
Palo Alto Network Overview

Rajesh Saini
CNSE6 #843274

23 April 2016

Course outline

PAN-201

Module 1: Platforms and Architecture
Single Pass Architecture
Flow Logic

Module 2: Initial Configuration
Initial Access to the System
Configuration Management
Licensing and Software Updates
Account Administration

Module 3: Interface Configuration
Security Zones
Layer 2, Layer 3, Virtual Wire, and Tap
Sub-interfaces
DHCP
Virtual Routers

Module 4: Security and NAT Policies
Security Policy Configuration
Policy Administration
NAT (source and destination)

Module 5: App-ID
App-ID Overview
Application Groups and Filters

Module 6: Content-ID
Antivirus
Anti-spyware
Vulnerability
URL Filtering

Module 7: File Blocking: WildFire
Security Profiles File Blocking
WildFire

Module 8: Decryption
Certificate Management
Outbound SSL Decryption
Inbound SSL Decryption

Module 9: User-ID
Enumerating Users
Mapping Users to IP addresses
User-ID Agent

Module 10: Site-to-Site VPN
IPsec Tunnels

Module 11: Management & Reporting
Dashboard
Basic Logging
Basic Reports
Panorama

Module 12: Active/Passive High Availability
Configuring Active/Passive HA

Module 1

Palo Alto Networks next-generation firewalls are based on a unique Single Pass Parallel
Processing (SP3) Architecture, which enables high-throughput, low-latency network
security.

Palo Alto Networks solves the performance problems that plague today's security
infrastructure with the SP3 architecture, which combines two complementary
components:
Single Pass software
Parallel Processing hardware


Single Pass Software

Palo Alto Networks Single Pass software is designed to accomplish two key functions
within the Palo Alto Networks next-generation firewall.
1) The single pass software performs operations once per packet. As a packet is
processed, networking functions, policy lookup, application identification and
decoding, and signature matching for any and all threats and content are all performed
just once. This significantly reduces the amount of processing overhead required to
perform multiple functions in one security device.
2) The content scanning step in Palo Alto Networks Single Pass software is stream-based,
and uses uniform signature matching to detect and block threats. Instead of using
separate engines and signature sets (requiring multi-pass scanning) and instead of
using file proxies (requiring file download prior to scanning), the single pass software
in our next-generation firewalls scans content once and in a stream-based fashion to
avoid latency introduction.
This Single Pass traffic processing enables very high throughput and low latency with all
security functions active. It also offers the additional benefit of a single, fully integrated
policy, enabling simple, easier management of enterprise network security.

Parallel Processing Hardware

The other critical piece of the Palo Alto Networks SP3 Architecture is hardware. Palo Alto
Networks next-generation firewalls use Parallel Processing hardware to ensure that
the Single Pass software runs fast. First, Palo Alto Networks engineers designed
separate data and control planes. This separation means that heavy utilization of one
won't negatively impact the other.

For example, an administrator could be running a very processor-intensive report, and
yet the ability to process packets would be completely unhindered, due to the
separation of data and control planes.


Networking: routing, flow lookup, stats counting, NAT, and similar functions are
performed on network-specific hardware.
User-ID, App-ID, and policy all occur on a multi-core security engine with
hardware acceleration for encryption, decryption, and decompression.
Content-ID content analysis uses a dedicated, specialized content scanning engine.
On the control plane, a dedicated management processor (with dedicated disk
and RAM) drives the configuration management, logging, and reporting without
touching data processing hardware.
The combination of Single Pass software and Parallel Processing hardware is
completely unique in network security, and enables Palo Alto Networks next-generation
firewalls to restore visibility and control to enterprise networks at very
high levels of performance.

Flow Logic

Installing Licenses and Updating Software

Note: The firewall must have Internet access so that it can download licenses and the
latest version of PAN-OS. You should also ping the server from which you will
download licenses and updates: updates.paloaltonetworks.com.

Module 2

Perform Initial Configuration

By default, the firewall has an IP address of 192.168.1.1 and a username/password of
admin/admin. For security reasons, you must change these settings before continuing
with other firewall configuration tasks.

The device has the following default values:

MGT interface IP address: 192.168.1.1
Username: admin
Password: admin

The management address is changed from the CLI in configuration mode:
admin@PA-VM# set deviceconfig system ip-address 192.168.200.50 netmask 255.255.255.0 default-gateway 192.168.200.1
You will now activate your licenses. Go to Device > Licenses. The following screen will
appear.

Select "Activate feature using authorization code". Locate the email you received
from Palo Alto Networks customer service that lists the subscriptions you
purchased and the associated activation codes. Enter the codes now. After you
enter each code, confirm that the license was accepted as follows.

Confirm that the device is registered and has access to the update server.
Go to Device > Software. You will see the message "Error: No update information
available". At the bottom of the page, click Check Now. If you receive an error that the
device is not registered, or some other error, you need to troubleshoot connectivity
before you proceed.
If there are no errors, a list of the latest versions of PAN-OS will appear:

To download the latest databases, select Device > Dynamic Updates and click Check
Now. You will see an updated list of the various databases. Your screen will look similar
to the following:

Administrative Roles
A role defines the type of access the associated administrator has to the system.
There are two types of roles you can assign:

Dynamic Roles: Built-in roles that provide Superuser, Superuser (read-only), Device
administrator, Device administrator (read-only), Virtual system administrator, and Virtual
system administrator (read-only) access to the firewall. With dynamic roles, you don't have
to worry about updating the role definitions as new features are added, because the roles
update automatically.
Admin Role Profiles: Allow you to create your own role definitions in order to provide
more granular access control to the various functional areas of the web interface, CLI
and/or XML API.
For example, you could create an Admin Role Profile for your operations staff that provides
access to the device and network configuration areas of the web interface, and a separate
profile for your security administrators that provides access to security policy definition,
logs, and reports.
Module 3

Virtual Routers
Virtual routers allow you to segment routing updates to and from the
firewall/router.
The firewall uses virtual routers to obtain routes to other subnets, either by manually
defining routes (static routes) or through participation in Layer 3 routing
protocols (dynamic routes). The best routes obtained through these methods
are used to populate the firewall's IP route table. When a packet is destined
for a different subnet, the virtual router obtains the best route from this IP
route table and forwards the packet to the next-hop router defined in the
table.

Navigation GUI

Module 4

Security Policy

Test Your Security Policies

To verify that you have set up your basic policies effectively, test whether your
security policies are being evaluated as intended and determine which security
rule applies to a given traffic flow.
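The rule-matching behaviour this test exercises, as an added example that is not part of the course material or PAN-OS itself: a simplified first-match evaluator over a constructed rulebase, including the implicit intrazone-default (allow) and interzone-default (deny) rules that catch flows no explicit rule covers. Zone names, addresses, applications and rule names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not PAN-OS code): a simplified model of how a security rulebase
# is evaluated. Rules are checked top-down and the first rule whose every field
# matches decides the verdict; a flow that matches no explicit rule falls
# through to the implicit intrazone-default (allow) or interzone-default (deny).
# Zone names, addresses, applications and rule names below are constructed.

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str
    dst_port: int
    protocol: str = "tcp"

@dataclass
class Rule:
    name: str
    action: str                                                # "allow" or "deny"
    src_zones: set = field(default_factory=lambda: {"any"})
    dst_zones: set = field(default_factory=lambda: {"any"})
    src_addrs: set = field(default_factory=lambda: {"any"})    # CIDR strings
    dst_addrs: set = field(default_factory=lambda: {"any"})
    apps: set = field(default_factory=lambda: {"any"})         # App-ID names
    services: set = field(default_factory=lambda: {"any"})     # "tcp/443" style

def _zone_ok(zones, zone):
    return "any" in zones or zone in zones

def _addr_ok(addrs, ip):
    if "any" in addrs:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in addrs)

def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True only when every field of the rule matches the flow."""
    return (_zone_ok(rule.src_zones, flow.src_zone)
            and _zone_ok(rule.dst_zones, flow.dst_zone)
            and _addr_ok(rule.src_addrs, flow.src_ip)
            and _addr_ok(rule.dst_addrs, flow.dst_ip)
            and ("any" in rule.apps or flow.app in rule.apps)
            and ("any" in rule.services
                 or f"{flow.protocol}/{flow.dst_port}" in rule.services))

def match_policy(rules, flow: Flow):
    """Return (rule_name, action): the first matching rule, else the implicit default."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

# Constructed rulebase: users in trust may browse the web, P2P is blocked
# ahead of that, and only one DMZ host is reachable from the Internet.
RULES = [
    Rule("block-p2p", "deny", src_zones={"trust"}, dst_zones={"untrust"},
         apps={"bittorrent"}),
    Rule("allow-web", "allow", src_zones={"trust"}, dst_zones={"untrust"},
         src_addrs={"192.168.10.0/24"}, apps={"web-browsing", "ssl"},
         services={"tcp/80", "tcp/443"}),
    Rule("dmz-web-in", "allow", src_zones={"untrust"}, dst_zones={"dmz"},
         dst_addrs={"10.1.1.10/32"}, apps={"web-browsing"}, services={"tcp/80"}),
]

if __name__ == "__main__":
    probes = [
        Flow("trust", "untrust", "192.168.10.25", "198.51.100.80", "web-browsing", 80),
        Flow("trust", "untrust", "192.168.10.25", "198.51.100.80", "bittorrent", 6881),
        Flow("trust", "untrust", "192.168.20.25", "198.51.100.80", "web-browsing", 80),
        Flow("untrust", "dmz", "203.0.113.9", "10.1.1.10", "ssl", 443),
    ]
    for f in probes:
        print(f.src_zone, "->", f.dst_zone, f.src_ip, f.app, match_policy(RULES, f))
```

The third probe shows the usual surprise when testing: a host outside the address object of allow-web is silently caught by interzone-default, not by any rule you wrote.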

NAT
Network address translation (NAT) was designed to address the depletion of the IPv4
address space. Since then, NAT has been used not only to conserve available IP addresses
but also as a security feature that hides the real IP addresses of hosts, securely giving
private LAN users access to public addresses.

Life of a packet.
The following diagram captures the packet processing sequence when NAT is involved.

Module 5

App-ID
Traffic classification is at the heart of any firewall, because your
classifications form the basis of your security policies.
Traditional firewalls classify traffic by port and protocol.
Simply put, the traffic classification limitations of port-based
firewalls make them unable to protect today's networks. That's
why Palo Alto Networks developed App-ID.

Classify traffic based on applications, not ports

Here's how App-ID identifies applications crossing your network:
1. Traffic is first classified based on the IP address and port.
2. Signatures are then applied to allowed traffic to identify the application
based on unique application properties and related transaction
characteristics.
3. If App-ID determines that encryption (SSL or SSH) is in use, and a
decryption policy is in place, the application is decrypted and
application signatures are applied again on the decrypted flow.
4. Decoders for known protocols are then used to apply additional
context-based signatures to detect other applications that may be
tunneling inside of the protocol (e.g., Yahoo! Instant Messenger used
across HTTP).
5. For applications that are particularly evasive and cannot be identified
through advanced signature and protocol analysis, heuristics or
behavior analysis may be used to determine the identity of the
application.
Systematic management of unknown traffic

Every network has a small amount of unknown traffic. This traffic can be an
internally developed application, a commercial application with no App-ID, or it can
be a threat. App-ID categorizes all your unknown traffic, which allows you to analyze
it and make an informed policy decision. If the traffic is an internal application, a
custom App-ID can be created to identify it. If the traffic is a commercial application
with no App-ID, a PCAP can be taken and submitted for App-ID development.

Finally, App-ID's behavioral botnet report and logging tools can tell you if the traffic
is a threat, so that you can take appropriate action if it is.

Module 6
Content-ID provides you with fully integrated protection from vulnerability exploits,
malware and malware-generated command-and-control traffic. Threat prevention is
applied in full application and protocol context across all your traffic and ports to
ensure that threats are detected and blocked, despite evasion attempts.
Our threat prevention technologies include:

IPS: IPS functionality blocks vulnerability exploits, buffer overflows, DoS attacks and
port scans. Additional capabilities, like blocking invalid or malformed packets, IP
defragmentation and TCP reassembly, protect you from the evasion and obfuscation
methods used by attackers.
Stream-based Network Antivirus: Palo Alto Networks maintains a database of more
than 15 million samples of malware. Every day we analyze an additional 50,000 samples.
Malware is detected by a stream-based engine that blocks in-line at very high speeds.
Malware enforcement is available to you across a variety of protocols including HTTP,
SMTP, IMAP, POP3, FTP and SMB.

Anti-Spyware: In addition to controlling viruses and malware, Content-ID
stops spyware and malware communications, including:
Botnet communications
Browser hijacks
Adware
Backdoor behavior
Keyloggers
Data theft
Net-worms
Peer-to-peer traffic
Our Anti-Spyware also passively analyzes DNS queries to identify the unique patterns of
botnets. This reveals infected users and prevents data from leaving your enterprise.
URL Filtering

File and Data Filtering

The data filtering features in Content-ID enable you to implement policies that reduce the
risks associated with the transfer of unauthorized files and data.
File blocking by type: Control the flow of a wide range of file types by looking deep within
the payload to identify the file type (as opposed to looking only at the file extension).

Data filtering: Control the transfer of sensitive data patterns, such as credit card and social
security numbers, in application content or attachments.

File transfer function control: Control file transfer functionality within an individual
application, allowing application use while preventing undesired inbound or outbound file
transfers.
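The first two checks above, as an added example that is not Palo Alto Networks code: file type is decided from the leading payload bytes (so a renamed executable is still an executable), and sensitive-data detection pairs a card-number pattern with a Luhn check so random digit runs do not count. The blocked-type set, file names and sample text are constructed.

```python
import re

# Added example (not Palo Alto Networks code) of the two Content-ID checks
# described above: a file is classified by its leading payload bytes rather
# than its extension, and content is scanned for sensitive data patterns.
# The blocked-type set, file names and sample text are constructed.

# Leading-byte signatures for a few common types (real magic values).
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),     # also docx/xlsx/jar
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# What the extension claims the file is.
EXT_TYPES = {"exe": "pe-executable", "pdf": "pdf", "zip": "zip-container",
             "png": "png", "txt": "text"}

def identify_type(payload: bytes) -> str:
    """Classify by payload content, which is what file blocking by type relies on."""
    for prefix, kind in MAGIC:
        if payload.startswith(prefix):
            return kind
    return "unknown"

def file_blocking_verdict(filename: str, payload: bytes, blocked_types) -> dict:
    """Compare the extension's claim with the real type and apply the block list."""
    actual = identify_type(payload)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TYPES.get(ext, "unknown")
    return {
        "actual_type": actual,
        "extension_type": claimed,
        "mismatch": claimed != actual,      # e.g. an .exe renamed to .txt
        "action": "block" if actual in blocked_types else "allow",
    }

# Data filtering: 13-16 digit card numbers (spaces or dashes allowed) that
# pass the Luhn check, and the US SSN shape with its invalid area/group/serial
# values excluded.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive_data(text: str) -> dict:
    """Count card numbers and SSNs; Luhn filtering drops random digit runs."""
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    return {"credit-card": len(cards), "ssn": len(SSN_RE.findall(text))}

if __name__ == "__main__":
    # Constructed samples: a renamed executable and a message with card/SSN data.
    print(file_blocking_verdict("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00", {"pe-executable"}))
    print(find_sensitive_data("Paid with 4111 1111 1111 1111 (ref 1234 5678 9012 3456), SSN 123-45-6789."))
```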

Module 7

WildFire

Protection from unknown malware and zero-day exploits: Criminals have increasingly
turned to unknown malware and exploits to avoid traditional security controls. Palo Alto
Networks has addressed this challenge with WildFire, which identifies unknown malware,
zero-day exploits, and Advanced Persistent Threats (APTs) by observing their actual
behavior in a virtualized environment, instead of relying solely on pre-existing signatures.
Integration of Firewall and the Cloud: To support dynamic malware analysis across the
network at scale, WildFire is built on a cloud-based architecture that can be leveraged by
your existing Palo Alto Networks next-generation firewall, with no additional hardware. The
in-line firewall captures unknown files and performs enforcement while maintaining high
network throughput and low latency.
WildFire Virtualized Sandbox: WildFire is an advanced, virtual malware analysis
environment, purpose-built for high-fidelity hardware emulation, analyzing suspicious
samples as they execute. The cloud-based service detects and blocks targeted and unknown
malware, exploits, and outbound C2 activity by observing their actual behavior, rather than
relying on pre-existing signatures.
Automated Signature Generator: When a sample is identified as malicious, WildFire
automatically generates protections and delivers them to all WildFire customers globally in
as little as 30 minutes.
Deep Visibility and Analysis:

WildFire users receive integrated logs, analysis, and visibility into WildFire events in the Palo
Alto Networks management interface, Panorama, or the WildFire portal, enabling teams to
quickly investigate and correlate events observed in their networks. This allows security staff
to quickly locate the data needed for timely investigations and incident response. Host-based
and network-based indicators of compromise become actionable through log analysis and
custom signatures.

Module 7
Decryption
Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for
visibility, control, and granular security. Decryption on a Palo Alto Networks firewall
includes the capability to enforce security policies on encrypted traffic, where otherwise
the encrypted traffic might not be blocked and shaped according to your configured
security settings. Use decryption on a firewall to prevent malicious content from entering
your network, or sensitive content from leaving your network, concealed as encrypted
traffic.
Decryption Concepts
To learn about keys and certificates for decryption, decryption policies, and
decryption port mirroring, see the following topics:

Keys and Certificates for Decryption Policies
SSL Forward Proxy
SSL Inbound Inspection
SSH Proxy
Decryption Exceptions
Decryption Port Mirroring

SSL Forward Proxy

Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from
internal users to the web. SSL Forward Proxy decryption prevents malware concealed
as SSL-encrypted traffic from being introduced to your corporate network.

For example, if an employee is using her Gmail account from her corporate office and
opens an email attachment that contains a virus, SSL Forward Proxy decryption will
prevent the virus from infecting the client system and entering the corporate network.

With SSL Forward Proxy decryption, the firewall resides between the internal client and
the outside server. The firewall uses Forward Trust or Forward Untrust certificates to
establish itself as a trusted third party to the session between the client and the server.

SSL Inbound Inspection

Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a
targeted server (any server for which you have the certificate and can import it onto the
firewall).

For example, if an employee is remotely connected to a web server hosted on the company
network and is attempting to add restricted internal documents to his Dropbox folder
(which uses SSL for data transmission), SSL Inbound Inspection can be used to ensure that
the sensitive data does not move outside the secure company network by blocking or
restricting the session.
Configuring SSL Inbound Inspection includes importing the targeted server's certificate
and key onto the firewall. Because the targeted server's certificate and key are imported
on the firewall, the firewall is able to access the SSL session between the server and the
client and decrypt and inspect traffic transparently, rather than functioning as a proxy. The
firewall is able to apply security policies to the decrypted traffic, detecting malicious
content and controlling applications running over this secure channel.

SSH Proxy
SSH Proxy provides the capability for the firewall to decrypt inbound and outbound SSH
connections passing through the firewall, in order to ensure that SSH is not being used to
tunnel unwanted applications and content. SSH decryption does not require any
certificates, and the key used for SSH decryption is automatically generated when the
firewall boots up. During the boot-up process, the firewall checks to see if there is an
existing key. If not, a key is generated. This key is used for decrypting SSH sessions for all
virtual systems configured on the device. The same key is also used for decrypting all SSH
v2 sessions.

In an SSH Proxy configuration, the firewall resides between a client and a server. When
the client sends an SSH request to the server, the firewall intercepts the request and
forwards the SSH request to the server. The firewall then intercepts the server's response
and forwards the response to the client, establishing an SSH tunnel between the firewall
and the client and an SSH tunnel between the firewall and the server, with the firewall
functioning as a proxy.

Content and threat inspections are not performed on SSH tunnels; however, if SSH
tunnels are identified by the firewall, the SSH tunneled traffic is blocked and restricted
according to configured security policies.

Decryption Exceptions
Traffic can also be excluded from decryption, either according to matching criteria (using a
decryption policy) or by excluding a targeted server's traffic from decryption.

You can use a decryption policy to exclude traffic from decryption based on source,
destination, service, and URL category.
For example, with SSL decryption enabled, you can exclude traffic that is categorized as
financial or health-related from decryption, using the URL category selection.
You can exclude specific servers from decryption by importing the server certificate onto
the firewall and modifying the certificate to be an SSL Exclude Certificate.

Decryption Port Mirroring

The Decryption Port Mirror feature provides the capability to
create a copy of decrypted traffic from a firewall and send it to a traffic collection tool
that is capable of receiving raw packet captures, such as NetWitness or Solera, for
archiving and analysis.

This feature is necessary for organizations that require comprehensive data capture for
forensic and historical purposes or data leak prevention (DLP) functionality. Decryption
port mirroring is available on PA-7050, PA-5000 Series and PA-3000 Series platforms only,
and requires that a free license be installed to enable this feature.

Policy-Based Forwarding
Normally, the firewall uses the destination IP address in a packet to determine the
outgoing interface. The firewall uses the routing table associated with the virtual router
to which the interface is connected to perform the route lookup. Policy-Based
Forwarding (PBF) allows you to override the routing table and specify the outgoing
or egress interface based on specific parameters such as source or destination IP
address, or type of traffic.

Create a Policy-Based Forwarding Rule

Use Case: PBF for Outbound Access with Dual ISPs
Use Case: PBF for Routing Traffic Through Virtual Systems

PBF Example
NAT Rule

Security Rule

PBF Rule

Routing
You need to configure the default route toward the backup ISP, 192.168.138.1, from
eth1/4.
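How the virtual router lookup and the PBF override fit together in this dual-ISP example, as added illustrative code that is not PAN-OS or course code: the route table is consulted by longest prefix, a matching PBF rule is evaluated first and wins, and a PBF rule whose monitored path is down is skipped so traffic falls back to the default route toward the backup ISP. Only the backup next hop 192.168.138.1 on ethernet1/4 comes from the page; the zones, other addresses, interfaces, rule names and the primary ISP next hop are assumptions.

```python
import ipaddress

# Added example (not PAN-OS code) modelling the forwarding decision described
# in the Virtual Routers and Policy-Based Forwarding sections: the virtual
# router chooses the most specific route (longest prefix, then lowest metric),
# but a matching PBF rule is evaluated first and overrides that lookup, and a
# PBF rule whose monitored path is down is skipped so traffic falls back to the
# routing table. The backup ISP next hop 192.168.138.1 on ethernet1/4 is from
# the page; zone names, other addresses, interfaces and rule names are assumed.

class VirtualRouter:
    def __init__(self, name: str):
        self.name = name
        self.routes = []   # (network, next_hop, egress_interface, metric)

    def add_static_route(self, prefix, next_hop, interface, metric=10):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface, metric))

    def lookup(self, dst_ip: str):
        """Longest-prefix match from the route table; returns (next_hop, interface)."""
        addr = ipaddress.ip_address(dst_ip)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            return None
        _net, next_hop, iface, _metric = max(
            candidates, key=lambda r: (r[0].prefixlen, -r[3]))
        return next_hop, iface

class PBFRule:
    def __init__(self, name, src_zones, src_prefix, dst_prefix, action,
                 egress_interface=None, next_hop=None):
        self.name = name
        self.src_zones = set(src_zones)
        self.src_net = ipaddress.ip_network(src_prefix)
        self.dst_net = ipaddress.ip_network(dst_prefix)
        self.action = action                 # "forward" or "no-pbf"
        self.egress_interface = egress_interface
        self.next_hop = next_hop
        self.path_up = True                  # result of path monitoring (assumed)

    def matches(self, src_zone, src_ip, dst_ip) -> bool:
        return (src_zone in self.src_zones
                and ipaddress.ip_address(src_ip) in self.src_net
                and ipaddress.ip_address(dst_ip) in self.dst_net)

def forward(vr: VirtualRouter, pbf_rules, src_zone, src_ip, dst_ip) -> dict:
    """PBF rules first (top-down); otherwise the virtual router's route table."""
    for rule in pbf_rules:
        if not rule.matches(src_zone, src_ip, dst_ip):
            continue
        if rule.action == "no-pbf":
            break                            # explicitly hand over to routing
        if rule.path_up:
            return {"via": "pbf", "rule": rule.name,
                    "next_hop": rule.next_hop, "interface": rule.egress_interface}
        # Monitored path is down: this rule is disabled, keep evaluating.
    hop = vr.lookup(dst_ip)
    if hop is None:
        return {"via": "none"}
    return {"via": "route", "next_hop": hop[0], "interface": hop[1]}

def build_topology():
    """Constructed dual-ISP setup: default route via backup ISP, PBF to primary ISP."""
    vr = VirtualRouter("default")
    vr.add_static_route("192.168.10.0/24", None, "ethernet1/2")        # connected LAN
    vr.add_static_route("10.1.1.0/24", None, "ethernet1/5")            # connected DMZ
    vr.add_static_route("0.0.0.0/0", "192.168.138.1", "ethernet1/4")   # default via backup ISP
    rules = [
        PBFRule("keep-internal", ["trust"], "192.168.10.0/24", "10.0.0.0/8", "no-pbf"),
        PBFRule("trust-via-isp1", ["trust"], "192.168.10.0/24", "0.0.0.0/0", "forward",
                egress_interface="ethernet1/3", next_hop="203.0.113.1"),
    ]
    return vr, rules

if __name__ == "__main__":
    vr, rules = build_topology()
    print(forward(vr, rules, "trust", "192.168.10.20", "198.51.100.80"))   # via PBF
    rules[1].path_up = False
    print(forward(vr, rules, "trust", "192.168.10.20", "198.51.100.80"))   # via backup ISP
```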

DoS Protection
A Denial of Service (DoS) attack is an attempt to disrupt network services by
overloading the network with unwanted traffic. PAN-OS DoS protection features
protect your firewall, and in turn your network resources and devices, from being
exhausted or overwhelmed in the event of network floods, host sweeps, port scans and
packet-based attacks. The DoS protection features provide flexibility by varying the
granularity of protection and provide usability through a variety of options that cover
most of the attacks in the current DoS landscape.

DoS Protection in PAN-OS takes a two-pronged approach to mitigating DoS attacks:

1. Zone-Based Protection: A broad-based, comprehensive DoS template at the
edge to protect the enterprise network from volumetric DoS attacks. It acts as a
first line of defense for the network.
2. End Host Protection (DoS Rule base and Profiles): A flexible policy rule base
that provides scalpel-like granularity in protecting specific end hosts (web
servers, DNS servers, user subnets) which are critical or have historically been
prone to DoS attacks. It also protects from attacks originating within the private
network by filtering on compromised servers and rogue end hosts.

DoS Protection
A DoS protection policy can be used to accomplish some of the same things a zone protection
policy does, but there are a few key differences:
A major difference is that a DoS policy can be classified or aggregate, whereas zone protection
policies are aggregate only.

1) A classified profile allows the creation of a threshold that applies to a single source IP.
For example, a maximum session rate per IP can be created for all traffic matching the policy,
and that single IP address is then blocked once the threshold is triggered.
2) An aggregate profile allows the creation of a maximum session rate for all packets matching
the policy. The threshold applies to the new-session rate for all IPs combined. Once the
threshold is triggered, it affects ALL traffic matching the policy.
Zone protection policies allow the use of flood protection and have the ability to protect
against port scans/sweeps and packet-based attacks.

A few examples are IP spoofing, fragments, overlapping segments, and reject tcp-non-syn. Zone
protection profiles may have less performance impact, since they are applied pre-session and
don't engage the policy engine.
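The classified-versus-aggregate distinction above, as an added simulation that is not PAN-OS code: the same flood is replayed against both profile types and the per-source counters show why an aggregate threshold also penalises the well-behaved host. The threshold, block time, addresses and traffic pattern are constructed.

```python
from collections import defaultdict, deque

# Added example (not PAN-OS code): a simulation of the classified versus
# aggregate DoS profiles described above. New-session events are counted in a
# sliding one-second window. An aggregate profile applies the threshold to all
# sources that match the DoS rule combined; a classified profile applies it per
# source IP and only the offending address is blocked. Threshold, block time,
# addresses and traffic are constructed for illustration.

WINDOW_MS = 1000

class DoSProfile:
    def __init__(self, max_sessions_per_sec: int, classified: bool, block_ms: int = 60_000):
        self.max_rate = max_sessions_per_sec
        self.classified = classified
        self.block_ms = block_ms
        self.windows = defaultdict(deque)   # counter key -> recent session timestamps
        self.blocked_until = {}             # counter key -> time the block expires

    def _key(self, src_ip: str) -> str:
        # Classified: one counter per source. Aggregate: a single shared counter.
        return src_ip if self.classified else "*"

    def new_session(self, ts_ms: int, src_ip: str) -> str:
        """Return 'allow' or 'drop' for a new session from src_ip at ts_ms."""
        key = self._key(src_ip)
        if self.blocked_until.get(key, -1) > ts_ms:
            return "drop"
        win = self.windows[key]
        win.append(ts_ms)
        while win[0] <= ts_ms - WINDOW_MS:     # age out events older than 1 s
            win.popleft()
        if len(win) > self.max_rate:           # threshold crossed: block this key
            self.blocked_until[key] = ts_ms + self.block_ms
            return "drop"
        return "allow"

def replay(profile: DoSProfile, events):
    """Feed (ts_ms, src_ip) events and return {src_ip: (allowed, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, src in events:
        stats[src][0 if profile.new_session(ts, src) == "allow" else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}

def sample_events():
    """Constructed traffic: one host floods 200 sessions/s, another opens 10/s."""
    events = [(i * 5, "203.0.113.50") for i in range(200)]        # every 5 ms
    events += [(3 + i * 100, "198.51.100.7") for i in range(10)]  # every 100 ms
    return sorted(events)

if __name__ == "__main__":
    for classified in (True, False):
        kind = "classified" if classified else "aggregate"
        print(kind, replay(DoSProfile(100, classified), sample_events()))
```

With a threshold of 100 sessions per second, the classified profile blocks only the flooding host, while the aggregate profile trips on the combined rate and then drops the normal host's remaining sessions as well.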
DoS Protection Rules: A DoS rule provides multiple keys or criteria to apply DoS
protection in a granular and flexible fashion. It also provides a way to have different
criteria than the ones used in a security rule applied for a DoS profile. However,
there is an additional lookup involved in the process. DoS rules are applied before
security policy lookup (slow path), but after destination zone determination.

DoS Rule Match Criteria

1. Source zone or source interface
2. Destination zone or destination interface
3. Source IP, ranges, address objects, address groups and countries
4. Destination IP, ranges, address objects, address groups and countries
5. Service (port and protocol)
6. Users

DoS Rule Actions:
Deny: Block all traffic hitting this rule. No protection thresholds are enforced.
Protect: Enforce protection subject to thresholds in the protection profile.
Allow: Allow all traffic hitting this rule. No protection thresholds are enforced.

Zone-Based Protection: A zone protection profile offers protection against the most
common floods, reconnaissance attacks and other packet-based attacks. It can be used as
a template configuration for applying similar settings to multiple zones. These settings
apply to the ingress zone (i.e. the zone where traffic enters the firewall). Zone protection
settings apply to all interfaces within the zone for which the profile is configured.

Note: Zone protection is only enforced when there is no session match for the packet. If
the packet matches an existing session, it will bypass the zone protection settings.

Module 8
User-ID
The Palo Alto Networks next-generation firewall supports monitoring of the following
enterprise services:

Microsoft Active Directory
Lightweight Directory Access Protocol (LDAP)
Novell eDirectory
Citrix MetaFrame Presentation Server or XenApp
Microsoft Terminal Services

Configure User Mapping Using the Windows User-ID Agent

The following topics describe how to install and configure the User-ID Agent and how to
configure the firewall to retrieve user mapping information from the agent:
Install the User-ID Agent
Configure the User-ID Agent for User Mapping

Module 9
VPN Deployments
The Palo Alto Networks firewall supports the following VPN deployments:
Site-to-Site VPN: A simple VPN that connects a central site and a remote site, or a hub
and spoke VPN that connects a central site with multiple remote sites. The firewall uses
the IP Security (IPsec) set of protocols to set up a secure tunnel for the traffic between the
two sites. See Site-to-Site VPN Overview.
Remote User-to-Site VPN: A solution that uses the GlobalProtect agent to allow a remote
user to establish a secure connection through the firewall. This solution uses SSL and IPsec
to establish a secure connection between the user and the site. Refer to the GlobalProtect
Administrator's Guide.
Large Scale VPN: The Palo Alto Networks GlobalProtect Large Scale VPN (LSVPN) provides
a simplified mechanism to roll out a scalable hub and spoke VPN with up to 1024 satellite
offices. The solution requires Palo Alto Networks firewalls to be deployed at the hub and
at every spoke. It uses certificates for device authentication, SSL for securing
communication between all components, and IPsec to secure data. See Large Scale VPN
(LSVPN).
Site-to-Site VPN Overview

A VPN connection that allows you to connect two Local Area Networks (LANs) is called a
site-to-site VPN. You can configure route-based VPNs to connect Palo Alto Networks
firewalls located at two sites, or to connect a Palo Alto Networks firewall with a third-party
security device at another location. The firewall can also interoperate with third-party
policy-based VPN devices; the Palo Alto Networks firewall itself supports route-based
VPN.
The Palo Alto Networks firewall sets up a route-based VPN, where the firewall makes a
routing decision based on the destination IP address. If traffic is routed to a specific
destination through a VPN tunnel, then it is handled as VPN traffic.

Site-to-Site VPN Concepts

A VPN connection provides secure access to information between two or more sites. In
order to provide secure access to resources and reliable connectivity, a VPN connection
needs the following components:

IKE Gateway
Tunnel Interface
Tunnel Monitoring
Internet Key Exchange (IKE) for VPN

IKE Gateway
The Palo Alto Networks firewalls, or a firewall and another security device, that initiate and
terminate VPN connections across the two networks are called the IKE Gateways. To set
up the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP
address (static or dynamic) or FQDN. The VPN peers use preshared keys or certificates
to mutually authenticate each other.

The peers must also negotiate the mode (main or aggressive) for setting up the
VPN tunnel and the SA lifetime in IKE Phase 1. Main mode protects the identity of
the peers and is more secure because more packets are exchanged when setting
up the tunnel.
Main mode is the recommended mode for IKE negotiation if both peers support it.
Aggressive mode uses fewer packets to set up the VPN tunnel and is hence faster,
but a less secure option for setting up the VPN tunnel.
Tunnel Interface
To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel
interface for the firewall to connect to and establish a VPN tunnel.
Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an
external zone, for example the untrust zone. While the tunnel interface can be in the same
security zone as the physical interface, for added security and better visibility you can
create a separate zone for the tunnel interface. If you create a separate zone for the tunnel
interface, say a VPN zone, you will need to create security policies to enable traffic to flow
between the VPN zone and the trust zone.
To route traffic between the sites, a tunnel interface does not require an IP address. An IP
address is only required if you want to enable tunnel monitoring or if you are using a
dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the
tunnel IP address serves as the next hop IP address for routing traffic to the VPN tunnel.
If you are configuring the Palo Alto Networks firewall with a VPN peer that performs policybased VPN, you must configure a local and remote Proxy ID when setting up the IPSec
tunnel. Each peer compares the Proxy-IDs configured on it with what is actually received in
the packet in order to allow a successful IKE phase 2 negotiation. If multiple tunnels are
required, configure unique Proxy IDs for each tunnel interface; a tunnel interface can have
a maximum of 250 Proxy IDs.
Tunnel Monitoring
For a VPN tunnel, you can check connectivity to a destination IP address across the tunnel. The
network monitoring profile on the firewall allows you to verify connectivity (using ICMP) to a
destination IP address or a next hop at a specified polling interval, and to specify an action on
failure to access the monitored IP address.
If the destination IP is unreachable, you can either configure the firewall to wait for the
tunnel to recover or configure automatic failover to another tunnel. In either case, the
firewall generates a system log that alerts you to a tunnel failure and renegotiates the IPSec
keys to accelerate recovery.
The default monitoring profile is configured to wait for the tunnel to recover; the polling interval
is 3 seconds and the failure threshold is 5.
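A replay of the monitor's behaviour with the defaults above, as an added example (not firewall code): probe results are fed in one per polling interval, the tunnel is declared down after the threshold of consecutive lost probes, and the configured action is applied. The log wording, the tunnel names and the decision to leave traffic on the backup tunnel after a fail-over are assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MonitorProfile:
    """Mirror of the firewall's monitor profile; defaults are the ones in the slides."""
    interval_s: int = 3             # seconds between ICMP probes to the monitored IP
    threshold: int = 5              # consecutive lost probes before the tunnel is declared down
    action: str = "wait-recover"    # or "fail-over" to a second tunnel

    def detection_time_s(self) -> int:
        """Worst-case seconds from the first lost probe to the tunnel being marked down."""
        return self.interval_s * self.threshold


@dataclass
class TunnelMonitor:
    profile: MonitorProfile
    tunnel: str                      # monitored tunnel interface, e.g. "tunnel.1"
    backup: Optional[str] = None     # tunnel used by the fail-over action
    state: str = "up"
    lost: int = 0                    # consecutive lost probes
    active: str = ""                 # tunnel currently carrying traffic
    log: List[str] = field(default_factory=list)

    def __post_init__(self):
        self.active = self.tunnel

    def probe(self, t_s: int, reachable: bool) -> None:
        """Record one ICMP probe result taken at time t_s."""
        if reachable:
            if self.state == "down":
                self.state = "up"
                self.log.append(f"t={t_s}s {self.tunnel} recovered")
                # After a fail-over the traffic is left on the backup tunnel; moving it
                # back is a routing decision outside the monitor (assumption).
            self.lost = 0
            return
        self.lost += 1
        if self.state == "up" and self.lost >= self.profile.threshold:
            self.state = "down"
            self.log.append(f"t={t_s}s system log: {self.tunnel} monitor failed, "
                            "renegotiating IPSec keys")
            if self.profile.action == "fail-over" and self.backup:
                self.active = self.backup
                self.log.append(f"t={t_s}s traffic moved to {self.backup}")
            else:
                self.log.append(f"t={t_s}s waiting for {self.tunnel} to recover")


def simulate(profile: MonitorProfile, results: List[bool],
             backup: Optional[str] = None) -> TunnelMonitor:
    """Replay a constructed sequence of probe results, one per polling interval."""
    mon = TunnelMonitor(profile, "tunnel.1", backup)
    for i, ok in enumerate(results):
        mon.probe(i * profile.interval_s, ok)
    return mon


# Constructed probe sequences (True = ICMP reply received).
SEQ_FLAP = [True, True, False, False, False, True, True]      # three lost: below threshold
SEQ_OUTAGE = [True] + [False] * 6 + [True]                     # six lost, then back

if __name__ == "__main__":
    print("detection time with defaults:", MonitorProfile().detection_time_s(), "s")
    for line in simulate(MonitorProfile(action="fail-over"), SEQ_OUTAGE, "tunnel.2").log:
        print(line)
```

With the defaults, a monitored destination has to be unreachable for 15 seconds before anything happens; a short blip (SEQ_FLAP) produces no event at all, which is what the threshold is for.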

IKE Phase 1
IKE Phase 1 brings the tunnel up: the two peers authenticate each other (with a pre-shared
key or certificates) and establish the IKE SA, the protected channel in which Phase 2 is
negotiated.

The IKE Crypto profile defines the following options that are used in the IKE SA
negotiation:
Diffie-Hellman (DH) group for key agreement. Each peer combines its own private value with
the public value received from the other peer to compute the same shared secret; the secret
itself is never sent over the network, and the IKE session keys are derived from it. The DH
groups supported on the firewall are: Group 1 (768 bits); Group 2 (1024 bits, the default);
Group 5 (1536 bits); Group 14 (2048 bits).
Authentication (hash) options: sha1, sha256, sha384, sha512, md5

Encryption algorithms: 3des, aes128, aes192, aes256

Group 1, Group 2, md5 and 3des are retained for interoperability with older peers; for new
tunnels use Group 14 or higher with sha256 or stronger and AES.
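The Phase 1 key agreement described above, carried through in code as an added example (not PAN-OS code): a Diffie-Hellman exchange over the real Group 14 parameters (the 2048-bit MODP prime from RFC 3526), followed by the IKEv1 pre-shared-key derivation from RFC 2409 section 5 that turns the shared secret, the nonces and the cookies into the SKEYID keys using HMAC with the negotiated hash. The nonces, cookies and pre-shared key are constructed for the demonstration; the primality check is there because a wrong group prime would still produce matching secrets on both sides.

```python
import hmac
import secrets

# RFC 3526 Group 14: 2048-bit MODP prime with generator 2. Groups 1, 2 and 5 from
# the slides are the same construction with 768-, 1024- and 1536-bit primes.
MODP_2048 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
GENERATOR = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin, used to sanity-check group parameters before trusting them."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p: int = MODP_2048, g: int = GENERATOR):
    """Private exponent x and public value g^x mod p. RFC 3526 recommends a
    220- to 320-bit exponent for Group 14; 256 bits is used here."""
    x = secrets.randbits(256) | (1 << 255)
    return x, pow(g, x, p)


def dh_shared_secret(x: int, peer_public: int, p: int = MODP_2048) -> bytes:
    """g^xy mod p as big-endian octets. Public values of 0, 1 or p-1 force the
    secret to a known value, so they are rejected before exponentiation."""
    if not 1 < peer_public < p - 1:
        raise ValueError("degenerate peer public value")
    return pow(peer_public, x, p).to_bytes((p.bit_length() + 7) // 8, "big")


def ike_psk_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                 cky_i: bytes, cky_r: bytes, hash_name: str = "sha256") -> dict:
    """IKEv1 SKEYID derivation for pre-shared-key authentication (RFC 2409 s.5).
    prf is HMAC with the negotiated Phase 1 hash. SKEYID_d seeds the Phase 2
    keys, SKEYID_a authenticates IKE messages, SKEYID_e encrypts the IKE SA."""
    def prf(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, hash_name).digest()
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase1_exchange(psk: bytes, hash_name: str = "sha256"):
    """Run both sides of a Phase 1 (PSK) exchange with constructed nonces and
    cookies; returns (initiator keys, responder keys), which must be equal."""
    xi, yi = dh_keypair()
    xr, yr = dh_keypair()
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    init_keys = ike_psk_keys(psk, ni, nr, dh_shared_secret(xi, yr), cky_i, cky_r, hash_name)
    resp_keys = ike_psk_keys(psk, ni, nr, dh_shared_secret(xr, yi), cky_i, cky_r, hash_name)
    return init_keys, resp_keys


if __name__ == "__main__":
    a, b = phase1_exchange(b"constructed-pre-shared-key")
    print("Group 14 prime is", MODP_2048.bit_length(), "bits; key sets agree:", a == b)
```

Two things the derivation makes visible: the pre-shared key never crosses the wire (it only keys the first HMAC), and a peer that sends a degenerate public value is rejected before it can collapse the shared secret to a known constant.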


IKE Phase 2
IKE Phase 2 negotiates the IPSec SAs that protect the data transfer.

After the tunnel is secured and authenticated in Phase 1, Phase 2 establishes the keys used
for the transfer of data between the networks. IKE Phase 2 uses the keys that were
established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec
protocols and keys used for the SA in IKE Phase 2.
IPSec uses the following protocols to enable secure communication:
Encapsulating Security Payload (ESP): Encrypts the entire (inner) IP packet, authenticates
the source and verifies the integrity of the data. ESP can do both, or you can choose to only
authenticate (encryption algorithm set to null) or only encrypt (no authentication
algorithm). Encryption without authentication is discouraged: an on-path attacker can alter
the ciphertext, and therefore the decrypted packet, without the receiver noticing.
Authentication Header (AH): Authenticates the source of the packet and verifies data
integrity. AH does not encrypt the data payload and is unsuited to deployments where data
privacy is important. AH is used when the main concern is to verify the legitimacy of the
peer and data privacy is not required. Because AH also covers the outer IP header, it does
not work through NAT.
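Why encrypt-only ESP is discouraged, shown as an added example rather than anything from the slides: an ESP-like packet (SPI, sequence number, ciphertext, optional ICV) is built, one ciphertext byte is flipped by an on-path attacker who knows no keys, and the receiver either accepts a silently rewritten inner packet (no ICV) or drops it (ICV present). The keystream is a counter-mode PRF built on HMAC-SHA256 standing in for AES so the block needs no third-party library; the keys, SPI and inner packet are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16   # truncated HMAC-SHA256 ICV; ESP commonly uses 96- or 128-bit ICVs


def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 as the PRF. It stands in for AES
    here; the malleability shown below applies equally to unauthenticated
    AES-CBC or AES-CTR ESP, because no cipher by itself detects modification."""
    blocks = []
    for ctr in range((length + 31) // 32):
        blocks.append(hmac.new(key, struct.pack(">IIQ", spi, seq, ctr), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encrypt(enc_key: bytes, auth_key: bytes, spi: int, seq: int,
                plaintext: bytes, authenticate: bool = True) -> bytes:
    """ESP-like packet: SPI | sequence number | ciphertext [| ICV].
    The ICV is computed over header and ciphertext (encrypt-then-MAC, as ESP does)."""
    header = struct.pack(">II", spi, seq)
    body = header + _xor(plaintext, _keystream(enc_key, spi, seq, len(plaintext)))
    if authenticate:
        body += hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body


def esp_decrypt(enc_key: bytes, auth_key: bytes, packet: bytes,
                authenticate: bool = True) -> bytes:
    """Return the plaintext; raise ValueError when the ICV does not verify."""
    if authenticate:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch: packet modified in transit")
        packet = body
    spi, seq = struct.unpack(">II", packet[:8])
    ciphertext = packet[8:]
    return _xor(ciphertext, _keystream(enc_key, spi, seq, len(ciphertext)))


def flip_ciphertext_byte(packet: bytes, payload_offset: int, mask: int) -> bytes:
    """On-path tampering: XOR one ciphertext byte without knowing any key."""
    i = 8 + payload_offset
    return packet[:i] + bytes([packet[i] ^ mask]) + packet[i + 1:]


# Constructed sample SA and inner packet (keys are fixed only for the demo).
ENC_KEY = b"\x11" * 32
AUTH_KEY = b"\x22" * 32
SPI, SEQ = 0x00001000, 1
INNER = b"inner dst=10.0.0.25 port=443"


def tamper_demo(authenticate: bool):
    """Encrypt INNER, flip the ciphertext byte under the '2' of '25' (XOR 0x01
    turns ASCII '2' into '3'), and return what the receiver ends up with."""
    pkt = esp_encrypt(ENC_KEY, AUTH_KEY, SPI, SEQ, INNER, authenticate)
    tampered = flip_ciphertext_byte(pkt, INNER.index(b"25"), 0x01)
    try:
        return esp_decrypt(ENC_KEY, AUTH_KEY, tampered, authenticate)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("encrypt-only  :", tamper_demo(False))   # inner destination silently becomes 10.0.0.35
    print("encrypt + ICV :", tamper_demo(True))    # ICV mismatch, packet dropped
```

The attacker never learns the plaintext, yet in the encrypt-only case redirects the inner packet to a different host; this is the failure mode the slides warn about, and the reason an authentication algorithm belongs in every IPSec Crypto profile.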

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)


IPSec VPN tunnels can be secured using manual keys or auto keys. In addition, the IPSec
Crypto profile defines a Diffie-Hellman group for key agreement (Perfect Forward Secrecy,
so that the Phase 2 keys do not depend on the Phase 1 keys alone), an encryption algorithm,
and a hash for message authentication.
Manual Key: Manual key is typically used if the Palo Alto Networks firewall is establishing
a VPN tunnel with a legacy device, or if you want to avoid the overhead of generating
session keys. If using manual keys, the same key must be configured on both peers.
Manual keys are not recommended for establishing a VPN tunnel: the keys are exposed when
they are relayed between the peers, they are never rotated, and if they are compromised
every packet ever protected with them is readable.
Auto Key: Auto Key uses IKE to automatically generate keys for setting up and maintaining
the IPSec tunnel based on the algorithms defined in the IPSec Crypto profile, and to renew
them when the SA lifetime expires.


Large Scale VPN (LSVPN)


The GlobalProtect Large Scale VPN (LSVPN) feature on the Palo Alto Networks next-generation
firewall simplifies the deployment of traditional hub-and-spoke VPNs, enabling you to
quickly deploy enterprise networks with several branch offices with a minimum of
configuration on the remote satellite devices. This solution uses certificates for device
authentication and IPSec to secure data.


LSVPN Overview
GlobalProtect provides a complete infrastructure for managing secure access to corporate
resources from your remote sites. This infrastructure includes the following components:
GlobalProtect Portal: Provides the management functions for your GlobalProtect LSVPN
infrastructure. Every satellite that participates in the GlobalProtect LSVPN receives
configuration information from the portal, including the configuration that enables the
satellites (the spokes) to connect to the gateways (the hubs). You configure the portal on an
interface on any Palo Alto Networks next-generation firewall.
GlobalProtect Gateways: A Palo Alto Networks firewall that provides the tunnel end point
for satellite connections. The resources that the satellites access are protected by security
policy on the gateway. A separate portal and gateway are not required; a single firewall can
function as both portal and gateway.
GlobalProtect Satellite: A Palo Alto Networks firewall at a remote site that establishes
IPSec tunnels with the gateway(s) at your corporate office(s) for secure access to
centralized resources. Configuration on the satellite firewall is minimal, enabling you to
quickly and easily scale your VPN as you add new sites.

Configure the Portal to Authenticate Satellites


There are two ways that the satellite can authenticate to the portal during its initial
connection:
Serial number: You can configure the portal with the serial numbers of the satellite
firewalls that are authorized to join the LSVPN. During the initial satellite connection to
the portal, the satellite presents its serial number and, if the portal has that serial number
in its configuration, the satellite is authenticated. You add the serial numbers of authorized
satellites when you configure the portal.
Username and password: If you would rather provision your satellites without manually
entering the serial numbers of the satellite devices into the portal configuration, you can
instead require the satellite administrator to authenticate when establishing the initial
connection to the portal.
In both cases the initial connection only bootstraps enrollment; afterwards the satellite
authenticates to the gateways with the certificate the portal issued to it.


Module 10
Reports and Logging
The firewall provides reports and logs that are useful for monitoring activity on your network.
You can monitor the logs and filter the information to generate reports with predefined or
customized views. For example, you can use the predefined templates to generate reports on
a user's activity, or analyze the reports and logs to investigate unusual behavior on your
network and generate a custom report on the traffic pattern.
The following topics describe how to view, manage, customize and generate the reports and
logs on the firewall:


Use the Dashboard
Use the Application Command Center
Take Packet Captures
Monitor the Firewall
Forward Logs to External Services
Monitor the Firewall Using SNMP
Monitor the Firewall Using NetFlow
Manage Reporting
Syslog Field Descriptions

Module 11
High Availability
High availability (HA) is a configuration in which two firewalls are placed in a group and
their configuration is synchronized to prevent a single point of failure on your network.
Palo Alto Networks firewalls support stateful active/passive or active/active high
availability with session and configuration synchronization. Some models of the firewall,
such as the VM-Series firewall and the PA-200, only support HA Lite, without session
synchronization.
When a failure occurs on the active device and the passive device takes over the task of
securing traffic, the event is called a failover. The conditions that trigger a failover are:
One or more of the monitored interfaces fail (Link Monitoring).
One or more of the destinations specified on the device cannot be reached (Path Monitoring).
The device does not respond to heartbeat polls (Heartbeat Polling and Hello messages).


HA Concepts
The following topics provide conceptual information about how HA works on a Palo Alto
Networks firewall:

HA Modes
HA Links and Backup Links
Device Priority and Preemption
Failover Triggers
HA Timers
HA Modes

You can set up the firewalls for HA in two modes:

Active/Passive: One device actively manages traffic while the other is synchronized and
ready to transition to the active state, should a failure occur. In this configuration, both
devices share the same configuration settings, and one actively manages traffic until a
path, link, system, or network failure occurs. When the active device fails, the passive
device takes over seamlessly and enforces the same policies to maintain network security.
Active/passive HA is supported in virtual wire, Layer 2 and Layer 3 deployments.


The PA-200 and the VM-Series firewalls support a lite version of active/passive HA.
HA Lite provides configuration synchronization and some runtime data synchronization,
such as IPSec security associations. It does not support session synchronization and
therefore does not offer stateful failover: established sessions are dropped on failover
and must be re-established by the endpoints.
Active/Active: Both devices in the pair are active and processing traffic, and work
synchronously to handle session setup and session ownership. The active/active
deployment is supported in virtual wire and Layer 3 deployments, and is only
recommended for networks with asymmetric routing.


HA Links and Backup Links

The devices in an HA pair use HA links to synchronize data and maintain state information.
Some models of the firewall have dedicated HA ports, a control link (HA1) and a data link
(HA2), while others require you to use in-band ports as HA links.
On devices with dedicated HA ports, such as the PA-3000 Series, PA-4000 Series, PA-5000
Series and PA-7050, use the dedicated HA ports to manage communication and synchronization
between the devices. For devices without dedicated HA ports, such as the PA-200, PA-500 and
PA-2000 Series firewalls, as a best practice use the management port for the HA1 link, to
allow a direct connection between the management planes of the devices, and an in-band
port for the HA2 link.


Control Link: The HA1 link is used to exchange hellos, heartbeats and HA state
information, and for management-plane synchronization of routing and User-ID
information. This link is also used to synchronize configuration changes made on either
the active or the passive device with its peer. The HA1 link is a Layer 3 link and requires
an IP address.
Ports used for HA1: TCP ports 28769 and 28260 for clear-text communication; TCP port 28
for encrypted communication (SSH over TCP). Because HA1 carries the configuration and the
User-ID mappings, enable HA1 encryption whenever the link is not a direct back-to-back
connection between the two devices.
Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec
security associations and ARP tables between the devices in an HA pair. Data flow on the
HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the
active device to the passive device.
Ports used for HA2: The HA data link can be configured to use either IP (protocol
number 99) or UDP (port 29281) as the transport, which allows the HA data link to span
subnets.
Additionally, an HA3 link is used in active/active HA deployments. When there is an
asymmetric route, the HA3 link is used to forward packets to the HA peer that owns the
session. The HA3 link is a Layer 2 link and does not support Layer 3 addressing or
encryption.

Backup Links: Provide redundancy for the HA1 and HA2 links. In-band ports are used as
backup links for both HA1 and HA2.
Consider the following guidelines when configuring backup HA links:
The IP addresses of the primary and backup HA links must not overlap.
HA backup links must be on a different subnet from the primary HA links.
HA1-backup and HA2-backup ports must be configured on separate physical ports.
The HA1-backup link uses TCP ports 28770 and 28260.
Device Priority and Preemption
The devices in an HA pair can be assigned a device priority value to indicate a
preference for which device should assume the active role and manage traffic.
The device with the lower numerical value, and therefore the higher priority, is designated
as active and manages all traffic on the network.
By default, preemption is disabled on the firewalls and must be enabled on both
devices. When enabled, the preemptive behavior allows the firewall with the higher
priority (lower numerical value) to resume the active role after it recovers from a failure.
Note that preemption causes a second failover when the preferred device returns; leave it
disabled unless that interruption is acceptable.

Prerequisites for Active/Passive HA


To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls
that meet the following requirements:
The same model: both devices in the pair must be of the same hardware model or virtual
machine model.
The same PAN-OS version: both devices should be running the same PAN-OS version and
must each be up to date on the application, URL and threat databases. They must also both
have the same multiple virtual systems capability (single or multi-vsys).
The same type of interfaces: dedicated HA links, or a combination of the management port
and in-band ports that are set to interface type HA.
The same set of licenses: licenses are unique to each device and cannot be shared between
the devices, so you must license both devices identically. If both devices do not have an
identical set of licenses, they cannot synchronize configuration information and maintain
parity for a seamless failover.


Configuration for Active/Passive HA

Identical configuration settings on Peer A and Peer B:


HA must be enabled on both devices.
Both devices must have the same Group ID value. The Group ID value is used to create a
virtual MAC address for all the configured interfaces. If more than one HA pair shares a
Layer 2 segment, each pair needs its own Group ID so the virtual MACs do not collide.

The format of the virtual MAC is 00-1B-17:00:xx:yy, where 00-1B-17 is the vendor ID, 00 is
fixed, xx is the HA group ID and yy is the interface ID.
When a new active device takes over, gratuitous ARPs are sent from each of the connected
interfaces of the new active member to inform the connected Layer 2 switches of the new
location of the virtual MAC address.
If using in-band ports, the interfaces for the HA1 and HA2 links must be set to type HA.
The HA mode must be set to Active Passive.
If required, preemption must be enabled on both devices. The device priority value,
however, must not be identical.
If required, encryption on the HA1 link (for communication between the HA peers)
must be configured on both devices.
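The prerequisites and the checklist above, turned into a pre-flight check as an added example (not PAN-OS or Panorama code): the settings of both peers are compared, every violated item is reported, the expected active device is derived from the priority values, and the virtual MAC is built in the 00-1B-17:00:xx:yy form from the slides. The field names, the interface-ID numbering (taken as a small integer) and the sample model, version and license names are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass
class HaPeer:
    """The settings the checklist compares, as read from one firewall."""
    name: str
    model: str
    panos: str
    multi_vsys: bool
    licenses: Set[str]
    ha_enabled: bool = True
    group_id: int = 1
    mode: str = "active-passive"
    preemptive: bool = False
    priority: int = 100            # lower value = higher priority
    ha1_encryption: bool = False
    ha_ports_typed: bool = True    # in-band ports used for HA1/HA2 set to type HA


def virtual_mac(group_id: int, interface_id: int) -> str:
    """00-1B-17:00:xx:yy from the slides: xx = HA group ID, yy = interface ID.
    The interface-ID numbering is taken as a small integer here (assumption)."""
    if not (0 <= group_id <= 255 and 0 <= interface_id <= 255):
        raise ValueError("group ID and interface ID must each fit in one octet")
    return f"00:1B:17:00:{group_id:02X}:{interface_id:02X}"


def check_ha_pair(a: HaPeer, b: HaPeer) -> List[str]:
    """Return the checklist items an active/passive pair violates; [] means ready."""
    findings: List[str] = []

    def must_match(attr: str, label: str) -> None:
        va, vb = getattr(a, attr), getattr(b, attr)
        if va != vb:
            findings.append(f"{label} differ: {a.name}={va!r} {b.name}={vb!r}")

    must_match("model", "hardware/VM model")
    must_match("panos", "PAN-OS version")
    must_match("multi_vsys", "multi-vsys capability")
    must_match("licenses", "license set")
    must_match("group_id", "HA group ID")
    must_match("mode", "HA mode")
    must_match("preemptive", "preemption setting")
    must_match("ha1_encryption", "HA1 encryption")
    for peer in (a, b):
        if not peer.ha_enabled:
            findings.append(f"HA not enabled on {peer.name}")
        if not peer.ha_ports_typed:
            findings.append(f"HA1/HA2 in-band ports not set to type HA on {peer.name}")
        if peer.mode != "active-passive":
            findings.append(f"{peer.name} is not in active-passive mode")
    if a.preemptive and b.preemptive and a.priority == b.priority:
        findings.append("preemption enabled but device priorities are identical")
    return findings


def expected_active(a: HaPeer, b: HaPeer) -> str:
    """Device with the lower priority value becomes active; a tie is decided by
    which device comes up first, so it is reported rather than guessed."""
    if a.priority == b.priority:
        return "tie"
    return a.name if a.priority < b.priority else b.name


# Constructed pair; model, version and license names are sample values.
LICENSES = {"Threat Prevention", "URL Filtering", "WildFire"}
PEER_A = HaPeer("fw-a", "PA-3020", "7.1.0", False, set(LICENSES),
                group_id=7, preemptive=True, priority=50)
PEER_B_OK = HaPeer("fw-b", "PA-3020", "7.1.0", False, set(LICENSES),
                   group_id=7, preemptive=True, priority=100)
PEER_B_BAD = HaPeer("fw-b", "PA-3020", "7.0.5", False, LICENSES - {"WildFire"},
                    group_id=7, preemptive=True, priority=50)

if __name__ == "__main__":
    print(virtual_mac(7, 1))
    print(check_ha_pair(PEER_A, PEER_B_OK), "active:", expected_active(PEER_A, PEER_B_OK))
    for finding in check_ha_pair(PEER_A, PEER_B_BAD):
        print("-", finding)
```

The mismatched pair shows the three findings that most often surface only after the first real failover: a PAN-OS version skew, a license present on one device only, and preemption enabled with equal priorities.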

Thank You
Rajesh Saini
+91 9999331177