Design and Implementation of the Palo Alto Networks Firewall
PA-EDU-201 rev b

PaloAlto Training print.indd 1
3/8/10 12:24 PM

Agenda

Day 1
1. Introduction
2. Firewall Deployment
3. Application Control
4. Content Identification
5. User Identification

Day 2
6. SSL Decryption
7. VPN
8. Advanced Deployment Options
9. Management
10. Data Mining

2009 Palo Alto Networks. Proprietary and Confidential
3.0-a

Introduction

Evasive Applications

Figure: an application-based firewall compared with a stateful-inspection (port-based) firewall. Labels recovered from the diagram: Yahoo Messenger on port 5050 (blocked), a Bittorrent client on port 6681 (blocked), PingFU proxy, traffic carried over tcp/443, and port 80 open.

Web Based Applications

Figure: a set of web-based applications that a traditional firewall sees only as web browsing. Legend of the application classification: Business Application, Media, Instant Messaging, Web Mail.

PA-4000 Series Specifications

Model     Firewall   Threat prevention   Sessions    Interfaces
PA-4060   10 Gbps    5 Gbps              2,000,000   4 XFP (10 Gig) I/O, 4 SFP (1 Gig) I/O
PA-4050   10 Gbps    5 Gbps              2,000,000   16 copper gigabit, 8 SFP interfaces
PA-4020   2 Gbps     2 Gbps              500,000     16 copper gigabit, 8 SFP interfaces

Common to the series:
- 2U, 19" rack-mountable chassis
- Dual hot-swappable AC power supplies
- Dedicated out-of-band management port
- 2 dedicated HA ports
- DB9 console port

4000 Series Architecture

Control Plane
- Dedicated control plane: dual-core CPU, RAM, HDD
- Highly available management
- High speed logging and route updates

Data Plane
- Flash Matching HW Engine (with its own RAM banks)
  - Palo Alto Networks uniform signatures
  - Multiple memory banks; memory bandwidth scales performance
- Multi-Core Security Processor (CPU 1 .. CPU 16, each with RAM)
  - High density processing for flexible security functionality
  - Hardware acceleration for standardized complex functions (SSL, IPSec, decompression)
- 10 Gig Network Processor
  - Front-end network processing offloads the security processors
  - Hardware accelerated QoS, route lookup, ARP and MAC lookup, and NAT

PA-2000 Series Specifications

Model     Firewall   Threat prevention   Sessions   Interfaces
PA-2050   1 Gbps     500 Mbps            250,000    16 copper gigabit, 4 SFP interfaces
PA-2020   500 Mbps   200 Mbps            125,000    12 copper gigabit, 2 SFP interfaces

Common to the series:
- 1U rack-mountable chassis
- Single non-modular power supply
- 80GB hard drive (cold swappable)
- Dedicated out-of-band management port
- RJ-45 console port, user-definable HA port

2000 Series Architecture

Control Plane
- Dedicated control plane: dual-core CPU, RAM, HDD
- Highly available management
- High speed logging and route updates

Data Plane
- Flash Matching HW Engine (with its own RAM banks)
  - Palo Alto Networks uniform signatures
  - Multiple memory banks; memory bandwidth scales performance
- Multi-Core Security Processor (CPU 1 .. CPU 4, each with RAM), connected at 1 Gbps
  - High density processing for flexible security functionality
  - Hardware acceleration for standardized complex functions (SSL, IPSec)
- Network Processor (1 Gbps)
  - Front-end network processing offloads the security processors
  - Hardware accelerated route lookup, ARP and MAC lookup, and NAT

PA-500 Specifications

Figure: PA-500 specification slide; the specification text did not survive extraction.

Single-Pass Parallel Processing (SP3) Architecture

Single Pass
- Operations once per packet:
  - Traffic classification (app identification)
  - User/group mapping
  - Content scanning: threats, URLs, confidential data
- One policy

Parallel Processing
- Function-specific hardware engines
- Separate data/control planes

PA-500 Architecture

Figure: PA-500 architecture diagram with a control plane and a data plane; the component labels were garbled in extraction.

Flexible Deployment Options

Visibility
- Application, user and content visibility without inline deployment

Transparent In-Line
- IPS with app visibility & control
- Consolidation of IPS & URL filtering

Firewall Replacement
- Firewall replacement with app visibility & control
- Firewall + IPS
- Firewall + IPS + URL filtering

Firewall Deployment

Agenda
- Security Zones
- L3 Interface Configuration
- Virtual Routers
- Security Policy Basics
- NAT Policy

Security Zones

- Zones represent networks of differing trust levels
- An interface must be in a security zone
- A security zone can have multiple interfaces

Figure: zones in the example network: Internet, DMZ, Guests, Users, Data Center; the traffic pairs shown are Internet - DMZ and Internet - Data Center.

Interfaces and Zones

Interface   Zone       Address
E 1/2       Internet   161.23.4.56
E 1/11      DMZ        172.16.1.254
E 1/12.10   Users      192.168.10.254
E 1/12.20   Users      192.168.20.254
E 1/12.30   VoIP       192.168.30.254

Layer 3 Interfaces

- Each L3 interface has an IP address
- L3 interfaces are added to Virtual Routers (VR)
- The VR contains all routing information:
  - Static routes
  - Dynamic routing protocol configuration

Virtual Routers

- Provide routing and NAT functions
- All L3 interfaces in a virtual router share a routing table

Figure: a PAN device with Vrouter A holding three L3 interfaces: E1/11 12.4.5.77 toward the Internet, E1/9 10.1.1.254 toward the LAN (10.1.1.0), and E1/10 192.168.100.254 toward the DMZ (192.168.100.0).

Configure L3 Interface

Fields in the interface dialog: Interface Type, Virtual Router, IP Address, Zone.

Configuring DHCP Server

Fields in the DHCP server dialog: Select Interface, IP Address Range, Lease, Options.

Introduction to Security Policy

- All traffic going between security zones requires an allow policy
- The policy list is evaluated from the top down
- The first rule that matches the traffic is used
- No further rules are evaluated after the match

Building Blocks of Policy

- Address Objects
  - Hosts (/32 mask)
  - Networks
  - Can be named
  - Can be added to groups
- Users
- Applications
  - Represent content
  - Includes static and dynamic groups
- Services
  - Represent L4 addresses (protocol and port)

Simple Policy Walkthrough

Figure: E 1/1 in zone Internet, E 1/2 in zone Users; a host at 192.168.41.22 (private IP) reaching 74.125.19.23 (public IP) on the Internet.

NAT Policy

- Network Address Translation policies define when and how translation occurs
- Source translation is commonly used for access to the Internet
- Destination translation is used to provide external access to servers in the private network

Source Address Translation

Pre NAT, from L3-trust -> L3-untrust
SA          DA        SP      DP
10.1.1.47   4.2.2.2   43778   80

Post NAT, from L3-trust -> L3-untrust
SA          DA        SP      DP
64.3.1.22   4.2.2.2   1031    80

Destination Address Translation

Pre NAT, from L3-untrust -> L3-untrust
SA          DA             SP     DP
12.67.5.2   64.10.11.103   5467   80

Post NAT, from L3-untrust -> L3-trust
SA          DA               SP     DP
12.67.5.2   192.168.10.100   5467   80

The pre-NAT destination zone for the inbound session is L3-untrust, not L3-trust, because the zone is taken from the route to the original (untranslated) destination address 64.10.11.103, which points out the untrust side; only after translation does the packet route to the server in L3-trust.
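The two translations above, and the virtual-router lookup that decides the pre-NAT and post-NAT zones, as an added example in Python; this is not Palo Alto Networks code or configuration. The routing table, the zone names and the way the translated source port is chosen are constructed for the example, and the NAT rule fields (ingress zone, pre-NAT destination zone, original destination, translated source or destination) are a simplified model of what the slides describe.

```python
"""Source and destination NAT as a small reference model.

Added example, not Palo Alto Networks code. It reproduces the two
translations on the slides (source NAT for a trust -> untrust session,
destination NAT for an inbound session to a published server) on top of a
single virtual-router routing table. The route table, the zone names and
the translated-port selection are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Callable, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    from_zone: str                       # ingress zone
    to_zone: str                         # destination zone before translation
    match_dst: Optional[str]             # original destination, None = any
    translate_src: Optional[str] = None  # new source address (source translation)
    translate_dst: Optional[str] = None  # new destination address (destination translation)


# Constructed routing table of the virtual router: prefix -> zone of the
# interface the route points out of. One default route covers the Internet.
ROUTES = {
    "10.0.0.0/8": "L3-trust",
    "192.168.0.0/16": "L3-trust",
    "0.0.0.0/0": "L3-untrust",
}


def zone_for(ip: str, routes=ROUTES) -> str:
    """Longest-prefix match: the zone is the one the best route's interface is in."""
    addr = ipaddress.ip_address(ip)
    best_net, best_zone = None, None
    for prefix, zone in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_zone = net, zone
    return best_zone


def apply_nat(pkt: Packet, ingress_zone: str, rules, next_port: Callable[[], int]):
    """Return (translated packet, egress zone).

    The NAT rule is matched on the pre-NAT destination zone, i.e. where the
    original destination is routed; the egress zone is decided again after
    translation, which is what moves the inbound session into L3-trust."""
    pre_zone = zone_for(pkt.dst)
    for rule in rules:
        if rule.from_zone != ingress_zone or rule.to_zone != pre_zone:
            continue
        if rule.match_dst is not None and rule.match_dst != pkt.dst:
            continue
        if rule.translate_src is not None:
            pkt = replace(pkt, src=rule.translate_src, sport=next_port())
        if rule.translate_dst is not None:
            pkt = replace(pkt, dst=rule.translate_dst)
        break                                # first matching NAT rule wins
    return pkt, zone_for(pkt.dst)


RULES = [
    # Source translation for everything leaving trust for the Internet.
    NatRule("L3-trust", "L3-untrust", None, translate_src="64.3.1.22"),
    # Destination translation for the published web server. The original
    # destination 64.10.11.103 routes out the untrust side, so the rule's
    # destination zone is L3-untrust even though the server sits in L3-trust.
    NatRule("L3-untrust", "L3-untrust", "64.10.11.103", translate_dst="192.168.10.100"),
]


def source_nat_example():
    """The slide's outbound session 10.1.1.47:43778 -> 4.2.2.2:80."""
    ports = iter([1031])                     # constructed: the port the slide shows
    return apply_nat(Packet("10.1.1.47", "4.2.2.2", 43778, 80),
                     "L3-trust", RULES, lambda: next(ports))


def destination_nat_example():
    """The slide's inbound session 12.67.5.2:5467 -> 64.10.11.103:80."""
    return apply_nat(Packet("12.67.5.2", "64.10.11.103", 5467, 80),
                     "L3-untrust", RULES, lambda: 0)


if __name__ == "__main__":
    for label, fn in (("source", source_nat_example), ("destination", destination_nat_example)):
        pkt, zone = fn()
        print(f"{label:12} post-NAT {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  egress {zone}")
```

Running the block prints the two post-NAT tuples from the slides; the interesting return value is the second element, which shows the destination-NAT session entering with pre-NAT zone L3-untrust and leaving toward L3-trust.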

Application Identification

Agenda
- What is an Application?
- Application Control Center (ACC)
- Application Identification
- Single Pass Architecture and Packet Flow
- Application Groups and Filters
- Security Policy Examples
- Application Override Policy

What is an Application?

Figure: examples shown as distinct applications: GMail, GTalk, Google Calendar, iGoogle, Lotus Notes, eMule, UltraSurf.

Application Control Center

- Central location to view the state of the network

Application Identification Components

- Protocol Decoders
  - Detect protocol in protocol
  - Provide context for signatures
- Protocol Decryption
  - SSL forward proxy
  - Man-in-the-middle SSL decryption
- Application Signatures
  - Detect applications initiating
  - Mode shift (e.g. webex to Webex desktop sharing)
- Heuristics
  - Uses patterns of communication

Application Identification - Signatures

Figure: HTTP traffic is decoded, the webex signature matches, and a mode shift identifies Webex desktop sharing.

Application Identification - Heuristics

Figure: encrypted Bittorrent passes the protocol decoders as Unknown; heuristics examine the communication pattern and identify it as encrypted Bittorrent.

Flow Logic

Stages in the packet flow, in order, with the steps under each:

- Initial Packet Processing
  - Source Zone / Address
  - Forwarding Lookup
  - Destination Zone
  - NAT Policy
- Security Pre Policy
  - Check Allowed Ports
- Session Created
- Application
  - Check for SSL
  - SSL Decryption Policy
  - Application Override Policy
  - App ID
- Security Policy
  - Check Security Policy
  - Check Security Profiles
  - SP3
- Post Policy Processing
  - SSL Re-encrypted
  - NAT Applied
  - Packet Forwarded

TCP Example: HTTP Connection to www.meebo.com

Fields highlighted in the frame: Source Address, Destination Address, Destination Port, Application Data. Exchange shown: TCP syn, syn ack, ack, get, then the Meebo application data.

TCP syn
00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45
00 30 d1 29 40 00 80 06 8f 60 0a 10 00 6e d0 51
bf 6e 3a 52 01 bb 31 d7 06 19 00 00 00 00 70 02
ff ff 74 e4 00 00 02 04 05 b4 01 01 04 02

Meebo application data (the 1f 8b 08 prefix is a gzip header)
1f 8b 08 00 00 00 00 00 00 03 b4 57 fd 6f db 36
13 fe 57 ae 1a 36 3b 99 2d 35 fb 00 da c4 f6 b0
26 e9 bb bc 48 9a 60 75 57 0c 7d 8b 81 92 4e 12
63 89 54 49 2a ae 57 e4 7f df 1d 25 39 b2 f7 91
fe b0 37 08 60 ea 78 3c de 3d 7c ee 78 9c 3d 39
bb 3e 5d fe 7a 73 0e 3f 2d af 2e e1 e6 cd 8b cb
...

UDP Example: DNS Query for www.meebo.com

Fields highlighted in the frame: Source Address, Destination Address, Destination Port, Application Data.

00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00
00 3b d1 26 00 00 80 11 54 18 0a 10 00 6e 0a 00
00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01
00 00 00 00 00 00 03 77 77 77 05 6d 65 65 62 6f
03 63 6f 6d 00 00 01 00 01
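The two frames above decoded field by field, as an added example in Python (not code from the course or from Palo Alto Networks). It pulls out the source and destination addresses, the destination port and the application data that the slides highlight, which separates what a port-based firewall sees (the 5-tuple) from what App-ID needs (the payload, here the DNS question name). The TCP dump as printed on the slide is one byte short: the IPv4 TOS byte between 0x45 and the total length 0x0030 did not survive, and the example assumes it was 0x00, as the UDP frame from the same host shows.

```python
"""Decode the Ethernet/IPv4/TCP and Ethernet/IPv4/UDP frames from the
TCP and UDP example slides and pull out the fields they highlight.

Added example, not Palo Alto Networks code. The two hex strings are the
dumps printed on the slides. The TCP dump as printed is missing the IPv4
TOS byte between 0x45 and the total length 0x0030; it is assumed to be
0x00 here (the UDP frame from the same host shows "45 00").
"""
import struct

TCP_SYN_HEX = (
    "00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00"   # trailing 00 = assumed TOS byte
    " 00 30 d1 29 40 00 80 06 8f 60 0a 10 00 6e d0 51"
    " bf 6e 3a 52 01 bb 31 d7 06 19 00 00 00 00 70 02"
    " ff ff 74 e4 00 00 02 04 05 b4 01 01 04 02"
)
DNS_QUERY_HEX = (
    "00 1b 17 01 10 20 00 1c 23 07 42 5f 08 00 45 00"
    " 00 3b d1 26 00 00 80 11 54 18 0a 10 00 6e 0a 00"
    " 00 f6 c1 76 00 35 00 27 c7 5a a3 24 01 00 00 01"
    " 00 00 00 00 00 00 03 77 77 77 05 6d 65 65 62 6f"
    " 03 63 6f 6d 00 00 01 00 01"
)

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def dns_question_name(payload: bytes) -> str:
    """Read the QNAME labels of the first question after the 12-byte DNS header."""
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def parse_frame(raw: bytes) -> dict:
    """Ethernet -> IPv4 -> TCP/UDP; returns the L3/L4 tuple plus the application payload."""
    _eth_dst, _eth_src, eth_type = struct.unpack("!6s6sH", raw[:14])
    if eth_type != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{eth_type:04x}")
    ip = raw[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    l4 = ip[ihl:total_len]              # drop any Ethernet padding after the datagram
    info = {"src": dotted(src), "dst": dotted(dst), "ttl": ttl, "proto": proto}
    if proto == 6:                      # TCP
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4
        flags = off_flags & 0x01FF
        info.update(sport=sport, dport=dport,
                    flags=[name for bit, name in TCP_FLAG_NAMES if flags & bit],
                    payload=l4[data_off:])
    elif proto == 17:                   # UDP
        sport, dport, ulen, _ucksum = struct.unpack("!HHHH", l4[:8])
        payload = l4[8:ulen]
        info.update(sport=sport, dport=dport, payload=payload)
        if dport == 53 and len(payload) > 12:
            info["dns_qname"] = dns_question_name(payload)
    return info


def decode_examples() -> dict:
    """Decode both slide frames; keys 'tcp' and 'udp'."""
    return {
        "tcp": parse_frame(bytes.fromhex(TCP_SYN_HEX)),
        "udp": parse_frame(bytes.fromhex(DNS_QUERY_HEX)),
    }


if __name__ == "__main__":
    for name, f in decode_examples().items():
        print(f"{name}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}",
              f.get("flags", ""), f.get("dns_qname", ""),
              f"payload={len(f['payload'])} bytes")
```

The SYN carries no payload at all (data offset 28 bytes, total length 48), which is why App-ID cannot name the application from the first packet of a TCP session and the pre-policy stage can only check the port; the DNS datagram, by contrast, already contains the name being resolved.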

Application Filters

Figure: selecting all browser-based file-sharing applications with a dynamic filter.

Applications can be referenced in policy as:
- Individual application
- Dynamic filter
- Static group

Sample Common Filters

- Used to cover families of applications
- Frequently used for policies that block traffic
- Examples: DNS, Web-browsing, SSL, Flash, Games, IM, P2P, Remote Access, Tunneling

Sample Security Policy Application Groups

- Known_Good - static group of applications
- Known_Bad - static group of filters and applications

Security Policy Example

- First rule allows specific good applications
- Second rule blocks applications that are obviously unwanted
- Third rule catches all other applications; it could be allow or block based on the environment
- Administrators track traffic affected by the third rule and add it to Known_Good or Known_Bad

Customizing Application Settings

- Changing time out
- Adjusting risk

User Defined Application Usage

- Application Override
  - Bypasses App-ID for internal port-based applications
- Defining new HTTP applications
  - New App-ID signatures for specific HTTP-based applications
  - User defined regexp
  - Contextual signature engine
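The three-rule policy just described, evaluated the way the Introduction to Security Policy and Flow Logic slides lay out (top down, first match wins, a port-based pre-policy check before the session exists, then the real lookup once App-ID has named the application), as an added example in Python. This is not Palo Alto Networks code: the application catalogue, the members of Known_Good and Known_Bad, the zone names and the sample sessions are constructed, and reducing the pre-policy stage to "could any allow rule match on zones, address and port alone" is a simplification of the real flow.

```python
"""Top-down, first-match security policy with Known_Good / Known_Bad groups.

Added example, not Palo Alto Networks code. It models the three rules on the
Security Policy Example slide and the two evaluation points on the Flow Logic
slide: a port-based pre-policy check that decides whether a session may be
created, then the real lookup after App-ID. Catalogue, group members, zones
and sessions are constructed; the pre-policy simplification is an assumption.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed application catalogue: name -> category. A dynamic filter
# selects applications by category; a static group lists them by name.
APP_CATALOGUE = {
    "web-browsing": "general-internet",
    "ssl": "networking",
    "dns": "networking",
    "bittorrent": "file-sharing",
    "ultrasurf": "proxy",
    "yahoo-im": "instant-messaging",
    "smtp": "email",
}
KNOWN_GOOD = {"web-browsing", "ssl", "dns"}      # static group of applications
KNOWN_BAD_FILTERS = {"file-sharing", "proxy"}     # dynamic filters inside the group
KNOWN_BAD_APPS = {"yahoo-im"}                     # individual applications inside the group


def known_bad() -> set:
    """Known_Bad expands to its filters' current members plus the listed applications."""
    by_filter = {app for app, cat in APP_CATALOGUE.items() if cat in KNOWN_BAD_FILTERS}
    return by_filter | KNOWN_BAD_APPS


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str                 # CIDR; "0.0.0.0/0" for any
    apps: Optional[set]         # None = any application
    ports: Optional[set]        # None = any service
    action: str                 # "allow" or "deny"


@dataclass
class Session:
    from_zone: str
    to_zone: str
    src: str
    dport: int
    app: Optional[str] = None   # filled in once App-ID has identified the application


def matches(rule: Rule, s: Session, app_known: bool) -> bool:
    """Match on zones, source address and port; on the application only after App-ID."""
    if rule.from_zone not in ("any", s.from_zone) or rule.to_zone not in ("any", s.to_zone):
        return False
    if ipaddress.ip_address(s.src) not in ipaddress.ip_network(rule.source):
        return False
    if rule.ports is not None and s.dport not in rule.ports:
        return False
    if app_known and rule.apps is not None and s.app not in rule.apps:
        return False
    return True


def first_match(rules, s: Session, app_known: bool) -> Optional[Rule]:
    """Top-down evaluation: the first matching rule is used, nothing after it is looked at."""
    for rule in rules:
        if matches(rule, s, app_known):
            return rule
    return None                 # interzone traffic with no allow rule is denied


def process_session(rules, s: Session, identified_app: str) -> tuple:
    """Pre-policy port check, then the real lookup once App-ID has run."""
    if not any(r.action == "allow" and matches(r, s, False) for r in rules):
        return ("deny", "pre-policy: no allow rule for this zone pair, address and port")
    s.app = identified_app      # App-ID has now classified the session's content
    rule = first_match(rules, s, True)
    if rule is None:
        return ("deny", "interzone-default")
    return (rule.action, rule.name)


RULES = [
    Rule("allow-known-good", "Users", "Internet", "192.168.0.0/16", KNOWN_GOOD, None, "allow"),
    Rule("block-known-bad", "Users", "Internet", "0.0.0.0/0", known_bad(), None, "deny"),
    # Catch-all: allowed here so its hits can be reviewed; a stricter site would deny.
    Rule("catch-all-review", "Users", "Internet", "0.0.0.0/0", None, None, "allow"),
]


def run_examples() -> dict:
    """Constructed sessions, keyed by a label; the value is (action, reason)."""
    cases = {                   # label: (session, application App-ID identifies)
        "web-browsing": (Session("Users", "Internet", "192.168.10.50", 80), "web-browsing"),
        "bittorrent":   (Session("Users", "Internet", "192.168.10.50", 6681), "bittorrent"),
        "smtp":         (Session("Users", "Internet", "192.168.10.50", 25), "smtp"),
        "guest-web":    (Session("Guests", "Internet", "10.20.0.7", 80), "web-browsing"),
    }
    return {label: process_session(RULES, s, app) for label, (s, app) in cases.items()}


if __name__ == "__main__":
    for label, (action, why) in run_examples().items():
        print(f"{label:14} -> {action:5} ({why})")
```

The bittorrent case is the one worth tracing by hand: the pre-policy check lets the session be created because the first rule could match on zone, address and port, but once App-ID names the application the first rule no longer matches, the second rule denies, and the catch-all is never consulted. The smtp case is what the slide means by tracking the third rule: it lands in the catch-all, and the administrator decides whether to move it into Known_Good or Known_Bad.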