Paloalto Note 3


Facebook application) - it means you will block Facebook Chat or Facebook Mail while allowing Facebook browsing

4- Content-ID - allow or block policy based on content; e.g. credit card details, insurance numbers, or custom content you define with a regular expression

5- Live malware protection - WildFire, and signature creation based on analysis

6- User-ID - policy based on user identity, and many more new services


  o Variables can be used to replace device-specific information, such as IPs, IP ranges, FQDNs and interface-specific information.
  o The value of a variable can be overridden by the value in the template stack.
  o Max number of variables per template is 4,096
  o Max number of variables per template stack is 8,192
  o These new variables also work with PAN firewalls running 8.0 or earlier versions.
• To create a variable and a default value, navigate to Panorama > Templates > Add (interface template example)
  o Create a new template; confirm the interface template is selected
  o Navigate to Network > Interfaces
  o Select the template you created
  o Add Interface; select the slot interface (slot 1 by default) and the interface type (L3 in this example)
  o Click IPv4, then Add to add an IP
  o Select Variable (green X on the bottom of this box)
  o Give it a name (such as $Inside_IP), assign it an IP (such as 10.0.1.1/24), and select OK
• To assign a device-specific value to a variable, navigate to Panorama > Managed Devices > Summary
  o For the specific firewall, click 'Create' under the Variables column
  o The 'Create Device Variable Definition' window appears
  o Keep the button on 'No' for the cloning option, and click OK
  o The 'Template Variables for Device (name)' window is shown
  o Select 'Inside IP' and click 'Override'
  o Enter the override IP in the new window that appears for the variable
  o Repeat on other devices as needed
  o Commit and push to devices when completed and ready to push out

Features of Palo Alto:

1- First of all, the "next generation" term (a marketing term) was first introduced by Palo Alto Networks, and they really do have some next-gen features

2- App-ID: traffic is classified based on application (e.g. Facebook is classified as an application, and you control Facebook not by URL but by Palo Alto signature)

3- Signature decoder: this helps detection of an application inside another application (evasive applications tunnelling through popular applications, or "Facebook Chat" inside
• Common template deployment scenarios can include:
  o Function: Sales/Marketing/Support
  o Departments: Dev/QA/Tech
  o Geographic: World/Region/Country/State/City
Create and Configure Templates
For this example, we are configuring an interface in a template
• Navigate to: Panorama > Templates > Add
  o Add the information for the template (name and description)
• To create a new interface to add, navigate to: Network > Zones
  o Select the template you created
  o Add the zones for this template
• Templates can be cloned and altered for granular configurations based on the deployment scenarios and network designs
  o Cloned templates will NOT have any devices attached; they will need to be added manually.
• To create a stack, navigate to: Panorama > Templates
  o Click 'Add Stack'
  o Create a name, select the VSYS, and add a description.
  o Select the templates by clicking Add in the Templates section
  o (update by /u/stangri-la) Be sure to add them in the hierarchy they will be applied in. Lower listed templates will overwrite lower listed template settings.
  o Select the firewalls on the bottom right that the stack will be applied to.
• To push the template stack to a device or devices:
  o Navigate to: Commit > Push to Devices > Edit Selections
  o A checkbox on the bottom, 'Force Template Values', is unchecked by default; selecting this checkbox will force-overwrite any values that are already configured locally on the firewall with the template/stack's configuration push.
• Local devices can be set to keep local values from being overwritten
  o On the device settings, the green gear on a configuration window can be selected, and locally applied settings put in place. This superimposes an orange wheel over the green gear, showing that a local override has been put in place.
    ▪ These settings can be replaced by Panorama, but this should be done with care, as local values being overwritten can impact the function of devices.
• Device server profiles can be configured in templates under Device > Server Profiles
Template Variables
• An example of this will assume:
  o Deploy firewalls that have an internal IP of 10.0.*.1
  o The asterisk will be set for each FW
  o In Panorama 8.0, 255 templates would be needed
  o In Panorama 8.1, a few templates and 1 stack will do the same function.
• Using the above example, use the template variable $IP_Variable
• Add a temporary route entry for a monitored path to make the response fail on the upstream router
Panorama 8.1: Manage Firewalls at Scale (EDU-120)
Panorama: Templates
Note: in my personal opinion, the information here could have been better organized and presented. I'm sticking with notes from the section, but I think that this could have been streamlined and presented in a different method.

Purpose of Templates
• Templates are data objects that hold settings for network devices
• When working under the Network and Device tabs in Panorama, a specific template must be chosen where settings will be stored.
• Template stacks can be formed from individual templates, up to 8 layers
  o Settings in each layer are inherited downward
  o (update by stangri-la) If there is a settings conflict, a lower layer will overwrite it.
  o Settings most commonly shared are generally put higher in the stack.
  o Individual templates can be used in multiple stacks.
  o Firewall settings in a stack must be complete
    ▪ Example: an interface must have all settings configured
• Steps to push common parameters to a device
  o Create a template, then store the common settings/configuration parameters there
  o Create a template stack, then add templates to the stack
  o Push the stack to a device
• Stacks are:
  o An ordered list of templates
  o All settings in a template stack are pushed to a managed device
  o Firewalls are assigned to one template stack
    ▪ Max of 8 templates per stack
  o Panorama 8.0+ supports up to 1024 template stacks
  o When pushing updates to a device, Panorama pushes the updated template settings to the firewall, and the firewall then executes a local commit to apply them
• A template stack example:
  o Template One (worldwide)
    ▪ Logging profile settings
    ▪ Administrator accounts
  o Template Two (country)
    ▪ SNMP, Syslog, DNS, service routes
  o Template Three (local)
    ▪ Interface settings
  o The above templates will be ordered: Worldwide -> Country -> Region
    ▪ Country values will override the local settings, as it is higher in the template stack.
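A small model, added here and not Palo Alto's code, of how these notes describe Panorama resolving one setting for one firewall: the template higher in the stack wins a conflict (as in the Worldwide -> Country -> Local example), a device-specific variable override beats the stack value and the template default, and a local override survives unless 'Force Template Values' is set. The precedence order is this model's assumption, and every setting name, serial and address below is constructed.

```python
# Added example (not Palo Alto's code): a model of template-stack and variable resolution.
# Assumptions: top of stack wins a settings conflict; variable lookup order is
# device override > stack value > template default (top down). All values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_TEMPLATES_PER_STACK = 8      # limit quoted in the notes
MAX_VARS_PER_TEMPLATE = 4096     # limit quoted in the notes
MAX_VARS_PER_STACK = 8192        # limit quoted in the notes


@dataclass
class Template:
    name: str
    settings: Dict[str, str] = field(default_factory=dict)   # setting -> value or "$variable"
    variables: Dict[str, str] = field(default_factory=dict)  # "$variable" -> default value


@dataclass
class TemplateStack:
    name: str
    templates: List[Template]                                # index 0 is the top of the stack
    variables: Dict[str, str] = field(default_factory=dict)  # stack-level variable values


@dataclass
class Firewall:
    serial: str
    variable_overrides: Dict[str, str] = field(default_factory=dict)  # set per device in Panorama
    local_overrides: Dict[str, str] = field(default_factory=dict)     # "orange wheel" local values


def resolve_variable(name: str, stack: TemplateStack, fw: Firewall) -> str:
    """Device-specific override > template stack value > first template default (top down)."""
    if name in fw.variable_overrides:
        return fw.variable_overrides[name]
    if name in stack.variables:
        return stack.variables[name]
    for t in stack.templates:
        if name in t.variables:
            return t.variables[name]
    raise KeyError(f"{name} has no default value in stack {stack.name}")


def validate_stack(stack: TemplateStack) -> None:
    """Enforce the size limits from the notes and require a default for every variable used."""
    if len(stack.templates) > MAX_TEMPLATES_PER_STACK:
        raise ValueError(f"{stack.name}: max {MAX_TEMPLATES_PER_STACK} templates per stack")
    for t in stack.templates:
        if len(t.variables) > MAX_VARS_PER_TEMPLATE:
            raise ValueError(f"{t.name}: max {MAX_VARS_PER_TEMPLATE} variables per template")
    total = len(stack.variables) + sum(len(t.variables) for t in stack.templates)
    if total > MAX_VARS_PER_STACK:
        raise ValueError(f"{stack.name}: max {MAX_VARS_PER_STACK} variables per stack")
    for t in stack.templates:
        for value in t.settings.values():
            if value.startswith("$"):
                resolve_variable(value, stack, Firewall("validation"))  # raises if no default


def resolve_setting(key: str, stack: TemplateStack, fw: Firewall,
                    force_template_values: bool = False) -> Optional[str]:
    """Value the firewall ends up with after a push of this stack.

    A local override survives unless 'Force Template Values' is selected; otherwise the
    first template (from the top of the stack) that defines the key wins.
    """
    if not force_template_values and key in fw.local_overrides:
        return fw.local_overrides[key]
    for t in stack.templates:
        if key in t.settings:
            value = t.settings[key]
            return resolve_variable(value, stack, fw) if value.startswith("$") else value
    return None  # not managed by this stack; the firewall keeps whatever it has


def render_push(stack: TemplateStack, fw: Firewall,
                force_template_values: bool = False) -> Dict[str, str]:
    """Every setting the stack would push to one firewall, with variables substituted."""
    keys = {k for t in stack.templates for k in t.settings}
    return {k: resolve_setting(k, stack, fw, force_template_values) for k in sorted(keys)}
```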
  o Network connectivity between the MGT interfaces of the HA peers
  o Validate that the URL database and dynamic update versions are identical
  o Validate that both members will have communication to all managed devices
• To create a Panorama HA pairing (configure)
  o Define the primary and secondary devices
    ▪ Navigate to Panorama > High Availability > Setup
    ▪ Click to enable HA, and enter the peer IP address
    ▪ (optional) Encryption can be set. Recommended if the Panorama peers are in different physical locations.
    ▪ If using encryption, the HA keys must match. Before enabling encryption, export the key from one device and import it to the other.
    ▪ HA uses TCP port 28 when encryption is enabled, and port 28769 when encryption is not used.
    ▪ Set the monitor hold time (in milliseconds). This is the wait time until fail-over is triggered.
  o Enable HA, configure heartbeat settings, enable path groups
• To create a Panorama HA pairing (commit)
  o Commit changes
  o When the commit is completed, any previous config on the secondary will be overwritten and lost
• HA fail-over can occur when:
  o Hello/heartbeat messages fail
  o A heartbeat is sent every 1000 ms (1 s).
  o A hello message is sent every 5000 ms (5 s) (default)
  o NOTE: The module says in text that the hello message defaults to 5000 ms; however, the audio states that the timeout is 1000 ms, and the knowledge check question at the end of the module also says that it is 1000 ms. I have reached out to my PAN SEs and local reps on this one to ask if this can be corrected by PAN's Education department.
• Path monitoring (optional)
  o This is done by monitoring remote IPs for connectivity
  o Done using ICMP ping messages
  o Examples can include routers, switches, servers or other devices
  o Path-monitoring fail-over can be configured on an 'any' or 'all' failure type.
• HA timers can be adjusted to account for latency of network response times
  o Configured under Panorama > High Availability > Election Settings
  o HA timer settings can be set manually by selecting Advanced.
• Status can be seen by adding a widget to the dashboard; it is also available in the log files.
• Validate that HA fail-over is configured properly
  o Schedule a PM window and simulate a fail-over
    ▪ Physically unplug the cable to the Panorama device
    ▪ Shut down the switchport it is connected to
  o Updates can only be done one at a time; stagger the updates to ensure that they will complete.
• GlobalProtect can be centrally managed and updated in Panorama
• The options and configuration are available under: Panorama > Device Deployment > GlobalProtect Client
  o Select the version to download to Panorama.
  o When downloaded, this version can be activated, and then specific firewalls can be selected to push the update to.
Manage Panorama and Firewall Configuration Backups
• Under Panorama > Setup > Operations, the export options for the configuration of Panorama are listed.
  o Export Named Panorama Configuration Snapshot exports the current running config, the candidate config, or a previously imported config
  o Export Panorama Configuration Version exports a specified version.
  o Export Panorama and Devices Config Bundle exports Panorama and all firewall configurations
  o Export or Push Device Config Bundle (see the transition section above in this chapter for details)
• A scheduled export can be configured for automatic backups
  o Navigate under Panorama > Scheduled Config Export
  o Export can be scheduled once per day
  o FTP and SCP options are supported
    ▪ FTP passive mode can be selected from the checkbox if active mode is having issues.
  o If using anonymous for the username, do not specify a password.
• When a commit is done on a local firewall, a backup is sent to Panorama automatically.
• By default, Panorama stores up to 100 previous configurations.
  o These can be viewed under: Panorama > Managed Devices > Summary
Panorama: High Availability
Configuration and Deployment of Panorama HA
• Benefits of HA:
  o Redundant systems ensure continuation of services if one system fails
• Priority and fail-over
  o The HA pair is set as Active/Passive
  o The active device handles all the configuration changes and pushes to the firewalls
  o The passive device receives synchronization updates from the primary so it is current if the primary fails
  o The passive device cannot update devices
  o In a fail-over event where the active Panorama system cannot communicate with the secondary, the active appliance monitors whether the FWs are still connected to the primary system. If the passive system takes over control of devices, the active system sets itself to passive and lets the secondary become active.
• To create a Panorama HA pairing (prepare):
  o Validate that the Panorama systems are the same model, storage capacity, PAN-OS version and mode
  o Determine the OS version both on the firewall and on Panorama
  o Panorama must be running the same or a later version of PAN-OS than is on the firewall
  o Plan out the device group hierarchy and template deployment
    ▪ Reduced redundancy
    ▪ Streamlined management of shared settings
  o Identify any configuration that needs to be managed locally
    ▪ Normalize zone names
• High-level sequence to add firewalls to Panorama:
  o Add a new device
  o Import the configuration
  o Fine-tune the configurations
  o Push the device state (config bundle)
  o Commit the device groups and templates.
    ▪ Note: this process replaces some or all of the firewall's configuration with the config managed by Panorama.
• In an HA pair, further considerations are needed:
  o Disable Config Sync under Device > High Availability > General > Setup
  o Add each firewall into Panorama
  o After the import and configuration within Panorama, add both firewalls to the same device group and template stack.
• Steps to add:
  o Join the firewall to Panorama as a managed device
    ▪ Do not add the FW to any device groups or templates yet.
  o Import the device configuration to Panorama; this is done under Panorama > Setup > Operations > Configuration Management
    ▪ The import does not impact the config; it makes a copy of the configuration in Panorama
    ▪ Update the device group and template configurations as needed or desired for standardization.
  o Local configuration is removed
  o Zone names are updated (if needed)
  o Configuration data may be moved to different device groups or templates
  o Shared object names are changed where conflicts exist
  o Push the configuration to the firewall; this will remove all policy rules and objects from the local configuration
    ▪ Export or push device config bundle
    ▪ Note: the firewall cannot be added to a device group or template before the export/push of the device config bundle, as Panorama would error with duplicate object names.
Upgrade PAN-OS Software and Perform Dynamic Updates
• Panorama can manage software upgrades from a central location
• To see the options available, navigate to: Panorama > Device Deployment > Software
  o In this section, the software can be downloaded to Panorama and then pushed to firewalls.
  o The options include:
    ▪ Upload only (do not install)
    ▪ Install, and reboot after install
• The application and content-ID updates can also be centrally managed and distributed with Panorama
• The options and configuration are available under: Panorama > Device Deployment > Dynamic Updates
  o A manual update/push can be done
  o A scheduled download/push can be done
  o A list of all devices and the location of the changes is shown.
    ▪ Validate Device Group Push will do a full validation of all device configuration
    ▪ Validate Template Push will validate that the templates are valid and no errors are present
    ▪ 'Edit Selections' lets you edit which changes are pushed to which devices. Useful if pushing to a single location, a test device, or all but a single device
    ▪ Edit Selections allows you to be very detailed in what is pushed where.
    ▪ Options include 'merge with device candidate config', 'include device and network templates', and 'force template values'.
    ▪ 'Force template values' will override any locally corrected values on the target
  o When a push is started, a status window will display the status.
  o Selecting the link under 'Type' will show the status of the commit function.
  o A Panorama server will commit one at a time; while multiple commits can be made, they will be queued and run in series.
Panorama: Adding Firewalls to Panorama
Adding New Firewalls to Panorama
• Configure the new firewall to connect to Panorama
  o On the firewall's web interface, navigate to: Device > Setup > Management > Panorama Settings
  o Enter the MGT IP of the primary Panorama appliance (and its HA peer)
  o Options on this page can be set to allow/disallow Panorama to manage policy and objects, and network templates.
• Add the FW's serial number to Panorama
  o On the Panorama interface, navigate to: Panorama > Managed Devices > Summary > Add
  o Add the device(s) serial numbers, and click OK
    ▪ On the Summary page after adding, the 'Group HA Peers' button can be selected to group HA firewalls. If this is unchecked, each firewall is individually displayed.
  o Device tagging can be used to help identify specific firewalls in large deployments. Navigate under: Panorama > Managed Devices > Summary > Tag
  o Communication between devices can be secured. Navigate to: Panorama > Setup > Management > Secure Communication Settings
    ▪ Communication will be handled by either a predefined or a local certificate
• Commit all changes
  o Changes must be committed on both the local firewalls and on the Panorama device.
• Panorama can manage all licenses on managed devices. This can be viewed under: Panorama > Device Deployment > Licenses
  o License status and expiration dates can be seen
  o New licenses can be added with the 'Activate' option and an activation code.
  o A license can be deactivated on one device and activated on another (limited on some, depending on the license type).
Transition a Firewall to Panorama Management
• Prior to migrating a firewall, the following options must be done:
• Services need to be configured for accurate function
  o DNS and NTP servers should be set; validate that they can be reached
  o Panorama can be configured with a proxy server for outbound internet access
• SNMP (optional) can also be configured
  o MIBs from PAN are required for an SNMP manager
  o These can be downloaded from the PAN website.
• Legacy mode (VM mode) provides a single enabled interface, including management.
  o This mode is generally not recommended unless needed for a specific deployment
  o The management profile should be configured for this interface to allow management connections
  o This is configured under Panorama > Setup > Interfaces > Management
  o If using SNMP, be sure to select SNMP in the management profile.
• Network segmentation can improve security and reduce congestion.
  o Multiple interfaces (non-legacy) can be used for different network segments
  o Device management and device log collection can be set on different interfaces; this is set under the interface configuration at:
    ▪ Panorama > Setup > Interfaces > Ethernet1/x
  o An example configuration for multiple interfaces could be:
    ▪ E1/1: Management, log and query (perimeter firewalls)
    ▪ E1/2: Management traffic, for managing, updating and configuration (perimeter firewalls)
    ▪ E1/3: Device updates for content, software upgrades, etc. (all firewalls)
    ▪ E1/4: Management, log and query (DC/colo firewalls)
    ▪ E1/5: Management traffic, for managing, updating and configuration (DC/colo firewalls)
    ▪ This is useful for helping to balance the traffic so interfaces aren't tapped out.
Describe the Commit Process
• The commit process starts with clicking 'Commit' in the top right corner of the page:
  o Commit to Panorama will save the candidate configuration changes to the Panorama config.
  o Push to Devices will push the configuration to managed devices
  o Commit and Push will perform both functions at once.
• In the Commit to Panorama window, there is the option to commit all changes, or to commit only the changes made by the specific administrator
  o A Preview Changes option is available to see what the changes will be
  o A Change Summary will provide a summary of changes
  o Validate Commit will validate the full configuration with changes, but not write the new config
  o An optional (but recommended) description field is available. Putting brief notes stating what changes are being made is recommended
• In the Push to Devices window:
    ▪ Responds to queries from Panorama servers
  o Management Only mode
    ▪ Only functions as a device manager
    ▪ No log collection
• Requirements for each mode in a VM are:
  o Legacy:
    ▪ 4 CPUs, 4 GB RAM, max of 8 TB of storage
  o Panorama:
    ▪ 8 CPUs, 32 GB RAM, max of 24 TB of storage
  o Log Collector:
    ▪ 16 CPUs, 32 GB RAM, max of 24 TB of storage
  o Management Only:
    ▪ 4 CPUs, 8 GB RAM, no storage needed beyond the OS disk.
Panorama: Initial Configuration

Register and License

• Register the devices under the 'Assets' tab on the support website, under 'Devices'
• Provide the serial number from the fulfillment paperwork, or from the dashboard of the Panorama device
  o For the VM-Series, select the 'VM-Series' option, and enter the VM auth code
• After licensing, connect to the console to perform the initial management interface configuration
  o or
    ▪ Connect to the web interface at the default IP of 192.168.1.1
• A self-signed cert will be used on SSL connections
  o This can be replaced with a certificate issued by a CA
• When registering a Panorama VM, it will provide a serial number on the registration page.
  o Add this SN to the device under: Panorama > Setup > Management > General Settings
  o Note that physical appliances will already have this present.
• A valid support and capacity license is required.
  o The licenses can be retrieved or added under: Panorama > Licenses > License Management
  o Licenses can manage up to 25, 100, or 1000 devices, depending on the license purchased.
  o If no path to the license server is available, then the licenses can be activated manually via phone, or by generating an authorization code from the support website.
• Panorama supports 3rd-party plugins.
  o These can be managed under: Panorama > Plugins
Perform Initial Config of Interfaces and Services
    ▪ This device is generally deployed as a dedicated log collector, with a VM Panorama management device to administer it.
  o M500
    ▪ Intel Xeon 6-core CPU
    ▪ 128 GB DDR4 / 240 GB SSD
    ▪ Up to 24 TB storage for logs. Default is 4 TB
    ▪ Deployed as a pair, this can service a busy PA-7000 in HSFM (high speed forwarding mode).
    ▪ This device is generally deployed as a dedicated log collector, with a VM Panorama management device to administer it.
  o M600
    ▪ 2 Intel Xeon 14-core CPUs
    ▪ 256 GB DDR4 RAM / 240 GB SSD
    ▪ Up to 48 TB storage for logs; default is 16 TB
    ▪ This device is used for large enterprises, or can be dedicated to a single location that processes a large amount of log entries.
• Panorama modes (physical)
  o Panorama mode
    ▪ Manage devices
    ▪ Collect logs
  o Log Collector mode
    ▪ Collects logs
    ▪ Responds to queries from Panorama servers
  o Management Only mode
    ▪ Only functions as a device manager
    ▪ No log collection
• Panorama modes (VM)
  o Legacy mode
    ▪ Manage devices
    ▪ Collects logs
    ▪ Legacy does not support the logging/reporting enhancements made in 8.0+
    ▪ This mode is available only when a Panorama VM is upgraded to 8.1
    ▪ If a legacy device is changed to another mode, it cannot be changed back to Legacy.
    ▪ On a fresh install of 8.1, this mode is not available.
    ▪ 8.1 supports only the 3 modes below
  o Panorama mode
    ▪ Manage devices
    ▪ Collect logs
  o Log Collector mode
    ▪ Collects logs
    ▪ Direct log collection (known as Panorama mode).
    ▪ Performs both device management and log collection
  o Distributed deployment
    ▪ Log collection is directed to log collectors.
    ▪ Panorama maintains management of the firewalls (policy management)
    ▪ Panorama will query the log collectors to gather data for centralized log views
    ▪ The log collector will respond to the query with a report of the data requested, not the data itself.
    ▪ The log data stays on the collector and is not transferred to the Panorama server in this setup.
    ▪ This can also be done with the cloud logging service, which Panorama can query.
  o Panorama devices deployed in HA pairs must be the same version and type.
    ▪ Configured as HA
    ▪ Synced automatically
    ▪ The active platform is responsible for communication to devices.
• Panorama can be run as a cloud service to manage cloud-based VM systems.
  o VM systems include:
    ▪ VM-Series firewall
    ▪ Panorama virtual appliance
    ▪ Virtual dedicated log server
    ▪ 8.1 VM systems are supported on Azure and AWS
Describe the Panorama Platforms
• These devices can be deployed in different ways depending on the environment:
  o Management appliance
    ▪ Configuration
    ▪ Device management
  o Log collector
    ▪ Aggregated collection
    ▪ Query servicing
  o Can be deployed as both in a single system, to scale distributed environments
• Models:
  o M100
    ▪ Intel Xeon 4-core CPU
    ▪ 32 GB DDR3 / 120 GB SSD
    ▪ Up to 8 TB storage; default is 2 TB
    ▪ Can be deployed as a management appliance or log collector
  o M200
    ▪ Intel Xeon 8-core CPU
    ▪ 128 GB DDR4 / 240 GB SSD
    ▪ Standard 16 TB RAID storage for logs
• States of the individual members can be added as a widget on the Dashboard
  o Add under Dashboard > Widgets > System > High Availability
  o This will show the status at a glance
    ▪ Green: Good
    ▪ Yellow: Warning (normal state for a standby firewall in an A/P pair)
    ▪ Red: Error to be resolved
    ▪ When an HA pair is initially formed, a manual sync will need to be done. This screen can initiate a 'Sync to Peer' push.
  o The System Log will show the events in an HA pair negotiation.

Panorama Overview
Describe the Panorama Solution
• Provides central management for multiple PAN NGFWs
• Features of Panorama include:
  o Device administration
    ▪ Allows role-based access control (RBAC) for specific controls, or specific firewalls
  o Templates and device groups
    ▪ Streamline configuration
    ▪ Prevent duplicating items (and work)
  o Software / content / license updates
    ▪ Schedules updates to push content updates and software upgrades to all PAN managed devices
  o Local policy and config
    ▪ Allows local firewall admins to manage their own firewalls
  o User-ID data
    ▪ Panorama can provide a centralized place for User-ID collection and distribution to PAN firewalls
  o Report data
    ▪ Summary data is gathered and sent to the Panorama server every 60 minutes
Providing an Overview of the Deployment Design of Panorama
• Flexible deployment options
  o Selecting an appliance for your environment
    ▪ Options available include
  o Basic deployment
  o A backup link can be configured using an in-band port
• Configure the data link
  o If available, configure it on the HA2 link
  o If using in-band and the peer is on a different subnet, add a gateway
  o An HA2 keepalive can also be configured.
    ▪ To prevent split-brain, use the action 'log only'
  o Select 'session synchronization' to ensure sessions are synced
  o A backup data link can also be configured
• Election settings
  o Device priority can be set if one should be preferred to be the primary
  o (correction provided by /u/stangri-la) Preemptive can be set if a specific firewall should be primary if available. The firewall with the lower numerical value has the higher priority and will be primary if both are active and pre-empt is set.
  o The HA timer can be changed; however, leave it at the recommended value unless there is a specific reason for change.
    ▪ (Optional) set the passive link state to auto
• Link monitoring (optional)
  o Configured under Device > High Availability > Link and Path Monitoring
    ▪ Different link groups can be configured with different failure conditions
    ▪ Example: critical links can force a failover if any of the links fail. Other links can be set to fail over only if all links fail (aggregate interfaces, which would likely be a switch failure, for example).
• Path monitoring (optional)
  o Configured under Device > High Availability > Link and Path Monitoring
  o Options for a VWire path, VLAN path and/or a virtual router path.
    ▪ A VWire will need a source and destination IP
    ▪ Virtual router monitoring does not need a source, as a route lookup will be done to determine the source.
Monitoring HA State
• During boot, a FW looks for an HA peer; after 60 seconds, if a peer hasn't been discovered, the FW will boot as active.
• If a peer is found, it will negotiate with the peer
  o If preempt is active, determine who has the highest priority; this FW becomes active.
• If a FW is in a suspended state, it will not participate in an HA election
• States an A/P FW can be in are:
  o Initial - transient state when it joins an HA pair
  o Active - normal state, primary and processing traffic
  o Passive - normal traffic is discarded; may process LLDP and LACP traffic
  o Suspended - administratively disabled
  o Non-functional - the FW is non-functional and will need to have the issues resolved before it can return to service.
  o High Speed Chassis Interconnects (HSCI) are used as the primary and backup data links
    ▪ If the distance is beyond the scope of the HSCI ports, in-band ports can be used.
• HA firewalls can be set with a device priority to indicate a preference for which should be active.
  o Enable pre-empt on both firewalls if you want one firewall to become the active firewall when it is available/brought online.
• Failure detection
  o Hellos and heartbeats confirm responsiveness and availability
  o Link groups can be configured to validate that interfaces are up
  o Path groups can monitor remote IPs to validate reachability
  o These items can be configured for any/all failure conditions.
  o Internal health checks are done to validate that the hardware is healthy
• HA timers
  o HA timers enable the firewall to detect failures and fail over
  o Timer profiles simplify setting HA timer settings
  o Advanced enables individual timer modification
• HA heartbeat on the management port
  o Helps to prevent split-brain
  o Split-brain happens when a non-redundant control link goes down
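A model, added here and not Palo Alto's code, of the A/P election and failure-detection rules in the notes above: boot active if no peer is seen within 60 seconds, a suspended unit never takes part, the lower priority value wins when pre-empt is on both units, link/path groups fail on an any/all condition, and a passive unit that still hears the peer on the MGT-port heartbeat does not go active when only the control link is lost. The tie-break for equal priorities, the hold-time parameter and all names and addresses are assumptions or constructed values.

```python
# Added example (not Palo Alto's code): A/P HA election and failure detection as the notes
# describe them. Assumptions: equal priorities leave the already-active peer active; the
# hold time for lost hellos is a parameter; all member names and IPs are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class HAState(Enum):
    INITIAL = "initial"                  # transient, joining the pair
    ACTIVE = "active"                    # processing traffic
    PASSIVE = "passive"                  # discards normal traffic (may do LLDP/LACP)
    SUSPENDED = "suspended"              # administratively disabled, no election
    NON_FUNCTIONAL = "non-functional"    # needs the fault resolved before returning


@dataclass
class HAPeer:
    name: str
    priority: int                        # lower number = higher priority
    preempt: bool = False
    state: HAState = HAState.INITIAL


@dataclass
class MonitorGroup:
    """A link group or path group with its any/all failure condition."""
    name: str
    condition: str                       # "any" or "all"
    members: Dict[str, bool] = field(default_factory=dict)   # member -> is up?

    def failed(self) -> bool:
        if not self.members:
            return False
        down = [m for m, up in self.members.items() if not up]
        return bool(down) if self.condition == "any" else len(down) == len(self.members)


PEER_DISCOVERY_TIMEOUT_S = 60            # from the notes: boot active if no peer within 60 s


def boot_election(fw: HAPeer, peer: Optional[HAPeer],
                  peer_seen_after_s: Optional[float]) -> HAState:
    """State this firewall settles into after boot."""
    if fw.state == HAState.SUSPENDED:
        return fw.state                                      # suspended units do not take part
    no_peer = (peer is None or peer_seen_after_s is None
               or peer_seen_after_s > PEER_DISCOVERY_TIMEOUT_S
               or peer.state == HAState.SUSPENDED)
    if no_peer:
        fw.state = HAState.ACTIVE                            # no peer found: boot as active
        return fw.state
    if peer.state == HAState.ACTIVE:
        # Pre-empt must be enabled on both; the lower priority value takes over.
        if fw.preempt and peer.preempt and fw.priority < peer.priority:
            fw.state, peer.state = HAState.ACTIVE, HAState.PASSIVE
        else:
            fw.state = HAState.PASSIVE
    elif fw.priority < peer.priority:
        fw.state, peer.state = HAState.ACTIVE, HAState.PASSIVE   # both negotiating
    else:
        fw.state, peer.state = HAState.PASSIVE, HAState.ACTIVE   # tie goes to the peer (assumption)
    return fw.state


def active_self_check(active: HAPeer, passive: HAPeer, link_groups: List[MonitorGroup],
                      path_groups: List[MonitorGroup], hardware_healthy: bool = True) -> List[str]:
    """Failure conditions the active unit detects on itself; any of them hands over to the peer."""
    reasons = [f"{kind} group {g.name} failed ({g.condition})"
               for kind, groups in (("link", link_groups), ("path", path_groups))
               for g in groups if g.failed()]
    if not hardware_healthy:
        reasons.append("internal health check failed")
    if reasons and passive.state == HAState.PASSIVE:
        active.state, passive.state = HAState.NON_FUNCTIONAL, HAState.ACTIVE
    return reasons


def passive_peer_check(passive: HAPeer, hello_silence_ms: int, hold_time_ms: int,
                       backup_heartbeat_up: bool) -> Tuple[bool, str]:
    """Passive unit's decision when hellos stop arriving on the control link."""
    if hello_silence_ms < hold_time_ms:
        return False, "within hold time"
    if backup_heartbeat_up:
        # The peer still answers on the MGT-port heartbeat, so only the control link is down;
        # going active now would create a split-brain.
        return False, "control link lost but peer alive on backup heartbeat"
    passive.state = HAState.ACTIVE
    return True, "peer unreachable on all links: taking over"
```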
Active/Passive HA Configuration
 Prepare In-band Interface
o Set interface type as HA
 Configured under Device > High Availability
o Each section here can be configured depending on the needs of the deployment
 Enable HA A/P mode under Device > High Availability > General
o Select Mode (A/A or A/P)
o Matching Group ID's for the HA Pair
o Description (useful if configuring multiple HA configurations
o Check enable config sync to automatically sync any config changes to the peer
o Add the Peer IP address
 HIGHLY recommended to add a backup peer IP Address
 Configure the Control Link
o Under Device > High Availability > General
o Select the Control Link (HA1)
 Select management port or another configured in-band port
 MGT Port is recommended if a dedicated HA port is not available
 Add a gateway if the peer is in a different subnet
o Control link can be encrypted
 Private keys will need to be exported/imported from the certificate configuration
for this to function.
o Both firewalls are active and processing traffic
o Both individually maintain routing and session tables, sync'd to the other
o Is for use in Asyncronous routing deployments
o No increase in throughput/session tables
o Supported in V-Wire and L3 deployments
 HA Prerequisites
o Both firewalls must be running the same hardware or VM model
o Both firewalls must be running the same version PanOS
o Starting in 7.0, session syncing is an option when upgrading major and minor releases
o Updated and current Threat, URL and App DB's
o Same dedicated HA interfaces
o Licenses are unique to each FW; each needs matching licenses
o Matching Slot configurations (for chassis 5000/7000 series)
o VM's must be on the same hyper-visor, and have same number of CPU Cores
HA Components and Operations
 HA Control Link is L3 link that requires an IP address.
o Used to exchange heartbeats and hellos and HA state info
o Used to exchange routing and user ID information
o Active firewall uses this to exchange config change information
 HA Datalink is a L2 Link, but can be configured in L3 that requires and IP
o L3 is required if the data links are not on the same subnet
o In L2 mode, the Datalink uses ethernet type 0x7261
o The Datalink synchronize sessions, forwarding table, IPSec SA's and ARP tables in
the HA Pair
o Dataflow is unidirectional from the Active to Passive firewall.
 Some models have dedicated HA ports, other models will use MGT or other in-band ports
o Dedicated HA Ports are on 3000, 4000, 5000 and 7000 models
o HA1/HA2 ports can be directly connected via ethernet cable
o Recommended to use the MGT port as the control link
 Any in-band port used must be configured as type HA
 HA Backup Links are recommended for the control link, to prevent the FW's going into 'split-
brain' mode
o Backup links must be on separate physical ports
o Backup links must be in separate subnets as the primary backup links
 PA-7000 series mandates the use of specific ports on the Switch Management Card (SMC)
o HA1-A is the control link; connect to same port on the 2nd firewall (or through
switch/router)
o HA1-B is the backup control link; connect to same port on 2nd firewall (or through
switch/router)
o Backup control link cannot be configured on the MGT or NPC Data ports.
 IP of Manager
 Community Name
o V3
 Username
 IP Address
 EngineID (can get using OID 1.3.6.1.6.3.10.2.1.1.0)
 Auth Password (SHA)
 Private Password (AES)
Active / Passive High Availability
Overview
 2 firewalls can be configured in a High Availability pair
 HA Provides:
o Redundancy
o Business Continuity
o If one firewall fails, the second can continue service with little to no interruption
 HA options can be deployed as:
o Active/Passive: One active, one standby firewall
o Active/Active: Both Active, used in specific circumstances, such as asynchronous
routing setups
 Items Synchronized include:
o Networks
o Objects
o Policies
o Certificates
o Session Tables (not available on the PA-200)
 Items NOT Synchronized:
o Management Interface configuration
o HA Settings
o Logs
o ACC information
 For a consolidated application and log view, Panorama must be used.
 PA-200 only supports HA-Lite
o Lite is only available due to the low number of ports available on this model
 A/P Deployment
o Only one firewall is active
o One firewall synchronized and ready to process traffic
o No increase in session capacity or network throughput
o Supports VWire, Layer 2, and Layer 3 deployments
o A/P HA has a simple design, which eases implementation.
 A/A Deployment
 The Log forwarding profiles can be viewed under Device > Log Settings. These profiles are
only visible to the security policy rules for log forwarding.
Syslog
 Allows logs from different sources to be aggregated, compiled, analyzed and used to
generate reports.
 Syslog can be sent over:
o UDP (unsecured and unreliable)
o TCP (more overhead, reliable but unsecured)
o SSL (highest overhead, secured; authentication is required)
 Syslog Profiles can be created under Device > Server Profiles > Syslog
o Specify IP
o Transport type
o Set the port; defaults are:
 UDP: 514
 TCP: must be manually specified.
 SSL: 6514
o Format: BSD, Default, IETF
o Facility: Level of logging to send
 Syslog over TCP/SSL
o If the syslog server uses client auth:
 A local certificate is required
 The private key must also be available.
 This cannot be stored in a Hardware Security Module (HSM)
 Import an existing certificate (or)
 Create a self-signed certificate (or)
 Create a cert using a Windows cert server on your network
 Syslog custom format
o Under Device > Server Profiles > Syslog
o Create a custom log format based on criteria from your syslog server or custom needs
Configuring SNMP
 If the SNMP Manager is not on the MGT interface, then SNMP must be enabled on the
management profile where it is, and a service route added.
 Configure under Device > Setup > Operations > Miscellaneous > SNMP Setup
o Enter an OID and a mask to determine which parts of the MIB can be seen.
 1.3.6.1 mask 0xf0 to see everything
 .1 mask 0x80 to see more information.
o Under Users, select the View for the user; the username, auth password and privilege
password should match those in the SNMP Manager
o The Community string needs to match the string in the SNMP manager
 For SNMP Traps Profile:
o V2c
o Predefined reports are included with the FW, and can be run to generate reports on
commonly requested information
o Custom reports can be created using the Query Builder
o User or Group activity reports can show what users and groups access (must have
User-ID enabled and configured)
o Botnet reports can show systems that display behaviors noted with known botnets
o PDF Summary reports can help aggregate reports and export to PDF format for
reports and presentations
o Report Groups combine reports into a single emailed PDF document.
o SaaS Reports can be generated on all data over a specified timeframe, or based on a
certain group or application.
o Reports can be scheduled to run at a specific time
Log Forwarding
 Under the logs, a CSV file can be exported with a maximum of 65,535 rows.
o Limit can be changed by updating the Max Rows field in Device > Setup >
Management > Logging and Reporting Settings
 In Scheduled Log Export, the logs exported will be up to the last scheduled export.
 Logs can be forwarded with:
o Panorama
o HTTP
o Syslog SIEM
o SNMP Manager
o Email
 Panorama can be a log aggregator to generate reports based on all firewall traffic, push
updated policies, and monitor usage and security incidents
 Panorama comes as appliances or a VM:
o M100 - supports 8 terabytes
o M500 - supports 24 terabytes
o VM - supports ?? petabytes
 Logs can be configured to be sent to an external archive system (syslog / SIEM server)
o Define the remote logging destination
o Enable log forwarding for each type
 SNMP Trap servers, Syslog and Email log forwarding can be configured under: Device >
Server Profiles
 System log will contain information about changes to the device, failed logins and config
commits.
 Log forwarding is configured under Objects > Log forwarding
o The log objects that can be forwarded are broken down into categories: Traffic,
Threat, Wildfire, URL, Data, GTP, Tunnel and Authentication.
 Each security policy rule can have a log forwarding profile applied. Under the Actions tab,
the rule can be set to log at session start and/or end, and a log forwarding profile selected.
o The test VPN command can be used to test a VPN:
 IKE Phase 1 test: test vpn ike-sa gateway (name)
 show vpn ike-sa gateway (name) to check status
 IPSec Phase 2 test: test vpn ipsec-sa tunnel (name)
 show vpn ipsec-sa tunnel (name) to check status
 To validate traffic flow, use the 'show vpn flow' command.
 Troubleshooting from the responder side makes it easier to track down issues
o VPN error messages can include:
 Wrong IP - Incorrect IP in P1 config, or cannot communicate/route to the IP
 No matching P1/P2 proposal - double-check IKE/IPSec and encryption settings
 Mismatched Peer ID - Able to communicate, but Peer ID's do not match
 PFS group mismatch - Check/update the PFS DH Group
 Mismatched Proxy ID - generally caused by a mismatch with policy-based VPN's
o The System Log will log attempts and this can be used to troubleshoot the errors
Monitor and Reporting
Dashboard, ACC and Monitor
 Dashboard
o On the dashboard, individual widgets can be added and removed to have a
customized display
o A custom refresh counter can be set in the upper right hand corner.
 ACC
 Interactive graph of traffic and applications going through the firewall
 Threat graph shows the risk of traffic going through
 Custom Tabs can be added, with custom widgets to be added with information specific to
your network and security concerns.
 Filters
o Applied by using the funnel shaped icon in the top right corner of the widget
o Can be applied to a specific widget to set custom displays
o Persistent between reboots
o A global filter can be applied to all graphs in the ACC to help troubleshooting or trends
o Global Filters on the ACC are not persistent.
o Global filters can be applied in three methods:
 Select an attribute from a table in any widget, apply it as a global filter.
 Promote a local filter and elevate it to a global filter
 Use the global filters pane in the ACC
 Session Browser
o To see active sessions on the firewall, go under Monitor > Session Browser
 Reports
o Various reports can be accessed under Monitor tab
o Each Tunnel interface represents an individual tunnel connection
o Must be added to a security zone and a VR
o Does not require an IP address, but one is needed if the tunnel will participate in dynamic
routing protocols (OSPF, BGP) or if the tunnel monitor is enabled.
 Phase 2 IPsec Tunnel
o Configured under Network > IPSec Tunnel
o Name the Tunnel with a clear identifier
o Specify the IKE Gateway and IPSec Crypto Profile (also called 'phase 2 proposal')
o 'Show Advanced Options' checkbox will show further configuration items:
 Enable Replay protection - adds sequence numbers to packets so that replayed
captured packets sent to an IPSec device are discarded when their sequence
numbers are not the expected ones
 Tunnel Monitor - Only available if the Tunnel interface has an IP address.
Sends Ping traffic to a specified IP across the tunnel to validate the route/path is
valid.
 A monitor profile can be configured to send pings over the tunnel in an attempt to
restore the session, or to fail over to another routing path.
 Monitor profiles can be configured under Network > Network Profiles > Monitor
o The Proxy ID tab on the IPSec configuration page can be used to specify a local and
remote proxy ID if needed, and a specific protocol of allowed traffic can be set if
needed (TCP, UDP, Non-IP protocol number, or Any). By default, the proxy ID
is 0.0.0.0/0
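A mismatched proxy ID (the troubleshooting item above) means the Phase 2 selectors on the two peers do not mirror each other: our local must equal the peer's remote and vice versa, and protocol/ports must agree. This added check is not part of the notes or of PAN-OS; the subnets and the ProxyID fields are constructed for illustration.

```python
"""Added example (not from the notes): compare two peers' Phase 2 proxy IDs
and report any that do not pair up, before blaming crypto settings."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class ProxyID:
    local: str              # local subnet, e.g. "10.1.0.0/16" or the default "0.0.0.0/0"
    remote: str             # remote subnet
    protocol: str = "any"   # "any", "tcp", "udp" or a numeric IP protocol number
    local_port: int = 0     # 0 means any port (only meaningful for tcp/udp)
    remote_port: int = 0

    def normalized(self) -> Tuple[str, str, str, int, int]:
        # Normalize so "10.1.0.1/16" and "10.1.0.0/16" compare equal as subnets
        return (str(ip_network(self.local, strict=False)),
                str(ip_network(self.remote, strict=False)),
                self.protocol.lower(), self.local_port, self.remote_port)


def mirror(p: ProxyID) -> ProxyID:
    """What the other peer must configure to match p: local and remote swapped."""
    return ProxyID(p.remote, p.local, p.protocol, p.remote_port, p.local_port)


def proxy_id_mismatches(ours: List[ProxyID], theirs: List[ProxyID]) -> List[str]:
    """Return findings as text; an empty list means every proxy ID pairs up.

    A policy-based peer typically has one proxy ID per policy line, so a
    single 0.0.0.0/0 <-> 0.0.0.0/0 entry on our side will not match it."""
    their_set = {p.normalized() for p in theirs}
    our_set = {p.normalized() for p in ours}
    findings = []
    for p in ours:
        if mirror(p).normalized() not in their_set:
            findings.append(f"no peer proxy ID mirrors {p.local} -> {p.remote} ({p.protocol})")
    for p in theirs:
        if mirror(p).normalized() not in our_set:
            findings.append(f"peer proxy ID {p.local} -> {p.remote} ({p.protocol}) "
                            "has no local counterpart")
    return findings


if __name__ == "__main__":
    # Constructed sample: our route-based tunnel vs. a policy-based peer with two policies
    ours = [ProxyID("10.1.0.0/16", "192.168.50.0/24")]
    theirs = [ProxyID("192.168.50.0/24", "10.1.0.0/16"),
              ProxyID("192.168.60.0/24", "10.1.0.0/16")]
    for line in proxy_id_mismatches(ours, theirs):
        print(line)
```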
 Static Route for VPN
o Configured under Network > Virtual Routers > Add > Static Routes > IPv4
o Add the Static route remote destination network, specifying the tunnel interface of the
VPN
o A next hop is not required, but can be specified if needed
o Adjust the admin distance or metric if needed
o This step is not required if Dynamic routing will be used through the tunnel.
 Validating Connectivity
o Under Network > IPSec Tunnels
o The status will show green if the tunnel has established and is active.
o Clicking on 'Tunnel Info' will provide details about the tunnel.
IPSec Troubleshooting
 First step is to double-check all the settings in the IKE and IPSec sections. Talk to a rubber
duckie!
 Check under Network > IPSec Tunnels
o Tunnel Status red indicates that IPSec Phase 2 is not available or expired.
o Ike Gateway Status green indicates Phase 1 is established, red indicates it has failed.
o Note that Tunnels are only up/established when traffic is needed to cross them
(except when Monitoring is used, this will keep the tunnel active).
 Supported ID types include: FQDN, IP Address, KeyID (binary-format ID as a hex
string), Email/User FQDN
 If none is specified, local IP is used.
 Phase 1 IKE Gateway Advanced Options
o Configured under Network > Network Profiles > Ike Gateways > Advanced Options
o Enable Passive Mode - will not initiate connections, only receive incoming requests
o Enable NAT traversal - UDP encapsulation used on IKE and UDP protocols, allows
them to pass through intermediate NAT devices (upstream routers for example)
o Exchange Mode Options
 Auto (default) allows both Main and Aggressive
 Main: Used for fixed-IP tunnels where the IP's on each end will not change
 Aggressive: Used when one endpoint has an IP address that may change, such
as an ISP that provides a DHCP address
 Both sides must have the same mode set
o Ike Crypto Profile
 By default, the crypto profile is set to AES-128-CBC, 3DES, SHA1
 A custom IKE crypto profile can be created under Network > Network Profiles
> IKE Crypto
o Enable Fragmentation
 Allows the local gateway to receive fragmented IKE packets - max is 576 bytes
o Dead Peer Detection
 Identifies and confirms that the remote peer is alive and responding by sending
a request to confirm, and receiving a response. If no response, the tunnel is torn
down.
 Phase 1 IKE Cryptographic Profiles
o Both peers must have matching cryptographic settings for the tunnel to be established.
o Specify the DH group for asymmetric key exchange
o Multiple encryption types can be set to help match with a peer
o Multiple Authentication types can be set
 Phase 2 IPSec Cryptographic Profiles
o Configured under Network > Network Profiles > IPSec Crypto
o Set the IPSec Protocol (ESP or AH)
o Encryption type (must match remote peer)
o Authentication (MD5, SHA1, SHA256, SHA384, SHA512)
o Set the DH Group
o Set Lifetime
o (Optional) Set the lifesize, which rekeys the tunnel after a set amount of traffic has
passed. This limits how much sniffed session data can be decrypted if one key has
been captured.
 VPN Tunnel Interface
o Configured under Network > Interfaces > Tunnel tab
o IKEv1 is the most common version used
o IKEv2 is primarily used to meet NDPP (network device protection profile), Suite B
support and/or MS Azure compliance
o IKEv2 preferred mode provides a fail back to IKEv1 after 5 retries (about 30 seconds)
 IKE Phase 1
o Identifies the endpoints of the VPN
o Uses Peer IDs to identify the devices
 Usually the public IP's of each end
 Can also be an FQDN or other string of data
o Three settings/modes: Aggressive, Main, Auto
o 5 pieces of info are exchanged during Phase 1:
 Authentication Method
 DH Key Exchange
 Symmetric Key Algorithm bulk data encryption
 Hashing algorithm
 Lifetime
 Ike Phase 2
o Creates the tunnel that will encapsulate traffic
o Each side of the tunnel has a proxy ID to identify traffic
 There is support for multiple proxy ID's
 Proxy ID's are also known as 'Encryption Domain' with other vendors
o Proxy ID's can be specific or 0.0.0.0/0
o 5 Pieces of information are passed during phase 2:
 IPsec type/mode
 DH additional exchange if specified
 PFS
 Symmetric key algorithm/Hashing Algorithm
 Lifetime before Rekey
 Route Based site-to-site VPN
o VPN setup depends on the need and requirements of each site and the company
configuration
o Each tunnel interface will support up to ten (10) IPSec tunnels
Configuring site-to-site tunnels
 Phase 1 IKE Gateway Configuration
o Create the IKE Gateway under Network > Network Profiles > IKE Gateways
o Simple tunnels (PAN to PAN) only require the interface, IP and PSK.
o If the firewall uses a dynamic IP address (PPPoE DSL for example), leave the local IP
address field blank.
o Certificate PKI authentication is supported, with the following Limitations:
 Maximum level of cert chain is 5
 CRL over LDAP is not supported
o Can be set to not allow any local network access (no access to home
devices/printers/etc.).
 Network Services Tab can be used to override the local settings of DNS, WINS and DNS
Suffixes with the settings of the interface selected for the 'inheritance source' (aka the
interface selected) field.
 User-ID can be used to map usernames to IPs. This info is added to the User-ID list and
shown in the log files. It can also be used in internal networks to ensure only specific,
authenticated users have access to specific systems.
Configuration: GP Agents
 Agent runs on Windows, Mac, Linux, and is available as apps for iOS and Android (HIP check
license required for iOS/Android).
 Agent must be installed on client device. The portal will provide a download link after a
successful login to the portal webpage.
 Agent can be open or locked down depending on administrator.
o FQDN or IP, and login/password are the minimum requirements if not already
configured. Username can be left blank if using SSO.
o A right-click on the icon will show the options available. 'Connect to' will default to 'auto
discovery' to find the fastest gateway; a gateway can also be selected manually.
 X-auth can be configured (only configurable if Tunnel Mode and IPSec enabled)
o Third-party X-auth clients can connect to a GP Gateway, such as the IPSec VPN client on
iOS/Android and the VPNC client on Linux
o Provides simplified access
o If group name and group password are populated, then the group name/password
must be entered first, THEN the auth profile credentials are used. If the group
name/password is left blank, a certificate must be used for the first authentication.
o By default, re-authentication is not required when the IKE rekey timer is up. The
checkbox can be set to skip auth on rekey.
 System Logs show the GP connection logs.
o Available Under Monitor > Logs > System, a log filter of 'subtype eq globalprotect' will
show the GP connections.
 The traffic logs are under the standard Monitor > Logs > Traffic.
Site to Site VPN's
Site-to-Site VPN
 Overview
o PAN-OS implements IPSec tunnels as route-based tunnels
o Support for connecting to 3rd party IPSec devices
o The tunnel is represented by a logical tunnel interface
o The tunnel interface is placed in a zone
o When traffic is sent to the tunnel, the VPN is connected and traffic sent across
 IKEv1 vs IKEv2
o The internal portal can be configured under the Internal tab. These gateways need to
be manually defined.
o On the external gateway, the connection is made by the fastest response time and
priority. A checkbox is available to manually select a tunnel.
o Gateways that are set as 'manual only' are not provided for consideration for the
fastest SSL response.
o Three Types of App connection Methods are supported:
 On Demand: Users connect when they need to, and disconnect when
completed.
 User-Logon: Automatically connects when the user logs in
 Pre-Logon: GP connects before the user has entered credentials, to keep the
system secured, and updates the user login information when they supply
credentials.
 Clientless VPN
o Users can log in through a browser to access specific configured applications.
Examples can be web-based email, internal web apps.
o Applications can be published under Network > GlobalProtect > Portals > Clientless
VPN > Application > Add
 Group Mappings need to be configured prior to this point in order to use group
mappings.
Configuration: GP Gateway
 Global Protect Gateway is configured under Network > Global Protect > Gateways
 Select the L3 interface to use with the gateway, and the IP Address (if different from the
interface IP)
 The tunnel tab will be needed if you are configuring an external gateway; optional for internal
gateways.
 Agent configuration
o Check the 'Tunnel Mode' to enable tunneling (for external gateways; not needed for
internal but can be used).
o Tunnel settings will include the tunnel interface.
 Enable IPSec, or uncheck to enable SSL. If IPSec is selected but not able to
connect, it will fall back to SSL automatically.
o Timeouts can be set for inactive connections to be disconnected.
o A group name and password can be used in place of certificates to authenticate third-
party VPN clients
 IP Pools Tab
o When configured in Tunnel mode, it functions as a DHCP client.
o Pools are only available if tunnel mode is enabled.
 Split Tunneling
o NOT recommended; this will allow internal traffic to go up the tunnel, and internet
traffic out the local network.
o A public CA certificate should be used for external users to provide the correct
authority and security for the Portal.
o Portal will include the public server certificate, and the client certificate and key.
o GP users use the client certificate to identify the client.
 Authentication Server Profile
o Authentication servers are used to authenticate users. An existing Server
Authentication profile can be used.
 This is done under Device > Authentication Profile
 Agent Software
o Under Device > GlobalProtect Client
 Review the currently installed and activated GlobalProtect client version
 New versions can be downloaded and activated from this page
 GP Client software only needs to be updated and activated on the portal, not on
the gateways.
Configuration: GP Portal
 GP Portal
o Authenticates users using GP
o Ability to create and store custom client configurations
o Maintains a list of internal and external gateways
o Manages CA Certificates for client validation of gateways
 Configuration
o Configuration is done under Network > GlobalProtect > Portals > General
o A Portal must be configured on an L3 interface.
o Custom pages can be created and uploaded to the firewall under Device > Response
Page
 Access to the Portal Login page can also be disabled (via browser on 443).
 This does not impact the GP Client connections, they can still connect.
 Clientless VPN's need portal page to be accessible.
 Portal Authentication
o This is under Network > GlobalProtect > Portals > Add > Authentication
 Portal Configuration Authentication profile is used to authenticate users
 Certificate profiles are used if certificates are used for client validation. If not
using certificates, select 'none'.
 Authentication Message is an optional entry of up to 50 characters in length, to
provide a message such as what kind of credentials to use.
 Agent configuration
o For certificate logins: A root CA must be specified under the Agent tab. If a gateway
gives a certificate that is not from the listed CA, the login is rejected
o Multiple configurations can be done for different groups. For example, a config for field
users, and another for office users.
 Connection Sequence
o GP client connects to the portal for authentication
o After auth, the portal sends the configuration and list of GP Gateways
o Client will connect to the portal with the best SSL response time
o If the client is not installed, it will ask to be downloaded and installed
o When the client is installed, the client will connect to the selected gateway.
 GlobalProtect in the Cloud
o Infrastructure can be extended using AWS VM-series. When a Portal is contacted, it
can provide an AWS Gateway as an option.
 Simple Topology
o Requires at least one portal and one gateway.
 In small deployments this can be on the same device.
 If Portal and Gateway share a single system, only one certificate is needed for
the firewall.
 Advanced Topology
o Multiple Gateways can be configured for performance and global deployments.
 The chosen gateway is the fastest responder.
 Only one Portal can be configured and active.
 If Portal goes down, existing users can log into a cached gateway.
 If Portal is down, no new clients can connect, and no new configuration
changes can be sent out to existing users.
 If the portal is down, either restore it, or activate a portal at another location.
 Determining External or Internal Gateways
o The portal may provide an IP and DNS to determine if the client is inside or outside
the network
 This should be a hostname that can only be resolved internally
 If the IP is able to be resolved to a hostname, then the internal gateway is used.
 If the IP is not resolvable, then the external gateway is used.
 GP for Internal Users
o Internal Gateways are useful for enforcing group based policies, or access to
restricted or confidential data.
o Examples include: Enforcing access to Engineering to Code and Bug DB's, While
blocking access to Finance and HR to that resource.
o Profiles on the gateway can allow only certain LDAP/AD group members
 Can also enforce HIP checks for AV/OS Patching/etc
Preparing the firewall for GlobalProtect
 Certificates:
o Certificate Authority Certificate (Optional)
o GP Portal certificate
o GP client certificate (optional)
 Group include list will allow you to filter specific groups to be included. If no groups are
added to the 'included groups' section, then all groups are added.
o It is recommended if you have a large/complex tree/forest, to specify groups. This will
reduce search time and CPU utilization.
 Custom Groups allow you to set filters so that users matching certain criteria are grouped,
even if they are not in a specific LDAP/AD user group.
o Examples could be: Department=Sales, City=Dallas, etc
o Can help without the need for an AD Admin to create or modify existing structure.
o User-ID also logs custom groups.
User-ID and Security Policy
 In the security policy rules, the options under the Users section are:
o Any: Any user if they match the rest of the rule criteria
o pre-logon: used with certain GP configurations and implementations
o known-user: a known/mapped user
o unknown: an unmapped/unmatched user/ip address
o select: a specific user or group specified
o Note: The source IP and the source user are processed with a logical AND condition.
So the user ID and the source IP range must match.
 This can be used in places to allow access only if someone is connected to a
network segment that is physically on-site at an office, and block access if
someone is connected via GP or other VPN.
o A small office can base rules on individual users; in larger environments, groups are the
better basis for rules.
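The note above that source IP and source user are ANDed is easy to get wrong, so here is an added worked example (not from the notes or from PAN-OS) that evaluates the Users column of a rule against a constructed IP-to-user mapping: the same engineer matches the rule from the on-site subnet but not from a VPN pool address.

```python
"""Added example (not from the notes): how a security rule's Users field combines
with the source IP. The source subnet AND the source user must both match, so
a 'select' user on an off-site subnet does not hit the rule. All names,
subnets and mappings are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Hypothetical IP-to-user mapping, as the User-ID agents would supply it.
# A source IP absent from this table is an "unknown" (unmapped) user.
USER_MAP: Dict[str, str] = {
    "10.1.20.15": "corp\\alice",
    "10.1.20.16": "corp\\bob",
    "10.200.5.7": "corp\\alice",   # alice again, but from a GP VPN pool address
}

# Hypothetical group membership, as LDAP group mapping would supply it.
GROUP_MAP: Dict[str, Set[str]] = {
    "corp\\engineering": {"corp\\alice"},
    "corp\\finance": {"corp\\bob"},
}


@dataclass
class Rule:
    name: str
    source_subnets: List[str]                        # source address objects
    users: str                                       # any | pre-logon | known-user | unknown | select
    selected: Set[str] = field(default_factory=set)  # users/groups when users == "select"


def user_for(src_ip: str) -> Optional[str]:
    """Mapped username for an IP, or None if the IP is unmapped."""
    return USER_MAP.get(src_ip)


def user_field_matches(rule: Rule, src_ip: str) -> bool:
    """Evaluate only the Users column of the rule."""
    user = user_for(src_ip)
    if rule.users == "any":
        return True
    if rule.users == "known-user":
        return user is not None
    if rule.users == "unknown":
        return user is None
    if rule.users == "pre-logon":
        # GP pre-logon sessions carry the literal user 'pre-logon' (no real user yet)
        return user == "pre-logon"
    if rule.users == "select":
        if user is None:
            return False
        if user in rule.selected:
            return True
        return any(user in GROUP_MAP.get(g, set()) for g in rule.selected)
    raise ValueError(f"unsupported users value {rule.users!r}")


def rule_matches(rule: Rule, src_ip: str) -> bool:
    """Source IP AND source user must both match (logical AND)."""
    ip = ip_address(src_ip)
    ip_ok = any(ip in ip_network(net) for net in rule.source_subnets)
    return ip_ok and user_field_matches(rule, src_ip)


# Constructed rule: engineers may reach the code repo only from the on-site LAN.
CODE_REPO_RULE = Rule(
    name="eng-to-code-repo",
    source_subnets=["10.1.20.0/24"],   # on-site office segment only
    users="select",
    selected={"corp\\engineering"},
)

# Constructed rule: catch unmapped hosts on the same segment (e.g. to send them to captive portal).
UNMAPPED_RULE = Rule(name="unmapped-on-lan", source_subnets=["10.1.20.0/24"], users="unknown")


def first_matching_rule(rules: List[Rule], src_ip: str) -> Optional[str]:
    """Top-down evaluation, as the rulebase is processed: first match wins."""
    for r in rules:
        if rule_matches(r, src_ip):
            return r.name
    return None
```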
Global Protect
Note: The training I think severely overcomplicated this section, particularly when it came to the
agent configuration, so the notes for the agent setups might be a bit jumbled. After I'm done with all
the sections, I'll see if I can come back and clean it up a bit.
Overview
 GlobalProtect: Solution to VPN Issues
o Extends NGFW to endpoints
o Delivers full traffic visibility
o Simplifies management
o Unifies policies
o Stops advanced threats
 Components
o Portal - Provides Management functions for GP; every client connecting to GP
receives configuration information from the portal
o Gateways - Provide Security Enforcement for traffic
 External gateways provide security enforcement and VPN Access
 Internal Gateways apply security policy for access to internal resources
o Sends a probe to each known IP to validate the same user is logged in. Each is
probed once per interval (20 minutes is default)
o NetBIOS can be enabled; it is used for backwards compatibility with XP and earlier
versions of Windows. Port 139 must be open for communication.
 Clicking the Discovery on the left side, you can use the 'Auto-Discover' button to try to
automagically add the DC's, or manually add the servers you want to probe.
 The firewall must be configured for each agent. This is done under Device > User
Identification > User-ID Agents > Add
o For Panorama setups that will gather the User-ID info, select 'serial number'
o For Windows Agents, select 'host port'. If you change the port the agent uses, this is
where it can be updated on the PAN side.
 Validate connectivity both on the agent and the firewall. Both should be green showing
connection is working.
 The Monitoring section on the left side of the agent will show a list of current IP to User-ID
mapping
 On the firewall CLI, the mappings can be checked with:
o show user user-id-agent statistics
o show user user-ids
o show user ip-user-mapping all
o show user ip-user-mapping ip (ip/netmask)
Configuring Group Mapping
 Server profiles define which LDAP servers will be contacted, in which order, and where to
search the directory tree.
o Defaults to port 389; if SSL is configured on the server, then 636 is available.
o Type is the type of LDAP Server
o Base DN should auto-populate when you click the drop-down menu
 To check the Base DN manually, on the server open active directory domains
and trust > Microsoft Console Snap-In - look at the name of the Top-level
domain
o Bind DN and Password will be used to auth users and read the LDAP directory. The
Bind DN will depend on your DC configuration
 If Universal Groups are used, the GC must be used to capture group
memberships, and the LDAP port must be set to 3268
o Bind, Search and Retry timeouts can be changed
 To configure Group Mapping, open Device > User Identification > Group Mapping Settings >
Add
o Select the server profile for your AD/LDAP server profile
o The domain setting is generally blank; only enter a name if NetBIOS needs to
override.
o Group objects should be dynamically populated by the LDAP server; these can be
manually changed to look in specific locations.
o Consult the Administrators guide for specific groups needed for your version of
Windows server.
 Configure session monitoring (optional)
o Enable session monitoring under Device > User Identification > User Mapping >
Server Monitor Tab
o This option enables the File/Print Sharing mapping to account and IP address
 Configure WMI Probing (optional)
o Enable WMI Client Probing under Device > User Identification > User Mapping >
Client Probing tab
o This will enable a probing of the clients every 20 minutes, to validate the same user is
still logged into the same IP address
o When an IP is found with no User-ID account, it sends it to the Agent for an immediate
probe
o WMI doesn't probe any IP's outside of RFC1918; to enable any non-routable IP's, add
them to the include list in the zone.
o File and Print sharing must be enabled on the client for this to function.
 Commit the configuration and validate agent connectivity
o After commit, each server specified under Device > User Identification should show as
connected. If not, troubleshoot the connection from the agent to the DC, check service
account rights, and confirm network connectivity
Windows-based agent configuration
 Installation information:
o Can be installed on 32 and 64-bit systems, XP SP3 or later
o Should be installed in the same physical network as the servers to optimize
bandwidth
o Should be installed on at least 2 domain members for redundancy
o Recommended that it should NOT be installed on the domain controller itself (best
practice).
 Download the agent software from PAN's support site.
o Check the Release notes for details on supported OS's for the version you are
downloading
o MSI can also be used in SCCM to push to multiple locations
 In the Agent Application after installation:
o Click Setup on the left-side to change any of the settings
 Save will save but not activate
 Commit will implement all changes
o TCP Port 5007 is the default port
 Should run with a service account with proper rights.
o For specifics, check the Administrators guide or the support website.
 Server Monitoring tab can be used to enable the security sessions reader
 Client Probing tab can be set to enable WMI probing.
 DC must be configured to log successful logon events
 All DC's must be configured
o An agent can only monitor one domain; for multiple domains, multiple agents would be
needed.
o Anyone who accesses file and printer shares also has their connections read from the
log to map to their user ID
 User-ID can be configured to use WMI to probe Windows systems
o This is useful for laptops and devices that may change IP's semi-frequently.
o NetBIOS is optional and supported.
o WMI probes are performed every 20 minutes (default)
 Global Protect
o GP will provide User-ID with username/IP when they log into the gateway
 User ID Mapping Recommendations
o User ID Agent is used for DC, Exchange, eDirectory, Windows file/print shares, Client
probing and Syslog Monitoring
o Terminal Services agent is used for multiuser systems such as MS Terminal Server, Citrix
Metaframe/XenApp
o Captive Portal maps usernames to IP's for users that do not login to a windows
domain
o GlobalProtect maps usernames/IP's for remote users
o XML API is for non-User-ID devices and systems that can export XML data
Configuring User-ID
 Enable User-ID by the zone
o Check the 'Enable User Identification' on the Network > Zones > (zone name)
o Only enable on inside-facing zones, or it will attempt to identify any user on the
internet if added on an outside facing zone.
o By default, all subnets in the source zone are mapped; the include/exclude list can be
added/modified to include or exclude custom subnets
o If WMI probing is enabled, it will only probe RFC1918 IP ranges (10/8, 172.16/12,
192.168/16); to add external IP's, they must be added to the include list.
 Configure user mapping methods
 Configure group mapping (optional)
 Modify FW Policies for user/group matching
PAN-OS Integrated Agent configuration
 On the DC, Create a service account with the required permissions
 Define the addresses of the Servers on the Firewall
o An autodiscover option for Windows DCs based on domain name (under Device >
Setup > Management > General Settings) is also available
 Add the service account to monitor the server(s)
o Added under Device > User Identification > User Mapping; username should be
entered as domain\account
User-ID
User-ID Overview
 Identify users by username and user group
 Create policies and view logs/reports based on user/group name
 Used in combination with App-ID allows for very granular control
 Can be used to profile identified vs non-identified users for policy control
 Prior to being ready for use, the FW needs to know the group mapping to match user to IP
 Components for User-ID include:
o PAN Firewall
o PAN OS Integrated User ID agent
o Windows Based User-ID Agent
o Terminal Services Agent
o (other options - see below)
 Integrated Vs Windows-Based Agents
o Windows Agent uses Windows RPC to read the full security logs
 Recommended for local deployments with the Windows Servers and Firewalls
in the same physical network
o Integrated Agent uses Windows WMI to read security logs to map Username to IP
 Uses much less bandwidth
 Uses more of the FW CPU
 Better for remote deployments of firewalls in small offices, labs, etc.
User Mapping Methods Overview
 Multiple methods are available; which to use depends on the OSs, apps and infrastructure
o Can monitor Windows DCs, Exchange servers, or Novell eDirectory for user auth
session tables
o Probes Windows clients for file/printer mappings
o Captive Portal/GP logins
o Terminal Services Agents for Windows RDP/Citrix
o Syslog login/logout messages from NAC, 802.1x and wireless ACs
o PAN-OS XML API for devices that can send XML to the firewall.
 For User-ID to function, it must be enabled on the zone
 User-ID can monitor a Syslog server for events to map users, when syslog messages are
received from systems such as:
o Unix/Linux authentication
o 802.1x authentication
o Windows; the User-ID agent can parse the syslogs to help map users to IPs
o Multiple profiles can be configured to read from different sources.
 Domain Controller Monitoring
o Monitors the Security Log of DCs
o Continuously monitors logs for all login/logout events
o Default cloud is wildfire.paloaltonetworks.com (other clouds for different regions are
available)
o If you have a WF-500 locally, you can specify its IP on this screen
o Can also specify the maximum size of files to upload; anything larger is permitted through
without being uploaded.
o Can report benign and greyware verdicts by selecting the checkboxes
o Decrypted content is not forwarded to Wildfire by default; this can be enabled under Device
> Setup > Content-ID > Content-ID Settings with 'Allow forwarding of decrypted
content'
 Under Device > Setup > Wildfire, you can specify what information is reported to Wildfire.
This can include information such as source/dest IP, ports, VSYS, application, user, etc.
 Wildfire submission is activated by adding the Wildfire Analysis profile to a firewall security
policy rule. This is done on the Actions tab in the rule details.
o Logs for submissions to Wildfire are found under Monitor > Logs > Wildfire Submissions
 A Wildfire Analysis profile is created under Objects > Security Profiles > Wildfire Analysis
o A pre-configured default profile is included that can be cloned/modified, or a new
profile can be created from scratch.
o Each file type can be sent to a specific destination (public, private or hybrid).
Example: JAR can be sent to the cloud, while DOCX can stay on a local WF-500
appliance.
 The profile can be added to a rule individually or as part of a profile group
o If a file blocking profile blocks a file, the file is not sent to Wildfire for analysis.
 Updates are available under Device > Dynamic Updates. With a Wildfire licence, you can
set the update interval from every minute to every hour. Without a license, it can be set to
update once a day.
Wildfire Reporting
 Each time a file is analyzed, the findings are reported back to the firewall. The amount of
information reported is configurable.
 To verify successful uploads, you can use the CLI command:
o debug wildfire upload-log show
 Output should indicate a successful upload
 Detailed reports can be viewed by clicking the magnifying glass and then the Analysis Report tab
to get details on users and the file.
 More details can be seen at wildfire.paloaltonetworks.com; this gives a breakdown of the
category of findings (benign, greyware, malware, phishing).
o Files can also be manually uploaded on this portal.
o The Reports button on the web portal lets you generate a custom report, and individual
entries can be viewed.
o Email reports can also be configured here to get automatic reports.
o If a file was flagged as something other than benign, you can open the
individual report, scroll to the bottom and submit a request to have it reviewed.
o The types of verdicts assigned to files scanned by Wildfire include:
 Benign - found to be safe and pose no risk
 Greyware (introduced in PAN-OS 7.0) - no security threat but may display obtrusive
behavior; adware, spyware, browser helper objects.
 Malware - the file contains a malicious payload; viruses, worms, trojans,
rootkits, botnets and remote access tools.
 Phishing (introduced in PAN-OS 8.0) - scans links in emails to determine if the site
phishes for credentials or other personal data
o File attachments and URLs in emails are also scanned and will be categorized into one of
the options above.
 When files and URLs are submitted to Wildfire, new signatures are generated and are
available for download within 24-48 hours as content updates.
 Two types of Wildfire subscription service:
o Standard subscription: all systems running PAN-OS 4.0+ can access the Wildfire standard
subscription service (analysis in an XP or Win7 VM)
 Includes Windows PE analysis: EXE, DLL, SCR, FON, etc.
 AV signatures delivered in the daily dynamic content updates (requires a Threat
Prevention license)
 Automatic file submission
o Wildfire licensed service gets the standard features plus:
 Additional file types scanned, including MS Office files, PDF, JAR, CLASS,
SWF, SWC, APK, Mach-O, DMG, and PKG
 Wildfire signature files updated every 5 minutes
 API file submission
 Wildfire private cloud appliance: WF-500
 Wildfire Private Cloud
o WF-500 is a private cloud Wildfire system, based on a Win7 64-bit image, hosted on
your network.
o Locally analyzes files forwarded from the FW or submitted through the PAN XML API
o Signatures can be generated locally. Benign and greyware files never leave the network.
o You have the option to forward malware to the Wildfire cloud for signature generation.
o Signature updates every 5 minutes.
o Supports XML API
o Does not support the Phishing verdict; all positive matches are classified as 'malware'.
o Content updates can be installed manually or automatically
 Hybrid Cloud
o Combines local and cloud solutions. WF-500 can analyze sensitive files locally, and
less sensitive files can be uploaded to wildfire for analysis.
Configuring and Managing Wildfire
 Configure under Device > Setup > Wildfire
o Create a decryption policy under Policies > Decryption > Add - under Options, select
'Decrypt'
o (Optional) Create a decryption profile that can be added to the decryption policy
Other Decryption Topics
 Some applications may not work with SSL Forward Proxy:
o Applications with client-side certs
o Non-RFC-compliant apps
o Servers using unsupported cryptographic settings
 If an application fails, the site is added to the excluded cache list for 12 hours
 Decryption exclusions are apps that decryption is known to break
o The prepopulated list is under Device > Certificate Management > SSL Decryption
Exclusion
o Custom domains can be added to this list, and wildcards are supported.
 If the decryption policy is set to an action of 'no-decrypt', the profile attached to the rule can
still check for expired or untrusted certificates. This is configured under the 'No Decryption' tab in
the profile.
 Decryption Mirroring can mirror decrypted traffic to a capture device for DLP and/or network
forensics
o Requires a (free) licence to activate; contact TAC support to get the license key. The key
is perpetual and does not need renewal.
o Only available on the PA-3000, PA-5000 and PA-7000 series firewalls.
 Hardware Security Modules (HSMs) provide hardware storage for keys for additional security
features (FIPS)
o Supported on PA-3000, PA-5000, PA-7000, and PA-VM series; Panorama VM, and M100e
 The traffic log can be used to determine if traffic is being decrypted by the firewall
o This can also be done by setting a log filter on Flags 'has' SSL Proxy.
 Troubleshooting SSL sessions
o Using the log filter to search for 'session end reason' 'equal' 'decrypt error', you can
see which sessions are not being decrypted.
Wildfire
Wildfire Concepts
 When the firewall receives a file:
o It checks whether the file is signed by a trusted signer.
o If there is no such signature, it creates a hash of the file to check if it has already been
sent to Wildfire
 If not already submitted, it checks whether the file is below the maximum file size
configured to be uploaded to WF
 If it exceeds the max size, it is allowed through the firewall
 If under the max size, it is uploaded and checked by Wildfire, and the response is
sent to the firewall.
o The SSL session is then established between the server and the firewall
o The firewall then sends the client a copy of the remote server cert, signed with the FW SSL
certificate
o The client validates the certificate and the session continues
 The firewall will sign the certificate sent to the client with its forward trust cert if the external
server's cert is signed by a CA it trusts. If the cert is not signed by a CA the FW knows/trusts, the FW
will sign with its forward untrust certificate, and the client is shown an untrusted warning
page in their browser.
 To configure Forward Proxy: (see PAN Docs for more details and instructions)
o Configure a Forward Trust Certificate
o Configure a Forward Untrust Certificate
 Generate a new cert on the FW; the cert should not be trusted by SSL clients, but must be
able to sign other server certs.
 Do not copy an existing cert; this one should be untrusted and unknown to any CA.
 Select the 'CA' checkbox on this cert
 Configure it as the forward untrust cert in its properties
o Configure SSL Forward Proxy
 Under Policies > Decryption (be sure to know what traffic is protected by
local/state/national laws and cannot be decrypted).
o A decryption profile allows checks on both decrypted traffic and traffic excluded from
decryption
 Allows blocking sessions with unsupported protocols, cipher suites, or SSL client
auth.
 Blocks sessions based on certificate status: revoked, unknown, expired, etc.
 After creating a profile, it can be applied to a decryption policy.
 A default profile is provided that can be used/cloned/modified.
 Rules for the decrypted traffic will need to be present. For example, if traffic is
web-browsing, Google Docs, or another encrypted application, security
policies allowing that traffic must be present or the traffic will be dropped as
matching no FW rules.
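The file-forwarding decision from the 'Wildfire Concepts' list above (trusted signer, hash of already-submitted files, size limit) combined with the per-file-type destinations described for the Wildfire Analysis profile, as an added Python model written for these notes; it is not PAN-OS code, and the routing table, size limits, signer name and sample files are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed routing table modelled on the Wildfire Analysis profile notes
# (JAR to the public cloud, DOCX kept on a local WF-500); the entries are assumptions.
DEFAULT_ROUTING: Dict[str, str] = {
    "pe": "public-cloud",
    "jar": "public-cloud",
    "pdf": "public-cloud",
    "docx": "private-wf500",
}

# Constructed per-type upload limits in bytes, standing in for the maximum file size
# configured under Device > Setup > Wildfire; the numbers are assumptions.
DEFAULT_MAX_UPLOAD: Dict[str, int] = {
    "pe": 2_000_000,
    "jar": 1_000_000,
    "pdf": 500_000,
    "docx": 500_000,
}


@dataclass
class FileSample:
    """A file seen by the firewall: its bytes, detected type and code-signing identity (if any)."""
    name: str
    data: bytes
    file_type: str
    signer: Optional[str] = None


@dataclass
class WildfireForwarder:
    trusted_signers: Set[str]
    routing: Dict[str, str] = field(default_factory=lambda: dict(DEFAULT_ROUTING))
    max_upload: Dict[str, int] = field(default_factory=lambda: dict(DEFAULT_MAX_UPLOAD))
    submitted: Set[str] = field(default_factory=set)  # SHA-256 digests already sent

    def decide(self, sample: FileSample) -> str:
        """Return 'allow:<reason>' when the file passes without upload, else 'upload:<destination>'."""
        # Step 1: a file signed by a trusted signer is not analyzed.
        if sample.signer is not None and sample.signer in self.trusted_signers:
            return "allow:trusted-signer"
        # Step 2: hash the file and skip anything already submitted.
        digest = hashlib.sha256(sample.data).hexdigest()
        if digest in self.submitted:
            return "allow:already-submitted"
        # Step 3: files above the configured maximum are allowed through without upload.
        limit = self.max_upload.get(sample.file_type)
        if limit is not None and len(sample.data) > limit:
            return "allow:exceeds-max-size"
        # Step 4: route to the destination the analysis profile names for this type;
        # types with no destination in the profile are not forwarded.
        destination = self.routing.get(sample.file_type)
        if destination is None:
            return "allow:type-not-forwarded"
        self.submitted.add(digest)
        return "upload:" + destination


if __name__ == "__main__":
    fw = WildfireForwarder(trusted_signers={"Example Corp Code Signing"})  # constructed signer
    samples = [  # constructed files; only the magic bytes and sizes matter here
        FileSample("setup.exe", b"MZ" + b"\x00" * 64, "pe", signer="Example Corp Code Signing"),
        FileSample("tool.jar", b"PK\x03\x04" + b"\x00" * 64, "jar"),
        FileSample("tool-copy.jar", b"PK\x03\x04" + b"\x00" * 64, "jar"),
        FileSample("memo.docx", b"PK\x03\x04" + b"\x01" * 64, "docx"),
        FileSample("scan.pdf", b"%PDF-1.4" + b"\x00" * 600_000, "pdf"),
    ]
    for s in samples:
        print(f"{s.name:14} -> {fw.decide(s)}")
```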
SSL Inbound Inspection
 The FW can inspect inbound SSL traffic
 The internal server's cert and private key must be loaded on the firewall.
 The firewall decrypts and reads the traffic, then forwards the original encrypted traffic
to the server
o Note that the traffic is forwarded only if it is not blocked/dropped by a security
policy on the firewall.
 To create an SSL inbound inspection policy:
o Import the server certificate and private key into the firewall (PEM and PKCS12
formats supported)
o HA Auth
o Secure Syslog Auth
 All certificates in a chain must be checked and validated before an SSL session is permitted
 Checking a certificate includes:
o Is the signature valid?
o Is the date range valid?
o Is it intact/not malformed?
o Has the certificate been revoked?
 CRL (certificate revocation list): a list of revoked certificates
 OCSP (online certificate status protocol) can check revocation status
 Certs can be revoked for: private key compromised, hostname/username
changed, counterfeit key found
 A certificate signing request (CSR) is generated by the device. This is used by a certificate
issuing authority to generate the device's certificate. The private key generated with this CSR never
leaves the device.

Certificate Management
 Certificates are managed under Device > Certificate Management > Certificates
o Operations supported include:
 Generate CSRs
 View certificates
 Modify certificate use
 Import/export certificates
 Delete certificates
 Revoke certificates
o Different certificates have different features
 A signing certificate is required for SSL Forward Proxy and GlobalProtect
o There are 3 methods of getting a certificate on the FW:
 Generate a self-signed CA certificate on the FW
 Generate a CA cert using a CSR
 Import a CA certificate
 The FW sorts the certificates into a hierarchy in order of the CA chain, root to intermediate
to device.
SSL Forward Proxy Decryption
 SSL Forward Proxy decryption is used to intercept and decrypt SSL sessions in order to
inspect the traffic for malicious content
 Steps in this process are:
o Client sends a request to an external server through the firewall
o Firewall intercepts the SSL request
o Firewall then contacts the external server and sends that server the FW cert
o External server responds with its server certificate; firewall validates the certificate
Decryption Concepts
 Encrypted traffic is growing every year
 PAN firewalls can decrypt SSHv2 and SSL/TLS inbound and outbound traffic
 SSL establishment includes:
o Client - requests SSL connection
o Server - sends server public cert
o Client - verifies cert
o Client - sends encrypted session key
o Server - begins encrypted communications session
 When an SSL session is first established, or an existing session needs to re-establish and rekey, this is
known as PFS (Perfect Forward Secrecy)
 The FW can act as an outbound SSL proxy:
o A client initiates a session to an external server
o The FW intercepts the connection, decrypts it, applies any security policies,
re-encrypts the traffic and sends it to the external server
 The FW can perform inbound SSL decryption (does not act as a proxy, just decrypts and
inspects)
o The internal server's certificate and private key need to be added to the PAN firewall
for this to function properly
 The FW can perform SSHv2 proxy for both inbound and outbound SSH traffic
o If SSH tunneling of another application is found, the session is blocked to prevent
apps from bypassing firewall rules.
 Public Key Infrastructure (PKI) solves the problem of securely identifying public keys
o Uses digital certificates to verify public key owners (X.509 format)
o Typical PKI components include:
 Root CA: provides services that confirm the identity and public keys of people and
companies.
 Intermediate CA: certified by a Root CA, and issues certificates; has a DB
that issues and revokes certs and stores CSRs
 Device: has the certificate and private keys. Devices maintain a list of trusted CAs,
which can be updated by admins or by system updates.
o A certificate chain starts with the device and ends with the Root CA. As long as there is
a Root CA in the chain, the certificate can be checked as valid (or revoked).
o Certificate hashes can be validated to confirm that the certificate hasn't been intercepted and
altered.
 Firewalls can use certificates for many purposes:
o SSL/TLS
o MGT interface user auth
o GlobalProtect: portal auth, gateway auth, Mobile Security Manager auth
o Captive Portal user auth
o IPSec VPN IKE auth
o Note: User-ID is required for User Credential Detection to function
o Configured under Objects > Security Profiles > URL Filtering > (profile name) > User Credential
Detection
 If a URL is not categorized by the firewall, you can create a policy based on corporate
security policy:
o Unknown URLs can be allowed
o Unknown URLs can be alerted/logged
o Unknown URLs can be continued with a challenge page
o Unknown URLs can be set to override with the admin password
o Unknown URLs can be blocked
 Not-resolved URLs are sites that are not in the local cache, where the FW could not contact the
PAN cloud to check the category
o Recommended to set to 'alert'
o Use the CLI command 'show url-cloud status' to check the cloud lookup service; it should
say 'connected'. If not connected, troubleshoot connectivity to this service (a
service route may be needed)
 The local URL seed database on the firewall is based on the region the FW is
installed in, but doesn't contain all URLs that PAN has categorized, as it would be too large.
The local database contains the most commonly accessed URLs; others are checked 'on demand' as
not-resolved against the PAN cloud DB.
 If a URL is miscategorized by PAN, a request can be submitted to ask for it to be recategorized.
This is done under Monitor > Logs > URL Filtering: click on the entry you want to submit, then
click 'Request Categorization Change' under details. Fill out all information including
comments; these are human-reviewed and are generally responded to in 24-48 hours.
 A category check can be done in 2 ways:
o By going to urlfiltering.paloaltonetworks.com and entering the URL. You can also
submit a category change here
o By going to Objects > Security Profiles > URL Filtering > Add and clicking the 'Check URL
Category' link
Attaching URL Filtering Profiles
 URL Filtering can be added into Security Profile Groups with other security profiles such as
AV, Vulnerability, File Blocking and Data Filtering
 Either individual profiles or groups can be assigned to Security Policy rules. This is dependent on
your deployment and corporate security policy.
 In the Security Policy rule, select the URL profile or group you have created that you want to
apply to the rule.
o Reminder that only 'allow' rules evaluate URL profiles. Policies set to deny or block
traffic will do just that.
Decryption
o Entries are case sensitive, and subdomain considerations should be checked.
o www.ebay.com in a block list will not block cdn.ebay.com.
o *.ebay.com would block all ebay subdomains.
 Allow lists and block lists can be used to explicitly list sites users may or may not access.
 Actions available for the block list include:
o Block: blocks access; the access attempt is logged, and a response page is given to the
user notifying them the site is blocked.
o Continue: a response page is presented, asking the user to confirm they want to
proceed. The item is logged as 'block-continue' when the continue page is presented, and
changed to 'continue' if the user proceeds to the page.
o Override: prompts for an administrator password to override a URL block. Used for
administrators and others that need a way to bypass blocks to some pages when
needed.
o Alert: allows the user to proceed without interruption, and generates an alert in the
URL log.
 Custom HTML pages can be created and uploaded to the PAN firewall.
 Custom HTML block pages are limited to 16 KB
 Block pages are used to provide a challenge/response or notification if a URL has an action
of block, continue or override.
 The user's name will be displayed on the page if User-ID is enabled; otherwise the IP will be
displayed.
 If Continue or Override is used, a 15 minute timer is set to allow access to that category.
o The timer can be changed at Device > Setup > Content-ID > URL Filtering
o The admin password can be changed at Device > Setup > Content-ID > URL Admin
Override
o Only one override password is allowed.
o An SSL/TLS profile can be used to specify a certificate to secure the connection to the
firewall if admin override is set to 'Redirect'
o Transparent mode can be used to make block pages look as if they originate from the blocked
website
o Redirect will send the request to the specified IP. This IP must be an L3 interface on
the firewall.
o Safe Search can be selected under Objects > Security Profiles > URL Filtering >
(profile name) under the URL Filtering tab
 This is based on the browser's safe search setting
 Log Container Page Only can be selected in this same section
 Only the name of the container page will be logged if Log Container Page Only is
selected (helps with log containment and size)
o Both Safe Search and Log Container Page Only are recommended settings by PAN for best
practice.
 Credential Phishing profiles configure where users are allowed to submit credentials
o Only one profile can be set per zone.
 DoS Policy
o Provides flexible rules and matching criteria
o Can be used for specific hosts that are critical or have been hit previously
o This can be based on match criteria such as source/destination zone/interface, IP
address, user and services.
o Profile actions include:
 Protect:
 Aggregate profile: applies limits to ALL incoming traffic
 Classified profile: applies limits per single IP address
 Allow: permit all packets
 Deny: drop all packets
o Added under: Policies > DoS Protection > Add
 Specify the match on the source/destination/option-protection tabs
 You can specify the aggregate and/or classified profile if Protect is selected
 An example use is protecting a web server from attacks or floods.
 Profiles are added under: Objects > Security Profiles > DoS Protection > Add
 This allows setting the profile options for flood protection: SYN, UDP, ICMP,
ICMPv6 and Other IP.
 Resource Protection can be set to limit sessions to a host to prevent port
depletion or resource (CPU/memory) exhaustion
URL Filtering
URL Filtering Security profiles
 Added to security policies that are set to 'allow'
 Applied to all packets over the life of a session
 Items are logged under:
o Monitor > Logs
o The URL Category column in the logs shows which category the site falls under.
o The actions 'Alert', 'Block', 'Continue' and 'Override' generate a log entry
o Logs can be filtered with (URL contains 'facebook') to find all entries of
users going to facebook.
 Rules can be created to block access to specific websites or website categories
 A default profile is included to be used 'out of the box'.
 A custom profile can be created based on your company's internal security policies
 A URL profile can be configured to take specific actions per category.
 If User-ID is configured, you can enable the 'User Credential Detection' tab to log the
user information to the log files.
 To create a new custom URL category, go to: Objects > Custom Objects > URL Category >
Add
 Security Profile Groups can be used to group a set of security profiles. This simplifies Security
Policy rule maintenance and deployment by selecting one group that can contain AV, Anti-Spyware,
Vulnerability, URL Filtering, File Blocking, Wildfire and Data Filtering profiles.
 You can also assign individual security profiles to a rule
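The block-list matching rules noted under Decryption above (entries are case sensitive, www.ebay.com does not cover cdn.ebay.com, *.ebay.com covers all subdomains), together with the 'block-continue' / 'continue' log actions and the 15 minute continue/override timer, as an added Python model written for these notes; it is not PAN-OS code. Keying the timer on the client IP, the 'block-override' / 'override' log values, and the wildcard not matching the bare apex are assumptions.

```python
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

CONTINUE_WINDOW_SECONDS = 15 * 60  # the notes: continue/override grant access for 15 minutes


def host_of(url: str) -> str:
    """Pull the host out of a URL or bare hostname without changing its case.

    Case is preserved deliberately because block-list entries are case sensitive.
    Userinfo and port are stripped; bracketed IPv6 hosts are not handled (assumption).
    """
    rest = url.split("://", 1)[1] if "://" in url else url
    host = rest.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    host = host.rsplit("@", 1)[-1]
    return host.split(":", 1)[0]


def entry_matches(entry: str, host: str) -> bool:
    """Apply the subdomain rules from the notes.

    'www.ebay.com' matches only that exact host, so it does not cover cdn.ebay.com;
    '*.ebay.com' covers every ebay.com subdomain. Whether the bare apex matches the
    wildcard is not stated in the notes; here it does not (assumption).
    """
    if entry.startswith("*."):
        suffix = entry[1:]  # ".ebay.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def first_match(host: str, entries: Iterable[str]) -> Optional[str]:
    for entry in entries:
        if entry_matches(entry, host):
            return entry
    return None


class BlockListPolicy:
    """Block-list evaluation for one URL Filtering profile.

    action is the list's configured action: 'block', 'continue', 'override' or 'alert'.
    For continue/override, a passed challenge is remembered per (client IP, entry) for
    15 minutes; keying on the client IP is an assumption, the notes only state the timer.
    """

    def __init__(self, entries: Iterable[str], action: str,
                 clock: Callable[[], float] = time.time) -> None:
        if action not in ("block", "continue", "override", "alert"):
            raise ValueError("unknown block-list action: " + action)
        self.entries: List[str] = list(entries)
        self.action = action
        self.clock = clock
        self._grants: Dict[Tuple[str, str], float] = {}  # (client_ip, entry) -> expiry time

    def evaluate(self, client_ip: str, url: str) -> Tuple[str, Optional[str]]:
        """Return (log_action, response_page); response_page is None when nothing is shown."""
        entry = first_match(host_of(url), self.entries)
        if entry is None:
            return ("no-match", None)  # falls through to category-based evaluation
        if self.action == "block":
            return ("block", "block-page")
        if self.action == "alert":
            return ("alert", None)
        # continue / override: allowed silently while the 15 minute grant is still valid
        if self.clock() < self._grants.get((client_ip, entry), 0.0):
            return (self.action, None)
        return ("block-" + self.action, self.action + "-page")

    def challenge_passed(self, client_ip: str, url: str) -> None:
        """Record that the user clicked through (continue) or entered the admin password (override)."""
        entry = first_match(host_of(url), self.entries)
        if entry is not None:
            self._grants[(client_ip, entry)] = self.clock() + CONTINUE_WINDOW_SECONDS


if __name__ == "__main__":
    policy = BlockListPolicy(["www.ebay.com", "*.facebook.com"], "continue")
    for u in ("https://www.ebay.com/", "https://cdn.ebay.com/x", "https://m.facebook.com/"):
        print(u, "->", policy.evaluate("10.0.0.5", u))  # constructed client IP
```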
Telemetry and Threat Intelligence
 Opt-in is required, and it can be customized to what data you want to share
 Information is sanitized before being sent to PAN, and is not shared with any
3rd parties.
 Telemetry can be configured under Device > Setup > Telemetry and Threat Intelligence. The
check boxes can be selected for what you want to upload. A download button in the corner can
be used to get a copy of the 100 most recent folders with packet captures and threat data that
have been sent to PAN.
Denial of Service Protection
 DoS protection is packet based, not session based.
 Uses packet header info rather than signature matching.
 These are not linked to security policies.
 Zone Protection:
o Provides edge protection
o First line of defense
o Flood Protection:
 Protects against the most common attack types, including UDP floods, SYN floods,
ICMP floods.
 All categories use random early drop, except SYN (which offers a choice of RED or
SYN cookies)
o Reconnaissance Protection
 Protects against TCP/UDP/ICMP sweeps and port scans within the criteria set
 Actions include:
 Allow: permits the scan
 Alert: generates an alert for each scan that matches within the time interval
 Block: blocks the attempts
 Block IP: can be specified to block traffic from the source or for the
source/destination combination.
o Packet Based Attack Protection
 Protects against specific types of packet attacks. Examples include spoofed IP,
fragmented traffic, timestamp forging, etc.
o Protocol Protection:
 Applies to L2 or Vwire zones only
 Used to allow or deny which non-IP protocols can move between zones.
 Include list will allow the specified protocols only; exclude list will allow all but the
specified protocols
o Protection is enabled on a 'per-zone' basis
 DNS signatures are included in the anti-spyware definition updates from PAN, but additional
custom DNS domains can be blacklisted manually.
 Exceptions can also be added by threat ID. Add the threat ID and the threat name to the
exceptions list.
 Actions are:
o Allow - permit without logging
o Alert - permit with logging
o Block - block with logging
o Sinkhole - a specified IP to which DNS lookups for C2 servers are resolved, sending the traffic to a dead
end. This can be a PAN-provided IP, a local loopback, or a custom specified IP
address. It is recommended that the sinkhole be in a different zone, unless intrazone
traffic is logged, so that the traffic can be logged.
 Actions are also available with single packet or extended packet capture
 Sinkhole traffic can be seen in Monitor > Logs > Threat with an action of 'sinkhole'
File Blocking Profiles
 Allows blocking of prohibited, malicious and sensitive files
 File blocking can be done by extension or by examination of the file
 Granular control is possible, for example blocking .exe files from Gmail but allowing .exe files
from FTP
 Profiles have these actions available:
o Alert: allow and log
o Continue: log the incident and send the user to a browser response page for them to
review/continue/stop.
o Block: block the file and log
 Monitor > Logs > Data Filtering can be used to see the actions taken and the file name/type
 There is no predefined file blocking profile. One must be created manually.
 Rules can be set for:
o Specific applications
o File types
o Direction (upload/download/both)
o Action (alert/continue/block)
 If a file matches multiple rules, the highest matching rule is applied.
 If Continue is set, the transfer is halted to alert the user that a matched file is attempting to
be downloaded. This can help prevent 'drive-by' downloads, or downloads that are
done without the user knowing or without user interaction.
o Continue only functions with an application over HTTP
 File blocking can decode up to 4 layers of encoding. Encoding includes container files such as .zip,
.tar, .docx, .gzip, etc.
o 'Multi-Level Encoding' needs to be set under 'File Types' in the file blocking rule
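The 4-layer decode limit and the 'Multi-Level Encoding' file type from the file blocking notes above, as an added Python model written for these notes (not PAN-OS code): nested zip/gzip containers are peeled up to the limit, files are classified by content, and any container still unopened at the limit is reported as the 'multi-level-encoding' pseudo type a rule can match. Supporting only zip and gzip, the leaf magics, and the sample builder are assumptions.

```python
import gzip
import io
import zipfile
from typing import Dict, List, Optional, Sequence

MAX_LAYERS = 4  # the notes: file blocking decodes up to 4 layers of encoding

ZIP_MAGIC = b"PK\x03\x04"
GZIP_MAGIC = b"\x1f\x8b"


def container_type(data: bytes) -> Optional[str]:
    """Identify a container layer by its magic bytes; zip and gzip only (assumption)."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    return None


def identify_leaf(data: bytes) -> str:
    """Classify a non-container file by content, not extension (a few constructed magics)."""
    if data.startswith(b"MZ"):
        return "exe"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "other"


def unwrap_once(data: bytes) -> List[bytes]:
    """Return the members inside exactly one container layer."""
    kind = container_type(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zf.read(name) for name in zf.namelist()]
    if kind == "gzip":
        return [gzip.decompress(data)]
    return []


def inspect(data: bytes, max_layers: int = MAX_LAYERS) -> Dict[str, object]:
    """Walk nested containers up to max_layers deep.

    Any container that still sits beyond the decode limit is reported as the
    'multi-level-encoding' pseudo type that a file blocking rule can match on.
    """
    leaf_types: List[str] = []
    layers_decoded = 0
    pending = [(data, 0)]  # (blob, number of layers already peeled above it)
    while pending:
        blob, depth = pending.pop()
        if container_type(blob) is None:
            leaf_types.append(identify_leaf(blob))
            continue
        if depth >= max_layers:
            leaf_types.append("multi-level-encoding")  # too deep: contents are not inspected
            continue
        layers_decoded = max(layers_decoded, depth + 1)
        for member in unwrap_once(blob):
            pending.append((member, depth + 1))
    return {"leaf_types": sorted(leaf_types), "layers_decoded": layers_decoded}


def file_block_verdict(data: bytes, blocked_types: Sequence[str],
                       max_layers: int = MAX_LAYERS) -> str:
    """'block' if any inspected leaf (or an undecodable layer) is in the rule's file types."""
    found = set(inspect(data, max_layers)["leaf_types"])
    return "block" if found & set(blocked_types) else "allow"


def build_nested(payload: bytes, wrappers: Sequence[str]) -> bytes:
    """Constructed sample builder: wrap payload in the given containers, innermost first."""
    data = payload
    for wrapper in wrappers:
        if wrapper == "zip":
            buf = io.BytesIO()
            with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
                zf.writestr("inner.bin", data)
            data = buf.getvalue()
        elif wrapper == "gzip":
            data = gzip.compress(data)
        else:
            raise ValueError("unknown wrapper: " + wrapper)
    return data


EXE_SAMPLE = b"MZ" + b"\x00" * 64  # constructed stand-in for a PE file; only the magic matters

if __name__ == "__main__":
    four_deep = build_nested(EXE_SAMPLE, ["gzip", "zip", "zip", "gzip"])
    five_deep = build_nested(EXE_SAMPLE, ["gzip", "zip", "zip", "gzip", "zip"])
    print(inspect(four_deep), file_block_verdict(four_deep, ["exe"]))
    print(inspect(five_deep), file_block_verdict(five_deep, ["exe"]))
    print(file_block_verdict(five_deep, ["exe", "multi-level-encoding"]))
```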
Attaching Security Profiles to Security Policy Rules
o Drop: drops and logs
o Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session
o Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session
o Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the
connection/session
 Application exceptions can be added in the Application Exception section of the profile config
screen. Any application can be added, and the action specified.
 Packet Capture can be set to run a capture when a suspected virus is detected. This can be
useful to help troubleshoot and resolve false positives.
 The Virus Exception tab can be configured to add false positives to virus detections. Add the
threat ID to the list to whitelist that pattern from having the specified action taken.
Anti-Spyware Security Profiles
 Includes 2 predefined read-only profiles. These can be cloned to make a custom profile, or a new
profile can be built from scratch.
o Strict: strict implementation of the profile. Used for 'out of the box' protection.
o Default: the default action of each signature is applied to traffic. Generally used for
PoC and initial deployments
 Each individual anti-spyware signature has a predefined default action. The default action
can be seen under:
o Objects > Security Profiles > Anti-Spyware Protection > Add > Exceptions - then
select the 'show all signatures' checkbox
 Virus signatures are released every 24 hours by PAN
 Spyware is generally detected when it attempts to 'phone home' to a C2 server.
 A custom policy is recommended. Options are to clone the default or make a new one from
scratch. Best practice is to tailor it to your network design, deployment and company security
policy.
 Each profile can contain several rules to apply policy based on the severity or type of
spyware.
 Threat Name can be 'any' for all, or a specific string to only scan for signatures matching
that name
 Actions can include:
o Allow: permit without logging
o Alert: allow with logging
o Drop: drops and logs
o Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session
o Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session
o Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the
connection/session
 The Exceptions tab can be configured to add false positives to anti-spyware detections. Add
the item to the list to whitelist that pattern from having the specified action taken. The action
in the 'Action' column here overrides the rule's action
 The Threat log keeps records of vulnerability, AV and anti-spyware events that can be reviewed, and can be forwarded
to an external log server.
Vulnerability Protection Security Profiles
 Includes 2 predefined read-only profiles. These can be cloned to make a custom profile, or a new
profile can be built from scratch.
o Strict: strict implementation of the profile. Used for 'out of the box' protection.
o Default: the default action of each signature is applied to traffic. Generally used for
PoC and initial deployments
 Each individual vulnerability signature has a predefined default action. The default action can be
seen under:
o Objects > Security Profiles > Vulnerability Protection > Add > Exceptions - then select
the 'show all signatures' checkbox
 New updates are released weekly from PAN. *
 Rules can be configured to take packet captures
 Threat Name can be 'any' for all, or a specific string to only scan for signatures matching
that name
 Category can be set to Any or a specific CVE/Vendor ID
 Actions can include:
o Allow: permit without logging
o Alert: allow with logging
o Drop: drops and logs
o Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session
o Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session
o Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the
connection/session
o Block IP: blocks traffic/sessions from an IP; the time to block can be set in seconds.
 Exceptions can be set to override the actions of rules. This can be used to stop false
detections from blocking legitimate traffic. A list of IPs can be added to the
exemptions column, useful for servers that may be flagged as sending false positives.
AV Security Profiles
 A default policy is available out of the box. This is recommended for initial configurations and
TAP-mode gathering
 A custom policy is recommended. Options are to clone the default or make a new one from
scratch
 The profile has predefined application decoders for common apps: FTP, HTTP, IMAP, POP3,
SMB, SMTP
 Virus signatures are released every 24 hours by PAN
 Action is what will occur when a virus signature is detected.
 Actions can include:
o Allow: permit without logging
o Alert: allow with logging
