a source.
Step 9 If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server authentication. Select a Certificate Profile or create a New Certificate Profile for authenticating the server that hosts the list. The certificate profile you select must have root CA (certificate authority) and intermediate CA certificates that match the certificates installed on the server you are authenticating.
Maximize the number of external dynamic lists that you can use to enforce policy. Use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.
Step 10 Enable client authentication if the list source has an HTTPS URL and requires basic HTTP authentication for list access.
1. Select Client Authentication.
2. Enter a valid Username to access the list.
3. Enter the Password and Confirm Password.
Step 12 (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes.
NOTE: The interval is relative to the last commit. So, for the five minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
Step 13 Click OK and Commit.
Step 14 Enforce Policy on an External Dynamic List.
If the server or client authentication fails, the firewall ceases to enforce policy based on the last successfully retrieved external dynamic list. Find External Dynamic Lists That Failed Authentication and view the reasons for authentication failure.
Retrieve an External Dynamic List from the Web Server
When you Configure the Firewall to Access an External Dynamic List, you can configure the firewall to retrieve the list from the web server on an hourly, daily, weekly, or monthly basis. If you have added or deleted IP addresses from the list and need to trigger an immediate refresh, use the following process to fetch the updated list.
Retrieve an External Dynamic List
Step 3 To view the status of the job in the Task Manager, see Manage and Monitor Administrative Tasks.
Step 4 (Optional) After the firewall retrieves the list, View External Dynamic List Entries.
View External Dynamic List Entries
Before you Enforce Policy on an External Dynamic List, you can view the contents of an external dynamic list directly on the firewall to check if it contains certain IP addresses, domains, or URLs. The entries displayed are based on the version of the external dynamic list that the firewall most recently retrieved.
View External Dynamic List Entries
Step 2 Click the external dynamic list you want to view.
The list might be empty if:
- The firewall has not yet retrieved the external dynamic list. To force the firewall to retrieve an external dynamic list immediately, Retrieve an External Dynamic List from the Web Server.
- The firewall is unable to access the server that hosts the external dynamic list. Click Test Source URL to verify that the firewall can connect to the server.
Step 5 (Optional) View the AutoFocus Intelligence Summary for a list entry. Hover over an entry to open the drop-down and then click AutoFocus.
Exclude Entries from an External Dynamic List
As you view the entries of an external dynamic list, you can exclude up to 100 entries from the list. The ability to exclude entries from an external dynamic list gives you the option to enforce policy on some (but not all) of the entries in a list. This is helpful if you cannot edit the contents of an external dynamic list (such as the Palo Alto Networks High-Risk IP Addresses feed) because it comes from a third-party source.
Exclude Entries from an External Dynamic List
Step 1 View External Dynamic List Entries.
Step 3 Click OK and Commit to save your changes.
Step 4 (Optional) Enforce Policy on an External Dynamic List.
Enforce Policy on an External Dynamic List
Block or allow traffic based on IP addresses or URLs in an external dynamic list, or use a dynamic domain list with a DNS sinkhole to prevent access to malicious domains. Refer to the table below for the ways you can use external dynamic lists to enforce policy on the firewall.
Enforce Policy on Entries in an External Dynamic List
- Configure DNS Sinkholing for a List of Custom Domains.
- Use an External Dynamic List in a URL Filtering Profile.
Tips for enforcing policy on the firewall with external dynamic lists:
- When viewing external dynamic lists on the firewall (Objects > External Dynamic Lists), click List Capacities to compare how many IP addresses, domains, and URLs are currently used in policy with the total number of entries that the firewall supports for each list type.
- Use Global Find to Search the Firewall or Panorama Management Server for a domain, IP address, or URL that belongs to one or more external dynamic lists used in policy. This is useful for determining which external dynamic list (referenced in a Security policy rule) is causing the firewall to block or allow a certain domain, IP address, or URL.
Find External Dynamic Lists That Failed Authentication
When an external dynamic list that requires SSL fails client or server authentication, the firewall generates a system log of critical severity. The log is critical because the firewall ceases to enforce policy based on the external dynamic list after it fails authentication. Use the following process to view critical system log messages notifying you of authentication failure related to external dynamic lists.
Find External Dynamic Lists That Failed Authentication
Step 2 Construct the following filters to view all messages related to authentication failure, and apply the filters. For more information, review the complete workflow to Filter Logs.
- Server authentication failure: (eventid eq tls-edl-auth-failure)
- Client authentication failure: (eventid eq edl-cli-auth-failure)
Step 3 Review the system log messages. The message description includes the name of the external dynamic list, the source URL for the list, and the reason for the authentication failure.
- The server that hosts the external dynamic list fails authentication if the certificate is expired. If you have configured the certificate profile to check certificate revocation status via Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP), the server may also fail authentication if:
  - The certificate is revoked.
  - The revocation status of the certificate is unknown.
  - The connection times out as the firewall is attempting to connect to the CRL/OCSP service.
  For more information on certificate profile settings, refer to the steps to Configure a Certificate Profile.
  Verify that you added the root CA and intermediate CA of the server to the certificate profile configured with the external dynamic list. Otherwise, the firewall will not authenticate the list properly.
- Client authentication fails if you have entered the incorrect username and password combination for the external dynamic list.
Step 4 (Optional) Disable Authentication for an External Dynamic List that failed authentication as a stopgap measure until the list owner renews the certificate(s) of the server that hosts the list.
Disable Authentication for an External Dynamic List
Palo Alto Networks recommends that you enable authentication for the servers that host the external dynamic lists configured on your firewall. However, if you Find External Dynamic Lists That Failed Authentication and prefer to disable server authentication for those lists, you can do so through the CLI. The procedure below only applies to external dynamic lists secured with SSL (i.e., lists with an HTTPS URL); the firewall does not enforce server authentication on lists with an HTTP URL.
Disabling server authentication for an external dynamic list also disables client authentication. With client authentication disabled, the firewall will not be able to connect to an external dynamic list that requires a username and password for access.
Disable Server Authentication for an External Dynamic List
Step 1 Launch the CLI and switch to configuration mode as follows:
    username@hostname> configure
    Entering configuration mode
    [edit]
    username@hostname#
The change from the > to the # symbol indicates that you are now in configuration mode.
Step 2 Enter the appropriate CLI command for the list type:
- IP Address:
    set external-list <external dynamic list name> type ip certificate-profile None
- Domain:
    set external-list <external dynamic list name> type domain certificate-profile None
- URL:
    set external-list <external dynamic list name> type url certificate-profile None
Step 3 Verify that authentication is disabled for the external dynamic list.
Trigger a refresh for the list (see Retrieve an External Dynamic List from the Web Server). If the firewall retrieves the list successfully, server authentication is disabled.
Register IP Addresses and Tags Dynamically
To mitigate the challenges of scale, lack of flexibility and performance, the architecture in networks today allows for clients, servers, and applications to be provisioned, changed, and deleted on demand. This agility poses a challenge for security administrators because they have limited visibility into the IP addresses of the dynamically provisioned clients and servers, and the plethora of applications that can be enabled on these virtual resources.
The firewall (hardware-based models and the VM-Series) supports the ability to register IP addresses and tags dynamically. The IP addresses and tags can be registered on the firewall directly or registered on the firewall through Panorama. You can also automatically remove tags on the source or destination IP address included in a firewall log.
This dynamic registration process can be enabled using any of the following options:
- User-ID agent for Windows: In an environment where you've deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi and/or vCenter Servers. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.
- VM Information Sources: Allows you to monitor VMware ESXi and vCenter Server, and the AWS VPC to retrieve IP address changes when you provision or modify virtual machines on these sources. VM Information Sources polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.
- VMware Service Manager (only available for the integrated NSX solution): The integrated NSX solution is designed for automated provisioning and distribution of Palo Alto Networks next-generation security services and the delivery of dynamic context-based security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.
- XML API: The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.
- Auto-Tag: Tag the source or destination IP address automatically when a log is generated on the firewall, and register the IP address and tag mapping to a User-ID agent on the firewall or Panorama, or to a remote User-ID agent using an HTTP server profile. For example, whenever the firewall generates a threat log, you can configure the firewall to tag the source IP address in the threat log with a specific tag name. See Forward Logs to an HTTP(S) Destination.
For information on creating and using Dynamic Address Groups, see Use Dynamic Address Groups in Policy.
For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP Addresses and Tags.
Monitor Changes in the Virtual Environment
To secure applications and prevent threats in an environment where new users and servers are constantly emerging, your security policy must be nimble. To be nimble, the firewall must be able to learn about new or modified IP addresses and consistently apply policy without requiring configuration changes on the firewall. This capability is provided by the coordination between the VM Information Sources and Dynamic Address Groups features on the firewall. The firewall and Panorama provide an automated way to gather information on the virtual machine (or guest) inventory on each monitored source and create policy objects that stay in sync with the dynamic changes on the network.
- Enable VM Monitoring to Track Changes on the Virtual Network
- Attributes Monitored in the AWS and VMware Environments
- Use Dynamic Address Groups in Policy
Enable VM Monitoring to Track Changes on the Virtual Network
VM Information Sources provides an automated way to gather information on the Virtual Machine (VM) inventory on each monitored source (host); the firewall can monitor the VMware ESXi and vCenter Server, and the AWS VPC. As virtual machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags; these tags can then be used to define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and matched against in policy.
Up to 10 VM information sources can be configured on the firewall or pushed using Panorama templates. By default, the traffic between the firewall and the monitored sources uses the management (MGT) port on the firewall.
VM Information Sources offers easy configuration and enables you to monitor a predefined set of 16 metadata elements or attributes. See Attributes Monitored in the AWS and VMware Environments for the list.
When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. Up to a maximum of 32 tags (from vCenter server and NSX Manager) can be registered to an IP address.
Set up the VM Monitoring Agent
(Optional) Enter the interval in hours when the connection to the monitored source is closed, if the host does not respond. (default: 2 hours, range 2-10 hours)
To change the default value, select the check box to Enable timeout when the source is disconnected and specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall will close the connection to the source.
Click OK, and Commit the changes.
Verify that the connection Status displays as connected.
If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (Device > Setup > Services, click the Service Route Configuration link and modify the Source Interface for the VM Monitor service).
Attributes Monitored in the AWS and VMware Environments
Each VM on a monitored ESXi or vCenter server must have VMware Tools installed and running. VMware Tools provide the capability to glean the IP address(es) and other values assigned to each VM.
In order to collect the values assigned to the monitored VMs, the firewall monitors the following predefined set of attributes:
Attributes Monitored on a VMware Source:
- UUID
- Name
- Guest OS
- VM State (the power state can be poweredOff, poweredOn, standBy, and unknown)
- Annotation
- Version
- Network (Virtual Switch Name, Port Group Name, and VLAN ID)
- Container Name (vCenter Name, Data Center Object Name, Resource Pool Name, Cluster Name, Host, Host IP address)
Attributes Monitored on the AWS VPC:
- Architecture
- Guest OS
- Image ID
- Instance ID
- Instance State
- Instance Type
- Key Name
- Placement (Tenancy, Group Name, Availability Zone)
- Private DNS Name
- Public DNS Name
- Subnet ID
- Tag (key, value); up to 18 tags supported per instance
- VPC ID
Use Dynamic Address Groups in Policy
Dynamic address groups are used in policy. They allow you to create policy that automatically adapts to changes (adds, moves, or deletions of servers). It also enables the flexibility to apply different rules to the same server based on tags that define its role on the network, the operating system, or the different kinds of traffic it processes.
A dynamic address group uses tags as a filtering criteria to determine its members. The filter uses the logical operators and and or. All IP addresses or address groups that match the filtering criteria become members of the dynamic address group. Tags can be defined statically on the firewall and/or registered (dynamically) to the firewall. The difference between static and dynamic tags is that static tags are part of the configuration on the firewall, and dynamic tags are part of the runtime configuration. This implies that a commit is not required to update dynamic tags; the tags must however be used by Dynamic Address Groups that are referenced in policy, and the policy must be committed on the firewall.
To dynamically register tags, you can use the XML API or the VM Monitoring agent on the firewall or on the User-ID agent. Each tag is a metadata element or attribute-value pair that is registered on the firewall or Panorama. For example, IP1 {tag1, tag2, ..... tag32}, where the IP address and the associated tags are maintained as a list; each registered IP address can have up to 32 tags such as the operating system, the datacenter or the virtual switch to which it belongs. Within 60 seconds of the API call, the firewall registers the IP address and associated tags, and automatically updates the membership information for the dynamic address group(s).
The maximum number of IP addresses that can be registered for each model is different. Use the following table for specifics on your model:
Model | Maximum registered IP addresses
PA-7000 Series, PA-5060, VM-300, VM-500, VM-700, VM-1000-HV | 100,000
PA-5050 | 50,000
PA-5020 | 25,000
PA-3000 Series | 5,000
VM-100 | 2,500
PA-500, PA-200, VM-200, VM-50 | 1000
The following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to:
- Enable the VM Monitoring agent on the firewall, to monitor the VMware ESX(i) host or vCenter Server and register VM IP addresses and the associated tags.
- Create dynamic address groups and define the tags to filter. In this example, two address groups are created. One that only filters for dynamic tags and another that filters for both static and dynamic tags to populate the members of the group.
- Validate that the members of the dynamic address group are populated on the firewall.
- Use dynamic address groups in policy. This example uses two different security policies:
  - A security policy for all Linux servers that are deployed as FTP servers; this rule matches on dynamically registered tags.
  - A security policy for all Linux servers that are deployed as web servers; this rule matches on a dynamic address group that uses static and dynamic tags.
- Validate that the members of the dynamic address groups are updated as new FTP or web servers are deployed. This ensures that the security rules are enforced on these new virtual machines too.
Use Dynamic Address Groups in Policy
6. Click Commit.
Step 3 The match criteria for each dynamic address group in this example is as follows:
- ftp_server: matches on the guest operating system Linux 64-bit and annotated as ftp ('guestos.Ubuntu Linux 64-bit' and 'annotation.ftp').
- web-servers: matches on two criteria: the tag black, or the guest operating system is Linux 64-bit and the name of the server is Web_server_Corp ('guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp' or 'black').
Step 5 This example shows how to create two policies: one for all access to FTP servers and the other for access to web servers.
Step 6 Validate that the members of the dynamic address group are populated on the firewall.
1. Select Policies > Security, and select the rule.
2. Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria is accurate.
3. Click the more link and verify that the list of registered IP addresses is displayed.
Policy will be enforced for all IP addresses that belong to this address group, and are displayed here.
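To make the match criteria in Step 3 concrete, here is an added Python model (not the firewall's code) of how registered tags are filtered into dynamic address group members, including the 32-tag cap per IP. The registered IPs and tags are constructed; support for parentheses and the and-before-or precedence are assumptions of this example.

```python
import re

MAX_TAGS_PER_IP = 32  # the guide's cap on tags registered to one IP address

# A token is a quoted tag, a parenthesis, or one of the keywords and/or.
_TOKEN_RE = re.compile(r"\s*(?:'([^']*)'|([()])|(and|or)\b)", re.IGNORECASE)


def tokenize(expr):
    """Split match criteria such as 'tag1' and 'tag2' or 'tag3' into tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad match criteria near {expr[pos:]!r}")
        tag, paren, keyword = m.groups()
        if tag is not None:
            tokens.append(("tag", tag))
        elif paren is not None:
            tokens.append(("paren", paren))
        else:
            tokens.append(("kw", keyword.lower()))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser producing a predicate over an IP's tag set.
    Parentheses and and-before-or precedence are assumptions of this example."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self.i != len(self.toks):
            raise ValueError("unexpected trailing tokens in match criteria")
        return node

    def _or(self):
        left = self._and()
        while self._peek() == ("kw", "or"):
            self._take()
            left = (lambda l, r: lambda tags: l(tags) or r(tags))(left, self._and())
        return left

    def _and(self):
        left = self._atom()
        while self._peek() == ("kw", "and"):
            self._take()
            left = (lambda l, r: lambda tags: l(tags) and r(tags))(left, self._atom())
        return left

    def _atom(self):
        kind, value = self._take()
        if kind == "tag":
            return lambda tags: value in tags
        if (kind, value) == ("paren", "("):
            node = self._or()
            if self._take() != ("paren", ")"):
                raise ValueError("missing ')' in match criteria")
            return node
        raise ValueError(f"unexpected token {value!r} in match criteria")


def register_ip(registry, ip, tags):
    """Attach tags to an IP, as a register call would, enforcing the 32-tag cap."""
    merged = registry.get(ip, set()) | set(tags)
    if len(merged) > MAX_TAGS_PER_IP:
        raise ValueError(f"{ip}: {len(merged)} tags exceeds the cap of {MAX_TAGS_PER_IP}")
    registry[ip] = merged
    return merged


def dynamic_group_members(registry, match_criteria):
    """Sorted IPs whose registered tags satisfy the group's match criteria."""
    predicate = _Parser(tokenize(match_criteria)).parse()
    return sorted(ip for ip, tags in registry.items() if predicate(tags))


# Constructed registrations standing in for what VM monitoring or the XML API would push.
REGISTRY = {}
register_ip(REGISTRY, "10.1.1.10", ["guestos.Ubuntu Linux 64-bit", "annotation.ftp", "vmname.FTP01"])
register_ip(REGISTRY, "10.1.1.20", ["guestos.Ubuntu Linux 64-bit", "vmname.WebServer_Corp"])
register_ip(REGISTRY, "10.1.1.30", ["guestos.Windows Server 2012", "black"])
register_ip(REGISTRY, "10.1.1.40", ["guestos.Ubuntu Linux 64-bit", "annotation.web"])

# The two match criteria from the guide's example.
FTP_SERVERS = "'guestos.Ubuntu Linux 64-bit' and 'annotation.ftp'"
WEB_SERVERS = "'guestos.Ubuntu Linux 64-bit' and 'vmname.WebServer_Corp' or 'black'"
```

dynamic_group_members(REGISTRY, WEB_SERVERS) returns both the Linux web server and the Windows host tagged black, which is what the group's or clause is meant to capture.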
CLI Commands for Dynamic IP Addresses and Tags
The Command Line Interface on the firewall and Panorama gives you a detailed view into the different sources from which tags and IP addresses are dynamically registered. It also allows you to audit registered and unregistered tags. The following examples illustrate the capabilities in the CLI.
Example | CLI Command
View all tags registered from a specific data source, for example from the VM Monitoring Agent on the firewall, the XML API, Windows User-ID Agent or the CLI.
- To view tags registered from the CLI:
    show log iptag datasource_type equal unknown
- To view tags registered from the XML API:
    show log iptag datasource_type equal xml-api
- To view tags registered from VM Information sources:
    show log iptag datasource_type equal vm-monitor
- To view tags registered from the Windows User-ID agent:
    show log iptag datasource_type equal xml-api datasource_subtype equal user-id-agent
Identify Users Connected through a Proxy Server
If you have a proxy server deployed between the users on your network and the firewall, in HTTP/HTTPS requests the firewall might see the proxy server IP address as the source IP address in the traffic that the proxy forwards rather than the IP address of the client that requested the content. In many cases, the proxy server adds an X-Forwarded-For (XFF) header to traffic packets that includes the actual IPv4 or IPv6 address of the client that requested the content or from whom the request originated. In such cases, you can configure the firewall to read the XFF header values and determine the IP addresses of the client who requested the content. The firewall matches the XFF IP addresses with usernames that your policy rules reference so that those rules can control access for the associated users and groups. The firewall also uses the XFF-derived usernames to populate the source user fields of logs so you can monitor user access to web services.
You can also configure the firewall to add XFF values to URL Filtering logs. In these logs, an XFF value can be the client IP address, client username (if available), the IP address of the last proxy server traversed in a proxy chain, or any string of up to 128 characters that the XFF header stores.
XFF user identification applies only to HTTP or HTTPS traffic, and only if the proxy server supports the XFF header. If the header has an invalid IP address, the firewall uses that IP address as a username for group mapping references in policies. If the XFF header has multiple IP addresses, the firewall uses the first entry from the left.
- Use XFF Values for Policies and Logging Source Users
- Add XFF Values to URL Filtering Logs
Use XFF Values for Policies and Logging Source Users
You can configure the firewall to use XFF values in user-based policies and in the source user fields of logs. To use XFF values in policies, you must also Enable User-ID.
Logging XFF values doesn't populate the source IP address values of logs. When you view the logs, the source field displays the IP address of the proxy server if one is deployed between the user clients and the firewall. However, you can configure the firewall to Add XFF Values to URL Filtering Logs so that you can see user IP addresses in those logs.
To ensure that attackers can't read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.
These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policies and logs.
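An added Python model (not the firewall's code) of the XFF handling described in this section and in the section introduction: the leftmost entry wins, an invalid value is used as the source user, logged values are capped at 128 characters, and XFF is stripped from the outbound request only after it has been used. The header dictionary, the constructed User-ID mapping, and strip-by-removal are assumptions of this example.

```python
import ipaddress

XFF_HEADER = "x-forwarded-for"
XFF_LOG_MAX_CHARS = 128  # the guide: URL Filtering logs hold up to 128 characters of XFF


def _header(headers, name):
    """Case-insensitive lookup in a constructed {name: value} header dict."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def xff_client(headers):
    """Apply the guide's rules: the leftmost XFF entry wins; a valid IP is the
    client address; an invalid value is returned separately so it can serve as
    the source user. Returns (client_ip, invalid_value)."""
    raw = _header(headers, XFF_HEADER)
    if raw is None:
        return None, None
    first = raw.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first)), None
    except ValueError:
        return None, first


def resolve_source_user(headers, ip_user_map):
    """Username for user-based policy: the User-ID mapping for the XFF client IP,
    or the raw XFF value when it is not a valid IP (as the guide describes)."""
    client_ip, invalid = xff_client(headers)
    if invalid is not None:
        return invalid
    return ip_user_map.get(client_ip) if client_ip else None


def xff_log_value(headers):
    """Value written to the URL Filtering log, capped at 128 characters."""
    raw = _header(headers, XFF_HEADER)
    return None if raw is None else raw[:XFF_LOG_MAX_CHARS]


def strip_xff(headers):
    """Outbound copy of the headers without XFF. Whether the firewall removes the
    header or zeroes its value is not specified on the page; removal is assumed."""
    return {k: v for k, v in headers.items() if k.lower() != XFF_HEADER}


def process_request(headers, ip_user_map, strip=True):
    """Use the XFF values for policy and logging first, then strip them, matching
    the order the guide describes when both options are enabled."""
    result = {
        "client_ip": xff_client(headers)[0],
        "source_user": resolve_source_user(headers, ip_user_map),
        "logged_xff": xff_log_value(headers),
    }
    result["outbound_headers"] = strip_xff(headers) if strip else dict(headers)
    return result


# Constructed sample: a proxy chain where the client sits at the leftmost position.
SAMPLE_REQUEST = {
    "Host": "www.example.com",
    "X-Forwarded-For": "192.0.2.10, 198.51.100.7",
}
SAMPLE_IP_USER_MAP = {"192.0.2.10": "corp\\alice"}
```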
Use XFF Values for Policies and Logging Source Users
Add XFF Values to URL Filtering Logs
You can configure the firewall to add the XFF values from web requests to URL Filtering logs. The XFF values that the logs display can be client IP addresses, usernames if available, or any values of up to 128 characters that the XFF fields store.
This method of logging XFF values doesn't add usernames to the source user fields in URL Filtering logs. To populate the source user fields, see Use XFF Values for Policies and Logging Source Users.
Add XFF Values to URL Filtering Logs
Policy-Based Forwarding
Normally, the firewall uses the destination IP address in a packet to determine the outgoing interface. The firewall uses the routing table associated with the virtual router to which the interface is connected to perform the route lookup. Policy-Based Forwarding (PBF) allows you to override the routing table, and specify the outgoing or egress interface based on specific parameters such as source or destination IP address, or type of traffic.
- PBF
- Create a Policy-Based Forwarding Rule
- Use Case: PBF for Outbound Access with Dual ISPs
PBF
PBF rules allow traffic to take an alternative path from the next hop specified in the route table, and are typically used to specify an egress interface for security or performance reasons. Let's say your company has two links between the corporate office and the branch office: a cheaper internet link and a more expensive leased line. The leased line is a high-bandwidth, low-latency link. For enhanced security, you can use PBF to send applications that aren't encrypted traffic, such as FTP traffic, over the private leased line and all other traffic over the internet link. Or, for performance, you can choose to route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link.
- Egress Path and Symmetric Return
- Path Monitoring for PBF
- Service Versus Applications in PBF
Egress Path and Symmetric Return
Using PBF, you can direct traffic to a specific interface on the firewall, drop the traffic, or direct traffic to another virtual system (on systems enabled for multiple virtual systems).
In networks with asymmetric routes, such as in a dual ISP environment, connectivity issues occur when traffic arrives at one interface on the firewall and leaves from another interface. If the route is asymmetrical, where the forward (SYN packet) and return (SYN/ACK) paths are different, the firewall is unable to track the state of the entire session and this causes a connection failure. To ensure that the traffic uses a symmetrical path, which means that the traffic arrives at and leaves from the same interface on which the session was created, you can enable the Symmetric Return option.
With symmetric return, the virtual router overrides a routing lookup for return traffic and instead directs the flow back to the MAC address from which it received the SYN packet (or first packet). However, if the destination IP address is on the same subnet as the ingress/egress interface's IP address, a route lookup is performed and symmetric return is not enforced. This behavior prevents traffic from being black-holed.
To determine the next hop for symmetric returns, the firewall uses an Address Resolution Protocol (ARP) table. The maximum number of entries that this ARP table supports is limited by the firewall model and the value is not user-configurable. To determine the limit for your model, use the CLI command: show pbf return-mac all.
Path Monitoring for PBF
Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct traffic through an alternate route, when needed. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.
A monitoring profile allows you to specify the threshold number of heartbeats to determine whether the IP address is reachable. When the monitored IP address is unreachable, you can either disable the PBF rule or specify a fail-over or wait-recover action. Disabling the PBF rule allows the virtual router to take over the routing decisions. When the fail-over or wait-recover action is taken, the monitoring profile continues to monitor whether the target IP address is reachable, and when it comes back up, the firewall reverts back to using the original route.
The following table lists the difference in behavior for a path monitoring failure on a new session versus an established session.
Path monitoring failure on a new session | Path monitoring failure on an established session
fail-over: Use path determined by routing table (no PBF) | fail-over: Use path determined by routing table (no PBF)
fail-over: Use path determined by routing table (no PBF) | fail-over: Check the remaining PBF rules. If no match, use the routing table
Service Versus Applications in PBF
PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.
However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application, can be forwarded based on the PBF rule.
Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter.
You cannot use custom applications, application filters or application groups in PBF rules.
Create a Policy-Based Forwarding Rule
Use a PBF rule to direct traffic to a specific egress interface on the firewall, and override the default path for the traffic.
Create a PBF Rule
Step 3 Save the policies to the running configuration on the firewall.
Click Commit. The PBF rule is in effect.
Use Case: PBF for Outbound Access with Dual ISPs

In this use case, the branch office has a dual ISP configuration and implements PBF for redundant internet access. The backup ISP is the default route for traffic from the client to the web servers. In order to enable redundant internet access without using an internetwork protocol such as BGP, we use PBF with destination interface-based source NAT and static routes, and configure the firewall as follows:

Enable a PBF rule that routes traffic through the primary ISP, and attach a monitoring profile to the rule. The monitoring profile triggers the firewall to use the default route through the backup ISP when the primary ISP is unavailable.

Define Source NAT rules for both the primary and backup ISP that instruct the firewall to use the source IP address associated with the egress interface for the corresponding ISP. This ensures that the outbound traffic has the correct source IP address.

Add a static route to the backup ISP, so that when the primary ISP is unavailable, the default route comes into effect and the traffic is directed through the backup ISP.

PBF for Outbound Access with Dual ISPs

5. Click OK twice to save the virtual router configuration.
Step 4 Specify where to forward traffic.
1. In the Forwarding tab, specify the interface to which you want to forward traffic and enable path monitoring.
2. To forward traffic, set the Action to Forward, and select the Egress Interface and specify the Next Hop. In this example, the egress interface is ethernet1/1, and the next hop IP address is 1.1.1.1 (you cannot use a FQDN for the next hop).
3. Enable Monitor and attach the default monitoring profile, to trigger a failover to the backup ISP. In this example, we do not specify a target IP address to monitor. The firewall will monitor the next hop IP address; if this IP address is unreachable the firewall will direct traffic to the default route specified on the virtual router.
4. (Required if you have asymmetric routes.) Select Enforce Symmetric Return to ensure that return traffic from the trust zone to the internet is forwarded out on the same interface through which traffic ingressed from the internet.
5. NAT ensures that the traffic from the internet is returned to the correct interface/IP address on the firewall.
6. Click OK to save the changes.
Step 5 Create NAT rules based on the egress interface and ISP. These rules ensure that the correct source IP address is used for outbound connections.
1. Select Policies > NAT and click Add.
2. In this example, the NAT rule we create for each ISP is as follows:

NAT for Primary ISP
In the Original Packet tab:
Source Zone: trust
Destination Zone: ISP-West
In the Translated Packet tab, under Source Address Translation:
Translation Type: Dynamic IP and Port
Address Type: Interface Address
Interface: ethernet1/1
IP Address: 1.1.1.2/30

NAT for Backup ISP
In the Original Packet tab:
Source Zone: trust
Destination Zone: ISP-East
In the Translated Packet tab, under Source Address Translation:
Translation Type: Dynamic IP and Port
Address Type: Interface Address
Interface: ethernet1/2
IP Address: 2.2.2.2/30
Step 8 Verify that the PBF rule is active and that the primary ISP is used for internet access.
1. Launch a web browser and access a web server. On the firewall, check the traffic log for web-browsing activity.
2. From a client on the network, use the ping utility to verify connectivity to a web server on the internet, and check the traffic log on the firewall.
C:\Users\pm-user1>ping 4.2.2.1
Pinging 4.2.2.1 with 32 bytes of data:
Reply from 4.2.2.1: bytes=32 time=34ms TTL=117
Reply from 4.2.2.1: bytes=32 time=13ms TTL=117
Reply from 4.2.2.1: bytes=32 time=25ms TTL=117
Reply from 4.2.2.1: bytes=32 time=3ms TTL=117
Ping statistics for 4.2.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 34ms, Average = 18ms
3. To confirm that the PBF rule is active, use the following CLI command:
admin@PA-NGFW> show pbf rule all
Rule ID Rule State Action Egress IF/VSYS NextHop
========== === ========== ====== ==============
Use ISP-Pr 1 Active Forward ethernet1/1 1.1.1.1
Step 9 Verify that the failover to the backup ISP occurs and that the Source NAT is correctly applied.
1. Unplug the connection to the primary ISP.
2. Confirm that the PBF rule is inactive with the following CLI command:
admin@PA-NGFW> show pbf rule all
Rule ID Rule State Action Egress IF/VSYS NextHop
========== === ========== ====== ============== ===
Use ISP-Pr 1 Disabled Forward ethernet1/1 1.1.1.1
3. Access a web server, and check the traffic log to verify that traffic is being forwarded through the backup ISP.
4. View the session details to confirm that the NAT rule is working properly.
admin@PA-NGFW> show session all
---------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto
(translated IP[Port]) Vsys Dst[Dport]/Zone (translated
IP[Port])
---------------------------------------------------------
87212 ssl ACTIVE FLOW NS 192.168.54.56[53236]/Trust/6
(2.2.2.2[12896]) vsys1 204.79.197.200[443]/ISP-East
(204.79.197.200[443])
5. Obtain the session identification number from the output and view the session details. Note that the PBF rule is not used and hence is not listed in the output.
admin@PA-NGFW> show session id 87212
Session 87212
c2s flow:
source: 192.168.54.56 [Trust]
dst: 204.79.197.200
proto: 6
sport: 53236 dport: 443
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 204.79.197.200 [ISP-East]
dst: 2.2.2.2
proto: 6
sport: 443 dport: 12896
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Wed Nov5 11:16:10 2014
timeout : 1800 sec
time to live : 1757 sec
total byte count(c2s) : 1918
total byte count(s2c) : 4333
layer7 packet count(c2s) : 10
layer7 packet count(s2c) : 7
vsys : vsys1
application : ssl
rule : Trust2ISP
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source
nat-rule : NAT-Backup ISP(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : search-engines
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
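As an added example that is not part of the guide, the following Python parses the two verification outputs used in Steps 8 and 9 (show pbf rule all and show session id) and checks the Step 9 expectations automatically. The sample outputs are abbreviated copies of those shown above; the PBF rule name, the backup NAT rule name and the backup interface address are passed in by the caller, and the check logic is this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample inputs, abbreviated from the CLI outputs shown in Steps 8 and 9.
PBF_PRIMARY_UP = """\
admin@PA-NGFW> show pbf rule all
Rule ID Rule State Action Egress IF/VSYS NextHop
========== === ========== ====== ==============
Use ISP-Pr 1 Active Forward ethernet1/1 1.1.1.1
"""
PBF_PRIMARY_DOWN = PBF_PRIMARY_UP.replace("Active", "Disabled")
SESSION_VIA_BACKUP = """\
admin@PA-NGFW> show session id 87212
c2s flow:
source: 192.168.54.56 [Trust]
dst: 204.79.197.200
sport: 53236 dport: 443
state: ACTIVE type: FLOW
s2c flow:
source: 204.79.197.200 [ISP-East]
dst: 2.2.2.2
sport: 443 dport: 12896
state: ACTIVE type: FLOW
address/port translation : source
nat-rule : NAT-Backup ISP(vsys1)
ingress interface : ethernet1/2
egress interface : ethernet1/3
"""

@dataclass
class PbfRule:
    name: str
    rule_id: str
    state: str
    action: str
    egress: str
    next_hop: str

def parse_pbf_rules(output: str) -> List[PbfRule]:
    """Parse the table printed by 'show pbf rule all'. Rule names may contain
    spaces ("Use ISP-Pr"), so each row is split from the right: the last five
    tokens are ID, state, action, egress interface and next hop."""
    rules = []
    for line in output.splitlines():
        line = line.strip()
        if not line or ">" in line or line.startswith(("=", "Rule ")):
            continue  # prompt, column header or separator line
        parts = line.split()
        if len(parts) >= 6:
            rules.append(PbfRule(" ".join(parts[:-5]), *parts[-5:]))
    return rules

FLOW_FIELDS = ("source:", "dst:", "proto:", "sport:", "state:", "src user:", "dst user:")

def parse_session(output: str) -> Dict[str, str]:
    """Parse 'show session id <n>' into a flat dict. Fields inside the c2s/s2c
    flow blocks are prefixed with the flow name ('s2c.dst' is the address the
    server replies to, i.e. the translated source); the rest keep their names."""
    fields: Dict[str, str] = {}
    flow = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(c2s|s2c) flow:", line)
        if m:
            flow = m.group(1)
            continue
        if not line or ":" not in line or ">" in line:
            continue
        if flow and line.startswith(FLOW_FIELDS):
            # lines such as 'sport: 443 dport: 12896' carry two key/value pairs
            for key, val in re.findall(r"(\w+(?: \w+)?):\s*(\S+(?: \[\S+\])?)", line):
                fields[f"{flow}.{key}"] = val
            continue
        flow = None  # the session-level fields follow the flow blocks
        key, _, val = line.partition(":")
        fields[key.strip()] = val.strip()
    return fields

def verify_failover(pbf_output: str, session_output: str, pbf_rule: str,
                    backup_nat_rule: str, backup_ip: str) -> List[str]:
    """Check the Step 9 expectations; an empty list means failover looks correct:
    the PBF rule is Disabled, the session matched the backup ISP's NAT rule and
    the server-to-client flow is addressed to the backup interface's IP."""
    findings = []
    rule = {r.name: r for r in parse_pbf_rules(pbf_output)}.get(pbf_rule)
    if rule is None:
        findings.append(f"PBF rule {pbf_rule!r} not present in 'show pbf rule all'")
    elif rule.state != "Disabled":
        findings.append(f"PBF rule {pbf_rule!r} is {rule.state}; path monitor did not fail over")
    sess = parse_session(session_output)
    if not sess.get("nat-rule", "").startswith(backup_nat_rule):
        findings.append(f"session used NAT rule {sess.get('nat-rule')!r}, expected {backup_nat_rule!r}")
    if sess.get("address/port translation") != "source":
        findings.append("session is not source-translated")
    if sess.get("s2c.dst") != backup_ip:
        findings.append(f"return flow is sent to {sess.get('s2c.dst')!r}, expected {backup_ip!r}")
    return findings
```

Running verify_failover(PBF_PRIMARY_DOWN, SESSION_VIA_BACKUP, "Use ISP-Pr", "NAT-Backup ISP", "2.2.2.2") returns an empty list; feeding it the Step 8 output instead reports that the rule is still Active.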
Virtual Systems Overview

Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately managed firewall with its traffic kept separate from the traffic of other virtual systems.

This topic includes the following:
Virtual System Components and Segmentation
Benefits of Virtual Systems
Use Cases for Virtual Systems
Platform Support and Licensing for Virtual Systems
Administrative Roles for Virtual Systems
Shared Objects for Virtual Systems
Virtual System Components and Segmentation

A virtual system is an object that creates an administrative boundary, as shown in the following figure.

A virtual system consists of a set of physical and logical interfaces and subinterfaces (including VLANs and virtual wires), virtual routers, and security zones. You choose the deployment mode(s) (any combination of virtual wire, Layer 2, or Layer 3) of each virtual system. By using virtual systems, you can segment any of the following:
Administrative access
The management of all policies (Security, NAT, QoS, Policy-Based Forwarding, Decryption, Application Override, Authentication, and DoS protection)
All objects (such as address objects, application groups and filters, dynamic block lists, security profiles, decryption profiles, custom objects, etc.)
User-ID
Certificate management
Server profiles
Logging, reporting, and visibility functions

Virtual systems affect the security functions of the firewall, but virtual systems alone do not affect networking functions such as static and dynamic routing. You can segment routing for each virtual system by creating one or more virtual routers for each virtual system, as in the following use cases:
If you have virtual systems for departments of one organization, and the network traffic for all of the departments is within a common network, you can create a single virtual router for multiple virtual systems.
If you want routing segmentation and each virtual system's traffic must be isolated from other virtual systems, you can create one or more virtual routers for each virtual system.
Benefits of Virtual Systems

Virtual systems provide the same basic functions as a physical firewall, along with additional benefits:
Segmented administration: Different organizations (or customers or business units) can control (and monitor) a separate firewall instance, so that they have control over their own traffic without interfering with the traffic or policies of another firewall instance on the same physical firewall.
Scalability: After the physical firewall is configured, adding or removing customers or business units can be done efficiently. An ISP, managed security service provider, or enterprise can provide different security services to each customer.
Reduced capital and operational expenses: Virtual systems eliminate the need to have multiple physical firewalls at one location because virtual systems co-exist on one firewall. By not having to purchase multiple firewalls, an organization can save on the hardware expense, electric bills, and rack space, and can reduce maintenance and management expenses.
Use Cases for Virtual Systems

There are many ways to use virtual systems in a network. One common use case is for an ISP or a managed security service provider (MSSP) to deliver services to multiple customers with a single firewall. Customers can choose from a wide array of services that can be enabled or disabled easily. The firewall's role-based administration allows the ISP or MSSP to control each customer's access to functionality (such as logging and reporting) while hiding or offering read-only capabilities for other functions.

Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments. Like the above case, different groups can have different levels of access while IT manages the firewall itself. Services can be tracked and/or billed back to departments to thereby make separate financial accountability possible within an organization.
Platform Support and Licensing for Virtual Systems

Virtual systems are supported on the PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls. Each firewall series supports a base number of virtual systems; the number varies by platform. A Virtual Systems license is required to support multiple virtual systems on the PA-3000 Series firewalls, and to create more than the base number of virtual systems supported on a platform.

For license information, see Activate Licenses and Subscriptions. For the base and maximum number of virtual systems supported, see the Compare Firewalls tool.

Multiple virtual systems are not supported on the PA-200, PA-220, PA-500, PA-800 Series, or VM-Series firewalls.
Administrative Roles for Virtual Systems

A superuser administrator can create virtual systems and add a Device Administrator, vsysadmin, or vsysreader. A Device Administrator can access all virtual systems, but cannot add administrators. The two types of virtual system administrative roles are:
vsysadmin: Grants full access to a virtual system.
vsysreader: Grants read-only access to a virtual system.

A virtual system administrator can view logs of only the virtual systems assigned to that administrator. Someone with superuser or Device Admin permission can view all of the logs or select a virtual system to view. Persons with vsysadmin permission can commit configurations for only the virtual systems assigned to them.
Shared Objects for Virtual Systems

If your administrator account extends to multiple virtual systems, you can choose to configure objects (such as an address object) and policies for a specific virtual system or as shared objects, which apply to all of the virtual systems on the firewall. If you try to create a shared object with the same name and type as an existing object in a virtual system, the virtual system object is used.
Communication Between Virtual Systems

There are two typical scenarios where communication between virtual systems (inter-vsys traffic) is desirable. In a multi-tenancy environment, communication between virtual systems can occur by having traffic leave the firewall, go through the Internet, and re-enter the firewall. In a single organization environment, communication between virtual systems can remain within the firewall. This section discusses both scenarios.
Inter-VSYS Traffic That Must Leave the Firewall
Inter-VSYS Traffic That Remains Within the Firewall
Inter-VSYS Communication Uses Two Sessions
Inter-VSYS Traffic That Must Leave the Firewall

An ISP that has multiple customers on a firewall (known as multi-tenancy) can use a virtual system for each customer, and thereby give each customer control over its virtual system configuration. The ISP grants vsysadmin permission to customers. Each customer's traffic and management are isolated from the others. Each virtual system must be configured with its own IP address and one or more virtual routers in order to manage traffic and its own connection to the Internet.

If the virtual systems need to communicate with each other, that traffic goes out the firewall to another Layer 3 routing device and back to the firewall, even though the virtual systems exist on the same physical firewall, as shown in the following figure.
Inter-VSYS Traffic That Remains Within the Firewall

Unlike the preceding multi-tenancy scenario, virtual systems on a firewall can be under the control of a single organization. The organization wants to both isolate traffic between virtual systems and allow communications between virtual systems. This common use case arises when the organization wants to provide departmental separation and still have the departments be able to communicate with each other or connect to the same network(s). In this scenario, the inter-vsys traffic remains within the firewall, as described in the following topics:
External Zone
External Zones and Security Policies For Traffic Within a Firewall
External Zone

The communication desired in the use case above is achieved by configuring security policies that point to or from an external zone. An external zone is a security object that is associated with a specific virtual system that it can reach; the zone is external to the virtual system. A virtual system can have only one external zone, regardless of how many security zones the virtual system has within it. External zones are required to allow traffic between zones in different virtual systems, without the traffic leaving the firewall.

The virtual system administrator configures the security policies needed to allow traffic between two virtual systems. Unlike security zones, an external zone is not associated with an interface; it is associated with a virtual system. The security policy allows or denies traffic between the security (internal) zone and the external zone.

Because external zones do not have interfaces or IP addresses associated with them, some zone protection profiles are not supported on external zones.

Remember that each virtual system is a separate instance of a firewall, which means that each packet moving between virtual systems is inspected for security policy and App-ID evaluation.
External Zones and Security Policies For Traffic Within a Firewall

In the following example, an enterprise has two separate administrative groups: the department A and department B virtual systems. The following figure shows the external zone associated with each virtual system, and traffic flowing from one trust zone, out an external zone, into an external zone of another virtual system, and into its trust zone.

To create external zones, the firewall administrator must configure the virtual systems so that they are visible to each other. External zones do not have security policies between them because their virtual systems are visible to each other.

To communicate between virtual systems, the ingress and egress interfaces on the firewall are either assigned to a single virtual router or else they are connected using inter-virtual router static routes. The simpler of these two approaches is to assign all virtual systems that must communicate with each other to a single virtual router.

There might be a reason that the virtual systems need to have their own virtual router, for example, if the virtual systems use overlapping IP address ranges. Traffic can be routed between the virtual systems, but each virtual router must have static routes that point to the other virtual router(s) as the next hop.

Referring to the scenario in the figure above, we have an enterprise with two administrative groups: department A and department B. The department A group manages the local network and the DMZ resources. The department B group manages traffic in and out of the sales segment of the network. All traffic is on a local network, so a single virtual router is used. There are two external zones configured for communication between the two virtual systems. The department A virtual system has three zones used in security policies: deptA-DMZ, deptA-trust, and deptA-External. The department B virtual system also has three zones: deptB-DMZ, deptB-trust, and deptB-External. Both groups can control the traffic passing through their virtual systems.

In order to allow traffic from deptA-trust to deptB-trust, two security policies are required. In the following figure, the two vertical arrows indicate where the security policies (described below the figure) are controlling traffic.

Security Policy 1: In the preceding figure, traffic is destined for the deptB-trust zone. Traffic leaves the deptA-trust zone and goes to the deptA-External zone. A security policy must allow traffic from the source zone (deptA-trust) to the destination zone (deptA-External). A virtual system allows any policy type to be used for this traffic, including NAT.

No policy is needed between external zones because traffic sent to an external zone appears in and has automatic access to the other external zones that are visible to the original external zone.

Security Policy 2: In the preceding figure, the traffic from deptB-External is still destined to the deptB-trust zone, and a security policy must be configured to allow it. The policy must allow traffic from the source zone (deptB-External) to the destination zone (deptB-trust).

The department B virtual system could be configured to block traffic from the department A virtual system, and vice versa. Like traffic from any other zone, traffic from external zones must be explicitly allowed by policy to reach other zones in a virtual system.

In addition to external zones being required for inter-virtual system traffic that does not leave the firewall, external zones are also required if you configure a Shared Gateway, in which case the traffic is intended to leave the firewall.
Inter-VSYS Communication Uses Two Sessions

It is helpful to understand that communication between two virtual systems uses two sessions, unlike the one session used for a single virtual system. Let's compare the scenarios.

Scenario 1: Vsys1 has two zones: trust1 and untrust1. A host in the trust1 zone initiates traffic when it needs to communicate with a device in the untrust1 zone. The host sends traffic to the firewall, and the firewall creates a new session for source zone trust1 to destination zone untrust1. Only one session is needed for this traffic.

Scenario 2: A host from vsys1 needs to access a server on vsys2. A host in the trust1 zone initiates traffic to the firewall, and the firewall creates the first session: source zone trust1 to destination zone untrust1. Traffic is routed to vsys2, either internally or externally. Then the firewall creates a second session: source zone untrust2 to destination zone trust2. Two sessions are needed for this inter-vsys traffic.
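As an added example that is not part of the guide, the following Python models the rules stated in External Zones and Security Policies For Traffic Within a Firewall and in the two scenarios above: one session and one policy lookup within a vsys, two sessions across two vsys, mutual visibility as a prerequisite, a policy for each internal-to-external hop, and no policy between the external zones themselves. The Vsys and Decision types, the evaluate function and the allow-list representation of policy are constructed for illustration, and the department A / department B configuration reuses the zone names from the example above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Vsys:
    name: str
    zones: Set[str]                 # internal security zones of this vsys
    external_zone: str              # the single external zone of this vsys
    visible_to: Set[str] = field(default_factory=set)  # vsys ticked as visible
    # (source zone, destination zone) pairs allowed by security policy;
    # any pair not listed is denied, exactly as for any other zone pair
    allow: Set[Tuple[str, str]] = field(default_factory=set)

@dataclass
class Decision:
    allowed: bool
    reason: str
    # one (vsys, source zone, destination zone) tuple per session created
    sessions: List[Tuple[str, str, str]] = field(default_factory=list)

def _owner(zone: str, vsys_map: Dict[str, Vsys]) -> Optional[Vsys]:
    """Return the vsys whose internal zones include 'zone', or None."""
    return next((v for v in vsys_map.values() if zone in v.zones), None)

def evaluate(src_zone: str, dst_zone: str, vsys_map: Dict[str, Vsys]) -> Decision:
    """Decide whether traffic between two internal zones is allowed and list
    the sessions the firewall would create (one per vsys traversed)."""
    src_vsys, dst_vsys = _owner(src_zone, vsys_map), _owner(dst_zone, vsys_map)
    if src_vsys is None or dst_vsys is None:
        return Decision(False, "zone is not an internal zone of any vsys")
    if src_vsys is dst_vsys:
        # Scenario 1: one session, one policy lookup inside one vsys
        if (src_zone, dst_zone) not in src_vsys.allow:
            return Decision(False, f"{src_vsys.name}: no policy {src_zone} -> {dst_zone}")
        return Decision(True, "one session within one vsys", [(src_vsys.name, src_zone, dst_zone)])
    # Scenario 2: both vsys must be visible to each other; each hop through an
    # external zone needs its own policy, while the external-zone-to-external-
    # zone step is never policy-checked.
    if dst_vsys.name not in src_vsys.visible_to or src_vsys.name not in dst_vsys.visible_to:
        return Decision(False, f"{src_vsys.name} and {dst_vsys.name} are not visible to each other")
    first = (src_zone, src_vsys.external_zone)        # Security Policy 1
    if first not in src_vsys.allow:
        return Decision(False, f"{src_vsys.name}: no policy {first[0]} -> {first[1]}")
    second = (dst_vsys.external_zone, dst_zone)       # Security Policy 2
    if second not in dst_vsys.allow:
        return Decision(False, f"{dst_vsys.name}: no policy {second[0]} -> {second[1]}")
    return Decision(True, "two sessions, one per vsys",
                    [(src_vsys.name, *first), (dst_vsys.name, *second)])

# Constructed configuration for the department A / department B example; deptC
# is an extra vsys that nobody marked as visible, to show the visibility check.
FIREWALL: Dict[str, Vsys] = {
    "deptA": Vsys("deptA", {"deptA-DMZ", "deptA-trust"}, "deptA-External",
                  visible_to={"deptB"}, allow={("deptA-trust", "deptA-External")}),
    "deptB": Vsys("deptB", {"deptB-DMZ", "deptB-trust"}, "deptB-External",
                  visible_to={"deptA"}, allow={("deptB-External", "deptB-trust")}),
    "deptC": Vsys("deptC", {"deptC-trust"}, "deptC-External",
                  allow={("deptC-External", "deptC-trust")}),
}
```

With this configuration deptA-trust to deptB-trust is allowed and produces two sessions, while the reverse direction is denied because department B has no policy from deptB-trust to deptB-External.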
Shared Gateway

This topic includes the following information about shared gateways:
External Zones and Shared Gateway
Networking Considerations for a Shared Gateway
External Zones and Shared Gateway

A shared gateway is an interface that multiple virtual systems share in order to communicate over the Internet. Each virtual system requires an External Zone, which acts as an intermediary, for configuring security policies that allow or deny traffic from the virtual system's internal zone to the shared gateway. The shared gateway uses a single virtual router to route traffic for all virtual systems. A shared gateway is used in cases when an interface does not need a full administrative boundary around it, or when multiple virtual systems must share a single Internet connection. This second case arises if an ISP provides an organization with only one IP address (interface), but multiple virtual systems need external communication.

Unlike the behavior between virtual systems, security policy and App-ID evaluations are not performed between a virtual system and a shared gateway. That is why using a shared gateway to access the Internet involves less overhead than creating another virtual system to do so.

In the following figure, three customers share a firewall, but there is only one interface accessible to the Internet. Creating another virtual system would add the overhead of App-ID and security policy evaluation for traffic being sent to the interface through the added virtual system. To avoid adding another virtual system, the solution is to configure a shared gateway, as shown in the following diagram.

The shared gateway has one globally routable IP address used to communicate with the outside world. Interfaces in the virtual systems have IP addresses too, but they can be private, non-routable IP addresses.

You will recall that an administrator must specify whether a virtual system is visible to other virtual systems. Unlike a virtual system, a shared gateway is always visible to all of the virtual systems on the firewall.

A shared gateway ID number appears as sg<ID> on the web interface. It is recommended that you name your shared gateway with a name that includes its ID number.

When you add objects such as zones or interfaces to a shared gateway, the shared gateway appears as an available virtual system in the vsys drop-down menu.

A shared gateway is a limited version of a virtual system; it supports NAT and policy-based forwarding (PBF), but does not support Security, DoS policies, QoS, Decryption, Application Override, or Authentication policies.
Networking Considerations for a Shared Gateway

Keep the following in mind while you are configuring a shared gateway.
The virtual systems in a shared gateway scenario access the Internet through the shared gateway's physical interface, using a single IP address. If the IP addresses of the virtual systems are not globally routable, configure source NAT to translate those addresses to globally routable IP addresses.
A virtual router routes the traffic for all of the virtual systems through the shared gateway.
The default route for the virtual systems should point to the shared gateway.
Security policies must be configured for each virtual system to allow the traffic between the internal zone and external zone, which is visible to the shared gateway.
A firewall administrator should control the virtual router, so that no member of a virtual system can affect the traffic of other virtual systems.
Within a Palo Alto Networks firewall, a packet may hop from one virtual system to another virtual system or a shared gateway. A packet may not traverse more than two virtual systems or shared gateways. For example, a packet cannot go from one virtual system to a shared gateway to a second virtual system within the firewall.

To save configuration time and effort, consider the following advantages of a shared gateway:
Rather than configure NAT for multiple virtual systems associated with a shared gateway, you can configure NAT for the shared gateway.
Rather than configure policy-based routing (PBR) for multiple virtual systems associated with a shared gateway, you can configure PBR for the shared gateway.
Configure Virtual Systems

Creating a virtual system requires that you have the following:
A superuser administrative role.
An interface configured.
A Virtual Systems license if you are configuring a PA-3000 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. See Platform Support and Licensing for Virtual Systems.

Configure a Virtual System
Configure Inter-Virtual System Communication within the Firewall

Perform this task if you have a use case, perhaps within a single enterprise, where you want the virtual systems to be able to communicate with each other within the firewall. Such a scenario is described in Inter-VSYS Traffic That Remains Within the Firewall. This task presumes:
You completed the task, Configure Virtual Systems.
When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate with each other to be visible to each other.
Configure a Shared Gateway

Perform this task if you need multiple virtual systems to share an interface (a Shared Gateway) to the Internet. This task presumes:
You configured an interface with a globally routable IP address, which will be the shared gateway.
You completed the prior task, Configure Virtual Systems. For the interface, you chose the external-facing interface with the globally routable IP address.
When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate to be visible to each other.
Customize Service Routes for a Virtual System

When a firewall is enabled for multiple virtual systems, the virtual systems inherit the global service and service route settings. For example, the firewall can use a shared email server to originate email alerts to all virtual systems. In some scenarios, you'd want to create different service routes for each virtual system.

One use case for configuring service routes at the virtual system level is if you are an ISP who needs to support multiple individual tenants on a single Palo Alto Networks firewall. Each tenant requires custom service routes to access services such as DNS, Kerberos, LDAP, NetFlow, RADIUS, TACACS+, Multi-Factor Authentication, email, SNMP trap, syslog, HTTP, User-ID Agent, VM Monitor, and Panorama (deployment of content and software updates). Another use case is an IT organization that wants to provide full autonomy to groups that set up servers for services. Each group can have a virtual system and define its own service routes.

You can select a virtual router for a service route in a virtual system; you cannot select the egress interface. After you select the virtual router and the firewall sends the packet from the virtual router, the firewall selects the egress interface based on the destination IP address. Therefore, if a virtual system has multiple virtual routers, packets to all of the servers for a service must egress out of only one virtual router. A packet with an interface source address may egress a different interface, but the return traffic would be on the interface that has the source IP address, creating asymmetric traffic.

Customize Service Routes to Services for Virtual Systems
Configure a PA-7000 Series Firewall for Logging Per Virtual System
Configure Administrative Access Per Virtual System or Firewall
Customize Service Routes to Services for Virtual Systems

When you enable Multi Virtual System Capability, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall. You can instead configure a virtual system to use a different service route, as described in the following workflow.

A firewall with multiple virtual systems must have interfaces and subinterfaces with non-overlapping IP addresses. A per-virtual system service route for SNMP traps or for Kerberos is for IPv4 only.

The firewall supports syslog forwarding on a virtual system basis. When multiple virtual systems on a firewall are connecting to a syslog server using SSL transport, the firewall can generate only one certificate for secure communication. The firewall does not support each virtual system having its own certificate.
Customize Service Routes to Services Per Virtual System

Step 1 Customize service routes for a virtual system.
1. Select Device > Setup > Services > Virtual Systems, and select the virtual system you want to configure.
2. Click the Service Route Configuration link.
3. Select one of the radio buttons:
Inherit Global Service Route Configuration: Causes the virtual system to inherit the global service route settings relevant to a virtual system. If you choose this option, skip down to step 7.
Customize: Allows you to specify a source interface and source address for each service.
4. If you chose Customize, select the IPv4 or IPv6 tab, depending on what type of addressing the server offering the service uses. You can specify both IPv4 and IPv6 addresses for a service. Click the checkbox(es) for the services for which you want to specify the same source information. (Only services that are relevant to a virtual system are available.) Click Set Selected Service Routes.
For Source Interface, select Any, Inherit Global Setting, or an interface from the drop-down to specify the source interface that will be used in packets sent to the external service(s). Hence, the server's response will be sent to that source interface. In our example deployment, you would set the source interface to be the subinterface of the tenant.
Source Address will indicate Inherited if you selected Inherit Global Setting for the Source Interface, or it will indicate the source address of the Source Interface you selected. If you selected Any for Source Interface, select an IP address from the drop-down, or enter an IP address (using the IPv4 or IPv6 format that matches the tab you chose) to specify the source address that will be used in packets sent to the external service.
If you modify an address object and the IP family type (IPv4/IPv6) changes, a Commit is required to update the service route family to use.
5. Click OK.
6. Repeat steps 4 and 5 to configure source addresses for other external services.
7. Click OK.
Configure a PA-7000 Series Firewall for Logging Per Virtual System

For Traffic, HIP Match, Threat, and WildFire log types, the PA-7000 Series firewall does not use service routes for SNMP Trap, Syslog and email services. Instead, the PA-7000 Series firewall Log Processing Card (LPC) supports virtual system-specific paths from LPC subinterfaces to an on-premise switch to the respective service on a server. For System and Config logs, the PA-7000 Series firewall uses global service routes, and not the LPC.

In other Palo Alto Networks platforms, the dataplane sends logging service route traffic to the management plane, which sends the traffic to logging servers. In the PA-7000 Series firewall, each LPC has only one interface, and dataplanes for multiple virtual systems send logging server traffic (types mentioned above) to the PA-7000 Series firewall LPC. The LPC is configured with multiple subinterfaces, over which the platform sends the logging service traffic out to a customer's switch, which can be connected to multiple logging servers.

Each LPC subinterface can be configured with a subinterface name and a dotted subinterface number. The subinterface is assigned to a virtual system, which is configured for logging services. The other service routes on a PA-7000 Series firewall function similarly to service routes on other Palo Alto Networks platforms. For information about the LPC itself, see the PA-7000 Series Hardware Reference Guide.

If you have enabled multi-virtual system capability on your PA-7000 Series firewall, you can configure logging for different virtual systems as described in the following workflow.

Configure a PA-7000 Series Firewall Subinterface for Service Routes per Virtual System
Configure Administrative Access Per Virtual System or Firewall

If you have a superuser administrative account, you can create and configure granular permissions for a vsysadmin or deviceadmin role.

Create an Admin Role Profile Per Virtual System or Firewall
Virtual System Functionality with Other Features

Many firewall features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual systems are mentioned in other relevant locations in the documentation and that information is not repeated here. Some of the specific chapters are the following:
If you are configuring Active/Passive HA, the two firewalls must have the same virtual system capability (single or multiple virtual system capability). See High Availability.
To configure QoS for virtual systems, see Configure QoS for a Virtual System.
For information about configuring a firewall with virtual systems in a virtual wire deployment that uses subinterfaces (and VLAN tags), see Virtual Wire Interfaces.
Network Segmentation Using Zones
The larger the network, the more difficult it is to protect. A large, unsegmented network presents a large attack surface with more weaknesses and vulnerabilities. Because traffic and applications have access to the entire network, once an attacker gains entry to a network, the attacker can move laterally through the network to access critical data. A large network is also more difficult to monitor and control. Segmenting the network limits an attacker's ability to move through the network by preventing lateral movement between zones.
A security zone is a group of one or more physical or virtual firewall interfaces and the network segments connected to the zone's interfaces. You control protection for each zone individually so that each zone receives the specific protections it needs. For example, a zone for the finance department may not need to allow all of the applications that a zone for IT allows.
To fully protect your network, all traffic must flow through the firewall. Configure Interfaces and Zones to create separate zones for different functional areas such as the internet gateway, sensitive data storage, and business applications, and for different organizational groups such as finance, IT, marketing, and engineering. Wherever there is a logical division of functionality, application usage, or user access privileges, you can create a separate zone to isolate and protect the area and apply the appropriate security policy rules to prevent unnecessary access to data and applications that only one or some groups need to access. The more granular the zones, the greater the visibility and control you have over network traffic. Dividing your network into zones helps to create a Zero Trust architecture that executes a security philosophy of trusting no users, devices, applications, or packets, and verifying everything. The end goal is to create a network that allows access only to the users, devices, and applications that have legitimate business needs, and to deny all other traffic.
How to appropriately restrict and permit access to zones depends on the network environment. For example, environments such as semiconductor manufacturing floors or robotic assembly plants, where the workstations control sensitive manufacturing equipment, or highly restricted access areas, may require physical segmentation that permits no access from outside devices (no mobile device access).
In environments where users can access the network with mobile devices, enabling User-ID and App-ID in conjunction with segmenting the network into zones ensures that users receive the appropriate access privileges regardless of where they access the network, because access privileges are tied to a user or a user group instead of to a device in one particular zone.
The protection requirements for different functional areas and groups may also differ. For example, a zone that handles a large amount of traffic may require different flood protection thresholds than a zone that normally handles less traffic. The ability to define the appropriate protection for each zone is another reason to segment the network. What appropriate protection is depends on your network architecture, what you want to protect, and what traffic you want to permit and deny.
How Do Zones Protect the Network?
Zones not only protect your network by segmenting it into smaller, more easily controlled areas, zones also protect the network because you can control access to zones and traffic movement between zones.
Zones prevent uncontrolled traffic from flowing through the firewall interfaces into your network because firewall interfaces can't process traffic until you assign them to zones. The firewall applies zone protection on ingress interfaces, where traffic enters the firewall in the direction of flow from the originating client to the responding server (c2s), to filter traffic before it enters a zone.
The firewall interface type and the zone type (Tap, virtual wire, L2, L3, Tunnel, or External) must match, which helps to protect the network against admitting traffic that doesn't belong in a zone. For example, you can assign an L2 interface to an L2 zone or an L3 interface to an L3 zone, but you can't assign an L2 interface to an L3 zone.
In addition, a firewall interface can belong to one zone only. Traffic destined for different zones can't use the same interface, which helps to prevent inappropriate traffic from entering a zone and enables you to configure the protection appropriate for each individual zone. You can connect more than one firewall interface to a zone to increase bandwidth, but each interface can connect to only one zone.
After the firewall admits traffic to a zone, traffic flows freely within that zone and is not logged. The smaller you make each zone, the greater the control you have over the traffic that accesses each zone, and the more difficult it is for malware to move laterally across the network between zones. Traffic can't flow between zones unless a security policy rule allows it and the zones are of the same zone type (Tap, virtual wire, L2, L3, Tunnel, or External). For example, a security policy rule can allow traffic between two L3 zones, but not between an L3 zone and an L2 zone. The firewall logs traffic that flows between zones when a security policy rule permits interzone traffic.
By default, security policy rules prevent lateral movement of traffic between zones, so malware can't gain access to one zone and then move freely through the network to other targets.
Tunnel zones are for non-encrypted tunnels. You can apply different security policy rules to the tunnel content and to the zone of the outer tunnel, as described in the Tunnel Content Inspection Overview.
Zone Defense
Zone protection defends zones from flooding, reconnaissance, packet-based, and protocol-based attacks with zone protection profiles, and from targeted flooding and resource attacks with denial-of-service (DoS) protection profiles and DoS protection policy rules, to complement next-generation firewall features such as App-ID and User-ID. A DoS attack overloads the network with large amounts of unwanted traffic in an attempt to disrupt network services.
Unlike security policy rules, there are no default zone protection profiles or DoS protection profiles and DoS protection policy rules. You configure and apply zone protection based on the way you segment your network into zones and on what you want to protect in each zone.
- Zone Defense Tools
- How Do the Zone Defense Tools Work?
- Zone Protection Profiles
- Packet Buffer Protection
- DoS Protection Profiles and Policy Rules
Zone Defense Tools
Palo Alto Networks firewalls provide three complementary tools to protect the zones in your network:
- Zone protection profiles defend the zone at the ingress zone edge against reconnaissance port scan and host sweep attacks, IP packet-based attacks, non-IP protocol attacks, and against flood attacks by limiting the number of connections per second of different packet types. The ingress zone is where traffic enters the firewall in the direction of flow from the client to the server (c2s), where the client is the originator of the flow and the server is the responder. The egress zone is where traffic enters the firewall in the direction of flow from the server to the client (s2c).
Zone protection profiles provide broad defense of the entire zone based on the aggregate traffic entering the zone, protecting against flood attacks and undesirable packet types and options. Zone protection profiles don't control traffic between zones, they control traffic only at the ingress zone. Zone protection profiles don't take individual IP addresses into account because they apply to the aggregate traffic entering the zone (DoS protection policy rules defend individual IP addresses in a zone).
Use zone protection profiles as a first pass to detect and remove non-compliant traffic. Zone protection profiles defend the network as the session is formed, before the firewall performs DoS protection policy and security policy rule lookups, and consume fewer CPU cycles than a DoS protection policy or security policy rule lookup. If a zone protection profile denies traffic, the firewall doesn't spend CPU cycles on policy rule lookups.
- DoS protection profiles and DoS protection policy rules defend against flood attacks and protect specific individual endpoints and resources. The difference between flood protection using a zone protection profile and using a DoS protection profile is that a zone protection profile defends an entire ingress zone based on the aggregate traffic flowing into the zone, while a DoS protection policy rule applies a DoS protection profile that can protect specific IP addresses and address groups, users, zones, and interfaces, so DoS protection is more granular and targeted than a zone protection profile.
A DoS protection profile sets flood protection thresholds (connections per second limits), resource protection thresholds (session limits for specified endpoints and resources), and whether the profile applies to aggregate or classified traffic.
A DoS protection policy rule specifies:
  - Source, destination, and services match criteria.
  - The action to take when traffic matches the rule.
  - Logging and scheduling options.
  - The aggregate or classified DoS protection profile the rule applies to matching traffic when protecting resources.
Aggregate DoS protection profiles and policy rules apply to all of the traffic that matches the specified source, destination, and services. Classified DoS protection profiles and policy rules protect only the traffic that matches the source, destination, or source-and-destination pair IP addresses and the services specified in the DoS protection policy rule.
- Security policy rules affect both the ingress (c2s) and egress (s2c) flows of a session. To establish a session, the incoming traffic must match an existing security policy rule (including the default rules). If there is no match, the firewall discards the packet.
A Security Policy can protect zones by controlling traffic between zones (interzone) and within zones (intrazone) using criteria including zones, IP addresses, users, applications, services, and URL categories. The default security policy rules do not permit traffic to travel between zones, so you need to configure a security rule if you want to allow interzone traffic. All intrazone traffic is allowed by default. You can configure security policy rules to match and control intrazone, interzone, or universal (intrazone and interzone) traffic.
Zone protection profiles, DoS protection profiles and policy rules, and security policy rules only affect dataplane traffic on the firewall. Traffic originating on the firewall management interface does not cross the dataplane, so the firewall does not match management traffic against these profiles or policy rules.
How Do the Zone Defense Tools Work?
When a packet arrives at the firewall, the firewall attempts to match the packet to an existing session, based on the ingress zone, egress zone, source IP address, destination IP address, protocol, and application derived from the packet header. If the firewall finds a match, then the packet uses the security policy rules that already control the session.
If the packet does not match an existing session, the firewall uses zone protection profiles, DoS protection profiles and policy rules, and security policy rules to determine whether to establish a session or discard the packet, and the level of access the packet receives.
The first protection the firewall applies is the broad edge defense of the zone protection profile, if one exists for the zone. The firewall determines the zone from the interface on which the packet arrives (each interface is assigned to one zone only and all interfaces that carry traffic must belong to a zone). If the zone protection profile denies the packet, the packet is discarded and no DoS protection policy rule or security policy lookup occurs. The firewall applies zone protection profiles only to packets that do not match an existing session. After the firewall establishes a session, the firewall bypasses the zone protection profile lookup for succeeding packets in that session.
The second protection the firewall applies is a DoS protection policy rule lookup. Even if a zone protection profile allows a packet based on the total amount of traffic going to the zone, a DoS protection policy rule and protection profile may deny the packet if it is going to a particular destination or coming from a particular source that has exceeded the flood protection or resource protection settings in the rule's DoS protection profile. If the packet matches a DoS protection policy rule, the firewall applies the rule to the packet. If the rule denies access, the firewall discards the packet and does not perform a security policy lookup. If the rule allows access, the firewall performs a security policy lookup. The DoS protection policy rule is enforced only on new sessions.
The third protection the firewall applies is a Security Policy lookup, which happens only if the zone protection profile and DoS protection policy rules allow the packet. If the firewall finds no security policy rule match for the packet, the firewall discards the packet. If the firewall finds a matching security policy rule, the firewall applies the rule to the packet. The firewall enforces the security policy rule on traffic in both directions (c2s and s2c) for the life of the session.
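The three-stage order described above, as an added example that is not Palo Alto Networks code: a simplified Python model in which a packet that matches an existing session bypasses the lookups, a new packet is checked by the ingress zone's zone protection profile first, then by the first matching DoS protection policy rule (aggregate profile before classified profile), and finally by security policy (interzone denied unless a rule allows it, intrazone allowed by default). Zone names, thresholds and packets are constructed for illustration; per-second counters are simplified to a single interval.

```python
"""Added example (not Palo Alto Networks code): a model of the order in which
PAN-OS applies zone defense to a packet that does not match an existing session:
zone protection profile -> DoS protection policy rule -> security policy lookup.
All names, limits and sample packets are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp", "icmp"
    app: str            # application derived from the packet
    ingress_zone: str
    egress_zone: str


@dataclass
class ZoneProtectionProfile:
    # Aggregate connections-per-second limit per flood type for the ingress zone.
    max_cps: dict       # e.g. {"udp": 5000}


@dataclass
class DoSProtectionRule:
    match_zone: str
    match_proto: str            # "any" or a protocol
    action: str                 # "allow", "deny", "protect"
    aggregate_max_cps: int = 0  # 0 = no aggregate profile attached
    classified_max_cps: int = 0 # per source IP; 0 = no classified profile


@dataclass
class SecurityRule:
    src_zone: str
    dst_zone: str
    app: str                    # "any" or an application name
    action: str                 # "allow" or "deny"


class ZoneDefense:
    def __init__(self, zone_profiles, dos_rules, security_rules):
        self.zone_profiles = zone_profiles    # zone name -> ZoneProtectionProfile
        self.dos_rules = dos_rules
        self.security_rules = security_rules
        self.sessions = set()                 # keys of established sessions
        # Counters for the current one-second interval (simplification).
        self.zone_cps = defaultdict(int)      # (zone, proto) -> new connections
        self.dos_agg_cps = defaultdict(int)   # rule index -> new connections
        self.dos_cls_cps = defaultdict(int)   # (rule index, src_ip) -> new connections

    @staticmethod
    def _session_key(p):
        return (p.ingress_zone, p.egress_zone, p.src_ip, p.dst_ip, p.proto, p.app)

    def process(self, p: Packet) -> str:
        key = self._session_key(p)
        if key in self.sessions:
            # Existing session: zone protection and DoS lookups are bypassed.
            return "allow:existing-session"
        # 1. Zone protection profile on the ingress zone (aggregate, no per-IP view).
        zpp = self.zone_profiles.get(p.ingress_zone)
        if zpp is not None:
            self.zone_cps[(p.ingress_zone, p.proto)] += 1
            limit = zpp.max_cps.get(p.proto)
            if limit is not None and self.zone_cps[(p.ingress_zone, p.proto)] > limit:
                return "drop:zone-protection"   # no DoS or security lookup follows
        # 2. First matching DoS protection policy rule.
        for i, r in enumerate(self.dos_rules):
            if r.match_zone != p.ingress_zone or r.match_proto not in ("any", p.proto):
                continue
            if r.action == "deny":
                return "drop:dos-rule-deny"     # no security lookup follows
            if r.action == "protect":
                # Aggregate thresholds are enforced before classified thresholds.
                if r.aggregate_max_cps:
                    self.dos_agg_cps[i] += 1
                    if self.dos_agg_cps[i] > r.aggregate_max_cps:
                        return "drop:dos-aggregate"
                if r.classified_max_cps:
                    self.dos_cls_cps[(i, p.src_ip)] += 1
                    if self.dos_cls_cps[(i, p.src_ip)] > r.classified_max_cps:
                        return "drop:dos-classified"
            break   # "allow", or "protect" within limits: go on to security policy
        # 3. Security policy: interzone denied and intrazone allowed by default.
        for s in self.security_rules:
            if (s.src_zone == p.ingress_zone and s.dst_zone == p.egress_zone
                    and s.app in ("any", p.app)):
                if s.action == "allow":
                    self.sessions.add(key)
                    return "allow:security-rule"
                return "drop:security-rule"
        if p.ingress_zone == p.egress_zone:
            self.sessions.add(key)
            return "allow:default-intrazone"
        return "drop:default-interzone"
```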
Zone Protection Profiles
Apply a zone protection profile to a zone to defend the entire zone based on the aggregate traffic entering the ingress zone:
- Flood Protection
- Reconnaissance Protection
- Packet-Based Attack Protection
- Protocol Protection
Flood Protection
A zone protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP floods. The firewall measures the aggregate amount of each flood type ingressing the zone in connections per second and compares the total to the thresholds configured in the zone protection profile.
For each flood type, you set three thresholds:
- Alarm Rate: The number of connections per second to trigger an alarm.
- Activate: The number of connections per second to activate the flood protection mechanism. For ICMP, ICMPv6, UDP, and other IP floods, the protection mechanism is Random Early Drop (RED, also known as Random Early Detection), and packets begin to drop when the number of connections per second reaches the Activate threshold. For SYN floods, the protection mechanism can be RED or SYN cookies. SYN cookies do not drop packets. As the number of connections per second increases above the Activate threshold, the firewall drops more packets when RED is the protection mechanism.
- Maximum: The number of connections per second to drop incoming packets when RED is the protection mechanism.
If the number of connections per second exceeds a threshold, the firewall generates an alarm, activates the drop mechanism, or drops all packets when RED is the protection mechanism.
For SYN packets only, you can select SYN Cookies instead of dropping the packets with RED. When you use SYN Cookies, the firewall acts as a proxy for the target server and responds to the SYN request by generating a SYN-ACK packet and corresponding cookie on behalf of the target. When the firewall receives an ACK packet from the initiator with the correct cookie, the firewall forwards the SYN packet to the target server. The advantage to using SYN cookies instead of RED is that the firewall drops the offending packets and treats legitimate connections fairly. Because RED randomly drops connections, RED impacts some legitimate traffic. However, using SYN cookies instead of RED uses more firewall resources because the firewall handles the three-way SYN handshake for the target. The tradeoff is using more firewall resources versus not dropping legitimate traffic with RED and offloading the SYN handshake from the target.
Adjust the default threshold values in a zone protection profile to the levels appropriate for your network. The default values are high so that activating a zone protection profile does not unexpectedly drop legitimate traffic.
Adjust the thresholds for your environment by taking a baseline measurement of the peak traffic load for each flood type to determine the normal traffic load for the zone. Set Alarm Rate thresholds at 15-20 percent above the baseline number of connections per second and monitor the alarms to see if the threshold is reasonable for the legitimate traffic load. Because the normal traffic load experiences some fluctuation, it is best not to drop packets too aggressively.
While determining a baseline and testing the Alarm Rate threshold, set the Activate and Maximum thresholds to a high number to avoid dropping legitimate packets if the thresholds are too aggressive. After you determine a reasonable Alarm Rate threshold, set Activate and Maximum thresholds to drop packets when traffic increases enough beyond normal to indicate a flood attack. Continue to monitor traffic and adjust the thresholds to meet your security objectives and to ensure that the thresholds don't drop legitimate traffic but do prevent unwanted spikes in traffic volume.
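The three flood thresholds and the baseline tuning advice above, as an added Python example that is not Palo Alto Networks code: it evaluates what happens at a given aggregate connections-per-second rate (alarm, RED activation, drop-all at Maximum, or SYN cookies proxying instead of dropping) and derives an Alarm Rate 15-20 percent above a measured peak. The linear ramp of the RED drop probability between Activate and Maximum is an assumption for illustration; the guide only states that RED drops more packets as the rate rises above Activate.

```python
"""Added example (not Palo Alto Networks code): a model of the Alarm Rate,
Activate and Maximum flood thresholds of a zone protection profile, the RED and
SYN cookies mechanisms, and the baseline-based Alarm Rate tuning rule.
The linear RED ramp between Activate and Maximum is an assumption."""
import random
from dataclasses import dataclass


@dataclass
class FloodThresholds:
    alarm_rate: int   # cps that raises an alarm (set 15-20% above measured peak)
    activate: int     # cps that activates the protection mechanism
    maximum: int      # cps at and above which RED drops every new connection

    def __post_init__(self):
        # Thresholds only make sense in this order; the profile UI expects the same.
        if not self.alarm_rate <= self.activate <= self.maximum:
            raise ValueError("thresholds must satisfy alarm <= activate <= maximum")


def red_drop_probability(cps: int, t: FloodThresholds) -> float:
    """Share of new connections RED drops at this rate (assumed linear ramp)."""
    if cps < t.activate:
        return 0.0
    if cps >= t.maximum:
        return 1.0
    return (cps - t.activate) / (t.maximum - t.activate)


def evaluate_flood(flood_type: str, cps: int, t: FloodThresholds,
                   syn_cookies: bool = False) -> dict:
    """What the firewall does at this aggregate cps for one flood type in one zone."""
    alarm = cps >= t.alarm_rate
    active = cps >= t.activate
    if flood_type == "syn" and syn_cookies:
        # SYN cookies proxy the handshake instead of dropping: clients that return
        # the correct cookie get through even above the Maximum threshold.
        mechanism = "syn-cookies" if active else "none"
        drop = 0.0
    else:
        mechanism = "red" if active else "none"
        drop = red_drop_probability(cps, t)
    return {"alarm": alarm, "mechanism": mechanism, "drop_probability": drop}


def alarm_rate_from_baseline(peak_cps: int, headroom: float = 0.15) -> int:
    """Alarm Rate = measured peak legitimate cps plus 15-20 percent headroom."""
    if not 0.15 <= headroom <= 0.20:
        raise ValueError("headroom should be between 0.15 and 0.20")
    return int(round(peak_cps * (1 + headroom)))


def simulate_red(new_conns: int, cps: int, t: FloodThresholds, seed: int = 1) -> int:
    """Count connections that survive RED at a given rate (seeded for repeatability)."""
    rng = random.Random(seed)
    p = red_drop_probability(cps, t)
    return sum(1 for _ in range(new_conns) if rng.random() >= p)
```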
A major difference between flood protection using a zone protection profile and a DoS protection profile is where the firewall applies flood protection. Zone protection profiles apply to an entire zone, while DoS protection profiles apply only to the IP addresses, zones, and users specified in the DoS protection policy rule associated with the profile.
Reconnaissance Protection
Similar to the military definition of reconnaissance, the network security definition of reconnaissance is when attackers attempt to gain information about your network's vulnerabilities by secretly probing the network to find weaknesses. Reconnaissance activities are often preludes to a network attack.
Zone protection profiles with reconnaissance protection enabled defend against port scans and host sweeps:
- Port scans discover open ports on a network. A port scanning tool sends client requests to a range of port numbers on a host, with the goal of locating an active port to exploit in an attack. Zone protection profiles defend against both TCP and UDP port scans.
- Host sweeps examine multiple hosts to determine if a specific port is open and vulnerable.
You can use reconnaissance tools for legitimate purposes such as white hat testing of network security or the strength of a firewall. You can specify up to 20 IP addresses or netmask address objects to exclude from reconnaissance protection so that your internal IT department can conduct white hat tests to find and fix network vulnerabilities.
You can set the action to take when reconnaissance traffic (excluding white hat traffic) exceeds the configured threshold when you Configure Reconnaissance Protection.
Packet-Based Attack Protection
Packet-based attacks take many forms. Zone protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6 packet header parameters and protect a zone by:
- Dropping packets with undesirable characteristics.
- Stripping undesirable options from packets before admitting them to the zone.
You select the drop characteristics for each packet type when you Configure Packet-Based Attack Protection.
For example, you can drop malformed IP packets, TCP SYN and SYN-ACK packets that contain data, fragmented ICMP packets, and so on. Each packet type has a set of characteristics and options that you select to control whether the firewall drops a packet. Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions includes some specific recommendations for configuring packet-based attack protection.
Protocol Protection
While packet-based attack protection defends against Layer 3 packet-based attacks, protocol protection defends against non-IP protocol packets. The protocol protection portion of a zone protection profile blocks or allows non-IP protocol packets between security zones on a Layer 2 VLAN or on a virtual wire or between interfaces within a single zone on a Layer 2 VLAN. Configure Protocol Protection to reduce security risks and facilitate regulatory compliance by preventing less secure protocol packets from entering a zone, or an interface in a zone, where they don't belong.
Examples of non-IP protocols that you can block (exclude) or allow (include) are AppleTalk, Banyan VINES, LLDP, NetBEUI, Spanning Tree, and Supervisory Control and Data Acquisition (SCADA) systems such as Generic Object Oriented Substation Event (GOOSE), among many others.
You can run App-ID reports to determine whether any non-IP protocol packets are arriving at Layer 2 interfaces on the firewall. Apply the zone protection profile to an ingress security zone for physical interfaces or AE interfaces, thereby controlling interzone traffic (where the protocol packets attempt to enter one zone from another) or intrazone traffic (where the protocol packets traverse a single zone VLAN between its interfaces).
Each Include List or Exclude List you configure supports up to 64 Ethertype entries, each identified by its IEEE hexadecimal Ethertype code. Other sources of Ethertype codes are standards.ieee.org/develop/regauth/ethertype/eth.txt and http://www.cavebear.com/archive/cavebear/Ethernet/type.html.
Protocol protection doesn't let you block IPv4 (Ethertype 0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN-tagged frames (0x8100). These four Ethertypes are always implicitly allowed in an Include List without listing them. They're also implicitly allowed even if you configure an Exclude List; you can't exclude them.
When you configure zone protection for non-IP protocols on zones that have Aggregated Ethernet (AE) interfaces, you can't block or allow a non-IP protocol on only one AE interface because AE interfaces are treated as a group.
Packet Buffer Protection
Packet buffer protection allows you to protect your firewall and network from single-session DoS attacks that can overwhelm the firewall's packet buffer and cause legitimate traffic to drop. Although you don't Configure Packet Buffer Protection in a zone protection profile or in a DoS protection profile or policy rule, packet buffer protection defends zones and you enable it when you configure or edit a zone (Network > Zones).
When you enable packet buffer protection, the firewall monitors sessions from all zones and how each session utilizes the packet buffer. If a session exceeds a configured percentage of packet buffer utilization and traverses an ingress zone with packet buffer protection enabled, then the firewall takes action against that session. The firewall begins by creating an alert log in the System log when a session reaches the first threshold. If a session reaches the second threshold, the firewall mitigates the abuse by implementing Random Early Drop (RED) to throttle the session. If the firewall cannot reduce packet buffer utilization using RED, the Block Hold Time timer begins counting down. When the timer expires, the firewall takes additional mitigation steps (session discard or IP block). The block duration defines how long a session remains discarded or an IP address remains blocked after reaching the block hold time.
In addition to monitoring the buffer utilization of individual sessions, packet buffer protection can also block an IP address if certain criteria are met. While the firewall monitors the packet buffers, if it detects a source IP address rapidly creating sessions that would not individually be seen as an attack, it blocks that IP address.
DoS Protection Profiles and Policy Rules
DoS protection profiles and DoS protection policy rules combine to protect specific areas of your network against packet flood attacks and to protect individual resources against session floods.
DoS protection profiles set the protection thresholds to provide DoS Protection Against Flooding of New Sessions for IP floods (connections per second limits), to provide resource protection (maximum concurrent session limits for specified endpoints and resources), and to configure whether the profile applies to aggregate or classified traffic. DoS protection policy rules control where to apply DoS protection and what action to take when traffic matches the criteria defined in the rule.
Unlike a zone protection profile, which protects only the ingress zone, DoS protection profiles and policy rules can protect specific resources inside a zone and traffic flowing between different endpoints and areas. Also unlike a zone protection profile, which supports only aggregate traffic, you can configure aggregate or classified DoS protection profiles and policy rules.
- DoS Protection Policy Rules
- DoS Protection Profiles
DoS Protection Policy Rules
DoS protection policy rules provide granular matching criteria so that you have flexibility in defining what you want to protect:
- Source zone or interface
- Destination zone or interface
- Source IP addresses and address ranges, address group objects, and countries
- Destination IP addresses and address ranges, address group objects, and countries
- Services (by port and protocol)
- Users
The flexible matching criteria enable you to protect entire zones or subnets, a single server, or anything in between. When traffic matches a DoS protection policy rule, the firewall takes one of three actions:
- Deny: The firewall denies access and doesn't apply a DoS protection profile. Denying essentially blacklists traffic that matches the rule.
- Allow: The firewall permits access and doesn't apply a DoS protection profile. Allowing essentially whitelists traffic that matches the rule.
- Protect: The firewall applies the specified DoS protection profile or profiles. A DoS protection policy rule can have one aggregate DoS protection profile and one classified DoS protection profile. Incoming packets count against both DoS protection profiles if they match the rule. The Protect action protects against floods by applying the thresholds set in the DoS protection profile or profiles to traffic that matches the rule.
The firewall only applies DoS protection profiles if the Action is Protect. If the DoS protection policy rule's Action is Protect, specify the appropriate aggregate and/or classified DoS protection profile in the rule so that the firewall applies the DoS protection profile to traffic that matches the rule.
You can attach both an aggregate and a classified DoS protection profile to a DoS protection policy rule. The firewall checks and enforces the aggregate rate limits before it checks the classified rate limits, so if the match criteria matches both profiles, the thresholds in the aggregate profile are used first.
DoS Protection Profiles
When you create DoS protection policy rules, you apply DoS protection profiles to the policy rules if the rules have an action of Protect (if the action is Deny or Allow, no DoS protection profile is used).
Configuring flood protection thresholds in a DoS protection profile is similar to configuring Flood Protection in a zone protection profile. The difference is where you apply flood protection. Applying flood protection with a zone protection profile protects the ingress zone, while applying flood protection with a DoS protection profile and policy rule is more granular and targeted, and can even be classified to a single IP address.
For both aggregate and classified DoS protection profiles, as with zone protection profiles, you can:
- Configure SYN, UDP, ICMP, ICMPv6, and other IP flood protection.
- Set alarm, activate, and maximum connections-per-second thresholds. When incoming connections per second reach the activate threshold, the firewall begins to drop packets. When the incoming connections per second reach the maximum threshold, the firewall drops additional incoming connections.
- Use SYN cookies instead of RED for SYN flood packets.
The advice in zone protection profile Flood Protection about adjusting the default flood threshold values for your network's traffic is valid for setting DoS protection profile flood protection thresholds. Take a baseline measurement of peak traffic loads over a period of time and adjust the flood thresholds to allow the expected legitimate traffic load and to throttle or drop traffic when the load indicates a flood attack. Monitor the traffic and continue to adjust the thresholds until they meet your protection objectives.
Configuring resource protection thresholds in a DoS protection profile sets the maximum number of concurrent sessions that a resource supports. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. You define the resource you are protecting in a DoS protection policy rule by the resource's source IP address, destination IP address, or the source and destination IP address pair.
An aggregate DoS protection profile applies to all of the traffic that matches the associated DoS protection policy rule, for all sources, destinations, and services allowed for that rule. A classified DoS protection profile can enforce different session rate limits for different groups of end hosts or even for one particular end host.
Here are some examples of what you can do with a classified DoS protection profile:
- To prevent hosts on your network from starting a DoS attack, you can monitor the rate of traffic each host in a source address group initiates. To do this, set an appropriate alarm threshold in a DoS protection profile to notify you if a host initiates an unusually large amount of traffic, and create a DoS protection policy rule that applies the profile to the source address group. Investigate any hosts that initiate enough traffic to set off the alarm.
- To protect critical web or DNS servers on your network, protect the individual servers. To do this, set appropriate flooding and resource protection thresholds in a DoS protection profile, and create a DoS protection policy rule that applies the profile to each server's IP address by adding the IP addresses as the rule's destination criteria.
- Track the flow between a pair of endpoints by setting appropriate thresholds in the DoS protection profile and creating a DoS protection policy rule that specifies the source and destination IP addresses of the endpoints as the matching criteria.
Do not use source IP classification for internet-facing zones in classified DoS protection policy rules. The firewall does not have the capacity to store counters for every possible IP address on the internet.
Configure Zone Protection to Increase Network Security
The following topics provide zone protection configuration examples:
- Configure Reconnaissance Protection
- Configure Packet-Based Attack Protection
- Configure Protocol Protection
- Configure Packet Buffer Protection
Configure Reconnaissance Protection
Configure one of the following Reconnaissance Protection actions for the firewall to take in response to the corresponding reconnaissance attempt:
- Allow: The firewall allows the port scan or host sweep reconnaissance to continue.
- Alert: The firewall generates an alert for each port scan or host sweep that matches the configured threshold within the specified time interval. Alert is the default action.
- Block: The firewall drops all subsequent packets from the source to the destination for the remainder of the specified time interval.
- Block IP: The firewall drops all subsequent packets for the specified Duration, in seconds (the range is 1-3,600). Track By determines whether the firewall blocks source or source-and-destination traffic.
Configure Packet-Based Attack Protection
To enhance security for a zone, Packet-Based Attack Protection allows you to specify whether the firewall drops IP, IPv6, TCP, ICMP, or ICMPv6 packets that have certain characteristics or strips certain options from the packets.
For example, you can drop TCP SYN and SYN-ACK packets that contain data in the payload during a TCP three-way handshake. A Zone Protection profile by default is set to drop SYN and SYN-ACK packets with data (you must apply the profile to the zone).
The TCP Fast Open option (RFC 7413) preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. A Zone Protection profile treats handshakes that use the TCP Fast Open option separately from other SYN and SYN-ACK packets; the profile by default is set to allow the handshake packets if they contain a valid Fast Open cookie.
If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.
Configure Protocol Protection
Protect virtual wire or Layer 2 security zones from non-IP protocol packets by using Protocol Protection.
- Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces
- Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces
Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces
In this use case, the firewall is in a Layer 2 VLAN divided into two subinterfaces. VLAN 100 is 192.168.100.1/24, subinterface .6. VLAN 200 is 192.168.100.1/24, subinterface .7. Non-IP protocol protection applies to ingress zones. In this use case, if the Internet zone is the ingress zone, the firewall blocks the Generic Object Oriented Substation Event (GOOSE) protocol. If the User zone is the ingress zone, the firewall allows the GOOSE protocol. The firewall implicitly allows IPv4, IPv6, ARP, and VLAN-tagged frames in both zones.
Provide Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces
Step 2: Configure protocol protection in a Zone Protection profile to block GOOSE protocol packets.
1. Select Network > Network Profiles > Zone Protection and Add a profile.
2. Enter the Name BlockGOOSE.
3. Select Protocol Protection.
4. Choose Rule Type of Exclude List.
5. Enter the Protocol Name, GOOSE, to easily identify the Ethertype on the list. The firewall doesn't verify that the name you enter matches the Ethertype code; it uses only the Ethertype code to filter.
6. Enter Ethertype code 0x88B8. The Ethertype must be preceded by 0x to indicate a hexadecimal value. Range is 0x0000 to 0xFFFF.
7. Select Enable to enforce the protocol protection. You can disable a protocol on the list, for example, for testing.
8. Click OK.
Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces
If you don't implement a Zone Protection profile with non-IP protocol protection, the firewall allows non-IP protocols in a single zone to go from one Layer 2 interface to another. In this use case, blacklisting LLDP packets ensures that LLDP for one network doesn't discover a network reachable through another interface in the zone.
In the following figure, the Layer 2 VLAN named Datacenter is divided into two subinterfaces: 192.168.1.1/24, subinterface .7 and 192.168.1.2/24, subinterface .8. The VLAN belongs to the User zone. By applying a Zone Protection profile that blocks LLDP to the User zone:
- Subinterface .7 blocks LLDP from its switch to the firewall at the red X on the left, preventing that traffic from reaching subinterface .8.
- Subinterface .8 blocks LLDP from its switch to the firewall at the red X on the right, preventing that traffic from reaching subinterface .7.
Provide Non-IP Protocol Protection Within a Single Zone on Layer 2 Interfaces
Step 4: Block non-IP protocol packets in a Zone Protection profile.
1. Select Network > Network Profiles > Zone Protection and Add a profile.
2. Enter the Name, in this example, BlockLLDP.
3. Enter a profile Description: Block LLDP packets from an LLDP network to other interfaces in the zone (intrazone).
4. Select Protocol Protection.
5. Choose Rule Type of Exclude List.
6. Enter Protocol Name LLDP.
7. Enter Ethertype code 0x88cc. The Ethertype must be preceded by 0x to indicate a hexadecimal value.
8. Select Enable.
9. Click OK.
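The Protocol Protection list semantics explained in the Protocol Protection section and exercised by the two use cases above (BlockGOOSE with Ethertype 0x88B8, BlockLLDP with 0x88cc), as an added Python example that is not Palo Alto Networks code: it models an Include or Exclude List with the rules the guide states (0x-prefixed hex codes in 0x0000-0xFFFF, at most 64 entries, the protocol name is a label only, disabled entries are not enforced, and IPv4, IPv6, ARP and VLAN-tagged frames are always allowed) and filters constructed sample frames through both use-case profiles.

```python
"""Added example (not Palo Alto Networks code): a model of a zone protection
profile's Protocol Protection Include/Exclude List for non-IP Ethertypes.
Sample frames and profile names are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# The four Ethertypes the guide says can never be excluded and need not be included.
IMPLICIT_ALLOW = {0x0800, 0x86DD, 0x0806, 0x8100}   # IPv4, IPv6, ARP, VLAN-tagged
MAX_ENTRIES = 64                                    # per Include or Exclude List
_CODE_RE = re.compile(r"^0x[0-9A-Fa-f]{1,4}$")      # 0x-prefixed, 0x0000-0xFFFF


def parse_ethertype(code: str) -> int:
    """Accept only the 0x-prefixed hexadecimal form the profile requires."""
    if not _CODE_RE.match(code):
        raise ValueError(f"Ethertype code must be 0x0000-0xFFFF with 0x prefix: {code!r}")
    return int(code, 16)


@dataclass(frozen=True)
class ProtocolEntry:
    name: str          # label only; the firewall filters on the code, never the name
    code: int
    enabled: bool = True


class ProtocolProtection:
    def __init__(self, profile_name: str, rule_type: str):
        if rule_type not in ("include", "exclude"):
            raise ValueError("rule_type must be 'include' or 'exclude'")
        self.profile_name = profile_name
        self.rule_type = rule_type
        self.entries: List[ProtocolEntry] = []

    def add(self, name: str, code: str, enabled: bool = True) -> None:
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"list already holds {MAX_ENTRIES} entries")
        self.entries.append(ProtocolEntry(name, parse_ethertype(code), enabled))

    def allows(self, ethertype: int) -> bool:
        """Decide whether a frame with this Ethertype may enter the ingress zone."""
        if ethertype in IMPLICIT_ALLOW:
            return True    # always admitted, whatever the list type says
        listed = any(e.code == ethertype for e in self.entries if e.enabled)
        # Include List: only listed Ethertypes pass. Exclude List: listed ones are blocked.
        return listed if self.rule_type == "include" else not listed


def filter_frames(profile: ProtocolProtection, frames):
    """Split constructed (label, ethertype) frames into (allowed, blocked) lists."""
    allowed = [f for f in frames if profile.allows(f[1])]
    blocked = [f for f in frames if not profile.allows(f[1])]
    return allowed, blocked


# Constructed sample frames arriving on a Layer 2 ingress zone.
SAMPLE_FRAMES: List[Tuple[str, int]] = [
    ("ipv4", 0x0800), ("arp", 0x0806), ("vlan", 0x8100),
    ("goose", 0x88B8), ("lldp", 0x88CC), ("appletalk", 0x809B),
]


def block_goose_profile() -> ProtocolProtection:
    """The BlockGOOSE Exclude List from the interzone use case."""
    p = ProtocolProtection("BlockGOOSE", "exclude")
    p.add("GOOSE", "0x88B8")
    return p


def block_lldp_profile() -> ProtocolProtection:
    """The BlockLLDP Exclude List from the intrazone use case."""
    p = ProtocolProtection("BlockLLDP", "exclude")
    p.add("LLDP", "0x88cc")
    return p
```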
ConfigurePacketBufferProtection
YouconfigurePacketBufferProtectionsettingsgloballyandthenapplythemperingresszone.Whenthe
firewalldetectshighbufferutilization,thefirewallonlymonitorsandtakesactionagainstsessionsfrom
zoneswithpacketbufferprotectionenabled.Therefore,iftheabusivesessionisfromazonewithoutpacket
bufferprotection,thehighpacketbufferutilizationcontinues.Packetbufferprotectioncanbeappliedtoa
zonebutitisnotactiveuntilglobalsettingsareconfiguredandenabled.
EnablePacketBufferProtection
DoS Protection Against Flooding of New Sessions
DoS protection against flooding of new sessions is beneficial against high-volume single-session and multiple-session attacks. In a single-session attack, an attacker uses a single session to target a device behind the firewall. If a Security rule allows the traffic, the session is established and the attacker initiates an attack by sending packets at a very high rate with the same source IP address and port number, destination IP address and port number, and protocol, trying to overwhelm the target. In a multiple-session attack, an attacker uses multiple sessions (or connections per second [cps]) from a single host to launch a DoS attack.
This feature defends against DoS attacks of new sessions only, that is, traffic that has not been offloaded to hardware. An offloaded attack is not protected by this feature. However, this topic describes how you can create a Security policy rule to reset the client; the attacker reinitiates the attack with numerous connections per second and is blocked by the defenses illustrated in this topic.
DoS Protection Profiles and Policy Rules work together to provide protection against flooding of many incoming SYN, UDP, ICMP, and ICMPv6 packets, and other types of IP packets. You determine what thresholds constitute flooding. In general, the DoS Protection profile sets the thresholds at which the firewall generates a DoS alarm, takes action such as Random Early Drop, and drops additional incoming connections. A DoS Protection policy rule that is set to protect (rather than to allow or deny packets) determines the criteria for packets to match (such as source address) in order to be counted toward the thresholds. This flexibility allows you to blacklist certain traffic, or whitelist certain traffic and treat other traffic as DoS traffic. When the incoming rate exceeds your maximum threshold, the firewall blocks incoming traffic from the source address.
- Multiple Session DoS Attack
- Single Session DoS Attack
- Configure DoS Protection Against Flooding of New Sessions
- End a Single Session DoS Attack
- Identify Sessions That Use an Excessive Percentage of the Packet Buffer
- Discard a Session Without a Commit
Multiple Session DoS Attack
Configure DoS Protection Against Flooding of New Sessions by configuring a DoS Protection policy rule, which determines the criteria that, when matched by incoming packets, trigger the Protect action. The DoS Protection profile counts each new connection toward the Alarm Rate, Activate Rate, and Max Rate thresholds. When the incoming new connections per second exceed the Activate Rate, the firewall takes the action specified in the DoS Protection profile.
The following figure and table describe how the Security policy rules, DoS Protection policy rules and profile work together in an example.
Sequence of Events as Firewall Quarantines an IP Address
In this example, an attacker launches a DoS attack at a rate of 10,000 new connections per second to UDP port 53. The attacker also sends 10 new connections per second to HTTP port 80.
The new connections match criteria in the DoS Protection policy rule, such as a source zone or interface, source IP address, destination zone or interface, destination IP address, or a service, among other settings. In this example, the policy rule specifies UDP.
The DoS Protection policy rule also specifies the Protect action and Classified, two settings that dynamically put the DoS Protection profile settings into effect. The DoS Protection profile specifies that a Max Rate of 3000 packets per second is allowed. When incoming packets match the DoS Protection policy rule, new connections per second are counted toward the Alert, Activate, and Max Rate thresholds.
You can also use a Security policy rule to block all traffic from the source IP address if you deem that address to be malicious all the time.
The 10,000 new connections per second exceed the Max Rate threshold. When all of the following occur:
- the threshold is exceeded,
- a Block Duration is specified, and
- Classified is set to include source IP address,
the firewall puts the offending source IP address on the block list.
An IP address on the block list is in quarantine, meaning all traffic from that IP address is blocked. The firewall blocks the offending source IP address before additional attack packets reach the Security policy.
The following figure describes in more detail what happens after an IP address that matches the DoS Protection policy rule is put on the block list. It also describes the Block Duration timer.
Every one second, the firewall allows the IP address to come off the block list so that the firewall can test the traffic patterns and determine if the attack is ongoing. The firewall takes the following action:
- During this one-second test period, the firewall allows packets that don't match the DoS Protection policy criteria (HTTP traffic in this example) through the DoS Protection policy rules to the Security policy for validation. Very few packets, if any, have time to get through because the first attack packet that the firewall receives after the IP address is let off the block list will match the DoS Protection policy criteria, quickly causing the IP address to be placed back on the block list for another second. The firewall repeats this test each second until the attack stops.
- The firewall blocks all attack traffic from going past the DoS Protection policy rules (the address remains on the block list) until the Block Duration expires.
- When the attack stops, the firewall does not put the IP address back on the block list. The firewall allows non-attack traffic to proceed through the DoS Protection policy rules to the Security policy rules for evaluation. You must configure a Security policy rule to allow or deny traffic because without one, an implicit Deny rule denies all traffic.
The block list is based on a source zone and source address combination. This behavior allows duplicate IP addresses to exist as long as they are in different zones belonging to separate virtual routers.
The Block Duration setting in a DoS Protection profile specifies how long the firewall blocks the [offending] packets that match a DoS Protection policy rule. The attack traffic remains blocked until the Block Duration expires, after which the attack traffic must again exceed the Max Rate threshold to be blocked again.
If the attacker uses multiple sessions or bots that initiate multiple attack sessions, the sessions count toward the thresholds in the DoS Protection profile without a Security policy deny or drop rule in place. Hence, a single-session attack requires a Security policy deny or drop rule in order for each packet to count toward the thresholds; a multiple-session attack does not.
Therefore, the DoS protection against flooding of new sessions allows the firewall to efficiently defend against a source IP address while attack traffic is ongoing and to permit non-attack traffic to pass as soon as the attack stops. Putting the offending IP address on the block list allows the DoS protection functionality to take advantage of the block list, which is designed to quarantine all activity from that source IP address, such as packets with a different application. Quarantining the IP address from all activity protects against a modern attacker who attempts a rotating application attack, in which the attacker simply changes applications to start a new attack or uses a combination of different attacks in a hybrid DoS attack. You can Monitor Blocked IP Addresses to view the block list, remove entries from it, and get additional information about an IP address on the block list.
Beginning with PAN-OS 7.0.2, it is a change in behavior that the firewall places the attacking source IP address on the block list. When the attack stops, non-attack traffic is allowed to proceed to Security policy enforcement. The attack traffic that matched the DoS Protection profile and DoS Protection policy rules remains blocked until the Block Duration expires.
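The block-list sequence described above, as an added Python model that is not PAN-OS code: it assumes a DoS Protection policy rule matching UDP/53, a profile Classified by source IP with assumed Alarm/Activate/Max Rates of 1000/2000/3000 cps and a 300-second Block Duration, and a constructed source zone and address. It shows the source's HTTP connections being quarantined while the address is on the block list, the per-zone key, and release once the Block Duration has expired.

```python
"""Model of the block-list behaviour described above: a Classified DoS Protection policy rule
plus a DoS Protection profile counting new connections per second (cps) per source.
Added illustration, not PAN-OS code; thresholds and the rule's match criteria are assumed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class DoSProtectionProfile:
    alarm_rate: int       # cps at which the firewall generates a DoS alarm
    activate_rate: int    # cps at which the profile action (Random Early Drop) begins
    max_rate: int         # cps above which new connections are dropped and the source blocked
    block_duration: int   # seconds a source stays on the block list (0 = no block list entry)

@dataclass
class DoSProtectionRule:
    protocol: str                   # assumed match criterion ("udp" in the guide's example)
    dport: int                      # assumed match criterion (53 in the guide's example)
    profile: DoSProtectionProfile
    classified_by_src: bool = True  # Classified rule that includes the source IP address

class DoSEngine:
    def __init__(self, rule):
        self.rule = rule
        self.block_list = {}          # (source zone, source IP) -> second the entry expires
        self.cps = defaultdict(int)   # (source zone, source IP) -> new connections this second
        self.second = None
        self.alarms = []

    def _tick(self, now):
        # Per-second counters restart each second; expired block-list entries are released.
        if now != self.second:
            self.second = now
            self.cps.clear()
            self.block_list = {k: exp for k, exp in self.block_list.items() if exp > now}

    def new_connection(self, now, zone, src_ip, protocol, dport):
        """Return what happens to one new connection attempt at time `now` (whole seconds)."""
        self._tick(now)
        key = (zone, src_ip)          # the block list is keyed by source zone + source address
        if key in self.block_list:
            return "quarantined"      # every packet from this source is dropped before Security policy
        if protocol != self.rule.protocol or dport != self.rule.dport:
            return "security-policy"  # no rule match, so not counted toward the thresholds
        self.cps[key] += 1
        rate, prof = self.cps[key], self.rule.profile
        if rate == prof.alarm_rate + 1:
            self.alarms.append((now, key))
        if rate > prof.max_rate:
            if prof.block_duration > 0 and self.rule.classified_by_src:
                self.block_list[key] = now + prof.block_duration
            return "dropped"
        if rate > prof.activate_rate:
            return "red"              # Random Early Drop region, modelled as a label only
        return "security-policy"

def run_page_example():
    """Replay the guide's scenario: 10,000 cps to UDP/53 plus 10 cps HTTP from one source."""
    prof = DoSProtectionProfile(alarm_rate=1000, activate_rate=2000, max_rate=3000, block_duration=300)
    fw = DoSEngine(DoSProtectionRule("udp", 53, prof))
    attacker = ("untrust", "198.51.100.7")   # constructed sample source zone and address
    udp = [fw.new_connection(0, *attacker, "udp", 53) for _ in range(10_000)]
    http = [fw.new_connection(0, *attacker, "tcp", 80) for _ in range(10)]
    after = fw.new_connection(301, *attacker, "tcp", 80)  # Block Duration (300 s) has expired
    return {"udp": dict(Counter(udp)), "http": dict(Counter(http)),
            "after_expiry": after, "alarms": len(fw.alarms)}
```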
Single Session DoS Attack
A single-session DoS attack typically will not trigger Zone or DoS Protection profiles because they are attacks that are formed after the session is created. These attacks are allowed by the Security policy because a session is allowed to be created, and after the session is created, the attack drives up the packet volume and takes down the target device.
Configure DoS Protection Against Flooding of New Sessions to protect against flooding of new sessions (single-session and multiple-session flooding). In the event of a single-session attack that is underway, additionally End a Single Session DoS Attack.
Configure DoS Protection Against Flooding of New Sessions
6. On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1 to 21,600; default is 300.)
   Set a low Block Duration value if you are concerned that packets you incorrectly identify as attack traffic will be blocked unnecessarily.
   Set a high Block Duration value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that aren't part of an attack.
7. Click OK.
End a Single Session DoS Attack
To mitigate a single-session DoS attack, you would still Configure DoS Protection Against Flooding of New Sessions in advance. At some point after you configure the feature, a session might be established before you realize a DoS attack (from the IP address of that session) is underway. When you see a single-session DoS attack, perform the following task to end the session, so that subsequent connection attempts from that IP address trigger the DoS protection against flooding of new sessions.
Use the CLI to End a Single Attacking Session
Step 1 Identify the source IP address that is causing the attack.
For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, use the ACC to filter on destination address to view the activity to the target host being attacked.
Step 2 Create a DoS Protection policy rule that will block the attacker's IP address after the attack thresholds are exceeded.
Step 3 Create a Security policy rule to deny the source IP address and its attack traffic.
After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Sequence of Events as Firewall Quarantines an IP Address.
Identify Sessions That Use an Excessive Percentage of the Packet Buffer
When a firewall exhibits signs of resource depletion, it might be experiencing an attack that is sending an overwhelming number of packets. In such events, the firewall starts buffering inbound packets. You can quickly identify the sessions that are using an excessive percentage of the packet buffer and mitigate their impact by discarding them.
Perform the following task on any hardware-based firewall model (not a VM-Series firewall) to identify, for each slot and dataplane, the packet buffer percentage used, the top five sessions using more than two percent of the packet buffer, and the source IP addresses associated with those sessions. Having that information allows you to take appropriate action.
View Firewall Resource Usage, Top Sessions, and Session Details
Step 1 View firewall resource usage, top sessions, and session details. Execute the following operational command in the CLI (sample output from the command follows):
admin@PA-7050> show running resource-monitor ingress-backlogs
-- SLOT: s1, DP: dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%
TOP SESSIONS:
SESS-ID    PCT    GRP-ID    COUNT
6          92%    1         156
                  7         1732
SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided
The command displays a maximum of the top five sessions that each use 2% or more of the packet buffer. The sample output above indicates that Session 6 is using 92% of the packet buffer with TCP packets (protocol 6) coming from source IP address 192.168.2.35.
- SESS-ID indicates the global session ID that is used in all other show session commands. The global session ID is unique within the firewall.
- GRP-ID indicates an internal stage of processing packets.
- COUNT indicates how many packets are in that GRP-ID for that session.
- APP indicates the App-ID extracted from the Session information, which can help you determine whether the traffic is legitimate. For example, if packets use a common TCP or UDP port but the CLI output indicates an APP of undecided, the packets are possibly attack traffic. The APP is undecided when Application IP Decoders cannot get enough information to determine the application. An APP of unknown indicates that Application IP Decoders cannot determine the application; a session of unknown APP that uses a high percentage of the packet buffer is also suspicious.
To restrict the display output:
- On a PA-7000 Series model only, you can limit output to a slot, a dataplane, or both. For example:
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 dp dp1
- On PA-5000 Series, PA-5200 Series, and PA-7000 Series models only, you can limit output to a dataplane. For example:
admin@PA-5060> show running resource-monitor ingress-backlogs dp dp1
Step 2 Use the command output to determine whether the source at the source IP address using a high percentage of the packet buffer is sending legitimate or attack traffic.
In the sample output above, a single-session attack is likely occurring. A single session (Session ID 6) is using 92% of the packet buffer for Slot 1, DP 1, and the application at that point is undecided.
If you determine a single user is sending an attack and the traffic is not offloaded, you can End a Single Session DoS Attack. At a minimum, you can Configure DoS Protection Against Flooding of New Sessions.
On a hardware model that has a field-programmable gate array (FPGA), the firewall offloads traffic to the FPGA when possible to increase performance. If the traffic is offloaded to hardware, clearing the session does not help because then it is the software that must handle the barrage of packets. You should instead Discard a Session Without a Commit.
To see whether a session is offloaded or not, use the show session id <session-id> operational command in the CLI as shown in the following example. The layer7 processing value indicates completed for sessions offloaded or enabled for sessions not offloaded.
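A parser for the ingress-backlogs output from Step 1 together with the triage filter implied by Step 2, as an added Python example that is not PAN-OS code: the sample text follows the guide's output with assumed column spacing, the second dataplane (dp2) block and the 25% cutoff are constructed, and the helper returns the sessions whose App-ID is still undecided or unknown while holding a large share of the packet buffer.

```python
"""Parser for the 'show running resource-monitor ingress-backlogs' output shown above, plus a
triage helper for Step 2. Added illustration, not PAN-OS code; column spacing is assumed."""
import re

SAMPLE = """\
-- SLOT: s1, DP: dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%
TOP SESSIONS:
SESS-ID    PCT    GRP-ID    COUNT
6          92%    1         156
                  7         1732
SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided
-- SLOT: s1, DP: dp2 --
USAGE - ATOMIC: 12% TOTAL: 14%
TOP SESSIONS:
SESS-ID    PCT    GRP-ID    COUNT
41         3%     1         9
SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
41       17     trust  192.168.2.40  41000  10.1.8.89  53     ethernet1/21  ethernet1/22  dns
"""

HEADER = re.compile(r"^-- SLOT:\s*(\S+?),\s*DP:\s*(\S+?)\s*--$")
USAGE = re.compile(r"^USAGE - ATOMIC:\s*(\d+)%\s+TOTAL:\s*(\d+)%$")
DETAIL_COLS = ("sess_id", "proto", "szone", "src", "sport", "dst", "dport", "igr_if", "egr_if", "app")

def parse_ingress_backlogs(text):
    """Return one dict per SLOT/DP block; each session merges its TOP SESSIONS and SESSION DETAILS rows."""
    backlogs, cur, section, last = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER.match(line):
            cur = {"slot": m.group(1), "dp": m.group(2), "atomic_pct": 0, "total_pct": 0, "sessions": {}}
            backlogs.append(cur)
            section = None
        elif m := USAGE.match(line):
            cur["atomic_pct"], cur["total_pct"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("TOP SESSIONS"):
            section = "top"
        elif line.startswith("SESSION DETAILS"):
            section = "details"
        elif line.startswith("SESS-ID"):
            continue                       # column header row of either table
        elif section == "top":
            tok = line.split()
            if len(tok) == 2:              # continuation row: another GRP-ID for the same session
                grp, count = tok
            else:
                sid, pct, grp, count = tok
                last = cur["sessions"].setdefault(int(sid), {"pct": int(pct.rstrip("%")), "groups": {}})
            last["groups"][int(grp)] = int(count)
        elif section == "details":
            rec = dict(zip(DETAIL_COLS, line.split()))
            cur["sessions"].setdefault(int(rec["sess_id"]), {"pct": 0, "groups": {}}).update(rec)
    return backlogs

def suspicious_sessions(backlogs, min_pct=25):
    """Sessions holding at least min_pct of a dataplane's packet buffer while App-ID is still
    undecided or unknown, which the guide calls out as possible attack traffic (25% is an assumed cutoff)."""
    return [(b["slot"], b["dp"], sid, s.get("src"), s["app"]) for b in backlogs
            for sid, s in sorted(b["sessions"].items())
            if s["pct"] >= min_pct and s.get("app") in ("undecided", "unknown")]
```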
Discard a Session Without a Commit
Perform this task to permanently discard a session, such as a session that is overloading the packet buffer. No commit is required; the session is discarded immediately after executing the command. The commands apply to both offloaded and non-offloaded sessions.
Discard a Session Without a Commit
Step 1 In the CLI, execute the following operational command on any hardware model:
admin@PA-7050> request session-discard [timeout <seconds>] [reason <reason-string>] id <session-id>
The default timeout is 3,600 seconds.
Step 2 Verify that sessions have been discarded.
admin@PA-7050> show session all filter state discard
Enable FIPS and Common Criteria Support
Use the following procedures to enable FIPS-CC mode on a software version that supports Common Criteria and the Federal Information Processing Standards 140-2 (FIPS 140-2). When you enable FIPS-CC mode, all FIPS and CC functionality is included.
FIPS-CC mode is supported on all Palo Alto Networks next-generation firewalls and appliances including VM-Series firewalls. To enable FIPS-CC mode, first boot the firewall into the Maintenance Recovery Tool (MRT) and then change the operational mode from normal mode to FIPS-CC mode. The procedure to change the operational mode is the same for all firewalls and appliances but the procedure to access the MRT varies.
When you enable FIPS-CC mode, the firewall will reset to the factory default settings; all configuration will be removed.
- Access the Maintenance Recovery Tool (MRT)
- Change the Operational Mode to FIPS-CC Mode
Access the Maintenance Recovery Tool (MRT)
The Maintenance Recovery Tool (MRT) enables you to perform several tasks on Palo Alto Networks firewalls and appliances. For example, you can revert the firewall or appliance to factory default settings, revert PAN-OS or a content update to a previous version, run diagnostics on the file system, gather system information, and extract logs. Additionally, you can use the MRT to Change the Operational Mode to FIPS-CC Mode or from FIPS-CC mode to normal mode.
The following procedures describe how to access the Maintenance Recovery Tool (MRT) on various Palo Alto Networks products.
Access the Maintenance Recovery Tool (MRT)
Access the MRT on hardware firewalls and appliances (such as PA-200 firewalls, PA-7000 Series firewalls, or M-Series appliances).
1. Establish a serial console session to the firewall or appliance.
   a. Connect a serial cable from the serial port on your computer to the console port on the firewall or appliance.
      NOTE: If your computer does not have a 9-pin serial port but does have a USB port, use a serial-to-USB converter to establish the connection. If the firewall has a micro USB console port, connect to the port using a standard Type-A USB to micro USB cable.
   b. Open and set the terminal emulation software on your computer to 9600-8-N-1 and then connect to the appropriate COM port.
      On a Windows system, you can go to the Control Panel to view the COM port settings for Devices and Printers to determine which COM port is assigned to the console.
   c. Log in using an administrator account. (The default username/password is admin/admin.)
2. Enter the following CLI command and press y to confirm:
   debug system maintenance-mode
3. After the firewall or appliance boots to the MRT welcome screen (in approximately 2 to 3 minutes), press Enter on Continue to access the MRT main menu.
   You can also access the MRT by rebooting the firewall or appliance and entering maint at the maintenance mode prompt. A direct serial console connection is required.
   After the firewall or appliance boots into the MRT, you can access the MRT remotely by establishing an SSH connection to the management (MGT) interface IP address and then logging in using maint as the username and the firewall or appliance serial number as the password.
Access the MRT on VM-Series firewalls deployed in a private cloud (such as on a VMware ESXi or KVM hypervisor).
1. Establish an SSH session to the management IP address of the firewall and log in using an administrator account.
2. Enter the following CLI command and press y to confirm:
   debug system maintenance-mode
   NOTE: It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.
3. After the firewall boots to the MRT welcome screen, log in based on the operational mode:
   - Normal mode: Establish an SSH session to the management IP address of the firewall and log in using maint as the username and the firewall or appliance serial number as the password.
   - FIPS-CC mode: Access the virtual machine management utility (such as the vSphere client) and connect to the virtual machine console.
4. From the MRT welcome screen, press Enter on Continue to access the MRT main menu.
Access the MRT on VM-Series firewalls deployed in the public cloud (such as AWS or Azure).
1. Establish an SSH session to the management IP address of the firewall and log in using an administrator account.
2. Enter the following CLI command and press y to confirm:
   debug system maintenance-mode
   NOTE: It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.
3. After the firewall boots to the MRT welcome screen, log in based on the virtual machine type:
   - AWS: Log in as ec2-user and select the SSH public key associated with the virtual machine when you deployed it.
   - Azure: Enter the credentials you created when you deployed the VM-Series firewall.
4. From the MRT welcome screen, press Enter on Continue to access the MRT main menu.
Change the Operational Mode to FIPS-CC Mode
The following procedure describes how to change the operational mode of a Palo Alto Networks product from normal mode to FIPS-CC mode.
Change the Operational Mode to FIPS-CC Mode
Step 1 Connect to the firewall or appliance and Access the Maintenance Recovery Tool (MRT).
Step 4 When prompted, select Reboot.
If you change the operational mode on a VM-Series firewall deployed in the public cloud (AWS or Azure) and you lose your SSH connection to the MRT before you are able to Reboot, you must wait 10 to 15 minutes for the mode change to complete, log back in to the MRT, and then reboot the firewall to complete the operation.
After you switch to FIPS-CC mode, you see the following status: FIPS-CC mode enabled successfully. In addition, the following changes are in effect:
- FIPS-CC displays at all times in the status bar at the bottom of the web interface.
- The default administrator login credentials change to admin/paloalto.
See FIPS-CC Security Functions for details on the security functions that are enforced in FIPS-CC mode.
FIPS-CC Security Functions
When FIPS-CC mode is enabled, the following security functions are enforced on all firewalls and appliances:
- To log in, the browser must be TLS 1.1 (or later) compatible; on a WF-500 appliance, you manage the appliance only through the CLI and you must connect using an SSHv2-compatible client application.
- All passwords must be at least six characters.
- You must ensure that Failed Attempts and Lockout Time (min) are greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
- You must ensure that the Idle Timeout is greater than 0 in authentication settings. If a login session is idle for more than the specified time, the administrator is automatically logged out.
- The firewall or appliance automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
- Unapproved FIPS-CC algorithms are not decrypted; they are ignored during decryption.
- When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
- Self-generated and imported certificates must contain public keys that are either RSA 2,048 bits (or more) or ECDSA 256 bits (or more); you must also use a digest of SHA256 or greater.
- You cannot use a hardware security module (HSM) to store the private ECDSA keys used for SSL Forward Proxy or SSL Inbound Inspection.
- Telnet, TFTP, and HTTP management connections are not available.
- High availability (HA) port encryption is required.
- The serial console port in FIPS-CC mode functions as a limited status output port only; CLI access is not available.
- The serial console port on hardware and private cloud VM-Series firewalls booted into the MRT provides interactive access to the MRT.
- Interactive console access is not supported in the hypervisor environment (private cloud VM-Series firewalls booted into the MRT); you can access the MRT only using SSH.