Paloalto Note 3
4- Content ID - allow or block policy based on content; Ex: credit card details, insurance
numbers, or you can define custom content based on a regular expression
Features of paloalto:-
1- First of all, the "next generation" term (a marketing term) was first introduced by Palo Alto
Networks, and they really do have some next-gen features
2- App-ID; traffic is classified based on application (Ex: Facebook is classified as an
application, and you control Facebook not by URL, but by Palo Alto signature)
Purpose of Templates
Templates are Data Objects to hold settings for network devices
When working under the Network and Device tabs in Panorama, a specific template must be
chosen where settings will be stored.
Template stacks can be formed from individual templates, up to 8 layers
o Settings in each layer are inherited downward
o (update by stangri-la ) If there is a settings conflict, a lower layer will overwrite it.
o Settings most commonly shared are generally put higher in the stack.
o Individual templates can be used in multiple stacks.
o Firewall settings in a stack must be completed
Example: An interface must have all settings configured
Steps to push common parameters to a device
o Create a template then store the common settings/configuration parameters there
o Create a template stack, then add templates to a stack
o Push the stack to a device
Stacks are:
o An ordered list of Templates
o All settings in a template stack are pushed to a managed device
o Firewalls are assigned to one template stack
Max of 8 templates per stack
o Panorama 8.0+ supports up to 1024 template stacks
o When pushing updates to a device, the FW will push the updated template settings to
the firewall, and then execute a local commit to update the firewall
A template stack example:
o Template one (worldwide)
Logging profile settings
Administrator accounts
o Template Two (country)
SNMP, Syslog, DNS, Service Routes
o Template Three (local)
Interface Settings
o The above Templates will be: Worldwide->Country->Region
Country values will override the local settings, as it is higher in the template
stack.
o Network connectivity between MGT interfaces of HA Peers
o Validate the same URL Database and Dynamic update versions are identical
o Validate that both members will have communication to all managed devices
To create a Panorama HA Pairing (configure)
o Define the Primary and Secondary Devices
Navigate to Panorama > High Availability > Setup
Click to enable HA, enter the peer IP address
(optional) Encryption can be set. Recommended if the Panorama peers are in
different physical locations.
If using Encryption, the HA keys must match. Before enabling encryption,
Export the key from one device and import it to the other.
HA Uses TCP port 28 when encryption is enabled, and port 28769 when
encryption is not used.
Set the Monitor Hold time (in milliseconds). This time is the wait time until
fail-over is triggered.
o Enable HA, configure heartbeat settings, Enable Path Groups
To create a Panorama HA Pairing (commit)
o Commit changes
o When commit is completed, any previous config on the secondary will be overwritten
and lost
HA Fail-over can occur when:
o Hello/Heartbeat message failure
o A heartbeat is sent every 1000ms (1s).
o A Hello message is sent every 5000ms (5s) (default)
o NOTE: The module says in text that the Hello message defaults to 5000ms; however, the
audio states that the timeout is 1000ms, and the knowledge check question at the end of
the module also says that it is 1000ms. I have reached out to my PAN SEs and local
reps on this one to ask if this can be corrected by PAN's Education department.
Path Monitoring (optional)
o This is done by monitoring remote IPs for connectivity
o Done by using Ping ICMP messages
o Examples can include routers, switches, servers or other devices
o Path Monitoring fail-over can be configured on an 'any' or 'all' failure type.
HA timers can be adjusted to account for Latency of network response times
o Configured under Panorama > High Availability > Election Settings
o HA timer settings can be set manually by selecting Advanced.
Status can be seen by adding a widget to the dashboard; Also available in the logfiles.
Validate that HA fail-over is configured properly
o Schedule a PM window and simulate a fail-over
Physically unplug the cable to the Panorama device
Shut down the switchport it is connected to
o Updates can only be done one at a time; stagger the updates to ensure that they will
complete.
Global Protect can be centrally managed and updated in Panorama
The options and configuration are available under: Panorama > Device Deployment >
GlobalProtect Client
o Select the version to download to Panorama.
o When downloaded, this version can be activated, and then specific firewalls can be
selected to push the update to.
Manage Panorama and Firewall configuration backups
Under Panorama > Setup > Operations, the export options for the configuration of Panorama
are listed.
o Export Named Panorama configuration snapshot exports the current running config, the
candidate config, or a previously imported config
o Export Panorama configuration version exports a version that is specified.
o Export Panorama and Devices config bundle exports Panorama and all firewall
configurations
o Export or Push device config bundle (see the transition section above in this chapter for
details)
A scheduled export can be configured for automatic backups
o Navigate under Panorama > Scheduled Config Export
o Export can be scheduled once per day
o FTP and SCP options are supported
FTP Passive mode can be selected from the checkbox, if Active mode is having
issues.
o If using anonymous for username, do not specify a password.
When a commit is done on a local firewall, a backup is sent to Panorama automatically.
By default, Panorama stores up to 100 previous configurations.
o These can be viewed under: Panorama > Managed Devices > Summary
Panorama 8.1: Manage Firewalls at Scale (EDU-120)
Panorama: High Availability
Configuration and Deployment of Panorama HA
Benefits of HA:
o Redundant systems ensure continuation of services if one system fails
Priority and Fail-over
o HA Pair is set as Active/Passive
o The active device handles all the configuration changes and pushes to the firewalls
o The passive device receives synchronization updates from the primary so it is current if
the primary fails
o The passive device cannot push updates to devices
o In a fail-over event where the active Panorama system cannot communicate with the
secondary, the active appliance monitors whether the FWs are still connected to the primary
system. If the passive system takes over control of the devices, the active system sets
itself to passive and lets the secondary become active.
To create a Panorama HA Pairing (prepare):
o Validate the Panorama systems are the same model, storage capacity, PanOS
version and mode
o Determine the OS version both on the Firewall and on Panorama
o Panorama must be running the same or a later PanOS version than the firewall
o Plan out the device group hierarchy and template deployment
Reduced redundancy
Streamline management of shared settings
o Identify any configuration that needs to be managed locally
Normalize Zone Names
High Level sequence to add firewalls to Panorama:
o Add a new device
o Import the configuration
o Fine-tune the configurations
o Push the device state (config bundle)
o Commit the device groups and templates.
Note: This process replaces some or all of the firewall's configuration with the
config managed by Panorama.
In an HA Pair, further considerations are needed:
o Disable the Config Sync under Device > High Availability > General > Setup
o Add each firewall into Panorama
o After the import and configuration within Panorama, add both firewalls to the same
Device Group and Template stack.
Steps to add:
o Join the firewall to Panorama as a managed device
Do not add the FW to any device groups or templates yet.
o Import the device configuration to Panorama - this is done under Panorama > Setup >
Operations > Configuration management
The import does not impact the firewall's config; it makes a copy of the configuration on
Panorama
Update the device group and template configurations as needed or desired for
standardization.
o Local configuration is removed
o Zone names are updated (if needed)
o Configuration data may be moved to different device groups or templates
o Shared object names changed where conflicts exist
o Push the configuration to the firewall; this will remove all policy rules and objects from
local configuration
Export or push device config bundle
Note: the firewall cannot be added to a device group or template before the
export/push of the device config bundle, as Panorama would error with duplicate object
names.
Upgrade PanOS Software and perform dynamic updates
Panorama can manage software upgrades from a central location
To see the options available, navigate to: Panorama > Device Deployment > Software
o In this section, the software can be downloaded to Panorama, and then can be pushed
to firewalls.
o The options include:
Upload Only (do not install)
Install, and reboot after install
The application and content-ID updates can also be centrally managed and distributed with
Panorama
The options and configuration are available under: Panorama > Device Deployments >
Dynamic Updates
o A manual update/push can be done
o A scheduled download/push can be done
o A list of all devices and the location of the changes is listed.
Validate Device Group Push performs a full validation of all device configuration.
Validate Template Push validates that the templates are valid and no errors
are present.
'Edit selections' lets you choose which changes are pushed to which
devices. Useful when pushing to a single location, a test device, or all but a single device.
Edit selections allows you to be very detailed in what is pushed where.
Options include 'merge with device candidate config', 'include device and
network templates', and 'force template values'.
'Force template values' will override any locally corrected values on the
target.
o When a push is started, a status window will display showing the status.
o Selecting the link under 'Type' will show the status of the commit function.
o A Panorama server will commit one at a time, and while multiple can be made, they
will be queued and run in series.
Panorama 8.1: Manage Firewalls at Scale (EDU-120)
Panorama: Adding Firewalls to Panorama
Adding new Firewalls to Panorama
Configure the new firewall to connect to Panorama
o On the firewall's web interface, navigate to: Device > Setup > Management > Panorama
Settings
o Enter the MGT IP of the primary Panorama appliance (and its HA peer)
o Options on this page can be set to allow/disallow Panorama to manage policy and
objects, and network templates.
Add the FW's serial number to Panorama
o On the Panorama interface, navigate to: Panorama > Managed Devices > Summary >
Add
o Add the Device(s) Serial Numbers, and OK
On the Summary page after adding, the 'Group HA Peers' button can be selected
to group HA firewalls. If this is unchecked, each firewall is individually displayed.
o Device Tagging can be used to help identify specific firewalls in large deployments.
Navigate under: Panorama > Manage devices > Summary > Tag
o Communication between devices can be secured. Navigate to: Panorama > Setup >
Management > Secure Communications Settings
Communication will be handled by either a predefined or local certificate
Commit All Changes
o Changes must be committed on both the local firewalls, and on the Panorama device.
Panorama can manage all licenses on managed devices. This can be viewed under:
Panorama > Device Deployment > Licenses
o License status and expiration dates can be seen
o New licenses can be added with the 'activate' option, and an activation code.
o A license can be deactivated on one device, and activated on another (limited on some
depending on the license type).
Transition a firewall to Panorama management
Prior to migrating a firewall, the following must be completed:
Services need to be configured for accurate function
o DNS and NTP servers should be set and validated as reachable
o Panorama can be configured with a proxy server for outbound internet access
SNMP (Option) can also be configured
o MIBs from PAN are required for an SNMP manager
o These can be downloaded from the PAN website.
Legacy Mode (VM Mode) provides a single enabled interface, including management.
o This mode is generally not recommended, unless needed for a specific deployment
o The management profile should be configured for this interface to allow management
connections
o This is configured under Panorama > Setup > Interfaces > Management
o If using SNMP, be sure to select SNMP in the management profile.
Network Segmentation can improve security and reduce congestion.
o Multiple interfaces (non-legacy) can be used for different network segments
o Device Management and Device Log Collection can be set on different interfaces;
This is set under the interface configuration at:
Panorama > Setup > Interfaces > Ethernet1/x
o An example configuration for multiple interface could be:
E1/1: Management, Log and Query (perimeter firewalls)
E1/2: Management traffic, for managing, updating and configuration (perimeter
firewalls)
E1/3: Device updates for content, software upgrades, etc. (all firewalls)
E1/4: Management, Log and Query (DC/Colo firewalls)
E1/5: Management traffic, for managing, updating and configuration (DC/Colo
firewalls)
This is useful for balancing the traffic so interfaces aren't tapped out.
Describe the Commit Process
Commit process starts with clicking 'Commit' in the top right corner of the page:
o Commit to Panorama will save the candidate configuration changes to the Panorama
config.
o Push to Device will push the configuration to managed devices
o Commit and Push will perform both functions at once.
In the Commit to Panorama window, there is an option to commit all changes, or only the changes
made by a specific administrator
o A preview changes option is available to see what the changes will be
o A Change summary will provide a summary of changes
o A Validate Commit will validate the full configuration with changes, but not write the
new config
o An optional (but recommended) description field is available. Putting brief notes
stating what changes are being done is recommended
In the Push to devices window:
Responds to queries from Panorama servers
o Management Only Mode
o Only functions as a device manager
o No log collection
Requirements for each Mode in a VM are:
o Legacy:
4 CPUs, 4 GB RAM, max of 8 TB of storage
o Panorama:
8 CPUs, 32 GB RAM, max of 24 TB of storage
o Log Collector
16 CPUs, 32 GB RAM, max of 24 TB of storage
o Management only
4 CPUs, 8 GB RAM, no storage needed beyond the OS disk.
Panorama 8.1: Manage Firewalls at Scale (EDU-120)
Panorama: Initial Configuration
Certificate Management
Devices are managed under Device > Certificate Management > Certificates
o Operations supported include:
Generate CSRs
View Certificates
Modify Certificate Use
Import/Export Certificates
Delete Certificates
Revoke Certificates
o Different certificates have different features
A signing certificate is required for SSL Forward Proxy and Global Protect
o There are 3 methods of getting a certificate on the FW
Generate a self-signed CA Certificate from the FW
Generate a CA Cert using CSR
Import a CA Certificate
The FW will sort the certificates in a hierarchy in order of the CA chain, root to intermediate
to device.
SSL Forward Proxy Decryption
SSL Forward Proxy decryption is used to intercept and decrypt SSL sessions in order to
inspect the traffic for malicious content
Steps in this process are:
o Client sends request to external server through firewall
o Firewall intercepts the SSL request
o Firewall then contacts the external server and sends that server the FW cert
o External server responds with its server certificate; firewall validates certificate
Decryption Concepts
Encrypted traffic is growing every year
PAN firewalls can decrypt SSHv2 and SSL/TLS inbound and outbound traffic
SSL Establishment includes:
o Client - requests SSL connection
o Server - sends server public cert
o Client - Verifies Cert
o Client - sends encrypted session key
o Server - begins encrypted communications session
When an SSL session is first established or needs to re-establish a session and rekey, this is
known as PFS (Perfect Forward Secrecy)
The FW can act as an Outbound SSL Proxy:
o A client initiates a session to an external server
o The FW intercepts the connection, decrypts it, applies any security policies, re-
encrypts the traffic and sends to the external server
The FW can perform Inbound SSL decryption (does not act as a proxy, just decrypts and
inspects)
o The internal server's certificate and private key need to be added to the PAN firewall
for this to function properly
The FW can perform SSHv2 Proxy for both inbound and outbound SSH traffic
o If SSH Tunneling of another application is found, the session is blocked to prevent
apps from bypassing firewall rules.
Public Key Infrastructure (PKI) solves the issue of securely identifying public keys
o Uses digital certificates to verify public key owners (x.509 format)
o Typical PKI components include:
Root CA: Provides a service that confirms identities and public keys to people and
companies.
Intermediate CA: Certified by a Root CA, and will issue certificates; has a DB
that issues and revokes certs and stores CSRs
Device: has the certificate and private keys. Devices maintain a list of trusted CAs,
which can be updated by admins or by system updates.
o Certificate Chain starts with the device and ends with the Root CA. As long as there is
a Root CA in the chain, the certificate can be checked as valid (or revoked).
o Certificate Hashes can be validated to confirm that it hasn't been intercepted and
altered.
Firewalls can use certificates for many purposes:
o SSL/TLS
o MGT Interface User Auth
o Global Protect: Portal Auth, Gateway Auth, Mobile Security Manager Auth
o Captive Portal User Auth
o IPSec VPN IKE Auth
o Note: User ID is required for the User Credential Detection to function
o Under Objects > Security Profiles > URL Filtering > (profile name) > User Credential
Detection
If a URL is not categorized by the firewall, you can create a policy based on corporate
security policy
o Unknown URLs can be allowed
o Unknown URLs can be alerted/logged
o Unknown URLs can be Continued with a challenge page
o Unknown URLs can be set to Override with the admin password
o Unknown URLs can be blocked
Not-Resolved URLs include sites that are not in the local cache and for which the firewall could not
contact the PAN Cloud to check the category
o Recommend to set to 'alert'
o Use the CLI Command 'show url-cloud status' to check cloud lookup service; should
say 'connected'. If not connected, troubleshoot connectivity to this site (may need a
service route installed)
The local URL Seed Database on the firewall is based on the region the FW is
installed in, but doesn't contain all URLs that PAN has categorized, as it would be too large.
The local DB contains the most commonly accessed sites; others are checked 'on-demand' as not-
resolved against the PAN cloud DB.
If a URL is miscategorized by PAN, a request can be submitted to ask it to be recategorized.
This is done under Monitor > Logs > URL Filtering - click on the entry you want to submit,
click the 'request categorization change' under details. Fill out all information including
comments, these are human reviewed and are generally responded to in 24-48 hours.
A category check can be done in 2 ways:
o By going to 'urlfiltering.paloaltonetworks.com' and entering the URL. You can also
submit a category change here
o by going under Objects > Security Profiles > URL Filtering > Add - click 'Check URL
Category Link'
Attaching URL Filtering Profiles
URL Filtering can be added into Security Profile Groups with other security profiles such as
AV, Vuln, File Block and Data filtering
Either individual profiles or groups can be assigned to Security Policy rules. This is dependent on
your deployment and corporate security policy.
In the Security Policy, select the URL Profile or group you have created that you want to
apply the policy to.
o Reminder that only 'allow' policies evaluate URL profiles. Policies set to deny or block
traffic will do just that.
Decryption
o Entries are case sensitive, and subdomain considerations should be checked.
o www.ebay.com will not block cdn.ebay.com in a block list.
o *.ebay.com would block all ebay subdomains.
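A small model of the list-matching rules just stated, written for these notes (it is not Palo Alto Networks code): it reproduces case-sensitive entries, the fact that 'www.ebay.com' does not cover 'cdn.ebay.com' while '*.ebay.com' does, and the block-list actions with their log entries from the section below. Two details are assumptions of the model rather than statements from the notes: the allow list is consulted before the block list, and a '*.' wildcard does not match the apex domain itself.

```python
"""Toy model of URL allow/block-list matching for the Panorama/URL Filtering
notes. Constructed example, not vendor code; see the assumptions in the
lead-in (allow list wins over block list, '*.' excludes the apex domain).
"""

BLOCK_LIST_ACTIONS = {"block", "continue", "override", "alert"}


def hostname_of(url: str) -> str:
    """Extract the hostname from a URL without changing its case.

    urllib's .hostname lowercases the host, which would hide the
    case-sensitivity point, so the host is sliced out by hand
    (IPv6 literals are not handled in this model).
    """
    rest = url.split("://", 1)[-1]        # drop scheme if present
    host = rest.split("/", 1)[0]          # drop path and query
    host = host.rsplit("@", 1)[-1]        # drop userinfo if present
    return host.split(":", 1)[0]          # drop port if present


def entry_matches(entry: str, host: str) -> bool:
    """Case-sensitive match of one list entry against a hostname."""
    if entry.startswith("*."):
        suffix = entry[1:]                # '*.ebay.com' -> '.ebay.com'
        # any label before the suffix matches; the bare apex does not
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry                  # plain entries match exactly


def evaluate(url, allow_list, block_list, block_action="block",
             user_acknowledged=False):
    """Return (verdict, url_log_action) for a URL against the two lists.

    verdict is what happens to the request; url_log_action is the action
    string written to the URL Filtering log. (None, None-ish) is reported
    as ("no-list-match", None) when neither list matched and the normal
    category lookup would decide instead.
    """
    if block_action not in BLOCK_LIST_ACTIONS:
        raise ValueError(f"unknown block-list action: {block_action}")
    host = hostname_of(url)
    if any(entry_matches(e, host) for e in allow_list):
        return "allow", "allow"
    if not any(entry_matches(e, host) for e in block_list):
        return "no-list-match", None
    if block_action == "block":
        return "block", "block"           # response page shown, access denied
    if block_action == "alert":
        return "allow", "alert"           # no interruption, alert logged
    if block_action == "continue":
        # First hit shows the continue page and logs 'block-continue';
        # once the user clicks through, the log entry changes to 'continue'.
        if user_acknowledged:
            return "allow", "continue"
        return "continue-page", "block-continue"
    # override: admin-password page; the 'block-override' label used here
    # for the un-passed state is this model's naming, not from the notes
    if user_acknowledged:
        return "allow", "override"
    return "override-page", "block-override"
```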
Allow list and block lists can be used to add sites you don't want users to access.
Actions available under the block list include:
o Block: block access, access attempt is logged, and a response page is given to the
user notifying them the site is blocked.
o Continue: a response page is presented, asking the user to confirm they want to
proceed. The item is logged as 'block-continue' when the continue page is presented, and
changed to 'continue' if the user proceeds to the page.
o Override: will prompt for an administrator page to override a URL block. Used for
administrators and others that need a way to bypass blocks to some pages when
needed.
o Alert: allows the user to proceed without interruption, and generates an alert in the
URL log.
Custom HTML pages can be created and uploaded to the PAN firewall.
Custom HTML block pages are limited to 16 KB
Block pages are used to provide a challenge/response or notification if a URL has an action
of block, continue or override.
The user's name will be displayed on the page if User-ID is enabled; otherwise the IP will be
displayed.
If Continue or Override is used, a 15 minute timer is set to allow access to that category.
o Timer can be changed at: Device > setup > content-id > URL Filtering
o Admin Password can be changed at : Device > Setup > Content ID > URL Admin
Override
o Only one override password is allowed.
o An SSL/TLS profile can be used to specify a certificate to secure the connection to the
firewall if Admin override is set to 'Redirect'
o Transparent mode can be used to make block pages appear to originate from the blocked
website
o Redirect will send the request to the specified IP. This IP must be an L3 interface on
the firewall.
o Safe Search can be selected under Objects > Security Profiles > URL Filtering >
(profile name) under the URL Filtering Tab
This is based on the browser's safe search setting
Log Container Page Only can be selected in this same section
Only the name of the container page will be logged if Log Container Page is
selected (helps with log containment and size)
o Both SafeSearch and Log Container Page Only are recommended settings by PAN for best
practice.
To configure Credential Phishing profiles by where users are allowed to submit credentials
o Only one Profile can be set per zone.
DoS Policy
o Provide flexible rules and matching criteria
o Can be used for specific hosts that are critical or have been hit previously
o This can be based on match criteria such as source/destination zone/interface, IP
address, user and services.
o Profiles include:
Protect:
Aggregate profile: applies limits to ALL incoming traffic
Classified Profile: applies limits to a single IP address
Allow: Permit all packets
Deny: Drop all packets
o Added under: Policies > DoS Protection > Add
Specify match for source/destination/option-protection tabs
You can specify the aggregate and/or classified profile if Protect is selected
Example setting is to protect a web server from attacks or floods.
Added under: Objects > Security Profiles > DoS Protection > Add
This allows setting the profile options for flood protection: SYN, UDP, ICMP,
ICMPv6 and Other IP.
Resource Protection can be set to limit sessions to a host to prevent port
depletion or resource (cpu/memory) exhaustion
URL Filtering