Administrator's Guide
Version 7.1
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactus
About this Guide
This guide takes you through the configuration and maintenance of your Palo Alto Networks next-generation firewall. For additional information, refer to the following resources:
For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.
For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and Panorama 7.1 release notes, go to https://www.paloaltonetworks.com/documentation/71/panos/panosreleasenotes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: May 19, 2016
2 PAN-OS 7.1 Administrator's Guide Palo Alto Networks, Inc.
Table of Contents
Getting Started ... 17
  Integrate the Firewall into Your Management Network ... 18
    Determine Your Management Strategy ... 18
    Perform Initial Configuration ... 19
    Set Up Network Access for External Services ... 23
  Register the Firewall ... 27
  Activate Licenses and Subscriptions ... 28
  Install Content and Software Updates ... 30
  Segment Your Network Using Interfaces and Zones ... 34
    Network Segmentation for a Reduced Attack Surface ... 34
    Configure Interfaces and Zones ... 35
  Set Up a Basic Security Policy ... 38
  Assess Network Traffic ... 42
  Enable Basic Threat Prevention Features ... 44
    Enable Basic WildFire Forwarding ... 44
    Scan Traffic for Threats ... 46
    Control Access to Web Content ... 50
    Enable AutoFocus Threat Intelligence ... 53
  Best Practices for Completing the Firewall Deployment ... 55
Firewall Administration ... 57
  Management Interfaces ... 58
  Use the Web Interface ... 59
    Launch the Web Interface ... 59
    Configure Banners, Message of the Day, and Logos ... 60
    Use the Administrator Login Activity Indicators to Detect Account Misuse ... 62
    Manage and Monitor Administrative Tasks ... 64
    Commit, Validate, and Preview Firewall Configuration Changes ... 64
    Use Global Find to Search the Firewall or Panorama Management Server ... 66
    Manage Locks for Restricting Configuration Changes ... 67
  Manage Configuration Backups ... 69
    Back Up a Configuration ... 69
    Restore a Configuration ... 70
  Manage Firewall Administrators ... 72
    Administrative Roles ... 72
    Administrative Authentication ... 73
    Configure Administrative Accounts and Authentication ... 74
    Configure an Administrative Account ... 74
    Configure Kerberos SSO and External or Local Authentication for Administrators ... 75
    Configure Certificate-Based Administrator Authentication to the Web Interface ... 76
    Configure SSH Key-Based Administrator Authentication to the CLI ... 78
    Configure RADIUS Vendor-Specific Attributes for Administrator Authentication ... 78
  Reference: Web Interface Administrator Access ... 80
    Web Interface Access Privileges ... 80
    Panorama Web Interface Access ... 120
  Reference: Port Number Usage ... 124
    Ports Used for Management Functions ... 124
    Ports Used for HA ... 125
    Ports Used for Panorama ... 125
    Ports Used for User-ID ... 126
  Reset the Firewall to Factory Default Settings ... 128
  Bootstrap the Firewall ... 129
    USB Flash Drive Support ... 129
    Sample init-cfg.txt Files ... 130
    Prepare a USB Flash Drive for Bootstrapping a Firewall ... 131
    Bootstrap a Firewall Using a USB Flash Drive ... 134
Authentication ... 137
  Configure an Authentication Profile and Sequence ... 138
  Configure Kerberos Single Sign-On ... 141
  Configure Local Database Authentication ... 142
  Configure External Authentication ... 143
    Configure Authentication Server Profiles ... 143
    Configure a RADIUS Server Profile ... 143
    RADIUS Vendor-Specific Attributes Support ... 144
    Configure a TACACS+ Server Profile ... 145
    Configure an LDAP Server Profile ... 146
    Configure a Kerberos Server Profile ... 148
    Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers ... 148
    Enable External Authentication for Users and Services ... 149
  Test Authentication Server Connectivity ... 150
    Run the Test Authentication Command ... 150
    Test a Local Database Authentication Profile ... 151
    Test a RADIUS Authentication Profile ... 152
    Test a TACACS+ Authentication Profile ... 154
    Test an LDAP Authentication Profile ... 155
    Test a Kerberos Authentication Profile ... 156
  Troubleshoot Authentication Issues ... 158
Certificate Management ... 159
  Keys and Certificates ... 160
  Certificate Revocation ... 162
    Certificate Revocation List (CRL) ... 162
    Online Certificate Status Protocol (OCSP) ... 163
  Certificate Deployment ... 164
  Set Up Verification for Certificate Revocation Status ... 165
    Configure an OCSP Responder ... 165
    Configure Revocation Status Verification of Certificates ... 166
    Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption ... 166
  Configure the Master Key ... 168
  Obtain Certificates ... 169
    Create a Self-Signed Root CA Certificate ... 169
    Generate a Certificate ... 170
    Import a Certificate and Private Key ... 171
    Obtain a Certificate from an External CA ... 172
  Export a Certificate and Private Key ... 174
  Configure a Certificate Profile ... 175
  Configure an SSL/TLS Service Profile ... 177
  Replace the Certificate for Inbound Management Traffic ... 178
  Configure the Key Size for SSL Forward Proxy Server Certificates ... 179
  Revoke and Renew Certificates ... 180
    Revoke a Certificate ... 180
    Renew a Certificate ... 180
  Secure Keys with a Hardware Security Module ... 181
    Set Up Connectivity with an HSM ... 181
    Encrypt a Master Key Using an HSM ... 186
    Store Private Keys on an HSM ... 187
    Manage the HSM Deployment ... 188
High Availability ... 189
  HA Overview ... 190
  HA Concepts ... 191
    HA Modes ... 191
    HA Links and Backup Links ... 192
    Device Priority and Preemption ... 195
    Failover ... 195
    LACP and LLDP Pre-Negotiation for Active/Passive HA ... 196
    Floating IP Address and Virtual MAC Address ... 196
    ARP Load-Sharing ... 198
    Route-Based Redundancy ... 200
    HA Timers ... 200
    Session Owner ... 203
    Session Setup ... 203
    NAT in Active/Active HA Mode ... 205
    ECMP in Active/Active HA Mode ... 206
  Set Up Active/Passive HA ... 207
    Prerequisites for Active/Passive HA ... 207
    Configuration Guidelines for Active/Passive HA ... 208
    Configure Active/Passive HA ... 210
    Define HA Failover Conditions ... 215
    Verify Failover ... 216
  Set Up Active/Active HA ... 217
    Prerequisites for Active/Active HA ... 217
    Configure Active/Active HA ... 218
    Use Case: Configure Active/Active HA with Route-Based Redundancy ... 224
    Use Case: Configure Active/Active HA with Floating IP Addresses ... 225
    Use Case: Configure A/A HA with ARP Load-Sharing ... 226
    Use Case: Configure A/A HA with Floating IP Address Bound to A-P Firewall ... 227
    Use Case: Configure A/A HA with Source DIPP NAT Using Floating IP Addresses ... 231
    Use Case: Configure Separate Source NAT IP Address Pools for A/A HA Firewalls ... 234
    Use Case: Configure A/A HA for ARP Load-Sharing with Destination NAT ... 235
    Use Case: Configure A/A HA for ARP Load-Sharing with Destination NAT in Layer 3 ... 238
  HA Firewall States ... 241
  Reference: HA Synchronization ... 243
    What Settings Don't Sync in Active/Passive HA? ... 243
    What Settings Don't Sync in Active/Active HA? ... 245
    Synchronization of System Runtime Information ... 247
User-ID ... 369
  User-ID Overview ... 370
  User-ID Concepts ... 372
    Group Mapping ... 372
    User Mapping ... 372
  Enable User-ID ... 376
  Map Users to Groups ... 377
  Map IP Addresses to Users ... 380
    Configure User Mapping Using the Windows User-ID Agent ... 380
    Configure User Mapping Using the PAN-OS Integrated User-ID Agent ... 386
    Configure User-ID to Receive User Mappings from a Syslog Sender ... 389
    Map IP Addresses to Usernames Using Captive Portal ... 398
    Configure User Mapping for Terminal Server Users ... 405
    Send User Mappings to User-ID Using the XML API ... 412
  Enable User- and Group-Based Policy ... 413
  Enable Policy for Users with Multiple Accounts ... 415
  Verify the User-ID Configuration ... 417
  Deploy User-ID in a Large-Scale Network ... 419
    Deploy User-ID for Numerous Mapping Information Sources ... 419
    Configure Firewalls to Redistribute User Mapping Information ... 423
Decryption ... 485
  Decryption Overview ... 486
  Decryption Concepts ... 487
    Keys and Certificates for Decryption Policies ... 487
    SSL Forward Proxy ... 488
    SSL Inbound Inspection ... 489
    SSH Proxy ... 490
    Decryption Exceptions ... 491
    Decryption Mirroring ... 492
  Define Traffic to Decrypt ... 493
    Create a Decryption Profile ... 493
    Create a Decryption Policy Rule ... 495
  Configure SSL Forward Proxy ... 497
  Configure SSL Inbound Inspection ... 502
  Configure SSH Proxy ... 504
  Configure Decryption Exceptions ... 505
    Exclude Traffic from Decryption ... 505
    Exclude a Server from Decryption ... 506
  Enable Users to Opt Out of SSL Decryption ... 507
  Configure Decryption Port Mirroring ... 509
  Temporarily Disable SSL Decryption ... 511
URL Filtering ... 513
  URL Filtering Overview ... 514
    URL Filtering Vendors ... 514
    Interaction Between App-ID and URL Categories ... 515
    PAN-DB Private Cloud ... 515
  URL Filtering Concepts ... 518
    URL Categories ... 518
    URL Filtering Profile ... 520
    URL Filtering Profile Actions ... 520
    Block and Allow Lists ... 521
    External Dynamic List for URLs ... 522
    Safe Search Enforcement ... 522
    Container Pages ... 524
    HTTP Header Logging ... 524
    URL Filtering Response Pages ... 525
    URL Category as Policy Match Criteria ... 527
  PAN-DB Categorization ... 529
    PAN-DB URL Categorization Components ... 529
    PAN-DB URL Categorization Workflow ... 530
  Enable a URL Filtering Vendor ... 532
    Enable PAN-DB URL Filtering ... 532
    Enable BrightCloud URL Filtering ... 533
  Determine URL Filtering Policy Requirements ... 536
  Use an External Dynamic List in a URL Filtering Profile ... 538
  Monitor Web Activity ... 540
    Monitor Web Activity of Network Users ... 540
    View the User Activity Report ... 542
    Configure Custom URL Filtering Reports ... 544
  Configure URL Filtering ... 545
  Customize the URL Filtering Response Pages ... 547
  Configure URL Admin Override ... 548
  Enable Safe Search Enforcement ... 550
    Block Search Results that are not Using Strict Safe Search Settings ... 550
    Enable Transparent Safe Search Enforcement ... 553
  Set Up the PAN-DB Private Cloud ... 558
  URL Filtering Use Case Examples ... 563
    Use Case: Control Web Access ... 563
    Use Case: Use URL Categories for Policy Matching ... 567
  Troubleshoot URL Filtering ... 569
    Problems Activating PAN-DB ... 569
    PAN-DB Cloud Connectivity Issues ... 570
    URLs Classified as Not-Resolved ... 571
    Incorrect Categorization ... 572
    URL Database Out of Date ... 573
Large Scale VPN (LSVPN) ... 645
  LSVPN Overview ... 646
  Create Interfaces and Zones for the LSVPN ... 647
  Enable SSL Between GlobalProtect LSVPN Components ... 649
    About Certificate Deployment ... 649
    Deploy Server Certificates to the GlobalProtect LSVPN Components ... 649
    Deploy Client Certificates to the GlobalProtect Satellites Using SCEP ... 652
  Configure the Portal to Authenticate Satellites ... 655
  Configure GlobalProtect Gateways for LSVPN ... 657
    Prerequisite Tasks ... 657
    Configure the Gateway ... 657
  Configure the GlobalProtect Portal for LSVPN ... 660
    Prerequisite Tasks ... 660
    Configure the Portal ... 660
    Define the Satellite Configurations ... 661
  Prepare the Satellite to Join the LSVPN ... 665
  Verify the LSVPN Configuration ... 667
  LSVPN Quick Configs ... 668
    Basic LSVPN Configuration with Static Routing ... 669
    Advanced LSVPN Configuration with Dynamic Routing ... 672
Networking ... 675
  Interface Deployments ... 676
    Virtual Wire Deployments ... 676
    Layer 2 Deployments ... 679
    Layer 3 Deployments ... 679
    Tap Mode Deployments ... 680
  Configure an Aggregate Interface Group ... 682
  Use Interface Management Profiles to Restrict Access ... 685
  Virtual Routers ... 687
  Static Routes ... 689
  RIP ... 691
  OSPF ... 693
    OSPF Concepts ... 693
    Configure OSPF ... 695
    Configure OSPFv3 ... 700
    Configure OSPF Graceful Restart ... 702
    Confirm OSPF Operation ... 703
  BGP ... 705
  Session Settings and Timeouts ... 710
    Transport Layer Sessions ... 710
    TCP ... 710
    UDP ... 715
    ICMP ... 715
    Configure Session Timeouts ... 716
    Configure Session Settings ... 718
    Prevent TCP Split Handshake Session Establishment ... 720
  DHCP ... 722
    DHCP Overview ... 722
    Firewall as a DHCP Server and Client ... 723
    DHCP Messages ... 723
    DHCP Addressing ... 724
    DHCP Options ... 726
    Configure an Interface as a DHCP Server ... 728
    Configure an Interface as a DHCP Client ... 732
    Configure the Management Interface as a DHCP Client ... 733
    Configure an Interface as a DHCP Relay Agent ... 735
    Monitor and Troubleshoot DHCP ... 735
  NAT ... 737
    NAT Policy Rules ... 737
    Source NAT and Destination NAT ... 740
    NAT Rule Capacities ... 741
    Dynamic IP and Port NAT Oversubscription ... 741
    Dataplane NAT Memory Statistics ... 743
    Configure NAT ... 744
    NAT Configuration Examples ... 751
  NPTv6 ... 759
    NPTv6 Overview ... 759
    How NPTv6 Works ... 761
    NDP Proxy ... 762
    NPTv6 and NDP Proxy Example ... 764
    Create an NPTv6 Policy ... 765
  ECMP ... 768
    ECMP Load Balancing Algorithms ... 768
    ECMP Platform, Interface, and IP Routing Support ... 769
    Configure ECMP on a Virtual Router ... 770
    Enable ECMP for Multiple BGP Autonomous Systems ... 771
    Verify ECMP ... 773
Policy ... 795
  Policy Types ... 796
  Security Policy ... 797
    Components of a Security Policy Rule ... 797
    Security Policy Actions ... 800
    Create a Security Policy Rule ... 800
  Policy Objects ... 803
  Security Profiles ... 804
    Antivirus Profiles ... 805
    Anti-Spyware Profiles ... 805
    Vulnerability Protection Profiles ... 806
    URL Filtering Profiles ... 806
    Data Filtering Profiles ... 807
    File Blocking Profiles ... 808
    WildFire Analysis Profiles ... 808
    DoS Protection Profiles ... 808
    Zone Protection Profiles ... 809
    Security Profile Group ... 809
  Best Practice Internet Gateway Security Policy ... 813
    What Is a Best Practice Internet Gateway Security Policy? ... 813
    Why Do I Need a Best Practice Internet Gateway Security Policy? ... 815
    How Do I Deploy a Best Practice Internet Gateway Security Policy? ... 816
    Identify Whitelist Applications ... 817
    Create User Groups for Access to Whitelist Applications ... 820
    Decrypt Traffic for Full Visibility and Threat Inspection ... 820
    Create Best Practice Security Profiles ... 822
    Define the Initial Internet Gateway Security Policy ... 826
    Monitor and Fine Tune the Policy Rulebase ... 834
    Remove the Temporary Rules ... 835
    Maintain the Rulebase ... 836
  Enumeration of Rules Within a Rulebase ... 837
  Move or Clone a Policy Rule or Object to a Different Virtual System ... 838
  Use Tags to Group and Visually Distinguish Objects ... 839
    Create and Apply Tags ... 839
    Modify Tags ... 840
    Use the Tag Browser ... 840
  Use an External Dynamic List in Policy ... 845
    External Dynamic List ... 845
    Formatting Guidelines for an External Dynamic List ... 846
    Enforce Policy on Entries in an External Dynamic List ... 847
    View the List of Entries in an External Dynamic List ... 850
    Retrieve an External Dynamic List from the Web Server ... 851
  Register IP Addresses and Tags Dynamically ... 852
  Monitor Changes in the Virtual Environment ... 853
    Enable VM Monitoring to Track Changes on the Virtual Network ... 853
    Attributes Monitored in the AWS and VMware Environments ... 855
    Use Dynamic Address Groups in Policy ... 856
  CLI Commands for Dynamic IP Addresses and Tags ... 859
  Identify Users Connected through a Proxy Server ... 861
    Use XFF Values for Policies and Logging Source Users ... 861
    Add XFF Values to URL Filtering Logs ... 862
  Policy-Based Forwarding ... 863
    PBF ... 863
    Create a Policy-Based Forwarding Rule ... 866
    Use Case: PBF for Outbound Access with Dual ISPs ... 867
  DoS Protection Against Flooding of New Sessions ... 875
    DoS Protection Against Flooding of New Sessions ... 875
    Configure DoS Protection Against Flooding of New Sessions ... 878
    Use the CLI to End a Single Attacking Session ... 881
    Identify Sessions That Use an Excessive Percentage of the Packet Buffer ... 881
    Discard a Session Without a Commit ... 884
Virtual Systems ... 885
  Virtual Systems Overview ... 886
    Virtual System Components and Segmentation ... 886
    Benefits of Virtual Systems ... 887
    Use Cases for Virtual Systems ... 887
    Platform Support and Licensing for Virtual Systems ... 888
    Administrative Roles for Virtual Systems ... 888
    Shared Objects for Virtual Systems ... 888
  Communication Between Virtual Systems ... 889
    Inter-VSYS Traffic That Must Leave the Firewall ... 889
    Inter-VSYS Traffic That Remains Within the Firewall ... 890
    Inter-VSYS Communication Uses Two Sessions ... 892
  Shared Gateway ... 893
    External Zones and Shared Gateway ... 893
    Networking Considerations for a Shared Gateway ... 894
  Service Routes for Virtual Systems ... 895
    Use Cases for Service Routes for a Virtual System ... 895
    PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers ... 896
    DNS Proxy Object ... 896
    DNS Server Profile ... 897
    Multi-Tenant DNS Deployments ... 897
Certifications ....................................................... 919
Enable FIPS and Common Criteria Support .......................................... 920
FIPS-CC Security Functions ........................................................ 921
Getting Started
The following topics provide detailed steps to help you deploy a new Palo Alto Networks next-generation firewall. They provide details for integrating a new firewall into your network, registering the firewall, activating licenses and subscriptions, and configuring basic security policies and threat prevention features.
After you perform the basic configuration steps required to integrate the firewall into your network, you can use the rest of the topics in this guide to help you deploy the comprehensive security platform features as necessary to address your network security needs.
Integrate the Firewall into Your Management Network
Register the Firewall
Activate Licenses and Subscriptions
Install Content and Software Updates
Segment Your Network Using Interfaces and Zones
Set Up a Basic Security Policy
Assess Network Traffic
Enable Basic Threat Prevention Features
Best Practices for Completing the Firewall Deployment
Integrate the Firewall into Your Management Network
All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to perform the firewall administration functions. By using the MGT port, you separate the management functions of the firewall from the data processing functions, safeguarding access to the firewall and enhancing performance. When using the web interface, you must perform all initial configuration tasks from the MGT port even if you plan to use an in-band data port for managing your firewall going forward.
Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the Internet. If you do not want to enable external access to your MGT port, you will need to either set up an in-band data port to provide access to required external services (using service routes) or plan to manually upload updates regularly.
The following topics describe how to perform the initial configuration steps that are necessary to integrate a new firewall into the management network and deploy it in a basic security configuration.
Determine Your Management Strategy
Perform Initial Configuration
Set Up Network Access for External Services
The following topics describe how to integrate a single Palo Alto Networks next-generation firewall into your network. However, for redundancy, consider deploying a pair of firewalls in a High Availability configuration.
Determine Your Management Strategy
The Palo Alto Networks firewall can be configured and managed locally or it can be managed centrally using Panorama, the Palo Alto Networks centralized security management system. If you have six or more firewalls deployed in your network, use Panorama to achieve the following benefits:
Reduce the complexity and administrative overhead in managing configuration, policies, software and dynamic content updates. Using device groups and templates on Panorama, you can effectively manage firewall-specific configuration locally on a firewall and enforce shared policies across all firewalls or device groups.
Aggregate data from all managed firewalls and gain visibility across all the traffic on your network. The Application Command Center (ACC) on Panorama provides a single glass pane for unified reporting across all the firewalls, allowing you to centrally analyze, investigate and report on network traffic, security incidents and administrative modifications.
The procedures that follow describe how to manage the firewall using the local web interface. If you want to use Panorama for centralized management, first Perform Initial Configuration and verify that the firewall can establish a connection to Panorama. From that point on you can use Panorama to configure your firewall centrally.
Perform Initial Configuration
By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other firewall configuration tasks. You must perform these initial configuration tasks either from the MGT interface, even if you do not plan to use this interface for your firewall management, or using a direct serial connection to the console port on the firewall.
Set Up Network Access to the Firewall
Set Up Network Access for External Services
By default, the firewall uses the MGT interface to access remote services, such as DNS servers, content updates, and license retrieval. If you do not want to enable external network access to your management network, you must set up an in-band data port to provide access to required external services and set up service routes to instruct the firewall what port to use to access the external services.
This task requires familiarity with firewall interfaces, zones, and policies. For more information on these topics, see Configure Interfaces and Zones and Set Up a Basic Security Policy.
Set Up a Data Port for Access to External Services
Step 5 Configure the service routes.
By default, the firewall uses the MGT interface to access the external services it requires. To change the interface the firewall uses to send requests to external services, you must edit the service routes.
This example shows how to set up global service routes. For information on setting up network access to external services on a virtual system basis rather than a global basis, see Per-Virtual System Service Routes.
1. Select Device > Setup > Services > Global and click Service Route Configuration.
For the purposes of activating your licenses and getting the most recent content and software updates, you will want to change the service route for DNS, Palo Alto Updates, URL Updates, WildFire, and AutoFocus.
2. Click the Customize radio button, and select one of the following:
For a predefined service, select IPv4 or IPv6 and click the link for the service for which you want to modify the Source Interface and select the interface you just configured. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
To create a service route for a custom destination, select Destination, and click Add. Enter a Destination name and select a Source Interface. If more than one IP address is configured for the selected interface, the Source Address drop-down allows you to select an IP address.
3. Click OK to save the settings.
4. Repeat steps 2-3 above for each service route you want to modify.
5. Commit your changes.
Register the Firewall
Before you can activate support and other licenses and subscriptions, you must first register the firewall.
If you are registering a VM-Series firewall, refer to the VM-Series Deployment Guide.
Register the Firewall
Activate Licenses and Subscriptions
Before you can start using your firewall to secure the traffic on your network, you must activate the licenses for each of the services you purchased. Available licenses and subscriptions include the following:
Threat Prevention: Provides antivirus, anti-spyware, and vulnerability protection.
Decryption Mirroring: Provides the ability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as NetWitness or Solera, for archiving and analysis.
URL Filtering: Allows you to create security policy to enforce web access based on dynamic URL categories. You must purchase and install a subscription for one of the supported URL filtering databases: PAN-DB or BrightCloud. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud. For more information about URL filtering, see Control Access to Web Content.
Virtual Systems: This license is required to enable support for multiple virtual systems on PA-2000 and PA-3000 Series firewalls. In addition, you must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-500, PA-200, and VM-Series firewalls do not support virtual systems.
WildFire: Although basic WildFire support is included as part of the Threat Prevention license, the WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file type forwarding (APK, PDF, Microsoft Office, and Java Applet), as well as the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to a WF-500 appliance.
GlobalProtect: Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use HIP checks, you will also need gateway licenses (subscription) for each gateway.
AutoFocus: Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.
Activate Licenses and Subscriptions
Install Content and Software Updates
In order to stay ahead of the changing threat and application landscape, Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. By default, the firewalls use the management port to access the CDN infrastructure for application updates, threat and antivirus signature updates, BrightCloud and PAN-DB database updates and lookups, and access to the Palo Alto Networks WildFire cloud. To ensure that you are always protected from the latest threats (including those that have not yet been discovered), you must ensure that you keep your firewalls up to date with the latest content and software updates published by Palo Alto Networks.
The following content updates are available, depending on which subscriptions you have:
Although you can manually download and install content updates at any time, as a best practice you should Schedule each content update. Scheduled updates occur automatically.
Antivirus: Includes new and updated antivirus signatures, including signatures discovered by the WildFire cloud service. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
Applications: Includes new and updated application signatures. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
Applications and Threats: Includes new and updated application and threat signatures. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New Applications and Threats updates are published weekly. To review the policy impact of new application updates, see Manage New App-IDs Introduced in Content Releases.
GlobalProtect Data File: Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect agents. You must have a GlobalProtect gateway license and create an update schedule in order to receive these updates.
BrightCloud URL Filtering: Provides updates to the BrightCloud URL Filtering database only. You must have a BrightCloud subscription to get these updates. New BrightCloud URL database updates are published daily. If you have a PAN-DB license, scheduled updates are not required as firewalls remain in sync with the servers automatically.
WildFire: Provides near real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service. Without the subscription, you must wait 24 to 48 hours for the signatures to roll into the Applications and Threats update.
Install Content and Software Updates
You cannot download the antivirus update until you have installed the Application and Threats update.
Upgrade: Indicates that a new version of the BrightCloud database is available. Click the link to begin the download and installation of the database. The database upgrade begins in the background; when completed, a check mark displays in the Currently Installed column. Note that if you are using PAN-DB as your URL filtering database you will not see an upgrade link because the PAN-DB database on the firewall automatically synchronizes with the PAN-DB cloud.
To check the status of an action, click Tasks (on the lower right-hand corner of the window).
Revert: Indicates that a previously installed version of the content or software version is available. You can choose to revert to the previously installed version.
Segment Your Network Using Interfaces and Zones
Traffic must pass through the firewall in order for the firewall to manage and control it. Physically, traffic enters and exits the firewall through interfaces. The firewall determines how to act on a packet based on whether the packet matches a Security policy rule. At the most basic level, each Security policy rule must identify where the traffic came from and where it is going. On a Palo Alto Networks next-generation firewall, Security policy rules are applied between zones. A zone is a grouping of interfaces (physical or virtual) that represents a segment of your network that is connected to, and controlled by, the firewall. Because traffic can only flow between zones if there is a Security policy rule to allow it, this is your first line of defense. The more granular the zones you create, the greater control you have over access to sensitive applications and data and the more protection you have against malware moving laterally throughout your network. For example, you might want to segment access to the database servers that store your customer data into a zone called Customer Data. You can then define security policies that only permit certain users or groups of users to access the Customer Data zone, thereby preventing unauthorized internal or external access to the data stored in that segment.
Network Segmentation for a Reduced Attack Surface
Configure Interfaces and Zones
Network Segmentation for a Reduced Attack Surface
The following diagram shows a very basic example of how you can create zones to segment your network. The more granular you make your zones (and the corresponding security policy rules that allow traffic between zones), the more you reduce the attack surface on your network. This is because traffic can flow freely within a zone (intrazone traffic), but traffic cannot flow between zones (interzone traffic) until you define a Security policy rule that allows it. Additionally, an interface cannot process traffic until you have assigned it to a zone. Therefore, by segmenting your network into granular zones you have more control over access to sensitive applications or data and you can prevent malicious traffic from establishing a communication channel within your network, thereby reducing the likelihood of a successful attack on your network.
Configure Interfaces and Zones
After you identify how you want to segment your network and the zones you will need to create to achieve the segmentation (as well as the interfaces to map to each zone), you can begin configuring the interfaces and zones on the firewall. Each interface on the firewall supports all Interface Deployments and the deployment you will use depends on the topology of each part of the network you are connecting to. The following workflow shows how to configure Layer 3 interfaces and assign them to zones. For details on integrating the firewall using a different type of interface deployment (for example Virtual Wire Deployments or Layer 2 Deployments), see Networking.
The firewall comes preconfigured with a default virtual wire interface between ports Ethernet 1/1 and Ethernet 1/2 (and a corresponding default security policy and virtual router). If you do not plan to use the default virtual wire, you must manually delete the configuration and commit the change before proceeding to prevent it from interfering with other settings you define. For instructions on how to delete the default virtual wire and its associated security policy and zones, see Step 3 in Set Up a Data Port for Access to External Services.
Set Up Interfaces and Zones
Set Up a Basic Security Policy
Now that you have defined some zones and attached them to interfaces, you are ready to begin creating your Security Policy. The firewall will not allow any traffic to flow from one zone to another unless there is a Security policy rule to allow it. When a packet enters a firewall interface, the firewall matches the attributes in the packet against the Security policy rules to determine whether to block or allow the session based on attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. The firewall evaluates incoming traffic against the security policy rulebase from left to right and from top to bottom and then takes the action specified in the first security rule that matches (for example, whether to allow, deny, or drop the packet). This means that you must order the rules in your security policy rulebase so that more specific rules are at the top of the rulebase and more general rules are at the bottom to ensure that the firewall is enforcing policy as expected.
The following workflow shows how to set up a very basic Internet gateway security policy that enables access to the network infrastructure, to data center applications, and to the Internet. This will enable you to get the firewall up and running so that you can verify that you have successfully configured the firewall. This policy is not comprehensive enough to protect your network. After you verify that you have successfully configured the firewall and integrated it into your network, proceed to Policy to learn how to create a Best Practice Internet Gateway Security Policy that will safely enable application access while protecting your network from attack.
Define Basic Security Policy Rules
"Network Infrastructure" {
from Users;
source any;
source-region none;
to Data_Center;
destination any;
destination-region none;
user any;
category any;
application/service dns/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}
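The first-match evaluation and rule-ordering guidance from Set Up a Basic Security Policy, together with the intrazone/interzone default behaviour from Segment Your Network Using Interfaces and Zones, modelled as an added Python example. This is not PAN-OS code and not from the guide. The parser reads rule blocks in the style of the rule output shown above; the "Network Infrastructure" rule is the one from the page, while the "Allow DC Apps" and "Block Telnet" rules, the zone names and the packet attributes are constructed assumptions. Only zones and application are modelled; addresses, users and services are left out.

```python
# Added example (not PAN-OS code): models the first-match Security policy
# evaluation, the implicit intrazone-allow / interzone-deny behaviour, and the
# rule-ordering problem the guide describes. Only zones and application are
# modelled; addresses, users and services are ignored.
import re
from dataclasses import dataclass

# Constructed rulebase in the style of the rule output shown in the guide.
# "Network Infrastructure" is the guide's rule; the other two are assumptions.
SAMPLE_RULEBASE = '''
"Network Infrastructure" {
from Users;
source any;
source-region none;
to Data_Center;
destination any;
destination-region none;
user any;
category any;
application/service dns/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}
"Allow DC Apps" {
from Users;
to Data_Center;
application/service any/any/any/any;
action allow;
}
"Block Telnet" {
from Users;
to Data_Center;
application/service telnet/any/any/any;
action deny;
}
'''

RULE_RE = re.compile(r'"([^"]+)"\s*\{(.*?)\}', re.S)


@dataclass
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    application: str  # App-ID name or "any"
    action: str


def parse_rulebase(text):
    """Parse rule blocks into Rule objects, preserving rulebase order."""
    rules = []
    for name, body in RULE_RE.findall(text):
        fields = {}
        for line in body.strip().splitlines():
            line = line.strip().rstrip(';')
            if line:
                key, _, value = line.partition(' ')
                fields[key.rstrip(':')] = value.strip()  # "icmp-unreachable:" carries a colon
        app = fields['application/service'].split('/')[0]  # app/proto/port/... ; keep the app
        rules.append(Rule(name, frozenset(fields['from'].split()),
                          frozenset(fields['to'].split()), app, fields['action']))
    return rules


def _zone_ok(rule_zones, zone):
    return 'any' in rule_zones or zone in rule_zones


def matches(rule, pkt):
    """True if the packet's zones and application fall within the rule."""
    return (_zone_ok(rule.from_zones, pkt['from_zone'])
            and _zone_ok(rule.to_zones, pkt['to_zone'])
            and rule.application in ('any', pkt['application']))


def evaluate(rules, pkt):
    """(rule name, action) of the first match; otherwise the implicit default:
    intrazone traffic is allowed, interzone traffic is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action
    if pkt['from_zone'] == pkt['to_zone']:
        return 'intrazone-default', 'allow'
    return 'interzone-default', 'deny'


def _covers(earlier, later):
    """True if every packet 'later' could match is already matched by 'earlier'."""
    def zones_cover(za, zb):
        return 'any' in za or ('any' not in zb and zb <= za)
    return (zones_cover(earlier.from_zones, later.from_zones)
            and zones_cover(earlier.to_zones, later.to_zones)
            and earlier.application in ('any', later.application))


def find_shadowed(rules):
    """Rules that can never be hit because an earlier rule covers everything
    they match: the ordering mistake the guide warns about."""
    return [later.name for i, later in enumerate(rules)
            if any(_covers(earlier, later) for earlier in rules[:i])]
```

Running `find_shadowed(parse_rulebase(SAMPLE_RULEBASE))` reports "Block Telnet", because the general "Allow DC Apps" rule above it already matches every Users-to-Data_Center packet, so a telnet session is allowed by that rule and the deny is dead. Moving the specific deny above the general allow, as the guide advises, makes the same packet hit "Block Telnet" and removes the shadowing. A packet with no explicit match falls through to the implicit defaults, allowed within a zone and denied between zones.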
Assess Network Traffic
Now that you have a basic security policy, you can review the statistics and data in the Application Command Center (ACC), traffic logs, and the threat logs to observe trends on your network. Use this information to identify where you need to create more granular security policy rules.
Monitor Network Traffic
Use the Application Command Center and Use the Automated Correlation Engine.
In the ACC, review the most used applications and the high-risk applications on your network. The ACC graphically summarizes the log information to highlight the applications traversing the network, who is using them (with User-ID enabled), and the potential security impact of the content to help you identify what is happening on the network in real time. You can then use this information to create appropriate security policy rules that block unwanted applications, while allowing and enabling applications in a secure manner.
The Compromised Hosts widget in ACC > Threat Activity displays potentially compromised hosts on your network and the logs and match evidence that corroborates the events.
Determine what updates/modifications are required for your network security policy rules and implement the changes.
For example:
Evaluate whether to allow web content based on schedule, users, or groups.
Allow or control certain applications or functions within an application.
Decrypt and inspect content.
Allow but scan for threats and exploits.
For information on refining your security policies and for attaching custom security profiles, see Enable Basic Threat Prevention Features.
View AutoFocus Threat Data for Logs.
Review the AutoFocus intelligence summary for artifacts in your logs. An artifact is an item, property, activity, or behavior associated with logged events on the firewall. The intelligence summary reveals the number of sessions and samples in which WildFire detected the artifact. Use WildFire verdict information (benign, grayware, malware) and AutoFocus matching tags to look for potential risks in your network.
AutoFocus tags created by Unit 42, the Palo Alto Networks threat intelligence team, call attention to advanced, targeted campaigns and threats in your network.
From the AutoFocus intelligence summary, you can start an AutoFocus search for artifacts and assess their pervasiveness within global, industry, and network contexts.
Monitor Web Activity of Network Users.
Review the URL filtering logs to scan through alerts and denied categories/URLs. URL logs are generated when traffic matches a security rule that has a URL filtering profile attached with an action of alert, continue, override or block.
Enable Basic Threat Prevention Features
The Palo Alto Networks next-generation firewall has unique threat prevention capabilities that allow it to protect your network from attack despite the use of evasion, tunneling, or circumvention techniques. The threat prevention features on the firewall include the WildFire service, Security Profiles that support Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking and Data Filtering capabilities, the Denial of Service (DoS) and Zone protection functionality, and AutoFocus threat intelligence.
Threat Prevention contains more in-depth information on how to protect your network from threats. For details on how to scan encrypted (SSH or SSL) traffic for threats, see Decryption. Visit Applipedia and Threat Vault to learn more about the applications and threats that Palo Alto Networks products can identify, respectively.
Before you can apply threat prevention features, you must first configure zones to identify one or more source or destination interfaces and security policy rules. To configure interfaces, zones, and the policies that are needed to apply threat prevention features, see Configure Interfaces and Zones and Set Up a Basic Security Policy.
To begin protecting your network from threats, start here:
Enable Basic WildFire Forwarding
Scan Traffic for Threats
Control Access to Web Content
Enable AutoFocus Threat Intelligence
Enable Basic WildFire Forwarding
WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to be malicious, grayware, or benign. With WildFire enabled, a Palo Alto Networks firewall can forward unknown samples to WildFire for analysis. For newly discovered malware, WildFire generates a signature to detect the malware and distributes it to all firewalls with active WildFire licenses. This enables global firewalls to detect and prevent malware found by a single firewall.
A basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, you can enable the firewall to forward portable executable (PE) files. Additionally, if you do not have a WildFire subscription, but you do have a Threat Prevention subscription, you can receive signatures for malware WildFire identifies every 24-48 hours (as part of the antivirus updates).
Beyond the basic WildFire service, a WildFire subscription is required for the firewall to:
Get the latest WildFire signatures every five minutes.
Forward advanced file types and email links for analysis.
Use the WildFire API.
Use a WF-500 appliance to host a WildFire private cloud or a WildFire hybrid cloud.
If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:
Enable Basic WildFire Forwarding
Before You Begin: Confirm that your firewall is registered and that you have a valid support account as well as any subscriptions you require.
1. Go to the Palo Alto Networks Customer Support website, log in, and select My Devices.
2. Verify that the firewall is listed. If it is not listed, see Register the Firewall.
3. (Optional) If you have a Threat Prevention subscription, be sure to Activate Licenses and Subscriptions.
Step 2 Enable the firewall to forward PEs for analysis.
1. Select Objects > Security Profiles > WildFire Analysis and Add a new profile rule.
2. Name the new profile rule.
3. Click Add to create a forwarding rule and enter a name.
4. In the File Types column, add pe files to the forwarding rule.
5. In the Analysis column, select public-cloud to forward PEs to the WildFire public cloud.
6. Click OK.
Step 4 Click Commit to save your configuration updates.
Scan Traffic for Threats
Security Profiles provide threat protection in security policies. For example, you can apply an antivirus profile to a security policy and all traffic that matches the security policy will be scanned for viruses.
The following sections provide steps for setting up a basic threat prevention configuration:
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Set Up File Blocking
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Every Palo Alto Networks next-generation firewall comes with predefined Antivirus, Anti-Spyware, and Vulnerability Protection profiles that you can attach to security policies. There is one predefined Antivirus profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert on SMTP, IMAP, and POP3 traffic). There are two predefined Anti-Spyware and Vulnerability Protection profiles:
default: Applies the default action to all client and server critical, high, and medium severity spyware/vulnerability protection events. It does not detect low and informational events.
strict: Applies the block response to all client and server critical, high and medium severity spyware/vulnerability protection events and uses the default action for low and informational events.
To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your basic web access policies. As you monitor the traffic on your network and expand your policy rulebase, you can then design more granular profiles to address your specific security needs.
Set up Antivirus/Anti-Spyware/Vulnerability Protection
Recommendations for HA Configurations:
Active/Passive HA: If the firewalls use the MGT port for content updates, configure a schedule on each firewall so that each firewall downloads and installs content independently. If the firewalls are using a data port for content updates, the passive firewall will not perform downloads while it is in the passive state. In this case, set a schedule on each peer and enable Sync To Peer to ensure that content updates on the active peer sync to the passive peer.
Active/Active HA: If the firewalls use the MGT port for content updates, configure a schedule on each firewall, but do not enable Sync To Peer. If the firewalls are using a data port for content updates, schedule content updates on each firewall and select Sync To Peer to enable the active-primary firewall to download and install the content updates and then push the content update to the active-secondary peer.
Set Up File Blocking
File Blocking Profiles allow you to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive-by download protection, allow download/upload of executables and archive files (.zip and .rar), but force users to acknowledge that they are transferring a file so that they will notice that the browser is attempting to download something they were not aware of. For policy rules that allow general web browsing, be more strict with your file blocking because the risk of users unknowingly downloading malicious files is much higher. For this type of traffic you will want to attach a more strict file blocking profile that also blocks portable executable (PE) files.
Configure File Blocking
Control Access to Web Content
URL Filtering provides visibility and control over web traffic on your network. With URL filtering enabled, the firewall can categorize web traffic into one or more (from approximately 60) categories. You can then create policies that specify whether to allow, block, or log (alert) traffic based on the category to which it belongs. The following workflow shows how to enable PAN-DB for URL filtering, create security profiles, and attach them to security policies to enforce a basic URL filtering policy.
Configure URL Filtering
2. Click OK to save the URL filtering profile.
Enable AutoFocus Threat Intelligence
With a valid AutoFocus subscription, you can compare the activity on your network with the latest threat data available on the AutoFocus portal. Connecting your firewall and AutoFocus unlocks the following features:
Ability to view an AutoFocus intelligence summary for session artifacts recorded in the firewall logs.
Ability to open an AutoFocus search for log artifacts from the firewall.
The AutoFocus intelligence summary reveals the prevalence of an artifact on your network and on a global scale. The WildFire verdicts and AutoFocus tags listed for the artifact indicate whether the artifact poses a security risk.
Enable AutoFocus Threat Intelligence on the Firewall
Best Practices for Completing the Firewall Deployment
Now that you have integrated the firewall into your network and enabled the basic security features, you can begin configuring more advanced features. Here are some things to consider next:
• Learn about the different Management Interfaces that are available to you and how to access and use them.
• Replace the Certificate for Inbound Management Traffic. By default, the firewall ships with a default certificate that enables HTTPS access to the web interface over the management (MGT) interface or any other interface that supports HTTPS management traffic. To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
• Configure a best practice security policy rulebase to safely enable applications and protect your network from attack. See Best Practice Internet Gateway Security Policy for details.
• Set up High Availability. High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration and session tables are synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up a two-firewall cluster provides redundancy and allows you to ensure business continuity.
• Configure the Master Key. Every Palo Alto Networks firewall has a default master key that encrypts all private keys on the firewall used for cryptographic protocols. As a best practice to safeguard the keys, configure the master key on each firewall to be unique.
• Manage Firewall Administrators. Every Palo Alto Networks firewall and appliance is preconfigured with a default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This allows you to better protect the firewall from unauthorized configuration (or modification) and to enable logging of the actions of each individual administrator.
• Enable User Identification (User-ID). User-ID is a Palo Alto Networks next-generation firewall feature that allows you to create policies and perform reporting based on users and groups rather than individual IP addresses.
• Enable Decryption. Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control, and granular security. Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted or tunneled traffic.
• Enable Passive DNS Collection for Improved Threat Intelligence. Enable this opt-in feature to enable the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.
• Follow the Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions.
Firewall Administration
Administrators can configure, manage, and monitor Palo Alto Networks firewalls using the web interface, CLI, and API management interface. You can customize role-based administrative access to the management interfaces to delegate specific tasks or permissions to certain administrators.
Management Interfaces
Use the Web Interface
Manage Configuration Backups
Manage Firewall Administrators
Reference: Web Interface Administrator Access
Reference: Port Number Usage
Reset the Firewall to Factory Default Settings
Bootstrap the Firewall
Management Interfaces
You can use the following user interfaces to manage the Palo Alto Networks firewall and Panorama:
• Use the Web Interface to complete administrative tasks and generate reports from the web interface with relative ease. This graphical interface allows you to access the firewall using HTTPS and it is the best way to perform administrative tasks.
• Use the Command Line Interface (CLI) to enter commands in rapid succession to complete a series of tasks. The CLI is a no-frills interface that supports two command modes and each mode has its own hierarchy of commands and statements. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency.
• Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is a web service implemented using HTTP/HTTPS requests and responses.
Use the Web Interface
The following topics describe how to use the firewall web interface. For detailed information about specific tabs and fields in the web interface, refer to the Web Interface Reference Guide.
Launch the Web Interface
Configure Banners, Message of the Day, and Logos
Use the Administrator Login Activity Indicators to Detect Account Misuse
Manage and Monitor Administrative Tasks
Commit, Validate, and Preview Firewall Configuration Changes
Use Global Find to Search the Firewall or Panorama Management Server
Manage Locks for Restricting Configuration Changes
Launch the Web Interface
The following web browsers are supported for access to the web interface:
• Internet Explorer 7+
• Firefox 3.6+
• Safari 5+
• Chrome 11+
Launch the Web Interface
Step 1 Launch an Internet browser and enter the IP address of the firewall in the URL field (https://<IP address>).
By default, the management (MGT) interface allows only HTTPS access to the web interface. To enable other protocols, select Device > Setup > Management and edit the Management Interface Settings.
Step 2 Enter your user Name and Password. If this is your first login session, enter the default admin for both fields.
Step 3 If the login dialog has a banner, read it. If the dialog requires you to acknowledge reading the banner, select I Accept and Acknowledge the Statement Below.
Step 4 Log in to the web interface.
Step 5 Read and Close the messages of the day.
You can select Do not show again for messages you don't want to see in future login sessions.
If you want to change the language that the web interface uses, click Language at the bottom of the web interface, select a Language from the drop-down, and click OK.
Configure Banners, Message of the Day, and Logos
A login banner is optional text that you can add to the login page so that administrators will see information they must know before they log in. For example, you could add a message to notify users of restrictions on unauthorized use of the firewall.
You can add colored bands that highlight overlaid text across the top (header banner) and bottom (footer banner) of the web interface to ensure administrators see critical information, such as the classification level for firewall administration.
A message of the day dialog automatically displays after you log in. The dialog displays messages that Palo Alto Networks embeds to highlight important information associated with a software or content release. You can also add one custom message to ensure administrators see information, such as an impending system restart, that might affect their tasks.
You can replace the default logos that appear on the login page and in the header of the web interface with the logos of your organization.
Configure Banners, Message of the Day, and Logos
Use the Administrator Login Activity Indicators to Detect Account Misuse
The last login time and failed login attempts indicators provide a visual way to detect misuse of your administrator account on a Palo Alto Networks firewall or Panorama management server. Use the last login information to determine if someone else logged in using your credentials and use the failed login attempts indicator to determine if your account is being targeted in a brute-force attack.
Use the Login Activity Indicators to Detect Account Misuse
3. Look for a caution symbol to the right of the last login time information for failed login attempts.
The failed login indicator appears if one or more failed login attempts occurred using your account since the last successful login.
a. If you see the caution symbol, hover over it to display the number of failed login attempts.
b. Click the caution symbol to view the failed login attempts summary. Details include the admin account name, the reason for the login failure, the source IP address, and the date and time.
After you successfully log in and then log out, the failed login counter resets to zero so you will see new failed login details, if any, the next time you log in.
4. Locate hosts that are continually attempting to log in to your firewall or Panorama management server.
a. Click the failed login caution symbol to view the failed login attempts summary.
b. Locate and record the source IP address of the host that attempted to log in. For example, the following figure shows multiple failed login attempts from the IP address 192.168.2.10.
c. Work with your network administrator to locate the user and host that is using the IP address that you identified.
If you cannot locate the system that is performing the brute-force attack, consider renaming the account to prevent future attacks.
Use the following best practices to help prevent brute-force attacks on privileged accounts.
• Limit the number of failed attempts allowed before the firewall locks a privileged account by setting the number of Failed Attempts and the Lockout Time (min) in the authentication profile or in the Authentication Settings for the Management interface (Device > Setup > Management > Authentication Settings).
• Use Interface Management Profiles to Restrict Access.
• Enforce complex passwords for privileged accounts.
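As an added example (not firewall code), the following Python models the indicator and lockout behaviour described above over constructed admin-login log lines: failures since the last successful login, the source IPs behind repeated failures, and a Failed Attempts / Lockout Time (min) policy. The log line format is invented for the example and is not the firewall's system log schema.

```python
"""Failed-login indicator and lockout model over constructed log lines.

Added example, not PAN-OS code. The line format
"<ISO timestamp> <failed|success> user=<name> src=<ip> [reason=<text>]"
is constructed for illustration only.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: one account probed from 192.168.2.10, one stray failure.
SAMPLE_LOG = """\
2016-05-19T08:00:00 failed user=admin src=192.168.2.10 reason=invalid-password
2016-05-19T08:00:05 failed user=admin src=192.168.2.10 reason=invalid-password
2016-05-19T08:00:09 failed user=admin src=192.168.2.10 reason=invalid-password
2016-05-19T08:00:20 success user=admin src=10.1.1.5
2016-05-19T08:30:00 failed user=admin src=192.168.2.10 reason=invalid-password
2016-05-19T08:30:02 failed user=admin src=192.168.2.10 reason=invalid-password
2016-05-19T08:31:00 failed user=ops1 src=10.1.1.7 reason=invalid-password
"""


@dataclass
class LoginEvent:
    when: datetime
    ok: bool
    user: str
    src: str
    reason: str = ""


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed log format into events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(LoginEvent(datetime.fromisoformat(ts), result == "success",
                                 kv["user"], kv["src"], kv.get("reason", "")))
    return events


def failed_since_last_success(events: List[LoginEvent], user: str) -> List[LoginEvent]:
    """What the caution symbol summarises: failures for `user` after the most
    recent successful login (the counter resets on a successful login)."""
    pending: List[LoginEvent] = []
    for ev in events:
        if ev.user != user:
            continue
        pending = [] if ev.ok else pending + [ev]
    return pending


def sources_by_failure_count(events: List[LoginEvent]) -> Counter:
    """Source IPs ranked by failed attempts, to locate hosts that keep trying
    to log in (step 4 of the procedure above)."""
    return Counter(ev.src for ev in events if not ev.ok)


def locked_out_accounts(events: List[LoginEvent], failed_attempts: int,
                        lockout_minutes: int) -> Dict[str, datetime]:
    """Apply a Failed Attempts / Lockout Time policy to the event stream.

    Once an account reaches `failed_attempts` consecutive failures it is locked
    until the time of that failure plus `lockout_minutes`; attempts made during
    the lockout (even with the right password) are rejected and do not reset
    the streak. Returns account -> lock expiry for accounts that were locked.
    """
    streak: Dict[str, int] = defaultdict(int)
    locked: Dict[str, datetime] = {}
    for ev in events:
        expiry = locked.get(ev.user)
        if expiry is not None and ev.when < expiry:
            continue  # rejected while locked out
        if ev.ok:
            streak[ev.user] = 0
        else:
            streak[ev.user] += 1
            if streak[ev.user] >= failed_attempts:
                locked[ev.user] = ev.when + timedelta(minutes=lockout_minutes)
                streak[ev.user] = 0
    return locked


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed since last success (admin):", len(failed_since_last_success(evs, "admin")))
    print("top source:", sources_by_failure_count(evs).most_common(1))
    print("locked:", locked_out_accounts(evs, failed_attempts=3, lockout_minutes=30))
```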
Manage and Monitor Administrative Tasks
The Task Manager displays details about all the operations that you and other administrators initiated (such as manual commits) or that the firewall initiated (such as scheduled report generation) since the last firewall reboot. You can use the Task Manager to troubleshoot failed operations, investigate warnings associated with completed commits, view details about queued commits, or cancel pending commits.
You can also view System Logs to monitor system events on the firewall or view Config Logs to monitor firewall configuration changes.
Manage and Monitor Administrative Tasks
Step 1 Click Tasks at the bottom of the web interface.
Step 2 Show only Running tasks (in progress) or All tasks (default). Optionally, filter the tasks by type:
• Jobs: Administrator-initiated commits, firewall-initiated commits, and software or content downloads and installations.
• Reports: Scheduled reports.
• Log Requests: Log queries that you trigger by accessing the Dashboard or a Monitor page.
Step 3 Perform any of the following actions:
• Display or hide task details: By default, the Task Manager displays the Type, Status, Start Time, and Messages for each task. To see the End Time and Job ID for a task, you must manually configure the display to expose those columns. To display or hide a column, open the drop-down in any column header, select Columns, and select or deselect the column names as needed.
• Investigate warnings or failures: Read the entries in the Messages column for task details. If the column says Too many messages, click the corresponding entry in the Type column to see more information.
• Display a commit description: If an administrator entered a description when configuring a commit, you can click Commit Description in the Messages column to display the description.
• Check the position of a commit in the queue: The Messages column indicates the queue position of commits that are in progress.
• Cancel pending commits: Click Clear Commit Queue to cancel all pending commits (available only to predefined administrative roles). To cancel an individual commit, click x in the Action column for that commit (the commit remains in the queue until the firewall dequeues it). You cannot cancel commits that are in progress.
Commit, Validate, and Preview Firewall Configuration Changes
A commit is the process of activating changes that you made to the firewall configuration. The firewall queues commit operations in the order you and other administrators initiate them. If the queue already has the maximum number of commits (which varies by platform), you must wait for the firewall to process a pending commit before initiating a new commit. To cancel pending commits or view details about commits of any status, see Manage and Monitor Administrative Tasks. To check which changes a commit will activate, you can run a commit preview.
For details on candidate and running configurations, see Manage Configuration Backups.
To prevent multiple administrators from making configuration changes during concurrent sessions, see Manage Locks for Restricting Configuration Changes.
When you initiate a commit, the firewall checks the validity of the changes before activating them. The validation output displays conditions that either block the commit (errors) or that are important to know but that do not block the commit (warnings). For example, validation could indicate an invalid route destination that you need to fix for the commit to succeed. To identify and fix configuration errors before initiating a commit, you can validate changes without committing. A pre-commit validation displays the same errors and warnings as a commit, including reference errors, rule shadowing, and application dependency warnings. Pre-commit validations are useful if your organization allows commits only within certain time windows; you can find and fix errors to avoid failures that could cause you to miss a commit window.
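Rule shadowing is one of the warnings the validation reports. As an added example (not PAN-OS code), the following Python runs the same kind of check over a constructed, simplified rulebase: a later rule is shadowed when an earlier rule's match fields cover every value it could match, so traffic can never reach it. The rule model (zones, addresses, applications and services as plain name sets or "any") is a simplification; the firewall's own check also understands address objects, negation, users and other match criteria.

```python
"""Rule-shadowing check of the kind a pre-commit validation reports as a warning.

Added example, not PAN-OS code. Each match field is either the string "any" or
a frozenset of names; a rule is shadowed when an earlier rule covers all of its
fields. Action is irrelevant: an unreachable rule is a defect either way.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union

Match = Union[str, FrozenSet[str]]  # "any" or a set of zone/address/app/service names

FIELDS = ("from_zone", "to_zone", "source", "destination", "application", "service")


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: Match
    to_zone: Match
    source: Match
    destination: Match
    application: Match
    service: Match
    action: str  # "allow" or "deny"


def covers(outer: Match, inner: Match) -> bool:
    """True when every value the inner field can match is also matched by outer."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return inner <= outer


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowing_rule, shadowed_rule) pairs for a top-down rulebase.

    Only earlier rules can shadow later ones, because the first matching rule
    wins. Each shadowed rule is reported once, against the first rule that
    shadows it.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(getattr(earlier, f), getattr(later, f)) for f in FIELDS):
                found.append((earlier.name, later.name))
                break
    return found


def s(*names: str) -> FrozenSet[str]:
    """Shorthand for building a match set."""
    return frozenset(names)


# Constructed sample rulebase; rule, zone, address and application names are invented.
SAMPLE_RULES = [
    Rule("allow-web", s("trust"), s("untrust"), "any", "any",
         s("web-browsing", "ssl"), s("application-default"), "allow"),
    Rule("allow-dns", s("trust"), s("untrust"), "any", s("dns-servers"),
         s("dns"), s("application-default"), "allow"),
    # Shadowed: allow-web already matches everything this rule could match,
    # so the intended deny for guests never takes effect.
    Rule("block-social", s("trust"), s("untrust"), s("guests"), "any",
         s("web-browsing"), s("application-default"), "deny"),
    # Not shadowed: smtp is outside allow-web's application set.
    Rule("allow-mail", s("trust"), s("untrust"), s("mail-relay"), "any",
         s("smtp", "ssl"), "any", "allow"),
    Rule("block-all", "any", "any", "any", "any", "any", "any", "deny"),
    # Shadowed by the catch-all deny above: anything placed after it is unreachable.
    Rule("allow-late", s("trust"), s("untrust"), "any", "any", s("ssl"), "any", "allow"),
]


if __name__ == "__main__":
    for shadowing, shadowed in find_shadowed(SAMPLE_RULES):
        print(f"warning: rule '{shadowed}' is shadowed by rule '{shadowing}'")
```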
Preview, Validate, or Commit Firewall Configuration Changes
Use Global Find to Search the Firewall or Panorama Management Server
Global Find enables you to search the candidate configuration on a firewall or on Panorama for a particular string, such as an IP address, object name, policy rule name, threat ID, or application name. The search results are grouped by category and provide links to the configuration location in the web interface, so that you can easily find all of the places where the string is referenced. The search results also help you identify other objects that depend on or make reference to the search term or string. For example, when deprecating a security profile, enter the profile name in Global Find to locate all instances of the profile and then click each instance to navigate to the configuration page and make the necessary change. After all references are removed, you can then delete the profile. You can do this for any configuration item that has dependencies.
Global Find will not search dynamic content (such as logs, address ranges, or allocated DHCP addresses). In the case of DHCP, you can search on a DHCP server attribute, such as the DNS entry, but you cannot search for individual addresses allocated to users. Global Find also does not search for individual user or group names identified by User-ID unless the user/group is defined in a policy. In general, you can only search content that the firewall writes to the configuration.
Use Global Find
• Launch Global Find by clicking the Search icon located on the upper right of the web interface.
• To access the Global Find from within a configuration area, click the drop-down next to an item and select Global Find:
For example, click Global Find on a zone named l3-vlan-trust to search the candidate configuration for each location where the zone is referenced. The following screen capture shows the search results for the zone l3-vlan-trust:
Search tips:
• If you initiate a search on a firewall that has multiple virtual systems enabled or if custom Administrative Roles are defined, Global Find will only return results for areas of the firewall in which the administrator has permissions. The same applies to Panorama device groups.
• Spaces in search terms are handled as AND operations. For example, if you search on corp policy, the search results include instances where corp and policy exist in the configuration.
• To find an exact phrase, enclose the phrase in quotation marks.
• To rerun a previous search, click Search (located on the upper right of the web interface) to see a list of the last 20 searches. Click an item in the list to rerun that search. Search history is unique to each administrator account.
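As an added example (not the firewall's implementation), the following Python applies the search rules described above to an XML candidate configuration: space-separated terms are ANDed, a double-quoted phrase is matched exactly, and each hit is reported with its configuration path, which is how a zone such as l3-vlan-trust can be traced to every policy rule that references it. The configuration document is constructed and simplified; it is not a real running-config.xml.

```python
"""Global Find search semantics over a candidate configuration XML document.

Added example, not PAN-OS code. Terms separated by spaces must all occur in an
element's text or attributes (AND); a double-quoted phrase is one exact term.
"""
import shlex
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed, simplified candidate configuration (not a real running-config.xml).
SAMPLE_CONFIG = """\
<config>
  <network>
    <zone><entry name="l3-vlan-trust"/><entry name="l3-untrust"/></zone>
  </network>
  <policy>
    <rules>
      <entry name="corp policy web">
        <from><member>l3-vlan-trust</member></from>
        <to><member>l3-untrust</member></to>
        <action>allow</action>
      </entry>
      <entry name="corp-dns">
        <from><member>l3-vlan-trust</member></from>
        <description>policy for corp resolvers</description>
      </entry>
    </rules>
  </policy>
</config>
"""


def parse_query(query: str) -> List[str]:
    """Split the query on spaces (AND terms); a double-quoted phrase stays one term."""
    return [term.casefold() for term in shlex.split(query)]


def element_text(el: ET.Element) -> str:
    """The searchable text of one element: its attribute values plus its own text."""
    parts = list(el.attrib.values())
    if el.text and el.text.strip():
        parts.append(el.text.strip())
    return " ".join(parts).casefold()


def global_find(config_xml: str, query: str) -> List[Tuple[str, str]]:
    """Return (configuration_path, matched_text) for every element whose own
    text or attributes contain all query terms. Paths show entry names in
    brackets so a hit can be located in the configuration hierarchy."""
    terms = parse_query(query)
    root = ET.fromstring(config_xml)
    results: List[Tuple[str, str]] = []

    def walk(el: ET.Element, path: str) -> None:
        name = el.attrib.get("name")
        here = f"{path}/{el.tag}" + (f"[{name}]" if name else "")
        text = element_text(el)
        if text and all(term in text for term in terms):
            results.append((here, text))
        for child in el:
            walk(child, here)

    walk(root, "")
    return results


if __name__ == "__main__":
    for query in ("l3-vlan-trust", "corp policy", '"corp policy"'):
        print(f"search {query!r}:")
        for path, text in global_find(SAMPLE_CONFIG, query):
            print(f"  {path}: {text}")
```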
Manage Locks for Restricting Configuration Changes
Locking the candidate or running configuration prevents other administrators from changing the configuration until you manually remove the lock, a superuser removes the lock, or the firewall automatically removes it (after a commit). Locks ensure that administrators don't make conflicting changes to the same settings or interdependent settings during concurrent login sessions.
The firewall queues commit requests and performs them in the order that administrators initiate the commits. For details, see Commit, Validate, and Preview Firewall Configuration Changes. To view the status of queued commits, see Manage and Monitor Administrative Tasks.
Manage Locks for Restricting Configuration Changes
Lock a configuration.
1. Click the lock at the top of the web interface. The lock image varies based on whether existing locks are or are not set.
2. Take a Lock and select the lock Type:
• Config: Blocks other administrators from changing the candidate configuration.
• Commit: Blocks other administrators from changing the running configuration.
3. (Firewall with multiple virtual systems only) Select a Location to lock the configuration for a specific virtual system or the Shared location.
4. (Optional) As a best practice, enter a Comment so that other administrators will understand the reason for the lock.
5. Click OK and Close.
Manage Configuration Backups
The running configuration comprises all settings you have committed and that are therefore active, such as policy rules that currently block or allow various types of traffic in your network. The candidate configuration is a copy of the running configuration plus any inactive changes that you made after the last commit. Backing up versions of the running or candidate configuration enables you to later restore those versions on the firewall. For example, if a commit validation shows that the current candidate configuration has more errors than you are able or have time to fix, then you can restore a previous candidate configuration or revert to the running configuration.
See Commit, Validate, and Preview Firewall Configuration Changes for related information.
Back Up a Configuration
Restore a Configuration
Back Up a Configuration
Creating configuration backups enables you to later Restore a Configuration. This is useful when you want to revert the firewall to all the settings of an earlier configuration because you can perform the restoration as a single operation instead of manually reconfiguring each setting in the current configuration. You can either save backups locally on the firewall or export backups to an external host.
When you commit changes, the firewall automatically saves a new version of the running configuration. If a system event or administrator action causes the firewall to reboot, it automatically reverts to the current version of the running configuration, which the firewall stores in a file named running-config.xml. However, the firewall does not automatically save a backup of the candidate configuration; you must manually save a backup of the candidate configuration as a snapshot file using either the default name (.snapshot.xml) or a custom name.
When you edit a setting and click OK, the firewall updates the candidate configuration but does not save a backup snapshot.
Additionally, saving changes does not activate them. To activate changes, perform a commit (see Commit, Validate, and Preview Firewall Configuration Changes).
As a best practice, back up any important configuration to a host external to the firewall.
Back Up a Configuration
Restore a Configuration
Restoring a firewall configuration overwrites the current candidate configuration with another configuration. This is useful when you want to revert all firewall settings used in an earlier configuration; you can perform this restoration as a single operation instead of manually reconfiguring each setting in the current configuration.
The firewall automatically saves a new version of the running configuration whenever you commit changes and you can restore any of those versions. However, you must manually save a candidate configuration to later restore it (see Back Up a Configuration).
Restore a Configuration
Restore state information that you exported from a firewall.
Besides the running configuration, the state information includes device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the information also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.
Import state information:
1. Select Device > Setup > Operations, click Import device state, Browse to the state bundle, and click OK.
2. (Optional) Click Commit to apply the imported state information to the running configuration.
Manage Firewall Administrators
Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default administrative account (admin) that provides full read-write access (also known as superuser access) to the firewall.
As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of the firewall. This enables you to better protect the firewall from unauthorized configuration and enables logging of the actions of individual administrators.
Administrative Roles
Administrative Authentication
Configure Administrative Accounts and Authentication
Administrative Roles
A role defines the type of access that an administrator has to the firewall.
Administrative Role Types
Configure an Admin Role Profile
Administrative Role Types
The role types are:
• Dynamic Roles: These are built-in roles that provide access to the firewall. When new features are added, the firewall automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.
Dynamic Role: Privileges
Superuser: Full access to the firewall, including defining new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
Superuser (read-only): Read-only access to the firewall.
Virtual system administrator: Full access to a selected virtual system (vsys) on the firewall.
Virtual system administrator (read-only): Read-only access to a selected vsys on the firewall.
Device administrator: Full access to all firewall settings except for defining new accounts or virtual systems.
Device administrator (read-only): Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
• Admin Role Profiles: Custom roles you can configure for more granular access control over the functional areas of the web interface, CLI, and XML API. For example, you can create an Admin Role profile for your operations staff that provides access to the firewall and network configuration areas of the web interface and a separate profile for your security administrators that provides access to security policy definitions, logs, and reports. On a multi-vsys firewall, you can select whether the role defines access for all virtual systems or for a specific vsys. When new features are added to the product, you must update the roles with corresponding access privileges: the firewall does not automatically add new features to custom role definitions. For details on the privileges you can configure for custom administrator roles, see Reference: Web Interface Administrator Access.
Configure an Admin Role Profile
Admin Role profiles enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users.
As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces that they need to access to perform their jobs.
Configure an Admin Role Profile
Step 2 Enter a Name to identify the role.
Step 6 Click OK to save the profile.
Step 7 Assign the role to an administrator. See Configure an Administrative Account.
Administrative Authentication
You can configure the following types of administrator authentication:
Configure Administrative Accounts and Authentication
If you have already configured Administrative Roles and external authentication services (if applicable), you can Configure an Administrative Account. Otherwise, perform one of the other procedures listed below to configure administrative accounts for specific types of authentication.
Administrative accounts specify how administrators authenticate to the firewall. To configure how the firewall authenticates to administrators, see Replace the Certificate for Inbound Management Traffic.
Configure an Administrative Account
Configure Kerberos SSO and External or Local Authentication for Administrators
Configure Certificate-Based Administrator Authentication to the Web Interface
Configure SSH Key-Based Administrator Authentication to the CLI
Configure RADIUS Vendor-Specific Attributes for Administrator Authentication
Configure an Administrative Account
Administrative accounts specify roles and authentication methods for the administrators of Palo Alto Networks firewalls.
Configure an Administrative Account
Configure Kerberos SSO and External or Local Authentication for Administrators
You can configure the firewall to first try Kerberos single sign-on (SSO) authentication and, if that fails, fall back to External service or Local database authentication.
Configure Kerberos SSO and External or Local Authentication for Administrators
Configure Certificate-Based Administrator Authentication to the Web Interface
As a more secure alternative to password-based authentication to the web interface of a Palo Alto Networks firewall, you can configure certificate-based authentication for administrator accounts that are local to the firewall. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on the firewall; administrators thereafter require the certificate to log in.
Configure Certificate-Based Administrator Authentication to the Web Interface
Configure SSH Key-Based Administrator Authentication to the CLI
For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of brute-force attacks, provide the option for two-factor authentication (key and passphrase), and don't send passwords over the network. SSH keys also enable automated scripts to access the CLI.
Configure SSH Key-Based Administrator Authentication to the CLI
Configure RADIUS Vendor-Specific Attributes for Administrator Authentication
The following procedure provides an overview of the tasks required to use RADIUS Vendor-Specific Attributes (VSAs) for administrator authentication to Palo Alto Networks firewalls. For detailed instructions, refer to the following Knowledge Base articles:
• For Windows 2003 Server, Windows 2008 (and later), and Cisco ACS 4.0: RADIUS Vendor-Specific Attributes (VSAs)
• For Cisco ACS 5.2: Configuring Cisco ACS 5.2 for use with Palo Alto VSA
Before starting this procedure, you must:
• Create the administrative accounts in the directory service that your network uses (for example, Active Directory).
• Set up a RADIUS server that can communicate with that directory service.
Use RADIUS Vendor-Specific Attributes for Account Authentication
Reference: Web Interface Administrator Access
You can configure privileges for an entire firewall or for one or more virtual systems (on platforms that support multiple virtual systems). Within that Device or Virtual System designation, you can configure privileges for custom administrator roles, which are more granular than the fixed privileges associated with a dynamic administrator role.
Configuring privileges at a granular level ensures that lower-level administrators cannot access certain information. You can create custom roles for firewall administrators (see Configure an Administrative Account), Panorama administrators, or Device Group and Template administrators (refer to the Panorama Administrator's Guide). You apply the admin role to a custom role-based administrator account where you can assign one or more virtual systems. The following topics describe the privileges you can configure for custom administrator roles.
Web Interface Access Privileges
Panorama Web Interface Access
Web Interface Access Privileges
If you want to prevent a role-based administrator from accessing specific tabs on the web interface, you can disable the tab and the administrator will not even see it when logging in using the associated role-based administrative account. For example, you could create an Admin Role Profile for your operations staff that provides access to the Device and Network tabs only and a separate profile for your security administrators that provides access to the Object, Policy, and Monitor tabs.
An admin role can apply at the Device level or Virtual System level; the choice is made in the Admin Role Profile by clicking the Device or Virtual System radio button. If the Virtual System button is selected, the admin assigned this profile is restricted to the virtual system(s) he or she is assigned to. Furthermore, only the Device > Setup > Services > Virtual Systems tab is available to that admin, not the Global tab.
The following table describes the tab-level access privileges you can assign to the admin role profile at the Device level. It also provides cross-references to additional tables that detail granular privileges within a tab.
You can also configure an Admin Role profile to:
• Define User Privacy Settings in the Administrator Role Profile
• Restrict Administrator Access to Commit Functions
• Restrict Administrator Access to Validate Functions
• Provide Granular Access to Global Settings
Provide Granular Access to the Monitor Tab
In some cases you might want to enable the administrator to view some but not all areas of the Monitor tab. For example, you might want to restrict operations administrators to the Config and System logs only, because they do not contain sensitive user data. Although this section of the administrator role definition specifies what areas of the Monitor tab the administrator can see, you can also couple privileges in this section with privacy privileges, such as disabling the ability to see user names in logs and reports. One thing to keep in mind, however, is that any system-generated reports will still show user names and IP addresses even if you disable that functionality in the role. For this reason, if you do not want the administrator to see any of the private user information, disable access to the specific reports as detailed in the following table.
The following table lists the Monitor tab access levels and the administrator roles for which they are available.
Device Group and Template roles can see log data only for the device groups that are within the access domains assigned to those roles.
Provide Granular Access to the Policy Tab
If you enable the Policy option in the Admin Role profile, you can then enable, disable, or provide read-only access to specific nodes within the tab as necessary for the role you are defining. By enabling access to a specific policy type, you enable the ability to view, add, or delete policy rules. By enabling read-only access to a specific policy, you enable the administrator to view the corresponding policy rulebase, but not add or delete rules. Disabling access to a specific type of policy prevents the administrator from seeing the policy rulebase.
Because policy that is based on specific users (by user name or IP address) must be explicitly defined, privacy settings that disable the ability to see full IP addresses or user names do not apply to the Policy tab. Therefore, you should only allow access to the Policy tab to administrators that are excluded from user privacy restrictions.
Provide Granular Access to the Objects Tab
An object is a container that groups specific policy filter values such as IP addresses, URLs, applications, or services for simplified rule definition. For example, an address object might contain specific IP address definitions for the web and application servers in your DMZ zone.
When deciding whether to allow access to the Objects tab as a whole, determine whether the administrator will have policy definition responsibilities. If not, the administrator probably does not need access to the tab. If, however, the administrator will need to create policy, you can enable access to the tab and then provide granular access privileges at the node level.
By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding object type. Giving read-only access allows the administrator to view the already defined objects, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
Provide Granular Access to the Network Tab
When deciding whether to allow access to the Network tab as a whole, determine whether the administrator will have network administration responsibilities, including GlobalProtect administration. If not, the administrator probably does not need access to the tab.
You can also define access to the Network tab at the node level. By enabling access to a specific node, you give the administrator the privilege to view, add, and delete the corresponding network configurations. Giving read-only access allows the administrator to view the already defined configuration, but not create or delete any. Disabling a node prevents the administrator from seeing the node in the web interface.
Provide Granular Access to the Device Tab
HIP Match: Controls access to the Log Settings > HIP Match node. If you disable this privilege, the administrator will not see the Log Settings > HIP Match node or be able to specify the Host Information Profile (HIP) match log settings that are used to provide information on security rules that apply to GlobalProtect clients. If you set this privilege to read-only, the administrator can view the Log Settings > HIP configuration for the firewall but is not allowed to create or edit a configuration. Role availability: Yes Yes Yes
Users: Controls access to the Local User Database > Users node. If you disable this privilege, the administrator will not see the Local User Database > Users node or set up a local database on the firewall to store authentication information for remote access users, firewall administrators, and captive portal users. If you set this privilege to read-only, the administrator can view the Local User Database > Users information but cannot set up a local database on the firewall to store authentication information. Role availability: Yes Yes Yes
Define User Privacy Settings in the Administrator Role Profile
Restrict Administrator Access to Commit Functions
Restrict Administrator Access to Validate Functions
Provide Granular Access to Global Settings
Provide Granular Access to the Panorama Tab
The following table lists the Panorama tab access levels and the custom Panorama administrator roles for which they are available. Firewall administrators cannot access any of these privileges.
Panorama Web Interface Access
The custom Panorama administrator roles allow you to define access to the options on Panorama and the ability to only allow access to Device Groups and Templates (Policies, Objects, Network, Device tabs).
Reference: Port Number Usage
The following tables list the ports that firewalls and Panorama use to communicate with each other, or with other services on the network.
Ports Used for Management Functions
Ports Used for HA
Ports Used for Panorama
Ports Used for User-ID
Ports Used for Management Functions
22 TCP: Used for communication from a client system to the firewall CLI interface.
80 TCP: The port the firewall listens on for Online Certificate Status Protocol (OCSP) updates when acting as an OCSP responder.
Ports Used for HA
Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.
28 TCP: Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.
99 IP / 29281 UDP: Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default. The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
Ports Used for Panorama
22 TCP: Used for communication from a client system to the Panorama CLI interface.
49160 (5.0 and earlier) TCP
28 TCP: Used for the HA connectivity and synchronization between Panorama HA peers using encrypted communication (SSH over TCP). Communication can be initiated by either peer.
Ports Used for User-ID
User-ID is a feature that enables mapping of user IP addresses to user names and group memberships, enabling user- or group-based policy and visibility into user activity on your network (for example, to be able to quickly track down a user who may be the victim of a threat). To perform this mapping, the firewall, the User-ID agent (either installed on a Windows-based system or the PAN-OS integrated agent running on the firewall), and/or the Terminal Services agent must be able to connect to directory services on your network to perform Group Mapping and User Mapping. Additionally, if the agents are running on systems external to the firewall, they must be able to connect to the firewall to communicate the IP address-to-user name mappings to the firewall. The following table lists the communication requirements for User-ID along with the port numbers required to establish connections.
88 UDP/TCP: Port the User-ID agent uses to authenticate to a Kerberos server. The firewall tries UDP first and falls back to TCP.
49 TCP: Port the User-ID agent uses to authenticate to a TACACS+ server.
Reset the Firewall to Factory Default Settings
Resetting the firewall to factory defaults will result in the loss of all configuration settings and logs.
Bootstrap the Firewall
Bootstrapping speeds up the process of configuring and licensing the firewall to make it operational on the network with or without Internet access. Bootstrapping allows you to choose whether to configure the firewall with a basic configuration file (init-cfg.txt) so that it can connect to Panorama and obtain the complete configuration, or to fully configure the firewall with the basic configuration and the optional bootstrap.xml file.
USB Flash Drive Support
Sample init-cfg.txt Files
Prepare a USB Flash Drive for Bootstrapping a Firewall
Bootstrap a Firewall Using a USB Flash Drive
USB Flash Drive Support
The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the following:
File Allocation Table 32 (FAT32)
Third Extended File System (ext3)
The firewall can bootstrap from the following flash drives with USB 2.0 or USB 3.0 connectivity:
USB Flash Drives Supported
Kingston: Kingston SE9 8GB (2.0); Kingston SE9 16GB (3.0); Kingston SE9 32GB (3.0)
SanDisk: SanDisk Cruzer Fit CZ33 8GB (2.0); SanDisk Cruzer Fit CZ33 16GB (2.0); SanDisk Cruzer CZ36 16GB (2.0); SanDisk Cruzer CZ36 32GB (2.0); SanDisk Extreme CZ80 32GB (3.0)
Silicon Power: Silicon Power Jewel 32GB (3.0); Silicon Power Blaze 16GB (3.0)
PNY: PNY Attache 16GB (2.0); PNY Turbo 32GB (3.0)
Sample init-cfg.txt Files
An init-cfg.txt file is required for the bootstrap process; this file is a basic configuration file that you create using a text editor. You create this file in Step 5 of Prepare a USB Flash Drive for Bootstrapping a Firewall.
The following sample init-cfg.txt files show the parameters that are supported in the file; the parameters that you must provide are marked (Required) in the table of fields that follows the samples.
Sample init-cfg.txt (Static IP Address):
type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
ipv6-address=2001:400:f00::1/64
ipv6-default-gateway=2001:400:f00::2
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=multi-vsys,jumbo-frame
dhcp-send-hostname=no
dhcp-send-client-id=no
dhcp-accept-server-hostname=no
dhcp-accept-server-domain=no

Sample init-cfg.txt (DHCP Client):
type=dhcp-client
ip-address=
default-gateway=
netmask=
ipv6-address=
ipv6-default-gateway=
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=multi-vsys,jumbo-frame
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes
The following table describes the fields in the init-cfg.txt file. The type is required; if the type is static, the IP address, default gateway and netmask are required, or the IPv6 address and IPv6 default gateway are required.
Fields in the init-cfg.txt File
Field: Description
type: (Required) Type of management IP address: static or dhcp-client.
ip-address: (Required for IPv4 static management address) IPv4 address. The firewall ignores this field if the type is dhcp-client.
default-gateway: (Required for IPv4 static management address) IPv4 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.
netmask: (Required for IPv4 static management address) IPv4 netmask. The firewall ignores this field if the type is dhcp-client.
ipv6-address: (Required for IPv6 static management address) IPv6 address and /prefix length of the management interface. The firewall ignores this field if the type is dhcp-client.
ipv6-default-gateway: (Required for IPv6 static management address) IPv6 default gateway for the management interface. The firewall ignores this field if the type is dhcp-client.
hostname: (Optional) Hostname for the firewall.
panorama-server: (Recommended) IPv4 or IPv6 address of the primary Panorama server.
panorama-server-2: (Optional) IPv4 or IPv6 address of the secondary Panorama server.
tplname: (Recommended) Panorama template name.
dgname: (Recommended) Panorama device group name.
dns-primary: (Optional) IPv4 or IPv6 address of the primary DNS server.
dns-secondary: (Optional) IPv4 or IPv6 address of the secondary DNS server.
vm-auth-key: (VM-Series firewalls only) Virtual machine authentication key.
op-command-modes: (Optional) Enter multi-vsys, jumbo-frame, or both separated by a comma only. Enables multiple virtual systems and jumbo frames while bootstrapping.
dhcp-send-hostname: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server.
dhcp-send-client-id: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server.
dhcp-accept-server-hostname: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server.
dhcp-accept-server-domain: (DHCP client type only) The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server.
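As an added example (not code from the guide or from Palo Alto Networks), the following Python checks an init-cfg.txt file against the field rules in the table above: the type requirement, the static IPv4-or-IPv6 requirement, fields the firewall ignores for dhcp-client, the yes/no DHCP values, the two op-command-modes keywords and the Recommended Panorama fields. The sample file it embeds is constructed.

```python
"""Check a PAN-OS bootstrap init-cfg.txt against the field rules in this
section. Added example, not Palo Alto Networks code; SAMPLE is constructed."""
import ipaddress

KNOWN_FIELDS = {
    "type", "ip-address", "default-gateway", "netmask", "ipv6-address",
    "ipv6-default-gateway", "hostname", "panorama-server",
    "panorama-server-2", "tplname", "dgname", "dns-primary", "dns-secondary",
    "vm-auth-key", "op-command-modes", "dhcp-send-hostname",
    "dhcp-send-client-id", "dhcp-accept-server-hostname",
    "dhcp-accept-server-domain",
}
DHCP_FIELDS = {k for k in KNOWN_FIELDS if k.startswith("dhcp-")}
STATIC_FIELDS = ("ip-address", "default-gateway", "netmask",
                 "ipv6-address", "ipv6-default-gateway")
OP_MODES = {"multi-vsys", "jumbo-frame"}
ADDRESS_FIELDS = ("panorama-server", "panorama-server-2",
                  "dns-primary", "dns-secondary")


def parse_init_cfg(text):
    """Parse key=value lines; blank values are kept so the checks see them."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a key=value line: {line!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def _is_ip(value, version=None):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return version is None or addr.version == version


def _is_ipv6_with_prefix(value):
    try:
        ipaddress.IPv6Interface(value)
    except ValueError:
        return False
    return "/" in value


def validate_init_cfg(cfg):
    """Return (errors, warnings): errors block a usable bootstrap, warnings
    flag ignored fields and missing Recommended fields."""
    errors, warnings = [], []
    errors += [f"unknown field: {k}" for k in cfg if k not in KNOWN_FIELDS]
    kind = cfg.get("type")
    if kind not in ("static", "dhcp-client"):
        errors.append("type is required and must be static or dhcp-client")
        return errors, warnings
    if kind == "static":
        v4_ok = all(_is_ip(cfg.get(k, ""), 4)
                    for k in ("ip-address", "default-gateway", "netmask"))
        v6_ok = (_is_ipv6_with_prefix(cfg.get("ipv6-address", ""))
                 and _is_ip(cfg.get("ipv6-default-gateway", ""), 6))
        if not (v4_ok or v6_ok):
            errors.append("static type needs ip-address, default-gateway and "
                          "netmask, or ipv6-address/prefix and "
                          "ipv6-default-gateway")
        warnings += [f"{k} only applies to type=dhcp-client"
                     for k in sorted(DHCP_FIELDS.intersection(cfg))]
    else:
        # The firewall ignores the static addressing fields for dhcp-client.
        warnings += [f"{k} is ignored when type=dhcp-client"
                     for k in STATIC_FIELDS if cfg.get(k)]
        errors += [f"{k} must be yes or no"
                   for k in sorted(DHCP_FIELDS.intersection(cfg))
                   if cfg[k] not in ("yes", "no")]
    modes = set(filter(None, cfg.get("op-command-modes", "").split(",")))
    if modes - OP_MODES:
        errors.append(f"op-command-modes: unsupported {sorted(modes - OP_MODES)}")
    for k in ADDRESS_FIELDS:
        if cfg.get(k) and not _is_ip(cfg[k]):
            errors.append(f"{k} must be an IPv4 or IPv6 address")
    warnings += [f"{k} is recommended so Panorama can push the configuration"
                 for k in ("panorama-server", "tplname", "dgname")
                 if not cfg.get(k)]
    return errors, warnings


# Constructed sample: the guide's static example with the netmask left blank
# and a misspelled op-command-modes value, so both kinds of finding appear.
SAMPLE = """type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=
hostname=Ca-FW-DC1
panorama-server=10.5.107.20
op-command-modes=multi-vsys,jumboframe
dhcp-send-hostname=no
"""

if __name__ == "__main__":
    errs, warns = validate_init_cfg(parse_init_cfg(SAMPLE))
    print("errors:", errs)
    print("warnings:", warns)
```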
Prepare a USB Flash Drive for Bootstrapping a Firewall
You can use a USB flash drive to bootstrap a physical firewall. However, to do so you must upgrade to PAN-OS 7.1 and Reset the Firewall to Factory Default Settings. For security reasons, you can bootstrap a firewall only when it is in factory default state or has all private data deleted.
Prepare a USB Flash Drive for Bootstrapping a Firewall
Step 1 Obtain serial numbers (S/Ns) and auth codes for support subscriptions from your order fulfillment email.
Bootstrap a Firewall Using a USB Flash Drive
After you receive a new Palo Alto Networks firewall and a USB flash drive loaded with bootstrap files, you can bootstrap the firewall.
Microsoft Windows and Apple Mac operating systems are unable to read the bootstrap USB flash drive because the drive is formatted using an ext4 file system. You must install third-party software or use a Linux system to read the USB drive.
Bootstrap a Firewall Using a USB Flash Drive
Step 1 The firewall must be in a factory default state or must have all private data deleted.
Step 2 To ensure connectivity with your corporate headquarters, cable the firewall by connecting the management interface (MGT) using an Ethernet cable to one of the following:
An upstream modem
A port on the switch or router
An Ethernet jack in the wall
Step 3 Insert the USB flash drive into the USB port on the firewall and power on the firewall. The factory default firewall bootstraps itself from the USB flash drive.
The firewall Status light turns from yellow to green when the firewall is configured; autocommit is successful.
Step 4 Verify bootstrap completion. You can see basic status logs on the console during the bootstrap and you can verify that the process is complete.
1. If you included Panorama values (panorama-server, tplname, and dgname) in your init-cfg.txt file, check Panorama managed devices, device group, and template name.
2. Verify the general system settings and configuration by accessing the web interface and selecting Dashboard > Widgets > System or by using the CLI operational commands show system info and show config running.
3. Verify the license installation by selecting Device > Licenses or by using the CLI operational command request license info.
4. If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.
Configure an Authentication Profile and Sequence
An authentication profile defines the authentication service that validates the login credentials of an administrator account that is local to the firewall or Panorama. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).
Some networks have multiple databases for different users and user groups. To authenticate to multiple authentication sources (for example, local database and LDAP), configure an authentication sequence. An authentication sequence is a ranked order of authentication profiles that the firewall or Panorama matches an administrator against during login. The firewall or Panorama checks against each profile in sequence until one successfully authenticates the administrator (the firewall always checks the local database first if the sequence includes one). An administrator is denied access only if an authentication failure occurs for all the profiles in the authentication sequence.
Configure Kerberos Single Sign-On
Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end users to Captive Portal. A network that supports Kerberos SSO prompts a user to log in only for initial access to the network (for example, logging in to Microsoft Windows). After this initial login, the user can access any browser-based service in the network (for example, the firewall web interface) without having to log in again until the SSO session expires. (Your Kerberos administrator sets the duration of SSO sessions.) If you enable both Kerberos SSO and external authentication services (for example, a RADIUS server), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external service for authentication.
To support Kerberos SSO, your network requires:
A Kerberos infrastructure, including a key distribution center (KDC) with an authentication server (AS) and ticket-granting service (TGS).
A Kerberos account for the firewall or Panorama that will authenticate users. An account is required to create a Kerberos keytab, which is a file that contains the principal name and hashed password of the firewall or Panorama. The SSO process requires the keytab.
Configure Local Database Authentication
You can use a local firewall database instead of an external service to manage user account credentials and authentication. For example, you might create a local database of users and user groups for specialized purposes if you don't have permission to add them to the directory servers that your organization uses to manage regular accounts and groups. Local database authentication is available for firewall administrators and for Captive Portal and GlobalProtect end users.
If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
You can also Configure an Administrative Account to use local account management and authentication without a local database, but only for firewall administrators.
Configure Local Database Authentication
Step 2 Configure a user group. (Required if your users require group membership.)
1. Select Device > Local User Database > User Groups and click Add.
2. Enter a Name to identify the group.
3. Add each user who is a member of the group and click OK.
Configure External Authentication
Palo Alto Networks firewalls and Panorama can use external servers for many services that require authentication, including administrator access to the web interface and end user access to Captive Portal, GlobalProtect portals and GlobalProtect gateways. The server protocols that firewalls and Panorama support include Lightweight Directory Access Protocol (LDAP), Kerberos, Terminal Access Controller Access-Control System Plus (TACACS+), and Remote Authentication Dial-In User Service (RADIUS). If you enable both external authentication and Kerberos single sign-on (SSO), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external server for authentication. To configure external authentication, you create an authentication server profile, assign it to an authentication profile, and then enable authentication for an administrator account or firewall/Panorama service by assigning the authentication profile to it.
Configure Authentication Server Profiles
Enable External Authentication for Users and Services
Configure Authentication Server Profiles
Configure a RADIUS Server Profile
RADIUS Vendor-Specific Attributes Support
Configure a TACACS+ Server Profile
Configure an LDAP Server Profile
Configure a Kerberos Server Profile
Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers
Configure a RADIUS Server Profile
You can configure the firewall or Panorama to use a RADIUS server for managing administrator accounts (if they are not local). You can also configure the firewall to use a RADIUS server for authenticating end users and collecting RADIUS Vendor-Specific Attributes (VSAs) from GlobalProtect clients. To use a RADIUS server for managing administrator accounts or collecting GlobalProtect client VSAs, you must define VSAs on the RADIUS server. For details, see the list of supported RADIUS Vendor-Specific Attributes Support.
By default, when authenticating to the RADIUS server, the firewall or Panorama first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol selection and configure the firewall or Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.
When sending authentication requests to a RADIUS server, the firewall and Panorama use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence for the service that initiates the authentication process.
RADIUS Vendor-Specific Attributes Support
Palo Alto Networks firewalls and Panorama support the following RADIUS Vendor-Specific Attributes (VSAs). To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama) and the VSA name and number. Some VSAs also require a value.
VSAs for administrator account management and authentication
PaloAlto-Admin-Role (1): A default (dynamic) administrative role name or a custom administrative role name on the firewall.
PaloAlto-Admin-Access-Domain (2): The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.
PaloAlto-Panorama-Admin-Role (3): A default (dynamic) administrative role name or a custom administrative role name on Panorama.
PaloAlto-Panorama-Admin-Access-Domain (4): The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).
PaloAlto-User-Group (5): The name of a user group that an authentication profile references.
VSAs forwarded from GlobalProtect clients to the RADIUS server (don't specify a value when you define these VSAs)
PaloAlto-User-Domain (6)
PaloAlto-Client-Source-IP (7)
PaloAlto-Client-OS (8)
PaloAlto-Client-Hostname (9)
PaloAlto-GlobalProtect-Client-Version (10)
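As an added example that is not Palo Alto Networks code, the following Python encodes and decodes these VSAs in the RFC 2865 Vendor-Specific attribute format (attribute type 26) using the vendor code 25461 and the VSA numbers from the table above. The role and access-domain values it uses are constructed placeholders, not names from the guide.

```python
"""Encode/decode Palo Alto Networks RADIUS VSAs (RFC 2865 section 5.26).
Added example, not Palo Alto Networks code; sample values are placeholders."""
import struct

PALO_ALTO_VENDOR_ID = 25461       # vendor code given in this section
RADIUS_VENDOR_SPECIFIC = 26       # RADIUS attribute type for all VSAs

# VSA name -> vendor-type number, from the two tables above.
VSA_NUMBERS = {
    "PaloAlto-Admin-Role": 1,
    "PaloAlto-Admin-Access-Domain": 2,
    "PaloAlto-Panorama-Admin-Role": 3,
    "PaloAlto-Panorama-Admin-Access-Domain": 4,
    "PaloAlto-User-Group": 5,
    "PaloAlto-User-Domain": 6,
    "PaloAlto-Client-Source-IP": 7,
    "PaloAlto-Client-OS": 8,
    "PaloAlto-Client-Hostname": 9,
    "PaloAlto-GlobalProtect-Client-Version": 10,
}
VSA_NAMES = {num: name for name, num in VSA_NUMBERS.items()}


def encode_vsa(name, value):
    """Return the wire bytes for one Vendor-Specific attribute:
    type(26) length vendor-id(4) vendor-type vendor-length value."""
    payload = value.encode("utf-8")
    # vendor-length covers the vendor-type and vendor-length bytes too.
    vendor_part = struct.pack("!BB", VSA_NUMBERS[name], len(payload) + 2) + payload
    body = struct.pack("!I", PALO_ALTO_VENDOR_ID) + vendor_part
    if len(body) + 2 > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsas(data):
    """Walk a run of RADIUS attributes and return {vsa-name: value} for the
    Palo Alto Networks VSAs, skipping other attribute types and vendors."""
    found = {}
    pos = 0
    while pos + 2 <= len(data):
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("malformed RADIUS attribute length")
        attr = data[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(attr) < 6:
            continue
        if struct.unpack("!I", attr[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue
        vendor_type, vendor_len = attr[4], attr[5]
        if vendor_len < 2 or 4 + vendor_len > len(attr):
            raise ValueError("malformed vendor-length")
        if vendor_type in VSA_NAMES:
            found[VSA_NAMES[vendor_type]] = attr[6:4 + vendor_len].decode("utf-8")
    return found


if __name__ == "__main__":
    # Constructed placeholder values, not role or domain names from the guide.
    attrs = (encode_vsa("PaloAlto-Admin-Role", "example-custom-role")
             + encode_vsa("PaloAlto-Admin-Access-Domain", "example-domain"))
    print(attrs.hex())
    print(decode_vsas(attrs))
```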
Configure a TACACS+ Server Profile
Terminal Access Controller Access-Control System Plus (TACACS+) protocol provides better authentication security than RADIUS because it encrypts user names and passwords (instead of just passwords), and is also more reliable (it uses TCP instead of UDP).
By default, when authenticating to the TACACS+ server, the firewall or Panorama first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol selection and configure the firewall or Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers.
Configure an LDAP Server Profile
An LDAP server profile enables you to:
Authenticate administrators and end users of Palo Alto Networks firewalls and Panorama.
Define security rules based on user or user group. The LDAP server profile instructs the firewall how to connect and authenticate to the server and how to search the directory for user and group information. You must also configure User-ID to Map Users to Groups. Then you can select users or groups when defining policy rules.
Configure a Kerberos Server Profile
A Kerberos server profile enables users to natively authenticate to an Active Directory domain controller or a Kerberos V5-compliant authentication server. This authentication method is interactive, requiring users to enter user names and passwords, in contrast with Kerberos single sign-on (SSO), which involves transparent authentication.
To use a Kerberos server for authentication, the server must be accessible over an IPv4 address. IPv6 addresses are not supported.
Set CHAP or PAP Authentication for RADIUS and TACACS+ Servers
When you configure a Palo Alto Networks firewall or Panorama to use RADIUS or TACACS+ server authentication for a particular service (such as Captive Portal), it first tries to authenticate to the server using Challenge-Handshake Authentication Protocol (CHAP). The firewall or Panorama falls back to Password Authentication Protocol (PAP) if the server rejects the CHAP request. This will happen if, for example, the server doesn't support CHAP or isn't configured for CHAP. CHAP is the preferred protocol because it is more secure than PAP. After the firewall or Panorama falls back to PAP for a particular RADIUS or TACACS+ server, it uses only PAP in subsequent attempts to authenticate to that server. PAN-OS records a fallback to PAP as a medium-severity event in the System logs. If you modify any fields in the RADIUS or TACACS+ server profile and then commit the changes, the firewall or Panorama reverts to first trying CHAP for that server.
If you want the firewall or Panorama to always use a specific protocol for authenticating to the RADIUS or TACACS+ server, enter the following operational CLI command (the auto option reverts to the default automatic selection):
set authentication radius-auth-type [ auto | chap | pap ]
When configuring a RADIUS or TACACS+ server for CHAP, you must define user accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.
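The following Python model of the per-server CHAP-first, PAP-fallback behaviour described above is an added example, not PAN-OS code: one selector object per server profile remembers a fallback until the profile is recommitted, records it as a medium-severity log entry, and honours a forced chap/pap/auto setting. The server stand-in (make_server) is constructed.

```python
"""Model the CHAP-first, PAP-fallback selection described in this section.
Added example, not PAN-OS code; make_server is a constructed stand-in."""
from enum import Enum


class AuthType(Enum):
    AUTO = "auto"   # default: try CHAP, fall back to PAP
    CHAP = "chap"
    PAP = "pap"


class ServerAuthSelector:
    """Tracks, for one RADIUS/TACACS+ server profile, whether a PAP
    fallback has already happened."""

    def __init__(self, server_name, mode=AuthType.AUTO):
        self.server = server_name
        self.mode = mode          # as set by 'set authentication radius-auth-type'
        self._pap_only = False    # sticky after a CHAP rejection in AUTO mode
        self.system_log = []      # (severity, message) entries

    def set_mode(self, mode):
        """Force one protocol, or AuthType.AUTO to restore automatic selection."""
        self.mode = mode

    def profile_committed(self):
        """A committed change to the server profile reverts to trying CHAP."""
        self._pap_only = False

    def authenticate(self, send):
        """send(protocol) -> True if the server accepts the request, False if
        it rejects it. Returns (protocol actually used, accepted)."""
        if self.mode is not AuthType.AUTO:
            return self.mode, send(self.mode)
        if self._pap_only:
            return AuthType.PAP, send(AuthType.PAP)
        if send(AuthType.CHAP):
            return AuthType.CHAP, True
        # Server rejected CHAP: fall back, record a medium-severity event,
        # and use only PAP for this server until the profile is recommitted.
        self._pap_only = True
        self.system_log.append(
            ("medium", f"{self.server}: CHAP rejected, falling back to PAP"))
        return AuthType.PAP, send(AuthType.PAP)


def make_server(accepts):
    """Constructed stand-in for a server that accepts only one protocol.
    Returns (send function, list of protocols it was sent)."""
    calls = []

    def send(proto):
        calls.append(proto)
        return proto is accepts
    return send, calls


if __name__ == "__main__":
    send, calls = make_server(AuthType.PAP)
    selector = ServerAuthSelector("radius-example")
    for _ in range(2):
        print(selector.authenticate(send))
    print(calls, selector.system_log)
```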
Enable External Authentication for Users and Services
Palo Alto Networks firewalls and Panorama can use external services to authenticate administrators, end users, and other devices.
Test Authentication Server Connectivity
After you configure an authentication profile on a Palo Alto Networks firewall or Panorama, you can use the test authentication feature to determine if it can communicate with the back-end authentication server and if the authentication request succeeded. You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing.
Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.
The following topics describe how to use the test authentication command and provide examples:
Run the Test Authentication Command
Test a Local Database Authentication Profile
Test a RADIUS Authentication Profile
Test a TACACS+ Authentication Profile
Test an LDAP Authentication Profile
Test a Kerberos Authentication Profile
Run the Test Authentication Command
Step 1 On the PAN-OS firewall or Panorama server, Configure an authentication profile. You do not need to commit the authentication or server profile configuration prior to testing.
Step 2 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3 (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.
Step 4 Test an authentication profile by entering the following command:
admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password
For example, to test an authentication profile named myprofile for a user named bsimpson, run the following command:
admin@PA-3060> test authentication authentication-profile myprofile username bsimpson password
When entering authentication profile names and server profile names in the test command, the names are case-sensitive. Also, if the authentication profile has a user name modifier defined, you must enter the modifier with the user name. For example, if you add the user name modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the user name. This will ensure that the correct credentials are sent to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the Authentication profile.
Step 5 View the output of the test results.
If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration.
For example use cases on the supported authentication profile types, see Test Authentication Server Connectivity.
The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.
Test a Local Database Authentication Profile
The following example shows how to test a Local Database authentication profile named LocalDB for a user named User1-LocalDB and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
Local Database Authentication Profile Test Example
Step 1 On the PAN-OS firewall, ensure that you have an administrator configured with the type Local Database. For information on administrator accounts, refer to Manage Firewall Administrators.
Step 2 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3 (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsysname>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.
Step 4 Run the following CLI command:
admin@PA-3060> test authentication authentication-profile LocalDB-Profile username User1-LocalDB password
Step 5 When prompted, enter the password for the User1-LocalDB account. The following output shows that the test failed:
Allow list check error:
Do allow list check before sending out authentication request...
User User1-LocalDB is not allowed with authentication profile LocalDB-Profile
In this case, the last line of the output shows that the user is not allowed, which indicates a configuration problem in the authentication profile.
Step 6 To resolve this issue, modify the authentication profile and add the user to the Allow List.
1. On the firewall, select Device > Authentication Profile and modify the profile named LocalDB-Profile.
2. Click the Advanced tab and add User1-LocalDB to the Allow List.
3. Click OK to save the change.
Step 7 Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User1-LocalDB" has an exact match in allow list
Authentication by Local User Database for user "User1-LocalDB"
Authentication succeeded for Local User Database user "User1-LocalDB"
Test a RADIUS Authentication Profile
The following example shows how to test a RADIUS profile named RADIUS-Profile for a user named User2-RADIUS and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
RADIUS Authentication Profile Test Example
Step 1 On the PAN-OS firewall, Configure a RADIUS Server Profile and Configure an authentication profile. In the authentication profile, you select the new RADIUS server profile in the Server Profile drop-down.
Step 2 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step3 (Firewallswithvirtualsystemsconfigured)Definethetargetvirtualsystemthatthetestcommandwillaccess.
Thisisrequiredonfirewallswithmultiplevirtualsystems(vsys)configured,sothetestauthentication
commandcanlocatetheuser(GlobalProtectorCaptivePortal,forexample)inthecorrectvsys.
Todefinethetargetvsys:
admin@PA-3060> set system setting target-vsys <vsysname>
Forexample,iftheuserisdefinedinvsys2,runthefollowingcommand:
admin@PA-3060> set system setting target-vsys vsys2
Thetarget-vsys commandisperloginsession,sothesystemclearstheoptionwhenyoulogoff.
Step4 RunthefollowingCLIcommand:
admin@PA-3060> testauthenticationauthenticationprofileRADIUSProfileusernameUser2RADIUS
password
Step5 Whenprompted,enterthepasswordfortheUser2RADIUSaccount.Thefollowingoutputshowsthatthe
testfailed:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS error: Invalid RADIUS response received - Bad MD5
Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
In this case, the output shows Bad MD5, which indicates that there may be an issue with the secret defined in the RADIUS server profile.
Step 6 To resolve this issue, modify the RADIUS server profile and ensure that the secret defined on the RADIUS server matches the secret in the server profile.
1. On the firewall, select Device > Server Profiles > RADIUS and modify the profile named RADIUS-Profile.
2. In the Servers section, locate the RADIUS server and modify the Secret field.
3. Type in the correct secret and then retype it to confirm.
4. Click OK to save the change.
Step 7 Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-RADIUS" is in group "all"
Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Egress: 10.5.104.98
Authentication type: CHAP
Now send request to remote server ...
RADIUS CHAP auth request is NOT accepted, try PAP next
Authentication type: PAP
Now send request to remote server ...
Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
Authentication succeeded for user "User2-RADIUS"
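Why a shared-secret mismatch surfaces as Bad MD5: a RADIUS client accepts a reply only if it can recompute the Response Authenticator, MD5(Code + ID + Length + RequestAuth + Attributes + Secret) from RFC 2865 section 3, using its own copy of the secret. The following is an added example written for this guide, not PAN-OS code; it builds a constructed Access-Accept, then verifies it with the matching secret, a mistyped secret, and a tampered attribute. The packet contents, secrets and Reply-Message text are constructed sample data. It does not model the CHAP/PAP password hiding that the output above also shows.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
REPLY_MESSAGE = 18  # attribute type, RFC 2865 section 5.18


def encode_attributes(attrs):
    """Encode (type, value_bytes) pairs as RADIUS type-length-value attributes."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def build_response(code, identifier, request_auth, attrs, secret):
    """Build a server reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attr_bytes = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(attr_bytes))
    resp_auth = hashlib.md5(header + request_auth + attr_bytes + secret).digest()
    return header + resp_auth + attr_bytes


def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator with the client's secret and compare.
    A mismatch means the reply was forged, altered in transit, or (the case in the
    guide's example) the two sides hold different shared secrets."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    # constant-time compare so the check itself does not leak which byte differed
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    """Constructed exchange: the server signs with server_secret; the client
    verifies with the same secret, then with a mistyped one, then a tampered reply."""
    server_secret = b"constructed-shared-secret"
    mistyped_secret = b"constructed-shared-secrat"
    request_auth = os.urandom(16)  # the client's random Request Authenticator
    reply = build_response(ACCESS_ACCEPT, 0x2A, request_auth,
                           [(REPLY_MESSAGE, b"Welcome User2-RADIUS")], server_secret)
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])  # flip one attribute byte
    return {
        "same_secret": verify_response(reply, request_auth, server_secret),
        "wrong_secret": verify_response(reply, request_auth, mistyped_secret),
        "tampered_reply": verify_response(tampered, request_auth, server_secret),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-15s %s" % (case, "authenticator OK" if ok else "Bad MD5"))
```

Only the same-secret case verifies; both the wrong secret and the altered attribute fail the same way, which is why the firewall's message points at the secret rather than at a particular attribute.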
Test a TACACS+ Authentication Profile
The following example shows how to test a TACACS+ profile named TACACS-Profile for a user named User3-TACACS and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
TACACS+ Authentication Profile Test Example
Step 1 On the PAN-OS firewall, Configure a TACACS+ Server Profile and Configure an authentication profile. In the authentication profile, select the new TACACS+ server profile in the Server Profile drop-down.
Step 2 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3 (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.
Step 4 Run the following CLI command:
admin@PA-3060> test authentication authentication-profile TACACS-Profile username User3-TACACS password
Step 5 When prompted, enter the password for the User3-TACACS account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
Failed to send CHAP authentication request: Network read timed out
Attempting PAP authentication ...
PAP authentication request is created
Failed to send PAP authentication request: Network read timed out
Returned status: -1
Authentication failed against TACACS+ server at 10.5.196.62:49 for user User2-TACACS
Authentication failed for user "User2-TACACS"
The output shows the error Network read timed out, which indicates that the TACACS+ server could not decrypt the authentication request. In this case, there may be an issue with the secret defined in the TACACS+ server profile.
Step 6 To resolve this issue, modify the TACACS+ server profile and ensure that the secret defined on the TACACS+ server matches the secret in the server profile.
1. On the firewall, select Device > Server Profiles > TACACS+ and modify the profile named TACACS-Profile.
2. In the Servers section, locate the TACACS+ server and modify the Secret field.
3. Type in the correct secret and then retype it to confirm.
4. Click OK to save the change.
Step 7 Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
Authentication succeeded!
Authentication succeeded for user "User2-TACACS"
Test an LDAP Authentication Profile
The following example shows how to test an LDAP authentication profile named LDAP-Profile for a user named User4-LDAP and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
LDAP Authentication Profile Test Example
Step 1 On the PAN-OS firewall, Configure an LDAP Server Profile and Configure an authentication profile. In the authentication profile, select the new LDAP server profile in the Server Profile drop-down.
Step 2 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3 (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.
Step 4 Run the following CLI command:
admin@PA-3060> test authentication authentication-profile LDAP-Profile username User4-LDAP password
Step 5 When prompted, enter the password for the User4-LDAP account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
parse error of dn and attributes for user "User4-LDAP"
Authentication failed against LDAP server at 10.5.104.99:389 for user "User4-LDAP"
Authentication failed for user "User4-LDAP"
The output shows parse error of dn and attributes for user User4-LDAP, which indicates a Bind DN value issue in the LDAP server profile. In this case, a Domain Component (DC) value is incorrect.
Step 6 To resolve this issue, modify the LDAP server profile and ensure that the Bind DN DC value is correct by comparing it with the DC value of the LDAP server.
1. On the firewall, select Device > Server Profiles > LDAP and modify the profile named LDAP-Profile.
2. In the Server settings section, enter the correct value for the DC in the Bind DN field. In this case, the correct value for the DC is MGMT-GROUP.
3. Click OK to save the change.
Step 7 Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User4-LDAP" is in group "all"
Authentication to LDAP server at 10.5.104.99 for user "User4-LDAP"
Egress: 10.5.104.98
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=User4-LDAP,CN=Users,DC=MGMT-GROUP,DC=local
User expires in days: never
Authentication succeeded for user "User4-LDAP"
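A Bind DN typo like the one above can be caught before the firewall ever sends the bind. The following is an added example written for this guide, not PAN-OS code: it splits a DN into its relative distinguished names (RFC 4514 syntax, honoring backslash escapes and legacy quoted values), pulls out the domain component (DC) values, and compares them with the directory's own naming context. The DNs, the server base DN and the check_bind_dn helper are constructed for illustration.

```python
def split_dn(dn):
    """Split a DN on unescaped commas into [(attribute_type, value), ...].
    Backslash escapes ("\\,") and legacy double-quoted values are honored;
    malformed input raises ValueError."""
    rdns, buf, escaped, quoted = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped or quoted:
        raise ValueError("unterminated escape or quote in DN")
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        attr_type, value = rdn.split("=", 1)
        parsed.append((attr_type.strip().lower(), value.strip()))
    return parsed


def domain_components(dn):
    """Return the DC values of a DN in order, case-folded (DN matching is case-insensitive)."""
    return [value.lower() for attr_type, value in split_dn(dn) if attr_type == "dc"]


def check_bind_dn(bind_dn, server_base_dn):
    """Compare the DC suffix of a Bind DN with the server's base DN.
    Returns (ok, message); a False result reproduces the class of error the
    guide's failed test reports."""
    try:
        bind_dcs = domain_components(bind_dn)
    except ValueError as exc:
        return False, "parse error of dn: %s" % exc
    base_dcs = domain_components(server_base_dn)
    if not bind_dcs:
        return False, "Bind DN has no DC components"
    if bind_dcs != base_dcs:
        return False, "DC mismatch: Bind DN has %s, server has %s" % (
            ".".join(bind_dcs), ".".join(base_dcs))
    return True, "Bind DN is in the server's naming context"


if __name__ == "__main__":
    server_base = "DC=MGMT-GROUP,DC=local"   # constructed: the directory's naming context
    for candidate in ("CN=User4-LDAP,CN=Users,DC=MGMTGROUP,DC=local",
                      "CN=User4-LDAP,CN=Users,DC=MGMT-GROUP,DC=local"):
        ok, msg = check_bind_dn(candidate, server_base)
        print("%-48s %s" % (candidate, msg))
```

The first candidate (DC=MGMTGROUP) is rejected with a DC mismatch; the corrected one passes. Comparing case-folded values avoids false alarms from the mixed case that directories accept.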
Test a Kerberos Authentication Profile
The following example shows how to test a Kerberos profile named Kerberos-Profile for a user named User5-Kerberos and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
Kerberos Authentication Profile Test Example
Step 1 On the PAN-OS firewall, Configure a Kerberos Server Profile and Configure an authentication profile. In the authentication profile, select the new Kerberos server profile in the Server Profile drop-down.
Step 2 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 3 (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, run the following command:
admin@PA-3060> set system setting target-vsys vsys2
The target-vsys command is per login session, so the system clears the option when you log off.
Step 4 Run the following CLI command:
admin@PA-3060> test authentication authentication-profile Kerberos-Profile username User5-Kerberos password
Step 5 When prompted, enter the password for the User5-Kerberos account. The following output shows that the test failed:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'Bad-MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication failure: Wrong realm: 'Bad-MGMT-GROUP.LOCAL' (code: -1765328316)
Authentication failed against KERBEROS server at 10.5.104.99:88 for user "User5-Kerberos"
Authentication failed for user "User5-Kerberos"
In this case, the output shows Wrong realm, which indicates that the Kerberos realm has an incorrect value.
Step 6 To resolve this issue, modify the Kerberos server profile and ensure that the Realm value is correct by comparing it with the realm name on the Kerberos server.
1. On the firewall, select Device > Authentication Profiles and modify the profile named Kerberos-Profile.
2. In the Kerberos Realm field, enter the correct value. In this case, the correct realm is mgmt-group.local.
3. Click OK to save the change.
Step 7 Run the test command again. The following output shows that the test is successful:
Do allow list check before sending out authentication request...
name "User5-Kerberos" is in group "all"
Authentication to KERBEROS server at '10.5.104.99' for user 'User5-Kerberos'
Realm: 'MGMT-GROUP.LOCAL'
Egress: 10.5.104.98
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "User5-Kerberos"
Troubleshoot Authentication Issues
When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the authentication process takes longer than expected, analyzing authentication-related information can help you determine whether the failure or delay resulted from:
• User behavior: for example, users are locked out after entering the wrong credentials, or a high volume of users are simultaneously attempting access.
• System or network issues: for example, an authentication server is inaccessible.
• Configuration issues: for example, the Allow List of an authentication profile doesn't have all the users it should have.
The following CLI commands display information that can help you troubleshoot these issues:
Task                          Command
Keys and Certificates
To ensure trust between parties in a secure communication session, Palo Alto Networks firewalls and Panorama use digital certificates. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies that the issuer did not revoke the certificate (see Certificate Revocation).
Palo Alto Networks firewalls and Panorama use certificates in the following applications:
• User authentication for Captive Portal, GlobalProtect, Mobile Security Manager, and web interface access to a firewall or Panorama.
• Device authentication for GlobalProtect VPN (remote user-to-site or large scale).
• Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).
• Decrypting inbound and outbound SSL traffic.
A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS connection to the destination server. To secure a connection between itself and the client, the firewall uses a signing certificate to automatically generate a copy of the destination server certificate.
The following table describes the keys and certificates that Palo Alto Networks firewalls and Panorama use. As a best practice, use different keys and certificates for each usage.
Table: Palo Alto Networks Device Keys/Certificates
Key/Certificate Usage         Description
Administrative Access
    Secure access to firewall or Panorama administration interfaces (HTTPS access to the web interface) requires a server certificate for the MGT interface (or a designated interface on the dataplane if the firewall or Panorama does not use MGT) and, optionally, a certificate to authenticate the administrator.
Captive Portal
    In deployments where Captive Portal identifies users who access HTTPS resources, designate a server certificate for the Captive Portal interface. If you configure Captive Portal to use certificates (instead of, or in addition to, username/password credentials) for user identification, designate a user certificate also. For more information on Captive Portal, see Map IP Addresses to Usernames Using Captive Portal.
Forward Trust
    For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy of the destination server certificate to present to the client. To set the private key size, see Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the key on a hardware security module (for details, see Secure Keys with a Hardware Security Module).
Forward Untrust
    For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA that signed the certificate of the destination server, the firewall uses the forward untrust CA certificate to generate a copy of the destination server certificate to present to the client.
SSL Inbound Inspection
    The keys that decrypt inbound SSL/TLS traffic for inspection and policy enforcement. For this application, import onto the firewall a private key for each server that is subject to SSL/TLS inbound inspection. See Configure SSL Inbound Inspection.
SSL Exclude Certificate
    Certificates for servers to exclude from SSL/TLS decryption. For example, if you enable SSL decryption but your network includes servers for which the firewall should not decrypt traffic (for example, web services for your HR systems), import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Configure Decryption Exceptions.
GlobalProtect
    All interaction among GlobalProtect components occurs over SSL/TLS connections. Therefore, as part of the GlobalProtect deployment, deploy server certificates for all GlobalProtect portals, gateways, and Mobile Security Managers. Optionally, deploy certificates for authenticating users also.
    Note that the GlobalProtect Large Scale VPN (LSVPN) feature requires a CA signing certificate.
Site-to-Site VPNs (IKE)
    In a site-to-site IPSec VPN deployment, peer devices use Internet Key Exchange (IKE) gateways to establish a secure channel. IKE gateways use certificates or preshared keys to authenticate the peers to each other. You configure and assign the certificates or keys when defining an IKE gateway on a firewall. See Site-to-Site VPN Overview.
Master Key
    The firewall uses a master key to encrypt all private keys and passwords. If your network requires a secure location for storing private keys, you can use an encryption (wrapping) key stored on a hardware security module (HSM) to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
Secure Syslog
    The certificate to enable secure connections between the firewall and a syslog server. See Syslog Field Descriptions.
Trusted Root CA
    The designation for a root certificate issued by a CA that the firewall trusts. The firewall can use a self-signed root CA certificate to automatically issue certificates for other applications (for example, SSL Forward Proxy).
    Also, if a firewall must establish secure connections with other firewalls, the root CA that issues their certificates must be in the list of trusted root CAs on the firewall.
Certificate Revocation
Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust between parties in a secure communication session. Configuring a firewall or Panorama to check the revocation status of certificates provides additional security. A party that presents a revoked certificate is not trustworthy. When a certificate is part of a chain, the firewall or Panorama checks the status of every certificate in the chain except the root CA certificate, for which it cannot verify revocation status.
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, a change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority that issued the certificate must revoke it.
The firewall and Panorama support the following methods for verifying certificate revocation status. If you configure both methods, the firewall or Panorama first tries the OCSP method; if the OCSP server is unavailable, it uses the CRL method.
• Certificate Revocation List (CRL)
• Online Certificate Status Protocol (OCSP)
In PAN-OS, certificate revocation status verification is an optional feature. It is a best practice to enable it for certificate profiles, which define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall or Panorama.
Certificate Revocation List (CRL)
Each certificate authority (CA) periodically issues a certificate revocation list (CRL) to a public repository. The CRL identifies revoked certificates by serial number. After the CA revokes a certificate, the next CRL update will include the serial number of that certificate.
The Palo Alto Networks firewall downloads and caches the last-issued CRL for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the CRL for the issuing CA. Also, the cache only stores a CRL until it expires.
The firewall supports CRLs only in Distinguished Encoding Rules (DER) format. If the firewall downloads a CRL in any other format (for example, Privacy Enhanced Mail (PEM) format), any revocation verification process that uses that CRL will fail when a user performs an activity that triggers the process (for example, sending outbound SSL data). The firewall will generate a system log for the verification failure. If the verification was for an SSL certificate, the firewall will also display the SSL Certificate Errors Notify response page to the user.
To use CRLs for verifying the revocation status of certificates used for the decryption of inbound and outbound SSL/TLS traffic, see Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.
To use CRLs for verifying the revocation status of certificates that authenticate users and devices, configure a certificate profile and assign it to the interfaces that are specific to the application: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, or web interface access to Palo Alto Networks firewalls or Panorama. For details, see Configure Revocation Status Verification of Certificates.
Online Certificate Status Protocol (OCSP)
When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check the revocation status of the authentication certificate. The authenticating client sends a request containing the serial number of the certificate to the OCSP responder (server). The responder searches the database of the certificate authority (CA) that issued the certificate and returns a response containing the status (good, revoked, or unknown) to the client. The advantage of the OCSP method is that it can verify status in real time, instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs.
The Palo Alto Networks firewall downloads and caches OCSP status information for every CA listed in the trusted CA list of the firewall. Caching only applies to validated certificates; if a firewall never validated a certificate, the firewall cache does not store the OCSP information for the issuing CA. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall as an OCSP responder (see Configure an OCSP Responder).
To use OCSP for verifying the revocation status of certificates when the firewall functions as an SSL forward proxy, perform the steps under Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption.
The following applications use certificates to authenticate users and/or devices: Captive Portal, GlobalProtect (remote user-to-site or large scale), site-to-site IPSec VPN, and web interface access to Palo Alto Networks firewalls or Panorama. To use OCSP for verifying the revocation status of the certificates:
1. Configure an OCSP responder.
2. Enable the HTTP OCSP service on the firewall.
3. Create or obtain a certificate for each application.
4. Configure a certificate profile for each application.
5. Assign the certificate profile to the relevant application.
To cover situations where the OCSP responder is unavailable, configure CRL as a fallback method. For details, see Configure Revocation Status Verification of Certificates.
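The CRL and OCSP sections above describe an order of operations and three failure modes: OCSP is consulted first and the CRL only when the responder is unavailable; a CRL is cached only for CAs whose certificates were validated and only until it expires; and a CRL that is not DER-encoded makes verification fail. The following is an added example written for this guide, not PAN-OS code, that models exactly those rules so the branches can be exercised side by side. The responder stub, issuer names, serial numbers and CRL bytes are constructed placeholders; real ASN.1 parsing of CRLs and OCSP responses is out of scope here.

```python
import datetime as dt


class OcspUnavailable(Exception):
    """Raised by the OCSP lookup when the responder cannot be reached."""


class CachedCrl:
    """Minimal model of a cached CRL: issuing CA, revoked serial numbers,
    nextUpdate time, and the raw bytes as downloaded."""

    def __init__(self, issuer, revoked_serials, next_update, raw):
        self.issuer = issuer
        self.revoked_serials = set(revoked_serials)
        self.next_update = next_update
        self.raw = raw


def is_der_encoded(data):
    """A DER CRL begins with the ASN.1 SEQUENCE tag (0x30); a PEM CRL begins
    with a text armor line. Only DER CRLs are accepted, as the guide states."""
    if data.startswith(b"-----BEGIN"):
        return False
    return len(data) > 0 and data[0] == 0x30


def check_revocation(serial, issuer, ocsp_lookup, crl_cache, now):
    """Return 'good', 'revoked', 'unknown' or 'error'.

    ocsp_lookup(issuer, serial) returns an OCSP status or raises OcspUnavailable.
    crl_cache maps issuer -> CachedCrl and holds entries only for CAs whose
    certificates have already been validated."""
    try:
        return ocsp_lookup(issuer, serial)          # OCSP first
    except OcspUnavailable:
        pass                                        # fall back to the CRL
    crl = crl_cache.get(issuer)
    if crl is None or now >= crl.next_update:
        # nothing cached for this CA, or the cached CRL expired and must be re-fetched
        return "unknown"
    if not is_der_encoded(crl.raw):
        return "error"                              # PEM CRL: verification fails
    return "revoked" if serial in crl.revoked_serials else "good"


def scenarios():
    """Constructed inputs that exercise each branch; none of these values are real PKI data."""
    now = dt.datetime(2016, 5, 19, 12, 0, 0)
    fresh = now + dt.timedelta(days=1)
    stale = now - dt.timedelta(hours=1)
    der_bytes = b"\x30\x03\x02\x01\x00"   # SEQUENCE tag only; stands in for a DER CRL body
    pem_bytes = b"-----BEGIN X509 CRL-----\nMIIB...\n-----END X509 CRL-----\n"
    ca = "Constructed Root CA"

    def ocsp_up(issuer, serial):
        return "revoked" if serial == 0x1001 else "good"

    def ocsp_down(issuer, serial):
        raise OcspUnavailable("responder timed out")

    cache_der = {ca: CachedCrl(ca, [0x1001], fresh, der_bytes)}
    cache_pem = {ca: CachedCrl(ca, [0x1001], fresh, pem_bytes)}
    cache_stale = {ca: CachedCrl(ca, [0x1001], stale, der_bytes)}
    return {
        "ocsp_says_revoked": check_revocation(0x1001, ca, ocsp_up, cache_der, now),
        "ocsp_says_good": check_revocation(0x1002, ca, ocsp_up, cache_der, now),
        "crl_fallback_revoked": check_revocation(0x1001, ca, ocsp_down, cache_der, now),
        "crl_fallback_good": check_revocation(0x1002, ca, ocsp_down, cache_der, now),
        "crl_is_pem": check_revocation(0x1002, ca, ocsp_down, cache_pem, now),
        "crl_expired": check_revocation(0x1002, ca, ocsp_down, cache_stale, now),
        "ca_never_validated": check_revocation(0x1002, "Other CA", ocsp_down, cache_der, now),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print("%-22s %s" % (name, status))
```

The two OCSP cases never consult the CRL at all, which is the point of the fallback order; the PEM case is the one worth recognizing in practice, because it fails even though the CRL content itself may be perfectly current.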
Certificate Deployment
The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are:
• Obtain certificates from a trusted third-party CA: The benefit of obtaining a certificate from a trusted third-party certificate authority (CA) such as VeriSign or GoDaddy is that end clients will already trust the certificate because common browsers include root CA certificates from well-known CAs in their trusted root certificate stores. Therefore, for applications that require end clients to establish secure connections with the firewall or Panorama, purchase a certificate from a CA that the end clients trust to avoid having to pre-deploy root CA certificates to the end clients. (Some such applications are a GlobalProtect portal or GlobalProtect Mobile Security Manager.) However, note that most third-party CAs cannot issue signing certificates. Therefore, this type of certificate is not appropriate for applications (for example, SSL/TLS decryption and large-scale VPN) that require the firewall to issue certificates. See Obtain a Certificate from an External CA.
• Obtain certificates from an enterprise CA: Enterprises that have their own internal CA can use it to issue certificates for firewall applications and import them onto the firewall. The benefit is that end clients probably already trust the enterprise CA. You can either generate the needed certificates and import them onto the firewall, or generate a certificate signing request (CSR) on the firewall and send it to the enterprise CA for signing. The benefit of this method is that the private key does not leave the firewall. An enterprise CA can also issue a signing certificate, which the firewall uses to automatically generate certificates (for example, for GlobalProtect large-scale VPN or sites requiring SSL/TLS decryption). See Import a Certificate and Private Key.
• Generate self-signed certificates: You can Create a Self-Signed Root CA Certificate on the firewall and use it to automatically issue certificates for other firewall applications. Note that if you use this method to generate certificates for an application that requires an end client to trust the certificate, end users will see a certificate error because the root CA certificate is not in their trusted root certificate store. To prevent this, deploy the self-signed root CA certificate to all end user systems. You can deploy the certificates manually or use a centralized deployment method such as an Active Directory Group Policy Object (GPO).
Set Up Verification for Certificate Revocation Status
To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP) and/or certificate revocation lists (CRLs). For details on these methods, see Certificate Revocation. If you configure both methods, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable. If your enterprise has its own public key infrastructure (PKI), you can configure the firewall to function as the OCSP responder.
The following topics describe how to configure the firewall to verify certificate revocation status:
• Configure an OCSP Responder
• Configure Revocation Status Verification of Certificates
• Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
Configure an OCSP Responder
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of certificates, you must configure the firewall to access an OCSP responder (server). The entity that manages the OCSP responder can be a third-party certificate authority (CA) or, if your enterprise has its own public key infrastructure (PKI), the firewall itself. For details on OCSP, see Certificate Revocation.
Configure an OCSP Responder
Configure Revocation Status Verification of Certificates
The firewall and Panorama use certificates to authenticate users and devices for such applications as Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. To improve security, it is a best practice to configure the firewall or Panorama to verify the revocation status of certificates that it uses for device/user authentication.
Configure Revocation Status Verification of Certificates
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
The firewall decrypts inbound and outbound SSL/TLS traffic to apply security rules, then re-encrypts the traffic before forwarding it. (For details, see SSL Inbound Inspection and SSL Forward Proxy.) You can configure the firewall to verify the revocation status of certificates used for decryption as follows.
Enabling revocation status verification for SSL/TLS decryption certificates will add time to the process of establishing the session. The first attempt to access a site might fail if the verification does not finish before the session times out. For these reasons, verification is disabled by default.
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption
Configure the Master Key
Every firewall and Panorama management server has a default master key that encrypts private keys and other secrets (such as passwords and shared keys). The private keys authenticate users when they access administrative interfaces on the firewall. As a best practice to safeguard the keys, configure the master key on each firewall to be unique and periodically change it. For added security, use a wrapping key stored on a hardware security module (HSM) to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
In a high availability (HA) configuration, ensure both firewalls or Panorama management servers in the pair use the same master key to encrypt private keys and certificates. If the master keys differ, HA configuration synchronization will not work properly.
When you export a firewall or Panorama configuration, the master key encrypts the passwords of users managed on external servers. For locally managed users, the firewall or Panorama hashes the passwords but the master key does not encrypt them.
Configure a Master Key
Step 6 (Optional) Select whether to use an HSM to encrypt the master key. For details, see Encrypt a Master Key Using an HSM.
Step 7 Click OK and Commit.
Obtain Certificates
• Create a Self-Signed Root CA Certificate
• Generate a Certificate
• Import a Certificate and Private Key
• Obtain a Certificate from an External CA
Create a Self-Signed Root CA Certificate
A self-signed root certificate authority (CA) certificate is the topmost certificate in a certificate chain. A firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall issues certificates for SSL/TLS decryption and for satellites in a GlobalProtect large-scale VPN.
When establishing a secure connection with the firewall, the remote client must trust the root CA that issued the certificate. Otherwise, the client browser will display a warning that the certificate is invalid and might (depending on security settings) block the connection. To prevent this, after generating the self-signed root CA certificate, import it into the client systems.
On a Palo Alto Networks firewall or Panorama, you can generate self-signed certificates only if they are CA certificates.
Generate a Self-Signed Root CA Certificate
Step 1 Select Device > Certificate Management > Certificates > Device Certificates.
Step 2 If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3 Click Generate.
Step 6 If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
Step 10 Click Generate and Commit.
Generate a Certificate
Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. Generate certificates for each usage; for details, see Keys and Certificates.
To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, Configure an OCSP Responder before generating the certificate.
Generate a Certificate
Step 1 Select Device > Certificate Management > Certificates > Device Certificates.
Step 2 If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3 Click Generate.
Step 7 If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
Step 12 Select the Digest algorithm. From most to least secure, the options are: sha512, sha384, sha256 (default), sha1, and md5.
Step 13 For the Expiration, enter the number of days (default is 365) for which the certificate is valid.
Step 15 Click Generate and, in the Device Certificates page, click the certificate Name.
Regardless of the time zone on the firewall, it always displays the corresponding Greenwich Mean Time (GMT) for certificate validity and expiration dates/times.
Step 16 Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
Step 17 Click OK and Commit.
Import a Certificate and Private Key
If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.
On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.
Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.
If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.
Import a Certificate and Private Key
Step 1 From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it.
Step 2 Select Device > Certificate Management > Certificates > Device Certificates.
Step 3 If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 5 To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.
Step 8 Enter and re-enter (confirm) the Passphrase used to encrypt the private key.
Step 9 Click OK. The Device Certificates page displays the imported certificate.
Obtain a Certificate from an External CA
The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR) and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall. The CA can be a well-known, public CA or an enterprise CA.
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, Configure an OCSP Responder before generating the CSR.
Obtain a Certificate from an External CA
Export a Certificate and Private Key
Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a certificate and private key in your organization. However, if necessary, you can also export a certificate and private key from the firewall or Panorama. You can use an exported certificate and private key in the following cases:
• Configure Certificate-Based Administrator Authentication to the Web Interface
• GlobalProtect agent/app authentication to portals and gateways
• SSL Forward Proxy decryption
Export a Certificate and Private Key
Step 1 Select Device > Certificate Management > Certificates > Device Certificates.
Step 2 If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.
Step 5 Click OK and save the certificate/key file to your computer.
Configure a Certificate Profile
Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.
It is a best practice to enable Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) status verification for certificate profiles. For details on these methods, see Certificate Revocation.
Configure an SSL/TLS Service Profile
Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama downgrades or upgrades the connection to a supported version.
Step 1 For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
Use only signed certificates, not certificate authority (CA) certificates, for SSL/TLS services.
Step 3 If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
Step 4 Click Add and enter a Name to identify the profile.
Step 5 Select the Certificate you just obtained.
Step 6 Define the range of protocols that the service can use:
For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest available version). The default is Max.
Step 7 Click OK and Commit.
Replace the Certificate for Inbound Management Traffic
When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
You cannot view, modify, or delete the default certificate.
Securing management traffic also involves configuring how administrators authenticate to the firewall or to Panorama.
Configure the Key Size for SSL Forward Proxy Server Certificates
When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall generates certificates with the same key size as the certificate that the destination server presented. However, you can change the key size for the firewall-generated certificate as follows:
Step 3 Click OK and Commit.
Revoke and Renew Certificates
Revoke a Certificate
Renew a Certificate
Revoke a Certificate
Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority (CA) that issued the certificate must revoke it. The following task describes how to revoke a certificate for which the firewall is the CA.
Step 1 Select Device > Certificate Management > Certificates > Device Certificates.
Step 2 If the firewall supports multiple virtual systems, the tab displays a Location drop-down. Select the virtual system to which the certificate belongs.
Step 3 Select the certificate to revoke.
Step 4 Click Revoke. PAN-OS immediately sets the status of the certificate to revoked and adds the serial number to the Online Certificate Status Protocol (OCSP) responder cache or certificate revocation list (CRL). You need not perform a commit.
Renew a Certificate
If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status (see Configure an OCSP Responder). If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.
Step 1 Select Device > Certificate Management > Certificates > Device Certificates.
Step 2 If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Step 3 Select a certificate to renew and click Renew.
Step 5 Click OK and Commit.
Secure Keys with a Hardware Security Module
A hardware security module (HSM) is a physical device that manages digital keys. An HSM provides secure storage and generation of digital keys. It provides both logical and physical protection of these materials from non-authorized use and potential adversaries.
HSM clients integrated with Palo Alto Networks firewalls or Panorama enable enhanced security for the private keys used in SSL/TLS decryption (both SSL forward proxy and SSL inbound inspection). In addition, you can use the HSM to encrypt master keys.
The following topics describe how to integrate an HSM with your firewall or Panorama:
Set up Connectivity with an HSM
Encrypt a Master Key Using an HSM
Store Private Keys on an HSM
Manage the HSM Deployment
Set up Connectivity with an HSM
HSM clients are integrated with PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls and on Panorama (virtual appliance and M-Series appliance) for use with the following HSMs:
SafeNet Network 5.2.1 or later
Thales nShield Connect 11.62 or later
The HSM server version must be compatible with these client versions. Refer to the HSM vendor documentation for the client-server version compatibility matrix.
The following topics describe how to set up connectivity to one of the supported HSMs:
Set Up Connectivity with a SafeNet Network HSM
Set Up Connectivity with a Thales nShield Connect HSM
Set Up Connectivity with a SafeNet Network HSM
To set up connectivity between the Palo Alto Networks firewall and a SafeNet Network HSM, you must specify the address of the HSM server and the password for connecting to it in the firewall configuration. In addition, you must register the firewall with the HSM server. Before starting the configuration, make sure you have created a partition for the Palo Alto Networks firewalls on the HSM server.
HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
In active/passive HA deployments, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After this manual failover has been performed, user interaction is not required for the failover function.
Set Up Connectivity with a Thales nShield Connect HSM
The following workflow describes how to configure the firewall to communicate with a Thales nShield Connect HSM. This configuration requires that you set up a remote file system (RFS) to use as a hub to sync key data for all firewalls in your organization that are using the HSM.
HSM configuration is not synced between high availability firewall peers. Consequently, you must configure the HSM module separately on each of the peers.
If the firewall is in an active/passive high availability configuration, you must manually perform one failover to configure and authenticate each HA peer individually to the HSM. After you perform this initial manual failover, no further user interaction is required for failover function.
Encrypt a Master Key Using an HSM
A master key is configured on a Palo Alto Networks firewall to encrypt all private keys and passwords. If you have security requirements to store your private keys in a secure location, you can encrypt the master key using an encryption key that is stored on an HSM. The firewall then requests the HSM to decrypt the master key whenever it is required to decrypt a password or private key on the firewall. Typically, the HSM is located in a highly secure location that is separate from the firewall for greater security.
The HSM encrypts the master key using a wrapping key. To maintain security, this encryption key must occasionally be changed. For this reason, a command is provided on the firewall to rotate the wrapping key, which changes the master key encryption. The frequency of this wrapping key rotation depends on your application.
Master key encryption using an HSM is not supported on firewalls configured in FIPS/CC mode.
The following topics describe how to encrypt the master key initially and how to refresh the master key encryption:
Encrypt the Master Key
Refresh the Master Key Encryption
Encrypt the Master Key
If you have not previously encrypted the master key on a firewall, use the following procedure to encrypt it. Use this procedure for first-time encryption of a key, or if you define a new master key and you want to encrypt it. If you want to refresh the encryption on a previously encrypted key, see Refresh the Master Key Encryption.
Step 2 Specify the key that is currently used to encrypt all of the private keys and passwords on the firewall in the Master Key field.
Step 3 If changing the master key, enter the new master key and confirm.
Step 4 Select the HSM check box.
Life Time: The number of days and hours after which the master key expires (range 1-730 days).
Time for Reminder: The number of days and hours before expiration when the user is notified of the impending expiration (range 1-365 days).
Step 5 Click OK.
Refresh the Master Key Encryption
As a best practice, refresh the master key encryption on a regular basis by rotating the master key wrapping key on the HSM. This command is the same for both the SafeNet Network and Thales nShield Connect HSMs.
Step 1 Use the following CLI command to rotate the wrapping key for the master key on an HSM:
> request hsm mkey-wrapping-key-rotation
If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and encrypt the master key with the new wrapping key.
If the master key is not encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM for future use.
The old wrapping key is not deleted by this command.
Store Private Keys on an HSM
For added security, you can use an HSM to secure the private keys used in SSL/TLS decryption for:
SSL forward proxy: The HSM can store the private key of the CA certificate that is used to sign certificates in SSL/TLS forward proxy operations. The firewall will then send the certificates that it generates during such operations to the HSM for signing before forwarding them to the client.
SSL inbound inspection: The HSM can store the private keys for the internal servers for which you are performing SSL/TLS inbound inspection.
Step 3 Import the certificate that corresponds to the HSM-stored key onto the firewall.
1. Select Device > Certificate Management > Certificates > Device Certificates and click Import.
2. Enter the Certificate Name.
3. Enter the filename of the Certificate File you imported to the HSM.
4. Select a File Format.
5. Select the Private Key resides on Hardware Security Module check box.
6. Click OK and Commit.
Step 4 (Forward trust certificates only) Enable the certificate for use in SSL/TLS Forward Proxy.
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Open the certificate you imported in Step 3 for editing.
3. Select the Forward Trust Certificate check box.
4. Click OK and Commit.
Step 5 Verify that you successfully imported the certificate onto the firewall.
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. Locate the certificate you imported in Step 3 and check the icon in the Key column:
Lock icon: The private key for the certificate is on the HSM.
Error icon: The private key is not on the HSM or the HSM is not properly authenticated or connected.
Manage the HSM Deployment
HA Overview
You can set up two Palo Alto Networks firewalls as an HA pair. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that the peer firewall fails. The firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data (network, object, and policy configurations) and to maintain state information. Firewall-specific configuration such as management interface IP address or administrator profiles, HA-specific configuration, log data, and the Application Command Center (ACC) information is not shared between peers. For a consolidated application and log view across the HA pair, you must use Panorama, the Palo Alto Networks centralized management system.
When a failure occurs on a firewall in an HA pair and the peer firewall takes over the task of securing traffic, the event is called a Failover. The conditions that trigger a failover are:
One or more of the monitored interfaces fail. (Link Monitoring)
One or more of the destinations specified on the firewall cannot be reached. (Path Monitoring)
The firewall does not respond to heartbeat polls. (Heartbeat Polling and Hello messages)
A critical chip or software component fails, known as packet path health monitoring.
You can use Panorama to manage HA firewalls. See Context Switch (Firewall or Panorama) in the Panorama Administrator's Guide.
After you understand the HA Concepts, proceed to Set Up Active/Passive HA or Set Up Active/Active HA.
HA Concepts
The following topics provide conceptual information about how HA works on a Palo Alto Networks firewall:
HA Modes
HA Links and Backup Links
Device Priority and Preemption
Failover
LACP and LLDP Pre-Negotiation for Active/Passive HA
Floating IP Address and Virtual MAC Address
ARP Load-Sharing
Route-Based Redundancy
HA Timers
Session Owner
Session Setup
NAT in Active/Active HA Mode
ECMP in Active/Active HA Mode
HA Modes
You can set up the firewalls for HA in one of two modes:
Active/Passive: One firewall actively manages traffic while the other is synchronized and ready to transition to the active state, should a failure occur. In this mode, both firewalls share the same configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs. When the active firewall fails, the passive firewall transitions to the active state and takes over seamlessly and enforces the same policies to maintain network security. Active/passive HA is supported in the virtual wire, Layer 2, and Layer 3 deployments.
The PA-200 firewall supports HA Lite only.
HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization such as IPSec security associations. It does not support any session synchronization (HA2), and therefore does not offer stateful failover.
Active/Active: Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each other. Active/active HA is supported in virtual wire and Layer 3 deployments.
An active/active configuration does not load-balance traffic. Although you can load-share by sending traffic to the peer, no load balancing occurs. Ways to load-share sessions to both firewalls include using ECMP, multiple ISPs, and load balancers.
In active/active HA mode, the firewall does not support DHCP client. Furthermore, only the active-primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast packets, it drops them.
When deciding whether to use active/passive or active/active mode, consider the following differences:
Active/passive mode has simplicity of design; it is significantly easier to troubleshoot routing and traffic flow issues in active/passive mode. Active/passive mode supports a Layer 2 deployment; active/active mode does not.
Active/active mode requires advanced design concepts that can result in more complex networks. Depending on how you implement active/active HA, it might require additional configuration such as activating networking protocols on both firewalls, replicating NAT pools, and deploying floating IP addresses to provide proper failover. Because both firewalls are actively processing traffic, the firewalls use additional concepts of session owner and session setup to perform Layer 7 content inspection. Active/active mode is recommended if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic.
In active/active mode, the HA pair can be used to temporarily process more traffic than what one firewall can normally handle. However, this should not be the norm because a failure of one firewall causes all traffic to be redirected to the remaining firewall in the HA pair. Your design must allow the remaining firewall to process the maximum capacity of your traffic loads with content inspection enabled. If the design oversubscribes the capacity of the remaining firewall, high latency and/or application failure can occur.
For information on setting up your firewalls in active/passive mode, see Set Up Active/Passive HA. For information on setting up your firewalls in active/active mode, see Set Up Active/Active HA.
HA Links and Backup Links
The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports (Control link (HA1) and Data link (HA2)), while others require you to use the in-band ports as HA links.
On firewalls with dedicated HA ports such as the PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (see HA Ports on the PA-7000 Series Firewall), use the dedicated HA ports to manage communication and synchronization between the firewalls. For firewalls without dedicated HA ports such as the PA-200, PA-500, and PA-2000 Series firewalls, as a best practice use the management port for the HA1 link to allow for a direct connection between the management planes on the firewalls, and an in-band port for the HA2 link.
The HA1 and HA2 links provide synchronization for functions that reside on the management plane. Using the dedicated HA interfaces on the management plane is more efficient than using the in-band ports as this eliminates the need to pass the synchronization packets over the dataplane.
HA Links and Backup Links: Description
Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, and User-ID information. The firewalls also use this link to synchronize configuration changes with its peer. The HA1 link is a Layer 3 link and requires an IP address.
Ports used for HA1: TCP port 28769 and 28260 for clear text communication; port 28 for encrypted communication (SSH over TCP).
Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active or active-primary firewall to the passive or active-secondary firewall. The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
Ports used for HA2: The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
Backup Links: Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. Consider the following guidelines when configuring backup HA links:
The IP addresses of the primary and backup HA links must not overlap each other.
HA backup links must be on a different subnet from the primary HA links.
HA1 backup and HA2 backup ports must be configured on separate physical ports. The HA1 backup link uses port 28770 and 28260.
Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links.
Packet-Forwarding Link: In addition to HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing or encryption. PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one. On PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls, you can configure aggregate interfaces as an HA3 link. The aggregate interfaces can also provide redundancy for the HA3 link; you cannot configure backup links for the HA3 link. On PA-7000 Series firewalls, the dedicated HSCI ports support the HA3 link. The firewall adds a proprietary packet header to packets traversing the HA3 link, so the MTU over this link must be greater than the maximum packet length forwarded.
HA Ports on the PA-7000 Series Firewall
HA connectivity on the PA-7000 Series mandates the use of specific ports on the Switch Management Card (SMC) for certain functions; for other functions, you can use the ports on the Network Processing Card (NPC). PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.
The following table describes the SMC ports that are designed for HA connectivity:
Device Priority and Preemption
The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active or active-primary role. If you need to use a specific firewall in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each firewall. The firewall with the lower numerical value, and therefore higher priority, is designated as active or active-primary. The other firewall is the active-secondary or passive firewall.
By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active or active-primary after it recovers from a failure. When preemption occurs, the event is logged in the system logs.
Failover
When a failure occurs on one firewall and the peer takes over the task of securing traffic, the event is called a failover. A failover is triggered, for example, when a monitored metric on a firewall in the HA pair fails. The metrics that are monitored for detecting a firewall failure are:
Heartbeat Polling and Hello messages
The firewalls use hello messages and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. For details on the HA timers that trigger a failover, see HA Timers.
Link Monitoring
The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is monitored. A link group can contain one or more physical interfaces. A firewall failure is triggered when any or all of the interfaces in the group fail. The default behavior is that failure of any one link in the link group will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
Path Monitoring
Monitors the full path through the network to mission-critical IP addresses. ICMP pings are used to verify reachability of the IP address. The default interval for pings is 200 ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail, and a firewall failure is triggered when any or all of the IP addresses monitored become unreachable. The default behavior is that any one of the IP addresses becoming unreachable will cause the firewall to change the HA state to non-functional (or to tentative state in active/active mode) to indicate a failure of a monitored object.
In addition to the failover triggers listed above, a failover also occurs when the administrator suspends the firewall or when preemption occurs.
On the PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls, a failover can occur when an internal health check fails. This health check is not configurable and is enabled to monitor the critical components, such as the FPGA and CPUs. Additionally, general health checks occur on any platform causing failover.
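The link and path monitoring behaviour above, as an added Python model that is not part of the guide or of PAN-OS: it replays per-address ping results against the default 200 ms interval and 10-consecutive-failure threshold, applies the any/all group condition, and reports the resulting HA state. The assumption that ping n's result is known n x 200 ms after monitoring starts, and all function names, are mine.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Defaults the guide states for path monitoring.
PING_INTERVAL_MS = 200       # ICMP ping interval
PING_FAIL_THRESHOLD = 10     # consecutive failed pings before an address is "unreachable"


@dataclass
class PathMonitor:
    """Reachability state of one monitored IP address, updated one ping result at a time."""
    address: str
    consecutive_failures: int = 0
    reachable: bool = True

    def record(self, success: bool) -> bool:
        """Apply one ping result and return whether the address is still reachable."""
        if success:
            self.consecutive_failures = 0     # any reply resets the streak
            self.reachable = True
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= PING_FAIL_THRESHOLD:
                self.reachable = False
        return self.reachable


def group_failed(states: Dict[str, bool], condition: str = "any") -> bool:
    """Evaluate a link group or path group. 'states' maps an interface name or IP
    address to up/reachable. With 'any' (the default) one failed member fails the
    group; with 'all' every member must have failed."""
    if not states:
        return False
    failed = [not ok for ok in states.values()]
    if condition == "any":
        return any(failed)
    if condition == "all":
        return all(failed)
    raise ValueError(f"unknown failure condition: {condition}")


def ha_state_after(monitor_failed: bool, mode: str) -> str:
    """HA state the firewall moves to when a monitored object fails: non-functional in
    active/passive mode, tentative in active/active mode."""
    if not monitor_failed:
        return "functional"
    return "tentative" if mode == "active/active" else "non-functional"


def detect_path_failure_ms(ping_results: Dict[str, List[bool]], condition: str = "any",
                           interval_ms: int = PING_INTERVAL_MS) -> Optional[int]:
    """Replay per-address ping results (one entry per ping interval, equal-length lists)
    and return the elapsed milliseconds at which the path group is declared failed, or
    None if it never is. Assumption: ping n's result is known n * interval_ms after
    monitoring starts."""
    if not ping_results:
        return None
    monitors = {addr: PathMonitor(addr) for addr in ping_results}
    rounds = len(next(iter(ping_results.values())))
    for n in range(rounds):
        states = {addr: monitors[addr].record(ping_results[addr][n]) for addr in ping_results}
        if group_failed(states, condition):
            return (n + 1) * interval_ms
    return None


if __name__ == "__main__":
    # Constructed sample: the upstream gateway stops answering, a second target stays up.
    sample = {"198.51.100.1": [False] * 12, "203.0.113.1": [True] * 12}
    for cond in ("any", "all"):
        when = detect_path_failure_ms(sample, cond)
        print(f"condition={cond}: failure declared at {when} ms, "
              f"state -> {ha_state_after(when is not None, 'active/passive')}")
```

With the default "any" condition the group fails 10 x 200 ms = 2000 ms after the first lost ping; with "all" the still-reachable second target keeps the firewall functional.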
LACP and LLDP Pre-Negotiation for Active/Passive HA
If a firewall uses LACP or LLDP, negotiation of those protocols upon failover prevents sub-second failover. However, you can enable an interface on a passive firewall to negotiate LACP and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA state can communicate with neighboring devices using LACP or LLDP. Such pre-negotiation speeds up failover.
The PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls support a pre-negotiation configuration depending on whether the Ethernet or AE interface is in a Layer 2, Layer 3, or virtual wire deployment. An HA passive firewall handles LACP and LLDP packets in one of two ways:
Active: The firewall has LACP or LLDP configured on the interface and actively participates in LACP or LLDP pre-negotiation, respectively.
Passive: LACP or LLDP is not configured on the interface and the firewall does not participate in the protocol, but allows the peers on either side of the firewall to pre-negotiate LACP or LLDP, respectively.
Pre-negotiation is not supported on subinterfaces or tunnel interfaces.
To configure LACP or LLDP pre-negotiation, see Step 14 of Configure Active/Passive HA.
Floating IP Address and Virtual MAC Address
In a Layer 3 deployment of HA active/active mode, you can assign floating IP addresses, which move from one HA firewall to the other if a link or firewall fails. The interface on the firewall that owns the floating IP address responds to ARP requests with a virtual MAC address.
Floating IP addresses are recommended when you need functionality such as Virtual Router Redundancy Protocol (VRRP). Floating IP addresses can also be used to implement VPNs and source NAT, allowing for persistent connections when a firewall offering those services fails.
As shown in the figure below, each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as their default gateway, allowing you to load balance traffic to the two HA peers. You can also use external load balancers to load balance traffic.
If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure below, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.
After the failed firewall recovers, by default the floating IP address and virtual MAC address move back to the firewall with the Device ID [0 or 1] to which the floating IP address is bound. More specifically, after the failed firewall recovers, it comes online. The currently active firewall determines that the firewall is back online and checks whether the floating IP address it is handling belongs natively to itself or the other firewall. If the floating IP address was originally bound to the other Device ID, the firewall automatically gives it back. (For an alternative to this default behavior, see Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.)
Each firewall in the HA pair creates a virtual MAC address for each of its interfaces that has a floating IP address or ARP Load-Sharing IP address.
The format of the virtual MAC address (on firewalls other than PA-7000 Series firewalls) is 00-1B-17-00-xx-yy, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), 00 is fixed, xx indicates the Device ID and Group ID as shown in the following figure, and yy is the Interface ID:
The format of the virtual MAC address on PA-7000 Series firewalls is 00-1B-17-xx-xx-xx, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), and the next 24 bits indicate the Device ID, Group ID and Interface ID as follows:
When a new active firewall takes over, it sends gratuitous ARPs from each of its connected interfaces to inform the connected Layer 2 switches of the new location of the virtual MAC address. To configure floating IP addresses, see Use Case: Configure Active/Active HA with Floating IP Addresses.
ARP Load-Sharing
In a Layer 3 interface deployment and active/active HA configuration, ARP load-sharing allows the firewalls to share an IP address and provide gateway services. Use ARP load-sharing only when no Layer 3 device exists between the firewall and end hosts, that is, when end hosts use the firewall as their default gateway.
In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm that controls which firewall will respond to the ARP request is configurable; it is determined by computing the hash or modulo of the source IP address of the ARP request.
After the end host receives the ARP response from the gateway, it caches the MAC address and all traffic from the host is routed via the firewall that responded with the virtual MAC address for the lifetime of the ARP cache. The lifetime of the ARP cache depends on the end host operating system.
If a link or firewall fails, the floating IP address and virtual MAC address move over to the functional firewall. The functional firewall sends gratuitous ARPs to update the MAC table of the connected switches to redirect traffic from the failed firewall to itself. See Use Case: Configure Active/Active HA with ARP Load-Sharing.
You can configure interfaces on the WAN side of the HA firewalls with floating IP addresses, and configure interfaces on the LAN side of the HA firewalls with a shared IP address for ARP load-sharing. For example, the figure below illustrates floating IP addresses for the upstream WAN edge routers and an ARP load-sharing address for the hosts on the LAN segment.
Route-Based Redundancy
In a Layer 3 interface deployment and active/active HA configuration, the firewalls are connected to routers, not switches. The firewalls use dynamic routing protocols to determine the best path (asymmetric route) and to load-share between the HA pair. In such a scenario, no floating IP addresses are necessary. If a link, monitored path, or firewall fails, or if Bidirectional Forwarding Detection (BFD) detects a link failure, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic to the functioning firewall. You configure each firewall interface with a unique IP address. The IP addresses remain local to the firewall where they are configured; they do not move between devices when a firewall fails. See Use Case: Configure Active/Active HA with Route-Based Redundancy.
HA Timers
High availability (HA) timers enable a firewall to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.
Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.
The following table describes each timer included in the profiles and the current preset values across the different hardware models; these values are for current reference only and can change in a subsequent release.
[HA timer table not recovered in this extraction; only its column headings for the PA-3000 Series and VM-Series survive.]
SessionOwner
InanHAactive/activeconfiguration,bothfirewallsareactivesimultaneously,whichmeanspacketscanbe
distributedbetweenthem.Suchdistributionrequiresthefirewallstofulfilltwofunctions:sessionownership
andsessionsetup.Typically,eachfirewallofthepairperformsoneofthesefunctions,therebyavoidingrace
conditionsthatcanoccurinasymmetricallyroutedenvironments.
YouconfigurethesessionownerofsessionstobeeitherthefirewallthatreceivestheFirstPacketofanew
sessionfromtheendhostorthefirewallthatisinactiveprimarystate(thePrimarydevice).IfPrimarydevice
isconfigured,butthefirewallthatreceivesthefirstpacketisnotinactiveprimarystate,thefirewall
forwardsthepackettothepeerfirewall(thesessionowner)overtheHA3link.
ThesessionownerperformsallLayer7processing,suchasAppID,ContentID,andthreatscanningforthe
session.Thesessionowneralsogeneratesalltrafficlogsforthesession.
Ifthesessionownerfails,thepeerfirewallbecomesthesessionowner.Theexistingsessionsfailovertothe
functioningfirewallandnoLayer7processingisavailableforthosesessions.Whenafirewallrecoversfrom
afailure,bydefault,allsessionsitownedbeforethefailurerevertbacktothatoriginalfirewall;Layer7
processingdoesnotresume.
IfyouconfiguresessionownershiptobePrimarydevice,thesessionsetupdefaultstoPrimarydevicealso.
PaloAltoNetworksrecommendssettingtheSessionOwnertoFirstPacketandtheSessionSetuptoIPModulo
unlessotherwiseindicatedinaspecificusecase.
SettingSessionOwnerandSessionSetuptoPrimaryDevicecausestheactiveprimaryfirewalltoperformall
trafficprocessing.Youmightwanttoconfigurethisforoneofthesereasons:
Youaretroubleshootingandcapturinglogsandpcaps,sothatpacketprocessingisnotsplitbetweenthe
firewalls.
Youwanttoforcetheactive/activeHApairtofunctionlikeanactive/passiveHApair.SeeUseCase:
ConfigureActive/ActiveHAwithFloatingIPAddressBoundtoActivePrimaryFirewall.
Session Setup
The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up a new session. The session setup firewall also performs NAT using the NAT pool of the session owner. You determine the session setup firewall in an active/active configuration by selecting one of the following session setup load-sharing options.

Session Setup Option   Description
IP Modulo              The firewall distributes the session setup load based on parity of the source IP address. This is a deterministic method of sharing the session setup.
IP Hash                The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities.

If you want to load-share the session owner and session setup responsibilities, set session owner to First Packet and session setup to IP Modulo. These are the recommended settings.
If you want to do troubleshooting or capture logs or pcaps, or if you want an active/active HA pair to function like an active/passive HA pair, set both the session owner and session setup to Primary Device so that the active-primary device performs all traffic processing. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.
The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The following figure and text describe the path of a packet that firewall FW1 receives for a new session. The red dotted lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding the packet back to FW1 over the HA3 link.
1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
3. FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
4. FW1 uses the HA3 link to send the first packet to FW2.
5. FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
6. FW1 then forwards the packet out the egress interface to the destination.
The following figure and text describe the path of a packet that matches an existing session:
1. The end host sends a packet to FW1.
2. FW1 examines the contents of the packet to match it to an existing session. If the session matches an existing session, FW1 processes the packet and sends the packet out the egress interface to the destination.
NAT in Active/Active HA Mode
In an active/active HA configuration:
- You must bind each Dynamic IP (DIP) NAT rule and Dynamic IP and Port (DIPP) NAT rule to either Device ID 0 or Device ID 1.
- You must bind each static NAT rule to either Device ID 0, Device ID 1, both Device IDs, or the firewall in active-primary state.
Thus, when one of the firewalls creates a new session, the Device ID 0 or Device ID 1 binding determines which NAT rules match the firewall. The device binding must include the session owner firewall to produce a match.
The session setup firewall performs the NAT policy match, but the NAT rules are evaluated based on the session owner. That is, the session is translated according to NAT rules that are bound to the session owner firewall. While performing NAT policy matching, a firewall skips all NAT rules that are not bound to the session owner firewall.
For example, suppose the firewall with Device ID 1 is the session owner and session setup firewall. When the firewall with Device ID 1 tries to match a session to a NAT rule, it skips all rules bound to Device ID 0. The firewall performs the NAT translation only if the session owner and the Device ID in the NAT rule match.
You will typically create device-specific NAT rules when the peer firewalls use different IP addresses for translation.
If one of the peer firewalls fails, the active firewall continues to process traffic for synchronized sessions from the failed firewall, including NAT traffic. In a source NAT configuration, when one firewall fails:
- The floating IP address that is used as the Translated IP address of the NAT rule transfers to the surviving firewall. Hence, the existing sessions that fail over will still use this IP address.
- All new sessions will use the device-specific NAT rules that the surviving firewall naturally owns. That is, the surviving firewall translates new sessions using only the NAT rules that match its Device ID; it ignores any NAT rules bound to the failed Device ID.
If you want the firewalls to perform dynamic NAT using the same IP address simultaneously, a best practice is to create a duplicate NAT rule that is bound to the peer firewall also. The result is two NAT rules with the same translation IP addresses, one bound to Device ID 0 and one bound to Device ID 1. Thus, the configuration allows the current firewall to perform new session setup and perform NAT policy matching for NAT rules that are bound to its Device ID. Without the duplicate NAT rule, the firewall will not find its own device-specific rules and will skip all NAT rules that are not bound to its Device ID when it attempts to match a NAT policy.
For examples of active/active HA with NAT, see:
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
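The session-owner, session-setup and NAT-binding behaviour described in the Session Setup and NAT in Active/Active HA Mode sections above, modelled as an added Python illustration (not Palo Alto Networks code). Assumed for the example: exactly two peers (Device ID 0 and 1), odd source addresses mapping to Device ID 1 under IP Modulo, and sha256 standing in for the undocumented IP Hash function.

```python
"""Model of the active/active HA rules described above: session owner selection,
session setup load sharing (IP Modulo / IP Hash) and Device ID-bound NAT rule
matching. Added illustration, not Palo Alto Networks code. Assumptions: exactly
two peers (Device ID 0 and 1), odd source addresses map to Device ID 1 under IP
Modulo, and sha256 stands in for the undocumented IP Hash function."""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Option names as they appear in the Active/Active Config settings.
FIRST_PACKET = "First Packet"
PRIMARY_DEVICE = "Primary Device"
IP_MODULO = "IP Modulo"
IP_HASH = "IP Hash"
ACTIVE_PRIMARY = "active-primary"  # NAT rule bound to whichever peer is active-primary


@dataclass
class NatRule:
    name: str
    translated_ip: str
    bound_to: object  # frozenset of Device IDs ({0}, {1} or {0, 1}) or ACTIVE_PRIMARY


@dataclass
class HaPair:
    active_primary: int                 # Device ID currently in active-primary state
    session_owner: str = FIRST_PACKET
    session_setup: str = IP_MODULO
    nat_rules: list = field(default_factory=list)
    alive: set = field(default_factory=lambda: {0, 1})

    def surviving(self, device_id: int) -> int:
        """A failed peer's responsibilities fall to the functioning peer."""
        return device_id if device_id in self.alive else next(iter(self.alive))

    def select_owner(self, receiving_device: int) -> int:
        if self.session_owner == PRIMARY_DEVICE:
            return self.surviving(self.active_primary)
        return self.surviving(receiving_device)  # First Packet: the receiver owns the session

    def select_setup(self, src_ip: str, dst_ip: str) -> int:
        # With Session Owner = Primary Device, session setup defaults to Primary Device too.
        if self.session_owner == PRIMARY_DEVICE:
            return self.surviving(self.active_primary)
        if self.session_setup == IP_MODULO:
            chosen = int(ipaddress.ip_address(src_ip)) % 2  # parity of the source IP
        else:
            digest = hashlib.sha256(f"{src_ip}|{dst_ip}".encode()).digest()
            chosen = digest[-1] % 2  # hash of source and destination IP (assumed function)
        return self.surviving(chosen)

    def rule_bound_to(self, rule: NatRule, owner: int) -> bool:
        if rule.bound_to == ACTIVE_PRIMARY:
            return owner == self.active_primary
        return owner in rule.bound_to

    def match_nat(self, owner: int) -> Optional[NatRule]:
        """The session setup firewall evaluates NAT policy against the session owner:
        every rule not bound to the owner's Device ID is skipped."""
        for rule in self.nat_rules:
            if self.rule_bound_to(rule, owner):
                return rule
        return None

    def new_session(self, receiving_device: int, src_ip: str, dst_ip: str) -> dict:
        owner = self.select_owner(receiving_device)
        setup = self.select_setup(src_ip, dst_ip)
        rule = self.match_nat(owner)
        return {
            "owner": owner,
            "setup": setup,
            # The HA3 link carries the packet whenever receiver, owner and setup peer differ.
            "uses_ha3": len({receiving_device, owner, setup}) > 1,
            "nat_rule": rule.name if rule else None,
        }


if __name__ == "__main__":
    # Constructed scenario: one source NAT rule per Device ID, as in the DIPP NAT use case.
    pair = HaPair(active_primary=0, nat_rules=[
        NatRule("snat-dev0", "10.1.1.100", frozenset({0})),
        NatRule("snat-dev1", "10.1.1.101", frozenset({1})),
    ])
    print(pair.new_session(1, "192.168.2.10", "10.1.1.200"))  # owner 1, setup 0, HA3 in use
    pair.alive = {1}  # Device ID 0 fails: new sessions use only the rules bound to Device ID 1
    print(pair.new_session(1, "192.168.2.10", "10.1.1.200"))
```

Run it to see that a session received on Device ID 1 with an even source address is owned by 1, set up by 0 (IP Modulo), and matched only against the rule bound to Device ID 1.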
ECMP in Active/Active HA Mode
When an active/active HA peer fails, its sessions transfer to the new active-primary firewall, which tries to use the same egress interface that the failed firewall was using. If the firewall finds that interface among the ECMP paths, the transferred sessions will take the same egress interface and path. This behavior occurs regardless of the ECMP algorithm in use; using the same interface is desirable.
Only if no ECMP path matches the original egress interface will the active-primary firewall select a new ECMP path.
If you did not configure the same interfaces on the active/active peers, upon failover the active-primary firewall selects the next best path from the FIB table. Consequently, the existing sessions might not be distributed according to the ECMP algorithm.
Set Up Active/Passive HA
- Prerequisites for Active/Passive HA
- Configuration Guidelines for Active/Passive HA
- Configure Active/Passive HA
- Define HA Failover Conditions
- Verify Failover

Prerequisites for Active/Passive HA
To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:
- The same model: Both the firewalls in the pair must be of the same hardware model or virtual machine model.
- The same PAN-OS version: Both the firewalls should be running the same PAN-OS version and must each be up to date on the application, URL, and threat databases.
- The same multi-virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
  - For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.
As a best practice, if you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, Reset the Firewall to Factory Default Settings on the new firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean configuration.
Configuration Guidelines for Active/Passive HA
To set up an active (PeerA) passive (PeerB) pair in HA, you must configure some options identically on both firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized between the firewalls. For details on what is/is not synchronized, see Reference: HA Synchronization.
The following table lists the settings that you must configure identically on both firewalls:
Identical Configuration Settings
- HA must be enabled on both firewalls.
- Both firewalls must have the same Group ID value. The Group ID value is used to create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses. When a new active firewall takes over, Gratuitous ARP messages are sent from each of the connected interfaces of the new active member to inform the connected Layer 2 switches of the virtual MAC address's new location.
- If using in-band ports, the interfaces for the HA1 and HA2 links must be set to type HA.
- The HA Mode must be set to Active Passive.
- If required, preemption must be enabled on both firewalls. The device priority value, however, must not be identical.
- If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
- Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether you should enable heartbeat backup:
  HA1 Port             HA1 Backup Port    Recommendation
  Dedicated HA1 port   In-band port       Enable Heartbeat Backup
  Dedicated HA1 port   Management port    Do not enable Heartbeat Backup
  In-band port         In-band port       Enable Heartbeat Backup
  Management port      In-band port       Do not enable Heartbeat Backup
  HA functionality (HA1 and HA1 backup) is not supported on the management interface if it's configured for DHCP addressing (IP Type set to DHCP Client), except for AWS.
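The prerequisites and identical-settings guidelines above, including the Heartbeat Backup table, as an added pre-deployment check written in Python for this page (not Palo Alto Networks code). The configuration dictionary layout and the sample pair are constructed for the illustration.

```python
"""Pre-deployment check of two firewall configurations against the active/passive HA
prerequisites and identical-settings guidelines above. Added illustration, not Palo
Alto Networks code; the configuration dictionary layout is an assumption."""
import ipaddress

# Heartbeat Backup recommendation by (HA1 port, HA1 Backup port), from the table above.
HEARTBEAT_BACKUP = {
    ("dedicated", "in-band"): True,
    ("dedicated", "management"): False,
    ("in-band", "in-band"): True,
    ("management", "in-band"): False,
}


def _same(a, b, key, label, findings):
    if a.get(key) != b.get(key):
        findings.append(f"{label} differs: {a.get(key)!r} vs {b.get(key)!r}")


def check_ha_pair(peer_a, peer_b, directly_connected=True):
    """Return a list of findings; an empty list means the pair passes every check."""
    findings = []
    peers = ((peer_a, "Peer A"), (peer_b, "Peer B"))
    # Prerequisites: model, PAN-OS version, multi-vsys capability and licenses must match.
    _same(peer_a, peer_b, "model", "Model", findings)
    _same(peer_a, peer_b, "panos_version", "PAN-OS version", findings)
    _same(peer_a, peer_b, "multi_vsys", "Multi Virtual System Capability", findings)
    if set(peer_a["licenses"]) != set(peer_b["licenses"]):
        findings.append("License sets differ; config sync and seamless failover need identical licenses")
    # Settings that must be identical on both peers.
    ha_a, ha_b = peer_a["ha"], peer_b["ha"]
    for fw, name in peers:
        ha = fw["ha"]
        if not ha["enabled"]:
            findings.append(f"{name}: HA is not enabled")
        if ha["mode"] != "active-passive":
            findings.append(f"{name}: HA Mode must be Active Passive")
        if ha["ha1_port"] == "management" and fw.get("mgmt_ip_type") == "dhcp" and not fw.get("aws"):
            findings.append(f"{name}: HA1 on a DHCP-addressed management interface is not supported")
        # Heartbeat Backup recommendation for the HA1 / HA1 Backup port combination in use.
        combo = (ha["ha1_port"], ha.get("ha1_backup_port"))
        rec = HEARTBEAT_BACKUP.get(combo)
        if rec is not None and ha["heartbeat_backup"] != rec:
            verb = "enable" if rec else "do not enable"
            findings.append(f"{name}: with HA1 on {combo[0]} and HA1 Backup on {combo[1]}, {verb} Heartbeat Backup")
        # HA2 over Layer 3 needs its own subnet, not overlapping HA1 or any data-port subnet.
        if ha.get("ha2_ip"):
            ha2_net = ipaddress.ip_interface(ha["ha2_ip"]).network
            used = [ipaddress.ip_interface(ip).network for ip in [ha["ha1_ip"]] + fw.get("data_ips", [])]
            if any(ha2_net.overlaps(n) for n in used):
                findings.append(f"{name}: HA2 subnet overlaps the HA1 subnet or a data-port subnet")
    if ha_a["group_id"] != ha_b["group_id"]:
        findings.append("Group ID differs; it must match because it derives the virtual MAC address")
    if ha_a["preemptive"] != ha_b["preemptive"]:
        findings.append("Preemption must be enabled on both peers or on neither")
    elif ha_a["preemptive"] and ha_a["device_priority"] == ha_b["device_priority"]:
        findings.append("Device priority must not be identical when preemption is enabled")
    if ha_a["ha1_encryption"] != ha_b["ha1_encryption"]:
        findings.append("HA1 encryption must be configured on both peers")
    # HA1 addresses share a subnet when the peers are directly connected or on the same switch.
    if directly_connected:
        if ipaddress.ip_interface(ha_a["ha1_ip"]).network != ipaddress.ip_interface(ha_b["ha1_ip"]).network:
            findings.append("HA1 addresses are on different subnets")
    return findings


def sample_pair():
    """Constructed example: a compliant PA-3050 pair, dedicated HA1 ports, in-band HA1 backup."""
    def peer(ha1_ip, ha2_ip, priority):
        return {
            "model": "PA-3050", "panos_version": "7.1.0", "multi_vsys": False,
            "licenses": ["Threat Prevention", "URL Filtering"],
            "data_ips": ["10.1.1.100/24"],
            "ha": {
                "enabled": True, "mode": "active-passive", "group_id": 7,
                "preemptive": True, "device_priority": priority, "ha1_encryption": True,
                "ha1_port": "dedicated", "ha1_backup_port": "in-band", "heartbeat_backup": True,
                "ha1_ip": ha1_ip, "ha2_ip": ha2_ip,
            },
        }
    return peer("10.255.255.1/30", "10.255.254.1/30", 100), peer("10.255.255.2/30", "10.255.254.2/30", 200)


if __name__ == "__main__":
    a, b = sample_pair()
    print(check_ha_pair(a, b) or "pair passes all checks")
```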
The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings that are not automatically synchronized between peers.
For firewalls without dedicated HA ports, use the management port IP address for the control link.
Configure Active/Passive HA
The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology.
Connect and Configure the Firewalls
Pick a firewall in the pair and complete the following steps:
On the passive firewall: the state of the local firewall should display passive and the Running Config should show as synchronized. On the active firewall: the state of the local firewall should display active and the Running Config should show as synchronized.
Define HA Failover Conditions
Configure the Failover Triggers
Step 1: To configure link monitoring, define the interfaces you want to monitor. A change in the link state of these interfaces will trigger a failover.
1. Select Device > High Availability > Link and Path Monitoring and Add a Link Group.
2. Name the Link Group, Add the interfaces to monitor, and select the Failure Condition for the group. The Link Group you define is added to the Link Group section.
If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is unique to each firewall; the Engine ID is not synchronized between the HA pair and, therefore, allows you to independently monitor each firewall in the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager. Because the Engine ID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique Engine ID for each firewall.
Verify Failover
To test that your HA configuration works properly, trigger a manual failover and verify that the firewalls transition states successfully.
Verify Failover
Step 1: Suspend the active firewall. Select Device > High Availability > Operational Commands and click the Suspend local device link.
Set Up Active/Active HA
- Prerequisites for Active/Active HA
- Configure Active/Active HA

Prerequisites for Active/Active HA
To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following requirements:
- The same model: The firewalls in the pair must be of the same hardware model.
- The same PAN-OS version: The firewalls should be running the same PAN-OS version and must each be up to date on the application, URL, and threat databases.
- The same multi-virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - The HA interfaces must be configured with static IP addresses only, not IP addresses obtained from DHCP (except AWS can use DHCP addresses). Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for the peers must be on the same subnet if they are directly connected or are connected to the same switch.
  - For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
  - Each firewall needs a dedicated interface for the HA3 link. PA-7000 Series firewalls use the HSCI port. On the remaining platforms, you can configure aggregate interfaces as the HA3 link for redundancy.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.
If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the new firewall. This will ensure that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean config. You will also have to configure local IP addresses.
Configure Active/Active HA
Determine which type of use case you have and then select the corresponding procedure to configure active/active HA. If you are using Route-Based Redundancy, Floating IP Address and Virtual MAC Address, or ARP Load Sharing, select the corresponding procedure:
- Use Case: Configure Active/Active HA with Route-Based Redundancy
- Use Case: Configure Active/Active HA with Floating IP Addresses
- Use Case: Configure Active/Active HA with ARP Load Sharing
If you want a Layer 3 active/active HA deployment that behaves like an active/passive deployment, select the following procedure:
- Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
If you are configuring NAT in Active/Active HA Mode, see the following procedures:
- Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
- Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
- Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
Configure Active/Active HA
Pick a firewall in the pair and complete the following steps:
Step 22: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Route-Based Redundancy
The following Layer 3 topology illustrates two PA-7050 firewalls in an active/active HA environment that use Route-Based Redundancy. The firewalls belong to an OSPF area. When a link or firewall fails, OSPF handles the redundancy by redirecting traffic to the functioning firewall.
Configure Active/Active HA with Route-Based Redundancy
Step 5: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Floating IP Addresses
In this Layer 3 interface example, the HA firewalls connect to switches and use floating IP addresses to handle link or firewall failures. The end hosts are each configured with a gateway, which is the floating IP address of one of the HA firewalls. See Floating IP Address and Virtual MAC Address.
Configure Active/Active HA with Floating IP Addresses
Step 7: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with ARP Load Sharing
In this example, hosts in a Layer 3 deployment need gateway services from the HA firewalls. The firewalls are configured with a single shared IP address, which allows ARP Load Sharing. The end hosts are configured with the same gateway, which is the shared IP address of the HA firewalls.
Configure Active/Active HA with ARP Load Sharing
Step 2: Configure an HA virtual address. The virtual address is the shared IP address that allows ARP Load Sharing.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Enter or select an Interface.
3. Select the IPv4 or IPv6 tab and click Add.
4. Enter an IPv4 Address or IPv6 Address.
5. For Type, select ARP Load Sharing, which allows both peers to use the virtual IP address for ARP Load Sharing.
Step 7: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
In mission-critical data centers, you may want both Layer 3 HA firewalls to participate in path monitoring so that they can detect path failures upstream from both firewalls. Additionally, you prefer to control if and when the floating IP address returns to the recovered firewall after it comes back up, rather than the floating IP address returning to the device ID to which it is bound. (That default behavior is described in Floating IP Address and Virtual MAC Address.)
In this use case, you control when the floating IP address and therefore the active-primary role move back to a recovered HA peer. The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.
In this use case, Cisco Nexus 7010 switches with virtual PortChannels (vPCs) operating in Layer 3 connect to the firewalls. You must configure the Layer 3 switches (router peers) north and south of the firewalls with a route preference to the floating IP address. That is, you must design your network so the route tables of the router peers have the best path to the floating IP address. This example uses static routes with the proper metrics so that the route to the floating IP address uses a lower metric (the route to the floating IP address is preferred) and receives the traffic. An alternative to using static routes would be to design the network to redistribute the floating IP address into the OSPF routing protocol (if you are using OSPF).
The following topology illustrates the floating IP address bound to the active-primary firewall, which is initially Peer A, the firewall on the left.
Upon a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B (shown in the following figure). Peer B remains the active-primary firewall and traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary firewall. You decide if and when to make Peer A the active-primary firewall again.
Binding the floating IP address to the active-primary firewall provides you with more control over how the firewalls determine floating IP address ownership as they move between various HA Firewall States. The following advantages result:
- You can have an active/active HA configuration for path monitoring out of both firewalls, but have the firewalls function like an active/passive HA configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
- When you disable preemption on both firewalls, you have the following additional benefits:
  - The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
  - You can review the functionality of the recovered firewall and the adjacent components before manually directing traffic to it again, which you can do at a convenient downtime.
  - You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.
We strongly recommend you configure HA link monitoring on the interface(s) that support the floating IP address(es) to allow each HA peer to quickly detect a link failure and fail over to its peer. Both HA peers must have link monitoring for it to function.
We strongly recommend you configure HA path monitoring to notify each HA peer when a path has failed so a firewall can fail over to its peer. Because the floating IP address is always bound to the active-primary firewall, the firewall cannot automatically fail over to the peer when a path goes down and path monitoring is not enabled.
You cannot configure NAT for a floating IP address that is bound to an active-primary firewall.
Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
Step 5: Configure an HA virtual address.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Enter or select an Interface.
3. Select the IPv4 or IPv6 tab and Add an IPv4 Address or IPv6 Address.
4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
5. Click OK.
Step 9: Configure the peer firewall in the same way, except in Step 5, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
This Layer 3 interface example uses source NAT in Active/Active HA Mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.
PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.
Configure Active/Active HA with Source DIPP NAT Using Floating IP Address
On PA-3050-2 (Device ID 1), complete the following steps:
Step 5: Configure an HA virtual address.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Select Interface eth1/1.
3. Select IPv4 and Add an IPv4 Address of 10.1.1.101.
4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
Step 10: Configure the peer firewall, PA-3050-1, with the same settings, except for the following changes:
- Select Device ID 0.
- Configure an HA virtual address of 10.1.1.100.
- For Device 1 Priority, enter 255. For Device 0 Priority, enter 0. In this example, Device ID 0 has a lower priority value and therefore a higher priority; the firewall with Device ID 0 (PA-3050-1) therefore owns the floating IP address 10.1.1.100.
Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
If you want to use IP address pools for source NAT in Active/Active HA Mode, each firewall must have its own pool, which you then bind to a Device ID in a NAT rule.
Address objects and NAT rules are synchronized (in both active/passive and active/active mode), so they need to be configured on only one of the firewalls in the HA pair.
This example configures an address object named DynIPPool-dev0 containing the IP address pool 10.1.1.140-10.1.1.150. It also configures an address object named DynIPPool-dev1 containing the IP address pool 10.1.1.160-10.1.1.170. The first address object is bound to Device ID 0; the second address object is bound to Device ID 1.
Create Address Objects for IP Address Pools for Source NAT in an Active/Active HA Configuration
Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT
This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load Sharing with destination NAT. Both HA firewalls respond to an ARP request for the destination NAT address with the ingress interface MAC address. Destination NAT translates the public, shared IP address (in this example, 10.1.1.200) to the private IP address of the server (in this example, 192.168.2.200).
When the HA firewalls receive traffic for the destination 10.1.1.200, both firewalls could possibly respond to the ARP request, which could cause network instability. To avoid the potential issue, configure the firewall that is in active-primary state to respond to the ARP request by binding the destination NAT rule to the active-primary firewall.
Configure Active/Active HA for ARP Load Sharing with Destination NAT
On PA-3050-2 (Device ID 1), complete the following steps:
Step 4: Configure an HA virtual address.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Select Interface eth1/1.
3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
4. For Type, select ARP Load Sharing, which configures the virtual IP address for both peers to use for ARP Load Sharing.
Step 9: Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.
Use Case: Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load Sharing. PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1.
In this use case, both of the HA firewalls must respond to an ARP request for the destination NAT address. Traffic can arrive at either firewall from either WAN router in the untrust zone. Destination NAT translates the public-facing, shared IP address to the private IP address of the server. The configuration requires one destination NAT rule bound to both Device IDs so that both firewalls can respond to ARP requests.
Configure Active/Active HA for ARP Load Sharing with Destination NAT in Layer 3
On PA-3050-2 (Device ID 1), complete the following steps:
Step 2: Enable active/active HA.
1. Select Device > High Availability > General > Setup and edit.
2. Select Enable HA.
3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
4. (Optional) Enter a Description.
5. For Mode, select Active Active.
6. Select Device ID to be 1.
7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
10. Click OK.
Step 4: Configure an HA virtual address.
1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
2. Select Interface eth1/2.
3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
4. For Type, select ARP Load Sharing, which configures the virtual IP address for both peers to use for ARP Load Sharing.
Step 9: Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.
HA Firewall States
An HA firewall can be in one of the following states:
Reference: HA Synchronization
If you have enabled configuration synchronization on both peers in an HA pair, most of the configuration settings you configure on one peer will automatically sync to the other peer upon commit. To avoid configuration conflicts, always make configuration changes on the active (active/passive) or active-primary (active/active) peer and wait for the changes to sync to the peer before making any additional configuration changes.
Only committed configurations synchronize between HA peers. Any configuration in the commit queue at the time of an HA sync will not be synchronized.
The following topics identify which configuration settings you must configure on each firewall independently (these settings are not synchronized from the HA peer).
- What Settings Don't Sync in Active/Passive HA?
- What Settings Don't Sync in Active/Active HA?
- Synchronization of System Runtime Information
What Settings Don't Sync in Active/Passive HA?
You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another.
Configuration Item: What Doesn't Sync in Active/Passive?
Management Interface Settings
  All management configuration settings must be configured individually on each firewall, including:
  - Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude.
    The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
  - Device > Setup > Management > Management Interface Settings: IP Type, IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)
Multi-vsys Capability
  To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair.
  You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).
Administrator Authentication Settings
  You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).
Statistics Collection
  Device > Setup > Operations > Statistics Service Setup
Global Service Routes
  Device > Setup > Services > Service Route Configuration
Data Protection
  Device > Setup > Content-ID > Manage Data Protection
Jumbo Frames
  Device > Setup > Session > Session Settings > Enable Jumbo Frame
Forward Proxy Server Certificate Settings
  Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings
Master Key Secured by HSM
  Device > Setup > HSM > Hardware Security Module Provider > Master Key Secured by HSM
Software Updates
  With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Software
GlobalProtect Agent Package
  With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer.
  Device > GlobalProtect Client
Content Updates
  With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer.
  Device > Dynamic Updates
Master Key
  The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics). Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync checkbox) and then re-enable it after you change the keys.
Reports, Logs, and Dashboard Settings
  Log data, reports, and Dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.
What Settings Don't Sync in Active/Active HA?
You must configure the following settings on each firewall in an HA pair in an active/active deployment. These settings do not sync from one peer to another.
Configuration Item | What Doesn't Sync in Active/Active?
Management Interface Settings: You must configure all management settings individually on each firewall, including:
Device > Setup > Management > General Settings: Hostname, Domain, Login Banner, SSL/TLS Service Profile, Time Zone, Locale, Date, Time, Latitude, Longitude. The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.
Device > Setup > Management > Management Interface Settings: IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP).
Multi-vsys Capability: To enable multi-vsys, you must activate the Virtual Systems license (required to enable support for multiple virtual systems on PA-2000 Series and PA-3000 Series firewalls, or to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls) on each firewall in the pair. You must also enable Multi Virtual System Capability on each firewall (Device > Setup > Management > General Settings).
Administrator Authentication Settings: You must define the authentication profile and certificate profile for administrative access to the firewall locally on each firewall (Device > Setup > Management > Authentication).
Statistics Collection: Device > Setup > Operations > Statistics Service Setup
Global Service Routes: Device > Setup > Services > Service Route Configuration
Data Protection: Device > Setup > Content-ID > Manage Data Protection
Jumbo Frames: Device > Setup > Session > Session Settings > Enable Jumbo Frame
Forward Proxy Server Certificate Settings: Device > Setup > Session > Decryption Settings > SSL Forward Proxy Settings
Software Updates: With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. Device > Software
GlobalProtect Agent Package: With GlobalProtect client updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer. Device > GlobalProtect Client
Content Updates: With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer. Device > Dynamic Updates
Ethernet Interface IP Addresses: All Ethernet interface configuration settings sync except for the IP address (Network > Interface > Ethernet).
Loopback Interface IP Addresses: All Loopback interface configuration settings sync except for the IP address (Network > Interface > Loopback).
LACP System Priority: Each peer must have a unique LACP System ID in an active/active deployment (Network > Interface > Ethernet > Add Aggregate Group > System Priority).
IPSec Tunnels: IPSec tunnel configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Device > High Availability > Active/Active Config > Virtual Address). If you have configured a floating IP address, these settings sync automatically. Otherwise, you must configure these settings independently on each peer.
GlobalProtect Portal Configuration: GlobalProtect portal configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Portals). If you have configured a floating IP address, the GlobalProtect portal configuration settings sync automatically. Otherwise, you must configure the portal settings independently on each peer.
GlobalProtect Gateway Configuration: GlobalProtect gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (Network > GlobalProtect > Gateways). If you have configured a floating IP address, the GlobalProtect gateway configuration settings sync automatically. Otherwise, you must configure the gateway settings independently on each peer.
LLDP: No LLDP state or individual firewall data is synchronized in an active/active configuration (Network > Network Profiles > LLDP).
BFD: No BFD configuration or BFD session data is synchronized in an active/active configuration (Network > Network Profiles > BFD Profile).
IKE Gateways: IKE gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use floating IP addresses (Network > IKE Gateways). If you have configured a floating IP address, the IKE gateway configuration settings sync automatically. Otherwise, you must configure the IKE gateway settings independently on each peer.
Master Key: The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (Device > Master Key and Diagnostics). Before changing the master key, you must disable config sync on both peers (Device > High Availability > General > Setup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.
Reports, Logs, and Dashboard Settings: Log data, reports, and dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.
Synchronization of System Runtime Information
Management Plane | A/P | A/A
DNS Cache | No | No | N/A
FQDN Refresh | No | No | N/A
BrightCloud URL Database | No | No | N/A
Dataplane | A/P | A/A
Use the Dashboard
The Dashboard tab widgets show general firewall information, such as the software version, the operational status of each interface, resource utilization, and up to 10 of the most recent entries in the threat, configuration, and system logs. All of the available widgets are displayed by default, but each administrator can remove and add individual widgets, as needed. Click the refresh icon to update the dashboard or an individual widget. To change the automatic refresh interval, select an interval from the drop-down (1 min, 2 mins, 5 mins, or Manual). To add a widget to the dashboard, click the widget drop-down, select a category and then the widget name. To delete a widget, click the close icon in the title bar. The following table describes the dashboard widgets.
Dashboard Charts | Descriptions
Top Applications: Displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over the block to view the number), and the color indicates the security risk, from green (lowest) to red (highest). Click an application to view its application profile.
Top High Risk Applications: Similar to Top Applications, except that it displays the highest-risk applications with the most sessions.
General Information: Displays the firewall name, model, PAN-OS software version, the application, threat, and URL filtering definition versions, the current date and time, and the length of time since the last restart.
Interface Status: Indicates whether each interface is up (green), down (red), or in an unknown state (gray).
Threat Logs: Displays the threat ID, application, and date and time for the last 10 entries in the Threat log. The threat ID is a malware description or a URL that violates the URL filtering profile.
Config Logs: Displays the administrator username, client (Web or CLI), and date and time for the last 10 entries in the Configuration log.
Data Filtering Logs: Displays the description and date and time for the last 60 minutes in the Data Filtering log.
URL Filtering Logs: Displays the description and date and time for the last 60 minutes in the URL Filtering log.
System Logs: Displays the description and date and time for the last 10 entries in the System log. A "Config installed" entry indicates configuration changes were committed successfully.
System Resources: Displays the Management CPU usage, Data Plane usage, and the Session Count, which displays the number of sessions established through the firewall.
Logged In Admins: Displays the source IP address, session type (Web or CLI), and session start time for each administrator who is currently logged in.
ACC Risk Factor: Displays the average risk factor (1 to 5) for the network traffic processed over the past week. Higher values indicate higher risk.
High Availability: If high availability (HA) is enabled, indicates the HA status of the local and peer firewall: green (active), yellow (passive), or black (other). For more information about HA, see High Availability.
Locks: Shows configuration locks taken by administrators.
Use the Application Command Center
The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic patterns and actionable information on threats. The ACC layout includes a tabbed view of network activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better visualization of network traffic. The graphical representation allows you to interact with the data and visualize the relationships between events on the network, so that you can uncover anomalies or find ways to enhance your network security rules. For a personalized view of your network, you can also add a custom tab and include widgets that allow you to drill down into the information that is most important to you.
ACC First Look
ACC Tabs
ACC Widgets (Widget Descriptions)
ACC Filters
Interact with the ACC
Use Case: ACC Path of Information Discovery
ACC First Look
Take a quick tour of the ACC.
Tabs: The ACC includes three predefined tabs that provide visibility into network traffic, threat activity, and blocked activity. For information on each tab, see ACC Tabs.
Widgets: Each tab includes a default set of widgets that best represent the events/trends associated with the tab. The widgets allow you to survey the data using the following filters:
bytes (in and out)
sessions
content (files and data)
URL categories
threats (and count)
For information on each widget, see ACC Widgets.
Time: The charts or graphs in each widget provide a summary and historic view. You can choose a custom range or use the predefined time periods that range from the last 15 minutes up to the last 30 days or last 30 calendar days. The selected time period applies across all tabs in the ACC. The time period used to render data, by default, is the Last Hour, updated in 15-minute intervals. The date and time interval are displayed on screen; for example, at 11:40 the time range is 01/12 10:30:00 to 01/12 11:29:59.
Source: The data segment used for the display. The options vary on the firewall and on Panorama. On the firewall, if enabled for multiple virtual systems, you can use the Virtual System drop-down to change the ACC display to include all virtual systems or just a selected virtual system. On Panorama, you can select the Device Group drop-down to change the ACC display to include all device groups or just a selected device group. Additionally, on Panorama, you can change the Data Source to Panorama data or Remote Device Data. Remote Device Data is only available when all the managed firewalls are on PAN-OS 7.0.0 or later. When you filter the display for a specific device group, Panorama data is used as the data source.
Export: You can export the widgets displayed in the currently selected tab as a PDF. The PDF is downloaded and saved to the downloads folder associated with your web browser, on your computer.
ACC Tabs
The ACC includes the following predefined tabs for viewing network activity, threat activity, and blocked activity.
Tab | Description
You can also Interact with the ACC to create customized tabs with custom layout and widgets that meet your network monitoring needs.
ACC Widgets
The widgets on each tab are interactive; you can set the ACC Filters and drill down into the details for each table or graph, or customize the widgets included in the tab to focus on the information you need. For details on what each widget displays, see Widget Descriptions.
View: You can sort the data by bytes, sessions, threats, count, content, URLs, malicious, benign, files, data, profiles, objects. The available options vary by widget.
Graph: The graphical display options are treemap, line graph, horizontal bar graph, stacked area graph, stacked bar graph, and map. The available options vary by widget; the interaction experience also varies with each graph type. For example, the widget for Applications using Non Standard Ports allows you to choose between a treemap and a line graph. To drill down into the display, click into the graph. The area you click into becomes a filter and allows you to zoom in to the selection and view more granular information on the selection.
Table: The detailed view of the data used to render the graph is provided in a table below the graph. You can interact with the table in several ways:
Click and set a local filter for an attribute in the table. The graph is updated and the table is sorted using the local filter. The information displayed in the graph and the table are always synchronized.
Hover over the attribute in the table and use the options available in the drop-down.
Actions:
Maximize view: Allows you to enlarge the widget and view the table in a larger screen space and with more viewable information.
Set up local filters: Allows you to add ACC Filters to refine the display within the widget. Use these filters to customize the widgets; these customizations are retained between logins.
Jump to logs: Allows you to directly navigate to the logs (Monitor > Logs > Log type tab). The logs are filtered using the time period for which the graph is rendered. If you have set local and global filters, the log query concatenates the time period and the filters and only displays logs that match the combined filter set.
Export: Allows you to export the graph as a PDF. The PDF is downloaded and saved on your computer, in the Downloads folder associated with your web browser.
Widget Descriptions
Each tab on the ACC includes a different set of widgets.
Widget | Description
Network Activity: Displays an overview of traffic and user activity on your network.
Threat Activity: Displays an overview of the threats on the network.
Blocked Activity: Focuses on traffic that was prevented from coming into the network.
ACC Filters
The graphs and tables on the ACC widgets allow you to use filters to narrow the scope of data that is displayed, so that you can isolate specific attributes and analyze information you want to view in greater detail. The ACC supports the simultaneous use of widget and global filters.
Widget Filters: Apply a widget filter, which is a filter that is local to a specific widget. A widget filter allows you to interact with the graph and customize the display so that you can drill down into the details and access the information you want to monitor on a specific widget. To create a widget filter that is persistent across reboots, you must use the Set Local Filter option.
Global Filters: Apply global filters across all the tabs in the ACC. A global filter allows you to pivot the display around the details you care about right now and exclude the unrelated information from the current display. For example, to view all events relating to a specific user and application, you can apply the username and the application as a global filter and view only information pertaining to the user and the application through all the tabs and widgets on the ACC. Global filters are not persistent.
You can apply global filters in three ways:
Set a global filter from a table: Select an attribute from a table in any widget and apply the attribute as a global filter.
Add a widget filter to a global filter: Hover over the attribute and click the arrow icon to the right of the attribute. This option allows you to elevate a local filter used in a widget, and apply the attribute globally to update the display across all the tabs on the ACC.
Define a global filter: Define a filter using the Global Filters pane on the ACC.
See Interact with the ACC for details on using these filters.
Interact with the ACC
To customize and refine the ACC display, you can add and delete tabs, add and delete widgets, set local and global filters, and interact with the widgets.
Work with the Tabs and Widgets
Edit a tab: Select the tab, and click the pencil icon next to the tab name, to edit the tab. Editing a tab allows you to add or delete or reset the widgets that are displayed in the tab. You can also change the widget layout in the tab.
See what widgets are included in a tab:
1. Select the tab, and click on the pencil icon to edit it.
2. Select the Add Widget drop-down and verify the widgets that have the check boxes selected.
Add a widget or a widget group:
1. Add a new tab or edit a predefined tab.
2. Select Add Widget, and then select the check box that corresponds to the widget you want to add. You can select up to a maximum of 12 widgets.
3. (Optional) To create a 2-column layout, select Add Widget Group. You can drag and drop widgets into the 2-column display. As you drag the widget into the layout, a placeholder will display for you to drop the widget. You cannot name a widget group.
Delete a tab or a widget group/widget:
1. To delete a custom tab, select the tab and click the X icon. You cannot delete a predefined tab.
2. To delete a widget group/widget, edit the tab and in the workspace section, click the [X] icon on the right. You cannot undo a deletion.
Zoom in on the details in an area, column, or line graph (watch how the zoom-in capability works): Click and drag an area in the graph to zoom in. For example, when you zoom into a line graph, it triggers a re-query and the firewall fetches the data for the selected time period. It is not a mere magnification.
Use the table drop-down to find more information on an attribute:
1. Hover over an attribute in a table to see the drop-down.
2. Click into the drop-down to view the available options.
Global Find: Use Global Find to search the firewall or Panorama management server for references to the attribute (username/IP address, object name, policy rule name, threat ID, or application name) anywhere in the candidate configuration.
Value: Displays the details of the threat ID, or application name, or address object.
Who Is: Performs a domain name (WHOIS) lookup for the IP address. The lookup queries databases that store the registered users or assignees of an Internet resource.
Search HIP Report: Uses the username or IP address to find matches in a HIP Match report.
Set a global filter from a table:
1. Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute.
2. Click the icon to view the list of filters you can apply.
Promote a widget filter to a global filter:
1. On any table in a widget, click the link for an attribute. This sets the attribute as a widget filter.
2. To promote the filter to be a global filter, select the arrow to the right of the filter.
See what filters are in use: For global filters, the number of global filters applied is displayed on the left pane under Global Filters. For widget filters, the number of widget filters applied on a widget is displayed next to the widget name. To view the filters, click the icon.
Reset the display on a widget: If you set a widget filter or drill into a graph, click the Home link to reset the display in the widget.
Use Case: ACC Path of Information Discovery
The ACC has a wealth of information that you can use as a starting point for analyzing network traffic. Let's look at an example on using the ACC to uncover events of interest. This example illustrates how you can use the ACC to ensure that legitimate users can be held accountable for their actions, detect and track unauthorized activity, and detect and diagnose compromised hosts and vulnerable systems on your network. The widgets and filters in the ACC give you the capability to analyze the data and filter the views based on events of interest or concern. You can trace events that pique your interest, directly export a PDF of a tab, access the raw logs, and save a personalized view of the activity that you want to track. These capabilities make it possible for you to monitor activity and develop policies and countermeasures for fortifying your network against malicious activity. In this section, you will Interact with the ACC widgets across different tabs, drill down using widget filters, pivot the ACC views using global filters, and export a PDF for sharing with incident response or IT teams.
At first glance, you see the Application Usage and User Activity widgets in the ACC > Network Activity tab. The User Activity widget shows that user Marsha Wirth has transferred 718 Megabytes of data during the last hour. This volume is nearly six times more than any other user on the network. To see the trend over the past few hours, expand the Time period to the Last 6 Hrs, and now Marsha's activity has been 6.5 Gigabytes over 891 sessions and has triggered 38 threat signatures.
Because Marsha has transferred a large volume of data, apply her username as a global filter (ACC Filters) and pivot all the views in the ACC to Marsha's traffic activity.
The Application Usage tab now shows that the top application that Marsha used was rapidshare, a Swiss-owned file hosting site that belongs to the file-sharing URL category. For further investigation, add rapidshare as a global filter, and view Marsha's activity in the context of rapidshare.
Consider whether you want to sanction rapidshare for company use. Should you allow uploads to this site, and do you need a QoS policy to limit bandwidth?
To view which IP addresses Marsha has communicated with, check the Destination IP Activity widget, and view the data by bytes and by URLs.
To know which countries Marsha communicated with, sort on sessions in the Destination Regions widget. From this data, you can confirm that Marsha, a user on your network, has established sessions in Korea and the European Union, and she logged 19 threats in her sessions within the United States.
To look at Marsha's activity from a threat perspective, remove the global filter for rapidshare. In the Threat Activity widget on the Threat Activity tab, view the threats. The widget displays that her activity had triggered a match for 26 vulnerabilities in the overflow, DoS, and code execution threat category. Several of these vulnerabilities are of critical severity.
To further drill down into each vulnerability, click into the graph and narrow the scope of your investigation. Each click automatically applies a local filter on the widget.
Notice that this Microsoft code execution vulnerability was triggered over email, by the imap application. You can now establish that Marsha has IE vulnerabilities and email attachment vulnerabilities, and perhaps her computer needs to be patched. You can now either navigate to the Blocked Threats widget in the Blocked Activity tab to check how many of these vulnerabilities were blocked, or you can check the Rule Usage widget on the Network Activity tab to discover how many vulnerabilities made it into your network and which security rule allowed this traffic, and navigate directly to the security rule using the Global Find capability.
Then, drill into why imap used a non-standard port 43206 instead of port 143, which is the default port for the application. Consider modifying the security policy rule to allow applications to only use the default port for the application, or assess whether this port should be an exception on your network.
To review if any threats were logged over imap, check Marsha's activity in the WildFire Activity by Application widget in the Threat Activity tab. You can confirm that Marsha had no malicious activity, but to verify that no other user was compromised by the imap application, negate Marsha as a global filter and look for other users who triggered threats over imap.
Click into the bar for imap in the graph and drill into the inbound threats associated with the application. To find out who an IP address is registered to, hover over the attacker IP address and select the Who Is link in the drop-down.
You have now used the ACC to review network data/trends to find which applications or users are generating the most traffic, and how many applications are responsible for the threats seen on the network. You were able to identify which application(s) and user(s) generated the traffic, determine whether the application was on the default port and which policy rule(s) allowed the traffic into the network, and determine whether the threat is spreading laterally on the network. You also identified the destination IP addresses and geolocations with which hosts on the network are communicating. Use the conclusions from your investigation to craft goal-oriented policies that can secure users and your network.
App Scope
The App Scope reports provide visibility and analysis tools to help pinpoint problematic behavior, helping you understand changes in application usage and user activity, users and applications that take up most of the network bandwidth, and identify network threats.
With the App Scope reports, you can quickly see if any behavior is unusual or unexpected. Each report provides a dynamic, user-customizable window into the network; hovering the mouse over and clicking either the lines or bars on the charts opens detailed information about the specific application, application category, user, or source on the ACC. The App Scope charts on Monitor > App Scope give you the ability to:
Toggle the attributes in the legend to only view chart details that you want to review. The ability to include or exclude data from the chart allows you to change the scale and review details more closely.
Click into an attribute in a bar chart and drill down to the related sessions in the ACC. Click into an Application name, Application Category, Threat Name, Threat Category, Source IP address or Destination IP address on any bar chart to filter on the attribute and view the related sessions in the ACC.
Export a chart or map to PDF or as an image. For portability and offline viewing, you can Export charts and maps as PDFs or PNG images.
The following App Scope reports are available:
Summary Report
Change Monitor Report
Threat Monitor Report
Threat Map Report
Network Monitor Report
Traffic Map Report
Summary Report
Change Monitor Report
The Change Monitor Report contains the following buttons and options.
Button | Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Gainers: Displays measurements of items that have increased over the measured period.
Losers: Displays measurements of items that have decreased over the measured period.
New: Displays measurements of items that were added over the measured period.
Dropped: Displays measurements of items that were discontinued over the measured period.
Filter: Applies a filter to display only the selected item. None displays all entries.
(icon button): Determines whether to display session or byte information.
Sort: Determines whether to sort entries by percentage or raw growth.
Export: Exports the graph as a .png image or as a PDF.
Compare: Specifies the period over which the change measurements are taken.
Threat Monitor Report
Each threat type is color-coded as indicated in the legend below the chart. The Threat Monitor report contains the following buttons and options.
Button | Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Threats: Determines the type of item measured: Threat, Threat Category, Source, or Destination.
Filter: Applies a filter to display only the selected type of items.
(icon button): Determines whether the information is presented in a stacked column chart or a stacked area chart.
Export: Exports the graph as a .png image or as a PDF.
(icon button): Specifies the period over which the measurements are taken.
Threat Map Report
The Threat Map report contains the following buttons and options.
Button | Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Filter: Applies a filter to display only the selected type of items.
Export: Exports the graph as a .png image or as a PDF.
(icon button): Indicates the period over which the measurements are taken.
Network Monitor Report
The Network Monitor report contains the following buttons and options.
Button | Description
Top 10: Determines the number of records with the highest measurement included in the chart.
Application: Determines the type of item reported: Application, Application Category, Source, or Destination.
Filter: Applies a filter to display only the selected item. None displays all entries.
(icon button): Determines whether to display session or byte information.
Export: Exports the graph as a .png image or as a PDF.
(icon button): Determines whether the information is presented in a stacked column chart or a stacked area chart.
(icon button): Indicates the period over which the change measurements are taken.
Traffic Map Report
Each traffic type is color-coded as indicated in the legend below the chart. The Traffic Map report contains the following buttons and options.
Buttons | Description
Top 10: Determines the number of records with the highest measurement included in the chart.
(icon button): Determines whether to display session or byte information.
Export: Exports the graph as a .png image or as a PDF.
(icon button): Indicates the period over which the change measurements are taken.
Use the Automated Correlation Engine
The automated correlation engine is an analytics tool that uses the logs on the firewall to detect actionable events on your network. The engine correlates a series of related threat events that, when combined, indicate a likely compromised host on your network or some other higher-level conclusion. It pinpoints areas of risk, such as compromised hosts on the network, and allows you to assess the risk and take action to prevent exploitation of network resources. The automated correlation engine uses correlation objects to analyze the logs for patterns, and when a match occurs, it generates a correlated event.
The automated correlation engine is supported on the following platforms:
Panorama M-Series appliance and the virtual appliance
PA-7000 Series firewall
PA-5000 Series firewall
PA-3000 Series firewall
Automated Correlation Engine Concepts
View the Correlated Objects
Interpret Correlated Events
Use the Compromised Hosts Widget in the ACC
Automated Correlation Engine Concepts
The automated correlation engine uses correlation objects to analyze the logs for patterns, and when a match occurs, it generates a correlated event.
Correlation Object
Correlated Events
Correlation Object
A correlation object is a definition file that specifies patterns to match against, the data sources to use for the lookups, and the time period within which to look for these patterns. A pattern is a boolean structure of conditions that queries the following data sources (or logs) on the firewall: application statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each pattern has a severity rating, and a threshold for the number of times the pattern match must occur within a defined time limit to indicate malicious activity. When the match conditions are met, a correlated event is logged.
A correlation object can connect isolated network events and look for patterns that indicate a more significant event. These objects identify suspicious traffic patterns and network anomalies, including suspicious IP activity, known command-and-control activity, known vulnerability exploits, or botnet activity that, when correlated, indicate with a high probability that a host on the network has been compromised.
Correlation objects are defined and developed by the Palo Alto Networks Threat Research team, and are delivered with the weekly dynamic updates to the firewall and Panorama. To obtain new correlation objects, the firewall must have a Threat Prevention license. Panorama requires a support license to get the updates.
The patterns defined in a correlation object can be static or dynamic. Correlation objects that include patterns observed in WildFire are dynamic, and can correlate malware patterns detected by WildFire with command-and-control activity initiated by a host that was targeted with the malware on your network. For example, when a host submits a file to the WildFire cloud and the verdict is malicious, the correlation object looks for other hosts or clients on the network that exhibit the same behavior seen in the cloud. If the malware sample had performed a DNS query and browsed to a malware domain, the correlation object will parse the logs for a similar event. When the activity on a host matches the analysis in the cloud, a high-severity correlated event is logged.
Correlated Events
A correlated event is logged when the patterns and thresholds defined in a correlation object match the traffic patterns on your network. To Interpret Correlated Events and to view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
View the Correlated Objects
View the Correlation Objects Available on the Firewall
Step 2: View the details on each correlation object. Each object provides the following information:
Name and Title: The name and title indicate the type of activity that the correlation object detects. The name column is hidden from view, by default. To view the definition of the object, unhide the column and click the name link.
ID: A unique number that identifies the correlation object; this column is also hidden by default. The IDs are in the 6000 series.
Category: A classification of the kind of threat or harm posed to the network, user, or host. For now, all the objects identify compromised hosts on the network.
State: Indicates whether the correlation object is enabled (active) or disabled (inactive). All the objects in the list are enabled by default, and are hence active. Because these objects are based on threat intelligence data and are defined by the Palo Alto Networks Threat Research team, keep the objects active in order to track and detect malicious activity on your network.
Description: Specifies the match conditions for which the firewall or Panorama will analyze logs. It describes the sequence of conditions that are matched on to identify acceleration or escalation of malicious activity or suspicious host behavior. For example, the Compromise Lifecycle object detects a host involved in a complete attack lifecycle in a three-step escalation that starts with scanning or probing activity, progressing to exploitation, and concluding with network contact to a known malicious domain.
For more information, see Automated Correlation Engine Concepts and Use the Automated Correlation Engine.
Interpret Correlated Events
Correlated Events include the following details:
Field | Description
Severity: A rating that indicates the urgency and impact of the match. The severity level indicates the extent of damage or escalation pattern, and the frequency of occurrence. Because correlation objects are primarily for detecting threats, the correlated events typically relate to identifying compromised hosts on the network, and the severity implies the following:
Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity generated by a particular host.
Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs, which suggests a scripted command-and-control activity.
Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational: Detects an event that may be useful in aggregate for identifying suspicious activity, but the event is not necessarily significant on its own.
To configure the firewall or Panorama to send alerts using email, SNMP or syslog messages for a desired severity level, see Use External Services for Monitoring.
Summary: A description that summarizes the evidence gathered on the correlated event.
Click the icon to see the detailed log view, which includes all the evidence on a match:
Tab | Description
Match Information: Object Details presents information on the Correlation Object that triggered the match. Match Details is a summary of the match details that includes the match time, last update time on the match evidence, severity of the event, and an event summary.
Match Evidence: Presents all the evidence that corroborates the correlated event. It lists detailed information on the evidence collected for each session.
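The following Python sketch is an added example, not PAN-OS code or the Palo Alto Networks engine: it models a correlation object as described under Correlation Object above (patterns with a data source, a boolean condition, a threshold and a time window, checked in escalation order) and labels the resulting events with the severities from the Severity table. The object IDs, record field names and the sample log records are assumptions constructed for the illustration.

```python
"""Toy correlation engine modelled on the Correlation Object and Severity concepts
above. Added example, not PAN-OS code: object format, fields, IDs and logs are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List

@dataclass
class Pattern:
    """One condition: log source to query, boolean match, and hits needed in `window`."""
    description: str
    source: str                            # data source (log type) to query
    match: Callable[[dict], bool]          # boolean condition on one record
    threshold: int = 1                     # matches needed inside the window
    window: timedelta = timedelta(hours=1)

@dataclass
class CorrelationObject:
    """Definition file; patterns are checked in order (scan -> exploit -> C2)."""
    object_id: int                         # constructed placeholder in the 6000 series
    name: str
    category: str
    severity: str
    patterns: List[Pattern]
    state: str = "active"                  # "active" or "inactive"

@dataclass
class CorrelatedEvent:                     # logged once every pattern matched for a host
    object_id: int
    host: str
    severity: str
    match_time: datetime                   # time of the first piece of evidence
    last_update: datetime                  # time of the latest piece of evidence
    summary: str
    evidence: List[dict] = field(default_factory=list)

def _stage_hits(records: List[dict], pattern: Pattern, not_before: datetime) -> List[dict]:
    """First run of `threshold` hits inside the window, at or after `not_before`."""
    hits = [r for r in records if r["log"] == pattern.source
            and r["time"] >= not_before and pattern.match(r)]
    for i in range(len(hits) - pattern.threshold + 1):
        run = hits[i:i + pattern.threshold]
        if run[-1]["time"] - run[0]["time"] <= pattern.window:
            return run
    return []

def correlate(obj: CorrelationObject, logs: List[dict]) -> List[CorrelatedEvent]:
    """Run one correlation object over the logs: at most one event per host."""
    if obj.state != "active":              # disabled objects never generate events
        return []
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for rec in logs:
        by_host[rec["src"]].append(rec)
    events = []
    for host in sorted(by_host):
        records = sorted(by_host[host], key=lambda r: r["time"])
        evidence: List[dict] = []
        not_before = datetime.min
        for pattern in obj.patterns:
            run = _stage_hits(records, pattern, not_before)
            if not run:                    # escalation chain broken: no event
                evidence = []
                break
            evidence.extend(run)
            not_before = run[-1]["time"]   # the next stage must come later
        if evidence:
            events.append(CorrelatedEvent(
                obj.object_id, host, obj.severity, evidence[0]["time"], evidence[-1]["time"],
                f"{obj.name}: {len(evidence)} matching log entries for {host}", evidence))
    return events

COMPROMISE_LIFECYCLE = CorrelationObject(  # constructed; severities follow the table above
    6001, "Compromise Lifecycle", "compromised-host", "critical", [
        Pattern("scanning or probing activity", "threat",
                lambda r: r["category"] == "scan", 3, timedelta(minutes=10)),
        Pattern("exploitation", "threat",
                lambda r: r["category"] in ("code-execution", "overflow", "dos")),
        Pattern("contact with a known malicious domain", "url",
                lambda r: r["category"] == "malware")])
MALICIOUS_URL_VISIT = CorrelationObject(   # a single suspicious event: "possibly compromised"
    6002, "Malicious URL Visit", "compromised-host", "low", [
        Pattern("visit to a malicious or dynamic DNS domain", "url",
                lambda r: r["category"] in ("malware", "dynamic-dns"))])

def rec_time(hhmmss: str) -> datetime:
    return datetime.fromisoformat("2016-05-19T" + hhmmss)

SAMPLE_LOGS = [                            # constructed records, not real firewall logs
    {"time": rec_time("10:00:05"), "log": "threat", "src": "10.1.1.50", "category": "scan"},
    {"time": rec_time("10:01:10"), "log": "threat", "src": "10.1.1.50", "category": "scan"},
    {"time": rec_time("10:03:42"), "log": "threat", "src": "10.1.1.50", "category": "scan"},
    {"time": rec_time("10:20:00"), "log": "threat", "src": "10.1.1.50", "category": "code-execution"},
    {"time": rec_time("10:25:30"), "log": "url", "src": "10.1.1.50", "category": "malware"},
    # 10.1.1.51 only scans: the chain never escalates, so no lifecycle event.
    {"time": rec_time("10:02:00"), "log": "threat", "src": "10.1.1.51", "category": "scan"},
    {"time": rec_time("10:02:30"), "log": "threat", "src": "10.1.1.51", "category": "scan"},
    {"time": rec_time("10:02:45"), "log": "threat", "src": "10.1.1.51", "category": "scan"},
    # 10.1.1.52 visits one malware domain: only the low-severity object fires.
    {"time": rec_time("11:00:00"), "log": "url", "src": "10.1.1.52", "category": "malware"},
]
```

Running `correlate(COMPROMISE_LIFECYCLE, SAMPLE_LOGS)` yields one critical event for 10.1.1.50 with five pieces of evidence, while the scanning-only host produces nothing because its chain never reaches the exploitation stage.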
Use the Compromised Hosts Widget in the ACC
For more details, see Use the Automated Correlation Engine and Use the Application Command Center.
Take Packet Captures
All Palo Alto Networks firewalls allow you to take packet captures (pcaps) of traffic that traverses the management interface and network interfaces on the firewall. When taking packet captures on the dataplane, you may need to Disable Hardware Offload to ensure that the firewall captures all traffic.
Packet capture can be very CPU intensive and can degrade firewall performance. Only use this feature when necessary and make sure you turn it off after you have collected the required packets.
Types of Packet Captures
Disable Hardware Offload
Take a Custom Packet Capture
Take a Threat Packet Capture
Take an Application Packet Capture
Take a Packet Capture on the Management Interface
Types of Packet Captures
There are four different types of packet captures you can enable, depending on what you need to do:
Custom Packet Capture: The firewall captures packets for all traffic or for specific traffic based on filters that you define. For example, you can configure the firewall to only capture packets to and from a specific source and destination IP address or port. You then use the packet captures for troubleshooting network-related issues or for gathering application attributes to enable you to write custom application signatures or to request an application signature from Palo Alto Networks. See Take a Custom Packet Capture.
Threat Packet Capture: The firewall captures packets when it detects a virus, spyware, or vulnerability. You enable this feature in Antivirus, Anti-Spyware, and Vulnerability Protection security profiles. A link to view or export the packet captures will appear in the second column of the Threat log. These packet captures provide context around a threat to help you determine if an attack is successful or to learn more about the methods used by an attacker. You can also submit this type of pcap to Palo Alto Networks to have a threat reanalyzed if you feel it's a false positive or false negative. See Take a Threat Packet Capture.
Application Packet Capture: The firewall captures packets based on a specific application and filters that you define. A link to view or export the packet captures will appear in the second column of the Traffic logs for traffic that matches the packet capture rule. See Take an Application Packet Capture.
Management Interface Packet Capture: The firewall captures packets on the management interface (MGT). The packet captures are useful when troubleshooting services that traverse the interface, such as firewall management authentication to external servers (LDAP and RADIUS, for example), software and content updates, log forwarding, communication with SNMP servers, and authentication requests for GlobalProtect and Captive Portal. See Take a Packet Capture on the Management Interface.
Disable Hardware Offload
Packet captures on a Palo Alto Networks firewall are performed in the dataplane CPU, unless you configure the firewall to Take a Packet Capture on the Management Interface, in which case the packet capture is performed on the management plane. When a packet capture is performed on the dataplane, during the ingress stage, the firewall performs packet parsing checks and discards any packets that do not match the packet capture filter. Any traffic that is offloaded to the field-programmable gate array (FPGA) offload processor is also excluded, unless you turn off hardware offload. For example, encrypted traffic (SSL/SSH), network protocols (OSPF, BGP, RIP), application overrides, and terminating applications can be offloaded to the FPGA and therefore are excluded from packet captures by default. Some types of sessions will never be offloaded, such as ARP, all non-IP traffic, IPSec, VPN sessions, SYN, FIN, and RST packets.
Hardware offload is supported on the following firewalls: PA-2000 Series, PA-3050, PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls.
Disabling hardware offload increases the dataplane CPU usage. If dataplane CPU usage is already high, you may want to schedule a maintenance window before disabling hardware offload.
Enable/Disable Hardware Offload
Step 1 Disable hardware offload by running the following CLI command:
admin@PA-7050> set session offload no
Step 2 After the firewall captures the required traffic, enable hardware offload by running the following CLI command:
admin@PA-7050> set session offload yes
Take a Custom Packet Capture
Custom packet captures allow you to define the traffic that the firewall will capture. To ensure that you capture all traffic, you may need to Disable Hardware Offload.
Take a Custom Packet Capture
Step 1 Before you start a packet capture, identify the attributes of the traffic that you want to capture.
For example, to determine the source IP address, source NAT IP address, and the destination IP address for traffic between two systems, perform a ping from the source system to the destination system. After the ping is complete, go to Monitor > Traffic and locate the traffic log for the two systems. Click the Detailed Log View icon located in the first column of the log and note the source address, source NAT IP, and the destination address.
In the example that follows, we will use a packet capture to troubleshoot a Telnet connectivity issue from a user in the Trust zone to a server in the DMZ zone.
Step 2 Set packet capture filters, so the firewall only captures traffic you are interested in.
Filters will make it easier for you to locate the information you need in the packet capture and will reduce the processing power required by the firewall to take the packet capture. To capture all traffic, do not define filters and leave the filter option off.
For example, if you configured NAT on the firewall, you will need to apply two filters. The first one filters on the pre-NAT source IP address to the destination IP address and the second one filters traffic from the destination server to the source NAT IP address.
1. Select Monitor > Packet Capture.
2. Click Clear All Settings at the bottom of the window to clear any existing capture settings.
3. Click Manage Filters and click Add.
4. Select Id 1 and in the Source field enter the source IP address you are interested in and in the Destination field enter a destination IP address.
For example, enter the source IP address 192.168.2.10 and the destination IP address 10.43.14.55. To further filter the capture, set Non-IP to exclude non-IP traffic, such as broadcast traffic.
5. Add the second filter and select Id 2.
For example, in the Source field enter 10.43.14.55 and in the Destination field enter 10.43.14.25. In the Non-IP drop-down menu select exclude.
6. Click OK.
Step 3 Set Filtering to On.
Step 4 Specify the traffic stage(s) that trigger the packet capture and the filename(s) to use to store the captured content. For a definition of each stage, click the Help icon on the packet capture page.
For example, to configure all packet capture stages and define a filename for each stage, perform the following procedure:
1. Add a Stage to the packet capture configuration and define a Filename for the resulting packet capture.
For example, select receive as the Stage and set the Filename to telnet-test-received.
Step 6 Generate traffic that matches the filters that you defined.
For this example, generate traffic from the source system to the Telnet-enabled server by running the following command from the source system (192.168.2.10):
telnet 10.43.14.55
Step 7 Turn packet capture OFF and then click the refresh icon to see the packet capture files.
Notice that in this case, there were no dropped packets, so the firewall did not create a file for the drop stage.
Step 8 Download the packet captures by clicking the file name in the File Name column.
Step 9 View the packet capture files using a network packet analyzer.
In this example, the received.pcap packet capture shows a failed Telnet session from the source system at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. The source system sent the Telnet request to the server, but the server did not respond. In this example, the server may not have Telnet enabled, so check the server.
Step 10 Enable the Telnet service on the destination server (10.43.14.55) and turn on packet capture to take a new packet capture.
Step 11 Generate traffic that will trigger the packet capture.
Run the Telnet session again from the source system to the Telnet-enabled server:
telnet 10.43.14.55
Step 12 Download and open the received.pcap file and view it using a network packet analyzer.
The following packet capture now shows a successful Telnet session from the host user at 192.168.2.10 to the Telnet-enabled server at 10.43.14.55. Note that you also see the NAT address 10.43.14.25. When the server responds, it does so to the NAT address. You can see the session is successful as indicated by the three-way handshake between the host and the server and then you see Telnet data.
Take a Threat Packet Capture
To configure the firewall to take a packet capture (pcap) when it detects a threat, enable packet capture on Antivirus, Anti-Spyware, and Vulnerability Protection security profiles.
Take a Threat Packet Capture
Step 3 View/export the packet capture from the Threat logs.
1. Select Monitor > Logs > Threat.
2. In the log entry that you are interested in, click the green packet capture icon in the second column. View the packet capture directly or Export it to your system.
Take an Application Packet Capture
The following topics describe two ways that you can configure the firewall to take application packet captures:
Take a Packet Capture for Unknown Applications
Take a Custom Application Packet Capture
Take a Packet Capture for Unknown Applications
Palo Alto Networks firewalls automatically generate a packet capture for sessions that contain an application that it cannot identify. Typically, the only applications that are classified as unknown traffic (tcp, udp, or non-syn-tcp) are commercially available applications that do not yet have App-ID signatures, are internal or custom applications on your network, or potential threats. You can use these packet captures to gather more context related to the unknown application or use the information to analyze the traffic for potential threats. You can also Manage Custom or Unknown Applications by controlling them through security policy or by writing a custom application signature and creating a security rule based on the custom signature. If the application is a commercial application, you can submit the packet capture to Palo Alto Networks to have an App-ID signature created.
Identify Unknown Applications in Traffic Logs and View Packet Captures
Step 1 Verify that unknown application packet capture is enabled. This option is on by default.
1. To view the unknown application capture setting, run the following CLI command:
admin@PA-200> show running application setting | match Unknown capture
2. If the unknown capture setting option is off, enable it:
admin@PA-200> set application dump-unknown yes
Step 2 Locate unknown applications by filtering the traffic logs.
1. Select Monitor > Logs > Traffic.
2. Click Add Filter and select the filters as shown in the following example.
3. Click Add and Apply Filter.
Take a Custom Application Packet Capture
You can configure a Palo Alto Networks firewall to take a packet capture based on an application name and filters that you define. You can then use the packet capture to troubleshoot issues with controlling an application. When configuring an application packet capture, you must use the application name defined in the App-ID database. You can view a list of all App-ID applications using Applipedia or from the web interface on the firewall in Objects > Applications.
Take a Custom Application Packet Capture
Step 1 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 2 Turn on the application packet capture and define filters.
admin@PA-200> set application dump on application <application-name> rule <rule-name>
For example, to capture packets for the facebook-base application that matches the security rule named rule1, run the following CLI command:
admin@PA-200> set application dump on application facebook-base rule rule1
You can also apply other filters, such as source IP address and destination IP address.
Step 3 View the output of the packet capture settings to ensure that the correct filters are applied. The output appears after enabling the packet capture.
In the following output, you see that application filtering is now on based on the facebook-base application for traffic that matches rule1.
Application setting:
Application cache : yes
Supernode : yes
Heuristics : yes
Cache Threshold : 16
Bypass when exceeds queue limit: no
Traceroute appid : yes
Traceroute TTL threshold : 30
Use cache for appid : no
Unknown capture : on
Max. unknown sessions : 5000
Current unknown sessions : 0
Application capture : on
Max. application sessions : 5000
Current application sessions : 0
Application filter setting:
Rule : rule1
From : any
To : any
Source : any
Destination : any
Protocol : any
Source Port : any
Dest. Port : any
Application : facebook-base
Current APPID Signature
Signature Usage : 21 MB (Max. 32 MB)
TCP 1 C2S : 15503 states
TCP 1 S2C : 5070 states
TCP 2 C2S : 2426 states
TCP 2 S2C : 702 states
UDP 1 C2S : 11379 states
UDP 1 S2C : 2967 states
UDP 2 C2S : 755 states
UDP 2 S2C : 224 states
Step 4 Access Facebook.com from a web browser to generate Facebook traffic and then turn off application packet capture by running the following CLI command:
admin@PA-200> set application dump off
Step 5 View/export the packet capture.
1. Log in to the web interface on the firewall and select Monitor > Logs > Traffic.
2. In the log entry that you are interested in, click the green packet capture icon in the second column.
3. View the packet capture directly or Export it to your computer. The following screen capture shows the facebook-base packet capture.
Take a Packet Capture on the Management Interface
The tcpdump CLI command enables you to capture packets that traverse the management interface (MGT) on a Palo Alto Networks firewall.
Each platform has a default number of bytes that tcpdump captures. The PA-200, PA-500, and PA-2000 Series firewalls capture 68 bytes of data from each packet and anything over that is truncated. The PA-3000, PA-4000, PA-5000 Series, the PA-7000 Series firewalls, and VM-Series firewalls capture 96 bytes of data from each packet. To change the number of bytes that tcpdump captures from each packet, use the snaplen (snap length) option (range 0 to 65535). Setting the snaplen to 0 will cause the firewall to use the maximum length required to capture whole packets.
Take a Management Interface Packet Capture
Step 1 Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
Step 2 To start a packet capture on the MGT interface, run the following command:
admin@PA-200> tcpdump filter <filter-option> <IP-address> snaplen length
For example, to capture the traffic that is generated when an administrator authenticates to the firewall using RADIUS, filter on the destination IP address of the RADIUS server (10.5.104.99 in this example):
admin@PA-200> tcpdump filter dst 10.5.104.99 snaplen 0
You can also filter on src (source IP address), host, net, and you can exclude content. For example, to filter on a subnet and exclude all SCP, SFTP, and SSH traffic (which uses port 22), run the following command:
admin@PA-200> tcpdump filter net 10.5.104.0/24 and not port 22 snaplen 0
Each time tcpdump takes a packet capture, it stores the content in a file named mgmt.pcap. This file is overwritten each time you run tcpdump.
Step 3 After the traffic you are interested in has traversed the MGT interface, press Ctrl+C to stop the capture.
Step 4 View the packet capture by running the following command:
admin@PA-200> view-pcap mgmt-pcap mgmt.pcap
The following output shows the packet capture from the MGT port (10.5.104.98) to the RADIUS server (10.5.104.99):
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id:
0x00 length: 89
09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id:
0x00 length: 70
09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98
Step 5 (Optional) Export the packet capture from the firewall using SCP (or TFTP). For example, to export the packet capture using SCP, run the following command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to <username@host:path>
For example, to export the pcap to an SCP-enabled server at 10.5.5.20 to a temp folder named temp-SCP, run the following CLI command:
admin@PA-200> scp export mgmt-pcap from mgmt.pcap to admin@10.5.5.20:c:/temp-SCP
Enter the login name and password for the account on the SCP server to enable the firewall to copy the packet capture to the c:\temp-SCP folder on the SCP-enabled server.
Step 6 You can now view the packet capture files using a network packet analyzer, such as Wireshark.
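The view-pcap output above is enough to tell a RADIUS server that never answers from one that rejects the credentials. The following added example (not part of the guide or of PAN-OS) parses that text, pairs each Access-Request with its response by client port and packet id, and flags an unanswered ARP request for the server; the line format is assumed from the guide's output, and the last two sample lines are constructed to show a successful exchange.

```python
import re

# Line format assumed from the output the guide shows for "view-pcap mgmt-pcap mgmt.pcap".
RADIUS_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): RADIUS, "
    r"(?P<name>[\w\- ]+?) \((?P<code>\d+)\), id: (?P<id>0x[0-9a-fA-F]+)"
)
ARP_WHO_HAS_RE = re.compile(r"^\S+ arp who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell")
ARP_REPLY_RE = re.compile(r"^\S+ arp reply (?P<sender>\d+\.\d+\.\d+\.\d+) is-at")

ACCESS_REQUEST = 1
RESPONSE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample: the first four lines are the ones the guide shows for the
# failing exchange; the last two are invented to show an answered request.
SAMPLE_CAPTURE = """\
09:55:29.139394 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 89
09:55:29.144354 arp reply 10.5.104.98 is-at 00:25:90:23:94:98 (oui Unknown)
09:55:29.379290 IP 10.5.104.98.43063 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x00 length: 70
09:55:34.379262 arp who-has 10.5.104.99 tell 10.5.104.98
09:56:02.001000 IP 10.5.104.98.43064 > 10.5.104.99.radius: RADIUS, Access Request (1), id: 0x01 length: 89
09:56:02.020500 IP 10.5.104.99.radius > 10.5.104.98.43064: RADIUS, Access Accept (2), id: 0x01 length: 20
""".splitlines()


def analyze_radius_capture(lines, radius_server):
    """Pair RADIUS requests with responses by (client IP, client port, packet id).

    Returns one record per request plus a flag that is set when the firewall sent
    an ARP request for the RADIUS server that was never answered in the capture,
    which points at reachability rather than at the shared secret or credentials.
    """
    exchanges = {}
    arp_asked = arp_answered = 0
    for line in lines:
        m = RADIUS_RE.match(line)
        if m:
            code = int(m.group("code"))
            if code == ACCESS_REQUEST:
                key = (m.group("src"), m.group("sport"), m.group("id"))
                rec = exchanges.setdefault(
                    key, {"client": key[0], "port": key[1], "id": key[2],
                          "requests": 0, "status": "no-response"})
                rec["requests"] += 1  # retransmits of the same id count here
            elif code in RESPONSE_NAMES:
                # A response goes back to the client's port and carries the same id.
                key = (m.group("dst"), m.group("dport"), m.group("id"))
                if key in exchanges and exchanges[key]["status"] == "no-response":
                    exchanges[key]["status"] = RESPONSE_NAMES[code]
            continue
        a = ARP_WHO_HAS_RE.match(line)
        if a and a.group("target") == radius_server:
            arp_asked += 1
            continue
        r = ARP_REPLY_RE.match(line)
        if r and r.group("sender") == radius_server:
            arp_answered += 1
    return {
        "exchanges": list(exchanges.values()),
        "server_arp_unresolved": arp_asked > arp_answered,
    }


def describe(result):
    """Human-readable lines for a result from analyze_radius_capture()."""
    out = []
    for rec in result["exchanges"]:
        out.append("%s:%s id %s: %d request(s), %s" % (
            rec["client"], rec["port"], rec["id"], rec["requests"], rec["status"]))
    if result["server_arp_unresolved"]:
        out.append("RADIUS server never answered ARP: check VLAN/route before the shared secret")
    return out


if __name__ == "__main__":
    for line in describe(analyze_radius_capture(SAMPLE_CAPTURE, "10.5.104.99")):
        print(line)
```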
Monitor Applications and Threats
All Palo Alto Networks next-generation firewalls come equipped with the App-ID technology, which identifies the applications traversing your network, irrespective of protocol, encryption, or evasive tactic. You can then Use the Application Command Center to monitor the applications. The ACC graphically summarizes the data from a variety of log databases to highlight the applications traversing your network, who is using them, and their potential security impact. ACC is dynamically updated, using the continuous traffic classification that App-ID performs; if an application changes ports or behavior, App-ID continues to see the traffic, displaying the results in ACC. Additional visibility into URL categories, threats, and data provides a complete and well-rounded picture of network activity. With ACC, you can very quickly learn more about the traffic traversing the network and then translate that information into a more informed security policy.
You can also Use the Dashboard to monitor the network.
View AutoFocus Threat Data for Logs to check whether logged events on the firewall pose a security risk. The AutoFocus intelligence summary shows the prevalence of properties, activities, or behaviors associated with logs in your network and on a global scale, as well as the WildFire verdict and AutoFocus tags linked to them. With an active AutoFocus subscription, you can use this information to create customized AutoFocus Alerts that track specific threats on your network.
Monitor and Manage Logs
A log is an automatically generated, time-stamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, the firewall generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature or a DoS attack that matches the thresholds configured for a port scan or host sweep activity on the firewall.
Log Types and Severity Levels
Work with Logs
Configure Log Storage Quotas and Expiration Periods
Schedule Log Exports to an SCP or FTP Server
Log Types and Severity Levels
Traffic Logs
Traffic logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones, addresses, and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
The Type column indicates whether the entry is for the start or end of the session. The Action column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates the security rule that blocked the traffic specified any application, while a deny indicates the rule identified a specific application. If the firewall drops traffic before identifying the application, such as when a rule drops all traffic for a specific service, the Application column displays not-applicable.
Click the icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).
Threat Logs
Threat logs display entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, and ports; application name; alarm action (such as allow or block); and severity level.
To see more details on individual Threat log entries:
Click the icon beside a threat entry to view details such as whether the entry aggregates multiple threats of the same type between the same source and destination (in which case the Count column value is greater than one).
If you configured the firewall to Take Packet Captures, click the packet capture icon beside an entry to access the captured packets.
The following table summarizes the Threat severity levels:
Severity Description
Critical: Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and the exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims and the target does not need to be manipulated into performing any special functions.
High: Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
Medium: Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access. In addition, WildFire Submissions log entries with a malware verdict are logged as Medium.
Low: Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged as Low.
Informational: Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist. URL Filtering log entries and WildFire Submissions log entries with a benign verdict are logged as Informational.
URL Filtering Logs
URL Filtering logs display entries for traffic that matches URL Filtering Profiles attached to security rules. For example, the firewall generates a log if a rule blocks access to specific web sites and web site categories or if you configured a rule to generate an alert when a user accesses a web site.
WildFire Submissions Logs
The firewall forwards samples (files and email links) to the WildFire cloud for analysis based on WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). The firewall generates WildFire Submissions log entries for each sample it forwards after WildFire completes static and dynamic analysis of the sample. WildFire Submissions log entries include the WildFire verdict for the submitted sample.
The following table summarizes the WildFire verdicts:
Severity Description
Benign: Indicates that the entry received a WildFire analysis verdict of benign. Files categorized as benign are safe and do not exhibit malicious behavior.
Grayware: Indicates that the entry received a WildFire analysis verdict of grayware. Files categorized as grayware do not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware can include adware, spyware, and Browser Helper Objects (BHOs).
Malicious: Indicates that the entry received a WildFire analysis verdict of malicious. Samples categorized as malicious can pose a security threat. Malware can include viruses, worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For samples that are identified as malware, the WildFire cloud generates and distributes a signature to prevent against future exposure.
Data Filtering Logs
Data Filtering logs display entries for the security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects. See Set Up Data Filtering for information on defining Data Filtering profiles.
This log type also shows information for File Blocking Profiles. For example, if a rule blocks .exe files, the log shows the blocked files.
Correlation Logs
The firewall logs a correlated event when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network. To Interpret Correlated Events and view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
The following table summarizes the Correlation log severity levels:
Severity Description
Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host.
Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs that suggest a scripted command-and-control activity.
Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational: Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own.
Config Logs
Config logs display entries for changes to the firewall configuration. Each entry includes the date and time, the administrator username, the IP address from where the administrator made the change, the type of client (Web, CLI, or Panorama), the type of command executed, the command status (succeeded or failed), the configuration path, and the values before and after the change.
System Logs
System logs display entries for each system event on the firewall. Each entry includes the date and time, event severity, and event description. The following table summarizes the System log severity levels. For a partial list of System log messages and their corresponding severity levels, refer to System Log Events.
Severity Description
Critical: Hardware failures, including high availability (HA) failover and link failures.
High: Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.
Medium: Mid-level notifications, such as antivirus package upgrades.
Low: Minor severity notifications, such as user password changes.
Informational: Login/logoff, administrator name or password change, any configuration change, and all other events not covered by the other severity levels.
HIP Match Logs
The GlobalProtect Host Information Profile (HIP) feature enables you to collect information about the security status of the end devices accessing your network (such as whether they have disk encryption enabled). The firewall can allow or deny access to a specific host based on adherence to the HIP-based security rules you define. HIP Match logs display traffic flows that match a HIP Object or HIP Profile that you configured for the rules.
Alarms Logs
An alarm is a firewall-generated message indicating that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type. To enable alarms and configure alarm thresholds, select Device > Log Settings and edit the Alarm Settings.
When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After you Close the dialog, you can reopen it anytime by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select the alarm in the Unacknowledged Alarms list and Acknowledge the alarm.
Unified Logs
Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs displayed in a single view. Unified log view enables you to investigate and filter the latest entries from different log types in one place, instead of searching through each log type separately. Click Effective Queries in the filter area to select which log types will display entries in Unified log view.
The Unified log view displays only entries from logs that you have permission to see. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. Administrative Roles define these permissions.
When you Set Up Remote Search in AutoFocus to perform a targeted search on the firewall, the search results are displayed in Unified log view.
Work with Logs
View Logs
Filter Logs
Export Logs
View AutoFocus Threat Data for Logs
View Logs
You can view the different log types on the firewall in a tabular format. The firewall locally stores all log files and automatically generates Configuration and System logs by default. To learn more about the security rules that trigger the creation of entries for the other types of logs, see Log Types and Severity Levels.
To configure the firewall to forward logs as syslog messages, email notifications, or Simple Network Management Protocol (SNMP) traps, Use External Services for Monitoring.
View Logs
Next Steps...
Filter Logs.
Export Logs.
View AutoFocus Threat Data for Logs.
Configure Log Storage Quotas and Expiration Periods.
Filter Logs
Each log has a filter area that allows you to set criteria for which log entries to display. The ability to filter logs is useful for focusing on events on your firewall that possess particular properties or attributes. Filter logs by artifacts that are associated with individual log entries.
Filter Logs
Next Steps...
View Logs.
Export Logs.
View AutoFocus Threat Data for Logs.
Export Logs
You can export the contents of a log type to a comma-separated value (CSV) formatted report. By default, the report contains up to 2,000 rows of log entries.
Export Logs
Next Step... Schedule Log Exports to an SCP or FTP Server.
View AutoFocus Threat Data for Logs
Traffic, Threat, URL Filtering, WildFire Submissions, Data Filtering, and Unified logs include AutoFocus threat intelligence data to provide context for the following artifacts found in the log entries:
IP address
URL
User agent
Threat name
Filename
SHA-256 hash
You can also open an AutoFocus search for log artifacts.
View AutoFocus Threat Data for Logs
Step 1 Connect the firewall to AutoFocus to Enable AutoFocus Threat Intelligence.
Enable AutoFocus in Panorama to view AutoFocus threat data for all Panorama log entries, including those from firewalls that are not connected to AutoFocus and/or are running PAN-OS 7.0 and earlier release versions (Panorama > Setup > Management > AutoFocus).
Step 4 Review the logs and statistics in the AutoFocus Intelligence Summary to assess the pervasiveness and risk of the artifact:
View recent passive DNS history for IP address, domain, and URL artifacts.
Review the matching tags for the artifact. AutoFocus Tags indicate whether an artifact is linked to malware or targeted attacks.
Create AutoFocus Alerts for tags issued by Unit 42, the Palo Alto Networks threat research team. Alerts for Unit 42 tags help you detect advanced security threats and campaigns as they occur on your network.
View the number of sessions logged in your firewall(s) where samples associated with the artifact were detected.
Compare the WildFire verdicts (benign, malware, grayware) for global and private samples that contain the artifact. Global refers to samples from all WildFire submissions, while private refers to only samples submitted to WildFire by your organization.
View the latest private samples with which WildFire found the artifact. Artifacts found with the samples include SHA-256 hash, the file type, the date that the sample was first analyzed by WildFire, the WildFire verdict for the sample, and the date that the WildFire verdict was updated (if applicable).
Step 5 Add artifacts from the firewall to an AutoFocus Search.
Click the link for the log artifact. The AutoFocus search editor opens in a new browser tab, with the log artifact added as a search condition.
Click any linked artifact in the tables or charts to add it as a search condition to an AutoFocus search.
Next Step... Learn more about AutoFocus Search.
Configure Log Storage Quotas and Expiration Periods
The firewall automatically deletes logs that exceed the expiration period. When the firewall reaches the storage quota for a log type, it automatically deletes older logs of that type to create space even if you don't set an expiration period.
Configure Log Storage Quotas and Expiration Periods
Step 4 Click OK and Commit.
Schedule Log Exports to an SCP or FTP Server
You can schedule exports of Traffic, Threat, URL Filtering, Data Filtering, HIP Match, and WildFire Submissions logs to a Secure Copy (SCP) server or File Transfer Protocol (FTP) server. Perform this task for each log type you want to export.
You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the following platforms, they do not support these options: PA-7000 Series firewalls (all PAN-OS releases), Panorama virtual appliance running Panorama 6.0 or later releases, and Panorama M-Series appliances (all Panorama releases).
Schedule Log Exports to an SCP or FTP Server
Step 2 Enter a Name for the scheduled log export and Enable it.
Step 5 Select the Protocol to export the logs: SCP (secure) or FTP.
Step 6 Enter the Hostname or IP address of the server.
Step 7 Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.
Step 8 Enter the Path or directory in which to save the exported logs.
Step 12 Click OK and Commit.
Manage Reporting
The reporting capabilities on the firewall allow you to keep a pulse on your network, validate your policies, and focus your efforts on maintaining network security for keeping your users safe and productive.
Report Types
View Reports
Configure the Report Expiration Period
Disable Predefined Reports
Generate Custom Reports
Generate Botnet Reports
Generate the SaaS Application Usage Report
Manage PDF Summary Reports
Generate User/Group Activity Reports
Manage Report Groups
Schedule Reports for Email Delivery
Report Types
The firewall includes predefined reports that you can use as-is, or you can build custom reports that meet your needs for specific data and actionable tasks, or you can combine predefined and custom reports to compile information you need. The firewall provides the following types of reports:
Predefined Reports: Allow you to view a quick summary of the traffic on your network. A suite of predefined reports are available in four categories: Applications, Traffic, Threat, and URL Filtering. See View Reports.
User or Group Activity Reports: Allow you to schedule or create an on-demand report on the application use and URL activity for a specific user or for a user group. The report includes the URL categories and an estimated browse time calculation for individual users. See Generate User/Group Activity Reports.
Custom Reports: Create and schedule custom reports that show exactly the information you want to see by filtering on conditions and columns to include. You can also include query builders for more specific drill-down on report data. See Generate Custom Reports.
PDF Summary Reports: Aggregate up to 18 predefined or custom reports/graphs from Threat, Application, Trend, Traffic, and URL Filtering categories into one PDF document. See Manage PDF Summary Reports.
Botnet Reports: Allow you to use behavior-based mechanisms to identify potential botnet-infected hosts in the network. See Generate Botnet Reports.
Report Groups: Combine custom and predefined reports into report groups and compile a single PDF that is emailed to one or more recipients. See Manage Report Groups.
Reports can be generated on demand, on a recurring schedule, and can be scheduled for email delivery.
View Reports

The firewall provides an assortment of over 40 predefined reports that it generates every day. You can view these reports directly on the firewall. You can also view custom reports and summary reports.

About 200 MB of storage is allocated for saving reports on the firewall. You can't configure this limit, but you can Configure the Report Expiration Period: the firewall will automatically delete reports that exceed the period. Keep in mind that when the firewall reaches its storage limit, it automatically deletes older reports to create space even if you don't set an expiration period. Another way to conserve system resources on the firewall is to Disable Predefined Reports. For long-term retention of reports, you can export the reports (as described below) or Schedule Reports for Email Delivery.

Unlike other reports, you can't save User/Group Activity reports on the firewall. You must Generate User/Group Activity Reports on demand or schedule them for email delivery.

View Reports

Step 2 Select a report to view. The reports page then displays the report for the previous day.
To view reports for other days, select a date in the calendar at the bottom right of the page and select a report. If you select a report in another section, the date selection resets to the current date.
Configure the Report Expiration Period

Configure Report Expiration Periods

Step 3 Click OK and Commit.

Disable Predefined Reports

The firewall includes about 40 predefined reports that it automatically generates daily. If you do not use some or all of these, you can disable selected reports to conserve system resources on the firewall.

Make sure that no report group or PDF summary report includes the predefined reports you will disable. Otherwise, the firewall will render the PDF summary report or report group without any data.

Disable Predefined Reports

Step 3 Click OK and Commit.
Generate Custom Reports

In order to create purposeful custom reports, you must consider the attributes or key pieces of information that you want to retrieve and analyze. This consideration guides you in making the following selections in a custom report:

Selection: Description

Data Source: The data file that is used to generate the report. The firewall offers two types of data sources: Summary databases and Detailed logs.
  Summary databases are available for traffic, threat, and application statistics. The firewall aggregates the detailed logs on traffic, application, and threat at 15-minute intervals. The data is condensed: duplicate sessions are grouped together and incremented with a repeat counter, and some attributes (or columns) are not included in the summary to allow faster response time when generating reports.
  Detailed logs are itemized and are a complete listing of all the attributes (or columns) that pertain to the log entry. Reports based on detailed logs take much longer to run and are not recommended unless absolutely necessary.

Attributes: The columns that you want to use as the match criteria. The attributes are the columns that are available for selection in a report. From the list of Available Columns, you can add the selection criteria for matching data and for aggregating the details (the Selected Columns).
  (Screenshot of the column selection dialog not reproduced.)
  The columns circled in red (above) depict the columns selected, which are the attributes that you match against for generating the report. Each log entry from the data source is parsed and these columns are matched on. If multiple sessions have the same values for the selected columns, the sessions are aggregated and the repeat count (or sessions) is incremented.
  The column circled in blue indicates the chosen sort order. When the sort order (Sort By) is specified, the data is sorted (and aggregated) by the selected attribute.
  The column circled in green indicates the Group By selection, which serves as an anchor for the report. The Group By column is used as a match criteria to filter for the top N groups. Then, for each of the top N groups, the report enumerates the values for all the other selected columns.
  For example, if a report has the following selections (screenshot not reproduced), the output will display as follows (screenshot not reproduced):
  The report is anchored by Day and sorted by Sessions. It lists the 5 days (5 Groups) with maximum traffic in the Last 7 Days time frame. The data is enumerated by the Top 5 sessions for each day for the selected columns App Category, App Subcategory and Risk.

Time Period: The date range for which you want to analyze data. You can define a custom range or select a time period ranging from the last 15 minutes to the last 30 days. The reports can be run on demand or scheduled to run at a daily or weekly cadence.

Query Builder: The query builder allows you to define specific queries to further refine the selected attributes. It allows you to see just what you want in your report using and/or operators and match criteria, and then include or exclude data that matches or negates the query in the report. Queries enable you to generate a more focused collation of information in a report.
Generate Custom Reports

Step 2 Click Add and then enter a Name for the report.
To base a report on a predefined template, click Load Template and choose the template. You can then edit the template and save it as a custom report.
Step 3 Select the Database to use for the report.
Each time you create a custom report, a log view report is automatically created. This report shows the logs that were used to build the custom report. The log view report uses the same name as the custom report, but appends the phrase (Log View) to the report name.
When creating a report group, you can include the log view report with the custom report. For more information, see Manage Report Groups.
Step 4 Select the Scheduled check box to run the report each night. The report is then available for viewing in the Reports column on the side.
Step 8 Click OK to save the custom report.
Generate Custom Reports

Examples of Custom Reports

If you want to set up a simple report in which you use the traffic summary database from the last 30 days, and sort the data by the top 10 sessions and these sessions are grouped into 5 groups by day of the week, you would set up the custom report to look like this (screenshot not reproduced), and the PDF output for the report would look as follows (screenshot not reproduced).

Now, if you want to use the query builder to generate a custom report that represents the top consumers of network resources within a user group, you would set up the report to look like this (screenshot not reproduced). The report would display the top users in the product management user group sorted by bytes.
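The Group By / Sort By / Top N semantics described above, as an added example that is not part of the Palo Alto Networks guide: a small Python model of how a custom report is built from aggregated summary rows. The session rows, day values and application categories are constructed for this example; the column names (day, app_category, app_subcategory, risk) are my own labels, not firewall field keys. It reproduces the worked case from the guide (anchored by Day, sorted by Sessions, 5 groups, top 5 rows per group, Last 7 Days) and shows why a busy day outside the time window never reaches the report.

```python
from collections import Counter
from datetime import date, timedelta


def _sessions(day, category, subcategory, risk, count):
    """Constructed session rows: `count` identical sessions on one day."""
    return [{"day": day, "app_category": category,
             "app_subcategory": subcategory, "risk": risk}] * count


# Constructed input; a real run would read the traffic summary database.
SESSIONS = (
    _sessions("2016-05-10", "general-internet", "internet-utility", 4, 100)  # outside window
    + _sessions("2016-05-12", "general-internet", "internet-utility", 4, 12)
    + _sessions("2016-05-12", "collaboration", "email", 3, 5)
    + _sessions("2016-05-13", "general-internet", "internet-utility", 4, 30)
    + _sessions("2016-05-13", "media", "audio-streaming", 2, 8)
    + _sessions("2016-05-13", "business-systems", "management", 1, 3)
    + _sessions("2016-05-14", "general-internet", "internet-utility", 4, 20)
    + _sessions("2016-05-15", "networking", "encrypted-tunnel", 5, 2)
    + _sessions("2016-05-16", "general-internet", "file-sharing", 5, 15)
    + _sessions("2016-05-17", "collaboration", "email", 3, 9)
    + _sessions("2016-05-18", "media", "photo-video", 2, 1)
)


def in_window(row, end_day, days):
    """Time Period filter: the `days` full days before end_day (end_day excluded)."""
    d = date.fromisoformat(row["day"])
    return end_day - timedelta(days=days) <= d < end_day


def aggregate(rows, columns):
    """Collapse rows with identical values in the selected columns into one row
    carrying a 'sessions' repeat count, as the summary database does."""
    counts = Counter(tuple(r[c] for c in columns) for r in rows)
    return [dict(zip(columns, key), sessions=n) for key, n in counts.items()]


def custom_report(rows, columns, group_by, sort_by, groups, top_n, end_day, days):
    """Group By anchors the report: rank group_by values by the sort_by column,
    keep the top `groups` of them, then list the top `top_n` aggregated rows
    inside each kept group, sorted by sort_by."""
    agg = aggregate([r for r in rows if in_window(r, end_day, days)], columns)
    totals = Counter()
    for r in agg:
        totals[r[group_by]] += r[sort_by]
    report = {}
    for group, _ in totals.most_common(groups):
        members = [r for r in agg if r[group_by] == group]
        members.sort(key=lambda r: r[sort_by], reverse=True)
        report[group] = members[:top_n]
    return report


def sample_report():
    """The guide's example: anchored by Day, sorted by Sessions, 5 groups,
    top 5 per group, Last 7 Days (reference day 2016-05-19, constructed)."""
    return custom_report(SESSIONS,
                         ["day", "app_category", "app_subcategory", "risk"],
                         group_by="day", sort_by="sessions", groups=5, top_n=5,
                         end_day=date(2016, 5, 19), days=7)


if __name__ == "__main__":
    for day, rows in sample_report().items():
        print(day, "sessions:", sum(r["sessions"] for r in rows))
        for r in rows:
            print("   ", r["app_category"], r["app_subcategory"], r["risk"], r["sessions"])
```

Note that the anchor ranking uses the sum of the repeat counts per group, so a day with many small distinct sessions can outrank a day with one large aggregated row; that is the same ordering the Sort By column gives the firewall report.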
Generate Botnet Reports

The botnet report enables you to use heuristic and behavior-based mechanisms to identify potential malware- or botnet-infected hosts in your network. To evaluate botnet activity and infected hosts, the firewall correlates user and network activity data in Threat, URL, and Data Filtering logs with the list of malware URLs in PAN-DB, known dynamic DNS domain providers, and domains registered within the last 30 days. You can configure the report to identify hosts that visited those sites, as well as hosts that communicated with Internet Relay Chat (IRC) servers or that used unknown applications. Malware often uses dynamic DNS to avoid IP blacklisting, while IRC servers often use bots for automated functions.

The firewall requires Threat Prevention and URL Filtering licenses to use the botnet report.

You can Use the Automated Correlation Engine to monitor suspicious activities based on additional indicators besides those that the botnet report uses. However, the botnet report is the only tool that uses newly registered domains as an indicator.

- Configure a Botnet Report
- Interpret Botnet Report Output

Configure a Botnet Report

You can schedule a botnet report or run it on demand. The firewall generates scheduled botnet reports every 24 hours because behavior-based detection requires correlating traffic across multiple logs over that time frame.

Configure a Botnet Report

Interpret Botnet Report Output

The botnet report displays a line for each host that is associated with traffic you defined as suspicious when configuring the report. For each host, the report displays a confidence score of 1 to 5 to indicate the likelihood of botnet infection, where 5 indicates the highest likelihood. The scores correspond to threat severity levels: 1 is informational, 2 is low, 3 is medium, 4 is high, and 5 is critical. The firewall bases the scores on:

- Traffic type: Certain HTTP traffic types are more likely to involve botnet activity. For example, the report assigns a higher confidence to hosts that visit known malware URLs than to hosts that browse to IP domains instead of URLs, assuming you defined both those activities as suspicious.
- Number of events: Hosts that are associated with a higher number of suspicious events will have higher confidence scores based on the thresholds (Count values) you define when you Configure a Botnet Report.
- Executable downloads: The report assigns a higher confidence to hosts that download executable files. Executable files are a part of many infections and, when combined with the other types of suspicious traffic, can help you prioritize your investigations of compromised hosts.

When reviewing the report output, you might find that the sources the firewall uses to evaluate botnet activity (for example, the list of malware URLs in PAN-DB) have gaps. You might also find that these sources identify traffic that you consider safe. To compensate in both cases, you can add query filters when you Configure a Botnet Report.
Generate the SaaS Application Usage Report

The SaaS Application Usage PDF report is a two-part report that is based on the notion of sanctioned and unsanctioned applications. A sanctioned application is an application that you formally approve for use on your network; a SaaS application is an application that has the characteristic SaaS=yes in the application details page in Objects > Applications; all other applications are considered non-SaaS. To indicate that you have sanctioned a SaaS or non-SaaS application, you must tag it with the new predefined tag named Sanctioned. The firewall and Panorama consider any application without this predefined tag as unsanctioned for use on the network.

- The first part of the report (8 pages) focuses on the SaaS applications used on your network during the reporting period. It presents a comparison of sanctioned versus unsanctioned SaaS applications by total number of applications used on your network, bandwidth consumed by these applications, and the number of users using these applications. This first part of the report also highlights the top SaaS application subcategories listed in order by maximum number of applications used, the number of users, and the amount of data (bytes) transferred in each application subcategory.
- The second part of the report focuses on the detailed browsing information for SaaS and non-SaaS applications for each application subcategory listed in the first part of the report. For each application in a subcategory, it also includes information about the top users who transferred data, the top blocked or alerted file types, and the top threats for each application. In addition, this section of the report tallies samples for each application that the firewall submitted for WildFire analysis, and the number of samples determined to be benign and malicious.

Use the insights from this report to consolidate the list of business-critical and approved SaaS applications and to enforce policies for controlling unsanctioned applications that pose an unnecessary risk for malware propagation and data leaks.

The predefined SaaS application usage report introduced in PAN-OS 7.0 is still available as a daily report that lists the top 100 SaaS applications (with the SaaS application characteristic, SaaS=yes) running on your network on a given day.

Generate the SaaS Application Usage Report

  4. Click OK and Close to exit all open dialogs.

Step 2 Configure the SaaS Application Usage report.
  1. Select Monitor > PDF Reports > SaaS Application Usage.
  2. Click Add, enter a Name, and select a Time Period for the report (default is Last 7 Days).
     By default, the report includes detailed information on the top SaaS and non-SaaS application subcategories, which can make the report large by page count and file size. Clear the Include detailed application category information in report check box if you want to reduce the file size and restrict the page count to eight pages.
  3. To generate the report on demand, click Run Now. Make sure that the pop-up blocker is disabled on your browser because the report opens in a new tab.
  4. Click OK to save your changes.
Manage PDF Summary Reports

PDF summary reports contain information compiled from existing reports, based on data for the top 5 in each category (instead of top 50). They also contain trend charts that are not available in other reports.

Generate PDF Summary Reports

Step 1 Set up a PDF Summary Report.
  1. Select Monitor > PDF Reports > Manage PDF Summary.
  2. Click Add and then enter a Name for the report.
  3. Use the drop-down for each report group and select one or more of the elements to design the PDF Summary Report. You can include a maximum of 18 report elements.
     To remove an element from the report, click the x icon or clear the selection from the drop-down for the appropriate report group.
     To rearrange the reports, drag and drop the element icons to another area of the report.
  4. Click OK to save the report.
  5. Commit the changes.

Generate PDF Summary Reports
Generate User/Group Activity Reports

User/Group Activity reports summarize the web activity of individual users or user groups. Both reports include the same information except for the Browsing Summary by URL Category and Browse time calculations, which only the User Activity report includes.

You must configure User-ID on the firewall to access the list of users and user groups.

Generate User/Group Activity Reports

Step 2 Generate the User/Group Activity report.
  1. Select Monitor > PDF Reports > User Activity Report.
  2. Click Add and then enter a Name for the report.
  3. Create the report:
     User Activity Report: Select User and enter the Username or IP address (IPv4 or IPv6) of the user.
     Group Activity Report: Select Group and select the Group Name of the user group.
  4. Select the Time Period for the report.
  5. Optionally, select the Include Detailed Browsing check box (default is cleared) to include detailed URL logs in the report.
     The detailed browsing information can include a large volume of logs (thousands of logs) for the selected user or user group and can make the report very large.
  6. To run the report on demand, click Run Now.
  7. To save the report configuration, click OK. You can't save the output of User/Group Activity reports on the firewall. To schedule the report for email delivery, see Schedule Reports for Email Delivery.
Manage Report Groups

Report groups allow you to create sets of reports that the system can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included.

Set up Report Groups

     The Log View report is a report type that is automatically created each time you create a custom report and uses the same name as the custom report. This report will show the logs that were used to build the contents of the custom report.
     To include the log view data, when creating a report group, add your custom report under the Custom Reports list and then add the log view report by selecting the matching report name from the Log View list. The report will include the custom report data and the log data that was used to create the custom report.
  e. Click OK to save the settings.
  f. To use the report group, see Schedule Reports for Email Delivery.
Schedule Reports for Email Delivery

Reports can be scheduled for daily delivery or delivered weekly on a specified day. Scheduled reports are executed starting at 2:00 AM, and email delivery starts after all scheduled reports have been generated.

Schedule Reports for Email Delivery

Step 2 Enter a Name to identify the schedule.
Step 5 Select the frequency at which to generate and send the report in Recurrence.
Step 7 Click OK and Commit.
Use External Services for Monitoring

Using an external service to monitor the firewall enables you to receive alerts for important events, archive monitored information on systems with dedicated long-term storage, and integrate with third-party security monitoring tools. The following are some common scenarios for using external services:

- For immediate notification about important system events or threats, you can Monitor Statistics Using SNMP, Forward Traps to an SNMP Manager, or Configure Email Alerts.
- For long-term log storage and centralized firewall monitoring, you can Configure Syslog Monitoring to send log data to a syslog server. This enables integration with third-party security monitoring tools such as Splunk or ArcSight.
- For monitoring statistics on the IP traffic that traverses firewall interfaces, you can Configure NetFlow Exports to view the statistics in a NetFlow collector.

You can Configure Log Forwarding from the firewalls directly to external services or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.

You can't aggregate NetFlow records on Panorama; you must send them directly from the firewalls to a NetFlow collector.
Configure Log Forwarding

To use Panorama or Use External Services for Monitoring the firewall, you must configure the firewall to forward its logs. Before forwarding to external services, the firewall automatically converts the logs to the necessary format: syslog messages, SNMP traps, or email notifications. Before starting this procedure, ensure that Panorama or the external server that will receive the log data is already set up.

The PA-7000 Series firewall can't forward logs to Panorama, only to external services. However, when you use Panorama to monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the PA-7000 Series firewall in real time to display its log data.

You can forward logs from the firewalls directly to external services or from the firewalls to Panorama and then configure Panorama to forward logs to the servers. Refer to Log Forwarding Options for the factors to consider when deciding where to forward logs.

You can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another firewall. Because the log database is too large for an export or import to be practical on the PA-7000 Series firewall, it does not support these options. You can also use the web interface on all platforms to Manage Reporting, but only on a per-log-type basis, not the entire log database.

Configure Log Forwarding
Configure Email Alerts

You can configure email alerts for System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs.

Configure Email Alerts
Use Syslog for Monitoring

Syslog is a standard log transport mechanism that enables the aggregation of log data from different network devices (such as routers, firewalls, and printers) from different vendors into a central repository for archiving, analysis, and reporting. Palo Alto Networks firewalls can forward every type of log they generate to an external syslog server. You can use TCP or SSL for reliable and secure log forwarding, or UDP for non-secure forwarding. UDP gives neither delivery confirmation nor confidentiality, so logs that cross an untrusted network, or that must be complete for incident response, should go over SSL.

- Configure Syslog Monitoring
- Syslog Field Descriptions

Configure Syslog Monitoring

To Use Syslog for Monitoring a Palo Alto Networks firewall, create a Syslog server profile and assign it to the log settings for each log type. Optionally, you can configure the header format used in syslog messages and enable client authentication for syslog over SSL.

Configure Syslog Monitoring
Syslog Field Descriptions

The following topics list the standard fields of each log type that Palo Alto Networks firewalls can forward to an external server, as well as the severity levels, custom formats, and escape sequences. To facilitate parsing, the delimiter is a comma: each field is a comma-separated value (CSV) string. The FUTURE_USE tag applies to fields that the firewalls do not currently implement.

WildFire Submission logs are a subtype of Threat log and use the same syslog format.

- Traffic Logs
- Threat Logs
- HIP Match Logs
- Config Logs
- System Logs
- Correlated Events (Logs)
- Custom Log/Event Format
- Escape Sequences
Traffic Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source
Field Name (key): Description

Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the firewall that generated the log
Type (type): Specifies type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype): Subtype of traffic log; values are start, end, drop, and deny
  start: session started
  end: session ended
  drop: session dropped before the application is identified and there is no rule that allows the session.
  deny: session dropped after the application is identified and there is a rule to block or no rule that allows the session.
Generated Time (time_generated): Time the log was generated on the dataplane
Source IP (src): Original session source IP address
Destination IP (dst): Original session destination IP address
NAT Source IP (natsrc): If Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst): If Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule): Name of the rule that the session matched
Source User (srcuser): Username of the user who initiated the session
Destination User (dstuser): Username of the user to which the session was destined
Application (app): Application associated with the session
Virtual System (vsys): Virtual System associated with the session
Source Zone (from): Zone the session was sourced from
Destination Zone (to): Zone the session was destined to
Ingress Interface (inbound_if): Interface that the session was sourced from
Egress Interface (outbound_if): Interface that the session was destined to
Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session
Session ID (sessionid): An internal numerical identifier applied to each session
Repeat Count (repeatcnt): Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Source Port (sport): Source port utilized by the session
Destination Port (dport): Destination port utilized by the session
NAT Source Port (natsport): Post-NAT source port
NAT Destination Port (natdport): Post-NAT destination port
Flags (flags): 32-bit field that provides details on the session; this field can be decoded by ANDing the values with the logged value:
  0x80000000: session has a packet capture (PCAP)
  0x02000000: IPv6 session
  0x01000000: SSL session was decrypted (SSL Proxy)
  0x00800000: session was denied via URL filtering
  0x00400000: session has a NAT translation performed (NAT)
  0x00200000: user information for the session was captured via the captive portal (Captive Portal)
  0x00080000: X-Forwarded-For value from a proxy is in the source user field
  0x00040000: log corresponds to a transaction within an http proxy session (Proxy Transaction)
  0x00008000: session is a container page access (Container Page)
  0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
  0x00000800: symmetric return was used to forward traffic for this session
Protocol (proto): IP protocol associated with the session
Action (action): Action taken for the session; possible values are:
  allow: session was allowed by policy
  deny: session was denied by policy
  drop: session was dropped silently
  drop-icmp: session was silently dropped with an ICMP unreachable message to the host or application
  reset-both: session was terminated and a TCP reset is sent to both the sides of the connection
  reset-client: session was terminated and a TCP reset is sent to the client
  reset-server: session was terminated and a TCP reset is sent to the server
Bytes (bytes): Number of total bytes (transmit and receive) for the session
Bytes Sent (bytes_sent): Number of bytes in the client-to-server direction of the session. Available on all models except the PA-4000 Series
Bytes Received (bytes_received): Number of bytes in the server-to-client direction of the session. Available on all models except the PA-4000 Series
Packets (packets): Number of total packets (transmit and receive) for the session
Start Time (start): Time of session start
Elapsed Time (elapsed): Elapsed time of the session
Category (category): URL category associated with the session (if applicable)
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama
Source Location (srcloc): Source country or Internal region for private addresses; maximum length is 32 bytes
Destination Location (dstloc): Destination country or Internal region for private addresses; maximum length is 32 bytes
Packets Sent (pkts_sent): Number of client-to-server packets for the session. Available on all models except the PA-4000 Series
Packets Received (pkts_received): Number of server-to-client packets for the session. Available on all models except the PA-4000 Series
Session End Reason (session_end_reason): The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
  threat: The firewall detected a threat associated with a reset, drop, or block (IP address) action.
  policy-deny: The session matched a security rule with a deny or drop action.
  decrypt-cert-validation: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification timeout. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
  decrypt-unsupport-param: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
  decrypt-error: The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
  tcp-rst-from-client: The client sent a TCP reset to the server.
  tcp-rst-from-server: The server sent a TCP reset to the client.
  resources-unavailable: The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
  tcp-fin: One host or both hosts in the connection sent a TCP FIN message to close the session.
  tcp-reuse: A session is reused and the firewall closes the previous session.
  decoder: The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
  aged-out: The session aged out.
  unknown: This value applies in the following situations:
    Session terminations that the preceding reasons do not cover (for example, a clear session all command).
    For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
    In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.
  n/a: This value applies when the traffic log type is not end.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
Action Source (action_source): Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
Threat Logs

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_id, File digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE,
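Below is an added example in Python, not code from the Palo Alto Networks guide, that works the two Format lists above (Traffic Logs and Threat Logs) into something a SIEM rule can use: it splits a forwarded log body into named fields, decodes the Flags bitfield using the bit values from the field tables, classifies a Threat ID by the numeric ranges the Threat Logs table gives, and rebuilds the device-group path from the dg_hier_level fields (0 marks an unused level; the shared group is never listed). The two sample lines are constructed for this example: the serial number, rule names, user, addresses, signature name and signature number 31234 are invented, and the short keys I assigned to the trailing Threat fields (url_index, user_agent, filetype, xff, referer, sender, subject, recipient, reportid) are my own labels because those keys are not shown in this excerpt. The parser expects the CSV body after the syslog header has been removed; the Miscellaneous (URL) field is handled as a double-quoted CSV value so an embedded comma does not shift later fields.

```python
import csv
import re

# Field order copied from the Traffic Logs and Threat Logs "Format:" lists above.
# Keys are the ones shown in parentheses in the field tables; the keys for the
# trailing Threat fields (URL Index .. Report ID) are this example's own labels.
TRAFFIC_FIELDS = (
    "FUTURE_USE receive_time serial type subtype FUTURE_USE time_generated src dst "
    "natsrc natdst rule srcuser dstuser app vsys from to inbound_if outbound_if "
    "logset FUTURE_USE sessionid repeatcnt sport dport natsport natdport flags proto "
    "action bytes bytes_sent bytes_received packets start elapsed category FUTURE_USE "
    "seqno actionflags srcloc dstloc FUTURE_USE pkts_sent pkts_received "
    "session_end_reason dg_hier_level_1 dg_hier_level_2 dg_hier_level_3 "
    "dg_hier_level_4 vsys_name device_name action_source"
).split()
THREAT_FIELDS = (
    "FUTURE_USE receive_time serial type subtype FUTURE_USE time_generated src dst "
    "natsrc natdst rule srcuser dstuser app vsys from to inbound_if outbound_if "
    "logset FUTURE_USE sessionid repeatcnt sport dport natsport natdport flags proto "
    "action misc threatid category severity direction seqno actionflags srcloc dstloc "
    "FUTURE_USE contenttype pcap_id filedigest cloud url_index user_agent filetype "
    "xff referer sender subject recipient reportid dg_hier_level_1 dg_hier_level_2 "
    "dg_hier_level_3 dg_hier_level_4 vsys_name device_name FUTURE_USE"
).split()
assert len(TRAFFIC_FIELDS) == 54 and len(THREAT_FIELDS) == 61

# Documented Flags bits, most significant first (from the field tables).
FLAG_BITS = {
    0x80000000: "pcap", 0x02000000: "ipv6", 0x01000000: "ssl-decrypted",
    0x00800000: "url-denied", 0x00400000: "nat", 0x00200000: "captive-portal",
    0x00080000: "x-forwarded-for", 0x00040000: "proxy-transaction",
    0x00008000: "container-page", 0x00002000: "implicit-app-dependency",
    0x00000800: "symmetric-return",
}
# Threat ID number spaces from the Threat Logs table (low, high, class).
THREAT_ID_RANGES = [
    (8000, 8099, "scan"), (8500, 8599, "flood"), (9999, 9999, "url"),
    (10000, 19999, "spyware-phone-home"), (20000, 29999, "spyware-download"),
    (30000, 44999, "vulnerability"), (52000, 52999, "file-type"),
    (60000, 69999, "data-filtering"), (1000000, 2999999, "virus"),
    (3000000, 3999999, "wildfire"), (4000000, 4999999, "dns-botnet"),
]
THREAT_ID_RE = re.compile(r"^(.*?)\((\d+)\)$")  # "description(number)"

# Constructed sample bodies (syslog header already stripped); every value is invented.
SAMPLE_TRAFFIC = ",".join([
    "1", "2016/05/19 10:15:01", "001606000001", "TRAFFIC", "end", "1",
    "2016/05/19 10:15:01", "10.1.1.25", "203.0.113.10", "198.51.100.5",
    "203.0.113.10", "allow-web", "acme\\alice", "", "web-browsing", "vsys1",
    "trust", "untrust", "ethernet1/2", "ethernet1/1", "fwd-to-siem", "1",
    "123456", "1", "51234", "443", "18443", "443", "0x80400000", "tcp", "allow",
    "8450", "2100", "6350", "24", "2016/05/19 10:14:55", "6",
    "computer-and-internet-info", "1", "9876543210", "0x0",
    "10.0.0.0-10.255.255.255", "US", "1", "12", "12", "tcp-fin",
    "12", "34", "45", "0", "vsys1", "fw-edge-01", "from-policy",
])
SAMPLE_THREAT = ",".join([
    "1", "2016/05/19 10:16:40", "001606000001", "THREAT", "vulnerability", "1",
    "2016/05/19 10:16:40", "198.51.100.77", "10.1.1.40", "198.51.100.77",
    "10.1.1.40", "allow-inbound-web", "", "", "web-browsing", "vsys1",
    "untrust", "trust", "ethernet1/1", "ethernet1/2", "fwd-to-siem", "1",
    "234567", "1", "44821", "80", "0", "0", "0x80000000", "tcp", "reset-both",
    '"/cgi-bin/status?x=1,y=2"', "Constructed Test Signature(31234)", "any",
    "high", "0", "9876543211", "0x0", "US", "10.0.0.0-10.255.255.255", "1",
    "", "1200000000000001", "", "", "0", "Mozilla/5.0", "", "", "", "", "", "",
    "", "12", "34", "45", "0", "vsys1", "fw-edge-01", "1",
])


def parse_log(body):
    """Split one forwarded log body into a dict keyed by the documented field keys."""
    values = next(csv.reader([body]))  # honours the double-quoted misc/URL field
    fields = {"traffic": TRAFFIC_FIELDS, "threat": THREAT_FIELDS}.get(values[3].lower())
    if fields is None:
        raise ValueError("unsupported log type: %r" % values[3])
    if len(values) < len(fields):
        raise ValueError("expected %d fields, got %d" % (len(fields), len(values)))
    # Fields beyond the documented format (a newer release) are ignored, not mis-keyed.
    return {k: v for k, v in zip(fields, values) if k != "FUTURE_USE"}


def decode_flags(flags_value):
    """Names of the documented Flags bits set in the hex value, e.g. '0x80400000'."""
    value = int(flags_value, 16)
    return [name for bit, name in FLAG_BITS.items() if value & bit]


def threat_info(record):
    """(description, numeric id, detection class) from a Threat log's threatid field."""
    m = THREAT_ID_RE.match(record["threatid"])
    if not m:
        return record["threatid"], None, "unknown"
    tid = int(m.group(2))
    kind = next((k for lo, hi, k in THREAT_ID_RANGES if lo <= tid <= hi), "unknown")
    return m.group(1), tid, kind


def device_group_path(record):
    """Device group ancestry, outermost first; level values of 0 are unused."""
    levels = [int(record["dg_hier_level_%d" % i]) for i in range(1, 5)]
    return [lvl for lvl in levels if lvl != 0]


if __name__ == "__main__":
    t = parse_log(SAMPLE_TRAFFIC)
    print(t["src"], "->", t["dst"], t["action"], t["session_end_reason"], decode_flags(t["flags"]))
    th = parse_log(SAMPLE_THREAT)
    print(th["severity"], threat_info(th), "c2s" if th["direction"] == "0" else "s2c", th["misc"])
```

The pcap flag on a Threat log is worth checking before an investigation: per the PCAP ID field, a pcap_id of 0 means no capture exists even when the Flags bit says a capture was taken for the session.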
Field Name (key): Description

Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the firewall that generated the log
Type (type): Specifies type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype): Subtype of threat log. Values include the following:
  data: Data pattern matching a Data Filtering profile.
  file: File type matching a File Blocking profile.
  flood: Flood detected via a Zone Protection profile.
  packet: Packet-based attack protection triggered by a Zone Protection profile.
  scan: Scan detected via a Zone Protection profile.
  spyware: Spyware detected via an Anti-Spyware profile.
  url: URL filtering log.
  virus: Virus detected via an Antivirus profile.
  vulnerability: Vulnerability exploit detected via a Vulnerability Protection profile.
  wildfire: A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malicious, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
  wildfire-virus: Virus detected via an Antivirus profile.
Generated Time (time_generated): Time the log was generated on the dataplane
Source IP (src): Original session source IP address
Destination IP (dst): Original session destination IP address
NAT Source IP (natsrc): If source NAT performed, the post-NAT source IP address
NAT Destination IP (natdst): If destination NAT performed, the post-NAT destination IP address
Rule Name (rule): Name of the rule that the session matched
Source User (srcuser): Username of the user who initiated the session
Destination User (dstuser): Username of the user to which the session was destined
Application (app): Application associated with the session
Virtual System (vsys): Virtual System associated with the session
Source Zone (from): Zone the session was sourced from
Destination Zone (to): Zone the session was destined to
Ingress Interface (inbound_if): Interface that the session was sourced from
Egress Interface (outbound_if): Interface that the session was destined to
Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session
Session ID (sessionid): An internal numerical identifier applied to each session
Repeat Count (repeatcnt): Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Source Port (sport): Source port utilized by the session
Destination Port (dport): Destination port utilized by the session
NAT Source Port (natsport): Post-NAT source port
NAT Destination Port (natdport): Post-NAT destination port
Flags (flags): 32-bit field that provides details on the session; this field can be decoded by ANDing the values with the logged value:
  0x80000000: session has a packet capture (PCAP)
  0x02000000: IPv6 session
  0x01000000: SSL session was decrypted (SSL Proxy)
  0x00800000: session was denied via URL filtering
  0x00400000: session has a NAT translation performed (NAT)
  0x00200000: user information for the session was captured via the captive portal (Captive Portal)
  0x00080000: X-Forwarded-For value from a proxy is in the source user field
  0x00040000: log corresponds to a transaction within an http proxy session (Proxy Transaction)
  0x00008000: session is a container page access (Container Page)
  0x00002000: session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above
  0x00000800: symmetric return was used to forward traffic for this session
Protocol (proto): IP protocol associated with the session
Action (action): Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
  alert: threat or URL detected but not blocked
  allow: flood detection alert
  deny: flood detection mechanism activated and deny traffic based on configuration
  drop: threat detected and associated session was dropped
  drop-all-packets: threat detected and session remains, but drops all packets
  reset-client: threat detected and a TCP RST is sent to the client
  reset-server: threat detected and a TCP RST is sent to the server
  reset-both: threat detected and a TCP RST is sent to both the client and the server
  block-url: URL request was blocked because it matched a URL category that was set to be blocked
Miscellaneous (misc): Field with variable length with a maximum of 1023 characters
  The actual URI when the subtype is url
  File name or file type when the subtype is file
  File name when the subtype is virus
  File name when the subtype is wildfire
Threat ID (threatid): Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes:
  8000-8099: scan detection
  8500-8599: flood detection
  9999: URL filtering log
  10000-19999: spyware phone home detection
  20000-29999: spyware download detection
  30000-44999: vulnerability exploit detection
  52000-52999: file type detection
  60000-69999: data filtering detection
  1000000-2999999: virus detection
  3000000-3999999: WildFire signature feed
  4000000-4999999: DNS Botnet signatures
Category (category): For URL Subtype, it is the URL Category; for WildFire subtype, it is the verdict on the file and is either malicious, grayware, or benign; for other subtypes, the value is any.
Severity (severity): Severity associated with the threat; values are informational, low, medium, high, critical
Direction (direction): Indicates the direction of the attack, client-to-server or server-to-client:
  0: direction of the threat is client-to-server
  1: direction of the threat is server-to-client
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama.
Source Location (srcloc): Source country or Internal region for private addresses. Maximum length is 32 bytes.
Destination Location (dstloc): Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Content Type (contenttype): Applicable only when Subtype is URL. Content type of the HTTP response data. Maximum length 32 bytes.
PCAP ID (pcap_id): The packet capture (pcap) ID is a 64-bit unsigned integer denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file.
File Digest (filedigest): Only for WildFire subtype; all other types do not use this field. The file digest string shows the binary hash of the file sent to be analyzed by the WildFire service.
Cloud (cloud): Only for WildFire subtype; all other types do not use this field. The cloud string displays the FQDN of either the WildFire appliance (private) or the
WildFirecloud(public)fromwherethefilewasuploadedforanalysis.
FieldName Description
URLIndex(url_idx) UsedinURLFilteringandWildFiresubtypes.
WhenanapplicationusesTCPkeepalivestokeepaconnectionopenforalengthof
time,allthelogentriesforthatsessionhaveasinglesessionID.Insuchcases,when
youhaveasinglethreatlog(andsessionID)thatincludesmultipleURLentries,the
url_idxisacounterthatallowsyoutocorrelatetheorderofeachlogentrywithinthe
singlesession.
Forexample,tolearntheURLofafilethatthefirewallforwardedtoWildFirefor
analysis,locatethesessionIDandtheurl_idxfromtheWildFireSubmissionslogand
searchforthesamesessionIDandurl_idxinyourURLfilteringlogs.Thelogentry
thatmatchesthesessionIDandurl_idxwillcontaintheURLofthefilethatwas
forwardedtoWildFire.
UserAgent(user_agent) OnlyfortheURLFilteringsubtype;allothertypesdonotusethisfield.
TheUserAgentfieldspecifiesthewebbrowserthattheuserusedtoaccesstheURL,
forexampleInternetExplorer.ThisinformationissentintheHTTPrequesttothe
server.
FileType(filetype) OnlyforWildFiresubtype;allothertypesdonotusethisfield.
SpecifiesthetypeoffilethatthefirewallforwardedforWildFireanalysis.
XForwardedFor(xff) OnlyfortheURLFilteringsubtype;allothertypesdonotusethisfield.
TheXForwardedForfieldintheHTTPheadercontainstheIPaddressoftheuser
whorequestedthewebpage.ItallowsyoutoidentifytheIPaddressoftheuser,
whichisusefulparticularlyifyouhaveaproxyserveronyournetworkthatreplaces
theuserIPaddresswithitsownaddressinthesourceIPaddressfieldofthepacket
header.
Referer(referer) OnlyfortheURLFilteringsubtype;allothertypesdonotusethisfield.
TheRefererfieldintheHTTPheadercontainstheURLofthewebpagethatlinked
theusertoanotherwebpage;itisthesourcethatredirected(referred)theuserto
thewebpagethatisbeingrequested.
Sender(sender) OnlyforWildFiresubtype;allothertypesdonotusethisfield.
SpecifiesthenameofthesenderofanemailthatWildFiredeterminedtobemalicious
whenanalyzinganemaillinkforwardedbythefirewall.
Subject(subject) OnlyforWildFiresubtype;allothertypesdonotusethisfield.
SpecifiesthesubjectofanemailthatWildFiredeterminedtobemaliciouswhen
analyzinganemaillinkforwardedbythefirewall.
Recipient(recipient) OnlyforWildFiresubtype;allothertypesdonotusethisfield.
SpecifiesthenameofthereceiverofanemailthatWildFiredeterminedtobe
maliciouswhenanalyzinganemaillinkforwardedbythefirewall.
ReportID(reportid) OnlyforWildFiresubtype;allothertypesdonotusethisfield.
IdentifiestheanalysisrequestontheWildFirecloudortheWildFireappliance.
FieldName Description
DeviceGroupHierarchy Asequenceofidentificationnumbersthatindicatethedevicegroupslocationwithin
(dg_hier_level_1to adevicegrouphierarchy.Thefirewall(orvirtualsystem)generatingthelogincludes
dg_hier_level_4) theidentificationnumberofeachancestorinitsdevicegrouphierarchy.Theshared
devicegroup(level0)isnotincludedinthisstructure.
Ifthelogvaluesare12,34,45,0,itmeansthatthelogwasgeneratedbyafirewall
(orvirtualsystem)thatbelongstodevicegroup45,anditsancestorsare34,and12.
Toviewthedevicegroupnamesthatcorrespondtothevalue12,34or45,useone
ofthefollowingmethods:
CLIcommandinconfiguremode:show readonly dg-meta-data
APIquery:
/api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
VirtualSystemName Thenameofthevirtualsystemassociatedwiththesession;onlyvalidonfirewalls
(vsys_name) enabledformultiplevirtualsystems.
DeviceName(device_name) Thehostnameofthefirewallonwhichthesessionwaslogged.
HIP Match Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source User, Virtual System, Machine Name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Receive Time (receive_time): Time the log was received at the management plane.
Serial Number (serial): Serial number of the firewall that generated the log.
Type (type): Type of log; values are traffic, threat, config, system, and hip-match.
Subtype (subtype): Subtype of HIP match log; unused.
Generated Time (time_generated): Time the log was generated on the dataplane.
Source User (srcuser): Username of the user who initiated the session.
Virtual System (vsys): Virtual system associated with the HIP match log.
Machine Name (machinename): Name of the user's machine.
OS: The operating system installed on the user's machine or device (the client system).
Source Address (src): IP address of the source user.
HIP (matchname): Name of the HIP object or profile.
Repeat Count (repeatcnt): Number of times the HIP profile matched.
HIP Type (matchtype): Whether the HIP field represents a HIP object or a HIP profile.
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating whether the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicates the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, whose ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
Config Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail, After Change Detail, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Receive Time (receive_time): Time the log was received at the management plane.
Serial Number (serial): Serial number of the device that generated the log.
Type (type): Type of log; values are traffic, threat, config, system, and hip-match.
Subtype (subtype): Subtype of configuration log; unused.
Generated Time (time_generated): Time the log was generated on the dataplane.
Host (host): Hostname or IP address of the client machine.
Virtual System (vsys): Virtual system associated with the configuration log.
Command (cmd): Command performed by the administrator; values are add, clone, commit, delete, edit, move, rename, set.
Admin (admin): Username of the administrator performing the configuration.
Client (client): Client used by the administrator; values are Web and CLI.
Result (result): Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized.
Configuration Path (path): The path of the configuration command issued; up to 512 bytes in length.
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating whether the log was forwarded to Panorama.
Before Change Detail (before_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.
After Change Detail (after_change_detail): This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicates the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, whose ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
System Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name

Receive Time (receive_time): Time the log was received at the management plane.
Serial Number (serial): Serial number of the firewall that generated the log.
Type (type): Type of log; values are traffic, threat, config, system, and hip-match.
Subtype (subtype): Subtype of the system log; refers to the system daemon generating the log. Values are crypto, dhcp, dnsproxy, dos, general, globalprotect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (time_generated): Time the log was generated on the dataplane.
Virtual System (vsys): Virtual system associated with the system log.
Event ID (eventid): String showing the name of the event.
Object (object): Name of the object associated with the system event.
Module (module): Valid only when the Subtype field is general. It provides additional information about the subsystem generating the log; values are general, management, auth, ha, upgrade, chassis.
Severity (severity): Severity associated with the event; values are informational, low, medium, high, critical.
Description (opaque): Detailed description of the event, up to a maximum of 512 bytes.
Sequence Number (seqno): A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags): A bit field indicating whether the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicates the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, whose ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name): The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name): The hostname of the firewall on which the session was logged.
Correlated Events (Logs)
Format: the field list printed for this log type in this edition duplicates the System log format and is not reproduced here; the fields of a correlated event log are described below.

Log ID (logid), ID (id), Match OID (match_oid), Object ID (objectid): Identifiers of the correlated event entry and of the correlation object it matched; this edition does not describe them individually.
Version (version): The version of the Correlation Objects content update, as pushed by Palo Alto Networks.
Virtual System (vsys): Virtual system associated with the correlated event.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4): A sequence of identification numbers that indicates the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, whose ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Window (window)
Source User (srcuser): Username of the user who initiated the event.
Source (src): IP address of the user who initiated the event.
Last Update Time (last_update_time): The last time the events in the correlated event were updated with more information.
Severity (severity): Severity associated with the event; values are informational, low, medium, high, critical.
Match Time (match_time): The time that the event match was recorded.
Object Name (objectname): Name of the correlation object that was matched.
Summary (summary): A summary statement that indicates how many times the host has matched the conditions defined in the correlation object. For example, "Host visited known malware URL (19 times)".
Syslog Severity
The syslog severity is set based on the log type and contents.

Log Type / Severity           Syslog Severity
Traffic                       Info
Config                        Info
Threat/System Informational   Info
Threat/System Low             Notice
Threat/System Medium          Warning
Threat/System High            Error
Threat/System Critical        Critical

Custom Log/Event Format
To facilitate integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key:Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.
To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.

Escape Sequences
Any field that contains a comma or a double quote is enclosed in double quotes. Furthermore, if a double quote appears inside a field it is escaped by preceding it with another double quote. To maintain backward compatibility, the Misc field in the threat log is always enclosed in double quotes.
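A parser for these logs has to apply the escape rules above before it can read any field, and then decode the fields that are not plain strings: the Flags bit mask, the Threat ID string with its numeric identifier and range-based category, the device group hierarchy levels, and the mapping from log type and severity to syslog severity. The following is an added example, not code from the guide or from Palo Alto Networks; it implements those decodings from the tables in this section. The sample message body, threat signature names, and numeric IDs in it are constructed for illustration, and the message body is a fragment rather than a full threat log line, so no field positions are assumed.

```python
"""Decode PAN-OS 7.1 Threat log fields and the syslog quoting rules (added example)."""
import csv
import io
import re

# Flag masks from the Flags (flags) field description, in table order.
THREAT_FLAGS = {
    0x80000000: "pcap",
    0x02000000: "ipv6",
    0x01000000: "ssl-decrypted",
    0x00800000: "url-denied",
    0x00400000: "nat",
    0x00200000: "captive-portal",
    0x00080000: "x-forwarded-for",
    0x00040000: "proxy-transaction",
    0x00008000: "container-page",
    0x00002000: "temporary-rule-match",
    0x00000800: "symmetric-return",
}

# Numeric identifier ranges from the Threat ID (threatid) field description.
THREAT_ID_RANGES = (
    (8000, 8099, "scan"),
    (8500, 8599, "flood"),
    (9999, 9999, "url-filtering"),
    (10000, 19999, "spyware-phone-home"),
    (20000, 29999, "spyware-download"),
    (30000, 44999, "vulnerability"),
    (52000, 52999, "file-type"),
    (60000, 69999, "data-filtering"),
    (1000000, 2999999, "virus"),
    (3000000, 3999999, "wildfire-signature"),
    (4000000, 4999999, "dns-botnet"),
)

# Threat/System severity to syslog severity, from the Syslog Severity table.
SYSLOG_SEVERITY = {
    "informational": "info",
    "low": "notice",
    "medium": "warning",
    "high": "error",
    "critical": "critical",
}

# "Description string(numeric id)"; the id is present only for some subtypes.
THREAT_ID_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<id>\d+)\)\s*$")


def split_fields(message):
    """Split one message body into fields under the Escape Sequences rules:
    a field containing a comma or double quote is enclosed in double quotes,
    and a double quote inside such a field is doubled.  Those are exactly the
    rules the csv module implements, so no hand-written parser is needed."""
    return next(csv.reader(io.StringIO(message), delimiter=",",
                           quotechar='"', doublequote=True))


def decode_flags(value):
    """Names of the flag bits set in a logged flags value ("0x400000" or a
    decimal string), in the order the table lists them."""
    bits = int(value, 0)
    return [name for mask, name in THREAT_FLAGS.items() if bits & mask]


def parse_threat_id(field):
    """Return (description, numeric id or None, category or None)."""
    match = THREAT_ID_RE.match(field)
    if not match:
        return field, None, None
    tid = int(match.group("id"))
    category = next((cat for lo, hi, cat in THREAT_ID_RANGES if lo <= tid <= hi), "unknown")
    return match.group("name"), tid, category


def syslog_severity(log_type, severity=None):
    """Traffic and Config logs are always info; Threat and System logs map
    through their PAN-OS severity."""
    if log_type.lower() in ("traffic", "config"):
        return "info"
    return SYSLOG_SEVERITY[severity.lower()]


def device_group_path(levels):
    """Interpret dg_hier_level_1..4: 0 pads unused levels and the shared group
    is never included, so ["12", "34", "45", "0"] -> (45, [34, 12]), i.e. own
    device group first, then ancestors from nearest to farthest."""
    ids = [int(x) for x in levels if int(x) != 0]
    if not ids:
        return None, []
    return ids[-1], ids[-2::-1]


if __name__ == "__main__":
    # Constructed fragment: a quoted field carrying a comma and an embedded quote.
    sample = 'THREAT,url,"http://example.invalid/a,b?q=""1""",0x400000'
    print(split_fields(sample))
    print(decode_flags("0x01400000"))
    print(parse_threat_id("Example Exploit Signature(31914)"))  # constructed name/id
    print(syslog_severity("threat", "high"))
    print(device_group_path(["12", "34", "45", "0"]))
```

If you feed complete log lines into split_fields, strip the syslog header first and take the field positions from the Format line of the relevant log type; the Misc field of threat logs is quoted even when it contains neither a comma nor a quote, which the csv module handles transparently.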
SNMP Monitoring and Traps
The following topics describe how Palo Alto Networks firewalls, Panorama, and WF-500 appliances implement Simple Network Management Protocol (SNMP), and the procedures to configure SNMP monitoring and trap delivery.
- SNMP Support
- Use an SNMP Manager to Explore MIBs and Objects
- Enable SNMP Services for Firewall-Secured Network Elements
- Monitor Statistics Using SNMP
- Forward Traps to an SNMP Manager
- Supported MIBs

SNMP Support
You can use a Simple Network Management Protocol (SNMP) manager to monitor event-driven alerts and operational statistics for the firewall, Panorama, or WF-500 appliance and for the traffic they process. The statistics and traps can help you identify resource limitations, system changes or failures, and malware attacks. You configure alerts by forwarding log data as traps, and enable the delivery of statistics in response to GET messages (requests) from your SNMP manager. Each trap and statistic has an object identifier (OID). Related OIDs are organized hierarchically within the Management Information Bases (MIBs) that you load into the SNMP manager to enable monitoring.
When an event triggers SNMP trap generation (for example, an interface goes down), the firewall, Panorama virtual appliance, M-Series appliance, and WF-500 appliance respond by updating the corresponding SNMP object (for example, the interfaces MIB) instead of waiting for the periodic update of all objects that occurs every ten seconds. This ensures that your SNMP manager displays the latest information when polling an object to confirm an event.
The firewall, Panorama, and WF-500 appliance support SNMP Version 2c and Version 3. Decide which to use based on the version that other devices in your network support and on your network security requirements. SNMPv3 is more secure and enables more granular access control for system statistics than SNMPv2c: v2c authenticates only with a cleartext community string, whereas v3 adds per-user authentication and optional encryption of the messages. The following table (not reproduced in this edition) summarizes the security features of each version. You select the version and configure the security features when you Monitor Statistics Using SNMP and Forward Traps to an SNMP Manager.
Figure: SNMP Implementation illustrates a deployment in which firewalls forward traps to an SNMP manager while also forwarding logs to Log Collectors. Alternatively, you could configure the Log Collectors to forward the firewall traps to the SNMP manager. For details on these deployments, refer to Log Forwarding Options. In all deployments, the SNMP manager gets statistics directly from the firewall, Panorama, or WF-500 appliance. In this example, a single SNMP manager collects both traps and statistics, though you can use separate managers for these functions if that better suits your network.
Figure: SNMP Implementation

Use an SNMP Manager to Explore MIBs and Objects
To use SNMP for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must first load the Supported MIBs into your SNMP manager and determine which object identifiers (OIDs) correspond to the system statistics and traps you want to monitor. The following topics provide an overview of how to find OIDs and MIBs in an SNMP manager. For the specific steps to perform these tasks, refer to your SNMP management software.
- Identify a MIB Containing a Known OID
- Walk a MIB
- Identify the OID for a System Statistic or Trap

Identify a MIB Containing a Known OID
If you already know the OID for a particular SNMP object (statistic or trap) and want to know the OIDs of similar objects so you can monitor them, you can explore the MIB that contains the known OID.
Step 1  Load all the Supported MIBs into your SNMP manager.
Step 2  Search the entire MIB tree for the known OID. The search result displays the MIB path for the OID, as well as information about the OID (for example, name, status, and description). You can then select other OIDs in the same MIB to see information about them.
Step 3  Optionally, Walk a MIB to display all its objects.

Walk a MIB
If you want to see which SNMP objects (system statistics and traps) are available for monitoring, displaying all the objects of a particular MIB can be useful. To do this, load the Supported MIBs into your SNMP manager and perform a walk on the desired MIB. To list the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, walk the panCommonEventEventsV2 MIB. In the following example, walking PAN-COMMON-MIB.my displays a list of OIDs and their values for certain statistics:
(figure: example MIB walk output, not reproduced in this edition)

Identify the OID for a System Statistic or Trap
To use an SNMP manager for monitoring Palo Alto Networks firewalls, Panorama, or WF-500 appliances, you must know the OIDs of the system statistics and traps you want to monitor.
Step 1  Review the Supported MIBs to determine which one contains the type of statistic you want. For example, PAN-COMMON-MIB.my contains hardware version information. The panCommonEventEventsV2 MIB contains all the traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support.
Step 3  In a MIB browser, search the MIB tree for the identified object name to display its OID. For example, the panSysHwVersion object has an OID of 1.3.6.1.4.1.25461.2.1.2.1.2.
Enable SNMP Services for Firewall-Secured Network Elements
If you will use Simple Network Management Protocol (SNMP) to monitor or manage network elements (for example, switches and routers) that are within the security zones of Palo Alto Networks firewalls, you must create a security rule that allows SNMP services for those elements.
You don't need a security rule to enable SNMP monitoring of Palo Alto Networks firewalls, Panorama, or WF-500 appliances. For details, see Monitor Statistics Using SNMP.

Monitor Statistics Using SNMP
The statistics that a Simple Network Management Protocol (SNMP) manager collects from Palo Alto Networks firewalls can help you gauge the health of your network (systems and connections), identify resource limitations, and monitor traffic or processing loads. The statistics include information such as interface states (up or down), active user sessions, concurrent sessions, session utilization, temperature, and system uptime.
You can't configure an SNMP manager to control Palo Alto Networks firewalls (using SET messages), only to collect statistics from them (using GET messages).
For details on how SNMP is implemented for Palo Alto Networks firewalls, see SNMP Support.

Forward Traps to an SNMP Manager
Simple Network Management Protocol (SNMP) traps can alert you to system events (failures or changes in hardware or software of Palo Alto Networks firewalls) or to threats (traffic that matches a firewall security rule) that require immediate attention.
To see the list of traps that Palo Alto Networks firewalls support, use your SNMP manager to access the panCommonEventEventsV2 MIB. For details, see Use an SNMP Manager to Explore MIBs and Objects.
For details on how Palo Alto Networks firewalls implement SNMP, see SNMP Support.

Supported MIBs
The following table lists the Simple Network Management Protocol (SNMP) management information bases (MIBs) that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support. You must load these MIBs into your SNMP manager to monitor the objects (system statistics and traps) that are defined in the MIBs. For details, see Use an SNMP Manager to Explore MIBs and Objects.

MIB Type: Standard
The Internet Engineering Task Force (IETF) maintains most standard MIBs. You can download the MIBs from the IETF website. Palo Alto Networks firewalls, Panorama, and WF-500 appliances don't support every object (OID) in every one of these MIBs; see the Supported MIBs links for an overview of the supported OIDs.
Supported MIBs: MIB-II, IF-MIB, HOST-RESOURCES-MIB, ENTITY-MIB, ENTITY-SENSOR-MIB, ENTITY-STATE-MIB, IEEE 802.3 LAG MIB, LLDP-V2-MIB.my, BFD-STD-MIB

MIB Type: Enterprise
You can download the enterprise MIBs from the Palo Alto Networks Technical Documentation site.
Supported MIBs: PAN-COMMON-MIB.my, PAN-GLOBAL-REG-MIB.my, PAN-GLOBAL-TC-MIB.my, PAN-LC-MIB.my, PAN-PRODUCT-MIB.my, PAN-ENTITY-EXT-MIB.my, PAN-TRAPS.my
MIB-II
MIB-II provides object identifiers (OIDs) for network management protocols in TCP/IP-based networks. Use this MIB to monitor general information about systems and interfaces. For example, you can analyze trends in bandwidth usage by interface type (ifType object) to determine whether the firewall needs more interfaces of that type to accommodate spikes in traffic volume.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the following object groups:
system: Provides system information such as the hardware model, system uptime, FQDN, and physical location.
interfaces: Provides statistics for physical and logical interfaces such as type, current bandwidth (speed), operational status (for example, up or down), and discarded packets. Logical interface support includes VPN tunnels, aggregate groups, Layer 2 subinterfaces, Layer 3 subinterfaces, loopback interfaces, and VLAN interfaces.
RFC 1213 defines this MIB.

IF-MIB
IF-MIB supports interface types (physical and logical) and larger, 64-bit counters beyond those defined in MIB-II. Use this MIB to monitor interface statistics in addition to those that MIB-II provides. For example, to monitor the current bandwidth of high-speed interfaces (greater than 2.2 Gbps) such as the 10G interfaces of the PA-5000 Series firewalls, you must check the ifHighSpeed object in IF-MIB instead of the ifSpeed object in MIB-II, whose 32-bit value cannot represent such speeds. IF-MIB statistics can be useful when evaluating the capacity of your network.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only the ifXTable in IF-MIB, which provides interface information such as the number of multicast and broadcast packets transmitted and received, whether an interface is in promiscuous mode, and whether an interface has a physical connector.
RFC 2863 defines this MIB.

HOST-RESOURCES-MIB
HOST-RESOURCES-MIB provides information for host computer resources. Use this MIB to monitor CPU and memory usage statistics. For example, checking the current CPU load (hrProcessorLoad object) can help you troubleshoot performance issues on the firewall.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support portions of the following object groups:
hrDevice: Provides information such as CPU load, storage capacity, and partition size. The hrProcessorLoad OIDs provide an average of the cores that process packets. For the PA-5060 firewall, which has multiple dataplanes (DPs), the average is of the cores across all three DPs that process packets.
hrSystem: Provides information such as system uptime, number of current user sessions, and number of current processes.
hrStorage: Provides information such as the amount of used storage.
RFC 2790 defines this MIB.

ENTITY-MIB
ENTITY-MIB provides OIDs for multiple logical and physical components. Use this MIB to determine what physical components are loaded on a system (for example, fans and temperature sensors) and to see related information such as models and serial numbers. You can also use the index numbers for these components to determine their operational status in the ENTITY-SENSOR-MIB and ENTITY-STATE-MIB.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhysicalTable group:
entPhysicalIndex: A single namespace that includes disk slots and disk drives.
entPhysicalDescr: The component description.
entPhysicalVendorType: The sysObjectID (see PAN-PRODUCT-MIB.my) when it is available (chassis and module objects).
entPhysicalContainedIn: The value of entPhysicalIndex for the component that contains this component.
entPhysicalClass: chassis(3), container(5) for a slot, powerSupply(6), fan(7), sensor(8) for each temperature or other environmental sensor, and module(9) for each line card.
entPhysicalParentRelPos: The relative position of this child component among its sibling components. Sibling components are entPhysicalEntry components that share the same instance values of the entPhysicalContainedIn and entPhysicalClass objects.
entPhysicalName: Supported only if the management (MGT) interface allows for naming the line card.
entPhysicalHardwareRev: The vendor-specific hardware revision of the component.
entPhysicalFirmwareRev: The vendor-specific firmware revision of the component.
entPhysicalSoftwareRev: The vendor-specific software revision of the component.
entPhysicalSerialNum: The vendor-specific serial number of the component.
entPhysicalMfgName: The name of the manufacturer of the component.
entPhysicalMfgDate: The date when the component was manufactured.
entPhysicalModelName: The disk model number.
entPhysicalAlias: An alias that the network manager specified for the component.
entPhysicalAssetID: A user-assigned asset tracking identifier that the network manager specified for the component.
entPhysicalIsFRU: Indicates whether the component is a field-replaceable unit (FRU).
entPhysicalUris: The Common Language Equipment Identifier (CLEI) number of the component (for example, URN:CLEI:CNME120ARA).
RFC 4133 defines this MIB.

ENTITY-SENSOR-MIB
ENTITY-SENSOR-MIB adds support for physical sensors of networking equipment beyond what ENTITY-MIB defines. Use this MIB in tandem with ENTITY-MIB to monitor the operational status of the physical components of a system (for example, fans and temperature sensors). For example, to troubleshoot issues that might result from environmental conditions, you can map the entity indexes from ENTITY-MIB (entPhysicalDescr object) to operational status values (entPhySensorOperStatus object) in ENTITY-SENSOR-MIB. In the following example, all the fans and temperature sensors for a PA-3020 firewall are working:
(figure: example sensor walk output, not reproduced in this edition)
The same OID might refer to different sensors on different platforms. Use the ENTITY-MIB walk of the targeted platform to match the value to its description.
Palo Alto Networks firewalls, Panorama, and WF-500 appliances support only portions of the entPhySensorTable group. The supported portions vary by platform and include only thermal (temperature in Celsius) and fan (in RPM) sensors.
RFC 3433 defines ENTITY-SENSOR-MIB.
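The join described above (entPhysicalDescr index from ENTITY-MIB matched to entPhySensorOperStatus, entPhySensorType and entPhySensorValue from ENTITY-SENSOR-MIB) is the step a monitoring script actually has to perform, and the caveat that the same index means different sensors on different platforms is why the descriptions must come from a walk of the same device rather than a static table. The following is an added example, not code from the guide or from Palo Alto Networks. It parses snmpwalk-style text output, joins the two MIBs by entity index, and reports any sensor whose status is not ok. The walk output is constructed for illustration (the sensor names, indexes, and readings are not from a real PA-3020); the enumeration values for entPhySensorOperStatus and entPhySensorType are those defined in RFC 3433.

```python
"""Join ENTITY-MIB descriptions with ENTITY-SENSOR-MIB readings (added example)."""
import re

# "MIB::object.index = TYPE: value", as net-snmp prints it when MIBs are loaded.
WALK_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<idx>\d+)\s*=\s*(?P<type>\w+):\s*(?P<val>.*)$")
# INTEGER values print as "ok(1)" when the MIB defines a label, otherwise as "8400".
LABELLED_INT_RE = re.compile(r"^(?:\w+\()?(-?\d+)\)?$")

# RFC 3433 enumerations (subset relevant to the supported thermal and fan sensors).
SENSOR_OPER_STATUS = {1: "ok", 2: "unavailable", 3: "nonoperational"}
SENSOR_TYPE = {8: "celsius", 10: "rpm"}

# Constructed walk output for one device; not a real capture.  Fan #2 is
# included as a failing sensor to show what the report looks like then.
SAMPLE_WALK = """\
ENTITY-MIB::entPhysicalDescr.1 = STRING: PA-3020 chassis
ENTITY-MIB::entPhysicalDescr.5 = STRING: Fan #1
ENTITY-MIB::entPhysicalDescr.6 = STRING: Fan #2
ENTITY-MIB::entPhysicalDescr.9 = STRING: Temperature @ CPU
ENTITY-MIB::entPhysicalClass.5 = INTEGER: fan(7)
ENTITY-SENSOR-MIB::entPhySensorType.5 = INTEGER: rpm(10)
ENTITY-SENSOR-MIB::entPhySensorValue.5 = INTEGER: 8400
ENTITY-SENSOR-MIB::entPhySensorOperStatus.5 = INTEGER: ok(1)
ENTITY-SENSOR-MIB::entPhySensorType.6 = INTEGER: rpm(10)
ENTITY-SENSOR-MIB::entPhySensorValue.6 = INTEGER: 0
ENTITY-SENSOR-MIB::entPhySensorOperStatus.6 = INTEGER: nonoperational(3)
ENTITY-SENSOR-MIB::entPhySensorType.9 = INTEGER: celsius(8)
ENTITY-SENSOR-MIB::entPhySensorValue.9 = INTEGER: 41
ENTITY-SENSOR-MIB::entPhySensorOperStatus.9 = INTEGER: ok(1)
"""


def parse_walk(text):
    """Return {(object name, entity index): value}; integer-typed values
    such as ok(1) are reduced to the number, strings are kept as-is."""
    values = {}
    for line in text.splitlines():
        match = WALK_RE.match(line)
        if not match:
            continue
        val = match.group("val").strip()
        if match.group("type") in ("INTEGER", "Gauge32", "Counter32", "Counter64"):
            labelled = LABELLED_INT_RE.match(val)
            val = int(labelled.group(1)) if labelled else val
        values[(match.group("obj"), int(match.group("idx")))] = val
    return values


def sensor_report(values):
    """One record per entPhySensorOperStatus row, joined by entity index to the
    entPhysicalDescr taken from the same device's walk (never a static map,
    because the same index is a different sensor on another platform)."""
    report = []
    for (obj, idx), status in sorted(values.items()):
        if obj != "entPhySensorOperStatus":
            continue
        report.append({
            "index": idx,
            "descr": values.get(("entPhysicalDescr", idx), "<no entPhysicalDescr>"),
            "type": SENSOR_TYPE.get(values.get(("entPhySensorType", idx)), "other"),
            "value": values.get(("entPhySensorValue", idx)),
            "status": SENSOR_OPER_STATUS.get(status, f"unknown({status})"),
        })
    return report


def unhealthy(report):
    """Sensors whose operational status is anything other than ok."""
    return [entry for entry in report if entry["status"] != "ok"]


if __name__ == "__main__":
    full_report = sensor_report(parse_walk(SAMPLE_WALK))
    for entry in full_report:
        print(entry)
    print("unhealthy:", [e["descr"] for e in unhealthy(full_report)])
```

To run this against a live device, feed it the output of walking entPhysicalTable and entPhySensorTable on that device with the MIBs loaded; the values must come from the same device because index-to-sensor assignments differ between platforms.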
ENTITYSTATEMIB
ENTITYSTATEMIBprovidesinformationaboutthestateofphysicalcomponentsbeyondwhat
ENTITYMIBdefines,includingtheadministrativeandoperationalstateofcomponentsinchassisbased
platforms.UsethisMIBintandemwiththeENTITYMIBtomonitortheoperationalstateofthecomponents
ofaPA7000Seriesfirewall(forexample,linecards,fantrays,andpowersupplies).Forexample,to
troubleshootlogforwardingissuesforThreatlogs,youcanmapthelogprocessingcard(LPC)indexesfrom
theENTITYMIB(entPhysicalDescrobject)tooperationalstatevalues(entStateOperobject)inthe
ENTITYSTATEMIB.Theoperationalstatevaluesusenumberstoindicatestate:1forunknown,2for
disabled,3forenabled,and4fortesting.ThePA7000SeriesfirewallistheonlyPaloAltoNetworksfirewall
thatsupportsthisMIB.
RFC4268definestheENTITYSTATEMIB.
IEEE802.3LAGMIB
UsetheIEEE802.3LAGMIBtomonitorthestatusofaggregategroupsthathaveLinkAggregationControl
Protocol(ECMP)enabled.WhenthefirewalllogsLACPevents,italsogeneratestrapsthatareusefulfor
troubleshooting.Forexample,thetrapscantellyouwhethertrafficinterruptionsbetweenthefirewalland
anLACPpeerresultedfromlostconnectivityorfrommismatchedinterfacespeedandduplexvalues.
PANOSimplementsthefollowingSNMPtablesforLACP.Notethatthedot3adTablesLastChangedobject
indicatesthetimeofthemostrecentchangetodot3adAggTable,dot3adAggPortListTable,and
dot3adAggPortTable.
Table Description
AggregatorConfiguration Thistablecontainsinformationabouteveryaggregategroupthatisassociatedwitha
Table(dot3adAggTable) firewall.Eachaggregategrouphasoneentry.
Sometableobjectshaverestrictions,whichthedot3adAggIndexobjectdescribes.This
indexistheuniqueidentifierthatthelocalsystemassignstotheaggregategroup.It
identifiesanaggregategroupinstanceamongthesubordinatemanagedobjectsofthe
containingobject.Theidentifierisreadonly.
TheifTableMIB(alistofinterfaceentries)doesnotsupportlogicalinterfacesand
thereforedoesnothaveanentryfortheaggregategroup.
AggregationPortList Thistableliststheportsassociatedwitheachaggregategroupinafirewall.Eachaggregate
Table grouphasoneentry.
(dot3adAggPortListTable) Thedot3adAggPortListPortsattributeliststhecompletesetofportsassociatedwithan
aggregategroup.Eachbitsetinthelistrepresentsaportmember.Fornonchassis
platforms,thisisa64bitvalue.Forchassisplatforms,thevalueisanarrayofeight64bit
entries.
AggregationPortTable ThistablecontainsLACPconfigurationinformationabouteveryportassociatedwithan
(dot3adAggPortTable) aggregategroupinafirewall.Eachporthasoneentry.Thetablehasnoentriesforports
thatarenotassociatedwithanaggregategroup.
LACPStatisticsTable Thistablecontainslinkaggregationinformationabouteveryportassociatedwithan
(dot3adAggPortStatsTable aggregategroupinafirewall.Eachporthasonerow.Thetablehasnoentriesforportsthat
) arenotassociatedwithanaggregategroup.
TheIEEE802.3LAGMIBincludesthefollowingLACPrelatedtraps:
TrapName Description
panLACPLostConnectivityTrap Thepeerlostconnectivitytothefirewall.
panLACPUnresponsiveTrap Thepeerdoesnotrespondtothefirewall.
panLACPNegoFailTrap LACPnegotiationwiththepeerfailed.
panLACPSpeedDuplexTrap Thelinkspeedandduplexsettingsonthefirewallandpeerdonotmatch.
panLACPLinkDownTrap Aninterfaceintheaggregategroupisdown.
panLACPLacpDownTrap Aninterfacewasremovedfromtheaggregategroup.
panLACPLacpUpTrap Aninterfacewasaddedtotheaggregategroup.
FortheMIBdefinitions,refertoIEEE802.3LAGMIB.
LLDP-V2-MIB.my
Use the LLDP-V2-MIB to monitor Link Layer Discovery Protocol (LLDP) events. For example, you can check the lldpV2StatsRxPortFramesDiscardedTotal object to see the number of LLDP frames that were discarded for any reason. The Palo Alto Networks firewall uses LLDP to discover neighboring devices and their capabilities. LLDP makes troubleshooting easier, especially for virtual wire deployments where the ping or traceroute utilities won't detect the firewall.
Palo Alto Networks firewalls support all the LLDP-V2-MIB objects except:
- The following lldpV2Statistics objects:
  lldpV2StatsRemTablesLastChangeTime
  lldpV2StatsRemTablesInserts
  lldpV2StatsRemTablesDeletes
  lldpV2StatsRemTablesDrops
  lldpV2StatsRemTablesAgeouts
- The following lldpV2RemoteSystemsData objects:
  The lldpV2RemOrgDefInfoTable table
  In the lldpV2RemTable table: lldpV2RemTimeMark
RFC 4957 defines this MIB.

BFD-STD-MIB
Use the Bidirectional Forwarding Detection (BFD) MIB to monitor and receive failure alerts for the bidirectional path between two forwarding engines, such as interfaces, data links, or the actual engines. For example, you can check the bfdSessState object to see the state of a BFD session between forwarding engines. In the Palo Alto Networks implementation, one of the forwarding engines is a firewall interface and the other is an adjacent configured BFD peer.
RFC 7331 defines this MIB.

PAN-COMMON-MIB.my
Use the PAN-COMMON-MIB to monitor the following information for Palo Alto Networks firewalls, Panorama, and WF-500 appliances:

Object Group      Description
panSys            Contains such objects as system software/hardware versions, dynamic content versions, serial number, HA mode/state, and global counters.
                  The global counters include those related to Denial of Service (DoS), IP fragmentation, TCP state, and dropped packets. Tracking these counters enables you to monitor traffic irregularities that result from DoS attacks, system or connection faults, or resource limitations. PAN-COMMON-MIB supports global counters for firewalls but not for Panorama.
panChassis        Chassis type and M-Series appliance mode (Panorama or Log Collector).
panSession        Session utilization information. For example, the total number of active sessions on the firewall or a specific virtual system.
panMgmt           Status of the connection from the firewall to the Panorama management server.
panGlobalProtect  GlobalProtect gateway utilization as a percentage, maximum tunnels allowed, and number of active tunnels.
panLogCollector   Log Collector information such as the logging rate, log database storage duration (in days), and RAID disk usage.

PAN-GLOBAL-REG-MIB.my
PAN-GLOBAL-REG-MIB.my contains global, top-level OID definitions for various sub-trees of Palo Alto Networks enterprise MIB modules. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-GLOBAL-TC-MIB.my
PAN-GLOBAL-TC-MIB.my defines conventions (for example, character length and allowed characters) for the text values of objects in Palo Alto Networks enterprise MIB modules. All Palo Alto Networks products use these conventions. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-LC-MIB.my
PAN-LC-MIB.my contains definitions of managed objects that Log Collectors (M-Series appliances in Log Collector mode) implement. Use this MIB to monitor the logging rate, log database storage duration (in days), and disk usage (in MB) of each logical disk (up to four) on a Log Collector. For example, you can use this information to determine whether you should add more Log Collectors or forward logs to an external server (for example, a syslog server) for archiving.

PAN-PRODUCT-MIB.my
PAN-PRODUCT-MIB.my defines sysObjectID OIDs for all Palo Alto Networks products. This MIB doesn't contain objects for you to monitor; it is required only for referencing by other MIBs.

PAN-ENTITY-EXT-MIB.my
Use PAN-ENTITY-EXT-MIB.my in tandem with the ENTITY-MIB to monitor power usage for the physical components of a PA-7000 Series firewall (for example, fan trays and power supplies), which is the only Palo Alto Networks firewall that supports this MIB. For example, when troubleshooting log forwarding issues, you might want to check the power usage of the log processing cards (LPCs): you can map the LPC indexes from the ENTITY-MIB (entPhysicalDescr object) to values in the PAN-ENTITY-EXT-MIB (panEntryFRUModelPowerUsed object).

PAN-TRAPS.my
Use PAN-TRAPS.my to see a complete listing of all the generated traps and information about them (for example, a description). For a list of traps that Palo Alto Networks firewalls, Panorama, and WF-500 appliances support, refer to the PAN-COMMON-MIB.my > panCommonEvents > panCommonEventsEvents > panCommonEventEventsV2 object.
NetFlow Monitoring
NetFlow is an industry-standard protocol that the firewall can use to export statistics about the IP traffic that traverses its interfaces. The firewall exports the statistics as NetFlow fields to a NetFlow collector. The NetFlow collector is a server you use to analyze network traffic for security, administration, accounting and troubleshooting. All Palo Alto Networks firewalls support NetFlow (Version 9) except the PA-4000 Series and PA-7000 Series firewalls. The firewalls support only unidirectional NetFlow, not bidirectional. You can enable NetFlow exports on all interface types except HA, log card, or decrypt mirror. To identify firewall interfaces in a NetFlow collector, see Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors. The firewall supports standard and enterprise (PAN-OS specific) NetFlow templates.
- Configure NetFlow Exports
- NetFlow Templates

Configure NetFlow Exports

NetFlow Templates
NetFlow collectors use templates to decipher the fields that the firewall exports. The firewall selects a template based on the type of exported data: IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific (PAN-OS specific) fields. The firewall periodically refreshes templates to re-evaluate which one to use (in case the type of exported data changes) and to apply any changes to the fields in the selected template. When you Configure NetFlow Exports, you set the refresh frequency according to the requirements of your NetFlow collector.
The Palo Alto Networks firewall supports the following NetFlow templates:

Template                    ID
IPv4 Standard               256
IPv4 Enterprise             257
IPv6 Standard               258
IPv6 Enterprise             259
IPv4 with NAT Standard      260
IPv4 with NAT Enterprise    261
IPv6 with NAT Standard      262
IPv6 with NAT Enterprise    263

The following table lists the NetFlow fields that the firewall can send, along with the templates that define them:

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
When you use a NetFlow collector (see NetFlow Monitoring) or SNMP manager (see SNMP Monitoring and Traps) to monitor the Palo Alto Networks firewall, an interface index (SNMP ifindex object) identifies the interface that carried a particular flow (see Figure: Interface Indexes in an SNMP Manager). In contrast, the firewall web interface uses interface names as identifiers (for example, ethernet1/1), not indexes. To understand which statistics that you see in a NetFlow collector or SNMP manager apply to which firewall interface, you must be able to match the interface indexes with interface names.
Figure: Interface Indexes in an SNMP Manager
You can match the indexes with names by understanding the formulas that the firewall uses to calculate indexes. The formulas vary by platform and interface type: physical or logical.
Physical interface indexes have a range of 1-9999, which the firewall calculates as follows:
Logical interface indexes for all platforms are nine-digit numbers that the firewall calculates as follows:
User-ID Overview
User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise directory and terminal services offerings, enabling you to tie application activity and policy rules to users and groups, not just IP addresses. Furthermore, with User-ID enabled, the Application Command Center (ACC), App Scope, reports, and logs all include usernames in addition to user IP addresses.
Palo Alto Networks firewalls support monitoring of the following enterprise services:
- Microsoft Active Directory
- Lightweight Directory Access Protocol (LDAP)
- Novell eDirectory
- Citrix Metaframe Presentation Server or XenApp
- Microsoft Terminal Services
For user- and group-based policies, the firewall requires a list of all available users and their corresponding group mappings that you can select when defining your policies. The firewall collects Group Mapping information by connecting directly to your LDAP directory server.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets it receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For example, the User-ID agent monitors server logs for login events, probes clients, and listens for syslog messages from authenticating services. To identify mappings for IP addresses that the agent didn't map, you can configure the firewall to redirect HTTP requests to a Captive Portal login. You can tailor the user mapping mechanisms to suit your environment, and even use different mechanisms at different sites.
User-ID does not work in environments where the source IP addresses of users are subject to NAT translation before the firewall maps the IP addresses to usernames.
Figure: User-ID
See User-ID Concepts for information on how User-ID works and Enable User-ID for instructions on setting up User-ID.

User-ID Concepts
- Group Mapping
- User Mapping

Group Mapping
To define policy rules based on user or group, first you create an LDAP server profile that defines how the firewall connects and authenticates to your directory server. The firewall supports a variety of directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The server profile also defines how the firewall searches the directory to retrieve the list of groups and the corresponding list of members. Next you create a group mapping configuration to Map Users to Groups. Then you can Enable User- and Group-Based Policy.
Defining policy rules based on group membership rather than on individual users simplifies administration because you don't have to update the rules whenever new users are added to a group. When configuring group mapping, you can limit which groups will be available in policy rules. You can specify groups that already exist in your directory service or define custom groups based on LDAP filters. Defining custom groups can be quicker than creating new groups or changing existing ones on an LDAP server, and doesn't require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match the filter to the custom group. For example, you might want a security policy that allows contractors in the Marketing Department to access social networking sites. If no Active Directory group exists for that department, you can configure an LDAP filter that matches users for whom the LDAP attribute Department is set to Marketing. Log queries and reports that are based on user groups will include custom groups.

User Mapping
Having the names of the users and groups is only one piece of the puzzle. The firewall also needs to know which IP addresses map to which users so that security rules can be enforced appropriately. Figure: User-ID illustrates the different methods that are used to identify users and groups on your network and shows how user mapping and group mapping work together to enable user- and group-based security enforcement and visibility.
The following topics describe the different methods of user mapping:
- Server Monitoring
- Client Probing
- Port Mapping
- Syslog
- Captive Portal
- GlobalProtect
- PAN-OS XML API
Server Monitoring
With server monitoring, a User-ID agent (either a Windows-based agent running on a domain server in your network, or the integrated PAN-OS User-ID agent running on the firewall) monitors the security event logs for specified Microsoft Exchange Servers, domain controllers, or Novell eDirectory servers for login events. For example, in an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. Note that for these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events.
Because server monitoring requires very little overhead and because the majority of users can generally be mapped using this method, it is recommended as the base user mapping method for most User-ID deployments. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.

Client Probing
In a Microsoft Windows environment, you can configure the User-ID agent to probe client systems using Windows Management Instrumentation (WMI). The Windows-based User-ID agent can also perform NetBIOS probing (not supported on the PAN-OS integrated User-ID agent). Probing is particularly useful in environments with a high IP address turnover because changes will be reflected on the firewall more quickly, enabling more accurate enforcement of user-based policies. However, if the correlation between IP addresses and users is fairly static, you probably do not need to enable client probing. Because probing can generate a large amount of network traffic (based on the total number of mapped IP addresses), the agent that will be initiating the probes should be located as close as possible to the end clients.
If probing is enabled, the agent will probe each learned IP address periodically (every 20 minutes by default, but this is configurable) to verify that the same user is still logged in. In addition, when the firewall encounters an IP address for which it has no user mapping, it will send the address to the agent for an immediate probe. See Configure User Mapping Using the Windows User-ID Agent or Configure User Mapping Using the PAN-OS Integrated User-ID Agent for details.

Port Mapping
In environments with multi-user systems, such as Microsoft Terminal Server or Citrix environments, many users share the same IP address. In this case, the user-to-IP-address mapping process requires knowledge of the source port of each client. To perform this type of mapping, you must install the Palo Alto Networks Terminal Services Agent on the Windows/Citrix terminal server itself to intermediate the assignment of source ports to the various user processes. For terminal servers that do not support the Terminal Services agent, such as Linux terminal servers, you can use the XML API to send user mapping information from login and logout events to User-ID. See Configure User Mapping for Terminal Server Users for configuration details.

Syslog
In environments with existing network services that authenticate users, such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms, the firewall User-ID agent (either the Windows agent or the PAN-OS integrated agent on the firewall) can listen for authentication syslog messages from those services. Syslog filters, which are provided by a content update (integrated User-ID agent only) or configured manually, allow the User-ID agent to parse and extract usernames and IP addresses from authentication syslog events generated by the external service, and add the information to the User-ID IP-address-to-username mappings maintained by the firewall. See Configure User-ID to Receive User Mappings from a Syslog Sender for configuration details.
Figure: User-ID Integration with Syslog
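As an added example (not code from the guide or from Palo Alto Networks), the following Python models the regex-identifier style of syslog filter described above: an event regex selects the successful-login lines, and two capture regexes pull the username and client IP address out of them. The filter, the hypothetical wireless controller "wlc1" and its syslog lines are all constructed; the way User-ID stores and ages its own mappings is not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class SyslogFilter:
    """Regex-identifier style filter (my model of a User-ID syslog filter, assumed):
    event_regex selects the authentication-success lines; user_regex and addr_regex
    each capture one group, the username and the client IP address."""
    name: str
    event_regex: str
    user_regex: str
    addr_regex: str


@dataclass(frozen=True)
class UserMapping:
    user: str
    ip: str


# Constructed filter for a hypothetical wireless controller's login messages.
WLC_LOGIN = SyslogFilter(
    name="wlc-login",
    event_regex=r"authenticated from",
    user_regex=r"User (\S+) authenticated",
    addr_regex=r"from (\d{1,3}(?:\.\d{1,3}){3})",
)

# Constructed syslog lines: a success, a failure, a corrupt address, and a user who moved.
SAMPLE_LINES = [
    "<134>Jun 10 12:00:01 wlc1 auth: User jdoe authenticated from 10.1.20.15",
    "<134>Jun 10 12:00:05 wlc1 auth: User asmith authentication failed from 10.1.20.16",
    "<134>Jun 10 12:00:09 wlc1 auth: User bob authenticated from 999.1.1.1",
    "<134>Jun 10 12:00:12 wlc1 auth: User jdoe authenticated from 10.1.20.17",
]


def parse_mapping(line: str, flt: SyslogFilter) -> Optional[UserMapping]:
    """Return the IP-to-user mapping a single syslog line yields, or None when the
    line is not a login event or its extracted fields do not survive validation."""
    if not re.search(flt.event_regex, line):
        return None
    user = re.search(flt.user_regex, line)
    addr = re.search(flt.addr_regex, line)
    if not user or not addr or not user.group(1):
        return None
    try:
        ip = ipaddress.ip_address(addr.group(1))
    except ValueError:  # e.g. an octet above 255, as in the third sample line
        return None
    # An address that can never belong to a client must not create a mapping.
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return None
    return UserMapping(user=user.group(1), ip=str(ip))


def collect_mappings(lines: Iterable[str], flt: SyslogFilter) -> Dict[str, str]:
    """Fold a stream of syslog lines into an IP -> user table; a later login
    from the same address replaces the earlier mapping (newest login wins)."""
    table: Dict[str, str] = {}
    for line in lines:
        mapping = parse_mapping(line, flt)
        if mapping is not None:
            table[mapping.ip] = mapping.user
    return table


if __name__ == "__main__":
    for ip, user in sorted(collect_mappings(SAMPLE_LINES, WLC_LOGIN).items()):
        print(f"{ip:<15} {user}")
```

The filter only decides what a received line means; whether the line came from the real sender is the transport question the SSL-versus-UDP note in the listener sections addresses.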
Captive Portal
If the firewall or the User-ID agent can't map an IP address to a username (for example, if the user isn't logged in or uses an operating system such as Linux that your domain servers don't support), you can configure Captive Portal. Any web traffic (HTTP or HTTPS) that matches a Captive Portal policy rule requires user authentication. You can base the authentication on a transparent browser challenge (Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication), web form (for RADIUS, TACACS+, LDAP, Kerberos, or local database authentication), or client certificates. For details, see Map IP Addresses to Usernames Using Captive Portal.

GlobalProtect
For mobile or roaming users, the GlobalProtect client provides the user mapping information to the firewall directly. In this case, every GlobalProtect user has an agent or app running on the client that requires the user to enter login credentials for VPN access to the firewall. This login information is then added to the User-ID user mapping table on the firewall for visibility and user-based security policy enforcement. Because GlobalProtect users must authenticate to gain access to the network, the IP-address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. For more information on setting up GlobalProtect, refer to the GlobalProtect Administrator's Guide.

PAN-OS XML API
Captive Portal and the other standard user mapping methods might not work for certain types of user access. For example, the standard methods cannot add mappings of users connecting from a third-party VPN solution or users connecting to a 802.1x-enabled wireless network. For such cases, you can use the PAN-OS XML API to capture login events and send them to the User-ID agent or directly to the firewall. See Send User Mappings to User-ID Using the XML API for details.
Enable User-ID
You must complete the following tasks to set up the firewall to use users and groups in policy enforcement, logging, and reporting:
- Map Users to Groups
- Map IP Addresses to Users
- Enable User- and Group-Based Policy
- Verify the User-ID Configuration

Map Users to Groups
Defining policy rules based on user group membership rather than individual users simplifies administration because you don't have to update the rules whenever group membership changes. Use the following procedure to enable the firewall to connect to your LDAP directory and retrieve Group Mapping information. You can then Enable User- and Group-Based Policy.
The following are best practices for group mapping in an Active Directory (AD) environment:
- If you have a single domain, you need only one LDAP server profile that connects the firewall to the domain controller with the best connectivity. You can add additional domain controllers for fault tolerance.
- If you have multiple domains and/or multiple forests, you must create a server profile to connect to a domain server in each domain/forest. Take steps to ensure unique usernames in separate forests.
- If you have Universal Groups, create a server profile to connect to the Global Catalog server.

Map Users to Groups
Step 2  Configure the server settings in a group mapping configuration.
  1. Select Device > User Identification > Group Mapping Settings.
  2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for this configuration.
  3. Click Add and enter a unique Name to identify the group mapping configuration.
  4. Select the LDAP Server Profile you just created.
  5. (Optional) By default, the User Domain field is blank: the firewall automatically detects the domain names for Active Directory (AD) servers. If you enter a value, it overrides any domain names that the firewall retrieves from the LDAP source. Your entry must be the NetBIOS domain name.
  6. (Optional) To filter the groups that the firewall tracks for group mapping, in the Group Objects section, enter a Search Filter (LDAP query), Object Class (group definition), Group Name, and Group Member.
  7. (Optional) To filter the users that the firewall tracks for group mapping, in the User Objects section, enter a Search Filter (LDAP query), Object Class (user definition), and User Name.
  8. (Optional) To match User-ID information with email header information identified in the links and attachments of emails forwarded to WildFire, enter the list of email domains in your organization in the Mail Domains section, Domain List field. Use commas to separate multiple domains (up to 256 characters). After you click OK, PAN-OS automatically populates the Mail Attributes field based on your LDAP server type (Sun/RFC, Active Directory, or Novell). When a match occurs, the username in the WildFire log email header section will contain a link that opens the ACC tab, filtered by user or user group.
  9. Make sure the Enabled check box is selected.

Map IP Addresses to Users
The tasks you perform to map IP addresses to usernames depend on the type and location of the client systems on your network. Complete as many of the following tasks as necessary to enable mapping of your client systems:
- To map users as they log in to your Exchange servers, domain controllers, eDirectory servers, or Windows clients, you must configure the User-ID agent to monitor server logs and probe client systems. You can either Configure User Mapping Using the PAN-OS Integrated User-ID Agent or Configure User Mapping Using the Windows User-ID Agent. The Windows-based User-ID agent is a standalone agent that you install on one or more member servers in the domain that contains the servers and clients that the agent will monitor. For guidance on which agent is appropriate for your network and the required number and placements of agents, refer to Architecting User Identification Deployments.
- If you have clients running multi-user systems in a Windows environment, such as Microsoft Terminal Server or Citrix Metaframe Presentation Server or XenApp, Configure the Palo Alto Networks Terminal Services Agent for User Mapping. For a multi-user system that doesn't run on Windows, you can Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API.
- To obtain user mappings from existing network services that authenticate users, such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms, Configure User-ID to Receive User Mappings from a Syslog Sender. You can use either the Windows agent or the agentless user mapping feature on the firewall to listen for authentication syslog messages from the network services.
- If you have users with client systems that aren't logged in to your domain servers (for example, users running Linux clients that don't log in to the domain), you can Map IP Addresses to Usernames Using Captive Portal.
- For other clients that you can't map using the preceding methods, you can Send User Mappings to User-ID Using the XML API.
A large-scale network can have hundreds of information sources that firewalls query for user and group mapping and can have numerous firewalls that enforce policies based on the mapping information. You can simplify User-ID administration for such a network by aggregating the mapping information before the User-ID agents collect it. You can also reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to redistribute the mapping information. For details, see Deploy User-ID in a Large-Scale Network.
Configure User Mapping Using the Windows User-ID Agent
In most cases, the majority of your network users will have logins to your monitored domain services. For these users, the Palo Alto Networks User-ID agent monitors the servers for login events and performs the IP-address-to-username mapping. The way you configure the User-ID agent depends on the size of your environment and the location of your domain servers. As a best practice, you should locate your User-ID agents near your monitored servers (that is, the monitored servers and the Windows User-ID agent should not be across a WAN link from each other). This is because most of the traffic for user mapping occurs between the agent and the monitored server, with only a small amount of traffic (the delta of IP address mappings since the last update) from the agent to the firewall.
The following topics describe how to install and configure the User-ID Agent and how to configure the firewall to retrieve user mapping information from the agent:
- Install the User-ID Agent
- Configure the User-ID Agent for User Mapping

Install the User-ID Agent
The following procedure shows how to install the User-ID agent on a member server in the domain and set up the service account with the required permissions. If you are upgrading, the installer will automatically remove the older version; however, it is a good idea to back up the config.xml file before running the installer.
For information about the system requirements for installing the Windows-based User-ID agent and for information on supported server OS versions, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
Install the Windows User-ID Agent

Configure the User-ID Agent for User Mapping
The Palo Alto Networks User-ID agent is a Windows service that connects to servers on your network (for example, Active Directory servers, Microsoft Exchange servers, and Novell eDirectory servers) and monitors the logs for login events. The agent uses this information to map IP addresses to usernames. Palo Alto Networks firewalls connect to the User-ID agent to retrieve this user mapping information, enabling visibility into user activity by username rather than IP address and enabling user- and group-based security enforcement.
For information about the server OS versions supported by the User-ID agent, refer to Operating System (OS) Compatibility User-ID Agent in the User-ID Agent Release Notes.
Map IP Addresses to Users Using the Windows-based User-ID Agent

Configure User Mapping Using the PAN-OS Integrated User-ID Agent
The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for IP-address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-based agent with the exception of NetBIOS client probing (WMI probing is supported).
Map IP Addresses to Users Using the Integrated User-ID Agent

Configure User-ID to Receive User Mappings from a Syslog Sender
The following topics describe how to configure the PAN-OS integrated User-ID agent or Windows-based User-ID agent as a Syslog listener:
- Configure the Integrated User-ID Agent as a Syslog Listener
- Configure the Windows User-ID Agent as a Syslog Listener

Configure the Integrated User-ID Agent as a Syslog Listener
The following workflow describes how to configure the PAN-OS integrated User-ID agent to receive syslog messages from authenticating services.
The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, always use SSL to listen for syslog messages. However, if you must use UDP, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.
Collect User Mappings from Syslog Senders
Step 8  Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:
To see the status of a particular syslog sender:
admin@PA-5050> show user server-monitor state Syslog2
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is enabled
Directory Servers:
Name TYPE Host Vsys Status
-----------------------------------------------------------------------------
AD AD 10.2.204.43 vsys1 Connected
Syslog Servers:
Name Connection Host Vsys Status
-----------------------------------------------------------------------------
Syslog1 UDP 10.5.204.40 vsys1 N/A
Syslog2 SSL 10.5.204.41 vsys1 Not connected
To see how many user mappings were discovered through syslog senders:
admin@PA-5050> show user ip-user-mapping all type SYSLOG
Total: 9 users
Configure the Windows User-ID Agent as a Syslog Listener
The following workflow describes how to configure a Windows-based User-ID agent to listen for syslogs from authenticating services.
The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use caution when using UDP to receive syslog messages because it is an unreliable protocol and as such there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. As a best practice, use TCP instead of UDP. In either case, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.
Configure the Windows User-ID Agent to Collect User Mappings from Syslog Senders
Step 7  Verify the configuration by opening an SSH connection to the firewall and then running the following CLI commands:
To see the status of a particular syslog sender:
admin@PA-5050> show user server-monitor state Syslog2
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is enabled
Directory Servers:
Name TYPE Host Vsys Status
-----------------------------------------------------------------------------
AD AD 10.2.204.43 vsys1 Connected
Syslog Servers:
Name Connection Host Vsys Status
-----------------------------------------------------------------------------
Syslog1 UDP 10.5.204.40 vsys1 N/A
Syslog2 SSL 10.5.204.41 vsys1 Not connected
To see how many user mappings were discovered through syslog senders:
admin@PA-5050> show user ip-user-mapping all type SYSLOG
Total: 9 users
Map IP Addresses to Usernames Using Captive Portal
If the firewall receives a request from a security zone that has User-ID enabled and the source IP address does not have any user data associated with it yet, the firewall checks its Captive Portal policy rules for a match to determine whether to perform authentication. This is useful in environments where you have clients that are not logged in to your domain servers, such as Linux clients. The firewall triggers this user mapping method only for web traffic (HTTP or HTTPS) that matches a Captive Portal rule but has not been mapped using a different method.
- Captive Portal Authentication Methods
- Captive Portal Modes
- Configure Captive Portal

Captive Portal Authentication Methods
Captive Portal uses the following methods to obtain user information from the client when a web request matches a Captive Portal rule:

Authentication Method: Kerberos SSO
The firewall uses Kerberos Single Sign-On (SSO) to transparently obtain user credentials. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account, including a principal name and password.
If Kerberos SSO authentication fails, the firewall falls back to NT LAN Manager (NTLM) authentication. If you don't configure NTLM, or NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.

Authentication Method: NT LAN Manager (NTLM)
The firewall uses an encrypted challenge-response mechanism to obtain the user credentials from the browser. When configured properly, the browser will transparently provide the credentials to the firewall without prompting the user, but will prompt for credentials if necessary.
If you use the Windows-based User-ID agent, NTLM responses go directly to the domain controller where you installed the agent.
If you configure Kerberos SSO authentication, the firewall tries that method first before falling back to NTLM authentication. If the browser can't perform NTLM or if NTLM authentication fails, the firewall falls back to web form or client certificate authentication, depending on your Captive Portal configuration.
Microsoft Internet Explorer supports NTLM by default. You can configure Mozilla Firefox and Google Chrome to also use NTLM but you can't use NTLM to authenticate non-Windows clients.

Authentication Method: Web Form
The firewall redirects web requests to a web form for authentication. You can configure Captive Portal to use a local user database, RADIUS server, TACACS+ server, LDAP server, or Kerberos server to authenticate users. Although the firewall always prompts users for credentials, this method works with all browsers and operating systems.

Authentication Method: Client Certificate Authentication
The firewall prompts the browser to present a valid client certificate to authenticate the user. To use this method, you must provision client certificates on each user system and install the trusted certificate authority (CA) certificate used to issue those certificates on the firewall.

Captive Portal Modes
The Captive Portal mode defines how the firewall captures web requests for authentication:

Mode: Transparent
The firewall intercepts the browser traffic per the Captive Portal rule and impersonates the original destination URL, issuing an HTTP 401 to invoke authentication. However, because the firewall does not have the real certificate for the destination URL, the browser displays a certificate error to users attempting to access a secure site. Therefore, you should only use this mode when absolutely necessary, such as in Layer 2 or virtual wire deployments.

Mode: Redirect
The firewall intercepts unknown HTTP or HTTPS sessions and redirects them to a Layer 3 interface on the firewall using an HTTP 302 redirect to perform authentication. This is the preferred mode because it provides a better end-user experience (no certificate errors). However, it does require additional Layer 3 configuration. Another benefit of the Redirect mode is that it provides for the use of session cookies, which enable the user to continue browsing to authenticated sites without requiring re-mapping each time the timeouts expire. This is especially useful for users who roam from one IP address to another (for example, from the corporate LAN to the wireless network) because they won't need to re-authenticate when the IP address changes as long as the session stays open.
If you use Kerberos SSO or NTLM authentication, you must use Redirect mode because the browser will provide credentials only to trusted sites.

Configure Captive Portal
The following procedure shows how to configure Captive Portal using the PAN-OS integrated User-ID agent to redirect web requests that match a Captive Portal rule to a redirect host. A redirect host is the intranet hostname (a hostname with no period in its name) that resolves to the IP address of the Layer 3 interface on the firewall to which the firewall will redirect requests.
If you use Captive Portal without the other User-ID functions (user mapping and group mapping), you don't need to configure a User-ID agent.
Configure Captive Portal Using the PAN-OS Integrated User-ID Agent
Step 11  Configure the Captive Portal settings.
  1. Select Device > User Identification > Captive Portal Settings and edit the settings.
  2. Make sure the Enable Captive Portal check box is selected.
  3. Select the SSL/TLS Service Profile you created for redirect requests over TLS.
  4. Select the Mode (in this example, Redirect).
  5. (Redirect mode only) Specify the Redirect Host name that resolves to the IP address of the Layer 3 interface for redirected requests.
  6. Select the authentication method to use if NTLM fails (or if you don't use NTLM):
     - To use Kerberos SSO, an external server, or the local database, select the Authentication Profile or authentication sequence you created.
     - To use client certificate authentication, select the Certificate Profile you created.
  7. Click OK and Commit to save the Captive Portal configuration.
Configure User Mapping for Terminal Server Users
Individual terminal server users appear to have the same IP address and therefore an IP address-to-username mapping is not sufficient to identify a specific user. To enable identification of specific users on Windows-based terminal servers, the Palo Alto Networks Terminal Services agent (TS agent) allocates a port range to each user. It then notifies every connected firewall about the allocated port range, which allows the firewall to create an IP address-port-username mapping table and enable user- and group-based security policy enforcement. For non-Windows terminal servers, you can configure the PAN-OS XML API to extract user mapping information.
The following sections describe how to configure user mapping for terminal server users:
- Configure the Palo Alto Networks Terminal Services Agent for User Mapping
- Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API
Configure the Palo Alto Networks Terminal Services Agent for User Mapping
Use the following procedure to install and configure the TS agent on the terminal server. To map all your users, you must install the TS agent on all terminal servers that your users log in to.
For information about the terminal servers supported by the TS agent, refer to Operating System (OS) Compatibility TS Agent in the Terminal Services Agent Release Notes.
Configure the Palo Alto Networks Terminal Services Agent for User Mapping
Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API
The PAN-OS XML API is a RESTful API that uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports RESTful services.
To enable a non-Windows terminal server to send user mapping information directly to the firewall, create scripts that extract the user login and logout events and use them for input to the PAN-OS XML API request format. Then define the mechanisms for submitting the XML API request(s) to the firewall using cURL or wget and providing the firewall's API key for secure communication. Creating user mappings from multi-user systems such as terminal servers requires use of the following API messages:
- <multiusersystem>  Sets up the configuration for an XML API Multi-user System on the firewall. This message allows for definition of the terminal server IP address (this will be the source address for all users on that terminal server). In addition, the <multiusersystem> setup message specifies the range of source port numbers to allocate for user mapping and the number of ports to allocate to each individual user upon login (called the block size). If you want to use the default source port allocation range (1025–65534) and block size (200), you do not need to send a <multiusersystem> setup event to the firewall. Instead, the firewall will automatically generate the XML API Multi-user System configuration with the default settings upon receipt of the first user login event message.
- <blockstart>  Used with the <login> and <logout> messages to indicate the starting source port number allocated to the user. The firewall then uses the block size to determine the actual range of port numbers to map to the IP address and username in the login message. For example, if the <blockstart> value is 13200 and the block size configured for the multi-user system is 300, the actual source port range allocated to the user is 13200 through 13499. Each connection initiated by the user should use a unique source port number within the allocated range, enabling the firewall to identify the user based on its IP address-port-username mappings for enforcement of user- and group-based security rules. When a user exhausts all the ports allocated, the terminal server must send a new <login> message allocating a new port range for the user so that the firewall can update the IP address-port-username mapping. In addition, a single username can have multiple blocks of ports mapped simultaneously. When the firewall receives a <logout> message that includes a <blockstart> parameter, it removes the corresponding IP address-port-username mapping from its mapping table. When the firewall receives a <logout> message with a username and IP address, but no <blockstart>, it removes the user from its table. And, if the firewall receives a <logout> message with an IP address only, it removes the multi-user system and all mappings associated with it.
The XML files that the terminal server sends to the firewall can contain multiple message types and the messages do not need to be in any particular order within the file. However, upon receiving an XML file that contains multiple message types, the firewall will process them in the following order: multiusersystem requests first, followed by logins, then logouts.
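The following Python model is an added example and not Palo Alto Networks code. It shows, from the firewall's side, how the block size and <blockstart> value turn into an IP address-port-username mapping, how the three <logout> forms (with block start, with username only, with IP address only) shrink the table, and why a file is processed as multiusersystem, then login, then logout regardless of element order. The <uid-message> envelope and the entry attribute names (ip, startport, endport, blocksize, name, blockstart) are assumed from the XML API usage guide rather than shown on this page, and the sample message is constructed.

```python
"""Firewall-side model of XML API multi-user system mappings.
Added example, not Palo Alto Networks code; envelope and attribute names are assumed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Defaults the guide names for a multi-user system that the firewall creates on first login.
DEFAULT_START, DEFAULT_END, DEFAULT_BLOCKSIZE = 1025, 65534, 200


def block_range(blockstart: int, blocksize: int) -> tuple:
    """Source-port range derived from <blockstart> and the system's block size (13200,300 -> 13200-13499)."""
    return blockstart, blockstart + blocksize - 1


@dataclass
class MultiUserSystem:
    ip: str
    startport: int = DEFAULT_START
    endport: int = DEFAULT_END
    blocksize: int = DEFAULT_BLOCKSIZE
    blocks: dict = field(default_factory=dict)   # blockstart -> username; a user may hold several


class UserIdTable:
    """IP address-port-username table; process() applies one uid-message document."""

    def __init__(self):
        self.systems = {}   # terminal server IP -> MultiUserSystem

    def process(self, xml_text: str) -> None:
        payload = ET.fromstring(xml_text).find("payload")
        # Fixed processing order (setup, logins, logouts) independent of order in the file.
        for e in payload.findall("multiusersystem/entry"):
            self.systems[e.get("ip")] = MultiUserSystem(
                e.get("ip"),
                int(e.get("startport", DEFAULT_START)),
                int(e.get("endport", DEFAULT_END)),
                int(e.get("blocksize", DEFAULT_BLOCKSIZE)),
            )
        for e in payload.findall("login/entry"):
            # A login for a server without a setup message creates it with the defaults.
            system = self.systems.setdefault(e.get("ip"), MultiUserSystem(e.get("ip")))
            start = int(e.get("blockstart"))
            lo, hi = block_range(start, system.blocksize)
            if lo < system.startport or hi > system.endport:
                raise ValueError(f"block {lo}-{hi} outside {system.startport}-{system.endport}")
            system.blocks[start] = e.get("name")
        for e in payload.findall("logout/entry"):
            self._logout(e.get("ip"), e.get("name"), e.get("blockstart"))

    def _logout(self, ip: str, name: Optional[str], blockstart: Optional[str]) -> None:
        system = self.systems.get(ip)
        if system is None:
            return
        if blockstart is not None:        # block start given: drop only that port block
            system.blocks.pop(int(blockstart), None)
        elif name is not None:            # username and IP only: drop every block of that user
            system.blocks = {s: u for s, u in system.blocks.items() if u != name}
        else:                             # IP only: drop the whole multi-user system
            del self.systems[ip]

    def lookup(self, ip: str, port: int) -> Optional[str]:
        """Username behind a connection from ip:port, or None if no block covers the port."""
        system = self.systems.get(ip)
        if system is None:
            return None
        for start, user in system.blocks.items():
            lo, hi = block_range(start, system.blocksize)
            if lo <= port <= hi:
                return user
        return None


def uid_message(body: str) -> str:
    """Wrap payload elements in the uid-message envelope (envelope format assumed)."""
    return ("<uid-message><version>1.0</version><type>update</type>"
            f"<payload>{body}</payload></uid-message>")


# Constructed sample: the login appears before the setup message in the file, yet the
# 300-port block size from the setup message is what the firewall applies to it.
SAMPLE = uid_message(
    '<login><entry name="acme\\jparker" ip="10.1.1.23" blockstart="13200"/>'
    '<entry name="acme\\msmith" ip="10.1.1.23" blockstart="13500"/></login>'
    '<multiusersystem><entry ip="10.1.1.23" startport="13000" endport="19999" blocksize="300"/>'
    '</multiusersystem>'
)


def apply_sample() -> UserIdTable:
    table = UserIdTable()
    table.process(SAMPLE)
    return table


if __name__ == "__main__":
    t = apply_sample()
    print(t.lookup("10.1.1.23", 13499), t.lookup("10.1.1.23", 13500))
```

A terminal-server script that uses this model in reverse (allocating a block per login and emitting the matching <login> and <logout> entries) must also re-send a <login> with a fresh block start once a user's block is exhausted, as the text above requires, or new connections from that user will fall outside every mapped range and match no user-based rule.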
The following workflow provides an example of how to use the PAN-OS XML API to send user mappings from a non-Windows terminal server to the firewall.
Use the PAN-OS XML API to Map Non-Windows Terminal Services Users
API is available to all administrators (including role-based administrators with XML API privileges enabled). Any special characters in the password must be URL/percent-encoded.
The firewall responds with a message containing the key, for example:
<response status="success">
  <result>
    <key>k7J335J6hI7nBxIqyfa62sZugWx7ot%2BgzEA9UOnlZRg=</key>
  </result>
</response>
terminal server and that the mapping is removed when the user logs out or the port allocation changes.
Similarly, the scripts you create should also ensure that the IP table routing configuration dynamically removes the SNAT mapping when the user logs out or the port allocation changes:
[root@ts1 ~]# iptables -t nat -D POSTROUTING 1
Total host: 1
Send User Mappings to User-ID Using the XML API
User-ID provides many out-of-the-box methods for obtaining user mapping information. However, you might have applications or devices that capture user information but cannot natively integrate with User-ID. For example, you might have a custom, internally developed application or a device that no standard user mapping method supports. In such cases, you can use the PAN-OS XML API to create custom scripts that send the information to the User-ID agent or directly to the firewall. The PAN-OS XML API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports POST and GET requests.
To enable an external system to send user mapping information to the User-ID agent or directly to the firewall, you can create scripts that extract user login and logout events and use the events as input to the PAN-OS XML API request. Then define the mechanisms for submitting the XML API requests to the firewall (using cURL, for example) and use the API key of the firewall for secure communication. For more details, refer to the PAN-OS XML API Usage Guide.
Enable User- and Group-Based Policy
To enable security policy based on users and user groups, you must enable User-ID for each zone that contains users you want to identify. You can then define policy rules that allow or deny traffic based on username or group membership. Additionally, you can create Captive Portal rules to enable identification for IP addresses that don't yet have any user data associated with them.
PA-5060 and PA-7000 Series firewalls that have the multiple virtual systems capability disabled can base policies on up to 3,200 distinct user groups. If these platforms have multiple virtual systems, the limit is 640 groups. All other firewall platforms support up to 640 groups per virtual system or per firewall (if it doesn't have multiple virtual systems).
For users with multiple usernames, see Enable Policy for Users with Multiple Accounts.
Enable User- and Group-Based Policy
Enable Policy for Users with Multiple Accounts
If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with distinct privileges for accessing a particular set of services, but with all the usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map any one IP address (or IP address and port range for terminal server users) to only one username for enforcing policy, and you can't predict which username the agent will map. To control access for all the usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.
For example, say the firewall has a rule that allows username corp_user to access email and a rule that allows username admin_user to access a MySQL server. The user logs in with either username from the same client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall always identifies the user as admin_user regardless of login and allows access to the MySQL server but not email.
The following steps describe how to enforce both rules in this example.
Enable Policy for a User with Multiple Accounts
Verify the User-ID Configuration
After you configure group mapping and user mapping and enable User-ID on your security rules and Captive Portal rules, you should verify that it is working properly.
Verify the User-ID Configuration
Deploy User-ID in a Large-Scale Network
A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and to map usernames to user groups. You can simplify User-ID administration for such a network by aggregating the user mapping and group mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
A large-scale network can also have numerous firewalls that use the mapping information to enforce policies. You can reduce the resources that the firewalls and information sources use in the querying process by configuring some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (for example, regional directory services) but need access to remote resources (for example, global data center applications).
- Deploy User-ID for Numerous Mapping Information Sources
- Configure Firewalls to Redistribute User Mapping Information
Deploy User-ID for Numerous Mapping Information Sources
You can use Windows Log Forwarding and Global Catalog servers to simplify user mapping and group mapping in a large-scale network of Microsoft Active Directory (AD) domain controllers or Exchange servers. These methods simplify User-ID administration by aggregating the mapping information before the User-ID agents collect it, thereby reducing the number of required agents.
- Windows Log Forwarding and Global Catalog Servers
- Plan a Large-Scale User-ID Deployment
- Configure Windows Log Forwarding
- Configure User-ID for Numerous Mapping Information Sources
Windows Log Forwarding and Global Catalog Servers
Because each User-ID agent can monitor up to 100 servers, the firewall needs multiple User-ID agents to monitor a network with hundreds of AD domain controllers or Exchange servers. Creating and managing numerous User-ID agents involves considerable administrative overhead, especially in expanding networks where tracking new domain controllers is difficult. Windows Log Forwarding enables you to minimize the administrative overhead by reducing the number of servers to monitor and thereby reducing the number of User-ID agents to manage. When you configure Windows Log Forwarding, multiple domain controllers export their login events to a single domain member from which a User-ID agent collects the user mapping information.
You can configure Windows Log Forwarding for Windows Server versions 2003, 2008, 2008 R2, 2012, and 2012 R2. Windows Log Forwarding is not available for non-Microsoft servers.
To collect group mapping information in a large-scale network, you can configure the firewall to query a Global Catalog server that receives account information from the domain controllers.
The following figure illustrates user mapping and group mapping for a large-scale network in which the firewall uses a Windows-based User-ID agent. See Plan a Large-Scale User-ID Deployment to determine if this deployment suits your network.
Plan a Large-Scale User-ID Deployment
When deciding whether to use Windows Log Forwarding and Global Catalog servers for your User-ID implementation, consult your system administrator to determine:
- Bandwidth required for domain controllers to forward login events to member servers. The bandwidth is a multiple of the login rate (number of logins per minute) of the domain controllers and the byte size of each login event.
  Note that domain controllers won't forward their entire security logs; they forward only the events that the user mapping process requires per login: three events for Windows Server 2003 or four events for Windows Server 2008/2012 and MS Exchange.
- Whether the following network elements support the required bandwidth:
  - Domain controllers: They must support the processing load associated with forwarding the events.
  - Member servers: They must support the processing load associated with receiving the events.
  - Connections: The geographic distribution (local or remote) of the domain controllers, member servers, and Global Catalog servers is a factor. Generally, a remote distribution supports less bandwidth.
Configure Windows Log Forwarding
To configure Windows Log Forwarding, you need administrative privileges for configuring group policies on Windows servers. Configure Windows Log Forwarding on every member server that will collect login events from domain controllers. The following is an overview of the tasks; consult your Windows Server documentation for the specific steps.
Configure Windows Log Forwarding
Step 1  On every member server that will collect security events, enable event collection, add the domain controllers as event sources, and configure the event collection query (subscription). The events you specify in the subscription vary by domain controller platform:
- Windows Server 2003: The event IDs for the required events are 672 (Authentication Ticket Granted), 673 (Service Ticket Granted), and 674 (Ticket Granted Renewed).
- Windows Server 2008/2012 (including R2) or MS Exchange: The event IDs for the required events are 4768 (Authentication Ticket Granted), 4769 (Service Ticket Granted), 4770 (Ticket Granted Renewed), and 4624 (Logon Success).
You must forward events to the security logs location on the member servers, not to the default forwarded logs location.
To forward events as quickly as possible, select the Minimize Latency option when configuring the subscription.
Step 2  Configure a group policy to enable Windows Remote Management (WinRM) on the domain controllers.
Step 3  Configure a group policy to enable Windows Event Forwarding on the domain controllers.
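The subscription in Step 1 is what keeps the forwarded volume down to the few events per login the bandwidth estimate above assumes. The following Python is an added example, not Palo Alto Networks or Microsoft code: it builds the subscription query from exactly the event IDs listed for each platform, parses it back for verification, and picks the (username, client IP) facts out of forwarded events. The QueryList/XPath form is the one Windows event subscriptions use; the event records are constructed, and the EventData field names TargetUserName and IpAddress are assumed to be available on the forwarded events.

```python
"""Windows Log Forwarding subscription query and forwarded-event filtering.
Added example, not Palo Alto Networks code; sample events are constructed."""
import xml.etree.ElementTree as ET

# Event IDs per domain controller platform, as listed in Step 1 above.
REQUIRED_EVENT_IDS = {
    "2003": (672, 673, 674),
    "2008/2012": (4768, 4769, 4770, 4624),   # also applies to MS Exchange
}


def subscription_query(platform: str, log: str = "Security") -> str:
    """QueryList/XPath selecting only the required events, so the domain controllers
    forward those and not their entire security log."""
    cond = " or ".join(f"EventID={i}" for i in REQUIRED_EVENT_IDS[platform])
    return (f'<QueryList><Query Id="0" Path="{log}">'
            f'<Select Path="{log}">*[System[({cond})]]</Select></Query></QueryList>')


def event_ids_in_query(query: str) -> set:
    """Parse a QueryList back into the event IDs it selects (sanity check before deploying)."""
    select = ET.fromstring(query).find("Query/Select").text
    inner = select[select.index("(") + 1:select.rindex(")")]
    return {int(term.split("=")[1]) for term in inner.split(" or ")}


def logon_mappings(events, platform: str) -> list:
    """Unique (username, client IP) pairs from forwarded events relevant to the platform.
    Machine accounts (trailing '$'), the krbtgt service account and events without a
    client address carry no usable user mapping and are skipped."""
    wanted = set(REQUIRED_EVENT_IDS[platform])
    seen, out = set(), []
    for ev in events:
        if ev["EventID"] not in wanted:
            continue
        user, ip = ev.get("TargetUserName"), ev.get("IpAddress")
        if not user or not ip or ip == "-" or user.endswith("$") or user.lower() == "krbtgt":
            continue
        ip = ip.removeprefix("::ffff:")   # Kerberos events report IPv4 clients as IPv4-mapped IPv6
        if (user, ip) not in seen:
            seen.add((user, ip))
            out.append((user, ip))
    return out


# Constructed sample of forwarded events (field names assumed; values invented).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jparker", "IpAddress": "::ffff:10.1.2.30"},
    {"EventID": 4769, "TargetUserName": "jparker", "IpAddress": "::ffff:10.1.2.30"},
    {"EventID": 4624, "TargetUserName": "WS042$", "IpAddress": "10.1.2.42"},
    {"EventID": 4624, "TargetUserName": "msmith", "IpAddress": "10.1.2.31"},
    {"EventID": 4634, "TargetUserName": "msmith", "IpAddress": "-"},   # logoff: not subscribed
]


if __name__ == "__main__":
    print(subscription_query("2008/2012"))
    print(logon_mappings(SAMPLE_EVENTS, "2008/2012"))
```

The query for a 2003 domain controller selects none of the 4xxx events, so a mixed-platform collector needs one subscription per platform rather than one query with both ID sets merged.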
Configure User-ID for Numerous Mapping Information Sources
Configure User-ID for Numerous Mapping Information Sources
Step 6  Create a group mapping configuration for each LDAP server profile you created.
1. Select Device > User Identification > Group Mapping Settings.
2. Click Add and enter a Name to identify the group mapping configuration.
3. Select the LDAP Server Profile and ensure the Enabled check box is selected.
4. Configure the remaining fields as necessary: see Map Users to Groups.
   If the Global Catalog and domain mapping servers reference more groups than your security rules require, configure the Group Include List and/or Custom Group list to limit the groups for which User-ID performs mapping.
5. Click OK and Commit.
Configure Firewalls to Redistribute User Mapping Information
Every firewall that enforces user-based policy requires user mapping information. However, a large-scale network where numerous firewalls directly query the mapping information sources requires both the firewalls and sources to use considerable resources. To improve resource efficiency, you can configure some firewalls to acquire mapping information through redistribution instead of direct querying. Redistribution also enables the firewalls to enforce user-based policies when users rely on local sources for authentication (for example, regional directory services) but need access to remote resources (for example, global data center applications).
- Firewall Deployment for User-ID Redistribution
- Configure User-ID Redistribution
Firewall Deployment for User-ID Redistribution
You can organize the redistribution sequence in layers, where each layer has one or more firewalls. In the bottom layer, PAN-OS integrated User-ID agents running on firewalls and Windows-based User-ID agents running on Windows servers perform the IP address-to-username mapping. Each higher layer has firewalls that receive the mapping information from up to 100 User-ID agents in the layer beneath it. The top-layer firewalls aggregate the mapping information from all layers. This deployment provides the option to configure global policies for all users (in top-layer firewalls) and region- or function-specific policies for a subset of users in the corresponding domains (in lower-layer firewalls).
Figure: User-ID Redistribution shows a deployment with three layers of firewalls that redistribute mapping information from local information sources (directory servers, in this example) to regional offices and then to a global data center. The data center firewall that aggregates all the mapping information shares it with other data center firewalls so that they can all enforce global policy. Only the bottom-layer firewalls use PAN-OS integrated User-ID agents and Windows-based User-ID agents to query the directory servers.
The information sources from which User-ID agents collect mapping information do not count towards the maximum of ten hops in the sequence. However, Windows-based User-ID agents that forward mapping information to firewalls do count. Therefore, in this example, redistribution from the European region to all the data center firewalls requires only three hops, while redistribution from the North American region requires four hops. Also in this example, the top layer has two hops: the first to aggregate mapping information in one data center firewall and the second to share the information with other data center firewalls.
Figure: User-ID Redistribution
Configure User-ID Redistribution
Configure User-ID Redistribution
App-ID Overview
App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. It applies multiple classification mechanisms (application signatures, application protocol decoding, and heuristics) to your network traffic stream to accurately identify applications.
Here's how App-ID identifies applications traversing your network:
- Traffic is matched against policy to check whether it is allowed on the network.
- Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines if the application is being used on its default port or it is using a non-standard port. If the traffic is allowed by policy, the traffic is then scanned for threats and further analyzed for identifying the application more granularly.
- If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
- Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
- For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
When the application is identified, the policy check determines how to treat the application, for example block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.
Manage Custom or Unknown Applications
Palo Alto Networks provides weekly application updates to identify new App-ID signatures. By default, App-ID is always enabled on the firewall, and you don't need to enable a series of signatures to identify well-known applications. Typically, the only applications that are classified as unknown traffic (tcp, udp or non-syn-tcp) in the ACC and the traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.
On occasion, the firewall may report an application as unknown for the following reasons:
- Incomplete data: A handshake took place, but no data packets were sent prior to the timeout.
- Insufficient data: A handshake took place followed by one or more data packets; however, not enough data packets were exchanged to identify the application.
The following choices are available to handle unknown applications:
- Create security policies to control unknown applications by unknown TCP, unknown UDP or by a combination of source zone, destination zone, and IP addresses.
- Request an App-ID from Palo Alto Networks: If you would like to inspect and control the applications that traverse your network, for any unknown traffic, you can record a packet capture. If the packet capture reveals that the application is a commercial application, you can submit this packet capture to Palo Alto Networks for App-ID development. If it is an internal application, you can create a custom App-ID and/or define an application override policy.
- Create a Custom Application with a signature and attach it to a security policy, or create a custom application and define an application override policy: A custom application allows you to customize the definition of the internal application (its characteristics, category and subcategory, risk, port, timeout) and exercise granular policy control in order to minimize the range of unidentified traffic on your network. Creating a custom application also allows you to correctly identify the application in the ACC and traffic logs and is useful in auditing/reporting on the applications on your network. For a custom application you can specify a signature and a pattern that uniquely identifies the application and attach it to a security policy that allows or denies the application.
  Alternatively, if you would like the firewall to process the custom application using fast path (Layer 4 inspection instead of using App-ID for Layer 7 inspection), you can reference the custom application in an application override policy rule. An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer 7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4, and thereby saves application processing time.
  For example, if you build a custom application that triggers on a host header www.mywebsite.com, the packets are first identified as web-browsing and then are matched as your custom application (whose parent application is web-browsing). Because the parent application is web-browsing, the custom application is inspected at Layer 7 and scanned for content and vulnerabilities.
  If you define an application override, the firewall stops processing at Layer 4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats.
Manage New App-IDs Introduced in Content Releases
Installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for the now uniquely identified application. Before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policies and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can also choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.
The following options enable you to assess the impact of new App-IDs on existing policy enforcement, disable (and enable) App-IDs, and seamlessly update policy rules to secure and enforce newly identified applications:
- Review New App-IDs
- Disable or Enable App-IDs
- Prepare Policy Updates For Pending App-IDs
Review New App-IDs
Review new App-ID signatures introduced in an Applications and/or Threats content update. For each new application signature introduced, you can preview the App-ID details, including a description of the application identified by the App-ID, other existing App-IDs that the new signature is dependent on (such as SSL or HTTP), and the category the application traffic received before the introduction of the new App-ID (for example, an application might be classified as web-browsing traffic before an App-ID signature is introduced that uniquely identifies the traffic). After reviewing the description and details for a new App-ID signature, review the App-ID signature impact on existing policy enforcement. When new application signatures are introduced, the newly identified application traffic might no longer match to policies that previously enforced the application. Reviewing the policy impact for new application signatures enables you to identify the policies that will no longer enforce the application when the new App-ID is installed.
After downloading a new content release version, review the new App-IDs included in the content version and assess the impact of the new App-IDs on existing policy rules:
- Review New App-IDs Since Last Content Version
- Review New App-ID Impact on Existing Policy Rules
Review New App-IDs Since Last Content Version
Review New App-IDs Available Since the Last Installed Content Release Version
A list of App-IDs shows all new App-IDs introduced from the content version installed on the firewall, to the selected Content Version.
App-ID details that you can use to assess possible impact to policy enforcement include:
- Depends On: Lists the application signatures that this App-ID relies on to uniquely identify the application. If one of the application signatures listed in the Depends On field is disabled, the dependent App-ID is also disabled.
- Previously Identified As: Lists the App-IDs that matched to the application before the new App-ID was installed to uniquely identify the application.
- App-ID Enabled: All App-IDs display as enabled when a content release is downloaded, unless you choose to manually disable the App-ID signature before installing the content update (see Disable or Enable App-IDs).
  Multi-vsys firewalls display App-ID status as vsys-specific. This is because the status is not applied across virtual systems and must be individually enabled or disabled for each virtual system. To view the App-ID status for a specific virtual system, select Objects > Applications, select a Virtual System, and select the App-ID.
Next Steps...
- Disable or Enable App-IDs.
- Prepare Policy Updates For Pending App-IDs.
Review New App-ID Impact on Existing Policy Rules
Review the Impact of New App-ID Signatures on Existing Policy Rules
Step 2  You can review the policy impact of new content release versions that are downloaded to the firewall. Download a new content release version, and click Review Policies in the Action column. The Policy review based on candidate configuration dialog allows you to filter by Content Version and view App-IDs introduced in a specific release (you can also filter the policy impact of new App-IDs according to Rulebase and Virtual System).
Step 4  Use the detail provided in the policy review to plan policy rule updates to take effect when the App-ID is installed and enabled to uniquely identify the application.
You can continue to Prepare Policy Updates For Pending App-IDs, or you can directly add the new App-ID to policy rules that the application was previously matched to by continuing to use the policy review dialog.
In the following example, the new App-ID adobe-cloud is introduced in a content release. adobe-cloud traffic is currently identified as SSL and web-browsing traffic. Policy rules configured to enforce SSL or web-browsing traffic are listed to show what policy rules will be affected when the new App-ID is installed.
In this example, the rule AllowSSLApp currently enforces SSL traffic. To continue to allow adobe-cloud traffic when it is uniquely identified, and no longer identified as SSL traffic.
Add the new App-ID to existing policy rules, to allow the application traffic to continue to be enforced according to your existing security requirements when the App-ID is installed.
In this example, to continue to allow adobe-cloud traffic when it is uniquely identified by the new App-ID, and no longer identified as SSL traffic, add the new App-ID to the security policy rule AllowSSLApp.
The policy rule updates take effect only when the application updates are installed.
Next Steps...
- Disable or Enable App-IDs.
- Prepare Policy Updates For Pending App-IDs.
Disable or Enable App-IDs
Disable new App-IDs included in a content release to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.
Policy rules referencing App-IDs only match to and enforce traffic based on enabled App-IDs.
Certain App-IDs cannot be disabled and only allow a status of enabled. App-IDs that cannot be disabled include some application signatures implicitly used by other App-IDs (such as unknown-tcp). Disabling a base App-ID could cause App-IDs which depend on the base App-ID to also be disabled. For example, disabling facebook-base will disable all other Facebook App-IDs.
Disable and Enable App-IDs
Disable all App-IDs in a content release or for scheduled content updates.
- To disable all new App-IDs introduced in a content release, select Device > Dynamic Updates and Install an Applications and Threats content release. When prompted, select Disable new apps in content update. Select the check box to disable apps and continue installing the content update; this allows you to be protected against threats, and gives you the option to enable the apps at a later time.
- On the Device > Dynamic Updates page, select Schedule. Choose to Disable new apps in content update for downloads and installations of content releases.
Disable App-IDs for one application or multiple applications at a single time.
- To quickly disable a single application or multiple applications at the same time, click Objects > Applications. Select one or more application check boxes and click Disable.
- To review details for a single application, and then disable the App-ID for that application, select Objects > Applications and Disable App-ID. You can use this step to disable both pending App-IDs (where the content release including the App-ID is downloaded to the firewall but not installed) or installed App-IDs.
Prepare Policy Updates For Pending App-IDs
You can now stage seamless policy updates for new App-IDs. Release versions prior to PAN-OS 7.0 required you to install new App-IDs (as part of a content release) and then make necessary policy updates. This allowed for a period during which the newly identified application traffic was not enforced, either by existing rules (that the traffic had matched to before being uniquely identified) or by rules that had yet to be created or modified to use the new App-ID.
Pending App-IDs can now be added to policy rules to prevent gaps in policy enforcement that could occur during the period between installing a content release and updating security policy. Pending App-IDs include App-IDs that have been manually disabled, or App-IDs that are downloaded to the firewall but not installed. Pending App-IDs can be used to update policies both before and after installing a new content release. Though they can be added to policy rules, pending App-IDs are not enforced until the App-IDs are both installed and enabled on the firewall.
The names of App-IDs that have been manually disabled display as gray and italicized, to indicate the disabled status:
- Disabled App-ID listed on the Objects > Applications page:
- Disabled App-ID included in a security policy rule:
App-IDs that are included in a downloaded content release version might have an App-ID status of enabled, but App-IDs are not enforced until the corresponding content release version is installed.
Perform Seamless Policy Updates for New App-IDs
To install the content release version now and then update policies:
Do this to benefit from new threat signatures immediately, while you review new application signatures and update your policies.
1. Select Device > Dynamic Updates and Download the latest content release version.
2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
3. Install the latest content release version. Before the content release is installed, you are prompted to Disable new apps in content update. Select the check box and continue to install the content release. Threat signatures included in the content release will be installed and effective, while new or updated App-IDs are disabled.
4. Select Policies and update Security, QoS, and Policy Based Forwarding rules to match to and enforce the now uniquely identified application traffic, using the pending App-IDs.
5. Select Objects > Applications and select one or multiple disabled App-IDs and click Enable.
6. Commit your changes to seamlessly update policy enforcement for new App-IDs.
To update policies now and then install the content release version:
1. Select Device > Dynamic Updates and Download the latest content release version.
2. Review the Impact of New App-ID Signatures on Existing Policy Rules to assess the policy impact of new App-IDs.
3. While reviewing the policy impact for new App-IDs, you can use the Policy Review based on candidate configuration to add a new App-ID to existing policy rules.
4. The new App-ID is added to the existing rules as a disabled App-ID.
5. Continue to review the policy impact for all App-IDs included in the latest content release version by selecting App-IDs in the Applications dropdown. Add the new App-IDs to existing policies as needed. Click OK to save your changes.
6. Install the latest content release version.
7. Commit your changes to seamlessly update policy enforcement for new App-IDs.
UseApplicationObjectsinPolicy
CreateanApplicationGroup
CreateanApplicationFilter
CreateaCustomApplication
CreateanApplicationGroup
An application group is an object that contains applications that you want to treat similarly in policy. Application groups are useful for enabling access to applications that you explicitly sanction for use within your organization. Grouping sanctioned applications simplifies administration of your rulebases: instead of having to update individual policy rules when there is a change in the applications you support, you can update only the affected application groups.
When deciding how to group applications, consider how you plan to enforce access to your sanctioned applications and create an application group that aligns with each of your policy goals. For example, you might have some applications that you will only allow your IT administrators to access, and other applications that you want to make available for any known user in your organization. In this case, you would create separate application groups for each of these policy goals. Although you generally want to enable access to applications on the default port only, you may want to group applications that are an exception to this and enforce access to those applications in a separate rule.
Create an Application Group
Step 1 Select Objects > Application Groups.
Step 2 Add a group and give it a descriptive Name.
Step 3 (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
Step 4 Add the applications you want in the group and then click OK.
Step 5 Commit the configuration.
Create an Application Filter
An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to access. For example, you may want to enable employees to choose their own office programs (such as Evernote, Google Docs, or Microsoft Office 365) for business use. To safely enable these types of applications, you could create an application filter that matches on the Category business-systems and the Subcategory office-programs. As new office-program applications emerge and new App-IDs get created, these new applications will automatically match the filter you defined; you will not have to make any additional changes to your policy rulebase to safely enable any application that matches the attributes you defined for the filter.
Create an Application Filter
Step 1 Select Objects > Application Filters.
Step 2 Add a filter and give it a descriptive Name.
Step 3 (Optional) Select Shared to create the object in a shared location for access as a shared object in Panorama or for use across all virtual systems in a multiple virtual system firewall.
Step 4 Define the filter by selecting attribute values from the Category, Subcategory, Technology, Risk, and Characteristic sections. As you select values, notice that the list of matching applications at the bottom of the dialog narrows. When you have adjusted the filter attributes to match the types of applications you want to safely enable, click OK.
Step 5 Commit the configuration.
Create a Custom Application
To safely enable applications you must classify all traffic, across all ports, all the time. With App-ID, the only applications that are typically classified as unknown traffic (unknown-tcp, unknown-udp, or non-syn-tcp) in the ACC and the Traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.
If you are seeing unknown traffic for a commercial application that does not yet have an App-ID, you can submit a request for a new App-ID here: http://researchcenter.paloaltonetworks.com/submitanapplication/.
To ensure that your internal custom applications do not show up as unknown traffic, create a custom application. You can then exercise granular policy control over these applications in order to minimize the range of unidentified traffic on your network, thereby reducing the attack surface. Creating a custom application also allows you to correctly identify the application in the ACC and Traffic logs, which enables you to audit/report on the applications on your network.
To create a custom application, you must define the application attributes: its characteristics, category and subcategory, risk, port, timeout. In addition, you must define patterns or values that the firewall can use to match to the traffic flows themselves (the signature). Finally, you can attach the custom application to a security policy that allows or denies the application (or add it to an application group or match it to an application filter). You can also create custom applications to identify ephemeral applications with topical interest, such as ESPN3 Video for world cup soccer or March Madness.
In order to collect the right data to create a custom application signature, you'll need a good understanding of packet captures and how datagrams are formed. If the signature is created too broadly, you might inadvertently include other similar traffic; if it is defined too narrowly, the traffic will evade detection if it does not strictly match the pattern.
Custom applications are stored in a separate database on the firewall and this database is not impacted by the weekly App-ID updates.
The supported application protocol decoders that enable the firewall to detect applications that may be tunneling inside of the protocol include the following as of content update 424: HTTP, HTTPS, DNS, FTP, IMAP, SMTP, Telnet, IRC (Internet Relay Chat), Oracle, RTMP, RTSP, SSH, GNU Debugger, GIOP (Global Inter-ORB Protocol), Microsoft RPC, Microsoft SMB (also known as CIFS).
The following is a basic example of how to create a custom application.
Create a Custom Application
5. Repeat steps 3 and 4 for each matching condition.
6. If the order in which the firewall attempts to match the signature definitions is important, make sure the Ordered Condition Match check box is selected and then order the conditions so that they are evaluated in the appropriate order. Select a condition or a group and click Move Up or Move Down. You cannot move conditions from one group to another.
7. Click OK to save the signature definition.
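The effect of Ordered Condition Match, and of a signature that is written too broadly, is easier to see on concrete bytes. The following is an added illustration, not code from the guide or from PAN-OS: it evaluates one "and" group of pattern conditions against a payload, in order or unordered. The request, the hypothetical internal application name (acme-inventory) and the patterns are constructed for the example.

```python
import re

def match_signature(payload, conditions, ordered_condition_match=True):
    """Evaluate one 'and' group of a custom-application signature.

    conditions: list of byte regexes, one per condition in the group.
    With ordered_condition_match=True each condition must match *after* the
    end of the previous match, so the same payload can satisfy the group in
    one order and fail it in the other.  Returns True when every condition
    matches.
    """
    pos = 0
    for pattern in conditions:
        m = re.compile(pattern).search(payload, pos)
        if m is None:
            return False
        if ordered_condition_match:
            pos = m.end()          # the next condition must appear later in the payload
    return True

# Constructed HTTP request for a hypothetical internal application "acme-inventory".
ACME_REQUEST = (b"POST /inventory/api/v2/sync HTTP/1.1\r\n"
                b"Host: inv.corp.example\r\n"
                b"User-Agent: AcmeInventoryClient/3.2\r\n\r\n")

# Constructed request from an ordinary browser, used to test for over-broad signatures.
BROWSER_REQUEST = (b"GET / HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n")

# Narrow signature: the request line, then the client's own User-Agent header.
ACME_CONDITIONS = [rb"^POST /inventory/api/v\d+/", rb"User-Agent: AcmeInventoryClient/"]

# Over-broad signature: any request carrying a User-Agent header would match.
BROAD_CONDITIONS = [rb"User-Agent: "]

def false_positive_rate(conditions, benign_payloads, ordered=True):
    """Fraction of benign payloads a signature matches (0.0 is the goal)."""
    hits = sum(match_signature(p, conditions, ordered) for p in benign_payloads)
    return hits / len(benign_payloads)
```

Reversing the two conditions of ACME_CONDITIONS still matches when the group is unordered, but not when Ordered Condition Match is on, because `^POST` can only match at the start of the payload and the search then begins after the User-Agent header.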
Applications with Implicit Support
When creating a policy to allow specific applications, you must also be sure that you are allowing any other applications on which the application depends. In many cases, you do not have to explicitly allow access to the dependent applications in order for the traffic to flow because the firewall is able to determine the dependencies and allow them implicitly. This implicit support also applies to custom applications that are based on HTTP, SSL, MS-RPC, or RTSP. Applications for which the firewall cannot determine dependent applications on time will require that you explicitly allow the dependent applications when defining your policies. You can determine application dependencies in Applipedia.
The following table lists the applications for which the firewall has implicit support (as of Content Update 557).
Table: Applications with Implicit Support
Application                  Implicitly Supports
360-safeguard-update         http
apple-update                 http
apt-get                      http
as2                          http
avg-update                   http
avira-antivir-update         http, ssl
blokus                       rtmp
bugzilla                     http
club-cooee                   http
corba                        http
cubby                        http, ssl
dropbox                      ssl
esignal                      http
evernote                     http, ssl
ezhelp                       http
facebook                     http, ssl
facebook-chat                jabber
facebook-social-plugin       http
fastviewer                   http, ssl
forticlient-update           http
good-for-enterprise          http, ssl
google-cloud-print           http, ssl, jabber
google-desktop               http
google-talk                  jabber
google-update                http
gotomypc-desktop-sharing     citrix-jedi
gotomypc-file-transfer       citrix-jedi
gotomypc-printing            citrix-jedi
hipchat                      http
iheartradio                  ssl, http, rtmp
infront                      http
instagram                    http, ssl
issuu                        http, ssl
java-update                  http
jepptech-updates             http
kerberos                     rpc
kik                          http, ssl
lastpass                     http, ssl
logmein                      http, ssl
mcafee-update                http
megaupload                   http
metatrader                   http
mocha-rdp                    t_120
mount                        rpc
ms-frs                       msrpc
ms-rdp                       t_120
ms-scheduler                 msrpc
ms-service-controller        msrpc
nfs                          rpc
oovoo                        http, ssl
paloalto-updates             ssl
panos-global-protect         http
panos-web-interface          http
pastebin                     http
pastebin-posting             http
pinterest                    http, ssl
portmapper                   rpc
prezi                        http, ssl
rdp2tcp                      t_120
renren-im                    jabber
roboform                     http, ssl
salesforce                   http
stumbleupon                  http
supremo                      http
symantec-av-update           http
trend-micro                  http
trillian                     http, ssl
twitter                      http
whatsapp                     http, ssl
xm-radio                     rtsp
Application Level Gateways
The Palo Alto Networks firewall does not classify traffic by port and protocol; instead it identifies the application based on its unique properties and transaction characteristics using the App-ID technology. Some applications, however, require the firewall to dynamically open pinholes to establish the connection, determine the parameters for the session and negotiate the ports that will be used for the transfer of data; these applications use the application layer payload to communicate the dynamic TCP or UDP ports on which the application opens data connections. For such applications, the firewall serves as an Application Level Gateway (ALG), and it opens a pinhole for a limited time and for exclusively transferring data or control traffic. The firewall also performs a NAT rewrite of the payload when necessary.
As of Content Release version 504, the Palo Alto Networks firewall provides NAT ALG support for the following protocols: FTP, H.225, H.248, MGCP, MySQL, Oracle/SQLNet/TNS, RPC, RTSP, SCCP, SIP, and UNIStim.
When the firewall serves as an ALG for the Session Initiation Protocol (SIP), by default it performs NAT on the payload and opens dynamic pinholes for media ports. In some cases, depending on the SIP applications in use in your environment, the SIP endpoints have NAT intelligence embedded in their clients. In such cases, you might need to disable the SIP ALG functionality to prevent the firewall from modifying the signaling sessions. When SIP ALG is disabled, if App-ID determines that a session is SIP, the payload is not translated and dynamic pinholes are not opened. See Disable the SIP Application-level Gateway (ALG).
The firewall provides IPv6-to-IPv6 Network Prefix Translation (NPTv6) ALG support for the following protocols: FTP, Oracle, and RTSP. The SIP ALG is not supported for NPTv6 or NAT64.
Disable the SIP Application-level Gateway (ALG)
The Palo Alto Networks firewall uses the Session Initiation Protocol (SIP) application-level gateway (ALG) to open dynamic pinholes in the firewall where NAT is enabled. However, some applications such as VoIP have NAT intelligence embedded in the client application. In these cases, the SIP ALG on the firewall can interfere with the signaling sessions and cause the client application to stop working.
One solution to this problem is to define an Application Override Policy for SIP, but using this approach disables the App-ID and threat detection functionality. A better approach is to disable the SIP ALG, which does not disable App-ID or threat detection.
The following procedure describes how to disable the SIP ALG.
Disable the SIP ALG
Step 2 Select the sip application.
You can type sip in the Search box to help find the sip application.
Step 3 Select Customize... for ALG in the Options section of the Application dialog box.
Step 5 Close the Application dialog box and Commit the change.
Set Up Security Profiles and Policies
The following sections provide basic threat prevention configuration examples:
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Set Up Data Filtering
Set Up File Blocking
For information on controlling web access as part of your threat prevention strategy, see URL Filtering.
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
The following describes the steps needed to set up the default Antivirus, Anti-Spyware, and Vulnerability Protection Security Profiles.
All anti-spyware and vulnerability protection signatures have a default action defined by Palo Alto Networks. You can view the default action by navigating to Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then selecting a profile. Click the Exceptions tab and then click Show all signatures and you will see a list of the signatures with the default action in the Action column. To change the default action, you must create a new profile and then create rules with a non-default action, and/or add individual signature exceptions to Exceptions in the profile.
Set up Antivirus/Anti-Spyware/Vulnerability Protection
Best Practices for Antivirus Schedules
The general recommendation for antivirus signature update schedules is to perform a download-and-install on a daily basis for antivirus and weekly for applications and vulnerabilities.
Recommendations for HA Configurations:
Active/Passive HA: If the MGT port is used for antivirus signature downloads, you should configure a schedule on both firewalls and both firewalls will download/install independently. If you are using a data port for downloads, the passive firewall will not perform downloads while it is in the passive state. In this case you would set a schedule on both firewalls and then select the Sync To Peer option. This will ensure that whichever firewall is active, the updates will occur and will then push to the passive firewall.
Active/Active HA: If the MGT port is used for antivirus signature downloads on both firewalls, then schedule the download/install on both firewalls, but do not select the Sync To Peer option. If you are using a data port, schedule the signature downloads on both firewalls and select Sync To Peer. This will ensure that if one firewall in the active/active configuration goes into the active-secondary state, the active firewall will download/install the signature and will then push it to the active-secondary firewall.
Set Up Data Filtering
The following describes the steps needed to configure a data filtering profile that will detect Social Security Numbers and a custom pattern identified in .doc and .docx documents.
Data Filtering Configuration Example
4. (Optional) You can also set Custom Patterns that will be subject to this profile. In this case, you specify a pattern in the custom patterns Regex field and set a weight. You can add multiple match expressions to the same data pattern profile. In this example, we will create a Custom Pattern named SSN_Custom with a custom pattern of confidential (the pattern is case sensitive) and use a weight of 20. The reason we use the term confidential in this example is because we know that our social security Word docs contain this term, so we define that specifically.
Step 7 Commit the configuration.
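How weights and thresholds combine into an action is the part of the data filtering example that is easiest to get wrong. The following is an added illustration, not the guide's steps or PAN-OS code: it scores a document against a small set of data patterns and maps the score to allow, alert or block. The SSN_Custom regex and its weight of 20 come from the example above; the SSN regexes, their weight, the two thresholds, the file-type check and the sample text are constructed assumptions for this illustration.

```python
import re

# name -> (compiled regex, weight).  SSN_Custom is the case-sensitive pattern from
# the example above with weight 20; the other entries are constructed here.
DATA_PATTERNS = {
    "ssn-with-dashes": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 5),
    "ssn-no-dashes":   (re.compile(r"\b\d{9}\b"), 5),      # also matches any 9-digit number
    "SSN_Custom":      (re.compile(r"confidential"), 20),  # case-sensitive on purpose
}
PROFILE_FILE_TYPES = (".doc", ".docx")   # file types the example profile covers
ALERT_THRESHOLD = 20                     # constructed threshold
BLOCK_THRESHOLD = 40                     # constructed threshold

def score_text(text, patterns=DATA_PATTERNS):
    """Sum weight * match count over all patterns; return (score, per-pattern counts)."""
    counts = {}
    score = 0
    for name, (rx, weight) in patterns.items():
        n = len(rx.findall(text))
        if n:
            counts[name] = n
            score += n * weight
    return score, counts

def data_filter_verdict(filename, text):
    """Return (action, score, counts) for one transferred file.

    Files whose type is outside the profile are not scored at all, which is
    why a .pdf with the same content passes below.
    """
    if not filename.lower().endswith(PROFILE_FILE_TYPES):
        return "allow", 0, {}
    score, counts = score_text(text)
    if score >= BLOCK_THRESHOLD:
        return "block", score, counts
    if score >= ALERT_THRESHOLD:
        return "alert", score, counts
    return "allow", score, counts

# Constructed document text (the SSN and id are made-up values).
SAMPLE_DOC = ("Payroll record (confidential): employee SSN 123-45-6789, "
              "backup id 987654321.")
```

Note that "ssn-no-dashes" fires on the made-up backup id as well: a bare nine-digit regex needs a low weight, or the custom term that only your own documents contain, to keep the score meaningful.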
Set Up File Blocking
This example will describe the basic steps needed to set up file blocking. In this configuration, we will configure the options needed to prompt users to continue before downloading .exe files from websites. When testing this example, be aware that you may have other systems between you and the source that may be blocking content.
Configure File Blocking
Step 4 To test your file blocking configuration, access a client PC in the trust zone of the firewall and attempt to download an .exe file from a website in the untrust zone. A response page should display. Click Continue to download the file. You can also set other actions, such as alert or block, which will not provide a continue page to the user. The following shows the default response page for File Blocking:
Example: Default File Blocking Response Page
Prevent Brute Force Attacks
A brute force attack uses a large volume of requests/responses from the same source or destination IP address to break into a system. The attacker employs a trial and error method to guess the response to a challenge or a request.
The Vulnerability Protection profile on the firewall includes signatures to protect you from brute force attacks. Each signature has an ID, Threat Name, and Severity, and is triggered when a pattern is recorded. The pattern specifies the conditions and interval at which the traffic is identified as a brute force attack; some signatures are associated with another child signature that is of a lower severity and specifies the pattern to match against. When a pattern matches against the signature or child signature, it triggers the default action for the signature.
To enforce protection:
Attach the vulnerability profile to a security rule. See Set Up Antivirus, Anti-Spyware, and Vulnerability Protection.
Install content updates that include new signatures to protect against emerging threats. See Install Content and Software Updates.
Customize the Action and Trigger Conditions for a Brute Force Signature
The firewall includes two types of predefined brute force signatures: parent signature and child signature. A child signature is a single occurrence of a traffic pattern that matches the signature. A parent signature is associated with a child signature and is triggered when multiple events occur within a time interval and match the traffic pattern defined in the child signature.
Typically, a child signature is of default action allow because a single event is not indicative of an attack. In most cases, the action for a child signature is set to allow so that legitimate traffic is not blocked and threat logs are not generated for non-noteworthy events. Therefore, Palo Alto Networks recommends that you only change the default action after careful consideration.
In most cases, the brute force signature is a noteworthy event because of its recurrent pattern. If you would like to customize the action for a brute force signature, you can do one of the following:
Create a rule to modify the default action for all signatures in the brute force category. You can define the action to allow, alert, block, reset, or drop the traffic.
Define an exception for a specific signature. For example, you can search for a CVE and define an exception for it.
For a parent signature, you can modify both the trigger conditions and the action; for a child signature you can modify the action only.
To effectively mitigate an attack, the block-ip address action is recommended over the drop or reset action for most brute force signatures.
Customize the Threshold and Action for a Signature
7. Click OK to save the rule and the profile.
3. Set the action to allow, alert or block-ip.
4. If you select block-ip, complete these additional tasks:
a. Specify the Time period (in seconds) after which to trigger the action.
b. In the Track By field, define whether to block the IP address by IP source or by IP source and destination.
5. Click OK.
6. For each modified signature, select the check box in the Enable column.
7. Click OK.
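The parent/child relationship, the time interval and the Track By choice can be seen working together in the following added model. It is an illustration written for this page, not PAN-OS code: each call to observe() is one child-signature match, and the parent signature fires when the threshold is reached inside the interval for the tracked key. The event records, IP addresses, the threshold, and the assumption that a block-ip verdict holds for a fixed number of seconds are all constructed for the example.

```python
from collections import defaultdict, deque

CHILD_DEFAULT_ACTION = "allow"   # a single child-signature hit is not an attack

class BruteForceParentSignature:
    """Sliding-window counter that models a parent brute-force signature.

    Every call to observe() is one child-signature match.  The parent
    triggers when `threshold` matches for the same tracked key fall inside
    `interval_s` seconds, and then applies `action`.  `track_by` selects the
    key: "source" (IP source) or "source-and-destination".
    """

    def __init__(self, threshold, interval_s, track_by="source",
                 action="block-ip", block_duration_s=300):
        if track_by not in ("source", "source-and-destination"):
            raise ValueError("track_by must be 'source' or 'source-and-destination'")
        self.threshold = threshold
        self.interval_s = interval_s
        self.track_by = track_by
        self.action = action
        # Assumption for this illustration: a block-ip verdict holds for a fixed time.
        self.block_duration_s = block_duration_s
        self._hits = defaultdict(deque)   # key -> timestamps of recent child matches
        self._blocked_until = {}          # key -> time at which the block expires

    def _key(self, event):
        if self.track_by == "source":
            return (event["src"],)
        return (event["src"], event["dst"])

    def observe(self, event):
        """Feed one child-signature match; return the verdict for that event."""
        key, now = self._key(event), event["ts"]
        if self._blocked_until.get(key, -1.0) > now:
            return "block-ip"                      # inside an active block
        window = self._hits[key]
        window.append(now)
        while window and now - window[0] > self.interval_s:
            window.popleft()                       # drop matches outside the interval
        if len(window) >= self.threshold:
            window.clear()
            if self.action == "block-ip":
                self._blocked_until[key] = now + self.block_duration_s
            return self.action
        return CHILD_DEFAULT_ACTION

def replay(events, **signature_options):
    """Run constructed child-signature events through one parent signature."""
    sig = BruteForceParentSignature(**signature_options)
    return [sig.observe(e) for e in events]

# Constructed events: 203.0.113.7 retries a login six times in 50 seconds,
# while 198.51.100.3 logs in once.  Timestamps are seconds, in arrival order.
SAMPLE_EVENTS = [
    {"ts": 0,  "src": "203.0.113.7",  "dst": "10.1.1.10"},
    {"ts": 5,  "src": "198.51.100.3", "dst": "10.1.1.10"},
    {"ts": 10, "src": "203.0.113.7",  "dst": "10.1.1.10"},
    {"ts": 20, "src": "203.0.113.7",  "dst": "10.1.1.10"},
    {"ts": 30, "src": "203.0.113.7",  "dst": "10.1.1.10"},
    {"ts": 40, "src": "203.0.113.7",  "dst": "10.1.1.10"},
    {"ts": 50, "src": "203.0.113.7",  "dst": "10.1.1.10"},
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, threshold=5, interval_s=60)):
        print(event["ts"], event["src"], verdict)
```

Tracking by source and destination is the stricter choice for a single target, but an attacker spreading attempts over several destinations never reaches the threshold on any one key, which is the trade-off the Track By field asks you to make.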
Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
To monitor and protect your network from most Layer 4 and Layer 7 attacks, here are a few recommendations.
Upgrade to the most current PAN-OS software version and content release version to ensure that you have the latest security updates. For evasion prevention, upgrade to PAN-OS 7.1.1 and Applications and Threats content release version 579. See Install Content and Software Updates.
Set up the firewall to act as a DNS proxy and enable evasion signatures:
Enable DNS Proxy. When acting as a DNS proxy, the firewall resolves DNS requests and caches hostname-to-IP-address mappings in order to quickly and efficiently resolve future DNS queries.
Enable evasion signatures. Evasion signatures that detect crafted HTTP or TLS requests can alert when a client connects to a domain other than the domain specified in the original DNS request. Make sure that DNS proxy is configured if you choose to enable evasion signatures. Without DNS proxy enabled, evasion signatures can trigger when a DNS server in a DNS load balancing configuration returns different IP addresses (for servers hosting identical resources) to the firewall and client in response to the same DNS request.
For servers, create Security policy rules to only allow the application(s) that you sanction on each server. Verify that the standard port for the application matches the listening port on the server. For example, to ensure that only SMTP traffic is allowed to your email server, set the Application to smtp and set the Service to application-default. If your server uses only a subset of the standard ports (for example, if your SMTP server uses only port 587 while the SMTP application has standard ports defined as 25 and 587), you should create a new custom service that only includes port 587 and use that new service in your security policy rule instead of using application-default. Additionally, make sure to restrict access to specific source and destination zones and sets of IP addresses.
Attach the following security profiles to your Security policy rules to provide signature-based protection.
Create a Vulnerability Protection profile to block all vulnerabilities with severity low and higher.
Create an Anti-Spyware profile to block all spyware with severity low and higher.
Create an Antivirus profile to block all content that matches an antivirus signature.
Block all unknown applications/traffic using Security policy. Typically, the only applications that are classified as unknown traffic are internal or custom applications on your network, or potential threats. Because unknown traffic can be a non-compliant application or protocol that is anomalous or abnormal, or a known application that is using non-standard ports, unknown traffic should be blocked. See Manage Custom or Unknown Applications.
Create a File Blocking profile that blocks Portable Executable (PE) file types for Internet-based SMB (Server Message Block) traffic from traversing the trust to untrust zones (ms-ds-smb applications).
Create a Zone Protection profile that is configured to protect against packet-based attacks (Network > Network Profiles > Zone Protection):
Select the option to drop Malformed IP packets (Packet Based Attack Protection > IP Drop).
Remove TCP timestamps on SYN packets before the firewall forwards the packet. When you select the Remove TCP Timestamp option in a SYN packet, the TCP stack on both ends of the TCP connection will not support TCP timestamps. Therefore, by disabling the TCP timestamp for a SYN packet, you can prevent an attack that uses different timestamps on multiple packets for the same sequence number (Packet Based Attack Protection > TCP Drop).
Select the option to drop Mismatched overlapping TCP segment. By deliberately constructing connections with overlapping but different data in them, attackers can attempt to cause misinterpretation of the intent of the connection. This can be used to deliberately induce false positives or false negatives. An attacker can use IP spoofing and sequence number prediction to intercept a user's connection and inject his/her own data into the connection. Selecting this option causes PAN-OS to discard such frames with mismatched and overlapping data. The scenarios where the received segment will be discarded are when the segment received is contained within another segment, the segment received overlaps with part of another segment, or the segment completely contains another segment.
Verify that support for IPv6 is enabled, if you have configured IPv6 addresses on your network hosts (Network > Interfaces > Ethernet > IPv6). This allows access to IPv6 hosts and filters IPv6 packets that are encapsulated in IPv4 packets. Enabling support for IPv6 prevents IPv6 over IPv4 multicast addresses from being leveraged for network reconnaissance.
Enable support for multicast traffic so that the firewall can enforce policy on multicast traffic (Network > Virtual Router > Multicast).
Disable the Forward segments exceeding TCP App-ID inspection queue option (Device > Setup > Content-ID > Content-ID Settings). By default, when the App-ID inspection queue is full the firewall skips App-ID inspection, classifying the application as unknown-tcp, and forwards the segments. By disabling this option, the firewall instead drops segments when the App-ID inspection queue is full.
Disable the Forward datagrams exceeding UDP content inspection queue and Forward segments exceeding TCP content inspection queue options (Device > Setup > Content-ID > Content-ID Settings). By default, when the TCP or UDP content inspection queue is full the firewall skips Content-ID inspection for TCP segments or UDP datagrams that exceed the queue limit of 64. By disabling these options, the firewall instead drops TCP segments and UDP datagrams when the corresponding TCP or UDP content inspection queue is full.
Disable the Allow HTTP Header Range Option (Device > Setup > Content-ID > Content-ID Settings). The HTTP Range option allows a client to fetch part of a file only. When a next-generation firewall in the path of a transfer identifies and drops a malicious file, it terminates the TCP session with a RST packet. If the web browser implements the HTTP Range option, it can start a new session to fetch only the remaining part of the file. This prevents the firewall from triggering the same signature again due to the lack of context into the initial session, while at the same time allowing the web browser to reassemble the file and deliver the malicious content. Disabling this option prevents this from happening.
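The three discard scenarios named under Mismatched overlapping TCP segment (contained within another segment, partial overlap, completely contains another segment) are concrete enough to model. The following is an added illustration written for this page, not PAN-OS code: a per-flow reassembler that keeps the first copy of every byte and drops any later segment whose overlapping bytes disagree with what was already accepted. The segments and sequence numbers are constructed for the example.

```python
class TcpReassembler:
    """Per-flow byte store that refuses overlapping segments whose data disagrees.

    Accepted bytes are keyed by absolute sequence number.  A new segment that
    overlaps previously accepted data is compared byte for byte; any mismatch
    in the overlapping range makes the segment 'mismatched overlapping' and it
    is dropped, whichever of the three overlap shapes it has.
    """

    def __init__(self):
        self._bytes = {}        # absolute sequence number -> byte value
        self._segments = []     # (start, end) of every accepted segment

    def overlap_kind(self, start, end):
        """Classify the overlap with the first accepted segment it touches, or None."""
        for s, e in self._segments:
            if end <= s or start >= e:
                continue                                   # disjoint
            if start >= s and end <= e:
                return "contained-within-another-segment"
            if start <= s and end >= e:
                return "completely-contains-another-segment"
            return "overlaps-part-of-another-segment"
        return None

    def receive(self, seq, data):
        """Return ('accept'|'drop', overlap_kind) for one segment."""
        start, end = seq, seq + len(data)
        kind = self.overlap_kind(start, end)
        if kind is not None:
            for i, b in enumerate(data):
                old = self._bytes.get(start + i)
                if old is not None and old != b:
                    return "drop", kind                    # mismatched overlapping data
        for i, b in enumerate(data):
            self._bytes.setdefault(start + i, b)          # keep the first copy of a byte
        self._segments.append((start, end))
        return "accept", kind

    def stream(self):
        """Reassembled payload in sequence order (gaps are simply skipped)."""
        return bytes(self._bytes[k] for k in sorted(self._bytes))

def run_sample():
    """Constructed segments for one flow, starting at sequence number 1000."""
    r = TcpReassembler()
    verdicts = [
        r.receive(1000, b"GET /index"),      # first segment, nothing to compare
        r.receive(1005, b"index.html"),      # overlaps 5 bytes with identical data
        r.receive(1003, b"XXX"),             # inside segment 1, different bytes
        r.receive(990, b"A" * 40),           # swallows everything, different bytes
        r.receive(1015, b" HTTP/1.1"),       # contiguous, no overlap
    ]
    return verdicts, r.stream()
```

A retransmission with identical bytes (the second segment) is still accepted; only disagreement in the overlap is treated as an evasion attempt, which is the distinction the drop option relies on.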
Enable DNS Proxy
Domain name system (DNS) servers translate user-friendly domains to the associated IP addresses which locate and identify the corresponding resources. A Palo Alto Networks firewall intermediate to clients and servers can act as a DNS proxy to resolve domain name queries.
The DNS proxy feature enables the firewall to:
Quickly, efficiently, and locally resolve domain name queries based on static and cached DNS entries.
Reach out to specific DNS servers to resolve certain types of DNS requests (for example, the firewall can resolve corporate domains based on a corporate DNS server's hostname-to-IP-address mappings, and resolve other domains using a public or ISP DNS server).
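The following added model ties the DNS proxy behaviour described here (static entries, cache, per-domain upstream servers) to the evasion-signature recommendation in the best practices above: when the firewall hands out the answer itself, it knows exactly which addresses a client was given and can judge a later HTTP Host or TLS SNI connection against them. This is an illustration written for this page, not PAN-OS code; the server addresses, names, TTLs and the `fake_upstream` lookup table are constructed assumptions.

```python
import time
from collections import defaultdict

class DnsProxy:
    """Model of the DNS proxy: static entries, a TTL cache, per-domain upstream
    servers, and a record of which answers each client was handed so the evasion
    check has ground truth to compare against."""

    def __init__(self, static=None, domain_servers=None, default_server="198.51.100.53"):
        self.static = dict(static or {})                  # name -> [ip, ...]
        self.domain_servers = dict(domain_servers or {})  # domain suffix -> server
        self.default_server = default_server
        self.cache = {}                                   # name -> (ips, expiry)
        self.answers_seen = defaultdict(set)              # (client, name) -> {ip, ...}

    def upstream_for(self, name):
        """Longest matching domain suffix wins; otherwise the default server."""
        for suffix, server in sorted(self.domain_servers.items(), key=lambda kv: -len(kv[0])):
            if name == suffix or name.endswith("." + suffix):
                return server
        return self.default_server

    def resolve(self, client, name, upstream_lookup, now=None):
        """Answer a client's query; return (ips, where the answer came from)."""
        now = time.time() if now is None else now
        if name in self.static:
            ips, source = list(self.static[name]), "static"
        elif name in self.cache and self.cache[name][1] > now:
            ips, source = list(self.cache[name][0]), "cache"
        else:
            server = self.upstream_for(name)
            ips, ttl = upstream_lookup(server, name)
            self.cache[name] = (list(ips), now + ttl)
            source = "upstream:" + server
        self.answers_seen[(client, name)].update(ips)
        return ips, source

    def check_connection(self, client, host, dst_ip):
        """Evasion signature check for an HTTP Host header or TLS SNI:
        the client must connect to an IP it was actually given for `host`."""
        answered = self.answers_seen.get((client, host))
        if answered is None:
            return "no-dns-context"        # client resolved elsewhere: cannot judge
        return "ok" if dst_ip in answered else "evasion-alert"

# Constructed upstream answers: (server, name) -> (ips, ttl seconds)
UPSTREAM_TABLE = {
    ("10.1.1.53", "intranet.corp.example"): (["10.20.0.5"], 300),
    ("198.51.100.53", "www.example.com"): (["93.184.216.34"], 60),
}

def fake_upstream(server, name):
    """Stand-in for a real upstream query (constructed for this example)."""
    return UPSTREAM_TABLE[(server, name)]

def make_proxy():
    """Proxy with one static entry and corp.example routed to the corporate server."""
    return DnsProxy(static={"printer.corp.example": ["10.20.0.9"]},
                    domain_servers={"corp.example": "10.1.1.53"})
```

The "no-dns-context" outcome is the load-balancing false positive described above: a client that resolved the name through some other path may legitimately hold a different address than the one the firewall cached, so the check is only reliable when the proxy served the answer.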
Enable the Firewall to Act as a DNS Proxy
Learn more about DNS features...
Use DNS queries to identify infected hosts on the network.
Enable passive DNS collection for better threat intelligence.
To work with DNS features and virtual systems, see these DNS use cases for virtual systems and learn how to configure a DNS proxy object and DNS server profiles for virtual systems.
Enable Passive DNS Collection for Improved Threat Intelligence
Passive DNS is an opt-in feature that enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities. The data collected includes non-recursive (i.e. originating from the local recursive resolver, not individual clients) DNS query and response packet payloads. Data submitted via the Passive DNS Monitoring feature consists solely of mappings of domain names to IP addresses. Palo Alto Networks retains no record of the source of this data and does not have the ability to associate it with the submitter at a future date.
The Palo Alto Networks threat research team uses this information to gain insight into malware propagation and evasion techniques that abuse the DNS system. Information gathered through this data collection is used to improve accuracy and malware detection abilities within PAN-DB URL filtering, DNS-based command-and-control signatures, and WildFire.
DNS responses are forwarded to Palo Alto Networks only when the following requirements are met:
DNS response bit is set
DNS truncated bit is not set
DNS recursive bit is not set
DNS response code is 0 or 3 (NX)
DNS question count is bigger than 0
DNS Answer RR count is bigger than 0, or if it is 0, the response code must be 3 (NX)
DNS query record type is A, NS, CNAME, AAAA, or MX
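The requirements just listed can be checked directly against the DNS header and question section. The following is an added illustration for this page, not PAN-OS code: it builds constructed DNS messages and applies each requirement in turn, reporting the first one that fails. Reading "recursive bit" as the RD (recursion desired) flag, which is set on client-originated queries and clear on a resolver's own queries, is this example's interpretation; the transaction ID and names are constructed.

```python
import struct

ELIGIBLE_QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}

def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, off):
    """Decode an uncompressed wire-format name; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off

def build_dns_message(qname, qtype, qr=True, tc=False, rd=False, rcode=0, ancount=0):
    """Constructed DNS message: header plus one question.  Answer RRs are not
    needed for this check, so only their count is written into the header."""
    flags = (int(qr) << 15) | (int(tc) << 9) | (int(rd) << 8) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def passive_dns_eligible(msg):
    """Apply the forwarding requirements listed above; return (eligible, reason)."""
    if len(msg) < 12:
        return False, "truncated header"
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qr = (flags >> 15) & 1
    tc = (flags >> 9) & 1
    rd = (flags >> 8) & 1          # read here as the RD bit: set on client queries
    rcode = flags & 0xF
    if not qr:
        return False, "QR bit not set (not a response)"
    if tc:
        return False, "TC bit set (truncated response)"
    if rd:
        return False, "RD bit set (recursive, client-originated)"
    if rcode not in (0, 3):
        return False, "rcode %d is neither NOERROR nor NXDOMAIN" % rcode
    if qdcount == 0:
        return False, "question count is 0"
    if ancount == 0 and rcode != 3:
        return False, "no answer RRs and not NXDOMAIN"
    _, off = decode_name(msg, 12)
    (qtype,) = struct.unpack("!H", msg[off:off + 2])
    if qtype not in ELIGIBLE_QTYPES:
        return False, "qtype %d is not collected" % qtype
    return True, "eligible %s response" % ELIGIBLE_QTYPES[qtype]
```

An NXDOMAIN response with no answer records still qualifies, which is why the answer-count rule carries the exception for response code 3.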
Passive DNS monitoring is disabled by default, but it is recommended that you enable it to facilitate enhanced threat intelligence. Use the following procedure to enable Passive DNS:
Enable Passive DNS
Step 2 Select an existing profile to modify it or configure a new profile.
The Anti-Spyware profile must be attached to a security policy that governs your DNS servers' external DNS traffic.
Step 4 Click OK and then Commit.
Use DNS Queries to Identify Infected Hosts on the Network
The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to a DNS query for a known malicious domain or to a custom domain so that you can identify hosts on your network that have been infected with malware. By default, DNS queries to any domain included in the Palo Alto Networks DNS signatures list are sinkholed to a Palo Alto Networks server IP address. The following topics provide details on how to enable DNS sinkholing for custom domains and how to identify infected hosts.
DNS Sinkholing
Configure DNS Sinkholing for a List of Custom Domains
Configure the Sinkhole IP Address to a Local Server on Your Network
Identify Infected Hosts
DNS Sinkholing
DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query (that is, the firewall cannot see the originator of the DNS query). In a typical deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility problem by forging responses to the client host queries directed at malicious domains, so that clients attempting to connect to malicious domains (for command-and-control, for example) will instead attempt to connect to a default Palo Alto Networks sinkhole IP address, or to a user-defined IP address as illustrated in Configure DNS Sinkholing for a List of Custom Domains. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
If you want to enable DNS sinkholing for Palo Alto Networks DNS signatures, attach the default Anti-Spyware profile to a security policy rule (see Set Up Antivirus, Anti-Spyware, and Vulnerability Protection). DNS queries to any domain included in the Palo Alto Networks DNS signatures will be resolved to the default Palo Alto Networks sinkhole IP address. The IP addresses currently are IPv4 71.19.152.112 and the IPv6 loopback address ::1. These addresses are subject to change and can be updated with content updates.
Figure: DNS Sinkholing Example
Configure DNS Sinkholing for a List of Custom Domains
To enable DNS Sinkholing for a custom list of domains, you must create an external dynamic list that includes the domains, enable the sinkhole action in an Anti-Spyware profile and attach the profile to a security policy rule. When a client attempts to access a malicious domain in the list, the firewall forges the destination IP address in the packet to the default Palo Alto Networks server or to a user-defined IP address for sinkholing.
For each custom domain included in the external dynamic list, the firewall generates DNS-based spyware signatures. The signature is named Custom Malicious DNS Query <domain name>, and is of type spyware with medium severity; each signature is a 24-byte hash of the domain name.
Each firewall platform supports a maximum of 50,000 domain names total in one or more External Dynamic Lists but no maximum limit is enforced for any one list.
Configure DNS Sinkholing for a Custom List of Domains
9. Click OK to save the Anti-Spyware profile.
Configure the Sinkhole IP Address to a Local Server on Your Network
By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and the sinkhole IP address is set to access a Palo Alto Networks server. Use the instructions in this section if you want to set the sinkhole IP address to a local server on your network.
You must obtain both an IPv4 and IPv6 address to use as the sinkhole IP addresses because malicious software may perform DNS queries using one or both of these protocols. The DNS sinkhole address must be in a different zone than the client hosts to ensure that when an infected host attempts to start a session with the sinkhole IP address, it will be routed through the firewall.
The sinkhole addresses must be reserved for this purpose and do not need to be assigned to a physical host. You can optionally use a honeypot server as a physical host to further analyze the malicious traffic.
The configuration steps that follow use the following example DNS sinkhole addresses:
IPv4 DNS sinkhole address: 10.15.0.20
IPv6 DNS sinkhole address: fd97:3dec:4d27:e37c:5:5:5:5
Configure Sinkholing to a Local Server on Your Network
Identify Infected Hosts
After you have configured DNS sinkholing and verified that traffic to a malicious domain goes to the sinkhole address, you should regularly monitor traffic to the sinkhole address, so that you can track down the infected hosts and eliminate the threat.
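Monitoring traffic to the sinkhole address comes down to one query over the traffic log: which sources opened sessions to a sinkhole IP. The following is an added illustration for this page, not PAN-OS code or its log format: it counts sinkhole sessions per source over a few constructed, comma-separated log lines, normalising IPv6 so that a differently written address still matches. The sinkhole set uses the two example addresses from this section and the two default addresses quoted earlier; the log lines, client addresses and field layout are constructed.

```python
import ipaddress
from collections import Counter

# Sinkhole addresses: the two example values from this section, plus the default
# Palo Alto Networks sinkhole addresses quoted earlier in the chapter.
SINKHOLE_ADDRESSES = {ipaddress.ip_address(a) for a in (
    "10.15.0.20",                    # example IPv4 sinkhole address above
    "fd97:3dec:4d27:e37c:5:5:5:5",   # example IPv6 sinkhole address above
    "71.19.152.112",                 # default IPv4 sinkhole address
    "::1",                           # default IPv6 sinkhole address
)}

def parse_traffic_line(line):
    """Parse one constructed, comma-separated traffic log line:
    <receive time>,<source>,<destination>,<application>,<action>"""
    ts, src, dst, app, action = (f.strip() for f in line.split(","))
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "app": app, "action": action}

def find_sinkhole_clients(lines, sinkholes=SINKHOLE_ADDRESSES):
    """Count sessions to a sinkhole address per source host.

    Because the source of a sinkhole session is the infected client itself (not
    the local resolver), every key returned here is a host to investigate.
    """
    hits = Counter()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_traffic_line(line)
        if rec["dst"] in sinkholes:
            hits[str(rec["src"])] += 1
    return dict(hits)

# Constructed sample; the IPv6 sinkhole is written with leading zeros on purpose.
SAMPLE_TRAFFIC_LOG = """\
# receive_time,src,dst,app,action
2016/05/19 10:01:02,192.168.1.45,10.15.0.20,unknown-tcp,allow
2016/05/19 10:01:05,192.168.1.45,93.184.216.34,web-browsing,allow
2016/05/19 10:02:17,fd00::1:77,fd97:3dec:4d27:e37c:0005:0005:5:5,unknown-tcp,allow
2016/05/19 10:03:40,192.168.1.45,10.15.0.20,ssl,allow
2016/05/19 10:04:01,192.168.1.90,10.1.1.53,dns,allow
"""

if __name__ == "__main__":
    for host, count in sorted(find_sinkhole_clients(SAMPLE_TRAFFIC_LOG.splitlines()).items()):
        print(host, count)
```

The resolver (10.1.1.53 in the sample) never appears in the result even though it handled the original DNS query, which is exactly the visibility gain sinkholing provides.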
DNS Sinkhole Verification and Reporting
5. To view scheduled reports that have run, select Monitor > Reports.
Content Delivery Network Infrastructure for Dynamic Updates
Palo Alto Networks maintains a Content Delivery Network (CDN) infrastructure for delivering content updates to the Palo Alto Networks firewalls. The firewalls access the web resources in the CDN to perform various App-ID and Content-ID functions. For enabling and scheduling the content updates, see Install Content and Software Updates.
The following table lists the web resources that the firewall accesses for a feature or application:
Threat Prevention Resources
For more information on Threat Prevention, refer to the following sources:
Creating Custom Threat Signatures
Threat Prevention Deployment
Understanding DoS Protection
To view a list of Threats and Applications that Palo Alto Networks products can identify, use the following links:
Applipedia: Provides details on the applications that Palo Alto Networks can identify.
Threat Vault: Lists threats that Palo Alto Networks products can identify. You can search by Vulnerability, Spyware, or Virus. Click the Details icon next to the ID number for more information about a threat.
Decryption Overview
Secure Sockets Layer (SSL, and in practice its successor TLS) and Secure Shell (SSH) are encryption protocols used to secure traffic between two entities, such as a web server and a client. SSL and SSH encapsulate traffic, encrypting the data so that it is meaningless to anyone other than the client and server that hold the keys to decode it, and using certificates (or, for SSH, host keys) to affirm trust between the endpoints. Traffic encrypted with SSL or SSH can be decrypted by the firewall to verify that these protocols are being used for their intended purposes only, and not to conceal unwanted activity or malicious content.
Palo Alto Networks firewalls decrypt traffic by using keys to transform the session data from ciphertext to plaintext (decryption) and from plaintext back to ciphertext (re-encrypting the traffic as it exits the firewall). Certificates establish the firewall as a trusted third party to the session and are used to set up the secure connection. SSL decryption (both Forward Proxy and Inbound Inspection) requires certificates to establish trust between the two entities in order to secure an SSL/TLS connection. Certificates can also be used to exclude specific servers from SSL decryption. You can integrate a hardware security module (HSM) with the firewall to protect the private keys used in SSL Forward Proxy and SSL Inbound Inspection decryption. To learn more about generating and storing keys on an HSM and integrating an HSM with your firewall, see Secure Keys with a Hardware Security Module. SSH decryption does not require certificates.
Palo Alto Networks firewall decryption is policy based, and can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Decryption policies let you select traffic for decryption by source, destination, or URL category, and then block or restrict the selected traffic according to your security settings. The firewall uses certificates and keys to decrypt the traffic specified by the policy to plaintext, and then enforces App-ID and security settings on the plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire Submissions, and File Blocking profiles. After the traffic is decrypted and inspected, the plaintext is re-encrypted as it leaves the firewall so that it remains private and protected in transit. Use policy-based decryption on the firewall to:
- Prevent malware concealed in encrypted traffic from being introduced into the corporate network.
- Prevent sensitive corporate information from moving outside the corporate network.
- Ensure that only the appropriate applications are running on a secure network.
- Selectively decrypt traffic; for example, exclude traffic to financial or healthcare sites from decryption by configuring a decryption exception.
The three decryption policy types offered on the firewall, SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy, target and inspect outbound SSL traffic, inbound SSL traffic, and SSH traffic, respectively. The decryption policy rule specifies what traffic to decrypt, and you can attach a decryption profile to a rule to apply more granular settings to decrypted traffic, such as checks for server certificates, unsupported modes, and failures. Policy-based decryption gives you visibility into and control of SSL- and SSH-encrypted traffic according to configurable parameters.
You can also extend a decryption configuration on the firewall to include Decryption Mirroring, which forwards decrypted traffic as plaintext to a third-party solution for additional analysis and archiving.
Decryption Concepts
To learn about keys and certificates for decryption, decryption policies, and decryption port mirroring, see the following topics:
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Inbound Inspection
- SSH Proxy
- Decryption Exceptions
- Decryption Mirroring
Keys and Certificates for Decryption Policies
Keys are strings of bits, usually generated from a cryptographically secure random source (and, for RSA, from large primes), that transform data from plaintext to ciphertext (encryption) and from ciphertext back to plaintext (decryption). Keys can be symmetric (the same key is used to encrypt and decrypt) or asymmetric (one key of a mathematically related pair encrypts or verifies, and the other decrypts or signs). SSL/TLS uses asymmetric keys during the handshake and symmetric keys to protect the session data. Keys can be generated on the firewall, generated and stored on an HSM, or generated elsewhere and imported.
X.509 certificates are used to establish trust between a client and a server in order to set up an SSL connection. A client authenticating a server (or a server authenticating a client) knows the structure of an X.509 certificate and therefore knows how to extract identifying information about the peer from fields in the certificate, such as its FQDN or IP address (the Common Name, or CN; modern certificates also carry it in the Subject Alternative Name extension) or the organization, department, or user to which the certificate was issued. A certificate is normally issued by a certificate authority (CA): after the CA verifies the identity of the client or server, it issues the certificate and signs it with the CA's private key. A certificate can also be self-signed, in which case issuer and subject are the same entity and the certificate is trusted only where it has been explicitly installed as a trust anchor.
With a decryption policy configured, the certificate the firewall presents to the client depends on whether the firewall trusts the CA that signed the server certificate. To establish trust, the firewall must have the server's root CA certificate in its certificate trust list (CTL) and use the public key in that root CA certificate to verify the signature on the server's certificate chain. If the chain verifies, the firewall presents the client a copy of the server certificate signed with its Forward Trust certificate. You can also configure the firewall to use an enterprise CA-signed certificate as the Forward Trust certificate for SSL Forward Proxy. If the firewall does not have the server's root CA certificate in its CTL, it presents a copy of the server certificate signed with the Forward Untrust certificate instead. Because clients do not trust the Forward Untrust certificate, they receive a certificate warning when attempting to access sites hosted on a server with an untrusted certificate, just as they would without the firewall in the path.
For detailed information on certificates, see Certificate Management.
The table Palo Alto Networks Firewall Keys and Certificates describes the different keys and certificates used by Palo Alto Networks firewalls for decryption. As a best practice, use a different key and certificate for each usage, so that the compromise or rotation of one does not affect the others.
Table: Palo Alto Networks Firewall Keys and Certificates

Key/Certificate Usage    Description
Forward Trust            The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate signed by a CA that the firewall trusts. To configure a Forward Trust certificate on the firewall, see Step 2 in the Configure SSL Forward Proxy task. By default, the firewall determines the key size of the certificate it presents to the client based on the key size of the destination server's certificate; however, you can also set a specific key size for the firewall to use (see Configure the Key Size for SSL Forward Proxy Server Certificates). For added security, store the Forward Trust private key on a hardware security module (HSM); see Store Private Keys on an HSM.
Forward Untrust          The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate signed by a CA that the firewall does not trust. To configure a Forward Untrust certificate on the firewall, see Step 4 in the Configure SSL Forward Proxy task. Do not install this certificate in client trust stores; its purpose is to make clients see the same warning they would see for the untrusted site without decryption.
SSL Exclude Certificate  Certificates for servers that you want to exclude from SSL decryption. For example, if you have SSL decryption enabled but have certain servers that you do not want included in SSL decryption, such as the web services for your HR systems, import the corresponding server certificates onto the firewall and configure them as SSL Exclude Certificates. See Exclude a Server from Decryption.
SSL Inbound Inspection   The certificate and private key used to decrypt inbound SSL traffic for inspection and policy enforcement. For this use, import the server certificate and private key of each server on which you are performing SSL Inbound Inspection, or store the keys on an HSM (see Store Private Keys on an HSM).
SSL Forward Proxy
Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy decryption prevents malware concealed in SSL-encrypted traffic from being introduced into your corporate network.
With SSL Forward Proxy decryption, the firewall sits between the internal client and the outside server and uses certificates to establish itself as a trusted third party to the session (for details on certificates, see Keys and Certificates for Decryption Policies). When the client initiates an SSL session with the server, the firewall intercepts the client's SSL request and forwards it to the server. The server returns a certificate intended for the client, which the firewall intercepts. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate, signs it with the firewall's Forward Trust certificate, and sends that copy to the client. If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate, signs it with the Forward Untrust certificate, and sends it to the client; in this case the client's browser displays a certificate warning that the site is not trusted, and the user can choose to proceed or terminate the session. Clients accept the Forward Trust copy silently only if the Forward Trust CA certificate is installed in their trust store; otherwise every decrypted site produces the same warning. When the client accepts the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing. In effect there are two SSL sessions: one between the client and the firewall, and one between the firewall and the server.
As the firewall continues to receive SSL traffic from the server destined for the client, it decrypts the SSL traffic into cleartext and applies decryption and security profiles to it. The traffic is then re-encrypted on the firewall, and the firewall forwards the encrypted traffic to the client.
Figure: SSL Forward Proxy shows this process in detail.
Figure: SSL Forward Proxy
See Configure SSL Forward Proxy for details on configuring SSL Forward Proxy.
SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server (any server for which you have the certificate and private key and can import them onto the firewall). For example, if an employee is remotely connected to a web server hosted on the company network and is attempting to add restricted internal documents to a Dropbox folder (which uses SSL for data transmission), SSL Inbound Inspection can be used to ensure that the sensitive data does not move outside the secure company network by blocking or restricting the session.
Configuring SSL Inbound Inspection includes importing the targeted server's certificate and private key onto the firewall. Because the firewall holds the server's private key, it can follow the SSL handshake between the client and the server and decrypt and inspect the traffic transparently, rather than functioning as a proxy: the client still sees the real server certificate, and no Forward Trust or Forward Untrust certificate is involved. This passive approach depends on the key exchange: with RSA key exchange, possession of the server's private key is enough to recover the session keys, but with ephemeral Diffie-Hellman (DHE/ECDHE) cipher suites it is not, so such sessions cannot be decrypted this way; use the unsupported-mode checks in the decryption profile to decide whether they are blocked or passed through undecrypted. The firewall applies security policy to the decrypted traffic, detecting malicious content and controlling applications running over this secure channel.
Figure: SSL Inbound Inspection shows this process in detail.
Figure: SSL Inbound Inspection
See Configure SSL Inbound Inspection for details on configuring SSL Inbound Inspection.
SSH Proxy
SSH Proxy gives the firewall the ability to decrypt inbound and outbound SSH connections passing through it, in order to ensure that SSH is not being used to tunnel unwanted applications and content. SSH decryption does not require any certificates; the key used for SSH decryption is generated automatically when the firewall boots. During boot, the firewall checks whether a key already exists and generates one if not. This key is used for decrypting SSH sessions for all virtual systems configured on the firewall, and the same key is used for all SSHv2 sessions.
In an SSH Proxy configuration, the firewall sits between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards it to the server. The firewall then intercepts the server's response and forwards it to the client, establishing one SSH tunnel between the client and the firewall and another between the firewall and the server, with the firewall functioning as a proxy. Because the firewall terminates the client's connection, the host key the client sees belongs to the firewall rather than to the server, so clients that have already recorded the server's host key (for example, in known_hosts) will warn that the key has changed. As traffic flows between the client and the server, the firewall can distinguish whether the SSH traffic is regular shell traffic or is using SSH tunneling (port forwarding). Content and threat inspection is not performed on SSH tunnels; however, when the firewall identifies SSH tunnels, the tunneled traffic is blocked or restricted according to the configured security policies.
Figure: SSH Proxy Decryption shows this process in detail.
Figure: SSH Proxy Decryption
See Configure SSH Proxy for details on configuring an SSH Proxy policy.
Decryption Exceptions
Applications that do not function properly when the firewall decrypts them are automatically excluded from SSL decryption. For a current list of applications the firewall excludes from SSL decryption by default, see List of Applications Excluded from SSL Decryption.
You can also Configure Decryption Exceptions to exclude applications, URL categories, and specific server traffic from decryption:
- Exclude URL categories or applications that do not work properly with decryption enabled, or that you exclude for any other reason, including legal or privacy requirements. You can use a decryption policy rule to exclude traffic from decryption based on source, destination, URL category, service (port or protocol), and TCP port number. For example, with SSL decryption enabled, you can choose URL categories to exclude traffic categorized as financial or health-related from decryption.
- Exclude server traffic from SSL decryption based on the Common Name (CN) in the server certificate. For example, if you have SSL decryption enabled but have certain servers whose traffic you do not want to decrypt, such as the web services for your HR systems, exclude those servers from decryption by importing the server certificate onto the firewall and marking the certificate as an SSL Exclude Certificate.
Decryption Mirroring
The decryption mirroring feature creates a copy of decrypted traffic from a firewall and sends it to a traffic collection tool that can receive raw packet captures, such as NetWitness or Solera, for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or for data leak prevention (DLP). Decryption mirroring is available on PA-7000 Series, PA-5000 Series, and PA-3000 Series platforms only and requires that a free license be installed to enable it.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is regulated in certain countries, and user consent might be required in order to use the decryption mirror feature. Additionally, because the mirrored copy is plaintext, this feature could enable a malicious user with administrative access to the firewall or to the collection tool to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted over an encrypted channel; restrict administrative access accordingly and treat the mirror port and the collector as sensitive assets. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
Figure: Decryption Port Mirroring shows the process for mirroring decrypted traffic, and the section Configure Decryption Port Mirroring describes how to license and enable this feature.
Figure: Decryption Port Mirroring
Define Traffic to Decrypt
A decryption policy rule defines the traffic that you want the firewall to decrypt, or the traffic that you want the firewall to exclude from decryption. You can attach a decryption profile to a decryption policy rule to control matching traffic more granularly.
- Create a Decryption Profile
- Create a Decryption Policy Rule
Create a Decryption Profile
A decryption profile lets you perform checks on both decrypted traffic and traffic that you have excluded from decryption. Create a decryption profile to:
- Block sessions that use unsupported protocol versions or cipher suites, or that require client authentication.
- Block sessions based on certificate status: the certificate is expired, is signed by an untrusted CA, has extensions restricting its use, has an unknown certificate status, or its status cannot be retrieved within the configured timeout period.
- Block sessions if the resources to perform decryption are not available or if a hardware security module is not available to sign certificates.
After you create a decryption profile, attach it to a decryption policy rule; the firewall then enforces the profile settings on traffic matched to that rule.
Palo Alto Networks firewalls include a default decryption profile that you can use to enforce the basic recommended protocol versions and cipher suites for decrypted traffic.
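The following Python script is an added example, not PAN-OS code or a Palo Alto Networks tool: it models the server-certificate and unsupported-mode checks listed above as individual profile flags and runs a strict profile over a few constructed TLS session summaries, so you can see which setting would block a given session before you enable it in production. The session fields, the trusted CA name, the cipher allow-list and the fixed clock are all assumptions made for the example.

```python
"""Decryption-profile checks on a summarized TLS handshake.

Added example, not PAN-OS code: it models the server-certificate and
unsupported-mode checks a decryption profile can enforce. Session fields,
the trusted CA names, the cipher allow-list and the fixed clock are all
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Fixed clock so results are reproducible (constructed).
NOW = datetime(2016, 5, 19, tzinfo=timezone.utc)

# Illustrative allow-lists; a real profile selects versions and algorithms per setting.
SUPPORTED_VERSIONS = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}
SUPPORTED_CIPHERS = {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"}


@dataclass
class Certificate:
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    extended_key_usage: Optional[List[str]] = None   # None means unrestricted
    status: str = "good"                              # "good", "unknown" or "timeout"


@dataclass
class Session:
    version: str
    cipher: str
    cert: Certificate
    client_auth_required: bool = False


@dataclass
class DecryptionProfile:
    """One flag per check the profile can enforce (all off = nothing is blocked)."""
    block_expired_cert: bool = False
    block_untrusted_issuer: bool = False
    block_restricted_extensions: bool = False
    block_unknown_status: bool = False
    block_status_timeout: bool = False
    block_unsupported_version: bool = False
    block_unsupported_cipher: bool = False
    block_client_auth: bool = False


def evaluate(session: Session, profile: DecryptionProfile, trusted_cas: Set[str],
             now: datetime = NOW) -> List[str]:
    """Return the names of the enabled checks this session fails (empty list = allowed)."""
    cert, failed = session.cert, []
    if profile.block_expired_cert and not (cert.not_before <= now <= cert.not_after):
        failed.append("expired-certificate")
    if profile.block_untrusted_issuer and cert.issuer_cn not in trusted_cas:
        failed.append("untrusted-issuer")
    # An Extended Key Usage extension that omits serverAuth restricts the certificate to other uses.
    if (profile.block_restricted_extensions and cert.extended_key_usage is not None
            and "serverAuth" not in cert.extended_key_usage):
        failed.append("restricted-extensions")
    if profile.block_unknown_status and cert.status == "unknown":
        failed.append("unknown-certificate-status")
    if profile.block_status_timeout and cert.status == "timeout":
        failed.append("certificate-status-timeout")
    if profile.block_unsupported_version and session.version not in SUPPORTED_VERSIONS:
        failed.append("unsupported-version")
    if profile.block_unsupported_cipher and session.cipher not in SUPPORTED_CIPHERS:
        failed.append("unsupported-cipher")
    if profile.block_client_auth and session.client_auth_required:
        failed.append("client-authentication")
    return failed


def demo() -> Dict[str, List[str]]:
    """Run a strict profile over constructed sessions; returns the failed checks per session."""
    strict = DecryptionProfile(True, True, True, True, True, True, True, True)
    trusted = {"Example Root CA"}
    valid = Certificate("www.example.com", "Example Root CA",
                        NOW - timedelta(days=30), NOW + timedelta(days=335))
    sessions = {
        "clean": Session("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", valid),
        "expired-self-signed": Session("TLSv1.2", "AES128-SHA", Certificate(
            "intranet.test", "intranet.test", NOW - timedelta(days=800), NOW - timedelta(days=1))),
        "legacy-sslv3": Session("SSLv3", "RC4-SHA", valid),
        "client-cert-site": Session("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384",
                                    Certificate("vpn.example.com", "Example Root CA",
                                                NOW, NOW + timedelta(days=90),
                                                extended_key_usage=["clientAuth"], status="timeout"),
                                    client_auth_required=True),
    }
    return {name: evaluate(s, strict, trusted) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, failed in demo().items():
        print(f"{name:22s} {'ALLOW' if not failed else 'BLOCK: ' + ', '.join(failed)}")
```

Every check is independent, so a session can fail several at once (the client-certificate site above fails three); with the default profile (all flags off) nothing is blocked, which is why the page recommends starting from the firewall's default profile rather than an empty one.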
Configure a Decryption Profile Rule
Step 8 Commit the configuration.
Create a Decryption Policy Rule
Create a decryption policy rule to define the traffic for the firewall to decrypt and the type of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy decryption. You can also use a decryption policy rule to define Decryption Exceptions.
Configure a Decryption Policy Rule
Step 2 Give the policy rule a descriptive Name.
Step 3 Configure the decryption rule to match traffic based on network and policy objects:
- Firewall security zones: Select Source and/or Destination and match traffic based on the Source Zone and/or the Destination Zone.
- IP addresses, address objects, and/or address groups: Select Source and/or Destination to match traffic based on Source Address and/or Destination Address. Alternatively, select Negate to make the rule match every source except the listed addresses, which excludes the listed addresses from decryption.
- Users: Select Source and set the Source User whose traffic to decrypt. You can decrypt traffic for specific users or groups, or for certain types of users, such as unknown users or pre-logon users (users connected to GlobalProtect who are not yet logged in).
- Ports and protocols: Select Service/URL Category to match traffic based on service. By default, the policy rule is set to decrypt Any traffic on TCP and UDP ports. You can Add a service or a service group, and optionally set the rule to application-default to match applications only on their default ports.
  The application-default setting is useful to Configure Decryption Exceptions: you can exclude applications running on their default ports from decryption while continuing to decrypt the same applications when they are detected on non-standard ports.
- URLs and URL categories: Select Service/URL Category and decrypt traffic based on:
  - An externally hosted list of URLs that the firewall retrieves for policy enforcement (see Objects > External Dynamic Lists).
  - Custom URL categories (see Objects > Custom Objects > URL Category).
  - Palo Alto Networks URL categories. This option is useful to Configure Decryption Exceptions. For example, you could create a custom URL category to group sites that you do not want to decrypt, or you could exclude financial or healthcare-related sites from decryption based on the Palo Alto Networks URL categories.
Step 6 Click OK to save the policy.
Next Steps... Fully enable the firewall to decrypt traffic:
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Decryption Exceptions
Configure SSL Forward Proxy
To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall as a trusted third party to the session between the client and the server. The firewall can use a self-signed certificate or a certificate signed by an enterprise certificate authority (CA) as the Forward Trust certificate with which it signs the copies of server certificates that it presents to clients.
(Recommended) Enterprise CA-signed certificate
An enterprise CA can issue a subordinate CA (signing) certificate that the firewall uses to sign the certificates for sites requiring SSL decryption. When the firewall trusts the CA that signed the destination server's certificate, it sends the client a copy of the destination server certificate signed by this enterprise-issued certificate. Because clients in the enterprise already trust the enterprise root CA, no additional certificate distribution is needed.
Self-signed certificate
When a client connects to a server with a certificate signed by a CA that the firewall trusts, the firewall signs a copy of the server certificate with the self-signed CA certificate and presents it to the client to establish the SSL session. You can use a self-signed certificate for SSL Forward Proxy decryption if your organization does not have an enterprise CA or if you intend to perform decryption only for a limited number of clients; in that case the self-signed CA certificate must be distributed to, and trusted by, each of those clients.
In addition, set up a Forward Untrust certificate for the firewall to present to clients when the server certificate is signed by a CA that the firewall does not trust. This ensures that clients are prompted with a certificate warning when attempting to access sites with untrusted certificates, rather than having the firewall silently vouch for them.
After setting up the Forward Trust and Forward Untrust certificates required for SSL Forward Proxy decryption, add a decryption policy rule to define the traffic you want the firewall to decrypt. SSL traffic matched to the decryption policy rule is decrypted to cleartext; the cleartext traffic is blocked or restricted based on the decryption profile attached to the rule and on the firewall's security policy, and is re-encrypted as it exits the firewall.
Configure SSL Forward Proxy
Step 2 Configure the Forward Trust certificate for the firewall to present to clients when the server certificate is signed by a trusted CA. Use one of the following:
- (Recommended) Use an enterprise CA-signed certificate as the Forward Trust certificate.
- Use a self-signed certificate as the Forward Trust certificate.
(Recommended) Use an enterprise CA-signed certificate as the Forward Trust certificate:
1. Generate a Certificate Signing Request (CSR) for the enterprise CA to sign and validate:
   a. Select Device > Certificate Management > Certificates and click Generate.
   b. Enter a Certificate Name, such as my-fwd-proxy.
   c. In the Signed By drop-down, select External Authority (CSR).
   d. (Optional) If your enterprise CA requires it, add Certificate Attributes to further identify the firewall, such as Country or Department.
   e. Click OK to save the CSR. The pending certificate is now displayed on the Device Certificates tab.
2. Export the CSR:
   a. Select the pending certificate displayed on the Device Certificates tab.
   b. Click Export to download and save the certificate file. Leave Export private key unselected so that the private key remains on the firewall; the CA only needs the request, never the key.
   c. Click OK.
3. Provide the certificate file to your enterprise CA. When you receive the enterprise CA-signed certificate from your enterprise CA, save it for import onto the firewall. The CA must issue it as a CA (signing) certificate, because the firewall will use it to sign certificates.
4. Import the enterprise CA-signed certificate onto the firewall:
   a. Select Device > Certificate Management > Certificates and click Import.
   b. Enter the pending Certificate Name exactly (in this case, my-fwd-proxy). The Certificate Name that you enter must exactly match the pending certificate name in order for the pending certificate to be validated.
   c. Select the signed Certificate File that you received from your enterprise CA.
   d. Click OK. The certificate is displayed as valid with the Key and CA check boxes selected.
5. Select the validated certificate, in this case my-fwd-proxy, and enable it as a Forward Trust Certificate to be used for SSL Forward Proxy decryption.
6. Click OK to save the enterprise CA-signed Forward Trust certificate.
Use a self-signed certificate as the Forward Trust certificate:
1. Generate a new certificate:
   a. Select Device > Certificate Management > Certificates.
   b. Click Generate at the bottom of the window.
   c. Enter a Certificate Name, such as my-fwd-trust.
   d. Enter a Common Name, such as 192.168.2.1. This should be the IP address or FQDN that will appear in the certificate; in this case, we are using the IP address of the trust interface. Avoid using spaces in this field.
   e. Leave the Signed By field blank.
   f. Select the Certificate Authority check box so that the firewall can issue certificates signed by this one. Selecting this check box creates a certificate authority (CA) on the firewall; export this CA certificate (without its private key) and install it in the trust store of each client browser or operating system, so that clients trust the firewall as a CA.
   g. Generate the certificate.
2. Click the new certificate, my-fwd-trust, to modify it and enable the certificate as a Forward Trust Certificate.
3. Click OK to save the self-signed Forward Trust certificate.
Step 8 Commit the configuration.
Next Steps...
- Enable Users to Opt Out of SSL Decryption.
- Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure SSL Inbound Inspection
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server for which you have the server certificate and private key). With an SSL Inbound Inspection decryption policy enabled, all SSL traffic identified by the policy is decrypted to cleartext and inspected. The cleartext traffic is blocked or restricted based on the decryption profile attached to the policy and on any configured Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File Blocking profiles. You can also enable the firewall to forward decrypted unknown files for WildFire analysis and signature generation. Traffic is re-encrypted as it exits the firewall.
Configuring SSL Inbound Inspection includes installing the targeted server's certificate and private key on the firewall and creating an SSL Inbound Inspection decryption policy. Because the firewall then holds a copy of the server's private key, protect it as carefully as on the server itself: restrict administrative access to the firewall, or store the key on an HSM (see Store Private Keys on an HSM).
Configure SSL Inbound Inspection
Step 5 Commit the configuration.
Next Steps...
- Enable Users to Opt Out of SSL Decryption.
- Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure SSH Proxy
Configuring SSH Proxy does not require certificates; the key used to decrypt SSH sessions is generated automatically on the firewall during boot.
With SSH decryption enabled, all SSH traffic identified by the policy is decrypted and identified as either regular SSH traffic or SSH-tunneled traffic. SSH-tunneled traffic is blocked or restricted according to the profiles configured on the firewall. Traffic is re-encrypted as it exits the firewall.
Configure SSH Proxy Decryption
Step 4 Commit the configuration.
Next Step... Configure Decryption Exceptions to disable decryption for certain types of traffic.
Configure Decryption Exceptions
You can purposefully exclude traffic from decryption based on source, destination, URL category, and service (ports and protocols). You can also exclude a specific server from decryption. See the following topics to configure Decryption Exceptions:
- Exclude Traffic from Decryption
- Exclude a Server from Decryption
Exclude Traffic from Decryption
To exclude traffic from decryption, create a decryption policy rule and set the policy action to No Decrypt. Exclude traffic from decryption based on application, source, destination, URL category, and service (ports and protocols). Because the firewall compares policy rules against incoming traffic in order and applies the first rule that matches, make sure that a decryption exclusion rule is listed above the decryption rules it is meant to override; a No Decrypt rule placed below a broader Decrypt rule is shadowed and never takes effect.
Exclude Traffic from a Decryption Policy
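The following Python script is an added example, not PAN-OS code or a Palo Alto Networks tool. It models the rule evaluation described in Create a Decryption Policy Rule and in the two exception topics above: the rulebase is walked top-down and the first matching rule wins, application-default restricts a match to an application's default port, an SSL Exclude Certificate (matched here by the server certificate's CN) bypasses decryption even when a Decrypt rule matches, and for traffic that is decrypted the firewall presents a Forward Trust copy when the issuer is in its trust list and a Forward Untrust copy otherwise (see Keys and Certificates for Decryption Policies). The same rules are evaluated in two orders to show the shadowing problem. The rules, zone names, URL categories, application default ports, trusted CA names and sessions are all assumptions made for the example.

```python
"""Top-down evaluation of a decryption rulebase, with exceptions.

Added example, not PAN-OS code: a small model of how the firewall walks the
decryption policy (first matching rule wins) and, for a matched decrypt rule,
whether an SSL Exclude Certificate bypasses decryption and which signing
certificate (Forward Trust or Forward Untrust) the client would see. The
rules, zones, URL categories, application default ports, trusted CA names
and sessions are all constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ANY = "any"
# Constructed application-default port table (the firewall's own table is far larger).
APP_DEFAULT_PORTS = {"ssl": {443}, "dropbox": {443}}


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_port: int
    app: str
    url_category: str
    server_cn: str
    issuer_cn: str


@dataclass
class Rule:
    name: str
    action: str                                   # "decrypt" or "no-decrypt"
    src_zones: Set[str] = field(default_factory=lambda: {ANY})
    dst_zones: Set[str] = field(default_factory=lambda: {ANY})
    src_ips: Set[str] = field(default_factory=lambda: {ANY})
    apps: Set[str] = field(default_factory=lambda: {ANY})
    url_categories: Set[str] = field(default_factory=lambda: {ANY})
    service: str = ANY                            # "any", "application-default" or "tcp/<port>"
    negate_src: bool = False                      # match every source EXCEPT src_ips

    def matches(self, s: Session) -> bool:
        def hit(allowed: Set[str], value: str) -> bool:
            return ANY in allowed or value in allowed
        src_ok = hit(self.src_ips, s.src_ip)
        if self.negate_src:
            src_ok = not src_ok
        if self.service == "application-default":
            svc_ok = s.dst_port in APP_DEFAULT_PORTS.get(s.app, set())
        elif self.service == ANY:
            svc_ok = True
        else:
            svc_ok = s.dst_port == int(self.service.split("/")[1])
        return (src_ok and svc_ok and hit(self.src_zones, s.src_zone)
                and hit(self.dst_zones, s.dst_zone) and hit(self.apps, s.app)
                and hit(self.url_categories, s.url_category))


def evaluate(rules: List[Rule], s: Session, trusted_cas: Set[str],
             exclude_cns: Set[str]) -> Tuple[Optional[str], str]:
    """Return (name of the first matching rule or None, outcome).

    Outcomes: "no-decrypt", "no-decrypt:ssl-exclude-certificate",
    "decrypt:forward-trust", "decrypt:forward-untrust", or "pass-through"
    when no rule matches (the firewall does not decrypt unless a rule says so).
    """
    for rule in rules:
        if not rule.matches(s):
            continue
        if rule.action != "decrypt":
            return rule.name, "no-decrypt"
        if s.server_cn in exclude_cns:            # SSL Exclude Certificate overrides decrypt
            return rule.name, "no-decrypt:ssl-exclude-certificate"
        cert = "forward-trust" if s.issuer_cn in trusted_cas else "forward-untrust"
        return rule.name, "decrypt:" + cert
    return None, "pass-through"


def demo() -> Dict[str, Tuple[str, str]]:
    """Evaluate constructed sessions against the same rules in a wrong and a right order."""
    trusted, exclude_cns = {"Example Root CA"}, {"hr.corp.example"}
    exception = Rule("no-decrypt-finance-health", "no-decrypt",
                     url_categories={"financial-services", "health-and-medicine"})
    dropbox_default = Rule("no-decrypt-dropbox-on-443", "no-decrypt",
                           apps={"dropbox"}, service="application-default")
    decrypt_out = Rule("decrypt-outbound", "decrypt", src_zones={"trust"},
                       dst_zones={"untrust", "dmz"})
    wrong_order = [decrypt_out, exception, dropbox_default]   # exceptions are shadowed
    right_order = [exception, dropbox_default, decrypt_out]   # exceptions first
    sessions = {
        "bank":         Session("trust", "untrust", "10.1.1.5", 443, "ssl", "financial-services", "bank.example", "Example Root CA"),
        "news":         Session("trust", "untrust", "10.1.1.5", 443, "ssl", "news", "news.example", "Example Root CA"),
        "self-signed":  Session("trust", "untrust", "10.1.1.5", 443, "ssl", "unknown", "dev.example", "dev.example"),
        "dropbox-443":  Session("trust", "untrust", "10.1.1.5", 443, "dropbox", "online-storage-and-backup", "dropbox.example", "Example Root CA"),
        "dropbox-8443": Session("trust", "untrust", "10.1.1.5", 8443, "dropbox", "online-storage-and-backup", "dropbox.example", "Example Root CA"),
        "hr-portal":    Session("trust", "dmz", "10.1.1.5", 443, "ssl", "business-and-economy", "hr.corp.example", "Corp Issuing CA"),
    }
    return {name: (evaluate(wrong_order, s, trusted, exclude_cns)[1],
                   evaluate(right_order, s, trusted, exclude_cns)[1])
            for name, s in sessions.items()}


if __name__ == "__main__":
    print(f"{'session':14s} {'exceptions last':34s} exceptions first")
    for name, (wrong, right) in demo().items():
        print(f"{name:14s} {wrong:34s} {right}")
```

With the exceptions placed last, the bank site and Dropbox on its default port are decrypted despite the No Decrypt rules, because the broad Decrypt rule matches first; with the exceptions placed first they are bypassed, while Dropbox on a non-standard port is still decrypted (the application-default trick from the policy-rule topic). The HR portal is bypassed in either order because the SSL Exclude Certificate is checked after the rule matches, not as a rule of its own.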
Exclude a Server from Decryption
You can exclude server traffic from SSL decryption based on the common name (CN) in the server certificate. For example, if you have SSL decryption enabled, you could configure a decryption exception for the server on your corporate network that hosts the web services for your HR systems.
Exclude a Server from Decryption
Step 1 Import the targeted server certificate onto the firewall:
1. On the Device > Certificate Management > Certificates > Device Certificates tab, select Import.
2. Enter a descriptive Certificate Name.
3. Browse for and select the targeted server Certificate File. Only the certificate is needed for an exclusion; the server's private key is not required.
4. Click OK.
Enable Users to Opt Out of SSL Decryption
In some cases, you might need to alert your users to the fact that the firewall is decrypting certain web traffic and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a user attempts to browse to an HTTPS site or application that matches your decryption policy, the firewall displays a response page notifying the user that it will decrypt the session. Users can either click Yes to allow decryption and continue to the site, or click No to opt out of decryption and terminate the session. The choice to allow decryption applies to all HTTPS sites that the user tries to access for the next 24 hours, after which the firewall redisplays the response page. Users who opt out of SSL decryption cannot access the requested web page, or any other HTTPS site, for the next minute. After the minute elapses, the firewall redisplays the response page the next time the user attempts to access an HTTPS site.
The firewall includes a predefined SSL Decryption Opt-out Page that you can enable. You can optionally customize the page with your own text and/or images.
Enable Users to Opt Out of SSL Decryption
Configure Decryption Port Mirroring
Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.
Configure Decryption Port Mirroring
Temporarily Disable SSL Decryption
In some cases you may want to temporarily disable SSL decryption. For example, if your users are having problems accessing an encrypted site or application, you may want to disable SSL decryption in order to troubleshoot the issue. Although you could disable the associated decryption policy rules, modifying the rules is a configuration change that requires a Commit. Instead, use the following command to temporarily disable SSL decryption and then re-enable it after you finish troubleshooting. This command does not require a commit and does not persist in your configuration after a reboot; while decryption is disabled, matching traffic passes uninspected, so re-enable it explicitly as soon as troubleshooting is done.
Temporarily Disable SSL Decryption
URL Filtering Overview
The Palo Alto Networks URL filtering solution complements App-ID by enabling you to configure the firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect your network from attack. With URL Filtering enabled, all web traffic is compared against the URL filtering database, which contains a listing of millions of websites that have been categorized into approximately 60 categories. You can use these URL categories as match criteria in policies (Captive Portal, Decryption, Security, and QoS) or attach them as URL Filtering profiles to security policy rules, to safely enable web access and control the traffic that traverses your network. Note that for HTTPS traffic the firewall can categorize by full URL only if the traffic is decrypted (see Decryption Overview); otherwise categorization is based on the server name visible in the handshake.
Although the Palo Alto Networks URL filtering solution supports both BrightCloud and PAN-DB, only the PAN-DB URL filtering solution allows you to choose between the PAN-DB Public Cloud and the PAN-DB Private Cloud. Use the public cloud solution if the Palo Alto Networks next-generation firewalls on your network can directly access the Internet. If the network security requirements in your enterprise prohibit the firewalls from directly accessing the Internet, you can deploy a PAN-DB private cloud on one or more M-500 appliances that function as PAN-DB servers within your network.
- URL Filtering Vendors
- Interaction Between App-ID and URL Categories
- PAN-DB Private Cloud
URL Filtering Vendors
Palo Alto Networks firewalls support two URL filtering vendors:
- PAN-DB: A Palo Alto Networks-developed URL filtering database that is tightly integrated into PAN-OS and the Palo Alto Networks threat intelligence cloud. PAN-DB provides high-performance local caching for maximum inline performance on URL lookups, and offers coverage against malicious URLs and IP addresses. As WildFire, which is part of the Palo Alto Networks threat intelligence cloud, identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs), the PAN-DB database is updated with information on malicious URLs so that you can block malware downloads and disable command-and-control (C&C) communications to protect your network from cyber threats.
  To view a list of PAN-DB URL filtering categories, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
- BrightCloud: A third-party URL database that is owned by Webroot, Inc. and is integrated into PAN-OS firewalls. For information on the BrightCloud URL database, visit http://brightcloud.com.
For instructions on configuring the firewall to use one of the supported URL Filtering vendors, see Enable a URL Filtering Vendor.
Interaction Between App-ID and URL Categories
The Palo Alto Networks URL filtering solution in combination with App-ID provides protection against a full spectrum of cyber-attack, legal, regulatory, productivity, and resource-utilization risks. While App-ID gives you control over what applications users can access, URL filtering provides control over related web activity. When combined with User-ID, you can enforce controls based on users and groups.
With today's application landscape and the way many applications use HTTP and HTTPS, you will need to use App-ID, URL filtering, or both in order to define comprehensive web access policies. App-ID signatures are granular and allow you to identify shifts from one web-based application to another; URL filtering allows you to enforce actions based on a specific website or URL category. For example, while you can use URL filtering to control access to Facebook and/or LinkedIn, URL filtering cannot block the use of related applications such as email, chat, or any new applications that are introduced after you implement policy. When combined with App-ID, you can control the use of related applications, because the granular application signatures can identify each application; for example, policy can allow access to Facebook while blocking Facebook chat.
You can also use URL categories as match criteria in policies. Instead of creating policies limited to either allow-all or block-all behavior, URL category as a match criterion permits exception-based behavior and gives you more granular policy enforcement. For example, deny access to malware and hacking sites for all users, but allow access to users that belong to the IT security group.
For some examples, see URL Filtering Use Case Examples.
PAN-DB Private Cloud
The PAN-DB private cloud is an on-premises solution suitable for organizations that prohibit or restrict the use of the PAN-DB public cloud service. With this on-premises solution, you deploy one or more M-500 appliances as PAN-DB servers within your network or data center. The firewalls query the PAN-DB private cloud to perform URL lookups instead of accessing the PAN-DB public cloud.
The process for performing URL lookups is the same for the firewalls on the network whether they use the private or the public cloud. By default, the firewall is configured to access the public PAN-DB cloud. If you deploy a PAN-DB private cloud, you must configure the firewalls with a list of IP addresses or FQDNs of the server(s) in the private cloud.
Firewalls running PAN-OS 5.0 or later can communicate with the PAN-DB private cloud.
When you Set Up the PAN-DB Private Cloud, you can either configure the M-500 appliance(s) to have direct Internet access or keep them completely offline. Because the M-500 appliance requires database and content updates to perform URL lookups, if the appliance does not have an active Internet connection you must manually download the updates to a server on your network and then import them into each M-500 appliance in the PAN-DB private cloud using SCP. In addition, the appliances must be able to obtain the seed database and any other regular or critical content updates for the firewalls they serve.
To authenticate the firewalls that connect to the PAN-DB private cloud, a set of default server certificates is packaged with the appliance; you cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls.
- M-500 Appliance for PAN-DB Private Cloud
- Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud
M500ApplianceforPANDBPrivateCloud
To deploy a PAN-DB private cloud, you need one or more M-500 appliances. The M-500 appliance ships in Panorama mode; to deploy it as a PAN-DB private cloud you must set it up to operate in PAN-URL-DB mode. In PAN-URL-DB mode, the appliance provides URL categorization services for enterprises that do not want to use the PAN-DB public cloud.

When deployed as a PAN-DB private cloud, the M-500 appliance uses two ports, MGT (Eth0) and Eth1; Eth2 is not available for use. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud or from a server on your network. For communication between the PAN-DB private cloud and the firewalls on the network, you can use either the MGT port or Eth1.

The M-100 appliance cannot be deployed as a PAN-DB private cloud.

The M-500 appliance in PAN-URL-DB mode:
- Does not have a web interface; it supports only a command line interface (CLI).
- Cannot be managed by Panorama.
- Cannot be deployed in a high availability pair.
- Does not require a URL Filtering license. The firewalls, however, must have a valid PAN-DB URL Filtering license to connect with and query the PAN-DB private cloud.
- Ships with a set of default server certificates that are used to authenticate the firewalls that connect to the PAN-DB private cloud. You cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls that it services.
- Can be reset to Panorama mode only. If you want to deploy the appliance as a dedicated Log Collector, switch to Panorama mode first and then set it to Log Collector mode.
Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

URL Filtering Concepts
- URL Categories
- URL Filtering Profile
- URL Filtering Profile Actions
- Block and Allow Lists
- External Dynamic List for URLs
- Safe Search Enforcement
- Container Pages
- HTTP Header Logging
- URL Filtering Response Pages
- URL Category as Policy Match Criteria
URL Categories

Each website defined in the URL filtering database is assigned one of approximately 60 different URL categories. There are two ways to make use of URL categorization on the firewall:

- Block or allow traffic based on URL category. You can create a URL Filtering profile that specifies an action for each URL category and attach the profile to a policy rule. Traffic that matches the rule is then subject to the URL filtering settings in the profile. For example, to block all gaming websites you would set the block action for the URL category games in the URL Filtering profile and attach it to the security policy rule(s) that allow web access. See Configure URL Filtering for more information.
- Match traffic based on URL category for policy enforcement. If you want a specific policy rule to apply only to web traffic to sites in a specific category, add the category as match criteria when you create the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria for more information.

Grouping websites into categories makes it easy to define actions based on certain types of websites. In addition to the standard URL categories, there are three additional categories:

not-resolved: Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL; if no match is found, it checks the management plane cache, and if no match is found there, it queries the URL database in the cloud. In the case of the PAN-DB private cloud, the public URL database in the cloud is not used for queries.
Setting the action to block for traffic that is categorized as not-resolved may be very disruptive to users. You could set the action to continue instead, so that you can notify users that they are accessing a site that is blocked by company policy and give them the option to read the disclaimer and continue to the website.
For more information on troubleshooting lookup issues, see Troubleshoot URL Filtering.

private-ip-addresses: Indicates that the website is a single domain (no subdomains), the IP address is in the private IP range, or the URL root domain is unknown to the cloud.

unknown: The website has not yet been categorized, so it does not exist in the URL filtering database on the firewall or in the URL cloud database.
When deciding what action to take for traffic categorized as unknown, be aware that setting the action to block may be very disruptive to users, because there could be many valid sites that are not in the URL database yet. If you do want a very strict policy, you could block this category, so that websites that do not exist in the URL database cannot be accessed.
Palo Alto Networks collects the list of URLs from the unknown category and processes them to determine the URL category. These URLs are processed automatically, every day, provided the website has machine-readable content in a supported format and language. Upon categorization, the updated category information is made available to all PAN-DB customers.

See Configure URL Filtering.
Change Request Process

Palo Alto Networks customers can submit URL categorization change requests using the Palo Alto Networks dedicated web portal (Test A Site), the URL Filtering profile setup page on the firewall, or the URL Filtering log on the firewall. Each change request is processed automatically every day, provided the website provides machine-readable content in a supported format and language. Sometimes the categorization change requires a member of the Palo Alto Networks engineering staff to perform a manual review; in such cases the process may take a little longer.
URL Filtering Profile

A URL Filtering profile is a collection of URL filtering controls that are applied to individual security policy rules to enforce your web access policy. The firewall comes with a default profile that is configured to block threat-prone categories, such as malware, phishing, and adult. You can use the default profile in a security policy, clone it as a starting point for new URL Filtering profiles, or add a new URL Filtering profile that has all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL Filtering profiles and add lists of specific websites that should always be blocked or allowed for more granular control over URL categories. For example, you may want to block social networking sites but allow some websites that are part of the social-networking category.

- URL Filtering Profile Actions
- Block and Allow Lists
- External Dynamic List for URLs
- Safe Search Enforcement
- Container Pages
- HTTP Header Logging
URL Filtering Profile Actions

The URL Filtering profile specifies an action for each URL category. By default, all URL categories are set to allow when you create a new URL Filtering profile. This means that users will be able to browse to all sites freely and the traffic will not be logged. The firewall also comes with a predefined default URL Filtering profile that allows access to all categories except the following threat-prone categories, which it blocks: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, and weapons.

As a best practice, if you want to create a custom URL Filtering profile, clone the default URL Filtering profile and change the action in all allow categories to either alert or continue so that you have visibility into the traffic. It is also a best practice to set the proxy-avoidance-and-anonymizers category to block.

alert: The website is allowed and a log entry is generated in the URL Filtering log.

allow: The website is allowed and no log entry is generated.

block: The website is blocked and the user will see a response page and will not be able to continue to the website. A log entry is generated in the URL Filtering log.

continue: The user is presented with a response page indicating that the site has been blocked due to company policy, but is given the option to continue to the website. The continue action is typically used for categories that are considered benign and is used to improve the user experience by giving users the option to continue if they feel the site is incorrectly categorized. The response page message can be customized to contain details specific to your company. A log entry is generated in the URL Filtering log.
The Continue page will not be displayed properly on client machines that are configured to use a proxy server.

override: The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security admin or help desk person provides a password granting temporary access to all websites in the given category. A log entry is generated in the URL Filtering log. See Configure URL Admin Override.
The Override page does not display properly on client machines that are configured to use a proxy server.

none: The none action only applies to custom URL categories. Select none to ensure that, if multiple URL Filtering profiles exist, the custom category will not have any impact on other profiles. For example, if you have two URL Filtering profiles and the custom URL category is set to block in one profile, and you do not want the block action to apply to the other profile, you must set the action to none in that profile.
Also, in order to delete a custom URL category, it must be set to none in every profile where it is used.
Block and Allow Lists

In some cases you might want to block a category but allow a few specific sites in that category. Alternatively, you might want to allow some categories but block individual sites in the category. You do this by adding the IP addresses or URLs of these sites in the Block List and Allow List sections of the URL Filtering profile to Define websites that should always be blocked or allowed.

When entering URLs in the Block List, the Allow List, or an External Dynamic List for URLs, enter each URL or IP address on its own line. When using wildcards in the URLs, follow these rules:

- Do not include HTTP or HTTPS when defining URLs. For example, enter www.paloaltonetworks.com or paloaltonetworks.com instead of https://www.paloaltonetworks.com.
- Entries in the block list must be an exact match and are case insensitive.
  For example: if you want to prevent a user from accessing any website within the domain paloaltonetworks.com, you would also add *.paloaltonetworks.com, so that whatever prefix (http://, www, or a subdomain prefix such as mail.paloaltonetworks.com) is added to the address, the specified action is taken. The same applies to the path suffix; if you want to block paloaltonetworks.com/en/US, you would need to add paloaltonetworks.com/* as well.
  Further, if you want to match paloaltonetworks.com without also matching a longer domain suffix such as paloaltonetworks.com.au, you must add a trailing /, so that the match cannot continue past a dot that follows .com. In this case, you need to add the entry as *.paloaltonetworks.com/
- The lists support wildcard patterns. The following characters are considered separators: . / ? & = ; +
  Every substring that is delimited by the characters listed above is considered a token. A token can be any number of ASCII characters that does not contain any separator character or *. For example, the following patterns are valid:
  *.yahoo.com (tokens are: "*", "yahoo" and "com")
  www.*.com (tokens are: "www", "*" and "com")
  www.yahoo.com/search=* (tokens are: "www", "yahoo", "com", "search", "*")
  The following patterns are invalid because the character * is not the only character in the token:
  ww*.yahoo.com
  www.y*.com
External Dynamic List for URLs

To protect your network from new sources of threats or malware, you can use an External Dynamic List in URL Filtering profiles to block or allow, or to define granular actions such as continue, alert, or override for URLs, before you attach the profile to a Security policy rule. Unlike the allow list, block list, or a custom URL category on the firewall, an external dynamic list gives you the ability to update the list without a configuration change or commit on the firewall. The firewall dynamically imports the list at the configured interval and enforces policy for the URLs in the list (IP addresses or domains will be ignored). For URL formatting guidelines, see Block and Allow Lists.
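The following script is an added illustration, not code from Palo Alto Networks or the firewall: it models the tokenization, validation and matching rules described under Block and Allow Lists and loads a list file in the one-entry-per-line format shared by the block list, the allow list and an External Dynamic List for URLs. The list text, the IP handling (bare IP addresses are accepted in the block/allow lists but dropped for an EDL) and the matching semantics are assumptions made for the example: an entry is matched token by token, a trailing * consumes the rest of the path, and a domain entry without a trailing / still matches when the domain continues with another label (the .com.au case above). Verify the firewall's own behaviour with Test A Site or the URL Filtering log before relying on a pattern.

```python
"""Tokenizer, validator and matcher for URL Filtering list entries.

Added example, not firewall code. The separator set and the
"'*' must be a whole token" rule come from the guide; the prefix and
trailing-slash semantics are modelling assumptions (see the lead-in).
"""
import ipaddress
import re

SEPARATORS = ".?/&=;+"
# Capturing group keeps the separators so we can compare them positionally.
_SPLIT_RE = re.compile("([" + re.escape(SEPARATORS) + "])")


def tokenize(entry):
    """Split an entry into tokens; separators are returned as their own items."""
    return [t for t in _SPLIT_RE.split(entry) if t != ""]


def validate(entry):
    """Return None if the entry is well-formed, otherwise a reason string."""
    if entry.lower().startswith(("http://", "https://")):
        return "drop the scheme: use www.example.com, not https://www.example.com"
    for tok in tokenize(entry):
        if "*" in tok and tok != "*":
            return "'*' must be the only character in its token: %r" % tok
    return None


def matches(entry, url):
    """Case-insensitive, token-by-token match of a list entry against a request."""
    e = tokenize(entry.lower())
    u = tokenize(url.lower())
    for i, pe in enumerate(e):
        if i >= len(u):
            # URL ended early: only a trailing '/' in the entry may be absent
            return pe == "/" and i == len(e) - 1
        pu = u[i]
        if pe == "*":
            if pu in SEPARATORS:          # '*' stands for a token, never a separator
                return False
            if i == len(e) - 1:           # final wildcard covers the rest (assumption)
                return True
        elif pe != pu:
            return False
    rest = u[len(e):]
    if not rest:
        return True
    # Domain continues with another label (paloaltonetworks.com.au): still a
    # match unless the entry was pinned with a trailing '/'.
    return rest[0] == "." and e[-1] != "/"


def load_list(text, edl=False):
    """Parse one-entry-per-line list text into (accepted, rejected-with-reason)."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            ipaddress.ip_address(entry)
            is_ip = True
        except ValueError:
            is_ip = False
        if is_ip:
            if edl:
                rejected.append((entry, "bare IP address is ignored in a URL EDL"))
            else:
                accepted.append(entry)
            continue
        err = validate(entry)
        if err:
            rejected.append((entry, err))
        else:
            accepted.append(entry)
    return accepted, rejected


def first_match(entries, url):
    """Return the first list entry that matches the requested URL, or None."""
    for entry in entries:
        if matches(entry, url):
            return entry
    return None


# Constructed sample list: two good entries, one IP, two malformed entries.
SAMPLE_LIST = """\
# constructed sample list
*.paloaltonetworks.com
paloaltonetworks.com/*
192.0.2.10
ww*.yahoo.com
https://www.example.com
"""

if __name__ == "__main__":
    ok, bad = load_list(SAMPLE_LIST, edl=True)
    print("accepted:", ok)
    print("rejected:", bad)
    print("mail.paloaltonetworks.com ->", first_match(ok, "mail.paloaltonetworks.com"))
```

Run the validator over a list before uploading it: the firewall silently ignores entries it cannot use, and a rejected pattern such as ww*.yahoo.com means the site you meant to block stays reachable.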
Safe Search Enforcement

Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. On the firewall, you can Enable Safe Search Enforcement so that the firewall blocks search results if the end user is not using the strictest safe search settings in the search query. The firewall can enforce safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.

To use this feature you must enable the Safe Search Enforcement option in a URL Filtering profile and attach it to a security policy rule. The firewall will then block any matching search query return traffic that is not using the strictest safe search settings. There are two methods for blocking the search results:

- Block Search Results that are not Using Strict Safe Search Settings. When an end user attempts to perform a search without first enabling the strictest safe search settings, the firewall blocks the search query results and displays the URL Filtering Safe Search Block Page. By default, this page provides a URL to the search provider settings for configuring safe search.
- Enable Transparent Safe Search Enforcement. When an end user attempts to perform a search without first enabling the strict safe search settings, the firewall blocks the search results with an HTTP 503 status code and redirects the search query to a URL that includes the safe search parameters. You enable this functionality by importing a new URL Filtering Safe Search Block Page containing the JavaScript for rewriting the search URL to include the strict safe search parameters. In this configuration, users will not see the block page but will instead be automatically redirected to a search query that enforces the strictest safe search options. This safe search enforcement method requires content release version 475 or later and is only supported for Google, Yahoo, and Bing searches.

Also, because most search providers now use SSL to return search results, you must also configure a Decryption policy rule for the search traffic to enable the firewall to inspect the search traffic and enforce safe search.

Safe search enforcement enhancements and support for new search providers are periodically added in content releases. This information is detailed in the Application and Threat Content Release Notes. How sites are judged to be safe or unsafe is determined by each search provider, not by Palo Alto Networks.

Safe search settings differ by search provider as detailed in Table: Search Provider Safe Search Settings.

Table: Search Provider Safe Search Settings

Google / YouTube: Offers safe search on individual computers or network-wide through Google's safe search virtual IP address:
Safe Search Enforcement for Google Searches on Individual Computers. In the Google Search Settings, the Filter explicit results setting enables safe search functionality. When enabled, the setting is stored in a browser cookie as FF= and passed to the server each time the user performs a Google search. Appending safe=active to a Google search query URL also enables the strictest safe search settings.
Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address. Google provides servers that Lock SafeSearch (forcesafesearch.google.com) settings in every Google and YouTube search. By adding a DNS entry for www.google.com and www.youtube.com (and other relevant Google and YouTube country subdomains) that includes a CNAME record pointing to forcesafesearch.google.com to your DNS server configuration, you can ensure that all users on your network are using strict safe search settings every time they perform a Google or YouTube search. Keep in mind, however, that this solution is not compatible with Safe Search Enforcement on the firewall. Therefore, if you are using this option to force safe search on Google, the best practice is to block access to other search engines on the firewall by creating custom URL categories and adding them to the block list in the URL Filtering profile.
If you plan to use the Google Lock SafeSearch solution, consider configuring DNS Proxy (Network > DNS Proxy) and setting the inheritance source as the Layer 3 interface on which the firewall receives DNS settings from the service provider via DHCP. You would configure the DNS proxy with Static Entries for www.google.com and www.youtube.com, using the local IP address of the forcesafesearch.google.com server.

Yahoo: Offers safe search on individual computers only. The Yahoo Search Preferences include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as vm= and passed to the server each time the user performs a Yahoo search. Appending vm=r to a Yahoo search query URL also enables the strictest safe search settings.
When performing a search on Yahoo Japan (yahoo.co.jp) while logged into a Yahoo account, end users must also enable the SafeSearch Lock option.

Bing: Offers safe search on individual computers or through the Bing in the Classroom program. The Bing Settings include three SafeSearch settings: Strict, Moderate, or Off. When enabled, the setting is stored in a browser cookie as adlt= and passed to the server each time the user performs a Bing search. Appending adlt=strict to a Bing search query URL also enables the strictest safe search settings.
The Bing SSL search engine does not enforce the safe search URL parameters, and you should therefore consider blocking Bing over SSL for full safe search enforcement.
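The following is an added example, not the firewall's block page or any Palo Alto Networks code: it shows in Python the decision that transparent safe search enforcement makes for a Google, Yahoo or Bing query URL, using only the query parameters the table above documents (safe=active, vm=r, adlt=strict). The provider-detection rule (a "google", "yahoo" or "bing" label in the hostname) and the sample URLs are assumptions for the example. It operates on the URL alone, which is why the firewall needs the search traffic decrypted: without the cleartext query string there is nothing to inspect or rewrite.

```python
"""Check and rewrite search query URLs for strict safe-search parameters.

Added example, not firewall code. STRICT_PARAM holds the strict values
listed in the guide's Search Provider Safe Search Settings table; the
hostname heuristic in provider_for() is a simplifying assumption.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

STRICT_PARAM = {
    "google": ("safe", "active"),
    "yahoo": ("vm", "r"),
    "bing": ("adlt", "strict"),
}


def provider_for(host):
    """Map a search hostname to a provider key, or None if unsupported."""
    labels = host.lower().split(".")
    for name in STRICT_PARAM:
        if name in labels:
            return name
    return None


def is_strict(url):
    """True/False if the query carries the provider's strict value; None if not a search provider."""
    parts = urlsplit(url)
    prov = provider_for(parts.hostname or "")
    if prov is None:
        return None
    key, want = STRICT_PARAM[prov]
    # Use the last occurrence, the value a browser would send if the key is repeated.
    values = [v for k, v in parse_qsl(parts.query, keep_blank_values=True) if k == key]
    return bool(values) and values[-1] == want


def enforce(url):
    """Return the URL to serve.

    Unchanged when the query is already strict (or not a search provider);
    otherwise the same query with the weaker/missing parameter replaced by
    the strict one, i.e. the redirect target the transparent block page
    would send after the firewall answers the original request with 503.
    """
    parts = urlsplit(url)
    prov = provider_for(parts.hostname or "")
    if prov is None or is_strict(url):
        return url
    key, want = STRICT_PARAM[prov]
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != key]
    query.append((key, want))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample queries: one strict, two weak, one unsupported.
    for sample in (
        "https://www.google.com/search?q=cats&safe=active",
        "https://search.yahoo.com/search?p=cats&vm=p",
        "https://www.bing.com/search?q=cats",
        "https://example.com/?q=cats",
    ):
        print(is_strict(sample), "->", enforce(sample))
```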
Container Pages

A container page is the main page that a user accesses when visiting a website; additional pages may be loaded within the main page. If the Log Container page only option is enabled in the URL Filtering profile, only the main container page is logged, not subsequent pages that may be loaded within the container page. Because URL filtering can potentially generate a lot of log entries, you may want to turn on this option so that log entries only contain those URIs where the requested page file name matches the specific MIME types. The default set includes the following MIME types:
- application/pdf
- application/soap+xml
- application/xhtml+xml
- text/html
- text/plain
- text/xml
HTTP Header Logging

URL filtering provides visibility and control over web traffic on your network. For improved visibility into web content, you can configure the URL Filtering profile to log HTTP header attributes included in a web request. When a client requests a web page, the HTTP header carries the User-Agent, Referer, and X-Forwarded-For fields as attribute-value pairs and forwards them to the web server. When enabled for logging HTTP headers, the firewall logs the following attribute-value pairs in the URL Filtering logs:

User-Agent: The web browser that the user used to access the URL, for example, Internet Explorer. This information is sent in the HTTP request to the server.

Referer: The URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.

X-Forwarded-For (XFF): The option in the HTTP request header field that preserves the IP address of the user who requested the web page. If you have a proxy server on your network, the XFF allows you to identify the IP address of the user who requested the content, instead of only recording the proxy server's IP address as the source IP address that requested the web page.
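As an added example (not firewall code and not how the firewall's logging is implemented), the following parses a raw HTTP request and produces the three header attributes described above, together with the check a practitioner would want before trusting X-Forwarded-For: every one of these headers is supplied by the client, so XFF only identifies the real user when the request actually arrived from a proxy you operate, and even then a client can prepend its own forged hop. The request text, the proxy address and the hostnames are constructed for this example.

```python
"""Extract User-Agent, Referer and X-Forwarded-For from a raw HTTP request.

Added example, not firewall code. The trusted proxy set and the sample
request are constructed; the right-to-left XFF walk is the usual way to
ignore hops the client could have forged.
"""
import ipaddress

# Assumed address of the only proxy whose X-Forwarded-For we believe.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed request: 198.51.100.9 is a value the client inserted itself,
# 192.0.2.44 is what the trusted proxy appended when it forwarded the request.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) Example/1.0\r\n"
    "Referer: https://intranet.example.com/links\r\n"
    "X-Forwarded-For: 198.51.100.9, 192.0.2.44\r\n"
    "\r\n"
)


def parse_request(raw):
    """Return (request_line, headers) with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                      # tolerate junk lines rather than abort
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def client_from_xff(xff, src_ip):
    """Pick the client address from XFF, or fall back to the packet source.

    Walk the hops from right to left: the rightmost entries were appended by
    proxies we trust, and the first untrusted one is the best client estimate.
    Anything further left (such as 198.51.100.9 above) is client-controlled.
    """
    if ipaddress.ip_address(src_ip) not in TRUSTED_PROXIES:
        return src_ip                     # not from our proxy: XFF is untrusted
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break                         # malformed hop: stop, keep the proxy address
        if ip in TRUSTED_PROXIES:
            continue
        return hop
    return src_ip


def url_log_attributes(raw, src_ip):
    """Build the URL Filtering log fields for one request seen from src_ip."""
    request_line, h = parse_request(raw)
    method, target, _version = request_line.split(" ", 2)
    record = {
        "src": src_ip,
        "method": method,
        "url": h.get("host", "") + target,
        "user_agent": h.get("user-agent", ""),
        "referer": h.get("referer", ""),
        "xff": h.get("x-forwarded-for", ""),
    }
    record["client_ip"] = client_from_xff(record["xff"], src_ip) if record["xff"] else src_ip
    return record


if __name__ == "__main__":
    print(url_log_attributes(SAMPLE_REQUEST, "10.0.0.5"))   # via the trusted proxy
    print(url_log_attributes(SAMPLE_REQUEST, "203.0.113.7"))  # direct, XFF ignored
```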
URL Filtering Response Pages

The firewall provides three predefined response pages that display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering profile (block, continue, or override) or when Safe Search Enforcement is enabled:

- URL Filtering and Category Match Block Page: Access blocked by a URL Filtering profile or because the URL category is blocked by a security policy rule.
- URL Filtering Continue and Override Page: Page with initial block policy that allows users to bypass the block by clicking Continue. With URL Admin Override enabled (Configure URL Admin Override), after clicking Continue the user must supply a password to override the policy that blocks the URL.
- URL Filtering Safe Search Block Page: Access blocked by a security policy rule with a URL Filtering profile that has the Safe Search Enforcement option enabled (see Enable Safe Search Enforcement). The user will see this page if a search is performed using Google, Bing, Yahoo, or Yandex and their browser or search engine account setting for Safe Search is not set to strict.

You can either use the predefined pages, or you can Customize the URL Filtering Response Pages to communicate your specific acceptable use policies and/or corporate branding. In addition, you can use the URL Filtering Response Page Variables for substitution at the time of the block event or add one of the supported Response Page References to external images, sounds, or style sheets.

URL Filtering Response Page Variables

<user/>: The firewall replaces the variable with the user name (if available via User-ID) or IP address of the user when displaying the response page.

<url/>: The firewall replaces the variable with the requested URL when displaying the response page.

<category/>: The firewall replaces the variable with the URL filtering category of the blocked request.

<pan_form/>: HTML code for displaying the Continue button on the URL Filtering Continue and Override page.

You can also add code that triggers the firewall to display different messages depending on what URL category the user is attempting to access. For example, the following code snippet from a response page displays Message 1 if the URL category is games, Message 2 if the category is travel, or Message 3 if the category is kids:
    // The firewall substitutes the blocked request's category before serving the page.
    var cat = "<category/>";
    switch (cat) {
        case 'games':
            document.getElementById("warningText").innerHTML = "Message 1";
            break;
        case 'travel':
            document.getElementById("warningText").innerHTML = "Message 2";
            break;
        case 'kids':
            document.getElementById("warningText").innerHTML = "Message 3";
            break;
        default:
            // Any other category keeps the generic text already in the page.
            break;
    }
Only a single HTML page can be loaded into each virtual system for each type of block page. However, other resources such as images, sounds, and cascading style sheets (CSS files) can be loaded from other servers at the time the response page is displayed in the browser. All references must include a fully qualified URL.

Response Page References
URL Category as Policy Match Criteria

Use URL categories as match criteria in a policy rule for more granular enforcement. For example, suppose you have configured Decryption but want to exclude traffic to certain types of websites (for example, health care or financial services) from being decrypted. In this case you could create a decryption policy rule that matches those categories and set the action to no-decrypt. By placing this rule above the rule that decrypts all traffic, you ensure that web traffic in those URL categories matches the no-decrypt rule and all other traffic matches the subsequent decrypt rule.

The following table describes the policy types that accept URL category as match criteria:

Captive Portal: To ensure that users authenticate before being allowed access to a specific category, you can attach a URL category as a match criterion for the Captive Portal policy.

Decryption: Decryption policies can use URL categories as match criteria to determine whether specified websites should be decrypted. For example, if you have a decryption policy rule with the action decrypt for all traffic between two zones, there may be specific website categories, such as financial-services and/or health-and-medicine, that should not be decrypted. In this case, you would create a new decryption policy rule with the action no-decrypt that precedes the decrypt rule and defines a list of URL categories as match criteria. By doing this, each URL category that is part of the no-decrypt rule will not be decrypted. You could also configure a custom URL category to define your own list of URLs that can then be used in the no-decrypt rule.

QoS: QoS policies can use URL categories to allocate throughput levels for specific website categories. For example, you may want to allow the streaming-media category but limit its throughput by adding the URL category as match criteria to the QoS policy rule.

Security: In security policies you can use URL categories both as match criteria in the Service/URL Category tab and in URL Filtering profiles that are attached in the Actions tab.
If, for example, the IT security group in your company needs access to the hacking category while all other users are denied access to the category, you must create the following rules:
- A security rule that allows the IT Security group to access content categorized as hacking. The security rule references the hacking category in the Service/URL Category tab and the IT Security group in the Users tab.
- Another security rule that allows general web access for all users. To this rule you attach a URL Filtering profile that blocks the hacking category.
The rule that allows access to hacking must be listed before the rule that blocks hacking. This is because security policy rules are evaluated top-down, so when a user who is part of the IT Security group attempts to access a hacking site, the rule that allows access is evaluated first and allows the user access to the hacking sites. Users from all other groups are evaluated against the general web access rule, which blocks access to the hacking sites.
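The ordering point above is easy to get wrong in a long rulebase, so the following added example (not PAN-OS code; rule objects, group names and categories are constructed for it) models top-down, first-match evaluation of the two rules just described and adds the check an engineer would want: a scan for rules that can never match because an earlier, broader rule already covers every user group and URL category they match.

```python
"""First-match evaluation of security rules that use URL category, plus a shadowing check.

Added example, not PAN-OS code. A Rule models only the parts of a security
rule the passage uses: user groups, URL-category match criteria, and the
attached URL Filtering profile (category -> action).
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    groups: set = field(default_factory=lambda: {"any"})
    url_categories: set = field(default_factory=lambda: {"any"})
    profile: dict = field(default_factory=dict)   # URL Filtering profile: category -> action
    default_action: str = "allow"                 # profile action for categories not listed


def evaluate(rules, user_groups, category):
    """Return (rule_name, action) for the first rule that matches, top-down."""
    for rule in rules:
        if rule.groups != {"any"} and not (rule.groups & user_groups):
            continue
        if rule.url_categories != {"any"} and category not in rule.url_categories:
            continue
        return rule.name, rule.profile.get(category, rule.default_action)
    return None, "deny"                           # nothing matched: implicit deny


def shadowed(rules):
    """Names of rules that an earlier rule completely covers, so they never match."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            covers_groups = earlier.groups == {"any"} or rule.groups <= earlier.groups
            covers_cats = earlier.url_categories == {"any"} or rule.url_categories <= earlier.url_categories
            if covers_groups and covers_cats:
                out.append(rule.name)
                break
    return out


# The two rules from the passage (constructed objects).
IT_HACKING = Rule("allow-it-hacking", groups={"it-security"}, url_categories={"hacking"})
GENERAL_WEB = Rule("general-web",
                   profile={"hacking": "block", "malware": "block"},
                   default_action="alert")      # passive profile: log everything else

CORRECT_ORDER = [IT_HACKING, GENERAL_WEB]
WRONG_ORDER = [GENERAL_WEB, IT_HACKING]

if __name__ == "__main__":
    print(evaluate(CORRECT_ORDER, {"it-security"}, "hacking"))   # allowed by the narrow rule
    print(evaluate(CORRECT_ORDER, {"sales"}, "hacking"))         # blocked by the profile
    print(evaluate(WRONG_ORDER, {"it-security"}, "hacking"))     # blocked: narrow rule is shadowed
    print(shadowed(WRONG_ORDER))
```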
PAN-DB Categorization
- PAN-DB URL Categorization Components
- PAN-DB URL Categorization Workflow

PAN-DB URL Categorization Components

The following table describes the PAN-DB components in detail. The BrightCloud system works similarly, but does not use an initial seed database.

URL Filtering Seed Database: The initial seed database downloaded to the firewall is a small subset of the database that is maintained on the Palo Alto Networks URL cloud servers. This is done because the full database contains millions of URLs, many of which may never be accessed by your users. When downloading the initial seed database, you select a region (North America, Europe, APAC, Japan). Each region contains a subset of the URLs most accessed in that region. This allows the firewall to store a much smaller URL database for better URL lookup performance. If a user accesses a website that is not in the local URL database, the firewall queries the full cloud database and then adds the new URL to the local database. This way the local database on the firewall is continually populated and customized based on actual user activity.
Note that re-downloading the PAN-DB seed database or switching the URL database vendor from PAN-DB to BrightCloud will clear the local database.

Cloud Service: The PAN-DB cloud service is implemented using Amazon Web Services (AWS). AWS provides a distributed, high-performance, and stable environment for seed database downloads and URL lookups for Palo Alto Networks firewalls, and communication is performed over SSL. The AWS cloud systems hold the entire PAN-DB and are updated as new URLs are identified. The PAN-DB cloud service supports an automated mechanism to update the firewall's local URL database if the version does not match. Each time the firewall queries the cloud servers for URL lookups, it also checks for critical updates. If there have been no queries to the cloud servers for more than 30 minutes, the firewall checks for updates on the cloud systems.
The cloud system also provides a mechanism to submit URL category change requests. This is performed through the Test A Site service and is available directly from the firewall (URL Filtering profile setup) and from the Palo Alto Networks Test A Site website. You can also submit a URL categorization change request directly from the URL Filtering log on the firewall, in the log details section.
See Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud for information on the private cloud.

Management Plane (MP) URL Cache: When you activate PAN-DB on the firewall, the firewall downloads a seed database from one of the PAN-DB cloud servers to initially populate the local cache for improved lookup performance. Each regional seed database contains the top URLs for the region, and the size of the seed database (number of URL entries) also depends on the platform. The URL MP cache is automatically written to the firewall's local drive every eight hours, before the firewall is rebooted, or when the cloud upgrades the URL database version on the firewall. After rebooting the firewall, the file that was saved to the local drive is loaded into the MP cache. A least recently used (LRU) mechanism is also implemented in the URL MP cache in case the cache is full: if the cache becomes full, the URLs that have been accessed the least are replaced by the newer URLs.

Dataplane (DP) URL Cache: This is a subset of the MP cache and is a customized, dynamic URL database that is stored in the dataplane (DP) and is used to improve URL lookup performance. The URL DP cache is cleared at each firewall reboot. The number of URLs that are stored in the URL DP cache varies by hardware platform and the current URLs stored in the TRIE (data structure). A least recently used (LRU) mechanism is implemented in the DP cache in case the cache is full: if the cache becomes full, the URLs that have been accessed the least are replaced by the newer URLs. Entries in the URL DP cache expire after a specified period of time, and the expiration period cannot be changed by the administrator.
PAN-DB URL Categorization Workflow

When a user attempts to access a URL and the URL category needs to be determined, the firewall compares the URL with the following components, in order, until a match has been found: first the dataplane (DP) URL cache, then the management plane (MP) URL cache, and finally the PAN-DB cloud service.

If a URL query matches an expired entry in the URL DP cache, the cache responds with the expired category but also sends a URL categorization query to the management plane. This is done to avoid unnecessary delays in the DP, on the assumption that categories change infrequently. Similarly, in the URL MP cache, if a URL query from the DP matches an expired entry in the MP, the MP responds to the DP with the expired category and also sends a URL categorization request to the cloud service. Upon getting the response from the cloud, the firewall resends the updated response to the DP.

As new URLs and categories are defined, or if critical updates are needed, the cloud database is updated. Each time the firewall queries the cloud for a URL lookup, or if no cloud lookups have occurred for 30 minutes, the database versions on the firewall and in the cloud are compared, and if they do not match, an incremental update is performed.
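The following simulation is an added example, not firewall code, of the lookup workflow just described: a dataplane tier and a management-plane tier, each an LRU cache with expiring entries, in front of a stand-in for the cloud service. An expired entry is answered immediately with its old category while a refresh is queued, exactly the stale-while-refresh behaviour the text describes. Cache sizes, TTLs, the sample URLs and the cloud's answers are constructed for the example; the real expiry period is fixed by the firewall and not configurable.

```python
"""Two-tier URL category lookup: DP cache, MP cache, then cloud, with stale answers.

Added example, not firewall code. TierCache is a capacity-bounded LRU with
per-entry expiry; Resolver chains two of them in front of a constructed cloud.
Time is passed in explicitly so the behaviour is deterministic.
"""
from collections import OrderedDict


class TierCache:
    def __init__(self, capacity, ttl):
        self.capacity, self.ttl = capacity, ttl
        self.entries = OrderedDict()          # url -> (category, expires_at)

    def get(self, url, now):
        """Return (category, fresh) or None if the URL is absent."""
        if url not in self.entries:
            return None
        cat, exp = self.entries.pop(url)
        self.entries[url] = (cat, exp)        # re-insert: most recently used
        return cat, now < exp

    def put(self, url, cat, now):
        if url in self.entries:
            self.entries.pop(url)
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # evict least recently used
        self.entries[url] = (cat, now + self.ttl)


class Resolver:
    def __init__(self, cloud, dp_capacity=2, dp_ttl=60, mp_capacity=100, mp_ttl=600):
        self.cloud = cloud                    # constructed stand-in for the PAN-DB cloud
        self.dp = TierCache(dp_capacity, dp_ttl)
        self.mp = TierCache(mp_capacity, mp_ttl)
        self.cloud_queries = 0
        self.pending = []                     # URLs whose refresh is still outstanding

    def lookup(self, url, now):
        """Return (category, source); source names the tier that answered."""
        hit = self.dp.get(url, now)
        if hit:
            cat, fresh = hit
            if not fresh:
                self.pending.append(url)      # serve the stale category, refresh later
            return cat, "dp" if fresh else "dp-stale"
        hit = self.mp.get(url, now)
        if hit:
            cat, fresh = hit
            if not fresh:
                self.pending.append(url)
            self.dp.put(url, cat, now)        # populate the DP with the MP's answer
            return cat, "mp" if fresh else "mp-stale"
        cat = self._query_cloud(url)
        self.mp.put(url, cat, now)
        self.dp.put(url, cat, now)
        return cat, "cloud"

    def _query_cloud(self, url):
        self.cloud_queries += 1
        return self.cloud.get(url, "unknown")  # not in the database yet

    def refresh(self, now):
        """Complete queued refreshes: ask the cloud and push the answer into both tiers."""
        for url in self.pending:
            cat = self._query_cloud(url)
            self.mp.put(url, cat, now)
            self.dp.put(url, cat, now)
        self.pending = []


# Constructed cloud contents for the example.
CLOUD = {
    "www.example.com": "business-and-economy",
    "mail.example.net": "web-based-email",
}

if __name__ == "__main__":
    r = Resolver(CLOUD)
    for t, url in ((0, "www.example.com"), (10, "www.example.com"), (70, "www.example.com")):
        print(t, url, r.lookup(url, t))
    r.refresh(70)
    print("cloud queries so far:", r.cloud_queries)
```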
Enable a URL Filtering Vendor

To enable URL filtering on a firewall, you must purchase and activate a URL Filtering license for one of the supported URL Filtering vendors and then install the database for the vendor you selected.

Starting with PAN-OS 6.0, firewalls managed by Panorama do not need to be running the same URL filtering vendor that is configured on Panorama. For firewalls running PAN-OS 6.0 or later, when a mismatch is detected between the vendor enabled on the firewalls and the vendor enabled on Panorama, the firewalls can automatically migrate URL categories and/or URL Filtering profiles to (one or more) categories that align with those of the vendor enabled on them. For guidance on how to configure URL Filtering on Panorama if you are managing firewalls running different PAN-OS versions, refer to the Panorama Administrator's Guide.

If you have valid licenses for both PAN-DB and BrightCloud, activating the PAN-DB license automatically deactivates the BrightCloud license (and vice versa). Only one URL filtering license can be active on a firewall at a time.

- Enable PAN-DB URL Filtering
- Enable BrightCloud URL Filtering

Enable PAN-DB URL Filtering

Enable BrightCloud URL Filtering
Determine URL Filtering Policy Requirements

The recommended practice for deploying URL filtering in your organization is to start with a passive URL Filtering profile that alerts on most categories. After setting the alert action, you can monitor user web activity for a few days to determine patterns in web traffic. After doing so, you can make decisions on the websites and website categories that should be controlled.

In the procedure that follows, threat-prone sites are set to block and the other categories are set to alert, which causes all website traffic to be logged. This may potentially create a large amount of log data, so it is best to do this for initial monitoring purposes to determine the types of websites your users are accessing. After determining the categories that your company approves of, those categories should then be set to allow, which does not generate logs. You can also reduce URL Filtering logs by enabling the Log container page only option in the URL Filtering profile, so only the main page that matches the category is logged, not subsequent pages/categories that may be loaded within the container page.

If you subscribe to third-party URL feeds and want to secure your users from emerging threats, see Use an External Dynamic List in a URL Filtering Profile.

Configure and Apply a Passive URL Filtering Profile

Use an External Dynamic List in a URL Filtering Profile

An External Dynamic List is a text file that is hosted on an external web server. You can use this list to import URLs and enforce policy on these URLs. When you update the list on the web server, the firewall retrieves the changes and applies policy to the modified list without requiring a commit on the firewall.

For more information, see External Dynamic List and Enforce Policy on Entries in an External Dynamic List.

Use an External Dynamic List with URLs in a URL Filtering Profile
Monitor Web Activity

The ACC, URL Filtering logs and reports show all user web activity for URL categories that are set to alert, block, continue, or override. By monitoring the logs, you can gain a better understanding of the web activity of your user base to determine a web access policy.

The following topics describe how to monitor web activity:
- Monitor Web Activity of Network Users
- View the User Activity Report
- Configure Custom URL Filtering Reports

Monitor Web Activity of Network Users

You can use the ACC and the URL Filtering reports and logs that are generated on the firewall to track user activity.

For a quick view of the most common categories users access in your environment, check the ACC widgets. Most widgets in the Network Activity tab allow you to sort on URLs. For example, in the Application Usage widget you can see that the networking category is the most accessed category, followed by encrypted-tunnel and ssl. You can also view the list of Threat Activity and Blocked Activity sorted on URLs.

From the ACC, you can directly Jump to the Logs, or you can navigate to Monitor > Logs > URL Filtering to view the URL Filtering logs. The following bullet points show examples of the URL Filtering logs:
- Alert log: In this log, the category is shopping and the action is alert.
- Block log: In this log, the category malware was set to block, so the action is block-url and the user will see a response page indicating that the website was blocked.
- Alert log on encrypted website: In this example, the category is social-networking and the application is facebook-base, which is required to access the Facebook website and other Facebook applications. Because facebook.com is always encrypted using SSL, the traffic was decrypted by the firewall, which allows the website to be recognized and controlled if needed.

You can also add several other columns to your URL Filtering log view, such as to and from zone, content type, and whether or not a packet capture was performed. To modify which columns are displayed, click the down arrow in any column and select the attribute to display.

To view the complete log details and/or request a category change for the URL that was accessed, click the log details icon in the first column of the log.

To generate predefined URL Filtering reports on URL categories, URL users, websites accessed, blocked categories, and more, select Monitor > Reports and under the URL Filtering Reports section select one of the reports. The reports are based on a 24-hour period, and the day is selected by choosing a day in the calendar section. You can also export the report to PDF, CSV, or XML.
View the User Activity Report
This report provides a quick method of viewing user or group activity and also provides an option to view browse time activity.
Generate a User Activity Report
Step 1 Configure a User Activity Report.
1. Select Monitor > PDF Reports > User Activity Report.
2. Enter a report Name and select the report type. Select User to generate a report for one person, or select Group for a group of users.
You must Enable User-ID in order to be able to select user or group names. If User-ID is not configured, you can select the type User and enter the IP address of the user's computer.
3. Enter the Username/IP address for a user report or enter the group name for a user group report.
4. Select the time period. You can select an existing time period, or select Custom.
5. Select the Include Detailed Browsing check box, so browsing information is included in the report.
3. After the report is downloaded, click Cancel and then click OK to save the report.
Step 3 View the user activity report by opening the PDF file that was downloaded. The top of the report will contain a table of contents similar to the following:
Configure Custom URL Filtering Reports
To generate a detailed report that can also be scheduled, you can configure a custom report and select from a list of all available URL filtering log fields.
Configure a Custom URL Filtering Report
Configure URL Filtering
After you Determine URL Filtering Policy Requirements, you should have a basic understanding of what types of websites and website categories your users are accessing. With this information, you are now ready to create custom URL filtering profiles and attach them to the security policy rule(s) that allow web access.
Configure Website Controls
Customize the URL Filtering Response Pages
The firewall provides three predefined URL Filtering Response Pages that display by default when a user attempts to browse to a site in a category that is configured with one of the block actions in the URL Filtering Profile (block, continue, or override) or when Safe Search Enforcement blocks a search attempt. However, you can create your own custom response pages with your corporate branding, acceptable use policies, and links to your internal resources as follows:
Customize the URL Filtering Response Pages
Configure URL Admin Override
In some cases there may be URL categories that you want to block, but allow certain individuals to browse to on occasion. In this case, you would set the category action to override and define a URL admin override password in the firewall Content-ID configuration. When users attempt to browse to the category, they will be required to provide the override password before they are allowed access to the site. Use the following procedure to configure URL admin override:
Configure URL Admin Override
Enable Safe Search Enforcement
Many search engines have a safe search setting that filters out adult images and videos for search query return traffic. You can configure Safe Search Enforcement on the Palo Alto Networks next-generation firewall to prevent search requests that do not have the strictest safe search settings enabled.
The Safe Search Enforcement for Google and YouTube Searches using a Virtual IP Address is not compatible with Safe Search Enforcement on the firewall.
There are two ways to enforce Safe Search on the firewall:
- Block Search Results that are not Using Strict Safe Search Settings
- Enable Transparent Safe Search Enforcement
Block Search Results that are not Using Strict Safe Search Settings
By default, when you enable safe search enforcement, when a user attempts to perform a search without using the strictest safe search settings, the firewall will block the search query results and display the URL Filtering Safe Search Block Page. This page provides a link to the search settings page for the corresponding search provider so that the end user can enable the safe search settings. If you plan to use this default method for enforcing safe search, you should communicate the policy to your end users prior to deploying the policy. See Table: Search Provider Safe Search Settings for details on how each search provider implements safe search. The default URL Filtering Safe Search Block Page provides a link to the search settings for the corresponding search provider. You can optionally Customize the URL Filtering Response Pages.
Alternatively, to enable safe search enforcement so that it is transparent to your end users, configure the firewall to Enable Transparent Safe Search Enforcement.
Enable Safe Search Enforcement
4. Use the link in the block page to go to the search settings for the search provider and set the safe search setting back to the strictest setting (Strict in the case of Bing) and then click Save.
5. Perform a search again from Bing and verify that the filtered search results display instead of the block page.
Enable Transparent Safe Search Enforcement
If you want to enforce filtering of search query results with the strictest safe search filters, but you don't want your end users to have to manually configure the settings, you can enable transparent safe search enforcement as follows. This functionality is supported on Google, Yahoo, and Bing search engines only and requires Content Release version 475 or later.
Enable Transparent Safe Search Enforcement
Step 4 Edit the URL Filtering Safe Search Block Page, replacing the existing code with the JavaScript for rewriting search query URLs to enforce safe search transparently.
1. Select Device > Response Pages > URL Filtering Safe Search Block Page.
2. Select Predefined and then click Export to save the file locally.
3. Use an HTML editor and replace all of the existing block page text with the following text and then save the file:
For a script that you can copy and paste, go here.
<html>
<head>
<title>Search Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta name="viewport" content="initial-scale=1.0">
<style>
#content {
border: 3px solid #aaa;
background-color: #fff;
margin: 1.5em;
padding: 1.5em;
font-family: Tahoma, Helvetica, Arial, sans-serif;
font-size: 1em;
}
h1 {
font-size: 1.3em;
font-weight: bold;
color: #196390;
}
b {
font-weight: normal;
color: #196390;
}
</style>
</head>
<body bgcolor="#e7e8e9">
<h1>Search Blocked</h1>
<p><b>User:</b> <user/> </p>
<p>Your search results have been blocked because your search settings are not in accordance with company policy. In order to continue, please update your search settings so that Safe Search is set to the strictest setting. If you are currently logged into your account, please also lock Safe Search and try your search again.</p>
<p>For more information, please refer to: <a href="<ssurl/>"><ssurl/></a></p>
<p id="java_off"> Please enable JavaScript in your browser.<br></p>
<p><b>Please contact your system administrator if you believe this message is in error.</b></p>
<script>
// The firewall substitutes the URL of the blocked search for the <url/> variable when it serves this page.
var s_u = "<url/>";
//bing
// Matches the forward slashes in the beginning, anything, then ".bing." then anything followed by a non greedy slash. Hopefully the first forward slash.
var b_a = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
if (b_a) {
  // Bing's safe search parameter is adlt; its strictest value is strict.
  s_u = s_u.replace(/&adlt=[^&]*/ig,"");
  s_u = s_u + "&adlt=strict";
  window.location.replace(s_u);
  document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
//google
// Matches the forward slashes in the beginning, anything, then ".google." then anything followed by a non greedy slash. Hopefully the first forward slash.
var g_a = /^.*\/\/(.+\.google\..+?)\//.exec(s_u);
if (g_a) {
  // Google's safe search parameter is safe; active is the strict setting.
  s_u = s_u.replace(/&safe=off/ig,"");
  s_u = s_u + "&safe=active";
  window.location.replace(s_u);
  document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
//yahoo
// Matches the forward slashes in the beginning, anything, then ".yahoo." then anything followed by a non greedy slash. Hopefully the first forward slash.
var y_a = /^.*\/\/(.+\.yahoo\..+?)\//.exec(s_u);
if (y_a) {
  // Yahoo's safe search parameter is vm; r is the strict setting.
  s_u = s_u.replace(/&vm=p/ig,"");
  s_u = s_u + "&vm=r";
  window.location.replace(s_u);
  document.getElementById("java_off").innerHTML = 'You are being redirected to a safer search!';
}
// Clear the "enable JavaScript" hint now that the script has run.
document.getElementById("java_off").innerHTML = ' ';
</script>
</body>
</html>
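The rewrite that the block page script performs, as an added example that is not the page's script and not Palo Alto Networks code: a pure function you can run offline in Node.js to see where the firewall-served page would redirect a given blocked search URL. It assumes the WHATWG URL API, treats Bing's adlt=strict as the strictest Bing setting (an assumption; the page's extracted script only shows the Google and Yahoo parameters), and, unlike the page's string append, also handles a safe search parameter that is the first one in the query.

```javascript
// Added example: an offline model of the transparent safe search rewrite the block page
// script performs. Not the firewall's code. The Bing parameter (adlt=strict) is an
// assumption taken from Bing's documented safe search setting; the page only shows the
// Google (safe=active) and Yahoo (vm=r) parameters.
const PROVIDERS = [
  { name: 'bing',   host: /(^|\.)bing\./i,   param: 'adlt', strict: 'strict' },
  { name: 'google', host: /(^|\.)google\./i, param: 'safe', strict: 'active' },
  { name: 'yahoo',  host: /(^|\.)yahoo\./i,  param: 'vm',   strict: 'r' },
];

// Returns { provider, url, changed }. `url` is where the block page would send the
// browser; `changed` is false when the query already carries the strictest setting or
// when the host is not a supported search provider (the page then shows its message).
function rewriteSafeSearch(blockedUrl) {
  let u;
  try {
    u = new URL(blockedUrl);
  } catch (e) {
    return { provider: null, url: blockedUrl, changed: false };
  }
  const p = PROVIDERS.find((x) => x.host.test(u.hostname));
  if (!p) return { provider: null, url: blockedUrl, changed: false };
  if (u.searchParams.get(p.param) === p.strict) {
    return { provider: p.name, url: blockedUrl, changed: false };
  }
  // Drop every existing copy of the parameter (safe=off whether or not it is the first
  // parameter, adlt=moderate, vm=p, ...) and append the strict value exactly once.
  u.searchParams.delete(p.param);
  u.searchParams.set(p.param, p.strict);
  return { provider: p.name, url: u.toString(), changed: true };
}

// What the block page does with the result: redirect, or leave its static text on screen.
function blockPageAction(blockedUrl) {
  const r = rewriteSafeSearch(blockedUrl);
  return r.changed ? 'redirect:' + r.url : 'display-block-page';
}

// Constructed sample URLs, standing in for what the firewall substitutes for <url/>.
if (typeof require !== 'undefined' && require.main === module) {
  for (const s of [
    'https://www.google.com/search?safe=off&q=kittens',
    'https://search.yahoo.com/search?p=kittens&vm=p',
    'https://www.bing.com/search?q=kittens&adlt=strict',
    'https://duckduckgo.com/?q=kittens',
  ]) console.log(blockPageAction(s));
}
```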
Set Up the PAN-DB Private Cloud
Use the following section to deploy one or more M-500 appliances as a PAN-DB private cloud within your network or data center and Configure the Firewalls to Access the PAN-DB Private Cloud.
Set up the PAN-DB Private Cloud
3. Use the following command to check the version of the cloud database on the appliance:
show pan-url-cloud-status
Cloud status: Up
URL database version: 20150417-220
Step 7 Configure the Firewalls to Access the PAN-DB Private Cloud.
Configure the Firewalls to Access the PAN-DB Private Cloud
When using the PAN-DB public cloud, each firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect for URL lookups. With the PAN-DB private cloud, you must configure the firewalls with a (static) list of your PAN-DB private cloud servers that will be used for URL lookups. The list can contain up to 20 entries; IPv4 addresses, IPv6 addresses, and FQDNs are supported. Each entry on the list (IP address or FQDN) must be assigned to the management port and/or eth1 of the PAN-DB server.
Configure the Firewalls to Access the PAN-DB Private Cloud
Step 1 Pick one of the following options based on the PAN-OS version on the firewall.
a. For firewalls running PAN-OS 7.0, access the PAN-OS CLI or the web interface on the firewall.
Use the following CLI command to configure access to the private cloud:
set deviceconfig setting pan-url-db cloud-static-list <IP addresses> enable
Or, in the web interface for each firewall:
1. Select Device > Setup > Content-ID and edit the URL Filtering section.
2. Enter the PAN-DB Server IP address(es) or FQDN(s). The list must be comma-separated.
b. For firewalls running PAN-OS 5.0, 6.0, or 6.1, use the following CLI command to configure access to the private cloud:
debug device-server pan-url-db cloud-static-list enable <IP addresses> enable
Step 2 Commit your changes.
Step 3 To verify that the change is effective, use the following CLI command on the firewall:
show url-cloud-status
Cloud status: Up
URL database version: 20150417-220
To delete the entries for the private PAN-DB servers, and allow the firewalls to connect to the PAN-DB public cloud, use the command:
set deviceconfig setting pan-url-db cloud-static-list <IP addresses> disable
When you delete the list of private PAN-DB servers, a re-election process is triggered on the firewall. The firewall first checks for the list of PAN-DB private cloud servers and when it cannot find one, the firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect.
URL Filtering Use Case Examples
The following use cases show how to use App-ID to control a specific set of web-based applications and how to use URL categories as match criteria in a policy. When working with App-ID, it is important to understand that each App-ID signature may have dependencies that are required to fully control an application. For example, with Facebook applications, the App-ID facebook-base is required to access the Facebook website and to control other Facebook applications. For example, to configure the firewall to control Facebook email, you would have to allow the App-IDs facebook-base and facebook-mail. As another example, if you search Applipedia (the App-ID database) for LinkedIn, you will see that in order to control LinkedIn mail, you need to apply the same action to both App-IDs: linkedin-base and linkedin-mail. To determine application dependencies for App-ID signatures, visit Applipedia, search for the given application, and then click the application for details.
The User-ID feature is required to implement policies based on users and groups and a Decryption policy is required to identify and control websites that are encrypted using SSL/TLS.
This section includes two use cases:
- Use Case: Control Web Access
- Use Case: Use URL Categories for Policy Matching
Use Case: Control Web Access
When using URL filtering to control user website access, there may be instances where granular control is required for a given website. In this use case, a URL filtering profile is applied to the security policy that allows web access for your users and the social-networking URL category is set to block, but the allow list in the URL profile is configured to allow the social networking site Facebook. To further control Facebook, the company policy also states that only marketing has full access to Facebook and all other users within the company can only read Facebook posts and cannot use any other Facebook applications, such as email, posting, chat, and file sharing. To accomplish this requirement, App-ID must be used to provide granular control over Facebook.
The first security rule will allow marketing to access the Facebook website as well as all Facebook applications. Because this allow rule will also allow access to the Internet, threat prevention profiles are applied to the rule, so traffic that matches the policy will be scanned for threats. This is important because the allow rule is terminal and will not continue to check other rules if there is a traffic match.
Control Web Access
3. Click OK to save the profile.
3. Click OK to save.
7. Click OK to save the security profile.
8. Ensure that this new deny rule is listed after the marketing allow rule, to ensure that rule processing occurs in the correct order to allow marketing users and then to deny/limit all other users.
9. Click Commit to save the configuration.
With these security policy rules in place, any user who is part of the marketing group will have full access to all Facebook applications and any user that is not part of the marketing group will only have read-only access to the Facebook website and will not be able to use Facebook applications such as post, chat, email, and file sharing.
Use Case: Use URL Categories for Policy Matching
URL categories can also be used as match criteria in the following policy types: Captive Portal, Decryption, Security, and QoS. In this use case, URL categories will be used in Decryption policy rules to control which web categories should be decrypted or not decrypted. The first rule is a no-decrypt rule that will not decrypt user traffic if the website category is financial-services or health-and-medicine and the second rule will decrypt all other traffic. The decryption policy type is ssl-forward-proxy, which is used for controlling decryption for all outbound connections performed by users.
Configure a Decryption Policy Based on URL Category
8. Click OK to save the policy rule.
certificate verification, unsupported mode checks and failure checks for the SSL traffic. See Configure SSL Forward Proxy for more details.
6. Ensure that this new decryption rule is listed after the no-decrypt rule to ensure that rule processing occurs in the correct order, so websites in the financial-services and health-and-medicine categories are not decrypted.
7. Click OK to save the policy rule.
With these two decrypt policies in place, any traffic destined for the financial-services or health-and-medicine URL categories will not be decrypted. All other traffic will be decrypted.
Now that you have a basic understanding of the powerful features of URL filtering, App-ID, and User-ID, you can apply similar policies to your firewall to control any application in the Palo Alto Networks App-ID signature database and control any website contained in the URL filtering database.
For help in troubleshooting URL filtering issues, see Troubleshoot URL Filtering.
Troubleshoot URL Filtering
The following topics provide troubleshooting guidelines for diagnosing and resolving common URL filtering problems.
- Problems Activating PAN-DB
- PAN-DB Cloud Connectivity Issues
- URLs Classified as Not-Resolved
- Incorrect Categorization
- URL Database Out of Date
Problems Activating PAN-DB
The following table describes procedures that you can use to resolve issues with activating PAN-DB.
Troubleshoot PAN-DB Activation Issues
Step 1 Access the PAN-OS CLI.
Step 2 Verify whether PAN-DB has been activated by running the following command:
admin@PA-200> show system setting url-database
If the response is paloaltonetworks, then PAN-DB is the active vendor.
Step 3 Verify that the firewall has a valid PAN-DB license by running the following command:
admin@PA-200> request license info
You should see the license entry Feature: PAN_DB URL Filtering. If the license is not installed, you will need to obtain and install a license. See Configure URL Filtering.
Step 4 After the license is installed, download a new PAN-DB seed database by running the following command:
admin@PA-200> request url-filtering download paloaltonetworks region <region>
3. Check the download status by running the following command:
admin@PA-200> request url-filtering download status vendor paloaltonetworks
If the message is different from PAN-DB download: Finished successfully, stop here; there may be a problem connecting to the cloud. Attempt to solve the connectivity issue by performing basic network troubleshooting between the firewall and the Internet. For more information, see PAN-DB Cloud Connectivity Issues.
If the message is PAN-DB download: Finished successfully, the firewall successfully downloaded the URL seed database. Try to enable PAN-DB again by running the following command:
admin@PA-200> set system setting url-database paloaltonetworks
4. If the problems persist, contact Palo Alto Networks Customer Support.
PAN-DB Cloud Connectivity Issues
To check cloud connectivity, run the following command:
admin@pa-200> show url-cloud status
If the cloud is accessible, the expected response is similar to the following:
admin@PA-200> show url-cloud status
PAN-DB URL Filtering
License : valid
Current cloud server : s0000.urlcloud.paloaltonetworks.com
Cloud connection : connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
If the cloud is not accessible, the expected response is similar to the following:
admin@PA-200> show url-cloud status
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
The following table describes procedures that you can use to resolve issues based on the output of the show url-cloud status command, how to ping the URL cloud servers, and what to check if the firewall is in a High Availability (HA) configuration.
Troubleshoot Cloud Connectivity Issues
- PAN-DB URL Filtering license field shows invalid: Obtain and install a valid PAN-DB license.
- URL database status is out of date: Download a new seed database by running the following command:
admin@pa-200> request url-filtering download paloaltonetworks region <region>
- URL protocol version shows not compatible: Upgrade PAN-OS to the latest version.
- Attempt to ping the PAN-DB cloud server from the firewall by running the following command:
admin@pa-200> ping source <ip-address> host s0000.urlcloud.paloaltonetworks.com
For example, if your management interface IP address is 10.1.1.5, run the following command:
admin@pa-200> ping source 10.1.1.5 host s0000.urlcloud.paloaltonetworks.com
- If the firewall is in an HA configuration, verify that the HA state of the firewalls supports connectivity to the cloud systems. You can determine the HA state by running the following command:
admin@pa-200> show high-availability state
Connection to the cloud will be blocked if the firewall is not in one of the following states:
active
active-primary
active-secondary
- If the problem persists, contact Palo Alto Networks support.
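The triage in the table above, written out as an added example (not PAN-OS code): it parses the text of show url-cloud status into fields and reports, for every field whose value is not the healthy one the table expects, the remediation the table prescribes. The sample outputs are constructed from the page's values (real output keeps each field on one line); the "healthy" values are assumed to be exactly valid, good, compatible and connected.

```javascript
// Added example, not PAN-OS code: map `show url-cloud status` output to the remediation
// the troubleshooting table prescribes. Samples are constructed from the page's values.
const SAMPLE_OK = [
  'PAN-DB URL Filtering',
  'License : valid',
  'Current cloud server : s0000.urlcloud.paloaltonetworks.com',
  'Cloud connection : connected',
  'URL database version - device : 2013.11.18.000',
  'URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19 13:20:51 )',
  'URL database status : good',
  'URL protocol version - device : pan/0.0.2',
  'URL protocol version - cloud : pan/0.0.2',
  'Protocol compatibility status : compatible',
].join('\n');

// Constructed failing sample: lapsed license, stale seed database, incompatible
// protocol and an unreachable cloud, all at once.
const SAMPLE_BAD = [
  'PAN-DB URL Filtering',
  'License : invalid',
  'Cloud connection : not connected',
  'URL database version - device : 2013.08.01.000',
  'URL database status : out of date',
  'URL protocol version - device : pan/0.0.2',
  'Protocol compatibility status : not compatible',
].join('\n');

// Split "key : value" lines on the first " : " so the colons inside the
// "last update time" timestamp stay in the value. Lines without " : " are skipped.
function parseCloudStatus(text) {
  const fields = {};
  for (const line of text.split('\n')) {
    const m = /^(.+?)\s+:\s+(.*)$/.exec(line.trim());
    if (m) fields[m[1]] = m[2];
  }
  return fields;
}

// [field, value the table treats as healthy, action the table prescribes otherwise]
const CHECKS = [
  ['License', 'valid', 'Obtain and install a valid PAN-DB license'],
  ['URL database status', 'good',
    'request url-filtering download paloaltonetworks region <region>'],
  ['Protocol compatibility status', 'compatible', 'Upgrade PAN-OS to the latest version'],
  ['Cloud connection', 'connected',
    'ping source <ip-address> host s0000.urlcloud.paloaltonetworks.com; ' +
    'if in HA, confirm show high-availability state is active, active-primary or active-secondary'],
];

// Returns one finding per unhealthy field, in the table's order; an empty array means
// the output matches the "cloud is accessible" sample.
function triageCloudStatus(text) {
  const fields = parseCloudStatus(text);
  const findings = [];
  for (const [field, healthy, action] of CHECKS) {
    const value = fields[field] || 'missing';
    if (value !== healthy) findings.push(`${field}: ${value} -> ${action}`);
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('healthy output:', triageCloudStatus(SAMPLE_OK));
  console.log('failing output:', triageCloudStatus(SAMPLE_BAD));
}
```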
URLs Classified as Not-Resolved
The following table describes procedures you can use to resolve issues where some or all of the URLs being identified by PAN-DB are classified as not-resolved:
Troubleshoot URLs Classified as Not-Resolved
Step 1 Check the PAN-DB cloud connection by running the following command:
admin@PA-200> show url-cloud status
The Cloud connection: field should show connected. If you see anything other than connected, any URL that does not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB Cloud Connectivity Issues.
Step 2 If the cloud connection status shows connected, check the current utilization of the firewall. If firewall utilization is spiking, URL requests may be dropped (may not reach the management plane), and will be categorized as not-resolved.
To view system resources, run the following command and view the %CPU and %MEM columns:
admin@PA-200> show system resources
You can also view system resources from the firewall's web interface by clicking the Dashboard tab and viewing the System Resources section.
Step 3 If the problem persists, contact Palo Alto Networks support.
Incorrect Categorization
The following steps describe the procedures you can use if you identify a URL that does not have the correct categorization. For example, if the URL paloaltonetworks.com was categorized as alcohol-and-tobacco, the categorization is not correct; the category should be computer-and-internet-info.
Troubleshoot Incorrect Categorization Issues
Step 1 Verify the category in the dataplane by running the following command:
admin@PA-200> show running url <URL>
For example, to view the category for the Palo Alto Networks website, run the following command:
admin@PA-200> show running url paloaltonetworks.com
If the URL stored in the dataplane cache has the correct category (computer-and-internet-info in this example), then the categorization is correct and no further action is required. If the category is not correct, continue to the next step.
Step 2 Verify the category in the management plane by running the command:
admin@PA-200> test url-info-host <URL>
For example:
admin@PA-200> test url-info-host paloaltonetworks.com
If the URL stored in the management plane cache has the correct category, remove the URL from the dataplane cache by running the following command:
admin@PA-200> clear url-cache url <URL>
The next time the firewall requests the category for this URL, the request will be forwarded to the management plane. This will resolve the issue and no further action is required. If this does not solve the issue, go to the next step to check the URL category on the cloud systems.
Step 3 Verify the category in the cloud by running the following command:
admin@PA-200> test url-info-cloud <URL>
Step 4 If the URL stored in the cloud has the correct category, remove the URL from the dataplane and the management plane caches.
Run the following command to delete a URL from the dataplane cache:
admin@PA-200> clear url-cache url <URL>
Run the following command to delete a URL from the management plane cache:
admin@PA-200> delete url-database url <URL>
The next time the firewall queries for the category of the given URL, the request will be forwarded to the management plane and then to the cloud. This should resolve the category lookup issue. If problems persist, see the next step to submit a categorization change request.
Step 5 To submit a change request from the web interface, go to the URL log and select the log entry for the URL you would like to have changed.
URL Database Out of Date
If you have observed through the syslog or the CLI that PAN-DB is out of date, it means that the connection from the firewall to the URL Cloud is blocked. This usually occurs when the URL database on the firewall is too old (version difference is more than three months) and the cloud cannot update the firewall automatically. In order to resolve this issue, you will need to re-download an initial seed database from the cloud (this operation is not blocked). This will result in an automatic re-activation of PAN-DB.
To manually update the database, perform one of the following steps:
- From the web interface, select Device > Licenses and in the PAN-DB URL Filtering section click the Re-Download link.
- From the CLI, run the following command:
admin@PA-200> request url-filtering download paloaltonetworks region <region_name>
Re-downloading the seed database causes the URL cache in the management plane and dataplane to be purged. The management plane cache will then be repopulated with the contents of the new seed database.
QoS Overview
Use QoS to prioritize and adjust quality aspects of network traffic. You can assign the order in which packets are handled and allot bandwidth, ensuring preferred treatment and optimal levels of performance are afforded to selected traffic, applications, and users.
Service quality measurements subject to a QoS implementation are bandwidth (maximum rate of transfer), throughput (actual rate of transfer), latency (delay), and jitter (variance in latency). The capability to shape and control these service quality measurements makes QoS of particular importance to high-bandwidth, real-time traffic such as voice over IP (VoIP), video conferencing, and video-on-demand that has a high sensitivity to latency and jitter. Additionally, use QoS to achieve outcomes such as the following:
- Prioritize network and application traffic, guaranteeing high priority to important traffic or limiting non-essential traffic.
- Achieve equal bandwidth sharing among different subnets, classes, or users in a network.
- Allocate bandwidth externally or internally or both, applying QoS to both upload and download traffic or to only upload or download traffic.
- Ensure low latency for customer and revenue-generating traffic in an enterprise environment.
- Perform traffic profiling of applications to ensure bandwidth usage.
QoS implementation on a Palo Alto Networks firewall begins with three primary configuration components that support a full QoS solution: a QoS Profile, a QoS Policy, and setting up the QoS Egress Interface. Each of these options in the QoS configuration task facilitates a broader process that optimizes and prioritizes the traffic flow and allocates and ensures bandwidth according to configurable parameters.
The figure QoS Traffic Flow shows traffic as it flows from the source, is shaped by the firewall with QoS enabled, and is ultimately prioritized and delivered to its destination.
QoS Traffic Flow
The QoS configuration options allow you to control the traffic flow and define it at different points in the flow. The QoS Traffic Flow indicates where the configurable options define the traffic flow. A QoS policy rule allows you to define traffic you want to receive QoS treatment and assign that traffic a QoS class. The matching traffic is then shaped based on the QoS profile class settings as it exits the physical interface.
Each of the QoS configuration components influences the others, and the QoS configuration options can be used to create a full and granular QoS implementation or can be used sparingly with minimal administrator action.
Each firewall model supports a maximum number of ports that can be configured with QoS. Refer to the spec sheet for your firewall model or use the product comparison tool to view QoS feature support for two or more firewalls on a single page.
QoS Concepts
Use the following topics to learn about the different components and mechanisms of a QoS configuration on a Palo Alto Networks firewall:
- QoS for Applications and Users
- QoS Policy
- QoS Profile
- QoS Classes
- QoS Priority Queuing
- QoS Bandwidth Management
- QoS Egress Interface
- QoS for Clear Text and Tunneled Traffic
QoS for Applications and Users
A Palo Alto Networks firewall provides basic QoS, controlling traffic leaving the firewall according to network or subnet, and extends the power of QoS to also classify and shape traffic according to application and user. The Palo Alto Networks firewall provides this capability by integrating the features App-ID and User-ID with the QoS configuration. App-ID and User-ID entries that exist to identify specific applications and users in your network are available in the QoS configuration so that you can easily specify applications and users for which you want to manage and/or guarantee bandwidth.
QoS Policy
Use a QoS policy rule to define traffic to receive QoS treatment (either preferential treatment or bandwidth limiting) and assign such traffic a QoS class of service.
Define a QoS policy rule to match to traffic based on:
- Applications and application groups.
- Source zones, source addresses, and source users.
- Destination zones and destination addresses.
- Services and service groups limited to specific TCP and/or UDP port numbers.
- URL categories, including custom URL categories.
- Differentiated Services Code Point (DSCP) and Type of Service (ToS) values, which are used to indicate the level of service requested for traffic, such as high priority or best effort delivery.
Set up multiple QoS policy rules (Policies > QoS) to associate different types of traffic with different QoS Classes of service.
QoS Profile
Use a QoS profile rule to define values of up to eight QoS Classes contained within that single profile rule. With a QoS profile rule, you can define QoS Priority Queuing and QoS Bandwidth Management for QoS classes. Each QoS profile rule allows you to configure individual bandwidth and priority settings for up to eight QoS classes, as well as the total bandwidth allotted for the eight classes combined. Attach the QoS profile rule (or multiple QoS profile rules) to a physical interface to apply the defined priority and bandwidth settings to the traffic exiting that interface.
A default QoS profile rule is available on the firewall. The default profile rule and the classes defined in the profile do not have predefined maximum or guaranteed bandwidth limits.
To define priority and bandwidth settings for QoS classes, Add a QoS profile rule.
QoS Classes
A QoS class determines the priority and bandwidth for traffic matching a QoS Policy rule. You can use a QoS Profile rule to define QoS classes. There are up to eight definable QoS classes in a single QoS profile. Unless otherwise configured, traffic that does not match a QoS class is assigned a class of 4.
QoS Priority Queuing and QoS Bandwidth Management, the fundamental mechanisms of a QoS configuration, are configured within the QoS class definition (see Step 4). For each QoS class, you can set a priority (real-time, high, medium, and low) and the maximum and guaranteed bandwidth for matching traffic. QoS priority queuing and bandwidth management determine the order of traffic and how traffic is handled upon entering or leaving a network.
QoS Priority Queuing
One of four priorities can be enforced for a QoS class: real-time, high, medium, and low. Traffic matching a QoS policy rule is assigned the QoS class associated with that rule, and the firewall treats the matching traffic based on the QoS class priority. Packets in the outgoing traffic flow are queued based on their priority until the network is ready to process the packets. Priority queuing allows you to ensure that important traffic, applications, and users take precedence. Real-time priority is typically used for applications that are particularly sensitive to latency, such as voice and video applications.
QoS Bandwidth Management
QoS bandwidth management allows you to control traffic flows on a network so that traffic does not exceed network capacity (resulting in network congestion) and also allows you to allocate bandwidth for certain types of traffic and for applications and users. With QoS, you can enforce bandwidth for traffic on a narrow or a broad scale. A QoS profile rule allows you to set bandwidth limits for individual QoS classes and the total combined bandwidth for all eight QoS classes. As part of the steps to Configure QoS, you can attach the QoS profile rule to a physical interface to enforce bandwidth settings on the traffic exiting that interface: the individual QoS class settings are enforced for traffic matching that QoS class (QoS classes are assigned to traffic matching QoS Policy rules) and the overall bandwidth limit for the profile can be applied to all clear text traffic, specific clear text traffic originating from source interfaces and source subnets, all tunneled traffic, and individual tunnel interfaces. You can add multiple profile rules to a single QoS interface to apply varying bandwidth settings to the traffic exiting that interface.
The following fields support QoS bandwidth settings:
- Egress Guaranteed: The amount of bandwidth guaranteed for matching traffic. When the egress guaranteed bandwidth is exceeded, the firewall passes traffic on a best-effort basis. Bandwidth that is guaranteed but is unused continues to remain available for all traffic. Depending on your QoS configuration, you can guarantee bandwidth for a single QoS class, for all or some clear text traffic, and for all or some tunneled traffic.
Example:
Class 1 traffic has 5 Gbps of egress guaranteed bandwidth, which means that 5 Gbps is available but is not reserved for class 1 traffic. If Class 1 traffic does not use or only partially uses the guaranteed bandwidth, the remaining bandwidth can be used by other classes of traffic. However, during high traffic periods, 5 Gbps of bandwidth is absolutely available for class 1 traffic. During these periods of congestion, any Class 1 traffic that exceeds 5 Gbps is best effort.
- Egress Max: The overall bandwidth allocation for matching traffic. The firewall drops traffic that exceeds the egress max limit that you set. Depending on your QoS configuration, you can set a maximum bandwidth limit for a QoS class, for all or some clear text traffic, for all or some tunneled traffic, and for all traffic exiting the QoS interface.
The cumulative guaranteed bandwidth for the QoS profile rules attached to the interface must not exceed the total bandwidth allocated to the interface.
To define bandwidth settings for QoS classes, Add a QoS profile rule. To then apply those bandwidth settings to clear text and tunneled traffic, and to set the overall bandwidth limit for a QoS interface, Enable QoS on a physical interface.
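A worked model of the Egress Guaranteed and Egress Max semantics described above, as an added example that is not Palo Alto Networks code: guaranteed bandwidth is served first, traffic above a class's Egress Max is dropped, the capacity left over (including unused guarantees) is handed out as best effort, and a profile whose cumulative guaranteed bandwidth exceeds the interface total is rejected. The best-effort hand-out in priority order is an assumed simplification (the page does not describe the firewall's scheduler); figures are Mbps and the class names and demands are constructed, with class 2 mirroring the page's 2 Mbps guaranteed / 50 Mbps max example.

```javascript
// Added example, not Palo Alto Networks code: a simplified model of how Egress Guaranteed
// and Egress Max interact on one QoS interface. All figures are Mbps. Assumption: best
// effort capacity left after the guarantees is handed out in priority order; the page
// does not describe the firewall's actual scheduler.
const PRIORITY_RANK = { 'real-time': 0, high: 1, medium: 2, low: 3 };

// The page's rule: cumulative guaranteed bandwidth must not exceed the interface total.
function validateProfile(profile) {
  const sumGuaranteed = profile.classes.reduce((s, c) => s + (c.egressGuaranteed || 0), 0);
  if (sumGuaranteed > profile.egressMax) {
    throw new Error(`cumulative guaranteed ${sumGuaranteed} Mbps exceeds ` +
                    `interface egress max ${profile.egressMax} Mbps`);
  }
  return sumGuaranteed;
}

// demand: { className: Mbps offered in this interval }. Returns per-class sent / dropped
// / queued and the capacity nobody used. `dropped` is traffic above the class Egress Max
// (the firewall drops it); `queued` is best-effort traffic that did not fit.
function simulateEgress(profile, demand) {
  validateProfile(profile);
  let capacity = profile.egressMax;
  const perClass = {};
  // Pass 1: every class gets its guaranteed bandwidth, up to what it actually offers.
  for (const c of profile.classes) {
    const offered = demand[c.name] || 0;
    const withinMax = c.egressMax ? Math.min(offered, c.egressMax) : offered;
    const sent = Math.min(withinMax, c.egressGuaranteed || 0);
    perClass[c.name] = { sent, dropped: offered - withinMax, queued: withinMax - sent };
    capacity -= sent;
  }
  // Pass 2: unused guarantees and the rest of the interface are best effort, by priority.
  const byPriority = [...profile.classes].sort(
    (a, b) => PRIORITY_RANK[a.priority] - PRIORITY_RANK[b.priority]);
  for (const c of byPriority) {
    const r = perClass[c.name];
    const extra = Math.min(r.queued, capacity);
    r.sent += extra;
    r.queued -= extra;
    capacity -= extra;
  }
  return { perClass, unusedCapacity: capacity };
}

// Constructed profile on a 100 Mbps interface. class2 mirrors the page's Limit Web
// Browsing example (2 Mbps guaranteed, 50 Mbps max); class4 is the default class with
// no guarantee and no cap (egressMax 0 means unlimited here).
const EXAMPLE_PROFILE = {
  egressMax: 100,
  classes: [
    { name: 'class1', priority: 'high',   egressGuaranteed: 30, egressMax: 0 },
    { name: 'class2', priority: 'medium', egressGuaranteed: 2,  egressMax: 50 },
    { name: 'class4', priority: 'low',    egressGuaranteed: 0,  egressMax: 0 },
  ],
};
// Congested interval: 190 Mbps offered to a 100 Mbps interface.
const EXAMPLE_DEMAND = { class1: 60, class2: 80, class4: 50 };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(simulateEgress(EXAMPLE_PROFILE, EXAMPLE_DEMAND), null, 2));
}
```

Under congestion class 2 sends 40 Mbps (2 guaranteed plus 38 best effort), loses 30 Mbps to its 50 Mbps Egress Max and queues 10 Mbps, while the low-priority default class gets nothing; under light load the same profile leaves the unused guarantees to whoever needs them.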
QoS Egress Interface
Enabling a QoS profile rule on the egress interface of the traffic identified for QoS treatment completes a QoS configuration. The ingress interface for QoS traffic is the interface on which the traffic enters the firewall. The egress interface for QoS traffic is the interface that traffic leaves the firewall from. QoS is always enabled and enforced on the egress interface for a traffic flow. The egress interface in a QoS configuration can either be the external- or internal-facing interface of the firewall, depending on the flow of the traffic receiving QoS treatment.
For example, in an enterprise network, if you are limiting employees' download traffic from a specific website, the egress interface in the QoS configuration is the firewall's internal interface, as the traffic flow is from the Internet, through the firewall, and to your company network. Alternatively, when limiting employees' upload traffic to the same website, the egress interface in the QoS configuration is the firewall's external interface, as the traffic you are limiting flows from your company network, through the firewall, and then to the Internet.
See Step 3 to learn how to Identify the egress interface for applications that you want to receive QoS treatment.
QoS for Clear Text and Tunneled Traffic
At the minimum, enabling a QoS interface requires you to select a default QoS profile rule that defines bandwidth and priority settings for clear text traffic egressing the interface. However, when setting up or modifying a QoS interface, you can apply granular QoS settings to outgoing clear text traffic and tunneled traffic. QoS preferential treatment and bandwidth limiting can be enforced for tunneled traffic, for individual tunnel interfaces, and/or for clear text traffic originating from different source interfaces and source subnets. On Palo Alto Networks firewalls, tunneled traffic refers to tunnel interface traffic, specifically IPSec traffic in tunnel mode.
ConfigureQoS
FollowthesestepstoconfigureQualityofService(QoS),whichincludescreatingaQoSprofile,creatinga
QoSpolicy,andenablingQoSonaninterface.
ConfigureQoS
Clickthespyglassicontotheleftofanyentrytodisplaya
detailedlogthatincludestheapplicationsegressinterfacelisted
intheDestinationsection:
ConfigureQoS(Continued)
ConfigureQoS(Continued)
Step 4 Add a QoS profile rule.
A QoS profile rule allows you to define the eight classes of service that traffic can receive, including priority, and enables QoS Bandwidth Management. You can edit any existing QoS profile, including the default, by clicking the QoS profile name.
1. Select Network > Network Profiles > QoS Profile and Add a new profile.
2. Enter a descriptive Profile Name.
3. Set the overall bandwidth limits for the QoS profile rule:
   Enter an Egress Max value to set the overall bandwidth allocation for the QoS profile rule.
   Enter an Egress Guaranteed value to set the guaranteed bandwidth for the QoS Profile.
   Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed. Bandwidth that is guaranteed but is unused continues to remain available for all traffic.
4. In the Classes section, specify how to treat up to eight individual QoS classes:
   a. Add a class to the QoS Profile.
   b. Select the Priority for the class: real-time, high, medium, and low.
   c. Enter the Egress Max and Egress Guaranteed bandwidth for traffic assigned to each QoS class.
5. Click OK.
In the following example, the QoS profile rule Limit Web Browsing limits Class 2 traffic to a maximum bandwidth of 50 Mbps and a guaranteed bandwidth of 2 Mbps.
7. (Optional) Continue to define more granular settings to provide QoS for Clear Text and Tunneled Traffic. Settings configured on the Clear Text Traffic tab and the Tunneled Traffic tab automatically override the default profile settings for clear text and tunneled traffic on the Physical Interface tab.
   Select Clear Text Traffic and:
   - Set the Egress Guaranteed and Egress Max bandwidths for clear text traffic.
   - Click Add and apply a QoS profile rule to enforce clear text traffic based on source interface and source subnet.
   Select Tunneled Traffic and:
   - Set the Egress Guaranteed and Egress Max bandwidths for tunneled traffic.
   - Click Add and attach a QoS profile rule to a single tunnel interface.
8. Click OK.
Step 6 Commit the configuration.
Class 2 traffic limited to 2 Mbps of guaranteed bandwidth and a maximum bandwidth of 50 Mbps.
Continue to click the tabs to display further information regarding applications, source users, destination users, security rules and QoS rules.
Bandwidth limits shown on the QoS Statistics window include a hardware adjustment factor.
Configure QoS for a Virtual System
QoS can be configured for a single or several virtual systems configured on a Palo Alto Networks firewall. Because a virtual system is an independent firewall, QoS must be configured independently for a single virtual system.
Configuring QoS for a virtual system is similar to configuring QoS on a physical firewall, with the exception that configuring QoS for a virtual system requires specifying the source and destination of traffic. Because a virtual system exists without set physical boundaries and because traffic in a virtual environment spans more than one virtual system, specifying source and destination zones and interfaces for traffic is necessary to control and shape traffic for a single virtual system.
The example below shows two virtual systems configured on a firewall. VSYS1 (purple) and VSYS2 (red) each have QoS configured to prioritize or limit two distinct traffic flows, indicated by their corresponding purple (VSYS1) and red (VSYS2) lines. The QoS nodes indicate the points at which traffic is matched to a QoS policy and assigned a QoS class of service, and then later indicate the point at which traffic is shaped as it egresses the firewall.
Refer to the Virtual Systems (VSYS) tech note for information on Virtual Systems and how to configure them.
Configure QoS in a Virtual System Environment
Click any application name to display detailed application information.
Click the spyglass icon to the left of any entry to display a detailed log that includes the application's egress interface, as well as source and destination zones, in the Source and Destination sections:
For example, for web browsing traffic from VSYS1, the ingress interface is ethernet1/2, the egress interface is ethernet1/1, the source zone is trust and the destination zone is untrust.
Step 4 Create a QoS Profile.
You can edit any existing QoS Profile, including the default, by clicking the profile name.
1. Select Network > Network Profiles > QoS Profile and click Add to open the QoS Profile dialog.
2. Enter a descriptive Profile Name.
3. Enter an Egress Max to set the overall bandwidth allocation for the QoS profile.
4. Enter an Egress Guaranteed to set the guaranteed bandwidth for the QoS profile.
   Any traffic that exceeds the QoS profile's egress guaranteed limit is best effort but is not guaranteed.
5. In the Classes section of the QoS Profile, specify how to treat up to eight individual QoS classes:
   a. Click Add to add a class to the QoS Profile.
   b. Select the Priority for the class.
   c. Enter an Egress Max for a class to set the overall bandwidth limit for that individual class.
   d. Enter an Egress Guaranteed for the class to set the guaranteed bandwidth for that individual class.
6. Click OK to save the QoS profile.
4. Select Source and Add the source zone of vsys1 web browsing traffic.
5. Select Destination and Add the destination zone of vsys1 web browsing traffic.
7. Click OK to save the QoS policy rule.
Enforce QoS Based on DSCP Classification
A Differentiated Services Code Point (DSCP) is a packet header value that can be used to request (for example) high priority or best effort delivery for traffic. Session-Based DSCP Classification allows you to both honor DSCP values for incoming traffic and to mark a session with a DSCP value as session traffic exits the firewall. This enables all inbound and outbound traffic for a session to receive continuous QoS treatment as it flows through your network. For example, inbound return traffic from an external server can now be treated with the same QoS priority that the firewall initially enforced for the outbound flow, based on the DSCP value the firewall detected at the beginning of the session. Network devices between the firewall and end user will also then enforce the same priority for the return traffic (and any other outbound or inbound traffic for the session).
Different types of DSCP markings indicate different levels of service:
- Expedited Forwarding (EF): Can be used to request low loss, low latency and guaranteed bandwidth for traffic. Packets with EF codepoints are typically guaranteed highest priority delivery.
- Assured Forwarding (AF): Can be used to provide reliable delivery for applications. Packets with an AF codepoint indicate a request for the traffic to receive higher priority treatment than best effort service provides (though packets with an EF codepoint will continue to take precedence over those with an AF codepoint).
- Class Selector (CS): Can be used to provide backward compatibility with network devices that use the IP precedence field to mark priority traffic.
- IP Precedence (ToS): Can be used by legacy network devices to mark priority traffic (the IP Precedence header field was used to indicate the priority for a packet before the introduction of the DSCP classification).
- Custom Codepoint: Create a custom codepoint to match to traffic by entering a Codepoint Name and Binary Value.
For example, select Assured Forwarding (AF) to ensure traffic marked with an AF codepoint value has higher priority for reliable delivery over applications marked to receive lower priority. Use the following steps to enable Session-Based DSCP Classification. Start by configuring QoS based on DSCP marking detected at the beginning of a session. You can then continue to enable the firewall to mark the return flow for a session with the same DSCP value used to enforce QoS for the initial outbound flow.
Completing this step enables the firewall to mark traffic with the same DSCP value that was detected at the beginning of a session (in this example, the firewall would mark return traffic with the DSCP AF11 value). While configuring QoS allows you to shape traffic as it egresses the firewall, enabling this option in a security rule allows the other network devices intermediate to the firewall and the client to continue to enforce priority for DSCP-marked traffic.
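As an added example (not code from this guide or from PAN-OS), the following Python decodes the DSCP field of a ToS/Traffic Class byte into the codepoint families listed above, maps it to a QoS class through a constructed policy table, and models session-based classification where the return flow is marked with the DSCP seen at session start. The QOS_POLICY table, the custom_codepoint helper and the Session class are assumptions made for the illustration.

```python
"""Decode DSCP markings and model session-based DSCP classification.

Added example, not PAN-OS code. Codepoint values follow the standard
DSCP layout: the 6-bit field is the top six bits of the IPv4 ToS or
IPv6 Traffic Class byte; EF is 46; AFxy is 8*x + 2*y; CSx is 8*x.
"""
from dataclasses import dataclass

EF_VALUE = 46  # Expedited Forwarding, binary 101110


@dataclass(frozen=True)
class Codepoint:
    name: str    # "EF", "AF11", "CS3", "custom-xxxxxx"
    family: str  # "EF", "AF", "CS" or "custom"
    value: int   # 6-bit DSCP value (0..63)


def dscp_from_tos(tos_byte: int) -> int:
    """DSCP occupies the upper 6 bits of the byte; the low 2 bits are ECN."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    return tos_byte >> 2


def ip_precedence(tos_byte: int) -> int:
    """Legacy IP Precedence is the top 3 bits of the same byte."""
    return tos_byte >> 5


def classify_dscp(dscp: int) -> Codepoint:
    """Name a 6-bit DSCP value by its family (EF, AF, CS or custom)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if dscp == EF_VALUE:
        return Codepoint("EF", "EF", dscp)
    cls, low = dscp >> 3, dscp & 0b111  # class bits, drop-precedence bits
    if low == 0:
        # CSx shares its top three bits with IP Precedence x; CS0 is best effort.
        return Codepoint(f"CS{cls}", "CS", dscp)
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return Codepoint(f"AF{cls}{low // 2}", "AF", dscp)
    return Codepoint(f"custom-{dscp:06b}", "custom", dscp)


def custom_codepoint(name: str, binary_value: str) -> Codepoint:
    """Build a custom codepoint from a Codepoint Name and a six-digit Binary Value
    (assumed helper mirroring the Custom Codepoint option)."""
    if len(binary_value) != 6 or set(binary_value) - {"0", "1"}:
        raise ValueError("Binary Value must be six binary digits")
    return Codepoint(name, "custom", int(binary_value, 2))


# Constructed QoS policy: (codepoint name or family, QoS class); first match wins.
# It mirrors the section's example of classifying AF11 traffic as Class 1.
QOS_POLICY = [("AF11", 1), ("EF", 2), ("AF", 3), ("CS", 4)]
DEFAULT_CLASS = 4


def qos_class_for(dscp: int, policy=QOS_POLICY) -> int:
    """Return the QoS class the constructed policy assigns to a DSCP value."""
    cp = classify_dscp(dscp)
    for match, qclass in policy:
        if match in (cp.name, cp.family):
            return qclass
    return DEFAULT_CLASS


class Session:
    """Session-based DSCP classification: the DSCP seen on the first packet
    picks the QoS class, and the return flow is marked with the same value."""

    def __init__(self, first_packet_tos: int):
        self.dscp = dscp_from_tos(first_packet_tos)
        self.codepoint = classify_dscp(self.dscp)
        self.qos_class = qos_class_for(self.dscp)

    def mark_return_tos(self, tos_byte: int) -> int:
        """Rewrite the DSCP bits of a return packet, preserving its ECN bits."""
        return (self.dscp << 2) | (tos_byte & 0b11)
```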
Apply QoS Based on DSCP/ToS Marking
Before You Begin: Make sure that you have performed the preliminary steps to Configure QoS.
Step 2 Define the QoS priority for traffic to receive when it is matched to a QoS rule based on the DSCP marking detected at the beginning of a session.
1. Select Network > Network Profiles > QoS Profile and Add or modify an existing QoS profile. For details on profile options to set priority and bandwidth for traffic, see QoS Concepts and Configure QoS.
2. Add or modify a profile class. For example, because Step 1 showed steps to classify AF11 traffic as Class 1 traffic, you could add or modify a class 1 entry.
3. Select a Priority for the class of traffic, such as high.
4. Click OK to save the QoS Profile.
QoS Use Cases
The following use cases demonstrate how to use QoS in common scenarios:
- Use Case: QoS for a Single User
- Use Case: QoS for Voice and Video Applications
Use Case: QoS for a Single User
A CEO finds that during periods of high network usage, she is unable to access enterprise applications to respond effectively to critical business communications. The IT admin wants to ensure that all traffic to and from the CEO receives preferential treatment over other employee traffic so that she is guaranteed not only access to, but high performance of, critical network resources.
Apply QoS to a Single User
Step 1 The admin creates the QoS profile CEO_traffic to define how traffic originating from the CEO will be treated and shaped as it flows out of the company network:
The admin assigns a guaranteed bandwidth (Egress Guaranteed) of 50 Mbps to ensure that the CEO will have that amount of bandwidth guaranteed to her at all times (more than she would need to use), regardless of network congestion.
The admin continues by designating Class 1 traffic as high priority and sets the profile's maximum bandwidth usage (Egress Max) to 1000 Mbps, the same maximum bandwidth for the interface that the admin will enable QoS on. The admin is choosing to not restrict the CEO's bandwidth usage in any way.
It is a best practice to populate the Egress Max field for a QoS profile, even if the max bandwidth of the profile matches the max bandwidth of the interface. The QoS profile's max bandwidth should never exceed the max bandwidth of the interface you are planning to enable QoS on.
Step 2 The admin creates a QoS policy to identify the CEO's traffic (Policies > QoS) and assigns it the class that he defined in the QoS profile (see Step 1). Because User-ID is configured, the admin uses the Source tab in the QoS policy to singularly identify the CEO's traffic by her company network username. (If User-ID is not configured, the administrator could Add the CEO's IP address under Source Address. See User-ID.):
Because the admin wants to ensure that all traffic originating from the CEO is guaranteed by the QoS profile and associated QoS policy he created, he selects the CEO_traffic to apply to Clear Text traffic flowing from ethernet1/2.
He clicks Statistics to view how traffic originating with the CEO (Class 1) is being shaped as it flows from ethernet1/2:
This case demonstrates how to apply QoS to traffic originating from a single source user. However, if you also wanted to guarantee or shape traffic to a destination user, you could configure a similar QoS setup. Instead of, or in addition to, this workflow, create a QoS policy that specifies the user's IP address as the Destination Address on the Policies > QoS page (instead of specifying the user's source information, as shown in Step 2) and then enable QoS on the network's internal-facing interface on the Network > QoS page (instead of the external-facing interface, as shown in Step 3).
Use Case: QoS for Voice and Video Applications
Voice and video traffic is particularly sensitive to measurements that the QoS feature shapes and controls, especially latency and jitter. For voice and video transmissions to be audible and clear, voice and video packets cannot be dropped, delayed, or delivered inconsistently. A best practice for voice and video applications, in addition to guaranteeing bandwidth, is to guarantee priority to voice and video traffic.
In this example, employees at a company branch office are experiencing difficulties and unreliability in using video conferencing and Voice over IP (VoIP) technologies to conduct business communications with other branch offices, with partners, and with customers. An IT admin intends to implement QoS in order to address these issues and ensure effective and reliable business communication for the branch employees. Because the admin wants to guarantee QoS to both incoming and outgoing network traffic, he will enable QoS on both the firewall's internal- and external-facing interfaces.
Ensure Quality for Voice and Video Applications
Step 1 The admin creates a QoS profile, defining Class 2 so that Class 2 traffic receives real-time priority and, on an interface with a maximum bandwidth of 1000 Mbps, is guaranteed a bandwidth of 250 Mbps at all times, including peak periods of network usage.
Real-time priority is typically recommended for applications affected by latency, and is particularly useful in guaranteeing performance and quality of voice and video applications.
On the firewall web interface, the admin selects the Network > Network Profiles > QoS Profile page, clicks Add, enters the Profile Name ensure voip video traffic and defines Class 2 traffic.
Step 2 The admin creates a QoS policy to identify voice and video traffic. Because the company does not have one standard voice and video application, the admin wants to ensure QoS is applied to a few applications that are widely and regularly used by employees to communicate with other offices, with partners, and with customers.
On the Policies > QoS > QoS Policy Rule > Applications tab, the admin clicks Add and opens the Application Filter window. The admin continues by selecting criteria to filter the applications he wants to apply QoS to, choosing the Subcategory voip-video, and narrowing that down by specifying only voip-video applications that are both low risk and widely used.
The application filter is a dynamic tool that, when used to filter applications in the QoS policy, allows QoS to be applied to all applications that meet the criteria of voip-video, low risk, and widely used at any given time.
The admin names the Application Filter voip video low risk and includes it in the QoS policy:
The admin names the QoS policy Voice Video and selects Other Settings to assign all traffic matched to the policy Class 2. He is going to use the Voice Video QoS policy for both incoming and outgoing QoS traffic, so he sets Source and Destination information to Any:
Step 3 Because the admin wants to ensure QoS for both incoming and outgoing voice and video communications, he enables QoS on the network's external-facing interface (to apply QoS to outgoing communications) and on the internal-facing interface (to apply QoS to incoming communications).
The admin begins by enabling the QoS profile he created in Step 1, ensure voip video traffic (Class 2 in this profile is associated with the policy created in Step 2, Voice Video), on the external-facing interface, in this case, ethernet1/2.
He then enables the same QoS profile ensure voip video traffic on a second interface, the internal-facing interface (in this case, ethernet1/1).
The admin has successfully enabled QoS on both the network's internal- and external-facing interfaces. Real-time priority is now ensured for voice and video application traffic as it flows both into and out of the network, ensuring that these communications, which are particularly sensitive to latency and jitter, can be used reliably and effectively to perform both internal and external business communications.
VPN Deployments
The Palo Alto Networks firewall supports the following VPN deployments:
- Site-to-Site VPN: A simple VPN that connects a central site and a remote site, or a hub and spoke VPN that connects a central site with multiple remote sites. The firewall uses the IP Security (IPSec) set of protocols to set up a secure tunnel for the traffic between the two sites. See Site-to-Site VPN Overview.
- Remote User-to-Site VPN: A solution that uses the GlobalProtect agent to allow a remote user to establish a secure connection through the firewall. This solution uses SSL and IPSec to establish a secure connection between the user and the site. Refer to the GlobalProtect Administrator's Guide.
- Large Scale VPN: The Palo Alto Networks GlobalProtect Large Scale VPN (LSVPN) provides a simplified mechanism to roll out a scalable hub and spoke VPN with up to 1,024 satellite offices. The solution requires Palo Alto Networks firewalls to be deployed at the hub and at every spoke. It uses certificates for device authentication, SSL for securing communication between all components, and IPSec to secure data. See Large Scale VPN (LSVPN).
Figure: VPN Deployments
Site-to-Site VPN Overview
A VPN connection that allows you to connect two Local Area Networks (LANs) is called a site-to-site VPN. You can configure route-based VPNs to connect Palo Alto Networks firewalls located at two sites or to connect a Palo Alto Networks firewall with a third-party security device at another location. The firewall can also interoperate with third-party policy-based VPN devices; the Palo Alto Networks firewall supports route-based VPN.
The Palo Alto Networks firewall sets up a route-based VPN, where the firewall makes a routing decision based on the destination IP address. If traffic is routed to a specific destination through a VPN tunnel, then it is handled as VPN traffic.
The IP Security (IPSec) set of protocols is used to set up a secure tunnel for the VPN traffic, and the information in the TCP/IP packet is secured (and encrypted if the tunnel type is ESP). The IP packet (header and payload) is embedded in another IP payload, and a new header is applied and then sent through the IPSec tunnel. The source IP address in the new header is that of the local VPN peer and the destination IP address is that of the VPN peer on the far end of the tunnel. When the packet reaches the remote VPN peer (the firewall at the far end of the tunnel), the outer header is removed and the original packet is sent to its destination.
In order to set up the VPN tunnel, first the peers need to be authenticated. After successful authentication, the peers negotiate the encryption mechanism and algorithms to secure the communication. The Internet Key Exchange (IKE) process is used to authenticate the VPN peers, and IPSec Security Associations (SAs) are defined at each end of the tunnel to secure the VPN communication. IKE uses digital certificates or pre-shared keys, and the Diffie-Hellman keys, to set up the SAs for the IPSec tunnel. The SAs specify all of the parameters that are required for secure transmission, including the security parameter index (SPI), security protocol, cryptographic keys, and the destination IP address, for encryption, data authentication, data integrity, and endpoint authentication.
The following figure shows a VPN tunnel between two sites. When a client that is secured by VPN Peer A needs content from a server located at the other site, VPN Peer A initiates a connection request to VPN Peer B. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters (IKE phase 1) to establish a secure connection and authenticate VPN Peer B. Then, VPN Peer A establishes the VPN tunnel using the IPSec Crypto profile, which defines the IKE phase 2 parameters to allow the secure transfer of data between the two sites.
Figure: Site-to-Site VPN
Site-to-Site VPN Concepts
A VPN connection provides secure access to information between two or more sites. In order to provide secure access to resources and reliable connectivity, a VPN connection needs the following components:
- IKE Gateway
- Tunnel Interface
- Tunnel Monitoring
- Internet Key Exchange (IKE) for VPN
- IKEv2
IKE Gateway
The Palo Alto Networks firewalls, or a firewall and another security device, that initiate and terminate VPN connections across the two networks are called the IKE Gateways. To set up the VPN tunnel and send traffic between the IKE Gateways, each peer must have an IP address (static or dynamic) or FQDN. The VPN peers use pre-shared keys or certificates to mutually authenticate each other.
The peers must also negotiate the mode (main or aggressive) for setting up the VPN tunnel and the SA lifetime in IKE Phase 1. Main mode protects the identity of the peers and is more secure because more packets are exchanged when setting up the tunnel. Main mode is the recommended mode for IKE negotiation if both peers support it. Aggressive mode uses fewer packets to set up the VPN tunnel and is hence faster but a less secure option for setting up the VPN tunnel.
See Set Up an IKE Gateway for configuration details.
Tunnel Interface
To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical (virtual) interface that is used to deliver traffic between two endpoints. Each tunnel interface can have a maximum of 10 IPSec tunnels; this means that up to 10 networks can be associated with the same tunnel interface on the firewall.
The tunnel interface must belong to a security zone to apply policy and it must be assigned to a virtual router in order to use the existing routing infrastructure. Ensure that the tunnel interface and the physical interface are assigned to the same virtual router so that the firewall can perform a route lookup and determine the appropriate tunnel to use.
Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an external zone, for example the untrust zone. While the tunnel interface can be in the same security zone as the physical interface, for added security and better visibility, you can create a separate zone for the tunnel interface. If you create a separate zone for the tunnel interface, say a VPN zone, you will need to create security policies to enable traffic to flow between the VPN zone and the trust zone.
To route traffic between the sites, a tunnel interface does not require an IP address. An IP address is only required if you want to enable tunnel monitoring or if you are using a dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next hop IP address for routing traffic to the VPN tunnel.
If you are configuring the Palo Alto Networks firewall with a VPN peer that performs policy-based VPN, you must configure a local and remote Proxy ID when setting up the IPSec tunnel. Each peer compares the Proxy IDs configured on it with what is actually received in the packet in order to allow a successful IKE phase 2 negotiation. If multiple tunnels are required, configure unique Proxy IDs for each tunnel interface; a tunnel interface can have a maximum of 250 Proxy IDs. Each Proxy ID counts towards the IPSec VPN tunnel capacity of the firewall, and the tunnel capacity varies by the firewall model.
See Set Up an IPSec Tunnel for configuration details.
Tunnel Monitoring
For a VPN tunnel, you can check connectivity to a destination IP address across the tunnel. The network monitoring profile on the firewall allows you to verify connectivity (using ICMP) to a destination IP address or a next hop at a specified polling interval, and to specify an action on failure to access the monitored IP address.
If the destination IP is unreachable, you either configure the firewall to wait for the tunnel to recover or configure automatic failover to another tunnel. In either case, the firewall generates a system log that alerts you to a tunnel failure and renegotiates the IPSec keys to accelerate recovery.
The default monitoring profile is configured to wait for the tunnel to recover; the polling interval is 3 seconds and the failure threshold is 5.
See Set Up Tunnel Monitoring for configuration details.
Internet Key Exchange (IKE) for VPN
The IKE process allows the VPN peers at both ends of the tunnel to encrypt and decrypt packets using mutually agreed-upon keys or certificates and method of encryption. The IKE process occurs in two phases: IKE Phase 1 and IKE Phase 2. Each of these phases uses keys and encryption algorithms that are defined using cryptographic profiles (IKE crypto profile and IPSec crypto profile), and the result of the IKE negotiation is a Security Association (SA). An SA is a set of mutually agreed-upon keys and algorithms that are used by both VPN peers to allow the flow of data across the VPN tunnel. The following illustration depicts the key exchange process for setting up the VPN tunnel:
IKE Phase 1
In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase 1 supports the use of pre-shared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Pre-shared keys are a simple solution for securing smaller networks because they do not require the support of a PKI infrastructure. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.
When using certificates, make sure that the CA issuing the certificate is trusted by both gateway peers and that the maximum length of certificates in the certificate chain is 5 or less. With IKE fragmentation enabled, the firewall can reassemble IKE messages with up to 5 certificates in the certificate chain and successfully establish a VPN tunnel.
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
- Diffie-Hellman (DH) group for generating symmetrical keys for IKE.
  The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share. The DH groups supported on the firewall are: Group 1 (768 bits), Group 2 (1024 bits, default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group).
- Authentication algorithms: sha1, sha256, sha384, sha512, or md5
- Encryption algorithms: 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des
IKE Phase 2
After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.
IPSec uses the following protocols to enable secure communication:
- Encapsulating Security Payload (ESP): Allows you to encrypt the entire IP packet, and authenticate the source and verify integrity of the data. While ESP requires that you encrypt and authenticate the packet, you can choose to only encrypt or only authenticate by setting the encryption option to Null; using encryption without authentication is discouraged.
- Authentication Header (AH): Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.
Table: Algorithms Supported for IPSec Authentication and Encryption

                                                ESP                                 AH
Diffie-Hellman (DH) exchange options supported
  Group 1 (768 bits)
  Group 2 (1024 bits, the default)
  Group 5 (1536 bits)
  Group 14 (2048 bits)
  Group 19 (256-bit elliptic curve group)
  Group 20 (384-bit elliptic curve group)
  no-pfs: By default, perfect forward secrecy (PFS) is enabled, which means a new DH key is generated in IKE phase 2 using one of the groups listed above. This key is independent of the keys exchanged in IKE phase 1 and provides better data transfer security. If you select no-pfs, the DH key created at phase 1 is not renewed and a single key is used for the IPSec SA negotiations. Both VPN peers must be enabled or disabled for PFS.
Encryption algorithms supported
  3des          Triple Data Encryption Standard (3DES) with a security strength of 112 bits
  aes-128-cbc   Advanced Encryption Standard (AES) using cipher block chaining (CBC) with a security strength of 128 bits
  aes-192-cbc   AES using CBC with a security strength of 192 bits
  aes-256-cbc   AES using CBC with a security strength of 256 bits
  aes-128-ccm   AES using Counter with CBC-MAC (CCM) with a security strength of 128 bits
  aes-128-gcm   AES using Galois/Counter Mode (GCM) with a security strength of 128 bits
  aes-256-gcm   AES using GCM with a security strength of 256 bits
  des           Data Encryption Standard (DES) with a security strength of 56 bits
Authentication algorithms supported
                                                ESP                                 AH
  md5                                           md5
  sha1                                          sha1
  sha256                                        sha256
  sha384                                        sha384
  sha512                                        sha512
Methods of Securing IPSec VPN Tunnels (IKE Phase 2)
IPSec VPN tunnels can be secured using manual keys or auto keys. In addition, IPSec configuration options include Diffie-Hellman Group for key agreement, and/or an encryption algorithm and a hash for message authentication.
- Manual Key: Manual key is typically used if the Palo Alto Networks firewall is establishing a VPN tunnel with a legacy device, or if you want to reduce the overhead of generating session keys. If using manual keys, the same key must be configured on both peers.
  Manual keys are not recommended for establishing a VPN tunnel because the session keys can be compromised when relaying the key information between the peers; if the keys are compromised, the data transfer is no longer secure.
- Auto Key: Auto Key allows you to automatically generate keys for setting up and maintaining the IPSec tunnel based on the algorithms defined in the IPSec Crypto profile.
IKEv2
An IPSec VPN gateway uses IKEv1 or IKEv2 to negotiate the IKE security association (SA) and IPSec tunnel. IKEv2 is defined in RFC 5996.
Unlike IKEv1, which uses Phase 1 SA and Phase 2 SA, IKEv2 uses a child SA for Encapsulating Security Payload (ESP) or Authentication Header (AH), which is set up with an IKE SA.
NAT traversal (NAT-T) must be enabled on both gateways if you have NAT occurring on a device that sits between the two gateways. A gateway can see only the public (globally routable) IP address of the NAT device.
IKEv2 provides the following benefits over IKEv1:
- Tunnel endpoints exchange fewer messages to establish a tunnel. IKEv2 uses four messages; IKEv1 uses either nine messages (in main mode) or six messages (in aggressive mode).
- Built-in NAT-T functionality improves compatibility between vendors.
- Built-in health check automatically re-establishes a tunnel if it goes down. The liveness check replaces the Dead Peer Detection used in IKEv1.
- Supports traffic selectors (one per exchange). The traffic selectors are used in IKE negotiations to control what traffic can access the tunnel.
- Supports Hash and URL certificate exchange to reduce fragmentation.
- Resiliency against DoS attacks with improved peer validation. An excessive number of half-open SAs can trigger cookie validation.
Before configuring IKEv2, you should be familiar with the following concepts:
- Liveness Check
- Cookie Activation Threshold and Strict Cookie Validation
- Traffic Selectors
- Hash and URL Certificate Exchange
- SA Key Lifetime and Re-Authentication Interval
After you Set Up an IKE Gateway, if you chose IKEv2, perform the following optional tasks related to IKEv2 as required by your environment:
- Export a Certificate for a Peer to Access Using Hash and URL
- Import a Certificate for IKEv2 Gateway Authentication
- Change the Key Lifetime or Authentication Interval for IKEv2
- Change the Cookie Activation Threshold for IKEv2
- Configure IKEv2 Traffic Selectors
Liveness Check
The liveness check for IKEv2 is similar to Dead Peer Detection (DPD), which IKEv1 uses as the way to determine whether a peer is still available.
In IKEv2, the liveness check is achieved by any IKEv2 packet transmission or an empty informational message that the gateway sends to the peer at a configurable interval, five seconds by default. If necessary, the sender attempts the retransmission up to ten times. If it doesn't get a response, the sender closes and deletes the IKE_SA and corresponding CHILD_SAs. The sender will start over by sending out another IKE_SA_INIT message.
Cookie Activation Threshold and Strict Cookie Validation
Cookie validation is always enabled for IKEv2; it helps protect against half-SA DoS attacks. You can configure the global threshold number of half-open SAs that will trigger cookie validation. You can also configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA.
The Cookie Activation Threshold is a global VPN session setting that limits the number of simultaneous half-opened IKE SAs (default is 500). When the number of half-opened IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie to validate the connection. If the cookie validation is successful, another SA can be initiated. A value of 0 means that cookie validation is always on.
The Responder does not maintain a state of the Initiator, nor does it perform a Diffie-Hellman key exchange, until the Initiator returns the cookie. IKEv2 cookie validation mitigates a DoS attack that would try to leave numerous connections half open.
The Cookie Activation Threshold must be lower than the Maximum Half Opened SA setting. If you Change the Cookie Activation Threshold for IKEv2 to a very high number (for example, 65534) and the Maximum Half Opened SA setting remained at the default value of 65535, cookie validation is essentially disabled.
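The following Python is an added example (not PAN-OS code) that models the responder-side behaviour described above: a half-open SA table, a Cookie Activation Threshold that must stay below the Maximum Half Opened SA value, a threshold of 0 meaning cookies are always demanded, per-gateway strict validation, and a stateless cookie that lets the responder defer state and the Diffie-Hellman exchange until the initiator echoes it. The cookie construction (an HMAC over peer address and SPI) and the peer addresses used in comments are assumptions for the illustration.

```python
"""Model of the IKEv2 cookie activation threshold, as an added example.

Not PAN-OS code. The responder keeps a half-open SA table; once the
table has reached the Cookie Activation Threshold (or always, when the
threshold is 0 or strict validation is on) it answers IKE_SA_INIT with
a cookie request instead of doing the Diffie-Hellman exchange, and
only admits initiators that echo a valid cookie. The cookie is an HMAC
over the peer address and SPI under a responder secret, a simplified
stand-in for the RFC 7296 construction (assumption).
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class Ikev2Responder:
    def __init__(self, cookie_threshold: int = 500,
                 max_half_open: int = 65535, strict: bool = False):
        # The threshold must be lower than Maximum Half Opened SA,
        # otherwise cookie validation is effectively disabled.
        if not 0 <= cookie_threshold < max_half_open:
            raise ValueError("Cookie Activation Threshold must be lower than "
                             "Maximum Half Opened SA")
        self.threshold = cookie_threshold
        self.max_half_open = max_half_open
        self.strict = strict  # per-gateway Strict Cookie Validation
        self._secret = secrets.token_bytes(32)
        self._half_open: Dict[int, str] = {}  # initiator SPI -> peer address

    def _cookie(self, peer_ip: str, spi: int) -> bytes:
        """Stateless cookie: recomputable from the request, so no table entry
        is needed while the initiator has not yet proven reachability."""
        msg = f"{peer_ip}|{spi:016x}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]

    def half_open_count(self) -> int:
        return len(self._half_open)

    def on_ike_sa_init(self, peer_ip: str, spi: int,
                       cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Handle an IKE_SA_INIT. Returns (outcome, cookie_to_send).

        The SA that would push the half-open count past the threshold is
        challenged; with threshold 0 every new SA is challenged.
        """
        demand_cookie = self.strict or len(self._half_open) >= self.threshold
        if demand_cookie:
            if cookie is None:
                # No state stored and no DH computed until the cookie returns.
                return "cookie_request", self._cookie(peer_ip, spi)
            if not hmac.compare_digest(cookie, self._cookie(peer_ip, spi)):
                return "rejected", None
        if len(self._half_open) >= self.max_half_open:
            return "rejected", None  # hard cap on half-open SAs
        # The DH exchange happens here; the SA stays half-open until IKE_AUTH.
        self._half_open[spi] = peer_ip
        return "half_open", None

    def on_ike_auth(self, spi: int) -> bool:
        """IKE_AUTH completes the SA, so it no longer counts as half-open."""
        return self._half_open.pop(spi, None) is not None

    def on_timeout(self, spi: int) -> None:
        """A half-open SA that never completes is dropped on expiry."""
        self._half_open.pop(spi, None)
```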
Traffic Selectors
In IKEv1, a firewall that has a route-based VPN needs to use a local and remote Proxy ID in order to set up an IPSec tunnel. Each peer compares its Proxy IDs with what it received in the packet in order to successfully negotiate IKE Phase 2. IKE Phase 2 is about negotiating the SAs to set up an IPSec tunnel. (For more information on Proxy IDs, see Tunnel Interface.)
In IKEv2, you can Configure IKEv2 Traffic Selectors, which are components of network traffic that are used during IKE negotiation. Traffic selectors are used during the CHILD_SA (tunnel creation) Phase 2 to set up the tunnel and to determine what traffic is allowed through the tunnel. The two IKE gateway peers must negotiate and agree on their traffic selectors; otherwise, one side narrows its address range to reach agreement. One IKE connection can have multiple tunnels; for example, you can assign different tunnels to each department to isolate their traffic. Separation of traffic also allows features such as QoS to be implemented.
The IPv4 and IPv6 traffic selectors are:
- Source IP address: A network prefix, address range, specific host, or wildcard.
- Destination IP address: A network prefix, address range, specific host, or wildcard.
- Protocol: A transport protocol, such as TCP or UDP.
- Source port: The port where the packet originated.
- Destination port: The port the packet is destined for.
During IKE negotiation, there can be multiple traffic selectors for different networks and protocols. For example, the Initiator might indicate that it wants to send TCP packets from 172.168.0.0/16 through the tunnel to its peer, destined for 198.5.0.0/16. It also wants to send UDP packets from 172.17.0.0/16 through the same tunnel to the same gateway, destined for 0.0.0.0 (any network). The peer gateway must agree to these traffic selectors so that it knows what to expect.
It is possible that one gateway will start negotiation using a traffic selector that is a more specific IP address than the IP address of the other gateway.
For example, gateway A offers a source IP address of 172.16.0.0/16 and a destination IP address of 192.16.0.0/16. But gateway B is configured with 0.0.0.0 (any source) as the source IP address and 0.0.0.0 (any destination) as the destination IP address. Therefore, gateway B narrows down its source IP address to 192.16.0.0/16 and its destination address to 172.16.0.0/16. Thus, the narrowing down accommodates the addresses of gateway A and the traffic selectors of the two gateways are in agreement.
If gateway B (configured with source IP address 0.0.0.0) is the Initiator instead of the Responder, gateway A will respond with its more specific IP addresses, and gateway B will narrow down its addresses to reach agreement.
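The narrowing described above, as an added example in Python (not PAN-OS code): a selector is modelled as a network prefix plus protocol and port range (the address-range form is left out), narrow() computes the overlap of two selectors, and negotiate_child_sa() applies it from the responder's side to reproduce the gateway A / gateway B exchange in both directions. The constructed GATEWAY_* inputs and the function names are assumptions.

```python
"""IKEv2 traffic selector narrowing, as an added example (not PAN-OS code).

Selectors are modelled as a CIDR prefix, a transport protocol and a port
range. The responder takes the initiator's TSi/TSr pair and narrows its own
selectors to the overlap, which is what the text describes gateway B doing.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PROTO = 0


@dataclass(frozen=True)
class TrafficSelector:
    network: str                # CIDR prefix; "0.0.0.0/0" is the wildcard
    protocol: int = ANY_PROTO   # 0 = any, 6 = TCP, 17 = UDP
    port_lo: int = 0
    port_hi: int = 65535

    def net(self):
        return ipaddress.ip_network(self.network, strict=False)


def narrow(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Return the selector covered by both a and b, or None if they cannot agree."""
    na, nb = a.net(), b.net()
    if na.version != nb.version or not na.overlaps(nb):
        return None
    # For prefixes, overlap means containment: the longer prefix is the overlap.
    net = na if na.prefixlen >= nb.prefixlen else nb
    if a.protocol != ANY_PROTO and b.protocol != ANY_PROTO and a.protocol != b.protocol:
        return None
    proto = a.protocol or b.protocol
    lo, hi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    if lo > hi:
        return None
    return TrafficSelector(str(net), proto, lo, hi)


def negotiate_child_sa(
    initiator_tsi: List[TrafficSelector], initiator_tsr: List[TrafficSelector],
    responder_remote: List[TrafficSelector], responder_local: List[TrafficSelector],
) -> List[Tuple[TrafficSelector, TrafficSelector]]:
    """Responder-side narrowing. TSi describes the initiator's side of the
    tunnel, so it is matched against the responder's remote selectors; TSr
    describes the responder's side and is matched against its local ones.
    Every agreeable (TSi, TSr) pair is returned; an empty list means no
    CHILD_SA can be set up."""
    agreed: List[Tuple[TrafficSelector, TrafficSelector]] = []
    for tsi in initiator_tsi:
        for tsr in initiator_tsr:
            for remote in responder_remote:
                for local in responder_local:
                    n_i, n_r = narrow(tsi, remote), narrow(tsr, local)
                    if n_i and n_r and (n_i, n_r) not in agreed:
                        agreed.append((n_i, n_r))
    return agreed


# Constructed inputs reproducing the text's gateway A / gateway B example.
GATEWAY_A_TSI = [TrafficSelector("172.16.0.0/16")]   # A's own side
GATEWAY_A_TSR = [TrafficSelector("192.16.0.0/16")]   # B's side as A sees it
GATEWAY_B_ANY = [TrafficSelector("0.0.0.0/0")]       # "any source" / "any destination"
```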
Hash and URL Certificate Exchange
IKEv2 supports Hash and URL Certificate Exchange, which is used during an IKEv2 negotiation of an SA. You
store the certificate on an HTTP server, which is specified by a URL. The peer fetches the certificate from
the server after receiving the URL. The hash is used to check that the content fetched from the server is
the certificate that was offered. Thus, the two peers retrieve certificates from the HTTP server rather than
sending them to each other.
The hash part of Hash and URL reduces the message size (a fixed-length hash plus a URL replaces the full
certificate), so Hash and URL is a way to reduce the likelihood of packet fragmentation during IKE
negotiation. The peer receives the certificate and hash that it expects, and thus IKE Phase 1 has validated
the peer. Reducing fragmentation occurrences helps protect against DoS attacks.
You can enable the Hash and URL certificate exchange when configuring an IKE gateway by selecting HTTP
Certificate Exchange and entering the Certificate URL. The peer must also use Hash and URL certificate
exchange in order for the exchange to be successful. If the peer cannot use Hash and URL, X.509 certificates
are exchanged similarly to how they are exchanged in IKEv1.
If you enable the Hash and URL certificate exchange, you must export your certificate to the certificate
server if it is not already there. When you export the certificate, the file format should be Binary Encoded
Certificate (DER). See Export a Certificate for a Peer to Access Using Hash and URL.
SA Key Lifetime and Re-Authentication Interval
Set Up Site-to-Site VPN
To set up site-to-site VPN:
- Make sure that your Ethernet interfaces, virtual routers, and zones are configured properly. For more
information, see Configure Interfaces and Zones.
- Create your tunnel interfaces. Ideally, put the tunnel interfaces in a separate zone, so that tunneled
traffic can use different policies.
- Set up static routes or assign routing protocols to redirect traffic to the VPN tunnels. To support
dynamic routing (OSPF, BGP, and RIP are supported), you must assign an IP address to the tunnel interface.
- Define IKE gateways for establishing communication between the peers across each end of the VPN
tunnel; also define the cryptographic profile that specifies the protocols and algorithms for
identification, authentication, and encryption to be used for setting up VPN tunnels in IKEv1 Phase 1.
See Set Up an IKE Gateway and Define IKE Crypto Profiles.
- Configure the parameters that are needed to establish the IPSec connection for transfer of data across
the VPN tunnel; see Set Up an IPSec Tunnel. For IKEv1 Phase 2, see Define IPSec Crypto Profiles.
- (Optional) Specify how the firewall will monitor the IPSec tunnels. See Set Up Tunnel Monitoring.
- Define security policies to filter and inspect the traffic.
If there is a deny rule at the end of the security rulebase, intrazone traffic is blocked unless
otherwise allowed. Rules to allow the IKE and IPSec applications (the ike and ipsec-esp App-IDs, plus
ipsec-esp-udp when a peer is behind NAT) between the two gateway addresses must be explicitly included
above the deny rule.
When these tasks are complete, the tunnel is ready for use. Traffic destined for the zones/addresses defined
in policy is automatically routed properly based on the destination route in the routing table, and handled as
VPN traffic. For a few examples on site-to-site VPN, see Site-to-Site VPN Quick Configs.
For troubleshooting purposes, you can Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel.
Set Up an IKE Gateway
To set up a VPN tunnel, the VPN peers or gateways must authenticate each other using pre-shared keys or
digital certificates and establish a secure channel in which to negotiate the IPSec security association (SA)
that will be used to secure traffic between the hosts on each side.
Set Up an IKE Gateway
Export a Certificate for a Peer to Access Using Hash and URL
IKEv2 supports Hash and URL Certificate Exchange as a method of having the peer at the remote end of the
tunnel fetch the certificate from a server where you have exported the certificate. Perform this task to
export your certificate to that server. You must have already created a certificate using Device > Certificate
Management.
Export a Certificate for Hash and URL
Import a Certificate for IKEv2 Gateway Authentication
Perform this task if you are authenticating a peer for an IKEv2 gateway and you did not use a local certificate
already on the firewall; you want to import a certificate from elsewhere.
This task presumes that you selected Network > IKE Gateways, added a gateway, and for Local Certificate, you
clicked Import.
Import a Certificate for IKEv2 Gateway Authentication
Step 2 After you perform this task, return to Configure an IKEv2 Gateway and resume Step 6.
Change the Key Lifetime or Authentication Interval for IKEv2
This task is optional; the default setting of the IKEv2 IKE SA rekey lifetime is 8 hours. The default setting of
the IKEv2 Authentication Multiple is 0, meaning the re-authentication feature is disabled. For more
information, see SA Key Lifetime and Re-Authentication Interval.
To change the default values, perform the following task. A prerequisite is that an IKE crypto profile already
exists.
Change the SA Key Lifetime or Authentication Interval
Change the Cookie Activation Threshold for IKEv2
Perform the following task if you want a firewall to have a threshold different from the default setting of 500
half-opened SA sessions before cookie validation is required. For more information about cookie validation,
see Cookie Activation Threshold and Strict Cookie Validation.
Change the Cookie Activation Threshold
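The guide gives the threshold but not the mechanism it controls. The following added example (not code from the guide or from PAN-OS) models it after RFC 7296 section 2.6: while the number of half-open IKE SAs is below the threshold, IKE_SA_INIT requests get state allocated immediately; at or above it (or always, with strict validation on) the responder answers with a stateless COOKIE notification and only allocates state when the initiator echoes that cookie, which an initiator using a spoofed source address never sees. The cookie construction (an HMAC over the initiator nonce, address and SPI under a versioned secret) and the flood scenario are this example's own choices; the 500 default is the guide's.

```python
"""IKEv2 half-open SA limiting with stateless cookies (RFC 7296 section 2.6), as a model of
the cookie activation threshold and strict cookie validation settings."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

COOKIE_ACTIVATION_THRESHOLD = 500   # PAN-OS default cited in the guide


class Ikev2Responder:
    def __init__(self, threshold: int = COOKIE_ACTIVATION_THRESHOLD, strict: bool = False):
        self.threshold = threshold
        self.strict = strict                 # strict: demand a cookie on every IKE_SA_INIT
        self.secret = os.urandom(32)         # a real responder rotates this periodically
        self.secret_version = 1
        self.half_open: Dict[bytes, str] = {}   # SPIi -> peer IP; SAs waiting for IKE_AUTH

    def _cookie(self, spi_i: bytes, nonce_i: bytes, peer_ip: str) -> bytes:
        # Cookie = <VersionIDofSecret> | MAC(Ni | IPi | SPIi) keyed with the secret.
        # RFC 7296 suggests Hash(Ni | IPi | SPIi | secret); the HMAC is the keyed equivalent.
        mac = hmac.new(self.secret, nonce_i + peer_ip.encode() + spi_i, hashlib.sha256).digest()
        return self.secret_version.to_bytes(4, "big") + mac[:16]

    def handle_ike_sa_init(self, spi_i: bytes, nonce_i: bytes, peer_ip: str,
                           cookie: Optional[bytes] = None) -> Tuple[str, bytes]:
        """Returns ("COOKIE", cookie) when the initiator must retry with the cookie (nothing stored),
        or ("SA_INIT_RESPONSE", SPIr) when a half-open SA was created."""
        cookies_required = self.strict or len(self.half_open) >= self.threshold
        if cookies_required:
            expected = self._cookie(spi_i, nonce_i, peer_ip)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return ("COOKIE", expected)      # cheap reply, no state allocated
        spi_r = os.urandom(8)
        self.half_open[spi_i] = peer_ip
        return ("SA_INIT_RESPONSE", spi_r)

    def complete_ike_auth(self, spi_i: bytes) -> None:
        """IKE_AUTH finished (or the half-open SA timed out): it no longer counts."""
        self.half_open.pop(spi_i, None)


def flood_then_connect(threshold: int) -> Tuple[str, str, str, int]:
    """A spoofed-source flood fills the half-open table up to the threshold. Afterwards only an
    initiator that really receives the reply (and echoes the cookie) gets state allocated."""
    r = Ikev2Responder(threshold=threshold)
    for i in range(threshold):                           # attacker: random SPIs, spoofed sources
        r.handle_ike_sa_init(os.urandom(8), os.urandom(32), f"198.51.100.{i % 250}")
    spoofed = r.handle_ike_sa_init(os.urandom(8), os.urandom(32), "203.0.113.9")
    spi, nonce, ip = os.urandom(8), os.urandom(32), "192.0.2.25"   # legitimate peer
    first = r.handle_ike_sa_init(spi, nonce, ip)
    retry = r.handle_ike_sa_init(spi, nonce, ip, cookie=first[1])
    return spoofed[0], first[0], retry[0], len(r.half_open)


if __name__ == "__main__":
    print(flood_then_connect(COOKIE_ACTIVATION_THRESHOLD))
```

Lowering the threshold makes the responder fall back to cookies sooner, at the cost of one extra round trip for every new legitimate peer while the table is full; strict cookie validation pays that round trip always.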
Configure IKEv2 Traffic Selectors
Configure Traffic Selectors for IKEv2
Define Cryptographic Profiles
A cryptographic profile specifies the ciphers used for authentication and/or encryption between two IKE
peers, and the lifetime of the key. The time period between each renegotiation is known as the lifetime;
when the specified time expires, the firewall renegotiates a new set of keys.
For securing communication across the VPN tunnel, the firewall requires IKE and IPSec cryptographic
profiles for completing IKE phase 1 and phase 2 negotiations, respectively. The firewall includes a default
IKE crypto profile and a default IPSec crypto profile that are ready for use.
- Define IKE Crypto Profiles
- Define IPSec Crypto Profiles
Define IKE Crypto Profiles
The IKE crypto profile is used to set up the encryption and authentication algorithms used for the key
exchange process in IKE Phase 1, and the lifetime of the keys, which specifies how long the keys are valid. To
invoke the profile, you must attach it to the IKE Gateway configuration.
All IKE gateways configured on the same interface or local IP address must use the same crypto
profile.
Define an IKE Crypto Profile
Step 1 Create a new IKE profile.
1. Select Network > Network Profiles > IKE Crypto and select Add.
2. Enter a Name for the new profile.
Define IPSec Crypto Profiles
The IPSec crypto profile is invoked in IKE Phase 2. It specifies how the data is secured within the tunnel when
Auto Key IKE is used to automatically generate the keys for the IPSec SAs.
Define the IPSec Crypto Profile
Step 1 Create a new IPSec profile.
1. Select Network > Network Profiles > IPSec Crypto and select Add.
2. Enter a Name for the new profile.
3. Select the IPSec Protocol (ESP or AH) that you want to apply to secure the data as it traverses across
the tunnel.
4. Click Add and select the Authentication and Encryption algorithms for ESP, and the Authentication
algorithms for AH, so that the IKE peers can negotiate the keys for the secure transfer of data across
the tunnel.
If you are not certain of what the IKE peers support, add multiple algorithms in the order of most to least
secure as follows; the peers negotiate the strongest supported algorithm to establish the tunnel:
- Encryption: aes-256-gcm, aes-256-cbc, aes-192-cbc, aes-128-gcm, aes-128-ccm (the VM-Series firewall
does not support this option), aes-128-cbc, 3des, des.
DES is available to provide backward compatibility with legacy devices that do not support stronger
encryption, but as a best practice always use a stronger encryption algorithm, such as AES, if the peer
can support it; offer 3DES only for peers that support nothing stronger. The GCM and CCM modes are
authenticated encryption and provide their own integrity protection, so they are not combined with a
separate authentication algorithm.
- Authentication: sha512, sha384, sha256, sha1, md5.
Set Up an IPSec Tunnel
The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses
across the tunnel.
If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN,
you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or
access lists (source addresses, destination addresses and ports) for permitting interesting traffic through an
IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as
Proxy IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks
firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the
Proxy ID so that the setting on both peers is identical. If the Proxy ID is not configured, because the Palo
Alto Networks firewall supports route-based VPN, the default values used as Proxy ID are source ip:
0.0.0.0/0, destination ip: 0.0.0.0/0 and application: any; when these values are exchanged with a
policy-based peer that expects its own, narrower selectors, the result is a failure to set up the VPN connection.
Set Up an IPSec Tunnel
Set up Auto Key exchange.
1. Select the IKE Gateway. To set up an IKE gateway, see Set Up an IKE Gateway.
2. (Optional) Select the default IPSec Crypto Profile. To create a new IPSec Profile, see Define IPSec
Crypto Profiles.
Set up a Manual Key exchange.
Manual keys are never renegotiated: the SA uses the same keys until you change them by hand, and there
is no Phase 1 authentication of the peer. Prefer Auto Key whenever the peer supports IKE.
1. Set up the parameters for the local firewall:
a. Specify the SPI for the local firewall. The SPI is a 32-bit hexadecimal index that is added to the header
for IPSec tunneling to assist in differentiating between IPSec traffic flows; it is used to create the SA
required for establishing a VPN tunnel.
b. Select the Interface that will be the tunnel endpoint, and optionally select the IP address for the local
interface that is the endpoint of the tunnel.
c. Select the protocol to be used: AH or ESP.
d. For AH, select the Authentication method from the drop-down and enter a Key and then Confirm Key.
e. For ESP, select the Authentication method from the drop-down and enter a Key and then Confirm Key.
Then, select the Encryption method and enter a Key and then Confirm Key, if needed.
2. Set up the parameters that pertain to the remote VPN peer.
a. Specify the SPI for the remote peer.
b. Enter the Remote Address, the IP address of the remote peer.
Set Up Tunnel Monitoring
To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel
monitoring capability on the firewall. You can also monitor the status of the tunnel. These monitoring tasks
are described in the following sections:
- Define a Tunnel Monitoring Profile
- View the Status of the Tunnels
Define a Tunnel Monitoring Profile
A tunnel monitoring profile allows you to verify connectivity between the VPN peers; you can configure the
tunnel interface to ping a destination IP address at a specified interval and specify the action if the
communication across the tunnel is broken.
Define a Tunnel Monitoring Profile
Step 2 Click Add, and enter a Name for the profile.
Step 3 Select the Action if the destination IP address is unreachable.
- Wait Recover: the firewall waits for the tunnel to recover. It continues to use the tunnel interface in routing
decisions as if the tunnel were still active.
- Fail Over: forces traffic to a backup path if one is available. The firewall disables the tunnel interface, and
thereby disables any routes in the routing table that use the interface.
In either case, the firewall attempts to accelerate the recovery by negotiating new IPSec keys.
Step 4 Specify the Interval and Threshold to trigger the specified action.
The Threshold specifies the number of heartbeats to wait before taking the specified action. The range is 2-100
and the default is 5.
The Interval measures the time between heartbeats. The range is 2-10 and the default is 3 seconds.
With the defaults, a broken tunnel is therefore detected about 15 seconds (5 x 3 s) after the last successful
heartbeat.
Step 5 Attach the monitoring profile to the IPSec Tunnel configuration. See Enable Tunnel Monitoring.
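To make the Interval/Threshold arithmetic and the difference between the two actions concrete, here is an added example (not code from the guide or from PAN-OS) that models a tunnel monitoring profile and feeds it constructed sequences of heartbeat results. The ranges and defaults are the ones stated in Step 4; the state-machine details (a single rekey attempt when the threshold is hit, routes restored on the first reply) are this model's assumptions.

```python
"""Model of a PAN-OS tunnel monitoring profile: heartbeats, threshold, and the two failure actions."""
from dataclasses import dataclass, field
from typing import List

WAIT_RECOVER, FAIL_OVER = "wait-recover", "fail-over"


@dataclass
class TunnelMonitor:
    action: str
    interval: int = 3        # seconds between heartbeats; guide: range 2-10, default 3
    threshold: int = 5       # missed heartbeats before the action; guide: range 2-100, default 5
    missed: int = 0
    tunnel_up: bool = True
    routes_via_tunnel_active: bool = True    # are routes pointing at the tunnel interface usable?
    rekey_attempts: int = 0
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.action not in (WAIT_RECOVER, FAIL_OVER):
            raise ValueError("action must be wait-recover or fail-over")
        if not 2 <= self.interval <= 10 or not 2 <= self.threshold <= 100:
            raise ValueError("interval must be 2-10 s and threshold 2-100 heartbeats")

    @property
    def detection_time(self) -> int:
        """Seconds of silence before the action fires."""
        return self.interval * self.threshold

    def heartbeat(self, reply_received: bool) -> None:
        if reply_received:
            if not self.tunnel_up:
                self.events.append("tunnel recovered")
            self.missed, self.tunnel_up, self.routes_via_tunnel_active = 0, True, True
            return
        self.missed += 1
        if self.missed != self.threshold:
            return                                 # inside the threshold: keep using the tunnel
        self.tunnel_up = False
        self.rekey_attempts += 1                   # both actions: try to negotiate new IPSec keys
        if self.action == FAIL_OVER:
            self.routes_via_tunnel_active = False  # interface disabled -> its routes withdrawn
        self.events.append(f"{self.action} after {self.detection_time}s without a reply")


def simulate(action: str, replies: List[bool], **profile) -> TunnelMonitor:
    """Feed a sequence of heartbeat results (True = reply seen) to a fresh monitor."""
    mon = TunnelMonitor(action=action, **profile)
    for ok in replies:
        mon.heartbeat(ok)
    return mon


if __name__ == "__main__":
    outage = [True] + [False] * 5 + [True]            # constructed: 15 s of silence, then recovery
    for action in (WAIT_RECOVER, FAIL_OVER):
        m = simulate(action, outage)
        print(action, m.events, "routes active:", m.routes_via_tunnel_active)
    print("blip shorter than the threshold:", simulate(FAIL_OVER, [False] * 4 + [True]).events)
```

The trade-off the model exposes: lowering interval x threshold fails over faster but turns a short loss of four or five pings into a route flap, while Wait Recover keeps black-holing traffic into a dead tunnel until the peer comes back.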
View the Status of the Tunnels
The status of the tunnel informs you about whether or not valid IKE phase 1 and phase 2 SAs have been
established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it cannot indicate a physical link status. Therefore, you
must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and
determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel
to recover or fail over. When a failover occurs, the existing tunnel is torn down and routing changes are
triggered to set up a new tunnel and redirect traffic.
View Tunnel Status
To troubleshoot a VPN tunnel that is not yet up, see Interpret VPN Error Messages.
Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel
You can enable, disable, refresh or restart an IKE gateway or VPN tunnel to make troubleshooting easier.
Enable or Disable an IKE Gateway or Tunnel
The refresh and restart behaviors for an IKE gateway and IPSec tunnel are as follows:
As the table above indicates, restarting an IKEv2 gateway has a result different from restarting an IKEv1
gateway.
Refresh or Restart an IKE Gateway or IPSec Tunnel
Test VPN Connectivity
Test Connectivity
Initiate IKE phase 1 by either pinging a host across the tunnel or using the following CLI command:
test vpn ike-sa gateway <gateway_name>
Then enter the following command to test if IKE phase 1 is set up:
show vpn ike-sa gateway <gateway_name>
In the output, check if the Security Association displays. If it does not, review the system log messages to interpret
the reason for failure.
Initiate IKE phase 2 by either pinging a host from across the tunnel or using the following CLI command:
test vpn ipsec-sa tunnel <tunnel_name>
Then enter the following command to test if IKE phase 2 is set up:
show vpn ipsec-sa tunnel <tunnel_name>
In the output, check if the Security Association displays. If it does not, review the system log messages to interpret
the reason for failure.
To view the VPN traffic flow information, use the following command:
show vpn flow
admin@PA-500> show vpn flow
total tunnels configured: 1
filter - type IPSec, state any
total IPSec tunnel configured: 1
total IPSec tunnel shown: 1
Interpret VPN Error Messages
The following table lists some of the common VPN error messages that are logged in the system log.
Table: Syslog Error Messages for VPN Issues
If error is this: Try this:
Site-to-Site VPN Quick Configs
The following sections provide instructions for configuring some common VPN deployments:
- Site-to-Site VPN with Static Routing
- Site-to-Site VPN with OSPF
- Site-to-Site VPN with Static and Dynamic Routing
Site-to-Site VPN with Static Routing
The following example shows a VPN connection between two sites that use static routes. Without dynamic
routing, the tunnel interfaces on VPN Peer A and VPN Peer B do not require an IP address because the
firewall automatically uses the tunnel interface as the next hop for routing traffic across the sites. However,
to enable tunnel monitoring, a static IP address has been assigned to each tunnel interface.
Quick Config: Site-to-Site VPN with Static Routing
Site-to-Site VPN with OSPF
In this example, each site uses OSPF for dynamic routing of traffic. The tunnel IP address on each VPN peer
is statically assigned and serves as the next hop for routing traffic between the two sites.
Quick Config: Site-to-Site VPN with Dynamic Routing using OSPF
Site-to-Site VPN with Static and Dynamic Routing
In this example, one site uses static routes and the other site uses OSPF. When the routing protocol is not
the same between the locations, the tunnel interface on each firewall must be configured with a static IP
address. Then, to allow the exchange of routing information, the firewall that participates in both the static
and dynamic routing process must be configured with a Redistribution profile. Configuring the redistribution
profile enables the virtual router to redistribute and filter routes between protocols (static routes,
connected routes, and hosts) from the static autonomous system to the OSPF autonomous system.
Without this redistribution profile, each protocol functions on its own and does not exchange any route
information with other protocols running on the same virtual router.
In this example, the satellite office has static routes and all traffic destined to the 192.168.x.x network is
routed to tunnel.41. The virtual router on VPN Peer B participates in both the static and the dynamic routing
process and is configured with a redistribution profile in order to propagate (export) the static routes to the
OSPF autonomous system.
Quick Config: Site-to-Site VPN with Static and Dynamic Routing
show routing route
The following is an example of the output on each VPN peer.
LSVPN enables site-to-site VPNs between Palo Alto Networks firewalls. To set up a site-to-site
VPN between a Palo Alto Networks firewall and another device, see VPNs.
The following topics describe the LSVPN components and how to set them up to enable site-to-site VPN
services between Palo Alto Networks firewalls:
- LSVPN Overview
- Create Interfaces and Zones for the LSVPN
- Enable SSL Between GlobalProtect LSVPN Components
- Configure the Portal to Authenticate Satellites
- Configure GlobalProtect Gateways for LSVPN
- Configure the GlobalProtect Portal for LSVPN
- Prepare the Satellite to Join the LSVPN
- Verify the LSVPN Configuration
- LSVPN Quick Configs
LSVPN Overview
GlobalProtect provides a complete infrastructure for managing secure access to corporate resources from
your remote sites. This infrastructure includes the following components:
- GlobalProtect Portal: Provides the management functions for your GlobalProtect LSVPN infrastructure.
Every satellite that participates in the GlobalProtect LSVPN receives configuration information from the
portal, including configuration information to enable the satellites (the spokes) to connect to the
gateways (the hubs). You configure the portal on an interface on any Palo Alto Networks next-generation
firewall.
- GlobalProtect Gateways: A Palo Alto Networks firewall that provides the tunnel endpoint for satellite
connections. The resources that the satellites access are protected by security policy on the gateway. It is
not required to have a separate portal and gateway; a single firewall can function both as portal and
gateway.
- GlobalProtect Satellite: A Palo Alto Networks firewall at a remote site that establishes IPSec tunnels
with the gateway(s) at your corporate office(s) for secure access to centralized resources. Configuration
on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN as you add new sites.
The following diagram illustrates how the GlobalProtect LSVPN components work together.
Create Interfaces and Zones for the LSVPN
You must configure the following interfaces and zones for your LSVPN infrastructure:
- GlobalProtect portal: Requires a Layer 3 interface for GlobalProtect satellites to connect to. If the portal
and gateway are on the same firewall, they can use the same interface. The portal must be in a zone that
is accessible from your branch offices.
- GlobalProtect gateways: Requires three interfaces: a Layer 3 interface in the zone that is reachable by
the remote satellites, an internal interface in the trust zone that connects to the protected resources, and
a logical tunnel interface for terminating the VPN tunnels from the satellites. Unlike other site-to-site
VPN solutions, the GlobalProtect gateway only requires a single tunnel interface, which it will use for
tunnel connections with all of your remote satellites (point-to-multipoint). If you plan to use dynamic
routing, you must assign an IP address to the tunnel interface.
- GlobalProtect satellites: Requires a single tunnel interface for establishing a VPN with the remote
gateways (up to a maximum of 25 gateways). If you plan to use dynamic routing, you must assign an IP
address to the tunnel interface.
For more information about portals, gateways, and satellites see LSVPN Overview.
Set Up Interfaces and Zones for the GlobalProtect LSVPN
Enable SSL Between GlobalProtect LSVPN Components
All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you
must generate and/or install the required certificates before configuring each component so that you can
reference the appropriate certificate(s) and/or certificate profiles in the configurations for each component.
The following sections describe the supported methods of certificate deployment, descriptions and best
practice guidelines for the various GlobalProtect certificates, and provide instructions for generating and
deploying the required certificates:
- About Certificate Deployment
- Deploy Server Certificates to the GlobalProtect LSVPN Components
- Deploy Client Certificates to the GlobalProtect Satellites Using SCEP
About Certificate Deployment
There are two basic approaches to deploying certificates for GlobalProtect LSVPN:
- Enterprise Certificate Authority: If you already have your own enterprise certificate authority, you can
use this internal CA to issue an intermediate CA certificate for the GlobalProtect portal to enable it to
issue certificates to the GlobalProtect gateways and satellites. You can also configure the GlobalProtect
portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to issue client certificates to
GlobalProtect satellites.
- Self-Signed Certificates: You can generate a self-signed root CA certificate on the firewall and use it to
issue server certificates for the portal, gateway(s), and satellite(s). As a best practice, create a self-signed
root CA certificate on the portal and use it to issue server certificates for the gateways and satellites. This
way, the private key used for certificate signing stays on the portal.
Deploy Server Certificates to the GlobalProtect LSVPN Components
The GlobalProtect LSVPN components use SSL/TLS to mutually authenticate. Before deploying the LSVPN,
you must assign an SSL/TLS service profile to each portal and gateway. The profile specifies the server
certificate and allowed TLS versions for communication with satellites. You don't need to create SSL/TLS
service profiles for the satellites because the portal will issue a server certificate for each satellite during the
first connection as part of the satellite registration process.
In addition, you must import the root certificate authority (CA) certificate used to issue the server certificates
onto each firewall that you plan to host as a gateway or satellite. Finally, on each gateway and satellite
participating in the LSVPN, you must configure a certificate profile that will enable them to establish an
SSL/TLS connection using mutual authentication.
The following workflow shows the best practice steps for deploying SSL certificates to the GlobalProtect
LSVPN components:
Deploy SSL Server Certificates to the GlobalProtect Components
Deploy Client Certificates to the GlobalProtect Satellites Using SCEP
As an alternative method for deploying client certificates to satellites, you can configure your GlobalProtect
portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise
PKI. SCEP operation is dynamic in that the enterprise PKI generates a certificate when the portal requests it
and sends the certificate to the portal.
When the satellite device requests a connection to the portal or gateway, it also includes its serial number
with the connection request. The portal submits a CSR to the SCEP server using the settings in the SCEP
profile and automatically includes the serial number of the device in the subject of the client certificate. After
receiving the client certificate from the enterprise PKI, the portal transparently deploys the client certificate
to the satellite device. The satellite device then presents the client certificate to the portal or gateway for
authentication.
Deploy Server Certificates to the GlobalProtect Components Using SCEP
Configure the Portal to Authenticate Satellites
In order to register with the LSVPN, each satellite must establish an SSL/TLS connection with the portal.
After establishing the connection, the portal authenticates the satellite to ensure that it is authorized to join
the LSVPN. After successfully authenticating the satellite, the portal will issue a server certificate for the
satellite and push the LSVPN configuration specifying the gateways to which the satellite can connect and
the root CA certificate required to establish an SSL connection with the gateways.
There are two ways that the satellite can authenticate to the portal during its initial connection:
- Serial number: You can configure the portal with the serial number of the satellite firewalls that are
authorized to join the LSVPN. During the initial satellite connection to the portal, the satellite presents
its serial number to the portal and if the portal has the serial number in its configuration, the satellite will
be successfully authenticated. You add the serial numbers of authorized satellites when you configure
the portal. See Configure the Portal.
- Username and password: If you would rather provision your satellites without manually entering the
serial numbers of the satellites into the portal configuration, you can instead require the satellite
administrator to authenticate when establishing the initial connection to the portal. Although the portal
will always look for the serial number in the initial request from the satellite, if it cannot identify the serial
number, the satellite administrator must provide a username and password to authenticate to the portal.
Because the portal will always fall back to this form of authentication, you must create an authentication
profile in order to commit the portal configuration. This requires that you set up an authentication profile
for the portal LSVPN configuration even if you plan to authenticate satellites using the serial number.
Since any firewall that cannot present a known serial number is offered the username/password path, treat
the credentials that this profile accepts as sensitive: they are what stands between an unknown device and
an issued satellite certificate plus a gateway list.
The following workflow describes how to set up the portal to authenticate satellites against an existing
authentication service. GlobalProtect LSVPN supports external authentication using a local database, LDAP
(including Active Directory), Kerberos, TACACS+, or RADIUS.
Set Up Satellite Authentication
Configure GlobalProtect Gateways for LSVPN
Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways
the satellite can connect to, it is a good idea to configure the gateways before configuring the portal.
- Prerequisite Tasks
- Configure the Gateway
Prerequisite Tasks
Before you can configure the GlobalProtect gateway, you must complete the following tasks:
- Create Interfaces and Zones for the LSVPN on the interface where you will configure each gateway.
You must configure both the physical interface and the virtual tunnel interface.
- Enable SSL Between GlobalProtect LSVPN Components by configuring the gateway server certificates,
SSL/TLS service profiles, and certificate profile required to establish a mutual SSL/TLS connection from
the GlobalProtect satellites to the gateway.
Configure the Gateway
After you have completed the Prerequisite Tasks, configure each GlobalProtect gateway to participate in the
LSVPN as follows:
Configure the Gateway for LSVPN
Configure the GlobalProtect Portal for LSVPN
The GlobalProtect portal provides the management functions for your GlobalProtect LSVPN. Every satellite
system that participates in the LSVPN receives configuration information from the portal, including
information about available gateways as well as the certificate it needs in order to connect to the gateways.
The following sections provide procedures for setting up the portal:
- Prerequisite Tasks
- Configure the Portal
- Define the Satellite Configurations
Prerequisite Tasks
Before configuring the GlobalProtect portal, you must complete the following tasks:
- Create Interfaces and Zones for the LSVPN on the interface where you will configure the portal.
- Enable SSL Between GlobalProtect LSVPN Components by creating an SSL/TLS service profile for the
portal server certificate, issuing gateway server certificates, and configuring the portal to issue server
certificates for the GlobalProtect satellites.
- Configure the Portal to Authenticate Satellites by defining the authentication profile that the portal will
use to authenticate satellites if the serial number is not available.
- Configure GlobalProtect Gateways for LSVPN.
Configure the Portal
After you have completed the Prerequisite Tasks, configure the GlobalProtect portal as follows:
Configure the Portal for LSVPN
Define the Satellite Configurations
When a GlobalProtect satellite connects and successfully authenticates to the GlobalProtect portal, the
portal delivers a satellite configuration, which specifies what gateways the satellite can connect to. If all your
satellites will use the same gateway and certificate configurations, you can create a single satellite
configuration to deliver to all satellites upon successful authentication. However, if you require different
satellite configurations (for example, if you want one group of satellites to connect to one gateway and
another group of satellites to connect to a different gateway), you can create a separate satellite
configuration for each. The portal will then use the enrollment username/group name or the serial number
of the satellite to determine which satellite configuration to deploy. As with security rule evaluation, the
portal looks for a match starting from the top of the list. When it finds a match, it delivers the corresponding
configuration to the satellite. Order therefore matters: a configuration with no serial number, user, or group
restriction matches every satellite, so it belongs at the bottom of the list.
For example, the following figure shows a network in which some branch offices require VPN access to the
corporate applications protected by your perimeter firewalls and another site needs VPN access to the data
center.
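The first-match selection described above, as an added example that is not part of the guide and not PAN-OS code. The three configurations (a data-center configuration keyed on a serial number, a branch configuration keyed on an enrollment group, and an unrestricted default) are constructed after the figure's two cases; the serial number, group and gateway names are invented for the example. The shadowed() helper flags configurations that an unrestricted entry above them makes unreachable.

```python
"""First-match selection of a GlobalProtect satellite configuration, as the guide describes it."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SatelliteConfig:
    name: str
    gateways: Tuple[str, ...]                  # gateways this configuration hands to the satellite
    serials: FrozenSet[str] = frozenset()      # authorized satellite serial numbers
    users: FrozenSet[str] = frozenset()        # enrollment usernames (username/password path)
    groups: FrozenSet[str] = frozenset()       # enrollment group names

    def is_catch_all(self) -> bool:
        """No serial, user or group restriction: matches any satellite that authenticated."""
        return not (self.serials or self.users or self.groups)

    def matches(self, serial: Optional[str], user: Optional[str], groups: Iterable[str]) -> bool:
        if self.is_catch_all():
            return True
        if serial is not None and serial in self.serials:
            return True
        if user is not None and (user in self.users or bool(self.groups & frozenset(groups))):
            return True
        return False


def select_config(configs: List[SatelliteConfig], serial: Optional[str] = None,
                  user: Optional[str] = None,
                  groups: Iterable[str] = ()) -> Optional[SatelliteConfig]:
    """Top-down evaluation; the first configuration that matches is delivered, as with security rules."""
    groups = tuple(groups)
    for cfg in configs:
        if cfg.matches(serial, user, groups):
            return cfg
    return None


def shadowed(configs: List[SatelliteConfig]) -> List[str]:
    """Configurations that can never be selected because a catch-all sits above them in the list."""
    names: List[str] = []
    blocked = False
    for cfg in configs:
        if blocked:
            names.append(cfg.name)
        elif cfg.is_catch_all():
            blocked = True
    return names


# Constructed configurations mirroring the figure's two cases (names and values are not from the guide).
DATACENTER = SatelliteConfig("datacenter", ("gw-datacenter",),
                             serials=frozenset({"0100000000123"}))
BRANCHES = SatelliteConfig("branches", ("gw-perimeter-1", "gw-perimeter-2"),
                           groups=frozenset({"branch-offices"}))
DEFAULT = SatelliteConfig("default", ("gw-perimeter-1",))
PORTAL_LIST = [DATACENTER, BRANCHES, DEFAULT]        # catch-all last, as it should be

if __name__ == "__main__":
    print(select_config(PORTAL_LIST, serial="0100000000123").name)                     # datacenter
    print(select_config(PORTAL_LIST, user="branch-admin", groups=["branch-offices"]).name)  # branches
    print(select_config(PORTAL_LIST, serial="unknown", user="someone").name)           # default
    print("shadowed if the default is moved to the top:", shadowed([DEFAULT, DATACENTER, BRANCHES]))
```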
Use the following procedure to create one or more satellite configurations.
Create a GlobalProtect Satellite Configuration
Prepare the Satellite to Join the LSVPN
To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required
configuration is minimal, you can pre-configure the satellites before shipping them to your branch offices for
installation.
Prepare the Satellite to Join the GlobalProtect LSVPN
Verify the LSVPN Configuration
After configuring the portal, gateways, and satellites, verify that the satellites are able to connect to the
portal and gateway and establish VPN tunnels with the gateway(s).
Verify the LSVPN Configuration
LSVPN Quick Configs
The following sections provide step-by-step instructions for configuring some common GlobalProtect
LSVPN deployments:
- Basic LSVPN Configuration with Static Routing
- Advanced LSVPN Configuration with Dynamic Routing
Basic LSVPN Configuration with Static Routing
This quick config shows the fastest way to get up and running with LSVPN. In this example, a single firewall
at the corporate headquarters site is configured as both a portal and a gateway. Satellites can be quickly and
easily deployed with minimal configuration for optimized scalability.
The following workflow shows the steps for setting up this basic configuration:
Quick Config: Basic LSVPN with Static Routing
Step 3 Create the security policy rule to enable traffic flow between the VPN zone where the tunnel terminates
(lsvpntun) and the trust zone where the corporate applications reside (L3Trust).
Advanced LSVPN Configuration with Dynamic Routing
In larger LSVPN deployments with multiple gateways and many satellites, investing a little more time in the
initial configuration to set up dynamic routing will simplify the maintenance of gateway configurations
because access routes will update dynamically. The following example configuration shows how to extend
the basic LSVPN configuration to configure OSPF as the dynamic routing protocol.
Setting up an LSVPN to use OSPF for dynamic routing requires the following additional steps on the
gateways and the satellites:
- Manual assignment of IP addresses to tunnel interfaces on all gateways and satellites.
- Configuration of OSPF point-to-multipoint (P2MP) on the virtual router on all gateways and satellites. In
addition, as part of the OSPF configuration on each gateway, you must manually define the tunnel IP
address of each satellite as an OSPF neighbor. Similarly, on each satellite, you must manually define the
tunnel IP address of each gateway as an OSPF neighbor.
Although dynamic routing requires additional setup during the initial configuration of the LSVPN, it reduces
the maintenance tasks associated with keeping routes up to date as topology changes occur on your
network.
The following figure shows an LSVPN dynamic routing configuration. This example shows how to configure
OSPF as the dynamic routing protocol for the VPN.
For a basic setup of a LSVPN, follow the steps in Basic LSVPN Configuration with Static Routing. You can
then complete the steps in the following workflow to extend the configuration to use dynamic routing rather
than static routing.
Quick Config: LSVPN with Dynamic Routing
InterfaceDeployments
APaloAltoNetworksfirewallcanoperateinmultipledeploymentsatoncebecausethedeploymentsoccur
attheinterfacelevel.Thefollowingsectionsdescribethesupporteddeployments.
VirtualWireDeployments
Layer2Deployments
Layer3Deployments
TapModeDeployments
VirtualWireDeployments
Inavirtualwiredeployment,thefirewallisinstalledtransparentlyonanetworksegmentbybindingtwo
portstogetherandshouldbeusedonlywhennoswitchingorroutingisneeded.
Avirtualwiredeploymentallowsthefollowingconveniences:
Simplifiesinstallationandconfiguration.
Doesnotrequireanyconfigurationchangestosurroundingoradjacentnetworkdevices.
Thevirtualwiredeploymentshippedasthefactorydefaultconfiguration(defaultvwire)bindstogether
Ethernetports1and2andallowsalluntaggedtraffic.Youcan,however,useavirtualwiretoconnectany
twoportsandconfigureittoblockorallowtrafficbasedonthevirtualLAN(VLAN)tags;theVLANtag0
indicatesuntaggedtraffic.Youcanalsocreatemultiplesubinterfaces,addthemintodifferentzonesandthen
classifytrafficaccordingtoaVLANtag,oracombinationofaVLANtagwithIPclassifiers(address,range,
orsubnet)toapplygranularpolicycontrolforspecificVLANtagsorforVLANtagsfromaspecificsourceIP
address,range,orsubnet.
Figure:VirtualWireDeployment
Virtual Wire Subinterfaces
Virtual wire subinterfaces provide flexibility in enforcing distinct policies when you need to manage traffic from multiple customer networks. They allow you to separate and classify traffic into different zones (the zones can belong to separate virtual systems, if required) using the following criteria:
- VLAN tags: The example in Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) shows an Internet Service Provider (ISP) using virtual wire subinterfaces with VLAN tags to separate traffic for two different customers.
- VLAN tags in conjunction with IP classifiers (address, range, or subnet): The following example shows an ISP with two separate virtual systems on a firewall that manages traffic from two different customers. On each virtual system, the example illustrates how virtual wire subinterfaces with VLAN tags and IP classifiers are used to classify traffic into separate zones and apply relevant policy for customers from each network.
Virtual Wire Subinterface Workflow
Step 1: Configure two Ethernet interfaces as type virtual wire, and assign these interfaces to a virtual wire.
Step 2: Create subinterfaces on the parent virtual wire to separate Customer A and Customer B traffic. Make sure that the VLAN tags defined on each pair of subinterfaces that are configured as virtual wire(s) are identical. This is essential because a virtual wire does not switch VLAN tags.
Step 3: Create new subinterfaces and define IP classifiers. This task is optional and only required if you wish to add additional subinterfaces with IP classifiers for further managing traffic from a customer based on the combination of VLAN tags and a specific source IP address, range or subnet.
You can also use IP classifiers for managing untagged traffic. To do so, you must create a subinterface with the VLAN tag 0, and then define subinterface(s) with IP classifiers for managing the untagged traffic.
IP classification may only be used on the subinterfaces associated with one side of the virtual wire. The subinterfaces defined on the corresponding side of the virtual wire must use the same VLAN tag, but must not include an IP classifier.
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only)
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) depicts Customer A and Customer B connected to the firewall through one physical interface, ethernet1/1, configured as a virtual wire; it is the ingress interface. A second physical interface, ethernet1/2, is also part of the virtual wire; it is the egress interface that provides access to the Internet. For Customer A, you also have subinterfaces ethernet1/1.1 (ingress) and ethernet1/2.1 (egress). For Customer B, you have the subinterface ethernet1/1.2 (ingress) and ethernet1/2.2 (egress). When configuring the subinterfaces, you must assign the appropriate VLAN tag and zone in order to apply policies for each customer. In this example, the policies for Customer A are created between Zone1 and Zone2, and policies for Customer B are created between Zone3 and Zone4.
When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this example, a single subinterface matches the VLAN tag on the incoming packet, hence that subinterface is selected. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.
The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers) depicts Customer A and Customer B connected to one physical firewall that has two virtual systems (vsys), in addition to the default virtual system (vsys1). Each virtual system is an independent virtual firewall that is managed separately for each customer. Each vsys has attached interfaces/subinterfaces and security zones that are managed independently.
Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers)
Vsys1 is set up to use the physical interfaces ethernet1/1 and ethernet1/2 as a virtual wire; ethernet1/1 is the ingress interface and ethernet1/2 is the egress interface that provides access to the Internet. This virtual wire is configured to accept all tagged and untagged traffic with the exception of VLAN tags 100 and 200, which are assigned to the subinterfaces.
Customer A is managed on vsys2 and Customer B is managed on vsys3. On vsys2 and vsys3, the following vwire subinterfaces are created with the appropriate VLAN tags and zones to enforce policy measures.
When traffic enters the firewall from Customer A or Customer B, the VLAN tag on the incoming packet is first matched against the VLAN tag defined on the ingress subinterfaces. In this case, for Customer A, there are multiple subinterfaces that use the same VLAN tag. Hence, the firewall first narrows the classification to a subinterface based on the source IP address in the packet. The policies defined for the zone are evaluated and applied before the packet exits from the corresponding subinterface.
For return path traffic, the firewall compares the destination IP address with the IP classifier defined on the customer-facing subinterface and selects the appropriate virtual wire to route traffic through the correct subinterface.
The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface. Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface (Network > Virtual Wires) are not included on a subinterface.
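The selection rules described above (VLAN tag match first, then narrowing by source IP on the ingress side, and destination IP against the customer-facing classifier on the return path), modelled as an added example. This is not PAN-OS code and not taken from the guide; the interface names, zones, VLAN tags, subnets, and the fallback to a classifier-less subinterface when no classifier matches are constructed assumptions of the model. The validation in the constructor enforces the three constraints the text states: paired subinterfaces share a tag, classifiers sit on one side only, and no subinterface tag appears on the parent's Tag Allowed list.

```python
"""Virtual wire subinterface selection by VLAN tag and IP classifier (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Subif:
    name: str                          # e.g. "ethernet1/1.1" (constructed sample name)
    zone: str
    vlan_tag: int                      # 0 means untagged traffic
    classifier: Optional[str] = None   # IP classifier as a subnet; customer side only


class VirtualWire:
    """One parent virtual wire with (customer-side, Internet-side) subinterface pairs."""

    def __init__(self, tag_allowed: List[int], pairs: List[Tuple[Subif, Subif]]):
        self.tag_allowed = set(tag_allowed)
        self.pairs = pairs
        self.validate()

    def validate(self) -> None:
        for cust, inet in self.pairs:
            # A virtual wire does not switch VLAN tags: both ends of a pair share one tag.
            if cust.vlan_tag != inet.vlan_tag:
                raise ValueError(f"{cust.name}/{inet.name}: VLAN tags differ")
            # IP classifiers may be used on one side of the wire only.
            if inet.classifier is not None:
                raise ValueError(f"{inet.name}: IP classifier on the wrong side of the wire")
            # A tag on the parent's Tag Allowed list must not also be on a subinterface.
            if cust.vlan_tag in self.tag_allowed:
                raise ValueError(f"{cust.name}: tag {cust.vlan_tag} also on parent Tag Allowed list")

    @staticmethod
    def _best_classifier_match(candidates, ip: str):
        """Among pairs whose customer-side classifier contains ip, pick the most specific."""
        addr = ipaddress.ip_address(ip)
        best, best_len = None, -1
        for cust, inet in candidates:
            if cust.classifier is None:
                continue
            net = ipaddress.ip_network(cust.classifier)
            if addr in net and net.prefixlen > best_len:
                best, best_len = (cust, inet), net.prefixlen
        return best

    def _select(self, candidates, ip: str):
        if len(candidates) == 1:          # a single tag match is selected outright
            return candidates[0]
        match = self._best_classifier_match(candidates, ip)
        if match is not None:
            return match
        # Assumption: with no classifier match, fall back to a classifier-less
        # subinterface carrying the same tag; otherwise nothing is selected.
        for cust, inet in candidates:
            if cust.classifier is None:
                return (cust, inet)
        return None

    def classify_ingress(self, vlan_tag: int, src_ip: str):
        """Customer -> Internet: returns (ingress subif, egress subif) names or None."""
        candidates = [p for p in self.pairs if p[0].vlan_tag == vlan_tag]
        match = self._select(candidates, src_ip)
        return None if match is None else (match[0].name, match[1].name)

    def classify_return(self, vlan_tag: int, dst_ip: str):
        """Internet -> customer: the destination IP is compared with the customer-side classifier."""
        candidates = [p for p in self.pairs if p[1].vlan_tag == vlan_tag]
        match = self._select(candidates, dst_ip)
        return None if match is None else (match[1].name, match[0].name)


def example_wire() -> VirtualWire:
    """Customer A on VLAN 100 split by source subnet; Customer B on VLAN 200 (constructed)."""
    return VirtualWire(
        tag_allowed=[0],   # the parent wire carries untagged traffic itself
        pairs=[
            (Subif("ethernet1/1.1", "CustA-Site1", 100, "10.1.1.0/24"),
             Subif("ethernet1/2.1", "CustA-Internet", 100)),
            (Subif("ethernet1/1.2", "CustA-Site2", 100, "10.1.2.0/24"),
             Subif("ethernet1/2.2", "CustA-Internet", 100)),
            (Subif("ethernet1/1.3", "CustB", 200),
             Subif("ethernet1/2.3", "CustB-Internet", 200)),
        ],
    )


def tag_clash_is_rejected() -> bool:
    """True when a subinterface tag that is also on the parent Tag Allowed list is refused."""
    try:
        VirtualWire([100], [(Subif("ethernet1/1.9", "Z1", 100), Subif("ethernet1/2.9", "Z2", 100))])
    except ValueError:
        return True
    return False
```

Run the constructed wire through a few packets: a VLAN 100 packet from 10.1.2.7 lands on ethernet1/1.2, the same tag from an address outside both classifiers selects nothing, and the return path for 10.1.1.20 picks the ethernet1/2.1 and ethernet1/1.1 pair.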
Layer 2 Deployments
In a Layer 2 deployment, the firewall provides switching between two or more networks. You must assign a group of interfaces to a VLAN object in order for the firewall to switch between them. The firewall performs VLAN tag switching when Layer 2 subinterfaces are attached to a common VLAN object. Choose this option when switching is required.
Figure: Layer 2 Deployment
In a Layer 2 deployment, the firewall rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards it out. The firewall rewrites such BPDUs on Layer 2 Ethernet and Aggregated Ethernet (AE) interfaces only.
The Cisco switch must have loop guard disabled for the PVST+ or Rapid PVST+ BPDU rewrite to function properly on the firewall.
Layer 3 Deployments
In a Layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires that you assign an IP address to each interface and configure virtual routers to route the traffic. Choose this option when routing is required.
Figure: Layer 3 Deployment
The following Layer 3 interface deployments are also supported:
- Point-to-Point Protocol over Ethernet Support
- DHCP Client
Point-to-Point Protocol over Ethernet Support
You can configure the firewall to be a Point-to-Point Protocol over Ethernet (PPPoE) termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection.
You can choose the PPPoE option and configure the associated settings when an interface is defined as a Layer 3 interface.
PPPoE is not supported in HA active/active mode.
DHCP Client
You can configure the firewall interface to act as a DHCP client and receive a dynamically assigned IP address. The firewall also provides the capability to propagate settings received by the DHCP client interface into a DHCP server operating on the firewall. This is most commonly used to propagate DNS server settings from an Internet service provider to client machines operating on the network protected by the firewall.
DHCP client is not supported in HA active/active mode.
For more information, see DHCP.
Tap Mode Deployments
A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.
The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.
When deployed in tap mode, the firewall is not able to take action, such as block traffic or apply QoS traffic control.
Configure an Aggregate Interface Group
An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An aggregate group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue supporting traffic.
By default, interface failure detection is automatic only at the physical layer between directly connected peers. However, if you enable Link Aggregation Control Protocol (LACP), failure detection is automatic at the physical and data link layers regardless of whether the peers are directly connected. LACP also enables automatic failover to standby interfaces if you configured hot spares. All Palo Alto Networks firewalls except the PA-200 and VM-Series platforms support aggregate groups. You can add up to eight aggregate groups per firewall and each group can have up to eight interfaces.
Before configuring an aggregate group, you must configure its interfaces. All the interfaces in an aggregate group must be the same with respect to bandwidth and interface type. The options are:
- Bandwidth: 1Gbps or 10Gbps
- Interface type: HA3, virtual wire, Layer 2, or Layer 3. You can aggregate the HA3 (packet forwarding) interfaces in an active/active high availability (HA) deployment but only for PA-500, PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls.
This procedure describes configuration steps only for the Palo Alto Networks firewall. You must also configure the aggregate group on the peer device. Refer to the documentation of that device for instructions.
Configure an Aggregate Interface Group
Use Interface Management Profiles to Restrict Access
An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall interface permits for management traffic. For example, you might want to prevent users from accessing the firewall web interface over the ethernet1/1 interface but allow that interface to receive SNMP queries from your network monitoring system. In this case, you would enable SNMP and disable HTTP/HTTPS in an Interface Management profile and assign the profile to ethernet1/1.
You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). If you do not assign an Interface Management profile to an interface, it denies access for all IP addresses, protocols, and services by default.
The management (MGT) interface does not require an Interface Management profile. You restrict protocols, services, and IP addresses for the MGT interface when you Perform Initial Configuration of the firewall. In case the MGT interface goes down, allowing management access over another interface enables you to continue managing the firewall. However, as a best practice, use additional methods besides Interface Management profiles to prevent unauthorized access over that interface. These methods include role-based access control and access restrictions based on VLANs, virtual routers, or virtual systems.
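How the profile-plus-assignment model above decides a management request, as an added example rather than PAN-OS code: an interface with no profile denies everything, an assigned profile must list the service and (when it carries a permitted-IP list) the source address. Profile names, interfaces, service names and addresses are constructed, and the rule that an empty permitted-IP list means any source is an assumption of this model. The audit function is the check a reviewer would want when reading a configuration: which interfaces permit cleartext management protocols or have no source restriction.

```python
"""Interface Management profile evaluation and audit (added example, not PAN-OS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

CLEARTEXT_SERVICES = {"http", "telnet"}   # credentials travel unprotected over these


@dataclass(frozen=True)
class InterfaceMgmtProfile:
    name: str
    services: FrozenSet[str]              # e.g. {"https", "ssh", "snmp", "ping"} (constructed names)
    permitted_ips: Tuple[str, ...] = ()   # source addresses/subnets; () = any source (assumption)

    def permits_source(self, src_ip: str) -> bool:
        if not self.permitted_ips:
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(p, strict=False) for p in self.permitted_ips)


class DataplaneInterfaces:
    """Tracks which profile, if any, is assigned to each Layer 3 or logical interface."""

    def __init__(self) -> None:
        self.assigned: Dict[str, InterfaceMgmtProfile] = {}

    def assign(self, interface: str, profile: InterfaceMgmtProfile) -> None:
        self.assigned[interface] = profile

    def management_allowed(self, interface: str, service: str, src_ip: str) -> bool:
        profile = self.assigned.get(interface)
        if profile is None:
            return False          # no profile: the interface denies all management access
        if service not in profile.services:
            return False
        return profile.permits_source(src_ip)

    def audit(self) -> List[str]:
        """Findings worth raising: cleartext services, or management open to any source."""
        findings = []
        for iface, prof in sorted(self.assigned.items()):
            weak = sorted(prof.services & CLEARTEXT_SERVICES)
            if weak:
                findings.append(f"{iface}: profile {prof.name} permits cleartext {', '.join(weak)}")
            if not prof.permitted_ips and prof.services - {"ping"}:
                findings.append(f"{iface}: profile {prof.name} has no permitted IP restriction")
        return findings


def example_firewall() -> DataplaneInterfaces:
    """Constructed configuration: one tight profile, one permissive one, one bare interface."""
    fw = DataplaneInterfaces()
    # ethernet1/1 answers SNMP from the monitoring subnet only; no web interface here
    fw.assign("ethernet1/1", InterfaceMgmtProfile("snmp-only", frozenset({"snmp"}), ("10.0.5.0/24",)))
    # ethernet1/3 was left with a permissive profile; the audit should flag it twice
    fw.assign("ethernet1/3", InterfaceMgmtProfile("legacy-mgmt", frozenset({"http", "https", "ssh"})))
    # ethernet1/2 has no profile at all and therefore denies everything
    return fw
```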
Configure and Assign an Interface Management Profile
Virtual Routers
The firewall uses virtual routers to obtain routes to other subnets by manually defining a route (static routes) or through participation in Layer 3 routing protocols (dynamic routes). The best routes obtained through these methods are used to populate the firewall's IP route table. When a packet is destined for a different subnet, the virtual router obtains the best route from this IP route table and forwards the packet to the next hop router defined in the table.
The Ethernet interfaces and VLAN interfaces defined on the firewall receive and forward the Layer 3 traffic. The destination zone is derived from the outgoing interface based on the forwarding criteria, and policy rules are consulted to identify the security policies to be applied. In addition to routing to other network devices, virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to another virtual router.
You can configure the virtual router to participate in dynamic routing protocols (BGP, OSPF, or RIP) as well as add static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that are not shared between virtual routers, enabling you to configure different routing behaviors for different interfaces.
Each Layer 3 interface, loopback interface, and VLAN interface defined on the firewall must be associated with a virtual router. While each interface can belong to only one virtual router, multiple routing protocols and static routes can be configured for a virtual router. Regardless of the static routes and dynamic routing protocols configured for a virtual router, a common general configuration is required. The firewall uses Ethernet switching to reach other devices on the same IP subnet.
The following Layer 3 routing protocols are supported on virtual routers:
- RIP
- OSPF
- OSPFv3
- BGP
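A model of the route lookup the text describes, as an added example that is not PAN-OS code: each virtual router keeps its own route table, the most specific prefix wins (lowest metric breaks ties), and a next hop may point at another virtual router on the same firewall, in which case the lookup continues there. Virtual router names, prefixes, interfaces and next hops are constructed; the "vr:<name>" next-hop notation and the loop guard that refuses to forward when two virtual routers point at each other are assumptions of this model.

```python
"""Longest-prefix lookup across virtual routers (added example, not PAN-OS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: Optional[str]    # egress interface, or None when the next hop is another VR
    next_hop: Optional[str]     # IP next hop, "vr:<name>" for another virtual router, None = connected
    metric: int = 10


class VirtualRouter:
    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Route] = []

    def add_route(self, prefix: str, interface: Optional[str] = None,
                  next_hop: Optional[str] = None, metric: int = 10) -> None:
        self.routes.append(Route(prefix, interface, next_hop, metric))

    def best_route(self, dst_ip: str) -> Optional[Route]:
        """Most specific prefix wins; the lowest metric breaks ties between equal prefixes."""
        addr = ipaddress.ip_address(dst_ip)
        best_len, best = -1, None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix, strict=False)
            if addr not in net:
                continue
            if net.prefixlen > best_len or (net.prefixlen == best_len and r.metric < best.metric):
                best_len, best = net.prefixlen, r
        return best


class RoutingEngine:
    """All virtual routers of one firewall; resolves VR-to-VR next hops."""

    def __init__(self) -> None:
        self.vrs: Dict[str, VirtualRouter] = {}

    def add_vr(self, vr: VirtualRouter) -> None:
        self.vrs[vr.name] = vr

    def forward(self, vr_name: str, dst_ip: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
        """Returns (virtual router, egress interface, next hop), or None when unroutable."""
        visited = set()
        while vr_name not in visited:
            visited.add(vr_name)
            route = self.vrs[vr_name].best_route(dst_ip)
            if route is None:
                return None                       # no matching route at all
            if route.next_hop and route.next_hop.startswith("vr:"):
                vr_name = route.next_hop[3:]      # continue the lookup in the other VR
                continue
            return (vr_name, route.interface, route.next_hop)
        return None   # the VRs point at each other for this destination: refuse to loop


def example_engine() -> RoutingEngine:
    """Constructed two-VR layout: 'untrust' holds the default route, 'trust' the inside subnets."""
    untrust = VirtualRouter("untrust")
    untrust.add_route("0.0.0.0/0", "ethernet1/1", "203.0.113.1")
    untrust.add_route("10.0.0.0/8", next_hop="vr:trust")
    trust = VirtualRouter("trust")
    trust.add_route("10.1.5.0/24", "ethernet1/3")                              # connected
    trust.add_route("10.2.0.0/16", "ethernet1/3", "10.1.5.254", metric=10)     # preferred
    trust.add_route("10.2.0.0/16", "ethernet1/3", "10.1.5.253", metric=20)     # backup
    trust.add_route("0.0.0.0/0", next_hop="vr:untrust")
    engine = RoutingEngine()
    engine.add_vr(untrust)
    engine.add_vr(trust)
    return engine
```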
Define a Virtual Router General Configuration
Static Routes
The following procedure shows how to integrate the firewall into the network using static routing.
Set Up Interfaces and Zones
RIP
Routing Information Protocol (RIP) is an interior gateway protocol (IGP) that was designed for small IP networks. RIP relies on hop count to determine routes; the best routes have the fewest number of hops. RIP is based on UDP and uses port 520 for route updates. By limiting routes to a maximum of 15 hops, the protocol helps prevent the development of routing loops, but also limits the supported network size. If more than 15 hops are required, traffic is not routed. RIP also can take longer to converge than OSPF and other routing protocols. The firewall supports RIPv2.
Perform the following procedure to configure RIP.
Configure RIP
OSPF
Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) that is most often used to dynamically manage network routes in large enterprise networks. It determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The information gathered from the LSAs is used to construct a topology map of the network. This topology map is shared across routers in the network and used to populate the IP routing table with available routes.
Changes in the network topology are detected dynamically and used to generate a new topology map within seconds. A shortest path tree is computed for each route. Metrics associated with each routing interface are used to calculate the best route. These can include distance, network throughput, link availability, etc. Additionally, these metrics can be configured statically to direct the outcome of the OSPF topology map.
The Palo Alto Networks implementation of OSPF fully supports the following RFCs:
- RFC 2328 (for IPv4)
- RFC 5340 (for IPv6)
The following topics provide more information about OSPF and procedures for configuring OSPF on the firewall:
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation
Also refer to the How to Configure OSPF TechNote.
OSPF Concepts
The following topics introduce the OSPF concepts you will need to understand in order to configure the firewall to participate in an OSPF network:
- OSPFv3
- OSPF Neighbors
- OSPF Areas
- OSPF Router Types
OSPFv3
OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support for IPv6 addresses and prefixes. It retains most of the structure and functions in OSPFv2 (for IPv4) with some minor changes. The following are some of the additions and changes to OSPFv3:
- Support for multiple instances per link: With OSPFv3, you can run multiple instances of the OSPF protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface that is assigned to an instance ID drops packets that contain a different ID.
- Protocol processing per link: OSPFv3 operates per link instead of per IP subnet as in OSPFv2.
- Changes to addressing: IPv6 addresses are not present in OSPFv3 packets, except for LSA payloads within link state update packets. Neighboring routers are identified by the Router ID.
- Authentication changes: OSPFv3 doesn't include any authentication capabilities. Configuring OSPFv3 on a firewall requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6 Authentication Header (AH). The rekeying procedure specified in RFC 4552 is not supported in this release.
- Support for multiple instances per link: Each instance corresponds to an instance ID contained in the OSPFv3 packet header.
- New LSA types: OSPFv3 supports two new LSA types: Link LSA and Intra-Area Prefix LSA.
All additional changes are described in detail in RFC 5340.
OSPF Neighbors
Two OSPF-enabled routers connected by a common network and in the same OSPF area that form a relationship are OSPF neighbors. The connection between these routers can be through a common broadcast domain or by a point-to-point connection. This connection is made through the exchange of hello OSPF protocol packets. These neighbor relationships are used to exchange routing updates between routers.
OSPF Areas
OSPF operates within a single autonomous system (AS). Networks within this single AS, however, can be divided into a number of areas. By default, Area 0 is created. Area 0 can either function alone or act as the OSPF backbone for a larger number of areas. Each OSPF area is named using a 32-bit identifier which in most cases is written in the same dotted decimal notation as an IPv4 address. For example, Area 0 is usually written as 0.0.0.0.
The topology of an area is maintained in its own link state database and is hidden from other areas, which reduces the amount of traffic routing required by OSPF. The topology is then shared in a summarized form between areas by a connecting router.
OSPF Area Type | Description
Backbone Area | The backbone area (Area 0) is the core of an OSPF network. All other areas are connected to it and all traffic between areas must traverse it. All routing between areas is distributed through the backbone area. While all other OSPF areas must connect to the backbone area, this connection doesn't need to be direct and can be made through a virtual link.
Normal OSPF Area | In a normal OSPF area there are no restrictions; the area can carry all types of routes.
Stub OSPF Area | A stub area does not receive routes from other autonomous systems. Routing from the stub area is performed through the default route to the backbone area.
NSSA Area | The Not So Stubby Area (NSSA) is a type of stub area that can import external routes, with some limited exceptions.
OSPF Router Types
Within an OSPF area, routers are divided into the following categories:
- Internal Router: A router that has OSPF neighbor relationships only with devices in the same area.
- Area Border Router (ABR): A router that has OSPF neighbor relationships with devices in multiple areas. ABRs gather topology information from their attached areas and distribute it to the backbone area.
- Backbone Router: A backbone router is any OSPF router that is attached to the OSPF backbone. Since ABRs are always connected to the backbone, they are always classified as backbone routers.
- Autonomous System Boundary Router (ASBR): An ASBR is a router that attaches to more than one routing protocol and exchanges routing information between them.
Configure OSPF
OSPF determines routes dynamically by obtaining information from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The router keeps information about the links between it and the destination and can make highly efficient routing decisions. A cost is assigned to each router interface, and the best routes are determined to be those with the lowest costs, when summed over all the encountered outbound router interfaces and the interface receiving the LSA.
Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs. Because OSPF dynamically processes a considerable amount of route information, it has greater processor and memory requirements than does RIP.
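The cost model just described, carried through as an added example (not PAN-OS code and not from the guide): the link-state view of one area is a map of per-interface outbound costs, Dijkstra computes the lowest-cost path from the local router ID, and removing a link and recomputing shows how a detected topology change moves the next hop. Router IDs, links and costs are constructed sample values; the asymmetric link costs are there to show that cost is a property of the outbound interface, not of the link.

```python
"""OSPF shortest-path computation over interface costs (added example, not PAN-OS code)."""
import heapq
from typing import Dict, List, Optional, Tuple

# Link-state view of one area: router-id -> {neighbor-id: cost of the outbound interface}
Topology = Dict[str, Dict[str, int]]


def add_link(topo: Topology, a: str, b: str, cost_ab: int, cost_ba: Optional[int] = None) -> None:
    """Costs are per outbound interface, so the two directions may differ."""
    topo.setdefault(a, {})[b] = cost_ab
    topo.setdefault(b, {})[a] = cost_ab if cost_ba is None else cost_ba


def fail_link(topo: Topology, a: str, b: str) -> None:
    """Remove both directions of a link, as a detected topology change would."""
    topo.get(a, {}).pop(b, None)
    topo.get(b, {}).pop(a, None)


def shortest_path_tree(topo: Topology, root: str) -> Dict[str, Tuple[int, List[str]]]:
    """Dijkstra from root: destination -> (total cost, path of router IDs from root)."""
    dist: Dict[str, int] = {root: 0}
    prev: Dict[str, str] = {}
    heap = [(0, root)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, cost in topo.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    tree = {}
    for node, d in dist.items():
        path = [node]
        while path[-1] != root:
            path.append(prev[path[-1]])
        tree[node] = (d, path[::-1])
    return tree


def next_hop(topo: Topology, root: str, dst: str) -> Optional[str]:
    """The neighbor the root forwards through to reach dst, or None if unreachable."""
    tree = shortest_path_tree(topo, root)
    if dst == root or dst not in tree:
        return None
    return tree[dst][1][1]


def example_topology() -> Topology:
    """Four routers (constructed IDs); the cheap path to 4.4.4.4 runs via 3.3.3.3 and 2.2.2.2."""
    topo: Topology = {}
    add_link(topo, "1.1.1.1", "2.2.2.2", 10)
    add_link(topo, "1.1.1.1", "3.3.3.3", 1)
    add_link(topo, "3.3.3.3", "2.2.2.2", 1)
    add_link(topo, "2.2.2.2", "4.4.4.4", 5)
    add_link(topo, "3.3.3.3", "4.4.4.4", 50, cost_ba=1)   # expensive one way, cheap the other
    return topo
```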
Configure OSPF
Configure OSPFv3
AH OSPFv3 authentication
1. On the Auth Profiles tab, click Add.
2. Enter a name for the authentication profile to authenticate OSPFv3 messages.
3. Specify a Security Policy Index (SPI). The SPI must match between both ends of the OSPFv3 adjacency. The SPI number must be a hexadecimal value between 00000000 and FFFFFFFF.
4. Select AH for Protocol.
5. Select a Crypto Algorithm from the drop-down. You must enter one of the following algorithms: SHA1, SHA256, SHA384, SHA512 or MD5.
6. Enter a value for Key and then confirm.
7. Click OK.
8. Click OK again in the Virtual Router - OSPF Auth Profile dialog.
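What the SPI, crypto algorithm and key in that profile buy you, shown as an added example that is not PAN-OS code: a keyed integrity check over each OSPFv3 message in which the receiver first matches the SPI and then verifies the HMAC computed with the shared key. This is a simplified model: real AH computes its integrity check value over immutable IPv6 header fields as well as the payload, and the wire layout below (SPI, then ICV, then message) is this example's own, not the AH header format. Profile names, keys and the message bytes are constructed.

```python
"""Keyed integrity check modelled on the OSPFv3 AH auth profile (added example, not PAN-OS code)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# The algorithms the profile offers, mapped to the digest used for the HMAC.
CRYPTO_ALGORITHMS = {
    "SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA384": hashlib.sha384,
    "SHA512": hashlib.sha512, "MD5": hashlib.md5,
}


def parse_spi(text: str) -> int:
    """The SPI is a hexadecimal value between 00000000 and FFFFFFFF."""
    if not 1 <= len(text) <= 8:
        raise ValueError("SPI must be 1 to 8 hex digits")
    return int(text, 16)          # raises ValueError on non-hex input


def spi_is_valid(text: str) -> bool:
    try:
        parse_spi(text)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class AuthProfile:
    name: str
    spi: int
    crypto_algorithm: str
    key: bytes

    def __post_init__(self) -> None:
        if self.crypto_algorithm not in CRYPTO_ALGORITHMS:
            raise ValueError(f"unsupported algorithm {self.crypto_algorithm}")
        if not 0 <= self.spi <= 0xFFFFFFFF:
            raise ValueError("SPI out of range")

    def _icv(self, payload: bytes) -> bytes:
        digestmod = CRYPTO_ALGORITHMS[self.crypto_algorithm]
        return hmac.new(self.key, struct.pack("!I", self.spi) + payload, digestmod).digest()

    def protect(self, ospf_message: bytes) -> bytes:
        """Sender side: emit SPI || ICV || message (this example's layout, not the AH header)."""
        return struct.pack("!I", self.spi) + self._icv(ospf_message) + ospf_message

    def verify(self, wire: bytes) -> Optional[bytes]:
        """Receiver side: the message if the SPI matches and the ICV verifies, else None."""
        if len(wire) < 4:
            return None
        (spi,) = struct.unpack("!I", wire[:4])
        if spi != self.spi:
            return None            # the SPI must match between both ends of the adjacency
        icv_len = CRYPTO_ALGORITHMS[self.crypto_algorithm]().digest_size
        icv, message = wire[4:4 + icv_len], wire[4 + icv_len:]
        if len(icv) != icv_len or not hmac.compare_digest(icv, self._icv(message)):
            return None            # wrong key or modified message
        return message


def make_profile(name: str, spi_text: str, algorithm: str, key: bytes) -> AuthProfile:
    """Build a profile from the values as typed into the dialog above."""
    return AuthProfile(name, parse_spi(spi_text), algorithm, key)
```

Both ends of the adjacency need the same SPI, algorithm and key; a peer with a different SPI rejects the message before looking at the ICV, and a peer with a different key or a modified message rejects it at the ICV comparison. Where both peers support it, SHA256 or stronger is the sensible choice from the list; MD5 and SHA1 are there for interoperability with older equipment.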
Configure OSPF Graceful Restart
OSPF Graceful Restart directs OSPF neighbors to continue using routes through a device during a short transition when it is out of service. This behavior increases network stability by reducing the frequency of routing table reconfiguration and the related route flapping that can occur during short periodic downtimes.
For a Palo Alto Networks firewall, OSPF Graceful Restart involves the following operations:
- Firewall as a restarting device: In a situation where the firewall will be down for a short period of time or is unavailable for short intervals, it sends Grace LSAs to its OSPF neighbors. The neighbors must be configured to run in Graceful Restart Helper mode. In Helper mode, the neighbors receive the Grace LSAs that inform them that the firewall will perform a graceful restart within a specified period of time defined as the Grace Period. During the grace period, the neighbor continues to forward routes through the firewall and to send LSAs that announce routes through the firewall. If the firewall resumes operation before expiration of the grace period, traffic forwarding will continue as before without network disruption. If the firewall does not resume operation after the grace period has expired, the neighbors will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the firewall.
- Firewall as a Graceful Restart Helper: In a situation where neighboring routers may be down for short periods of time, the firewall can be configured to operate in Graceful Restart Helper mode. If configured in this mode, the firewall will be configured with a Max Neighbor Restart Time. When the firewall receives the Grace LSAs from its OSPF neighbor, it will continue to route traffic to the neighbor and advertise routes through the neighbor until either the grace period or the max neighbor restart time expires. If neither expires before the neighbor returns to service, traffic forwarding continues as before without network disruption. If either period expires before the neighbor returns to service, the firewall will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the neighbor.
Configure OSPF Graceful Restart
3. Verify that the following are selected (they are enabled by default):
- Enable Graceful Restart
- Enable Helper Mode
- Enable Strict LSA checking
These should remain selected unless your topology requires otherwise.
4. Configure a Grace Period in seconds.
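The helper-side timing from the two operations above, as an added example that is not PAN-OS code: on a Grace LSA the helper keeps routing through the neighbor until the grace period or the Max Neighbor Restart Time expires, whichever comes first; a neighbor that returns in time causes no disruption, one that does not is routed around. The effect of Strict LSA checking (a topology change ends the helper role for that neighbor) follows RFC 3623, which the guide does not spell out. Neighbor IDs and the second-based clock are constructed.

```python
"""OSPF Graceful Restart helper-mode timing (added example, not PAN-OS code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HelperEntry:
    neighbor: str
    deadline: float      # absolute time at which the helper stops honouring the restart


class GracefulRestartHelper:
    def __init__(self, max_neighbor_restart_time: float, strict_lsa_checking: bool = True) -> None:
        self.max_neighbor_restart_time = max_neighbor_restart_time
        self.strict_lsa_checking = strict_lsa_checking
        self.helping: Dict[str, HelperEntry] = {}
        self.log: List[str] = []

    def on_grace_lsa(self, neighbor: str, now: float, grace_period: float) -> float:
        """Help until the grace period or the max neighbor restart time expires, whichever is first."""
        deadline = now + min(grace_period, self.max_neighbor_restart_time)
        self.helping[neighbor] = HelperEntry(neighbor, deadline)
        self.log.append(f"{now}: helping {neighbor} until {deadline}")
        return deadline

    def expire(self, now: float) -> List[str]:
        """Neighbors whose period has expired: exit helper mode and reroute around them."""
        expired = [n for n, e in self.helping.items() if e.deadline <= now]
        for n in expired:
            del self.helping[n]
            self.log.append(f"{now}: {n} did not return in time; routing table reconfigured to bypass it")
        return expired

    def on_neighbor_restored(self, neighbor: str, now: float) -> str:
        self.expire(now)
        if neighbor in self.helping:
            del self.helping[neighbor]
            return "forwarding continued without disruption"
        return "neighbor re-converges after reroute"

    def on_topology_change(self, neighbor: str, now: float) -> bool:
        """With strict LSA checking (RFC 3623), a topology change ends the helper role."""
        if self.strict_lsa_checking and neighbor in self.helping:
            del self.helping[neighbor]
            self.log.append(f"{now}: topology changed; stopped helping {neighbor}")
            return True
        return False

    def is_helping(self, neighbor: str, now: float) -> bool:
        self.expire(now)
        return neighbor in self.helping
```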
Confirm OSPF Operation
Once an OSPF configuration has been committed, you can use any of the following operations to confirm that OSPF is operating:
- View the Routing Table
- Confirm OSPF Adjacencies
- Confirm that OSPF Connections are Established
View the Routing Table
By viewing the routing table, you can see whether OSPF routes have been established. The routing table is accessible from either the web interface or the CLI. If you are using the CLI, use the following commands:
show routing route
show routing fib
The following procedure describes how to use the web interface to view the routing table.
View the Routing Table
Confirm OSPF Adjacencies
By viewing the Neighbor tab as described in the following procedure, you can confirm that OSPF adjacencies have been established.
View the Neighbor Tab to Confirm OSPF Adjacencies
Confirm that OSPF Connections are Established
By viewing the system log, you can confirm that OSPF connections have been established, as described in the following procedure:
Examine the System Log
BGP
Border Gateway Protocol (BGP) is the primary Internet routing protocol. BGP determines network reachability based on IP prefixes that are available within autonomous systems (AS), where an AS is a set of IP prefixes that a network provider has designated to be part of a single routing policy.
In the routing process, connections are established between BGP peers (or neighbors). If a route is permitted by the policy, it is stored in the routing information base (RIB). Each time the local firewall RIB is updated, the firewall determines the optimal routes and sends an update to the external RIB, if export is enabled.
Conditional advertisement is used to control how BGP routes are advertised. The BGP routes must satisfy conditional advertisement rules before being advertised to peers.
BGP supports the specification of aggregates, which combine multiple routes into a single route. During the aggregation process, the first step is to find the corresponding aggregation rule by performing a longest match that compares the incoming route with the prefix values for other aggregation rules.
For more information on BGP, refer to the How to Configure BGP TechNote.
The firewall provides a complete BGP implementation, which includes the following features:
- Specification of one BGP routing instance per virtual router.
- Routing policies based on route map to control import, export and advertisement, prefix-based filtering, and address aggregation.
- Advanced BGP features that include route reflector, AS confederation, route flap dampening, and graceful restart.
- IGP-BGP interaction to inject routes to BGP using redistribution profiles.
BGP configuration consists of the following elements:
- Per-routing-instance settings, which include basic parameters such as local route ID and local AS and advanced options such as path selection, route reflector, AS confederation, route flap, and dampening profiles.
- Authentication profiles, which specify the MD5 authentication key for BGP connections.
- Peer group and neighbor settings, which include neighbor address and remote AS and advanced options such as neighbor attributes and connections.
- Routing policy, which specifies rule sets that peer groups and peers use to implement imports, exports, conditional advertisements, and address aggregation controls.
Perform the following procedure to configure BGP.
Configure BGP
Session Settings and Timeouts
This section describes the global settings that affect TCP, UDP, and ICMPv6 sessions, in addition to IPv6, NAT64, NAT oversubscription, jumbo frame size, MTU, accelerated aging, and captive portal authentication. There is also a setting (Rematch Sessions) that allows you to apply newly configured security policies to sessions that are already in progress.
The first few topics below provide brief summaries of the Transport Layer of the OSI model, TCP, UDP, and ICMP. For more information about the protocols, refer to their respective RFCs. The remaining topics describe the session timeouts and settings.
- Transport Layer Sessions
- TCP
- UDP
- ICMP
- Configure Session Timeouts
- Configure Session Settings
- Prevent TCP Split Handshake Session Establishment
Transport Layer Sessions
A network session is an exchange of messages that occurs between two or more communication devices, lasting for some period of time. A session is established and is torn down when the session ends. Different types of sessions occur at three layers of the OSI model: the Transport layer, the Session layer, and the Application layer.
The Transport Layer operates at Layer 4 of the OSI model, providing reliable or unreliable, end-to-end delivery and flow control of data. Internet protocols that implement sessions at the Transport layer include Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
TCP
Transmission Control Protocol (TCP) (RFC 793) is one of the main protocols in the Internet Protocol (IP) suite, and is so prevalent that it is frequently referenced together with IP as TCP/IP. TCP is considered a reliable transport protocol because it provides error checking while transmitting and receiving segments, acknowledges segments received, and reorders segments that arrive in the wrong order. TCP also requests and provides retransmission of segments that were dropped. TCP is stateful and connection-oriented, meaning a connection between the sender and receiver is established for the duration of the session. TCP provides flow control of packets, so it can handle congestion over networks.
TCP performs a handshake during session setup to initiate and acknowledge a session. After the data is transferred, the session is closed in an orderly manner, where each side transmits a FIN packet and acknowledges it with an ACK packet. The handshake that initiates the TCP session is often a three-way handshake (an exchange of three messages) between the initiator and the listener, or it could be a variation, such as a four-way or five-way split handshake or a simultaneous open. The TCP Split Handshake Drop section explains how to Prevent TCP Split Handshake Session Establishment.
Applications that use TCP as their transport protocol include Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Telnet, Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Secure Shell (SSH).
The following topics describe details of the PAN-OS implementation of TCP:
- TCP Half Closed and TCP Time Wait Timers
- Unverified RST Timer
- TCP Split Handshake Drop
- Maximum Segment Size (MSS)
TCP Half Closed and TCP Time Wait Timers
The TCP connection termination procedure uses a TCP Half Closed timer, which is triggered by the first FIN the firewall sees for a session. The timer is named TCP Half Closed because only one side of the connection has sent a FIN. A second timer, TCP Time Wait, is triggered by the second FIN or a RST.
If the firewall were to have only one timer triggered by the first FIN, a setting that was too short could prematurely close the half-closed sessions. Conversely, a setting that was too long would make the session table grow too much and possibly use up all of the sessions. Two timers allow you to have a relatively long TCP Half Closed timer and a short TCP Time Wait timer, thereby quickly aging fully closed sessions and controlling the size of the session table.
The following figure illustrates when the firewall's two timers are triggered during the TCP connection termination procedure.
The TCP Time Wait timer should be set to a value less than the TCP Half Closed timer for the following reasons:
- The longer time allowed after the first FIN is seen gives the opposite side of the connection time to fully close the session.
- The shorter Time Wait time is because there is no need for the session to remain open for a long time after the second FIN or a RST is seen. A shorter Time Wait time frees up resources sooner, yet still allows time for the firewall to see the final ACK and possible retransmission of other datagrams.
If you configure a TCP Time Wait timer to a value greater than the TCP Half Closed timer, the commit will be accepted, but in practice the TCP Time Wait timer will not exceed the TCP Half Closed value.
The timers can be set globally or per application. The global settings are used for all applications by default. If you configure TCP wait timers at the application level, they override the global settings.
Unverified RST Timer
If the firewall receives a Reset (RST) packet that cannot be verified (because it has an unexpected sequence number within the TCP window or it is from an asymmetric path), the Unverified RST timer controls the aging out of the session. It defaults to 30 seconds; the range is 1-600 seconds. The Unverified RST timer provides an additional security measure, explained in the second bullet below.
A RST packet will have one of three possible outcomes:
- A RST packet that falls outside the TCP window is dropped.
- A RST packet that falls inside the TCP window but does not have the exact expected sequence number is unverified and subject to the Unverified RST timer setting. This behavior helps prevent denial of service (DoS) attacks where the attack tries to disrupt existing sessions by sending random RST packets to the firewall.
- A RST packet that falls within the TCP window and has the exact expected sequence number is subject to the TCP Time Wait timer setting.
TCP Split Handshake Drop
The Split Handshake option is configured for a Zone Protection profile that is assigned to a zone. An interface that is a member of the zone drops any synchronization (SYN) packets sent from the server, preventing the following variations of handshakes. The letter A in the figure indicates the session initiator and B indicates the listener. Each numbered segment of the handshake has an arrow indicating the direction of the segment from the sender to the receiver, and each segment indicates the control bit(s) setting.
You can Prevent TCP Split Handshake Session Establishment.
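One session-table model covering the three preceding topics (the TCP Half Closed and Time Wait timers, the three RST outcomes, and the split-handshake SYN drop), as an added example that is not PAN-OS code: the first FIN starts the Half Closed timer, the second FIN or a verified RST starts the Time Wait timer, a RST inside the window but off the expected sequence number parks the session on the Unverified RST timer, a RST outside the window is dropped, and with split-handshake protection on, a SYN sent by the listener side of an existing session is dropped. Timer values, window size, endpoints and sequence numbers are constructed; the sequence-number bookkeeping is simplified (one expected value per side, no wraparound).

```python
"""TCP session aging and handshake checks (added example, not PAN-OS code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Verdict(Enum):
    FORWARD = "forward"
    DROP = "drop"
    UNVERIFIED_RST = "unverified-rst"


@dataclass
class Session:
    initiator: str                      # side that sent the first SYN, as "ip:port"
    listener: str
    state: str = "open"                 # open -> half-closed -> time-wait, or unverified-rst
    expiry: float = float("inf")        # absolute time at which the entry ages out
    expected_seq: Dict[str, int] = field(default_factory=dict)   # side -> next expected seq


class SessionTable:
    def __init__(self, tcp_half_closed: float = 120, tcp_time_wait: float = 15,
                 unverified_rst: float = 30, window: int = 65535,
                 split_handshake_drop: bool = True) -> None:
        self.half_closed = tcp_half_closed
        # A larger Time Wait value commits, but in practice it never exceeds Half Closed.
        self.time_wait = min(tcp_time_wait, tcp_half_closed)
        self.unverified_rst = unverified_rst
        self.window = window
        self.split_handshake_drop = split_handshake_drop
        self.sessions: Dict[FrozenSet[str], Session] = {}

    def expire(self, now: float) -> None:
        for key in [k for k, s in self.sessions.items() if s.expiry <= now]:
            del self.sessions[key]

    def state_of(self, a: str, b: str) -> Optional[str]:
        s = self.sessions.get(frozenset((a, b)))
        return s.state if s else None

    def packet(self, now: float, src: str, dst: str, flags, seq: int, payload_len: int = 0) -> Verdict:
        self.expire(now)
        key = frozenset((src, dst))
        sess = self.sessions.get(key)
        if "SYN" in flags and "ACK" not in flags:
            if sess is None:                       # first SYN creates the session
                self.sessions[key] = Session(src, dst, expected_seq={src: seq + 1})
                return Verdict.FORWARD
            if src == sess.listener and self.split_handshake_drop:
                return Verdict.DROP                # Zone Protection: a SYN sent by the server
            return Verdict.FORWARD                 # SYN retransmission from the initiator
        if sess is None:
            return Verdict.DROP                    # no session to match against
        if "SYN" in flags:                         # SYN-ACK from the listener
            sess.expected_seq[src] = seq + 1
            return Verdict.FORWARD
        expected = sess.expected_seq.get(src)
        if "RST" in flags:
            if expected is None or not expected <= seq < expected + self.window:
                return Verdict.DROP                # RST outside the TCP window
            if seq != expected:                    # inside the window but not the exact seq
                sess.state, sess.expiry = "unverified-rst", now + self.unverified_rst
                return Verdict.UNVERIFIED_RST
            sess.state, sess.expiry = "time-wait", now + self.time_wait
            return Verdict.FORWARD
        if "FIN" in flags:
            if sess.state == "open":               # first FIN: Half Closed timer starts
                sess.state, sess.expiry = "half-closed", now + self.half_closed
            elif sess.state == "half-closed":      # second FIN: Time Wait timer starts
                sess.state, sess.expiry = "time-wait", now + self.time_wait
            sess.expected_seq[src] = seq + payload_len + 1
            return Verdict.FORWARD
        sess.expected_seq[src] = seq + payload_len  # plain data or ACK advances the expectation
        return Verdict.FORWARD
```

The `expected_seq` map is what gives the RST check its teeth: a forged RST has to land on the exact expected number to close the session immediately, while an in-window guess only starts the shorter Unverified RST timer, which is the denial-of-service resistance the text describes.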
Maximum Segment Size (MSS)
The maximum transmission unit (MTU) is a value indicating the largest number of bytes that can be transmitted in a single TCP packet. The MTU includes the length of headers, so the MTU minus the number of bytes in the headers equals the maximum segment size (MSS), which is the maximum number of data bytes that can be transmitted in a single packet.
A configurable MSS adjustment size (shown below) allows your firewall to pass traffic that has longer headers than the default setting allows. Encapsulation adds length to headers, so you would increase the MSS adjustment size to allow bytes, for example, to accommodate an MPLS header or tunneled traffic that has a VLAN tag.
If the DF (don't fragment) bit is set for a packet, it is especially helpful to have a larger MSS adjustment size and smaller MSS so that longer headers do not result in a packet length that exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets would be dropped.
The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.
If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between the two IP address formats, the proper MSS value corresponding to the IP type is used for TCP traffic.
For IPv4 and IPv6 addresses, the firewall accommodates larger than expected TCP header lengths. In the case where a TCP packet has a larger header length than you planned for, the firewall chooses as the MSS adjustment size the larger of the following two values:
- The configured MSS adjustment size
- The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN
This behavior means that the firewall overrides the configured MSS adjustment size if necessary. For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458 (the default MTU size minus the adjustment size [1500-42]). However, the TCP packet has 4 extra bytes of IP options in the header, so the MSS adjustment size (20+20+4) equals 44, which is larger than the configured MSS adjustment size of 42. The resulting MSS is 1500-44=1456 bytes, smaller than you expected.
To configure the MSS adjustment size, see Step 8 in Configure Session Settings.
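The override rule worked through on actual header bytes, as an added example that is not PAN-OS code: the IP header length is read from the SYN (the IHL field for IPv4, the fixed 40-byte header for IPv6), the effective adjustment is the larger of the configured value and 20 plus that length, and the MSS is the MTU minus the effective adjustment. The packets are constructed minimal IP headers with no real TCP segment behind them; that IPv6 extension headers are not counted is an assumption of this model.

```python
"""MSS adjustment as applied to a TCP SYN (added example, not PAN-OS code)."""

TCP_HEADER_LENGTH = 20   # the fixed TCP header length the guide uses in the sum


def ip_header_length(syn_packet: bytes) -> int:
    """IPv4: IHL * 4, options included. IPv6: the fixed 40-byte header (assumption: no
    extension headers are counted in this model)."""
    version = syn_packet[0] >> 4
    if version == 4:
        ihl = syn_packet[0] & 0x0F
        if ihl < 5:
            raise ValueError("IPv4 IHL below the 20-byte minimum")
        return ihl * 4
    if version == 6:
        return 40
    raise ValueError("not an IP packet")


def effective_mss_adjustment(configured: int, syn_packet: bytes) -> int:
    """The firewall uses the larger of the configured size and TCP(20) + IP header length."""
    return max(configured, TCP_HEADER_LENGTH + ip_header_length(syn_packet))


def mss_for_syn(mtu: int, configured: int, syn_packet: bytes) -> int:
    """The MSS that results once the effective adjustment is taken off the MTU."""
    return mtu - effective_mss_adjustment(configured, syn_packet)


def build_ipv4_syn(options_len: int = 0) -> bytes:
    """Constructed IPv4 header carrying options_len bytes of options (multiple of 4)."""
    if options_len % 4:
        raise ValueError("IPv4 options are padded to a multiple of 4 bytes")
    ihl = 5 + options_len // 4
    return bytes([0x40 | ihl]) + bytes(ihl * 4 - 1)


def build_ipv6_syn() -> bytes:
    """Constructed IPv6 header: version nibble 6, remaining 39 bytes zero."""
    return bytes([0x60]) + bytes(39)
```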
UDP
User Datagram Protocol (UDP) (RFC 768) is another main protocol of the IP suite, and is an alternative to TCP. UDP is stateless and connectionless in that there is no handshake to set up a session, and no connection between the sender and receiver; the packets may take different routes to get to a single destination. UDP is considered an unreliable protocol because it does not provide acknowledgments, error checking, retransmission, or reordering of datagrams. Without the overhead required to provide those features, UDP has reduced latency and is faster than TCP. UDP is referred to as a best-effort protocol because there is no mechanism or guarantee to ensure that the data will arrive at its destination.
Although UDP uses a checksum for data integrity, it performs no error checking at the network interface level. Error checking is assumed to be unnecessary or is performed by the application rather than UDP itself. UDP has no mechanism to handle flow control of packets.
UDP is often used for applications that require faster speeds and time-sensitive, real-time delivery, such as Voice over IP (VoIP), streaming audio and video, and online games. UDP is transaction-oriented, so it is also used for applications that respond to small queries from many clients, such as Domain Name System (DNS) and Trivial File Transfer Protocol (TFTP).
ICMP
InternetControlMessageProtocol(ICMP)(RFC792)isanotheroneofthemainprotocolsoftheInternet
Protocolsuite;itoperatesattheNetworklayeroftheOSImodel.ICMPisusedfordiagnosticandcontrol
purposes,tosenderrormessagesaboutIPoperations,ormessagesaboutrequestedservicesorthe
reachabilityofahostorrouter.Networkutilitiessuchastracerouteandpingareimplementedbyusing
variousICMPmessages.
ICMPisaconnectionlessprotocolthatdoesnotopenormaintainactualsessions.However,theICMP
messagesbetweentwodevicescanbeconsideredasession.
PaloAltoNetworksfirewallssupportICMPv4andICMPv6.ICMPv4andICMPv6errorpacketscanbe
controlledbyconfiguringasecuritypolicyforazone,andselectingtheicmporipv6-icmpapplicationinthe
policy.Additionally,theICMPv6errorpacketratecanbecontrolledthroughthesessionsettings,as
describedinthesectionConfigureSessionSettings.
ICMPv6RateLimiting
ICMPv6ratelimitingisathrottlingmechanismtopreventfloodingandDDoSattempts.Theimplementation
employsanerrorpacketrateandatokenbucket,whichworktogethertoenablethrottlingandensurethat
ICMPpacketsdonotfloodthenetworksegmentsprotectedbythefirewall.
FirsttheglobalICMPv6errorpacketratecontrolstherateatwhichICMPerrorpacketsareallowedthrough
thefirewall;thedefaultis100packetspersecond;therangeis10to65535packetspersecond.Ifthe
firewallreachestheICMPerrorpacketrate,thenthetokenbucketcomesintoplayandthrottlingoccurs,as
follows.
TheconceptofalogicaltokenbucketcontrolstherateatwhichICMPmessagescanbetransmitted.The
numberoftokensinthebucketisconfigurable,andeachtokenrepresentsanICMPmessagethatcanbe
sent.ThetokencountisdecrementedeachtimeanICMPmessageissent;whenthebucketreacheszero
tokens,nomoreICMPmessagescanbesentuntilanothertokenisaddedtothebucket.Thedefaultsizeof
thetokenbucketis100tokens(packets);therangeis10to65535tokens.
Tochangethedefaulttokenbucketsizeorerrorpacketrate,seethesectionConfigureSessionSettings.
Configure Session Timeouts
A session timeout defines the duration of time for which PAN-OS maintains a session on the firewall after inactivity in the session. By default, when the session timeout for the protocol expires, PAN-OS closes the session.
On the firewall, you can define a number of timeouts for TCP, UDP, and ICMP sessions in particular. The Default timeout applies to any other type of session. All of these timeouts are global, meaning they apply to all of the sessions of that type on the firewall.
In addition to the global settings, you have the flexibility to define timeouts for an individual application in the Objects > Applications tab. The firewall applies application timeouts to an application that is in established state. When configured, timeouts for an application override the global TCP or UDP session timeouts.
Returning to the global settings, perform the optional tasks below if you need to change default values of the global session timeout settings for TCP, UDP, ICMP, Captive Portal authentication, or other types of sessions. All values are in seconds.
The defaults are optimal values. However, you can modify these according to your network needs. Setting a value too low could cause sensitivity to minor network delays and could result in a failure to establish connections with the firewall. Setting a value too high could delay failure detection.
Change Session Timeouts
Configure Session Settings
This topic describes various settings for sessions other than timeout values. Perform these tasks if you need to change the default settings.
Configure Session Settings
Prevent TCP Split Handshake Session Establishment
You can configure a TCP Split Handshake Drop in a Zone Protection profile to prevent TCP sessions from being established unless they use the standard three-way handshake. This task assumes that you assigned a security zone for the interface where you want to prevent TCP split handshakes from establishing a session.
Configure a Zone Protection Profile to Prevent TCP Split Handshake Sessions
DHCP
This section describes Dynamic Host Configuration Protocol (DHCP) and the tasks required to configure an interface on a Palo Alto Networks firewall to act as a DHCP server, client, or relay agent. By assigning these roles to different interfaces, the firewall can perform multiple roles.
- DHCP Overview
- Firewall as a DHCP Server and Client
- DHCP Messages
- DHCP Addressing
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCP Client
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP
DHCP Overview
DHCP is a standardized protocol defined in RFC 2131, Dynamic Host Configuration Protocol. DHCP has two main purposes: to provide TCP/IP and link layer configuration parameters and to provide network addresses to dynamically configured hosts on a TCP/IP network.
DHCP uses a client-server model of communication. This model consists of three roles that the device can fulfill: DHCP client, DHCP server, and DHCP relay agent.
- A device acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. Users on client devices save configuration time and effort, and need not know the network's addressing plan or other resources and options they are inheriting from the DHCP server.
- A device acting as a DHCP server can service clients. By using any of three DHCP Addressing mechanisms, the network administrator saves configuration time and has the benefit of reusing a limited number of IP addresses when a client no longer needs network connectivity. The server can deliver IP addressing and many DHCP options to many clients.
- A device acting as a DHCP relay agent transmits DHCP messages between DHCP clients and servers.
DHCP uses User Datagram Protocol (UDP), RFC 768, as its transport protocol. DHCP messages that a client sends to a server are sent to well-known port 67 (UDP Bootstrap Protocol and DHCP). DHCP messages that a server sends to a client are sent to port 68.
An interface on a Palo Alto Networks firewall can perform the role of a DHCP server, client, or relay agent. The interface of a DHCP server or relay agent must be a Layer 3 Ethernet, Aggregated Ethernet, or Layer 3 VLAN interface. You configure the firewall's interfaces with the appropriate settings for any combination of roles. The behavior of each role is summarized in Firewall as a DHCP Server and Client.
The firewall supports DHCPv4 Server and DHCPv6 Relay. However, a single interface cannot support both DHCPv4 Server and DHCPv6 Relay.
The Palo Alto Networks implementations of DHCP server and DHCP client support IPv4 addresses only. Its DHCP relay implementation supports IPv4 and IPv6. DHCP client is not supported in High Availability active/active mode.
Firewall as a DHCP Server and Client
The firewall can function as a DHCP server and as a DHCP client. Dynamic Host Configuration Protocol, RFC 2131, is designed to support IPv4 and IPv6 addresses. The Palo Alto Networks implementation of DHCP server supports IPv4 addresses only.
The firewall DHCP server operates in the following manner:
- When the DHCP server receives a DHCPDISCOVER message from a client, the server replies with a DHCPOFFER message containing all of the predefined and user-defined options in the order they appear in the configuration. The client selects the options it needs and responds with a DHCPREQUEST message.
- When the server receives a DHCPREQUEST message from a client, the server replies with its DHCPACK message containing only the options specified in the request.
The firewall DHCP client operates in the following manner:
- When the DHCP client receives a DHCPOFFER from the server, the client automatically caches all of the options offered for future use, regardless of which options it had sent in its DHCPREQUEST.
- By default and to save memory consumption, the client caches only the first value of each option code if it receives multiple values for a code.
There is no maximum length for DHCP messages unless the DHCP client specifies a maximum in option 57 in its DHCPDISCOVER or DHCPREQUEST messages.
DHCP Messages
DHCP uses eight standard message types, which are identified by an option type number in the DHCP message. For example, when a client wants to find a DHCP server, it broadcasts a DHCPDISCOVER message on its local physical subnetwork. If there is no DHCP server on its subnet and if DHCP Helper or DHCP Relay is configured properly, the message is forwarded to DHCP servers on a different physical subnet. Otherwise, the message will go no further than the subnet on which it originated. One or more DHCP servers will respond with a DHCPOFFER message that contains an available network address and other configuration parameters.
When the client needs an IP address, it sends a DHCPREQUEST to one or more servers. Of course if the client is requesting an IP address, it doesn't have one yet, so RFC 2131 requires that the broadcast message the client sends out have a source address of 0 in its IP header.
When a client requests configuration parameters from a server, it might receive responses from more than one server. Once a client has received its IP address, it is said that the client has at least an IP address and possibly other configuration parameters bound to it. DHCP servers manage such binding of configuration parameters to clients.
The following table lists the DHCP messages.
DHCP Message    Description
DHCPDISCOVER    Client broadcast to find available DHCP servers.
DHCPOFFER       Server response to a client's DHCPDISCOVER, offering configuration parameters.
DHCPREQUEST     Client message to one or more servers to do any of the following:
                - Request parameters from one server and implicitly decline offers from other servers.
                - Confirm that a previously allocated address is correct after, for example, a system reboot.
                - Extend the lease of a network address.
DHCPACK         Server to client acknowledgment message containing configuration parameters, including a confirmed network address.
DHCPNAK         Server to client negative acknowledgment indicating the client's understanding of the network address is incorrect (for example, if the client has moved to a new subnet), or a client's lease has expired.
DHCPDECLINE     Client to server message indicating the network address is already being used.
DHCPRELEASE     Client to server message giving up the use of the network address and canceling the remaining time on the lease.
DHCPINFORM      Client to server message requesting only local configuration parameters; client has an externally configured network address.
DHCP Addressing
- DHCP Address Allocation Methods
- DHCP Leases
DHCP Address Allocation Methods
There are three ways that a DHCP server either assigns or sends an IP address to a client:
- Automatic allocation: The DHCP server assigns a permanent IP address to a client from its IP Pools. On the firewall, a Lease specified as Unlimited means the allocation is permanent.
- Dynamic allocation: The DHCP server assigns a reusable IP address from IP Pools of addresses to a client for a maximum period of time, known as a lease. This method of address allocation is useful when the customer has a limited number of IP addresses; they can be assigned to clients who need only temporary access to the network. See the DHCP Leases section.
- Static allocation: The network administrator chooses the IP address to assign to the client and the DHCP server sends it to the client. A static DHCP allocation is permanent; it is done by configuring a DHCP server and choosing a Reserved Address to correspond to the MAC Address of the client device. The DHCP assignment remains in place even if the client logs off, reboots, has a power outage, etc.
Static allocation of an IP address is useful, for example, if you have a printer on a LAN and you do not want its IP address to keep changing, because it is associated with a printer name through DNS. Another example is if a client device is used for something crucial and must keep the same IP address, even if the device is turned off, unplugged, rebooted, or a power outage occurs, etc.
Keep these points in mind when configuring a Reserved Address:
- It is an address from the IP Pools. You may configure multiple reserved addresses.
- If you configure no Reserved Address, the clients of the server will receive new DHCP assignments from the pool when their leases expire or if they reboot, etc. (unless you specified that a Lease is Unlimited).
- If you allocate all of the addresses in the IP Pools as a Reserved Address, there are no dynamic addresses free to assign to the next DHCP client requesting an address.
- You may configure a Reserved Address without configuring a MAC Address. In this case, the DHCP server will not assign the Reserved Address to any device. You might reserve a few addresses from the pool and statically assign them to a fax and printer, for example, without using DHCP.
DHCP Leases
A lease is defined as the time period for which a DHCP server allocates a network address to a client. The lease might be extended (renewed) upon subsequent requests. If the client no longer needs the address, it can release the address back to the server before the lease is up. The server is then free to assign that address to a different client if it has run out of unassigned addresses.
The lease period configured for a DHCP server applies to all of the addresses that a single DHCP server (interface) dynamically assigns to its clients. That is, all of that interface's addresses assigned dynamically are of Unlimited duration or have the same Timeout value. A different DHCP server configured on the firewall may have a different lease term for its clients. A Reserved Address is a static address allocation and is not subject to the lease terms.
Per the DHCP standard, RFC 2131, a DHCP client does not wait for its lease to expire, because it risks getting a new address assigned to it. Instead, when a DHCP client reaches the halfway point of its lease period, it attempts to extend its lease so that it retains the same IP address. Thus, the lease duration is like a sliding window.
Typically, if an IP address was assigned to a device, the device was subsequently taken off the network and its lease was not extended, the DHCP server will let that lease run out. Because the client is gone from the network and no longer needs the address, the lease duration in the server is reached and the lease is in Expired state.
The firewall has a hold timer that prevents the expired IP address from being reassigned immediately. This behavior temporarily reserves the address for the device in case it comes back onto the network. But if the address pool runs out of addresses, the server reallocates this expired address before the hold timer expires. Expired addresses are cleared automatically as the system needs more addresses or when the hold timer releases them.
In the CLI, use the show dhcp server lease operational command to view lease information about the allocated IP addresses. If you do not want to wait for expired leases to be released automatically, you can use the clear dhcp lease interface <value> expired-only command to clear expired leases, making those addresses available in the pool again. You can use the clear dhcp lease interface <value> ip <ip> command to release a particular IP address. Use the clear dhcp lease interface <value> mac <mac_address> command to release a particular MAC address.
DHCP Options
The history of DHCP and DHCP options traces back to the Bootstrap Protocol (BOOTP). BOOTP was used by a host to configure itself dynamically during its booting procedure. A host could receive an IP address and a file from which to download a boot program from a server, along with the server's address and the address of an Internet gateway.
Included in the BOOTP packet was a vendor information field, which could contain a number of tagged fields containing various types of information, such as the subnet mask, the BOOTP file size, and many other values. RFC 1497 describes the BOOTP Vendor Information Extensions. DHCP replaces BOOTP; BOOTP is not supported on the firewall.
These extensions eventually expanded with the use of DHCP and DHCP host configuration parameters, also known as options. Similar to vendor extensions, DHCP options are tagged data items that provide information to a DHCP client. The options are sent in a variable-length field at the end of a DHCP message. For example, the DHCP Message Type is option 53, and a value of 1 indicates the DHCPDISCOVER message. DHCP options are defined in RFC 2132, DHCP Options and BOOTP Vendor Extensions.
A DHCP client can negotiate with the server, limiting the server to send only those options that the client requests.
- Predefined DHCP Options
- Multiple Values for a DHCP Option
- DHCP Options 43, 55, and 60 and Other Customized Options
Predefined DHCP Options
Palo Alto Networks firewalls support user-defined and predefined DHCP options in the DHCP server implementation. Such options are configured on the DHCP server and sent to the clients that sent a DHCPREQUEST to the server. The clients are said to inherit and implement the options that they are programmed to accept.
The firewall supports the following predefined options on its DHCP servers, shown in the order in which they appear on the DHCP Server configuration screen:
DHCP Option   DHCP Option Name
51            Lease duration
3             Gateway
1             IP Pool Subnet (mask)
6             Domain Name System (DNS) server address (primary and secondary)
44            Windows Internet Name Service (WINS) server address (primary and secondary)
41            Network Information Service (NIS) server address (primary and secondary)
42            Network Time Protocol (NTP) server address (primary and secondary)
70            Post Office Protocol Version 3 (POP3) server address
69            Simple Mail Transfer Protocol (SMTP) server address
15            DNS suffix
As mentioned, you can also configure vendor-specific and customized options, which support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP address, ASCII, or hexadecimal format. With the firewall's enhanced DHCP option support, branch offices do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.
Multiple Values for a DHCP Option
DHCP Options 43, 55, and 60 and Other Customized Options
The following table describes the option behavior for several options described in RFC 2132.
Option  Name                           Description
43      Vendor Specific Information    Sent from server to client. Vendor-specific information that the DHCP server has been configured to offer to the client. The information is sent to the client only if the server has a Vendor Class Identifier (VCI) in its table that matches the VCI in the client's DHCPREQUEST.
                                       An Option 43 packet can contain multiple vendor-specific pieces of information. It can also include encapsulated, vendor-specific extensions of data.
55      Parameter Request List         Sent from client to server. List of configuration parameters (option codes) that a DHCP client is requesting, possibly in order of the client's preference. The server tries to respond with options in the same order.
60      Vendor Class Identifier (VCI)  Sent from client to server. Vendor type and configuration of a DHCP client. The DHCP client sends option code 60 in a DHCPREQUEST to the DHCP server. When the server receives option 60, it sees the VCI, finds the matching VCI in its own table, and then it returns option 43 with the value (that corresponds to the VCI), thereby relaying vendor-specific information to the correct client. Both the client and server have knowledge of the VCI.
You can send custom, vendor-specific option codes that are not defined in RFC 2132. The option codes can be in the range 1-254 and of fixed or variable length.
Custom DHCP options are not validated by the DHCP Server; you must ensure that you enter correct values for the options you create.
For ASCII and hexadecimal DHCP option types, the option value can be a maximum of 255 octets.
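The following Python is an added example, not part of this guide or of PAN-OS, tying together the behavior described in the DHCP Messages, Firewall as a DHCP Server and Client, and DHCP Options sections: it parses the tagged option field, reads the message type (option 53), answers a DHCPREQUEST with only the codes in the client's Parameter Request List (option 55) in the client's order, returns option 43 only when the client's Vendor Class Identifier (option 60) matches a configured entry, and keeps only the first value of a repeated option code as the firewall's DHCP client does. The server configuration, the VCI string ACME-Phone and the option 43 payload are constructed sample data; option lengths are bounds-checked so a truncated message raises instead of over-reading.

```python
"""Constructed DHCP option walkthrough (example code for this guide; not
PAN-OS code): parse the tagged option field, honor the client's Parameter
Request List order, map a matching VCI (60) to option 43, and cache only
the first value of a repeated option code. All sample values constructed."""

DHCP_MAGIC = bytes.fromhex("63825363")     # RFC 2132 magic cookie
PAD, END = 0, 255
VENDOR_SPECIFIC, MSG_TYPE, PARAM_REQ_LIST, VENDOR_CLASS = 43, 53, 55, 60
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5


def parse_options(blob: bytes) -> list:
    """Walk the variable-length option field, returning (code, data) pairs in
    order. Lengths are checked so a truncated option cannot read past the end."""
    if blob[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], 4
    while i < len(blob):
        code = blob[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} claims {length} octets past the end")
        opts.append((code, data))
        i += 2 + length
    return opts


def build_options(pairs) -> bytes:
    """Serialize (code, data) pairs; codes 1-254, values at most 255 octets."""
    out = bytearray(DHCP_MAGIC)
    for code, data in pairs:
        if not 1 <= code <= 254 or len(data) > 255:
            raise ValueError("option code must be 1-254 and value <= 255 octets")
        out += bytes([code, len(data)]) + data
    out.append(END)
    return bytes(out)


def first_value_per_code(opts) -> dict:
    """Client-side caching rule: a code seen more than once keeps its first value."""
    cache = {}
    for code, data in opts:
        cache.setdefault(code, data)
    return cache


def message_type(opts) -> int:
    return first_value_per_code(opts)[MSG_TYPE][0]


def parameter_request_list(opts) -> list:
    return [c for code, data in opts if code == PARAM_REQ_LIST for c in data]


def ack_options(request: bytes, server_config: dict, vci_table: dict) -> list:
    """Server side: reply to a DHCPREQUEST with only the requested option codes,
    in the client's order, plus option 43 when the client's VCI has a match.
    Requested codes the server has no value for are simply not answered."""
    opts = parse_options(request)
    if message_type(opts) != DHCPREQUEST:
        raise ValueError("ack_options expects a DHCPREQUEST")
    reply = [(MSG_TYPE, bytes([DHCPACK]))]
    for code in parameter_request_list(opts):
        if code in server_config:
            reply.append((code, server_config[code]))
    vci = first_value_per_code(opts).get(VENDOR_CLASS)
    if vci is not None and vci in vci_table:
        reply.append((VENDOR_SPECIFIC, vci_table[vci]))
    return reply


def ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


# Constructed server configuration mirroring the predefined option list above.
SERVER_CONFIG = {
    1: ip("255.255.255.0"), 3: ip("192.168.3.1"),
    6: ip("10.43.2.10") + ip("10.44.2.10"), 15: b"example.test",
    51: (86400).to_bytes(4, "big"),
}
# Constructed VCI table: vendor class -> encapsulated option 43 payload.
VCI_TABLE = {b"ACME-Phone": bytes([1, 4]) + ip("192.168.3.50")}

SAMPLE_REQUEST = build_options([          # constructed client DHCPREQUEST
    (MSG_TYPE, bytes([DHCPREQUEST])),
    (PARAM_REQ_LIST, bytes([1, 3, 6, 15, 42])),   # 42 (NTP) is not configured
    (VENDOR_CLASS, b"ACME-Phone"),
])


def demo() -> list:
    """Option codes the server would put in its DHCPACK for SAMPLE_REQUEST."""
    return [code for code, _ in ack_options(SAMPLE_REQUEST, SERVER_CONFIG, VCI_TABLE)]
```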
Configure an Interface as a DHCP Server
The prerequisites for this task are:
- Configure a Layer 3 Ethernet or Layer 3 VLAN interface.
- Assign the interface to a virtual router and a zone.
- Determine a valid pool of IP addresses from your network plan that you can designate to be assigned by your DHCP server to clients.
- Collect the DHCP options, values, and Vendor Class Identifiers you plan to configure.
Perform the following task to configure an interface on the firewall to act as a DHCP server. You can configure multiple DHCP servers.
Configure an Interface as a DHCP Server
For the following fields, click the down arrow and select None, or inherited, or enter a remote server's IP address that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source.
- Primary DNS, Secondary DNS: IP address of the preferred and alternate Domain Name System (DNS) servers.
- Primary WINS, Secondary WINS: IP address of the preferred and alternate Windows Internet Naming Service (WINS) servers.
- Primary NIS, Secondary NIS: IP address of the preferred and alternate Network Information Service (NIS) servers.
- Primary NTP, Secondary NTP: IP address of the available Network Time Protocol servers.
- POP3 Server: IP address of a Post Office Protocol (POP3) server.
- SMTP Server: IP address of a Simple Mail Transfer Protocol (SMTP) server.
- DNS Suffix: Suffix for the client to use locally when an unqualified hostname is entered that it cannot resolve.
Configure an Interface as a DHCP Client
Before configuring a firewall interface as a DHCP Client, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone. Perform this task if you need to use DHCP to request an IPv4 address for an interface on your firewall.
To configure the management interface as a DHCP client, see Configure the Management Interface as a DHCP Client.
Configure an Interface as a DHCP Client
Configure the Management Interface as a DHCP Client
The management interface on the firewall supports DHCP client for IPv4, which allows the management interface to receive its IPv4 address from a DHCP server. The management interface also supports DHCP Option 12 and Option 61, which allow the firewall to send its hostname and client identifier, respectively, to DHCP servers.
By default, VM-Series firewalls deployed in AWS and Azure use the management interface as a DHCP client to obtain its IP address, rather than a static IP address, because cloud deployments require the automation this feature provides. DHCP on the management interface is turned off by default for the VM-Series firewall except for the VM-Series firewall in AWS and Azure. The management interfaces on WildFire and Panorama platforms do not support this DHCP functionality.
For hardware-based firewall platforms (not VM-Series), configure the management interface with a static IP address when possible.
If the firewall acquires a management interface address through DHCP, assign a MAC address reservation on the DHCP server that serves that firewall. The reservation ensures that the firewall retains its management IP address after a restart. If the DHCP server is a Palo Alto Networks firewall, see Step 6 of Configure an Interface as a DHCP Server for reserving an address.
If you configure the management interface as a DHCP client, the following two restrictions apply:
- You cannot use the management interface in an HA configuration for control link (HA1 or HA1 backup), data link (HA2 or HA2 backup), or packet forwarding (HA3) communication.
- You cannot select MGT as the Source Interface when you customize service routes (Device > Setup > Services > Service Route Configuration > Customize). However, you can select Use default to route the packets via the management interface.
A prerequisite for this task is that the management interface must be able to reach a DHCP server.
Configure the Management Interface as a DHCP Client
Configure an Interface as a DHCP Relay Agent
To enable a firewall interface to transmit DHCP messages between clients and servers, you must configure the firewall as a DHCP relay agent. The interface can forward messages to a maximum of eight external IPv4 DHCP servers and eight external IPv6 DHCP servers. A client DHCPDISCOVER message is sent to all configured servers, and the DHCPOFFER message of the first server that responds is relayed back to the requesting client. Before configuring a DHCP relay agent, make sure you have configured a Layer 3 Ethernet or Layer 3 VLAN interface, and the interface is assigned to a virtual router and a zone.
Configure an Interface as a DHCP Relay Agent
Monitor and Troubleshoot DHCP
You can view the status of dynamic address leases that your DHCP server has assigned or that your DHCP client has been assigned by issuing commands from the CLI. You can also clear leases before they time out and are released automatically.
- View DHCP Server Information
- Clear Leases Before They Expire Automatically
- View DHCP Client Information
- Gather Debug Output about DHCP
View DHCP Server Information
To view DHCP pool statistics, IP addresses the server has assigned, the corresponding MAC address, state and duration of the lease, and time the lease began, use the following command. If the address was configured as a Reserved Address, the state column indicates reserved and there is no duration or lease_time. If the lease was configured as Unlimited, the duration column displays a value of 0.
admin@PA-200> show dhcp server lease all
interface: "ethernet1/2"
Allocated IPs: 1, Total number of IPs in pool: 5. 20.0000% used
ip mac state duration lease_time
192.168.3.11 f0:2f:af:42:70:cf committed 0 Wed Jul 2 08:10:56 2014
admin@PA-200>
To view the options that a DHCP server has assigned to clients, use the following command:
admin@PA-200> show dhcp server settings all
Interface GW DNS1 DNS2 DNS-Suffix Inherit source
-------------------------------------------------------------------------------------
ethernet1/2 192.168.3.1 10.43.2.10 10.44.2.10 ethernet1/3
admin@PA-200>
Clear Leases Before They Expire Automatically
The following example shows how to release expired DHCP leases of an interface (server) before the hold timer releases them automatically. Those addresses will be available in the IP pool again.
admin@PA-200> clear dhcp lease interface ethernet1/2 expired-only
The following example shows how to release the lease of a particular IP address:
admin@PA-200> clear dhcp lease interface ethernet1/2 ip 192.168.3.1
The following example shows how to release the lease of a particular MAC address:
admin@PA-200> clear dhcp lease interface ethernet1/2 mac f0:2c:ae:29:71:34
View DHCP Client Information
To view the status of IP address leases sent to the firewall when it is acting as a DHCP client, use the show dhcp client state <interface_name> command or the following command:
admin@PA-200> show dhcp client state all
Interface State IP Gateway Leased-until
---------------------------------------------------------------------------
ethernet1/1 Bound 10.43.14.80 10.43.14.1 70315
admin@PA-200>
Gather Debug Output about DHCP
To gather debug output about DHCP, use one of the following commands:
admin@PA-200> debug dhcpd
admin@PA-200> debug management-server dhcpd
NAT
This section describes Network Address Translation (NAT) and how to configure the firewall for NAT. NAT allows you to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses, thereby conserving an organization's routable IP addresses. NAT allows you to not disclose the real IP addresses of hosts that need access to public addresses and to manage traffic by performing port forwarding. You can use NAT to solve network design challenges, enabling networks with identical IP subnets to communicate with each other. The firewall supports NAT on Layer 3 and virtual wire interfaces.
The NAT64 option translates between IPv6 and IPv4 addresses, providing connectivity between networks using disparate IP addressing schemes, and therefore a migration path to IPv6 addressing. IPv6-to-IPv6 Network Prefix Translation (NPTv6) translates one IPv6 prefix to another IPv6 prefix. PAN-OS supports all of these functions.
If you use private IP addresses within your internal networks, you must use NAT to translate the private addresses to public addresses that can be routed on external networks. In PAN-OS, you create NAT policy rules that instruct the firewall which packet addresses and ports need translation and what the translated addresses and ports are.
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples
NAT Policy Rules
- NAT Policy Overview
- NAT Address Pools Identified as Address Objects
- Proxy ARP for NAT Address Pools
NAT Policy Overview
You configure a NAT rule to match a packet's source zone and destination zone, at a minimum. In addition to zones, you can configure matching criteria based on the packet's destination interface, source and destination address, and service. You can configure multiple NAT rules. The firewall evaluates the rules in order from the top down. Once a packet matches the criteria of a single NAT rule, the packet is not subjected to additional NAT rules. Therefore, your list of NAT rules should be in order from most specific to least specific so that packets are subjected to the most specific rule you created for them.
Static NAT rules do not have precedence over other forms of NAT. Therefore, for static NAT to work, the static NAT rules must be above all other NAT rules in the list on the firewall.
NAT rules provide address translation, and are different from security policy rules, which allow or deny packets. It is important to understand the firewall's flow logic when it applies NAT rules and security policy rules so that you can determine what rules you need, based on the zones you have defined. You must configure security policy rules to allow the NAT traffic.
Upon ingress, the firewall inspects the packet and does a route lookup to determine the egress interface and zone. Then the firewall determines if the packet matches one of the NAT rules that have been defined, based on source and/or destination zone. It then evaluates and applies any security policies that match the packet based on the original (pre-NAT) source and destination addresses, but the post-NAT zones. Finally, upon egress, for a matching NAT rule, the firewall translates the source and/or destination address and port numbers.
Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address.
Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet's outgoing interface and zone, security policies are enforced on the post-NAT zone.
A SIP call sometimes experiences one-way audio when going through the firewall because the call manager sends a SIP message on behalf of the phone to set up the connection. When the message from the call manager reaches the firewall, the SIP ALG must put the IP address of the phone through NAT. If the call manager and the phones are not in the same security zone, the NAT lookup of the IP address of the phone is done using the call manager zone. The NAT policy should take this into consideration.
No-NAT rules are configured to allow exclusion of IP addresses defined within the range of NAT rules defined later in the NAT policy. To define a no-NAT policy, specify all of the match criteria and select No Source Translation in the source translation column.
You can verify the NAT rules processed by using the CLI test nat-policy-match command in operational mode. For example:
user@device1> test nat-policy-match ?
+ destination          Destination IP address
+ destination-port     Destination port
+ from                 From zone
+ ha-device-id         HA Active/Active device ID
+ protocol             IP protocol value
+ source               Source IP address
+ source-port          Source port
+ to                   To Zone
+ to-interface         Egress interface to use
  |                    Pipe through a command
  <Enter>              Finish input
user@device1> test nat-policy-match from l3-untrust source 10.1.1.1 destination
66.151.149.20 destination-port 443 protocol 6
Destination-NAT: Rule matched: CA2-DEMO
66.151.149.20:443 => 192.168.100.15:443
NAT Address Pools Identified as Address Objects
Because both NAT rules and security policy rules use address objects, it is a best practice to distinguish between them by naming an address object used for NAT with a prefix, such as NAT-name.
Proxy ARP for NAT Address Pools
NAT address pools are not bound to any interfaces. The following figure illustrates the behavior of the firewall when it is performing proxy ARP for an address in a NAT address pool.
The firewall performs source NAT for a client, translating the source address 1.1.1.1 to the address in the NAT pool, 2.2.2.2. The translated packet is sent on to a router.
For the return traffic, the router does not know how to reach 2.2.2.2 (because the IP address 2.2.2.2 is just an address in the NAT address pool), so it sends an ARP request packet to the firewall.
If the address pool (2.2.2.2) is in the same subnet as the egress/ingress interface IP address (2.2.2.3/24), the firewall can send a proxy ARP reply to the router, indicating the Layer 2 MAC address of the IP address, as shown in the figure above.
If the address pool (2.2.2.2) is not a subnet of an interface on the firewall, the firewall will not send a proxy ARP reply to the router. This means that the router must be configured with the necessary route to know where to send packets destined for 2.2.2.2, in order to ensure the return traffic is routed back to the firewall, as shown in the figure below.
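As an added example that is not part of this guide or of PAN-OS, the following Python models the top-down, first-match NAT rule evaluation from the NAT Policy Overview and the proxy ARP decision just described; it also flags rules that an earlier, more general rule will always pre-empt, which is the misordering the text warns against. The rule name CA2-DEMO, the zone l3-untrust and the addresses come from the test nat-policy-match output above; the Untrust-Web-Block rule, the l3-trust egress zone and the NatRule and Packet types are constructed for the example.

```python
"""Constructed NAT rule walkthrough: first-match evaluation from the top down,
a shadowing check for rules a more general earlier rule always pre-empts, and
the proxy ARP decision for a NAT pool address. Example code written for this
guide, not PAN-OS code; rule and packet types are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    service_port: Optional[int] = None       # None = any destination port
    translated_dst: Optional[str] = None     # destination NAT target, if any
    translated_port: Optional[int] = None    # None = keep the original port


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str          # zone of the egress interface after the route lookup
    source: str
    destination: str
    dst_port: int


def matches(rule: NatRule, pkt: Packet) -> bool:
    """A rule matches on pre-NAT addresses and the post-route zones."""
    return (rule.from_zone in (ANY, pkt.from_zone)
            and rule.to_zone in (ANY, pkt.to_zone)
            and ip_address(pkt.source) in ip_network(rule.source)
            and ip_address(pkt.destination) in ip_network(rule.destination)
            and rule.service_port in (None, pkt.dst_port))


def first_match(rules, pkt: Packet) -> Optional[NatRule]:
    """Rules are evaluated top down; the first hit ends NAT evaluation."""
    return next((r for r in rules if matches(r, pkt)), None)


def describe(rule: Optional[NatRule], pkt: Packet) -> str:
    """Render the result in the style of the CLI output quoted in the guide."""
    if rule is None or rule.translated_dst is None:
        return "No destination translation"
    port = rule.translated_port or pkt.dst_port
    return (f"Destination-NAT: Rule matched: {rule.name} "
            f"{pkt.destination}:{pkt.dst_port} => {rule.translated_dst}:{port}")


def _covers(a: NatRule, b: NatRule) -> bool:
    """True if every packet that matches rule b would also match rule a."""
    return (a.from_zone in (ANY, b.from_zone) and a.to_zone in (ANY, b.to_zone)
            and ip_network(b.source).subnet_of(ip_network(a.source))
            and ip_network(b.destination).subnet_of(ip_network(a.destination))
            and a.service_port in (None, b.service_port))


def shadowed_rules(rules) -> list:
    """Names of rules that can never match because an earlier rule covers them:
    the specific-before-general ordering problem the guide describes."""
    return [b.name for i, b in enumerate(rules) if any(_covers(a, b) for a in rules[:i])]


def proxy_arp_reply(pool_addr: str, interface_addr: str) -> bool:
    """The firewall answers ARP for a NAT pool address only when it lies in the
    subnet of the ingress/egress interface (2.2.2.2 vs 2.2.2.3/24 in the text)."""
    return ip_address(pool_addr) in ip_interface(interface_addr).network


# Specific rule from the guide's CLI output, and a constructed general one.
CA2_DEMO = NatRule("CA2-DEMO", "l3-untrust", ANY, destination="66.151.149.20/32",
                   service_port=443, translated_dst="192.168.100.15", translated_port=443)
UNTRUST_WEB = NatRule("Untrust-Web-Block", "l3-untrust", ANY,
                      destination="66.151.149.0/24", translated_dst="192.168.100.20")
PKT = Packet("l3-untrust", "l3-trust", "10.1.1.1", "66.151.149.20", 443)


def demo():
    """Correct order matches CA2-DEMO; reversed order leaves it shadowed."""
    good_order = [CA2_DEMO, UNTRUST_WEB]
    bad_order = [UNTRUST_WEB, CA2_DEMO]
    return describe(first_match(good_order, PKT), PKT), shadowed_rules(bad_order)


if __name__ == "__main__":
    print(demo())
```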
Source NAT and Destination NAT
The firewall supports both source address and/or port translation and destination address and/or port translation.
Source NAT
Source NAT is typically used by internal users to access the Internet; the source address is translated and thereby kept private. There are three types of source NAT:
Dynamic IP and Port (DIPP): Allows multiple hosts to have their source IP addresses translated to the same public IP address with different port numbers. The dynamic translation is to the next available address in the NAT address pool, which you configure as a Translated Address pool to be an IP address, a range of addresses, a subnet, or a combination of these.
As an alternative to using the next address in the NAT address pool, DIPP allows you to specify the address of the interface itself. The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT).
DIPP has a default NAT oversubscription rate, which is the number of times that the same translated IP address and port pair can be used concurrently. For more information, see Dynamic IP and Port NAT Oversubscription and Modify the Oversubscription Rate for DIPP NAT.
Dynamic IP: Allows the one-to-one, dynamic translation of a source IP address only (no port number) to the next available address in the NAT address pool. The size of the NAT pool should be equal to the number of internal hosts that require address translations. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable use of DIPP addresses when necessary. In either event, as sessions terminate and the addresses in the pool become available, they can be allocated to translate new connections.
Dynamic IP NAT supports the option for you to Reserve Dynamic IP NAT Addresses.
Static IP: Allows the 1-to-1, static translation of a source IP address, but leaves the source port unchanged. A common scenario for a static IP translation is an internal server that must be available to the Internet.
Destination NAT
Destination NAT is performed on incoming packets, when the firewall translates a public destination address to a private address. Destination NAT does not use address pools or ranges. It is a 1-to-1, static translation with the option to perform port forwarding or port translation.
Static IP: Allows the 1-to-1, static translation of a destination IP address and optionally the port number.
One common use of destination NAT is to configure several NAT rules that map a single public destination address to several private destination host addresses assigned to servers or services. In this case, the destination port numbers are used to identify the destination hosts. For example:
Port Forwarding: Can translate a public destination address and port number to a private destination address, but keeps the same port number.
Port Translation: Can translate a public destination address and port number to a private destination address and a different port number, thus keeping the real port number private. It is configured by entering a Translated Port on the Translated Packet tab in the NAT policy rule. See the Destination NAT with Port Translation Example.
NAT Rule Capacities
The number of NAT rules allowed is based on the firewall platform. Individual rule limits are set for static, Dynamic IP (DIP), and Dynamic IP and Port (DIPP) NAT. The sum of the number of rules used for these NAT types cannot exceed the total NAT rule capacity. For DIPP, the rule limit is based on the oversubscription setting (8, 4, 2, or 1) of the firewall and the assumption of one translated IP address per rule. To see platform-specific NAT rule limits and translated IP address limits, use the Compare Firewalls tool.
Consider the following when working with NAT rules:
If you run out of pool resources, you cannot create more NAT rules, even if the platform's maximum rule count has not been reached.
If you consolidate NAT rules, the logging and reporting will also be consolidated. The statistics are provided per the rule, not per all of the addresses within the rule. If you need granular logging and reporting, do not combine the rules.
Dynamic IP and Port NAT Oversubscription
Dynamic IP and Port (DIPP) NAT allows you to use each translated IP address and port pair multiple times (8, 4, or 2 times) in concurrent sessions. This reusability of an IP address and port (known as oversubscription) provides scalability for customers who have too few public IP addresses. The design is based on the assumption that hosts are connecting to different destinations, therefore sessions can be uniquely identified and collisions are unlikely. The oversubscription rate in effect multiplies the original size of the address/port pool to 8, 4, or 2 times the size. For example, the default limit of 64K concurrent sessions allowed, when multiplied by an oversubscription rate of 8, results in 512K concurrent sessions allowed.
The oversubscription rates that are allowed vary based on the platform. The oversubscription rate is global; it applies to the firewall. This oversubscription rate is set by default and consumes memory, even if you have enough public IP addresses available to make oversubscription unnecessary. You can reduce the rate from the default setting to a lower setting or even 1 (which means no oversubscription). By configuring a reduced rate, you decrease the number of source device translations possible, but increase the DIP and DIPP NAT rule capacities. To change the default rate, see Modify the Oversubscription Rate for DIPP NAT.
If you select Platform Default, your explicit configuration of oversubscription is turned off and the default oversubscription rate for the platform applies, as shown in the table below. The Platform Default setting allows for an upgrade or downgrade of a software release.
The following table lists the default (highest) oversubscription rate for each platform.
Platform      Default Oversubscription Rate
PA-200        2
PA-500        2
PA-2020       2
PA-2050       2
PA-3020       2
PA-3050       2
PA-3060       2
PA-4020       4
PA-4050       8
PA-4060       8
PA-5020       4
PA-5050       8
PA-5060       8
PA-7050       8
PA-7080       8
VM-100        1
VM-200        1
VM-300        2
VM-1000-HV    2
The firewall supports a maximum of 256 translated IP addresses per NAT rule, and each platform supports a maximum number of translated IP addresses (for all NAT rules combined). If oversubscription causes the maximum translated addresses per rule (256) to be exceeded, the firewall will automatically reduce the oversubscription ratio in an effort to have the commit succeed. However, if your NAT rules result in translations that exceed the maximum translated addresses for the platform, the commit will fail.
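The following is an added illustration, not code from the PAN-OS guide or from Palo Alto Networks, of the oversubscription behaviour described in this section: a toy DIPP translator in which each translated (IP, port) pair may serve up to rate concurrent sessions, but never two sessions toward the same destination, because the reply 4-tuple would then be ambiguous. The pool address 203.0.113.100, the four-port range, the hosts and the destinations are constructed sample values; the capacity arithmetic uses the guide's own figures (64K pairs, rate 8).

```python
# Added example (not from the PAN-OS guide): a toy model of DIPP NAT oversubscription.
# A translated (IP, port) pair may be reused by up to `rate` concurrent sessions, as
# long as each session has a different destination, so that return traffic can still
# be matched to the right internal host. All addresses and ports below are constructed.

def max_concurrent_sessions(pairs, rate):
    """Effective DIPP session capacity: translated address/port pool size times the
    oversubscription rate. With the guide's figures: 65536 pairs * rate 8 = 524288 (512K)."""
    return pairs * rate


class DippTranslator:
    def __init__(self, pool_ips, first_port, last_port, rate):
        if rate not in (1, 2, 4, 8):
            raise ValueError("oversubscription rate must be 8, 4, 2 or 1")
        self.rate = rate
        self.pairs = [(ip, port) for ip in pool_ips
                      for port in range(first_port, last_port + 1)]
        self.in_use = {}     # (xlat_ip, xlat_port) -> number of concurrent sessions
        self.sessions = {}   # (xlat_ip, xlat_port, dst_ip, dst_port) -> (src_ip, src_port)

    def allocate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the translated (ip, port) for a new session, or None if the pool is exhausted."""
        for pair in self.pairs:
            reply_key = pair + (dst_ip, dst_port)
            # The same translated pair must not be used twice toward the same destination:
            # replies from that destination could not be told apart (a collision).
            if reply_key in self.sessions:
                continue
            # Oversubscription: each pair serves at most `rate` sessions at a time.
            if self.in_use.get(pair, 0) >= self.rate:
                continue
            self.sessions[reply_key] = (src_ip, src_port)
            self.in_use[pair] = self.in_use.get(pair, 0) + 1
            return pair
        return None

    def release(self, xlat_ip, xlat_port, dst_ip, dst_port):
        """Session ended: give back one use of the translated pair."""
        key = (xlat_ip, xlat_port, dst_ip, dst_port)
        if key in self.sessions:
            del self.sessions[key]
            self.in_use[(xlat_ip, xlat_port)] -= 1

    def active_sessions(self):
        return len(self.sessions)


def demo():
    """Constructed pool: one public address, four ports, rate 2 -> eight concurrent
    sessions to eight distinct destinations; the ninth request gets None."""
    nat = DippTranslator(["203.0.113.100"], 1024, 1027, rate=2)
    results = []
    for i in range(9):
        results.append(nat.allocate("192.168.1.%d" % (10 + i), 40000 + i,
                                    "198.51.100.%d" % (1 + i), 443))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The model shows why a lower oversubscription rate is the safer choice when public addresses are plentiful: at rate 1 every session gets its own pair and the collision check never fires, while at rate 8 a pool of hosts that all talk to the same destination (a single SaaS front end, say) exhausts the pool eight times faster than the nominal capacity suggests.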
Dataplane NAT Memory Statistics
Configure NAT
Perform the following tasks to configure various aspects of NAT. In addition to the examples below, there are examples in the section NAT Configuration Examples.
Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
Modify the Oversubscription Rate for DIPP NAT
Disable NAT for a Specific Host or Interface
Reserve Dynamic IP NAT Addresses
The NAT example in this section is based on the following topology, which was also used in Getting Started for setting up interfaces and zones:
Based on the topology initially used in Getting Started to create the interfaces and zones, there are three NAT policies we need to create as follows:
To enable the clients on the internal network to access resources on the Internet, the internal 192.168.1.0 addresses will need to be translated to publicly routable addresses. In this case, we will configure source NAT (the purple enclosure and arrow above), using the egress interface address, 203.0.113.100, as the source address in all packets that leave the firewall from the internal zone. See Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT) for instructions.
To enable clients on the internal network to access the public web server in the DMZ zone, we must configure a NAT rule that redirects the packet from the external network, where the original routing table lookup will determine it should go based on the destination address of 203.0.113.11 within the packet, to the actual address of the web server on the DMZ network of 10.1.1.11. To do this you must create a NAT rule from the trust zone (where the source address in the packet is) to the untrust zone (where the original destination address is) to translate the destination address to an address in the DMZ zone. This type of destination NAT is called U-Turn NAT (the yellow enclosure and arrow above). See Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT) for instructions.
To enable the web server, which has both a private IP address on the DMZ network and a public-facing address for access by external users, to both send and receive requests, the firewall must translate the incoming packets from the public IP address to the private IP address and the outgoing packets from the private IP address to the public IP address. On the firewall, you can accomplish this with a single bi-directional static source NAT policy (the green enclosure and arrow above). See Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT).
Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
When a client on your internal network sends a request, the source address in the packet contains the IP address for the client on your internal network. If you use private IP address ranges internally, the packets from the client will not be able to be routed on the Internet unless you translate the source IP address in the packets leaving the network into a publicly routable address.
On the firewall you can do this by configuring a source NAT policy that translates the source address (and optionally the port) into a public address. One way to do this is to translate the source address for all packets to the egress interface on your firewall, as shown in the following procedure.
Configure Source NAT
Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
When a user on the internal network sends a request for access to the corporate web server in the DMZ, the DNS server will resolve it to the public IP address. When processing the request, the firewall will use the original destination in the packet (the public IP address) and route the packet to the egress interface for the untrust zone. In order for the firewall to know that it must translate the public IP address of the web server to an address on the DMZ network when it receives requests from users on the trust zone, you must create a destination NAT rule that will enable the firewall to send the request to the egress interface for the DMZ zone as follows.
Configure U-Turn NAT
Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
When your public-facing servers have private IP addresses assigned on the network segment where they are physically located, you need a source NAT rule to translate the source address of the server to the external address upon egress. You create a static NAT rule to translate the internal source address, 10.1.1.11, to the external web server address, 203.0.113.11 in our example.
However, a public-facing server must be able to both send and receive packets. You need a reciprocal policy that translates the public address (the destination IP address in incoming packets from Internet users) into the private address so that the firewall can route the packet to your DMZ network. You create a bi-directional static NAT rule, as described in the following procedure. Bi-directional translation is an option for static NAT only.
Configure Bi-Directional NAT
Modify the Oversubscription Rate for DIPP NAT
If you have enough public IP addresses that you do not need to use DIPP NAT oversubscription, you can reduce the oversubscription rate and thereby gain more DIP and DIPP NAT rules allowed.
Set NAT Oversubscription
Step 1: View the DIPP NAT oversubscription rate. 1. Select Device > Setup > Session > Session Settings. View the NAT Oversubscription Rate setting.
Disable NAT for a Specific Host or Interface
Both source NAT and destination NAT rules can be configured to disable address translation. You may have exceptions where you do not want NAT to occur for a certain host in a subnet or for traffic exiting a specific interface. The following procedure shows how to disable source NAT for a host.
Create a Source NAT Exemption
NAT rules are processed in order from the top to the bottom, so place the NAT exemption policy before other NAT policies to ensure it is processed before an address translation occurs for the sources you want to exempt.
Reserve Dynamic IP NAT Addresses
You can reserve Dynamic IP NAT addresses (for a configurable period of time) to prevent them from being allocated as translated addresses to a different source IP address that needs translation. When configured, the reservation applies to all of the translated Dynamic IP addresses in progress and any new translations.
For both translations in progress and new translations, when a source IP address is translated to an available translated IP address, that pairing is retained even after all sessions related to that specific source IP are expired. The reservation timer for each source IP address begins after all sessions that use that source IP address translation expire. Dynamic IP NAT is a one-to-one translation; one source IP address translates to one translated IP address that is chosen dynamically from those addresses available in the configured pool. Therefore, a translated IP address that is reserved is not available for any other source IP address until the reservation expires because a new session has not started. The timer is reset each time a new session for a source IP/translated IP mapping begins, after a period when no sessions were active.
By default, no addresses are reserved. You can reserve Dynamic IP NAT addresses for the firewall or for a virtual system.
Reserve Dynamic IP NAT Addresses for a Firewall
Reserve Dynamic IP NAT Addresses for a Virtual System
Step 2: user@device1# set vsys <vsysid> setting nat reserve-time <1-604800 secs>
For example, suppose there is a Dynamic IP NAT pool of 30 addresses and there are 20 translations in progress when the nat reserve-time is set to 28800 seconds (8 hours). Those 20 translations are now reserved, so that when the last session (of any application) that uses each source IP/translated IP mapping expires, the translated IP address is reserved for only that source IP address for 8 hours, in case that source IP address needs translation again. Additionally, as the 10 remaining translated addresses are allocated, they each are reserved for their source IP address, each with a timer that begins when the last session for that source IP address expires.
In this manner, each source IP address can be repeatedly translated to its same NAT address from the pool; another host will not be assigned a reserved translated IP address from the pool, even if there are no active sessions for that translated address.
Suppose a source IP/translated IP mapping has all of its sessions expire, and the reservation timer of 8 hours begins. After a new session for that translation begins, the timer stops, and the sessions continue until they all end, at which point the reservation timer starts again, reserving the translated address.
The reservation timer remains in effect on the Dynamic IP NAT pool until you disable it by entering the set setting nat reserve-ip no command or you change the nat reserve-time to a different value.
The CLI commands for reservations do not affect Dynamic IP and Port (DIPP) or Static IP NAT pools.
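The following is an added model, not code from the PAN-OS guide or from Palo Alto Networks, of the Dynamic IP pool and reservation timer described in this section. Time is a plain number of seconds passed in by the caller rather than a clock; the pool addresses (203.0.113.10 and .11) and the internal hosts are constructed sample values, and the 28800-second reserve-time is the guide's own figure. It reproduces the behaviour in the text: a mapping is kept after its last session ends, the same host gets the same address back and stops the timer, no other host can take the address until the timer runs out, and with no reserve-time (the default) the address returns to the pool immediately.

```python
# Added example (not from the PAN-OS guide): a toy Dynamic IP NAT pool with the
# reserve-time behaviour described above. Addresses, hosts and times are constructed.

class DynamicIpPool:
    def __init__(self, pool, reserve_time=0):
        """reserve_time=0 models the default: nothing is reserved (set setting nat reserve-ip no)."""
        self.free = list(pool)            # translated addresses not currently mapped
        self.reserve_time = reserve_time  # seconds, the guide's nat reserve-time
        self.mapping = {}                 # source IP -> translated IP (one-to-one)
        self.active = {}                  # source IP -> number of active sessions
        self.reserved_until = {}          # source IP -> time the reservation expires

    def _expire_reservations(self, now):
        for src, until in list(self.reserved_until.items()):
            if now >= until:
                self._release(src)

    def _release(self, src):
        """Return the translated address to the pool and forget the mapping."""
        self.free.append(self.mapping.pop(src))
        self.active.pop(src, None)
        self.reserved_until.pop(src, None)

    def session_start(self, src, now):
        """Translated IP for a new session from src, or None if no address is available."""
        self._expire_reservations(now)
        if src in self.mapping:
            # Still active, or reserved for this source: reuse it and stop the timer.
            self.active[src] = self.active.get(src, 0) + 1
            self.reserved_until.pop(src, None)
            return self.mapping[src]
        if not self.free:
            # One-to-one translation: without Dynamic IP/Port Fallback the connection is dropped.
            return None
        xlat = self.free.pop(0)
        self.mapping[src] = xlat
        self.active[src] = 1
        return xlat

    def session_end(self, src, now):
        """When the last session for src ends, start the reservation timer (or free the address)."""
        self.active[src] -= 1
        if self.active[src] > 0:
            return
        if self.reserve_time > 0:
            self.reserved_until[src] = now + self.reserve_time
        else:
            self._release(src)

    def translation_for(self, src):
        return self.mapping.get(src)


if __name__ == "__main__":
    pool = DynamicIpPool(["203.0.113.10", "203.0.113.11"], reserve_time=28800)
    print(pool.session_start("192.168.1.10", 0))      # 203.0.113.10
    pool.session_end("192.168.1.10", 100)             # reserved for 192.168.1.10 until t=28900
    print(pool.session_start("192.168.1.12", 200))    # 203.0.113.11 (only the unreserved address)
    print(pool.session_start("192.168.1.13", 300))    # None: the reserved address is not handed out
```

Operationally the trade-off is the one the guide states: reservations make a host's translated address stable (useful when an upstream allow-list keys on it) at the cost of pool capacity, since a reserved address counts as allocated even with no sessions behind it.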
NAT Configuration Examples
Destination NAT Example: One-to-One Mapping
Destination NAT with Port Translation Example
Destination NAT Example: One-to-Many Mapping
Source and Destination NAT Example
Virtual Wire Source NAT Example
Virtual Wire Static NAT Example
Virtual Wire Destination NAT Example
Destination NAT Example: One-to-One Mapping
The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address).
The addresses in the security policy also refer to the IP address in the original packet (that is, the pre-NAT address). However, the destination zone is the zone where the end host is physically connected. In other words, the destination zone in the security rule is determined after the route lookup of the post-NAT destination IP address.
In the following example of a one-to-one destination NAT mapping, users from the zone named Untrust-L3 access the server 10.1.1.100 in the zone named DMZ using the IP address 1.1.1.100.
Before configuring the NAT rules, consider the sequence of events for this scenario.
Host 1.1.1.250 sends an ARP request for the address 1.1.1.100 (the public address of the destination server).
The firewall receives the ARP request packet for destination 1.1.1.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured.
The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 1.1.1.100 to 10.1.1.100.
After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ.
The firewall performs a security policy lookup to see if the traffic is permitted from zone Untrust-L3 to DMZ.
The direction of the policy matches the ingress zone and the zone where the server is physically located.
The security policy refers to the IP address in the original packet, which has a destination address of 1.1.1.100.
The firewall forwards the packet to the server out egress interface Ethernet1/2. The destination address is changed to 10.1.1.100 as the packet leaves the firewall.
For this example, address objects are configured for webserver-private (10.1.1.100) and Webserver-public (1.1.1.100). The configured NAT rule would look like this:
The direction of the NAT rules is based on the result of route lookup.
The configured security policy to provide access to the server from the Untrust-L3 zone would look like this:
Destination NAT with Port Translation Example
In this example, the web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 and TCP port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 and TCP port 8080. Address objects are configured for webserver-private (10.1.1.100) and Servers-public (1.1.1.100).
The following NAT and security rules must be configured on the firewall:
Destination NAT Example: One-to-Many Mapping
In this example, one IP address maps to two different internal hosts. The firewall uses the application to identify the internal host to which the firewall forwards the traffic.
All HTTP traffic is sent to host 10.1.1.100 and SSH traffic is sent to server 10.1.1.101. The following address objects are required:
Address object for the one pre-translated IP address of the server
Address object for the real IP address of the SSH server
Address object for the real IP address of the web server
The corresponding address objects are created:
Servers-public: 1.1.1.100
SSH-server: 10.1.1.101
webserver-private: 10.1.1.100
The NAT rules would look like this:
The security rules would look like this:
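The following is an added model, not code from the PAN-OS guide or from Palo Alto Networks, of the zone logic that the three destination NAT examples above (one-to-one, port translation and one-to-many) all depend on: the NAT rule's destination zone comes from a route lookup of the pre-NAT address, while the security rule's destination zone comes from a route lookup of the post-NAT address, and both rule types match the original (pre-NAT) destination address and port. The zones, hosts and ports are the ones in the examples; the firewall interface networks (1.1.1.0/24 on ethernet1/1, 10.1.1.0/24 on ethernet1/2), the rule names and the fact that only connected routes are modelled are assumptions.

```python
# Added example, not from the PAN-OS guide: how the firewall picks the destination zone
# for a destination NAT rule (route lookup of the PRE-NAT address) versus for the security
# rule (route lookup of the POST-NAT address). Interface networks and rule names are assumed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    network: ipaddress.IPv4Network     # connected route for this interface


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str                       # zone of the ORIGINAL destination after route lookup
    dst: ipaddress.IPv4Network         # original (pre-NAT) destination address
    service_port: Optional[int]        # None = any
    translated_dst: ipaddress.IPv4Address
    translated_port: Optional[int] = None   # None = port forwarding (port unchanged)


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str                       # zone where the server is physically connected
    dst: ipaddress.IPv4Network         # still the pre-NAT destination address
    service_port: Optional[int]
    action: str


class Firewall:
    def __init__(self, interfaces, nat_rules, security_rules):
        self.interfaces, self.nat_rules, self.security_rules = interfaces, nat_rules, security_rules

    def zone_for(self, ip):
        """Route lookup: longest prefix match over the connected interface networks."""
        best = None
        for itf in self.interfaces:
            if ip in itf.network and (best is None or itf.network.prefixlen > best.network.prefixlen):
                best = itf
        return best.zone if best else None

    def process(self, src, dst, dport):
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        ingress = self.zone_for(src)
        pre_nat_zone = self.zone_for(dst)      # NAT to-zone: route lookup of the original destination
        nat, post_dst, post_port = None, dst, dport
        for r in self.nat_rules:
            if (r.from_zone == ingress and r.to_zone == pre_nat_zone and dst in r.dst
                    and r.service_port in (None, dport)):
                nat, post_dst = r, r.translated_dst
                post_port = dport if r.translated_port is None else r.translated_port
                break
        egress = self.zone_for(post_dst)       # security to-zone: route lookup of the translated destination
        sec, action = None, "deny"
        for s in self.security_rules:
            if (s.from_zone == ingress and s.to_zone == egress and dst in s.dst
                    and s.service_port in (None, dport)):
                sec, action = s, s.action
                break
        return {"nat_rule": nat.name if nat else None, "post_nat_dst": str(post_dst),
                "post_nat_dport": post_port, "egress_zone": egress,
                "security_rule": sec.name if sec else None, "action": action}


def build_example(nat_to_zone="Untrust-L3"):
    """Constructed configuration for the examples above. Pass nat_to_zone="DMZ" to
    reproduce the common mistake of pointing the NAT rule at the post-NAT zone."""
    net, addr = ipaddress.IPv4Network, ipaddress.IPv4Address
    interfaces = [Interface("ethernet1/1", "Untrust-L3", net("1.1.1.0/24")),
                  Interface("ethernet1/2", "DMZ", net("10.1.1.0/24"))]
    nat_rules = [
        NatRule("dnat-web", "Untrust-L3", nat_to_zone, net("1.1.1.100/32"), 80, addr("10.1.1.100"), 8080),
        NatRule("dnat-ssh", "Untrust-L3", nat_to_zone, net("1.1.1.100/32"), 22, addr("10.1.1.101")),
    ]
    security_rules = [
        SecurityRule("allow-web", "Untrust-L3", "DMZ", net("1.1.1.100/32"), 80, "allow"),
        SecurityRule("allow-ssh", "Untrust-L3", "DMZ", net("1.1.1.100/32"), 22, "allow"),
    ]
    return Firewall(interfaces, nat_rules, security_rules)


if __name__ == "__main__":
    fw = build_example()
    print(fw.process("1.1.1.250", "1.1.1.100", 80))   # web: 10.1.1.100:8080, egress zone DMZ, allow
    print(fw.process("1.1.1.250", "1.1.1.100", 22))   # ssh: 10.1.1.101:22, egress zone DMZ, allow
    print(build_example("DMZ").process("1.1.1.250", "1.1.1.100", 80))   # misconfigured: no NAT match
```

The misconfigured variant is the failure mode the section warns about: a NAT rule written Untrust-L3 to DMZ never matches, the packet keeps its public destination, the route lookup sends it back out the untrust side, and the security rule (which expects zone DMZ) does not match either, so the traffic is silently denied rather than translated.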
Source and Destination NAT Example
In this example, NAT rules translate both the source and destination IP address of packets between the clients and the server.
Source NAT: The source addresses in the packets from the clients in the Trust-L3 zone to the server in the Untrust-L3 zone are translated from the private addresses in the network 192.168.1.0/24 to the IP address of the egress interface on the firewall (10.16.1.103). Dynamic IP and Port translation causes the port numbers to be translated also.
Destination NAT: The destination addresses in the packets from the clients to the server are translated from the server's public address (80.80.80.80) to the server's private address (10.2.133.15).
The following address objects are created for destination NAT.
Server-PreNAT: 80.80.80.80
Server-postNAT: 10.2.133.15
The following screenshots illustrate how to configure the source and destination NAT policies for the example.
Virtual Wire Source NAT Example
Virtual wire deployment of a Palo Alto Networks firewall includes the benefit of providing security transparently to the end devices. It is possible to configure NAT for interfaces configured in a virtual wire. All of the NAT types are allowed: source NAT (Dynamic IP, Dynamic IP and Port, static) and destination NAT.
Because interfaces in a virtual wire do not have an IP address assigned, it is not possible to translate an IP address to an interface IP address. You must configure an IP address pool.
When performing NAT on virtual wire interfaces, it is recommended that you translate the source address to a different subnet than the one on which the neighboring devices are communicating. The firewall will not proxy ARP for NAT addresses. Proper routing must be configured on the upstream and downstream routers in order for the packets to be translated in virtual wire mode. Neighboring devices will only be able to resolve ARP requests for IP addresses that reside on the interface of the device on the other end of the virtual wire. See Proxy ARP for NAT Address Pools for more explanation about proxy ARP.
In the source NAT and static NAT examples below, security policies (not shown) are configured from the virtual wire zone named vw-trust to the zone named vw-untrust.
In the following topology, two routers are configured to provide connectivity between subnets 1.1.1.0/24 and 3.1.1.0/24. The link between the routers is configured in subnet 2.1.1.0/30. Static routing is configured on both routers to establish connectivity between the networks. Before the firewall is deployed in the environment, the topology and the routing table for each router look like this:
Route on R1:
Destination    Next Hop
3.1.1.0/24     2.1.1.2
Route on R2:
Destination    Next Hop
1.1.1.0/24     2.1.1.1
Now the firewall is deployed in virtual wire mode between the two Layer 3 devices. All communications from clients in network 1.1.1.0/24 accessing servers in network 3.1.1.0/24 are translated to an IP address in the range 2.1.1.9-2.1.1.14. A NAT IP address pool with range 2.1.1.9-2.1.1.14 is configured on the firewall.
All connections from the clients in subnet 1.1.1.0/24 will arrive at router R2 with a translated source address in the range 2.1.1.9-2.1.1.14. The response from servers will be directed to these addresses. In order for source NAT to work, you must configure proper routing on router R2, so that packets destined for other addresses are not dropped. The routing table below shows the modified routing table on router R2. The route ensures the traffic to the destinations 2.1.1.9-2.1.1.14 (that is, hosts on subnet 2.1.1.8/29) will be sent back through the firewall to router R1.
Route on R2:
Destination    Next Hop
2.1.1.8/29     2.1.1.1
Virtual Wire Static NAT Example
In this example, security policies are configured from the virtual wire zone named Trust to the virtual wire zone named Untrust. Host 1.1.1.100 is statically translated to address 2.1.1.100. With the Bi-directional option enabled, the firewall generates a NAT policy from the Untrust zone to the Trust zone. Clients on the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Any connections initiated by the server at 1.1.1.100 are translated to source IP address 2.1.1.100.
Route on R2:
Destination    Next Hop
2.1.1.100/32   2.1.1.1
Virtual Wire Destination NAT Example
Clients in the Untrust zone access the server using the IP address 2.1.1.100, which the firewall translates to 1.1.1.100. Both the NAT and security policies must be configured from the Untrust zone to the Trust zone.
Route on R2:
Destination    Next Hop
2.1.1.100/32   2.1.1.1
NPTv6
IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). There are four primary benefits of NPTv6:
You can prevent the asymmetrical routing problems that result from Provider Independent addresses being advertised from multiple data centers.
NPTv6 allows more specific routes to be advertised so that return traffic arrives at the same firewall that transmitted the traffic.
Private and public addresses are independent; you can change one without affecting the other.
You have the ability to translate Unique Local Addresses to globally routable addresses.
This topic builds on a basic understanding of NAT. You should be sure you are familiar with NAT concepts before configuring NPTv6.
NPTv6 Overview
How NPTv6 Works
NDP Proxy
NPTv6 and NDP Proxy Example
Create an NPTv6 Policy
NPTv6 Overview
This section describes IPv6-to-IPv6 Network Prefix Translation (NPTv6) and how to configure it. NPTv6 is defined in RFC 6296. Palo Alto Networks does not implement all functionality defined in the RFC, but is compliant with the RFC in the functionality it has implemented.
NPTv6 performs stateless translation of one IPv6 prefix to another IPv6 prefix. It is stateless, meaning that it does not keep track of ports or sessions on the addresses translated. NPTv6 differs from NAT66, which is stateful. Palo Alto Networks supports NPTv6 RFC 6296 prefix translation; it does not support NAT66.
With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4 addresses to one or more globally routable IPv4 addresses.
For organizations using IPv6 addressing, there is no need to translate IPv6 addresses to IPv6 addresses due to the abundance of IPv6 addresses. However, there are Reasons to Use NPTv6 to translate IPv6 prefixes at the firewall.
NPTv6 translates the prefix portion of an IPv6 address but not the host portion or the application port numbers. The host portion is simply copied, and therefore remains the same on either side of the firewall. The host portion also remains visible within the packet header.
NPTv6 Does Not Provide Security
Platform Support for NPTv6
Unique Local Addresses
Reasons to Use NPTv6
NPTv6 Does Not Provide Security
It is important to understand that NPTv6 does not provide security. In general, stateless network address translation does not provide any security; it provides an address translation function. NPTv6 does not hide or translate port numbers. You must set up firewall security policies correctly in each direction to ensure that traffic is controlled as you intended.
Platform Support for NPTv6
NPTv6 is supported on the following platforms (NPTv6 with hardware lookup but packets go through the CPU): PA-7000 Series, PA-5000 Series, PA-4000 Series, PA-3050 firewall, and PA-2000 Series. Platforms supported with no ability to have hardware perform a session lookup: PA-3020 firewall, PA-500 firewall, PA-200 firewall, and VM-Series.
Unique Local Addresses
RFC 4193, Unique Local IPv6 Unicast Addresses, defines unique local addresses (ULAs), which are IPv6 unicast addresses. They can be considered IPv6 equivalents of the private IPv4 addresses identified in RFC 1918, Address Allocation for Private Internets, which cannot be routed globally.
A ULA is globally unique, but not expected to be globally routable. It is intended for local communications and to be routable in a limited area such as a site or among a small number of sites. Palo Alto Networks does not recommend that you assign ULAs, but a firewall configured with NPTv6 will translate prefixes sent to it, including ULAs.
Reasons to Use NPTv6
Although there is no shortage of public, globally routable IPv6 addresses, there are reasons you might want to translate IPv6 addresses. NPTv6:
Prevents asymmetrical routing: Asymmetric routing can occur if a Provider Independent address space (/48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall where the source IP address was translated by the translator.
Provides address independence: You need not change the IPv6 prefixes used inside your local network if the global prefixes are changed (for example, by an ISP or as a result of merging organizations). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the Internet. In either case, you update a NAT rule rather than reassign network addresses.
Translates ULAs for routing: You can have Unique Local Addresses assigned within your private network, and have the firewall translate them to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.
Reduces exposure to IPv6 prefixes: IPv6 prefixes are less exposed than if you didn't translate network prefixes; however, NPTv6 is not a security measure. The interface identifier portion of each IPv6 address is not translated; it remains the same on each side of the firewall and visible to anyone who can see the packet header. Additionally, the prefixes are not secure; they can be determined by others.
How NPTv6 Works
When you configure a policy for NPTv6, the Palo Alto Networks firewall performs a static, one-to-one IPv6 translation in both directions. The translation is based on the algorithm described in RFC 6296.
In one use case, the firewall performing NPTv6 is located between an internal network and an external network (such as the Internet) that uses globally routable prefixes. When datagrams are going in the outbound direction, the internal source prefix is replaced with the external prefix; this is known as source translation.
In another use case, when datagrams are going in the inbound direction, the destination prefix is replaced with the internal prefix (known as destination translation). The figure below illustrates destination translation and a characteristic of NPTv6: only the prefix portion of an IPv6 address is translated. The host portion of the address is not translated and remains the same on either side of the firewall. In the figure below, the host identifier is 111::55 on both sides of the firewall.
It is important to understand that NPTv6 does not provide security. While you are planning your NPTv6 NAT policies, remember also to configure security policies in each direction.
A NAT or NPTv6 policy rule cannot have both the Source Address and the Translated Address set to Any.
In an environment where you want IPv6 prefix translation, three firewall features work together: NPTv6 NAT policies, security policies, and NDP Proxy.
The firewall does not translate the following:
Addresses that the firewall has in its Neighbor Discovery (ND) cache.
The subnet 0xFFFF (in accordance with RFC 6296, Appendix B).
IP multicast addresses.
IPv6 addresses with a prefix length of /31 or shorter.
Link-local addresses. If the firewall is operating in virtual wire mode, there are no IP addresses to translate, and the firewall does not translate link-local addresses.
Addresses for TCP sessions that authenticate peers using the TCP Authentication Option (RFC 5925).
When using NPTv6, performance for fastpath traffic is impacted because NPTv6 is performed in the slow path.
NPTv6 will work with IPSec IPv6 only if the firewall is originating and terminating the tunnel. Transit IPSec traffic would fail because the source and/or destination IPv6 address would be modified. A NAT traversal technique that encapsulates the packet would allow IPSec IPv6 to work with NPTv6.
Checksum-Neutral Mapping
Bi-Directional Translation
NPTv6 Applied to a Specific Service
Checksum-Neutral Mapping
The NPTv6 mapping translations that the firewall performs are checksum-neutral, meaning that "...they result in IP headers that will generate the same IPv6 pseudo-header checksum when the checksum is calculated using the standard Internet checksum algorithm [RFC 1071]." See RFC 6296, Section 2.6, for more information about checksum-neutral mapping.
If you are using NPTv6 to perform destination NAT, you can provide the internal IPv6 address and the external prefix/prefix length of the firewall interface in the syntax of the test nptv6 CLI command. The CLI responds with the checksum-neutral, public IPv6 address to use in your NPTv6 configuration to reach that destination.
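The following is an added worked example of the checksum-neutral mapping from RFC 6296 that this section refers to; it is not code from the PAN-OS guide, from Palo Alto Networks, or from the test nptv6 command, and it is assumed (not confirmed by the guide) that the firewall's result for a given internal address and external prefix equals what the RFC algorithm produces. The prefixes and addresses are constructed samples (fdda:7a3e::/48 inside, 2001:db8::/48 outside, loosely modelled on the NDP Proxy figure later in this chapter). The adjustment is the one's complement difference between the sums of the two prefixes' 16-bit words; it is added to the subnet word (bits 48-63) for prefixes of /48 or shorter, or to the first interface-identifier word that is not 0xFFFF for longer prefixes, and a result of 0xFFFF (negative zero) is written as 0x0000. The code also refuses to translate an internal subnet of 0xFFFF, which the guide lists as untranslated, because it would collide with subnet 0 after adjustment.

```python
# Added example (not from the PAN-OS guide): the RFC 6296 checksum-neutral prefix mapping.
# Prefixes and addresses below are constructed sample values.
import ipaddress


def _ones_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _ones_neg(a):
    return a ^ 0xFFFF


def _words(value):
    """The eight 16-bit words of a 128-bit address, most significant first."""
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _from_words(words):
    value = 0
    for w in words:
        value = (value << 16) | w
    return value


def ones_complement_sum(addr):
    """One's complement sum of an address's words: the quantity a checksum-neutral
    mapping preserves, so the pseudo-header checksum needs no rewriting."""
    total = 0
    for w in _words(int(ipaddress.IPv6Address(addr))):
        total = _ones_add(total, w)
    return total


class NPTv6Translator:
    def __init__(self, internal_prefix, external_prefix):
        self.internal = ipaddress.IPv6Network(internal_prefix)   # strict: host bits must be zero
        self.external = ipaddress.IPv6Network(external_prefix)
        if self.internal.prefixlen != self.external.prefixlen or self.internal.prefixlen > 64:
            raise ValueError("prefixes must share one length of at most /64")
        # RFC 6296 section 3.1: adjustment = sum(internal prefix) - sum(external prefix)
        int_sum = ones_complement_sum(self.internal.network_address)
        ext_sum = ones_complement_sum(self.external.network_address)
        self.adjustment = _ones_add(int_sum, _ones_neg(ext_sum))

    def _map(self, addr, src_net, dst_net, adjustment):
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            raise ValueError("%s is not in %s" % (a, src_net))
        host_mask = (1 << (128 - src_net.prefixlen)) - 1
        # Replace the prefix bits, keep the host bits untouched.
        words = _words((int(dst_net.network_address) & ~host_mask) | (int(a) & host_mask))
        if src_net.prefixlen <= 48:
            idx = 3                                   # subnet word, bits 48-63
        else:
            free = [i for i in range(4, 8) if words[i] != 0xFFFF]
            if not free:
                raise ValueError("no IID word available for the checksum adjustment")
            idx = free[0]                             # first IID word that is not 0xFFFF
        result = _ones_add(words[idx], adjustment)
        words[idx] = 0x0000 if result == 0xFFFF else result   # negative zero is written as 0
        return str(ipaddress.IPv6Address(_from_words(words)))

    def outbound(self, internal_addr):
        """Internal -> external (source translation on egress)."""
        if self.internal.prefixlen <= 48 and _words(int(ipaddress.IPv6Address(internal_addr)))[3] == 0xFFFF:
            raise ValueError("subnet 0xFFFF is not translated (RFC 6296, Appendix B)")
        return self._map(internal_addr, self.internal, self.external, self.adjustment)

    def inbound(self, external_addr):
        """External -> internal (destination translation on ingress): add the negated adjustment."""
        return self._map(external_addr, self.external, self.internal, _ones_neg(self.adjustment))


if __name__ == "__main__":
    t = NPTv6Translator("fdda:7a3e::/48", "2001:db8::/48")
    print(hex(t.adjustment))                       # 0x4a60
    print(t.outbound("fdda:7a3e::1"))              # 2001:db8:0:4a60::1
    print(t.inbound("2001:db8:0:4a60::1"))         # fdda:7a3e::1
```

The example makes visible what the section's wording implies: the translated address is not simply the external prefix glued onto the old host part, so an address object created for a destination NAT rule has to carry the adjusted subnet word, and the ones_complement_sum check is a quick way to confirm that a candidate public address is in fact checksum-neutral for a given internal address.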
Bi-Directional Translation
When you Create an NPTv6 Policy, the Bi-directional option in the Translated Packet tab provides a convenient way for you to have the firewall create a corresponding NAT or NPTv6 translation in the opposite direction of the translation you configured. By default, Bi-directional translation is disabled.
If you enable Bi-directional translation, it is very important to make sure you have security policies in place to control the traffic in both directions. Without such policies, the Bi-directional feature will allow packets to be automatically translated in both directions, which you might not want.
NPTv6 Applied to a Specific Service
The Palo Alto Networks implementation of NPTv6 offers the ability to filter packets to limit which packets are subject to translation. Keep in mind that NPTv6 does not perform port translation. There is no concept of Dynamic IP and Port (DIPP) translation because NPTv6 translates IPv6 prefixes only. However, you can specify that only packets for a certain service port undergo NPTv6 translation. To do so, Create an NPTv6 Policy that specifies a Service in the Original Packet.
NDP Proxy
Neighbor Discovery Protocol (NDP) for IPv6 performs functions similar to those provided by Address Resolution Protocol (ARP) for IPv4. RFC 4861 defines Neighbor Discovery for IP version 6 (IPv6). Hosts, routers, and firewalls use NDP to determine the link-layer addresses of neighbors on connected links, to keep track of which neighbors are reachable, and to update neighbors' link-layer addresses that have changed. Peers advertise their own MAC address and IPv6 address, and they also solicit addresses from peers.
NDP also supports the concept of proxy, when a node has a neighboring device that is able to forward packets on behalf of the node. The device (firewall) performs the role of NDP Proxy.
Palo Alto Networks firewalls support NDP and NDP Proxy on their interfaces. When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall. You can also configure addresses for which the firewall will not respond to proxy requests (negated addresses).
In fact, NDP is enabled by default, and you need to configure NDP Proxy when you configure NPTv6, for the following reasons:
The stateless nature of NPTv6 requires a way to instruct the firewall to respond to ND packets sent to specified NDP Proxy addresses, and to not respond to negated NDP Proxy addresses.
It is recommended that you negate your neighbors' addresses in the NDP Proxy configuration, because NDP Proxy indicates the firewall will reach those addresses behind the firewall, but the neighbors are not behind the firewall.
NDP causes the firewall to save the MAC addresses and IPv6 addresses of neighbors in its ND cache. (Refer to the figure in NPTv6 and NDP Proxy Example.) The firewall does not perform NPTv6 translation for addresses that it finds in its ND cache because doing so could introduce a conflict. If the host portion of an address in the cache happens to overlap with the host portion of a neighbor's address, and the prefix in the cache is translated to the same prefix as that of the neighbor (because the egress interface on the firewall belongs to the same subnet as the neighbor), then you would have a translated address that is exactly the same as the legitimate IPv6 address of the neighbor, and a conflict occurs. (If an attempt to perform NPTv6 translation occurs on an address in the ND cache, an informational syslog message logs the event: NPTv6 Translation Failed.)
When an interface with NDP Proxy enabled receives an ND solicitation requesting a MAC address for an IPv6 address, the following sequence occurs:
The firewall searches the ND cache to ensure the IPv6 address from the solicitation is not there. If the address is there, the firewall ignores the ND solicitation.
If the source IPv6 address is 0, that means the packet is a Duplicate Address Detection packet, and the firewall ignores the ND solicitation.
The firewall does a Longest Prefix Match search of the NDP Proxy addresses and finds the best match to the address in the solicitation. If the Negate field for the match is checked (in the NDP Proxy list), the firewall drops the ND solicitation.
Only if the Longest Prefix Match search matches, and that matched address is not negated, will the NDP Proxy respond to the ND solicitation. The firewall responds with an ND packet, providing its own MAC address as the MAC address of the next hop toward the queried destination.
In order to successfully support NDP, the firewall does not perform NDP Proxy for the following:
Duplicate Address Detection (DAD).
Addresses in the ND cache (because such addresses do not belong to the firewall; they belong to discovered neighbors).
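The following is an added model, not code from the PAN-OS guide or from Palo Alto Networks, of the four-step decision just described: ND-cache check, Duplicate Address Detection check, Longest Prefix Match over the NDP Proxy list with its Negate flag, and only then a response carrying the firewall's own MAC. The ND cache contents (the three untrust peers 2001:db8::1, ::2 and ::3 from the figure in the next section), the proxied prefix 2001:db8::/64 and the negated neighbor 2001:db8::fe are constructed sample values; the return strings are this example's labels, not firewall log text.

```python
# Added example (not from the PAN-OS guide): the NDP Proxy decision sequence for an
# incoming Neighbor Solicitation. Cache contents and proxy entries are constructed.
import ipaddress

UNSPECIFIED = ipaddress.IPv6Address("::")


def ndp_proxy_decision(target, source, nd_cache, proxy_entries):
    """Decide how an NDP-Proxy-enabled interface treats a solicitation for `target`.

    nd_cache: set of IPv6Address learned as neighbors.
    proxy_entries: list of (IPv6Network, negate) pairs, as in the NDP Proxy list.
    Returns "ignore-in-cache", "ignore-dad", "drop-negated", "no-match" or "respond".
    """
    target = ipaddress.IPv6Address(target)
    source = ipaddress.IPv6Address(source)
    # 1. A discovered neighbor is never proxied: it is not behind the firewall.
    if target in nd_cache:
        return "ignore-in-cache"
    # 2. Unspecified source means Duplicate Address Detection; the proxy stays silent.
    if source == UNSPECIFIED:
        return "ignore-dad"
    # 3. Longest Prefix Match over the proxy list.
    best = None
    for net, negate in proxy_entries:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negate)
    if best is None:
        return "no-match"
    if best[1]:
        return "drop-negated"
    # 4. Only a non-negated best match is answered with the firewall's own MAC address.
    return "respond"


def build_example():
    """Constructed data modelled on the guide's figure: three discovered untrust peers,
    the proxied /64, and one neighbor (a router, say) explicitly negated."""
    nd_cache = {ipaddress.IPv6Address(a) for a in ("2001:db8::1", "2001:db8::2", "2001:db8::3")}
    proxy_entries = [
        (ipaddress.IPv6Network("2001:db8::/64"), False),    # prefix the firewall proxies for
        (ipaddress.IPv6Network("2001:db8::fe/128"), True),  # neighbor negated, as recommended
    ]
    return nd_cache, proxy_entries


def example_decision(target, source="2001:db8::50"):
    nd_cache, proxy_entries = build_example()
    return ndp_proxy_decision(target, source, nd_cache, proxy_entries)


if __name__ == "__main__":
    for t in ("2001:db8::100", "2001:db8::1", "2001:db8::fe", "2001:db8:1::100"):
        print(t, example_decision(t))
    print("DAD", example_decision("2001:db8::100", source="::"))
```

The negated /128 wins the Longest Prefix Match against the /64, which is exactly why the guide recommends negating neighbor addresses: without that entry the firewall would answer solicitations for a neighbor that has not yet made it into the ND cache and claim traffic that belongs on the untrust side.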
NPTv6 and NDP Proxy Example
The following figure and text illustrate how NPTv6 and NDP Proxy function together.
The ND Cache in NPTv6 Example
In the example, multiple peers connect to the firewall through a switch, with ND occurring between the peers and the switch, between the switch and the firewall, and between the firewall and the devices on the trust side.
As the firewall learns of peers, it saves their addresses to its ND cache. Trusted peers FDDA:7A3E::1, FDDA:7A3E::2, and FDDA:7A3E::3 are connected to the firewall on the trust side. FDDA:7A3E::99 is the untranslated address of the firewall itself; its public-facing address is 2001:DB8::99. The addresses of the peers on the untrust side have been discovered and appear in the ND cache: 2001:DB8::1, 2001:DB8::2, and 2001:DB8::3.
The NDP Proxy in NPTv6 Example
In this scenario, we want the firewall to act as NDP Proxy for the prefixes on devices behind the firewall. When the firewall is NDP Proxy for a specified set of addresses, ranges, or prefixes, and it sees an address from this range in an ND solicitation or advertisement, the firewall will respond as long as a device with that specific address doesn't respond first, the address is not negated in the NDP Proxy configuration, and the address is not in the ND cache. The firewall does the prefix translation (described below) and sends the packet to the trust side, where that address might or might not be assigned to a device.
In this example, the NDP Proxy table contains the network address 2001:DB8::0. When the interface sees an ND for 2001:DB8::100, no other device on the L2 switch claims the packet, so the proxy range causes the firewall to claim it, and after translation to FDDA:7A3E::100, the firewall sends it out to the trust side.
The NPTv6 Translation in NPTv6 Example
Neighbors in the ND Cache are Not Translated
In this example, there are hosts behind the firewall with host identifiers :1, :2, and :3. If the prefixes of those hosts are translated to a prefix that exists beyond the firewall, and if the devices beyond the firewall also have host identifiers :1, :2, and :3, then because the host identifier portion of the address remains unchanged, the resulting translated address would belong to the existing device, and an addressing conflict would result. To avoid a conflict with overlapping host identifiers, NPTv6 does not translate addresses that it finds in its ND cache.
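The two decision procedures described above (the NDP Proxy solicitation sequence and the NPTv6 refusal to translate ND-cache entries) are modeled in the following added example. It is illustration code written for this page, not PAN-OS code. It uses the addresses of the worked example; the firewall's MAC address, the negated /120 proxy entry and the sample solicitations are assumptions, and the translation is a plain prefix swap that leaves the host identifier untouched (the checksum-neutral word adjustment of RFC 6296 is not modeled, because the text above describes the host portion as unchanged).

```python
# Added example (not PAN-OS code): models the ND-solicitation handling sequence
# of an NDP Proxy interface and the NPTv6 prefix swap with its ND-cache conflict
# check, using the addresses of the example above. The firewall MAC, the
# negated /120 proxy entry and the sample solicitations are assumptions.
import ipaddress
from dataclasses import dataclass, field

UNSPECIFIED = ipaddress.IPv6Address("::")   # source address of a DAD solicitation


@dataclass
class ProxyEntry:
    network: ipaddress.IPv6Network
    negate: bool = False


@dataclass
class Firewall:
    own_mac: str
    nd_cache: set = field(default_factory=set)        # discovered neighbors
    proxy_table: list = field(default_factory=list)   # NDP Proxy entries, any order
    # NPTv6 mapping for this example: untrust prefix <-> trust prefix, same length
    untrust_prefix: ipaddress.IPv6Network = ipaddress.IPv6Network("2001:db8::/64")
    trust_prefix: ipaddress.IPv6Network = ipaddress.IPv6Network("fdda:7a3e::/64")

    def handle_solicitation(self, src, target):
        """Return (decision, detail) for an ND solicitation asking for target."""
        src = ipaddress.IPv6Address(src)
        target = ipaddress.IPv6Address(target)
        # 1. Addresses already learned belong to real neighbors: never proxy them.
        if target in self.nd_cache:
            return "ignore", "target is in ND cache"
        # 2. A solicitation from :: is Duplicate Address Detection: never answer.
        if src == UNSPECIFIED:
            return "ignore", "DAD (unspecified source)"
        # 3. Longest Prefix Match over the proxy table, then honour Negate.
        matches = [e for e in self.proxy_table if target in e.network]
        if not matches:
            return "ignore", "no NDP Proxy entry matches"
        best = max(matches, key=lambda e: e.network.prefixlen)
        if best.negate:
            return "drop", "best match %s is negated" % best.network
        # 4. Non-negated best match: answer with the firewall's own MAC.
        return "respond", self.own_mac

    def translate_to_trust(self, addr):
        """NPTv6 untrust->trust prefix swap; the host identifier is left unchanged.

        Plain prefix swap only: the checksum-neutral word adjustment of RFC 6296
        is deliberately omitted because the text above describes the host
        portion as unchanged.
        """
        addr = ipaddress.IPv6Address(addr)
        if addr in self.nd_cache:
            # The firewall logs "NPTv6 Translation Failed" for this case.
            raise ValueError("NPTv6 Translation Failed: %s is in the ND cache" % addr)
        if addr not in self.untrust_prefix:
            raise ValueError("%s is not in %s" % (addr, self.untrust_prefix))
        host_bits = 128 - self.untrust_prefix.prefixlen
        host_part = int(addr) & ((1 << host_bits) - 1)
        return ipaddress.IPv6Address(int(self.trust_prefix.network_address) | host_part)


def example_firewall():
    """The ND cache and proxy table of the worked example (negated entry assumed)."""
    fw = Firewall(own_mac="00:1b:17:00:00:01")    # assumed firewall MAC
    for a in ("fdda:7a3e::1", "fdda:7a3e::2", "fdda:7a3e::3",
              "2001:db8::1", "2001:db8::2", "2001:db8::3"):
        fw.nd_cache.add(ipaddress.IPv6Address(a))
    fw.proxy_table = [
        ProxyEntry(ipaddress.IPv6Network("2001:db8::/64")),                    # the 2001:DB8::0 entry
        ProxyEntry(ipaddress.IPv6Network("2001:db8::ff00/120"), negate=True),  # assumed negated range
    ]
    return fw


if __name__ == "__main__":
    fw = example_firewall()
    print(fw.handle_solicitation("2001:db8::a", "2001:db8::100"))   # respond with own MAC
    print(fw.handle_solicitation("::", "2001:db8::100"))            # ignore: DAD
    print(fw.handle_solicitation("2001:db8::a", "2001:db8::1"))     # ignore: in ND cache
    print(fw.translate_to_trust("2001:db8::100"))                   # fdda:7a3e::100
```

The order of the checks matters: the ND-cache test runs before the prefix match, so a cached neighbor such as 2001:DB8::1 is never answered even though it falls inside the proxied /64, and a more specific negated entry beats a shorter non-negated one because the match is longest-prefix.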
Create an NPTv6 Policy
Perform this task when you want to configure a NAT NPTv6 policy to translate one IPv6 prefix to another IPv6 prefix. The prerequisites for this task are:
- Enable IPv6. Select Device > Setup > Session, click Edit, and select IPv6 Firewalling.
- Configure a Layer 3 Ethernet interface with a valid IPv6 address and with IPv6 enabled. Select Network > Interfaces > Ethernet, select an interface, and on the IPv6 tab, select Enable IPv6 on the interface.
- Create network security policies, because NPTv6 does not provide security.
- Decide whether you want source translation, destination translation, or both.
- Identify the zones to which you want to apply the NPTv6 policy.
- Identify your original and translated IPv6 prefixes.
Configure an NPTv6 Policy
ECMP
Equal Cost Multiple Path (ECMP) processing is a networking feature that enables the firewall to use up to four equal-cost routes to the same destination. Without this feature, if there are multiple equal-cost routes to the same destination, the virtual router chooses one of those routes from the routing table and adds it to its forwarding table; it will not use any of the other routes unless there is an outage in the chosen route. Enabling ECMP functionality on a virtual router allows the firewall to have up to four equal-cost paths to a destination in its forwarding table, allowing the firewall to:
- Load balance flows (sessions) to the same destination over multiple equal-cost links.
- Efficiently use all available bandwidth on links to the same destination rather than leave some links unused.
- Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than having to wait for the routing protocol or RIB table to elect an alternative path/route. This can help reduce downtime when links fail.
For information about ECMP path selection when an HA peer fails, see ECMP in Active/Active HA Mode.
The following sections describe ECMP and how to configure it.
- ECMP Load Balancing Algorithms
- ECMP Platform, Interface, and IP Routing Support
- Configure ECMP on a Virtual Router
- Enable ECMP for Multiple BGP Autonomous Systems
- Verify ECMP
ECMP Load Balancing Algorithms
Suppose the Routing Information Base (RIB) of the firewall has multiple equal-cost paths to a single destination. The maximum number of equal-cost paths defaults to 2. ECMP chooses the best two equal-cost paths from the RIB to copy to the Forwarding Information Base (FIB). ECMP then determines, based on the load-balancing method, which of the two paths in the FIB the firewall will use for the destination during a given session.
ECMP load balancing is done at the session level, not at the packet level: the firewall (ECMP) chooses an equal-cost path at the start of a new session, and the packets of that session follow it. The equal-cost paths to a single destination are considered ECMP path members or ECMP group members. ECMP determines which one of the multiple paths to a destination in the FIB to use for an ECMP flow, based on which load-balancing algorithm you set. A virtual router can use only one load-balancing algorithm.
Enabling, disabling, or changing ECMP on an existing virtual router causes the system to restart the virtual router, which might cause existing sessions to be terminated.
The four algorithm choices emphasize different priorities, as follows:
- Hash-based algorithms prioritize session stickiness. The IP Modulo and IP Hash algorithms use hashes based on information in the packet header, such as source and destination address. Because the header of each flow in a given session contains the same source and destination information, these options
- Weighted round robin prioritizes link capacity. Assign lower-speed or lower-capacity links a lower weight; assign higher-speed or higher-capacity links a higher weight. In this manner, the firewall can distribute sessions based on these ratios, rather than overdrive a low-capacity link that is one of the equal-cost paths.
Keep in mind that ECMP weights are assigned to interfaces to determine load balancing (to influence which equal-cost path is chosen), not for route selection (a route choice from routes that could have different costs).
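The session-level selection described above is modeled in the following added example, which is illustration code for this page and not PAN-OS code. It shows a hash-based choice (every packet of one session lands on the same member), weighted round robin (new sessions spread in proportion to interface weights) and the immediate shift of new sessions away from a failed member. The interface names, weights and sample flows are assumptions; the hash function is a stand-in for whatever the firewall uses internally.

```python
# Added example (not PAN-OS code): a model of session-level ECMP path selection
# over a group of up to four equal-cost paths. It shows a hash-based choice
# (every packet of one session lands on the same path), weighted round robin
# (sessions spread in proportion to interface weights) and the immediate shift
# of new sessions away from a failed member. Interface names, weights and the
# sample flows are assumptions.
import hashlib

MAX_PATH = 4   # ECMP keeps at most four equal-cost paths per destination in the FIB


class EcmpGroup:
    def __init__(self, members):
        """members: list of (egress_interface, weight). Weights only steer WRR."""
        if not 1 <= len(members) <= MAX_PATH:
            raise ValueError("an ECMP group holds 1 to %d paths" % MAX_PATH)
        self.members = list(members)
        self.down = set()
        self._wrr_pos = 0   # position in the weight-expanded round-robin schedule

    def active(self):
        return [m for m in self.members if m[0] not in self.down]

    def link_failed(self, iface):
        """Take a member out; new sessions use the remaining paths at once."""
        self.down.add(iface)

    def ip_hash(self, src, dst, sport=0, dport=0):
        """Session-sticky choice: hash of header fields modulo the live paths."""
        paths = self.active()
        if not paths:
            raise RuntimeError("no ECMP path is up")
        key = ("%s|%s|%d|%d" % (src, dst, sport, dport)).encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(paths)
        return paths[idx][0]

    def weighted_round_robin(self):
        """Each new session takes the next slot of a schedule built from weights."""
        schedule = [iface for iface, w in self.active() for _ in range(w)]
        if not schedule:
            raise RuntimeError("no ECMP path is up")
        iface = schedule[self._wrr_pos % len(schedule)]
        self._wrr_pos += 1
        return iface


def wrr_distribution(group, n_sessions):
    """How n new sessions spread over the members under weighted round robin."""
    counts = {}
    for _ in range(n_sessions):
        iface = group.weighted_round_robin()
        counts[iface] = counts.get(iface, 0) + 1
    return counts


# Constructed sample flows: (src, dst, sport, dport)
SAMPLE_FLOWS = [
    ("10.1.1.10", "198.51.100.20", 51000, 443),
    ("10.1.1.11", "198.51.100.20", 51001, 443),
    ("10.1.1.12", "198.51.100.20", 51002, 53),
]


def hash_paths(group, flows=SAMPLE_FLOWS):
    """Map each flow to its path; the same flow always yields the same path."""
    return {f: group.ip_hash(*f) for f in flows}


if __name__ == "__main__":
    g = EcmpGroup([("ethernet1/1", 3), ("ethernet1/2", 1)])   # 3:1 capacity ratio
    print(wrr_distribution(g, 8))        # {'ethernet1/1': 6, 'ethernet1/2': 2}
    print(hash_paths(g))
    g.link_failed("ethernet1/1")
    print(hash_paths(g))                 # every new session now on ethernet1/2
```

Note the practical caveat the model exposes: after a member fails, a modulo-based hash maps existing flows onto a different path count, so sessions that were pinned to a surviving member can move too; only new sessions are guaranteed the "shift to another member" behaviour described above.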
ECMP Platform, Interface, and IP Routing Support
ECMP is supported on all Palo Alto Networks firewall platforms, with hardware forwarding support on the PA-7000 Series, PA-5000 Series, PA-3060, and PA-3050 firewalls. PA-3020, PA-500, PA-200, and VM-Series firewalls support ECMP through software only. Performance is affected for sessions that cannot be hardware offloaded.
ECMP is supported on Layer 3, Layer 3 subinterface, VLAN, tunnel, and Aggregated Ethernet interfaces.
ECMP can be configured for static routes and any of the dynamic routing protocols the firewall supports.
ECMP affects the route table capacity because the capacity is based on the number of paths, so an ECMP route with four paths will consume four entries of route table capacity. ECMP implementation might slightly decrease the route table capacity because more memory is being used by session-based tags to map traffic flows to particular interfaces.
ECMP has the following restrictions:
- PA-2000 Series and PA-4000 Series firewalls with ECMP enabled might not be able to offload sessions to hardware for forwarding. Packets matching ECMP routes will be sent to software, while packets matching non-ECMP routes can still be forwarded by hardware.
- For PA-4000 Series firewalls, packets to be forwarded by ECMP routes will be sent to software for route lookup and forwarding, even though the session is in offloaded state.
- Virtual router-to-virtual router routing using static routes does not support ECMP.
Configure ECMP on a Virtual Router
Use the following procedure to enable ECMP on a virtual router. The prerequisites are to:
- Specify the interfaces that belong to a virtual router (Network > Virtual Routers > Router Settings > General).
- Specify the IP routing protocol.
Enabling, disabling, or changing ECMP for an existing virtual router causes the system to restart the virtual router, which might cause sessions to be terminated.
Configure ECMP on a Virtual Router
Enable ECMP for Multiple BGP Autonomous Systems
Perform the following task if you have BGP configured and you want to enable ECMP over multiple autonomous systems. This task presumes that BGP is already configured. In the first figure, two ECMP paths to a destination go through two firewalls belonging to a single ISP in a single BGP autonomous system. In the second figure, two ECMP paths to a destination go through two firewalls belonging to two different ISPs in different BGP autonomous systems.
Enable ECMP for BGP Autonomous Systems
Verify ECMP
A virtual router configured for ECMP indicates in the Forwarding Information Base (FIB) table which routes are ECMP routes. An ECMP flag (E) for a route indicates that it is participating in ECMP for the egress interface to the next hop for that route.
Confirm That Routes Are Equal Cost Multiple Paths
LLDP
Palo Alto Networks firewalls support Link Layer Discovery Protocol (LLDP), which functions at the link layer to discover neighboring devices and their capabilities. LLDP allows the firewall and other network devices to send and receive LLDP data units (LLDPDUs) to and from neighbors. The receiving device stores the information in a MIB, which the Simple Network Management Protocol (SNMP) can access. LLDP makes troubleshooting easier, especially for virtual wire deployments, where the firewall would typically go undetected by a ping or traceroute.
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics
LLDP Overview
LLDP operates at Layer 2 of the OSI model, using MAC addresses. An LLDPDU is a sequence of type-length-value (TLV) elements encapsulated in an Ethernet frame. The IEEE 802.1AB standard defines three destination MAC addresses for LLDPDUs: 01:80:C2:00:00:0E, 01:80:C2:00:00:03, and 01:80:C2:00:00:00.
The Palo Alto Networks firewall supports only one MAC address for transmitting and receiving LLDP data units: 01:80:C2:00:00:0E. When transmitting, the firewall uses 01:80:C2:00:00:0E as the destination MAC address. When receiving, the firewall processes frames with 01:80:C2:00:00:0E as the destination MAC address. If the firewall receives LLDPDUs addressed to either of the other two MAC addresses on its interfaces, the firewall takes the same forwarding action it took prior to this feature, as follows:
- If the interface type is virtual wire, the firewall forwards the frame to the other port.
- If the interface type is Layer 2, the firewall floods the frame to the rest of the VLAN.
- If the interface type is Layer 3, the firewall drops the frame.
The PA-2000 Series platform is not supported due to the hardware limitation of how Aggregated Ethernet interfaces function. Panorama, the GlobalProtect Mobile Security Manager, and the WildFire appliance are also not supported.
Interface types that do not support LLDP are TAP, high availability (HA), Decrypt Mirror, virtual wire/VLAN/Layer 3 subinterfaces, and PA-7000 Series Log Processing Card (LPC) interfaces.
An LLDP Ethernet frame has the following format: destination MAC address (6 bytes), source MAC address (6 bytes), EtherType 0x88CC (2 bytes), the LLDPDU, and the frame check sequence.
Within the LLDP Ethernet frame, the TLV structure has the following format: a 7-bit TLV type, a 9-bit TLV information string length (0 to 511), and the TLV information string (value) of that length. The mandatory Chassis ID, Port ID, and Time To Live TLVs come first, in that order, followed by any optional TLVs and the End of LLDPDU TLV.
Supported TLVs in LLDP
LLDPDUs include mandatory and optional TLVs. The following table lists the mandatory TLVs that the firewall supports (TLV type in parentheses):
Chassis ID TLV (1): Identifies the firewall chassis. Each firewall must have exactly one unique Chassis ID. The Chassis ID subtype is 4 (MAC address); Palo Alto Networks platforms use the MAC address of Eth0 to ensure uniqueness.
Port ID TLV (2): Identifies the port from which the LLDPDU is sent. Each firewall uses one Port ID for each LLDPDU message transmitted. The Port ID subtype is 5 (interface name) and uniquely identifies the transmitting port. The firewall uses the interface's ifname as the Port ID.
Time To Live (TTL) TLV (3): Specifies how long (in seconds) LLDPDU information received from the peer is retained as valid in the local firewall (range is 0-65535). The value is a multiple of the LLDP Hold Time Multiplier. When the TTL value is 0, the information associated with the device is no longer valid and the firewall removes that entry from the MIB.
End of LLDPDU TLV (0): Indicates the end of the TLVs in the LLDP Ethernet frame.
The following table lists the optional TLVs that the Palo Alto Networks firewall supports:
Port Description TLV (4): Describes the port of the firewall in alphanumeric format. The ifAlias object is used.
System Name TLV (5): Configured name of the firewall in alphanumeric format. The sysName object is used.
System Description TLV (6): Describes the firewall in alphanumeric format. The sysDescr object is used.
System Capabilities TLV (7): Describes the deployment mode of the interface, as follows:
- A Layer 3 interface is advertised with Router (bit 6) capability and the Other bit (bit 1).
- A Layer 2 interface is advertised with MAC Bridge (bit 3) capability and the Other bit (bit 1).
- A virtual wire interface is advertised with Repeater (bit 2) capability and the Other bit (bit 1).
Management Address TLV (8): One or more IP addresses used for firewall management, as follows:
- IP address of the management (MGT) interface
- IPv4 and/or IPv6 address of the interface
- Loopback address
- User-defined address entered in the management address field
If no management IP address is provided, the default is the MAC address of the transmitting interface. Included is the interface number of the management address specified. Also included is the OID of the hardware interface with the management address specified (if applicable). If more than one management address is specified, they will be sent in the order they are specified, starting at the top of the list. A maximum of four Management Addresses are supported. This is an optional parameter and can be left disabled.
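The frame and TLV formats above are made concrete in the following added example, which builds and parses an LLDP Ethernet frame. It is illustration code for this page and not PAN-OS code. It encodes the 7-bit type / 9-bit length TLV header, the mandatory Chassis ID (subtype 4, MAC address), Port ID (subtype 5, interface name), TTL and End of LLDPDU TLVs, the optional System Name TLV, and the rule that only frames sent to 01:80:C2:00:00:0E are processed as LLDP. The MAC addresses, interface name, system name and the 30-second transmit interval with hold multiplier 4 are constructed sample values.

```python
# Added example (not PAN-OS code): builds and parses an LLDP Ethernet frame
# using the TLV format described above (7-bit type, 9-bit length), the
# mandatory Chassis ID / Port ID / TTL / End TLVs with the subtypes the firewall
# uses (4 = MAC address, 5 = interface name), the optional System Name TLV, and
# the rule that only frames sent to 01:80:C2:00:00:0E are processed. MAC
# addresses, interface and system names below are constructed sample values.
import struct

LLDP_MCAST_MAC = bytes.fromhex("0180c200000e")   # the one LLDP address the firewall handles
LLDP_ETHERTYPE = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC = 4
PORT_SUBTYPE_IFNAME = 5


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def tlv(tlv_type, value):
    """TLV header is 16 bits: 7-bit type then 9-bit length (0..511), then value."""
    if len(value) > 511:
        raise ValueError("TLV value longer than 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, ifname, ttl, system_name=None):
    """Mandatory TLVs in their required order, optional TLVs, then End of LLDPDU."""
    pdu = tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + _mac(chassis_mac))
    pdu += tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + ifname.encode())
    pdu += tlv(TLV_TTL, struct.pack("!H", ttl))
    if system_name is not None:
        pdu += tlv(TLV_SYSTEM_NAME, system_name.encode())
    return pdu + tlv(TLV_END, b"")


def build_frame(src_mac, chassis_mac, ifname, tx_interval, hold_multiplier, system_name=None):
    """Ethernet header (dst, src, EtherType 0x88CC) + LLDPDU; TTL = interval x multiplier."""
    header = LLDP_MCAST_MAC + _mac(src_mac) + struct.pack("!H", LLDP_ETHERTYPE)
    return header + build_lldpdu(chassis_mac, ifname, tx_interval * hold_multiplier, system_name)


def parse_frame(frame):
    """Decode the TLVs the firewall reads; None for frames it would not process as LLDP."""
    if len(frame) < 14:
        return None
    dst = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if dst != LLDP_MCAST_MAC or ethertype != LLDP_ETHERTYPE:
        return None   # ...:03 / ...:00 frames are forwarded, flooded or dropped, not parsed
    out, pos, ended = {}, 14, False
    while pos + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[pos:pos + 2])[0]
        t, n = hdr >> 9, hdr & 0x1FF
        value = frame[pos + 2:pos + 2 + n]
        if len(value) != n:
            raise ValueError("truncated TLV")
        pos += 2 + n
        if t == TLV_END:
            ended = True
            break
        if t == TLV_CHASSIS_ID:
            out["chassis_id"] = (value[0], value[1:].hex(":"))
        elif t == TLV_PORT_ID:
            out["port_id"] = (value[0], value[1:].decode())
        elif t == TLV_TTL:
            out["ttl"] = struct.unpack("!H", value)[0]
        elif t == TLV_SYSTEM_NAME:
            out["system_name"] = value.decode()
        # other optional TLVs are skipped
    if not ended:
        raise ValueError("missing End of LLDPDU TLV")
    for key in ("chassis_id", "port_id", "ttl"):
        if key not in out:
            raise ValueError("mandatory %s TLV missing" % key)
    return out


if __name__ == "__main__":
    frame = build_frame("00:1b:17:aa:bb:01", "00:1b:17:aa:bb:00", "ethernet1/1", 30, 4, "fw-dc1")
    print(parse_frame(frame))
    # The same LLDPDU sent to 01:80:C2:00:00:03 is not parsed by the firewall.
    print(parse_frame(bytes.fromhex("0180c2000003") + frame[6:]))   # None
```

The parser checks the length field against the remaining bytes before slicing and insists on the End of LLDPDU and mandatory TLVs, which is the minimum a receiver should do before storing anything a neighbor advertises into a MIB that SNMP later exposes.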
LLDP Syslog Messages and SNMP Traps
The firewall stores LLDP information in MIBs, which an SNMP Manager can monitor. If you want the firewall to send SNMP trap notifications and syslog messages about LLDP events, you must enable SNMP Syslog Notification in an LLDP profile.
Per RFC 5424, The Syslog Protocol, and RFC 1157, A Simple Network Management Protocol, LLDP sends syslog and SNMP trap messages when MIB changes occur. These messages are rate-limited by the Notification Interval, an LLDP global setting that defaults to 5 seconds and is configurable.
Because the LLDP syslog and SNMP trap messages are rate-limited, some LLDP information provided to those processes might not match the current LLDP statistics seen when you View LLDP Settings and Status. This is normal, expected behavior.
A maximum of 5 MIBs can be received per interface (Ethernet or AE). Each different source has one MIB. If this limit is exceeded, the error message tooManyNeighbors is triggered.
Configure LLDP
To configure LLDP and create an LLDP profile, you must be a superuser or device administrator (deviceadmin). A firewall interface supports a maximum of five LLDP peers.
Configure LLDP
Step 3: Create an LLDP profile. For descriptions of the optional TLVs, see Supported TLVs in LLDP.
1. Select Network > Network Profiles > LLDP Profile and click Add.
2. Enter a Name for the LLDP profile.
3. For Mode, select transmit-receive (default), transmit-only, or receive-only.
4. Select SNMP Syslog Notification to enable SNMP notifications and syslog messages. If enabled, the global Notification Interval is used. The firewall will send both an SNMP trap and a syslog event as configured in Device > Log Settings > System > SNMP Trap Profile and Syslog Profile.
5. For Optional TLVs, select the TLVs you want transmitted: Port Description, System Name, System Description, System Capabilities.
6. (Optional) Select Management Address to add one or more management addresses, and Add a Name.
7. Select the Interface from which to obtain the management address. At least one management address is required if the Management Address TLV is enabled. If no management IP address is configured, the system uses the MAC address of the transmitting interface as the Management Address TLV.
8. Select IPv4 or IPv6, and in the adjacent field, select an IP address from the drop-down (which lists the addresses configured on the selected interface), or enter an address.
9. Click OK.
10. Up to four management addresses are allowed. If you specify more than one Management Address, they will be sent in the order they are specified, starting at the top of the list. To change the order of the addresses, select an address and use the Move Up or Move Down buttons.
11. Click OK.
View LLDP Settings and Status
Perform the following procedure to view LLDP settings and status.
View LLDP Settings and Status
Clear LLDP Statistics
You can clear LLDP statistics for specific interfaces.
Clear LLDP Statistics
BFD
The firewall supports Bidirectional Forwarding Detection (BFD), a protocol that recognizes a failure in the bidirectional path between two routing peers. BFD failure detection is extremely fast, providing for a faster failover than can be achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats. Mission-critical data centers and networks that require high availability and extremely fast failover need the extremely fast failure detection that BFD provides.
- BFD Overview
- Configure BFD
- Reference: BFD Details
BFD Overview
When you enable BFD, BFD establishes a session from one endpoint (the firewall) to its BFD peer at the endpoint of a link using a three-way handshake. Control packets perform the handshake and negotiate the parameters configured in the BFD profile, including the minimum intervals at which the peers can send and receive control packets. BFD control packets for both IPv4 and IPv6 are transmitted over UDP port 3784. BFD control packets for multihop support are transmitted over UDP port 4784. BFD control packets transmitted over either port are encapsulated in UDP packets.
After the BFD session is established, the Palo Alto Networks implementation of BFD operates in asynchronous mode, meaning both endpoints send each other control packets (which function like Hello packets) at the negotiated interval. If a peer does not receive a control packet within the detection time (calculated as the negotiated transmit interval multiplied by a Detection Time Multiplier), the peer considers the session down. (The firewall does not support demand mode, in which control packets are sent only if necessary rather than periodically.)
When you enable BFD for a static route and a BFD session between the firewall and the BFD peer fails, the firewall removes the failed route from the RIB and FIB tables and allows an alternate path with a lower priority to take over. When you enable BFD for a routing protocol, BFD notifies the routing protocol to switch to an alternate path to the peer. Thus, the firewall and BFD peer reconverge on a new path.
A BFD profile allows you to Configure BFD settings and apply them to one or more routing protocols or static routes on the firewall. If you enable BFD without configuring a profile, the firewall uses its default BFD profile (with all of the default settings). You cannot change the default BFD profile.
When an interface is running multiple protocols that use different BFD profiles, BFD uses the profile having the lowest Desired Minimum Tx Interval. See BFD for Dynamic Routing Protocols.
Active/passive HA peers synchronize BFD configurations and sessions; active/active HA peers do not.
BFD is standardized in RFC 5880. PAN-OS does not support all components of RFC 5880; see Non-Supported RFC Components of BFD.
PAN-OS also supports RFC 5881, Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (Single Hop). In this case, BFD tracks a single hop between two systems that use IPv4 or IPv6, so the two systems are directly connected to each other. BFD also tracks multiple hops from peers connected by BGP. PAN-OS follows BFD encapsulation as described in RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths. However, PAN-OS does not support authentication.
- BFD Platform, Interface, and Client Support
- Non-Supported RFC Components of BFD
- BFD for Static Routes
- BFD for Dynamic Routing Protocols
BFD Platform, Interface, and Client Support
PAN-OS supports BFD on PA-3000 Series, PA-5000 Series, PA-7000 Series, and VM-Series firewalls. Each platform supports a maximum number of BFD sessions, as listed in the Product Selection tool.
BFD runs on physical Ethernet, Aggregated Ethernet (AE), VLAN, and tunnel interfaces (site-to-site VPN and LSVPN), and on Layer 3 subinterfaces.
Supported BFD clients are:
- Static routes (IPv4 and IPv6) consisting of a single hop
- OSPFv2 and OSPFv3 (interface types include broadcast, point-to-point, and point-to-multipoint)
- BGP IPv4 (IBGP, EBGP) consisting of a single hop or multiple hops
- RIP (single hop)
Non-Supported RFC Components of BFD
- Demand mode
- Authentication
- Sending or receiving Echo packets; however, the firewall will pass Echo packets that arrive on a virtual wire or tap interface. (BFD Echo packets have the same IP address for the source and destination.)
- Poll sequences
- Congestion control
BFD for Static Routes
To use BFD on a static route, both the firewall and the peer at the opposite end of the static route must support BFD sessions. A static route can have a BFD profile only if the Next Hop type is IP Address.
If an interface is configured with more than one static route to a peer (the BFD session has the same source IP address and same destination IP address), a single BFD session automatically handles the multiple static routes. This behavior reduces the number of BFD sessions. If the static routes have different BFD profiles, the profile with the smallest Desired Minimum Tx Interval takes effect.
In a deployment where you want to configure BFD for a static route on a DHCP or PPPoE client interface, you must perform two commits. Enabling BFD for a static route requires that the Next Hop type be IP Address. But at the time of a DHCP or PPPoE interface commit, the interface IP address and next hop IP address (default gateway) are unknown.
You must first enable a DHCP or PPPoE client for the interface, perform a commit, and wait for the DHCP or PPPoE server to send the firewall the client IP address and default gateway IP address. Then you can configure the static route (using the default gateway address of the DHCP or PPPoE client as the next hop), enable BFD, and perform a second commit.
BFD for Dynamic Routing Protocols
In addition to BFD for static routes, the firewall supports BFD for the BGP, OSPF, and RIP routing protocols.
The Palo Alto Networks implementation of multihop BFD follows the encapsulation portion of RFC 5883, Bidirectional Forwarding Detection (BFD) for Multihop Paths, but does not support authentication. A workaround is to run BFD for BGP inside a VPN tunnel: the VPN tunnel provides authentication of the path without duplicating it in BFD.
When you enable BFD for OSPFv2 or OSPFv3 broadcast interfaces, OSPF establishes a BFD session only with its Designated Router (DR) and Backup Designated Router (BDR). On point-to-point interfaces, OSPF establishes a BFD session with the direct neighbor. On point-to-multipoint interfaces, OSPF establishes a BFD session with each peer.
The firewall does not support BFD on an OSPF or OSPFv3 virtual link.
Each routing protocol can have independent BFD sessions on an interface. Alternatively, two or more routing protocols (BGP, OSPF, and RIP) can share a common BFD session for an interface.
When you enable BFD for multiple protocols on the same interface, and the source IP address and destination IP address for the protocols are also the same, the protocols share a single BFD session, thus reducing both dataplane overhead (CPU) and traffic load on the interface. If you configure different BFD profiles for these protocols, only one BFD profile is used: the one that has the lowest Desired Minimum Tx Interval. If the profiles have the same Desired Minimum Tx Interval, the profile used by the first-created session takes effect. In the case where a static route and OSPF share the same session, the profile of the static route takes effect, because a static session is created right after a commit, while OSPF waits until an adjacency is up.
The benefit of using a single BFD session in these cases is that this behavior uses resources more efficiently. The firewall can use the saved resources to support more BFD sessions on different interfaces or support BFD for different source IP and destination IP address pairs.
IPv4 and IPv6 on the same interface always create different BFD sessions, even though they can use the same BFD profile.
Configure BFD
This task assumes you have performed the following prerequisites:
- Configured a virtual router.
- Configured one or more static routes if you are applying BFD to static routes.
- Configured a routing protocol (BGP, OSPF, OSPFv3, or RIP) if you are applying BFD to a routing protocol.
The effectiveness of your BFD implementation depends on a variety of factors, such as traffic loads, network conditions, how aggressive your BFD settings are, and how busy the dataplane is.
Configure BFD
Step 1: Create a BFD profile.
If you change a setting in a BFD profile that an existing BFD session is using and you commit the change, then before the firewall deletes that BFD session and recreates it with the new setting, the firewall sends a BFD packet with the local state set to admin down. The peer device may or may not flap the routing protocol or static route, depending on the peer's implementation of RFC 5882, Section 3.2.
1. Select Network > Network Profiles > BFD Profile and Add a Name for the BFD profile. The name is case-sensitive and must be unique on the firewall. Use only letters, numbers, spaces, hyphens, and underscores.
2. Select the Mode in which BFD operates:
   - Active: BFD initiates sending control packets to the peer (default). At least one of the BFD peers must be Active; both can be Active.
   - Passive: BFD waits for the peer to send control packets and responds as required.
3. Enter the Desired Minimum Tx Interval (ms). This is the minimum interval, in milliseconds, at which you want the BFD protocol (referred to as BFD) to send BFD control packets; you are thus negotiating the transmit interval with the peer. Minimum on PA-7000 and PA-5000 Series firewalls is 50; minimum on PA-3000 Series firewalls is 100; minimum on VM-Series firewalls is 200. Maximum is 2000; default is 1000.
   If you have multiple routing protocols that use different BFD profiles on the same interface, configure the BFD profiles with the same Desired Minimum Tx Interval.
4. Enter the Required Minimum Rx Interval (ms). This is the minimum interval, in milliseconds, at which BFD can receive BFD control packets. Minimum on PA-7000 and PA-5000 Series firewalls is 50; minimum on PA-3000 Series firewalls is 100; minimum on VM-Series firewalls is 200. Maximum is 2000; default is 1000.
5. Enter the Detection Time Multiplier. The transmit interval (negotiated from the Desired Minimum Tx Interval) multiplied by the Detection Time Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2-50; default is 3.
   For example, a transmit interval of 300 ms x 3 (Detection Time Multiplier) = 900 ms detection time.
   When configuring a BFD profile, take into consideration that the firewall is a session-based device typically at the edge of a network or data center and may have slower links than a dedicated router. Therefore, the firewall likely needs a longer interval and a higher multiplier than the fastest settings allowed. A detection time that is too short can cause false failure detections when the issue is really just traffic congestion.
e. Click OK.
5. Click OK.
A BFD column on the BGP Peer Group/Peer list indicates the BFD profile configured for the interface.
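The interval negotiation, the detection-time arithmetic of Step 1 and the profile-selection rule for protocols that share a session (BFD for Dynamic Routing Protocols, above) are modeled in the following added example. It is illustration code for this page, not PAN-OS code. The platform minimums, the 2000 ms maximum and the 2-50 multiplier range are the ones stated above; the profile names and sample values are assumptions, and the negotiation follows the asynchronous-mode rules of RFC 5880 (transmit no faster than the peer's Required Minimum Rx Interval; detection time is the peer's multiplier times the slower of the two relevant intervals).

```python
# Added example (not PAN-OS code): models the interval negotiation and the
# detection time of an asynchronous-mode BFD session, the per-platform limits of
# a BFD profile, and the profile-selection rule when several protocols share one
# session. Profile names and the sample values are assumptions; the platform
# minimums and the 2..50 multiplier range are the ones stated above.
from dataclasses import dataclass

PLATFORM_MIN_MS = {"PA-7000": 50, "PA-5000": 50, "PA-3000": 100, "VM-Series": 200}
MAX_INTERVAL_MS = 2000
MULT_RANGE = (2, 50)


@dataclass(frozen=True)
class BfdProfile:
    name: str
    desired_min_tx: int     # Desired Minimum Tx Interval, ms
    required_min_rx: int    # Required Minimum Rx Interval, ms
    detect_mult: int = 3    # Detection Time Multiplier

    def validate(self, platform):
        """Raise if the profile uses intervals the platform cannot honour."""
        floor = PLATFORM_MIN_MS[platform]
        for label, v in (("Desired Minimum Tx", self.desired_min_tx),
                         ("Required Minimum Rx", self.required_min_rx)):
            if not floor <= v <= MAX_INTERVAL_MS:
                raise ValueError("%s: %s Interval %d ms outside %d..%d on %s"
                                 % (self.name, label, v, floor, MAX_INTERVAL_MS, platform))
        if not MULT_RANGE[0] <= self.detect_mult <= MULT_RANGE[1]:
            raise ValueError("%s: Detection Time Multiplier out of range" % self.name)
        return True


def negotiate(local, remote):
    """Return (tx_interval_ms, detection_time_ms) from the firewall's viewpoint.

    Asynchronous mode per RFC 5880: the firewall transmits no faster than the
    peer's Required Minimum Rx Interval, and it declares the peer down after
    the peer's multiplier times the slower of its own Required Minimum Rx and
    the peer's Desired Minimum Tx Interval.
    """
    tx_interval = max(local.desired_min_tx, remote.required_min_rx)
    detection_time = remote.detect_mult * max(local.required_min_rx, remote.desired_min_tx)
    return tx_interval, detection_time


def effective_profile(sessions):
    """sessions: [(profile, creation_order)] for protocols sharing one src/dst
    pair. Lowest Desired Minimum Tx Interval wins; on a tie, the earliest
    created session (a static route's, since it comes up right after commit)."""
    return min(sessions, key=lambda s: (s[0].desired_min_tx, s[1]))[0]


if __name__ == "__main__":
    fast = BfdProfile("dc-fast", 300, 300, 3)
    fast.validate("PA-5000")
    print(negotiate(fast, fast))        # (300, 900): the 300 ms x 3 example above
    slow_peer = BfdProfile("peer", 1000, 1000, 3)
    print(negotiate(fast, slow_peer))   # (1000, 3000): the peer's limits win
    static = BfdProfile("static-rt", 500, 500)
    ospf = BfdProfile("ospf", 500, 500)
    print(effective_profile([(static, 1), (ospf, 2)]).name)   # static-rt
```

The second negotiation shows why an aggressive local profile alone does not buy fast failover: a peer that only accepts 1000 ms packets stretches both the transmit interval and the detection time, which is the same reason the note above recommends a longer interval and higher multiplier on a busy firewall.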
Reference: BFD Details
To see the following information for a virtual router, you can View BFD summary and details. Example values are shown in parentheses.
Session ID (1): ID number of the BFD session.
Multihop TTL: TTL of multihop; range is 1-254. Field is empty if Multihop is disabled.
Received Multiplier (3): Detection time multiplier value received from the BFD peer. The Transmit Time multiplied by the Multiplier equals the detection time. If BFD does not receive a BFD control packet from its peer before the detection time expires, a failure has occurred. Range is 2-50.
Errors (0): Number of BFD errors.
Last Packet Causing State Change
Version (1): BFD version.
Poll Bit (0): BFD poll bit; 0 indicates not set.
Detect Multiplier (3): Detect Multiplier of the last packet causing a state change.
My Discriminator (1): The discriminator the peer placed in that packet, that is, the remote discriminator from the firewall's viewpoint. A discriminator is a unique, nonzero value the peers use to distinguish multiple BFD sessions between them.
Length (24): Length of the BFD control packet in bytes.
Demand Bit (0): PAN-OS does not support BFD Demand mode, so the Demand Bit is always set to 0 (disabled).
Final Bit (0): PAN-OS does not support the Poll Sequence, so the Final Bit is always set to 0 (disabled).
Multipoint Bit (0): This bit is reserved for future point-to-multipoint extensions to BFD. It must be zero on both transmit and receipt.
Control Plane Independent Bit (1): If set to 1, the transmitting system's BFD implementation does not share fate with its control plane (that is, BFD is implemented in the forwarding plane and can continue to function through disruptions in the control plane). In PAN-OS, this bit is always set to 1. If set to 0, the transmitting system's BFD implementation shares fate with its control plane.
Authentication Present Bit (0): PAN-OS does not support BFD Authentication, so the Authentication Present Bit is always set to 0.
Policy Types
The Palo Alto Networks next-generation firewall supports a variety of policy types that work together to safely enable applications on your network.
Security: Determines whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service. For more details, see Security Policy.
NAT: Instructs the firewall which packets need translation and how to do the translation. The firewall supports both source address and/or port translation and destination address and/or port translation. For more details, see NAT.
QoS: Identifies traffic requiring QoS treatment (either preferential treatment or bandwidth limiting) using a defined parameter or multiple parameters and assigns it a class. For more details, see Quality of Service.
Policy Based Forwarding: Identifies traffic that should use a different egress interface than the one that would normally be used based on the routing table. For details, see Policy Based Forwarding.
Decryption: Identifies encrypted traffic that you want to inspect for visibility, control, and granular security. For more details, see Decryption.
Application Override: Identifies sessions that you do not want processed by the App-ID engine, which is a Layer 7 inspection. Traffic matching an application override policy forces the firewall to handle the session as a regular stateful inspection firewall at Layer 4. For more details, see Manage Custom or Unknown Applications.
Captive Portal: Identifies traffic that requires the user to be known. The captive portal policy is only triggered if other User-ID mechanisms did not identify a user to associate with the source IP address. For more details, see Captive Portal.
DoS Protection: Identifies potential denial-of-service (DoS) attacks and takes protective action in response to rule matches. For more details, see DoS Protection Profiles.
Security Policy
Security policy protects network assets from threats and disruptions and aids in optimally allocating network resources for enhancing productivity and efficiency in business processes. On the Palo Alto Networks firewall, individual security policy rules determine whether to block or allow a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.
All traffic passing through the firewall is matched against a session, and each session is matched against a security policy rule. When a session match occurs, the security policy rule is applied to bidirectional traffic (client to server and server to client) in that session. For traffic that doesn't match any defined rules, the default rules apply. The default rules, displayed at the bottom of the security rulebase, are predefined to allow all intrazone (within the zone) traffic and deny all interzone (between zones) traffic. Although these rules are part of the predefined configuration and are read-only by default, you can override them and change a limited number of settings, including the tags, action (allow or block), log settings, and security profiles.
Security policies are evaluated left to right and from top to bottom. A packet is matched against the first rule that meets the defined criteria; after a match is triggered, the subsequent rules are not evaluated. Therefore, the more specific rules must precede more generic ones in order to enforce the best match criteria. Traffic that matches a rule generates a log entry at the end of the session in the traffic log, if logging is enabled for that rule. The logging options are configurable for each rule, and can for example be configured to log at the start of a session instead of, or in addition to, logging at the end of a session.
- Components of a Security Policy Rule
- Security Policy Actions
- Create a Security Policy Rule
Components of a Security Policy Rule
The security policy rule construct permits a combination of the required and optional fields as detailed in the following tables:
- Required Fields
- Optional Fields
Required Fields
Name: A label that supports up to 31 characters, used to identify the rule.
Application: The application which you wish to control. The firewall uses App-ID, the traffic classification technology, to identify traffic on your network. App-ID provides application control and visibility in creating security policies that block unknown applications, while enabling, inspecting, and shaping those that are allowed.
Action: Specifies an Allow or Block action for the traffic based on the criteria you define in the rule. When you configure the firewall to block traffic, it either resets the connection or silently drops packets. To provide a better user experience, you can configure granular options to block traffic instead of silently dropping packets, which can cause some applications to break and appear unresponsive to the user. For more details, see Security Policy Actions.
Optional Fields
Tag: A keyword or phrase that allows you to filter security rules. This is handy when you have defined many rules and wish to then review those that are tagged with a keyword such as IT-sanctioned applications or High-risk applications.
Description: A text field, up to 255 characters, used to describe the rule.
User: The user or group of users for whom the policy applies. You must have User-ID enabled on the zone. To enable User-ID, see User-ID Overview.
Service: Allows you to select a Layer 4 (TCP or UDP) port for the application. You can choose any, specify a port, or use application-default to permit use of the standards-based port for the application. For example, for applications with well-known port numbers such as DNS, the application-default option will match DNS traffic only on its standard ports (such as TCP and UDP port 53). You can also add a custom application and define the ports that the application can use.
For inbound allow rules (for example, from untrust to trust), using application-default prevents applications from running on unusual ports and protocols. Application-default is the default option; while the firewall still checks for all applications on all ports, with this configuration, applications are only allowed on their standard ports/protocols.
Options: Allow you to define logging for the session, log forwarding settings, change Quality of Service (QoS) markings for packets that match the rule, and schedule when (day and time) the security rule should be in effect.
Security Policy Actions
For traffic that matches the attributes defined in a security policy, you can apply the following actions:
Action                  Description
Allow (default action)  Allows the traffic.
Deny                    Blocks traffic and enforces the default Deny Action defined for the application that is
                        being denied. To view the deny action defined by default for an application, view the
                        application details in Objects > Applications or check the application details in
                        Applipedia.
Drop                    Silently drops the traffic; for an application, it overrides the default deny action. A
                        TCP reset is not sent to the host/application.
                        For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client,
                        set Action: Drop and enable the Send ICMP Unreachable check box. When enabled,
                        the firewall sends the ICMP code for "communication with the destination is
                        administratively prohibited" (ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1).
                        A reset is sent only after a session is formed. If the session is blocked before
                        a 3-way handshake is completed, the firewall will not send the reset.
                        For a TCP session with a reset action, the firewall does not send an ICMP
                        Unreachable response.
                        For a UDP session with a drop or reset action, if the ICMP Unreachable check
                        box is selected, the firewall sends an ICMP message to the client.
Create a Security Policy Rule
"Updates-DC to Internet" {
    from data_center_applications;
    source any;
    source-region any;
    to untrust;
    destination any;
    destination-region any;
    user any;
    category any;
    application/service[dns/tcp/any/53 dns/udp/any/53
                        dns/udp/any/5353 ms-update/tcp/any/80
                        ms-update/tcp/any/443];
    action allow;
    terminal yes;
}
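As an added example (not code from this guide or from PAN-OS), the following Python model shows how the rule above behaves under the three Service settings described under Optional Fields: any, application-default, and an explicit port list. The standard-port table is taken from the application/service list in the rule output; the session fields and helper names are assumptions.

```python
# Added example: a constructed model of how a security rule's Service setting
# ("any", "application-default", or an explicit port list) decides whether a
# session that App-ID has already classified matches the rule. Not PAN-OS code.

# Standards-based ports per application, assumed from the rule output above.
APP_DEFAULT_PORTS = {
    "dns": {("tcp", 53), ("udp", 53), ("udp", 5353)},
    "ms-update": {("tcp", 80), ("tcp", 443)},
}

# The "Updates-DC to Internet" rule as a dict (field names are assumptions).
UPDATES_RULE = {
    "name": "Updates-DC to Internet",
    "from": "data_center_applications",
    "to": "untrust",
    "applications": {"dns", "ms-update"},
    "service": "application-default",
    "action": "allow",
}


def service_matches(rule_service, app, proto, port):
    """Return True if (proto, port) is permitted by the rule's Service setting."""
    if rule_service == "any":
        return True  # the application may run on any port
    if rule_service == "application-default":
        # only the standards-based ports registered for this App-ID
        return (proto, port) in APP_DEFAULT_PORTS.get(app, set())
    # explicit service object: a set of (protocol, port) tuples
    return (proto, port) in rule_service


def evaluate_rule(rule, session):
    """Return the rule action if the session matches the rule, else None.

    session: dict with from_zone, to_zone, app (as identified by App-ID),
    proto and port. None means the session falls through to later rules
    (and ultimately to the default interzone deny).
    """
    if session["from_zone"] != rule["from"] or session["to_zone"] != rule["to"]:
        return None
    if rule["applications"] != "any" and session["app"] not in rule["applications"]:
        return None
    if not service_matches(rule["service"], session["app"],
                           session["proto"], session["port"]):
        return None
    return rule["action"]


def dns_on_port(port, service="application-default"):
    """Constructed session: DNS from the data center zone to untrust on a TCP port."""
    rule = dict(UPDATES_RULE, service=service)
    session = {"from_zone": "data_center_applications", "to_zone": "untrust",
               "app": "dns", "proto": "tcp", "port": port}
    return evaluate_rule(rule, session)


if __name__ == "__main__":
    print(dns_on_port(53))           # allow: DNS on its standard port
    print(dns_on_port(8080))         # None: DNS on a non-standard port does not match
    print(dns_on_port(8080, "any"))  # allow: with service "any" the port is not checked
```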
Policy Objects
A policy object is a single object or a collective unit that groups discrete identities such as IP addresses, URLs,
applications, or users. With policy objects that are a collective unit, you can reference the object in security
policy instead of manually selecting multiple objects one at a time. Typically, when creating a policy object,
you group objects that require similar permissions in policy. For example, if your organization uses a set of
server IP addresses for authenticating users, you can group the set of server IP addresses as an address group
policy object and reference the address group in the security policy. By grouping objects, you can
significantly reduce the administrative overhead in creating policies.
You can create the following policy objects on the firewall:
Policy Object            Description
Address/Address Group,   Allow you to group specific source or destination addresses that require the same
Region                   policy enforcement. The address object can include an IPv4 or IPv6 address (single
                         IP, range, subnet) or the FQDN. Alternatively, a region can be defined by the latitude
                         and longitude coordinates or you can select a country and define an IP address or IP
                         range. You can then group a collection of address objects to create an address group
                         object.
                         You can also use dynamic address groups to dynamically update IP addresses in
                         environments where host IP addresses change frequently.
User/User Group          Allow you to create a list of users from the local database or an external database and
                         group them.
Application Group and    An Application Filter allows you to filter applications dynamically. It allows you to
Application Filter       filter, and save a group of applications using the attributes defined in the application
                         database on the firewall. For example, you can Create an Application Filter by one or
                         more attributes: category, subcategory, technology, risk, characteristics. With an
                         application filter, when a content update occurs, any new applications that match
                         your filter criteria are automatically added to your saved application filter.
                         An Application Group allows you to create a static group of specific applications that
                         you want to group together for a group of users or for a particular service, or to
                         achieve a particular policy goal. See Create an Application Group.
Service/Service Groups   Allows you to specify the source and destination ports and protocol that a service can
                         use. The firewall includes two predefined services, service-http and service-https,
                         that use TCP ports 80 and 8080 for HTTP, and TCP port 443 for HTTPS. You can,
                         however, create any custom service on any TCP/UDP port of your choice to restrict
                         application usage to specific ports on your network (in other words, you can define
                         the default port for the application).
                         To view the standard ports used by an application, in Objects > Applications
                         search for the application and click the link. A succinct description displays.
Security Profiles
While security policy rules enable you to allow or block traffic on your network, security profiles help you
define an allow but scan rule, which scans allowed applications for threats, such as viruses, malware, spyware,
and DDOS attacks. When traffic matches the allow rule defined in the security policy, the security profile(s)
that are attached to the rule are applied for further content inspection rules such as antivirus checks and data
filtering.
Security profiles are not used in the match criteria of a traffic flow. The security profile is applied
to scan traffic after the application or category is allowed by the security policy.
The firewall provides default security profiles that you can use out of the box to begin protecting your
network from threats. See Set Up a Basic Security Policy for information on using the default profiles in your
security policy. As you get a better understanding about the security needs on your network, you can create
custom profiles. See Scan Traffic for Threats for more information.
For recommendations on the best practice settings for security profiles, see Create Best Practice Security
Profiles.
You can add security profiles that are commonly applied together to a Security Profile Group; this set of
profiles can be treated as a unit and added to security policies in one step (or included in security policies by
default, if you choose to set up a default security profile group).
The following topics provide more detailed information about each type of security profile and how to set
up a security profile group:
- Antivirus Profiles
- Anti-Spyware Profiles
- Vulnerability Protection Profiles
- URL Filtering Profiles
- Data Filtering Profiles
- File Blocking Profiles
- WildFire Analysis Profiles
- DoS Protection Profiles
- Zone Protection Profiles
- Security Profile Group
Antivirus Profiles
Antivirus profiles protect against viruses, worms, and trojans as well as spyware downloads. Using a
stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the
Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the
performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML
and JavaScript viruses, including support for scanning inside compressed files and data encoding schemes. If
you have enabled Decryption on the firewall, the profile also enables scanning of decrypted content.
The default profile inspects all of the listed protocol decoders for viruses, and generates alerts for SMTP,
IMAP, and POP3 protocols while blocking for FTP, HTTP, and SMB protocols. You can configure the action
for a decoder or Antivirus signature and specify how the firewall responds to a threat event:
Action    Description
Default   For each threat signature and Antivirus signature that is defined by Palo Alto
          Networks, a default action is specified internally. Typically, the default action is an
          alert or a reset-both. The default action is displayed in parenthesis, for example
          default (alert) in the threat or Antivirus signature.
Allow     Permits the application traffic.
Alert     Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop      Drops the application traffic.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones,
and to maximize the inspection of traffic received from untrusted zones, such as the Internet, as well as the
traffic sent to highly sensitive destinations, such as server farms.
The Palo Alto Networks WildFire system also provides signatures for persistent threats that are more
evasive and have not yet been discovered by other antivirus solutions. As threats are discovered by WildFire,
signatures are quickly created and then integrated into the standard Antivirus signatures that can be
downloaded by Threat Prevention subscribers on a daily basis (sub-hourly for WildFire subscribers).
Anti-Spyware Profiles
Anti-Spyware profiles block spyware on compromised hosts from trying to phone home or beacon out to
external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network
from infected clients. You can apply various levels of protection between zones. For example, you may want
to have custom Anti-Spyware profiles that minimize inspection between trusted zones, while maximizing
inspection on traffic received from an untrusted zone, such as Internet-facing zones.
You can define your own custom Anti-Spyware profiles, or choose one of the following predefined profiles
when applying Anti-Spyware to a Security policy rule:
- Default: Uses the default action for every signature, as specified by Palo Alto Networks when the
  signature is created.
- Strict: Overrides the default action of critical, high, and medium severity threats to the block action,
  regardless of the action defined in the signature file. This profile still uses the default action for medium
  and informational severity signatures.
When the firewall detects a threat event, you can configure the following actions in an Anti-Spyware profile:
- Default: For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a
  default action is specified internally. Typically the default action is an alert or a reset-both. The default
  action is displayed in parenthesis, for example default (alert) in the threat or Antivirus signature.
- Allow: Permits the application traffic.
- Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log.
- Drop: Drops the application traffic.
- Reset Client: For TCP, resets the client-side connection. For UDP, drops the connection.
- Reset Server: For TCP, resets the server-side connection. For UDP, drops the connection.
- Reset Both: For TCP, resets the connection on both client and server ends. For UDP, drops the
  connection.
- Block IP: This action blocks traffic from either a source or a source-destination pair. It is configurable for
  a specified period of time.
In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles to enable the firewall to forge
a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to
an IP address that you define. This feature helps to identify infected hosts on the protected network using
DNS traffic. Infected hosts can then be easily identified in the traffic and threat logs because any host that
attempts to connect to the sinkhole IP address is most likely infected with malware.
Anti-Spyware and Vulnerability Protection profiles are configured similarly.
Vulnerability Protection Profiles
Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to
systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network, Vulnerability
Protection profiles protect against threats entering the network. For example, Vulnerability Protection
profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system
vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known
critical, high, and medium severity threats. You can also create exceptions, which allow you to change the
response to a specific signature.
To configure how the firewall responds to a threat, see Anti-Spyware Profiles for a list of supported actions.
URL Filtering Profiles
URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS.
The firewall comes with a default profile that is configured to block websites such as known malware sites,
phishing sites, and adult content sites. You can use the default profile in a security policy, clone it to be used
as a starting point for new URL filtering profiles, or add a new URL profile that will have all categories set to
allow for visibility into the traffic on your network. You can then customize the newly added URL profiles
and add lists of specific websites that should always be blocked or allowed, which provides more granular
control over URL categories.
Data Filtering Profiles
Data filtering profiles prevent sensitive information such as credit card or social security numbers from
leaving a protected network. The data filtering profile also allows you to filter on keywords, such as a
sensitive project name or the word confidential. It is important to focus your profile on the desired file types
to reduce false positives. For example, you may only want to search Word documents or Excel spreadsheets.
You may also only want to scan web-browsing traffic, or FTP.
You can use default profiles, or create custom data patterns. There are two default profiles:
- CC# (Credit Card): Identifies credit card numbers using a hash algorithm. The content must match the
  hash algorithm in order for data to be detected as a credit card number. This method will reduce false
  positives.
- SSN# (Social Security Number): Uses an algorithm to detect nine-digit numbers, regardless of format.
  There are two fields: SSN# and SSN# (no dash).
Weight and Threshold Values
It is important to understand how the weight of an object (SSN, CC#, pattern) is calculated in order to set the
appropriate threshold for a condition you are trying to filter. Each occurrence multiplied by the weight value
will be added together in order to reach an action threshold (alert or block).
Example: Filter for Social Security Numbers Only
For simplicity, if you only want to filter files with Social Security Numbers (SSN) and you define a weight of
3 for SSN#, you would use the following formula: each instance of a SSN x weight = threshold increment. In
this case, if a Word document has 10 social security numbers you multiply that by the weight of 3, so 10 x
3 = 30. In order to take action for a file that contains 10 social security numbers you would set the threshold
to 30. You may want to set an alert at 30 and then block at 60. You may also want to set a weight in the field
SSN# (no dash) for Social Security Numbers that do not contain dashes. If multiple settings are used, they
will accumulate to reach a given threshold.
Example: Filter for Social Security Numbers and a Custom Pattern
In this example, we will filter on files that contain Social Security Numbers and the custom pattern
confidential. In other words, if a file has Social Security Numbers in addition to the word confidential and the
combined instances of those items hit the threshold, the file will trigger an alert or block, depending on the
action setting.
- SSN# weight = 3
- Custom Pattern confidential weight = 20
The custom pattern is case sensitive.
If the file contains 20 Social Security Numbers and a weight of 3 is configured, that is 20 x 3 = 60. If the file
also contains one instance of the term confidential and a weight of 20 is configured, that is 1 x 20 = 20 for
a total of 80. If your threshold for block is set to 80, this scenario would block the file. The alert or block
action will be triggered as soon as the threshold is hit.
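The weight and threshold arithmetic from both examples above, worked through in Python as an added example (not the firewall's own detector, which the guide describes as a nine-digit algorithm for SSN# and a hash algorithm for CC#). The regular expressions, the constructed sample documents and the function names are assumptions made for illustration.

```python
import re

# Added example: a constructed model of the "occurrences x weight" accumulation
# described in Weight and Threshold Values. The SSN regexes below are an
# approximation of the SSN# and SSN# (no dash) fields, not PAN-OS code.
SSN_DASH_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # SSN# (with dashes)
SSN_NODASH_RE = re.compile(r"\b\d{9}\b")              # SSN# (no dash)


def count_objects(text, weights):
    """Count occurrences of each weighted data object in text.

    Keys of weights are "SSN#", "SSN# (no dash)", or "pattern:<term>" for a
    custom pattern. Custom patterns are matched case-sensitively, as the
    guide states.
    """
    counts = {}
    for name in weights:
        if name == "SSN#":
            counts[name] = len(SSN_DASH_RE.findall(text))
        elif name == "SSN# (no dash)":
            counts[name] = len(SSN_NODASH_RE.findall(text))
        elif name.startswith("pattern:"):
            counts[name] = text.count(name[len("pattern:"):])
        else:
            raise ValueError(f"unknown data object {name!r}")
    return counts


def weighted_total(counts, weights):
    """Each occurrence multiplied by its weight, summed across all objects."""
    return sum(counts[name] * weights[name] for name in counts)


def decide(total, alert_threshold=None, block_threshold=None):
    """Return 'block', 'alert' or 'none' once the total reaches a threshold."""
    if block_threshold is not None and total >= block_threshold:
        return "block"
    if alert_threshold is not None and total >= alert_threshold:
        return "alert"
    return "none"


def evaluate_file(text, weights, alert_threshold=None, block_threshold=None):
    """Return (weighted total, action) for one file's content."""
    counts = count_objects(text, weights)
    total = weighted_total(counts, weights)
    return total, decide(total, alert_threshold, block_threshold)


# Constructed sample "documents"; the SSNs are fake values built from a counter.
DOC_TEN_SSNS = " ".join(f"{100 + i:03d}-45-{6000 + i:04d}" for i in range(10))
DOC_TWENTY_SSNS_CONFIDENTIAL = (
    " ".join(f"{200 + i:03d}-45-{7000 + i:04d}" for i in range(20))
    + " This file is confidential."
)
# Same content but with the wrong case for the custom pattern.
DOC_WRONG_CASE = DOC_TWENTY_SSNS_CONFIDENTIAL.replace("confidential", "Confidential")

if __name__ == "__main__":
    # First example: 10 SSNs x weight 3 = 30, alert at 30, block at 60
    print(evaluate_file(DOC_TEN_SSNS, {"SSN#": 3}, alert_threshold=30, block_threshold=60))
    # Second example: 20 x 3 + 1 x 20 = 80, block threshold 80
    weights = {"SSN#": 3, "pattern:confidential": 20}
    print(evaluate_file(DOC_TWENTY_SSNS_CONFIDENTIAL, weights, block_threshold=80))
    # Case-sensitive pattern: "Confidential" does not count, so the total stays at 60
    print(evaluate_file(DOC_WRONG_CASE, weights, block_threshold=80))
```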
File Blocking Profiles
The firewall uses file blocking profiles to block specified file types over specified applications and in the
specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload
and/or download and you can specify which applications will be subject to the file blocking profile. You can
also configure custom block pages that will appear when a user attempts to download the specified file type.
This allows the user to take a moment to consider whether or not they want to download a file.
Configure a file blocking profile with the following actions:
- Alert: When the specified file type is detected, a log is generated in the data filtering log.
- Block: When the specified file type is detected, the file is blocked and a customizable block page is
  presented to the user. A log is also generated in the data filtering log.
- Continue: When the specified file type is detected, a customizable response page is presented to the user.
  The user can click through the page to download the file. A log is also generated in the data filtering log.
  Because this type of forwarding action requires user interaction, it is only applicable for web traffic.
WildFire Analysis Profiles
Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for WildFire
analysis. Specify files to be forwarded for analysis based on application, file type, and transmission direction
(upload or download). Files or email links matched to the profile rule are forwarded either to the WildFire public
cloud or the WildFire private cloud (hosted with a WF-500 appliance), depending on the analysis location
defined for the rule.
You can also use the WildFire analysis profiles to set up a WildFire hybrid cloud deployment. If you are using
a WildFire appliance to analyze sensitive files locally (such as PDFs), you can specify for less sensitive file
types (such as PE files) or file types that are not supported for WildFire appliance analysis (such as APKs) to
be analyzed by the WildFire public cloud. Using both the WildFire appliance and the WildFire cloud for
analysis allows you to benefit from a prompt verdict for files that have already been processed by the cloud,
and for files that are not supported for appliance analysis, and frees up the appliance capacity to process
sensitive content.
DoS Protection Profiles
DoS protection profiles provide detailed control for Denial of Service (DoS) protection policies. DoS policies
allow you to control the number of sessions between interfaces, zones, addresses, and countries based on
aggregate sessions or source and/or destination IP addresses. There are two DoS protection mechanisms
that the Palo Alto Networks firewalls support.
- Flood Protection: Detects and prevents attacks where the network is flooded with packets resulting in
  too many half-open sessions and/or services being unable to respond to each request. In this case the
  source address of the attack is usually spoofed. See DoS Protection Against Flooding of New Sessions.
- Resource Protection: Detects and prevents session exhaustion attacks. In this type of attack, a large
  number of hosts (bots) are used to establish as many fully established sessions as possible to consume all
  of a system's resources.
You can enable both types of protection mechanisms in a single DoS protection profile.
The DoS profile is used to specify the type of action to take and details on matching criteria for the DoS
policy. The DoS profile defines settings for SYN, UDP, and ICMP floods, can enable resource protection, and
defines the maximum number of concurrent connections. After you configure the DoS protection profile,
you then attach it to a DoS policy.
When configuring DoS protection, it is important to analyze your environment in order to set the correct
thresholds, and due to some of the complexities of defining DoS protection policies, this guide will not go
into detailed examples. For more information, refer to the Threat Prevention Tech Note.
Zone Protection Profiles
Zone protection profiles provide additional protection between specific network zones in order to protect
the zones against attack. The profile must be applied to the entire zone, so it is important to carefully test
the profiles in order to prevent issues that may arise with the normal traffic traversing the zones. When
defining packets per second (pps) threshold limits for zone protection profiles, the threshold is based on the
packets per second that do not match a previously established session. For more information, refer to the
Threat Prevention Tech Note.
Security Profile Group
A security profile group is a set of security profiles that can be treated as a unit and then easily added to
security policies. Profiles that are often assigned together can be added to profile groups to simplify the
creation of security policies. You can also set up a default security profile group; new security policies will
use the settings defined in the default profile group to check and control traffic that matches the security
policy. Name a security profile group "default" to allow the profiles in that group to be added to new security
policies by default. This allows you to consistently include your organization's preferred profile settings in
new policies automatically, without having to manually add security profiles each time you create new rules.
For recommendations on the best practice settings for security profiles, see Create Best Practice Security
Profiles.
The following sections show how to create a security profile group and how to enable a profile group to be
used by default in new security policies:
- Create a Security Profile Group
- Set Up or Override a Default Security Profile Group
Create a Security Profile Group
Use the following steps to create a security profile group and add it to a security policy.
5. Click OK to save the profile group.
5. Click OK to save the policy and Commit your changes.
Set Up or Override a Default Security Profile Group
Use the following options to set up a default security profile group to be used in new security policies, or to
override an existing default group. When an administrator creates a new security policy, the default profile
group will be automatically selected as the policy's profile settings, and traffic matching the policy will be
checked according to the settings defined in the profile group (the administrator can choose to manually
select different profile settings if desired). Use the following options to set up a default security profile group
or to override your default settings.
If no default security profile exists, the profile settings for a new security policy are set to None
by default.
5. Click OK to save the profile group.
6. Add the security profile group to a security policy.
7. Add or modify a security policy rule and select the Actions tab.
8. Select Group for the Profile Type.
9. In the Group Profile drop-down, select the group you created
   (for example, select the Threats group):
3. Click OK and Commit.
4. Confirm that the default security profile group is included in
   new security policies by default:
   a. Select Policies > Security and Add a new security policy.
   b. Select the Actions tab and view the Profile Setting fields:
      By default, the new security policy correctly shows the Profile Type
      set to Group and the default Group Profile is selected.
Override a default security profile group. If you have an existing default security profile group, and you do
not want that set of profiles to be attached to a new security policy,
you can continue to modify the Profile Setting fields according to
your preference. Begin by selecting a different Profile Type for your
policy (Policies > Security > Security Policy Rule > Actions).
Best Practice Internet Gateway Security Policy
One of the cheapest and easiest ways for an attacker to gain access to your network is through users
accessing the Internet. By successfully exploiting an endpoint, an attacker can take hold in your network and
begin to move laterally towards the end goal, whether that is to steal your source code, exfiltrate your
customer data, or take down your infrastructure. To protect your network from cyberattack and improve
your overall security posture, implement a best practice Internet gateway security policy. A best practice
policy allows you to safely enable applications, users, and content by classifying all traffic, across all ports, all
the time.
The following topics describe the overall process for deploying a best practice Internet gateway security
policy and provide detailed instructions for creating it.
- What Is a Best Practice Internet Gateway Security Policy?
- Why Do I Need a Best Practice Internet Gateway Security Policy?
- How Do I Deploy a Best Practice Internet Gateway Security Policy?
- Identify Whitelist Applications
- Create User Groups for Access to Whitelist Applications
- Decrypt Traffic for Full Visibility and Threat Inspection
- Create Best Practice Security Profiles
- Define the Initial Internet Gateway Security Policy
- Monitor and Fine Tune the Policy Rulebase
- Remove the Temporary Rules
- Maintain the Rulebase
What Is a Best Practice Internet Gateway Security Policy?
A best practice Internet gateway security policy has two main security goals:
- Minimize the chance of a successful intrusion: Unlike legacy port-based security policies that either
  block everything in the interest of network security, or enable everything in the interest of your business,
  a best practice security policy leverages App-ID, User-ID, and Content-ID to ensure safe enablement of
  applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both
  known and unknown threats.
- Identify the presence of an attacker: A best practice Internet gateway security policy provides built-in
  mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats
  on your network.
To achieve these goals, the best practice Internet gateway security policy uses application-based rules to
allow access to whitelisted applications by user, while scanning all traffic to detect and block all known
threats, and send unknown files to WildFire to identify new threats and generate signatures to block them.
The best practice policy is based on the following methodologies. The best practice methodologies ensure
detection and prevention at multiple stages of the attack lifecycle.
Best Practice Methodology    Why is this important?
Inspect All Traffic for Visibility
    Because you cannot protect against threats you cannot see, you must make sure you
    have full visibility into all traffic across all users and applications all the time. To
    accomplish this:
    - Deploy GlobalProtect to extend the next-generation security platform to users
      and devices no matter where they are located.
    - Enable SSL decryption so the firewall can inspect encrypted traffic (SSL/TLS traffic
      flows account for 40% or more of the total traffic on a typical network today).
    - Enable User-ID to map application traffic and associated threats to users/devices.
    The firewall can then inspect all traffic, inclusive of applications, threats, and
    content, and tie it to the user, regardless of location or device type, port, encryption,
    or evasive techniques employed, using the native App-ID, Content-ID, and User-ID
    technologies.
    Complete visibility into the applications, the content, and the users on your network
    is the first step toward informed policy control.
Reduce the Attack Surface
    After you have context into the traffic on your network (applications, their
    associated content, and the users who are accessing them), create application-based
    Security policy rules to allow those applications that are critical to your business and
    additional rules to block all high-risk applications that have no legitimate use case.
    To further reduce your attack surface, attach File Blocking and URL Filtering profiles
    to all rules that allow application traffic to prevent users from visiting threat-prone
    websites and prevent them from uploading or downloading dangerous file types
    (either knowingly or unknowingly).
Prevent Known Threats
    Enable the firewall to scan all allowed traffic for known threats by attaching
    security profiles to all allow rules to detect and block network and application-layer
    vulnerability exploits, buffer overflows, DoS attacks, and port scans, and known malware
    variants (including those hidden within compressed files or compressed
    HTTP/HTTPS traffic). To enable inspection of encrypted traffic, enable SSL
    decryption.
Detect Unknown Threats
    Forward all unknown files to WildFire for analysis. WildFire identifies unknown or
    targeted malware (also called advanced persistent threats or APTs) hidden within files
    by directly observing and executing unknown files in a virtualized sandbox
    environment in the cloud or on the WF-500 appliance. WildFire monitors more than
    250 malicious behaviors and, if malware is found, it automatically develops a
    signature and delivers it to you in as little as 5 minutes (and now that unknown threat
    is a known threat).
Why Do I Need a Best Practice Internet Gateway Security Policy?
Unlike legacy port-based security policies that either block everything in the interest of network security, or
enable everything in the interest of your business, a best practice security policy allows you to safely enable
applications by classifying all traffic, across all ports, all the time, including encrypted traffic. By determining
the business use case for each application, you can create security policy rules to allow and protect access
to relevant applications. Simply put, a best practice security policy is a policy that leverages the
next-generation technologies App-ID, Content-ID, and User-ID on the Palo Alto Networks enterprise
security platform to:
- Identify applications regardless of port, protocol, evasive tactic or encryption
- Identify and control users regardless of IP address, location, or device
- Protect against known and unknown application-borne threats
- Provide fine-grained visibility and policy control over application access and functionality
A best practice security policy uses a layered approach to ensure that you not only safely enable sanctioned
applications, but also block applications with no legitimate use case. To mitigate the risk of breaking
applications when moving from a port-based enforcement to an application-based enforcement, the
best practice rulebase provides built-in mechanisms to help you identify gaps in the rulebase and detect
alarming activity and potential threats on your network. These temporary best practice rules ensure that
applications your users are counting on don't break, while allowing you to monitor application usage and
craft appropriate rules. You may find that some of the applications that were being allowed through existing
port-based policy rules are not necessarily applications that you want to continue to allow, or that you want
to limit to a more granular set of users.
Unlike a port-based policy, a best practice security policy is easy to administer and maintain because each
rule meets a specific goal of allowing an application or group of applications to a specific user group based
on your business needs. Therefore, you can easily understand what traffic the rule enforces by looking at the
match criteria. Additionally, a best practice security policy rulebase leverages tags and objects to make the
rulebase more scannable and easier to keep synchronized with your changing environment.
How Do I Deploy a Best Practice Internet Gateway Security Policy?
Moving from a port-based security policy to an application-based security policy may seem like a daunting
task. However, the security risks of sticking with a port-based policy far outweigh the effort required to
implement an application-based policy. And, while legacy port-based security policies may have hundreds, if
not thousands of rules (many of which nobody in the organization knows the purpose of), a best practice policy
has a streamlined set of rules that align with your business goals, simplifying administration and reducing the
chance of error. Because the rules in an application-based policy align with your business goals and
acceptable use policies, you can quickly scan the policy to understand the reason for each and every rule.
As with any technology, there is usually a gradual approach to a complete implementation, consisting of
carefully planned deployment phases to make the transition as smooth as possible, with minimal impact to
your end users. Generally, the workflow for implementing a best practice Internet gateway security policy is:
- Assess your business and identify what you need to protect: The first step in deploying a security
  architecture is to assess your business and identify what your most valuable assets are as well as what
  the biggest threats to those assets are. For example, if you are a technology company, your intellectual
  property is your most valuable asset. In this case, one of your biggest threats would be source code
  theft.
- Segment Your Network Using Interfaces and Zones: Traffic cannot flow between zones unless there is
  a security policy rule to allow it. One of the easiest defenses against lateral movement of an attacker
  that has made its way into your network is to define granular zones and only allow access to the specific
  user groups who need to access an application or resource in each zone. By segmenting your network
  into granular zones, you can prevent an attacker from establishing a communication channel within your
  network (either via malware or by exploiting legitimate applications), thereby reducing the likelihood of
  a successful attack on your network.
- Identify Whitelist Applications: Before you can create an Internet gateway best practice security policy,
  you must have an inventory of the applications you want to allow on your network, and distinguish
  between those applications you administer and officially sanction and those that you simply want users
  to be able to use safely. After you identify the applications (including general types of applications) you
  want to allow, you can map them to specific best practice rules.
- Create User Groups for Access to Whitelist Applications: After you identify the applications you plan to
  allow, you must identify the user groups that require access to each one. Because compromising an end
  user's system is one of the cheapest and easiest ways for an attacker to gain access to your network,
  you can greatly reduce your attack surface by only allowing access to applications to the user groups
  that have a legitimate business need.
- Decrypt Traffic for Full Visibility and Threat Inspection: You can't inspect traffic for threats if you can't
  see it. And today SSL/TLS traffic flows account for 40% or more of the total traffic on a typical network.
  This is precisely why encrypted traffic is a common way for attackers to deliver threats. For example, an
  attacker may use a web application such as Gmail, which uses SSL encryption, to email an exploit or
  malware to employees accessing that application on the corporate network. Or, an attacker may
  compromise a website that uses SSL encryption to silently download an exploit or malware to site
  visitors. If you are not decrypting traffic for visibility and threat inspection, you are leaving a very large
  surface open for attack.
- Create Best Practice Security Profiles: Command-and-control traffic, CVEs, drive-by downloads of
  malicious content, APTs are all delivered via legitimate applications. To protect against known and
  unknown threats, you must attach stringent security profiles to all Security policy allow rules.
- Define the Initial Internet Gateway Security Policy: Using the application and user group inventory you
  conducted, you can define an initial policy that allows access to all of the applications you want to
  whitelist by user or user group. The initial policy rulebase you create must also include temporary rules
  to prevent other applications you might not have known about from breaking and to identify policy gaps
  and security holes in your existing design.
- Monitor and Fine Tune the Policy Rulebase: After the temporary rules are in place, you can begin
  monitoring traffic that matches to them so that you can fine tune your policy. Because the temporary
  rules are designed to uncover unexpected traffic on the network, such as traffic running on non-default
  ports or traffic from unknown users, you must assess the traffic matching these rules and adjust your
  application allow rules accordingly.
- Remove the Temporary Rules: After a monitoring period of several months, you should see less and less
  traffic hitting the temporary rules. When you reach the point where traffic no longer hits the temporary
  rules, you can remove them to complete your best practice Internet Gateway Security policy.
- Maintain the Rulebase: Due to the dynamic nature of applications, you must continually monitor your
  application whitelist and adapt your rules to accommodate new applications that you decide to sanction
  as well as to determine how new or modified App-IDs impact your policy. Because the rules in a best
  practice rulebase align with your business goals and leverage policy objects for simplified administration,
  adding support for a new sanctioned application or new or modified App-ID oftentimes is as simple as
  adding or removing an application from an application group or modifying an application filter.
Identify Whitelist Applications
The application whitelist includes not only the applications you provision and administer for business and infrastructure purposes, but also other applications that your users may need to use in order to get their jobs done, and applications you may choose to allow for personal use. Before you can begin creating your best practice Internet Gateway Security policy, you must create an inventory of the applications you want to whitelist.
- Map Applications to Business Goals for a Simplified Rulebase
- Use Temporary Rules to Tune the Whitelist
- Application Whitelist Example
Map Applications to Business Goals for a Simplified Rulebase
As you inventory the applications on your network, consider your business goals and acceptable use policies and identify the applications that correspond to each. This will allow you to create a goal-driven rulebase. For example, one goal might be to allow all users on your network to access data center applications. Another goal might be to allow the sales and support groups access to your customer database. You can then create a whitelist rule that corresponds to each goal you identify and group all of the applications that align with the goal into a single rule. This approach allows you to create a rulebase with a smaller number of individual rules, each with a clear purpose.
In addition, because the individual rules you create align with your business goals, you can use application objects to group the whitelist to further simplify administration of the best practice rulebase:
- Create application groups for sanctioned applications. Because you will know exactly what applications you require and sanction for official use, create application groups that explicitly include only those applications. Using application groups also simplifies the administration of your policy because it allows you to add and remove sanctioned applications without requiring you to modify individual policy rules. Generally, if the applications that map to the same goal have the same requirements for enabling access (for example, they all have a destination address that points to your data center address group, they all allow access to any known user, and you want to enable them on their default ports only), you would add them to the same application group.
- Create application filters to allow general types of applications. Besides the applications you officially sanction, you will also need to decide what additional applications you will want to allow your users to access. Application filters allow you to safely enable certain categories of applications (based on category, subcategory, technology, risk factor, or characteristic). Separate the different types of applications based on business and personal use. Create separate filters for each type of application to make it easier to understand each policy rule at a glance.
Use Temporary Rules to Tune the Whitelist
Although the end goal of a best practice application-based policy is to use positive enforcement to safely enable your whitelist applications, the initial rulebase requires some additional rules designed to ensure that you have full visibility into all applications in use on your network so that you can properly tune it. The initial rulebase you create will have the following types of rules:
- Whitelist rules for the applications you officially sanction and deploy.
- Whitelist rules for safely enabling access to general types of applications you want to allow per your acceptable use policy.
- Blacklist rules that block applications that have no legitimate use case. You need these rules so that the temporary rules that catch applications that haven't yet been accounted for in your policy don't let anything bad onto your network.
- Temporary allow rules to give you visibility into all of the applications running on your network so that you can tune the rulebase.
The temporary rules are a very important part of the initial best practice rulebase. Not only will they give you visibility into applications you weren't aware were running on your network (and prevent legitimate applications you didn't know about from breaking), but they will also help you identify things such as unknown users and applications running on non-standard ports. Because attackers commonly use standard applications on non-standard ports as an evasion technique, allowing applications on any port opens the door for malicious content. Therefore, you must identify any legitimate applications running on non-standard ports (for example, internally developed applications) so that you can either modify what ports are used or create custom applications to enable them.
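The tuning work described above (reviewing what hit the temporary rules and deciding whether to add a whitelist rule, create a custom application, or fix User-ID coverage) is easier when the traffic log export is summarized by rule, application and port. The script below is an added example and not part of the guide or of PAN-OS: the rule names, the simplified CSV layout, the DEFAULT_PORTS table and every log line are constructed for illustration; a real traffic log export has many more columns and App-ID, not a hand-written table, knows each application's default ports.

```python
"""Summarize traffic that hit the temporary tuning rules (added example,
not from the guide).  The log layout and every value below are
constructed; real PAN-OS traffic-log exports have many more columns."""
import csv
import io
from collections import Counter, defaultdict

# Hypothetical names for the four temporary tuning rules the guide describes.
TUNING_RULES = {
    "tune-web-nonstd-known": "web browsing/SSL on non-standard ports, known users",
    "tune-web-nonstd-unknown": "web browsing/SSL, unknown users",
    "tune-any-app-default": "any application on its application-default port",
    "tune-any-any": "any application on any port",
}

# Stand-in for App-ID's knowledge of each application's default port(s).
DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}, "smtp": {25}}

# Constructed traffic-log export; an empty src_user means User-ID had no mapping.
SAMPLE_LOG = """\
rule,app,src_ip,src_user,dst_port,bytes
allow-web,web-browsing,10.1.1.10,corp\\alice,80,500000
tune-web-nonstd-known,web-browsing,10.1.1.10,corp\\alice,8080,120000
tune-web-nonstd-known,web-browsing,10.1.1.11,corp\\bob,8080,98000
tune-web-nonstd-known,ssl,10.1.1.10,corp\\alice,8443,45000
tune-web-nonstd-unknown,web-browsing,10.1.1.50,,80,3000
tune-web-nonstd-unknown,ssl,10.1.1.51,,443,9000
tune-any-app-default,ssh,10.1.1.12,corp\\dave,22,50000
tune-any-any,unknown-tcp,10.1.1.13,corp\\eve,4444,700
tune-any-any,ssh,10.1.1.12,corp\\dave,2222,81000
"""


def parse_log(text):
    """Parse the CSV export into dicts with numeric port and byte counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def summarize(rows):
    """Sessions per (application, port) for each tuning rule; whitelist hits are ignored."""
    summary = defaultdict(Counter)
    for r in rows:
        if r["rule"] in TUNING_RULES:
            summary[r["rule"]][(r["app"], r["dst_port"])] += 1
    return summary


def findings(rows):
    """Classify tuning-rule hits into the gaps the guide says to look for."""
    out = {
        "nonstandard_port": Counter(),        # legitimate app on a non-default port
        "unknown_user_sources": set(),        # sources with no User-ID mapping
        "unknown_app": Counter(),             # unknown-tcp/udp, non-syn-tcp: always actionable
        "missing_from_whitelist": Counter(),  # known app on its default port, no allow rule
    }
    for r in rows:
        rule, app, port = r["rule"], r["app"], r["dst_port"]
        if rule not in TUNING_RULES:
            continue
        if not r["src_user"]:
            out["unknown_user_sources"].add(r["src_ip"])
        if app.startswith("unknown-") or app == "non-syn-tcp":
            out["unknown_app"][(app, port)] += 1
        elif port not in DEFAULT_PORTS.get(app, {port}):
            out["nonstandard_port"][(app, port)] += 1
        elif rule == "tune-any-app-default":
            out["missing_from_whitelist"][app] += 1
    return out


def recommendations(rows):
    """Turn findings into the tuning actions the guide describes."""
    f = findings(rows)
    actions = []
    for (app, port), n in sorted(f["nonstandard_port"].items()):
        actions.append(f"{app} on port {port} ({n} sessions): move it to its default port "
                       f"or create a custom application, then add it to a whitelist rule")
    for app, n in sorted(f["missing_from_whitelist"].items()):
        actions.append(f"{app} ({n} sessions): add it to an application group or filter in a whitelist rule")
    for ip in sorted(f["unknown_user_sources"]):
        actions.append(f"{ip}: no User-ID mapping; fix coverage or check for an embedded or compromised device")
    for (app, port), n in sorted(f["unknown_app"].items()):
        actions.append(f"{app} on port {port} ({n} sessions): track down the source before allowing it")
    return actions


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for rule, hits in summarize(rows).items():
        print(rule, dict(hits))
    for line in recommendations(rows):
        print("-", line)
```

The classification order matters: an unknown-tcp session is reported as an unknown application rather than as a "non-standard port" finding, because no default port exists for it, and a session is only counted as missing from the whitelist when it arrived on its default port through the application-default tuning rule.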
Application Whitelist Example
Keep in mind that you do not need to capture every application that might be in use on your network in your initial inventory. Instead you should focus here on the applications (and general types of applications) that you want to allow. Temporary rules in the best practice rulebase will catch any additional applications that may be in use on your network so that you are not inundated with complaints of broken applications during your transition to application-based policy. The following is an example application whitelist for an enterprise gateway deployment.

Application Type: Sanctioned Applications
Best Practice for Securing: These are the applications that your IT department administers specifically for business use within your organization or to provide infrastructure for your network and applications. For example, in an Internet gateway deployment these applications fall into the following categories:
- Infrastructure Applications. These are the applications that you must allow to enable networking and security, such as ping, NTP, SMTP, and DNS.
- IT-Sanctioned Applications. These are the applications that you provision and administer for your users. These fall into two categories:
  - IT-Sanctioned On-Premise Applications. These are the applications you install and host in your data center for business use. With IT-sanctioned on-premise applications, the application infrastructure and the data reside on enterprise-owned equipment. Examples include Microsoft Exchange and ActiveSync, as well as authentication tools such as Kerberos and LDAP.
  - IT-Sanctioned SaaS Applications. SaaS applications are those where the software and infrastructure are owned and managed by the application service provider, but where you retain full control of the data, including who can create, access, share, and transfer it (for example, Salesforce, Box, and GitHub).
- Administrative Applications. These are applications that only a specific group of administrative users should have access to in order to administer applications and support users (for example, remote desktop applications).

Application Type: General Types of Applications
Best Practice for Securing: Besides the applications you officially sanction and deploy, you will also want to allow your users to safely use other types of applications:
- General Business Applications. For example, allow access to software updates and web services, such as WebEx, Adobe online services, and Evernote.
- Personal Applications. For example, you may want to allow your users to browse the web or safely use web-based mail, instant messaging, or social networking applications.
The recommended approach here is to begin with wide application filters so you can gain an understanding of what applications are in use on your network. You can then decide how much risk you are willing to assume and begin to pare down the application whitelist. For example, suppose you find that Box, Dropbox, and Office 365 file sharing applications are all in use on your network. Each of these applications has an inherent risk associated with it, from data leakage to risks associated with transfer of malware-infected files. The best approach would be to officially sanction a single file sharing application and then begin to phase out the others by slowly transitioning from an allow policy to an alert policy, and finally, after giving users ample warning, a block policy for all file sharing applications except the one you choose to sanction. In this case, you might also choose to enable a small group of users to continue using an additional file sharing application as needed to perform job functions with partners.

Application Type: Custom Applications Specific to Your Environment
Best Practice for Securing: If you have proprietary applications on your network or applications that you run on non-standard ports, it is a best practice to create custom applications for them. This way you can allow the application as a sanctioned application and lock it down to its default port. Otherwise you would either have to open up additional ports (for applications running on non-standard ports), or allow unknown traffic (for proprietary applications), neither of which is recommended in a best practice Security policy.
Create User Groups for Access to Whitelist Applications
Safely enabling applications means not only defining the list of applications you want to allow, but also enabling access only for those users who have a legitimate business need. For example, some applications, such as SaaS applications that enable access to Human Resources services (such as Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications you can reduce your attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of your users do not. Limiting user access to applications closes potential security holes that an attacker could use to gain access to and control over systems in your network.
To enable user-based access to applications:
- Enable User-ID in zones from which your users initiate traffic.
- For each application whitelist rule you define, identify the user groups that have a legitimate business need for the applications allowed by the rule. Keep in mind that because the best practice approach is to map the application whitelist rules to your business goals (which includes considering which users have a business need for a particular type of application), you will have a much smaller number of rules to manage than if you were trying to map individual port-based rules to users.
- If you don't have an existing group on your AD server, you can alternatively create custom LDAP groups to match the list of users who need access to a particular application.
Decrypt Traffic for Full Visibility and Threat Inspection
The best practice security policy dictates that you decrypt all traffic except sensitive categories, which include Health, Finance, Government, Military, and Shopping.
Use decryption exceptions only where required, and be precise to ensure that you are limiting the exception to a specific application or user based on need only:
- If decryption breaks an important application, create an exception for the specific IP address, domain, or common name in the certificate associated with the application.
- If a specific user needs to be excluded for regulatory or legal reasons, create an exception for just that user.
- To ensure that certificates presented during SSL decryption are valid, configure the firewall to perform CRL/OCSP checks.
Best practice Decryption policy rules include a strict Decryption Profile. Before you configure SSL Forward Proxy, create a best practice Decryption Profile (Objects > Decryption Profile) to attach to your Decryption policy rules:
Best Practice Decryption Profile
Create Best Practice Security Profiles
Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security policy rules that allow traffic so that you can detect threats, both known and unknown, in your network traffic. The following are the recommended best practice settings for each of the security profiles that you should attach to every Security policy rule.
Consider adding the best practice security profiles to a default security profile group so that it will automatically attach to any new Security policy rules you create.

Security Profile: File Blocking
Best Practice Settings: Create a File Blocking profile that blocks files that are commonly included in malware attack campaigns or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files as well as Windows Portable Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon, and .pif files. You can allow download/upload of executables and archive files (.zip and .rar), but force users to click continue before transferring a file to give them pause. Finally, alert on all other file types for visibility into what other file transfers are happening so that you can determine if you need to make policy changes.
Why do I need this profile?
There are many ways for attackers to deliver malicious files: as attachments or links in corporate email or in webmail, links or IMs in social media, Exploit Kits, through file sharing applications (such as FTP, Google Drive, or Dropbox), or on USB drives. Attaching a File Blocking profile reduces your attack surface by preventing these types of attacks.
What if I can't block all of the recommended file types?
If you cannot block all PE files per the recommendation, make sure you send all unknown files to WildFire for analysis. Additionally, set the Action to continue to prevent drive-by downloads. A drive-by download is when an end user downloads content that installs malicious files, such as Java applets or executables, without knowing they are doing it. Drive-by downloads can occur when users visit websites, view email messages, or click into pop-up windows meant to deceive them. Educate your users that if they are prompted to continue with a file transfer they didn't knowingly initiate, they may be subject to a malicious download.

Security Profile: Antivirus
Best Practice Settings: Attach an Antivirus profile to all allowed traffic to detect and prevent viruses and malware from being transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols. The best practice Antivirus profile uses the default action when it detects traffic that matches either an Antivirus signature or a WildFire signature. The default action differs for each protocol and follows the most up-to-date recommendation from Palo Alto Networks for how to best prevent malware in each type of protocol from propagating.
By default, the firewall alerts on viruses found in SMTP traffic. However, if you don't have a dedicated Antivirus gateway solution in place for your SMTP traffic, define a stricter action for this protocol to protect against infected email content. Use the reset-both action to return a 541 response to the sending SMTP server to prevent it from resending the blocked message.
Why do I need this profile?
By attaching Antivirus profiles to all Security rules you can block known malicious files (malware, ransomware, bots, and viruses) as they are coming into the network. Common ways for users to receive malicious files include malicious attachments in email, links to download malicious files, or silent compromise with Exploit Kits that exploit a vulnerability and then automatically deliver malicious payloads to the end user.

Security Profile: Vulnerability Protection
Best Practice Settings: Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. The best practice profile is a clone of the predefined Strict profile, with packet capture settings enabled to help you track down the source of any potential attacks.
Why do I need this profile?
Without strict vulnerability protection, attackers can leverage client- and server-side vulnerabilities to compromise end users. For example, an attacker could leverage a vulnerability to install malicious code on client systems or use an Exploit Kit (Angler, Nuclear, Fiesta, KaiXin) to automatically deliver malicious payloads to the end user. Vulnerability Protection profiles also prevent an attacker from using vulnerabilities on internal hosts to move laterally within your network.

Security Profile: Anti-Spyware
Best Practice Settings: Attach an Anti-Spyware profile to all allowed traffic to detect command-and-control (C2) traffic initiated from spyware installed on a server or endpoint and prevent compromised systems from establishing an outbound connection from your network. The best practice Anti-Spyware profile resets the connection when the firewall detects a medium, high, or critical severity threat and blocks or sinkholes any DNS queries for known malicious domains.
To create this profile, clone the predefined strict profile and make sure to enable DNS sinkhole and packet capture to help you track down the endpoint that attempted to resolve the malicious domain. For the best possible protection, enable passive DNS monitoring, which enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto Networks for analysis in order to improve threat intelligence and threat prevention capabilities.

Security Profile: URL Filtering
Best Practice Settings: As a best practice, use PAN-DB URL filtering to prevent access to web content that is at high risk for being malicious. Attach a URL Filtering profile to all rules that allow access to web-based applications to protect against URLs that have been observed hosting malware or exploitive content.
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include malware, phishing, dynamic-dns, unknown, proxy-avoidance-and-anonymizers, questionable, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command-and-control activity, and data exfiltration.
In addition to blocking known bad categories, you should also alert on all other categories so that you have visibility into the sites your users are visiting. If you need to phase in a block policy, set categories to continue and create a custom response page to educate users on your acceptable use policies and alert them to the fact that they are visiting a site that may pose a threat. This will pave the way for you to outright block the categories after a monitoring period.
What if I can't block all of the recommended categories?
If you find that users need access to sites in the blocked categories, consider creating an allow list for just the specific sites, if you feel the risk is justified. Allowing traffic to a recommended block category poses the following risks:
- malware: Sites known to host malware or used for command-and-control (C2) traffic. May also exhibit Exploit Kits.
- phishing: Known to host credential phishing pages or phishing for personal identification.
- dynamic-dns: Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
- unknown: Sites that have not yet been identified by PAN-DB, perhaps because they were just registered. However, oftentimes these are sites that are generated by domain generation algorithms and are later found to exhibit malicious behavior.
- proxy-avoidance-and-anonymizers: URLs and services often used to bypass content filtering products.
- questionable: Domains with illegal content, such as content that infringes on copyrights or that allows illegal download of software or other intellectual property.
- parked: Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.

Security Profile: WildFire Analysis
Best Practice Settings: While the rest of the best practice security profiles significantly reduce the attack surface on your network by detecting and blocking known threats, the threat landscape is ever-changing and the risk of unknown threats lurking in the files we use daily (PDFs and Microsoft Office documents such as .doc and .xls files) is ever-growing. And, because these unknown threats are increasingly sophisticated and targeted, they often go undetected until long after a successful attack. To protect your network from unknown threats, you must configure the firewall to forward files to WildFire for analysis. Without this protection, attackers have free rein to infiltrate your network and exploit vulnerabilities in the applications your employees use every day. Because WildFire protects against unknown threats, it is your greatest defense against advanced persistent threats (APTs).
The best practice WildFire Analysis profile sends all files in both directions (upload and download) to WildFire for analysis. Specifically, make sure you are sending all PE files (if you're not blocking them per the file blocking best practice), Adobe Flash and Reader files (PDF, SWF), Microsoft Office files (PowerPoint, Excel, Word, RTF), Java files (Java, .CLASS), and Android files (.APK).
Define the Initial Internet Gateway Security Policy
The overall goal of a best practice Internet gateway security policy is to use positive enforcement of whitelist applications. However, it takes some time to identify exactly what applications are running on your network, which of these applications are critical to your business, and who the users are that need access to each one. The best way to accomplish the end goal of a policy rulebase that includes only application allow rules is to create an initial policy rulebase that liberally allows both the applications you officially provision for your users as well as other general business and, if appropriate, personal applications. This initial policy also includes additional rules that explicitly block bad applications as well as some temporary allow rules that are designed to help you refine your policy and prevent applications your users may need from breaking while you transition to the best practices.
The following topics describe how to create the initial rulebase and describe why each rule is necessary and what the risks are of not following the best practice recommendation:
- Step 1: Create the Application Whitelist Rules
- Step 2: Create the Application Block Rules
- Step 3: Create the Temporary Tuning Rules
- Step 4: Enable Logging for Traffic that Doesn't Match Any Rules
Step 1: Create the Application Whitelist Rules
After you Identify Whitelist Applications you are ready to create the first part of the best practice Internet Gateway Security policy rulebase: the application whitelist rules. Every whitelist rule you create must allow traffic based on application (not port) and, with the exception of certain infrastructure applications that require user access before the firewall can identify the user, must only allow access to known users. Whenever possible, Create User Groups for Access to Whitelist Applications so that you can limit user access to the specific users or user groups who have a business need to access the application.
When creating the application whitelist rules, make sure to place more specific rules above more general rules. For example, the rules for all of your sanctioned and infrastructure applications would come before the rules that allow general access to certain types of business and personal applications. This first part of the rulebase includes the allow rules for the applications you identified as part of your application whitelist:
- Sanctioned applications you provision and administer for business and infrastructure purposes
- General business applications that your users may need to use in order to get their jobs done
- General applications you may choose to allow for personal use
Every application whitelist rule also requires that you attach the best practice security profiles to ensure that you are scanning all allowed traffic for known and unknown threats. If you have not yet created these profiles, see Create Best Practice Security Profiles. And, because you can't inspect what you can't see, you must also make sure you have configured the firewall to Decrypt Traffic for Full Visibility and Threat Inspection.
Create the Application Whitelist Rules
Step 1: Allow access to your corporate DNS servers.
Why do I need this rule?
Access to DNS is required to provide network infrastructure services, but it is commonly exploited by attackers. Allowing access only to your internal DNS server reduces your attack surface.
Rule Highlights
- Because this rule is very specific, place it at the top of the rulebase.
- Create an address object to use for the destination address to ensure that users only access the DNS server in your data center.
- Because users will need access to these services before they are logged in, you must allow access to any user.
Step 2: Allow access to other required IT infrastructure resources.
Why do I need this rule?
Enable the applications that provide your network infrastructure and management functions, such as NTP, OCSP, STUN, and ping. While DNS traffic allowed in the preceding rule is restricted to the destination address in the data center, these applications may not reside in your data center and therefore require a separate rule.
Rule Highlights
- Because these applications run on the default port, allow access to any user (users may not yet be known users because of when these services are needed), and all have a destination address of any, contain them in a single application group and create a single rule to enable access to all of them.
- Users may not have logged in yet at the time they need access to the infrastructure applications, so make sure this rule allows access to any user.
Step 3: Allow access to IT-sanctioned SaaS applications.
Why do I need this rule?
With SaaS applications, your proprietary data is in the cloud. This rule ensures that only your known users have access to these applications (and the underlying data). Scan allowed SaaS traffic for threats.
Rule Highlights
- Group all sanctioned SaaS applications in an application group.
- SaaS applications should always run on the application-default port.
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
Step 4: Allow access to IT-provisioned on-premise applications.
Why do I need this rule?
Business-critical data center applications are often leveraged in attacks during the exfiltration stage, using applications such as FTP, or in the lateral movement stage by exploiting application vulnerabilities.
Many data center applications use multiple ports; setting the Service to application-default safely enables the applications on their standard ports. You should not allow applications on non-standard ports because this is often associated with evasive behavior.
Rule Highlights
- Group all data center applications in an application group.
- Create an address group for your data center server addresses.
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
Step 5: Allow access to applications your administrative users need.
Why do I need this rule?
To reduce your attack surface, Create User Groups for Access to Whitelist Applications. Because administrators often need access to sensitive account data and remote access to other systems (for example RDP), you can greatly reduce your attack surface by only allowing access to the administrators who have a business need.
Rule Highlights
- This rule restricts access to users in the IT_admins group.
- Create custom applications for internal applications or applications that run on non-standard ports so that you can enforce them on their default ports rather than opening additional ports on your network.
- If you have different user groups for different applications, create separate rules for granular control.
Step 6: Allow access to general business applications.
Why do I need this rule?
Beyond the applications you sanction for use and administer for your users, there are a variety of applications that users may commonly use for business purposes, for example to interact with partners, such as WebEx, Adobe online services, or Evernote, but which you may not officially sanction.
Because malware often sneaks in with legitimate web-based applications, this rule allows you to safely allow web browsing while still scanning for threats. See Create Best Practice Security Profiles.
Rule Highlights
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
- For visibility, create separate application filters for each type of application you want to allow.
- Attach the best practice security profiles to ensure that all traffic is free of known and unknown threats. See Create Best Practice Security Profiles.
Step 7: (Optional) Allow access to personal applications.
Why do I need this rule?
As the lines blur between work and personal devices, you want to ensure that all applications your users access are safely enabled and free of threats.
By using application filters, you can safely enable access to personal applications when you create this initial rulebase. After you assess what applications are in use, you can use the information to decide whether to remove the filter and allow a smaller subset of personal applications appropriate for your acceptable use policies.
Rule Highlights
- Restrict access to your known users. See Create User Groups for Access to Whitelist Applications.
- For visibility, create separate application filters for each type of application you want to allow.
- Scan all traffic for threats by attaching your best practice security profile group. See Create Best Practice Security Profiles.
Step 8: Allow general web browsing.
Why do I need this rule?
While the previous rule allowed access to personal applications (many of them browser-based), this rule allows general web browsing.
General web browsing is more risk-prone than other types of application traffic. You must Create Best Practice Security Profiles and attach them to this rule in order to safely enable web browsing.
Because threats often hide in encrypted traffic, you must Decrypt Traffic for Full Visibility and Threat Inspection if you want to safely enable web browsing.
Rule Highlights
- This rule uses the same best practice security profiles as the rest of the rules, except for the File Blocking profile, which is more stringent because general web browsing traffic is more vulnerable to threats.
- This rule allows only known users to prevent devices with malware or embedded devices from reaching the Internet.
- Use application filters to allow access to general types of applications.
- Make sure you also explicitly allow SSL as an application here if you want to allow users to be able to browse to HTTPS sites that are excluded from decryption.
Step 2: Create the Application Block Rules
Although the overall goal of your security policy is to safely enable applications using application whitelist rules (also known as positive enforcement), the initial best practice rulebase must also include rules to help you find gaps in your policy and identify possible attacks. Because these rules are designed to catch things you didn't know were running on your network, they allow traffic that could also pose security risks on your network. Therefore, before you can create the temporary rules, you must create rules that explicitly blacklist applications designed to evade or bypass security or that are commonly exploited by attackers, such as public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file sharing applications.
Each of the tuning rules you will define in Step 3: Create the Temporary Tuning Rules is designed to identify a specific gap in your initial policy. Therefore some of these rules will need to go above the application block rules and some will need to go after.
Create the Application Block Rules
Step 1: Block applications that do not have a legitimate use case.
Why do I need this rule?
Block nefarious applications such as encrypted tunnels and peer-to-peer file sharing, as well as web-based file sharing applications that are not IT-sanctioned.
Because the tuning rules that follow are designed to allow traffic with malicious intent or legitimate traffic that is not matching your policy rules as expected, these rules could also allow risky or malicious traffic into your network. This rule prevents that by blocking traffic that has no legitimate use case and that could be used by an attacker or a negligent user.
Rule Highlights
- Use the Drop Action to silently drop the traffic without sending a signal to the client or the server.
- Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
- Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.
Step 2: Block public DNS and SMTP applications.
Why do I need this rule?
Block public DNS/SMTP applications to avoid DNS tunneling, command-and-control traffic, and remote administration.
Rule Highlights
- Use the Reset both client and server Action to send a TCP reset message to both the client-side and server-side devices.
- Enable logging for traffic matching this rule so that you can investigate a potential threat on your network.
Step3:CreatetheTemporaryTuningRules
Thetemporarytuningrulesareexplicitlydesignedtohelpyoumonitortheinitialbestpracticerulebasefor
gapsandalertyoutoalarmingbehavior.Forexample,youwillcreatetemporaryrulestoidentifytrafficthat
iscomingfromunknownuserorapplicationsrunningonunexpectedports.Bymonitoringthetraffic
matchingonthetemporaryrulesyoucanalsogainafullunderstandingofalloftheapplicationsinuseon
yournetwork(andpreventapplicationsfrombreakingwhileyoutransitiontoabestpracticerulebase).You
canusethisinformationtohelpyoufinetuneyourwhitelist,eitherbyaddingnewwhitelistrulestoallow
applicationsyouwerentawarewereneededortonarrowyourwhitelistrulestoremoveapplicationfilters
andinsteadallowonlyspecificapplicationsinaparticularcategory.Whentrafficisnolongerhittingthese
rulesyoucanRemovetheTemporaryRules.
Someofthetemporarytuningrulesmustgoabovetherulestoblockbadapplicationsandsomemustgoafterto
ensurethattargetedtraffichitstheappropriaterule,whilestillensuringthatbadtrafficisnotallowedontoyour
network.
CreateTemporaryTuningRules
Step1 AllowwebbrowsingandSSLonnonstandardportsforknownuserstodetermineifthereareanylegitimate
applicationsrunningonnonstandardports.
WhydoIneedthisrule? RuleHighlights
Thisrulehelpsyoudetermineifyouhaveany Unlikethewhitelistrulesthatallowapplicationsonthedefault
gapsinyourpolicywhereusersareunableto portonly,thisruleallowswebbrowsingandSSLtrafficonany
accesslegitimateapplicationsbecausethey portsothatyoucanfindgapsinyourwhitelist.
arerunningonnonstandardports. Becausethisruleisintendedtofindgapsinpolicy,limititto
Youmustmonitoralltrafficthatmatchesthis knownusersonyournetwork.SeeCreateUserGroupsfor
rule.Foranytrafficthatislegitimate,you AccesstoWhitelistApplications.
shouldtunetheappropriateallowruleto MakesureyoualsoexplicitlyallowSSLasanapplicationhereif
includetheapplication,perhapscreatinga youwanttoallowuserstobeabletobrowsetoHTTPSsitesthat
customapplicationwhereappropriate. arentdecrypted(suchasfinancialservicesandhealthcaresites).
Youmustaddthisruleabovetheapplicationblockrulesorno
trafficwillhitthisrule.
Step2 AllowwebbrowsingandSSLtrafficonnonstandardportsfromunknownuserstohighlightallunknown
usersregardlessofport.
WhydoIneedthisrule? RuleHighlights
Thisrulehelpsyoudeterminewhetheryou Whilethemajorityoftheapplicationwhitelistrulesapplyto
havegapsinyourUserIDcoverage. knownusersorspecificusergroups,thisruleexplicitlymatches
Thisrulealsohelpsyouidentifycompromised trafficfromunknownusers.
orembeddeddevicesthataretryingtoreach Notethatthisrulemustgoabovetheapplicationblockrulesor
theInternet. trafficwillneverhitit.
Itisimportanttoblocknonstandardport Becauseitisanallowrule,youmustattachthebestpractice
usage,evenforwebbrowsingtraffic, securityprofilestoscanforthreats.
becauseitisusuallyanevasiontechnique.
Step 3 Allow all applications on the application-default port to identify unexpected applications.
Why do I need this rule?
This rule provides visibility into applications that you weren't aware were running on your network so that you can fine-tune your application whitelist.
Monitor all traffic matching this rule to determine whether it represents a potential threat, or whether you need to modify your whitelist rules to allow the traffic.
Rule Highlights
Because this rule allows all applications, you must add it after the application block rules to prevent bad applications from running on your network.
If you are running PAN-OS 7.0.x or earlier, to appropriately identify unexpected applications, you must use an application filter that includes all applications, instead of setting the rule to allow any application.
Step 4 Allow any application on any port to identify applications running where they shouldn't be.
Why do I need this rule?
This rule helps you identify legitimate, known applications running on unknown ports.
This rule also helps you identify unknown applications for which you need to create a custom application to add to your application whitelist.
Any traffic matching this rule is actionable and requires that you track down the source of the traffic and ensure that you are not allowing any unknown-tcp, unknown-udp or non-syn-tcp traffic.
Rule Highlights
Because this is a very general rule that allows any application from any user on any port, it must come at the end of your rulebase.
Enable logging for traffic matching this rule so that you can investigate for misuse of applications and potential threats on your network or identify legitimate applications that require a custom application.
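The placement requirements stated in the tuning-rule tables above (the two SSL/web rules above the application block rules, the any-application rule below them, the any-port rule last, logging on every tuning rule) are easy to break when rules are moved later. As an added example that is not from this guide and not PAN-OS code, the following Python script encodes those requirements and checks a constructed, simplified rulebase against them. The tuning-rule names follow the example policy used later in this chapter; mapping each name to one of the four tuning steps, and the "kind" label on each rule, are this example's own assumptions.

```python
"""Check that the temporary tuning rules sit where the best-practice policy needs them.

Added example, not from the PAN-OS guide. The rulebase below is constructed;
the tuning-rule names follow the example policy, and the "kind" labels
(whitelist, block, tuning, default) are this example's own annotation.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    kind: str                 # "whitelist", "block", "tuning" or "default"
    action: str               # "allow" or "deny"
    log: bool = True          # log at session end
    profiles: bool = False    # best-practice security profiles attached?


# Constructed sample rulebase, listed top to bottom (evaluation order).
SAMPLE_RULEBASE = [
    Rule("Whitelist IT Sanctioned Apps", "whitelist", "allow", profiles=True),
    Rule("Unexpected Port SSL and Web", "tuning", "allow", profiles=True),
    Rule("Unknown User SSL and Web", "tuning", "allow", profiles=True),
    Rule("Block Bad Applications", "block", "deny"),
    Rule("Unexpected Traffic", "tuning", "allow", profiles=True),
    Rule("Unexpected Port Usage", "tuning", "allow", profiles=True),
    Rule("interzone-default", "default", "deny", log=True),
]

# Placement each tuning rule needs, as stated in the guide (assumed name mapping):
# "above_block": must precede every application block rule
# "below_block": must follow every application block rule
# "last":        must be the final rule before the predefined default rules
PLACEMENT = {
    "Unexpected Port SSL and Web": "above_block",
    "Unknown User SSL and Web": "above_block",
    "Unexpected Traffic": "below_block",
    "Unexpected Port Usage": "last",
}


def check_rulebase(rules):
    """Return a list of findings; an empty list means the rulebase passes."""
    findings = []
    index = {r.name: i for i, r in enumerate(rules)}
    block_idx = [i for i, r in enumerate(rules) if r.kind == "block"]
    user_rules = [r for r in rules if r.kind != "default"]
    for name, where in PLACEMENT.items():
        if name not in index:
            findings.append(f"missing tuning rule: {name}")
            continue
        i = index[name]
        if where == "above_block" and any(b < i for b in block_idx):
            findings.append(f"{name} must be above the application block rules")
        elif where == "below_block" and any(b > i for b in block_idx):
            findings.append(f"{name} must be below the application block rules")
        elif where == "last" and rules[i] is not user_rules[-1]:
            findings.append(f"{name} must be the last rule in the rulebase")
    for r in rules:
        if r.kind == "tuning" and not r.log:
            findings.append(f"{r.name}: enable logging, its traffic must be monitored")
        if r.kind == "tuning" and r.action == "allow" and not r.profiles:
            findings.append(f"{r.name}: attach best-practice security profiles")
        if r.kind == "default" and not r.log:
            findings.append(f"{r.name}: override the rule and enable logging")
    return findings


if __name__ == "__main__":
    print("sample rulebase:", check_rulebase(SAMPLE_RULEBASE) or "ok")
    # Misordered copy: the any-app/any-port rule moved above the block rule.
    bad = list(SAMPLE_RULEBASE)
    bad.insert(3, bad.pop(5))
    print("misordered copy:", check_rulebase(bad))
```

Run it against an export of your own rulebase order (the rule numbers described under Enumeration of Rules Within a Rulebase give you that order) after each reorganisation; a non-empty result means traffic is either being blocked before the tuning rules can see it, or an allow rule is catching traffic the block rules should have stopped.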
Step 4: Enable Logging for Traffic that Doesn't Match Any Rules
Traffic that does not match any of the rules you defined will match the predefined interzone-default rule at the bottom of the rulebase and be denied. For visibility into the traffic that is not matching any of the rules you created, enable logging on the interzone-default rule:
Enable Logging for Traffic That Doesn't Match Any Rules
Step 1 Select the interzone-default row in the rulebase and click Override to enable editing on this rule.
Step 2 Select the interzone-default rule name to open the rule for editing.
Step 4 Create a custom report to monitor traffic that hits this rule.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the interzone-default rule:
(rule eq 'interzone-default')
Step 5 Commit the changes you made to the rulebase.
Monitor and Fine-Tune the Policy Rulebase
A best practice security policy is iterative. It is a tool for safely enabling applications, users, and content by classifying all traffic, across all ports, all the time. As soon as you Define the Initial Internet Gateway Security Policy, you must begin to monitor the traffic that matches the temporary rules designed to identify policy gaps and alarming behavior and tune your policy accordingly. By monitoring traffic hitting these rules, you can make appropriate adjustments to your rules to either make sure all traffic is hitting your whitelist application allow rules or assess whether particular applications should be allowed. As you tune your rulebase, you should see less and less traffic hitting these rules. When you no longer see traffic hitting these rules, it means that your positive enforcement whitelist rules are complete and you can Remove the Temporary Rules.
Because new App-IDs are added in weekly content releases, you should review the impact the changes in App-IDs have on your policy.
Identify Policy Gaps
Step 1 Create custom reports that let you monitor traffic that hits the rules designed to identify policy gaps.
1. Select Monitor > Manage Custom Reports.
2. Add a report and give it a descriptive Name that indicates the particular policy gap you are investigating, such as Best Practice Policy Tuning.
3. Set the Database to Traffic Summary.
4. Select the Scheduled check box.
5. Add the following to the Selected Columns list: Rule, Application, Bytes, Sessions.
6. Set the desired Time Frame, Sort By and Group By fields.
7. Define the query to match traffic hitting the rules designed to find policy gaps and alarming behavior. You can create a single report that details traffic hitting any of the rules (using the or operator), or create individual reports to monitor each rule. Using the rule names defined in the example policy, you would enter the corresponding queries:
(rule eq 'Unexpected Port SSL and Web')
(rule eq 'Unknown User SSL and Web')
(rule eq 'Unexpected Traffic')
(rule eq 'Unexpected Port Usage')
Step 2 Review the report regularly to make sure you understand why traffic is hitting each of the best practice policy tuning rules and either update your policy to include legitimate applications and users, or use the information in the report to assess the risk of that application usage and implement policy reforms.
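Both this procedure and the interzone-default report above filter the Traffic Summary database on the rule name and then group the Rule, Application, Bytes and Sessions columns. As an added example that is not part of the guide and does not use the firewall's report engine, the following Python code evaluates queries of exactly that shape, one or more (rule eq '...') terms joined with or, over a few constructed traffic-summary records, so you can see what rows the scheduled report would produce. The record fields are an assumed simplification of the real database.

```python
"""Evaluate custom-report style queries over constructed traffic summary records.

Added example, not from the PAN-OS guide and not the firewall's report engine.
Only the query shape the guide uses is supported: (rule eq 'name') terms
joined with 'or'. Records are constructed, not real log data.
"""
import re
from collections import defaultdict

# Constructed traffic-summary style records (one per rule/application pair).
SAMPLE_RECORDS = [
    {"rule": "Unexpected Port SSL and Web", "app": "ssl", "bytes": 52000, "sessions": 4},
    {"rule": "Unexpected Port SSL and Web", "app": "web-browsing", "bytes": 8100, "sessions": 2},
    {"rule": "Unknown User SSL and Web", "app": "ssl", "bytes": 3000, "sessions": 1},
    {"rule": "Unexpected Port Usage", "app": "unknown-tcp", "bytes": 900, "sessions": 7},
    {"rule": "Unexpected Port Usage", "app": "unknown-tcp", "bytes": 1100, "sessions": 3},
    {"rule": "interzone-default", "app": "incomplete", "bytes": 1200, "sessions": 12},
    {"rule": "IT Sanctioned Apps", "app": "ssl", "bytes": 990000, "sessions": 50},
]

_TERM = re.compile(r"^\(\s*rule\s+eq\s+'([^']*)'\s*\)$")


def parse_query(query):
    """Turn "(rule eq 'a') or (rule eq 'b')" into the set of rule names it matches."""
    names = set()
    for term in re.split(r"\s+or\s+", query.strip()):
        m = _TERM.match(term.strip())
        if not m:
            raise ValueError(f"unsupported query term: {term!r}")
        names.add(m.group(1))
    return names


def run_report(records, query, group_by=("rule", "app")):
    """Aggregate Bytes and Sessions per group for the records matching the query.

    Rows come back sorted by bytes descending, like a report with Sort By: Bytes.
    """
    wanted = parse_query(query)
    totals = defaultdict(lambda: {"bytes": 0, "sessions": 0})
    for rec in records:
        if rec["rule"] in wanted:
            key = tuple(rec[k] for k in group_by)
            totals[key]["bytes"] += rec["bytes"]
            totals[key]["sessions"] += rec["sessions"]
    rows = [dict(zip(group_by, key), **agg) for key, agg in totals.items()]
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


# One report covering all four tuning rules, as the guide suggests (or-joined).
TUNING_QUERY = (
    "(rule eq 'Unexpected Port SSL and Web') or "
    "(rule eq 'Unknown User SSL and Web') or "
    "(rule eq 'Unexpected Traffic') or "
    "(rule eq 'Unexpected Port Usage')"
)

if __name__ == "__main__":
    for row in run_report(SAMPLE_RECORDS, TUNING_QUERY):
        print(row)
    print(run_report(SAMPLE_RECORDS, "(rule eq 'interzone-default')"))
```

The interesting rows are the ones that keep reappearing from week to week: a stable rule/application pair hitting a tuning rule is either a whitelist rule that needs the application added, or usage you need to assess for risk, which is exactly the decision Step 2 asks for.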
Remove the Temporary Rules
After several months of monitoring your initial Internet Gateway best practice Security policy, you should see less and less traffic hitting the temporary rules as you make adjustments to the rulebase. When you no longer see any traffic hitting these rules, you have achieved your goal of transitioning to a fully application-based Security policy rulebase. At this point, you can finalize your policy rulebase by removing the temporary rules, which includes the rules you created to block bad applications and the rules you created for tuning the rulebase.
Remove the Temporary Rules
Step 2 Select the rule and click Delete.
Alternatively, Disable the rules for a period of time before deleting them. This would allow you to Enable them again if traffic logs show traffic matching the interzone-default rule.
Step 3 Commit the changes.
Maintain the Rulebase
Because applications are always evolving, your application whitelist will need to evolve also. Each time you make a change in what applications you sanction, you must make a corresponding policy change. As you do this, instead of just adding a new rule like you would do with a port-based policy, identify and modify the rule that aligns with the business use case for the application. Because the best practice rules leverage policy objects for simplified administration, adding support for a new application or removing an application from your whitelist typically means modifying the corresponding application group or application filter accordingly.
Additionally, installing new App-IDs included in a content release version can sometimes cause a change in policy enforcement for applications with new or modified App-IDs. Therefore, before installing a new content release, review the policy impact for new App-IDs and stage any necessary policy updates. Assess the treatment an application receives both before and after the new content is installed. You can then modify existing Security policy rules using the new App-IDs contained in a downloaded content release (prior to installing the App-IDs). This enables you to simultaneously update your security policy rules and install new content, and allows for a seamless shift in policy enforcement. Alternatively, you can choose to disable new App-IDs when installing a new content release version; this enables protection against the latest threats, while giving you the flexibility to enable the new App-IDs after you've had the chance to prepare any policy changes.
Maintain the Best Practice Rulebase
Step 1 Before installing a new content release version, review the new App-IDs to determine if there is policy impact.
Step 2 Disable new App-IDs introduced in a content release, in order to immediately benefit from protection against the latest threats while continuing to have the flexibility to later enable App-IDs after preparing necessary policy updates. You can disable all App-IDs introduced in a content release, set scheduled content updates to automatically disable new App-IDs, or disable App-IDs for specific applications.
Step 3 Tune security policy rules to account for App-ID changes included in a content release or to add new sanctioned applications to or remove applications from your application whitelist rules.
Enumeration of Rules Within a Rulebase
Each rule within a rulebase is automatically numbered and the ordering adjusts as rules are moved or reordered. When filtering rules to find rules that match the specified filter(s), each rule is listed with its number in the context of the complete set of rules in the rulebase and its place in the evaluation order.
On Panorama, pre-rules, post-rules, and default rules are independently numbered. When Panorama pushes rules to a firewall, the rule numbering reflects the hierarchy and evaluation order of shared rules, device group pre-rules, firewall rules, device group post-rules, and default rules. The Preview Rules option in Panorama displays an ordered list view of the total number of rules on a firewall.
View the Ordered List of Rules Within a Rulebase
View the numbered list of rules on the firewall.
Select Policies and any rulebase under it. For example, Policies > Security. The leftmost column in the table displays the rule number.
View the numbered list of rules on Panorama.
Select Policies and any rulebase under it. For example, Policies > Security > Pre-rules.
After you push the rules from Panorama, view the complete list of rules with numbers on the firewall.
From the web interface of the firewall, select Policies and pick any rulebase under it. For example, select Policies > Security and view the complete set of numbered rules that the firewall will evaluate.
Move or Clone a Policy Rule or Object to a Different Virtual System
On a firewall that has more than one virtual system (vsys), you can move or clone policy rules and objects to a different vsys or to the Shared location. Moving and cloning save you the effort of deleting, recreating, or renaming rules and objects. If the policy rule or object that you will move or clone from a vsys has references to objects in that vsys, move or clone the referenced objects also. If the references are to shared objects, you do not have to include those when moving or cloning. You can Use Global Find to Search the Firewall or Panorama Management Server for references.
Move or Clone a Policy Rule or Object to a Virtual System
Step 3 Perform one of the following steps:
- Select Move > Move to other vsys (for policy rules).
- Click Move (for objects).
- Click Clone (for policy rules or objects).
Step 7 Click OK to start the error validation. If the firewall displays errors, fix them and retry the move or clone operation. If the firewall doesn't find errors, the object is moved or cloned successfully. After the operation finishes, click Commit.
Use Tags to Group and Visually Distinguish Objects
You can tag objects to group related items and add color to the tag in order to visually distinguish them for easy scanning. You can create tags for the following objects: address objects, address groups, zones, service groups, and policy rules.
The firewall and Panorama support both static tags and dynamic tags. Dynamic tags are registered from a variety of sources and are not displayed with the static tags because dynamic tags are not part of the firewall/Panorama configuration. See Register IP Addresses and Tags Dynamically for information on registering tags dynamically. The tags discussed in this section are statically added and are part of the configuration.
You can apply one or more tags to objects and to policy rules, up to a maximum of 64 tags per object. Panorama supports a maximum of 10,000 tags, which you can apportion across Panorama (shared and device groups) and the managed firewalls (including firewalls with multiple virtual systems).
- Create and Apply Tags
- Modify Tags
- Use the Tag Browser
Create and Apply Tags
6. Click OK and Commit to save the changes.
Modify Tags
For details on creating tags, see Create and Apply Tags. For information on working with tags, see Use the Tag Browser.
Use the Tag Browser
The tag browser provides a way to view all the tags used within a rulebase. In rulebases with a large number of rules, the tag browser simplifies the display by presenting the tags, the color code, and the rule numbers in which the tags are used.
It also allows you to group rules using the first tag applied to the rule. As a best practice, use the first tag to identify the primary purpose for a rule. For example, the first tag can identify a rule by a high-level function such as best practice, or Internet access or IT-sanctioned applications or high-risk applications. In the tag browser, when you Filter by first tag in rule, you can easily identify gaps in coverage and move rules or add new rules within the rulebase. All the changes are saved to the candidate configuration until you commit the changes on the firewall and make them a part of the running configuration.
For firewalls that are managed by Panorama, the tags applied to pre-rules and post-rules that have been pushed from Panorama display in a green background and are demarcated with green lines so that you can identify these tags from the local tags on the firewall.
Use the Tag Browser
6. Search bar: To search for a tag, enter the term and click the green arrow icon to apply the filter. It also displays the total number of tags in the rulebase and the number of selected tags.
7. Expand or collapse the tag browser.
Tag a rule.
1. Select a rule on the right pane.
2. Do one of the following:
- Select a tag in the tag browser and select Apply the Tag to the Selection(s) from the drop-down.
- Drag and drop tag(s) from the tag browser onto the Tags column of the rule. When you drop a tag, a confirmation dialog displays.
3. Commit the changes.
View rules that match the selected tags. You can filter rules based on tags with an AND or an OR operator.
- OR filter: To view rules that have specific tags, select one or more tags in the tag browser; the right pane only displays the rules that include any of the currently selected tags.
- AND filter: To view rules that have all the selected tags, hover over the number associated with the tag in the Rule column of the tag browser and select Filter. Repeat to add more tags. Click the apply filter icon in the search bar on the right pane. The results are displayed using an AND operator.
View the currently selected tags.
To view the currently selected tags, hover over the Clear label in the tag browser.
Untag a rule.
Hover over the rule number associated with a tag in the Rule column of the tag browser and select Untag Rule(s). Confirm that you want to remove the selected tag from the rule. Commit the changes.
Reorder rules using tags.
Select one or more tags and hover over the rule number in the Rule column of the tag browser and select Move Rule(s). Select a tag from the drop-down in the move rule window and select whether you want to Move Before or Move After the tag selected in the drop-down. Commit the changes.
Add a new rule that applies the selected tags.
Select one or more tags and hover over the rule number in the Rule column of the tag browser, and select Add New Rule. Define the rule and Commit the changes.
The numerical order of the new rule varies by whether you selected a rule on the right pane. If you did not select a rule on the right pane, the new rule will be added after the rule to which the selected tag(s) belongs. Otherwise, the new rule is added after the selected rule.
Search for a tag.
In the tag browser, enter the first few letters of the tag name you want to search for and click the Apply Filter icon. The tags that match your input will display.
Use an External Dynamic List in Policy
An external dynamic list (formerly called dynamic block list) is a text file that you host on an external web server so that the firewall can import objects (IP addresses, URLs, domains) to enforce policy on the entries in the list. As you update the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall.
- External Dynamic List
- Formatting Guidelines for an External Dynamic List
- Enforce Policy on Entries in an External Dynamic List
- View the List of Entries in an External Dynamic List
- Retrieve an External Dynamic List from the Web Server
External Dynamic List
An External Dynamic List is a text file that is hosted on an external web server so that the firewall can import objects (IP addresses, URLs, domains) included in the list and enforce policy. To enforce policy on the entries included in the external dynamic list, you must reference the list in a supported policy rule or profile. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall. If the web server is unreachable, the firewall will use the last successfully retrieved list for enforcing policy until the connection is restored with the web server. To retrieve the external dynamic list, the firewall uses the interface attached to the service route that it uses to access the Palo Alto Updates service.
The firewall supports three types of external dynamic lists:
- IP Address: The firewall typically enforces policy for a source or destination IP address that is defined as a static object on the firewall. If you need agility in enforcing policy for a list of source or destination IP addresses that emerge ad hoc, you can use an external dynamic list of type IP address as a source or destination address object in policy rules, and configure the firewall to deny or allow access to the IP addresses (IPv4 and IPv6 address, IP range and IP subnets) included in the list. The firewall treats an external dynamic list of type IP address as an address object; all the IP addresses included in a list are handled as one address object.
- URL: An external dynamic list of type URL gives you the agility to protect your network from new sources of threat or malware. The firewall handles an external dynamic list with URLs like a custom URL category and you can use this list in two ways:
  - As match criteria in Security policy rules, Decryption policy rules, and QoS policy rules to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the custom category.
  - In a URL Filtering profile where you can define more granular actions, such as continue, alert, or override, before you attach the profile to a Security policy rule.
- Domain: An external dynamic list of type domain allows you to import custom domain names into the firewall to enforce policy using an Anti-Spyware profile. This capability is very useful if you subscribe to third-party threat intelligence and want to protect your network from new sources of threat or malware as soon as you learn of a malicious domain. For each domain you include in the external dynamic list, the firewall creates a custom DNS-based spyware signature so that you can enable DNS sinkholing. The DNS-based spyware signature is of type spyware with medium severity and each signature is named Custom Malicious DNS Query <domain name>. For details, see Configure DNS Sinkholing for a List of Custom Domains.
On each firewall platform, you can configure a maximum of 30 unique sources for external dynamic lists; these limits are not applicable to Panorama. When using Panorama to manage a firewall that is enabled for multiple virtual systems, if you exceed the limit for the firewall, a commit error displays on Panorama. A source is a URL that includes the IP address or hostname, the path, and the filename for the external dynamic list. The firewall matches the URL (complete string) to determine whether a source is unique.
While the firewall does not impose a limit on the number of lists of a specific type, the following limits are enforced:
- IP address: The PA-5000 Series and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other platforms support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list. When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message.
- URL and domain: A maximum of 50,000 URLs and 50,000 domains are supported on each platform, with no limits enforced on the number of entries per list.
When parsing the list, the firewall skips entries that do not match the list type, and ignores entries that exceed the maximum number supported for the platform.
Formatting Guidelines for an External Dynamic List
An external dynamic list of one type (IP address, URL or Domain) must include entries of that type only.
- IP Address List
- Domain List
- URL List
IP Address List
The external dynamic list can include individual IP addresses, subnet addresses (address/mask), or range of IP addresses. In addition, the block list can include comments and special characters such as *, :, ;, #, or /. The syntax for each line in the list is [IP address, IP/Mask, or IP start range-IP end range] [space] [comment].
Enter each IP address/range/subnet in a new line; URLs or domains are not supported in this list. If you add comments, the comment must be on the same line as the IP address/range/subnet. The space at the end of the IP address is the delimiter that separates a comment from the IP address.
An example IP address list:
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
For an IP address that is blocked, you can display a notification page only if the protocol is HTTP.
Domain List
Enter each domain name in a new line; URLs or IP addresses are not supported in this list. Do not prefix the domain name with the protocol, http:// or https://. Wildcards are not supported.
An example list of domains:
www.example.com
baddomain.com
qqq.abcedfg.au
URL List
See Block and Allow Lists.
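To see how the formatting rules for IP address and domain lists play out before you publish a list, here is an added Python parser that applies them to constructed lists; it is not the guide's and not the firewall's own code, and it is a useful pre-publication check for a list you host yourself. It follows the behaviour the guide describes: the first whitespace separates the entry from its comment (so a comment may start with #, ; or plain text), entries that do not fit the list type are skipped, and entries beyond a configurable maximum are ignored. The IP list reuses the guide's example entries plus one deliberately wrong line; the domain regex and the max_entries default of 50,000 are this example's choices.

```python
"""Parse external dynamic list files the way the guide describes them.

Added example, not from the PAN-OS guide and not the firewall's own parser.
The sample lists are constructed. Platform limits come from the guide
(50,000 on most platforms); max_entries lets you model your own platform.
"""
import ipaddress
import re

# Bare host names only: labels of letters, digits and hyphens, no scheme, no path.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$",
    re.I,
)


def _parse_ip_entry(token):
    """Accept a single address, address/mask, or start-end range; else None."""
    try:
        if "-" in token:
            start, end = token.split("-", 1)
            a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if a.version != b.version or a > b:
                return None
            return f"{a}-{b}"
        if "/" in token:
            return str(ipaddress.ip_network(token, strict=False))
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def _parse_domain_entry(token):
    """Bare domain only: no scheme prefix, no wildcard, no URL path."""
    if "://" in token or "*" in token or "/" in token:
        return None
    return token.lower() if _DOMAIN.match(token) else None


_PARSERS = {"ip": _parse_ip_entry, "domain": _parse_domain_entry}


def parse_edl(text, list_type, max_entries=50_000):
    """Return (entries, skipped) for a list of type 'ip' or 'domain'.

    skipped holds (line number, raw line) for entries that do not match the
    list type. Entries past max_entries are silently ignored, as on the firewall.
    """
    parse = _PARSERS[list_type]
    entries, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        token = line.split(None, 1)[0]      # text up to the first whitespace
        value = parse(token)
        if value is None:
            skipped.append((lineno, raw))
        elif len(entries) < max_entries:
            entries.append(value)
    return entries, skipped


# Constructed sample lists mirroring the guide's formatting examples.
SAMPLE_IP_LIST = """\
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
www.example.com not allowed in an IP list
"""

SAMPLE_DOMAIN_LIST = """\
www.example.com
baddomain.com
qqq.abcedfg.au
http://notallowed.example
*.wildcard.example
"""

if __name__ == "__main__":
    print(parse_edl(SAMPLE_IP_LIST, "ip"))
    print(parse_edl(SAMPLE_DOMAIN_LIST, "domain"))
```

Anything that lands in the skipped list is an entry the firewall would not enforce, so a non-empty skipped list on a feed you control is worth fixing before the next retrieval interval rather than discovering it from a missing block.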
Enforce Policy on Entries in an External Dynamic List
Enforce Policy on Entries in an External Dynamic List
View the List of Entries in an External Dynamic List
To view the list of entries that the firewall has retrieved from the web server, enter the following CLI command:
request system external-list show name <name>
For example, for a list named DBL_2014 of type IP address, the output is:
vsys1/DBL_2014:
Next update at: Wed Aug 27 16:00:00 2014
IPs:
1.1.1.1
1.2.2.2/20 #test China
192.168.255.0; test internal
192.168.254.0/24 test internal range
Retrieve an External Dynamic List from the Web Server
You can configure the firewall to retrieve the External Dynamic List from the web server on an hourly, daily, weekly, or monthly basis. If you have added or deleted IP addresses on the list and need to trigger an immediate refresh, use the following process:
Retrieve an External Dynamic List
Register IP Addresses and Tags Dynamically
To mitigate the challenges of scale, lack of flexibility and performance, the architecture in networks today allows for clients, servers, and applications to be provisioned, changed, and deleted on demand. This agility poses a challenge for security administrators because they have limited visibility into the IP addresses of the dynamically provisioned clients and servers, and the plethora of applications that can be enabled on these virtual resources.
The firewall (hardware-based platforms and the VM-Series) supports the ability to register IP addresses and tags dynamically. The IP addresses and tags can be registered on the firewall directly or registered on the firewall through Panorama. This dynamic registration process can be enabled using any of the following options:
- User-ID agent for Windows: In an environment where you've deployed the User-ID agent, you can enable the User-ID agent to monitor up to 100 VMware ESXi and/or vCenter Servers. As you provision or modify virtual machines on these VMware servers, the agent can retrieve the IP address changes and share them with the firewall.
- VM Information Sources: Allows you to monitor VMware ESXi and vCenter Server, and the AWS VPC to retrieve IP address changes when you provision or modify virtual machines on these sources. VM Information Sources polls for a predefined set of attributes and does not require external scripts to register the IP addresses through the XML API. See Monitor Changes in the Virtual Environment.
- VMware Service Manager (only available for the integrated NSX solution): The integrated NSX solution is designed for automated provisioning and distribution of Palo Alto Networks next-generation security services and the delivery of dynamic context-based security policies using Panorama. The NSX Manager updates Panorama with the latest information on the IP addresses and tags associated with the virtual machines deployed in this integrated solution. For information on this solution, see Set Up a VM-Series NSX Edition Firewall.
- XML API: The firewall and Panorama support an XML API that uses standard HTTP requests to send and receive data. You can use this API to register IP addresses and tags with the firewall or Panorama. API calls can be made directly from command line utilities such as cURL or using any scripting or application framework that supports REST-based services. Refer to the PAN-OS XML API Usage Guide for details.
For information on creating and using Dynamic Address Groups, see Use Dynamic Address Groups in Policy.
For the CLI commands for registering tags dynamically, see CLI Commands for Dynamic IP Addresses and Tags.
Monitor Changes in the Virtual Environment
To secure applications and prevent threats in an environment where new users and servers are constantly emerging, your security policy must be nimble. To be nimble, the firewall must be able to learn about new or modified IP addresses and consistently apply policy without requiring configuration changes on the firewall. This capability is provided by the coordination between the VM Information Sources and Dynamic Address Groups features on the firewall. The firewall and Panorama provide an automated way to gather information on the virtual machine (or guest) inventory on each monitored source and create policy objects that stay in sync with the dynamic changes on the network.
- Enable VM Monitoring to Track Changes on the Virtual Network
- Attributes Monitored in the AWS and VMware Environments
- Use Dynamic Address Groups in Policy
Enable VM Monitoring to Track Changes on the Virtual Network
VM information sources provide an automated way to gather information on the Virtual Machine (VM) inventory on each monitored source (host); the firewall can monitor the VMware ESXi and vCenter Server, and the AWS VPC. As virtual machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags; these tags can then be used to define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and matched against in policy.
Up to 10 VM information sources can be configured on the firewall or pushed using Panorama templates. By default, the traffic between the firewall and the monitored sources uses the management (MGT) port on the firewall.
VM Information Sources offers easy configuration and enables you to monitor a predefined set of 16 metadata elements or attributes. See Attributes Monitored in the AWS and VMware Environments for the list.
When monitoring ESXi hosts that are part of the VM-Series NSX edition solution, use Dynamic Address Groups instead of using VM Information Sources to learn about changes in the virtual environment. For the VM-Series NSX edition solution, the NSX Manager provides Panorama with information on the NSX security group to which an IP address belongs. The information from the NSX Manager provides the full context for defining the match criteria in a Dynamic Address Group because it uses the service profile ID as a distinguishing attribute and allows you to properly enforce policy when you have overlapping IP addresses across different NSX security groups. Up to a maximum of 32 tags (from vCenter server and NSX Manager) can be registered to an IP address.
Set up the VM Monitoring Agent
(Optional) Enter the interval in hours when the connection to the monitored source is closed, if the host does not respond (default: 2 hours, range 2-10 hours).
To change the default value, select the check box to Enable timeout when the source is disconnected and specify the value. When the specified limit is reached or if the host cannot be accessed or does not respond, the firewall will close the connection to the source.
Click OK, and Commit the changes.
Verify that the connection Status displays as connected.
If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source. If you use a port other than the MGT port for communicating with the monitored source, you must change the service route (Device > Setup > Services, click the Service Route Configuration link and modify the Source Interface for the VM Monitor service).
Attributes Monitored in the AWS and VMware Environments
Each VM on a monitored ESXi or vCenter server must have VMware Tools installed and running. VMware Tools provide the capability to glean the IP address(es) and other values assigned to each VM.
In order to collect the values assigned to the monitored VMs, the firewall monitors the following predefined set of attributes:
Attributes Monitored on a VMware Source
- UUID
- Name
- Guest OS
- VM State (the power state can be poweredOff, poweredOn, standBy, and unknown)
- Annotation
- Version
- Network: Virtual Switch Name, Port Group Name, and VLAN ID
- Container Name: vCenter Name, Data Center Object Name, Resource Pool Name, Cluster Name, Host, Host IP address
Attributes Monitored on the AWS VPC
- Architecture
- Guest OS
- Image ID
- Instance ID
- Instance State
- Instance Type
- Key Name
- Placement: Tenancy, Group Name, Availability Zone
- Private DNS Name
- Public DNS Name
- Subnet ID
- Tag (key, value) (up to 5 tags supported per instance)
- VPC ID
Use Dynamic Address Groups in Policy
Dynamic address groups are used in policy. They allow you to create policy that automatically adapts to changes (adds, moves, or deletions of servers). It also enables the flexibility to apply different rules to the same server based on tags that define its role on the network, the operating system, or the different kinds of traffic it processes.
A dynamic address group uses tags as a filtering criteria to determine its members. The filter uses logical and and or operators. All IP addresses or address groups that match the filtering criteria become members of the dynamic address group. Tags can be defined statically on the firewall and/or registered (dynamically) to the firewall. The difference between static and dynamic tags is that static tags are part of the configuration on the firewall, and dynamic tags are part of the runtime configuration. This implies that a commit is not required to update dynamic tags; the tags must however be used by Dynamic Address Groups that are referenced in policy, and the policy must be committed on the firewall.
To dynamically register tags, you can use the XML API or the VM Monitoring agent on the firewall or on the User-ID agent. Each tag is a metadata element or attribute-value pair that is registered on the firewall or Panorama. For example, IP1 {tag1, tag2, ..... tag32}, where the IP address and the associated tags are maintained as a list; each registered IP address can have up to 32 tags such as the operating system, the datacenter or the virtual switch to which it belongs. Within 60 seconds of the API call, the firewall registers the IP address and associated tags, and automatically updates the membership information for the dynamic address group(s).
The maximum number of IP addresses that can be registered for each platform is different. Use the following table for specifics on your platform:
Platform                                                  Maximum registered IP addresses
PA-7000 Series, PA-5060, VM-1000-HV                       100,000
PA-5050                                                   50,000
PA-5020                                                   25,000
PA-4000 Series, PA-3000 Series                            5,000
PA-2000 Series, PA-500, PA-200, VM-300, VM-200, VM-100    1,000
The following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to:
- Enable the VM Monitoring agent on the firewall, to monitor the VMware ESX(i) host or vCenter Server and register VM IP addresses and the associated tags.
- Create dynamic address groups and define the tags to filter. In this example, two address groups are created. One that only filters for dynamic tags and another that filters for both static and dynamic tags to populate the members of the group.
- Validate that the members of the dynamic address group are populated on the firewall.
- Use dynamic address groups in policy. This example uses two different security policies:
  - A security policy for all Linux servers that are deployed as FTP servers; this rule matches on dynamically registered tags.
  - A security policy for all Linux servers that are deployed as web servers; this rule matches on a dynamic address group that uses static and dynamic tags.
- Validate that the members of the dynamic address groups are updated as new FTP or web servers are deployed. This ensures that the security rules are enforced on these new virtual machines too.
Use Dynamic Address Groups in Policy
6. Click Commit.
The match criteria for each dynamic address group in this example is as follows:
- ftp_server: matches on the guest operating system Linux 64-bit and annotated as ftp ('guestos.UbuntuLinux64bit' and 'annotation.ftp').
- webservers: matches on two criteria: the tag black, or if the guest operating system is Linux 64-bit and the name of the server is Web_server_Corp. ('guestos.UbuntuLinux64bit' and 'vmname.WebServer_Corp' or 'black')
This example shows how to create two policies: one for all access to FTP servers and the other for access to web servers.
3. Click the more link and verify that the list of registered IP addresses is displayed. Policy will be enforced for all IP addresses that belong to this address group, and are displayed here.
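The match criteria above combine quoted tags with and, or and parentheses, and the registration passage earlier in this section caps each address at 32 tags. The following Python example, added here and not part of the guide or of PAN-OS, evaluates such filters against a constructed table of registered IP addresses and tags so you can predict group membership before committing a policy that depends on it. Treating and as binding tighter than or is this example's assumption (the guide does not state the precedence, so use parentheses in real filters when the order matters); the addresses and registrations are constructed.

```python
"""Evaluate dynamic address group match criteria against registered IP tags.

Added example, not from the PAN-OS guide and not the firewall's own matcher.
The registry contents are constructed. The filter grammar is the one the
guide's examples use (quoted tags joined with and/or, optional parentheses);
'and' binding tighter than 'or' is this example's assumption.
"""
import re

MAX_TAGS_PER_IP = 32  # per-address limit stated in the guide


class TagRegistry:
    """IP address -> set of registered tags, like the firewall's runtime table."""

    def __init__(self):
        self._tags = {}

    def register(self, ip, *tags):
        current = self._tags.setdefault(ip, set())
        if len(current | set(tags)) > MAX_TAGS_PER_IP:
            raise ValueError(f"{ip}: more than {MAX_TAGS_PER_IP} tags")
        current.update(tags)

    def unregister(self, ip, *tags):
        current = self._tags.get(ip, set())
        current.difference_update(tags)
        if not current:
            self._tags.pop(ip, None)

    def tags(self, ip):
        return frozenset(self._tags.get(ip, ()))

    def addresses(self):
        return list(self._tags)


_TOKEN = re.compile(r"\s*(?:'([^']*)'|(\(|\))|(and|or)\b)", re.I)


def _tokenize(expr):
    """Split a filter into ('tag', name) and ('op', 'and'|'or'|'('|')') tokens."""
    pos, tokens = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            if expr[pos:].strip():
                raise ValueError(f"bad filter at {expr[pos:]!r}")
            break
        pos = m.end()
        tag, paren, op = m.groups()
        tokens.append(("tag", tag) if tag is not None else ("op", (paren or op).lower()))
    return tokens


def matches(filter_expr, tags):
    """True if the set of tags satisfies the filter (recursive-descent evaluation)."""
    tokens = _tokenize(filter_expr)
    i = 0

    def parse_or():
        nonlocal i
        val = parse_and()
        while i < len(tokens) and tokens[i] == ("op", "or"):
            i += 1
            val = parse_and() or val
        return val

    def parse_and():
        nonlocal i
        val = parse_atom()
        while i < len(tokens) and tokens[i] == ("op", "and"):
            i += 1
            val = parse_atom() and val
        return val

    def parse_atom():
        nonlocal i
        if i >= len(tokens):
            raise ValueError("unexpected end of filter")
        kind, text = tokens[i]
        i += 1
        if kind == "tag":
            return text in tags
        if text == "(":
            val = parse_or()
            if i >= len(tokens) or tokens[i] != ("op", ")"):
                raise ValueError("missing closing parenthesis")
            i += 1
            return val
        raise ValueError(f"unexpected token {text!r}")

    result = parse_or()
    if i != len(tokens):
        raise ValueError("trailing tokens in filter")
    return result


def group_members(registry, filter_expr):
    """Addresses whose registered tags satisfy the dynamic address group filter."""
    return sorted(ip for ip in registry.addresses() if matches(filter_expr, registry.tags(ip)))


# Filters from the guide's ftp_server and webservers example groups.
FTP_FILTER = "'guestos.UbuntuLinux64bit' and 'annotation.ftp'"
WEB_FILTER = "('guestos.UbuntuLinux64bit' and 'vmname.WebServer_Corp') or 'black'"


def build_sample_registry():
    """Constructed registrations, as a VM monitor or XML API call would make them."""
    reg = TagRegistry()
    reg.register("10.1.1.10", "guestos.UbuntuLinux64bit", "annotation.ftp")
    reg.register("10.1.1.20", "guestos.UbuntuLinux64bit", "vmname.WebServer_Corp")
    reg.register("10.1.1.30", "guestos.Windows2012", "black")   # 'black' stands in for a static tag
    reg.register("10.1.1.40", "guestos.UbuntuLinux64bit")        # Linux, but neither ftp nor web
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print("ftp_server:", group_members(reg, FTP_FILTER))
    print("webservers:", group_members(reg, WEB_FILTER))
```

Because membership is recomputed from the runtime tag table rather than from a commit, the same evaluation is what decides, within the 60 seconds the guide mentions, whether a freshly deployed server falls under the FTP or web rule; unregistering a tag drops the address out of the group just as quickly, which is why the guide's last workflow step is to validate membership after deployments.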
CLI Commands for Dynamic IP Addresses and Tags
The Command Line Interface on the firewall and Panorama gives you a detailed view into the different sources from which tags and IP addresses are dynamically registered. It also allows you to audit registered and unregistered tags. The following examples illustrate the capabilities in the CLI.
Example    CLI Command
IdentifyUsersConnectedthroughaProxyServer
Ifyouhaveaproxyserverdeployedbetweentheusersonyournetworkandthefirewall,inHTTP/HTTPS
requeststhefirewallmightseetheproxyserverIPaddressasthesourceIPaddressinthetrafficthatthe
proxyforwardsratherthantheIPaddressoftheclientthatrequestedthecontent.Inmanycases,theproxy
serveraddsanXForwardedFor(XFF)headertotrafficpacketsthatincludestheactualIPv4orIPv6address
oftheclientthatrequestedthecontentorfromwhomtherequestoriginated.Insuchcases,youcan
configurethefirewalltoreadtheXFFheadervaluesanddeterminetheIPaddressesoftheclientwho
requestedthecontent.ThefirewallmatchestheXFFIPaddresseswithusernamesthatyourpolicyrules
referencesothatthoserulescancontrolaccessfortheassociatedusersandgroups.Thefirewallalsouses
theXFFderivedusernamestopopulatethesourceuserfieldsoflogssoyoucanmonitoruseraccesstoweb
services.
YoucanalsoconfigurethefirewalltoaddXFFvaluestoURLFilteringlogs.Intheselogs,anXFFvaluecan
betheclientIPaddress,clientusername(ifavailable),theIPaddressofthelastproxyservertraversedina
proxychain,oranystringofupto128charactersthattheXFFheaderstores.
XFFuseridentificationappliesonlytoHTTPorHTTPStraffic,andonlyiftheproxyserversupportstheXFF
header.IftheheaderhasaninvalidIPaddress,thefirewallusesthatIPaddressasausernameforgroup
mappingreferencesinpolicies.IftheXFFheaderhasmultipleIPaddresses,thefirewallusesthefirstentry
fromtheleft.
UseXFFValuesforPoliciesandLoggingSourceUsers
AddXFFValuestoURLFilteringLogs
Use XFF Values for Policies and Logging Source Users
You can configure the firewall to use XFF values in user-based policies and in the source user fields of logs. To use XFF values in policies, you must also Map IP Addresses to Users, Map Users to Groups (if you have group-based policies), and configure policies based on users or groups.

Logging XFF values doesn't populate the source IP address values of logs. When you view the logs, the source field displays the IP address of the proxy server if one is deployed between the user clients and the firewall. However, you can configure the firewall to Add XFF Values to URL Filtering Logs so that you can see user IP addresses in those logs.

To ensure that attackers can't read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.

These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policies and logs.
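The XFF handling described above (first entry from the left, a non-IP value used as a username, the 128-character log cap, and stripping only after use), as an added Python example that is not PAN-OS code; the header dictionaries and sample values are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Added example modelling the XFF handling described on this page; it is not
# PAN-OS code. The header dictionaries used as input are constructed.

XFF_LOG_MAX = 128   # page: URL Filtering logs store XFF strings of up to 128 characters


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def xff_identity(headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Derive the client identity the firewall would take from the XFF header.

    Rules taken from the page:
      * when the header holds several entries, the first entry from the left is used
      * a valid IPv4/IPv6 entry becomes the client IP that is mapped to a username
      * an entry that is not a valid IP is used as a username for group-mapping references
    """
    raw = _get_header(headers, "X-Forwarded-For")
    if raw is None or not raw.strip():
        return {"client_ip": None, "username": None}
    first = raw.split(",")[0].strip()
    try:
        return {"client_ip": str(ipaddress.ip_address(first)), "username": None}
    except ValueError:
        return {"client_ip": None, "username": first}


def xff_log_value(headers: Dict[str, str]) -> Optional[str]:
    """Value written to the URL Filtering log when XFF logging is enabled:
    the raw header string, capped at 128 characters."""
    raw = _get_header(headers, "X-Forwarded-For")
    return None if raw is None else raw.strip()[:XFF_LOG_MAX]


def strip_xff(headers: Dict[str, str]) -> Dict[str, str]:
    """Headers as forwarded to the external server when XFF stripping is enabled."""
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}


def process_request(headers: Dict[str, str], strip: bool = True) -> Tuple[dict, Optional[str], dict]:
    """Order matters, as the page notes: identity and log value are derived first,
    and the header is zeroed out only afterwards, on the outgoing packet."""
    identity = xff_identity(headers)
    log_value = xff_log_value(headers)
    outgoing = strip_xff(headers) if strip else dict(headers)
    return identity, log_value, outgoing
```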
Add XFF Values to URL Filtering Logs
You can configure the firewall to add the XFF values from web requests to URL Filtering logs. The XFF values that the logs display can be client IP addresses, usernames if available, or any values of up to 128 characters that the XFF fields store.

This method of logging XFF values doesn't add usernames to the source user fields in URL Filtering logs. To populate the source user fields, see Use XFF Values for Policies and Logging Source Users.
Policy-Based Forwarding
Normally, the firewall uses the destination IP address in a packet to determine the outgoing interface. The firewall uses the routing table associated with the virtual router to which the interface is connected to perform the route lookup. Policy-Based Forwarding (PBF) allows you to override the routing table and specify the outgoing or egress interface based on specific parameters such as source or destination IP address, or type of traffic.

PBF
Create a Policy-Based Forwarding Rule
Use Case: PBF for Outbound Access with Dual ISPs
Use Case: PBF for Routing Traffic Through Virtual Systems
PBF
PBF rules allow traffic to take an alternative path from the next hop specified in the route table, and are typically used to specify an egress interface for security or performance reasons. Let's say your company has two links between the corporate office and the branch office: a cheaper Internet link and a more expensive leased line. The leased line is a high-bandwidth, low-latency link. For enhanced security, you can use PBF to send the traffic of applications that aren't encrypted, such as FTP, over the private leased line and all other traffic over the Internet link. Or, for performance, you can choose to route business-critical applications over the leased line while sending all other traffic, such as web browsing, over the cheaper link.
Egress Path and Symmetric Return
Using PBF, you can direct traffic to a specific interface on the firewall, drop the traffic, or direct traffic to another virtual system (on systems enabled for multiple virtual systems).

In networks with asymmetric routes, such as in a dual ISP environment, connectivity issues occur when traffic arrives at one interface on the firewall and leaves from another interface. If the route is asymmetrical, where the forward (SYN packet) and return (SYN/ACK) paths are different, the firewall is unable to track the state of the entire session and this causes a connection failure. To ensure that the traffic uses a symmetrical path, which means that the traffic arrives at and leaves from the same interface on which the session was created, you can enable the Symmetric Return option.

With symmetric return, the virtual router overrides a routing lookup for return traffic and instead directs the flow back to the MAC address from which it received the SYN packet (or first packet). However, if the destination IP address is on the same subnet as the ingress/egress interface's IP address, a route lookup is performed and symmetric return is not enforced. This behavior prevents traffic from being black-holed.

To determine the next hop for symmetric returns, the firewall uses an Address Resolution Protocol (ARP) table. The maximum number of entries that this ARP table supports is limited by the firewall model and the value is not user-configurable. To determine the limit for your model, use the CLI command: show pbf return-mac all.
Path Monitoring
Path monitoring allows you to verify connectivity to an IP address so that the firewall can direct traffic through an alternate route, when needed. The firewall uses ICMP pings as heartbeats to verify that the specified IP address is reachable.

A monitoring profile allows you to specify the threshold number of heartbeats to determine whether the IP address is reachable. When the monitored IP address is unreachable, you can either disable the PBF rule or specify a fail-over or wait-recover action. Disabling the PBF rule allows the virtual router to take over the routing decisions. When the fail-over or wait-recover action is taken, the monitoring profile continues to monitor whether the target IP address is reachable, and when it comes back up, the firewall reverts back to using the original route.
The following table lists the difference in behavior for a path monitoring failure on a new session versus an established session.

| New Session                                               | Established Session                                                          |
| fail-over: Use path determined by routing table (no PBF)  | fail-over: Use path determined by routing table (no PBF)                     |
| fail-over: Use path determined by routing table (no PBF)  | fail-over: Check the remaining PBF rules. If no match, use the routing table |
Service Versus Applications in PBF
PBF rules are applied either on the first packet (SYN) or the first response to the first packet (SYN/ACK). This means that a PBF rule may be applied before the firewall has enough information to determine the application. Therefore, application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application.

However, if you specify an application in a PBF rule, the firewall performs App-ID caching. When an application passes through the firewall for the first time, the firewall does not have enough information to identify the application and therefore cannot enforce the PBF rule. As more packets arrive, the firewall determines the application and creates an entry in the App-ID cache and retains this App-ID for the session. When a new session is created with the same destination IP address, destination port, and protocol ID, the firewall could identify the application as the same from the initial session (based on the App-ID cache) and apply the PBF rule. Therefore, a session that is not an exact match and is not the same application can be forwarded based on the PBF rule.

Further, applications have dependencies and the identity of the application can change as the firewall receives more packets. Because PBF makes a routing decision at the start of a session, the firewall cannot enforce a change in application identity. YouTube, for example, starts as web-browsing but changes to Flash, RTSP, or YouTube based on the different links and videos included on the page. However, with PBF, because the firewall identifies the application as web-browsing at the start of the session, the change in application is not recognized thereafter.

PBF rules cannot be based on domain names; only IP addresses are valid. Also, you cannot use custom applications, application filters, or application groups in PBF rules.
Create a Policy-Based Forwarding Rule
Use a PBF rule to direct traffic to a specific egress interface on the firewall, and override the default path for the traffic.

Create a PBF Rule
b. (Optional) Specify the Source Address to which PBF will apply. For example, a specific IP address or subnet IP address from which you want to forward traffic to the interface or zone specified in this rule.
Use the Negate option to exclude one or more source IP addresses from the PBF rule. For example, if your PBF rule directs all traffic from the specified zone to the Internet, Negate allows you to exclude internal IP addresses from the PBF rule.
The evaluation order is top down. A packet is matched against the first rule that meets the defined criteria; after a match is triggered, the subsequent rules are not evaluated.
c. (Optional) Add and select the Source User or groups of users to whom the policy applies.
4. In the Destination/Application/Service tab, select the following:
a. Destination Address. By default the rule applies to Any IP address. Use the Negate option to exclude one or more destination IP addresses from the PBF rule.
b. Select the Application(s) or Service(s) that you want to control using PBF.
Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application. For more details, see Service Versus Applications in PBF.
5. In the Forwarding tab, select the following:
a. Set the Action. The options are as follows:
Forward: Directs the packet to a specific Egress Interface. Enter the Next Hop IP address for the packet.
Forward To VSYS (On a firewall enabled for multiple virtual systems): Select the virtual system to which to forward the packet.
Discard: Drop the packet.
No PBF: Exclude the packets that match the criteria for source/destination/application/service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
To trigger the specified action at a daily, weekly, or non-recurring frequency, create and attach a Schedule.
(Optional) Enable Monitoring to verify connectivity to a target IP address or to the next hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action when the IP address is unreachable.
b. (Optional, required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List.
Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the Internet) is forwarded out through the same interface through which traffic ingresses from the Internet.
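The top-down first-match evaluation, the Negate option, the Forwarding-tab actions and the path-monitoring fallback to the routing table described above, modelled for a new session as an added Python example (not PAN-OS code). The egress interface ethernet1/1 and next hop 1.1.1.1 are the page's values; the backup interface, its next hop, the address ranges and the reachability set are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Added example, not PAN-OS code: a model of first-match PBF rule evaluation
# for a new session with Negate, the four Forwarding-tab actions and the
# path-monitoring fallback. Addresses and interfaces other than ethernet1/1
# and 1.1.1.1 are constructed.


@dataclass
class Route:
    prefix: str                 # CIDR
    egress_if: str
    next_hop: Optional[str]


@dataclass
class PBFRule:
    name: str
    action: str                                          # forward | forward-to-vsys | discard | no-pbf
    source_zones: Set[str] = field(default_factory=set)          # empty = any
    source_addrs: List[str] = field(default_factory=list)        # CIDRs; empty = any
    negate_source: bool = False
    dest_addrs: List[str] = field(default_factory=list)
    negate_dest: bool = False
    services: Set[Tuple[str, int]] = field(default_factory=set)  # (proto, dport); empty = any
    egress_if: Optional[str] = None
    next_hop: Optional[str] = None
    vsys: Optional[str] = None
    monitor: bool = False
    monitor_target: Optional[str] = None                 # None = monitor the next hop itself


def _addr_match(ip: str, cidrs: List[str], negate: bool) -> bool:
    """Empty list means Any; Negate inverts the match (used to exclude internal ranges)."""
    hit = not cidrs or any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)
    return not hit if negate else hit


def route_lookup(table: List[Route], dst: str) -> Dict:
    """Longest-prefix match in the virtual router's routing table (the non-PBF path)."""
    best = None
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if ipaddress.ip_address(dst) in net and (
                best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    if best is None:
        return {"action": "drop", "reason": "no route"}
    return {"action": "route", "egress_if": best.egress_if, "next_hop": best.next_hop}


def pbf_lookup(rules: List[PBFRule], pkt: Dict, table: List[Route], reachable: Set[str]) -> Dict:
    """Evaluate PBF rules top-down against the first packet of a session.

    `reachable` is the path-monitoring view: IPs whose ICMP heartbeats currently
    succeed. When the monitored target is down, a new session falls back to the
    routing table (no PBF), as in the page's path-monitoring table."""
    for rule in rules:
        if rule.source_zones and pkt["szone"] not in rule.source_zones:
            continue
        if not _addr_match(pkt["src"], rule.source_addrs, rule.negate_source):
            continue
        if not _addr_match(pkt["dst"], rule.dest_addrs, rule.negate_dest):
            continue
        if rule.services and (pkt["proto"], pkt["dport"]) not in rule.services:
            continue
        if rule.action == "no-pbf":          # matched traffic is explicitly excluded from PBF
            return {**route_lookup(table, pkt["dst"]), "rule": rule.name}
        if rule.action == "discard":
            return {"action": "discard", "rule": rule.name}
        if rule.action == "forward-to-vsys":
            return {"action": "forward-to-vsys", "vsys": rule.vsys, "rule": rule.name}
        target = rule.monitor_target or rule.next_hop
        if rule.monitor and target not in reachable:
            return {**route_lookup(table, pkt["dst"]), "rule": rule.name, "reason": "monitor down"}
        return {"action": "forward", "egress_if": rule.egress_if,
                "next_hop": rule.next_hop, "rule": rule.name}
    return route_lookup(table, pkt["dst"])       # no PBF match: ordinary routing


def dual_isp_scenario() -> Tuple[List[PBFRule], List[Route]]:
    """The page's dual-ISP use case: primary ISP via PBF on ethernet1/1 with next hop
    1.1.1.1 and monitoring of that next hop; the backup ISP is the default route.
    Internal destinations are excluded with Negate. Backup interface, its next hop
    and the internal range are constructed."""
    rules = [
        PBFRule("Use ISP-Pr", "forward", source_zones={"Trust"},
                dest_addrs=["192.168.0.0/16"], negate_dest=True,
                egress_if="ethernet1/1", next_hop="1.1.1.1", monitor=True),
    ]
    table = [
        Route("0.0.0.0/0", "ethernet1/3", "2.2.2.1"),     # static default route to backup ISP
        Route("192.168.0.0/16", "ethernet1/2", None),     # connected internal network
    ]
    return rules, table
```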
Use Case: PBF for Outbound Access with Dual ISPs
In this use case, the branch office has a dual ISP configuration and implements PBF for redundant Internet access. The backup ISP is the default route for traffic from the client to the web servers. In order to enable redundant Internet access without using an internetwork protocol such as BGP, we use PBF with destination interface-based source NAT and static routes, and configure the firewall as follows:
Enable a PBF rule that routes traffic through the primary ISP, and attach a monitoring profile to the rule. The monitoring profile triggers the firewall to use the default route through the backup ISP when the primary ISP is unavailable.
Define Source NAT rules for both the primary and backup ISP that instruct the firewall to use the source IP address associated with the egress interface for the corresponding ISP. This ensures that the outbound traffic has the correct source IP address.
Add a static route to the backup ISP, so that when the primary ISP is unavailable, the default route comes into effect and the traffic is directed through the backup ISP.
PBF for Outbound Access with Dual ISPs
5. Click OK twice to save the virtual router configuration.
5. In the Forwarding tab, specify the interface to which you want to forward traffic and enable path monitoring.
a. To forward traffic, set the Action to Forward, and select the Egress Interface and specify the Next Hop. In this example, the egress interface is ethernet1/1, and the next hop IP address is 1.1.1.1.
b. Enable Monitor and attach the default monitoring profile, to trigger a failover to the backup ISP. In this example, we do not specify a target IP address to monitor. The firewall will monitor the next hop IP address; if this IP address is unreachable, the firewall will direct traffic to the default route specified on the virtual router.
c. (Required if you have asymmetric routes.) Select Enforce Symmetric Return to ensure that return traffic from the Trust zone to the Internet is forwarded out on the same interface through which traffic ingressed from the Internet. NAT ensures that the traffic from the Internet is returned to the correct interface/IP address on the firewall.
d. Click OK to save the changes.
2. From a client on the network, use the ping utility to verify connectivity to a web server on the Internet, and check the traffic log on the firewall.
C:\Users\pm-user1>ping 4.2.2.1
Pinging 4.2.2.1 with 32 bytes of data:
Reply from 4.2.2.1: bytes=32 time=34ms TTL=117
Reply from 4.2.2.1: bytes=32 time=13ms TTL=117
Reply from 4.2.2.1: bytes=32 time=25ms TTL=117
Reply from 4.2.2.1: bytes=32 time=3ms TTL=117
Ping statistics for 4.2.2.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 34ms, Average = 18ms
3. To confirm that the PBF rule is active, use the CLI command
show pbf rule all
admin@PA-NGFW> show pbf rule all
Rule ID Rule State Action Egress IF/VSYS NextHop
========== === ========== ====== ============== =======
Use ISP-Pr 1 Active Forward ethernet1/1 1.1.1.1
3. Access a web server, and check the traffic log to verify that traffic is being forwarded through the backup ISP.
4. View the session details to confirm that the NAT rule is working properly.
admin@PA-NGFW> show session all
---------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto
(translated IP[Port]) Vsys Dst[Dport]/Zone (translated
IP[Port])
---------------------------------------------------------
87212 ssl ACTIVE FLOW NS 192.168.54.56[53236]/Trust/6
(2.2.2.2[12896]) vsys1 204.79.197.200[443]/ISP-East
(204.79.197.200[443])
5. Obtain the session identification number from the output and view the session details. Note that the PBF rule is not used and hence is not listed in the output.
admin@PA-NGFW> show session id 87212
Session 87212
c2s flow:
source: 192.168.54.56 [Trust]
dst: 204.79.197.200
proto: 6
sport: 53236 dport: 443
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 204.79.197.200 [ISP-East]
dst: 2.2.2.2
proto: 6
sport: 443 dport: 12896
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Wed Nov5 11:16:10 2014
timeout : 1800 sec
time to live : 1757 sec
total byte count(c2s) : 1918
total byte count(s2c) : 4333
layer7 packet count(c2s) : 10
layer7 packet count(s2c) : 7
vsys : vsys1
application : ssl
rule : Trust2ISP
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source
nat-rule : NAT-Backup ISP(vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : search-engines
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
DoS Protection Against Flooding of New Sessions
The following topics describe how to configure DoS protection to better block IP addresses in order to handle high-volume attacks more efficiently.
DoS Protection Against Flooding of New Sessions
Configure DoS Protection Against Flooding of New Sessions
Use the CLI to End a Single Attacking Session
Identify Sessions That Use an Excessive Percentage of the Packet Buffer
Discard a Session Without a Commit

DoS Protection Against Flooding of New Sessions
DoS protection against flooding of new sessions is beneficial against high-volume single-session and multiple-session attacks. In a single-session attack, an attacker uses a single session to target a device behind the firewall. If a Security rule allows the traffic, the session is established and the attacker initiates an attack by sending packets at a very high rate with the same source IP address and port number, destination IP address and port number, and protocol, trying to overwhelm the target. In a multiple-session attack, an attacker uses multiple sessions (or connections per second [cps]) from a single host to launch a DoS attack.

This feature defends only against DoS attacks of new sessions, that is, traffic that has not been offloaded to hardware. An offloaded attack is not protected by this feature. However, this topic describes how you can create a Security policy rule to reset the client; the attacker re-initiates the attack with numerous connections per second and is blocked by the defenses illustrated in this topic.
Multiple-Session DoS Attack
Single-Session DoS Attack

Multiple-Session DoS Attack
Configure DoS Protection Against Flooding of New Sessions by configuring a DoS Protection policy rule, which determines the criteria that, when matched by incoming packets, trigger the protect action. The DoS Protection profile counts each new connection toward the Alarm Rate, Activate Rate, and Max Rate thresholds. When the incoming new connections per second exceed the Max Rate allowed, the firewall takes the action specified in the DoS Protection policy rule.

The following figure and table describe how the Security policy rules, DoS Protection policy rules and profile work together in an example.

Sequence of Events as Firewall Quarantines an IP Address
In this example, an attacker launches a DoS attack at a rate of 10,000 new connections per second to UDP port 53. The attacker also sends 10 new connections per second to HTTP port 80.

The new connections match criteria in the DoS Protection policy rule, such as a source zone or interface, source IP address, destination zone or interface, destination IP address, or a service, among other settings. In this example, the policy rule specifies UDP.

The DoS rule also specifies the Protect action and Classified, two settings that dynamically put the DoS Protection Profile settings into effect. The DoS Protection Profile specifies that a Max Rate of 3000 packets per second is allowed. When incoming packets match the DoS rule, new connections per second are counted toward the Alert, Activate, and Max Rate thresholds.

You can also use a Security policy rule to block all traffic from the source IP address if you deem that address to be malicious all the time.

The 10,000 new connections per second exceed the Max Rate threshold. When all of the following occur:
the threshold is exceeded,
a Block Duration is specified, and
Classified is set to include source IP address,
the firewall puts the offending source IP address on the block list.

An IP address on the block list is in quarantine, meaning all traffic from that IP address is blocked. The firewall blocks the offending source IP address before additional attack packets reach the Security policy.

The following figure describes in more detail what happens after an IP address that matches the DoS Protection policy rule is put on the block list. It also describes the Block Duration timer.

Every one second, the firewall allows the IP address to come off the Block List so that the firewall can test the traffic patterns and determine if the attack is ongoing. The firewall takes the following action:
During this one-second test period, the firewall allows packets that do not match the DoS Protection policy criteria (HTTP traffic in this example) through the DoS Protection policy rules to the Security policy for validation. Very few packets, if any, have time to get through because the first attack packet that the firewall receives after the IP address is let off the Block List will match the DoS Protection policy criteria, quickly causing the IP address to be placed back on the block list for another second. The firewall repeats this test each second until the attack stops.
The firewall blocks all attack traffic from going past the DoS Protection policy rules until the Block Duration expires.
When the attack stops, the firewall does not put the IP address back on the block list. The firewall allows non-attack traffic to proceed through the DoS Protection policy rules to the Security policy rules for validation. You must configure a Security policy rule because without one, an implicit deny rule denies all traffic.

The block list is based on a source zone and source address combination. This behavior allows duplicate IP addresses to exist as long as they are in different zones belonging to separate virtual routers.

The Block Duration setting in a DoS Protection profile specifies how long the firewall blocks the [offending] packets that exactly match a DoS Protection policy rule. The attack traffic remains blocked until the Block Duration expires, after which the attack traffic must again exceed the Max Rate threshold to be blocked again.

If the attacker uses multiple sessions or bots that initiate multiple attack sessions, the sessions count toward the thresholds in the DoS Protection profile without a Security policy deny rule in place. Hence, a single-session attack requires a Security policy deny rule in order for each packet to count toward the thresholds; a multiple-session attack does not.

Therefore, the DoS protection against flooding of new sessions allows the firewall to efficiently defend against a source IP address while attack traffic is ongoing and to permit non-attack traffic to pass as soon as the attack stops. Putting the offending IP address on the block list allows the DoS protection functionality to take advantage of the block list, which is designed to quarantine all activity. Quarantining the IP address from all activity protects against a modern attacker who attempts a rotating application attack, in which the attacker simply changes applications to start a new attack or uses a combination of different attacks in a hybrid DoS attack.

Beginning with PAN-OS 7.0.2, it is a change in behavior that the firewall places the attacking source IP address on the block list. When the attack stops, non-attack traffic is allowed to proceed to the Security policy rules. The attack traffic that matched the DoS Protection profile and DoS Protection policy rules remains blocked until the Block Duration expires.
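The block-list sequence described above, modelled as an added Python example (not PAN-OS code) using the page's figures of 10,000 UDP/53 and 10 HTTP new connections per second against a Max Rate of 3000. The block duration, the attacker's address and the source zone are assumptions, and the per-second test period is approximated by checking whether an attack packet has already arrived in the current second.

```python
from collections import defaultdict
from typing import Callable, Dict, Tuple

# Added example, not PAN-OS code: a model of the page's "Sequence of Events as
# Firewall Quarantines an IP Address". The 10,000 UDP/53 + 10 HTTP cps pattern
# and the Max Rate of 3000 are the page's example figures; the block duration,
# the source zone and the attacker's address are constructed.

Key = Tuple[str, str]   # (source zone, source IP): the page's block-list key


class DoSFloodProtection:
    def __init__(self, max_rate: int, block_duration: int, matches: Callable[[dict], bool]):
        self.max_rate = max_rate                  # DoS Protection profile Max Rate (new cps)
        self.block_duration = block_duration      # seconds; 0 = no Block Duration, no block list
        self.matches = matches                    # DoS Protection policy rule match criteria
        self.window: Dict[Key, Tuple[int, int]] = {}   # key -> (second, matching new connections in it)
        self.blocklist: Dict[Key, float] = {}          # key -> time the block-list entry expires
        self.last_attack: Dict[Key, int] = {}          # key -> last second an attack packet arrived

    def new_connection(self, pkt: dict, now: float) -> str:
        """Return 'allow' or 'drop' for the first packet of a new connection."""
        key = (pkt["szone"], pkt["src"])
        sec = int(now)
        listed = self.blocklist.get(key, -1.0) > now
        if self.matches(pkt):
            w_sec, cnt = self.window.get(key, (sec, 0))
            cnt = cnt + 1 if w_sec == sec else 1       # count per one-second window
            self.window[key] = (sec, cnt)
            if listed:                                 # attack traffic stays blocked until Block Duration expires
                self.last_attack[key] = sec
                return "drop"
            if cnt > self.max_rate:                    # Max Rate exceeded: Protect action
                if self.block_duration > 0:            # ...and Block Duration set: quarantine the source
                    self.blocklist[key] = now + self.block_duration
                    self.last_attack[key] = sec
                return "drop"
            return "allow"
        # Traffic that does not match the DoS rule (HTTP here) is quarantined only while
        # attack packets keep arriving in the current one-second test period; once the
        # attack stops it proceeds to the Security policy for validation.
        if listed and self.last_attack.get(key) == sec:
            return "drop"
        return "allow"


def simulate() -> Dict[str, int]:
    """Constructed scenario: 10,000 UDP/53 and 10 HTTP new connections per second from
    one host for three seconds, then HTTP only, with a single UDP probe in second 4
    while the Block Duration is still running. Returns verdict counts per protocol and second."""
    prot = DoSFloodProtection(max_rate=3000, block_duration=60,
                              matches=lambda p: p["proto"] == "udp")   # the DoS rule specifies UDP
    src = {"szone": "untrust", "src": "203.0.113.77"}
    stats: Dict[str, int] = defaultdict(int)
    for sec in range(5):
        udp_count = 10000 if sec < 3 else (1 if sec == 4 else 0)
        for i in range(udp_count):
            verdict = prot.new_connection({**src, "proto": "udp", "dport": 53}, sec + i / 20000)
            stats[f"udp:{sec}:{verdict}"] += 1
        for i in range(10):
            verdict = prot.new_connection({**src, "proto": "tcp", "dport": 80}, sec + 0.5 + i / 100)
            stats[f"http:{sec}:{verdict}"] += 1
    return dict(stats)
```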
Single-Session DoS Attack
A single-session DoS attack typically will not trigger Zone or DoS Protection profiles because they are attacks that are formed after the session is created. These attacks are allowed by the Security policy because a session is allowed to be created, and after the session is created, the attack drives up the packet volume and takes down the target device.

Configure DoS Protection Against Flooding of New Sessions to protect against flooding of new sessions (single-session and multiple-session flooding). In the event of a single-session attack that is underway, additionally Use the CLI to End a Single Attacking Session.
Configure DoS Protection Against Flooding of New Sessions
Use the CLI to End a Single Attacking Session
To mitigate a single-session DoS attack, you would still Configure DoS Protection Against Flooding of New Sessions in advance. At some point after you configure the feature, a session might be established before you realize a DoS attack (from the IP address of that session) is underway. When you see a single-session DoS attack, perform the following task to end the session, so that subsequent connection attempts from that IP address trigger the DoS protection against flooding of new sessions.
Step 1 Identify the source IP address that is causing the attack.
For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, in PAN-OS 7.0 and later, you can use ACC to filter on destination address to view the activity to the target host being attacked.
Step 2 Create a DoS Protection policy rule that will block the attacker's IP address after the attack thresholds are exceeded.
Step 3 Create a Security policy rule to deny the source IP address and its attack traffic.
After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Sequence of Events as Firewall Quarantines an IP Address.
Identify Sessions That Use an Excessive Percentage of the Packet Buffer
When a firewall exhibits signs of resource depletion, it might be experiencing an attack that is sending an overwhelming number of packets. In such events, the firewall starts buffering inbound packets. You can quickly identify the sessions that are using an excessive percentage of the packet buffer and mitigate their impact by discarding them.

Perform the following task on any hardware-based firewall platform (not a VM-Series firewall) to identify, for each slot and dataplane, the packet buffer percentage used, the top five sessions using more than two percent of the packet buffer, and the source IP addresses associated with those sessions. Having that information allows you to take appropriate action.

View Firewall Resource Usage, Top Sessions, and Session Details
Step 1 View firewall resource usage, top sessions, and session details. Execute the following operational command in the CLI (sample output from the command follows):
admin@PA-7050> show running resource-monitor ingress-backlogs
-- SLOT:s1, DP:dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%
TOP SESSIONS:
SESS-ID   PCT   GRP-ID   COUNT
6         92%   1        156
                7        1732
SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided
The command displays a maximum of the top five sessions that each use 2% or more of the packet buffer. The sample output above indicates that Session 6 is using 92% of the packet buffer with TCP packets (protocol 6) coming from source IP address 192.168.2.35.
SESS-ID: Indicates the global session ID that is used in all other show session commands. The global session ID is unique within the firewall.
GRP-ID: Indicates an internal stage of processing packets.
COUNT: Indicates how many packets are in that GRP-ID for that session.
APP: Indicates the App-ID extracted from the session information, which can help you determine whether the traffic is legitimate. For example, if packets use a common TCP or UDP port but the CLI output indicates an APP of undecided, the packets are possibly attack traffic. The APP is undecided when Application IP Decoders cannot get enough information to determine the application. An APP of unknown indicates that Application IP Decoders cannot determine the application; a session of unknown APP that uses a high percentage of the packet buffer is also suspicious.
To restrict the display output:
On a PA-7000 Series platform, you can limit output to a slot, a dataplane, or both. For example:
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1
admin@PA-7050> show running resource-monitor ingress-backlogs slot s1 dp dp1
On a PA-5000 Series platform, you can limit output to a dataplane. For example:
admin@PA-5060> show running resource-monitor ingress-backlogs dp dp1
Step 2 Use the command output to determine whether the source at the source IP address using a high percentage of the packet buffer is sending legitimate or attack traffic.
In the sample output above, a single-session attack is likely occurring. A single session (Session ID 6) is using 92% of the packet buffer for Slot 1, DP 1, and the application at that point is undecided.
If you determine a single user is sending an attack and the traffic is not offloaded, you can Use the CLI to End a Single Attacking Session. At a minimum, you can Configure DoS Protection Against Flooding of New Sessions.
On a hardware platform that has a field-programmable gate array (FPGA), the firewall offloads traffic to the FPGA when possible to increase performance. If the traffic is offloaded to hardware, clearing the session does not help because then it is the software that must handle the barrage of packets. You should instead Discard a Session Without a Commit.
To see whether a session is offloaded or not, use the show session id <session-id> operational command in the CLI as shown in the following example. The layer7 processing value indicates completed for sessions offloaded or enabled for sessions not offloaded.
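An added Python example (not PAN-OS code) that parses the show running resource-monitor ingress-backlogs output shown in Step 1 and flags sessions that hold a large share of the packet buffer while their App-ID is still undecided or unknown, the pattern Step 2 describes. The first slot in the embedded sample is the page's own output; the dp2 slot and its session are constructed to show the filter leaving a normal session alone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not PAN-OS code: a parser for 'show running resource-monitor
# ingress-backlogs' output. The dp1 block is the page's sample output; the dp2
# block and its session 9 are constructed.

SAMPLE_OUTPUT = """\
-- SLOT:s1, DP:dp1 --
USAGE - ATOMIC: 92% TOTAL: 93%
TOP SESSIONS:
SESS-ID   PCT   GRP-ID   COUNT
6         92%   1        156
                7        1732
SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
6        6      trust  192.168.2.35  55653  10.1.8.89  80     ethernet1/21  ethernet1/22  undecided
-- SLOT:s1, DP:dp2 --
USAGE - ATOMIC: 12% TOTAL: 14%
TOP SESSIONS:
SESS-ID   PCT   GRP-ID   COUNT
9         3%    1        40
SESSION DETAILS
SESS-ID  PROTO  SZONE  SRC           SPORT  DST        DPORT  IGR-IF        EGR-IF        APP
9        6      trust  192.168.2.80  41022  10.1.8.90  443    ethernet1/21  ethernet1/22  ssl
"""


@dataclass
class BacklogSession:
    slot: str
    dp: str
    sess_id: int                       # global session ID, usable with 'show session id'
    pct: int                           # share of the packet buffer held by this session
    groups: List[Tuple[int, int]] = field(default_factory=list)   # (GRP-ID, COUNT) rows
    proto: Optional[int] = None
    szone: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    igr_if: Optional[str] = None
    egr_if: Optional[str] = None
    app: Optional[str] = None


def parse_ingress_backlogs(text: str) -> Tuple[Dict[Tuple[str, str], Tuple[int, int]], List[BacklogSession]]:
    """Return ({(slot, dp): (atomic %, total %)}, [BacklogSession, ...])."""
    usage: Dict[Tuple[str, str], Tuple[int, int]] = {}
    sessions: Dict[Tuple[str, str, int], BacklogSession] = {}
    slot = dp = section = None
    last: Optional[BacklogSession] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"-- SLOT:(\S+), DP:(\S+) --", line)
        if m:
            slot, dp, section, last = m.group(1), m.group(2), None, None
            continue
        m = re.match(r"USAGE - ATOMIC: (\d+)% TOTAL: (\d+)%", line)
        if m:
            usage[(slot, dp)] = (int(m.group(1)), int(m.group(2)))
            continue
        if line.startswith("TOP SESSIONS"):
            section = "top"
            continue
        if line.startswith("SESSION DETAILS"):
            section = "details"
            continue
        if line.startswith("SESS-ID"):            # column header row of either table
            continue
        toks = line.split()
        if section == "top":
            if len(toks) == 4:                    # SESS-ID PCT GRP-ID COUNT
                key = (slot, dp, int(toks[0]))
                last = sessions.setdefault(
                    key, BacklogSession(slot, dp, int(toks[0]), int(toks[1].rstrip("%"))))
                last.groups.append((int(toks[2]), int(toks[3])))
            elif len(toks) == 2 and last is not None:   # continuation: another GRP-ID of the same session
                last.groups.append((int(toks[0]), int(toks[1])))
        elif section == "details" and len(toks) == 10:
            s = sessions.get((slot, dp, int(toks[0])))
            if s is not None:
                (s.proto, s.szone, s.src, s.sport, s.dst, s.dport, s.igr_if, s.egr_if, s.app) = (
                    int(toks[1]), toks[2], toks[3], int(toks[4]), toks[5], int(toks[6]),
                    toks[7], toks[8], toks[9])
    return usage, list(sessions.values())


def suspicious_sessions(sessions: List[BacklogSession], min_pct: int = 2) -> List[BacklogSession]:
    """Sessions at or above min_pct of the buffer whose App-ID is undecided or unknown:
    the candidates the page says to end (if not offloaded) or discard without a commit."""
    return [s for s in sessions if s.pct >= min_pct and s.app in ("undecided", "unknown")]
```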
Discard a Session Without a Commit
Perform this task to permanently discard a session, such as a session that is overloading the packet buffer. No commit is required; the session is discarded immediately after executing the command. The commands apply to both offloaded and non-offloaded sessions.
Step 1 In the CLI, execute the following operational command on any hardware platform:
admin@PA-7050> request session discard [timeout <seconds>] [reason <reason string>] id <session-id>
The default timeout is 3600 seconds.
Step 2 Verify that sessions have been discarded.
admin@PA-7050> show session all filter state discard
Virtual Systems Overview
Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately managed firewall with its traffic kept separate from the traffic of other virtual systems.
This topic includes the following:
Virtual System Components and Segmentation
Benefits of Virtual Systems
Use Cases for Virtual Systems
Platform Support and Licensing for Virtual Systems
Administrative Roles for Virtual Systems
Shared Objects for Virtual Systems
Virtual System Components and Segmentation
A virtual system is an object that creates an administrative boundary, as shown in the following figure.
A virtual system consists of a set of physical and logical interfaces and subinterfaces (including VLANs and virtual wires), virtual routers, and security zones. You choose the deployment mode(s) (any combination of virtual wire, Layer 2, or Layer 3) of each virtual system. By using virtual systems, you can segment any of the following:
Administrative access
The management of all policies (security, NAT, QoS, policy-based forwarding, decryption, application override, captive portal, and DoS protection)
All objects (such as address objects, application groups and filters, dynamic block lists, security profiles, decryption profiles, custom objects, etc.)
User-ID
Certificate management
Server profiles
Logging, reporting, and visibility functions
Virtual systems affect the security functions of the firewall, but virtual systems alone do not affect networking functions such as static and dynamic routing. You can segment routing for each virtual system by creating one or more virtual routers for each virtual system, as in the following use cases:
If you have virtual systems for departments of one organization, and the network traffic for all of the departments is within a common network, you can create a single virtual router for multiple virtual systems.
If you want routing segmentation and each virtual system's traffic must be isolated from other virtual systems, you can create one or more virtual routers for each virtual system.
Benefits of Virtual Systems
Virtual systems provide the same basic functions as a physical firewall, along with additional benefits:
Segmented administration: Different organizations (or customers or business units) can control (and monitor) a separate firewall instance, so that they have control over their own traffic without interfering with the traffic or policies of another firewall instance on the same physical firewall.
Scalability: After the physical firewall is configured, adding or removing customers or business units can be done efficiently. An ISP, managed security service provider, or enterprise can provide different security services to each customer.
Reduced capital and operational expenses: Virtual systems eliminate the need to have multiple physical firewalls at one location because virtual systems co-exist on one firewall. By not having to purchase multiple firewalls, an organization can save on the hardware expense, electric bills, and rack space, and can reduce maintenance and management expenses.
Use Cases for Virtual Systems
There are many ways to use virtual systems in a network. One common use case is for an ISP or a managed security service provider (MSSP) to deliver services to multiple customers with a single firewall. Customers can choose from a wide array of services that can be enabled or disabled easily. The firewall's role-based administration allows the ISP or MSSP to control each customer's access to functionality (such as logging and reporting) while hiding or offering read-only capabilities for other functions.
Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments. Like the above case, different groups can have different levels of access while IT manages the firewall itself. Services can be tracked and/or billed back to departments to thereby make separate financial accountability possible within an organization.
Platform Support and Licensing for Virtual Systems
Virtual systems are supported on the PA-2000, PA-3000, PA-4000, PA-5000, and PA-7000 Series firewalls. Each firewall series supports a base number of virtual systems; the number varies by platform. A Virtual Systems license is required in the following cases:
To support multiple virtual systems on PA-2000 or PA-3000 Series firewalls.
To create more than the base number of virtual systems supported on a platform.
For license information, see Activate Licenses and Subscriptions. For the base and maximum number of virtual systems supported, see the Compare Firewalls tool.
Multiple virtual systems are not supported on the PA-200, PA-500, or VM-Series firewalls.
Administrative Roles for Virtual Systems
A superuser administrator can create virtual systems and add a Device Administrator, vsysadmin, or vsysreader. A Device Administrator can access all virtual systems, but cannot add administrators. The two types of virtual system administrative roles are:
vsysadmin: Grants full access to a virtual system.
vsysreader: Grants read-only access to a virtual system.
A virtual system administrator can view logs of only the virtual systems assigned to that administrator. Someone with superuser or Device Admin permission can view all of the logs or select a virtual system to view. Persons with vsysadmin permission can commit configurations for only the virtual systems assigned to them.
Shared Objects for Virtual Systems
If your administrator account extends to multiple virtual systems, you can choose to configure objects (such as an address object) and policies for a specific virtual system or as shared objects, which apply to all of the virtual systems on the firewall. If you try to create a shared object with the same name and type as an existing object in a virtual system, the virtual system object is used.
Communication Between Virtual Systems
There are two typical scenarios where communication between virtual systems (inter-vsys traffic) is desirable. In a multi-tenancy environment, communication between virtual systems can occur by having traffic leave the firewall, go through the Internet, and re-enter the firewall. In a single-organization environment, communication between virtual systems can remain within the firewall. This section discusses both scenarios.
Inter-VSYS Traffic That Must Leave the Firewall
Inter-VSYS Traffic That Remains Within the Firewall
Inter-VSYS Communication Uses Two Sessions
Inter-VSYS Traffic That Must Leave the Firewall
An ISP that has multiple customers on a firewall (known as multi-tenancy) can use a virtual system for each customer, and thereby give each customer control over its virtual system configuration. The ISP grants vsysadmin permission to customers. Each customer's traffic and management are isolated from the others. Each virtual system must be configured with its own IP address and one or more virtual routers in order to manage traffic and its own connection to the Internet.
If the virtual systems need to communicate with each other, that traffic goes out the firewall to another Layer 3 routing device and back to the firewall, even though the virtual systems exist on the same physical firewall, as shown in the following figure.
Inter-VSYS Traffic That Remains Within the Firewall
Unlike the preceding multi-tenancy scenario, virtual systems on a firewall can be under the control of a single organization. The organization wants to both isolate traffic between virtual systems and allow communications between virtual systems. This common use case arises when the organization wants to provide departmental separation and still have the departments be able to communicate with each other or connect to the same network(s). In this scenario, the inter-vsys traffic remains within the firewall, as described in the following topics:
External Zone
External Zones and Security Policies For Traffic Within a Firewall
External Zone
The communication desired in the use case above is achieved by configuring security policies that point to or from an external zone. An external zone is a security object that is associated with a specific virtual system that it can reach; the zone is external to the virtual system. A virtual system can have only one external zone, regardless of how many security zones the virtual system has within it. External zones are required to allow traffic between zones in different virtual systems without the traffic leaving the firewall.
The virtual system administrator configures the security policies needed to allow traffic between two virtual systems. Unlike security zones, an external zone is not associated with an interface; it is associated with a virtual system. The security policy allows or denies traffic between the security (internal) zone and the external zone.
Because external zones do not have interfaces or IP addresses associated with them, some zone protection profiles are not supported on external zones.
Remember that each virtual system is a separate instance of a firewall, which means that each packet moving between virtual systems is inspected for security policy and App-ID evaluation.
External Zones and Security Policies For Traffic Within a Firewall
In the following example, an enterprise has two separate administrative groups: the department A and department B virtual systems. The following figure shows the external zone associated with each virtual system, and traffic flowing from one trust zone, out an external zone, into an external zone of another virtual system, and into its trust zone.
To create external zones, the firewall administrator must configure the virtual systems so that they are visible to each other. External zones do not have security policies between them because their virtual systems are visible to each other.
To communicate between virtual systems, the ingress and egress interfaces on the firewall are either assigned to a single virtual router or else they are connected using inter-virtual router static routes. The simpler of these two approaches is to assign all virtual systems that must communicate with each other to a single virtual router.
There might be a reason that the virtual systems need to have their own virtual router, for example, if the virtual systems use overlapping IP address ranges. Traffic can be routed between the virtual systems, but each virtual router must have static routes that point to the other virtual router(s) as the next hop.
Referring to the scenario in the figure above, we have an enterprise with two administrative groups: department A and department B. The department A group manages the local network and the DMZ resources. The department B group manages traffic in and out of the sales segment of the network. All traffic is on a local network, so a single virtual router is used. There are two external zones configured for communication between the two virtual systems. The department A virtual system has three zones used in security policies: deptA-DMZ, deptA-trust, and deptA-External. The department B virtual system also has three zones: deptB-DMZ, deptB-trust, and deptB-External. Both groups can control the traffic passing through their virtual systems.
In order to allow traffic from deptA-trust to deptB-trust, two security policies are required. In the following figure, the two vertical arrows indicate where the security policies (described below the figure) are controlling traffic.
Security Policy 1: In the preceding figure, traffic is destined for the deptB-trust zone. Traffic leaves the deptA-trust zone and goes to the deptA-External zone. A security policy must allow traffic from the source zone (deptA-trust) to the destination zone (deptA-External). A virtual system allows any policy type to be used for this traffic, including NAT.
No policy is needed between external zones because traffic sent to an external zone appears in and has automatic access to the other external zones that are visible to the original external zone.
Security Policy 2: In the preceding figure, the traffic from deptB-External is still destined to the deptB-trust zone, and a security policy must be configured to allow it. The policy must allow traffic from the source zone (deptB-External) to the destination zone (deptB-trust).
The department B virtual system could be configured to block traffic from the department A virtual system, and vice versa. Like traffic from any other zone, traffic from external zones must be explicitly allowed by policy to reach other zones in a virtual system.
In addition to external zones being required for inter-virtual system traffic that does not leave the firewall, external zones are also required if you configure a Shared Gateway, in which case the traffic is intended to leave the firewall.
Inter-VSYS Communication Uses Two Sessions
It is helpful to understand that communication between two virtual systems uses two sessions, unlike the one session used for a single virtual system. Let's compare the scenarios.
Scenario 1: Vsys1 has two zones: trust1 and untrust1. A host in the trust1 zone initiates traffic when it needs to communicate with a device in the untrust1 zone. The host sends traffic to the firewall, and the firewall creates a new session for source zone trust1 to destination zone untrust1. Only one session is needed for this traffic.
Scenario 2: A host from vsys1 needs to access a server on vsys2. A host in the trust1 zone initiates traffic to the firewall, and the firewall creates the first session: source zone trust1 to destination zone untrust1. Traffic is routed to vsys2, either internally or externally. Then the firewall creates a second session: source zone untrust2 to destination zone trust2. Two sessions are needed for this inter-vsys traffic.
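The two-policy, two-session walk described in the External Zones and Security Policies topic and in the two-sessions comparison above, as an added illustration that is not part of the guide and not PAN-OS code: a small Python model in which each virtual system evaluates its own rulebase, the first session is evaluated in the source vsys toward its external zone, no rule is consulted between the external zones of mutually visible virtual systems, and the second session is evaluated in the destination vsys from its external zone. The vsys names (vsys1, vsys2), the deptA-*/deptB-* zone names and the two rules are constructed sample data; the implicit interzone deny when no rule matches is an assumption of the model.

```python
"""Model of inter-vsys traffic through external zones (added example;
constructed data, not PAN-OS code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    vsys: str
    from_zone: str
    to_zone: str
    action: str  # "allow" or "deny"


# Constructed sample configuration: each vsys has exactly one external zone,
# and the firewall admin has made vsys1 and vsys2 visible to each other.
EXTERNAL_ZONE: Dict[str, str] = {"vsys1": "deptA-External", "vsys2": "deptB-External"}
VISIBLE: Dict[str, Set[str]] = {"vsys1": {"vsys2"}, "vsys2": {"vsys1"}}

# Security Policy 1 lives in vsys1, Security Policy 2 in vsys2. Nothing allows
# deptB-trust out through deptB-External, so the reverse direction is blocked
# even though the same external zones exist.
RULES: List[Rule] = [
    Rule("vsys1", "deptA-trust", "deptA-External", "allow"),
    Rule("vsys2", "deptB-External", "deptB-trust", "allow"),
]

Session = Tuple[str, str, str, str]  # (vsys, source zone, destination zone, action)


def evaluate(vsys: str, from_zone: str, to_zone: str, rules: List[Rule]) -> str:
    """First matching rule in the vsys rulebase wins; no match means the
    interzone default deny (an assumption of this model)."""
    for r in rules:
        if (r.vsys, r.from_zone, r.to_zone) == (vsys, from_zone, to_zone):
            return r.action
    return "deny"


def inter_vsys_path(src_vsys: str, src_zone: str, dst_vsys: str, dst_zone: str,
                    rules: List[Rule] = RULES) -> Tuple[str, List[Session]]:
    """Return the overall verdict and the sessions the firewall creates."""
    if src_vsys == dst_vsys:
        a = evaluate(src_vsys, src_zone, dst_zone, rules)
        return a, [(src_vsys, src_zone, dst_zone, a)]  # single vsys: one session
    if dst_vsys not in VISIBLE.get(src_vsys, set()):
        return "deny", []  # not visible to each other: no external-zone path exists
    sessions: List[Session] = []
    # Session 1: evaluated in the source vsys, internal zone -> its external zone.
    a1 = evaluate(src_vsys, src_zone, EXTERNAL_ZONE[src_vsys], rules)
    sessions.append((src_vsys, src_zone, EXTERNAL_ZONE[src_vsys], a1))
    if a1 != "allow":
        return "deny", sessions
    # Between the two external zones no policy is consulted.
    # Session 2: evaluated in the destination vsys, its external zone -> target zone.
    a2 = evaluate(dst_vsys, EXTERNAL_ZONE[dst_vsys], dst_zone, rules)
    sessions.append((dst_vsys, EXTERNAL_ZONE[dst_vsys], dst_zone, a2))
    return ("allow" if a2 == "allow" else "deny"), sessions


if __name__ == "__main__":
    for args in (("vsys1", "deptA-trust", "vsys2", "deptB-trust"),
                 ("vsys2", "deptB-trust", "vsys1", "deptA-trust")):
        verdict, sessions = inter_vsys_path(*args)
        print(args, "->", verdict, sessions)
```

Running the block shows the deptA-trust to deptB-trust flow producing two sessions and an allow verdict, while the reverse direction is denied at the first session because vsys2 has no rule from deptB-trust to its external zone; that is the "vice versa" case the guide describes.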
Shared Gateway
This topic includes the following information about shared gateways:
External Zones and Shared Gateway
Networking Considerations for a Shared Gateway
External Zones and Shared Gateway
A shared gateway is an interface that multiple virtual systems share in order to communicate over the Internet. Each virtual system requires an External Zone, which acts as an intermediary, for configuring security policies that allow or deny traffic from the virtual system's internal zone to the shared gateway. The shared gateway uses a single virtual router to route traffic for all virtual systems. A shared gateway is used in cases when an interface does not need a full administrative boundary around it, or when multiple virtual systems must share a single Internet connection. This second case arises if an ISP provides an organization with only one IP address (interface), but multiple virtual systems need external communication.
Unlike the behavior between virtual systems, security policy and App-ID evaluations are not performed between a virtual system and a shared gateway. That is why using a shared gateway to access the Internet involves less overhead than creating another virtual system to do so.
In the following figure, three customers share a firewall, but there is only one interface accessible to the Internet. Creating another virtual system would add the overhead of App-ID and security policy evaluation for traffic being sent to the interface through the added virtual system. To avoid adding another virtual system, the solution is to configure a shared gateway, as shown in the following diagram.
The shared gateway has one globally routable IP address used to communicate with the outside world. Interfaces in the virtual systems have IP addresses too, but they can be private, non-routable IP addresses.
You will recall that an administrator must specify whether a virtual system is visible to other virtual systems. Unlike a virtual system, a shared gateway is always visible to all of the virtual systems on the firewall.
A shared gateway ID number appears as sg<ID> on the web interface. It is recommended that you name your shared gateway with a name that includes its ID number.
When you add objects such as zones or interfaces to a shared gateway, the shared gateway appears as an available virtual system in the vsys drop-down menu.
A shared gateway is a limited version of a virtual system; it supports NAT and policy-based forwarding (PBF), but does not support security, DoS policies, QoS, decryption, application override, or captive portal policies.
Networking Considerations for a Shared Gateway
Keep the following in mind while you are configuring a shared gateway.
The virtual systems in a shared gateway scenario access the Internet through the shared gateway's physical interface, using a single IP address. If the IP addresses of the virtual systems are not globally routable, configure source NAT to translate those addresses to globally routable IP addresses.
A virtual router routes the traffic for all of the virtual systems through the shared gateway.
The default route for the virtual systems should point to the shared gateway.
Security policies must be configured for each virtual system to allow the traffic between the internal zone and external zone, which is visible to the shared gateway.
A firewall administrator should control the virtual router, so that no member of a virtual system can affect the traffic of other virtual systems.
Within a Palo Alto Networks firewall, a packet may hop from one virtual system to another virtual system or a shared gateway. A packet may not traverse more than two virtual systems or shared gateways. For example, a packet cannot go from one virtual system to a shared gateway to a second virtual system within the firewall.
To save configuration time and effort, consider the following advantages of a shared gateway:
Rather than configure NAT for multiple virtual systems associated with a shared gateway, you can configure NAT for the shared gateway.
Rather than configure policy-based routing (PBR) for multiple virtual systems associated with a shared gateway, you can configure PBR for the shared gateway.
Service Routes for Virtual Systems
The firewall uses the MGT interface (by default) to access external services, such as DNS servers, software updates, and software licenses. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route. Service routes can be configured for the firewall or for individual virtual systems. Each service allows redirection of management services to the respective virtual system owner through one of the interfaces associated with that virtual system.
The ability to configure service routes per virtual system provides the flexibility to customize service routes for numerous tenants or departments on a single firewall. The service packets exit the firewall on a port that is assigned to a specific virtual system, and the server sends its response to the configured source interface and source IP address. Any virtual system that does not have a service route configured for a particular service inherits the interface and IP address that are set globally for that service.
Use Cases for Service Routes for a Virtual System
PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers
DNS Proxy Object
DNS Server Profile
Multi-Tenant DNS Deployments
To configure service routes for a virtual system, see Customize Service Routes for a Virtual System.
Use Cases for Service Routes for a Virtual System
One use case for configuring service routes at the virtual system level is when a large customer (such as an ISP) needs to support multiple individual tenants on a single Palo Alto Networks firewall. The ISP has configured virtual systems on the firewall, and wants to have separate service routes for each virtual system, rather than service routes configured at the global level. Each tenant requires service route capabilities so that it can customize service route parameters for DNS, email, Kerberos, LDAP, NetFlow, RADIUS, SNMP trap, syslog, TACACS+, User-ID Agent, and VM Monitor.
Another use case is an IT organization that wants to provide full autonomy to groups that set up servers for services. Each group can have a virtual system and define its own service routes.
If Multi Virtual System Capability is enabled, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall.
An organization can have multiple virtual systems, but use a global service route for a service rather than different service routes for each virtual system. For example, the firewall can use a shared email server to originate email alerts to its virtual systems.
A firewall with multiple virtual systems must have interfaces and subinterfaces with non-overlapping IP addresses.
A per-virtual system service route for SNMP traps or for Kerberos is for IPv4 only.
You can select a virtual router for a service route in a virtual system; you cannot select the egress interface. After you select the virtual router and the firewall sends the packet from the virtual router, the firewall selects the egress interface based on the destination IP address. Therefore:
If a virtual system has multiple virtual routers, packets to all of the servers for a service must egress out of only one virtual router.
A packet with an interface source address may egress a different interface, but the return traffic would be on the interface that has the source IP address, creating asymmetric traffic.
PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers
For Traffic, HIP Match, Threat, and WildFire log types, the PA-7000 Series firewall does not use service routes for SNMP Trap, syslog and email services. Instead, the PA-7000 Series firewall Log Processing Card (LPC) supports virtual system-specific paths from LPC subinterfaces to an on-premise switch to the respective service on a server. For System and Config logs, the PA-7000 Series firewall uses global service routes, and not the LPC.
In other Palo Alto Networks platforms, the dataplane sends logging service route traffic to the management plane, which sends the traffic to logging servers. In the PA-7000 Series firewall, each LPC has only one interface, and dataplanes for multiple virtual systems send logging server traffic (types mentioned above) to the PA-7000 Series firewall LPC. The LPC is configured with multiple subinterfaces, over which the platform sends the logging service traffic out to a customer's switch, which can be connected to multiple logging servers.
Each LPC subinterface can be configured with a subinterface name and a dotted subinterface number. The subinterface is assigned to a virtual system, which is configured for logging services. The other service routes on a PA-7000 Series firewall function similarly to service routes on other Palo Alto Networks platforms.
To configure the LPC for per-virtual system logging services, see Configure a PA-7000 Series Firewall for Logging Per Virtual System. For information about the LPC itself, see the PA-7000 Series Hardware Reference Guide.
DNS Proxy Object
Domain Name System (DNS) servers perform the service of resolving a domain name to an IP address, and vice versa. DNS proxy is a role in which the firewall is an intermediary between DNS clients and servers; it acts as a DNS server itself by resolving queries from its DNS proxy cache. If the domain name is not found in the DNS proxy cache, the firewall searches for a match to the domain name among the entries in the specific DNS proxy object (on the interface on which the DNS query arrived), and forwards the query to a DNS server based on the match results. If no match is found, the default DNS servers are used.
A DNS proxy object is where you configure the settings that determine how the firewall functions as a DNS proxy. You can assign a DNS proxy object to a single virtual system or it can be shared among all virtual systems.
If the DNS proxy object is for a virtual system, you can specify a DNS Server Profile, which specifies the primary and secondary DNS server addresses, along with other information. The DNS server profile simplifies configuration.
If the DNS proxy object is shared, you must specify at least the primary address of a DNS server.
When configuring tenants with DNS services, each tenant should have its own DNS proxy defined, which keeps the tenant's DNS service separate from other tenants' services.
In the proxy object, you specify the interfaces for which the firewall is acting as DNS proxy. The DNS proxy for the interface does not use the service route; responses to the DNS requests are always sent to the interface assigned to the virtual router where the DNS request arrived.
You can supply the DNS proxy with static FQDN-to-address mappings. You can create DNS proxy rules that control to which DNS server the specified domain name queries are directed. A DNS proxy has other options; to configure a DNS proxy, see Configure a DNS Proxy Object. A maximum of 256 DNS proxy objects can be configured on a firewall.
DNS Server Profile
To simplify configuration for a virtual system, a DNS server profile allows you to specify the virtual system that is being configured, an inheritance source or the primary and secondary IP addresses for DNS servers, and a source interface and source address (service route) that will be used in packets sent to the DNS server.
The source interface determines the virtual router, which has a route table. The destination IP address is looked up in the routing table of the virtual router where the source interface is assigned. It is possible that the result of the destination IP egress interface differs from the source interface. The packet would egress out of the destination IP egress interface determined by the route table lookup, but the source IP address would be the address configured. The source address is used as the destination address in the reply from the DNS server.
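The route-table behavior described in the preceding paragraph and under Use Cases for Service Routes for a Virtual System (the source interface fixes the virtual router and the source IP, the destination IP is looked up in that virtual router's table, and the egress interface may differ from the source interface while the server's reply still returns to the source address), as an added Python model that is not part of the guide and not PAN-OS code. The interface names, virtual routers, addresses and routes are constructed sample data; the longest-prefix-match lookup is the standard route selection the model assumes.

```python
"""Model of service-route egress selection and the asymmetric case
(added example; constructed data, not PAN-OS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str     # CIDR destination
    egress_if: str  # interface the virtual router sends out of


# Constructed: interface -> (virtual router it belongs to, its IP address)
INTERFACES: Dict[str, Tuple[str, str]] = {
    "ethernet1/1": ("vr-tenantA", "192.0.2.10"),
    "ethernet1/2": ("vr-tenantA", "198.51.100.10"),
    "ethernet1/3": ("vr-tenantB", "203.0.113.10"),
}

# Constructed route tables, one per virtual router.
ROUTE_TABLES: Dict[str, List[Route]] = {
    "vr-tenantA": [
        Route("0.0.0.0/0", "ethernet1/1"),
        Route("192.0.2.0/24", "ethernet1/1"),
        Route("198.51.100.0/24", "ethernet1/2"),
    ],
    "vr-tenantB": [
        Route("0.0.0.0/0", "ethernet1/3"),
        Route("203.0.113.0/24", "ethernet1/3"),
    ],
}


def lookup(vr: str, dst: str) -> Optional[Route]:
    """Longest-prefix match of dst in the virtual router's route table."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for route in ROUTE_TABLES.get(vr, []):
        net = ipaddress.ip_network(route.prefix)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def service_route_path(source_if: str, server_ip: str) -> Dict[str, object]:
    """Describe the request path and whether the reply comes back asymmetrically."""
    vr, src_ip = INTERFACES[source_if]
    route = lookup(vr, server_ip)
    if route is None:
        return {"vr": vr, "src_ip": src_ip, "egress_if": None,
                "reply_to_if": source_if, "asymmetric": False, "reachable": False}
    return {
        "vr": vr,
        "src_ip": src_ip,                    # source address stays the configured one
        "egress_if": route.egress_if,        # chosen by the destination lookup
        "reply_to_if": source_if,            # the server replies to src_ip, i.e. this interface
        "asymmetric": route.egress_if != source_if,
        "reachable": True,
    }


if __name__ == "__main__":
    print(service_route_path("ethernet1/1", "198.51.100.53"))  # egresses ethernet1/2: asymmetric
    print(service_route_path("ethernet1/1", "203.0.113.53"))   # default route: symmetric
```

The first call shows the asymmetric case: the request to 198.51.100.53 leaves on ethernet1/2 because of the more specific route, but it carries ethernet1/1's address, so the server's reply returns on ethernet1/1. The second call follows the default route out of the same interface it was sourced from.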
The virtual system report and virtual system server profile send their queries to the DNS server specified for the virtual system, if there is one. (The DNS server used is defined in Device > Virtual Systems > General > DNS Proxy.) If there is no DNS server specified for the virtual system, the DNS server specified for the firewall is queried.
A DNS server profile is for a virtual system only; it is not for a global Shared location. To configure a DNS server profile, see Configure a DNS Server Profile.
For more information on DNS server profiles, see DNS Resolution: Three Use Cases.
Multi-Tenant DNS Deployments
There are three use cases for multi-tenant DNS deployments:
Global Management DNS Resolution: The firewall needs DNS resolution for its own purposes, for example, when the request is coming from the management plane to resolve an FQDN in a security policy. The firewall uses the service route to get to a DNS server because there is no incoming virtual router. The DNS server is configured in Device > Setup > Services > Global, and Servers are configured by entering a primary and secondary DNS server.
Policy and Report FQDN Resolution for a Virtual System: For DNS queries that need to be resolved from a security policy or a report, you can specify a set of DNS servers specific to the virtual system (tenant) or you can default to the global DNS servers. If your use case requires a different set of DNS servers per virtual system, the DNS server is configured in Device > Virtual Systems > General > DNS Proxy. The DNS proxy object is configured in Network > DNS Proxy. The resolution is specific to the virtual system to which the DNS proxy is assigned. If you don't have specific DNS servers applicable to this virtual system and want to use the global DNS setting, the global DNS servers take precedence.
Dataplane DNS Resolution for a Virtual System: This method is also known as a Network Request for DNS Resolution. The tenant's virtual system can be configured so that specified domain names are resolved on the tenant's DNS server in its network. This method supports split DNS, meaning that the tenant can also use its own ISP DNS servers for the remaining DNS queries not resolved on its own server. DNS Proxy rules control the split DNS; the tenant's domain redirects DNS requests to its DNS servers, which are configured in a DNS server profile. The DNS server profile has primary and secondary DNS servers designated, and also DNS service routes for IPv4 and IPv6, which override the default DNS settings.
For more information on DNS deployments, see DNS Resolution: Three Use Cases.
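The lookup order from the DNS Proxy Object topic (proxy cache first, then the DNS proxy rules keyed on domain names, then the proxy object's default servers) together with the split-DNS behavior of the dataplane use case above, as an added Python model that is not part of the guide and not PAN-OS code. The interface name, domains and server addresses are constructed sample data; checking static FQDN entries as a step after the cache, and choosing the rule whose domain pattern matches the most labels when several rules cover a name, are assumptions of the model.

```python
"""Model of DNS proxy resolution order (added example; constructed data,
not PAN-OS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DnsProxyRule:
    """Redirects queries for the listed domains; a leading '*.' matches subdomains."""
    domains: List[str]
    primary: str
    secondary: Optional[str] = None


@dataclass
class DnsProxyObject:
    name: str
    interfaces: List[str]                 # interfaces the firewall proxies DNS for
    default_primary: str                  # default server when no rule matches
    default_secondary: Optional[str] = None
    rules: List[DnsProxyRule] = field(default_factory=list)
    static_entries: Dict[str, str] = field(default_factory=dict)  # FQDN -> address
    cache: Dict[str, str] = field(default_factory=dict)           # previously resolved answers


def _match_labels(qname: str, pattern: str) -> int:
    """Number of labels the pattern covers in qname, or -1 if it does not match."""
    q, p = qname.rstrip(".").lower(), pattern.rstrip(".").lower()
    if p.startswith("*."):
        base = p[2:]
        return base.count(".") + 1 if q.endswith("." + base) else -1
    return p.count(".") + 1 if q == p else -1


def resolve(proxy: DnsProxyObject, ingress_if: str, qname: str) -> Tuple[str, Optional[str]]:
    """Return (deciding step, answer or server the query is forwarded to)."""
    if ingress_if not in proxy.interfaces:
        return "not-proxied", None              # ordinary transit traffic, not proxied
    key = qname.rstrip(".").lower()
    if key in proxy.cache:
        return "cache", proxy.cache[key]        # answered from the proxy cache
    if key in proxy.static_entries:
        return "static", proxy.static_entries[key]  # static FQDN mapping (assumed order)
    best: Optional[DnsProxyRule] = None
    best_len = -1
    for rule in proxy.rules:
        for pattern in rule.domains:
            n = _match_labels(key, pattern)
            if n > best_len:
                best, best_len = rule, n
    if best is not None:
        return "rule", best.primary             # split DNS: tenant's own server
    return "default", proxy.default_primary     # everything else: default servers


# Constructed tenant configuration for a quick run.
TENANT_A = DnsProxyObject(
    name="tenantA-proxy",
    interfaces=["ethernet1/1.10"],
    default_primary="198.51.100.53",  # the tenant's ISP resolver
    rules=[DnsProxyRule(["corp.tenant-a.example", "*.corp.tenant-a.example"], "10.10.0.53")],
    static_entries={"intranet.tenant-a.example": "10.10.0.20"},
    cache={"cached.example": "192.0.2.10"},
)

if __name__ == "__main__":
    for name in ("cached.example", "intranet.tenant-a.example",
                 "mail.corp.tenant-a.example", "www.example.com"):
        print(name, "->", resolve(TENANT_A, "ethernet1/1.10", name))
```

Queries for the tenant's corporate domain are redirected to the tenant's internal server by the proxy rule, while the rest fall through to the default (ISP) resolver, which is the split-DNS arrangement the dataplane use case describes; a query arriving on an interface the proxy object does not list is simply not proxied.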
Configure Virtual Systems
Creating a virtual system requires that you have the following:
A superuser administrative role.
An interface configured.
A Virtual Systems license if you are configuring a PA-2000 or PA-3000 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. See Platform Support and Licensing for Virtual Systems.
Configure a Virtual System
Configure Inter-Virtual System Communication within the Firewall
Perform this task if you have a use case, perhaps within a single enterprise, where you want the virtual systems to be able to communicate with each other within the firewall. Such a scenario is described in Inter-VSYS Traffic That Remains Within the Firewall. This task presumes:
You completed the task, Configure Virtual Systems.
When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate with each other to be visible to each other.
Configure Inter-Virtual System Communication within the Firewall
Configure a Shared Gateway
Perform this task if you need multiple virtual systems to share an interface (a Shared Gateway) to the Internet. This task presumes:
You configured an interface with a globally routable IP address, which will be the shared gateway.
You completed the prior task, Configure Virtual Systems. For the interface, you chose the external-facing interface with the globally routable IP address.
When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate to be visible to each other.
Configure a Shared Gateway
Customize Service Routes for a Virtual System
Customize Service Routes to Services for Virtual Systems
Configure a PA-7000 Series Firewall for Logging Per Virtual System
Configure a DNS Proxy Object
Configure a DNS Server Profile
Configure Administrative Access Per Virtual System or Firewall
Customize Service Routes to Services for Virtual Systems
Prior to performing this task, in order to see the Global and Virtual Systems tabs, you must enable Multi Virtual System Capability.
If Multi Virtual System Capability is enabled, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall.
The firewall supports syslog forwarding on a virtual system basis. When multiple virtual systems on a firewall are connecting to a syslog server using SSL transport, the firewall can generate only one certificate for secure communication. The firewall does not support each virtual system having its own certificate.
In the following use case, you are configuring individual service routes for a firewall with multiple virtual systems.
Customize Service Routes to Services Per Virtual System
Step 1: Customize service routes for a virtual system.
1. Select Device > Setup > Services > Virtual Systems, and select the virtual system you want to configure.
2. Click the Service Route Configuration link.
3. Select one of the radio buttons:
   Inherit Global Service Route Configuration: Causes the virtual system to inherit the global service route settings relevant to a virtual system. If you choose this option, skip down to step 7.
   Customize: Allows you to specify a source interface and source address for each service.
4. If you chose Customize, select the IPv4 or IPv6 tab, depending on what type of addressing the server offering the service uses. You can specify both IPv4 and IPv6 addresses for a service. Click the check box(es) for the services for which you want to specify the same source information. (Only services that are relevant to a virtual system are available.) Click Set Selected Service Routes.
   For Source Interface, select Any, Inherit Global Setting, or an interface from the drop-down to specify the source interface that will be used in packets sent to the external service(s). Hence, the server's response will be sent to that source interface. In our example deployment, you would set the source interface to be the subinterface of the tenant.
   Source Address will indicate Inherited if you selected Inherit Global Setting for the Source Interface, or it will indicate the source address of the Source Interface you selected. If you selected Any for Source Interface, select an IP address from the drop-down, or enter an IP address (using the IPv4 or IPv6 format that matches the tab you chose) to specify the source address that will be used in packets sent to the external service.
   If you modify an address object and the IP family type (IPv4/IPv6) changes, a Commit is required to update the service route family to use.
5. Click OK.
6. Repeat steps 4 and 5 to configure source addresses for other external services.
7. Click OK.
Configure a PA-7000 Series Firewall for Logging Per Virtual System
Configure a PA-7000 Series Firewall Subinterface for Service Routes per Virtual System
4. (Optional) Enter a Comment.
5. On the Config tab, in the Assign Interface to Virtual System field, select the virtual system to which the LPC subinterface is assigned (from the drop-down). Alternatively, you can click Virtual Systems to add a new virtual system.
6. Click OK.
Configure a DNS Proxy Object
If your firewall is to act as a DNS proxy for a virtual system, perform this task to configure a DNS Proxy Object. The proxy object can either be shared among all virtual systems or applied to a specific virtual system.
Configure a DNS Proxy Object
Configure a DNS Server Profile
Perform this task to configure a DNS Server Profile, which simplifies configuration of a virtual system. The Primary DNS or Secondary DNS address is used to create the DNS request that the virtual system sends to the DNS server.
Configure a DNS Server Profile
Configure Administrative Access Per Virtual System or Firewall
If you have a superuser administrative account, you now have the ability to create and configure more granular permissions for a vsysadmin or deviceadmin role.
Create an Admin Role Profile Per Virtual System or Firewall
DNS Resolution: Three Use Cases
The firewall determines how to handle DNS requests based on where the request originated. This section illustrates three types of DNS resolution, which are listed in the following table. The binding location determines which DNS proxy object is used for the resolution. For illustration purposes, the use cases show how a service provider might configure DNS settings to provide DNS services for resolving DNS queries required on the firewall and for tenant (subscriber) virtual systems.
DNS proxy resolution for DNS client hosts connected to an interface on the firewall, going through the firewall to a DNS server, performed by the dataplane:
Binding: Interface
Service Route: Interface and IP address on which the DNS request was received.
Illustrated in Use Case 3
Use Case 1: Firewall Requires DNS Resolution for Management Purposes
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
Use Case 1: Firewall Requires DNS Resolution for Management Purposes
In this use case, the firewall is the client requesting DNS resolutions of FQDNs for management events such as software update services, dynamic software updates, or WildFire. The shared, global DNS services perform the DNS resolution for the management plane functions.
Configure DNS Services for the Firewall
Step 1: Configure the primary and secondary DNS servers you want the firewall to use for its management DNS resolutions.
You must manually configure at least one DNS server on the firewall or it will not be able to resolve hostnames; it will not use DNS server settings from another source, such as an ISP.
1. Select Device > Setup > Services > Global and Edit. (For firewalls that do not support multiple virtual systems, there is no Global tab; simply edit the Services.)
2. On the Services tab, for DNS, click Servers and enter the Primary DNS Server address and Secondary DNS Server address.
3. Click OK and Commit.
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
In this use case, multiple tenants (ISP subscribers) are defined on the firewall and each tenant is allocated a separate virtual system (vsys) and virtual router in order to segment its services and administrative domains. The following figure illustrates several virtual systems within a firewall.
Each tenant has its own server profiles for Security policy rules, reporting, and management services (such as email, Kerberos, SNMP, syslog, and more) defined in its own networks.
For the DNS resolutions initiated by these services, each virtual system is configured with its own DNS Proxy object to allow each tenant to customize how DNS resolution is handled within its virtual system. Any service with a Location will use the DNS Proxy object configured for the virtual system to determine the primary (or secondary) DNS server to resolve FQDNs, as illustrated in the following figure.
Configure a DNS Proxy for a Virtual System
If you use two separate DNS server profiles in the same DNS Proxy object, one for the DNS Proxy and one for the DNS proxy rule, the following behaviors occur:
If a service route is defined in the DNS server profile used by the DNS Proxy, it takes precedence and is used.
If a service route is defined in the DNS server profile used in the DNS proxy rules, it is not used. If the service route differs from the one defined in the DNS server profile used by the DNS Proxy, the following warning message is displayed during the Commit process:
Warning: The DNS service route defined in the DNS proxy object is different from the DNS proxy
rules service route. Using the DNS proxy objects service route.
If no service route is defined in any DNS server profile, the global service route is used if needed.
Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
In this use case, the firewall is located between a DNS client and a DNS server. A DNS Proxy on the firewall is configured to act as the DNS server for the hosts that reside on the tenant's network connected to the firewall interface. In such a scenario, the firewall performs DNS resolution on its dataplane.
For dataplane DNS resolutions, the source IP address from the DNS proxy in PAN-OS to the outside DNS server would be the address of the proxy (the destination IP of the original request). Any service routes defined in the DNS Server Profile are not used. For example, if the request is from host 1.1.1.1 to the DNS proxy at 2.2.2.2, then the request to the DNS server (at 3.3.3.3) would use a source of 2.2.2.2 and a destination of 3.3.3.3.
Configure a DNS Proxy and DNS Proxy Rules
Virtual System Functionality with Other Features
Many of the firewall's features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual systems are mentioned in other relevant locations in the documentation and that information is not repeated here. Some of the specific chapters are the following:
If you are configuring Active/Passive HA, the two firewalls must have the same virtual system capability (single or multiple virtual system capability). See High Availability.
To configure QoS for virtual systems, see Configure QoS for a Virtual System.
For information about configuring a firewall with virtual systems in a virtual wire deployment that uses subinterfaces (and VLAN tags), see the Virtual Wire Subinterfaces in Interface Deployments.
Enable FIPS and Common Criteria Support
Use the following procedure to enable FIPS-CC mode on a software version that supports Common Criteria and the Federal Information Processing Standards 140-2 (FIPS 140-2). When you enable FIPS-CC mode, all FIPS and CC functionality is included.
When you enable FIPS-CC mode, the firewall will reset to the factory default settings; all configuration will be removed.
Enable FIPS-CC Mode
Step 1: Boot the firewall into maintenance mode as follows:
1. Establish a serial connection to the console port on the firewall.
2. Enter the following CLI command:
debug system maintenance-mode
3. Press Enter to continue.
You can also reboot the firewall and enter maint at the maintenance mode prompt.
Step 4: When prompted, select Reboot.
After successfully switching to FIPS-CC mode, the following status displays: FIPS-CC mode enabled successfully. In addition, the following changes will take place:
FIPS-CC will display at all times in the status bar at the bottom of the web interface.
The console port functions as a status output port only.
The default admin login credentials change to admin/paloalto.
FIPS-CC Security Functions
When FIPS-CC mode is enabled, the following security functions are enforced:
To log in to the firewall, the browser must be TLS 1.0 (or later) compatible. On a WF-500 appliance, you manage the appliance using the CLI only and you must connect using an SSHv2-compatible client application.
All passwords on the firewall must be at least six characters.
You must enforce a Failed Attempts and Lockout Time (min) value that is greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
You must enforce an Idle Timeout value greater than 0 in authentication settings. If a login session is idle for more than the specified value, the account is automatically logged out.
The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
Unapproved FIPS/CC algorithms are not decrypted and are thus ignored during decryption.
When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
Self-generated and imported certificates must contain public keys that are either RSA 2048 bits (or more) or ECDSA 256 bits (or more) and you must use a digest of SHA-256 or greater.
The serial console port is only available as a status output port when FIPS-CC mode is enabled.
Telnet, TFTP, and HTTP management connections are unavailable.
High availability (HA) port encryption is required.